From: Greg Kroah-Hartman Date: Fri, 22 Aug 2025 08:59:48 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.16.3~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5061d2c4b454a20fe6dc9e77bf146d4938ed4fb0;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch ata-libata-scsi-return-aborted-command-when-missing-sense-and-result-tf.patch kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch pm-runtime-simplify-pm_runtime_get_if_active-usage.patch pm-runtime-take-active-children-into-account-in-pm_runtime_get_if_in_use.patch s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch --- diff --git a/queue-6.6/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch b/queue-6.6/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch new file mode 100644 index 0000000000..40c54a489d --- /dev/null +++ b/queue-6.6/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch @@ -0,0 +1,79 @@ +From stable+bounces-172193-greg=kroah.com@vger.kernel.org Thu Aug 21 18:35:59 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:28:07 -0400 +Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig +To: stable@vger.kernel.org +Cc: Damien Le Moal , Hannes Reinecke , Niklas Cassel , Sasha Levin +Message-ID: <20250821162807.792983-1-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ] + +Improve the description of the possible default SATA link power +management policies and add the missing description for policy 5. +No functional changes. + +Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Niklas Cassel +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/Kconfig | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +--- a/drivers/ata/Kconfig ++++ b/drivers/ata/Kconfig +@@ -117,7 +117,7 @@ config SATA_AHCI + + config SATA_MOBILE_LPM_POLICY + int "Default SATA Link Power Management policy for low power chipsets" +- range 0 4 ++ range 0 5 + default 0 + depends on SATA_AHCI + help +@@ -126,15 +126,32 @@ config SATA_MOBILE_LPM_POLICY + chipsets are typically found on most laptops but desktops and + servers now also widely use chipsets supporting low power modes. + +- The value set has the following meanings: ++ Each policy combines power saving states and features: ++ - Partial: The Phy logic is powered but is in a reduced power ++ state. The exit latency from this state is no longer than ++ 10us). ++ - Slumber: The Phy logic is powered but is in an even lower power ++ state. The exit latency from this state is potentially ++ longer, but no longer than 10ms. ++ - DevSleep: The Phy logic may be powered down. The exit latency from ++ this state is no longer than 20 ms, unless otherwise ++ specified by DETO in the device Identify Device Data log. ++ - HIPM: Host Initiated Power Management (host automatically ++ transitions to partial and slumber). ++ - DIPM: Device Initiated Power Management (device automatically ++ transitions to partial and slumber). ++ ++ The possible values for the default SATA link power management ++ policies are: + 0 => Keep firmware settings +- 1 => Maximum performance +- 2 => Medium power +- 3 => Medium power with Device Initiated PM enabled +- 4 => Minimum power ++ 1 => No power savings (maximum performance) ++ 2 => HIPM (Partial) ++ 3 => HIPM (Partial) and DIPM (Partial and Slumber) ++ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber) ++ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber) + +- Note "Minimum power" is known to cause issues, including disk +- corruption, with some disks and should not be used. ++ Excluding the value 0, higher values represent policies with higher ++ power savings. + + config SATA_AHCI_PLATFORM + tristate "Platform AHCI SATA support" diff --git a/queue-6.6/ata-libata-scsi-return-aborted-command-when-missing-sense-and-result-tf.patch b/queue-6.6/ata-libata-scsi-return-aborted-command-when-missing-sense-and-result-tf.patch new file mode 100644 index 0000000000..ea1f85dde3 --- /dev/null +++ b/queue-6.6/ata-libata-scsi-return-aborted-command-when-missing-sense-and-result-tf.patch @@ -0,0 +1,85 @@ +From stable+bounces-172241-greg=kroah.com@vger.kernel.org Fri Aug 22 04:53:41 2025 +From: Damien Le Moal +Date: Fri, 22 Aug 2025 11:50:39 +0900 +Subject: ata: libata-scsi: Return aborted command when missing sense and result TF +To: stable@vger.kernel.org +Message-ID: <20250822025039.244614-1-dlemoal@kernel.org> + +From: Damien Le Moal + +Commit d2be9ea9a75550a35c5127a6c2633658bc38c76b upstream. + +ata_gen_ata_sense() is always called for a failed qc missing sense data +so that a sense key, code and