From: Greg Kroah-Hartman Date: Sun, 29 Jun 2025 12:52:19 +0000 (+0200) Subject: 6.15-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2395ad0c42f1b6495402268a54224e35c6a3daa2;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch drm-amd-display-add-sanity-checks-for-drm_edid_raw.patch drm-amdgpu-mes-add-compatibility-checks-for-set_hw_resource_1.patch drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch drm-i915-snps_hdmi_pll-fix-64-bit-divisor-truncation-by-using-div64_u64.patch drm-xe-display-add-check-for-alloc_ordered_workqueue.patch drm-xe-move-dpt-l2-flush-to-a-more-sensible-place.patch drm-xe-move-dsb-l2-flush-to-a-more-sensible-place.patch fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch fuse-fix-runtime-warning-on-truncate_folio_batch_exceptionals.patch i2c-imx-fix-emulated-smbus-block-read.patch i2c-omap-fix-an-error-handling-path-in-omap_i2c_probe.patch i2c-robotfuzz-osif-disable-zero-length-read-messages.patch i2c-tiny-usb-disable-zero-length-read-messages.patch io_uring-don-t-assume-uaddr-alignment-in-io_vec_fill_bvec.patch io_uring-rsrc-don-t-rely-on-user-vaddr-alignment.patch io_uring-rsrc-fix-folio-unpinning.patch lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch loongarch-kvm-add-address-alignment-check-for-iocsr-emulation.patch loongarch-kvm-avoid-overflow-with-array-index.patch loongarch-kvm-check-interrupt-route-from-physical-cpu.patch loongarch-kvm-check-validity-of-num_cpu-from-user-space.patch loongarch-kvm-disable-updating-of-num_cpu-and-feature.patch loongarch-kvm-fix-interrupt-route-update-with-eiointc.patch mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch revert-riscv-define-task_size_max-for-__access_ok.patch revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch riscv-export-boot_cpu_hartid.patch riscv-vector-fix-context-save-restore-with-xtheadvector.patch s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch scripts-gdb-fix-dentry_name-lookup.patch smb-client-fix-regression-with-native-smb-symlinks.patch smb-client-remove-t-from-tp_printk-statements.patch --- diff --git a/queue-6.15/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch b/queue-6.15/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch new file mode 100644 index 0000000000..ee95b6606b --- /dev/null +++ b/queue-6.15/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch @@ -0,0 +1,37 @@ +From bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 Mon Sep 17 00:00:00 2001 +From: Oliver Schramm +Date: Sun, 22 Jun 2025 00:30:01 +0200 +Subject: ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 + +From: Oliver Schramm + +commit bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 upstream. + +It's smaller brother has already received the patch to enable the microphone, +now add it too to the DMI quirk table. + +Cc: stable@vger.kernel.org +Signed-off-by: Oliver Schramm +Link: https://patch.msgid.link/20250621223000.11817-2-oliver.schramm97@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -356,6 +356,13 @@ static const struct dmi_system_id yc_acp + { + .driver_data = &acp6x_card, + .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83J3"), ++ } ++ }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_PRODUCT_NAME, "UM5302TA"), + } diff --git a/queue-6.15/ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch b/queue-6.15/ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch new file mode 100644 index 0000000000..1e931c8897 --- /dev/null +++ b/queue-6.15/ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch @@ -0,0 +1,41 @@ +From 3e0809b1664b9dc650d9dbca9a2d3ac690d4f661 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Tue, 24 Jun 2025 09:40:30 +0200 +Subject: ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk + +From: Niklas Cassel + +commit 3e0809b1664b9dc650d9dbca9a2d3ac690d4f661 upstream. + +ASUS store the board name in DMI_PRODUCT_NAME rather than +DMI_PRODUCT_VERSION. (Apparently it is only Lenovo that stores the +model-name in DMI_PRODUCT_VERSION.) + +Use the correct DMI identifier, DMI_PRODUCT_NAME, to match the +ASUSPRO-D840SA board, such that the quirk actually gets applied. + +Cc: stable@vger.kernel.org +Reported-by: Andy Yang +Tested-by: Andy Yang +Closes: https://lore.kernel.org/linux-ide/aFb3wXAwJSSJUB7o@ryzen/ +Fixes: b5acc3628898 ("ata: ahci: Disallow LPM for ASUSPRO-D840SA motherboard") +Reviewed-by: Hans de Goede +Reviewed-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250624074029.963028-2-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/ahci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -1456,7 +1456,7 @@ static bool ahci_broken_lpm(struct pci_d + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +- DMI_MATCH(DMI_PRODUCT_VERSION, "ASUSPRO D840MB_M840SA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "ASUSPRO D840MB_M840SA"), + }, + /* 320 is broken, there is no known good version. */ + }, diff --git a/queue-6.15/drm-amd-display-add-sanity-checks-for-drm_edid_raw.patch b/queue-6.15/drm-amd-display-add-sanity-checks-for-drm_edid_raw.patch new file mode 100644 index 0000000000..3b41a9b1d5 --- /dev/null +++ b/queue-6.15/drm-amd-display-add-sanity-checks-for-drm_edid_raw.patch @@ -0,0 +1,42 @@ +From 6847b3b6e84ef37451c074e6a8db3fbd250c8dbf Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 16 Jun 2025 18:08:41 +0200 +Subject: drm/amd/display: Add sanity checks for drm_edid_raw() + +From: Takashi Iwai + +commit 6847b3b6e84ef37451c074e6a8db3fbd250c8dbf upstream. + +When EDID is retrieved via drm_edid_raw(), it doesn't guarantee to +return proper EDID bytes the caller wants: it may be either NULL (that +leads to an Oops) or with too long bytes over the fixed size raw_edid +array (that may lead to memory corruption). The latter was reported +actually when connected with a bad adapter. + +Add sanity checks for drm_edid_raw() to address the above corner +cases, and return EDID_BAD_INPUT accordingly. + +Fixes: 48edb2a4256e ("drm/amd/display: switch amdgpu_dm_connector to use struct drm_edid") +Link: https://bugzilla.suse.com/show_bug.cgi?id=1236415 +Signed-off-by: Takashi Iwai +Signed-off-by: Alex Deucher +(cherry picked from commit 648d3f4d209725d51900d6a3ed46b7b600140cdf) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c +@@ -1016,6 +1016,10 @@ enum dc_edid_status dm_helpers_read_loca + return EDID_NO_RESPONSE; + + edid = drm_edid_raw(drm_edid); // FIXME: Get rid of drm_edid_raw() ++ if (!edid || ++ edid->extensions >= sizeof(sink->dc_edid.raw_edid) / EDID_LENGTH) ++ return EDID_BAD_INPUT; ++ + sink->dc_edid.length = EDID_LENGTH * (edid->extensions + 1); + memmove(sink->dc_edid.raw_edid, (uint8_t *)edid, sink->dc_edid.length); + diff --git a/queue-6.15/drm-amdgpu-mes-add-compatibility-checks-for-set_hw_resource_1.patch b/queue-6.15/drm-amdgpu-mes-add-compatibility-checks-for-set_hw_resource_1.patch new file mode 100644 index 0000000000..284bd057c2 --- /dev/null +++ b/queue-6.15/drm-amdgpu-mes-add-compatibility-checks-for-set_hw_resource_1.patch @@ -0,0 +1,58 @@ +From 99579c55c3d6132a5236926652c0a72a526b809d Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 20 May 2025 10:02:14 -0400 +Subject: drm/amdgpu/mes: add compatibility checks for set_hw_resource_1 + +From: Alex Deucher + +commit 99579c55c3d6132a5236926652c0a72a526b809d upstream. + +Seems some older MES firmware versions do not properly support +this packet. Add back some the compatibility checks. + +v2: switch to fw version check (Shaoyun) + +Fixes: f81cd793119e ("drm/amd/amdgpu: Fix MES init sequence") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4295 +Cc: Shaoyun Liu +Reviewed-by: shaoyun.liu +Signed-off-by: Alex Deucher +(cherry picked from commit 0180e0a5dd5c6ff118043ee42dbbbddaf881f283) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 10 ++++++---- + drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 3 ++- + 2 files changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c +@@ -1649,10 +1649,12 @@ static int mes_v11_0_hw_init(struct amdg + if (r) + goto failure; + +- r = mes_v11_0_set_hw_resources_1(&adev->mes); +- if (r) { +- DRM_ERROR("failed mes_v11_0_set_hw_resources_1, r=%d\n", r); +- goto failure; ++ if ((adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x50) { ++ r = mes_v11_0_set_hw_resources_1(&adev->mes); ++ if (r) { ++ DRM_ERROR("failed mes_v11_0_set_hw_resources_1, r=%d\n", r); ++ goto failure; ++ } + } + + r = mes_v11_0_query_sched_status(&adev->mes); +--- a/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mes_v12_0.c +@@ -1761,7 +1761,8 @@ static int mes_v12_0_hw_init(struct amdg + if (r) + goto failure; + +- mes_v12_0_set_hw_resources_1(&adev->mes, AMDGPU_MES_SCHED_PIPE); ++ if ((adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) >= 0x4b) ++ mes_v12_0_set_hw_resources_1(&adev->mes, AMDGPU_MES_SCHED_PIPE); + + mes_v12_0_init_aggregated_doorbell(&adev->mes); + diff --git a/queue-6.15/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch b/queue-6.15/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch new file mode 100644 index 0000000000..8163475e68 --- /dev/null +++ b/queue-6.15/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch @@ -0,0 +1,50 @@ +From a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Thu, 5 Jun 2025 11:28:46 +0300 +Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Imre Deak + +commit a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 upstream. + +Reading DPCD registers has side-effects in general. In particular +accessing registers outside of the link training register range +(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly +forbidden by the DP v2.1 Standard, see + +3.6.5.1 DPTX AUX Transaction Handling Mandates +3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates + +Based on my tests, accessing the DPCD_REV register during the link +training of an UHBR TBT DP tunnel sink leads to link training failures. + +Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the +DPCD register access quirk. + +Cc: +Cc: Ville Syrjälä +Cc: Jani Nikula +Acked-by: Jani Nikula +Signed-off-by: Imre Deak +Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com +(cherry picked from commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/display/drm_dp_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/display/drm_dp_helper.c ++++ b/drivers/gpu/drm/display/drm_dp_helper.c +@@ -723,7 +723,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a + * monitor doesn't power down exactly after the throw away read. + */ + if (!aux->is_remote) { +- ret = drm_dp_dpcd_probe(aux, DP_DPCD_REV); ++ ret = drm_dp_dpcd_probe(aux, DP_LANE0_1_STATUS); + if (ret < 0) + return ret; + } diff --git a/queue-6.15/drm-i915-snps_hdmi_pll-fix-64-bit-divisor-truncation-by-using-div64_u64.patch b/queue-6.15/drm-i915-snps_hdmi_pll-fix-64-bit-divisor-truncation-by-using-div64_u64.patch new file mode 100644 index 0000000000..656be5e324 --- /dev/null +++ b/queue-6.15/drm-i915-snps_hdmi_pll-fix-64-bit-divisor-truncation-by-using-div64_u64.patch @@ -0,0 +1,55 @@ +From 9205999e9f13a07cb29d5a8836c25afdca186007 Mon Sep 17 00:00:00 2001 +From: Ankit Nautiyal +Date: Wed, 18 Jun 2025 18:39:50 +0530 +Subject: drm/i915/snps_hdmi_pll: Fix 64-bit divisor truncation by using div64_u64 + +From: Ankit Nautiyal + +commit 9205999e9f13a07cb29d5a8836c25afdca186007 upstream. + +DIV_ROUND_CLOSEST_ULL uses do_div(), which expects a 32-bit divisor. +When passing a 64-bit constant like CURVE2_MULTIPLIER, the value is +silently truncated to u32, potentially leading to incorrect results +on large divisors. + +Replace DIV_ROUND_CLOSEST_ULL with DIV64_U64_ROUND_CLOSEST which correctly +handles full 64-bit division. + +v2: Use DIV64_U64_ROUND_CLOSEST instead of div64_u64 macro. (Jani) + +Fixes: 5947642004bf ("drm/i915/display: Add support for SNPS PHY HDMI PLL algorithm for DG2") +Reported-by: Vas Novikov +Closes: https://lore.kernel.org/all/8d7c7958-9558-4c8a-a81a-e9310f2d8852@gmail.com/ +Cc: Ankit Nautiyal +Cc: Suraj Kandpal +Cc: Jani Nikula +Cc: Vas Novikov +Cc: stable@vger.kernel.org # v6.15+ +Reviewed-by: Jani Nikula +Signed-off-by: Ankit Nautiyal +Link: https://lore.kernel.org/r/20250618130951.1596587-2-ankit.k.nautiyal@intel.com +(cherry picked from commit b300a175a11e6a934d728317dc39787723cc7917) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c b/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c +index 74bb3bedf30f..5111bdc3075b 100644 +--- a/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c ++++ b/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c +@@ -103,8 +103,8 @@ static void get_ana_cp_int_prop(u64 vco_clk, + DIV_ROUND_DOWN_ULL(curve_1_interpolated, CURVE0_MULTIPLIER))); + + ana_cp_int_temp = +- DIV_ROUND_CLOSEST_ULL(DIV_ROUND_DOWN_ULL(adjusted_vco_clk1, curve_2_scaled1), +- CURVE2_MULTIPLIER); ++ DIV64_U64_ROUND_CLOSEST(DIV_ROUND_DOWN_ULL(adjusted_vco_clk1, curve_2_scaled1), ++ CURVE2_MULTIPLIER); + + *ana_cp_int = max(1, min(ana_cp_int_temp, 127)); + +-- +2.50.0 + diff --git a/queue-6.15/drm-xe-display-add-check-for-alloc_ordered_workqueue.patch b/queue-6.15/drm-xe-display-add-check-for-alloc_ordered_workqueue.patch new file mode 100644 index 0000000000..497ae99c5f --- /dev/null +++ b/queue-6.15/drm-xe-display-add-check-for-alloc_ordered_workqueue.patch @@ -0,0 +1,39 @@ +From 62207293479e6c03ef498a70f2914c51f4d31d2c Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Fri, 16 May 2025 15:16:55 +0300 +Subject: drm/xe/display: Add check for alloc_ordered_workqueue() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haoxiang Li + +commit 62207293479e6c03ef498a70f2914c51f4d31d2c upstream. + +Add check for the return value of alloc_ordered_workqueue() +in xe_display_create() to catch potential exception. + +Fixes: 44e694958b95 ("drm/xe/display: Implement display support") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Reviewed-by: Matthew Auld +Link: https://lore.kernel.org/r/4ee1b0e5d1626ce1dde2e82af05c2edaed50c3aa.1747397638.git.jani.nikula@intel.com +Signed-off-by: Jani Nikula +(cherry picked from commit 5b62d63395d5b7d4094e7cd380bccae4b25415cb) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/display/xe_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/xe/display/xe_display.c ++++ b/drivers/gpu/drm/xe/display/xe_display.c +@@ -104,6 +104,8 @@ int xe_display_create(struct xe_device * + spin_lock_init(&xe->display.fb_tracking.lock); + + xe->display.hotplug.dp_wq = alloc_ordered_workqueue("xe-dp", 0); ++ if (!xe->display.hotplug.dp_wq) ++ return -ENOMEM; + + return drmm_add_action_or_reset(&xe->drm, display_destroy, NULL); + } diff --git a/queue-6.15/drm-xe-move-dpt-l2-flush-to-a-more-sensible-place.patch b/queue-6.15/drm-xe-move-dpt-l2-flush-to-a-more-sensible-place.patch new file mode 100644 index 0000000000..f7743ef4f6 --- /dev/null +++ b/queue-6.15/drm-xe-move-dpt-l2-flush-to-a-more-sensible-place.patch @@ -0,0 +1,51 @@ +From f16873f42a06b620669d48a4b5c3f888cb3653a1 Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Fri, 6 Jun 2025 11:45:48 +0100 +Subject: drm/xe: move DPT l2 flush to a more sensible place +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +commit f16873f42a06b620669d48a4b5c3f888cb3653a1 upstream. + +Only need the flush for DPT host updates here. Normal GGTT updates don't +need special flush. + +Fixes: 01570b446939 ("drm/xe/bmg: implement Wa_16023588340") +Signed-off-by: Matthew Auld +Cc: Maarten Lankhorst +Cc: stable@vger.kernel.org # v6.12+ +Reviewed-by: Ville Syrjälä +Reviewed-by: Lucas De Marchi +Link: https://lore.kernel.org/r/20250606104546.1996818-4-matthew.auld@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit 35db1da40c8cfd7511dc42f342a133601eb45449) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/display/xe_fb_pin.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/xe/display/xe_fb_pin.c ++++ b/drivers/gpu/drm/xe/display/xe_fb_pin.c +@@ -164,6 +164,9 @@ static int __xe_pin_fb_vma_dpt(const str + + vma->dpt = dpt; + vma->node = dpt->ggtt_node[tile0->id]; ++ ++ /* Ensure DPT writes are flushed */ ++ xe_device_l2_flush(xe); + return 0; + } + +@@ -333,8 +336,6 @@ static struct i915_vma *__xe_pin_fb_vma( + if (ret) + goto err_unpin; + +- /* Ensure DPT writes are flushed */ +- xe_device_l2_flush(xe); + return vma; + + err_unpin: diff --git a/queue-6.15/drm-xe-move-dsb-l2-flush-to-a-more-sensible-place.patch b/queue-6.15/drm-xe-move-dsb-l2-flush-to-a-more-sensible-place.patch new file mode 100644 index 0000000000..35cb7f7bca --- /dev/null +++ b/queue-6.15/drm-xe-move-dsb-l2-flush-to-a-more-sensible-place.patch @@ -0,0 +1,71 @@ +From a4b1b51ae132ac199412028a2df7b6c267888190 Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Fri, 6 Jun 2025 11:45:47 +0100 +Subject: drm/xe: Move DSB l2 flush to a more sensible place +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maarten Lankhorst + +commit a4b1b51ae132ac199412028a2df7b6c267888190 upstream. + +Flushing l2 is only needed after all data has been written. + +Fixes: 01570b446939 ("drm/xe/bmg: implement Wa_16023588340") +Signed-off-by: Maarten Lankhorst +Cc: Matthew Auld +Cc: stable@vger.kernel.org # v6.12+ +Reviewed-by: Matthew Auld +Signed-off-by: Matthew Auld +Reviewed-by: Lucas De Marchi +Reviewed-by: Ville Syrjälä +Link: https://lore.kernel.org/r/20250606104546.1996818-3-matthew.auld@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit 0dd2dd0182bc444a62652e89d08c7f0e4fde15ba) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/display/xe_dsb_buffer.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/xe/display/xe_dsb_buffer.c ++++ b/drivers/gpu/drm/xe/display/xe_dsb_buffer.c +@@ -17,10 +17,7 @@ u32 intel_dsb_buffer_ggtt_offset(struct + + void intel_dsb_buffer_write(struct intel_dsb_buffer *dsb_buf, u32 idx, u32 val) + { +- struct xe_device *xe = dsb_buf->vma->bo->tile->xe; +- + iosys_map_wr(&dsb_buf->vma->bo->vmap, idx * 4, u32, val); +- xe_device_l2_flush(xe); + } + + u32 intel_dsb_buffer_read(struct intel_dsb_buffer *dsb_buf, u32 idx) +@@ -30,12 +27,9 @@ u32 intel_dsb_buffer_read(struct intel_d + + void intel_dsb_buffer_memset(struct intel_dsb_buffer *dsb_buf, u32 idx, u32 val, size_t size) + { +- struct xe_device *xe = dsb_buf->vma->bo->tile->xe; +- + WARN_ON(idx > (dsb_buf->buf_size - size) / sizeof(*dsb_buf->cmd_buf)); + + iosys_map_memset(&dsb_buf->vma->bo->vmap, idx * 4, val, size); +- xe_device_l2_flush(xe); + } + + bool intel_dsb_buffer_create(struct intel_crtc *crtc, struct intel_dsb_buffer *dsb_buf, size_t size) +@@ -74,9 +68,12 @@ void intel_dsb_buffer_cleanup(struct int + + void intel_dsb_buffer_flush_map(struct intel_dsb_buffer *dsb_buf) + { ++ struct xe_device *xe = dsb_buf->vma->bo->tile->xe; ++ + /* + * The memory barrier here is to ensure coherency of DSB vs MMIO, + * both for weak ordering archs and discrete cards. + */ +- xe_device_wmb(dsb_buf->vma->bo->tile->xe); ++ xe_device_wmb(xe); ++ xe_device_l2_flush(xe); + } diff --git a/queue-6.15/fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch b/queue-6.15/fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch new file mode 100644 index 0000000000..75248d05b2 --- /dev/null +++ b/queue-6.15/fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch @@ -0,0 +1,39 @@ +From 4a5e85f4eb8fd18b1266342d100e4f0849544ca0 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Tue, 17 Jun 2025 16:35:32 +0200 +Subject: fs/proc/task_mmu: fix PAGE_IS_PFNZERO detection for the huge zero folio + +From: David Hildenbrand + +commit 4a5e85f4eb8fd18b1266342d100e4f0849544ca0 upstream. + +is_zero_pfn() does not work for the huge zero folio. Fix it by using +is_huge_zero_pmd(). + +This can cause the PAGEMAP_SCAN ioctl against /proc/pid/pagemap to +present pages as PAGE_IS_PRESENT rather than as PAGE_IS_PFNZERO. + +Found by code inspection. + +Link: https://lkml.kernel.org/r/20250617143532.2375383-1-david@redhat.com +Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") +Signed-off-by: David Hildenbrand +Cc: Muhammad Usama Anjum +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/task_mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -2179,7 +2179,7 @@ static unsigned long pagemap_thp_categor + categories |= PAGE_IS_FILE; + } + +- if (is_zero_pfn(pmd_pfn(pmd))) ++ if (is_huge_zero_pmd(pmd)) + categories |= PAGE_IS_PFNZERO; + if (pmd_soft_dirty(pmd)) + categories |= PAGE_IS_SOFT_DIRTY; diff --git a/queue-6.15/fuse-fix-runtime-warning-on-truncate_folio_batch_exceptionals.patch b/queue-6.15/fuse-fix-runtime-warning-on-truncate_folio_batch_exceptionals.patch new file mode 100644 index 0000000000..9ec79f0fd5 --- /dev/null +++ b/queue-6.15/fuse-fix-runtime-warning-on-truncate_folio_batch_exceptionals.patch @@ -0,0 +1,108 @@ +From befd9a71d859ea625eaa84dae1b243efb3df3eca Mon Sep 17 00:00:00 2001 +From: Haiyue Wang +Date: Sun, 22 Jun 2025 01:13:51 +0800 +Subject: fuse: fix runtime warning on truncate_folio_batch_exceptionals() + +From: Haiyue Wang + +commit befd9a71d859ea625eaa84dae1b243efb3df3eca upstream. + +The WARN_ON_ONCE is introduced on truncate_folio_batch_exceptionals() to +capture whether the filesystem has removed all DAX entries or not. + +And