From: Sasha Levin Date: Tue, 10 Jun 2025 11:54:34 +0000 (-0400) Subject: Fixes for 6.12 X-Git-Tag: v6.6.94~78 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=21f40a864cf387186c4b19107ea3cdf000d959f5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.12 Signed-off-by: Sasha Levin --- diff --git a/queue-6.12/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch b/queue-6.12/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch new file mode 100644 index 0000000000..ab8aebe2e4 --- /dev/null +++ b/queue-6.12/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch @@ -0,0 +1,44 @@ +From ed5896986f98af15c08994a2f2d03fc00ce001cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 18:54:54 +0200 +Subject: ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" + +From: Armin Wolf + +[ Upstream commit 8cf4fdac9bdead7bca15fc56fdecdf78d11c3ec6 ] + +As specified in section 5.7.2 of the ACPI specification the feature +group string "3.0 _SCP Extensions" implies that the operating system +evaluates the _SCP control method with additional parameters. + +However the ACPI thermal driver evaluates the _SCP control method +without those additional parameters, conflicting with the above +feature group string advertised to the firmware thru _OSI. + +Stop advertising support for this feature string to avoid confusing +the ACPI firmware. + +Fixes: e5f660ebef68 ("ACPI / osi: Collect _OSI handling into one single file") +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20250410165456.4173-2-W_Armin@gmx.de +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osi.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c +index df9328c850bd3..f2c943b934be0 100644 +--- a/drivers/acpi/osi.c ++++ b/drivers/acpi/osi.c +@@ -42,7 +42,6 @@ static struct acpi_osi_entry + osi_setup_entries[OSI_STRING_ENTRIES_MAX] __initdata = { + {"Module Device", true}, + {"Processor Device", true}, +- {"3.0 _SCP Extensions", true}, + {"Processor Aggregator Device", true}, + }; + +-- +2.39.5 + diff --git a/queue-6.12/acpi-resource-fix-a-typo-for-mechrevo-in-irq1_edge_l.patch b/queue-6.12/acpi-resource-fix-a-typo-for-mechrevo-in-irq1_edge_l.patch new file mode 100644 index 0000000000..5b832e1918 --- /dev/null +++ b/queue-6.12/acpi-resource-fix-a-typo-for-mechrevo-in-irq1_edge_l.patch @@ -0,0 +1,40 @@ +From 1f9b4101480324dd66a9cca0c50f4893fc8d8892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:39:46 +0800 +Subject: ACPI: resource: fix a typo for MECHREVO in + irq1_edge_low_force_override[] + +From: Mingcong Bai + +[ Upstream commit 113e04276018bd13978051d8b05a613b4d390cc9 ] + +The vendor name for MECHREVO was incorrectly spelled in commit +b53f09ecd602 ("ACPI: resource: Do IRQ override on MECHREV GM7XG0M"). + +Correct this typo in this trivial patch. + +Fixes: b53f09ecd602 ("ACPI: resource: Do IRQ override on MECHREV GM7XG0M") +Signed-off-by: Mingcong Bai +Link: https://patch.msgid.link/20250417073947.47419-1-jeffbai@aosc.io +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 14c7bac4100b4..7d59c6c9185fc 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -534,7 +534,7 @@ static const struct dmi_system_id irq1_level_low_skip_override[] = { + */ + static const struct dmi_system_id irq1_edge_low_force_override[] = { + { +- /* MECHREV Jiaolong17KS Series GM7XG0M */ ++ /* MECHREVO Jiaolong17KS Series GM7XG0M */ + .matches = { + DMI_MATCH(DMI_BOARD_NAME, "GM7XG0M"), + }, +-- +2.39.5 + diff --git a/queue-6.12/acpica-exserial-don-t-forget-to-handle-ffixedhw-opre.patch b/queue-6.12/acpica-exserial-don-t-forget-to-handle-ffixedhw-opre.patch new file mode 100644 index 0000000000..7ea2f5f654 --- /dev/null +++ b/queue-6.12/acpica-exserial-don-t-forget-to-handle-ffixedhw-opre.patch @@ -0,0 +1,45 @@ +From 1c3464425de68328a7dc926aac8a086ea17fa595 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 21:43:11 +0300 +Subject: ACPICA: exserial: don't forget to handle FFixedHW opregions for + reading + +From: Daniil Tatianin + +[ Upstream commit 0f8af0356a45547683a216e4921006a3c6a6d922 ] + +The initial commit that introduced support for FFixedHW operation +regions did add a special case in the AcpiExReadSerialBus If, but +forgot to actually handle it inside the switch, so add the missing case +to prevent reads from failing with AE_AML_INVALID_SPACE_ID. + +Link: https://github.com/acpica/acpica/pull/998 +Fixes: ee64b827a9a ("ACPICA: Add support for FFH Opregion special context data") +Signed-off-by: Daniil Tatianin +Link: https://patch.msgid.link/20250401184312.599962-1-d-tatianin@yandex-team.ru +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/exserial.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/acpi/acpica/exserial.c b/drivers/acpi/acpica/exserial.c +index 5241f4c01c765..89a4ac447a2be 100644 +--- a/drivers/acpi/acpica/exserial.c ++++ b/drivers/acpi/acpica/exserial.c +@@ -201,6 +201,12 @@ acpi_ex_read_serial_bus(union acpi_operand_object *obj_desc, + function = ACPI_READ; + break; + ++ case ACPI_ADR_SPACE_FIXED_HARDWARE: ++ ++ buffer_length = ACPI_FFH_INPUT_BUFFER_SIZE; ++ function = ACPI_READ; ++ break; ++ + default: + return_ACPI_STATUS(AE_AML_INVALID_SPACE_ID); + } +-- +2.39.5 + diff --git a/queue-6.12/alsa-core-fix-up-bus-match-const-issues.patch b/queue-6.12/alsa-core-fix-up-bus-match-const-issues.patch new file mode 100644 index 0000000000..be8a922450 --- /dev/null +++ b/queue-6.12/alsa-core-fix-up-bus-match-const-issues.patch @@ -0,0 +1,118 @@ +From c9c9412f3df572a9411042dc8bfeee082471abf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 12:08:05 +0200 +Subject: ALSA: core: fix up bus match const issues. + +From: Greg Kroah-Hartman + +[ Upstream commit 62f134ab190c5fd5c9f68fe638ad8e13bb8a4cb4 ] + +In commit d69d80484598 ("driver core: have match() callback in struct +bus_type take a const *"), the match bus callback was changed to have +the driver be a const pointer. Unfortunately that const attribute was +thrown away when container_of() is called, which is not correct and was +not caught by the compiler due to how container_of() is implemented. +Fix this up by correctly preserving the const attribute of the driver +passed to the bus match function which requires the hdac_driver match +function to also take a const pointer for the driver structure. + +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Fixes: d69d80484598 ("driver core: have match() callback in struct bus_type take a const *") +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2025052204-hyphen-thermal-3e72@gregkh +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/hdaudio.h | 4 ++-- + sound/core/seq_device.c | 2 +- + sound/hda/hda_bus_type.c | 6 +++--- + sound/pci/hda/hda_bind.c | 4 ++-- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/include/sound/hdaudio.h b/include/sound/hdaudio.h +index b098ceadbe74b..9a70048adbc06 100644 +--- a/include/sound/hdaudio.h ++++ b/include/sound/hdaudio.h +@@ -223,7 +223,7 @@ struct hdac_driver { + struct device_driver driver; + int type; + const struct hda_device_id *id_table; +- int (*match)(struct hdac_device *dev, struct hdac_driver *drv); ++ int (*match)(struct hdac_device *dev, const struct hdac_driver *drv); + void (*unsol_event)(struct hdac_device *dev, unsigned int event); + + /* fields used by ext bus APIs */ +@@ -235,7 +235,7 @@ struct hdac_driver { + #define drv_to_hdac_driver(_drv) container_of(_drv, struct hdac_driver, driver) + + const struct hda_device_id * +-hdac_get_device_id(struct hdac_device *hdev, struct hdac_driver *drv); ++hdac_get_device_id(struct hdac_device *hdev, const struct hdac_driver *drv); + + /* + * Bus verb operators +diff --git a/sound/core/seq_device.c b/sound/core/seq_device.c +index 4492be5d2317c..bac9f86037342 100644 +--- a/sound/core/seq_device.c ++++ b/sound/core/seq_device.c +@@ -43,7 +43,7 @@ MODULE_LICENSE("GPL"); + static int snd_seq_bus_match(struct device *dev, const struct device_driver *drv) + { + struct snd_seq_device *sdev = to_seq_dev(dev); +- struct snd_seq_driver *sdrv = to_seq_drv(drv); ++ const struct snd_seq_driver *sdrv = to_seq_drv(drv); + + return strcmp(sdrv->id, sdev->id) == 0 && + sdrv->argsize == sdev->argsize; +diff --git a/sound/hda/hda_bus_type.c b/sound/hda/hda_bus_type.c +index 7545ace7b0ee4..eb72a7af2e56e 100644 +--- a/sound/hda/hda_bus_type.c ++++ b/sound/hda/hda_bus_type.c +@@ -21,7 +21,7 @@ MODULE_LICENSE("GPL"); + * driver id_table and returns the matching device id entry. + */ + const struct hda_device_id * +-hdac_get_device_id(struct hdac_device *hdev, struct hdac_driver *drv) ++hdac_get_device_id(struct hdac_device *hdev, const struct hdac_driver *drv) + { + if (drv->id_table) { + const struct hda_device_id *id = drv->id_table; +@@ -38,7 +38,7 @@ hdac_get_device_id(struct hdac_device *hdev, struct hdac_driver *drv) + } + EXPORT_SYMBOL_GPL(hdac_get_device_id); + +-static int hdac_codec_match(struct hdac_device *dev, struct hdac_driver *drv) ++static int hdac_codec_match(struct hdac_device *dev, const struct hdac_driver *drv) + { + if (hdac_get_device_id(dev, drv)) + return 1; +@@ -49,7 +49,7 @@ static int hdac_codec_match(struct hdac_device *dev, struct hdac_driver *drv) + static int hda_bus_match(struct device *dev, const struct device_driver *drv) + { + struct hdac_device *hdev = dev_to_hdac_dev(dev); +- struct hdac_driver *hdrv = drv_to_hdac_driver(drv); ++ const struct hdac_driver *hdrv = drv_to_hdac_driver(drv); + + if (hdev->type != hdrv->type) + return 0; +diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c +index b7ca2a83fbb08..90633970b59f7 100644 +--- a/sound/pci/hda/hda_bind.c ++++ b/sound/pci/hda/hda_bind.c +@@ -18,10 +18,10 @@ + /* + * find a matching codec id + */ +-static int hda_codec_match(struct hdac_device *dev, struct hdac_driver *drv) ++static int hda_codec_match(struct hdac_device *dev, const struct hdac_driver *drv) + { + struct hda_codec *codec = container_of(dev, struct hda_codec, core); +- struct hda_codec_driver *driver = ++ const struct hda_codec_driver *driver = + container_of(drv, struct hda_codec_driver, core); + const struct hda_device_id *list; + /* check probe_id instead of vendor_id if set */ +-- +2.39.5 + diff --git a/queue-6.12/arm-aspeed-don-t-select-sram.patch b/queue-6.12/arm-aspeed-don-t-select-sram.patch new file mode 100644 index 0000000000..2ba3c7b2e9 --- /dev/null +++ b/queue-6.12/arm-aspeed-don-t-select-sram.patch @@ -0,0 +1,37 @@ +From 6ade71b4e5930edd0b9cf29c8b468434142f75dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:42 +0930 +Subject: ARM: aspeed: Don't select SRAM + +From: Joel Stanley + +[ Upstream commit e4f59f873c3ffe2a0150e11115a83e2dfb671dbf ] + +The ASPEED devices have SRAM, but don't require it for basic function +(or any function; there's no known users of the driver). + +Fixes: 8c2ed9bcfbeb ("arm: Add Aspeed machine") +Signed-off-by: Joel Stanley +Link: https://patch.msgid.link/20250115103942.421429-1-joel@jms.id.au +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-aspeed/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/mach-aspeed/Kconfig b/arch/arm/mach-aspeed/Kconfig +index 080019aa6fcd8..fcf287edd0e5e 100644 +--- a/arch/arm/mach-aspeed/Kconfig ++++ b/arch/arm/mach-aspeed/Kconfig +@@ -2,7 +2,6 @@ + menuconfig ARCH_ASPEED + bool "Aspeed BMC architectures" + depends on (CPU_LITTLE_ENDIAN && ARCH_MULTI_V5) || ARCH_MULTI_V6 || ARCH_MULTI_V7 +- select SRAM + select WATCHDOG + select ASPEED_WATCHDOG + select MFD_SYSCON +-- +2.39.5 + diff --git a/queue-6.12/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch b/queue-6.12/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch new file mode 100644 index 0000000000..5fdb885fa5 --- /dev/null +++ b/queue-6.12/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch @@ -0,0 +1,67 @@ +From df4c0a926193d7275fa961a473709f07492858e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 23:04:46 +0200 +Subject: ARM: dts: at91: at91sam9263: fix NAND chip selects + +From: Wolfram Sang + +[ Upstream commit c72ede1c24be689733bcd2233a3a56f2478429c8 ] + +NAND did not work on my USB-A9263. I discovered that the offending +commit converted the PIO bank for chip selects wrongly, so all A9263 +boards need to be fixed. + +Fixes: 1004a2977bdc ("ARM: dts: at91: Switch to the new NAND bindings") +Signed-off-by: Wolfram Sang +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20250402210446.5972-2-wsa+renesas@sang-engineering.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/microchip/at91sam9263ek.dts | 2 +- + arch/arm/boot/dts/microchip/tny_a9263.dts | 2 +- + arch/arm/boot/dts/microchip/usb_a9263.dts | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/microchip/at91sam9263ek.dts b/arch/arm/boot/dts/microchip/at91sam9263ek.dts +index ce8baff6a9f4e..e42e1a75a715d 100644 +--- a/arch/arm/boot/dts/microchip/at91sam9263ek.dts ++++ b/arch/arm/boot/dts/microchip/at91sam9263ek.dts +@@ -152,7 +152,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +diff --git a/arch/arm/boot/dts/microchip/tny_a9263.dts b/arch/arm/boot/dts/microchip/tny_a9263.dts +index 62b7d9f9a926c..c8b6318aaa838 100644 +--- a/arch/arm/boot/dts/microchip/tny_a9263.dts ++++ b/arch/arm/boot/dts/microchip/tny_a9263.dts +@@ -64,7 +64,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +diff --git a/arch/arm/boot/dts/microchip/usb_a9263.dts b/arch/arm/boot/dts/microchip/usb_a9263.dts +index 25c643067b2ec..454176ce6d3ff 100644 +--- a/arch/arm/boot/dts/microchip/usb_a9263.dts ++++ b/arch/arm/boot/dts/microchip/usb_a9263.dts +@@ -84,7 +84,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +-- +2.39.5 + diff --git a/queue-6.12/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch b/queue-6.12/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch new file mode 100644 index 0000000000..0ddf199829 --- /dev/null +++ b/queue-6.12/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch @@ -0,0 +1,39 @@ +From a8b9bb7c674edc3ba3127395eaea636ee949787a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 13:27:43 +0200 +Subject: ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select + +From: Wolfram Sang + +[ Upstream commit 67ba341e57ab158423818ed33bfa1c40eb0e5e7e ] + +Dataflash did not work on my board. After checking schematics and using +the proper GPIO, it works now. Also, make it active low to avoid: + +flash@0 enforce active low on GPIO handle + +Fixes: 2432d201468d ("ARM: at91: dt: usb-a9263: add dataflash support") +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20250404112742.67416-2-wsa+renesas@sang-engineering.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/microchip/usb_a9263.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/microchip/usb_a9263.dts b/arch/arm/boot/dts/microchip/usb_a9263.dts +index 45745915b2e16..25c643067b2ec 100644 +--- a/arch/arm/boot/dts/microchip/usb_a9263.dts ++++ b/arch/arm/boot/dts/microchip/usb_a9263.dts +@@ -58,7 +58,7 @@ + }; + + spi0: spi@fffa4000 { +- cs-gpios = <&pioB 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioA 5 GPIO_ACTIVE_LOW>; + status = "okay"; + flash@0 { + compatible = "atmel,at45", "atmel,dataflash"; +-- +2.39.5 + diff --git a/queue-6.12/arm-dts-qcom-apq8064-add-missing-clocks-to-the-timer.patch b/queue-6.12/arm-dts-qcom-apq8064-add-missing-clocks-to-the-timer.patch new file mode 100644 index 0000000000..3f18d2c19c --- /dev/null +++ b/queue-6.12/arm-dts-qcom-apq8064-add-missing-clocks-to-the-timer.patch @@ -0,0 +1,38 @@ +From a3b339b7e568c708f0c2b7f8ccc659b3a3c20d39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 15:21:59 +0200 +Subject: ARM: dts: qcom: apq8064: add missing clocks to the timer node + +From: Dmitry Baryshkov + +[ Upstream commit 4b0eb149df58b6750cd8113e5ee5b3ac7cc51743 ] + +In order to fix DT schema warning and describe hardware properly, add +missing sleep clock to the timer node. + +Fixes: f335b8af4fd5 ("ARM: dts: qcom: Add initial APQ8064 SoC and IFC6410 board device trees") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-6-bcedd1406790@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom/qcom-apq8064.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi +index ac7494ed633e1..1d802d931028d 100644 +--- a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi +@@ -326,6 +326,8 @@ + ; + reg = <0x0200a000 0x100>; + clock-frequency = <27000000>; ++ clocks = <&sleep_clk>; ++ clock-names = "sleep"; + cpu-offset = <0x80000>; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch b/queue-6.12/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch new file mode 100644 index 0000000000..bef100b6b9 --- /dev/null +++ b/queue-6.12/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch @@ -0,0 +1,58 @@ +From 9c2eff562e425dcd6df6653266c9cc28bd353616 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 15:22:00 +0200 +Subject: ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon + device + +From: Dmitry Baryshkov + +[ Upstream commit 325c6a441ae1f8fcb1db9bb945b8bdbd3142141e ] + +Follow up the expected way of describing the SFPB hwspinlock and merge +hwspinlock node into corresponding syscon node, fixing several dt-schema +warnings. + +Fixes: 24a9baf933dc ("ARM: dts: qcom: apq8064: Add hwmutex and SMEM nodes") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-7-bcedd1406790@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom/qcom-apq8064.dtsi | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi +index 1d802d931028d..38ce6f5fe6b48 100644 +--- a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi +@@ -213,12 +213,6 @@ + }; + }; + +- sfpb_mutex: hwmutex { +- compatible = "qcom,sfpb-mutex"; +- syscon = <&sfpb_wrapper_mutex 0x604 0x4>; +- #hwlock-cells = <1>; +- }; +- + smem { + compatible = "qcom,smem"; + memory-region = <&smem_region>; +@@ -305,9 +299,10 @@ + pinctrl-0 = <&ps_hold_default_state>; + }; + +- sfpb_wrapper_mutex: syscon@1200000 { +- compatible = "syscon"; +- reg = <0x01200000 0x8000>; ++ sfpb_mutex: hwmutex@1200600 { ++ compatible = "qcom,sfpb-mutex"; ++ reg = <0x01200600 0x100>; ++ #hwlock-cells = <1>; + }; + + intc: interrupt-controller@2000000 { +-- +2.39.5 + diff --git a/queue-6.12/arm-dts-qcom-apq8064-move-replicator-out-of-soc-node.patch b/queue-6.12/arm-dts-qcom-apq8064-move-replicator-out-of-soc-node.patch new file mode 100644 index 0000000000..4ec0137e6a --- /dev/null +++ b/queue-6.12/arm-dts-qcom-apq8064-move-replicator-out-of-soc-node.patch @@ -0,0 +1,112 @@ +From ce29363b0db111d16af0d8aed6c19e9834acf262 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 15:22:03 +0200 +Subject: ARM: dts: qcom: apq8064: move replicator out of soc node + +From: Dmitry Baryshkov + +[ Upstream commit f2420037d90a8354594b3da541e19dcbb60c75e1 ] + +The CoreSight static replicator device isn't a part of the system MMIO +bus, as such it should not be a part of the soc node. Follow the example +of other platforms and move it out of the soc bus to the top-level (and +reoder ports to follow alphabetic order). + +Fixes: 7a5c275fd821 ("ARM: dts: qcom: Add apq8064 CoreSight components") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-10-bcedd1406790@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom/qcom-apq8064.dtsi | 67 ++++++++++++------------ + 1 file changed, 34 insertions(+), 33 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi +index 38ce6f5fe6b48..be87c396f05f1 100644 +--- a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi +@@ -278,6 +278,40 @@ + }; + }; + ++ replicator { ++ compatible = "arm,coresight-static-replicator"; ++ ++ clocks = <&rpmcc RPM_QDSS_CLK>; ++ clock-names = "apb_pclk"; ++ ++ in-ports { ++ port { ++ replicator_in: endpoint { ++ remote-endpoint = <&funnel_out>; ++ }; ++ }; ++ }; ++ ++ out-ports { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ ++ port@0 { ++ reg = <0>; ++ replicator_out0: endpoint { ++ remote-endpoint = <&etb_in>; ++ }; ++ }; ++ ++ port@1 { ++ reg = <1>; ++ replicator_out1: endpoint { ++ remote-endpoint = <&tpiu_in>; ++ }; ++ }; ++ }; ++ }; ++ + soc: soc { + #address-cells = <1>; + #size-cells = <1>; +@@ -1529,39 +1563,6 @@ + }; + }; + +- replicator { +- compatible = "arm,coresight-static-replicator"; +- +- clocks = <&rpmcc RPM_QDSS_CLK>; +- clock-names = "apb_pclk"; +- +- out-ports { +- #address-cells = <1>; +- #size-cells = <0>; +- +- port@0 { +- reg = <0>; +- replicator_out0: endpoint { +- remote-endpoint = <&etb_in>; +- }; +- }; +- port@1 { +- reg = <1>; +- replicator_out1: endpoint { +- remote-endpoint = <&tpiu_in>; +- }; +- }; +- }; +- +- in-ports { +- port { +- replicator_in: endpoint { +- remote-endpoint = <&funnel_out>; +- }; +- }; +- }; +- }; +- + funnel@1a04000 { + compatible = "arm,coresight-dynamic-funnel", "arm,primecell"; + reg = <0x1a04000 0x1000>; +-- +2.39.5 + diff --git a/queue-6.12/arm64-defconfig-mediatek-enable-phy-drivers.patch b/queue-6.12/arm64-defconfig-mediatek-enable-phy-drivers.patch new file mode 100644 index 0000000000..65475e4e61 --- /dev/null +++ b/queue-6.12/arm64-defconfig-mediatek-enable-phy-drivers.patch @@ -0,0 +1,52 @@ +From 1e6eb834e8286bb467b6be1bfcd22a854aba0ccf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 18:49:24 +0530 +Subject: arm64: defconfig: mediatek: enable PHY drivers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vignesh Raman + +[ Upstream commit f52cd248d844f9451858992f924988ac413fdc7e ] + +The mediatek display driver fails to probe on mt8173-elm-hana and +mt8183-kukui-jacuzzi-juniper-sku16 in v6.14-rc4 due to missing PHY +configurations. + +Commit 924d66011f24 ("drm/mediatek: stop selecting foreign drivers") +stopped selecting the MediaTek PHY drivers, requiring them to be +explicitly enabled in defconfig. + +Enable the following PHY drivers for MediaTek platforms: +CONFIG_PHY_MTK_HDMI=m for HDMI display +CONFIG_PHY_MTK_MIPI_DSI=m for DSI display +CONFIG_PHY_MTK_DP=m for DP display + +Fixes: 924d66011f24 ("drm/mediatek: stop selecting foreign drivers") +Reviewed-by: Nícolas F. R. A. Prado +Signed-off-by: Vignesh Raman +Link: https://lore.kernel.org/r/20250512131933.1247830-1-vignesh.raman@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/configs/defconfig | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig +index 8fe7dbae33bf9..f988dd79add89 100644 +--- a/arch/arm64/configs/defconfig ++++ b/arch/arm64/configs/defconfig +@@ -1536,6 +1536,9 @@ CONFIG_PHY_HISTB_COMBPHY=y + CONFIG_PHY_HISI_INNO_USB2=y + CONFIG_PHY_MVEBU_CP110_COMPHY=y + CONFIG_PHY_MTK_TPHY=y ++CONFIG_PHY_MTK_HDMI=m ++CONFIG_PHY_MTK_MIPI_DSI=m ++CONFIG_PHY_MTK_DP=m + CONFIG_PHY_QCOM_EDP=m + CONFIG_PHY_QCOM_PCIE2=m + CONFIG_PHY_QCOM_QMP=m +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch b/queue-6.12/arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch new file mode 100644 index 0000000000..e1098c51af --- /dev/null +++ b/queue-6.12/arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch @@ -0,0 +1,37 @@ +From b22a58adb44edcd03f8c0afc605afa68104c1470 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:01:27 -0500 +Subject: arm64: dts: imx8mm-beacon: Fix RTC capacitive load + +From: Adam Ford + +[ Upstream commit 2e98d456666d63f897ba153210bcef9d78ba0f3a ] + +Although not noticeable when used every day, the RTC appears to drift when +left to sit over time. This is due to the capacitive load not being +properly set. Fix RTC drift by correcting the capacitive load setting +from 7000 to 12500, which matches the actual hardware configuration. + +Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit") +Signed-off-by: Adam Ford +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +index 62ed64663f495..9ba0cb89fa24e 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +@@ -233,6 +233,7 @@ + rtc: rtc@51 { + compatible = "nxp,pcf85263"; + reg = <0x51>; ++ quartz-load-femtofarads = <12500>; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-imx8mm-beacon-set-sai5-mclk-direction-to-o.patch b/queue-6.12/arm64-dts-imx8mm-beacon-set-sai5-mclk-direction-to-o.patch new file mode 100644 index 0000000000..9fb3c6bce8 --- /dev/null +++ b/queue-6.12/arm64-dts-imx8mm-beacon-set-sai5-mclk-direction-to-o.patch @@ -0,0 +1,41 @@ +From ac958dd74b80930cf146ef8838295032c78029ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:01:30 -0500 +Subject: arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI + audio + +From: Adam Ford + +[ Upstream commit 8c716f80dfe8cd6ed9a2696847cea1affeeff6ff ] + +The HDMI bridge chip fails to generate an audio source due to the SAI5 +master clock (MCLK) direction not being set to output. This prevents proper +clocking of the HDMI audio interface. + +Add the `fsl,sai-mclk-direction-output` property to the SAI5 node to ensure +the MCLK is driven by the SoC, resolving the HDMI sound issue. + +Fixes: 8ad7d14d99f3 ("arm64: dts: imx8mm-beacon: Add HDMI video with sound") +Signed-off-by: Adam Ford +Reviewed-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts b/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts +index 97ff1ddd63188..734a75198f06e 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts +@@ -124,6 +124,7 @@ + assigned-clock-parents = <&clk IMX8MM_AUDIO_PLL1_OUT>; + assigned-clock-rates = <24576000>; + #sound-dai-cells = <0>; ++ fsl,sai-mclk-direction-output; + status = "okay"; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch b/queue-6.12/arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch new file mode 100644 index 0000000000..8c70ff9187 --- /dev/null +++ b/queue-6.12/arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch @@ -0,0 +1,38 @@ +From a1bd625b9d14003ea9d2ab5df6b6b58e58270a6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:01:28 -0500 +Subject: arm64: dts: imx8mn-beacon: Fix RTC capacitive load + +From: Adam Ford + +[ Upstream commit c3f03bec30efd5082b55876846d57b5d17dae7b9 ] + +Although not noticeable when used every day, the RTC appears to drift when +left to sit over time. This is due to the capacitive load not being +properly set. Fix RTC drift by correcting the capacitive load setting +from 7000 to 12500, which matches the actual hardware configuration. + +Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit") +Signed-off-by: Adam Ford +Reviewed-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi +index 2a64115eebf1c..bb11590473a4c 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi +@@ -242,6 +242,7 @@ + rtc: rtc@51 { + compatible = "nxp,pcf85263"; + reg = <0x51>; ++ quartz-load-femtofarads = <12500>; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-imx8mn-beacon-set-sai5-mclk-direction-to-o.patch b/queue-6.12/arm64-dts-imx8mn-beacon-set-sai5-mclk-direction-to-o.patch new file mode 100644 index 0000000000..1e464793ca --- /dev/null +++ b/queue-6.12/arm64-dts-imx8mn-beacon-set-sai5-mclk-direction-to-o.patch @@ -0,0 +1,41 @@ +From 2d6c2bcf2268e108d4f66856f0adbbaf71eac007 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:01:31 -0500 +Subject: arm64: dts: imx8mn-beacon: Set SAI5 MCLK direction to output for HDMI + audio + +From: Adam Ford + +[ Upstream commit a747c4dd2a60c4d0179b372032a4b98548135096 ] + +The HDMI bridge chip fails to generate an audio source due to the SAI5 +master clock (MCLK) direction not being set to output. This prevents proper +clocking of the HDMI audio interface. + +Add the `fsl,sai-mclk-direction-output` property to the SAI5 node to ensure +the MCLK is driven by the SoC, resolving the HDMI sound issue. + +Fixes: 1d6880ceef43 ("arm64: dts: imx8mn-beacon: Add HDMI video with sound") +Signed-off-by: Adam Ford +Reviewed-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts b/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts +index 1df5ceb113879..37fc5ed98d7f6 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts +@@ -124,6 +124,7 @@ + assigned-clock-parents = <&clk IMX8MN_AUDIO_PLL1_OUT>; + assigned-clock-rates = <24576000>; + #sound-dai-cells = <0>; ++ fsl,sai-mclk-direction-output; + status = "okay"; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-imx8mp-beacon-fix-rtc-capacitive-load.patch b/queue-6.12/arm64-dts-imx8mp-beacon-fix-rtc-capacitive-load.patch new file mode 100644 index 0000000000..98b652eed7 --- /dev/null +++ b/queue-6.12/arm64-dts-imx8mp-beacon-fix-rtc-capacitive-load.patch @@ -0,0 +1,38 @@ +From 1a09fa6e05d1f963c678ad677418e88252621d0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:01:29 -0500 +Subject: arm64: dts: imx8mp-beacon: Fix RTC capacitive load + +From: Adam Ford + +[ Upstream commit 6821ee17537938e919e8b86a541aae451f73165b ] + +Although not noticeable when used every day, the RTC appears to drift when +left to sit over time. This is due to the capacitive load not being +properly set. Fix RTC drift by correcting the capacitive load setting +from 7000 to 12500, which matches the actual hardware configuration. + +Fixes: 25a5ccdce767 ("arm64: dts: freescale: Introduce imx8mp-beacon-kit") +Signed-off-by: Adam Ford +Reviewed-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi +index 15f7ab58db36c..88561df70d03a 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi +@@ -257,6 +257,7 @@ + rtc: rtc@51 { + compatible = "nxp,pcf85263"; + reg = <0x51>; ++ quartz-load-femtofarads = <12500>; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-mediatek-mt6357-drop-regulator-fixed-compa.patch b/queue-6.12/arm64-dts-mediatek-mt6357-drop-regulator-fixed-compa.patch new file mode 100644 index 0000000000..171767bbd5 --- /dev/null +++ b/queue-6.12/arm64-dts-mediatek-mt6357-drop-regulator-fixed-compa.patch @@ -0,0 +1,121 @@ +From 1e6e8228fa972fed0ad1e3aaea2548d2f88c5a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 May 2025 11:32:10 -0400 +Subject: arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit d77e89b7b03fb945b4353f2dcc4a70b34baa7bcb ] + +Some of the regulators in the MT6357 PMIC dtsi have compatible set to +regulator-fixed, even though they don't serve any purpose: all those +regulators are handled as a whole by the mt6357-regulator driver. In +fact this is the only dtsi in this family of chips where this is the +case: mt6359 and mt6358 don't have any such compatibles. + +A side-effect caused by this is that the DT kselftest, which is supposed +to identify nodes with compatibles that can be probed, but haven't, +shows these nodes as failures. + +Remove the useless compatibles to move the dtsi in line with the others +in its family and fix the DT kselftest failures. + +Fixes: 55749bb478f8 ("arm64: dts: mediatek: add mt6357 device-tree") +Signed-off-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20250502-mt6357-regulator-fixed-compatibles-removal-v1-1-a582c16743fe@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt6357.dtsi | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt6357.dtsi b/arch/arm64/boot/dts/mediatek/mt6357.dtsi +index 5fafa842d312f..dca4e5c3d8e21 100644 +--- a/arch/arm64/boot/dts/mediatek/mt6357.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt6357.dtsi +@@ -60,7 +60,6 @@ + }; + + mt6357_vfe28_reg: ldo-vfe28 { +- compatible = "regulator-fixed"; + regulator-name = "vfe28"; + regulator-min-microvolt = <2800000>; + regulator-max-microvolt = <2800000>; +@@ -75,7 +74,6 @@ + }; + + mt6357_vrf18_reg: ldo-vrf18 { +- compatible = "regulator-fixed"; + regulator-name = "vrf18"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; +@@ -83,7 +81,6 @@ + }; + + mt6357_vrf12_reg: ldo-vrf12 { +- compatible = "regulator-fixed"; + regulator-name = "vrf12"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; +@@ -112,7 +109,6 @@ + }; + + mt6357_vcn28_reg: ldo-vcn28 { +- compatible = "regulator-fixed"; + regulator-name = "vcn28"; + regulator-min-microvolt = <2800000>; + regulator-max-microvolt = <2800000>; +@@ -120,7 +116,6 @@ + }; + + mt6357_vcn18_reg: ldo-vcn18 { +- compatible = "regulator-fixed"; + regulator-name = "vcn18"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; +@@ -142,7 +137,6 @@ + }; + + mt6357_vcamio_reg: ldo-vcamio18 { +- compatible = "regulator-fixed"; + regulator-name = "vcamio"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; +@@ -175,7 +169,6 @@ + }; + + mt6357_vaux18_reg: ldo-vaux18 { +- compatible = "regulator-fixed"; + regulator-name = "vaux18"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; +@@ -183,7 +176,6 @@ + }; + + mt6357_vaud28_reg: ldo-vaud28 { +- compatible = "regulator-fixed"; + regulator-name = "vaud28"; + regulator-min-microvolt = <2800000>; + regulator-max-microvolt = <2800000>; +@@ -191,7 +183,6 @@ + }; + + mt6357_vio28_reg: ldo-vio28 { +- compatible = "regulator-fixed"; + regulator-name = "vio28"; + regulator-min-microvolt = <2800000>; + regulator-max-microvolt = <2800000>; +@@ -199,7 +190,6 @@ + }; + + mt6357_vio18_reg: ldo-vio18 { +- compatible = "regulator-fixed"; + regulator-name = "vio18"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch b/queue-6.12/arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch new file mode 100644 index 0000000000..d7491aa6f9 --- /dev/null +++ b/queue-6.12/arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch @@ -0,0 +1,110 @@ +From 0b2574749f462b549e37e07b85711c948ef0dd34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 11:06:15 +0200 +Subject: arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power + domains + +From: AngeloGioacchino Del Regno + +[ Upstream commit 394f29033324e2317bfd6a7ed99b9a60832b36a2 ] + +By hardware, the first and second core of the video decoder IP +need the VDEC_SOC to be powered up in order to be able to be +accessed (both internally, by firmware, and externally, by the +kernel). +Similarly, for the video encoder IP, the second core needs the +first core to be powered up in order to be accessible. + +Fix that by reparenting the VDEC1/2 power domains to be children +of VDEC0 (VDEC_SOC), and the VENC1 to be a child of VENC0. + +Fixes: 2b515194bf0c ("arm64: dts: mt8195: Add power domains controller") +Reviewed-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20250402090615.25871-3-angelogioacchino.delregno@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8195.dtsi | 50 +++++++++++++----------- + 1 file changed, 27 insertions(+), 23 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +index f013dbad9dc4e..2e138b54f5563 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi +@@ -617,22 +617,6 @@ + #size-cells = <0>; + #power-domain-cells = <1>; + +- power-domain@MT8195_POWER_DOMAIN_VDEC1 { +- reg = ; +- clocks = <&vdecsys CLK_VDEC_LARB1>; +- clock-names = "vdec1-0"; +- mediatek,infracfg = <&infracfg_ao>; +- #power-domain-cells = <0>; +- }; +- +- power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 { +- reg = ; +- clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>; +- clock-names = "venc1-larb"; +- mediatek,infracfg = <&infracfg_ao>; +- #power-domain-cells = <0>; +- }; +- + power-domain@MT8195_POWER_DOMAIN_VDOSYS0 { + reg = ; + clocks = <&topckgen CLK_TOP_CFG_VDO0>, +@@ -678,15 +662,25 @@ + clocks = <&vdecsys_soc CLK_VDEC_SOC_LARB1>; + clock-names = "vdec0-0"; + mediatek,infracfg = <&infracfg_ao>; ++ #address-cells = <1>; ++ #size-cells = <0>; + #power-domain-cells = <0>; +- }; + +- power-domain@MT8195_POWER_DOMAIN_VDEC2 { +- reg = ; +- clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>; +- clock-names = "vdec2-0"; +- mediatek,infracfg = <&infracfg_ao>; +- #power-domain-cells = <0>; ++ power-domain@MT8195_POWER_DOMAIN_VDEC1 { ++ reg = ; ++ clocks = <&vdecsys CLK_VDEC_LARB1>; ++ clock-names = "vdec1-0"; ++ mediatek,infracfg = <&infracfg_ao>; ++ #power-domain-cells = <0>; ++ }; ++ ++ power-domain@MT8195_POWER_DOMAIN_VDEC2 { ++ reg = ; ++ clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>; ++ clock-names = "vdec2-0"; ++ mediatek,infracfg = <&infracfg_ao>; ++ #power-domain-cells = <0>; ++ }; + }; + + power-domain@MT8195_POWER_DOMAIN_VENC { +@@ -694,7 +688,17 @@ + clocks = <&vencsys CLK_VENC_LARB>; + clock-names = "venc0-larb"; + mediatek,infracfg = <&infracfg_ao>; ++ #address-cells = <1>; ++ #size-cells = <0>; + #power-domain-cells = <0>; ++ ++ power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 { ++ reg = ; ++ clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>; ++ clock-names = "venc1-larb"; ++ mediatek,infracfg = <&infracfg_ao>; ++ #power-domain-cells = <0>; ++ }; + }; + + power-domain@MT8195_POWER_DOMAIN_VDOSYS1 { +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-mt6359-add-missing-compatible-property-to-.patch b/queue-6.12/arm64-dts-mt6359-add-missing-compatible-property-to-.patch new file mode 100644 index 0000000000..34550cf439 --- /dev/null +++ b/queue-6.12/arm64-dts-mt6359-add-missing-compatible-property-to-.patch @@ -0,0 +1,41 @@ +From 6215001c8b23e0b73eefb46313713bef27c49d4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 15:23:39 +0200 +Subject: arm64: dts: mt6359: Add missing 'compatible' property to regulators + node + +From: Julien Massot + +[ Upstream commit 1fe38d2a19950fa6dbc384ee8967c057aef9faf4 ] + +The 'compatible' property is required by the +'mfd/mediatek,mt6397.yaml' binding. Add it to fix the following +dtb-check error: +mediatek/mt8395-radxa-nio-12l.dtb: pmic: regulators: +'compatible' is a required property + +Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes") +Signed-off-by: Julien Massot +Link: https://lore.kernel.org/r/20250505-mt8395-dtb-errors-v1-3-9c4714dcdcdb@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi +index 8e1b8c85c6ede..57af3e7899841 100644 +--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi +@@ -18,6 +18,8 @@ + }; + + regulators { ++ compatible = "mediatek,mt6359-regulator"; ++ + mt6359_vs1_buck_reg: buck_vs1 { + regulator-name = "vs1"; + regulator-min-microvolt = <800000>; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch b/queue-6.12/arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch new file mode 100644 index 0000000000..cf4b171e1d --- /dev/null +++ b/queue-6.12/arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch @@ -0,0 +1,42 @@ +From c25e5d81fa3fbcd4c988776eab75474c5f99e23b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 10:19:58 +0200 +Subject: arm64: dts: mt6359: Rename RTC node to match binding expectations + +From: Julien Massot + +[ Upstream commit cfe035d8662cfbd6edff9bd89c4b516bbb34c350 ] + +Rename the node 'mt6359rtc' to 'rtc', as required by the binding. + +Fix the following dtb-check error: + +mediatek/mt8395-radxa-nio-12l.dtb: pmic: 'mt6359rtc' do not match +any of the regexes: 'pinctrl-[0-9]+' + +Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes") +Signed-off-by: Julien Massot +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20250514-mt8395-dtb-errors-v2-3-d67b9077c59a@collabora.com +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi +index 57af3e7899841..779d6dfb55c00 100644 +--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi +@@ -298,7 +298,7 @@ + }; + }; + +- mt6359rtc: mt6359rtc { ++ mt6359rtc: rtc { + compatible = "mediatek,mt6358-rtc"; + }; + }; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-mt8183-add-port-node-to-mt8183.dtsi.patch b/queue-6.12/arm64-dts-mt8183-add-port-node-to-mt8183.dtsi.patch new file mode 100644 index 0000000000..1d5b3766d4 --- /dev/null +++ b/queue-6.12/arm64-dts-mt8183-add-port-node-to-mt8183.dtsi.patch @@ -0,0 +1,63 @@ +From 5a8cb71bf2c808291eb851f4b63046875313f75b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 12:03:39 +0800 +Subject: arm64: dts: mt8183: Add port node to mt8183.dtsi + +From: Pin-yen Lin + +[ Upstream commit d15059f7be59f887c1a370037cc2337c2ff2ad56 ] + +Add the port node to fix the binding schema check. Also update +mt8183-kukui to reference the new port node. + +Fixes: 88ec840270e6 ("arm64: dts: mt8183: Add dsi node") +Fixes: 27eaf34df364 ("arm64: dts: mt8183: config dsi node") +Signed-off-by: Pin-yen Lin +Link: https://lore.kernel.org/r/20250423040354.2847447-1-treapking@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8183-kukui.dtsi | 10 +++------- + arch/arm64/boot/dts/mediatek/mt8183.dtsi | 4 ++++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8183-kukui.dtsi b/arch/arm64/boot/dts/mediatek/mt8183-kukui.dtsi +index 22924f61ec9ed..c4fafd51b1225 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8183-kukui.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8183-kukui.dtsi +@@ -280,14 +280,10 @@ + }; + }; + }; ++}; + +- ports { +- port { +- dsi_out: endpoint { +- remote-endpoint = <&panel_in>; +- }; +- }; +- }; ++&dsi_out { ++ remote-endpoint = <&panel_in>; + }; + + &gic { +diff --git a/arch/arm64/boot/dts/mediatek/mt8183.dtsi b/arch/arm64/boot/dts/mediatek/mt8183.dtsi +index 92c41463d10e3..65be2c2c26d40 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8183.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8183.dtsi +@@ -1836,6 +1836,10 @@ + phys = <&mipi_tx0>; + phy-names = "dphy"; + status = "disabled"; ++ ++ port { ++ dsi_out: endpoint { }; ++ }; + }; + + dpi0: dpi@14015000 { +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-ipq9574-fix-usb-vdd-info.patch b/queue-6.12/arm64-dts-qcom-ipq9574-fix-usb-vdd-info.patch new file mode 100644 index 0000000000..288fed8673 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-ipq9574-fix-usb-vdd-info.patch @@ -0,0 +1,65 @@ +From e477541f75b60408370bf9f3f5a81a1bc5f2214e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 13:05:45 +0530 +Subject: arm64: dts: qcom: ipq9574: Fix USB vdd info + +From: Varadarajan Narayanan + +[ Upstream commit 4f4c905e6a2a4e884f4e9b7326c94fac3500e0f9 ] + +USB phys in ipq9574 use the 'L5' regulator. The commit ec4f047679d5 +("arm64: dts: qcom: ipq9574: Enable USB") incorrectly specified it as +'L2'. Because of this when the phy module turns off/on its regulators, +the wrong regulator is turned off/on resulting in 2 issues, namely the +correct regulator related to the USB phy is not turned off/on and the +module powered by the incorrect regulator is affected. + +Fixes: ec4f047679d5 ("arm64: dts: qcom: ipq9574: Enable USB") +Signed-off-by: Varadarajan Narayanan +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250207073545.1768990-2-quic_varada@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/ipq9574-rdp-common.dtsi | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/ipq9574-rdp-common.dtsi b/arch/arm64/boot/dts/qcom/ipq9574-rdp-common.dtsi +index 91e104b0f8653..a5294a42c287a 100644 +--- a/arch/arm64/boot/dts/qcom/ipq9574-rdp-common.dtsi ++++ b/arch/arm64/boot/dts/qcom/ipq9574-rdp-common.dtsi +@@ -111,6 +111,13 @@ + regulator-always-on; + regulator-boot-on; + }; ++ ++ mp5496_l5: l5 { ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <1800000>; ++ regulator-always-on; ++ regulator-boot-on; ++ }; + }; + }; + +@@ -146,7 +153,7 @@ + }; + + &usb_0_qmpphy { +- vdda-pll-supply = <&mp5496_l2>; ++ vdda-pll-supply = <&mp5496_l5>; + vdda-phy-supply = <®ulator_fixed_0p925>; + + status = "okay"; +@@ -154,7 +161,7 @@ + + &usb_0_qusbphy { + vdd-supply = <®ulator_fixed_0p925>; +- vdda-pll-supply = <&mp5496_l2>; ++ vdda-pll-supply = <&mp5496_l5>; + vdda-phy-dpdm-supply = <®ulator_fixed_3p3>; + + status = "okay"; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-qcm2290-fix-some-of-qup-interconnects.patch b/queue-6.12/arm64-dts-qcom-qcm2290-fix-some-of-qup-interconnects.patch new file mode 100644 index 0000000000..225d638de9 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-qcm2290-fix-some-of-qup-interconnects.patch @@ -0,0 +1,103 @@ +From 0508f5caef9bd737cbe05f475ab4ac8cd5fa3f2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 22:41:18 +0200 +Subject: arm64: dts: qcom: qcm2290: fix (some) of QUP interconnects + +From: Dmitry Baryshkov + +[ Upstream commit e07d2d57a1c7254d25597dcdd34f318a91ec9398 ] + +While adding interconnect support for the QCM2290 platform some of them +got the c&p error, rogue MASTER_APPSS_PROC for the config_noc +interconnect. Turn that into SLAVE_QUP_0 as expected. + +Fixes: 5b970ff0193d ("arm64: dts: qcom: qcm2290: Hook up interconnects") +Reported-by: Konrad Dybcio +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250207-rb1-bt-v4-4-d810fc8c94a9@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcm2290.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/qcm2290.dtsi b/arch/arm64/boot/dts/qcom/qcm2290.dtsi +index 79bc42ffb6a1f..2cfdf5bd5fd9b 100644 +--- a/arch/arm64/boot/dts/qcom/qcm2290.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcm2290.dtsi +@@ -1073,7 +1073,7 @@ + interconnects = <&qup_virt MASTER_QUP_CORE_0 RPM_ALWAYS_TAG + &qup_virt SLAVE_QUP_CORE_0 RPM_ALWAYS_TAG>, + <&bimc MASTER_APPSS_PROC RPM_ALWAYS_TAG +- &config_noc MASTER_APPSS_PROC RPM_ALWAYS_TAG>; ++ &config_noc SLAVE_QUP_0 RPM_ALWAYS_TAG>; + interconnect-names = "qup-core", + "qup-config"; + #address-cells = <1>; +@@ -1092,7 +1092,7 @@ + interconnects = <&qup_virt MASTER_QUP_CORE_0 RPM_ALWAYS_TAG + &qup_virt SLAVE_QUP_CORE_0 RPM_ALWAYS_TAG>, + <&bimc MASTER_APPSS_PROC RPM_ALWAYS_TAG +- &config_noc MASTER_APPSS_PROC RPM_ALWAYS_TAG>; ++ &config_noc SLAVE_QUP_0 RPM_ALWAYS_TAG>; + interconnect-names = "qup-core", + "qup-config"; + status = "disabled"; +@@ -1137,7 +1137,7 @@ + interconnects = <&qup_virt MASTER_QUP_CORE_0 RPM_ALWAYS_TAG + &qup_virt SLAVE_QUP_CORE_0 RPM_ALWAYS_TAG>, + <&bimc MASTER_APPSS_PROC RPM_ALWAYS_TAG +- &config_noc MASTER_APPSS_PROC RPM_ALWAYS_TAG>; ++ &config_noc SLAVE_QUP_0 RPM_ALWAYS_TAG>; + interconnect-names = "qup-core", + "qup-config"; + #address-cells = <1>; +@@ -1184,7 +1184,7 @@ + interconnects = <&qup_virt MASTER_QUP_CORE_0 RPM_ALWAYS_TAG + &qup_virt SLAVE_QUP_CORE_0 RPM_ALWAYS_TAG>, + <&bimc MASTER_APPSS_PROC RPM_ALWAYS_TAG +- &config_noc MASTER_APPSS_PROC RPM_ALWAYS_TAG>; ++ &config_noc SLAVE_QUP_0 RPM_ALWAYS_TAG>; + interconnect-names = "qup-core", + "qup-config"; + #address-cells = <1>; +@@ -1231,7 +1231,7 @@ + interconnects = <&qup_virt MASTER_QUP_CORE_0 RPM_ALWAYS_TAG + &qup_virt SLAVE_QUP_CORE_0 RPM_ALWAYS_TAG>, + <&bimc MASTER_APPSS_PROC RPM_ALWAYS_TAG +- &config_noc MASTER_APPSS_PROC RPM_ALWAYS_TAG>; ++ &config_noc SLAVE_QUP_0 RPM_ALWAYS_TAG>; + interconnect-names = "qup-core", + "qup-config"; + #address-cells = <1>; +@@ -1278,7 +1278,7 @@ + interconnects = <&qup_virt MASTER_QUP_CORE_0 RPM_ALWAYS_TAG + &qup_virt SLAVE_QUP_CORE_0 RPM_ALWAYS_TAG>, + <&bimc MASTER_APPSS_PROC RPM_ALWAYS_TAG +- &config_noc MASTER_APPSS_PROC RPM_ALWAYS_TAG>; ++ &config_noc SLAVE_QUP_0 RPM_ALWAYS_TAG>; + interconnect-names = "qup-core", + "qup-config"; + #address-cells = <1>; +@@ -1297,7 +1297,7 @@ + interconnects = <&qup_virt MASTER_QUP_CORE_0 RPM_ALWAYS_TAG + &qup_virt SLAVE_QUP_CORE_0 RPM_ALWAYS_TAG>, + <&bimc MASTER_APPSS_PROC RPM_ALWAYS_TAG +- &config_noc MASTER_APPSS_PROC RPM_ALWAYS_TAG>; ++ &config_noc SLAVE_QUP_0 RPM_ALWAYS_TAG>; + interconnect-names = "qup-core", + "qup-config"; + status = "disabled"; +@@ -1342,7 +1342,7 @@ + interconnects = <&qup_virt MASTER_QUP_CORE_0 RPM_ALWAYS_TAG + &qup_virt SLAVE_QUP_CORE_0 RPM_ALWAYS_TAG>, + <&bimc MASTER_APPSS_PROC RPM_ALWAYS_TAG +- &config_noc MASTER_APPSS_PROC RPM_ALWAYS_TAG>; ++ &config_noc SLAVE_QUP_0 RPM_ALWAYS_TAG>; + interconnect-names = "qup-core", + "qup-config"; + #address-cells = <1>; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sc8280xp-x13s-drop-duplicate-dmic-sup.patch b/queue-6.12/arm64-dts-qcom-sc8280xp-x13s-drop-duplicate-dmic-sup.patch new file mode 100644 index 0000000000..07ef02d3fc --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sc8280xp-x13s-drop-duplicate-dmic-sup.patch @@ -0,0 +1,53 @@ +From 678f18ac8781d768fe9d1777bd2e326c6b8b870d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 18:44:02 +0100 +Subject: arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies + +From: Stephan Gerhold + +[ Upstream commit a2e617f4e6981aa514a569e927f90b0d39bb31b2 ] + +The WCD938x codec provides two controls for each of the MIC_BIASn outputs: + + - "MIC BIASn" enables an internal regulator to generate the output + with a configurable voltage (qcom,micbiasN-microvolt). + + - "VA MIC BIASn" enables "pull-up mode" that bypasses the internal + regulator and directly outputs fixed 1.8V from the VDD_PX pin. + This is intended for low-power VA (voice activation) use cases. + +The audio-routing setup for the ThinkPad X13s currently specifies both +as power supplies for the DMICs, but only one of them can be active +at the same time. In practice, only the internal regulator is used +with the current setup because the driver prefers it over pull-up mode. + +Make this more clear by dropping the redundant routes to the pull-up +"VA MIC BIASn" supply. There is no functional difference except that we +skip briefly switching to pull-up mode when shutting down the microphone. + +Fixes: 2e498f35c385 ("arm64: dts: qcom: sc8280xp-x13s: fix va dmic dai links and routing") +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20241203-x1e80100-va-mic-bias-v1-1-0dfd4d9b492c@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts +index 6a28cab971891..8e5951da5920d 100644 +--- a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts ++++ b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts +@@ -1131,9 +1131,6 @@ + "VA DMIC0", "MIC BIAS1", + "VA DMIC1", "MIC BIAS1", + "VA DMIC2", "MIC BIAS3", +- "VA DMIC0", "VA MIC BIAS1", +- "VA DMIC1", "VA MIC BIAS1", +- "VA DMIC2", "VA MIC BIAS3", + "TX SWR_ADC1", "ADC2_OUTPUT"; + + wcd-playback-dai-link { +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch b/queue-6.12/arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch new file mode 100644 index 0000000000..130025cff3 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch @@ -0,0 +1,47 @@ +From 89bdf2caf81ec0b9eaf1f820c8f3d746870fda0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 May 2025 14:51:20 +0300 +Subject: arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning + +From: Alexey Minnekhanov + +[ Upstream commit f5110806b41eaa0eb0ab1bf2787876a580c6246c ] + +If you remove clocks property, you should remove clock-names, too. +Fixes warning with dtbs check: + + 'clocks' is a dependency of 'clock-names' + +Fixes: 34279d6e3f32c ("arm64: dts: qcom: sdm660: Add initial Inforce IFC6560 board support") +Signed-off-by: Alexey Minnekhanov +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250504115120.1432282-4-alexeymin@postmarketos.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts +index 962c8aa400440..dc604be4afc63 100644 +--- a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts ++++ b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts +@@ -167,6 +167,7 @@ + * BAM DMA interconnects support is in place. + */ + /delete-property/ clocks; ++ /delete-property/ clock-names; + }; + + &blsp1_uart2 { +@@ -179,6 +180,7 @@ + * BAM DMA interconnects support is in place. + */ + /delete-property/ clocks; ++ /delete-property/ clock-names; + }; + + &blsp2_uart1 { +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch b/queue-6.12/arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch new file mode 100644 index 0000000000..6dbe7984af --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch @@ -0,0 +1,38 @@ +From 02349b9ac124589edc929c7fccbcd880efd5c5bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 May 2025 14:51:19 +0300 +Subject: arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply + +From: Alexey Minnekhanov + +[ Upstream commit dbf62a117a1b7f605a98dd1fd1fd6c85ec324ea0 ] + +Fixes the following dtbs check error: + + phy@c012000: 'vdda-pll-supply' is a required property + +Fixes: e5d3e752b050e ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add USB") +Signed-off-by: Alexey Minnekhanov +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250504115120.1432282-3-alexeymin@postmarketos.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts +index 0b4d71c14a772..a9926ad6c6f9f 100644 +--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts ++++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts +@@ -107,6 +107,7 @@ + status = "okay"; + + vdd-supply = <&vreg_l1b_0p925>; ++ vdda-pll-supply = <&vreg_l10a_1p8>; + vdda-phy-dpdm-supply = <&vreg_l7b_3p125>; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch b/queue-6.12/arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch new file mode 100644 index 0000000000..fb09473e59 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch @@ -0,0 +1,40 @@ +From 907d92e8ab0c7aba735289e837d8bb415256e2d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 16:01:01 +0300 +Subject: arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect + GPIO + +From: Alexey Minnekhanov + +[ Upstream commit 2eca6af66709de0d1ba14cdf8b6d200a1337a3a2 ] + +During initial porting these cd-gpios were missed. Having card detect is +beneficial because driver does not need to do polling every second and it +can just use IRQ. SD card detection in U-Boot is also fixed by this. + +Fixes: cf85e9aee210 ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add eMMC and SD") +Signed-off-by: Alexey Minnekhanov +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250415130101.1429281-1-alexeymin@postmarketos.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts +index 7167f75bced3f..0b4d71c14a772 100644 +--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts ++++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts +@@ -404,6 +404,8 @@ + &sdhc_2 { + status = "okay"; + ++ cd-gpios = <&tlmm 54 GPIO_ACTIVE_HIGH>; ++ + vmmc-supply = <&vreg_l5b_2p95>; + vqmmc-supply = <&vreg_l2b_2p95>; + }; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-fix-usb-regulator-.patch b/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-fix-usb-regulator-.patch new file mode 100644 index 0000000000..1511baa414 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-fix-usb-regulator-.patch @@ -0,0 +1,46 @@ +From 8e2d00891cb6ba508ff5595bdf9389eac7514a92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 19:38:54 +0300 +Subject: arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake + +From: Dzmitry Sankouski + +[ Upstream commit 242e4126ee007b95765c21a9d74651fdcf221f2b ] + +Usb regulator was wrongly pointed to vreg_l1a_0p875. +However, on starqltechn it's powered from vreg_l5a_0p8. + +Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn") +Reviewed-by: Konrad Dybcio +Signed-off-by: Dzmitry Sankouski +Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-3-a5d80375cb66@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts +index 6fc30fd1262b8..f3f2b25883d81 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts +@@ -135,8 +135,6 @@ + vdda_sp_sensor: + vdda_ufs1_core: + vdda_ufs2_core: +- vdda_usb1_ss_core: +- vdda_usb2_ss_core: + vreg_l1a_0p875: ldo1 { + regulator-min-microvolt = <880000>; + regulator-max-microvolt = <880000>; +@@ -157,6 +155,7 @@ + regulator-initial-mode = ; + }; + ++ vdda_usb1_ss_core: + vdd_wcss_cx: + vdd_wcss_mx: + vdda_wcss_pll: +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-refactor-node-orde.patch b/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-refactor-node-orde.patch new file mode 100644 index 0000000000..381dd8b089 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-refactor-node-orde.patch @@ -0,0 +1,35 @@ +From 42e855608176f8649852c7cd2ee0e381a2b8cae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 19:38:55 +0300 +Subject: arm64: dts: qcom: sdm845-starqltechn: refactor node order + +From: Dzmitry Sankouski + +[ Upstream commit cba1dd3d851ebc1b6c5ae4000208a9753320694b ] + +Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn") +Signed-off-by: Dzmitry Sankouski +Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-4-a5d80375cb66@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts +index f3f2b25883d81..8a0d63bd594b3 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts +@@ -382,8 +382,8 @@ + }; + + &sdhc_2 { +- pinctrl-names = "default"; + pinctrl-0 = <&sdc2_clk_state &sdc2_cmd_state &sdc2_data_state &sd_card_det_n_state>; ++ pinctrl-names = "default"; + cd-gpios = <&tlmm 126 GPIO_ACTIVE_LOW>; + vmmc-supply = <&vreg_l21a_2p95>; + vqmmc-supply = <&vddpx_2>; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-remove-excess-rese.patch b/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-remove-excess-rese.patch new file mode 100644 index 0000000000..7e0a2efee9 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-remove-excess-rese.patch @@ -0,0 +1,42 @@ +From b2792c4c8751e19181743ab89bf783851dfca2b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 19:38:56 +0300 +Subject: arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios + +From: Dzmitry Sankouski + +[ Upstream commit fb5fce873b952f8b1c5f7edcabcc8611ef45ea7a ] + +Starqltechn has 2 reserved gpio ranges <27 4>, <85 4>. +<27 4> is spi for eSE(embedded Secure Element). +<85 4> is spi for fingerprint. + +Remove excess reserved gpio regions. + +Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn") +Reviewed-by: Konrad Dybcio +Signed-off-by: Dzmitry Sankouski +Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-5-a5d80375cb66@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts +index 8a0d63bd594b3..5948b401165ce 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts +@@ -418,7 +418,8 @@ + }; + + &tlmm { +- gpio-reserved-ranges = <0 4>, <27 4>, <81 4>, <85 4>; ++ gpio-reserved-ranges = <27 4>, /* SPI (eSE - embedded Secure Element) */ ++ <85 4>; /* SPI (fingerprint reader) */ + + sdc2_clk_state: sdc2-clk-state { + pins = "sdc2_clk"; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-remove-wifi.patch b/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-remove-wifi.patch new file mode 100644 index 0000000000..45b3f70cac --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sdm845-starqltechn-remove-wifi.patch @@ -0,0 +1,46 @@ +From bef0f8b450d1cd944334c6a6ffee07ab8315168b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 19:38:53 +0300 +Subject: arm64: dts: qcom: sdm845-starqltechn: remove wifi + +From: Dzmitry Sankouski + +[ Upstream commit 2d3dd4b237638853b8a99353401ab8d88a6afb6c ] + +Starqltechn has broadcom chip for wifi, so sdm845 wifi part +can be disabled. + +Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn") +Reviewed-by: Konrad Dybcio +Signed-off-by: Dzmitry Sankouski +Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn") +Reviewed-by: Bryan O'Donoghue +Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-2-a5d80375cb66@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts +index d37a433130b98..6fc30fd1262b8 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts +@@ -418,14 +418,6 @@ + status = "okay"; + }; + +-&wifi { +- vdd-0.8-cx-mx-supply = <&vreg_l5a_0p8>; +- vdd-1.8-xo-supply = <&vreg_l7a_1p8>; +- vdd-1.3-rfa-supply = <&vreg_l17a_1p3>; +- vdd-3.3-ch0-supply = <&vreg_l25a_3p3>; +- status = "okay"; +-}; +- + &tlmm { + gpio-reserved-ranges = <0 4>, <27 4>, <81 4>, <85 4>; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch b/queue-6.12/arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch new file mode 100644 index 0000000000..9e2205f12c --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch @@ -0,0 +1,41 @@ +From e202251589c03d0d903bc7996c7c28ed6760f2be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Mar 2025 18:27:51 +0800 +Subject: arm64: dts: qcom: sm8250: Fix CPU7 opp table + +From: Xilin Wu + +[ Upstream commit 28f997b89967afdc0855d8aa7538b251fb44f654 ] + +There is a typo in cpu7_opp9. Fix it to get rid of the following +errors. + +[ 0.198043] cpu cpu7: Voltage update failed freq=1747200 +[ 0.198052] cpu cpu7: failed to update OPP for freq=1747200 + +Fixes: 8e0e8016cb79 ("arm64: dts: qcom: sm8250: Add CPU opp tables") +Signed-off-by: Xilin Wu +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250308-fix-sm8250-cpufreq-v1-1-8a0226721399@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi +index faa36d17b9f2c..e17937f76806c 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi +@@ -606,7 +606,7 @@ + }; + + cpu7_opp9: opp-1747200000 { +- opp-hz = /bits/ 64 <1708800000>; ++ opp-hz = /bits/ 64 <1747200000>; + opp-peak-kBps = <5412000 42393600>; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sm8350-reenable-crypto-cryptobam.patch b/queue-6.12/arm64-dts-qcom-sm8350-reenable-crypto-cryptobam.patch new file mode 100644 index 0000000000..b6f893556b --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sm8350-reenable-crypto-cryptobam.patch @@ -0,0 +1,59 @@ +From 15026806de4c35bcae9032cd4663df508fd9d897 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 18:03:47 +0100 +Subject: arm64: dts: qcom: sm8350: Reenable crypto & cryptobam + +From: Luca Weiss + +[ Upstream commit 75eefd474469abf95aa9ef6da8161d69f86b98b4 ] + +When num-channels and qcom,num-ees is not provided in devicetree, the +driver will try to read these values from the registers during probe but +this fails if the interconnect is not on and then crashes the system. + +So we can provide these properties in devicetree (queried after patching +BAM driver to enable the necessary interconnect) so we can probe +cryptobam without reading registers and then also use the QCE as +expected. + +Fixes: 4d29db204361 ("arm64: dts: qcom: sm8350: fix BAM DMA crash and reboot") +Fixes: f1040a7fe8f0 ("arm64: dts: qcom: sm8350: Add Crypto Engine support") +Signed-off-by: Luca Weiss +Signed-off-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20250212-bam-dma-fixes-v1-1-f560889e65d8@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8350.dtsi | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi +index 404473fa491ae..0be8f2befec7c 100644 +--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi +@@ -1806,11 +1806,11 @@ + interrupts = ; + #dma-cells = <1>; + qcom,ee = <0>; ++ qcom,num-ees = <4>; ++ num-channels = <16>; + qcom,controlled-remotely; + iommus = <&apps_smmu 0x594 0x0011>, + <&apps_smmu 0x596 0x0011>; +- /* FIXME: Probing BAM DMA causes some abort and system hang */ +- status = "fail"; + }; + + crypto: crypto@1dfa000 { +@@ -1822,8 +1822,6 @@ + <&apps_smmu 0x596 0x0011>; + interconnects = <&aggre2_noc MASTER_CRYPTO 0 &mc_virt SLAVE_EBI1 0>; + interconnect-names = "memory"; +- /* FIXME: dependency BAM DMA is disabled */ +- status = "disabled"; + }; + + ipa: ipa@1e40000 { +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sm8650-add-missing-cpu-cfg-interconne.patch b/queue-6.12/arm64-dts-qcom-sm8650-add-missing-cpu-cfg-interconne.patch new file mode 100644 index 0000000000..a39ac5bc97 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sm8650-add-missing-cpu-cfg-interconne.patch @@ -0,0 +1,46 @@ +From 2b9c39d45a90f4c91a6598e63cbf32aaf531f6fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 10:00:33 +0100 +Subject: arm64: dts: qcom: sm8650: add missing cpu-cfg interconnect path in + the mdss node + +From: Neil Armstrong + +[ Upstream commit f22be5c1dd3e12519e3f3b80c14d10b90be2c2fc ] + +The bindings requires the mdp0-mem and the cpu-cfg interconnect path, +add the missing cpu-cfg path to fix the dtbs check error and also to ensure +that MDSS has enough bandwidth to let HLOS write config registers. + +Fixes: 9fa33cbca3d2 ("arm64: dts: qcom: sm8650: correct MDSS interconnects") +Reviewed-by: Konrad Dybcio +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20250227-topic-sm8x50-mdss-interconnect-bindings-fix-v5-2-bf6233c6ebe5@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8650.dtsi | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8650.dtsi b/arch/arm64/boot/dts/qcom/sm8650.dtsi +index 0c54a89bb3322..edde21972f5ac 100644 +--- a/arch/arm64/boot/dts/qcom/sm8650.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8650.dtsi +@@ -3605,8 +3605,11 @@ + resets = <&dispcc DISP_CC_MDSS_CORE_BCR>; + + interconnects = <&mmss_noc MASTER_MDP QCOM_ICC_TAG_ALWAYS +- &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>; +- interconnect-names = "mdp0-mem"; ++ &mc_virt SLAVE_EBI1 QCOM_ICC_TAG_ALWAYS>, ++ <&gem_noc MASTER_APPSS_PROC QCOM_ICC_TAG_ACTIVE_ONLY ++ &config_noc SLAVE_DISPLAY_CFG QCOM_ICC_TAG_ACTIVE_ONLY>; ++ interconnect-names = "mdp0-mem", ++ "cpu-cfg"; + + power-domains = <&dispcc MDSS_GDSC>; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-sm8650-setup-gpu-thermal-with-higher-.patch b/queue-6.12/arm64-dts-qcom-sm8650-setup-gpu-thermal-with-higher-.patch new file mode 100644 index 0000000000..b8be6075d7 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-sm8650-setup-gpu-thermal-with-higher-.patch @@ -0,0 +1,240 @@ +From 59cd74d3a25a18fe02c77f18c7c75ee7dce04fdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Feb 2025 14:23:18 +0100 +Subject: arm64: dts: qcom: sm8650: setup gpu thermal with higher temperatures + +From: Neil Armstrong + +[ Upstream commit 2250f65b32565eb8b757e89248c75977f370f498 ] + +On the SM8650, the dynamic clock and voltage scaling (DCVS) for the GPU +is done from the HLOS, but the GPU can achieve a much higher temperature +before failing according the reference downstream implementation. + +Set higher temperatures in the GPU trip points corresponding to +the temperatures provided by Qualcomm in the dowstream source, much +closer to the junction temperature and with a higher critical +temperature trip in the case the HLOS DCVS cannot handle the +temperature surge. + +The tsens MAX_THRESHOLD is set to 120C on those platforms, so set +the hot to 110C to leave a chance to HLOS to react and critical to +115C to avoid the monitor thermal shutdown. + +Fixes: 497624ed5506 ("arm64: dts: qcom: sm8650: Throttle the GPU when overheating") +Signed-off-by: Neil Armstrong +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250203-topic-sm8650-thermal-cpu-idle-v4-2-65e35f307301@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8650.dtsi | 64 ++++++++++++++-------------- + 1 file changed, 32 insertions(+), 32 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8650.dtsi b/arch/arm64/boot/dts/qcom/sm8650.dtsi +index fddf979de38d1..0c54a89bb3322 100644 +--- a/arch/arm64/boot/dts/qcom/sm8650.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8650.dtsi +@@ -6354,20 +6354,20 @@ + + trips { + gpu0_alert0: trip-point0 { +- temperature = <85000>; ++ temperature = <95000>; + hysteresis = <1000>; + type = "passive"; + }; + + trip-point1 { +- temperature = <90000>; ++ temperature = <110000>; + hysteresis = <1000>; + type = "hot"; + }; + + trip-point2 { +- temperature = <110000>; +- hysteresis = <1000>; ++ temperature = <115000>; ++ hysteresis = <0>; + type = "critical"; + }; + }; +@@ -6387,20 +6387,20 @@ + + trips { + gpu1_alert0: trip-point0 { +- temperature = <85000>; ++ temperature = <95000>; + hysteresis = <1000>; + type = "passive"; + }; + + trip-point1 { +- temperature = <90000>; ++ temperature = <110000>; + hysteresis = <1000>; + type = "hot"; + }; + + trip-point2 { +- temperature = <110000>; +- hysteresis = <1000>; ++ temperature = <115000>; ++ hysteresis = <0>; + type = "critical"; + }; + }; +@@ -6420,20 +6420,20 @@ + + trips { + gpu2_alert0: trip-point0 { +- temperature = <85000>; ++ temperature = <95000>; + hysteresis = <1000>; + type = "passive"; + }; + + trip-point1 { +- temperature = <90000>; ++ temperature = <110000>; + hysteresis = <1000>; + type = "hot"; + }; + + trip-point2 { +- temperature = <110000>; +- hysteresis = <1000>; ++ temperature = <115000>; ++ hysteresis = <0>; + type = "critical"; + }; + }; +@@ -6453,20 +6453,20 @@ + + trips { + gpu3_alert0: trip-point0 { +- temperature = <85000>; ++ temperature = <95000>; + hysteresis = <1000>; + type = "passive"; + }; + + trip-point1 { +- temperature = <90000>; ++ temperature = <110000>; + hysteresis = <1000>; + type = "hot"; + }; + + trip-point2 { +- temperature = <110000>; +- hysteresis = <1000>; ++ temperature = <115000>; ++ hysteresis = <0>; + type = "critical"; + }; + }; +@@ -6486,20 +6486,20 @@ + + trips { + gpu4_alert0: trip-point0 { +- temperature = <85000>; ++ temperature = <95000>; + hysteresis = <1000>; + type = "passive"; + }; + + trip-point1 { +- temperature = <90000>; ++ temperature = <110000>; + hysteresis = <1000>; + type = "hot"; + }; + + trip-point2 { +- temperature = <110000>; +- hysteresis = <1000>; ++ temperature = <115000>; ++ hysteresis = <0>; + type = "critical"; + }; + }; +@@ -6519,20 +6519,20 @@ + + trips { + gpu5_alert0: trip-point0 { +- temperature = <85000>; ++ temperature = <95000>; + hysteresis = <1000>; + type = "passive"; + }; + + trip-point1 { +- temperature = <90000>; ++ temperature = <110000>; + hysteresis = <1000>; + type = "hot"; + }; + + trip-point2 { +- temperature = <110000>; +- hysteresis = <1000>; ++ temperature = <115000>; ++ hysteresis = <0>; + type = "critical"; + }; + }; +@@ -6552,20 +6552,20 @@ + + trips { + gpu6_alert0: trip-point0 { +- temperature = <85000>; ++ temperature = <95000>; + hysteresis = <1000>; + type = "passive"; + }; + + trip-point1 { +- temperature = <90000>; ++ temperature = <110000>; + hysteresis = <1000>; + type = "hot"; + }; + + trip-point2 { +- temperature = <110000>; +- hysteresis = <1000>; ++ temperature = <115000>; ++ hysteresis = <0>; + type = "critical"; + }; + }; +@@ -6585,20 +6585,20 @@ + + trips { + gpu7_alert0: trip-point0 { +- temperature = <85000>; ++ temperature = <95000>; + hysteresis = <1000>; + type = "passive"; + }; + + trip-point1 { +- temperature = <90000>; ++ temperature = <110000>; + hysteresis = <1000>; + type = "hot"; + }; + + trip-point2 { +- temperature = <110000>; +- hysteresis = <1000>; ++ temperature = <115000>; ++ hysteresis = <0>; + type = "critical"; + }; + }; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-x1e80100-mark-usb_2-as-dma-coherent.patch b/queue-6.12/arm64-dts-qcom-x1e80100-mark-usb_2-as-dma-coherent.patch new file mode 100644 index 0000000000..15ded4b9a3 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-x1e80100-mark-usb_2-as-dma-coherent.patch @@ -0,0 +1,37 @@ +From 539ac4b625b541b5912ea0bca8d30c2fe0a6a563 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 21:52:31 +0100 +Subject: arm64: dts: qcom: x1e80100: Mark usb_2 as dma-coherent + +From: Mark Kettenis + +[ Upstream commit 45bd6ff900cfe5038e2718a900f153ded3fa5392 ] + +Make this USB controller consistent with the others on this platform. + +Fixes: 4af46b7bd66f ("arm64: dts: qcom: x1e80100: Add USB nodes") +Signed-off-by: Mark Kettenis +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250109205232.92336-1-kettenis@openbsd.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/x1e80100.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/x1e80100.dtsi b/arch/arm64/boot/dts/qcom/x1e80100.dtsi +index 5a5abd5fa6585..948ce7dd8b058 100644 +--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi ++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi +@@ -4284,6 +4284,8 @@ + phy-names = "usb2-phy"; + maximum-speed = "high-speed"; + ++ dma-coherent; ++ + ports { + #address-cells = <1>; + #size-cells = <0>; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-qcom-x1e80100-romulus-keep-l12b-and-l15b-a.patch b/queue-6.12/arm64-dts-qcom-x1e80100-romulus-keep-l12b-and-l15b-a.patch new file mode 100644 index 0000000000..a9ee1f15d7 --- /dev/null +++ b/queue-6.12/arm64-dts-qcom-x1e80100-romulus-keep-l12b-and-l15b-a.patch @@ -0,0 +1,47 @@ +From bc3843c7d49ac60fc85e5aae22ce907e44ee3469 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 18:10:46 +0100 +Subject: arm64: dts: qcom: x1e80100-romulus: Keep L12B and L15B always on + +From: Konrad Dybcio + +[ Upstream commit 0783c8b3c06b9cf16b5108d558e2faffb8c533b7 ] + +These regulators power some electronic components onboard. They're +most likely kept online by other pieces of firmware, but you can never +be sure enough. + +Fixes: 09d77be56093 ("arm64: dts: qcom: Add support for X1-based Surface Laptop 7 devices") +Reported-by: Johan Hovold +Signed-off-by: Konrad Dybcio +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20250304-topic-sl7_vregs_aon-v1-1-b2dc706e4157@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/x1e80100-microsoft-romulus.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/boot/dts/qcom/x1e80100-microsoft-romulus.dtsi b/arch/arm64/boot/dts/qcom/x1e80100-microsoft-romulus.dtsi +index 19da90704b7cb..001a9dc0a4baa 100644 +--- a/arch/arm64/boot/dts/qcom/x1e80100-microsoft-romulus.dtsi ++++ b/arch/arm64/boot/dts/qcom/x1e80100-microsoft-romulus.dtsi +@@ -267,6 +267,7 @@ + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; + regulator-initial-mode = ; ++ regulator-always-on; + }; + + vreg_l13b: ldo13 { +@@ -288,6 +289,7 @@ + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; ++ regulator-always-on; + }; + + vreg_l16b: ldo16 { +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-renesas-white-hawk-ard-audio-fix-tpu0-grou.patch b/queue-6.12/arm64-dts-renesas-white-hawk-ard-audio-fix-tpu0-grou.patch new file mode 100644 index 0000000000..2af174ee05 --- /dev/null +++ b/queue-6.12/arm64-dts-renesas-white-hawk-ard-audio-fix-tpu0-grou.patch @@ -0,0 +1,42 @@ +From 54e6e5cd5d225337c92179130b491f1660932985 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 06:43:24 +0000 +Subject: arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups + +From: Thuan Nguyen + +[ Upstream commit 652eea251dd852f02cef6223f367220acb3d1867 ] + +White Hawk ARD audio uses a clock generated by the TPU, but commit +3d144ef10a44 ("pinctrl: renesas: r8a779g0: Fix TPU suffixes") renamed +pin group "tpu_to0_a" to "tpu_to0_b". Update DTS accordingly otherwise +the sound driver does not receive a clock signal. + +Fixes: 3d144ef10a448f89 ("pinctrl: renesas: r8a779g0: Fix TPU suffixes") +Signed-off-by: Thuan Nguyen +Signed-off-by: Duy Nguyen +Reviewed-by: Geert Uytterhoeven +Acked-by: Kuninori Morimoto +Link: https://lore.kernel.org/TYCPR01MB8740608B675365215ADB0374B49CA@TYCPR01MB8740.jpnprd01.prod.outlook.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + .../boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso b/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso +index e6cf304c77ee9..5d820bd32ff67 100644 +--- a/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso ++++ b/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso +@@ -108,7 +108,7 @@ + }; + + tpu0_pins: tpu0 { +- groups = "tpu_to0_a"; ++ groups = "tpu_to0_b"; + function = "tpu"; + }; + }; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch b/queue-6.12/arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch new file mode 100644 index 0000000000..67faaf17d3 --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch @@ -0,0 +1,41 @@ +From f054ccc521f99dcbffe2851b8fa2293ca3991869 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 20:56:55 +0100 +Subject: arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3566-rock3c + +From: Peter Robinson + +[ Upstream commit a706a593cb19796f31d3a888423ef1a71885ae72 ] + +As described in the radxa_rock_3c_v1400_schematic.pdf, the SPI Flash's +VCC connector is connected to VCCIO_FLASH and according to the +that same schematic, that belongs to the VCC_1V8 power source. + +This fixes the following warning: + + spi-nor spi4.0: supply vcc not found, using dummy regulator + +Fixes: ee219017ddb5 ("arm64: dts: rockchip: Add Radxa ROCK 3C") +Signed-off-by: Peter Robinson +Link: https://lore.kernel.org/r/20250506195702.593044-1-pbrobinson@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3566-rock-3c.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3566-rock-3c.dts b/arch/arm64/boot/dts/rockchip/rk3566-rock-3c.dts +index f2cc086e5001a..887c9be1b4100 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3566-rock-3c.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3566-rock-3c.dts +@@ -636,6 +636,7 @@ + spi-max-frequency = <104000000>; + spi-rx-bus-width = <4>; + spi-tx-bus-width = <1>; ++ vcc-supply = <&vcc_1v8>; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch b/queue-6.12/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch new file mode 100644 index 0000000000..d4b79a9614 --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch @@ -0,0 +1,67 @@ +From 301547ccd9314424f529d2dbb73fe428c6de82c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 17:18:10 +0200 +Subject: arm64: dts: rockchip: disable unrouted USB controllers and PHY on + RK3399 Puma with Haikou + +From: Quentin Schulz + +[ Upstream commit febd8c6ab52c683b447fe22fc740918c86feae43 ] + +The u2phy0_host port is the part of the USB PHY0 (namely the +HOST0_DP/DM lanes) which routes directly to the USB2.0 HOST +controller[1]. The other lanes of the PHY are routed to the USB3.0 OTG +controller (dwc3), which we do use. + +The HOST0_DP/DM lanes aren't routed on RK3399 Puma so let's simply +disable the USB2.0 controllers. + +USB3 OTG has been known to be unstable on RK3399 Puma Haikou for a +while, one of the recurring issues being that only USB2 is detected and +not USB3 in host mode. Reading the justification above and seeing that +we are keeping u2phy0_host in the Haikou carrierboard DTS probably may +have bothered you since it should be changed to u2phy0_otg. The issue is +that if it's switched to that, USB OTG on Haikou is entirely broken. I +have checked the routing in the Gerber file, the lanes are going to the +expected ball pins (that is, NOT HOST0_DP/DM). +u2phy0_host is for sure the wrong part of the PHY to use, but it's the +only one that works at the moment for that board so keep it until we +figure out what exactly is broken. + +No intended functional change. + +[1] https://rockchip.fr/Rockchip%20RK3399%20TRM%20V1.3%20Part2.pdf + Chapter 2 USB2.0 PHY + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Signed-off-by: Quentin Schulz +Signed-off-by: Lukasz Czechowski +Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-5-4a76a474a010@thaumatec.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +index f6f15946579eb..57466fbfd3f9a 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +@@ -284,14 +284,6 @@ + status = "okay"; + }; + +-&usb_host0_ehci { +- status = "okay"; +-}; +- +-&usb_host0_ohci { +- status = "okay"; +-}; +- + &vopb { + status = "okay"; + }; +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-rockchip-move-shmem-memory-to-reserved-mem.patch b/queue-6.12/arm64-dts-rockchip-move-shmem-memory-to-reserved-mem.patch new file mode 100644 index 0000000000..bc69ae855a --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-move-shmem-memory-to-reserved-mem.patch @@ -0,0 +1,52 @@ +From 3c7c0166f62ca1373a8fc76a815eee03a568c0ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 17:00:09 +0800 +Subject: arm64: dts: rockchip: Move SHMEM memory to reserved memory on rk3588 + +From: Chukun Pan + +[ Upstream commit 8ecd096d018be8a6bd3bd930f3a41a85db66a67d ] + +0x0 to 0xf0000000 are SDRAM memory areas where 0x10f000 is located. +So move the SHMEM memory of arm_scmi to the reserved memory node. + +Fixes: c9211fa2602b ("arm64: dts: rockchip: Add base DT for rk3588 SoC") +Signed-off-by: Chukun Pan +Link: https://lore.kernel.org/r/20250401090009.733771-2-amadeus@jmu.edu.cn +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3588-base.dtsi | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi b/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi +index 83e7e0fbe7839..ad4331bc07806 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi +@@ -428,16 +428,15 @@ + #clock-cells = <0>; + }; + +- pmu_sram: sram@10f000 { +- compatible = "mmio-sram"; +- reg = <0x0 0x0010f000 0x0 0x100>; +- ranges = <0 0x0 0x0010f000 0x100>; +- #address-cells = <1>; +- #size-cells = <1>; ++ reserved-memory { ++ #address-cells = <2>; ++ #size-cells = <2>; ++ ranges; + +- scmi_shmem: sram@0 { ++ scmi_shmem: shmem@10f000 { + compatible = "arm,scmi-shmem"; +- reg = <0x0 0x100>; ++ reg = <0x0 0x0010f000 0x0 0x100>; ++ no-map; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-rockchip-update-emmc-for-nanopi-r5-series.patch b/queue-6.12/arm64-dts-rockchip-update-emmc-for-nanopi-r5-series.patch new file mode 100644 index 0000000000..b0c9c9b75c --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-update-emmc-for-nanopi-r5-series.patch @@ -0,0 +1,45 @@ +From 88722bbc1fd8be625ebeddb496a8f03883da7daa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 23:25:28 +0100 +Subject: arm64: dts: rockchip: Update eMMC for NanoPi R5 series + +From: Peter Robinson + +[ Upstream commit 8eca9e979a1efbcc3d090f6eb3f4da621e7c87e0 ] + +Add the 3.3v and 1.8v regulators that are connected to +the eMMC on the R5 series devices, as well as adding the +eMMC data strobe, and enable eMMC HS200 mode as the +Foresee FEMDNN0xxG-A3A55 modules support it. + +Fixes: c8ec73b05a95d ("arm64: dts: rockchip: create common dtsi for NanoPi R5 series") +Signed-off-by: Peter Robinson +Reviewed-by: Diederik de Haas +Link: https://lore.kernel.org/r/20250506222531.625157-1-pbrobinson@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi b/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi +index 93189f8306400..c30354268c8f5 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi +@@ -486,9 +486,12 @@ + &sdhci { + bus-width = <8>; + max-frequency = <200000000>; ++ mmc-hs200-1_8v; + non-removable; + pinctrl-names = "default"; +- pinctrl-0 = <&emmc_bus8 &emmc_clk &emmc_cmd>; ++ pinctrl-0 = <&emmc_bus8 &emmc_clk &emmc_cmd &emmc_datastrobe>; ++ vmmc-supply = <&vcc_3v3>; ++ vqmmc-supply = <&vcc_1v8>; + status = "okay"; + }; + +-- +2.39.5 + diff --git a/queue-6.12/arm64-dts-ti-k3-j721e-common-proc-board-enable-ospi1.patch b/queue-6.12/arm64-dts-ti-k3-j721e-common-proc-board-enable-ospi1.patch new file mode 100644 index 0000000000..5d5ab252b5 --- /dev/null +++ b/queue-6.12/arm64-dts-ti-k3-j721e-common-proc-board-enable-ospi1.patch @@ -0,0 +1,36 @@ +From 9489875e0729222c5513b2a70f7737ed3f4f015b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 10:37:01 +0530 +Subject: arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E + +From: Prasanth Babu Mantena + +[ Upstream commit 6b8deb2ff0d31848c43a73f6044e69ba9276b3ec ] + +J721E SoM has MT25QU512AB Serial NOR flash connected to +OSPI1 controller. Enable ospi1 node in device tree. + +Fixes: 73676c480b72 ("arm64: dts: ti: k3-j721e: Enable OSPI nodes at the board level") +Signed-off-by: Prasanth Babu Mantena +Link: https://lore.kernel.org/r/20250507050701.3007209-1-p-mantena@ti.com +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts b/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts +index 8230d53cd6960..f7a557e6af547 100644 +--- a/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts ++++ b/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts +@@ -557,6 +557,7 @@ + &ospi1 { + pinctrl-names = "default"; + pinctrl-0 = <&mcu_fss0_ospi1_pins_default>; ++ status = "okay"; + + flash@0 { + compatible = "jedec,spi-nor"; +-- +2.39.5 + diff --git a/queue-6.12/arm64-fpsimd-avoid-clobbering-kernel-fpsimd-state-wi.patch b/queue-6.12/arm64-fpsimd-avoid-clobbering-kernel-fpsimd-state-wi.patch new file mode 100644 index 0000000000..fc7fd8c0db --- /dev/null +++ b/queue-6.12/arm64-fpsimd-avoid-clobbering-kernel-fpsimd-state-wi.patch @@ -0,0 +1,55 @@ +From 55332dc121328923aed0228a41909dfe9c476002 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 17:40:04 +0100 +Subject: arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP + +From: Mark Rutland + +[ Upstream commit 01098d893fa8a6edb2b56e178b798e3e6b674f02 ] + +On system with SME, a thread's kernel FPSIMD state may be erroneously +clobbered during a context switch immediately after that state is +restored. Systems without SME are unaffected. + +If the CPU happens to be in streaming SVE mode before a context switch +to a thread with kernel FPSIMD state, fpsimd_thread_switch() will +restore the kernel FPSIMD state using fpsimd_load_kernel_state() while +the CPU is still in streaming SVE mode. When fpsimd_thread_switch() +subsequently calls fpsimd_flush_cpu_state(), this will execute an +SMSTOP, causing an exit from streaming SVE mode. The exit from +streaming SVE mode will cause the hardware to reset a number of +FPSIMD/SVE/SME registers, clobbering the FPSIMD state. + +Fix this by calling fpsimd_flush_cpu_state() before restoring the kernel +FPSIMD state. + +Fixes: e92bee9f861b ("arm64/fpsimd: Avoid erroneous elide of user state reload") +Signed-off-by: Mark Rutland +Cc: Ard Biesheuvel +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20250409164010.3480271-8-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index 12982f1570fca..9f2b83c50f7d9 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1575,8 +1575,8 @@ void fpsimd_thread_switch(struct task_struct *next) + fpsimd_save_user_state(); + + if (test_tsk_thread_flag(next, TIF_KERNEL_FPSTATE)) { +- fpsimd_load_kernel_state(next); + fpsimd_flush_cpu_state(); ++ fpsimd_load_kernel_state(next); + } else { + /* + * Fix up TIF_FOREIGN_FPSTATE to correctly describe next's +-- +2.39.5 + diff --git a/queue-6.12/arm64-fpsimd-avoid-res0-bits-in-the-sme-trap-handler.patch b/queue-6.12/arm64-fpsimd-avoid-res0-bits-in-the-sme-trap-handler.patch new file mode 100644 index 0000000000..ccada289ac --- /dev/null +++ b/queue-6.12/arm64-fpsimd-avoid-res0-bits-in-the-sme-trap-handler.patch @@ -0,0 +1,78 @@ +From cf59b2a4582c872df5feff53f45b7c52fc02b6ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 17:39:58 +0100 +Subject: arm64/fpsimd: Avoid RES0 bits in the SME trap handler + +From: Mark Rutland + +[ Upstream commit 95507570fb2f75544af69760cd5d8f48fc5c7f20 ] + +The SME trap handler consumes RES0 bits from the ESR when determining +the reason for the trap, and depends upon those bits reading as zero. +This may break in future when those RES0 bits are allocated a meaning +and stop reading as zero. + +For SME traps taken with ESR_ELx.EC == 0b011101, the specific reason for +the trap is indicated by ESR_ELx.ISS.SMTC ("SME Trap Code"). This field +occupies bits [2:0] of ESR_ELx.ISS, and as of ARM DDI 0487 L.a, bits +[24:3] of ESR_ELx.ISS are RES0. ESR_ELx.ISS itself occupies bits [24:0] +of ESR_ELx. + +Extract the SMTC field specifically, matching the way we handle ESR_ELx +fields elsewhere, and ensuring that the handler is future-proof. + +Fixes: 8bd7f91c03d8 ("arm64/sme: Implement traps and syscall handling for SME") +Signed-off-by: Mark Rutland +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20250409164010.3480271-2-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/esr.h | 14 ++++++++------ + arch/arm64/kernel/fpsimd.c | 2 +- + 2 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/arch/arm64/include/asm/esr.h b/arch/arm64/include/asm/esr.h +index da6d2c1c0b030..5f4dc6364dbb9 100644 +--- a/arch/arm64/include/asm/esr.h ++++ b/arch/arm64/include/asm/esr.h +@@ -370,12 +370,14 @@ + /* + * ISS values for SME traps + */ +- +-#define ESR_ELx_SME_ISS_SME_DISABLED 0 +-#define ESR_ELx_SME_ISS_ILL 1 +-#define ESR_ELx_SME_ISS_SM_DISABLED 2 +-#define ESR_ELx_SME_ISS_ZA_DISABLED 3 +-#define ESR_ELx_SME_ISS_ZT_DISABLED 4 ++#define ESR_ELx_SME_ISS_SMTC_MASK GENMASK(2, 0) ++#define ESR_ELx_SME_ISS_SMTC(esr) ((esr) & ESR_ELx_SME_ISS_SMTC_MASK) ++ ++#define ESR_ELx_SME_ISS_SMTC_SME_DISABLED 0 ++#define ESR_ELx_SME_ISS_SMTC_ILL 1 ++#define ESR_ELx_SME_ISS_SMTC_SM_DISABLED 2 ++#define ESR_ELx_SME_ISS_SMTC_ZA_DISABLED 3 ++#define ESR_ELx_SME_ISS_SMTC_ZT_DISABLED 4 + + /* ISS field definitions for MOPS exceptions */ + #define ESR_ELx_MOPS_ISS_MEM_INST (UL(1) << 24) +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index f38d22dac140f..1aab12a320bbd 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1436,7 +1436,7 @@ void do_sme_acc(unsigned long esr, struct pt_regs *regs) + * If this not a trap due to SME being disabled then something + * is being used in the wrong mode, report as SIGILL. + */ +- if (ESR_ELx_ISS(esr) != ESR_ELx_SME_ISS_SME_DISABLED) { ++ if (ESR_ELx_SME_ISS_SMTC(esr) != ESR_ELx_SME_ISS_SMTC_SME_DISABLED) { + force_signal_inject(SIGILL, ILL_ILLOPC, regs->pc, 0); + return; + } +-- +2.39.5 + diff --git a/queue-6.12/arm64-fpsimd-avoid-warning-when-sve_to_fpsimd-is-unu.patch b/queue-6.12/arm64-fpsimd-avoid-warning-when-sve_to_fpsimd-is-unu.patch new file mode 100644 index 0000000000..92e77b1b50 --- /dev/null +++ b/queue-6.12/arm64-fpsimd-avoid-warning-when-sve_to_fpsimd-is-unu.patch @@ -0,0 +1,77 @@ +From 728a18688799b412e824c293a65e0d88a47a8524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 18:32:40 +0100 +Subject: arm64/fpsimd: Avoid warning when sve_to_fpsimd() is unused + +From: Mark Rutland + +[ Upstream commit f699c66691fb7e08a5a631c5baf5f2a19b7a6468 ] + +Historically fpsimd_to_sve() and sve_to_fpsimd() were (conditionally) +called by functions which were defined regardless of CONFIG_ARM64_SVE. +Hence it was necessary that both fpsimd_to_sve() and sve_to_fpsimd() +were always defined and not guarded by ifdeffery. + +As a result of the removal of fpsimd_signal_preserve_current_state() in +commit: + + 929fa99b1215966f ("arm64/fpsimd: signal: Always save+flush state early") + +... sve_to_fpsimd() has no callers when CONFIG_ARM64_SVE=n, resulting in +a build-time warnign that it is unused: + +| arch/arm64/kernel/fpsimd.c:676:13: warning: unused function 'sve_to_fpsimd' [-Wunused-function] +| 676 | static void sve_to_fpsimd(struct task_struct *task) +| | ^~~~~~~~~~~~~ +| 1 warning generated. + +In contrast, fpsimd_to_sve() still has callers which are defined when +CONFIG_ARM64_SVE=n, and it would be awkward to hide this behind +ifdeffery and/or to use stub functions. + +For now, suppress the warning by marking both fpsimd_to_sve() and +sve_to_fpsimd() as 'static inline', as we usually do for stub functions. +The compiler will no longer warn if either function is unused. + +Aside from suppressing the warning, there should be no functional change +as a result of this patch. + +Link: https://lore.kernel.org/linux-arm-kernel/20250429194600.GA26883@willie-the-truck/ +Reported-by: Will Deacon +Fixes: 929fa99b1215 ("arm64/fpsimd: signal: Always save+flush state early") +Signed-off-by: Mark Rutland +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Link: https://lore.kernel.org/r/20250430173240.4023627-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index 9f4f3d54c2207..c5285ee55bfb0 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -651,7 +651,7 @@ static void __fpsimd_to_sve(void *sst, struct user_fpsimd_state const *fst, + * task->thread.uw.fpsimd_state must be up to date before calling this + * function. + */ +-static void fpsimd_to_sve(struct task_struct *task) ++static inline void fpsimd_to_sve(struct task_struct *task) + { + unsigned int vq; + void *sst = task->thread.sve_state; +@@ -675,7 +675,7 @@ static void fpsimd_to_sve(struct task_struct *task) + * bytes of allocated kernel memory. + * task->thread.sve_state must be up to date before calling this function. + */ +-static void sve_to_fpsimd(struct task_struct *task) ++static inline void sve_to_fpsimd(struct task_struct *task) + { + unsigned int vq, vl; + void const *sst = task->thread.sve_state; +-- +2.39.5 + diff --git a/queue-6.12/arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch b/queue-6.12/arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch new file mode 100644 index 0000000000..b0fcf780f2 --- /dev/null +++ b/queue-6.12/arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch @@ -0,0 +1,101 @@ +From 075a97eeaf5a616a2d488204ca85097689fdf704 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 17:40:02 +0100 +Subject: arm64/fpsimd: Discard stale CPU state when handling SME traps + +From: Mark Brown + +[ Upstream commit d3eaab3c70905c5467e5c4ea403053d67505adeb ] + +The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state +incorrectly, and a race with preemption can result in a task having +TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state +is stale (e.g. with SME traps enabled). This can result in warnings from +do_sme_acc() where SME traps are not expected while TIF_SME is set: + +| /* With TIF_SME userspace shouldn't generate any traps */ +| if (test_and_set_thread_flag(TIF_SME)) +| WARN_ON(1); + +This is very similar to the SVE issue we fixed in commit: + + 751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps") + +The race can occur when the SME trap handler is preempted before and +after manipulating the saved FPSIMD/SVE/SME state, starting and ending on +the same CPU, e.g. + +| void do_sme_acc(unsigned long esr, struct pt_regs *regs) +| { +| // Trap on CPU 0 with TIF_SME clear, SME traps enabled +| // task->fpsimd_cpu is 0. +| // per_cpu_ptr(&fpsimd_last_state, 0) is task. +| +| ... +| +| // Preempted; migrated from CPU 0 to CPU 1. +| // TIF_FOREIGN_FPSTATE is set. +| +| get_cpu_fpsimd_context(); +| +| /* With TIF_SME userspace shouldn't generate any traps */ +| if (test_and_set_thread_flag(TIF_SME)) +| WARN_ON(1); +| +| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { +| unsigned long vq_minus_one = +| sve_vq_from_vl(task_get_sme_vl(current)) - 1; +| sme_set_vq(vq_minus_one); +| +| fpsimd_bind_task_to_cpu(); +| } +| +| put_cpu_fpsimd_context(); +| +| // Preempted; migrated from CPU 1 to CPU 0. +| // task->fpsimd_cpu is still 0 +| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: +| // - Stale HW state is reused (with SME traps enabled) +| // - TIF_FOREIGN_FPSTATE is cleared +| // - A return to userspace skips HW state restore +| } + +Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set +by calling fpsimd_flush_task_state() to detach from the saved CPU +state. This ensures that a subsequent context switch will not reuse the +stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the +new state to be reloaded from memory prior to a return to userspace. + +Note: this was originallly posted as [1]. + +Fixes: 8bd7f91c03d8 ("arm64/sme: Implement traps and syscall handling for SME") +Reported-by: Mark Rutland +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/linux-arm-kernel/20241204-arm64-sme-reenable-v2-1-bae87728251d@kernel.org/ +[ Rutland: rewrite commit message ] +Signed-off-by: Mark Rutland +Cc: Marc Zyngier +Cc: Will Deacon +Link: https://lore.kernel.org/r/20250409164010.3480271-6-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index 1aab12a320bbd..42b6740d1a64c 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1460,6 +1460,8 @@ void do_sme_acc(unsigned long esr, struct pt_regs *regs) + sme_set_vq(vq_minus_one); + + fpsimd_bind_task_to_cpu(); ++ } else { ++ fpsimd_flush_task_state(current); + } + + put_cpu_fpsimd_context(); +-- +2.39.5 + diff --git a/queue-6.12/arm64-fpsimd-do-not-discard-modified-sve-state.patch b/queue-6.12/arm64-fpsimd-do-not-discard-modified-sve-state.patch new file mode 100644 index 0000000000..30edcc6f9f --- /dev/null +++ b/queue-6.12/arm64-fpsimd-do-not-discard-modified-sve-state.patch @@ -0,0 +1,286 @@ +From 5a6efa8005c4f254204f4d93a495d68ac3785923 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 14:26:21 +0100 +Subject: arm64/fpsimd: Do not discard modified SVE state + +From: Mark Rutland + +[ Upstream commit 398edaa12f9cf2be7902f306fc023c20e3ebd3e4 ] + +Historically SVE state was discarded deterministically early in the +syscall entry path, before ptrace is notified of syscall entry. This +permitted ptrace to modify SVE state before and after the "real" syscall +logic was executed, with the modified state being retained. + +This behaviour was changed by commit: + + 8c845e2731041f0f ("arm64/sve: Leave SVE enabled on syscall if we don't context switch") + +That commit was intended to speed up workloads that used SVE by +opportunistically leaving SVE enabled when returning from a syscall. +The syscall entry logic was modified to truncate the SVE state without +disabling userspace access to SVE, and fpsimd_save_user_state() was +modified to discard userspace SVE state whenever +in_syscall(current_pt_regs()) is true, i.e. when +current_pt_regs()->syscallno != NO_SYSCALL. + +Leaving SVE enabled opportunistically resulted in a couple of changes to +userspace visible behaviour which weren't described at the time, but are +logical consequences of opportunistically leaving SVE enabled: + +* Signal handlers can observe the type of saved state in the signal's + sve_context record. When the kernel only tracks FPSIMD state, the 'vq' + field is 0 and there is no space allocated for register contents. When + the kernel tracks SVE state, the 'vq' field is non-zero and the + register contents are saved into the record. + + As a result of the above commit, 'vq' (and the presence of SVE + register state) is non-deterministically zero or non-zero for a period + of time after a syscall. The effective register state is still + deterministic. + + Hopefully no-one relies on this being deterministic. In general, + handlers for asynchronous events cannot expect a deterministic state. + +* Similarly to signal handlers, ptrace requests can observe the type of + saved state in the NT_ARM_SVE and NT_ARM_SSVE regsets, as this is + exposed in the header flags. As a result of the above commit, this is + now in a non-deterministic state after a syscall. The effective + register state is still deterministic. + + Hopefully no-one relies on this being deterministic. In general, + debuggers would have to handle this changing at arbitrary points + during program flow. + +Discarding the SVE state within fpsimd_save_user_state() resulted in +other changes to userspace visible behaviour which are not desirable: + +* A ptrace tracer can modify (or create) a tracee's SVE state at syscall + entry or syscall exit. As a result of the above commit, the tracee's + SVE state can be discarded non-deterministically after modification, + rather than being retained as it previously was. + + Note that for co-operative tracer/tracee pairs, the tracer may + (re)initialise the tracee's state arbitrarily after the tracee sends + itself an initial SIGSTOP via a syscall, so this affects realistic + design patterns. + +* The current_pt_regs()->syscallno field can be modified via ptrace, and + can be altered even when the tracee is not really in a syscall, + causing non-deterministic discarding to occur in situations where this + was not previously possible. + +Further, using current_pt_regs()->syscallno in this way is unsound: + +* There are data races between readers and writers of the + current_pt_regs()->syscallno field. + + The current_pt_regs()->syscallno field is written in interruptible + task context using plain C accesses, and is read in irq/softirq + context using plain C accesses. These accesses are subject to data + races, with the usual concerns with tearing, etc. + +* Writes to current_pt_regs()->syscallno are subject to compiler + reordering. + + As current_pt_regs()->syscallno is written with plain C accesses, + the compiler is free to move those writes arbitrarily relative to + anything which doesn't access the same memory location. + + In theory this could break signal return, where prior to restoring the + SVE state, restore_sigframe() calls forget_syscall(). If the write + were hoisted after restore of some SVE state, that state could be + discarded unexpectedly. + + In practice that reordering cannot happen in the absence of LTO (as + cross compilation-unit function calls happen prevent this reordering), + and that reordering appears to be unlikely in the presence of LTO. + +Additionally, since commit: + + f130ac0ae4412dbe ("arm64: syscall: unmask DAIF earlier for SVCs") + +... DAIF is unmasked before el0_svc_common() sets regs->syscallno to the +real syscall number. Consequently state may be saved in SVE format prior +to this point. + +Considering all of the above, current_pt_regs()->syscallno should not be +used to infer whether the SVE state can be discarded. Luckily we can +instead use cpu_fp_state::to_save to track when it is safe to discard +the SVE state: + +* At syscall entry, after the live SVE register state is truncated, set + cpu_fp_state::to_save to FP_STATE_FPSIMD to indicate that only the + FPSIMD portion is live and needs to be saved. + +* At syscall exit, once the task's state is guaranteed to be live, set + cpu_fp_state::to_save to FP_STATE_CURRENT to indicate that TIF_SVE + must be considered to determine which state needs to be saved. + +* Whenever state is modified, it must be saved+flushed prior to + manipulation. The state will be truncated if necessary when it is + saved, and reloading the state will set fp_state::to_save to + FP_STATE_CURRENT, preventing subsequent discarding. + +This permits SVE state to be discarded *only* when it is known to have +been truncated (and the non-FPSIMD portions must be zero), and ensures +that SVE state is retained after it is explicitly modified. + +For backporting, note that this fix depends on the following commits: + +* b2482807fbd4 ("arm64/sme: Optimise SME exit on syscall entry") +* f130ac0ae441 ("arm64: syscall: unmask DAIF earlier for SVCs") +* 929fa99b1215 ("arm64/fpsimd: signal: Always save+flush state early") + +Fixes: 8c845e273104 ("arm64/sve: Leave SVE enabled on syscall if we don't context switch") +Fixes: f130ac0ae441 ("arm64: syscall: unmask DAIF earlier for SVCs") +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Link: https://lore.kernel.org/r/20250508132644.1395904-2-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/fpsimd.h | 3 +++ + arch/arm64/kernel/entry-common.c | 46 ++++++++++++++++++++++++-------- + arch/arm64/kernel/fpsimd.c | 15 ++++++----- + 3 files changed, 47 insertions(+), 17 deletions(-) + +diff --git a/arch/arm64/include/asm/fpsimd.h b/arch/arm64/include/asm/fpsimd.h +index f2a84efc36185..c8dcb67b81a72 100644 +--- a/arch/arm64/include/asm/fpsimd.h ++++ b/arch/arm64/include/asm/fpsimd.h +@@ -6,6 +6,7 @@ + #define __ASM_FP_H + + #include ++#include + #include + #include + #include +@@ -94,6 +95,8 @@ struct cpu_fp_state { + enum fp_type to_save; + }; + ++DECLARE_PER_CPU(struct cpu_fp_state, fpsimd_last_state); ++ + extern void fpsimd_bind_state_to_cpu(struct cpu_fp_state *fp_state); + + extern void fpsimd_flush_task_state(struct task_struct *target); +diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c +index 3fcd9d080bf2a..d23315ef7b679 100644 +--- a/arch/arm64/kernel/entry-common.c ++++ b/arch/arm64/kernel/entry-common.c +@@ -393,20 +393,16 @@ static bool cortex_a76_erratum_1463225_debug_handler(struct pt_regs *regs) + * As per the ABI exit SME streaming mode and clear the SVE state not + * shared with FPSIMD on syscall entry. + */ +-static inline void fp_user_discard(void) ++static inline void fpsimd_syscall_enter(void) + { +- /* +- * If SME is active then exit streaming mode. If ZA is active +- * then flush the SVE registers but leave userspace access to +- * both SVE and SME enabled, otherwise disable SME for the +- * task and fall through to disabling SVE too. This means +- * that after a syscall we never have any streaming mode +- * register state to track, if this changes the KVM code will +- * need updating. +- */ ++ /* Ensure PSTATE.SM is clear, but leave PSTATE.ZA as-is. */ + if (system_supports_sme()) + sme_smstop_sm(); + ++ /* ++ * The CPU is not in streaming mode. If non-streaming SVE is not ++ * supported, there is no SVE state that needs to be discarded. ++ */ + if (!system_supports_sve()) + return; + +@@ -416,6 +412,33 @@ static inline void fp_user_discard(void) + sve_vq_minus_one = sve_vq_from_vl(task_get_sve_vl(current)) - 1; + sve_flush_live(true, sve_vq_minus_one); + } ++ ++ /* ++ * Any live non-FPSIMD SVE state has been zeroed. Allow ++ * fpsimd_save_user_state() to lazily discard SVE state until either ++ * the live state is unbound or fpsimd_syscall_exit() is called. ++ */ ++ __this_cpu_write(fpsimd_last_state.to_save, FP_STATE_FPSIMD); ++} ++ ++static __always_inline void fpsimd_syscall_exit(void) ++{ ++ if (!system_supports_sve()) ++ return; ++ ++ /* ++ * The current task's user FPSIMD/SVE/SME state is now bound to this ++ * CPU. The fpsimd_last_state.to_save value is either: ++ * ++ * - FP_STATE_FPSIMD, if the state has not been reloaded on this CPU ++ * since fpsimd_syscall_enter(). ++ * ++ * - FP_STATE_CURRENT, if the state has been reloaded on this CPU at ++ * any point. ++ * ++ * Reset this to FP_STATE_CURRENT to stop lazy discarding. ++ */ ++ __this_cpu_write(fpsimd_last_state.to_save, FP_STATE_CURRENT); + } + + UNHANDLED(el1t, 64, sync) +@@ -707,10 +730,11 @@ static void noinstr el0_svc(struct pt_regs *regs) + { + enter_from_user_mode(regs); + cortex_a76_erratum_1463225_svc_handler(); +- fp_user_discard(); ++ fpsimd_syscall_enter(); + local_daif_restore(DAIF_PROCCTX); + do_el0_svc(regs); + exit_to_user_mode(regs); ++ fpsimd_syscall_exit(); + } + + static void noinstr el0_fpac(struct pt_regs *regs, unsigned long esr) +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index c5285ee55bfb0..8854bce5cfe20 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -119,7 +119,7 @@ + * whatever is in the FPSIMD registers is not saved to memory, but discarded. + */ + +-static DEFINE_PER_CPU(struct cpu_fp_state, fpsimd_last_state); ++DEFINE_PER_CPU(struct cpu_fp_state, fpsimd_last_state); + + __ro_after_init struct vl_info vl_info[ARM64_VEC_MAX] = { + #ifdef CONFIG_ARM64_SVE +@@ -453,12 +453,15 @@ static void fpsimd_save_user_state(void) + *(last->fpmr) = read_sysreg_s(SYS_FPMR); + + /* +- * If a task is in a syscall the ABI allows us to only +- * preserve the state shared with FPSIMD so don't bother +- * saving the full SVE state in that case. ++ * Save SVE state if it is live. ++ * ++ * The syscall ABI discards live SVE state at syscall entry. When ++ * entering a syscall, fpsimd_syscall_enter() sets to_save to ++ * FP_STATE_FPSIMD to allow the SVE state to be lazily discarded until ++ * either new SVE state is loaded+bound or fpsimd_syscall_exit() is ++ * called prior to a return to userspace. + */ +- if ((last->to_save == FP_STATE_CURRENT && test_thread_flag(TIF_SVE) && +- !in_syscall(current_pt_regs())) || ++ if ((last->to_save == FP_STATE_CURRENT && test_thread_flag(TIF_SVE)) || + last->to_save == FP_STATE_SVE) { + save_sve_regs = true; + save_ffr = true; +-- +2.39.5 + diff --git a/queue-6.12/arm64-fpsimd-don-t-corrupt-fpmr-when-streaming-mode-.patch b/queue-6.12/arm64-fpsimd-don-t-corrupt-fpmr-when-streaming-mode-.patch new file mode 100644 index 0000000000..9d3c415b82 --- /dev/null +++ b/queue-6.12/arm64-fpsimd-don-t-corrupt-fpmr-when-streaming-mode-.patch @@ -0,0 +1,73 @@ +From dfaa86768421377cfe2e4f9ff285c3ca9a7eb507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 17:40:03 +0100 +Subject: arm64/fpsimd: Don't corrupt FPMR when streaming mode changes + +From: Mark Brown + +[ Upstream commit e5fa85fce08b21ed41643cb7968bf66bbd0532e3 ] + +When the effective value of PSTATE.SM is changed from 0 to 1 or from 1 +to 0 by any method, an entry or exit to/from streaming SVE mode is +performed, and hardware automatically resets a number of registers. As +of ARM DDI 0487 L.a, this means: + +* All implemented bits of the SVE vector registers are set to zero. + +* All implemented bits of the SVE predicate registers are set to zero. + +* All implemented bits of FFR are set to zero, if FFR is implemented in + the new mode. + +* FPSR is set to 0x0000_0000_0800_009f. + +* FPMR is set to 0, if FPMR is implemented. + +Currently task_fpsimd_load() restores FPMR before restoring SVCR (which +is an accessor for PSTATE.{SM,ZA}), and so the restored value of FPMR +may be clobbered if the restored value of PSTATE.SM happens to differ +from the initial value of PSTATE.SM. + +Fix this by moving the restore of FPMR later. + +Note: this was originally posted as [1]. + +Fixes: 203f2b95a882 ("arm64/fpsimd: Support FEAT_FPMR") +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/linux-arm-kernel/20241204-arm64-sme-reenable-v2-2-bae87728251d@kernel.org/ +[ Rutland: rewrite commit message ] +Signed-off-by: Mark Rutland +Link: https://lore.kernel.org/r/20250409164010.3480271-7-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index 42b6740d1a64c..12982f1570fca 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -359,9 +359,6 @@ static void task_fpsimd_load(void) + WARN_ON(preemptible()); + WARN_ON(test_thread_flag(TIF_KERNEL_FPSTATE)); + +- if (system_supports_fpmr()) +- write_sysreg_s(current->thread.uw.fpmr, SYS_FPMR); +- + if (system_supports_sve() || system_supports_sme()) { + switch (current->thread.fp_type) { + case FP_STATE_FPSIMD: +@@ -413,6 +410,9 @@ static void task_fpsimd_load(void) + restore_ffr = system_supports_fa64(); + } + ++ if (system_supports_fpmr()) ++ write_sysreg_s(current->thread.uw.fpmr, SYS_FPMR); ++ + if (restore_sve_regs) { + WARN_ON_ONCE(current->thread.fp_type != FP_STATE_SVE); + sve_load_state(sve_pffr(¤t->thread), +-- +2.39.5 + diff --git a/queue-6.12/arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch b/queue-6.12/arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch new file mode 100644 index 0000000000..c8ce7d0e34 --- /dev/null +++ b/queue-6.12/arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch @@ -0,0 +1,105 @@ +From fc1719e335a7a280f192943c9925a1499cff2186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 17:40:06 +0100 +Subject: arm64/fpsimd: Fix merging of FPSIMD state during signal return + +From: Mark Rutland + +[ Upstream commit c94f2f326146a34066a0070ed90b8bc656b1842f ] + +For backwards compatibility reasons, when a signal return occurs which +restores SVE state, the effective lower 128 bits of each of the SVE +vector registers are restored from the corresponding FPSIMD vector +register in the FPSIMD signal frame, overriding the values in the SVE +signal frame. This is intended to be the case regardless of streaming +mode. + +To make this happen, restore_sve_fpsimd_context() uses +fpsimd_update_current_state() to merge the lower 128 bits from the +FPSIMD signal frame into the SVE register state. Unfortunately, +fpsimd_update_current_state() performs this merging dependent upon +TIF_SVE, which is not always correct for streaming SVE register state: + +* When restoring non-streaming SVE register state there is no observable + problem, as the signal return code configures TIF_SVE and the saved + fp_type to match before calling fpsimd_update_current_state(), which + observes either: + + - TIF_SVE set AND fp_type == FP_STATE_SVE + - TIF_SVE clear AND fp_type == FP_STATE_FPSIMD + +* On systems which have SME but not SVE, TIF_SVE cannot be set. Thus the + merging will never happen for the streaming SVE register state. + +* On systems which have SVE and SME, TIF_SVE can be set and cleared + independently of PSTATE.SM. Thus the merging may or may not happen for + streaming SVE register state. + + As TIF_SVE can be cleared non-deterministically during syscalls + (including at the start of sigreturn()), the merging may occur + non-deterministically from the perspective of userspace. + +This logic has been broken since its introduction in commit: + + 85ed24dad2904f7c ("arm64/sme: Implement streaming SVE signal handling") + +... at which point both fpsimd_signal_preserve_current_state() and +fpsimd_update_current_state() only checked TIF SVE. When PSTATE.SM==1 +and TIF_SVE was clear, signal delivery would place stale FPSIMD state +into the FPSIMD signal frame, and signal return would not merge this +into the restored register state. + +Subsequently, signal delivery was fixed as part of commit: + + 61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state") + +... but signal restore was not given a corresponding fix, and when +TIF_SVE was clear, signal restore would still fail to merge the FPSIMD +state into the restored SVE register state. The 'Fixes' tag did not +indicate that this had been broken since its introduction. + +Fix this by merging the FPSIMD state dependent upon the saved fp_type, +matching what we (currently) do during signal delivery. + +As described above, when backporting this commit, it will also be +necessary to backport commit: + + 61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state") + +... and prior to commit: + + baa8515281b30861 ("arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE") + +... it will be necessary for fpsimd_signal_preserve_current_state() and +fpsimd_update_current_state() to consider both TIF_SVE and +thread_sm_enabled(¤t->thread), in place of the saved fp_type. + +Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling") +Signed-off-by: Mark Rutland +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20250409164010.3480271-10-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index 8b8cd9d238234..9f4f3d54c2207 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1806,7 +1806,7 @@ void fpsimd_update_current_state(struct user_fpsimd_state const *state) + get_cpu_fpsimd_context(); + + current->thread.uw.fpsimd_state = *state; +- if (test_thread_flag(TIF_SVE)) ++ if (current->thread.fp_type == FP_STATE_SVE) + fpsimd_to_sve(current); + + task_fpsimd_load(); +-- +2.39.5 + diff --git a/queue-6.12/arm64-fpsimd-reset-fpmr-upon-exec.patch b/queue-6.12/arm64-fpsimd-reset-fpmr-upon-exec.patch new file mode 100644 index 0000000000..c524868927 --- /dev/null +++ b/queue-6.12/arm64-fpsimd-reset-fpmr-upon-exec.patch @@ -0,0 +1,50 @@ +From 404caf942d851206ec37fde43b779491f6acb034 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 17:40:05 +0100 +Subject: arm64/fpsimd: Reset FPMR upon exec() + +From: Mark Rutland + +[ Upstream commit a90878f297d3dba906a6261deccb1bd4a791ba52 ] + +An exec() is expected to reset all FPSIMD/SVE/SME state, and barring +special handling of the vector lengths, the state is expected to reset +to zero. This reset is handled in fpsimd_flush_thread(), which the core +exec() code calls via flush_thread(). + +When support was added for FPMR, no logic was added to +fpsimd_flush_thread() to reset the FPMR value, and thus it is +erroneously inherited across an exec(). + +Add the missing reset of FPMR. + +Fixes: 203f2b95a882 ("arm64/fpsimd: Support FEAT_FPMR") +Signed-off-by: Mark Rutland +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20250409164010.3480271-9-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/fpsimd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c +index 9f2b83c50f7d9..8b8cd9d238234 100644 +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -1663,6 +1663,9 @@ void fpsimd_flush_thread(void) + current->thread.svcr = 0; + } + ++ if (system_supports_fpmr()) ++ current->thread.uw.fpmr = 0; ++ + current->thread.fp_type = FP_STATE_FPSIMD; + + put_cpu_fpsimd_context(); +-- +2.39.5 + diff --git a/queue-6.12/arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch b/queue-6.12/arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch new file mode 100644 index 0000000000..a31f2af770 --- /dev/null +++ b/queue-6.12/arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch @@ -0,0 +1,56 @@ +From a504db981f51acd39584a8917c294f38f5822ef2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 11:47:54 +0000 +Subject: arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kornel Dulęba + +[ Upstream commit f101c56447717c595d803894ba0e215f56c6fba4 ] + +When the 52-bit virtual addressing was introduced the select like +ARCH_MMAP_RND_BITS_MAX logic was never updated to account for it. +Because of that the rnd max bits knob is set to the default value of 18 +when ARM64_VA_BITS=52. +Fix this by setting ARCH_MMAP_RND_BITS_MAX to the same value that would +be used if 48-bit addressing was used. Higher values can't used here +because 52-bit addressing is used only if the caller provides a hint to +mmap, with a fallback to 48-bit. The knob in question is an upper bound +for what the user can set in /proc/sys/vm/mmap_rnd_bits, which in turn +is used to determine how many random bits can be inserted into the base +address used for mmap allocations. Since 48-bit allocations are legal +with ARM64_VA_BITS=52, we need to make sure that the base address is +small enough to facilitate this. + +Fixes: b6d00d47e81a ("arm64: mm: Introduce 52-bit Kernel VAs") +Signed-off-by: Kornel Dulęba +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20250417114754.3238273-1-korneld@google.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/Kconfig | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index a11a7a42edbfb..7887d18cce3e4 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -322,9 +322,9 @@ config ARCH_MMAP_RND_BITS_MAX + default 24 if ARM64_VA_BITS=39 + default 27 if ARM64_VA_BITS=42 + default 30 if ARM64_VA_BITS=47 +- default 29 if ARM64_VA_BITS=48 && ARM64_64K_PAGES +- default 31 if ARM64_VA_BITS=48 && ARM64_16K_PAGES +- default 33 if ARM64_VA_BITS=48 ++ default 29 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_64K_PAGES ++ default 31 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_16K_PAGES ++ default 33 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) + default 14 if ARM64_64K_PAGES + default 16 if ARM64_16K_PAGES + default 18 +-- +2.39.5 + diff --git a/queue-6.12/arm64-tegra-add-uartd-serial-alias-for-jetson-tx1-mo.patch b/queue-6.12/arm64-tegra-add-uartd-serial-alias-for-jetson-tx1-mo.patch new file mode 100644 index 0000000000..35f7b373fc --- /dev/null +++ b/queue-6.12/arm64-tegra-add-uartd-serial-alias-for-jetson-tx1-mo.patch @@ -0,0 +1,39 @@ +From 3dca3c4cd5d017ce6ae87912970de552ef844868 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Apr 2025 09:35:37 -0500 +Subject: arm64: tegra: Add uartd serial alias for Jetson TX1 module + +From: Aaron Kling + +[ Upstream commit dfb25484bd73c8590954ead6fd58a1587ba3bbc5 ] + +If a serial-tegra interface does not have an alias, the driver fails to +probe with an error: +serial-tegra 70006300.serial: failed to get alias id, errno -19 +This prevents the bluetooth device from being accessible. + +Fixes: 6eba6471bbb7 ("arm64: tegra: Wire up Bluetooth on Jetson TX1 module") +Signed-off-by: Aaron Kling +Reviewed-by: Tomasz Maciej Nowak +Link: https://lore.kernel.org/r/20250420-tx1-bt-v1-1-153cba105a4e@gmail.com +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi b/arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi +index 1c53ccc5e3cbf..9c1b2e7d3997f 100644 +--- a/arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra210-p2180.dtsi +@@ -11,6 +11,7 @@ + rtc0 = "/i2c@7000d000/pmic@3c"; + rtc1 = "/rtc@7000e000"; + serial0 = &uarta; ++ serial3 = &uartd; + }; + + chosen { +-- +2.39.5 + diff --git a/queue-6.12/arm64-tegra-drop-remaining-serial-clock-names-and-re.patch b/queue-6.12/arm64-tegra-drop-remaining-serial-clock-names-and-re.patch new file mode 100644 index 0000000000..d7edb55b5b --- /dev/null +++ b/queue-6.12/arm64-tegra-drop-remaining-serial-clock-names-and-re.patch @@ -0,0 +1,153 @@ +From acb8ee5734a6d0e6bf9aede77532c15f3da31314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 20:51:47 -0500 +Subject: arm64: tegra: Drop remaining serial clock-names and reset-names + +From: Aaron Kling + +[ Upstream commit 4cd763297c2203c6ba587d7d4a9105f96597b998 ] + +The referenced commit only removed some of the names, missing all that +weren't in use at the time. The commit removes the rest. + +Fixes: 71de0a054d0e ("arm64: tegra: Drop serial clock-names and reset-names") +Signed-off-by: Aaron Kling +Link: https://lore.kernel.org/r/20250428-tegra-serial-fixes-v1-1-4f47c5d85bf6@gmail.com +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/nvidia/tegra186.dtsi | 12 ------------ + arch/arm64/boot/dts/nvidia/tegra194.dtsi | 12 ------------ + 2 files changed, 24 deletions(-) + +diff --git a/arch/arm64/boot/dts/nvidia/tegra186.dtsi b/arch/arm64/boot/dts/nvidia/tegra186.dtsi +index 2b3bb5d0af17b..f0b7949df92c0 100644 +--- a/arch/arm64/boot/dts/nvidia/tegra186.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra186.dtsi +@@ -621,9 +621,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA186_CLK_UARTB>; +- clock-names = "serial"; + resets = <&bpmp TEGRA186_RESET_UARTB>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -633,9 +631,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA186_CLK_UARTD>; +- clock-names = "serial"; + resets = <&bpmp TEGRA186_RESET_UARTD>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -645,9 +641,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA186_CLK_UARTE>; +- clock-names = "serial"; + resets = <&bpmp TEGRA186_RESET_UARTE>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -657,9 +651,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA186_CLK_UARTF>; +- clock-names = "serial"; + resets = <&bpmp TEGRA186_RESET_UARTF>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -1236,9 +1228,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA186_CLK_UARTC>; +- clock-names = "serial"; + resets = <&bpmp TEGRA186_RESET_UARTC>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -1248,9 +1238,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA186_CLK_UARTG>; +- clock-names = "serial"; + resets = <&bpmp TEGRA186_RESET_UARTG>; +- reset-names = "serial"; + status = "disabled"; + }; + +diff --git a/arch/arm64/boot/dts/nvidia/tegra194.dtsi b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +index 33f92b77cd9d9..c369507747851 100644 +--- a/arch/arm64/boot/dts/nvidia/tegra194.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra194.dtsi +@@ -766,9 +766,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA194_CLK_UARTD>; +- clock-names = "serial"; + resets = <&bpmp TEGRA194_RESET_UARTD>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -778,9 +776,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA194_CLK_UARTE>; +- clock-names = "serial"; + resets = <&bpmp TEGRA194_RESET_UARTE>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -790,9 +786,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA194_CLK_UARTF>; +- clock-names = "serial"; + resets = <&bpmp TEGRA194_RESET_UARTF>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -817,9 +811,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA194_CLK_UARTH>; +- clock-names = "serial"; + resets = <&bpmp TEGRA194_RESET_UARTH>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -1616,9 +1608,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA194_CLK_UARTC>; +- clock-names = "serial"; + resets = <&bpmp TEGRA194_RESET_UARTC>; +- reset-names = "serial"; + status = "disabled"; + }; + +@@ -1628,9 +1618,7 @@ + reg-shift = <2>; + interrupts = ; + clocks = <&bpmp TEGRA194_CLK_UARTG>; +- clock-names = "serial"; + resets = <&bpmp TEGRA194_RESET_UARTG>; +- reset-names = "serial"; + status = "disabled"; + }; + +-- +2.39.5 + diff --git a/queue-6.12/asoc-apple-mca-constrain-channels-according-to-tdm-m.patch b/queue-6.12/asoc-apple-mca-constrain-channels-according-to-tdm-m.patch new file mode 100644 index 0000000000..6dba9bb0dc --- /dev/null +++ b/queue-6.12/asoc-apple-mca-constrain-channels-according-to-tdm-m.patch @@ -0,0 +1,70 @@ +From 669f90f0747318f9087ad0a15d46e9b9bb383c40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 May 2025 20:50:46 +1000 +Subject: ASoC: apple: mca: Constrain channels according to TDM mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin PoviÅ¡er + +[ Upstream commit e717c661e2d1a660e96c40b0fe9933e23a1d7747 ] + +We don't (and can't) configure the hardware correctly if the number of +channels exceeds the weight of the TDM mask. Report that constraint in +startup of FE. + +Fixes: 3df5d0d97289 ("ASoC: apple: mca: Start new platform driver") +Signed-off-by: Martin PoviÅ¡er +Signed-off-by: James Calligeros +Link: https://patch.msgid.link/20250518-mca-fixes-v1-1-ee1015a695f6@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/apple/mca.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/sound/soc/apple/mca.c b/sound/soc/apple/mca.c +index c9e7d40c47cc1..4a4ec1c09e132 100644 +--- a/sound/soc/apple/mca.c ++++ b/sound/soc/apple/mca.c +@@ -464,6 +464,28 @@ static int mca_configure_serdes(struct mca_cluster *cl, int serdes_unit, + return -EINVAL; + } + ++static int mca_fe_startup(struct snd_pcm_substream *substream, ++ struct snd_soc_dai *dai) ++{ ++ struct mca_cluster *cl = mca_dai_to_cluster(dai); ++ unsigned int mask, nchannels; ++ ++ if (cl->tdm_slots) { ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) ++ mask = cl->tdm_tx_mask; ++ else ++ mask = cl->tdm_rx_mask; ++ ++ nchannels = hweight32(mask); ++ } else { ++ nchannels = 2; ++ } ++ ++ return snd_pcm_hw_constraint_minmax(substream->runtime, ++ SNDRV_PCM_HW_PARAM_CHANNELS, ++ 1, nchannels); ++} ++ + static int mca_fe_set_tdm_slot(struct snd_soc_dai *dai, unsigned int tx_mask, + unsigned int rx_mask, int slots, int slot_width) + { +@@ -680,6 +702,7 @@ static int mca_fe_hw_params(struct snd_pcm_substream *substream, + } + + static const struct snd_soc_dai_ops mca_fe_ops = { ++ .startup = mca_fe_startup, + .set_fmt = mca_fe_set_fmt, + .set_bclk_ratio = mca_set_bclk_ratio, + .set_tdm_slot = mca_fe_set_tdm_slot, +-- +2.39.5 + diff --git a/queue-6.12/asoc-codecs-hda-fix-rpm-usage-count-underflow.patch b/queue-6.12/asoc-codecs-hda-fix-rpm-usage-count-underflow.patch new file mode 100644 index 0000000000..555545ab60 --- /dev/null +++ b/queue-6.12/asoc-codecs-hda-fix-rpm-usage-count-underflow.patch @@ -0,0 +1,60 @@ +From d1d4f98758e365c61696cd4851c2818cab2e8247 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 16:10:17 +0200 +Subject: ASoC: codecs: hda: Fix RPM usage count underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit ff0045de4ee0288dec683690f66f2f369b7d3466 ] + +RPM manipulation in hda_codec_probe_complete()'s error path is +superfluous and leads to RPM usage count underflow if the +build-controls operation fails. + +hda_codec_probe_complete() is called in: + +1) hda_codec_probe() for all non-HDMI codecs +2) in card->late_probe() for HDMI codecs + +Error path for hda_codec_probe() takes care of bus' RPM already. +For 2) if late_probe() fails, ASoC performs card cleanup what +triggers hda_codec_remote() - same treatment is in 1). + +Fixes: b5df2a7dca1c ("ASoC: codecs: Add HD-Audio codec driver") +Reviewed-by: Amadeusz Sławiński +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20250530141025.2942936-2-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/hda.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/hda.c b/sound/soc/codecs/hda.c +index ddc00927313cf..dc7794c9ac44c 100644 +--- a/sound/soc/codecs/hda.c ++++ b/sound/soc/codecs/hda.c +@@ -152,7 +152,7 @@ int hda_codec_probe_complete(struct hda_codec *codec) + ret = snd_hda_codec_build_controls(codec); + if (ret < 0) { + dev_err(&hdev->dev, "unable to create controls %d\n", ret); +- goto out; ++ return ret; + } + + /* Bus suspended codecs as it does not manage their pm */ +@@ -160,7 +160,7 @@ int hda_codec_probe_complete(struct hda_codec *codec) + /* rpm was forbidden in snd_hda_codec_device_new() */ + snd_hda_codec_set_power_save(codec, 2000); + snd_hda_codec_register(codec); +-out: ++ + /* Complement pm_runtime_get_sync(bus) in probe */ + pm_runtime_mark_last_busy(bus->dev); + pm_runtime_put_autosuspend(bus->dev); +-- +2.39.5 + diff --git a/queue-6.12/asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch b/queue-6.12/asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch new file mode 100644 index 0000000000..c3b16bf515 --- /dev/null +++ b/queue-6.12/asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch @@ -0,0 +1,45 @@ +From 9ab159e331a9cd50b2bf54360df7055dc2c35793 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 16:10:18 +0200 +Subject: ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit 9ad1f3cd0d60444c69948854c7e50d2a61b63755 ] + +The procedure handling IPC timeouts and EXCEPTION_CAUGHT notification +shall cancel any D0IX work before proceeding with DSP recovery. If +SET_D0IX called from delayed_work is the failing IPC the procedure will +deadlock. Conditionally skip cancelling the work to fix that. + +Fixes: 335c4cbd201d ("ASoC: Intel: avs: D0ix power state support") +Reviewed-by: Amadeusz Sławiński +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20250530141025.2942936-3-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/ipc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/intel/avs/ipc.c b/sound/soc/intel/avs/ipc.c +index 4fba46e77c470..eff1d46040da6 100644 +--- a/sound/soc/intel/avs/ipc.c ++++ b/sound/soc/intel/avs/ipc.c +@@ -169,7 +169,9 @@ static void avs_dsp_exception_caught(struct avs_dev *adev, union avs_notify_msg + + dev_crit(adev->dev, "communication severed, rebooting dsp..\n"); + +- cancel_delayed_work_sync(&ipc->d0ix_work); ++ /* Avoid deadlock as the exception may be the response to SET_D0IX. */ ++ if (current_work() != &ipc->d0ix_work.work) ++ cancel_delayed_work_sync(&ipc->d0ix_work); + ipc->in_d0ix = false; + /* Re-enabled on recovery completion. */ + pm_runtime_disable(adev->dev); +-- +2.39.5 + diff --git a/queue-6.12/asoc-intel-avs-verify-content-returned-by-parse_int_.patch b/queue-6.12/asoc-intel-avs-verify-content-returned-by-parse_int_.patch new file mode 100644 index 0000000000..3c59fccb55 --- /dev/null +++ b/queue-6.12/asoc-intel-avs-verify-content-returned-by-parse_int_.patch @@ -0,0 +1,52 @@ +From fa3c6226185d5b8d0d025d40dfcec40806dc6ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 16:10:23 +0200 +Subject: ASoC: Intel: avs: Verify content returned by parse_int_array() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit 93e246b6769bdacb09cfff4ea0f00fe5ab4f0d7a ] + +The first element of the returned array stores its length. If it is 0, +any manipulation beyond the element at index 0 ends with null-ptr-deref. + +Fixes: 5a565ba23abe ("ASoC: Intel: avs: Probing and firmware tracing over debugfs") +Reviewed-by: Amadeusz Sławiński +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20250530141025.2942936-8-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/debugfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/intel/avs/debugfs.c b/sound/soc/intel/avs/debugfs.c +index 1767ded4d9830..c9978fb9c74e2 100644 +--- a/sound/soc/intel/avs/debugfs.c ++++ b/sound/soc/intel/avs/debugfs.c +@@ -372,7 +372,10 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s + return ret; + + num_elems = *array; +- resource_mask = array[1]; ++ if (!num_elems) { ++ ret = -EINVAL; ++ goto free_array; ++ } + + /* + * Disable if just resource mask is provided - no log priority flags. +@@ -380,6 +383,7 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s + * Enable input format: mask, prio1, .., prioN + * Where 'N' equals number of bits set in the 'mask'. + */ ++ resource_mask = array[1]; + if (num_elems == 1) { + ret = disable_logs(adev, resource_mask); + } else { +-- +2.39.5 + diff --git a/queue-6.12/asoc-mediatek-mt8195-set-etdm1-2-in-out-to-comp_dumm.patch b/queue-6.12/asoc-mediatek-mt8195-set-etdm1-2-in-out-to-comp_dumm.patch new file mode 100644 index 0000000000..db66e82d74 --- /dev/null +++ b/queue-6.12/asoc-mediatek-mt8195-set-etdm1-2-in-out-to-comp_dumm.patch @@ -0,0 +1,98 @@ +From 1432bfd3e06bf133b6335fb3061f5bfb92fa5883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 10:44:33 +0200 +Subject: ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() + +From: Julien Massot + +[ Upstream commit 7af317f7faaab09d5a78f24605057d11f5955115 ] + +ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), +in the case the codec dai_name will be null. + +Avoid a crash if the device tree is not assigning a codec +to these links. + +[ 1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +[ 1.181065] Mem abort info: +[ 1.181420] ESR = 0x0000000096000004 +[ 1.181892] EC = 0x25: DABT (current EL), IL = 32 bits +[ 1.182576] SET = 0, FnV = 0 +[ 1.182964] EA = 0, S1PTW = 0 +[ 1.183367] FSC = 0x04: level 0 translation fault +[ 1.183983] Data abort info: +[ 1.184406] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 +[ 1.185097] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 1.185766] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 1.186439] [0000000000000000] user address but active_mm is swapper +[ 1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP +[ 1.188029] Modules linked in: +[ 1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85 +[ 1.189515] Hardware name: Radxa NIO 12L (DT) +[ 1.190065] Workqueue: events_unbound deferred_probe_work_func +[ 1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 1.191683] pc : __pi_strcmp+0x24/0x140 +[ 1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0 +[ 1.192854] sp : ffff800083473970 +[ 1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002 +[ 1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88 +[ 1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8 +[ 1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff +[ 1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006 +[ 1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 692d6b636f6c6374 +[ 1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018 +[ 1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 +[ 1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d +[ 1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000 +[ 1.202236] Call trace: +[ 1.202545] __pi_strcmp+0x24/0x140 (P) +[ 1.203029] mtk_soundcard_common_probe+0x3bc/0x5b8 +[ 1.203644] platform_probe+0x70/0xe8 +[ 1.204106] really_probe+0xc8/0x3a0 +[ 1.204556] __driver_probe_device+0x84/0x160 +[ 1.205104] driver_probe_device+0x44/0x130 +[ 1.205630] __device_attach_driver+0xc4/0x170 +[ 1.206189] bus_for_each_drv+0x8c/0xf8 +[ 1.206672] __device_attach+0xa8/0x1c8 +[ 1.207155] device_initial_probe+0x1c/0x30 +[ 1.207681] bus_probe_device+0xb0/0xc0 +[ 1.208165] deferred_probe_work_func+0xa4/0x100 +[ 1.208747] process_one_work+0x158/0x3e0 +[ 1.209254] worker_thread+0x2c4/0x3e8 +[ 1.209727] kthread+0x134/0x1f0 +[ 1.210136] ret_from_fork+0x10/0x20 +[ 1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402) +[ 1.211355] ---[ end trace 0000000000000000 ]--- + +Signed-off-by: Julien Massot +Fixes: e70b8dd26711 ("ASoC: mediatek: mt8195: Remove afe-dai component and rework codec link") +Reviewed-by: AngeloGioacchino Del Regno +Link: https://patch.msgid.link/20250417-mt8395-audio-sof-v1-2-30587426e5dd@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8195/mt8195-mt6359.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359.c b/sound/soc/mediatek/mt8195/mt8195-mt6359.c +index 8ebf6c7502aa3..400cec09c3a3c 100644 +--- a/sound/soc/mediatek/mt8195/mt8195-mt6359.c ++++ b/sound/soc/mediatek/mt8195/mt8195-mt6359.c +@@ -822,12 +822,12 @@ SND_SOC_DAILINK_DEFS(ETDM1_IN_BE, + + SND_SOC_DAILINK_DEFS(ETDM2_IN_BE, + DAILINK_COMP_ARRAY(COMP_CPU("ETDM2_IN")), +- DAILINK_COMP_ARRAY(COMP_EMPTY()), ++ DAILINK_COMP_ARRAY(COMP_DUMMY()), + DAILINK_COMP_ARRAY(COMP_EMPTY())); + + SND_SOC_DAILINK_DEFS(ETDM1_OUT_BE, + DAILINK_COMP_ARRAY(COMP_CPU("ETDM1_OUT")), +- DAILINK_COMP_ARRAY(COMP_EMPTY()), ++ DAILINK_COMP_ARRAY(COMP_DUMMY()), + DAILINK_COMP_ARRAY(COMP_EMPTY())); + + SND_SOC_DAILINK_DEFS(ETDM2_OUT_BE, +-- +2.39.5 + diff --git a/queue-6.12/asoc-sof-amd-add-missing-acp-descriptor-field.patch b/queue-6.12/asoc-sof-amd-add-missing-acp-descriptor-field.patch new file mode 100644 index 0000000000..1966e703fb --- /dev/null +++ b/queue-6.12/asoc-sof-amd-add-missing-acp-descriptor-field.patch @@ -0,0 +1,38 @@ +From c0439fabf63c06a4f4bb78bd4e97865e1cf9d247 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 May 2025 21:12:41 +0530 +Subject: ASoC: SOF: amd: add missing acp descriptor field + +From: Vijendar Mukunda + +[ Upstream commit 7c2bad7b95db5b4b978853cd4dd042ae3ec83e63 ] + +Add missing acp descriptor field acp_error_stat for ACP7.0 platform. + +Fixes: 490be7ba2a01 ("ASoC: SOF: amd: add support for acp7.0 based platform") + +Signed-off-by: Vijendar Mukunda +Reviewed-by: Ranjani Sridharan +Reviewed-by: Bard Liao +Link: https://patch.msgid.link/20250502154445.3008598-3-Vijendar.Mukunda@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/amd/pci-acp70.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/sof/amd/pci-acp70.c b/sound/soc/sof/amd/pci-acp70.c +index a5d8b6a95a222..fe2ad0395f5d3 100644 +--- a/sound/soc/sof/amd/pci-acp70.c ++++ b/sound/soc/sof/amd/pci-acp70.c +@@ -34,6 +34,7 @@ static const struct sof_amd_acp_desc acp70_chip_info = { + .ext_intr_cntl = ACP70_EXTERNAL_INTR_CNTL, + .ext_intr_stat = ACP70_EXT_INTR_STAT, + .ext_intr_stat1 = ACP70_EXT_INTR_STAT1, ++ .acp_error_stat = ACP70_ERROR_STATUS, + .dsp_intr_base = ACP70_DSP_SW_INTR_BASE, + .acp_sw0_i2s_err_reason = ACP7X_SW0_I2S_ERROR_REASON, + .sram_pte_offset = ACP70_SRAM_PTE_OFFSET, +-- +2.39.5 + diff --git a/queue-6.12/asoc-sof-ipc4-pcm-adjust-pipeline_list-pipelines-all.patch b/queue-6.12/asoc-sof-ipc4-pcm-adjust-pipeline_list-pipelines-all.patch new file mode 100644 index 0000000000..ad23f4eb5e --- /dev/null +++ b/queue-6.12/asoc-sof-ipc4-pcm-adjust-pipeline_list-pipelines-all.patch @@ -0,0 +1,46 @@ +From afcd756d8cc76faa46c4e23958b935c45cc8f463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 23:25:12 -0700 +Subject: ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type + +From: Kees Cook + +[ Upstream commit 00a371adbbfb46db561db85a9d7b53b2363880a1 ] + +In preparation for making the kmalloc family of allocators type aware, +we need to make sure that the returned type from the allocation matches +the type of the variable being assigned. (Before, the allocator would +always return "void *", which can be implicitly cast to any pointer type.) + +The assigned type is "struct snd_sof_pipeline **", but the returned type +will be "struct snd_sof_widget **". These are the same size allocation +(pointer size) but the types don't match. Adjust the allocation type to +match the assignment. + +Signed-off-by: Kees Cook +Fixes: 9c04363d222b ("ASoC: SOF: Introduce struct snd_sof_pipeline") +Acked-by: Peter Ujfalusi +Link: https://patch.msgid.link/20250426062511.work.859-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc4-pcm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/sof/ipc4-pcm.c b/sound/soc/sof/ipc4-pcm.c +index 2fe4969cdc3b4..9db2cdb321282 100644 +--- a/sound/soc/sof/ipc4-pcm.c ++++ b/sound/soc/sof/ipc4-pcm.c +@@ -780,7 +780,8 @@ static int sof_ipc4_pcm_setup(struct snd_sof_dev *sdev, struct snd_sof_pcm *spcm + + /* allocate memory for max number of pipeline IDs */ + pipeline_list->pipelines = kcalloc(ipc4_data->max_num_pipelines, +- sizeof(struct snd_sof_widget *), GFP_KERNEL); ++ sizeof(*pipeline_list->pipelines), ++ GFP_KERNEL); + if (!pipeline_list->pipelines) { + sof_ipc4_pcm_free(sdev, spcm); + return -ENOMEM; +-- +2.39.5 + diff --git a/queue-6.12/asoc-tas2764-enable-main-irqs.patch b/queue-6.12/asoc-tas2764-enable-main-irqs.patch new file mode 100644 index 0000000000..22500171c9 --- /dev/null +++ b/queue-6.12/asoc-tas2764-enable-main-irqs.patch @@ -0,0 +1,41 @@ +From 9e94e2c8bb834bd34363f6c57d7405f0253cd0a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Apr 2025 09:15:08 +1000 +Subject: ASoC: tas2764: Enable main IRQs + +From: Hector Martin + +[ Upstream commit dd50f0e38563f15819059c923bf142200453e003 ] + +IRQ handling was added in commit dae191fb957f ("ASoC: tas2764: Add IRQ +handling") however that same commit masks all interrupts coming from +the chip. Unmask the "main" interrupts so that we can see and +deal with a number of errors including clock, voltage, and current. + +Fixes: dae191fb957f ("ASoC: tas2764: Add IRQ handling") +Reviewed-by: Neal Gompa +Signed-off-by: Hector Martin +Signed-off-by: James Calligeros +Link: https://patch.msgid.link/20250406-apple-codec-changes-v5-4-50a00ec850a3@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2764.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c +index 39a7d39536fe6..4326555aac032 100644 +--- a/sound/soc/codecs/tas2764.c ++++ b/sound/soc/codecs/tas2764.c +@@ -540,7 +540,7 @@ static int tas2764_codec_probe(struct snd_soc_component *component) + tas2764_reset(tas2764); + + if (tas2764->irq) { +- ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0xff); ++ ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0x00); + if (ret < 0) + return ret; + +-- +2.39.5 + diff --git a/queue-6.12/asoc-ti-omap-hdmi-re-add-dai_link-platform-to-fix-ca.patch b/queue-6.12/asoc-ti-omap-hdmi-re-add-dai_link-platform-to-fix-ca.patch new file mode 100644 index 0000000000..c197c2a27d --- /dev/null +++ b/queue-6.12/asoc-ti-omap-hdmi-re-add-dai_link-platform-to-fix-ca.patch @@ -0,0 +1,77 @@ +From 79533a1d300b77760e4125e8871609c48cac023f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 May 2025 23:13:41 +0900 +Subject: ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init + +From: Yuuki NAGAO + +[ Upstream commit bae071aa7bcd034054cec91666c80f812adeccd9 ] + +The removed dai_link->platform component cause a fail which +is exposed at runtime. (ex: when a sound tool is used) +This patch re-adds the dai_link->platform component to have +a full card registered. + +Before this patch: +$ aplay -l +**** List of PLAYBACK Hardware Devices **** +card 1: HDMI [HDMI], device 0: HDMI snd-soc-dummy-dai-0 [] + Subdevices: 1/1 + Subdevice #0: subdevice #0 + +$ speaker-test -D plughw:1,0 -t sine +speaker-test 1.2.8 +Playback device is plughw:1,0 +Stream parameters are 48000Hz, S16_LE, 1 channels +Sine wave rate is 440.0000Hz +Playback open error: -22,Invalid argument + +After this patch which restores the platform component: +$ aplay -l +**** List of PLAYBACK Hardware Devices **** +card 0: HDMI [HDMI], device 0: HDMI snd-soc-dummy-dai-0 [HDMI snd-soc-dummy-dai-0] + Subdevices: 0/1 + Subdevice #0: subdevice #0 + +-> Resolve the playback error. + +Fixes: 3b0db249cf8f ("ASoC: ti: remove unnecessary dai_link->platform") + +Signed-off-by: Yuuki NAGAO +Link: https://patch.msgid.link/20250531141341.81164-1-wf.yn386@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/omap-hdmi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/ti/omap-hdmi.c b/sound/soc/ti/omap-hdmi.c +index cf43ac19c4a6d..55e7cb96858fc 100644 +--- a/sound/soc/ti/omap-hdmi.c ++++ b/sound/soc/ti/omap-hdmi.c +@@ -361,17 +361,20 @@ static int omap_hdmi_audio_probe(struct platform_device *pdev) + if (!card->dai_link) + return -ENOMEM; + +- compnent = devm_kzalloc(dev, sizeof(*compnent), GFP_KERNEL); ++ compnent = devm_kzalloc(dev, 2 * sizeof(*compnent), GFP_KERNEL); + if (!compnent) + return -ENOMEM; +- card->dai_link->cpus = compnent; ++ card->dai_link->cpus = &compnent[0]; + card->dai_link->num_cpus = 1; + card->dai_link->codecs = &snd_soc_dummy_dlc; + card->dai_link->num_codecs = 1; ++ card->dai_link->platforms = &compnent[1]; ++ card->dai_link->num_platforms = 1; + + card->dai_link->name = card->name; + card->dai_link->stream_name = card->name; + card->dai_link->cpus->dai_name = dev_name(ad->dssdev); ++ card->dai_link->platforms->name = dev_name(ad->dssdev); + card->num_links = 1; + card->dev = dev; + +-- +2.39.5 + diff --git a/queue-6.12/backlight-pm8941-add-null-check-in-wled_configure.patch b/queue-6.12/backlight-pm8941-add-null-check-in-wled_configure.patch new file mode 100644 index 0000000000..af76a673dd --- /dev/null +++ b/queue-6.12/backlight-pm8941-add-null-check-in-wled_configure.patch @@ -0,0 +1,47 @@ +From 8ca6a7ce3d5c0615356d9687ef91c1118857067c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 17:16:47 +0800 +Subject: backlight: pm8941: Add NULL check in wled_configure() + +From: Henry Martin + +[ Upstream commit e12d3e1624a02706cdd3628bbf5668827214fa33 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +wled_configure() does not check for this case, which results in a NULL +pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: f86b77583d88 ("backlight: pm8941: Convert to using %pOFn instead of device_node.name") +Signed-off-by: Henry Martin +Reviewed-by: Dmitry Baryshkov +Reviewed-by: "Daniel Thompson (RISCstar)" +Link: https://lore.kernel.org/r/20250401091647.22784-1-bsdhenrymartin@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/qcom-wled.