From: Greg Kroah-Hartman Date: Mon, 24 Feb 2025 10:55:22 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.6.80~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45897edac4bbe89ad917015e1ef38d67c730d3d7;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: acct-block-access-to-kernel-internal-filesystems.patch acct-perform-last-write-from-workqueue.patch alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch arm64-dts-rockchip-disable-dma-for-uart5-on-px30-ringneck.patch arm64-dts-rockchip-fix-broken-tsadc-pinctrl-names-for-rk3588.patch arm64-dts-rockchip-move-uart5-pin-configuration-to-px30-ringneck-som.patch asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch asoc-sof-pcm-clear-the-susbstream-pointer-to-null-on-close.patch asoc-sof-stream-ipc-check-for-cstream-nullity-in-sof_ipc_msg_data.patch drm-i915-ddi-fix-hdmi-port-width-programming-in-ddi_buf_ctl.patch drm-i915-dp-fix-error-handling-during-128b-132b-link-training.patch drm-i915-gt-use-spin_lock_irqsave-in-interruptible-context.patch drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch drm-panel-jd9365da-h3-fix-reset-signal-polarity.patch drop_monitor-fix-incorrect-initialization-order.patch edac-qcom-correct-interrupt-enable-register-configuration.patch ftrace-correct-preemption-accounting-for-function-tracing.patch ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch ftrace-fix-accounting-of-adding-subops-to-a-manager-ops.patch gpiolib-check-the-return-value-of-gpio_chip-get_direction.patch gpiolib-protect-gpio_chip-with-srcu-in-array_info-paths-in-multi-get-set.patch gve-set-xdp-redirect-target-only-when-it-is-available.patch io_uring-prevent-opcode-speculation.patch io_uring-rw-forbid-multishot-async-reads.patch irqchip-gic-v3-fix-rk3399-workaround-when-secure-interrupts-are-enabled.patch lib-iov_iter-fix-import_iovec_ubuf-iovec-management.patch mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch mtd-spi-nor-sst-fix-sst-write-failure.patch nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch perf-x86-intel-fix-event-constraints-for-lnc.patch s390-boot-fix-essa-detection.patch smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch smb-client-fix-chmod-2-regression-with-attr_readonly.patch soc-loongson-loongson2_guts-add-check-for-devm_kstrdup.patch tee-optee-fix-supplicant-wait-loop.patch xfs-fix-online-repair-probing-when-config_xfs_online_repair-n.patch --- diff --git a/queue-6.12/acct-block-access-to-kernel-internal-filesystems.patch b/queue-6.12/acct-block-access-to-kernel-internal-filesystems.patch new file mode 100644 index 0000000000..436141adc8 --- /dev/null +++ b/queue-6.12/acct-block-access-to-kernel-internal-filesystems.patch @@ -0,0 +1,47 @@ +From 890ed45bde808c422c3c27d3285fc45affa0f930 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 11 Feb 2025 18:16:00 +0100 +Subject: acct: block access to kernel internal filesystems + +From: Christian Brauner + +commit 890ed45bde808c422c3c27d3285fc45affa0f930 upstream. + +There's no point in allowing anything kernel internal nor procfs or +sysfs. + +Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com +Link: https://lore.kernel.org/r/20250211-work-acct-v1-2-1c16aecab8b3@kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Amir Goldstein +Reported-by: Zicheng Qu +Cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + kernel/acct.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -243,6 +243,20 @@ static int acct_on(struct filename *path + return -EACCES; + } + ++ /* Exclude kernel kernel internal filesystems. */ ++ if (file_inode(file)->i_sb->s_flags & (SB_NOUSER | SB_KERNMOUNT)) { ++ kfree(acct); ++ filp_close(file, NULL); ++ return -EINVAL; ++ } ++ ++ /* Exclude procfs and sysfs. */ ++ if (file_inode(file)->i_sb->s_iflags & SB_I_USERNS_VISIBLE) { ++ kfree(acct); ++ filp_close(file, NULL); ++ return -EINVAL; ++ } ++ + if (!(file->f_mode & FMODE_CAN_WRITE)) { + kfree(acct); + filp_close(file, NULL); diff --git a/queue-6.12/acct-perform-last-write-from-workqueue.patch b/queue-6.12/acct-perform-last-write-from-workqueue.patch new file mode 100644 index 0000000000..ec296d38a5 --- /dev/null +++ b/queue-6.12/acct-perform-last-write-from-workqueue.patch @@ -0,0 +1,248 @@ +From 56d5f3eba3f5de0efdd556de4ef381e109b973a9 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 11 Feb 2025 18:15:59 +0100 +Subject: acct: perform last write from workqueue + +From: Christian Brauner + +commit 56d5f3eba3f5de0efdd556de4ef381e109b973a9 upstream. + +In [1] it was reported that the acct(2) system call can be used to +trigger NULL deref in cases where it is set to write to a file that +triggers an internal lookup. This can e.g., happen when pointing acc(2) +to /sys/power/resume. At the point the where the write to this file +happens the calling task has already exited and called exit_fs(). A +lookup will thus trigger a NULL-deref when accessing current->fs. + +Reorganize the code so that the the final write happens from the +workqueue but with the caller's credentials. This preserves the +(strange) permission model and has almost no regression risk. + +This api should stop to exist though. + +Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com [1] +Link: https://lore.kernel.org/r/20250211-work-acct-v1-1-1c16aecab8b3@kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Zicheng Qu +Cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + kernel/acct.c | 120 +++++++++++++++++++++++++++++++++------------------------- + 1 file changed, 70 insertions(+), 50 deletions(-) + +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -103,48 +103,50 @@ struct bsd_acct_struct { + atomic_long_t count; + struct rcu_head rcu; + struct mutex lock; +- int active; ++ bool active; ++ bool check_space; + unsigned long needcheck; + struct file *file; + struct pid_namespace *ns; + struct work_struct work; + struct completion done; ++ acct_t ac; + }; + +-static void do_acct_process(struct bsd_acct_struct *acct); ++static void fill_ac(struct bsd_acct_struct *acct); ++static void acct_write_process(struct bsd_acct_struct *acct); + + /* + * Check the amount of free space and suspend/resume accordingly. + */ +-static int check_free_space(struct bsd_acct_struct *acct) ++static bool check_free_space(struct bsd_acct_struct *acct) + { + struct kstatfs sbuf; + +- if (time_is_after_jiffies(acct->needcheck)) +- goto out; ++ if (!acct->check_space) ++ return acct->active; + + /* May block */ + if (vfs_statfs(&acct->file->f_path, &sbuf)) +- goto out; ++ return acct->active; + + if (acct->active) { + u64 suspend = sbuf.f_blocks * SUSPEND; + do_div(suspend, 100); + if (sbuf.f_bavail <= suspend) { +- acct->active = 0; ++ acct->active = false; + pr_info("Process accounting paused\n"); + } + } else { + u64 resume = sbuf.f_blocks * RESUME; + do_div(resume, 100); + if (sbuf.f_bavail >= resume) { +- acct->active = 1; ++ acct->active = true; + pr_info("Process accounting resumed\n"); + } + } + + acct->needcheck = jiffies + ACCT_TIMEOUT*HZ; +-out: + return acct->active; + } + +@@ -189,7 +191,11 @@ static void acct_pin_kill(struct fs_pin + { + struct bsd_acct_struct *acct = to_acct(pin); + mutex_lock(&acct->lock); +- do_acct_process(acct); ++ /* ++ * Fill the accounting struct with the exiting task's info ++ * before punting to the workqueue. ++ */ ++ fill_ac(acct); + schedule_work(&acct->work); + wait_for_completion(&acct->done); + cmpxchg(&acct->ns->bacct, pin, NULL); +@@ -202,6 +208,9 @@ static void close_work(struct work_struc + { + struct bsd_acct_struct *acct = container_of(work, struct bsd_acct_struct, work); + struct file *file = acct->file; ++ ++ /* We were fired by acct_pin_kill() which holds acct->lock. */ ++ acct_write_process(acct); + if (file->f_op->flush) + file->f_op->flush(file, NULL); + __fput_sync(file); +@@ -430,13 +439,27 @@ static u32 encode_float(u64 value) + * do_exit() or when switching to a different output file. + */ + +-static void fill_ac(acct_t *ac) ++static void fill_ac(struct bsd_acct_struct *acct) + { + struct pacct_struct *pacct = ¤t->signal->pacct; ++ struct file *file = acct->file; ++ acct_t *ac = &acct->ac; + u64 elapsed, run_time; + time64_t btime; + struct tty_struct *tty; + ++ lockdep_assert_held(&acct->lock); ++ ++ if (time_is_after_jiffies(acct->needcheck)) { ++ acct->check_space = false; ++ ++ /* Don't fill in @ac if nothing will be written. */ ++ if (!acct->active) ++ return; ++ } else { ++ acct->check_space = true; ++ } ++ + /* + * Fill the accounting struct with the needed info as recorded + * by the different kernel functions. +@@ -484,64 +507,61 @@ static void fill_ac(acct_t *ac) + ac->ac_majflt = encode_comp_t(pacct->ac_majflt); + ac->ac_exitcode = pacct->ac_exitcode; + spin_unlock_irq(¤t->sighand->siglock); +-} +-/* +- * do_acct_process does all actual work. Caller holds the reference to file. +- */ +-static void do_acct_process(struct bsd_acct_struct *acct) +-{ +- acct_t ac; +- unsigned long flim; +- const struct cred *orig_cred; +- struct file *file = acct->file; +- +- /* +- * Accounting records are not subject to resource limits. +- */ +- flim = rlimit(RLIMIT_FSIZE); +- current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY; +- /* Perform file operations on behalf of whoever enabled accounting */ +- orig_cred = override_creds(file->f_cred); + +- /* +- * First check to see if there is enough free_space to continue +- * the process accounting system. +- */ +- if (!check_free_space(acct)) +- goto out; +- +- fill_ac(&ac); + /* we really need to bite the bullet and change layout */ +- ac.ac_uid = from_kuid_munged(file->f_cred->user_ns, orig_cred->uid); +- ac.ac_gid = from_kgid_munged(file->f_cred->user_ns, orig_cred->gid); ++ ac->ac_uid = from_kuid_munged(file->f_cred->user_ns, current_uid()); ++ ac->ac_gid = from_kgid_munged(file->f_cred->user_ns, current_gid()); + #if ACCT_VERSION == 1 || ACCT_VERSION == 2 + /* backward-compatible 16 bit fields */ +- ac.ac_uid16 = ac.ac_uid; +- ac.ac_gid16 = ac.ac_gid; ++ ac->ac_uid16 = ac->ac_uid; ++ ac->ac_gid16 = ac->ac_gid; + #elif ACCT_VERSION == 3 + { + struct pid_namespace *ns = acct->ns; + +- ac.ac_pid = task_tgid_nr_ns(current, ns); ++ ac->ac_pid = task_tgid_nr_ns(current, ns); + rcu_read_lock(); +- ac.ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), +- ns); ++ ac->ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), ns); + rcu_read_unlock(); + } + #endif ++} ++ ++static void acct_write_process(struct bsd_acct_struct *acct) ++{ ++ struct file *file = acct->file; ++ const struct cred *cred; ++ acct_t *ac = &acct->ac; ++ ++ /* Perform file operations on behalf of whoever enabled accounting */ ++ cred = override_creds(file->f_cred); ++ + /* +- * Get freeze protection. If the fs is frozen, just skip the write +- * as we could deadlock the system otherwise. ++ * First check to see if there is enough free_space to continue ++ * the process accounting system. Then get freeze protection. If ++ * the fs is frozen, just skip the write as we could deadlock ++ * the system otherwise. + */ +- if (file_start_write_trylock(file)) { ++ if (check_free_space(acct) && file_start_write_trylock(file)) { + /* it's been opened O_APPEND, so position is irrelevant */ + loff_t pos = 0; +- __kernel_write(file, &ac, sizeof(acct_t), &pos); ++ __kernel_write(file, ac, sizeof(acct_t), &pos); + file_end_write(file); + } +-out: ++ ++ revert_creds(cred); ++} ++ ++static void do_acct_process(struct bsd_acct_struct *acct) ++{ ++ unsigned long flim; ++ ++ /* Accounting records are not subject to resource limits. */ ++ flim = rlimit(RLIMIT_FSIZE); ++ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY; ++ fill_ac(acct); ++ acct_write_process(acct); + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim; +- revert_creds(orig_cred); + } + + /** diff --git a/queue-6.12/alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch b/queue-6.12/alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch new file mode 100644 index 0000000000..f9f1151c4c --- /dev/null +++ b/queue-6.12/alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch @@ -0,0 +1,41 @@ +From 822b7ec657e99b44b874e052d8540d8b54fe8569 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Thu, 13 Feb 2025 15:45:43 +0800 +Subject: ALSA: hda: Add error check for snd_ctl_rename_id() in snd_hda_create_dig_out_ctls() + +From: Wentao Liang + +commit 822b7ec657e99b44b874e052d8540d8b54fe8569 upstream. + +Check the return value of snd_ctl_rename_id() in +snd_hda_create_dig_out_ctls(). Ensure that failures +are properly handled. + +[ Note: the error cannot happen practically because the only error + condition in snd_ctl_rename_id() is the missing ID, but this is a + rename, hence it must be present. But for the code consistency, + it's safer to have always the proper return check -- tiwai ] + +Fixes: 5c219a340850 ("ALSA: hda: Fix kctl->id initialization") +Cc: stable@vger.kernel.org # 6.4+ +Signed-off-by: Wentao Liang +Link: https://patch.msgid.link/20250213074543.1620-1-vulab@iscas.ac.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_codec.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -2470,7 +2470,9 @@ int snd_hda_create_dig_out_ctls(struct h + break; + id = kctl->id; + id.index = spdif_index; +- snd_ctl_rename_id(codec->card, &kctl->id, &id); ++ err = snd_ctl_rename_id(codec->card, &kctl->id, &id); ++ if (err < 0) ++ return err; + } + bus->primary_dig_out_type = HDA_PCM_TYPE_HDMI; + } diff --git a/queue-6.12/alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch b/queue-6.12/alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch new file mode 100644 index 0000000000..9561275a67 --- /dev/null +++ b/queue-6.12/alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch @@ -0,0 +1,31 @@ +From 6d1f86610f23b0bc334d6506a186f21a98f51392 Mon Sep 17 00:00:00 2001 +From: John Veness +Date: Mon, 17 Feb 2025 12:15:50 +0000 +Subject: ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED + +From: John Veness + +commit 6d1f86610f23b0bc334d6506a186f21a98f51392 upstream. + +Allows the LED on the dedicated mute button on the HP ProBook 450 G4 +laptop to change colour correctly. + +Signed-off-by: John Veness +Cc: +Link: https://patch.msgid.link/2fb55d48-6991-4a42-b591-4c78f2fad8d7@pelago.org.uk +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -1080,6 +1080,7 @@ static const struct hda_quirk cxt5066_fi + SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), + SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO), ++ SND_PCI_QUIRK(0x103c, 0x8231, "HP ProBook 450 G4", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE), diff --git a/queue-6.12/arm64-dts-rockchip-disable-dma-for-uart5-on-px30-ringneck.patch b/queue-6.12/arm64-dts-rockchip-disable-dma-for-uart5-on-px30-ringneck.patch new file mode 100644 index 0000000000..c47bb5efca --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-disable-dma-for-uart5-on-px30-ringneck.patch @@ -0,0 +1,47 @@ +From 5ae4dca718eacd0a56173a687a3736eb7e627c77 Mon Sep 17 00:00:00 2001 +From: Lukasz Czechowski +Date: Tue, 21 Jan 2025 13:56:04 +0100 +Subject: arm64: dts: rockchip: Disable DMA for uart5 on px30-ringneck +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukasz Czechowski + +commit 5ae4dca718eacd0a56173a687a3736eb7e627c77 upstream. + +UART controllers without flow control seem to behave unstable +in case DMA is enabled. The issues were indicated in the message: +https://lore.kernel.org/linux-arm-kernel/CAMdYzYpXtMocCtCpZLU_xuWmOp2Ja_v0Aj0e6YFNRA-yV7u14g@mail.gmail.com/ +In case of PX30-uQ7 Ringneck SoM, it was noticed that after couple +of hours of UART communication, the CPU stall was occurring, +leading to the system becoming unresponsive. +After disabling the DMA, extensive UART communication tests for +up to two weeks were performed, and no issues were further +observed. +The flow control pins for uart5 are not available on PX30-uQ7 +Ringneck, as configured by pinctrl-0, so the DMA nodes were +removed on SoM dtsi. + +Cc: stable@vger.kernel.org +Fixes: c484cf93f61b ("arm64: dts: rockchip: add PX30-µQ7 (Ringneck) SoM with Haikou baseboard") +Reviewed-by: Quentin Schulz +Signed-off-by: Lukasz Czechowski +Link: https://lore.kernel.org/r/20250121125604.3115235-3-lukasz.czechowski@thaumatec.