the fix has been applied on the filesystem xfs and ext4 by the commit +0e2f80afcfa6 ("fs/dax: ensure all pages are idle prior to filesystem +unmount"). + +Apply the missed fix on filesystem fuse to fix the runtime warning: + +[ 2.011450] ------------[ cut here ]------------ +[ 2.011873] WARNING: CPU: 0 PID: 145 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0x272/0x2b0 +[ 2.012468] Modules linked in: +[ 2.012718] CPU: 0 UID: 1000 PID: 145 Comm: weston Not tainted 6.16.0-rc2-WSL2-STABLE #2 PREEMPT(undef) +[ 2.013292] RIP: 0010:truncate_folio_batch_exceptionals+0x272/0x2b0 +[ 2.013704] Code: 48 63 d0 41 29 c5 48 8d 1c d5 00 00 00 00 4e 8d 6c 2a 01 49 c1 e5 03 eb 09 48 83 c3 08 49 39 dd 74 83 41 f6 44 1c 08 01 74 ef <0f> 0b 49 8b 34 1e 48 89 ef e8 10 a2 17 00 eb df 48 8b 7d 00 e8 35 +[ 2.014845] RSP: 0018:ffffa47ec33f3b10 EFLAGS: 00010202 +[ 2.015279] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 2.015884] RDX: 0000000000000000 RSI: ffffa47ec33f3ca0 RDI: ffff98aa44f3fa80 +[ 2.016377] RBP: ffff98aa44f3fbf0 R08: ffffa47ec33f3ba8 R09: 0000000000000000 +[ 2.016942] R10: 0000000000000001 R11: 0000000000000000 R12: ffffa47ec33f3ca0 +[ 2.017437] R13: 0000000000000008 R14: ffffa47ec33f3ba8 R15: 0000000000000000 +[ 2.017972] FS: 000079ce006afa40(0000) GS:ffff98aade441000(0000) knlGS:0000000000000000 +[ 2.018510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2.018987] CR2: 000079ce03e74000 CR3: 000000010784f006 CR4: 0000000000372eb0 +[ 2.019518] Call Trace: +[ 2.019729] +[ 2.019901] truncate_inode_pages_range+0xd8/0x400 +[ 2.020280] ? timerqueue_add+0x66/0xb0 +[ 2.020574] ? get_nohz_timer_target+0x2a/0x140 +[ 2.020904] ? timerqueue_add+0x66/0xb0 +[ 2.021231] ? timerqueue_del+0x2e/0x50 +[ 2.021646] ? __remove_hrtimer+0x39/0x90 +[ 2.022017] ? srso_alias_untrain_ret+0x1/0x10 +[ 2.022497] ? psi_group_change+0x136/0x350 +[ 2.023046] ? _raw_spin_unlock+0xe/0x30 +[ 2.023514] ? finish_task_switch.isra.0+0x8d/0x280 +[ 2.024068] ? __schedule+0x532/0xbd0 +[ 2.024551] fuse_evict_inode+0x29/0x190 +[ 2.025131] evict+0x100/0x270 +[ 2.025641] ? _atomic_dec_and_lock+0x39/0x50 +[ 2.026316] ? __pfx_generic_delete_inode+0x10/0x10 +[ 2.026843] __dentry_kill+0x71/0x180 +[ 2.027335] dput+0xeb/0x1b0 +[ 2.027725] __fput+0x136/0x2b0 +[ 2.028054] __x64_sys_close+0x3d/0x80 +[ 2.028469] do_syscall_64+0x6d/0x1b0 +[ 2.028832] ? clear_bhb_loop+0x30/0x80 +[ 2.029182] ? clear_bhb_loop+0x30/0x80 +[ 2.029533] ? clear_bhb_loop+0x30/0x80 +[ 2.029902] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 2.030423] RIP: 0033:0x79ce03d0d067 +[ 2.030820] Code: b8 ff ff ff ff e9 3e ff ff ff 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 c3 a7 f8 ff +[ 2.032354] RSP: 002b:00007ffef0498948 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 +[ 2.032939] RAX: ffffffffffffffda RBX: 00007ffef0498960 RCX: 000079ce03d0d067 +[ 2.033612] RDX: 0000000000000003 RSI: 0000000000001000 RDI: 000000000000000d +[ 2.034289] RBP: 00007ffef0498a30 R08: 000000000000000d R09: 0000000000000000 +[ 2.034944] R10: 00007ffef0498978 R11: 0000000000000246 R12: 0000000000000001 +[ 2.035610] R13: 00007ffef0498960 R14: 000079ce03e09ce0 R15: 0000000000000003 +[ 2.036301] +[ 2.036532] ---[ end trace 0000000000000000 ]--- + +Link: https://lkml.kernel.org/r/20250621171507.3770-1-haiyuewa@163.com +Fixes: bde708f1a65d ("fs/dax: always remove DAX page-cache entries when breaking layouts") +Signed-off-by: Haiyue Wang +Cc: Alistair Popple +Cc: Dan Williams +Cc: Miklos Szeredi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c +index bfe8d8af46f3..9572bdef49ee 100644 +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -9,6 +9,7 @@ + #include "fuse_i.h" + #include "dev_uring_i.h" + ++#include + #include + #include + #include +@@ -162,6 +163,9 @@ static void fuse_evict_inode(struct inode *inode) + /* Will write inode on close/munmap and in all other dirtiers */ + WARN_ON(inode->i_state & I_DIRTY_INODE); + ++ if (FUSE_IS_DAX(inode)) ++ dax_break_layout_final(inode); ++ + truncate_inode_pages_final(&inode->i_data); + clear_inode(inode); + if (inode->i_sb->s_flags & SB_ACTIVE) { +-- +2.50.0 + diff --git a/queue-6.15/i2c-imx-fix-emulated-smbus-block-read.patch b/queue-6.15/i2c-imx-fix-emulated-smbus-block-read.patch new file mode 100644 index 0000000000..87ecc1fdef --- /dev/null +++ b/queue-6.15/i2c-imx-fix-emulated-smbus-block-read.patch @@ -0,0 +1,64 @@ +From a5d0b9e32745277644cda8d7d334e7080bd339bf Mon Sep 17 00:00:00 2001 +From: Lukasz Kucharczyk +Date: Tue, 20 May 2025 14:22:52 +0200 +Subject: i2c: imx: fix emulated smbus block read + +From: Lukasz Kucharczyk + +commit a5d0b9e32745277644cda8d7d334e7080bd339bf upstream. + +Acknowledge the byte count submitted by the target. +When I2C_SMBUS_BLOCK_DATA read operation is executed by +i2c_smbus_xfer_emulated(), the length of the second (read) message is set +to 1. Length of the block is supposed to be obtained from the target by the +underlying bus driver. +The i2c_imx_isr_read() function should emit the acknowledge on i2c bus +after reading the first byte (i.e., byte count) while processing such +message (as defined in Section 6.5.7 of System Management Bus +Specification [1]). Without this acknowledge, the target does not submit +subsequent bytes and the controller only reads 0xff's. + +In addition, store the length of block data obtained from the target in +the buffer provided by i2c_smbus_xfer_emulated() - otherwise the first +byte of actual data is erroneously interpreted as length of the data +block. + +[1] https://smbus.org/specs/SMBus_3_3_20240512.pdf + +Fixes: 5f5c2d4579ca ("i2c: imx: prevent rescheduling in non dma mode") +Signed-off-by: Lukasz Kucharczyk +Cc: # v6.13+ +Acked-by: Oleksij Rempel +Reviewed-by: Stefan Eichenberger +Reviewed-by: Carlos Song +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20250520122252.1475403-1-lukasz.kucharczyk@leica-geosystems.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-imx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c +index e5732b0557fb..205cc132fdec 100644 +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -1008,7 +1008,7 @@ static inline int i2c_imx_isr_read(struct imx_i2c_struct *i2c_imx) + /* setup bus to read data */ + temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR); + temp &= ~I2CR_MTX; +- if (i2c_imx->msg->len - 1) ++ if ((i2c_imx->msg->len - 1) || (i2c_imx->msg->flags & I2C_M_RECV_LEN)) + temp &= ~I2CR_TXAK; + + imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR); +@@ -1063,6 +1063,7 @@ static inline void i2c_imx_isr_read_block_data_len(struct imx_i2c_struct *i2c_im + wake_up(&i2c_imx->queue); + } + i2c_imx->msg->len += len; ++ i2c_imx->msg->buf[i2c_imx->msg_buf_idx++] = len; + } + + static irqreturn_t i2c_imx_master_isr(struct imx_i2c_struct *i2c_imx, unsigned int status) +-- +2.50.0 + diff --git a/queue-6.15/i2c-omap-fix-an-error-handling-path-in-omap_i2c_probe.patch b/queue-6.15/i2c-omap-fix-an-error-handling-path-in-omap_i2c_probe.patch new file mode 100644 index 0000000000..d7048c3a1e --- /dev/null +++ b/queue-6.15/i2c-omap-fix-an-error-handling-path-in-omap_i2c_probe.patch @@ -0,0 +1,55 @@ +From 666c23af755dccca8c25b5d5200ca28153c69a05 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 14 Jun 2025 16:59:26 +0200 +Subject: i2c: omap: Fix an error handling path in omap_i2c_probe() + +From: Christophe JAILLET + +commit 666c23af755dccca8c25b5d5200ca28153c69a05 upstream. + +If an error occurs after calling mux_state_select(), mux_state_deselect() +should be called as already done in the remove function. + +Fixes: b6ef830c60b6 ("i2c: omap: Add support for setting mux") +Signed-off-by: Christophe JAILLET +Cc: # v6.15+ +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/998542981b6d2435c057dd8b9fe71743927babab.1749913149.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-omap.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-omap.c b/drivers/i2c/busses/i2c-omap.c +index f1cc26ac5b80..8b01df3cc8e9 100644 +--- a/drivers/i2c/busses/i2c-omap.c ++++ b/drivers/i2c/busses/i2c-omap.c +@@ -1461,13 +1461,13 @@ omap_i2c_probe(struct platform_device *pdev) + if (IS_ERR(mux_state)) { + r = PTR_ERR(mux_state); + dev_dbg(&pdev->dev, "failed to get I2C mux: %d\n", r); +- goto err_disable_pm; ++ goto err_put_pm; + } + omap->mux_state = mux_state; + r = mux_state_select(omap->mux_state); + if (r) { + dev_err(&pdev->dev, "failed to select I2C mux: %d\n", r); +- goto err_disable_pm; ++ goto err_put_pm; + } + } + +@@ -1515,6 +1515,9 @@ omap_i2c_probe(struct platform_device *pdev) + + err_unuse_clocks: + omap_i2c_write_reg(omap, OMAP_I2C_CON_REG, 0); ++ if (omap->mux_state) ++ mux_state_deselect(omap->mux_state); ++err_put_pm: + pm_runtime_dont_use_autosuspend(omap->dev); + pm_runtime_put_sync(omap->dev); + err_disable_pm: +-- +2.50.0 + diff --git a/queue-6.15/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch b/queue-6.15/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch new file mode 100644 index 0000000000..f80fc3674c --- /dev/null +++ b/queue-6.15/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch @@ -0,0 +1,47 @@ +From 56ad91c1aa9c18064348edf69308080b03c9dc48 Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Thu, 22 May 2025 08:42:35 +0200 +Subject: i2c: robotfuzz-osif: disable zero-length read messages + +From: Wolfram Sang + +commit 56ad91c1aa9c18064348edf69308080b03c9dc48 upstream. + +This driver passes the length of an i2c_msg directly to +usb_control_msg(). If the message is now a read and of length 0, it +violates the USB protocol and a warning will be printed. Enable the +I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length +read messages altogether. + +Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.") +Signed-off-by: Wolfram Sang +Cc: # v3.14+ +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20250522064234.3721-2-wsa+renesas@sang-engineering.