From: Greg Kroah-Hartman Date: Thu, 21 Aug 2025 13:11:43 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.16.3~94 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71bfe5e67b0602f0ba514c9b66591b9b161a0312;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: arm64-dts-ti-k3-am62-verdin-enable-pull-ups-on-i2c-buses.patch arm64-dts-ti-k3-am62a7-sk-fix-pinmux-for-main_uart1.patch arm64-dts-ti-k3-pinctrl-enable-schmitt-trigger-by-default.patch ata-libata-scsi-fix-ata_to_sense_error-status-handling.patch ata-libata-scsi-fix-cdl-control.patch btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch crypto-qat-flush-misc-workqueue-during-device-shutdown.patch crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch dt-bindings-display-sprd-sharkl3-dpu-fix-missing-clocks-constraints.patch dt-bindings-display-sprd-sharkl3-dsi-host-fix-missing-clocks-constraints.patch ext4-check-fast-symlink-for-ea_inode-correctly.patch ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch ext4-use-kmalloc_array-for-array-space-allocation.patch ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch ksmbd-fix-refcount-leak-causing-resource-not-released.patch lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch scsi-mpi3mr-fix-race-between-config-read-submit-and-interrupt-completion.patch scsi-ufs-ufs-pci-fix-default-runtime-and-system-pm-levels.patch scsi-ufs-ufs-pci-fix-hibernate-state-transition-for-intel-mtl-like-host-controllers.patch tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch --- diff --git a/queue-6.6/arm64-dts-ti-k3-am62-verdin-enable-pull-ups-on-i2c-buses.patch b/queue-6.6/arm64-dts-ti-k3-am62-verdin-enable-pull-ups-on-i2c-buses.patch new file mode 100644 index 0000000000..067394eecb --- /dev/null +++ b/queue-6.6/arm64-dts-ti-k3-am62-verdin-enable-pull-ups-on-i2c-buses.patch @@ -0,0 +1,58 @@ +From bdf4252f736cc1d2a8e3e633c70fe6c728f0756e Mon Sep 17 00:00:00 2001 +From: Emanuele Ghidoli +Date: Wed, 28 May 2025 13:07:37 +0200 +Subject: arm64: dts: ti: k3-am62-verdin: Enable pull-ups on I2C buses + +From: Emanuele Ghidoli + +commit bdf4252f736cc1d2a8e3e633c70fe6c728f0756e upstream. + +Enable internal bias pull-ups on the SoC-side I2C buses that do not have +external pull resistors populated on the SoM. This ensures proper +default line levels. + +Cc: stable@vger.kernel.org +Fixes: 316b80246b16 ("arm64: dts: ti: add verdin am62") +Signed-off-by: Emanuele Ghidoli +Reviewed-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20250528110741.262336-1-ghidoliemanuele@gmail.com +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi +@@ -448,16 +448,16 @@ + /* Verdin I2C_2_DSI */ + pinctrl_i2c2: main-i2c2-default-pins { + pinctrl-single,pins = < +- AM62X_IOPAD(0x00b0, PIN_INPUT, 1) /* (K22) GPMC0_CSn2.I2C2_SCL */ /* SODIMM 55 */ +- AM62X_IOPAD(0x00b4, PIN_INPUT, 1) /* (K24) GPMC0_CSn3.I2C2_SDA */ /* SODIMM 53 */ ++ AM62X_IOPAD(0x00b0, PIN_INPUT_PULLUP, 1) /* (K22) GPMC0_CSn2.I2C2_SCL */ /* SODIMM 55 */ ++ AM62X_IOPAD(0x00b4, PIN_INPUT_PULLUP, 1) /* (K24) GPMC0_CSn3.I2C2_SDA */ /* SODIMM 53 */ + >; + }; + + /* Verdin I2C_4_CSI */ + pinctrl_i2c3: main-i2c3-default-pins { + pinctrl-single,pins = < +- AM62X_IOPAD(0x01d0, PIN_INPUT, 2) /* (A15) UART0_CTSn.I2C3_SCL */ /* SODIMM 95 */ +- AM62X_IOPAD(0x01d4, PIN_INPUT, 2) /* (B15) UART0_RTSn.I2C3_SDA */ /* SODIMM 93 */ ++ AM62X_IOPAD(0x01d0, PIN_INPUT_PULLUP, 2) /* (A15) UART0_CTSn.I2C3_SCL */ /* SODIMM 95 */ ++ AM62X_IOPAD(0x01d4, PIN_INPUT_PULLUP, 2) /* (B15) UART0_RTSn.I2C3_SDA */ /* SODIMM 93 */ + >; + }; + +@@ -729,8 +729,8 @@ + /* Verdin I2C_3_HDMI */ + pinctrl_mcu_i2c0: mcu-i2c0-default-pins { + pinctrl-single,pins = < +- AM62X_MCU_IOPAD(0x0044, PIN_INPUT, 0) /* (A8) MCU_I2C0_SCL */ /* SODIMM 59 */ +- AM62X_MCU_IOPAD(0x0048, PIN_INPUT, 0) /* (D10) MCU_I2C0_SDA */ /* SODIMM 57 */ ++ AM62X_MCU_IOPAD(0x0044, PIN_INPUT_PULLUP, 0) /* (A8) MCU_I2C0_SCL */ /* SODIMM 59 */ ++ AM62X_MCU_IOPAD(0x0048, PIN_INPUT_PULLUP, 0) /* (D10) MCU_I2C0_SDA */ /* SODIMM 57 */ + >; + }; + diff --git a/queue-6.6/arm64-dts-ti-k3-am62a7-sk-fix-pinmux-for-main_uart1.patch b/queue-6.6/arm64-dts-ti-k3-am62a7-sk-fix-pinmux-for-main_uart1.patch new file mode 100644 index 0000000000..10d57297d8 --- /dev/null +++ b/queue-6.6/arm64-dts-ti-k3-am62a7-sk-fix-pinmux-for-main_uart1.patch @@ -0,0 +1,38 @@ +From 8e44ac61abaae56fc6eb537a04ed78b458c5b984 Mon Sep 17 00:00:00 2001 +From: Hong Guan +Date: Mon, 7 Jul 2025 11:55:13 -0500 +Subject: arm64: dts: ti: k3-am62a7-sk: fix pinmux for main_uart1 + +From: Hong Guan + +commit 8e44ac61abaae56fc6eb537a04ed78b458c5b984 upstream. + +main_uart1 reserved for TIFS firmware traces is routed to the +onboard FT4232 via a FET switch which is connected to pin A21 and +B21 of the SoC and not E17 and C17. Fix it. + +Fixes: cf39ff15cc01a ("arm64: dts: ti: k3-am62a7-sk: Describe main_uart1 and wkup_uart") +Cc: stable@vger.kernel.org +Signed-off-by: Hong Guan +[bb@ti.com: expanded commit message] +Signed-off-by: Bryan Brattlof +Link: https://lore.kernel.org/r/20250707-uart-fixes-v1-1-8164147218b0@ti.com +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/ti/k3-am62a7-sk.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/ti/k3-am62a7-sk.dts ++++ b/arch/arm64/boot/dts/ti/k3-am62a7-sk.dts +@@ -144,8 +144,8 @@ + + main_uart1_pins_default: main-uart1-default-pins { + pinctrl-single,pins = < +- AM62AX_IOPAD(0x01e8, PIN_INPUT, 1) /* (C17) I2C1_SCL.UART1_RXD */ +- AM62AX_IOPAD(0x01ec, PIN_OUTPUT, 1) /* (E17) I2C1_SDA.UART1_TXD */ ++ AM62AX_IOPAD(0x01ac, PIN_INPUT, 2) /* (B21) MCASP0_AFSR.UART1_RXD */ ++ AM62AX_IOPAD(0x01b0, PIN_OUTPUT, 2) /* (A21) MCASP0_ACLKR.UART1_TXD */ + AM62AX_IOPAD(0x0194, PIN_INPUT, 2) /* (C19) MCASP0_AXR3.UART1_CTSn */ + AM62AX_IOPAD(0x0198, PIN_OUTPUT, 2) /* (B19) MCASP0_AXR2.UART1_RTSn */ + >; diff --git a/queue-6.6/arm64-dts-ti-k3-pinctrl-enable-schmitt-trigger-by-default.patch b/queue-6.6/arm64-dts-ti-k3-pinctrl-enable-schmitt-trigger-by-default.patch new file mode 100644 index 0000000000..4ad5428dd2 --- /dev/null +++ b/queue-6.6/arm64-dts-ti-k3-pinctrl-enable-schmitt-trigger-by-default.patch @@ -0,0 +1,67 @@ +From 5b272127884bded21576a6ddceca13725a351c63 Mon Sep 17 00:00:00 2001 +From: Alexander Sverdlin +Date: Tue, 1 Jul 2025 12:54:35 +0200 +Subject: arm64: dts: ti: k3-pinctrl: Enable Schmitt Trigger by default + +From: Alexander Sverdlin + +commit 5b272127884bded21576a6ddceca13725a351c63 upstream. + +Switch Schmitt Trigger functions for PIN_INPUT* macros by default. This is +HW PoR configuration, the slew rate requirements without ST enabled are +pretty tough for these devices. We've noticed spurious GPIO interrupts even +with noise-free edges but not meeting slew rate requirements (3.3E+6 V/s +for 3.3v LVCMOS). + +It's not obvious why one might want to disable the PoR-enabled ST on any +pin. Just enable it by default. As it's not possible to provide OR-able +macros to disable the ST, shall anyone require it, provide a set of +new macros with _NOST suffix. + +Fixes: fe49f2d776f7 ("arm64: dts: ti: Use local header for pinctrl register