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi ++++ b/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi +@@ -374,6 +374,8 @@ + }; + + &uart5 { ++ /delete-property/ dmas; ++ /delete-property/ dma-names; + pinctrl-0 = <&uart5_xfer>; + }; + diff --git a/queue-6.12/arm64-dts-rockchip-fix-broken-tsadc-pinctrl-names-for-rk3588.patch b/queue-6.12/arm64-dts-rockchip-fix-broken-tsadc-pinctrl-names-for-rk3588.patch new file mode 100644 index 0000000000..21d5eae2b9 --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-fix-broken-tsadc-pinctrl-names-for-rk3588.patch @@ -0,0 +1,43 @@ +From 5c8f9a05336cf5cadbd57ad461621b386aadb762 Mon Sep 17 00:00:00 2001 +From: Alexander Shiyan +Date: Thu, 30 Jan 2025 08:38:49 +0300 +Subject: arm64: dts: rockchip: Fix broken tsadc pinctrl names for rk3588 + +From: Alexander Shiyan + +commit 5c8f9a05336cf5cadbd57ad461621b386aadb762 upstream. + +The tsadc driver does not handle pinctrl "gpio" and "otpout". +Let's use the correct pinctrl names "default" and "sleep". +Additionally, Alexey Charkov's testing [1] has established that +it is necessary for pinctrl state to reference the &tsadc_shut_org +configuration rather than &tsadc_shut for the driver to function correctly. + +[1] https://lkml.org/lkml/2025/1/24/966 + +Fixes: 32641b8ab1a5 ("arm64: dts: rockchip: add rk3588 thermal sensor") +Cc: stable@vger.kernel.org +Reviewed-by: Dragan Simic +Signed-off-by: Alexander Shiyan +Link: https://lore.kernel.org/r/20250130053849.4902-1-eagle.alexander923@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3588-base.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi +@@ -2626,9 +2626,9 @@ + rockchip,hw-tshut-temp = <120000>; + rockchip,hw-tshut-mode = <0>; /* tshut mode 0:CRU 1:GPIO */ + rockchip,hw-tshut-polarity = <0>; /* tshut polarity 0:LOW 1:HIGH */ +- pinctrl-0 = <&tsadc_gpio_func>; +- pinctrl-1 = <&tsadc_shut>; +- pinctrl-names = "gpio", "otpout"; ++ pinctrl-0 = <&tsadc_shut_org>; ++ pinctrl-1 = <&tsadc_gpio_func>; ++ pinctrl-names = "default", "sleep"; + #thermal-sensor-cells = <1>; + status = "disabled"; + }; diff --git a/queue-6.12/arm64-dts-rockchip-move-uart5-pin-configuration-to-px30-ringneck-som.patch b/queue-6.12/arm64-dts-rockchip-move-uart5-pin-configuration-to-px30-ringneck-som.patch new file mode 100644 index 0000000000..3168bae481 --- /dev/null +++ b/queue-6.12/arm64-dts-rockchip-move-uart5-pin-configuration-to-px30-ringneck-som.patch @@ -0,0 +1,53 @@ +From 4eee627ea59304cdd66c5d4194ef13486a6c44fc Mon Sep 17 00:00:00 2001 +From: Lukasz Czechowski +Date: Tue, 21 Jan 2025 13:56:03 +0100 +Subject: arm64: dts: rockchip: Move uart5 pin configuration to px30 ringneck SoM + +From: Lukasz Czechowski + +commit 4eee627ea59304cdd66c5d4194ef13486a6c44fc upstream. + +In the PX30-uQ7 (Ringneck) SoM, the hardware CTS and RTS pins for +uart5 cannot be used for the UART CTS/RTS, because they are already +allocated for different purposes. CTS pin is routed to SUS_S3# +signal, while RTS pin is used internally and is not available on +Q7 connector. Move definition of the pinctrl-0 property from +px30-ringneck-haikou.dts to px30-ringneck.dtsi. + +This commit is a dependency to next commit in the patch series, +that disables DMA for uart5. + +Cc: stable@vger.kernel.org +Reviewed-by: Quentin Schulz +Signed-off-by: Lukasz Czechowski +Link: https://lore.kernel.org/r/20250121125604.3115235-2-lukasz.czechowski@thaumatec.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts | 1 - + arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 4 ++++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts ++++ b/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts +@@ -226,7 +226,6 @@ + }; + + &uart5 { +- pinctrl-0 = <&uart5_xfer>; + rts-gpios = <&gpio0 RK_PB5 GPIO_ACTIVE_HIGH>; + status = "okay"; + }; +--- a/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi ++++ b/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi +@@ -373,6 +373,10 @@ + status = "okay"; + }; + ++&uart5 { ++ pinctrl-0 = <&uart5_xfer>; ++}; ++ + /* Mule UCAN */ + &usb_host0_ehci { + status = "okay"; diff --git a/queue-6.12/asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch b/queue-6.12/asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch new file mode 100644 index 0000000000..60371205bd --- /dev/null +++ b/queue-6.12/asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch @@ -0,0 +1,41 @@ +From a8c9a453387640dbe45761970f41301a6985e7fa Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Thu, 16 Jan 2025 06:24:36 -0800 +Subject: ASoC: fsl_micfil: Enable default case in micfil_set_quality() + +From: Nikita Zhandarovich + +commit a8c9a453387640dbe45761970f41301a6985e7fa upstream. + +If 'micfil->quality' received from micfil_quality_set() somehow ends +up with an unpredictable value, switch() operator will fail to +initialize local variable qsel before regmap_update_bits() tries +to utilize it. + +While it is unlikely, play it safe and enable a default case that +returns -EINVAL error. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: bea1d61d5892 ("ASoC: fsl_micfil: rework quality setting") +Cc: stable@vger.kernel.org +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20250116142436.22389-1-n.zhandarovich@fintech.ru +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_micfil.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/fsl/fsl_micfil.c ++++ b/sound/soc/fsl/fsl_micfil.c +@@ -156,6 +156,8 @@ static int micfil_set_quality(struct fsl + case QUALITY_VLOW2: + qsel = MICFIL_QSEL_VLOW2_QUALITY; + break; ++ default: ++ return -EINVAL; + } + + return regmap_update_bits(micfil->regmap, REG_MICFIL_CTRL2, diff --git a/queue-6.12/asoc-sof-pcm-clear-the-susbstream-pointer-to-null-on-close.patch b/queue-6.12/asoc-sof-pcm-clear-the-susbstream-pointer-to-null-on-close.patch new file mode 100644 index 0000000000..f24a18e951 --- /dev/null +++ b/queue-6.12/asoc-sof-pcm-clear-the-susbstream-pointer-to-null-on-close.patch @@ -0,0 +1,43 @@ +From 46c7b901e2a03536df5a3cb40b3b26e2be505df6 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 5 Feb 2025 15:52:32 +0200 +Subject: ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close + +From: Peter Ujfalusi + +commit 46c7b901e2a03536df5a3cb40b3b26e2be505df6 upstream. + +The spcm->stream[substream->stream].substream is set during open and was +left untouched. After the first PCM stream it will never be NULL and we +have code which checks for substream NULLity as indication if the stream is +active or not. +For the compressed cstream pointer the same has been done, this change will +correct the handling of PCM streams. + +Fixes: 090349a9feba ("ASoC: SOF: Add support for compress API for stream data/offset") +Cc: stable@vger.kernel.org +Reported-by: Curtis Malainey +Closes: https://github.com/thesofproject/linux/pull/5214 +Signed-off-by: Peter Ujfalusi +Reviewed-by: Daniel Baluta +Reviewed-by: Ranjani Sridharan +Reviewed-by: Bard Liao +Reviewed-by: Curtis Malainey +Link: https://patch.msgid.link/20250205135232.19762-3-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/pcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/sof/pcm.c ++++ b/sound/soc/sof/pcm.c +@@ -511,6 +511,8 @@ static int sof_pcm_close(struct snd_soc_ + */ + } + ++ spcm->stream[substream->stream].substream = NULL; ++ + return 0; + } + diff --git a/queue-6.12/asoc-sof-stream-ipc-check-for-cstream-nullity-in-sof_ipc_msg_data.patch b/queue-6.12/asoc-sof-stream-ipc-check-for-cstream-nullity-in-sof_ipc_msg_data.patch new file mode 100644 index 0000000000..10586e5a43 --- /dev/null +++ b/queue-6.12/asoc-sof-stream-ipc-check-for-cstream-nullity-in-sof_ipc_msg_data.patch @@ -0,0 +1,52 @@ +From d8d99c3b5c485f339864aeaa29f76269cc0ea975 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 5 Feb 2025 15:52:31 +0200 +Subject: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() + +From: Peter Ujfalusi + +commit d8d99c3b5c485f339864aeaa29f76269cc0ea975 upstream. + +The nullity of sps->cstream should be checked similarly as it is done in +sof_set_stream_data_offset() function. +Assuming that it is not NULL if sps->stream is NULL is incorrect and can +lead to NULL pointer dereference. + +Fixes: 090349a9feba ("ASoC: SOF: Add support for compress API for stream data/offset") +Cc: stable@vger.kernel.org +Reported-by: Curtis Malainey +Closes: https://github.com/thesofproject/linux/pull/5214 +Signed-off-by: Peter Ujfalusi +Reviewed-by: Daniel Baluta +Reviewed-by: Ranjani Sridharan +Reviewed-by: Bard Liao +Reviewed-by: Curtis Malainey +Link: https://patch.msgid.link/20250205135232.19762-2-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/stream-ipc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/sound/soc/sof/stream-ipc.c ++++ b/sound/soc/sof/stream-ipc.c +@@ -43,7 +43,7 @@ int sof_ipc_msg_data(struct snd_sof_dev + return -ESTRPIPE; + + posn_offset = stream->posn_offset; +- } else { ++ } else if (sps->cstream) { + + struct sof_compr_stream *sstream = sps->cstream->runtime->private_data; + +@@ -51,6 +51,10 @@ int sof_ipc_msg_data(struct snd_sof_dev + return -ESTRPIPE; + + posn_offset = sstream->posn_offset; ++ ++ } else { ++ dev_err(sdev->dev, "%s: No stream opened\n", __func__); ++ return -EINVAL; + } + + snd_sof_dsp_mailbox_read(sdev, posn_offset, p, sz); diff --git a/queue-6.12/drm-i915-ddi-fix-hdmi-port-width-programming-in-ddi_buf_ctl.patch b/queue-6.12/drm-i915-ddi-fix-hdmi-port-width-programming-in-ddi_buf_ctl.patch new file mode 100644 index 0000000000..35b80529f9 --- /dev/null +++ b/queue-6.12/drm-i915-ddi-fix-hdmi-port-width-programming-in-ddi_buf_ctl.patch @@ -0,0 +1,47 @@ +From 166ce267ae3f96e439d8ccc838e8ec4d8b4dab73 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Fri, 14 Feb 2025 16:19:52 +0200 +Subject: drm/i915/ddi: Fix HDMI port width programming in DDI_BUF_CTL + +From: Imre Deak + +commit 166ce267ae3f96e439d8ccc838e8ec4d8b4dab73 upstream. + +Fix the port width programming in the DDI_BUF_CTL register on MTLP+, +where this had an off-by-one error. + +Cc: # v6.5+ +Fixes: b66a8abaa48a ("drm/i915/display/mtl: Fill port width in DDI_BUF_/TRANS_DDI_FUNC_/PORT_BUF_CTL for HDMI") +Reviewed-by: Jani Nikula +Signed-off-by: Imre Deak +Link: https://patchwork.freedesktop.org/patch/msgid/20250214142001.552916-3-imre.deak@intel.com +(cherry picked from commit b2ecdabe46d23db275f94cd7c46ca414a144818b) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_ddi.c | 2 +- + drivers/gpu/drm/i915/i915_reg.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_ddi.c ++++ b/drivers/gpu/drm/i915/display/intel_ddi.c +@@ -3363,7 +3363,7 @@ static void intel_enable_ddi_hdmi(struct + intel_de_rmw(dev_priv, XELPDP_PORT_BUF_CTL1(dev_priv, port), + XELPDP_PORT_WIDTH_MASK | XELPDP_PORT_REVERSAL, port_buf); + +- buf_ctl |= DDI_PORT_WIDTH(lane_count); ++ buf_ctl |= DDI_PORT_WIDTH(crtc_state->lane_count); + + if (DISPLAY_VER(dev_priv) >= 20) + buf_ctl |= XE2LPD_DDI_BUF_D2D_LINK_ENABLE; +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -3869,7 +3869,7 @@ enum skl_power_gate { + #define DDI_BUF_IS_IDLE (1 << 7) + #define DDI_BUF_CTL_TC_PHY_OWNERSHIP REG_BIT(6) + #define DDI_A_4_LANES (1 << 4) +-#define DDI_PORT_WIDTH(width) (((width) - 1) << 1) ++#define DDI_PORT_WIDTH(width) (((width) == 3 ? 4 : ((width) - 1)) << 1) + #define DDI_PORT_WIDTH_MASK (7 << 1) + #define DDI_PORT_WIDTH_SHIFT 1 + #define DDI_INIT_DISPLAY_DETECTED (1 << 0) diff --git a/queue-6.12/drm-i915-dp-fix-error-handling-during-128b-132b-link-training.patch b/queue-6.12/drm-i915-dp-fix-error-handling-during-128b-132b-link-training.patch new file mode 100644 index 0000000000..4168a726ab --- /dev/null +++ b/queue-6.12/drm-i915-dp-fix-error-handling-during-128b-132b-link-training.patch @@ -0,0 +1,73 @@ +From b9275eabe31e6679ae12c46a4a0a18d622db4570 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Tue, 18 Feb 2025 00:38:27 +0200 +Subject: drm/i915/dp: Fix error handling during 128b/132b link training + +From: Imre Deak + +commit b9275eabe31e6679ae12c46a4a0a18d622db4570 upstream. + +At the end of a 128b/132b link training sequence, the HW expects the +transcoder training pattern to be set to TPS2 and from that to normal +mode (disabling the training pattern). Transitioning from TPS1 directly +to normal mode leaves the transcoder in a stuck state, resulting in +page-flip timeouts later in the modeset sequence. + +Atm, in case of a failure during link training, the transcoder may be +still set to output the TPS1 pattern. Later the transcoder is then set +from TPS1 directly to normal mode in intel_dp_stop_link_train(), leading +to modeset failures later as described above. Fix this by setting the +training patter to TPS2, if the link training failed at any point. + +The clue in the specification about the above HW behavior is the +explicit mention that TPS2 must be set after the link training sequence +(and there isn't a similar requirement specified for the 8b/10b link +training), see the Bspec links below. + +v2: Add bspec aspect/link to the commit log. (Jani) + +Bspec: 54128, 65448, 68849 +Cc: stable@vger.kernel.org # v5.18+ +Cc: Jani Nikula +Signed-off-by: Imre Deak +Acked-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20250217223828.1166093-2-imre.deak@intel.com +Signed-off-by: Rodrigo Vivi +(cherry picked from commit 8b4bbaf8ddc1f68f3ee96a706f65fdb1bcd9d355) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_dp_link_training.