code qualifier can be generated using +ata_to_sense_error() from the qc status and error fields of its result +task file. However, if the qc does not have its result task file filled, +ata_gen_ata_sense() returns early without setting a sense key. + +Improve this by defaulting to returning ABORTED COMMAND without any +additional sense code, since we do not know the reason for the failure. +The same fix is also applied in ata_gen_passthru_sense() with the +additional check that the qc failed (qc->err_mask is set). + +Fixes: 816be86c7993 ("ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -935,6 +935,8 @@ static void ata_gen_passthru_sense(struc + if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) { + ata_dev_dbg(dev, + "missing result TF: can't generate ATA PT sense data\n"); ++ if (qc->err_mask) ++ ata_scsi_set_sense(dev, cmd, ABORTED_COMMAND, 0, 0); + return; + } + +@@ -992,8 +994,8 @@ static void ata_gen_ata_sense(struct ata + + if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) { + ata_dev_dbg(dev, +- "missing result TF: can't generate sense data\n"); +- return; ++ "Missing result TF: reporting aborted command\n"); ++ goto aborted; + } + + /* Use ata_to_sense_error() to map status register bits +@@ -1004,19 +1006,20 @@ static void ata_gen_ata_sense(struct ata + ata_to_sense_error(qc->ap->print_id, tf->status, tf->error, + &sense_key, &asc, &ascq); + ata_scsi_set_sense(dev, cmd, sense_key, asc, ascq); +- } else { +- /* Could not decode error */ +- ata_dev_warn(dev, "could not decode error status 0x%x err_mask 0x%x\n", +- tf->status, qc->err_mask); +- ata_scsi_set_sense(dev, cmd, ABORTED_COMMAND, 0, 0); +- return; +- } + +- block = ata_tf_read_block(&qc->result_tf, dev); +- if (block == U64_MAX) ++ block = ata_tf_read_block(&qc->result_tf, dev); ++ if (block != U64_MAX) ++ scsi_set_sense_information(sb, SCSI_SENSE_BUFFERSIZE, ++ block); + return; ++ } + +- scsi_set_sense_information(sb, SCSI_SENSE_BUFFERSIZE, block); ++ /* Could not decode error */ ++ ata_dev_warn(dev, ++ "Could not decode error 0x%x, status 0x%x (err_mask=0x%x)\n", ++ tf->error, tf->status, qc->err_mask); ++aborted: ++ ata_scsi_set_sense(dev, cmd, ABORTED_COMMAND, 0, 0); + } + + void ata_scsi_sdev_config(struct scsi_device *sdev) diff --git a/queue-6.6/kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch b/queue-6.6/kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch new file mode 100644 index 0000000000..6e05badeb5 --- /dev/null +++ b/queue-6.6/kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch @@ -0,0 +1,44 @@ +From stable+bounces-172216-greg=kroah.com@vger.kernel.org Thu Aug 21 20:30:56 2025 +From: Nathan Chancellor +Date: Thu, 21 Aug 2025 11:29:49 -0700 +Subject: kbuild: userprogs: use correct linker when mixing clang and GNU ld +To: gregkh@linuxfoundation.org, sashal@kernel.org +Cc: stable@vger.kernel.org, nathan@kernel.org, thomas.weissschuh@linutronix.de +Message-ID: <20250821182949.1216551-1-nathan@kernel.org> + +From: Thomas Weißschuh + +commit 936599ca514973d44a766b7376c6bbdc96b6a8cc upstream. + +The userprogs infrastructure does not expect clang being used with GNU ld +and in that case uses /usr/bin/ld for linking, not the configured $(LD). +This fallback is problematic as it will break when cross-compiling. +Mixing clang and GNU ld is used for example when building for SPARC64, +as ld.lld is not sufficient; see Documentation/kbuild/llvm.rst. + +Relax the check around --ld-path so it gets used for all linkers. + +Fixes: dfc1b168a8c4 ("kbuild: userprogs: use correct lld when linking through clang") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Reviewed-by: Nathan Chancellor +Signed-off-by: Masahiro Yamada +[nathan: Work around wrapping '--ld-path' in cc-option in older stable + branches due to older minimum LLVM version] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Makefile ++++ b/Makefile +@@ -1061,7 +1061,7 @@ KBUILD_USERCFLAGS += $(filter -m32 -m64 + KBUILD_USERLDFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS)) + + # userspace programs are linked via the compiler, use the correct linker +-ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_LD_IS_LLD),yy) ++ifdef CONFIG_CC_IS_CLANG + KBUILD_USERLDFLAGS += $(call cc-option, --ld-path=$(LD)) + endif + diff --git a/queue-6.6/kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch b/queue-6.6/kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch new file mode 100644 index 0000000000..b475a850ba --- /dev/null +++ b/queue-6.6/kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch @@ -0,0 +1,81 @@ +From f1fb088d9cecde5c3066d8ff8846789667519b7d Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 4 Apr 2025 12:38:19 -0700 +Subject: KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer + +From: Sean Christopherson + +commit f1fb088d9cecde5c3066d8ff8846789667519b7d upstream. + +Take irqfds.lock when adding/deleting an IRQ bypass producer to ensure +irqfd->producer isn't modified while kvm_irq_routing_update() is running. +The only lock held when a producer is added/removed is irqbypass's mutex. + +Fixes: 872768800652 ("KVM: x86: select IRQ_BYPASS_MANAGER") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20250404193923.1413163-5-seanjc@google.com> +Signed-off-by: Paolo Bonzini +[sean: account for lack of kvm_x86_call()] +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -13266,16 +13266,22 @@ int kvm_arch_irq_bypass_add_producer(str + { + struct kvm_kernel_irqfd *irqfd = + container_of(cons, struct kvm_kernel_irqfd, consumer); ++ struct kvm *kvm = irqfd->kvm; + int ret; + +- irqfd->producer = prod; + kvm_arch_start_assignment(irqfd->kvm); ++ ++ spin_lock_irq(&kvm->irqfds.lock); ++ irqfd->producer = prod; ++ + ret = static_call(kvm_x86_pi_update_irte)(irqfd->kvm, + prod->irq, irqfd->gsi, 1); +- + if (ret) + kvm_arch_end_assignment(irqfd->kvm); + ++ spin_unlock_irq(&kvm->irqfds.lock); ++ ++ + return ret; + } + +@@ -13285,9 +13291,9 @@ void kvm_arch_irq_bypass_del_producer(st + int ret; + struct kvm_kernel_irqfd *irqfd = + container_of(cons, struct kvm_kernel_irqfd, consumer); ++ struct kvm *kvm = irqfd->kvm; + + WARN_ON(irqfd->producer != prod); +- irqfd->producer = NULL; + + /* + * When producer of consumer is unregistered, we change back to +@@ -13295,11 +13301,17 @@ void kvm_arch_irq_bypass_del_producer(st + * when the irq is masked/disabled or the consumer side (KVM + * int this case doesn't want to receive the interrupts. + */ ++ spin_lock_irq(&kvm->irqfds.lock); ++ irqfd->producer = NULL; ++ + ret = static_call(kvm_x86_pi_update_irte)(irqfd->kvm, prod->irq, irqfd->gsi, 0); + if (ret) + printk(KERN_INFO "irq bypass consumer (token %p) unregistration" + " fails: %d\n", irqfd->consumer.token, ret); + ++ spin_unlock_irq(&kvm->irqfds.lock); ++ ++ + kvm_arch_end_assignment(irqfd->kvm); + } + diff --git a/queue-6.6/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch b/queue-6.6/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch new file mode 100644 index 0000000000..a8829dfe62 --- /dev/null +++ b/queue-6.6/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch @@ -0,0 +1,111 @@ +From 59305202c67fea50378dcad0cc199dbc13a0e99a Mon Sep 17 00:00:00 2001 +From: Anshuman Khandual +Date: Fri, 20 Jun 2025 10:54:27 +0530 +Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() + +From: Anshuman Khandual + +commit 59305202c67fea50378dcad0cc199dbc13a0e99a upstream. + +Memory hot remove unmaps and tears down various kernel page table regions +as required. The ptdump code can race with concurrent modifications of +the kernel page tables. When leaf entries are modified concurrently, the +dump code may log stale or inconsistent information for a VA range, but +this is otherwise not harmful. + +But when intermediate levels of kernel page table are freed, the dump code +will continue to use memory that has been freed and potentially +reallocated for another purpose. In such cases, the ptdump code may +dereference bogus addresses, leading to a number of potential problems. + +To avoid the above mentioned race condition, platforms such as arm64, +riscv and s390 take memory hotplug lock, while dumping kernel page table +via the sysfs interface /sys/kernel/debug/kernel_page_tables. + +Similar race condition exists while checking for pages that might have +been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages +which in turn calls ptdump_check_wx(). Instead of solving this race +condition again, let's just move the memory hotplug lock inside generic +ptdump_check_wx() which will benefit both the scenarios. + +Drop get_online_mems() and put_online_mems() combination from all existing +platform ptdump code paths. + +Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com +Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") +Signed-off-by: Anshuman Khandual +Acked-by: David Hildenbrand +Reviewed-by: Dev Jain +Acked-by: Alexander Gordeev [s390] +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Ryan Roberts +Cc: Paul Walmsley +Cc: Palmer Dabbelt +Cc: Alexander Gordeev +Cc: Gerald Schaefer +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Christian Borntraeger +Cc: Sven Schnelle +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/ptdump_debugfs.c | 3 --- + arch/s390/mm/dump_pagetables.c | 2 -- + mm/ptdump.c | 2 ++ + 3 files changed, 2 insertions(+), 5 deletions(-) + +--- a/arch/arm64/mm/ptdump_debugfs.c ++++ b/arch/arm64/mm/ptdump_debugfs.c +@@ -1,6 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 + #include +-#include + #include + + #include +@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file * + { + struct ptdump_info *info = m->private; + +- get_online_mems(); + ptdump_walk(m, info); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/arch/s390/mm/dump_pagetables.c ++++ b/arch/s390/mm/dump_pagetables.c +@@ -249,11 +249,9 @@ static int ptdump_show(struct seq_file * + .marker = address_markers, + }; + +- get_online_mems(); + mutex_lock(&cpa_mutex); + ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); + mutex_unlock(&cpa_mutex); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/mm/ptdump.c ++++ b/mm/ptdump.c +@@ -152,6 +152,7 @@ void ptdump_walk_pgd(struct ptdump_state + { + const struct ptdump_range *range = st->range; + ++ get_online_mems(); + mmap_write_lock(mm); + while (range->start != range->end) { + walk_page_range_novma(mm, range->start, range->end, +@@ -159,6 +160,7 @@ void ptdump_walk_pgd(struct ptdump_state + range++; + } + mmap_write_unlock(mm); ++ put_online_mems(); + + /* Flush out the last page */ + st->note_page(st, 0, -1, 0); diff --git a/queue-6.6/pm-runtime-simplify-pm_runtime_get_if_active-usage.patch b/queue-6.6/pm-runtime-simplify-pm_runtime_get_if_active-usage.patch new file mode 100644 index 0000000000..510e562537 --- /dev/null +++ b/queue-6.6/pm-runtime-simplify-pm_runtime_get_if_active-usage.patch @@ -0,0 +1,236 @@ +From stable+bounces-172195-greg=kroah.com@vger.kernel.org Thu Aug 21 18:36:03 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:28:32 -0400 +Subject: PM: runtime: Simplify pm_runtime_get_if_active() usage +To: stable@vger.kernel.org +Cc: Sakari Ailus , Alex Elder , Laurent Pinchart , Takashi Iwai , Jacek Lawrynowicz , Rodrigo Vivi , Bjorn Helgaas , "Rafael J. Wysocki" , Sasha Levin +Message-ID: <20250821162833.814231-1-sashal@kernel.org> + +From: Sakari Ailus + +[ Upstream commit c0ef3df8dbaef51ee4cfd58a471adf2eaee6f6b3 ] + +There are two ways to opportunistically increment a device's runtime PM +usage count, calling either pm_runtime_get_if_active() or +pm_runtime_get_if_in_use(). The former has an argument to tell whether to +ignore the usage count or not, and the latter simply calls the former with +ign_usage_count set to false. The other users that want to ignore the +usage_count will have to explicitly set that argument to true which is a +bit cumbersome. + +To make this function more practical to use, remove the ign_usage_count +argument from the function. The main implementation is in a static +function called pm_runtime_get_conditional() and implementations of +pm_runtime_get_if_active() and pm_runtime_get_if_in_use() are moved to +runtime.c. + +Signed-off-by: Sakari Ailus +Reviewed-by: Alex Elder +Reviewed-by: Laurent Pinchart +Acked-by: Takashi Iwai # sound/ +Reviewed-by: Jacek Lawrynowicz # drivers/accel/ivpu/ +Acked-by: Rodrigo Vivi # drivers/gpu/drm/i915/ +Reviewed-by: Rodrigo Vivi +Acked-by: Bjorn Helgaas # drivers/pci/ +Signed-off-by: Rafael J. Wysocki +[ Removed changes to code that didn't exist in older trees ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/power/runtime_pm.rst | 5 +--- + drivers/base/power/runtime.c | 35 ++++++++++++++++++++++++++++++-- + drivers/gpu/drm/i915/intel_runtime_pm.c | 5 +++- + drivers/media/i2c/ccs/ccs-core.c | 2 - + drivers/net/ipa/ipa_smp2p.c | 2 - + drivers/pci/pci.c | 2 - + drivers/ufs/core/ufshcd-priv.h | 2 - + include/linux/pm_runtime.h | 18 ++-------------- + sound/hda/hdac_device.c | 2 - + 9 files changed, 47 insertions(+), 26 deletions(-) + +--- a/Documentation/power/runtime_pm.rst ++++ b/Documentation/power/runtime_pm.rst +@@ -398,10 +398,9 @@ drivers/base/power/runtime.c and include + nonzero, increment the counter and return 1; otherwise return 0 without + changing the counter + +- `int pm_runtime_get_if_active(struct device *dev, bool ign_usage_count);` ++ `int pm_runtime_get_if_active(struct device *dev);` + - return -EINVAL if 'power.disable_depth' is nonzero; otherwise, if the +- runtime PM status is RPM_ACTIVE, and either ign_usage_count is true +- or the device's usage_count is non-zero, increment