values") +Cc: stable@vger.kernel.org +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20250701105437.3539924-1-alexander.sverdlin@siemens.com +[vigneshr@ti.com: Add Fixes tag] +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/ti/k3-pinctrl.h | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/ti/k3-pinctrl.h ++++ b/arch/arm64/boot/dts/ti/k3-pinctrl.h +@@ -8,11 +8,16 @@ + #ifndef DTS_ARM64_TI_K3_PINCTRL_H + #define DTS_ARM64_TI_K3_PINCTRL_H + ++#define ST_EN_SHIFT (14) + #define PULLUDEN_SHIFT (16) + #define PULLTYPESEL_SHIFT (17) + #define RXACTIVE_SHIFT (18) + #define DEBOUNCE_SHIFT (11) + ++/* Schmitt trigger configuration */ ++#define ST_DISABLE (0 << ST_EN_SHIFT) ++#define ST_ENABLE (1 << ST_EN_SHIFT) ++ + #define PULL_DISABLE (1 << PULLUDEN_SHIFT) + #define PULL_ENABLE (0 << PULLUDEN_SHIFT) + +@@ -26,9 +31,13 @@ + #define PIN_OUTPUT (INPUT_DISABLE | PULL_DISABLE) + #define PIN_OUTPUT_PULLUP (INPUT_DISABLE | PULL_UP) + #define PIN_OUTPUT_PULLDOWN (INPUT_DISABLE | PULL_DOWN) +-#define PIN_INPUT (INPUT_EN | PULL_DISABLE) +-#define PIN_INPUT_PULLUP (INPUT_EN | PULL_UP) +-#define PIN_INPUT_PULLDOWN (INPUT_EN | PULL_DOWN) ++#define PIN_INPUT (INPUT_EN | ST_ENABLE | PULL_DISABLE) ++#define PIN_INPUT_PULLUP (INPUT_EN | ST_ENABLE | PULL_UP) ++#define PIN_INPUT_PULLDOWN (INPUT_EN | ST_ENABLE | PULL_DOWN) ++/* Input configurations with Schmitt Trigger disabled */ ++#define PIN_INPUT_NOST (INPUT_EN | PULL_DISABLE) ++#define PIN_INPUT_PULLUP_NOST (INPUT_EN | PULL_UP) ++#define PIN_INPUT_PULLDOWN_NOST (INPUT_EN | PULL_DOWN) + + #define PIN_DEBOUNCE_DISABLE (0 << DEBOUNCE_SHIFT) + #define PIN_DEBOUNCE_CONF1 (1 << DEBOUNCE_SHIFT) diff --git a/queue-6.6/ata-libata-scsi-fix-ata_to_sense_error-status-handling.patch b/queue-6.6/ata-libata-scsi-fix-ata_to_sense_error-status-handling.patch new file mode 100644 index 0000000000..4a7900dade --- /dev/null +++ b/queue-6.6/ata-libata-scsi-fix-ata_to_sense_error-status-handling.patch @@ -0,0 +1,90 @@ +From cf3fc037623c54de48d2ec1a1ee686e2d1de2d45 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 29 Jul 2025 18:28:07 +0900 +Subject: ata: libata-scsi: Fix ata_to_sense_error() status handling + +From: Damien Le Moal + +commit cf3fc037623c54de48d2ec1a1ee686e2d1de2d45 upstream. + +Commit 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()") +inadvertantly added the entry 0x40 (ATA_DRDY) to the stat_table array in +the function ata_to_sense_error(). This entry ties a failed qc which has +a status filed equal to ATA_DRDY to the sense key ILLEGAL REQUEST with +the additional sense code UNALIGNED WRITE COMMAND. This entry will be +used to generate a failed qc sense key and sense code when the qc is +missing sense data and there is no match for the qc error field in the +sense_table array of ata_to_sense_error(). + +As a result, for a failed qc for which we failed to get sense data (e.g. +read log 10h failed if qc is an NCQ command, or REQUEST SENSE EXT +command failed for the non-ncq case, the user very often end up seeing +the completely misleading "unaligned write command" error, even if qc +was not a write command. E.g.: + +sd 0:0:0:0: [sda] tag#12 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s +sd 0:0:0:0: [sda] tag#12 Sense Key : Illegal Request [current] +sd 0:0:0:0: [sda] tag#12 Add. Sense: Unaligned write command +sd 0:0:0:0: [sda] tag#12 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00 +I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0 + +Fix this by removing the ATA_DRDY entry from the