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/display/intel_dp_link_training.c ++++ b/drivers/gpu/drm/i915/display/intel_dp_link_training.c +@@ -1561,7 +1561,7 @@ intel_dp_128b132b_link_train(struct inte + + if (wait_for(intel_dp_128b132b_intra_hop(intel_dp, crtc_state) == 0, 500)) { + lt_err(intel_dp, DP_PHY_DPRX, "128b/132b intra-hop not clear\n"); +- return false; ++ goto out; + } + + if (intel_dp_128b132b_lane_eq(intel_dp, crtc_state) && +@@ -1573,6 +1573,19 @@ intel_dp_128b132b_link_train(struct inte + passed ? "passed" : "failed", + crtc_state->port_clock, crtc_state->lane_count); + ++out: ++ /* ++ * Ensure that the training pattern does get set to TPS2 even in case ++ * of a failure, as is the case at the end of a passing link training ++ * and what is expected by the transcoder. Leaving TPS1 set (and ++ * disabling the link train mode in DP_TP_CTL later from TPS1 directly) ++ * would result in a stuck transcoder HW state and flip-done timeouts ++ * later in the modeset sequence. ++ */ ++ if (!passed) ++ intel_dp_program_link_training_pattern(intel_dp, crtc_state, ++ DP_PHY_DPRX, DP_TRAINING_PATTERN_2); ++ + return passed; + } + diff --git a/queue-6.12/drm-i915-gt-use-spin_lock_irqsave-in-interruptible-context.patch b/queue-6.12/drm-i915-gt-use-spin_lock_irqsave-in-interruptible-context.patch new file mode 100644 index 0000000000..ccd016dea3 --- /dev/null +++ b/queue-6.12/drm-i915-gt-use-spin_lock_irqsave-in-interruptible-context.patch @@ -0,0 +1,53 @@ +From e49477f7f78598295551d486ecc7f020d796432e Mon Sep 17 00:00:00 2001 +From: Krzysztof Karas +Date: Thu, 16 Jan 2025 10:40:46 +0000 +Subject: drm/i915/gt: Use spin_lock_irqsave() in interruptible context + +From: Krzysztof Karas + +commit e49477f7f78598295551d486ecc7f020d796432e upstream. + +spin_lock/unlock() functions used in interrupt contexts could +result in a deadlock, as seen in GitLab issue #13399, +which occurs when interrupt comes in while holding a lock. + +Try to remedy the problem by saving irq state before spin lock +acquisition. + +v2: add irqs' state save/restore calls to all locks/unlocks in + signal_irq_work() execution (Maciej) + +v3: use with spin_lock_irqsave() in guc_lrc_desc_unpin() instead + of other lock/unlock calls and add Fixes and Cc tags (Tvrtko); + change title and commit message + +Fixes: 2f2cc53b5fe7 ("drm/i915/guc: Close deregister-context race against CT-loss") +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13399 +Signed-off-by: Krzysztof Karas +Cc: # v6.9+ +Reviewed-by: Maciej Patelczyk +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/pusppq5ybyszau2oocboj3mtj5x574gwij323jlclm5zxvimmu@mnfg6odxbpsv +(cherry picked from commit c088387ddd6482b40f21ccf23db1125e8fa4af7e) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +@@ -3425,10 +3425,10 @@ static inline int guc_lrc_desc_unpin(str + */ + ret = deregister_context(ce, ce->guc_id.id); + if (ret) { +- spin_lock(&ce->guc_state.lock); ++ spin_lock_irqsave(&ce->guc_state.lock, flags); + set_context_registered(ce); + clr_context_destroyed(ce); +- spin_unlock(&ce->guc_state.lock); ++ spin_unlock_irqrestore(&ce->guc_state.lock, flags); + /* + * As gt-pm is awake at function entry, intel_wakeref_put_async merely decrements + * the wakeref immediately but per function spec usage call this after unlock. diff --git a/queue-6.12/drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch b/queue-6.12/drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch new file mode 100644 index 0000000000..fd3e7af7b7 --- /dev/null +++ b/queue-6.12/drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch @@ -0,0 +1,71 @@ +From 07fb70d82e0df085980246bf17bc12537588795f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 12 Feb 2025 18:43:21 +0200 +Subject: drm/i915: Make sure all planes in use by the joiner have their crtc included +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 07fb70d82e0df085980246bf17bc12537588795f upstream. + +Any active plane needs to have its crtc included in the atomic +state. For planes enabled via uapi that is all handler in the core. +But when we use a plane for joiner the uapi code things the plane +is disabled and therefore doesn't have a crtc. So we need to pull +those in by hand. We do it first thing in +intel_joiner_add_affected_crtcs() so that any newly added crtc will +subsequently pull in all of its joined crtcs as well. + +The symptoms from failing to do this are: +- duct tape in the form of commit 1d5b09f8daf8 ("drm/i915: Fix NULL + ptr deref by checking new_crtc_state") +- the plane's hw state will get overwritten by the disabled + uapi state if it can't find the uapi counterpart plane in + the atomic state from where it should copy the correct state + +Cc: stable@vger.kernel.org +Reviewed-by: Maarten Lankhorst +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20250212164330.16891-2-ville.syrjala@linux.intel.com +(cherry picked from commit 91077d1deb5374eb8be00fb391710f00e751dc4b) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_display.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_display.c ++++ b/drivers/gpu/drm/i915/display/intel_display.c +@@ -6369,12 +6369,30 @@ static int intel_async_flip_check_hw(str + static int intel_joiner_add_affected_crtcs(struct intel_atomic_state *state) + { + struct drm_i915_private *i915 = to_i915(state->base.dev); ++ const struct intel_plane_state *plane_state; + struct intel_crtc_state *crtc_state; ++ struct intel_plane *plane; + struct intel_crtc *crtc; + u8 affected_pipes = 0; + u8 modeset_pipes = 0; + int i; + ++ /* ++ * Any plane which is in use by the joiner needs its crtc. ++ * Pull those in first as this will not have happened yet ++ * if the plane remains disabled according to uapi. ++ */ ++ for_each_new_intel_plane_in_state(state, plane, plane_state, i) { ++ crtc = to_intel_crtc(plane_state->hw.crtc); ++ if (!crtc) ++ continue; ++ ++ crtc_state = intel_atomic_get_crtc_state(&state->base, crtc); ++ if (IS_ERR(crtc_state)) ++ return PTR_ERR(crtc_state); ++ } ++ ++ /* Now pull in all joined crtcs */ + for_each_new_intel_crtc_in_state(state, crtc, crtc_state, i) { + affected_pipes |= crtc_state->joiner_pipes; + if (intel_crtc_needs_modeset(crtc_state)) diff --git a/queue-6.12/drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch b/queue-6.12/drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch new file mode 100644 index 0000000000..7121009325 --- /dev/null +++ b/queue-6.12/drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch @@ -0,0 +1,42 @@ +From f063ac6b55df03ed25996bdc84d9e1c50147cfa1 Mon Sep 17 00:00:00 2001 +From: Jessica Zhang +Date: Tue, 11 Feb 2025 19:59:19 -0800 +Subject: drm/msm/dpu: Disable dither in phys encoder cleanup + +From: Jessica Zhang + +commit f063ac6b55df03ed25996bdc84d9e1c50147cfa1 upstream. + +Disable pingpong dither in dpu_encoder_helper_phys_cleanup(). + +This avoids the issue where an encoder unknowingly uses dither after +reserving a pingpong block that was previously bound to an encoder that +had enabled dither. + +Cc: stable@vger.kernel.org +Reported-by: Dmitry Baryshkov +Closes: https://lore.kernel.org/all/jr7zbj5w7iq4apg3gofuvcwf4r2swzqjk7sshwcdjll4mn6ctt@l2n3qfpujg3q/ +Signed-off-by: Jessica Zhang +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Fixes: 3c128638a07d ("drm/msm/dpu: add support for dither block in display") +Patchwork: https://patchwork.freedesktop.org/patch/636517/ +Link: https://lore.kernel.org/r/20250211-dither-disable-v1-1-ac2cb455f6b9@quicinc.com +Signed-off-by: Abhinav Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +@@ -2125,6 +2125,9 @@ void dpu_encoder_helper_phys_cleanup(str + } + } + ++ if (phys_enc->hw_pp && phys_enc->hw_pp->ops.setup_dither) ++ phys_enc->hw_pp->ops.setup_dither(phys_enc->hw_pp, NULL); ++ + /* reset the merge 3D HW block */ + if (phys_enc->hw_pp && phys_enc->hw_pp->merge_3d) { + phys_enc->hw_pp->merge_3d->ops.setup_3d_mode(phys_enc->hw_pp->merge_3d, diff --git a/queue-6.12/drm-panel-jd9365da-h3-fix-reset-signal-polarity.patch b/queue-6.12/drm-panel-jd9365da-h3-fix-reset-signal-polarity.patch new file mode 100644 index 0000000000..d150434f38 --- /dev/null +++ b/queue-6.12/drm-panel-jd9365da-h3-fix-reset-signal-polarity.patch @@ -0,0 +1,70 @@ +From a8972d5a49b408248294b5ecbdd0a085e4726349 Mon Sep 17 00:00:00 2001 +From: Hugo Villeneuve +Date: Fri, 27 Sep 2024 09:53:05 -0400 +Subject: drm: panel: jd9365da-h3: fix reset signal polarity + +From: Hugo Villeneuve + +commit a8972d5a49b408248294b5ecbdd0a085e4726349 upstream. + +In jadard_prepare() a reset pulse is generated with the following +statements (delays ommited for clarity): + + gpiod_set_value(jadard->reset, 1); --> Deassert reset + gpiod_set_value(jadard->reset, 0); --> Assert reset for 10ms + gpiod_set_value(jadard->reset, 1); --> Deassert reset + +However, specifying second argument of "0" to gpiod_set_value() means to +deassert the GPIO, and "1" means to assert it. If the reset signal is +defined as GPIO_ACTIVE_LOW in the DTS, the above statements will +incorrectly generate the reset pulse (inverted) and leave it asserted +(LOW) at the end of jadard_prepare(). + +Fix reset behavior by inverting gpiod_set_value() second argument +in jadard_prepare(). Also modify second argument to devm_gpiod_get() +in jadard_dsi_probe() to assert the reset when probing. + +Do not modify it in jadard_unprepare() as it is already properly +asserted with "1", which seems to be the intended behavior. + +Fixes: 6b818c533dd8 ("drm: panel: Add Jadard JD9365DA-H3 DSI panel") +Cc: stable@vger.kernel.org +Signed-off-by: Hugo Villeneuve +Reviewed-by: Neil Armstrong +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20240927135306.857617-1-hugo@hugovil.com +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20240927135306.857617-1-hugo@hugovil.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c ++++ b/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c +@@ -109,13 +109,13 @@ static int jadard_prepare(struct drm_pan + if (jadard->desc->lp11_to_reset_delay_ms) + msleep(jadard->desc->lp11_to_reset_delay_ms); + +- gpiod_set_value(jadard->reset, 1); ++ gpiod_set_value(jadard->reset, 0); + msleep(5); + +- gpiod_set_value(jadard->reset, 0); ++ gpiod_set_value(jadard->reset, 1); + msleep(10); + +- gpiod_set_value(jadard->reset, 1); ++ gpiod_set_value(jadard->reset, 0); + msleep(130); + + ret = jadard->desc->init(jadard); +@@ -1130,7 +1130,7 @@ static int jadard_dsi_probe(struct mipi_ + dsi->format = desc->format; + dsi->lanes = desc->lanes; + +- jadard->reset = devm_gpiod_get(dev, "reset", GPIOD_OUT_LOW); ++ jadard->reset = devm_gpiod_get(dev, "reset", GPIOD_OUT_HIGH); + if (IS_ERR(jadard->reset)) { + DRM_DEV_ERROR(&dsi->dev, "failed to get our reset GPIO\n"); + return PTR_ERR(jadard->reset); diff --git a/queue-6.12/drop_monitor-fix-incorrect-initialization-order.patch b/queue-6.12/drop_monitor-fix-incorrect-initialization-order.patch new file mode 100644 index 0000000000..4d35946ada --- /dev/null +++ b/queue-6.12/drop_monitor-fix-incorrect-initialization-order.patch @@ -0,0 +1,137 @@ +From 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia +Date: Thu, 13 Feb 2025 15:20:55 +0000 +Subject: drop_monitor: fix incorrect initialization order + +From: Gavrilov Ilia + +commit 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea upstream. + +Syzkaller reports the following bug: + +BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 + lock: 0xffff88805303f3e0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 +CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 +Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x119/0x179 lib/dump_stack.c:118 + debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] + do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] + _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159 + reset_per_cpu_data+0xe6/0x240 [drop_monitor] + net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor] + genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 + genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 + netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497 + genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 + netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] + netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348 + netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916 + sock_sendmsg_nosec net/socket.c:651 [inline] + __sock_sendmsg+0x157/0x190 net/socket.c:663 + ____sys_sendmsg+0x712/0x870 net/socket.c:2378 + ___sys_sendmsg+0xf8/0x170 net/socket.c:2432 + __sys_sendmsg+0xea/0x1b0 net/socket.c:2461 + do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x62/0xc7 +RIP: 0033:0x7f3f9815aee9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 +RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 +RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768 + +If drop_monitor is built as a kernel module, syzkaller may have time +to send a netlink NET_DM_CMD_START message during the module loading. +This will call the net_dm_monitor_start() function that uses +a spinlock that has not yet been initialized. + +To fix this, let's place resource initialization above the registration +of a generic netlink family. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with Syzkaller. + +Fixes: 9a8afc8d3962 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia Gavrilov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250213152054.2785669-1-Ilia.Gavrilov@infotecs.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/drop_monitor.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +--- a/net/core/drop_monitor.c ++++ b/net/core/drop_monitor.c +@@ -1734,30 +1734,30 @@ static int __init init_net_drop_monitor( + return -ENOSPC; + } + +- rc = genl_register_family(&net_drop_monitor_family); +- if (rc) { +- pr_err("Could not create drop monitor netlink family\n"); +- return rc; ++ for_each_possible_cpu(cpu) { ++ net_dm_cpu_data_init(cpu); ++ net_dm_hw_cpu_data_init(cpu); + } +- WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT); + + rc = register_netdevice_notifier(&dropmon_net_notifier); + if (rc < 0) { + pr_crit("Failed to register netdevice notifier\n"); ++ return rc; ++ } ++ ++ rc = genl_register_family(&net_drop_monitor_family); ++ if (rc) { ++ pr_err("Could not create drop monitor netlink family\n"); + goto out_unreg; + } ++ WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT); + + rc = 0; + +- for_each_possible_cpu(cpu) { +- net_dm_cpu_data_init(cpu); +- net_dm_hw_cpu_data_init(cpu); +- } +- + goto out; + + out_unreg: +- genl_unregister_family(&net_drop_monitor_family); ++ WARN_ON(unregister_netdevice_notifier(&dropmon_net_notifier)); + out: + return rc; + } +@@ -1766,19 +1766,18 @@ static void exit_net_drop_monitor(void) + { + int cpu; + +- BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier)); +- + /* + * Because of the module_get/put we do in the trace state change path + * we are guaranteed not to have any current users when we get here + */ ++ BUG_ON(genl_unregister_family(&net_drop_monitor_family)); ++ ++ BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier)); + + for_each_possible_cpu(cpu) { + net_dm_hw_cpu_data_fini(cpu); + net_dm_cpu_data_fini(cpu); + } +- +- BUG_ON(genl_unregister_family(&net_drop_monitor_family)); + } + + module_init(init_net_drop_monitor); diff --git a/queue-6.12/edac-qcom-correct-interrupt-enable-register-configuration.patch b/queue-6.12/edac-qcom-correct-interrupt-enable-register-configuration.patch new file mode 100644 index 0000000000..617aefa3ef --- /dev/null +++ b/queue-6.12/edac-qcom-correct-interrupt-enable-register-configuration.patch @@ -0,0 +1,49 @@ +From c158647c107358bf1be579f98e4bb705c1953292 Mon Sep 17 00:00:00 2001 +From: Komal Bajaj +Date: Tue, 19 Nov 2024 12:16:08 +0530 +Subject: EDAC/qcom: Correct interrupt enable register configuration + +From: Komal Bajaj + +commit