the counter and ++ runtime PM status is RPM_ACTIVE, increment the counter and + return 1; otherwise return 0 without changing the counter + + `void pm_runtime_put_noidle(struct device *dev);` +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1175,7 +1175,7 @@ int __pm_runtime_resume(struct device *d + EXPORT_SYMBOL_GPL(__pm_runtime_resume); + + /** +- * pm_runtime_get_if_active - Conditionally bump up device usage counter. ++ * pm_runtime_get_conditional - Conditionally bump up device usage counter. + * @dev: Device to handle. + * @ign_usage_count: Whether or not to look at the current usage counter value. + * +@@ -1196,7 +1196,7 @@ EXPORT_SYMBOL_GPL(__pm_runtime_resume); + * The caller is responsible for decrementing the runtime PM usage counter of + * @dev after this function has returned a positive value for it. + */ +-int pm_runtime_get_if_active(struct device *dev, bool ign_usage_count) ++static int pm_runtime_get_conditional(struct device *dev, bool ign_usage_count) + { + unsigned long flags; + int retval; +@@ -1217,9 +1217,40 @@ int pm_runtime_get_if_active(struct devi + + return retval; + } ++ ++/** ++ * pm_runtime_get_if_active - Bump up runtime PM usage counter if the device is ++ * in active state ++ * @dev: Target device. ++ * ++ * Increment the runtime PM usage counter of @dev if its runtime PM status is ++ * %RPM_ACTIVE, in which case it returns 1. If the device is in a different ++ * state, 0 is returned. -EINVAL is returned if runtime PM is disabled for the ++ * device, in which case also the usage_count will remain unmodified. ++ */ ++int pm_runtime_get_if_active(struct device *dev) ++{ ++ return pm_runtime_get_conditional(dev, true); ++} + EXPORT_SYMBOL_GPL(pm_runtime_get_if_active); + + /** ++ * pm_runtime_get_if_in_use - Conditionally bump up runtime PM usage counter. ++ * @dev: Target device. ++ * ++ * Increment the runtime PM usage counter of @dev if its runtime PM status is ++ * %RPM_ACTIVE and its runtime PM usage counter is greater than 0, in which case ++ * it returns 1. If the device is in a different state or its usage_count is 0, ++ * 0 is returned. -EINVAL is returned if runtime PM is disabled for the device, ++ * in which case also the usage_count will remain unmodified. ++ */ ++int pm_runtime_get_if_in_use(struct device *dev) ++{ ++ return pm_runtime_get_conditional(dev, false); ++} ++EXPORT_SYMBOL_GPL(pm_runtime_get_if_in_use); ++ ++/** + * __pm_runtime_set_status - Set runtime PM status of a device. + * @dev: Device to handle. + * @status: New runtime PM status of the device. +--- a/drivers/gpu/drm/i915/intel_runtime_pm.c ++++ b/drivers/gpu/drm/i915/intel_runtime_pm.c +@@ -434,7 +434,10 @@ static intel_wakeref_t __intel_runtime_p + * function, since the power state is undefined. This applies + * atm to the late/early system suspend/resume handlers. + */ +- if (pm_runtime_get_if_active(rpm->kdev, ignore_usecount) <= 0) ++ if ((ignore_usecount && ++ pm_runtime_get_if_active(rpm->kdev) <= 0) || ++ (!ignore_usecount && ++ pm_runtime_get_if_in_use(rpm->kdev) <= 0)) + return 0; + } + +--- a/drivers/media/i2c/ccs/ccs-core.c ++++ b/drivers/media/i2c/ccs/ccs-core.c +@@ -665,7 +665,7 @@ static int ccs_set_ctrl(struct v4l2_ctrl + break; + } + +- pm_status = pm_runtime_get_if_active(&client->dev, true); ++ pm_status = pm_runtime_get_if_active(&client->dev); + if (!pm_status) + return 0; + +--- a/drivers/net/ipa/ipa_smp2p.c ++++ b/drivers/net/ipa/ipa_smp2p.c +@@ -92,7 +92,7 @@ static void ipa_smp2p_notify(struct ipa_ + return; + + dev = &smp2p->ipa->pdev->dev; +- smp2p->power_on = pm_runtime_get_if_active(dev, true) > 0; ++ smp2p->power_on = pm_runtime_get_if_active(dev) > 0; + + /* Signal whether the IPA power is enabled */ + mask = BIT(smp2p->enabled_bit); +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2475,7 +2475,7 @@ static void pci_pme_list_scan(struct wor + * course of the call. + */ + if (bdev) { +- bref = pm_runtime_get_if_active(bdev, true); ++ bref = pm_runtime_get_if_active(bdev); + if (!bref) + continue; + +--- a/drivers/ufs/core/ufshcd-priv.h ++++ b/drivers/ufs/core/ufshcd-priv.h +@@ -326,7 +326,7 @@ static inline int ufshcd_rpm_get_sync(st + + static inline int ufshcd_rpm_get_if_active(struct ufs_hba *hba) + { +- return pm_runtime_get_if_active(&hba->ufs_device_wlun->sdev_gendev, true); ++ return pm_runtime_get_if_active(&hba->ufs_device_wlun->sdev_gendev); + } + + static inline int ufshcd_rpm_put_sync(struct ufs_hba *hba) +--- a/include/linux/pm_runtime.h ++++ b/include/linux/pm_runtime.h +@@ -73,7 +73,8 @@ extern int pm_runtime_force_resume(struc + extern int __pm_runtime_idle(struct device *dev, int rpmflags); + extern int __pm_runtime_suspend(struct device *dev, int rpmflags); + extern int __pm_runtime_resume(struct device *dev, int rpmflags); +-extern int pm_runtime_get_if_active(struct device *dev, bool ign_usage_count); ++extern int pm_runtime_get_if_active(struct device *dev); ++extern int pm_runtime_get_if_in_use(struct device *dev); + extern int pm_schedule_suspend(struct device *dev, unsigned int delay); + extern int __pm_runtime_set_status(struct device *dev, unsigned int status); + extern int pm_runtime_barrier(struct device *dev); +@@ -96,18 +97,6 @@ extern void pm_runtime_release_supplier( + extern int devm_pm_runtime_enable(struct device *dev); + + /** +- * pm_runtime_get_if_in_use - Conditionally bump up runtime PM usage counter. +- * @dev: Target device. +- * +- * Increment the runtime PM usage counter of @dev if its runtime PM status is +- * %RPM_ACTIVE and its runtime PM usage counter is greater than 0. +- */ +-static inline int pm_runtime_get_if_in_use(struct device *dev) +-{ +- return pm_runtime_get_if_active(dev, false); +-} +- +-/** + * pm_suspend_ignore_children - Set runtime PM behavior regarding children. + * @dev: Target device. + * @enable: Whether or not to ignore possible dependencies on children. +@@ -277,8 +266,7 @@ static inline int pm_runtime_get_if_in_u + { + return -EINVAL; + } +-static inline int pm_runtime_get_if_active(struct device *dev, +- bool ign_usage_count) ++static inline int pm_runtime_get_if_active(struct device *dev) + { + return -EINVAL; + } +--- a/sound/hda/hdac_device.c ++++ b/sound/hda/hdac_device.c +@@ -611,7 +611,7 @@ EXPORT_SYMBOL_GPL(snd_hdac_power_up_pm); + int snd_hdac_keep_power_up(struct hdac_device *codec) + { + if (!atomic_inc_not_zero(&codec->in_pm)) { +- int ret = pm_runtime_get_if_active(&codec->dev, true); ++ int ret = pm_runtime_get_if_active(&codec->dev); + if (!ret) + return -1; + if (ret < 0) diff --git a/queue-6.6/pm-runtime-take-active-children-into-account-in-pm_runtime_get_if_in_use.patch b/queue-6.6/pm-runtime-take-active-children-into-account-in-pm_runtime_get_if_in_use.patch new file mode 100644 index 0000000000..0bd31576fe --- /dev/null +++ b/queue-6.6/pm-runtime-take-active-children-into-account-in-pm_runtime_get_if_in_use.patch @@ -0,0 +1,85 @@ +From stable+bounces-172196-greg=kroah.com@vger.kernel.org Thu Aug 21 18:36:05 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:28:33 -0400 +Subject: PM: runtime: Take active children into account in pm_runtime_get_if_in_use() +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Ulf Hansson , Sakari Ailus , Sasha Levin +Message-ID: <20250821162833.814231-2-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit 51888393cc64dd0462d0b96c13ab94873abbc030 ] + +For all practical purposes, there is no difference between the situation +in which a given device is not ignoring children and its active child +count is nonzero and the situation in which its runtime PM usage counter +is nonzero. However, pm_runtime_get_if_in_use() will only increment the +device's usage counter and return 1 in the latter case. + +For consistency, make it do so in the former case either by adjusting +pm_runtime_get_conditional() and update the related kerneldoc comments +accordingly. + +Fixes: c111566bea7c ("PM: runtime: Add pm_runtime_get_if_active()") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Ulf Hansson +Reviewed-by: Sakari Ailus +Cc: 5.10+ # 5.10+: c0ef3df8dbae: PM: runtime: Simplify pm_runtime_get_if_active() usage +Cc: 5.10+ # 5.10+ +Link: https://patch.msgid.link/12700973.O9o76ZdvQC@rjwysocki.net +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/runtime.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1181,10 +1181,12 @@ EXPORT_SYMBOL_GPL(__pm_runtime_resume); + * + * Return -EINVAL if runtime PM is disabled for @dev. + * +- * Otherwise, if the runtime PM status of @dev is %RPM_ACTIVE and either +- * @ign_usage_count is %true or the runtime PM usage counter of @dev is not +- * zero, increment the usage counter of @dev and return 1. Otherwise, return 0 +- * without changing the usage counter. ++ * Otherwise, if its runtime PM status is %RPM_ACTIVE and (1) @ign_usage_count ++ * is set, or (2) @dev is not ignoring children and its active child count is ++ * nonero, or (3) the runtime PM usage counter of @dev is not zero, increment ++ * the usage counter of @dev and return 1. ++ * ++ * Otherwise, return 0 