From: Greg Kroah-Hartman Date: Tue, 8 Jul 2025 15:15:59 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v5.15.187~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5563a3ad1851da24ce610eeb4f43c9fd0502de3d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch i2c-designware-fix-an-initialization-issue.patch iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch logitech-c-270-even-more-broken.patch optee-ffa-fix-sleep-in-atomic-context.patch powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch --- diff --git a/queue-6.15/cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch b/queue-6.15/cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch new file mode 100644 index 0000000000..e78a4cc28c --- /dev/null +++ b/queue-6.15/cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch 
@@ -0,0 +1,82 @@ +From 74ebd02163fde05baa23129e06dde4b8f0f2377a Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N +Date: Mon, 30 Jun 2025 23:09:34 +0530 +Subject: cifs: all initializations for tcon should happen in tcon_info_alloc + +From: Shyam Prasad N + +commit 74ebd02163fde05baa23129e06dde4b8f0f2377a upstream. + +Today, a few work structs inside tcon are initialized inside +cifs_get_tcon and not in tcon_info_alloc. As a result, if a tcon +is obtained from tcon_info_alloc, but not called as a part of +cifs_get_tcon, we may trip over. + +Cc: +Signed-off-by: Shyam Prasad N +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsproto.h | 1 + + fs/smb/client/connect.c | 8 +------- + fs/smb/client/misc.c | 6 ++++++ + 3 files changed, 8 insertions(+), 7 deletions(-) + +--- a/fs/smb/client/cifsproto.h ++++ b/fs/smb/client/cifsproto.h +@@ -136,6 +136,7 @@ extern int SendReceiveBlockingLock(const + struct smb_hdr *out_buf, + int *bytes_returned); + ++void smb2_query_server_interfaces(struct work_struct *work); + void + cifs_signal_cifsd_for_reconnect(struct TCP_Server_Info *server, + bool all_channels); +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -97,7 +97,7 @@ static int reconn_set_ipaddr_from_hostna + return rc; + } + +-static void smb2_query_server_interfaces(struct work_struct *work) ++void smb2_query_server_interfaces(struct work_struct *work) + { + int rc; + int xid; +@@ -2880,20 +2880,14 @@ cifs_get_tcon(struct cifs_ses *ses, stru + tcon->max_cached_dirs = ctx->max_cached_dirs; + tcon->nodelete = ctx->nodelete; + tcon->local_lease = ctx->local_lease; +- INIT_LIST_HEAD(&tcon->pending_opens); + tcon->status = TID_GOOD; + +- INIT_DELAYED_WORK(&tcon->query_interfaces, +- smb2_query_server_interfaces); + if (ses->server->dialect >= SMB30_PROT_ID && + (ses->server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) { + /* schedule query interfaces poll */ + 
queue_delayed_work(cifsiod_wq, &tcon->query_interfaces, + (SMB_INTERFACE_POLL_INTERVAL * HZ)); + } +-#ifdef CONFIG_CIFS_DFS_UPCALL +- INIT_DELAYED_WORK(&tcon->dfs_cache_work, dfs_cache_refresh); +-#endif + spin_lock(&cifs_tcp_ses_lock); + list_add(&tcon->tcon_list, &ses->tcon_list); + spin_unlock(&cifs_tcp_ses_lock); +--- a/fs/smb/client/misc.c ++++ b/fs/smb/client/misc.c +@@ -151,6 +151,12 @@ tcon_info_alloc(bool dir_leases_enabled, + #ifdef CONFIG_CIFS_DFS_UPCALL + INIT_LIST_HEAD(&ret_buf->dfs_ses_list); + #endif ++ INIT_LIST_HEAD(&ret_buf->pending_opens); ++ INIT_DELAYED_WORK(&ret_buf->query_interfaces, ++ smb2_query_server_interfaces); ++#ifdef CONFIG_CIFS_DFS_UPCALL ++ INIT_DELAYED_WORK(&ret_buf->dfs_cache_work, dfs_cache_refresh); ++#endif + + return ret_buf; + } diff --git a/queue-6.15/dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch b/queue-6.15/dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch new file mode 100644 index 0000000000..e358397f5d --- /dev/null +++ b/queue-6.15/dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch 
@@ -0,0 +1,56 @@
+From 2b95a7db6e0f75587bffddbb490399cbb87e4985 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?=
+Date: Tue, 28 Jan 2025 10:47:48 +0100
+Subject: dma-buf: fix timeout handling in dma_resv_wait_timeout v2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König
+
+commit 2b95a7db6e0f75587bffddbb490399cbb87e4985 upstream.
+
+Even the kerneldoc says that with a zero timeout the function should not
+wait for anything, but still return 1 to indicate that the fences are
+signaled now.
+
+Unfortunately that isn't what was implemented, instead of only returning
+1 we also waited for at least one jiffies.
+
+Fix that by adjusting the handling to what the function is actually
+documented to do.
+
+v2: improve code readability
+
+Reported-by: Marek Olšák
+Reported-by: Lucas Stach
+Signed-off-by: Christian König
+Reviewed-by: Lucas Stach
+Cc:
+Link: https://lore.kernel.org/r/20250129105841.1806-1-christian.koenig@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma-buf/dma-resv.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/dma-buf/dma-resv.c
++++ b/drivers/dma-buf/dma-resv.c
+@@ -685,11 +685,13 @@ long dma_resv_wait_timeout(struct dma_re
+ dma_resv_iter_begin(&cursor, obj, usage);
+ dma_resv_for_each_fence_unlocked(&cursor, fence) {
+
+- ret = dma_fence_wait_timeout(fence, intr, ret);
+- if (ret <= 0) {
+- dma_resv_iter_end(&cursor);
+- return ret;
+- }
++ ret = dma_fence_wait_timeout(fence, intr, timeout);
++ if (ret <= 0)
++ break;
++
++ /* Even for zero timeout the return value is 1 */
++ if (timeout)
++ timeout = ret;
+ }
+ dma_resv_iter_end(&cursor);
+
diff --git a/queue-6.15/dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch b/queue-6.15/dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch
new file mode 100644
index 0000000000..ce21834785
--- /dev/null
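Review bot: The comment `/* Even for zero timeout the return value is 1 */` above `if (timeout)` in the dma_resv_wait_timeout() loop states a fact but not why the update is skipped, which is the whole point of the fix. A wording such as `/* a signaled fence returns 1 even when timeout == 0; keep a zero timeout at zero for the next fence */` would make the intent explicit. The function's body starts and ends outside the hunk, so the value returned when the loop never runs is set elsewhere; it is worth confirming that it still matches the documented "return 1 for a zero timeout" behaviour.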
+++ b/queue-6.15/dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch
@@ -0,0 +1,34 @@
+From 5f05fc6e2218db7ecc52c60eb34b707fe69262c2 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 2 Jul 2025 08:15:31 +0200
+Subject: dt-bindings: i2c: realtek,rtl9301: Fix missing 'reg' constraint
+
+From: Krzysztof Kozlowski
+
+commit 5f05fc6e2218db7ecc52c60eb34b707fe69262c2 upstream.
+
+Lists should have fixed amount if items, so add missing constraint to
+the 'reg' property (only one address space entry).
+
+Fixes: c5eda0333076 ("dt-bindings: i2c: Add Realtek RTL I2C Controller")
+Cc: # v6.13+
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20250702061530.6940-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/i2c/realtek,rtl9301-i2c.yaml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/i2c/realtek,rtl9301-i2c.yaml
++++ b/Documentation/devicetree/bindings/i2c/realtek,rtl9301-i2c.yaml
+@@ -26,7 +26,8 @@ properties:
+ - const: realtek,rtl9301-i2c
+
+ reg:
+- description: Register offset and size this I2C controller.
++ items:
++ - description: Register offset and size this I2C controller.
+
+ "#address-cells":
+ const: 1
diff --git a/queue-6.15/hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch b/queue-6.15/hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch
new file mode 100644
index 0000000000..81fb64b4d0
--- /dev/null
+++ b/queue-6.15/hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch
@@ -0,0 +1,127 @@ +From 38224c472a038fa9ccd4085511dd9f3d6119dbf9 Mon Sep 17 00:00:00 2001 +From: Qasim Ijaz +Date: Tue, 24 Jun 2025 13:52:56 +0100 +Subject: HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe + +From: Qasim Ijaz + +commit 38224c472a038fa9ccd4085511dd9f3d6119dbf9 upstream. + +In probe appletb_kbd_probe() a "struct appletb_kbd *kbd" is allocated +via devm_kzalloc() to store touch bar keyboard related data. +Later on if backlight_device_get_by_name() finds a backlight device +with name "appletb_backlight" a timer (kbd->inactivity_timer) is setup +with appletb_inactivity_timer() and the timer is armed to run after +appletb_tb_dim_timeout (60) seconds. + +A use-after-free is triggered when failure occurs after the timer is +armed. This ultimately means probe failure occurs and as a result the +"struct appletb_kbd *kbd" which is device managed memory is freed. +After 60 seconds the timer will have expired and __run_timers will +attempt to access the timer (kbd->inactivity_timer) however the kdb +structure has been freed causing a use-after free. + +[ 71.636938] ================================================================== +[ 71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890 +[ 71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0 +[ 71.637915] +[ 71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary) +[ 71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 +[ 71.637915] Call Trace: +[ 71.637915] +[ 71.637915] dump_stack_lvl+0x53/0x70 +[ 71.637915] print_report+0xce/0x670 +[ 71.637915] ? __run_timers+0x7ad/0x890 +[ 71.637915] kasan_report+0xce/0x100 +[ 71.637915] ? __run_timers+0x7ad/0x890 +[ 71.637915] __run_timers+0x7ad/0x890 +[ 71.637915] ? __pfx___run_timers+0x10/0x10 +[ 71.637915] ? update_process_times+0xfc/0x190 +[ 71.637915] ? 
__pfx_update_process_times+0x10/0x10 +[ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 +[ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 +[ 71.637915] ? __pfx__raw_spin_lock_irq+0x10/0x10 +[ 71.637915] run_timer_softirq+0x141/0x240 +[ 71.637915] ? __pfx_run_timer_softirq+0x10/0x10 +[ 71.637915] ? __pfx___hrtimer_run_queues+0x10/0x10 +[ 71.637915] ? kvm_clock_get_cycles+0x18/0x30 +[ 71.637915] ? ktime_get+0x60/0x140 +[ 71.637915] handle_softirqs+0x1b8/0x5c0 +[ 71.637915] ? __pfx_handle_softirqs+0x10/0x10 +[ 71.637915] irq_exit_rcu+0xaf/0xe0 +[ 71.637915] sysvec_apic_timer_interrupt+0x6c/0x80 +[ 71.637915] +[ 71.637915] +[ 71.637915] Allocated by task 39: +[ 71.637915] kasan_save_stack+0x33/0x60 +[ 71.637915] kasan_save_track+0x14/0x30 +[ 71.637915] __kasan_kmalloc+0x8f/0xa0 +[ 71.637915] __kmalloc_node_track_caller_noprof+0x195/0x420 +[ 71.637915] devm_kmalloc+0x74/0x1e0 +[ 71.637915] appletb_kbd_probe+0x37/0x3c0 +[ 71.637915] hid_device_probe+0x2d1/0x680 +[ 71.637915] really_probe+0x1c3/0x690 +[ 71.637915] __driver_probe_device+0x247/0x300 +[ 71.637915] driver_probe_device+0x49/0x210 +[...] +[ 71.637915] +[ 71.637915] Freed by task 39: +[ 71.637915] kasan_save_stack+0x33/0x60 +[ 71.637915] kasan_save_track+0x14/0x30 +[ 71.637915] kasan_save_free_info+0x3b/0x60 +[ 71.637915] __kasan_slab_free+0x37/0x50 +[ 71.637915] kfree+0xcf/0x360 +[ 71.637915] devres_release_group+0x1f8/0x3c0 +[ 71.637915] hid_device_probe+0x315/0x680 +[ 71.637915] really_probe+0x1c3/0x690 +[ 71.637915] __driver_probe_device+0x247/0x300 +[ 71.637915] driver_probe_device+0x49/0x210 +[...] + +The root cause of the issue is that the timer is not disarmed +on failure paths leading to it remaining active and accessing +freed memory. To fix this call timer_delete_sync() to deactivate +the timer. + +Another small issue is that timer_delete_sync is called +unconditionally in appletb_kbd_remove(), fix this by checking +for a valid kbd->backlight_dev before calling timer_delete_sync. 
+ +Fixes: 93a0fc489481 ("HID: hid-appletb-kbd: add support for automatic brightness control while using the touchbar") +Cc: stable@vger.kernel.org +Signed-off-by: Qasim Ijaz +Reviewed-by: Aditya Garg +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-appletb-kbd.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/hid/hid-appletb-kbd.c ++++ b/drivers/hid/hid-appletb-kbd.c +@@ -437,8 +437,10 @@ static int appletb_kbd_probe(struct hid_ + unregister_handler: + input_unregister_handler(&kbd->inp_handler); + close_hw: +- if (kbd->backlight_dev) ++ if (kbd->backlight_dev) { + put_device(&kbd->backlight_dev->dev); ++ timer_delete_sync(&kbd->inactivity_timer); ++ } + hid_hw_close(hdev); + stop_hw: + hid_hw_stop(hdev); +@@ -452,10 +454,10 @@ static void appletb_kbd_remove(struct hi + appletb_kbd_set_mode(kbd, APPLETB_KBD_MODE_OFF); + + input_unregister_handler(&kbd->inp_handler); +- timer_delete_sync(&kbd->inactivity_timer); +- +- if (kbd->backlight_dev) ++ if (kbd->backlight_dev) { + put_device(&kbd->backlight_dev->dev); ++ timer_delete_sync(&kbd->inactivity_timer); ++ } + + hid_hw_close(hdev); + hid_hw_stop(hdev); diff --git a/queue-6.15/i2c-designware-fix-an-initialization-issue.patch b/queue-6.15/i2c-designware-fix-an-initialization-issue.patch new file mode 100644 index 0000000000..66df6e1291 --- /dev/null +++ b/queue-6.15/i2c-designware-fix-an-initialization-issue.patch 
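Review bot: In both the `close_hw:` error path of appletb_kbd_probe() and in appletb_kbd_remove(), the backlight reference is dropped with `put_device()` before `timer_delete_sync()` stops the inactivity timer. If the timer callback dereferences `kbd->backlight_dev` (its body is not in these hunks, so this is inferred from the commit message), it can still run in that window against a device whose reference has already been released. Stopping the timer first closes the window: `timer_delete_sync(&kbd->inactivity_timer);` followed by `put_device(&kbd->backlight_dev->dev);`. Both functions begin outside the hunks shown.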
@@ -0,0 +1,39 @@
+From 3d30048958e0d43425f6d4e76565e6249fa71050 Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl"
+Date: Fri, 27 Jun 2025 10:35:11 -0400
+Subject: i2c/designware: Fix an initialization issue
+
+From: Michael J. Ruhl
+
+commit 3d30048958e0d43425f6d4e76565e6249fa71050 upstream.
+
+The i2c_dw_xfer_init() function requires msgs and msg_write_idx from the
+dev context to be initialized.
+
+amd_i2c_dw_xfer_quirk() inits msgs and msgs_num, but not msg_write_idx.
+
+This could allow an out of bounds access (of msgs).
+
+Initialize msg_write_idx before calling i2c_dw_xfer_init().
+
+Reviewed-by: Andy Shevchenko
+Fixes: 17631e8ca2d3 ("i2c: designware: Add driver support for AMD NAVI GPU")
+Cc: # v5.13+
+Signed-off-by: Michael J. Ruhl
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20250627143511.489570-1-michael.j.ruhl@intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-designware-master.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i2c/busses/i2c-designware-master.c
++++ b/drivers/i2c/busses/i2c-designware-master.c
+@@ -363,6 +363,7 @@ static int amd_i2c_dw_xfer_quirk(struct
+
+ dev->msgs = msgs;
+ dev->msgs_num = num_msgs;
++ dev->msg_write_idx = 0;
+ i2c_dw_xfer_init(dev);
+
+ /* Initiate messages read/write transaction */
diff --git a/queue-6.15/iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch b/queue-6.15/iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch
new file mode 100644
index 0000000000..7fa447785f
--- /dev/null
+++ b/queue-6.15/iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch
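Review bot: Only `msg_write_idx` is reset before `i2c_dw_xfer_init(dev)` in amd_i2c_dw_xfer_quirk(), and nothing in the code says why that field matters. The commit message explains that i2c_dw_xfer_init() depends on `msgs` and `msg_write_idx`, so a stale index left by an earlier transfer could select an entry beyond the new `msgs` array; a one-line comment such as `/* i2c_dw_xfer_init() indexes dev->msgs with msg_write_idx */` would keep that bounds requirement visible. Whether the other per-transfer fields of `dev` need the same reset in this quirk path cannot be judged from the hunk, which shows only part of the function, and is worth checking.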
@@ -0,0 +1,46 @@
+From 62e062a29ad5133f67c20b333ba0a952a99161ae Mon Sep 17 00:00:00 2001
+From: Simon Xue
+Date: Mon, 23 Jun 2025 10:00:18 +0800
+Subject: iommu/rockchip: prevent iommus dead loop when two masters share one IOMMU
+
+From: Simon Xue
+
+commit 62e062a29ad5133f67c20b333ba0a952a99161ae upstream.
+
+When two masters share an IOMMU, calling ops->of_xlate during
+the second master's driver init may overwrite iommu->domain set
+by the first. This causes the check if (iommu->domain == domain)
+in rk_iommu_attach_device() to fail, resulting in the same
+iommu->node being added twice to &rk_domain->iommus, which can
+lead to an infinite loop in subsequent &rk_domain->iommus operations.
+
+Cc:
+Fixes: 25c2325575cc ("iommu/rockchip: Add missing set_platform_dma_ops callback")
+Signed-off-by: Simon Xue
+Reviewed-by: Robin Murphy
+Link: https://lore.kernel.org/r/20250623020018.584802-1-xxm@rock-chips.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/rockchip-iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/rockchip-iommu.c
++++ b/drivers/iommu/rockchip-iommu.c
+@@ -1155,7 +1155,6 @@ static int rk_iommu_of_xlate(struct devi
+ return -ENOMEM;
+
+ data->iommu = platform_get_drvdata(iommu_dev);
+- data->iommu->domain = &rk_identity_domain;
+ dev_iommu_priv_set(dev, data);
+
+ platform_device_put(iommu_dev);
+@@ -1193,6 +1192,8 @@ static int rk_iommu_probe(struct platfor
+ if (!iommu)
+ return -ENOMEM;
+
++ iommu->domain = &rk_identity_domain;
++
+ platform_set_drvdata(pdev, iommu);
+ iommu->dev = dev;
+ iommu->num_mmu = 0;
diff --git a/queue-6.15/iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch b/queue-6.15/iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch
new file mode 100644
index 0000000000..2b1d3c854b
--- /dev/null
+++ b/queue-6.15/iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch
@@ -0,0 +1,80 @@ +From 25b1b75bbaf96331750fb01302825069657b2ff8 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Sat, 28 Jun 2025 18:03:51 +0800 +Subject: iommu/vt-d: Assign devtlb cache tag on ATS enablement + +From: Lu Baolu + +commit 25b1b75bbaf96331750fb01302825069657b2ff8 upstream. + +Commit <4f1492efb495> ("iommu/vt-d: Revert ATS timing change to fix boot +failure") placed the enabling of ATS in the probe_finalize callback. This +occurs after the default domain attachment, which is when the ATS cache +tag is assigned. Consequently, the device TLB cache tag is missed when the +domain is attached, leading to the device TLB not being invalidated in the +iommu_unmap paths. + +Fix this by assigning the CACHE_TAG_DEVTLB cache tag when ATS is enabled. + +Fixes: 4f1492efb495 ("iommu/vt-d: Revert ATS timing change to fix boot failure") +Cc: stable@vger.kernel.org +Suggested-by: Kevin Tian +Signed-off-by: Lu Baolu +Tested-by: Shuicheng Lin +Reviewed-by: Kevin Tian +Link: https://lore.kernel.org/r/20250625050135.3129955-1-baolu.lu@linux.intel.com +Link: https://lore.kernel.org/r/20250628100351.3198955-2-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel/cache.c | 5 ++--- + drivers/iommu/intel/iommu.c | 11 ++++++++++- + drivers/iommu/intel/iommu.h | 2 ++ + 3 files changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/iommu/intel/cache.c ++++ b/drivers/iommu/intel/cache.c +@@ -40,9 +40,8 @@ static bool cache_tage_match(struct cach + } + + /* Assign a cache tag with specified type to domain. 
*/ +-static int cache_tag_assign(struct dmar_domain *domain, u16 did, +- struct device *dev, ioasid_t pasid, +- enum cache_tag_type type) ++int cache_tag_assign(struct dmar_domain *domain, u16 did, struct device *dev, ++ ioasid_t pasid, enum cache_tag_type type) + { + struct device_domain_info *info = dev_iommu_priv_get(dev); + struct intel_iommu *iommu = info->iommu; +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -3819,8 +3819,17 @@ static void intel_iommu_probe_finalize(s + !pci_enable_pasid(to_pci_dev(dev), info->pasid_supported & ~1)) + info->pasid_enabled = 1; + +- if (sm_supported(iommu) && !dev_is_real_dma_subdevice(dev)) ++ if (sm_supported(iommu) && !dev_is_real_dma_subdevice(dev)) { + iommu_enable_pci_ats(info); ++ /* Assign a DEVTLB cache tag to the default domain. */ ++ if (info->ats_enabled && info->domain) { ++ u16 did = domain_id_iommu(info->domain, iommu); ++ ++ if (cache_tag_assign(info->domain, did, dev, ++ IOMMU_NO_PASID, CACHE_TAG_DEVTLB)) ++ iommu_disable_pci_ats(info); ++ } ++ } + iommu_enable_pci_pri(info); + } + +--- a/drivers/iommu/intel/iommu.h ++++ b/drivers/iommu/intel/iommu.h +@@ -1277,6 +1277,8 @@ struct cache_tag { + unsigned int users; + }; + ++int cache_tag_assign(struct dmar_domain *domain, u16 did, struct device *dev, ++ ioasid_t pasid, enum cache_tag_type type); + int cache_tag_assign_domain(struct dmar_domain *domain, + struct device *dev, ioasid_t pasid); + void cache_tag_unassign_domain(struct dmar_domain *domain, diff --git a/queue-6.15/logitech-c-270-even-more-broken.patch b/queue-6.15/logitech-c-270-even-more-broken.patch new file mode 100644 index 0000000000..b1ed04e6ac --- /dev/null +++ b/queue-6.15/logitech-c-270-even-more-broken.patch 
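Review bot: When `cache_tag_assign()` fails in intel_iommu_probe_finalize(), ATS is turned off again with `iommu_disable_pci_ats(info)` but the error code is discarded and nothing is logged. The device then silently runs without ATS, which is hard to diagnose later; a line such as `dev_warn(dev, "Failed to assign DEVTLB cache tag, ATS disabled\n");` before the disable call would leave a trace. The function starts outside the hunk, so whether `info->domain` can change while it is read here is not visible and should be confirmed against the callers.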
@@ -0,0 +1,32 @@
+From cee4392a57e14a799fbdee193bc4c0de65b29521 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 5 Jun 2025 14:28:45 +0200
+Subject: Logitech C-270 even more broken
+
+From: Oliver Neukum
+
+commit cee4392a57e14a799fbdee193bc4c0de65b29521 upstream.
+
+Some varieties of this device don't work with
+RESET_RESUME alone.
+
+Signed-off-by: Oliver Neukum
+Cc: stable
+Link: https://lore.kernel.org/r/20250605122852.1440382-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/core/quirks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -227,7 +227,8 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME },
+
+ /* Logitech HD Webcam C270 */
+- { USB_DEVICE(0x046d, 0x0825), .driver_info = USB_QUIRK_RESET_RESUME },
++ { USB_DEVICE(0x046d, 0x0825), .driver_info = USB_QUIRK_RESET_RESUME |
++ USB_QUIRK_NO_LPM},
+
+ /* Logitech HD Pro Webcams C920, C920-C, C922, C925e and C930e */
+ { USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT },
diff --git a/queue-6.15/optee-ffa-fix-sleep-in-atomic-context.patch b/queue-6.15/optee-ffa-fix-sleep-in-atomic-context.patch
new file mode 100644
index 0000000000..810e998a1a
--- /dev/null
+++ b/queue-6.15/optee-ffa-fix-sleep-in-atomic-context.patch
@@ -0,0 +1,151 @@ +From 312d02adb959ea199372f375ada06e0186f651e4 Mon Sep 17 00:00:00 2001 +From: Jens Wiklander +Date: Mon, 2 Jun 2025 14:04:35 +0200 +Subject: optee: ffa: fix sleep in atomic context + +From: Jens Wiklander + +commit 312d02adb959ea199372f375ada06e0186f651e4 upstream. + +The OP-TEE driver registers the function notif_callback() for FF-A +notifications. However, this function is called in an atomic context +leading to errors like this when processing asynchronous notifications: + + | BUG: sleeping function called from invalid context at kernel/locking/mutex.c:258 + | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 9, name: kworker/0:0 + | preempt_count: 1, expected: 0 + | RCU nest depth: 0, expected: 0 + | CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.14.0-00019-g657536ebe0aa #13 + | Hardware name: linux,dummy-virt (DT) + | Workqueue: ffa_pcpu_irq_notification notif_pcpu_irq_work_fn + | Call trace: + | show_stack+0x18/0x24 (C) + | dump_stack_lvl+0x78/0x90 + | dump_stack+0x18/0x24 + | __might_resched+0x114/0x170 + | __might_sleep+0x48/0x98 + | mutex_lock+0x24/0x80 + | optee_get_msg_arg+0x7c/0x21c + | simple_call_with_arg+0x50/0xc0 + | optee_do_bottom_half+0x14/0x20 + | notif_callback+0x3c/0x48 + | handle_notif_callbacks+0x9c/0xe0 + | notif_get_and_handle+0x40/0x88 + | generic_exec_single+0x80/0xc0 + | smp_call_function_single+0xfc/0x1a0 + | notif_pcpu_irq_work_fn+0x2c/0x38 + | process_one_work+0x14c/0x2b4 + | worker_thread+0x2e4/0x3e0 + | kthread+0x13c/0x210 + | ret_from_fork+0x10/0x20 + +Fix this by adding work queue to process the notification in a +non-atomic context. 
+ +Fixes: d0476a59de06 ("optee: ffa_abi: add asynchronous notifications") +Cc: stable@vger.kernel.org +Reviewed-by: Sumit Garg +Tested-by: Sudeep Holla +Link: https://lore.kernel.org/r/20250602120452.2507084-1-jens.wiklander@linaro.org +Signed-off-by: Jens Wiklander +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tee/optee/ffa_abi.c | 41 +++++++++++++++++++++++++++++--------- + drivers/tee/optee/optee_private.h | 2 + + 2 files changed, 34 insertions(+), 9 deletions(-) + +--- a/drivers/tee/optee/ffa_abi.c ++++ b/drivers/tee/optee/ffa_abi.c +@@ -728,12 +728,21 @@ static bool optee_ffa_exchange_caps(stru + return true; + } + ++static void notif_work_fn(struct work_struct *work) ++{ ++ struct optee_ffa *optee_ffa = container_of(work, struct optee_ffa, ++ notif_work); ++ struct optee *optee = container_of(optee_ffa, struct optee, ffa); ++ ++ optee_do_bottom_half(optee->ctx); ++} ++ + static void notif_callback(int notify_id, void *cb_data) + { + struct optee *optee = cb_data; + + if (notify_id == optee->ffa.bottom_half_value) +- optee_do_bottom_half(optee->ctx); ++ queue_work(optee->ffa.notif_wq, &optee->ffa.notif_work); + else + optee_notif_send(optee, notify_id); + } +@@ -817,9 +826,11 @@ static void optee_ffa_remove(struct ffa_ + struct optee *optee = ffa_dev_get_drvdata(ffa_dev); + u32 bottom_half_id = optee->ffa.bottom_half_value; + +- if (bottom_half_id != U32_MAX) ++ if (bottom_half_id != U32_MAX) { + ffa_dev->ops->notifier_ops->notify_relinquish(ffa_dev, + bottom_half_id); ++ destroy_workqueue(optee->ffa.notif_wq); ++ } + optee_remove_common(optee); + + mutex_destroy(&optee->ffa.mutex); +@@ -835,6 +846,13 @@ static int optee_ffa_async_notif_init(st + u32 notif_id = 0; + int rc; + ++ INIT_WORK(&optee->ffa.notif_work, notif_work_fn); ++ optee->ffa.notif_wq = create_workqueue("optee_notification"); ++ if (!optee->ffa.notif_wq) { ++ rc = -EINVAL; ++ goto err; ++ } ++ + while (true) { + rc = ffa_dev->ops->notifier_ops->notify_request(ffa_dev, + is_per_vcpu, +@@ 
-851,19 +869,24 @@ static int optee_ffa_async_notif_init(st + * notifications in that case. + */ + if (rc != -EACCES) +- return rc; ++ goto err_wq; + notif_id++; + if (notif_id >= OPTEE_FFA_MAX_ASYNC_NOTIF_VALUE) +- return rc; ++ goto err_wq; + } + optee->ffa.bottom_half_value = notif_id; + + rc = enable_async_notif(optee); +- if (rc < 0) { +- ffa_dev->ops->notifier_ops->notify_relinquish(ffa_dev, +- notif_id); +- optee->ffa.bottom_half_value = U32_MAX; +- } ++ if (rc < 0) ++ goto err_rel; ++ ++ return 0; ++err_rel: ++ ffa_dev->ops->notifier_ops->notify_relinquish(ffa_dev, notif_id); ++err_wq: ++ destroy_workqueue(optee->ffa.notif_wq); ++err: ++ optee->ffa.bottom_half_value = U32_MAX; + + return rc; + } +--- a/drivers/tee/optee/optee_private.h ++++ b/drivers/tee/optee/optee_private.h +@@ -165,6 +165,8 @@ struct optee_ffa { + /* Serializes access to @global_ids */ + struct mutex mutex; + struct rhashtable global_ids; ++ struct workqueue_struct *notif_wq; ++ struct work_struct notif_work; + }; + + struct optee; diff --git a/queue-6.15/powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch b/queue-6.15/powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch new file mode 100644 index 0000000000..20702294f5 --- /dev/null +++ b/queue-6.15/powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch 
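Review bot: In optee_ffa_async_notif_init() a failed `create_workqueue("optee_notification")` is reported as `rc = -EINVAL`, although the failure it signals is an allocation failure; `rc = -ENOMEM;` would describe it correctly to the caller. Separately, the workqueue is destroyed only in optee_ffa_remove() and on the new `err_wq` label, so any other path that relinquishes the notification after a successful init (for example a probe error path, which is outside these hunks) would need a matching `destroy_workqueue(optee->ffa.notif_wq);` to avoid leaking it.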
@@ -0,0 +1,68 @@ +From 964209202ebe1569c858337441e87ef0f9d71416 Mon Sep 17 00:00:00 2001 +From: Zhang Rui +Date: Thu, 19 Jun 2025 15:13:40 +0800 +Subject: powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed + +From: Zhang Rui + +commit 964209202ebe1569c858337441e87ef0f9d71416 upstream. + +PL1 cannot be disabled on some platforms. The ENABLE bit is still set +after software clears it. This behavior leads to a scenario where, upon +user request to disable the Power Limit through the powercap sysfs, the +ENABLE bit remains set while the CLAMPING bit is inadvertently cleared. + +According to the Intel Software Developer's Manual, the CLAMPING bit, +"When set, allows the processor to go below the OS requested P states in +order to maintain the power below specified Platform Power Limit value." + +Thus this means the system may operate at higher power levels than +intended on such platforms. + +Enhance the code to check ENABLE bit after writing to it, and stop +further processing if ENABLE bit cannot be changed. + +Reported-by: Srinivas Pandruvada +Fixes: 2d281d8196e3 ("PowerCap: Introduce Intel RAPL power capping driver") +Cc: All applicable +Signed-off-by: Zhang Rui +Link: https://patch.msgid.link/20250619071340.384782-1-rui.zhang@intel.com +[ rjw: Use str_enabled_disabled() instead of open-coded equivalent ] +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/powercap/intel_rapl_common.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/drivers/powercap/intel_rapl_common.c ++++ b/drivers/powercap/intel_rapl_common.c +@@ -340,12 +340,28 @@ static int set_domain_enable(struct powe + { + struct rapl_domain *rd = power_zone_to_rapl_domain(power_zone); + struct rapl_defaults *defaults = get_defaults(rd->rp); ++ u64 val; + int ret; + + cpus_read_lock(); + ret = rapl_write_pl_data(rd, POWER_LIMIT1, PL_ENABLE, mode); +- if (!ret && defaults->set_floor_freq) ++ if (ret) ++ goto end; ++ ++ ret = rapl_read_pl_data(rd, POWER_LIMIT1, PL_ENABLE, false, &val); ++ if (ret) ++ goto end; ++ ++ if (mode != val) { ++ pr_debug("%s cannot be %s\n", power_zone->name, ++ str_enabled_disabled(mode)); ++ goto end; ++ } ++ ++ if (defaults->set_floor_freq) + defaults->set_floor_freq(rd, mode); ++ ++end: + cpus_read_unlock(); + + return ret; diff --git a/queue-6.15/riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch b/queue-6.15/riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch new file mode 100644 index 0000000000..052386da50 --- /dev/null +++ b/queue-6.15/riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch 
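Review bot: In set_domain_enable() the `mode != val` branch jumps to `end` with `ret` still 0, so a request that the hardware ignored is reported to the caller as success and shows up only through `pr_debug`. If that is deliberate, the branch should say so, e.g. `/* ENABLE bit is locked on this platform: leave CLAMPING untouched and report success */`; otherwise an error code should be set before the jump. The comparison also relies on rapl_read_pl_data() returning exactly 0 or 1 for PL_ENABLE when compared with `mode`; that helper is outside the hunk and worth confirming.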
@@ -0,0 +1,115 @@ +From 2b29be967ae456fc09c320d91d52278cf721be1e Mon Sep 17 00:00:00 2001 +From: Vivian Wang +Date: Tue, 24 Jun 2025 16:04:46 +0800 +Subject: riscv: cpu_ops_sbi: Use static array for boot_data + +From: Vivian Wang + +commit 2b29be967ae456fc09c320d91d52278cf721be1e upstream. + +Since commit 6b9f29b81b15 ("riscv: Enable pcpu page first chunk +allocator"), if NUMA is enabled, the page percpu allocator may be used +on very sparse configurations, or when requested on boot with +percpu_alloc=page. + +In that case, percpu data gets put in the vmalloc area. However, +sbi_hsm_hart_start() needs the physical address of a sbi_hart_boot_data, +and simply assumes that __pa() would work. This causes the just started +hart to immediately access an invalid address and hang. + +Fortunately, struct sbi_hart_boot_data is not too large, so we can +simply allocate an array for boot_data statically, putting it in the +kernel image. + +This fixes NUMA=y SMP boot on Sophgo SG2042. + +To reproduce on QEMU: Set CONFIG_NUMA=y and CONFIG_DEBUG_VIRTUAL=y, then +run with: + + qemu-system-riscv64 -M virt -smp 2 -nographic \ + -kernel arch/riscv/boot/Image \ + -append "percpu_alloc=page" + +Kernel output: + +[ 0.000000] Booting Linux on hartid 0 +[ 0.000000] Linux version 6.16.0-rc1 (dram@sakuya) (riscv64-unknown-linux-gnu-gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #11 SMP Tue Jun 24 14:56:22 CST 2025 +... +[ 0.000000] percpu: 28 4K pages/cpu s85784 r8192 d20712 +... +[ 0.083192] smp: Bringing up secondary CPUs ... 
+[ 0.086722] ------------[ cut here ]------------ +[ 0.086849] virt_to_phys used for non-linear address: (____ptrval____) (0xff2000000001d080) +[ 0.088001] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/physaddr.c:14 __virt_to_phys+0xae/0xe8 +[ 0.088376] Modules linked in: +[ 0.088656] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc1 #11 NONE +[ 0.088833] Hardware name: riscv-virtio,qemu (DT) +[ 0.088948] epc : __virt_to_phys+0xae/0xe8 +[ 0.089001] ra : __virt_to_phys+0xae/0xe8 +[ 0.089037] epc : ffffffff80021eaa ra : ffffffff80021eaa sp : ff2000000004bbc0 +[ 0.089057] gp : ffffffff817f49c0 tp : ff60000001d60000 t0 : 5f6f745f74726976 +[ 0.089076] t1 : 0000000000000076 t2 : 705f6f745f747269 s0 : ff2000000004bbe0 +[ 0.089095] s1 : ff2000000001d080 a0 : 0000000000000000 a1 : 0000000000000000 +[ 0.089113] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 +[ 0.089131] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000000000 +[ 0.089155] s2 : ffffffff8130dc00 s3 : 0000000000000001 s4 : 0000000000000001 +[ 0.089174] s5 : ffffffff8185eff8 s6 : ff2000007f1eb000 s7 : ffffffff8002a2ec +[ 0.089193] s8 : 0000000000000001 s9 : 0000000000000001 s10: 0000000000000000 +[ 0.089211] s11: 0000000000000000 t3 : ffffffff8180a9f7 t4 : ffffffff8180a9f7 +[ 0.089960] t5 : ffffffff8180a9f8 t6 : ff2000000004b9d8 +[ 0.089984] status: 0000000200000120 badaddr: ffffffff80021eaa cause: 0000000000000003 +[ 0.090101] [] __virt_to_phys+0xae/0xe8 +[ 0.090228] [] sbi_cpu_start+0x6e/0xe8 +[ 0.090247] [] __cpu_up+0x1e/0x8c +[ 0.090260] [] bringup_cpu+0x42/0x258 +[ 0.090277] [] cpuhp_invoke_callback+0xe0/0x40c +[ 0.090292] [] __cpuhp_invoke_callback_range+0x68/0xfc +[ 0.090320] [] _cpu_up+0x11a/0x244 +[ 0.090334] [] cpu_up+0x52/0x90 +[ 0.090384] [] bringup_nonboot_cpus+0x78/0x118 +[ 0.090411] [] smp_init+0x34/0xb8 +[ 0.090425] [] kernel_init_freeable+0x148/0x2e4 +[ 0.090442] [] kernel_init+0x1e/0x14c +[ 0.090455] [] ret_from_fork_kernel+0xe/0xf0 +[ 0.090471] [] 
ret_from_fork_kernel_asm+0x16/0x18 +[ 0.090560] ---[ end trace 0000000000000000 ]--- +[ 1.179875] CPU1: failed to come online +[ 1.190324] smp: Brought up 1 node, 1 CPU + +Cc: stable@vger.kernel.org +Reported-by: Han Gao +Fixes: 6b9f29b81b15 ("riscv: Enable pcpu page first chunk allocator") +Reviewed-by: Alexandre Ghiti +Tested-by: Alexandre Ghiti +Signed-off-by: Vivian Wang +Link: https://lore.kernel.org/r/20250624-riscv-hsm-boot-data-array-v1-1-50b5eeafbe61@iscas.ac.cn +Signed-off-by: Alexandre Ghiti +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/cpu_ops_sbi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/riscv/kernel/cpu_ops_sbi.c ++++ b/arch/riscv/kernel/cpu_ops_sbi.c +@@ -18,10 +18,10 @@ const struct cpu_operations cpu_ops_sbi; + + /* + * Ordered booting via HSM brings one cpu at a time. However, cpu hotplug can +- * be invoked from multiple threads in parallel. Define a per cpu data ++ * be invoked from multiple threads in parallel. Define an array of boot data + * to handle that. + */ +-static DEFINE_PER_CPU(struct sbi_hart_boot_data, boot_data); ++static struct sbi_hart_boot_data boot_data[NR_CPUS]; + + static int sbi_hsm_hart_start(unsigned long hartid, unsigned long saddr, + unsigned long priv) +@@ -67,7 +67,7 @@ static int sbi_cpu_start(unsigned int cp + unsigned long boot_addr = __pa_symbol(secondary_start_sbi); + unsigned long hartid = cpuid_to_hartid_map(cpuid); + unsigned long hsm_data; +- struct sbi_hart_boot_data *bdata = &per_cpu(boot_data, cpuid); ++ struct sbi_hart_boot_data *bdata = &boot_data[cpuid]; + + /* Make sure tidle is updated */ + smp_mb(); diff --git a/queue-6.15/series b/queue-6.15/series index 47e214daa9..343404703e 100644 --- a/queue-6.15/series +++ b/queue-6.15/series 
@@ -153,3 +153,15 @@ usb-dwc3-abort-suspend-on-soft-disconnect-failure.patch
 usb-dwc3-gadget-fix-trb-reclaim-logic-for-short-transfers-and-zlps.patch
 usb-chipidea-udc-disconnect-reconnect-from-host-when-do-suspend-resume.patch
 usb-acpi-fix-device-link-removal.patch
+smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch
+cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch
+dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch
+hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch
+dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch
+i2c-designware-fix-an-initialization-issue.patch
+logitech-c-270-even-more-broken.patch
+optee-ffa-fix-sleep-in-atomic-context.patch
+iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch
+iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch
+powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch
+riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch
diff --git a/queue-6.15/smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch b/queue-6.15/smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch
new file mode 100644
index 0000000000..4c4255d8b4
--- /dev/null
+++ b/queue-6.15/smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch
@@ -0,0 +1,43 @@
+From b8f89cb723b9e66f5dbd7199e4036fee34fb0de0 Mon Sep 17 00:00:00 2001
+From: Philipp Kerling
+Date: Sun, 29 Jun 2025 19:05:05 +0200
+Subject: smb: client: fix readdir returning wrong type with POSIX extensions
+
+From: Philipp Kerling
+
+commit b8f89cb723b9e66f5dbd7199e4036fee34fb0de0 upstream.
+
+When SMB 3.1.1 POSIX Extensions are negotiated, userspace applications
+using readdir() or getdents() calls without stat() on each individual file
+(such as a simple "ls" or "find") would misidentify file types and exhibit
+strange behavior such as not descending into directories. The reason for
+this behavior is an oversight in the cifs_posix_to_fattr conversion
+function. Instead of extracting the entry type for cf_dtype from the
+properly converted cf_mode field, it tries to extract the type from the
+PDU. While the wire representation of the entry mode is similar in
+structure to POSIX stat(), the assignments of the entry types are
+different. Applying the S_DT macro to cf_mode instead yields the correct
+result. This is also what the equivalent function
+smb311_posix_info_to_fattr in inode.c already does for stat() etc.; which
+is why "ls -l" would give the correct file type but "ls" would not (as
+identified by the colors).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Philipp Kerling
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/readdir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/readdir.c
++++ b/fs/smb/client/readdir.c
+@@ -263,7 +263,7 @@ cifs_posix_to_fattr(struct cifs_fattr *f
+ /* The Mode field in the response can now include the file type as well */
+ fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode),
+ fattr->cf_cifsattrs & ATTR_DIRECTORY);
+- fattr->cf_dtype = S_DT(le32_to_cpu(info->Mode));
++ fattr->cf_dtype = S_DT(fattr->cf_mode);
+
+ switch (fattr->cf_mode & S_IFMT) {
+ case S_IFLNK:
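Review bot: The corrected assignment `fattr->cf_dtype = S_DT(fattr->cf_mode);` in cifs_posix_to_fattr now depends on cf_mode having been filled from wire_mode_to_posix() on the two lines just above, and nothing in the code records that ordering or why the raw field must not be used. Because Mode arrives in the server's response and, per the commit message, its type encoding differs from the POSIX one, a one-line comment would keep a later edit from reintroducing the raw-PDU form: `/* derive d_type from the converted mode; wire type values are not S_IFMT values */`. The message also says smb311_posix_info_to_fattr in inode.c performs the same derivation, so a small shared helper might be worth considering, though that function is not visible in this hunk. The body of cifs_posix_to_fattr starts and ends outside the hunk.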