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c ++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c +@@ -111,6 +111,11 @@ static u32 osif_func(struct i2c_adapter + return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL; + } + ++/* prevent invalid 0-length usb_control_msg */ ++static const struct i2c_adapter_quirks osif_quirks = { ++ .flags = I2C_AQ_NO_ZERO_LEN_READ, ++}; ++ + static const struct i2c_algorithm osif_algorithm = { + .xfer = osif_xfer, + .functionality = osif_func, +@@ -143,6 +148,7 @@ static int osif_probe(struct usb_interfa + + priv->adapter.owner = THIS_MODULE; + priv->adapter.class = I2C_CLASS_HWMON; ++ priv->adapter.quirks = &osif_quirks; + priv->adapter.algo = &osif_algorithm; + priv->adapter.algo_data = priv; + snprintf(priv->adapter.name, sizeof(priv->adapter.name), diff --git a/queue-6.15/i2c-tiny-usb-disable-zero-length-read-messages.patch b/queue-6.15/i2c-tiny-usb-disable-zero-length-read-messages.patch new file mode 100644 index 0000000000..dd174a4726 --- /dev/null +++ b/queue-6.15/i2c-tiny-usb-disable-zero-length-read-messages.patch @@ -0,0 +1,47 @@ +From cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Thu, 22 May 2025 08:43:49 +0200 +Subject: i2c: tiny-usb: disable zero-length read messages + +From: Wolfram Sang + +commit cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 upstream. + +This driver passes the length of an i2c_msg directly to +usb_control_msg(). If the message is now a read and of length 0, it +violates the USB protocol and a warning will be printed. Enable the +I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length +read messages altogether. + +Fixes: e8c76eed2ecd ("i2c: New i2c-tiny-usb bus driver") +Signed-off-by: Wolfram Sang +Cc: # v2.6.22+ +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20250522064349.3823-2-wsa+renesas@sang-engineering.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-tiny-usb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/i2c/busses/i2c-tiny-usb.c ++++ b/drivers/i2c/busses/i2c-tiny-usb.c +@@ -138,6 +138,11 @@ out: + return ret; + } + ++/* prevent invalid 0-length usb_control_msg */ ++static const struct i2c_adapter_quirks usb_quirks = { ++ .flags = I2C_AQ_NO_ZERO_LEN_READ, ++}; ++ + /* This is the actual algorithm we define */ + static const struct i2c_algorithm usb_algorithm = { + .xfer = usb_xfer, +@@ -246,6 +251,7 @@ static int i2c_tiny_usb_probe(struct usb + /* setup i2c adapter description */ + dev->adapter.owner = THIS_MODULE; + dev->adapter.class = I2C_CLASS_HWMON; ++ dev->adapter.quirks = &usb_quirks; + dev->adapter.algo = &usb_algorithm; + dev->adapter.algo_data = dev; + snprintf(dev->adapter.name, sizeof(dev->adapter.name), diff --git a/queue-6.15/io_uring-don-t-assume-uaddr-alignment-in-io_vec_fill_bvec.patch b/queue-6.15/io_uring-don-t-assume-uaddr-alignment-in-io_vec_fill_bvec.patch new file mode 100644 index 0000000000..61bf97f8ed --- /dev/null +++ b/queue-6.15/io_uring-don-t-assume-uaddr-alignment-in-io_vec_fill_bvec.patch @@ -0,0 +1,54 @@ +From e1d7727b73a1f78035316ac35ee184d477059f0b Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Tue, 24 Jun 2025 14:40:35 +0100 +Subject: io_uring: don't assume uaddr alignment in io_vec_fill_bvec + +From: Pavel Begunkov + +commit e1d7727b73a1f78035316ac35ee184d477059f0b upstream. + +There is no guaranteed alignment for user pointers. Don't use mask +trickery and adjust the offset by bv_offset. + +Cc: stable@vger.kernel.org +Reported-by: David Hildenbrand +Fixes: 9ef4cbbcb4ac3 ("io_uring: add infra for importing vectored reg buffers") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/io-uring/19530391f5c361a026ac9b401ff8e123bde55d98.1750771718.git.asml.silence@gmail.com/ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/rsrc.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c +index afc67530f912..f2b31fb68992 100644 +--- a/io_uring/rsrc.c ++++ b/io_uring/rsrc.c +@@ -1339,7 +1339,6 @@ static int io_vec_fill_bvec(int ddir, struct iov_iter *iter, + { + unsigned long folio_size = 1 << imu->folio_shift; + unsigned long folio_mask = folio_size - 1; +- u64 folio_addr = imu->ubuf & ~folio_mask; + struct bio_vec *res_bvec = vec->bvec; + size_t total_len = 0; + unsigned bvec_idx = 0; +@@ -1361,8 +1360,13 @@ static int io_vec_fill_bvec(int ddir, struct iov_iter *iter, + if (unlikely(check_add_overflow(total_len, iov_len, &total_len))) + return -EOVERFLOW; + +- /* by using folio address it also accounts for bvec offset */ +- offset = buf_addr - folio_addr; ++ offset = buf_addr - imu->ubuf; ++ /* ++ * Only the first bvec can have non zero bv_offset, account it ++ * here and work with full folios below. ++ */ ++ offset += imu->bvec[0].bv_offset; ++ + src_bvec = imu->bvec + (offset >> imu->folio_shift); + offset &= folio_mask; + +-- +2.50.0 + diff --git a/queue-6.15/io_uring-rsrc-don-t-rely-on-user-vaddr-alignment.patch b/queue-6.15/io_uring-rsrc-don-t-rely-on-user-vaddr-alignment.patch new file mode 100644 index 0000000000..753c325a4d --- /dev/null +++ b/queue-6.15/io_uring-rsrc-don-t-rely-on-user-vaddr-alignment.patch @@ -0,0 +1,58 @@ +From 3a3c6d61577dbb23c09df3e21f6f9eda1ecd634b Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Tue, 24 Jun 2025 14:40:34 +0100 +Subject: io_uring/rsrc: don't rely on user vaddr alignment + +From: Pavel Begunkov + +commit 3a3c6d61577dbb23c09df3e21f6f9eda1ecd634b upstream. + +There is no guaranteed alignment for user pointers, however the +calculation of an offset of the first page into a folio after coalescing +uses some weird bit mask logic, get rid of it. + +Cc: stable@vger.kernel.org +Reported-by: David Hildenbrand +Fixes: a8edbb424b139 ("io_uring/rsrc: enable multi-hugepage buffer coalescing") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/io-uring/e387b4c78b33f231105a601d84eefd8301f57954.1750771718.git.asml.silence@gmail.com/ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/rsrc.c | 7 ++++++- + io_uring/rsrc.h | 1 + + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/io_uring/rsrc.c ++++ b/io_uring/rsrc.c +@@ -738,6 +738,7 @@ bool io_check_coalesce_buffer(struct pag + + data->nr_pages_mid = folio_nr_pages(folio); + data->folio_shift = folio_shift(folio); ++ data->first_folio_page_idx = folio_page_idx(folio, page_array[0]); + + /* + * Check if pages are contiguous inside a folio, and all folios have +@@ -831,7 +832,11 @@ static struct io_rsrc_node *io_sqe_buffe + if (coalesced) + imu->folio_shift = data.folio_shift; + refcount_set(&imu->refs, 1); +- off = (unsigned long) iov->iov_base & ((1UL << imu->folio_shift) - 1); ++ ++ off = (unsigned long)iov->iov_base & ~PAGE_MASK; ++ if (coalesced) ++ off += data.first_folio_page_idx << PAGE_SHIFT; ++ + node->buf = imu; + ret = 0; + +--- a/io_uring/rsrc.h ++++ b/io_uring/rsrc.h +@@ -49,6 +49,7 @@ struct io_imu_folio_data { + unsigned int nr_pages_mid; + unsigned int folio_shift; + unsigned int nr_folios; ++ unsigned long first_folio_page_idx; + }; + + bool io_rsrc_cache_init(struct io_ring_ctx *ctx); diff --git a/queue-6.15/io_uring-rsrc-fix-folio-unpinning.patch b/queue-6.15/io_uring-rsrc-fix-folio-unpinning.patch new file mode 100644 index 0000000000..942c04e440 --- /dev/null +++ b/queue-6.15/io_uring-rsrc-fix-folio-unpinning.patch @@ -0,0 +1,77 @@ +From 5afb4bf9fc62d828647647ec31745083637132e4 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Tue, 24 Jun 2025 14:40:33 +0100 +Subject: io_uring/rsrc: fix folio unpinning + +From: Pavel Begunkov + +commit 5afb4bf9fc62d828647647ec31745083637132e4 upstream. + +syzbot complains about an unmapping failure: + +[ 108.070381][ T14] kernel BUG at mm/gup.c:71! +[ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP +[ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025 +[ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work +[ 108.174205][ T14] Call trace: +[ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7d0 (P) +[ 108.178138][ T14] unpin_user_page+0x80/0x10c +[ 108.180189][ T14] io_release_ubuf+0x84/0xf8 +[ 108.182196][ T14] io_free_rsrc_node+0x250/0x57c +[ 108.184345][ T14] io_rsrc_data_free+0x148/0x298 +[ 108.186493][ T14] io_sqe_buffers_unregister+0x84/0xa0 +[ 108.188991][ T14] io_ring_ctx_free+0x48/0x480 +[ 108.191057][ T14] io_ring_exit_work+0x764/0x7d8 +[ 108.193207][ T14] process_one_work+0x7e8/0x155c +[ 108.195431][ T14] worker_thread+0x958/0xed8 +[ 108.197561][ T14] kthread+0x5fc/0x75c +[ 108.199362][ T14] ret_from_fork+0x10/0x20 + +We can pin a tail page of a folio, but then io_uring will try to unpin +the head page of the folio. While it should be fine in terms of keeping +the page actually alive, mm folks say it's wrong and triggers a debug +warning. Use unpin_user_folio() instead of unpin_user_page*. + +Cc: stable@vger.kernel.org +Debugged-by: David Hildenbrand +Reported-by: syzbot+1d335893772467199ab6@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/683f1551.050a0220.55ceb.0017.GAE@google.com +Fixes: a8edbb424b139 ("io_uring/rsrc: enable multi-hugepage buffer coalescing") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/io-uring/a28b0f87339ac2acf14a645dad1e95bbcbf18acd.1750771718.git.asml.silence@gmail.com/ +[axboe: adapt to current tree, massage commit message] +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/rsrc.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/io_uring/rsrc.c ++++ b/io_uring/rsrc.c +@@ -112,8 +112,11 @@ static void io_release_ubuf(void *priv) + struct io_mapped_ubuf *imu = priv; + unsigned int i; + +- for (i = 0; i < imu->nr_bvecs; i++) +- unpin_user_page(imu->bvec[i].bv_page); ++ for (i = 0; i < imu->nr_bvecs; i++) { ++ struct folio *folio = page_folio(imu->bvec[i].bv_page); ++ ++ unpin_user_folio(folio, 1); ++ } + } + + static struct io_mapped_ubuf *io_alloc_imu(struct io_ring_ctx *ctx, +@@ -844,8 +847,10 @@ done: + if (ret) { + if (imu) + io_free_imu(ctx, imu); +- if (pages) +- unpin_user_pages(pages, nr_pages); ++ if (pages) { ++ for (i = 0; i < nr_pages; i++) ++ unpin_user_folio(page_folio(pages[i]), 1); ++ } + io_cache_free(&ctx->node_cache, node); + node = ERR_PTR(ret); + } diff --git a/queue-6.15/lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch b/queue-6.15/lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch new file mode 100644 index 0000000000..9ddea0e18e --- /dev/null +++ b/queue-6.15/lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch @@ -0,0 +1,85 @@ +From df831e97739405ecbaddb85516bc7d4d1c933d6b Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Thu, 19 Jun 2025 21:26:55 +0800 +Subject: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() + +From: Yu Kuai + +commit df831e97739405ecbaddb85516bc7d4d1c933d6b upstream. + +While testing null_blk with configfs, echo 0 > poll_queues will trigger +following panic: + +BUG: kernel NULL pointer dereference, address: 0000000000000010 +Oops: Oops: 0000 [#1] SMP NOPTI +CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 +RIP: 0010:__bitmap_or+0x48/0x70 +Call Trace: + + __group_cpus_evenly+0x822/0x8c0 + group_cpus_evenly+0x2d9/0x490 + blk_mq_map_queues+0x1e/0x110 + null_map_queues+0xc9/0x170 [null_blk] + blk_mq_update_queue_map+0xdb/0x160 + blk_mq_update_nr_hw_queues+0x22b/0x560 + nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] + nullb_device_poll_queues_store+0xa4/0x130 [null_blk] + configfs_write_iter+0x109/0x1d0 + vfs_write+0x26e/0x6f0 + ksys_write+0x79/0x180 + __x64_sys_write+0x1d/0x30 + x64_sys_call+0x45c4/0x45f0 + do_syscall_64+0xa5/0x240 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from +kcalloc(), and later ZERO_SIZE_PTR will be deferenced. + +Fix the problem by checking numgrps first in group_cpus_evenly(), and +return NULL directly if numgrps is zero. + +[yukuai3@huawei.com: also fix the non-SMP version] + Link: https://lkml.kernel.org/r/20250620010958.1265984-1-yukuai1@huaweicloud.com +Link: https://lkml.kernel.org/r/20250619132655.3318883-1-yukuai1@huaweicloud.com +Fixes: 6a6dcae8f486 ("blk-mq: Build default queue map via group_cpus_evenly()") +Signed-off-by: Yu Kuai +Reviewed-by: Ming Lei +Reviewed-by: Jens Axboe +Cc: ErKun Yang +Cc: John Garry +Cc: Thomas Gleinxer +Cc: "zhangyi (F)" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/group_cpus.