c158647c107358bf1be579f98e4bb705c1953292 upstream. + +The previous implementation incorrectly configured the cmn_interrupt_2_enable +register for interrupt handling. Using cmn_interrupt_2_enable to configure +Tag, Data RAM ECC interrupts would lead to issues like double handling of the +interrupts (EL1 and EL3) as cmn_interrupt_2_enable is meant to be configured +for interrupts which needs to be handled by EL3. + +EL1 LLCC EDAC driver needs to use cmn_interrupt_0_enable register to configure +Tag, Data RAM ECC interrupts instead of cmn_interrupt_2_enable. + +Fixes: 27450653f1db ("drivers: edac: Add EDAC driver support for QCOM SoCs") +Signed-off-by: Komal Bajaj +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Manivannan Sadhasivam +Cc: +Link: https://lore.kernel.org/r/20241119064608.12326-1-quic_kbajaj@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/qcom_edac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/edac/qcom_edac.c ++++ b/drivers/edac/qcom_edac.c +@@ -95,7 +95,7 @@ static int qcom_llcc_core_setup(struct l + * Configure interrupt enable registers such that Tag, Data RAM related + * interrupts are propagated to interrupt controller for servicing + */ +- ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_2_enable, ++ ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_0_enable, + TRP0_INTERRUPT_ENABLE, + TRP0_INTERRUPT_ENABLE); + if (ret) +@@ -113,7 +113,7 @@ static int qcom_llcc_core_setup(struct l + if (ret) + return ret; + +- ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_2_enable, ++ ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_0_enable, + DRP0_INTERRUPT_ENABLE, + DRP0_INTERRUPT_ENABLE); + if (ret) diff --git a/queue-6.12/ftrace-correct-preemption-accounting-for-function-tracing.patch b/queue-6.12/ftrace-correct-preemption-accounting-for-function-tracing.patch new file mode 100644 index 0000000000..a4245ae225 --- /dev/null +++ b/queue-6.12/ftrace-correct-preemption-accounting-for-function-tracing.patch @@ -0,0 +1,62 @@ +From 57b76bedc5c52c66968183b5ef57234894c25ce7 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Thu, 20 Feb 2025 15:07:49 +0100 +Subject: ftrace: Correct preemption accounting for function tracing. + +From: Sebastian Andrzej Siewior + +commit 57b76bedc5c52c66968183b5ef57234894c25ce7 upstream. + +The function tracer should record the preemption level at the point when +the function is invoked. If the tracing subsystem decrement the +preemption counter it needs to correct this before feeding the data into +the trace buffer. This was broken in the commit cited below while +shifting the preempt-disabled section. + +Use tracing_gen_ctx_dec() which properly subtracts one from the +preemption counter on a preemptible kernel. + +Cc: stable@vger.kernel.org +Cc: Wander Lairson Costa +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Thomas Gleixner +Link: https://lore.kernel.org/20250220140749.pfw8qoNZ@linutronix.de +Fixes: ce5e48036c9e7 ("ftrace: disable preemption when recursion locked") +Signed-off-by: Sebastian Andrzej Siewior +Tested-by: Wander Lairson Costa +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_functions.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/kernel/trace/trace_functions.c ++++ b/kernel/trace/trace_functions.c +@@ -193,7 +193,7 @@ function_trace_call(unsigned long ip, un + if (bit < 0) + return; + +- trace_ctx = tracing_gen_ctx(); ++ trace_ctx = tracing_gen_ctx_dec(); + + cpu = smp_processor_id(); + data = per_cpu_ptr(tr->array_buffer.data, cpu); +@@ -298,7 +298,6 @@ function_no_repeats_trace_call(unsigned + struct trace_array *tr = op->private; + struct trace_array_cpu *data; + unsigned int trace_ctx; +- unsigned long flags; + int bit; + int cpu; + +@@ -325,8 +324,7 @@ function_no_repeats_trace_call(unsigned + if (is_repeat_check(tr, last_info, ip, parent_ip)) + goto out; + +- local_save_flags(flags); +- trace_ctx = tracing_gen_ctx_flags(flags); ++ trace_ctx = tracing_gen_ctx_dec(); + process_repeats(tr, ip, parent_ip, last_info, trace_ctx); + + trace_function(tr, ip, parent_ip, trace_ctx); diff --git a/queue-6.12/ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch b/queue-6.12/ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch new file mode 100644 index 0000000000..238298bbce --- /dev/null +++ b/queue-6.12/ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch @@ -0,0 +1,42 @@ +From 8eb4b09e0bbd30981305643229fe7640ad41b667 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 20 Feb 2025 15:20:11 -0500 +Subject: ftrace: Do not add duplicate entries in subops manager ops + +From: Steven Rostedt + +commit 8eb4b09e0bbd30981305643229fe7640ad41b667 upstream. + +Check if a function is already in the manager ops of a subops. A manager +ops contains multiple subops, and if two or more subops are tracing the +same function, the manager ops only needs a single entry in its hash. + +Cc: stable@vger.kernel.org +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Sven Schnelle +Cc: Vasily Gorbik +Cc: Alexander Gordeev +Link: https://lore.kernel.org/20250220202055.226762894@goodmis.org +Fixes: 4f554e955614f ("ftrace: Add ftrace_set_filter_ips function") +Tested-by: Heiko Carstens +Reviewed-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5758,6 +5758,9 @@ __ftrace_match_addr(struct ftrace_hash * + return -ENOENT; + free_hash_entry(hash, entry); + return 0; ++ } else if (__ftrace_lookup_ip(hash, ip) != NULL) { ++ /* Already exists */ ++ return 0; + } + + entry = add_hash_entry(hash, ip); diff --git a/queue-6.12/ftrace-fix-accounting-of-adding-subops-to-a-manager-ops.patch b/queue-6.12/ftrace-fix-accounting-of-adding-subops-to-a-manager-ops.patch new file mode 100644 index 0000000000..3c98b9537c --- /dev/null +++ b/queue-6.12/ftrace-fix-accounting-of-adding-subops-to-a-manager-ops.patch @@ -0,0 +1,144 @@ +From 38b14061947fa546491656e3f5e388d4fedf8dba Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 20 Feb 2025 15:20:10 -0500 +Subject: ftrace: Fix accounting of adding subops to a manager ops + +From: Steven Rostedt + +commit 38b14061947fa546491656e3f5e388d4fedf8dba upstream. + +Function graph uses a subops and manager ops mechanism to attach to +ftrace. The manager ops connects to ftrace and the functions it connects +to is defined by a list of subops that it manages. + +The function hash that defines what the above ops attaches to limits the +functions to attach if the hash has any content. If the hash is empty, it +means to trace all functions. + +The creation of the manager ops hash is done by iterating over all the +subops hashes. If any of the subops hashes is empty, it means that the +manager ops hash must trace all functions as well. + +The issue is in the creation of the manager ops. When a second subops is +attached, a new hash is created by starting it as NULL and adding the +subops one at a time. But the NULL ops is mistaken as an empty hash, and +once an empty hash is found, it stops the loop of subops and just enables +all functions. + + # echo "f:myevent1 kernel_clone" >> /sys/kernel/tracing/dynamic_events + # cat /sys/kernel/tracing/enabled_functions +kernel_clone (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 + + # echo "f:myevent2 schedule_timeout" >> /sys/kernel/tracing/dynamic_events + # cat /sys/kernel/tracing/enabled_functions +trace_initcall_start_cb (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +run_init_process (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +try_to_run_init_process (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +x86_pmu_show_pmu_cap (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +cleanup_rapl_pmus (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +uncore_free_pcibus_map (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +uncore_types_exit (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +uncore_pci_exit.part.0 (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +kvm_shutdown (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +vmx_dump_msrs (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +vmx_cleanup_l1d_flush (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60 +[..] + +Fix this by initializing the new hash to NULL and if the hash is NULL do +not treat it as an empty hash but instead allocate by copying the content +of the first sub ops. Then on subsequent iterations, the new hash will not +be NULL, but the content of the previous subops. If that first subops +attached to all functions, then new hash may assume that the manager ops +also needs to attach to all functions. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Heiko Carstens +Cc: Sven Schnelle +Cc: Vasily Gorbik +Cc: Alexander Gordeev +Link: https://lore.kernel.org/20250220202055.060300046@goodmis.org +Fixes: 5fccc7552ccbc ("ftrace: Add subops logic to allow one ops to manage many") +Reviewed-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3219,15 +3219,22 @@ static struct ftrace_hash *copy_hash(str + * The filter_hash updates uses just the append_hash() function + * and the notrace_hash does not. + */ +-static int append_hash(struct ftrace_hash **hash, struct ftrace_hash *new_hash) ++static int append_hash(struct ftrace_hash **hash, struct ftrace_hash *new_hash, ++ int size_bits) + { + struct ftrace_func_entry *entry; + int size; + int i; + +- /* An empty hash does everything */ +- if (ftrace_hash_empty(*hash)) +- return 0; ++ if (*hash) { ++ /* An empty hash does everything */ ++ if (ftrace_hash_empty(*hash)) ++ return 0; ++ } else { ++ *hash = alloc_ftrace_hash(size_bits); ++ if (!*hash) ++ return -ENOMEM; ++ } + + /* If new_hash has everything make hash have everything */ + if (ftrace_hash_empty(new_hash)) { +@@ -3291,16 +3298,18 @@ static int intersect_hash(struct ftrace_ + /* Return a new hash that has a union of all @ops->filter_hash entries */ + static struct ftrace_hash *append_hashes(struct ftrace_ops *ops) + { +- struct ftrace_hash *new_hash; ++ struct ftrace_hash *new_hash = NULL; + struct ftrace_ops *subops; ++ int size_bits; + int ret; + +- new_hash = alloc_ftrace_hash(ops->func_hash->filter_hash->size_bits); +- if (!new_hash) +- return NULL; ++ if (ops->func_hash->filter_hash) ++ size_bits = ops->func_hash->filter_hash->size_bits; ++ else ++ size_bits = FTRACE_HASH_DEFAULT_BITS; + + list_for_each_entry(subops, &ops->subop_list, list) { +- ret = append_hash(&new_hash, subops->func_hash->filter_hash); ++ ret = append_hash(&new_hash, subops->func_hash->filter_hash, size_bits); + if (ret < 0) { + free_ftrace_hash(new_hash); + return NULL; +@@ -3309,7 +3318,8 @@ static struct ftrace_hash *append_hashes + if (ftrace_hash_empty(new_hash)) + break; + } +- return new_hash; ++ /* Can't return NULL as that means this failed */ ++ return new_hash ? : EMPTY_HASH; + } + + /* Make @ops trace evenything except what all its subops do not trace */ +@@ -3504,7 +3514,8 @@ int ftrace_startup_subops(struct ftrace_ + filter_hash = alloc_and_copy_ftrace_hash(size_bits, ops->func_hash->filter_hash); + if (!filter_hash) + return -ENOMEM; +- ret = append_hash(&filter_hash, subops->func_hash->filter_hash); ++ ret = append_hash(&filter_hash, subops->func_hash->filter_hash, ++ size_bits); + if (ret < 0) { + free_ftrace_hash(filter_hash); + return ret; diff --git a/queue-6.12/gpiolib-check-the-return-value-of-gpio_chip-get_direction.patch b/queue-6.12/gpiolib-check-the-return-value-of-gpio_chip-get_direction.patch new file mode 100644 index 0000000000..9dc88a4ef7 --- /dev/null +++ b/queue-6.12/gpiolib-check-the-return-value-of-gpio_chip-get_direction.patch @@ -0,0 +1,90 @@ +From 9d846b1aebbe488f245f1aa463802ff9c34cc078 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Mon, 10 Feb 2025 11:51:55 +0100 +Subject: gpiolib: check the return value of gpio_chip::get_direction() + +From: Bartosz Golaszewski + +commit 9d846b1aebbe488f245f1aa463802ff9c34cc078 upstream. + +As per the API contract - gpio_chip::get_direction() may fail and return +a negative error number. However, we treat it as if it always returned 0 +or 1. Check the return value of the callback and propagate the error +number up the stack. + +Cc: stable@vger.kernel.org +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250210-gpio-sanitize-retvals-v1-1-12ea88506cb2@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib.c | 44 +++++++++++++++++++++++++++++--------------- + 1 file changed, 29 insertions(+), 15 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1059,8 +1059,11 @@ int gpiochip_add_data_with_key(struct gp + struct gpio_desc *desc = &gdev->descs[desc_index]; + + if (gc->get_direction && gpiochip_line_is_valid(gc, desc_index)) { +- assign_bit(FLAG_IS_OUT, +- &desc->flags, !gc->get_direction(gc, desc_index)); ++ ret = gc->get_direction(gc, desc_index); ++ if (ret < 0) ++ goto err_cleanup_desc_srcu; ++ ++ assign_bit(FLAG_IS_OUT, &desc->flags, !ret); + } else { + assign_bit(FLAG_IS_OUT, + &desc->flags, !gc->direction_input); +@@ -2702,13 +2705,18 @@ int gpiod_direction_input(struct gpio_de + if (guard.gc->direction_input) { + ret = guard.gc->direction_input(guard.gc, + gpio_chip_hwgpio(desc)); +- } else if (guard.gc->get_direction && +- (guard.gc->get_direction(guard.gc, +- gpio_chip_hwgpio(desc)) != 1)) { +- gpiod_warn(desc, +- "%s: missing direction_input() operation and line is output\n", +- __func__); +- return -EIO; ++ } else if (guard.gc->get_direction) { ++ ret = guard.gc->get_direction(guard.gc, ++ gpio_chip_hwgpio(desc)); ++ if (ret < 0) ++ return ret; ++ ++ if (ret != GPIO_LINE_DIRECTION_IN) { ++ gpiod_warn(desc, ++ "%s: missing direction_input() operation and line is output\n", ++ __func__); ++ return -EIO; ++ } + } + if (ret == 0) { + clear_bit(FLAG_IS_OUT, &desc->flags); +@@ -2746,12 +2754,18 @@ static int gpiod_direction_output_raw_co + gpio_chip_hwgpio(desc), val); + } else { + /* Check that we are in output mode if we can */ +- if (guard.gc->get_direction && +- guard.gc->get_direction(guard.gc, gpio_chip_hwgpio(desc))) { +- gpiod_warn(desc, +- "%s: missing direction_output() operation\n", +- __func__); +- return -EIO; ++ if (guard.gc->get_direction) { ++ ret = guard.gc->get_direction(guard.gc, ++ gpio_chip_hwgpio(desc)); ++ if (ret < 0) ++ return ret; ++ ++ if (ret != GPIO_LINE_DIRECTION_OUT) { ++ gpiod_warn(desc, ++ "%s: missing direction_output() operation\n", ++ __func__); ++ return -EIO; ++ } + } + /* + * If we can't actively set the direction, we are some diff --git a/queue-6.12/gpiolib-protect-gpio_chip-with-srcu-in-array_info-paths-in-multi-get-set.patch b/queue-6.12/gpiolib-protect-gpio_chip-with-srcu-in-array_info-paths-in-multi-get-set.patch new file mode 100644 index 0000000000..992547a650 --- /dev/null +++ b/queue-6.12/gpiolib-protect-gpio_chip-with-srcu-in-array_info-paths-in-multi-get-set.patch @@ -0,0 +1,197 @@ +From 81570d6a7ad37033c7895811551a5a9023706eda Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Sat, 15 Feb 2025 10:56:55 +0100 +Subject: gpiolib: protect gpio_chip with SRCU in array_info paths in multi get/set + +From: Bartosz Golaszewski + +commit 81570d6a7ad37033c7895811551a5a9023706eda upstream. + +During the locking rework in GPIOLIB, we omitted one important use-case, +namely: setting