stat_table array so +that we default to always returning ABORTED COMMAND without any +additional sense code, since we do not know any better. The entry 0x08 +(ATA_DRQ) is also removed since signaling ABORTED COMMAND with a parity +error is also misleading (as a parity error would likely be signaled +through a bus error). So for this case, also default to returning +ABORTED COMMAND without any additional sense code. With this, the +previous example error case becomes: + +sd 0:0:0:0: [sda] tag#17 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s +sd 0:0:0:0: [sda] tag#17 Sense Key : Aborted Command [current] +sd 0:0:0:0: [sda] tag#17 Add. Sense: No additional sense information +sd 0:0:0:0: [sda] tag#17 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00 +I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0 + +Together with these fixes, refactor stat_table to make it more readable +by putting the entries comments in front of the entries and using the +defined status bits macros instead of hardcoded values. + +Reported-by: Lorenz Brun +Reported-by: Brandon Schwartz +Fixes: 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -856,18 +856,14 @@ static void ata_to_sense_error(unsigned + {0xFF, 0xFF, 0xFF, 0xFF}, // END mark + }; + static const unsigned char stat_table[][4] = { +- /* Must be first because BUSY means no other bits valid */ +- {0x80, ABORTED_COMMAND, 0x47, 0x00}, +- // Busy, fake parity for now +- {0x40, ILLEGAL_REQUEST, 0x21, 0x04}, +- // Device ready, unaligned write command +- {0x20, HARDWARE_ERROR, 0x44, 0x00}, +- // Device fault, internal target failure +- {0x08, ABORTED_COMMAND, 0x47, 0x00}, +- // Timed out in xfer, fake parity for now +- {0x04, RECOVERED_ERROR, 0x11, 0x00}, +- // Recovered ECC error Medium error, recovered +- {0xFF, 0xFF, 0xFF, 0xFF}, // END mark ++ /* Busy: must be first because BUSY means no other bits valid */ ++ { ATA_BUSY, ABORTED_COMMAND, 0x00, 0x00 }, ++ /* Device fault: INTERNAL TARGET FAILURE */ ++ { ATA_DF, HARDWARE_ERROR, 0x44, 0x00 }, ++ /* Corrected data error */ ++ { ATA_CORR, RECOVERED_ERROR, 0x00, 0x00 }, ++ ++ { 0xFF, 0xFF, 0xFF, 0xFF }, /* END mark */ + }; + + /* diff --git a/queue-6.6/ata-libata-scsi-fix-cdl-control.patch b/queue-6.6/ata-libata-scsi-fix-cdl-control.patch new file mode 100644 index 0000000000..4de1894daf --- /dev/null +++ b/queue-6.6/ata-libata-scsi-fix-cdl-control.patch @@ -0,0 +1,62 @@ +From 58768b0563916ddcb73d8ed26ede664915f8df31 Mon Sep 17 00:00:00 2001 +From: Igor Pylypiv +Date: Wed, 13 Aug 2025 19:22:56 -0700 +Subject: ata: libata-scsi: Fix CDL control + +From: Igor Pylypiv + +commit 58768b0563916ddcb73d8ed26ede664915f8df31 upstream. + +Delete extra checks for the ATA_DFLAG_CDL_ENABLED flag that prevent +SET FEATURES command from being issued to a drive when NCQ commands +are active. + +ata_mselect_control_ata_feature() sets / clears the ATA_DFLAG_CDL_ENABLED +flag during the translation of MODE SELECT to SET FEATURES. If SET FEATURES +gets deferred due to outstanding NCQ commands, the original MODE SELECT +command will be re-queued. When the re-queued MODE SELECT goes through +the ata_mselect_control_ata_feature() translation again, SET FEATURES +will not be issued because ATA_DFLAG_CDL_ENABLED has been already set or +cleared by the initial translation of MODE SELECT. + +The ATA_DFLAG_CDL_ENABLED checks in ata_mselect_control_ata_feature() +are safe to remove because scsi_cdl_enable() implements a similar logic +that avoids enabling CDL if it has been enabled already. + +Fixes: 17e897a45675 ("ata: libata-scsi: Improve CDL control") +Cc: stable@vger.kernel.org +Signed-off-by: Igor Pylypiv +Reviewed-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3782,21 +3782,16 @@ static int ata_mselect_control_ata_featu + /* Check cdl_ctrl */ + switch (buf[0] & 0x03) { + case 0: +- /* Disable CDL if it is enabled */ +- if (!