From: Greg Kroah-Hartman Date: Sat, 6 Sep 2025 19:16:32 +0000 (+0200) Subject: 6.16-stable patches X-Git-Tag: v5.4.299~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4450779c8128faad49bb3f9f1754be5162d649b6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.16-stable patches added patches: audit-fix-out-of-bounds-read-in-audit_compare_dname_path.patch batman-adv-fix-oob-read-write-in-network-coding-decode.patch cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch drm-amdgpu-mes11-make-mes_misc_op_change_config-failure-non-fatal.patch drm-amdgpu-sdma-bump-firmware-version-checks-for-user-queue-support.patch drm-dp-change-aux-dpcd-probe-address-from-lane0_1_status-to-training_pattern_set.patch drm-xe-fix-incorrect-migration-of-backed-up-object-to-vram.patch e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch microchip-lan865x-fix-lan8651-autoloading.patch microchip-lan865x-fix-module-autoloading.patch net-dsa-mv88e6xxx-fix-fwnode-reference-leaks-in-mv88e6xxx_port_setup_leds.patch net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch net-pcs-rzn1-miic-correct-modctrl-register-offset.patch nouveau-fix-disabling-the-nonstall-irq-due-to-storm-code.patch nouveau-membar-before-between-semaphore-writes-and-the-interrupt.patch ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch proc-fix-missing-pde_set_flags-for-net-proc-files.patch sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch 
spi-microchip-core-qspi-stop-checking-viability-of-op-max_freq-in-supports_op-callback.patch wifi-mac80211-do-not-permit-40-mhz-eht-operation-on-5-6-ghz.patch wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch wifi-mt76-mt7925-skip-eht-mld-tlv-on-non-mld-and-pass-conn_state-for-sta_cmd.patch wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch --- diff --git a/queue-6.16/audit-fix-out-of-bounds-read-in-audit_compare_dname_path.patch b/queue-6.16/audit-fix-out-of-bounds-read-in-audit_compare_dname_path.patch new file mode 100644 index 0000000000..47b092e423 --- /dev/null +++ b/queue-6.16/audit-fix-out-of-bounds-read-in-audit_compare_dname_path.patch 
@@ -0,0 +1,44 @@
+From 4540f1d23e7f387880ce46d11b5cd3f27248bf8d Mon Sep 17 00:00:00 2001
+From: Stanislav Fort
+Date: Tue, 2 Sep 2025 14:00:49 +0300
+Subject: audit: fix out-of-bounds read in audit_compare_dname_path()
+
+From: Stanislav Fort
+
+commit 4540f1d23e7f387880ce46d11b5cd3f27248bf8d upstream.
+
+When a watch on dir=/ is combined with an fsnotify event for a
+single-character name directly under / (e.g., creating /a), an
+out-of-bounds read can occur in audit_compare_dname_path().
+
+The helper parent_len() returns 1 for "/". In audit_compare_dname_path(),
+when parentlen equals the full path length (1), the code sets p = path + 1
+and pathlen = 1 - 1 = 0. The subsequent loop then dereferences
+p[pathlen - 1] (i.e., p[-1]), causing an out-of-bounds read.
+
+Fix this by adding a pathlen > 0 check to the while loop condition
+to prevent the out-of-bounds access.
+
+Cc: stable@vger.kernel.org
+Fixes: e92eebb0d611 ("audit: fix suffixed '/' filename matching")
+Reported-by: Stanislav Fort
+Suggested-by: Linus Torvalds
+Signed-off-by: Stanislav Fort
+[PM: subject tweak, sign-off email fixes]
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/auditfilter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -1326,7 +1326,7 @@ int audit_compare_dname_path(const struc
+ 
+ /* handle trailing slashes */
+ pathlen -= parentlen;
+- while (p[pathlen - 1] == '/')
++ while (pathlen > 0 && p[pathlen - 1] == '/')
+ pathlen--;
+ 
+ if (pathlen != dlen)
diff --git a/queue-6.16/batman-adv-fix-oob-read-write-in-network-coding-decode.patch b/queue-6.16/batman-adv-fix-oob-read-write-in-network-coding-decode.patch
new file mode 100644
index 0000000000..b3ca6e46e7
--- /dev/null
+++ b/queue-6.16/batman-adv-fix-oob-read-write-in-network-coding-decode.patch
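Review bot: The new `pathlen > 0` guard in the trailing-slash loop only holds if `pathlen` is a signed type, and the hunk shows neither its declaration nor any check that `parentlen` does not exceed the path length before `pathlen -= parentlen;`. If it were unsigned, an oversized `parentlen` would wrap and the loop would again index outside `path`; if it is signed, the guard also covers the negative case, which is worth stating. I would add a comment above the loop such as `/* pathlen is 0 when path is exactly the parent (e.g. "/"); never read p[-1] */`. The body of audit_compare_dname_path() starts and ends outside the hunk.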
@@ -0,0 +1,44 @@
+From d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 Mon Sep 17 00:00:00 2001
+From: Stanislav Fort
+Date: Sun, 31 Aug 2025 16:56:23 +0200
+Subject: batman-adv: fix OOB read/write in network-coding decode
+
+From: Stanislav Fort
+
+commit d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 upstream.
+
+batadv_nc_skb_decode_packet() trusts coded_len and checks only against
+skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
+payload headroom, and the source skb length is not verified, allowing an
+out-of-bounds read and a small out-of-bounds write.
+
+Validate that coded_len fits within the payload area of both destination
+and source sk_buffs before XORing.
+
+Fixes: 2df5278b0267 ("batman-adv: network coding - receive coded packets and decode them")
+Cc: stable@vger.kernel.org
+Reported-by: Stanislav Fort
+Signed-off-by: Stanislav Fort
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/network-coding.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -1687,7 +1687,12 @@ batadv_nc_skb_decode_packet(struct batad
+ 
+ coding_len = ntohs(coded_packet_tmp.coded_len);
+ 
+- if (coding_len > skb->len)
++ /* ensure dst buffer is large enough (payload only) */
++ if (coding_len + h_size > skb->len)
++ return NULL;
++
++ /* ensure src buffer is large enough (payload only) */
++ if (coding_len + h_size > nc_packet->skb->len)
+ return NULL;
+ 
+ /* Here the magic is reversed:
diff --git a/queue-6.16/cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch b/queue-6.16/cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch
new file mode 100644
index 0000000000..886695454b
--- /dev/null
+++ b/queue-6.16/cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch
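Review bot: Both added checks compare against `skb->len`, which counts paged fragments as well as the linear area, so they bound the XOR only if `skb` and `nc_packet->skb` are linear when this code runs, and the hunk does not show that. If linearization happens in the caller, a comment beside the checks would keep that invariant from being lost, e.g. `/* both skbs are linear here, so len bounds the data area */` (to be confirmed against the caller). The two `return NULL` paths are also indistinguishable from any other decode failure, so a rejected `coded_len` leaves no trace; a rate-limited debug message would help detection. batadv_nc_skb_decode_packet() continues outside the hunk.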
@@ -0,0 +1,39 @@
+From 70bccd9855dae56942f2b18a08ba137bb54093a0 Mon Sep 17 00:00:00 2001
+From: Makar Semyonov
+Date: Thu, 4 Sep 2025 15:28:41 +0300
+Subject: cifs: prevent NULL pointer dereference in UTF16 conversion
+
+From: Makar Semyonov
+
+commit 70bccd9855dae56942f2b18a08ba137bb54093a0 upstream.
+
+There can be a NULL pointer dereference bug here. NULL is passed to
+__cifs_sfu_make_node without checks, which passes it unchecked to
+cifs_strndup_to_utf16, which in turn passes it to
+cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.
+
+This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and
+returns NULL early to prevent dereferencing NULL pointer.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE
+
+Signed-off-by: Makar Semyonov
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/cifs_unicode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/client/cifs_unicode.c
++++ b/fs/smb/client/cifs_unicode.c
+@@ -629,6 +629,9 @@ cifs_strndup_to_utf16(const char *src, c
+ int len;
+ __le16 *dst;
+ 
++ if (!src)
++ return NULL;
++
+ len = cifs_local_to_utf16_bytes(src, maxlen, cp);
+ len += 2; /* NULL */
+ dst = kmalloc(len, GFP_KERNEL);
diff --git a/queue-6.16/drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch b/queue-6.16/drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch
new file mode 100644
index 0000000000..67c633c8ad
--- /dev/null
+++ b/queue-6.16/drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch
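Review bot: The early `return NULL` for a NULL `src` cannot be told apart from what the `kmalloc()` a few lines below presumably yields on failure, so a caller that maps NULL to out-of-memory would report the wrong error for what is really a bad argument. The signature is cut off in the hunk header, so I cannot see whether there is an out-length parameter; if there is, it should be set on this path just as on the allocation-failure path. The commit message names `__cifs_sfu_make_node` as the caller that passes NULL unchecked, and that caller is not touched here; rejecting the NULL there would address the cause, with this guard kept as a backstop.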
@@ -0,0 +1,181 @@ +From 3ebf766c35464ebdeefb6068246267147503dc04 Mon Sep 17 00:00:00 2001 +From: Ivan Lipski +Date: Wed, 20 Aug 2025 15:46:52 -0400 +Subject: drm/amd/display: Clear the CUR_ENABLE register on DCN314 w/out DPP PG + +From: Ivan Lipski + +commit 3ebf766c35464ebdeefb6068246267147503dc04 upstream. + +[Why&How] +ON DCN314, clearing DPP SW structure without power gating it can cause a +double cursor in full screen with non-native scaling. + +A W/A that clears CURSOR0_CONTROL cursor_enable flag if +dcn10_plane_atomic_power_down is called and DPP power gating is disabled. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4168 +Reviewed-by: Sun peng (Leo) Li +Signed-off-by: Ivan Lipski +Signed-off-by: Alex Hung +Tested-by: Dan Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit 645f74f1dc119dad5a2c7bbc05cc315e76883011) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c | 9 + + drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h | 2 + drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c | 1 + drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c | 72 ++++++++++++++ + drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h | 2 + drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_init.c | 1 + drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h | 3 + 7 files changed, 90 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c ++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c +@@ -520,6 +520,15 @@ void dpp1_dppclk_control( + REG_UPDATE(DPP_CONTROL, DPP_CLOCK_ENABLE, 0); + } + ++void dpp_force_disable_cursor(struct dpp *dpp_base) ++{ ++ struct dcn10_dpp *dpp = TO_DCN10_DPP(dpp_base); ++ ++ /* Force disable cursor */ ++ REG_UPDATE(CURSOR0_CONTROL, CUR0_ENABLE, 0); ++ dpp_base->pos.cur0_ctl.bits.cur0_enable = 0; ++} ++ + static const struct dpp_funcs dcn10_dpp_funcs = { + .dpp_read_state = dpp_read_state, + .dpp_reset = dpp_reset, +--- 
a/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h ++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h +@@ -1525,4 +1525,6 @@ void dpp1_construct(struct dcn10_dpp *dp + + void dpp1_cm_get_gamut_remap(struct dpp *dpp_base, + struct dpp_grph_csc_adjustment *adjust); ++void dpp_force_disable_cursor(struct dpp *dpp_base); ++ + #endif +--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c ++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c +@@ -1494,6 +1494,7 @@ static struct dpp_funcs dcn30_dpp_funcs + .dpp_dppclk_control = dpp1_dppclk_control, + .dpp_set_hdr_multiplier = dpp3_set_hdr_multiplier, + .dpp_get_gamut_remap = dpp3_cm_get_gamut_remap, ++ .dpp_force_disable_cursor = dpp_force_disable_cursor, + }; + + +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c +@@ -528,3 +528,75 @@ void dcn314_disable_link_output(struct d + + apply_symclk_on_tx_off_wa(link); + } ++ ++/** ++ * dcn314_dpp_pg_control - DPP power gate control. ++ * ++ * @hws: dce_hwseq reference. ++ * @dpp_inst: DPP instance reference. ++ * @power_on: true if we want to enable power gate, false otherwise. ++ * ++ * Enable or disable power gate in the specific DPP instance. ++ * If power gating is disabled, will force disable cursor in the DPP instance. ++ */ ++void dcn314_dpp_pg_control( ++ struct dce_hwseq *hws, ++ unsigned int dpp_inst, ++ bool power_on) ++{ ++ uint32_t power_gate = power_on ? 0 : 1; ++ uint32_t pwr_status = power_on ? 
0 : 2; ++ ++ ++ if (hws->ctx->dc->debug.disable_dpp_power_gate) { ++ /* Workaround for DCN314 with disabled power gating */ ++ if (!power_on) { ++ ++ /* Force disable cursor if power gating is disabled */ ++ struct dpp *dpp = hws->ctx->dc->res_pool->dpps[dpp_inst]; ++ if (dpp && dpp->funcs->dpp_force_disable_cursor) ++ dpp->funcs->dpp_force_disable_cursor(dpp); ++ } ++ return; ++ } ++ if (REG(DOMAIN1_PG_CONFIG) == 0) ++ return; ++ ++ switch (dpp_inst) { ++ case 0: /* DPP0 */ ++ REG_UPDATE(DOMAIN1_PG_CONFIG, ++ DOMAIN1_POWER_GATE, power_gate); ++ ++ REG_WAIT(DOMAIN1_PG_STATUS, ++ DOMAIN1_PGFSM_PWR_STATUS, pwr_status, ++ 1, 1000); ++ break; ++ case 1: /* DPP1 */ ++ REG_UPDATE(DOMAIN3_PG_CONFIG, ++ DOMAIN3_POWER_GATE, power_gate); ++ ++ REG_WAIT(DOMAIN3_PG_STATUS, ++ DOMAIN3_PGFSM_PWR_STATUS, pwr_status, ++ 1, 1000); ++ break; ++ case 2: /* DPP2 */ ++ REG_UPDATE(DOMAIN5_PG_CONFIG, ++ DOMAIN5_POWER_GATE, power_gate); ++ ++ REG_WAIT(DOMAIN5_PG_STATUS, ++ DOMAIN5_PGFSM_PWR_STATUS, pwr_status, ++ 1, 1000); ++ break; ++ case 3: /* DPP3 */ ++ REG_UPDATE(DOMAIN7_PG_CONFIG, ++ DOMAIN7_POWER_GATE, power_gate); ++ ++ REG_WAIT(DOMAIN7_PG_STATUS, ++ DOMAIN7_PGFSM_PWR_STATUS, pwr_status, ++ 1, 1000); ++ break; ++ default: ++ BREAK_TO_DEBUGGER(); ++ break; ++ } ++} +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h +@@ -47,4 +47,6 @@ void dcn314_dpp_root_clock_control(struc + + void dcn314_disable_link_output(struct dc_link *link, const struct link_resource *link_res, enum signal_type signal); + ++void dcn314_dpp_pg_control(struct dce_hwseq *hws, unsigned int dpp_inst, bool power_on); ++ + #endif /* __DC_HWSS_DCN314_H__ */ +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_init.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_init.c +@@ -141,6 +141,7 @@ static const struct hwseq_private_funcs + .enable_power_gating_plane = dcn314_enable_power_gating_plane, + .dpp_root_clock_control = 
dcn314_dpp_root_clock_control, + .hubp_pg_control = dcn31_hubp_pg_control, ++ .dpp_pg_control = dcn314_dpp_pg_control, + .program_all_writeback_pipes_in_tree = dcn30_program_all_writeback_pipes_in_tree, + .update_odm = dcn314_update_odm, + .dsc_pg_control = dcn314_dsc_pg_control, +--- a/drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h ++++ b/drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h +@@ -349,6 +349,9 @@ struct dpp_funcs { + struct dpp *dpp_base, + enum dc_color_space color_space, + struct dc_csc_transform cursor_csc_color_matrix); ++ ++ void (*dpp_force_disable_cursor)(struct dpp *dpp_base); ++ + }; + + diff --git a/queue-6.16/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch b/queue-6.16/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch new file mode 100644 index 0000000000..6f98e3e24f --- /dev/null +++ b/queue-6.16/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch 
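Review bot: In dcn314_dpp_pg_control(), the `disable_dpp_power_gate` branch reads `hws->ctx->dc->res_pool->dpps[dpp_inst]` before `dpp_inst` has been range-checked; only the `switch` further down rejects values other than 0-3, and the early `return` skips it. The size of `dpps[]` is not visible here, so I would bound the index explicitly before the lookup, e.g. `if (dpp_inst >= ARRAY_SIZE(hws->ctx->dc->res_pool->dpps)) return;` (assuming `dpps` is a fixed-size array). The kerneldoc also says `@power_on` is "true if we want to enable power gate", while the code sets `power_gate = power_on ? 0 : 1`, so the parameter description reads inverted and should say that true powers the DPP on (gate released).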
@@ -0,0 +1,105 @@ +From 71403f58b4bb6c13b71c05505593a355f697fd94 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 6 Aug 2025 10:47:50 -0400 +Subject: drm/amdgpu: drop hw access in non-DC audio fini + +From: Alex Deucher + +commit 71403f58b4bb6c13b71c05505593a355f697fd94 upstream. + +We already disable the audio pins in hw_fini so +there is no need to do it again in sw_fini. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4481 +Cc: oushixiong +Signed-off-by: Alex Deucher +(cherry picked from commit 5eeb16ca727f11278b2917fd4311a7d7efb0bbd6) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 ----- + 4 files changed, 20 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c +@@ -1462,17 +1462,12 @@ static int dce_v10_0_audio_init(struct a + + static void dce_v10_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v10_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c +@@ -1511,17 +1511,12 @@ static int dce_v11_0_audio_init(struct a + + static void dce_v11_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v11_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c +@@ -1451,17 +1451,12 @@ static int 
dce_v6_0_audio_init(struct am + + static void dce_v6_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v6_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c +@@ -1443,17 +1443,12 @@ static int dce_v8_0_audio_init(struct am + + static void dce_v8_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v8_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + diff --git a/queue-6.16/drm-amdgpu-mes11-make-mes_misc_op_change_config-failure-non-fatal.patch b/queue-6.16/drm-amdgpu-mes11-make-mes_misc_op_change_config-failure-non-fatal.patch new file mode 100644 index 0000000000..24df32e7cf --- /dev/null +++ b/queue-6.16/drm-amdgpu-mes11-make-mes_misc_op_change_config-failure-non-fatal.patch 
@@ -0,0 +1,37 @@
+From 5171848bdfb8bf87f38331d3f8c0fd5e2b676d3e Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Wed, 27 Aug 2025 14:24:31 -0400
+Subject: drm/amdgpu/mes11: make MES_MISC_OP_CHANGE_CONFIG failure non-fatal
+
+From: Alex Deucher
+
+commit 5171848bdfb8bf87f38331d3f8c0fd5e2b676d3e upstream.
+
+If the firmware is too old, just warn and return success.
+
+Fixes: 27b791514789 ("drm/amdgpu/mes: keep enforce isolation up to date")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4414
+Cc: shaoyun.Liu@amd.com
+Reviewed-by: Shaoyun.liu
+Signed-off-by: Alex Deucher
+(cherry picked from commit 9f28af76fab0948b59673f69c10aeec47de11c60)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+@@ -641,8 +641,9 @@ static int mes_v11_0_misc_op(struct amdg
+ break;
+ case MES_MISC_OP_CHANGE_CONFIG:
+ if ((mes->adev->mes.sched_version & AMDGPU_MES_VERSION_MASK) < 0x63) {
+- dev_err(mes->adev->dev, "MES FW version must be larger than 0x63 to support limit single process feature.\n");
+- return -EINVAL;
++ dev_warn_once(mes->adev->dev,
++ "MES FW version must be larger than 0x63 to support limit single process feature.\n");
++ return 0;
+ }
+ misc_pkt.opcode = MESAPI_MISC__CHANGE_CONFIG;
+ misc_pkt.change_config.opcode =
diff --git a/queue-6.16/drm-amdgpu-sdma-bump-firmware-version-checks-for-user-queue-support.patch b/queue-6.16/drm-amdgpu-sdma-bump-firmware-version-checks-for-user-queue-support.patch
new file mode 100644
index 0000000000..6b724f3fbf
--- /dev/null
+++ b/queue-6.16/drm-amdgpu-sdma-bump-firmware-version-checks-for-user-queue-support.patch
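Review bot: The warning text says the firmware version "must be larger than 0x63", but the condition is `< 0x63`, so 0x63 itself is accepted; the message would match the check if it said "at least 0x63". Returning 0 on this path also means callers can no longer tell that the requested config change was skipped, and `dev_warn_once` records it only the first time, so later skipped requests leave no log entry. A comment on the branch such as `/* old firmware: the config change is skipped, not applied */` would make that explicit for anyone relying on the isolation setting. mes_v11_0_misc_op() continues outside the hunk.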
@@ -0,0 +1,49 @@ +From 2d41a4bfee6e9941ff19728c691ab00d19cf882a Mon Sep 17 00:00:00 2001 +From: "Jesse.Zhang" +Date: Wed, 27 Aug 2025 13:29:17 +0800 +Subject: drm/amdgpu/sdma: bump firmware version checks for user queue support + +From: Jesse.Zhang + +commit 2d41a4bfee6e9941ff19728c691ab00d19cf882a upstream. + +Using the previous firmware could lead to problems with +PROTECTED_FENCE_SIGNAL commands, specifically causing register +conflicts between MCU_DBG0 and MCU_DBG1. + +The updated firmware versions ensure proper alignment +and unification of the SDMA_SUBOP_PROTECTED_FENCE_SIGNAL value with SDMA 7.x, +resolving these hardware coordination issues + +Fixes: e8cca30d8b34 ("drm/amdgpu/sdma6: add ucode version checks for userq support") +Acked-by: Alex Deucher +Signed-off-by: Jesse Zhang +Signed-off-by: Alex Deucher +(cherry picked from commit aab8b689aded255425db3d80c0030d1ba02fe2ef) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c +@@ -1376,15 +1376,15 @@ static int sdma_v6_0_sw_init(struct amdg + + switch (amdgpu_ip_version(adev, SDMA0_HWIP, 0)) { + case IP_VERSION(6, 0, 0): +- if ((adev->sdma.instance[0].fw_version >= 24) && !adev->sdma.disable_uq) ++ if ((adev->sdma.instance[0].fw_version >= 27) && !adev->sdma.disable_uq) + adev->userq_funcs[AMDGPU_HW_IP_DMA] = &userq_mes_funcs; + break; + case IP_VERSION(6, 0, 2): +- if ((adev->sdma.instance[0].fw_version >= 21) && !adev->sdma.disable_uq) ++ if ((adev->sdma.instance[0].fw_version >= 23) && !adev->sdma.disable_uq) + adev->userq_funcs[AMDGPU_HW_IP_DMA] = &userq_mes_funcs; + break; + case IP_VERSION(6, 0, 3): +- if ((adev->sdma.instance[0].fw_version >= 25) && !adev->sdma.disable_uq) ++ if ((adev->sdma.instance[0].fw_version >= 27) && !adev->sdma.disable_uq) + adev->userq_funcs[AMDGPU_HW_IP_DMA] = 
&userq_mes_funcs; + break; + default: diff --git a/queue-6.16/drm-dp-change-aux-dpcd-probe-address-from-lane0_1_status-to-training_pattern_set.patch b/queue-6.16/drm-dp-change-aux-dpcd-probe-address-from-lane0_1_status-to-training_pattern_set.patch new file mode 100644 index 0000000000..50ed473c44 --- /dev/null +++ b/queue-6.16/drm-dp-change-aux-dpcd-probe-address-from-lane0_1_status-to-training_pattern_set.patch 
@@ -0,0 +1,87 @@ +From d34d6feaf4a76833effcec0b148b65946b04cde8 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Wed, 9 Jul 2025 00:23:31 +0300 +Subject: drm/dp: Change AUX DPCD probe address from LANE0_1_STATUS to TRAINING_PATTERN_SET +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Imre Deak + +commit d34d6feaf4a76833effcec0b148b65946b04cde8 upstream. + +Commit a3ef3c2da675 ("drm/dp: Change AUX DPCD probe address from +DPCD_REV to LANE0_1_STATUS") stopped using the DPCD_REV register for +DPCD probing, since this results in link training failures at least when +using an Intel Barlow Ridge TBT hub at UHBR link rates (the +DP_INTRA_HOP_AUX_REPLY_INDICATION never getting cleared after the failed +link training). Since accessing DPCD_REV during link training is +prohibited by the DP Standard, LANE0_1_STATUS (0x202) was used instead, +as it falls within the Standard's valid register address range +(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) and it fixed the link +training on the above TBT hub. + +However, reading the LANE0_1_STATUS register also has a side-effect at +least on a Novatek eDP panel, as reported on the Closes: link below, +resulting in screen flickering on that panel. One clear side-effect when +doing the 1-byte probe reads from LANE0_1_STATUS during link training +before reading out the full 6 byte link status starting at the same +address is that the panel will report the link training as completed +with voltage swing 0. This is different from the normal, flicker-free +scenario when no DPCD probing is done, the panel reporting the link +training complete with voltage swing 2. + +Using the TRAINING_PATTERN_SET register for DPCD probing doesn't have +the above side-effect, the panel will link train with voltage swing 2 as +expected and it will stay flicker-free. 
This register is also in the +above valid register range and is unlikely to have a side-effect as that +of LANE0_1_STATUS: Reading LANE0_1_STATUS is part of the link training +CR/EQ sequences and so it may cause a state change in the sink - even if +inadvertently as I suspect in the case of the above Novatek panel. As +opposed to this, reading TRAINING_PATTERN_SET is not part of the link +training sequence (it must be only written once at the beginning of the +CR/EQ sequences), so it's unlikely to cause any state change in the +sink. + +As a side-note, this Novatek panel also lacks support for TPS3, while +claiming support for HBR2, which violates the DP Standard (the Standard +mandating TPS3 for HBR2). + +Besides the Novatek panel (PSR 1), which this change fixes, I also +verified the change on a Samsung (PSR 1) and an Analogix (PSR 2) eDP +panel as well as on the Intel Barlow Ridge TBT hub. + +Note that in the drm-tip tree (targeting the v6.17 kernel version) the +i915 and xe drivers keep DPCD probing enabled only for the panel known +to require this (HP ZR24w), hence those drivers in drm-tip are not +affected by the above problem. 
+ +Cc: Ville Syrjälä +Cc: Jani Nikula +Fixes: a3ef3c2da675 ("drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS") +Reported-and-tested-by: Paul Menzel +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14558 +Reviewed-by: Jonathan Cavitt +Acked-by: Thomas Zimmermann +Link: https://lore.kernel.org/r/20250708212331.112898-1-imre.deak@intel.com +(cherry picked from commit bba9aa41654036534d86b198f5647a9ce15ebd7f) +[Imre: Rebased on drm-intel-fixes] +Signed-off-by: Imre Deak +Signed-off-by: Rodrigo Vivi +[Rodrigo: Changed original commit hash to match with the one propagated in fixes] +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/display/drm_dp_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/display/drm_dp_helper.c ++++ b/drivers/gpu/drm/display/drm_dp_helper.c +@@ -725,7 +725,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a + * monitor doesn't power down exactly after the throw away read. + */ + if (!aux->is_remote) { +- ret = drm_dp_dpcd_probe(aux, DP_DPCD_REV); ++ ret = drm_dp_dpcd_probe(aux, DP_TRAINING_PATTERN_SET); + if (ret < 0) + return ret; + } diff --git a/queue-6.16/drm-xe-fix-incorrect-migration-of-backed-up-object-to-vram.patch b/queue-6.16/drm-xe-fix-incorrect-migration-of-backed-up-object-to-vram.patch new file mode 100644 index 0000000000..592e813cad --- /dev/null +++ b/queue-6.16/drm-xe-fix-incorrect-migration-of-backed-up-object-to-vram.patch 
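Review bot: The reason for probing `DP_TRAINING_PATTERN_SET` is given only in the commit message; at the call site in drm_dp_dpcd_read() nothing says why this particular register was chosen. I would extend the existing comment above the `if (!aux->is_remote)` block with a line such as `/* probe a register that may be read during link training and is not part of the CR/EQ status reads */`. The removed line probes `DP_DPCD_REV` although the subject speaks of LANE0_1_STATUS, which presumably reflects the rebase mentioned in the trailers; worth confirming against the 6.16 base before queuing.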
@@ -0,0 +1,48 @@ +From 379b3c983fc0257c183052278832ac68e3ccd33b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= +Date: Thu, 28 Aug 2025 15:48:37 +0200 +Subject: drm/xe: Fix incorrect migration of backed-up object to VRAM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Hellström + +commit 379b3c983fc0257c183052278832ac68e3ccd33b upstream. + +If an object is backed up to shmem it is incorrectly identified +as not having valid data by the move code. This means moving +to VRAM skips the -EMULTIHOP step and the bo is cleared. This +causes all sorts of weird behaviour on DGFX if an already evicted +object is targeted by the shrinker. + +Fix this by using ttm_tt_is_swapped() to identify backed-up +objects. + +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/5996 +Fixes: 00c8efc3180f ("drm/xe: Add a shrinker for xe bos") +Cc: Matthew Brost +Cc: Matthew Auld +Cc: # v6.15+ +Signed-off-by: Thomas Hellström +Reviewed-by: Matthew Auld +Link: https://lore.kernel.org/r/20250828134837.5709-1-thomas.hellstrom@linux.intel.com +(cherry picked from commit 1047bd82794a1eab64d643f196d09171ce983f44) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_bo.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_bo.c ++++ b/drivers/gpu/drm/xe/xe_bo.c +@@ -803,8 +803,7 @@ static int xe_bo_move(struct ttm_buffer_ + return ret; + } + +- tt_has_data = ttm && (ttm_tt_is_populated(ttm) || +- (ttm->page_flags & TTM_TT_FLAG_SWAPPED)); ++ tt_has_data = ttm && (ttm_tt_is_populated(ttm) || ttm_tt_is_swapped(ttm)); + + move_lacks_source = !old_mem || (handle_system_ccs ? (!bo->ccs_cleared) : + (!mem_type_is_vram(old_mem_type) && !tt_has_data)); diff --git a/queue-6.16/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch b/queue-6.16/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch new file mode 100644 index 0000000000..654f41dd83 
--- /dev/null
+++ b/queue-6.16/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch
@@ -0,0 +1,55 @@
+From 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 Mon Sep 17 00:00:00 2001
+From: Vitaly Lifshits
+Date: Sun, 17 Aug 2025 12:25:47 +0300
+Subject: e1000e: fix heap overflow in e1000_set_eeprom
+
+From: Vitaly Lifshits
+
+commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 upstream.
+
+Fix a possible heap overflow in e1000_set_eeprom function by adding
+input validation for the requested length of the change in the EEPROM.
+In addition, change the variable type from int to size_t for better
+code practices and rearrange declarations to RCT.
+
+Cc: stable@vger.kernel.org
+Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
+Co-developed-by: Mikael Wessel
+Signed-off-by: Mikael Wessel
+Signed-off-by: Vitaly Lifshits
+Tested-by: Mor Bar-Gabay
+Signed-off-by: Tony Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ethtool.c
++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
+@@ -549,12 +549,12 @@ static int e1000_set_eeprom(struct net_d
+ {
+ struct e1000_adapter *adapter = netdev_priv(netdev);
+ struct e1000_hw *hw = &adapter->hw;
++ size_t total_len, max_len;
+ u16 *eeprom_buff;
+- void *ptr;
+- int max_len;
++ int ret_val = 0;
+ int first_word;
+ int last_word;
+- int ret_val = 0;
++ void *ptr;
+ u16 i;
+ 
+ if (eeprom->len == 0)
+@@ -569,6 +569,10 @@ static int e1000_set_eeprom(struct net_d
+ 
+ max_len = hw->nvm.word_size * 2;
+ 
++ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
++ total_len > max_len)
++ return -EFBIG;
++
+ first_word = eeprom->offset >> 1;
+ last_word = (eeprom->offset + eeprom->len - 1) >> 1;
+ eeprom_buff = kmalloc(max_len, GFP_KERNEL);
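Review bot: The new bounds check computes `total_len` with `check_add_overflow()`, but two lines later `last_word` repeats the sum as `eeprom->offset + eeprom->len - 1` and stores it in an `int`; reusing the checked value, `last_word = (total_len - 1) >> 1;`, would keep one validated source for the range. A short comment above the check, e.g. `/* reject writes that extend past the end of the NVM (word_size * 2 bytes) */`, would document why -EFBIG is returned. e1000_set_eeprom() continues outside the hunk, so the later copy into `eeprom_buff` is not visible here.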
diff --git a/queue-6.16/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch b/queue-6.16/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch new file mode 100644 index 0000000000..35034180a6 --- /dev/null +++ b/queue-6.16/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch 
@@ -0,0 +1,74 @@ +From 51337a9a3a404fde0f5337662ffc7699793dfeb5 Mon Sep 17 00:00:00 2001 +From: Ada Couprie Diaz +Date: Thu, 21 Aug 2025 13:07:35 +0100 +Subject: kasan: fix GCC mem-intrinsic prefix with sw tags + +From: Ada Couprie Diaz + +commit 51337a9a3a404fde0f5337662ffc7699793dfeb5 upstream. + +GCC doesn't support "hwasan-kernel-mem-intrinsic-prefix", only +"asan-kernel-mem-intrinsic-prefix"[0], while LLVM supports both. This is +already taken into account when checking +"CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX", but not in the KASAN Makefile +adding those parameters when "CONFIG_KASAN_SW_TAGS" is enabled. + +Replace the version check with "CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX", +which already validates that mem-intrinsic prefix parameter can be used, +and choose the correct name depending on compiler. + +GCC 13 and above trigger "CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX" which +prevents `mem{cpy,move,set}()` being redefined in "mm/kasan/shadow.c" +since commit 36be5cba99f6 ("kasan: treat meminstrinsic as builtins in +uninstrumented files"), as we expect the compiler to prefix those calls +with `__(hw)asan_` instead. But as the option passed to GCC has been +incorrect, the compiler has not been emitting those prefixes, effectively +never calling the instrumented versions of `mem{cpy,move,set}()` with +"CONFIG_KASAN_SW_TAGS" enabled. + +If "CONFIG_FORTIFY_SOURCES" is enabled, this issue would be mitigated as +it redefines `mem{cpy,move,set}()` and properly aliases the +`__underlying_mem*()` that will be called to the instrumented versions. 
+ +Link: https://lkml.kernel.org/r/20250821120735.156244-1-ada.coupriediaz@arm.com +Link: https://gcc.gnu.org/onlinedocs/gcc-13.4.0/gcc/Optimize-Options.html [0] +Signed-off-by: Ada Couprie Diaz +Fixes: 36be5cba99f6 ("kasan: treat meminstrinsic as builtins in uninstrumented files") +Reviewed-by: Yeoreum Yun +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Dmitriy Vyukov +Cc: Marco Elver +Cc: Marc Rutland +Cc: Michael Ellerman +Cc: Nathan Chancellor +Cc: Vincenzo Frascino +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Makefile.kasan | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/scripts/Makefile.kasan ++++ b/scripts/Makefile.kasan +@@ -86,10 +86,14 @@ kasan_params += hwasan-instrument-stack= + hwasan-use-short-granules=0 \ + hwasan-inline-all-checks=0 + +-# Instrument memcpy/memset/memmove calls by using instrumented __hwasan_mem*(). +-ifeq ($(call clang-min-version, 150000)$(call gcc-min-version, 130000),y) +- kasan_params += hwasan-kernel-mem-intrinsic-prefix=1 +-endif ++# Instrument memcpy/memset/memmove calls by using instrumented __(hw)asan_mem*(). ++ifdef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX ++ ifdef CONFIG_CC_IS_GCC ++ kasan_params += asan-kernel-mem-intrinsic-prefix=1 ++ else ++ kasan_params += hwasan-kernel-mem-intrinsic-prefix=1 ++ endif ++endif # CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX + + endif # CONFIG_KASAN_SW_TAGS + diff --git a/queue-6.16/kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch b/queue-6.16/kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch new file mode 100644 index 0000000000..6401177b7c --- /dev/null +++ b/queue-6.16/kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch 
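Review bot: The new `ifdef CONFIG_CC_IS_GCC` branch adds an `asan-` parameter in the middle of the `hwasan-` parameters of the CONFIG_KASAN_SW_TAGS block with no comment saying why, so it reads like a copy-paste slip. A line above the inner `ifdef`, such as `# GCC only accepts the asan- spelling of this param, also for sw tags; clang takes the hwasan- one.`, would stop a later cleanup from changing it back. This matters for coverage: per the commit message, with the wrong spelling GCC did not emit the prefixed calls and mem{cpy,move,set}() ran uninstrumented under KASAN_SW_TAGS. The enclosing `ifdef CONFIG_KASAN_SW_TAGS` block starts outside the hunk.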
@@ -0,0 +1,60 @@ +From 7a19afee6fb39df63ddea7ce78976d8c521178c6 Mon Sep 17 00:00:00 2001 +From: Yeoreum Yun +Date: Fri, 1 Aug 2025 13:02:36 +0100 +Subject: kunit: kasan_test: disable fortify string checker on kasan_strings() test + +From: Yeoreum Yun + +commit 7a19afee6fb39df63ddea7ce78976d8c521178c6 upstream. + +Similar to commit 09c6304e38e4 ("kasan: test: fix compatibility with +FORTIFY_SOURCE") the kernel is panicing in kasan_string(). + +This is due to the `src` and `ptr` not being hidden from the optimizer +which would disable the runtime fortify string checker. + +Call trace: + __fortify_panic+0x10/0x20 (P) + kasan_strings+0x980/0x9b0 + kunit_try_run_case+0x68/0x190 + kunit_generic_run_threadfn_adapter+0x34/0x68 + kthread+0x1c4/0x228 + ret_from_fork+0x10/0x20 + Code: d503233f a9bf7bfd 910003fd 9424b243 (d4210000) + ---[ end trace 0000000000000000 ]--- + note: kunit_try_catch[128] exited with irqs disabled + note: kunit_try_catch[128] exited with preempt_count 1 + # kasan_strings: try faulted: last +** replaying previous printk message ** + # kasan_strings: try faulted: last line seen mm/kasan/kasan_test_c.c:1600 + # kasan_strings: internal error occurred preventing test case from running: -4 + +Link: https://lkml.kernel.org/r/20250801120236.2962642-1-yeoreum.yun@arm.com +Fixes: 73228c7ecc5e ("KASAN: port KASAN Tests to KUnit") +Signed-off-by: Yeoreum Yun +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Dmitriy Vyukov +Cc: Vincenzo Frascino +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kasan/kasan_test_c.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/kasan/kasan_test_c.c ++++ b/mm/kasan/kasan_test_c.c +@@ -1578,9 +1578,11 @@ static void kasan_strings(struct kunit * + + ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); ++ OPTIMIZER_HIDE_VAR(ptr); + + src = kmalloc(KASAN_GRANULE_SIZE, GFP_KERNEL | __GFP_ZERO); + strscpy(src, "f0cacc1a0000000", 
KASAN_GRANULE_SIZE); ++ OPTIMIZER_HIDE_VAR(src); + + /* + * Make sure that strscpy() does not trigger KASAN if it overreads into diff --git a/queue-6.16/microchip-lan865x-fix-lan8651-autoloading.patch b/queue-6.16/microchip-lan865x-fix-lan8651-autoloading.patch new file mode 100644 index 0000000000..fbd61e2423 --- /dev/null +++ b/queue-6.16/microchip-lan865x-fix-lan8651-autoloading.patch @@ -0,0 +1,40 @@ +From ca47c44d36a9ad3268d17f89789104a471c07f81 Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Wed, 27 Aug 2025 13:53:41 +0200 +Subject: microchip: lan865x: Fix LAN8651 autoloading + +From: Stefan Wahren + +commit ca47c44d36a9ad3268d17f89789104a471c07f81 upstream. + +Add missing IDs for LAN8651 devices, which are also defined in the +DT bindings. + +Fixes: 5cd2340cb6a3 ("microchip: lan865x: add driver support for Microchip's LAN865X MAC-PHY") +Signed-off-by: Stefan Wahren +Cc: stable@kernel.org +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827115341.34608-4-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan865x/lan865x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/microchip/lan865x/lan865x.c ++++ b/drivers/net/ethernet/microchip/lan865x/lan865x.c +@@ -425,12 +425,14 @@ static void lan865x_remove(struct spi_de + + static const struct spi_device_id lan865x_ids[] = { + { .name = "lan8650" }, ++ { .name = "lan8651" }, + {}, + }; + MODULE_DEVICE_TABLE(spi, lan865x_ids); + + static const struct of_device_id lan865x_dt_ids[] = { + { .compatible = "microchip,lan8650" }, ++ { .compatible = "microchip,lan8651" }, + { /* Sentinel */ } + }; + MODULE_DEVICE_TABLE(of, lan865x_dt_ids); diff --git a/queue-6.16/microchip-lan865x-fix-module-autoloading.patch b/queue-6.16/microchip-lan865x-fix-module-autoloading.patch new file mode 100644 index 0000000000..08a2e24abf --- /dev/null +++ b/queue-6.16/microchip-lan865x-fix-module-autoloading.patch 
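Review bot: `src` is handed to strscpy() straight after kmalloc() with no NULL check, while `ptr` a few lines above is guarded by KUNIT_ASSERT_NOT_ERR_OR_NULL(). Adding `KUNIT_ASSERT_NOT_ERR_OR_NULL(test, src);` before the strscpy() call would turn an allocation failure into a failed test case rather than a fault inside the test. The two new OPTIMIZER_HIDE_VAR() calls would also benefit from a one-line comment saying they keep the fortify string checker from trapping before KASAN sees the accesses, which is the reason the commit message gives. kasan_strings() continues outside the hunk.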
@@ -0,0 +1,49 @@ +From c7217963eb779be0a7627dd2121152fa6786ecf7 Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Wed, 27 Aug 2025 13:53:40 +0200 +Subject: microchip: lan865x: Fix module autoloading + +From: Stefan Wahren + +commit c7217963eb779be0a7627dd2121152fa6786ecf7 upstream. + +Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded +based on the alias from spi_device_id table. While at this, fix +the misleading variable name (spidev is unrelated to this driver). + +Fixes: 5cd2340cb6a3 ("microchip: lan865x: add driver support for Microchip's LAN865X MAC-PHY") +Signed-off-by: Stefan Wahren +Cc: stable@kernel.org +Reviewed-by: Andrew Lunn +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827115341.34608-3-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan865x/lan865x.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/microchip/lan865x/lan865x.c ++++ b/drivers/net/ethernet/microchip/lan865x/lan865x.c +@@ -423,10 +423,11 @@ static void lan865x_remove(struct spi_de + free_netdev(priv->netdev); + } + +-static const struct spi_device_id spidev_spi_ids[] = { ++static const struct spi_device_id lan865x_ids[] = { + { .name = "lan8650" }, + {}, + }; ++MODULE_DEVICE_TABLE(spi, lan865x_ids); + + static const struct of_device_id lan865x_dt_ids[] = { + { .compatible = "microchip,lan8650" }, +@@ -441,7 +442,7 @@ static struct spi_driver lan865x_driver + }, + .probe = lan865x_probe, + .remove = lan865x_remove, +- .id_table = spidev_spi_ids, ++ .id_table = lan865x_ids, + }; + module_spi_driver(lan865x_driver); + diff --git a/queue-6.16/net-dsa-mv88e6xxx-fix-fwnode-reference-leaks-in-mv88e6xxx_port_setup_leds.patch b/queue-6.16/net-dsa-mv88e6xxx-fix-fwnode-reference-leaks-in-mv88e6xxx_port_setup_leds.patch new file mode 100644 index 0000000000..5cc9a89a51 --- /dev/null 
+++ b/queue-6.16/net-dsa-mv88e6xxx-fix-fwnode-reference-leaks-in-mv88e6xxx_port_setup_leds.patch 
@@ -0,0 +1,72 @@ +From f63e7c8a83892781f6ceb55566f9497639c44555 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 1 Sep 2025 15:32:23 +0800 +Subject: net: dsa: mv88e6xxx: Fix fwnode reference leaks in mv88e6xxx_port_setup_leds + +From: Miaoqian Lin + +commit f63e7c8a83892781f6ceb55566f9497639c44555 upstream. + +Fix multiple fwnode reference leaks: + +1. The function calls fwnode_get_named_child_node() to get the "leds" node, + but never calls fwnode_handle_put(leds) to release this reference. + +2. Within the fwnode_for_each_child_node() loop, the early return + paths that don't properly release the "led" fwnode reference. + +This fix follows the same pattern as commit d029edefed39 +("net dsa: qca8k: fix usages of device_get_named_child_node()") + +Fixes: 94a2a84f5e9e ("net: dsa: mv88e6xxx: Support LED control") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Reviewed-by: Linus Walleij +Link: https://patch.msgid.link/20250901073224.2273103-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/leds.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/net/dsa/mv88e6xxx/leds.c ++++ b/drivers/net/dsa/mv88e6xxx/leds.c +@@ -779,7 +779,8 @@ int mv88e6xxx_port_setup_leds(struct mv8 + continue; + if (led_num > 1) { + dev_err(dev, "invalid LED specified port %d\n", port); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put_led; + } + + if (led_num == 0) +@@ -823,17 +824,25 @@ int mv88e6xxx_port_setup_leds(struct mv8 + init_data.devname_mandatory = true; + init_data.devicename = kasprintf(GFP_KERNEL, "%s:0%d:0%d", chip->info->name, + port, led_num); +- if (!init_data.devicename) +- return -ENOMEM; ++ if (!init_data.devicename) { ++ ret = -ENOMEM; ++ goto err_put_led; ++ } + + ret = devm_led_classdev_register_ext(dev, l, &init_data); + kfree(init_data.devicename); + + if (ret) { + dev_err(dev, "Failed to init LED %d for port %d", led_num, port); +- return 
ret; ++ goto err_put_led; + } + } + ++ fwnode_handle_put(leds); + return 0; ++ ++err_put_led: ++ fwnode_handle_put(led); ++ fwnode_handle_put(leds); ++ return ret; + } diff --git a/queue-6.16/net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch b/queue-6.16/net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch new file mode 100644 index 0000000000..2b1e871846 --- /dev/null +++ b/queue-6.16/net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch @@ -0,0 +1,36 @@ +From b3852ae3105ec1048535707545d23c1e519c190f Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Wed, 27 Aug 2025 13:53:39 +0200 +Subject: net: ethernet: oa_tc6: Handle failure of spi_setup + +From: Stefan Wahren + +commit b3852ae3105ec1048535707545d23c1e519c190f upstream. + +There is no guarantee that spi_setup succeed, so properly handle +the error case. + +Fixes: aa58bec064ab ("net: ethernet: oa_tc6: implement register write operation") +Signed-off-by: Stefan Wahren +Cc: stable@kernel.org +Reviewed-by: Andrew Lunn +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250827115341.34608-2-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/oa_tc6.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/oa_tc6.c ++++ b/drivers/net/ethernet/oa_tc6.c +@@ -1249,7 +1249,8 @@ struct oa_tc6 *oa_tc6_init(struct spi_de + + /* Set the SPI controller to pump at realtime priority */ + tc6->spi->rt = true; +- spi_setup(tc6->spi); ++ if (spi_setup(tc6->spi) < 0) ++ return NULL; + + tc6->spi_ctrl_tx_buf = devm_kzalloc(&tc6->spi->dev, + OA_TC6_CTRL_SPI_BUF_SIZE, diff --git a/queue-6.16/net-pcs-rzn1-miic-correct-modctrl-register-offset.patch b/queue-6.16/net-pcs-rzn1-miic-correct-modctrl-register-offset.patch new file mode 100644 index 0000000000..da617ce86c --- /dev/null +++ b/queue-6.16/net-pcs-rzn1-miic-correct-modctrl-register-offset.patch 
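Review bot: The `dev_err(dev, "Failed to init LED %d for port %d", led_num, port);` message on the registration-failure path has no trailing newline, unlike `"invalid LED specified port %d\n"` earlier in the same function; `dev_err(dev, "Failed to init LED %d for port %d\n", led_num, port);` would make the two consistent. Separately, the inner hunks convert the three returns they show to `goto err_put_led`, but the loop body between them is outside the hunks. It is worth confirming that no other `return` inside the fwnode_for_each_child_node() loop still skips the two fwnode_handle_put() calls.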
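Review bot: The new `spi_setup()` check in oa_tc6_init() returns NULL without logging anything, so the error code is lost and this failure cannot be told apart from any other NULL return of the function. Logging before bailing out, `if (spi_setup(tc6->spi) < 0) { dev_err(&tc6->spi->dev, "Failed to set up SPI\n"); return NULL; }`, would leave a trace for whoever debugs a failed probe. The allocation of `tc6` is outside the hunk; if it is not device-managed, this early return would also need to free it, so that should be confirmed.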
@@ -0,0 +1,49 @@ +From a7195a3d67dace056af7ca65144a11874df79562 Mon Sep 17 00:00:00 2001 +From: Lad Prabhakar +Date: Mon, 1 Sep 2025 12:20:19 +0100 +Subject: net: pcs: rzn1-miic: Correct MODCTRL register offset + +From: Lad Prabhakar + +commit a7195a3d67dace056af7ca65144a11874df79562 upstream. + +Correct the Mode Control Register (MODCTRL) offset for RZ/N MIIC. +According to the R-IN Engine and Ethernet Peripherals Manual (Rev.1.30) +[0], Table 10.1 "Ethernet Accessory Register List", MODCTRL is at offset +0x8, not 0x20 as previously defined. + +Offset 0x20 actually maps to the Port Trigger Control Register (PTCTRL), +which controls PTP_MODE[3:0] and RGMII_CLKSEL[4]. Using this incorrect +definition prevented the driver from configuring the SW_MODE[4:0] bits +in MODCTRL, which control the internal connection of Ethernet ports. As +a result, the MIIC could not be switched into the correct mode, leading +to link setup failures and non-functional Ethernet ports on affected +systems. + +[0] https://www.renesas.com/en/document/mah/rzn1d-group-rzn1s-group-rzn1l-group-users-manual-r-engine-and-ethernet-peripherals?r=1054571 + +Fixes: 7dc54d3b8d91 ("net: pcs: add Renesas MII converter driver") +Cc: stable@kernel.org +Signed-off-by: Lad Prabhakar +Reviewed-by: Wolfram Sang +Reviewed-by: Russell King (Oracle) +Reviewed-by: Geert Uytterhoeven +Tested-by: Wolfram Sang +Link: https://patch.msgid.link/20250901112019.16278-1-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/pcs/pcs-rzn1-miic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/pcs/pcs-rzn1-miic.c ++++ b/drivers/net/pcs/pcs-rzn1-miic.c +@@ -19,7 +19,7 @@ + #define MIIC_PRCMD 0x0 + #define MIIC_ESID_CODE 0x4 + +-#define MIIC_MODCTRL 0x20 ++#define MIIC_MODCTRL 0x8 + #define MIIC_MODCTRL_SW_MODE GENMASK(4, 0) + + #define MIIC_CONVCTRL(port) (0x100 + (port) * 4) 
diff --git a/queue-6.16/nouveau-fix-disabling-the-nonstall-irq-due-to-storm-code.patch b/queue-6.16/nouveau-fix-disabling-the-nonstall-irq-due-to-storm-code.patch new file mode 100644 index 0000000000..99ebf412bf --- /dev/null +++ b/queue-6.16/nouveau-fix-disabling-the-nonstall-irq-due-to-storm-code.patch 
@@ -0,0 +1,147 @@ +From 0ef5c4e4dbbfcebaa9b2eca18097b43016727dfe Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Fri, 29 Aug 2025 12:16:32 +1000 +Subject: nouveau: fix disabling the nonstall irq due to storm code + +From: Dave Airlie + +commit 0ef5c4e4dbbfcebaa9b2eca18097b43016727dfe upstream. + +Nouveau has code that when it gets an IRQ with no allowed handler +it disables it to avoid storms. + +However with nonstall interrupts, we often disable them from +the drm driver, but still request their emission via the push submission. + +Just don't disable nonstall irqs ever in normal operation, the +event handling code will filter them out, and the driver will +just enable/disable them at load time. + +This fixes timeouts we've been seeing on/off for a long time, +but they became a lot more noticeable on Blackwell. + +This doesn't fix all of them, there is a subsequent fence emission +fix to fix the last few. + +Fixes: 3ebd64aa3c4f ("drm/nouveau/intr: support multiple trees, and explicit interfaces") +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +Link: https://lore.kernel.org/r/20250829021633.1674524-1-airlied@gmail.com +[ Fix a typo and a minor checkpatch.pl warning; remove "v2" from commit + subject. 
- Danilo ] +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c | 2 + + drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 23 +++++++++++------ + drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h | 2 + + drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/fifo.c | 1 + 5 files changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c +@@ -350,6 +350,8 @@ nvkm_fifo_dtor(struct nvkm_engine *engin + nvkm_chid_unref(&fifo->chid); + + nvkm_event_fini(&fifo->nonstall.event); ++ if (fifo->func->nonstall_dtor) ++ fifo->func->nonstall_dtor(fifo); + mutex_destroy(&fifo->mutex); + + if (fifo->func->dtor) +--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c +@@ -517,19 +517,11 @@ ga100_fifo_nonstall_intr(struct nvkm_int + static void + ga100_fifo_nonstall_block(struct nvkm_event *event, int type, int index) + { +- struct nvkm_fifo *fifo = container_of(event, typeof(*fifo), nonstall.event); +- struct nvkm_runl *runl = nvkm_runl_get(fifo, index, 0); +- +- nvkm_inth_block(&runl->nonstall.inth); + } + + static void + ga100_fifo_nonstall_allow(struct nvkm_event *event, int type, int index) + { +- struct nvkm_fifo *fifo = container_of(event, typeof(*fifo), nonstall.event); +- struct nvkm_runl *runl = nvkm_runl_get(fifo, index, 0); +- +- nvkm_inth_allow(&runl->nonstall.inth); + } + + const struct nvkm_event_func +@@ -564,12 +556,26 @@ ga100_fifo_nonstall_ctor(struct nvkm_fif + if (ret) + return ret; + ++ nvkm_inth_allow(&runl->nonstall.inth); ++ + nr = max(nr, runl->id + 1); + } + + return nr; + } + ++void ++ga100_fifo_nonstall_dtor(struct nvkm_fifo *fifo) ++{ ++ struct nvkm_runl *runl; ++ ++ nvkm_runl_foreach(runl, fifo) { ++ if (runl->nonstall.vector < 0) ++ continue; ++ nvkm_inth_block(&runl->nonstall.inth); ++ } 
++} ++ + int + ga100_fifo_runl_ctor(struct nvkm_fifo *fifo) + { +@@ -599,6 +605,7 @@ ga100_fifo = { + .runl_ctor = ga100_fifo_runl_ctor, + .mmu_fault = &tu102_fifo_mmu_fault, + .nonstall_ctor = ga100_fifo_nonstall_ctor, ++ .nonstall_dtor = ga100_fifo_nonstall_dtor, + .nonstall = &ga100_fifo_nonstall, + .runl = &ga100_runl, + .runq = &ga100_runq, +--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c +@@ -30,6 +30,7 @@ ga102_fifo = { + .runl_ctor = ga100_fifo_runl_ctor, + .mmu_fault = &tu102_fifo_mmu_fault, + .nonstall_ctor = ga100_fifo_nonstall_ctor, ++ .nonstall_dtor = ga100_fifo_nonstall_dtor, + .nonstall = &ga100_fifo_nonstall, + .runl = &ga100_runl, + .runq = &ga100_runq, +--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h +@@ -41,6 +41,7 @@ struct nvkm_fifo_func { + void (*start)(struct nvkm_fifo *, unsigned long *); + + int (*nonstall_ctor)(struct nvkm_fifo *); ++ void (*nonstall_dtor)(struct nvkm_fifo *); + const struct nvkm_event_func *nonstall; + + const struct nvkm_runl_func *runl; +@@ -200,6 +201,7 @@ u32 tu102_chan_doorbell_handle(struct nv + + int ga100_fifo_runl_ctor(struct nvkm_fifo *); + int ga100_fifo_nonstall_ctor(struct nvkm_fifo *); ++void ga100_fifo_nonstall_dtor(struct nvkm_fifo *); + extern const struct nvkm_event_func ga100_fifo_nonstall; + extern const struct nvkm_runl_func ga100_runl; + extern const struct nvkm_runq_func ga100_runq; +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/fifo.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/fifo.c +@@ -601,6 +601,7 @@ r535_fifo_new(const struct nvkm_fifo_fun + rm->chan.func = &r535_chan; + rm->nonstall = &ga100_fifo_nonstall; + rm->nonstall_ctor = ga100_fifo_nonstall_ctor; ++ rm->nonstall_dtor = ga100_fifo_nonstall_dtor; + + return nvkm_fifo_new_(rm, device, type, inst, pfifo); + } 
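Review bot: `ga100_fifo_nonstall_block()` and `ga100_fifo_nonstall_allow()` are left with empty bodies and no comment, so a later reader cannot tell a deliberate no-op from an unfinished stub. A one-line comment in each, e.g. `/* Intentionally empty: the nonstall interrupt stays allowed from nonstall_ctor until nonstall_dtor. */`, would record reasoning that currently lives only in the commit message. In `nvkm_fifo_dtor()` the new `nonstall_dtor` call is placed after `nvkm_event_fini()`, and the rest of that function is outside the hunk. The ordering looks intended, but it deserves a short note there as well.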
diff --git a/queue-6.16/nouveau-membar-before-between-semaphore-writes-and-the-interrupt.patch b/queue-6.16/nouveau-membar-before-between-semaphore-writes-and-the-interrupt.patch new file mode 100644 index 0000000000..6c806843b8 --- /dev/null +++ b/queue-6.16/nouveau-membar-before-between-semaphore-writes-and-the-interrupt.patch 
@@ -0,0 +1,149 @@ +From 2cb66ae6040fd3cb058c3391b180f378fc0e3e2f Mon Sep 17 00:00:00 2001 +From: Faith Ekstrand +Date: Fri, 29 Aug 2025 12:16:33 +1000 +Subject: nouveau: Membar before between semaphore writes and the interrupt + +From: Faith Ekstrand + +commit 2cb66ae6040fd3cb058c3391b180f378fc0e3e2f upstream. + +This ensures that the memory write and the interrupt are properly +ordered and we won't wake up the kernel before the semaphore write has +hit memory. + +Fixes: b1ca384772b6 ("drm/nouveau/gv100-: switch to volta semaphore methods") +Cc: stable@vger.kernel.org +Signed-off-by: Faith Ekstrand +Signed-off-by: Dave Airlie +Link: https://lore.kernel.org/r/20250829021633.1674524-2-airlied@gmail.com +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/gv100_fence.c | 7 +- + .../drm/nouveau/include/nvhw/class/clc36f.h | 85 +++++++++++++++++++ + 2 files changed, 91 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/gv100_fence.c b/drivers/gpu/drm/nouveau/gv100_fence.c +index cccdeca72002..317e516c4ec7 100644 +--- a/drivers/gpu/drm/nouveau/gv100_fence.c ++++ b/drivers/gpu/drm/nouveau/gv100_fence.c +@@ -18,7 +18,7 @@ gv100_fence_emit32(struct nouveau_channel *chan, u64 virtual, u32 sequence) + struct nvif_push *push = &chan->chan.push; + int ret; + +- ret = PUSH_WAIT(push, 8); ++ ret = PUSH_WAIT(push, 13); + if (ret) + return ret; + +@@ -32,6 +32,11 @@ gv100_fence_emit32(struct nouveau_channel *chan, u64 virtual, u32 sequence) + NVDEF(NVC36F, SEM_EXECUTE, PAYLOAD_SIZE, 32BIT) | + NVDEF(NVC36F, SEM_EXECUTE, RELEASE_TIMESTAMP, DIS)); + ++ PUSH_MTHD(push, NVC36F, MEM_OP_A, 0, ++ MEM_OP_B, 0, ++ MEM_OP_C, NVDEF(NVC36F, MEM_OP_C, MEMBAR_TYPE, SYS_MEMBAR), ++ MEM_OP_D, NVDEF(NVC36F, MEM_OP_D, OPERATION, MEMBAR)); ++ + PUSH_MTHD(push, NVC36F, NON_STALL_INTERRUPT, 0); + + PUSH_KICK(push); +diff --git a/drivers/gpu/drm/nouveau/include/nvhw/class/clc36f.h b/drivers/gpu/drm/nouveau/include/nvhw/class/clc36f.h +index 
8735dda4c8a7..338f74b9f501 100644 +--- a/drivers/gpu/drm/nouveau/include/nvhw/class/clc36f.h ++++ b/drivers/gpu/drm/nouveau/include/nvhw/class/clc36f.h +@@ -7,6 +7,91 @@ + + #define NVC36F_NON_STALL_INTERRUPT (0x00000020) + #define NVC36F_NON_STALL_INTERRUPT_HANDLE 31:0 ++// NOTE - MEM_OP_A and MEM_OP_B have been replaced in gp100 with methods for ++// specifying the page address for a targeted TLB invalidate and the uTLB for ++// a targeted REPLAY_CANCEL for UVM. ++// The previous MEM_OP_A/B functionality is in MEM_OP_C/D, with slightly ++// rearranged fields. ++#define NVC36F_MEM_OP_A (0x00000028) ++#define NVC36F_MEM_OP_A_TLB_INVALIDATE_CANCEL_TARGET_CLIENT_UNIT_ID 5:0 // only relevant for REPLAY_CANCEL_TARGETED ++#define NVC36F_MEM_OP_A_TLB_INVALIDATE_INVALIDATION_SIZE 5:0 // Used to specify size of invalidate, used for invalidates which are not of the REPLAY_CANCEL_TARGETED type ++#define NVC36F_MEM_OP_A_TLB_INVALIDATE_CANCEL_TARGET_GPC_ID 10:6 // only relevant for REPLAY_CANCEL_TARGETED ++#define NVC36F_MEM_OP_A_TLB_INVALIDATE_CANCEL_MMU_ENGINE_ID 6:0 // only relevant for REPLAY_CANCEL_VA_GLOBAL ++#define NVC36F_MEM_OP_A_TLB_INVALIDATE_SYSMEMBAR 11:11 ++#define NVC36F_MEM_OP_A_TLB_INVALIDATE_SYSMEMBAR_EN 0x00000001 ++#define NVC36F_MEM_OP_A_TLB_INVALIDATE_SYSMEMBAR_DIS 0x00000000 ++#define NVC36F_MEM_OP_A_TLB_INVALIDATE_TARGET_ADDR_LO 31:12 ++#define NVC36F_MEM_OP_B (0x0000002c) ++#define NVC36F_MEM_OP_B_TLB_INVALIDATE_TARGET_ADDR_HI 31:0 ++#define NVC36F_MEM_OP_C (0x00000030) ++#define NVC36F_MEM_OP_C_MEMBAR_TYPE 2:0 ++#define NVC36F_MEM_OP_C_MEMBAR_TYPE_SYS_MEMBAR 0x00000000 ++#define NVC36F_MEM_OP_C_MEMBAR_TYPE_MEMBAR 0x00000001 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PDB 0:0 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PDB_ONE 0x00000000 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PDB_ALL 0x00000001 // Probably nonsensical for MMU_TLB_INVALIDATE_TARGETED ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_GPC 1:1 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_GPC_ENABLE 
0x00000000 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_GPC_DISABLE 0x00000001 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_REPLAY 4:2 // only relevant if GPC ENABLE ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_REPLAY_NONE 0x00000000 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_REPLAY_START 0x00000001 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_REPLAY_START_ACK_ALL 0x00000002 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_REPLAY_CANCEL_TARGETED 0x00000003 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_REPLAY_CANCEL_GLOBAL 0x00000004 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_REPLAY_CANCEL_VA_GLOBAL 0x00000005 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE 6:5 // only relevant if GPC ENABLE ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE_NONE 0x00000000 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE_GLOBALLY 0x00000001 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACK_TYPE_INTRANODE 0x00000002 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACCESS_TYPE 9:7 //only relevant for REPLAY_CANCEL_VA_GLOBAL ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACCESS_TYPE_VIRT_READ 0 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACCESS_TYPE_VIRT_WRITE 1 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACCESS_TYPE_VIRT_ATOMIC_STRONG 2 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACCESS_TYPE_VIRT_RSVRVD 3 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACCESS_TYPE_VIRT_ATOMIC_WEAK 4 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACCESS_TYPE_VIRT_ATOMIC_ALL 5 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACCESS_TYPE_VIRT_WRITE_AND_ATOMIC 6 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_ACCESS_TYPE_VIRT_ALL 7 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL 9:7 // Invalidate affects this level and all below ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_ALL 0x00000000 // Invalidate tlb caches at all levels of the page table ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_PTE_ONLY 0x00000001 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE0 0x00000002 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE1 
0x00000003 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE2 0x00000004 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE3 0x00000005 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE4 0x00000006 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PAGE_TABLE_LEVEL_UP_TO_PDE5 0x00000007 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE 11:10 // only relevant if PDB_ONE ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE_VID_MEM 0x00000000 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE_SYS_MEM_COHERENT 0x00000002 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PDB_APERTURE_SYS_MEM_NONCOHERENT 0x00000003 ++#define NVC36F_MEM_OP_C_TLB_INVALIDATE_PDB_ADDR_LO 31:12 // only relevant if PDB_ONE ++#define NVC36F_MEM_OP_C_ACCESS_COUNTER_CLR_TARGETED_NOTIFY_TAG 19:0 ++// MEM_OP_D MUST be preceded by MEM_OPs A-C. ++#define NVC36F_MEM_OP_D (0x00000034) ++#define NVC36F_MEM_OP_D_TLB_INVALIDATE_PDB_ADDR_HI 26:0 // only relevant if PDB_ONE ++#define NVC36F_MEM_OP_D_OPERATION 31:27 ++#define NVC36F_MEM_OP_D_OPERATION_MEMBAR 0x00000005 ++#define NVC36F_MEM_OP_D_OPERATION_MMU_TLB_INVALIDATE 0x00000009 ++#define NVC36F_MEM_OP_D_OPERATION_MMU_TLB_INVALIDATE_TARGETED 0x0000000a ++#define NVC36F_MEM_OP_D_OPERATION_L2_PEERMEM_INVALIDATE 0x0000000d ++#define NVC36F_MEM_OP_D_OPERATION_L2_SYSMEM_INVALIDATE 0x0000000e ++// CLEAN_LINES is an alias for Tegra/GPU IP usage ++#define NVC36F_MEM_OP_B_OPERATION_L2_INVALIDATE_CLEAN_LINES 0x0000000e ++#define NVC36F_MEM_OP_D_OPERATION_L2_CLEAN_COMPTAGS 0x0000000f ++#define NVC36F_MEM_OP_D_OPERATION_L2_FLUSH_DIRTY 0x00000010 ++#define NVC36F_MEM_OP_D_OPERATION_L2_WAIT_FOR_SYS_PENDING_READS 0x00000015 ++#define NVC36F_MEM_OP_D_OPERATION_ACCESS_COUNTER_CLR 0x00000016 ++#define NVC36F_MEM_OP_D_ACCESS_COUNTER_CLR_TYPE 1:0 ++#define NVC36F_MEM_OP_D_ACCESS_COUNTER_CLR_TYPE_MIMC 0x00000000 ++#define NVC36F_MEM_OP_D_ACCESS_COUNTER_CLR_TYPE_MOMC 0x00000001 ++#define NVC36F_MEM_OP_D_ACCESS_COUNTER_CLR_TYPE_ALL 
0x00000002 ++#define NVC36F_MEM_OP_D_ACCESS_COUNTER_CLR_TYPE_TARGETED 0x00000003 ++#define NVC36F_MEM_OP_D_ACCESS_COUNTER_CLR_TARGETED_TYPE 2:2 ++#define NVC36F_MEM_OP_D_ACCESS_COUNTER_CLR_TARGETED_TYPE_MIMC 0x00000000 ++#define NVC36F_MEM_OP_D_ACCESS_COUNTER_CLR_TARGETED_TYPE_MOMC 0x00000001 ++#define NVC36F_MEM_OP_D_ACCESS_COUNTER_CLR_TARGETED_BANK 6:3 + #define NVC36F_SEM_ADDR_LO (0x0000005c) + #define NVC36F_SEM_ADDR_LO_OFFSET 31:2 + #define NVC36F_SEM_ADDR_HI (0x00000060) +-- +2.51.0 + diff --git a/queue-6.16/ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch b/queue-6.16/ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch new file mode 100644 index 0000000000..e77f6946ab --- /dev/null +++ b/queue-6.16/ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch 
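Review bot: `PUSH_WAIT(push, 13)` in gv100_fence_emit32() is a hand-counted budget that has to track the PUSH_MTHD() calls below it, and nothing in the code says how 13 is derived. A comment such as `/* 8 for the semaphore release and interrupt, 5 for MEM_OP_A..D */` next to it would let the next person who adds a method update the count instead of guessing (the 8 + 5 split is inferred from the old value and the four new data words plus a header). The start of the semaphore PUSH_MTHD() call is outside the hunk, so the existing 8 could not be re-counted here. If other fence emit paths in this file use the same semaphore-then-interrupt sequence, they would presumably need the same barrier, which is not visible from this patch.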
@@ -0,0 +1,58 @@
+From f46e8ef8bb7b452584f2e75337b619ac51a7cadf Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis
+Date: Tue, 19 Aug 2025 21:41:02 +0800
+Subject: ocfs2: prevent release journal inode after journal shutdown
+
+From: Edward Adam Davis
+
+commit f46e8ef8bb7b452584f2e75337b619ac51a7cadf upstream.
+
+Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
+been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
+Therefore, the following calltrace will inevitably fail when it reaches
+jbd2_journal_release_jbd_inode().
+
+ocfs2_dismount_volume()->
+ ocfs2_delete_osb()->
+ ocfs2_free_slot_info()->
+ __ocfs2_free_slot_info()->
+ evict()->
+ ocfs2_evict_inode()->
+ ocfs2_clear_inode()->
+ jbd2_journal_release_jbd_inode(osb->journal->j_journal,
+
+Adding osb->journal checks will prevent null-ptr-deref during the above
+execution path.
+
+Link: https://lkml.kernel.org/r/tencent_357489BEAEE4AED74CBD67D246DBD2C4C606@qq.com
+Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown")
+Signed-off-by: Edward Adam Davis
+Reported-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=47d8cb2f2cc1517e515a
+Tested-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
+Reviewed-by: Mark Tinguely
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1219,6 +1219,9 @@ static void ocfs2_clear_inode(struct ino
+ * the journal is flushed before journal shutdown. Thus it is safe to
+ * have inodes get cleaned up after journal shutdown.
+ */
++ if (!osb->journal)
++ return;
++
+ jbd2_journal_release_jbd_inode(osb->journal->j_journal,
+ &oi->ip_jinode);
+ }
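Review bot: The new `if (!osb->journal) return;` sits directly under a comment that ends "Thus it is safe to have inodes get cleaned up after journal shutdown", which does not explain why the release call is now skipped. Extending that comment with a sentence like `osb->journal is NULL once ocfs2_journal_shutdown() has run, so there is no jbd2 inode left to release.` would keep the comment and the code in agreement. The early return is harmless today because jbd2_journal_release_jbd_inode() is the last statement before the closing brace shown in the hunk. Wrapping the call as `if (osb->journal)` would avoid silently skipping anything added below it later. The start of ocfs2_clear_inode() is outside the hunk.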
diff --git a/queue-6.16/of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch b/queue-6.16/of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch new file mode 100644 index 0000000000..d6c86044a8 --- /dev/null +++ b/queue-6.16/of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch 
@@ -0,0 +1,133 @@ +From ee4d098cbc9160f573b5c1b5a51d6158efdb2896 Mon Sep 17 00:00:00 2001 +From: Yin Tirui +Date: Tue, 19 Aug 2025 15:55:10 +0800 +Subject: of_numa: fix uninitialized memory nodes causing kernel panic + +From: Yin Tirui + +commit ee4d098cbc9160f573b5c1b5a51d6158efdb2896 upstream. + +When there are memory-only nodes (nodes without CPUs), these nodes are not +properly initialized, causing kernel panic during boot. + +of_numa_init + of_numa_parse_cpu_nodes + node_set(nid, numa_nodes_parsed); + of_numa_parse_memory_nodes + +In of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes +containing CPUs. Memory-only nodes should have been updated in +of_numa_parse_memory_nodes, but they weren't. + +Subsequently, when free_area_init() attempts to access NODE_DATA() for +these uninitialized memory nodes, the kernel panics due to NULL pointer +dereference. + +This can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes: + +qemu-system-aarch64 \ +-cpu host -nographic \ +-m 4G -smp 1 \ +-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \ +-object memory-backend-ram,size=2G,id=mem0 \ +-object memory-backend-ram,size=2G,id=mem1 \ +-numa node,nodeid=0,memdev=mem0 \ +-numa node,nodeid=1,memdev=mem1 \ +-kernel $IMAGE \ +-hda $DISK \ +-append "console=ttyAMA0 root=/dev/vda rw earlycon" + +[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010] +[ 0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025 +[ 0.000000] KASLR enabled +[ 0.000000] random: crng init done +[ 0.000000] Machine model: linux,dummy-virt +[ 0.000000] efi: UEFI not found. 
+[ 0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options '') +[ 0.000000] printk: legacy bootconsole [pl11] enabled +[ 0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT +[ 0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff] +[ 0.000000] node 1 must be removed before remove section 23 +[ 0.000000] Zone ranges: +[ 0.000000] DMA [mem 0x0000000040000000-0x00000000ffffffff] +[ 0.000000] DMA32 empty +[ 0.000000] Normal [mem 0x0000000100000000-0x000000013fffffff] +[ 0.000000] Movable zone start for each node +[ 0.000000] Early memory node ranges +[ 0.000000] node 0: [mem 0x0000000040000000-0x00000000bfffffff] +[ 0.000000] node 1: [mem 0x00000000c0000000-0x000000013fffffff] +[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff] +[ 0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 +[ 0.000000] Mem abort info: +[ 0.000000] ESR = 0x0000000096000004 +[ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits +[ 0.000000] SET = 0, FnV = 0 +[ 0.000000] EA = 0, S1PTW = 0 +[ 0.000000] FSC = 0x04: level 0 translation fault +[ 0.000000] Data abort info: +[ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 +[ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 0.000000] [00000000000000a0] user address but active_mm is swapper +[ 0.000000] Internal error: Oops: 0000000096000004 [#1] SMP +[ 0.000000] Modules linked in: +[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT +[ 0.000000] Hardware name: linux,dummy-virt (DT) +[ 0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 0.000000] pc : free_area_init+0x50c/0xf9c +[ 0.000000] lr : free_area_init+0x5c0/0xf9c +[ 0.000000] sp : ffffa02ca0f33c00 +[ 0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000 +[ 0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 
00000000000c0000 +[ 0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368 +[ 0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002 +[ 0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001 +[ 0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002 +[ 0.000000] x11: ffffa02ca0fd4f00 x10: ffffa02ca14bab20 x9 : ffffa02ca14bab38 +[ 0.000000] x8 : 00000000000c0000 x7 : 0000000000000001 x6 : 0000000000000002 +[ 0.000000] x5 : 0000000140000000 x4 : ffffa02ca0f33c90 x3 : ffffa02ca0f33ca0 +[ 0.000000] x2 : ffffa02ca0f33c98 x1 : 0000000080000000 x0 : 0000000000000001 +[ 0.000000] Call trace: +[ 0.000000] free_area_init+0x50c/0xf9c (P) +[ 0.000000] bootmem_init+0x110/0x1dc +[ 0.000000] setup_arch+0x278/0x60c +[ 0.000000] start_kernel+0x70/0x748 +[ 0.000000] __primary_switched+0x88/0x90 +[ 0.000000] Code: d503201f b98093e0 52800016 f8607a93 (f9405260) +[ 0.000000] ---[ end trace 0000000000000000 ]--- +[ 0.000000] Kernel panic - not syncing: Attempted to kill the idle task! +[ 0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! 
]--- + +Link: https://lkml.kernel.org/r/20250819075510.2079961-1-yintirui@huawei.com +Fixes: 767507654c22 ("arch_numa: switch over to numa_memblks") +Signed-off-by: Yin Tirui +Acked-by: David Hildenbrand +Acked-by: Mike Rapoport (Microsoft) +Reviewed-by: Kefeng Wang +Cc: Chen Jun +Cc: Dan Williams +Cc: Joanthan Cameron +Cc: Rob Herring +Cc: Saravana Kannan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/of_numa.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/of/of_numa.c ++++ b/drivers/of/of_numa.c +@@ -59,8 +59,11 @@ static int __init of_numa_parse_memory_n + r = -EINVAL; + } + +- for (i = 0; !r && !of_address_to_resource(np, i, &rsrc); i++) ++ for (i = 0; !r && !of_address_to_resource(np, i, &rsrc); i++) { + r = numa_add_memblk(nid, rsrc.start, rsrc.end + 1); ++ if (!r) ++ node_set(nid, numa_nodes_parsed); ++ } + + if (!i || r) { + of_node_put(np); diff --git a/queue-6.16/platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch b/queue-6.16/platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch new file mode 100644 index 0000000000..bb099f8f5c --- /dev/null +++ b/queue-6.16/platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch 
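Review bot: In of_numa_parse_memory_nodes() the added `node_set(nid, numa_nodes_parsed)` runs inside the `for` loop after each successful numa_add_memblk(), so a node is marked as parsed once its first range is added even if a later range fails and the function returns that error. Whether the caller discards numa_nodes_parsed on failure is not visible in this hunk; if it does not, setting the bit once after the loop, `if (i && !r) node_set(nid, numa_nodes_parsed);`, keeps the mask consistent with the return value and avoids repeating the call per range. The function begins and continues outside the hunk.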
@@ -0,0 +1,52 @@
+From c96f86217bb28e019403bb8f59eacd8ad5a7ad1a Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg
+Date: Wed, 27 Aug 2025 15:13:51 +0200
+Subject: platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christoffer Sandberg
+
+commit c96f86217bb28e019403bb8f59eacd8ad5a7ad1a upstream.
+
+Prevents instant wakeup ~1s after suspend.
+
+It seems to be kernel/system dependent if the IRQ actually manages to wake
+the system every time or if it gets ignored (and everything works as
+expected).
+
+Signed-off-by: Christoffer Sandberg
+Signed-off-by: Werner Sembach
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250827131424.16436-1-wse@tuxedocomputers.com
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -248,6 +248,20 @@ static const struct dmi_system_id fwbug_
+ DMI_MATCH(DMI_PRODUCT_NAME, "Lafite Pro V 14M"),
+ }
+ },
++ {
++ .ident = "TUXEDO InfinityBook Pro 14/15 AMD Gen10",
++ .driver_data = &quirk_spurious_8042,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "XxHP4NAx"),
++ }
++ },
++ {
++ .ident = "TUXEDO InfinityBook Pro 14/15 AMD Gen10",
++ .driver_data = &quirk_spurious_8042,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "XxKK4NAx_XxSP4NAx"),
++ }
++ },
+ {}
+ };
+
diff --git a/queue-6.16/proc-fix-missing-pde_set_flags-for-net-proc-files.patch b/queue-6.16/proc-fix-missing-pde_set_flags-for-net-proc-files.patch
new file mode 100644
index 0000000000..225d39b544
--- /dev/null
+++ b/queue-6.16/proc-fix-missing-pde_set_flags-for-net-proc-files.patch
@@ -0,0 +1,132 @@ +From 2ce3d282bd5050fca8577defeff08ada0d55d062 Mon Sep 17 00:00:00 2001 +From: wangzijie +Date: Mon, 18 Aug 2025 20:31:02 +0800 +Subject: proc: fix missing pde_set_flags() for net proc files +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: wangzijie + +commit 2ce3d282bd5050fca8577defeff08ada0d55d062 upstream. + +To avoid potential UAF issues during module removal races, we use +pde_set_flags() to save proc_ops flags in PDE itself before +proc_register(), and then use pde_has_proc_*() helpers instead of directly +dereferencing pde->proc_ops->*. + +However, the pde_set_flags() call was missing when creating net related +proc files. This omission caused incorrect behavior which FMODE_LSEEK was +being cleared inappropriately in proc_reg_open() for net proc files. Lars +reported it in this link[1]. + +Fix this by ensuring pde_set_flags() is called when register proc entry, +and add NULL check for proc_ops in pde_set_flags(). + +[wangzijie1@honor.com: stash pde->proc_ops in a local const variable, per Christian] + Link: https://lkml.kernel.org/r/20250821105806.1453833-1-wangzijie1@honor.com +Link: https://lkml.kernel.org/r/20250818123102.959595-1-wangzijie1@honor.com +Link: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ [1] +Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al") +Signed-off-by: wangzijie +Reported-by: Lars Wendler +Tested-by: Stefano Brivio +Tested-by: Petr Vaněk +Tested by: Lars Wendler +Cc: Alexei Starovoitov +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: "Edgecombe, Rick P" +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Kirill A. 
Shutemov +Cc: wangzijie +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/generic.c | 38 +++++++++++++++++++++----------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +--- a/fs/proc/generic.c ++++ b/fs/proc/generic.c +@@ -364,6 +364,25 @@ static const struct inode_operations pro + .setattr = proc_notify_change, + }; + ++static void pde_set_flags(struct proc_dir_entry *pde) ++{ ++ const struct proc_ops *proc_ops = pde->proc_ops; ++ ++ if (!proc_ops) ++ return; ++ ++ if (proc_ops->proc_flags & PROC_ENTRY_PERMANENT) ++ pde->flags |= PROC_ENTRY_PERMANENT; ++ if (proc_ops->proc_read_iter) ++ pde->flags |= PROC_ENTRY_proc_read_iter; ++#ifdef CONFIG_COMPAT ++ if (proc_ops->proc_compat_ioctl) ++ pde->flags |= PROC_ENTRY_proc_compat_ioctl; ++#endif ++ if (proc_ops->proc_lseek) ++ pde->flags |= PROC_ENTRY_proc_lseek; ++} ++ + /* returns the registered entry, or frees dp and returns NULL on failure */ + struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, + struct proc_dir_entry *dp) +@@ -371,6 +390,8 @@ struct proc_dir_entry *proc_register(str + if (proc_alloc_inum(&dp->low_ino)) + goto out_free_entry; + ++ pde_set_flags(dp); ++ + write_lock(&proc_subdir_lock); + dp->parent = dir; + if (pde_subdir_insert(dir, dp) == false) { +@@ -559,20 +580,6 @@ struct proc_dir_entry *proc_create_reg(c + return p; + } + +-static void pde_set_flags(struct proc_dir_entry *pde) +-{ +- if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) +- pde->flags |= PROC_ENTRY_PERMANENT; +- if (pde->proc_ops->proc_read_iter) +- pde->flags |= PROC_ENTRY_proc_read_iter; +-#ifdef CONFIG_COMPAT +- if (pde->proc_ops->proc_compat_ioctl) +- pde->flags |= PROC_ENTRY_proc_compat_ioctl; +-#endif +- if (pde->proc_ops->proc_lseek) +- pde->flags |= PROC_ENTRY_proc_lseek; +-} +- + struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, + struct proc_dir_entry *parent, + const struct proc_ops *proc_ops, void *data) +@@ -583,7 +590,6 @@ struct 
proc_dir_entry *proc_create_data( + if (!p) + return NULL; + p->proc_ops = proc_ops; +- pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_data); +@@ -634,7 +640,6 @@ struct proc_dir_entry *proc_create_seq_p + p->proc_ops = &proc_seq_ops; + p->seq_ops = ops; + p->state_size = state_size; +- pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_seq_private); +@@ -665,7 +670,6 @@ struct proc_dir_entry *proc_create_singl + return NULL; + p->proc_ops = &proc_single_ops; + p->single_show = show; +- pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_single_data); diff --git a/queue-6.16/sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch b/queue-6.16/sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch new file mode 100644 index 0000000000..e3da261ec9 --- /dev/null +++ b/queue-6.16/sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch 
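Review bot: pde_set_flags() is now called from proc_register() for every entry, but the reason it must run there, before the entry is inserted under `proc_subdir_lock`, is recorded only in the commit message. A short comment on the helper would keep that ordering from being undone later, for example `/* Cache proc_ops-derived flags in the PDE before it is published; proc_ops may be NULL, hence the check. */`. The helper only ORs bits into `pde->flags`, so running it on an entry whose flags were set earlier looks harmless, but whether any caller adjusts the flags between allocation and registration is not visible in these hunks.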
@@ -0,0 +1,110 @@ +From 5ebf512f335053a42482ebff91e46c6dc156bf8c Mon Sep 17 00:00:00 2001 +From: Christian Loehle +Date: Wed, 3 Sep 2025 16:48:32 +0100 +Subject: sched: Fix sched_numa_find_nth_cpu() if mask offline + +From: Christian Loehle + +commit 5ebf512f335053a42482ebff91e46c6dc156bf8c upstream. + +sched_numa_find_nth_cpu() uses a bsearch to look for the 'closest' +CPU in sched_domains_numa_masks and given cpus mask. However they +might not intersect if all CPUs in the cpus mask are offline. bsearch +will return NULL in that case, bail out instead of dereferencing a +bogus pointer. + +The previous behaviour lead to this bug when using maxcpus=4 on an +rk3399 (LLLLbb) (i.e. booting with all big CPUs offline): + +[ 1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000 +[ 1.423635] Mem abort info: +[ 1.423889] ESR = 0x0000000096000006 +[ 1.424227] EC = 0x25: DABT (current EL), IL = 32 bits +[ 1.424715] SET = 0, FnV = 0 +[ 1.424995] EA = 0, S1PTW = 0 +[ 1.425279] FSC = 0x06: level 2 translation fault +[ 1.425735] Data abort info: +[ 1.425998] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 +[ 1.426499] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 1.426952] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000 +[ 1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000 +[ 1.429014] Internal error: Oops: 0000000096000006 [#1] SMP +[ 1.429525] Modules linked in: +[ 1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT +[ 1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT) +[ 1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488 +[ 1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488 +[ 1.432543] sp : ffffffc084e1b960 +[ 1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0 +[ 1.433495] x26: 
0000000000000000 x25: 0000000000000000 x24: 0000000000000000 +[ 1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378 +[ 1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff +[ 1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7 +[ 1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372 +[ 1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860 +[ 1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000 +[ 1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000 +[ 1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68 +[ 1.439332] Call trace: +[ 1.439559] sched_numa_find_nth_cpu+0x2a0/0x488 (P) +[ 1.440016] smp_call_function_any+0xc8/0xd0 +[ 1.440416] armv8_pmu_init+0x58/0x27c +[ 1.440770] armv8_cortex_a72_pmu_init+0x20/0x2c +[ 1.441199] arm_pmu_device_probe+0x1e4/0x5e8 +[ 1.441603] armv8_pmu_device_probe+0x1c/0x28 +[ 1.442007] platform_probe+0x5c/0xac +[ 1.442347] really_probe+0xbc/0x298 +[ 1.442683] __driver_probe_device+0x78/0x12c +[ 1.443087] driver_probe_device+0xdc/0x160 +[ 1.443475] __driver_attach+0x94/0x19c +[ 1.443833] bus_for_each_dev+0x74/0xd4 +[ 1.444190] driver_attach+0x24/0x30 +[ 1.444525] bus_add_driver+0xe4/0x208 +[ 1.444874] driver_register+0x60/0x128 +[ 1.445233] __platform_driver_register+0x24/0x30 +[ 1.445662] armv8_pmu_driver_init+0x28/0x4c +[ 1.446059] do_one_initcall+0x44/0x25c +[ 1.446416] kernel_init_freeable+0x1dc/0x3bc +[ 1.446820] kernel_init+0x20/0x1d8 +[ 1.447151] ret_from_fork+0x10/0x20 +[ 1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803) +[ 1.448040] ---[ end trace 0000000000000000 ]--- +[ 1.448483] note: swapper/0[1] exited with preempt_count 1 +[ 1.449047] Kernel panic - not syncing: Attempted to kill init! 
exitcode=0x0000000b +[ 1.449741] SMP: stopping secondary CPUs +[ 1.450105] Kernel Offset: disabled +[ 1.450419] CPU features: 0x000000,00080000,20002001,0400421b +[ 1.450935] Memory Limit: none +[ 1.451217] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]--- + +Yury: with the fix, the function returns cpu == nr_cpu_ids, and later in + + smp_call_function_any -> + smp_call_function_single -> + generic_exec_single + +we test the cpu for '>= nr_cpu_ids' and return -ENXIO. So everything is +handled correctly. + +Fixes: cd7f55359c90 ("sched: add sched_numa_find_nth_cpu()") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Loehle +Signed-off-by: Yury Norov (NVIDIA) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/topology.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/sched/topology.c ++++ b/kernel/sched/topology.c +@@ -2212,6 +2212,8 @@ int sched_numa_find_nth_cpu(const struct + goto unlock; + + hop_masks = bsearch(&k, k.masks, sched_domains_numa_levels, sizeof(k.masks[0]), hop_cmp); ++ if (!hop_masks) ++ goto unlock; + hop = hop_masks - k.masks; + + ret = hop ? diff --git a/queue-6.16/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch b/queue-6.16/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch new file mode 100644 index 0000000000..88c5bfb37a --- /dev/null +++ b/queue-6.16/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch 
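Review bot: The added `if (!hop_masks) goto unlock;` in sched_numa_find_nth_cpu() depends on `ret` already holding the "no CPU" value when control reaches the `unlock` label, and that initialisation is outside the hunk. The commit message states the function then returns `nr_cpu_ids`, so I would put that next to the check: `/* no hop mask intersects @cpus (e.g. all of them offline): fall through with ret == nr_cpu_ids */`. Without it, a later change to how `ret` is initialised could silently turn this path into returning a valid-looking CPU number.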
@@ -0,0 +1,70 @@ +From 9dba9a45c348e8460da97c450cddf70b2056deb3 Mon Sep 17 00:00:00 2001 +From: John Evans +Date: Thu, 28 Aug 2025 12:40:08 +0800 +Subject: scsi: lpfc: Fix buffer free/clear order in deferred receive path + +From: John Evans + +commit 9dba9a45c348e8460da97c450cddf70b2056deb3 upstream. + +Fix a use-after-free window by correcting the buffer release sequence in +the deferred receive path. The code freed the RQ buffer first and only +then cleared the context pointer under the lock. Concurrent paths (e.g., +ABTS and the repost path) also inspect and release the same pointer under +the lock, so the old order could lead to double-free/UAF. + +Note that the repost path already uses the correct pattern: detach the +pointer under the lock, then free it after dropping the lock. The +deferred path should do the same. + +Fixes: 472e146d1cf3 ("scsi: lpfc: Correct upcalling nvmet_fc transport during io done downcall") +Cc: stable@vger.kernel.org +Signed-off-by: John Evans +Link: https://lore.kernel.org/r/20250828044008.743-1-evans1210144@gmail.com +Reviewed-by: Justin Tee +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_nvmet.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_nvmet.c ++++ b/drivers/scsi/lpfc/lpfc_nvmet.c +@@ -1243,7 +1243,7 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar + struct lpfc_nvmet_tgtport *tgtp; + struct lpfc_async_xchg_ctx *ctxp = + container_of(rsp, struct lpfc_async_xchg_ctx, hdlrctx.fcp_req); +- struct rqb_dmabuf *nvmebuf = ctxp->rqb_buffer; ++ struct rqb_dmabuf *nvmebuf; + struct lpfc_hba *phba = ctxp->phba; + unsigned long iflag; + +@@ -1251,13 +1251,18 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar + lpfc_nvmeio_data(phba, "NVMET DEFERRCV: xri x%x sz %d CPU %02x\n", + ctxp->oxid, ctxp->size, raw_smp_processor_id()); + ++ spin_lock_irqsave(&ctxp->ctxlock, iflag); ++ nvmebuf = ctxp->rqb_buffer; + if (!nvmebuf) { ++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + lpfc_printf_log(phba, KERN_INFO, LOG_NVME_IOERR, + "6425 Defer rcv: no buffer oxid x%x: " + "flg %x ste %x\n", + ctxp->oxid, ctxp->flag, ctxp->state); + return; + } ++ ctxp->rqb_buffer = NULL; ++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + + tgtp = phba->targetport->private; + if (tgtp) +@@ -1265,9 +1270,6 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar + + /* Free the nvmebuf since a new buffer already replaced it */ + nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf); +- spin_lock_irqsave(&ctxp->ctxlock, iflag); +- ctxp->rqb_buffer = NULL; +- spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + } + + /** diff --git a/queue-6.16/series b/queue-6.16/series index 9c788c00dd..155e13b655 100644 --- a/queue-6.16/series +++ b/queue-6.16/series 
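Review bot: The detach-then-free order that closes the use-after-free window in lpfc_nvmet_defer_rcv() is not explained where `ctxp->rqb_buffer = NULL;` is set, so the invariant the other paths rely on lives only in the commit message. I would add `/* Detach under ctxlock so no other path can release this buffer; it is freed after the unlock. */` above that assignment. Separately, the `!nvmebuf` branch formats `ctxp->flag` and `ctxp->state` into the 6425 log line after `spin_unlock_irqrestore()`, so if those fields are also updated under `ctxlock` (not visible here) the logged values can be stale; that affects the log text only. The opening lines of the function are outside the inner hunks.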
@@ -107,3 +107,36 @@ mm-move-page-table-sync-declarations-to-linux-pgtable.h.patch mm-introduce-and-use-pgd-p4d-_populate_kernel.patch mm-fix-possible-deadlock-in-kmemleak.patch mm-slub-avoid-wake-up-kswapd-in-set_track_prepare.patch +sched-fix-sched_numa_find_nth_cpu-if-mask-offline.patch +kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch +kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch +ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch +proc-fix-missing-pde_set_flags-for-net-proc-files.patch +of_numa-fix-uninitialized-memory-nodes-causing-kernel-panic.patch +soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch +wifi-mac80211-do-not-permit-40-mhz-eht-operation-on-5-6-ghz.patch +wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch +wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch +wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch +wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch +wifi-mt76-mt7925-skip-eht-mld-tlv-on-non-mld-and-pass-conn_state-for-sta_cmd.patch +net-ethernet-oa_tc6-handle-failure-of-spi_setup.patch +spi-microchip-core-qspi-stop-checking-viability-of-op-max_freq-in-supports_op-callback.patch +drm-xe-fix-incorrect-migration-of-backed-up-object-to-vram.patch +drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch +drm-amdgpu-mes11-make-mes_misc_op_change_config-failure-non-fatal.patch +drm-amd-display-clear-the-cur_enable-register-on-dcn314-w-out-dpp-pg.patch +drm-amdgpu-sdma-bump-firmware-version-checks-for-user-queue-support.patch +platform-x86-amd-pmc-add-tuxedo-ib-pro-gen10-amd-to-spurious-8042-quirks-list.patch +scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch +nouveau-fix-disabling-the-nonstall-irq-due-to-storm-code.patch +nouveau-membar-before-between-semaphore-writes-and-the-interrupt.patch +audit-fix-out-of-bounds-read-in-audit_compare_dname_path.patch +batman-adv-fix-oob-read-write-in-network-coding-decode.patch 
+cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch +e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch +net-dsa-mv88e6xxx-fix-fwnode-reference-leaks-in-mv88e6xxx_port_setup_leds.patch +net-pcs-rzn1-miic-correct-modctrl-register-offset.patch +microchip-lan865x-fix-module-autoloading.patch +microchip-lan865x-fix-lan8651-autoloading.patch +drm-dp-change-aux-dpcd-probe-address-from-lane0_1_status-to-training_pattern_set.patch diff --git a/queue-6.16/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch b/queue-6.16/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch new file mode 100644 index 0000000000..0d29dde494 --- /dev/null +++ b/queue-6.16/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch 
@@ -0,0 +1,55 @@ +From 25daf9af0ac1bf12490b723b5efaf8dcc85980bc Mon Sep 17 00:00:00 2001 +From: Bjorn Andersson +Date: Wed, 30 Jul 2025 15:51:51 -0500 +Subject: soc: qcom: mdt_loader: Deal with zero e_shentsize + +From: Bjorn Andersson + +commit 25daf9af0ac1bf12490b723b5efaf8dcc85980bc upstream. + +Firmware that doesn't provide section headers leave both e_shentsize and +e_shnum 0, which obvious isn't compatible with the newly introduced +stricter checks. + +Make the section-related checks conditional on either of these values +being non-zero. + +Fixes: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header") +Reported-by: Val Packett +Closes: https://lore.kernel.org/all/ece307c3-7d65-440f-babd-88cf9705b908@packett.cool/ +Reported-by: Neil Armstrong +Closes: https://lore.kernel.org/all/aec9cd03-6fc2-4dc8-b937-8b7cf7bf4128@linaro.org/ +Signed-off-by: Bjorn Andersson +Fixes: 9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()") +Tested-by: Neil Armstrong # on SM8650-QRD +Reviewed-by: Dmitry Baryshkov +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250730-mdt-loader-shentsize-zero-v1-1-04f43186229c@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/mdt_loader.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/soc/qcom/mdt_loader.c ++++ b/drivers/soc/qcom/mdt_loader.c +@@ -39,12 +39,14 @@ static bool mdt_header_valid(const struc + if (phend > fw->size) + return false; + +- if (ehdr->e_shentsize != sizeof(struct elf32_shdr)) +- return false; ++ if (ehdr->e_shentsize || ehdr->e_shnum) { ++ if (ehdr->e_shentsize != sizeof(struct elf32_shdr)) ++ return false; + +- shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff); +- if (shend > fw->size) +- return false; ++ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff); ++ if (shend > fw->size) ++ return 
false; ++ } + + return true; + } diff --git a/queue-6.16/spi-microchip-core-qspi-stop-checking-viability-of-op-max_freq-in-supports_op-callback.patch b/queue-6.16/spi-microchip-core-qspi-stop-checking-viability-of-op-max_freq-in-supports_op-callback.patch new file mode 100644 index 0000000000..e7d80d697b --- /dev/null +++ b/queue-6.16/spi-microchip-core-qspi-stop-checking-viability-of-op-max_freq-in-supports_op-callback.patch 
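Review bot: With the new `if (ehdr->e_shentsize || ehdr->e_shnum)` guard in mdt_header_valid(), a header with both fields zero is accepted without any check on `e_shoff`, so the function no longer guarantees that the section-table offset lies inside `fw->size`. That is safe only if every consumer treats `e_shnum == 0` as "no section headers" and never reads at `e_shoff`; those consumers are not visible in this hunk. I would record the contract next to the guard: `/* No section headers: e_shoff is unchecked here and must not be used. */`. The start of mdt_header_valid() is outside the hunk.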
@@ -0,0 +1,60 @@ +From 89e7353f522f5cf70cb48c01ce2dcdcb275b8022 Mon Sep 17 00:00:00 2001 +From: Conor Dooley +Date: Mon, 25 Aug 2025 12:53:28 +0100 +Subject: spi: microchip-core-qspi: stop checking viability of op->max_freq in supports_op callback + +From: Conor Dooley + +commit 89e7353f522f5cf70cb48c01ce2dcdcb275b8022 upstream. + +In commit 13529647743d9 ("spi: microchip-core-qspi: Support per spi-mem +operation frequency switches") the logic for checking the viability of +op->max_freq in mchp_coreqspi_setup_clock() was copied into +mchp_coreqspi_supports_op(). Unfortunately, op->max_freq is not valid +when this function is called during probe but is instead zero. +Accordingly, baud_rate_val is calculated to be INT_MAX due to division +by zero, causing probe of the attached memory device to fail. + +Seemingly spi-microchip-core-qspi was the only driver that had such a +modification made to its supports_op callback when the per_op_freq +capability was added, so just remove it to restore prior functionality. 
+ +CC: stable@vger.kernel.org +Reported-by: Valentina Fernandez +Fixes: 13529647743d9 ("spi: microchip-core-qspi: Support per spi-mem operation frequency switches") +Signed-off-by: Conor Dooley +Message-ID: <20250825-during-ploy-939bdd068593@spud> +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-microchip-core-qspi.c | 12 ------------ + 1 file changed, 12 deletions(-) + +--- a/drivers/spi/spi-microchip-core-qspi.c ++++ b/drivers/spi/spi-microchip-core-qspi.c +@@ -458,10 +458,6 @@ error: + + static bool mchp_coreqspi_supports_op(struct spi_mem *mem, const struct spi_mem_op *op) + { +- struct mchp_coreqspi *qspi = spi_controller_get_devdata(mem->spi->controller); +- unsigned long clk_hz; +- u32 baud_rate_val; +- + if (!spi_mem_default_supports_op(mem, op)) + return false; + +@@ -484,14 +480,6 @@ static bool mchp_coreqspi_supports_op(st + return false; + } + +- clk_hz = clk_get_rate(qspi->clk); +- if (!clk_hz) +- return false; +- +- baud_rate_val = DIV_ROUND_UP(clk_hz, 2 * op->max_freq); +- if (baud_rate_val > MAX_DIVIDER || baud_rate_val < MIN_DIVIDER) +- return false; +- + return true; + } + diff --git a/queue-6.16/wifi-mac80211-do-not-permit-40-mhz-eht-operation-on-5-6-ghz.patch b/queue-6.16/wifi-mac80211-do-not-permit-40-mhz-eht-operation-on-5-6-ghz.patch new file mode 100644 index 0000000000..b9b00636e0 --- /dev/null +++ b/queue-6.16/wifi-mac80211-do-not-permit-40-mhz-eht-operation-on-5-6-ghz.patch 
@@ -0,0 +1,125 @@ +From 75575e2d252afb29fdbcbeec4d67e042007add52 Mon Sep 17 00:00:00 2001 +From: Benjamin Berg +Date: Tue, 26 Aug 2025 20:26:01 +0300 +Subject: wifi: mac80211: do not permit 40 MHz EHT operation on 5/6 GHz + +From: Benjamin Berg + +commit 75575e2d252afb29fdbcbeec4d67e042007add52 upstream. + +The EHT PHY requirements state that 80 MHz must be supported on the 5 +and 6 GHz bands unless the STA is 20 MHz only. So if the channel width +is limited to 40 MHz on a band other than 2.4 GHz, then disable EHT and +downgrade to HE. + +The primary case where this can happen is if the hardware disables +puncturing using IEEE80211_HW_DISALLOW_PUNCTURING. + +Signed-off-by: Benjamin Berg +Cc: stable@vger.kernel.org +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250826202553.a6582f3abf57.Ic670429dc7127f68c818b4290d950ebfb5a0b9e1@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 8 ++++++++ + net/mac80211/tests/chan-mode.c | 30 +++++++++++++++++++++++++----- + 2 files changed, 33 insertions(+), 5 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1193,6 +1193,14 @@ again: + "required MCSes not supported, disabling EHT\n"); + } + ++ if (conn->mode >= IEEE80211_CONN_MODE_EHT && ++ channel->band != NL80211_BAND_2GHZ && ++ conn->bw_limit == IEEE80211_CONN_BW_LIMIT_40) { ++ conn->mode = IEEE80211_CONN_MODE_HE; ++ link_id_info(sdata, link_id, ++ "required bandwidth not supported, disabling EHT\n"); ++ } ++ + /* the mode can only decrease, so this must terminate */ + if (ap_mode != conn->mode) { + kfree(elems); +--- a/net/mac80211/tests/chan-mode.c ++++ b/net/mac80211/tests/chan-mode.c +@@ -2,7 +2,7 @@ + /* + * KUnit tests for channel mode functions + * +- * Copyright (C) 2024 Intel Corporation ++ * Copyright (C) 2024-2025 Intel Corporation + */ + #include + #include +@@ -28,6 +28,10 @@ static const struct determine_chan_mode_ + u8 vht_basic_mcs_1_4, 
vht_basic_mcs_5_8; + u8 he_basic_mcs_1_4, he_basic_mcs_5_8; + u8 eht_mcs7_min_nss; ++ u16 eht_disabled_subchannels; ++ u8 eht_bw; ++ enum ieee80211_conn_bw_limit conn_bw_limit; ++ enum ieee80211_conn_bw_limit expected_bw_limit; + int error; + } determine_chan_mode_cases[] = { + { +@@ -128,6 +132,14 @@ static const struct determine_chan_mode_ + .conn_mode = IEEE80211_CONN_MODE_EHT, + .eht_mcs7_min_nss = 0x15, + .error = EINVAL, ++ }, { ++ .desc = "80 MHz EHT is downgraded to 40 MHz HE due to puncturing", ++ .conn_mode = IEEE80211_CONN_MODE_EHT, ++ .expected_mode = IEEE80211_CONN_MODE_HE, ++ .conn_bw_limit = IEEE80211_CONN_BW_LIMIT_80, ++ .expected_bw_limit = IEEE80211_CONN_BW_LIMIT_40, ++ .eht_disabled_subchannels = 0x08, ++ .eht_bw = IEEE80211_EHT_OPER_CHAN_WIDTH_80MHZ, + } + }; + KUNIT_ARRAY_PARAM_DESC(determine_chan_mode, determine_chan_mode_cases, desc) +@@ -138,7 +150,7 @@ static void test_determine_chan_mode(str + struct t_sdata *t_sdata = T_SDATA(test); + struct ieee80211_conn_settings conn = { + .mode = params->conn_mode, +- .bw_limit = IEEE80211_CONN_BW_LIMIT_20, ++ .bw_limit = params->conn_bw_limit, + }; + struct cfg80211_bss cbss = { + .channel = &t_sdata->band_5ghz.channels[0], +@@ -191,14 +203,21 @@ static void test_determine_chan_mode(str + 0x7f, 0x01, 0x00, 0x88, 0x88, 0x88, 0x00, 0x00, + 0x00, + /* EHT Operation */ +- WLAN_EID_EXTENSION, 0x09, WLAN_EID_EXT_EHT_OPERATION, +- 0x01, params->eht_mcs7_min_nss ? params->eht_mcs7_min_nss : 0x11, +- 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, ++ WLAN_EID_EXTENSION, 0x0b, WLAN_EID_EXT_EHT_OPERATION, ++ 0x03, params->eht_mcs7_min_nss ? params->eht_mcs7_min_nss : 0x11, ++ 0x00, 0x00, 0x00, params->eht_bw, ++ params->eht_bw == IEEE80211_EHT_OPER_CHAN_WIDTH_80MHZ ? 
42 : 36, ++ 0x00, ++ u16_get_bits(params->eht_disabled_subchannels, 0xff), ++ u16_get_bits(params->eht_disabled_subchannels, 0xff00), + }; + struct ieee80211_chan_req chanreq = {}; + struct cfg80211_chan_def ap_chandef = {}; + struct ieee802_11_elems *elems; + ++ /* To force EHT downgrade to HE on punctured 80 MHz downgraded to 40 MHz */ ++ set_bit(IEEE80211_HW_DISALLOW_PUNCTURING, t_sdata->local.hw.flags); ++ + if (params->strict) + set_bit(IEEE80211_HW_STRICT, t_sdata->local.hw.flags); + else +@@ -237,6 +256,7 @@ static void test_determine_chan_mode(str + } else { + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elems); + KUNIT_ASSERT_EQ(test, conn.mode, params->expected_mode); ++ KUNIT_ASSERT_EQ(test, conn.bw_limit, params->expected_bw_limit); + } + } + diff --git a/queue-6.16/wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch b/queue-6.16/wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch new file mode 100644 index 0000000000..402f9a5857 --- /dev/null +++ b/queue-6.16/wifi-mt76-mt7925-fix-the-wrong-bss-cleanup-for-sap.patch 
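Review bot: In test_determine_chan_mode() the added `set_bit(IEEE80211_HW_DISALLOW_PUNCTURING, t_sdata->local.hw.flags);` is unconditional, so every existing parameterised case now runs with puncturing disallowed although the comment ties it to the new downgrade case only. Gating it keeps the older cases on their previous hardware configuration: `if (params->eht_disabled_subchannels) set_bit(IEEE80211_HW_DISALLOW_PUNCTURING, t_sdata->local.hw.flags);`. The older cases also leave `.conn_bw_limit` and `.expected_bw_limit` unset, so they depend on the zero value of `enum ieee80211_conn_bw_limit` being the 20 MHz limit that was hard-coded before; the enum definition is not in the hunk, and setting both fields explicitly in each case would remove that dependency.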
@@ -0,0 +1,34 @@
+From 55424e7b9eeb141d9c8d8a8740ee131c28490425 Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh
+Date: Mon, 28 Jul 2025 13:26:12 +0800
+Subject: wifi: mt76: mt7925: fix the wrong bss cleanup for SAP
+
+From: Ming Yen Hsieh
+
+commit 55424e7b9eeb141d9c8d8a8740ee131c28490425 upstream.
+
+When in SAP mode, if a STA disconnect, the SAP's BSS
+should not be cleared.
+
+Fixes: 0ebb60da8416 ("wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Yen Hsieh
+Link: https://patch.msgid.link/20250728052612.39751-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+@@ -1191,6 +1191,9 @@ mt7925_mac_sta_remove_links(struct mt792
+ struct mt792x_bss_conf *mconf;
+ struct mt792x_link_sta *mlink;
+
++ if (vif->type == NL80211_IFTYPE_AP)
++ break;
++
+ link_sta = mt792x_sta_to_link_sta(vif, sta, link_id);
+ if (!link_sta)
+ continue;
diff --git a/queue-6.16/wifi-mt76-mt7925-skip-eht-mld-tlv-on-non-mld-and-pass-conn_state-for-sta_cmd.patch b/queue-6.16/wifi-mt76-mt7925-skip-eht-mld-tlv-on-non-mld-and-pass-conn_state-for-sta_cmd.patch
new file mode 100644
index 0000000000..c64edad47a
--- /dev/null
+++ b/queue-6.16/wifi-mt76-mt7925-skip-eht-mld-tlv-on-non-mld-and-pass-conn_state-for-sta_cmd.patch
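Review bot: The added `if (vif->type == NL80211_IFTYPE_AP) break;` sits inside the per-link loop of mt7925_mac_sta_remove_links() although the condition does not depend on the link being visited, and nothing next to it says why an AP interface must leave the loop. A short comment such as `/* AP vif: the BSS belongs to the SAP; a STA leaving must not clear it */` would record the intent that is currently only in the commit message. Because the exit is `break` rather than `return`, whatever follows the loop still runs for AP interfaces. The loop header and the rest of the function are outside this hunk, so that should be confirmed against the full function.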
@@ -0,0 +1,66 @@
+From dd6e89cad9951acef3723f3f21b2e892a23b371b Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh
+Date: Mon, 18 Aug 2025 11:02:01 +0800
+Subject: wifi: mt76: mt7925: skip EHT MLD TLV on non-MLD and pass conn_state for sta_cmd
+
+From: Ming Yen Hsieh
+
+commit dd6e89cad9951acef3723f3f21b2e892a23b371b upstream.
+
+Return early in mt7925_mcu_sta_eht_mld_tlv() for non-MLD vifs to avoid bogus
+MLD TLVs, and pass the proper connection state to sta_basic TLV.
+
+Cc: stable@vger.kernel.org
+Fixes: cb1353ef3473 ("wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd")
+Reported-by: Tal Inbar
+Tested-by: Tal Inbar
+Signed-off-by: Ming Yen Hsieh
+Link: https://patch.msgid.link/20250818030201.997940-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+@@ -1834,13 +1834,13 @@ mt7925_mcu_sta_eht_mld_tlv(struct sk_buf
+ struct tlv *tlv;
+ u16 eml_cap;
+
++ if (!ieee80211_vif_is_mld(vif))
++ return;
++
+ tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_EHT_MLD, sizeof(*eht_mld));
+ eht_mld = (struct sta_rec_eht_mld *)tlv;
+ eht_mld->mld_type = 0xff;
+
+- if (!ieee80211_vif_is_mld(vif))
+- return;
+-
+ ext_capa = cfg80211_get_iftype_ext_capa(wiphy,
+ ieee80211_vif_type_p2p(vif));
+ if (!ext_capa)
+@@ -1912,6 +1912,7 @@ mt7925_mcu_sta_cmd(struct mt76_phy *phy,
+ struct mt76_dev *dev = phy->dev;
+ struct mt792x_bss_conf *mconf;
+ struct sk_buff *skb;
++ int conn_state;
+
+ mconf = mt792x_vif_to_link(mvif, info->wcid->link_id);
+
+@@ -1920,10 +1921,13 @@ mt7925_mcu_sta_cmd(struct mt76_phy *phy,
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
+
++ conn_state = info->enable ? CONN_STATE_PORT_SECURE :
++ CONN_STATE_DISCONNECT;
++
+ if (info->enable && info->link_sta) {
+ mt76_connac_mcu_sta_basic_tlv(dev, skb, info->link_conf,
+ info->link_sta,
+- info->enable, info->newly);
++ conn_state, info->newly);
+ mt7925_mcu_sta_phy_tlv(skb, info->vif, info->link_sta);
+ mt7925_mcu_sta_ht_tlv(skb, info->link_sta);
+ mt7925_mcu_sta_vht_tlv(skb, info->link_sta);
diff --git a/queue-6.16/wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch b/queue-6.16/wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch
new file mode 100644
index 0000000000..5fe8c7a08c
--- /dev/null
+++ b/queue-6.16/wifi-mt76-mt7925u-use-connac3-tx-aggr-check-in-tx-complete.patch
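Review bot: In mt7925_mcu_sta_cmd() the new `conn_state` is computed as `info->enable ? CONN_STATE_PORT_SECURE : CONN_STATE_DISCONNECT`, but its only use on the lines shown is inside `if (info->enable && info->link_sta)`, where `info->enable` is already true. The `CONN_STATE_DISCONNECT` arm therefore never reaches mt76_connac_mcu_sta_basic_tlv() in this hunk. If the disconnect state is meant to be sent to the firmware, the basic TLV also has to be built on the disable path; otherwise passing `CONN_STATE_PORT_SECURE` directly would state what the code does. The function continues past the end of the hunk, so a later use of `conn_state` cannot be ruled out from here.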
@@ -0,0 +1,37 @@
+From c22769de25095c6777e8acb68a1349a3257fc955 Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh
+Date: Mon, 18 Aug 2025 10:02:03 +0800
+Subject: wifi: mt76: mt7925u: use connac3 tx aggr check in tx complete
+
+From: Ming Yen Hsieh
+
+commit c22769de25095c6777e8acb68a1349a3257fc955 upstream.
+
+MT7925 is a connac3 device; using the connac2 helper mis-parses
+TXWI and breaks AMPDU/BA accounting. Use the connac3-specific
+helper mt7925_tx_check_aggr() instead,
+
+Cc: stable@vger.kernel.org
+Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
+Reported-by: Nick Morrow
+Tested-by: Nick Morrow
+Tested-on: Netgear A9000 USB WiFi adapter
+Signed-off-by: Ming Yen Hsieh
+Link: https://patch.msgid.link/20250818020203.992338-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+@@ -1449,7 +1449,7 @@ void mt7925_usb_sdio_tx_complete_skb(str
+ sta = wcid_to_sta(wcid);
+
+ if (sta && likely(e->skb->protocol != cpu_to_be16(ETH_P_PAE)))
+- mt76_connac2_tx_check_aggr(sta, txwi);
++ mt7925_tx_check_aggr(sta, e->skb, wcid);
+
+ skb_pull(e->skb, headroom);
+ mt76_tx_complete_skb(mdev, e->wcid, e->skb);
diff --git a/queue-6.16/wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch b/queue-6.16/wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch
new file mode 100644
index 0000000000..ea44834824
--- /dev/null
+++ b/queue-6.16/wifi-mt76-mt7996-initialize-hdr-before-passing-to-skb_put_data.patch
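Review bot: mt7925_tx_check_aggr() is now handed `e->skb` before `skb_pull(e->skb, headroom)` has run, so at the call `skb->data` presumably still points at the driver headroom rather than at the frame itself. The helper's body is not part of this hunk; if it reads the 802.11 header from `skb->data`, it would be parsing descriptor bytes, and the call would belong after the pull. It is also worth checking whether the local `txwi` is still used once `mt76_connac2_tx_check_aggr(sta, txwi)` is gone. mt7925_usb_sdio_tx_complete_skb() starts above the hunk.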
@@ -0,0 +1,55 @@
+From 87b07a1fbc6b5c23d3b3584ab4288bc9106d3274 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Tue, 15 Jul 2025 15:33:25 -0700
+Subject: wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data()
+
+From: Nathan Chancellor
+
+commit 87b07a1fbc6b5c23d3b3584ab4288bc9106d3274 upstream.
+
+A new warning in clang [1] points out a couple of places where a hdr
+variable is not initialized then passed along to skb_put_data().
+
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c:1894:21: warning: variable 'hdr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer]
+ 1894 | skb_put_data(skb, &hdr, sizeof(hdr));
+ | ^~~
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c:3386:21: warning: variable 'hdr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer]
+ 3386 | skb_put_data(skb, &hdr, sizeof(hdr));
+ | ^~~
+
+Zero initialize these headers as done in other places in the driver when
+there is nothing stored in the header.
+
+Cc: stable@vger.kernel.org
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2104
+Signed-off-by: Nathan Chancellor
+Link: https://patch.msgid.link/20250715-mt7996-fix-uninit-const-pointer-v1-1-b5d8d11d7b78@kernel.org
+Signed-off-by: Felix Fietkau
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -1879,8 +1879,8 @@ mt7996_mcu_get_mmps_mode(enum ieee80211_
+ int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev,
+ void *data, u16 version)
+ {
++ struct uni_header hdr = {};
+ struct ra_fixed_rate *req;
+- struct uni_header hdr;
+ struct sk_buff *skb;
+ struct tlv *tlv;
+ int len;
+@@ -3377,7 +3377,7 @@ int mt7996_mcu_set_hdr_trans(struct mt79
+ {
+ struct {
+ u8 __rsv[4];
+- } __packed hdr;
++ } __packed hdr = {};
+ struct hdr_trans_blacklist *req_blacklist;
+ struct hdr_trans_en *req_en;
+ struct sk_buff *skb;
diff --git a/queue-6.16/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch b/queue-6.16/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch
new file mode 100644
index 0000000000..0f05fe1e54
--- /dev/null
+++ b/queue-6.16/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch
@@ -0,0 +1,70 @@
+From 0e20450829ca3c1dbc2db536391537c57a40fe0b Mon Sep 17 00:00:00 2001
+From: Qianfeng Rong
+Date: Fri, 15 Aug 2025 10:30:50 +0800
+Subject: wifi: mwifiex: Initialize the chan_stats array to zero
+
+From: Qianfeng Rong
+
+commit 0e20450829ca3c1dbc2db536391537c57a40fe0b upstream.
+
+The adapter->chan_stats[] array is initialized in
+mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out
+memory. The array is filled in mwifiex_update_chan_statistics()
+and then the user can query the data in mwifiex_cfg80211_dump_survey().
+
+There are two potential issues here. What if the user calls
+mwifiex_cfg80211_dump_survey() before the data has been filled in.
+Also the mwifiex_update_chan_statistics() function doesn't necessarily
+initialize the whole array. Since the array was not initialized at
+the start that could result in an information leak.
+
+Also this array is pretty small. It's a maximum of 900 bytes so it's
+more appropriate to use kcalloc() instead vmalloc().
+
+Cc: stable@vger.kernel.org
+Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex")
+Suggested-by: Dan Carpenter
+Signed-off-by: Qianfeng Rong
+Reviewed-by: Dan Carpenter
+Link: https://patch.msgid.link/20250815023055.477719-1-rongqianfeng@vivo.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +++--
+ drivers/net/wireless/marvell/mwifiex/main.c | 4 ++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -4668,8 +4668,9 @@ int mwifiex_init_channel_scan_gap(struct
+ * additional active scan request for hidden SSIDs on passive channels.
+ */
+ adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a);
+- adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats),
+- adapter->num_in_chan_stats));
++ adapter->chan_stats = kcalloc(adapter->num_in_chan_stats,
++ sizeof(*adapter->chan_stats),
++ GFP_KERNEL);
+
+ if (!adapter->chan_stats)
+ return -ENOMEM;
+--- a/drivers/net/wireless/marvell/mwifiex/main.c
++++ b/drivers/net/wireless/marvell/mwifiex/main.c
+@@ -642,7 +642,7 @@ static int _mwifiex_fw_dpc(const struct
+ goto done;
+
+ err_add_intf:
+- vfree(adapter->chan_stats);
++ kfree(adapter->chan_stats);
+ err_init_chan_scan:
+ wiphy_unregister(adapter->wiphy);
+ wiphy_free(adapter->wiphy);
+@@ -1485,7 +1485,7 @@ static void mwifiex_uninit_sw(struct mwi
+ wiphy_free(adapter->wiphy);
+ adapter->wiphy = NULL;
+
+- vfree(adapter->chan_stats);
++ kfree(adapter->chan_stats);
+ mwifiex_free_cmd_buffers(adapter);
+ }
+
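Review bot: Both converted release sites leave `adapter->chan_stats` holding the freed address: the `err_add_intf:` path in _mwifiex_fw_dpc() and mwifiex_uninit_sw() call `kfree(adapter->chan_stats);` without clearing the pointer, while the line just above in mwifiex_uninit_sw() does `adapter->wiphy = NULL;`. Adding `adapter->chan_stats = NULL;` after each kfree() would follow that convention and keep any later teardown or survey query from acting on a stale pointer. The move from vmalloc() to kcalloc() also means every other release of chan_stats must use kfree(); only these two sites are visible here. Both functions extend beyond their hunks.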