From: Greg Kroah-Hartman Date: Fri, 22 Aug 2025 14:00:07 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.16.3~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=648bf62cac551a9d24eacaf3a9219afff6f1af95;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: io_uring-futex-ensure-io_futex_wait-cleans-up-properly-on-failure.patch iommu-arm-smmu-v3-fix-smmu_domain-nr_ats_masters-decrement.patch iov_iter-iterate_folioq-fix-handling-of-offset-folio-size.patch mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
---
diff --git a/queue-6.12/io_uring-futex-ensure-io_futex_wait-cleans-up-properly-on-failure.patch b/queue-6.12/io_uring-futex-ensure-io_futex_wait-cleans-up-properly-on-failure.patch
new file mode 100644
index 0000000000..1a471baf9e
--- /dev/null
+++ b/queue-6.12/io_uring-futex-ensure-io_futex_wait-cleans-up-properly-on-failure.patch
@@ -0,0 +1,48 @@
+From 508c1314b342b78591f51c4b5dadee31a88335df Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 21 Aug 2025 13:23:21 -0600
+Subject: io_uring/futex: ensure io_futex_wait() cleans up properly on failure
+
+From: Jens Axboe
+
+commit 508c1314b342b78591f51c4b5dadee31a88335df upstream.
+
+The io_futex_data is allocated upfront and assigned to the io_kiocb
+async_data field, but the request isn't marked with REQ_F_ASYNC_DATA
+at that point. Those two should always go together, as the flag tells
+io_uring whether the field is valid or not.
+
+Additionally, on failure cleanup, the futex handler frees the data but
+does not clear ->async_data. Clear the data and the flag in the error
+path as well.
+
+Thanks to Trend Micro Zero Day Initiative and particularly ReDress for
+reporting this.
+
+Cc: stable@vger.kernel.org
+Fixes: 194bb58c6090 ("io_uring: add support for futex wake and wait")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/futex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/io_uring/futex.c
++++ b/io_uring/futex.c
+@@ -337,6 +337,7 @@ int io_futex_wait(struct io_kiocb *req,
+ goto done_unlock;
+ }
+
++ req->flags |= REQ_F_ASYNC_DATA;
+ req->async_data = ifd;
+ ifd->q = futex_q_init;
+ ifd->q.bitset = iof->futex_mask;
+@@ -359,6 +360,8 @@ done:
+ if (ret < 0)
+ req_set_fail(req);
+ io_req_set_res(req, ret, 0);
++ req->async_data = NULL;
++ req->flags &= ~REQ_F_ASYNC_DATA;
+ kfree(ifd);
+ return IOU_OK;
+ }
diff --git a/queue-6.12/iommu-arm-smmu-v3-fix-smmu_domain-nr_ats_masters-decrement.patch b/queue-6.12/iommu-arm-smmu-v3-fix-smmu_domain-nr_ats_masters-decrement.patch
new file mode 100644
index 0000000000..651af7f1e1
--- /dev/null
+++ b/queue-6.12/iommu-arm-smmu-v3-fix-smmu_domain-nr_ats_masters-decrement.patch
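Review bot: The two places that now pair async_data with REQ_F_ASYNC_DATA (the assignment after the `goto done_unlock` block and the clears under `done:`) carry no comment saying why the pointer and flag must be dropped before `kfree(ifd)`, so a later reader will see the clear as redundant next to the free and may remove it. I would add above the two new lines under `done:`: `/* ifd is freed below: drop the async_data reference and its flag first so generic request cleanup never sees a dangling pointer */`. If io_uring already has a helper that clears async_data together with the flag, using it here would keep the two sites from drifting apart again; otherwise a small static helper in futex.c would do the same. Both ends of io_futex_wait() are outside the hunk, so whether other exits between the assignment and `done:` can leave the pair inconsistent cannot be judged from here.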
@@ -0,0 +1,53 @@
+From 685ca577b408ffd9c5a4057a2acc0cd3e6978b36 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen
+Date: Thu, 31 Jul 2025 20:01:27 -0700
+Subject: iommu/arm-smmu-v3: Fix smmu_domain->nr_ats_masters decrement
+
+From: Nicolin Chen
+
+commit 685ca577b408ffd9c5a4057a2acc0cd3e6978b36 upstream.
+
+The arm_smmu_attach_commit() updates master->ats_enabled before calling
+arm_smmu_remove_master_domain() that is supposed to clean up everything
+in the old domain, including the old domain's nr_ats_masters. So, it is
+supposed to use the old ats_enabled state of the device, not an updated
+state.
+
+This isn't a problem if switching between two domains where:
+ - old ats_enabled = false; new ats_enabled = false
+ - old ats_enabled = true; new ats_enabled = true
+but can fail cases where:
+ - old ats_enabled = false; new ats_enabled = true
+ (old domain should keep the counter but incorrectly decreased it)
+ - old ats_enabled = true; new ats_enabled = false
+ (old domain needed to decrease the counter but incorrectly missed it)
+
+Update master->ats_enabled after arm_smmu_remove_master_domain() to fix
+this.
+
+Fixes: 7497f4211f4f ("iommu/arm-smmu-v3: Make changing domains be hitless for ATS")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nicolin Chen
+Acked-by: Will Deacon
+Reviewed-by: Jason Gunthorpe
+Reviewed-by: Pranjal Shrivastava
+Link: https://lore.kernel.org/r/20250801030127.2006979-1-nicolinc@nvidia.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+@@ -2778,9 +2778,9 @@ static void arm_smmu_attach_commit(struc
+ /* ATS is being switched off, invalidate the entire ATC */
+ arm_smmu_atc_inv_master(master, IOMMU_NO_PASID);
+ }
+- master->ats_enabled = state->ats_enabled;
+
+ arm_smmu_remove_master_domain(master, state->old_domain, state->ssid);
++ master->ats_enabled = state->ats_enabled;
+ }
+
+ static int arm_smmu_attach_dev(struct iommu_domain *domain, struct device *dev)
diff --git a/queue-6.12/iov_iter-iterate_folioq-fix-handling-of-offset-folio-size.patch b/queue-6.12/iov_iter-iterate_folioq-fix-handling-of-offset-folio-size.patch
new file mode 100644
index 0000000000..e26fb43198
--- /dev/null
+++ b/queue-6.12/iov_iter-iterate_folioq-fix-handling-of-offset-folio-size.patch
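Review bot: The moved line `master->ats_enabled = state->ats_enabled;` now has an ordering dependency on `arm_smmu_remove_master_domain()` that nothing in the code states, so the next refactor of arm_smmu_attach_commit() can reintroduce exactly the counter imbalance the commit message describes. I would put a comment on the moved line: `/* Must stay after arm_smmu_remove_master_domain(): it reads the old ats_enabled to drop the old domain's nr_ats_masters */`. The start of arm_smmu_attach_commit() is outside the hunk; the ATC invalidation branch above presumably also compares old and new state, which is consistent with keeping this update last.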
@@ -0,0 +1,87 @@
+From 808471ddb0fa785559c3e7aee59be20a13b46ef5 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Wed, 13 Aug 2025 15:04:55 +0900
+Subject: iov_iter: iterate_folioq: fix handling of offset >= folio size
+
+From: Dominique Martinet
+
+commit 808471ddb0fa785559c3e7aee59be20a13b46ef5 upstream.
+
+It's apparently possible to get an iov advanced all the way up to the end
+of the current page we're looking at, e.g.
+
+(gdb) p *iter
+$24 = {iter_type = 4 '\004', nofault = false, data_source = false, iov_offset = 4096, {__ubuf_iovec = {
+ iov_base = 0xffff88800f5bc000, iov_len = 655}, {{__iov = 0xffff88800f5bc000, kvec = 0xffff88800f5bc000,
+ bvec = 0xffff88800f5bc000, folioq = 0xffff88800f5bc000, xarray = 0xffff88800f5bc000,
+ ubuf = 0xffff88800f5bc000}, count = 655}}, {nr_segs = 2, folioq_slot = 2 '\002', xarray_start = 2}}
+
+Where iov_offset is 4k with 4k-sized folios
+
+This should have been fine because we're only in the 2nd slot and there's
+another one after this, but iterate_folioq should not try to map a folio
+that skips the whole size, and more importantly part here does not end up
+zero (because 'PAGE_SIZE - skip % PAGE_SIZE' ends up PAGE_SIZE and not
+zero..), so skip forward to the "advance to next folio" code
+
+Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-0-a0ffad2b665a@codewreck.org
+Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-1-a0ffad2b665a@codewreck.org
+Signed-off-by: Dominique Martinet
+Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios")
+Reported-by: Maximilian Bosch
+Reported-by: Ryan Lahfa
+Reported-by: Christian Theune
+Reported-by: Arnout Engelen
+Link: https://lkml.kernel.org/r/D4LHHUNLG79Y.12PI0X6BEHRHW@mbosch.me/
+Acked-by: David Howells
+Cc: Al Viro
+Cc: Christian Brauner
+Cc: Matthew Wilcox (Oracle)
+Cc: [6.12+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/iov_iter.h | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/iov_iter.h b/include/linux/iov_iter.h
+index c4aa58032faf..f9a17fbbd398 100644
+--- a/include/linux/iov_iter.h
++++ b/include/linux/iov_iter.h
+@@ -160,7 +160,7 @@ size_t iterate_folioq(struct iov_iter *iter, size_t len, void *priv, void *priv2
+
+ do {
+ struct folio *folio = folioq_folio(folioq, slot);
+- size_t part, remain, consumed;
++ size_t part, remain = 0, consumed;
+ size_t fsize;
+ void *base;
+
+@@ -168,14 +168,16 @@ size_t iterate_folioq(struct iov_iter *iter, size_t len, void *priv, void *priv2
+ break;
+
+ fsize = folioq_folio_size(folioq, slot);
+- base = kmap_local_folio(folio, skip);
+- part = umin(len, PAGE_SIZE - skip % PAGE_SIZE);
+- remain = step(base, progress, part, priv, priv2);
+- kunmap_local(base);
+- consumed = part - remain;
+- len -= consumed;
+- progress += consumed;
+- skip += consumed;
++ if (skip < fsize) {
++ base = kmap_local_folio(folio, skip);
++ part = umin(len, PAGE_SIZE - skip % PAGE_SIZE);
++ remain = step(base, progress, part, priv, priv2);
++ kunmap_local(base);
++ consumed = part - remain;
++ len -= consumed;
++ progress += consumed;
++ skip += consumed;
++ }
+ if (skip >= fsize) {
+ skip = 0;
+ slot++;
+--
+2.50.1
+
diff --git a/queue-6.12/mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch b/queue-6.12/mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
new file mode 100644
index 0000000000..c21324606a
--- /dev/null
+++ b/queue-6.12/mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
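Review bot: `part` and `consumed` are now only assigned inside the new `if (skip < fsize)` block while `remain` alone gets an explicit `= 0`; if anything after the slot advance (outside this hunk) reads `part` or `consumed`, that read is of an indeterminate value in the skipped case, and the asymmetric initialisation deserves a comment either way. I would add above the new `if`: `/* skip == fsize is reachable after a prior advance; nothing is left to map in this folio, so fall through to the slot advance with remain == 0 */`. The rest of the do-while loop and iterate_folioq() itself are outside the hunk.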
@@ -0,0 +1,91 @@
+From dec8b38be4b35cae5f7fa086daf2631e2cfa09c1 Mon Sep 17 00:00:00 2001
+From: Victor Shih
+Date: Thu, 31 Jul 2025 14:57:50 +0800
+Subject: mmc: sdhci-pci-gli: Add a new function to simplify the code
+
+From: Victor Shih
+
+commit dec8b38be4b35cae5f7fa086daf2631e2cfa09c1 upstream.
+
+In preparation to fix replay timer timeout, add
+sdhci_gli_mask_replay_timer_timeout() function
+to simplify some of the code, allowing it to be re-used.
+
+Signed-off-by: Victor Shih
+Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
+Cc: stable@vger.kernel.org
+Acked-by: Adrian Hunter
+Link: https://lore.kernel.org/r/20250731065752.450231-2-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-pci-gli.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -215,6 +215,20 @@
+ #define GLI_MAX_TUNING_LOOP 40
+
+ /* Genesys Logic chipset */
++static void sdhci_gli_mask_replay_timer_timeout(struct pci_dev *pdev)
++{
++ int aer;
++ u32 value;
++
++ /* mask the replay timer timeout of AER */
++ aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
++ if (aer) {
++ pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
++ value |= PCI_ERR_COR_REP_TIMER;
++ pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
++ }
++}
++
+ static inline void gl9750_wt_on(struct sdhci_host *host)
+ {
+ u32 wt_value;
+@@ -535,7 +549,6 @@ static void gl9750_hw_setting(struct sdh
+ {
+ struct sdhci_pci_slot *slot = sdhci_priv(host);
+ struct pci_dev *pdev;
+- int aer;
+ u32 value;
+
+ pdev = slot->chip->pdev;
+@@ -554,12 +567,7 @@ static void gl9750_hw_setting(struct sdh
+ pci_set_power_state(pdev, PCI_D0);
+
+ /* mask the replay timer timeout of AER */
+- aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
+- if (aer) {
+- pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
+- value |= PCI_ERR_COR_REP_TIMER;
+- pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
+- }
++ sdhci_gli_mask_replay_timer_timeout(pdev);
+
+ gl9750_wt_off(host);
+ }
+@@ -734,7 +742,6 @@ static void sdhci_gl9755_set_clock(struc
+ static void gl9755_hw_setting(struct sdhci_pci_slot *slot)
+ {
+ struct pci_dev *pdev = slot->chip->pdev;
+- int aer;
+ u32 value;
+
+ gl9755_wt_on(pdev);
+@@ -769,12 +776,7 @@ static void gl9755_hw_setting(struct sdh
+ pci_set_power_state(pdev, PCI_D0);
+
+ /* mask the replay timer timeout of AER */
+- aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
+- if (aer) {
+- pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
+- value |= PCI_ERR_COR_REP_TIMER;
+- pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
+- }
++ sdhci_gli_mask_replay_timer_timeout(pdev);
+
+ gl9755_wt_off(pdev);
+ }
diff --git a/queue-6.12/series b/queue-6.12/series
index 11b386f4bb..9c94baa7cd 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -160,3 +160,7 @@ io_uring-net-commit-partial-buffers-on-retry.patch
 ata-libata-scsi-return-aborted-command-when-missing-sense-and-result-tf.patch
 sched_ext-initialize-built-in-idle-state-before-ops.init.patch
 revert-can-ti_hecc-fix-woverflow-compiler-warning.patch
+io_uring-futex-ensure-io_futex_wait-cleans-up-properly-on-failure.patch
+iov_iter-iterate_folioq-fix-handling-of-offset-folio-size.patch
+iommu-arm-smmu-v3-fix-smmu_domain-nr_ats_masters-decrement.patch
+mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
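Review bot: In the new `sdhci_gli_mask_replay_timer_timeout()` the return value of `pci_read_config_dword()` is ignored before `value` is modified and written back; as far as I recall the PCI core reports an error and hands back an all-ones value when the config read fails, in which case the read-modify-write would mask every correctable error rather than only the replay timer bit. This is inherited from the two call sites being consolidated, but the helper is the natural place to add `if (pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value)) return;` with a comment such as `/* leave the mask untouched if the AER block cannot be read */`. The `aer` locals are removed from both callers while `u32 value` stays, presumably because it is still used elsewhere in those functions; that is outside the hunk. The commit message calls this preparation for a replay-timer fix, so on its own the backport is behaviour-neutral and only useful if the follow-up is queued alongside it.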