From: Greg Kroah-Hartman Date: Mon, 10 Mar 2025 11:17:55 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v5.4.291~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4bf01f09b01eb2313eeadbd0f817bace68123819;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: bus-mhi-host-pci_generic-use-pci_try_reset_function-to-avoid-deadlock.patch cdx-fix-possible-uaf-error-in-driver_override_show.patch char-misc-deallocate-static-minor-in-error-path.patch drivers-core-fix-device-leak-in-__fw_devlink_relax_cycles.patch drivers-virt-acrn-hsm-use-kzalloc-to-avoid-info-leak-in-pmcmd_ioctl.patch eeprom-digsy_mtc-make-gpio-lookup-table-match-the-device.patch iio-adc-at91-sama5d2_adc-fix-sama7g5-realbits-value.patch iio-dac-ad3552r-clear-reset-status-flag.patch iio-filter-admv8818-force-initialization-of-sdo.patch intel_th-pci-add-arrow-lake-support.patch intel_th-pci-add-panther-lake-h-support.patch intel_th-pci-add-panther-lake-p-u-support.patch kvm-svm-drop-debugctl-from-guest-s-effective-value.patch kvm-svm-suppress-debugctl.btf-on-amd.patch kvm-x86-explicitly-zero-eax-and-ebx-when-perfmon_v2-isn-t-supported-by-kvm.patch mei-me-add-panther-lake-p-did.patch slimbus-messaging-free-transaction-id-in-delayed-interrupt-scenario.patch --- diff --git a/queue-6.6/bus-mhi-host-pci_generic-use-pci_try_reset_function-to-avoid-deadlock.patch b/queue-6.6/bus-mhi-host-pci_generic-use-pci_try_reset_function-to-avoid-deadlock.patch new file mode 100644 index 0000000000..825f5e23da --- /dev/null +++ b/queue-6.6/bus-mhi-host-pci_generic-use-pci_try_reset_function-to-avoid-deadlock.patch 
@@ -0,0 +1,69 @@ +From a321d163de3d8aa38a6449ab2becf4b1581aed96 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Wed, 8 Jan 2025 19:09:27 +0530 +Subject: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock + +From: Manivannan Sadhasivam + +commit a321d163de3d8aa38a6449ab2becf4b1581aed96 upstream. + +There are multiple places from where the recovery work gets scheduled +asynchronously. Also, there are multiple places where the caller waits +synchronously for the recovery to be completed. One such place is during +the PM shutdown() callback. + +If the device is not alive during recovery_work, it will try to reset the +device using pci_reset_function(). This function internally will take the +device_lock() first before resetting the device. By this time, if the lock +has already been acquired, then recovery_work will get stalled while +waiting for the lock. And if the lock was already acquired by the caller +which waits for the recovery_work to be completed, it will lead to +deadlock. + +This is what happened on the X1E80100 CRD device when the device died +before shutdown() callback. Driver core calls the driver's shutdown() +callback while holding the device_lock() leading to deadlock. + +And this deadlock scenario can occur on other paths as well, like during +the PM suspend() callback, where the driver core would hold the +device_lock() before calling driver's suspend() callback. And if the +recovery_work was already started, it could lead to deadlock. This is also +observed on the X1E80100 CRD. + +So to fix both issues, use pci_try_reset_function() in recovery_work. This +function first checks for the availability of the device_lock() before +trying to reset the device. If the lock is available, it will acquire it +and reset the device. Otherwise, it will return -EAGAIN. If that happens, +recovery_work will fail with the error message "Recovery failed" as not +much could be done. 
+ +Cc: stable@vger.kernel.org # 5.12 +Reported-by: Johan Hovold +Closes: https://lore.kernel.org/mhi/Z1me8iaK7cwgjL92@hovoldconsulting.com +Fixes: 7389337f0a78 ("mhi: pci_generic: Add suspend/resume/recovery procedure") +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Analyzed-by: Johan Hovold +Link: https://lore.kernel.org/mhi/Z2KKjWY2mPen6GPL@hovoldconsulting.com/ +Reviewed-by: Loic Poulain +Link: https://lore.kernel.org/r/20250108-mhi_recovery_fix-v1-1-a0a00a17da46@linaro.org +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/pci_generic.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/bus/mhi/host/pci_generic.c ++++ b/drivers/bus/mhi/host/pci_generic.c +@@ -892,8 +892,9 @@ static void mhi_pci_recovery_work(struct + err_unprepare: + mhi_unprepare_after_power_down(mhi_cntrl); + err_try_reset: +- if (pci_reset_function(pdev)) +- dev_err(&pdev->dev, "Recovery failed\n"); ++ err = pci_try_reset_function(pdev); ++ if (err) ++ dev_err(&pdev->dev, "Recovery failed: %d\n", err); + } + + static void health_check(struct timer_list *t) diff --git a/queue-6.6/cdx-fix-possible-uaf-error-in-driver_override_show.patch b/queue-6.6/cdx-fix-possible-uaf-error-in-driver_override_show.patch new file mode 100644 index 0000000000..f6c3a85644 --- /dev/null +++ b/queue-6.6/cdx-fix-possible-uaf-error-in-driver_override_show.patch 
@@ -0,0 +1,56 @@ +From 91d44c1afc61a2fec37a9c7a3485368309391e0b Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Sat, 18 Jan 2025 15:08:33 +0800 +Subject: cdx: Fix possible UAF error in driver_override_show() + +From: Qiu-ji Chen + +commit 91d44c1afc61a2fec37a9c7a3485368309391e0b upstream. + +Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c + +This function driver_override_show() is part of DEVICE_ATTR_RW, which +includes both driver_override_show() and driver_override_store(). +These functions can be executed concurrently in sysfs. + +The driver_override_store() function uses driver_set_override() to +update the driver_override value, and driver_set_override() internally +locks the device (device_lock(dev)). If driver_override_show() reads +cdx_dev->driver_override without locking, it could potentially access +a freed pointer if driver_override_store() frees the string +concurrently. This could lead to printing a kernel address, which is a +security risk since DEVICE_ATTR can be read by all users. + +Additionally, a similar pattern is used in drivers/amba/bus.c, as well +as many other bus drivers, where device_lock() is taken in the show +function, and it has been working without issues. + +This potential bug was detected by our experimental static analysis +tool, which analyzes locking APIs and paired functions to identify +data races and atomicity violations. 
+ +Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus") +Cc: stable +Signed-off-by: Qiu-ji Chen +Link: https://lore.kernel.org/r/20250118070833.27201-1-chenqiuji666@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cdx/cdx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/cdx/cdx.c ++++ b/drivers/cdx/cdx.c +@@ -365,8 +365,12 @@ static ssize_t driver_override_show(stru + struct device_attribute *attr, char *buf) + { + struct cdx_device *cdx_dev = to_cdx_device(dev); ++ ssize_t len; + +- return sysfs_emit(buf, "%s\n", cdx_dev->driver_override); ++ device_lock(dev); ++ len = sysfs_emit(buf, "%s\n", cdx_dev->driver_override); ++ device_unlock(dev); ++ return len; + } + static DEVICE_ATTR_RW(driver_override); + diff --git a/queue-6.6/char-misc-deallocate-static-minor-in-error-path.patch b/queue-6.6/char-misc-deallocate-static-minor-in-error-path.patch new file mode 100644 index 0000000000..fc6d5db3f5 --- /dev/null +++ b/queue-6.6/char-misc-deallocate-static-minor-in-error-path.patch 
@@ -0,0 +1,34 @@ +From 6d991f569c5ef6eaeadf1238df2c36e3975233ad Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Thu, 23 Jan 2025 09:32:49 -0300 +Subject: char: misc: deallocate static minor in error path + +From: Thadeu Lima de Souza Cascardo + +commit 6d991f569c5ef6eaeadf1238df2c36e3975233ad upstream. + +When creating sysfs files fail, the allocated minor must be freed such that +it can be later reused. That is specially harmful for static minor numbers, +since those would always fail to register later on. + +Fixes: 6d04d2b554b1 ("misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors") +Cc: stable +Signed-off-by: Thadeu Lima de Souza Cascardo +Link: https://lore.kernel.org/r/20250123123249.4081674-5-cascardo@igalia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/misc.c ++++ b/drivers/char/misc.c +@@ -264,8 +264,8 @@ int misc_register(struct miscdevice *mis + device_create_with_groups(&misc_class, misc->parent, dev, + misc, misc->groups, "%s", misc->name); + if (IS_ERR(misc->this_device)) { ++ misc_minor_free(misc->minor); + if (is_dynamic) { +- misc_minor_free(misc->minor); + misc->minor = MISC_DYNAMIC_MINOR; + } + err = PTR_ERR(misc->this_device); diff --git a/queue-6.6/drivers-core-fix-device-leak-in-__fw_devlink_relax_cycles.patch b/queue-6.6/drivers-core-fix-device-leak-in-__fw_devlink_relax_cycles.patch new file mode 100644 index 0000000000..dac7c85052 --- /dev/null +++ b/queue-6.6/drivers-core-fix-device-leak-in-__fw_devlink_relax_cycles.patch 
@@ -0,0 +1,35 @@ +From 78eb41f518f414378643ab022241df2a9dcd008b Mon Sep 17 00:00:00 2001 +From: Luca Ceresoli +Date: Thu, 13 Feb 2025 15:05:13 +0100 +Subject: drivers: core: fix device leak in __fw_devlink_relax_cycles() + +From: Luca Ceresoli + +commit 78eb41f518f414378643ab022241df2a9dcd008b upstream. + +Commit bac3b10b78e5 ("driver core: fw_devlink: Stop trying to optimize +cycle detection logic") introduced a new struct device *con_dev and a +get_dev_from_fwnode() call to get it, but without adding a corresponding +put_device(). + +Closes: https://lore.kernel.org/all/20241204124826.2e055091@booty/ +Fixes: bac3b10b78e5 ("driver core: fw_devlink: Stop trying to optimize cycle detection logic") +Cc: stable@vger.kernel.org +Reviewed-by: Saravana Kannan +Signed-off-by: Luca Ceresoli +Link: https://lore.kernel.org/r/20250213-fix__fw_devlink_relax_cycles_missing_device_put-v2-1-8cd3b03e6a3f@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -2026,6 +2026,7 @@ static bool __fw_devlink_relax_cycles(st + out: + sup_handle->flags &= ~FWNODE_FLAG_VISITED; + put_device(sup_dev); ++ put_device(con_dev); + put_device(par_dev); + return ret; + } diff --git a/queue-6.6/drivers-virt-acrn-hsm-use-kzalloc-to-avoid-info-leak-in-pmcmd_ioctl.patch b/queue-6.6/drivers-virt-acrn-hsm-use-kzalloc-to-avoid-info-leak-in-pmcmd_ioctl.patch new file mode 100644 index 0000000000..cbf819d0d1 --- /dev/null +++ b/queue-6.6/drivers-virt-acrn-hsm-use-kzalloc-to-avoid-info-leak-in-pmcmd_ioctl.patch 
@@ -0,0 +1,54 @@ +From 819cec1dc47cdeac8f5dd6ba81c1dbee2a68c3bb Mon Sep 17 00:00:00 2001 +From: Haoyu Li +Date: Thu, 30 Jan 2025 19:58:11 +0800 +Subject: drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl + +From: Haoyu Li + +commit 819cec1dc47cdeac8f5dd6ba81c1dbee2a68c3bb upstream. + +In the "pmcmd_ioctl" function, three memory objects allocated by +kmalloc are initialized by "hcall_get_cpu_state", which are then +copied to user space. The initializer is indeed implemented in +"acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of +information leakage due to uninitialized bytes. + +Fixes: 3d679d5aec64 ("virt: acrn: Introduce interfaces to query C-states and P-states allowed by hypervisor") +Signed-off-by: Haoyu Li +Cc: stable +Acked-by: Fei Li +Link: https://lore.kernel.org/r/20250130115811.92424-1-lihaoyu499@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virt/acrn/hsm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/virt/acrn/hsm.c ++++ b/drivers/virt/acrn/hsm.c +@@ -49,7 +49,7 @@ static int pmcmd_ioctl(u64 cmd, void __u + switch (cmd & PMCMD_TYPE_MASK) { + case ACRN_PMCMD_GET_PX_CNT: + case ACRN_PMCMD_GET_CX_CNT: +- pm_info = kmalloc(sizeof(u64), GFP_KERNEL); ++ pm_info = kzalloc(sizeof(u64), GFP_KERNEL); + if (!pm_info) + return -ENOMEM; + +@@ -64,7 +64,7 @@ static int pmcmd_ioctl(u64 cmd, void __u + kfree(pm_info); + break; + case ACRN_PMCMD_GET_PX_DATA: +- px_data = kmalloc(sizeof(*px_data), GFP_KERNEL); ++ px_data = kzalloc(sizeof(*px_data), GFP_KERNEL); + if (!px_data) + return -ENOMEM; + +@@ -79,7 +79,7 @@ static int pmcmd_ioctl(u64 cmd, void __u + kfree(px_data); + break; + case ACRN_PMCMD_GET_CX_DATA: +- cx_data = kmalloc(sizeof(*cx_data), GFP_KERNEL); ++ cx_data = kzalloc(sizeof(*cx_data), GFP_KERNEL); + if (!cx_data) + return -ENOMEM; + 
diff --git a/queue-6.6/eeprom-digsy_mtc-make-gpio-lookup-table-match-the-device.patch b/queue-6.6/eeprom-digsy_mtc-make-gpio-lookup-table-match-the-device.patch new file mode 100644 index 0000000000..356e2357fc --- /dev/null +++ b/queue-6.6/eeprom-digsy_mtc-make-gpio-lookup-table-match-the-device.patch @@ -0,0 +1,35 @@ +From 038ef0754aae76f79b147b8867f9250e6a976872 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Fri, 7 Feb 2025 00:03:11 +0200 +Subject: eeprom: digsy_mtc: Make GPIO lookup table match the device + +From: Andy Shevchenko + +commit 038ef0754aae76f79b147b8867f9250e6a976872 upstream. + +The dev_id value in the GPIO lookup table must match to +the device instance name, which in this case is combined +of name and platform device ID, i.e. "spi_gpio.1". But +the table assumed that there was no platform device ID +defined, which is wrong. Fix the dev_id value accordingly. + +Fixes: 9b00bc7b901f ("spi: spi-gpio: Rewrite to use GPIO descriptors") +Cc: stable +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20250206220311.1554075-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/eeprom/digsy_mtc_eeprom.c ++++ b/drivers/misc/eeprom/digsy_mtc_eeprom.c +@@ -60,7 +60,7 @@ static struct platform_device digsy_mtc_ + }; + + static struct gpiod_lookup_table eeprom_spi_gpiod_table = { +- .dev_id = "spi_gpio", ++ .dev_id = "spi_gpio.1", + .table = { + GPIO_LOOKUP("gpio@b00", GPIO_EEPROM_CLK, + "sck", GPIO_ACTIVE_HIGH), diff --git a/queue-6.6/iio-adc-at91-sama5d2_adc-fix-sama7g5-realbits-value.patch b/queue-6.6/iio-adc-at91-sama5d2_adc-fix-sama7g5-realbits-value.patch new file mode 100644 index 0000000000..8936f6ae81 --- /dev/null +++ b/queue-6.6/iio-adc-at91-sama5d2_adc-fix-sama7g5-realbits-value.patch 
@@ -0,0 +1,134 @@ +From aa5119c36d19639397d29ef305aa53a5ecd72b27 Mon Sep 17 00:00:00 2001 +From: Nayab Sayed +Date: Wed, 15 Jan 2025 11:37:04 +0530 +Subject: iio: adc: at91-sama5d2_adc: fix sama7g5 realbits value + +From: Nayab Sayed + +commit aa5119c36d19639397d29ef305aa53a5ecd72b27 upstream. + +The number of valid bits in SAMA7G5 ADC channel data register are 16. +Hence changing the realbits value to 16 + +Fixes: 840bf6cb983f ("iio: adc: at91-sama5d2_adc: add support for sama7g5 device") +Signed-off-by: Nayab Sayed +Link: https://patch.msgid.link/20250115-fix-sama7g5-adc-realbits-v2-1-58a6e4087584@microchip.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/at91-sama5d2_adc.c | 68 +++++++++++++++++++++---------------- + 1 file changed, 40 insertions(+), 28 deletions(-) + +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -329,7 +329,7 @@ static const struct at91_adc_reg_layout + #define AT91_HWFIFO_MAX_SIZE_STR "128" + #define AT91_HWFIFO_MAX_SIZE 128 + +-#define AT91_SAMA5D2_CHAN_SINGLE(index, num, addr) \ ++#define AT91_SAMA_CHAN_SINGLE(index, num, addr, rbits) \ + { \ + .type = IIO_VOLTAGE, \ + .channel = num, \ +@@ -337,7 +337,7 @@ static const struct at91_adc_reg_layout + .scan_index = index, \ + .scan_type = { \ + .sign = 'u', \ +- .realbits = 14, \ ++ .realbits = rbits, \ + .storagebits = 16, \ + }, \ + .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), \ +@@ -350,7 +350,13 @@ static const struct at91_adc_reg_layout + .indexed = 1, \ + } + +-#define AT91_SAMA5D2_CHAN_DIFF(index, num, num2, addr) \ ++#define AT91_SAMA5D2_CHAN_SINGLE(index, num, addr) \ ++ AT91_SAMA_CHAN_SINGLE(index, num, addr, 14) ++ ++#define AT91_SAMA7G5_CHAN_SINGLE(index, num, addr) \ ++ AT91_SAMA_CHAN_SINGLE(index, num, addr, 16) ++ ++#define AT91_SAMA_CHAN_DIFF(index, num, num2, addr, rbits) \ + { \ + .type = IIO_VOLTAGE, \ + .differential = 1, \ +@@ -360,7 +366,7 @@ static const struct 
at91_adc_reg_layout + .scan_index = index, \ + .scan_type = { \ + .sign = 's', \ +- .realbits = 14, \ ++ .realbits = rbits, \ + .storagebits = 16, \ + }, \ + .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), \ +@@ -373,6 +379,12 @@ static const struct at91_adc_reg_layout + .indexed = 1, \ + } + ++#define AT91_SAMA5D2_CHAN_DIFF(index, num, num2, addr) \ ++ AT91_SAMA_CHAN_DIFF(index, num, num2, addr, 14) ++ ++#define AT91_SAMA7G5_CHAN_DIFF(index, num, num2, addr) \ ++ AT91_SAMA_CHAN_DIFF(index, num, num2, addr, 16) ++ + #define AT91_SAMA5D2_CHAN_TOUCH(num, name, mod) \ + { \ + .type = IIO_POSITIONRELATIVE, \ +@@ -666,30 +678,30 @@ static const struct iio_chan_spec at91_s + }; + + static const struct iio_chan_spec at91_sama7g5_adc_channels[] = { +- AT91_SAMA5D2_CHAN_SINGLE(0, 0, 0x60), +- AT91_SAMA5D2_CHAN_SINGLE(1, 1, 0x64), +- AT91_SAMA5D2_CHAN_SINGLE(2, 2, 0x68), +- AT91_SAMA5D2_CHAN_SINGLE(3, 3, 0x6c), +- AT91_SAMA5D2_CHAN_SINGLE(4, 4, 0x70), +- AT91_SAMA5D2_CHAN_SINGLE(5, 5, 0x74), +- AT91_SAMA5D2_CHAN_SINGLE(6, 6, 0x78), +- AT91_SAMA5D2_CHAN_SINGLE(7, 7, 0x7c), +- AT91_SAMA5D2_CHAN_SINGLE(8, 8, 0x80), +- AT91_SAMA5D2_CHAN_SINGLE(9, 9, 0x84), +- AT91_SAMA5D2_CHAN_SINGLE(10, 10, 0x88), +- AT91_SAMA5D2_CHAN_SINGLE(11, 11, 0x8c), +- AT91_SAMA5D2_CHAN_SINGLE(12, 12, 0x90), +- AT91_SAMA5D2_CHAN_SINGLE(13, 13, 0x94), +- AT91_SAMA5D2_CHAN_SINGLE(14, 14, 0x98), +- AT91_SAMA5D2_CHAN_SINGLE(15, 15, 0x9c), +- AT91_SAMA5D2_CHAN_DIFF(16, 0, 1, 0x60), +- AT91_SAMA5D2_CHAN_DIFF(17, 2, 3, 0x68), +- AT91_SAMA5D2_CHAN_DIFF(18, 4, 5, 0x70), +- AT91_SAMA5D2_CHAN_DIFF(19, 6, 7, 0x78), +- AT91_SAMA5D2_CHAN_DIFF(20, 8, 9, 0x80), +- AT91_SAMA5D2_CHAN_DIFF(21, 10, 11, 0x88), +- AT91_SAMA5D2_CHAN_DIFF(22, 12, 13, 0x90), +- AT91_SAMA5D2_CHAN_DIFF(23, 14, 15, 0x98), ++ AT91_SAMA7G5_CHAN_SINGLE(0, 0, 0x60), ++ AT91_SAMA7G5_CHAN_SINGLE(1, 1, 0x64), ++ AT91_SAMA7G5_CHAN_SINGLE(2, 2, 0x68), ++ AT91_SAMA7G5_CHAN_SINGLE(3, 3, 0x6c), ++ AT91_SAMA7G5_CHAN_SINGLE(4, 4, 0x70), ++ 
AT91_SAMA7G5_CHAN_SINGLE(5, 5, 0x74), ++ AT91_SAMA7G5_CHAN_SINGLE(6, 6, 0x78), ++ AT91_SAMA7G5_CHAN_SINGLE(7, 7, 0x7c), ++ AT91_SAMA7G5_CHAN_SINGLE(8, 8, 0x80), ++ AT91_SAMA7G5_CHAN_SINGLE(9, 9, 0x84), ++ AT91_SAMA7G5_CHAN_SINGLE(10, 10, 0x88), ++ AT91_SAMA7G5_CHAN_SINGLE(11, 11, 0x8c), ++ AT91_SAMA7G5_CHAN_SINGLE(12, 12, 0x90), ++ AT91_SAMA7G5_CHAN_SINGLE(13, 13, 0x94), ++ AT91_SAMA7G5_CHAN_SINGLE(14, 14, 0x98), ++ AT91_SAMA7G5_CHAN_SINGLE(15, 15, 0x9c), ++ AT91_SAMA7G5_CHAN_DIFF(16, 0, 1, 0x60), ++ AT91_SAMA7G5_CHAN_DIFF(17, 2, 3, 0x68), ++ AT91_SAMA7G5_CHAN_DIFF(18, 4, 5, 0x70), ++ AT91_SAMA7G5_CHAN_DIFF(19, 6, 7, 0x78), ++ AT91_SAMA7G5_CHAN_DIFF(20, 8, 9, 0x80), ++ AT91_SAMA7G5_CHAN_DIFF(21, 10, 11, 0x88), ++ AT91_SAMA7G5_CHAN_DIFF(22, 12, 13, 0x90), ++ AT91_SAMA7G5_CHAN_DIFF(23, 14, 15, 0x98), + IIO_CHAN_SOFT_TIMESTAMP(24), + AT91_SAMA5D2_CHAN_TEMP(AT91_SAMA7G5_ADC_TEMP_CHANNEL, "temp", 0xdc), + }; diff --git a/queue-6.6/iio-dac-ad3552r-clear-reset-status-flag.patch b/queue-6.6/iio-dac-ad3552r-clear-reset-status-flag.patch new file mode 100644 index 0000000000..07c473375d --- /dev/null +++ b/queue-6.6/iio-dac-ad3552r-clear-reset-status-flag.patch 
@@ -0,0 +1,42 @@ +From e17b9f20da7d2bc1f48878ab2230523b2512d965 Mon Sep 17 00:00:00 2001 +From: Angelo Dureghello +Date: Sat, 25 Jan 2025 17:24:32 +0100 +Subject: iio: dac: ad3552r: clear reset status flag + +From: Angelo Dureghello + +commit e17b9f20da7d2bc1f48878ab2230523b2512d965 upstream. + +Clear reset status flag, to keep error status register clean after reset +(ad3552r manual, rev B table 38). + +Reset error flag was left to 1, so debugging registers, the "Error +Status Register" was dirty (0x01). It is important to clear this bit, so +if there is any reset event over normal working mode, it is possible to +detect it. + +Fixes: 8f2b54824b28 ("drivers:iio:dac: Add AD3552R driver support") +Signed-off-by: Angelo Dureghello +Link: https://patch.msgid.link/20250125-wip-bl-ad3552r-clear-reset-v2-1-aa3a27f3ff8c@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad3552r.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/iio/dac/ad3552r.c ++++ b/drivers/iio/dac/ad3552r.c +@@ -703,6 +703,12 @@ static int ad3552r_reset(struct ad3552r_ + return ret; + } + ++ /* Clear reset error flag, see ad3552r manual, rev B table 38. */ ++ ret = ad3552r_write_reg(dac, AD3552R_REG_ADDR_ERR_STATUS, ++ AD3552R_MASK_RESET_STATUS); ++ if (ret) ++ return ret; ++ + return ad3552r_update_reg_field(dac, + addr_mask_map[AD3552R_ADDR_ASCENSION][0], + addr_mask_map[AD3552R_ADDR_ASCENSION][1], diff --git a/queue-6.6/iio-filter-admv8818-force-initialization-of-sdo.patch b/queue-6.6/iio-filter-admv8818-force-initialization-of-sdo.patch new file mode 100644 index 0000000000..5f1c8ced55 --- /dev/null +++ b/queue-6.6/iio-filter-admv8818-force-initialization-of-sdo.patch 
@@ -0,0 +1,56 @@ +From cc2c3540d9477a9931fb0fd851fcaeba524a5b35 Mon Sep 17 00:00:00 2001 +From: Sam Winchenbach +Date: Mon, 3 Feb 2025 13:34:34 +0000 +Subject: iio: filter: admv8818: Force initialization of SDO + +From: Sam Winchenbach + +commit cc2c3540d9477a9931fb0fd851fcaeba524a5b35 upstream. + +When a weak pull-up is present on the SDO line, regmap_update_bits fails +to write both the SOFTRESET and SDOACTIVE bits because it incorrectly +reads them as already set. + +Since the soft reset disables the SDO line, performing a +read-modify-write operation on ADI_SPI_CONFIG_A to enable the SDO line +doesn't make sense. This change directly writes to the register instead +of using regmap_update_bits. + +Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818") +Signed-off-by: Sam Winchenbach +Link: https://patch.msgid.link/SA1P110MB106904C961B0F3FAFFED74C0BCF5A@SA1P110MB1069.NAMP110.PROD.OUTLOOK.COM +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/filter/admv8818.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/drivers/iio/filter/admv8818.c ++++ b/drivers/iio/filter/admv8818.c +@@ -574,21 +574,15 @@ static int admv8818_init(struct admv8818 + struct spi_device *spi = st->spi; + unsigned int chip_id; + +- ret = regmap_update_bits(st->regmap, ADMV8818_REG_SPI_CONFIG_A, +- ADMV8818_SOFTRESET_N_MSK | +- ADMV8818_SOFTRESET_MSK, +- FIELD_PREP(ADMV8818_SOFTRESET_N_MSK, 1) | +- FIELD_PREP(ADMV8818_SOFTRESET_MSK, 1)); ++ ret = regmap_write(st->regmap, ADMV8818_REG_SPI_CONFIG_A, ++ ADMV8818_SOFTRESET_N_MSK | ADMV8818_SOFTRESET_MSK); + if (ret) { + dev_err(&spi->dev, "ADMV8818 Soft Reset failed.\n"); + return ret; + } + +- ret = regmap_update_bits(st->regmap, ADMV8818_REG_SPI_CONFIG_A, +- ADMV8818_SDOACTIVE_N_MSK | +- ADMV8818_SDOACTIVE_MSK, +- FIELD_PREP(ADMV8818_SDOACTIVE_N_MSK, 1) | +- FIELD_PREP(ADMV8818_SDOACTIVE_MSK, 1)); ++ ret = regmap_write(st->regmap, ADMV8818_REG_SPI_CONFIG_A, ++ 
ADMV8818_SDOACTIVE_N_MSK | ADMV8818_SDOACTIVE_MSK); + if (ret) { + dev_err(&spi->dev, "ADMV8818 SDO Enable failed.\n"); + return ret; diff --git a/queue-6.6/intel_th-pci-add-arrow-lake-support.patch b/queue-6.6/intel_th-pci-add-arrow-lake-support.patch new file mode 100644 index 0000000000..05c2bb4c7a --- /dev/null +++ b/queue-6.6/intel_th-pci-add-arrow-lake-support.patch @@ -0,0 +1,35 @@ +From b5edccae9f447a92d475267d94c33f4926963eec Mon Sep 17 00:00:00 2001 +From: Pawel Chmielewski +Date: Tue, 11 Feb 2025 20:50:15 +0200 +Subject: intel_th: pci: Add Arrow Lake support + +From: Pawel Chmielewski + +commit b5edccae9f447a92d475267d94c33f4926963eec upstream. + +Add support for the Trace Hub in Arrow Lake. + +Signed-off-by: Pawel Chmielewski +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20250211185017.1759193-4-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -330,6 +330,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Arrow Lake */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7724), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Alder Lake CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-6.6/intel_th-pci-add-panther-lake-h-support.patch b/queue-6.6/intel_th-pci-add-panther-lake-h-support.patch new file mode 100644 index 0000000000..748e3ae9e7 --- /dev/null +++ b/queue-6.6/intel_th-pci-add-panther-lake-h-support.patch 
@@ -0,0 +1,34 @@ +From a70034d6c0d5f3cdee40bb00a578e17fd2ebe426 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 11 Feb 2025 20:50:16 +0200 +Subject: intel_th: pci: Add Panther Lake-H support + +From: Alexander Shishkin + +commit a70034d6c0d5f3cdee40bb00a578e17fd2ebe426 upstream. + +Add support for the Trace Hub in Panther Lake-H. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20250211185017.1759193-5-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -335,6 +335,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Panther Lake-H */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xe324), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Alder Lake CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-6.6/intel_th-pci-add-panther-lake-p-u-support.patch b/queue-6.6/intel_th-pci-add-panther-lake-p-u-support.patch new file mode 100644 index 0000000000..98128db206 --- /dev/null +++ b/queue-6.6/intel_th-pci-add-panther-lake-p-u-support.patch 
@@ -0,0 +1,34 @@ +From 49114ff05770264ae233f50023fc64a719a9dcf9 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 11 Feb 2025 20:50:17 +0200 +Subject: intel_th: pci: Add Panther Lake-P/U support + +From: Alexander Shishkin + +commit 49114ff05770264ae233f50023fc64a719a9dcf9 upstream. + +Add support for the Trace Hub in Panther Lake-P/U. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20250211185017.1759193-6-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -340,6 +340,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, + { ++ /* Panther Lake-P/U */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xe424), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, ++ { + /* Alder Lake CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-6.6/kvm-svm-drop-debugctl-from-guest-s-effective-value.patch b/queue-6.6/kvm-svm-drop-debugctl-from-guest-s-effective-value.patch new file mode 100644 index 0000000000..60f6a0f675 --- /dev/null +++ b/queue-6.6/kvm-svm-drop-debugctl-from-guest-s-effective-value.patch 
@@ -0,0 +1,84 @@ +From ee89e8013383d50a27ea9bf3c8a69eed6799856f Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 27 Feb 2025 14:24:06 -0800 +Subject: KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit ee89e8013383d50a27ea9bf3c8a69eed6799856f upstream. + +Drop bits 5:2 from the guest's effective DEBUGCTL value, as AMD changed +the architectural behavior of the bits and broke backwards compatibility. +On CPUs without BusLockTrap (or at least, in APMs from before ~2023), +bits 5:2 controlled the behavior of external pins: + + Performance-Monitoring/Breakpoint Pin-Control (PBi)—Bits 5:2, read/write. + Software uses thesebits to control the type of information reported by + the four external performance-monitoring/breakpoint pins on the + processor. When a PBi bit is cleared to 0, the corresponding external pin + (BPi) reports performance-monitor information. When a PBi bit is set to + 1, the corresponding external pin (BPi) reports breakpoint information. + +With the introduction of BusLockTrap, presumably to be compatible with +Intel CPUs, AMD redefined bit 2 to be BLCKDB: + + Bus Lock #DB Trap (BLCKDB)—Bit 2, read/write. Software sets this bit to + enable generation of a #DB trap following successful execution of a bus + lock when CPL is > 0. + +and redefined bits 5:3 (and bit 6) as "6:3 Reserved MBZ". + +Ideally, KVM would treat bits 5:2 as reserved. Defer that change to a +feature cleanup to avoid breaking existing guest in LTS kernels. For now, +drop the bits to retain backwards compatibility (of a sort). + +Note, dropping bits 5:2 is still a guest-visible change, e.g. if the guest +is enabling LBRs *and* the legacy PBi bits, then the state of the PBi bits +is visible to the guest, whereas now the guest will always see '0'. 
+ +Reported-by: Ravi Bangoria +Cc: stable@vger.kernel.org +Reviewed-and-tested-by: Ravi Bangoria +Link: https://lore.kernel.org/r/20250227222411.3490595-2-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/svm.c | 12 ++++++++++++ + arch/x86/kvm/svm/svm.h | 2 +- + 2 files changed, 13 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -3156,6 +3156,18 @@ static int svm_set_msr(struct kvm_vcpu * + kvm_pr_unimpl_wrmsr(vcpu, ecx, data); + break; + } ++ ++ /* ++ * AMD changed the architectural behavior of bits 5:2. On CPUs ++ * without BusLockTrap, bits 5:2 control "external pins", but ++ * on CPUs that support BusLockDetect, bit 2 enables BusLockTrap ++ * and bits 5:3 are reserved-to-zero. Sadly, old KVM allowed ++ * the guest to set bits 5:2 despite not actually virtualizing ++ * Performance-Monitoring/Breakpoint external pins. Drop bits ++ * 5:2 for backwards compatibility. ++ */ ++ data &= ~GENMASK(5, 2); ++ + if (data & DEBUGCTL_RESERVED_BITS) + return 1; + +--- a/arch/x86/kvm/svm/svm.h ++++ b/arch/x86/kvm/svm/svm.h +@@ -533,7 +533,7 @@ static inline bool is_vnmi_enabled(struc + /* svm.c */ + #define MSR_INVALID 0xffffffffU + +-#define DEBUGCTL_RESERVED_BITS (~(0x3fULL)) ++#define DEBUGCTL_RESERVED_BITS (~(DEBUGCTLMSR_BTF | DEBUGCTLMSR_LBR)) + + extern bool dump_invalid_vmcb; + diff --git a/queue-6.6/kvm-svm-suppress-debugctl.btf-on-amd.patch b/queue-6.6/kvm-svm-suppress-debugctl.btf-on-amd.patch new file mode 100644 index 0000000000..ce230718e8 --- /dev/null +++ b/queue-6.6/kvm-svm-suppress-debugctl.btf-on-amd.patch 
@@ -0,0 +1,64 @@ +From d0eac42f5cecce009d315655bee341304fbe075e Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 27 Feb 2025 14:24:07 -0800 +Subject: KVM: SVM: Suppress DEBUGCTL.BTF on AMD + +From: Sean Christopherson + +commit d0eac42f5cecce009d315655bee341304fbe075e upstream. + +Mark BTF as reserved in DEBUGCTL on AMD, as KVM doesn't actually support +BTF, and fully enabling BTF virtualization is non-trivial due to +interactions with the emulator, guest_debug, #DB interception, nested SVM, +etc. + +Don't inject #GP if the guest attempts to set BTF, as there's no way to +communicate lack of support to the guest, and instead suppress the flag +and treat the WRMSR as (partially) unsupported. + +In short, make KVM behave the same on AMD and Intel (VMX already squashes +BTF). + +Note, due to other bugs in KVM's handling of DEBUGCTL, the only way BTF +has "worked" in any capacity is if the guest simultaneously enables LBRs. + +Reported-by: Ravi Bangoria +Cc: stable@vger.kernel.org +Reviewed-and-tested-by: Ravi Bangoria +Link: https://lore.kernel.org/r/20250227222411.3490595-3-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/svm.c | 9 +++++++++ + arch/x86/kvm/svm/svm.h | 2 +- + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -3168,6 +3168,15 @@ static int svm_set_msr(struct kvm_vcpu * + */ + data &= ~GENMASK(5, 2); + ++ /* ++ * Suppress BTF as KVM doesn't virtualize BTF, but there's no ++ * way to communicate lack of support to the guest. 
++ */ ++ if (data & DEBUGCTLMSR_BTF) { ++ kvm_pr_unimpl_wrmsr(vcpu, MSR_IA32_DEBUGCTLMSR, data); ++ data &= ~DEBUGCTLMSR_BTF; ++ } ++ + if (data & DEBUGCTL_RESERVED_BITS) + return 1; + +--- a/arch/x86/kvm/svm/svm.h ++++ b/arch/x86/kvm/svm/svm.h +@@ -533,7 +533,7 @@ static inline bool is_vnmi_enabled(struc + /* svm.c */ + #define MSR_INVALID 0xffffffffU + +-#define DEBUGCTL_RESERVED_BITS (~(DEBUGCTLMSR_BTF | DEBUGCTLMSR_LBR)) ++#define DEBUGCTL_RESERVED_BITS (~DEBUGCTLMSR_LBR) + + extern bool dump_invalid_vmcb; + diff --git a/queue-6.6/kvm-x86-explicitly-zero-eax-and-ebx-when-perfmon_v2-isn-t-supported-by-kvm.patch b/queue-6.6/kvm-x86-explicitly-zero-eax-and-ebx-when-perfmon_v2-isn-t-supported-by-kvm.patch new file mode 100644 index 0000000000..e5b8b96238 --- /dev/null +++ b/queue-6.6/kvm-x86-explicitly-zero-eax-and-ebx-when-perfmon_v2-isn-t-supported-by-kvm.patch 
@@ -0,0 +1,43 @@ +From f9dc8fb3afc968042bdaf4b6e445a9272071c9f3 Mon Sep 17 00:00:00 2001 +From: Xiaoyao Li +Date: Tue, 4 Mar 2025 03:23:14 -0500 +Subject: KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM + +From: Xiaoyao Li + +commit f9dc8fb3afc968042bdaf4b6e445a9272071c9f3 upstream. + +Fix a goof where KVM sets CPUID.0x80000022.EAX to CPUID.0x80000022.EBX +instead of zeroing both when PERFMON_V2 isn't supported by KVM. In +practice, barring a buggy CPU (or vCPU model when running nested) only the +!enable_pmu case is affected, as KVM always supports PERFMON_V2 if it's +available in hardware, i.e. CPUID.0x80000022.EBX will be '0' if PERFMON_V2 +is unsupported. + +For the !enable_pmu case, the bug is relatively benign as KVM will refuse +to enable PMU capabilities, but a VMM that reflects KVM's supported CPUID +into the guest could inadvertently induce #GPs in the guest due to +advertising support for MSRs that KVM refuses to emulate. + +Fixes: 94cdeebd8211 ("KVM: x86/cpuid: Add AMD CPUID ExtPerfMonAndDbg leaf 0x80000022") +Signed-off-by: Xiaoyao Li +Link: https://lore.kernel.org/r/20250304082314.472202-3-xiaoyao.li@intel.com +[sean: massage shortlog and changelog, tag for stable] +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/cpuid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -1307,7 +1307,7 @@ static inline int __do_cpuid_func(struct + + entry->ecx = entry->edx = 0; + if (!enable_pmu || !kvm_cpu_cap_has(X86_FEATURE_PERFMON_V2)) { +- entry->eax = entry->ebx; ++ entry->eax = entry->ebx = 0; + break; + } + diff --git a/queue-6.6/mei-me-add-panther-lake-p-did.patch b/queue-6.6/mei-me-add-panther-lake-p-did.patch new file mode 100644 index 0000000000..8a98903c0d --- /dev/null +++ b/queue-6.6/mei-me-add-panther-lake-p-did.patch 
@@ -0,0 +1,44 @@ +From a8e8ffcc3afce2ee5fb70162aeaef3f03573ee1e Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 9 Feb 2025 13:05:50 +0200 +Subject: mei: me: add panther lake P DID + +From: Alexander Usyskin + +commit a8e8ffcc3afce2ee5fb70162aeaef3f03573ee1e upstream. + +Add Panther Lake P device id. + +Cc: stable +Co-developed-by: Tomas Winkler +Signed-off-by: Tomas Winkler +Signed-off-by: Alexander Usyskin +Link: https://lore.kernel.org/r/20250209110550.1582982-1-alexander.usyskin@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hw-me-regs.h | 2 ++ + drivers/misc/mei/pci-me.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -117,6 +117,8 @@ + + #define MEI_DEV_ID_LNL_M 0xA870 /* Lunar Lake Point M */ + ++#define MEI_DEV_ID_PTL_P 0xE470 /* Panther Lake P */ ++ + /* + * MEI HW Section + */ +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -124,6 +124,8 @@ static const struct pci_device_id mei_me + + {MEI_PCI_DEVICE(MEI_DEV_ID_LNL_M, MEI_ME_PCH15_CFG)}, + ++ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_P, MEI_ME_PCH15_CFG)}, ++ + /* required last entry */ + {0, } + }; diff --git a/queue-6.6/series b/queue-6.6/series index dfd3312a91..5d66d97b8f 100644 --- a/queue-6.6/series +++ b/queue-6.6/series 
@@ -108,3 +108,20 @@ usb-gadget-check-bmattributes-only-if-configuration-is-valid.patch kbuild-userprogs-use-correct-lld-when-linking-through-clang.patch xhci-pci-fix-indentation-in-the-pci-device-id-definitions.patch usb-xhci-enable-the-trb-overfetch-quirk-on-via-vl805.patch +kvm-svm-drop-debugctl-from-guest-s-effective-value.patch +kvm-svm-suppress-debugctl.btf-on-amd.patch +kvm-x86-explicitly-zero-eax-and-ebx-when-perfmon_v2-isn-t-supported-by-kvm.patch +cdx-fix-possible-uaf-error-in-driver_override_show.patch +mei-me-add-panther-lake-p-did.patch +intel_th-pci-add-arrow-lake-support.patch +intel_th-pci-add-panther-lake-h-support.patch +intel_th-pci-add-panther-lake-p-u-support.patch +char-misc-deallocate-static-minor-in-error-path.patch +drivers-core-fix-device-leak-in-__fw_devlink_relax_cycles.patch +slimbus-messaging-free-transaction-id-in-delayed-interrupt-scenario.patch +bus-mhi-host-pci_generic-use-pci_try_reset_function-to-avoid-deadlock.patch +eeprom-digsy_mtc-make-gpio-lookup-table-match-the-device.patch +drivers-virt-acrn-hsm-use-kzalloc-to-avoid-info-leak-in-pmcmd_ioctl.patch +iio-filter-admv8818-force-initialization-of-sdo.patch +iio-dac-ad3552r-clear-reset-status-flag.patch +iio-adc-at91-sama5d2_adc-fix-sama7g5-realbits-value.patch diff --git a/queue-6.6/slimbus-messaging-free-transaction-id-in-delayed-interrupt-scenario.patch b/queue-6.6/slimbus-messaging-free-transaction-id-in-delayed-interrupt-scenario.patch new file mode 100644 index 0000000000..f326806a4b --- /dev/null +++ b/queue-6.6/slimbus-messaging-free-transaction-id-in-delayed-interrupt-scenario.patch 
@@ -0,0 +1,55 @@ +From dcb0d43ba8eb9517e70b1a0e4b0ae0ab657a0e5a Mon Sep 17 00:00:00 2001 +From: Visweswara Tanuku +Date: Fri, 24 Jan 2025 04:57:40 -0800 +Subject: slimbus: messaging: Free transaction ID in delayed interrupt scenario + +From: Visweswara Tanuku + +commit dcb0d43ba8eb9517e70b1a0e4b0ae0ab657a0e5a upstream. + +In case of interrupt delay for any reason, slim_do_transfer() +returns timeout error but the transaction ID (TID) is not freed. +This results into invalid memory access inside +qcom_slim_ngd_rx_msgq_cb() due to invalid TID. + +Fix the issue by freeing the TID in slim_do_transfer() before +returning timeout error to avoid invalid memory access. + +Call trace: +__memcpy_fromio+0x20/0x190 +qcom_slim_ngd_rx_msgq_cb+0x130/0x290 [slim_qcom_ngd_ctrl] +vchan_complete+0x2a0/0x4a0 +tasklet_action_common+0x274/0x700 +tasklet_action+0x28/0x3c +_stext+0x188/0x620 +run_ksoftirqd+0x34/0x74 +smpboot_thread_fn+0x1d8/0x464 +kthread+0x178/0x238 +ret_from_fork+0x10/0x20 +Code: aa0003e8 91000429 f100044a 3940002b (3800150b) +---[ end trace 0fe00bec2b975c99 ]--- +Kernel panic - not syncing: Oops: Fatal exception in interrupt. + +Fixes: afbdcc7c384b ("slimbus: Add messaging APIs to slimbus framework") +Cc: stable +Signed-off-by: Visweswara Tanuku +Link: https://lore.kernel.org/r/20250124125740.16897-1-quic_vtanuku@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/messaging.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/slimbus/messaging.c ++++ b/drivers/slimbus/messaging.c +@@ -147,8 +147,9 @@ int slim_do_transfer(struct slim_control + } + + ret = ctrl->xfer_msg(ctrl, txn); +- +- if (!ret && need_tid && !txn->msg->comp) { ++ if (ret == -ETIMEDOUT) { ++ slim_free_txn_tid(ctrl, txn); ++ } else if (!ret && need_tid && !txn->msg->comp) { + unsigned long ms = txn->rl + HZ; + + timeout = wait_for_completion_timeout(txn->comp,
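Review bot: in the arch/x86/kvm/svm/svm.h hunk of "KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value", the new DEBUGCTL_RESERVED_BITS drops the explicit 64-bit suffix that the old `~(0x3fULL)` carried, so the width of the inverted mask now depends on how DEBUGCTLMSR_BTF and DEBUGCTLMSR_LBR are defined, which this diff does not show. If either constant is a plain int, the complement is computed at 32 bits before it meets the MSR value in `if (data & DEBUGCTL_RESERVED_BITS)`. Please confirm both constants are 64-bit wide, or add a cast so that bits 63:32 stay reserved whatever the header does. The same applies to `~DEBUGCTLMSR_LBR` in the follow-up BTF patch.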
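Review bot: in the arch/x86/kvm/svm/svm.c hunk of "KVM: SVM: Suppress DEBUGCTL.BTF on AMD", the value handed to `kvm_pr_unimpl_wrmsr(vcpu, MSR_IA32_DEBUGCTLMSR, data)` has already had bits 5:2 cleared by the `data &= ~GENMASK(5, 2);` just above it, so the log line does not show what the guest actually wrote. Either log before the masking or say in the comment that the reported value is post-mask. The guest also decides how often this path runs, so it is worth stating in the changelog that the message is rate limited (or gated), since nothing in the hunk shows it. Minor: the earlier call in the same function passes `ecx` where this one hard-codes MSR_IA32_DEBUGCTLMSR; pick one form.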
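Review bot: in the arch/x86/kvm/cpuid.c hunk, the corrected `entry->eax = entry->ebx = 0;` keeps the chained-assignment form that hid the original `entry->eax = entry->ebx;` typo, where a missing `= 0` still compiled and still looked plausible. Two separate statements (`entry->eax = 0;` and `entry->ebx = 0;`) would make a recurrence of that mistake visible in review. The changelog describes a guest-visible effect (a VMM reflecting the leaf could advertise MSRs KVM refuses to emulate), so a check that leaf 0x80000022 reads as all zeroes with !enable_pmu would be a useful companion, if one does not already exist.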
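Review bot: in the drivers/slimbus/messaging.c hunk, the new `if (ret == -ETIMEDOUT)` branch calls `slim_free_txn_tid(ctrl, txn)` without testing `need_tid`, while the branch right after it only touches the completion when `need_tid` is set. If a transaction that never allocated a TID can reach this point and time out, the free acts on whatever `txn->tid` happens to hold; please gate it as `ret == -ETIMEDOUT && need_tid`, or explain in the changelog why that case cannot occur. Only -ETIMEDOUT is handled here, so it is also worth saying whether other error returns from `ctrl->xfer_msg()` release the TID elsewhere, since the changelog ties the crash in qcom_slim_ngd_rx_msgq_cb() to a TID left allocated after a failed transfer.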