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 10129095a4c17..b19e5f73de8bb 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1406,9 +1406,11 @@ static int wled_configure(struct wled *wled) + wled->ctrl_addr = be32_to_cpu(*prop_addr); + + rc = of_property_read_string(dev->of_node, "label", &wled->name); +- if (rc) ++ if (rc) { + wled->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFn", dev->of_node); +- ++ if (!wled->name) ++ return -ENOMEM; ++ } + switch (wled->version) { + case 3: + u32_opts = wled3_opts; +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-btintel-check-dsbr-size-from-efi-variable.patch b/queue-6.12/bluetooth-btintel-check-dsbr-size-from-efi-variable.patch new file mode 100644 index 0000000000..50eff65474 --- /dev/null +++ b/queue-6.12/bluetooth-btintel-check-dsbr-size-from-efi-variable.patch @@ -0,0 +1,58 @@ +From c0319bfba8848271b9d1a7f05330baa9b616cacd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 09:31:35 -0700 +Subject: Bluetooth: btintel: Check dsbr size from EFI variable + +From: Kees Cook + +[ Upstream commit 3aa1dc3c9060e335e82e9c182bf3d1db29220b1b ] + +Since the size of struct btintel_dsbr is already known, we can just +start there instead of querying the EFI variable size. If the final +result doesn't match what we expect also fail. This fixes a stack buffer +overflow when the EFI variable is larger than struct btintel_dsbr. + +Reported-by: zepta +Closes: https://lore.kernel.org/all/CAPBS6KoaWV9=dtjTESZiU6KK__OZX0KpDk-=JEH8jCHFLUYv3Q@mail.gmail.com +Fixes: eb9e749c0182 ("Bluetooth: btintel: Allow configuring drive strength of BRI") +Signed-off-by: Kees Cook +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btintel.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c +index 645047fb92fd2..51d6d91ed4041 100644 +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -2705,7 +2705,7 @@ static int btintel_uefi_get_dsbr(u32 *dsbr_var) + } __packed data; + + efi_status_t status; +- unsigned long data_size = 0; ++ unsigned long data_size = sizeof(data); + efi_guid_t guid = EFI_GUID(0xe65d8884, 0xd4af, 0x4b20, 0x8d, 0x03, + 0x77, 0x2e, 0xcc, 0x3d, 0xa5, 0x31); + +@@ -2715,16 +2715,10 @@ static int btintel_uefi_get_dsbr(u32 *dsbr_var) + if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) + return -EOPNOTSUPP; + +- status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size, +- NULL); +- +- if (status != EFI_BUFFER_TOO_SMALL || !data_size) +- return -EIO; +- + status = efi.get_variable(BTINTEL_EFI_DSBR, &guid, NULL, &data_size, + &data); + +- if (status != EFI_SUCCESS) ++ if (status != EFI_SUCCESS || data_size != sizeof(data)) + return -ENXIO; + + *dsbr_var = data.dsbr; +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-iso-fix-not-using-sid-from-adv-report.patch b/queue-6.12/bluetooth-iso-fix-not-using-sid-from-adv-report.patch new file mode 100644 index 0000000000..bf1a712231 --- /dev/null +++ b/queue-6.12/bluetooth-iso-fix-not-using-sid-from-adv-report.patch @@ -0,0 +1,298 @@ +From acba85f1fabfb53d6d2e0a1883bffcbbcbbe6d71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Apr 2025 12:37:50 -0400 +Subject: Bluetooth: ISO: Fix not using SID from adv report + +From: Luiz Augusto von Dentz + +[ Upstream commit e2d471b7806b09744d65a64bcf41337468f2443b ] + +Up until now it has been assumed that the application would be able to +enter the advertising SID in sockaddr_iso_bc.bc_sid, but userspace has +no access to SID since the likes of MGMT_EV_DEVICE_FOUND cannot carry +it, so it was left unset (0x00) which means it would be unable to +synchronize if the broadcast source is using a different SID e.g. 0x04: + +> HCI Event: LE Meta Event (0x3e) plen 57 + LE Extended Advertising Report (0x0d) + Num reports: 1 + Entry 0 + Event type: 0x0000 + Props: 0x0000 + Data status: Complete + Address type: Random (0x01) + Address: 0B:82:E8:50:6D:C8 (Non-Resolvable) + Primary PHY: LE 1M + Secondary PHY: LE 2M + SID: 0x04 + TX power: 127 dBm + RSSI: -55 dBm (0xc9) + Periodic advertising interval: 180.00 msec (0x0090) + Direct address type: Public (0x00) + Direct address: 00:00:00:00:00:00 (OUI 00-00-00) + Data length: 0x1f + 06 16 52 18 5b 0b e1 05 16 56 18 04 00 11 30 4c ..R.[....V....0L + 75 69 7a 27 73 20 53 32 33 20 55 6c 74 72 61 uiz's S23 Ultra + Service Data: Broadcast Audio Announcement (0x1852) + Broadcast ID: 14748507 (0xe10b5b) + Service Data: Public Broadcast Announcement (0x1856) + Data[2]: 0400 + Unknown EIR field 0x30[16]: 4c75697a27732053323320556c747261 +< HCI Command: LE Periodic Advertising Create Sync (0x08|0x0044) plen 14 + Options: 0x0000 + Use advertising SID, Advertiser Address Type and address + Reporting initially enabled + SID: 0x00 (<- Invalid) + Adv address type: Random (0x01) + Adv address: 0B:82:E8:50:6D:C8 (Non-Resolvable) + Skip: 0x0000 + Sync timeout: 20000 msec (0x07d0) + Sync CTE type: 0x0000 + +So instead this changes now allow application to set HCI_SID_INVALID +which will make hci_le_pa_create_sync to wait for a report, update the +conn->sid using the report SID and only then issue PA create sync +command: + +< HCI Command: LE Periodic Advertising Create Sync + Options: 0x0000 + Use advertising SID, Advertiser Address Type and address + Reporting initially enabled + SID: 0x04 + Adv address type: Random (0x01) + Adv address: 0B:82:E8:50:6D:C8 (Non-Resolvable) + Skip: 0x0000 + Sync timeout: 20000 msec (0x07d0) + Sync CTE type: 0x0000 +> HCI Event: LE Meta Event (0x3e) plen 16 + LE Periodic Advertising Sync Established (0x0e) + Status: Success (0x00) + Sync handle: 64 + Advertising SID: 0x04 + Advertiser address type: Random (0x01) + Advertiser address: 0B:82:E8:50:6D:C8 (Non-Resolvable) + Advertiser PHY: LE 2M (0x02) + Periodic advertising interval: 180.00 msec (0x0090) + Advertiser clock accuracy: 0x05 + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_conn.c | 2 ++ + net/bluetooth/hci_core.c | 13 ++++++----- + net/bluetooth/hci_event.c | 16 ++++++++++++- + net/bluetooth/hci_sync.c | 49 +++++++++++++++++++++++++++++++++++---- + net/bluetooth/iso.c | 9 +++++-- + 5 files changed, 75 insertions(+), 14 deletions(-) + +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index ae66fa0a5fb58..c6c1232db4e28 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -2067,6 +2067,8 @@ struct hci_conn *hci_pa_create_sync(struct hci_dev *hdev, bdaddr_t *dst, + { + struct hci_conn *conn; + ++ bt_dev_dbg(hdev, "dst %pMR type %d sid %d", dst, dst_type, sid); ++ + conn = hci_conn_add_unset(hdev, ISO_LINK, dst, HCI_ROLE_SLAVE); + if (IS_ERR(conn)) + return conn; +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 72439764186ed..743b63287a18f 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4071,10 +4071,13 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb) + return; + } + +- err = hci_send_frame(hdev, skb); +- if (err < 0) { +- hci_cmd_sync_cancel_sync(hdev, -err); +- return; ++ if (hci_skb_opcode(skb) != HCI_OP_NOP) { ++ err = hci_send_frame(hdev, skb); ++ if (err < 0) { ++ hci_cmd_sync_cancel_sync(hdev, -err); ++ return; ++ } ++ atomic_dec(&hdev->cmd_cnt); + } + + if (hdev->req_status == HCI_REQ_PEND && +@@ -4082,8 +4085,6 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb) + kfree_skb(hdev->req_skb); + hdev->req_skb = skb_clone(hdev->sent_cmd, GFP_KERNEL); + } +- +- atomic_dec(&hdev->cmd_cnt); + } + + static void hci_cmd_work(struct work_struct *work) +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 8894633403519..5c4c3d04d8b93 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -6333,6 +6333,17 @@ static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, void *data, + info->secondary_phy &= 0x1f; + } + ++ /* Check if PA Sync is pending and if the hci_conn SID has not ++ * been set update it. ++ */ ++ if (hci_dev_test_flag(hdev, HCI_PA_SYNC)) { ++ struct hci_conn *conn; ++ ++ conn = hci_conn_hash_lookup_create_pa_sync(hdev); ++ if (conn && conn->sid == HCI_SID_INVALID) ++ conn->sid = info->sid; ++ } ++ + if (legacy_evt_type != LE_ADV_INVALID) { + process_adv_report(hdev, legacy_evt_type, &info->bdaddr, + info->bdaddr_type, NULL, 0, +@@ -7136,7 +7147,8 @@ static void hci_le_meta_evt(struct hci_dev *hdev, void *data, + + /* Only match event if command OGF is for LE */ + if (hdev->req_skb && +- hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 && ++ (hci_opcode_ogf(hci_skb_opcode(hdev->req_skb)) == 0x08 || ++ hci_skb_opcode(hdev->req_skb) == HCI_OP_NOP) && + hci_skb_event(hdev->req_skb) == ev->subevent) { + *opcode = hci_skb_opcode(hdev->req_skb); + hci_req_cmd_complete(hdev, *opcode, 0x00, req_complete, +@@ -7492,8 +7504,10 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) + goto done; + } + ++ hci_dev_lock(hdev); + kfree_skb(hdev->recv_event); + hdev->recv_event = skb_clone(skb, GFP_KERNEL); ++ hci_dev_unlock(hdev); + + event = hdr->evt; + if (!event) { +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 6597936fbd51b..59011f45906a1 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -6890,20 +6890,37 @@ int hci_le_conn_update_sync(struct hci_dev *hdev, struct hci_conn *conn, + + static void create_pa_complete(struct hci_dev *hdev, void *data, int err) + { ++ struct hci_conn *conn = data; ++ struct hci_conn *pa_sync; ++ + bt_dev_dbg(hdev, "err %d", err); + +- if (!err) ++ if (err == -ECANCELED) + return; + ++ hci_dev_lock(hdev); ++ + hci_dev_clear_flag(hdev, HCI_PA_SYNC); + +- if (err == -ECANCELED) +- return; ++ if (!hci_conn_valid(hdev, conn)) ++ clear_bit(HCI_CONN_CREATE_PA_SYNC, &conn->flags); + +- hci_dev_lock(hdev); ++ if (!err) ++ goto unlock; + +- hci_update_passive_scan_sync(hdev); ++ /* Add connection to indicate PA sync error */ ++ pa_sync = hci_conn_add_unset(hdev, ISO_LINK, BDADDR_ANY, ++ HCI_ROLE_SLAVE); + ++ if (IS_ERR(pa_sync)) ++ goto unlock; ++ ++ set_bit(HCI_CONN_PA_SYNC_FAILED, &pa_sync->flags); ++ ++ /* Notify iso layer */ ++ hci_connect_cfm(pa_sync, bt_status(err)); ++ ++unlock: + hci_dev_unlock(hdev); + } + +@@ -6917,9 +6934,23 @@ static int hci_le_pa_create_sync(struct hci_dev *hdev, void *data) + if (!hci_conn_valid(hdev, conn)) + return -ECANCELED; + ++ if (conn->sync_handle != HCI_SYNC_HANDLE_INVALID) ++ return -EINVAL; ++ + if (hci_dev_test_and_set_flag(hdev, HCI_PA_SYNC)) + return -EBUSY; + ++ /* Stop scanning if SID has not been set and active scanning is enabled ++ * so we use passive scanning which will be scanning using the allow ++ * list programmed to contain only the connection address. ++ */ ++ if (conn->sid == HCI_SID_INVALID && ++ hci_dev_test_flag(hdev, HCI_LE_SCAN)) { ++ hci_scan_disable_sync(hdev); ++ hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED); ++ hci_discovery_set_state(hdev, DISCOVERY_STOPPED); ++ } ++ + /* Mark HCI_CONN_CREATE_PA_SYNC so hci_update_passive_scan_sync can + * program the address in the allow list so PA advertisements can be + * received. +@@ -6928,6 +6959,14 @@ static int hci_le_pa_create_sync(struct hci_dev *hdev, void *data) + + hci_update_passive_scan_sync(hdev); + ++ /* SID has not been set listen for HCI_EV_LE_EXT_ADV_REPORT to update ++ * it. ++ */ ++ if (conn->sid == HCI_SID_INVALID) ++ __hci_cmd_sync_status_sk(hdev, HCI_OP_NOP, 0, NULL, ++ HCI_EV_LE_EXT_ADV_REPORT, ++ conn->conn_timeout, NULL); ++ + memset(&cp, 0, sizeof(cp)); + cp.options = qos->bcast.options; + cp.sid = conn->sid; +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 72bf9b1db2247..a08a0f3d5003c 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -938,7 +938,7 @@ static int iso_sock_bind_bc(struct socket *sock, struct sockaddr *addr, + + iso_pi(sk)->dst_type = sa->iso_bc->bc_bdaddr_type; + +- if (sa->iso_bc->bc_sid > 0x0f) ++ if (sa->iso_bc->bc_sid > 0x0f && sa->iso_bc->bc_sid != HCI_SID_INVALID) + return -EINVAL; + + iso_pi(sk)->bc_sid = sa->iso_bc->bc_sid; +@@ -1963,6 +1963,9 @@ static bool iso_match_sid(struct sock *sk, void *data) + { + struct hci_ev_le_pa_sync_established *ev = data; + ++ if (iso_pi(sk)->bc_sid == HCI_SID_INVALID) ++ return true; ++ + return ev->sid == iso_pi(sk)->bc_sid; + } + +@@ -2009,8 +2012,10 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags) + if (ev1) { + sk = iso_get_sock(&hdev->bdaddr, bdaddr, BT_LISTEN, + iso_match_sid, ev1); +- if (sk && !ev1->status) ++ if (sk && !ev1->status) { + iso_pi(sk)->sync_handle = le16_to_cpu(ev1->handle); ++ iso_pi(sk)->bc_sid = ev1->sid; ++ } + + goto done; + } +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch b/queue-6.12/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch new file mode 100644 index 0000000000..f9d686b8d8 --- /dev/null +++ b/queue-6.12/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch @@ -0,0 +1,40 @@ +From 6cd9acecda4d260545969990f02305aa111e6e52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 14:53:11 -0400 +Subject: Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION + +From: Luiz Augusto von Dentz + +[ Upstream commit 03dba9cea72f977e873e4e60e220fa596959dd8f ] + +Depending on the security set the response to L2CAP_LE_CONN_REQ shall be +just L2CAP_CR_LE_ENCRYPTION if only encryption when BT_SECURITY_MEDIUM +is selected since that means security mode 2 which doesn't require +authentication which is something that is covered in the qualification +test L2CAP/LE/CFC/BV-25-C. + +Link: https://github.com/bluez/bluez/issues/1270 +Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 66fa5d6fea6ca..a40534bf9084d 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4835,7 +4835,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, + + if (!smp_sufficient_security(conn->hcon, pchan->sec_level, + SMP_ALLOW_STK)) { +- result = L2CAP_CR_LE_AUTHENTICATION; ++ result = pchan->sec_level == BT_SECURITY_MEDIUM ? ++ L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION; + chan = NULL; + goto response_unlock; + } +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch b/queue-6.12/bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch new file mode 100644 index 0000000000..0cf207e888 --- /dev/null +++ b/queue-6.12/bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch @@ -0,0 +1,36 @@ +From 859b84b252a48f6da3149ad92576e80f8ea84f2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 11:42:30 +0300 +Subject: Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() + +From: Dmitry Antipov + +[ Upstream commit 3bb88524b7d030160bb3c9b35f928b2778092111 ] + +In 'mgmt_mesh_foreach()', iterate over mesh commands +rather than generic mgmt ones. Compile tested only. + +Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") +Signed-off-by: Dmitry Antipov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c +index 17ab909a7c07f..67db32a60c6a9 100644 +--- a/net/bluetooth/mgmt_util.c ++++ b/net/bluetooth/mgmt_util.c +@@ -321,7 +321,7 @@ void mgmt_mesh_foreach(struct hci_dev *hdev, + { + struct mgmt_mesh_tx *mesh_tx, *tmp; + +- list_for_each_entry_safe(mesh_tx, tmp, &hdev->mgmt_pending, list) { ++ list_for_each_entry_safe(mesh_tx, tmp, &hdev->mesh_pending, list) { + if (!sk || mesh_tx->sk == sk) + cb(mesh_tx, data); + } +-- +2.39.5 + diff --git a/queue-6.12/bonding-assign-random-address-if-device-address-is-s.patch b/queue-6.12/bonding-assign-random-address-if-device-address-is-s.patch new file mode 100644 index 0000000000..7f87fd5131 --- /dev/null +++ b/queue-6.12/bonding-assign-random-address-if-device-address-is-s.patch @@ -0,0 +1,92 @@ +From c9a31b92cf1765c83369061f9ac97d648741bda7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 04:22:38 +0000 +Subject: bonding: assign random address if device address is same as bond + +From: Hangbin Liu + +[ Upstream commit 5c3bf6cba7911f470afd748606be5c03a9512fcc ] + +This change addresses a MAC address conflict issue in failover scenarios, +similar to the problem described in commit a951bc1e6ba5 ("bonding: correct +the MAC address for 'follow' fail_over_mac policy"). + +In fail_over_mac=follow mode, the bonding driver expects the formerly active +slave to swap MAC addresses with the newly active slave during failover. +However, under certain conditions, two slaves may end up with the same MAC +address, which breaks this policy: + +1) ip link set eth0 master bond0 + -> bond0 adopts eth0's MAC address (MAC0). + +2) ip link set eth1 master bond0 + -> eth1 is added as a backup with its own MAC (MAC1). + +3) ip link set eth0 nomaster + -> eth0 is released and restores its MAC (MAC0). + -> eth1 becomes the active slave, and bond0 assigns MAC0 to eth1. + +4) ip link set eth0 master bond0 + -> eth0 is re-added to bond0, now both eth0 and eth1 have MAC0. + +This results in a MAC address conflict and violates the expected behavior +of the failover policy. + +To fix this, we assign a random MAC address to any newly added slave if +its current MAC address matches that of the bond. The original (permanent) +MAC address is saved and will be restored when the device is released +from the bond. + +This ensures that each slave has a unique MAC address during failover +transitions, preserving the integrity of the fail_over_mac=follow policy. + +Fixes: 3915c1e8634a ("bonding: Add "follow" option to fail_over_mac") +Signed-off-by: Hangbin Liu +Acked-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 4d2e30f4ee250..2a513dbbd9756 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2113,15 +2113,26 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + * set the master's mac address to that of the first slave + */ + memcpy(ss.__data, bond_dev->dev_addr, bond_dev->addr_len); +- ss.ss_family = slave_dev->type; +- res = dev_set_mac_address(slave_dev, (struct sockaddr *)&ss, +- extack); +- if (res) { +- slave_err(bond_dev, slave_dev, "Error %d calling set_mac_address\n", res); +- goto err_restore_mtu; +- } ++ } else if (bond->params.fail_over_mac == BOND_FOM_FOLLOW && ++ BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP && ++ memcmp(slave_dev->dev_addr, bond_dev->dev_addr, bond_dev->addr_len) == 0) { ++ /* Set slave to random address to avoid duplicate mac ++ * address in later fail over. ++ */ ++ eth_random_addr(ss.__data); ++ } else { ++ goto skip_mac_set; + } + ++ ss.ss_family = slave_dev->type; ++ res = dev_set_mac_address(slave_dev, (struct sockaddr *)&ss, extack); ++ if (res) { ++ slave_err(bond_dev, slave_dev, "Error %d calling set_mac_address\n", res); ++ goto err_restore_mtu; ++ } ++ ++skip_mac_set: ++ + /* set no_addrconf flag before open to prevent IPv6 addrconf */ + slave_dev->priv_flags |= IFF_NO_ADDRCONF; + +-- +2.39.5 + diff --git a/queue-6.12/bpf-allow-xdp-dev-bound-programs-to-perform-xdp_redi.patch b/queue-6.12/bpf-allow-xdp-dev-bound-programs-to-perform-xdp_redi.patch new file mode 100644 index 0000000000..4cd28a5bac --- /dev/null +++ b/queue-6.12/bpf-allow-xdp-dev-bound-programs-to-perform-xdp_redi.patch @@ -0,0 +1,91 @@ +From e6dd3c74180b5cd8c92ea838b906966f1179a338 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 17:44:02 +0200 +Subject: bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps + +From: Lorenzo Bianconi + +[ Upstream commit 714070c4cb7a10ff57450a618a936775f3036245 ] + +In the current implementation if the program is dev-bound to a specific +device, it will not be possible to perform XDP_REDIRECT into a DEVMAP +or CPUMAP even if the program is running in the driver NAPI context and +it is not attached to any map entry. This seems in contrast with the +explanation available in bpf_prog_map_compatible routine. +Fix the issue introducing __bpf_prog_map_compatible utility routine in +order to avoid bpf_prog_is_dev_bound() check running bpf_check_tail_call() +at program load time (bpf_prog_select_runtime()). +Continue forbidding to attach a dev-bound program to XDP maps +(BPF_MAP_TYPE_PROG_ARRAY, BPF_MAP_TYPE_DEVMAP and BPF_MAP_TYPE_CPUMAP). + +Fixes: 3d76a4d3d4e59 ("bpf: XDP metadata RX kfuncs") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Martin KaFai Lau +Acked-by: Stanislav Fomichev +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index a60a6a2ce0d7f..a713cc7b00849 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -2303,8 +2303,8 @@ static unsigned int __bpf_prog_ret0_warn(const void *ctx, + return 0; + } + +-bool bpf_prog_map_compatible(struct bpf_map *map, +- const struct bpf_prog *fp) ++static bool __bpf_prog_map_compatible(struct bpf_map *map, ++ const struct bpf_prog *fp) + { + enum bpf_prog_type prog_type = resolve_prog_type(fp); + bool ret; +@@ -2313,14 +2313,6 @@ bool bpf_prog_map_compatible(struct bpf_map *map, + if (fp->kprobe_override) + return false; + +- /* XDP programs inserted into maps are not guaranteed to run on +- * a particular netdev (and can run outside driver context entirely +- * in the case of devmap and cpumap). Until device checks +- * are implemented, prohibit adding dev-bound programs to program maps. +- */ +- if (bpf_prog_is_dev_bound(aux)) +- return false; +- + spin_lock(&map->owner.lock); + if (!map->owner.type) { + /* There's no owner yet where we could check for +@@ -2354,6 +2346,19 @@ bool bpf_prog_map_compatible(struct bpf_map *map, + return ret; + } + ++bool bpf_prog_map_compatible(struct bpf_map *map, const struct bpf_prog *fp) ++{ ++ /* XDP programs inserted into maps are not guaranteed to run on ++ * a particular netdev (and can run outside driver context entirely ++ * in the case of devmap and cpumap). Until device checks ++ * are implemented, prohibit adding dev-bound programs to program maps. ++ */ ++ if (bpf_prog_is_dev_bound(fp->aux)) ++ return false; ++ ++ return __bpf_prog_map_compatible(map, fp); ++} ++ + static int bpf_check_tail_call(const struct bpf_prog *fp) + { + struct bpf_prog_aux *aux = fp->aux; +@@ -2366,7 +2371,7 @@ static int bpf_check_tail_call(const struct bpf_prog *fp) + if (!map_type_contains_progs(map)) + continue; + +- if (!bpf_prog_map_compatible(map, fp)) { ++ if (!__bpf_prog_map_compatible(map, fp)) { + ret = -EINVAL; + goto out; + } +-- +2.39.5 + diff --git a/queue-6.12/bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch b/queue-6.12/bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch new file mode 100644 index 0000000000..f71cb1020d --- /dev/null +++ b/queue-6.12/bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch @@ -0,0 +1,57 @@ +From b1901d728f640bdb603b45fcd3d063ad7493424a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 21:33:58 +0800 +Subject: bpf: Avoid __bpf_prog_ret0_warn when jit fails + +From: KaFai Wan + +[ Upstream commit 86bc9c742426a16b52a10ef61f5b721aecca2344 ] + +syzkaller reported an issue: + +WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 +Modules linked in: +CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 +RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 +Call Trace: + + bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] + __bpf_prog_run include/linux/filter.h:718 [inline] + bpf_prog_run include/linux/filter.h:725 [inline] + cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105 + ... + +When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable. +This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set +and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog, +but jit failed due to FAULT_INJECTION. As a result, incorrectly +treats the program as valid, when the program runs it calls +`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1). + +Reported-by: syzbot+0903f6d7f285e41cdf10@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/bpf/6816e34e.a70a0220.254cdc.002c.GAE@google.com +Fixes: fa9dd599b4da ("bpf: get rid of pure_initcall dependency to enable jits") +Signed-off-by: KaFai Wan +Link: https://lore.kernel.org/r/20250526133358.2594176-1-mannkafai@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index a713cc7b00849..68a327158989b 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -2419,7 +2419,7 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err) + /* In case of BPF to BPF calls, verifier did all the prep + * work with regards to JITing, etc. + */ +- bool jit_needed = false; ++ bool jit_needed = fp->jit_requested; + + if (fp->bpf_func) + goto finalize; +-- +2.39.5 + diff --git a/queue-6.12/bpf-check-link_create.flags-parameter-for-multi_kpro.patch b/queue-6.12/bpf-check-link_create.flags-parameter-for-multi_kpro.patch new file mode 100644 index 0000000000..41c5cdff2a --- /dev/null +++ b/queue-6.12/bpf-check-link_create.flags-parameter-for-multi_kpro.patch @@ -0,0 +1,41 @@ +From b7fc8c5dd90b94199211116c0776d1d3ed72a629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 11:57:51 +0800 +Subject: bpf: Check link_create.flags parameter for multi_kprobe + +From: Tao Chen + +[ Upstream commit 243911982aa9faf4361aa952f879331ad66933fe ] + +The link_create.flags are currently not used for multi-kprobes, so return +-EINVAL if it is set, same as for other attach APIs. + +We allow target_fd, on the other hand, to have an arbitrary value for +multi-kprobe, as there are existing users (libbpf) relying on this. + +Fixes: 0dcac2725406 ("bpf: Add multi kprobe link") +Signed-off-by: Tao Chen +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250407035752.1108927-1-chen.dylane@linux.dev +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index e5c063fc8ef97..042263e739e29 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -2932,6 +2932,9 @@ int bpf_kprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr + if (sizeof(u64) != sizeof(void *)) + return -EOPNOTSUPP; + ++ if (attr->link_create.flags) ++ return -EINVAL; ++ + if (!is_kprobe_multi(prog)) + return -EINVAL; + +-- +2.39.5 + diff --git a/queue-6.12/bpf-fix-ktls-panic-with-sockmap.patch b/queue-6.12/bpf-fix-ktls-panic-with-sockmap.patch new file mode 100644 index 0000000000..5c9b4815bc --- /dev/null +++ b/queue-6.12/bpf-fix-ktls-panic-with-sockmap.patch @@ -0,0 +1,123 @@ +From e5d8bee316f2b47cf173219adc57ab981d6678fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2025 13:20:14 +0800 +Subject: bpf: fix ktls panic with sockmap + +From: Jiayuan Chen + +[ Upstream commit 54a3ecaeeeae8176da8badbd7d72af1017032c39 ] + +[ 2172.936997] ------------[ cut here ]------------ +[ 2172.936999] kernel BUG at lib/iov_iter.c:629! +...... +[ 2172.944996] PKRU: 55555554 +[ 2172.945155] Call Trace: +[ 2172.945299] +[ 2172.945428] ? die+0x36/0x90 +[ 2172.945601] ? do_trap+0xdd/0x100 +[ 2172.945795] ? iov_iter_revert+0x178/0x180 +[ 2172.946031] ? iov_iter_revert+0x178/0x180 +[ 2172.946267] ? do_error_trap+0x7d/0x110 +[ 2172.946499] ? iov_iter_revert+0x178/0x180 +[ 2172.946736] ? exc_invalid_op+0x50/0x70 +[ 2172.946961] ? iov_iter_revert+0x178/0x180 +[ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20 +[ 2172.947446] ? iov_iter_revert+0x178/0x180 +[ 2172.947683] ? iov_iter_revert+0x5c/0x180 +[ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840 +[ 2172.948206] tls_sw_sendmsg+0x52/0x80 +[ 2172.948420] ? inet_sendmsg+0x1f/0x70 +[ 2172.948634] __sys_sendto+0x1cd/0x200 +[ 2172.948848] ? find_held_lock+0x2b/0x80 +[ 2172.949072] ? syscall_trace_enter+0x140/0x270 +[ 2172.949330] ? __lock_release.isra.0+0x5e/0x170 +[ 2172.949595] ? find_held_lock+0x2b/0x80 +[ 2172.949817] ? syscall_trace_enter+0x140/0x270 +[ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190 +[ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0 +[ 2172.951036] __x64_sys_sendto+0x24/0x30 +[ 2172.951382] do_syscall_64+0x90/0x170 +...... + +After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase, +e.g., when the BPF program executes bpf_msg_push_data(). + +If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, +it will return -ENOSPC and attempt to roll back to the non-zero copy +logic. However, during rollback, msg->msg_iter is reset, but since +msg_pl->sg.size has been increased, subsequent executions will exceed the +actual size of msg_iter. +''' +iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size); +''' + +The changes in this commit are based on the following considerations: + +1. When cork_bytes is set, rolling back to non-zero copy logic is +pointless and can directly go to zero-copy logic. + +2. We can not calculate the correct number of bytes to revert msg_iter. + +Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes +by the BPF program, it becomes 11-byte data: "abc?de?fgh?". +Then, we set cork_bytes to 6, which means the first 6 bytes have been +processed, and the remaining 5 bytes "?fgh?" will be cached until the +length meets the cork_bytes requirement. + +However, some data in "?fgh?" is not within 'sg->msg_iter' +(but in msg_pl instead), especially the data "?" we pushed. + +So it doesn't seem as simple as just reverting through an offset of +msg_iter. + +3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs, +the user-space send() doesn't return an error, and the returned length is +the same as the input length parameter, even if some data is cached. + +Additionally, I saw that the current non-zero-copy logic for handling +corking is written as: +''' +line 1177 +else if (ret != -EAGAIN) { + if (ret == -ENOSPC) + ret = 0; + goto send_end; +''' + +So it's ok to just return 'copied' without error when a "cork" situation +occurs. + +Fixes: fcb14cb1bdac ("new iov_iter flavour - ITER_UBUF") +Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") +Signed-off-by: Jiayuan Chen +Acked-by: John Fastabend +Link: https://lore.kernel.org/r/20250219052015.274405-2-jiayuan.chen@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 7bcc9b4408a2c..b3cae4dd4f499 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1120,9 +1120,13 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, + num_async++; + else if (ret == -ENOMEM) + goto wait_for_memory; +- else if (ctx->open_rec && ret == -ENOSPC) ++ else if (ctx->open_rec && ret == -ENOSPC) { ++ if (msg_pl->cork_bytes) { ++ ret = 0; ++ goto send_end; ++ } + goto rollback_iter; +- else if (ret != -EAGAIN) ++ } else if (ret != -EAGAIN) + goto send_end; + } + continue; +-- +2.39.5 + diff --git a/queue-6.12/bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch b/queue-6.12/bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch new file mode 100644 index 0000000000..ca1a7a1754 --- /dev/null +++ b/queue-6.12/bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch @@ -0,0 +1,58 @@ +From 0770b4cecd7054aa0713c3e68b7ee41841bd9917 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 May 2025 19:30:31 +0000 +Subject: bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ + +From: Anton Protopopov + +[ Upstream commit 41d4ce6df3f4945341ec509a840cc002a413b6cc ] + +With the latest LLVM bpf selftests build will fail with +the following error message: + + progs/profiler.inc.h:710:31: error: default initialization of an object of type 'typeof ((parent_task)->real_cred->uid.val)' (aka 'const unsigned int') leaves the object uninitialized and is incompatible with C++ [-Werror,-Wdefault-const-init-unsafe] + 710 | proc_exec_data->parent_uid = BPF_CORE_READ(parent_task, real_cred, uid.val); + | ^ + tools/testing/selftests/bpf/tools/include/bpf/bpf_core_read.h:520:35: note: expanded from macro 'BPF_CORE_READ' + 520 | ___type((src), a, ##__VA_ARGS__) __r; \ + | ^ + +This happens because BPF_CORE_READ (and other macro) declare the +variable __r using the ___type macro which can inherit const modifier +from intermediate types. + +Fix this by using __typeof_unqual__, when supported. (And when it +is not supported, the problem shouldn't appear, as older compilers +haven't complained.) + +Fixes: 792001f4f7aa ("libbpf: Add user-space variants of BPF_CORE_READ() family of macros") +Fixes: a4b09a9ef945 ("libbpf: Add non-CO-RE variants of BPF_CORE_READ() macro family") +Signed-off-by: Anton Protopopov +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250502193031.3522715-1-a.s.protopopov@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf_core_read.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h +index c0e13cdf96607..b997c68bd9453 100644 +--- a/tools/lib/bpf/bpf_core_read.h ++++ b/tools/lib/bpf/bpf_core_read.h +@@ -388,7 +388,13 @@ extern void *bpf_rdonly_cast(const void *obj, __u32 btf_id) __ksym __weak; + #define ___arrow10(a, b, c, d, e, f, g, h, i, j) a->b->c->d->e->f->g->h->i->j + #define ___arrow(...) ___apply(___arrow, ___narg(__VA_ARGS__))(__VA_ARGS__) + ++#if defined(__clang__) && (__clang_major__ >= 19) ++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__)) ++#elif defined(__GNUC__) && (__GNUC__ >= 14) ++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__)) ++#else + #define ___type(...) typeof(___arrow(__VA_ARGS__)) ++#endif + + #define ___read(read_fn, dst, src_type, src, accessor) \ + read_fn((void *)(dst), sizeof(*(dst)), &((src_type)(src))->accessor) +-- +2.39.5 + diff --git a/queue-6.12/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch b/queue-6.12/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch new file mode 100644 index 0000000000..774493413d --- /dev/null +++ b/queue-6.12/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch @@ -0,0 +1,86 @@ +From c1202a31ed32b4e07ac378c0d5ff5f365429125b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:27:47 +0800 +Subject: bpf: Fix WARN() in get_bpf_raw_tp_regs + +From: Tao Chen + +[ Upstream commit 3880cdbed1c4607e378f58fa924c5d6df900d1d3 ] + +syzkaller reported an issue: + +WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 +Modules linked in: +CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 +RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c +RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 +RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 +R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 +R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 +FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline] + bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931 + bpf_prog_ec3b2eefa702d8d3+0x43/0x47 + bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] + __bpf_prog_run include/linux/filter.h:718 [inline] + bpf_prog_run include/linux/filter.h:725 [inline] + __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline] + bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405 + __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47 + __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47 + __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] + trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] + __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35 + __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] + mmap_read_trylock include/linux/mmap_lock.h:204 [inline] + stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157 + __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483 + ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline] + bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496 + ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline] + bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931 + bpf_prog_ec3b2eefa702d8d3+0x43/0x47 + +Tracepoint like trace_mmap_lock_acquire_returned may cause nested call +as the corner case show above, which will be resolved with more general +method in the future. As a result, WARN_ON_ONCE will be triggered. As +Alexei suggested, remove the WARN_ON_ONCE first. + +Fixes: 9594dc3c7e71 ("bpf: fix nested bpf tracepoints with per-cpu data") +Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com +Suggested-by: Alexei Starovoitov +Signed-off-by: Tao Chen +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250513042747.757042-1-chen.dylane@linux.dev + +Closes: https://lore.kernel.org/bpf/8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 042263e739e29..66075e86b691c 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -1828,7 +1828,7 @@ static struct pt_regs *get_bpf_raw_tp_regs(void) + struct bpf_raw_tp_regs *tp_regs = this_cpu_ptr(&bpf_raw_tp_regs); + int nest_level = this_cpu_inc_return(bpf_raw_tp_nest_level); + +- if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(tp_regs->regs))) { ++ if (nest_level > ARRAY_SIZE(tp_regs->regs)) { + this_cpu_dec(bpf_raw_tp_nest_level); + return ERR_PTR(-EBUSY); + } +-- +2.39.5 + diff --git a/queue-6.12/bpf-revert-bpf-remove-unnecessary-rcu_read_-lock-unl.patch b/queue-6.12/bpf-revert-bpf-remove-unnecessary-rcu_read_-lock-unl.patch new file mode 100644 index 0000000000..60c119bd18 --- /dev/null +++ b/queue-6.12/bpf-revert-bpf-remove-unnecessary-rcu_read_-lock-unl.patch @@ -0,0 +1,48 @@ +From 1b7c11193e0ab72b41a44fd8603c53a19e041597 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 13:49:43 +0800 +Subject: bpf: Revert "bpf: remove unnecessary rcu_read_{lock,unlock}() in + multi-uprobe attach logic" + +From: Di Shen + +[ Upstream commit 4e2e6841ff761cc15a54e8bebcf35d7325ec78a2 ] + +This reverts commit 4a8f635a6054. + +Althought get_pid_task() internally already calls rcu_read_lock() and +rcu_read_unlock(), the find_vpid() was not. + +The documentation for find_vpid() clearly states: +"Must be called with the tasklist_lock or rcu_read_lock() held." + +Add proper rcu_read_lock/unlock() to protect the find_vpid(). + +Fixes: 4a8f635a6054 ("bpf: remove unnecessary rcu_read_{lock,unlock}() in multi-uprobe attach logic") +Reported-by: Xuewen Yan +Signed-off-by: Di Shen +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20250520054943.5002-1-xuewen.yan@unisoc.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 66075e86b691c..3ec7df7dbeec4 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -3349,7 +3349,9 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr + } + + if (pid) { ++ rcu_read_lock(); + task = get_pid_task(find_vpid(pid), PIDTYPE_TGID); ++ rcu_read_unlock(); + if (!task) { + err = -ESRCH; + goto error_path_put; +-- +2.39.5 + diff --git a/queue-6.12/bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch b/queue-6.12/bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch new file mode 100644 index 0000000000..a711dfa2d4 --- /dev/null +++ b/queue-6.12/bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch @@ -0,0 +1,125 @@ +From ace54801e173edfb1465b029efc6f064e176821d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 22:17:12 +0800 +Subject: bpf, sockmap: Avoid using sk_socket after free when sending + +From: Jiayuan Chen + +[ Upstream commit 8259eb0e06d8f64c700f5fbdb28a5c18e10de291 ] + +The sk->sk_socket is not locked or referenced in backlog thread, and +during the call to skb_send_sock(), there is a race condition with +the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) +will be affected. + +Race conditions: +''' +CPU0 CPU1 + +backlog::skb_send_sock + sendmsg_unlocked + sock_sendmsg + sock_sendmsg_nosec + close(fd): + ... + ops->release() -> sock_map_close() + sk_socket->ops = NULL + free(socket) + sock->ops->sendmsg + ^ + panic here +''' + +The ref of psock become 0 after sock_map_close() executed. +''' +void sock_map_close() +{ + ... + if (likely(psock)) { + ... + // !! here we remove psock and the ref of psock become 0 + sock_map_remove_links(sk, psock) + psock = sk_psock_get(sk); + if (unlikely(!psock)) + goto no_psock; <=== Control jumps here via goto + ... + cancel_delayed_work_sync(&psock->work); <=== not executed + sk_psock_put(sk, psock); + ... +} +''' + +Based on the fact that we already wait for the workqueue to finish in +sock_map_close() if psock is held, we simply increase the psock +reference count to avoid race conditions. + +With this patch, if the backlog thread is running, sock_map_close() will +wait for the backlog thread to complete and cancel all pending work. + +If no backlog running, any pending work that hasn't started by then will +fail when invoked by sk_psock_get(), as the psock reference count have +been zeroed, and sk_psock_drop() will cancel all jobs via +cancel_delayed_work_sync(). + +In summary, we require synchronization to coordinate the backlog thread +and close() thread. + +The panic I catched: +''' +Workqueue: events sk_psock_backlog +RIP: 0010:sock_sendmsg+0x21d/0x440 +RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 +... +Call Trace: + + ? die_addr+0x40/0xa0 + ? exc_general_protection+0x14c/0x230 + ? asm_exc_general_protection+0x26/0x30 + ? sock_sendmsg+0x21d/0x440 + ? sock_sendmsg+0x3e0/0x440 + ? __pfx_sock_sendmsg+0x10/0x10 + __skb_send_sock+0x543/0xb70 + sk_psock_backlog+0x247/0xb80 +... +''' + +Fixes: 4b4647add7d3 ("sock_map: avoid race between sock_map_close and sk_psock_put") +Reported-by: Michal Luczaj +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/r/20250516141713.291150-1-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 1219e0404def0..a8d238dd982af 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -655,6 +655,13 @@ static void sk_psock_backlog(struct work_struct *work) + bool ingress; + int ret; + ++ /* Increment the psock refcnt to synchronize with close(fd) path in ++ * sock_map_close(), ensuring we wait for backlog thread completion ++ * before sk_socket freed. If refcnt increment fails, it indicates ++ * sock_map_close() completed with sk_socket potentially already freed. ++ */ ++ if (!sk_psock_get(psock->sk)) ++ return; + mutex_lock(&psock->work_mutex); + while ((skb = skb_peek(&psock->ingress_skb))) { + len = skb->len; +@@ -706,6 +713,7 @@ static void sk_psock_backlog(struct work_struct *work) + } + end: + mutex_unlock(&psock->work_mutex); ++ sk_psock_put(psock->sk, psock); + } + + struct sk_psock *sk_psock_init(struct sock *sk, int node) +-- +2.39.5 + diff --git a/queue-6.12/bpf-sockmap-fix-duplicated-data-transmission.patch b/queue-6.12/bpf-sockmap-fix-duplicated-data-transmission.patch new file mode 100644 index 0000000000..008990cea0 --- /dev/null +++ b/queue-6.12/bpf-sockmap-fix-duplicated-data-transmission.patch @@ -0,0 +1,68 @@ +From 9e329fef793214ce0df74318029833cf25f4fa78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 22:21:21 +0800 +Subject: bpf, sockmap: fix duplicated data transmission + +From: Jiayuan Chen + +[ Upstream commit 3b4f14b794287be137ea2c6158765d1ea1e018a4 ] + +In the !ingress path under sk_psock_handle_skb(), when sending data to the +remote under snd_buf limitations, partial skb data might be transmitted. + +Although we preserved the partial transmission state (offset/length), the +state wasn't properly consumed during retries. This caused the retry path +to resend the entire skb data instead of continuing from the previous +offset, resulting in data overlap at the receiver side. + +Fixes: 405df89dd52c ("bpf, sockmap: Improved check for empty queue") +Signed-off-by: Jiayuan Chen +Link: https://lore.kernel.org/r/20250407142234.47591-3-jiayuan.chen@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index f76cbf49c68c8..74eac311faf25 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -655,11 +655,6 @@ static void sk_psock_backlog(struct work_struct *work) + int ret; + + mutex_lock(&psock->work_mutex); +- if (unlikely(state->len)) { +- len = state->len; +- off = state->off; +- } +- + while ((skb = skb_peek(&psock->ingress_skb))) { + len = skb->len; + off = 0; +@@ -669,6 +664,13 @@ static void sk_psock_backlog(struct work_struct *work) + off = stm->offset; + len = stm->full_len; + } ++ ++ /* Resume processing from previous partial state */ ++ if (unlikely(state->len)) { ++ len = state->len; ++ off = state->off; ++ } ++ + ingress = skb_bpf_ingress(skb); + skb_bpf_redirect_clear(skb); + do { +@@ -696,6 +698,8 @@ static void sk_psock_backlog(struct work_struct *work) + len -= ret; + } while (len); + ++ /* The entire skb sent, clear state */ ++ sk_psock_skb_state(psock, state, 0, 0); + skb = skb_dequeue(&psock->ingress_skb); + kfree_skb(skb); + } +-- +2.39.5 + diff --git a/queue-6.12/bpf-sockmap-fix-panic-when-calling-skb_linearize.patch b/queue-6.12/bpf-sockmap-fix-panic-when-calling-skb_linearize.patch new file mode 100644 index 0000000000..025a1fa4b2 --- /dev/null +++ b/queue-6.12/bpf-sockmap-fix-panic-when-calling-skb_linearize.patch @@ -0,0 +1,198 @@ +From 4e857db5613660c1e5082a14ebe1708a535531c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 22:21:22 +0800 +Subject: bpf, sockmap: Fix panic when calling skb_linearize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiayuan Chen + +[ Upstream commit 5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e ] + +The panic can be reproduced by executing the command: +./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000 + +Then a kernel panic was captured: +''' +[ 657.460555] kernel BUG at net/core/skbuff.c:2178! +[ 657.462680] Tainted: [W]=WARN +[ 657.463287] Workqueue: events sk_psock_backlog +... +[ 657.469610] +[ 657.469738] ? die+0x36/0x90 +[ 657.469916] ? do_trap+0x1d0/0x270 +[ 657.470118] ? pskb_expand_head+0x612/0xf40 +[ 657.470376] ? pskb_expand_head+0x612/0xf40 +[ 657.470620] ? do_error_trap+0xa3/0x170 +[ 657.470846] ? pskb_expand_head+0x612/0xf40 +[ 657.471092] ? handle_invalid_op+0x2c/0x40 +[ 657.471335] ? pskb_expand_head+0x612/0xf40 +[ 657.471579] ? exc_invalid_op+0x2d/0x40 +[ 657.471805] ? asm_exc_invalid_op+0x1a/0x20 +[ 657.472052] ? pskb_expand_head+0xd1/0xf40 +[ 657.472292] ? pskb_expand_head+0x612/0xf40 +[ 657.472540] ? lock_acquire+0x18f/0x4e0 +[ 657.472766] ? find_held_lock+0x2d/0x110 +[ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10 +[ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470 +[ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10 +[ 657.473826] __pskb_pull_tail+0xfd/0x1d20 +[ 657.474062] ? __kasan_slab_alloc+0x4e/0x90 +[ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510 +[ 657.475392] ? __kasan_kmalloc+0xaa/0xb0 +[ 657.476010] sk_psock_backlog+0x5cf/0xd70 +[ 657.476637] process_one_work+0x858/0x1a20 +''' + +The panic originates from the assertion BUG_ON(skb_shared(skb)) in +skb_linearize(). A previous commit(see Fixes tag) introduced skb_get() +to avoid race conditions between skb operations in the backlog and skb +release in the recvmsg path. However, this caused the panic to always +occur when skb_linearize is executed. + +The "--rx-strp 100000" parameter forces the RX path to use the strparser +module which aggregates data until it reaches 100KB before calling sockmap +logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize. + +To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue. + +''' +sk_psock_backlog: + sk_psock_handle_skb + skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue' + sk_psock_skb_ingress____________ + ↓ + | + | → sk_psock_skb_ingress_self + | sk_psock_skb_ingress_enqueue +sk_psock_verdict_apply_________________↑ skb_linearize +''' + +Note that for verdict_apply path, the skb_get operation is unnecessary so +we add 'take_ref' param to control it's behavior. + +Fixes: a454d84ee20b ("bpf, sockmap: Fix skb refcnt race after locking changes") +Signed-off-by: Jiayuan Chen +Link: https://lore.kernel.org/r/20250407142234.47591-4-jiayuan.chen@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 74eac311faf25..1219e0404def0 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -529,16 +529,22 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + u32 off, u32 len, + struct sk_psock *psock, + struct sock *sk, +- struct sk_msg *msg) ++ struct sk_msg *msg, ++ bool take_ref) + { + int num_sge, copied; + ++ /* skb_to_sgvec will fail when the total number of fragments in ++ * frag_list and frags exceeds MAX_MSG_FRAGS. For example, the ++ * caller may aggregate multiple skbs. ++ */ + num_sge = skb_to_sgvec(skb, msg->sg.data, off, len); + if (num_sge < 0) { + /* skb linearize may fail with ENOMEM, but lets simply try again + * later if this happens. Under memory pressure we don't want to + * drop the skb. We need to linearize the skb so that the mapping + * in skb_to_sgvec can not error. ++ * Note that skb_linearize requires the skb not to be shared. + */ + if (skb_linearize(skb)) + return -EAGAIN; +@@ -555,7 +561,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + msg->sg.start = 0; + msg->sg.size = copied; + msg->sg.end = num_sge; +- msg->skb = skb; ++ msg->skb = take_ref ? skb_get(skb) : skb; + + sk_psock_queue_msg(psock, msg); + sk_psock_data_ready(sk, psock); +@@ -563,7 +569,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + } + + static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb, +- u32 off, u32 len); ++ u32 off, u32 len, bool take_ref); + + static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb, + u32 off, u32 len) +@@ -577,7 +583,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb, + * correctly. + */ + if (unlikely(skb->sk == sk)) +- return sk_psock_skb_ingress_self(psock, skb, off, len); ++ return sk_psock_skb_ingress_self(psock, skb, off, len, true); + msg = sk_psock_create_ingress_msg(sk, skb); + if (!msg) + return -EAGAIN; +@@ -589,7 +595,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb, + * into user buffers. + */ + skb_set_owner_r(skb, sk); +- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, true); + if (err < 0) + kfree(msg); + return err; +@@ -600,7 +606,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb, + * because the skb is already accounted for here. + */ + static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb, +- u32 off, u32 len) ++ u32 off, u32 len, bool take_ref) + { + struct sk_msg *msg = alloc_sk_msg(GFP_ATOMIC); + struct sock *sk = psock->sk; +@@ -609,7 +615,7 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb + if (unlikely(!msg)) + return -EAGAIN; + skb_set_owner_r(skb, sk); +- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, take_ref); + if (err < 0) + kfree(msg); + return err; +@@ -618,18 +624,13 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb + static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb, + u32 off, u32 len, bool ingress) + { +- int err = 0; +- + if (!ingress) { + if (!sock_writeable(psock->sk)) + return -EAGAIN; + return skb_send_sock(psock->sk, skb, off, len); + } +- skb_get(skb); +- err = sk_psock_skb_ingress(psock, skb, off, len); +- if (err < 0) +- kfree_skb(skb); +- return err; ++ ++ return sk_psock_skb_ingress(psock, skb, off, len); + } + + static void sk_psock_skb_state(struct sk_psock *psock, +@@ -1017,7 +1018,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb, + off = stm->offset; + len = stm->full_len; + } +- err = sk_psock_skb_ingress_self(psock, skb, off, len); ++ err = sk_psock_skb_ingress_self(psock, skb, off, len, false); + } + if (err < 0) { + spin_lock_bh(&psock->ingress_lock); +-- +2.39.5 + diff --git a/queue-6.12/bpftool-fix-regression-of-bpftool-cgroup-tree-einval.patch b/queue-6.12/bpftool-fix-regression-of-bpftool-cgroup-tree-einval.patch new file mode 100644 index 0000000000..6fa919e8e3 --- /dev/null +++ b/queue-6.12/bpftool-fix-regression-of-bpftool-cgroup-tree-einval.patch @@ -0,0 +1,60 @@ +From cbdb3e7f3db31fea66afb659e38506ffcf0d345f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 21:15:36 +0000 +Subject: bpftool: Fix regression of "bpftool cgroup tree" EINVAL on older + kernels + +From: YiFei Zhu + +[ Upstream commit 43745d11bfd9683abdf08ad7a5cc403d6a9ffd15 ] + +If cgroup_has_attached_progs queries an attach type not supported +by the running kernel, due to the kernel being older than the bpftool +build, it would encounter an -EINVAL from BPF_PROG_QUERY syscall. + +Prior to commit 98b303c9bf05 ("bpftool: Query only cgroup-related +attach types"), this EINVAL would be ignored by the function, allowing +the function to only consider supported attach types. The commit +changed so that, instead of querying all attach types, only attach +types from the array `cgroup_attach_types` is queried. The assumption +is that because these are only cgroup attach types, they should all +be supported. Unfortunately this assumption may be false when the +kernel is older than the bpftool build, where the attach types queried +by bpftool is not yet implemented in the kernel. This would result in +errors such as: + + $ bpftool cgroup tree + CgroupPath + ID AttachType AttachFlags Name + Error: can't query bpf programs attached to /sys/fs/cgroup: Invalid argument + +This patch restores the logic of ignoring EINVAL from prior to that patch. + +Fixes: 98b303c9bf05 ("bpftool: Query only cgroup-related attach types") +Reported-by: Sagarika Sharma +Reported-by: Minh-Anh Nguyen +Signed-off-by: YiFei Zhu +Signed-off-by: Andrii Nakryiko +Acked-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20250428211536.1651456-1-zhuyifei@google.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c +index 9af426d432993..afab728468bf6 100644 +--- a/tools/bpf/bpftool/cgroup.c ++++ b/tools/bpf/bpftool/cgroup.c +@@ -221,7 +221,7 @@ static int cgroup_has_attached_progs(int cgroup_fd) + for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) { + int count = count_attached_bpf_progs(cgroup_fd, cgroup_attach_types[i]); + +- if (count < 0) ++ if (count < 0 && errno != EINVAL) + return -1; + + if (count > 0) { +-- +2.39.5 + diff --git a/queue-6.12/brd-fix-aligned_sector-from-brd_do_discard.patch b/queue-6.12/brd-fix-aligned_sector-from-brd_do_discard.patch new file mode 100644 index 0000000000..d2e13f9db1 --- /dev/null +++ b/queue-6.12/brd-fix-aligned_sector-from-brd_do_discard.patch @@ -0,0 +1,37 @@ +From 233df451a0b179ab28c34f6e83b43c809585c55f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 14:17:55 +0800 +Subject: brd: fix aligned_sector from brd_do_discard() + +From: Yu Kuai + +[ Upstream commit d4099f8893b057ad7e8d61df76bdeaf807ebd679 ] + +The calculation is just wrong, fix it by round_up(). + +Fixes: 9ead7efc6f3f ("brd: implement discard support") +Signed-off-by: Yu Kuai +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250506061756.2970934-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/brd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/brd.c b/drivers/block/brd.c +index 292f127cae0ab..9549cd71e083b 100644 +--- a/drivers/block/brd.c ++++ b/drivers/block/brd.c +@@ -224,7 +224,7 @@ static int brd_do_bvec(struct brd_device *brd, struct page *page, + + static void brd_do_discard(struct brd_device *brd, sector_t sector, u32 size) + { +- sector_t aligned_sector = (sector + PAGE_SECTORS) & ~PAGE_SECTORS; ++ sector_t aligned_sector = round_up(sector, PAGE_SECTORS); + struct page *page; + + size -= (aligned_sector - sector) * SECTOR_SIZE; +-- +2.39.5 + diff --git a/queue-6.12/brd-fix-discard-end-sector.patch b/queue-6.12/brd-fix-discard-end-sector.patch new file mode 100644 index 0000000000..941b073b25 --- /dev/null +++ b/queue-6.12/brd-fix-discard-end-sector.patch @@ -0,0 +1,60 @@ +From fd62621f6c7ed233cf1584cfccfa19c3b325e130 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 14:17:56 +0800 +Subject: brd: fix discard end sector + +From: Yu Kuai + +[ Upstream commit a26a339a654b9403f0ee1004f1db4c2b2a355460 ] + +brd_do_discard() just aligned start sector to page, this can only work +if the discard size if at least one page. For example: + +blkdiscard /dev/ram0 -o 5120 -l 1024 + +In this case, size = (1024 - (8192 - 5120)), which is a huge value. + +Fix the problem by round_down() the end sector. + +Fixes: 9ead7efc6f3f ("brd: implement discard support") +Signed-off-by: Yu Kuai +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250506061756.2970934-4-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/brd.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/brd.c b/drivers/block/brd.c +index 9549cd71e083b..02fa8106ef549 100644 +--- a/drivers/block/brd.c ++++ b/drivers/block/brd.c +@@ -225,18 +225,21 @@ static int brd_do_bvec(struct brd_device *brd, struct page *page, + static void brd_do_discard(struct brd_device *brd, sector_t sector, u32 size) + { + sector_t aligned_sector = round_up(sector, PAGE_SECTORS); ++ sector_t aligned_end = round_down( ++ sector + (size >> SECTOR_SHIFT), PAGE_SECTORS); + struct page *page; + +- size -= (aligned_sector - sector) * SECTOR_SIZE; ++ if (aligned_end <= aligned_sector) ++ return; ++ + xa_lock(&brd->brd_pages); +- while (size >= PAGE_SIZE && aligned_sector < rd_size * 2) { ++ while (aligned_sector < aligned_end && aligned_sector < rd_size * 2) { + page = __xa_erase(&brd->brd_pages, aligned_sector >> PAGE_SECTORS_SHIFT); + if (page) { + __free_page(page); + brd->brd_nr_pages--; + } + aligned_sector += PAGE_SECTORS; +- size -= PAGE_SIZE; + } + xa_unlock(&brd->brd_pages); + } +-- +2.39.5 + diff --git a/queue-6.12/btrfs-fix-invalid-data-space-release-when-truncating.patch b/queue-6.12/btrfs-fix-invalid-data-space-release-when-truncating.patch new file mode 100644 index 0000000000..b676695290 --- /dev/null +++ b/queue-6.12/btrfs-fix-invalid-data-space-release-when-truncating.patch @@ -0,0 +1,57 @@ +From e3516558f72d6971851f2f2d359d8b1242ffd55b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 17:08:50 +0100 +Subject: btrfs: fix invalid data space release when truncating block in NOCOW + mode + +From: Filipe Manana + +[ Upstream commit d3914d6030aa6be2993dfc223d096ff93018c236 ] + +If when truncating a block we fail to reserve data space and then we +proceed anyway because we can do a NOCOW write, if we later get an error +when trying to get the folio from the inode's mapping, we end up releasing +data space that we haven't reserved, screwing up the bytes_may_use counter +from the data space_info, eventually resulting in an underflow when all +other reservations done by other tasks are released, if any, or right away +if there are no other reservations at the moment. + +This is because when we get an error when trying to grab the block's folio +we call btrfs_delalloc_release_space(), which releases metadata (which we +have reserved) and data (which we haven't reserved). + +Fix this by calling btrfs_delalloc_release_space() only if we did reserve +data space, that is, if we aren't falling back to NOCOW, meaning the local +variable @only_release_metadata has a false value, otherwise release only +metadata by calling btrfs_delalloc_release_metadata(). + +Fixes: 6d4572a9d71d ("btrfs: allow btrfs_truncate_block() to fallback to nocow for data space reservation") +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 9ce1270addb04..1ab5b0c1b9b76 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4857,8 +4857,11 @@ int btrfs_truncate_block(struct btrfs_inode *inode, loff_t from, loff_t len, + folio = __filemap_get_folio(mapping, index, + FGP_LOCK | FGP_ACCESSED | FGP_CREAT, mask); + if (IS_ERR(folio)) { +- btrfs_delalloc_release_space(inode, data_reserved, block_start, +- blocksize, true); ++ if (only_release_metadata) ++ btrfs_delalloc_release_metadata(inode, blocksize, true); ++ else ++ btrfs_delalloc_release_space(inode, data_reserved, ++ block_start, blocksize, true); + btrfs_delalloc_release_extents(inode, blocksize); + ret = -ENOMEM; + goto out; +-- +2.39.5 + diff --git a/queue-6.12/btrfs-scrub-fix-a-wrong-error-type-when-metadata-byt.patch b/queue-6.12/btrfs-scrub-fix-a-wrong-error-type-when-metadata-byt.patch new file mode 100644 index 0000000000..c7609634cd --- /dev/null +++ b/queue-6.12/btrfs-scrub-fix-a-wrong-error-type-when-metadata-byt.patch @@ -0,0 +1,38 @@ +From 22209fcda0121c13e833f7c8568c722872ec0040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 18:56:18 +0930 +Subject: btrfs: scrub: fix a wrong error type when metadata bytenr mismatches + +From: Qu Wenruo + +[ Upstream commit f2c19541e421b3235efc515dad88b581f00592ae ] + +When the bytenr doesn't match for a metadata tree block, we will report +it as an csum error, which is incorrect and should be reported as a +metadata error instead. + +Fixes: a3ddbaebc7c9 ("btrfs: scrub: introduce a helper to verify one metadata block") +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/scrub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index 51eb41d18c3e5..3fcc7c092c5ec 100644 +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -619,7 +619,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr + memcpy(on_disk_csum, header->csum, fs_info->csum_size); + + if (logical != btrfs_stack_header_bytenr(header)) { +- bitmap_set(&stripe->csum_error_bitmap, sector_nr, sectors_per_tree); ++ bitmap_set(&stripe->meta_error_bitmap, sector_nr, sectors_per_tree); + bitmap_set(&stripe->error_bitmap, sector_nr, sectors_per_tree); + btrfs_warn_rl(fs_info, + "tree block %llu mirror %u has bad bytenr, has %llu want %llu", +-- +2.39.5 + diff --git a/queue-6.12/btrfs-scrub-update-device-stats-when-an-error-is-det.patch b/queue-6.12/btrfs-scrub-update-device-stats-when-an-error-is-det.patch new file mode 100644 index 0000000000..0e08dbcff9 --- /dev/null +++ b/queue-6.12/btrfs-scrub-update-device-stats-when-an-error-is-det.patch @@ -0,0 +1,184 @@ +From 91eaddd4b66c5aae171a43fa8da7e26c51831f19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 08:37:54 +0930 +Subject: btrfs: scrub: update device stats when an error is detected + +From: Qu Wenruo + +[ Upstream commit ec1f3a207cdf314eae4d4ae145f1ffdb829f0652 ] + +[BUG] +Since the migration to the new scrub_stripe interface, scrub no longer +updates the device stats when hitting an error, no matter if it's a read +or checksum mismatch error. E.g: + + BTRFS info (device dm-2): scrub: started on devid 1 + BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488 + BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file) + BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488 + BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file) + BTRFS info (device dm-2): scrub: finished on devid 1 with status: 0 + +Note there is no line showing the device stats error update. + +[CAUSE] +In the migration to the new scrub_stripe interface, we no longer call +btrfs_dev_stat_inc_and_print(). + +[FIX] +- Introduce a new bitmap for metadata generation errors + * A new bitmap + @meta_gen_error_bitmap is introduced to record which blocks have + metadata generation mismatch errors. + + * A new counter for that bitmap + @init_nr_meta_gen_errors, is also introduced to store the number of + generation mismatch errors that are found during the initial read. + + This is for the error reporting at scrub_stripe_report_errors(). + + * New dedicated error message for unrepaired generation mismatches + + * Update @meta_gen_error_bitmap if a transid mismatch is hit + +- Add btrfs_dev_stat_inc_and_print() calls to the following call sites + * scrub_stripe_report_errors() + * scrub_write_endio() + This is only for the write errors. + +This means there is a minor behavior change: + +- The timing of device stats error message + Since we concentrate the error messages at + scrub_stripe_report_errors(), the device stats error messages will all + show up in one go, after the detailed scrub error messages: + + BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488 + BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file) + BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488 + BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file) + BTRFS error (device dm-2): bdev /dev/mapper/test-scratch1 errs: wr 0, rd 0, flush 0, corrupt 1, gen 0 + BTRFS error (device dm-2): bdev /dev/mapper/test-scratch1 errs: wr 0, rd 0, flush 0, corrupt 2, gen 0 + +Fixes: e02ee89baa66 ("btrfs: scrub: switch scrub_simple_mirror() to scrub_stripe infrastructure") +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/scrub.c | 32 +++++++++++++++++++++++++++++--- + 1 file changed, 29 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index d8fcc3eb85c88..51eb41d18c3e5 100644 +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -153,12 +153,14 @@ struct scrub_stripe { + unsigned int init_nr_io_errors; + unsigned int init_nr_csum_errors; + unsigned int init_nr_meta_errors; ++ unsigned int init_nr_meta_gen_errors; + + /* + * The following error bitmaps are all for the current status. + * Every time we submit a new read, these bitmaps may be updated. + * +- * error_bitmap = io_error_bitmap | csum_error_bitmap | meta_error_bitmap; ++ * error_bitmap = io_error_bitmap | csum_error_bitmap | ++ * meta_error_bitmap | meta_generation_bitmap; + * + * IO and csum errors can happen for both metadata and data. + */ +@@ -166,6 +168,7 @@ struct scrub_stripe { + unsigned long io_error_bitmap; + unsigned long csum_error_bitmap; + unsigned long meta_error_bitmap; ++ unsigned long meta_gen_error_bitmap; + + /* For writeback (repair or replace) error reporting. */ + unsigned long write_error_bitmap; +@@ -672,7 +675,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr + } + if (stripe->sectors[sector_nr].generation != + btrfs_stack_header_generation(header)) { +- bitmap_set(&stripe->meta_error_bitmap, sector_nr, sectors_per_tree); ++ bitmap_set(&stripe->meta_gen_error_bitmap, sector_nr, sectors_per_tree); + bitmap_set(&stripe->error_bitmap, sector_nr, sectors_per_tree); + btrfs_warn_rl(fs_info, + "tree block %llu mirror %u has bad generation, has %llu want %llu", +@@ -684,6 +687,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr + bitmap_clear(&stripe->error_bitmap, sector_nr, sectors_per_tree); + bitmap_clear(&stripe->csum_error_bitmap, sector_nr, sectors_per_tree); + bitmap_clear(&stripe->meta_error_bitmap, sector_nr, sectors_per_tree); ++ bitmap_clear(&stripe->meta_gen_error_bitmap, sector_nr, sectors_per_tree); + } + + static void scrub_verify_one_sector(struct scrub_stripe *stripe, int sector_nr) +@@ -972,8 +976,22 @@ static void scrub_stripe_report_errors(struct scrub_ctx *sctx, + if (__ratelimit(&rs) && dev) + scrub_print_common_warning("header error", dev, false, + stripe->logical, physical); ++ if (test_bit(sector_nr, &stripe->meta_gen_error_bitmap)) ++ if (__ratelimit(&rs) && dev) ++ scrub_print_common_warning("generation error", dev, false, ++ stripe->logical, physical); + } + ++ /* Update the device stats. */ ++ for (int i = 0; i < stripe->init_nr_io_errors; i++) ++ btrfs_dev_stat_inc_and_print(stripe->dev, BTRFS_DEV_STAT_READ_ERRS); ++ for (int i = 0; i < stripe->init_nr_csum_errors; i++) ++ btrfs_dev_stat_inc_and_print(stripe->dev, BTRFS_DEV_STAT_CORRUPTION_ERRS); ++ /* Generation mismatch error is based on each metadata, not each block. */ ++ for (int i = 0; i < stripe->init_nr_meta_gen_errors; ++ i += (fs_info->nodesize >> fs_info->sectorsize_bits)) ++ btrfs_dev_stat_inc_and_print(stripe->dev, BTRFS_DEV_STAT_GENERATION_ERRS); ++ + spin_lock(&sctx->stat_lock); + sctx->stat.data_extents_scrubbed += stripe->nr_data_extents; + sctx->stat.tree_extents_scrubbed += stripe->nr_meta_extents; +@@ -982,7 +1000,8 @@ static void scrub_stripe_report_errors(struct scrub_ctx *sctx, + sctx->stat.no_csum += nr_nodatacsum_sectors; + sctx->stat.read_errors += stripe->init_nr_io_errors; + sctx->stat.csum_errors += stripe->init_nr_csum_errors; +- sctx->stat.verify_errors += stripe->init_nr_meta_errors; ++ sctx->stat.verify_errors += stripe->init_nr_meta_errors + ++ stripe->init_nr_meta_gen_errors; + sctx->stat.uncorrectable_errors += + bitmap_weight(&stripe->error_bitmap, stripe->nr_sectors); + sctx->stat.corrected_errors += nr_repaired_sectors; +@@ -1028,6 +1047,8 @@ static void scrub_stripe_read_repair_worker(struct work_struct *work) + stripe->nr_sectors); + stripe->init_nr_meta_errors = bitmap_weight(&stripe->meta_error_bitmap, + stripe->nr_sectors); ++ stripe->init_nr_meta_gen_errors = bitmap_weight(&stripe->meta_gen_error_bitmap, ++ stripe->nr_sectors); + + if (bitmap_empty(&stripe->init_error_bitmap, stripe->nr_sectors)) + goto out; +@@ -1142,6 +1163,9 @@ static void scrub_write_endio(struct btrfs_bio *bbio) + bitmap_set(&stripe->write_error_bitmap, sector_nr, + bio_size >> fs_info->sectorsize_bits); + spin_unlock_irqrestore(&stripe->write_error_lock, flags); ++ for (int i = 0; i < (bio_size >> fs_info->sectorsize_bits); i++) ++ btrfs_dev_stat_inc_and_print(stripe->dev, ++ BTRFS_DEV_STAT_WRITE_ERRS); + } + bio_put(&bbio->bio); + +@@ -1508,10 +1532,12 @@ static void scrub_stripe_reset_bitmaps(struct scrub_stripe *stripe) + stripe->init_nr_io_errors = 0; + stripe->init_nr_csum_errors = 0; + stripe->init_nr_meta_errors = 0; ++ stripe->init_nr_meta_gen_errors = 0; + stripe->error_bitmap = 0; + stripe->io_error_bitmap = 0; + stripe->csum_error_bitmap = 0; + stripe->meta_error_bitmap = 0; ++ stripe->meta_gen_error_bitmap = 0; + } + + /* +-- +2.39.5 + diff --git a/queue-6.12/bus-fsl-mc-fix-double-free-on-mc_dev.patch b/queue-6.12/bus-fsl-mc-fix-double-free-on-mc_dev.patch new file mode 100644 index 0000000000..2c6a7ff2fd --- /dev/null +++ b/queue-6.12/bus-fsl-mc-fix-double-free-on-mc_dev.patch @@ -0,0 +1,52 @@ +From f5654092bca65f1b89d1e91c7facc98915011f12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 13:58:09 +0300 +Subject: bus: fsl-mc: fix double-free on mc_dev + +From: Ioana Ciornei + +[ Upstream commit d694bf8a9acdbd061596f3e7549bc8cb70750a60 ] + +The blamed commit tried to simplify how the deallocations are done but, +in the process, introduced a double-free on the mc_dev variable. + +In case the MC device is a DPRC, a new mc_bus is allocated and the +mc_dev variable is just a reference to one of its fields. In this +circumstance, on the error path only the mc_bus should be freed. + +This commit introduces back the following checkpatch warning which is a +false-positive. + +WARNING: kfree(NULL) is safe and this check is probably not required ++ if (mc_bus) ++ kfree(mc_bus); + +Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations") +Signed-off-by: Ioana Ciornei +Link: https://lore.kernel.org/r/20250408105814.2837951-2-ioana.ciornei@nxp.com +Signed-off-by: Christophe Leroy +Signed-off-by: Sasha Levin +--- + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c +index 930d8a3ba722b..58d16ff166c2d 100644 +--- a/drivers/bus/fsl-mc/fsl-mc-bus.c ++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c +@@ -905,8 +905,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc, + + error_cleanup_dev: + kfree(mc_dev->regions); +- kfree(mc_bus); +- kfree(mc_dev); ++ if (mc_bus) ++ kfree(mc_bus); ++ else ++ kfree(mc_dev); + + return error; + } +-- +2.39.5 + diff --git a/queue-6.12/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch b/queue-6.12/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch new file mode 100644 index 0000000000..38cf5a74f4 --- /dev/null +++ b/queue-6.12/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch @@ -0,0 +1,108 @@ +From 35ba645eef9bf0d308dc942c955729132a08cffc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 15:18:56 -0700 +Subject: calipso: Don't call calipso functions for AF_INET sk. + +From: Kuniyuki Iwashima + +[ Upstream commit 6e9f2df1c550ead7cecb3e450af1105735020c92 ] + +syzkaller reported a null-ptr-deref in txopt_get(). [0] + +The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, +so struct ipv6_pinfo was NULL there. + +However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 +is always set in inet6_create(), meaning the socket was not IPv6 one. + +The root cause is missing validation in netlbl_conn_setattr(). + +netlbl_conn_setattr() switches branches based on struct +sockaddr.sa_family, which is passed from userspace. However, +netlbl_conn_setattr() does not check if the address family matches +the socket. + +The syzkaller must have called connect() for an IPv6 address on +an IPv4 socket. + +We have a proper validation in tcp_v[46]_connect(), but +security_socket_connect() is called in the earlier stage. + +Let's copy the validation to netlbl_conn_setattr(). + +[0]: +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] +CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] +RIP: 0010: +Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 +RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 +RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c +RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 +RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e +R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 +R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 +FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 +PKRU: 80000000 +Call Trace: + + calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557 + netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177 + selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569 + selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline] + selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615 + selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931 + security_socket_connect+0x50/0xa0 security/security.c:4598 + __sys_connect_file+0xa4/0x190 net/socket.c:2067 + __sys_connect+0x12c/0x170 net/socket.c:2088 + __do_sys_connect net/socket.c:2098 [inline] + __se_sys_connect net/socket.c:2095 [inline] + __x64_sys_connect+0x73/0xb0 net/socket.c:2095 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f901b61a12d +Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d +RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 +RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000 + +Modules linked in: + +Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") +Reported-by: syzkaller +Reported-by: John Cheung +Closes: https://lore.kernel.org/netdev/CAP=Rh=M1LzunrcQB1fSGauMrJrhL6GGps5cPAKzHJXj6GQV+-g@mail.gmail.com/ +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Link: https://patch.msgid.link/20250522221858.91240-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_kapi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c +index cd9160bbc9197..6ea16138582c0 100644 +--- a/net/netlabel/netlabel_kapi.c ++++ b/net/netlabel/netlabel_kapi.c +@@ -1165,6 +1165,9 @@ int netlbl_conn_setattr(struct sock *sk, + break; + #if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: ++ if (sk->sk_family != AF_INET6) ++ return -EAFNOSUPPORT; ++ + addr6 = (struct sockaddr_in6 *)addr; + entry = netlbl_domhsh_getentry_af6(secattr->domain, + &addr6->sin6_addr); +-- +2.39.5 + diff --git a/queue-6.12/cifs-fix-validation-of-smb1-query-reparse-point-resp.patch b/queue-6.12/cifs-fix-validation-of-smb1-query-reparse-point-resp.patch new file mode 100644 index 0000000000..f9889cb326 --- /dev/null +++ b/queue-6.12/cifs-fix-validation-of-smb1-query-reparse-point-resp.patch @@ -0,0 +1,83 @@ +From 711f621847580d556374ad35e2d725fb0bbf4e2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Dec 2024 19:55:13 +0100 +Subject: cifs: Fix validation of SMB1 query reparse point response +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 56e84c64fc257a95728ee73165456b025c48d408 ] + +Validate the SMB1 query reparse point response per [MS-CIFS] section +2.2.7.2 NT_TRANSACT_IOCTL. + +NT_TRANSACT_IOCTL response contains one word long setup data after which is +ByteCount member. So check that SetupCount is 1 before trying to read and +use ByteCount member. + +Output setup data contains ReturnedDataLen member which is the output +length of executed IOCTL command by remote system. So check that output was +not truncated before transferring over network. + +Change MaxSetupCount of NT_TRANSACT_IOCTL request from 4 to 1 as io_rsp +structure already expects one word long output setup data. This should +prevent server sending incompatible structure (in case it would be extended +in future, which is unlikely). + +Change MaxParameterCount of NT_TRANSACT_IOCTL request from 2 to 0 as +NT IOCTL does not have any documented output parameters and this function +does not parse any output parameters at all. + +Fixes: ed3e0a149b58 ("smb: client: implement ->query_reparse_point() for SMB1") +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifssmb.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c +index 8667f403a0ab6..cf8d9de2298fc 100644 +--- a/fs/smb/client/cifssmb.c ++++ b/fs/smb/client/cifssmb.c +@@ -2780,10 +2780,10 @@ int cifs_query_reparse_point(const unsigned int xid, + + io_req->TotalParameterCount = 0; + io_req->TotalDataCount = 0; +- io_req->MaxParameterCount = cpu_to_le32(2); ++ io_req->MaxParameterCount = cpu_to_le32(0); + /* BB find exact data count max from sess structure BB */ + io_req->MaxDataCount = cpu_to_le32(CIFSMaxBufSize & 0xFFFFFF00); +- io_req->MaxSetupCount = 4; ++ io_req->MaxSetupCount = 1; + io_req->Reserved = 0; + io_req->ParameterOffset = 0; + io_req->DataCount = 0; +@@ -2810,6 +2810,22 @@ int cifs_query_reparse_point(const unsigned int xid, + goto error; + } + ++ /* SetupCount must be 1, otherwise offset to ByteCount is incorrect. */ ++ if (io_rsp->SetupCount != 1) { ++ rc = -EIO; ++ goto error; ++ } ++ ++ /* ++ * ReturnedDataLen is output length of executed IOCTL. ++ * DataCount is output length transferred over network. ++ * Check that we have full FSCTL_GET_REPARSE_POINT buffer. ++ */ ++ if (data_count != le16_to_cpu(io_rsp->ReturnedDataLen)) { ++ rc = -EIO; ++ goto error; ++ } ++ + end = 2 + get_bcc(&io_rsp->hdr) + (__u8 *)&io_rsp->ByteCount; + start = (__u8 *)&io_rsp->hdr.Protocol + data_offset; + if (start >= end) { +-- +2.39.5 + diff --git a/queue-6.12/clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch b/queue-6.12/clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch new file mode 100644 index 0000000000..84eff1a504 --- /dev/null +++ b/queue-6.12/clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch @@ -0,0 +1,42 @@ +From aaa20257794103f867ca1ac6e38427bc87e77a60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 10:05:13 +0800 +Subject: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() + +From: Henry Martin + +[ Upstream commit 73c46d9a93d071ca69858dea3f569111b03e549e ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +raspberrypi_clk_register() does not check for this case, which results +in a NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks") +Signed-off-by: Henry Martin +Reviewed-by: Dave Stevenson +Link: https://lore.kernel.org/r/20250402020513.42628-1-bsdhenrymartin@gmail.com +Reviewed-by: Stefan Wahren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-raspberrypi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c +index a18a8768feb40..6cb26b6e7347d 100644 +--- a/drivers/clk/bcm/clk-raspberrypi.c ++++ b/drivers/clk/bcm/clk-raspberrypi.c +@@ -271,6 +271,8 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi, + init.name = devm_kasprintf(rpi->dev, GFP_KERNEL, + "fw-clk-%s", + rpi_firmware_clk_names[id]); ++ if (!init.name) ++ return ERR_PTR(-ENOMEM); + init.ops = &raspberrypi_firmware_clk_ops; + init.flags = CLK_GET_RATE_NOCACHE; + +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-camcc-sm6350-add-_wait_val-values-for-gdscs.patch b/queue-6.12/clk-qcom-camcc-sm6350-add-_wait_val-values-for-gdscs.patch new file mode 100644 index 0000000000..e43dd4ddc1 --- /dev/null +++ b/queue-6.12/clk-qcom-camcc-sm6350-add-_wait_val-values-for-gdscs.patch @@ -0,0 +1,95 @@ +From d2558e21031b63e216e7f9cbabc6ee468cd22f7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 14:12:55 +0200 +Subject: clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs + +From: Luca Weiss + +[ Upstream commit e7b1c13280ad866f3b935f6c658713c41db61635 ] + +Compared to the msm-4.19 driver the mainline GDSC driver always sets the +bits for en_rest, en_few & clk_dis, and if those values are not set +per-GDSC in the respective driver then the default value from the GDSC +driver is used. The downstream driver only conditionally sets +clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree. + +Correct this situation by explicitly setting those values. For all GDSCs +the reset value of those bits are used. + +Fixes: 80f5451d9a7c ("clk: qcom: Add camera clock controller driver for SM6350") +Signed-off-by: Luca Weiss +Reviewed-by: Taniya Das +Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-1-1f252d9c5e4e@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/camcc-sm6350.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/clk/qcom/camcc-sm6350.c b/drivers/clk/qcom/camcc-sm6350.c +index f6634cc8663ef..418668184ec35 100644 +--- a/drivers/clk/qcom/camcc-sm6350.c ++++ b/drivers/clk/qcom/camcc-sm6350.c +@@ -1694,6 +1694,9 @@ static struct clk_branch camcc_sys_tmr_clk = { + + static struct gdsc bps_gdsc = { + .gdscr = 0x6004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "bps_gdsc", + }, +@@ -1703,6 +1706,9 @@ static struct gdsc bps_gdsc = { + + static struct gdsc ipe_0_gdsc = { + .gdscr = 0x7004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "ipe_0_gdsc", + }, +@@ -1712,6 +1718,9 @@ static struct gdsc ipe_0_gdsc = { + + static struct gdsc ife_0_gdsc = { + .gdscr = 0x9004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "ife_0_gdsc", + }, +@@ -1720,6 +1729,9 @@ static struct gdsc ife_0_gdsc = { + + static struct gdsc ife_1_gdsc = { + .gdscr = 0xa004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "ife_1_gdsc", + }, +@@ -1728,6 +1740,9 @@ static struct gdsc ife_1_gdsc = { + + static struct gdsc ife_2_gdsc = { + .gdscr = 0xb004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "ife_2_gdsc", + }, +@@ -1736,6 +1751,9 @@ static struct gdsc ife_2_gdsc = { + + static struct gdsc titan_top_gdsc = { + .gdscr = 0x14004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "titan_top_gdsc", + }, +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch b/queue-6.12/clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch new file mode 100644 index 0000000000..9bd8fba017 --- /dev/null +++ b/queue-6.12/clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch @@ -0,0 +1,45 @@ +From a2f89da940bd79b52a4f51c2cd91f2abf4fa2846 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 14:12:56 +0200 +Subject: clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs + +From: Luca Weiss + +[ Upstream commit 673989d27123618afab56df1143a75454178b4ae ] + +Compared to the msm-4.19 driver the mainline GDSC driver always sets the +bits for en_rest, en_few & clk_dis, and if those values are not set +per-GDSC in the respective driver then the default value from the GDSC +driver is used. The downstream driver only conditionally sets +clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree. + +Correct this situation by explicitly setting those values. For all GDSCs +the reset value of those bits are used. + +Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350") +Signed-off-by: Luca Weiss +Reviewed-by: Taniya Das +Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-2-1f252d9c5e4e@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sm6350.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/clk/qcom/dispcc-sm6350.c b/drivers/clk/qcom/dispcc-sm6350.c +index 2bc6b5f99f572..d52fd4b49a02f 100644 +--- a/drivers/clk/qcom/dispcc-sm6350.c ++++ b/drivers/clk/qcom/dispcc-sm6350.c +@@ -680,6 +680,9 @@ static struct clk_branch disp_cc_xo_clk = { + + static struct gdsc mdss_gdsc = { + .gdscr = 0x1004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "mdss_gdsc", + }, +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch b/queue-6.12/clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch new file mode 100644 index 0000000000..0009879a7f --- /dev/null +++ b/queue-6.12/clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch @@ -0,0 +1,49 @@ +From 5888b04830febd1da3d23e12bdd8552ea5886700 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 18:45:12 +0200 +Subject: clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz + +From: Vincent Knecht + +[ Upstream commit 9e7acf70cf6aa7b22f67d911f50a8cd510e8fb00 ] + +Fix mclk0 & mclk1 parent map to use correct GPLL6 configuration and +freq_tbl to use GPLL6 instead of GPLL0 so that they tick at 24 MHz. + +Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller") +Suggested-by: Stephan Gerhold +Reviewed-by: Konrad Dybcio +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Vincent Knecht +Link: https://lore.kernel.org/r/20250414-gcc-msm8939-fixes-mclk-v2-resend2-v2-1-5ddcf572a6de@mailoo.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-msm8939.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-msm8939.c b/drivers/clk/qcom/gcc-msm8939.c +index 7431c9a65044f..45193b3d714ba 100644 +--- a/drivers/clk/qcom/gcc-msm8939.c ++++ b/drivers/clk/qcom/gcc-msm8939.c +@@ -432,7 +432,7 @@ static const struct parent_map gcc_xo_gpll0_gpll1a_gpll6_sleep_map[] = { + { P_XO, 0 }, + { P_GPLL0, 1 }, + { P_GPLL1_AUX, 2 }, +- { P_GPLL6, 2 }, ++ { P_GPLL6, 3 }, + { P_SLEEP_CLK, 6 }, + }; + +@@ -1113,7 +1113,7 @@ static struct clk_rcg2 jpeg0_clk_src = { + }; + + static const struct freq_tbl ftbl_gcc_camss_mclk0_1_clk[] = { +- F(24000000, P_GPLL0, 1, 1, 45), ++ F(24000000, P_GPLL6, 1, 1, 45), + F(66670000, P_GPLL0, 12, 0, 0), + { } + }; +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch b/queue-6.12/clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch new file mode 100644 index 0000000000..25e27b0d03 --- /dev/null +++ b/queue-6.12/clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch @@ -0,0 +1,55 @@ +From 840273ddebec535615ee31200b791e62f1f90d13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 14:12:57 +0200 +Subject: clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs + +From: Luca Weiss + +[ Upstream commit afdfd829a99e467869e3ca1955fb6c6e337c340a ] + +Compared to the msm-4.19 driver the mainline GDSC driver always sets the +bits for en_rest, en_few & clk_dis, and if those values are not set +per-GDSC in the respective driver then the default value from the GDSC +driver is used. The downstream driver only conditionally sets +clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree. + +Correct this situation by explicitly setting those values. For all GDSCs +the reset value of those bits are used. + +Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver") +Signed-off-by: Luca Weiss +Reviewed-by: Taniya Das +Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-3-1f252d9c5e4e@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sm6350.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/clk/qcom/gcc-sm6350.c b/drivers/clk/qcom/gcc-sm6350.c +index 74346dc026068..a4d6dff9d0f7f 100644 +--- a/drivers/clk/qcom/gcc-sm6350.c ++++ b/drivers/clk/qcom/gcc-sm6350.c +@@ -2320,6 +2320,9 @@ static struct clk_branch gcc_video_xo_clk = { + + static struct gdsc usb30_prim_gdsc = { + .gdscr = 0x1a004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "usb30_prim_gdsc", + }, +@@ -2328,6 +2331,9 @@ static struct gdsc usb30_prim_gdsc = { + + static struct gdsc ufs_phy_gdsc = { + .gdscr = 0x3a004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "ufs_phy_gdsc", + }, +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch b/queue-6.12/clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch new file mode 100644 index 0000000000..71483ee50d --- /dev/null +++ b/queue-6.12/clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch @@ -0,0 +1,56 @@ +From d667f3fd3766c6c3da1d56fdf1a23db6047f891f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 14:12:58 +0200 +Subject: clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs + +From: Luca Weiss + +[ Upstream commit d988b0b866c2aeb23aa74022b5bbd463165a7a33 ] + +Compared to the msm-4.19 driver the mainline GDSC driver always sets the +bits for en_rest, en_few & clk_dis, and if those values are not set +per-GDSC in the respective driver then the default value from the GDSC +driver is used. The downstream driver only conditionally sets +clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree. + +Correct this situation by explicitly setting those values. For all GDSCs +the reset value of those bits are used, with the exception of +gpu_cx_gdsc which has an explicit value (qcom,clk-dis-wait-val = <8>). + +Fixes: 013804a727a0 ("clk: qcom: Add GPU clock controller driver for SM6350") +Signed-off-by: Luca Weiss +Reviewed-by: Taniya Das +Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-4-1f252d9c5e4e@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gpucc-sm6350.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/clk/qcom/gpucc-sm6350.c b/drivers/clk/qcom/gpucc-sm6350.c +index 1e12ad8948dbd..644bdc41892c6 100644 +--- a/drivers/clk/qcom/gpucc-sm6350.c ++++ b/drivers/clk/qcom/gpucc-sm6350.c +@@ -412,6 +412,9 @@ static struct clk_branch gpu_cc_gx_vsense_clk = { + static struct gdsc gpu_cx_gdsc = { + .gdscr = 0x106c, + .gds_hw_ctrl = 0x1540, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0x8, + .pd = { + .name = "gpu_cx_gdsc", + }, +@@ -422,6 +425,9 @@ static struct gdsc gpu_cx_gdsc = { + static struct gdsc gpu_gx_gdsc = { + .gdscr = 0x100c, + .clamp_io_ctrl = 0x1508, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0x2, + .pd = { + .name = "gpu_gx_gdsc", + .power_on = gdsc_gx_do_nothing_enable, +-- +2.39.5 + diff --git a/queue-6.12/coresight-catu-introduce-refcount-and-spinlock-for-e.patch b/queue-6.12/coresight-catu-introduce-refcount-and-spinlock-for-e.patch new file mode 100644 index 0000000000..a640eda430 --- /dev/null +++ b/queue-6.12/coresight-catu-introduce-refcount-and-spinlock-for-e.patch @@ -0,0 +1,110 @@ +From d5c489a12059e2a7bf9ff61f0f6471ce7a11841d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 16:12:59 -0700 +Subject: coresight: catu: Introduce refcount and spinlock for + enabling/disabling + +From: Yabin Cui + +[ Upstream commit a03a0a08c6fe5e50c1b12ea41b9e228e7f649c22 ] + +When tracing ETM data on multiple CPUs concurrently via the +perf interface, the CATU device is shared across different CPU +paths. This can lead to race conditions when multiple CPUs attempt +to enable or disable the CATU device simultaneously. + +To address these race conditions, this patch introduces the +following changes: + +1. The enable and disable operations for the CATU device are not + reentrant. Therefore, a spinlock is added to ensure that only + one CPU can enable or disable a given CATU device at any point + in time. + +2. A reference counter is used to manage the enable/disable state + of the CATU device. The device is enabled when the first CPU + requires it and is only disabled when the last CPU finishes + using it. This ensures the device remains active as long as at + least one CPU needs it. + +Fixes: fcacb5c154ba ("coresight: Introduce support for Coresight Address Translation Unit") +Signed-off-by: Yabin Cui +Reviewed-by: James Clark +Reviewed-by: Leo Yan +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250429231301.1952246-2-yabinc@google.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-catu.c | 25 +++++++++++++------- + drivers/hwtracing/coresight/coresight-catu.h | 1 + + 2 files changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-catu.c b/drivers/hwtracing/coresight/coresight-catu.c +index 8cf85ff216bbe..25fd02955c38d 100644 +--- a/drivers/hwtracing/coresight/coresight-catu.c ++++ b/drivers/hwtracing/coresight/coresight-catu.c +@@ -458,12 +458,17 @@ static int catu_enable_hw(struct catu_drvdata *drvdata, enum cs_mode cs_mode, + static int catu_enable(struct coresight_device *csdev, enum cs_mode mode, + void *data) + { +- int rc; ++ int rc = 0; + struct catu_drvdata *catu_drvdata = csdev_to_catu_drvdata(csdev); + +- CS_UNLOCK(catu_drvdata->base); +- rc = catu_enable_hw(catu_drvdata, mode, data); +- CS_LOCK(catu_drvdata->base); ++ guard(raw_spinlock_irqsave)(&catu_drvdata->spinlock); ++ if (csdev->refcnt == 0) { ++ CS_UNLOCK(catu_drvdata->base); ++ rc = catu_enable_hw(catu_drvdata, mode, data); ++ CS_LOCK(catu_drvdata->base); ++ } ++ if (!rc) ++ csdev->refcnt++; + return rc; + } + +@@ -486,12 +491,15 @@ static int catu_disable_hw(struct catu_drvdata *drvdata) + + static int catu_disable(struct coresight_device *csdev, void *__unused) + { +- int rc; ++ int rc = 0; + struct catu_drvdata *catu_drvdata = csdev_to_catu_drvdata(csdev); + +- CS_UNLOCK(catu_drvdata->base); +- rc = catu_disable_hw(catu_drvdata); +- CS_LOCK(catu_drvdata->base); ++ guard(raw_spinlock_irqsave)(&catu_drvdata->spinlock); ++ if (--csdev->refcnt == 0) { ++ CS_UNLOCK(catu_drvdata->base); ++ rc = catu_disable_hw(catu_drvdata); ++ CS_LOCK(catu_drvdata->base); ++ } + return rc; + } + +@@ -550,6 +558,7 @@ static int __catu_probe(struct device *dev, struct resource *res) + dev->platform_data = pdata; + + drvdata->base = base; ++ raw_spin_lock_init(&drvdata->spinlock); + catu_desc.access = CSDEV_ACCESS_IOMEM(base); + catu_desc.pdata = pdata; + catu_desc.dev = dev; +diff --git a/drivers/hwtracing/coresight/coresight-catu.h b/drivers/hwtracing/coresight/coresight-catu.h +index 141feac1c14b0..755776cd19c5b 100644 +--- a/drivers/hwtracing/coresight/coresight-catu.h ++++ b/drivers/hwtracing/coresight/coresight-catu.h +@@ -65,6 +65,7 @@ struct catu_drvdata { + void __iomem *base; + struct coresight_device *csdev; + int irq; ++ raw_spinlock_t spinlock; + }; + + #define CATU_REG32(name, offset) \ +-- +2.39.5 + diff --git a/queue-6.12/coresight-fixes-device-s-owner-field-for-registered-.patch b/queue-6.12/coresight-fixes-device-s-owner-field-for-registered-.patch new file mode 100644 index 0000000000..547b48aa9a --- /dev/null +++ b/queue-6.12/coresight-fixes-device-s-owner-field-for-registered-.patch @@ -0,0 +1,175 @@ +From 61efb37db174fca1a642220defa6b0c74321c965 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2024 11:53:27 +0800 +Subject: coresight: Fixes device's owner field for registered using + coresight_init_driver() + +From: Junhao He + +[ Upstream commit 9f52aecc952ddf307571517d5c91136c8c4e87c9 ] + +The coresight_init_driver() of the coresight-core module is called from +the sub coresgiht device (such as tmc/stm/funnle/...) module. It calls +amba_driver_register() and Platform_driver_register(), which are macro +functions that use the coresight-core's module to initialize the caller's +owner field. Therefore, when the sub coresight device calls +coresight_init_driver(), an incorrect THIS_MODULE value is captured. + +The sub coesgiht modules can be removed while their callbacks are +running, resulting in a general protection failure. + +Add module parameter to coresight_init_driver() so can be called +with the module of the callback. + +Fixes: 075b7cd7ad7d ("coresight: Add helpers registering/removing both AMBA and platform drivers") +Signed-off-by: Junhao He +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20240918035327.9710-1-hejunhao3@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-catu.c | 2 +- + drivers/hwtracing/coresight/coresight-core.c | 6 +++--- + drivers/hwtracing/coresight/coresight-cpu-debug.c | 3 ++- + drivers/hwtracing/coresight/coresight-funnel.c | 3 ++- + drivers/hwtracing/coresight/coresight-replicator.c | 3 ++- + drivers/hwtracing/coresight/coresight-stm.c | 2 +- + drivers/hwtracing/coresight/coresight-tmc-core.c | 2 +- + drivers/hwtracing/coresight/coresight-tpiu.c | 2 +- + include/linux/coresight.h | 2 +- + 9 files changed, 14 insertions(+), 11 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-catu.c b/drivers/hwtracing/coresight/coresight-catu.c +index d8ad64ea81f11..8cf85ff216bbe 100644 +--- a/drivers/hwtracing/coresight/coresight-catu.c ++++ b/drivers/hwtracing/coresight/coresight-catu.c +@@ -702,7 +702,7 @@ static int __init catu_init(void) + { + int ret; + +- ret = coresight_init_driver("catu", &catu_driver, &catu_platform_driver); ++ ret = coresight_init_driver("catu", &catu_driver, &catu_platform_driver, THIS_MODULE); + tmc_etr_set_catu_ops(&etr_catu_buf_ops); + return ret; + } +diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c +index c42aa9fddab9b..c7e35a431ab00 100644 +--- a/drivers/hwtracing/coresight/coresight-core.c ++++ b/drivers/hwtracing/coresight/coresight-core.c +@@ -1422,17 +1422,17 @@ module_init(coresight_init); + module_exit(coresight_exit); + + int coresight_init_driver(const char *drv, struct amba_driver *amba_drv, +- struct platform_driver *pdev_drv) ++ struct platform_driver *pdev_drv, struct module *owner) + { + int ret; + +- ret = amba_driver_register(amba_drv); ++ ret = __amba_driver_register(amba_drv, owner); + if (ret) { + pr_err("%s: error registering AMBA driver\n", drv); + return ret; + } + +- ret = platform_driver_register(pdev_drv); ++ ret = __platform_driver_register(pdev_drv, owner); + if (!ret) + return 0; + +diff --git a/drivers/hwtracing/coresight/coresight-cpu-debug.c b/drivers/hwtracing/coresight/coresight-cpu-debug.c +index 75962dae9aa18..cc599c5ef4b22 100644 +--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c ++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c +@@ -774,7 +774,8 @@ static struct platform_driver debug_platform_driver = { + + static int __init debug_init(void) + { +- return coresight_init_driver("debug", &debug_driver, &debug_platform_driver); ++ return coresight_init_driver("debug", &debug_driver, &debug_platform_driver, ++ THIS_MODULE); + } + + static void __exit debug_exit(void) +diff --git a/drivers/hwtracing/coresight/coresight-funnel.c b/drivers/hwtracing/coresight/coresight-funnel.c +index 5a819c8970fbf..8f451b051ddc3 100644 +--- a/drivers/hwtracing/coresight/coresight-funnel.c ++++ b/drivers/hwtracing/coresight/coresight-funnel.c +@@ -433,7 +433,8 @@ static struct amba_driver dynamic_funnel_driver = { + + static int __init funnel_init(void) + { +- return coresight_init_driver("funnel", &dynamic_funnel_driver, &funnel_driver); ++ return coresight_init_driver("funnel", &dynamic_funnel_driver, &funnel_driver, ++ THIS_MODULE); + } + + static void __exit funnel_exit(void) +diff --git a/drivers/hwtracing/coresight/coresight-replicator.c b/drivers/hwtracing/coresight/coresight-replicator.c +index 3e55be9c84186..f7607c72857c5 100644 +--- a/drivers/hwtracing/coresight/coresight-replicator.c ++++ b/drivers/hwtracing/coresight/coresight-replicator.c +@@ -438,7 +438,8 @@ static struct amba_driver dynamic_replicator_driver = { + + static int __init replicator_init(void) + { +- return coresight_init_driver("replicator", &dynamic_replicator_driver, &replicator_driver); ++ return coresight_init_driver("replicator", &dynamic_replicator_driver, &replicator_driver, ++ THIS_MODULE); + } + + static void __exit replicator_exit(void) +diff --git a/drivers/hwtracing/coresight/coresight-stm.c b/drivers/hwtracing/coresight/coresight-stm.c +index cb3e04755c992..65bc50a6d3e9a 100644 +--- a/drivers/hwtracing/coresight/coresight-stm.c ++++ b/drivers/hwtracing/coresight/coresight-stm.c +@@ -1047,7 +1047,7 @@ static struct platform_driver stm_platform_driver = { + + static int __init stm_init(void) + { +- return coresight_init_driver("stm", &stm_driver, &stm_platform_driver); ++ return coresight_init_driver("stm", &stm_driver, &stm_platform_driver, THIS_MODULE); + } + + static void __exit stm_exit(void) +diff --git a/drivers/hwtracing/coresight/coresight-tmc-core.c b/drivers/hwtracing/coresight/coresight-tmc-core.c +index 3a482fd2cb225..475fa4bb6813b 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-core.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-core.c +@@ -741,7 +741,7 @@ static struct platform_driver tmc_platform_driver = { + + static int __init tmc_init(void) + { +- return coresight_init_driver("tmc", &tmc_driver, &tmc_platform_driver); ++ return coresight_init_driver("tmc", &tmc_driver, &tmc_platform_driver, THIS_MODULE); + } + + static void __exit tmc_exit(void) +diff --git a/drivers/hwtracing/coresight/coresight-tpiu.c b/drivers/hwtracing/coresight/coresight-tpiu.c +index b048e146fbb10..f9ecd05cbe5c5 100644 +--- a/drivers/hwtracing/coresight/coresight-tpiu.c ++++ b/drivers/hwtracing/coresight/coresight-tpiu.c +@@ -318,7 +318,7 @@ static struct platform_driver tpiu_platform_driver = { + + static int __init tpiu_init(void) + { +- return coresight_init_driver("tpiu", &tpiu_driver, &tpiu_platform_driver); ++ return coresight_init_driver("tpiu", &tpiu_driver, &tpiu_platform_driver, THIS_MODULE); + } + + static void __exit tpiu_exit(void) +diff --git a/include/linux/coresight.h b/include/linux/coresight.h +index f106b10251118..59f99b7da43f5 100644 +--- a/include/linux/coresight.h ++++ b/include/linux/coresight.h +@@ -683,7 +683,7 @@ coresight_find_output_type(struct coresight_platform_data *pdata, + union coresight_dev_subtype subtype); + + int coresight_init_driver(const char *drv, struct amba_driver *amba_drv, +- struct platform_driver *pdev_drv); ++ struct platform_driver *pdev_drv, struct module *owner); + + void coresight_remove_driver(struct amba_driver *amba_drv, + struct platform_driver *pdev_drv); +-- +2.39.5 + diff --git a/queue-6.12/coresight-prevent-deactivate-active-config-while-ena.patch b/queue-6.12/coresight-prevent-deactivate-active-config-while-ena.patch new file mode 100644 index 0000000000..41960f23fb --- /dev/null +++ b/queue-6.12/coresight-prevent-deactivate-active-config-while-ena.patch @@ -0,0 +1,179 @@ +From 5c2ace544ef8b4f5ce0b1ce3e37a952b75413fce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 17:19:51 +0100 +Subject: coresight: prevent deactivate active config while enabling the config + +From: Yeoreum Yun + +[ Upstream commit 408c97c4a5e0b634dcd15bf8b8808b382e888164 ] + +While enable active config via cscfg_csdev_enable_active_config(), +active config could be deactivated via configfs' sysfs interface. +This could make UAF issue in below scenario: + +CPU0 CPU1 +(sysfs enable) load module + cscfg_load_config_sets() + activate config. // sysfs + (sys_active_cnt == 1) +... +cscfg_csdev_enable_active_config() +lock(csdev->cscfg_csdev_lock) +// here load config activate by CPU1 +unlock(csdev->cscfg_csdev_lock) + + deactivate config // sysfs + (sys_activec_cnt == 0) + cscfg_unload_config_sets() + unload module + +// access to config_desc which freed +// while unloading module. +cscfg_csdev_enable_config + +To address this, use cscfg_config_desc's active_cnt as a reference count + which will be holded when + - activate the config. + - enable the activated config. +and put the module reference when config_active_cnt == 0. + +Fixes: f8cce2ff3c04 ("coresight: syscfg: Add API to activate and enable configurations") +Suggested-by: Suzuki K Poulose +Signed-off-by: Yeoreum Yun +Reviewed-by: Leo Yan +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250514161951.3427590-4-yeoreum.yun@arm.com +Signed-off-by: Sasha Levin +--- + .../hwtracing/coresight/coresight-config.h | 2 +- + .../hwtracing/coresight/coresight-syscfg.c | 49 +++++++++++++------ + 2 files changed, 35 insertions(+), 16 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-config.h b/drivers/hwtracing/coresight/coresight-config.h +index 6ba0139757418..84cdde6f0e4db 100644 +--- a/drivers/hwtracing/coresight/coresight-config.h ++++ b/drivers/hwtracing/coresight/coresight-config.h +@@ -228,7 +228,7 @@ struct cscfg_feature_csdev { + * @feats_csdev:references to the device features to enable. + */ + struct cscfg_config_csdev { +- const struct cscfg_config_desc *config_desc; ++ struct cscfg_config_desc *config_desc; + struct coresight_device *csdev; + bool enabled; + struct list_head node; +diff --git a/drivers/hwtracing/coresight/coresight-syscfg.c b/drivers/hwtracing/coresight/coresight-syscfg.c +index 11138a9762b01..30a561d874819 100644 +--- a/drivers/hwtracing/coresight/coresight-syscfg.c ++++ b/drivers/hwtracing/coresight/coresight-syscfg.c +@@ -867,6 +867,25 @@ void cscfg_csdev_reset_feats(struct coresight_device *csdev) + } + EXPORT_SYMBOL_GPL(cscfg_csdev_reset_feats); + ++static bool cscfg_config_desc_get(struct cscfg_config_desc *config_desc) ++{ ++ if (!atomic_fetch_inc(&config_desc->active_cnt)) { ++ /* must ensure that config cannot be unloaded in use */ ++ if (unlikely(cscfg_owner_get(config_desc->load_owner))) { ++ atomic_dec(&config_desc->active_cnt); ++ return false; ++ } ++ } ++ ++ return true; ++} ++ ++static void cscfg_config_desc_put(struct cscfg_config_desc *config_desc) ++{ ++ if (!atomic_dec_return(&config_desc->active_cnt)) ++ cscfg_owner_put(config_desc->load_owner); ++} ++ + /* + * This activate configuration for either perf or sysfs. Perf can have multiple + * active configs, selected per event, sysfs is limited to one. +@@ -890,22 +909,17 @@ static int _cscfg_activate_config(unsigned long cfg_hash) + if (config_desc->available == false) + return -EBUSY; + +- /* must ensure that config cannot be unloaded in use */ +- err = cscfg_owner_get(config_desc->load_owner); +- if (err) ++ if (!cscfg_config_desc_get(config_desc)) { ++ err = -EINVAL; + break; ++ } ++ + /* + * increment the global active count - control changes to + * active configurations + */ + atomic_inc(&cscfg_mgr->sys_active_cnt); + +- /* +- * mark the descriptor as active so enable config on a +- * device instance will use it +- */ +- atomic_inc(&config_desc->active_cnt); +- + err = 0; + dev_dbg(cscfg_device(), "Activate config %s.\n", config_desc->name); + break; +@@ -920,9 +934,8 @@ static void _cscfg_deactivate_config(unsigned long cfg_hash) + + list_for_each_entry(config_desc, &cscfg_mgr->config_desc_list, item) { + if ((unsigned long)config_desc->event_ea->var == cfg_hash) { +- atomic_dec(&config_desc->active_cnt); + atomic_dec(&cscfg_mgr->sys_active_cnt); +- cscfg_owner_put(config_desc->load_owner); ++ cscfg_config_desc_put(config_desc); + dev_dbg(cscfg_device(), "Deactivate config %s.\n", config_desc->name); + break; + } +@@ -1047,7 +1060,7 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev, + unsigned long cfg_hash, int preset) + { + struct cscfg_config_csdev *config_csdev_active = NULL, *config_csdev_item; +- const struct cscfg_config_desc *config_desc; ++ struct cscfg_config_desc *config_desc; + unsigned long flags; + int err = 0; + +@@ -1062,8 +1075,8 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev, + spin_lock_irqsave(&csdev->cscfg_csdev_lock, flags); + list_for_each_entry(config_csdev_item, &csdev->config_csdev_list, node) { + config_desc = config_csdev_item->config_desc; +- if ((atomic_read(&config_desc->active_cnt)) && +- ((unsigned long)config_desc->event_ea->var == cfg_hash)) { ++ if (((unsigned long)config_desc->event_ea->var == cfg_hash) && ++ cscfg_config_desc_get(config_desc)) { + config_csdev_active = config_csdev_item; + csdev->active_cscfg_ctxt = (void *)config_csdev_active; + break; +@@ -1097,7 +1110,11 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev, + err = -EBUSY; + spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags); + } ++ ++ if (err) ++ cscfg_config_desc_put(config_desc); + } ++ + return err; + } + EXPORT_SYMBOL_GPL(cscfg_csdev_enable_active_config); +@@ -1136,8 +1153,10 @@ void cscfg_csdev_disable_active_config(struct coresight_device *csdev) + spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags); + + /* true if there was an enabled active config */ +- if (config_csdev) ++ if (config_csdev) { + cscfg_csdev_disable_config(config_csdev); ++ cscfg_config_desc_put(config_csdev->config_desc); ++ } + } + EXPORT_SYMBOL_GPL(cscfg_csdev_disable_active_config); + +-- +2.39.5 + diff --git a/queue-6.12/counter-interrupt-cnt-protect-enable-disable-ops-wit.patch b/queue-6.12/counter-interrupt-cnt-protect-enable-disable-ops-wit.patch new file mode 100644 index 0000000000..accb57f8b5 --- /dev/null +++ b/queue-6.12/counter-interrupt-cnt-protect-enable-disable-ops-wit.patch @@ -0,0 +1,109 @@ +From 3e376e8fdfd39c9d4889c796a9b7c36d41a530b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 18:36:40 +0200 +Subject: counter: interrupt-cnt: Protect enable/disable OPs with mutex + +From: Alexander Sverdlin + +[ Upstream commit 7351312632e831e51383f48957d47712fae791ef ] + +Enable/disable seems to be racy on SMP, consider the following scenario: + +CPU0 CPU1 + +interrupt_cnt_enable_write(true) +{ + if (priv->enabled == enable) + return 0; + + if (enable) { + priv->enabled = true; + interrupt_cnt_enable_write(false) + { + if (priv->enabled == enable) + return 0; + + if (enable) { + priv->enabled = true; + enable_irq(priv->irq); + } else { + disable_irq(priv->irq) + priv->enabled = false; + } + enable_irq(priv->irq); + } else { + disable_irq(priv->irq); + priv->enabled = false; + } + +The above would result in priv->enabled == false, but IRQ left enabled. +Protect both write (above race) and read (to propagate the value on SMP) +callbacks with a mutex. + +Signed-off-by: Alexander Sverdlin +Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter") +Acked-by: Oleksij Rempel +Link: https://lore.kernel.org/r/20250331163642.2382651-1-alexander.sverdlin@siemens.com +Signed-off-by: William Breathitt Gray +Signed-off-by: Sasha Levin +--- + drivers/counter/interrupt-cnt.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/counter/interrupt-cnt.c b/drivers/counter/interrupt-cnt.c +index 229473855c5b3..bc762ba87a19b 100644 +--- a/drivers/counter/interrupt-cnt.c ++++ b/drivers/counter/interrupt-cnt.c +@@ -3,12 +3,14 @@ + * Copyright (c) 2021 Pengutronix, Oleksij Rempel + */ + ++#include + #include + #include + #include + #include + #include + #include ++#include + #include + #include + +@@ -19,6 +21,7 @@ struct interrupt_cnt_priv { + struct gpio_desc *gpio; + int irq; + bool enabled; ++ struct mutex lock; + struct counter_signal signals; + struct counter_synapse synapses; + struct counter_count cnts; +@@ -41,6 +44,8 @@ static int interrupt_cnt_enable_read(struct counter_device *counter, + { + struct interrupt_cnt_priv *priv = counter_priv(counter); + ++ guard(mutex)(&priv->lock); ++ + *enable = priv->enabled; + + return 0; +@@ -51,6 +56,8 @@ static int interrupt_cnt_enable_write(struct counter_device *counter, + { + struct interrupt_cnt_priv *priv = counter_priv(counter); + ++ guard(mutex)(&priv->lock); ++ + if (priv->enabled == enable) + return 0; + +@@ -227,6 +234,8 @@ static int interrupt_cnt_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ mutex_init(&priv->lock); ++ + ret = devm_counter_add(dev, counter); + if (ret < 0) + return dev_err_probe(dev, ret, "Failed to add counter\n"); +-- +2.39.5 + diff --git a/queue-6.12/crypto-api-redo-lookup-on-eexist.patch b/queue-6.12/crypto-api-redo-lookup-on-eexist.patch new file mode 100644 index 0000000000..19b73d7c54 --- /dev/null +++ b/queue-6.12/crypto-api-redo-lookup-on-eexist.patch @@ -0,0 +1,56 @@ +From ac165fbf9b815ef6575ef9a5a6debf835693f9a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 18:29:38 +0800 +Subject: crypto: api - Redo lookup on EEXIST + +From: Herbert Xu + +[ Upstream commit 0a3cf32da469ff1df6e016f5f82b439a63d14461 ] + +When two crypto algorithm lookups occur at the same time with +different names for the same algorithm, e.g., ctr(aes-generic) +and ctr(aes), they will both be instantiated. However, only one +of them can be registered. The second instantiation will fail +with EEXIST. + +Avoid failing the second lookup by making it retry, but only once +because there are tricky names such as gcm_base(ctr(aes),ghash) +that will always fail, despite triggering instantiation and EEXIST. + +Reported-by: Ingo Franzki +Fixes: 2825982d9d66 ("[CRYPTO] api: Added event notification") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/api.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/crypto/api.c b/crypto/api.c +index c2c4eb14ef955..5ce54328fef11 100644 +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -220,10 +220,19 @@ static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg, + if (crypto_is_test_larval(larval)) + crypto_larval_kill(larval); + alg = ERR_PTR(-ETIMEDOUT); +- } else if (!alg) { ++ } else if (!alg || PTR_ERR(alg) == -EEXIST) { ++ int err = alg ? -EEXIST : -EAGAIN; ++ ++ /* ++ * EEXIST is expected because two probes can be scheduled ++ * at the same time with one using alg_name and the other ++ * using driver_name. Do a re-lookup but do not retry in ++ * case we hit a quirk like gcm_base(ctr(aes),...) which ++ * will never match. ++ */ + alg = &larval->alg; + alg = crypto_alg_lookup(alg->cra_name, type, mask) ?: +- ERR_PTR(-EAGAIN); ++ ERR_PTR(err); + } else if (IS_ERR(alg)) + ; + else if (crypto_is_test_larval(larval) && +-- +2.39.5 + diff --git a/queue-6.12/crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch b/queue-6.12/crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch new file mode 100644 index 0000000000..45939a3d51 --- /dev/null +++ b/queue-6.12/crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch @@ -0,0 +1,48 @@ +From 5c10e2faf6597567461ba078d0d26e974317015e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:28:08 +0800 +Subject: crypto: lrw - Only add ecb if it is not already there + +From: Herbert Xu + +[ Upstream commit 3d73909bddc2ebb3224a8bc2e5ce00e9df70c15d ] + +Only add ecb to the cipher name if it isn't already ecb. + +Also use memcmp instead of strncmp since these strings are all +stored in an array of length CRYPTO_MAX_ALG_NAME. + +Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202505151503.d8a6cf10-lkp@intel.com +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/lrw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/lrw.c b/crypto/lrw.c +index e216fbf2b7866..4bede0031c63c 100644 +--- a/crypto/lrw.c ++++ b/crypto/lrw.c +@@ -322,7 +322,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb) + + err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst), + cipher_name, 0, mask); +- if (err == -ENOENT) { ++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) { + err = -ENAMETOOLONG; + if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)", + cipher_name) >= CRYPTO_MAX_ALG_NAME) +@@ -356,7 +356,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb) + /* Alas we screwed up the naming so we have to mangle the + * cipher name. + */ +- if (!strncmp(cipher_name, "ecb(", 4)) { ++ if (!memcmp(cipher_name, "ecb(", 4)) { + int len; + + len = strscpy(ecb_name, cipher_name + 4, sizeof(ecb_name)); +-- +2.39.5 + diff --git a/queue-6.12/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch b/queue-6.12/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch new file mode 100644 index 0000000000..4f11cca960 --- /dev/null +++ b/queue-6.12/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch @@ -0,0 +1,36 @@ +From bb2b12681e5a494bef784a7ec47c240aaa1eaa18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:43:33 +0800 +Subject: crypto: marvell/cesa - Avoid empty transfer descriptor + +From: Herbert Xu + +[ Upstream commit 1bafd82d9a40cf09c6c40f1c09cc35b7050b1a9f ] + +The user may set req->src even if req->nbytes == 0. If there +is no data to hash from req->src, do not generate an empty TDMA +descriptor. + +Fixes: db509a45339f ("crypto: marvell/cesa - add TDMA support") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cesa/hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c +index f150861ceaf69..6815eddc90681 100644 +--- a/drivers/crypto/marvell/cesa/hash.c ++++ b/drivers/crypto/marvell/cesa/hash.c +@@ -663,7 +663,7 @@ static int mv_cesa_ahash_dma_req_init(struct ahash_request *req) + if (ret) + goto err_free_tdma; + +- if (iter.src.sg) { ++ if (iter.base.len > iter.src.op_offset) { + /* + * Add all the new data, inserting an operation block and + * launch command between each full SRAM block-worth of +-- +2.39.5 + diff --git a/queue-6.12/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch b/queue-6.12/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch new file mode 100644 index 0000000000..c6521b378b --- /dev/null +++ b/queue-6.12/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch @@ -0,0 +1,36 @@ +From ac6b58271f6d8eb8b0b22737e62c80461e06b427 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:41:31 +0800 +Subject: crypto: marvell/cesa - Handle zero-length skcipher requests + +From: Herbert Xu + +[ Upstream commit 8a4e047c6cc07676f637608a9dd675349b5de0a7 ] + +Do not access random memory for zero-length skcipher requests. +Just return 0. + +Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cesa/cipher.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c +index 0f37dfd42d850..3876e3ce822f4 100644 +--- a/drivers/crypto/marvell/cesa/cipher.c ++++ b/drivers/crypto/marvell/cesa/cipher.c +@@ -459,6 +459,9 @@ static int mv_cesa_skcipher_queue_req(struct skcipher_request *req, + struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req); + struct mv_cesa_engine *engine; + ++ if (!req->cryptlen) ++ return 0; ++ + ret = mv_cesa_skcipher_req_init(req, tmpl); + if (ret) + return ret; +-- +2.39.5 + diff --git a/queue-6.12/crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch b/queue-6.12/crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch new file mode 100644 index 0000000000..6d2260b051 --- /dev/null +++ b/queue-6.12/crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch @@ -0,0 +1,77 @@ +From 8cc1ee984a9f6c50e51de5cf87dc4169aa6acf9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 15:45:14 +0300 +Subject: crypto: sun8i-ce-cipher - fix error handling in + sun8i_ce_cipher_prepare() + +From: Ovidiu Panait + +[ Upstream commit f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3 ] + +Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): + +1] If dma_map_sg() fails for areq->dst, the device driver would try to free + DMA memory it has not allocated in the first place. To fix this, on the + "theend_sgs" error path, call dma unmap only if the corresponding dma + map was successful. + +2] If the dma_map_single() call for the IV fails, the device driver would + try to free an invalid DMA memory address on the "theend_iv" path: + ------------[ cut here ]------------ + DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address + WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90 + Modules linked in: skcipher_example(O+) + CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT + Tainted: [O]=OOT_MODULE + Hardware name: OrangePi Zero2 (DT) + pc : check_unmap+0x123c/0x1b90 + lr : check_unmap+0x123c/0x1b90 + ... + Call trace: + check_unmap+0x123c/0x1b90 (P) + debug_dma_unmap_page+0xac/0xc0 + dma_unmap_page_attrs+0x1f4/0x5fc + sun8i_ce_cipher_do_one+0x1bd4/0x1f40 + crypto_pump_work+0x334/0x6e0 + kthread_worker_fn+0x21c/0x438 + kthread+0x374/0x664 + ret_from_fork+0x10/0x20 + ---[ end trace 0000000000000000 ]--- + +To fix this, check for !dma_mapping_error() before calling +dma_unmap_single() on the "theend_iv" path. + +Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c +index 19b7fb4a93e86..05f67661553c9 100644 +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c +@@ -275,13 +275,16 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req + } else { + if (nr_sgs > 0) + dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE); +- dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE); ++ ++ if (nr_sgd > 0) ++ dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE); + } + + theend_iv: + if (areq->iv && ivsize > 0) { +- if (rctx->addr_iv) ++ if (!dma_mapping_error(ce->dev, rctx->addr_iv)) + dma_unmap_single(ce->dev, rctx->addr_iv, rctx->ivlen, DMA_TO_DEVICE); ++ + offset = areq->cryptlen - ivsize; + if (rctx->op_dir & CE_DECRYPTION) { + memcpy(areq->iv, chan->backup_iv, ivsize); +-- +2.39.5 + diff --git a/queue-6.12/crypto-sun8i-ce-hash-fix-error-handling-in-sun8i_ce_.patch b/queue-6.12/crypto-sun8i-ce-hash-fix-error-handling-in-sun8i_ce_.patch new file mode 100644 index 0000000000..a6fb7b71f0 --- /dev/null +++ b/queue-6.12/crypto-sun8i-ce-hash-fix-error-handling-in-sun8i_ce_.patch @@ -0,0 +1,131 @@ +From ac6ca0d5f374a4db75616c5f25d7da22b8d0115b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 22:23:16 +0300 +Subject: crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run() + +From: Ovidiu Panait + +[ Upstream commit ea4dd134ef332bd9e3e734c1ba0a1521f436b678 ] + +Rework error handling in sun8i_ce_hash_run() to unmap the dma buffers in +case of failure. Currently, the dma unmap functions are not called if the +function errors out at various points. + +Fixes: 56f6d5aee88d1 ("crypto: sun8i-ce - support hash algorithms") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + .../crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 34 ++++++++++++------- + 1 file changed, 21 insertions(+), 13 deletions(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c +index 6072dd9f390b4..3f9d79ea01aaa 100644 +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c +@@ -343,9 +343,8 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) + u32 common; + u64 byte_count; + __le32 *bf; +- void *buf = NULL; ++ void *buf, *result; + int j, i, todo; +- void *result = NULL; + u64 bs; + int digestsize; + dma_addr_t addr_res, addr_pad; +@@ -365,14 +364,14 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) + buf = kcalloc(2, bs, GFP_KERNEL | GFP_DMA); + if (!buf) { + err = -ENOMEM; +- goto theend; ++ goto err_out; + } + bf = (__le32 *)buf; + + result = kzalloc(digestsize, GFP_KERNEL | GFP_DMA); + if (!result) { + err = -ENOMEM; +- goto theend; ++ goto err_free_buf; + } + + flow = rctx->flow; +@@ -398,7 +397,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) + if (nr_sgs <= 0 || nr_sgs > MAX_SG) { + dev_err(ce->dev, "Invalid sg number %d\n", nr_sgs); + err = -EINVAL; +- goto theend; ++ goto err_free_result; + } + + len = areq->nbytes; +@@ -411,7 +410,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) + if (len > 0) { + dev_err(ce->dev, "remaining len %d\n", len); + err = -EINVAL; +- goto theend; ++ goto err_unmap_src; + } + addr_res = dma_map_single(ce->dev, result, digestsize, DMA_FROM_DEVICE); + cet->t_dst[0].addr = desc_addr_val_le32(ce, addr_res); +@@ -419,7 +418,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) + if (dma_mapping_error(ce->dev, addr_res)) { + dev_err(ce->dev, "DMA map dest\n"); + err = -EINVAL; +- goto theend; ++ goto err_unmap_src; + } + + byte_count = areq->nbytes; +@@ -441,7 +440,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) + } + if (!j) { + err = -EINVAL; +- goto theend; ++ goto err_unmap_result; + } + + addr_pad = dma_map_single(ce->dev, buf, j * 4, DMA_TO_DEVICE); +@@ -450,7 +449,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) + if (dma_mapping_error(ce->dev, addr_pad)) { + dev_err(ce->dev, "DMA error on padding SG\n"); + err = -EINVAL; +- goto theend; ++ goto err_unmap_result; + } + + if (ce->variant->hash_t_dlen_in_bits) +@@ -463,16 +462,25 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq) + err = sun8i_ce_run_task(ce, flow, crypto_ahash_alg_name(tfm)); + + dma_unmap_single(ce->dev, addr_pad, j * 4, DMA_TO_DEVICE); +- dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE); ++ ++err_unmap_result: + dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE); ++ if (!err) ++ memcpy(areq->result, result, algt->alg.hash.base.halg.digestsize); + ++err_unmap_src: ++ dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE); + +- memcpy(areq->result, result, algt->alg.hash.base.halg.digestsize); +-theend: +- kfree(buf); ++err_free_result: + kfree(result); ++ ++err_free_buf: ++ kfree(buf); ++ ++err_out: + local_bh_disable(); + crypto_finalize_hash_request(engine, breq, err); + local_bh_enable(); ++ + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch b/queue-6.12/crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch new file mode 100644 index 0000000000..e29a55cb4c --- /dev/null +++ b/queue-6.12/crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch @@ -0,0 +1,41 @@ +From 2525b7246ae5a858be2609f002db81f6b74ec8ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 15:06:56 +0300 +Subject: crypto: sun8i-ce - move fallback ahash_request to the end of the + struct + +From: Ovidiu Panait + +[ Upstream commit c822831b426307a6ca426621504d3c7f99765a39 ] + +'struct ahash_request' has a flexible array at the end, so it must be the +last member in a struct, to avoid overwriting other struct members. + +Therefore, move 'fallback_req' to the end of the 'sun8i_ce_hash_reqctx' +struct. + +Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h +index 3b5c2af013d0d..83df4d7190531 100644 +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h +@@ -308,8 +308,8 @@ struct sun8i_ce_hash_tfm_ctx { + * @flow: the flow to use for this request + */ + struct sun8i_ce_hash_reqctx { +- struct ahash_request fallback_req; + int flow; ++ struct ahash_request fallback_req; // keep at the end + }; + + /* +-- +2.39.5 + diff --git a/queue-6.12/crypto-sun8i-ce-undo-runtime-pm-changes-during-drive.patch b/queue-6.12/crypto-sun8i-ce-undo-runtime-pm-changes-during-drive.patch new file mode 100644 index 0000000000..64e4998fce --- /dev/null +++ b/queue-6.12/crypto-sun8i-ce-undo-runtime-pm-changes-during-drive.patch @@ -0,0 +1,78 @@ +From a2a48810ec6719f61298bc9e847770c1edd801b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 22:06:50 +0300 +Subject: crypto: sun8i-ce - undo runtime PM changes during driver removal + +From: Ovidiu Panait + +[ Upstream commit 9334f427576e6d361a409959b52246b0aa10476f ] + +The pm_runtime_use_autosuspend() call must be undone with +pm_runtime_dont_use_autosuspend() at driver exit, but this is not +currently handled in the driver. + +To fix this issue and at the same time simplify error handling, switch +to devm_pm_runtime_enable(). It will call both pm_runtime_disable() and +pm_runtime_dont_use_autosuspend() during driver removal. + +Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + .../crypto/allwinner/sun8i-ce/sun8i-ce-core.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c +index e55e58e164db3..fcc6832a065cb 100644 +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c +@@ -832,13 +832,12 @@ static int sun8i_ce_pm_init(struct sun8i_ce_dev *ce) + err = pm_runtime_set_suspended(ce->dev); + if (err) + return err; +- pm_runtime_enable(ce->dev); +- return err; +-} + +-static void sun8i_ce_pm_exit(struct sun8i_ce_dev *ce) +-{ +- pm_runtime_disable(ce->dev); ++ err = devm_pm_runtime_enable(ce->dev); ++ if (err) ++ return err; ++ ++ return 0; + } + + static int sun8i_ce_get_clks(struct sun8i_ce_dev *ce) +@@ -1041,7 +1040,7 @@ static int sun8i_ce_probe(struct platform_device *pdev) + "sun8i-ce-ns", ce); + if (err) { + dev_err(ce->dev, "Cannot request CryptoEngine Non-secure IRQ (err=%d)\n", err); +- goto error_irq; ++ goto error_pm; + } + + err = sun8i_ce_register_algs(ce); +@@ -1082,8 +1081,6 @@ static int sun8i_ce_probe(struct platform_device *pdev) + return 0; + error_alg: + sun8i_ce_unregister_algs(ce); +-error_irq: +- sun8i_ce_pm_exit(ce); + error_pm: + sun8i_ce_free_chanlist(ce, MAXFLOW - 1); + return err; +@@ -1104,8 +1101,6 @@ static void sun8i_ce_remove(struct platform_device *pdev) + #endif + + sun8i_ce_free_chanlist(ce, MAXFLOW - 1); +- +- sun8i_ce_pm_exit(ce); + } + + static const struct of_device_id sun8i_ce_crypto_of_match_table[] = { +-- +2.39.5 + diff --git a/queue-6.12/crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch b/queue-6.12/crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch new file mode 100644 index 0000000000..7b8306f6b8 --- /dev/null +++ b/queue-6.12/crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch @@ -0,0 +1,39 @@ +From f3f5aa779e53cd418b7ecfdc23d4dacaa3f4d7d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Apr 2025 13:12:36 +0200 +Subject: crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions + +From: Corentin Labbe + +[ Upstream commit 2dfc7cd74a5e062a5405560447517e7aab1c7341 ] + +When testing sun8i-ss with multi_v7_defconfig, all CBC algorithm fail crypto +selftests. +This is strange since on sunxi_defconfig, everything was ok. +The problem was in the IV setup loop which never run because sg_dma_len +was 0. + +Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c +index 9b9605ce8ee62..8831bcb230c2d 100644 +--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c ++++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c +@@ -141,7 +141,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq) + + /* we need to copy all IVs from source in case DMA is bi-directionnal */ + while (sg && len) { +- if (sg_dma_len(sg) == 0) { ++ if (sg->length == 0) { + sg = sg_next(sg); + continue; + } +-- +2.39.5 + diff --git a/queue-6.12/crypto-xts-only-add-ecb-if-it-is-not-already-there.patch b/queue-6.12/crypto-xts-only-add-ecb-if-it-is-not-already-there.patch new file mode 100644 index 0000000000..5f9ab8e676 --- /dev/null +++ b/queue-6.12/crypto-xts-only-add-ecb-if-it-is-not-already-there.patch @@ -0,0 +1,46 @@ +From 2504cd64013e44ee44a7a80ef272e77a0319f119 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:34:04 +0800 +Subject: crypto: xts - Only add ecb if it is not already there + +From: Herbert Xu + +[ Upstream commit 270b6f13454cb7f2f7058c50df64df409c5dcf55 ] + +Only add ecb to the cipher name if it isn't already ecb. + +Also use memcmp instead of strncmp since these strings are all +stored in an array of length CRYPTO_MAX_ALG_NAME. + +Fixes: f1c131b45410 ("crypto: xts - Convert to skcipher") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/xts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/xts.c b/crypto/xts.c +index 672e1a3f0b0c9..91e391a6ba270 100644 +--- a/crypto/xts.c ++++ b/crypto/xts.c +@@ -363,7 +363,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb) + + err = crypto_grab_skcipher(&ctx->spawn, skcipher_crypto_instance(inst), + cipher_name, 0, mask); +- if (err == -ENOENT) { ++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) { + err = -ENAMETOOLONG; + if (snprintf(name, CRYPTO_MAX_ALG_NAME, "ecb(%s)", + cipher_name) >= CRYPTO_MAX_ALG_NAME) +@@ -397,7 +397,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb) + /* Alas we screwed up the naming so we have to mangle the + * cipher name. + */ +- if (!strncmp(cipher_name, "ecb(", 4)) { ++ if (!memcmp(cipher_name, "ecb(", 4)) { + int len; + + len = strscpy(name, cipher_name + 4, sizeof(name)); +-- +2.39.5 + diff --git a/queue-6.12/dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch b/queue-6.12/dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch new file mode 100644 index 0000000000..658ad69ba3 --- /dev/null +++ b/queue-6.12/dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch @@ -0,0 +1,81 @@ +From c755cea7cdf8dcd6aeffa08cb551cbda9d20ccff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 15:49:38 -0400 +Subject: dm: don't change md if dm_table_set_restrictions() fails + +From: Benjamin Marzinski + +[ Upstream commit 9eb7109a5bfc5b8226e9517e9f3cc6d414391884 ] + +__bind was changing the disk capacity, geometry and mempools of the +mapped device before calling dm_table_set_restrictions() which could +fail, forcing dm to drop the new table. Failing here would leave the +device using the old table but with the wrong capacity and mempools. + +Move dm_table_set_restrictions() earlier in __bind(). Since it needs the +capacity to be set, save the old version and restore it on failure. + +Fixes: bb37d77239af2 ("dm: introduce zone append emulation") +Reviewed-by: Damien Le Moal +Tested-by: Damien Le Moal +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index d29125ee9e72a..12d5f414a6788 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2410,21 +2410,29 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t, + struct queue_limits *limits) + { + struct dm_table *old_map; +- sector_t size; ++ sector_t size, old_size; + int ret; + + lockdep_assert_held(&md->suspend_lock); + + size = dm_table_get_size(t); + ++ old_size = dm_get_size(md); ++ set_capacity(md->disk, size); ++ ++ ret = dm_table_set_restrictions(t, md->queue, limits); ++ if (ret) { ++ set_capacity(md->disk, old_size); ++ old_map = ERR_PTR(ret); ++ goto out; ++ } ++ + /* + * Wipe any geometry if the size of the table changed. + */ +- if (size != dm_get_size(md)) ++ if (size != old_size) + memset(&md->geometry, 0, sizeof(md->geometry)); + +- set_capacity(md->disk, size); +- + dm_table_event_callback(t, event_callback, md); + + if (dm_table_request_based(t)) { +@@ -2457,12 +2465,6 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t, + t->mempools = NULL; + } + +- ret = dm_table_set_restrictions(t, md->queue, limits); +- if (ret) { +- old_map = ERR_PTR(ret); +- goto out; +- } +- + old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock)); + rcu_assign_pointer(md->map, (void *)t); + md->immutable_target_type = dm_table_get_immutable_target_type(t); +-- +2.39.5 + diff --git a/queue-6.12/dm-fix-dm_blk_report_zones.patch b/queue-6.12/dm-fix-dm_blk_report_zones.patch new file mode 100644 index 0000000000..3d53bebbc4 --- /dev/null +++ b/queue-6.12/dm-fix-dm_blk_report_zones.patch @@ -0,0 +1,120 @@ +From b10bbce8cbe8ddceca7db24ab4c1786446016261 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 15:49:41 -0400 +Subject: dm: fix dm_blk_report_zones + +From: Benjamin Marzinski + +[ Upstream commit 37f53a2c60d03743e0eacf7a0c01c279776fef4e ] + +If dm_get_live_table() returned NULL, dm_put_live_table() was never +called. Also, it is possible that md->zone_revalidate_map will change +while calling this function. Only read it once, so that we are always +using the same value. Otherwise we might miss a call to +dm_put_live_table(). + +Finally, while md->zone_revalidate_map is set and a process is calling +blk_revalidate_disk_zones() to set up the zone append emulation +resources, it is possible that another process, perhaps triggered by +blkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If +blk_revalidate_disk_zones() fails, these resources can be freed while +the other process is still using them, causing a use-after-free error. + +blk_revalidate_disk_zones() will only ever be called when initially +setting up the zone append emulation resources, such as when setting up +a zoned dm-crypt table for the first time. Further table swaps will not +set md->zone_revalidate_map or call blk_revalidate_disk_zones(). +However it must be called using the new table (referenced by +md->zone_revalidate_map) and the new queue limits while the DM device is +suspended. dm_blk_report_zones() needs some way to distinguish between a +call from blk_revalidate_disk_zones(), which must be allowed to use +md->zone_revalidate_map to access this not yet activated table, and all +other calls to dm_blk_report_zones(), which should not be allowed while +the device is suspended and cannot use md->zone_revalidate_map, since +the zone resources might be freed by the process currently calling +blk_revalidate_disk_zones(). + +Solve this by tracking the process that sets md->zone_revalidate_map in +dm_revalidate_zones() and only allowing that process to make use of it +in dm_blk_report_zones(). + +Fixes: f211268ed1f9b ("dm: Use the block layer zone append emulation") +Reviewed-by: Damien Le Moal +Tested-by: Damien Le Moal +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-core.h | 1 + + drivers/md/dm-zone.c | 25 +++++++++++++++++-------- + 2 files changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h +index 3637761f35853..f3a3f2ef63226 100644 +--- a/drivers/md/dm-core.h ++++ b/drivers/md/dm-core.h +@@ -141,6 +141,7 @@ struct mapped_device { + #ifdef CONFIG_BLK_DEV_ZONED + unsigned int nr_zones; + void *zone_revalidate_map; ++ struct task_struct *revalidate_map_task; + #endif + + #ifdef CONFIG_IMA +diff --git a/drivers/md/dm-zone.c b/drivers/md/dm-zone.c +index c0d41c36e06eb..04cc36a9d5ca4 100644 +--- a/drivers/md/dm-zone.c ++++ b/drivers/md/dm-zone.c +@@ -56,24 +56,31 @@ int dm_blk_report_zones(struct gendisk *disk, sector_t sector, + { + struct mapped_device *md = disk->private_data; + struct dm_table *map; +- int srcu_idx, ret; ++ struct dm_table *zone_revalidate_map = md->zone_revalidate_map; ++ int srcu_idx, ret = -EIO; ++ bool put_table = false; + +- if (!md->zone_revalidate_map) { +- /* Regular user context */ ++ if (!zone_revalidate_map || md->revalidate_map_task != current) { ++ /* ++ * Regular user context or ++ * Zone revalidation during __bind() is in progress, but this ++ * call is from a different process ++ */ + if (dm_suspended_md(md)) + return -EAGAIN; + + map = dm_get_live_table(md, &srcu_idx); +- if (!map) +- return -EIO; ++ put_table = true; + } else { + /* Zone revalidation during __bind() */ +- map = md->zone_revalidate_map; ++ map = zone_revalidate_map; + } + +- ret = dm_blk_do_report_zones(md, map, sector, nr_zones, cb, data); ++ if (map) ++ ret = dm_blk_do_report_zones(md, map, sector, nr_zones, cb, ++ data); + +- if (!md->zone_revalidate_map) ++ if (put_table) + dm_put_live_table(md, srcu_idx); + + return ret; +@@ -175,7 +182,9 @@ int dm_revalidate_zones(struct dm_table *t, struct request_queue *q) + * our table for dm_blk_report_zones() to use directly. + */ + md->zone_revalidate_map = t; ++ md->revalidate_map_task = current; + ret = blk_revalidate_disk_zones(disk); ++ md->revalidate_map_task = NULL; + md->zone_revalidate_map = NULL; + + if (ret) { +-- +2.39.5 + diff --git a/queue-6.12/dm-flakey-error-all-ios-when-num_features-is-absent.patch b/queue-6.12/dm-flakey-error-all-ios-when-num_features-is-absent.patch new file mode 100644 index 0000000000..0d303e57b7 --- /dev/null +++ b/queue-6.12/dm-flakey-error-all-ios-when-num_features-is-absent.patch @@ -0,0 +1,68 @@ +From d66888666966b14584c172316cf0aec29d7e0fcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Apr 2025 19:47:36 -0400 +Subject: dm-flakey: error all IOs when num_features is absent + +From: Benjamin Marzinski + +[ Upstream commit 40ed054f39bc99eac09871c33198e501f4acdf24 ] + +dm-flakey would error all IOs if num_features was 0, but if it was +absent, dm-flakey would never error any IO. Fix this so that no +num_features works the same as num_features set to 0. + +Fixes: aa7d7bc99fed7 ("dm flakey: add an "error_reads" option") +Reported-by: Kent Overstreet +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-flakey.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c +index b690905ab89ff..806a80dd3bd9b 100644 +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -53,8 +53,8 @@ struct per_bio_data { + static int parse_features(struct dm_arg_set *as, struct flakey_c *fc, + struct dm_target *ti) + { +- int r; +- unsigned int argc; ++ int r = 0; ++ unsigned int argc = 0; + const char *arg_name; + + static const struct dm_arg _args[] = { +@@ -65,14 +65,13 @@ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc, + {0, PROBABILITY_BASE, "Invalid random corrupt argument"}, + }; + +- /* No feature arguments supplied. */ +- if (!as->argc) +- return 0; +- +- r = dm_read_arg_group(_args, as, &argc, &ti->error); +- if (r) ++ if (as->argc && (r = dm_read_arg_group(_args, as, &argc, &ti->error))) + return r; + ++ /* No feature arguments supplied. */ ++ if (!argc) ++ goto error_all_io; ++ + while (argc) { + arg_name = dm_shift_arg(as); + argc--; +@@ -217,6 +216,7 @@ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc, + if (!fc->corrupt_bio_byte && !test_bit(ERROR_READS, &fc->flags) && + !test_bit(DROP_WRITES, &fc->flags) && !test_bit(ERROR_WRITES, &fc->flags) && + !fc->random_read_corrupt && !fc->random_write_corrupt) { ++error_all_io: + set_bit(ERROR_WRITES, &fc->flags); + set_bit(ERROR_READS, &fc->flags); + } +-- +2.39.5 + diff --git a/queue-6.12/dm-flakey-make-corrupting-read-bios-work.patch b/queue-6.12/dm-flakey-make-corrupting-read-bios-work.patch new file mode 100644 index 0000000000..771c97f9e1 --- /dev/null +++ b/queue-6.12/dm-flakey-make-corrupting-read-bios-work.patch @@ -0,0 +1,180 @@ +From 74cc08c09adda64b65e47365800473b19d2ae570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Apr 2025 19:47:38 -0400 +Subject: dm-flakey: make corrupting read bios work + +From: Benjamin Marzinski + +[ Upstream commit 13e79076c89f6e96a6cca8f6df38b40d025907b4 ] + +dm-flakey corrupts the read bios in the endio function. However, the +corrupt_bio_* functions checked bio_has_data() to see if there was data +to corrupt. Since this was the endio function, there was no data left to +complete, so bio_has_data() was always false. Fix this by saving a copy +of the bio's bi_iter in flakey_map(), and using this to initialize the +iter for corrupting the read bios. This patch also skips cloning the bio +for write bios with no data. + +Reported-by: Kent Overstreet +Fixes: a3998799fb4df ("dm flakey: add corrupt_bio_byte feature") +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-flakey.c | 54 ++++++++++++++++++++++-------------------- + 1 file changed, 28 insertions(+), 26 deletions(-) + +diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c +index 806a80dd3bd9b..347881f323d5b 100644 +--- a/drivers/md/dm-flakey.c ++++ b/drivers/md/dm-flakey.c +@@ -47,7 +47,8 @@ enum feature_flag_bits { + }; + + struct per_bio_data { +- bool bio_submitted; ++ bool bio_can_corrupt; ++ struct bvec_iter saved_iter; + }; + + static int parse_features(struct dm_arg_set *as, struct flakey_c *fc, +@@ -339,7 +340,8 @@ static void flakey_map_bio(struct dm_target *ti, struct bio *bio) + } + + static void corrupt_bio_common(struct bio *bio, unsigned int corrupt_bio_byte, +- unsigned char corrupt_bio_value) ++ unsigned char corrupt_bio_value, ++ struct bvec_iter start) + { + struct bvec_iter iter; + struct bio_vec bvec; +@@ -348,7 +350,7 @@ static void corrupt_bio_common(struct bio *bio, unsigned int corrupt_bio_byte, + * Overwrite the Nth byte of the bio's data, on whichever page + * it falls. + */ +- bio_for_each_segment(bvec, bio, iter) { ++ __bio_for_each_segment(bvec, bio, iter, start) { + if (bio_iter_len(bio, iter) > corrupt_bio_byte) { + unsigned char *segment = bvec_kmap_local(&bvec); + segment[corrupt_bio_byte] = corrupt_bio_value; +@@ -357,36 +359,31 @@ static void corrupt_bio_common(struct bio *bio, unsigned int corrupt_bio_byte, + "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n", + bio, corrupt_bio_value, corrupt_bio_byte, + (bio_data_dir(bio) == WRITE) ? 