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/lib/group_cpus.c ++++ b/lib/group_cpus.c +@@ -352,6 +352,9 @@ struct cpumask *group_cpus_evenly(unsign + int ret = -ENOMEM; + struct cpumask *masks = NULL; + ++ if (numgrps == 0) ++ return NULL; ++ + if (!zalloc_cpumask_var(&nmsk, GFP_KERNEL)) + return NULL; + +@@ -426,8 +429,12 @@ struct cpumask *group_cpus_evenly(unsign + #else /* CONFIG_SMP */ + struct cpumask *group_cpus_evenly(unsigned int numgrps) + { +- struct cpumask *masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL); ++ struct cpumask *masks; + ++ if (numgrps == 0) ++ return NULL; ++ ++ masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL); + if (!masks) + return NULL; + diff --git a/queue-6.15/loongarch-kvm-add-address-alignment-check-for-iocsr-emulation.patch b/queue-6.15/loongarch-kvm-add-address-alignment-check-for-iocsr-emulation.patch new file mode 100644 index 0000000000..fe2b0d4662 --- /dev/null +++ b/queue-6.15/loongarch-kvm-add-address-alignment-check-for-iocsr-emulation.patch @@ -0,0 +1,53 @@ +From 9159c5e733cfa35ec863fa81960a3e7435f831fb Mon Sep 17 00:00:00 2001 +From: Bibo Mao +Date: Fri, 27 Jun 2025 18:27:44 +0800 +Subject: LoongArch: KVM: Add address alignment check for IOCSR emulation + +From: Bibo Mao + +commit 9159c5e733cfa35ec863fa81960a3e7435f831fb upstream. + +IOCSR instruction supports 1/2/4/8 bytes access, the address should be +naturally aligned with its access size. Here address alignment check is +added in the EIOINTC kernel emulation. + +Cc: stable@vger.kernel.org +Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions") +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kvm/intc/eiointc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c +index 9c47456b805c..236cbf979167 100644 +--- a/arch/loongarch/kvm/intc/eiointc.c ++++ b/arch/loongarch/kvm/intc/eiointc.c +@@ -305,6 +305,11 @@ static int kvm_eiointc_read(struct kvm_vcpu *vcpu, + return -EINVAL; + } + ++ if (addr & (len - 1)) { ++ kvm_err("%s: eiointc not aligned addr %llx len %d\n", __func__, addr, len); ++ return -EINVAL; ++ } ++ + vcpu->kvm->stat.eiointc_read_exits++; + spin_lock_irqsave(&eiointc->lock, flags); + switch (len) { +@@ -676,6 +681,11 @@ static int kvm_eiointc_write(struct kvm_vcpu *vcpu, + return -EINVAL; + } + ++ if (addr & (len - 1)) { ++ kvm_err("%s: eiointc not aligned addr %llx len %d\n", __func__, addr, len); ++ return -EINVAL; ++ } ++ + vcpu->kvm->stat.eiointc_write_exits++; + spin_lock_irqsave(&eiointc->lock, flags); + switch (len) { +-- +2.50.0 + diff --git a/queue-6.15/loongarch-kvm-avoid-overflow-with-array-index.patch b/queue-6.15/loongarch-kvm-avoid-overflow-with-array-index.patch new file mode 100644 index 0000000000..4a3bc56893 --- /dev/null +++ b/queue-6.15/loongarch-kvm-avoid-overflow-with-array-index.patch @@ -0,0 +1,99 @@ +From 080e8d2ecdfde588897aa8a87a8884061f4dbbbb Mon Sep 17 00:00:00 2001 +From: Bibo Mao +Date: Thu, 26 Jun 2025 20:07:27 +0800 +Subject: LoongArch: KVM: Avoid overflow with array index + +From: Bibo Mao + +commit 080e8d2ecdfde588897aa8a87a8884061f4dbbbb upstream. + +The variable index is modified and reused as array index when modify +register EIOINTC_ENABLE. There will be array index overflow problem. + +Cc: stable@vger.kernel.org +Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions") +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kvm/intc/eiointc.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c +index f39929d7bf8a..9c47456b805c 100644 +--- a/arch/loongarch/kvm/intc/eiointc.c ++++ b/arch/loongarch/kvm/intc/eiointc.c +@@ -436,17 +436,16 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vcpu, + break; + case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END: + index = (offset - EIOINTC_ENABLE_START) >> 1; +- old_data = s->enable.reg_u32[index]; ++ old_data = s->enable.reg_u16[index]; + s->enable.reg_u16[index] = data; + /* + * 1: enable irq. + * update irq when isr is set. + */ + data = s->enable.reg_u16[index] & ~old_data & s->isr.reg_u16[index]; +- index = index << 1; + for (i = 0; i < sizeof(data); i++) { + u8 mask = (data >> (i * 8)) & 0xff; +- eiointc_enable_irq(vcpu, s, index + i, mask, 1); ++ eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 1); + } + /* + * 0: disable irq. +@@ -455,7 +454,7 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vcpu, + data = ~s->enable.reg_u16[index] & old_data & s->isr.reg_u16[index]; + for (i = 0; i < sizeof(data); i++) { + u8 mask = (data >> (i * 8)) & 0xff; +- eiointc_enable_irq(vcpu, s, index, mask, 0); ++ eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 0); + } + break; + case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: +@@ -529,10 +528,9 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vcpu, + * update irq when isr is set. + */ + data = s->enable.reg_u32[index] & ~old_data & s->isr.reg_u32[index]; +- index = index << 2; + for (i = 0; i < sizeof(data); i++) { + u8 mask = (data >> (i * 8)) & 0xff; +- eiointc_enable_irq(vcpu, s, index + i, mask, 1); ++ eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 1); + } + /* + * 0: disable irq. +@@ -541,7 +539,7 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vcpu, + data = ~s->enable.reg_u32[index] & old_data & s->isr.reg_u32[index]; + for (i = 0; i < sizeof(data); i++) { + u8 mask = (data >> (i * 8)) & 0xff; +- eiointc_enable_irq(vcpu, s, index, mask, 0); ++ eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 0); + } + break; + case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: +@@ -615,10 +613,9 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vcpu, + * update irq when isr is set. + */ + data = s->enable.reg_u64[index] & ~old_data & s->isr.reg_u64[index]; +- index = index << 3; + for (i = 0; i < sizeof(data); i++) { + u8 mask = (data >> (i * 8)) & 0xff; +- eiointc_enable_irq(vcpu, s, index + i, mask, 1); ++ eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 1); + } + /* + * 0: disable irq. +@@ -627,7 +624,7 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vcpu, + data = ~s->enable.reg_u64[index] & old_data & s->isr.reg_u64[index]; + for (i = 0; i < sizeof(data); i++) { + u8 mask = (data >> (i * 8)) & 0xff; +- eiointc_enable_irq(vcpu, s, index, mask, 0); ++ eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 0); + } + break; + case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: +-- +2.50.0 + diff --git a/queue-6.15/loongarch-kvm-check-interrupt-route-from-physical-cpu.patch b/queue-6.15/loongarch-kvm-check-interrupt-route-from-physical-cpu.patch new file mode 100644 index 0000000000..556445bee0 --- /dev/null +++ b/queue-6.15/loongarch-kvm-check-interrupt-route-from-physical-cpu.patch @@ -0,0 +1,84 @@ +From 45515c643d0abb75c2cc760a6bc6b235eadafd66 Mon Sep 17 00:00:00 2001 +From: Bibo Mao +Date: Fri, 27 Jun 2025 18:27:44 +0800 +Subject: LoongArch: KVM: Check interrupt route from physical CPU + +From: Bibo Mao + +commit 45515c643d0abb75c2cc760a6bc6b235eadafd66 upstream. + +With EIOINTC interrupt controller, physical CPU ID is set for irq route. +However the function kvm_get_vcpu() is used to get destination vCPU when +delivering irq. With API kvm_get_vcpu(), the logical CPU ID is used. + +With API kvm_get_vcpu_by_cpuid(), vCPU ID can be searched from physical +CPU ID. + +Cc: stable@vger.kernel.org +Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions") +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kvm/intc/eiointc.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c +index 8d3f48e2a7f0..644fb7785c07 100644 +--- a/arch/loongarch/kvm/intc/eiointc.c ++++ b/arch/loongarch/kvm/intc/eiointc.c +@@ -9,7 +9,8 @@ + + static void eiointc_set_sw_coreisr(struct loongarch_eiointc *s) + { +- int ipnum, cpu, irq_index, irq_mask, irq; ++ int ipnum, cpu, cpuid, irq_index, irq_mask, irq; ++ struct kvm_vcpu *vcpu; + + for (irq = 0; irq < EIOINTC_IRQS; irq++) { + ipnum = s->ipmap.reg_u8[irq / 32]; +@@ -20,7 +21,12 @@ static void eiointc_set_sw_coreisr(struct loongarch_eiointc *s) + irq_index = irq / 32; + irq_mask = BIT(irq & 0x1f); + +- cpu = s->coremap.reg_u8[irq]; ++ cpuid = s->coremap.reg_u8[irq]; ++ vcpu = kvm_get_vcpu_by_cpuid(s->kvm, cpuid); ++ if (!vcpu) ++ continue; ++ ++ cpu = vcpu->vcpu_id; + if (!!(s->coreisr.reg_u32[cpu][irq_index] & irq_mask)) + set_bit(irq, s->sw_coreisr[cpu][ipnum]); + else +@@ -68,17 +74,23 @@ static void eiointc_update_irq(struct loongarch_eiointc *s, int irq, int level) + static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s, + int irq, u64 val, u32 len, bool notify) + { +- int i, cpu; ++ int i, cpu, cpuid; ++ struct kvm_vcpu *vcpu; + + for (i = 0; i < len; i++) { +- cpu = val & 0xff; ++ cpuid = val & 0xff; + val = val >> 8; + + if (!(s->status & BIT(EIOINTC_ENABLE_CPU_ENCODE))) { +- cpu = ffs(cpu) - 1; +- cpu = (cpu >= 4) ? 0 : cpu; ++ cpuid = ffs(cpuid) - 1; ++ cpuid = (cpuid >= 4) ? 0 : cpuid; + } + ++ vcpu = kvm_get_vcpu_by_cpuid(s->kvm, cpuid); ++ if (!vcpu) ++ continue; ++ ++ cpu = vcpu->vcpu_id; + if (s->sw_coremap[irq + i] == cpu) + continue; + +-- +2.50.0 + diff --git a/queue-6.15/loongarch-kvm-check-validity-of-num_cpu-from-user-space.patch b/queue-6.15/loongarch-kvm-check-validity-of-num_cpu-from-user-space.patch new file mode 100644 index 0000000000..329caf5441 --- /dev/null +++ b/queue-6.15/loongarch-kvm-check-validity-of-num_cpu-from-user-space.patch @@ -0,0 +1,80 @@ +From cc8d5b209e09d3b52bca1ffe00045876842d96ae Mon Sep 17 00:00:00 2001 +From: Bibo Mao +Date: Fri, 27 Jun 2025 18:27:44 +0800 +Subject: LoongArch: KVM: Check validity of "num_cpu" from user space + +From: Bibo Mao + +commit cc8d5b209e09d3b52bca1ffe00045876842d96ae upstream. + +The maximum supported cpu number is EIOINTC_ROUTE_MAX_VCPUS about +irqchip EIOINTC, here add validation about cpu number to avoid array +pointer overflow. + +Cc: stable@vger.kernel.org +Fixes: 1ad7efa552fd ("LoongArch: KVM: Add EIOINTC user mode read and write functions") +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kvm/intc/eiointc.