and getting values for GPIO descriptor arrays with +array_info present. + +This patch does two things: first it makes struct gpio_array store the +address of the underlying GPIO device and not chip. Next: it protects +the chip with SRCU from removal in gpiod_get_array_value_complex() and +gpiod_set_array_value_complex(). + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250215095655.23152-1-brgl@bgdev.pl +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib.c | 48 +++++++++++++++++++++++++++++++++--------------- + drivers/gpio/gpiolib.h | 4 ++-- + 2 files changed, 35 insertions(+), 17 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -3082,6 +3082,8 @@ static int gpiod_get_raw_value_commit(co + static int gpio_chip_get_multiple(struct gpio_chip *gc, + unsigned long *mask, unsigned long *bits) + { ++ lockdep_assert_held(&gc->gpiodev->srcu); ++ + if (gc->get_multiple) + return gc->get_multiple(gc, mask, bits); + if (gc->get) { +@@ -3112,6 +3114,7 @@ int gpiod_get_array_value_complex(bool r + struct gpio_array *array_info, + unsigned long *value_bitmap) + { ++ struct gpio_chip *gc; + int ret, i = 0; + + /* +@@ -3123,10 +3126,15 @@ int gpiod_get_array_value_complex(bool r + array_size <= array_info->size && + (void *)array_info == desc_array + array_info->size) { + if (!can_sleep) +- WARN_ON(array_info->chip->can_sleep); ++ WARN_ON(array_info->gdev->can_sleep); + +- ret = gpio_chip_get_multiple(array_info->chip, +- array_info->get_mask, ++ guard(srcu)(&array_info->gdev->srcu); ++ gc = srcu_dereference(array_info->gdev->chip, ++ &array_info->gdev->srcu); ++ if (!gc) ++ return -ENODEV; ++ ++ ret = gpio_chip_get_multiple(gc, array_info->get_mask, + value_bitmap); + if (ret) + return ret; +@@ -3407,6 +3415,8 @@ static void gpiod_set_raw_value_commit(s + static void gpio_chip_set_multiple(struct gpio_chip *gc, + unsigned long *mask, unsigned long *bits) + { ++ lockdep_assert_held(&gc->gpiodev->srcu); ++ + if (gc->set_multiple) { + gc->set_multiple(gc, mask, bits); + } else { +@@ -3424,6 +3434,7 @@ int gpiod_set_array_value_complex(bool r + struct gpio_array *array_info, + unsigned long *value_bitmap) + { ++ struct gpio_chip *gc; + int i = 0; + + /* +@@ -3435,14 +3446,19 @@ int gpiod_set_array_value_complex(bool r + array_size <= array_info->size && + (void *)array_info == desc_array + array_info->size) { + if (!can_sleep) +- WARN_ON(array_info->chip->can_sleep); ++ WARN_ON(array_info->gdev->can_sleep); ++ ++ guard(srcu)(&array_info->gdev->srcu); ++ gc = srcu_dereference(array_info->gdev->chip, ++ &array_info->gdev->srcu); ++ if (!gc) ++ return -ENODEV; + + if (!raw && !bitmap_empty(array_info->invert_mask, array_size)) + bitmap_xor(value_bitmap, value_bitmap, + array_info->invert_mask, array_size); + +- gpio_chip_set_multiple(array_info->chip, array_info->set_mask, +- value_bitmap); ++ gpio_chip_set_multiple(gc, array_info->set_mask, value_bitmap); + + i = find_first_zero_bit(array_info->set_mask, array_size); + if (i == array_size) +@@ -4698,9 +4714,10 @@ struct gpio_descs *__must_check gpiod_ge + { + struct gpio_desc *desc; + struct gpio_descs *descs; ++ struct gpio_device *gdev; + struct gpio_array *array_info = NULL; +- struct gpio_chip *gc; + int count, bitmap_size; ++ unsigned long dflags; + size_t descs_size; + + count = gpiod_count(dev, con_id); +@@ -4721,7 +4738,7 @@ struct gpio_descs *__must_check gpiod_ge + + descs->desc[descs->ndescs] = desc; + +- gc = gpiod_to_chip(desc); ++ gdev = gpiod_to_gpio_device(desc); + /* + * If pin hardware number of array member 0 is also 0, select + * its chip as a candidate for fast bitmap processing path. +@@ -4729,8 +4746,8 @@ struct gpio_descs *__must_check gpiod_ge + if (descs->ndescs == 0 && gpio_chip_hwgpio(desc) == 0) { + struct gpio_descs *array; + +- bitmap_size = BITS_TO_LONGS(gc->ngpio > count ? +- gc->ngpio : count); ++ bitmap_size = BITS_TO_LONGS(gdev->ngpio > count ? ++ gdev->ngpio : count); + + array = krealloc(descs, descs_size + + struct_size(array_info, invert_mask, 3 * bitmap_size), +@@ -4750,7 +4767,7 @@ struct gpio_descs *__must_check gpiod_ge + + array_info->desc = descs->desc; + array_info->size = count; +- array_info->chip = gc; ++ array_info->gdev = gdev; + bitmap_set(array_info->get_mask, descs->ndescs, + count - descs->ndescs); + bitmap_set(array_info->set_mask, descs->ndescs, +@@ -4763,7 +4780,7 @@ struct gpio_descs *__must_check gpiod_ge + continue; + + /* Unmark array members which don't belong to the 'fast' chip */ +- if (array_info->chip != gc) { ++ if (array_info->gdev != gdev) { + __clear_bit(descs->ndescs, array_info->get_mask); + __clear_bit(descs->ndescs, array_info->set_mask); + } +@@ -4786,9 +4803,10 @@ struct gpio_descs *__must_check gpiod_ge + array_info->set_mask); + } + } else { ++ dflags = READ_ONCE(desc->flags); + /* Exclude open drain or open source from fast output */ +- if (gpiochip_line_is_open_drain(gc, descs->ndescs) || +- gpiochip_line_is_open_source(gc, descs->ndescs)) ++ if (test_bit(FLAG_OPEN_DRAIN, &dflags) || ++ test_bit(FLAG_OPEN_SOURCE, &dflags)) + __clear_bit(descs->ndescs, + array_info->set_mask); + /* Identify 'fast' pins which require invertion */ +@@ -4800,7 +4818,7 @@ struct gpio_descs *__must_check gpiod_ge + if (array_info) + dev_dbg(dev, + "GPIO array info: chip=%s, size=%d, get_mask=%lx, set_mask=%lx, invert_mask=%lx\n", +- array_info->chip->label, array_info->size, ++ array_info->gdev->label, array_info->size, + *array_info->get_mask, *array_info->set_mask, + *array_info->invert_mask); + return descs; +--- a/drivers/gpio/gpiolib.h ++++ b/drivers/gpio/gpiolib.h +@@ -110,7 +110,7 @@ extern const char *const gpio_suffixes[] + * + * @desc: Array of pointers to the GPIO descriptors + * @size: Number of elements in desc +- * @chip: Parent GPIO chip ++ * @gdev: Parent GPIO device + * @get_mask: Get mask used in fastpath + * @set_mask: Set mask used in fastpath + * @invert_mask: Invert mask used in fastpath +@@ -122,7 +122,7 @@ extern const char *const gpio_suffixes[] + struct gpio_array { + struct gpio_desc **desc; + unsigned int size; +- struct gpio_chip *chip; ++ struct gpio_device *gdev; + unsigned long *get_mask; + unsigned long *set_mask; + unsigned long invert_mask[]; diff --git a/queue-6.12/gve-set-xdp-redirect-target-only-when-it-is-available.patch b/queue-6.12/gve-set-xdp-redirect-target-only-when-it-is-available.patch new file mode 100644 index 0000000000..323f985fb5 --- /dev/null +++ b/queue-6.12/gve-set-xdp-redirect-target-only-when-it-is-available.patch @@ -0,0 +1,80 @@ +From 415cadd505464d9a11ff5e0f6e0329c127849da5 Mon Sep 17 00:00:00 2001 +From: Joshua Washington +Date: Fri, 14 Feb 2025 14:43:59 -0800 +Subject: gve: set xdp redirect target only when it is available + +From: Joshua Washington + +commit 415cadd505464d9a11ff5e0f6e0329c127849da5 upstream. + +Before this patch the NETDEV_XDP_ACT_NDO_XMIT XDP feature flag is set by +default as part of driver initialization, and is never cleared. However, +this flag differs from others in that it is used as an indicator for +whether the driver is ready to perform the ndo_xdp_xmit operation as +part of an XDP_REDIRECT. Kernel helpers +xdp_features_(set|clear)_redirect_target exist to convey this meaning. + +This patch ensures that the netdev is only reported as a redirect target +when XDP queues exist to forward traffic. + +Fixes: 39a7f4aa3e4a ("gve: Add XDP REDIRECT support for GQI-QPL format") +Cc: stable@vger.kernel.org +Reviewed-by: Praveen Kaligineedi +Reviewed-by: Jeroen de Borst +Signed-off-by: Joshua Washington +Link: https://patch.msgid.link/20250214224417.1237818-1-joshwash@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve.h | 10 ++++++++++ + drivers/net/ethernet/google/gve/gve_main.c | 6 +++++- + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/google/gve/gve.h ++++ b/drivers/net/ethernet/google/gve/gve.h +@@ -1110,6 +1110,16 @@ static inline u32 gve_xdp_tx_start_queue + return gve_xdp_tx_queue_id(priv, 0); + } + ++static inline bool gve_supports_xdp_xmit(struct gve_priv *priv) ++{ ++ switch (priv->queue_format) { ++ case GVE_GQI_QPL_FORMAT: ++ return true; ++ default: ++ return false; ++ } ++} ++ + /* gqi napi handler defined in gve_main.c */ + int gve_napi_poll(struct napi_struct *napi, int budget); + +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1895,6 +1895,8 @@ static void gve_turndown(struct gve_priv + /* Stop tx queues */ + netif_tx_disable(priv->dev); + ++ xdp_features_clear_redirect_target(priv->dev); ++ + gve_clear_napi_enabled(priv); + gve_clear_report_stats(priv); + +@@ -1955,6 +1957,9 @@ static void gve_turnup(struct gve_priv * + napi_schedule(&block->napi); + } + ++ if (priv->num_xdp_queues && gve_supports_xdp_xmit(priv)) ++ xdp_features_set_redirect_target(priv->dev, false); ++ + gve_set_napi_enabled(priv); + } + +@@ -2229,7 +2234,6 @@ static void gve_set_netdev_xdp_features( + if (priv->queue_format == GVE_GQI_QPL_FORMAT) { + xdp_features = NETDEV_XDP_ACT_BASIC; + xdp_features |= NETDEV_XDP_ACT_REDIRECT; +- xdp_features |= NETDEV_XDP_ACT_NDO_XMIT; + xdp_features |= NETDEV_XDP_ACT_XSK_ZEROCOPY; + } else { + xdp_features = 0; diff --git a/queue-6.12/io_uring-prevent-opcode-speculation.patch b/queue-6.12/io_uring-prevent-opcode-speculation.patch new file mode 100644 index 0000000000..bfe082634d --- /dev/null +++ b/queue-6.12/io_uring-prevent-opcode-speculation.patch @@ -0,0 +1,34 @@ +From 1e988c3fe1264708f4f92109203ac5b1d65de50b Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Fri, 14 Feb 2025 22:48:15 +0000 +Subject: io_uring: prevent opcode speculation + +From: Pavel Begunkov + +commit 1e988c3fe1264708f4f92109203ac5b1d65de50b upstream. + +sqe->opcode is used for different tables, make sure we santitise it +against speculations. + +Cc: stable@vger.kernel.org +Fixes: d3656344fea03 ("io_uring: add lookup table for various opcode needs") +Signed-off-by: Pavel Begunkov +Reviewed-by: Li Zetao +Link: https://lore.kernel.org/r/7eddbf31c8ca0a3947f8ed98271acc2b4349c016.1739568408.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2053,6 +2053,8 @@ static int io_init_req(struct io_ring_ct + req->opcode = 0; + return io_init_fail_req(req, -EINVAL); + } ++ opcode = array_index_nospec(opcode, IORING_OP_LAST); ++ + def = &io_issue_defs[opcode]; + if (unlikely(sqe_flags & ~SQE_COMMON_FLAGS)) { + /* enforce forwards compatibility on users */ diff --git a/queue-6.12/io_uring-rw-forbid-multishot-async-reads.patch b/queue-6.12/io_uring-rw-forbid-multishot-async-reads.patch new file mode 100644 index 0000000000..8c9cf3dad2 --- /dev/null +++ b/queue-6.12/io_uring-rw-forbid-multishot-async-reads.patch @@ -0,0 +1,56 @@ +From 67b0025d19f99fb9fbb8b62e6975553c183f3a16 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 19 Feb 2025 01:33:37 +0000 +Subject: io_uring/rw: forbid multishot async reads + +From: Pavel Begunkov + +commit 67b0025d19f99fb9fbb8b62e6975553c183f3a16 upstream. + +At the moment we can't sanely handle queuing an async request from a +multishot context, so disable them. It shouldn't matter as pollable +files / socekts don't normally do async. + +Patching it in __io_read() is not the cleanest way, but it's simpler +than other options, so let's fix it there and clean up on top. + +Cc: stable@vger.kernel.org +Reported-by: chase xd +Fixes: fc68fcda04910 ("io_uring/rw: add support for IORING_OP_READ_MULTISHOT") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/7d51732c125159d17db4fe16f51ec41b936973f8.1739919038.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/rw.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/io_uring/rw.c ++++ b/io_uring/rw.c +@@ -862,7 +862,15 @@ static int __io_read(struct io_kiocb *re + if (unlikely(ret)) + return ret; + +- ret = io_iter_do_read(rw, &io->iter); ++ if (unlikely(req->opcode == IORING_OP_READ_MULTISHOT)) { ++ void *cb_copy = rw->kiocb.ki_complete; ++ ++ rw->kiocb.ki_complete = NULL; ++ ret = io_iter_do_read(rw, &io->iter); ++ rw->kiocb.ki_complete = cb_copy; ++ } else { ++ ret = io_iter_do_read(rw, &io->iter); ++ } + + /* + * Some file systems like to return -EOPNOTSUPP for an IOCB_NOWAIT +@@ -887,7 +895,8 @@ static int __io_read(struct io_kiocb *re + } else if (ret == -EIOCBQUEUED) { + return IOU_ISSUE_SKIP_COMPLETE; + } else if (ret == req->cqe.res || ret <= 0 || !force_nonblock || +- (req->flags & REQ_F_NOWAIT) || !need_complete_io(req)) { ++ (req->flags & REQ_F_NOWAIT) || !need_complete_io(req) || ++ (issue_flags & IO_URING_F_MULTISHOT)) { + /* read all, failed, already did sync or don't want to retry */ + goto done; + } diff --git a/queue-6.12/irqchip-gic-v3-fix-rk3399-workaround-when-secure-interrupts-are-enabled.patch b/queue-6.12/irqchip-gic-v3-fix-rk3399-workaround-when-secure-interrupts-are-enabled.patch new file mode 100644 index 0000000000..ac21ba11b2 --- /dev/null +++ b/queue-6.12/irqchip-gic-v3-fix-rk3399-workaround-when-secure-interrupts-are-enabled.patch @@ -0,0 +1,153 @@ +From 4cb77793842a351b39a030f77caebace3524840e Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Sat, 15 Feb 2025 18:52:41 +0000 +Subject: irqchip/gic-v3: Fix rk3399 workaround when secure interrupts are enabled + +From: Marc Zyngier + +commit 4cb77793842a351b39a030f77caebace3524840e upstream. + +Christoph reports that their rk3399 system dies since commit 773c05f417fa1 +("irqchip/gic-v3: Work around insecure GIC integrations"). + +It appears that some rk3399 have secure payloads, and that the firmware +sets SCR_EL3.FIQ==1. Obivously, disabling security in that configuration +leads to even more problems. + +Revisit the workaround by: + + - making it rk3399 specific + - checking whether Group-0 is available, which is a good proxy + for SCR_EL3.FIQ being 0 + - either apply the workaround if Group-0 is available, or disable + pseudo-NMIs if not + +Note that this doesn't mean that the secure side is able to receive +interrupts, as all interrupts are made non-secure anyway. + +Clearly, nobody ever tested secure interrupts on this platform. + +Fixes: 773c05f417fa1 ("irqchip/gic-v3: Work around insecure GIC integrations") +Reported-by: Christoph Fritz +Signed-off-by: Marc Zyngier +Signed-off-by: Thomas Gleixner +Tested-by: Christoph Fritz +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250215185241.3768218-1-maz@kernel.org +Closes: https://lore.kernel.org/r/b1266652fb64857246e8babdf268d0df8f0c36d9.camel@googlemail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3.c | 49 ++++++++++++++++++++++++++++-------- + 1 file changed, 38 insertions(+), 11 deletions(-) + +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c +index 76dce0aac246..270d7a4d85a6 100644 +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -44,6 +44,7 @@ static u8 dist_prio_nmi __ro_after_init = GICV3_PRIO_NMI; + #define FLAGS_WORKAROUND_GICR_WAKER_MSM8996 (1ULL << 0) + #define FLAGS_WORKAROUND_CAVIUM_ERRATUM_38539 (1ULL << 1) + #define FLAGS_WORKAROUND_ASR_ERRATUM_8601001 (1ULL << 2) ++#define FLAGS_WORKAROUND_INSECURE (1ULL << 3) + + #define GIC_IRQ_TYPE_PARTITION (GIC_IRQ_TYPE_LPI + 1) + +@@ -83,6 +84,8 @@ static DEFINE_STATIC_KEY_TRUE(supports_deactivate_key); + #define GIC_LINE_NR min(GICD_TYPER_SPIS(gic_data.rdists.gicd_typer), 