'w' : 'r', bio->bi_opf, +- (unsigned long long)bio->bi_iter.bi_sector, +- bio->bi_iter.bi_size); ++ (unsigned long long)start.bi_sector, ++ start.bi_size); + break; + } + corrupt_bio_byte -= bio_iter_len(bio, iter); + } + } + +-static void corrupt_bio_data(struct bio *bio, struct flakey_c *fc) ++static void corrupt_bio_data(struct bio *bio, struct flakey_c *fc, ++ struct bvec_iter start) + { + unsigned int corrupt_bio_byte = fc->corrupt_bio_byte - 1; + +- if (!bio_has_data(bio)) +- return; +- +- corrupt_bio_common(bio, corrupt_bio_byte, fc->corrupt_bio_value); ++ corrupt_bio_common(bio, corrupt_bio_byte, fc->corrupt_bio_value, start); + } + +-static void corrupt_bio_random(struct bio *bio) ++static void corrupt_bio_random(struct bio *bio, struct bvec_iter start) + { + unsigned int corrupt_byte; + unsigned char corrupt_value; + +- if (!bio_has_data(bio)) +- return; +- +- corrupt_byte = get_random_u32() % bio->bi_iter.bi_size; ++ corrupt_byte = get_random_u32() % start.bi_size; + corrupt_value = get_random_u8(); + +- corrupt_bio_common(bio, corrupt_byte, corrupt_value); ++ corrupt_bio_common(bio, corrupt_byte, corrupt_value, start); + } + + static void clone_free(struct bio *clone) +@@ -481,7 +478,7 @@ static int flakey_map(struct dm_target *ti, struct bio *bio) + unsigned int elapsed; + struct per_bio_data *pb = dm_per_bio_data(bio, sizeof(struct per_bio_data)); + +- pb->bio_submitted = false; ++ pb->bio_can_corrupt = false; + + if (op_is_zone_mgmt(bio_op(bio))) + goto map_bio; +@@ -490,10 +487,11 @@ static int flakey_map(struct dm_target *ti, struct bio *bio) + elapsed = (jiffies - fc->start_time) / HZ; + if (elapsed % (fc->up_interval + fc->down_interval) >= fc->up_interval) { + bool corrupt_fixed, corrupt_random; +- /* +- * Flag this bio as submitted while down. +- */ +- pb->bio_submitted = true; ++ ++ if (bio_has_data(bio)) { ++ pb->bio_can_corrupt = true; ++ pb->saved_iter = bio->bi_iter; ++ } + + /* + * Error reads if neither corrupt_bio_byte or drop_writes or error_writes are set. +@@ -516,6 +514,8 @@ static int flakey_map(struct dm_target *ti, struct bio *bio) + return DM_MAPIO_SUBMITTED; + } + ++ if (!pb->bio_can_corrupt) ++ goto map_bio; + /* + * Corrupt matching writes. + */ +@@ -535,9 +535,11 @@ static int flakey_map(struct dm_target *ti, struct bio *bio) + struct bio *clone = clone_bio(ti, fc, bio); + if (clone) { + if (corrupt_fixed) +- corrupt_bio_data(clone, fc); ++ corrupt_bio_data(clone, fc, ++ clone->bi_iter); + if (corrupt_random) +- corrupt_bio_random(clone); ++ corrupt_bio_random(clone, ++ clone->bi_iter); + submit_bio(clone); + return DM_MAPIO_SUBMITTED; + } +@@ -559,21 +561,21 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio, + if (op_is_zone_mgmt(bio_op(bio))) + return DM_ENDIO_DONE; + +- if (!*error && pb->bio_submitted && (bio_data_dir(bio) == READ)) { ++ if (!*error && pb->bio_can_corrupt && (bio_data_dir(bio) == READ)) { + if (fc->corrupt_bio_byte) { + if ((fc->corrupt_bio_rw == READ) && + all_corrupt_bio_flags_match(bio, fc)) { + /* + * Corrupt successful matching READs while in down state. + */ +- corrupt_bio_data(bio, fc); ++ corrupt_bio_data(bio, fc, pb->saved_iter); + } + } + if (fc->random_read_corrupt) { + u64 rnd = get_random_u64(); + u32 rem = do_div(rnd, PROBABILITY_BASE); + if (rem < fc->random_read_corrupt) +- corrupt_bio_random(bio); ++ corrupt_bio_random(bio, pb->saved_iter); + } + if (test_bit(ERROR_READS, &fc->flags)) { + /* +-- +2.39.5 + diff --git a/queue-6.12/dm-free-table-mempools-if-not-used-in-__bind.patch b/queue-6.12/dm-free-table-mempools-if-not-used-in-__bind.patch new file mode 100644 index 0000000000..7033e29053 --- /dev/null +++ b/queue-6.12/dm-free-table-mempools-if-not-used-in-__bind.patch @@ -0,0 +1,54 @@ +From 69389c4079a6b392f86459e7a17672dfc15475a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 15:49:39 -0400 +Subject: dm: free table mempools if not used in __bind + +From: Benjamin Marzinski + +[ Upstream commit e8819e7f03470c5b468720630d9e4e1d5b99159e ] + +With request-based dm, the mempools don't need reloading when switching +tables, but the unused table mempools are not freed until the active +table is finally freed. Free them immediately if they are not needed. + +Fixes: 29dec90a0f1d9 ("dm: fix bio_set allocation") +Reviewed-by: Damien Le Moal +Tested-by: Damien Le Moal +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 12d5f414a6788..92e5a233f5160 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2450,10 +2450,10 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t, + * requests in the queue may refer to bio from the old bioset, + * so you must walk through the queue to unprep. + */ +- if (!md->mempools) { ++ if (!md->mempools) + md->mempools = t->mempools; +- t->mempools = NULL; +- } ++ else ++ dm_free_md_mempools(t->mempools); + } else { + /* + * The md may already have mempools that need changing. +@@ -2462,8 +2462,8 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t, + */ + dm_free_md_mempools(md->mempools); + md->mempools = t->mempools; +- t->mempools = NULL; + } ++ t->mempools = NULL; + + old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock)); + rcu_assign_pointer(md->map, (void *)t); +-- +2.39.5 + diff --git a/queue-6.12/dmaengine-ti-add-null-check-in-udma_probe.patch b/queue-6.12/dmaengine-ti-add-null-check-in-udma_probe.patch new file mode 100644 index 0000000000..c2c8113574 --- /dev/null +++ b/queue-6.12/dmaengine-ti-add-null-check-in-udma_probe.patch @@ -0,0 +1,43 @@ +From 884b87facab84c40bdaca3f8bfd66de0ff79f53e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 10:39:00 +0800 +Subject: dmaengine: ti: Add NULL check in udma_probe() + +From: Henry Martin + +[ Upstream commit fd447415e74bccd7362f760d4ea727f8e1ebfe91 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +udma_probe() does not check for this case, which results in a NULL +pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA") +Signed-off-by: Henry Martin +Reviewed-by: Nathan Lynch +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20250402023900.43440-1-bsdhenrymartin@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/k3-udma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c +index 7d89385c3c450..38b54719587cf 100644 +--- a/drivers/dma/ti/k3-udma.c ++++ b/drivers/dma/ti/k3-udma.c +@@ -5572,7 +5572,8 @@ static int udma_probe(struct platform_device *pdev) + uc->config.dir = DMA_MEM_TO_MEM; + uc->name = devm_kasprintf(dev, GFP_KERNEL, "%s chan%d", + dev_name(dev), i); +- ++ if (!uc->name) ++ return -ENOMEM; + vchan_init(&uc->vc, &ud->ddev); + /* Use custom vchan completion handling */ + tasklet_setup(&uc->vc.task, udma_vchan_complete); +-- +2.39.5 + diff --git a/queue-6.12/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch b/queue-6.12/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch new file mode 100644 index 0000000000..0c1244298c --- /dev/null +++ b/queue-6.12/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch @@ -0,0 +1,40 @@ +From 4bb5d784afa36eb52b3d80d9437b1648c3f6e4a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 12:27:08 -0400 +Subject: do_change_type(): refuse to operate on unmounted/not ours mounts + +From: Al Viro + +[ Upstream commit 12f147ddd6de7382dad54812e65f3f08d05809fc ] + +Ensure that propagation settings can only be changed for mounts located +in the caller's mount namespace. This change aligns permission checking +with the rest of mount(2). + +Reviewed-by: Christian Brauner +Fixes: 07b20889e305 ("beginning of the shared-subtree proper") +Reported-by: "Orlando, Noah" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 1022a5af691d6..843bc6191f30b 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2714,6 +2714,10 @@ static int do_change_type(struct path *path, int ms_flags) + return -EINVAL; + + namespace_lock(); ++ if (!check_mnt(mnt)) { ++ err = -EINVAL; ++ goto out_unlock; ++ } + if (type == MS_SHARED) { + err = invent_group_ids(mnt, recurse); + if (err) +-- +2.39.5 + diff --git a/queue-6.12/driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch b/queue-6.12/driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch new file mode 100644 index 0000000000..384701add1 --- /dev/null +++ b/queue-6.12/driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch @@ -0,0 +1,53 @@ +From 54562ed608ea78bee4a4c66626457c1d8a54a1fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 15:53:51 +0800 +Subject: driver: net: ethernet: mtk_star_emac: fix suspend/resume issue + +From: Yanqing Wang + +[ Upstream commit ba99c627aac85bc746fb4a6e2d79edb3ad100326 ] + +Identify the cause of the suspend/resume hang: netif_carrier_off() +is called during link state changes and becomes stuck while +executing linkwatch_work(). + +To resolve this issue, call netif_device_detach() during the Ethernet +suspend process to temporarily detach the network device from the +kernel and prevent the suspend/resume hang. + +Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver") +Signed-off-by: Yanqing Wang +Signed-off-by: Macpaul Lin +Signed-off-by: Biao Huang +Link: https://patch.msgid.link/20250528075351.593068-1-macpaul.lin@mediatek.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c +index c2ab87828d858..5eb7a97e7eb17 100644 +--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c ++++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c +@@ -1468,6 +1468,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev) + if (netif_running(ndev)) + mtk_star_disable(ndev); + ++ netif_device_detach(ndev); ++ + clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); + + return 0; +@@ -1492,6 +1494,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev) + clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); + } + ++ netif_device_attach(ndev); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.12/drivers-hv-always-select-config_sysfb-for-hyper-v-gu.patch b/queue-6.12/drivers-hv-always-select-config_sysfb-for-hyper-v-gu.patch new file mode 100644 index 0000000000..08e2dec374 --- /dev/null +++ b/queue-6.12/drivers-hv-always-select-config_sysfb-for-hyper-v-gu.patch @@ -0,0 +1,74 @@ +From cb5dfdad9b774e57874864ac995a0a0ccbbd0a49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 21:01:43 -0700 +Subject: Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests + +From: Michael Kelley + +[ Upstream commit 96959283a58d91ae20d025546f00e16f0a555208 ] + +The Hyper-V host provides guest VMs with a range of MMIO addresses +that guest VMBus drivers can use. The VMBus driver in Linux manages +that MMIO space, and allocates portions to drivers upon request. As +part of managing that MMIO space in a Generation 2 VM, the VMBus +driver must reserve the portion of the MMIO space that Hyper-V has +designated for the synthetic frame buffer, and not allocate this +space to VMBus drivers other than graphics framebuffer drivers. The +synthetic frame buffer MMIO area is described by the screen_info data +structure that is passed to the Linux kernel at boot time, so the +VMBus driver must access screen_info for Generation 2 VMs. (In +Generation 1 VMs, the framebuffer MMIO space is communicated to +the guest via a PCI pseudo-device, and access to screen_info is +not needed.) + +In commit a07b50d80ab6 ("hyperv: avoid dependency on screen_info") +the VMBus driver's access to screen_info is restricted to when +CONFIG_SYSFB is enabled. CONFIG_SYSFB is typically enabled in kernels +built for Hyper-V by virtue of having at least one of CONFIG_FB_EFI, +CONFIG_FB_VESA, or CONFIG_SYSFB_SIMPLEFB enabled, so the restriction +doesn't usually affect anything. But it's valid to have none of these +enabled, in which case CONFIG_SYSFB is not enabled, and the VMBus driver +is unable to properly reserve the framebuffer MMIO space for graphics +framebuffer drivers. The framebuffer MMIO space may be assigned to +some other VMBus driver, with undefined results. As an example, if +a VM is using a PCI pass-thru NVMe controller to host the OS disk, +the PCI NVMe controller is probed before any graphics devices, and the +NVMe controller is assigned a portion of the framebuffer MMIO space. +Hyper-V reports an error to Linux during the probe, and the OS disk +fails to get setup. Then Linux fails to boot in the VM. + +Fix this by having CONFIG_HYPERV always select SYSFB. Then the +VMBus driver in a Gen 2 VM can always reserve the MMIO space for the +graphics framebuffer driver, and prevent the undefined behavior. But +don't select SYSFB when building for HYPERV_VTL_MODE as VTLs other +than VTL 0 don't have a framebuffer and aren't subject to the issue. +Adding SYSFB in such cases is harmless, but would increase the image +size for no purpose. + +Fixes: a07b50d80ab6 ("hyperv: avoid dependency on screen_info") +Signed-off-by: Michael Kelley +Reviewed-by: Saurabh Sengar +Link: https://lore.kernel.org/stable/20250520040143.6964-1-mhklinux%40outlook.com +Link: https://lore.kernel.org/r/20250520040143.6964-1-mhklinux@outlook.com +Signed-off-by: Wei Liu +Message-ID: <20250520040143.6964-1-mhklinux@outlook.com> +Signed-off-by: Sasha Levin +--- + drivers/hv/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig +index 862c47b191afe..f492693b26734 100644 +--- a/drivers/hv/Kconfig ++++ b/drivers/hv/Kconfig +@@ -9,6 +9,7 @@ config HYPERV + select PARAVIRT + select X86_HV_CALLBACK_VECTOR if X86 + select OF_EARLY_FLATTREE if OF ++ select SYSFB if !HYPERV_VTL_MODE + help + Select this option to run Linux as a Hyper-V client operating + system. +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-pp-fix-potential-null-pointer-dereference-in.patch b/queue-6.12/drm-amd-pp-fix-potential-null-pointer-dereference-in.patch new file mode 100644 index 0000000000..641e19686b --- /dev/null +++ b/queue-6.12/drm-amd-pp-fix-potential-null-pointer-dereference-in.patch @@ -0,0 +1,54 @@ +From b737b760666db7d9ee76e049843da4cbe0c6c5fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 12:04:35 +0800 +Subject: drm/amd/pp: Fix potential NULL pointer dereference in + atomctrl_initialize_mc_reg_table + +From: Charles Han + +[ Upstream commit 820116a39f96bdc7d426c33a804b52f53700a919 ] + +The function atomctrl_initialize_mc_reg_table() and +atomctrl_initialize_mc_reg_table_v2_2() does not check the return +value of smu_atom_get_data_table(). If smu_atom_get_data_table() +fails to retrieve vram_info, it returns NULL which is later +dereferenced. + +Fixes: b3892e2bb519 ("drm/amd/pp: Use atombios api directly in powerplay (v2)") +Fixes: 5f92b48cf62c ("drm/amd/pm: add mc register table initialization") +Signed-off-by: Charles Han +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c +index 5c54c9fd44619..a76fc15a55f5b 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c +@@ -144,6 +144,10 @@ int atomctrl_initialize_mc_reg_table( + vram_info = (ATOM_VRAM_INFO_HEADER_V2_1 *) + smu_atom_get_data_table(hwmgr->adev, + GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev); ++ if (!vram_info) { ++ pr_err("Could not retrieve the VramInfo table!"); ++ return -EINVAL; ++ } + + if (module_index >= vram_info->ucNumOfVRAMModule) { + pr_err("Invalid VramInfo table."); +@@ -181,6 +185,10 @@ int atomctrl_initialize_mc_reg_table_v2_2( + vram_info = (ATOM_VRAM_INFO_HEADER_V2_2 *) + smu_atom_get_data_table(hwmgr->adev, + GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev); ++ if (!vram_info) { ++ pr_err("Could not retrieve the VramInfo table!"); ++ return -EINVAL; ++ } + + if (module_index >= vram_info->ucNumOfVRAMModule) { + pr_err("Invalid VramInfo table."); +-- +2.39.5 + diff --git a/queue-6.12/drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch b/queue-6.12/drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch new file mode 100644 index 0000000000..9ec778a9c5 --- /dev/null +++ b/queue-6.12/drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch @@ -0,0 +1,45 @@ +From 19247592c4e3f1aecb02a80fb4256c6232df05f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 08:48:16 +0200 +Subject: drm/bridge: lt9611uxc: Fix an error handling path in + lt9611uxc_probe() + +From: Christophe JAILLET + +[ Upstream commit b848cd418aebdb313364b4843f41fae82281a823 ] + +If lt9611uxc_audio_init() fails, some resources still need to be released +before returning the error code. + +Use the existing error handling path. + +Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge") +Signed-off-by: Christophe JAILLET +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/f167608e392c6b4d7d7f6e45e3c21878feb60cbd.1744958833.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +index 4d1d40e1f1b4d..748bed8acd2d9 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c ++++ b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +@@ -879,7 +879,11 @@ static int lt9611uxc_probe(struct i2c_client *client) + } + } + +- return lt9611uxc_audio_init(dev, lt9611uxc); ++ ret = lt9611uxc_audio_init(dev, lt9611uxc); ++ if (ret) ++ goto err_remove_bridge; ++ ++ return 0; + + err_remove_bridge: + free_irq(client->irq, lt9611uxc); +-- +2.39.5 + diff --git a/queue-6.12/drm-i915-guc-check-if-expecting-reply-before-decreme.patch b/queue-6.12/drm-i915-guc-check-if-expecting-reply-before-decreme.patch new file mode 100644 index 0000000000..bc0fcaa28f --- /dev/null +++ b/queue-6.12/drm-i915-guc-check-if-expecting-reply-before-decreme.patch @@ -0,0 +1,53 @@ +From 10788d42c08ef22569ea45808c95358fddc9012d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 15:52:24 -0700 +Subject: drm/i915/guc: Check if expecting reply before decrementing + outstanding_submission_g2h + +From: Jesus Narvaez + +[ Upstream commit c557fd1050f6691dde36818dfc1a4c415c42901b ] + +When sending a H2G message where a reply is expected in +guc_submission_send_busy_loop(), outstanding_submission_g2h is +incremented before the send. However, if there is an error sending the +message, outstanding_submission_g2h is decremented without checking if a +reply is expected. + +Therefore, check if reply is expected when there is a failure before +decrementing outstanding_submission_g2h. + +Fixes: 2f2cc53b5fe7 ("drm/i915/guc: Close deregister-context race against CT-loss") +Signed-off-by: Jesus Narvaez +Cc: Daniele Ceraolo Spurio +Cc: Alan Previn +Cc: Anshuman Gupta +Cc: Mousumi Jana +Cc: Rodrigo Vivi +Cc: Matt Roper +Reviewed-by: Daniele Ceraolo Spurio +Signed-off-by: John Harrison +Link: https://lore.kernel.org/r/20250514225224.4142684-1-jesus.narvaez@intel.com +(cherry picked from commit a6a26786f22a4ab0227bcf610510c4c9c2df0808) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +index 8aaadbb702df6..00e2cf92d99c7 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +@@ -633,7 +633,7 @@ static int guc_submission_send_busy_loop(struct intel_guc *guc, + atomic_inc(&guc->outstanding_submission_g2h); + + ret = intel_guc_send_busy_loop(guc, action, len, g2h_len_dw, loop); +- if (ret) ++ if (ret && g2h_len_dw) + atomic_dec(&guc->outstanding_submission_g2h); + + return ret; +-- +2.39.5 + diff --git a/queue-6.12/drm-i915-guc-handle-race-condition-where-wakeref-cou.patch b/queue-6.12/drm-i915-guc-handle-race-condition-where-wakeref-cou.patch new file mode 100644 index 0000000000..de8dd2bf7e --- /dev/null +++ b/queue-6.12/drm-i915-guc-handle-race-condition-where-wakeref-cou.patch @@ -0,0 +1,82 @@ +From 5780acb57f5e132957afd18d401b986d74d59532 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 16:05:51 -0700 +Subject: drm/i915/guc: Handle race condition where wakeref count drops below 0 + +From: Jesus Narvaez + +[ Upstream commit 0323a5127e7c534cfc88efe0f850a0cb777e938b ] + +There is a rare race condition when preparing for a reset where +guc_lrc_desc_unpin() could be in the process of deregistering a context +while a different thread is scrubbing outstanding contexts and it alters +the context state and does a wakeref put. Then, if there is a failure +with deregister_context(), a second wakeref put could occur. As a result +the wakeref count could drop below 0 and fail an INTEL_WAKEREF_BUG_ON() +check. + +Therefore if there is a failure with deregister_context(), undo the +context state changes and do a wakeref put only if the context was set +to be destroyed earlier. + +v2: Expand comment to better explain change. (Daniele) +v3: Removed addition to the original comment. (Daniele) + +Fixes: 2f2cc53b5fe7 ("drm/i915/guc: Close deregister-context race against CT-loss") +Signed-off-by: Jesus Narvaez +Cc: Daniele Ceraolo Spurio +Cc: Alan Previn +Cc: Anshuman Gupta +Cc: Mousumi Jana +Cc: Rodrigo Vivi +Cc: Matt Roper +Reviewed-by: Daniele Ceraolo Spurio +Signed-off-by: John Harrison +Link: https://lore.kernel.org/r/20250528230551.1855177-1-jesus.narvaez@intel.com +(cherry picked from commit f36a75aba1c3176d177964bca76f86a075d2943a) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + .../gpu/drm/i915/gt/uc/intel_guc_submission.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +index 00e2cf92d99c7..b48373b166779 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +@@ -3422,18 +3422,29 @@ static inline int guc_lrc_desc_unpin(struct intel_context *ce) + * GuC is active, lets destroy this context, but at this point we can still be racing + * with suspend, so we undo everything if the H2G fails in deregister_context so + * that GuC reset will find this context during clean up. ++ * ++ * There is a race condition where the reset code could have altered ++ * this context's state and done a wakeref put before we try to ++ * deregister it here. So check if the context is still set to be ++ * destroyed before undoing earlier changes, to avoid two wakeref puts ++ * on the same context. + */ + ret = deregister_context(ce, ce->guc_id.id); + if (ret) { ++ bool pending_destroyed; + spin_lock_irqsave(&ce->guc_state.lock, flags); +- set_context_registered(ce); +- clr_context_destroyed(ce); ++ pending_destroyed = context_destroyed(ce); ++ if (pending_destroyed) { ++ set_context_registered(ce); ++ clr_context_destroyed(ce); ++ } + spin_unlock_irqrestore(&ce->guc_state.lock, flags); + /* + * As gt-pm is awake at function entry, intel_wakeref_put_async merely decrements + * the wakeref immediately but per function spec usage call this after unlock. + */ +- intel_wakeref_put_async(>->wakeref); ++ if (pending_destroyed) ++ intel_wakeref_put_async(>->wakeref); + } + + return ret; +-- +2.39.5 + diff --git a/queue-6.12/drm-i915-psr-fix-using-wrong-mask-in-reg_field_prep.patch b/queue-6.12/drm-i915-psr-fix-using-wrong-mask-in-reg_field_prep.patch new file mode 100644 index 0000000000..3dfa51d475 --- /dev/null +++ b/queue-6.12/drm-i915-psr-fix-using-wrong-mask-in-reg_field_prep.patch @@ -0,0 +1,44 @@ +From df583d420229ce115d968acb750de243a3d88e53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 15:05:11 +0300 +Subject: drm/i915/psr: Fix using wrong mask in REG_FIELD_PREP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +[ Upstream commit 57d63c6cd0851d3af612a556ec61b0f2a9bd522f ] + +Wrong mask is used in PORT_ALPM_LFPS_CTL_FIRST_LFPS_HALF_CYCLE_DURATION and +PORT_ALPM_LFPS_CTL_LAST_LFPS_HALF_CYCLE_DURATION. + +Fixes: 295099580f04 ("drm/i915/psr: Add missing ALPM AUX-Less register definitions") +Signed-off-by: Jouni Högander +Reviewed-by: Ankit Nautiyal +Link: https://lore.kernel.org/r/20250526120512.1702815-12-jouni.hogander@intel.com +(cherry picked from commit 8097128a40ff378761034ec72cdbf6f46e466dc0) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_psr_regs.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr_regs.h b/drivers/gpu/drm/i915/display/intel_psr_regs.h +index 642bb15fb5475..25c0424e34db2 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr_regs.h ++++ b/drivers/gpu/drm/i915/display/intel_psr_regs.h +@@ -314,8 +314,8 @@ + #define PORT_ALPM_LFPS_CTL_LFPS_HALF_CYCLE_DURATION_MASK REG_GENMASK(20, 16) + #define PORT_ALPM_LFPS_CTL_LFPS_HALF_CYCLE_DURATION(val) REG_FIELD_PREP(PORT_ALPM_LFPS_CTL_LFPS_HALF_CYCLE_DURATION_MASK, val) + #define PORT_ALPM_LFPS_CTL_FIRST_LFPS_HALF_CYCLE_DURATION_MASK REG_GENMASK(12, 8) +-#define PORT_ALPM_LFPS_CTL_FIRST_LFPS_HALF_CYCLE_DURATION(val) REG_FIELD_PREP(PORT_ALPM_LFPS_CTL_LFPS_HALF_CYCLE_DURATION_MASK, val) ++#define PORT_ALPM_LFPS_CTL_FIRST_LFPS_HALF_CYCLE_DURATION(val) REG_FIELD_PREP(PORT_ALPM_LFPS_CTL_FIRST_LFPS_HALF_CYCLE_DURATION_MASK, val) + #define PORT_ALPM_LFPS_CTL_LAST_LFPS_HALF_CYCLE_DURATION_MASK REG_GENMASK(4, 0) +-#define PORT_ALPM_LFPS_CTL_LAST_LFPS_HALF_CYCLE_DURATION(val) REG_FIELD_PREP(PORT_ALPM_LFPS_CTL_LFPS_HALF_CYCLE_DURATION_MASK, val) ++#define PORT_ALPM_LFPS_CTL_LAST_LFPS_HALF_CYCLE_DURATION(val) REG_FIELD_PREP(PORT_ALPM_LFPS_CTL_LAST_LFPS_HALF_CYCLE_DURATION_MASK, val) + + #endif /* __INTEL_PSR_REGS_H__ */ +-- +2.39.5 + diff --git a/queue-6.12/drm-mediatek-fix-kobject-put-for-component-sub-drive.patch b/queue-6.12/drm-mediatek-fix-kobject-put-for-component-sub-drive.patch new file mode 100644 index 0000000000..4ee82f3bc2 --- /dev/null +++ b/queue-6.12/drm-mediatek-fix-kobject-put-for-component-sub-drive.patch @@ -0,0 +1,67 @@ +From c53d301c6c2d2189be4a79a3f1107e7c023a22ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 12:47:38 +0200 +Subject: drm/mediatek: Fix kobject put for component sub-drivers + +From: AngeloGioacchino Del Regno + +[ Upstream commit 80805b62ea5b95eda54c225b989f929ca0691ab0 ] + +In function mtk_drm_get_all_drm_priv(), this driver is incrementing +the refcount for the sub-drivers of mediatek-drm with a call to +device_find_child() when taking a reference to all of those child +devices. + +When the component bind fails multiple times this results in a +refcount_t overflow, as the reference count is never decremented: +fix that by adding a call to put_device() for all of the mmsys +devices in a loop, in error cases of mtk_drm_bind() and in the +mtk_drm_unbind() callback. + +Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support") +Reviewed-by: Chen-Yu Tsai +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/dri-devel/patch/20250403104741.71045-3-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index 86541b0d5c496..3cdda6694f7f5 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -675,6 +675,10 @@ static int mtk_drm_bind(struct device *dev) + for (i = 0; i < private->data->mmsys_dev_num; i++) + private->all_drm_private[i]->drm = NULL; + err_put_dev: ++ for (i = 0; i < private->data->mmsys_dev_num; i++) { ++ /* For device_find_child in mtk_drm_get_all_priv() */ ++ put_device(private->all_drm_private[i]->dev); ++ } + put_device(private->mutex_dev); + return ret; + } +@@ -682,6 +686,7 @@ static int mtk_drm_bind(struct device *dev) + static void mtk_drm_unbind(struct device *dev) + { + struct mtk_drm_private *private = dev_get_drvdata(dev); ++ int i; + + /* for multi mmsys dev, unregister drm dev in mmsys master */ + if (private->drm_master) { +@@ -689,6 +694,10 @@ static void mtk_drm_unbind(struct device *dev) + mtk_drm_kms_deinit(private->drm); + drm_dev_put(private->drm); + ++ for (i = 0; i < private->data->mmsys_dev_num; i++) { ++ /* For device_find_child in mtk_drm_get_all_priv() */ ++ put_device(private->all_drm_private[i]->dev); ++ } + put_device(private->mutex_dev); + } + private->mtk_drm_bound = false; +-- +2.39.5 + diff --git a/queue-6.12/drm-mediatek-mtk_drm_drv-fix-kobject-put-for-mtk_mut.patch b/queue-6.12/drm-mediatek-mtk_drm_drv-fix-kobject-put-for-mtk_mut.patch new file mode 100644 index 0000000000..189e7c7ab9 --- /dev/null +++ b/queue-6.12/drm-mediatek-mtk_drm_drv-fix-kobject-put-for-mtk_mut.patch @@ -0,0 +1,107 @@ +From 917dae2ab43dc25f0bb018579844ecfbed34739b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 12:47:37 +0200 +Subject: drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr + +From: AngeloGioacchino Del Regno + +[ Upstream commit 22918591fb747a6d16801e74a170cf98e886f83b ] + +This driver is taking a kobject for mtk_mutex only once per mmsys +device for each drm-mediatek driver instance, differently from the +behavior with other components, but it is decrementing the kobj's +refcount in a loop and once per mmsys: this is not right and will +result in a refcount_t underflow warning when mediatek-drm returns +multiple probe deferrals in one boot (or when manually bound and +unbound). + +Besides that, the refcount for mutex_dev was not decremented for +error cases in mtk_drm_bind(), causing another refcount_t warning +but this time for overflow, when the failure happens not during +driver bind but during component bind. + +In order to fix one of the reasons why this is happening, remove +the put_device(xx->mutex_dev) loop from the mtk_drm_kms_init()'s +put_mutex_dev label (and drop the label) and add a single call to +correctly free the single incremented refcount of mutex_dev to +the mtk_drm_unbind() function to fix the refcount_t underflow. + +Moreover, add the same call to the error cases in mtk_drm_bind() +to fix the refcount_t overflow. + +Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support") +Reviewed-by: Chen-Yu Tsai +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/dri-devel/patch/20250403104741.71045-2-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index 4e93fd075e03c..86541b0d5c496 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -463,7 +463,7 @@ static int mtk_drm_kms_init(struct drm_device *drm) + + ret = drmm_mode_config_init(drm); + if (ret) +- goto put_mutex_dev; ++ return ret; + + drm->mode_config.min_width = 64; + drm->mode_config.min_height = 64; +@@ -482,7 +482,7 @@ static int mtk_drm_kms_init(struct drm_device *drm) + drm->dev_private = private->all_drm_private[i]; + ret = component_bind_all(private->all_drm_private[i]->dev, drm); + if (ret) +- goto put_mutex_dev; ++ return ret; + } + + /* +@@ -575,9 +575,6 @@ static int mtk_drm_kms_init(struct drm_device *drm) + err_component_unbind: + for (i = 0; i < private->data->mmsys_dev_num; i++) + component_unbind_all(private->all_drm_private[i]->dev, drm); +-put_mutex_dev: +- for (i = 0; i < private->data->mmsys_dev_num; i++) +- put_device(private->all_drm_private[i]->mutex_dev); + + return ret; + } +@@ -648,8 +645,10 @@ static int mtk_drm_bind(struct device *dev) + return 0; + + drm = drm_dev_alloc(&mtk_drm_driver, dev); +- if (IS_ERR(drm)) +- return PTR_ERR(drm); ++ if (IS_ERR(drm)) { ++ ret = PTR_ERR(drm); ++ goto err_put_dev; ++ } + + private->drm_master = true; + drm->dev_private = private; +@@ -675,6 +674,8 @@ static int mtk_drm_bind(struct device *dev) + drm_dev_put(drm); + for (i = 0; i < private->data->mmsys_dev_num; i++) + private->all_drm_private[i]->drm = NULL; ++err_put_dev: ++ put_device(private->mutex_dev); + return ret; + } + +@@ -687,6 +688,8 @@ static void mtk_drm_unbind(struct device *dev) + drm_dev_unregister(private->drm); + mtk_drm_kms_deinit(private->drm); + drm_dev_put(private->drm); ++ ++ put_device(private->mutex_dev); + } + private->mtk_drm_bound = false; + private->drm_master = false; +-- +2.39.5 + diff --git a/queue-6.12/drm-mediatek-mtk_drm_drv-unbind-secondary-mmsys-comp.patch b/queue-6.12/drm-mediatek-mtk_drm_drv-unbind-secondary-mmsys-comp.patch new file mode 100644 index 0000000000..3041b0832b --- /dev/null +++ b/queue-6.12/drm-mediatek-mtk_drm_drv-unbind-secondary-mmsys-comp.patch @@ -0,0 +1,58 @@ +From 2e56860bcdc833bd74c95cc88bfc6559eec74bba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 12:47:39 +0200 +Subject: drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err + +From: AngeloGioacchino Del Regno + +[ Upstream commit 94c933716567084bfb9e79dcd81eb2b2308e84e1 ] + +When calling component_bind_all(), if a component that is included +in the list fails, all of those that have been successfully bound +will be unbound, but this driver has two components lists for two +actual devices, as in, each mmsys instance has its own components +list. + +In case mmsys0 (or actually vdosys0) is able to bind all of its +components, but the secondary one fails, all of the components of +the first are kept bound, while the ones of mmsys1/vdosys1 are +correctly cleaned up. + +This is not right because, in case of a failure, the components +are re-bound for all of the mmsys/vdosys instances without caring +about the ones that were previously left in a bound state. + +Fix that by calling component_unbind_all() on all of the previous +component masters that succeeded binding all subdevices when any +of the other masters errors out. + +Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support") +Reviewed-by: Chen-Yu Tsai +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/dri-devel/patch/20250403104741.71045-4-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index 3cdda6694f7f5..42e62b0409612 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -481,8 +481,11 @@ static int mtk_drm_kms_init(struct drm_device *drm) + for (i = 0; i < private->data->mmsys_dev_num; i++) { + drm->dev_private = private->all_drm_private[i]; + ret = component_bind_all(private->all_drm_private[i]->dev, drm); +- if (ret) ++ if (ret) { ++ while (--i >= 0) ++ component_unbind_all(private->all_drm_private[i]->dev, drm); + return ret; ++ } + } + + /* +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-a6xx-disable-rgb565_predicator-on-adreno-7c3.patch b/queue-6.12/drm-msm-a6xx-disable-rgb565_predicator-on-adreno-7c3.patch new file mode 100644 index 0000000000..9e29890610 --- /dev/null +++ b/queue-6.12/drm-msm-a6xx-disable-rgb565_predicator-on-adreno-7c3.patch @@ -0,0 +1,39 @@ +From e656c85e50cefc15374d67b5cd56a9882f779ec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 13:13:40 +0200 +Subject: drm/msm/a6xx: Disable rgb565_predicator on Adreno 7c3 + +From: Konrad Dybcio + +[ Upstream commit 5a9c1bea011fb42088ba08ceaa252fb20e695626 ] + +This feature is supposed to be enabled with UBWC v4 or later. +Implementations of this SKU feature an effective UBWC version of 3, so +disable it, in line with the BSP kernel. + +Reported-by: Dmitry Baryshkov +Reviewed-by: Akhil P Oommen +Fixes: 192f4ee3e408 ("drm/msm/a6xx: Add support for Adreno 7c Gen 3 gpu") +Signed-off-by: Konrad Dybcio +Patchwork: https://patchwork.freedesktop.org/patch/651759/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +index d903ad9c0b5fb..d2189441aa38a 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +@@ -554,7 +554,6 @@ static void a6xx_calc_ubwc_config(struct adreno_gpu *gpu) + if (adreno_is_7c3(gpu)) { + gpu->ubwc_config.highest_bank_bit = 14; + gpu->ubwc_config.amsbc = 1; +- gpu->ubwc_config.rgb565_predicator = 1; + gpu->ubwc_config.uavflagprd_inv = 2; + gpu->ubwc_config.macrotile_mode = 1; + } +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-dpu-enable-smartdma-on-sc8180x.patch b/queue-6.12/drm-msm-dpu-enable-smartdma-on-sc8180x.patch new file mode 100644 index 0000000000..183c977afd --- /dev/null +++ b/queue-6.12/drm-msm-dpu-enable-smartdma-on-sc8180x.patch @@ -0,0 +1,101 @@ +From 0525666e9f94165adddbafa935d71d8351552fd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 22:49:09 +0300 +Subject: drm/msm/dpu: enable SmartDMA on SC8180X + +From: Dmitry Baryshkov + +[ Upstream commit 8dcccd7a156ffb3157de7f527cc7c6100e9a455a ] + +Reworking of the catalog dropped the SmartDMA feature bit on the SC8180X +platform. Renable SmartDMA support on this SoC. + +Fixes: 460c410f02e4 ("drm/msm/dpu: duplicate sdm845 catalog entries") +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/650421/ +Link: https://lore.kernel.org/r/20250425-dpu-rework-vig-masks-v2-2-c71900687d08@oss.qualcomm.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + .../drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h +index e8eacdb47967a..485c3041c8018 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h +@@ -75,7 +75,7 @@ static const struct dpu_sspp_cfg sc8180x_sspp[] = { + { + .name = "sspp_0", .id = SSPP_VIG0, + .base = 0x4000, .len = 0x1f0, +- .features = VIG_SDM845_MASK, ++ .features = VIG_SDM845_MASK_SDMA, + .sblk = &dpu_vig_sblk_qseed3_1_4, + .xin_id = 0, + .type = SSPP_TYPE_VIG, +@@ -83,7 +83,7 @@ static const struct dpu_sspp_cfg sc8180x_sspp[] = { + }, { + .name = "sspp_1", .id = SSPP_VIG1, + .base = 0x6000, .len = 0x1f0, +- .features = VIG_SDM845_MASK, ++ .features = VIG_SDM845_MASK_SDMA, + .sblk = &dpu_vig_sblk_qseed3_1_4, + .xin_id = 4, + .type = SSPP_TYPE_VIG, +@@ -91,7 +91,7 @@ static const struct dpu_sspp_cfg sc8180x_sspp[] = { + }, { + .name = "sspp_2", .id = SSPP_VIG2, + .base = 0x8000, .len = 0x1f0, +- .features = VIG_SDM845_MASK, ++ .features = VIG_SDM845_MASK_SDMA, + .sblk = &dpu_vig_sblk_qseed3_1_4, + .xin_id = 8, + .type = SSPP_TYPE_VIG, +@@ -99,7 +99,7 @@ static const struct dpu_sspp_cfg sc8180x_sspp[] = { + }, { + .name = "sspp_3", .id = SSPP_VIG3, + .base = 0xa000, .len = 0x1f0, +- .features = VIG_SDM845_MASK, ++ .features = VIG_SDM845_MASK_SDMA, + .sblk = &dpu_vig_sblk_qseed3_1_4, + .xin_id = 12, + .type = SSPP_TYPE_VIG, +@@ -107,7 +107,7 @@ static const struct dpu_sspp_cfg sc8180x_sspp[] = { + }, { + .name = "sspp_8", .id = SSPP_DMA0, + .base = 0x24000, .len = 0x1f0, +- .features = DMA_SDM845_MASK, ++ .features = DMA_SDM845_MASK_SDMA, + .sblk = &dpu_dma_sblk, + .xin_id = 1, + .type = SSPP_TYPE_DMA, +@@ -115,7 +115,7 @@ static const struct dpu_sspp_cfg sc8180x_sspp[] = { + }, { + .name = "sspp_9", .id = SSPP_DMA1, + .base = 0x26000, .len = 0x1f0, +- .features = DMA_SDM845_MASK, ++ .features = DMA_SDM845_MASK_SDMA, + .sblk = &dpu_dma_sblk, + .xin_id = 5, + .type = SSPP_TYPE_DMA, +@@ -123,7 +123,7 @@ static const struct dpu_sspp_cfg sc8180x_sspp[] = { + }, { + .name = "sspp_10", .id = SSPP_DMA2, + .base = 0x28000, .len = 0x1f0, +- .features = DMA_CURSOR_SDM845_MASK, ++ .features = DMA_CURSOR_SDM845_MASK_SDMA, + .sblk = &dpu_dma_sblk, + .xin_id = 9, + .type = SSPP_TYPE_DMA, +@@ -131,7 +131,7 @@ static const struct dpu_sspp_cfg sc8180x_sspp[] = { + }, { + .name = "sspp_11", .id = SSPP_DMA3, + .base = 0x2a000, .len = 0x1f0, +- .features = DMA_CURSOR_SDM845_MASK, ++ .features = DMA_CURSOR_SDM845_MASK_SDMA, + .sblk = &dpu_dma_sblk, + .xin_id = 13, + .type = SSPP_TYPE_DMA, +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-dpu-enable-smartdma-on-sm8150.patch b/queue-6.12/drm-msm-dpu-enable-smartdma-on-sm8150.patch new file mode 100644 index 0000000000..e963ece5f8 --- /dev/null +++ b/queue-6.12/drm-msm-dpu-enable-smartdma-on-sm8150.patch @@ -0,0 +1,101 @@ +From fa8787534706502d6440edfdac12b7edd9014034 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 22:49:08 +0300 +Subject: drm/msm/dpu: enable SmartDMA on SM8150 + +From: Dmitry Baryshkov + +[ Upstream commit 6a2343de0b6f70a21bf503ac4688dc905cb068e1 ] + +Reworking of the catalog dropped the SmartDMA feature bit on the SM8150 +platform. Renable SmartDMA support on this SoC. + +Fixes: 460c410f02e4 ("drm/msm/dpu: duplicate sdm845 catalog entries") +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/650418/ +Link: https://lore.kernel.org/r/20250425-dpu-rework-vig-masks-v2-1-c71900687d08@oss.qualcomm.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + .../drm/msm/disp/dpu1/catalog/dpu_5_0_sm8150.h | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_0_sm8150.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_0_sm8150.h +index 36cc9dbc00b5c..d8d5a91c00ec8 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_0_sm8150.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_5_0_sm8150.h +@@ -76,7 +76,7 @@ static const struct dpu_sspp_cfg sm8150_sspp[] = { + { + .name = "sspp_0", .id = SSPP_VIG0, + .base = 0x4000, .len = 0x1f0, +- .features = VIG_SDM845_MASK, ++ .features = VIG_SDM845_MASK_SDMA, + .sblk = &dpu_vig_sblk_qseed3_1_4, + .xin_id = 0, + .type = SSPP_TYPE_VIG, +@@ -84,7 +84,7 @@ static const struct dpu_sspp_cfg sm8150_sspp[] = { + }, { + .name = "sspp_1", .id = SSPP_VIG1, + .base = 0x6000, .len = 0x1f0, +- .features = VIG_SDM845_MASK, ++ .features = VIG_SDM845_MASK_SDMA, + .sblk = &dpu_vig_sblk_qseed3_1_4, + .xin_id = 4, + .type = SSPP_TYPE_VIG, +@@ -92,7 +92,7 @@ static const struct dpu_sspp_cfg sm8150_sspp[] = { + }, { + .name = "sspp_2", .id = SSPP_VIG2, + .base = 0x8000, .len = 0x1f0, +- .features = VIG_SDM845_MASK, ++ .features = VIG_SDM845_MASK_SDMA, + .sblk = &dpu_vig_sblk_qseed3_1_4, + .xin_id = 8, + .type = SSPP_TYPE_VIG, +@@ -100,7 +100,7 @@ static const struct dpu_sspp_cfg sm8150_sspp[] = { + }, { + .name = "sspp_3", .id = SSPP_VIG3, + .base = 0xa000, .len = 0x1f0, +- .features = VIG_SDM845_MASK, ++ .features = VIG_SDM845_MASK_SDMA, + .sblk = &dpu_vig_sblk_qseed3_1_4, + .xin_id = 12, + .type = SSPP_TYPE_VIG, +@@ -108,7 +108,7 @@ static const struct dpu_sspp_cfg sm8150_sspp[] = { + }, { + .name = "sspp_8", .id = SSPP_DMA0, + .base = 0x24000, .len = 0x1f0, +- .features = DMA_SDM845_MASK, ++ .features = DMA_SDM845_MASK_SDMA, + .sblk = &dpu_dma_sblk, + .xin_id = 1, + .type = SSPP_TYPE_DMA, +@@ -116,7 +116,7 @@ static const struct dpu_sspp_cfg sm8150_sspp[] = { + }, { + .name = "sspp_9", .id = SSPP_DMA1, + .base = 0x26000, .len = 0x1f0, +- .features = DMA_SDM845_MASK, ++ .features = DMA_SDM845_MASK_SDMA, + .sblk = &dpu_dma_sblk, + .xin_id = 5, + .type = SSPP_TYPE_DMA, +@@ -124,7 +124,7 @@ static const struct dpu_sspp_cfg sm8150_sspp[] = { + }, { + .name = "sspp_10", .id = SSPP_DMA2, + .base = 0x28000, .len = 0x1f0, +- .features = DMA_CURSOR_SDM845_MASK, ++ .features = DMA_CURSOR_SDM845_MASK_SDMA, + .sblk = &dpu_dma_sblk, + .xin_id = 9, + .type = SSPP_TYPE_DMA, +@@ -132,7 +132,7 @@ static const struct dpu_sspp_cfg sm8150_sspp[] = { + }, { + .name = "sspp_11", .id = SSPP_DMA3, + .base = 0x2a000, .len = 0x1f0, +- .features = DMA_CURSOR_SDM845_MASK, ++ .features = DMA_CURSOR_SDM845_MASK_SDMA, + .sblk = &dpu_dma_sblk, + .xin_id = 13, + .type = SSPP_TYPE_DMA, +-- +2.39.5 + diff --git a/queue-6.12/drm-panel-samsung-sofef00-drop-s6e3fc2x01-support.patch b/queue-6.12/drm-panel-samsung-sofef00-drop-s6e3fc2x01-support.patch new file mode 100644 index 0000000000..0734950f3a --- /dev/null +++ b/queue-6.12/drm-panel-samsung-sofef00-drop-s6e3fc2x01-support.patch @@ -0,0 +1,96 @@ +From b2375d12b28e77b80c71e1ea925f3a23e5e9d8f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Apr 2025 18:31:44 +0200 +Subject: drm/panel: samsung-sofef00: Drop s6e3fc2x01 support + +From: Casey Connolly + +[ Upstream commit e1eb7293ab4107e9e19fa609835e657fe30dfec7 ] + +We never properly supported this panel and always used the wrong init +sequence. Drop support so we can move it to it's own proper driver. + +Fixes: 5933baa36e26 ("drm/panel/samsung-sofef00: Add panel for OnePlus 6/T devices") +Signed-off-by: Casey Connolly +Signed-off-by: David Heidelberg +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20250419-drop-s6e3fc2x01-support-v1-1-05edfe0d27aa@ixit.cz +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-samsung-sofef00.c | 34 ++----------------- + 1 file changed, 2 insertions(+), 32 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-samsung-sofef00.c b/drivers/gpu/drm/panel/panel-samsung-sofef00.c +index 04ce925b3d9db..49cfa84b34f0c 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-sofef00.c ++++ b/drivers/gpu/drm/panel/panel-samsung-sofef00.c +@@ -22,7 +22,6 @@ struct sofef00_panel { + struct mipi_dsi_device *dsi; + struct regulator *supply; + struct gpio_desc *reset_gpio; +- const struct drm_display_mode *mode; + }; + + static inline +@@ -159,26 +158,11 @@ static const struct drm_display_mode enchilada_panel_mode = { + .height_mm = 145, + }; + +-static const struct drm_display_mode fajita_panel_mode = { +- .clock = (1080 + 72 + 16 + 36) * (2340 + 32 + 4 + 18) * 60 / 1000, +- .hdisplay = 1080, +- .hsync_start = 1080 + 72, +- .hsync_end = 1080 + 72 + 16, +- .htotal = 1080 + 72 + 16 + 36, +- .vdisplay = 2340, +- .vsync_start = 2340 + 32, +- .vsync_end = 2340 + 32 + 4, +- .vtotal = 2340 + 32 + 4 + 18, +- .width_mm = 68, +- .height_mm = 145, +-}; +- + static int sofef00_panel_get_modes(struct drm_panel *panel, struct drm_connector *connector) + { + struct drm_display_mode *mode; +- struct sofef00_panel *ctx = to_sofef00_panel(panel); + +- mode = drm_mode_duplicate(connector->dev, ctx->mode); ++ mode = drm_mode_duplicate(connector->dev, &enchilada_panel_mode); + if (!mode) + return -ENOMEM; + +@@ -239,13 +223,6 @@ static int sofef00_panel_probe(struct mipi_dsi_device *dsi) + if (!ctx) + return -ENOMEM; + +- ctx->mode = of_device_get_match_data(dev); +- +- if (!ctx->mode) { +- dev_err(dev, "Missing device mode\n"); +- return -ENODEV; +- } +- + ctx->supply = devm_regulator_get(dev, "vddio"); + if (IS_ERR(ctx->supply)) + return dev_err_probe(dev, PTR_ERR(ctx->supply), +@@ -295,14 +272,7 @@ static void sofef00_panel_remove(struct mipi_dsi_device *dsi) + } + + static const struct of_device_id sofef00_panel_of_match[] = { +- { // OnePlus 6 / enchilada +- .compatible = "samsung,sofef00", +- .data = &enchilada_panel_mode, +- }, +- { // OnePlus 6T / fajita +- .compatible = "samsung,s6e3fc2x01", +- .data = &fajita_panel_mode, +- }, ++ { .compatible = "samsung,sofef00" }, + { /* sentinel */ } + }; + MODULE_DEVICE_TABLE(of, sofef00_panel_of_match); +-- +2.39.5 + diff --git a/queue-6.12/drm-panel-simple-fix-the-warnings-for-the-evervision.patch b/queue-6.12/drm-panel-simple-fix-the-warnings-for-the-evervision.patch new file mode 100644 index 0000000000..e5a9bfecb0 --- /dev/null +++ b/queue-6.12/drm-panel-simple-fix-the-warnings-for-the-evervision.patch @@ -0,0 +1,47 @@ +From 99275d50e00980b58e3f530c0f547dc8db3791a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 09:41:10 +0200 +Subject: drm/panel-simple: fix the warnings for the Evervision VGG644804 + +From: Michael Walle + +[ Upstream commit 5dc1ea903588a73fb03b3a3e5a041a7c63a4bccd ] + +The panel lacked the connector type which causes a warning. Adding the +connector type reveals wrong bus_flags and bits per pixel. Fix all of +it. + +Fixes: 1319f2178bdf ("drm/panel-simple: add Evervision VGG644804 panel entry") +Signed-off-by: Michael Walle +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20250520074110.655114-1-mwalle@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index d041ff542a4ee..82db3daf4f81a 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2141,13 +2141,14 @@ static const struct display_timing evervision_vgg644804_timing = { + static const struct panel_desc evervision_vgg644804 = { + .timings = &evervision_vgg644804_timing, + .num_timings = 1, +- .bpc = 8, ++ .bpc = 6, + .size = { + .width = 115, + .height = 86, + }, + .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG, +- .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_SAMPLE_NEGEDGE, ++ .bus_flags = DRM_BUS_FLAG_DE_HIGH, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct display_timing evervision_vgg804821_timing = { +-- +2.39.5 + diff --git a/queue-6.12/drm-panthor-fix-gpu_coherency_ace-_lite-definitions.patch b/queue-6.12/drm-panthor-fix-gpu_coherency_ace-_lite-definitions.patch new file mode 100644 index 0000000000..bdc589aff5 --- /dev/null +++ b/queue-6.12/drm-panthor-fix-gpu_coherency_ace-_lite-definitions.patch @@ -0,0 +1,47 @@ +From 5d77affe03d93a9a719113135b3f5e7c387282de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 10:09:29 +0200 +Subject: drm/panthor: Fix GPU_COHERENCY_ACE[_LITE] definitions + +From: Boris Brezillon + +[ Upstream commit d1df2907fb69df56aad8e4a0734dac0778c234a7 ] + +GPU_COHERENCY_ACE and GPU_COHERENCY_ACE_LITE definitions have been +swapped. + +Changes in v2: +- New patch + +Changes in v3: +- Add Steve's R-b + +Reported-by: Liviu Dudau +Fixes: 546b366600ef ("drm/panthor: Add GPU register definitions") +Reviewed-by: Steven Price +Reviewed-by: Liviu Dudau +Link: https://lore.kernel.org/r/20250404080933.2912674-2-boris.brezillon@collabora.com +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panthor/panthor_regs.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/panthor/panthor_regs.h b/drivers/gpu/drm/panthor/panthor_regs.h +index b7b3b3add1662..a7a323dc5cf92 100644 +--- a/drivers/gpu/drm/panthor/panthor_regs.h ++++ b/drivers/gpu/drm/panthor/panthor_regs.h +@@ -133,8 +133,8 @@ + #define GPU_COHERENCY_PROT_BIT(name) BIT(GPU_COHERENCY_ ## name) + + #define GPU_COHERENCY_PROTOCOL 0x304 +-#define GPU_COHERENCY_ACE 0 +-#define GPU_COHERENCY_ACE_LITE 1 ++#define GPU_COHERENCY_ACE_LITE 0 ++#define GPU_COHERENCY_ACE 1 + #define GPU_COHERENCY_NONE 31 + + #define MCU_CONTROL 0x700 +-- +2.39.5 + diff --git a/queue-6.12/drm-panthor-update-panthor_mmu-irq-mask-when-needed.patch b/queue-6.12/drm-panthor-update-panthor_mmu-irq-mask-when-needed.patch new file mode 100644 index 0000000000..4ebd5b46e1 --- /dev/null +++ b/queue-6.12/drm-panthor-update-panthor_mmu-irq-mask-when-needed.patch @@ -0,0 +1,44 @@ +From e2be3d71093f645f24b9bba1de1a484edcf71393 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 10:09:31 +0200 +Subject: drm/panthor: Update panthor_mmu::irq::mask when needed + +From: Boris Brezillon + +[ Upstream commit 8ba64cf2f358079d09faba7529aad2b0a46c7903 ] + +When we clear the faulty bits in the AS mask, we also need to update +the panthor_mmu::irq::mask field otherwise our IRQ handler won't get +called again until the GPU is reset. + +Changes in v2: +- Add Liviu's R-b + +Changes in v3: +- Add Steve's R-b + +Fixes: 647810ec2476 ("drm/panthor: Add the MMU/VM logical block") +Reviewed-by: Liviu Dudau +Reviewed-by: Steven Price +Link: https://lore.kernel.org/r/20250404080933.2912674-4-boris.brezillon@collabora.com +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panthor/panthor_mmu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c +index 0e6f94df690dd..b57824abeb9ee 100644 +--- a/drivers/gpu/drm/panthor/panthor_mmu.c ++++ b/drivers/gpu/drm/panthor/panthor_mmu.c +@@ -780,6 +780,7 @@ int panthor_vm_active(struct panthor_vm *vm) + if (ptdev->mmu->as.faulty_mask & panthor_mmu_as_fault_mask(ptdev, as)) { + gpu_write(ptdev, MMU_INT_CLEAR, panthor_mmu_as_fault_mask(ptdev, as)); + ptdev->mmu->as.faulty_mask &= ~panthor_mmu_as_fault_mask(ptdev, as); ++ ptdev->mmu->irq.mask |= panthor_mmu_as_fault_mask(ptdev, as); + gpu_write(ptdev, MMU_INT_MASK, ~ptdev->mmu->as.faulty_mask); + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch b/queue-6.12/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch new file mode 100644 index 0000000000..d975b1999f --- /dev/null +++ b/queue-6.12/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch @@ -0,0 +1,61 @@ +From 00df5100c2018b63ad99ca9a44c675de8842d39f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Nov 2023 12:24:24 +0000 +Subject: drm: rcar-du: Fix memory leak in rcar_du_vsps_init() + +From: Biju Das + +[ Upstream commit 91e3bf09a90bb4340c0c3c51396e7531555efda4 ] + +The rcar_du_vsps_init() doesn't free the np allocated by +of_parse_phandle_with_fixed_args() for the non-error case. + +Fix memory leak for the non-error case. + +While at it, replace the label 'error'->'done' as it applies to non-error +case as well and update the error check condition for rcar_du_vsp_init() +to avoid breakage in future, if it returns positive value. + +Fixes: 3e81374e2014 ("drm: rcar-du: Support multiple sources from the same VSP") +Signed-off-by: Biju Das +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20231116122424.80136-1-biju.das.jz@bp.renesas.com +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c +index 70d8ad065bfa1..4c8fe83dd6101 100644 +--- a/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c ++++ b/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c +@@ -705,7 +705,7 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu) + ret = of_parse_phandle_with_fixed_args(np, vsps_prop_name, + cells, i, &args); + if (ret < 0) +- goto error; ++ goto done; + + /* + * Add the VSP to the list or update the corresponding existing +@@ -743,13 +743,11 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu) + vsp->dev = rcdu; + + ret = rcar_du_vsp_init(vsp, vsps[i].np, vsps[i].crtcs_mask); +- if (ret < 0) +- goto error; ++ if (ret) ++ goto done; + } + +- return 0; +- +-error: ++done: + for (i = 0; i < ARRAY_SIZE(vsps); ++i) + of_node_put(vsps[i].np); + +-- +2.39.5 + diff --git a/queue-6.12/drm-tegra-rgb-fix-the-unbound-reference-count.patch b/queue-6.12/drm-tegra-rgb-fix-the-unbound-reference-count.patch new file mode 100644 index 0000000000..6a47da5ac7 --- /dev/null +++ b/queue-6.12/drm-tegra-rgb-fix-the-unbound-reference-count.patch @@ -0,0 +1,57 @@ +From 32e3481704567d3ec2e1f7c98cb9de1f1d100863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 11:21:35 +0000 +Subject: drm/tegra: rgb: Fix the unbound reference count + +From: Biju Das + +[ Upstream commit 3c3642335065c3bde0742b0edc505b6ea8fdc2b3 ] + +The of_get_child_by_name() increments the refcount in tegra_dc_rgb_probe, +but the driver does not decrement the refcount during unbind. Fix the +unbound reference count using devm_add_action_or_reset() helper. + +Fixes: d8f4a9eda006 ("drm: Add NVIDIA Tegra20 support") +Signed-off-by: Biju Das +Signed-off-by: Thierry Reding +Link: https://lore.kernel.org/r/20250205112137.36055-1-biju.das.jz@bp.renesas.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/rgb.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c +index 1e8ec50b759e4..ff5a749710db3 100644 +--- a/drivers/gpu/drm/tegra/rgb.c ++++ b/drivers/gpu/drm/tegra/rgb.c +@@ -200,6 +200,11 @@ static const struct drm_encoder_helper_funcs tegra_rgb_encoder_helper_funcs = { + .atomic_check = tegra_rgb_encoder_atomic_check, + }; + ++static void tegra_dc_of_node_put(void *data) ++{ ++ of_node_put(data); ++} ++ + int tegra_dc_rgb_probe(struct tegra_dc *dc) + { + struct device_node *np; +@@ -207,7 +212,14 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc) + int err; + + np = of_get_child_by_name(dc->dev->of_node, "rgb"); +- if (!np || !of_device_is_available(np)) ++ if (!np) ++ return -ENODEV; ++ ++ err = devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np); ++ if (err < 0) ++ return err; ++ ++ if (!of_device_is_available(np)) + return -ENODEV; + + rgb = devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.12/drm-vc4-tests-use-return-instead-of-assert.patch b/queue-6.12/drm-vc4-tests-use-return-instead-of-assert.patch new file mode 100644 index 0000000000..db0cd32e32 --- /dev/null +++ b/queue-6.12/drm-vc4-tests-use-return-instead-of-assert.patch @@ -0,0 +1,113 @@ +From 0b3814b5fd25b7ec12651b174be9bd0b59d2c322 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 15:33:30 +0200 +Subject: drm/vc4: tests: Use return instead of assert +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Ripard + +[ Upstream commit 9e26a3740cc08ef8bcdc5e5d824792cd677affce ] + +The vc4_mock_atomic_add_output() and vc4_mock_atomic_del_output() assert +that the functions they are calling didn't fail. Since some of them can +return EDEADLK, we can't properly deal with it. + +Since both functions are expected to return an int, and all caller check +the return value, let's just properly propagate the errors when they +occur. + +Fixes: f759f5b53f1c ("drm/vc4: tests: Introduce a mocking infrastructure") +Fixes: 76ec18dc5afa ("drm/vc4: tests: Add unit test suite for the PV muxing") +Reviewed-by: Maíra Canal +Link: https://lore.kernel.org/r/20250403-drm-vc4-kunit-failures-v2-1-e09195cc8840@kernel.org +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/tests/vc4_mock_output.c | 36 ++++++++++++++------- + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/tests/vc4_mock_output.c b/drivers/gpu/drm/vc4/tests/vc4_mock_output.c +index e70d7c3076acf..f0ddc223c1f83 100644 +--- a/drivers/gpu/drm/vc4/tests/vc4_mock_output.c ++++ b/drivers/gpu/drm/vc4/tests/vc4_mock_output.c +@@ -75,24 +75,30 @@ int vc4_mock_atomic_add_output(struct kunit *test, + int ret; + + encoder = vc4_find_encoder_by_type(drm, type); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, encoder); ++ if (!encoder) ++ return -ENODEV; + + crtc = vc4_find_crtc_for_encoder(test, drm, encoder); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc); ++ if (!crtc) ++ return -ENODEV; + + output = encoder_to_vc4_dummy_output(encoder); + conn = &output->connector; + conn_state = drm_atomic_get_connector_state(state, conn); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, conn_state); ++ if (IS_ERR(conn_state)) ++ return PTR_ERR(conn_state); + + ret = drm_atomic_set_crtc_for_connector(conn_state, crtc); +- KUNIT_EXPECT_EQ(test, ret, 0); ++ if (ret) ++ return ret; + + crtc_state = drm_atomic_get_crtc_state(state, crtc); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc_state); ++ if (IS_ERR(crtc_state)) ++ return PTR_ERR(crtc_state); + + ret = drm_atomic_set_mode_for_crtc(crtc_state, &default_mode); +- KUNIT_EXPECT_EQ(test, ret, 0); ++ if (ret) ++ return ret; + + crtc_state->active = true; + +@@ -113,26 +119,32 @@ int vc4_mock_atomic_del_output(struct kunit *test, + int ret; + + encoder = vc4_find_encoder_by_type(drm, type); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, encoder); ++ if (!encoder) ++ return -ENODEV; + + crtc = vc4_find_crtc_for_encoder(test, drm, encoder); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc); ++ if (!crtc) ++ return -ENODEV; + + crtc_state = drm_atomic_get_crtc_state(state, crtc); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc_state); ++ if (IS_ERR(crtc_state)) ++ return PTR_ERR(crtc_state); + + crtc_state->active = false; + + ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL); +- KUNIT_ASSERT_EQ(test, ret, 0); ++ if (ret) ++ return ret; + + output = encoder_to_vc4_dummy_output(encoder); + conn = &output->connector; + conn_state = drm_atomic_get_connector_state(state, conn); +- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, conn_state); ++ if (IS_ERR(conn_state)) ++ return PTR_ERR(conn_state); + + ret = drm_atomic_set_crtc_for_connector(conn_state, NULL); +- KUNIT_ASSERT_EQ(test, ret, 0); ++ if (ret) ++ return ret; + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch b/queue-6.12/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch new file mode 100644 index 0000000000..31b3e0e605 --- /dev/null +++ b/queue-6.12/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch @@ -0,0 +1,44 @@ +From cd1e196cdd87b94ab20968c8b7a8f0d84afaef63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 23:14:32 -0700 +Subject: drm/vkms: Adjust vkms_state->active_planes allocation type + +From: Kees Cook + +[ Upstream commit 258aebf100540d36aba910f545d4d5ddf4ecaf0b ] + +In preparation for making the kmalloc family of allocators type aware, +we need to make sure that the returned type from the allocation matches +the type of the variable being assigned. (Before, the allocator would +always return "void *", which can be implicitly cast to any pointer type.) + +The assigned type is "struct vkms_plane_state **", but the returned type +will be "struct drm_plane **". These are the same size (pointer size), but +the types don't match. Adjust the allocation type to match the assignment. + +Signed-off-by: Kees Cook +Reviewed-by: Louis Chauvet +Fixes: 8b1865873651 ("drm/vkms: totally reworked crc data tracking") +Link: https://lore.kernel.org/r/20250426061431.work.304-kees@kernel.org +Signed-off-by: Louis Chauvet +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c +index 40b4d084e3cee..91b589a497d02 100644 +--- a/drivers/gpu/drm/vkms/vkms_crtc.c ++++ b/drivers/gpu/drm/vkms/vkms_crtc.c +@@ -198,7 +198,7 @@ static int vkms_crtc_atomic_check(struct drm_crtc *crtc, + i++; + } + +- vkms_state->active_planes = kcalloc(i, sizeof(plane), GFP_KERNEL); ++ vkms_state->active_planes = kcalloc(i, sizeof(*vkms_state->active_planes), GFP_KERNEL); + if (!vkms_state->active_planes) + return -ENOMEM; + vkms_state->num_active_planes = i; +-- +2.39.5 + diff --git a/queue-6.12/drm-vmwgfx-add-error-path-for-xa_store-in-vmw_bo_add.patch b/queue-6.12/drm-vmwgfx-add-error-path-for-xa_store-in-vmw_bo_add.patch new file mode 100644 index 0000000000..40a56a751b --- /dev/null +++ b/queue-6.12/drm-vmwgfx-add-error-path-for-xa_store-in-vmw_bo_add.patch @@ -0,0 +1,102 @@ +From 30963cacc033d977dbadec594b4ffa105bbe912b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 15:52:23 +0100 +Subject: drm/vmwgfx: Add error path for xa_store in + vmw_bo_add_detached_resource + +From: Keisuke Nishimura + +[ Upstream commit 3282422bf251db541fe07c548ca304130d37d754 ] + +The xa_store() may fail due to memory allocation failure because there +is no guarantee that the index is already used. This fix introduces new +paths to handle the error. + +This patch also aligns the order of function calls by calling +vmw_bo_add_detached_resource() before ttm_prime_object_init() in order +to allow consistent error handling. + +Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") +Signed-off-by: Keisuke Nishimura +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20250225145223.34773-1-keisuke.nishimura@inria.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 4 ++-- + drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 16 ++++++++++++++-- + 3 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +index 183cda50094cb..ad61373332cc2 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +@@ -849,9 +849,9 @@ void vmw_bo_placement_set_default_accelerated(struct vmw_bo *bo) + vmw_bo_placement_set(bo, domain, domain); + } + +-void vmw_bo_add_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res) ++int vmw_bo_add_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res) + { +- xa_store(&vbo->detached_resources, (unsigned long)res, res, GFP_KERNEL); ++ return xa_err(xa_store(&vbo->detached_resources, (unsigned long)res, res, GFP_KERNEL)); + } + + void vmw_bo_del_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res) +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h +index c21ba7ff77368..940c0a0b9c451 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.h +@@ -142,7 +142,7 @@ void vmw_bo_move_notify(struct ttm_buffer_object *bo, + struct ttm_resource *mem); + void vmw_bo_swap_notify(struct ttm_buffer_object *bo); + +-void vmw_bo_add_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res); ++int vmw_bo_add_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res); + void vmw_bo_del_detached_resource(struct vmw_bo *vbo, struct vmw_resource *res); + struct vmw_surface *vmw_bo_surface(struct vmw_bo *vbo); + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +index 5721c74da3e0b..1f7626f6ac0b1 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -871,7 +871,12 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, + vmw_resource_unreference(&res); + goto out_unlock; + } +- vmw_bo_add_detached_resource(res->guest_memory_bo, res); ++ ++ ret = vmw_bo_add_detached_resource(res->guest_memory_bo, res); ++ if (unlikely(ret != 0)) { ++ vmw_resource_unreference(&res); ++ goto out_unlock; ++ } + } + + tmp = vmw_resource_reference(&srf->res); +@@ -1670,6 +1675,14 @@ vmw_gb_surface_define_internal(struct drm_device *dev, + + } + ++ if (res->guest_memory_bo) { ++ ret = vmw_bo_add_detached_resource(res->guest_memory_bo, res); ++ if (unlikely(ret != 0)) { ++ vmw_resource_unreference(&res); ++ goto out_unlock; ++ } ++ } ++ + tmp = vmw_resource_reference(res); + ret = ttm_prime_object_init(tfile, res->guest_memory_size, &user_srf->prime, + VMW_RES_SURFACE, +@@ -1684,7 +1697,6 @@ vmw_gb_surface_define_internal(struct drm_device *dev, + rep->handle = user_srf->prime.base.handle; + rep->backup_size = res->guest_memory_size; + if (res->guest_memory_bo) { +- vmw_bo_add_detached_resource(res->guest_memory_bo, res); + rep->buffer_map_handle = + drm_vma_node_offset_addr(&res->guest_memory_bo->tbo.base.vma_node); + rep->buffer_size = res->guest_memory_bo->tbo.base.size; +-- +2.39.5 + diff --git a/queue-6.12/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch b/queue-6.12/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch new file mode 100644 index 0000000000..11a9f28490 --- /dev/null +++ b/queue-6.12/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch @@ -0,0 +1,89 @@ +From c7546d052cb07fa7cd4a2e26508510303c5d97fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 14:06:33 -0600 +Subject: drm/vmwgfx: Add seqno waiter for sync_files + +From: Ian Forbes + +[ Upstream commit 0039a3b35b10d9c15d3d26320532ab56cc566750 ] + +Because sync_files are passive waiters they do not participate in +the processing of fences like the traditional vmw_fence_wait IOCTL. +If userspace exclusively uses sync_files for synchronization then +nothing in the kernel actually processes fence updates as interrupts +for fences are masked and ignored if the kernel does not indicate to the +SVGA device that there are active waiters. + +This oversight results in a bug where the entire GUI can freeze waiting +on a sync_file that will never be signalled as we've masked the interrupts +to signal its completion. This bug is incredibly racy as any process which +interacts with the fencing code via the 3D stack can process the stuck +fences on behalf of the stuck process causing it to run again. Even a +simple app like eglinfo is enough to resume the stuck process. Usually +this bug is seen at a login screen like GDM because there are no other +3D apps running. + +By adding a seqno waiter we re-enable interrupt based processing of the +dma_fences associated with the sync_file which is signalled as part of a +dma_fence_callback. + +This has likely been broken since it was initially added to the kernel in +2017 but has gone unnoticed until mutter recently started using sync_files +heavily over the course of 2024 as part of their explicit sync support. + +Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support") +Signed-off-by: Ian Forbes +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20250228200633.642417-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 2e52d73eba484..ea741bc4ac3fc 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -4086,6 +4086,23 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv, + return 0; + } + ++/* ++ * DMA fence callback to remove a seqno_waiter ++ */ ++struct seqno_waiter_rm_context { ++ struct dma_fence_cb base; ++ struct vmw_private *dev_priv; ++}; ++ ++static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb) ++{ ++ struct seqno_waiter_rm_context *ctx = ++ container_of(cb, struct seqno_waiter_rm_context, base); ++ ++ vmw_seqno_waiter_remove(ctx->dev_priv); ++ kfree(ctx); ++} ++ + int vmw_execbuf_process(struct drm_file *file_priv, + struct vmw_private *dev_priv, + void __user *user_commands, void *kernel_commands, +@@ -4266,6 +4283,15 @@ int vmw_execbuf_process(struct drm_file *file_priv, + } else { + /* Link the fence with the FD created earlier */ + fd_install(out_fence_fd, sync_file->file); ++ struct seqno_waiter_rm_context *ctx = ++ kmalloc(sizeof(*ctx), GFP_KERNEL); ++ ctx->dev_priv = dev_priv; ++ vmw_seqno_waiter_add(dev_priv); ++ if (dma_fence_add_callback(&fence->base, &ctx->base, ++ seqno_waiter_rm_cb) < 0) { ++ vmw_seqno_waiter_remove(dev_priv); ++ kfree(ctx); ++ } + } + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-vmwgfx-fix-dumb-buffer-leak.patch b/queue-6.12/drm-vmwgfx-fix-dumb-buffer-leak.patch new file mode 100644 index 0000000000..69a5abeaa5 --- /dev/null +++ b/queue-6.12/drm-vmwgfx-fix-dumb-buffer-leak.patch @@ -0,0 +1,135 @@ +From 7789ee4e840d8b753330163df1785ff90a644e60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 14:44:24 -0600 +Subject: drm/vmwgfx: Fix dumb buffer leak + +From: Ian Forbes + +[ Upstream commit f42c09e614f1bda96f5690be8d0bb273234febbc ] + +Dumb buffers were not being freed because the GEM reference that was +acquired in gb_surface_define was not dropped like it is in the 2D case. +Dropping this ref uncovered a few additional issues with freeing the +resources associated with dirty tracking in vmw_bo_free/release. + +Additionally the TTM object associated with the surface were also leaking +which meant that when the ttm_object_file was closed at process exit the +destructor unreferenced an already destroyed surface. + +The solution is to remove the destructor from the vmw_user_surface +associated with the dumb_buffer and immediately unreferencing the TTM +object which his removes it from the ttm_object_file. + +This also allows the early return in vmw_user_surface_base_release for the +dumb buffer case to be removed as it should no longer occur. + +The chain of references now has the GEM handle(s) owning the dumb buffer. +The GEM handles have a singular GEM reference to the vmw_bo which is +dropped when all handles are closed. When the GEM reference count hits +zero the vmw_bo is freed which then unreferences the surface via +vmw_resource_release in vmw_bo_release. + +Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") +Signed-off-by: Ian Forbes +Reviewed-by: Zack Rusin +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20250123204424.836896-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 6 ++++-- + drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 2 +- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 18 ++++++++++++------ + 3 files changed, 17 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +index ad61373332cc2..e8e49f13cfa2c 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +@@ -51,11 +51,13 @@ static void vmw_bo_release(struct vmw_bo *vbo) + mutex_lock(&res->dev_priv->cmdbuf_mutex); + (void)vmw_resource_reserve(res, false, true); + vmw_resource_mob_detach(res); ++ if (res->dirty) ++ res->func->dirty_free(res); + if (res->coherent) + vmw_bo_dirty_release(res->guest_memory_bo); + res->guest_memory_bo = NULL; + res->guest_memory_offset = 0; +- vmw_resource_unreserve(res, false, false, false, NULL, ++ vmw_resource_unreserve(res, true, false, false, NULL, + 0); + mutex_unlock(&res->dev_priv->cmdbuf_mutex); + } +@@ -73,9 +75,9 @@ static void vmw_bo_free(struct ttm_buffer_object *bo) + { + struct vmw_bo *vbo = to_vmw_bo(&bo->base); + +- WARN_ON(vbo->dirty); + WARN_ON(!RB_EMPTY_ROOT(&vbo->res_tree)); + vmw_bo_release(vbo); ++ WARN_ON(vbo->dirty); + kfree(vbo); + } + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c +index a73af8a355fbf..c4d5fe5f330f9 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c +@@ -273,7 +273,7 @@ int vmw_user_resource_lookup_handle(struct vmw_private *dev_priv, + goto out_bad_resource; + + res = converter->base_obj_to_res(base); +- kref_get(&res->kref); ++ vmw_resource_reference(res); + + *p_res = res; + ret = 0; +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +index 1f7626f6ac0b1..d7a8070330ba5 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -658,7 +658,7 @@ static void vmw_user_surface_free(struct vmw_resource *res) + struct vmw_user_surface *user_srf = + container_of(srf, struct vmw_user_surface, srf); + +- WARN_ON_ONCE(res->dirty); ++ WARN_ON(res->dirty); + if (user_srf->master) + drm_master_put(&user_srf->master); + kfree(srf->offsets); +@@ -689,8 +689,7 @@ static void vmw_user_surface_base_release(struct ttm_base_object **p_base) + * Dumb buffers own the resource and they'll unref the + * resource themselves + */ +- if (res && res->guest_memory_bo && res->guest_memory_bo->is_dumb) +- return; ++ WARN_ON(res && res->guest_memory_bo && res->guest_memory_bo->is_dumb); + + vmw_resource_unreference(&res); + } +@@ -2370,12 +2369,19 @@ int vmw_dumb_create(struct drm_file *file_priv, + vbo = res->guest_memory_bo; + vbo->is_dumb = true; + vbo->dumb_surface = vmw_res_to_srf(res); +- ++ drm_gem_object_put(&vbo->tbo.base); ++ /* ++ * Unset the user surface dtor since this in not actually exposed ++ * to userspace. The suface is owned via the dumb_buffer's GEM handle ++ */ ++ struct vmw_user_surface *usurf = container_of(vbo->dumb_surface, ++ struct vmw_user_surface, srf); ++ usurf->prime.base.refcount_release = NULL; + err: + if (res) + vmw_resource_unreference(&res); +- if (ret) +- ttm_ref_object_base_unref(tfile, arg.rep.handle); ++ ++ ttm_ref_object_base_unref(tfile, arg.rep.handle); + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.12/drm-xe-d3cold-set-power-state-to-d3cold-during-s2idl.patch b/queue-6.12/drm-xe-d3cold-set-power-state-to-d3cold-during-s2idl.patch new file mode 100644 index 0000000000..e529d20b45 --- /dev/null +++ b/queue-6.12/drm-xe-d3cold-set-power-state-to-d3cold-during-s2idl.patch @@ -0,0 +1,45 @@ +From 12bf4fbcd6d5cd6908ba17eedde1f19eb3d61697 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 21:49:14 +0530 +Subject: drm/xe/d3cold: Set power state to D3Cold during s2idle/s3 + +From: Badal Nilawar + +[ Upstream commit f945dd89fa8da3f662508165453dafdb4035d9d3 ] + +According to pci core guidelines, pci_save_config is recommended when the +driver explicitly needs to set the pci power state. As of now xe kmd is +only doing pci_save_config while entering to s2idle/s3 state, which makes +pci core think that device driver has already applied required pci power +state. This leads to GPU remain in D0 state. To fix the issue setting +the pci power state to D3Cold. + +Fixes:dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") + +Cc: Rafael J. Wysocki +Cc: Rodrigo Vivi +Signed-off-by: Badal Nilawar +Signed-off-by: Anshuman Gupta +Reviewed-by: Rodrigo Vivi +Link: https://lore.kernel.org/r/20250327161914.432552-1-badal.nilawar@intel.com +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/xe/xe_pci.c b/drivers/gpu/drm/xe/xe_pci.c +index 025d649434673..23028afbbe1d1 100644 +--- a/drivers/gpu/drm/xe/xe_pci.c ++++ b/drivers/gpu/drm/xe/xe_pci.c +@@ -910,6 +910,7 @@ static int xe_pci_suspend(struct device *dev) + + pci_save_state(pdev); + pci_disable_device(pdev); ++ pci_set_power_state(pdev, PCI_D3cold); + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/drm-xe-make-xe_gt_freq-part-of-the-documentation.patch b/queue-6.12/drm-xe-make-xe_gt_freq-part-of-the-documentation.patch new file mode 100644 index 0000000000..92e94c635c --- /dev/null +++ b/queue-6.12/drm-xe-make-xe_gt_freq-part-of-the-documentation.patch @@ -0,0 +1,87 @@ +From d087ea794ace91cb613cfbbaf1fe3dcdb8b7c47e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 12:51:47 -0400 +Subject: drm/xe: Make xe_gt_freq part of the Documentation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rodrigo Vivi + +[ Upstream commit 55f8aa083604ce098c9d6a0911c6bcde15d03a80 ] + +The documentation was created with the creation of the component, +however it has never been actually shown in the actual Documentation. + +While doing this, fixes the identation style, to avoid new warnings +while building htmldocs. + +Fixes: bef52b5c7a19 ("drm/xe: Create a xe_gt_freq component for raw management and sysfs") +Reviewed-by: Lucas De Marchi +Link: https://lore.kernel.org/r/20250521165146.39616-3-rodrigo.vivi@intel.com +Signed-off-by: Rodrigo Vivi +(cherry picked from commit af53f0fd99c3bbb3afd29f1612c9e88c5a92cc01) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + Documentation/gpu/xe/index.rst | 1 + + Documentation/gpu/xe/xe_gt_freq.rst | 14 ++++++++++++++ + drivers/gpu/drm/xe/xe_gt_freq.c | 2 ++ + 3 files changed, 17 insertions(+) + create mode 100644 Documentation/gpu/xe/xe_gt_freq.rst + +diff --git a/Documentation/gpu/xe/index.rst b/Documentation/gpu/xe/index.rst +index 3f07aa3b54325..89bbdcccf8eb7 100644 +--- a/Documentation/gpu/xe/index.rst ++++ b/Documentation/gpu/xe/index.rst +@@ -16,6 +16,7 @@ DG2, etc is provided to prototype the driver. + xe_migrate + xe_cs + xe_pm ++ xe_gt_freq + xe_pcode + xe_gt_mcr + xe_wa +diff --git a/Documentation/gpu/xe/xe_gt_freq.rst b/Documentation/gpu/xe/xe_gt_freq.rst +new file mode 100644 +index 0000000000000..c0811200e3275 +--- /dev/null ++++ b/Documentation/gpu/xe/xe_gt_freq.rst +@@ -0,0 +1,14 @@ ++.. SPDX-License-Identifier: (GPL-2.0+ OR MIT) ++ ++========================== ++Xe GT Frequency Management ++========================== ++ ++.. kernel-doc:: drivers/gpu/drm/xe/xe_gt_freq.c ++ :doc: Xe GT Frequency Management ++ ++Internal API ++============ ++ ++.. kernel-doc:: drivers/gpu/drm/xe/xe_gt_freq.c ++ :internal: +diff --git a/drivers/gpu/drm/xe/xe_gt_freq.c b/drivers/gpu/drm/xe/xe_gt_freq.c +index ab76973f3e1e6..a05fde2c7b122 100644 +--- a/drivers/gpu/drm/xe/xe_gt_freq.c ++++ b/drivers/gpu/drm/xe/xe_gt_freq.c +@@ -32,6 +32,7 @@ + * Xe's Freq provides a sysfs API for frequency management: + * + * device/tile#/gt#/freq0/_freq *read-only* files: ++ * + * - act_freq: The actual resolved frequency decided by PCODE. + * - cur_freq: The current one requested by GuC PC to the PCODE. + * - rpn_freq: The Render Performance (RP) N level, which is the minimal one. +@@ -39,6 +40,7 @@ + * - rp0_freq: The Render Performance (RP) 0 level, which is the maximum one. + * + * device/tile#/gt#/freq0/_freq *read-write* files: ++ * + * - min_freq: Min frequency request. + * - max_freq: Max frequency request. + * If max <= min, then freq_min becomes a fixed frequency request. +-- +2.39.5 + diff --git a/queue-6.12/dt-bindings-soc-fsl-qman-fqd-fix-reserved-memory.yam.patch b/queue-6.12/dt-bindings-soc-fsl-qman-fqd-fix-reserved-memory.yam.patch new file mode 100644 index 0000000000..657d34f260 --- /dev/null +++ b/queue-6.12/dt-bindings-soc-fsl-qman-fqd-fix-reserved-memory.yam.patch @@ -0,0 +1,47 @@ +From a3c3c8cca210853da4a2133931a31970ff9d40ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 10:42:31 -0500 +Subject: dt-bindings: soc: fsl,qman-fqd: Fix reserved-memory.yaml reference + +From: Rob Herring (Arm) + +[ Upstream commit 1090c38bbfd9ab7f22830c0e8a5c605e7d4ef084 ] + +The reserved-memory.yaml reference needs the full path. No warnings were +generated because the example has the wrong compatible string, so fix +that too. + +Fixes: 304a90c4f75d ("dt-bindings: soc: fsl: Convert q(b)man-* to yaml format") +Acked-by: Conor Dooley +Link: https://lore.kernel.org/r/20250507154231.1590634-1-robh@kernel.org +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/soc/fsl/fsl,qman-fqd.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/devicetree/bindings/soc/fsl/fsl,qman-fqd.yaml b/Documentation/devicetree/bindings/soc/fsl/fsl,qman-fqd.yaml +index de0b4ae740ff2..a975bce599750 100644 +--- a/Documentation/devicetree/bindings/soc/fsl/fsl,qman-fqd.yaml ++++ b/Documentation/devicetree/bindings/soc/fsl/fsl,qman-fqd.yaml +@@ -50,7 +50,7 @@ required: + - compatible + + allOf: +- - $ref: reserved-memory.yaml ++ - $ref: /schemas/reserved-memory/reserved-memory.yaml + + unevaluatedProperties: false + +@@ -61,7 +61,7 @@ examples: + #size-cells = <2>; + + qman-fqd { +- compatible = "shared-dma-pool"; ++ compatible = "fsl,qman-fqd"; + size = <0 0x400000>; + alignment = <0 0x400000>; + no-map; +-- +2.39.5 + diff --git a/queue-6.12/dt-bindings-vendor-prefixes-add-liontron-name.patch b/queue-6.12/dt-bindings-vendor-prefixes-add-liontron-name.patch new file mode 100644 index 0000000000..fd2872daed --- /dev/null +++ b/queue-6.12/dt-bindings-vendor-prefixes-add-liontron-name.patch @@ -0,0 +1,40 @@ +From 6192334afd46b213ae99df7e1e12b07a7c4f008c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 17:47:27 +0100 +Subject: dt-bindings: vendor-prefixes: Add Liontron name + +From: Andre Przywara + +[ Upstream commit 9baa27a2e9fc746143ab686b6dbe2d515284a4c5 ] + +Liontron is a company based in Shenzen, China, making industrial +development boards and embedded computers, mostly using Rockchip and +Allwinner SoCs. + +Add their name to the list of vendors. + +Signed-off-by: Andre Przywara +Acked-by: Rob Herring (Arm) +Link: https://patch.msgid.link/20250505164729.18175-2-andre.przywara@arm.com +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml +index 71a1a399e1e1f..af9a8d43b2479 100644 +--- a/Documentation/devicetree/bindings/vendor-prefixes.yaml ++++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml +@@ -846,6 +846,8 @@ patternProperties: + description: Linux-specific binding + "^linx,.*": + description: Linx Technologies ++ "^liontron,.*": ++ description: Shenzhen Liontron Technology Co., Ltd + "^liteon,.*": + description: LITE-ON Technology Corp. + "^litex,.*": +-- +2.39.5 + diff --git a/queue-6.12/edac-skx_common-fix-general-protection-fault.patch b/queue-6.12/edac-skx_common-fix-general-protection-fault.patch new file mode 100644 index 0000000000..efd5d25c8b --- /dev/null +++ b/queue-6.12/edac-skx_common-fix-general-protection-fault.patch @@ -0,0 +1,68 @@ +From 459721fc0c0a8091ce81578a4b0bd02c6136e302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 23:07:18 +0800 +Subject: EDAC/skx_common: Fix general protection fault + +From: Qiuxu Zhuo + +[ Upstream commit 20d2d476b3ae18041be423671a8637ed5ffd6958 ] + +After loading i10nm_edac (which automatically loads skx_edac_common), if +unload only i10nm_edac, then reload it and perform error injection testing, +a general protection fault may occur: + + mce: [Hardware Error]: Machine check events logged + Oops: general protection fault ... + ... + Workqueue: events mce_gen_pool_process + RIP: 0010:string+0x53/0xe0 + ... + Call Trace: + + ? die_addr+0x37/0x90 + ? exc_general_protection+0x1e7/0x3f0 + ? asm_exc_general_protection+0x26/0x30 + ? string+0x53/0xe0 + vsnprintf+0x23e/0x4c0 + snprintf+0x4d/0x70 + skx_adxl_decode+0x16a/0x330 [skx_edac_common] + skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common] + skx_mce_check_error+0x17/0x20 [skx_edac_common] + ... + +The issue arose was because the variable 'adxl_component_count' (inside +skx_edac_common), which counts the ADXL components, was not reset. During +the reloading of i10nm_edac, the count was incremented by the actual number +of ADXL components again, resulting in a count that was double the real +number of ADXL components. This led to an out-of-bounds reference to the +ADXL component array, causing the general protection fault above. + +Fix this issue by resetting the 'adxl_component_count' in adxl_put(), +which is called during the unloading of {skx,i10nm}_edac. + +Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module") +Reported-by: Feng Xu +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Feng Xu +Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/skx_common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c +index 85ec3196664d3..88f5ff249f2e0 100644 +--- a/drivers/edac/skx_common.c ++++ b/drivers/edac/skx_common.c +@@ -115,6 +115,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get); + + void skx_adxl_put(void) + { ++ adxl_component_count = 0; + kfree(adxl_values); + kfree(adxl_msg); + } +-- +2.39.5 + diff --git a/queue-6.12/edac-skx_common-i10nm-fix-the-loss-of-saved-rrl-for-.patch b/queue-6.12/edac-skx_common-i10nm-fix-the-loss-of-saved-rrl-for-.patch new file mode 100644 index 0000000000..80ad545489 --- /dev/null +++ b/queue-6.12/edac-skx_common-i10nm-fix-the-loss-of-saved-rrl-for-.patch @@ -0,0 +1,164 @@ +From 4b0fb9366dd4314749512adc310b49e4ac53b471 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 23:07:19 +0800 +Subject: EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo + channel 0 + +From: Qiuxu Zhuo + +[ Upstream commit eeed3e03f4261e5e381a72ae099ff00ccafbb437 ] + +When enabling the retry_rd_err_log (RRL) feature during the loading of the +i10nm_edac driver with the module parameter retry_rd_err_log=2 (Linux RRL +control mode), the default values of the control bits of RRL are saved so +that they can be restored during the unloading of the driver. + +In the current code, the RRL of pseudo channel 1 of HBM overwrites pseudo +channel 0 during the loading of the driver, resulting in the loss of saved +RRL for pseudo channel 0. This causes the RRL of pseudo channel 0 of HBM to +be wrongly restored with the values from pseudo channel 1 when unloading +the driver. + +Fix this issue by creating two separate groups of RRL control registers +per channel to save default RRL settings of two {sub-,pseudo-}channels. + +Fixes: acd4cf68fefe ("EDAC/i10nm: Retrieve and print retry_rd_err_log registers for HBM") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Feng Xu +Link: https://lore.kernel.org/r/20250417150724.1170168-3-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/i10nm_base.c | 35 +++++++++++++++++++---------------- + drivers/edac/skx_common.h | 11 ++++++++--- + 2 files changed, 27 insertions(+), 19 deletions(-) + +diff --git a/drivers/edac/i10nm_base.c b/drivers/edac/i10nm_base.c +index fbdf005bed3a4..ac4b3d95531c5 100644 +--- a/drivers/edac/i10nm_base.c ++++ b/drivers/edac/i10nm_base.c +@@ -95,7 +95,7 @@ static u32 offsets_demand2_spr[] = {0x22c70, 0x22d80, 0x22f18, 0x22d58, 0x22c64, + static u32 offsets_demand_spr_hbm0[] = {0x2a54, 0x2a60, 0x2b10, 0x2a58, 0x2a5c, 0x0ee0}; + static u32 offsets_demand_spr_hbm1[] = {0x2e54, 0x2e60, 0x2f10, 0x2e58, 0x2e5c, 0x0fb0}; + +-static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable, ++static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable, u32 *rrl_ctl, + u32 *offsets_scrub, u32 *offsets_demand, + u32 *offsets_demand2) + { +@@ -108,10 +108,10 @@ static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable + + if (enable) { + /* Save default configurations */ +- imc->chan[chan].retry_rd_err_log_s = s; +- imc->chan[chan].retry_rd_err_log_d = d; ++ rrl_ctl[0] = s; ++ rrl_ctl[1] = d; + if (offsets_demand2) +- imc->chan[chan].retry_rd_err_log_d2 = d2; ++ rrl_ctl[2] = d2; + + s &= ~RETRY_RD_ERR_LOG_NOOVER_UC; + s |= RETRY_RD_ERR_LOG_EN; +@@ -125,25 +125,25 @@ static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable + } + } else { + /* Restore default configurations */ +- if (imc->chan[chan].retry_rd_err_log_s & RETRY_RD_ERR_LOG_UC) ++ if (rrl_ctl[0] & RETRY_RD_ERR_LOG_UC) + s |= RETRY_RD_ERR_LOG_UC; +- if (imc->chan[chan].retry_rd_err_log_s & RETRY_RD_ERR_LOG_NOOVER) ++ if (rrl_ctl[0] & RETRY_RD_ERR_LOG_NOOVER) + s |= RETRY_RD_ERR_LOG_NOOVER; +- if (!(imc->chan[chan].retry_rd_err_log_s & RETRY_RD_ERR_LOG_EN)) ++ if (!(rrl_ctl[0] & RETRY_RD_ERR_LOG_EN)) + s &= ~RETRY_RD_ERR_LOG_EN; +- if (imc->chan[chan].retry_rd_err_log_d & RETRY_RD_ERR_LOG_UC) ++ if (rrl_ctl[1] & RETRY_RD_ERR_LOG_UC) + d |= RETRY_RD_ERR_LOG_UC; +- if (imc->chan[chan].retry_rd_err_log_d & RETRY_RD_ERR_LOG_NOOVER) ++ if (rrl_ctl[1] & RETRY_RD_ERR_LOG_NOOVER) + d |= RETRY_RD_ERR_LOG_NOOVER; +- if (!(imc->chan[chan].retry_rd_err_log_d & RETRY_RD_ERR_LOG_EN)) ++ if (!(rrl_ctl[1] & RETRY_RD_ERR_LOG_EN)) + d &= ~RETRY_RD_ERR_LOG_EN; + + if (offsets_demand2) { +- if (imc->chan[chan].retry_rd_err_log_d2 & RETRY_RD_ERR_LOG_UC) ++ if (rrl_ctl[2] & RETRY_RD_ERR_LOG_UC) + d2 |= RETRY_RD_ERR_LOG_UC; +- if (!(imc->chan[chan].retry_rd_err_log_d2 & RETRY_RD_ERR_LOG_NOOVER)) ++ if (!(rrl_ctl[2] & RETRY_RD_ERR_LOG_NOOVER)) + d2 &= ~RETRY_RD_ERR_LOG_NOOVER; +- if (!(imc->chan[chan].retry_rd_err_log_d2 & RETRY_RD_ERR_LOG_EN)) ++ if (!(rrl_ctl[2] & RETRY_RD_ERR_LOG_EN)) + d2 &= ~RETRY_RD_ERR_LOG_EN; + } + } +@@ -157,6 +157,7 @@ static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable + static void enable_retry_rd_err_log(bool enable) + { + int i, j, imc_num, chan_num; ++ struct skx_channel *chan; + struct skx_imc *imc; + struct skx_dev *d; + +@@ -171,8 +172,9 @@ static void enable_retry_rd_err_log(bool enable) + if (!imc->mbase) + continue; + ++ chan = d->imc[i].chan; + for (j = 0; j < chan_num; j++) +- __enable_retry_rd_err_log(imc, j, enable, ++ __enable_retry_rd_err_log(imc, j, enable, chan[j].rrl_ctl[0], + res_cfg->offsets_scrub, + res_cfg->offsets_demand, + res_cfg->offsets_demand2); +@@ -186,12 +188,13 @@ static void enable_retry_rd_err_log(bool enable) + if (!imc->mbase || !imc->hbm_mc) + continue; + ++ chan = d->imc[i].chan; + for (j = 0; j < chan_num; j++) { +- __enable_retry_rd_err_log(imc, j, enable, ++ __enable_retry_rd_err_log(imc, j, enable, chan[j].rrl_ctl[0], + res_cfg->offsets_scrub_hbm0, + res_cfg->offsets_demand_hbm0, + NULL); +- __enable_retry_rd_err_log(imc, j, enable, ++ __enable_retry_rd_err_log(imc, j, enable, chan[j].rrl_ctl[1], + res_cfg->offsets_scrub_hbm1, + res_cfg->offsets_demand_hbm1, + NULL); +diff --git a/drivers/edac/skx_common.h b/drivers/edac/skx_common.h +index 849198fd14da6..f40eb6e4f6319 100644 +--- a/drivers/edac/skx_common.h ++++ b/drivers/edac/skx_common.h +@@ -79,6 +79,9 @@ + */ + #define MCACOD_EXT_MEM_ERR 0x280 + ++/* Max RRL register sets per {,sub-,pseudo-}channel. */ ++#define NUM_RRL_SET 3 ++ + /* + * Each cpu socket contains some pci devices that provide global + * information, and also some that are local to each of the two +@@ -117,9 +120,11 @@ struct skx_dev { + struct skx_channel { + struct pci_dev *cdev; + struct pci_dev *edev; +- u32 retry_rd_err_log_s; +- u32 retry_rd_err_log_d; +- u32 retry_rd_err_log_d2; ++ /* ++ * Two groups of RRL control registers per channel to save default RRL ++ * settings of two {sub-,pseudo-}channels in Linux RRL control mode. ++ */ ++ u32 rrl_ctl[2][NUM_RRL_SET]; + struct skx_dimm { + u8 close_pg; + u8 bank_xor_enable; +-- +2.39.5 + diff --git a/queue-6.12/efi-libstub-describe-missing-out-parameter-in-efi_lo.patch b/queue-6.12/efi-libstub-describe-missing-out-parameter-in-efi_lo.patch new file mode 100644 index 0000000000..148c88f3f6 --- /dev/null +++ b/queue-6.12/efi-libstub-describe-missing-out-parameter-in-efi_lo.patch @@ -0,0 +1,40 @@ +From 2c937427bd89f49738805c580b98090a1836127b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 00:31:11 +0800 +Subject: efi/libstub: Describe missing 'out' parameter in efi_load_initrd + +From: Hans Zhang <18255117159@163.com> + +[ Upstream commit c8e1927e7f7d63721e32ec41d27ccb0eb1a1b0fc ] + +The function efi_load_initrd() had a documentation warning due to +the missing description for the 'out' parameter. Add the parameter +description to the kernel-doc comment to resolve the warning and +improve API documentation. + +Fixes the following compiler warning: +drivers/firmware/efi/libstub/efi-stub-helper.c:611: warning: Function parameter or struct member 'out' not described in 'efi_load_initrd' + +Fixes: f4dc7fffa987 ("efi: libstub: unify initrd loading between architectures") +Signed-off-by: Hans Zhang <18255117159@163.com> +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/efi-stub-helper.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c +index de659f6a815fd..1ad414da9920a 100644 +--- a/drivers/firmware/efi/libstub/efi-stub-helper.c ++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c +@@ -603,6 +603,7 @@ efi_status_t efi_load_initrd_cmdline(efi_loaded_image_t *image, + * @image: EFI loaded image protocol + * @soft_limit: preferred address for loading the initrd + * @hard_limit: upper limit address for loading the initrd ++ * @out: pointer to store the address of the initrd table + * + * Return: status code + */ +-- +2.39.5 + diff --git a/queue-6.12/erofs-avoid-using-multiple-devices-with-different-ty.patch b/queue-6.12/erofs-avoid-using-multiple-devices-with-different-ty.patch new file mode 100644 index 0000000000..76bab79154 --- /dev/null +++ b/queue-6.12/erofs-avoid-using-multiple-devices-with-different-ty.patch @@ -0,0 +1,64 @@ +From 107a50fc03b9fd4225583bca2e346ae8f52222cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 09:48:37 +0800 +Subject: erofs: avoid using multiple devices with different type + +From: Sheng Yong + +[ Upstream commit 9748f2f54f66743ac77275c34886a9f890e18409 ] + +For multiple devices, both primary and extra devices should be the +same type. `erofs_init_device` has already guaranteed that if the +primary is a file-backed device, extra devices should also be +regular files. + +However, if the primary is a block device while the extra device +is a file-backed device, `erofs_init_device` will get an ENOTBLK, +which is not treated as an error in `erofs_fc_get_tree`, and that +leads to an UAF: + + erofs_fc_get_tree + get_tree_bdev_flags(erofs_fc_fill_super) + erofs_read_superblock + erofs_init_device // sbi->dif0 is not inited yet, + // return -ENOTBLK + deactivate_locked_super + free(sbi) + if (err is -ENOTBLK) + sbi->dif0.file = filp_open() // sbi UAF + +So if -ENOTBLK is hitted in `erofs_init_device`, it means the +primary device must be a block device, and the extra device +is not a block device. The error can be converted to -EINVAL. + +Fixes: fb176750266a ("erofs: add file-backed mount support") +Signed-off-by: Sheng Yong +Reviewed-by: Gao Xiang +Reviewed-by: Hongbo Li +Link: https://lore.kernel.org/r/20250515014837.3315886-1-shengyong1@xiaomi.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/super.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/erofs/super.c b/fs/erofs/super.c +index 1143e1913f25b..5fcdab6145176 100644 +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -188,8 +188,11 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb, + filp_open(dif->path, O_RDONLY | O_LARGEFILE, 0) : + bdev_file_open_by_path(dif->path, + BLK_OPEN_READ, sb->s_type, NULL); +- if (IS_ERR(file)) ++ if (IS_ERR(file)) { ++ if (file == ERR_PTR(-ENOTBLK)) ++ return -EINVAL; + return PTR_ERR(file); ++ } + + if (!erofs_is_fileio_mode(sbi)) { + dif->dax_dev = fs_dax_get_by_bdev(file_bdev(file), +-- +2.39.5 + diff --git a/queue-6.12/erofs-fix-file-handle-encoding-for-64-bit-nids.patch b/queue-6.12/erofs-fix-file-handle-encoding-for-64-bit-nids.patch new file mode 100644 index 0000000000..7132489b9e --- /dev/null +++ b/queue-6.12/erofs-fix-file-handle-encoding-for-64-bit-nids.patch @@ -0,0 +1,115 @@ +From ccbb8c1e6fad88a99e56857bdcfc5f4af82d5126 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 09:40:15 +0000 +Subject: erofs: fix file handle encoding for 64-bit NIDs + +From: Hongbo Li + +[ Upstream commit 510de8363f2c3d8e67fa9dfb2366e821382036e0 ] + +EROFS uses NID to indicate the on-disk inode offset, which can +exceed 32 bits. However, the default encode_fh uses the ino32, +thus it doesn't work if the image is larger than 128GiB. + +Let's introduce our own helpers to encode file handles. + +It's easy to reproduce: + 1. prepare an erofs image with nid bigger than U32_MAX + 2. mount -t erofs foo.img /mnt/erofs + 3. set exportfs with configuration: /mnt/erofs *(rw,sync, + no_root_squash) + 4. mount -t nfs $IP:/mnt/erofs /mnt/nfs + 5. md5sum /mnt/nfs/foo # foo is the file which nid bigger + than U32_MAX. # you will get ESTALE error. + +In the case of overlayfs, the underlying filesystem's file +handle is encoded in ovl_fb.fid, which is similar to NFS's +case. If the NID of file is larger than U32_MAX, the overlay +will get -ESTALE error when calls exportfs_decode_fh. + +Fixes: 3e917cc305c6 ("erofs: make filesystem exportable") +Signed-off-by: Hongbo Li +Reviewed-by: Gao Xiang +Link: https://lore.kernel.org/r/20250507094015.14007-1-lihongbo22@huawei.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/super.c | 44 ++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 8 deletions(-) + +diff --git a/fs/erofs/super.c b/fs/erofs/super.c +index 3421448fef0e3..1143e1913f25b 100644 +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -537,24 +537,52 @@ static int erofs_fc_parse_param(struct fs_context *fc, + return 0; + } + +-static struct inode *erofs_nfs_get_inode(struct super_block *sb, +- u64 ino, u32 generation) ++static int erofs_encode_fh(struct inode *inode, u32 *fh, int *max_len, ++ struct inode *parent) + { +- return erofs_iget(sb, ino); ++ erofs_nid_t nid = EROFS_I(inode)->nid; ++ int len = parent ? 6 : 3; ++ ++ if (*max_len < len) { ++ *max_len = len; ++ return FILEID_INVALID; ++ } ++ ++ fh[0] = (u32)(nid >> 32); ++ fh[1] = (u32)(nid & 0xffffffff); ++ fh[2] = inode->i_generation; ++ ++ if (parent) { ++ nid = EROFS_I(parent)->nid; ++ ++ fh[3] = (u32)(nid >> 32); ++ fh[4] = (u32)(nid & 0xffffffff); ++ fh[5] = parent->i_generation; ++ } ++ ++ *max_len = len; ++ return parent ? FILEID_INO64_GEN_PARENT : FILEID_INO64_GEN; + } + + static struct dentry *erofs_fh_to_dentry(struct super_block *sb, + struct fid *fid, int fh_len, int fh_type) + { +- return generic_fh_to_dentry(sb, fid, fh_len, fh_type, +- erofs_nfs_get_inode); ++ if ((fh_type != FILEID_INO64_GEN && ++ fh_type != FILEID_INO64_GEN_PARENT) || fh_len < 3) ++ return NULL; ++ ++ return d_obtain_alias(erofs_iget(sb, ++ ((u64)fid->raw[0] << 32) | fid->raw[1])); + } + + static struct dentry *erofs_fh_to_parent(struct super_block *sb, + struct fid *fid, int fh_len, int fh_type) + { +- return generic_fh_to_parent(sb, fid, fh_len, fh_type, +- erofs_nfs_get_inode); ++ if (fh_type != FILEID_INO64_GEN_PARENT || fh_len < 6) ++ return NULL; ++ ++ return d_obtain_alias(erofs_iget(sb, ++ ((u64)fid->raw[3] << 32) | fid->raw[4])); + } + + static struct dentry *erofs_get_parent(struct dentry *child) +@@ -570,7 +598,7 @@ static struct dentry *erofs_get_parent(struct dentry *child) + } + + static const struct export_operations erofs_export_ops = { +- .encode_fh = generic_encode_ino32_fh, ++ .encode_fh = erofs_encode_fh, + .fh_to_dentry = erofs_fh_to_dentry, + .fh_to_parent = erofs_fh_to_parent, + .get_parent = erofs_get_parent, +-- +2.39.5 + diff --git a/queue-6.12/f2fs-clean-up-unnecessary-indentation.patch b/queue-6.12/f2fs-clean-up-unnecessary-indentation.patch new file mode 100644 index 0000000000..2b3fa4f67a --- /dev/null +++ b/queue-6.12/f2fs-clean-up-unnecessary-indentation.patch @@ -0,0 +1,88 @@ +From f51fde378098c4aa74c4f053eb3041f07a3a63f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 19:03:03 +0000 +Subject: f2fs: clean up unnecessary indentation + +From: Jaegeuk Kim + +[ Upstream commit 05d3273ad03fa5ea1177b4f3dfeeb6de4899b504 ] + +No functional change. + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.h | 40 ++++++++++++++++++++++++---------------- + 1 file changed, 24 insertions(+), 16 deletions(-) + +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 0c004dd5595b9..25d3cda9bd5a3 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -431,7 +431,6 @@ static inline void __set_free(struct f2fs_sb_info *sbi, unsigned int segno) + unsigned int secno = GET_SEC_FROM_SEG(sbi, segno); + unsigned int start_segno = GET_SEG_FROM_SEC(sbi, secno); + unsigned int next; +- unsigned int usable_segs = f2fs_usable_segs_in_sec(sbi); + + spin_lock(&free_i->segmap_lock); + clear_bit(segno, free_i->free_segmap); +@@ -439,7 +438,7 @@ static inline void __set_free(struct f2fs_sb_info *sbi, unsigned int segno) + + next = find_next_bit(free_i->free_segmap, + start_segno + SEGS_PER_SEC(sbi), start_segno); +- if (next >= start_segno + usable_segs) { ++ if (next >= start_segno + f2fs_usable_segs_in_sec(sbi)) { + clear_bit(secno, free_i->free_secmap); + free_i->free_sections++; + } +@@ -465,22 +464,31 @@ static inline void __set_test_and_free(struct f2fs_sb_info *sbi, + unsigned int secno = GET_SEC_FROM_SEG(sbi, segno); + unsigned int start_segno = GET_SEG_FROM_SEC(sbi, secno); + unsigned int next; +- unsigned int usable_segs = f2fs_usable_segs_in_sec(sbi); ++ bool ret; + + spin_lock(&free_i->segmap_lock); +- if (test_and_clear_bit(segno, free_i->free_segmap)) { +- free_i->free_segments++; +- +- if (!inmem && IS_CURSEC(sbi, secno)) +- goto skip_free; +- next = find_next_bit(free_i->free_segmap, +- start_segno + SEGS_PER_SEC(sbi), start_segno); +- if (next >= start_segno + usable_segs) { +- if (test_and_clear_bit(secno, free_i->free_secmap)) +- free_i->free_sections++; +- } +- } +-skip_free: ++ ret = test_and_clear_bit(segno, free_i->free_segmap); ++ if (!ret) ++ goto unlock_out; ++ ++ free_i->free_segments++; ++ ++ if (!inmem && IS_CURSEC(sbi, secno)) ++ goto unlock_out; ++ ++ /* check large section */ ++ next = find_next_bit(free_i->free_segmap, ++ start_segno + SEGS_PER_SEC(sbi), start_segno); ++ if (next < start_segno + f2fs_usable_segs_in_sec(sbi)) ++ goto unlock_out; ++ ++ ret = test_and_clear_bit(secno, free_i->free_secmap); ++ if (!ret) ++ goto unlock_out; ++ ++ free_i->free_sections++; ++ ++unlock_out: + spin_unlock(&free_i->segmap_lock); + } + +-- +2.39.5 + diff --git a/queue-6.12/f2fs-clean-up-w-fscrypt_is_bounce_page.patch b/queue-6.12/f2fs-clean-up-w-fscrypt_is_bounce_page.patch new file mode 100644 index 0000000000..8db38ee9f4 --- /dev/null +++ b/queue-6.12/f2fs-clean-up-w-fscrypt_is_bounce_page.patch @@ -0,0 +1,34 @@ +From 8170fc592e5bdb16510cb3aa49277a6123f04b97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 18:52:36 +0800 +Subject: f2fs: clean up w/ fscrypt_is_bounce_page() + +From: Chao Yu + +[ Upstream commit 0c708e35cf26449ca317fcbfc274704660b6d269 ] + +Just cleanup, no logic changes. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 1b0050b8421d8..8564441cef9bc 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -53,7 +53,7 @@ bool f2fs_is_cp_guaranteed(struct page *page) + struct inode *inode; + struct f2fs_sb_info *sbi; + +- if (!mapping) ++ if (fscrypt_is_bounce_page(page)) + return false; + + inode = mapping->host; +-- +2.39.5 + diff --git a/queue-6.12/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch b/queue-6.12/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch new file mode 100644 index 0000000000..602e66cf71 --- /dev/null +++ b/queue-6.12/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch @@ -0,0 +1,36 @@ +From 7e71788a112bc8d8122583d1a02eb06fb7161f61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 16:45:49 +0800 +Subject: f2fs: fix to correct check conditions in f2fs_cross_rename + +From: Zhiguo Niu + +[ Upstream commit 9883494c45a13dc88d27dde4f988c04823b42a2f ] + +Should be "old_dir" here. + +Fixes: 5c57132eaf52 ("f2fs: support project quota") +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index f8407a645303b..6f70f377f1211 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -1099,7 +1099,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(new_dir)->i_projid, + F2FS_I(old_inode)->i_projid)) || +- (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && ++ (is_inode_flag_set(old_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(old_dir)->i_projid, + F2FS_I(new_inode)->i_projid))) + return -EXDEV; +-- +2.39.5 + diff --git a/queue-6.12/f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch b/queue-6.12/f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch new file mode 100644 index 0000000000..29d21ebba7 --- /dev/null +++ b/queue-6.12/f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch @@ -0,0 +1,91 @@ +From bc1fa2f112e601df6cc06246d4a753f6c2d59194 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 18:52:37 +0800 +Subject: f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() + +From: Chao Yu + +[ Upstream commit aa1be8dd64163eca4dde7fd2557eb19927a06a47 ] + +Jan Prusakowski reported a f2fs bug as below: + +f2fs/007 will hang kernel during testing w/ below configs: + +kernel 6.12.18 (from pixel-kernel/android16-6.12) +export MKFS_OPTIONS="-O encrypt -O extra_attr -O project_quota -O quota" +export F2FS_MOUNT_OPTIONS="test_dummy_encryption,discard,fsync_mode=nobarrier,reserve_root=32768,checkpoint_merge,atgc" + +cat /proc//stack +f2fs_wait_on_all_pages+0xa3/0x130 +do_checkpoint+0x40c/0x5d0 +f2fs_write_checkpoint+0x258/0x550 +kill_f2fs_super+0x14f/0x190 +deactivate_locked_super+0x30/0xb0 +cleanup_mnt+0xba/0x150 +task_work_run+0x59/0xa0 +syscall_exit_to_user_mode+0x12d/0x130 +do_syscall_64+0x57/0x110 +entry_SYSCALL_64_after_hwframe+0x76/0x7e + +cat /sys/kernel/debug/f2fs/status + + - IO_W (CP: -256, Data: 256, Flush: ( 0 0 1), Discard: ( 0 0)) cmd: 0 undiscard: 0 + +CP IOs reference count becomes negative. + +The root cause is: + +After 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block +migration"), we will tag page w/ gcing flag for raw page of cluster +during its migration. + +However, if the inode is both encrypted and compressed, during +ioc_decompress(), it will tag page w/ gcing flag, and it increase +F2FS_WB_DATA reference count: +- f2fs_write_multi_page + - f2fs_write_raw_page + - f2fs_write_single_page + - do_write_page + - f2fs_submit_page_write + - WB_DATA_TYPE(bio_page, fio->compressed_page) + : bio_page is encrypted, so mapping is NULL, and fio->compressed_page + is NULL, it returns F2FS_WB_DATA + - inc_page_count(.., F2FS_WB_DATA) + +Then, during end_io(), it decrease F2FS_WB_CP_DATA reference count: +- f2fs_write_end_io + - f2fs_compress_write_end_io + - fscrypt_pagecache_folio + : get raw page from encrypted page + - WB_DATA_TYPE(&folio->page, false) + : raw page has gcing flag, it returns F2FS_WB_CP_DATA + - dec_page_count(.., F2FS_WB_CP_DATA) + +In order to fix this issue, we need to detect gcing flag in raw page +in f2fs_is_cp_guaranteed(). + +Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration") +Reported-by: Jan Prusakowski +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 8564441cef9bc..62c7fd1168a15 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -54,7 +54,7 @@ bool f2fs_is_cp_guaranteed(struct page *page) + struct f2fs_sb_info *sbi; + + if (fscrypt_is_bounce_page(page)) +- return false; ++ return page_private_gcing(fscrypt_pagecache_page(page)); + + inode = mapping->host; + sbi = F2FS_I_SB(inode); +-- +2.39.5 + diff --git a/queue-6.12/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch b/queue-6.12/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch new file mode 100644 index 0000000000..bb2eefcaa9 --- /dev/null +++ b/queue-6.12/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch @@ -0,0 +1,76 @@ +From 87d0820d4207b4b5da99a24ddfe0953746f8e54c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 20:22:08 +0800 +Subject: f2fs: fix to do sanity check on sbi->total_valid_block_count + +From: Chao Yu + +[ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ] + +syzbot reported a f2fs bug as below: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/f2fs.h:2521! +RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 +Call Trace: + f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 + truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 + truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 + f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197 + f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810 + f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838 + f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888 + f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112 + notify_change+0xbca/0xe90 fs/attr.c:552 + do_truncate+0x222/0x310 fs/open.c:65 + handle_truncate fs/namei.c:3466 [inline] + do_open fs/namei.c:3849 [inline] + path_openat+0x2e4f/0x35d0 fs/namei.c:4004 + do_filp_open+0x284/0x4e0 fs/namei.c:4031 + do_sys_openat2+0x12b/0x1d0 fs/open.c:1429 + do_sys_open fs/open.c:1444 [inline] + __do_sys_creat fs/open.c:1522 [inline] + __se_sys_creat fs/open.c:1516 [inline] + __x64_sys_creat+0x124/0x170 fs/open.c:1516 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 + +The reason is: in fuzzed image, sbi->total_valid_block_count is +inconsistent w/ mapped blocks indexed by inode, so, we should +not trigger panic for such case, instead, let's print log and +set fsck flag. + +Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure") +Reported-by: syzbot+8b376a77b2f364097fbe@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 1c783c2e4902a..1219e37fa7ad3 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -2508,8 +2508,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi, + blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK; + + spin_lock(&sbi->stat_lock); +- f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count); +- sbi->total_valid_block_count -= (block_t)count; ++ if (unlikely(sbi->total_valid_block_count < count)) { ++ f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u", ++ sbi->total_valid_block_count, inode->i_ino, count); ++ sbi->total_valid_block_count = 0; ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ } else { ++ sbi->total_valid_block_count -= count; ++ } + if (sbi->reserved_blocks && + sbi->current_reserved_blocks < sbi->reserved_blocks) + sbi->current_reserved_blocks = min(sbi->reserved_blocks, +-- +2.39.5 + diff --git a/queue-6.12/f2fs-prevent-the-current-section-from-being-selected.patch b/queue-6.12/f2fs-prevent-the-current-section-from-being-selected.patch new file mode 100644 index 0000000000..cc1c1b58ea --- /dev/null +++ b/queue-6.12/f2fs-prevent-the-current-section-from-being-selected.patch @@ -0,0 +1,67 @@ +From fc36098df8b503d1a083b8d218ff8f25edadb12a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 08:21:06 +0900 +Subject: f2fs: prevent the current section from being selected as a victim + during GC + +From: yohan.joung + +[ Upstream commit d26fecb03e1f1069480d41fa2a6cea87ebbb89b8 ] + +When selecting a victim using next_victim_seg in a large section, the +selected section might already have been cleared and designated as the +new current section, making it actively in use. +This behavior causes inconsistency between the SIT and SSA. + +F2FS-fs (dm-54): Inconsistent segment (70961) type [0, 1] in SSA and SIT +Call trace: +dump_backtrace+0xe8/0x10c +show_stack+0x18/0x28 +dump_stack_lvl+0x50/0x6c +dump_stack+0x18/0x28 +f2fs_stop_checkpoint+0x1c/0x3c +do_garbage_collect+0x41c/0x271c +f2fs_gc+0x27c/0x828 +gc_thread_func+0x290/0x88c +kthread+0x11c/0x164 +ret_from_fork+0x10/0x20 + +issue scenario +segs_per_sec=2 +- seg#0 and seg#1 are all dirty +- all valid blocks are removed in seg#1 +- gc select this sec and next_victim_seg=seg#0 +- migrate seg#0, next_victim_seg=seg#1 +- checkpoint -> sec(seg#0, seg#1) becomes free +- allocator assigns sec(seg#0, seg#1) to curseg +- gc tries to migrate seg#1 + +Fixes: e3080b0120a1 ("f2fs: support subsectional garbage collection") +Signed-off-by: yohan.joung +Signed-off-by: Chao Yu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h +index 25d3cda9bd5a3..05a342933f98f 100644 +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -488,6 +488,11 @@ static inline void __set_test_and_free(struct f2fs_sb_info *sbi, + + free_i->free_sections++; + ++ if (GET_SEC_FROM_SEG(sbi, sbi->next_victim_seg[BG_GC]) == secno) ++ sbi->next_victim_seg[BG_GC] = NULL_SEGNO; ++ if (GET_SEC_FROM_SEG(sbi, sbi->next_victim_seg[FG_GC]) == secno) ++ sbi->next_victim_seg[FG_GC] = NULL_SEGNO; ++ + unlock_out: + spin_unlock(&free_i->segmap_lock); + } +-- +2.39.5 + diff --git a/queue-6.12/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch b/queue-6.12/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch new file mode 100644 index 0000000000..b682afbf95 --- /dev/null +++ b/queue-6.12/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch @@ -0,0 +1,74 @@ +From 52b38a745c0ae1d18523c62934eabd4bf5f9c44d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 16:45:48 +0800 +Subject: f2fs: use d_inode(dentry) cleanup dentry->d_inode + +From: Zhiguo Niu + +[ Upstream commit a6c397a31f58a1d577c2c8d04b624e9baa31951c ] + +no logic changes. + +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 8 ++++---- + fs/f2fs/super.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 57d46e1439ded..f8407a645303b 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -413,7 +413,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir, + + if (is_inode_flag_set(dir, FI_PROJ_INHERIT) && + (!projid_eq(F2FS_I(dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid))) ++ F2FS_I(inode)->i_projid))) + return -EXDEV; + + err = f2fs_dquot_initialize(dir); +@@ -905,7 +905,7 @@ static int f2fs_rename(struct mnt_idmap *idmap, struct inode *old_dir, + + if (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + (!projid_eq(F2FS_I(new_dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid))) ++ F2FS_I(old_inode)->i_projid))) + return -EXDEV; + + /* +@@ -1098,10 +1098,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + + if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(new_dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid)) || ++ F2FS_I(old_inode)->i_projid)) || + (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(old_dir)->i_projid, +- F2FS_I(new_dentry->d_inode)->i_projid))) ++ F2FS_I(new_inode)->i_projid))) + return -EXDEV; + + err = f2fs_dquot_initialize(old_dir); +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 573cc4725e2e8..faa76531246eb 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1862,9 +1862,9 @@ static int f2fs_statfs(struct dentry *dentry, struct kstatfs *buf) + buf->f_fsid = u64_to_fsid(id); + + #ifdef CONFIG_QUOTA +- if (is_inode_flag_set(dentry->d_inode, FI_PROJ_INHERIT) && ++ if (is_inode_flag_set(d_inode(dentry), FI_PROJ_INHERIT) && + sb_has_quota_limits_enabled(sb, PRJQUOTA)) { +- f2fs_statfs_project(sb, F2FS_I(dentry->d_inode)->i_projid, buf); ++ f2fs_statfs_project(sb, F2FS_I(d_inode(dentry))->i_projid, buf); + } + #endif + return 0; +-- +2.39.5 + diff --git a/queue-6.12/f2fs-zone-fix-to-avoid-inconsistence-in-between-sit-.patch b/queue-6.12/f2fs-zone-fix-to-avoid-inconsistence-in-between-sit-.patch new file mode 100644 index 0000000000..bf735e71d7 --- /dev/null +++ b/queue-6.12/f2fs-zone-fix-to-avoid-inconsistence-in-between-sit-.patch @@ -0,0 +1,75 @@ +From 88e579c426d64c7c1448c982314b92ae7f566f53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 16:06:46 +0800 +Subject: f2fs: zone: fix to avoid inconsistence in between SIT and SSA + +From: Chao Yu + +[ Upstream commit 773704c1ef96a8b70d0d186ab725f50548de82c4 ] + +w/ below testcase, it will cause inconsistence in between SIT and SSA. + +create_null_blk 512 2 1024 1024 +mkfs.f2fs -m /dev/nullb0 +mount /dev/nullb0 /mnt/f2fs/ +touch /mnt/f2fs/file +f2fs_io pinfile set /mnt/f2fs/file +fallocate -l 4GiB /mnt/f2fs/file + +F2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT +CPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G O 6.13.0-rc1 #84 +Tainted: [O]=OOT_MODULE +Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +Call Trace: + + dump_stack_lvl+0xb3/0xd0 + dump_stack+0x14/0x20 + f2fs_handle_critical_error+0x18c/0x220 [f2fs] + f2fs_stop_checkpoint+0x38/0x50 [f2fs] + do_garbage_collect+0x674/0x6e0 [f2fs] + f2fs_gc_range+0x12b/0x230 [f2fs] + f2fs_allocate_pinning_section+0x5c/0x150 [f2fs] + f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs] + f2fs_fallocate+0x3c3/0x410 [f2fs] + vfs_fallocate+0x15f/0x4b0 + __x64_sys_fallocate+0x4a/0x80 + x64_sys_call+0x15e8/0x1b80 + do_syscall_64+0x68/0x130 + entry_SYSCALL_64_after_hwframe+0x67/0x6f +RIP: 0033:0x7f9dba5197ca +F2FS-fs (nullb0): Stopped filesystem due to reason: 4 + +The reason is f2fs_gc_range() may try to migrate block in curseg, however, +its SSA block is not uptodate due to the last summary block data is still +in cache of curseg. + +In this patch, we add a condition in f2fs_gc_range() to check whether +section is opened or not, and skip block migration for opened section. + +Fixes: 9703d69d9d15 ("f2fs: support file pinning for zoned devices") +Reviewed-by: Daeho Jeong +Cc: Daeho Jeong +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/gc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index e0469316c7cd4..cd56c0e66657b 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -2072,6 +2072,9 @@ int f2fs_gc_range(struct f2fs_sb_info *sbi, + .iroot = RADIX_TREE_INIT(gc_list.iroot, GFP_NOFS), + }; + ++ if (IS_CURSEC(sbi, GET_SEC_FROM_SEG(sbi, segno))) ++ continue; ++ + do_garbage_collect(sbi, segno, &gc_list, FG_GC, true, false); + put_gc_inode(&gc_list); + +-- +2.39.5 + diff --git a/queue-6.12/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch b/queue-6.12/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch new file mode 100644 index 0000000000..2cc1338b67 --- /dev/null +++ b/queue-6.12/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch @@ -0,0 +1,42 @@ +From a997b2050cdba4d4256a664e2425e2f3d5fbcb6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 23:35:58 +0300 +Subject: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() + +From: Sergey Shtylyov + +[ Upstream commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a ] + +In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, +cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's +then passed to fb_cvt_hperiod(), where it's used as a divider -- division +by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to +avoid such overflow... + +Found by Linux Verification Center (linuxtesting.org) with the Svace static +analysis tool. + +Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbcvt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c +index 64843464c6613..cd3821bd82e56 100644 +--- a/drivers/video/fbdev/core/fbcvt.c ++++ b/drivers/video/fbdev/core/fbcvt.c +@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb) + cvt.f_refresh = cvt.refresh; + cvt.interlace = 1; + +- if (!cvt.xres || !cvt.yres || !cvt.refresh) { ++ if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) { + printk(KERN_INFO "fbcvt: Invalid input parameters\n"); + return 1; + } +-- +2.39.5 + diff --git a/queue-6.12/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch b/queue-6.12/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch new file mode 100644 index 0000000000..ea0866eacc --- /dev/null +++ b/queue-6.12/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch @@ -0,0 +1,42 @@ +From b481e575d0e07d685b354765b6965811515b69b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 23:17:12 +0800 +Subject: firmware: psci: Fix refcount leak in psci_dt_init + +From: Miaoqian Lin + +[ Upstream commit 7ff37d29fd5c27617b9767e1b8946d115cf93a1e ] + +Fix a reference counter leak in psci_dt_init() where of_node_put(np) was +missing after of_find_matching_node_and_match() when np is unavailable. + +Fixes: d09a0011ec0d ("drivers: psci: Allow PSCI node to be disabled") +Signed-off-by: Miaoqian Lin +Reviewed-by: Gavin Shan +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20250318151712.28763-1-linmq006@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/firmware/psci/psci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c +index 2328ca58bba61..d6701d81cf680 100644 +--- a/drivers/firmware/psci/psci.c ++++ b/drivers/firmware/psci/psci.c +@@ -759,8 +759,10 @@ int __init psci_dt_init(void) + + np = of_find_matching_node_and_match(NULL, psci_of_match, &matched_np); + +- if (!np || !of_device_is_available(np)) ++ if (!np || !of_device_is_available(np)) { ++ of_node_put(np); + return -ENODEV; ++ } + + init_fn = (psci_initcall_t)matched_np->data; + ret = init_fn(np); +-- +2.39.5 + diff --git a/queue-6.12/firmware-sdei-allow-sdei-initialization-without-acpi.patch b/queue-6.12/firmware-sdei-allow-sdei-initialization-without-acpi.patch new file mode 100644 index 0000000000..44a751e442 --- /dev/null +++ b/queue-6.12/firmware-sdei-allow-sdei-initialization-without-acpi.patch @@ -0,0 +1,136 @@ +From 0e8caef035a8ad3aeb5e97dbc56d18ed15a6b578 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 12:57:57 +0800 +Subject: firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES + +From: Huang Yiwei + +[ Upstream commit 59529bbe642de4eb2191a541d9b4bae7eb73862e ] + +SDEI usually initialize with the ACPI table, but on platforms where +ACPI is not used, the SDEI feature can still be used to handle +specific firmware calls or other customized purposes. Therefore, it +is not necessary for ARM_SDE_INTERFACE to depend on ACPI_APEI_GHES. + +In commit dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES +in acpi_init()"), to make APEI ready earlier, sdei_init was moved +into acpi_ghes_init instead of being a standalone initcall, adding +ACPI_APEI_GHES dependency to ARM_SDE_INTERFACE. This restricts the +flexibility and usability of SDEI. + +This patch corrects the dependency in Kconfig and splits sdei_init() +into two separate functions: sdei_init() and acpi_sdei_init(). +sdei_init() will be called by arch_initcall and will only initialize +the platform driver, while acpi_sdei_init() will initialize the +device from acpi_ghes_init() when ACPI is ready. This allows the +initialization of SDEI without ACPI_APEI_GHES enabled. + +Fixes: dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES in apci_init()") +Cc: Shuai Xue +Signed-off-by: Huang Yiwei +Reviewed-by: Shuai Xue +Reviewed-by: Gavin Shan +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20250507045757.2658795-1-quic_hyiwei@quicinc.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/Kconfig | 1 + + drivers/acpi/apei/ghes.c | 2 +- + drivers/firmware/Kconfig | 1 - + drivers/firmware/arm_sdei.c | 11 ++++++++--- + include/linux/arm_sdei.h | 4 ++-- + 5 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/apei/Kconfig b/drivers/acpi/apei/Kconfig +index 3cfe7e7475f2f..070c07d68dfb2 100644 +--- a/drivers/acpi/apei/Kconfig ++++ b/drivers/acpi/apei/Kconfig +@@ -23,6 +23,7 @@ config ACPI_APEI_GHES + select ACPI_HED + select IRQ_WORK + select GENERIC_ALLOCATOR ++ select ARM_SDE_INTERFACE if ARM64 + help + Generic Hardware Error Source provides a way to report + platform hardware errors (such as that from chipset). It +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index cff6685fa6cc6..6cf40e8ac321e 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -1612,7 +1612,7 @@ void __init acpi_ghes_init(void) + { + int rc; + +- sdei_init(); ++ acpi_sdei_init(); + + if (acpi_disabled) + return; +diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig +index 9f35f69e0f9e2..f7044bf53d1fc 100644 +--- a/drivers/firmware/Kconfig ++++ b/drivers/firmware/Kconfig +@@ -31,7 +31,6 @@ config ARM_SCPI_PROTOCOL + config ARM_SDE_INTERFACE + bool "ARM Software Delegated Exception Interface (SDEI)" + depends on ARM64 +- depends on ACPI_APEI_GHES + help + The Software Delegated Exception Interface (SDEI) is an ARM + standard for registering callbacks from the platform firmware +diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c +index 3e8051fe82965..71e2a9a89f6ad 100644 +--- a/drivers/firmware/arm_sdei.c ++++ b/drivers/firmware/arm_sdei.c +@@ -1062,13 +1062,12 @@ static bool __init sdei_present_acpi(void) + return true; + } + +-void __init sdei_init(void) ++void __init acpi_sdei_init(void) + { + struct platform_device *pdev; + int ret; + +- ret = platform_driver_register(&sdei_driver); +- if (ret || !sdei_present_acpi()) ++ if (!sdei_present_acpi()) + return; + + pdev = platform_device_register_simple(sdei_driver.driver.name, +@@ -1081,6 +1080,12 @@ void __init sdei_init(void) + } + } + ++static int __init sdei_init(void) ++{ ++ return platform_driver_register(&sdei_driver); ++} ++arch_initcall(sdei_init); ++ + int sdei_event_handler(struct pt_regs *regs, + struct sdei_registered_event *arg) + { +diff --git a/include/linux/arm_sdei.h b/include/linux/arm_sdei.h +index 255701e1251b4..f652a5028b590 100644 +--- a/include/linux/arm_sdei.h ++++ b/include/linux/arm_sdei.h +@@ -46,12 +46,12 @@ int sdei_unregister_ghes(struct ghes *ghes); + /* For use by arch code when CPU hotplug notifiers are not appropriate. */ + int sdei_mask_local_cpu(void); + int sdei_unmask_local_cpu(void); +-void __init sdei_init(void); ++void __init acpi_sdei_init(void); + void sdei_handler_abort(void); + #else + static inline int sdei_mask_local_cpu(void) { return 0; } + static inline int sdei_unmask_local_cpu(void) { return 0; } +-static inline void sdei_init(void) { } ++static inline void acpi_sdei_init(void) { } + static inline void sdei_handler_abort(void) { } + #endif /* CONFIG_ARM_SDE_INTERFACE */ + +-- +2.39.5 + diff --git a/queue-6.12/fix-propagation-graph-breakage-by-move_mount_set_gro.patch b/queue-6.12/fix-propagation-graph-breakage-by-move_mount_set_gro.patch new file mode 100644 index 0000000000..162b382697 --- /dev/null +++ b/queue-6.12/fix-propagation-graph-breakage-by-move_mount_set_gro.patch @@ -0,0 +1,60 @@ +From ae156113a395ee611081cd6f79f797f2fe596d54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 17:57:27 -0400 +Subject: fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) + +From: Al Viro + +[ Upstream commit d8cc0362f918d020ca1340d7694f07062dc30f36 ] + +9ffb14ef61ba "move_mount: allow to add a mount into an existing group" +breaks assertions on ->mnt_share/->mnt_slave. For once, the data structures +in question are actually documented. + +Documentation/filesystem/sharedsubtree.rst: + All vfsmounts in a peer group have the same ->mnt_master. If it is + non-NULL, they form a contiguous (ordered) segment of slave list. + +do_set_group() puts a mount into the same place in propagation graph +as the old one. As the result, if old mount gets events from somewhere +and is not a pure event sink, new one needs to be placed next to the +old one in the slave list the old one's on. If it is a pure event +sink, we only need to make sure the new one doesn't end up in the +middle of some peer group. + +"move_mount: allow to add a mount into an existing group" ends up putting +the new one in the beginning of list; that's definitely not going to be +in the middle of anything, so that's fine for case when old is not marked +shared. In case when old one _is_ marked shared (i.e. is not a pure event +sink), that breaks the assumptions of propagation graph iterators. + +Put the new mount next to the old one on the list - that does the right thing +in "old is marked shared" case and is just as correct as the current behaviour +if old is not marked shared (kudos to Pavel for pointing that out - my original +suggested fix changed behaviour in the "nor marked" case, which complicated +things for no good reason). + +Reviewed-by: Christian Brauner +Fixes: 9ffb14ef61ba ("move_mount: allow to add a mount into an existing group") +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 1cb236af29bec..1022a5af691d6 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -3151,7 +3151,7 @@ static int do_set_group(struct path *from_path, struct path *to_path) + if (IS_MNT_SLAVE(from)) { + struct mount *m = from->mnt_master; + +- list_add(&to->mnt_slave, &m->mnt_slave_list); ++ list_add(&to->mnt_slave, &from->mnt_slave); + to->mnt_master = m; + } + +-- +2.39.5 + diff --git a/queue-6.12/fix-sock_exceed_buf_limit-not-being-triggered-in-__s.patch b/queue-6.12/fix-sock_exceed_buf_limit-not-being-triggered-in-__s.patch new file mode 100644 index 0000000000..b308b07eed --- /dev/null +++ b/queue-6.12/fix-sock_exceed_buf_limit-not-being-triggered-in-__s.patch @@ -0,0 +1,64 @@ +From 0fefcbf0a4a4341bd4650cdc3997b4337237e601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 11:04:19 +0800 +Subject: Fix sock_exceed_buf_limit not being triggered in + __sk_mem_raise_allocated + +From: Tengteng Yang + +[ Upstream commit 8542d6fac25c03b4bf36b2d762cfe60fda8491bb ] + +When a process under memory pressure is not part of any cgroup and +the charged flag is false, trace_sock_exceed_buf_limit was not called +as expected. + +This regression was introduced by commit 2def8ff3fdb6 ("sock: +Code cleanup on __sk_mem_raise_allocated()"). The fix changes the +default value of charged to true while preserving existing logic. + +Fixes: 2def8ff3fdb6 ("sock: Code cleanup on __sk_mem_raise_allocated()") +Signed-off-by: Abel Wu +Signed-off-by: Tengteng Yang +Link: https://patch.msgid.link/20250527030419.67693-1-yangtengteng@bytedance.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 0842dc9189bf8..3c5386c76d6fe 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3157,16 +3157,16 @@ int __sk_mem_raise_allocated(struct sock *sk, int size, int amt, int kind) + { + struct mem_cgroup *memcg = mem_cgroup_sockets_enabled ? sk->sk_memcg : NULL; + struct proto *prot = sk->sk_prot; +- bool charged = false; ++ bool charged = true; + long allocated; + + sk_memory_allocated_add(sk, amt); + allocated = sk_memory_allocated(sk); + + if (memcg) { +- if (!mem_cgroup_charge_skmem(memcg, amt, gfp_memcg_charge())) ++ charged = mem_cgroup_charge_skmem(memcg, amt, gfp_memcg_charge()); ++ if (!charged) + goto suppress_allocation; +- charged = true; + } + + /* Under limit. */ +@@ -3251,7 +3251,7 @@ int __sk_mem_raise_allocated(struct sock *sk, int size, int amt, int kind) + + sk_memory_allocated_sub(sk, amt); + +- if (charged) ++ if (memcg && charged) + mem_cgroup_uncharge_skmem(memcg, amt); + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/fpga-fix-potential-null-pointer-deref-in-fpga_mgr_te.patch b/queue-6.12/fpga-fix-potential-null-pointer-deref-in-fpga_mgr_te.patch new file mode 100644 index 0000000000..5d53f40745 --- /dev/null +++ b/queue-6.12/fpga-fix-potential-null-pointer-deref-in-fpga_mgr_te.patch @@ -0,0 +1,45 @@ +From 1a29fb6e7cf8b18e2aee5131ce2b1fa740a94074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Apr 2025 16:37:37 +0100 +Subject: fpga: fix potential null pointer deref in + fpga_mgr_test_img_load_sgt() + +From: Qasim Ijaz + +[ Upstream commit 6ebf1982038af12f3588417e4fd0417d2551da28 ] + +fpga_mgr_test_img_load_sgt() allocates memory for sgt using +kunit_kzalloc() however it does not check if the allocation failed. +It then passes sgt to sg_alloc_table(), which passes it to +__sg_alloc_table(). This function calls memset() on sgt in an attempt to +zero it out. If the allocation fails then sgt will be NULL and the +memset will trigger a NULL pointer dereference. + +Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL(). + +Reviewed-by: Marco Pagani +Fixes: ccbc1c302115 ("fpga: add an initial KUnit suite for the FPGA Manager") +Signed-off-by: Qasim Ijaz +Acked-by: Xu Yilun +Link: https://lore.kernel.org/r/20250422153737.5264-1-qasdev00@gmail.com +Signed-off-by: Xu Yilun +Signed-off-by: Sasha Levin +--- + drivers/fpga/tests/fpga-mgr-test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/fpga/tests/fpga-mgr-test.c b/drivers/fpga/tests/fpga-mgr-test.c +index 9cb37aefbac4b..1902ebf5a298f 100644 +--- a/drivers/fpga/tests/fpga-mgr-test.c ++++ b/drivers/fpga/tests/fpga-mgr-test.c +@@ -263,6 +263,7 @@ static void fpga_mgr_test_img_load_sgt(struct kunit *test) + img_buf = init_test_buffer(test, IMAGE_SIZE); + + sgt = kunit_kzalloc(test, sizeof(*sgt), GFP_KERNEL); ++ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sgt); + ret = sg_alloc_table(sgt, 1, GFP_KERNEL); + KUNIT_ASSERT_EQ(test, ret, 0); + sg_init_one(sgt->sgl, img_buf, IMAGE_SIZE); +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-add-missing-direct_io-in-ntfs_aops_cmpr.patch b/queue-6.12/fs-ntfs3-add-missing-direct_io-in-ntfs_aops_cmpr.patch new file mode 100644 index 0000000000..aaa70287c1 --- /dev/null +++ b/queue-6.12/fs-ntfs3-add-missing-direct_io-in-ntfs_aops_cmpr.patch @@ -0,0 +1,47 @@ +From 8d6309a912df8f52e368d0bea00c100b8278b001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 17:26:37 +0800 +Subject: fs/ntfs3: Add missing direct_IO in ntfs_aops_cmpr + +From: Lizhi Xu + +[ Upstream commit 8b26c8c376b29cf29710fbfd093df194cefe26ad ] + +The ntfs3 can use the page cache directly, so its address_space_operations +need direct_IO. Exit ntfs_direct_IO() if it is a compressed file. + +Fixes: b432163ebd15 ("fs/ntfs3: Update inode->i_mapping->a_ops on compression state") +Reported-by: syzbot+e36cc3297bd3afd25e19@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e36cc3297bd3afd25e19 +Signed-off-by: Lizhi Xu +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index a1e11228dafd0..5c05cccd2d40b 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -805,6 +805,10 @@ static ssize_t ntfs_direct_IO(struct kiocb *iocb, struct iov_iter *iter) + ret = 0; + goto out; + } ++ if (is_compressed(ni)) { ++ ret = 0; ++ goto out; ++ } + + ret = blockdev_direct_IO(iocb, inode, iter, + wr ? ntfs_get_block_direct_IO_W : +@@ -2108,5 +2112,6 @@ const struct address_space_operations ntfs_aops_cmpr = { + .read_folio = ntfs_read_folio, + .readahead = ntfs_readahead, + .dirty_folio = block_dirty_folio, ++ .direct_IO = ntfs_direct_IO, + }; + // clang-format on +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-handle-hdr_first_de-return-value.patch b/queue-6.12/fs-ntfs3-handle-hdr_first_de-return-value.patch new file mode 100644 index 0000000000..4bf4450fb6 --- /dev/null +++ b/queue-6.12/fs-ntfs3-handle-hdr_first_de-return-value.patch @@ -0,0 +1,56 @@ +From 95962a5d7555c0a3c43d94ac50da2fc4eb98d867 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 13:42:18 +0000 +Subject: fs/ntfs3: handle hdr_first_de() return value + +From: Andrey Vatoropin + +[ Upstream commit af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70 ] + +The hdr_first_de() function returns a pointer to a struct NTFS_DE. This +pointer may be NULL. To handle the NULL error effectively, it is important +to implement an error handler. This will help manage potential errors +consistently. + +Additionally, error handling for the return value already exists at other +points where this function is called. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") +Signed-off-by: Andrey Vatoropin +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/index.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index 78d20e4baa2c9..1bf2a6593dec6 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -2182,6 +2182,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx, + + e = hdr_first_de(&n->index->ihdr); + fnd_push(fnd, n, e); ++ if (!e) { ++ err = -EINVAL; ++ goto out; ++ } + + if (!de_is_last(e)) { + /* +@@ -2203,6 +2207,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx, + + n = fnd->nodes[level]; + te = hdr_first_de(&n->index->ihdr); ++ if (!te) { ++ err = -EINVAL; ++ goto out; ++ } + /* Copy the candidate entry into the replacement entry buffer. */ + re = kmalloc(le16_to_cpu(te->size) + sizeof(u64), GFP_NOFS); + if (!re) { +-- +2.39.5 + diff --git a/queue-6.12/gfs2-gfs2_create_inode-error-handling-fix.patch b/queue-6.12/gfs2-gfs2_create_inode-error-handling-fix.patch new file mode 100644 index 0000000000..f480d24f8a --- /dev/null +++ b/queue-6.12/gfs2-gfs2_create_inode-error-handling-fix.patch @@ -0,0 +1,35 @@ +From ad72569542ae166a5117364ba89b6867aaa30be3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 16:40:58 +0200 +Subject: gfs2: gfs2_create_inode error handling fix + +From: Andreas Gruenbacher + +[ Upstream commit af4044fd0b77e915736527dd83011e46e6415f01 ] + +When gfs2_create_inode() finds a directory, make sure to return -EISDIR. + +Fixes: 571a4b57975a ("GFS2: bugger off early if O_CREAT open finds a directory") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c +index 1b95db2c3aac3..3be24285ab01d 100644 +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -659,7 +659,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, + if (!IS_ERR(inode)) { + if (S_ISDIR(inode->i_mode)) { + iput(inode); +- inode = ERR_PTR(-EISDIR); ++ inode = NULL; ++ error = -EISDIR; + goto fail_gunlock; + } + d_instantiate(dentry, inode); +-- +2.39.5 + diff --git a/queue-6.12/gfs2-replace-sd_aspace-with-sd_inode.patch b/queue-6.12/gfs2-replace-sd_aspace-with-sd_inode.patch new file mode 100644 index 0000000000..3fca58c04f --- /dev/null +++ b/queue-6.12/gfs2-replace-sd_aspace-with-sd_inode.patch @@ -0,0 +1,237 @@ +From 2f64b0a998abdf23b8535592cd1feaa132138c2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Apr 2025 00:31:37 +0200 +Subject: gfs2: replace sd_aspace with sd_inode + +From: Andreas Gruenbacher + +[ Upstream commit ae9f3bd8259a0a8f67be2420e66bb05fbb95af48 ] + +Currently, sdp->sd_aspace and the per-inode metadata address spaces use +sb->s_bdev->bd_mapping->host as their ->host; folios in those address +spaces will thus appear to be on bdev rather than on gfs2 filesystems. +This is a problem because gfs2 doesn't support cgroup writeback +(SB_I_CGROUPWB), but bdev does. + +Fix that by using a "dummy" gfs2 inode as ->host in those address +spaces. When coming from a folio, folio->mapping->host->i_sb will then +be a gfs2 super block and the SB_I_CGROUPWB flag will not be set in +sb->s_iflags. + +Based on a previous version from Bob Peterson from several years ago. +Thanks to Tetsuo Handa, Jan Kara, and Rafael Aquini for helping figure +this out. + +Fixes: aaa2cacf8184 ("writeback: add lockdep annotation to inode_to_wb()") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 3 +-- + fs/gfs2/glops.c | 4 ++-- + fs/gfs2/incore.h | 9 ++++++++- + fs/gfs2/meta_io.c | 2 +- + fs/gfs2/meta_io.h | 4 +--- + fs/gfs2/ops_fstype.c | 31 ++++++++++++++++++------------- + fs/gfs2/super.c | 2 +- + 7 files changed, 32 insertions(+), 23 deletions(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 4f1eca99786b6..aecce4bb5e1a9 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -1183,7 +1183,6 @@ int gfs2_glock_get(struct gfs2_sbd *sdp, u64 number, + const struct gfs2_glock_operations *glops, int create, + struct gfs2_glock **glp) + { +- struct super_block *s = sdp->sd_vfs; + struct lm_lockname name = { .ln_number = number, + .ln_type = glops->go_type, + .ln_sbd = sdp }; +@@ -1246,7 +1245,7 @@ int gfs2_glock_get(struct gfs2_sbd *sdp, u64 number, + mapping = gfs2_glock2aspace(gl); + if (mapping) { + mapping->a_ops = &gfs2_meta_aops; +- mapping->host = s->s_bdev->bd_mapping->host; ++ mapping->host = sdp->sd_inode; + mapping->flags = 0; + mapping_set_gfp_mask(mapping, GFP_NOFS); + mapping->i_private_data = NULL; +diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c +index 95d8081681dcc..72a0601ce65e2 100644 +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -168,7 +168,7 @@ void gfs2_ail_flush(struct gfs2_glock *gl, bool fsync) + static int gfs2_rgrp_metasync(struct gfs2_glock *gl) + { + struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; +- struct address_space *metamapping = &sdp->sd_aspace; ++ struct address_space *metamapping = gfs2_aspace(sdp); + struct gfs2_rgrpd *rgd = gfs2_glock2rgrp(gl); + const unsigned bsize = sdp->sd_sb.sb_bsize; + loff_t start = (rgd->rd_addr * bsize) & PAGE_MASK; +@@ -225,7 +225,7 @@ static int rgrp_go_sync(struct gfs2_glock *gl) + static void rgrp_go_inval(struct gfs2_glock *gl, int flags) + { + struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; +- struct address_space *mapping = &sdp->sd_aspace; ++ struct address_space *mapping = gfs2_aspace(sdp); + struct gfs2_rgrpd *rgd = gfs2_glock2rgrp(gl); + const unsigned bsize = sdp->sd_sb.sb_bsize; + loff_t start, end; +diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h +index bd1348bff90eb..e5535d7b46592 100644 +--- a/fs/gfs2/incore.h ++++ b/fs/gfs2/incore.h +@@ -793,7 +793,7 @@ struct gfs2_sbd { + + /* Log stuff */ + +- struct address_space sd_aspace; ++ struct inode *sd_inode; + + spinlock_t sd_log_lock; + +@@ -849,6 +849,13 @@ struct gfs2_sbd { + unsigned long sd_glock_dqs_held; + }; + ++#define GFS2_BAD_INO 1 ++ ++static inline struct address_space *gfs2_aspace(struct gfs2_sbd *sdp) ++{ ++ return sdp->sd_inode->i_mapping; ++} ++ + static inline void gfs2_glstats_inc(struct gfs2_glock *gl, int which) + { + gl->gl_stats.stats[which]++; +diff --git a/fs/gfs2/meta_io.c b/fs/gfs2/meta_io.c +index fea3efcc2f930..960d6afcdfad8 100644 +--- a/fs/gfs2/meta_io.c ++++ b/fs/gfs2/meta_io.c +@@ -132,7 +132,7 @@ struct buffer_head *gfs2_getbuf(struct gfs2_glock *gl, u64 blkno, int create) + unsigned int bufnum; + + if (mapping == NULL) +- mapping = &sdp->sd_aspace; ++ mapping = gfs2_aspace(sdp); + + shift = PAGE_SHIFT - sdp->sd_sb.sb_bsize_shift; + index = blkno >> shift; /* convert block to page */ +diff --git a/fs/gfs2/meta_io.h b/fs/gfs2/meta_io.h +index 831d988c2ceb7..b7c8a6684d024 100644 +--- a/fs/gfs2/meta_io.h ++++ b/fs/gfs2/meta_io.h +@@ -44,9 +44,7 @@ static inline struct gfs2_sbd *gfs2_mapping2sbd(struct address_space *mapping) + struct gfs2_glock_aspace *gla = + container_of(mapping, struct gfs2_glock_aspace, mapping); + return gla->glock.gl_name.ln_sbd; +- } else if (mapping->a_ops == &gfs2_rgrp_aops) +- return container_of(mapping, struct gfs2_sbd, sd_aspace); +- else ++ } else + return inode->i_sb->s_fs_info; + } + +diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c +index e83d293c36142..6ce475e1c6d64 100644 +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -72,7 +72,6 @@ void free_sbd(struct gfs2_sbd *sdp) + static struct gfs2_sbd *init_sbd(struct super_block *sb) + { + struct gfs2_sbd *sdp; +- struct address_space *mapping; + + sdp = kzalloc(sizeof(struct gfs2_sbd), GFP_KERNEL); + if (!sdp) +@@ -109,16 +108,6 @@ static struct gfs2_sbd *init_sbd(struct super_block *sb) + + INIT_LIST_HEAD(&sdp->sd_sc_inodes_list); + +- mapping = &sdp->sd_aspace; +- +- address_space_init_once(mapping); +- mapping->a_ops = &gfs2_rgrp_aops; +- mapping->host = sb->s_bdev->bd_mapping->host; +- mapping->flags = 0; +- mapping_set_gfp_mask(mapping, GFP_NOFS); +- mapping->i_private_data = NULL; +- mapping->writeback_index = 0; +- + spin_lock_init(&sdp->sd_log_lock); + atomic_set(&sdp->sd_log_pinned, 0); + INIT_LIST_HEAD(&sdp->sd_log_revokes); +@@ -1135,6 +1124,7 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc) + int silent = fc->sb_flags & SB_SILENT; + struct gfs2_sbd *sdp; + struct gfs2_holder mount_gh; ++ struct address_space *mapping; + int error; + + sdp = init_sbd(sb); +@@ -1156,6 +1146,7 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc) + sb->s_flags |= SB_NOSEC; + sb->s_magic = GFS2_MAGIC; + sb->s_op = &gfs2_super_ops; ++ + sb->s_d_op = &gfs2_dops; + sb->s_export_op = &gfs2_export_ops; + sb->s_qcop = &gfs2_quotactl_ops; +@@ -1181,9 +1172,21 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc) + sdp->sd_tune.gt_statfs_quantum = 30; + } + ++ /* Set up an address space for metadata writes */ ++ sdp->sd_inode = new_inode(sb); ++ error = -ENOMEM; ++ if (!sdp->sd_inode) ++ goto fail_free; ++ sdp->sd_inode->i_ino = GFS2_BAD_INO; ++ sdp->sd_inode->i_size = OFFSET_MAX; ++ ++ mapping = gfs2_aspace(sdp); ++ mapping->a_ops = &gfs2_rgrp_aops; ++ mapping_set_gfp_mask(mapping, GFP_NOFS); ++ + error = init_names(sdp, silent); + if (error) +- goto fail_free; ++ goto fail_iput; + + snprintf(sdp->sd_fsname, sizeof(sdp->sd_fsname), "%s", sdp->sd_table_name); + +@@ -1192,7 +1195,7 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc) + WQ_MEM_RECLAIM | WQ_HIGHPRI | WQ_FREEZABLE, 0, + sdp->sd_fsname); + if (!sdp->sd_glock_wq) +- goto fail_free; ++ goto fail_iput; + + sdp->sd_delete_wq = alloc_workqueue("gfs2-delete/%s", + WQ_MEM_RECLAIM | WQ_FREEZABLE, 0, sdp->sd_fsname); +@@ -1309,6 +1312,8 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc) + fail_glock_wq: + if (sdp->sd_glock_wq) + destroy_workqueue(sdp->sd_glock_wq); ++fail_iput: ++ iput(sdp->sd_inode); + fail_free: + free_sbd(sdp); + sb->s_fs_info = NULL; +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c +index b9cef63c78717..6d62ff5cb445a 100644 +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -648,7 +648,7 @@ static void gfs2_put_super(struct super_block *sb) + gfs2_jindex_free(sdp); + /* Take apart glock structures and buffer lists */ + gfs2_gl_hash_clear(sdp); +- truncate_inode_pages_final(&sdp->sd_aspace); ++ iput(sdp->sd_inode); + gfs2_delete_debugfs_file(sdp); + + gfs2_sys_fs_del(sdp); +-- +2.39.5 + diff --git a/queue-6.12/gve-add-missing-null-check-for-gve_alloc_pending_pac.patch b/queue-6.12/gve-add-missing-null-check-for-gve_alloc_pending_pac.patch new file mode 100644 index 0000000000..e3decb7242 --- /dev/null +++ b/queue-6.12/gve-add-missing-null-check-for-gve_alloc_pending_pac.patch @@ -0,0 +1,44 @@ +From 91dc5b7792ad239cdd4d5d4e4939e31870cc5c7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 03:34:29 -0700 +Subject: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO + +From: Alok Tiwari + +[ Upstream commit 12c331b29c7397ac3b03584e12902990693bc248 ] + +gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() +did not check for this case before dereferencing the returned pointer. + +Add a missing NULL check to prevent a potential NULL pointer +dereference when allocation fails. + +This improves robustness in low-memory scenarios. + +Fixes: a57e5de476be ("gve: DQO: Add TX path") +Signed-off-by: Alok Tiwari +Reviewed-by: Mina Almasry +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_tx_dqo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/ethernet/google/gve/gve_tx_dqo.c +index f879426cb5523..26053cc85d1c5 100644 +--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c ++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c +@@ -770,6 +770,9 @@ static int gve_tx_add_skb_dqo(struct gve_tx_ring *tx, + s16 completion_tag; + + pkt = gve_alloc_pending_packet(tx); ++ if (!pkt) ++ return -ENOMEM; ++ + pkt->skb = skb; + completion_tag = pkt - tx->dqo.pending_packets; + +-- +2.39.5 + diff --git a/queue-6.12/gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch b/queue-6.12/gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch new file mode 100644 index 0000000000..4564744a58 --- /dev/null +++ b/queue-6.12/gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch @@ -0,0 +1,39 @@ +From c5b0fe72685064ce8ce9685afa2e66ea9fc24321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 06:08:16 -0700 +Subject: gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt + +From: Alok Tiwari + +[ Upstream commit f41a94aade120dc60322865f363cee7865f2df01 ] + +Previously, the RX_BUFFERS_POSTED stat incorrectly reported the +fill_cnt from RX queue 0 for all queues, resulting in inaccurate +per-queue statistics. +Fix this by correctly indexing priv->rx[idx].fill_cnt for each RX queue. + +Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250527130830.1812903-1-alok.a.tiwari@oracle.