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/arch/loongarch/kvm/intc/eiointc.c ++++ b/arch/loongarch/kvm/intc/eiointc.c +@@ -784,7 +784,7 @@ static int kvm_eiointc_ctrl_access(struc + int ret = 0; + unsigned long flags; + unsigned long type = (unsigned long)attr->attr; +- u32 i, start_irq; ++ u32 i, start_irq, val; + void __user *data; + struct loongarch_eiointc *s = dev->kvm->arch.eiointc; + +@@ -792,8 +792,14 @@ static int kvm_eiointc_ctrl_access(struc + spin_lock_irqsave(&s->lock, flags); + switch (type) { + case KVM_DEV_LOONGARCH_EXTIOI_CTRL_INIT_NUM_CPU: +- if (copy_from_user(&s->num_cpu, data, 4)) ++ if (copy_from_user(&val, data, 4)) + ret = -EFAULT; ++ else { ++ if (val >= EIOINTC_ROUTE_MAX_VCPUS) ++ ret = -EINVAL; ++ else ++ s->num_cpu = val; ++ } + break; + case KVM_DEV_LOONGARCH_EXTIOI_CTRL_INIT_FEATURE: + if (copy_from_user(&s->features, data, 4)) +@@ -821,7 +827,7 @@ static int kvm_eiointc_regs_access(struc + struct kvm_device_attr *attr, + bool is_write) + { +- int addr, cpuid, offset, ret = 0; ++ int addr, cpu, offset, ret = 0; + unsigned long flags; + void *p = NULL; + void __user *data; +@@ -829,7 +835,7 @@ static int kvm_eiointc_regs_access(struc + + s = dev->kvm->arch.eiointc; + addr = attr->attr; +- cpuid = addr >> 16; ++ cpu = addr >> 16; + addr &= 0xffff; + data = (void __user *)attr->addr; + switch (addr) { +@@ -854,8 +860,11 @@ static int kvm_eiointc_regs_access(struc + p = &s->isr.reg_u32[offset]; + break; + case EIOINTC_COREISR_START ... EIOINTC_COREISR_END: ++ if (cpu >= s->num_cpu) ++ return -EINVAL; ++ + offset = (addr - EIOINTC_COREISR_START) / 4; +- p = &s->coreisr.reg_u32[cpuid][offset]; ++ p = &s->coreisr.reg_u32[cpu][offset]; + break; + case EIOINTC_COREMAP_START ... EIOINTC_COREMAP_END: + offset = (addr - EIOINTC_COREMAP_START) / 4; diff --git a/queue-6.15/loongarch-kvm-disable-updating-of-num_cpu-and-feature.patch b/queue-6.15/loongarch-kvm-disable-updating-of-num_cpu-and-feature.patch new file mode 100644 index 0000000000..019918cef3 --- /dev/null +++ b/queue-6.15/loongarch-kvm-disable-updating-of-num_cpu-and-feature.patch @@ -0,0 +1,47 @@ +From 955853cf83657faa58572ef3f08b44f0f88885c1 Mon Sep 17 00:00:00 2001 +From: Bibo Mao +Date: Fri, 27 Jun 2025 18:27:44 +0800 +Subject: LoongArch: KVM: Disable updating of "num_cpu" and "feature" + +From: Bibo Mao + +commit 955853cf83657faa58572ef3f08b44f0f88885c1 upstream. + +Property "num_cpu" and "feature" are read-only once eiointc is created, +which are set with KVM_DEV_LOONGARCH_EXTIOI_GRP_CTRL attr group before +device creation. + +Attr group KVM_DEV_LOONGARCH_EXTIOI_GRP_SW_STATUS is to update register +and software state for migration and reset usage, property "num_cpu" and +"feature" can not be update again if it is created already. + +Here discard write operation with property "num_cpu" and "feature" in +attr group KVM_DEV_LOONGARCH_EXTIOI_GRP_CTRL. + +Cc: stable@vger.kernel.org +Fixes: 1ad7efa552fd ("LoongArch: KVM: Add EIOINTC user mode read and write functions") +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kvm/intc/eiointc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/loongarch/kvm/intc/eiointc.c ++++ b/arch/loongarch/kvm/intc/eiointc.c +@@ -905,9 +905,15 @@ static int kvm_eiointc_sw_status_access( + data = (void __user *)attr->addr; + switch (addr) { + case KVM_DEV_LOONGARCH_EXTIOI_SW_STATUS_NUM_CPU: ++ if (is_write) ++ return ret; ++ + p = &s->num_cpu; + break; + case KVM_DEV_LOONGARCH_EXTIOI_SW_STATUS_FEATURE: ++ if (is_write) ++ return ret; ++ + p = &s->features; + break; + case KVM_DEV_LOONGARCH_EXTIOI_SW_STATUS_STATE: diff --git a/queue-6.15/loongarch-kvm-fix-interrupt-route-update-with-eiointc.patch b/queue-6.15/loongarch-kvm-fix-interrupt-route-update-with-eiointc.patch new file mode 100644 index 0000000000..9a7299193f --- /dev/null +++ b/queue-6.15/loongarch-kvm-fix-interrupt-route-update-with-eiointc.patch @@ -0,0 +1,83 @@ +From c34bbc2c990700ba07b271fc7c8113b0bc3e4093 Mon Sep 17 00:00:00 2001 +From: Bibo Mao +Date: Fri, 27 Jun 2025 18:27:44 +0800 +Subject: LoongArch: KVM: Fix interrupt route update with EIOINTC + +From: Bibo Mao + +commit c34bbc2c990700ba07b271fc7c8113b0bc3e4093 upstream. + +With function eiointc_update_sw_coremap(), there is forced assignment +like val = *(u64 *)pvalue. Parameter pvalue may be pointer to char type +or others, there is problem with forced assignment with u64 type. + +Here the detailed value is passed rather address pointer. + +Cc: stable@vger.kernel.org +Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions") +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kvm/intc/eiointc.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/arch/loongarch/kvm/intc/eiointc.c ++++ b/arch/loongarch/kvm/intc/eiointc.c +@@ -66,10 +66,9 @@ static void eiointc_update_irq(struct lo + } + + static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s, +- int irq, void *pvalue, u32 len, bool notify) ++ int irq, u64 val, u32 len, bool notify) + { + int i, cpu; +- u64 val = *(u64 *)pvalue; + + for (i = 0; i < len; i++) { + cpu = val & 0xff; +@@ -403,7 +402,7 @@ static int loongarch_eiointc_writeb(stru + irq = offset - EIOINTC_COREMAP_START; + index = irq; + s->coremap.reg_u8[index] = data; +- eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); ++ eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); + break; + default: + ret = -EINVAL; +@@ -488,7 +487,7 @@ static int loongarch_eiointc_writew(stru + irq = offset - EIOINTC_COREMAP_START; + index = irq >> 1; + s->coremap.reg_u16[index] = data; +- eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); ++ eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); + break; + default: + ret = -EINVAL; +@@ -573,7 +572,7 @@ static int loongarch_eiointc_writel(stru + irq = offset - EIOINTC_COREMAP_START; + index = irq >> 2; + s->coremap.reg_u32[index] = data; +- eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); ++ eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); + break; + default: + ret = -EINVAL; +@@ -658,7 +657,7 @@ static int loongarch_eiointc_writeq(stru + irq = offset - EIOINTC_COREMAP_START; + index = irq >> 3; + s->coremap.reg_u64[index] = data; +- eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); ++ eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); + break; + default: + ret = -EINVAL; +@@ -822,7 +821,7 @@ static int kvm_eiointc_ctrl_access(struc + for (i = 0; i < (EIOINTC_IRQS / 4); i++) { + start_irq = i * 4; + eiointc_update_sw_coremap(s, start_irq, +- (void *)&s->coremap.reg_u32[i], sizeof(u32), false); ++ s->coremap.reg_u32[i], sizeof(u32), false); + } + break; + default: diff --git a/queue-6.15/mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch b/queue-6.15/mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch new file mode 100644 index 0000000000..ca6f42d0f0 --- /dev/null +++ b/queue-6.15/mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch @@ -0,0 +1,36 @@ +From 4f489fe6afb395dbc79840efa3c05440b760d883 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 19 Jun 2025 11:36:07 -0700 +Subject: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write + +From: SeongJae Park + +commit 4f489fe6afb395dbc79840efa3c05440b760d883 upstream. + +memcg_path_store() assigns a newly allocated memory buffer to +filter->memcg_path, without deallocating the previously allocated and +assigned memory buffer. As a result, users can leak kernel memory by +continuously writing a data to memcg_path DAMOS sysfs file. Fix the leak +by deallocating the previously set memory buffer. + +Link: https://lkml.kernel.org/r/20250619183608.6647-2-sj@kernel.org +Fixes: 7ee161f18b5d ("mm/damon/sysfs-schemes: implement filter directory") +Signed-off-by: SeongJae Park +Cc: Shuah Khan +Cc: [6.3.x] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs-schemes.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/damon/sysfs-schemes.c ++++ b/mm/damon/sysfs-schemes.c +@@ -471,6 +471,7 @@ static ssize_t memcg_path_store(struct k + return -ENOMEM; + + strscpy(path, buf, count + 1); ++ kfree(filter->memcg_path); + filter->memcg_path = path; + return count; + } diff --git a/queue-6.15/revert-riscv-define-task_size_max-for-__access_ok.patch b/queue-6.15/revert-riscv-define-task_size_max-for-__access_ok.patch new file mode 100644 index 0000000000..40353b77c7 --- /dev/null +++ b/queue-6.15/revert-riscv-define-task_size_max-for-__access_ok.patch @@ -0,0 +1,58 @@ +From 890ba5be6335dbbbc99af14ea007befb5f83f174 Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Thu, 19 Jun 2025 17:58:58 +0200 +Subject: Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" + +From: Nam Cao + +commit 890ba5be6335dbbbc99af14ea007befb5f83f174 upstream. + +This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for +__access_ok()"). + +This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(), +because the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some +computation. + +The reasoning was that all user addresses are less than LONG_MAX, and all +kernel addresses are greater than LONG_MAX. Therefore access_ok() can +filter kernel addresses. + +Addresses between TASK_SIZE and LONG_MAX are not valid user addresses, but +access_ok() let them pass. That was thought to be okay, because they are +not valid addresses at hardware level. + +Unfortunately, one case is missed: get_user_pages_fast() happily accepts +addresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses +get_user_pages_fast(). This causes the problem reported by Robert [1]. + +Therefore, revert this commit. TASK_SIZE_MAX is changed to the default: +TASK_SIZE. + +This unfortunately reduces performance, because TASK_SIZE is more expensive +to compute compared to LONG_MAX. But correctness first, we can think about +optimization later, if required. + +Reported-by: +Closes: https://lore.kernel.org/linux-riscv/77605.1750245028@localhost/ +Signed-off-by: Nam Cao +Cc: stable@vger.kernel.org +Reviewed-by: Alexandre Ghiti +Fixes: ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for __access_ok()") +Link: https://lore.kernel.org/r/20250619155858.1249789-1-namcao@linutronix.de +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/pgtable.h | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/riscv/include/asm/pgtable.h ++++ b/arch/riscv/include/asm/pgtable.h +@@ -980,7 +980,6 @@ static inline pte_t pte_swp_clear_exclus + */ + #ifdef CONFIG_64BIT + #define TASK_SIZE_64 (PGDIR_SIZE * PTRS_PER_PGD / 2) +-#define TASK_SIZE_MAX LONG_MAX + + #ifdef CONFIG_COMPAT + #define TASK_SIZE_32 (_AC(0x80000000, UL) - PAGE_SIZE) diff --git a/queue-6.15/revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch b/queue-6.15/revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch new file mode 100644 index 0000000000..0be8343214 --- /dev/null +++ b/queue-6.15/revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch @@ -0,0 +1,59 @@ +From 2f73c62d4e13df67380ff6faca39eec2bf08dd93 Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Fri, 20 Jun 2025 13:09:39 +0200 +Subject: Revert "riscv: misaligned: fix sleeping function called during misaligned access handling" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nam Cao + +commit 2f73c62d4e13df67380ff6faca39eec2bf08dd93 upstream. + +This reverts commit 61a74ad25462 ("riscv: misaligned: fix sleeping function +called during misaligned access handling"). The commit addresses a sleeping +in atomic context problem, but it is not the correct fix as explained by +Clément: + +"Using nofault would lead to failure to read from user memory that is paged +out for instance. This is not really acceptable, we should handle user +misaligned access even at an address that would generate a page fault." + +This bug has been properly fixed by commit 453805f0a28f ("riscv: +misaligned: enable IRQs while handling misaligned accesses"). + +Revert this improper fix. + +Link: https://lore.kernel.org/linux-riscv/b779beed-e44e-4a5e-9551-4647682b0d21@rivosinc.com/ +Signed-off-by: Nam Cao +Cc: stable@vger.kernel.org +Reviewed-by: Clément Léger +Reviewed-by: Alexandre Ghiti +Fixes: 61a74ad25462 ("riscv: misaligned: fix sleeping function called during misaligned access handling") +Link: https://lore.kernel.org/r/20250620110939.1642735-1-namcao@linutronix.de +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/traps_misaligned.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/riscv/kernel/traps_misaligned.c ++++ b/arch/riscv/kernel/traps_misaligned.c +@@ -453,7 +453,7 @@ static int handle_scalar_misaligned_load + + val.data_u64 = 0; + if (user_mode(regs)) { +- if (copy_from_user_nofault(&val, (u8 __user *)addr, len)) ++ if (copy_from_user(&val, (u8 __user *)addr, len)) + return -1; + } else { + memcpy(&val, (u8 *)addr, len); +@@ -554,7 +554,7 @@ static int handle_scalar_misaligned_stor + return -EOPNOTSUPP; + + if (user_mode(regs)) { +- if (copy_to_user_nofault((u8 __user *)addr, &val, len)) ++ if (copy_to_user((u8 __user *)addr, &val, len)) + return -1; + } else { + memcpy((u8 *)addr, &val, len); diff --git a/queue-6.15/riscv-export-boot_cpu_hartid.patch b/queue-6.15/riscv-export-boot_cpu_hartid.patch new file mode 100644 index 0000000000..dcf2aeef39 --- /dev/null +++ b/queue-6.15/riscv-export-boot_cpu_hartid.patch @@ -0,0 +1,45 @@ +From c5136add3f9b4c23b8bbe5f4d722c95d4cfb936e Mon Sep 17 00:00:00 2001 +From: Klara Modin +Date: Tue, 17 Jun 2025 14:58:47 +0200 +Subject: riscv: export boot_cpu_hartid + +From: Klara Modin + +commit c5136add3f9b4c23b8bbe5f4d722c95d4cfb936e upstream. + +The mailbox controller driver for the Microchip Inter-processor +Communication can be built as a module. It uses cpuid_to_hartid_map and +commit 4783ce32b080 ("riscv: export __cpuid_to_hartid_map") enables that +to work for SMP. However, cpuid_to_hartid_map uses boot_cpu_hartid on +non-SMP kernels and this driver can be useful in such configurations[1]. + +Export boot_cpu_hartid so the driver can be built as a module on non-SMP +kernels as well. + +Link: https://lore.kernel.org/lkml/20250617-confess-reimburse-876101e099cb@spud/ [1] +Cc: stable@vger.kernel.org +Fixes: e4b1d67e7141 ("mailbox: add Microchip IPC support") +Signed-off-by: Klara Modin +Acked-by: Conor Dooley +Link: https://lore.kernel.org/r/20250617125847.23829-1-klarasmodin@gmail.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/setup.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c +index f7c9a1caa83e..14888e5ea19a 100644 +--- a/arch/riscv/kernel/setup.c ++++ b/arch/riscv/kernel/setup.c +@@ -50,6 +50,7 @@ atomic_t hart_lottery __section(".sdata") + #endif + ; + unsigned long boot_cpu_hartid; ++EXPORT_SYMBOL_GPL(boot_cpu_hartid); + + /* + * Place kernel memory regions on the resource tree so that +-- +2.50.0 + diff --git a/queue-6.15/riscv-vector-fix-context-save-restore-with-xtheadvector.patch b/queue-6.15/riscv-vector-fix-context-save-restore-with-xtheadvector.patch new file mode 100644 index 0000000000..4430bf445e --- /dev/null +++ b/queue-6.15/riscv-vector-fix-context-save-restore-with-xtheadvector.patch @@ -0,0 +1,60 @@ +From 4262bd0d9cc704ea1365ac00afc1272400c2cbef Mon Sep 17 00:00:00 2001 +From: Han Gao +Date: Fri, 23 May 2025 18:25:56 +0800 +Subject: riscv: vector: Fix context save/restore with xtheadvector + +From: Han Gao + +commit 4262bd0d9cc704ea1365ac00afc1272400c2cbef upstream. + +Previously only v0-v7 were correctly saved/restored, +and the context of v8-v31 are damanged. +Correctly save/restore v8-v31 to avoid breaking userspace. + +Fixes: d863910eabaf ("riscv: vector: Support xtheadvector save/restore") +Cc: stable@vger.kernel.org +Signed-off-by: Han Gao +Tested-by: Xiongchuan Tan +Reviewed-by: Charlie Jenkins +Reviewed-by: Yanteng Si +Reviewed-by: Andy Chiu +Link: https://lore.kernel.org/r/9b9eb2337f3d5336ce813721f8ebea51e0b2b553.1747994822.git.rabenda.cn@gmail.com +Signed-off-by: Alexandre Ghiti +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/vector.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/riscv/include/asm/vector.h ++++ b/arch/riscv/include/asm/vector.h +@@ -200,11 +200,11 @@ static inline void __riscv_v_vstate_save + THEAD_VSETVLI_T4X0E8M8D1 + THEAD_VSB_V_V0T0 + "add t0, t0, t4\n\t" +- THEAD_VSB_V_V0T0 ++ THEAD_VSB_V_V8T0 + "add t0, t0, t4\n\t" +- THEAD_VSB_V_V0T0 ++ THEAD_VSB_V_V16T0 + "add t0, t0, t4\n\t" +- THEAD_VSB_V_V0T0 ++ THEAD_VSB_V_V24T0 + : : "r" (datap) : "memory", "t0", "t4"); + } else { + asm volatile ( +@@ -236,11 +236,11 @@ static inline void __riscv_v_vstate_rest + THEAD_VSETVLI_T4X0E8M8D1 + THEAD_VLB_V_V0T0 + "add t0, t0, t4\n\t" +- THEAD_VLB_V_V0T0 ++ THEAD_VLB_V_V8T0 + "add t0, t0, t4\n\t" +- THEAD_VLB_V_V0T0 ++ THEAD_VLB_V_V16T0 + "add t0, t0, t4\n\t" +- THEAD_VLB_V_V0T0 ++ THEAD_VLB_V_V24T0 + : : "r" (datap) : "memory", "t0", "t4"); + } else { + asm volatile ( diff --git a/queue-6.15/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch b/queue-6.15/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch new file mode 100644 index 0000000000..684d3224ad --- /dev/null +++ b/queue-6.15/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch @@ -0,0 +1,47 @@ +From 7360ee47599af91a1d5f4e74d635d9408a54e489 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Wed, 11 Jun 2025 22:20:10 +0300 +Subject: s390/pkey: Prevent overflow in size calculation for memdup_user() + +From: Fedor Pchelkin + +commit 7360ee47599af91a1d5f4e74d635d9408a54e489 upstream. + +Number of apqn target list entries contained in 'nr_apqns' variable is +determined by userspace via an ioctl call so the result of the product in +calculation of size passed to memdup_user() may overflow. + +In this case the actual size of the allocated area and the value +describing it won't be in sync leading to various types of unpredictable +behaviour later. + +Use a proper memdup_array_user() helper which returns an error if an +overflow is detected. Note that it is different from when nr_apqns is +initially zero - that case is considered valid and should be handled in +subsequent pkey_handler implementations. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Holger Dengler +Reviewed-by: Heiko Carstens +Link: https://lore.kernel.org/r/20250611192011.206057-1-pchelkin@ispras.ru +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/crypto/pkey_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/crypto/pkey_api.c ++++ b/drivers/s390/crypto/pkey_api.c +@@ -85,7 +85,7 @@ static void *_copy_apqns_from_user(void + if (!uapqns || nr_apqns == 0) + return NULL; + +- return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn)); ++ return memdup_array_user(uapqns, nr_apqns, sizeof(struct pkey_apqn)); + } + + static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs) diff --git a/queue-6.15/scripts-gdb-fix-dentry_name-lookup.patch b/queue-6.15/scripts-gdb-fix-dentry_name-lookup.patch new file mode 100644 index 0000000000..5ef82d4e30 --- /dev/null +++ b/queue-6.15/scripts-gdb-fix-dentry_name-lookup.patch @@ -0,0 +1,51 @@ +From 79300ac805b672a84b64d80d4cbc374d83411599 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 19 Jun 2025 15:51:05 -0700 +Subject: scripts/gdb: fix dentry_name() lookup + +From: Florian Fainelli + +commit 79300ac805b672a84b64d80d4cbc374d83411599 upstream. + +The "d_iname" member was replaced with "d_shortname.string" in the commit +referenced in the Fixes tag. This prevented the GDB script "lx-mount" +command to properly function: + +(gdb) lx-mounts + mount super_block devname pathname fstype options +0xff11000002d21180 0xff11000002d24800 rootfs / rootfs rw 0 0 +0xff11000002e18a80 0xff11000003713000 /dev/root / ext4 rw,relatime 0 0 +Python Exception : There is no member named d_iname. +Error occurred in Python: There is no member named d_iname. + +Link: https://lkml.kernel.org/r/20250619225105.320729-1-florian.fainelli@broadcom.com +Fixes: 58cf9c383c5c ("dcache: back inline names with a struct-wrapped array of unsigned long") +Signed-off-by: Florian Fainelli +Cc: Al Viro +Cc: Jan Kara +Cc: Jan Kiszka +Cc: Jeff Layton +Cc: Kieran Bingham +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + scripts/gdb/linux/vfs.