without changing the usage counter. + * + * If @ign_usage_count is %true, this function can be used to prevent suspending + * the device when its runtime PM status is %RPM_ACTIVE. +@@ -1206,7 +1208,8 @@ static int pm_runtime_get_conditional(st + retval = -EINVAL; + } else if (dev->power.runtime_status != RPM_ACTIVE) { + retval = 0; +- } else if (ign_usage_count) { ++ } else if (ign_usage_count || (!dev->power.ignore_children && ++ atomic_read(&dev->power.child_count) > 0)) { + retval = 1; + atomic_inc(&dev->power.usage_count); + } else { +@@ -1239,10 +1242,16 @@ EXPORT_SYMBOL_GPL(pm_runtime_get_if_acti + * @dev: Target device. + * + * Increment the runtime PM usage counter of @dev if its runtime PM status is +- * %RPM_ACTIVE and its runtime PM usage counter is greater than 0, in which case +- * it returns 1. If the device is in a different state or its usage_count is 0, +- * 0 is returned. -EINVAL is returned if runtime PM is disabled for the device, +- * in which case also the usage_count will remain unmodified. ++ * %RPM_ACTIVE and its runtime PM usage counter is greater than 0 or it is not ++ * ignoring children and its active child count is nonzero. 1 is returned in ++ * this case. ++ * ++ * If @dev is in a different state or it is not in use (that is, its usage ++ * counter is 0, or it is ignoring children, or its active child count is 0), ++ * 0 is returned. ++ * ++ * -EINVAL is returned if runtime PM is disabled for the device, in which case ++ * also the usage counter of @dev is not updated. + */ + int pm_runtime_get_if_in_use(struct device *dev) + { diff --git a/queue-6.6/s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch b/queue-6.6/s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch new file mode 100644 index 0000000000..30e90bea6f --- /dev/null +++ b/queue-6.6/s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch @@ -0,0 +1,56 @@ +From 5647f61ad9171e8f025558ed6dc5702c56a33ba3 Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Wed, 9 Jul 2025 20:34:30 +0200 +Subject: s390/mm: Remove possible false-positive warning in pte_free_defer() + +From: Gerald Schaefer + +commit 5647f61ad9171e8f025558ed6dc5702c56a33ba3 upstream. + +Commit 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing +page") added a warning to pte_free_defer(), on our request. It was meant +to warn if this would ever be reached for KVM guest mappings, because +the page table would be freed w/o a gmap_unlink(). THP mappings are not +allowed for KVM guests on s390, so this should never happen. + +However, it is possible that the warning is triggered in a valid case as +false-positive. + +s390_enable_sie() takes the mmap_lock, marks all VMAs as VM_NOHUGEPAGE and +splits possibly existing THP guest mappings. mm->context.has_pgste is set +to 1 before that, to prevent races with the mm_has_pgste() check in +MADV_HUGEPAGE. + +khugepaged drops the mmap_lock for file mappings and might run in parallel, +before a vma is marked VM_NOHUGEPAGE, but after mm->context.has_pgste was +set to 1. If it finds file mappings to collapse, it will eventually call +pte_free_defer(). This will trigger the warning, but it is a valid case +because gmap is not yet set up, and the THP mappings will be split again. + +Therefore, remove the warning and the comment. + +Fixes: 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing page") +Cc: # 6.6+ +Reviewed-by: Alexander Gordeev +Reviewed-by: Claudio Imbrenda +Signed-off-by: Gerald Schaefer +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/mm/pgalloc.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/arch/s390/mm/pgalloc.c ++++ b/arch/s390/mm/pgalloc.c +@@ -456,11 +456,6 @@ void pte_free_defer(struct mm_struct *mm + page = virt_to_page(pgtable); + SetPageActive(page); + page_table_free(mm, (unsigned long *)pgtable); +- /* +- * page_table_free() does not do the pgste gmap_unlink() which +- * page_table_free_rcu() does: warn us if pgste ever reaches here. +- */ +- WARN_ON_ONCE(mm_has_pgste(mm)); + } + #endif /* CONFIG_TRANSPARENT_HUGEPAGE */ + diff --git a/queue-6.6/series b/queue-6.6/series index 5540c58775..470342081e 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -458,3 +458,13 @@ btrfs-send-keep-the-current-inode-s-path-cached.patch btrfs-send-avoid-path-allocation-for-the-current-inode-when-issuing-commands.patch btrfs-send-use-fallocate-for-hole-punching-with-send-stream-v2.patch btrfs-send-make-fs_path_len-inline-and-constify-its-argument.patch +s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch +kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch +wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch +mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch +usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch +ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch +pm-runtime-simplify-pm_runtime_get_if_active-usage.patch +pm-runtime-take-active-children-into-account-in-pm_runtime_get_if_in_use.patch +ata-libata-scsi-return-aborted-command-when-missing-sense-and-result-tf.patch +kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch diff --git a/queue-6.6/usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch b/queue-6.6/usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..95d3d534ee --- /dev/null +++ b/queue-6.6/usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch @@ -0,0 +1,56 @@ +From sashal@kernel.org Thu Aug 21 18:28:25 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:28:22 -0400 +Subject: usb: dwc3: imx8mp: fix device leak at unbind +To: stable@vger.kernel.org +Cc: Johan Hovold , Li Jun , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250821162822.805636-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 086a0e516f7b3844e6328a5c69e2708b66b0ce18 ] + +Make sure to drop the reference to the dwc3 device taken by +of_find_device_by_node() on probe errors and on driver unbind. + +Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver") +Cc: stable@vger.kernel.org # 5.12 +Cc: Li Jun +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724091910.21092-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-imx8mp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/dwc3-imx8mp.c ++++ b/drivers/usb/dwc3/dwc3-imx8mp.c +@@ -244,7 +244,7 @@ static int dwc3_imx8mp_probe(struct plat + IRQF_ONESHOT, dev_name(dev), dwc3_imx); + if (err) { + dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err); +- goto depopulate; ++ goto put_dwc3; + } + + device_set_wakeup_capable(dev, true); +@@ -252,6 +252,8 @@ static int dwc3_imx8mp_probe(struct plat + + return 0; + ++put_dwc3: ++ put_device(&dwc3_imx->dwc3->dev); + depopulate: + of_platform_depopulate(dev); + err_node_put: +@@ -272,6 +274,8 @@ static void dwc3_imx8mp_remove(struct pl + struct dwc3_imx8mp *dwc3_imx = platform_get_drvdata(pdev); + struct device *dev = &pdev->dev; + ++ put_device(&dwc3_imx->dwc3->dev); ++ + pm_runtime_get_sync(dev); + of_platform_depopulate(dev); + diff --git a/queue-6.6/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch b/queue-6.6/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch new file mode 100644 index 0000000000..a681c9b51f --- /dev/null +++ b/queue-6.6/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch @@ -0,0 +1,54 @@ +From 16ee3ea8faef8ff042acc15867a6c458c573de61 Mon Sep 17 00:00:00 2001 +From: Mikhail Lobanov +Date: Mon, 17 Mar 2025 13:31:37 +0300 +Subject: wifi: mac80211: check basic rates validity in sta_link_apply_parameters + +From: Mikhail Lobanov + +commit 16ee3ea8faef8ff042acc15867a6c458c573de61 upstream. + +When userspace sets supported rates for a new station via +NL80211_CMD_NEW_STATION, it might send a list that's empty +or contains only invalid values. Currently, we process these +values in sta_link_apply_parameters() without checking the result of +ieee80211_parse_bitrates(), which can lead to an empty rates bitmap. + +A similar issue was addressed for NL80211_CMD_SET_BSS in commit +ce04abc3fcc6 ("wifi: mac80211: check basic rates validity"). +This patch applies the same approach in sta_link_apply_parameters() +for NL80211_CMD_NEW_STATION, ensuring there is at least one valid +rate by inspecting the result of ieee80211_parse_bitrates(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params") +Signed-off-by: Mikhail Lobanov +Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru +Signed-off-by: Johannes Berg +Signed-off-by: "Hanne-Lotta Mäenpää" +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1847,12 +1847,12 @@ static int sta_link_apply_parameters(str + } + + if (params->supported_rates && +- params->supported_rates_len) { +- ieee80211_parse_bitrates(link->conf->chandef.width, +- sband, params->supported_rates, +- params->supported_rates_len, +- &link_sta->pub->supp_rates[sband->band]); +- } ++ params->supported_rates_len && ++ !ieee80211_parse_bitrates(link->conf->chandef.width, ++ sband, params->supported_rates, ++ params->supported_rates_len, ++ &link_sta->pub->supp_rates[sband->band])) ++ return -EINVAL; + + if (params->ht_capa) + ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,