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index 862c4575701fe..14f39d1f59d36 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -2207,7 +2207,7 @@ void gve_handle_report_stats(struct gve_priv *priv) + }; + stats[stats_idx++] = (struct stats) { + .stat_name = cpu_to_be32(RX_BUFFERS_POSTED), +- .value = cpu_to_be64(priv->rx[0].fill_cnt), ++ .value = cpu_to_be64(priv->rx[idx].fill_cnt), + .queue_id = cpu_to_be32(idx), + }; + } +-- +2.39.5 + diff --git a/queue-6.12/hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch b/queue-6.12/hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch new file mode 100644 index 0000000000..63ae4d90b8 --- /dev/null +++ b/queue-6.12/hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch @@ -0,0 +1,65 @@ +From bb334ba3b26a3db21a37e9ca1b1851041bb17217 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 16:11:51 +0800 +Subject: hisi_acc_vfio_pci: add eq and aeq interruption restore + +From: Longfang Liu + +[ Upstream commit 3495cec0787721ba7a9d5c19d0bbb66d182de584 ] + +In order to ensure that the task packets of the accelerator +device are not lost during the migration process, it is necessary +to send an EQ and AEQ command to the device after the live migration +is completed and to update the completion position of the task queue. + +Let the device recheck the completed tasks data and if there are +uncollected packets, device resend a task completion interrupt +to the software. + +Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration") +Signed-off-by: Longfang Liu +Reviewed-by: Shameer Kolothum +Link: https://lore.kernel.org/r/20250510081155.55840-3-liulongfang@huawei.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +index ec38977336778..81e9a4d362fbc 100644 +--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c ++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +@@ -470,6 +470,19 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev, + return 0; + } + ++static void vf_qm_xeqc_save(struct hisi_qm *qm, ++ struct hisi_acc_vf_migration_file *migf) ++{ ++ struct acc_vf_data *vf_data = &migf->vf_data; ++ u16 eq_head, aeq_head; ++ ++ eq_head = vf_data->qm_eqc_dw[0] & 0xFFFF; ++ qm_db(qm, 0, QM_DOORBELL_CMD_EQ, eq_head, 0); ++ ++ aeq_head = vf_data->qm_aeqc_dw[0] & 0xFFFF; ++ qm_db(qm, 0, QM_DOORBELL_CMD_AEQ, aeq_head, 0); ++} ++ + static int vf_qm_load_data(struct hisi_acc_vf_core_device *hisi_acc_vdev, + struct hisi_acc_vf_migration_file *migf) + { +@@ -566,6 +579,9 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev, + } + + migf->total_length = sizeof(struct acc_vf_data); ++ /* Save eqc and aeqc interrupt information */ ++ vf_qm_xeqc_save(vf_qm, migf); ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/hisi_acc_vfio_pci-bugfix-live-migration-function-wit.patch b/queue-6.12/hisi_acc_vfio_pci-bugfix-live-migration-function-wit.patch new file mode 100644 index 0000000000..87e80c54d3 --- /dev/null +++ b/queue-6.12/hisi_acc_vfio_pci-bugfix-live-migration-function-wit.patch @@ -0,0 +1,81 @@ +From 0e0c3f5832f1b15946ecf264ce739b4c6b050f74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 16:11:54 +0800 +Subject: hisi_acc_vfio_pci: bugfix live migration function without VF device + driver + +From: Longfang Liu + +[ Upstream commit 2777a40998deb36f96b6afc48bd397cf58a4edf0 ] + +If the VF device driver is not loaded in the Guest OS and we attempt to +perform device data migration, the address of the migrated data will +be NULL. +The live migration recovery operation on the destination side will +access a null address value, which will cause access errors. + +Therefore, live migration of VMs without added VF device drivers +does not require device data migration. +In addition, when the queue address data obtained by the destination +is empty, device queue recovery processing will not be performed. + +Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration") +Signed-off-by: Longfang Liu +Reviewed-by: Shameer Kolothum +Link: https://lore.kernel.org/r/20250510081155.55840-6-liulongfang@huawei.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + .../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 22 +++++++++++++------ + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +index 81e9a4d362fbc..68300fcd3c41b 100644 +--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c ++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +@@ -426,13 +426,6 @@ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev, + return -EINVAL; + } + +- ret = qm_write_regs(vf_qm, QM_VF_STATE, &vf_data->vf_qm_state, 1); +- if (ret) { +- dev_err(dev, "failed to write QM_VF_STATE\n"); +- return ret; +- } +- +- hisi_acc_vdev->vf_qm_state = vf_data->vf_qm_state; + hisi_acc_vdev->match_done = true; + return 0; + } +@@ -498,6 +491,20 @@ static int vf_qm_load_data(struct hisi_acc_vf_core_device *hisi_acc_vdev, + if (migf->total_length < sizeof(struct acc_vf_data)) + return -EINVAL; + ++ if (!vf_data->eqe_dma || !vf_data->aeqe_dma || ++ !vf_data->sqc_dma || !vf_data->cqc_dma) { ++ dev_info(dev, "resume dma addr is NULL!\n"); ++ hisi_acc_vdev->vf_qm_state = QM_NOT_READY; ++ return 0; ++ } ++ ++ ret = qm_write_regs(qm, QM_VF_STATE, &vf_data->vf_qm_state, 1); ++ if (ret) { ++ dev_err(dev, "failed to write QM_VF_STATE\n"); ++ return -EINVAL; ++ } ++ hisi_acc_vdev->vf_qm_state = vf_data->vf_qm_state; ++ + qm->eqe_dma = vf_data->eqe_dma; + qm->aeqe_dma = vf_data->aeqe_dma; + qm->sqc_dma = vf_data->sqc_dma; +@@ -1371,6 +1378,7 @@ static int hisi_acc_vfio_pci_migrn_init_dev(struct vfio_device *core_vdev) + hisi_acc_vdev->vf_id = pci_iov_vf_id(pdev) + 1; + hisi_acc_vdev->pf_qm = pf_qm; + hisi_acc_vdev->vf_dev = pdev; ++ hisi_acc_vdev->vf_qm_state = QM_NOT_READY; + mutex_init(&hisi_acc_vdev->state_mutex); + + core_vdev->migration_flags = VFIO_MIGRATION_STOP_COPY | VFIO_MIGRATION_PRE_COPY; +-- +2.39.5 + diff --git a/queue-6.12/hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch b/queue-6.12/hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch new file mode 100644 index 0000000000..c7ad54db1a --- /dev/null +++ b/queue-6.12/hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch @@ -0,0 +1,155 @@ +From f0370c25111ee76682c5cf67c9252ac8be73d944 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 16:11:50 +0800 +Subject: hisi_acc_vfio_pci: fix XQE dma address error + +From: Longfang Liu + +[ Upstream commit 8bb7170c5a055ea17c6857c256ee73c10ff872eb ] + +The dma addresses of EQE and AEQE are wrong after migration and +results in guest kernel-mode encryption services failure. +Comparing the definition of hardware registers, we found that +there was an error when the data read from the register was +combined into an address. Therefore, the address combination +sequence needs to be corrected. + +Even after fixing the above problem, we still have an issue +where the Guest from an old kernel can get migrated to +new kernel and may result in wrong data. + +In order to ensure that the address is correct after migration, +if an old magic number is detected, the dma address needs to be +updated. + +Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration") +Signed-off-by: Longfang Liu +Reviewed-by: Shameer Kolothum +Link: https://lore.kernel.org/r/20250510081155.55840-2-liulongfang@huawei.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + .../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 41 ++++++++++++++++--- + .../vfio/pci/hisilicon/hisi_acc_vfio_pci.h | 14 ++++++- + 2 files changed, 47 insertions(+), 8 deletions(-) + +diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +index 0d632ba5d2a3c..ec38977336778 100644 +--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c ++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c +@@ -350,6 +350,32 @@ static int vf_qm_func_stop(struct hisi_qm *qm) + return hisi_qm_mb(qm, QM_MB_CMD_PAUSE_QM, 0, 0, 0); + } + ++static int vf_qm_version_check(struct acc_vf_data *vf_data, struct device *dev) ++{ ++ switch (vf_data->acc_magic) { ++ case ACC_DEV_MAGIC_V2: ++ if (vf_data->major_ver != ACC_DRV_MAJOR_VER) { ++ dev_info(dev, "migration driver version<%u.%u> not match!\n", ++ vf_data->major_ver, vf_data->minor_ver); ++ return -EINVAL; ++ } ++ break; ++ case ACC_DEV_MAGIC_V1: ++ /* Correct dma address */ ++ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH]; ++ vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET; ++ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW]; ++ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH]; ++ vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET; ++ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW]; ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev, + struct hisi_acc_vf_migration_file *migf) + { +@@ -363,7 +389,8 @@ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev, + if (migf->total_length < QM_MATCH_SIZE || hisi_acc_vdev->match_done) + return 0; + +- if (vf_data->acc_magic != ACC_DEV_MAGIC) { ++ ret = vf_qm_version_check(vf_data, dev); ++ if (ret) { + dev_err(dev, "failed to match ACC_DEV_MAGIC\n"); + return -EINVAL; + } +@@ -418,7 +445,9 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev, + int vf_id = hisi_acc_vdev->vf_id; + int ret; + +- vf_data->acc_magic = ACC_DEV_MAGIC; ++ vf_data->acc_magic = ACC_DEV_MAGIC_V2; ++ vf_data->major_ver = ACC_DRV_MAJOR_VER; ++ vf_data->minor_ver = ACC_DRV_MINOR_VER; + /* Save device id */ + vf_data->dev_id = hisi_acc_vdev->vf_dev->device; + +@@ -516,12 +545,12 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev, + return -EINVAL; + + /* Every reg is 32 bit, the dma address is 64 bit. */ +- vf_data->eqe_dma = vf_data->qm_eqc_dw[1]; ++ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH]; + vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET; +- vf_data->eqe_dma |= vf_data->qm_eqc_dw[0]; +- vf_data->aeqe_dma = vf_data->qm_aeqc_dw[1]; ++ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW]; ++ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH]; + vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET; +- vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[0]; ++ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW]; + + /* Through SQC_BT/CQC_BT to get sqc and cqc address */ + ret = qm_get_sqc(vf_qm, &vf_data->sqc_dma); +diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h +index 5bab46602fad2..465284168906b 100644 +--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h ++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h +@@ -38,6 +38,9 @@ + #define QM_REG_ADDR_OFFSET 0x0004 + + #define QM_XQC_ADDR_OFFSET 32U ++#define QM_XQC_ADDR_LOW 0x1 ++#define QM_XQC_ADDR_HIGH 0x2 ++ + #define QM_VF_AEQ_INT_MASK 0x0004 + #define QM_VF_EQ_INT_MASK 0x000c + #define QM_IFC_INT_SOURCE_V 0x0020 +@@ -49,10 +52,15 @@ + #define QM_EQC_DW0 0X8000 + #define QM_AEQC_DW0 0X8020 + ++#define ACC_DRV_MAJOR_VER 1 ++#define ACC_DRV_MINOR_VER 0 ++ ++#define ACC_DEV_MAGIC_V1 0XCDCDCDCDFEEDAACC ++#define ACC_DEV_MAGIC_V2 0xAACCFEEDDECADEDE ++ + struct acc_vf_data { + #define QM_MATCH_SIZE offsetofend(struct acc_vf_data, qm_rsv_state) + /* QM match information */ +-#define ACC_DEV_MAGIC 0XCDCDCDCDFEEDAACC + u64 acc_magic; + u32 qp_num; + u32 dev_id; +@@ -60,7 +68,9 @@ struct acc_vf_data { + u32 qp_base; + u32 vf_qm_state; + /* QM reserved match information */ +- u32 qm_rsv_state[3]; ++ u16 major_ver; ++ u16 minor_ver; ++ u32 qm_rsv_state[2]; + + /* QM RW regs */ + u32 aeq_int_mask; +-- +2.39.5 + diff --git a/queue-6.12/hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch b/queue-6.12/hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch new file mode 100644 index 0000000000..77dd31908f --- /dev/null +++ b/queue-6.12/hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch @@ -0,0 +1,48 @@ +From 2500cca6454a67173782100aad8b6112952d4d38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 23:26:54 +0300 +Subject: hwmon: (asus-ec-sensors) check sensor index in read_string() + +From: Alexei Safin + +[ Upstream commit 25be318324563c63cbd9cb53186203a08d2f83a1 ] + +Prevent a potential invalid memory access when the requested sensor +is not found. + +find_ec_sensor_index() may return a negative value (e.g. -ENOENT), +but its result was used without checking, which could lead to +undefined behavior when passed to get_sensor_info(). + +Add a proper check to return -EINVAL if sensor_index is negative. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d0ddfd241e57 ("hwmon: (asus-ec-sensors) add driver for ASUS EC") +Signed-off-by: Alexei Safin +Link: https://lore.kernel.org/r/20250424202654.5902-1-a.safin@rosa.ru +[groeck: Return error code returned from find_ec_sensor_index] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/asus-ec-sensors.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hwmon/asus-ec-sensors.c b/drivers/hwmon/asus-ec-sensors.c +index 9555366aeaf0d..fdc157c7394d9 100644 +--- a/drivers/hwmon/asus-ec-sensors.c ++++ b/drivers/hwmon/asus-ec-sensors.c +@@ -910,6 +910,10 @@ static int asus_ec_hwmon_read_string(struct device *dev, + { + struct ec_sensors_data *state = dev_get_drvdata(dev); + int sensor_index = find_ec_sensor_index(state, type, channel); ++ ++ if (sensor_index < 0) ++ return sensor_index; ++ + *str = get_sensor_info(state, sensor_index)->label; + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/ib-cm-use-rwlock-for-mad-agent-lock.patch b/queue-6.12/ib-cm-use-rwlock-for-mad-agent-lock.patch new file mode 100644 index 0000000000..fbc8973700 --- /dev/null +++ b/queue-6.12/ib-cm-use-rwlock-for-mad-agent-lock.patch @@ -0,0 +1,117 @@ +From 71b1913191cfdca8cdb7656befcce5d44c09901b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 17:56:12 +0000 +Subject: IB/cm: use rwlock for MAD agent lock + +From: Jacob Moroni + +[ Upstream commit 4dab26bed543584577b64b36aadb8b5b165bf44f ] + +In workloads where there are many processes establishing connections using +RDMA CM in parallel (large scale MPI), there can be heavy contention for +mad_agent_lock in cm_alloc_msg. + +This contention can occur while inside of a spin_lock_irq region, leading +to interrupts being disabled for extended durations on many +cores. Furthermore, it leads to the serialization of rdma_create_ah calls, +which has negative performance impacts for NICs which are capable of +processing multiple address handle creations in parallel. + +The end result is the machine becoming unresponsive, hung task warnings, +netdev TX timeouts, etc. + +Since the lock appears to be only for protection from cm_remove_one, it +can be changed to a rwlock to resolve these issues. + +Reproducer: + +Server: + for i in $(seq 1 512); do + ucmatose -c 32 -p $((i + 5000)) & + done + +Client: + for i in $(seq 1 512); do + ucmatose -c 32 -p $((i + 5000)) -s 10.2.0.52 & + done + +Fixes: 76039ac9095f ("IB/cm: Protect cm_dev, cm_ports and mad_agent with kref and lock") +Link: https://patch.msgid.link/r/20250220175612.2763122-1-jmoroni@google.com +Signed-off-by: Jacob Moroni +Acked-by: Eric Dumazet +Reviewed-by: Zhu Yanjun +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cm.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index 07fb8d3c037f0..d45e3909dafe1 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -166,7 +166,7 @@ struct cm_port { + struct cm_device { + struct kref kref; + struct list_head list; +- spinlock_t mad_agent_lock; ++ rwlock_t mad_agent_lock; + struct ib_device *ib_device; + u8 ack_delay; + int going_down; +@@ -284,7 +284,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv) + if (!cm_id_priv->av.port) + return ERR_PTR(-EINVAL); + +- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); ++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); + mad_agent = cm_id_priv->av.port->mad_agent; + if (!mad_agent) { + m = ERR_PTR(-EINVAL); +@@ -315,7 +315,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv) + m->context[0] = cm_id_priv; + + out: +- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); ++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); + return m; + } + +@@ -1294,10 +1294,10 @@ static __be64 cm_form_tid(struct cm_id_private *cm_id_priv) + if (!cm_id_priv->av.port) + return cpu_to_be64(low_tid); + +- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); ++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); + if (cm_id_priv->av.port->mad_agent) + hi_tid = ((u64)cm_id_priv->av.port->mad_agent->hi_tid) << 32; +- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); ++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock); + return cpu_to_be64(hi_tid | low_tid); + } + +@@ -4374,7 +4374,7 @@ static int cm_add_one(struct ib_device *ib_device) + return -ENOMEM; + + kref_init(&cm_dev->kref); +- spin_lock_init(&cm_dev->mad_agent_lock); ++ rwlock_init(&cm_dev->mad_agent_lock); + cm_dev->ib_device = ib_device; + cm_dev->ack_delay = ib_device->attrs.local_ca_ack_delay; + cm_dev->going_down = 0; +@@ -4490,9 +4490,9 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data) + * The above ensures no call paths from the work are running, + * the remaining paths all take the mad_agent_lock. + */ +- spin_lock(&cm_dev->mad_agent_lock); ++ write_lock(&cm_dev->mad_agent_lock); + port->mad_agent = NULL; +- spin_unlock(&cm_dev->mad_agent_lock); ++ write_unlock(&cm_dev->mad_agent_lock); + ib_unregister_mad_agent(mad_agent); + ib_port_unregister_client_groups(ib_device, i, + cm_counter_groups); +-- +2.39.5 + diff --git a/queue-6.12/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch b/queue-6.12/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch new file mode 100644 index 0000000000..40edcbe184 --- /dev/null +++ b/queue-6.12/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch @@ -0,0 +1,72 @@ +From 93edaa1fad360bed343016b3264b85db79751abe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:55:28 +0200 +Subject: ice: create new Tx scheduler nodes for new queues only + +From: Michal Kubiak + +[ Upstream commit 6fa2942578472c9cab13a8fc1dae0d830193e0a1 ] + +The current implementation of the Tx scheduler tree attempts +to create nodes for all Tx queues, ignoring the fact that some +queues may already exist in the tree. For example, if the VSI +already has 128 Tx queues and the user requests for 16 new queues, +the Tx scheduler will compute the tree for 272 queues (128 existing +queues + 144 new queues), instead of 144 queues (128 existing queues +and 16 new queues). +Fix that by modifying the node count calculation algorithm to skip +the queues that already exist in the tree. + +Fixes: 5513b920a4f7 ("ice: Update Tx scheduler tree for VSI multi-Tx queue support") +Reviewed-by: Dawid Osuchowski +Reviewed-by: Przemek Kitszel +Reviewed-by: Jacob Keller +Signed-off-by: Michal Kubiak +Reviewed-by: Simon Horman +Tested-by: Jesse Brandeburg +Tested-by: Saritha Sanigani (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_sched.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c +index 6ca13c5dcb14e..6524875b34d39 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sched.c ++++ b/drivers/net/ethernet/intel/ice/ice_sched.c +@@ -1604,16 +1604,16 @@ ice_sched_get_agg_node(struct ice_port_info *pi, struct ice_sched_node *tc_node, + /** + * ice_sched_calc_vsi_child_nodes - calculate number of VSI child nodes + * @hw: pointer to the HW struct +- * @num_qs: number of queues ++ * @num_new_qs: number of new queues that will be added to the tree + * @num_nodes: num nodes array + * + * This function calculates the number of VSI child nodes based on the + * number of queues. + */ + static void +-ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_qs, u16 *num_nodes) ++ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_new_qs, u16 *num_nodes) + { +- u16 num = num_qs; ++ u16 num = num_new_qs; + u8 i, qgl, vsil; + + qgl = ice_sched_get_qgrp_layer(hw); +@@ -1863,8 +1863,9 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle, + return status; + } + +- if (new_numqs) +- ice_sched_calc_vsi_child_nodes(hw, new_numqs, new_num_nodes); ++ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs, ++ new_num_nodes); ++ + /* Keep the max number of queue configuration all the time. Update the + * tree only if number of queues > previous number of queues. This may + * leave some extra nodes in the tree if number of queues < previous +-- +2.39.5 + diff --git a/queue-6.12/ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch b/queue-6.12/ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch new file mode 100644 index 0000000000..450b81d7f2 --- /dev/null +++ b/queue-6.12/ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch @@ -0,0 +1,313 @@ +From a453454277f39b885bdd808f4f8378dd4da20c30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:55:29 +0200 +Subject: ice: fix rebuilding the Tx scheduler tree for large queue counts + +From: Michal Kubiak + +[ Upstream commit 73145e6d81070d34a21431c9e0d7aaf2f29ca048 ] + +The current implementation of the Tx scheduler allows the tree to be +rebuilt as the user adds more Tx queues to the VSI. In such a case, +additional child nodes are added to the tree to support the new number +of queues. +Unfortunately, this algorithm does not take into account that the limit +of the VSI support node may be exceeded, so an additional node in the +VSI layer may be required to handle all the requested queues. + +Such a scenario occurs when adding XDP Tx queues on machines with many +CPUs. Although the driver still respects the queue limit returned by +the FW, the Tx scheduler was unable to add those queues to its tree +and returned one of the errors below. + +Such a scenario occurs when adding XDP Tx queues on machines with many +CPUs (e.g. at least 321 CPUs, if there is already 128 Tx/Rx queue pairs). +Although the driver still respects the queue limit returned by the FW, +the Tx scheduler was unable to add those queues to its tree and returned +the following errors: + + Failed VSI LAN queue config for XDP, error: -5 +or: + Failed to set LAN Tx queue context, error: -22 + +Fix this problem by extending the tree rebuild algorithm to check if the +current VSI node can support the requested number of queues. If it +cannot, create as many additional VSI support nodes as necessary to +handle all the required Tx queues. Symmetrically, adjust the VSI node +removal algorithm to remove all nodes associated with the given VSI. +Also, make the search for the next free VSI node more restrictive. That is, +add queue group nodes only to the VSI support nodes that have a matching +VSI handle. +Finally, fix the comment describing the tree update algorithm to better +reflect the current scenario. + +Fixes: b0153fdd7e8a ("ice: update VSI config dynamically") +Reviewed-by: Dawid Osuchowski +Reviewed-by: Przemek Kitszel +Signed-off-by: Michal Kubiak +Reviewed-by: Simon Horman +Tested-by: Jesse Brandeburg +Tested-by: Saritha Sanigani (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_sched.c | 170 +++++++++++++++++---- + 1 file changed, 142 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c +index 6524875b34d39..d9d09296d1d48 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sched.c ++++ b/drivers/net/ethernet/intel/ice/ice_sched.c +@@ -84,6 +84,27 @@ ice_sched_find_node_by_teid(struct ice_sched_node *start_node, u32 teid) + return NULL; + } + ++/** ++ * ice_sched_find_next_vsi_node - find the next node for a given VSI ++ * @vsi_node: VSI support node to start search with ++ * ++ * Return: Next VSI support node, or NULL. ++ * ++ * The function returns a pointer to the next node from the VSI layer ++ * assigned to the given VSI, or NULL if there is no such a node. ++ */ ++static struct ice_sched_node * ++ice_sched_find_next_vsi_node(struct ice_sched_node *vsi_node) ++{ ++ unsigned int vsi_handle = vsi_node->vsi_handle; ++ ++ while ((vsi_node = vsi_node->sibling) != NULL) ++ if (vsi_node->vsi_handle == vsi_handle) ++ break; ++ ++ return vsi_node; ++} ++ + /** + * ice_aqc_send_sched_elem_cmd - send scheduling elements cmd + * @hw: pointer to the HW struct +@@ -1084,8 +1105,10 @@ ice_sched_add_nodes_to_layer(struct ice_port_info *pi, + if (parent->num_children < max_child_nodes) { + new_num_nodes = max_child_nodes - parent->num_children; + } else { +- /* This parent is full, try the next sibling */ +- parent = parent->sibling; ++ /* This parent is full, ++ * try the next available sibling. ++ */ ++ parent = ice_sched_find_next_vsi_node(parent); + /* Don't modify the first node TEID memory if the + * first node was added already in the above call. + * Instead send some temp memory for all other +@@ -1528,12 +1551,23 @@ ice_sched_get_free_qparent(struct ice_port_info *pi, u16 vsi_handle, u8 tc, + /* get the first queue group node from VSI sub-tree */ + qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer); + while (qgrp_node) { ++ struct ice_sched_node *next_vsi_node; ++ + /* make sure the qgroup node is part of the VSI subtree */ + if (ice_sched_find_node_in_subtree(pi->hw, vsi_node, qgrp_node)) + if (qgrp_node->num_children < max_children && + qgrp_node->owner == owner) + break; + qgrp_node = qgrp_node->sibling; ++ if (qgrp_node) ++ continue; ++ ++ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node); ++ if (!next_vsi_node) ++ break; ++ ++ vsi_node = next_vsi_node; ++ qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer); + } + + /* Select the best queue group */ +@@ -1779,7 +1813,11 @@ ice_sched_add_vsi_support_nodes(struct ice_port_info *pi, u16 vsi_handle, + if (!parent) + return -EIO; + +- if (i == vsil) ++ /* Do not modify the VSI handle for already existing VSI nodes, ++ * (if no new VSI node was added to the tree). ++ * Assign the VSI handle only to newly added VSI nodes. ++ */ ++ if (i == vsil && num_added) + parent->vsi_handle = vsi_handle; + } + +@@ -1812,6 +1850,41 @@ ice_sched_add_vsi_to_topo(struct ice_port_info *pi, u16 vsi_handle, u8 tc) + num_nodes); + } + ++/** ++ * ice_sched_recalc_vsi_support_nodes - recalculate VSI support nodes count ++ * @hw: pointer to the HW struct ++ * @vsi_node: pointer to the leftmost VSI node that needs to be extended ++ * @new_numqs: new number of queues that has to be handled by the VSI ++ * @new_num_nodes: pointer to nodes count table to modify the VSI layer entry ++ * ++ * This function recalculates the number of supported nodes that need to ++ * be added after adding more Tx queues for a given VSI. ++ * The number of new VSI support nodes that shall be added will be saved ++ * to the @new_num_nodes table for the VSI layer. ++ */ ++static void ++ice_sched_recalc_vsi_support_nodes(struct ice_hw *hw, ++ struct ice_sched_node *vsi_node, ++ unsigned int new_numqs, u16 *new_num_nodes) ++{ ++ u32 vsi_nodes_cnt = 1; ++ u32 max_queue_cnt = 1; ++ u32 qgl, vsil; ++ ++ qgl = ice_sched_get_qgrp_layer(hw); ++ vsil = ice_sched_get_vsi_layer(hw); ++ ++ for (u32 i = vsil; i <= qgl; i++) ++ max_queue_cnt *= hw->max_children[i]; ++ ++ while ((vsi_node = ice_sched_find_next_vsi_node(vsi_node)) != NULL) ++ vsi_nodes_cnt++; ++ ++ if (new_numqs > (max_queue_cnt * vsi_nodes_cnt)) ++ new_num_nodes[vsil] = DIV_ROUND_UP(new_numqs, max_queue_cnt) - ++ vsi_nodes_cnt; ++} ++ + /** + * ice_sched_update_vsi_child_nodes - update VSI child nodes + * @pi: port information structure +@@ -1863,16 +1936,25 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle, + return status; + } + ++ ice_sched_recalc_vsi_support_nodes(hw, vsi_node, ++ new_numqs, new_num_nodes); + ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs, + new_num_nodes); + +- /* Keep the max number of queue configuration all the time. Update the +- * tree only if number of queues > previous number of queues. This may ++ /* Never decrease the number of queues in the tree. Update the tree ++ * only if number of queues > previous number of queues. This may + * leave some extra nodes in the tree if number of queues < previous + * number but that wouldn't harm anything. Removing those extra nodes + * may complicate the code if those nodes are part of SRL or + * individually rate limited. ++ * Also, add the required VSI support nodes if the existing ones cannot ++ * handle the requested new number of queues. + */ ++ status = ice_sched_add_vsi_support_nodes(pi, vsi_handle, tc_node, ++ new_num_nodes); ++ if (status) ++ return status; ++ + status = ice_sched_add_vsi_child_nodes(pi, vsi_handle, tc_node, + new_num_nodes, owner); + if (status) +@@ -2013,6 +2095,58 @@ static bool ice_sched_is_leaf_node_present(struct ice_sched_node *node) + return (node->info.data.elem_type == ICE_AQC_ELEM_TYPE_LEAF); + } + ++/** ++ * ice_sched_rm_vsi_subtree - remove all nodes assigned to a given VSI ++ * @pi: port information structure ++ * @vsi_node: pointer to the leftmost node of the VSI to be removed ++ * @owner: LAN or RDMA ++ * @tc: TC number ++ * ++ * Return: Zero in case of success, or -EBUSY if the VSI has leaf nodes in TC. ++ * ++ * This function removes all the VSI support nodes associated with a given VSI ++ * and its LAN or RDMA children nodes from the scheduler tree. ++ */ ++static int ++ice_sched_rm_vsi_subtree(struct ice_port_info *pi, ++ struct ice_sched_node *vsi_node, u8 owner, u8 tc) ++{ ++ u16 vsi_handle = vsi_node->vsi_handle; ++ bool all_vsi_nodes_removed = true; ++ int j = 0; ++ ++ while (vsi_node) { ++ struct ice_sched_node *next_vsi_node; ++ ++ if (ice_sched_is_leaf_node_present(vsi_node)) { ++ ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", tc); ++ return -EBUSY; ++ } ++ while (j < vsi_node->num_children) { ++ if (vsi_node->children[j]->owner == owner) ++ ice_free_sched_node(pi, vsi_node->children[j]); ++ else ++ j++; ++ } ++ ++ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node); ++ ++ /* remove the VSI if it has no children */ ++ if (!vsi_node->num_children) ++ ice_free_sched_node(pi, vsi_node); ++ else ++ all_vsi_nodes_removed = false; ++ ++ vsi_node = next_vsi_node; ++ } ++ ++ /* clean up aggregator related VSI info if any */ ++ if (all_vsi_nodes_removed) ++ ice_sched_rm_agg_vsi_info(pi, vsi_handle); ++ ++ return 0; ++} ++ + /** + * ice_sched_rm_vsi_cfg - remove the VSI and its children nodes + * @pi: port information structure +@@ -2039,7 +2173,6 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner) + + ice_for_each_traffic_class(i) { + struct ice_sched_node *vsi_node, *tc_node; +- u8 j = 0; + + tc_node = ice_sched_get_tc_node(pi, i); + if (!tc_node) +@@ -2049,31 +2182,12 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner) + if (!vsi_node) + continue; + +- if (ice_sched_is_leaf_node_present(vsi_node)) { +- ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", i); +- status = -EBUSY; ++ status = ice_sched_rm_vsi_subtree(pi, vsi_node, owner, i); ++ if (status) + goto exit_sched_rm_vsi_cfg; +- } +- while (j < vsi_node->num_children) { +- if (vsi_node->children[j]->owner == owner) { +- ice_free_sched_node(pi, vsi_node->children[j]); + +- /* reset the counter again since the num +- * children will be updated after node removal +- */ +- j = 0; +- } else { +- j++; +- } +- } +- /* remove the VSI if it has no children */ +- if (!vsi_node->num_children) { +- ice_free_sched_node(pi, vsi_node); +- vsi_ctx->sched.vsi_node[i] = NULL; ++ vsi_ctx->sched.vsi_node[i] = NULL; + +- /* clean up aggregator related VSI info if any */ +- ice_sched_rm_agg_vsi_info(pi, vsi_handle); +- } + if (owner == ICE_SCHED_NODE_OWNER_LAN) + vsi_ctx->sched.max_lanq[i] = 0; + else +-- +2.39.5 + diff --git a/queue-6.12/ice-fix-tx-scheduler-error-handling-in-xdp-callback.patch b/queue-6.12/ice-fix-tx-scheduler-error-handling-in-xdp-callback.patch new file mode 100644 index 0000000000..fb630b213c --- /dev/null +++ b/queue-6.12/ice-fix-tx-scheduler-error-handling-in-xdp-callback.patch @@ -0,0 +1,182 @@ +From 3deab5e7f659f8162c7d9c78e85f5209244fc3de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:55:27 +0200 +Subject: ice: fix Tx scheduler error handling in XDP callback + +From: Michal Kubiak + +[ Upstream commit 0153f36041b8e52019ebfa8629c13bf8f9b0a951 ] + +When the XDP program is loaded, the XDP callback adds new Tx queues. +This means that the callback must update the Tx scheduler with the new +queue number. In the event of a Tx scheduler failure, the XDP callback +should also fail and roll back any changes previously made for XDP +preparation. + +The previous implementation had a bug that not all changes made by the +XDP callback were rolled back. This caused the crash with the following +call trace: + +[ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5 +[ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI +[ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary) +[ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022 +[ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice] + +[...] + +[ +0.002715] Call Trace: +[ +0.002452] +[ +0.002021] ? __die_body.cold+0x19/0x29 +[ +0.003922] ? die_addr+0x3c/0x60 +[ +0.003319] ? exc_general_protection+0x17c/0x400 +[ +0.004707] ? asm_exc_general_protection+0x26/0x30 +[ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice] +[ +0.004835] ice_napi_poll+0x665/0x680 [ice] +[ +0.004320] __napi_poll+0x28/0x190 +[ +0.003500] net_rx_action+0x198/0x360 +[ +0.003752] ? update_rq_clock+0x39/0x220 +[ +0.004013] handle_softirqs+0xf1/0x340 +[ +0.003840] ? sched_clock_cpu+0xf/0x1f0 +[ +0.003925] __irq_exit_rcu+0xc2/0xe0 +[ +0.003665] common_interrupt+0x85/0xa0 +[ +0.003839] +[ +0.002098] +[ +0.002106] asm_common_interrupt+0x26/0x40 +[ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690 + +Fix this by performing the missing unmapping of XDP queues from +q_vectors and setting the XDP rings pointer back to NULL after all those +queues are released. +Also, add an immediate exit from the XDP callback in case of ring +preparation failure. + +Fixes: efc2214b6047 ("ice: Add support for XDP") +Reviewed-by: Dawid Osuchowski +Reviewed-by: Przemek Kitszel +Reviewed-by: Jacob Keller +Signed-off-by: Michal Kubiak +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Jesse Brandeburg +Tested-by: Saritha Sanigani (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 47 ++++++++++++++++------- + 1 file changed, 33 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 63d2105fce933..d1abd21cfc647 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -2761,6 +2761,27 @@ void ice_map_xdp_rings(struct ice_vsi *vsi) + } + } + ++/** ++ * ice_unmap_xdp_rings - Unmap XDP rings from interrupt vectors ++ * @vsi: the VSI with XDP rings being unmapped ++ */ ++static void ice_unmap_xdp_rings(struct ice_vsi *vsi) ++{ ++ int v_idx; ++ ++ ice_for_each_q_vector(vsi, v_idx) { ++ struct ice_q_vector *q_vector = vsi->q_vectors[v_idx]; ++ struct ice_tx_ring *ring; ++ ++ ice_for_each_tx_ring(ring, q_vector->tx) ++ if (!ring->tx_buf || !ice_ring_is_xdp(ring)) ++ break; ++ ++ /* restore the value of last node prior to XDP setup */ ++ q_vector->tx.tx_ring = ring; ++ } ++} ++ + /** + * ice_prepare_xdp_rings - Allocate, configure and setup Tx rings for XDP + * @vsi: VSI to bring up Tx rings used by XDP +@@ -2824,7 +2845,7 @@ int ice_prepare_xdp_rings(struct ice_vsi *vsi, struct bpf_prog *prog, + if (status) { + dev_err(dev, "Failed VSI LAN queue config for XDP, error: %d\n", + status); +- goto clear_xdp_rings; ++ goto unmap_xdp_rings; + } + + /* assign the prog only when it's not already present on VSI; +@@ -2840,6 +2861,8 @@ int ice_prepare_xdp_rings(struct ice_vsi *vsi, struct bpf_prog *prog, + ice_vsi_assign_bpf_prog(vsi, prog); + + return 0; ++unmap_xdp_rings: ++ ice_unmap_xdp_rings(vsi); + clear_xdp_rings: + ice_for_each_xdp_txq(vsi, i) + if (vsi->xdp_rings[i]) { +@@ -2856,6 +2879,8 @@ int ice_prepare_xdp_rings(struct ice_vsi *vsi, struct bpf_prog *prog, + mutex_unlock(&pf->avail_q_mutex); + + devm_kfree(dev, vsi->xdp_rings); ++ vsi->xdp_rings = NULL; ++ + return -ENOMEM; + } + +@@ -2871,7 +2896,7 @@ int ice_destroy_xdp_rings(struct ice_vsi *vsi, enum ice_xdp_cfg cfg_type) + { + u16 max_txqs[ICE_MAX_TRAFFIC_CLASS] = { 0 }; + struct ice_pf *pf = vsi->back; +- int i, v_idx; ++ int i; + + /* q_vectors are freed in reset path so there's no point in detaching + * rings +@@ -2879,17 +2904,7 @@ int ice_destroy_xdp_rings(struct ice_vsi *vsi, enum ice_xdp_cfg cfg_type) + if (cfg_type == ICE_XDP_CFG_PART) + goto free_qmap; + +- ice_for_each_q_vector(vsi, v_idx) { +- struct ice_q_vector *q_vector = vsi->q_vectors[v_idx]; +- struct ice_tx_ring *ring; +- +- ice_for_each_tx_ring(ring, q_vector->tx) +- if (!ring->tx_buf || !ice_ring_is_xdp(ring)) +- break; +- +- /* restore the value of last node prior to XDP setup */ +- q_vector->tx.tx_ring = ring; +- } ++ ice_unmap_xdp_rings(vsi); + + free_qmap: + mutex_lock(&pf->avail_q_mutex); +@@ -3034,11 +3049,14 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog, + xdp_ring_err = ice_vsi_determine_xdp_res(vsi); + if (xdp_ring_err) { + NL_SET_ERR_MSG_MOD(extack, "Not enough Tx resources for XDP"); ++ goto resume_if; + } else { + xdp_ring_err = ice_prepare_xdp_rings(vsi, prog, + ICE_XDP_CFG_FULL); +- if (xdp_ring_err) ++ if (xdp_ring_err) { + NL_SET_ERR_MSG_MOD(extack, "Setting up XDP Tx resources failed"); ++ goto resume_if; ++ } + } + xdp_features_set_redirect_target(vsi->netdev, true); + /* reallocate Rx queues that are used for zero-copy */ +@@ -3056,6 +3074,7 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog, + NL_SET_ERR_MSG_MOD(extack, "Freeing XDP Rx resources failed"); + } + ++resume_if: + if (if_running) + ret = ice_up(vsi); + +-- +2.39.5 + diff --git a/queue-6.12/idpf-avoid-mailbox-timeout-delays-during-reset.patch b/queue-6.12/idpf-avoid-mailbox-timeout-delays-during-reset.patch new file mode 100644 index 0000000000..ca4b99527c --- /dev/null +++ b/queue-6.12/idpf-avoid-mailbox-timeout-delays-during-reset.patch @@ -0,0 +1,101 @@ +From 528ff5feff0c2e19326be3c5b54009b20709236c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 11:47:15 -0700 +Subject: idpf: avoid mailbox timeout delays during reset + +From: Emil Tantilov + +[ Upstream commit 9dc63d8ff182150d7d7b318ab9389702a2c0a292 ] + +Mailbox operations are not possible while the driver is in reset. +Operations that require MBX exchange with the control plane will result +in long delays if executed while a reset is in progress: + +ethtool -L combined 8& echo 1 > /sys/class/net//device/reset +idpf 0000:83:00.0: HW reset detected +idpf 0000:83:00.0: Device HW Reset initiated +idpf 0000:83:00.0: Transaction timed-out (op:504 cookie:be00 vc_op:504 salt:be timeout:2000ms) +idpf 0000:83:00.0: Transaction timed-out (op:508 cookie:bf00 vc_op:508 salt:bf timeout:2000ms) +idpf 0000:83:00.0: Transaction timed-out (op:512 cookie:c000 vc_op:512 salt:c0 timeout:2000ms) +idpf 0000:83:00.0: Transaction timed-out (op:510 cookie:c100 vc_op:510 salt:c1 timeout:2000ms) +idpf 0000:83:00.0: Transaction timed-out (op:509 cookie:c200 vc_op:509 salt:c2 timeout:60000ms) +idpf 0000:83:00.0: Transaction timed-out (op:509 cookie:c300 vc_op:509 salt:c3 timeout:60000ms) +idpf 0000:83:00.0: Transaction timed-out (op:505 cookie:c400 vc_op:505 salt:c4 timeout:60000ms) +idpf 0000:83:00.0: Failed to configure queues for vport 0, -62 + +Disable mailbox communication in case of a reset, unless it's done during +a driver load, where the virtchnl operations are needed to configure the +device. + +Fixes: 8077c727561aa ("idpf: add controlq init and reset checks") +Co-developed-by: Joshua Hay +Signed-off-by: Joshua Hay +Signed-off-by: Emil Tantilov +Reviewed-by: Ahmed Zaki +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 18 +++++++++++++----- + .../net/ethernet/intel/idpf/idpf_virtchnl.c | 2 +- + .../net/ethernet/intel/idpf/idpf_virtchnl.h | 1 + + 3 files changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 615e74d038457..ba645ab22d394 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -1802,11 +1802,19 @@ void idpf_vc_event_task(struct work_struct *work) + if (test_bit(IDPF_REMOVE_IN_PROG, adapter->flags)) + return; + +- if (test_bit(IDPF_HR_FUNC_RESET, adapter->flags) || +- test_bit(IDPF_HR_DRV_LOAD, adapter->flags)) { +- set_bit(IDPF_HR_RESET_IN_PROG, adapter->flags); +- idpf_init_hard_reset(adapter); +- } ++ if (test_bit(IDPF_HR_FUNC_RESET, adapter->flags)) ++ goto func_reset; ++ ++ if (test_bit(IDPF_HR_DRV_LOAD, adapter->flags)) ++ goto drv_load; ++ ++ return; ++ ++func_reset: ++ idpf_vc_xn_shutdown(adapter->vcxn_mngr); ++drv_load: ++ set_bit(IDPF_HR_RESET_IN_PROG, adapter->flags); ++ idpf_init_hard_reset(adapter); + } + + /** +diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +index 99bdb95bf2266..151beea20d343 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +@@ -376,7 +376,7 @@ static void idpf_vc_xn_init(struct idpf_vc_xn_manager *vcxn_mngr) + * All waiting threads will be woken-up and their transaction aborted. Further + * operations on that object will fail. + */ +-static void idpf_vc_xn_shutdown(struct idpf_vc_xn_manager *vcxn_mngr) ++void idpf_vc_xn_shutdown(struct idpf_vc_xn_manager *vcxn_mngr) + { + int i; + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.h b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.h +index 83da5d8da56bf..23271cf0a2160 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.h ++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.h +@@ -66,5 +66,6 @@ int idpf_send_get_stats_msg(struct idpf_vport *vport); + int idpf_send_set_sriov_vfs_msg(struct idpf_adapter *adapter, u16 num_vfs); + int idpf_send_get_set_rss_key_msg(struct idpf_vport *vport, bool get); + int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get); ++void idpf_vc_xn_shutdown(struct idpf_vc_xn_manager *vcxn_mngr); + + #endif /* _IDPF_VIRTCHNL_H_ */ +-- +2.39.5 + diff --git a/queue-6.12/idpf-fix-a-race-in-txq-wakeup.patch b/queue-6.12/idpf-fix-a-race-in-txq-wakeup.patch new file mode 100644 index 0000000000..1560f88bc1 --- /dev/null +++ b/queue-6.12/idpf-fix-a-race-in-txq-wakeup.patch @@ -0,0 +1,183 @@ +From e4e50860f14cbf5cdc34f6fcd24fe4310876534e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 17:06:17 +0000 +Subject: idpf: fix a race in txq wakeup + +From: Brian Vazquez + +[ Upstream commit 7292af042bcf22e2c18b96ed250f78498a5b28ab ] + +Add a helper function to correctly handle the lockless +synchronization when the sender needs to block. The paradigm is + + if (no_resources()) { + stop_queue(); + barrier(); + if (!no_resources()) + restart_queue(); + } + +netif_subqueue_maybe_stop already handles the paradigm correctly, but +the code split the check for resources in three parts, the first one +(descriptors) followed the protocol, but the other two (completions and +tx_buf) were only doing the first part and so race prone. + +Luckily netif_subqueue_maybe_stop macro already allows you to use a +function to evaluate the start/stop conditions so the fix only requires +the right helper function to evaluate all the conditions at once. + +The patch removes idpf_tx_maybe_stop_common since it's no longer needed +and instead adjusts separately the conditions for singleq and splitq. + +Note that idpf_tx_buf_hw_update doesn't need to check for resources +since that will be covered in idpf_tx_splitq_frame. + +To reproduce: + +Reduce the threshold for pending completions to increase the chances of +hitting this pause by changing your kernel: + +drivers/net/ethernet/intel/idpf/idpf_txrx.h + +-#define IDPF_TX_COMPLQ_OVERFLOW_THRESH(txcq) ((txcq)->desc_count >> 1) ++#define IDPF_TX_COMPLQ_OVERFLOW_THRESH(txcq) ((txcq)->desc_count >> 4) + +Use pktgen to force the host to push small pkts very aggressively: + +./pktgen_sample02_multiqueue.sh -i eth1 -s 100 -6 -d $IP -m $MAC \ + -p 10000-10000 -t 16 -n 0 -v -x -c 64 + +Fixes: 6818c4d5b3c2 ("idpf: add splitq start_xmit") +Reviewed-by: Jacob Keller +Reviewed-by: Madhu Chittim +Signed-off-by: Josh Hay +Signed-off-by: Brian Vazquez +Signed-off-by: Luigi Rizzo +Reviewed-by: Simon Horman +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../ethernet/intel/idpf/idpf_singleq_txrx.c | 9 ++-- + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 45 +++++++------------ + drivers/net/ethernet/intel/idpf/idpf_txrx.h | 8 ---- + 3 files changed, 22 insertions(+), 40 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c +index dfd7cf1d9aa0a..a986dd5725559 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c +@@ -362,17 +362,18 @@ netdev_tx_t idpf_tx_singleq_frame(struct sk_buff *skb, + { + struct idpf_tx_offload_params offload = { }; + struct idpf_tx_buf *first; ++ int csum, tso, needed; + unsigned int count; + __be16 protocol; +- int csum, tso; + + count = idpf_tx_desc_count_required(tx_q, skb); + if (unlikely(!count)) + return idpf_tx_drop_skb(tx_q, skb); + +- if (idpf_tx_maybe_stop_common(tx_q, +- count + IDPF_TX_DESCS_PER_CACHE_LINE + +- IDPF_TX_DESCS_FOR_CTX)) { ++ needed = count + IDPF_TX_DESCS_PER_CACHE_LINE + IDPF_TX_DESCS_FOR_CTX; ++ if (!netif_subqueue_maybe_stop(tx_q->netdev, tx_q->idx, ++ IDPF_DESC_UNUSED(tx_q), ++ needed, needed)) { + idpf_tx_buf_hw_update(tx_q, tx_q->next_to_use, false); + + u64_stats_update_begin(&tx_q->stats_sync); +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +index 623bf17f87f9c..c6c36de58b9d1 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +@@ -2132,6 +2132,19 @@ void idpf_tx_splitq_build_flow_desc(union idpf_tx_flex_desc *desc, + desc->flow.qw1.compl_tag = cpu_to_le16(params->compl_tag); + } + ++/* Global conditions to tell whether the txq (and related resources) ++ * has room to allow the use of "size" descriptors. ++ */ ++static int idpf_txq_has_room(struct idpf_tx_queue *tx_q, u32 size) ++{ ++ if (IDPF_DESC_UNUSED(tx_q) < size || ++ IDPF_TX_COMPLQ_PENDING(tx_q->txq_grp) > ++ IDPF_TX_COMPLQ_OVERFLOW_THRESH(tx_q->txq_grp->complq) || ++ IDPF_TX_BUF_RSV_LOW(tx_q)) ++ return 0; ++ return 1; ++} ++ + /** + * idpf_tx_maybe_stop_splitq - 1st level check for Tx splitq stop conditions + * @tx_q: the queue to be checked +@@ -2142,29 +2155,11 @@ void idpf_tx_splitq_build_flow_desc(union idpf_tx_flex_desc *desc, + static int idpf_tx_maybe_stop_splitq(struct idpf_tx_queue *tx_q, + unsigned int descs_needed) + { +- if (idpf_tx_maybe_stop_common(tx_q, descs_needed)) +- goto out; +- +- /* If there are too many outstanding completions expected on the +- * completion queue, stop the TX queue to give the device some time to +- * catch up +- */ +- if (unlikely(IDPF_TX_COMPLQ_PENDING(tx_q->txq_grp) > +- IDPF_TX_COMPLQ_OVERFLOW_THRESH(tx_q->txq_grp->complq))) +- goto splitq_stop; +- +- /* Also check for available book keeping buffers; if we are low, stop +- * the queue to wait for more completions +- */ +- if (unlikely(IDPF_TX_BUF_RSV_LOW(tx_q))) +- goto splitq_stop; +- +- return 0; +- +-splitq_stop: +- netif_stop_subqueue(tx_q->netdev, tx_q->idx); ++ if (netif_subqueue_maybe_stop(tx_q->netdev, tx_q->idx, ++ idpf_txq_has_room(tx_q, descs_needed), ++ 1, 1)) ++ return 0; + +-out: + u64_stats_update_begin(&tx_q->stats_sync); + u64_stats_inc(&tx_q->q_stats.q_busy); + u64_stats_update_end(&tx_q->stats_sync); +@@ -2190,12 +2185,6 @@ void idpf_tx_buf_hw_update(struct idpf_tx_queue *tx_q, u32 val, + nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx); + tx_q->next_to_use = val; + +- if (idpf_tx_maybe_stop_common(tx_q, IDPF_TX_DESC_NEEDED)) { +- u64_stats_update_begin(&tx_q->stats_sync); +- u64_stats_inc(&tx_q->q_stats.q_busy); +- u64_stats_update_end(&tx_q->stats_sync); +- } +- + /* Force memory writes to complete before letting h/w + * know there are new descriptors to fetch. (Only + * applicable for weak-ordered memory model archs, +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h +index 9c1fe84108ed2..ffeeaede6cf8f 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h +@@ -1052,12 +1052,4 @@ bool idpf_rx_singleq_buf_hw_alloc_all(struct idpf_rx_queue *rxq, + u16 cleaned_count); + int idpf_tso(struct sk_buff *skb, struct idpf_tx_offload_params *off); + +-static inline bool idpf_tx_maybe_stop_common(struct idpf_tx_queue *tx_q, +- u32 needed) +-{ +- return !netif_subqueue_maybe_stop(tx_q->netdev, tx_q->idx, +- IDPF_DESC_UNUSED(tx_q), +- needed, needed); +-} +- + #endif /* !_IDPF_TXRX_H_ */ +-- +2.39.5 + diff --git a/queue-6.12/iio-adc-ad7124-fix-3db-filter-frequency-reading.patch b/queue-6.12/iio-adc-ad7124-fix-3db-filter-frequency-reading.patch new file mode 100644 index 0000000000..6a1be624ca --- /dev/null +++ b/queue-6.12/iio-adc-ad7124-fix-3db-filter-frequency-reading.patch @@ -0,0 +1,45 @@ +From fa1258226e85ecbc0e49d2a560879f38a7e03d28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Mar 2025 12:52:47 +0100 +Subject: iio: adc: ad7124: Fix 3dB filter frequency reading +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 8712e4986e7ce42a14c762c4c350f290989986a5 ] + +The sinc4 filter has a factor 0.23 between Output Data Rate and f_{3dB} +and for sinc3 the factor is 0.272 according to the data sheets for +ad7124-4 (Rev. E.) and ad7124-8 (Rev. F). + +Fixes: cef2760954cf ("iio: adc: ad7124: add 3db filter") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Marcelo Schmitt +Link: https://patch.msgid.link/20250317115247.3735016-6-u.kleine-koenig@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7124.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c +index 30a7392c4f8b9..9c9e0c950b427 100644 +--- a/drivers/iio/adc/ad7124.c ++++ b/drivers/iio/adc/ad7124.c +@@ -300,9 +300,9 @@ static int ad7124_get_3db_filter_freq(struct ad7124_state *st, + + switch (st->channels[channel].cfg.filter_type) { + case AD7124_SINC3_FILTER: +- return DIV_ROUND_CLOSEST(fadc * 230, 1000); ++ return DIV_ROUND_CLOSEST(fadc * 272, 1000); + case AD7124_SINC4_FILTER: +- return DIV_ROUND_CLOSEST(fadc * 262, 1000); ++ return DIV_ROUND_CLOSEST(fadc * 230, 1000); + default: + return -EINVAL; + } +-- +2.39.5 + diff --git a/queue-6.12/iio-adc-mcp3911-fix-device-dependent-mappings-for-co.patch b/queue-6.12/iio-adc-mcp3911-fix-device-dependent-mappings-for-co.patch new file mode 100644 index 0000000000..9a629d9406 --- /dev/null +++ b/queue-6.12/iio-adc-mcp3911-fix-device-dependent-mappings-for-co.patch @@ -0,0 +1,171 @@ +From 07740871118a3cf948d235eaaf3b8503c33d29c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 08:54:11 +0200 +Subject: iio: adc: mcp3911: fix device dependent mappings for conversion + result registers + +From: Marcus Folkesson + +[ Upstream commit f62c49d8f32d6ce8871b01795498352775aa61db ] + +The conversion result registers differs between devices. Make sure the +mapping is correct by using a device dependent .get_raw() callback function. + +Fixes: 732ad34260d3 ("iio: adc: mcp3911: add support for the whole MCP39xx family") +Co-developed-by: Lukas Rauber +Signed-off-by: Lukas Rauber +Signed-off-by: Marcus Folkesson +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/20250428-mcp3911-fixes-v2-1-406e39330c3d@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/mcp3911.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/adc/mcp3911.c b/drivers/iio/adc/mcp3911.c +index b097f04172c80..4bd6b5aac4fe8 100644 +--- a/drivers/iio/adc/mcp3911.c ++++ b/drivers/iio/adc/mcp3911.c +@@ -6,7 +6,7 @@ + * Copyright (C) 2018 Kent Gustavsson + */ + #include +-#include ++#include + #include + #include + #include +@@ -79,6 +79,8 @@ + #define MCP3910_CONFIG1_CLKEXT BIT(6) + #define MCP3910_CONFIG1_VREFEXT BIT(7) + ++#define MCP3910_CHANNEL(ch) (MCP3911_REG_CHANNEL0 + (ch)) ++ + #define MCP3910_REG_OFFCAL_CH0 0x0f + #define MCP3910_OFFCAL(ch) (MCP3910_REG_OFFCAL_CH0 + (ch) * 6) + +@@ -110,6 +112,7 @@ struct mcp3911_chip_info { + int (*get_offset)(struct mcp3911 *adc, int channel, int *val); + int (*set_offset)(struct mcp3911 *adc, int channel, int val); + int (*set_scale)(struct mcp3911 *adc, int channel, u32 val); ++ int (*get_raw)(struct mcp3911 *adc, int channel, int *val); + }; + + struct mcp3911 { +@@ -170,6 +173,18 @@ static int mcp3911_update(struct mcp3911 *adc, u8 reg, u32 mask, u32 val, u8 len + return mcp3911_write(adc, reg, val, len); + } + ++static int mcp3911_read_s24(struct mcp3911 *const adc, u8 const reg, s32 *const val) ++{ ++ u32 uval; ++ int const ret = mcp3911_read(adc, reg, &uval, 3); ++ ++ if (ret) ++ return ret; ++ ++ *val = sign_extend32(uval, 23); ++ return ret; ++} ++ + static int mcp3910_enable_offset(struct mcp3911 *adc, bool enable) + { + unsigned int mask = MCP3910_CONFIG0_EN_OFFCAL; +@@ -194,6 +209,11 @@ static int mcp3910_set_offset(struct mcp3911 *adc, int channel, int val) + return adc->chip->enable_offset(adc, 1); + } + ++static int mcp3910_get_raw(struct mcp3911 *adc, int channel, s32 *val) ++{ ++ return mcp3911_read_s24(adc, MCP3910_CHANNEL(channel), val); ++} ++ + static int mcp3911_enable_offset(struct mcp3911 *adc, bool enable) + { + unsigned int mask = MCP3911_STATUSCOM_EN_OFFCAL; +@@ -218,6 +238,11 @@ static int mcp3911_set_offset(struct mcp3911 *adc, int channel, int val) + return adc->chip->enable_offset(adc, 1); + } + ++static int mcp3911_get_raw(struct mcp3911 *adc, int channel, s32 *val) ++{ ++ return mcp3911_read_s24(adc, MCP3911_CHANNEL(channel), val); ++} ++ + static int mcp3910_get_osr(struct mcp3911 *adc, u32 *val) + { + int ret; +@@ -321,12 +346,9 @@ static int mcp3911_read_raw(struct iio_dev *indio_dev, + guard(mutex)(&adc->lock); + switch (mask) { + case IIO_CHAN_INFO_RAW: +- ret = mcp3911_read(adc, +- MCP3911_CHANNEL(channel->channel), val, 3); ++ ret = adc->chip->get_raw(adc, channel->channel, val); + if (ret) + return ret; +- +- *val = sign_extend32(*val, 23); + return IIO_VAL_INT; + case IIO_CHAN_INFO_OFFSET: + ret = adc->chip->get_offset(adc, channel->channel, val); +@@ -799,6 +821,7 @@ static const struct mcp3911_chip_info mcp3911_chip_info[] = { + .get_offset = mcp3910_get_offset, + .set_offset = mcp3910_set_offset, + .set_scale = mcp3910_set_scale, ++ .get_raw = mcp3910_get_raw, + }, + [MCP3911] = { + .channels = mcp3911_channels, +@@ -810,6 +833,7 @@ static const struct mcp3911_chip_info mcp3911_chip_info[] = { + .get_offset = mcp3911_get_offset, + .set_offset = mcp3911_set_offset, + .set_scale = mcp3911_set_scale, ++ .get_raw = mcp3911_get_raw, + }, + [MCP3912] = { + .channels = mcp3912_channels, +@@ -821,6 +845,7 @@ static const struct mcp3911_chip_info mcp3911_chip_info[] = { + .get_offset = mcp3910_get_offset, + .set_offset = mcp3910_set_offset, + .set_scale = mcp3910_set_scale, ++ .get_raw = mcp3910_get_raw, + }, + [MCP3913] = { + .channels = mcp3913_channels, +@@ -832,6 +857,7 @@ static const struct mcp3911_chip_info mcp3911_chip_info[] = { + .get_offset = mcp3910_get_offset, + .set_offset = mcp3910_set_offset, + .set_scale = mcp3910_set_scale, ++ .get_raw = mcp3910_get_raw, + }, + [MCP3914] = { + .channels = mcp3914_channels, +@@ -843,6 +869,7 @@ static const struct mcp3911_chip_info mcp3911_chip_info[] = { + .get_offset = mcp3910_get_offset, + .set_offset = mcp3910_set_offset, + .set_scale = mcp3910_set_scale, ++ .get_raw = mcp3910_get_raw, + }, + [MCP3918] = { + .channels = mcp3918_channels, +@@ -854,6 +881,7 @@ static const struct mcp3911_chip_info mcp3911_chip_info[] = { + .get_offset = mcp3910_get_offset, + .set_offset = mcp3910_set_offset, + .set_scale = mcp3910_set_scale, ++ .get_raw = mcp3910_get_raw, + }, + [MCP3919] = { + .channels = mcp3919_channels, +@@ -865,6 +893,7 @@ static const struct mcp3911_chip_info mcp3911_chip_info[] = { + .get_offset = mcp3910_get_offset, + .set_offset = mcp3910_set_offset, + .set_scale = mcp3910_set_scale, ++ .get_raw = mcp3910_get_raw, + }, + }; + static const struct of_device_id mcp3911_dt_ids[] = { +-- +2.39.5 + diff --git a/queue-6.12/iio-adc-pac1934-fix-typo-in-documentation-link.patch b/queue-6.12/iio-adc-pac1934-fix-typo-in-documentation-link.patch new file mode 100644 index 0000000000..d6d6ec0c47 --- /dev/null +++ b/queue-6.12/iio-adc-pac1934-fix-typo-in-documentation-link.patch @@ -0,0 +1,40 @@ +From af42ecfed66c621062c1536894382e7f79db63c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 11:06:33 +0300 +Subject: iio: adc: PAC1934: fix typo in documentation link + +From: Marius Cristea + +[ Upstream commit 52c43d80fa8370eb877fc63b1fc1eec67e1b1410 ] + +Fix a typo,(PAC1934 -> PAC193X), into the link from an application note +related to the ACPI device definition. + +Fixes: 0fb528c8255b ("iio: adc: adding support for PAC193x") +Reported-by: Matteo Martelli +Closes: https://patch.msgid.link/172794015844.2520.11909797050797595912@njaxe.localdomain +Signed-off-by: Marius Cristea +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250424-pac1934-doc_link-v1-1-9832445cb270@microchip.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/pac1934.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/pac1934.c b/drivers/iio/adc/pac1934.c +index 7ef249d832866..c3f9fa307b84c 100644 +--- a/drivers/iio/adc/pac1934.c ++++ b/drivers/iio/adc/pac1934.c +@@ -1081,7 +1081,7 @@ static int pac1934_chip_identify(struct pac1934_chip_info *info) + + /* + * documentation related to the ACPI device definition +- * https://ww1.microchip.com/downloads/aemDocuments/documents/OTH/ApplicationNotes/ApplicationNotes/PAC1934-Integration-Notes-for-Microsoft-Windows-10-and-Windows-11-Driver-Support-DS00002534.pdf ++ * https://ww1.microchip.com/downloads/aemDocuments/documents/OTH/ApplicationNotes/ApplicationNotes/PAC193X-Integration-Notes-for-Microsoft-Windows-10-and-Windows-11-Driver-Support-DS00002534.pdf + */ + static int pac1934_acpi_parse_channel_config(struct i2c_client *client, + struct pac1934_chip_info *info) +-- +2.39.5 + diff --git a/queue-6.12/iio-filter-admv8818-fix-band-4-state-15.patch b/queue-6.12/iio-filter-admv8818-fix-band-4-state-15.patch new file mode 100644 index 0000000000..635d140c6a --- /dev/null +++ b/queue-6.12/iio-filter-admv8818-fix-band-4-state-15.patch @@ -0,0 +1,37 @@ +From fa5347e4d27767ce16dc364d59707bc15571edbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 13:48:27 -0400 +Subject: iio: filter: admv8818: fix band 4, state 15 + +From: Sam Winchenbach + +[ Upstream commit ef0ce24f590ac075d5eda11f2d6434b303333ed6 ] + +Corrects the upper range of LPF Band 4 from 18.5 GHz to 18.85 GHz per +the ADMV8818 datasheet + +Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818") +Signed-off-by: Sam Winchenbach +Link: https://patch.msgid.link/20250328174831.227202-3-sam.winchenbach@framepointer.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/filter/admv8818.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c +index d85b7d3de8660..3d8740caa1455 100644 +--- a/drivers/iio/filter/admv8818.c ++++ b/drivers/iio/filter/admv8818.c +@@ -103,7 +103,7 @@ static const unsigned long long freq_range_lpf[4][2] = { + {2050000000ULL, 3850000000ULL}, + {3350000000ULL, 7250000000ULL}, + {7000000000, 13000000000}, +- {12550000000, 18500000000} ++ {12550000000, 18850000000} + }; + + static const struct regmap_config admv8818_regmap_config = { +-- +2.39.5 + diff --git a/queue-6.12/iio-filter-admv8818-fix-integer-overflow.patch b/queue-6.12/iio-filter-admv8818-fix-integer-overflow.patch new file mode 100644 index 0000000000..8054f434cc --- /dev/null +++ b/queue-6.12/iio-filter-admv8818-fix-integer-overflow.patch @@ -0,0 +1,37 @@ +From f743f1e15ec88563b885123211d9359b333123f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 13:48:28 -0400 +Subject: iio: filter: admv8818: fix integer overflow + +From: Sam Winchenbach + +[ Upstream commit fb6009a28d77edec4eb548b5875dae8c79b88467 ] + +HZ_PER_MHZ is only unsigned long. This math overflows, leading to +incorrect results. + +Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818") +Signed-off-by: Sam Winchenbach +Link: https://patch.msgid.link/20250328174831.227202-4-sam.winchenbach@framepointer.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/filter/admv8818.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c +index 3d8740caa1455..cd3aff9a2f7bf 100644 +--- a/drivers/iio/filter/admv8818.c ++++ b/drivers/iio/filter/admv8818.c +@@ -154,7 +154,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq) + } + + /* Close HPF frequency gap between 12 and 12.5 GHz */ +- if (freq >= 12000 * HZ_PER_MHZ && freq <= 12500 * HZ_PER_MHZ) { ++ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) { + hpf_band = 3; + hpf_step = 15; + } +-- +2.39.5 + diff --git a/queue-6.12/iio-filter-admv8818-fix-range-calculation.patch b/queue-6.12/iio-filter-admv8818-fix-range-calculation.patch new file mode 100644 index 0000000000..d2c518cc1a --- /dev/null +++ b/queue-6.12/iio-filter-admv8818-fix-range-calculation.patch @@ -0,0 +1,550 @@ +From f8d8b8eaebcb7d82ecb59d234bc5dc747763c81c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 13:48:29 -0400 +Subject: iio: filter: admv8818: fix range calculation + +From: Sam Winchenbach + +[ Upstream commit d542db7095d322bfcdc8e306db6f8c48358c9619 ] + +Search for the minimum error while ensuring that the LPF corner +frequency is greater than the target, and the HPF corner frequency +is lower than the target + +This fixes issues where the range calculations were suboptimal. + +Add two new DTS properties to set the margin between the input frequency +and the calculated corner frequency + +Below is a generated table of the differences between the old algorithm +and the new. This is a sweep from 0 to 20 GHz in 10 MHz steps. +=== HPF === +freq = 1750 MHz, 3db: bypass => 1750 MHz +freq = 3400 MHz, 3db: 3310 => 3400 MHz +freq = 3410 MHz, 3db: 3310 => 3400 MHz +freq = 3420 MHz, 3db: 3310 => 3400 MHz +freq = 3660 MHz, 3db: 3550 => 3656 MHz +freq = 6600 MHz, 3db: 6479 => 6600 MHz +freq = 6610 MHz, 3db: 6479 => 6600 MHz +freq = 6620 MHz, 3db: 6479 => 6600 MHz +freq = 6630 MHz, 3db: 6479 => 6600 MHz +freq = 6640 MHz, 3db: 6479 => 6600 MHz +freq = 6650 MHz, 3db: 6479 => 6600 MHz +freq = 6660 MHz, 3db: 6479 => 6600 MHz +freq = 6670 MHz, 3db: 6479 => 6600 MHz +freq = 6680 MHz, 3db: 6479 => 6600 MHz +freq = 6690 MHz, 3db: 6479 => 6600 MHz +freq = 6700 MHz, 3db: 6479 => 6600 MHz +freq = 6710 MHz, 3db: 6479 => 6600 MHz +freq = 6720 MHz, 3db: 6479 => 6600 MHz +freq = 6730 MHz, 3db: 6479 => 6600 MHz +freq = 6960 MHz, 3db: 6736 => 6960 MHz +freq = 6970 MHz, 3db: 6736 => 6960 MHz +freq = 6980 MHz, 3db: 6736 => 6960 MHz +freq = 6990 MHz, 3db: 6736 => 6960 MHz +freq = 7320 MHz, 3db: 7249 => 7320 MHz +freq = 7330 MHz, 3db: 7249 => 7320 MHz +freq = 7340 MHz, 3db: 7249 => 7320 MHz +freq = 7350 MHz, 3db: 7249 => 7320 MHz +freq = 7360 MHz, 3db: 7249 => 7320 MHz +freq = 7370 MHz, 3db: 7249 => 7320 MHz +freq = 7380 MHz, 3db: 7249 => 7320 MHz +freq = 7390 MHz, 3db: 7249 => 7320 MHz +freq = 7400 MHz, 3db: 7249 => 7320 MHz +freq = 7410 MHz, 3db: 7249 => 7320 MHz +freq = 7420 MHz, 3db: 7249 => 7320 MHz +freq = 7430 MHz, 3db: 7249 => 7320 MHz +freq = 7440 MHz, 3db: 7249 => 7320 MHz +freq = 7450 MHz, 3db: 7249 => 7320 MHz +freq = 7460 MHz, 3db: 7249 => 7320 MHz +freq = 7470 MHz, 3db: 7249 => 7320 MHz +freq = 7480 MHz, 3db: 7249 => 7320 MHz +freq = 7490 MHz, 3db: 7249 => 7320 MHz +freq = 7500 MHz, 3db: 7249 => 7320 MHz +freq = 12500 MHz, 3db: 12000 => 12500 MHz + +=== LPF === +freq = 2050 MHz, 3db: bypass => 2050 MHz +freq = 2170 MHz, 3db: 2290 => 2170 MHz +freq = 2290 MHz, 3db: 2410 => 2290 MHz +freq = 2410 MHz, 3db: 2530 => 2410 MHz +freq = 2530 MHz, 3db: 2650 => 2530 MHz +freq = 2650 MHz, 3db: 2770 => 2650 MHz +freq = 2770 MHz, 3db: 2890 => 2770 MHz +freq = 2890 MHz, 3db: 3010 => 2890 MHz +freq = 3010 MHz, 3db: 3130 => 3010 MHz +freq = 3130 MHz, 3db: 3250 => 3130 MHz +freq = 3250 MHz, 3db: 3370 => 3250 MHz +freq = 3260 MHz, 3db: 3370 => 3350 MHz +freq = 3270 MHz, 3db: 3370 => 3350 MHz +freq = 3280 MHz, 3db: 3370 => 3350 MHz +freq = 3290 MHz, 3db: 3370 => 3350 MHz +freq = 3300 MHz, 3db: 3370 => 3350 MHz +freq = 3310 MHz, 3db: 3370 => 3350 MHz +freq = 3320 MHz, 3db: 3370 => 3350 MHz +freq = 3330 MHz, 3db: 3370 => 3350 MHz +freq = 3340 MHz, 3db: 3370 => 3350 MHz +freq = 3350 MHz, 3db: 3370 => 3350 MHz +freq = 3370 MHz, 3db: 3490 => 3370 MHz +freq = 3490 MHz, 3db: 3610 => 3490 MHz +freq = 3610 MHz, 3db: 3730 => 3610 MHz +freq = 3730 MHz, 3db: 3850 => 3730 MHz +freq = 3850 MHz, 3db: 3870 => 3850 MHz +freq = 3870 MHz, 3db: 4130 => 3870 MHz +freq = 4130 MHz, 3db: 4390 => 4130 MHz +freq = 4390 MHz, 3db: 4650 => 4390 MHz +freq = 4650 MHz, 3db: 4910 => 4650 MHz +freq = 4910 MHz, 3db: 5170 => 4910 MHz +freq = 5170 MHz, 3db: 5430 => 5170 MHz +freq = 5430 MHz, 3db: 5690 => 5430 MHz +freq = 5690 MHz, 3db: 5950 => 5690 MHz +freq = 5950 MHz, 3db: 6210 => 5950 MHz +freq = 6210 MHz, 3db: 6470 => 6210 MHz +freq = 6470 MHz, 3db: 6730 => 6470 MHz +freq = 6730 MHz, 3db: 6990 => 6730 MHz +freq = 6990 MHz, 3db: 7250 => 6990 MHz +freq = 7000 MHz, 3db: 7250 => 7000 MHz +freq = 7250 MHz, 3db: 7400 => 7250 MHz +freq = 7400 MHz, 3db: 7800 => 7400 MHz +freq = 7800 MHz, 3db: 8200 => 7800 MHz +freq = 8200 MHz, 3db: 8600 => 8200 MHz +freq = 8600 MHz, 3db: 9000 => 8600 MHz +freq = 9000 MHz, 3db: 9400 => 9000 MHz +freq = 9400 MHz, 3db: 9800 => 9400 MHz +freq = 9800 MHz, 3db: 10200 => 9800 MHz +freq = 10200 MHz, 3db: 10600 => 10200 MHz +freq = 10600 MHz, 3db: 11000 => 10600 MHz +freq = 11000 MHz, 3db: 11400 => 11000 MHz +freq = 11400 MHz, 3db: 11800 => 11400 MHz +freq = 11800 MHz, 3db: 12200 => 11800 MHz +freq = 12200 MHz, 3db: 12600 => 12200 MHz +freq = 12210 MHz, 3db: 12600 => 12550 MHz +freq = 12220 MHz, 3db: 12600 => 12550 MHz +freq = 12230 MHz, 3db: 12600 => 12550 MHz +freq = 12240 MHz, 3db: 12600 => 12550 MHz +freq = 12250 MHz, 3db: 12600 => 12550 MHz +freq = 12260 MHz, 3db: 12600 => 12550 MHz +freq = 12270 MHz, 3db: 12600 => 12550 MHz +freq = 12280 MHz, 3db: 12600 => 12550 MHz +freq = 12290 MHz, 3db: 12600 => 12550 MHz +freq = 12300 MHz, 3db: 12600 => 12550 MHz +freq = 12310 MHz, 3db: 12600 => 12550 MHz +freq = 12320 MHz, 3db: 12600 => 12550 MHz +freq = 12330 MHz, 3db: 12600 => 12550 MHz +freq = 12340 MHz, 3db: 12600 => 12550 MHz +freq = 12350 MHz, 3db: 12600 => 12550 MHz +freq = 12360 MHz, 3db: 12600 => 12550 MHz +freq = 12370 MHz, 3db: 12600 => 12550 MHz +freq = 12380 MHz, 3db: 12600 => 12550 MHz +freq = 12390 MHz, 3db: 12600 => 12550 MHz +freq = 12400 MHz, 3db: 12600 => 12550 MHz +freq = 12410 MHz, 3db: 12600 => 12550 MHz +freq = 12420 MHz, 3db: 12600 => 12550 MHz +freq = 12430 MHz, 3db: 12600 => 12550 MHz +freq = 12440 MHz, 3db: 12600 => 12550 MHz +freq = 12450 MHz, 3db: 12600 => 12550 MHz +freq = 12460 MHz, 3db: 12600 => 12550 MHz +freq = 12470 MHz, 3db: 12600 => 12550 MHz +freq = 12480 MHz, 3db: 12600 => 12550 MHz +freq = 12490 MHz, 3db: 12600 => 12550 MHz +freq = 12500 MHz, 3db: 12600 => 12550 MHz +freq = 12510 MHz, 3db: 12600 => 12550 MHz +freq = 12520 MHz, 3db: 12600 => 12550 MHz +freq = 12530 MHz, 3db: 12600 => 12550 MHz +freq = 12540 MHz, 3db: 12600 => 12550 MHz +freq = 12550 MHz, 3db: 12600 => 12550 MHz +freq = 12600 MHz, 3db: 13000 => 12600 MHz +freq = 12610 MHz, 3db: 13000 => 12970 MHz +freq = 12620 MHz, 3db: 13000 => 12970 MHz +freq = 12630 MHz, 3db: 13000 => 12970 MHz +freq = 12640 MHz, 3db: 13000 => 12970 MHz +freq = 12650 MHz, 3db: 13000 => 12970 MHz +freq = 12660 MHz, 3db: 13000 => 12970 MHz +freq = 12670 MHz, 3db: 13000 => 12970 MHz +freq = 12680 MHz, 3db: 13000 => 12970 MHz +freq = 12690 MHz, 3db: 13000 => 12970 MHz +freq = 12700 MHz, 3db: 13000 => 12970 MHz +freq = 12710 MHz, 3db: 13000 => 12970 MHz +freq = 12720 MHz, 3db: 13000 => 12970 MHz +freq = 12730 MHz, 3db: 13000 => 12970 MHz +freq = 12740 MHz, 3db: 13000 => 12970 MHz +freq = 12750 MHz, 3db: 13000 => 12970 MHz +freq = 12760 MHz, 3db: 13000 => 12970 MHz +freq = 12770 MHz, 3db: 13000 => 12970 MHz +freq = 12780 MHz, 3db: 13000 => 12970 MHz +freq = 12790 MHz, 3db: 13000 => 12970 MHz +freq = 12800 MHz, 3db: 13000 => 12970 MHz +freq = 12810 MHz, 3db: 13000 => 12970 MHz +freq = 12820 MHz, 3db: 13000 => 12970 MHz +freq = 12830 MHz, 3db: 13000 => 12970 MHz +freq = 12840 MHz, 3db: 13000 => 12970 MHz +freq = 12850 MHz, 3db: 13000 => 12970 MHz +freq = 12860 MHz, 3db: 13000 => 12970 MHz +freq = 12870 MHz, 3db: 13000 => 12970 MHz +freq = 12880 MHz, 3db: 13000 => 12970 MHz +freq = 12890 MHz, 3db: 13000 => 12970 MHz +freq = 12900 MHz, 3db: 13000 => 12970 MHz +freq = 12910 MHz, 3db: 13000 => 12970 MHz +freq = 12920 MHz, 3db: 13000 => 12970 MHz +freq = 12930 MHz, 3db: 13000 => 12970 MHz +freq = 12940 MHz, 3db: 13000 => 12970 MHz +freq = 12950 MHz, 3db: 13000 => 12970 MHz +freq = 12960 MHz, 3db: 13000 => 12970 MHz +freq = 12970 MHz, 3db: 13000 => 12970 MHz +freq = 13000 MHz, 3db: 13390 => 13000 MHz +freq = 13390 MHz, 3db: 13810 => 13390 MHz +freq = 13810 MHz, 3db: 14230 => 13810 MHz +freq = 14230 MHz, 3db: 14650 => 14230 MHz +freq = 14650 MHz, 3db: 15070 => 14650 MHz +freq = 15070 MHz, 3db: 15490 => 15070 MHz +freq = 15490 MHz, 3db: 15910 => 15490 MHz +freq = 15910 MHz, 3db: 16330 => 15910 MHz +freq = 16330 MHz, 3db: 16750 => 16330 MHz +freq = 16750 MHz, 3db: 17170 => 16750 MHz +freq = 17170 MHz, 3db: 17590 => 17170 MHz +freq = 17590 MHz, 3db: 18010 => 17590 MHz +freq = 18010 MHz, 3db: 18430 => 18010 MHz +freq = 18430 MHz, 3db: 18850 => 18430 MHz +freq = 18850 MHz, 3db: bypass => 18850 MHz + +Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818") +Signed-off-by: Sam Winchenbach +Link: https://patch.msgid.link/20250328174831.227202-5-sam.winchenbach@framepointer.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/filter/admv8818.c | 205 +++++++++++++++++++++++++--------- + 1 file changed, 152 insertions(+), 53 deletions(-) + +diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c +index cd3aff9a2f7bf..380e119b3cf54 100644 +--- a/drivers/iio/filter/admv8818.c ++++ b/drivers/iio/filter/admv8818.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -70,6 +71,16 @@ + #define ADMV8818_HPF_WR0_MSK GENMASK(7, 4) + #define ADMV8818_LPF_WR0_MSK GENMASK(3, 0) + ++#define ADMV8818_BAND_BYPASS 0 ++#define ADMV8818_BAND_MIN 1 ++#define ADMV8818_BAND_MAX 4 ++#define ADMV8818_BAND_CORNER_LOW 0 ++#define ADMV8818_BAND_CORNER_HIGH 1 ++ ++#define ADMV8818_STATE_MIN 0 ++#define ADMV8818_STATE_MAX 15 ++#define ADMV8818_NUM_STATES 16 ++ + enum { + ADMV8818_BW_FREQ, + ADMV8818_CENTER_FREQ +@@ -90,16 +101,20 @@ struct admv8818_state { + struct mutex lock; + unsigned int filter_mode; + u64 cf_hz; ++ u64 lpf_margin_hz; ++ u64 hpf_margin_hz; + }; + +-static const unsigned long long freq_range_hpf[4][2] = { ++static const unsigned long long freq_range_hpf[5][2] = { ++ {0ULL, 0ULL}, /* bypass */ + {1750000000ULL, 3550000000ULL}, + {3400000000ULL, 7250000000ULL}, + {6600000000, 12000000000}, + {12500000000, 19900000000} + }; + +-static const unsigned long long freq_range_lpf[4][2] = { ++static const unsigned long long freq_range_lpf[5][2] = { ++ {U64_MAX, U64_MAX}, /* bypass */ + {2050000000ULL, 3850000000ULL}, + {3350000000ULL, 7250000000ULL}, + {7000000000, 13000000000}, +@@ -121,44 +136,59 @@ static const char * const admv8818_modes[] = { + + static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq) + { +- unsigned int hpf_step = 0, hpf_band = 0, i, j; +- u64 freq_step; +- int ret; ++ int band, state, ret; ++ unsigned int hpf_state = ADMV8818_STATE_MIN, hpf_band = ADMV8818_BAND_BYPASS; ++ u64 freq_error, min_freq_error, freq_corner, freq_step; + +- if (freq < freq_range_hpf[0][0]) ++ if (freq < freq_range_hpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW]) + goto hpf_write; + +- if (freq > freq_range_hpf[3][1]) { +- hpf_step = 15; +- hpf_band = 4; +- ++ if (freq >= freq_range_hpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH]) { ++ hpf_state = ADMV8818_STATE_MAX; ++ hpf_band = ADMV8818_BAND_MAX; + goto hpf_write; + } + +- for (i = 0; i < 4; i++) { +- freq_step = div_u64((freq_range_hpf[i][1] - +- freq_range_hpf[i][0]), 15); ++ /* Close HPF frequency gap between 12 and 12.5 GHz */ ++ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) { ++ hpf_state = ADMV8818_STATE_MAX; ++ hpf_band = 3; ++ goto hpf_write; ++ } + +- if (freq > freq_range_hpf[i][0] && +- (freq < freq_range_hpf[i][1] + freq_step)) { +- hpf_band = i + 1; ++ min_freq_error = U64_MAX; ++ for (band = ADMV8818_BAND_MIN; band <= ADMV8818_BAND_MAX; band++) { ++ /* ++ * This (and therefore all other ranges) have a corner ++ * frequency higher than the target frequency. ++ */ ++ if (freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] > freq) ++ break; + +- for (j = 1; j <= 16; j++) { +- if (freq < (freq_range_hpf[i][0] + (freq_step * j))) { +- hpf_step = j - 1; +- break; +- } ++ freq_step = freq_range_hpf[band][ADMV8818_BAND_CORNER_HIGH] - ++ freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW]; ++ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1); ++ ++ for (state = ADMV8818_STATE_MIN; state <= ADMV8818_STATE_MAX; state++) { ++ freq_corner = freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] + ++ freq_step * state; ++ ++ /* ++ * This (and therefore all other states) have a corner ++ * frequency higher than the target frequency. ++ */ ++ if (freq_corner > freq) ++ break; ++ ++ freq_error = freq - freq_corner; ++ if (freq_error < min_freq_error) { ++ min_freq_error = freq_error; ++ hpf_state = state; ++ hpf_band = band; + } +- break; + } + } + +- /* Close HPF frequency gap between 12 and 12.5 GHz */ +- if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) { +- hpf_band = 3; +- hpf_step = 15; +- } +- + hpf_write: + ret = regmap_update_bits(st->regmap, ADMV8818_REG_WR0_SW, + ADMV8818_SW_IN_SET_WR0_MSK | +@@ -170,7 +200,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq) + + return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER, + ADMV8818_HPF_WR0_MSK, +- FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_step)); ++ FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_state)); + } + + static int admv8818_hpf_select(struct admv8818_state *st, u64 freq) +@@ -186,31 +216,52 @@ static int admv8818_hpf_select(struct admv8818_state *st, u64 freq) + + static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq) + { +- unsigned int lpf_step = 0, lpf_band = 0, i, j; +- u64 freq_step; +- int ret; ++ int band, state, ret; ++ unsigned int lpf_state = ADMV8818_STATE_MIN, lpf_band = ADMV8818_BAND_BYPASS; ++ u64 freq_error, min_freq_error, freq_corner, freq_step; + +- if (freq > freq_range_lpf[3][1]) ++ if (freq > freq_range_lpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH]) + goto lpf_write; + +- if (freq < freq_range_lpf[0][0]) { +- lpf_band = 1; +- ++ if (freq < freq_range_lpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW]) { ++ lpf_state = ADMV8818_STATE_MIN; ++ lpf_band = ADMV8818_BAND_MIN; + goto lpf_write; + } + +- for (i = 0; i < 4; i++) { +- if (freq > freq_range_lpf[i][0] && freq < freq_range_lpf[i][1]) { +- lpf_band = i + 1; +- freq_step = div_u64((freq_range_lpf[i][1] - freq_range_lpf[i][0]), 15); ++ min_freq_error = U64_MAX; ++ for (band = ADMV8818_BAND_MAX; band >= ADMV8818_BAND_MIN; --band) { ++ /* ++ * At this point the highest corner frequency of ++ * all remaining ranges is below the target. ++ * LPF corner should be >= the target. ++ */ ++ if (freq > freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH]) ++ break; ++ ++ freq_step = freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH] - ++ freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW]; ++ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1); ++ ++ for (state = ADMV8818_STATE_MAX; state >= ADMV8818_STATE_MIN; --state) { + +- for (j = 0; j <= 15; j++) { +- if (freq < (freq_range_lpf[i][0] + (freq_step * j))) { +- lpf_step = j; +- break; +- } ++ freq_corner = freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW] + ++ state * freq_step; ++ ++ /* ++ * At this point all other states in range will ++ * place the corner frequency below the target ++ * LPF corner should >= the target. ++ */ ++ if (freq > freq_corner) ++ break; ++ ++ freq_error = freq_corner - freq; ++ if (freq_error < min_freq_error) { ++ min_freq_error = freq_error; ++ lpf_state = state; ++ lpf_band = band; + } +- break; + } + } + +@@ -225,7 +276,7 @@ static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq) + + return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER, + ADMV8818_LPF_WR0_MSK, +- FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_step)); ++ FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_state)); + } + + static int admv8818_lpf_select(struct admv8818_state *st, u64 freq) +@@ -242,16 +293,28 @@ static int admv8818_lpf_select(struct admv8818_state *st, u64 freq) + static int admv8818_rfin_band_select(struct admv8818_state *st) + { + int ret; ++ u64 hpf_corner_target, lpf_corner_target; + + st->cf_hz = clk_get_rate(st->clkin); + ++ /* Check for underflow */ ++ if (st->cf_hz > st->hpf_margin_hz) ++ hpf_corner_target = st->cf_hz - st->hpf_margin_hz; ++ else ++ hpf_corner_target = 0; ++ ++ /* Check for overflow */ ++ lpf_corner_target = st->cf_hz + st->lpf_margin_hz; ++ if (lpf_corner_target < st->cf_hz) ++ lpf_corner_target = U64_MAX; ++ + mutex_lock(&st->lock); + +- ret = __admv8818_hpf_select(st, st->cf_hz); ++ ret = __admv8818_hpf_select(st, hpf_corner_target); + if (ret) + goto exit; + +- ret = __admv8818_lpf_select(st, st->cf_hz); ++ ret = __admv8818_lpf_select(st, lpf_corner_target); + exit: + mutex_unlock(&st->lock); + return ret; +@@ -278,8 +341,11 @@ static int __admv8818_read_hpf_freq(struct admv8818_state *st, u64 *hpf_freq) + + hpf_state = FIELD_GET(ADMV8818_HPF_WR0_MSK, data); + +- *hpf_freq = div_u64(freq_range_hpf[hpf_band - 1][1] - freq_range_hpf[hpf_band - 1][0], 15); +- *hpf_freq = freq_range_hpf[hpf_band - 1][0] + (*hpf_freq * hpf_state); ++ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_HIGH] - ++ freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW]; ++ *hpf_freq = div_u64(*hpf_freq, ADMV8818_NUM_STATES - 1); ++ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW] + ++ (*hpf_freq * hpf_state); + + return ret; + } +@@ -316,8 +382,11 @@ static int __admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq) + + lpf_state = FIELD_GET(ADMV8818_LPF_WR0_MSK, data); + +- *lpf_freq = div_u64(freq_range_lpf[lpf_band - 1][1] - freq_range_lpf[lpf_band - 1][0], 15); +- *lpf_freq = freq_range_lpf[lpf_band - 1][0] + (*lpf_freq * lpf_state); ++ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_HIGH] - ++ freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW]; ++ *lpf_freq = div_u64(*lpf_freq, ADMV8818_NUM_STATES - 1); ++ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW] + ++ (*lpf_freq * lpf_state); + + return ret; + } +@@ -641,6 +710,32 @@ static int admv8818_clk_setup(struct admv8818_state *st) + return devm_add_action_or_reset(&spi->dev, admv8818_clk_notifier_unreg, st); + } + ++static int admv8818_read_properties(struct admv8818_state *st) ++{ ++ struct spi_device *spi = st->spi; ++ u32 mhz; ++ int ret; ++ ++ ret = device_property_read_u32(&spi->dev, "adi,lpf-margin-mhz", &mhz); ++ if (ret == 0) ++ st->lpf_margin_hz = (u64)mhz * HZ_PER_MHZ; ++ else if (ret == -EINVAL) ++ st->lpf_margin_hz = 0; ++ else ++ return ret; ++ ++ ++ ret = device_property_read_u32(&spi->dev, "adi,hpf-margin-mhz", &mhz); ++ if (ret == 0) ++ st->hpf_margin_hz = (u64)mhz * HZ_PER_MHZ; ++ else if (ret == -EINVAL) ++ st->hpf_margin_hz = 0; ++ else if (ret < 0) ++ return ret; ++ ++ return 0; ++} ++ + static int admv8818_probe(struct spi_device *spi) + { + struct iio_dev *indio_dev; +@@ -672,6 +767,10 @@ static int admv8818_probe(struct spi_device *spi) + + mutex_init(&st->lock); + ++ ret = admv8818_read_properties(st); ++ if (ret) ++ return ret; ++ + ret = admv8818_init(st); + if (ret) + return ret; +-- +2.39.5 + diff --git a/queue-6.12/iio-filter-admv8818-support-frequencies-2-32.patch b/queue-6.12/iio-filter-admv8818-support-frequencies-2-32.patch new file mode 100644 index 0000000000..fbfab6e45a --- /dev/null +++ b/queue-6.12/iio-filter-admv8818-support-frequencies-2-32.patch @@ -0,0 +1,71 @@ +From 04c641bbd58155324e019720355b74cfd9897ade Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 13:48:31 -0400 +Subject: iio: filter: admv8818: Support frequencies >= 2^32 + +From: Brian Pellegrino + +[ Upstream commit 9016776f1301627de78a633bda7c898425a56572 ] + +This patch allows writing u64 values to the ADMV8818's high and low-pass +filter frequencies. It includes the following changes: + +- Rejects negative frequencies in admv8818_write_raw. +- Adds a write_raw_get_fmt function to admv8818's iio_info, returning + IIO_VAL_INT_64 for the high and low-pass filter 3dB frequency channels. + +Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818") +Signed-off-by: Brian Pellegrino +Signed-off-by: Sam Winchenbach +Link: https://patch.msgid.link/20250328174831.227202-7-sam.winchenbach@framepointer.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/filter/admv8818.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c +index 380e119b3cf54..cc8ce0fe74e7c 100644 +--- a/drivers/iio/filter/admv8818.c ++++ b/drivers/iio/filter/admv8818.c +@@ -402,6 +402,19 @@ static int admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq) + return ret; + } + ++static int admv8818_write_raw_get_fmt(struct iio_dev *indio_dev, ++ struct iio_chan_spec const *chan, ++ long mask) ++{ ++ switch (mask) { ++ case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY: ++ case IIO_CHAN_INFO_HIGH_PASS_FILTER_3DB_FREQUENCY: ++ return IIO_VAL_INT_64; ++ default: ++ return -EINVAL; ++ } ++} ++ + static int admv8818_write_raw(struct iio_dev *indio_dev, + struct iio_chan_spec const *chan, + int val, int val2, long info) +@@ -410,6 +423,9 @@ static int admv8818_write_raw(struct iio_dev *indio_dev, + + u64 freq = ((u64)val2 << 32 | (u32)val); + ++ if ((s64)freq < 0) ++ return -EINVAL; ++ + switch (info) { + case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY: + return admv8818_lpf_select(st, freq); +@@ -571,6 +587,7 @@ static int admv8818_set_mode(struct iio_dev *indio_dev, + + static const struct iio_info admv8818_info = { + .write_raw = admv8818_write_raw, ++ .write_raw_get_fmt = admv8818_write_raw_get_fmt, + .read_raw = admv8818_read_raw, + .debugfs_reg_access = &admv8818_reg_access, + }; +-- +2.39.5 + diff --git a/queue-6.12/iommu-protect-against-overflow-in-iommu_pgsize.patch b/queue-6.12/iommu-protect-against-overflow-in-iommu_pgsize.patch new file mode 100644 index 0000000000..ae0f9e7f18 --- /dev/null +++ b/queue-6.12/iommu-protect-against-overflow-in-iommu_pgsize.patch @@ -0,0 +1,56 @@ +From 3c2dfdb9c407e5bf42a25e3985cb37f48c6ae7ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 10:08:37 -0300 +Subject: iommu: Protect against overflow in iommu_pgsize() + +From: Jason Gunthorpe + +[ Upstream commit e586e22974d2b7acbef3c6c3e01b2d5ce69efe33 ] + +On a 32 bit system calling: + iommu_map(0, 0x40000000) + +When using the AMD V1 page table type with a domain->pgsize of 0xfffff000 +causes iommu_pgsize() to miscalculate a result of: + size=0x40000000 count=2 + +count should be 1. This completely corrupts the mapping process. + +This is because the final test to adjust the pagesize malfunctions when +the addition overflows. Use check_add_overflow() to prevent this. + +Fixes: b1d99dc5f983 ("iommu: Hook up '->unmap_pages' driver callback") +Signed-off-by: Jason Gunthorpe +Reviewed-by: Lu Baolu +Link: https://lore.kernel.org/r/0-v1-3ad28fc2e3a3+163327-iommu_overflow_pgsize_jgg@nvidia.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c +index 879009adef407..0ad55649e2d00 100644 +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -2394,6 +2394,7 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova, + unsigned int pgsize_idx, pgsize_idx_next; + unsigned long pgsizes; + size_t offset, pgsize, pgsize_next; ++ size_t offset_end; + unsigned long addr_merge = paddr | iova; + + /* Page sizes supported by the hardware and small enough for @size */ +@@ -2434,7 +2435,8 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova, + * If size is big enough to accommodate the larger page, reduce + * the number of smaller pages. + */ +- if (offset + pgsize_next <= size) ++ if (!check_add_overflow(offset, pgsize_next, &offset_end) && ++ offset_end <= size) + size = offset; + + out_set_count: +-- +2.39.5 + diff --git a/queue-6.12/iommu-remove-duplicate-selection-of-dmar_table.patch b/queue-6.12/iommu-remove-duplicate-selection-of-dmar_table.patch new file mode 100644 index 0000000000..2c22d50b52 --- /dev/null +++ b/queue-6.12/iommu-remove-duplicate-selection-of-dmar_table.patch @@ -0,0 +1,36 @@ +From f0f68b7bb02d1d53683b6bfa31ba09f1fa5acd62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 15:10:44 +0200 +Subject: iommu: remove duplicate selection of DMAR_TABLE + +From: Rolf Eike Beer + +[ Upstream commit 9548feff840a05d61783e6316d08ed37e115f3b1 ] + +This is already done in intel/Kconfig. + +Fixes: 70bad345e622 ("iommu: Fix compilation without CONFIG_IOMMU_INTEL") +Signed-off-by: Rolf Eike Beer +Reviewed-by: Lu Baolu +Link: https://lore.kernel.org/r/2232605.Mh6RI2rZIc@devpool92.emlix.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig +index b3aa1f5d53218..1469ad0794f28 100644 +--- a/drivers/iommu/Kconfig ++++ b/drivers/iommu/Kconfig +@@ -199,7 +199,6 @@ source "drivers/iommu/iommufd/Kconfig" + config IRQ_REMAP + bool "Support for Interrupt Remapping" + depends on X86_64 && X86_IO_APIC && PCI_MSI && ACPI +- select DMAR_TABLE if INTEL_IOMMU + help + Supports Interrupt remapping for IO-APIC and MSI devices. + To use x2apic mode in the CPU's which support x2APIC enhancements or +-- +2.39.5 + diff --git a/queue-6.12/iov_iter-use-iov_offset-for-length-calculation-in-io.patch b/queue-6.12/iov_iter-use-iov_offset-for-length-calculation-in-io.patch new file mode 100644 index 0000000000..33c5240d39 --- /dev/null +++ b/queue-6.12/iov_iter-use-iov_offset-for-length-calculation-in-io.patch @@ -0,0 +1,89 @@ +From 5c815ff0917c670c4296f2f769b9ede8cac4263f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 15:28:48 +0530 +Subject: iov_iter: use iov_offset for length calculation in + iov_iter_aligned_bvec + +From: Nitesh Shetty + +[ Upstream commit 334d7c4fb60cf21e0abac134d92fe49e9b04377e ] + +If iov_offset is non-zero, then we need to consider iov_offset in length +calculation, otherwise we might pass smaller IOs such as 512 bytes, in +below scenario [1]. + +This issue is reproducible using lib-uring test/fixed-seg.c application +with fixed buffer on a 512 LBA formatted device. + +[1] + +At present we pass the alignment check, for 512 LBA formatted devices, +len_mask = 511 when IO is smaller, i->count = 512 has an offset, +i->io_offset = 3584 with bvec values, bvec->bv_offset = 256, +bvec->bv_len = 3840. In short, the first 256 bytes are in the current +page, next 256 bytes are in the another page. Ideally we expect to +fail the IO. + +I can think of 2 userspace scenarios where we experience this. + +a: From userspace, we observe a different behaviour when device LBA + size is 512 vs 4096 bytes. For 4096 LBA formatted device, I see the + same liburing test [2] failing, whereas 512 the test passes without + this. This is reproducible everytime. + + [2] https://github.com/axboe/liburing/ + +b: Although I was not able to reproduce the below condition, but I + suspect below case should be possible from user space for devices + with 512 LBA formatted device. Lets say from userspace while + allocating a virtually single chunk of memory, if we get 2 physical + chunk of memory, and IO happens to be at the boundary of first + physical chunk with length crossing first chunk, then we allow IOs + to proceed and hence we might map wrong physical address length and + proceed with IO rather than failing. + +: --- a/test/fixed-seg.c +: +++ b/test/fixed-seg.c +: @@ -64,7 +64,7 @@ static int test(struct io_uring *ring, int fd, int +: vec_off) +: return T_EXIT_FAIL; +: } +: +: - ret = read_it(ring, fd, 4096, vec_off); +: + ret = read_it(ring, fd, 4096, 7*512 + 256); +: if (ret) { +: fprintf(stderr, "4096 0 failed\n"); +: return T_EXIT_FAIL; + +Effectively this is a write crossing the page boundary. + +Link: https://lkml.kernel.org/r/20250428095849.11709-1-nj.shetty@samsung.com +Fixes: 2263639f96f2 ("iov_iter: streamline iovec/bvec alignment iteration") +Reviewed-by: Jens Axboe +Reviewed-by: Anuj Gupta +Signed-off-by: Nitesh Shetty +Cc: Al Viro +Cc: Christian Brauner +Cc: Keith Busch +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/iov_iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index bdb37d572e97c..8ede6be556a96 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -820,7 +820,7 @@ static bool iov_iter_aligned_bvec(const struct iov_iter *i, unsigned addr_mask, + size_t size = i->count; + + do { +- size_t len = bvec->bv_len; ++ size_t len = bvec->bv_len - skip; + + if (len > size) + len = size; +-- +2.39.5 + diff --git a/queue-6.12/kernfs-relax-constraint-in-draining-guard.patch b/queue-6.12/kernfs-relax-constraint-in-draining-guard.patch new file mode 100644 index 0000000000..9d2a35d5ff --- /dev/null +++ b/queue-6.12/kernfs-relax-constraint-in-draining-guard.patch @@ -0,0 +1,88 @@ +From 00a74da29f7a3a1982e4e4397ec9c7c68856ee9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 14:12:00 +0200 +Subject: kernfs: Relax constraint in draining guard +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Koutný + +[ Upstream commit 071d8e4c2a3b0999a9b822e2eb8854784a350f8a ] + +The active reference lifecycle provides the break/unbreak mechanism but +the active reference is not truly active after unbreak -- callers don't +use it afterwards but it's important for proper pairing of kn->active +counting. Assuming this mechanism is in place, the WARN check in +kernfs_should_drain_open_files() is too sensitive -- it may transiently +catch those (rightful) callers between +kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen +Ridong: + + kernfs_remove_by_name_ns kernfs_get_active // active=1 + __kernfs_remove // active=0x80000002 + kernfs_drain ... + wait_event + //waiting (active == 0x80000001) + kernfs_break_active_protection + // active = 0x80000001 + // continue + kernfs_unbreak_active_protection + // active = 0x80000002 + ... + kernfs_should_drain_open_files + // warning occurs + kernfs_put_active + +To avoid the false positives (mind panic_on_warn) remove the check altogether. +(This is meant as quick fix, I think active reference break/unbreak may be +simplified with larger rework.) + +Fixes: bdb2fd7fc56e1 ("kernfs: Skip kernfs_drain_open_files() more aggressively") +Link: https://lore.kernel.org/r/kmmrseckjctb4gxcx2rdminrjnq2b4ipf7562nvfd432ld5v5m@2byj5eedkb2o/ + +Cc: Chen Ridong +Signed-off-by: Michal Koutný +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20250505121201.879823-1-mkoutny@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/kernfs/dir.c | 5 +++-- + fs/kernfs/file.c | 3 ++- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c +index 458519e416fe7..5dc90a498e75d 100644 +--- a/fs/kernfs/dir.c ++++ b/fs/kernfs/dir.c +@@ -1560,8 +1560,9 @@ void kernfs_break_active_protection(struct kernfs_node *kn) + * invoked before finishing the kernfs operation. Note that while this + * function restores the active reference, it doesn't and can't actually + * restore the active protection - @kn may already or be in the process of +- * being removed. Once kernfs_break_active_protection() is invoked, that +- * protection is irreversibly gone for the kernfs operation instance. ++ * being drained and removed. Once kernfs_break_active_protection() is ++ * invoked, that protection is irreversibly gone for the kernfs operation ++ * instance. + * + * While this function may be called at any point after + * kernfs_break_active_protection() is invoked, its most useful location +diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c +index 8502ef68459b9..1943c8bd479bf 100644 +--- a/fs/kernfs/file.c ++++ b/fs/kernfs/file.c +@@ -778,8 +778,9 @@ bool kernfs_should_drain_open_files(struct kernfs_node *kn) + /* + * @kn being deactivated guarantees that @kn->attr.open can't change + * beneath us making the lockless test below safe. ++ * Callers post kernfs_unbreak_active_protection may be counted in ++ * kn->active by now, do not WARN_ON because of them. + */ +- WARN_ON_ONCE(atomic_read(&kn->active) != KN_DEACTIVATED_BIAS); + + rcu_read_lock(); + on = rcu_dereference(kn->attr.open); +-- +2.39.5 + diff --git a/queue-6.12/kselftest-cpufreq-get-rid-of-double-suspend-in-rtcwa.patch b/queue-6.12/kselftest-cpufreq-get-rid-of-double-suspend-in-rtcwa.patch new file mode 100644 index 0000000000..49a16fd64a --- /dev/null +++ b/queue-6.12/kselftest-cpufreq-get-rid-of-double-suspend-in-rtcwa.patch @@ -0,0 +1,52 @@ +From 23df6196522205a39234db070456af8f2ee967ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 10:55:49 -0400 +Subject: kselftest: cpufreq: Get rid of double suspend in rtcwake case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 23b88515a318680337f21d0a2fceee8038ccffc8 ] + +Commit 0b631ed3ce92 ("kselftest: cpufreq: Add RTC wakeup alarm") added +support for automatic wakeup in the suspend routine of the cpufreq +kselftest by using rtcwake, however it left the manual power state +change in the common path. The end result is that when running the +cpufreq kselftest with '-t suspend_rtc' or '-t hibernate_rtc', the +system will go to sleep and be woken up by the RTC, but then immediately +go to sleep again with no wakeup programmed, so it will sleep forever in +an automated testing setup. + +Fix this by moving the manual power state change so that it only happens +when not using rtcwake. + +Link: https://lore.kernel.org/r/20250430-ksft-cpufreq-suspend-rtc-double-fix-v1-1-dc17a729c5a7@collabora.com +Fixes: 0b631ed3ce92 ("kselftest: cpufreq: Add RTC wakeup alarm") +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/cpufreq/cpufreq.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/cpufreq/cpufreq.sh b/tools/testing/selftests/cpufreq/cpufreq.sh +index e350c521b4675..3aad9db921b53 100755 +--- a/tools/testing/selftests/cpufreq/cpufreq.sh ++++ b/tools/testing/selftests/cpufreq/cpufreq.sh +@@ -244,9 +244,10 @@ do_suspend() + printf "Failed to suspend using RTC wake alarm\n" + return 1 + fi ++ else ++ echo $filename > $SYSFS/power/state + fi + +- echo $filename > $SYSFS/power/state + printf "Came out of $1\n" + + printf "Do basic tests after finishing $1 to verify cpufreq state\n\n" +-- +2.39.5 + diff --git a/queue-6.12/ktls-sockmap-fix-missing-uncharge-operation.patch b/queue-6.12/ktls-sockmap-fix-missing-uncharge-operation.patch new file mode 100644 index 0000000000..b4f94521cc --- /dev/null +++ b/queue-6.12/ktls-sockmap-fix-missing-uncharge-operation.patch @@ -0,0 +1,59 @@ +From fc64dfb4e5be3315a124a408aa16517804f5c1cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 13:59:57 +0800 +Subject: ktls, sockmap: Fix missing uncharge operation + +From: Jiayuan Chen + +[ Upstream commit 79f0c39ae7d3dc628c01b02f23ca5d01f9875040 ] + +When we specify apply_bytes, we divide the msg into multiple segments, +each with a length of 'send', and every time we send this part of the data +using tcp_bpf_sendmsg_redir(), we use sk_msg_return_zero() to uncharge the +memory of the specified 'send' size. + +However, if the first segment of data fails to send, for example, the +peer's buffer is full, we need to release all of the msg. When releasing +the msg, we haven't uncharged the memory of the subsequent segments. + +This modification does not make significant logical changes, but only +fills in the missing uncharge places. + +This issue has existed all along, until it was exposed after we added the +apply test in test_sockmap: +commit 3448ad23b34e ("selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap") + +Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") +Reported-by: Cong Wang +Closes: https://lore.kernel.org/bpf/aAmIi0vlycHtbXeb@pop-os.localdomain/T/#t +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Acked-by: John Fastabend +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/r/20250425060015.6968-2-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index b3cae4dd4f499..8fb5925f2389e 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -908,6 +908,13 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, + &msg_redir, send, flags); + lock_sock(sk); + if (err < 0) { ++ /* Regardless of whether the data represented by ++ * msg_redir is sent successfully, we have already ++ * uncharged it via sk_msg_return_zero(). The ++ * msg->sg.size represents the remaining unprocessed ++ * data, which needs to be uncharged here. ++ */ ++ sk_mem_uncharge(sk, msg->sg.size); + *copied -= sk_msg_free_nocharge(sk, &msg_redir); + msg->sg.size = 0; + } +-- +2.39.5 + diff --git a/queue-6.12/kunit-fix-wrong-parameter-to-kunit_deactivate_static.patch b/queue-6.12/kunit-fix-wrong-parameter-to-kunit_deactivate_static.patch new file mode 100644 index 0000000000..36e683372c --- /dev/null +++ b/queue-6.12/kunit-fix-wrong-parameter-to-kunit_deactivate_static.patch @@ -0,0 +1,41 @@ +From 17a93542b9ae4c825fa5775b460a1c99dc152d29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 08:20:49 +0000 +Subject: kunit: Fix wrong parameter to kunit_deactivate_static_stub() + +From: Tzung-Bi Shih + +[ Upstream commit 772e50a76ee664e75581624f512df4e45582605a ] + +kunit_deactivate_static_stub() accepts real_fn_addr instead of +replacement_addr. In the case, it always passes NULL to +kunit_deactivate_static_stub(). + +Fix it. + +Link: https://lore.kernel.org/r/20250520082050.2254875-1-tzungbi@kernel.org +Fixes: e047c5eaa763 ("kunit: Expose 'static stub' API to redirect functions") +Signed-off-by: Tzung-Bi Shih +Reviewed-by: David Gow +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + lib/kunit/static_stub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/kunit/static_stub.c b/lib/kunit/static_stub.c +index 92b2cccd5e763..484fd85251b41 100644 +--- a/lib/kunit/static_stub.c ++++ b/lib/kunit/static_stub.c +@@ -96,7 +96,7 @@ void __kunit_activate_static_stub(struct kunit *test, + + /* If the replacement address is NULL, deactivate the stub. */ + if (!replacement_addr) { +- kunit_deactivate_static_stub(test, replacement_addr); ++ kunit_deactivate_static_stub(test, real_fn_addr); + return; + } + +-- +2.39.5 + diff --git a/queue-6.12/kunit-usercopy-disable-u64-test-on-32-bit-sparc.patch b/queue-6.12/kunit-usercopy-disable-u64-test-on-32-bit-sparc.patch new file mode 100644 index 0000000000..8a8f4659fb --- /dev/null +++ b/queue-6.12/kunit-usercopy-disable-u64-test-on-32-bit-sparc.patch @@ -0,0 +1,45 @@ +From 130b0c404fdfacba31719c09864c1b0b065ee122 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 14:44:19 +0200 +Subject: kunit/usercopy: Disable u64 test on 32-bit SPARC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 0d6efa20e384a41a7f4afdcd8a0aec442c19d33e ] + +usercopy of 64 bit values does not work on 32-bit SPARC: + + # usercopy_test_valid: EXPECTATION FAILED at lib/tests/usercopy_kunit.c:209 + Expected val_u64 == 0x5a5b5c5d6a6b6c6d, but + val_u64 == 1515936861 (0x5a5b5c5d) + 0x5a5b5c5d6a6b6c6d == 6510899242581322861 (0x5a5b5c5d6a6b6c6d) + +Disable the test. + +Fixes: 4c5d7bc63775 ("usercopy: Add tests for all get_user() sizes") +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20250416-kunit-sparc-usercopy-v1-1-a772054db3af@linutronix.de +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + lib/usercopy_kunit.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/usercopy_kunit.c b/lib/usercopy_kunit.c +index 77fa00a13df77..80f8abe10968c 100644 +--- a/lib/usercopy_kunit.c ++++ b/lib/usercopy_kunit.c +@@ -27,6 +27,7 @@ + !defined(CONFIG_MICROBLAZE) && \ + !defined(CONFIG_NIOS2) && \ + !defined(CONFIG_PPC32) && \ ++ !defined(CONFIG_SPARC32) && \ + !defined(CONFIG_SUPERH)) + # define TEST_U64 + #endif +-- +2.39.5 + diff --git a/queue-6.12/libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch b/queue-6.12/libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch new file mode 100644 index 0000000000..29c77478bc --- /dev/null +++ b/queue-6.12/libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch @@ -0,0 +1,106 @@ +From 7e298153609c06cbdc09f66f5e2e229f3eb7b41e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 17:50:14 +0200 +Subject: libbpf: Fix buffer overflow in bpf_object__init_prog + +From: Viktor Malik + +[ Upstream commit ee684de5c1b0ac01821320826baec7da93f3615b ] + +As shown in [1], it is possible to corrupt a BPF ELF file such that +arbitrary BPF instructions are loaded by libbpf. This can be done by +setting a symbol (BPF program) section offset to a large (unsigned) +number such that
overflows and points +before the section data in the memory. + +Consider the situation below where: +- prog_start = sec_start + symbol_offset <-- size_t overflow here +- prog_end = prog_start + prog_size + + prog_start sec_start prog_end sec_end + | | | | + v v v v + .....................|################################|............ + +The report in [1] also provides a corrupted BPF ELF which can be used as +a reproducer: + + $ readelf -S crash + Section Headers: + [Nr] Name Type Address Offset + Size EntSize Flags Link Info Align + ... + [ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040 + 0000000000000068 0000000000000000 AX 0 0 8 + + $ readelf -s crash + Symbol table '.symtab' contains 8 entries: + Num: Value Size Type Bind Vis Ndx Name + ... + 6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp + +Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will +point before the actual memory where section 2 is allocated. + +This is also reported by AddressSanitizer: + + ================================================================= + ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490 + READ of size 104 at 0x7c7302fe0000 thread T0 + #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76) + #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856 + #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928 + #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930 + #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067 + #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090 + #6 0x000000400c16 in main /poc/poc.c:8 + #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) + #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) + #9 0x000000400b34 in _start (/poc/poc+0x400b34) + + 0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8) + allocated by thread T0 here: + #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b) + #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600) + #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018) + #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740 + +The problem here is that currently, libbpf only checks that the program +end is within the section bounds. There used to be a check +`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was +removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program +sections to support overriden weak functions"). + +Add a check for detecting the overflow of `sec_off + prog_sz` to +bpf_object__init_prog to fix this issue. + +[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md + +Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions") +Reported-by: lmarch2 <2524158037@qq.com> +Signed-off-by: Viktor Malik +Signed-off-by: Andrii Nakryiko +Reviewed-by: Shung-Hsi Yu +Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md +Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 6e4d417604fa0..069ffe5da96e5 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -887,7 +887,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data, + return -LIBBPF_ERRNO__FORMAT; + } + +- if (sec_off + prog_sz > sec_sz) { ++ if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) { + pr_warn("sec '%s': program at offset %zu crosses section boundary\n", + sec_name, sec_off); + return -LIBBPF_ERRNO__FORMAT; +-- +2.39.5 + diff --git a/queue-6.12/libbpf-fix-event-name-too-long-error.patch b/queue-6.12/libbpf-fix-event-name-too-long-error.patch new file mode 100644 index 0000000000..4205822755 --- /dev/null +++ b/queue-6.12/libbpf-fix-event-name-too-long-error.patch @@ -0,0 +1,160 @@ +From 044a394543ea7045672bf4d05dc43fafe4f5b9be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 09:48:46 +0800 +Subject: libbpf: Fix event name too long error + +From: Feng Yang + +[ Upstream commit 4dde20b1aa85d69c4281eaac9a7cfa7d2b62ecf0 ] + +When the binary path is excessively long, the generated probe_name in libbpf +exceeds the kernel's MAX_EVENT_NAME_LEN limit (64 bytes). +This causes legacy uprobe event attachment to fail with error code -22. + +The fix reorders the fields to place the unique ID before the name. +This ensures that even if truncation occurs via snprintf, the unique ID +remains intact, preserving event name uniqueness. Additionally, explicit +checks with MAX_EVENT_NAME_LEN are added to enforce length constraints. + +Before Fix: + ./test_progs -t attach_probe/kprobe-long_name + ...... + libbpf: failed to add legacy kprobe event for 'bpf_testmod_looooooooooooooooooooooooooooooong_name+0x0': -EINVAL + libbpf: prog 'handle_kprobe': failed to create kprobe 'bpf_testmod_looooooooooooooooooooooooooooooong_name+0x0' perf event: -EINVAL + test_attach_kprobe_long_event_name:FAIL:attach_kprobe_long_event_name unexpected error: -22 + test_attach_probe:PASS:uprobe_ref_ctr_cleanup 0 nsec + #13/11 attach_probe/kprobe-long_name:FAIL + #13 attach_probe:FAIL + + ./test_progs -t attach_probe/uprobe-long_name + ...... + libbpf: failed to add legacy uprobe event for /root/linux-bpf/bpf-next/tools/testing/selftests/bpf/test_progs:0x13efd9: -EINVAL + libbpf: prog 'handle_uprobe': failed to create uprobe '/root/linux-bpf/bpf-next/tools/testing/selftests/bpf/test_progs:0x13efd9' perf event: -EINVAL + test_attach_uprobe_long_event_name:FAIL:attach_uprobe_long_event_name unexpected error: -22 + #13/10 attach_probe/uprobe-long_name:FAIL + #13 attach_probe:FAIL +After Fix: + ./test_progs -t attach_probe/uprobe-long_name + #13/10 attach_probe/uprobe-long_name:OK + #13 attach_probe:OK + Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED + + ./test_progs -t attach_probe/kprobe-long_name + #13/11 attach_probe/kprobe-long_name:OK + #13 attach_probe:OK + Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED + +Fixes: 46ed5fc33db9 ("libbpf: Refactor and simplify legacy kprobe code") +Fixes: cc10623c6810 ("libbpf: Add legacy uprobe attaching support") +Signed-off-by: Hengqi Chen +Signed-off-by: Feng Yang +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250417014848.59321-2-yangfeng59949@163.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 43 ++++++++++++++++-------------------------- + 1 file changed, 16 insertions(+), 27 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 069ffe5da96e5..976fabd5d4dbc 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -60,6 +60,8 @@ + #define BPF_FS_MAGIC 0xcafe4a11 + #endif + ++#define MAX_EVENT_NAME_LEN 64 ++ + #define BPF_FS_DEFAULT_PATH "/sys/fs/bpf" + + #define BPF_INSN_SZ (sizeof(struct bpf_insn)) +@@ -11039,16 +11041,16 @@ static const char *tracefs_available_filter_functions_addrs(void) + : TRACEFS"/available_filter_functions_addrs"; + } + +-static void gen_kprobe_legacy_event_name(char *buf, size_t buf_sz, +- const char *kfunc_name, size_t offset) ++static void gen_probe_legacy_event_name(char *buf, size_t buf_sz, ++ const char *name, size_t offset) + { + static int index = 0; + int i; + +- snprintf(buf, buf_sz, "libbpf_%u_%s_0x%zx_%d", getpid(), kfunc_name, offset, +- __sync_fetch_and_add(&index, 1)); ++ snprintf(buf, buf_sz, "libbpf_%u_%d_%s_0x%zx", getpid(), ++ __sync_fetch_and_add(&index, 1), name, offset); + +- /* sanitize binary_path in the probe name */ ++ /* sanitize name in the probe name */ + for (i = 0; buf[i]; i++) { + if (!isalnum(buf[i])) + buf[i] = '_'; +@@ -11174,9 +11176,9 @@ int probe_kern_syscall_wrapper(int token_fd) + + return pfd >= 0 ? 1 : 0; + } else { /* legacy mode */ +- char probe_name[128]; ++ char probe_name[MAX_EVENT_NAME_LEN]; + +- gen_kprobe_legacy_event_name(probe_name, sizeof(probe_name), syscall_name, 0); ++ gen_probe_legacy_event_name(probe_name, sizeof(probe_name), syscall_name, 0); + if (add_kprobe_event_legacy(probe_name, false, syscall_name, 0) < 0) + return 0; + +@@ -11233,10 +11235,10 @@ bpf_program__attach_kprobe_opts(const struct bpf_program *prog, + func_name, offset, + -1 /* pid */, 0 /* ref_ctr_off */); + } else { +- char probe_name[256]; ++ char probe_name[MAX_EVENT_NAME_LEN]; + +- gen_kprobe_legacy_event_name(probe_name, sizeof(probe_name), +- func_name, offset); ++ gen_probe_legacy_event_name(probe_name, sizeof(probe_name), ++ func_name, offset); + + legacy_probe = strdup(probe_name); + if (!legacy_probe) +@@ -11744,20 +11746,6 @@ static int attach_uprobe_multi(const struct bpf_program *prog, long cookie, stru + return ret; + } + +-static void gen_uprobe_legacy_event_name(char *buf, size_t buf_sz, +- const char *binary_path, uint64_t offset) +-{ +- int i; +- +- snprintf(buf, buf_sz, "libbpf_%u_%s_0x%zx", getpid(), binary_path, (size_t)offset); +- +- /* sanitize binary_path in the probe name */ +- for (i = 0; buf[i]; i++) { +- if (!isalnum(buf[i])) +- buf[i] = '_'; +- } +-} +- + static inline int add_uprobe_event_legacy(const char *probe_name, bool retprobe, + const char *binary_path, size_t offset) + { +@@ -12173,13 +12161,14 @@ bpf_program__attach_uprobe_opts(const struct bpf_program *prog, pid_t pid, + pfd = perf_event_open_probe(true /* uprobe */, retprobe, binary_path, + func_offset, pid, ref_ctr_off); + } else { +- char probe_name[PATH_MAX + 64]; ++ char probe_name[MAX_EVENT_NAME_LEN]; + + if (ref_ctr_off) + return libbpf_err_ptr(-EINVAL); + +- gen_uprobe_legacy_event_name(probe_name, sizeof(probe_name), +- binary_path, func_offset); ++ gen_probe_legacy_event_name(probe_name, sizeof(probe_name), ++ strrchr(binary_path, '/') ? : binary_path, ++ func_offset); + + legacy_probe = strdup(probe_name); + if (!legacy_probe) +-- +2.39.5 + diff --git a/queue-6.12/libbpf-remove-sample_period-init-in-perf_buffer.patch b/queue-6.12/libbpf-remove-sample_period-init-in-perf_buffer.patch new file mode 100644 index 0000000000..5b61fa8ad0 --- /dev/null +++ b/queue-6.12/libbpf-remove-sample_period-init-in-perf_buffer.patch @@ -0,0 +1,39 @@ +From 3f35b7dcce1f683a33b9be105c569d9bf24c82bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 00:39:01 +0800 +Subject: libbpf: Remove sample_period init in perf_buffer + +From: Tao Chen + +[ Upstream commit 64821d25f05ac468d435e61669ae745ce5a633ea ] + +It seems that sample_period is not used in perf buffer. Actually, only +wakeup_events are meaningful to enable events aggregation for wakeup notification. +Remove sample_period setting code to avoid confusion. + +Fixes: fb84b8224655 ("libbpf: add perf buffer API") +Signed-off-by: Tao Chen +Signed-off-by: Andrii Nakryiko +Acked-by: Jiri Olsa +Acked-by: Namhyung Kim +Link: https://lore.kernel.org/bpf/20250423163901.2983689-1-chen.dylane@linux.dev +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 976fabd5d4dbc..c6eceae4d6ff6 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -13245,7 +13245,6 @@ struct perf_buffer *perf_buffer__new(int map_fd, size_t page_cnt, + attr.config = PERF_COUNT_SW_BPF_OUTPUT; + attr.type = PERF_TYPE_SOFTWARE; + attr.sample_type = PERF_SAMPLE_RAW; +- attr.sample_period = sample_period; + attr.wakeup_events = sample_period; + + p.attr = &attr; +-- +2.39.5 + diff --git a/queue-6.12/libbpf-use-proper-errno-value-in-linker.patch b/queue-6.12/libbpf-use-proper-errno-value-in-linker.patch new file mode 100644 index 0000000000..7abf096b87 --- /dev/null +++ b/queue-6.12/libbpf-use-proper-errno-value-in-linker.patch @@ -0,0 +1,49 @@ +From 2068acba3c4f13831d30af22eb217a8e4192c03f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 12:08:20 +0000 +Subject: libbpf: Use proper errno value in linker + +From: Anton Protopopov + +[ Upstream commit 358b1c0f56ebb6996fcec7dcdcf6bae5dcbc8b6c ] + +Return values of the linker_append_sec_data() and the +linker_append_elf_relos() functions are propagated all the +way up to users of libbpf API. In some error cases these +functions return -1 which will be seen as -EPERM from user's +point of view. Instead, return a more reasonable -EINVAL. + +Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs") +Signed-off-by: Anton Protopopov +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250430120820.2262053-1-a.s.protopopov@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/linker.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c +index 179f6b31cbd6f..d4ab9315afe71 100644 +--- a/tools/lib/bpf/linker.c ++++ b/tools/lib/bpf/linker.c +@@ -1220,7 +1220,7 @@ static int linker_append_sec_data(struct bpf_linker *linker, struct src_obj *obj + } else { + if (!secs_match(dst_sec, src_sec)) { + pr_warn("ELF sections %s are incompatible\n", src_sec->sec_name); +- return -1; ++ return -EINVAL; + } + + /* "license" and "version" sections are deduped */ +@@ -2067,7 +2067,7 @@ static int linker_append_elf_relos(struct bpf_linker *linker, struct src_obj *ob + } + } else if (!secs_match(dst_sec, src_sec)) { + pr_warn("sections %s are not compatible\n", src_sec->sec_name); +- return -1; ++ return -EINVAL; + } + + /* shdr->sh_link points to SYMTAB */ +-- +2.39.5 + diff --git a/queue-6.12/libbpf-use-proper-errno-value-in-nlattr.patch b/queue-6.12/libbpf-use-proper-errno-value-in-nlattr.patch new file mode 100644 index 0000000000..59b9601d8d --- /dev/null +++ b/queue-6.12/libbpf-use-proper-errno-value-in-nlattr.patch @@ -0,0 +1,75 @@ +From 0e0e9d13a90d0cc2aa8a3c78723c88dcdf0b2ee3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:20:11 +0000 +Subject: libbpf: Use proper errno value in nlattr + +From: Anton Protopopov + +[ Upstream commit fd5fd538a1f4b34cee6823ba0ddda2f7a55aca96 ] + +Return value of the validate_nla() function can be propagated all the +way up to users of libbpf API. In case of error this libbpf version +of validate_nla returns -1 which will be seen as -EPERM from user's +point of view. Instead, return a more reasonable -EINVAL. + +Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP") +Suggested-by: Andrii Nakryiko +Signed-off-by: Anton Protopopov +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250510182011.2246631-1-a.s.protopopov@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/nlattr.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c +index 975e265eab3bf..06663f9ea581f 100644 +--- a/tools/lib/bpf/nlattr.c ++++ b/tools/lib/bpf/nlattr.c +@@ -63,16 +63,16 @@ static int validate_nla(struct nlattr *nla, int maxtype, + minlen = nla_attr_minlen[pt->type]; + + if (libbpf_nla_len(nla) < minlen) +- return -1; ++ return -EINVAL; + + if (pt->maxlen && libbpf_nla_len(nla) > pt->maxlen) +- return -1; ++ return -EINVAL; + + if (pt->type == LIBBPF_NLA_STRING) { + char *data = libbpf_nla_data(nla); + + if (data[libbpf_nla_len(nla) - 1] != '\0') +- return -1; ++ return -EINVAL; + } + + return 0; +@@ -118,19 +118,18 @@ int libbpf_nla_parse(struct nlattr *tb[], int maxtype, struct nlattr *head, + if (policy) { + err = validate_nla(nla, maxtype, policy); + if (err < 0) +- goto errout; ++ return err; + } + +- if (tb[type]) ++ if (tb[type]) { + pr_warn("Attribute of type %#x found multiple times in message, " + "previous attribute is being ignored.\n", type); ++ } + + tb[type] = nla; + } + +- err = 0; +-errout: +- return err; ++ return 0; + } + + /** +-- +2.39.5 + diff --git a/queue-6.12/loop-add-file_start_write-and-file_end_write.patch b/queue-6.12/loop-add-file_start_write-and-file_end_write.patch new file mode 100644 index 0000000000..a58acf7473 --- /dev/null +++ b/queue-6.12/loop-add-file_start_write-and-file_end_write.patch @@ -0,0 +1,63 @@ +From 9b59ec1c2537ceced079ae60aad1f9dc719d116e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 23:34:05 +0800 +Subject: loop: add file_start_write() and file_end_write() + +From: Ming Lei + +[ Upstream commit 39d86db34e41b96bd86f1955cd0ce6cd9c5fca4c ] + +file_start_write() and file_end_write() should be added around ->write_iter(). + +Recently we switch to ->write_iter() from vfs_iter_write(), and the +implied file_start_write() and file_end_write() are lost. + +Also we never add them for dio code path, so add them back for covering +both. + +Cc: Jeff Moyer +Fixes: f2fed441c69b ("loop: stop using vfs_iter_{read,write} for buffered I/O") +Fixes: bc07c10a3603 ("block: loop: support DIO & AIO") +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20250527153405.837216-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 0843d229b0f76..e9a197474b9d8 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -323,11 +323,14 @@ static void lo_complete_rq(struct request *rq) + static void lo_rw_aio_do_completion(struct loop_cmd *cmd) + { + struct request *rq = blk_mq_rq_from_pdu(cmd); ++ struct loop_device *lo = rq->q->queuedata; + + if (!atomic_dec_and_test(&cmd->ref)) + return; + kfree(cmd->bvec); + cmd->bvec = NULL; ++ if (req_op(rq) == REQ_OP_WRITE) ++ file_end_write(lo->lo_backing_file); + if (likely(!blk_should_fake_timeout(rq->q))) + blk_mq_complete_request(rq); + } +@@ -402,9 +405,10 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd, + cmd->iocb.ki_flags = 0; + } + +- if (rw == ITER_SOURCE) ++ if (rw == ITER_SOURCE) { ++ file_start_write(lo->lo_backing_file); + ret = file->f_op->write_iter(&cmd->iocb, &iter); +- else ++ } else + ret = file->f_op->read_iter(&cmd->iocb, &iter); + + lo_rw_aio_do_completion(cmd); +-- +2.39.5 + diff --git a/queue-6.12/m68k-mac-fix-macintosh_config-for-mac-ii.patch b/queue-6.12/m68k-mac-fix-macintosh_config-for-mac-ii.patch new file mode 100644 index 0000000000..62b2b2ab58 --- /dev/null +++ b/queue-6.12/m68k-mac-fix-macintosh_config-for-mac-ii.patch @@ -0,0 +1,46 @@ +From 6434aba57febb8b427d5f325e64b2b02304967c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 10:07:26 +1000 +Subject: m68k: mac: Fix macintosh_config for Mac II + +From: Finn Thain + +[ Upstream commit 52ae3f5da7e5adbe3d1319573b55dac470abb83c ] + +When booted on my Mac II, the kernel prints this: + + Detected Macintosh model: 6 + Apple Macintosh Unknown + +The catch-all entry ("Unknown") is mac_data_table[0] which is only needed +in the unlikely event that the bootinfo model ID can't be matched. +When model ID is 6, the search should begin and end at mac_data_table[1]. +Fix the off-by-one error that causes this problem. + +Cc: Joshua Thompson +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/d0f30a551064ca4810b1c48d5a90954be80634a9.1745453246.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c +index e324410ef239c..d26c7f4f8c360 100644 +--- a/arch/m68k/mac/config.c ++++ b/arch/m68k/mac/config.c +@@ -793,7 +793,7 @@ static void __init mac_identify(void) + } + + macintosh_config = mac_data_table; +- for (m = macintosh_config; m->ident != -1; m++) { ++ for (m = &mac_data_table[1]; m->ident != -1; m++) { + if (m->ident == model) { + macintosh_config = m; + break; +-- +2.39.5 + diff --git a/queue-6.12/mailbox-imx-fix-txdb_v2-sending.patch b/queue-6.12/mailbox-imx-fix-txdb_v2-sending.patch new file mode 100644 index 0000000000..62a4db8e7b --- /dev/null +++ b/queue-6.12/mailbox-imx-fix-txdb_v2-sending.patch @@ -0,0 +1,73 @@ +From 5f82a546395b08369d45d662b2d3a08f5abea6ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 May 2025 16:47:24 +0800 +Subject: mailbox: imx: Fix TXDB_V2 sending + +From: Peng Fan + +[ Upstream commit f5cb07ec6aabd1bb56adbdeb5f0d70cb524db2cd ] + +i.MX95 features several processing domains, Cortex-M7, Cortex-A55 +secure, Cortex-A55 non-secure. Each domain could communicate with +SCMI firmware with a dedicated MU. But the current NXP SCMI firmware +is not a RTOS, all processing logic codes are in interrupt context. +So if high priority Cortex-M7 is communicating with SCMI firmware and +requires a bit more time to handle the SCMI call, Linux MU TXDB_V2 +will be timeout with high possiblity in 1000us(the current value in +imx-mailbox.c). Per NXP SCMI firmware design, if timeout, there is +no recover logic, so SCMI agents should never timeout and always +wait until the check condition met. + +Based on the upper reason, enlarge the timeout value to 10ms which +is less chance to timeout, and retry if timeout really happends. + +Fixes: 5bfe4067d350 ("mailbox: imx: support channel type tx doorbell v2") +Signed-off-by: Peng Fan +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/imx-mailbox.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/mailbox/imx-mailbox.c b/drivers/mailbox/imx-mailbox.c +index f815dab3be50c..0657bd3d8f97b 100644 +--- a/drivers/mailbox/imx-mailbox.c ++++ b/drivers/mailbox/imx-mailbox.c +@@ -226,7 +226,7 @@ static int imx_mu_generic_tx(struct imx_mu_priv *priv, + { + u32 *arg = data; + u32 val; +- int ret; ++ int ret, count; + + switch (cp->type) { + case IMX_MU_TYPE_TX: +@@ -240,11 +240,20 @@ static int imx_mu_generic_tx(struct imx_mu_priv *priv, + case IMX_MU_TYPE_TXDB_V2: + imx_mu_write(priv, IMX_MU_xCR_GIRn(priv->dcfg->type, cp->idx), + priv->dcfg->xCR[IMX_MU_GCR]); +- ret = readl_poll_timeout(priv->base + priv->dcfg->xCR[IMX_MU_GCR], val, +- !(val & IMX_MU_xCR_GIRn(priv->dcfg->type, cp->idx)), +- 0, 1000); +- if (ret) +- dev_warn_ratelimited(priv->dev, "channel type: %d failure\n", cp->type); ++ ret = -ETIMEDOUT; ++ count = 0; ++ while (ret && (count < 10)) { ++ ret = ++ readl_poll_timeout(priv->base + priv->dcfg->xCR[IMX_MU_GCR], val, ++ !(val & IMX_MU_xCR_GIRn(priv->dcfg->type, cp->idx)), ++ 0, 10000); ++ ++ if (ret) { ++ dev_warn_ratelimited(priv->dev, ++ "channel type: %d timeout, %d times, retry\n", ++ cp->type, ++count); ++ } ++ } + break; + default: + dev_warn_ratelimited(priv->dev, "Send data on wrong channel type: %d\n", cp->type); +-- +2.39.5 + diff --git a/queue-6.12/mailbox-mtk-cmdq-refine-gce_gctl_value-setting.patch b/queue-6.12/mailbox-mtk-cmdq-refine-gce_gctl_value-setting.patch new file mode 100644 index 0000000000..b4a5004a73 --- /dev/null +++ b/queue-6.12/mailbox-mtk-cmdq-refine-gce_gctl_value-setting.patch @@ -0,0 +1,144 @@ +From 67dc75acd90feb0393fd1d2296af0875d8a0c790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 11:55:47 +0800 +Subject: mailbox: mtk-cmdq: Refine GCE_GCTL_VALUE setting + +From: Jason-JH Lin + +[ Upstream commit 9fcebcb37c3e0a4b6eb40768cc5a5faebf166fbe ] + +Add cmdq_gctl_value_toggle() to configure GCE_CTRL_BY_SW and GCE_DDR_EN +together in the same GCE_GCTL_VALUE register. + +For the SoCs whose GCE is located in MMINFRA and uses MMINFRA_AO power, +this allows it to be written without enabling the clocks. Otherwise, all +GCE registers should be written after the GCE clocks are enabled. +Move this function into cmdq_runtime_resume() and cmdq_runtime_suspend() +to ensure it is called when the GCE clock is enabled. + +Fixes: 7abd037aa581 ("mailbox: mtk-cmdq: add gce ddr enable support flow") +Signed-off-by: Jason-JH Lin +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mtk-cmdq-mailbox.c | 51 +++++++++++++----------------- + 1 file changed, 22 insertions(+), 29 deletions(-) + +diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c +index 9c43ed9bdd37b..d24f71819c3d6 100644 +--- a/drivers/mailbox/mtk-cmdq-mailbox.c ++++ b/drivers/mailbox/mtk-cmdq-mailbox.c +@@ -92,18 +92,6 @@ struct gce_plat { + u32 gce_num; + }; + +-static void cmdq_sw_ddr_enable(struct cmdq *cmdq, bool enable) +-{ +- WARN_ON(clk_bulk_enable(cmdq->pdata->gce_num, cmdq->clocks)); +- +- if (enable) +- writel(GCE_DDR_EN | GCE_CTRL_BY_SW, cmdq->base + GCE_GCTL_VALUE); +- else +- writel(GCE_CTRL_BY_SW, cmdq->base + GCE_GCTL_VALUE); +- +- clk_bulk_disable(cmdq->pdata->gce_num, cmdq->clocks); +-} +- + u8 cmdq_get_shift_pa(struct mbox_chan *chan) + { + struct cmdq *cmdq = container_of(chan->mbox, struct cmdq, mbox); +@@ -112,6 +100,19 @@ u8 cmdq_get_shift_pa(struct mbox_chan *chan) + } + EXPORT_SYMBOL(cmdq_get_shift_pa); + ++static void cmdq_gctl_value_toggle(struct cmdq *cmdq, bool ddr_enable) ++{ ++ u32 val = cmdq->pdata->control_by_sw ? GCE_CTRL_BY_SW : 0; ++ ++ if (!cmdq->pdata->control_by_sw && !cmdq->pdata->sw_ddr_en) ++ return; ++ ++ if (cmdq->pdata->sw_ddr_en && ddr_enable) ++ val |= GCE_DDR_EN; ++ ++ writel(val, cmdq->base + GCE_GCTL_VALUE); ++} ++ + static int cmdq_thread_suspend(struct cmdq *cmdq, struct cmdq_thread *thread) + { + u32 status; +@@ -140,16 +141,10 @@ static void cmdq_thread_resume(struct cmdq_thread *thread) + static void cmdq_init(struct cmdq *cmdq) + { + int i; +- u32 gctl_regval = 0; + + WARN_ON(clk_bulk_enable(cmdq->pdata->gce_num, cmdq->clocks)); +- if (cmdq->pdata->control_by_sw) +- gctl_regval = GCE_CTRL_BY_SW; +- if (cmdq->pdata->sw_ddr_en) +- gctl_regval |= GCE_DDR_EN; + +- if (gctl_regval) +- writel(gctl_regval, cmdq->base + GCE_GCTL_VALUE); ++ cmdq_gctl_value_toggle(cmdq, true); + + writel(CMDQ_THR_ACTIVE_SLOT_CYCLES, cmdq->base + CMDQ_THR_SLOT_CYCLES); + for (i = 0; i <= CMDQ_MAX_EVENT; i++) +@@ -315,14 +310,21 @@ static irqreturn_t cmdq_irq_handler(int irq, void *dev) + static int cmdq_runtime_resume(struct device *dev) + { + struct cmdq *cmdq = dev_get_drvdata(dev); ++ int ret; + +- return clk_bulk_enable(cmdq->pdata->gce_num, cmdq->clocks); ++ ret = clk_bulk_enable(cmdq->pdata->gce_num, cmdq->clocks); ++ if (ret) ++ return ret; ++ ++ cmdq_gctl_value_toggle(cmdq, true); ++ return 0; + } + + static int cmdq_runtime_suspend(struct device *dev) + { + struct cmdq *cmdq = dev_get_drvdata(dev); + ++ cmdq_gctl_value_toggle(cmdq, false); + clk_bulk_disable(cmdq->pdata->gce_num, cmdq->clocks); + return 0; + } +@@ -347,9 +349,6 @@ static int cmdq_suspend(struct device *dev) + if (task_running) + dev_warn(dev, "exist running task(s) in suspend\n"); + +- if (cmdq->pdata->sw_ddr_en) +- cmdq_sw_ddr_enable(cmdq, false); +- + return pm_runtime_force_suspend(dev); + } + +@@ -360,9 +359,6 @@ static int cmdq_resume(struct device *dev) + WARN_ON(pm_runtime_force_resume(dev)); + cmdq->suspended = false; + +- if (cmdq->pdata->sw_ddr_en) +- cmdq_sw_ddr_enable(cmdq, true); +- + return 0; + } + +@@ -370,9 +366,6 @@ static void cmdq_remove(struct platform_device *pdev) + { + struct cmdq *cmdq = platform_get_drvdata(pdev); + +- if (cmdq->pdata->sw_ddr_en) +- cmdq_sw_ddr_enable(cmdq, false); +- + if (!IS_ENABLED(CONFIG_PM)) + cmdq_runtime_suspend(&pdev->dev); + +-- +2.39.5 + diff --git a/queue-6.12/media-rkvdec-fix-frame-size-enumeration.patch b/queue-6.12/media-rkvdec-fix-frame-size-enumeration.patch new file mode 100644 index 0000000000..5c485d1a12 --- /dev/null +++ b/queue-6.12/media-rkvdec-fix-frame-size-enumeration.patch @@ -0,0 +1,56 @@ +From 96d540578d19fea78c457e2d74cc1fc2a21d0f2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 10:40:33 +0100 +Subject: media: rkvdec: Fix frame size enumeration + +From: Jonas Karlman + +[ Upstream commit f270005b99fa19fee9a6b4006e8dee37c10f1944 ] + +The VIDIOC_ENUM_FRAMESIZES ioctl should return all frame sizes (i.e. +width and height in pixels) that the device supports for the given pixel +format. + +It doesn't make a lot of sense to return the frame-sizes in a stepwise +manner, which is used to enforce hardware alignments requirements for +CAPTURE buffers, for coded formats. + +Instead, applications should receive an indication, about the maximum +supported frame size for that hardware decoder, via a continuous +frame-size enumeration. + +Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver") +Suggested-by: Alex Bee +Signed-off-by: Jonas Karlman +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/staging/media/rkvdec/rkvdec.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c +index ac398b5a97360..a1d941b0be00b 100644 +--- a/drivers/staging/media/rkvdec/rkvdec.c ++++ b/drivers/staging/media/rkvdec/rkvdec.c +@@ -213,8 +213,14 @@ static int rkvdec_enum_framesizes(struct file *file, void *priv, + if (!fmt) + return -EINVAL; + +- fsize->type = V4L2_FRMSIZE_TYPE_STEPWISE; +- fsize->stepwise = fmt->frmsize; ++ fsize->type = V4L2_FRMSIZE_TYPE_CONTINUOUS; ++ fsize->stepwise.min_width = 1; ++ fsize->stepwise.max_width = fmt->frmsize.max_width; ++ fsize->stepwise.step_width = 1; ++ fsize->stepwise.min_height = 1; ++ fsize->stepwise.max_height = fmt->frmsize.max_height; ++ fsize->stepwise.step_height = 1; ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/media-verisilicon-free-post-processor-buffers-on-err.patch b/queue-6.12/media-verisilicon-free-post-processor-buffers-on-err.patch new file mode 100644 index 0000000000..7f97f3d865 --- /dev/null +++ b/queue-6.12/media-verisilicon-free-post-processor-buffers-on-err.patch @@ -0,0 +1,47 @@ +From 660b993a5b3a7481a1381c746f6818d6fd2ec4f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 15:24:47 -0400 +Subject: media: verisilicon: Free post processor buffers on error + +From: Detlev Casanova + +[ Upstream commit 11beb0fc346e00c412b3bfd19013206f6b655604 ] + +During initialization, the post processor allocates the same number of +buffers as the buf queue. +As the init function is called in streamon(), if an allocation fails, +streamon will return an error and streamoff() will not be called, keeping +all post processor buffers allocated. + +To avoid that, all post proc buffers are freed in case of an allocation +error. + +Fixes: 26711491a807 ("media: verisilicon: Refactor postprocessor to store more buffers") +Signed-off-by: Detlev Casanova +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/verisilicon/hantro_postproc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/verisilicon/hantro_postproc.c b/drivers/media/platform/verisilicon/hantro_postproc.c +index 232c93eea7eea..18cad5ac92d8d 100644 +--- a/drivers/media/platform/verisilicon/hantro_postproc.c ++++ b/drivers/media/platform/verisilicon/hantro_postproc.c +@@ -260,8 +260,10 @@ int hantro_postproc_init(struct hantro_ctx *ctx) + + for (i = 0; i < num_buffers; i++) { + ret = hantro_postproc_alloc(ctx, i); +- if (ret) ++ if (ret) { ++ hantro_postproc_free(ctx); + return ret; ++ } + } + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/mei-vsc-cast-tx_buf-to-__be32-when-passed-to-cpu_to_.patch b/queue-6.12/mei-vsc-cast-tx_buf-to-__be32-when-passed-to-cpu_to_.patch new file mode 100644 index 0000000000..26e6e76898 --- /dev/null +++ b/queue-6.12/mei-vsc-cast-tx_buf-to-__be32-when-passed-to-cpu_to_.patch @@ -0,0 +1,68 @@ +From 7e7e19e99db5eb193fa5c809f315f3d362acba70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 11:07:28 +0200 +Subject: mei: vsc: Cast tx_buf to (__be32 *) when passed to + cpu_to_be32_array() + +From: Hans de Goede + +[ Upstream commit 97ce0fe2b7240d47d9124daa92217e478c21a3ba ] + +Commit f88c0c72ffb0 ("mei: vsc: Use struct vsc_tp_packet as vsc-tp tx_buf +and rx_buf type") changed the type of tx_buf from "void *" to "struct +vsc_tp_packet *" and added a cast to (u32 *) when passing it to +cpu_to_be32_array() and the same change was made for rx_buf. + +This triggers the type-check warning in sparse: + +vsc-tp.c:327:28: sparse: expected restricted __be32 [usertype] *dst +vsc-tp.c:327:28: sparse: got unsigned int [usertype] * + +vsc-tp.c:343:42: sparse: expected restricted __be32 const [usertype] *src +vsc-tp.c:343:42: sparse: got unsigned int [usertype] * + +Fix this by casting to (__be32 *) instead. + +Note actually changing the type of the buffers to "be32 *" is not an option +this buffer does actually contain a "struct vsc_tp_packet" and is used +as such most of the time. vsc_tp_rom_xfer() re-uses the buffers as just +dumb arrays of 32 bit words to talk to the device before the firmware has +booted, to avoid needing to allocate a separate buffer. + +Fixes: f88c0c72ffb0 ("mei: vsc: Use struct vsc_tp_packet as vsc-tp tx_buf and rx_buf type") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202505071634.kZ0I7Va6-lkp@intel.com/ +Signed-off-by: Hans de Goede +Reviewed-by: Sakari Ailus +Link: https://lore.kernel.org/r/20250507090728.115910-1-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mei/vsc-tp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/mei/vsc-tp.c b/drivers/misc/mei/vsc-tp.c +index ad7c7f1573191..5e44b518f36c7 100644 +--- a/drivers/misc/mei/vsc-tp.c ++++ b/drivers/misc/mei/vsc-tp.c +@@ -324,7 +324,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, const void *obuf, void *ibuf, size_t len) + guard(mutex)(&tp->mutex); + + /* rom xfer is big endian */ +- cpu_to_be32_array((u32 *)tp->tx_buf, obuf, words); ++ cpu_to_be32_array((__be32 *)tp->tx_buf, obuf, words); + + ret = read_poll_timeout(gpiod_get_value_cansleep, ret, + !ret, VSC_TP_ROM_XFER_POLL_DELAY_US, +@@ -340,7 +340,7 @@ int vsc_tp_rom_xfer(struct vsc_tp *tp, const void *obuf, void *ibuf, size_t len) + return ret; + + if (ibuf) +- be32_to_cpu_array(ibuf, (u32 *)tp->rx_buf, words); ++ be32_to_cpu_array(ibuf, (__be32 *)tp->rx_buf, words); + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.12/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch b/queue-6.12/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch new file mode 100644 index 0000000000..5a100febc1 --- /dev/null +++ b/queue-6.12/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch @@ -0,0 +1,38 @@ +From 059953c5f435f07420925d34cd92d8c6c840b5a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 17:00:34 +0200 +Subject: mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in + exynos_lpass_remove() + +From: Christophe JAILLET + +[ Upstream commit b70b84556eeca5262d290e8619fe0af5b7664a52 ] + +exynos_lpass_disable() is called twice in the remove function. Remove +one of these calls. + +Fixes: 90f447170c6f ("mfd: exynos-lpass: Add runtime PM support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/74d69e8de10308c9855db6d54155a3de4b11abfd.1745247209.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/exynos-lpass.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c +index eedcfc22c3325..e36805f07282e 100644 +--- a/drivers/mfd/exynos-lpass.c ++++ b/drivers/mfd/exynos-lpass.c +@@ -141,7 +141,6 @@ static void exynos_lpass_remove(struct platform_device *pdev) + { + struct exynos_lpass *lpass = platform_get_drvdata(pdev); + +- exynos_lpass_disable(lpass); + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) + exynos_lpass_disable(lpass); +-- +2.39.5 + diff --git a/queue-6.12/mfd-exynos-lpass-fix-an-error-handling-path-in-exyno.patch b/queue-6.12/mfd-exynos-lpass-fix-an-error-handling-path-in-exyno.patch new file mode 100644 index 0000000000..b359b85ab6 --- /dev/null +++ b/queue-6.12/mfd-exynos-lpass-fix-an-error-handling-path-in-exyno.patch @@ -0,0 +1,51 @@ +From 6238143a75074e0f947c14177b87e2da16dd02e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 17:00:33 +0200 +Subject: mfd: exynos-lpass: Fix an error handling path in exynos_lpass_probe() + +From: Christophe JAILLET + +[ Upstream commit 484f0f59f09edd1f6fa63703c12eb30d72a519ac ] + +If an error occurs after a successful regmap_init_mmio(), regmap_exit() +should be called as already done in the .remove() function. + +Switch to devm_regmap_init_mmio() to avoid the leak and simplify the +.remove() function. + +Fixes: c414df12bdf7 ("mfd: exynos-lpass: Add missing remove() function") +Signed-off-by: Christophe JAILLET +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/38414eecb1096840946756ae86887aea2a489c1b.1745247209.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/exynos-lpass.