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/gdb/linux/vfs.py b/scripts/gdb/linux/vfs.py +index c77b9ce75f6d..b5fbb18ccb77 100644 +--- a/scripts/gdb/linux/vfs.py ++++ b/scripts/gdb/linux/vfs.py +@@ -22,7 +22,7 @@ def dentry_name(d): + if parent == d or parent == 0: + return "" + p = dentry_name(d['d_parent']) + "/" +- return p + d['d_iname'].string() ++ return p + d['d_shortname']['string'].string() + + class DentryName(gdb.Function): + """Return string of the full path of a dentry. +-- +2.50.0 + diff --git a/queue-6.15/series b/queue-6.15/series index c746afd772..5c03570b55 100644 --- a/queue-6.15/series +++ b/queue-6.15/series @@ -94,3 +94,37 @@ io_uring-zcrx-split-out-memory-holders-from-area.patch io_uring-zcrx-fix-area-release-on-registration-failu.patch drm-i915-display-add-check-for-alloc_ordered_workque.patch af_unix-don-t-leave-consecutive-consumed-oob-skbs.patch +i2c-omap-fix-an-error-handling-path-in-omap_i2c_probe.patch +i2c-imx-fix-emulated-smbus-block-read.patch +i2c-tiny-usb-disable-zero-length-read-messages.patch +i2c-robotfuzz-osif-disable-zero-length-read-messages.patch +loongarch-kvm-avoid-overflow-with-array-index.patch +loongarch-kvm-check-validity-of-num_cpu-from-user-space.patch +loongarch-kvm-disable-updating-of-num_cpu-and-feature.patch +loongarch-kvm-add-address-alignment-check-for-iocsr-emulation.patch +loongarch-kvm-fix-interrupt-route-update-with-eiointc.patch +loongarch-kvm-check-interrupt-route-from-physical-cpu.patch +fuse-fix-runtime-warning-on-truncate_folio_batch_exceptionals.patch +scripts-gdb-fix-dentry_name-lookup.patch +ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch +smb-client-remove-t-from-tp_printk-statements.patch +mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch +smb-client-fix-regression-with-native-smb-symlinks.patch +riscv-vector-fix-context-save-restore-with-xtheadvector.patch +asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch +riscv-export-boot_cpu_hartid.patch +s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch +io_uring-rsrc-fix-folio-unpinning.patch +io_uring-rsrc-don-t-rely-on-user-vaddr-alignment.patch +io_uring-don-t-assume-uaddr-alignment-in-io_vec_fill_bvec.patch +fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch +lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch +revert-riscv-define-task_size_max-for-__access_ok.patch +revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch +drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch +drm-amd-display-add-sanity-checks-for-drm_edid_raw.patch +drm-amdgpu-mes-add-compatibility-checks-for-set_hw_resource_1.patch +drm-xe-display-add-check-for-alloc_ordered_workqueue.patch +drm-i915-snps_hdmi_pll-fix-64-bit-divisor-truncation-by-using-div64_u64.patch +drm-xe-move-dsb-l2-flush-to-a-more-sensible-place.patch +drm-xe-move-dpt-l2-flush-to-a-more-sensible-place.patch diff --git a/queue-6.15/smb-client-fix-regression-with-native-smb-symlinks.patch b/queue-6.15/smb-client-fix-regression-with-native-smb-symlinks.patch new file mode 100644 index 0000000000..3461ebd89d --- /dev/null +++ b/queue-6.15/smb-client-fix-regression-with-native-smb-symlinks.patch @@ -0,0 +1,77 @@ +From ff8abbd248c1f52df0c321690b88454b13ff54b2 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Sun, 22 Jun 2025 14:13:40 -0300 +Subject: smb: client: fix regression with native SMB symlinks + +From: Paulo Alcantara + +commit ff8abbd248c1f52df0c321690b88454b13ff54b2 upstream. + +Some users and customers reported that their backup/copy tools started +to fail when the directory being copied contained symlink targets that +the client couldn't parse - even when those symlinks weren't followed. + +Fix this by allowing lstat(2) and readlink(2) to succeed even when the +client can't resolve the symlink target, restoring old behavior. + +Cc: linux-cifs@vger.kernel.org +Cc: stable@vger.kernel.org +Reported-by: Remy Monsen +Closes: https://lore.kernel.org/r/CAN+tdP7y=jqw3pBndZAGjQv0ObFq8Q=+PUDHgB36HdEz9QA6FQ@mail.gmail.com +Reported-by: Pierguido Lambri +Fixes: 12b466eb52d9 ("cifs: Fix creating and resolving absolute NT-style symlinks") +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/reparse.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c +index 511611206dab..1c40e42e4d89 100644 +--- a/fs/smb/client/reparse.c ++++ b/fs/smb/client/reparse.c +@@ -875,15 +875,8 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len, + abs_path += sizeof("\\DosDevices\\")-1; + else if (strstarts(abs_path, "\\GLOBAL??\\")) + abs_path += sizeof("\\GLOBAL??\\")-1; +- else { +- /* Unhandled absolute symlink, points outside of DOS/Win32 */ +- cifs_dbg(VFS, +- "absolute symlink '%s' cannot be converted from NT format " +- "because points to unknown target\n", +- smb_target); +- rc = -EIO; +- goto out; +- } ++ else ++ goto out_unhandled_target; + + /* Sometimes path separator after \?? is double backslash */ + if (abs_path[0] == '\\') +@@ -910,13 +903,7 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len, + abs_path++; + abs_path[0] = drive_letter; + } else { +- /* Unhandled absolute symlink. Report an error. */ +- cifs_dbg(VFS, +- "absolute symlink '%s' cannot be converted from NT format " +- "because points to unknown target\n", +- smb_target); +- rc = -EIO; +- goto out; ++ goto out_unhandled_target; + } + + abs_path_len = strlen(abs_path)+1; +@@ -966,6 +953,7 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len, + * These paths have same format as Linux symlinks, so no + * conversion is needed. + */ ++out_unhandled_target: + linux_target = smb_target; + smb_target = NULL; + } +-- +2.50.0 + diff --git a/queue-6.15/smb-client-remove-t-from-tp_printk-statements.patch b/queue-6.15/smb-client-remove-t-from-tp_printk-statements.patch new file mode 100644 index 0000000000..3cd9dccb95 --- /dev/null +++ b/queue-6.15/smb-client-remove-t-from-tp_printk-statements.patch @@ -0,0 +1,137 @@ +From e97f9540ce001503a4539f337da742c1dfa7d86a Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Jun 2025 10:13:04 +0200 +Subject: smb: client: remove \t from TP_printk statements + +From: Stefan Metzmacher + +commit e97f9540ce001503a4539f337da742c1dfa7d86a upstream. + +The generate '[FAILED TO PARSE]' strings in trace-cmd report output like this: + + rm-5298 [001] 6084.533748493: smb3_exit_err: [FAILED TO PARSE] xid=972 func_name=cifs_rmdir rc=-39 + rm-5298 [001] 6084.533959234: smb3_enter: [FAILED TO PARSE] xid=973 func_name=cifs_closedir + rm-5298 [001] 6084.533967630: smb3_close_enter: [FAILED TO PARSE] xid=973 fid=94489281833 tid=1 sesid=96758029877361 + rm-5298 [001] 6084.534004008: smb3_cmd_enter: [FAILED TO PARSE] tid=1 sesid=96758029877361 cmd=6 mid=566 + rm-5298 [001] 6084.552248232: smb3_cmd_done: [FAILED TO PARSE] tid=1 sesid=96758029877361 cmd=6 mid=566 + rm-5298 [001] 6084.552280542: smb3_close_done: [FAILED TO PARSE] xid=973 fid=94489281833 tid=1 sesid=96758029877361 + rm-5298 [001] 6084.552316034: smb3_exit_done: [FAILED TO PARSE] xid=973 func_name=cifs_closedir + +Cc: stable@vger.kernel.org +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/trace.h | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/fs/smb/client/trace.h ++++ b/fs/smb/client/trace.h +@@ -140,7 +140,7 @@ DECLARE_EVENT_CLASS(smb3_rw_err_class, + __entry->len = len; + __entry->rc = rc; + ), +- TP_printk("\tR=%08x[%x] xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d", ++ TP_printk("R=%08x[%x] xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d", + __entry->rreq_debug_id, __entry->rreq_debug_index, + __entry->xid, __entry->sesid, __entry->tid, __entry->fid, + __entry->offset, __entry->len, __entry->rc) +@@ -190,7 +190,7 @@ DECLARE_EVENT_CLASS(smb3_other_err_class + __entry->len = len; + __entry->rc = rc; + ), +- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d", ++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d", + __entry->xid, __entry->sesid, __entry->tid, __entry->fid, + __entry->offset, __entry->len, __entry->rc) + ) +@@ -247,7 +247,7 @@ DECLARE_EVENT_CLASS(smb3_copy_range_err_ + __entry->len = len; + __entry->rc = rc; + ), +- TP_printk("\txid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x rc=%d", ++ TP_printk("xid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x rc=%d", + __entry->xid, __entry->sesid, __entry->tid, __entry->target_fid, + __entry->src_offset, __entry->target_fid, __entry->target_offset, __entry->len, __entry->rc) + ) +@@ -298,7 +298,7 @@ DECLARE_EVENT_CLASS(smb3_copy_range_done + __entry->target_offset = target_offset; + __entry->len = len; + ), +- TP_printk("\txid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x", ++ TP_printk("xid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x", + __entry->xid, __entry->sesid, __entry->tid, __entry->target_fid, + __entry->src_offset, __entry->target_fid, __entry->target_offset, __entry->len) + ) +@@ -482,7 +482,7 @@ DECLARE_EVENT_CLASS(smb3_fd_class, + __entry->tid = tid; + __entry->sesid = sesid; + ), +- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx", ++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx", + __entry->xid, __entry->sesid, __entry->tid, __entry->fid) + ) + +@@ -521,7 +521,7 @@ DECLARE_EVENT_CLASS(smb3_fd_err_class, + __entry->sesid = sesid; + __entry->rc = rc; + ), +- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx rc=%d", ++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx rc=%d", + __entry->xid, __entry->sesid, __entry->tid, __entry->fid, + __entry->rc) + ) +@@ -794,7 +794,7 @@ DECLARE_EVENT_CLASS(smb3_cmd_err_class, + __entry->status = status; + __entry->rc = rc; + ), +- TP_printk("\tsid=0x%llx tid=0x%x cmd=%u mid=%llu status=0x%x rc=%d", ++ TP_printk("sid=0x%llx tid=0x%x cmd=%u mid=%llu status=0x%x rc=%d", + __entry->sesid, __entry->tid, __entry->cmd, __entry->mid, + __entry->status, __entry->rc) + ) +@@ -829,7 +829,7 @@ DECLARE_EVENT_CLASS(smb3_cmd_done_class, + __entry->cmd = cmd; + __entry->mid = mid; + ), +- TP_printk("\tsid=0x%llx tid=0x%x cmd=%u mid=%llu", ++ TP_printk("sid=0x%llx tid=0x%x cmd=%u mid=%llu", + __entry->sesid, __entry->tid, + __entry->cmd, __entry->mid) + ) +@@ -867,7 +867,7 @@ DECLARE_EVENT_CLASS(smb3_mid_class, + __entry->when_sent = when_sent; + __entry->when_received = when_received; + ), +- TP_printk("\tcmd=%u mid=%llu pid=%u, when_sent=%lu when_rcv=%lu", ++ TP_printk("cmd=%u mid=%llu pid=%u, when_sent=%lu when_rcv=%lu", + __entry->cmd, __entry->mid, __entry->pid, __entry->when_sent, + __entry->when_received) + ) +@@ -898,7 +898,7 @@ DECLARE_EVENT_CLASS(smb3_exit_err_class, + __assign_str(func_name); + __entry->rc = rc; + ), +- TP_printk("\t%s: xid=%u rc=%d", ++ TP_printk("%s: xid=%u rc=%d", + __get_str(func_name), __entry->xid, __entry->rc) + ) + +@@ -924,7 +924,7 @@ DECLARE_EVENT_CLASS(smb3_sync_err_class, + __entry->ino = ino; + __entry->rc = rc; + ), +- TP_printk("\tino=%lu rc=%d", ++ TP_printk("ino=%lu rc=%d", + __entry->ino, __entry->rc) + ) + +@@ -950,7 +950,7 @@ DECLARE_EVENT_CLASS(smb3_enter_exit_clas + __entry->xid = xid; + __assign_str(func_name); + ), +- TP_printk("\t%s: xid=%u", ++ TP_printk("%s: xid=%u", + __get_str(func_name), __entry->xid) + ) +