1020U) + #define GIC_ESPI_NR GICD_TYPER_ESPIS(gic_data.rdists.gicd_typer) + ++static bool nmi_support_forbidden; ++ + /* + * There are 16 SGIs, though we only actually use 8 in Linux. The other 8 SGIs + * are potentially stolen by the secure side. Some code, especially code dealing +@@ -163,21 +166,27 @@ static void __init gic_prio_init(void) + { + bool ds; + ++ cpus_have_group0 = gic_has_group0(); ++ + ds = gic_dist_security_disabled(); +- if (!ds) { +- u32 val; ++ if ((gic_data.flags & FLAGS_WORKAROUND_INSECURE) && !ds) { ++ if (cpus_have_group0) { ++ u32 val; + +- val = readl_relaxed(gic_data.dist_base + GICD_CTLR); +- val |= GICD_CTLR_DS; +- writel_relaxed(val, gic_data.dist_base + GICD_CTLR); ++ val = readl_relaxed(gic_data.dist_base + GICD_CTLR); ++ val |= GICD_CTLR_DS; ++ writel_relaxed(val, gic_data.dist_base + GICD_CTLR); + +- ds = gic_dist_security_disabled(); +- if (ds) +- pr_warn("Broken GIC integration, security disabled"); ++ ds = gic_dist_security_disabled(); ++ if (ds) ++ pr_warn("Broken GIC integration, security disabled\n"); ++ } else { ++ pr_warn("Broken GIC integration, pNMI forbidden\n"); ++ nmi_support_forbidden = true; ++ } + } + + cpus_have_security_disabled = ds; +- cpus_have_group0 = gic_has_group0(); + + /* + * How priority values are used by the GIC depends on two things: +@@ -209,7 +218,7 @@ static void __init gic_prio_init(void) + * be in the non-secure range, we program the non-secure values into + * the distributor to match the PMR values we want. + */ +- if (cpus_have_group0 & !cpus_have_security_disabled) { ++ if (cpus_have_group0 && !cpus_have_security_disabled) { + dist_prio_irq = __gicv3_prio_to_ns(dist_prio_irq); + dist_prio_nmi = __gicv3_prio_to_ns(dist_prio_nmi); + } +@@ -1922,6 +1931,18 @@ static bool gic_enable_quirk_arm64_2941627(void *data) + return true; + } + ++static bool gic_enable_quirk_rk3399(void *data) ++{ ++ struct gic_chip_data *d = data; ++ ++ if (of_machine_is_compatible("rockchip,rk3399")) { ++ d->flags |= FLAGS_WORKAROUND_INSECURE; ++ return true; ++ } ++ ++ return false; ++} ++ + static bool rd_set_non_coherent(void *data) + { + struct gic_chip_data *d = data; +@@ -1996,6 +2017,12 @@ static const struct gic_quirk gic_quirks[] = { + .property = "dma-noncoherent", + .init = rd_set_non_coherent, + }, ++ { ++ .desc = "GICv3: Insecure RK3399 integration", ++ .iidr = 0x0000043b, ++ .mask = 0xff000fff, ++ .init = gic_enable_quirk_rk3399, ++ }, + { + } + }; +@@ -2004,7 +2031,7 @@ static void gic_enable_nmi_support(void) + { + int i; + +- if (!gic_prio_masking_enabled()) ++ if (!gic_prio_masking_enabled() || nmi_support_forbidden) + return; + + rdist_nmi_refs = kcalloc(gic_data.ppi_nr + SGI_NR, +-- +2.48.1 + diff --git a/queue-6.12/lib-iov_iter-fix-import_iovec_ubuf-iovec-management.patch b/queue-6.12/lib-iov_iter-fix-import_iovec_ubuf-iovec-management.patch new file mode 100644 index 0000000000..6eb33825b7 --- /dev/null +++ b/queue-6.12/lib-iov_iter-fix-import_iovec_ubuf-iovec-management.patch @@ -0,0 +1,46 @@ +From f4b78260fc678ccd7169f32dc9f3bfa3b93931c7 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Fri, 31 Jan 2025 14:13:15 +0000 +Subject: lib/iov_iter: fix import_iovec_ubuf iovec management + +From: Pavel Begunkov + +commit f4b78260fc678ccd7169f32dc9f3bfa3b93931c7 upstream. + +import_iovec() says that it should always be fine to kfree the iovec +returned in @iovp regardless of the error code. __import_iovec_ubuf() +never reallocates it and thus should clear the pointer even in cases when +copy_iovec_*() fail. + +Link: https://lkml.kernel.org/r/378ae26923ffc20fd5e41b4360d673bf47b1775b.1738332461.git.asml.silence@gmail.com +Fixes: 3b2deb0e46da ("iov_iter: import single vector iovecs as ITER_UBUF") +Signed-off-by: Pavel Begunkov +Reviewed-by: Jens Axboe +Cc: Al Viro +Cc: Christian Brauner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/iov_iter.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -1428,6 +1428,8 @@ static ssize_t __import_iovec_ubuf(int t + struct iovec *iov = *iovp; + ssize_t ret; + ++ *iovp = NULL; ++ + if (compat) + ret = copy_compat_iovec_from_user(iov, uvec, 1); + else +@@ -1438,7 +1440,6 @@ static ssize_t __import_iovec_ubuf(int t + ret = import_ubuf(type, iov->iov_base, iov->iov_len, i); + if (unlikely(ret)) + return ret; +- *iovp = NULL; + return i->count; + } + diff --git a/queue-6.12/mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch b/queue-6.12/mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch new file mode 100644 index 0000000000..5af50f6665 --- /dev/null +++ b/queue-6.12/mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch @@ -0,0 +1,78 @@ +From 2ede647a6fde3e54a6bfda7cf01c716649655900 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= +Date: Mon, 3 Feb 2025 08:52:06 +0100 +Subject: mm,madvise,hugetlb: check for 0-length range after end address adjustment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Cañuelo Navarro + +commit 2ede647a6fde3e54a6bfda7cf01c716649655900 upstream. + +Add a sanity check to madvise_dontneed_free() to address a corner case in +madvise where a race condition causes the current vma being processed to +be backed by a different page size. + +During a madvise(MADV_DONTNEED) call on a memory region registered with a +userfaultfd, there's a period of time where the process mm lock is +temporarily released in order to send a UFFD_EVENT_REMOVE and let +userspace handle the event. During this time, the vma covering the +current address range may change due to an explicit mmap done concurrently +by another thread. + +If, after that change, the memory region, which was originally backed by +4KB pages, is now backed by hugepages, the end address is rounded down to +a hugepage boundary to avoid data loss (see "Fixes" below). This rounding +may cause the end address to be truncated to the same address as the +start. + +Make this corner case follow the same semantics as in other similar cases +where the requested region has zero length (ie. return 0). + +This will make madvise_walk_vmas() continue to the next vma in the range +(this time holding the process mm lock) which, due to the prev pointer +becoming stale because of the vma change, will be the same hugepage-backed +vma that was just checked before. The next time madvise_dontneed_free() +runs for this vma, if the start address isn't aligned to a hugepage +boundary, it'll return -EINVAL, which is also in line with the madvise +api. + +From userspace perspective, madvise() will return EINVAL because the start +address isn't aligned according to the new vma alignment requirements +(hugepage), even though it was correctly page-aligned when the call was +issued. + +Link: https://lkml.kernel.org/r/20250203075206.1452208-1-rcn@igalia.com +Fixes: 8ebe0a5eaaeb ("mm,madvise,hugetlb: fix unexpected data loss with MADV_DONTNEED on hugetlbfs") +Signed-off-by: Ricardo Cañuelo Navarro +Reviewed-by: Oscar Salvador +Cc: Florent Revest +Cc: Rik van Riel +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/madvise.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -920,7 +920,16 @@ static long madvise_dontneed_free(struct + */ + end = vma->vm_end; + } +- VM_WARN_ON(start >= end); ++ /* ++ * If the memory region between start and end was ++ * originally backed by 4kB pages and then remapped to ++ * be backed by hugepages while mmap_lock was dropped, ++ * the adjustment for hugetlb vma above may have rounded ++ * end down to the start address. ++ */ ++ if (start == end) ++ return 0; ++ VM_WARN_ON(start > end); + } + + if (behavior == MADV_DONTNEED || behavior == MADV_DONTNEED_LOCKED) diff --git a/queue-6.12/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch b/queue-6.12/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch new file mode 100644 index 0000000000..97391cf10a --- /dev/null +++ b/queue-6.12/mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch @@ -0,0 +1,115 @@ +From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Mon, 10 Feb 2025 17:13:17 +0100 +Subject: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Hildenbrand + +commit 41cddf83d8b00f29fd105e7a0777366edc69a5cf upstream. + +If migration succeeded, we called +folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the +old to the new folio. This will set memcg_data of the old folio to 0. + +Similarly, if migration failed, memcg_data of the dst folio is left unset. + +If we call folio_putback_lru() on such folios (memcg_data == 0), we will +add the folio to be freed to the LRU, making memcg code unhappy. Running +the hmm selftests: + + # ./hmm-tests + ... + # RUN hmm.hmm_device_private.migrate ... + [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 + [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) + [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 + [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 + [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) + [ 102.087230][T14893] ------------[ cut here ]------------ + [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 + [ 102.090478][T14893] Modules linked in: + [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 + [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 + [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 + [ 102.096104][T14893] Code: ... + [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 + [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 + [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 + [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 + [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 + [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 + [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 + [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 + [ 102.113478][T14893] PKRU: 55555554 + [ 102.114172][T14893] Call Trace: + [ 102.114805][T14893] + [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 + [ 102.116547][T14893] ? __warn.cold+0x110/0x210 + [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 + [ 102.118667][T14893] ? report_bug+0x1b9/0x320 + [ 102.119571][T14893] ? handle_bug+0x54/0x90 + [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 + [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 + [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 + [ 102.123506][T14893] ? dump_page+0x4f/0x60 + [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 + [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 + [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 + [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 + [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 + [ 102.129550][T14893] folio_putback_lru+0x16/0x80 + [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 + [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 + [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 + +Likely, nothing else goes wrong: putting the last folio reference will +remove the folio from the LRU again. So besides memcg complaining, adding +the folio to be freed to the LRU is just an unnecessary step. + +The new flow resembles what we have in migrate_folio_move(): add the dst +to the lru, remove migration ptes, unlock and unref dst. + +Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com +Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") +Signed-off-by: David Hildenbrand +Cc: Jérôme Glisse +Cc: John Hubbard +Cc: Alistair Popple +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/migrate_device.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/mm/migrate_device.c ++++ b/mm/migrate_device.c +@@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned lo + dst = src; + } + ++ if (!folio_is_zone_device(dst)) ++ folio_add_lru(dst); + remove_migration_ptes(src, dst, 0); + folio_unlock(src); +- +- if (folio_is_zone_device(src)) +- folio_put(src); +- else +- folio_putback_lru(src); ++ folio_put(src); + + if (dst != src) { + folio_unlock(dst); +- if (folio_is_zone_device(dst)) +- folio_put(dst); +- else +- folio_putback_lru(dst); ++ folio_put(dst); + } + } + } diff --git a/queue-6.12/mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch b/queue-6.12/mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch new file mode 100644 index 0000000000..1f965bafee --- /dev/null +++ b/queue-6.12/mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch @@ -0,0 +1,39 @@ +From 2b9df00cded911e2ca2cfae5c45082166b24f8aa Mon Sep 17 00:00:00 2001 +From: Niravkumar L Rabara +Date: Mon, 10 Feb 2025 13:35:49 +0800 +Subject: mtd: rawnand: cadence: fix error code in cadence_nand_init() + +From: Niravkumar L Rabara + +commit 2b9df00cded911e2ca2cfae5c45082166b24f8aa upstream. + +Replace dma_request_channel() with dma_request_chan_by_mask() and use +helper functions to return proper error code instead of fixed -EBUSY. + +Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Niravkumar L Rabara +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -2904,11 +2904,10 @@ static int cadence_nand_init(struct cdns + dma_cap_set(DMA_MEMCPY, mask); + + if (cdns_ctrl->caps1->has_dma) { +- cdns_ctrl->dmac = dma_request_channel(mask, NULL, NULL); +- if (!cdns_ctrl->dmac) { +- dev_err(cdns_ctrl->dev, +- "Unable to get a DMA channel\n"); +- ret = -EBUSY; ++ cdns_ctrl->dmac = dma_request_chan_by_mask(&mask); ++ if (IS_ERR(cdns_ctrl->dmac)) { ++ ret = dev_err_probe(cdns_ctrl->dev, PTR_ERR(cdns_ctrl->dmac), ++ "%d: Failed to get a DMA channel\n", ret); + goto disable_irq; + } + } diff --git a/queue-6.12/mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch b/queue-6.12/mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch new file mode 100644 index 0000000000..7d9c19e556 --- /dev/null +++ b/queue-6.12/mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch @@ -0,0 +1,39 @@ +From f37d135b42cb484bdecee93f56b9f483214ede78 Mon Sep 17 00:00:00 2001 +From: Niravkumar L Rabara +Date: Mon, 10 Feb 2025 13:35:51 +0800 +Subject: mtd: rawnand: cadence: fix incorrect device in dma_unmap_single + +From: Niravkumar L Rabara + +commit f37d135b42cb484bdecee93f56b9f483214ede78 upstream. + +dma_map_single is using physical/bus device (DMA) but dma_unmap_single +is using framework device(NAND controller), which is incorrect. +Fixed dma_unmap_single to use correct physical/bus device. + +Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Niravkumar L Rabara +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -1863,12 +1863,12 @@ static int cadence_nand_slave_dma_transf + dma_async_issue_pending(cdns_ctrl->dmac); + wait_for_completion(&finished); + +- dma_unmap_single(cdns_ctrl->dev, buf_dma, len, dir); ++ dma_unmap_single(dma_dev->dev, buf_dma, len, dir); + + return 0; + + err_unmap: +- dma_unmap_single(cdns_ctrl->dev, buf_dma, len, dir); ++ dma_unmap_single(dma_dev->dev, buf_dma, len, dir); + + err: + dev_dbg(cdns_ctrl->dev, "Fall back to CPU I/O\n"); diff --git a/queue-6.12/mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch b/queue-6.12/mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch new file mode 100644 index 0000000000..4a7f224443 --- /dev/null +++ b/queue-6.12/mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch @@ -0,0 +1,116 @@ +From d76d22b5096c5b05208fd982b153b3f182350b19 