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c +index e58990c85ed87..eedcfc22c3325 100644 +--- a/drivers/mfd/exynos-lpass.c ++++ b/drivers/mfd/exynos-lpass.c +@@ -122,8 +122,8 @@ static int exynos_lpass_probe(struct platform_device *pdev) + if (IS_ERR(lpass->sfr0_clk)) + return PTR_ERR(lpass->sfr0_clk); + +- lpass->top = regmap_init_mmio(dev, base_top, +- &exynos_lpass_reg_conf); ++ lpass->top = devm_regmap_init_mmio(dev, base_top, ++ &exynos_lpass_reg_conf); + if (IS_ERR(lpass->top)) { + dev_err(dev, "LPASS top regmap initialization failed\n"); + return PTR_ERR(lpass->top); +@@ -145,7 +145,6 @@ static void exynos_lpass_remove(struct platform_device *pdev) + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) + exynos_lpass_disable(lpass); +- regmap_exit(lpass->top); + } + + static int __maybe_unused exynos_lpass_suspend(struct device *dev) +-- +2.39.5 + diff --git a/queue-6.12/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch b/queue-6.12/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch new file mode 100644 index 0000000000..f8ca004fbc --- /dev/null +++ b/queue-6.12/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch @@ -0,0 +1,40 @@ +From 211a20cd489398f4e2b9e3ccc62e2b828b6e1305 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Apr 2025 18:16:32 +0200 +Subject: mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE + +From: Alexey Gladkov + +[ Upstream commit 59d60c16ed41475f3b5f7b605e75fbf8e3628720 ] + +The name used in the macro does not exist. + +drivers/mfd/stmpe-spi.c:132:26: error: use of undeclared identifier 'stmpe_id' + 132 | MODULE_DEVICE_TABLE(spi, stmpe_id); + +Fixes: e789995d5c61 ("mfd: Add support for STMPE SPI interface") +Signed-off-by: Alexey Gladkov +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/79d5a847303e45a46098f2d827d3d8a249a32be3.1745591072.git.legion@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/stmpe-spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/stmpe-spi.c b/drivers/mfd/stmpe-spi.c +index 792236f56399a..b9cc85ea2c401 100644 +--- a/drivers/mfd/stmpe-spi.c ++++ b/drivers/mfd/stmpe-spi.c +@@ -129,7 +129,7 @@ static const struct spi_device_id stmpe_spi_id[] = { + { "stmpe2403", STMPE2403 }, + { } + }; +-MODULE_DEVICE_TABLE(spi, stmpe_id); ++MODULE_DEVICE_TABLE(spi, stmpe_spi_id); + + static struct spi_driver stmpe_spi_driver = { + .driver = { +-- +2.39.5 + diff --git a/queue-6.12/mips-loongson64-add-missing-interrupt-cells-for-loon.patch b/queue-6.12/mips-loongson64-add-missing-interrupt-cells-for-loon.patch new file mode 100644 index 0000000000..ea350bdca0 --- /dev/null +++ b/queue-6.12/mips-loongson64-add-missing-interrupt-cells-for-loon.patch @@ -0,0 +1,43 @@ +From eaadd914aa631dfeffcd0a9112fcaa62dcf7cc56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 11:45:48 +0800 +Subject: MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: WangYuli + +[ Upstream commit 6d223b8ffcd1593d032b71875def2daa71c53111 ] + +Similar to commit 98a9e2ac3755 ("MIPS: Loongson64: DTS: Fix msi node for ls7a"). + +Fix follow warnings: + arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts:28.31-36.4: Warning (interrupt_provider): /bus@10000000/msi-controller@2ff00000: Missing '#interrupt-cells' in interrupt provider + arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider' + +Fixes: 24af105962c8 ("MIPS: Loongson64: DeviceTree for LS7A PCH") +Tested-by: WangYuli +Signed-off-by: WangYuli +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts +index c7ea4f1c0bb21..6c277ab83d4b9 100644 +--- a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts ++++ b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts +@@ -29,6 +29,7 @@ + compatible = "loongson,pch-msi-1.0"; + reg = <0 0x2ff00000 0 0x8>; + interrupt-controller; ++ #interrupt-cells = <1>; + msi-controller; + loongson,msi-base-vec = <64>; + loongson,msi-num-vecs = <64>; +-- +2.39.5 + diff --git a/queue-6.12/mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch b/queue-6.12/mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch new file mode 100644 index 0000000000..58b014c5d8 --- /dev/null +++ b/queue-6.12/mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch @@ -0,0 +1,47 @@ +From 302233a471267455f24219cf9c99ce4ad62d7135 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 00:39:06 +0300 +Subject: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret + +From: Mikhail Arkhipov + +[ Upstream commit d95846350aac72303036a70c4cdc69ae314aa26d ] + +If ctx->steps is zero, the loop processing ECC steps is skipped, +and the variable ret remains uninitialized. It is later checked +and returned, which leads to undefined behavior and may cause +unpredictable results in user space or kernel crashes. + +This scenario can be triggered in edge cases such as misconfigured +geometry, ECC engine misuse, or if ctx->steps is not validated +after initialization. + +Initialize ret to zero before the loop to ensure correct and safe +behavior regardless of the ctx->steps value. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 48e6633a9fa2 ("mtd: nand: mxic-ecc: Add Macronix external ECC engine support") +Signed-off-by: Mikhail Arkhipov +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/ecc-mxic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/ecc-mxic.c b/drivers/mtd/nand/ecc-mxic.c +index 47e10945b8d27..63cb206269dd9 100644 +--- a/drivers/mtd/nand/ecc-mxic.c ++++ b/drivers/mtd/nand/ecc-mxic.c +@@ -614,7 +614,7 @@ static int mxic_ecc_finish_io_req_external(struct nand_device *nand, + { + struct mxic_ecc_engine *mxic = nand_to_mxic(nand); + struct mxic_ecc_ctx *ctx = nand_to_ecc_ctx(nand); +- int nents, step, ret; ++ int nents, step, ret = 0; + + if (req->mode == MTD_OPS_RAW) + return 0; +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-b53-allow-rgmii-for-bcm63xx-rgmii-ports.patch b/queue-6.12/net-dsa-b53-allow-rgmii-for-bcm63xx-rgmii-ports.patch new file mode 100644 index 0000000000..65aecf1460 --- /dev/null +++ b/queue-6.12/net-dsa-b53-allow-rgmii-for-bcm63xx-rgmii-ports.patch @@ -0,0 +1,46 @@ +From 08be2a17785412a739ff0c3fedb59535bb4dc6ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 21:39:52 +0200 +Subject: net: dsa: b53: allow RGMII for bcm63xx RGMII ports + +From: Jonas Gorski + +[ Upstream commit 5ea0d42c1980e6d10e5cb56a78021db5bfcebaaf ] + +Add RGMII to supported interfaces for BCM63xx RGMII ports so they can be +actually used in RGMII mode. + +Without this, phylink will fail to configure them: + +[ 3.580000] b53-switch 10700000.switch GbE3 (uninitialized): validation of rgmii with support 0000000,00000000,00000000,000062ff and advertisement 0000000,00000000,00000000,000062ff failed: -EINVAL +[ 3.600000] b53-switch 10700000.switch GbE3 (uninitialized): failed to connect to PHY: -EINVAL +[ 3.610000] b53-switch 10700000.switch GbE3 (uninitialized): error -22 setting up PHY for tree 0, switch 0, port 4 + +Fixes: ce3bf94871f7 ("net: dsa: b53: add support for BCM63xx RGMIIs") +Reviewed-by: Florian Fainelli +Signed-off-by: Jonas Gorski +Link: https://patch.msgid.link/20250602193953.1010487-5-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 2747a507e3ce9..a17a3083180b0 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1441,6 +1441,10 @@ static void b53_phylink_get_caps(struct dsa_switch *ds, int port, + __set_bit(PHY_INTERFACE_MODE_MII, config->supported_interfaces); + __set_bit(PHY_INTERFACE_MODE_REVMII, config->supported_interfaces); + ++ /* BCM63xx RGMII ports support RGMII */ ++ if (is63xx(dev) && in_range(port, B53_63XX_RGMII0, 4)) ++ phy_interface_set_rgmii(config->supported_interfaces); ++ + config->mac_capabilities = MAC_ASYM_PAUSE | MAC_SYM_PAUSE | + MAC_10 | MAC_100; + +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-b53-do-not-enable-rgmii-delay-on-bcm63xx.patch b/queue-6.12/net-dsa-b53-do-not-enable-rgmii-delay-on-bcm63xx.patch new file mode 100644 index 0000000000..aa4b889442 --- /dev/null +++ b/queue-6.12/net-dsa-b53-do-not-enable-rgmii-delay-on-bcm63xx.patch @@ -0,0 +1,59 @@ +From 5010f59dee29a9e6b90fd2b66e3d44b5c268ebd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 21:39:50 +0200 +Subject: net: dsa: b53: do not enable RGMII delay on bcm63xx + +From: Jonas Gorski + +[ Upstream commit 4af523551d876ab8b8057d1e5303a860fd736fcb ] + +bcm63xx's RGMII ports are always in MAC mode, never in PHY mode, so we +shouldn't enable any delays and let the PHY handle any delays as +necessary. + +This fixes using RGMII ports with normal PHYs like BCM54612E, which will +handle the delay in the PHY. + +Fixes: ce3bf94871f7 ("net: dsa: b53: add support for BCM63xx RGMIIs") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250602193953.1010487-3-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 19 +------------------ + 1 file changed, 1 insertion(+), 18 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 0168ad495e6c9..2747a507e3ce9 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1326,24 +1326,7 @@ static void b53_adjust_63xx_rgmii(struct dsa_switch *ds, int port, + off = B53_RGMII_CTRL_P(port); + + b53_read8(dev, B53_CTRL_PAGE, off, &rgmii_ctrl); +- +- switch (interface) { +- case PHY_INTERFACE_MODE_RGMII_ID: +- rgmii_ctrl |= (RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC); +- break; +- case PHY_INTERFACE_MODE_RGMII_RXID: +- rgmii_ctrl &= ~(RGMII_CTRL_DLL_TXC); +- rgmii_ctrl |= RGMII_CTRL_DLL_RXC; +- break; +- case PHY_INTERFACE_MODE_RGMII_TXID: +- rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC); +- rgmii_ctrl |= RGMII_CTRL_DLL_TXC; +- break; +- case PHY_INTERFACE_MODE_RGMII: +- default: +- rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC); +- break; +- } ++ rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC); + + if (port != dev->imp_port) { + if (is63268(dev)) +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-b53-do-not-touch-dll_iqqd-on-bcm53115.patch b/queue-6.12/net-dsa-b53-do-not-touch-dll_iqqd-on-bcm53115.patch new file mode 100644 index 0000000000..76c2512a81 --- /dev/null +++ b/queue-6.12/net-dsa-b53-do-not-touch-dll_iqqd-on-bcm53115.patch @@ -0,0 +1,69 @@ +From 4459eaabbd1509c512f9b672be50010a20c4d10c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 21:39:53 +0200 +Subject: net: dsa: b53: do not touch DLL_IQQD on bcm53115 + +From: Jonas Gorski + +[ Upstream commit bc1a65eb81a21e2aa3c3dca058ee8adf687b6ef5 ] + +According to OpenMDK, bit 2 of the RGMII register has a different +meaning for BCM53115 [1]: + +"DLL_IQQD 1: In the IDDQ mode, power is down0: Normal function + mode" + +Configuring RGMII delay works without setting this bit, so let's keep it +at the default. For other chips, we always set it, so not clearing it +is not an issue. + +One would assume BCM53118 works the same, but OpenMDK is not quite sure +what this bit actually means [2]: + +"BYPASS_IMP_2NS_DEL #1: In the IDDQ mode, power is down#0: Normal + function mode1: Bypass dll65_2ns_del IP0: Use + dll65_2ns_del IP" + +So lets keep setting it for now. + +[1] https://github.com/Broadcom-Network-Switching-Software/OpenMDK/blob/master/cdk/PKG/chip/bcm53115/bcm53115_a0_defs.h#L19871 +[2] https://github.com/Broadcom-Network-Switching-Software/OpenMDK/blob/master/cdk/PKG/chip/bcm53118/bcm53118_a0_defs.h#L14392 + +Fixes: 967dd82ffc52 ("net: dsa: b53: Add support for Broadcom RoboSwitch") +Signed-off-by: Jonas Gorski +Link: https://patch.msgid.link/20250602193953.1010487-6-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index a17a3083180b0..79039c0941c20 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1356,8 +1356,7 @@ static void b53_adjust_531x5_rgmii(struct dsa_switch *ds, int port, + * tx_clk aligned timing (restoring to reset defaults) + */ + b53_read8(dev, B53_CTRL_PAGE, off, &rgmii_ctrl); +- rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC | +- RGMII_CTRL_TIMING_SEL); ++ rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC); + + /* PHY_INTERFACE_MODE_RGMII_TXID means TX internal delay, make + * sure that we enable the port TX clock internal delay to +@@ -1377,7 +1376,10 @@ static void b53_adjust_531x5_rgmii(struct dsa_switch *ds, int port, + rgmii_ctrl |= RGMII_CTRL_DLL_TXC; + if (interface == PHY_INTERFACE_MODE_RGMII) + rgmii_ctrl |= RGMII_CTRL_DLL_TXC | RGMII_CTRL_DLL_RXC; +- rgmii_ctrl |= RGMII_CTRL_TIMING_SEL; ++ ++ if (dev->chip_id != BCM53115_DEVICE_ID) ++ rgmii_ctrl |= RGMII_CTRL_TIMING_SEL; ++ + b53_write8(dev, B53_CTRL_PAGE, off, rgmii_ctrl); + + dev_info(ds->dev, "Configured port %d for %s\n", port, +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch b/queue-6.12/net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch new file mode 100644 index 0000000000..a9fb718468 --- /dev/null +++ b/queue-6.12/net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch @@ -0,0 +1,41 @@ +From 8af340d4be765b61e6c27889c4cf0157f031b597 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 14:44:06 +0200 +Subject: net: dsa: tag_brcm: legacy: fix pskb_may_pull length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit efdddc4484859082da6c7877ed144c8121c8ea55 ] + +BRCM_LEG_PORT_ID was incorrectly used for pskb_may_pull length. +The correct check is BRCM_LEG_TAG_LEN + VLAN_HLEN, or 10 bytes. + +Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags") +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250529124406.2513779-1-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/tag_brcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c +index 8c3c068728e51..fe75821623a4f 100644 +--- a/net/dsa/tag_brcm.c ++++ b/net/dsa/tag_brcm.c +@@ -257,7 +257,7 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb, + int source_port; + u8 *brcm_tag; + +- if (unlikely(!pskb_may_pull(skb, BRCM_LEG_PORT_ID))) ++ if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN))) + return NULL; + + brcm_tag = dsa_etype_header_pos_rx(skb); +-- +2.39.5 + diff --git a/queue-6.12/net-fix-checksum-update-for-ila-adj-transport.patch b/queue-6.12/net-fix-checksum-update-for-ila-adj-transport.patch new file mode 100644 index 0000000000..f1ef2adbce --- /dev/null +++ b/queue-6.12/net-fix-checksum-update-for-ila-adj-transport.patch @@ -0,0 +1,167 @@ +From 3ca632ad4268007d16e3d4006f349ed9eff4d2a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 12:28:05 +0200 +Subject: net: Fix checksum update for ILA adj-transport + +From: Paul Chaignon + +[ Upstream commit 6043b794c7668c19dabc4a93c75b924a19474d59 ] + +During ILA address translations, the L4 checksums can be handled in +different ways. One of them, adj-transport, consist in parsing the +transport layer and updating any found checksum. This logic relies on +inet_proto_csum_replace_by_diff and produces an incorrect skb->csum when +in state CHECKSUM_COMPLETE. + +This bug can be reproduced with a simple ILA to SIR mapping, assuming +packets are received with CHECKSUM_COMPLETE: + + $ ip a show dev eth0 + 14: eth0@if15: mtu 1500 qdisc noqueue state UP group default qlen 1000 + link/ether 62:ae:35:9e:0f:8d brd ff:ff:ff:ff:ff:ff link-netnsid 0 + inet6 3333:0:0:1::c078/64 scope global + valid_lft forever preferred_lft forever + inet6 fd00:10:244:1::c078/128 scope global nodad + valid_lft forever preferred_lft forever + inet6 fe80::60ae:35ff:fe9e:f8d/64 scope link proto kernel_ll + valid_lft forever preferred_lft forever + $ ip ila add loc_match fd00:10:244:1 loc 3333:0:0:1 \ + csum-mode adj-transport ident-type luid dev eth0 + +Then I hit [fd00:10:244:1::c078]:8000 with a server listening only on +[3333:0:0:1::c078]:8000. With the bug, the SYN packet is dropped with +SKB_DROP_REASON_TCP_CSUM after inet_proto_csum_replace_by_diff changed +skb->csum. The translation and drop are visible on pwru [1] traces: + + IFACE TUPLE FUNC + eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ipv6_rcv + eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ip6_rcv_core + eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) nf_hook_slow + eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) inet_proto_csum_replace_by_diff + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_early_demux + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_route_input + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input_finish + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_protocol_deliver_rcu + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) raw6_local_deliver + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ipv6_raw_deliver + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_rcv + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) __skb_checksum_complete + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skb_reason(SKB_DROP_REASON_TCP_CSUM) + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_head_state + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_data + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_free_head + eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skbmem + +This is happening because inet_proto_csum_replace_by_diff is updating +skb->csum when it shouldn't. The L4 checksum is updated such that it +"cancels" the IPv6 address change in terms of checksum computation, so +the impact on skb->csum is null. + +Note this would be different for an IPv4 packet since three fields +would be updated: the IPv4 address, the IP checksum, and the L4 +checksum. Two would cancel each other and skb->csum would still need +to be updated to take the L4 checksum change into account. + +This patch fixes it by passing an ipv6 flag to +inet_proto_csum_replace_by_diff, to skip the skb->csum update if we're +in the IPv6 case. Note the behavior of the only other user of +inet_proto_csum_replace_by_diff, the BPF subsystem, is left as is in +this patch and fixed in the subsequent patch. + +With the fix, using the reproduction from above, I can confirm +skb->csum is not touched by inet_proto_csum_replace_by_diff and the TCP +SYN proceeds to the application after the ILA translation. + +Link: https://github.com/cilium/pwru [1] +Fixes: 65d7ab8de582 ("net: Identifier Locator Addressing module") +Signed-off-by: Paul Chaignon +Acked-by: Daniel Borkmann +Link: https://patch.msgid.link/b5539869e3550d46068504feb02d37653d939c0b.1748509484.git.paul.chaignon@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/checksum.h | 2 +- + net/core/filter.c | 2 +- + net/core/utils.c | 4 ++-- + net/ipv6/ila/ila_common.c | 6 +++--- + 4 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/include/net/checksum.h b/include/net/checksum.h +index 1338cb92c8e72..28b101f26636e 100644 +--- a/include/net/checksum.h ++++ b/include/net/checksum.h +@@ -158,7 +158,7 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb, + const __be32 *from, const __be32 *to, + bool pseudohdr); + void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb, +- __wsum diff, bool pseudohdr); ++ __wsum diff, bool pseudohdr, bool ipv6); + + static __always_inline + void inet_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb, +diff --git a/net/core/filter.c b/net/core/filter.c +index 99b23fd2f509c..e0d978c1a4cdc 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -1999,7 +1999,7 @@ BPF_CALL_5(bpf_l4_csum_replace, struct sk_buff *, skb, u32, offset, + if (unlikely(from != 0)) + return -EINVAL; + +- inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo); ++ inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo, false); + break; + case 2: + inet_proto_csum_replace2(ptr, skb, from, to, is_pseudo); +diff --git a/net/core/utils.c b/net/core/utils.c +index 27f4cffaae05d..b8c21a859e27b 100644 +--- a/net/core/utils.c ++++ b/net/core/utils.c +@@ -473,11 +473,11 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb, + EXPORT_SYMBOL(inet_proto_csum_replace16); + + void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb, +- __wsum diff, bool pseudohdr) ++ __wsum diff, bool pseudohdr, bool ipv6) + { + if (skb->ip_summed != CHECKSUM_PARTIAL) { + csum_replace_by_diff(sum, diff); +- if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr) ++ if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr && !ipv6) + skb->csum = ~csum_sub(diff, skb->csum); + } else if (pseudohdr) { + *sum = ~csum_fold(csum_add(diff, csum_unfold(*sum))); +diff --git a/net/ipv6/ila/ila_common.c b/net/ipv6/ila/ila_common.c +index 95e9146918cc6..b8d43ed4689db 100644 +--- a/net/ipv6/ila/ila_common.c ++++ b/net/ipv6/ila/ila_common.c +@@ -86,7 +86,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb, + + diff = get_csum_diff(ip6h, p); + inet_proto_csum_replace_by_diff(&th->check, skb, +- diff, true); ++ diff, true, true); + } + break; + case NEXTHDR_UDP: +@@ -97,7 +97,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb, + if (uh->check || skb->ip_summed == CHECKSUM_PARTIAL) { + diff = get_csum_diff(ip6h, p); + inet_proto_csum_replace_by_diff(&uh->check, skb, +- diff, true); ++ diff, true, true); + if (!uh->check) + uh->check = CSUM_MANGLED_0; + } +@@ -111,7 +111,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb, + + diff = get_csum_diff(ip6h, p); + inet_proto_csum_replace_by_diff(&ih->icmp6_cksum, skb, +- diff, true); ++ diff, true, true); + } + break; + } +-- +2.39.5 + diff --git a/queue-6.12/net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch b/queue-6.12/net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch new file mode 100644 index 0000000000..fbd6bdcaf1 --- /dev/null +++ b/queue-6.12/net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch @@ -0,0 +1,107 @@ +From a392f34c2eed60204b34c017f8cc6ac95085e3c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 09:26:08 +0800 +Subject: net: fix udp gso skb_segment after pull from frag_list + +From: Shiming Cheng + +[ Upstream commit 3382a1ed7f778db841063f5d7e317ac55f9e7f72 ] + +Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after +pull from frag_list") detected invalid geometry in frag_list skbs and +redirects them from skb_segment_list to more robust skb_segment. But some +packets with modified geometry can also hit bugs in that code. We don't +know how many such cases exist. Addressing each one by one also requires +touching the complex skb_segment code, which risks introducing bugs for +other types of skbs. Instead, linearize all these packets that fail the +basic invariants on gso fraglist skbs. That is more robust. + +If only part of the fraglist payload is pulled into head_skb, it will +always cause exception when splitting skbs by skb_segment. For detailed +call stack information, see below. + +Valid SKB_GSO_FRAGLIST skbs +- consist of two or more segments +- the head_skb holds the protocol headers plus first gso_size +- one or more frag_list skbs hold exactly one segment +- all but the last must be gso_size + +Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can +modify fraglist skbs, breaking these invariants. + +In extreme cases they pull one part of data into skb linear. For UDP, +this causes three payloads with lengths of (11,11,10) bytes were +pulled tail to become (12,10,10) bytes. + +The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because +payload was pulled into head_skb, it needs to be linearized before pass +to regular skb_segment. + + skb_segment+0xcd0/0xd14 + __udp_gso_segment+0x334/0x5f4 + udp4_ufo_fragment+0x118/0x15c + inet_gso_segment+0x164/0x338 + skb_mac_gso_segment+0xc4/0x13c + __skb_gso_segment+0xc4/0x124 + validate_xmit_skb+0x9c/0x2c0 + validate_xmit_skb_list+0x4c/0x80 + sch_direct_xmit+0x70/0x404 + __dev_queue_xmit+0x64c/0xe5c + neigh_resolve_output+0x178/0x1c4 + ip_finish_output2+0x37c/0x47c + __ip_finish_output+0x194/0x240 + ip_finish_output+0x20/0xf4 + ip_output+0x100/0x1a0 + NF_HOOK+0xc4/0x16c + ip_forward+0x314/0x32c + ip_rcv+0x90/0x118 + __netif_receive_skb+0x74/0x124 + process_backlog+0xe8/0x1a4 + __napi_poll+0x5c/0x1f8 + net_rx_action+0x154/0x314 + handle_softirqs+0x154/0x4b8 + + [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278! + [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP + [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000 + [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000 + [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO) + [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14 + [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14 + [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770 + +Fixes: a1e40ac5b5e9 ("gso: fix udp gso fraglist segmentation after pull from frag_list") +Signed-off-by: Shiming Cheng +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp_offload.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c +index da5d4aea1b591..845730184c5d3 100644 +--- a/net/ipv4/udp_offload.c ++++ b/net/ipv4/udp_offload.c +@@ -332,6 +332,7 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, + bool copy_dtor; + __sum16 check; + __be16 newlen; ++ int ret = 0; + + mss = skb_shinfo(gso_skb)->gso_size; + if (gso_skb->len <= sizeof(*uh) + mss) +@@ -360,6 +361,10 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, + if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size) + return __udp_gso_segment_list(gso_skb, features, is_ipv6); + ++ ret = __skb_linearize(gso_skb); ++ if (ret) ++ return ERR_PTR(ret); ++ + /* Setup csum, as fraglist skips this in udp4_gro_receive. */ + gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head; + gso_skb->csum_offset = offsetof(struct udphdr, check); +-- +2.39.5 + diff --git a/queue-6.12/net-lan743x-fix-phy-reset-handling-during-initializa.patch b/queue-6.12/net-lan743x-fix-phy-reset-handling-during-initializa.patch new file mode 100644 index 0000000000..5f3cb8f16a --- /dev/null +++ b/queue-6.12/net-lan743x-fix-phy-reset-handling-during-initializa.patch @@ -0,0 +1,65 @@ +From 7502a74ecc34db5e09cbb9b588f20c3e8f3b5e01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 11:00:48 +0530 +Subject: net: lan743x: Fix PHY reset handling during initialization and WOL + +From: Thangaraj Samynathan + +[ Upstream commit 82d1096ca8b5dbb3158d707e6fb3ad21c3403a49 ] + +Remove lan743x_phy_init from lan743x_hardware_init as it resets the PHY +registers, causing WOL to fail on subsequent attempts. Add a call to +lan743x_hw_reset_phy in the probe function to ensure the PHY is reset +during device initialization. + +Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver") +Signed-off-by: Thangaraj Samynathan +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250526053048.287095-3-thangaraj.s@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan743x_main.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index 8d53a35a2b561..9836fbbea0cc2 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -1346,11 +1346,6 @@ static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter) + 50000, 1000000); + } + +-static int lan743x_phy_init(struct lan743x_adapter *adapter) +-{ +- return lan743x_hw_reset_phy(adapter); +-} +- + static void lan743x_phy_interface_select(struct lan743x_adapter *adapter) + { + u32 id_rev; +@@ -3505,10 +3500,6 @@ static int lan743x_hardware_init(struct lan743x_adapter *adapter, + if (ret) + return ret; + +- ret = lan743x_phy_init(adapter); +- if (ret) +- return ret; +- + ret = lan743x_ptp_init(adapter); + if (ret) + return ret; +@@ -3642,6 +3633,10 @@ static int lan743x_pcidev_probe(struct pci_dev *pdev, + if (ret) + goto cleanup_pci; + ++ ret = lan743x_hw_reset_phy(adapter); ++ if (ret) ++ goto cleanup_pci; ++ + ret = lan743x_hardware_init(adapter, pdev); + if (ret) + goto cleanup_pci; +-- +2.39.5 + diff --git a/queue-6.12/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch b/queue-6.12/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch new file mode 100644 index 0000000000..8602434e63 --- /dev/null +++ b/queue-6.12/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch @@ -0,0 +1,47 @@ +From 2d82c5b7700ca9685a4ca46b01c27573bab525df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 11:00:47 +0530 +Subject: net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy + +From: Thangaraj Samynathan + +[ Upstream commit 68927eb52d0af04863584930db06075d2610e194 ] + +rename the function to lan743x_hw_reset_phy to better describe it +operation. + +Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver") +Signed-off-by: Thangaraj Samynathan +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250526053048.287095-2-thangaraj.s@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan743x_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index 812ad9d61676a..8d53a35a2b561 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -1330,7 +1330,7 @@ static int lan743x_mac_set_mtu(struct lan743x_adapter *adapter, int new_mtu) + } + + /* PHY */ +-static int lan743x_phy_reset(struct lan743x_adapter *adapter) ++static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter) + { + u32 data; + +@@ -1348,7 +1348,7 @@ static int lan743x_phy_reset(struct lan743x_adapter *adapter) + + static int lan743x_phy_init(struct lan743x_adapter *adapter) + { +- return lan743x_phy_reset(adapter); ++ return lan743x_hw_reset_phy(adapter); + } + + static void lan743x_phy_interface_select(struct lan743x_adapter *adapter) +-- +2.39.5 + diff --git a/queue-6.12/net-lan966x-fix-1-step-timestamping-over-ipv4-or-ipv.patch b/queue-6.12/net-lan966x-fix-1-step-timestamping-over-ipv4-or-ipv.patch new file mode 100644 index 0000000000..1f115fb900 --- /dev/null +++ b/queue-6.12/net-lan966x-fix-1-step-timestamping-over-ipv4-or-ipv.patch @@ -0,0 +1,168 @@ +From 4546c20e0b435b8a2062495c502365cf2396a651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 14:41:59 +0200 +Subject: net: lan966x: Fix 1-step timestamping over ipv4 or ipv6 + +From: Horatiu Vultur + +[ Upstream commit 57ee9584fd8606deef66d7b65fa4dcf94f6843aa ] + +When enabling 1-step timestamping for ptp frames that are over udpv4 or +udpv6 then the inserted timestamp is added at the wrong offset in the +frame, meaning that will modify the frame at the wrong place, so the +frame will be malformed. +To fix this, the HW needs to know which kind of frame it is to know +where to insert the timestamp. For that there is a field in the IFH that +says the PDU_TYPE, which can be NONE which is the default value, +IPV4 or IPV6. Therefore make sure to set the PDU_TYPE so the HW knows +where to insert the timestamp. +Like I mention before the issue is not seen with L2 frames because by +default the PDU_TYPE has a value of 0, which represents the L2 frames. + +Fixes: 77eecf25bd9d2f ("net: lan966x: Update extraction/injection for timestamping") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250521124159.2713525-1-horatiu.vultur@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/microchip/lan966x/lan966x_main.c | 6 +++ + .../ethernet/microchip/lan966x/lan966x_main.h | 5 ++ + .../ethernet/microchip/lan966x/lan966x_ptp.c | 49 ++++++++++++++----- + 3 files changed, 47 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +index 534d4716d5f7d..73832bba93270 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +@@ -353,6 +353,11 @@ static void lan966x_ifh_set_rew_op(void *ifh, u64 rew_op) + lan966x_ifh_set(ifh, rew_op, IFH_POS_REW_CMD, IFH_WID_REW_CMD); + } + ++static void lan966x_ifh_set_oam_type(void *ifh, u64 oam_type) ++{ ++ lan966x_ifh_set(ifh, oam_type, IFH_POS_PDU_TYPE, IFH_WID_PDU_TYPE); ++} ++ + static void lan966x_ifh_set_timestamp(void *ifh, u64 timestamp) + { + lan966x_ifh_set(ifh, timestamp, IFH_POS_TIMESTAMP, IFH_WID_TIMESTAMP); +@@ -380,6 +385,7 @@ static netdev_tx_t lan966x_port_xmit(struct sk_buff *skb, + return err; + + lan966x_ifh_set_rew_op(ifh, LAN966X_SKB_CB(skb)->rew_op); ++ lan966x_ifh_set_oam_type(ifh, LAN966X_SKB_CB(skb)->pdu_type); + lan966x_ifh_set_timestamp(ifh, LAN966X_SKB_CB(skb)->ts_id); + } + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +index 25cb2f61986f6..bd3d19cea0034 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +@@ -75,6 +75,10 @@ + #define IFH_REW_OP_ONE_STEP_PTP 0x3 + #define IFH_REW_OP_TWO_STEP_PTP 0x4 + ++#define IFH_PDU_TYPE_NONE 0 ++#define IFH_PDU_TYPE_IPV4 7 ++#define IFH_PDU_TYPE_IPV6 8 ++ + #define FDMA_RX_DCB_MAX_DBS 1 + #define FDMA_TX_DCB_MAX_DBS 1 + +@@ -254,6 +258,7 @@ struct lan966x_phc { + + struct lan966x_skb_cb { + u8 rew_op; ++ u8 pdu_type; + u16 ts_id; + unsigned long jiffies; + }; +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c b/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c +index 63905bb5a63a8..87e5e81d40dc6 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c +@@ -322,34 +322,55 @@ void lan966x_ptp_hwtstamp_get(struct lan966x_port *port, + *cfg = phc->hwtstamp_config; + } + +-static int lan966x_ptp_classify(struct lan966x_port *port, struct sk_buff *skb) ++static void lan966x_ptp_classify(struct lan966x_port *port, struct sk_buff *skb, ++ u8 *rew_op, u8 *pdu_type) + { + struct ptp_header *header; + u8 msgtype; + int type; + +- if (port->ptp_tx_cmd == IFH_REW_OP_NOOP) +- return IFH_REW_OP_NOOP; ++ if (port->ptp_tx_cmd == IFH_REW_OP_NOOP) { ++ *rew_op = IFH_REW_OP_NOOP; ++ *pdu_type = IFH_PDU_TYPE_NONE; ++ return; ++ } + + type = ptp_classify_raw(skb); +- if (type == PTP_CLASS_NONE) +- return IFH_REW_OP_NOOP; ++ if (type == PTP_CLASS_NONE) { ++ *rew_op = IFH_REW_OP_NOOP; ++ *pdu_type = IFH_PDU_TYPE_NONE; ++ return; ++ } + + header = ptp_parse_header(skb, type); +- if (!header) +- return IFH_REW_OP_NOOP; ++ if (!header) { ++ *rew_op = IFH_REW_OP_NOOP; ++ *pdu_type = IFH_PDU_TYPE_NONE; ++ return; ++ } + +- if (port->ptp_tx_cmd == IFH_REW_OP_TWO_STEP_PTP) +- return IFH_REW_OP_TWO_STEP_PTP; ++ if (type & PTP_CLASS_L2) ++ *pdu_type = IFH_PDU_TYPE_NONE; ++ if (type & PTP_CLASS_IPV4) ++ *pdu_type = IFH_PDU_TYPE_IPV4; ++ if (type & PTP_CLASS_IPV6) ++ *pdu_type = IFH_PDU_TYPE_IPV6; ++ ++ if (port->ptp_tx_cmd == IFH_REW_OP_TWO_STEP_PTP) { ++ *rew_op = IFH_REW_OP_TWO_STEP_PTP; ++ return; ++ } + + /* If it is sync and run 1 step then set the correct operation, + * otherwise run as 2 step + */ + msgtype = ptp_get_msgtype(header, type); +- if ((msgtype & 0xf) == 0) +- return IFH_REW_OP_ONE_STEP_PTP; ++ if ((msgtype & 0xf) == 0) { ++ *rew_op = IFH_REW_OP_ONE_STEP_PTP; ++ return; ++ } + +- return IFH_REW_OP_TWO_STEP_PTP; ++ *rew_op = IFH_REW_OP_TWO_STEP_PTP; + } + + static void lan966x_ptp_txtstamp_old_release(struct lan966x_port *port) +@@ -374,10 +395,12 @@ int lan966x_ptp_txtstamp_request(struct lan966x_port *port, + { + struct lan966x *lan966x = port->lan966x; + unsigned long flags; ++ u8 pdu_type; + u8 rew_op; + +- rew_op = lan966x_ptp_classify(port, skb); ++ lan966x_ptp_classify(port, skb, &rew_op, &pdu_type); + LAN966X_SKB_CB(skb)->rew_op = rew_op; ++ LAN966X_SKB_CB(skb)->pdu_type = pdu_type; + + if (rew_op != IFH_REW_OP_TWO_STEP_PTP) + return 0; +-- +2.39.5 + diff --git a/queue-6.12/net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch b/queue-6.12/net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch new file mode 100644 index 0000000000..3b5594fcee --- /dev/null +++ b/queue-6.12/net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch @@ -0,0 +1,112 @@ +From c5ff2fcc6b34b3146e0c406f276f338986e88013 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 11:36:19 +0200 +Subject: net: lan966x: Make sure to insert the vlan tags also in host mode + +From: Horatiu Vultur + +[ Upstream commit 27eab4c644236a9324084a70fe79e511cbd07393 ] + +When running these commands on DUT (and similar at the other end) +ip link set dev eth0 up +ip link add link eth0 name eth0.10 type vlan id 10 +ip addr add 10.0.0.1/24 dev eth0.10 +ip link set dev eth0.10 up +ping 10.0.0.2 + +The ping will fail. + +The reason why is failing is because, the network interfaces for lan966x +have a flag saying that the HW can insert the vlan tags into the +frames(NETIF_F_HW_VLAN_CTAG_TX). Meaning that the frames that are +transmitted don't have the vlan tag inside the skb data, but they have +it inside the skb. We already get that vlan tag and put it in the IFH +but the problem is that we don't configure the HW to rewrite the frame +when the interface is in host mode. +The fix consists in actually configuring the HW to insert the vlan tag +if it is different than 0. + +Reviewed-by: Maxime Chevallier +Fixes: 6d2c186afa5d ("net: lan966x: Add vlan support.") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250528093619.3738998-1-horatiu.vultur@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/microchip/lan966x/lan966x_main.c | 1 + + .../ethernet/microchip/lan966x/lan966x_main.h | 1 + + .../microchip/lan966x/lan966x_switchdev.c | 1 + + .../ethernet/microchip/lan966x/lan966x_vlan.c | 21 +++++++++++++++++++ + 4 files changed, 24 insertions(+) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +index 73832bba93270..b34e015eedf9b 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +@@ -880,6 +880,7 @@ static int lan966x_probe_port(struct lan966x *lan966x, u32 p, + lan966x_vlan_port_set_vlan_aware(port, 0); + lan966x_vlan_port_set_vid(port, HOST_PVID, false, false); + lan966x_vlan_port_apply(port); ++ lan966x_vlan_port_rew_host(port); + + return 0; + } +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +index bd3d19cea0034..8aa39497818fe 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h +@@ -497,6 +497,7 @@ void lan966x_vlan_port_apply(struct lan966x_port *port); + bool lan966x_vlan_cpu_member_cpu_vlan_mask(struct lan966x *lan966x, u16 vid); + void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port, + bool vlan_aware); ++void lan966x_vlan_port_rew_host(struct lan966x_port *port); + int lan966x_vlan_port_set_vid(struct lan966x_port *port, + u16 vid, + bool pvid, +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c +index 1c88120eb291a..bcb4db76b75cd 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c +@@ -297,6 +297,7 @@ static void lan966x_port_bridge_leave(struct lan966x_port *port, + lan966x_vlan_port_set_vlan_aware(port, false); + lan966x_vlan_port_set_vid(port, HOST_PVID, false, false); + lan966x_vlan_port_apply(port); ++ lan966x_vlan_port_rew_host(port); + } + + int lan966x_port_changeupper(struct net_device *dev, +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c +index fa34a739c748e..7da22520724ce 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c +@@ -149,6 +149,27 @@ void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port, + port->vlan_aware = vlan_aware; + } + ++/* When the interface is in host mode, the interface should not be vlan aware ++ * but it should insert all the tags that it gets from the network stack. ++ * The tags are not in the data of the frame but actually in the skb and the ifh ++ * is configured already to get this tag. So what we need to do is to update the ++ * rewriter to insert the vlan tag for all frames which have a vlan tag ++ * different than 0. ++ */ ++void lan966x_vlan_port_rew_host(struct lan966x_port *port) ++{ ++ struct lan966x *lan966x = port->lan966x; ++ u32 val; ++ ++ /* Tag all frames except when VID=0*/ ++ val = REW_TAG_CFG_TAG_CFG_SET(2); ++ ++ /* Update only some bits in the register */ ++ lan_rmw(val, ++ REW_TAG_CFG_TAG_CFG, ++ lan966x, REW_TAG_CFG(port->chip_port)); ++} ++ + void lan966x_vlan_port_apply(struct lan966x_port *port) + { + struct lan966x *lan966x = port->lan966x; +-- +2.39.5 + diff --git a/queue-6.12/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch b/queue-6.12/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch new file mode 100644 index 0000000000..0ee48d5a13 --- /dev/null +++ b/queue-6.12/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch @@ -0,0 +1,41 @@ +From e02703d5442cf0c0f7fd9a0f0d907c7d2b10b278 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 11:11:09 +0300 +Subject: net/mlx4_en: Prevent potential integer overflow calculating Hz + +From: Dan Carpenter + +[ Upstream commit 54d34165b4f786d7fea8412a18fb4a54c1eab623 ] + +The "freq" variable is in terms of MHz and "max_val_cycles" is in terms +of Hz. The fact that "max_val_cycles" is a u64 suggests that support +for high frequency is intended but the "freq_khz * 1000" would overflow +the u32 type if we went above 4GHz. Use unsigned long long type for the +mutliplication to prevent that. + +Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/aDbFHe19juIJKjsb@stanley.mountain +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +index cd754cd76bde1..d73a2044dc266 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +@@ -249,7 +249,7 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = { + static u32 freq_to_shift(u16 freq) + { + u32 freq_khz = freq * 1000; +- u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC; ++ u64 max_val_cycles = freq_khz * 1000ULL * MLX4_EN_WRAP_AROUND_SEC; + u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1); + /* calculate max possible multiplier in order to fit in 64bit */ + u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded); +-- +2.39.5 + diff --git a/queue-6.12/net-mlx5-avoid-using-xso.real_dev-unnecessarily.patch b/queue-6.12/net-mlx5-avoid-using-xso.real_dev-unnecessarily.patch new file mode 100644 index 0000000000..ec823416ac --- /dev/null +++ b/queue-6.12/net-mlx5-avoid-using-xso.real_dev-unnecessarily.patch @@ -0,0 +1,115 @@ +From d78989e58d25445fbdbbaca9fdd629f5c0b02954 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Apr 2025 10:49:53 +0300 +Subject: net/mlx5: Avoid using xso.real_dev unnecessarily + +From: Cosmin Ratiu + +[ Upstream commit d79444e8c3d40b11f5e155e5591d53bd1e512e1f ] + +xso.real_dev is the active device of an offloaded xfrm state and is +managed by bonding. As such, it's subject to change when states are +migrated to a new device. Using it in places other than +offloading/unoffloading the states is risky. + +This commit saves the device into the driver-specific struct +mlx5e_ipsec_sa_entry and switches mlx5e_ipsec_init_macs() and +mlx5e_ipsec_netevent_event() to make use of it. + +Additionally, mlx5e_xfrm_update_stats() used xso.real_dev to validate +that correct net locks are held. But in a bonding config, the net of the +master device is the same as the underlying devices, and the net is +already a local var, so use that instead. + +The only remaining references to xso.real_dev are now in the +.xdo_dev_state_add() / .xdo_dev_state_delete() path. + +Signed-off-by: Cosmin Ratiu +Reviewed-by: Leon Romanovsky +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 16 +++++----------- + .../ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 1 + + 2 files changed, 6 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index 1baf8933a07cb..94edfd7713b5d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -266,8 +266,7 @@ static void mlx5e_ipsec_init_macs(struct mlx5e_ipsec_sa_entry *sa_entry, + struct mlx5_accel_esp_xfrm_attrs *attrs) + { + struct mlx5_core_dev *mdev = mlx5e_ipsec_sa2dev(sa_entry); +- struct xfrm_state *x = sa_entry->x; +- struct net_device *netdev; ++ struct net_device *netdev = sa_entry->dev; + struct neighbour *n; + u8 addr[ETH_ALEN]; + const void *pkey; +@@ -277,8 +276,6 @@ static void mlx5e_ipsec_init_macs(struct mlx5e_ipsec_sa_entry *sa_entry, + attrs->type != XFRM_DEV_OFFLOAD_PACKET) + return; + +- netdev = x->xso.real_dev; +- + mlx5_query_mac_address(mdev, addr); + switch (attrs->dir) { + case XFRM_DEV_OFFLOAD_IN: +@@ -707,6 +704,7 @@ static int mlx5e_xfrm_add_state(struct xfrm_state *x, + return -ENOMEM; + + sa_entry->x = x; ++ sa_entry->dev = netdev; + sa_entry->ipsec = ipsec; + /* Check if this SA is originated from acquire flow temporary SA */ + if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ) +@@ -849,8 +847,6 @@ static int mlx5e_ipsec_netevent_event(struct notifier_block *nb, + struct mlx5e_ipsec_sa_entry *sa_entry; + struct mlx5e_ipsec *ipsec; + struct neighbour *n = ptr; +- struct net_device *netdev; +- struct xfrm_state *x; + unsigned long idx; + + if (event != NETEVENT_NEIGH_UPDATE || !(n->nud_state & NUD_VALID)) +@@ -870,11 +866,9 @@ static int mlx5e_ipsec_netevent_event(struct notifier_block *nb, + continue; + } + +- x = sa_entry->x; +- netdev = x->xso.real_dev; + data = sa_entry->work->data; + +- neigh_ha_snapshot(data->addr, n, netdev); ++ neigh_ha_snapshot(data->addr, n, sa_entry->dev); + queue_work(ipsec->wq, &sa_entry->work->work); + } + +@@ -1005,8 +999,8 @@ static void mlx5e_xfrm_update_stats(struct xfrm_state *x) + size_t headers; + + lockdep_assert(lockdep_is_held(&x->lock) || +- lockdep_is_held(&dev_net(x->xso.real_dev)->xfrm.xfrm_cfg_mutex) || +- lockdep_is_held(&dev_net(x->xso.real_dev)->xfrm.xfrm_state_lock)); ++ lockdep_is_held(&net->xfrm.xfrm_cfg_mutex) || ++ lockdep_is_held(&net->xfrm.xfrm_state_lock)); + + if (x->xso.flags & XFRM_DEV_OFFLOAD_FLAG_ACQ) + return; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +index 7d943e93cf6dc..9aff779c77c89 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +@@ -260,6 +260,7 @@ struct mlx5e_ipsec_limits { + struct mlx5e_ipsec_sa_entry { + struct mlx5e_ipsec_esn_state esn_state; + struct xfrm_state *x; ++ struct net_device *dev; + struct mlx5e_ipsec *ipsec; + struct mlx5_accel_esp_xfrm_attrs attrs; + void (*set_iv_op)(struct sk_buff *skb, struct xfrm_state *x, +-- +2.39.5 + diff --git a/queue-6.12/net-ncsi-fix-gcps-64-bit-member-variables.patch b/queue-6.12/net-ncsi-fix-gcps-64-bit-member-variables.patch new file mode 100644 index 0000000000..7faf7fc78f --- /dev/null +++ b/queue-6.12/net-ncsi-fix-gcps-64-bit-member-variables.patch @@ -0,0 +1,161 @@ +From 61b893b05fd2c5490fb84fa45aeb99123c003622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 18:23:08 -0700 +Subject: net: ncsi: Fix GCPS 64-bit member variables + +From: Hari Kalavakunta + +[ Upstream commit e8a1bd8344054ce27bebf59f48e3f6bc10bc419b ] + +Correct Get Controller Packet Statistics (GCPS) 64-bit wide member +variables, as per DSP0222 v1.0.0 and forward specs. The Driver currently +collects these stats, but they are yet to be exposed to the user. +Therefore, no user impact. + +Statistics fixes: +Total Bytes Received (byte range 28..35) +Total Bytes Transmitted (byte range 36..43) +Total Unicast Packets Received (byte range 44..51) +Total Multicast Packets Received (byte range 52..59) +Total Broadcast Packets Received (byte range 60..67) +Total Unicast Packets Transmitted (byte range 68..75) +Total Multicast Packets Transmitted (byte range 76..83) +Total Broadcast Packets Transmitted (byte range 84..91) +Valid Bytes Received (byte range 204..11) + +Signed-off-by: Hari Kalavakunta +Reviewed-by: Paul Fertser +Link: https://patch.msgid.link/20250410012309.1343-1-kalavakunta.hari.prasad@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 21 ++++++++++----------- + net/ncsi/ncsi-pkt.h | 23 +++++++++++------------ + net/ncsi/ncsi-rsp.c | 21 ++++++++++----------- + 3 files changed, 31 insertions(+), 34 deletions(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index 4e0842df5234e..2c260f33b55cc 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -143,16 +143,15 @@ struct ncsi_channel_vlan_filter { + }; + + struct ncsi_channel_stats { +- u32 hnc_cnt_hi; /* Counter cleared */ +- u32 hnc_cnt_lo; /* Counter cleared */ +- u32 hnc_rx_bytes; /* Rx bytes */ +- u32 hnc_tx_bytes; /* Tx bytes */ +- u32 hnc_rx_uc_pkts; /* Rx UC packets */ +- u32 hnc_rx_mc_pkts; /* Rx MC packets */ +- u32 hnc_rx_bc_pkts; /* Rx BC packets */ +- u32 hnc_tx_uc_pkts; /* Tx UC packets */ +- u32 hnc_tx_mc_pkts; /* Tx MC packets */ +- u32 hnc_tx_bc_pkts; /* Tx BC packets */ ++ u64 hnc_cnt; /* Counter cleared */ ++ u64 hnc_rx_bytes; /* Rx bytes */ ++ u64 hnc_tx_bytes; /* Tx bytes */ ++ u64 hnc_rx_uc_pkts; /* Rx UC packets */ ++ u64 hnc_rx_mc_pkts; /* Rx MC packets */ ++ u64 hnc_rx_bc_pkts; /* Rx BC packets */ ++ u64 hnc_tx_uc_pkts; /* Tx UC packets */ ++ u64 hnc_tx_mc_pkts; /* Tx MC packets */ ++ u64 hnc_tx_bc_pkts; /* Tx BC packets */ + u32 hnc_fcs_err; /* FCS errors */ + u32 hnc_align_err; /* Alignment errors */ + u32 hnc_false_carrier; /* False carrier detection */ +@@ -181,7 +180,7 @@ struct ncsi_channel_stats { + u32 hnc_tx_1023_frames; /* Tx 512-1023 bytes frames */ + u32 hnc_tx_1522_frames; /* Tx 1024-1522 bytes frames */ + u32 hnc_tx_9022_frames; /* Tx 1523-9022 bytes frames */ +- u32 hnc_rx_valid_bytes; /* Rx valid bytes */ ++ u64 hnc_rx_valid_bytes; /* Rx valid bytes */ + u32 hnc_rx_runt_pkts; /* Rx error runt packets */ + u32 hnc_rx_jabber_pkts; /* Rx error jabber packets */ + u32 ncsi_rx_cmds; /* Rx NCSI commands */ +diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h +index f2f3b5c1b9412..24edb27379724 100644 +--- a/net/ncsi/ncsi-pkt.h ++++ b/net/ncsi/ncsi-pkt.h +@@ -252,16 +252,15 @@ struct ncsi_rsp_gp_pkt { + /* Get Controller Packet Statistics */ + struct ncsi_rsp_gcps_pkt { + struct ncsi_rsp_pkt_hdr rsp; /* Response header */ +- __be32 cnt_hi; /* Counter cleared */ +- __be32 cnt_lo; /* Counter cleared */ +- __be32 rx_bytes; /* Rx bytes */ +- __be32 tx_bytes; /* Tx bytes */ +- __be32 rx_uc_pkts; /* Rx UC packets */ +- __be32 rx_mc_pkts; /* Rx MC packets */ +- __be32 rx_bc_pkts; /* Rx BC packets */ +- __be32 tx_uc_pkts; /* Tx UC packets */ +- __be32 tx_mc_pkts; /* Tx MC packets */ +- __be32 tx_bc_pkts; /* Tx BC packets */ ++ __be64 cnt; /* Counter cleared */ ++ __be64 rx_bytes; /* Rx bytes */ ++ __be64 tx_bytes; /* Tx bytes */ ++ __be64 rx_uc_pkts; /* Rx UC packets */ ++ __be64 rx_mc_pkts; /* Rx MC packets */ ++ __be64 rx_bc_pkts; /* Rx BC packets */ ++ __be64 tx_uc_pkts; /* Tx UC packets */ ++ __be64 tx_mc_pkts; /* Tx MC packets */ ++ __be64 tx_bc_pkts; /* Tx BC packets */ + __be32 fcs_err; /* FCS errors */ + __be32 align_err; /* Alignment errors */ + __be32 false_carrier; /* False carrier detection */ +@@ -290,11 +289,11 @@ struct ncsi_rsp_gcps_pkt { + __be32 tx_1023_frames; /* Tx 512-1023 bytes frames */ + __be32 tx_1522_frames; /* Tx 1024-1522 bytes frames */ + __be32 tx_9022_frames; /* Tx 1523-9022 bytes frames */ +- __be32 rx_valid_bytes; /* Rx valid bytes */ ++ __be64 rx_valid_bytes; /* Rx valid bytes */ + __be32 rx_runt_pkts; /* Rx error runt packets */ + __be32 rx_jabber_pkts; /* Rx error jabber packets */ + __be32 checksum; /* Checksum */ +-}; ++} __packed __aligned(4); + + /* Get NCSI Statistics */ + struct ncsi_rsp_gns_pkt { +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index 4a8ce2949faea..8668888c5a2f9 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -926,16 +926,15 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr) + + /* Update HNC's statistics */ + ncs = &nc->stats; +- ncs->hnc_cnt_hi = ntohl(rsp->cnt_hi); +- ncs->hnc_cnt_lo = ntohl(rsp->cnt_lo); +- ncs->hnc_rx_bytes = ntohl(rsp->rx_bytes); +- ncs->hnc_tx_bytes = ntohl(rsp->tx_bytes); +- ncs->hnc_rx_uc_pkts = ntohl(rsp->rx_uc_pkts); +- ncs->hnc_rx_mc_pkts = ntohl(rsp->rx_mc_pkts); +- ncs->hnc_rx_bc_pkts = ntohl(rsp->rx_bc_pkts); +- ncs->hnc_tx_uc_pkts = ntohl(rsp->tx_uc_pkts); +- ncs->hnc_tx_mc_pkts = ntohl(rsp->tx_mc_pkts); +- ncs->hnc_tx_bc_pkts = ntohl(rsp->tx_bc_pkts); ++ ncs->hnc_cnt = be64_to_cpu(rsp->cnt); ++ ncs->hnc_rx_bytes = be64_to_cpu(rsp->rx_bytes); ++ ncs->hnc_tx_bytes = be64_to_cpu(rsp->tx_bytes); ++ ncs->hnc_rx_uc_pkts = be64_to_cpu(rsp->rx_uc_pkts); ++ ncs->hnc_rx_mc_pkts = be64_to_cpu(rsp->rx_mc_pkts); ++ ncs->hnc_rx_bc_pkts = be64_to_cpu(rsp->rx_bc_pkts); ++ ncs->hnc_tx_uc_pkts = be64_to_cpu(rsp->tx_uc_pkts); ++ ncs->hnc_tx_mc_pkts = be64_to_cpu(rsp->tx_mc_pkts); ++ ncs->hnc_tx_bc_pkts = be64_to_cpu(rsp->tx_bc_pkts); + ncs->hnc_fcs_err = ntohl(rsp->fcs_err); + ncs->hnc_align_err = ntohl(rsp->align_err); + ncs->hnc_false_carrier = ntohl(rsp->false_carrier); +@@ -964,7 +963,7 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr) + ncs->hnc_tx_1023_frames = ntohl(rsp->tx_1023_frames); + ncs->hnc_tx_1522_frames = ntohl(rsp->tx_1522_frames); + ncs->hnc_tx_9022_frames = ntohl(rsp->tx_9022_frames); +- ncs->hnc_rx_valid_bytes = ntohl(rsp->rx_valid_bytes); ++ ncs->hnc_rx_valid_bytes = be64_to_cpu(rsp->rx_valid_bytes); + ncs->hnc_rx_runt_pkts = ntohl(rsp->rx_runt_pkts); + ncs->hnc_rx_jabber_pkts = ntohl(rsp->rx_jabber_pkts); + +-- +2.39.5 + diff --git a/queue-6.12/net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch b/queue-6.12/net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch new file mode 100644 index 0000000000..09b0151892 --- /dev/null +++ b/queue-6.12/net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch @@ -0,0 +1,75 @@ +From a796258ee4187cb747d0b3972aae0f18a2b5aa25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 03:41:43 +0000 +Subject: net: openvswitch: Fix the dead loop of MPLS parse + +From: Faicker Mo + +[ Upstream commit 0bdc924bfb319fb10d1113cbf091fc26fb7b1f99 ] + +The unexpected MPLS packet may not end with the bottom label stack. +When there are many stacks, The label count value has wrapped around. +A dead loop occurs, soft lockup/CPU stuck finally. + +stack backtrace: +UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26 +index -1 is out of range for type '__be32 [3]' +CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu +Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021 +Call Trace: + + show_stack+0x52/0x5c + dump_stack_lvl+0x4a/0x63 + dump_stack+0x10/0x16 + ubsan_epilogue+0x9/0x36 + __ubsan_handle_out_of_bounds.cold+0x44/0x49 + key_extract_l3l4+0x82a/0x840 [openvswitch] + ? kfree_skbmem+0x52/0xa0 + key_extract+0x9c/0x2b0 [openvswitch] + ovs_flow_key_extract+0x124/0x350 [openvswitch] + ovs_vport_receive+0x61/0xd0 [openvswitch] + ? kernel_init_free_pages.part.0+0x4a/0x70 + ? get_page_from_freelist+0x353/0x540 + netdev_port_receive+0xc4/0x180 [openvswitch] + ? netdev_port_receive+0x180/0x180 [openvswitch] + netdev_frame_hook+0x1f/0x40 [openvswitch] + __netif_receive_skb_core.constprop.0+0x23a/0xf00 + __netif_receive_skb_list_core+0xfa/0x240 + netif_receive_skb_list_internal+0x18e/0x2a0 + napi_complete_done+0x7a/0x1c0 + bnxt_poll+0x155/0x1c0 [bnxt_en] + __napi_poll+0x30/0x180 + net_rx_action+0x126/0x280 + ? bnxt_msix+0x67/0x80 [bnxt_en] + handle_softirqs+0xda/0x2d0 + irq_exit_rcu+0x96/0xc0 + common_interrupt+0x8e/0xa0 + + +Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction") +Signed-off-by: Faicker Mo +Acked-by: Ilya Maximets +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/259D3404-575D-4A6D-B263-1DF59A67CF89@zenlayer.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/flow.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c +index 8a848ce72e291..b80bd3a907739 100644 +--- a/net/openvswitch/flow.c ++++ b/net/openvswitch/flow.c +@@ -788,7 +788,7 @@ static int key_extract_l3l4(struct sk_buff *skb, struct sw_flow_key *key) + memset(&key->ipv4, 0, sizeof(key->ipv4)); + } + } else if (eth_p_mpls(key->eth.type)) { +- u8 label_count = 1; ++ size_t label_count = 1; + + memset(&key->mpls, 0, sizeof(key->mpls)); + skb_set_inner_network_header(skb, skb->mac_len); +-- +2.39.5 + diff --git a/queue-6.12/net-phy-clear-phydev-devlink-when-the-link-is-delete.patch b/queue-6.12/net-phy-clear-phydev-devlink-when-the-link-is-delete.patch new file mode 100644 index 0000000000..aee954284e --- /dev/null +++ b/queue-6.12/net-phy-clear-phydev-devlink-when-the-link-is-delete.patch @@ -0,0 +1,61 @@ +From e2d4caab7b256749a9a19e0e20a71cfaa5244c45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 16:37:59 +0800 +Subject: net: phy: clear phydev->devlink when the link is deleted + +From: Wei Fang + +[ Upstream commit 0795b05a59b1371b18ffbf09d385296b12e9f5d5 ] + +There is a potential crash issue when disabling and re-enabling the +network port. When disabling the network port, phy_detach() calls +device_link_del() to remove the device link, but it does not clear +phydev->devlink, so phydev->devlink is not a NULL pointer. Then the +network port is re-enabled, but if phy_attach_direct() fails before +calling device_link_add(), the code jumps to the "error" label and +calls phy_detach(). Since phydev->devlink retains the old value from +the previous attach/detach cycle, device_link_del() uses the old value, +which accesses a NULL pointer and causes a crash. The simplified crash +log is as follows. + +[ 24.702421] Call trace: +[ 24.704856] device_link_put_kref+0x20/0x120 +[ 24.709124] device_link_del+0x30/0x48 +[ 24.712864] phy_detach+0x24/0x168 +[ 24.716261] phy_attach_direct+0x168/0x3a4 +[ 24.720352] phylink_fwnode_phy_connect+0xc8/0x14c +[ 24.725140] phylink_of_phy_connect+0x1c/0x34 + +Therefore, phydev->devlink needs to be cleared when the device link is +deleted. + +Fixes: bc66fa87d4fd ("net: phy: Add link between phy dev and mac dev") +Signed-off-by: Wei Fang +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250523083759.3741168-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 8af44224480f1..13dea33d86ffa 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -2010,8 +2010,10 @@ void phy_detach(struct phy_device *phydev) + struct module *ndev_owner = NULL; + struct mii_bus *bus; + +- if (phydev->devlink) ++ if (phydev->devlink) { + device_link_del(phydev->devlink); ++ phydev->devlink = NULL; ++ } + + if (phydev->sysfs_links) { + if (dev) +-- +2.39.5 + diff --git a/queue-6.12/net-phy-fix-up-const-issues-in-to_mdio_device-and-to.patch b/queue-6.12/net-phy-fix-up-const-issues-in-to_mdio_device-and-to.patch new file mode 100644 index 0000000000..a68fa7cd96 --- /dev/null +++ b/queue-6.12/net-phy-fix-up-const-issues-in-to_mdio_device-and-to.patch @@ -0,0 +1,63 @@ +From e8b22bb04dfc3ba2f5947023c390c4007b61af3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 13:21:47 +0200 +Subject: net: phy: fix up const issues in to_mdio_device() and to_phy_device() + +From: Greg Kroah-Hartman + +[ Upstream commit e9cb929670a1e98b592b30f03f06e9e20110f318 ] + +Both to_mdio_device() and to_phy_device() "throw away" the const pointer +attribute passed to them and return a non-const pointer, which generally +is not a good thing overall. Fix this up by using container_of_const() +which was designed for this very problem. + +Cc: Alexander Lobakin +Cc: Andrew Lunn +Cc: Heiner Kallweit +Cc: Russell King +Fixes: 7eab14de73a8 ("mdio, phy: fix -Wshadow warnings triggered by nested container_of()") +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2025052246-conduit-glory-8fc9@gregkh +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/mdio.h | 5 +---- + include/linux/phy.h | 5 +---- + 2 files changed, 2 insertions(+), 8 deletions(-) + +diff --git a/include/linux/mdio.h b/include/linux/mdio.h +index efeca5bd7600b..84b0805918372 100644 +--- a/include/linux/mdio.h ++++ b/include/linux/mdio.h +@@ -45,10 +45,7 @@ struct mdio_device { + unsigned int reset_deassert_delay; + }; + +-static inline struct mdio_device *to_mdio_device(const struct device *dev) +-{ +- return container_of(dev, struct mdio_device, dev); +-} ++#define to_mdio_device(__dev) container_of_const(__dev, struct mdio_device, dev) + + /* struct mdio_driver_common: Common to all MDIO drivers */ + struct mdio_driver_common { +diff --git a/include/linux/phy.h b/include/linux/phy.h +index 945264f457d8a..dfc7b97f9648d 100644 +--- a/include/linux/phy.h ++++ b/include/linux/phy.h +@@ -792,10 +792,7 @@ struct phy_device { + #define PHY_F_NO_IRQ 0x80000000 + #define PHY_F_RXC_ALWAYS_ON 0x40000000 + +-static inline struct phy_device *to_phy_device(const struct device *dev) +-{ +- return container_of(to_mdio_device(dev), struct phy_device, mdio); +-} ++#define to_phy_device(__dev) container_of_const(to_mdio_device(__dev), struct phy_device, mdio) + + /** + * struct phy_tdr_config - Configuration of a TDR raw test +-- +2.39.5 + diff --git a/queue-6.12/net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch b/queue-6.12/net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch new file mode 100644 index 0000000000..195f225cb6 --- /dev/null +++ b/queue-6.12/net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch @@ -0,0 +1,62 @@ +From ec926b47e815ab36863b77b23ad9c6fd288ce050 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 13:57:22 +0200 +Subject: net: phy: mscc: Fix memory leak when using one step timestamping + +From: Horatiu Vultur + +[ Upstream commit 846992645b25ec4253167e3f931e4597eb84af56 ] + +Fix memory leak when running one-step timestamping. When running +one-step sync timestamping, the HW is configured to insert the TX time +into the frame, so there is no reason to keep the skb anymore. As in +this case the HW will never generate an interrupt to say that the frame +was timestamped, then the frame will never released. +Fix this by freeing the frame in case of one-step timestamping. + +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250522115722.2827199-1-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index 738a8822fcf01..0173aa3b4ead1 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -1163,18 +1163,24 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts, + container_of(mii_ts, struct vsc8531_private, mii_ts); + + if (!vsc8531->ptp->configured) +- return; ++ goto out; + +- if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) { +- kfree_skb(skb); +- return; +- } ++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) ++ goto out; ++ ++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC) ++ if (ptp_msg_is_sync(skb, type)) ++ goto out; + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + + mutex_lock(&vsc8531->ts_lock); + __skb_queue_tail(&vsc8531->ptp->tx_queue, skb); + mutex_unlock(&vsc8531->ts_lock); ++ return; ++ ++out: ++ kfree_skb(skb); + } + + static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts, +-- +2.39.5 + diff --git a/queue-6.12/net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch b/queue-6.12/net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch new file mode 100644 index 0000000000..c0689a66a6 --- /dev/null +++ b/queue-6.12/net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch @@ -0,0 +1,47 @@ +From cbf3cbfc22672c560b1d92770ac64ee1af22133d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 10:27:16 +0200 +Subject: net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames + +From: Horatiu Vultur + +[ Upstream commit 57a92d14659df3e7e7e0052358c8cc68bbbc3b5e ] + +We have noticed that when PHY timestamping is enabled, L2 frames seems +to be modified by changing two 2 bytes with a value of 0. The place were +these 2 bytes seems to be random(or I couldn't find a pattern). In most +of the cases the userspace can ignore these frames but if for example +those 2 bytes are in the correction field there is nothing to do. This +seems to happen when configuring the HW for IPv4 even that the flow is +not enabled. +These 2 bytes correspond to the UDPv4 checksum and once we don't enable +clearing the checksum when using L2 frames then the frame doesn't seem +to be changed anymore. + +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250523082716.2935895-1-horatiu.vultur@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index 0173aa3b4ead1..ce49f3ac6939b 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -943,7 +943,9 @@ static int vsc85xx_ip1_conf(struct phy_device *phydev, enum ts_blk blk, + /* UDP checksum offset in IPv4 packet + * according to: https://tools.ietf.org/html/rfc768 + */ +- val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26) | IP1_NXT_PROT_UDP_CHKSUM_CLEAR; ++ val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26); ++ if (enable) ++ val |= IP1_NXT_PROT_UDP_CHKSUM_CLEAR; + vsc85xx_ts_write_csr(phydev, blk, MSCC_ANA_IP1_NXT_PROT_UDP_CHKSUM, + val); + +-- +2.39.5 + diff --git a/queue-6.12/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch b/queue-6.12/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch new file mode 100644 index 0000000000..08ae2a8c86 --- /dev/null +++ b/queue-6.12/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch @@ -0,0 +1,88 @@ +From 4e795fcb94d15f86cd9fe5a5808c29ad1bffbdcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 11:07:23 +0200 +Subject: net: stmmac: make sure that ptp_rate is not 0 before configuring + timestamping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexis Lothoré + +[ Upstream commit 030ce919e114a111e83b7976ecb3597cefd33f26 ] + +The stmmac platform drivers that do not open-code the clk_ptp_rate value +after having retrieved the default one from the device-tree can end up +with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will +eventually propagate up to PTP initialization when bringing up the +interface, leading to a divide by 0: + + Division by zero in kernel. + CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22 + Hardware name: STM32 (Device Tree Support) + Call trace: + unwind_backtrace from show_stack+0x18/0x1c + show_stack from dump_stack_lvl+0x6c/0x8c + dump_stack_lvl from Ldiv0_64+0x8/0x18 + Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4 + stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c + stmmac_hw_setup from __stmmac_open+0x18c/0x434 + __stmmac_open from stmmac_open+0x3c/0xbc + stmmac_open from __dev_open+0xf4/0x1ac + __dev_open from __dev_change_flags+0x1cc/0x224 + __dev_change_flags from dev_change_flags+0x24/0x60 + dev_change_flags from ip_auto_config+0x2e8/0x11a0 + ip_auto_config from do_one_initcall+0x84/0x33c + do_one_initcall from kernel_init_freeable+0x1b8/0x214 + kernel_init_freeable from kernel_init+0x24/0x140 + kernel_init from ret_from_fork+0x14/0x28 + Exception stack(0xe0815fb0 to 0xe0815ff8) + +Prevent this division by 0 by adding an explicit check and error log +about the actual issue. While at it, remove the same check from +stmmac_ptp_register, which then becomes duplicate + +Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.") +Signed-off-by: Alexis Lothoré +Reviewed-by: Yanteng Si +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++ + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 918d7f2e8ba99..f68e3ece919cc 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -835,6 +835,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags) + if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp)) + return -EOPNOTSUPP; + ++ if (!priv->plat->clk_ptp_rate) { ++ netdev_err(priv->dev, "Invalid PTP clock rate"); ++ return -EINVAL; ++ } ++ + stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags); + priv->systime_flags = systime_flags; + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +index a6b1de9a251dd..5c85040a1b937 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c +@@ -303,7 +303,7 @@ void stmmac_ptp_register(struct stmmac_priv *priv) + + /* Calculate the clock domain crossing (CDC) error if necessary */ + priv->plat->cdc_error_adj = 0; +- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate) ++ if (priv->plat->has_gmac4) + priv->plat->cdc_error_adj = (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate; + + stmmac_ptp_clock_ops.n_per_out = priv->dma_cap.pps_out_num; +-- +2.39.5 + diff --git a/queue-6.12/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch-7636 b/queue-6.12/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch-7636 new file mode 100644 index 0000000000..0e2139bdd2 --- /dev/null +++ b/queue-6.12/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch-7636 @@ -0,0 +1,48 @@ +From ea7cfcb6cd7bcbb0c5526b5aa7f96c7a65563d2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 11:07:24 +0200 +Subject: net: stmmac: make sure that ptp_rate is not 0 before configuring EST +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexis Lothoré + +[ Upstream commit cbefe2ffa7784525ec5d008ba87c7add19ec631a ] + +If the ptp_rate recorded earlier in the driver happens to be 0, this +bogus value will propagate up to EST configuration, where it will +trigger a division by 0. + +Prevent this division by 0 by adding the corresponding check and error +code. + +Suggested-by: Maxime Chevallier +Signed-off-by: Alexis Lothoré +Fixes: 8572aec3d0dc ("net: stmmac: Add basic EST support for XGMAC") +Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-2-d73340a794d5@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_est.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_est.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_est.c +index c9693f77e1f61..ac6f2e3a3fcd2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_est.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_est.c +@@ -32,6 +32,11 @@ static int est_configure(struct stmmac_priv *priv, struct stmmac_est *cfg, + int i, ret = 0; + u32 ctrl; + ++ if (!ptp_rate) { ++ netdev_warn(priv->dev, "Invalid PTP rate"); ++ return -EINVAL; ++ } ++ + ret |= est_write(est_addr, EST_BTR_LOW, cfg->btr[0], false); + ret |= est_write(est_addr, EST_BTR_HIGH, cfg->btr[1], false); + ret |= est_write(est_addr, EST_TER, cfg->ter, false); +-- +2.39.5 + diff --git a/queue-6.12/net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch b/queue-6.12/net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch new file mode 100644 index 0000000000..4d5bfc05f1 --- /dev/null +++ b/queue-6.12/net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch @@ -0,0 +1,68 @@ +From 315c0a757579b3ac015bd822a5c638a093104a21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 13:56:23 +0200 +Subject: net: stmmac: platform: guarantee uniqueness of bus_id + +From: Quentin Schulz + +[ Upstream commit eb7fd7aa35bfcc1e1fda4ecc42ccfcb526cdc780 ] + +bus_id is currently derived from the ethernetX alias. If one is missing +for the device, 0 is used. If ethernet0 points to another stmmac device +or if there are 2+ stmmac devices without an ethernet alias, then bus_id +will be 0 for all of those. + +This is an issue because the bus_id is used to generate the mdio bus id +(new_bus->id in drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +stmmac_mdio_register) and this needs to be unique. + +This allows to avoid needing to define ethernet aliases for devices with +multiple stmmac controllers (such as the Rockchip RK3588) for multiple +stmmac devices to probe properly. + +Obviously, the bus_id isn't guaranteed to be stable across reboots if no +alias is set for the device but that is easily fixed by simply adding an +alias if this is desired. + +Fixes: 25c83b5c2e82 ("dt:net:stmmac: Add support to dwmac version 3.610 and 3.710") +Signed-off-by: Quentin Schulz +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20250527-stmmac-mdio-bus_id-v2-1-a5ca78454e3c@cherry.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index aaf008bdbbcd4..8fd868b671a26 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -419,6 +419,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + struct device_node *np = pdev->dev.of_node; + struct plat_stmmacenet_data *plat; + struct stmmac_dma_cfg *dma_cfg; ++ static int bus_id = -ENODEV; + int phy_mode; + void *ret; + int rc; +@@ -454,8 +455,14 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac) + of_property_read_u32(np, "max-speed", &plat->max_speed); + + plat->bus_id = of_alias_get_id(np, "ethernet"); +- if (plat->bus_id < 0) +- plat->bus_id = 0; ++ if (plat->bus_id < 0) { ++ if (bus_id < 0) ++ bus_id = of_alias_get_highest_id("ethernet"); ++ /* No ethernet alias found, init at -1 so first bus_id is 0 */ ++ if (bus_id < 0) ++ bus_id = -1; ++ plat->bus_id = ++bus_id; ++ } + + /* Default to phy auto-detection */ + plat->phy_addr = -1; +-- +2.39.5 + diff --git a/queue-6.12/net-ti-icssg-prueth-fix-swapped-tx-stats-for-mii-int.patch b/queue-6.12/net-ti-icssg-prueth-fix-swapped-tx-stats-for-mii-int.patch new file mode 100644 index 0000000000..fbe5a3bebf --- /dev/null +++ b/queue-6.12/net-ti-icssg-prueth-fix-swapped-tx-stats-for-mii-int.patch @@ -0,0 +1,47 @@ +From f13ac1d4c14c7aa9ef47e4d948a53a975939aa54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 10:59:04 +0530 +Subject: net: ti: icssg-prueth: Fix swapped TX stats for MII interfaces. + +From: Meghana Malladi + +[ Upstream commit 919d763d609428c2680ec8159257d9655f002f89 ] + +In MII mode, Tx lines are swapped for port0 and port1, which means +Tx port0 receives data from PRU1 and the Tx port1 receives data from +PRU0. This is an expected hardware behavior and reading the Tx stats +needs to be handled accordingly in the driver. Update the driver to +read Tx stats from the PRU1 for port0 and PRU0 for port1. + +Fixes: c1e10d5dc7a1 ("net: ti: icssg-prueth: Add ICSSG Stats") +Signed-off-by: Meghana Malladi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250603052904.431203-1-m-malladi@ti.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/icssg/icssg_stats.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/ti/icssg/icssg_stats.c b/drivers/net/ethernet/ti/icssg/icssg_stats.c +index 6f0edae38ea24..172ae38381b45 100644 +--- a/drivers/net/ethernet/ti/icssg/icssg_stats.c ++++ b/drivers/net/ethernet/ti/icssg/icssg_stats.c +@@ -29,6 +29,14 @@ void emac_update_hardware_stats(struct prueth_emac *emac) + spin_lock(&prueth->stats_lock); + + for (i = 0; i < ARRAY_SIZE(icssg_all_miig_stats); i++) { ++ /* In MII mode TX lines are swapped inside ICSSG, so read Tx stats ++ * from slice1 for port0 and slice0 for port1 to get accurate Tx ++ * stats for a given port ++ */ ++ if (emac->phy_if == PHY_INTERFACE_MODE_MII && ++ icssg_all_miig_stats[i].offset >= ICSSG_TX_PACKET_OFFSET && ++ icssg_all_miig_stats[i].offset <= ICSSG_TX_BYTE_OFFSET) ++ base = stats_base[slice ^ 1]; + regmap_read(prueth->miig_rt, + base + icssg_all_miig_stats[i].offset, + &val); +-- +2.39.5 + diff --git a/queue-6.12/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch b/queue-6.12/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch new file mode 100644 index 0000000000..a192ee9743 --- /dev/null +++ b/queue-6.12/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch @@ -0,0 +1,57 @@ +From 1b98711ee7e22b5025e9f44031efc18255fcc810 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 16:35:44 +0000 +Subject: net: tipc: fix refcount warning in tipc_aead_encrypt + +From: Charalampos Mitrodimas + +[ Upstream commit f29ccaa07cf3d35990f4d25028cc55470d29372b ] + +syzbot reported a refcount warning [1] caused by calling get_net() on +a network namespace that is being destroyed (refcount=0). This happens +when a TIPC discovery timer fires during network namespace cleanup. + +The recently added get_net() call in commit e279024617134 ("net/tipc: +fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to +hold a reference to the network namespace. However, if the namespace +is already being destroyed, its refcount might be zero, leading to the +use-after-free warning. + +Replace get_net() with maybe_get_net(), which safely checks if the +refcount is non-zero before incrementing it. If the namespace is being +destroyed, return -ENODEV early, after releasing the bearer reference. + +[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2 + +Reported-by: syzbot+f0c4a4aba757549ae26c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2 +Fixes: e27902461713 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") +Signed-off-by: Charalampos Mitrodimas +Reviewed-by: Tung Nguyen +Link: https://patch.msgid.link/20250527-net-tipc-warning-v2-1-df3dc398a047@posteo.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 8584893b47851..79f91b6ca8c84 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -818,7 +818,11 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb, + } + + /* Get net to avoid freed tipc_crypto when delete namespace */ +- get_net(aead->crypto->net); ++ if (!maybe_get_net(aead->crypto->net)) { ++ tipc_bearer_put(b); ++ rc = -ENODEV; ++ goto exit; ++ } + + /* Now, do encrypt */ + rc = crypto_aead_encrypt(req); +-- +2.39.5 + diff --git a/queue-6.12/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch b/queue-6.12/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch new file mode 100644 index 0000000000..cf5dc05eeb --- /dev/null +++ b/queue-6.12/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch @@ -0,0 +1,106 @@ +From f9dbcafe884bc1fcebc6746cf5faf6a31ca361da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 14:32:39 +0300 +Subject: net: usb: aqc111: fix error handling of usbnet read calls + +From: Nikita Zhandarovich + +[ Upstream commit 405b0d610745fb5e84fc2961d9b960abb9f3d107 ] + +Syzkaller, courtesy of syzbot, identified an error (see report [1]) in +aqc111 driver, caused by incomplete sanitation of usb read calls' +results. This problem is quite similar to the one fixed in commit +920a9fa27e78 ("net: asix: add proper error handling of usb read errors"). + +For instance, usbnet_read_cmd() may read fewer than 'size' bytes, +even if the caller expected the full amount, and aqc111_read_cmd() +will not check its result properly. As [1] shows, this may lead +to MAC address in aqc111_bind() being only partly initialized, +triggering KMSAN warnings. + +Fix the issue by verifying that the number of bytes read is +as expected and not less. + +[1] Partial syzbot report: +BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] +BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 + is_valid_ether_addr include/linux/etherdevice.h:208 [inline] + usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:-1 [inline] + really_probe+0x4d1/0xd90 drivers/base/dd.c:658 + __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 +... + +Uninit was stored to memory at: + dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582 + __dev_addr_set include/linux/netdevice.h:4874 [inline] + eth_hw_addr_set include/linux/etherdevice.h:325 [inline] + aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 +... + +Uninit was stored to memory at: + ether_addr_copy include/linux/etherdevice.h:305 [inline] + aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline] + aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:-1 [inline] +... + +Local variable buf.i created at: + aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline] + aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + +Reported-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3b6b9ff7b80430020c7b +Tested-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com +Fixes: df2d59a2ab6c ("net: usb: aqc111: Add support for getting and setting of MAC address") +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20250520113240.2369438-1-n.zhandarovich@fintech.ru +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index ff5be2cbf17b9..453a2cf82753f 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -30,10 +30,13 @@ static int aqc111_read_cmd_nopm(struct usbnet *dev, u8 cmd, u16 value, + ret = usbnet_read_cmd_nopm(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, data, size); + +- if (unlikely(ret < 0)) ++ if (unlikely(ret < size)) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + netdev_warn(dev->net, + "Failed to read(0x%x) reg index 0x%04x: %d\n", + cmd, index, ret); ++ } + + return ret; + } +@@ -46,10 +49,13 @@ static int aqc111_read_cmd(struct usbnet *dev, u8 cmd, u16 value, + ret = usbnet_read_cmd(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, data, size); + +- if (unlikely(ret < 0)) ++ if (unlikely(ret < size)) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + netdev_warn(dev->net, + "Failed to read(0x%x) reg index 0x%04x: %d\n", + cmd, index, ret); ++ } + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.12/net-wwan-mhi_wwan_mbim-use-correct-mux_id-for-multip.patch b/queue-6.12/net-wwan-mhi_wwan_mbim-use-correct-mux_id-for-multip.patch new file mode 100644 index 0000000000..2ad81446fc --- /dev/null +++ b/queue-6.12/net-wwan-mhi_wwan_mbim-use-correct-mux_id-for-multip.patch @@ -0,0 +1,69 @@ +From a38f60acbcef42ad251ced5a9b87ca777e7bacfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 11:12:04 +0200 +Subject: net: wwan: mhi_wwan_mbim: use correct mux_id for multiplexing + +From: Daniele Palmas + +[ Upstream commit 501fe52aa908c96f2c9b8d54767938a1a5960354 ] + +Recent Qualcomm chipsets like SDX72/75 require MBIM sessionId mapping +to muxId in the range (0x70-0x8F) for the PCIe tethered use. + +This has been partially addressed by the referenced commit, mapping +the default data call to muxId = 112, but the multiplexed data calls +scenario was not properly considered, mapping sessionId = 1 to muxId +1, while it should have been 113. + +Fix this by moving the session_id assignment logic to mhi_mbim_newlink, +in order to map sessionId = n to muxId = n + WDS_BIND_MUX_DATA_PORT_MUX_ID. + +Fixes: 65bc58c3dcad ("net: wwan: mhi: make default data link id configurable") +Signed-off-by: Daniele Palmas +Reviewed-by: Loic Poulain +Link: https://patch.msgid.link/20250603091204.2802840-1-dnlplm@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/mhi_wwan_mbim.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wwan/mhi_wwan_mbim.c b/drivers/net/wwan/mhi_wwan_mbim.c +index 8755c5e6a65b3..c814fbd756a1e 100644 +--- a/drivers/net/wwan/mhi_wwan_mbim.c ++++ b/drivers/net/wwan/mhi_wwan_mbim.c +@@ -550,8 +550,8 @@ static int mhi_mbim_newlink(void *ctxt, struct net_device *ndev, u32 if_id, + struct mhi_mbim_link *link = wwan_netdev_drvpriv(ndev); + struct mhi_mbim_context *mbim = ctxt; + +- link->session = if_id; + link->mbim = mbim; ++ link->session = mhi_mbim_get_link_mux_id(link->mbim->mdev->mhi_cntrl) + if_id; + link->ndev = ndev; + u64_stats_init(&link->rx_syncp); + u64_stats_init(&link->tx_syncp); +@@ -607,7 +607,7 @@ static int mhi_mbim_probe(struct mhi_device *mhi_dev, const struct mhi_device_id + { + struct mhi_controller *cntrl = mhi_dev->mhi_cntrl; + struct mhi_mbim_context *mbim; +- int err, link_id; ++ int err; + + mbim = devm_kzalloc(&mhi_dev->dev, sizeof(*mbim), GFP_KERNEL); + if (!mbim) +@@ -628,11 +628,8 @@ static int mhi_mbim_probe(struct mhi_device *mhi_dev, const struct mhi_device_id + /* Number of transfer descriptors determines size of the queue */ + mbim->rx_queue_sz = mhi_get_free_desc_count(mhi_dev, DMA_FROM_DEVICE); + +- /* Get the corresponding mux_id from mhi */ +- link_id = mhi_mbim_get_link_mux_id(cntrl); +- + /* Register wwan link ops with MHI controller representing WWAN instance */ +- return wwan_register_ops(&cntrl->mhi_dev->dev, &mhi_mbim_wwan_ops, mbim, link_id); ++ return wwan_register_ops(&cntrl->mhi_dev->dev, &mhi_mbim_wwan_ops, mbim, 0); + } + + static void mhi_mbim_remove(struct mhi_device *mhi_dev) +-- +2.39.5 + diff --git a/queue-6.12/net-wwan-t7xx-fix-napi-rx-poll-issue.patch b/queue-6.12/net-wwan-t7xx-fix-napi-rx-poll-issue.patch new file mode 100644 index 0000000000..051e640248 --- /dev/null +++ b/queue-6.12/net-wwan-t7xx-fix-napi-rx-poll-issue.patch @@ -0,0 +1,103 @@ +From ae8d1682dc1f4b4e8ce7e63ff8887e1c9c36d3f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 11:16:48 +0800 +Subject: net: wwan: t7xx: Fix napi rx poll issue + +From: Jinjian Song + +[ Upstream commit 905fe0845bb27e4eed2ca27ea06e6c4847f1b2b1 ] + +When driver handles the napi rx polling requests, the netdev might +have been released by the dellink logic triggered by the disconnect +operation on user plane. However, in the logic of processing skb in +polling, an invalid netdev is still being used, which causes a panic. + +BUG: kernel NULL pointer dereference, address: 00000000000000f1 +Oops: 0000 [#1] PREEMPT SMP NOPTI +RIP: 0010:dev_gro_receive+0x3a/0x620 +[...] +Call Trace: + + ? __die_body+0x68/0xb0 + ? page_fault_oops+0x379/0x3e0 + ? exc_page_fault+0x4f/0xa0 + ? asm_exc_page_fault+0x22/0x30 + ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)] + ? dev_gro_receive+0x3a/0x620 + napi_gro_receive+0xad/0x170 + t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)] + t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)] + net_rx_action+0x103/0x470 + irq_exit_rcu+0x13a/0x310 + sysvec_apic_timer_interrupt+0x56/0x90 + + +Fixes: 5545b7b9f294 ("net: wwan: t7xx: Add NAPI support") +Signed-off-by: Jinjian Song +Link: https://patch.msgid.link/20250530031648.5592-1-jinjian.song@fibocom.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/t7xx/t7xx_netdev.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wwan/t7xx/t7xx_netdev.c b/drivers/net/wwan/t7xx/t7xx_netdev.c +index 91fa082e9cab8..fc0a7cb181df2 100644 +--- a/drivers/net/wwan/t7xx/t7xx_netdev.c ++++ b/drivers/net/wwan/t7xx/t7xx_netdev.c +@@ -302,7 +302,7 @@ static int t7xx_ccmni_wwan_newlink(void *ctxt, struct net_device *dev, u32 if_id + ccmni->ctlb = ctlb; + ccmni->dev = dev; + atomic_set(&ccmni->usage, 0); +- ctlb->ccmni_inst[if_id] = ccmni; ++ WRITE_ONCE(ctlb->ccmni_inst[if_id], ccmni); + + ret = register_netdevice(dev); + if (ret) +@@ -324,6 +324,7 @@ static void t7xx_ccmni_wwan_dellink(void *ctxt, struct net_device *dev, struct l + if (WARN_ON(ctlb->ccmni_inst[if_id] != ccmni)) + return; + ++ WRITE_ONCE(ctlb->ccmni_inst[if_id], NULL); + unregister_netdevice(dev); + } + +@@ -419,7 +420,7 @@ static void t7xx_ccmni_recv_skb(struct t7xx_ccmni_ctrl *ccmni_ctlb, struct sk_bu + + skb_cb = T7XX_SKB_CB(skb); + netif_id = skb_cb->netif_idx; +- ccmni = ccmni_ctlb->ccmni_inst[netif_id]; ++ ccmni = READ_ONCE(ccmni_ctlb->ccmni_inst[netif_id]); + if (!ccmni) { + dev_kfree_skb(skb); + return; +@@ -441,7 +442,7 @@ static void t7xx_ccmni_recv_skb(struct t7xx_ccmni_ctrl *ccmni_ctlb, struct sk_bu + + static void t7xx_ccmni_queue_tx_irq_notify(struct t7xx_ccmni_ctrl *ctlb, int qno) + { +- struct t7xx_ccmni *ccmni = ctlb->ccmni_inst[0]; ++ struct t7xx_ccmni *ccmni = READ_ONCE(ctlb->ccmni_inst[0]); + struct netdev_queue *net_queue; + + if (netif_running(ccmni->dev) && atomic_read(&ccmni->usage) > 0) { +@@ -453,7 +454,7 @@ static void t7xx_ccmni_queue_tx_irq_notify(struct t7xx_ccmni_ctrl *ctlb, int qno + + static void t7xx_ccmni_queue_tx_full_notify(struct t7xx_ccmni_ctrl *ctlb, int qno) + { +- struct t7xx_ccmni *ccmni = ctlb->ccmni_inst[0]; ++ struct t7xx_ccmni *ccmni = READ_ONCE(ctlb->ccmni_inst[0]); + struct netdev_queue *net_queue; + + if (atomic_read(&ccmni->usage) > 0) { +@@ -471,7 +472,7 @@ static void t7xx_ccmni_queue_state_notify(struct t7xx_pci_dev *t7xx_dev, + if (ctlb->md_sta != MD_STATE_READY) + return; + +- if (!ctlb->ccmni_inst[0]) { ++ if (!READ_ONCE(ctlb->ccmni_inst[0])) { + dev_warn(&t7xx_dev->pdev->dev, "No netdev registered yet\n"); + return; + } +-- +2.39.5 + diff --git a/queue-6.12/net-xilinx-axienet-fix-tx-skb-circular-buffer-occupa.patch b/queue-6.12/net-xilinx-axienet-fix-tx-skb-circular-buffer-occupa.patch new file mode 100644 index 0000000000..07dbbfab39 --- /dev/null +++ b/queue-6.12/net-xilinx-axienet-fix-tx-skb-circular-buffer-occupa.patch @@ -0,0 +1,60 @@ +From 75499fcf0e0c622c8815737cc4120f6092c6c584 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 23:46:08 +0530 +Subject: net: xilinx: axienet: Fix Tx skb circular buffer occupancy check in + dmaengine xmit + +From: Suraj Gupta + +[ Upstream commit 32374234ab0101881e7d0c6a8ef7ebce566c46c9 ] + +In Dmaengine flow, driver maintains struct skbuf_dma_descriptor rings each +element of which corresponds to a skb. In Tx datapath, compare available +space in skb ring with number of skbs instead of skb fragments. +Replace x * (MAX_SKB_FRAGS) in netif_txq_completed_wake() and +netif_txq_maybe_stop() with x * (1 skb) to fix the comparison. + +Fixes: 6a91b846af85 ("net: axienet: Introduce dmaengine support") +Signed-off-by: Suraj Gupta +Reviewed-by: Sean Anderson +Link: https://patch.msgid.link/20250521181608.669554-1-suraj.gupta2@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index fe3438abcd253..2d47b35443af0 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -843,7 +843,7 @@ static void axienet_dma_tx_cb(void *data, const struct dmaengine_result *result) + dev_consume_skb_any(skbuf_dma->skb); + netif_txq_completed_wake(txq, 1, len, + CIRC_SPACE(lp->tx_ring_head, lp->tx_ring_tail, TX_BD_NUM_MAX), +- 2 * MAX_SKB_FRAGS); ++ 2); + } + + /** +@@ -877,7 +877,7 @@ axienet_start_xmit_dmaengine(struct sk_buff *skb, struct net_device *ndev) + + dma_dev = lp->tx_chan->device; + sg_len = skb_shinfo(skb)->nr_frags + 1; +- if (CIRC_SPACE(lp->tx_ring_head, lp->tx_ring_tail, TX_BD_NUM_MAX) <= sg_len) { ++ if (CIRC_SPACE(lp->tx_ring_head, lp->tx_ring_tail, TX_BD_NUM_MAX) <= 1) { + netif_stop_queue(ndev); + if (net_ratelimit()) + netdev_warn(ndev, "TX ring unexpectedly full\n"); +@@ -927,7 +927,7 @@ axienet_start_xmit_dmaengine(struct sk_buff *skb, struct net_device *ndev) + txq = skb_get_tx_queue(lp->ndev, skb); + netdev_tx_sent_queue(txq, skb->len); + netif_txq_maybe_stop(txq, CIRC_SPACE(lp->tx_ring_head, lp->tx_ring_tail, TX_BD_NUM_MAX), +- MAX_SKB_FRAGS + 1, 2 * MAX_SKB_FRAGS); ++ 1, 2); + + dmaengine_submit(dma_tx_desc); + dma_async_issue_pending(lp->tx_chan); +-- +2.39.5 + diff --git a/queue-6.12/netfilter-bridge-move-specific-fragmented-packet-to-.patch b/queue-6.12/netfilter-bridge-move-specific-fragmented-packet-to-.patch new file mode 100644 index 0000000000..446c4ba1e0 --- /dev/null +++ b/queue-6.12/netfilter-bridge-move-specific-fragmented-packet-to-.patch @@ -0,0 +1,96 @@ +From c4f8d65ce08516d29956828a74b7c4c16c96e3b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 17:29:53 +0800 +Subject: netfilter: bridge: Move specific fragmented packet to slow_path + instead of dropping it + +From: Huajian Yang + +[ Upstream commit aa04c6f45b9224b949aa35d4fa5f8d0ba07b23d4 ] + +The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for +fragmented packets. + +The original bridge does not know that it is a fragmented packet and +forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function +nf_br_ip_fragment and br_ip6_fragment will check the headroom. + +In original br_forward, insufficient headroom of skb may indeed exist, +but there's still a way to save the skb in the device driver after +dev_queue_xmit.So droping the skb will change the original bridge +forwarding in some cases. + +Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system") +Signed-off-by: Huajian Yang +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------ + net/ipv6/netfilter.c | 12 ++++++------ + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c +index 816bb0fde718e..6482de4d87509 100644 +--- a/net/bridge/netfilter/nf_conntrack_bridge.c ++++ b/net/bridge/netfilter/nf_conntrack_bridge.c +@@ -60,19 +60,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk, + struct ip_fraglist_iter iter; + struct sk_buff *frag; + +- if (first_len - hlen > mtu || +- skb_headroom(skb) < ll_rs) ++ if (first_len - hlen > mtu) + goto blackhole; + +- if (skb_cloned(skb)) ++ if (skb_cloned(skb) || ++ skb_headroom(skb) < ll_rs) + goto slow_path; + + skb_walk_frags(skb, frag) { +- if (frag->len > mtu || +- skb_headroom(frag) < hlen + ll_rs) ++ if (frag->len > mtu) + goto blackhole; + +- if (skb_shared(frag)) ++ if (skb_shared(frag) || ++ skb_headroom(frag) < hlen + ll_rs) + goto slow_path; + } + +diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c +index 581ce055bf520..4541836ee3da2 100644 +--- a/net/ipv6/netfilter.c ++++ b/net/ipv6/netfilter.c +@@ -164,20 +164,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + struct ip6_fraglist_iter iter; + struct sk_buff *frag2; + +- if (first_len - hlen > mtu || +- skb_headroom(skb) < (hroom + sizeof(struct frag_hdr))) ++ if (first_len - hlen > mtu) + goto blackhole; + +- if (skb_cloned(skb)) ++ if (skb_cloned(skb) || ++ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr))) + goto slow_path; + + skb_walk_frags(skb, frag2) { +- if (frag2->len > mtu || +- skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr))) ++ if (frag2->len > mtu) + goto blackhole; + + /* Partially cloned skb? */ +- if (skb_shared(frag2)) ++ if (skb_shared(frag2) || ++ skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr))) + goto slow_path; + } + +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nf_nat-also-check-reverse-tuple-to-obtain-.patch b/queue-6.12/netfilter-nf_nat-also-check-reverse-tuple-to-obtain-.patch new file mode 100644 index 0000000000..8b69b60228 --- /dev/null +++ b/queue-6.12/netfilter-nf_nat-also-check-reverse-tuple-to-obtain-.patch @@ -0,0 +1,103 @@ +From 23ea0195d4c8944afa1af37c636a0254886e9ca5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 12:34:02 +0200 +Subject: netfilter: nf_nat: also check reverse tuple to obtain clashing entry + +From: Florian Westphal + +[ Upstream commit 50d9ce9679dd50df2dc51ada717fa875bc248fad ] + +The logic added in the blamed commit was supposed to only omit nat source +port allocation if neither the existing nor the new entry are subject to +NAT. + +However, its not enough to lookup the conntrack based on the proposed +tuple, we must also check the reverse direction. + +Otherwise there are esoteric cases where the collision is in the reverse +direction because that colliding connection has a port rewrite, but the +new entry doesn't. In this case, we only check the new entry and then +erronously conclude that no clash exists anymore. + + The existing (udp) tuple is: + a:p -> b:P, with nat translation to s:P, i.e. pure daddr rewrite, + reverse tuple in conntrack table is s:P -> a:p. + +When another UDP packet is sent directly to s, i.e. a:p->s:P, this is +correctly detected as a colliding entry: tuple is taken by existing reply +tuple in reverse direction. + +But the colliding conntrack is only searched for with unreversed +direction, and we can't find such entry matching a:p->s:P. + +The incorrect conclusion is that the clashing entry has timed out and +that no port address translation is required. + +Such conntrack will then be discarded at nf_confirm time because the +proposed reverse direction clashes with an existing mapping in the +conntrack table. + +Search for the reverse tuple too, this will then check the NAT bits of +the colliding entry and triggers port reallocation. + +Followp patch extends nft_nat.sh selftest to cover this scenario. + +The IPS_SEQ_ADJUST change is also a bug fix: +Instead of checking for SEQ_ADJ this tested for SEEN_REPLY and ASSURED +by accident -- _BIT is only for use with the test_bit() API. + +This bug has little consequence in practice, because the sequence number +adjustments are only useful for TCP which doesn't support clash resolution. + +The existing test case (conntrack_reverse_clash.sh) exercise a race +condition path (parallel conntrack creation on different CPUs), so +the colliding entries have neither SEEN_REPLY nor ASSURED set. + +Thanks to Yafang Shao and Shaun Brady for an initial investigation +of this bug. + +Fixes: d8f84a9bc7c4 ("netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash") +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1795 +Reported-by: Yafang Shao +Reported-by: Shaun Brady +Signed-off-by: Florian Westphal +Tested-by: Yafang Shao +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_nat_core.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c +index 4085c436e3062..02f10a46fab7c 100644 +--- a/net/netfilter/nf_nat_core.c ++++ b/net/netfilter/nf_nat_core.c +@@ -248,7 +248,7 @@ static noinline bool + nf_nat_used_tuple_new(const struct nf_conntrack_tuple *tuple, + const struct nf_conn *ignored_ct) + { +- static const unsigned long uses_nat = IPS_NAT_MASK | IPS_SEQ_ADJUST_BIT; ++ static const unsigned long uses_nat = IPS_NAT_MASK | IPS_SEQ_ADJUST; + const struct nf_conntrack_tuple_hash *thash; + const struct nf_conntrack_zone *zone; + struct nf_conn *ct; +@@ -287,8 +287,14 @@ nf_nat_used_tuple_new(const struct nf_conntrack_tuple *tuple, + zone = nf_ct_zone(ignored_ct); + + thash = nf_conntrack_find_get(net, zone, tuple); +- if (unlikely(!thash)) /* clashing entry went away */ +- return false; ++ if (unlikely(!thash)) { ++ struct nf_conntrack_tuple reply; ++ ++ nf_ct_invert_tuple(&reply, tuple); ++ thash = nf_conntrack_find_get(net, zone, &reply); ++ if (!thash) /* clashing entry went away */ ++ return false; ++ } + + ct = nf_ct_tuplehash_to_ctrack(thash); + +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch b/queue-6.12/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch new file mode 100644 index 0000000000..841a679326 --- /dev/null +++ b/queue-6.12/netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch @@ -0,0 +1,68 @@ +From a1e97f786535c5dc87dbb7c673460cfd746968ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 14:20:44 +0200 +Subject: netfilter: nf_set_pipapo_avx2: fix initial map fill + +From: Florian Westphal + +[ Upstream commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5 ] + +If the first field doesn't cover the entire start map, then we must zero +out the remainder, else we leak those bits into the next match round map. + +The early fix was incomplete and did only fix up the generic C +implementation. + +A followup patch adds a test case to nft_concat_range.sh. + +Fixes: 791a615b7ad2 ("netfilter: nf_set_pipapo: fix initial map fill") +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo_avx2.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c +index c15db28c5ebc4..be7c16c79f711 100644 +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -1113,6 +1113,25 @@ bool nft_pipapo_avx2_estimate(const struct nft_set_desc *desc, u32 features, + return true; + } + ++/** ++ * pipapo_resmap_init_avx2() - Initialise result map before first use ++ * @m: Matching data, including mapping table ++ * @res_map: Result map ++ * ++ * Like pipapo_resmap_init() but do not set start map bits covered by the first field. ++ */ ++static inline void pipapo_resmap_init_avx2(const struct nft_pipapo_match *m, unsigned long *res_map) ++{ ++ const struct nft_pipapo_field *f = m->f; ++ int i; ++ ++ /* Starting map doesn't need to be set to all-ones for this implementation, ++ * but we do need to zero the remaining bits, if any. ++ */ ++ for (i = f->bsize; i < m->bsize_max; i++) ++ res_map[i] = 0ul; ++} ++ + /** + * nft_pipapo_avx2_lookup() - Lookup function for AVX2 implementation + * @net: Network namespace +@@ -1171,7 +1190,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, + res = scratch->map + (map_index ? m->bsize_max : 0); + fill = scratch->map + (map_index ? 0 : m->bsize_max); + +- /* Starting map doesn't need to be set for this implementation */ ++ pipapo_resmap_init_avx2(m, res); + + nft_pipapo_avx2_prepare(); + +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nf_tables-nft_fib-consistent-l3mdev-handli.patch b/queue-6.12/netfilter-nf_tables-nft_fib-consistent-l3mdev-handli.patch new file mode 100644 index 0000000000..2a7430a69e --- /dev/null +++ b/queue-6.12/netfilter-nf_tables-nft_fib-consistent-l3mdev-handli.patch @@ -0,0 +1,167 @@ +From 56e2ebd79ad4a0c6aefe6f69ebeeee48154d5e61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:38:48 +0200 +Subject: netfilter: nf_tables: nft_fib: consistent l3mdev handling + +From: Florian Westphal + +[ Upstream commit 9a119669fb1924cd9658c16da39a5a585e129e50 ] + +fib has two modes: +1. Obtain output device according to source or destination address +2. Obtain the type of the address, e.g. local, unicast, multicast. + +'fib daddr type' should return 'local' if the address is configured +in this netns or unicast otherwise. + +'fib daddr . iif type' should return 'local' if the address is configured +on the input interface or unicast otherwise, i.e. more restrictive. + +However, if the interface is part of a VRF, then 'fib daddr type' +returns unicast even if the address is configured on the incoming +interface. + +This is broken for both ipv4 and ipv6. + +In the ipv4 case, inet_dev_addr_type must only be used if the +'iif' or 'oif' (strict mode) was requested. + +Else inet_addr_type_dev_table() needs to be used and the correct +dev argument must be passed as well so the correct fib (vrf) table +is used. + +In the ipv6 case, the bug is similar, without strict mode, dev is NULL +so .flowi6_l3mdev will be set to 0. + +Add a new 'nft_fib_l3mdev_master_ifindex_rcu()' helper and use that +to init the .l3mdev structure member. + +For ipv6, use it from nft_fib6_flowi_init() which gets called from +both the 'type' and the 'route' mode eval functions. + +This provides consistent behaviour for all modes for both ipv4 and ipv6: +If strict matching is requested, the input respectively output device +of the netfilter hooks is used. + +Otherwise, use skb->dev to obtain the l3mdev ifindex. + +Without this, most type checks in updated nft_fib.sh selftest fail: + + FAIL: did not find veth0 . 10.9.9.1 . local in fibtype4 + FAIL: did not find veth0 . dead:1::1 . local in fibtype6 + FAIL: did not find veth0 . dead:9::1 . local in fibtype6 + FAIL: did not find tvrf . 10.0.1.1 . local in fibtype4 + FAIL: did not find tvrf . 10.9.9.1 . local in fibtype4 + FAIL: did not find tvrf . dead:1::1 . local in fibtype6 + FAIL: did not find tvrf . dead:9::1 . local in fibtype6 + FAIL: fib expression address types match (iif in vrf) + +(fib errounously returns 'unicast' for all of them, even + though all of these addresses are local to the vrf). + +Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nft_fib.h | 9 +++++++++ + net/ipv4/netfilter/nft_fib_ipv4.c | 11 +++++++++-- + net/ipv6/netfilter/nft_fib_ipv6.c | 4 +--- + 3 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/include/net/netfilter/nft_fib.h b/include/net/netfilter/nft_fib.h +index 6e202ed5e63f3..7370fba844efc 100644 +--- a/include/net/netfilter/nft_fib.h ++++ b/include/net/netfilter/nft_fib.h +@@ -2,6 +2,7 @@ + #ifndef _NFT_FIB_H_ + #define _NFT_FIB_H_ + ++#include + #include + + struct nft_fib { +@@ -39,6 +40,14 @@ static inline bool nft_fib_can_skip(const struct nft_pktinfo *pkt) + return nft_fib_is_loopback(pkt->skb, indev); + } + ++static inline int nft_fib_l3mdev_master_ifindex_rcu(const struct nft_pktinfo *pkt, ++ const struct net_device *iif) ++{ ++ const struct net_device *dev = iif ? iif : pkt->skb->dev; ++ ++ return l3mdev_master_ifindex_rcu(dev); ++} ++ + int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr, bool reset); + int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + const struct nlattr * const tb[]); +diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c +index d25d717c121f0..f514eb52b8d4b 100644 +--- a/net/ipv4/netfilter/nft_fib_ipv4.c ++++ b/net/ipv4/netfilter/nft_fib_ipv4.c +@@ -49,7 +49,12 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs, + else + addr = iph->saddr; + +- *dst = inet_dev_addr_type(nft_net(pkt), dev, addr); ++ if (priv->flags & (NFTA_FIB_F_IIF | NFTA_FIB_F_OIF)) { ++ *dst = inet_dev_addr_type(nft_net(pkt), dev, addr); ++ return; ++ } ++ ++ *dst = inet_addr_type_dev_table(nft_net(pkt), pkt->skb->dev, addr); + } + EXPORT_SYMBOL_GPL(nft_fib4_eval_type); + +@@ -64,8 +69,8 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, + struct flowi4 fl4 = { + .flowi4_scope = RT_SCOPE_UNIVERSE, + .flowi4_iif = LOOPBACK_IFINDEX, ++ .flowi4_proto = pkt->tprot, + .flowi4_uid = sock_net_uid(nft_net(pkt), NULL), +- .flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)), + }; + const struct net_device *oif; + const struct net_device *found; +@@ -89,6 +94,8 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, + else + oif = NULL; + ++ fl4.flowi4_l3mdev = nft_fib_l3mdev_master_ifindex_rcu(pkt, oif); ++ + iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph); + if (!iph) { + regs->verdict.code = NFT_BREAK; +diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c +index f1f5640da6728..421036a3605b4 100644 +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -50,6 +50,7 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv, + fl6->flowi6_mark = pkt->skb->mark; + + fl6->flowlabel = (*(__be32 *)iph) & IPV6_FLOWINFO_MASK; ++ fl6->flowi6_l3mdev = nft_fib_l3mdev_master_ifindex_rcu(pkt, dev); + + return lookup_flags; + } +@@ -73,8 +74,6 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv, + else if (priv->flags & NFTA_FIB_F_OIF) + dev = nft_out(pkt); + +- fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev); +- + nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph); + + if (dev && nf_ipv6_chk_addr(nft_net(pkt), &fl6.daddr, dev, true)) +@@ -166,7 +165,6 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + .flowi6_iif = LOOPBACK_IFINDEX, + .flowi6_proto = pkt->tprot, + .flowi6_uid = sock_net_uid(nft_net(pkt), NULL), +- .flowi6_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)), + }; + struct rt6_info *rt; + int lookup_flags; +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch b/queue-6.12/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch new file mode 100644 index 0000000000..b4c6025bd7 --- /dev/null +++ b/queue-6.12/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch @@ -0,0 +1,80 @@ +From 1877cf0b78cddf31510c6bda955b20cd99cc9510 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:38:47 +0200 +Subject: netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result + discrepancy + +From: Florian Westphal + +[ Upstream commit 8b53f46eb430fe5b42d485873b85331d2de2c469 ] + +With a VRF, ipv4 and ipv6 FIB expression behave differently. + + fib daddr . iif oif + +Will return the input interface name for ipv4, but the real device +for ipv6. Example: + +If VRF device name is tvrf and real (incoming) device is veth0. +First round is ok, both ipv4 and ipv6 will yield 'veth0'. + +But in the second round (incoming device will be set to "tvrf"), ipv4 +will yield "tvrf" whereas ipv6 returns "veth0" for the second round too. + +This makes ipv6 behave like ipv4. + +A followup patch will add a test case for this, without this change +it will fail with: + get element inet t fibif6iif { tvrf . dead:1::99 . tvrf } + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + FAIL: did not find tvrf . dead:1::99 . tvrf in fibif6iif + +Alternatively we could either not do anything at all or change +ipv4 to also return the lower/real device, however, nft (userspace) +doc says "iif: if fib lookup provides a route then check its output +interface is identical to the packets input interface." which is what +the nft fib ipv4 behaviour is. + +Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nft_fib_ipv6.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c +index 7fd9d7b21cd42..f1f5640da6728 100644 +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -158,6 +158,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + { + const struct nft_fib *priv = nft_expr_priv(expr); + int noff = skb_network_offset(pkt->skb); ++ const struct net_device *found = NULL; + const struct net_device *oif = NULL; + u32 *dest = ®s->data[priv->dreg]; + struct ipv6hdr *iph, _iph; +@@ -203,11 +204,15 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL)) + goto put_rt_err; + +- if (oif && oif != rt->rt6i_idev->dev && +- l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex) +- goto put_rt_err; ++ if (!oif) { ++ found = rt->rt6i_idev->dev; ++ } else { ++ if (oif == rt->rt6i_idev->dev || ++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == oif->ifindex) ++ found = oif; ++ } + +- nft_fib_store_result(dest, priv, rt->rt6i_idev->dev); ++ nft_fib_store_result(dest, priv, found); + put_rt_err: + ip6_rt_put(rt); + } +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nft_quota-match-correctly-when-the-quota-j.patch b/queue-6.12/netfilter-nft_quota-match-correctly-when-the-quota-j.patch new file mode 100644 index 0000000000..f812b39aa8 --- /dev/null +++ b/queue-6.12/netfilter-nft_quota-match-correctly-when-the-quota-j.patch @@ -0,0 +1,78 @@ +From 1b4a01ffacc9bef20d352ee22c52a9d7539de763 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:49:30 +0000 +Subject: netfilter: nft_quota: match correctly when the quota just depleted + +From: Zhongqiu Duan + +[ Upstream commit bfe7cfb65c753952735c3eed703eba9a8b96a18d ] + +The xt_quota compares skb length with remaining quota, but the nft_quota +compares it with consumed bytes. + +The xt_quota can match consumed bytes up to quota at maximum. But the +nft_quota break match when consumed bytes equal to quota. + +i.e., nft_quota match consumed bytes in [0, quota - 1], not [0, quota]. + +Fixes: 795595f68d6c ("netfilter: nft_quota: dump consumed quota") +Signed-off-by: Zhongqiu Duan +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_quota.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c +index 9b2d7463d3d32..df0798da2329b 100644 +--- a/net/netfilter/nft_quota.c ++++ b/net/netfilter/nft_quota.c +@@ -19,10 +19,16 @@ struct nft_quota { + }; + + static inline bool nft_overquota(struct nft_quota *priv, +- const struct sk_buff *skb) ++ const struct sk_buff *skb, ++ bool *report) + { +- return atomic64_add_return(skb->len, priv->consumed) >= +- atomic64_read(&priv->quota); ++ u64 consumed = atomic64_add_return(skb->len, priv->consumed); ++ u64 quota = atomic64_read(&priv->quota); ++ ++ if (report) ++ *report = consumed >= quota; ++ ++ return consumed > quota; + } + + static inline bool nft_quota_invert(struct nft_quota *priv) +@@ -34,7 +40,7 @@ static inline void nft_quota_do_eval(struct nft_quota *priv, + struct nft_regs *regs, + const struct nft_pktinfo *pkt) + { +- if (nft_overquota(priv, pkt->skb) ^ nft_quota_invert(priv)) ++ if (nft_overquota(priv, pkt->skb, NULL) ^ nft_quota_invert(priv)) + regs->verdict.code = NFT_BREAK; + } + +@@ -51,13 +57,13 @@ static void nft_quota_obj_eval(struct nft_object *obj, + const struct nft_pktinfo *pkt) + { + struct nft_quota *priv = nft_obj_data(obj); +- bool overquota; ++ bool overquota, report; + +- overquota = nft_overquota(priv, pkt->skb); ++ overquota = nft_overquota(priv, pkt->skb, &report); + if (overquota ^ nft_quota_invert(priv)) + regs->verdict.code = NFT_BREAK; + +- if (overquota && ++ if (report && + !test_and_set_bit(NFT_QUOTA_DEPLETED_BIT, &priv->flags)) + nft_obj_notify(nft_net(pkt), obj->key.table, obj, 0, 0, + NFT_MSG_NEWOBJ, 0, nft_pf(pkt), 0, GFP_ATOMIC); +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nft_set_pipapo-prevent-overflow-in-lookup-.patch b/queue-6.12/netfilter-nft_set_pipapo-prevent-overflow-in-lookup-.patch new file mode 100644 index 0000000000..761975895c --- /dev/null +++ b/queue-6.12/netfilter-nft_set_pipapo-prevent-overflow-in-lookup-.patch @@ -0,0 +1,157 @@ +From e3e9c7829bb520f38ed3709f5f532f60e8123916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Apr 2025 21:52:43 +0200 +Subject: netfilter: nft_set_pipapo: prevent overflow in lookup table + allocation + +From: Pablo Neira Ayuso + +[ Upstream commit 4c5c6aa9967dbe55bd017bb509885928d0f31206 ] + +When calculating the lookup table size, ensure the following +multiplication does not overflow: + +- desc->field_len[] maximum value is U8_MAX multiplied by + NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case. +- NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case. +- sizeof(unsigned long), from sizeof(*f->lt), lt in + struct nft_pipapo_field. + +Then, use check_mul_overflow() to multiply by bucket size and then use +check_add_overflow() to the alignment for avx2 (if needed). Finally, add +lt_size_check_overflow() helper and use it to consolidate this. + +While at it, replace leftover allocation using the GFP_KERNEL to +GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize(). + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Signed-off-by: Pablo Neira Ayuso +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 58 ++++++++++++++++++++++++++-------- + 1 file changed, 44 insertions(+), 14 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 7be342b495f5f..0529e4ef75207 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -683,6 +683,30 @@ static int pipapo_realloc_mt(struct nft_pipapo_field *f, + return 0; + } + ++ ++/** ++ * lt_calculate_size() - Get storage size for lookup table with overflow check ++ * @groups: Amount of bit groups ++ * @bb: Number of bits grouped together in lookup table buckets ++ * @bsize: Size of each bucket in lookup table, in longs ++ * ++ * Return: allocation size including alignment overhead, negative on overflow ++ */ ++static ssize_t lt_calculate_size(unsigned int groups, unsigned int bb, ++ unsigned int bsize) ++{ ++ ssize_t ret = groups * NFT_PIPAPO_BUCKETS(bb) * sizeof(long); ++ ++ if (check_mul_overflow(ret, bsize, &ret)) ++ return -1; ++ if (check_add_overflow(ret, NFT_PIPAPO_ALIGN_HEADROOM, &ret)) ++ return -1; ++ if (ret > INT_MAX) ++ return -1; ++ ++ return ret; ++} ++ + /** + * pipapo_resize() - Resize lookup or mapping table, or both + * @f: Field containing lookup and mapping tables +@@ -701,6 +725,7 @@ static int pipapo_resize(struct nft_pipapo_field *f, + long *new_lt = NULL, *new_p, *old_lt = f->lt, *old_p; + unsigned int new_bucket_size, copy; + int group, bucket, err; ++ ssize_t lt_size; + + if (rules >= NFT_PIPAPO_RULE0_MAX) + return -ENOSPC; +@@ -719,10 +744,11 @@ static int pipapo_resize(struct nft_pipapo_field *f, + else + copy = new_bucket_size; + +- new_lt = kvzalloc(f->groups * NFT_PIPAPO_BUCKETS(f->bb) * +- new_bucket_size * sizeof(*new_lt) + +- NFT_PIPAPO_ALIGN_HEADROOM, +- GFP_KERNEL); ++ lt_size = lt_calculate_size(f->groups, f->bb, new_bucket_size); ++ if (lt_size < 0) ++ return -ENOMEM; ++ ++ new_lt = kvzalloc(lt_size, GFP_KERNEL_ACCOUNT); + if (!new_lt) + return -ENOMEM; + +@@ -907,7 +933,7 @@ static void pipapo_lt_bits_adjust(struct nft_pipapo_field *f) + { + unsigned int groups, bb; + unsigned long *new_lt; +- size_t lt_size; ++ ssize_t lt_size; + + lt_size = f->groups * NFT_PIPAPO_BUCKETS(f->bb) * f->bsize * + sizeof(*f->lt); +@@ -917,15 +943,17 @@ static void pipapo_lt_bits_adjust(struct nft_pipapo_field *f) + groups = f->groups * 2; + bb = NFT_PIPAPO_GROUP_BITS_LARGE_SET; + +- lt_size = groups * NFT_PIPAPO_BUCKETS(bb) * f->bsize * +- sizeof(*f->lt); ++ lt_size = lt_calculate_size(groups, bb, f->bsize); ++ if (lt_size < 0) ++ return; + } else if (f->bb == NFT_PIPAPO_GROUP_BITS_LARGE_SET && + lt_size < NFT_PIPAPO_LT_SIZE_LOW) { + groups = f->groups / 2; + bb = NFT_PIPAPO_GROUP_BITS_SMALL_SET; + +- lt_size = groups * NFT_PIPAPO_BUCKETS(bb) * f->bsize * +- sizeof(*f->lt); ++ lt_size = lt_calculate_size(groups, bb, f->bsize); ++ if (lt_size < 0) ++ return; + + /* Don't increase group width if the resulting lookup table size + * would exceed the upper size threshold for a "small" set. +@@ -936,7 +964,7 @@ static void pipapo_lt_bits_adjust(struct nft_pipapo_field *f) + return; + } + +- new_lt = kvzalloc(lt_size + NFT_PIPAPO_ALIGN_HEADROOM, GFP_KERNEL_ACCOUNT); ++ new_lt = kvzalloc(lt_size, GFP_KERNEL_ACCOUNT); + if (!new_lt) + return; + +@@ -1451,13 +1479,15 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old) + + for (i = 0; i < old->field_count; i++) { + unsigned long *new_lt; ++ ssize_t lt_size; + + memcpy(dst, src, offsetof(struct nft_pipapo_field, lt)); + +- new_lt = kvzalloc(src->groups * NFT_PIPAPO_BUCKETS(src->bb) * +- src->bsize * sizeof(*dst->lt) + +- NFT_PIPAPO_ALIGN_HEADROOM, +- GFP_KERNEL_ACCOUNT); ++ lt_size = lt_calculate_size(src->groups, src->bb, src->bsize); ++ if (lt_size < 0) ++ goto out_lt; ++ ++ new_lt = kvzalloc(lt_size, GFP_KERNEL_ACCOUNT); + if (!new_lt) + goto out_lt; + +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nft_tunnel-fix-geneve_opt-dump.patch b/queue-6.12/netfilter-nft_tunnel-fix-geneve_opt-dump.patch new file mode 100644 index 0000000000..6ed7c66c58 --- /dev/null +++ b/queue-6.12/netfilter-nft_tunnel-fix-geneve_opt-dump.patch @@ -0,0 +1,71 @@ +From c2813e68195a13865904898ddc0dec1ea9502ce8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:41:08 +0200 +Subject: netfilter: nft_tunnel: fix geneve_opt dump + +From: Fernando Fernandez Mancera + +[ Upstream commit 22a9613de4c29d7d0770bfb8a5a9d73eb8df7dad ] + +When dumping a nft_tunnel with more than one geneve_opt configured the +netlink attribute hierarchy should be as follow: + + NFTA_TUNNEL_KEY_OPTS + | + |--NFTA_TUNNEL_KEY_OPTS_GENEVE + | | + | |--NFTA_TUNNEL_KEY_GENEVE_CLASS + | |--NFTA_TUNNEL_KEY_GENEVE_TYPE + | |--NFTA_TUNNEL_KEY_GENEVE_DATA + | + |--NFTA_TUNNEL_KEY_OPTS_GENEVE + | | + | |--NFTA_TUNNEL_KEY_GENEVE_CLASS + | |--NFTA_TUNNEL_KEY_GENEVE_TYPE + | |--NFTA_TUNNEL_KEY_GENEVE_DATA + | + |--NFTA_TUNNEL_KEY_OPTS_GENEVE + ... + +Otherwise, userspace tools won't be able to fetch the geneve options +configured correctly. + +Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_tunnel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c +index 0d99786c322e8..e18d322290fb0 100644 +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -624,10 +624,10 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, + struct geneve_opt *opt; + int offset = 0; + +- inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE); +- if (!inner) +- goto failure; + while (opts->len > offset) { ++ inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE); ++ if (!inner) ++ goto failure; + opt = (struct geneve_opt *)(opts->u.data + offset); + if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS, + opt->opt_class) || +@@ -637,8 +637,8 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, + opt->length * 4, opt->opt_data)) + goto inner_failure; + offset += sizeof(*opt) + opt->length * 4; ++ nla_nest_end(skb, inner); + } +- nla_nest_end(skb, inner); + } + nla_nest_end(skb, nest); + return 0; +-- +2.39.5 + diff --git a/queue-6.12/netfilter-xtables-support-arpt_mark-and-ipv6-optstri.patch b/queue-6.12/netfilter-xtables-support-arpt_mark-and-ipv6-optstri.patch new file mode 100644 index 0000000000..c89a058580 --- /dev/null +++ b/queue-6.12/netfilter-xtables-support-arpt_mark-and-ipv6-optstri.patch @@ -0,0 +1,67 @@ +From 9baf67a1c32db16df4ced05225576648cc88b88c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 16:12:13 +0200 +Subject: netfilter: xtables: support arpt_mark and ipv6 optstrip for + iptables-nft only builds + +From: Florian Westphal + +[ Upstream commit c38eb2973c18d34a8081d173a6ad298461f4a37c ] + +Its now possible to build a kernel that has no support for the classic +xtables get/setsockopt interfaces and builtin tables. + +In this case, we have CONFIG_IP6_NF_MANGLE=n and +CONFIG_IP_NF_ARPTABLES=n. + +For optstript, the ipv6 code is so small that we can enable it if +netfilter ipv6 support exists. For mark, check if either classic +arptables or NFT_ARP_COMPAT is set. + +Fixes: a9525c7f6219 ("netfilter: xtables: allow xtables-nft only builds") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_TCPOPTSTRIP.c | 4 ++-- + net/netfilter/xt_mark.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c +index 30e99464171b7..93f064306901c 100644 +--- a/net/netfilter/xt_TCPOPTSTRIP.c ++++ b/net/netfilter/xt_TCPOPTSTRIP.c +@@ -91,7 +91,7 @@ tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par) + return tcpoptstrip_mangle_packet(skb, par, ip_hdrlen(skb)); + } + +-#if IS_ENABLED(CONFIG_IP6_NF_MANGLE) ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) + static unsigned int + tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par) + { +@@ -119,7 +119,7 @@ static struct xt_target tcpoptstrip_tg_reg[] __read_mostly = { + .targetsize = sizeof(struct xt_tcpoptstrip_target_info), + .me = THIS_MODULE, + }, +-#if IS_ENABLED(CONFIG_IP6_NF_MANGLE) ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) + { + .name = "TCPOPTSTRIP", + .family = NFPROTO_IPV6, +diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c +index 65b965ca40ea7..59b9d04400cac 100644 +--- a/net/netfilter/xt_mark.c ++++ b/net/netfilter/xt_mark.c +@@ -48,7 +48,7 @@ static struct xt_target mark_tg_reg[] __read_mostly = { + .targetsize = sizeof(struct xt_mark_tginfo2), + .me = THIS_MODULE, + }, +-#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES) ++#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES) || IS_ENABLED(CONFIG_NFT_COMPAT_ARP) + { + .name = "MARK", + .revision = 2, +-- +2.39.5 + diff --git a/queue-6.12/nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-6.12/nfs-clear-sb_rdonly-before-getting-superblock.patch new file mode 100644 index 0000000000..c2257f5f38 --- /dev/null +++ b/queue-6.12/nfs-clear-sb_rdonly-before-getting-superblock.patch @@ -0,0 +1,68 @@ +From 3d2a359072ce8f4198916a54b15a03528e8e485d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 21:05:32 +0800 +Subject: nfs: clear SB_RDONLY before getting superblock + +From: Li Lingfeng + +[ Upstream commit 8cd9b785943c57a136536250da80ba1eb6f8eb18 ] + +As described in the link, commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when +mounting nfs") removed the check for the ro flag when determining whether +to share the superblock, which caused issues when mounting different +subdirectories under the same export directory via NFSv3. However, this +change did not affect NFSv4. + +For NFSv3: +1) A single superblock is created for the initial mount. +2) When mounted read-only, this superblock carries the SB_RDONLY flag. +3) Before commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs"): +Subsequent rw mounts would not share the existing ro superblock due to +flag mismatch, creating a new superblock without SB_RDONLY. +After the commit: + The SB_RDONLY flag is ignored during superblock comparison, and this leads + to sharing the existing superblock even for rw mounts. + Ultimately results in write operations being rejected at the VFS layer. + +For NFSv4: +1) Multiple superblocks are created and the last one will be kept. +2) The actually used superblock for ro mounts doesn't carry SB_RDONLY flag. +Therefore, commit 52cb7f8f1778 doesn't affect NFSv4 mounts. + +Clear SB_RDONLY before getting superblock when NFS_MOUNT_UNSHARED is not +set to fix it. + +Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs") +Closes: https://lore.kernel.org/all/12d7ea53-1202-4e21-a7ef-431c94758ce5@app.fastmail.com/T/ +Signed-off-by: Li Lingfeng +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index ae5c5e39afa03..44e5cb00e2ccf 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1303,8 +1303,17 @@ int nfs_get_tree_common(struct fs_context *fc) + if (IS_ERR(server)) + return PTR_ERR(server); + ++ /* ++ * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a ++ * superblock among each filesystem that mounts sub-directories ++ * belonging to a single exported root path. ++ * To prevent interference between different filesystems, the ++ * SB_RDONLY flag should be removed from the superblock. ++ */ + if (server->flags & NFS_MOUNT_UNSHARED) + compare_super = NULL; ++ else ++ fc->sb_flags &= ~SB_RDONLY; + + /* -o noac implies -o sync */ + if (server->flags & NFS_MOUNT_NOAC) +-- +2.39.5 + diff --git a/queue-6.12/nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-6.12/nfs-ignore-sb_rdonly-when-remounting-nfs.patch new file mode 100644 index 0000000000..9434a456ce --- /dev/null +++ b/queue-6.12/nfs-ignore-sb_rdonly-when-remounting-nfs.patch @@ -0,0 +1,72 @@ +From 8f674efd3aa3b14ce82c54af33cc424da6b266a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 21:05:33 +0800 +Subject: nfs: ignore SB_RDONLY when remounting nfs + +From: Li Lingfeng + +[ Upstream commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a ] + +In some scenarios, when mounting NFS, more than one superblock may be +created. The final superblock used is the last one created, but only the +first superblock carries the ro flag passed from user space. If a ro flag +is added to the superblock via remount, it will trigger the issue +described in Link[1]. + +Link[2] attempted to address this by marking the superblock as ro during +the initial mount. However, this introduced a new problem in scenarios +where multiple mount points share the same superblock: +[root@a ~]# mount /dev/sdb /mnt/sdb +[root@a ~]# echo "/mnt/sdb *(rw,no_root_squash)" > /etc/exports +[root@a ~]# echo "/mnt/sdb/test_dir2 *(ro,no_root_squash)" >> /etc/exports +[root@a ~]# systemctl restart nfs-server +[root@a ~]# mount -t nfs -o rw 127.0.0.1:/mnt/sdb/test_dir1 /mnt/test_mp1 +[root@a ~]# mount | grep nfs4 +127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (rw,relatime,... +[root@a ~]# mount -t nfs -o ro 127.0.0.1:/mnt/sdb/test_dir2 /mnt/test_mp2 +[root@a ~]# mount | grep nfs4 +127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (ro,relatime,... +127.0.0.1:/mnt/sdb/test_dir2 on /mnt/test_mp2 type nfs4 (ro,relatime,... +[root@a ~]# + +When mounting the second NFS, the shared superblock is marked as ro, +causing the previous NFS mount to become read-only. + +To resolve both issues, the ro flag is no longer applied to the superblock +during remount. Instead, the ro flag on the mount is used to control +whether the mount point is read-only. + +Fixes: 281cad46b34d ("NFS: Create a submount rpc_op") +Link[1]: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/ +Link[2]: https://lore.kernel.org/all/20241130035818.1459775-1-lilingfeng3@huawei.com/ +Signed-off-by: Li Lingfeng +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 44e5cb00e2ccf..da5286514d8c7 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1046,6 +1046,16 @@ int nfs_reconfigure(struct fs_context *fc) + + sync_filesystem(sb); + ++ /* ++ * The SB_RDONLY flag has been removed from the superblock during ++ * mounts to prevent interference between different filesystems. ++ * Similarly, it is also necessary to ignore the SB_RDONLY flag ++ * during reconfiguration; otherwise, it may also result in the ++ * creation of redundant superblocks when mounting a directory with ++ * different rw and ro flags multiple times. ++ */ ++ fc->sb_flags_mask &= ~SB_RDONLY; ++ + /* + * Userspace mount programs that send binary options generally send + * them populated with default values. We have no way to know which +-- +2.39.5 + diff --git a/queue-6.12/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch b/queue-6.12/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch new file mode 100644 index 0000000000..e80d57843e --- /dev/null +++ b/queue-6.12/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch @@ -0,0 +1,56 @@ +From c99e68a5819e3c31d698576029dbe1830e97bc24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 02:37:07 +0900 +Subject: nilfs2: add pointer check for nilfs_direct_propagate() + +From: Wentao Liang + +[ Upstream commit f43f02429295486059605997bc43803527d69791 ] + +Patch series "nilfs2: improve sanity checks in dirty state propagation". + +This fixes one missed check for block mapping anomalies and one improper +return of an error code during a preparation step for log writing, thereby +improving checking for filesystem corruption on writeback. + +This patch (of 2): + +In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr() +need to be checked to ensure it is not an invalid pointer. + +If the pointer value obtained by nilfs_direct_get_ptr() is +NILFS_BMAP_INVALID_PTR, means that the metadata (in this case, i_bmap in +the nilfs_inode_info struct) that should point to the data block at the +buffer head of the argument is corrupted and the data block is orphaned, +meaning that the file system has lost consistency. + +Add a value check and return -EINVAL when it is an invalid pointer. + +Link: https://lkml.kernel.org/r/20250428173808.6452-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20250428173808.6452-2-konishi.ryusuke@gmail.com +Fixes: 36a580eb489f ("nilfs2: direct block mapping") +Signed-off-by: Wentao Liang +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/direct.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c +index 893ab36824cc2..2d8dc6b35b547 100644 +--- a/fs/nilfs2/direct.c ++++ b/fs/nilfs2/direct.c +@@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap, + dat = nilfs_bmap_get_dat(bmap); + key = nilfs_bmap_data_get_key(bmap, bh); + ptr = nilfs_direct_get_ptr(bmap, key); ++ if (ptr == NILFS_BMAP_INVALID_PTR) ++ return -EINVAL; ++ + if (!buffer_nilfs_volatile(bh)) { + oldreq.pr_entry_nr = ptr; + newreq.pr_entry_nr = ptr; +-- +2.39.5 + diff --git a/queue-6.12/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch b/queue-6.12/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch new file mode 100644 index 0000000000..8f0f0bc40d --- /dev/null +++ b/queue-6.12/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch @@ -0,0 +1,55 @@ +From 24788519309edcc13bb309855342a6e1a9a75f24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 02:37:08 +0900 +Subject: nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() + +From: Ryusuke Konishi + +[ Upstream commit 8e39fbb1edbb4ec9d7c1124f403877fc167fcecd ] + +In preparation for writing logs, in nilfs_btree_propagate(), which makes +parent and ancestor node blocks dirty starting from a modified data block +or b-tree node block, if the starting block does not belong to the b-tree, +i.e. is isolated, nilfs_btree_do_lookup() called within the function +fails with -ENOENT. + +In this case, even though -ENOENT is an internal code, it is propagated to +the log writer via nilfs_bmap_propagate() and may be erroneously returned +to system calls such as fsync(). + +Fix this issue by changing the error code to -EINVAL in this case, and +having the bmap layer detect metadata corruption and convert the error +code appropriately. + +Link: https://lkml.kernel.org/r/20250428173808.6452-3-konishi.ryusuke@gmail.com +Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl") +Signed-off-by: Ryusuke Konishi +Cc: Wentao Liang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index ef5061bb56da1..9c51a4ac2627f 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -2103,11 +2103,13 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree, + + ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0); + if (ret < 0) { +- if (unlikely(ret == -ENOENT)) ++ if (unlikely(ret == -ENOENT)) { + nilfs_crit(btree->b_inode->i_sb, + "writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d", + btree->b_inode->i_ino, + (unsigned long long)key, level); ++ ret = -EINVAL; ++ } + goto out; + } + +-- +2.39.5 + diff --git a/queue-6.12/nvme-fix-command-limits-status-code.patch b/queue-6.12/nvme-fix-command-limits-status-code.patch new file mode 100644 index 0000000000..33523a6cf0 --- /dev/null +++ b/queue-6.12/nvme-fix-command-limits-status-code.patch @@ -0,0 +1,124 @@ +From 2aead4b445abaf4fb9789dd3c5c4456f979bfb90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 13:20:37 -0700 +Subject: nvme: fix command limits status code + +From: Keith Busch + +[ Upstream commit 10f4a7cd724e34b7a6ff96e57ac49dc0cadececc ] + +The command specific status code, 0x183, was introduced in the NVMe 2.0 +specification defined to "Command Size Limits Exceeded" and only ever +applied to DSM and Copy commands. Fix the name and, remove the +incorrect translation to error codes and special treatment in the +target code for it. + +Fixes: 3b7c33b28a44d4 ("nvme.h: add Write Zeroes definitions") +Cc: Chaitanya Kulkarni +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/constants.c | 2 +- + drivers/nvme/host/core.c | 1 - + drivers/nvme/host/pr.c | 2 -- + drivers/nvme/target/core.c | 9 +-------- + drivers/nvme/target/io-cmd-bdev.c | 9 +-------- + include/linux/nvme.h | 2 +- + 6 files changed, 4 insertions(+), 21 deletions(-) + +diff --git a/drivers/nvme/host/constants.c b/drivers/nvme/host/constants.c +index 2b9e6cfaf2a80..1a0058be58210 100644 +--- a/drivers/nvme/host/constants.c ++++ b/drivers/nvme/host/constants.c +@@ -145,7 +145,7 @@ static const char * const nvme_statuses[] = { + [NVME_SC_BAD_ATTRIBUTES] = "Conflicting Attributes", + [NVME_SC_INVALID_PI] = "Invalid Protection Information", + [NVME_SC_READ_ONLY] = "Attempted Write to Read Only Range", +- [NVME_SC_ONCS_NOT_SUPPORTED] = "ONCS Not Supported", ++ [NVME_SC_CMD_SIZE_LIM_EXCEEDED ] = "Command Size Limits Exceeded", + [NVME_SC_ZONE_BOUNDARY_ERROR] = "Zoned Boundary Error", + [NVME_SC_ZONE_FULL] = "Zone Is Full", + [NVME_SC_ZONE_READ_ONLY] = "Zone Is Read Only", +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 98dad1bdff440..eca764fede48f 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -284,7 +284,6 @@ static blk_status_t nvme_error_status(u16 status) + case NVME_SC_NS_NOT_READY: + return BLK_STS_TARGET; + case NVME_SC_BAD_ATTRIBUTES: +- case NVME_SC_ONCS_NOT_SUPPORTED: + case NVME_SC_INVALID_OPCODE: + case NVME_SC_INVALID_FIELD: + case NVME_SC_INVALID_NS: +diff --git a/drivers/nvme/host/pr.c b/drivers/nvme/host/pr.c +index dc7922f226004..80dd09aa01a3b 100644 +--- a/drivers/nvme/host/pr.c ++++ b/drivers/nvme/host/pr.c +@@ -82,8 +82,6 @@ static int nvme_status_to_pr_err(int status) + return PR_STS_SUCCESS; + case NVME_SC_RESERVATION_CONFLICT: + return PR_STS_RESERVATION_CONFLICT; +- case NVME_SC_ONCS_NOT_SUPPORTED: +- return -EOPNOTSUPP; + case NVME_SC_BAD_ATTRIBUTES: + case NVME_SC_INVALID_OPCODE: + case NVME_SC_INVALID_FIELD: +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index ed2424f8a396e..4606c88136669 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -62,14 +62,7 @@ inline u16 errno_to_nvme_status(struct nvmet_req *req, int errno) + return NVME_SC_LBA_RANGE | NVME_STATUS_DNR; + case -EOPNOTSUPP: + req->error_loc = offsetof(struct nvme_common_command, opcode); +- switch (req->cmd->common.opcode) { +- case nvme_cmd_dsm: +- case nvme_cmd_write_zeroes: +- return NVME_SC_ONCS_NOT_SUPPORTED | NVME_STATUS_DNR; +- default: +- return NVME_SC_INVALID_OPCODE | NVME_STATUS_DNR; +- } +- break; ++ return NVME_SC_INVALID_OPCODE | NVME_STATUS_DNR; + case -ENODATA: + req->error_loc = offsetof(struct nvme_rw_command, nsid); + return NVME_SC_ACCESS_DENIED; +diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c +index eaf31c823cbe8..73ecbc13c5b23 100644 +--- a/drivers/nvme/target/io-cmd-bdev.c ++++ b/drivers/nvme/target/io-cmd-bdev.c +@@ -145,15 +145,8 @@ u16 blk_to_nvme_status(struct nvmet_req *req, blk_status_t blk_sts) + req->error_loc = offsetof(struct nvme_rw_command, slba); + break; + case BLK_STS_NOTSUPP: ++ status = NVME_SC_INVALID_OPCODE | NVME_STATUS_DNR; + req->error_loc = offsetof(struct nvme_common_command, opcode); +- switch (req->cmd->common.opcode) { +- case nvme_cmd_dsm: +- case nvme_cmd_write_zeroes: +- status = NVME_SC_ONCS_NOT_SUPPORTED | NVME_STATUS_DNR; +- break; +- default: +- status = NVME_SC_INVALID_OPCODE | NVME_STATUS_DNR; +- } + break; + case BLK_STS_MEDIUM: + status = NVME_SC_ACCESS_DENIED; +diff --git a/include/linux/nvme.h b/include/linux/nvme.h +index 1c101f6fad2f3..84d4f0657b7a8 100644 +--- a/include/linux/nvme.h ++++ b/include/linux/nvme.h +@@ -1954,7 +1954,7 @@ enum { + NVME_SC_BAD_ATTRIBUTES = 0x180, + NVME_SC_INVALID_PI = 0x181, + NVME_SC_READ_ONLY = 0x182, +- NVME_SC_ONCS_NOT_SUPPORTED = 0x183, ++ NVME_SC_CMD_SIZE_LIM_EXCEEDED = 0x183, + + /* + * I/O Command Set Specific - Fabrics commands: +-- +2.39.5 + diff --git a/queue-6.12/ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch b/queue-6.12/ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch new file mode 100644 index 0000000000..ce618444ec --- /dev/null +++ b/queue-6.12/ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch @@ -0,0 +1,50 @@ +From 750972cd6f64d463cf09b219861f2d771e69a327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 09:56:27 +0300 +Subject: ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery + +From: Murad Masimov + +[ Upstream commit cdc3ed3035d0fe934aa1d9b78ce256752fd3bb7d ] + +If ocfs2_finish_quota_recovery() exits due to an error before passing all +rc_list elements to ocfs2_recover_local_quota_file() then it can lead to a +memory leak as rc_list may still contain elements that have to be freed. + +Release all memory allocated by ocfs2_add_recovery_chunk() using +ocfs2_free_quota_recovery() instead of kfree(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Link: https://lkml.kernel.org/r/20250402065628.706359-2-m.masimov@mt-integration.ru +Fixes: 2205363dce74 ("ocfs2: Implement quota recovery") +Signed-off-by: Murad Masimov +Reviewed-by: Jan Kara +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/quota_local.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c +index e272429da3db3..de7f12858729a 100644 +--- a/fs/ocfs2/quota_local.c ++++ b/fs/ocfs2/quota_local.c +@@ -674,7 +674,7 @@ int ocfs2_finish_quota_recovery(struct ocfs2_super *osb, + break; + } + out: +- kfree(rec); ++ ocfs2_free_quota_recovery(rec); + return status; + } + +-- +2.39.5 + diff --git a/queue-6.12/octeontx2-pf-qos-perform-cache-sync-on-send-queue-te.patch b/queue-6.12/octeontx2-pf-qos-perform-cache-sync-on-send-queue-te.patch new file mode 100644 index 0000000000..a845fc67e3 --- /dev/null +++ b/queue-6.12/octeontx2-pf-qos-perform-cache-sync-on-send-queue-te.patch @@ -0,0 +1,70 @@ +From 60a6b09490db9f6a640221ed4cb7a7542e5f87b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 15:17:41 +0530 +Subject: octeontx2-pf: QOS: Perform cache sync on send queue teardown + +From: Hariprasad Kelam + +[ Upstream commit 479c58016099d19686e36f6c50f912360839a7fa ] + +QOS is designed to create a new send queue whenever a class +is created, ensuring proper shaping and scheduling. However, +when multiple send queues are created and deleted in a loop, +SMMU errors are observed. + +This patch addresses the issue by performing an data cache sync +during the teardown of QOS send queues. + +Fixes: ab6dddd2a669 ("octeontx2-pf: qos send queues management") +Signed-off-by: Hariprasad Kelam +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250522094742.1498295-1-hkelam@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/qos_sq.c | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/qos_sq.c b/drivers/net/ethernet/marvell/octeontx2/nic/qos_sq.c +index 9d887bfc31089..ac9345644068e 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/qos_sq.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/qos_sq.c +@@ -256,6 +256,26 @@ int otx2_qos_enable_sq(struct otx2_nic *pfvf, int qidx) + return err; + } + ++static int otx2_qos_nix_npa_ndc_sync(struct otx2_nic *pfvf) ++{ ++ struct ndc_sync_op *req; ++ int rc; ++ ++ mutex_lock(&pfvf->mbox.lock); ++ ++ req = otx2_mbox_alloc_msg_ndc_sync_op(&pfvf->mbox); ++ if (!req) { ++ mutex_unlock(&pfvf->mbox.lock); ++ return -ENOMEM; ++ } ++ ++ req->nix_lf_tx_sync = true; ++ req->npa_lf_sync = true; ++ rc = otx2_sync_mbox_msg(&pfvf->mbox); ++ mutex_unlock(&pfvf->mbox.lock); ++ return rc; ++} ++ + void otx2_qos_disable_sq(struct otx2_nic *pfvf, int qidx) + { + struct otx2_qset *qset = &pfvf->qset; +@@ -285,6 +305,8 @@ void otx2_qos_disable_sq(struct otx2_nic *pfvf, int qidx) + + otx2_qos_sqb_flush(pfvf, sq_idx); + otx2_smq_flush(pfvf, otx2_get_smq_idx(pfvf, sq_idx)); ++ /* NIX/NPA NDC sync */ ++ otx2_qos_nix_npa_ndc_sync(pfvf); + otx2_cleanup_tx_cqes(pfvf, cq); + + mutex_lock(&pfvf->mbox.lock); +-- +2.39.5 + diff --git a/queue-6.12/octeontx2-pf-qos-refactor-tc_htb_leaf_del_last-callb.patch b/queue-6.12/octeontx2-pf-qos-refactor-tc_htb_leaf_del_last-callb.patch new file mode 100644 index 0000000000..6c1a0f2233 --- /dev/null +++ b/queue-6.12/octeontx2-pf-qos-refactor-tc_htb_leaf_del_last-callb.patch @@ -0,0 +1,60 @@ +From e86de2494493044564ac224ade4b33e95e01cb9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 17:28:42 +0530 +Subject: octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback + +From: Hariprasad Kelam + +[ Upstream commit 67af4ec948e8ce3ea53a9cf614d01fddf172e56d ] + +This patch addresses below issues, + +1. Active traffic on the leaf node must be stopped before its send queue + is reassigned to the parent. This patch resolves the issue by marking + the node as 'Inner'. + +2. During a system reboot, the interface receives TC_HTB_LEAF_DEL + and TC_HTB_LEAF_DEL_LAST callbacks to delete its HTB queues. + In the case of TC_HTB_LEAF_DEL_LAST, although the same send queue + is reassigned to the parent, the current logic still attempts to update + the real number of queues, leadning to below warnings + + New queues can't be registered after device unregistration. + WARNING: CPU: 0 PID: 6475 at net/core/net-sysfs.c:1714 + netdev_queue_update_kobjects+0x1e4/0x200 + +Fixes: 5e6808b4c68d ("octeontx2-pf: Add support for HTB offload") +Signed-off-by: Hariprasad Kelam +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250522115842.1499666-1-hkelam@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c +index 35acc07bd9648..5765bac119f0e 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c +@@ -1638,6 +1638,7 @@ static int otx2_qos_leaf_del_last(struct otx2_nic *pfvf, u16 classid, bool force + if (!node->is_static) + dwrr_del_node = true; + ++ WRITE_ONCE(node->qid, OTX2_QOS_QID_INNER); + /* destroy the leaf node */ + otx2_qos_disable_sq(pfvf, qid); + otx2_qos_destroy_node(pfvf, node); +@@ -1682,9 +1683,6 @@ static int otx2_qos_leaf_del_last(struct otx2_nic *pfvf, u16 classid, bool force + } + kfree(new_cfg); + +- /* update tx_real_queues */ +- otx2_qos_update_tx_netdev_queues(pfvf); +- + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/of-unittest-unlock-on-error-in-unittest_data_add.patch b/queue-6.12/of-unittest-unlock-on-error-in-unittest_data_add.patch new file mode 100644 index 0000000000..42fc22f540 --- /dev/null +++ b/queue-6.12/of-unittest-unlock-on-error-in-unittest_data_add.patch @@ -0,0 +1,61 @@ +From dd55e44db50bf81a635c91c44bf5de84ded2de7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 11:05:40 +0300 +Subject: of: unittest: Unlock on error in unittest_data_add() + +From: Dan Carpenter + +[ Upstream commit 493e6cb63a21e9f009dc4c209fd311f2bb777656 ] + +The of_overlay_mutex_unlock() was accidentally deleted if "of_root" is +NULL. Change this to a goto unlock. + +Fixes: d1eabd218ede ("of: unittest: treat missing of_root as error instead of fixing up") +Signed-off-by: Dan Carpenter +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/aBHZ1DvXiBcZkWmk@stanley.mountain +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 576e9beefc7c8..9a72f75e5c2d8 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -1916,15 +1916,16 @@ static int __init unittest_data_add(void) + rc = of_resolve_phandles(unittest_data_node); + if (rc) { + pr_err("%s: Failed to resolve phandles (rc=%i)\n", __func__, rc); +- of_overlay_mutex_unlock(); +- return -EINVAL; ++ rc = -EINVAL; ++ goto unlock; + } + + /* attach the sub-tree to live tree */ + if (!of_root) { + pr_warn("%s: no live tree to attach sub-tree\n", __func__); + kfree(unittest_data); +- return -ENODEV; ++ rc = -ENODEV; ++ goto unlock; + } + + EXPECT_BEGIN(KERN_INFO, +@@ -1943,9 +1944,10 @@ static int __init unittest_data_add(void) + EXPECT_END(KERN_INFO, + "Duplicate name in testcase-data, renamed to \"duplicate-name#1\""); + ++unlock: + of_overlay_mutex_unlock(); + +- return 0; ++ return rc; + } + + #ifdef CONFIG_OF_OVERLAY +-- +2.39.5 + diff --git a/queue-6.12/overflow-fix-direct-struct-member-initialization-in-.patch b/queue-6.12/overflow-fix-direct-struct-member-initialization-in-.patch new file mode 100644 index 0000000000..5b2ef004cf --- /dev/null +++ b/queue-6.12/overflow-fix-direct-struct-member-initialization-in-.patch @@ -0,0 +1,85 @@ +From 78b28633e68212597137fcc17ec3bb59223f8f1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 18:44:43 -0600 +Subject: overflow: Fix direct struct member initialization in _DEFINE_FLEX() + +From: Gustavo A. R. Silva + +[ Upstream commit 47e36ed7840661a9f7fb53554a1b04a5f8daffea ] + +Currently, to statically initialize the struct members of the `type` +object created by _DEFINE_FLEX(), the internal `obj` member must be +explicitly referenced at the call site. See: + +struct flex { + int a; + int b; + struct foo flex_array[]; +}; + +_DEFINE_FLEX(struct flex, instance, flex_array, + FIXED_SIZE, = { + .obj = { + .a = 0, + .b = 1, + }, + }); + +This leaks _DEFINE_FLEX() internal implementation details and make +the helper harder to use and read. + +Fix this and allow for a more natural and intuitive C99 init-style: + +_DEFINE_FLEX(struct flex, instance, flex_array, + FIXED_SIZE, = { + .a = 0, + .b = 1, + }); + +Note that before these changes, the `initializer` argument was optional, +but now it's required. + +Also, update "counter" member initialization in DEFINE_FLEX(). + +Fixes: 26dd68d293fd ("overflow: add DEFINE_FLEX() for on-stack allocs") +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/aBQVeyKfLOkO9Yss@kspp +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + include/linux/overflow.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/linux/overflow.h b/include/linux/overflow.h +index 0c7e3dcfe8670..823a53cd9a193 100644 +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -396,7 +396,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) + * @name: Name for a variable to define. + * @member: Name of the array member. + * @count: Number of elements in the array; must be compile-time const. +- * @initializer: initializer expression (could be empty for no init). ++ * @initializer: Initializer expression (e.g., pass `= { }` at minimum). + */ + #define _DEFINE_FLEX(type, name, member, count, initializer...) \ + _Static_assert(__builtin_constant_p(count), \ +@@ -404,7 +404,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) + union { \ + u8 bytes[struct_size_t(type, member, count)]; \ + type obj; \ +- } name##_u initializer; \ ++ } name##_u = { .obj initializer }; \ + type *name = (type *)&name##_u + + /** +@@ -438,6 +438,6 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) + * Use __struct_size(@NAME) to get compile-time size of it afterwards. + */ + #define DEFINE_FLEX(TYPE, NAME, MEMBER, COUNTER, COUNT) \ +- _DEFINE_FLEX(TYPE, NAME, MEMBER, COUNT, = { .obj.COUNTER = COUNT, }) ++ _DEFINE_FLEX(TYPE, NAME, MEMBER, COUNT, = { .COUNTER = COUNT, }) + + #endif /* __LINUX_OVERFLOW_H */ +-- +2.39.5 + diff --git a/queue-6.12/page_pool-fix-use-after-free-in-page_pool_recycle_in.patch b/queue-6.12/page_pool-fix-use-after-free-in-page_pool_recycle_in.patch new file mode 100644 index 0000000000..c9e0783a34 --- /dev/null +++ b/queue-6.12/page_pool-fix-use-after-free-in-page_pool_recycle_in.patch @@ -0,0 +1,149 @@ +From 4193003e01f600e542047b76e342891da57c52b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 19:41:52 +0800 +Subject: page_pool: Fix use-after-free in page_pool_recycle_in_ring +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dong Chenchen + +[ Upstream commit 271683bb2cf32e5126c592b5d5e6a756fa374fd9 ] + +syzbot reported a uaf in page_pool_recycle_in_ring: + +BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 +Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943 + +CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x169/0x550 mm/kasan/report.c:489 + kasan_report+0x143/0x180 mm/kasan/report.c:602 + lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 + __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline] + _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210 + spin_unlock_bh include/linux/spinlock.h:396 [inline] + ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline] + page_pool_recycle_in_ring net/core/page_pool.c:707 [inline] + page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826 + page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline] + page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline] + napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036 + skb_pp_recycle net/core/skbuff.c:1047 [inline] + skb_free_head net/core/skbuff.c:1094 [inline] + skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125 + skb_release_all net/core/skbuff.c:1190 [inline] + __kfree_skb net/core/skbuff.c:1204 [inline] + sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242 + kfree_skb_reason include/linux/skbuff.h:1263 [inline] + __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline] + +root cause is: + +page_pool_recycle_in_ring + ptr_ring_produce + spin_lock(&r->producer_lock); + WRITE_ONCE(r->queue[r->producer++], ptr) + //recycle last page to pool + page_pool_release + page_pool_scrub + page_pool_empty_ring + ptr_ring_consume + page_pool_return_page //release all page + __page_pool_destroy + free_percpu(pool->recycle_stats); + free(pool) //free + + spin_unlock(&r->producer_lock); //pool->ring uaf read + recycle_stat_inc(pool, ring); + +page_pool can be free while page pool recycle the last page in ring. +Add producer-lock barrier to page_pool_release to prevent the page +pool from being free before all pages have been recycled. + +recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not +enabled, which will trigger Wempty-body build warning. Add definition +for pool stat macro to fix warning. + +Suggested-by: Jakub Kicinski +Link: https://lore.kernel.org/netdev/20250513083123.3514193-1-dongchenchen2@huawei.com +Fixes: ff7d6b27f894 ("page_pool: refurbish version of page_pool code") +Reported-by: syzbot+204a4382fcb3311f3858@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=204a4382fcb3311f3858 +Signed-off-by: Dong Chenchen +Reviewed-by: Toke Høiland-Jørgensen +Reviewed-by: Mina Almasry +Link: https://patch.msgid.link/20250527114152.3119109-1-dongchenchen2@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/page_pool.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/net/core/page_pool.c b/net/core/page_pool.c +index a49b7f3e25dd6..0f23b3126bdaf 100644 +--- a/net/core/page_pool.c ++++ b/net/core/page_pool.c +@@ -151,9 +151,9 @@ u64 *page_pool_ethtool_stats_get(u64 *data, const void *stats) + EXPORT_SYMBOL(page_pool_ethtool_stats_get); + + #else +-#define alloc_stat_inc(pool, __stat) +-#define recycle_stat_inc(pool, __stat) +-#define recycle_stat_add(pool, __stat, val) ++#define alloc_stat_inc(...) do { } while (0) ++#define recycle_stat_inc(...) do { } while (0) ++#define recycle_stat_add(...) do { } while (0) + #endif + + static bool page_pool_producer_lock(struct page_pool *pool) +@@ -734,19 +734,16 @@ void page_pool_return_page(struct page_pool *pool, netmem_ref netmem) + + static bool page_pool_recycle_in_ring(struct page_pool *pool, netmem_ref netmem) + { +- int ret; +- /* BH protection not needed if current is softirq */ +- if (in_softirq()) +- ret = ptr_ring_produce(&pool->ring, (__force void *)netmem); +- else +- ret = ptr_ring_produce_bh(&pool->ring, (__force void *)netmem); ++ bool in_softirq, ret; + +- if (!ret) { ++ /* BH protection not needed if current is softirq */ ++ in_softirq = page_pool_producer_lock(pool); ++ ret = !__ptr_ring_produce(&pool->ring, (__force void *)netmem); ++ if (ret) + recycle_stat_inc(pool, ring); +- return true; +- } ++ page_pool_producer_unlock(pool, in_softirq); + +- return false; ++ return ret; + } + + /* Only allow direct recycling in special circumstances, into the +@@ -1104,10 +1101,14 @@ static void page_pool_scrub(struct page_pool *pool) + + static int page_pool_release(struct page_pool *pool) + { ++ bool in_softirq; + int inflight; + + page_pool_scrub(pool); + inflight = page_pool_inflight(pool, true); ++ /* Acquire producer lock to make sure producers have exited. */ ++ in_softirq = page_pool_producer_lock(pool); ++ page_pool_producer_unlock(pool, in_softirq); + if (!inflight) + __page_pool_destroy(pool); + +-- +2.39.5 + diff --git a/queue-6.12/page_pool-move-pp_magic-check-into-helper-functions.patch b/queue-6.12/page_pool-move-pp_magic-check-into-helper-functions.patch new file mode 100644 index 0000000000..edda4be3f7 --- /dev/null +++ b/queue-6.12/page_pool-move-pp_magic-check-into-helper-functions.patch @@ -0,0 +1,179 @@ +From 939cc8be19708861048678ba6ea497d56c151d8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 12:41:36 +0200 +Subject: page_pool: Move pp_magic check into helper functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit cd3c93167da0e760b5819246eae7a4ea30fd014b ] + +Since we are about to stash some more information into the pp_magic +field, let's move the magic signature checks into a pair of helper +functions so it can be changed in one place. + +Reviewed-by: Mina Almasry +Tested-by: Yonglong Liu +Acked-by: Jesper Dangaard Brouer +Reviewed-by: Ilias Apalodimas +Signed-off-by: Toke Høiland-Jørgensen +Link: https://patch.msgid.link/20250409-page-pool-track-dma-v9-1-6a9ef2e0cba8@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en/xdp.c | 4 ++-- + include/linux/mm.h | 20 +++++++++++++++++++ + mm/page_alloc.c | 8 ++------ + net/core/netmem_priv.h | 5 +++++ + net/core/skbuff.c | 16 ++------------- + net/core/xdp.c | 4 ++-- + 6 files changed, 33 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c +index 08ab0999f7b31..14192da4b8ed0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c +@@ -706,8 +706,8 @@ static void mlx5e_free_xdpsq_desc(struct mlx5e_xdpsq *sq, + xdpi = mlx5e_xdpi_fifo_pop(xdpi_fifo); + page = xdpi.page.page; + +- /* No need to check ((page->pp_magic & ~0x3UL) == PP_SIGNATURE) +- * as we know this is a page_pool page. ++ /* No need to check page_pool_page_is_pp() as we ++ * know this is a page_pool page. + */ + page_pool_recycle_direct(page->pp, page); + } while (++n < num); +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 8617adc6becd1..412f5efe3ae79 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -4243,4 +4243,24 @@ static inline void pgalloc_tag_copy(struct folio *new, struct folio *old) + } + #endif /* CONFIG_MEM_ALLOC_PROFILING */ + ++/* Mask used for checking in page_pool_page_is_pp() below. page->pp_magic is ++ * OR'ed with PP_SIGNATURE after the allocation in order to preserve bit 0 for ++ * the head page of compound page and bit 1 for pfmemalloc page. ++ * page_is_pfmemalloc() is checked in __page_pool_put_page() to avoid recycling ++ * the pfmemalloc page. ++ */ ++#define PP_MAGIC_MASK ~0x3UL ++ ++#ifdef CONFIG_PAGE_POOL ++static inline bool page_pool_page_is_pp(struct page *page) ++{ ++ return (page->pp_magic & PP_MAGIC_MASK) == PP_SIGNATURE; ++} ++#else ++static inline bool page_pool_page_is_pp(struct page *page) ++{ ++ return false; ++} ++#endif ++ + #endif /* _LINUX_MM_H */ +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index 882903f42300b..752576749db9d 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -872,9 +872,7 @@ static inline bool page_expected_state(struct page *page, + #ifdef CONFIG_MEMCG + page->memcg_data | + #endif +-#ifdef CONFIG_PAGE_POOL +- ((page->pp_magic & ~0x3UL) == PP_SIGNATURE) | +-#endif ++ page_pool_page_is_pp(page) | + (page->flags & check_flags))) + return false; + +@@ -901,10 +899,8 @@ static const char *page_bad_reason(struct page *page, unsigned long flags) + if (unlikely(page->memcg_data)) + bad_reason = "page still charged to cgroup"; + #endif +-#ifdef CONFIG_PAGE_POOL +- if (unlikely((page->pp_magic & ~0x3UL) == PP_SIGNATURE)) ++ if (unlikely(page_pool_page_is_pp(page))) + bad_reason = "page_pool leak"; +-#endif + return bad_reason; + } + +diff --git a/net/core/netmem_priv.h b/net/core/netmem_priv.h +index 7eadb8393e002..f33162fd281c2 100644 +--- a/net/core/netmem_priv.h ++++ b/net/core/netmem_priv.h +@@ -18,6 +18,11 @@ static inline void netmem_clear_pp_magic(netmem_ref netmem) + __netmem_clear_lsb(netmem)->pp_magic = 0; + } + ++static inline bool netmem_is_pp(netmem_ref netmem) ++{ ++ return (netmem_get_pp_magic(netmem) & PP_MAGIC_MASK) == PP_SIGNATURE; ++} ++ + static inline void netmem_set_pp(netmem_ref netmem, struct page_pool *pool) + { + __netmem_clear_lsb(netmem)->pp = pool; +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index f220306731dac..fdb36165c58f5 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -925,11 +925,6 @@ static void skb_clone_fraglist(struct sk_buff *skb) + skb_get(list); + } + +-static bool is_pp_netmem(netmem_ref netmem) +-{ +- return (netmem_get_pp_magic(netmem) & ~0x3UL) == PP_SIGNATURE; +-} +- + int skb_pp_cow_data(struct page_pool *pool, struct sk_buff **pskb, + unsigned int headroom) + { +@@ -1027,14 +1022,7 @@ bool napi_pp_put_page(netmem_ref netmem) + { + netmem = netmem_compound_head(netmem); + +- /* page->pp_magic is OR'ed with PP_SIGNATURE after the allocation +- * in order to preserve any existing bits, such as bit 0 for the +- * head page of compound page and bit 1 for pfmemalloc page, so +- * mask those bits for freeing side when doing below checking, +- * and page_is_pfmemalloc() is checked in __page_pool_put_page() +- * to avoid recycling the pfmemalloc page. +- */ +- if (unlikely(!is_pp_netmem(netmem))) ++ if (unlikely(!netmem_is_pp(netmem))) + return false; + + page_pool_put_full_netmem(netmem_get_pp(netmem), netmem, false); +@@ -1074,7 +1062,7 @@ static int skb_pp_frag_ref(struct sk_buff *skb) + + for (i = 0; i < shinfo->nr_frags; i++) { + head_netmem = netmem_compound_head(shinfo->frags[i].netmem); +- if (likely(is_pp_netmem(head_netmem))) ++ if (likely(netmem_is_pp(head_netmem))) + page_pool_ref_netmem(head_netmem); + else + page_ref_inc(netmem_to_page(head_netmem)); +diff --git a/net/core/xdp.c b/net/core/xdp.c +index bcc5551c6424b..23e7d736718b0 100644 +--- a/net/core/xdp.c ++++ b/net/core/xdp.c +@@ -381,8 +381,8 @@ void __xdp_return(void *data, struct xdp_mem_info *mem, bool napi_direct, + page = virt_to_head_page(data); + if (napi_direct && xdp_return_frame_no_direct()) + napi_direct = false; +- /* No need to check ((page->pp_magic & ~0x3UL) == PP_SIGNATURE) +- * as mem->type knows this a page_pool page ++ /* No need to check netmem_is_pp() as mem->type knows this a ++ * page_pool page + */ + page_pool_put_full_page(page->pp, page, napi_direct); + break; +-- +2.39.5 + diff --git a/queue-6.12/page_pool-track-dma-mapped-pages-and-unmap-them-when.patch b/queue-6.12/page_pool-track-dma-mapped-pages-and-unmap-them-when.patch new file mode 100644 index 0000000000..17b626b610 --- /dev/null +++ b/queue-6.12/page_pool-track-dma-mapped-pages-and-unmap-them-when.patch @@ -0,0 +1,427 @@ +From 78e27e4bf4beb4427f4873e360b15e414c201906 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 12:41:37 +0200 +Subject: page_pool: Track DMA-mapped pages and unmap them when destroying the + pool +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit ee62ce7a1d909ccba0399680a03c2dee83bcae95 ] + +When enabling DMA mapping in page_pool, pages are kept DMA mapped until +they are released from the pool, to avoid the overhead of re-mapping the +pages every time they are used. This causes resource leaks and/or +crashes when there are pages still outstanding while the device is torn +down, because page_pool will attempt an unmap through a non-existent DMA +device on the subsequent page return. + +To fix this, implement a simple tracking of outstanding DMA-mapped pages +in page pool using an xarray. This was first suggested by Mina[0], and +turns out to be fairly straight forward: We simply store pointers to +pages directly in the xarray with xa_alloc() when they are first DMA +mapped, and remove them from the array on unmap. Then, when a page pool +is torn down, it can simply walk the xarray and unmap all pages still +present there before returning, which also allows us to get rid of the +get/put_device() calls in page_pool. Using xa_cmpxchg(), no additional +synchronisation is needed, as a page will only ever be unmapped once. + +To avoid having to walk the entire xarray on unmap to find the page +reference, we stash the ID assigned by xa_alloc() into the page +structure itself, using the upper bits of the pp_magic field. This +requires a couple of defines to avoid conflicting with the +POINTER_POISON_DELTA define, but this is all evaluated at compile-time, +so does not affect run-time performance. The bitmap calculations in this +patch gives the following number of bits for different architectures: + +- 23 bits on 32-bit architectures +- 21 bits on PPC64 (because of the definition of ILLEGAL_POINTER_VALUE) +- 32 bits on other 64-bit architectures + +Stashing a value into the unused bits of pp_magic does have the effect +that it can make the value stored there lie outside the unmappable +range (as governed by the mmap_min_addr sysctl), for architectures that +don't define ILLEGAL_POINTER_VALUE. This means that if one of the +pointers that is aliased to the pp_magic field (such as page->lru.next) +is dereferenced while the page is owned by page_pool, that could lead to +a dereference into userspace, which is a security concern. The risk of +this is mitigated by the fact that (a) we always clear pp_magic before +releasing a page from page_pool, and (b) this would need a +use-after-free bug for struct page, which can have many other risks +since page->lru.next is used as a generic list pointer in multiple +places in the kernel. As such, with this patch we take the position that +this risk is negligible in practice. For more discussion, see[1]. + +Since all the tracking added in this patch is performed on DMA +map/unmap, no additional code is needed in the fast path, meaning the +performance overhead of this tracking is negligible there. A +micro-benchmark shows that the total overhead of the tracking itself is +about 400 ns (39 cycles(tsc) 395.218 ns; sum for both map and unmap[2]). +Since this cost is only paid on DMA map and unmap, it seems like an +acceptable cost to fix the late unmap issue. Further optimisation can +narrow the cases where this cost is paid (for instance by eliding the +tracking when DMA map/unmap is a no-op). + +The extra memory needed to track the pages is neatly encapsulated inside +xarray, which uses the 'struct xa_node' structure to track items. This +structure is 576 bytes long, with slots for 64 items, meaning that a +full node occurs only 9 bytes of overhead per slot it tracks (in +practice, it probably won't be this efficient, but in any case it should +be an acceptable overhead). + +[0] https://lore.kernel.org/all/CAHS8izPg7B5DwKfSuzz-iOop_YRbk3Sd6Y4rX7KBG9DcVJcyWg@mail.gmail.com/ +[1] https://lore.kernel.org/r/20250320023202.GA25514@openwall.com +[2] https://lore.kernel.org/r/ae07144c-9295-4c9d-a400-153bb689fe9e@huawei.com + +Reported-by: Yonglong Liu +Closes: https://lore.kernel.org/r/8743264a-9700-4227-a556-5f931c720211@huawei.com +Fixes: ff7d6b27f894 ("page_pool: refurbish version of page_pool code") +Suggested-by: Mina Almasry +Reviewed-by: Mina Almasry +Reviewed-by: Jesper Dangaard Brouer +Tested-by: Jesper Dangaard Brouer +Tested-by: Qiuling Ren +Tested-by: Yuying Ma +Tested-by: Yonglong Liu +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Toke Høiland-Jørgensen +Link: https://patch.msgid.link/20250409-page-pool-track-dma-v9-2-6a9ef2e0cba8@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/mm.h | 46 ++++++++++++++++++-- + include/linux/poison.h | 4 ++ + include/net/page_pool/types.h | 6 +++ + net/core/netmem_priv.h | 28 +++++++++++- + net/core/page_pool.c | 81 +++++++++++++++++++++++++++++------ + 5 files changed, 147 insertions(+), 18 deletions(-) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 412f5efe3ae79..059ca4767e148 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -4243,13 +4243,51 @@ static inline void pgalloc_tag_copy(struct folio *new, struct folio *old) + } + #endif /* CONFIG_MEM_ALLOC_PROFILING */ + ++/* ++ * DMA mapping IDs for page_pool ++ * ++ * When DMA-mapping a page, page_pool allocates an ID (from an xarray) and ++ * stashes it in the upper bits of page->pp_magic. We always want to be able to ++ * unambiguously identify page pool pages (using page_pool_page_is_pp()). Non-PP ++ * pages can have arbitrary kernel pointers stored in the same field as pp_magic ++ * (since it overlaps with page->lru.next), so we must ensure that we cannot ++ * mistake a valid kernel pointer with any of the values we write into this ++ * field. ++ * ++ * On architectures that set POISON_POINTER_DELTA, this is already ensured, ++ * since this value becomes part of PP_SIGNATURE; meaning we can just use the ++ * space between the PP_SIGNATURE value (without POISON_POINTER_DELTA), and the ++ * lowest bits of POISON_POINTER_DELTA. On arches where POISON_POINTER_DELTA is ++ * 0, we make sure that we leave the two topmost bits empty, as that guarantees ++ * we won't mistake a valid kernel pointer for a value we set, regardless of the ++ * VMSPLIT setting. ++ * ++ * Altogether, this means that the number of bits available is constrained by ++ * the size of an unsigned long (at the upper end, subtracting two bits per the ++ * above), and the definition of PP_SIGNATURE (with or without ++ * POISON_POINTER_DELTA). ++ */ ++#define PP_DMA_INDEX_SHIFT (1 + __fls(PP_SIGNATURE - POISON_POINTER_DELTA)) ++#if POISON_POINTER_DELTA > 0 ++/* PP_SIGNATURE includes POISON_POINTER_DELTA, so limit the size of the DMA ++ * index to not overlap with that if set ++ */ ++#define PP_DMA_INDEX_BITS MIN(32, __ffs(POISON_POINTER_DELTA) - PP_DMA_INDEX_SHIFT) ++#else ++/* Always leave out the topmost two; see above. */ ++#define PP_DMA_INDEX_BITS MIN(32, BITS_PER_LONG - PP_DMA_INDEX_SHIFT - 2) ++#endif ++ ++#define PP_DMA_INDEX_MASK GENMASK(PP_DMA_INDEX_BITS + PP_DMA_INDEX_SHIFT - 1, \ ++ PP_DMA_INDEX_SHIFT) ++ + /* Mask used for checking in page_pool_page_is_pp() below. page->pp_magic is + * OR'ed with PP_SIGNATURE after the allocation in order to preserve bit 0 for +- * the head page of compound page and bit 1 for pfmemalloc page. +- * page_is_pfmemalloc() is checked in __page_pool_put_page() to avoid recycling +- * the pfmemalloc page. ++ * the head page of compound page and bit 1 for pfmemalloc page, as well as the ++ * bits used for the DMA index. page_is_pfmemalloc() is checked in ++ * __page_pool_put_page() to avoid recycling the pfmemalloc page. + */ +-#define PP_MAGIC_MASK ~0x3UL ++#define PP_MAGIC_MASK ~(PP_DMA_INDEX_MASK | 0x3UL) + + #ifdef CONFIG_PAGE_POOL + static inline bool page_pool_page_is_pp(struct page *page) +diff --git a/include/linux/poison.h b/include/linux/poison.h +index 331a9a996fa87..8ca2235f78d5d 100644 +--- a/include/linux/poison.h ++++ b/include/linux/poison.h +@@ -70,6 +70,10 @@ + #define KEY_DESTROY 0xbd + + /********** net/core/page_pool.c **********/ ++/* ++ * page_pool uses additional free bits within this value to store data, see the ++ * definition of PP_DMA_INDEX_MASK in mm.h ++ */ + #define PP_SIGNATURE (0x40 + POISON_POINTER_DELTA) + + /********** net/core/skbuff.c **********/ +diff --git a/include/net/page_pool/types.h b/include/net/page_pool/types.h +index c022c410abe39..f53e2c90b6866 100644 +--- a/include/net/page_pool/types.h ++++ b/include/net/page_pool/types.h +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + + #define PP_FLAG_DMA_MAP BIT(0) /* Should page_pool do the DMA +@@ -33,6 +34,9 @@ + #define PP_FLAG_ALL (PP_FLAG_DMA_MAP | PP_FLAG_DMA_SYNC_DEV | \ + PP_FLAG_SYSTEM_POOL | PP_FLAG_ALLOW_UNREADABLE_NETMEM) + ++/* Index limit to stay within PP_DMA_INDEX_BITS for DMA indices */ ++#define PP_DMA_INDEX_LIMIT XA_LIMIT(1, BIT(PP_DMA_INDEX_BITS) - 1) ++ + /* + * Fast allocation side cache array/stack + * +@@ -216,6 +220,8 @@ struct page_pool { + + void *mp_priv; + ++ struct xarray dma_mapped; ++ + #ifdef CONFIG_PAGE_POOL_STATS + /* recycle stats are per-cpu to avoid locking */ + struct page_pool_recycle_stats __percpu *recycle_stats; +diff --git a/net/core/netmem_priv.h b/net/core/netmem_priv.h +index f33162fd281c2..cd95394399b40 100644 +--- a/net/core/netmem_priv.h ++++ b/net/core/netmem_priv.h +@@ -5,7 +5,7 @@ + + static inline unsigned long netmem_get_pp_magic(netmem_ref netmem) + { +- return __netmem_clear_lsb(netmem)->pp_magic; ++ return __netmem_clear_lsb(netmem)->pp_magic & ~PP_DMA_INDEX_MASK; + } + + static inline void netmem_or_pp_magic(netmem_ref netmem, unsigned long pp_magic) +@@ -15,6 +15,8 @@ static inline void netmem_or_pp_magic(netmem_ref netmem, unsigned long pp_magic) + + static inline void netmem_clear_pp_magic(netmem_ref netmem) + { ++ WARN_ON_ONCE(__netmem_clear_lsb(netmem)->pp_magic & PP_DMA_INDEX_MASK); ++ + __netmem_clear_lsb(netmem)->pp_magic = 0; + } + +@@ -33,4 +35,28 @@ static inline void netmem_set_dma_addr(netmem_ref netmem, + { + __netmem_clear_lsb(netmem)->dma_addr = dma_addr; + } ++ ++static inline unsigned long netmem_get_dma_index(netmem_ref netmem) ++{ ++ unsigned long magic; ++ ++ if (WARN_ON_ONCE(netmem_is_net_iov(netmem))) ++ return 0; ++ ++ magic = __netmem_clear_lsb(netmem)->pp_magic; ++ ++ return (magic & PP_DMA_INDEX_MASK) >> PP_DMA_INDEX_SHIFT; ++} ++ ++static inline void netmem_set_dma_index(netmem_ref netmem, ++ unsigned long id) ++{ ++ unsigned long magic; ++ ++ if (WARN_ON_ONCE(netmem_is_net_iov(netmem))) ++ return; ++ ++ magic = netmem_get_pp_magic(netmem) | (id << PP_DMA_INDEX_SHIFT); ++ __netmem_clear_lsb(netmem)->pp_magic = magic; ++} + #endif +diff --git a/net/core/page_pool.c b/net/core/page_pool.c +index c8ce069605c42..a49b7f3e25dd6 100644 +--- a/net/core/page_pool.c ++++ b/net/core/page_pool.c +@@ -273,8 +273,7 @@ static int page_pool_init(struct page_pool *pool, + /* Driver calling page_pool_create() also call page_pool_destroy() */ + refcount_set(&pool->user_cnt, 1); + +- if (pool->dma_map) +- get_device(pool->p.dev); ++ xa_init_flags(&pool->dma_mapped, XA_FLAGS_ALLOC1); + + if (pool->slow.flags & PP_FLAG_ALLOW_UNREADABLE_NETMEM) { + /* We rely on rtnl_lock()ing to make sure netdev_rx_queue +@@ -312,9 +311,7 @@ static int page_pool_init(struct page_pool *pool, + static void page_pool_uninit(struct page_pool *pool) + { + ptr_ring_cleanup(&pool->ring, NULL); +- +- if (pool->dma_map) +- put_device(pool->p.dev); ++ xa_destroy(&pool->dma_mapped); + + #ifdef CONFIG_PAGE_POOL_STATS + if (!pool->system) +@@ -455,13 +452,21 @@ page_pool_dma_sync_for_device(const struct page_pool *pool, + netmem_ref netmem, + u32 dma_sync_size) + { +- if (pool->dma_sync && dma_dev_need_sync(pool->p.dev)) +- __page_pool_dma_sync_for_device(pool, netmem, dma_sync_size); ++ if (pool->dma_sync && dma_dev_need_sync(pool->p.dev)) { ++ rcu_read_lock(); ++ /* re-check under rcu_read_lock() to sync with page_pool_scrub() */ ++ if (pool->dma_sync) ++ __page_pool_dma_sync_for_device(pool, netmem, ++ dma_sync_size); ++ rcu_read_unlock(); ++ } + } + +-static bool page_pool_dma_map(struct page_pool *pool, netmem_ref netmem) ++static bool page_pool_dma_map(struct page_pool *pool, netmem_ref netmem, gfp_t gfp) + { + dma_addr_t dma; ++ int err; ++ u32 id; + + /* Setup DMA mapping: use 'struct page' area for storing DMA-addr + * since dma_addr_t can be either 32 or 64 bits and does not always fit +@@ -475,15 +480,30 @@ static bool page_pool_dma_map(struct page_pool *pool, netmem_ref netmem) + if (dma_mapping_error(pool->p.dev, dma)) + return false; + +- if (page_pool_set_dma_addr_netmem(netmem, dma)) ++ if (page_pool_set_dma_addr_netmem(netmem, dma)) { ++ WARN_ONCE(1, "unexpected DMA address, please report to netdev@"); + goto unmap_failed; ++ } ++ ++ if (in_softirq()) ++ err = xa_alloc(&pool->dma_mapped, &id, netmem_to_page(netmem), ++ PP_DMA_INDEX_LIMIT, gfp); ++ else ++ err = xa_alloc_bh(&pool->dma_mapped, &id, netmem_to_page(netmem), ++ PP_DMA_INDEX_LIMIT, gfp); ++ if (err) { ++ WARN_ONCE(err != -ENOMEM, "couldn't track DMA mapping, please report to netdev@"); ++ goto unset_failed; ++ } + ++ netmem_set_dma_index(netmem, id); + page_pool_dma_sync_for_device(pool, netmem, pool->p.max_len); + + return true; + ++unset_failed: ++ page_pool_set_dma_addr_netmem(netmem, 0); + unmap_failed: +- WARN_ONCE(1, "unexpected DMA address, please report to netdev@"); + dma_unmap_page_attrs(pool->p.dev, dma, + PAGE_SIZE << pool->p.order, pool->p.dma_dir, + DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING); +@@ -500,7 +520,7 @@ static struct page *__page_pool_alloc_page_order(struct page_pool *pool, + if (unlikely(!page)) + return NULL; + +- if (pool->dma_map && unlikely(!page_pool_dma_map(pool, page_to_netmem(page)))) { ++ if (pool->dma_map && unlikely(!page_pool_dma_map(pool, page_to_netmem(page), gfp))) { + put_page(page); + return NULL; + } +@@ -547,7 +567,7 @@ static noinline netmem_ref __page_pool_alloc_pages_slow(struct page_pool *pool, + */ + for (i = 0; i < nr_pages; i++) { + netmem = pool->alloc.cache[i]; +- if (dma_map && unlikely(!page_pool_dma_map(pool, netmem))) { ++ if (dma_map && unlikely(!page_pool_dma_map(pool, netmem, gfp))) { + put_page(netmem_to_page(netmem)); + continue; + } +@@ -649,6 +669,8 @@ void page_pool_clear_pp_info(netmem_ref netmem) + static __always_inline void __page_pool_release_page_dma(struct page_pool *pool, + netmem_ref netmem) + { ++ struct page *old, *page = netmem_to_page(netmem); ++ unsigned long id; + dma_addr_t dma; + + if (!pool->dma_map) +@@ -657,6 +679,17 @@ static __always_inline void __page_pool_release_page_dma(struct page_pool *pool, + */ + return; + ++ id = netmem_get_dma_index(netmem); ++ if (!id) ++ return; ++ ++ if (in_softirq()) ++ old = xa_cmpxchg(&pool->dma_mapped, id, page, NULL, 0); ++ else ++ old = xa_cmpxchg_bh(&pool->dma_mapped, id, page, NULL, 0); ++ if (old != page) ++ return; ++ + dma = page_pool_get_dma_addr_netmem(netmem); + + /* When page is unmapped, it cannot be returned to our pool */ +@@ -664,6 +697,7 @@ static __always_inline void __page_pool_release_page_dma(struct page_pool *pool, + PAGE_SIZE << pool->p.order, pool->p.dma_dir, + DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING); + page_pool_set_dma_addr_netmem(netmem, 0); ++ netmem_set_dma_index(netmem, 0); + } + + /* Disconnects a page (from a page_pool). API users can have a need +@@ -1038,8 +1072,29 @@ static void page_pool_empty_alloc_cache_once(struct page_pool *pool) + + static void page_pool_scrub(struct page_pool *pool) + { ++ unsigned long id; ++ void *ptr; ++ + page_pool_empty_alloc_cache_once(pool); +- pool->destroy_cnt++; ++ if (!pool->destroy_cnt++ && pool->dma_map) { ++ if (pool->dma_sync) { ++ /* Disable page_pool_dma_sync_for_device() */ ++ pool->dma_sync = false; ++ ++ /* Make sure all concurrent returns that may see the old ++ * value of dma_sync (and thus perform a sync) have ++ * finished before doing the unmapping below. Skip the ++ * wait if the device doesn't actually need syncing, or ++ * if there are no outstanding mapped pages. ++ */ ++ if (dma_dev_need_sync(pool->p.dev) && ++ !xa_empty(&pool->dma_mapped)) ++ synchronize_net(); ++ } ++ ++ xa_for_each(&pool->dma_mapped, id, ptr) ++ __page_pool_release_page_dma(pool, page_to_netmem(ptr)); ++ } + + /* No more consumers should exist, but producers could still + * be in-flight. +-- +2.39.5 + diff --git a/queue-6.12/path_overmount-avoid-false-negatives.patch b/queue-6.12/path_overmount-avoid-false-negatives.patch new file mode 100644 index 0000000000..8001789439 --- /dev/null +++ b/queue-6.12/path_overmount-avoid-false-negatives.patch @@ -0,0 +1,68 @@ +From 9cef5777c7fce137eba4f9315587ff536e36e552 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Jun 2025 14:02:26 -0400 +Subject: path_overmount(): avoid false negatives + +From: Al Viro + +[ Upstream commit 5f31c549382bcddbbd754c72c5433b19420d485d ] + +Holding namespace_sem is enough to make sure that result remains valid. +It is *not* enough to avoid false negatives from __lookup_mnt(). Mounts +can be unhashed outside of namespace_sem (stuck children getting detached +on final mntput() of lazy-umounted mount) and having an unrelated mount +removed from the hash chain while we traverse it may end up with false +negative from __lookup_mnt(). We need to sample and recheck the seqlock +component of mount_lock... + +Bug predates the introduction of path_overmount() - it had come from +the code in finish_automount() that got abstracted into that helper. + +Reviewed-by: Christian Brauner +Fixes: 26df6034fdb2 ("fix automount/automount race properly") +Fixes: 6ac392815628 ("fs: allow to mount beneath top mount") +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index c1ac585e41e36..1cb236af29bec 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -3176,18 +3176,25 @@ static int do_set_group(struct path *from_path, struct path *to_path) + * Check if path is overmounted, i.e., if there's a mount on top of + * @path->mnt with @path->dentry as mountpoint. + * +- * Context: This function expects namespace_lock() to be held. ++ * Context: namespace_sem must be held at least shared. ++ * MUST NOT be called under lock_mount_hash() (there one should just ++ * call __lookup_mnt() and check if it returns NULL). + * Return: If path is overmounted true is returned, false if not. + */ + static inline bool path_overmounted(const struct path *path) + { ++ unsigned seq = read_seqbegin(&mount_lock); ++ bool no_child; ++ + rcu_read_lock(); +- if (unlikely(__lookup_mnt(path->mnt, path->dentry))) { +- rcu_read_unlock(); +- return true; +- } ++ no_child = !__lookup_mnt(path->mnt, path->dentry); + rcu_read_unlock(); +- return false; ++ if (need_seqretry(&mount_lock, seq)) { ++ read_seqlock_excl(&mount_lock); ++ no_child = !__lookup_mnt(path->mnt, path->dentry); ++ read_sequnlock_excl(&mount_lock); ++ } ++ return unlikely(!no_child); + } + + /** +-- +2.39.5 + diff --git a/queue-6.12/pci-acpi-fix-allocated-memory-release-on-error-in-pc.patch b/queue-6.12/pci-acpi-fix-allocated-memory-release-on-error-in-pc.patch new file mode 100644 index 0000000000..9ec4edc2cc --- /dev/null +++ b/queue-6.12/pci-acpi-fix-allocated-memory-release-on-error-in-pc.patch @@ -0,0 +1,80 @@ +From bf97eef322d7af3ffa6d5ccfb1663fed37fec5cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 14:06:03 +0800 +Subject: PCI/ACPI: Fix allocated memory release on error in + pci_acpi_scan_root() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhe Qiao + +[ Upstream commit 631b2af2f35737750af284be22e63da56bf20139 ] + +In the pci_acpi_scan_root() function, when creating a PCI bus fails, +we need to free up the previously allocated memory, which can avoid +invalid memory usage and save resources. + +Fixes: 789befdfa389 ("arm64: PCI: Migrate ACPI related functions to pci-acpi.c") +Signed-off-by: Zhe Qiao +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20250430060603.381504-1-qiaozhe@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/pci/pci-acpi.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c +index af370628e5839..b78e0e4173244 100644 +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -1676,24 +1676,19 @@ struct pci_bus *pci_acpi_scan_root(struct acpi_pci_root *root) + return NULL; + + root_ops = kzalloc(sizeof(*root_ops), GFP_KERNEL); +- if (!root_ops) { +- kfree(ri); +- return NULL; +- } ++ if (!root_ops) ++ goto free_ri; + + ri->cfg = pci_acpi_setup_ecam_mapping(root); +- if (!ri->cfg) { +- kfree(ri); +- kfree(root_ops); +- return NULL; +- } ++ if (!ri->cfg) ++ goto free_root_ops; + + root_ops->release_info = pci_acpi_generic_release_info; + root_ops->prepare_resources = pci_acpi_root_prepare_resources; + root_ops->pci_ops = (struct pci_ops *)&ri->cfg->ops->pci_ops; + bus = acpi_pci_root_create(root, root_ops, &ri->common, ri->cfg); + if (!bus) +- return NULL; ++ goto free_cfg; + + /* If we must preserve the resource configuration, claim now */ + host = pci_find_host_bridge(bus); +@@ -1710,6 +1705,14 @@ struct pci_bus *pci_acpi_scan_root(struct acpi_pci_root *root) + pcie_bus_configure_settings(child); + + return bus; ++ ++free_cfg: ++ pci_ecam_free(ri->cfg); ++free_root_ops: ++ kfree(root_ops); ++free_ri: ++ kfree(ri); ++ return NULL; + } + + void pcibios_add_bus(struct pci_bus *bus) +-- +2.39.5 + diff --git a/queue-6.12/pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch b/queue-6.12/pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch new file mode 100644 index 0000000000..a6299638fc --- /dev/null +++ b/queue-6.12/pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch @@ -0,0 +1,52 @@ +From daa24734ef9e904c553ccd1608357a7c908c4a30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 10:17:11 +0100 +Subject: PCI: apple: Use gpiod_set_value_cansleep in probe flow + +From: Hector Martin + +[ Upstream commit 7334364f9de79a9a236dd0243ba574b8d2876e89 ] + +We're allowed to sleep here, so tell the GPIO core by using +gpiod_set_value_cansleep instead of gpiod_set_value. + +Fixes: 1e33888fbe44 ("PCI: apple: Add initial hardware bring-up") +Signed-off-by: Hector Martin +Signed-off-by: Alyssa Rosenzweig +Signed-off-by: Marc Zyngier +Signed-off-by: Manivannan Sadhasivam +Tested-by: Janne Grunau +Reviewed-by: Rob Herring (Arm) +Reviewed-by: Manivannan Sadhasivam +Acked-by: Alyssa Rosenzweig +Link: https://patch.msgid.link/20250401091713.2765724-12-maz@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-apple.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c +index fefab2758a064..ddc65368e77d1 100644 +--- a/drivers/pci/controller/pcie-apple.c ++++ b/drivers/pci/controller/pcie-apple.c +@@ -541,7 +541,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie, + rmw_set(PORT_APPCLK_EN, port->base + PORT_APPCLK); + + /* Assert PERST# before setting up the clock */ +- gpiod_set_value(reset, 1); ++ gpiod_set_value_cansleep(reset, 1); + + ret = apple_pcie_setup_refclk(pcie, port); + if (ret < 0) +@@ -552,7 +552,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie, + + /* Deassert PERST# */ + rmw_set(PORT_PERST_OFF, port->base + PORT_PERST); +- gpiod_set_value(reset, 0); ++ gpiod_set_value_cansleep(reset, 0); + + /* Wait for 100ms after PERST# deassertion (PCIe r5.0, 6.6.1) */ + msleep(100); +-- +2.39.5 + diff --git a/queue-6.12/pci-cadence-fix-runtime-atomic-count-underflow.patch b/queue-6.12/pci-cadence-fix-runtime-atomic-count-underflow.patch new file mode 100644 index 0000000000..b627dcdd90 --- /dev/null +++ b/queue-6.12/pci-cadence-fix-runtime-atomic-count-underflow.patch @@ -0,0 +1,53 @@ +From 0907359a099618a952ffcd0d73abd1283bac3fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Apr 2025 21:30:58 +0800 +Subject: PCI: cadence: Fix runtime atomic count underflow + +From: Hans Zhang <18255117159@163.com> + +[ Upstream commit 8805f32a96d3b97cef07999fa6f52112678f7e65 ] + +If the call to pci_host_probe() in cdns_pcie_host_setup() fails, PM +runtime count is decremented in the error path using pm_runtime_put_sync(). +But the runtime count is not incremented by this driver, but only by the +callers (cdns_plat_pcie_probe/j721e_pcie_probe). And the callers also +decrement the runtime PM count in their error path. So this leads to the +below warning from the PM core: + + "runtime PM usage count underflow!" + +So fix it by getting rid of pm_runtime_put_sync() in the error path and +directly return the errno. + +Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'") +Signed-off-by: Hans Zhang <18255117159@163.com> +Signed-off-by: Manivannan Sadhasivam +Link: https://patch.msgid.link/20250419133058.162048-1-18255117159@163.com +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c +index 8af95e9da7cec..741e10a575ec7 100644 +--- a/drivers/pci/controller/cadence/pcie-cadence-host.c ++++ b/drivers/pci/controller/cadence/pcie-cadence-host.c +@@ -570,14 +570,5 @@ int cdns_pcie_host_setup(struct cdns_pcie_rc *rc) + if (!bridge->ops) + bridge->ops = &cdns_pcie_host_ops; + +- ret = pci_host_probe(bridge); +- if (ret < 0) +- goto err_init; +- +- return 0; +- +- err_init: +- pm_runtime_put_sync(dev); +- +- return ret; ++ return pci_host_probe(bridge); + } +-- +2.39.5 + diff --git a/queue-6.12/pci-dpc-initialize-aer_err_info-before-using-it.patch b/queue-6.12/pci-dpc-initialize-aer_err_info-before-using-it.patch new file mode 100644 index 0000000000..af4ab0bd37 --- /dev/null +++ b/queue-6.12/pci-dpc-initialize-aer_err_info-before-using-it.patch @@ -0,0 +1,46 @@ +From 210a2dae059844b2425295bae93204e9ec48cae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 18:21:07 -0500 +Subject: PCI/DPC: Initialize aer_err_info before using it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjorn Helgaas + +[ Upstream commit a424b598e6a6c1e69a2bb801d6fd16e805ab2c38 ] + +Previously the struct aer_err_info "info" was allocated on the stack +without being initialized, so it contained junk except for the fields we +explicitly set later. + +Initialize "info" at declaration so it starts as all zeros. + +Fixes: 8aefa9b0d910 ("PCI/DPC: Print AER status in DPC event handling") +Signed-off-by: Bjorn Helgaas +Tested-by: Krzysztof Wilczyński +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Ilpo Järvinen +Reviewed-by: Jonathan Cameron +Link: https://patch.msgid.link/20250522232339.1525671-2-helgaas@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/dpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c +index 2b6ef7efa3c11..8096e4858553e 100644 +--- a/drivers/pci/pcie/dpc.c ++++ b/drivers/pci/pcie/dpc.c +@@ -260,7 +260,7 @@ static int dpc_get_aer_uncorrect_severity(struct pci_dev *dev, + void dpc_process_error(struct pci_dev *pdev) + { + u16 cap = pdev->dpc_cap, status, source, reason, ext_reason; +- struct aer_err_info info; ++ struct aer_err_info info = {}; + + pci_read_config_word(pdev, cap + PCI_EXP_DPC_STATUS, &status); + pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, &source); +-- +2.39.5 + diff --git a/queue-6.12/pci-dpc-log-error-source-id-only-when-valid.patch b/queue-6.12/pci-dpc-log-error-source-id-only-when-valid.patch new file mode 100644 index 0000000000..eb8496a3af --- /dev/null +++ b/queue-6.12/pci-dpc-log-error-source-id-only-when-valid.patch @@ -0,0 +1,133 @@ +From 8ace132a26ece4685ab8b0680a9ec888cdf58520 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 18:21:08 -0500 +Subject: PCI/DPC: Log Error Source ID only when valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjorn Helgaas + +[ Upstream commit a0b62cc310239c7f1323fb20bd3789f21bdd8615 ] + +DPC Error Source ID is only valid when the DPC Trigger Reason indicates +that DPC was triggered due to reception of an ERR_NONFATAL or ERR_FATAL +Message (PCIe r6.0, sec 7.9.14.5). + +When DPC was triggered by ERR_NONFATAL (PCI_EXP_DPC_STATUS_TRIGGER_RSN_NFE) +or ERR_FATAL (PCI_EXP_DPC_STATUS_TRIGGER_RSN_FE) from a downstream device, +log the Error Source ID (decoded into domain/bus/device/function). Don't +print the source otherwise, since it's not valid. + +For DPC trigger due to reception of ERR_NONFATAL or ERR_FATAL, the dmesg +logging changes: + + - pci 0000:00:01.0: DPC: containment event, status:0x000d source:0x0200 + - pci 0000:00:01.0: DPC: ERR_FATAL detected + + pci 0000:00:01.0: DPC: containment event, status:0x000d, ERR_FATAL received from 0000:02:00.0 + +and when DPC triggered for other reasons, where DPC Error Source ID is +undefined, e.g., unmasked uncorrectable error: + + - pci 0000:00:01.0: DPC: containment event, status:0x0009 source:0x0200 + - pci 0000:00:01.0: DPC: unmasked uncorrectable error detected + + pci 0000:00:01.0: DPC: containment event, status:0x0009: unmasked uncorrectable error detected + +Previously the "containment event" message was at KERN_INFO and the +"%s detected" message was at KERN_WARNING. Now the single message is at +KERN_WARNING. + +Fixes: 26e515713342 ("PCI: Add Downstream Port Containment driver") +Signed-off-by: Bjorn Helgaas +Tested-by: Krzysztof Wilczyński +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Jonathan Cameron +Reviewed-by: Ilpo Järvinen +Link: https://patch.msgid.link/20250522232339.1525671-3-helgaas@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/dpc.c | 66 +++++++++++++++++++++++------------------- + 1 file changed, 37 insertions(+), 29 deletions(-) + +diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c +index 8096e4858553e..cdc54315d879f 100644 +--- a/drivers/pci/pcie/dpc.c ++++ b/drivers/pci/pcie/dpc.c +@@ -263,37 +263,45 @@ void dpc_process_error(struct pci_dev *pdev) + struct aer_err_info info = {}; + + pci_read_config_word(pdev, cap + PCI_EXP_DPC_STATUS, &status); +- pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, &source); +- +- pci_info(pdev, "containment event, status:%#06x source:%#06x\n", +- status, source); + + reason = status & PCI_EXP_DPC_STATUS_TRIGGER_RSN; +- ext_reason = status & PCI_EXP_DPC_STATUS_TRIGGER_RSN_EXT; +- pci_warn(pdev, "%s detected\n", +- (reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_UNCOR) ? +- "unmasked uncorrectable error" : +- (reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_NFE) ? +- "ERR_NONFATAL" : +- (reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_FE) ? +- "ERR_FATAL" : +- (ext_reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_RP_PIO) ? +- "RP PIO error" : +- (ext_reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_SW_TRIGGER) ? +- "software trigger" : +- "reserved error"); +- +- /* show RP PIO error detail information */ +- if (pdev->dpc_rp_extensions && +- reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_IN_EXT && +- ext_reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_RP_PIO) +- dpc_process_rp_pio_error(pdev); +- else if (reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_UNCOR && +- dpc_get_aer_uncorrect_severity(pdev, &info) && +- aer_get_device_error_info(pdev, &info)) { +- aer_print_error(pdev, &info); +- pci_aer_clear_nonfatal_status(pdev); +- pci_aer_clear_fatal_status(pdev); ++ ++ switch (reason) { ++ case PCI_EXP_DPC_STATUS_TRIGGER_RSN_UNCOR: ++ pci_warn(pdev, "containment event, status:%#06x: unmasked uncorrectable error detected\n", ++ status); ++ if (dpc_get_aer_uncorrect_severity(pdev, &info) && ++ aer_get_device_error_info(pdev, &info)) { ++ aer_print_error(pdev, &info); ++ pci_aer_clear_nonfatal_status(pdev); ++ pci_aer_clear_fatal_status(pdev); ++ } ++ break; ++ case PCI_EXP_DPC_STATUS_TRIGGER_RSN_NFE: ++ case PCI_EXP_DPC_STATUS_TRIGGER_RSN_FE: ++ pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, ++ &source); ++ pci_warn(pdev, "containment event, status:%#06x, %s received from %04x:%02x:%02x.%d\n", ++ status, ++ (reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_FE) ? ++ "ERR_FATAL" : "ERR_NONFATAL", ++ pci_domain_nr(pdev->bus), PCI_BUS_NUM(source), ++ PCI_SLOT(source), PCI_FUNC(source)); ++ break; ++ case PCI_EXP_DPC_STATUS_TRIGGER_RSN_IN_EXT: ++ ext_reason = status & PCI_EXP_DPC_STATUS_TRIGGER_RSN_EXT; ++ pci_warn(pdev, "containment event, status:%#06x: %s detected\n", ++ status, ++ (ext_reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_RP_PIO) ? ++ "RP PIO error" : ++ (ext_reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_SW_TRIGGER) ? ++ "software trigger" : ++ "reserved error"); ++ /* show RP PIO error detail information */ ++ if (ext_reason == PCI_EXP_DPC_STATUS_TRIGGER_RSN_RP_PIO && ++ pdev->dpc_rp_extensions) ++ dpc_process_rp_pio_error(pdev); ++ break; + } + } + +-- +2.39.5 + diff --git a/queue-6.12/pci-endpoint-retain-fixed-size-bar-size-as-well-as-a.patch b/queue-6.12/pci-endpoint-retain-fixed-size-bar-size-as-well-as-a.patch new file mode 100644 index 0000000000..7011d78dba --- /dev/null +++ b/queue-6.12/pci-endpoint-retain-fixed-size-bar-size-as-well-as-a.patch @@ -0,0 +1,126 @@ +From 6d569094b1f073a34c1006cf3c0ccfa3da77ce73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 10:34:04 +0200 +Subject: PCI: endpoint: Retain fixed-size BAR size as well as aligned size + +From: Jerome Brunet + +[ Upstream commit 793908d60b8745c386b9f4e29eb702f74ceb0886 ] + +When allocating space for an endpoint function on a BAR with a fixed size, +the size saved in 'struct pci_epf_bar.size' should be the fixed size as +expected by pci_epc_set_bar(). + +However, if pci_epf_alloc_space() increased the allocation size to +accommodate iATU alignment requirements, it previously saved the larger +aligned size in .size, which broke pci_epc_set_bar(). + +To solve this, keep the fixed BAR size in .size and save the aligned size +in a new .aligned_size for use when deallocating it. + +Fixes: 2a9a801620ef ("PCI: endpoint: Add support to specify alignment for buffers allocated to BARs") +Signed-off-by: Jerome Brunet +[mani: commit message fixup] +Signed-off-by: Manivannan Sadhasivam +[bhelgaas: more specific subject, commit log, wrap comment to match file] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Niklas Cassel +Link: https://patch.msgid.link/20250424-pci-ep-size-alignment-v5-1-2d4ec2af23f5@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/pci-epf-core.c | 22 +++++++++++++++------- + include/linux/pci-epf.h | 3 +++ + 2 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c +index 50bc2892a36c5..963d2f3aa5d47 100644 +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -236,12 +236,13 @@ void pci_epf_free_space(struct pci_epf *epf, void *addr, enum pci_barno bar, + } + + dev = epc->dev.parent; +- dma_free_coherent(dev, epf_bar[bar].size, addr, ++ dma_free_coherent(dev, epf_bar[bar].aligned_size, addr, + epf_bar[bar].phys_addr); + + epf_bar[bar].phys_addr = 0; + epf_bar[bar].addr = NULL; + epf_bar[bar].size = 0; ++ epf_bar[bar].aligned_size = 0; + epf_bar[bar].barno = 0; + epf_bar[bar].flags = 0; + } +@@ -264,7 +265,7 @@ void *pci_epf_alloc_space(struct pci_epf *epf, size_t size, enum pci_barno bar, + enum pci_epc_interface_type type) + { + u64 bar_fixed_size = epc_features->bar[bar].fixed_size; +- size_t align = epc_features->align; ++ size_t aligned_size, align = epc_features->align; + struct pci_epf_bar *epf_bar; + dma_addr_t phys_addr; + struct pci_epc *epc; +@@ -281,12 +282,18 @@ void *pci_epf_alloc_space(struct pci_epf *epf, size_t size, enum pci_barno bar, + return NULL; + } + size = bar_fixed_size; ++ } else { ++ /* BAR size must be power of two */ ++ size = roundup_pow_of_two(size); + } + +- if (align) +- size = ALIGN(size, align); +- else +- size = roundup_pow_of_two(size); ++ /* ++ * Allocate enough memory to accommodate the iATU alignment ++ * requirement. In most cases, this will be the same as .size but ++ * it might be different if, for example, the fixed size of a BAR ++ * is smaller than align. ++ */ ++ aligned_size = align ? ALIGN(size, align) : size; + + if (type == PRIMARY_INTERFACE) { + epc = epf->epc; +@@ -297,7 +304,7 @@ void *pci_epf_alloc_space(struct pci_epf *epf, size_t size, enum pci_barno bar, + } + + dev = epc->dev.parent; +- space = dma_alloc_coherent(dev, size, &phys_addr, GFP_KERNEL); ++ space = dma_alloc_coherent(dev, aligned_size, &phys_addr, GFP_KERNEL); + if (!space) { + dev_err(dev, "failed to allocate mem space\n"); + return NULL; +@@ -306,6 +313,7 @@ void *pci_epf_alloc_space(struct pci_epf *epf, size_t size, enum pci_barno bar, + epf_bar[bar].phys_addr = phys_addr; + epf_bar[bar].addr = space; + epf_bar[bar].size = size; ++ epf_bar[bar].aligned_size = aligned_size; + epf_bar[bar].barno = bar; + if (upper_32_bits(size) || epc_features->bar[bar].only_64bit) + epf_bar[bar].flags |= PCI_BASE_ADDRESS_MEM_TYPE_64; +diff --git a/include/linux/pci-epf.h b/include/linux/pci-epf.h +index 18a3aeb62ae4e..cd6f8f4bc4540 100644 +--- a/include/linux/pci-epf.h ++++ b/include/linux/pci-epf.h +@@ -114,6 +114,8 @@ struct pci_epf_driver { + * @phys_addr: physical address that should be mapped to the BAR + * @addr: virtual address corresponding to the @phys_addr + * @size: the size of the address space present in BAR ++ * @aligned_size: the size actually allocated to accommodate the iATU alignment ++ * requirement + * @barno: BAR number + * @flags: flags that are set for the BAR + */ +@@ -121,6 +123,7 @@ struct pci_epf_bar { + dma_addr_t phys_addr; + void *addr; + size_t size; ++ size_t aligned_size; + enum pci_barno barno; + int flags; + }; +-- +2.39.5 + diff --git a/queue-6.12/pci-explicitly-put-devices-into-d0-when-initializing.patch b/queue-6.12/pci-explicitly-put-devices-into-d0-when-initializing.patch new file mode 100644 index 0000000000..300cbc0362 --- /dev/null +++ b/queue-6.12/pci-explicitly-put-devices-into-d0-when-initializing.patch @@ -0,0 +1,108 @@ +From 738fdb3f3df44bafcb5c26d5725164f26679d196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 23:31:32 -0500 +Subject: PCI: Explicitly put devices into D0 when initializing + +From: Mario Limonciello + +[ Upstream commit 4d4c10f763d7808fbade28d83d237411603bca05 ] + +AMD BIOS team has root caused an issue that NVMe storage failed to come +back from suspend to a lack of a call to _REG when NVMe device was probed. + +112a7f9c8edbf ("PCI/ACPI: Call _REG when transitioning D-states") added +support for calling _REG when transitioning D-states, but this only works +if the device actually "transitions" D-states. + +967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices") +added support for runtime PM on PCI devices, but never actually +'explicitly' sets the device to D0. + +To make sure that devices are in D0 and that platform methods such as +_REG are called, explicitly set all devices into D0 during initialization. + +Fixes: 967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices") +Signed-off-by: Mario Limonciello +Signed-off-by: Bjorn Helgaas +Tested-by: Denis Benato +Tested-By: Yijun Shen +Tested-By: David Perry +Reviewed-by: Rafael J. Wysocki +Link: https://patch.msgid.link/20250424043232.1848107-1-superm1@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/pci-driver.c | 6 ------ + drivers/pci/pci.c | 13 ++++++++++--- + drivers/pci/pci.h | 1 + + 3 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c +index 35270172c8331..a90990157e0b7 100644 +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -555,12 +555,6 @@ static void pci_pm_default_resume(struct pci_dev *pci_dev) + pci_enable_wake(pci_dev, PCI_D0, false); + } + +-static void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev) +-{ +- pci_power_up(pci_dev); +- pci_update_current_state(pci_dev, PCI_D0); +-} +- + static void pci_pm_default_resume_early(struct pci_dev *pci_dev) + { + pci_pm_power_up_and_verify_state(pci_dev); +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 7ca5422feb2d4..1a6639dbe81b3 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -3185,6 +3185,12 @@ void pci_d3cold_disable(struct pci_dev *dev) + } + EXPORT_SYMBOL_GPL(pci_d3cold_disable); + ++void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev) ++{ ++ pci_power_up(pci_dev); ++ pci_update_current_state(pci_dev, PCI_D0); ++} ++ + /** + * pci_pm_init - Initialize PM functions of given PCI device + * @dev: PCI device to handle. +@@ -3195,9 +3201,6 @@ void pci_pm_init(struct pci_dev *dev) + u16 status; + u16 pmc; + +- pm_runtime_forbid(&dev->dev); +- pm_runtime_set_active(&dev->dev); +- pm_runtime_enable(&dev->dev); + device_enable_async_suspend(&dev->dev); + dev->wakeup_prepared = false; + +@@ -3259,6 +3262,10 @@ void pci_pm_init(struct pci_dev *dev) + pci_read_config_word(dev, PCI_STATUS, &status); + if (status & PCI_STATUS_IMM_READY) + dev->imm_ready = 1; ++ pci_pm_power_up_and_verify_state(dev); ++ pm_runtime_forbid(&dev->dev); ++ pm_runtime_set_active(&dev->dev); ++ pm_runtime_enable(&dev->dev); + } + + static unsigned long pci_ea_flags(struct pci_dev *dev, u8 prop) +diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h +index 65df6d2ac0032..c1a5874eeb6cf 100644 +--- a/drivers/pci/pci.h ++++ b/drivers/pci/pci.h +@@ -146,6 +146,7 @@ void pci_dev_adjust_pme(struct pci_dev *dev); + void pci_dev_complete_resume(struct pci_dev *pci_dev); + void pci_config_pm_runtime_get(struct pci_dev *dev); + void pci_config_pm_runtime_put(struct pci_dev *dev); ++void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev); + void pci_pm_init(struct pci_dev *dev); + void pci_ea_init(struct pci_dev *dev); + void pci_msi_init(struct pci_dev *dev); +-- +2.39.5 + diff --git a/queue-6.12/pci-print-the-actual-delay-time-in-pci_bridge_wait_f.patch b/queue-6.12/pci-print-the-actual-delay-time-in-pci_bridge_wait_f.patch new file mode 100644 index 0000000000..80d54395be --- /dev/null +++ b/queue-6.12/pci-print-the-actual-delay-time-in-pci_bridge_wait_f.patch @@ -0,0 +1,45 @@ +From 5951b8285b89c60ac4df07c294be4c13fe500acc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 10:15:06 +1000 +Subject: PCI: Print the actual delay time in + pci_bridge_wait_for_secondary_bus() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wilfred Mallawa + +[ Upstream commit d24eba726aadf8778f2907dd42281c6380b0ccaa ] + +Print the delay amount that pcie_wait_for_link_delay() is invoked with +instead of the hardcoded 1000ms value in the debug info print. + +Fixes: 7b3ba09febf4 ("PCI/PM: Shorten pci_bridge_wait_for_secondary_bus() wait time for slow links") +Signed-off-by: Wilfred Mallawa +Signed-off-by: Bjorn Helgaas +Reviewed-by: Damien Le Moal +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Mika Westerberg +Reviewed-by: Ilpo Järvinen +Link: https://patch.msgid.link/20250414001505.21243-2-wilfred.opensource@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 25c07af1686b9..7ca5422feb2d4 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -4945,7 +4945,7 @@ int pci_bridge_wait_for_secondary_bus(struct pci_dev *dev, char *reset_type) + delay); + if (!pcie_wait_for_link_delay(dev, true, delay)) { + /* Did not train, no need to wait any further */ +- pci_info(dev, "Data Link Layer Link Active not set in 1000 msec\n"); ++ pci_info(dev, "Data Link Layer Link Active not set in %d msec\n", delay); + return -ENOTTY; + } + +-- +2.39.5 + diff --git a/queue-6.12/pci-rcar-gen4-set-ep-bar4-fixed-size.patch b/queue-6.12/pci-rcar-gen4-set-ep-bar4-fixed-size.patch new file mode 100644 index 0000000000..c3d407c0a9 --- /dev/null +++ b/queue-6.12/pci-rcar-gen4-set-ep-bar4-fixed-size.patch @@ -0,0 +1,37 @@ +From 9f1771d54c6bd3784cbc145948bcef1cb51fac9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 15:30:44 +0100 +Subject: PCI: rcar-gen4: set ep BAR4 fixed size + +From: Jerome Brunet + +[ Upstream commit b584ab12d59f646b9254b2b16ff197d612fd4935 ] + +On rcar-gen4, the ep BAR4 has a fixed size of 256B. Document this +constraint in the epc features of the platform. + +Fixes: e311b3834dfa ("PCI: rcar-gen4: Add endpoint mode support") +Signed-off-by: Jerome Brunet +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Manivannan Sadhasivam +Link: https://patch.msgid.link/20250328-rcar-gen4-bar4-v1-1-10bb6ce9ee7f@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-rcar-gen4.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/controller/dwc/pcie-rcar-gen4.c b/drivers/pci/controller/dwc/pcie-rcar-gen4.c +index 3a5511c3f7d97..5d77a01648606 100644 +--- a/drivers/pci/controller/dwc/pcie-rcar-gen4.c ++++ b/drivers/pci/controller/dwc/pcie-rcar-gen4.c +@@ -403,6 +403,7 @@ static const struct pci_epc_features rcar_gen4_pcie_epc_features = { + .msix_capable = false, + .bar[BAR_1] = { .type = BAR_RESERVED, }, + .bar[BAR_3] = { .type = BAR_RESERVED, }, ++ .bar[BAR_4] = { .type = BAR_FIXED, .fixed_size = 256 }, + .bar[BAR_5] = { .type = BAR_RESERVED, }, + .align = SZ_1M, + }; +-- +2.39.5 + diff --git a/queue-6.12/perf-amlogic-replace-smp_processor_id-with-raw_smp_p.patch b/queue-6.12/perf-amlogic-replace-smp_processor_id-with-raw_smp_p.patch new file mode 100644 index 0000000000..1609632218 --- /dev/null +++ b/queue-6.12/perf-amlogic-replace-smp_processor_id-with-raw_smp_p.patch @@ -0,0 +1,80 @@ +From 3b9d391654cbe85a14673d77541e8a97e7fdc97c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 12:02:03 +0530 +Subject: perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() + in meson_ddr_pmu_create() + +From: Anand Moon + +[ Upstream commit 097469a2b0f12b91b4f27b9e9e4f2c46484cde30 ] + +The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses +smp_processor_id(), which assumes disabled preemption. This leads to kernel +warnings during module loading because meson_ddr_pmu_create() can be called +in a preemptible context. + +Following kernel warning and stack trace: +[ 31.745138] [ T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289 +[ 31.745154] [ T2289] caller is debug_smp_processor_id+0x28/0x38 +[ 31.745172] [ T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0 +[ 31.745181] [ T2289] Tainted: [W]=WARN +[ 31.745183] [ T2289] Hardware name: Hardkernel ODROID-N2Plus (DT) +[ 31.745188] [ T2289] Call trace: +[ 31.745191] [ T2289] show_stack+0x28/0x40 (C) +[ 31.745199] [ T2289] dump_stack_lvl+0x4c/0x198 +[ 31.745205] [ T2289] dump_stack+0x20/0x50 +[ 31.745209] [ T2289] check_preemption_disabled+0xec/0xf0 +[ 31.745213] [ T2289] debug_smp_processor_id+0x28/0x38 +[ 31.745216] [ T2289] meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] +[ 31.745237] [ T2289] g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] +[ 31.745246] [ T2289] platform_probe+0x98/0xe0 +[ 31.745254] [ T2289] really_probe+0x144/0x3f8 +[ 31.745258] [ T2289] __driver_probe_device+0xb8/0x180 +[ 31.745261] [ T2289] driver_probe_device+0x54/0x268 +[ 31.745264] [ T2289] __driver_attach+0x11c/0x288 +[ 31.745267] [ T2289] bus_for_each_dev+0xfc/0x160 +[ 31.745274] [ T2289] driver_attach+0x34/0x50 +[ 31.745277] [ T2289] bus_add_driver+0x160/0x2b0 +[ 31.745281] [ T2289] driver_register+0x78/0x120 +[ 31.745285] [ T2289] __platform_driver_register+0x30/0x48 +[ 31.745288] [ T2289] init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] +[ 31.745298] [ T2289] do_one_initcall+0x11c/0x438 +[ 31.745303] [ T2289] do_init_module+0x68/0x228 +[ 31.745311] [ T2289] load_module+0x118c/0x13a8 +[ 31.745315] [ T2289] __arm64_sys_finit_module+0x274/0x390 +[ 31.745320] [ T2289] invoke_syscall+0x74/0x108 +[ 31.745326] [ T2289] el0_svc_common+0x90/0xf8 +[ 31.745330] [ T2289] do_el0_svc+0x2c/0x48 +[ 31.745333] [ T2289] el0_svc+0x60/0x150 +[ 31.745337] [ T2289] el0t_64_sync_handler+0x80/0x118 +[ 31.745341] [ T2289] el0t_64_sync+0x1b8/0x1c0 + +Changes replaces smp_processor_id() with raw_smp_processor_id() to +ensure safe CPU ID retrieval in preemptible contexts. + +Cc: Jiucheng Xu +Fixes: 2016e2113d35 ("perf/amlogic: Add support for Amlogic meson G12 SoC DDR PMU driver") +Signed-off-by: Anand Moon +Link: https://lore.kernel.org/r/20250407063206.5211-1-linux.amoon@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/amlogic/meson_ddr_pmu_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/amlogic/meson_ddr_pmu_core.c b/drivers/perf/amlogic/meson_ddr_pmu_core.c +index 07446d784a1a6..c1e755c356a33 100644 +--- a/drivers/perf/amlogic/meson_ddr_pmu_core.c ++++ b/drivers/perf/amlogic/meson_ddr_pmu_core.c +@@ -511,7 +511,7 @@ int meson_ddr_pmu_create(struct platform_device *pdev) + + fmt_attr_fill(pmu->info.hw_info->fmt_attr); + +- pmu->cpu = smp_processor_id(); ++ pmu->cpu = raw_smp_processor_id(); + + name = devm_kasprintf(&pdev->dev, GFP_KERNEL, DDR_PERF_DEV_NAME); + if (!name) +-- +2.39.5 + diff --git a/queue-6.12/perf-arm-ni-fix-missing-platform_set_drvdata.patch b/queue-6.12/perf-arm-ni-fix-missing-platform_set_drvdata.patch new file mode 100644 index 0000000000..c044fa70b2 --- /dev/null +++ b/queue-6.12/perf-arm-ni-fix-missing-platform_set_drvdata.patch @@ -0,0 +1,37 @@ +From 4b2896f1b7e61b0185d382c3302f6dadb8aabe89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 13:42:48 +0800 +Subject: perf: arm-ni: Fix missing platform_set_drvdata() + +From: Hongbo Yao + +[ Upstream commit fc5106088d6db75df61308ef6de314d1f7959646 ] + +Add missing platform_set_drvdata in arm_ni_probe(), otherwise +calling platform_get_drvdata() in remove returns NULL. + +Fixes: 4d5a7680f2b4 ("perf: Add driver for Arm NI-700 interconnect PMU") +Signed-off-by: Hongbo Yao +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20250401054248.3985814-1-andy.xu@hj-micro.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-ni.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/perf/arm-ni.c b/drivers/perf/arm-ni.c +index 3f3d2e0f91fa7..b87d3a9ba7d54 100644 +--- a/drivers/perf/arm-ni.c ++++ b/drivers/perf/arm-ni.c +@@ -661,6 +661,7 @@ static int arm_ni_probe(struct platform_device *pdev) + ni->num_cds = num_cds; + ni->part = part; + ni->id = atomic_fetch_inc(&id); ++ platform_set_drvdata(pdev, ni); + + for (int v = 0; v < cfg.num_components; v++) { + reg = readl_relaxed(cfg.base + NI_CHILD_PTR(v)); +-- +2.39.5 + diff --git a/queue-6.12/perf-arm-ni-unregister-pmus-on-probe-failure.patch b/queue-6.12/perf-arm-ni-unregister-pmus-on-probe-failure.patch new file mode 100644 index 0000000000..4d0cef9510 --- /dev/null +++ b/queue-6.12/perf-arm-ni-unregister-pmus-on-probe-failure.patch @@ -0,0 +1,119 @@ +From bd2b8ed76f57a041c4f245154240f858b9c0cda9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 15:09:18 +0800 +Subject: perf: arm-ni: Unregister PMUs on probe failure + +From: Hongbo Yao + +[ Upstream commit 7f57afde6a44d9e044885e1125034edd4fda02e8 ] + +When a resource allocation fails in one clock domain of an NI device, +we need to properly roll back all previously registered perf PMUs in +other clock domains of the same device. + +Otherwise, it can lead to kernel panics. + +Calling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374 +arm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000 +arm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16 +list_add corruption: next->prev should be prev (fffffd01e9698a18), +but was 0000000000000000. (next=ffff10001a0decc8). +pstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) +pc : list_add_valid_or_report+0x7c/0xb8 +lr : list_add_valid_or_report+0x7c/0xb8 +Call trace: + __list_add_valid_or_report+0x7c/0xb8 + perf_pmu_register+0x22c/0x3a0 + arm_ni_probe+0x554/0x70c [arm_ni] + platform_probe+0x70/0xe8 + really_probe+0xc6/0x4d8 + driver_probe_device+0x48/0x170 + __driver_attach+0x8e/0x1c0 + bus_for_each_dev+0x64/0xf0 + driver_add+0x138/0x260 + bus_add_driver+0x68/0x138 + __platform_driver_register+0x2c/0x40 + arm_ni_init+0x14/0x2a [arm_ni] + do_init_module+0x36/0x298 +---[ end trace 0000000000000000 ]--- +Kernel panic - not syncing: Oops - BUG: Fatal exception +SMP: stopping secondary CPUs + +Fixes: 4d5a7680f2b4 ("perf: Add driver for Arm NI-700 interconnect PMU") +Signed-off-by: Hongbo Yao +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20250403070918.4153839-1-andy.xu@hj-micro.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-ni.c | 39 +++++++++++++++++++++------------------ + 1 file changed, 21 insertions(+), 18 deletions(-) + +diff --git a/drivers/perf/arm-ni.c b/drivers/perf/arm-ni.c +index 90fcfe693439e..3f3d2e0f91fa7 100644 +--- a/drivers/perf/arm-ni.c ++++ b/drivers/perf/arm-ni.c +@@ -576,6 +576,23 @@ static int arm_ni_init_cd(struct arm_ni *ni, struct arm_ni_node *node, u64 res_s + return err; + } + ++static void arm_ni_remove(struct platform_device *pdev) ++{ ++ struct arm_ni *ni = platform_get_drvdata(pdev); ++ ++ for (int i = 0; i < ni->num_cds; i++) { ++ struct arm_ni_cd *cd = ni->cds + i; ++ ++ if (!cd->pmu_base) ++ continue; ++ ++ writel_relaxed(0, cd->pmu_base + NI_PMCR); ++ writel_relaxed(U32_MAX, cd->pmu_base + NI_PMINTENCLR); ++ perf_pmu_unregister(&cd->pmu); ++ cpuhp_state_remove_instance_nocalls(arm_ni_hp_state, &cd->cpuhp_node); ++ } ++} ++ + static void arm_ni_probe_domain(void __iomem *base, struct arm_ni_node *node) + { + u32 reg = readl_relaxed(base + NI_NODE_TYPE); +@@ -657,8 +674,11 @@ static int arm_ni_probe(struct platform_device *pdev) + reg = readl_relaxed(pd.base + NI_CHILD_PTR(c)); + arm_ni_probe_domain(base + reg, &cd); + ret = arm_ni_init_cd(ni, &cd, res->start); +- if (ret) ++ if (ret) { ++ ni->cds[cd.id].pmu_base = NULL; ++ arm_ni_remove(pdev); + return ret; ++ } + } + } + } +@@ -666,23 +686,6 @@ static int arm_ni_probe(struct platform_device *pdev) + return 0; + } + +-static void arm_ni_remove(struct platform_device *pdev) +-{ +- struct arm_ni *ni = platform_get_drvdata(pdev); +- +- for (int i = 0; i < ni->num_cds; i++) { +- struct arm_ni_cd *cd = ni->cds + i; +- +- if (!cd->pmu_base) +- continue; +- +- writel_relaxed(0, cd->pmu_base + NI_PMCR); +- writel_relaxed(U32_MAX, cd->pmu_base + NI_PMINTENCLR); +- perf_pmu_unregister(&cd->pmu); +- cpuhp_state_remove_instance_nocalls(arm_ni_hp_state, &cd->cpuhp_node); +- } +-} +- + #ifdef CONFIG_OF + static const struct of_device_id arm_ni_of_match[] = { + { .compatible = "arm,ni-700" }, +-- +2.39.5 + diff --git a/queue-6.12/perf-build-warn-when-libdebuginfod-devel-files-are-n.patch b/queue-6.12/perf-build-warn-when-libdebuginfod-devel-files-are-n.patch new file mode 100644 index 0000000000..6c99b3df18 --- /dev/null +++ b/queue-6.12/perf-build-warn-when-libdebuginfod-devel-files-are-n.patch @@ -0,0 +1,111 @@ +From 9d46c464bac6526f24bd3fc1ebdc4fabe0729177 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 11:37:20 -0300 +Subject: perf build: Warn when libdebuginfod devel files are not available + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 4fce4b91fd1aabb326c46e237eb4b19ab72598f8 ] + +While working on 'perf version --build-options' I noticed that: + + $ perf version --build-options + perf version 6.15.rc1.g312a07a00d31 + aio: [ on ] # HAVE_AIO_SUPPORT + bpf: [ on ] # HAVE_LIBBPF_SUPPORT + bpf_skeletons: [ on ] # HAVE_BPF_SKEL + debuginfod: [ OFF ] # HAVE_DEBUGINFOD_SUPPORT + + +And looking at tools/perf/Makefile.config I also noticed that it is not +opt-in, meaning we will attempt to build with it in all normal cases. + +So add the usual warning at build time to let the user know that +something recommended is missing, now we see: + + Makefile.config:563: No elfutils/debuginfod.h found, no debuginfo server support, please install elfutils-debuginfod-client-devel or equivalent + +And after following the recommendation: + + $ perf check feature debuginfod + debuginfod: [ on ] # HAVE_DEBUGINFOD_SUPPORT + $ ldd ~/bin/perf | grep debuginfo + libdebuginfod.so.1 => /lib64/libdebuginfod.so.1 (0x00007fee5cf5f000) + $ + +With this feature on several perf tools will fetch what is needed and +not require all the contents of the debuginfo packages, for instance: + + # rpm -qa | grep kernel-debuginfo + # pahole --running_kernel_vmlinux + pahole: couldn't find a vmlinux that matches the running kernel + HINT: Maybe you're inside a container or missing a debuginfo package? + # + # perf trace -e open* perf probe --vars icmp_rcv + 0.000 ( 0.005 ms): perf/97391 openat(dfd: CWD, filename: "/etc/ld.so.cache", flags: RDONLY|CLOEXEC) = 3 + 0.014 ( 0.004 ms): perf/97391 openat(dfd: CWD, filename: "/lib64/libm.so.6", flags: RDONLY|CLOEXEC) = 3 + + 32130.100 ( 0.008 ms): perf/97391 openat(dfd: CWD, filename: "/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo") = 3 + + Available variables at icmp_rcv + @ + struct sk_buff* skb + + # + # pahole --running_kernel_vmlinux + /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + # file /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=aa3c82b4a13f9c0e0301bebb20fe958c4db6f362, with debug_info, not stripped + # ls -la /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + -r--------. 1 root root 475401512 Mar 27 21:00 /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + # + +Then, cached: + + # perf stat --null perf probe --vars icmp_rcv + Available variables at icmp_rcv + @ + struct sk_buff* skb + + Performance counter stats for 'perf probe --vars icmp_rcv': + + 0.671389041 seconds time elapsed + + 0.519176000 seconds user + 0.150860000 seconds sys + +Fixes: c7a14fdcb3fa7736 ("perf build-ids: Fall back to debuginfod query if debuginfo not found") +Tested-by: Ingo Molnar +Cc: Adrian Hunter +Cc: Dmitriy Vyukov +Cc: Howard Chu +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Frank Ch. Eigler +Link: https://lore.kernel.org/r/Z_dkNDj9EPFwPqq1@gmail.com +[ Folded patch from Ingo to have the debian/ubuntu devel package added build warning message ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index b102a4c525e4b..a2034fa183254 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -569,6 +569,8 @@ ifndef NO_LIBELF + ifeq ($(feature-libdebuginfod), 1) + CFLAGS += -DHAVE_DEBUGINFOD_SUPPORT + EXTLIBS += -ldebuginfod ++ else ++ $(warning No elfutils/debuginfod.h found, no debuginfo server support, please install libdebuginfod-dev/elfutils-debuginfod-client-devel or equivalent) + endif + endif + +-- +2.39.5 + diff --git a/queue-6.12/perf-callchain-always-populate-the-addr_location-map.patch b/queue-6.12/perf-callchain-always-populate-the-addr_location-map.patch new file mode 100644 index 0000000000..227efb69f0 --- /dev/null +++ b/queue-6.12/perf-callchain-always-populate-the-addr_location-map.patch @@ -0,0 +1,147 @@ +From 60904a67bf571b4b5c8796cec29fab4370110182 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 21:39:37 -0700 +Subject: perf callchain: Always populate the addr_location map when adding IP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ian Rogers + +[ Upstream commit a913ef6fd883c05bd6538ed21ee1e773f0d750b7 ] + +Dropping symbols also meant the callchain maps wasn't populated, but +the callchain map is needed to find the DSO. + +Plumb the symbols option better, falling back to thread__find_map() +rather than thread__find_symbol() when symbols are disabled. + +Fixes: 02b2705017d2e5ad ("perf callchain: Allow symbols to be optional when resolving a callchain") +Signed-off-by: Ian Rogers +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Athira Rajeev +Cc: Ben Gainey +Cc: Chaitanya S Prakash +Cc: Charlie Jenkins +Cc: Chun-Tse Shao +Cc: Colin Ian King +Cc: Dmitriy Vyukov +Cc: Dr. David Alan Gilbert +Cc: Graham Woodward +Cc: Howard Chu +Cc: Ilkka Koskinen +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: John Garry +Cc: Kajol Jain +Cc: Kan Liang +Cc: Krzysztof Łopatowski +Cc: Leo Yan +Cc: Levi Yun +Cc: Li Huafei +Cc: linux-arm-kernel@lists.infradead.org +Cc: Mark Rutland +Cc: Martin LiÅ¡ka +Cc: Masami Hiramatsu +Cc: Matt Fleming +Cc: Mike Leach +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Ravi Bangoria +Cc: Song Liu +Cc: Steinar H. Gunderson +Cc: Stephen Brennan +Cc: Steve Clevenger +Cc: Thomas Falcon +Cc: Veronika Molnarova +Cc: Weilin Wang +Cc: Will Deacon +Cc: Yicong Yang +Cc: Yujie Liu +Cc: Zhongqiu Han +Cc: Zixian Cai +Link: https://lore.kernel.org/r/20250529044000.759937-2-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/machine.c | 6 ++++-- + tools/perf/util/thread.c | 8 ++++++-- + tools/perf/util/thread.h | 2 +- + 3 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c +index 9be2f4479f525..20fd742984e3c 100644 +--- a/tools/perf/util/machine.c ++++ b/tools/perf/util/machine.c +@@ -1974,7 +1974,7 @@ static void ip__resolve_ams(struct thread *thread, + * Thus, we have to try consecutively until we find a match + * or else, the symbol is unknown + */ +- thread__find_cpumode_addr_location(thread, ip, &al); ++ thread__find_cpumode_addr_location(thread, ip, /*symbols=*/true, &al); + + ams->addr = ip; + ams->al_addr = al.addr; +@@ -2076,7 +2076,7 @@ static int add_callchain_ip(struct thread *thread, + al.sym = NULL; + al.srcline = NULL; + if (!cpumode) { +- thread__find_cpumode_addr_location(thread, ip, &al); ++ thread__find_cpumode_addr_location(thread, ip, symbols, &al); + } else { + if (ip >= PERF_CONTEXT_MAX) { + switch (ip) { +@@ -2104,6 +2104,8 @@ static int add_callchain_ip(struct thread *thread, + } + if (symbols) + thread__find_symbol(thread, *cpumode, ip, &al); ++ else ++ thread__find_map(thread, *cpumode, ip, &al); + } + + if (al.sym != NULL) { +diff --git a/tools/perf/util/thread.c b/tools/perf/util/thread.c +index 0ffdd52d86d70..309d573eac9a9 100644 +--- a/tools/perf/util/thread.c ++++ b/tools/perf/util/thread.c +@@ -406,7 +406,7 @@ int thread__fork(struct thread *thread, struct thread *parent, u64 timestamp, bo + } + + void thread__find_cpumode_addr_location(struct thread *thread, u64 addr, +- struct addr_location *al) ++ bool symbols, struct addr_location *al) + { + size_t i; + const u8 cpumodes[] = { +@@ -417,7 +417,11 @@ void thread__find_cpumode_addr_location(struct thread *thread, u64 addr, + }; + + for (i = 0; i < ARRAY_SIZE(cpumodes); i++) { +- thread__find_symbol(thread, cpumodes[i], addr, al); ++ if (symbols) ++ thread__find_symbol(thread, cpumodes[i], addr, al); ++ else ++ thread__find_map(thread, cpumodes[i], addr, al); ++ + if (al->map) + break; + } +diff --git a/tools/perf/util/thread.h b/tools/perf/util/thread.h +index 6cbf6eb2812e0..1fb32e7d62a4d 100644 +--- a/tools/perf/util/thread.h ++++ b/tools/perf/util/thread.h +@@ -122,7 +122,7 @@ struct symbol *thread__find_symbol_fb(struct thread *thread, u8 cpumode, + u64 addr, struct addr_location *al); + + void thread__find_cpumode_addr_location(struct thread *thread, u64 addr, +- struct addr_location *al); ++ bool symbols, struct addr_location *al); + + int thread__memcpy(struct thread *thread, struct machine *machine, + void *buf, u64 ip, int len, bool *is64bit); +-- +2.39.5 + diff --git a/queue-6.12/perf-core-fix-broken-throttling-when-max_samples_per.patch b/queue-6.12/perf-core-fix-broken-throttling-when-max_samples_per.patch new file mode 100644 index 0000000000..4664fcc7be --- /dev/null +++ b/queue-6.12/perf-core-fix-broken-throttling-when-max_samples_per.patch @@ -0,0 +1,64 @@ +From 0328ffb93677d013a4f0f45b4d4d1eb1fab13904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Apr 2025 22:16:35 +0800 +Subject: perf/core: Fix broken throttling when max_samples_per_tick=1 + +From: Qing Wang + +[ Upstream commit f51972e6f8b9a737b2b3eb588069acb538fa72de ] + +According to the throttling mechanism, the pmu interrupts number can not +exceed the max_samples_per_tick in one tick. But this mechanism is +ineffective when max_samples_per_tick=1, because the throttling check is +skipped during the first interrupt and only performed when the second +interrupt arrives. + +Perhaps this bug may cause little influence in one tick, but if in a +larger time scale, the problem can not be underestimated. + +When max_samples_per_tick = 1: +Allowed-interrupts-per-second max-samples-per-second default-HZ ARCH +200 100 100 X86 +500 250 250 ARM64 +... +Obviously, the pmu interrupt number far exceed the user's expect. + +Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling") +Signed-off-by: Qing Wang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20250405141635.243786-3-wangqing7171@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 285a4548450bd..8352376d82154 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9715,14 +9715,14 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle) + hwc->interrupts = 1; + } else { + hwc->interrupts++; +- if (unlikely(throttle && +- hwc->interrupts > max_samples_per_tick)) { +- __this_cpu_inc(perf_throttled_count); +- tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS); +- hwc->interrupts = MAX_INTERRUPTS; +- perf_log_throttle(event, 0); +- ret = 1; +- } ++ } ++ ++ if (unlikely(throttle && hwc->interrupts >= max_samples_per_tick)) { ++ __this_cpu_inc(perf_throttled_count); ++ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS); ++ hwc->interrupts = MAX_INTERRUPTS; ++ perf_log_throttle(event, 0); ++ ret = 1; + } + + if (event->attr.freq) { +-- +2.39.5 + diff --git a/queue-6.12/perf-intel-pt-fix-pebs-via-pt-data_src.patch b/queue-6.12/perf-intel-pt-fix-pebs-via-pt-data_src.patch new file mode 100644 index 0000000000..a79ce692aa --- /dev/null +++ b/queue-6.12/perf-intel-pt-fix-pebs-via-pt-data_src.patch @@ -0,0 +1,334 @@ +From f7838b0adf907c6c243d75c596b242e3a5253c44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 12:39:30 +0300 +Subject: perf intel-pt: Fix PEBS-via-PT data_src + +From: Adrian Hunter + +[ Upstream commit e00eac6b5b6d956f38d8880c44bf7fd9954063c3 ] + +The Fixes commit did not add support for decoding PEBS-via-PT data_src. +Fix by adding support. + +PEBS-via-PT is a feature of some E-core processors, starting with +processors based on Tremont microarchitecture. Because the kernel only +supports Intel PT features that are on all processors, there is no support +for PEBS-via-PT on hybrids. + +Currently that leaves processors based on Tremont, Gracemont and Crestmont, +however there are no events on Tremont that produce data_src information, +and for Gracemont and Crestmont there are only: + + mem-loads event=0xd0,umask=0x5,ldlat=3 + mem-stores event=0xd0,umask=0x6 + +Affected processors include Alder Lake N (Gracemont), Sierra Forest +(Crestmont) and Grand Ridge (Crestmont). + +Example: + + # perf record -d -e intel_pt/branch=0/ -e mem-loads/aux-output/pp uname + + Before: + + # perf.before script --itrace=o -Fdata_src + 0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A + 0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A + + After: + + # perf script --itrace=o -Fdata_src + 10268100142 |OP LOAD|LVL L1 hit|SNP None|TLB L1 or L2 hit|LCK No|BLK N/A + 10450100442 |OP LOAD|LVL L2 hit|SNP None|TLB L2 miss|LCK No|BLK N/A + +Fixes: 975846eddf907297 ("perf intel-pt: Add memory information to synthesized PEBS sample") +Reviewed-by: Kan Liang +Signed-off-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20250512093932.79854-2-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 205 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 202 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index fd2597613f3dc..61f10578e1212 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -127,6 +127,7 @@ struct intel_pt { + + bool single_pebs; + bool sample_pebs; ++ int pebs_data_src_fmt; + struct evsel *pebs_evsel; + + u64 evt_sample_type; +@@ -175,6 +176,7 @@ enum switch_state { + struct intel_pt_pebs_event { + struct evsel *evsel; + u64 id; ++ int data_src_fmt; + }; + + struct intel_pt_queue { +@@ -2232,7 +2234,146 @@ static void intel_pt_add_lbrs(struct branch_stack *br_stack, + } + } + +-static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel, u64 id) ++#define P(a, b) PERF_MEM_S(a, b) ++#define OP_LH (P(OP, LOAD) | P(LVL, HIT)) ++#define LEVEL(x) P(LVLNUM, x) ++#define REM P(REMOTE, REMOTE) ++#define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS)) ++ ++#define PERF_PEBS_DATA_SOURCE_GRT_MAX 0x10 ++#define PERF_PEBS_DATA_SOURCE_GRT_MASK (PERF_PEBS_DATA_SOURCE_GRT_MAX - 1) ++ ++/* Based on kernel __intel_pmu_pebs_data_source_grt() and pebs_data_source */ ++static const u64 pebs_data_source_grt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = { ++ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */ ++ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */ ++ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */ ++ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP Hit */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP Fwd */ ++ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */ ++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, HIT), /* RAM hit|SNP Hit */ ++ OP_LH | P(LVL, REM_RAM1) | REM | LEVEL(L3) | P(SNOOP, HIT), /* Remote L3 hit|SNP Hit */ ++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | SNOOP_NONE_MISS, /* RAM hit|SNP None or Miss */ ++ OP_LH | P(LVL, REM_RAM1) | LEVEL(RAM) | REM | SNOOP_NONE_MISS, /* Remote RAM hit|SNP None or Miss */ ++ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */ ++ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */ ++}; ++ ++/* Based on kernel __intel_pmu_pebs_data_source_cmt() and pebs_data_source */ ++static const u64 pebs_data_source_cmt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = { ++ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */ ++ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */ ++ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */ ++ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, MISS), /* L3 hit|SNP Hit */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP HitM */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP HitM */ ++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP Fwd */ ++ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */ ++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, NONE), /* RAM hit|SNP Hit */ ++ OP_LH | LEVEL(RAM) | REM | P(SNOOP, NONE), /* Remote L3 hit|SNP Hit */ ++ OP_LH | LEVEL(RAM) | REM | P(SNOOPX, FWD), /* RAM hit|SNP None or Miss */ ++ OP_LH | LEVEL(RAM) | REM | P(SNOOP, HITM), /* Remote RAM hit|SNP None or Miss */ ++ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */ ++ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */ ++}; ++ ++/* Based on kernel pebs_set_tlb_lock() */ ++static inline void pebs_set_tlb_lock(u64 *val, bool tlb, bool lock) ++{ ++ /* ++ * TLB access ++ * 0 = did not miss 2nd level TLB ++ * 1 = missed 2nd level TLB ++ */ ++ if (tlb) ++ *val |= P(TLB, MISS) | P(TLB, L2); ++ else ++ *val |= P(TLB, HIT) | P(TLB, L1) | P(TLB, L2); ++ ++ /* locked prefix */ ++ if (lock) ++ *val |= P(LOCK, LOCKED); ++} ++ ++/* Based on kernel __grt_latency_data() */ ++static u64 intel_pt_grt_latency_data(u8 dse, bool tlb, bool lock, bool blk, ++ const u64 *pebs_data_source) ++{ ++ u64 val; ++ ++ dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK; ++ val = pebs_data_source[dse]; ++ ++ pebs_set_tlb_lock(&val, tlb, lock); ++ ++ if (blk) ++ val |= P(BLK, DATA); ++ else ++ val |= P(BLK, NA); ++ ++ return val; ++} ++ ++/* Default value for data source */ ++#define PERF_MEM_NA (PERF_MEM_S(OP, NA) |\ ++ PERF_MEM_S(LVL, NA) |\ ++ PERF_MEM_S(SNOOP, NA) |\ ++ PERF_MEM_S(LOCK, NA) |\ ++ PERF_MEM_S(TLB, NA) |\ ++ PERF_MEM_S(LVLNUM, NA)) ++ ++enum DATA_SRC_FORMAT { ++ DATA_SRC_FORMAT_ERR = -1, ++ DATA_SRC_FORMAT_NA = 0, ++ DATA_SRC_FORMAT_GRT = 1, ++ DATA_SRC_FORMAT_CMT = 2, ++}; ++ ++/* Based on kernel grt_latency_data() and cmt_latency_data */ ++static u64 intel_pt_get_data_src(u64 mem_aux_info, int data_src_fmt) ++{ ++ switch (data_src_fmt) { ++ case DATA_SRC_FORMAT_GRT: { ++ union { ++ u64 val; ++ struct { ++ unsigned int dse:4; ++ unsigned int locked:1; ++ unsigned int stlb_miss:1; ++ unsigned int fwd_blk:1; ++ unsigned int reserved:25; ++ }; ++ } x = {.val = mem_aux_info}; ++ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk, ++ pebs_data_source_grt); ++ } ++ case DATA_SRC_FORMAT_CMT: { ++ union { ++ u64 val; ++ struct { ++ unsigned int dse:5; ++ unsigned int locked:1; ++ unsigned int stlb_miss:1; ++ unsigned int fwd_blk:1; ++ unsigned int reserved:24; ++ }; ++ } x = {.val = mem_aux_info}; ++ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk, ++ pebs_data_source_cmt); ++ } ++ default: ++ return PERF_MEM_NA; ++ } ++} ++ ++static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel, ++ u64 id, int data_src_fmt) + { + const struct intel_pt_blk_items *items = &ptq->state->items; + struct perf_sample sample = { .ip = 0, }; +@@ -2350,6 +2491,18 @@ static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evse + } + } + ++ if (sample_type & PERF_SAMPLE_DATA_SRC) { ++ if (items->has_mem_aux_info && data_src_fmt) { ++ if (data_src_fmt < 0) { ++ pr_err("Intel PT missing data_src info\n"); ++ return -1; ++ } ++ sample.data_src = intel_pt_get_data_src(items->mem_aux_info, data_src_fmt); ++ } else { ++ sample.data_src = PERF_MEM_NA; ++ } ++ } ++ + if (sample_type & PERF_SAMPLE_TRANSACTION && items->has_tsx_aux_info) { + u64 ax = items->has_rax ? items->rax : 0; + /* Refer kernel's intel_hsw_transaction() */ +@@ -2368,9 +2521,10 @@ static int intel_pt_synth_single_pebs_sample(struct intel_pt_queue *ptq) + { + struct intel_pt *pt = ptq->pt; + struct evsel *evsel = pt->pebs_evsel; ++ int data_src_fmt = pt->pebs_data_src_fmt; + u64 id = evsel->core.id[0]; + +- return intel_pt_do_synth_pebs_sample(ptq, evsel, id); ++ return intel_pt_do_synth_pebs_sample(ptq, evsel, id, data_src_fmt); + } + + static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq) +@@ -2395,7 +2549,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq) + hw_id); + return intel_pt_synth_single_pebs_sample(ptq); + } +- err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id); ++ err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id, pe->data_src_fmt); + if (err) + return err; + } +@@ -3355,6 +3509,49 @@ static int intel_pt_process_itrace_start(struct intel_pt *pt, + event->itrace_start.tid); + } + ++/* ++ * Events with data_src are identified by L1_Hit_Indication ++ * refer https://github.com/intel/perfmon ++ */ ++static int intel_pt_data_src_fmt(struct intel_pt *pt, struct evsel *evsel) ++{ ++ struct perf_env *env = pt->machine->env; ++ int fmt = DATA_SRC_FORMAT_NA; ++ ++ if (!env->cpuid) ++ return DATA_SRC_FORMAT_ERR; ++ ++ /* ++ * PEBS-via-PT is only supported on E-core non-hybrid. Of those only ++ * Gracemont and Crestmont have data_src. Check for: ++ * Alderlake N (Gracemont) ++ * Sierra Forest (Crestmont) ++ * Grand Ridge (Crestmont) ++ */ ++ ++ if (!strncmp(env->cpuid, "GenuineIntel,6,190,", 19)) ++ fmt = DATA_SRC_FORMAT_GRT; ++ ++ if (!strncmp(env->cpuid, "GenuineIntel,6,175,", 19) || ++ !strncmp(env->cpuid, "GenuineIntel,6,182,", 19)) ++ fmt = DATA_SRC_FORMAT_CMT; ++ ++ if (fmt == DATA_SRC_FORMAT_NA) ++ return fmt; ++ ++ /* ++ * Only data_src events are: ++ * mem-loads event=0xd0,umask=0x5 ++ * mem-stores event=0xd0,umask=0x6 ++ */ ++ if (evsel->core.attr.type == PERF_TYPE_RAW && ++ ((evsel->core.attr.config & 0xffff) == 0x5d0 || ++ (evsel->core.attr.config & 0xffff) == 0x6d0)) ++ return fmt; ++ ++ return DATA_SRC_FORMAT_NA; ++} ++ + static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt, + union perf_event *event, + struct perf_sample *sample) +@@ -3375,6 +3572,7 @@ static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt, + + ptq->pebs[hw_id].evsel = evsel; + ptq->pebs[hw_id].id = sample->id; ++ ptq->pebs[hw_id].data_src_fmt = intel_pt_data_src_fmt(pt, evsel); + + return 0; + } +@@ -3924,6 +4122,7 @@ static void intel_pt_setup_pebs_events(struct intel_pt *pt) + } + pt->single_pebs = true; + pt->sample_pebs = true; ++ pt->pebs_data_src_fmt = intel_pt_data_src_fmt(pt, evsel); + pt->pebs_evsel = evsel; + } + } +-- +2.39.5 + diff --git a/queue-6.12/perf-record-fix-incorrect-user-regs-comments.patch b/queue-6.12/perf-record-fix-incorrect-user-regs-comments.patch new file mode 100644 index 0000000000..9e2f4044e9 --- /dev/null +++ b/queue-6.12/perf-record-fix-incorrect-user-regs-comments.patch @@ -0,0 +1,46 @@ +From f4bf775f7c8876e810ebd17b01ecb8fcf7a1cc96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 06:08:10 +0000 +Subject: perf record: Fix incorrect --user-regs comments + +From: Dapeng Mi + +[ Upstream commit a4a859eb6704a8aa46aa1cec5396c8d41383a26b ] + +The comment of "--user-regs" option is not correct, fix it. + +"on interrupt," -> "in user space," + +Fixes: 84c417422798c897 ("perf record: Support direct --user-regs arguments") +Reviewed-by: Ian Rogers +Signed-off-by: Dapeng Mi +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250403060810.196028-1-dapeng1.mi@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-record.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c +index adbaf80b398c1..ab9035573a15e 100644 +--- a/tools/perf/builtin-record.c ++++ b/tools/perf/builtin-record.c +@@ -3471,7 +3471,7 @@ static struct option __record_options[] = { + "sample selected machine registers on interrupt," + " use '-I?' to list register names", parse_intr_regs), + OPT_CALLBACK_OPTARG(0, "user-regs", &record.opts.sample_user_regs, NULL, "any register", +- "sample selected machine registers on interrupt," ++ "sample selected machine registers in user space," + " use '--user-regs=?' to list register names", parse_user_regs), + OPT_BOOLEAN(0, "running-time", &record.opts.running_time, + "Record running/enabled time of read (:S) events"), +-- +2.39.5 + diff --git a/queue-6.12/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch b/queue-6.12/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch new file mode 100644 index 0000000000..9a5b7c345f --- /dev/null +++ b/queue-6.12/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch @@ -0,0 +1,53 @@ +From 05031880e49fb66a02e0edd63b99c5af6c33f789 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 12:39:32 +0300 +Subject: perf scripts python: exported-sql-viewer.py: Fix pattern matching + with Python 3 + +From: Adrian Hunter + +[ Upstream commit 17e548405a81665fd14cee960db7d093d1396400 ] + +The script allows the user to enter patterns to find symbols. + +The pattern matching characters are converted for use in SQL. + +For PostgreSQL the conversion involves using the Python maketrans() +method which is slightly different in Python 3 compared with Python 2. + +Fix to work in Python 3. + +Fixes: beda0e725e5f06ac ("perf script python: Add Python3 support to exported-sql-viewer.py") +Signed-off-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Tony Jones +Link: https://lore.kernel.org/r/20250512093932.79854-4-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/scripts/python/exported-sql-viewer.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/scripts/python/exported-sql-viewer.py b/tools/perf/scripts/python/exported-sql-viewer.py +index 121cf61ba1b34..e0b2e7268ef68 100755 +--- a/tools/perf/scripts/python/exported-sql-viewer.py ++++ b/tools/perf/scripts/python/exported-sql-viewer.py +@@ -680,7 +680,10 @@ class CallGraphModelBase(TreeModel): + s = value.replace("%", "\\%") + s = s.replace("_", "\\_") + # Translate * and ? into SQL LIKE pattern characters % and _ +- trans = string.maketrans("*?", "%_") ++ if sys.version_info[0] == 3: ++ trans = str.maketrans("*?", "%_") ++ else: ++ trans = string.maketrans("*?", "%_") + match = " LIKE '" + str(s).translate(trans) + "'" + else: + match = " GLOB '" + str(value) + "'" +-- +2.39.5 + diff --git a/queue-6.12/perf-symbol-fix-use-after-free-in-filename__read_bui.patch b/queue-6.12/perf-symbol-fix-use-after-free-in-filename__read_bui.patch new file mode 100644 index 0000000000..ceebe61e6d --- /dev/null +++ b/queue-6.12/perf-symbol-fix-use-after-free-in-filename__read_bui.patch @@ -0,0 +1,290 @@ +From 17d259b833794276fd4565328cfd167106e483e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 20:26:31 -0700 +Subject: perf symbol: Fix use-after-free in filename__read_build_id +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ian Rogers + +[ Upstream commit fef8f648bb47726d96a5701fe31ed606268da73d ] + +The same buf is used for the program headers and reading notes. As the +notes memory may be reallocated then this corrupts the memory pointed +to by the phdr. Using the same buffer is in any case a logic +error. Rather than deal with the duplicated code, introduce an elf32 +boolean and a union for either the elf32 or elf64 headers that are in +use. Let the program headers have their own memory and grow the buffer +for notes as necessary. + +Before `perf list -j` compiled with asan would crash with: +``` +==4176189==ERROR: AddressSanitizer: heap-use-after-free on address 0x5160000070b8 at pc 0x555d3b15075b bp 0x7ffebb5a8090 sp 0x7ffebb5a8088 +READ of size 8 at 0x5160000070b8 thread T0 + #0 0x555d3b15075a in filename__read_build_id tools/perf/util/symbol-minimal.c:212:25 + #1 0x555d3ae43aff in filename__sprintf_build_id tools/perf/util/build-id.c:110:8 +... + +0x5160000070b8 is located 312 bytes inside of 560-byte region [0x516000006f80,0x5160000071b0) +freed by thread T0 here: + #0 0x555d3ab21840 in realloc (perf+0x264840) (BuildId: 12dff2f6629f738e5012abdf0e90055518e70b5e) + #1 0x555d3b1506e7 in filename__read_build_id tools/perf/util/symbol-minimal.c:206:11 +... + +previously allocated by thread T0 here: + #0 0x555d3ab21423 in malloc (perf+0x264423) (BuildId: 12dff2f6629f738e5012abdf0e90055518e70b5e) + #1 0x555d3b1503a2 in filename__read_build_id tools/perf/util/symbol-minimal.c:182:9 +... +``` + +Note: this bug is long standing and not introduced by the other asan +fix in commit fa9c4977fbfb ("perf symbol-minimal: Fix double free in +filename__read_build_id"). + +Fixes: b691f64360ecec49 ("perf symbols: Implement poor man's ELF parser") +Signed-off-by: Ian Rogers +Link: https://lore.kernel.org/r/20250528032637.198960-2-irogers@google.com +Cc: Mark Rutland +Cc: Gary Guo +Cc: Alex Gaynor +Cc: Boqun Feng +Cc: Howard Chu +Cc: Alice Ryhl +Cc: Dmitry Vyukov +Cc: Peter Zijlstra +Cc: Adrian Hunter +Cc: Weilin Wang +Cc: Andreas Hindborg +Cc: Arnaldo Carvalho de Melo +Cc: Danilo Krummrich +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Miguel Ojeda +Cc: James Clark +Cc: Jiapeng Chong +Cc: Andi Kleen +Cc: Alexander Shishkin +Cc: Kan Liang +Cc: Stephen Brennan +Cc: Benno Lossin +Cc: Björn Roy Baron +Cc: Ingo Molnar +Cc: Trevor Gross +Cc: linux-kernel@vger.kernel.org +Cc: linux-perf-users@vger.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-minimal.c | 168 +++++++++++++------------------ + 1 file changed, 70 insertions(+), 98 deletions(-) + +diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c +index d8da3da01fe6b..36c1d3090689f 100644 +--- a/tools/perf/util/symbol-minimal.c ++++ b/tools/perf/util/symbol-minimal.c +@@ -90,11 +90,23 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + { + FILE *fp; + int ret = -1; +- bool need_swap = false; ++ bool need_swap = false, elf32; + u8 e_ident[EI_NIDENT]; +- size_t buf_size; +- void *buf; + int i; ++ union { ++ struct { ++ Elf32_Ehdr ehdr32; ++ Elf32_Phdr *phdr32; ++ }; ++ struct { ++ Elf64_Ehdr ehdr64; ++ Elf64_Phdr *phdr64; ++ }; ++ } hdrs; ++ void *phdr; ++ size_t phdr_size; ++ void *buf = NULL; ++ size_t buf_size = 0; + + fp = fopen(filename, "r"); + if (fp == NULL) +@@ -108,119 +120,79 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + goto out; + + need_swap = check_need_swap(e_ident[EI_DATA]); ++ elf32 = e_ident[EI_CLASS] == ELFCLASS32; + +- /* for simplicity */ +- fseek(fp, 0, SEEK_SET); +- +- if (e_ident[EI_CLASS] == ELFCLASS32) { +- Elf32_Ehdr ehdr; +- Elf32_Phdr *phdr; +- +- if (fread(&ehdr, sizeof(ehdr), 1, fp) != 1) +- goto out; ++ if (fread(elf32 ? (void *)&hdrs.ehdr32 : (void *)&hdrs.ehdr64, ++ elf32 ? sizeof(hdrs.ehdr32) : sizeof(hdrs.ehdr64), ++ 1, fp) != 1) ++ goto out; + +- if (need_swap) { +- ehdr.e_phoff = bswap_32(ehdr.e_phoff); +- ehdr.e_phentsize = bswap_16(ehdr.e_phentsize); +- ehdr.e_phnum = bswap_16(ehdr.e_phnum); ++ if (need_swap) { ++ if (elf32) { ++ hdrs.ehdr32.e_phoff = bswap_32(hdrs.ehdr32.e_phoff); ++ hdrs.ehdr32.e_phentsize = bswap_16(hdrs.ehdr32.e_phentsize); ++ hdrs.ehdr32.e_phnum = bswap_16(hdrs.ehdr32.e_phnum); ++ } else { ++ hdrs.ehdr64.e_phoff = bswap_64(hdrs.ehdr64.e_phoff); ++ hdrs.ehdr64.e_phentsize = bswap_16(hdrs.ehdr64.e_phentsize); ++ hdrs.ehdr64.e_phnum = bswap_16(hdrs.ehdr64.e_phnum); + } ++ } ++ phdr_size = elf32 ? hdrs.ehdr32.e_phentsize * hdrs.ehdr32.e_phnum ++ : hdrs.ehdr64.e_phentsize * hdrs.ehdr64.e_phnum; ++ phdr = malloc(phdr_size); ++ if (phdr == NULL) ++ goto out; + +- buf_size = ehdr.e_phentsize * ehdr.e_phnum; +- buf = malloc(buf_size); +- if (buf == NULL) +- goto out; +- +- fseek(fp, ehdr.e_phoff, SEEK_SET); +- if (fread(buf, buf_size, 1, fp) != 1) +- goto out_free; +- +- for (i = 0, phdr = buf; i < ehdr.e_phnum; i++, phdr++) { +- void *tmp; +- long offset; +- +- if (need_swap) { +- phdr->p_type = bswap_32(phdr->p_type); +- phdr->p_offset = bswap_32(phdr->p_offset); +- phdr->p_filesz = bswap_32(phdr->p_filesz); +- } +- +- if (phdr->p_type != PT_NOTE) +- continue; +- +- offset = phdr->p_offset; +- if (phdr->p_filesz > buf_size) { +- buf_size = phdr->p_filesz; +- tmp = realloc(buf, buf_size); +- if (tmp == NULL) +- goto out_free; +- buf = tmp; +- } +- fseek(fp, offset, SEEK_SET); +- if (fread(buf, phdr->p_filesz, 1, fp) != 1) +- goto out_free; ++ fseek(fp, elf32 ? hdrs.ehdr32.e_phoff : hdrs.ehdr64.e_phoff, SEEK_SET); ++ if (fread(phdr, phdr_size, 1, fp) != 1) ++ goto out_free; + +- ret = read_build_id(buf, phdr->p_filesz, bid, need_swap); +- if (ret == 0) { +- ret = bid->size; +- break; +- } +- } +- } else { +- Elf64_Ehdr ehdr; +- Elf64_Phdr *phdr; ++ if (elf32) ++ hdrs.phdr32 = phdr; ++ else ++ hdrs.phdr64 = phdr; + +- if (fread(&ehdr, sizeof(ehdr), 1, fp) != 1) +- goto out; ++ for (i = 0; i < elf32 ? hdrs.ehdr32.e_phnum : hdrs.ehdr64.e_phnum; i++) { ++ size_t p_filesz; + + if (need_swap) { +- ehdr.e_phoff = bswap_64(ehdr.e_phoff); +- ehdr.e_phentsize = bswap_16(ehdr.e_phentsize); +- ehdr.e_phnum = bswap_16(ehdr.e_phnum); ++ if (elf32) { ++ hdrs.phdr32[i].p_type = bswap_32(hdrs.phdr32[i].p_type); ++ hdrs.phdr32[i].p_offset = bswap_32(hdrs.phdr32[i].p_offset); ++ hdrs.phdr32[i].p_filesz = bswap_32(hdrs.phdr32[i].p_offset); ++ } else { ++ hdrs.phdr64[i].p_type = bswap_32(hdrs.phdr64[i].p_type); ++ hdrs.phdr64[i].p_offset = bswap_64(hdrs.phdr64[i].p_offset); ++ hdrs.phdr64[i].p_filesz = bswap_64(hdrs.phdr64[i].p_filesz); ++ } + } ++ if ((elf32 ? hdrs.phdr32[i].p_type : hdrs.phdr64[i].p_type) != PT_NOTE) ++ continue; + +- buf_size = ehdr.e_phentsize * ehdr.e_phnum; +- buf = malloc(buf_size); +- if (buf == NULL) +- goto out; +- +- fseek(fp, ehdr.e_phoff, SEEK_SET); +- if (fread(buf, buf_size, 1, fp) != 1) +- goto out_free; +- +- for (i = 0, phdr = buf; i < ehdr.e_phnum; i++, phdr++) { ++ p_filesz = elf32 ? hdrs.phdr32[i].p_filesz : hdrs.phdr64[i].p_filesz; ++ if (p_filesz > buf_size) { + void *tmp; +- long offset; +- +- if (need_swap) { +- phdr->p_type = bswap_32(phdr->p_type); +- phdr->p_offset = bswap_64(phdr->p_offset); +- phdr->p_filesz = bswap_64(phdr->p_filesz); +- } +- +- if (phdr->p_type != PT_NOTE) +- continue; + +- offset = phdr->p_offset; +- if (phdr->p_filesz > buf_size) { +- buf_size = phdr->p_filesz; +- tmp = realloc(buf, buf_size); +- if (tmp == NULL) +- goto out_free; +- buf = tmp; +- } +- fseek(fp, offset, SEEK_SET); +- if (fread(buf, phdr->p_filesz, 1, fp) != 1) ++ buf_size = p_filesz; ++ tmp = realloc(buf, buf_size); ++ if (tmp == NULL) + goto out_free; ++ buf = tmp; ++ } ++ fseek(fp, elf32 ? hdrs.phdr32[i].p_offset : hdrs.phdr64[i].p_offset, SEEK_SET); ++ if (fread(buf, p_filesz, 1, fp) != 1) ++ goto out_free; + +- ret = read_build_id(buf, phdr->p_filesz, bid, need_swap); +- if (ret == 0) { +- ret = bid->size; +- break; +- } ++ ret = read_build_id(buf, p_filesz, bid, need_swap); ++ if (ret == 0) { ++ ret = bid->size; ++ break; + } + } + out_free: + free(buf); ++ free(phdr); + out: + fclose(fp); + return ret; +-- +2.39.5 + diff --git a/queue-6.12/perf-symbol-minimal-fix-double-free-in-filename__rea.patch b/queue-6.12/perf-symbol-minimal-fix-double-free-in-filename__rea.patch new file mode 100644 index 0000000000..99aca1ad2d --- /dev/null +++ b/queue-6.12/perf-symbol-minimal-fix-double-free-in-filename__rea.patch @@ -0,0 +1,123 @@ +From a8b1b3adad2ba62a84f2f9df3690a8df27d47fac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 00:00:03 -0700 +Subject: perf symbol-minimal: Fix double free in filename__read_build_id + +From: Ian Rogers + +[ Upstream commit fa9c4977fbfbca182f9e410d57b3f98356a9d917 ] + +Running the "perf script task-analyzer tests" with address sanitizer +showed a double free: +``` +FAIL: "test_csv_extended_times" Error message: "Failed to find required string:'Out-Out;'." +================================================================= +==19190==ERROR: AddressSanitizer: attempting double-free on 0x50b000017b10 in thread T0: + #0 0x55da9601c78a in free (perf+0x26078a) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) + #1 0x55da96640c63 in filename__read_build_id tools/perf/util/symbol-minimal.c:221:2 + +0x50b000017b10 is located 0 bytes inside of 112-byte region [0x50b000017b10,0x50b000017b80) +freed by thread T0 here: + #0 0x55da9601ce40 in realloc (perf+0x260e40) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) + #1 0x55da96640ad6 in filename__read_build_id tools/perf/util/symbol-minimal.c:204:10 + +previously allocated by thread T0 here: + #0 0x55da9601ca23 in malloc (perf+0x260a23) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) + #1 0x55da966407e7 in filename__read_build_id tools/perf/util/symbol-minimal.c:181:9 + +SUMMARY: AddressSanitizer: double-free (perf+0x26078a) (BuildId: e7ef50e08970f017a96fde6101c5e2491acc674a) in free +==19190==ABORTING +FAIL: "invocation of perf script report task-analyzer --csv-summary csvsummary --summary-extended command failed" Error message: "" +FAIL: "test_csvsummary_extended" Error message: "Failed to find required string:'Out-Out;'." +---- end(-1) ---- +132: perf script task-analyzer tests : FAILED! +``` + +The buf_size if always set to phdr->p_filesz, but that may be 0 +causing a free and realloc to return NULL. This is treated in +filename__read_build_id like a failure and the buffer is freed again. + +To avoid this problem only grow buf, meaning the buf_size will never +be 0. This also reduces the number of memory (re)allocations. + +Fixes: b691f64360ecec49 ("perf symbols: Implement poor man's ELF parser") +Signed-off-by: Ian Rogers +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250501070003.22251-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/symbol-minimal.c | 34 +++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +diff --git a/tools/perf/util/symbol-minimal.c b/tools/perf/util/symbol-minimal.c +index c6f369b5d893f..d8da3da01fe6b 100644 +--- a/tools/perf/util/symbol-minimal.c ++++ b/tools/perf/util/symbol-minimal.c +@@ -147,18 +147,19 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + if (phdr->p_type != PT_NOTE) + continue; + +- buf_size = phdr->p_filesz; + offset = phdr->p_offset; +- tmp = realloc(buf, buf_size); +- if (tmp == NULL) +- goto out_free; +- +- buf = tmp; ++ if (phdr->p_filesz > buf_size) { ++ buf_size = phdr->p_filesz; ++ tmp = realloc(buf, buf_size); ++ if (tmp == NULL) ++ goto out_free; ++ buf = tmp; ++ } + fseek(fp, offset, SEEK_SET); +- if (fread(buf, buf_size, 1, fp) != 1) ++ if (fread(buf, phdr->p_filesz, 1, fp) != 1) + goto out_free; + +- ret = read_build_id(buf, buf_size, bid, need_swap); ++ ret = read_build_id(buf, phdr->p_filesz, bid, need_swap); + if (ret == 0) { + ret = bid->size; + break; +@@ -199,18 +200,19 @@ int filename__read_build_id(const char *filename, struct build_id *bid) + if (phdr->p_type != PT_NOTE) + continue; + +- buf_size = phdr->p_filesz; + offset = phdr->p_offset; +- tmp = realloc(buf, buf_size); +- if (tmp == NULL) +- goto out_free; +- +- buf = tmp; ++ if (phdr->p_filesz > buf_size) { ++ buf_size = phdr->p_filesz; ++ tmp = realloc(buf, buf_size); ++ if (tmp == NULL) ++ goto out_free; ++ buf = tmp; ++ } + fseek(fp, offset, SEEK_SET); +- if (fread(buf, buf_size, 1, fp) != 1) ++ if (fread(buf, phdr->p_filesz, 1, fp) != 1) + goto out_free; + +- ret = read_build_id(buf, buf_size, bid, need_swap); ++ ret = read_build_id(buf, phdr->p_filesz, bid, need_swap); + if (ret == 0) { + ret = bid->size; + break; +-- +2.39.5 + diff --git a/queue-6.12/perf-tests-fix-perf-report-tests-installation.patch b/queue-6.12/perf-tests-fix-perf-report-tests-installation.patch new file mode 100644 index 0000000000..f3b9c33e70 --- /dev/null +++ b/queue-6.12/perf-tests-fix-perf-report-tests-installation.patch @@ -0,0 +1,44 @@ +From 519ed0c5647ea7485099f474dc45d2dd634435f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 19:26:00 +0100 +Subject: perf tests: Fix 'perf report' tests installation + +From: Michael Petlan + +[ Upstream commit 4bfe27140edf8dd1322326c79f5ae8d29ff7e43d ] + +There was a copy-paste mistake in the installation commands. + +Also, we need to install stderr-whitelist.txt file, which contains +allowed messages that are printed on stderr and should not cause test +fail. + +Fixes: 097fe67df1aa9cc7 ("perf testsuite: Install perf-report tests in the 'make install-tests -C tools/perf' target") +Signed-off-by: Michael Petlan +Cc: Ian Rogers +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20250113182605.130719-6-vmolnaro@redhat.com +Signed-off-by: Veronika Molnarova +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.perf | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf +index 8ee59ecb14110..b61c355fbdeed 100644 +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -1143,7 +1143,8 @@ install-tests: all install-gtk + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/base_probe'; \ + $(INSTALL) tests/shell/base_probe/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/base_probe'; \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/base_report'; \ +- $(INSTALL) tests/shell/base_probe/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/base_report'; \ ++ $(INSTALL) tests/shell/base_report/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/base_report'; \ ++ $(INSTALL) tests/shell/base_report/*.txt '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/base_report'; \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/coresight' ; \ + $(INSTALL) tests/shell/coresight/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/coresight' + $(Q)$(MAKE) -C tests/shell/coresight install-tests +-- +2.39.5 + diff --git a/queue-6.12/perf-tests-switch-tracking-fix-timestamp-comparison.patch b/queue-6.12/perf-tests-switch-tracking-fix-timestamp-comparison.patch new file mode 100644 index 0000000000..d73f05af04 --- /dev/null +++ b/queue-6.12/perf-tests-switch-tracking-fix-timestamp-comparison.patch @@ -0,0 +1,102 @@ +From 8b3f844f0751b3a070a721877edd17dc29d46203 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 18:27:59 +0100 +Subject: perf tests switch-tracking: Fix timestamp comparison + +From: Leo Yan + +[ Upstream commit 628e124404b3db5e10e17228e680a2999018ab33 ] + +The test might fail on the Arm64 platform with the error: + + # perf test -vvv "Track with sched_switch" + Missing sched_switch events + # + +The issue is caused by incorrect handling of timestamp comparisons. The +comparison result, a signed 64-bit value, was being directly cast to an +int, leading to incorrect sorting for sched events. + +The case does not fail everytime, usually I can trigger the failure +after run 20 ~ 30 times: + + # while true; do perf test "Track with sched_switch"; done + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : FAILED! + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : FAILED! + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + +I used cross compiler to build Perf tool on my host machine and tested on +Debian / Juno board. Generally, I think this issue is not very specific +to GCC versions. As both internal CI and my local env can reproduce the +issue. + +My Host Build compiler: + + # aarch64-linux-gnu-gcc --version + aarch64-linux-gnu-gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0 + +Juno Board: + + # lsb_release -a + No LSB modules are available. + Distributor ID: Debian + Description: Debian GNU/Linux 12 (bookworm) + Release: 12 + Codename: bookworm + +Fix this by explicitly returning 0, 1, or -1 based on whether the result +is zero, positive, or negative. + +Fixes: d44bc558297222d9 ("perf tests: Add a test for tracking with sched_switch") +Reviewed-by: Ian Rogers +Signed-off-by: Leo Yan +Cc: Adrian Hunter +Cc: James Clark +Cc: Kan Liang +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20250331172759.115604-1-leo.yan@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/switch-tracking.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/switch-tracking.c b/tools/perf/tests/switch-tracking.c +index 5cab17a1942e6..ee43d8fa2ed67 100644 +--- a/tools/perf/tests/switch-tracking.c ++++ b/tools/perf/tests/switch-tracking.c +@@ -258,7 +258,7 @@ static int compar(const void *a, const void *b) + const struct event_node *nodeb = b; + s64 cmp = nodea->event_time - nodeb->event_time; + +- return cmp; ++ return cmp < 0 ? -1 : (cmp > 0 ? 1 : 0); + } + + static int process_events(struct evlist *evlist, +-- +2.39.5 + diff --git a/queue-6.12/perf-trace-always-print-return-value-for-syscalls-re.patch b/queue-6.12/perf-trace-always-print-return-value-for-syscalls-re.patch new file mode 100644 index 0000000000..948851e0e1 --- /dev/null +++ b/queue-6.12/perf-trace-always-print-return-value-for-syscalls-re.patch @@ -0,0 +1,67 @@ +From 5d513721b7200243340ff31fa8eb151eb337f0b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 12:04:12 -0400 +Subject: perf trace: Always print return value for syscalls returning a pid + +From: Anubhav Shelat + +[ Upstream commit c7a48ea9b919e2fa0e4a1d9938fdb03e9afe276c ] + +The syscalls that were consistently observed were set_robust_list and +rseq. This is because perf cannot find their child process. + +This change ensures that the return value is always printed. + +Before: + 0.256 ( 0.001 ms): set_robust_list(head: 0x7f09c77dba20, len: 24) = + 0.259 ( 0.001 ms): rseq(rseq: 0x7f09c77dc0e0, rseq_len: 32, sig: 1392848979) = +After: + 0.270 ( 0.002 ms): set_robust_list(head: 0x7f0bb14a6a20, len: 24) = 0 + 0.273 ( 0.002 ms): rseq(rseq: 0x7f0bb14a70e0, rseq_len: 32, sig: 1392848979) = 0 + +Committer notes: + +As discussed in the thread in the Link: tag below, these two don't +return a pid, but for syscalls returning one, we need to print the +result and if we manage to find the children in 'perf trace' data +structures, then print its name as well. + +Fixes: 11c8e39f5133aed9 ("perf trace: Infrastructure to show COMM strings for syscalls returning PIDs") +Reviewed-by: Howard Chu +Signed-off-by: Anubhav Shelat +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Dapeng Mi +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Michael Petlan +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250403160411.159238-2-ashelat@redhat.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index ee82e858ab200..ebe4fad0d4751 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -2873,8 +2873,8 @@ errno_print: { + else if (sc->fmt->errpid) { + struct thread *child = machine__find_thread(trace->host, ret, ret); + ++ fprintf(trace->output, "%ld", ret); + if (child != NULL) { +- fprintf(trace->output, "%ld", ret); + if (thread__comm_set(child)) + fprintf(trace->output, " (%s)", thread__comm_str(child)); + thread__put(child); +-- +2.39.5 + diff --git a/queue-6.12/perf-trace-fix-leaks-of-struct-thread-in-set_filter_.patch b/queue-6.12/perf-trace-fix-leaks-of-struct-thread-in-set_filter_.patch new file mode 100644 index 0000000000..486c374543 --- /dev/null +++ b/queue-6.12/perf-trace-fix-leaks-of-struct-thread-in-set_filter_.patch @@ -0,0 +1,51 @@ +From ae0b8b60cc026e9bfd33d8a780eb63767270ff74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 22:42:13 -0700 +Subject: perf trace: Fix leaks of 'struct thread' in set_filter_loop_pids() + +From: Namhyung Kim + +[ Upstream commit 30d20fb1f84ad5c92706fe2c6cbb2d4cc293e671 ] + +I've found some leaks from 'perf trace -a'. + +It seems there are more leaks but this is what I can find for now. + +Fixes: 082ab9a18e532864 ("perf trace: Filter out 'sshd' in the tracer ancestry in syswide tracing") +Reviewed-by: Howard Chu +Signed-off-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250403054213.7021-1-namhyung@kernel.org +[ split from a larget patch ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index ecd26e058baf6..ee82e858ab200 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -3986,10 +3986,13 @@ static int trace__set_filter_loop_pids(struct trace *trace) + if (!strcmp(thread__comm_str(parent), "sshd") || + strstarts(thread__comm_str(parent), "gnome-terminal")) { + pids[nr++] = thread__tid(parent); ++ thread__put(parent); + break; + } ++ thread__put(thread); + thread = parent; + } ++ thread__put(thread); + + err = evlist__append_tp_filter_pids(trace->evlist, nr, pids); + if (!err && trace->filter_pids.map) +-- +2.39.5 + diff --git a/queue-6.12/perf-trace-set-errpid-to-false-for-rseq-and-set_robu.patch b/queue-6.12/perf-trace-set-errpid-to-false-for-rseq-and-set_robu.patch new file mode 100644 index 0000000000..5ef904ddb2 --- /dev/null +++ b/queue-6.12/perf-trace-set-errpid-to-false-for-rseq-and-set_robu.patch @@ -0,0 +1,60 @@ +From a8ae6e7f5b188f07b35bcd98cfae38baf1e75c81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 10:33:35 -0400 +Subject: perf trace: Set errpid to false for rseq and set_robust_list + +From: Anubhav Shelat + +[ Upstream commit 8c56bfe53bd881c7b598c54a3a06216743c57bbc ] + +The 'rseq' and 'set_robust_list' syscalls don't return a pid, so set +errpid for both to false. + +Fixes: 0c1019e3463b263a ("perf trace: Mark the 'rseq' arg in the rseq syscall as coming from user space") +Fixes: 1de5b5dcb8353f36 ("perf trace: Mark the 'head' arg in the set_robust_list syscall as coming from user space") +Signed-off-by: Anubhav Shelat +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Dapeng Mi +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Michael Petlan +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250529143334.1469669-2-ashelat@redhat.com +[ Remove explicit .errpid = false, omitting its initialization zeroes it, as noted by Namhyung ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index ebe4fad0d4751..f77e4f4b6f03e 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1327,7 +1327,7 @@ static const struct syscall_fmt syscall_fmts[] = { + .arg = { [0] = { .scnprintf = SCA_FDAT, /* olddirfd */ }, + [2] = { .scnprintf = SCA_FDAT, /* newdirfd */ }, + [4] = { .scnprintf = SCA_RENAMEAT2_FLAGS, /* flags */ }, }, }, +- { .name = "rseq", .errpid = true, ++ { .name = "rseq", + .arg = { [0] = { .from_user = true /* rseq */, }, }, }, + { .name = "rt_sigaction", + .arg = { [0] = { .scnprintf = SCA_SIGNUM, /* sig */ }, }, }, +@@ -1351,7 +1351,7 @@ static const struct syscall_fmt syscall_fmts[] = { + { .name = "sendto", + .arg = { [3] = { .scnprintf = SCA_MSG_FLAGS, /* flags */ }, + [4] = SCA_SOCKADDR_FROM_USER(addr), }, }, +- { .name = "set_robust_list", .errpid = true, ++ { .name = "set_robust_list", + .arg = { [0] = { .from_user = true /* head */, }, }, }, + { .name = "set_tid_address", .errpid = true, }, + { .name = "setitimer", +-- +2.39.5 + diff --git a/queue-6.12/perf-ui-browser-hists-set-actions-thread-before-call.patch b/queue-6.12/perf-ui-browser-hists-set-actions-thread-before-call.patch new file mode 100644 index 0000000000..a4eb2de385 --- /dev/null +++ b/queue-6.12/perf-ui-browser-hists-set-actions-thread-before-call.patch @@ -0,0 +1,62 @@ +From fef285332cf96404121dca174e37ec02e964e61e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 21:58:19 -0300 +Subject: perf ui browser hists: Set actions->thread before calling + do_zoom_thread() + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 1741189d843a1d5ef38538bc52a3760e2e46cb2e ] + +In 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct +perf_hpp_list") it assumes that act->thread is set prior to calling +do_zoom_thread(). + +This doesn't happen when we use ESC or the Left arrow key to Zoom out of +a specific thread, making this operation not to work and we get stuck +into the thread zoom. + +In 6422184b087ff435 ("perf hists browser: Simplify zooming code using +pstack_peek()") it says no need to set actions->thread, and at that +point that was true, but in 7cecb7fe8388d5c3 a actions->thread == NULL +check was added before the zoom out of thread could kick in. + +We can zoom out using the alternative 't' thread zoom toggle hotkey to +finally set actions->thread before calling do_zoom_thread() and zoom +out, but lets also fix the ESC/Zoom out of thread case. + +Fixes: 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct perf_hpp_list") +Reported-by: Ingo Molnar +Tested-by: Ingo Molnar +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/Z_TYux5fUg2pW-pF@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/browsers/hists.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c +index 49ba82bf33918..3283b6313bab8 100644 +--- a/tools/perf/ui/browsers/hists.c ++++ b/tools/perf/ui/browsers/hists.c +@@ -3267,10 +3267,10 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h + /* + * No need to set actions->dso here since + * it's just to remove the current filter. +- * Ditto for thread below. + */ + do_zoom_dso(browser, actions); + } else if (top == &browser->hists->thread_filter) { ++ actions->thread = thread; + do_zoom_thread(browser, actions); + } else if (top == &browser->hists->socket_filter) { + do_zoom_socket(browser, actions); +-- +2.39.5 + diff --git a/queue-6.12/perf-x86-amd-uncore-prevent-umc-counters-from-satura.patch b/queue-6.12/perf-x86-amd-uncore-prevent-umc-counters-from-satura.patch new file mode 100644 index 0000000000..5f4ce37b9b --- /dev/null +++ b/queue-6.12/perf-x86-amd-uncore-prevent-umc-counters-from-satura.patch @@ -0,0 +1,86 @@ +From 27f45e6720d9b7bcb2694b818dece74d5fdd29af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 09:13:03 +0530 +Subject: perf/x86/amd/uncore: Prevent UMC counters from saturating + +From: Sandipan Das + +[ Upstream commit 2492e5aba2be064d0604ae23ae0770ecc0168192 ] + +Unlike L3 and DF counters, UMC counters (PERF_CTRs) set the Overflow bit +(bit 48) and saturate on overflow. A subsequent pmu->read() of the event +reports an incorrect accumulated count as there is no difference between +the previous and the current values of the counter. + +To avoid this, inspect the current counter value and proactively reset +the corresponding PERF_CTR register on every pmu->read(). Combined with +the periodic reads initiated by the hrtimer, the counters never get a +chance saturate but the resolution reduces to 47 bits. + +Fixes: 25e56847821f ("perf/x86/amd/uncore: Add memory controller support") +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Reviewed-by: Song Liu +Acked-by: Peter Zijlstra +Link: https://lore.kernel.org/r/dee9c8af2c6d66814cf4c6224529c144c620cf2c.1744906694.git.sandipan.das@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/uncore.c | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/events/amd/uncore.c b/arch/x86/events/amd/uncore.c +index 675250598c324..cdf7bf0298362 100644 +--- a/arch/x86/events/amd/uncore.c ++++ b/arch/x86/events/amd/uncore.c +@@ -889,6 +889,39 @@ static void amd_uncore_umc_start(struct perf_event *event, int flags) + perf_event_update_userpage(event); + } + ++static void amd_uncore_umc_read(struct perf_event *event) ++{ ++ struct hw_perf_event *hwc = &event->hw; ++ u64 prev, new, shift; ++ s64 delta; ++ ++ shift = COUNTER_SHIFT + 1; ++ prev = local64_read(&hwc->prev_count); ++ ++ /* ++ * UMC counters do not have RDPMC assignments. Read counts directly ++ * from the corresponding PERF_CTR. ++ */ ++ rdmsrl(hwc->event_base, new); ++ ++ /* ++ * Unlike the other uncore counters, UMC counters saturate and set the ++ * Overflow bit (bit 48) on overflow. Since they do not roll over, ++ * proactively reset the corresponding PERF_CTR when bit 47 is set so ++ * that the counter never gets a chance to saturate. ++ */ ++ if (new & BIT_ULL(63 - COUNTER_SHIFT)) { ++ wrmsrl(hwc->event_base, 0); ++ local64_set(&hwc->prev_count, 0); ++ } else { ++ local64_set(&hwc->prev_count, new); ++ } ++ ++ delta = (new << shift) - (prev << shift); ++ delta >>= shift; ++ local64_add(delta, &event->count); ++} ++ + static + void amd_uncore_umc_ctx_scan(struct amd_uncore *uncore, unsigned int cpu) + { +@@ -966,7 +999,7 @@ int amd_uncore_umc_ctx_init(struct amd_uncore *uncore, unsigned int cpu) + .del = amd_uncore_del, + .start = amd_uncore_umc_start, + .stop = amd_uncore_stop, +- .read = amd_uncore_read, ++ .read = amd_uncore_umc_read, + .capabilities = PERF_PMU_CAP_NO_EXCLUDE | PERF_PMU_CAP_NO_INTERRUPT, + .module = THIS_MODULE, + }; +-- +2.39.5 + diff --git a/queue-6.12/perf-x86-amd-uncore-remove-unused-struct-amd_uncore_.patch b/queue-6.12/perf-x86-amd-uncore-remove-unused-struct-amd_uncore_.patch new file mode 100644 index 0000000000..8f176ce273 --- /dev/null +++ b/queue-6.12/perf-x86-amd-uncore-remove-unused-struct-amd_uncore_.patch @@ -0,0 +1,35 @@ +From c5757b29ef73f1668dab4a4b11aa193e60fb8098 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 09:12:59 +0530 +Subject: perf/x86/amd/uncore: Remove unused 'struct amd_uncore_ctx::node' + member + +From: Sandipan Das + +[ Upstream commit 4f81cc2d1bf91a49d33eb6578b58db2518deef01 ] + +Fixes: d6389d3ccc13 ("perf/x86/amd/uncore: Refactor uncore management") +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Link: https://lore.kernel.org/r/30f9254c2de6c4318dd0809ef85a1677f68eef10.1744906694.git.sandipan.das@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/uncore.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/x86/events/amd/uncore.c b/arch/x86/events/amd/uncore.c +index 0bfde2ea5cb8c..675250598c324 100644 +--- a/arch/x86/events/amd/uncore.c ++++ b/arch/x86/events/amd/uncore.c +@@ -38,7 +38,6 @@ struct amd_uncore_ctx { + int refcnt; + int cpu; + struct perf_event **events; +- struct hlist_node node; + }; + + struct amd_uncore_pmu { +-- +2.39.5 + diff --git a/queue-6.12/phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch b/queue-6.12/phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch new file mode 100644 index 0000000000..e240338856 --- /dev/null +++ b/queue-6.12/phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch @@ -0,0 +1,56 @@ +From ac712bd10710f4202be63d7c41fa6aa72d24b9ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 07:50:50 -0500 +Subject: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug + +From: Chenyuan Yang + +[ Upstream commit d14402a38c2d868cacb1facaf9be908ca6558e59 ] + +The qmp_usb_iomap() helper function currently returns the raw result of +devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return +a NULL pointer and the caller only checks error pointers with IS_ERR(), +NULL could bypass the check and lead to an invalid dereference. + +Fix the issue by checking if devm_ioremap() returns NULL. When it does, +qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM), +ensuring safe and consistent error handling. + +Signed-off-by: Chenyuan Yang +Fixes: a5d6b1ac56cb ("phy: qcom-qmp-usb: fix memleak on probe deferral") +CC: Johan Hovold +CC: Krzysztof Kozlowski +Reviewed-by: Johan Hovold +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250414125050.2118619-1-chenyuan0y@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +index 8e2cd2c178d6b..c12efd127a612 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +@@ -2044,12 +2044,16 @@ static void __iomem *qmp_usb_iomap(struct device *dev, struct device_node *np, + int index, bool exclusive) + { + struct resource res; ++ void __iomem *mem; + + if (!exclusive) { + if (of_address_to_resource(np, index, &res)) + return IOMEM_ERR_PTR(-EINVAL); + +- return devm_ioremap(dev, res.start, resource_size(&res)); ++ mem = devm_ioremap(dev, res.start, resource_size(&res)); ++ if (!mem) ++ return IOMEM_ERR_PTR(-ENOMEM); ++ return mem; + } + + return devm_of_iomap(dev, np, index, NULL); +-- +2.39.5 + diff --git a/queue-6.12/phy-rockchip-samsung-hdptx-do-no-set-rk_hdptx_phy-ra.patch b/queue-6.12/phy-rockchip-samsung-hdptx-do-no-set-rk_hdptx_phy-ra.patch new file mode 100644 index 0000000000..077879facd --- /dev/null +++ b/queue-6.12/phy-rockchip-samsung-hdptx-do-no-set-rk_hdptx_phy-ra.patch @@ -0,0 +1,53 @@ +From 4fb71840ae649da1189230226b2f99a3273487d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 14:35:38 +0200 +Subject: phy: rockchip: samsung-hdptx: Do no set rk_hdptx_phy->rate in case of + errors + +From: Cristian Ciocaltea + +[ Upstream commit 1f4d382769e3b38dfc498c806811dae856e40f31 ] + +Ensure rk_hdptx_ropll_tmds_cmn_config() updates hdptx->rate only after +all the other operations have been successful. + +Fixes: c4b09c562086 ("phy: phy-rockchip-samsung-hdptx: Add clock provider support") +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20250318-phy-sam-hdptx-bpc-v6-4-8cb1678e7663@collabora.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c +index 70526c67ca0f1..5547f8df8e717 100644 +--- a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c ++++ b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c +@@ -781,9 +781,7 @@ static int rk_hdptx_ropll_tmds_cmn_config(struct rk_hdptx_phy *hdptx, + { + const struct ropll_config *cfg = NULL; + struct ropll_config rc = {0}; +- int i; +- +- hdptx->rate = rate * 100; ++ int ret, i; + + for (i = 0; i < ARRAY_SIZE(ropll_tmds_cfg); i++) + if (rate == ropll_tmds_cfg[i].bit_rate) { +@@ -842,7 +840,11 @@ static int rk_hdptx_ropll_tmds_cmn_config(struct rk_hdptx_phy *hdptx, + regmap_update_bits(hdptx->regmap, CMN_REG(0086), PLL_PCG_CLK_EN, + PLL_PCG_CLK_EN); + +- return rk_hdptx_post_enable_pll(hdptx); ++ ret = rk_hdptx_post_enable_pll(hdptx); ++ if (!ret) ++ hdptx->rate = rate * 100; ++ ++ return ret; + } + + static int rk_hdptx_ropll_tmds_mode_config(struct rk_hdptx_phy *hdptx, +-- +2.39.5 + diff --git a/queue-6.12/phy-rockchip-samsung-hdptx-fix-clock-ratio-setup.patch b/queue-6.12/phy-rockchip-samsung-hdptx-fix-clock-ratio-setup.patch new file mode 100644 index 0000000000..38df54f4ea --- /dev/null +++ b/queue-6.12/phy-rockchip-samsung-hdptx-fix-clock-ratio-setup.patch @@ -0,0 +1,51 @@ +From ec24509436bed8a6e992d28815a2b988c9d7fe2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 14:35:37 +0200 +Subject: phy: rockchip: samsung-hdptx: Fix clock ratio setup + +From: Cristian Ciocaltea + +[ Upstream commit 0422253ac1919fea8292381c85f11a9decff1bb1 ] + +The switch from 1/10 to 1/40 clock ratio must happen when exceeding the +340 MHz rate limit of HDMI 1.4, i.e. when entering the HDMI 2.0 domain, +and not before. + +Therefore, use the correct comparison operator '>' instead of '>=' when +checking the max rate. While at it, introduce a define for this rate +limit constant. + +Fixes: 553be2830c5f ("phy: rockchip: Add Samsung HDMI/eDP Combo PHY driver") +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20250318-phy-sam-hdptx-bpc-v6-3-8cb1678e7663@collabora.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c +index 9b99fdd43f5f5..70526c67ca0f1 100644 +--- a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c ++++ b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c +@@ -192,6 +192,7 @@ + #define LN3_TX_SER_RATE_SEL_HBR2 BIT(3) + #define LN3_TX_SER_RATE_SEL_HBR3 BIT(2) + ++#define HDMI14_MAX_RATE 340000000 + #define HDMI20_MAX_RATE 600000000 + + struct lcpll_config { +@@ -851,7 +852,7 @@ static int rk_hdptx_ropll_tmds_mode_config(struct rk_hdptx_phy *hdptx, + + regmap_write(hdptx->regmap, LNTOP_REG(0200), 0x06); + +- if (rate >= 3400000) { ++ if (rate > HDMI14_MAX_RATE / 100) { + /* For 1/40 bitrate clk */ + rk_hdptx_multi_reg_write(hdptx, rk_hdtpx_tmds_lntop_highbr_seq); + } else { +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-at91-fix-possible-out-of-boundary-access.patch b/queue-6.12/pinctrl-at91-fix-possible-out-of-boundary-access.patch new file mode 100644 index 0000000000..ec863b2541 --- /dev/null +++ b/queue-6.12/pinctrl-at91-fix-possible-out-of-boundary-access.patch @@ -0,0 +1,50 @@ +From 004871de07b4bf06f0f5eb96e35ac64f4f904d5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 23:08:07 +0300 +Subject: pinctrl: at91: Fix possible out-of-boundary access + +From: Andy Shevchenko + +[ Upstream commit 762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1 ] + +at91_gpio_probe() doesn't check that given OF alias is not available or +something went wrong when trying to get it. This might have consequences +when accessing gpio_chips array with that value as an index. Note, that +BUG() can be compiled out and hence won't actually perform the required +checks. + +Fixes: 6732ae5cb47c ("ARM: at91: add pinctrl support") +Signed-off-by: Andy Shevchenko +Closes: https://lore.kernel.org/r/202505052343.UHF1Zo93-lkp@intel.com/ +Link: https://lore.kernel.org/20250508200807.1384558-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c +index 93ab277d9943c..fbe74e4ef320c 100644 +--- a/drivers/pinctrl/pinctrl-at91.c ++++ b/drivers/pinctrl/pinctrl-at91.c +@@ -1819,12 +1819,16 @@ static int at91_gpio_probe(struct platform_device *pdev) + struct at91_gpio_chip *at91_chip = NULL; + struct gpio_chip *chip; + struct pinctrl_gpio_range *range; ++ int alias_idx; + int ret = 0; + int irq, i; +- int alias_idx = of_alias_get_id(np, "gpio"); + uint32_t ngpio; + char **names; + ++ alias_idx = of_alias_get_id(np, "gpio"); ++ if (alias_idx < 0) ++ return alias_idx; ++ + BUG_ON(alias_idx >= ARRAY_SIZE(gpio_chips)); + if (gpio_chips[alias_idx]) + return dev_err_probe(dev, -EBUSY, "%d slot is occupied.\n", alias_idx); +-- +2.39.5 + diff --git a/queue-6.12/pm-em-fix-potential-division-by-zero-error-in-em_com.patch b/queue-6.12/pm-em-fix-potential-division-by-zero-error-in-em_com.patch new file mode 100644 index 0000000000..b0e070b54b --- /dev/null +++ b/queue-6.12/pm-em-fix-potential-division-by-zero-error-in-em_com.patch @@ -0,0 +1,46 @@ +From 21059a740b20a2057b524b9a95df2cdae31e6a38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 09:06:13 +0800 +Subject: PM: EM: Fix potential division-by-zero error in em_compute_costs() + +From: Yaxiong Tian + +[ Upstream commit 179c0c7044a378198adb36f2a12410ab68cc730a ] + +When the device is of a non-CPU type, table[i].performance won't be +initialized in the previous em_init_performance(), resulting in division +by zero when calculating costs in em_compute_costs(). + +Since the 'cost' algorithm is only used for EAS energy efficiency +calculations and is currently not utilized by other device drivers, we +should add the _is_cpu_device(dev) check to prevent this division-by-zero +issue. + +Fixes: 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove division") +Signed-off-by: Yaxiong Tian +Reviewed-by: Lukasz Luba +Link: https://patch.msgid.link/tencent_7F99ED4767C1AF7889D0D8AD50F34859CE06@qq.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/energy_model.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c +index 4e1778071d704..1c9fe741fe6d5 100644 +--- a/kernel/power/energy_model.c ++++ b/kernel/power/energy_model.c +@@ -233,6 +233,10 @@ static int em_compute_costs(struct device *dev, struct em_perf_state *table, + unsigned long prev_cost = ULONG_MAX; + int i, ret; + ++ /* This is needed only for CPUs and EAS skip other devices */ ++ if (!_is_cpu_device(dev)) ++ return 0; ++ + /* Compute the cost of each performance state. */ + for (i = nr_states - 1; i >= 0; i--) { + unsigned long power_res, cost; +-- +2.39.5 + diff --git a/queue-6.12/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch b/queue-6.12/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch new file mode 100644 index 0000000000..3975ed7c9f --- /dev/null +++ b/queue-6.12/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch @@ -0,0 +1,60 @@ +From 30aef22b71a43ab6609c9b4a79a981399fa1f4a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 18:19:27 +0200 +Subject: PM: sleep: Fix power.is_suspended cleanup for direct-complete devices + +From: Rafael J. Wysocki + +[ Upstream commit d46c4c839c20a599a0eb8d73708ce401f9c7d06d ] + +Commit 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete +set on errors") caused power.is_suspended to be set for devices with +power.direct_complete set, but it forgot to ensure the clearing of that +flag for them in device_resume(), so power.is_suspended is still set for +them during the next system suspend-resume cycle. + +If that cycle is aborted in dpm_suspend(), the subsequent invocation of +dpm_resume() will trigger a device_resume() call for every device and +because power.is_suspended is set for the devices in question, they will +not be skipped by device_resume() as expected which causes scary error +messages to be logged (as appropriate). + +To address this issue, move the clearing of power.is_suspended in +device_resume() immediately after the power.is_suspended check so it +will be always cleared for all devices processed by that function. + +Fixes: 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete set on errors") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4280 +Reported-and-tested-by: Chris Bainbridge +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mario Limonciello +Link: https://patch.msgid.link/4990586.GXAFRqVoOG@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 1abe61f11525d..faf4cdec23f04 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -916,6 +916,8 @@ static void device_resume(struct device *dev, pm_message_t state, bool async) + if (!dev->power.is_suspended) + goto Complete; + ++ dev->power.is_suspended = false; ++ + if (dev->power.direct_complete) { + /* Match the pm_runtime_disable() in __device_suspend(). */ + pm_runtime_enable(dev); +@@ -971,7 +973,6 @@ static void device_resume(struct device *dev, pm_message_t state, bool async) + + End: + error = dpm_run_callback(callback, dev, state, info); +- dev->power.is_suspended = false; + + device_unlock(dev); + dpm_watchdog_clear(&wd); +-- +2.39.5 + diff --git a/queue-6.12/pm-sleep-print-pm-debug-messages-during-hibernation.patch b/queue-6.12/pm-sleep-print-pm-debug-messages-during-hibernation.patch new file mode 100644 index 0000000000..df721a7940 --- /dev/null +++ b/queue-6.12/pm-sleep-print-pm-debug-messages-during-hibernation.patch @@ -0,0 +1,80 @@ +From 4e15d9f3c211bfb3a01b814a4f72451ca11c43bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 14:51:47 +0200 +Subject: PM: sleep: Print PM debug messages during hibernation + +From: Rafael J. Wysocki + +[ Upstream commit 1b17d4525bca3916644c41e01522df8fa0f8b90b ] + +Commit cdb8c100d8a4 ("include/linux/suspend.h: Only show pm_pr_dbg +messages at suspend/resume") caused PM debug messages to only be +printed during system-wide suspend and resume in progress, but it +forgot about hibernation. + +Address this by adding a check for hibernation in progress to +pm_debug_messages_should_print(). + +Fixes: cdb8c100d8a4 ("include/linux/suspend.h: Only show pm_pr_dbg messages at suspend/resume") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mario Limonciello +Link: https://patch.msgid.link/4998903.GXAFRqVoOG@rjwysocki.net +Signed-off-by: Sasha Levin +--- + kernel/power/hibernate.c | 5 +++++ + kernel/power/main.c | 3 ++- + kernel/power/power.h | 4 ++++ + 3 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index d8bad1eeedd3e..85008ead2ac91 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -89,6 +89,11 @@ void hibernate_release(void) + atomic_inc(&hibernate_atomic); + } + ++bool hibernation_in_progress(void) ++{ ++ return !atomic_read(&hibernate_atomic); ++} ++ + bool hibernation_available(void) + { + return nohibernate == 0 && +diff --git a/kernel/power/main.c b/kernel/power/main.c +index 6254814d48171..0622e7dacf172 100644 +--- a/kernel/power/main.c ++++ b/kernel/power/main.c +@@ -613,7 +613,8 @@ bool pm_debug_messages_on __read_mostly; + + bool pm_debug_messages_should_print(void) + { +- return pm_debug_messages_on && pm_suspend_target_state != PM_SUSPEND_ON; ++ return pm_debug_messages_on && (hibernation_in_progress() || ++ pm_suspend_target_state != PM_SUSPEND_ON); + } + EXPORT_SYMBOL_GPL(pm_debug_messages_should_print); + +diff --git a/kernel/power/power.h b/kernel/power/power.h +index de0e6b1077f23..6d1ec7b23e844 100644 +--- a/kernel/power/power.h ++++ b/kernel/power/power.h +@@ -71,10 +71,14 @@ extern void enable_restore_image_protection(void); + static inline void enable_restore_image_protection(void) {} + #endif /* CONFIG_STRICT_KERNEL_RWX */ + ++extern bool hibernation_in_progress(void); ++ + #else /* !CONFIG_HIBERNATION */ + + static inline void hibernate_reserved_size_init(void) {} + static inline void hibernate_image_size_init(void) {} ++ ++static inline bool hibernation_in_progress(void) { return false; } + #endif /* !CONFIG_HIBERNATION */ + + #define power_attr(_name) \ +-- +2.39.5 + diff --git a/queue-6.12/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch b/queue-6.12/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch new file mode 100644 index 0000000000..598928ab79 --- /dev/null +++ b/queue-6.12/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch @@ -0,0 +1,45 @@ +From 56ebb03f182b1411ca399e2b1f22a479a98347bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 17:26:51 +0800 +Subject: PM: wakeup: Delete space in the end of string shown by + pm_show_wakelocks() + +From: Zijun Hu + +[ Upstream commit f0050a3e214aa941b78ad4caf122a735a24d81a6 ] + +pm_show_wakelocks() is called to generate a string when showing +attributes /sys/power/wake_(lock|unlock), but the string ends +with an unwanted space that was added back by mistake by commit +c9d967b2ce40 ("PM: wakeup: simplify the output logic of +pm_show_wakelocks()"). + +Remove the unwanted space. + +Fixes: c9d967b2ce40 ("PM: wakeup: simplify the output logic of pm_show_wakelocks()") +Signed-off-by: Zijun Hu +Link: https://patch.msgid.link/20250505-fix_power-v1-1-0f7f2c2f338c@quicinc.com +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/wakelock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c +index 52571dcad768b..4e941999a53ba 100644 +--- a/kernel/power/wakelock.c ++++ b/kernel/power/wakelock.c +@@ -49,6 +49,9 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active) + len += sysfs_emit_at(buf, len, "%s ", wl->name); + } + ++ if (len > 0) ++ --len; ++ + len += sysfs_emit_at(buf, len, "\n"); + + mutex_unlock(&wakelocks_lock); +-- +2.39.5 + diff --git a/queue-6.12/power-reset-at91-reset-optimize-at91_reset.patch b/queue-6.12/power-reset-at91-reset-optimize-at91_reset.patch new file mode 100644 index 0000000000..a6e35a12fb --- /dev/null +++ b/queue-6.12/power-reset-at91-reset-optimize-at91_reset.patch @@ -0,0 +1,56 @@ +From 1553ce6397b6d4e0cedd78ab9548a7f3886b5b1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 08:38:09 +0300 +Subject: power: reset: at91-reset: Optimize at91_reset() + +From: Alexander Shiyan + +[ Upstream commit 62d48983f215bf1dd48665913318101fa3414dcf ] + +This patch adds a small optimization to the low-level at91_reset() +function, which includes: +- Removes the extra branch, since the following store operations + already have proper condition checks. +- Removes the definition of the clobber register r4, since it is + no longer used in the code. + +Fixes: fcd0532fac2a ("power: reset: at91-reset: make at91sam9g45_restart() generic") +Signed-off-by: Alexander Shiyan +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20250307053809.20245-1-eagle.alexander923@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/at91-reset.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c +index 16512654295f5..f1e0a0857a90c 100644 +--- a/drivers/power/reset/at91-reset.c ++++ b/drivers/power/reset/at91-reset.c +@@ -129,12 +129,11 @@ static int at91_reset(struct notifier_block *this, unsigned long mode, + " str %4, [%0, %6]\n\t" + /* Disable SDRAM1 accesses */ + "1: tst %1, #0\n\t" +- " beq 2f\n\t" + " strne %3, [%1, #" __stringify(AT91_DDRSDRC_RTR) "]\n\t" + /* Power down SDRAM1 */ + " strne %4, [%1, %6]\n\t" + /* Reset CPU */ +- "2: str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t" ++ " str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t" + + " b .