Mon Sep 17 00:00:00 2001 +From: Niravkumar L Rabara +Date: Mon, 10 Feb 2025 13:35:50 +0800 +Subject: mtd: rawnand: cadence: use dma_map_resource for sdma address + +From: Niravkumar L Rabara + +commit d76d22b5096c5b05208fd982b153b3f182350b19 upstream. + +Remap the slave DMA I/O resources to enhance driver portability. +Using a physical address causes DMA translation failure when the +ARM SMMU is enabled. + +Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Niravkumar L Rabara +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 29 +++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -471,6 +471,8 @@ struct cdns_nand_ctrl { + struct { + void __iomem *virt; + dma_addr_t dma; ++ dma_addr_t iova_dma; ++ u32 size; + } io; + + int irq; +@@ -1835,11 +1837,11 @@ static int cadence_nand_slave_dma_transf + } + + if (dir == DMA_FROM_DEVICE) { +- src_dma = cdns_ctrl->io.dma; ++ src_dma = cdns_ctrl->io.iova_dma; + dst_dma = buf_dma; + } else { + src_dma = buf_dma; +- dst_dma = cdns_ctrl->io.dma; ++ dst_dma = cdns_ctrl->io.iova_dma; + } + + tx = dmaengine_prep_dma_memcpy(cdns_ctrl->dmac, dst_dma, src_dma, len, +@@ -2869,6 +2871,7 @@ cadence_nand_irq_cleanup(int irqnum, str + static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl) + { + dma_cap_mask_t mask; ++ struct dma_device *dma_dev = cdns_ctrl->dmac->device; + int ret; + + cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev, +@@ -2912,6 +2915,16 @@ static int cadence_nand_init(struct cdns + } + } + ++ cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma, ++ cdns_ctrl->io.size, ++ DMA_BIDIRECTIONAL, 0); ++ ++ ret = dma_mapping_error(dma_dev->dev, cdns_ctrl->io.iova_dma); ++ if (ret) { ++ dev_err(cdns_ctrl->dev, "Failed to map I/O resource to DMA\n"); ++ goto dma_release_chnl; ++ } ++ + nand_controller_init(&cdns_ctrl->controller); + INIT_LIST_HEAD(&cdns_ctrl->chips); + +@@ -2922,18 +2935,22 @@ static int cadence_nand_init(struct cdns + if (ret) { + dev_err(cdns_ctrl->dev, "Failed to register MTD: %d\n", + ret); +- goto dma_release_chnl; ++ goto unmap_dma_resource; + } + + kfree(cdns_ctrl->buf); + cdns_ctrl->buf = kzalloc(cdns_ctrl->buf_size, GFP_KERNEL); + if (!cdns_ctrl->buf) { + ret = -ENOMEM; +- goto dma_release_chnl; ++ goto unmap_dma_resource; + } + + return 0; + ++unmap_dma_resource: ++ dma_unmap_resource(dma_dev->dev, cdns_ctrl->io.iova_dma, ++ cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0); ++ + dma_release_chnl: + if (cdns_ctrl->dmac) + dma_release_channel(cdns_ctrl->dmac); +@@ -2955,6 +2972,8 @@ free_buf_desc: + static void cadence_nand_remove(struct cdns_nand_ctrl *cdns_ctrl) + { + cadence_nand_chips_cleanup(cdns_ctrl); ++ dma_unmap_resource(cdns_ctrl->dmac->device->dev, cdns_ctrl->io.iova_dma, ++ cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0); + cadence_nand_irq_cleanup(cdns_ctrl->irq, cdns_ctrl); + kfree(cdns_ctrl->buf); + dma_free_coherent(cdns_ctrl->dev, sizeof(struct cadence_nand_cdma_desc), +@@ -3019,7 +3038,9 @@ static int cadence_nand_dt_probe(struct + cdns_ctrl->io.virt = devm_platform_get_and_ioremap_resource(ofdev, 1, &res); + if (IS_ERR(cdns_ctrl->io.virt)) + return PTR_ERR(cdns_ctrl->io.virt); ++ + cdns_ctrl->io.dma = res->start; ++ cdns_ctrl->io.size = resource_size(res); + + dt->clk = devm_clk_get(cdns_ctrl->dev, "nf_clk"); + if (IS_ERR(dt->clk)) diff --git a/queue-6.12/mtd-spi-nor-sst-fix-sst-write-failure.patch b/queue-6.12/mtd-spi-nor-sst-fix-sst-write-failure.patch new file mode 100644 index 0000000000..bb2350f0e3 --- /dev/null +++ b/queue-6.12/mtd-spi-nor-sst-fix-sst-write-failure.patch @@ -0,0 +1,88 @@ +From 539bd20352832b9244238a055eb169ccf1c41ff6 Mon Sep 17 00:00:00 2001 +From: Amit Kumar Mahapatra +Date: Thu, 13 Feb 2025 11:15:46 +0530 +Subject: mtd: spi-nor: sst: Fix SST write failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amit Kumar Mahapatra + +commit 539bd20352832b9244238a055eb169ccf1c41ff6 upstream. + +'commit 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation +to `sst_nor_write_data()`")' introduced a bug where only one byte of data +is written, regardless of the number of bytes passed to +sst_nor_write_data(), causing a kernel crash during the write operation. +Ensure the correct number of bytes are written as passed to +sst_nor_write_data(). + +Call trace: +[ 57.400180] ------------[ cut here ]------------ +[ 57.404842] While writing 2 byte written 1 bytes +[ 57.409493] WARNING: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74 +[ 57.418464] Modules linked in: +[ 57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30 +[ 57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT) +[ 57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 57.444557] pc : sst_nor_write_data+0x6c/0x74 +[ 57.448911] lr : sst_nor_write_data+0x6c/0x74 +[ 57.453264] sp : ffff80008232bb40 +[ 57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001 +[ 57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000 +[ 57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000 +[ 57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006 +[ 57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580 +[ 57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4 +[ 57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530 +[ 57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001 +[ 57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 +[ 57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000 +[ 57.527916] Call trace: +[ 57.530354] sst_nor_write_data+0x6c/0x74 +[ 57.534361] sst_nor_write+0xb4/0x18c +[ 57.538019] mtd_write_oob_std+0x7c/0x88 +[ 57.541941] mtd_write_oob+0x70/0xbc +[ 57.545511] mtd_write+0x68/0xa8 +[ 57.548733] mtdchar_write+0x10c/0x290 +[ 57.552477] vfs_write+0xb4/0x3a8 +[ 57.555791] ksys_write+0x74/0x10c +[ 57.559189] __arm64_sys_write+0x1c/0x28 +[ 57.563109] invoke_syscall+0x54/0x11c +[ 57.566856] el0_svc_common.constprop.0+0xc0/0xe0 +[ 57.571557] do_el0_svc+0x1c/0x28 +[ 57.574868] el0_svc+0x30/0xcc +[ 57.577921] el0t_64_sync_handler+0x120/0x12c +[ 57.582276] el0t_64_sync+0x190/0x194 +[ 57.585933] ---[ end trace 0000000000000000 ]--- + +Cc: stable@vger.kernel.org +Fixes: 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`") +Signed-off-by: Amit Kumar Mahapatra +Reviewed-by: Pratyush Yadav +Reviewed-by: Tudor Ambarus +Reviewed-by: Bence Csókás +[pratyush@kernel.org: add Cc stable tag] +Signed-off-by: Pratyush Yadav +Link: https://lore.kernel.org/r/20250213054546.2078121-1-amit.kumar-mahapatra@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/sst.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/spi-nor/sst.c b/drivers/mtd/spi-nor/sst.c +index b5ad7118c49a..175211fe6a5e 100644 +--- a/drivers/mtd/spi-nor/sst.c ++++ b/drivers/mtd/spi-nor/sst.c +@@ -174,7 +174,7 @@ static int sst_nor_write_data(struct spi_nor *nor, loff_t to, size_t len, + int ret; + + nor->program_opcode = op; +- ret = spi_nor_write_data(nor, to, 1, buf); ++ ret = spi_nor_write_data(nor, to, len, buf); + if (ret < 0) + return ret; + WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret); +-- +2.48.1 + diff --git a/queue-6.12/nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch b/queue-6.12/nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch new file mode 100644 index 0000000000..5b82a1ce7f --- /dev/null +++ b/queue-6.12/nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch @@ -0,0 +1,33 @@ +From 878e7b11736e062514e58f3b445ff343e6705537 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Tue, 18 Feb 2025 11:04:09 +0800 +Subject: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() + +From: Haoxiang Li + +commit 878e7b11736e062514e58f3b445ff343e6705537 upstream. + +Add check for the return value of nfp_app_ctrl_msg_alloc() in +nfp_bpf_cmsg_alloc() to prevent null pointer dereference. + +Fixes: ff3d43f7568c ("nfp: bpf: implement helpers for FW map ops") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Link: https://patch.msgid.link/20250218030409.2425798-1-haoxiang_li2024@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c ++++ b/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c +@@ -20,6 +20,8 @@ nfp_bpf_cmsg_alloc(struct nfp_app_bpf *b + struct sk_buff *skb; + + skb = nfp_app_ctrl_msg_alloc(bpf->app, size, GFP_KERNEL); ++ if (!skb) ++ return NULL; + skb_put(skb, size); + + return skb; diff --git a/queue-6.12/perf-x86-intel-fix-event-constraints-for-lnc.patch b/queue-6.12/perf-x86-intel-fix-event-constraints-for-lnc.patch new file mode 100644 index 0000000000..5a8eac3e4a --- /dev/null +++ b/queue-6.12/perf-x86-intel-fix-event-constraints-for-lnc.patch @@ -0,0 +1,83 @@ +From 782cffeec9ad96daa64ffb2d527b2a052fb02552 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Wed, 19 Feb 2025 06:10:05 -0800 +Subject: perf/x86/intel: Fix event constraints for LNC + +From: Kan Liang + +commit 782cffeec9ad96daa64ffb2d527b2a052fb02552 upstream. + +According to the latest event list, update the event constraint tables +for Lion Cove core. + +The general rule (the event codes < 0x90 are restricted to counters +0-3.) has been removed. There is no restriction for most of the +performance monitoring events. + +Fixes: a932aa0e868f ("perf/x86: Add Lunar Lake and Arrow Lake support") +Reported-by: Amiri Khalil +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20250219141005.2446823-1-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 20 +++++++------------- + arch/x86/events/intel/ds.c | 2 +- + 2 files changed, 8 insertions(+), 14 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -397,34 +397,28 @@ static struct event_constraint intel_lnc + METRIC_EVENT_CONSTRAINT(INTEL_TD_METRIC_FETCH_LAT, 6), + METRIC_EVENT_CONSTRAINT(INTEL_TD_METRIC_MEM_BOUND, 7), + ++ INTEL_EVENT_CONSTRAINT(0x20, 0xf), ++ ++ INTEL_UEVENT_CONSTRAINT(0x012a, 0xf), ++ INTEL_UEVENT_CONSTRAINT(0x012b, 0xf), + INTEL_UEVENT_CONSTRAINT(0x0148, 0x4), + INTEL_UEVENT_CONSTRAINT(0x0175, 0x4), + + INTEL_EVENT_CONSTRAINT(0x2e, 0x3ff), + INTEL_EVENT_CONSTRAINT(0x3c, 0x3ff), +- /* +- * Generally event codes < 0x90 are restricted to counters 0-3. +- * The 0x2E and 0x3C are exception, which has no restriction. +- */ +- INTEL_EVENT_CONSTRAINT_RANGE(0x01, 0x8f, 0xf), + +- INTEL_UEVENT_CONSTRAINT(0x01a3, 0xf), +- INTEL_UEVENT_CONSTRAINT(0x02a3, 0xf), + INTEL_UEVENT_CONSTRAINT(0x08a3, 0x4), + INTEL_UEVENT_CONSTRAINT(0x0ca3, 0x4), + INTEL_UEVENT_CONSTRAINT(0x04a4, 0x1), + INTEL_UEVENT_CONSTRAINT(0x08a4, 0x1), + INTEL_UEVENT_CONSTRAINT(0x10a4, 0x1), + INTEL_UEVENT_CONSTRAINT(0x01b1, 0x8), ++ INTEL_UEVENT_CONSTRAINT(0x01cd, 0x3fc), + INTEL_UEVENT_CONSTRAINT(0x02cd, 0x3), +- INTEL_EVENT_CONSTRAINT(0xce, 0x1), + + INTEL_EVENT_CONSTRAINT_RANGE(0xd0, 0xdf, 0xf), +- /* +- * Generally event codes >= 0x90 are likely to have no restrictions. +- * The exception are defined as above. +- */ +- INTEL_EVENT_CONSTRAINT_RANGE(0x90, 0xfe, 0x3ff), ++ ++ INTEL_UEVENT_CONSTRAINT(0x00e0, 0xf), + + EVENT_CONSTRAINT_END + }; +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1178,7 +1178,7 @@ struct event_constraint intel_lnc_pebs_e + INTEL_FLAGS_UEVENT_CONSTRAINT(0x100, 0x100000000ULL), /* INST_RETIRED.PREC_DIST */ + INTEL_FLAGS_UEVENT_CONSTRAINT(0x0400, 0x800000000ULL), + +- INTEL_HYBRID_LDLAT_CONSTRAINT(0x1cd, 0x3ff), ++ INTEL_HYBRID_LDLAT_CONSTRAINT(0x1cd, 0x3fc), + INTEL_HYBRID_STLAT_CONSTRAINT(0x2cd, 0x3), + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x11d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_LOADS */ + INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x12d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_STORES */ diff --git a/queue-6.12/s390-boot-fix-essa-detection.patch b/queue-6.12/s390-boot-fix-essa-detection.patch new file mode 100644 index 0000000000..d9020132dc --- /dev/null +++ b/queue-6.12/s390-boot-fix-essa-detection.patch @@ -0,0 +1,39 @@ +From c3a589fd9fcbf295a7402a4b188dc9277d505f4f Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Tue, 18 Feb 2025 12:11:34 +0100 +Subject: s390/boot: Fix ESSA detection + +From: Heiko Carstens + +commit c3a589fd9fcbf295a7402a4b188dc9277d505f4f upstream. + +The cmma_test_essa() inline assembly uses tmp as input and output, however +tmp is specified as output only, which allows the compiler to optimize the +initialization of tmp away. + +Therefore the ESSA detection may or may not work depending on previous +contents of the register that the compiler selected for tmp. + +Fix this by using the correct constraint modifier. + +Fixes: 468a3bc2b7b9 ("s390/cmma: move parsing of cmma kernel parameter to early boot code") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Carstens +Reviewed-by: Vasily Gorbik +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/boot/startup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/boot/startup.c ++++ b/arch/s390/boot/startup.c +@@ -75,7 +75,7 @@ static int cmma_test_essa(void) + : [reg1] "=&d" (reg1), + [reg2] "=&a" (reg2), + [rc] "+&d" (rc), +- [tmp] "=&d" (tmp), ++ [tmp] "+&d" (tmp), + "+Q" (get_lowcore()->program_new_psw), + "=Q" (old) + : [psw_old] "a" (&old), diff --git a/queue-6.12/series b/queue-6.12/series index 45a993d90e..0a681ff7ab 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -103,3 +103,45 @@ nvme-ioctl-add-missing-space-in-err-message.patch bpf-skip-non-exist-keys-in-generic_map_lookup_batch.patch drm-nouveau-pmu-fix-gp10b-firmware-guard.patch irqchip-jcore-aic-clocksource-drivers-jcore-fix-jcor.patch +drm-panel-jd9365da-h3-fix-reset-signal-polarity.patch +drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch +drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch +drm-i915-dp-fix-error-handling-during-128b-132b-link-training.patch +drm-i915-ddi-fix-hdmi-port-width-programming-in-ddi_buf_ctl.patch +drm-i915-gt-use-spin_lock_irqsave-in-interruptible-context.patch +io_uring-rw-forbid-multishot-async-reads.patch +io_uring-prevent-opcode-speculation.patch +gpiolib-check-the-return-value-of-gpio_chip-get_direction.patch +gpiolib-protect-gpio_chip-with-srcu-in-array_info-paths-in-multi-get-set.patch +tee-optee-fix-supplicant-wait-loop.patch +drop_monitor-fix-incorrect-initialization-order.patch +mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch +arm64-dts-rockchip-fix-broken-tsadc-pinctrl-names-for-rk3588.patch +arm64-dts-rockchip-move-uart5-pin-configuration-to-px30-ringneck-som.patch +arm64-dts-rockchip-disable-dma-for-uart5-on-px30-ringneck.patch +soc-loongson-loongson2_guts-add-check-for-devm_kstrdup.patch +s390-boot-fix-essa-detection.patch +xfs-fix-online-repair-probing-when-config_xfs_online_repair-n.patch +lib-iov_iter-fix-import_iovec_ubuf-iovec-management.patch +smb-client-fix-chmod-2-regression-with-attr_readonly.patch +nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch +gve-set-xdp-redirect-target-only-when-it-is-available.patch +asoc-sof-stream-ipc-check-for-cstream-nullity-in-sof_ipc_msg_data.patch +asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch +alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch +alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch +asoc-sof-pcm-clear-the-susbstream-pointer-to-null-on-close.patch +acct-perform-last-write-from-workqueue.patch +acct-block-access-to-kernel-internal-filesystems.patch +mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch +mtd-spi-nor-sst-fix-sst-write-failure.patch +mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch +mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch +mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch +perf-x86-intel-fix-event-constraints-for-lnc.patch +irqchip-gic-v3-fix-rk3399-workaround-when-secure-interrupts-are-enabled.patch +smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch +edac-qcom-correct-interrupt-enable-register-configuration.patch +ftrace-correct-preemption-accounting-for-function-tracing.patch +ftrace-fix-accounting-of-adding-subops-to-a-manager-ops.patch +ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch diff --git a/queue-6.12/smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch b/queue-6.12/smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch new file mode 100644 index 0000000000..a83be2b888 --- /dev/null +++ b/queue-6.12/smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch @@ -0,0 +1,34 @@ +From 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Mon, 17 Feb 2025 15:20:38 +0800 +Subject: smb: client: Add check for next_buffer in receive_encrypted_standard() + +From: Haoxiang Li + +commit 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 upstream. + +Add check for the return value of cifs_buf_get() and cifs_small_buf_get() +in receive_encrypted_standard() to prevent null pointer dereference. + +Fixes: eec04ea11969 ("smb: client: fix OOB in receive_encrypted_standard()") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -4991,6 +4991,10 @@ one_more: + next_buffer = (char *)cifs_buf_get(); + else + next_buffer = (char *)cifs_small_buf_get(); ++ if (!next_buffer) { ++ cifs_server_dbg(VFS, "No memory for (large) SMB response\n"); ++ return -1; ++ } + memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd); + } + diff --git a/queue-6.12/smb-client-fix-chmod-2-regression-with-attr_readonly.patch b/queue-6.12/smb-client-fix-chmod-2-regression-with-attr_readonly.patch new file mode 100644 index 0000000000..63bb607993 --- /dev/null +++ b/queue-6.12/smb-client-fix-chmod-2-regression-with-attr_readonly.patch @@ -0,0 +1,57 @@ +From 654292a0b264e9b8c51b98394146218a21612aa1 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Sun, 16 Feb 2025 18:02:47 -0300 +Subject: smb: client: fix chmod(2) regression with ATTR_READONLY + +From: Paulo Alcantara + +commit 654292a0b264e9b8c51b98394146218a21612aa1 upstream. + +When the user sets a file or directory as read-only (e.g. ~S_IWUGO), +the client will set the ATTR_READONLY attribute by sending an +SMB2_SET_INFO request to the server in cifs_setattr_{,nounix}(), but +cifsInodeInfo::cifsAttrs will be left unchanged as the client will +only update the new file attributes in the next call to +{smb311_posix,cifs}_get_inode_info() with the new metadata filled in +@data parameter. + +Commit a18280e7fdea ("smb: cilent: set reparse mount points as +automounts") mistakenly removed the @data NULL check when calling +is_inode_cache_good(), which broke the above case as the new +ATTR_READONLY attribute would end up not being updated on files with a +read lease. + +Fix this by updating the inode whenever we have cached metadata in +@data parameter. + +Reported-by: Horst Reiterer +Closes: https://lore.kernel.org/r/85a16504e09147a195ac0aac1c801280@fabasoft.com +Fixes: a18280e7fdea ("smb: cilent: set reparse mount points as automounts") +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/inode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -1381,7 +1381,7 @@ int cifs_get_inode_info(struct inode **i + struct cifs_fattr fattr = {}; + int rc; + +- if (is_inode_cache_good(*inode)) { ++ if (!data && is_inode_cache_good(*inode)) { + cifs_dbg(FYI, "No need to revalidate cached inode sizes\n"); + return 0; + } +@@ -1480,7 +1480,7 @@ int smb311_posix_get_inode_info(struct i + struct cifs_fattr fattr = {}; + int rc; + +- if (is_inode_cache_good(*inode)) { ++ if (!data && is_inode_cache_good(*inode)) { + cifs_dbg(FYI, "No need to revalidate cached inode sizes\n"); + return 0; + } diff --git a/queue-6.12/soc-loongson-loongson2_guts-add-check-for-devm_kstrdup.patch b/queue-6.12/soc-loongson-loongson2_guts-add-check-for-devm_kstrdup.patch new file mode 100644 index 0000000000..dc50729a91 --- /dev/null +++ b/queue-6.12/soc-loongson-loongson2_guts-add-check-for-devm_kstrdup.patch @@ -0,0 +1,37 @@ +From e31e3f6c0ce473f7ce1e70d54ac8e3ed190509f8 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 20 Feb 2025 16:17:14 +0800 +Subject: soc: loongson: loongson2_guts: Add check for devm_kstrdup() + +From: Haoxiang Li + +commit e31e3f6c0ce473f7ce1e70d54ac8e3ed190509f8 upstream. + +Add check for the return value of devm_kstrdup() in +loongson2_guts_probe() to catch potential exception. + +Fixes: b82621ac8450 ("soc: loongson: add GUTS driver for loongson-2 platforms") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Link: https://lore.kernel.org/r/20250220081714.2676828-1-haoxiang_li2024@163.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/loongson/loongson2_guts.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/soc/loongson/loongson2_guts.c ++++ b/drivers/soc/loongson/loongson2_guts.c +@@ -114,8 +114,11 @@ static int loongson2_guts_probe(struct p + if (of_property_read_string(root, "model", &machine)) + of_property_read_string_index(root, "compatible", 0, &machine); + of_node_put(root); +- if (machine) ++ if (machine) { + soc_dev_attr.machine = devm_kstrdup(dev, machine, GFP_KERNEL); ++ if (!soc_dev_attr.machine) ++ return -ENOMEM; ++ } + + svr = loongson2_guts_get_svr(); + soc_die = loongson2_soc_die_match(svr, loongson2_soc_die); diff --git a/queue-6.12/tee-optee-fix-supplicant-wait-loop.patch b/queue-6.12/tee-optee-fix-supplicant-wait-loop.patch new file mode 100644 index 0000000000..ca1f7fead4 --- /dev/null +++ b/queue-6.12/tee-optee-fix-supplicant-wait-loop.patch @@ -0,0 +1,93 @@ +From 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 Mon Sep 17 00:00:00 2001 +From: Sumit Garg +Date: Tue, 4 Feb 2025 13:04:18 +0530 +Subject: tee: optee: Fix supplicant wait loop + +From: Sumit Garg + +commit 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 upstream. + +OP-TEE supplicant is a user-space daemon and it's possible for it +be hung or crashed or killed in the middle of processing an OP-TEE +RPC call. It becomes more complicated when there is incorrect shutdown +ordering of the supplicant process vs the OP-TEE client application which +can eventually lead to system hang-up waiting for the closure of the +client application. + +Allow the client process waiting in kernel for supplicant response to +be killed rather than indefinitely waiting in an unkillable state. Also, +a normal uninterruptible wait should not have resulted in the hung-task +watchdog getting triggered, but the endless loop would. + +This fixes issues observed during system reboot/shutdown when supplicant +got hung for some reason or gets crashed/killed which lead to client +getting hung in an unkillable state. It in turn lead to system being in +hung up state requiring hard power off/on to recover. + +Fixes: 4fb0a5eb364d ("tee: add OP-TEE driver") +Suggested-by: Arnd Bergmann +Cc: stable@vger.kernel.org +Signed-off-by: Sumit Garg +Reviewed-by: Arnd Bergmann +Reviewed-by: Jens Wiklander +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tee/optee/supp.c | 35 ++++++++--------------------------- + 1 file changed, 8 insertions(+), 27 deletions(-) + +--- a/drivers/tee/optee/supp.c ++++ b/drivers/tee/optee/supp.c +@@ -80,7 +80,6 @@ u32 optee_supp_thrd_req(struct tee_conte + struct optee *optee = tee_get_drvdata(ctx->teedev); + struct optee_supp *supp = &optee->supp; + struct optee_supp_req *req; +- bool interruptable; + u32 ret; + + /* +@@ -111,36 +110,18 @@ u32 optee_supp_thrd_req(struct tee_conte + /* + * Wait for supplicant to process and return result, once we've + * returned from wait_for_completion(&req->c) successfully we have +- * exclusive access again. ++ * exclusive access again. Allow the wait to be killable such that ++ * the wait doesn't turn into an indefinite state if the supplicant ++ * gets hung for some reason. + */ +- while (wait_for_completion_interruptible(&req->c)) { ++ if (wait_for_completion_killable(&req->c)) { + mutex_lock(&supp->mutex); +- interruptable = !supp->ctx; +- if (interruptable) { +- /* +- * There's no supplicant available and since the +- * supp->mutex currently is held none can +- * become available until the mutex released +- * again. +- * +- * Interrupting an RPC to supplicant is only +- * allowed as a way of slightly improving the user +- * experience in case the supplicant hasn't been +- * started yet. During normal operation the supplicant +- * will serve all requests in a timely manner and +- * interrupting then wouldn't make sense. +- */ +- if (req->in_queue) { +- list_del(&req->link); +- req->in_queue = false; +- } ++ if (req->in_queue) { ++ list_del(&req->link); ++ req->in_queue = false; + } + mutex_unlock(&supp->mutex); +- +- if (interruptable) { +- req->ret = TEEC_ERROR_COMMUNICATION; +- break; +- } ++ req->ret = TEEC_ERROR_COMMUNICATION; + } + + ret = req->ret; diff --git a/queue-6.12/xfs-fix-online-repair-probing-when-config_xfs_online_repair-n.patch b/queue-6.12/xfs-fix-online-repair-probing-when-config_xfs_online_repair-n.patch new file mode 100644 index 0000000000..8d444e9087 --- /dev/null +++ b/queue-6.12/xfs-fix-online-repair-probing-when-config_xfs_online_repair-n.patch @@ -0,0 +1,143 @@ +From 66314e9a57a050f95cb0ebac904f5ab047a8926e Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Sun, 2 Feb 2025 16:50:14 -0800 +Subject: xfs: fix online repair probing when CONFIG_XFS_ONLINE_REPAIR=n + +From: Darrick J. Wong + +commit 66314e9a57a050f95cb0ebac904f5ab047a8926e upstream. + +I received a report from the release engineering side of the house that +xfs_scrub without the -n flag (aka fix it mode) would try to fix a +broken filesystem even on a kernel that doesn't have online repair built +into it: + + # xfs_scrub -dTvn /mnt/test + EXPERIMENTAL xfs_scrub program in use! Use at your own risk! + Phase 1: Find filesystem geometry. + /mnt/test: using 1 threads to scrub. + Phase 1: Memory used: 132k/0k (108k/25k), time: 0.00/ 0.00/ 0.00s + + Phase 4: Repair filesystem. + + Info: /mnt/test/some/victimdir directory entries: Attempting repair. (repair.c line 351) + Corruption: /mnt/test/some/victimdir directory entries: Repair unsuccessful; offline repair required. (repair.c line 204) + +Source: https://blogs.oracle.com/linux/post/xfs-online-filesystem-repair + +It is strange that xfs_scrub doesn't refuse to run, because the kernel +is supposed to return EOPNOTSUPP if we actually needed to run a repair, +and xfs_io's repair subcommand will perror that. And yet: + + # xfs_io -x -c 'repair probe' /mnt/test + # + +The first problem is commit dcb660f9222fd9 (4.15) which should have had +xchk_probe set the CORRUPT OFLAG so that any of the repair machinery +will get called at all. + +It turns out that some refactoring that happened in the 6.6-6.8 era +broke the operation of this corner case. What we *really* want to +happen is that all the predicates that would steer xfs_scrub_metadata() +towards calling xrep_attempt() should function the same way that they do +when repair is compiled in; and then xrep_attempt gets to return the +fatal EOPNOTSUPP error code that causes the probe to fail. + +Instead, commit 8336a64eb75cba (6.6) started the failwhale swimming by +hoisting OFLAG checking logic into a helper whose non-repair stub always +returns false, causing scrub to return "repair not needed" when in fact +the repair is not supported. Prior to that commit, the oflag checking +that was open-coded in scrub.c worked correctly. + +Similarly, in commit 4bdfd7d15747b1 (6.8) we hoisted the IFLAG_REPAIR +and ALREADY_FIXED logic into a helper whose non-repair stub always +returns false, so we never enter the if test body that would have called +xrep_attempt, let alone fail to decode the OFLAGs correctly. + +The final insult (yes, we're doing The Naked Gun now) is commit +48a72f60861f79 (6.8) in which we hoisted the "are we going to try a +repair?" predicate into yet another function with a non-repair stub +always returns false. + +Fix xchk_probe to trigger xrep_probe if repair is enabled, or return +EOPNOTSUPP directly if it is not. For all the other scrub types, we +need to fix the header predicates so that the ->repair functions (which +are all xrep_notsupported) get called to return EOPNOTSUPP. Commit +48a72 is tagged here because the scrub code prior to LTS 6.12 are +incomplete and not worth patching. + +Reported-by: David Flynn +Cc: # v6.8 +Fixes: 8336a64eb75c ("xfs: don't complain about unfixed metadata when repairs were injected") +Signed-off-by: "Darrick J. Wong" +Reviewed-by: Christoph Hellwig +Signed-off-by: Carlos Maiolino +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/scrub/common.h | 5 ----- + fs/xfs/scrub/repair.h | 11 ++++++++++- + fs/xfs/scrub/scrub.c | 12 ++++++++++++ + 3 files changed, 22 insertions(+), 6 deletions(-) + +--- a/fs/xfs/scrub/common.h ++++ b/fs/xfs/scrub/common.h +@@ -179,7 +179,6 @@ static inline bool xchk_skip_xref(struct + bool xchk_dir_looks_zapped(struct xfs_inode *dp); + bool xchk_pptr_looks_zapped(struct xfs_inode *ip); + +-#ifdef CONFIG_XFS_ONLINE_REPAIR + /* Decide if a repair is required. */ + static inline bool xchk_needs_repair(const struct xfs_scrub_metadata *sm) + { +@@ -199,10 +198,6 @@ static inline bool xchk_could_repair(con + return (sc->sm->sm_flags & XFS_SCRUB_IFLAG_REPAIR) && + !(sc->flags & XREP_ALREADY_FIXED); + } +-#else +-# define xchk_needs_repair(sc) (false) +-# define xchk_could_repair(sc) (false) +-#endif /* CONFIG_XFS_ONLINE_REPAIR */ + + int xchk_metadata_inode_forks(struct xfs_scrub *sc); + +--- a/fs/xfs/scrub/repair.h ++++ b/fs/xfs/scrub/repair.h +@@ -163,7 +163,16 @@ bool xrep_buf_verify_struct(struct xfs_b + #else + + #define xrep_ino_dqattach(sc) (0) +-#define xrep_will_attempt(sc) (false) ++ ++/* ++ * When online repair is not built into the kernel, we still want to attempt ++ * the repair so that the stub xrep_attempt below will return EOPNOTSUPP. ++ */ ++static inline bool xrep_will_attempt(const struct xfs_scrub *sc) ++{ ++ return (sc->sm->sm_flags & XFS_SCRUB_IFLAG_FORCE_REBUILD) || ++ xchk_needs_repair(sc->sm); ++} + + static inline int + xrep_attempt( +--- a/fs/xfs/scrub/scrub.c ++++ b/fs/xfs/scrub/scrub.c +@@ -149,6 +149,18 @@ xchk_probe( + if (xchk_should_terminate(sc, &error)) + return error; + ++ /* ++ * If the caller is probing to see if repair works but repair isn't ++ * built into the kernel, return EOPNOTSUPP because that's the signal ++ * that userspace expects. If online repair is built in, set the ++ * CORRUPT flag (without any of the usual tracing/logging) to force us ++ * into xrep_probe. ++ */ ++ if (xchk_could_repair(sc)) { ++ if (!IS_ENABLED(CONFIG_XFS_ONLINE_REPAIR)) ++ return -EOPNOTSUPP; ++ sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT; ++ } + return 0; + } +