\n\t" + : +@@ -145,7 +144,7 @@ static int at91_reset(struct notifier_block *this, unsigned long mode, + "r" cpu_to_le32(AT91_DDRSDRC_LPCB_POWER_DOWN), + "r" (reset->data->reset_args), + "r" (reset->ramc_lpr) +- : "r4"); ++ ); + + return NOTIFY_DONE; + } +-- +2.39.5 + diff --git a/queue-6.12/powerpc-crash-fix-non-smp-kexec-preparation.patch b/queue-6.12/powerpc-crash-fix-non-smp-kexec-preparation.patch new file mode 100644 index 0000000000..60a6cd7bbe --- /dev/null +++ b/queue-6.12/powerpc-crash-fix-non-smp-kexec-preparation.patch @@ -0,0 +1,43 @@ +From abed6b6a5c6f3770a025cc963e34662858b37ee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 10:20:54 -0600 +Subject: powerpc/crash: Fix non-smp kexec preparation + +From: Eddie James + +[ Upstream commit 882b25af265de8e05c66f72b9a29f6047102958f ] + +In non-smp configurations, crash_kexec_prepare is never called in +the crash shutdown path. One result of this is that the crashing_cpu +variable is never set, preventing crash_save_cpu from storing the +NT_PRSTATUS elf note in the core dump. + +Fixes: c7255058b543 ("powerpc/crash: save cpu register data in crash_smp_send_stop()") +Signed-off-by: Eddie James +Reviewed-by: Hari Bathini +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250211162054.857762-1-eajames@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kexec/crash.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c +index 9ac3266e49652..a325c1c02f96d 100644 +--- a/arch/powerpc/kexec/crash.c ++++ b/arch/powerpc/kexec/crash.c +@@ -359,7 +359,10 @@ void default_machine_crash_shutdown(struct pt_regs *regs) + if (TRAP(regs) == INTERRUPT_SYSTEM_RESET) + is_via_system_reset = 1; + +- crash_smp_send_stop(); ++ if (IS_ENABLED(CONFIG_SMP)) ++ crash_smp_send_stop(); ++ else ++ crash_kexec_prepare(); + + crash_save_cpu(regs, crashing_cpu); + +-- +2.39.5 + diff --git a/queue-6.12/powerpc-do-not-build-ppc_save_regs.o-always.patch b/queue-6.12/powerpc-do-not-build-ppc_save_regs.o-always.patch new file mode 100644 index 0000000000..a7d38e2320 --- /dev/null +++ b/queue-6.12/powerpc-do-not-build-ppc_save_regs.o-always.patch @@ -0,0 +1,44 @@ +From f1fa23b735d0499d18370a88bc8fd04e3f48a7a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 12:53:05 +0200 +Subject: powerpc: do not build ppc_save_regs.o always + +From: Jiri Slaby (SUSE) + +[ Upstream commit 497b7794aef03d525a5be05ae78dd7137c6861a5 ] + +The Fixes commit below tried to add CONFIG_PPC_BOOK3S to one of the +conditions to enable the build of ppc_save_regs.o. But it failed to do +so, in fact. The commit omitted to add a dollar sign. + +Therefore, ppc_save_regs.o is built always these days (as +"(CONFIG_PPC_BOOK3S)" is never an empty string). + +Fix this by adding the missing dollar sign. + +Signed-off-by: Jiri Slaby (SUSE) +Fixes: fc2a5a6161a2 ("powerpc/64s: ppc_save_regs is now needed for all 64s builds") +Acked-by: Stephen Rothwell +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250417105305.397128-1-jirislaby@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile +index f43c1198768c6..b4006a4a11216 100644 +--- a/arch/powerpc/kernel/Makefile ++++ b/arch/powerpc/kernel/Makefile +@@ -162,7 +162,7 @@ endif + + obj64-$(CONFIG_PPC_TRANSACTIONAL_MEM) += tm.o + +-ifneq ($(CONFIG_XMON)$(CONFIG_KEXEC_CORE)(CONFIG_PPC_BOOK3S),) ++ifneq ($(CONFIG_XMON)$(CONFIG_KEXEC_CORE)$(CONFIG_PPC_BOOK3S),) + obj-y += ppc_save_regs.o + endif + +-- +2.39.5 + diff --git a/queue-6.12/powerpc-pseries-iommu-fix-kmemleak-in-tce-table-user.patch b/queue-6.12/powerpc-pseries-iommu-fix-kmemleak-in-tce-table-user.patch new file mode 100644 index 0000000000..f176c38ec5 --- /dev/null +++ b/queue-6.12/powerpc-pseries-iommu-fix-kmemleak-in-tce-table-user.patch @@ -0,0 +1,83 @@ +From 8e767ce6c1dfa98e93ef90b79681e2c62cb837aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 17:46:53 -0500 +Subject: powerpc/pseries/iommu: Fix kmemleak in TCE table userspace view + +From: Gaurav Batra + +[ Upstream commit d36e3f11fe8b55b801bdbe84ad51f612b1bd84da ] + +When a device is opened by a userspace driver, via VFIO interface, DMA +window is created. This DMA window has TCE Table and a corresponding +data for userview of TCE table. + +When the userspace driver closes the device, all the above infrastructure +is free'ed and the device control given back to kernel. Both DMA window +and TCE table is getting free'ed. But due to a code bug, userview of the +TCE table is not getting free'ed. This is resulting in a memory leak. + +Befow is the information from KMEMLEAK + +unreferenced object 0xc008000022af0000 (size 16777216): + comm "senlib_unit_tes", pid 9346, jiffies 4294983174 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 0): + kmemleak_vmalloc+0xc8/0x1a0 + __vmalloc_node_range+0x284/0x340 + vzalloc+0x58/0x70 + spapr_tce_create_table+0x4b0/0x8d0 + tce_iommu_create_table+0xcc/0x170 [vfio_iommu_spapr_tce] + tce_iommu_create_window+0x144/0x2f0 [vfio_iommu_spapr_tce] + tce_iommu_ioctl.part.0+0x59c/0xc90 [vfio_iommu_spapr_tce] + vfio_fops_unl_ioctl+0x88/0x280 [vfio] + sys_ioctl+0xf4/0x160 + system_call_exception+0x164/0x310 + system_call_vectored_common+0xe8/0x278 +unreferenced object 0xc008000023b00000 (size 4194304): + comm "senlib_unit_tes", pid 9351, jiffies 4294984116 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 0): + kmemleak_vmalloc+0xc8/0x1a0 + __vmalloc_node_range+0x284/0x340 + vzalloc+0x58/0x70 + spapr_tce_create_table+0x4b0/0x8d0 + tce_iommu_create_table+0xcc/0x170 [vfio_iommu_spapr_tce] + tce_iommu_create_window+0x144/0x2f0 [vfio_iommu_spapr_tce] + tce_iommu_create_default_window+0x88/0x120 [vfio_iommu_spapr_tce] + tce_iommu_ioctl.part.0+0x57c/0xc90 [vfio_iommu_spapr_tce] + vfio_fops_unl_ioctl+0x88/0x280 [vfio] + sys_ioctl+0xf4/0x160 + system_call_exception+0x164/0x310 + system_call_vectored_common+0xe8/0x278 + +Fixes: f431a8cde7f1 ("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries") +Signed-off-by: Gaurav Batra +Reviewed-by: Nilay Shroff +Reviewed-by: Ritesh Harjani (IBM) +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250512224653.35697-1-gbatra@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c +index d6ebc19fb99c5..eec333dd2e598 100644 +--- a/arch/powerpc/platforms/pseries/iommu.c ++++ b/arch/powerpc/platforms/pseries/iommu.c +@@ -197,7 +197,7 @@ static void tce_iommu_userspace_view_free(struct iommu_table *tbl) + + static void tce_free_pSeries(struct iommu_table *tbl) + { +- if (!tbl->it_userspace) ++ if (tbl->it_userspace) + tce_iommu_userspace_view_free(tbl); + } + +-- +2.39.5 + diff --git a/queue-6.12/randstruct-gcc-plugin-fix-attribute-addition.patch b/queue-6.12/randstruct-gcc-plugin-fix-attribute-addition.patch new file mode 100644 index 0000000000..361c446c1e --- /dev/null +++ b/queue-6.12/randstruct-gcc-plugin-fix-attribute-addition.patch @@ -0,0 +1,134 @@ +From f7cbc742d9375e9c5bc9966d2030cad37f613500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 15:18:28 -0700 +Subject: randstruct: gcc-plugin: Fix attribute addition + +From: Kees Cook + +[ Upstream commit f39f18f3c3531aa802b58a20d39d96e82eb96c14 ] + +Based on changes in the 2021 public version of the randstruct +out-of-tree GCC plugin[1], more carefully update the attributes on +resulting decls, to avoid tripping checks in GCC 15's +comptypes_check_enum_int() when it has been configured with +"--enable-checking=misc": + +arch/arm64/kernel/kexec_image.c:132:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1519 + 132 | const struct kexec_file_ops kexec_image_ops = { + | ^~~~~~~~~~~~~~ + internal_error(char const*, ...), at gcc/gcc/diagnostic-global-context.cc:517 + fancy_abort(char const*, int, char const*), at gcc/gcc/diagnostic.cc:1803 + comptypes_check_enum_int(tree_node*, tree_node*, bool*), at gcc/gcc/c/c-typeck.cc:1519 + ... + +Link: https://archive.org/download/grsecurity/grsecurity-3.1-5.10.41-202105280954.patch.gz [1] +Reported-by: Thiago Jung Bauermann +Closes: https://github.com/KSPP/linux/issues/367 +Closes: https://lore.kernel.org/lkml/20250530000646.104457-1-thiago.bauermann@linaro.org/ +Reported-by: Ingo Saitz +Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104745 +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Tested-by: Thiago Jung Bauermann +Link: https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++++ + scripts/gcc-plugins/randomize_layout_plugin.c | 22 ++++++------- + 2 files changed, 43 insertions(+), 11 deletions(-) + +diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +index 3222c1070444f..ef12c8f929eda 100644 +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -123,6 +123,38 @@ static inline tree build_const_char_string(int len, const char *str) + return cstr; + } + ++static inline void __add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree oldattr; ++ ++ if (type == NULL_TREE) ++ return; ++ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type)); ++ if (oldattr != NULL_TREE) { ++ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args)); ++ return; ++ } ++ ++ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); ++ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type)); ++} ++ ++static inline void add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree main_variant = TYPE_MAIN_VARIANT(type); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args); ++ __add_type_attr(main_variant, attr, args); ++ ++ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) { ++ if (!lookup_attribute(attr, TYPE_ATTRIBUTES(type))) ++ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ } ++} ++ + #define PASS_INFO(NAME, REF, ID, POS) \ + struct register_pass_info NAME##_pass_info = { \ + .pass = make_##NAME##_pass(), \ +diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c +index 971a1908a8cc4..ff65a4f87f240 100644 +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -73,6 +73,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f + + if (TYPE_P(*node)) { + type = *node; ++ } else if (TREE_CODE(*node) == FIELD_DECL) { ++ *no_add_attrs = false; ++ return NULL_TREE; + } else { + gcc_assert(TREE_CODE(*node) == TYPE_DECL); + type = TREE_TYPE(*node); +@@ -348,15 +351,14 @@ static int relayout_struct(tree type) + TREE_CHAIN(newtree[i]) = newtree[i+1]; + TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE; + ++ add_type_attr(type, "randomize_performed", NULL_TREE); ++ add_type_attr(type, "designated_init", NULL_TREE); ++ if (has_flexarray) ++ add_type_attr(type, "has_flexarray", NULL_TREE); ++ + main_variant = TYPE_MAIN_VARIANT(type); +- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) { ++ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) + TYPE_FIELDS(variant) = newtree[0]; +- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- if (has_flexarray) +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } + + /* + * force a re-layout of the main variant +@@ -424,10 +426,8 @@ static void randomize_type(tree type) + if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type)) + relayout_struct(type); + +- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } ++ add_type_attr(type, "randomize_considered", NULL_TREE); ++ + #ifdef __DEBUG_PLUGIN + fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type)); + #ifdef __DEBUG_VERBOSE +-- +2.39.5 + diff --git a/queue-6.12/randstruct-gcc-plugin-remove-bogus-void-member.patch b/queue-6.12/randstruct-gcc-plugin-remove-bogus-void-member.patch new file mode 100644 index 0000000000..2c52e37f9f --- /dev/null +++ b/queue-6.12/randstruct-gcc-plugin-remove-bogus-void-member.patch @@ -0,0 +1,119 @@ +From 211ae5643d10560f6763355298dc41f5a9652db8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Apr 2025 00:37:52 -0700 +Subject: randstruct: gcc-plugin: Remove bogus void member +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit e136a4062174a9a8d1c1447ca040ea81accfa6a8 ] + +When building the randomized replacement tree of struct members, the +randstruct GCC plugin would insert, as the first member, a 0-sized void +member. This appears as though it was done to catch non-designated +("unnamed") static initializers, which wouldn't be stable since they +depend on the original struct layout order. + +This was accomplished by having the side-effect of the "void member" +tripping an assert in GCC internals (count_type_elements) if the member +list ever needed to be counted (e.g. for figuring out the order of members +during a non-designated initialization), which would catch impossible type +(void) in the struct: + +security/landlock/fs.c: In function ‘hook_file_ioctl_common’: +security/landlock/fs.c:1745:61: internal compiler error: in count_type_elements, at expr.cc:7075 + 1745 | .u.op = &(struct lsm_ioctlop_audit) { + | ^ + +static HOST_WIDE_INT +count_type_elements (const_tree type, bool for_ctor_p) +{ + switch (TREE_CODE (type)) +... + case VOID_TYPE: + default: + gcc_unreachable (); + } +} + +However this is a redundant safety measure since randstruct uses the +__designated_initializer attribute both internally and within the +__randomized_layout attribute macro so that this would be enforced +by the compiler directly even when randstruct was not enabled (via +-Wdesignated-init). + +A recent change in Landlock ended up tripping the same member counting +routine when using a full-struct copy initializer as part of an anonymous +initializer. This, however, is a false positive as the initializer is +copying between identical structs (and hence identical layouts). The +"path" member is "struct path", a randomized struct, and is being copied +to from another "struct path", the "f_path" member: + + landlock_log_denial(landlock_cred(file->f_cred), &(struct landlock_request) { + .type = LANDLOCK_REQUEST_FS_ACCESS, + .audit = { + .type = LSM_AUDIT_DATA_IOCTL_OP, + .u.op = &(struct lsm_ioctlop_audit) { + .path = file->f_path, + .cmd = cmd, + }, + }, + ... + +As can be seen with the coming randstruct KUnit test, there appears to +be no behavioral problems with this kind of initialization when the void +member is removed from the randstruct GCC plugin, so remove it. + +Reported-by: "Dr. David Alan Gilbert" +Closes: https://lore.kernel.org/lkml/Z_PRaKx7q70MKgCA@gallifrey/ +Reported-by: Mark Brown +Closes: https://lore.kernel.org/lkml/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/ +Reported-by: WangYuli +Closes: https://lore.kernel.org/lkml/337D5D4887277B27+3c677db3-a8b9-47f0-93a4-7809355f1381@uniontech.com/ +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/gcc-plugins/randomize_layout_plugin.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c +index 5694df3da2e95..971a1908a8cc4 100644 +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -344,29 +344,13 @@ static int relayout_struct(tree type) + + shuffle(type, (tree *)newtree, shuffle_length); + +- /* +- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers +- * as gcc provides no other way to detect such code +- */ +- list = make_node(FIELD_DECL); +- TREE_CHAIN(list) = newtree[0]; +- TREE_TYPE(list) = void_type_node; +- DECL_SIZE(list) = bitsize_zero_node; +- DECL_NONADDRESSABLE_P(list) = 1; +- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node; +- DECL_SIZE_UNIT(list) = size_zero_node; +- DECL_FIELD_OFFSET(list) = size_zero_node; +- DECL_CONTEXT(list) = type; +- // to satisfy the constify plugin +- TREE_READONLY(list) = 1; +- + for (i = 0; i < num_fields - 1; i++) + TREE_CHAIN(newtree[i]) = newtree[i+1]; + TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE; + + main_variant = TYPE_MAIN_VARIANT(type); + for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_FIELDS(variant) = list; ++ TYPE_FIELDS(variant) = newtree[0]; + TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant)); + TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant)); + TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +-- +2.39.5 + diff --git a/queue-6.12/rcu-cpu_stall_cputime-fix-the-hardirq-count-for-x86-.patch b/queue-6.12/rcu-cpu_stall_cputime-fix-the-hardirq-count-for-x86-.patch new file mode 100644 index 0000000000..6036c881d7 --- /dev/null +++ b/queue-6.12/rcu-cpu_stall_cputime-fix-the-hardirq-count-for-x86-.patch @@ -0,0 +1,104 @@ +From 984c89e017cbd153d0bf89359fb863194070b906 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Feb 2025 16:41:09 +0800 +Subject: rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture + +From: Yongliang Gao + +[ Upstream commit da6b85598af30e9fec34d82882d7e1e39f3da769 ] + +When counting the number of hardirqs in the x86 architecture, +it is essential to add arch_irq_stat_cpu to ensure accuracy. + +For example, a CPU loop within the rcu_read_lock function. + +Before: +[ 70.910184] rcu: INFO: rcu_preempt self-detected stall on CPU +[ 70.910436] rcu: 3-....: (4999 ticks this GP) idle=*** +[ 70.910711] rcu: hardirqs softirqs csw/system +[ 70.910870] rcu: number: 0 657 0 +[ 70.911024] rcu: cputime: 0 0 2498 ==> 2498(ms) +[ 70.911278] rcu: (t=5001 jiffies g=3677 q=29 ncpus=8) + +After: +[ 68.046132] rcu: INFO: rcu_preempt self-detected stall on CPU +[ 68.046354] rcu: 2-....: (4999 ticks this GP) idle=*** +[ 68.046628] rcu: hardirqs softirqs csw/system +[ 68.046793] rcu: number: 2498 663 0 +[ 68.046951] rcu: cputime: 0 0 2496 ==> 2496(ms) +[ 68.047244] rcu: (t=5000 jiffies g=3825 q=4 ncpus=8) + +Fixes: be42f00b73a0 ("rcu: Add RCU stall diagnosis information") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202501090842.SfI6QPGS-lkp@intel.com/ +Signed-off-by: Yongliang Gao +Reviewed-by: Neeraj Upadhyay +Link: https://lore.kernel.org/r/20250216084109.3109837-1-leonylgao@gmail.com +Signed-off-by: Boqun Feng +Signed-off-by: Joel Fernandes +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 10 +++++++--- + kernel/rcu/tree.h | 2 +- + kernel/rcu/tree_stall.h | 4 ++-- + 3 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index 4ed8632195217..cefa831c8cb32 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -802,6 +802,10 @@ static int rcu_watching_snap_save(struct rcu_data *rdp) + return 0; + } + ++#ifndef arch_irq_stat_cpu ++#define arch_irq_stat_cpu(cpu) 0 ++#endif ++ + /* + * Returns positive if the specified CPU has passed through a quiescent state + * by virtue of being in or having passed through an dynticks idle state since +@@ -937,9 +941,9 @@ static int rcu_watching_snap_recheck(struct rcu_data *rdp) + rsrp->cputime_irq = kcpustat_field(kcsp, CPUTIME_IRQ, cpu); + rsrp->cputime_softirq = kcpustat_field(kcsp, CPUTIME_SOFTIRQ, cpu); + rsrp->cputime_system = kcpustat_field(kcsp, CPUTIME_SYSTEM, cpu); +- rsrp->nr_hardirqs = kstat_cpu_irqs_sum(rdp->cpu); +- rsrp->nr_softirqs = kstat_cpu_softirqs_sum(rdp->cpu); +- rsrp->nr_csw = nr_context_switches_cpu(rdp->cpu); ++ rsrp->nr_hardirqs = kstat_cpu_irqs_sum(cpu) + arch_irq_stat_cpu(cpu); ++ rsrp->nr_softirqs = kstat_cpu_softirqs_sum(cpu); ++ rsrp->nr_csw = nr_context_switches_cpu(cpu); + rsrp->jiffies = jiffies; + rsrp->gp_seq = rdp->gp_seq; + } +diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h +index a9a811d9d7a37..1bba2225e7448 100644 +--- a/kernel/rcu/tree.h ++++ b/kernel/rcu/tree.h +@@ -168,7 +168,7 @@ struct rcu_snap_record { + u64 cputime_irq; /* Accumulated cputime of hard irqs */ + u64 cputime_softirq;/* Accumulated cputime of soft irqs */ + u64 cputime_system; /* Accumulated cputime of kernel tasks */ +- unsigned long nr_hardirqs; /* Accumulated number of hard irqs */ ++ u64 nr_hardirqs; /* Accumulated number of hard irqs */ + unsigned int nr_softirqs; /* Accumulated number of soft irqs */ + unsigned long long nr_csw; /* Accumulated number of task switches */ + unsigned long jiffies; /* Track jiffies value */ +diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h +index 4432db6d0b99b..4d524a2212a8d 100644 +--- a/kernel/rcu/tree_stall.h ++++ b/kernel/rcu/tree_stall.h +@@ -457,8 +457,8 @@ static void print_cpu_stat_info(int cpu) + rsr.cputime_system = kcpustat_field(kcsp, CPUTIME_SYSTEM, cpu); + + pr_err("\t hardirqs softirqs csw/system\n"); +- pr_err("\t number: %8ld %10d %12lld\n", +- kstat_cpu_irqs_sum(cpu) - rsrp->nr_hardirqs, ++ pr_err("\t number: %8lld %10d %12lld\n", ++ kstat_cpu_irqs_sum(cpu) + arch_irq_stat_cpu(cpu) - rsrp->nr_hardirqs, + kstat_cpu_softirqs_sum(cpu) - rsrp->nr_softirqs, + nr_context_switches_cpu(cpu) - rsrp->nr_csw); + pr_err("\tcputime: %8lld %10lld %12lld ==> %d(ms)\n", +-- +2.39.5 + diff --git a/queue-6.12/rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch b/queue-6.12/rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch new file mode 100644 index 0000000000..3865dff94c --- /dev/null +++ b/queue-6.12/rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch @@ -0,0 +1,52 @@ +From 0079575625726ba89174d8ac95d6f0bce8380650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 14:36:02 +0300 +Subject: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work + +From: Jack Morgenstein + +[ Upstream commit 92a251c3df8ea1991cd9fe00f1ab0cfce18d7711 ] + +The cited commit fixed a crash when cma_netevent_callback was called for +a cma_id while work on that id from a previous call had not yet started. +The work item was re-initialized in the second call, which corrupted the +work item currently in the work queue. + +However, it left a problem when queue_work fails (because the item is +still pending in the work queue from a previous call). In this case, +cma_id_put (which is called in the work handler) is therefore not +called. This results in a userspace process hang (zombie process). + +Fix this by calling cma_id_put() if queue_work fails. + +Fixes: 45f5dcdd0497 ("RDMA/cma: Fix workqueue crash in cma_netevent_work_handler") +Link: https://patch.msgid.link/r/4f3640b501e48d0166f312a64fdadf72b059bd04.1747827103.git.leon@kernel.org +Signed-off-by: Jack Morgenstein +Signed-off-by: Feng Liu +Reviewed-by: Vlad Dumitrescu +Signed-off-by: Leon Romanovsky +Reviewed-by: Sharath Srinivasan +Reviewed-by: Kalesh AP +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c +index 176d0b3e44887..81bc24a346d37 100644 +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -5231,7 +5231,8 @@ static int cma_netevent_callback(struct notifier_block *self, + neigh->ha, ETH_ALEN)) + continue; + cma_id_get(current_id); +- queue_work(cma_wq, ¤t_id->id.net_work); ++ if (!queue_work(cma_wq, ¤t_id->id.net_work)) ++ cma_id_put(current_id); + } + out: + spin_unlock_irqrestore(&id_table_lock, flags); +-- +2.39.5 + diff --git a/queue-6.12/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch b/queue-6.12/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch new file mode 100644 index 0000000000..8feadec401 --- /dev/null +++ b/queue-6.12/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch @@ -0,0 +1,93 @@ +From a83244e40b8235333981eba9b041170cbe61b481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 21:27:49 +0800 +Subject: RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h + +From: Junxian Huang + +[ Upstream commit 2b11d33de23262cb20d1dcb24b586dbb8f54d463 ] + +hns_roce_hw_v2.h has a direct dependency on hnae3.h due to the +inline function hns_roce_write64(), but it doesn't include this +header currently. This leads to that files including +hns_roce_hw_v2.h must also include hnae3.h to avoid compilation +errors, even if they themselves don't really rely on hnae3.h. +This doesn't make sense, hns_roce_hw_v2.h should include hnae3.h +directly. + +Fixes: d3743fa94ccd ("RDMA/hns: Fix the chip hanging caused by sending doorbell during reset") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250421132750.1363348-6-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_ah.c | 1 - + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 - + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 + + drivers/infiniband/hw/hns/hns_roce_main.c | 1 - + drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 - + 5 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c +index 4fc5b9d5fea87..307c35888b300 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_ah.c ++++ b/drivers/infiniband/hw/hns/hns_roce_ah.c +@@ -33,7 +33,6 @@ + #include + #include + #include +-#include "hnae3.h" + #include "hns_roce_device.h" + #include "hns_roce_hw_v2.h" + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index f5c3e560df58d..985b9d7d69f20 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -43,7 +43,6 @@ + #include + #include + +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_cmd.h" +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index 91a5665465ffb..bc7466830eaf9 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -34,6 +34,7 @@ + #define _HNS_ROCE_HW_V2_H + + #include ++#include "hnae3.h" + + #define HNS_ROCE_V2_MAX_RC_INL_INN_SZ 32 + #define HNS_ROCE_V2_MTT_ENTRY_SZ 64 +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index 8d0b63d4b50a6..e7a497cc125cc 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -37,7 +37,6 @@ + #include + #include + #include +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_hem.h" +diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c +index 356d988169497..f637b73b946e4 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c ++++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c +@@ -4,7 +4,6 @@ + #include + #include + #include +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_hw_v2.h" +-- +2.39.5 + diff --git a/queue-6.12/rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch b/queue-6.12/rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch new file mode 100644 index 0000000000..89da9e5da7 --- /dev/null +++ b/queue-6.12/rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch @@ -0,0 +1,140 @@ +From 7339e42ad3500cd65909692b1be2ba740b52af2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 14:34:07 +0300 +Subject: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction + +From: Patrisious Haddad + +[ Upstream commit 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 ] + +Upon RQ destruction if the firmware command fails which is the +last resource to be destroyed some SW resources were already cleaned +regardless of the failure. + +Now properly rollback the object to its original state upon such failure. + +In order to avoid a use-after free in case someone tries to destroy the +object again, which results in the following kernel trace: +refcount_t: underflow; use-after-free. +WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 +Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) +CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1 +Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : refcount_warn_saturate+0xf4/0x148 +lr : refcount_warn_saturate+0xf4/0x148 +sp : ffff80008b81b7e0 +x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 +x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 +x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 +x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 +x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f +x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78 +x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 +x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff +x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 +x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 +Call trace: + refcount_warn_saturate+0xf4/0x148 + mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib] + mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib] + mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib] + ib_destroy_wq_user+0x30/0xc0 [ib_core] + uverbs_free_wq+0x28/0x58 [ib_uverbs] + destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs] + uverbs_destroy_uobject+0x48/0x240 [ib_uverbs] + __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs] + uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs] + ib_uverbs_close+0x2c/0x100 [ib_uverbs] + __fput+0xd8/0x2f0 + __fput_sync+0x50/0x70 + __arm64_sys_close+0x40/0x90 + invoke_syscall.constprop.0+0x74/0xd0 + do_el0_svc+0x48/0xe8 + el0_svc+0x44/0x1d0 + el0t_64_sync_handler+0x120/0x130 + el0t_64_sync+0x1a4/0x1a8 + +Fixes: e2013b212f9f ("net/mlx5_core: Add RQ and SQ event handling") +Signed-off-by: Patrisious Haddad +Link: https://patch.msgid.link/3181433ccdd695c63560eeeb3f0c990961732101.1745839855.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/qpc.c | 30 ++++++++++++++++++++++++++++-- + include/linux/mlx5/driver.h | 1 + + 2 files changed, 29 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c +index d3dcc272200af..146d03ae40bd9 100644 +--- a/drivers/infiniband/hw/mlx5/qpc.c ++++ b/drivers/infiniband/hw/mlx5/qpc.c +@@ -21,8 +21,10 @@ mlx5_get_rsc(struct mlx5_qp_table *table, u32 rsn) + spin_lock_irqsave(&table->lock, flags); + + common = radix_tree_lookup(&table->tree, rsn); +- if (common) ++ if (common && !common->invalid) + refcount_inc(&common->refcount); ++ else ++ common = NULL; + + spin_unlock_irqrestore(&table->lock, flags); + +@@ -178,6 +180,18 @@ static int create_resource_common(struct mlx5_ib_dev *dev, + return 0; + } + ++static void modify_resource_common_state(struct mlx5_ib_dev *dev, ++ struct mlx5_core_qp *qp, ++ bool invalid) ++{ ++ struct mlx5_qp_table *table = &dev->qp_table; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&table->lock, flags); ++ qp->common.invalid = invalid; ++ spin_unlock_irqrestore(&table->lock, flags); ++} ++ + static void destroy_resource_common(struct mlx5_ib_dev *dev, + struct mlx5_core_qp *qp) + { +@@ -609,8 +623,20 @@ int mlx5_core_create_rq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen, + int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev, + struct mlx5_core_qp *rq) + { ++ int ret; ++ ++ /* The rq destruction can be called again in case it fails, hence we ++ * mark the common resource as invalid and only once FW destruction ++ * is completed successfully we actually destroy the resources. ++ */ ++ modify_resource_common_state(dev, rq, true); ++ ret = destroy_rq_tracked(dev, rq->qpn, rq->uid); ++ if (ret) { ++ modify_resource_common_state(dev, rq, false); ++ return ret; ++ } + destroy_resource_common(dev, rq); +- return destroy_rq_tracked(dev, rq->qpn, rq->uid); ++ return 0; + } + + static void destroy_sq_tracked(struct mlx5_ib_dev *dev, u32 sqn, u16 uid) +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index d4b2c09cd5fec..da9749739abde 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -395,6 +395,7 @@ struct mlx5_core_rsc_common { + enum mlx5_res_type res; + refcount_t refcount; + struct completion free; ++ bool invalid; + }; + + struct mlx5_uars_page { +-- +2.39.5 + diff --git a/queue-6.12/remoteproc-k3-dsp-drop-check-performed-in-k3_dsp_rpr.patch b/queue-6.12/remoteproc-k3-dsp-drop-check-performed-in-k3_dsp_rpr.patch new file mode 100644 index 0000000000..8e06c07b11 --- /dev/null +++ b/queue-6.12/remoteproc-k3-dsp-drop-check-performed-in-k3_dsp_rpr.patch @@ -0,0 +1,64 @@ +From d454123c10a6858d1178d298455ddd96414a568f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 11:14:36 +0530 +Subject: remoteproc: k3-dsp: Drop check performed in + k3_dsp_rproc_{mbox_callback/kick} + +From: Siddharth Vadapalli + +[ Upstream commit 349d62ab207f55f039c3ddb40b36e95c2f0b3ed0 ] + +Commit ea1d6fb5b571 ("remoteproc: k3-dsp: Acquire mailbox handle during +probe routine") introduced a check in the "k3_dsp_rproc_mbox_callback()" +and "k3_dsp_rproc_kick()" callbacks, causing them to exit if the remote +core's state is "RPROC_DETACHED". However, the "__rproc_attach()" +function that is responsible for attaching to a remote core, updates the +state of the remote core to "RPROC_ATTACHED" only after invoking +"rproc_start_subdevices()". + +The "rproc_start_subdevices()" function triggers the probe of the Virtio +RPMsg devices associated with the remote core, which require that the +"k3_dsp_rproc_kick()" and "k3_dsp_rproc_mbox_callback()" callbacks are +functional. Hence, drop the check in the callbacks. + +Fixes: ea1d6fb5b571 ("remoteproc: k3-dsp: Acquire mailbox handle during probe routine") +Signed-off-by: Siddharth Vadapalli +Signed-off-by: Beleswar Padhi +Tested-by: Judith Mendez +Reviewed-by: Andrew Davis +Link: https://lore.kernel.org/r/20250513054510.3439842-3-b-padhi@ti.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/ti_k3_dsp_remoteproc.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/remoteproc/ti_k3_dsp_remoteproc.c b/drivers/remoteproc/ti_k3_dsp_remoteproc.c +index 8be3f631c1920..2ae0655ddf1d2 100644 +--- a/drivers/remoteproc/ti_k3_dsp_remoteproc.c ++++ b/drivers/remoteproc/ti_k3_dsp_remoteproc.c +@@ -115,10 +115,6 @@ static void k3_dsp_rproc_mbox_callback(struct mbox_client *client, void *data) + const char *name = kproc->rproc->name; + u32 msg = omap_mbox_message(data); + +- /* Do not forward messages from a detached core */ +- if (kproc->rproc->state == RPROC_DETACHED) +- return; +- + dev_dbg(dev, "mbox msg: 0x%x\n", msg); + + switch (msg) { +@@ -159,10 +155,6 @@ static void k3_dsp_rproc_kick(struct rproc *rproc, int vqid) + mbox_msg_t msg = (mbox_msg_t)vqid; + int ret; + +- /* Do not forward messages to a detached core */ +- if (kproc->rproc->state == RPROC_DETACHED) +- return; +- + /* send the index of the triggered virtqueue in the mailbox payload */ + ret = mbox_send_message(kproc->mbox, (void *)msg); + if (ret < 0) +-- +2.39.5 + diff --git a/queue-6.12/remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch b/queue-6.12/remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch new file mode 100644 index 0000000000..f192eb2d41 --- /dev/null +++ b/queue-6.12/remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch @@ -0,0 +1,64 @@ +From 13b6ed5e7c06a735b165008c9a9aa4300e75e6df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 11:14:35 +0530 +Subject: remoteproc: k3-r5: Drop check performed in + k3_r5_rproc_{mbox_callback/kick} + +From: Siddharth Vadapalli + +[ Upstream commit 9995dbfc2235efabdb3759606d522e1a7ec3bdcb ] + +Commit f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during +probe routine") introduced a check in the "k3_r5_rproc_mbox_callback()" +and "k3_r5_rproc_kick()" callbacks, causing them to exit if the remote +core's state is "RPROC_DETACHED". However, the "__rproc_attach()" +function that is responsible for attaching to a remote core, updates +the state of the remote core to "RPROC_ATTACHED" only after invoking +"rproc_start_subdevices()". + +The "rproc_start_subdevices()" function triggers the probe of the Virtio +RPMsg devices associated with the remote core, which require that the +"k3_r5_rproc_kick()" and "k3_r5_rproc_mbox_callback()" callbacks are +functional. Hence, drop the check in the callbacks. + +Fixes: f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during probe routine") +Signed-off-by: Siddharth Vadapalli +Signed-off-by: Beleswar Padhi +Tested-by: Judith Mendez +Reviewed-by: Andrew Davis +Link: https://lore.kernel.org/r/20250513054510.3439842-2-b-padhi@ti.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/ti_k3_r5_remoteproc.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c +index 747ee467da88c..4894461aa65f3 100644 +--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c ++++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c +@@ -194,10 +194,6 @@ static void k3_r5_rproc_mbox_callback(struct mbox_client *client, void *data) + const char *name = kproc->rproc->name; + u32 msg = omap_mbox_message(data); + +- /* Do not forward message from a detached core */ +- if (kproc->rproc->state == RPROC_DETACHED) +- return; +- + dev_dbg(dev, "mbox msg: 0x%x\n", msg); + + switch (msg) { +@@ -233,10 +229,6 @@ static void k3_r5_rproc_kick(struct rproc *rproc, int vqid) + mbox_msg_t msg = (mbox_msg_t)vqid; + int ret; + +- /* Do not forward message to a detached core */ +- if (kproc->rproc->state == RPROC_DETACHED) +- return; +- + /* send the index of the triggered virtqueue in the mailbox payload */ + ret = mbox_send_message(kproc->mbox, (void *)msg); + if (ret < 0) +-- +2.39.5 + diff --git a/queue-6.12/remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch b/queue-6.12/remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch new file mode 100644 index 0000000000..4d895bc2fe --- /dev/null +++ b/queue-6.12/remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch @@ -0,0 +1,44 @@ +From b7119adf089802e17210db08c6430eb882637f6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 13:59:51 +0300 +Subject: remoteproc: qcom_wcnss_iris: Add missing put_device() on error in + probe + +From: Dan Carpenter + +[ Upstream commit 0cb4b1b97041d8a1f773425208ded253c1cb5869 ] + +The device_del() call matches with the device_add() but we also need +to call put_device() to trigger the qcom_iris_release(). + +Fixes: 1fcef985c8bd ("remoteproc: qcom: wcnss: Fix race with iris probe") +Signed-off-by: Dan Carpenter +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/4604f7e0-3217-4095-b28a-3ff8b5afad3a@stanley.mountain +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_wcnss_iris.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/remoteproc/qcom_wcnss_iris.c b/drivers/remoteproc/qcom_wcnss_iris.c +index dd36fd077911a..1e197f7734742 100644 +--- a/drivers/remoteproc/qcom_wcnss_iris.c ++++ b/drivers/remoteproc/qcom_wcnss_iris.c +@@ -197,6 +197,7 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo) + + err_device_del: + device_del(&iris->dev); ++ put_device(&iris->dev); + + return ERR_PTR(ret); + } +@@ -204,4 +205,5 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo) + void qcom_iris_remove(struct qcom_iris *iris) + { + device_del(&iris->dev); ++ put_device(&iris->dev); + } +-- +2.39.5 + diff --git a/queue-6.12/risc-v-kvm-lock-the-correct-mp_state-during-reset.patch b/queue-6.12/risc-v-kvm-lock-the-correct-mp_state-during-reset.patch new file mode 100644 index 0000000000..d22fc40e4c --- /dev/null +++ b/queue-6.12/risc-v-kvm-lock-the-correct-mp_state-during-reset.patch @@ -0,0 +1,45 @@ +From 0d244389074f98d2408cd884b64127ac68b0b8a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 12:47:28 +0200 +Subject: RISC-V: KVM: lock the correct mp_state during reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Radim Krčmář + +[ Upstream commit 7917be170928189fefad490d1a1237fdfa6b856f ] + +Currently, the kvm_riscv_vcpu_sbi_system_reset() function locks +vcpu->arch.mp_state_lock when updating tmp->arch.mp_state.mp_state +which is incorrect hence fix it. + +Fixes: 2121cadec45a ("RISCV: KVM: Introduce mp_state_lock to avoid lock inversion") +Signed-off-by: Radim Krčmář +Reviewed-by: Anup Patel +Link: https://lore.kernel.org/r/20250523104725.2894546-4-rkrcmar@ventanamicro.com +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + arch/riscv/kvm/vcpu_sbi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kvm/vcpu_sbi.c b/arch/riscv/kvm/vcpu_sbi.c +index 6e704ed86a83a..635c67ed36653 100644 +--- a/arch/riscv/kvm/vcpu_sbi.c ++++ b/arch/riscv/kvm/vcpu_sbi.c +@@ -139,9 +139,9 @@ void kvm_riscv_vcpu_sbi_system_reset(struct kvm_vcpu *vcpu, + struct kvm_vcpu *tmp; + + kvm_for_each_vcpu(i, tmp, vcpu->kvm) { +- spin_lock(&vcpu->arch.mp_state_lock); ++ spin_lock(&tmp->arch.mp_state_lock); + WRITE_ONCE(tmp->arch.mp_state.mp_state, KVM_MP_STATE_STOPPED); +- spin_unlock(&vcpu->arch.mp_state_lock); ++ spin_unlock(&tmp->arch.mp_state_lock); + } + kvm_make_all_cpus_request(vcpu->kvm, KVM_REQ_SLEEP); + +-- +2.39.5 + diff --git a/queue-6.12/riscv-misaligned-fix-sleeping-function-called-during.patch b/queue-6.12/riscv-misaligned-fix-sleeping-function-called-during.patch new file mode 100644 index 0000000000..4e3a99355e --- /dev/null +++ b/queue-6.12/riscv-misaligned-fix-sleeping-function-called-during.patch @@ -0,0 +1,71 @@ +From 7d72dd44d787c4d26d483cc5713c1e7e02498636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Apr 2025 15:38:50 +0800 +Subject: riscv: misaligned: fix sleeping function called during misaligned + access handling + +From: Nylon Chen + +[ Upstream commit 61a74ad254628ccd9e88838c3c622885dfb6c588 ] + +Use copy_from_user_nofault() and copy_to_user_nofault() instead of +copy_from/to_user functions in the misaligned access trap handlers. + +The following bug report was found when executing misaligned memory +accesses: + +BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:162 +in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 115, name: two +preempt_count: 0, expected: 0 +CPU: 0 UID: 0 PID: 115 Comm: two Not tainted 6.14.0-rc5 #24 +Hardware name: riscv-virtio,qemu (DT) +Call Trace: + [] dump_backtrace+0x1c/0x24 + [] show_stack+0x28/0x34 + [] dump_stack_lvl+0x4a/0x68 + [] dump_stack+0x14/0x1c + [] __might_resched+0xfa/0x104 + [] __might_sleep+0x3e/0x62 + [] __might_fault+0x1c/0x24 + [] _copy_from_user+0x28/0xaa + [] handle_misaligned_store+0x204/0x254 + [] do_trap_store_misaligned+0x24/0xee + [] handle_exception+0x146/0x152 + +Fixes: b686ecdeacf6 ("riscv: misaligned: Restrict user access to kernel memory") +Fixes: 441381506ba7 ("riscv: misaligned: remove CONFIG_RISCV_M_MODE specific code") + +Signed-off-by: Zong Li +Signed-off-by: Nylon Chen +Link: https://lore.kernel.org/r/20250411073850.3699180-3-nylon.chen@sifive.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/traps_misaligned.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/kernel/traps_misaligned.c b/arch/riscv/kernel/traps_misaligned.c +index d14bfc23e315b..36ac96eac9c9e 100644 +--- a/arch/riscv/kernel/traps_misaligned.c ++++ b/arch/riscv/kernel/traps_misaligned.c +@@ -429,7 +429,7 @@ int handle_misaligned_load(struct pt_regs *regs) + + val.data_u64 = 0; + if (user_mode(regs)) { +- if (copy_from_user(&val, (u8 __user *)addr, len)) ++ if (copy_from_user_nofault(&val, (u8 __user *)addr, len)) + return -1; + } else { + memcpy(&val, (u8 *)addr, len); +@@ -530,7 +530,7 @@ int handle_misaligned_store(struct pt_regs *regs) + return -EOPNOTSUPP; + + if (user_mode(regs)) { +- if (copy_to_user((u8 __user *)addr, &val, len)) ++ if (copy_to_user_nofault((u8 __user *)addr, &val, len)) + return -1; + } else { + memcpy((u8 *)addr, &val, len); +-- +2.39.5 + diff --git a/queue-6.12/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch b/queue-6.12/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch new file mode 100644 index 0000000000..bc290ddb35 --- /dev/null +++ b/queue-6.12/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch @@ -0,0 +1,38 @@ +From 1273879bcc89ef9c182b21403cfba2380178ca3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 20:22:05 +0300 +Subject: rpmsg: qcom_smd: Fix uninitialized return variable in + __qcom_smd_send() + +From: Dan Carpenter + +[ Upstream commit 5de775df3362090a6e90046d1f2d83fe62489aa0 ] + +The "ret" variable isn't initialized if we don't enter the loop. For +example, if "channel->state" is not SMD_CHANNEL_OPENED. + +Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/aAkhvV0nSbrsef1P@stanley.mountain +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index 43f601c84b4fc..79d35ab43729e 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data, + __le32 hdr[5] = { cpu_to_le32(len), }; + int tlen = sizeof(hdr) + len; + unsigned long flags; +- int ret; ++ int ret = 0; + + /* Word aligned channels only accept word size aligned data */ + if (channel->info_word && len % 4) +-- +2.39.5 + diff --git a/queue-6.12/rtc-loongson-add-missing-alarm-notifications-for-acp.patch b/queue-6.12/rtc-loongson-add-missing-alarm-notifications-for-acp.patch new file mode 100644 index 0000000000..496fe05722 --- /dev/null +++ b/queue-6.12/rtc-loongson-add-missing-alarm-notifications-for-acp.patch @@ -0,0 +1,52 @@ +From ded6ba72272b744b9c4cda51779d011bbd5fc864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 16:44:16 +0800 +Subject: rtc: loongson: Add missing alarm notifications for ACPI RTC events + +From: Liu Dalin + +[ Upstream commit 5af9f1fa576874b24627d4c05e3a84672204c200 ] + +When an application sets and enables an alarm on Loongson RTC devices, +the alarm notification fails to propagate to userspace because the +ACPI event handler omits calling rtc_update_irq(). + +As a result, processes waiting via select() or poll() on RTC device +files fail to receive alarm notifications. + +The ACPI interrupt is also triggered multiple times. In loongson_rtc_handler, +we need to clear TOY_MATCH0_REG to resolve this issue. + +Fixes: 09471d8f5b39 ("rtc: loongson: clear TOY_MATCH0_REG in loongson_rtc_isr()") +Fixes: 1b733a9ebc3d ("rtc: Add rtc driver for the Loongson family chips") +Signed-off-by: Liu Dalin +Reviewed-by: Binbin Zhou +Link: https://lore.kernel.org/r/20250509084416.7979-1-liudalin@kylinsec.com.cn +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-loongson.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/rtc/rtc-loongson.c b/drivers/rtc/rtc-loongson.c +index 90e9d97a86b48..c9d5b91a6544d 100644 +--- a/drivers/rtc/rtc-loongson.c ++++ b/drivers/rtc/rtc-loongson.c +@@ -129,6 +129,14 @@ static u32 loongson_rtc_handler(void *id) + { + struct loongson_rtc_priv *priv = (struct loongson_rtc_priv *)id; + ++ rtc_update_irq(priv->rtcdev, 1, RTC_AF | RTC_IRQF); ++ ++ /* ++ * The TOY_MATCH0_REG should be cleared 0 here, ++ * otherwise the interrupt cannot be cleared. ++ */ ++ regmap_write(priv->regmap, TOY_MATCH0_REG, 0); ++ + spin_lock(&priv->lock); + /* Disable RTC alarm wakeup and interrupt */ + writel(readl(priv->pm_base + PM1_EN_REG) & ~RTC_EN, +-- +2.39.5 + diff --git a/queue-6.12/rtc-sh-assign-correct-interrupts-with-dt.patch b/queue-6.12/rtc-sh-assign-correct-interrupts-with-dt.patch new file mode 100644 index 0000000000..d57362f1d5 --- /dev/null +++ b/queue-6.12/rtc-sh-assign-correct-interrupts-with-dt.patch @@ -0,0 +1,51 @@ +From 573208cf8918e4ae0f732bb0d43321a67113ba83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 14:42:56 +0100 +Subject: rtc: sh: assign correct interrupts with DT + +From: Wolfram Sang + +[ Upstream commit 8f2efdbc303fe7baa83843d3290dd6ea5ba3276c ] + +The DT bindings for this driver define the interrupts in the order as +they are numbered in the interrupt controller. The old platform_data, +however, listed them in a different order. So, for DT based platforms, +they are mixed up. Assign them specifically for DT, so we can keep the +bindings stable. After the fix, 'rtctest' passes again on the Renesas +Genmai board (RZ-A1 / R7S72100). + +Fixes: dab5aec64bf5 ("rtc: sh: add support for rza series") +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20250227134256.9167-11-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-sh.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c +index 27a191fa3704c..e66c9c6fd3724 100644 +--- a/drivers/rtc/rtc-sh.c ++++ b/drivers/rtc/rtc-sh.c +@@ -485,9 +485,15 @@ static int __init sh_rtc_probe(struct platform_device *pdev) + return -ENOENT; + } + +- rtc->periodic_irq = ret; +- rtc->carry_irq = platform_get_irq(pdev, 1); +- rtc->alarm_irq = platform_get_irq(pdev, 2); ++ if (!pdev->dev.of_node) { ++ rtc->periodic_irq = ret; ++ rtc->carry_irq = platform_get_irq(pdev, 1); ++ rtc->alarm_irq = platform_get_irq(pdev, 2); ++ } else { ++ rtc->alarm_irq = ret; ++ rtc->periodic_irq = platform_get_irq(pdev, 1); ++ rtc->carry_irq = platform_get_irq(pdev, 2); ++ } + + res = platform_get_resource(pdev, IORESOURCE_IO, 0); + if (!res) +-- +2.39.5 + diff --git a/queue-6.12/rust-alloc-add-missing-invariant-in-vec-set_len.patch b/queue-6.12/rust-alloc-add-missing-invariant-in-vec-set_len.patch new file mode 100644 index 0000000000..cf0710771e --- /dev/null +++ b/queue-6.12/rust-alloc-add-missing-invariant-in-vec-set_len.patch @@ -0,0 +1,40 @@ +From 2155a6a8df829f7b8eb891593c6cd7903aed5d01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 16:43:02 +0100 +Subject: rust: alloc: add missing invariant in Vec::set_len() + +From: Danilo Krummrich + +[ Upstream commit fb1bf1067de979c89ae33589e0466d6ce0dde204 ] + +When setting a new length, we have to justify that the set length +represents the exact number of elements stored in the vector. + +Reviewed-by: Benno Lossin +Reported-by: Alice Ryhl +Closes: https://lore.kernel.org/rust-for-linux/20250311-iov-iter-v1-4-f6c9134ea824@google.com +Fixes: 2aac4cd7dae3 ("rust: alloc: implement kernel `Vec` type") +Link: https://lore.kernel.org/r/20250315154436.65065-2-dakr@kernel.org +Signed-off-by: Danilo Krummrich +Signed-off-by: Sasha Levin +--- + rust/kernel/alloc/kvec.rs | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs +index 87a71fd40c3ca..f62204fe563f5 100644 +--- a/rust/kernel/alloc/kvec.rs ++++ b/rust/kernel/alloc/kvec.rs +@@ -196,6 +196,9 @@ where + #[inline] + pub unsafe fn set_len(&mut self, new_len: usize) { + debug_assert!(new_len <= self.capacity()); ++ ++ // INVARIANT: By the safety requirements of this method `new_len` represents the exact ++ // number of elements stored within `self`. + self.len = new_len; + } + +-- +2.39.5 + diff --git a/queue-6.12/s390-bpf-store-backchain-even-for-leaf-progs.patch b/queue-6.12/s390-bpf-store-backchain-even-for-leaf-progs.patch new file mode 100644 index 0000000000..94163c527d --- /dev/null +++ b/queue-6.12/s390-bpf-store-backchain-even-for-leaf-progs.patch @@ -0,0 +1,68 @@ +From 3b59196e068be0cae6b14197659efcc72282a63d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 14:26:15 +0200 +Subject: s390/bpf: Store backchain even for leaf progs + +From: Ilya Leoshkevich + +[ Upstream commit 5f55f2168432298f5a55294831ab6a76a10cb3c3 ] + +Currently a crash in a leaf prog (caused by a bug) produces the +following call trace: + + [<000003ff600ebf00>] bpf_prog_6df0139e1fbf2789_fentry+0x20/0x78 + [<0000000000000000>] 0x0 + +This is because leaf progs do not store backchain. Fix by making all +progs do it. This is what GCC and Clang-generated code does as well. +Now the call trace looks like this: + + [<000003ff600eb0f2>] bpf_prog_6df0139e1fbf2789_fentry+0x2a/0x80 + [<000003ff600ed096>] bpf_trampoline_201863462940+0x96/0xf4 + [<000003ff600e3a40>] bpf_prog_05f379658fdd72f2_classifier_0+0x58/0xc0 + [<000003ffe0aef070>] bpf_test_run+0x210/0x390 + [<000003ffe0af0dc2>] bpf_prog_test_run_skb+0x25a/0x668 + [<000003ffe038a90e>] __sys_bpf+0xa46/0xdb0 + [<000003ffe038ad0c>] __s390x_sys_bpf+0x44/0x50 + [<000003ffe0defea8>] __do_syscall+0x150/0x280 + [<000003ffe0e01d5c>] system_call+0x74/0x98 + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Ilya Leoshkevich +Link: https://lore.kernel.org/r/20250512122717.54878-1-iii@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 9d440a0b729eb..64bb8b71013ae 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -605,17 +605,15 @@ static void bpf_jit_prologue(struct bpf_jit *jit, struct bpf_prog *fp, + } + /* Setup stack and backchain */ + if (is_first_pass(jit) || (jit->seen & SEEN_STACK)) { +- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC)) +- /* lgr %w1,%r15 (backchain) */ +- EMIT4(0xb9040000, REG_W1, REG_15); ++ /* lgr %w1,%r15 (backchain) */ ++ EMIT4(0xb9040000, REG_W1, REG_15); + /* la %bfp,STK_160_UNUSED(%r15) (BPF frame pointer) */ + EMIT4_DISP(0x41000000, BPF_REG_FP, REG_15, STK_160_UNUSED); + /* aghi %r15,-STK_OFF */ + EMIT4_IMM(0xa70b0000, REG_15, -(STK_OFF + stack_depth)); +- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC)) +- /* stg %w1,152(%r15) (backchain) */ +- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, +- REG_15, 152); ++ /* stg %w1,152(%r15) (backchain) */ ++ EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, ++ REG_15, 152); + } + } + +-- +2.39.5 + diff --git a/queue-6.12/sched-core-tweak-wait_task_inactive-to-force-dequeue.patch b/queue-6.12/sched-core-tweak-wait_task_inactive-to-force-dequeue.patch new file mode 100644 index 0000000000..b2df430b4c --- /dev/null +++ b/queue-6.12/sched-core-tweak-wait_task_inactive-to-force-dequeue.patch @@ -0,0 +1,65 @@ +From 2566b2de2e694cdf4390e418c527dbec2e9c8c48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 08:07:26 -0700 +Subject: sched/core: Tweak wait_task_inactive() to force dequeue sched_delayed + tasks + +From: John Stultz + +[ Upstream commit b7ca5743a2604156d6083b88cefacef983f3a3a6 ] + +It was reported that in 6.12, smpboot_create_threads() was +taking much longer then in 6.6. + +I narrowed down the call path to: + smpboot_create_threads() + -> kthread_create_on_cpu() + -> kthread_bind() + -> __kthread_bind_mask() + ->wait_task_inactive() + +Where in wait_task_inactive() we were regularly hitting the +queued case, which sets a 1 tick timeout, which when called +multiple times in a row, accumulates quickly into a long +delay. + +I noticed disabling the DELAY_DEQUEUE sched feature recovered +the performance, and it seems the newly create tasks are usually +sched_delayed and left on the runqueue. + +So in wait_task_inactive() when we see the task +p->se.sched_delayed, manually dequeue the sched_delayed task +with DEQUEUE_DELAYED, so we don't have to constantly wait a +tick. + +Fixes: 152e11f6df29 ("sched/fair: Implement delayed dequeue") +Reported-by: peter-yc.chang@mediatek.com +Signed-off-by: John Stultz +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: K Prateek Nayak +Link: https://lkml.kernel.org/r/20250429150736.3778580-1-jstultz@google.com +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 814abc7ad994a..51f36de5990a3 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -2229,6 +2229,12 @@ unsigned long wait_task_inactive(struct task_struct *p, unsigned int match_state + * just go back and repeat. + */ + rq = task_rq_lock(p, &rf); ++ /* ++ * If task is sched_delayed, force dequeue it, to avoid always ++ * hitting the tick timeout in the queued case ++ */ ++ if (p->se.sched_delayed) ++ dequeue_task(rq, p, DEQUEUE_SLEEP | DEQUEUE_DELAYED); + trace_sched_wait_task(p); + running = task_on_cpu(rq, p); + queued = task_on_rq_queued(p); +-- +2.39.5 + diff --git a/queue-6.12/sched-fix-trace_sched_switch-.prev_state.patch b/queue-6.12/sched-fix-trace_sched_switch-.prev_state.patch new file mode 100644 index 0000000000..c9975881c6 --- /dev/null +++ b/queue-6.12/sched-fix-trace_sched_switch-.prev_state.patch @@ -0,0 +1,53 @@ +From 65355069737845130b3608a8e6ea646fa148a1be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 22:23:23 +0100 +Subject: sched: Fix trace_sched_switch(.prev_state) + +From: Peter Zijlstra + +[ Upstream commit 8feb053d53194382fcfb68231296fdc220497ea6 ] + +Gabriele noted that in case of signal_pending_state(), the tracepoint +sees a stale task-state. + +Fixes: fa2c3254d7cf ("sched/tracing: Don't re-read p->state when emitting sched_switch event") +Reported-by: Gabriele Monaco +Signed-off-by: Peter Zijlstra (Intel) +Cc: Valentin Schneider +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index e9bb1b4c58421..814abc7ad994a 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -6517,12 +6517,14 @@ pick_next_task(struct rq *rq, struct task_struct *prev, struct rq_flags *rf) + * Otherwise marks the task's __state as RUNNING + */ + static bool try_to_block_task(struct rq *rq, struct task_struct *p, +- unsigned long task_state) ++ unsigned long *task_state_p) + { ++ unsigned long task_state = *task_state_p; + int flags = DEQUEUE_NOCLOCK; + + if (signal_pending_state(task_state, p)) { + WRITE_ONCE(p->__state, TASK_RUNNING); ++ *task_state_p = TASK_RUNNING; + return false; + } + +@@ -6656,7 +6658,7 @@ static void __sched notrace __schedule(int sched_mode) + goto picked; + } + } else if (!preempt && prev_state) { +- try_to_block_task(rq, prev, prev_state); ++ try_to_block_task(rq, prev, &prev_state); + switch_count = &prev->nvcsw; + } + +-- +2.39.5 + diff --git a/queue-6.12/scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch b/queue-6.12/scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch new file mode 100644 index 0000000000..636c4ffc5b --- /dev/null +++ b/queue-6.12/scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch @@ -0,0 +1,79 @@ +From a25802ecf9bab5899819d6a787b97ea302a75a6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 16:08:44 +0800 +Subject: scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk + +From: Yihang Li + +[ Upstream commit e4d953ca557e02edd3aed7390043e1b8ad1c9723 ] + +In commit 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe +I_T nexus reset failure"), if the softreset fails upon certain +conditions, the PHY connected to the disk is disabled directly. Manual +recovery is required, which is inconvenient for users in actual use. + +In addition, SATA disks do not support simultaneous connection of multiple +hosts. Therefore, when multiple controllers are connected to a SATA disk +at the same time, the controller which is connected later failed to issue +an ATA softreset to the SATA disk. As a result, the PHY associated with +the disk is disabled and cannot be automatically recovered. + +Now that, we will not focus on the execution result of softreset. No +matter whether the execution is successful or not, we will directly carry +out I_T_nexus_reset. + +Fixes: 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe I_T nexus reset failure") +Signed-off-by: Yihang Li +Link: https://lore.kernel.org/r/20250414080845.1220997-4-liyihang9@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 29 +++++---------------------- + 1 file changed, 5 insertions(+), 24 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index e98e6b2b9f570..d9500b7306905 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -1850,33 +1850,14 @@ static int hisi_sas_I_T_nexus_reset(struct domain_device *device) + } + hisi_sas_dereg_device(hisi_hba, device); + +- rc = hisi_sas_debug_I_T_nexus_reset(device); +- if (rc == TMF_RESP_FUNC_COMPLETE && dev_is_sata(device)) { +- struct sas_phy *local_phy; +- ++ if (dev_is_sata(device)) { + rc = hisi_sas_softreset_ata_disk(device); +- switch (rc) { +- case -ECOMM: +- rc = -ENODEV; +- break; +- case TMF_RESP_FUNC_FAILED: +- case -EMSGSIZE: +- case -EIO: +- local_phy = sas_get_local_phy(device); +- rc = sas_phy_enable(local_phy, 0); +- if (!rc) { +- local_phy->enabled = 0; +- dev_err(dev, "Disabled local phy of ATA disk %016llx due to softreset fail (%d)\n", +- SAS_ADDR(device->sas_addr), rc); +- rc = -ENODEV; +- } +- sas_put_local_phy(local_phy); +- break; +- default: +- break; +- } ++ if (rc == TMF_RESP_FUNC_FAILED) ++ dev_err(dev, "ata disk %016llx reset (%d)\n", ++ SAS_ADDR(device->sas_addr), rc); + } + ++ rc = hisi_sas_debug_I_T_nexus_reset(device); + if ((rc == TMF_RESP_FUNC_COMPLETE) || (rc == -ENODEV)) + hisi_sas_release_task(hisi_hba, device); + +-- +2.39.5 + diff --git a/queue-6.12/scsi-qedf-use-designated-initializer-for-struct-qed_.patch b/queue-6.12/scsi-qedf-use-designated-initializer-for-struct-qed_.patch new file mode 100644 index 0000000000..2fa62fb37e --- /dev/null +++ b/queue-6.12/scsi-qedf-use-designated-initializer-for-struct-qed_.patch @@ -0,0 +1,43 @@ +From 037b5858c2775e1d5a6861cb06a31853b0bfd051 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 May 2025 15:41:57 -0700 +Subject: scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops + +From: Kees Cook + +[ Upstream commit d8720235d5b5cad86c1f07f65117ef2a96f8bec7 ] + +Recent fixes to the randstruct GCC plugin allowed it to notice +that this structure is entirely function pointers and is therefore +subject to randomization, but doing so requires that it always use +designated initializers. Explicitly specify the "common" member as being +initialized. Silences: + +drivers/scsi/qedf/qedf_main.c:702:9: error: positional initialization of field in 'struct' declared with 'designated_init' attribute [-Werror=designated-init] + 702 | { + | ^ + +Fixes: 035f7f87b729 ("randstruct: Enable Clang support") +Link: https://lore.kernel.org/r/20250502224156.work.617-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index e979ec1478c18..e895bd25098fd 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -699,7 +699,7 @@ static u32 qedf_get_login_failures(void *cookie) + } + + static struct qed_fcoe_cb_ops qedf_cb_ops = { +- { ++ .common = { + .link_update = qedf_link_update, + .bw_update = qedf_bw_update, + .schedule_recovery_handler = qedf_schedule_recovery_handler, +-- +2.39.5 + diff --git a/queue-6.12/scsi-smartpqi-fix-smp_processor_id-call-trace-for-pr.patch b/queue-6.12/scsi-smartpqi-fix-smp_processor_id-call-trace-for-pr.patch new file mode 100644 index 0000000000..a1f93684d6 --- /dev/null +++ b/queue-6.12/scsi-smartpqi-fix-smp_processor_id-call-trace-for-pr.patch @@ -0,0 +1,69 @@ +From 0213d1d62031b72b6743a0d94c96b190a0596dd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 13:32:28 -0500 +Subject: scsi: smartpqi: Fix smp_processor_id() call trace for preemptible + kernels + +From: Yi Zhang + +[ Upstream commit 42d033cf4b517e91c187ad2fbd7b30fdc6d2d62c ] + +Correct kernel call trace when calling smp_processor_id() when called in +preemptible kernels by using raw_smp_processor_id(). + +smp_processor_id() checks to see if preemption is disabled and if not, +issue an error message followed by a call to dump_stack(). + +Brief example of call trace: +kernel: check_preemption_disabled: 436 callbacks suppressed +kernel: BUG: using smp_processor_id() in preemptible [00000000] + code: kworker/u1025:0/2354 +kernel: caller is pqi_scsi_queue_command+0x183/0x310 [smartpqi] +kernel: CPU: 129 PID: 2354 Comm: kworker/u1025:0 +kernel: ... +kernel: Workqueue: writeback wb_workfn (flush-253:0) +kernel: Call Trace: +kernel: +kernel: dump_stack_lvl+0x34/0x48 +kernel: check_preemption_disabled+0xdd/0xe0 +kernel: pqi_scsi_queue_command+0x183/0x310 [smartpqi] +kernel: ... + +Fixes: 283dcc1b142e ("scsi: smartpqi: add counter for parity write stream requests") +Reviewed-by: Scott Benesh +Reviewed-by: Mike McGowen +Tested-by: Don Brace +Signed-off-by: Yi Zhang +Signed-off-by: Don Brace +Link: https://lore.kernel.org/r/20250423183229.538572-5-don.brace@microchip.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index d919a74746a05..8cc9f924a8ae6 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -5990,7 +5990,7 @@ static bool pqi_is_parity_write_stream(struct pqi_ctrl_info *ctrl_info, + pqi_stream_data->next_lba = rmd.first_block + + rmd.block_cnt; + pqi_stream_data->last_accessed = jiffies; +- per_cpu_ptr(device->raid_io_stats, smp_processor_id())->write_stream_cnt++; ++ per_cpu_ptr(device->raid_io_stats, raw_smp_processor_id())->write_stream_cnt++; + return true; + } + +@@ -6069,7 +6069,7 @@ static int pqi_scsi_queue_command(struct Scsi_Host *shost, struct scsi_cmnd *scm + rc = pqi_raid_bypass_submit_scsi_cmd(ctrl_info, device, scmd, queue_group); + if (rc == 0 || rc == SCSI_MLQUEUE_HOST_BUSY) { + raid_bypassed = true; +- per_cpu_ptr(device->raid_io_stats, smp_processor_id())->raid_bypass_cnt++; ++ per_cpu_ptr(device->raid_io_stats, raw_smp_processor_id())->raid_bypass_cnt++; + } + } + if (!raid_bypassed) +-- +2.39.5 + diff --git a/queue-6.12/scsi-ufs-mcq-delete-ufshcd_release_scsi_cmd-in-ufshc.patch b/queue-6.12/scsi-ufs-mcq-delete-ufshcd_release_scsi_cmd-in-ufshc.patch new file mode 100644 index 0000000000..99c5e26b5a --- /dev/null +++ b/queue-6.12/scsi-ufs-mcq-delete-ufshcd_release_scsi_cmd-in-ufshc.patch @@ -0,0 +1,58 @@ +From 4b1972b36f41d6ac3ddd2d9986291b205cfa3c70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 16:38:12 +0800 +Subject: scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in + ufshcd_mcq_abort() + +From: ping.gao + +[ Upstream commit 53755903b9357e69b2dd6a02fafbb1e30c741895 ] + +After UFS_ABORT_TASK has been processed successfully, the host will +generate MCQ IRQ for ABORT TAG with response OCS_ABORTED. This results in +ufshcd_compl_one_cqe() calling ufshcd_release_scsi_cmd(). + +But ufshcd_mcq_abort() already calls ufshcd_release_scsi_cmd(), resulting +in __ufshcd_release() being called twice. This means +hba->clk_gating.active_reqs will be decreased twice, making it go +negative. + +Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort(). + +Fixes: f1304d442077 ("scsi: ufs: mcq: Added ufshcd_mcq_abort()") +Signed-off-by: ping.gao +Link: https://lore.kernel.org/r/20250516083812.3894396-1-ping.gao@samsung.com +Reviewed-by: Peter Wang +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufs-mcq.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c +index 45b04f3c37764..420e943bb73a7 100644 +--- a/drivers/ufs/core/ufs-mcq.c ++++ b/drivers/ufs/core/ufs-mcq.c +@@ -670,7 +670,6 @@ int ufshcd_mcq_abort(struct scsi_cmnd *cmd) + int tag = scsi_cmd_to_rq(cmd)->tag; + struct ufshcd_lrb *lrbp = &hba->lrb[tag]; + struct ufs_hw_queue *hwq; +- unsigned long flags; + int err; + + /* Skip task abort in case previous aborts failed and report failure */ +@@ -709,10 +708,5 @@ int ufshcd_mcq_abort(struct scsi_cmnd *cmd) + return FAILED; + } + +- spin_lock_irqsave(&hwq->cq_lock, flags); +- if (ufshcd_cmd_inflight(lrbp->cmd)) +- ufshcd_release_scsi_cmd(hba, lrbp); +- spin_unlock_irqrestore(&hwq->cq_lock, flags); +- + return SUCCESS; + } +-- +2.39.5 + diff --git a/queue-6.12/scsi-ufs-qcom-prevent-calling-phy_exit-before-phy_in.patch b/queue-6.12/scsi-ufs-qcom-prevent-calling-phy_exit-before-phy_in.patch new file mode 100644 index 0000000000..24885fb02b --- /dev/null +++ b/queue-6.12/scsi-ufs-qcom-prevent-calling-phy_exit-before-phy_in.patch @@ -0,0 +1,44 @@ +From 9f5a9531206f62f216723520d0cb9c472bc6d323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 21:08:12 +0530 +Subject: scsi: ufs: qcom: Prevent calling phy_exit() before phy_init() + +From: Nitin Rawat + +[ Upstream commit 7831003165d37ecb7b33843fcee05cada0359a82 ] + +Prevent calling phy_exit() before phy_init() to avoid abnormal power +count and the following warning during boot up. + +[5.146763] phy phy-1d80000.phy.0: phy_power_on was called before phy_init + +Fixes: 7bac65687510 ("scsi: ufs: qcom: Power off the PHY if it was already powered on in ufs_qcom_power_up_sequence()") +Signed-off-by: Nitin Rawat +Link: https://lore.kernel.org/r/20250526153821.7918-2-quic_nitirawa@quicinc.com +Reviewed-by: Konrad Dybcio +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-qcom.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c +index 4557b1bcd6356..a715f377d0a80 100644 +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -366,10 +366,9 @@ static int ufs_qcom_power_up_sequence(struct ufs_hba *hba) + if (ret) + return ret; + +- if (phy->power_count) { ++ if (phy->power_count) + phy_power_off(phy); +- phy_exit(phy); +- } ++ + + /* phy initialization - calibrate the phy */ + ret = phy_init(phy); +-- +2.39.5 + diff --git a/queue-6.12/seg6-fix-validation-of-nexthop-addresses.patch b/queue-6.12/seg6-fix-validation-of-nexthop-addresses.patch new file mode 100644 index 0000000000..665cc3df7d --- /dev/null +++ b/queue-6.12/seg6-fix-validation-of-nexthop-addresses.patch @@ -0,0 +1,48 @@ +From 254316ea7758c3eea243af842b27040db5529efb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 14:32:52 +0300 +Subject: seg6: Fix validation of nexthop addresses + +From: Ido Schimmel + +[ Upstream commit 7632fedb266d93ed0ed9f487133e6c6314a9b2d1 ] + +The kernel currently validates that the length of the provided nexthop +address does not exceed the specified length. This can lead to the +kernel reading uninitialized memory if user space provided a shorter +length than the specified one. + +Fix by validating that the provided length exactly matches the specified +one. + +Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel") +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20250604113252.371528-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/seg6_local.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c +index c74705ead9849..e445a0a45568d 100644 +--- a/net/ipv6/seg6_local.c ++++ b/net/ipv6/seg6_local.c +@@ -1644,10 +1644,8 @@ static const struct nla_policy seg6_local_policy[SEG6_LOCAL_MAX + 1] = { + [SEG6_LOCAL_SRH] = { .type = NLA_BINARY }, + [SEG6_LOCAL_TABLE] = { .type = NLA_U32 }, + [SEG6_LOCAL_VRFTABLE] = { .type = NLA_U32 }, +- [SEG6_LOCAL_NH4] = { .type = NLA_BINARY, +- .len = sizeof(struct in_addr) }, +- [SEG6_LOCAL_NH6] = { .type = NLA_BINARY, +- .len = sizeof(struct in6_addr) }, ++ [SEG6_LOCAL_NH4] = NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)), ++ [SEG6_LOCAL_NH6] = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)), + [SEG6_LOCAL_IIF] = { .type = NLA_U32 }, + [SEG6_LOCAL_OIF] = { .type = NLA_U32 }, + [SEG6_LOCAL_BPF] = { .type = NLA_NESTED }, +-- +2.39.5 + diff --git a/queue-6.12/selftests-bpf-fix-bpf_nf-selftest-failure.patch b/queue-6.12/selftests-bpf-fix-bpf_nf-selftest-failure.patch new file mode 100644 index 0000000000..ac88e3f2b1 --- /dev/null +++ b/queue-6.12/selftests-bpf-fix-bpf_nf-selftest-failure.patch @@ -0,0 +1,43 @@ +From 0618f0f68ef330038d2616fefae1f2610f956278 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 15:26:33 +0530 +Subject: selftests/bpf: Fix bpf_nf selftest failure + +From: Saket Kumar Bhaskar + +[ Upstream commit 967e8def1100cb4b08c28a54d27ce69563fdf281 ] + +For systems with missing iptables-legacy tool this selftest fails. + +Add check to find if iptables-legacy tool is available and skip the +test if the tool is missing. + +Fixes: de9c8d848d90 ("selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test") +Signed-off-by: Saket Kumar Bhaskar +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250409095633.33653-1-skb99@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/bpf_nf.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c +index a4a1f93878d40..fad98f01e2c06 100644 +--- a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c ++++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c +@@ -63,6 +63,12 @@ static void test_bpf_nf_ct(int mode) + .repeat = 1, + ); + ++ if (SYS_NOFAIL("iptables-legacy --version")) { ++ fprintf(stdout, "Missing required iptables-legacy tool\n"); ++ test__skip(); ++ return; ++ } ++ + skel = test_bpf_nf__open_and_load(); + if (!ASSERT_OK_PTR(skel, "test_bpf_nf__open_and_load")) + return; +-- +2.39.5 + diff --git a/queue-6.12/selftests-bpf-fix-caps-for-__xlated-jited_unpriv.patch b/queue-6.12/selftests-bpf-fix-caps-for-__xlated-jited_unpriv.patch new file mode 100644 index 0000000000..ffdec19f3b --- /dev/null +++ b/queue-6.12/selftests-bpf-fix-caps-for-__xlated-jited_unpriv.patch @@ -0,0 +1,70 @@ +From 73c19a077e52b4b916fc548524d16367fd008d96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 09:35:52 +0200 +Subject: selftests/bpf: Fix caps for __xlated/jited_unpriv + +From: Luis Gerhorst + +[ Upstream commit cf15cdc0f0f39a5c6315200808ec3e3995b0c2d2 ] + +Currently, __xlated_unpriv and __jited_unpriv do not work because the +BPF syscall will overwrite info.jited_prog_len and info.xlated_prog_len +with 0 if the process is not bpf_capable(). This bug was not noticed +before, because there is no test that actually uses +__xlated_unpriv/__jited_unpriv. + +To resolve this, simply restore the capabilities earlier (but still +after loading the program). Adding this here unconditionally is fine +because the function first checks that the capabilities were initialized +before attempting to restore them. + +This will be important later when we add tests that check whether a +speculation barrier was inserted in the correct location. + +Signed-off-by: Luis Gerhorst +Fixes: 9c9f73391310 ("selftests/bpf: allow checking xlated programs in verifier_* tests") +Fixes: 7d743e4c759c ("selftests/bpf: __jited test tag to check disassembly after jit") +Acked-by: Kumar Kartikeya Dwivedi +Tested-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20250501073603.1402960-2-luis.gerhorst@fau.de +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_loader.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c +index 3e9b009580d4e..7f69d7b5bd4d4 100644 +--- a/tools/testing/selftests/bpf/test_loader.c ++++ b/tools/testing/selftests/bpf/test_loader.c +@@ -970,6 +970,14 @@ void run_subtest(struct test_loader *tester, + emit_verifier_log(tester->log_buf, false /*force*/); + validate_msgs(tester->log_buf, &subspec->expect_msgs, emit_verifier_log); + ++ /* Restore capabilities because the kernel will silently ignore requests ++ * for program info (such as xlated program text) if we are not ++ * bpf-capable. Also, for some reason test_verifier executes programs ++ * with all capabilities restored. Do the same here. ++ */ ++ if (restore_capabilities(&caps)) ++ goto tobj_cleanup; ++ + if (subspec->expect_xlated.cnt) { + err = get_xlated_program_text(bpf_program__fd(tprog), + tester->log_buf, tester->log_buf_sz); +@@ -995,12 +1003,6 @@ void run_subtest(struct test_loader *tester, + } + + if (should_do_test_run(spec, subspec)) { +- /* For some reason test_verifier executes programs +- * with all capabilities restored. Do the same here. +- */ +- if (restore_capabilities(&caps)) +- goto tobj_cleanup; +- + /* Do bpf_map__attach_struct_ops() for each struct_ops map. + * This should trigger bpf_struct_ops->reg callback on kernel side. + */ +-- +2.39.5 + diff --git a/queue-6.12/selftests-net-build-net-lib-dependency-in-all-target.patch b/queue-6.12/selftests-net-build-net-lib-dependency-in-all-target.patch new file mode 100644 index 0000000000..be0e710238 --- /dev/null +++ b/queue-6.12/selftests-net-build-net-lib-dependency-in-all-target.patch @@ -0,0 +1,40 @@ +From 7a3b2fb58b65ae85cc50c207666c6aa2227a6010 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Jun 2025 21:29:13 +0700 +Subject: selftests: net: build net/lib dependency in all target + +From: Bui Quang Minh + +[ Upstream commit d3f2a9587ebe68f5067f9ff624f9a83dfb911f60 ] + +We have the logic to include net/lib automatically for net related +selftests. However, currently, this logic is only in install target +which means only `make install` will have net/lib included. This commit +adds the logic to all target so that all `make`, `make run_tests` and +`make install` will have net/lib included in net related selftests. + +Signed-off-by: Bui Quang Minh +Link: https://patch.msgid.link/20250601142914.13379-1-minhquangbui99@gmail.com +Fixes: b86761ff6374 ("selftests: net: add scaffolding for Netlink tests in Python") +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile +index 9cf769d415687..85c5f39131d34 100644 +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -196,7 +196,7 @@ export KHDR_INCLUDES + + all: + @ret=1; \ +- for TARGET in $(TARGETS); do \ ++ for TARGET in $(TARGETS) $(INSTALL_DEP_TARGETS); do \ + BUILD_TARGET=$$BUILD/$$TARGET; \ + mkdir $$BUILD_TARGET -p; \ + $(MAKE) OUTPUT=$$BUILD_TARGET -C $$TARGET \ +-- +2.39.5 + diff --git a/queue-6.12/selftests-seccomp-fix-negative_enosys-tracer-tests-o.patch b/queue-6.12/selftests-seccomp-fix-negative_enosys-tracer-tests-o.patch new file mode 100644 index 0000000000..dcff456fda --- /dev/null +++ b/queue-6.12/selftests-seccomp-fix-negative_enosys-tracer-tests-o.patch @@ -0,0 +1,50 @@ +From 2c1ea366f086f0bde41755f34587801a33420ae7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 12:56:22 +0100 +Subject: selftests/seccomp: fix negative_ENOSYS tracer tests on arm32 + +From: Terry Tritton + +[ Upstream commit 73989c998814d82c71d523c104c398925470d59e ] + +TRACE_syscall.ptrace.negative_ENOSYS and TRACE_syscall.seccomp.negative_ENOSYS +on arm32 are being reported as failures instead of skipping. + +The teardown_trace_fixture function sets the test to KSFT_FAIL in case of a +non 0 return value from the tracer process. +Due to _metadata now being shared between the forked processes the tracer is +returning the KSFT_SKIP value set by the tracee which is non 0. + +Remove the setting of the _metadata.exit_code in teardown_trace_fixture. + +Fixes: 24cf65a62266 ("selftests/harness: Share _metadata between forked processes") +Signed-off-by: Terry Tritton +Link: https://lore.kernel.org/r/20250509115622.64775-1-terry.tritton@linaro.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index abc32e4352df3..60c84d935a2b0 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -1618,14 +1618,8 @@ void teardown_trace_fixture(struct __test_metadata *_metadata, + { + if (tracer) { + int status; +- /* +- * Extract the exit code from the other process and +- * adopt it for ourselves in case its asserts failed. +- */ + ASSERT_EQ(0, kill(tracer, SIGUSR1)); + ASSERT_EQ(tracer, waitpid(tracer, &status, 0)); +- if (WEXITSTATUS(status)) +- _metadata->exit_code = KSFT_FAIL; + } + } + +-- +2.39.5 + diff --git a/queue-6.12/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch b/queue-6.12/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch new file mode 100644 index 0000000000..719c472443 --- /dev/null +++ b/queue-6.12/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch @@ -0,0 +1,53 @@ +From 684f919a003867a1ded803015d1650e4fb0a038b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Apr 2025 09:40:58 +0000 +Subject: selftests/seccomp: fix syscall_restart test for arm compat + +From: Neill Kapron + +[ Upstream commit 797002deed03491215a352ace891749b39741b69 ] + +The inconsistencies in the systcall ABI between arm and arm-compat can +can cause a failure in the syscall_restart test due to the logic +attempting to work around the differences. The 'machine' field for an +ARM64 device running in compat mode can report 'armv8l' or 'armv8b' +which matches with the string 'arm' when only examining the first three +characters of the string. + +This change adds additional validation to the workaround logic to make +sure we only take the arm path when running natively, not in arm-compat. + +Fixes: 256d0afb11d6 ("selftests/seccomp: build and pass on arm64") +Signed-off-by: Neill Kapron +Link: https://lore.kernel.org/r/20250427094103.3488304-2-nkapron@google.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index 8c3a73461475b..abc32e4352df3 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -3155,12 +3155,15 @@ TEST(syscall_restart) + ret = get_syscall(_metadata, child_pid); + #if defined(__arm__) + /* +- * FIXME: + * - native ARM registers do NOT expose true syscall. + * - compat ARM registers on ARM64 DO expose true syscall. ++ * - values of utsbuf.machine include 'armv8l' or 'armb8b' ++ * for ARM64 running in compat mode. + */ + ASSERT_EQ(0, uname(&utsbuf)); +- if (strncmp(utsbuf.machine, "arm", 3) == 0) { ++ if ((strncmp(utsbuf.machine, "arm", 3) == 0) && ++ (strncmp(utsbuf.machine, "armv8l", 6) != 0) && ++ (strncmp(utsbuf.machine, "armv8b", 6) != 0)) { + EXPECT_EQ(__NR_nanosleep, ret); + } else + #endif +-- +2.39.5 + diff --git a/queue-6.12/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch b/queue-6.12/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch new file mode 100644 index 0000000000..2f31228ffa --- /dev/null +++ b/queue-6.12/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch @@ -0,0 +1,43 @@ +From 01ce1659e45f0fb6126404f20bd1a911e6765e29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 15:03:39 +0800 +Subject: serial: Fix potential null-ptr-deref in mlb_usio_probe() + +From: Henry Martin + +[ Upstream commit 86bcae88c9209e334b2f8c252f4cc66beb261886 ] + +devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() +does not check for this case, which could result in a NULL pointer +dereference. + +Add NULL check after devm_ioremap() to prevent this issue. + +Fixes: ba44dc043004 ("serial: Add Milbeaut serial control") +Signed-off-by: Henry Martin +Link: https://lore.kernel.org/r/20250403070339.64990-1-bsdhenrymartin@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/milbeaut_usio.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c +index fb082ee73d5b2..9b54f017f2e8a 100644 +--- a/drivers/tty/serial/milbeaut_usio.c ++++ b/drivers/tty/serial/milbeaut_usio.c +@@ -523,7 +523,10 @@ static int mlb_usio_probe(struct platform_device *pdev) + } + port->membase = devm_ioremap(&pdev->dev, res->start, + resource_size(res)); +- ++ if (!port->membase) { ++ ret = -ENOMEM; ++ goto failed; ++ } + ret = platform_get_irq_byname(pdev, "rx"); + mlb_usio_irq[index][RX] = ret; + +-- +2.39.5 + diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..dbee420f20 --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1,397 @@ +tools-x86-kcpuid-fix-error-handling.patch +x86-idle-remove-mfences-for-x86_bug_clflush_monitor-.patch +crypto-sun8i-ce-hash-fix-error-handling-in-sun8i_ce_.patch +sched-fix-trace_sched_switch-.prev_state.patch +perf-x86-amd-uncore-remove-unused-struct-amd_uncore_.patch +perf-x86-amd-uncore-prevent-umc-counters-from-satura.patch +gfs2-replace-sd_aspace-with-sd_inode.patch +gfs2-gfs2_create_inode-error-handling-fix.patch +perf-core-fix-broken-throttling-when-max_samples_per.patch +crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch +crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch +powerpc-do-not-build-ppc_save_regs.o-always.patch +powerpc-crash-fix-non-smp-kexec-preparation.patch +sched-core-tweak-wait_task_inactive-to-force-dequeue.patch +x86-microcode-amd-do-not-return-error-when-microcode.patch +crypto-sun8i-ce-undo-runtime-pm-changes-during-drive.patch +x86-cpu-sanitize-cpuid-0x80000000-output.patch +x86-insn-fix-opcode-map-rex2-superscript-tags.patch +brd-fix-aligned_sector-from-brd_do_discard.patch +brd-fix-discard-end-sector.patch +kselftest-cpufreq-get-rid-of-double-suspend-in-rtcwa.patch +crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch +crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch +erofs-fix-file-handle-encoding-for-64-bit-nids.patch +erofs-avoid-using-multiple-devices-with-different-ty.patch +powerpc-pseries-iommu-fix-kmemleak-in-tce-table-user.patch +btrfs-scrub-update-device-stats-when-an-error-is-det.patch +btrfs-scrub-fix-a-wrong-error-type-when-metadata-byt.patch +btrfs-fix-invalid-data-space-release-when-truncating.patch +rcu-cpu_stall_cputime-fix-the-hardirq-count-for-x86-.patch +crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch +crypto-xts-only-add-ecb-if-it-is-not-already-there.patch +crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch +kunit-fix-wrong-parameter-to-kunit_deactivate_static.patch +crypto-api-redo-lookup-on-eexist.patch +acpica-exserial-don-t-forget-to-handle-ffixedhw-opre.patch +tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch +asoc-tas2764-enable-main-irqs.patch +asoc-mediatek-mt8195-set-etdm1-2-in-out-to-comp_dumm.patch +edac-skx_common-fix-general-protection-fault.patch +edac-skx_common-i10nm-fix-the-loss-of-saved-rrl-for-.patch +tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch +spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch +spi-tegra210-quad-remove-redundant-error-handling-co.patch +spi-tegra210-quad-modify-chip-select-cs-deactivation.patch +power-reset-at91-reset-optimize-at91_reset.patch +pm-em-fix-potential-division-by-zero-error-in-em_com.patch +asoc-sof-ipc4-pcm-adjust-pipeline_list-pipelines-all.patch +asoc-sof-amd-add-missing-acp-descriptor-field.patch +pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch +acpi-resource-fix-a-typo-for-mechrevo-in-irq1_edge_l.patch +x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch +pm-sleep-print-pm-debug-messages-during-hibernation.patch +thermal-drivers-mediatek-lvts-fix-debugfs-unregister.patch +acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch +spi-sh-msiof-fix-maximum-dma-transfer-size.patch +asoc-apple-mca-constrain-channels-according-to-tdm-m.patch +alsa-core-fix-up-bus-match-const-issues.patch +drm-vmwgfx-add-seqno-waiter-for-sync_files.patch +drm-vmwgfx-add-error-path-for-xa_store-in-vmw_bo_add.patch +drm-vmwgfx-fix-dumb-buffer-leak.patch +drm-xe-d3cold-set-power-state-to-d3cold-during-s2idl.patch +drm-vc4-tests-use-return-instead-of-assert.patch +drm-amd-pp-fix-potential-null-pointer-dereference-in.patch +media-rkvdec-fix-frame-size-enumeration.patch +arm64-fpsimd-avoid-res0-bits-in-the-sme-trap-handler.patch +arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch +arm64-fpsimd-don-t-corrupt-fpmr-when-streaming-mode-.patch +arm64-fpsimd-avoid-clobbering-kernel-fpsimd-state-wi.patch +arm64-fpsimd-reset-fpmr-upon-exec.patch +arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch +drm-panthor-fix-gpu_coherency_ace-_lite-definitions.patch +drm-panthor-update-panthor_mmu-irq-mask-when-needed.patch +perf-arm-ni-unregister-pmus-on-probe-failure.patch +perf-arm-ni-fix-missing-platform_set_drvdata.patch +drm-panel-samsung-sofef00-drop-s6e3fc2x01-support.patch +drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch +fs-ntfs3-handle-hdr_first_de-return-value.patch +fs-ntfs3-add-missing-direct_io-in-ntfs_aops_cmpr.patch +kunit-usercopy-disable-u64-test-on-32-bit-sparc.patch +watchdog-exar-shorten-identity-name-to-fit-correctly.patch +m68k-mac-fix-macintosh_config-for-mac-ii.patch +firmware-psci-fix-refcount-leak-in-psci_dt_init.patch +arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch +arm64-fpsimd-avoid-warning-when-sve_to_fpsimd-is-unu.patch +selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch +drm-msm-dpu-enable-smartdma-on-sm8150.patch +drm-msm-dpu-enable-smartdma-on-sc8180x.patch +drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch +drm-vkms-adjust-vkms_state-active_planes-allocation-.patch +drm-tegra-rgb-fix-the-unbound-reference-count.patch +firmware-sdei-allow-sdei-initialization-without-acpi.patch +arm64-fpsimd-do-not-discard-modified-sve-state.patch +overflow-fix-direct-struct-member-initialization-in-.patch +scsi-qedf-use-designated-initializer-for-struct-qed_.patch +perf-amlogic-replace-smp_processor_id-with-raw_smp_p.patch +selftests-seccomp-fix-negative_enosys-tracer-tests-o.patch +drm-msm-a6xx-disable-rgb565_predicator-on-adreno-7c3.patch +drm-mediatek-mtk_drm_drv-fix-kobject-put-for-mtk_mut.patch +drm-mediatek-fix-kobject-put-for-component-sub-drive.patch +drm-mediatek-mtk_drm_drv-unbind-secondary-mmsys-comp.patch +media-verisilicon-free-post-processor-buffers-on-err.patch +svcrdma-reduce-the-number-of-rdma_rw-contexts-per-qp.patch +xen-x86-fix-initial-memory-balloon-target.patch +wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch +wifi-ath12k-fix-memory-leak-during-vdev_id-mismatch.patch +wifi-ath12k-fix-invalid-memory-access-while-forming-.patch +ib-cm-use-rwlock-for-mad-agent-lock.patch +bpf-check-link_create.flags-parameter-for-multi_kpro.patch +selftests-bpf-fix-bpf_nf-selftest-failure.patch +bpf-fix-ktls-panic-with-sockmap.patch +bpf-sockmap-fix-duplicated-data-transmission.patch +bpf-sockmap-fix-panic-when-calling-skb_linearize.patch +f2fs-zone-fix-to-avoid-inconsistence-in-between-sit-.patch +wifi-ath12k-fix-cleanup-path-after-mhi-init.patch +wifi-ath12k-fix-wmi-tag-for-eht-rate-in-peer-assoc.patch +wifi-ath12k-fix-buffer-overflow-in-debugfs.patch +f2fs-clean-up-unnecessary-indentation.patch +f2fs-prevent-the-current-section-from-being-selected.patch +f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch +page_pool-move-pp_magic-check-into-helper-functions.patch +page_pool-track-dma-mapped-pages-and-unmap-them-when.patch +net-ncsi-fix-gcps-64-bit-member-variables.patch +libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch +net-mlx5-avoid-using-xso.real_dev-unnecessarily.patch +xfrm-use-xdo.dev-instead-of-xdo.real_dev.patch +wifi-rtw88-sdio-map-mgmt-frames-to-queue-tx_desc_qse.patch +wifi-rtw88-sdio-call-rtw_sdio_indicate_tx_status-unc.patch +wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch +wifi-ath12k-fix-invalid-access-to-memory.patch +wifi-ath12k-add-msdu-length-validation-for-tkip-mic-.patch +wifi-ath12k-fix-the-qos-control-field-offset-to-buil.patch +wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch +rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch +scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch +libbpf-fix-event-name-too-long-error.patch +libbpf-remove-sample_period-init-in-perf_buffer.patch +use-thread-safe-function-pointer-in-libbpf_print.patch +iommu-protect-against-overflow-in-iommu_pgsize.patch +bonding-assign-random-address-if-device-address-is-s.patch +f2fs-clean-up-w-fscrypt_is_bounce_page.patch +f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch +scsi-smartpqi-fix-smp_processor_id-call-trace-for-pr.patch +libbpf-use-proper-errno-value-in-linker.patch +bpf-allow-xdp-dev-bound-programs-to-perform-xdp_redi.patch +netfilter-bridge-move-specific-fragmented-packet-to-.patch +netfilter-nft_quota-match-correctly-when-the-quota-j.patch +netfilter-nft_set_pipapo-prevent-overflow-in-lookup-.patch +rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch +bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch +tracing-move-histogram-trigger-variables-from-stack-.patch +clk-qcom-camcc-sm6350-add-_wait_val-values-for-gdscs.patch +clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch +clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch +clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch +bpftool-fix-regression-of-bpftool-cgroup-tree-einval.patch +clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch +wifi-iwlfiwi-mvm-fix-the-rate-reporting.patch +efi-libstub-describe-missing-out-parameter-in-efi_lo.patch +selftests-bpf-fix-caps-for-__xlated-jited_unpriv.patch +tracing-rename-event_trigger_alloc-to-trigger_data_a.patch +tracing-fix-error-handling-in-event_trigger_parse.patch +of-unittest-unlock-on-error-in-unittest_data_add.patch +ktls-sockmap-fix-missing-uncharge-operation.patch +libbpf-use-proper-errno-value-in-nlattr.patch +pinctrl-at91-fix-possible-out-of-boundary-access.patch +bpf-fix-warn-in-get_bpf_raw_tp_regs.patch +dt-bindings-soc-fsl-qman-fqd-fix-reserved-memory.yam.patch +clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch +s390-bpf-store-backchain-even-for-leaf-progs.patch +wifi-rtw89-pci-enlarge-retry-times-of-rx-tag-to-1000.patch +wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch +wifi-rtw89-fix-firmware-scan-delay-unit-for-wifi-6-c.patch +iommu-remove-duplicate-selection-of-dmar_table.patch +wifi-ath12k-fix-memory-leak-in-ath12k_service_ready_.patch +hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch +hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch +hisi_acc_vfio_pci-bugfix-live-migration-function-wit.patch +wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch +scsi-ufs-mcq-delete-ufshcd_release_scsi_cmd-in-ufshc.patch +kernfs-relax-constraint-in-draining-guard.patch +bluetooth-iso-fix-not-using-sid-from-adv-report.patch +wifi-mt76-mt7996-fix-null-ptr-deref-in-mt7996_mmio_w.patch +wifi-mt76-mt7915-fix-null-ptr-deref-in-mt7915_mmio_w.patch +wifi-mt76-mt7925-prevent-multiple-scan-commands.patch +wifi-mt76-mt7925-refine-the-sniffer-commnad.patch +wifi-mt76-mt7925-ensure-all-mcu-commands-wait-for-re.patch +wifi-mt76-mt7996-set-eht-max-ampdu-length-capability.patch +wifi-mt76-mt7996-fix-rx-buffer-size-of-mcu-event.patch +bpf-revert-bpf-remove-unnecessary-rcu_read_-lock-unl.patch +netfilter-xtables-support-arpt_mark-and-ipv6-optstri.patch +netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch +vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch +bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch +bluetooth-btintel-check-dsbr-size-from-efi-variable.patch +bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch +netfilter-nf_tables-nft_fib-consistent-l3mdev-handli.patch +netfilter-nft_tunnel-fix-geneve_opt-dump.patch +risc-v-kvm-lock-the-correct-mp_state-during-reset.patch +net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch +vsock-virtio-fix-rx_bytes-accounting-for-stream-sock.patch +rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch +net-lan966x-fix-1-step-timestamping-over-ipv4-or-ipv.patch +net-xilinx-axienet-fix-tx-skb-circular-buffer-occupa.patch +bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch +net-phy-clear-phydev-devlink-when-the-link-is-delete.patch +net-phy-fix-up-const-issues-in-to_mdio_device-and-to.patch +net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch +net-lan743x-fix-phy-reset-handling-during-initializa.patch +net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch +octeontx2-pf-qos-perform-cache-sync-on-send-queue-te.patch +octeontx2-pf-qos-refactor-tc_htb_leaf_del_last-callb.patch +calipso-don-t-call-calipso-functions-for-af_inet-sk.patch +net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch +net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch +f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch +f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch +arm64-dts-qcom-x1e80100-mark-usb_2-as-dma-coherent.patch +arm64-dts-qcom-sm8650-setup-gpu-thermal-with-higher-.patch +arm64-dts-qcom-sm8650-add-missing-cpu-cfg-interconne.patch +arm64-dts-qcom-x1e80100-romulus-keep-l12b-and-l15b-a.patch +arm64-dts-qcom-sdm845-starqltechn-remove-wifi.patch +arm64-dts-qcom-sdm845-starqltechn-fix-usb-regulator-.patch +arm64-dts-qcom-sdm845-starqltechn-refactor-node-orde.patch +arm64-dts-qcom-sdm845-starqltechn-remove-excess-rese.patch +arm64-dts-qcom-sm8350-reenable-crypto-cryptobam.patch +arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch +arm64-dts-qcom-sc8280xp-x13s-drop-duplicate-dmic-sup.patch +arm64-dts-qcom-ipq9574-fix-usb-vdd-info.patch +arm64-dts-rockchip-move-shmem-memory-to-reserved-mem.patch +arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch +arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch +arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch +arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch +arm64-dts-mt8183-add-port-node-to-mt8183.dtsi.patch +arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch +arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch +arm64-dts-imx8mp-beacon-fix-rtc-capacitive-load.patch +arm64-dts-imx8mm-beacon-set-sai5-mclk-direction-to-o.patch +arm64-dts-imx8mn-beacon-set-sai5-mclk-direction-to-o.patch +arm64-dts-mediatek-mt6357-drop-regulator-fixed-compa.patch +arm64-dts-mt6359-add-missing-compatible-property-to-.patch +arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch +arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch +arm64-dts-rockchip-add-vcc-supply-to-spi-flash-on-rk.patch +arm64-dts-rockchip-update-emmc-for-nanopi-r5-series.patch +arm64-tegra-drop-remaining-serial-clock-names-and-re.patch +arm64-tegra-add-uartd-serial-alias-for-jetson-tx1-mo.patch +arm64-dts-ti-k3-j721e-common-proc-board-enable-ospi1.patch +soc-qcom-smp2p-fix-fallback-to-qcom-ipc-parse.patch +squashfs-check-return-result-of-sb_min_blocksize.patch +ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch +nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch +nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch +bus-fsl-mc-fix-double-free-on-mc_dev.patch +dt-bindings-vendor-prefixes-add-liontron-name.patch +arm-dts-qcom-apq8064-add-missing-clocks-to-the-timer.patch +arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch +arm-dts-qcom-apq8064-move-replicator-out-of-soc-node.patch +arm64-defconfig-mediatek-enable-phy-drivers.patch +arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch +arm64-dts-qcom-qcm2290-fix-some-of-qup-interconnects.patch +arm64-dts-renesas-white-hawk-ard-audio-fix-tpu0-grou.patch +arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch +arm-aspeed-don-t-select-sram.patch +soc-aspeed-lpc-fix-impossible-judgment-condition.patch +soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch +fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch +randstruct-gcc-plugin-remove-bogus-void-member.patch +randstruct-gcc-plugin-fix-attribute-addition.patch +perf-build-warn-when-libdebuginfod-devel-files-are-n.patch +perf-ui-browser-hists-set-actions-thread-before-call.patch +dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch +dm-free-table-mempools-if-not-used-in-__bind.patch +backlight-pm8941-add-null-check-in-wled_configure.patch +x86-irq-ensure-initial-pir-loads-are-performed-exact.patch +mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch +hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch +perf-symbol-minimal-fix-double-free-in-filename__rea.patch +dm-fix-dm_blk_report_zones.patch +dm-flakey-error-all-ios-when-num_features-is-absent.patch +dm-flakey-make-corrupting-read-bios-work.patch +perf-trace-fix-leaks-of-struct-thread-in-set_filter_.patch +perf-tests-fix-perf-report-tests-installation.patch +perf-intel-pt-fix-pebs-via-pt-data_src.patch +perf-scripts-python-exported-sql-viewer.py-fix-patte.patch +remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch +remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch +remoteproc-k3-dsp-drop-check-performed-in-k3_dsp_rpr.patch +rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch +mfd-exynos-lpass-fix-an-error-handling-path-in-exyno.patch +mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch +mfd-stmpe-spi-correct-the-name-used-in-module_device.patch +drivers-hv-always-select-config_sysfb-for-hyper-v-gu.patch +perf-tests-switch-tracking-fix-timestamp-comparison.patch +mailbox-imx-fix-txdb_v2-sending.patch +mailbox-mtk-cmdq-refine-gce_gctl_value-setting.patch +perf-symbol-fix-use-after-free-in-filename__read_bui.patch +perf-record-fix-incorrect-user-regs-comments.patch +perf-trace-always-print-return-value-for-syscalls-re.patch +nfs-clear-sb_rdonly-before-getting-superblock.patch +nfs-ignore-sb_rdonly-when-remounting-nfs.patch +perf-trace-set-errpid-to-false-for-rseq-and-set_robu.patch +perf-callchain-always-populate-the-addr_location-map.patch +cifs-fix-validation-of-smb1-query-reparse-point-resp.patch +rust-alloc-add-missing-invariant-in-vec-set_len.patch +rtc-sh-assign-correct-interrupts-with-dt.patch +phy-rockchip-samsung-hdptx-fix-clock-ratio-setup.patch +phy-rockchip-samsung-hdptx-do-no-set-rk_hdptx_phy-ra.patch +pci-print-the-actual-delay-time-in-pci_bridge_wait_f.patch +pci-rcar-gen4-set-ep-bar4-fixed-size.patch +pci-cadence-fix-runtime-atomic-count-underflow.patch +pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch +pci-explicitly-put-devices-into-d0-when-initializing.patch +phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch +dmaengine-ti-add-null-check-in-udma_probe.patch +pci-acpi-fix-allocated-memory-release-on-error-in-pc.patch +pci-dpc-initialize-aer_err_info-before-using-it.patch +pci-dpc-log-error-source-id-only-when-valid.patch +rtc-loongson-add-missing-alarm-notifications-for-acp.patch +pci-endpoint-retain-fixed-size-bar-size-as-well-as-a.patch +usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch +serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch +thunderbolt-fix-a-logic-error-in-wake-on-connect.patch +iio-filter-admv8818-fix-band-4-state-15.patch +iio-filter-admv8818-fix-integer-overflow.patch +iio-filter-admv8818-fix-range-calculation.patch +iio-filter-admv8818-support-frequencies-2-32.patch +iio-adc-ad7124-fix-3db-filter-frequency-reading.patch +usb-acpi-prevent-null-pointer-dereference-in-usb_acp.patch +mips-loongson64-add-missing-interrupt-cells-for-loon.patch +coresight-fixes-device-s-owner-field-for-registered-.patch +coresight-catu-introduce-refcount-and-spinlock-for-e.patch +counter-interrupt-cnt-protect-enable-disable-ops-wit.patch +fpga-fix-potential-null-pointer-deref-in-fpga_mgr_te.patch +coresight-prevent-deactivate-active-config-while-ena.patch +vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch +mei-vsc-cast-tx_buf-to-__be32-when-passed-to-cpu_to_.patch +iio-adc-pac1934-fix-typo-in-documentation-link.patch +iio-adc-mcp3911-fix-device-dependent-mappings-for-co.patch +usb-serial-bus-fix-const-issue-in-usb_serial_device_.patch +usb-gadget-udc-fix-const-issue-in-gadget_match_drive.patch +usb-typec-fix-const-issue-in-typec_match.patch +loop-add-file_start_write-and-file_end_write.patch +drm-xe-make-xe_gt_freq-part-of-the-documentation.patch +fix-sock_exceed_buf_limit-not-being-triggered-in-__s.patch +page_pool-fix-use-after-free-in-page_pool_recycle_in.patch +net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch +gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch +net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch +driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch +net-mlx4_en-prevent-potential-integer-overflow-calcu.patch +net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch +spi-bcm63xx-spi-fix-shared-reset.patch +spi-bcm63xx-hsspi-fix-shared-reset.patch +bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch +ice-fix-tx-scheduler-error-handling-in-xdp-callback.patch +ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch +ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch +idpf-fix-a-race-in-txq-wakeup.patch +idpf-avoid-mailbox-timeout-delays-during-reset.patch +net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch +net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch +net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch-7636 +net-fix-checksum-update-for-ila-adj-transport.patch +drm-i915-guc-check-if-expecting-reply-before-decreme.patch +drm-i915-psr-fix-using-wrong-mask-in-reg_field_prep.patch +drm-i915-guc-handle-race-condition-where-wakeref-cou.patch +net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch +net-wwan-t7xx-fix-napi-rx-poll-issue.patch +vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch +selftests-net-build-net-lib-dependency-in-all-target.patch +pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch +nvme-fix-command-limits-status-code.patch +gve-add-missing-null-check-for-gve_alloc_pending_pac.patch +drm-panel-simple-fix-the-warnings-for-the-evervision.patch +netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch +netfilter-nf_nat-also-check-reverse-tuple-to-obtain-.patch +net-ti-icssg-prueth-fix-swapped-tx-stats-for-mii-int.patch +net-dsa-b53-do-not-enable-rgmii-delay-on-bcm63xx.patch +net-dsa-b53-allow-rgmii-for-bcm63xx-rgmii-ports.patch +net-dsa-b53-do-not-touch-dll_iqqd-on-bcm53115.patch +wifi-cfg80211-mac80211-correctly-parse-s1g-beacon-op.patch +net-wwan-mhi_wwan_mbim-use-correct-mux_id-for-multip.patch +wireguard-device-enable-threaded-napi.patch +seg6-fix-validation-of-nexthop-addresses.patch +riscv-misaligned-fix-sleeping-function-called-during.patch +scsi-ufs-qcom-prevent-calling-phy_exit-before-phy_in.patch +asoc-codecs-hda-fix-rpm-usage-count-underflow.patch +asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch +asoc-intel-avs-verify-content-returned-by-parse_int_.patch +asoc-ti-omap-hdmi-re-add-dai_link-platform-to-fix-ca.patch +iov_iter-use-iov_offset-for-length-calculation-in-io.patch +path_overmount-avoid-false-negatives.patch +fix-propagation-graph-breakage-by-move_mount_set_gro.patch +do_change_type-refuse-to-operate-on-unmounted-not-ou.patch +tools-power-turbostat-fix-amd-package-energy-reporti.patch diff --git a/queue-6.12/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch b/queue-6.12/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch new file mode 100644 index 0000000000..8c1af2b964 --- /dev/null +++ b/queue-6.12/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch @@ -0,0 +1,73 @@ +From 01d6330aba94c1487d3eec7023baf5982bb8b8f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:44 +0930 +Subject: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() + +From: Henry Martin + +[ Upstream commit f1706e0e1a74b095cbc60375b9b1e6205f5f4c98 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +aspeed_lpc_enable_snoop() does not check for this case, which results in a +NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev") +Signed-off-by: Henry Martin +Link: https://patch.msgid.link/20250401074647.21300-1-bsdhenrymartin@gmail.com +[arj: Fix Fixes: tag to use subject from 3772e5da4454] +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c +index f06edc4cc5ea4..d2e63277f0aa9 100644 +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -200,11 +200,15 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + lpc_snoop->chan[channel].miscdev.minor = MISC_DYNAMIC_MINOR; + lpc_snoop->chan[channel].miscdev.name = + devm_kasprintf(dev, GFP_KERNEL, "%s%d", DEVICE_NAME, channel); ++ if (!lpc_snoop->chan[channel].miscdev.name) { ++ rc = -ENOMEM; ++ goto err_free_fifo; ++ } + lpc_snoop->chan[channel].miscdev.fops = &snoop_fops; + lpc_snoop->chan[channel].miscdev.parent = dev; + rc = misc_register(&lpc_snoop->chan[channel].miscdev); + if (rc) +- return rc; ++ goto err_free_fifo; + + /* Enable LPC snoop channel at requested port */ + switch (channel) { +@@ -221,7 +225,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + hicrb_en = HICRB_ENSNP1D; + break; + default: +- return -EINVAL; ++ rc = -EINVAL; ++ goto err_misc_deregister; + } + + regmap_update_bits(lpc_snoop->regmap, HICR5, hicr5_en, hicr5_en); +@@ -231,6 +236,12 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + regmap_update_bits(lpc_snoop->regmap, HICRB, + hicrb_en, hicrb_en); + ++ return 0; ++ ++err_misc_deregister: ++ misc_deregister(&lpc_snoop->chan[channel].miscdev); ++err_free_fifo: ++ kfifo_free(&lpc_snoop->chan[channel].fifo); + return rc; + } + +-- +2.39.5 + diff --git a/queue-6.12/soc-aspeed-lpc-fix-impossible-judgment-condition.patch b/queue-6.12/soc-aspeed-lpc-fix-impossible-judgment-condition.patch new file mode 100644 index 0000000000..20549c4303 --- /dev/null +++ b/queue-6.12/soc-aspeed-lpc-fix-impossible-judgment-condition.patch @@ -0,0 +1,46 @@ +From 71ab866d054476b047e3a9fffa89c8d2713a90b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:43 +0930 +Subject: soc: aspeed: lpc: Fix impossible judgment condition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +[ Upstream commit d9f0a97e859bdcef51f9c187b1eb712eb13fd3ff ] + +smatch error: +drivers/soc/aspeed/aspeed-lpc-snoop.c:169 +aspeed_lpc_snoop_config_irq() warn: platform_get_irq() does not return zero + +platform_get_irq() return non-zero IRQ number or negative error code, +change '!lpc_snoop->irq' to 'lpc_snoop->irq < 0' to fix this. + +Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver") +Signed-off-by: Su Hui +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20231027020703.1231875-1-suhui@nfschina.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c +index 888b5840c0150..f06edc4cc5ea4 100644 +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -166,7 +166,7 @@ static int aspeed_lpc_snoop_config_irq(struct aspeed_lpc_snoop *lpc_snoop, + int rc; + + lpc_snoop->irq = platform_get_irq(pdev, 0); +- if (!lpc_snoop->irq) ++ if (lpc_snoop->irq < 0) + return -ENODEV; + + rc = devm_request_irq(dev, lpc_snoop->irq, +-- +2.39.5 + diff --git a/queue-6.12/soc-qcom-smp2p-fix-fallback-to-qcom-ipc-parse.patch b/queue-6.12/soc-qcom-smp2p-fix-fallback-to-qcom-ipc-parse.patch new file mode 100644 index 0000000000..fa6976f619 --- /dev/null +++ b/queue-6.12/soc-qcom-smp2p-fix-fallback-to-qcom-ipc-parse.patch @@ -0,0 +1,44 @@ +From ee350b8f696476fa96bedfcc1ee4aa2481d62403 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 04:04:17 +0200 +Subject: soc: qcom: smp2p: Fix fallback to qcom,ipc parse +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Czémán + +[ Upstream commit 421777a02bbd9cdabe0ae05a69ee06253150589d ] + +mbox_request_channel() returning value was changed in case of error. +It uses returning value of of_parse_phandle_with_args(). +It is returning with -ENOENT instead of -ENODEV when no mboxes property +exists. + +Fixes: 24fdd5074b20 ("mailbox: use error ret code of of_parse_phandle_with_args()") +Signed-off-by: Barnabás Czémán +Reviewed-by: Stephan Gerhold +Tested-by: Stephan Gerhold # msm8939 +Link: https://lore.kernel.org/r/20250421-fix-qcom-smd-v1-2-574d071d3f27@mainlining.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/smp2p.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/smp2p.c b/drivers/soc/qcom/smp2p.c +index cefcbd61c6281..95d8a8f728db5 100644 +--- a/drivers/soc/qcom/smp2p.c ++++ b/drivers/soc/qcom/smp2p.c +@@ -578,7 +578,7 @@ static int qcom_smp2p_probe(struct platform_device *pdev) + smp2p->mbox_client.knows_txdone = true; + smp2p->mbox_chan = mbox_request_channel(&smp2p->mbox_client, 0); + if (IS_ERR(smp2p->mbox_chan)) { +- if (PTR_ERR(smp2p->mbox_chan) != -ENODEV) ++ if (PTR_ERR(smp2p->mbox_chan) != -ENOENT) + return PTR_ERR(smp2p->mbox_chan); + + smp2p->mbox_chan = NULL; +-- +2.39.5 + diff --git a/queue-6.12/spi-bcm63xx-hsspi-fix-shared-reset.patch b/queue-6.12/spi-bcm63xx-hsspi-fix-shared-reset.patch new file mode 100644 index 0000000000..6797041ea3 --- /dev/null +++ b/queue-6.12/spi-bcm63xx-hsspi-fix-shared-reset.patch @@ -0,0 +1,42 @@ +From c80916f1a6e553a2375d1cfccc661f222bbe2a84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 15:09:15 +0200 +Subject: spi: bcm63xx-hsspi: fix shared reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 3d6d84c8f2f66d3fd6a43a1e2ce8e6b54c573960 ] + +Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI +and HSSPI controllers, so reset shouldn't be exclusive. + +Fixes: 0eeadddbf09a ("spi: bcm63xx-hsspi: add reset support") +Reported-by: Jonas Gorski +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250529130915.2519590-3-noltari@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index 1ca857c2a4aa3..8df12efeea21c 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -745,7 +745,7 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev) + if (IS_ERR(clk)) + return PTR_ERR(clk); + +- reset = devm_reset_control_get_optional_exclusive(dev, NULL); ++ reset = devm_reset_control_get_optional_shared(dev, NULL); + if (IS_ERR(reset)) + return PTR_ERR(reset); + +-- +2.39.5 + diff --git a/queue-6.12/spi-bcm63xx-spi-fix-shared-reset.patch b/queue-6.12/spi-bcm63xx-spi-fix-shared-reset.patch new file mode 100644 index 0000000000..18dd4f4d1c --- /dev/null +++ b/queue-6.12/spi-bcm63xx-spi-fix-shared-reset.patch @@ -0,0 +1,42 @@ +From 1b7b9184f0ae4eca32fe5f2ef2eaf82360d49079 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 15:09:14 +0200 +Subject: spi: bcm63xx-spi: fix shared reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 5ad20e3d8cfe3b2e42bbddc7e0ebaa74479bb589 ] + +Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI +and HSSPI controllers, so reset shouldn't be exclusive. + +Fixes: 38807adeaf1e ("spi: bcm63xx-spi: add reset support") +Reported-by: Jonas Gorski +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250529130915.2519590-2-noltari@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c +index ef3a7226db125..a95badb7b7114 100644 +--- a/drivers/spi/spi-bcm63xx.c ++++ b/drivers/spi/spi-bcm63xx.c +@@ -523,7 +523,7 @@ static int bcm63xx_spi_probe(struct platform_device *pdev) + return PTR_ERR(clk); + } + +- reset = devm_reset_control_get_optional_exclusive(dev, NULL); ++ reset = devm_reset_control_get_optional_shared(dev, NULL); + if (IS_ERR(reset)) + return PTR_ERR(reset); + +-- +2.39.5 + diff --git a/queue-6.12/spi-sh-msiof-fix-maximum-dma-transfer-size.patch b/queue-6.12/spi-sh-msiof-fix-maximum-dma-transfer-size.patch new file mode 100644 index 0000000000..5d1620edbf --- /dev/null +++ b/queue-6.12/spi-sh-msiof-fix-maximum-dma-transfer-size.patch @@ -0,0 +1,71 @@ +From ac209607acfa44f517490da2b354831d65ccd32b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 15:32:06 +0200 +Subject: spi: sh-msiof: Fix maximum DMA transfer size + +From: Geert Uytterhoeven + +[ Upstream commit 0941d5166629cb766000530945e54b4e49680c68 ] + +The maximum amount of data to transfer in a single DMA request is +calculated from the FIFO sizes (which is technically not 100% correct, +but a simplification, as it is limited by the maximum word count values +in the Transmit and Control Data Registers). However, in case there is +both data to transmit and to receive, the transmit limit is overwritten +by the receive limit. + +Fix this by using the minimum applicable FIFO size instead. Move the +calculation outside the loop, so it is not repeated for each individual +DMA transfer. + +As currently tx_fifo_size is always equal to rx_fifo_size, this bug had +no real impact. + +Fixes: fe78d0b7691c0274 ("spi: sh-msiof: Fix FIFO size to 64 word from 256 word") +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/d9961767a97758b2614f2ee8afe1bd56dc900a60.1747401908.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sh-msiof.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c +index 3519656515ea1..1870f8c852131 100644 +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -918,6 +918,7 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr, + void *rx_buf = t->rx_buf; + unsigned int len = t->len; + unsigned int bits = t->bits_per_word; ++ unsigned int max_wdlen = 256; + unsigned int bytes_per_word; + unsigned int words; + int n; +@@ -931,17 +932,17 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr, + if (!spi_controller_is_target(p->ctlr)) + sh_msiof_spi_set_clk_regs(p, t); + ++ if (tx_buf) ++ max_wdlen = min(max_wdlen, p->tx_fifo_size); ++ if (rx_buf) ++ max_wdlen = min(max_wdlen, p->rx_fifo_size); ++ + while (ctlr->dma_tx && len > 15) { + /* + * DMA supports 32-bit words only, hence pack 8-bit and 16-bit + * words, with byte resp. word swapping. + */ +- unsigned int l = 0; +- +- if (tx_buf) +- l = min(round_down(len, 4), p->tx_fifo_size * 4); +- if (rx_buf) +- l = min(round_down(len, 4), p->rx_fifo_size * 4); ++ unsigned int l = min(round_down(len, 4), max_wdlen * 4); + + if (bits <= 8) { + copy32 = copy_bswap32; +-- +2.39.5 + diff --git a/queue-6.12/spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch b/queue-6.12/spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch new file mode 100644 index 0000000000..889320118a --- /dev/null +++ b/queue-6.12/spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch @@ -0,0 +1,85 @@ +From f0372dbdfad74ed7d42cf53b3b3fe1192bad21ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 11:06:01 +0000 +Subject: spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers + +From: Vishwaroop A + +[ Upstream commit dcb06c638a1174008a985849fa30fc0da7d08904 ] + +This patch corrects the QSPI_COMMAND_X1_X2_X4 and QSPI_ADDRESS_X1_X2_X4 +macros to properly encode the bus width for x1, x2, and x4 transfers. +Although these macros were previously incorrect, they were not being +used in the driver, so no functionality was affected. + +The patch updates tegra_qspi_cmd_config() and tegra_qspi_addr_config() +function calls to use the actual bus width from the transfer, instead of +hardcoding it to 0 (which implied x1 mode). This change enables proper +support for x1, x2, and x4 data transfers by correctly configuring the +interface width for commands and addresses. + +These modifications improve the QSPI driver's flexibility and prepare it +for future use cases that may require different bus widths for commands +and addresses. + +Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode") +Signed-off-by: Vishwaroop A +Link: https://patch.msgid.link/20250416110606.2737315-2-va@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index 2d48ad844fb80..fd6863e89cddd 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -134,7 +134,7 @@ + #define QSPI_COMMAND_VALUE_SET(X) (((x) & 0xFF) << 0) + + #define QSPI_CMB_SEQ_CMD_CFG 0x1a0 +-#define QSPI_COMMAND_X1_X2_X4(x) (((x) & 0x3) << 13) ++#define QSPI_COMMAND_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13) + #define QSPI_COMMAND_X1_X2_X4_MASK (0x03 << 13) + #define QSPI_COMMAND_SDR_DDR BIT(12) + #define QSPI_COMMAND_SIZE_SET(x) (((x) & 0xFF) << 0) +@@ -147,7 +147,7 @@ + #define QSPI_ADDRESS_VALUE_SET(X) (((x) & 0xFFFF) << 0) + + #define QSPI_CMB_SEQ_ADDR_CFG 0x1ac +-#define QSPI_ADDRESS_X1_X2_X4(x) (((x) & 0x3) << 13) ++#define QSPI_ADDRESS_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13) + #define QSPI_ADDRESS_X1_X2_X4_MASK (0x03 << 13) + #define QSPI_ADDRESS_SDR_DDR BIT(12) + #define QSPI_ADDRESS_SIZE_SET(x) (((x) & 0xFF) << 0) +@@ -1036,10 +1036,6 @@ static u32 tegra_qspi_addr_config(bool is_ddr, u8 bus_width, u8 len) + { + u32 addr_config = 0; + +- /* Extract Address configuration and value */ +- is_ddr = 0; //Only SDR mode supported +- bus_width = 0; //X1 mode +- + if (is_ddr) + addr_config |= QSPI_ADDRESS_SDR_DDR; + else +@@ -1079,13 +1075,13 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + switch (transfer_phase) { + case CMD_TRANSFER: + /* X1 SDR mode */ +- cmd_config = tegra_qspi_cmd_config(false, 0, ++ cmd_config = tegra_qspi_cmd_config(false, xfer->tx_nbits, + xfer->len); + cmd_value = *((const u8 *)(xfer->tx_buf)); + break; + case ADDR_TRANSFER: + /* X1 SDR mode */ +- addr_config = tegra_qspi_addr_config(false, 0, ++ addr_config = tegra_qspi_addr_config(false, xfer->tx_nbits, + xfer->len); + address_value = *((const u32 *)(xfer->tx_buf)); + break; +-- +2.39.5 + diff --git a/queue-6.12/spi-tegra210-quad-modify-chip-select-cs-deactivation.patch b/queue-6.12/spi-tegra210-quad-modify-chip-select-cs-deactivation.patch new file mode 100644 index 0000000000..b4f05a59a8 --- /dev/null +++ b/queue-6.12/spi-tegra210-quad-modify-chip-select-cs-deactivation.patch @@ -0,0 +1,51 @@ +From 19f51cad591a109d62f7d3e1a3f20ebd84ac786c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 11:06:03 +0000 +Subject: spi: tegra210-quad: modify chip select (CS) deactivation + +From: Vishwaroop A + +[ Upstream commit d8966b65413390d1b5b706886987caac05fbe024 ] + +Modify the chip select (CS) deactivation and inter-transfer delay +execution only during the DATA_TRANSFER phase when the cs_change +flag is not set. This ensures proper CS handling and timing between +transfers while eliminating redundant operations. + +Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode") +Signed-off-by: Vishwaroop A +Link: https://patch.msgid.link/20250416110606.2737315-4-va@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index 30ed4120a2ef1..92348ebc60c78 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -1159,16 +1159,16 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + ret = -EIO; + goto exit; + } +- if (!xfer->cs_change) { +- tegra_qspi_transfer_end(spi); +- spi_transfer_delay_exec(xfer); +- } + break; + default: + ret = -EINVAL; + goto exit; + } + msg->actual_length += xfer->len; ++ if (!xfer->cs_change && transfer_phase == DATA_TRANSFER) { ++ tegra_qspi_transfer_end(spi); ++ spi_transfer_delay_exec(xfer); ++ } + transfer_phase++; + } + ret = 0; +-- +2.39.5 + diff --git a/queue-6.12/spi-tegra210-quad-remove-redundant-error-handling-co.patch b/queue-6.12/spi-tegra210-quad-remove-redundant-error-handling-co.patch new file mode 100644 index 0000000000..2e6d4a0130 --- /dev/null +++ b/queue-6.12/spi-tegra210-quad-remove-redundant-error-handling-co.patch @@ -0,0 +1,40 @@ +From 0d052b28ad1fe592070a0357167ed81a352b2fda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 11:06:02 +0000 +Subject: spi: tegra210-quad: remove redundant error handling code + +From: Vishwaroop A + +[ Upstream commit 400d9f1a27cc2fceabdb1ed93eaf0b89b6d32ba5 ] + +Remove unnecessary error handling code that terminated transfers and +executed delay on errors. This code was redundant as error handling is +already done at a higher level in the SPI core. + +Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode") +Signed-off-by: Vishwaroop A +Link: https://patch.msgid.link/20250416110606.2737315-3-va@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index fd6863e89cddd..30ed4120a2ef1 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -1175,10 +1175,6 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + + exit: + msg->status = ret; +- if (ret < 0) { +- tegra_qspi_transfer_end(spi); +- spi_transfer_delay_exec(xfer); +- } + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.12/squashfs-check-return-result-of-sb_min_blocksize.patch b/queue-6.12/squashfs-check-return-result-of-sb_min_blocksize.patch new file mode 100644 index 0000000000..d950d22570 --- /dev/null +++ b/queue-6.12/squashfs-check-return-result-of-sb_min_blocksize.patch @@ -0,0 +1,66 @@ +From ead92c7eca357409707014e0af941dd880176ef8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 03:47:47 +0100 +Subject: Squashfs: check return result of sb_min_blocksize + +From: Phillip Lougher + +[ Upstream commit 734aa85390ea693bb7eaf2240623d41b03705c84 ] + +Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. + +Syzkaller forks multiple processes which after mounting the Squashfs +filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). +Now if this ioctl occurs at the same time another process is in the +process of mounting a Squashfs filesystem on /dev/loop0, the failure +occurs. When this happens the following code in squashfs_fill_super() +fails. + +---- +msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); +msblk->devblksize_log2 = ffz(~msblk->devblksize); +---- + +sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0. + +As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 +is set to 64. + +This subsequently causes the + +UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 +shift exponent 64 is too large for 64-bit type 'u64' (aka +'unsigned long long') + +This commit adds a check for a 0 return by sb_min_blocksize(). + +Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk +Fixes: 0aa666190509 ("Squashfs: super block operations") +Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/ +Signed-off-by: Phillip Lougher +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/squashfs/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c +index 22e812808e5cf..3a27d4268b3c4 100644 +--- a/fs/squashfs/super.c ++++ b/fs/squashfs/super.c +@@ -202,6 +202,11 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc) + msblk->panic_on_errors = (opts->errors == Opt_errors_panic); + + msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); ++ if (!msblk->devblksize) { ++ errorf(fc, "squashfs: unable to set blocksize\n"); ++ return -EINVAL; ++ } ++ + msblk->devblksize_log2 = ffz(~msblk->devblksize); + + mutex_init(&msblk->meta_index_mutex); +-- +2.39.5 + diff --git a/queue-6.12/svcrdma-reduce-the-number-of-rdma_rw-contexts-per-qp.patch b/queue-6.12/svcrdma-reduce-the-number-of-rdma_rw-contexts-per-qp.patch new file mode 100644 index 0000000000..1b427af882 --- /dev/null +++ b/queue-6.12/svcrdma-reduce-the-number-of-rdma_rw-contexts-per-qp.patch @@ -0,0 +1,95 @@ +From a71112757d097207930b399beef1b3884eedb158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 15:36:49 -0400 +Subject: svcrdma: Reduce the number of rdma_rw contexts per-QP + +From: Chuck Lever + +[ Upstream commit 59243315890578a040a2d50ae9e001a2ef2fcb62 ] + +There is an upper bound on the number of rdma_rw contexts that can +be created per QP. + +This invisible upper bound is because rdma_create_qp() adds one or +more additional SQEs for each ctxt that the ULP requests via +qp_attr.cap.max_rdma_ctxs. The QP's actual Send Queue length is on +the order of the sum of qp_attr.cap.max_send_wr and a factor times +qp_attr.cap.max_rdma_ctxs. The factor can be up to three, depending +on whether MR operations are required before RDMA Reads. + +This limit is not visible to RDMA consumers via dev->attrs. When the +limit is surpassed, QP creation fails with -ENOMEM. For example: + +svcrdma's estimate of the number of rdma_rw contexts it needs is +three times the number of pages in RPCSVC_MAXPAGES. When MAXPAGES +is about 260, the internally-computed SQ length should be: + +64 credits + 10 backlog + 3 * (3 * 260) = 2414 + +Which is well below the advertised qp_max_wr of 32768. + +If RPCSVC_MAXPAGES is increased to 4MB, that's 1040 pages: + +64 credits + 10 backlog + 3 * (3 * 1040) = 9434 + +However, QP creation fails. Dynamic printk for mlx5 shows: + +calc_sq_size:618:(pid 1514): send queue size (9326 * 256 / 64 -> 65536) exceeds limits(32768) + +Although 9326 is still far below qp_max_wr, QP creation still +fails. + +Because the total SQ length calculation is opaque to RDMA consumers, +there doesn't seem to be much that can be done about this except for +consumers to try to keep the requested rdma_rw ctxt count low. + +Fixes: 2da0f610e733 ("svcrdma: Increase the per-transport rw_ctx count") +Reviewed-by: NeilBrown +Reviewed-by: Christoph Hellwig +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c +index aca8bdf65d729..ca6172822b68a 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c +@@ -406,12 +406,12 @@ static void svc_rdma_xprt_done(struct rpcrdma_notification *rn) + */ + static struct svc_xprt *svc_rdma_accept(struct svc_xprt *xprt) + { ++ unsigned int ctxts, rq_depth, maxpayload; + struct svcxprt_rdma *listen_rdma; + struct svcxprt_rdma *newxprt = NULL; + struct rdma_conn_param conn_param; + struct rpcrdma_connect_private pmsg; + struct ib_qp_init_attr qp_attr; +- unsigned int ctxts, rq_depth; + struct ib_device *dev; + int ret = 0; + RPC_IFDEBUG(struct sockaddr *sap); +@@ -462,12 +462,14 @@ static struct svc_xprt *svc_rdma_accept(struct svc_xprt *xprt) + newxprt->sc_max_bc_requests = 2; + } + +- /* Arbitrarily estimate the number of rw_ctxs needed for +- * this transport. This is enough rw_ctxs to make forward +- * progress even if the client is using one rkey per page +- * in each Read chunk. ++ /* Arbitrary estimate of the needed number of rdma_rw contexts. + */ +- ctxts = 3 * RPCSVC_MAXPAGES; ++ maxpayload = min(xprt->xpt_server->sv_max_payload, ++ RPCSVC_MAXPAYLOAD_RDMA); ++ ctxts = newxprt->sc_max_requests * 3 * ++ rdma_rw_mr_factor(dev, newxprt->sc_port_num, ++ maxpayload >> PAGE_SHIFT); ++ + newxprt->sc_sq_depth = rq_depth + ctxts; + if (newxprt->sc_sq_depth > dev->attrs.max_qp_wr) + newxprt->sc_sq_depth = dev->attrs.max_qp_wr; +-- +2.39.5 + diff --git a/queue-6.12/thermal-drivers-mediatek-lvts-fix-debugfs-unregister.patch b/queue-6.12/thermal-drivers-mediatek-lvts-fix-debugfs-unregister.patch new file mode 100644 index 0000000000..bc96a81709 --- /dev/null +++ b/queue-6.12/thermal-drivers-mediatek-lvts-fix-debugfs-unregister.patch @@ -0,0 +1,79 @@ +From b55275b4c8aa74c3e27167a06805cd4d3b2b96f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 10:38:52 +0200 +Subject: thermal/drivers/mediatek/lvts: Fix debugfs unregister on failure + +From: AngeloGioacchino Del Regno + +[ Upstream commit b49825661af93d9b8d7236f914803f136896f8fd ] + +When running the probe function for this driver, the function +lvts_debugfs_init() gets called in lvts_domain_init() which, in +turn, gets called in lvts_probe() before registering threaded +interrupt handlers. + +Even though it's unlikely, the last call may fail and, if it does, +there's nothing removing the already created debugfs folder and +files. + +In order to fix that, instead of calling the lvts debugfs cleanup +function upon failure, register a devm action that will take care +of calling that upon failure or driver removal. + +Since devm was used, also delete the call to lvts_debugfs_exit() +in the lvts_remove() callback, as now that's done automatically. + +Fixes: f5f633b18234 ("thermal/drivers/mediatek: Add the Low Voltage Thermal Sensor driver") +Signed-off-by: AngeloGioacchino Del Regno +Reviewed-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20250402083852.20624-1-angelogioacchino.delregno@collabora.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/mediatek/lvts_thermal.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c +index 3295b27ab70d2..944c28a0c4736 100644 +--- a/drivers/thermal/mediatek/lvts_thermal.c ++++ b/drivers/thermal/mediatek/lvts_thermal.c +@@ -209,6 +209,13 @@ static const struct debugfs_reg32 lvts_regs[] = { + LVTS_DEBUG_FS_REGS(LVTS_CLKEN), + }; + ++static void lvts_debugfs_exit(void *data) ++{ ++ struct lvts_domain *lvts_td = data; ++ ++ debugfs_remove_recursive(lvts_td->dom_dentry); ++} ++ + static int lvts_debugfs_init(struct device *dev, struct lvts_domain *lvts_td) + { + struct debugfs_regset32 *regset; +@@ -241,12 +248,7 @@ static int lvts_debugfs_init(struct device *dev, struct lvts_domain *lvts_td) + debugfs_create_regset32("registers", 0400, dentry, regset); + } + +- return 0; +-} +- +-static void lvts_debugfs_exit(struct lvts_domain *lvts_td) +-{ +- debugfs_remove_recursive(lvts_td->dom_dentry); ++ return devm_add_action_or_reset(dev, lvts_debugfs_exit, lvts_td); + } + + #else +@@ -1352,8 +1354,6 @@ static void lvts_remove(struct platform_device *pdev) + + for (i = 0; i < lvts_td->num_lvts_ctrl; i++) + lvts_ctrl_set_enable(&lvts_td->lvts_ctrl[i], false); +- +- lvts_debugfs_exit(lvts_td); + } + + static const struct lvts_ctrl_data mt7988_lvts_ap_data_ctrl[] = { +-- +2.39.5 + diff --git a/queue-6.12/thunderbolt-fix-a-logic-error-in-wake-on-connect.patch b/queue-6.12/thunderbolt-fix-a-logic-error-in-wake-on-connect.patch new file mode 100644 index 0000000000..ea1d8ead38 --- /dev/null +++ b/queue-6.12/thunderbolt-fix-a-logic-error-in-wake-on-connect.patch @@ -0,0 +1,51 @@ +From 8ed86c5ebaa1f27d4701002fd29a0725f289fc0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Apr 2025 10:14:44 -0500 +Subject: thunderbolt: Fix a logic error in wake on connect + +From: Mario Limonciello + +[ Upstream commit 1a760d10ded372d113a0410c42be246315bbc2ff ] + +commit a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect +on USB4 ports") introduced a sysfs file to control wake up policy +for a given USB4 port that defaulted to disabled. + +However when testing commit 4bfeea6ec1c02 ("thunderbolt: Use wake +on connect and disconnect over suspend") I found that it was working +even without making changes to the power/wakeup file (which defaults +to disabled). This is because of a logic error doing a bitwise or +of the wake-on-connect flag with device_may_wakeup() which should +have been a logical AND. + +Adjust the logic so that policy is only applied when wakeup is +actually enabled. + +Fixes: a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect on USB4 ports") +Signed-off-by: Mario Limonciello +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/usb4.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/thunderbolt/usb4.c b/drivers/thunderbolt/usb4.c +index 402fdf8b1cdec..57821b6f4e468 100644 +--- a/drivers/thunderbolt/usb4.c ++++ b/drivers/thunderbolt/usb4.c +@@ -440,10 +440,10 @@ int usb4_switch_set_wake(struct tb_switch *sw, unsigned int flags) + bool configured = val & PORT_CS_19_PC; + usb4 = port->usb4; + +- if (((flags & TB_WAKE_ON_CONNECT) | ++ if (((flags & TB_WAKE_ON_CONNECT) && + device_may_wakeup(&usb4->dev)) && !configured) + val |= PORT_CS_19_WOC; +- if (((flags & TB_WAKE_ON_DISCONNECT) | ++ if (((flags & TB_WAKE_ON_DISCONNECT) && + device_may_wakeup(&usb4->dev)) && configured) + val |= PORT_CS_19_WOD; + if ((flags & TB_WAKE_ON_USB4) && configured) +-- +2.39.5 + diff --git a/queue-6.12/tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch b/queue-6.12/tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch new file mode 100644 index 0000000000..c463abdf84 --- /dev/null +++ b/queue-6.12/tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch @@ -0,0 +1,49 @@ +From 3d9cf29f620f9beeb2591ca99ff4bad8b01a39dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Apr 2025 12:46:22 +0200 +Subject: tools/nolibc: fix integer overflow in i{64,}toa_r() and +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 4d231a7df1a85c7572b67a4666cb73adb977fbf6 ] + +In twos complement the most negative number can not be negated. + +Fixes: b1c21e7d99cd ("tools/nolibc/stdlib: add i64toa() and u64toa()") +Fixes: 66c397c4d2e1 ("tools/nolibc/stdlib: replace the ltoa() function with more efficient ones") +Signed-off-by: Thomas Weißschuh +Acked-by: Willy Tarreau +Link: https://lore.kernel.org/r/20250419-nolibc-ubsan-v2-5-060b8a016917@weissschuh.net +Signed-off-by: Sasha Levin +--- + tools/include/nolibc/stdlib.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/include/nolibc/stdlib.h b/tools/include/nolibc/stdlib.h +index 75aa273c23a61..4dd421ef4c021 100644 +--- a/tools/include/nolibc/stdlib.h ++++ b/tools/include/nolibc/stdlib.h +@@ -274,7 +274,7 @@ int itoa_r(long in, char *buffer) + int len = 0; + + if (in < 0) { +- in = -in; ++ in = -(unsigned long)in; + *(ptr++) = '-'; + len++; + } +@@ -410,7 +410,7 @@ int i64toa_r(int64_t in, char *buffer) + int len = 0; + + if (in < 0) { +- in = -in; ++ in = -(uint64_t)in; + *(ptr++) = '-'; + len++; + } +-- +2.39.5 + diff --git a/queue-6.12/tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch b/queue-6.12/tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch new file mode 100644 index 0000000000..b2986133c7 --- /dev/null +++ b/queue-6.12/tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch @@ -0,0 +1,40 @@ +From 84a4e78af4fe894964f0789cca0fde980285acfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Apr 2025 15:36:24 +0800 +Subject: tools/nolibc/types.h: fix mismatched parenthesis in minor() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jemmy Wong + +[ Upstream commit 9c138ac9392228835b520fd4dbb07e636b34a867 ] + +Fix an imbalance where opening parentheses exceed closing ones. + +Fixes: eba6d00d38e7c ("tools/nolibc/types: move makedev to types.h and make it a macro") +Signed-off-by: Jemmy Wong +Acked-by: Willy Tarreau +Link: https://lore.kernel.org/r/20250411073624.22153-1-jemmywong512@gmail.com +Signed-off-by: Thomas Weißschuh +Signed-off-by: Sasha Levin +--- + tools/include/nolibc/types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/include/nolibc/types.h b/tools/include/nolibc/types.h +index b26a5d0c417c7..32d0929c633bb 100644 +--- a/tools/include/nolibc/types.h ++++ b/tools/include/nolibc/types.h +@@ -201,7 +201,7 @@ struct stat { + /* WARNING, it only deals with the 4096 first majors and 256 first minors */ + #define makedev(major, minor) ((dev_t)((((major) & 0xfff) << 8) | ((minor) & 0xff))) + #define major(dev) ((unsigned int)(((dev) >> 8) & 0xfff)) +-#define minor(dev) ((unsigned int)(((dev) & 0xff)) ++#define minor(dev) ((unsigned int)((dev) & 0xff)) + + #ifndef offsetof + #define offsetof(TYPE, FIELD) ((size_t) &((TYPE *)0)->FIELD) +-- +2.39.5 + diff --git a/queue-6.12/tools-power-turbostat-fix-amd-package-energy-reporti.patch b/queue-6.12/tools-power-turbostat-fix-amd-package-energy-reporti.patch new file mode 100644 index 0000000000..e1687ea7be --- /dev/null +++ b/queue-6.12/tools-power-turbostat-fix-amd-package-energy-reporti.patch @@ -0,0 +1,126 @@ +From 8b0b03bad77bbc27d04d1144590c85aab58cd6d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 17:18:25 +0530 +Subject: tools/power turbostat: Fix AMD package-energy reporting + +From: Gautham R. Shenoy + +[ Upstream commit adb49732c8c63665dd3476e8e6b7c67a0f851245 ] + +commit 05a2f07db888 ("tools/power turbostat: read RAPL counters via +perf") that adds support to read RAPL counters via perf defines the +notion of a RAPL domain_id which is set to physical_core_id on +platforms which support per_core_rapl counters (Eg: AMD processors +Family 17h onwards) and is set to the physical_package_id on all the +other platforms. + +However, the physical_core_id is only unique within a package and on +platforms with multiple packages more than one core can have the same +physical_core_id and thus the same domain_id. (For eg, the first cores +of each package have the physical_core_id = 0). This results in all +these cores with the same physical_core_id using the same entry in the +rapl_counter_info_perdomain[]. Since rapl_perf_init() skips the +perf-initialization for cores whose domain_ids have already been +visited, cores that have the same physical_core_id always read the +perf file corresponding to the physical_core_id of the first package +and thus the package-energy is incorrectly reported to be the same +value for different packages. + +Note: This issue only arises when RAPL counters are read via perf and +not when they are read via MSRs since in the latter case the MSRs are +read separately on each core. + +Fix this issue by associating each CPU with rapl_core_id which is +unique across all the packages in the system. + +Fixes: 05a2f07db888 ("tools/power turbostat: read RAPL counters via perf") +Signed-off-by: Gautham R. Shenoy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 41 +++++++++++++++++++++++---- + 1 file changed, 36 insertions(+), 5 deletions(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 12424bf08551d..4c322586730d4 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -4491,6 +4491,38 @@ unsigned long pmt_read_counter(struct pmt_counter *ppmt, unsigned int domain_id) + return (value & value_mask) >> value_shift; + } + ++ ++/* Rapl domain enumeration helpers */ ++static inline int get_rapl_num_domains(void) ++{ ++ int num_packages = topo.max_package_id + 1; ++ int num_cores_per_package; ++ int num_cores; ++ ++ if (!platform->has_per_core_rapl) ++ return num_packages; ++ ++ num_cores_per_package = topo.max_core_id + 1; ++ num_cores = num_cores_per_package * num_packages; ++ ++ return num_cores; ++} ++ ++static inline int get_rapl_domain_id(int cpu) ++{ ++ int nr_cores_per_package = topo.max_core_id + 1; ++ int rapl_core_id; ++ ++ if (!platform->has_per_core_rapl) ++ return cpus[cpu].physical_package_id; ++ ++ /* Compute the system-wide unique core-id for @cpu */ ++ rapl_core_id = cpus[cpu].physical_core_id; ++ rapl_core_id += cpus[cpu].physical_package_id * nr_cores_per_package; ++ ++ return rapl_core_id; ++} ++ + /* + * get_counters(...) + * migrate to cpu +@@ -4544,7 +4576,7 @@ int get_counters(struct thread_data *t, struct core_data *c, struct pkg_data *p) + goto done; + + if (platform->has_per_core_rapl) { +- status = get_rapl_counters(cpu, c->core_id, c, p); ++ status = get_rapl_counters(cpu, get_rapl_domain_id(cpu), c, p); + if (status != 0) + return status; + } +@@ -4610,7 +4642,7 @@ int get_counters(struct thread_data *t, struct core_data *c, struct pkg_data *p) + p->sys_lpi = cpuidle_cur_sys_lpi_us; + + if (!platform->has_per_core_rapl) { +- status = get_rapl_counters(cpu, p->package_id, c, p); ++ status = get_rapl_counters(cpu, get_rapl_domain_id(cpu), c, p); + if (status != 0) + return status; + } +@@ -7570,7 +7602,7 @@ void linux_perf_init(void) + + void rapl_perf_init(void) + { +- const unsigned int num_domains = (platform->has_per_core_rapl ? topo.max_core_id : topo.max_package_id) + 1; ++ const unsigned int num_domains = get_rapl_num_domains(); + bool *domain_visited = calloc(num_domains, sizeof(bool)); + + rapl_counter_info_perdomain = calloc(num_domains, sizeof(*rapl_counter_info_perdomain)); +@@ -7611,8 +7643,7 @@ void rapl_perf_init(void) + continue; + + /* Skip already seen and handled RAPL domains */ +- next_domain = +- platform->has_per_core_rapl ? cpus[cpu].physical_core_id : cpus[cpu].physical_package_id; ++ next_domain = get_rapl_domain_id(cpu); + + assert(next_domain < num_domains); + +-- +2.39.5 + diff --git a/queue-6.12/tools-x86-kcpuid-fix-error-handling.patch b/queue-6.12/tools-x86-kcpuid-fix-error-handling.patch new file mode 100644 index 0000000000..013838810f --- /dev/null +++ b/queue-6.12/tools-x86-kcpuid-fix-error-handling.patch @@ -0,0 +1,168 @@ +From 1fa011117260ddef9acc043dd2ab63ce902cafae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 15:20:22 +0100 +Subject: tools/x86/kcpuid: Fix error handling + +From: Ahmed S. Darwish + +[ Upstream commit 116edfe173d0c59ec2aa87fb91f2f31d477b61b3 ] + +Error handling in kcpuid is unreliable. On malloc() failures, the code +prints an error then just goes on. The error messages are also printed +to standard output instead of standard error. + +Use err() and errx() from to direct all error messages to +standard error and automatically exit the program. Use err() to include +the errno information, and errx() otherwise. Use warnx() for warnings. + +While at it, alphabetically reorder the header includes. + +[ mingo: Fix capitalization in the help text while at it. ] + +Fixes: c6b2f240bf8d ("tools/x86: Add a kcpuid tool to show raw CPU features") +Reported-by: Remington Brasga +Signed-off-by: Ahmed S. Darwish +Signed-off-by: Ingo Molnar +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Josh Poimboeuf +Link: https://lore.kernel.org/r/20250324142042.29010-2-darwi@linutronix.de +Closes: https://lkml.kernel.org/r/20240926223557.2048-1-rbrasga@uci.edu +Signed-off-by: Sasha Levin +--- + tools/arch/x86/kcpuid/kcpuid.c | 47 +++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 24 deletions(-) + +diff --git a/tools/arch/x86/kcpuid/kcpuid.c b/tools/arch/x86/kcpuid/kcpuid.c +index 1b25c0a95d3f9..40a9e59c2fd56 100644 +--- a/tools/arch/x86/kcpuid/kcpuid.c ++++ b/tools/arch/x86/kcpuid/kcpuid.c +@@ -1,11 +1,12 @@ + // SPDX-License-Identifier: GPL-2.0 + #define _GNU_SOURCE + +-#include ++#include ++#include + #include ++#include + #include + #include +-#include + + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + #define min(a, b) (((a) < (b)) ? (a) : (b)) +@@ -145,14 +146,14 @@ static bool cpuid_store(struct cpuid_range *range, u32 f, int subleaf, + if (!func->leafs) { + func->leafs = malloc(sizeof(struct subleaf)); + if (!func->leafs) +- perror("malloc func leaf"); ++ err(EXIT_FAILURE, NULL); + + func->nr = 1; + } else { + s = func->nr; + func->leafs = realloc(func->leafs, (s + 1) * sizeof(*leaf)); + if (!func->leafs) +- perror("realloc f->leafs"); ++ err(EXIT_FAILURE, NULL); + + func->nr++; + } +@@ -211,7 +212,7 @@ struct cpuid_range *setup_cpuid_range(u32 input_eax) + + range = malloc(sizeof(struct cpuid_range)); + if (!range) +- perror("malloc range"); ++ err(EXIT_FAILURE, NULL); + + if (input_eax & 0x80000000) + range->is_ext = true; +@@ -220,7 +221,7 @@ struct cpuid_range *setup_cpuid_range(u32 input_eax) + + range->funcs = malloc(sizeof(struct cpuid_func) * idx_func); + if (!range->funcs) +- perror("malloc range->funcs"); ++ err(EXIT_FAILURE, NULL); + + range->nr = idx_func; + memset(range->funcs, 0, sizeof(struct cpuid_func) * idx_func); +@@ -395,8 +396,8 @@ static int parse_line(char *line) + return 0; + + err_exit: +- printf("Warning: wrong line format:\n"); +- printf("\tline[%d]: %s\n", flines, line); ++ warnx("Wrong line format:\n" ++ "\tline[%d]: %s", flines, line); + return -1; + } + +@@ -418,10 +419,8 @@ static void parse_text(void) + file = fopen("./cpuid.csv", "r"); + } + +- if (!file) { +- printf("Fail to open '%s'\n", filename); +- return; +- } ++ if (!file) ++ err(EXIT_FAILURE, "%s", filename); + + while (1) { + ret = getline(&line, &len, file); +@@ -530,7 +529,7 @@ static inline struct cpuid_func *index_to_func(u32 index) + func_idx = index & 0xffff; + + if ((func_idx + 1) > (u32)range->nr) { +- printf("ERR: invalid input index (0x%x)\n", index); ++ warnx("Invalid input index (0x%x)", index); + return NULL; + } + return &range->funcs[func_idx]; +@@ -562,7 +561,7 @@ static void show_info(void) + return; + } + +- printf("ERR: invalid input subleaf (0x%x)\n", user_sub); ++ warnx("Invalid input subleaf (0x%x)", user_sub); + } + + show_func(func); +@@ -593,15 +592,15 @@ static void setup_platform_cpuid(void) + + static void usage(void) + { +- printf("kcpuid [-abdfhr] [-l leaf] [-s subleaf]\n" +- "\t-a|--all Show both bit flags and complex bit fields info\n" +- "\t-b|--bitflags Show boolean flags only\n" +- "\t-d|--detail Show details of the flag/fields (default)\n" +- "\t-f|--flags Specify the cpuid csv file\n" +- "\t-h|--help Show usage info\n" +- "\t-l|--leaf=index Specify the leaf you want to check\n" +- "\t-r|--raw Show raw cpuid data\n" +- "\t-s|--subleaf=sub Specify the subleaf you want to check\n" ++ warnx("kcpuid [-abdfhr] [-l leaf] [-s subleaf]\n" ++ "\t-a|--all Show both bit flags and complex bit fields info\n" ++ "\t-b|--bitflags Show boolean flags only\n" ++ "\t-d|--detail Show details of the flag/fields (default)\n" ++ "\t-f|--flags Specify the CPUID CSV file\n" ++ "\t-h|--help Show usage info\n" ++ "\t-l|--leaf=index Specify the leaf you want to check\n" ++ "\t-r|--raw Show raw CPUID data\n" ++ "\t-s|--subleaf=sub Specify the subleaf you want to check" + ); + } + +@@ -652,7 +651,7 @@ static int parse_options(int argc, char *argv[]) + user_sub = strtoul(optarg, NULL, 0); + break; + default: +- printf("%s: Invalid option '%c'\n", argv[0], optopt); ++ warnx("Invalid option '%c'", optopt); + return -1; + } + +-- +2.39.5 + diff --git a/queue-6.12/tracing-fix-error-handling-in-event_trigger_parse.patch b/queue-6.12/tracing-fix-error-handling-in-event_trigger_parse.patch new file mode 100644 index 0000000000..10c9c59764 --- /dev/null +++ b/queue-6.12/tracing-fix-error-handling-in-event_trigger_parse.patch @@ -0,0 +1,55 @@ +From 62424fa872027b576392ffcac191e51d11692d3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 10:53:07 -0400 +Subject: tracing: Fix error handling in event_trigger_parse() + +From: Miaoqian Lin + +[ Upstream commit c5dd28e7fb4f63475b50df4f58311df92939d011 ] + +According to trigger_data_alloc() doc, trigger_data_free() should be +used to free an event_trigger_data object. This fixes a mismatch introduced +when kzalloc was replaced with trigger_data_alloc without updating +the corresponding deallocation calls. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Andrew Morton +Cc: Mathieu Desnoyers +Cc: Tom Zanussi +Link: https://lore.kernel.org/20250507145455.944453325@goodmis.org +Link: https://lore.kernel.org/20250318112737.4174-1-linmq006@gmail.com +Fixes: e1f187d09e11 ("tracing: Have existing event_command.parse() implementations use helpers") +Signed-off-by: Miaoqian Lin +[ SDR: Changed event_trigger_alloc/free() to trigger_data_alloc/free() ] +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_trigger.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c +index e85d434f176a0..d5dbda9b0e4b0 100644 +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -1016,7 +1016,7 @@ event_trigger_parse(struct event_command *cmd_ops, + + if (remove) { + event_trigger_unregister(cmd_ops, file, glob+1, trigger_data); +- kfree(trigger_data); ++ trigger_data_free(trigger_data); + ret = 0; + goto out; + } +@@ -1043,7 +1043,7 @@ event_trigger_parse(struct event_command *cmd_ops, + + out_free: + event_trigger_reset_filter(cmd_ops, trigger_data); +- kfree(trigger_data); ++ trigger_data_free(trigger_data); + goto out; + } + +-- +2.39.5 + diff --git a/queue-6.12/tracing-move-histogram-trigger-variables-from-stack-.patch b/queue-6.12/tracing-move-histogram-trigger-variables-from-stack-.patch new file mode 100644 index 0000000000..9d2817fc73 --- /dev/null +++ b/queue-6.12/tracing-move-histogram-trigger-variables-from-stack-.patch @@ -0,0 +1,239 @@ +From 183291f4710f943f20298a6c6c801b048141ad74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 12:38:51 -0400 +Subject: tracing: Move histogram trigger variables from stack to per CPU + structure + +From: Steven Rostedt + +[ Upstream commit 7ab0fc61ce73040f89b12d76a8279995ec283541 ] + +The histogram trigger has three somewhat large arrays on the kernel stack: + + unsigned long entries[HIST_STACKTRACE_DEPTH]; + u64 var_ref_vals[TRACING_MAP_VARS_MAX]; + char compound_key[HIST_KEY_SIZE_MAX]; + +Checking the function event_hist_trigger() stack frame size, it currently +uses 816 bytes for its stack frame due to these variables! + +Instead, allocate a per CPU structure that holds these arrays for each +context level (normal, softirq, irq and NMI). That is, each CPU will have +4 of these structures. This will be allocated when the first histogram +trigger is enabled and freed when the last is disabled. When the +histogram callback triggers, it will request this structure. The request +will disable preemption, get the per CPU structure at the index of the +per CPU variable, and increment that variable. + +The callback will use the arrays in this structure to perform its work and +then release the structure. That in turn will simply decrement the per CPU +index and enable preemption. + +Moving the variables from the kernel stack to the per CPU structure brings +the stack frame of event_hist_trigger() down to just 112 bytes. + +Cc: Mathieu Desnoyers +Cc: Tom Zanussi +Link: https://lore.kernel.org/20250407123851.74ea8d58@gandalf.local.home +Fixes: 067fe038e70f6 ("tracing: Add variable reference handling to hist triggers") +Reviewed-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_hist.c | 120 +++++++++++++++++++++++++++---- + 1 file changed, 105 insertions(+), 15 deletions(-) + +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index 4ebafc655223a..c56375848e088 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -5249,17 +5249,94 @@ hist_trigger_actions(struct hist_trigger_data *hist_data, + } + } + ++/* ++ * The hist_pad structure is used to save information to create ++ * a histogram from the histogram trigger. It's too big to store ++ * on the stack, so when the histogram trigger is initialized ++ * a percpu array of 4 hist_pad structures is allocated. ++ * This will cover every context from normal, softirq, irq and NMI ++ * in the very unlikely event that a tigger happens at each of ++ * these contexts and interrupts a currently active trigger. ++ */ ++struct hist_pad { ++ unsigned long entries[HIST_STACKTRACE_DEPTH]; ++ u64 var_ref_vals[TRACING_MAP_VARS_MAX]; ++ char compound_key[HIST_KEY_SIZE_MAX]; ++}; ++ ++static struct hist_pad __percpu *hist_pads; ++static DEFINE_PER_CPU(int, hist_pad_cnt); ++static refcount_t hist_pad_ref; ++ ++/* One hist_pad for every context (normal, softirq, irq, NMI) */ ++#define MAX_HIST_CNT 4 ++ ++static int alloc_hist_pad(void) ++{ ++ lockdep_assert_held(&event_mutex); ++ ++ if (refcount_read(&hist_pad_ref)) { ++ refcount_inc(&hist_pad_ref); ++ return 0; ++ } ++ ++ hist_pads = __alloc_percpu(sizeof(struct hist_pad) * MAX_HIST_CNT, ++ __alignof__(struct hist_pad)); ++ if (!hist_pads) ++ return -ENOMEM; ++ ++ refcount_set(&hist_pad_ref, 1); ++ return 0; ++} ++ ++static void free_hist_pad(void) ++{ ++ lockdep_assert_held(&event_mutex); ++ ++ if (!refcount_dec_and_test(&hist_pad_ref)) ++ return; ++ ++ free_percpu(hist_pads); ++ hist_pads = NULL; ++} ++ ++static struct hist_pad *get_hist_pad(void) ++{ ++ struct hist_pad *hist_pad; ++ int cnt; ++ ++ if (WARN_ON_ONCE(!hist_pads)) ++ return NULL; ++ ++ preempt_disable(); ++ ++ hist_pad = per_cpu_ptr(hist_pads, smp_processor_id()); ++ ++ if (this_cpu_read(hist_pad_cnt) == MAX_HIST_CNT) { ++ preempt_enable(); ++ return NULL; ++ } ++ ++ cnt = this_cpu_inc_return(hist_pad_cnt) - 1; ++ ++ return &hist_pad[cnt]; ++} ++ ++static void put_hist_pad(void) ++{ ++ this_cpu_dec(hist_pad_cnt); ++ preempt_enable(); ++} ++ + static void event_hist_trigger(struct event_trigger_data *data, + struct trace_buffer *buffer, void *rec, + struct ring_buffer_event *rbe) + { + struct hist_trigger_data *hist_data = data->private_data; + bool use_compound_key = (hist_data->n_keys > 1); +- unsigned long entries[HIST_STACKTRACE_DEPTH]; +- u64 var_ref_vals[TRACING_MAP_VARS_MAX]; +- char compound_key[HIST_KEY_SIZE_MAX]; + struct tracing_map_elt *elt = NULL; + struct hist_field *key_field; ++ struct hist_pad *hist_pad; + u64 field_contents; + void *key = NULL; + unsigned int i; +@@ -5267,12 +5344,18 @@ static void event_hist_trigger(struct event_trigger_data *data, + if (unlikely(!rbe)) + return; + +- memset(compound_key, 0, hist_data->key_size); ++ hist_pad = get_hist_pad(); ++ if (!hist_pad) ++ return; ++ ++ memset(hist_pad->compound_key, 0, hist_data->key_size); + + for_each_hist_key_field(i, hist_data) { + key_field = hist_data->fields[i]; + + if (key_field->flags & HIST_FIELD_FL_STACKTRACE) { ++ unsigned long *entries = hist_pad->entries; ++ + memset(entries, 0, HIST_STACKTRACE_SIZE); + if (key_field->field) { + unsigned long *stack, n_entries; +@@ -5296,26 +5379,31 @@ static void event_hist_trigger(struct event_trigger_data *data, + } + + if (use_compound_key) +- add_to_key(compound_key, key, key_field, rec); ++ add_to_key(hist_pad->compound_key, key, key_field, rec); + } + + if (use_compound_key) +- key = compound_key; ++ key = hist_pad->compound_key; + + if (hist_data->n_var_refs && +- !resolve_var_refs(hist_data, key, var_ref_vals, false)) +- return; ++ !resolve_var_refs(hist_data, key, hist_pad->var_ref_vals, false)) ++ goto out; + + elt = tracing_map_insert(hist_data->map, key); + if (!elt) +- return; ++ goto out; + +- hist_trigger_elt_update(hist_data, elt, buffer, rec, rbe, var_ref_vals); ++ hist_trigger_elt_update(hist_data, elt, buffer, rec, rbe, hist_pad->var_ref_vals); + +- if (resolve_var_refs(hist_data, key, var_ref_vals, true)) +- hist_trigger_actions(hist_data, elt, buffer, rec, rbe, key, var_ref_vals); ++ if (resolve_var_refs(hist_data, key, hist_pad->var_ref_vals, true)) { ++ hist_trigger_actions(hist_data, elt, buffer, rec, rbe, ++ key, hist_pad->var_ref_vals); ++ } + + hist_poll_wakeup(); ++ ++ out: ++ put_hist_pad(); + } + + static void hist_trigger_stacktrace_print(struct seq_file *m, +@@ -6160,6 +6248,9 @@ static int event_hist_trigger_init(struct event_trigger_data *data) + { + struct hist_trigger_data *hist_data = data->private_data; + ++ if (alloc_hist_pad() < 0) ++ return -ENOMEM; ++ + if (!data->ref && hist_data->attrs->name) + save_named_trigger(hist_data->attrs->name, data); + +@@ -6204,6 +6295,7 @@ static void event_hist_trigger_free(struct event_trigger_data *data) + + destroy_hist_data(hist_data); + } ++ free_hist_pad(); + } + + static struct event_trigger_ops event_hist_trigger_ops = { +@@ -6219,9 +6311,7 @@ static int event_hist_trigger_named_init(struct event_trigger_data *data) + + save_named_trigger(data->named_data->name, data); + +- event_hist_trigger_init(data->named_data); +- +- return 0; ++ return event_hist_trigger_init(data->named_data); + } + + static void event_hist_trigger_named_free(struct event_trigger_data *data) +-- +2.39.5 + diff --git a/queue-6.12/tracing-rename-event_trigger_alloc-to-trigger_data_a.patch b/queue-6.12/tracing-rename-event_trigger_alloc-to-trigger_data_a.patch new file mode 100644 index 0000000000..948604cab7 --- /dev/null +++ b/queue-6.12/tracing-rename-event_trigger_alloc-to-trigger_data_a.patch @@ -0,0 +1,126 @@ +From 9d9913c0dd02f9f4bb59d595675daa48653718a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 10:53:06 -0400 +Subject: tracing: Rename event_trigger_alloc() to trigger_data_alloc() + +From: Steven Rostedt + +[ Upstream commit f2947c4b7d0f235621c5daf78aecfbd6e22c05e5 ] + +The function event_trigger_alloc() creates an event_trigger_data +descriptor and states that it needs to be freed via event_trigger_free(). +This is incorrect, it needs to be freed by trigger_data_free() as +event_trigger_free() adds ref counting. + +Rename event_trigger_alloc() to trigger_data_alloc() and state that it +needs to be freed via trigger_data_free(). This naming convention +was introducing bugs. + +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Tom Zanussi +Link: https://lore.kernel.org/20250507145455.776436410@goodmis.org +Fixes: 86599dbe2c527 ("tracing: Add helper functions to simplify event_command.parse() callback handling") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.h | 8 +++----- + kernel/trace/trace_events_hist.c | 2 +- + kernel/trace/trace_events_trigger.c | 16 ++++++++-------- + 3 files changed, 12 insertions(+), 14 deletions(-) + +diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h +index 82da3ac140242..57e1af1d3e6d4 100644 +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -1731,6 +1731,9 @@ extern int event_enable_register_trigger(char *glob, + extern void event_enable_unregister_trigger(char *glob, + struct event_trigger_data *test, + struct trace_event_file *file); ++extern struct event_trigger_data * ++trigger_data_alloc(struct event_command *cmd_ops, char *cmd, char *param, ++ void *private_data); + extern void trigger_data_free(struct event_trigger_data *data); + extern int event_trigger_init(struct event_trigger_data *data); + extern int trace_event_trigger_enable_disable(struct trace_event_file *file, +@@ -1757,11 +1760,6 @@ extern bool event_trigger_check_remove(const char *glob); + extern bool event_trigger_empty_param(const char *param); + extern int event_trigger_separate_filter(char *param_and_filter, char **param, + char **filter, bool param_required); +-extern struct event_trigger_data * +-event_trigger_alloc(struct event_command *cmd_ops, +- char *cmd, +- char *param, +- void *private_data); + extern int event_trigger_parse_num(char *trigger, + struct event_trigger_data *trigger_data); + extern int event_trigger_set_filter(struct event_command *cmd_ops, +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index c56375848e088..3379e14d38e9b 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -6798,7 +6798,7 @@ static int event_hist_trigger_parse(struct event_command *cmd_ops, + return PTR_ERR(hist_data); + } + +- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, hist_data); ++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data); + if (!trigger_data) { + ret = -ENOMEM; + goto out_free; +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c +index 27e21488d5741..e85d434f176a0 100644 +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -825,7 +825,7 @@ int event_trigger_separate_filter(char *param_and_filter, char **param, + } + + /** +- * event_trigger_alloc - allocate and init event_trigger_data for a trigger ++ * trigger_data_alloc - allocate and init event_trigger_data for a trigger + * @cmd_ops: The event_command operations for the trigger + * @cmd: The cmd string + * @param: The param string +@@ -836,14 +836,14 @@ int event_trigger_separate_filter(char *param_and_filter, char **param, + * trigger_ops to assign to the event_trigger_data. @private_data can + * also be passed in and associated with the event_trigger_data. + * +- * Use event_trigger_free() to free an event_trigger_data object. ++ * Use trigger_data_free() to free an event_trigger_data object. + * + * Return: The trigger_data object success, NULL otherwise + */ +-struct event_trigger_data *event_trigger_alloc(struct event_command *cmd_ops, +- char *cmd, +- char *param, +- void *private_data) ++struct event_trigger_data *trigger_data_alloc(struct event_command *cmd_ops, ++ char *cmd, ++ char *param, ++ void *private_data) + { + struct event_trigger_data *trigger_data; + struct event_trigger_ops *trigger_ops; +@@ -1010,7 +1010,7 @@ event_trigger_parse(struct event_command *cmd_ops, + return ret; + + ret = -ENOMEM; +- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, file); ++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, file); + if (!trigger_data) + goto out; + +@@ -1814,7 +1814,7 @@ int event_enable_trigger_parse(struct event_command *cmd_ops, + enable_data->enable = enable; + enable_data->file = event_enable_file; + +- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, enable_data); ++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, enable_data); + if (!trigger_data) { + kfree(enable_data); + goto out; +-- +2.39.5 + diff --git a/queue-6.12/usb-acpi-prevent-null-pointer-dereference-in-usb_acp.patch b/queue-6.12/usb-acpi-prevent-null-pointer-dereference-in-usb_acp.patch new file mode 100644 index 0000000000..b2e0315d60 --- /dev/null +++ b/queue-6.12/usb-acpi-prevent-null-pointer-dereference-in-usb_acp.patch @@ -0,0 +1,48 @@ +From 1d443f2772190a014035fba306906b8fa0e4f29b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 14:50:32 -0500 +Subject: usb: acpi: Prevent null pointer dereference in + usb_acpi_add_usb4_devlink() + +From: Chenyuan Yang + +[ Upstream commit 73fb0ec9436ae87bcae067ce35d6cdd72bade86c ] + +As demonstrated by the fix for update_port_device_state, +commit 12783c0b9e2c ("usb: core: Prevent null pointer dereference in update_port_device_state"), +usb_hub_to_struct_hub() can return NULL in certain scenarios, +such as during hub driver unbind or teardown race conditions, +even if the underlying usb_device structure exists. + +Plus, all other places that call usb_hub_to_struct_hub() in the same file +do check for NULL return values. + +If usb_hub_to_struct_hub() returns NULL, the subsequent access to +hub->ports[udev->portnum - 1] will cause a null pointer dereference. + +Signed-off-by: Chenyuan Yang +Fixes: f1bfb4a6fed6 ("usb: acpi: add device link between tunneled USB3 device and USB4 Host Interface") +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250417195032.1811338-1-chenyuan0y@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/usb-acpi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/core/usb-acpi.c b/drivers/usb/core/usb-acpi.c +index 03c22114214b5..494e21a11cd26 100644 +--- a/drivers/usb/core/usb-acpi.c ++++ b/drivers/usb/core/usb-acpi.c +@@ -165,6 +165,8 @@ static int usb_acpi_add_usb4_devlink(struct usb_device *udev) + return 0; + + hub = usb_hub_to_struct_hub(udev->parent); ++ if (!hub) ++ return 0; + port_dev = hub->ports[udev->portnum - 1]; + + struct fwnode_handle *nhi_fwnode __free(fwnode_handle) = +-- +2.39.5 + diff --git a/queue-6.12/usb-gadget-udc-fix-const-issue-in-gadget_match_drive.patch b/queue-6.12/usb-gadget-udc-fix-const-issue-in-gadget_match_drive.patch new file mode 100644 index 0000000000..76189a1c7e --- /dev/null +++ b/queue-6.12/usb-gadget-udc-fix-const-issue-in-gadget_match_drive.patch @@ -0,0 +1,38 @@ +From e46d1b735e62546a115dcbc7b628291425c24c4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 15:41:40 +0200 +Subject: USB: gadget: udc: fix const issue in gadget_match_driver() + +From: Greg Kroah-Hartman + +[ Upstream commit 5f5cc794fac605afd3bef8065e33096aeacf6257 ] + +gadget_match_driver() takes a const pointer, and then decides to cast it +away into a non-const one, which is not a good thing to do overall. Fix +this up by properly setting the pointers to be const to preserve that +attribute. + +Fixes: d69d80484598 ("driver core: have match() callback in struct bus_type take a const *") +Link: https://lore.kernel.org/r/2025052139-rash-unsaddle-7c5e@gregkh +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c +index 4b3d5075621aa..d709e24c1fd42 100644 +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -1570,7 +1570,7 @@ static int gadget_match_driver(struct device *dev, const struct device_driver *d + { + struct usb_gadget *gadget = dev_to_usb_gadget(dev); + struct usb_udc *udc = gadget->udc; +- struct usb_gadget_driver *driver = container_of(drv, ++ const struct usb_gadget_driver *driver = container_of(drv, + struct usb_gadget_driver, driver); + + /* If the driver specifies a udc_name, it must match the UDC's name */ +-- +2.39.5 + diff --git a/queue-6.12/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch b/queue-6.12/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch new file mode 100644 index 0000000000..2279ef2e65 --- /dev/null +++ b/queue-6.12/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch @@ -0,0 +1,192 @@ +From f0eeb4ce225719483c411a0fd1e2f3b4b63db60d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 11:50:02 +0100 +Subject: usb: renesas_usbhs: Reorder clock handling and power management in + probe + +From: Lad Prabhakar + +[ Upstream commit ffb34a60ce86656ba12d46e91f1ccc71dd221251 ] + +Reorder the initialization sequence in `usbhs_probe()` to enable runtime +PM before accessing registers, preventing potential crashes due to +uninitialized clocks. + +Currently, in the probe path, registers are accessed before enabling the +clocks, leading to a synchronous external abort on the RZ/V2H SoC. +The problematic call flow is as follows: + + usbhs_probe() + usbhs_sys_clock_ctrl() + usbhs_bset() + usbhs_write() + iowrite16() <-- Register access before enabling clocks + +Since `iowrite16()` is performed without ensuring the required clocks are +enabled, this can lead to access errors. To fix this, enable PM runtime +early in the probe function and ensure clocks are acquired before register +access, preventing crashes like the following on RZ/V2H: + +[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP +[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 +[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 +[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) +[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] +[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] +[13.321138] sp : ffff8000827e3850 +[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 +[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 +[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 +[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff +[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce +[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000 +[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 +[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c +[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 +[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 +[13.395574] Call trace: +[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P) +[13.403076] platform_probe+0x68/0xdc +[13.406738] really_probe+0xbc/0x2c0 +[13.410306] __driver_probe_device+0x78/0x120 +[13.414653] driver_probe_device+0x3c/0x154 +[13.418825] __driver_attach+0x90/0x1a0 +[13.422647] bus_for_each_dev+0x7c/0xe0 +[13.426470] driver_attach+0x24/0x30 +[13.430032] bus_add_driver+0xe4/0x208 +[13.433766] driver_register+0x68/0x130 +[13.437587] __platform_driver_register+0x24/0x30 +[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] +[13.448450] do_one_initcall+0x60/0x1d4 +[13.452276] do_init_module+0x54/0x1f8 +[13.456014] load_module+0x1754/0x1c98 +[13.459750] init_module_from_file+0x88/0xcc +[13.464004] __arm64_sys_finit_module+0x1c4/0x328 +[13.468689] invoke_syscall+0x48/0x104 +[13.472426] el0_svc_common.constprop.0+0xc0/0xe0 +[13.477113] do_el0_svc+0x1c/0x28 +[13.480415] el0_svc+0x30/0xcc +[13.483460] el0t_64_sync_handler+0x10c/0x138 +[13.487800] el0t_64_sync+0x198/0x19c +[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) +[13.497522] ---[ end trace 0000000000000000 ]--- + +Fixes: f1407d5c66240 ("usb: renesas_usbhs: Add Renesas USBHS common code") +Signed-off-by: Lad Prabhakar +Reviewed-by: Yoshihiro Shimoda +Tested-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/20250407105002.107181-4-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/renesas_usbhs/common.c | 50 +++++++++++++++++++++++------- + 1 file changed, 38 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c +index 7324de52d9505..161786e9b7e47 100644 +--- a/drivers/usb/renesas_usbhs/common.c ++++ b/drivers/usb/renesas_usbhs/common.c +@@ -685,10 +685,29 @@ static int usbhs_probe(struct platform_device *pdev) + INIT_DELAYED_WORK(&priv->notify_hotplug_work, usbhsc_notify_hotplug); + spin_lock_init(usbhs_priv_to_lock(priv)); + ++ /* ++ * Acquire clocks and enable power management (PM) early in the ++ * probe process, as the driver accesses registers during ++ * initialization. Ensure the device is active before proceeding. ++ */ ++ pm_runtime_enable(dev); ++ ++ ret = usbhsc_clk_get(dev, priv); ++ if (ret) ++ goto probe_pm_disable; ++ ++ ret = pm_runtime_resume_and_get(dev); ++ if (ret) ++ goto probe_clk_put; ++ ++ ret = usbhsc_clk_prepare_enable(priv); ++ if (ret) ++ goto probe_pm_put; ++ + /* call pipe and module init */ + ret = usbhs_pipe_probe(priv); + if (ret < 0) +- return ret; ++ goto probe_clk_dis_unprepare; + + ret = usbhs_fifo_probe(priv); + if (ret < 0) +@@ -705,10 +724,6 @@ static int usbhs_probe(struct platform_device *pdev) + if (ret) + goto probe_fail_rst; + +- ret = usbhsc_clk_get(dev, priv); +- if (ret) +- goto probe_fail_clks; +- + /* + * deviece reset here because + * USB device might be used in boot loader. +@@ -721,7 +736,7 @@ static int usbhs_probe(struct platform_device *pdev) + if (ret) { + dev_warn(dev, "USB function not selected (GPIO)\n"); + ret = -ENOTSUPP; +- goto probe_end_mod_exit; ++ goto probe_assert_rest; + } + } + +@@ -735,14 +750,19 @@ static int usbhs_probe(struct platform_device *pdev) + ret = usbhs_platform_call(priv, hardware_init, pdev); + if (ret < 0) { + dev_err(dev, "platform init failed.\n"); +- goto probe_end_mod_exit; ++ goto probe_assert_rest; + } + + /* reset phy for connection */ + usbhs_platform_call(priv, phy_reset, pdev); + +- /* power control */ +- pm_runtime_enable(dev); ++ /* ++ * Disable the clocks that were enabled earlier in the probe path, ++ * and let the driver handle the clocks beyond this point. ++ */ ++ usbhsc_clk_disable_unprepare(priv); ++ pm_runtime_put(dev); ++ + if (!usbhs_get_dparam(priv, runtime_pwctrl)) { + usbhsc_power_ctrl(priv, 1); + usbhs_mod_autonomy_mode(priv); +@@ -759,9 +779,7 @@ static int usbhs_probe(struct platform_device *pdev) + + return ret; + +-probe_end_mod_exit: +- usbhsc_clk_put(priv); +-probe_fail_clks: ++probe_assert_rest: + reset_control_assert(priv->rsts); + probe_fail_rst: + usbhs_mod_remove(priv); +@@ -769,6 +787,14 @@ static int usbhs_probe(struct platform_device *pdev) + usbhs_fifo_remove(priv); + probe_end_pipe_exit: + usbhs_pipe_remove(priv); ++probe_clk_dis_unprepare: ++ usbhsc_clk_disable_unprepare(priv); ++probe_pm_put: ++ pm_runtime_put(dev); ++probe_clk_put: ++ usbhsc_clk_put(priv); ++probe_pm_disable: ++ pm_runtime_disable(dev); + + dev_info(dev, "probe failed (%d)\n", ret); + +-- +2.39.5 + diff --git a/queue-6.12/usb-serial-bus-fix-const-issue-in-usb_serial_device_.patch b/queue-6.12/usb-serial-bus-fix-const-issue-in-usb_serial_device_.patch new file mode 100644 index 0000000000..7476548cea --- /dev/null +++ b/queue-6.12/usb-serial-bus-fix-const-issue-in-usb_serial_device_.patch @@ -0,0 +1,38 @@ +From 212b3be266bc49bae1a28436dec0f184edc48b24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 15:41:34 +0200 +Subject: USB: serial: bus: fix const issue in usb_serial_device_match() + +From: Greg Kroah-Hartman + +[ Upstream commit 92cd405b648605db4da866f3b9818b271ae84ef0 ] + +usb_serial_device_match() takes a const pointer, and then decides to +cast it away into a non-const one, which is not a good thing to do +overall. Fix this up by properly setting the pointers to be const to +preserve that attribute. + +Fixes: d69d80484598 ("driver core: have match() callback in struct bus_type take a const *") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/serial/bus.c b/drivers/usb/serial/bus.c +index d200e2c29a8ff..45cb78864c96d 100644 +--- a/drivers/usb/serial/bus.c ++++ b/drivers/usb/serial/bus.c +@@ -17,7 +17,7 @@ static int usb_serial_device_match(struct device *dev, + const struct device_driver *drv) + { + const struct usb_serial_port *port = to_usb_serial_port(dev); +- struct usb_serial_driver *driver = to_usb_serial_driver(drv); ++ const struct usb_serial_driver *driver = to_usb_serial_driver(drv); + + /* + * drivers are already assigned to ports in serial_probe so it's +-- +2.39.5 + diff --git a/queue-6.12/usb-typec-fix-const-issue-in-typec_match.patch b/queue-6.12/usb-typec-fix-const-issue-in-typec_match.patch new file mode 100644 index 0000000000..e4c0f273f9 --- /dev/null +++ b/queue-6.12/usb-typec-fix-const-issue-in-typec_match.patch @@ -0,0 +1,39 @@ +From 285fbdaf8f5c785351256fad135375590569ccb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 15:35:24 +0200 +Subject: USB: typec: fix const issue in typec_match() + +From: Greg Kroah-Hartman + +[ Upstream commit ae4432e01dd967a64f6670a152d91d5328032726 ] + +typec_match() takes a const pointer, and then decides to cast it away +into a non-const one, which is not a good thing to do overall. Fix this +up by properly setting the pointers to be const to preserve that +attribute. + +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/2025052126-scholar-stainless-ad55@gregkh +Fixes: d69d80484598 ("driver core: have match() callback in struct bus_type take a const *") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/bus.c b/drivers/usb/typec/bus.c +index aa879253d3b81..13044ee5be10d 100644 +--- a/drivers/usb/typec/bus.c ++++ b/drivers/usb/typec/bus.c +@@ -449,7 +449,7 @@ ATTRIBUTE_GROUPS(typec); + + static int typec_match(struct device *dev, const struct device_driver *driver) + { +- struct typec_altmode_driver *drv = to_altmode_driver(driver); ++ const struct typec_altmode_driver *drv = to_altmode_driver(driver); + struct typec_altmode *altmode = to_typec_altmode(dev); + const struct typec_device_id *id; + +-- +2.39.5 + diff --git a/queue-6.12/use-thread-safe-function-pointer-in-libbpf_print.patch b/queue-6.12/use-thread-safe-function-pointer-in-libbpf_print.patch new file mode 100644 index 0000000000..46378a696e --- /dev/null +++ b/queue-6.12/use-thread-safe-function-pointer-in-libbpf_print.patch @@ -0,0 +1,39 @@ +From 588545cac9aa0bf8bcda1dd8dbe9e67cbc6cdc54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 18:14:57 -0400 +Subject: Use thread-safe function pointer in libbpf_print + +From: Jonathan Wiepert + +[ Upstream commit 91dbac4076537b464639953c055c460d2bdfc7ea ] + +This patch fixes a thread safety bug where libbpf_print uses the +global variable storing the print function pointer rather than the local +variable that had the print function set via __atomic_load_n. + +Fixes: f1cb927cdb62 ("libbpf: Ensure print callback usage is thread-safe") +Signed-off-by: Jonathan Wiepert +Signed-off-by: Andrii Nakryiko +Acked-by: Mykyta Yatsenko +Link: https://lore.kernel.org/bpf/20250424221457.793068-1-jonathan.wiepert@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index c6eceae4d6ff6..bb24f6bac2073 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -285,7 +285,7 @@ void libbpf_print(enum libbpf_print_level level, const char *format, ...) + old_errno = errno; + + va_start(args, format); +- __libbpf_pr(level, format, args); ++ print_fn(level, format, args); + va_end(args); + + errno = old_errno; +-- +2.39.5 + diff --git a/queue-6.12/vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch b/queue-6.12/vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch new file mode 100644 index 0000000000..a63e7e5750 --- /dev/null +++ b/queue-6.12/vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch @@ -0,0 +1,45 @@ +From c945f37c67f3e62e768607d5be0dc4ff2ebb27fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:46:47 +0800 +Subject: vfio/type1: Fix error unwind in migration dirty bitmap allocation + +From: Li RongQing + +[ Upstream commit 4518e5a60c7fbf0cdff393c2681db39d77b4f87e ] + +When setting up dirty page tracking at the vfio IOMMU backend for +device migration, if an error is encountered allocating a tracking +bitmap, the unwind loop fails to free previously allocated tracking +bitmaps. This occurs because the wrong loop index is used to +generate the tracking object. This results in unintended memory +usage for the life of the current DMA mappings where bitmaps were +successfully allocated. + +Use the correct loop index to derive the tracking object for +freeing during unwind. + +Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking") +Signed-off-by: Li RongQing +Link: https://lore.kernel.org/r/20250521034647.2877-1-lirongqing@baidu.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index bf391b40e576f..8338cfd61fe14 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -294,7 +294,7 @@ static int vfio_dma_bitmap_alloc_all(struct vfio_iommu *iommu, size_t pgsize) + struct rb_node *p; + + for (p = rb_prev(n); p; p = rb_prev(p)) { +- struct vfio_dma *dma = rb_entry(n, ++ struct vfio_dma *dma = rb_entry(p, + struct vfio_dma, node); + + vfio_dma_bitmap_free(dma); +-- +2.39.5 + diff --git a/queue-6.12/vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch b/queue-6.12/vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch new file mode 100644 index 0000000000..75b1a77da9 --- /dev/null +++ b/queue-6.12/vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch @@ -0,0 +1,82 @@ +From a5384451f8371febbb5dc1e2e0e17a503edee28f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 15:27:00 +0000 +Subject: vmxnet3: correctly report gso type for UDP tunnels + +From: Ronak Doshi + +[ Upstream commit 982d30c30eaa2ec723df42e3bf526c014c1dbb88 ] + +Commit 3d010c8031e3 ("udp: do not accept non-tunnel GSO skbs landing +in a tunnel") added checks in linux stack to not accept non-tunnel +GRO packets landing in a tunnel. This exposed an issue in vmxnet3 +which was not correctly reporting GRO packets for tunnel packets. + +This patch fixes this issue by setting correct GSO type for the +tunnel packets. + +Currently, vmxnet3 does not support reporting inner fields for LRO +tunnel packets. The issue is not seen for egress drivers that do not +use skb inner fields. The workaround is to enable tnl-segmentation +offload on the egress interfaces if the driver supports it. This +problem pre-exists this patch fix and can be addressed as a separate +future patch. + +Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support") +Signed-off-by: Ronak Doshi +Acked-by: Guolin Yang +Link: https://patch.msgid.link/20250530152701.70354-1-ronak.doshi@broadcom.com +[pabeni@redhat.com: dropped the changelog] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 151d7cdfc4802..c48c2de6f961f 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1560,6 +1560,30 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapter *adapter, struct sk_buff *skb, + return (hlen + (hdr.tcp->doff << 2)); + } + ++static void ++vmxnet3_lro_tunnel(struct sk_buff *skb, __be16 ip_proto) ++{ ++ struct udphdr *uh = NULL; ++ ++ if (ip_proto == htons(ETH_P_IP)) { ++ struct iphdr *iph = (struct iphdr *)skb->data; ++ ++ if (iph->protocol == IPPROTO_UDP) ++ uh = (struct udphdr *)(iph + 1); ++ } else { ++ struct ipv6hdr *iph = (struct ipv6hdr *)skb->data; ++ ++ if (iph->nexthdr == IPPROTO_UDP) ++ uh = (struct udphdr *)(iph + 1); ++ } ++ if (uh) { ++ if (uh->check) ++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM; ++ else ++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL; ++ } ++} ++ + static int + vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq, + struct vmxnet3_adapter *adapter, int quota) +@@ -1873,6 +1897,8 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq, + if (segCnt != 0 && mss != 0) { + skb_shinfo(skb)->gso_type = rcd->v4 ? + SKB_GSO_TCPV4 : SKB_GSO_TCPV6; ++ if (encap_lro) ++ vmxnet3_lro_tunnel(skb, skb->protocol); + skb_shinfo(skb)->gso_size = mss; + skb_shinfo(skb)->gso_segs = segCnt; + } else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) { +-- +2.39.5 + diff --git a/queue-6.12/vsock-virtio-fix-rx_bytes-accounting-for-stream-sock.patch b/queue-6.12/vsock-virtio-fix-rx_bytes-accounting-for-stream-sock.patch new file mode 100644 index 0000000000..fcbf83bac6 --- /dev/null +++ b/queue-6.12/vsock-virtio-fix-rx_bytes-accounting-for-stream-sock.patch @@ -0,0 +1,163 @@ +From b244e5171ac15b32de84f0aad3e84bcfb13d7cd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 14:17:05 +0200 +Subject: vsock/virtio: fix `rx_bytes` accounting for stream sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stefano Garzarella + +[ Upstream commit 45ca7e9f0730ae36fc610e675b990e9cc9ca0714 ] + +In `struct virtio_vsock_sock`, we maintain two counters: +- `rx_bytes`: used internally to track how many bytes have been read. + This supports mechanisms like .stream_has_data() and sock_rcvlowat(). +- `fwd_cnt`: used for the credit mechanism to inform available receive + buffer space to the remote peer. + +These counters are updated via virtio_transport_inc_rx_pkt() and +virtio_transport_dec_rx_pkt(). + +Since the beginning with commit 06a8fc78367d ("VSOCK: Introduce +virtio_vsock_common.ko"), we call virtio_transport_dec_rx_pkt() in +virtio_transport_stream_do_dequeue() only when we consume the entire +packet, so partial reads, do not update `rx_bytes` and `fwd_cnt`. + +This is fine for `fwd_cnt`, because we still have space used for the +entire packet, and we don't want to update the credit for the other +peer until we free the space of the entire packet. However, this +causes `rx_bytes` to be stale on partial reads. + +Previously, this didn’t cause issues because `rx_bytes` was used only by +.stream_has_data(), and any unread portion of a packet implied data was +still available. However, since commit 93b808876682 +("virtio/vsock: fix logic which reduces credit update messages"), we now +rely on `rx_bytes` to determine if a credit update should be sent when +the data in the RX queue drops below SO_RCVLOWAT value. + +This patch fixes the accounting by updating `rx_bytes` with the number +of bytes actually read, even on partial reads, while leaving `fwd_cnt` +untouched until the packet is fully consumed. Also introduce a new +`buf_used` counter to check that the remote peer is honoring the given +credit; this was previously done via `rx_bytes`. + +Fixes: 93b808876682 ("virtio/vsock: fix logic which reduces credit update messages") +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20250521121705.196379-1-sgarzare@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/linux/virtio_vsock.h | 1 + + net/vmw_vsock/virtio_transport_common.c | 26 +++++++++++++++---------- + 2 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/include/linux/virtio_vsock.h b/include/linux/virtio_vsock.h +index 0387d64e2c66c..36fb3edfa403d 100644 +--- a/include/linux/virtio_vsock.h ++++ b/include/linux/virtio_vsock.h +@@ -140,6 +140,7 @@ struct virtio_vsock_sock { + u32 last_fwd_cnt; + u32 rx_bytes; + u32 buf_alloc; ++ u32 buf_used; + struct sk_buff_head rx_queue; + u32 msg_count; + }; +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 7f7de6d880965..2c9b1011cdcc8 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -441,18 +441,20 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk, + static bool virtio_transport_inc_rx_pkt(struct virtio_vsock_sock *vvs, + u32 len) + { +- if (vvs->rx_bytes + len > vvs->buf_alloc) ++ if (vvs->buf_used + len > vvs->buf_alloc) + return false; + + vvs->rx_bytes += len; ++ vvs->buf_used += len; + return true; + } + + static void virtio_transport_dec_rx_pkt(struct virtio_vsock_sock *vvs, +- u32 len) ++ u32 bytes_read, u32 bytes_dequeued) + { +- vvs->rx_bytes -= len; +- vvs->fwd_cnt += len; ++ vvs->rx_bytes -= bytes_read; ++ vvs->buf_used -= bytes_dequeued; ++ vvs->fwd_cnt += bytes_dequeued; + } + + void virtio_transport_inc_tx_pkt(struct virtio_vsock_sock *vvs, struct sk_buff *skb) +@@ -581,11 +583,11 @@ virtio_transport_stream_do_dequeue(struct vsock_sock *vsk, + size_t len) + { + struct virtio_vsock_sock *vvs = vsk->trans; +- size_t bytes, total = 0; + struct sk_buff *skb; + u32 fwd_cnt_delta; + bool low_rx_bytes; + int err = -EFAULT; ++ size_t total = 0; + u32 free_space; + + spin_lock_bh(&vvs->rx_lock); +@@ -597,6 +599,8 @@ virtio_transport_stream_do_dequeue(struct vsock_sock *vsk, + } + + while (total < len && !skb_queue_empty(&vvs->rx_queue)) { ++ size_t bytes, dequeued = 0; ++ + skb = skb_peek(&vvs->rx_queue); + + bytes = min_t(size_t, len - total, +@@ -620,12 +624,12 @@ virtio_transport_stream_do_dequeue(struct vsock_sock *vsk, + VIRTIO_VSOCK_SKB_CB(skb)->offset += bytes; + + if (skb->len == VIRTIO_VSOCK_SKB_CB(skb)->offset) { +- u32 pkt_len = le32_to_cpu(virtio_vsock_hdr(skb)->len); +- +- virtio_transport_dec_rx_pkt(vvs, pkt_len); ++ dequeued = le32_to_cpu(virtio_vsock_hdr(skb)->len); + __skb_unlink(skb, &vvs->rx_queue); + consume_skb(skb); + } ++ ++ virtio_transport_dec_rx_pkt(vvs, bytes, dequeued); + } + + fwd_cnt_delta = vvs->fwd_cnt - vvs->last_fwd_cnt; +@@ -781,7 +785,7 @@ static int virtio_transport_seqpacket_do_dequeue(struct vsock_sock *vsk, + msg->msg_flags |= MSG_EOR; + } + +- virtio_transport_dec_rx_pkt(vvs, pkt_len); ++ virtio_transport_dec_rx_pkt(vvs, pkt_len, pkt_len); + kfree_skb(skb); + } + +@@ -1735,6 +1739,7 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto + struct sock *sk = sk_vsock(vsk); + struct virtio_vsock_hdr *hdr; + struct sk_buff *skb; ++ u32 pkt_len; + int off = 0; + int err; + +@@ -1752,7 +1757,8 @@ int virtio_transport_read_skb(struct vsock_sock *vsk, skb_read_actor_t recv_acto + if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SEQ_EOM) + vvs->msg_count--; + +- virtio_transport_dec_rx_pkt(vvs, le32_to_cpu(hdr->len)); ++ pkt_len = le32_to_cpu(hdr->len); ++ virtio_transport_dec_rx_pkt(vvs, pkt_len, pkt_len); + spin_unlock_bh(&vvs->rx_lock); + + virtio_transport_send_credit_update(vsk); +-- +2.39.5 + diff --git a/queue-6.12/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch b/queue-6.12/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch new file mode 100644 index 0000000000..f2bd3445df --- /dev/null +++ b/queue-6.12/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch @@ -0,0 +1,39 @@ +From 85eddd15a537bf7a58573c7ce9a57f39657955b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 11:30:52 -0400 +Subject: vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() + +From: Nicolas Pitre + +[ Upstream commit c4c7ead7b86c1e7f11c64915b7e5bb6d2e242691 ] + +They are listed amon those cmd values that "treat 'arg' as an integer" +which is wrong. They should instead fall into the default case. Probably +nobody ever relied on that code since 2009 but still. + +Fixes: e92166517e3c ("tty: handle VT specific compat ioctls in vt driver") +Signed-off-by: Nicolas Pitre +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/pr214s15-36r8-6732-2pop-159nq85o48r7@syhkavp.arg +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt_ioctl.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c +index 4b91072f3a4e9..1f2bdd2e1cc59 100644 +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -1103,8 +1103,6 @@ long vt_compat_ioctl(struct tty_struct *tty, + case VT_WAITACTIVE: + case VT_RELDISP: + case VT_DISALLOCATE: +- case VT_RESIZE: +- case VT_RESIZEX: + return vt_ioctl(tty, cmd, arg); + + /* +-- +2.39.5 + diff --git a/queue-6.12/watchdog-exar-shorten-identity-name-to-fit-correctly.patch b/queue-6.12/watchdog-exar-shorten-identity-name-to-fit-correctly.patch new file mode 100644 index 0000000000..eb9c192548 --- /dev/null +++ b/queue-6.12/watchdog-exar-shorten-identity-name-to-fit-correctly.patch @@ -0,0 +1,44 @@ +From 6161f9fd67f4a664be39f2e5611fb9d95c5e9c23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 15:52:49 -0700 +Subject: watchdog: exar: Shorten identity name to fit correctly + +From: Kees Cook + +[ Upstream commit 8e28276a569addb8a2324439ae473848ee52b056 ] + +The static initializer for struct watchdog_info::identity is too long +and gets initialized without a trailing NUL byte. Since the length +of "identity" is part of UAPI and tied to ioctls, just shorten +the name of the device. Avoids the warning seen with GCC 15's +-Wunterminated-string-initialization option: + +drivers/watchdog/exar_wdt.c:224:27: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (33 chars into 32 available) [-Wunterminated-string-initialization] + 224 | .identity = "Exar/MaxLinear XR28V38x Watchdog", + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: 81126222bd3a ("watchdog: Exar/MaxLinear XR28V38x driver") +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250415225246.work.458-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/watchdog/exar_wdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/exar_wdt.c b/drivers/watchdog/exar_wdt.c +index 7c61ff3432711..c2e3bb08df899 100644 +--- a/drivers/watchdog/exar_wdt.c ++++ b/drivers/watchdog/exar_wdt.c +@@ -221,7 +221,7 @@ static const struct watchdog_info exar_wdt_info = { + .options = WDIOF_KEEPALIVEPING | + WDIOF_SETTIMEOUT | + WDIOF_MAGICCLOSE, +- .identity = "Exar/MaxLinear XR28V38x Watchdog", ++ .identity = "Exar XR28V38x Watchdog", + }; + + static const struct watchdog_ops exar_wdt_ops = { +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch b/queue-6.12/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch new file mode 100644 index 0000000000..e674ce1e16 --- /dev/null +++ b/queue-6.12/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch @@ -0,0 +1,83 @@ +From 6ed722b8b71011bab233de563994f97a5d9806a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Mar 2025 13:31:45 +0800 +Subject: wifi: ath11k: fix node corruption in ar->arvifs list + +From: Stone Zhang + +[ Upstream commit 31e98e277ae47f56632e4d663b1d4fd12ba33ea8 ] + +In current WLAN recovery code flow, ath11k_core_halt() only +reinitializes the "arvifs" list head. This will cause the +list node immediately following the list head to become an +invalid list node. Because the prev of that node still points +to the list head "arvifs", but the next of the list head "arvifs" +no longer points to that list node. + +When a WLAN recovery occurs during the execution of a vif +removal, and it happens before the spin_lock_bh(&ar->data_lock) +in ath11k_mac_op_remove_interface(), list_del() will detect the +previously mentioned situation, thereby triggering a kernel panic. + +The fix is to remove and reinitialize all vif list nodes from the +list head "arvifs" during WLAN halt. The reinitialization is to make +the list nodes valid, ensuring that the list_del() in +ath11k_mac_op_remove_interface() can execute normally. + +Call trace: +__list_del_entry_valid_or_report+0xb8/0xd0 +ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] +drv_remove_interface+0x48/0x194 [mac80211] +ieee80211_do_stop+0x6e0/0x844 [mac80211] +ieee80211_stop+0x44/0x17c [mac80211] +__dev_close_many+0xac/0x150 +__dev_change_flags+0x194/0x234 +dev_change_flags+0x24/0x6c +devinet_ioctl+0x3a0/0x670 +inet_ioctl+0x200/0x248 +sock_do_ioctl+0x60/0x118 +sock_ioctl+0x274/0x35c +__arm64_sys_ioctl+0xac/0xf0 +invoke_syscall+0x48/0x114 +... + +Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Stone Zhang +Link: https://patch.msgid.link/20250320053145.3445187-1-quic_stonez@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c +index 7eba6ee054ffe..674c4763333f3 100644 +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -1915,6 +1915,7 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) + void ath11k_core_halt(struct ath11k *ar) + { + struct ath11k_base *ab = ar->ab; ++ struct list_head *pos, *n; + + lockdep_assert_held(&ar->conf_mutex); + +@@ -1929,7 +1930,12 @@ void ath11k_core_halt(struct ath11k *ar) + + rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL); + synchronize_rcu(); +- INIT_LIST_HEAD(&ar->arvifs); ++ ++ spin_lock_bh(&ar->data_lock); ++ list_for_each_safe(pos, n, &ar->arvifs) ++ list_del_init(pos); ++ spin_unlock_bh(&ar->data_lock); ++ + idr_init(&ar->txmgmt_idr); + } + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-add-msdu-length-validation-for-tkip-mic-.patch b/queue-6.12/wifi-ath12k-add-msdu-length-validation-for-tkip-mic-.patch new file mode 100644 index 0000000000..864c1cbab9 --- /dev/null +++ b/queue-6.12/wifi-ath12k-add-msdu-length-validation-for-tkip-mic-.patch @@ -0,0 +1,55 @@ +From 6b4965b08ad4b51f62bb797a765a50a6d805743f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 07:49:03 +0530 +Subject: wifi: ath12k: Add MSDU length validation for TKIP MIC error + +From: P Praneesh + +[ Upstream commit 763216fe6c5df95d122c71ef34c342427c987820 ] + +In the WBM error path, while processing TKIP MIC errors, MSDU length +is fetched from the hal_rx_desc's msdu_end. This MSDU length is +directly passed to skb_put() without validation. In stress test +scenarios, the WBM error ring may receive invalid descriptors, which +could lead to an invalid MSDU length. + +To fix this, add a check to drop the skb when the calculated MSDU +length is greater than the skb size. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: P Praneesh +Signed-off-by: Nithyanantham Paramasivam +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250416021903.3178962-1-nithyanantham.paramasivam@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp_rx.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c +index 9c730b7009fe5..c2652bc8a02fd 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_rx.c +@@ -3686,6 +3686,15 @@ static bool ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu, + + l3pad_bytes = ath12k_dp_rx_h_l3pad(ab, desc); + msdu_len = ath12k_dp_rx_h_msdu_len(ab, desc); ++ ++ if ((hal_rx_desc_sz + l3pad_bytes + msdu_len) > DP_RX_BUFFER_SIZE) { ++ ath12k_dbg(ab, ATH12K_DBG_DATA, ++ "invalid msdu len in tkip mic err %u\n", msdu_len); ++ ath12k_dbg_dump(ab, ATH12K_DBG_DATA, NULL, "", desc, ++ sizeof(*desc)); ++ return true; ++ } ++ + skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len); + skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes); + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-buffer-overflow-in-debugfs.patch b/queue-6.12/wifi-ath12k-fix-buffer-overflow-in-debugfs.patch new file mode 100644 index 0000000000..cfed6df487 --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-buffer-overflow-in-debugfs.patch @@ -0,0 +1,39 @@ +From 6229e13a2bc98ae31ead3cbb6ee3245b4987bd69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 14:01:25 +0300 +Subject: wifi: ath12k: Fix buffer overflow in debugfs + +From: Dan Carpenter + +[ Upstream commit 8c7a5031a6b0d42e640fbd2d5d05f61f74e32dce ] + +If the user tries to write more than 32 bytes then it results in memory +corruption. Fortunately, this is debugfs so it's limited to root users. + +Fixes: 3f73c24f28b3 ("wifi: ath12k: Add support to enable debugfs_htt_stats") +Signed-off-by: Dan Carpenter +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/35daefbd-d493-41d9-b192-96177d521b40@stanley.mountain +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c +index f1b7e74aefe42..6f2e7ecc66af7 100644 +--- a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c ++++ b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c +@@ -1646,6 +1646,9 @@ static ssize_t ath12k_write_htt_stats_type(struct file *file, + const int size = 32; + int num_args; + ++ if (count > size) ++ return -EINVAL; ++ + char *buf __free(kfree) = kzalloc(size, GFP_KERNEL); + if (!buf) + return -ENOMEM; +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-cleanup-path-after-mhi-init.patch b/queue-6.12/wifi-ath12k-fix-cleanup-path-after-mhi-init.patch new file mode 100644 index 0000000000..584affafd0 --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-cleanup-path-after-mhi-init.patch @@ -0,0 +1,48 @@ +From eabbab56ed263265442df7608653a0959caaf87e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 15:34:29 +0530 +Subject: wifi: ath12k: fix cleanup path after mhi init + +From: Raj Kumar Bhagat + +[ Upstream commit 6177c97fb6f05bf0473a2806e3bece7e77693209 ] + +Currently, the 'err_pci_msi_free' label is misplaced, causing the cleanup +sequence to be incorrect. Fix this by moving the 'err_pci_msi_free' label +to the correct position after 'err_irq_affinity_cleanup'. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00209-QCAHKSWPL_SILICONZ-1 + +Fixes: a3012f206d07 ("wifi: ath12k: set IRQ affinity to CPU0 in case of one MSI vector") +Signed-off-by: Raj Kumar Bhagat +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250403-ath12k-cleanup-v1-1-ad8f67b0e9cf@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/pci.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/pci.c b/drivers/net/wireless/ath/ath12k/pci.c +index 45d537066345a..1068cc07bc9f6 100644 +--- a/drivers/net/wireless/ath/ath12k/pci.c ++++ b/drivers/net/wireless/ath/ath12k/pci.c +@@ -1514,12 +1514,12 @@ static int ath12k_pci_probe(struct pci_dev *pdev, + err_mhi_unregister: + ath12k_mhi_unregister(ab_pci); + +-err_pci_msi_free: +- ath12k_pci_msi_free(ab_pci); +- + err_irq_affinity_cleanup: + ath12k_pci_set_irq_affinity_hint(ab_pci, NULL); + ++err_pci_msi_free: ++ ath12k_pci_msi_free(ab_pci); ++ + err_pci_free_region: + ath12k_pci_free_region(ab_pci); + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-invalid-access-to-memory.patch b/queue-6.12/wifi-ath12k-fix-invalid-access-to-memory.patch new file mode 100644 index 0000000000..bb3f900a36 --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-invalid-access-to-memory.patch @@ -0,0 +1,64 @@ +From 5f1a0a1c3be61f2d8db91ab179eefc188cb87e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 10:23:27 +0530 +Subject: wifi: ath12k: fix invalid access to memory + +From: Sarika Sharma + +[ Upstream commit 9f17747fbda6fca934854463873c4abf8061491d ] + +In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean +is_continuation is part of rxcb. +Currently, after freeing the skb, the rxcb->is_continuation accessed +again which is wrong since the memory is already freed. +This might lead use-after-free error. + +Hence, fix by locally defining bool is_continuation from rxcb, +so that after freeing skb, is_continuation can be used. + +Compile tested only. + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: Sarika Sharma +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250408045327.1632222-1-quic_sarishar@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp_rx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c +index 5fcf3a465eda8..9c730b7009fe5 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_rx.c +@@ -1762,6 +1762,7 @@ static int ath12k_dp_rx_msdu_coalesce(struct ath12k *ar, + struct hal_rx_desc *ldesc; + int space_extra, rem_len, buf_len; + u32 hal_rx_desc_sz = ar->ab->hal.hal_desc_sz; ++ bool is_continuation; + + /* As the msdu is spread across multiple rx buffers, + * find the offset to the start of msdu for computing +@@ -1810,7 +1811,8 @@ static int ath12k_dp_rx_msdu_coalesce(struct ath12k *ar, + rem_len = msdu_len - buf_first_len; + while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) { + rxcb = ATH12K_SKB_RXCB(skb); +- if (rxcb->is_continuation) ++ is_continuation = rxcb->is_continuation; ++ if (is_continuation) + buf_len = DP_RX_BUFFER_SIZE - hal_rx_desc_sz; + else + buf_len = rem_len; +@@ -1828,7 +1830,7 @@ static int ath12k_dp_rx_msdu_coalesce(struct ath12k *ar, + dev_kfree_skb_any(skb); + + rem_len -= buf_len; +- if (!rxcb->is_continuation) ++ if (!is_continuation) + break; + } + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-invalid-memory-access-while-forming-.patch b/queue-6.12/wifi-ath12k-fix-invalid-memory-access-while-forming-.patch new file mode 100644 index 0000000000..5713687cc5 --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-invalid-memory-access-while-forming-.patch @@ -0,0 +1,185 @@ +From 02091a7dc91883b9e33e2018dabe45573ca04845 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 23:35:43 +0530 +Subject: wifi: ath12k: Fix invalid memory access while forming 802.11 header + +From: P Praneesh + +[ Upstream commit be908d2360341f8bbc982fff5a5e4f8030c17f74 ] + +While forming the 802.11 header from the rx descriptor, skb_push() is +performed for the 802.11 header length and then calls +ath12k_dp_rx_desc_get_dot11_hdr(). Since skb_push() moves the skb->data +pointer backwards by the 802.11 header length, the rx descriptor points to +a different memory area than intended, causing invalid information to be +fetched from the rx descriptor. + +Also, when IV and ICV are not stripped from the given MSDU, mac80211 +performs PN validation for these MSDUs, which requires the crypto header. +Before forming the crypto header from the given rx descriptor, skb_push() +is performed for the crypto header length, which overwrites the memory +pointed to by the rx descriptor, causing invalid information to form the +802.11 header. + +Fix these issues by moving all rx descriptor accesses before the skb_push() +operation which ensures the proper 802.11 headers are generated from the +given rx descriptor and removing ath12k_dp_rxdesc_get_mpdu_frame_ctrl() +for filling frame control, as this information is already fetched by +ath12k_dp_rx_desc_get_dot11_hdr(). + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Co-developed-by: Karthikeyan Periyasamy +Signed-off-by: Karthikeyan Periyasamy +Signed-off-by: P Praneesh +Link: https://patch.msgid.link/20250402180543.2670947-1-praneesh.p@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp_rx.c | 27 +++++++++---------------- + drivers/net/wireless/ath/ath12k/hal.c | 19 ----------------- + drivers/net/wireless/ath/ath12k/hal.h | 1 - + 3 files changed, 9 insertions(+), 38 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c +index 4cbba96121a11..5fcf3a465eda8 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_rx.c +@@ -228,12 +228,6 @@ static void ath12k_dp_rx_desc_get_crypto_header(struct ath12k_base *ab, + ab->hal_rx_ops->rx_desc_get_crypto_header(desc, crypto_hdr, enctype); + } + +-static u16 ath12k_dp_rxdesc_get_mpdu_frame_ctrl(struct ath12k_base *ab, +- struct hal_rx_desc *desc) +-{ +- return ab->hal_rx_ops->rx_desc_get_mpdu_frame_ctl(desc); +-} +- + static inline u8 ath12k_dp_rx_get_msdu_src_link(struct ath12k_base *ab, + struct hal_rx_desc *desc) + { +@@ -2067,10 +2061,13 @@ static void ath12k_get_dot11_hdr_from_rx_desc(struct ath12k *ar, + struct hal_rx_desc *rx_desc = rxcb->rx_desc; + struct ath12k_base *ab = ar->ab; + size_t hdr_len, crypto_len; +- struct ieee80211_hdr *hdr; ++ struct ieee80211_hdr hdr; + u16 qos_ctl; +- __le16 fc; +- u8 *crypto_hdr; ++ u8 *crypto_hdr, mesh_ctrl; ++ ++ ath12k_dp_rx_desc_get_dot11_hdr(ab, rx_desc, &hdr); ++ hdr_len = ieee80211_hdrlen(hdr.frame_control); ++ mesh_ctrl = ath12k_dp_rx_h_mesh_ctl_present(ab, rx_desc); + + if (!(status->flag & RX_FLAG_IV_STRIPPED)) { + crypto_len = ath12k_dp_rx_crypto_param_len(ar, enctype); +@@ -2078,22 +2075,16 @@ static void ath12k_get_dot11_hdr_from_rx_desc(struct ath12k *ar, + ath12k_dp_rx_desc_get_crypto_header(ab, rx_desc, crypto_hdr, enctype); + } + +- fc = cpu_to_le16(ath12k_dp_rxdesc_get_mpdu_frame_ctrl(ab, rx_desc)); +- hdr_len = ieee80211_hdrlen(fc); + skb_push(msdu, hdr_len); +- hdr = (struct ieee80211_hdr *)msdu->data; +- hdr->frame_control = fc; +- +- /* Get wifi header from rx_desc */ +- ath12k_dp_rx_desc_get_dot11_hdr(ab, rx_desc, hdr); ++ memcpy(msdu->data, &hdr, min(hdr_len, sizeof(hdr))); + + if (rxcb->is_mcbc) + status->flag &= ~RX_FLAG_PN_VALIDATED; + + /* Add QOS header */ +- if (ieee80211_is_data_qos(hdr->frame_control)) { ++ if (ieee80211_is_data_qos(hdr.frame_control)) { + qos_ctl = rxcb->tid; +- if (ath12k_dp_rx_h_mesh_ctl_present(ab, rx_desc)) ++ if (mesh_ctrl) + qos_ctl |= IEEE80211_QOS_CTL_MESH_CONTROL_PRESENT; + + /* TODO: Add other QoS ctl fields when required */ +diff --git a/drivers/net/wireless/ath/ath12k/hal.c b/drivers/net/wireless/ath/ath12k/hal.c +index ca04bfae8bdcc..2e3fce70386f8 100644 +--- a/drivers/net/wireless/ath/ath12k/hal.c ++++ b/drivers/net/wireless/ath/ath12k/hal.c +@@ -511,11 +511,6 @@ static void ath12k_hw_qcn9274_rx_desc_get_crypto_hdr(struct hal_rx_desc *desc, + crypto_hdr[7] = HAL_RX_MPDU_INFO_PN_GET_BYTE2(desc->u.qcn9274.mpdu_start.pn[1]); + } + +-static u16 ath12k_hw_qcn9274_rx_desc_get_mpdu_frame_ctl(struct hal_rx_desc *desc) +-{ +- return __le16_to_cpu(desc->u.qcn9274.mpdu_start.frame_ctrl); +-} +- + static int ath12k_hal_srng_create_config_qcn9274(struct ath12k_base *ab) + { + struct ath12k_hal *hal = &ab->hal; +@@ -736,7 +731,6 @@ const struct hal_rx_ops hal_rx_qcn9274_ops = { + .rx_desc_is_da_mcbc = ath12k_hw_qcn9274_rx_desc_is_da_mcbc, + .rx_desc_get_dot11_hdr = ath12k_hw_qcn9274_rx_desc_get_dot11_hdr, + .rx_desc_get_crypto_header = ath12k_hw_qcn9274_rx_desc_get_crypto_hdr, +- .rx_desc_get_mpdu_frame_ctl = ath12k_hw_qcn9274_rx_desc_get_mpdu_frame_ctl, + .dp_rx_h_msdu_done = ath12k_hw_qcn9274_dp_rx_h_msdu_done, + .dp_rx_h_l4_cksum_fail = ath12k_hw_qcn9274_dp_rx_h_l4_cksum_fail, + .dp_rx_h_ip_cksum_fail = ath12k_hw_qcn9274_dp_rx_h_ip_cksum_fail, +@@ -975,11 +969,6 @@ ath12k_hw_qcn9274_compact_rx_desc_get_crypto_hdr(struct hal_rx_desc *desc, + HAL_RX_MPDU_INFO_PN_GET_BYTE2(desc->u.qcn9274_compact.mpdu_start.pn[1]); + } + +-static u16 ath12k_hw_qcn9274_compact_rx_desc_get_mpdu_frame_ctl(struct hal_rx_desc *desc) +-{ +- return __le16_to_cpu(desc->u.qcn9274_compact.mpdu_start.frame_ctrl); +-} +- + static bool ath12k_hw_qcn9274_compact_dp_rx_h_msdu_done(struct hal_rx_desc *desc) + { + return !!le32_get_bits(desc->u.qcn9274_compact.msdu_end.info14, +@@ -1080,8 +1069,6 @@ const struct hal_rx_ops hal_rx_qcn9274_compact_ops = { + .rx_desc_is_da_mcbc = ath12k_hw_qcn9274_compact_rx_desc_is_da_mcbc, + .rx_desc_get_dot11_hdr = ath12k_hw_qcn9274_compact_rx_desc_get_dot11_hdr, + .rx_desc_get_crypto_header = ath12k_hw_qcn9274_compact_rx_desc_get_crypto_hdr, +- .rx_desc_get_mpdu_frame_ctl = +- ath12k_hw_qcn9274_compact_rx_desc_get_mpdu_frame_ctl, + .dp_rx_h_msdu_done = ath12k_hw_qcn9274_compact_dp_rx_h_msdu_done, + .dp_rx_h_l4_cksum_fail = ath12k_hw_qcn9274_compact_dp_rx_h_l4_cksum_fail, + .dp_rx_h_ip_cksum_fail = ath12k_hw_qcn9274_compact_dp_rx_h_ip_cksum_fail, +@@ -1330,11 +1317,6 @@ static void ath12k_hw_wcn7850_rx_desc_get_crypto_hdr(struct hal_rx_desc *desc, + crypto_hdr[7] = HAL_RX_MPDU_INFO_PN_GET_BYTE2(desc->u.wcn7850.mpdu_start.pn[1]); + } + +-static u16 ath12k_hw_wcn7850_rx_desc_get_mpdu_frame_ctl(struct hal_rx_desc *desc) +-{ +- return __le16_to_cpu(desc->u.wcn7850.mpdu_start.frame_ctrl); +-} +- + static int ath12k_hal_srng_create_config_wcn7850(struct ath12k_base *ab) + { + struct ath12k_hal *hal = &ab->hal; +@@ -1555,7 +1537,6 @@ const struct hal_rx_ops hal_rx_wcn7850_ops = { + .rx_desc_is_da_mcbc = ath12k_hw_wcn7850_rx_desc_is_da_mcbc, + .rx_desc_get_dot11_hdr = ath12k_hw_wcn7850_rx_desc_get_dot11_hdr, + .rx_desc_get_crypto_header = ath12k_hw_wcn7850_rx_desc_get_crypto_hdr, +- .rx_desc_get_mpdu_frame_ctl = ath12k_hw_wcn7850_rx_desc_get_mpdu_frame_ctl, + .dp_rx_h_msdu_done = ath12k_hw_wcn7850_dp_rx_h_msdu_done, + .dp_rx_h_l4_cksum_fail = ath12k_hw_wcn7850_dp_rx_h_l4_cksum_fail, + .dp_rx_h_ip_cksum_fail = ath12k_hw_wcn7850_dp_rx_h_ip_cksum_fail, +diff --git a/drivers/net/wireless/ath/ath12k/hal.h b/drivers/net/wireless/ath/ath12k/hal.h +index 8a78bb9a10bc1..1fdd573532b93 100644 +--- a/drivers/net/wireless/ath/ath12k/hal.h ++++ b/drivers/net/wireless/ath/ath12k/hal.h +@@ -1068,7 +1068,6 @@ struct hal_rx_ops { + bool (*rx_desc_is_da_mcbc)(struct hal_rx_desc *desc); + void (*rx_desc_get_dot11_hdr)(struct hal_rx_desc *desc, + struct ieee80211_hdr *hdr); +- u16 (*rx_desc_get_mpdu_frame_ctl)(struct hal_rx_desc *desc); + void (*rx_desc_get_crypto_header)(struct hal_rx_desc *desc, + u8 *crypto_hdr, + enum hal_encrypt_type enctype); +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-memory-leak-during-vdev_id-mismatch.patch b/queue-6.12/wifi-ath12k-fix-memory-leak-during-vdev_id-mismatch.patch new file mode 100644 index 0000000000..9f6c9e3052 --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-memory-leak-during-vdev_id-mismatch.patch @@ -0,0 +1,68 @@ +From 817b0f1a530fd7eed11b358b3ee85ad28389a95a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 23:10:32 +0530 +Subject: wifi: ath12k: Fix memory leak during vdev_id mismatch + +From: P Praneesh + +[ Upstream commit 75ec94db880b1e4b4f9182885d60db0db6e2ee56 ] + +Currently driver enables vdev_id check as part of the bank configuration +in ath12k_dp_tx_get_vdev_bank_config(). This check ensures that the vdev_id +configured in the bank register aligns with the vdev_id in the packet's +address search table within the firmware. If there is a mismatch, the +firmware forwards the packet with the HTT status +HAL_WBM_REL_HTT_TX_COMP_STATUS_VDEVID_MISMATCH. Since driver does not +handle this vdev_id mismatch HTT status, the corresponding buffers are not +freed properly, causing a memory leak. Fix this issue by adding handling to +free the buffers when a vdev_id mismatch HTT status is encountered. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ- + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: P Praneesh +Link: https://patch.msgid.link/20250402174032.2651221-1-praneesh.p@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp_tx.c | 1 + + drivers/net/wireless/ath/ath12k/hal_desc.h | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_tx.c b/drivers/net/wireless/ath/ath12k/dp_tx.c +index 201ffdb8c44ae..734e3da4cbf19 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_tx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_tx.c +@@ -566,6 +566,7 @@ ath12k_dp_tx_process_htt_tx_complete(struct ath12k_base *ab, + case HAL_WBM_REL_HTT_TX_COMP_STATUS_TTL: + case HAL_WBM_REL_HTT_TX_COMP_STATUS_REINJ: + case HAL_WBM_REL_HTT_TX_COMP_STATUS_INSPECT: ++ case HAL_WBM_REL_HTT_TX_COMP_STATUS_VDEVID_MISMATCH: + ath12k_dp_tx_free_txbuf(ab, msdu, mac_id, tx_ring); + break; + case HAL_WBM_REL_HTT_TX_COMP_STATUS_MEC_NOTIFY: +diff --git a/drivers/net/wireless/ath/ath12k/hal_desc.h b/drivers/net/wireless/ath/ath12k/hal_desc.h +index 4f745cfd7d8e7..c68998e9667c9 100644 +--- a/drivers/net/wireless/ath/ath12k/hal_desc.h ++++ b/drivers/net/wireless/ath/ath12k/hal_desc.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-3-Clause-Clear */ + /* + * Copyright (c) 2018-2021 The Linux Foundation. All rights reserved. +- * Copyright (c) 2021-2022, 2024 Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) 2021-2022, 2024-2025 Qualcomm Innovation Center, Inc. All rights reserved. + */ + #include "core.h" + +@@ -1296,6 +1296,7 @@ enum hal_wbm_htt_tx_comp_status { + HAL_WBM_REL_HTT_TX_COMP_STATUS_REINJ, + HAL_WBM_REL_HTT_TX_COMP_STATUS_INSPECT, + HAL_WBM_REL_HTT_TX_COMP_STATUS_MEC_NOTIFY, ++ HAL_WBM_REL_HTT_TX_COMP_STATUS_VDEVID_MISMATCH, + HAL_WBM_REL_HTT_TX_COMP_STATUS_MAX, + }; + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-memory-leak-in-ath12k_service_ready_.patch b/queue-6.12/wifi-ath12k-fix-memory-leak-in-ath12k_service_ready_.patch new file mode 100644 index 0000000000..c272f55a7e --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-memory-leak-in-ath12k_service_ready_.patch @@ -0,0 +1,65 @@ +From 8b4f20f8e95fb3b2133654e7acb5f81fddad8954 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 10:25:38 +0530 +Subject: wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event + +From: Rajat Soni + +[ Upstream commit 89142d34d5602c7447827beb181fa06eb08b9d5c ] + +Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps +is not freed in the failure case, causing a memory leak. The following +trace is observed in kmemleak: + +unreferenced object 0xffff8b3eb5789c00 (size 1024): + comm "softirq", pid 0, jiffies 4294942577 + hex dump (first 32 bytes): + 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{... + 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8.. + backtrace (crc 44e1c357): + __kmalloc_noprof+0x30b/0x410 + ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k] + ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] + ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k] + ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] + ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k] + ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k] + ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k] + ath12k_ce_recv_process_cb+0x218/0x300 [ath12k] + ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k] + process_one_work+0x219/0x680 + bh_worker+0x198/0x1f0 + tasklet_action+0x13/0x30 + handle_softirqs+0xca/0x460 + __irq_exit_rcu+0xbe/0x110 + irq_exit_rcu+0x9/0x30 + +Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: Rajat Soni +Signed-off-by: Raj Kumar Bhagat +Link: https://patch.msgid.link/20250430-wmi-mem-leak-v1-1-fcc9b49c2ddc@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index b2e586811858e..17ac54047f9a7 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -4372,6 +4372,7 @@ static int ath12k_service_ready_ext_event(struct ath12k_base *ab, + return 0; + + err: ++ kfree(svc_rdy_ext.mac_phy_caps); + ath12k_wmi_free_dbring_caps(ab); + return ret; + } +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch b/queue-6.12/wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch new file mode 100644 index 0000000000..3fe5934303 --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch @@ -0,0 +1,79 @@ +From 1ff20d0eda462f25fad0cfc4556ce61ae5127cec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 07:47:24 +0530 +Subject: wifi: ath12k: fix node corruption in ar->arvifs list + +From: Maharaja Kennadyrajan + +[ Upstream commit 823435bd23108d6f8be89ea2d025c0e2e3769c51 ] + +In current WLAN recovery code flow, ath12k_core_halt() only reinitializes +the "arvifs" list head. This will cause the list node immediately following +the list head to become an invalid list node. Because the prev of that node +still points to the list head "arvifs", but the next of the list head +"arvifs" no longer points to that list node. + +When a WLAN recovery occurs during the execution of a vif removal, and it +happens before the spin_lock_bh(&ar->data_lock) in +ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned +situation, thereby triggering a kernel panic. + +The fix is to remove and reinitialize all vif list nodes from the list head +"arvifs" during WLAN halt. The reinitialization is to make the list nodes +valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute +normally. + +Call trace: +__list_del_entry_valid_or_report+0xd4/0x100 (P) +ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] +ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] +cfg80211_wiphy_work+0xfc/0x100 +process_one_work+0x164/0x2d0 +worker_thread+0x254/0x380 +kthread+0xfc/0x100 +ret_from_fork+0x10/0x20 + +The change is mostly copied from the ath11k patch: +https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/ + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: Maharaja Kennadyrajan +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250416021724.2162519-1-maharaja.kennadyrajan@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c +index 8bb8ee98188bf..c3c76e2680629 100644 +--- a/drivers/net/wireless/ath/ath12k/core.c ++++ b/drivers/net/wireless/ath/ath12k/core.c +@@ -1004,6 +1004,7 @@ static void ath12k_rfkill_work(struct work_struct *work) + + void ath12k_core_halt(struct ath12k *ar) + { ++ struct list_head *pos, *n; + struct ath12k_base *ab = ar->ab; + + lockdep_assert_held(&ar->conf_mutex); +@@ -1019,7 +1020,12 @@ void ath12k_core_halt(struct ath12k *ar) + + rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL); + synchronize_rcu(); +- INIT_LIST_HEAD(&ar->arvifs); ++ ++ spin_lock_bh(&ar->data_lock); ++ list_for_each_safe(pos, n, &ar->arvifs) ++ list_del_init(pos); ++ spin_unlock_bh(&ar->data_lock); ++ + idr_init(&ar->txmgmt_idr); + } + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-the-qos-control-field-offset-to-buil.patch b/queue-6.12/wifi-ath12k-fix-the-qos-control-field-offset-to-buil.patch new file mode 100644 index 0000000000..85ccde96fc --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-the-qos-control-field-offset-to-buil.patch @@ -0,0 +1,68 @@ +From b597c68c43ff318f954926c82eddb890559b445a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 00:11:02 +0530 +Subject: wifi: ath12k: Fix the QoS control field offset to build QoS header + +From: Ramasamy Kaliappan + +[ Upstream commit 8599d4cc4191c8c1af34207a8b9414acca4afb59 ] + +Currently, in the mac80211 layer, received EAPOL packets are dropped +when the HT control field is present in the QoS header. This issue +arises due to an incorrect QoS control field offset used to build +the QoS header in the MSDU data, leading to a corrupted header in the +mac80211 layer. This issue also applies to other frames that contain +the QoS control field, such as QoS data or Null frames. To resolve +this, use ieee80211_get_qos_ctl() to obtain the correct QoS control +offset from the MSDU data. Additionally, ensure the QoS control header +is copied in little-endian format within the MSDU data. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: Ramasamy Kaliappan +Signed-off-by: Nithyanantham Paramasivam +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250415184102.2707300-1-nithyanantham.paramasivam@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp_rx.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c +index c2652bc8a02fd..1623298ba2c47 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath12k/dp_rx.c +@@ -2064,7 +2064,7 @@ static void ath12k_get_dot11_hdr_from_rx_desc(struct ath12k *ar, + struct ath12k_base *ab = ar->ab; + size_t hdr_len, crypto_len; + struct ieee80211_hdr hdr; +- u16 qos_ctl; ++ __le16 qos_ctl; + u8 *crypto_hdr, mesh_ctrl; + + ath12k_dp_rx_desc_get_dot11_hdr(ab, rx_desc, &hdr); +@@ -2085,13 +2085,13 @@ static void ath12k_get_dot11_hdr_from_rx_desc(struct ath12k *ar, + + /* Add QOS header */ + if (ieee80211_is_data_qos(hdr.frame_control)) { +- qos_ctl = rxcb->tid; ++ struct ieee80211_hdr *qos_ptr = (struct ieee80211_hdr *)msdu->data; ++ ++ qos_ctl = cpu_to_le16(rxcb->tid & IEEE80211_QOS_CTL_TID_MASK); + if (mesh_ctrl) +- qos_ctl |= IEEE80211_QOS_CTL_MESH_CONTROL_PRESENT; ++ qos_ctl |= cpu_to_le16(IEEE80211_QOS_CTL_MESH_CONTROL_PRESENT); + +- /* TODO: Add other QoS ctl fields when required */ +- memcpy(msdu->data + (hdr_len - IEEE80211_QOS_CTL_LEN), +- &qos_ctl, IEEE80211_QOS_CTL_LEN); ++ memcpy(ieee80211_get_qos_ctl(qos_ptr), &qos_ctl, IEEE80211_QOS_CTL_LEN); + } + } + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-wmi-tag-for-eht-rate-in-peer-assoc.patch b/queue-6.12/wifi-ath12k-fix-wmi-tag-for-eht-rate-in-peer-assoc.patch new file mode 100644 index 0000000000..718742b68d --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-wmi-tag-for-eht-rate-in-peer-assoc.patch @@ -0,0 +1,42 @@ +From 27407b6fa10cc94794f0df3393fa61270c318a91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 20:53:41 +0530 +Subject: wifi: ath12k: Fix WMI tag for EHT rate in peer assoc + +From: Ramya Gnanasekar + +[ Upstream commit 1a0e65750b55d2cf5de4a9bf7d6d55718784bdb7 ] + +Incorrect WMI tag is used for EHT rate update from host to firmware +while encoding peer assoc WMI. + +Correct the WMI tag used for EHT rate update from WMI_TAG_HE_RATE_SET +to the proper tag. This ensures firmware does not mistakenly update HE rate during parsing. + +Found during code review. Compile tested only. + +Fixes: 5b70ec6036c1 ("wifi: ath12k: add WMI support for EHT peer") +Signed-off-by: Ramya Gnanasekar +Link: https://patch.msgid.link/20250409152341.944628-1-ramya.gnanasekar@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index 30836a09d5506..b2e586811858e 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -2157,7 +2157,7 @@ int ath12k_wmi_send_peer_assoc_cmd(struct ath12k *ar, + + for (i = 0; i < arg->peer_eht_mcs_count; i++) { + eht_mcs = ptr; +- eht_mcs->tlv_header = ath12k_wmi_tlv_cmd_hdr(WMI_TAG_HE_RATE_SET, ++ eht_mcs->tlv_header = ath12k_wmi_tlv_cmd_hdr(WMI_TAG_EHT_RATE_SET, + sizeof(*eht_mcs)); + + eht_mcs->rx_mcs_set = cpu_to_le32(arg->peer_eht_rx_mcs_set[i]); +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch b/queue-6.12/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch new file mode 100644 index 0000000000..24cf741b97 --- /dev/null +++ b/queue-6.12/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch @@ -0,0 +1,48 @@ +From 563e2fcbebc8796120504def36d7eb240b7be1e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 13:22:16 +0200 +Subject: wifi: ath9k_htc: Abort software beacon handling if disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit ac4e317a95a1092b5da5b9918b7118759342641c ] + +A malicious USB device can send a WMI_SWBA_EVENTID event from an +ath9k_htc-managed device before beaconing has been enabled. This causes +a device-by-zero error in the driver, leading to either a crash or an +out of bounds read. + +Prevent this by aborting the handling in ath9k_htc_swba() if beacons are +not enabled. + +Reported-by: Robert Morris +Closes: https://lore.kernel.org/r/88967.1743099372@localhost +Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots") +Signed-off-by: Toke Høiland-Jørgensen +Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +index 547634f82183d..81fa7cbad8921 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv, + struct ath_common *common = ath9k_hw_common(priv->ah); + int slot; + ++ if (!priv->cur_beacon_conf.enable_beacon) ++ return; ++ + if (swba->beacon_pending != 0) { + priv->beacon.bmisscnt++; + if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) { +-- +2.39.5 + diff --git a/queue-6.12/wifi-cfg80211-mac80211-correctly-parse-s1g-beacon-op.patch b/queue-6.12/wifi-cfg80211-mac80211-correctly-parse-s1g-beacon-op.patch new file mode 100644 index 0000000000..3dadad003d --- /dev/null +++ b/queue-6.12/wifi-cfg80211-mac80211-correctly-parse-s1g-beacon-op.patch @@ -0,0 +1,245 @@ +From 32debeda413f3940edb821bc48bf2fa01af34c74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 15:35:38 +1000 +Subject: wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements + +From: Lachlan Hodges + +[ Upstream commit 1e1f706fc2ce90eaaf3480b3d5f27885960d751c ] + +S1G beacons are not traditional beacons but a type of extension frame. +Extension frames contain the frame control and duration fields, followed +by zero or more optional fields before the frame body. These optional +fields are distinct from the variable length elements. + +The presence of optional fields is indicated in the frame control field. +To correctly locate the elements offset, the frame control must be parsed +to identify which optional fields are present. Currently, mac80211 parses +S1G beacons based on fixed assumptions about the frame layout, without +inspecting the frame control field. This can result in incorrect offsets +to the "variable" portion of the frame. + +Properly parse S1G beacon frames by using the field lengths defined in +IEEE 802.11-2024, section 9.3.4.3, ensuring that the elements offset is +calculated accurately. + +Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results") +Fixes: cd418ba63f0c ("mac80211: convert S1G beacon to scan results") +Signed-off-by: Lachlan Hodges +Link: https://patch.msgid.link/20250603053538.468562-1-lachlan.hodges@morsemicro.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/linux/ieee80211.h | 79 ++++++++++++++++++++++++++++++++++----- + net/mac80211/mlme.c | 7 +--- + net/mac80211/scan.c | 11 +++--- + net/wireless/scan.c | 18 ++++----- + 4 files changed, 83 insertions(+), 32 deletions(-) + +diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h +index 777f6aa8efa7b..d07c1f0ad3de3 100644 +--- a/include/linux/ieee80211.h ++++ b/include/linux/ieee80211.h +@@ -111,6 +111,8 @@ + + /* bits unique to S1G beacon */ + #define IEEE80211_S1G_BCN_NEXT_TBTT 0x100 ++#define IEEE80211_S1G_BCN_CSSID 0x200 ++#define IEEE80211_S1G_BCN_ANO 0x400 + + /* see 802.11ah-2016 9.9 NDP CMAC frames */ + #define IEEE80211_S1G_1MHZ_NDP_BITS 25 +@@ -153,9 +155,6 @@ + + #define IEEE80211_ANO_NETTYPE_WILD 15 + +-/* bits unique to S1G beacon */ +-#define IEEE80211_S1G_BCN_NEXT_TBTT 0x100 +- + /* control extension - for IEEE80211_FTYPE_CTL | IEEE80211_STYPE_CTL_EXT */ + #define IEEE80211_CTL_EXT_POLL 0x2000 + #define IEEE80211_CTL_EXT_SPR 0x3000 +@@ -627,6 +626,42 @@ static inline bool ieee80211_is_s1g_beacon(__le16 fc) + cpu_to_le16(IEEE80211_FTYPE_EXT | IEEE80211_STYPE_S1G_BEACON); + } + ++/** ++ * ieee80211_s1g_has_next_tbtt - check if IEEE80211_S1G_BCN_NEXT_TBTT ++ * @fc: frame control bytes in little-endian byteorder ++ * Return: whether or not the frame contains the variable-length ++ * next TBTT field ++ */ ++static inline bool ieee80211_s1g_has_next_tbtt(__le16 fc) ++{ ++ return ieee80211_is_s1g_beacon(fc) && ++ (fc & cpu_to_le16(IEEE80211_S1G_BCN_NEXT_TBTT)); ++} ++ ++/** ++ * ieee80211_s1g_has_ano - check if IEEE80211_S1G_BCN_ANO ++ * @fc: frame control bytes in little-endian byteorder ++ * Return: whether or not the frame contains the variable-length ++ * ANO field ++ */ ++static inline bool ieee80211_s1g_has_ano(__le16 fc) ++{ ++ return ieee80211_is_s1g_beacon(fc) && ++ (fc & cpu_to_le16(IEEE80211_S1G_BCN_ANO)); ++} ++ ++/** ++ * ieee80211_s1g_has_cssid - check if IEEE80211_S1G_BCN_CSSID ++ * @fc: frame control bytes in little-endian byteorder ++ * Return: whether or not the frame contains the variable-length ++ * compressed SSID field ++ */ ++static inline bool ieee80211_s1g_has_cssid(__le16 fc) ++{ ++ return ieee80211_is_s1g_beacon(fc) && ++ (fc & cpu_to_le16(IEEE80211_S1G_BCN_CSSID)); ++} ++ + /** + * ieee80211_is_s1g_short_beacon - check if frame is an S1G short beacon + * @fc: frame control bytes in little-endian byteorder +@@ -1245,16 +1280,40 @@ struct ieee80211_ext { + u8 change_seq; + u8 variable[0]; + } __packed s1g_beacon; +- struct { +- u8 sa[ETH_ALEN]; +- __le32 timestamp; +- u8 change_seq; +- u8 next_tbtt[3]; +- u8 variable[0]; +- } __packed s1g_short_beacon; + } u; + } __packed __aligned(2); + ++/** ++ * ieee80211_s1g_optional_len - determine length of optional S1G beacon fields ++ * @fc: frame control bytes in little-endian byteorder ++ * Return: total length in bytes of the optional fixed-length fields ++ * ++ * S1G beacons may contain up to three optional fixed-length fields that ++ * precede the variable-length elements. Whether these fields are present ++ * is indicated by flags in the frame control field. ++ * ++ * From IEEE 802.11-2024 section 9.3.4.3: ++ * - Next TBTT field may be 0 or 3 bytes ++ * - Short SSID field may be 0 or 4 bytes ++ * - Access Network Options (ANO) field may be 0 or 1 byte ++ */ ++static inline size_t ++ieee80211_s1g_optional_len(__le16 fc) ++{ ++ size_t len = 0; ++ ++ if (ieee80211_s1g_has_next_tbtt(fc)) ++ len += 3; ++ ++ if (ieee80211_s1g_has_cssid(fc)) ++ len += 4; ++ ++ if (ieee80211_s1g_has_ano(fc)) ++ len += 1; ++ ++ return len; ++} ++ + #define IEEE80211_TWT_CONTROL_NDP BIT(0) + #define IEEE80211_TWT_CONTROL_RESP_MODE BIT(1) + #define IEEE80211_TWT_CONTROL_NEG_TYPE_BROADCAST BIT(3) +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 8fa9b9dd46118..16bb3db67eaac 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -6728,11 +6728,8 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link, + bssid = ieee80211_get_bssid(hdr, len, sdata->vif.type); + if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { + struct ieee80211_ext *ext = (void *) mgmt; +- +- if (ieee80211_is_s1g_short_beacon(ext->frame_control)) +- variable = ext->u.s1g_short_beacon.variable; +- else +- variable = ext->u.s1g_beacon.variable; ++ variable = ext->u.s1g_beacon.variable + ++ ieee80211_s1g_optional_len(ext->frame_control); + } + + baselen = (u8 *) variable - (u8 *) mgmt; +diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c +index adb88c06b5982..ce6d5857214eb 100644 +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -260,6 +260,7 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb) + struct ieee80211_mgmt *mgmt = (void *)skb->data; + struct ieee80211_bss *bss; + struct ieee80211_channel *channel; ++ struct ieee80211_ext *ext; + size_t min_hdr_len = offsetof(struct ieee80211_mgmt, + u.probe_resp.variable); + +@@ -269,12 +270,10 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb) + return; + + if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { +- if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) +- min_hdr_len = offsetof(struct ieee80211_ext, +- u.s1g_short_beacon.variable); +- else +- min_hdr_len = offsetof(struct ieee80211_ext, +- u.s1g_beacon); ++ ext = (struct ieee80211_ext *)mgmt; ++ min_hdr_len = ++ offsetof(struct ieee80211_ext, u.s1g_beacon.variable) + ++ ieee80211_s1g_optional_len(ext->frame_control); + } + + if (skb->len < min_hdr_len) +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index f0dd1f448d4d4..d80ab1725f28d 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -3213,6 +3213,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy, + const u8 *ie; + size_t ielen; + u64 tsf; ++ size_t s1g_optional_len; + + if (WARN_ON(!mgmt)) + return NULL; +@@ -3227,12 +3228,11 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy, + + if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { + ext = (void *) mgmt; +- if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) +- min_hdr_len = offsetof(struct ieee80211_ext, +- u.s1g_short_beacon.variable); +- else +- min_hdr_len = offsetof(struct ieee80211_ext, +- u.s1g_beacon.variable); ++ s1g_optional_len = ++ ieee80211_s1g_optional_len(ext->frame_control); ++ min_hdr_len = ++ offsetof(struct ieee80211_ext, u.s1g_beacon.variable) + ++ s1g_optional_len; + } else { + /* same for beacons */ + min_hdr_len = offsetof(struct ieee80211_mgmt, +@@ -3248,11 +3248,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy, + const struct ieee80211_s1g_bcn_compat_ie *compat; + const struct element *elem; + +- if (ieee80211_is_s1g_short_beacon(mgmt->frame_control)) +- ie = ext->u.s1g_short_beacon.variable; +- else +- ie = ext->u.s1g_beacon.variable; +- ++ ie = ext->u.s1g_beacon.variable + s1g_optional_len; + elem = cfg80211_find_elem(WLAN_EID_S1G_BCN_COMPAT, ie, ielen); + if (!elem) + return NULL; +-- +2.39.5 + diff --git a/queue-6.12/wifi-iwlfiwi-mvm-fix-the-rate-reporting.patch b/queue-6.12/wifi-iwlfiwi-mvm-fix-the-rate-reporting.patch new file mode 100644 index 0000000000..44e68b7511 --- /dev/null +++ b/queue-6.12/wifi-iwlfiwi-mvm-fix-the-rate-reporting.patch @@ -0,0 +1,49 @@ +From dc98a86233e380b375cef72914fda9fa11c4bcf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 May 2025 22:44:32 +0300 +Subject: wifi: iwlfiwi: mvm: Fix the rate reporting + +From: Ilan Peer + +[ Upstream commit 8f7561209eda7d6998708f06376e8dd2dc52f3b8 ] + +The rate validation in mac80211 considers a rate to be valid iff both +the rate index and the count are positive. When the rate scaling is +managed in the driver and not enough traffic passed to set the actual +rate, the driver set the rate to be the optimal rate. However, the rate +count is not set and thus the rate is considered not valid. Fix it by +setting the count to 1. + +Fixes: 3e99b4d28219 ("wifi: mac80211: Sanity check tx bitrate if not provided by driver") +Signed-off-by: Ilan Peer +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250503224232.0d1d1e022d63.I76833c14ba1d66f9bea5c32b25a54d8b36f229ba@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +index a8c4e354e2ce7..5f8f245804443 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +@@ -2,6 +2,7 @@ + /****************************************************************************** + * + * Copyright(c) 2005 - 2014, 2018 - 2023 Intel Corporation. All rights reserved. ++ * Copyright(c) 2025 Intel Corporation + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH + *****************************************************************************/ +@@ -2709,6 +2710,7 @@ static void rs_drv_get_rate(void *mvm_r, struct ieee80211_sta *sta, + optimal_rate); + iwl_mvm_hwrate_to_tx_rate_v1(last_ucode_rate, info->band, + &txrc->reported_rate); ++ txrc->reported_rate.count = 1; + } + spin_unlock_bh(&lq_sta->pers.lock); + } +-- +2.39.5 + diff --git a/queue-6.12/wifi-mt76-mt7915-fix-null-ptr-deref-in-mt7915_mmio_w.patch b/queue-6.12/wifi-mt76-mt7915-fix-null-ptr-deref-in-mt7915_mmio_w.patch new file mode 100644 index 0000000000..719dff368c --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7915-fix-null-ptr-deref-in-mt7915_mmio_w.patch @@ -0,0 +1,51 @@ +From 56d5cf6294b6e0a7b520877a456522bc78ea9081 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 14:19:00 +0800 +Subject: wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() + +From: Henry Martin + +[ Upstream commit efb95439c1477bbc955cacd0179c35e7861b437c ] + +devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() +does not check for this case, which results in a NULL pointer +dereference. + +Prevent null pointer dereference in mt7915_mmio_wed_init(). + +Fixes: 4f831d18d12d ("wifi: mt76: mt7915: enable WED RX support") +Signed-off-by: Henry Martin +Link: https://patch.msgid.link/20250407061900.85317-1-bsdhenrymartin@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mmio.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c b/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c +index 2e7604eed27b0..a6245c3ccef48 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c +@@ -649,6 +649,9 @@ int mt7915_mmio_wed_init(struct mt7915_dev *dev, void *pdev_ptr, + wed->wlan.base = devm_ioremap(dev->mt76.dev, + pci_resource_start(pci_dev, 0), + pci_resource_len(pci_dev, 0)); ++ if (!wed->wlan.base) ++ return -ENOMEM; ++ + wed->wlan.phy_base = pci_resource_start(pci_dev, 0); + wed->wlan.wpdma_int = pci_resource_start(pci_dev, 0) + + MT_INT_WED_SOURCE_CSR; +@@ -676,6 +679,9 @@ int mt7915_mmio_wed_init(struct mt7915_dev *dev, void *pdev_ptr, + wed->wlan.bus_type = MTK_WED_BUS_AXI; + wed->wlan.base = devm_ioremap(dev->mt76.dev, res->start, + resource_size(res)); ++ if (!wed->wlan.base) ++ return -ENOMEM; ++ + wed->wlan.phy_base = res->start; + wed->wlan.wpdma_int = res->start + MT_INT_SOURCE_CSR; + wed->wlan.wpdma_mask = res->start + MT_INT_MASK_CSR; +-- +2.39.5 + diff --git a/queue-6.12/wifi-mt76-mt7925-ensure-all-mcu-commands-wait-for-re.patch b/queue-6.12/wifi-mt76-mt7925-ensure-all-mcu-commands-wait-for-re.patch new file mode 100644 index 0000000000..bbe9af583e --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7925-ensure-all-mcu-commands-wait-for-re.patch @@ -0,0 +1,103 @@ +From 6583ce5e27a8cc98f12849d4071ad82891f66455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 09:39:54 +0800 +Subject: wifi: mt76: mt7925: ensure all MCU commands wait for response + +From: Michael Lo + +[ Upstream commit aa97ff5782cf01cf2163593e1f57bbde63a06047 ] + +Modify MCU command sending functions to wait for a response, +ensuring consistent behavior across all commands and improves +reliability by confirming that each command is processed +successfully. + +Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") +Signed-off-by: Michael Lo +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20250414013954.1151774-3-mingyen.hsieh@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +index 9a9900eba5020..a19c108ad4b5c 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +@@ -769,7 +769,7 @@ int mt7925_mcu_fw_log_2_host(struct mt792x_dev *dev, u8 ctrl) + int ret; + + ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_UNI_CMD(WSYS_CONFIG), +- &req, sizeof(req), false, NULL); ++ &req, sizeof(req), true, NULL); + return ret; + } + +@@ -1411,7 +1411,7 @@ int mt7925_mcu_set_eeprom(struct mt792x_dev *dev) + }; + + return mt76_mcu_send_and_get_msg(&dev->mt76, MCU_UNI_CMD(EFUSE_CTRL), +- &req, sizeof(req), false, NULL); ++ &req, sizeof(req), true, NULL); + } + EXPORT_SYMBOL_GPL(mt7925_mcu_set_eeprom); + +@@ -2741,7 +2741,7 @@ int mt7925_mcu_set_dbdc(struct mt76_phy *phy, bool enable) + conf->band = 0; /* unused */ + + err = mt76_mcu_skb_send_msg(mdev, skb, MCU_UNI_CMD(SET_DBDC_PARMS), +- false); ++ true); + + return err; + } +@@ -2859,7 +2859,7 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, + } + + err = mt76_mcu_skb_send_msg(mdev, skb, MCU_UNI_CMD(SCAN_REQ), +- false); ++ true); + if (err < 0) + clear_bit(MT76_HW_SCANNING, &phy->state); + +@@ -2965,7 +2965,7 @@ int mt7925_mcu_sched_scan_req(struct mt76_phy *phy, + } + + return mt76_mcu_skb_send_msg(mdev, skb, MCU_UNI_CMD(SCAN_REQ), +- false); ++ true); + } + EXPORT_SYMBOL_GPL(mt7925_mcu_sched_scan_req); + +@@ -3001,7 +3001,7 @@ mt7925_mcu_sched_scan_enable(struct mt76_phy *phy, + clear_bit(MT76_HW_SCHED_SCANNING, &phy->state); + + return mt76_mcu_skb_send_msg(mdev, skb, MCU_UNI_CMD(SCAN_REQ), +- false); ++ true); + } + + int mt7925_mcu_cancel_hw_scan(struct mt76_phy *phy, +@@ -3040,7 +3040,7 @@ int mt7925_mcu_cancel_hw_scan(struct mt76_phy *phy, + } + + return mt76_mcu_send_msg(phy->dev, MCU_UNI_CMD(SCAN_REQ), +- &req, sizeof(req), false); ++ &req, sizeof(req), true); + } + EXPORT_SYMBOL_GPL(mt7925_mcu_cancel_hw_scan); + +@@ -3145,7 +3145,7 @@ int mt7925_mcu_set_channel_domain(struct mt76_phy *phy) + memcpy(__skb_push(skb, sizeof(req)), &req, sizeof(req)); + + return mt76_mcu_skb_send_msg(dev, skb, MCU_UNI_CMD(SET_DOMAIN_INFO), +- false); ++ true); + } + EXPORT_SYMBOL_GPL(mt7925_mcu_set_channel_domain); + +-- +2.39.5 + diff --git a/queue-6.12/wifi-mt76-mt7925-prevent-multiple-scan-commands.patch b/queue-6.12/wifi-mt76-mt7925-prevent-multiple-scan-commands.patch new file mode 100644 index 0000000000..3d473b5d91 --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7925-prevent-multiple-scan-commands.patch @@ -0,0 +1,38 @@ +From e50930d9bc3aa6a762a49fdcbc20e570e52b5949 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 09:39:52 +0800 +Subject: wifi: mt76: mt7925: prevent multiple scan commands + +From: Ming Yen Hsieh + +[ Upstream commit 122f270aca2c86d7de264ab67161c845e0691d73 ] + +Add a check to ensure only one scan command is active at a time +by testing the MT76_HW_SCANNING state. + +Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20250414013954.1151774-1-mingyen.hsieh@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +index 2396e1795fe17..7ad9e1eaaa8f3 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +@@ -2771,6 +2771,9 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, + struct tlv *tlv; + int max_len; + ++ if (test_bit(MT76_HW_SCANNING, &phy->state)) ++ return -EBUSY; ++ + max_len = sizeof(*hdr) + sizeof(*req) + sizeof(*ssid) + + sizeof(*bssid) + sizeof(*chan_info) + + sizeof(*misc) + sizeof(*ie); +-- +2.39.5 + diff --git a/queue-6.12/wifi-mt76-mt7925-refine-the-sniffer-commnad.patch b/queue-6.12/wifi-mt76-mt7925-refine-the-sniffer-commnad.patch new file mode 100644 index 0000000000..233a65c96b --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7925-refine-the-sniffer-commnad.patch @@ -0,0 +1,37 @@ +From 97e25abc39178a9525fd2b841e333365f2ea75ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 09:39:53 +0800 +Subject: wifi: mt76: mt7925: refine the sniffer commnad + +From: Ming Yen Hsieh + +[ Upstream commit bd02eebfc0b3502fe8322cf229b4c801416d1007 ] + +Remove a duplicate call to `mt76_mcu_send_msg` to fix redundant operations +in the sniffer command handling. + +Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20250414013954.1151774-2-mingyen.hsieh@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +index 7ad9e1eaaa8f3..9a9900eba5020 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +@@ -2087,8 +2087,6 @@ int mt7925_mcu_set_sniffer(struct mt792x_dev *dev, struct ieee80211_vif *vif, + }, + }; + +- mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(SNIFFER), &req, sizeof(req), true); +- + return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(SNIFFER), &req, sizeof(req), + true); + } +-- +2.39.5 + diff --git a/queue-6.12/wifi-mt76-mt7996-fix-null-ptr-deref-in-mt7996_mmio_w.patch b/queue-6.12/wifi-mt76-mt7996-fix-null-ptr-deref-in-mt7996_mmio_w.patch new file mode 100644 index 0000000000..6c2f1d2bb0 --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7996-fix-null-ptr-deref-in-mt7996_mmio_w.patch @@ -0,0 +1,41 @@ +From 02c507ca625ef9c02570b047abd02f0b010b2f10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 11:23:49 +0800 +Subject: wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init() + +From: Henry Martin + +[ Upstream commit 8f30e2b059757d8711a823e4c9c023db62a1d171 ] + +devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init() +does not check for this case, which results in a NULL pointer +dereference. + +Prevent null pointer dereference in mt7996_mmio_wed_init() + +Fixes: 83eafc9251d6 ("wifi: mt76: mt7996: add wed tx support") +Signed-off-by: Henry Martin +Link: https://patch.msgid.link/20250407032349.83360-1-bsdhenrymartin@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mmio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mmio.c b/drivers/net/wireless/mediatek/mt76/mt7996/mmio.c +index b6209ed1cfe01..bffee73b780cb 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mmio.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mmio.c +@@ -323,6 +323,9 @@ int mt7996_mmio_wed_init(struct mt7996_dev *dev, void *pdev_ptr, + wed->wlan.base = devm_ioremap(dev->mt76.dev, + pci_resource_start(pci_dev, 0), + pci_resource_len(pci_dev, 0)); ++ if (!wed->wlan.base) ++ return -ENOMEM; ++ + wed->wlan.phy_base = pci_resource_start(pci_dev, 0); + + if (hif2) { +-- +2.39.5 + diff --git a/queue-6.12/wifi-mt76-mt7996-fix-rx-buffer-size-of-mcu-event.patch b/queue-6.12/wifi-mt76-mt7996-fix-rx-buffer-size-of-mcu-event.patch new file mode 100644 index 0000000000..1e4cbbd732 --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7996-fix-rx-buffer-size-of-mcu-event.patch @@ -0,0 +1,71 @@ +From 87850cf8abab2c4640f516c1f8391ef2e0916c61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 11:29:50 +0800 +Subject: wifi: mt76: mt7996: fix RX buffer size of MCU event + +From: Shayne Chen + +[ Upstream commit 42cb27af34de4acf680606fad2c1f2932110591f ] + +Some management frames are first processed by the firmware and then +passed to the driver through the MCU event rings. In CONNAC3, event rings +do not support scatter-gather and have a size limitation of 2048 bytes. +If a packet sized between 1728 and 2048 bytes arrives from an event ring, +the ring will hang because the driver attempts to use scatter-gather to +process it. + +To fix this, include the size of struct skb_shared_info in the MCU RX +buffer size to prevent scatter-gather from being used for event skb in +mt76_dma_rx_fill_buf(). + +Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") +Co-developed-by: Peter Chiu +Signed-off-by: Peter Chiu +Signed-off-by: Shayne Chen +Link: https://patch.msgid.link/20250515032952.1653494-7-shayne.chen@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/dma.c | 4 ++-- + drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 3 +++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/dma.c b/drivers/net/wireless/mediatek/mt76/mt7996/dma.c +index 69a7d9b2e38bd..4b68d2fc5e094 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/dma.c +@@ -493,7 +493,7 @@ int mt7996_dma_init(struct mt7996_dev *dev) + ret = mt76_queue_alloc(dev, &dev->mt76.q_rx[MT_RXQ_MCU], + MT_RXQ_ID(MT_RXQ_MCU), + MT7996_RX_MCU_RING_SIZE, +- MT_RX_BUF_SIZE, ++ MT7996_RX_MCU_BUF_SIZE, + MT_RXQ_RING_BASE(MT_RXQ_MCU)); + if (ret) + return ret; +@@ -502,7 +502,7 @@ int mt7996_dma_init(struct mt7996_dev *dev) + ret = mt76_queue_alloc(dev, &dev->mt76.q_rx[MT_RXQ_MCU_WA], + MT_RXQ_ID(MT_RXQ_MCU_WA), + MT7996_RX_MCU_RING_SIZE_WA, +- MT_RX_BUF_SIZE, ++ MT7996_RX_MCU_BUF_SIZE, + MT_RXQ_RING_BASE(MT_RXQ_MCU_WA)); + if (ret) + return ret; +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h +index ab8c9070630b0..425fd030bee00 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h +@@ -28,6 +28,9 @@ + #define MT7996_RX_RING_SIZE 1536 + #define MT7996_RX_MCU_RING_SIZE 512 + #define MT7996_RX_MCU_RING_SIZE_WA 1024 ++/* scatter-gather of mcu event is not supported in connac3 */ ++#define MT7996_RX_MCU_BUF_SIZE (2048 + \ ++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) + + #define MT7996_FIRMWARE_WA "mediatek/mt7996/mt7996_wa.bin" + #define MT7996_FIRMWARE_WM "mediatek/mt7996/mt7996_wm.bin" +-- +2.39.5 + diff --git a/queue-6.12/wifi-mt76-mt7996-set-eht-max-ampdu-length-capability.patch b/queue-6.12/wifi-mt76-mt7996-set-eht-max-ampdu-length-capability.patch new file mode 100644 index 0000000000..6994d61ec5 --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7996-set-eht-max-ampdu-length-capability.patch @@ -0,0 +1,40 @@ +From 716351c4b0822e1c2f8b740d6fd7209b406ba44c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 11:29:46 +0800 +Subject: wifi: mt76: mt7996: set EHT max ampdu length capability + +From: Peter Chiu + +[ Upstream commit 8b2f574845e33d02e7fbad2d3192a8b717567afa ] + +Set the max AMPDU length in the EHT MAC CAP. Without this patch, the +peer station cannot obtain the correct capability, which prevents +achieving peak throughput on the 2 GHz band. + +Fixes: 1816ad9381e0 ("wifi: mt76: mt7996: add max mpdu len capability") +Signed-off-by: Peter Chiu +Signed-off-by: Shayne Chen +Link: https://patch.msgid.link/20250515032952.1653494-3-shayne.chen@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/init.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c +index d8a013812d1e3..c550385541143 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c +@@ -1193,6 +1193,9 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band, + u8_encode_bits(IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_11454, + IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_MASK); + ++ eht_cap_elem->mac_cap_info[1] |= ++ IEEE80211_EHT_MAC_CAP1_MAX_AMPDU_LEN_MASK; ++ + eht_cap_elem->phy_cap_info[0] = + IEEE80211_EHT_PHY_CAP0_NDP_4_EHT_LFT_32_GI | + IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMER | +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch b/queue-6.12/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch new file mode 100644 index 0000000000..ade7c55826 --- /dev/null +++ b/queue-6.12/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch @@ -0,0 +1,42 @@ +From 075b33f894cde80e9b646a904e579c3b26248a64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 12:07:20 +0300 +Subject: wifi: rtw88: do not ignore hardware read error during DPK + +From: Dmitry Antipov + +[ Upstream commit 20d3c19bd8f9b498173c198eadf54580c8caa336 ] + +In 'rtw8822c_dpk_cal_coef1()', do not ignore error returned +by 'check_hw_ready()' but issue a warning to denote possible +DPK issue. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5227c2ee453d ("rtw88: 8822c: add SW DPK support") +Suggested-by: Ping-Ke Shih +Signed-off-by: Dmitry Antipov +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250415090720.194048-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +index 1dbe1cdbc3fd4..3157cd834233d 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +@@ -3993,7 +3993,8 @@ static void rtw8822c_dpk_cal_coef1(struct rtw_dev *rtwdev) + rtw_write32(rtwdev, REG_NCTL0, 0x00001148); + rtw_write32(rtwdev, REG_NCTL0, 0x00001149); + +- check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55); ++ if (!check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55)) ++ rtw_warn(rtwdev, "DPK stuck, performance may be suboptimal"); + + rtw_write8(rtwdev, 0x1b10, 0x0); + rtw_write32_mask(rtwdev, REG_NCTL0, BIT_SUBPAGE, 0x0000000c); +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch b/queue-6.12/wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch new file mode 100644 index 0000000000..fe37945de9 --- /dev/null +++ b/queue-6.12/wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch @@ -0,0 +1,48 @@ +From d88332839de13e4b367a54be8d18997e1db8385e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:13:04 +0000 +Subject: wifi: rtw88: fix the 'para' buffer size to avoid reading out of + bounds + +From: Alexey Kodanev + +[ Upstream commit 4c2c372de2e108319236203cce6de44d70ae15cd ] + +Set the size to 6 instead of 2, since 'para' array is passed to +'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads +5 bytes: + +void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) +{ + ... + SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data); + SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1)); + ... + SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4)); + +Detected using the static analysis tool - Svace. +Fixes: 4136214f7c46 ("rtw88: add BT co-existence support") +Signed-off-by: Alexey Kodanev +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/coex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c +index a99776af56c27..c476e65c4d71e 100644 +--- a/drivers/net/wireless/realtek/rtw88/coex.c ++++ b/drivers/net/wireless/realtek/rtw88/coex.c +@@ -309,7 +309,7 @@ static void rtw_coex_tdma_timer_base(struct rtw_dev *rtwdev, u8 type) + { + struct rtw_coex *coex = &rtwdev->coex; + struct rtw_coex_stat *coex_stat = &coex->stat; +- u8 para[2] = {0}; ++ u8 para[6] = {}; + u8 times; + u16 tbtt_interval = coex_stat->wl_beacon_interval; + +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw88-sdio-call-rtw_sdio_indicate_tx_status-unc.patch b/queue-6.12/wifi-rtw88-sdio-call-rtw_sdio_indicate_tx_status-unc.patch new file mode 100644 index 0000000000..39cfcc50b5 --- /dev/null +++ b/queue-6.12/wifi-rtw88-sdio-call-rtw_sdio_indicate_tx_status-unc.patch @@ -0,0 +1,46 @@ +From 0f1cc188a688debabedba87ac0433798ebd73b98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 15:42:16 +0000 +Subject: wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally + +From: Zhen XIN + +[ Upstream commit fc5f5a0ec463ae6a07850428bd3082947e01d276 ] + +The rtw88-sdio do not work in AP mode due to the lack of TX status report +for management frames. + +Make the invocation of rtw_sdio_indicate_tx_status unconditional and cover +all packet queues + +Tested-on: rtl8723ds + +Fixes: 65371a3f14e7 ("wifi: rtw88: sdio: Add HCI implementation for SDIO based chipsets") +Signed-off-by: Zhen XIN +Reviewed-by: Martin Blumenstingl +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250410154217.1849977-2-zhen.xin@nokia-sbell.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/sdio.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c +index 0316a0bec96e2..5b8e88c9759d1 100644 +--- a/drivers/net/wireless/realtek/rtw88/sdio.c ++++ b/drivers/net/wireless/realtek/rtw88/sdio.c +@@ -1225,10 +1225,7 @@ static void rtw_sdio_process_tx_queue(struct rtw_dev *rtwdev, + return; + } + +- if (queue <= RTW_TX_QUEUE_VO) +- rtw_sdio_indicate_tx_status(rtwdev, skb); +- else +- dev_kfree_skb_any(skb); ++ rtw_sdio_indicate_tx_status(rtwdev, skb); + } + + static void rtw_sdio_tx_handler(struct work_struct *work) +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw88-sdio-map-mgmt-frames-to-queue-tx_desc_qse.patch b/queue-6.12/wifi-rtw88-sdio-map-mgmt-frames-to-queue-tx_desc_qse.patch new file mode 100644 index 0000000000..a4bb52120c --- /dev/null +++ b/queue-6.12/wifi-rtw88-sdio-map-mgmt-frames-to-queue-tx_desc_qse.patch @@ -0,0 +1,46 @@ +From d0444f11f7cdf9a491c98e6cc21b4be0c76f9e99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 15:42:17 +0000 +Subject: wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT + +From: Zhen XIN + +[ Upstream commit b2effcdc237979dcc533d446a792fc54fd0e1213 ] + +The rtw88-sdio do not work in AP mode due to the lack of TX status report +for management frames. + +Map the management frames to queue TX_DESC_QSEL_MGMT, which enables the +chip to generate TX reports for these frames + +Tested-on: rtl8723ds + +Fixes: 65371a3f14e7 ("wifi: rtw88: sdio: Add HCI implementation for SDIO based chipsets") +Signed-off-by: Zhen XIN +Reviewed-by: Martin Blumenstingl +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250410154217.1849977-3-zhen.xin@nokia-sbell.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/sdio.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c +index 1d62b38526c48..0316a0bec96e2 100644 +--- a/drivers/net/wireless/realtek/rtw88/sdio.c ++++ b/drivers/net/wireless/realtek/rtw88/sdio.c +@@ -718,10 +718,7 @@ static u8 rtw_sdio_get_tx_qsel(struct rtw_dev *rtwdev, struct sk_buff *skb, + case RTW_TX_QUEUE_H2C: + return TX_DESC_QSEL_H2C; + case RTW_TX_QUEUE_MGMT: +- if (rtw_chip_wcpu_11n(rtwdev)) +- return TX_DESC_QSEL_HIGH; +- else +- return TX_DESC_QSEL_MGMT; ++ return TX_DESC_QSEL_MGMT; + case RTW_TX_QUEUE_HI0: + return TX_DESC_QSEL_HIGH; + default: +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw89-fix-firmware-scan-delay-unit-for-wifi-6-c.patch b/queue-6.12/wifi-rtw89-fix-firmware-scan-delay-unit-for-wifi-6-c.patch new file mode 100644 index 0000000000..9913bc5788 --- /dev/null +++ b/queue-6.12/wifi-rtw89-fix-firmware-scan-delay-unit-for-wifi-6-c.patch @@ -0,0 +1,38 @@ +From c3bb8d653bb663e522f683349cea6c5e4fffe813 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 20:52:03 +0800 +Subject: wifi: rtw89: fix firmware scan delay unit for WiFi 6 chips + +From: Chin-Yen Lee + +[ Upstream commit 3cc35394fac15d533639c9c9e42f28d28936a4a0 ] + +The scan delay unit of firmware command for WiFi 6 chips is +microsecond, but is wrong set now and lead to abnormal work +for net-detect. Correct the unit to avoid the error. + +Fixes: e99dd80c8a18 ("wifi: rtw89: wow: add delay option for net-detect") +Signed-off-by: Chin-Yen Lee +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250513125203.6858-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c +index e5c90050e7115..7dbce3b10a7de 100644 +--- a/drivers/net/wireless/realtek/rtw89/fw.c ++++ b/drivers/net/wireless/realtek/rtw89/fw.c +@@ -5016,7 +5016,7 @@ int rtw89_fw_h2c_scan_list_offload_be(struct rtw89_dev *rtwdev, int ch_num, + return 0; + } + +-#define RTW89_SCAN_DELAY_TSF_UNIT 104800 ++#define RTW89_SCAN_DELAY_TSF_UNIT 1000000 + int rtw89_fw_h2c_scan_offload_ax(struct rtw89_dev *rtwdev, + struct rtw89_scan_option *option, + struct rtw89_vif_link *rtwvif_link, +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw89-pci-enlarge-retry-times-of-rx-tag-to-1000.patch b/queue-6.12/wifi-rtw89-pci-enlarge-retry-times-of-rx-tag-to-1000.patch new file mode 100644 index 0000000000..6b557be84a --- /dev/null +++ b/queue-6.12/wifi-rtw89-pci-enlarge-retry-times-of-rx-tag-to-1000.patch @@ -0,0 +1,44 @@ +From 9b750e951dc2d2cab8fa92934c7362cac324154d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 09:34:33 +0800 +Subject: wifi: rtw89: pci: enlarge retry times of RX tag to 1000 + +From: Ping-Ke Shih + +[ Upstream commit dda27a47c036d981ec664ac57e044a21035ffe12 ] + +RX tag is sequence number to ensure RX DMA is complete. On platform +Gigabyte X870 AORUS ELITE WIFI7, sometimes it needs longer retry times +to complete RX DMA, or driver throws warnings and connection drops: + + rtw89_8922ae 0000:07:00.0: failed to update 162 RXBD info: -11 + rtw89_8922ae 0000:07:00.0: failed to update 163 RXBD info: -11 + rtw89_8922ae 0000:07:00.0: failed to update 32 RXBD info: -11 + rtw89_8922ae 0000:07:00.0: failed to release TX skbs + +Fixes: 0bc7d1d4e63c ("wifi: rtw89: pci: validate RX tag for RXQ and RPQ") +Reported-by: Samuel Reyes +Closes: https://lore.kernel.org/linux-wireless/f4355539f3ac46bbaf9c586d059a8cbb@realtek.com/T/#t +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250509013433.7573-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c +index 0ac84f968994b..e203d3b2a8274 100644 +--- a/drivers/net/wireless/realtek/rtw89/pci.c ++++ b/drivers/net/wireless/realtek/rtw89/pci.c +@@ -228,7 +228,7 @@ int rtw89_pci_sync_skb_for_device_and_validate_rx_info(struct rtw89_dev *rtwdev, + struct sk_buff *skb) + { + struct rtw89_pci_rx_info *rx_info = RTW89_PCI_RX_SKB_CB(skb); +- int rx_tag_retry = 100; ++ int rx_tag_retry = 1000; + int ret; + + do { +-- +2.39.5 + diff --git a/queue-6.12/wireguard-device-enable-threaded-napi.patch b/queue-6.12/wireguard-device-enable-threaded-napi.patch new file mode 100644 index 0000000000..4a569eb386 --- /dev/null +++ b/queue-6.12/wireguard-device-enable-threaded-napi.patch @@ -0,0 +1,79 @@ +From c395cd940ffdf0358c86262fc842a0165163a76a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jun 2025 14:06:16 +0200 +Subject: wireguard: device: enable threaded NAPI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mirco Barone + +[ Upstream commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e ] + +Enable threaded NAPI by default for WireGuard devices in response to low +performance behavior that we observed when multiple tunnels (and thus +multiple wg devices) are deployed on a single host. This affects any +kind of multi-tunnel deployment, regardless of whether the tunnels share +the same endpoints or not (i.e., a VPN concentrator type of gateway +would also be affected). + +The problem is caused by the fact that, in case of a traffic surge that +involves multiple tunnels at the same time, the polling of the NAPI +instance of all these wg devices tends to converge onto the same core, +causing underutilization of the CPU and bottlenecking performance. + +This happens because NAPI polling is hosted by default in softirq +context, but the WireGuard driver only raises this softirq after the rx +peer queue has been drained, which doesn't happen during high traffic. +In this case, the softirq already active on a core is reused instead of +raising a new one. + +As a result, once two or more tunnel softirqs have been scheduled on +the same core, they remain pinned there until the surge ends. + +In our experiments, this almost always leads to all tunnel NAPIs being +handled on a single core shortly after a surge begins, limiting +scalability to less than 3× the performance of a single tunnel, despite +plenty of unused CPU cores being available. + +The proposed mitigation is to enable threaded NAPI for all WireGuard +devices. This moves the NAPI polling context to a dedicated per-device +kernel thread, allowing the scheduler to balance the load across all +available cores. + +On our 32-core gateways, enabling threaded NAPI yields a ~4× performance +improvement with 16 tunnels, increasing throughput from ~13 Gbps to +~48 Gbps. Meanwhile, CPU usage on the receiver (which is the bottleneck) +jumps from 20% to 100%. + +We have found no performance regressions in any scenario we tested. +Single-tunnel throughput remains unchanged. + +More details are available in our Netdev paper. + +Link: https://netdevconf.info/0x18/docs/netdev-0x18-paper23-talk-paper.pdf +Signed-off-by: Mirco Barone +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Signed-off-by: Jason A. Donenfeld +Link: https://patch.msgid.link/20250605120616.2808744-1-Jason@zx2c4.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wireguard/device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c +index 45e9b908dbfb0..acb9ce7a626af 100644 +--- a/drivers/net/wireguard/device.c ++++ b/drivers/net/wireguard/device.c +@@ -364,6 +364,7 @@ static int wg_newlink(struct net *src_net, struct net_device *dev, + if (ret < 0) + goto err_free_handshake_queue; + ++ dev_set_threaded(dev, true); + ret = register_netdevice(dev); + if (ret < 0) + goto err_uninit_ratelimiter; +-- +2.39.5 + diff --git a/queue-6.12/x86-cpu-sanitize-cpuid-0x80000000-output.patch b/queue-6.12/x86-cpu-sanitize-cpuid-0x80000000-output.patch new file mode 100644 index 0000000000..2cd0e15ee3 --- /dev/null +++ b/queue-6.12/x86-cpu-sanitize-cpuid-0x80000000-output.patch @@ -0,0 +1,92 @@ +From 845ad8e83b25f0b270c84aef6efb587d3c91fb0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 07:04:13 +0200 +Subject: x86/cpu: Sanitize CPUID(0x80000000) output + +From: Ahmed S. Darwish + +[ Upstream commit cc663ba3fe383a628a812f893cc98aafff39ab04 ] + +CPUID(0x80000000).EAX returns the max extended CPUID leaf available. On +x86-32 machines without an extended CPUID range, a CPUID(0x80000000) +query will just repeat the output of the last valid standard CPUID leaf +on the CPU; i.e., a garbage values. Current tip:x86/cpu code protects against +this by doing: + + eax = cpuid_eax(0x80000000); + c->extended_cpuid_level = eax; + + if ((eax & 0xffff0000) == 0x80000000) { + // CPU has an extended CPUID range. Check for 0x80000001 + if (eax >= 0x80000001) { + cpuid(0x80000001, ...); + } + } + +This is correct so far. Afterwards though, the same possibly broken EAX +value is used to check the availability of other extended CPUID leaves: + + if (c->extended_cpuid_level >= 0x80000007) + ... + if (c->extended_cpuid_level >= 0x80000008) + ... + if (c->extended_cpuid_level >= 0x8000000a) + ... + if (c->extended_cpuid_level >= 0x8000001f) + ... + +which is invalid. Fix this by immediately setting the CPU's max extended +CPUID leaf to zero if CPUID(0x80000000).EAX doesn't indicate a valid +CPUID extended range. + +While at it, add a comment, similar to kernel/head_32.S, clarifying the +CPUID(0x80000000) sanity check. + +References: 8a50e5135af0 ("x86-32: Use symbolic constants, safer CPUID when enabling EFER.NX") +Fixes: 3da99c977637 ("x86: make (early)_identify_cpu more the same between 32bit and 64 bit") +Signed-off-by: Ahmed S. Darwish +Signed-off-by: Ingo Molnar +Cc: Andrew Cooper +Cc: H. Peter Anvin +Cc: John Ogness +Cc: x86-cpuid@lists.linux.dev +Link: https://lore.kernel.org/r/20250506050437.10264-3-darwi@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/common.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 39e9ec3dea985..b487754455236 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1007,17 +1007,18 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + c->x86_capability[CPUID_D_1_EAX] = eax; + } + +- /* AMD-defined flags: level 0x80000001 */ ++ /* ++ * Check if extended CPUID leaves are implemented: Max extended ++ * CPUID leaf must be in the 0x80000001-0x8000ffff range. ++ */ + eax = cpuid_eax(0x80000000); +- c->extended_cpuid_level = eax; ++ c->extended_cpuid_level = ((eax & 0xffff0000) == 0x80000000) ? eax : 0; + +- if ((eax & 0xffff0000) == 0x80000000) { +- if (eax >= 0x80000001) { +- cpuid(0x80000001, &eax, &ebx, &ecx, &edx); ++ if (c->extended_cpuid_level >= 0x80000001) { ++ cpuid(0x80000001, &eax, &ebx, &ecx, &edx); + +- c->x86_capability[CPUID_8000_0001_ECX] = ecx; +- c->x86_capability[CPUID_8000_0001_EDX] = edx; +- } ++ c->x86_capability[CPUID_8000_0001_ECX] = ecx; ++ c->x86_capability[CPUID_8000_0001_EDX] = edx; + } + + if (c->extended_cpuid_level >= 0x80000007) { +-- +2.39.5 + diff --git a/queue-6.12/x86-idle-remove-mfences-for-x86_bug_clflush_monitor-.patch b/queue-6.12/x86-idle-remove-mfences-for-x86_bug_clflush_monitor-.patch new file mode 100644 index 0000000000..13ad410a05 --- /dev/null +++ b/queue-6.12/x86-idle-remove-mfences-for-x86_bug_clflush_monitor-.patch @@ -0,0 +1,120 @@ +From 66c08e6ab71f2b8d5ba58df26fd73df2c5eef325 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 18:24:58 +0100 +Subject: x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in + mwait_idle_with_hints() and prefer_mwait_c1_over_halt() + +From: Andrew Cooper + +[ Upstream commit 1f13c60d84e880df6698441026e64f84c7110c49 ] + +The following commit, 12 years ago: + + 7e98b7192046 ("x86, idle: Use static_cpu_has() for CLFLUSH workaround, add barriers") + +added barriers around the CLFLUSH in mwait_idle_with_hints(), justified with: + + ... and add memory barriers around it since the documentation is explicit + that CLFLUSH is only ordered with respect to MFENCE. + +This also triggered, 11 years ago, the same adjustment in: + + f8e617f45829 ("sched/idle/x86: Optimize unnecessary mwait_idle() resched IPIs") + +during development, although it failed to get the static_cpu_has_bug() treatment. + +X86_BUG_CLFLUSH_MONITOR (a.k.a the AAI65 errata) is specific to Intel CPUs, +and the SDM currently states: + + Executions of the CLFLUSH instruction are ordered with respect to each + other and with respect to writes, locked read-modify-write instructions, + and fence instructions[1]. + +With footnote 1 reading: + + Earlier versions of this manual specified that executions of the CLFLUSH + instruction were ordered only by the MFENCE instruction. All processors + implementing the CLFLUSH instruction also order it relative to the other + operations enumerated above. + +i.e. The SDM was incorrect at the time, and barriers should not have been +inserted. Double checking the original AAI65 errata (not available from +intel.com any more) shows no mention of barriers either. + +Note: If this were a general codepath, the MFENCEs would be needed, because + AMD CPUs of the same vintage do sport otherwise-unordered CLFLUSHs. + +Remove the unnecessary barriers. Furthermore, use a plain alternative(), +rather than static_cpu_has_bug() and/or no optimisation. The workaround +is a single instruction. + +Use an explicit %rax pointer rather than a general memory operand, because +MONITOR takes the pointer implicitly in the same way. + +[ mingo: Cleaned up the commit a bit. ] + +Fixes: 7e98b7192046 ("x86, idle: Use static_cpu_has() for CLFLUSH workaround, add barriers") +Signed-off-by: Andrew Cooper +Signed-off-by: Ingo Molnar +Acked-by: Dave Hansen +Acked-by: Borislav Petkov (AMD) +Cc: "H. Peter Anvin" +Cc: Peter Zijlstra +Cc: Rik van Riel +Cc: Linus Torvalds +Cc: Andy Lutomirski +Cc: Brian Gerst +Cc: Juergen Gross +Cc: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20250402172458.1378112-1-andrew.cooper3@citrix.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/mwait.h | 9 +++------ + arch/x86/kernel/process.c | 9 +++------ + 2 files changed, 6 insertions(+), 12 deletions(-) + +diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h +index 920426d691ce7..3e4e85f71a6ad 100644 +--- a/arch/x86/include/asm/mwait.h ++++ b/arch/x86/include/asm/mwait.h +@@ -117,13 +117,10 @@ static __always_inline void __sti_mwait(unsigned long eax, unsigned long ecx) + static __always_inline void mwait_idle_with_hints(unsigned long eax, unsigned long ecx) + { + if (static_cpu_has_bug(X86_BUG_MONITOR) || !current_set_polling_and_test()) { +- if (static_cpu_has_bug(X86_BUG_CLFLUSH_MONITOR)) { +- mb(); +- clflush((void *)¤t_thread_info()->flags); +- mb(); +- } ++ const void *addr = ¤t_thread_info()->flags; + +- __monitor((void *)¤t_thread_info()->flags, 0, 0); ++ alternative_input("", "clflush (%[addr])", X86_BUG_CLFLUSH_MONITOR, [addr] "a" (addr)); ++ __monitor(addr, 0, 0); + + if (!need_resched()) { + if (ecx & 1) { +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index c7ce3655b7078..8a9ddc4adf51b 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -906,13 +906,10 @@ static __init bool prefer_mwait_c1_over_halt(void) + static __cpuidle void mwait_idle(void) + { + if (!current_set_polling_and_test()) { +- if (this_cpu_has(X86_BUG_CLFLUSH_MONITOR)) { +- mb(); /* quirk */ +- clflush((void *)¤t_thread_info()->flags); +- mb(); /* quirk */ +- } ++ const void *addr = ¤t_thread_info()->flags; + +- __monitor((void *)¤t_thread_info()->flags, 0, 0); ++ alternative_input("", "clflush (%[addr])", X86_BUG_CLFLUSH_MONITOR, [addr] "a" (addr)); ++ __monitor(addr, 0, 0); + if (!need_resched()) { + __sti_mwait(0, 0); + raw_local_irq_disable(); +-- +2.39.5 + diff --git a/queue-6.12/x86-insn-fix-opcode-map-rex2-superscript-tags.patch b/queue-6.12/x86-insn-fix-opcode-map-rex2-superscript-tags.patch new file mode 100644 index 0000000000..e89b9df2e2 --- /dev/null +++ b/queue-6.12/x86-insn-fix-opcode-map-rex2-superscript-tags.patch @@ -0,0 +1,203 @@ +From 1ccca1f22d3fd033f92f345f3a0647cf8402e741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 10:48:10 +0900 +Subject: x86/insn: Fix opcode map (!REX2) superscript tags + +From: Masami Hiramatsu (Google) + +[ Upstream commit ca698ec2f07873a448d53c580795c4e023c75393 ] + +Commit: + + 159039af8c07 ("x86/insn: x86/insn: Add support for REX2 prefix to the instruction decoder opcode map") + +added (!REX2) superscript with a space, but the correct format requires ',' +for concatination with other superscript tags. + +Add ',' to generate correct insn attribute tables. + +I confirmed with following command: + + arch/x86/lib/x86-opcode-map.txt | grep e8 | head -n 1 + [0xe8] = INAT_MAKE_IMM(INAT_IMM_VWORD32) | INAT_FORCE64 | INAT_NO_REX2, + +Fixes: 159039af8c07 ("x86/insn: x86/insn: Add support for REX2 prefix to the instruction decoder opcode map") +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Ingo Molnar +Cc: H. Peter Anvin +Cc: Adrian Hunter +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/174580489027.388420.15539375184727726142.stgit@devnote2 +Signed-off-by: Sasha Levin +--- + arch/x86/lib/x86-opcode-map.txt | 50 +++++++++++++-------------- + tools/arch/x86/lib/x86-opcode-map.txt | 50 +++++++++++++-------------- + 2 files changed, 50 insertions(+), 50 deletions(-) + +diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt +index f5dd84eb55dcd..cd3fd5155f6ec 100644 +--- a/arch/x86/lib/x86-opcode-map.txt ++++ b/arch/x86/lib/x86-opcode-map.txt +@@ -35,7 +35,7 @@ + # - (!F3) : the last prefix is not 0xF3 (including non-last prefix case) + # - (66&F2): Both 0x66 and 0xF2 prefixes are specified. + # +-# REX2 Prefix ++# REX2 Prefix Superscripts + # - (!REX2): REX2 is not allowed + # - (REX2): REX2 variant e.g. JMPABS + +@@ -286,10 +286,10 @@ df: ESC + # Note: "forced64" is Intel CPU behavior: they ignore 0x66 prefix + # in 64-bit mode. AMD CPUs accept 0x66 prefix, it causes RIP truncation + # to 16 bits. In 32-bit mode, 0x66 is accepted by both Intel and AMD. +-e0: LOOPNE/LOOPNZ Jb (f64) (!REX2) +-e1: LOOPE/LOOPZ Jb (f64) (!REX2) +-e2: LOOP Jb (f64) (!REX2) +-e3: JrCXZ Jb (f64) (!REX2) ++e0: LOOPNE/LOOPNZ Jb (f64),(!REX2) ++e1: LOOPE/LOOPZ Jb (f64),(!REX2) ++e2: LOOP Jb (f64),(!REX2) ++e3: JrCXZ Jb (f64),(!REX2) + e4: IN AL,Ib (!REX2) + e5: IN eAX,Ib (!REX2) + e6: OUT Ib,AL (!REX2) +@@ -298,10 +298,10 @@ e7: OUT Ib,eAX (!REX2) + # in "near" jumps and calls is 16-bit. For CALL, + # push of return address is 16-bit wide, RSP is decremented by 2 + # but is not truncated to 16 bits, unlike RIP. +-e8: CALL Jz (f64) (!REX2) +-e9: JMP-near Jz (f64) (!REX2) +-ea: JMP-far Ap (i64) (!REX2) +-eb: JMP-short Jb (f64) (!REX2) ++e8: CALL Jz (f64),(!REX2) ++e9: JMP-near Jz (f64),(!REX2) ++ea: JMP-far Ap (i64),(!REX2) ++eb: JMP-short Jb (f64),(!REX2) + ec: IN AL,DX (!REX2) + ed: IN eAX,DX (!REX2) + ee: OUT DX,AL (!REX2) +@@ -478,22 +478,22 @@ AVXcode: 1 + 7f: movq Qq,Pq | vmovdqa Wx,Vx (66) | vmovdqa32/64 Wx,Vx (66),(evo) | vmovdqu Wx,Vx (F3) | vmovdqu32/64 Wx,Vx (F3),(evo) | vmovdqu8/16 Wx,Vx (F2),(ev) + # 0x0f 0x80-0x8f + # Note: "forced64" is Intel CPU behavior (see comment about CALL insn). +-80: JO Jz (f64) (!REX2) +-81: JNO Jz (f64) (!REX2) +-82: JB/JC/JNAE Jz (f64) (!REX2) +-83: JAE/JNB/JNC Jz (f64) (!REX2) +-84: JE/JZ Jz (f64) (!REX2) +-85: JNE/JNZ Jz (f64) (!REX2) +-86: JBE/JNA Jz (f64) (!REX2) +-87: JA/JNBE Jz (f64) (!REX2) +-88: JS Jz (f64) (!REX2) +-89: JNS Jz (f64) (!REX2) +-8a: JP/JPE Jz (f64) (!REX2) +-8b: JNP/JPO Jz (f64) (!REX2) +-8c: JL/JNGE Jz (f64) (!REX2) +-8d: JNL/JGE Jz (f64) (!REX2) +-8e: JLE/JNG Jz (f64) (!REX2) +-8f: JNLE/JG Jz (f64) (!REX2) ++80: JO Jz (f64),(!REX2) ++81: JNO Jz (f64),(!REX2) ++82: JB/JC/JNAE Jz (f64),(!REX2) ++83: JAE/JNB/JNC Jz (f64),(!REX2) ++84: JE/JZ Jz (f64),(!REX2) ++85: JNE/JNZ Jz (f64),(!REX2) ++86: JBE/JNA Jz (f64),(!REX2) ++87: JA/JNBE Jz (f64),(!REX2) ++88: JS Jz (f64),(!REX2) ++89: JNS Jz (f64),(!REX2) ++8a: JP/JPE Jz (f64),(!REX2) ++8b: JNP/JPO Jz (f64),(!REX2) ++8c: JL/JNGE Jz (f64),(!REX2) ++8d: JNL/JGE Jz (f64),(!REX2) ++8e: JLE/JNG Jz (f64),(!REX2) ++8f: JNLE/JG Jz (f64),(!REX2) + # 0x0f 0x90-0x9f + 90: SETO Eb | kmovw/q Vk,Wk | kmovb/d Vk,Wk (66) + 91: SETNO Eb | kmovw/q Mv,Vk | kmovb/d Mv,Vk (66) +diff --git a/tools/arch/x86/lib/x86-opcode-map.txt b/tools/arch/x86/lib/x86-opcode-map.txt +index f5dd84eb55dcd..cd3fd5155f6ec 100644 +--- a/tools/arch/x86/lib/x86-opcode-map.txt ++++ b/tools/arch/x86/lib/x86-opcode-map.txt +@@ -35,7 +35,7 @@ + # - (!F3) : the last prefix is not 0xF3 (including non-last prefix case) + # - (66&F2): Both 0x66 and 0xF2 prefixes are specified. + # +-# REX2 Prefix ++# REX2 Prefix Superscripts + # - (!REX2): REX2 is not allowed + # - (REX2): REX2 variant e.g. JMPABS + +@@ -286,10 +286,10 @@ df: ESC + # Note: "forced64" is Intel CPU behavior: they ignore 0x66 prefix + # in 64-bit mode. AMD CPUs accept 0x66 prefix, it causes RIP truncation + # to 16 bits. In 32-bit mode, 0x66 is accepted by both Intel and AMD. +-e0: LOOPNE/LOOPNZ Jb (f64) (!REX2) +-e1: LOOPE/LOOPZ Jb (f64) (!REX2) +-e2: LOOP Jb (f64) (!REX2) +-e3: JrCXZ Jb (f64) (!REX2) ++e0: LOOPNE/LOOPNZ Jb (f64),(!REX2) ++e1: LOOPE/LOOPZ Jb (f64),(!REX2) ++e2: LOOP Jb (f64),(!REX2) ++e3: JrCXZ Jb (f64),(!REX2) + e4: IN AL,Ib (!REX2) + e5: IN eAX,Ib (!REX2) + e6: OUT Ib,AL (!REX2) +@@ -298,10 +298,10 @@ e7: OUT Ib,eAX (!REX2) + # in "near" jumps and calls is 16-bit. For CALL, + # push of return address is 16-bit wide, RSP is decremented by 2 + # but is not truncated to 16 bits, unlike RIP. +-e8: CALL Jz (f64) (!REX2) +-e9: JMP-near Jz (f64) (!REX2) +-ea: JMP-far Ap (i64) (!REX2) +-eb: JMP-short Jb (f64) (!REX2) ++e8: CALL Jz (f64),(!REX2) ++e9: JMP-near Jz (f64),(!REX2) ++ea: JMP-far Ap (i64),(!REX2) ++eb: JMP-short Jb (f64),(!REX2) + ec: IN AL,DX (!REX2) + ed: IN eAX,DX (!REX2) + ee: OUT DX,AL (!REX2) +@@ -478,22 +478,22 @@ AVXcode: 1 + 7f: movq Qq,Pq | vmovdqa Wx,Vx (66) | vmovdqa32/64 Wx,Vx (66),(evo) | vmovdqu Wx,Vx (F3) | vmovdqu32/64 Wx,Vx (F3),(evo) | vmovdqu8/16 Wx,Vx (F2),(ev) + # 0x0f 0x80-0x8f + # Note: "forced64" is Intel CPU behavior (see comment about CALL insn). +-80: JO Jz (f64) (!REX2) +-81: JNO Jz (f64) (!REX2) +-82: JB/JC/JNAE Jz (f64) (!REX2) +-83: JAE/JNB/JNC Jz (f64) (!REX2) +-84: JE/JZ Jz (f64) (!REX2) +-85: JNE/JNZ Jz (f64) (!REX2) +-86: JBE/JNA Jz (f64) (!REX2) +-87: JA/JNBE Jz (f64) (!REX2) +-88: JS Jz (f64) (!REX2) +-89: JNS Jz (f64) (!REX2) +-8a: JP/JPE Jz (f64) (!REX2) +-8b: JNP/JPO Jz (f64) (!REX2) +-8c: JL/JNGE Jz (f64) (!REX2) +-8d: JNL/JGE Jz (f64) (!REX2) +-8e: JLE/JNG Jz (f64) (!REX2) +-8f: JNLE/JG Jz (f64) (!REX2) ++80: JO Jz (f64),(!REX2) ++81: JNO Jz (f64),(!REX2) ++82: JB/JC/JNAE Jz (f64),(!REX2) ++83: JAE/JNB/JNC Jz (f64),(!REX2) ++84: JE/JZ Jz (f64),(!REX2) ++85: JNE/JNZ Jz (f64),(!REX2) ++86: JBE/JNA Jz (f64),(!REX2) ++87: JA/JNBE Jz (f64),(!REX2) ++88: JS Jz (f64),(!REX2) ++89: JNS Jz (f64),(!REX2) ++8a: JP/JPE Jz (f64),(!REX2) ++8b: JNP/JPO Jz (f64),(!REX2) ++8c: JL/JNGE Jz (f64),(!REX2) ++8d: JNL/JGE Jz (f64),(!REX2) ++8e: JLE/JNG Jz (f64),(!REX2) ++8f: JNLE/JG Jz (f64),(!REX2) + # 0x0f 0x90-0x9f + 90: SETO Eb | kmovw/q Vk,Wk | kmovb/d Vk,Wk (66) + 91: SETNO Eb | kmovw/q Mv,Vk | kmovb/d Mv,Vk (66) +-- +2.39.5 + diff --git a/queue-6.12/x86-irq-ensure-initial-pir-loads-are-performed-exact.patch b/queue-6.12/x86-irq-ensure-initial-pir-loads-are-performed-exact.patch new file mode 100644 index 0000000000..f6406ab17e --- /dev/null +++ b/queue-6.12/x86-irq-ensure-initial-pir-loads-are-performed-exact.patch @@ -0,0 +1,39 @@ +From eb1a2d81df1a3261169c7100167ee76c5f357128 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 09:34:40 -0700 +Subject: x86/irq: Ensure initial PIR loads are performed exactly once + +From: Sean Christopherson + +[ Upstream commit 600e9606046ac3b9b7a3f0500d08a179df84c45e ] + +Ensure the PIR is read exactly once at the start of handle_pending_pir(), +to guarantee that checking for an outstanding posted interrupt in a given +chuck doesn't reload the chunk from the "real" PIR. Functionally, a reload +is benign, but it would defeat the purpose of pre-loading into a copy. + +Fixes: 1b03d82ba15e ("x86/irq: Install posted MSI notification handler") +Reviewed-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20250401163447.846608-2-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/irq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c +index feca4f20b06aa..85fa2db38dc42 100644 +--- a/arch/x86/kernel/irq.c ++++ b/arch/x86/kernel/irq.c +@@ -414,7 +414,7 @@ static __always_inline bool handle_pending_pir(u64 *pir, struct pt_regs *regs) + bool handled = false; + + for (i = 0; i < 4; i++) +- pir_copy[i] = pir[i]; ++ pir_copy[i] = READ_ONCE(pir[i]); + + for (i = 0; i < 4; i++) { + if (!pir_copy[i]) +-- +2.39.5 + diff --git a/queue-6.12/x86-microcode-amd-do-not-return-error-when-microcode.patch b/queue-6.12/x86-microcode-amd-do-not-return-error-when-microcode.patch new file mode 100644 index 0000000000..95ccadc26d --- /dev/null +++ b/queue-6.12/x86-microcode-amd-do-not-return-error-when-microcode.patch @@ -0,0 +1,46 @@ +From ecc5edcdf75cc07f348c5735c74414758f519c7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 05:34:24 +0000 +Subject: x86/microcode/AMD: Do not return error when microcode update is not + necessary + +From: Annie Li + +[ Upstream commit b43dc4ab097859c24e2a6993119c927cffc856aa ] + +After + + 6f059e634dcd("x86/microcode: Clarify the late load logic"), + +if the load is up-to-date, the AMD side returns UCODE_OK which leads to +load_late_locked() returning -EBADFD. + +Handle UCODE_OK in the switch case to avoid this error. + + [ bp: Massage commit message. ] + +Fixes: 6f059e634dcd ("x86/microcode: Clarify the late load logic") +Signed-off-by: Annie Li +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/20250430053424.77438-1-jiayanli@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/microcode/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c +index 079f046ee26d1..e8021d3e58824 100644 +--- a/arch/x86/kernel/cpu/microcode/core.c ++++ b/arch/x86/kernel/cpu/microcode/core.c +@@ -696,6 +696,8 @@ static int load_late_locked(void) + return load_late_stop_cpus(true); + case UCODE_NFOUND: + return -ENOENT; ++ case UCODE_OK: ++ return 0; + default: + return -EBADFD; + } +-- +2.39.5 + diff --git a/queue-6.12/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch b/queue-6.12/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch new file mode 100644 index 0000000000..18449404a5 --- /dev/null +++ b/queue-6.12/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch @@ -0,0 +1,47 @@ +From d03a85e6f6e35b913ee23a2ea81e3780957851d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 17:06:33 +0000 +Subject: x86/mtrr: Check if fixed-range MTRRs exist in + mtrr_save_fixed_ranges() + +From: Jiaqing Zhao + +[ Upstream commit 824c6384e8d9275d4ec7204f3f79a4ac6bc10379 ] + +When suspending, save_processor_state() calls mtrr_save_fixed_ranges() +to save fixed-range MTRRs. + +On platforms without fixed-range MTRRs like the ACRN hypervisor which +has removed fixed-range MTRR emulation, accessing these MSRs will +trigger an unchecked MSR access error. Make sure fixed-range MTRRs are +supported before access to prevent such error. + +Since mtrr_state.have_fixed is only set when MTRRs are present and +enabled, checking the CPU feature flag in mtrr_save_fixed_ranges() is +unnecessary. + +Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending") +Signed-off-by: Jiaqing Zhao +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/20250509170633.3411169-2-jiaqing.zhao@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mtrr/generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c +index 7b29ebda024f4..1ececfce7a46a 100644 +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -591,7 +591,7 @@ static void get_fixed_ranges(mtrr_type *frs) + + void mtrr_save_fixed_ranges(void *info) + { +- if (boot_cpu_has(X86_FEATURE_MTRR)) ++ if (mtrr_state.have_fixed) + get_fixed_ranges(mtrr_state.fixed_ranges); + } + +-- +2.39.5 + diff --git a/queue-6.12/xen-x86-fix-initial-memory-balloon-target.patch b/queue-6.12/xen-x86-fix-initial-memory-balloon-target.patch new file mode 100644 index 0000000000..bb10fac54e --- /dev/null +++ b/queue-6.12/xen-x86-fix-initial-memory-balloon-target.patch @@ -0,0 +1,69 @@ +From 4479daa6ef4aa83d8679e2270383fe12ab9447d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 10:04:26 +0200 +Subject: xen/x86: fix initial memory balloon target +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +[ Upstream commit 74287971dbb3fe322bb316afd9e7fb5807e23bee ] + +When adding extra memory regions as ballooned pages also adjust the balloon +target, otherwise when the balloon driver is started it will populate +memory to match the target value and consume all the extra memory regions +added. + +This made the usage of the Xen `dom0_mem=,max:` command line parameter for +dom0 not work as expected, as the target won't be adjusted and when the +balloon is started it will populate memory straight to the 'max:' value. +It would equally affect domUs that have memory != maxmem. + +Kernels built with CONFIG_XEN_UNPOPULATED_ALLOC are not affected, because +the extra memory regions are consumed by the unpopulated allocation driver, +and then balloon_add_regions() becomes a no-op. + +Reported-by: John +Fixes: 87af633689ce ('x86/xen: fix balloon target initialization for PVH dom0') +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +Tested-by: Marek Marczykowski-Górecki +Message-ID: <20250514080427.28129-1-roger.pau@citrix.com> +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/balloon.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 4bd31242bd773..e47bb157aa090 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -700,15 +700,18 @@ static int __init balloon_add_regions(void) + + /* + * Extra regions are accounted for in the physmap, but need +- * decreasing from current_pages to balloon down the initial +- * allocation, because they are already accounted for in +- * total_pages. ++ * decreasing from current_pages and target_pages to balloon ++ * down the initial allocation, because they are already ++ * accounted for in total_pages. + */ +- if (extra_pfn_end - start_pfn >= balloon_stats.current_pages) { ++ pages = extra_pfn_end - start_pfn; ++ if (pages >= balloon_stats.current_pages || ++ pages >= balloon_stats.target_pages) { + WARN(1, "Extra pages underflow current target"); + return -ERANGE; + } +- balloon_stats.current_pages -= extra_pfn_end - start_pfn; ++ balloon_stats.current_pages -= pages; ++ balloon_stats.target_pages -= pages; + } + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/xfrm-use-xdo.dev-instead-of-xdo.real_dev.patch b/queue-6.12/xfrm-use-xdo.dev-instead-of-xdo.real_dev.patch new file mode 100644 index 0000000000..2693c3938a --- /dev/null +++ b/queue-6.12/xfrm-use-xdo.dev-instead-of-xdo.real_dev.patch @@ -0,0 +1,80 @@ +From 6a937ece849239cf57408192cc8bbc744422247c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Apr 2025 10:49:54 +0300 +Subject: xfrm: Use xdo.dev instead of xdo.real_dev + +From: Cosmin Ratiu + +[ Upstream commit 25ac138f58e7d5c8bffa31e8891418d2819180c4 ] + +The policy offload struct was reused from the state offload and +real_dev was copied from dev, but it was never set to anything else. +Simplify the code by always using xdo.dev for policies. + +Signed-off-by: Cosmin Ratiu +Reviewed-by: Leon Romanovsky +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 2 +- + net/xfrm/xfrm_device.c | 2 -- + net/xfrm/xfrm_state.c | 2 -- + 3 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +index 94edfd7713b5d..39dcbf863421a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c +@@ -1135,7 +1135,7 @@ mlx5e_ipsec_build_accel_pol_attrs(struct mlx5e_ipsec_pol_entry *pol_entry, + static int mlx5e_xfrm_add_policy(struct xfrm_policy *x, + struct netlink_ext_ack *extack) + { +- struct net_device *netdev = x->xdo.real_dev; ++ struct net_device *netdev = x->xdo.dev; + struct mlx5e_ipsec_pol_entry *pol_entry; + struct mlx5e_priv *priv; + int err; +diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c +index b33c4591e09a4..32ad8f3fc81e8 100644 +--- a/net/xfrm/xfrm_device.c ++++ b/net/xfrm/xfrm_device.c +@@ -373,7 +373,6 @@ int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp, + + xdo->dev = dev; + netdev_tracker_alloc(dev, &xdo->dev_tracker, GFP_ATOMIC); +- xdo->real_dev = dev; + xdo->type = XFRM_DEV_OFFLOAD_PACKET; + switch (dir) { + case XFRM_POLICY_IN: +@@ -395,7 +394,6 @@ int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp, + err = dev->xfrmdev_ops->xdo_dev_policy_add(xp, extack); + if (err) { + xdo->dev = NULL; +- xdo->real_dev = NULL; + xdo->type = XFRM_DEV_OFFLOAD_UNSPECIFIED; + xdo->dir = 0; + netdev_put(dev, &xdo->dev_tracker); +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index abd725386cb60..7a298058fc16c 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1487,7 +1487,6 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, + xso->type = XFRM_DEV_OFFLOAD_PACKET; + xso->dir = xdo->dir; + xso->dev = xdo->dev; +- xso->real_dev = xdo->real_dev; + xso->flags = XFRM_DEV_OFFLOAD_FLAG_ACQ; + netdev_hold(xso->dev, &xso->dev_tracker, GFP_ATOMIC); + error = xso->dev->xfrmdev_ops->xdo_dev_state_add(x, NULL); +@@ -1495,7 +1494,6 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, + xso->dir = 0; + netdev_put(xso->dev, &xso->dev_tracker); + xso->dev = NULL; +- xso->real_dev = NULL; + xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED; + x->km.state = XFRM_STATE_DEAD; + to_put = x; +-- +2.39.5 +