(dev->flags & ATA_DFLAG_CDL_ENABLED)) +- return 0; ++ /* Disable CDL */ + ata_dev_dbg(dev, "Disabling CDL\n"); + cdl_action = 0; + dev->flags &= ~ATA_DFLAG_CDL_ENABLED; + break; + case 0x02: + /* +- * Enable CDL if not already enabled. Since this is mutually +- * exclusive with NCQ priority, allow this only if NCQ priority +- * is disabled. ++ * Enable CDL. Since CDL is mutually exclusive with NCQ ++ * priority, allow this only if NCQ priority is disabled. + */ +- if (dev->flags & ATA_DFLAG_CDL_ENABLED) +- return 0; + if (dev->flags & ATA_DFLAG_NCQ_PRIO_ENABLED) { + ata_dev_err(dev, + "NCQ priority must be disabled to enable CDL\n"); diff --git a/queue-6.6/btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch b/queue-6.6/btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch new file mode 100644 index 0000000000..03f19c5a42 --- /dev/null +++ b/queue-6.6/btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch @@ -0,0 +1,55 @@ +From 5c4b93f4c8e5c53574c1a48d66a27a2c68b414af Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Wed, 16 Jul 2025 16:59:54 +0900 +Subject: btrfs: zoned: fix write time activation failure for metadata block group + +From: Naohiro Aota + +commit 5c4b93f4c8e5c53574c1a48d66a27a2c68b414af upstream. + +Since commit 13bb483d32ab ("btrfs: zoned: activate metadata block group on +write time"), we activate a metadata block group at the write time. If the +zone capacity is small enough, we can allocate the entire region before the +first write. Then, we hit the btrfs_zoned_bg_is_full() in +btrfs_zone_activate() and the activation fails. + +For a data block group, we activate it at the allocation time and we should +check the fullness condition in the caller side. Add, a WARN to check the +fullness condition. + +For a metadata block group, we don't need the fullness check because we +activate it at the write time. Instead, activating it once it is written +should be invalid. Catch that with a WARN too. + +Fixes: 13bb483d32ab ("btrfs: zoned: activate metadata block group on write time") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/zoned.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -1992,10 +1992,15 @@ bool btrfs_zone_activate(struct btrfs_bl + goto out_unlock; + } + +- /* No space left */ +- if (btrfs_zoned_bg_is_full(block_group)) { +- ret = false; +- goto out_unlock; ++ if (block_group->flags & BTRFS_BLOCK_GROUP_DATA) { ++ /* The caller should check if the block group is full. */ ++ if (WARN_ON_ONCE(btrfs_zoned_bg_is_full(block_group))) { ++ ret = false; ++ goto out_unlock; ++ } ++ } else { ++ /* Since it is already written, it should have been active. */ ++ WARN_ON_ONCE(block_group->meta_write_pointer != block_group->start); + } + + for (i = 0; i < map->num_stripes; i++) { diff --git a/queue-6.6/crypto-qat-flush-misc-workqueue-during-device-shutdown.patch b/queue-6.6/crypto-qat-flush-misc-workqueue-during-device-shutdown.patch new file mode 100644 index 0000000000..66b52a07a0 --- /dev/null +++ b/queue-6.6/crypto-qat-flush-misc-workqueue-during-device-shutdown.patch @@ -0,0 +1,83 @@ +From 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Fri, 11 Jul 2025 13:27:43 +0100 +Subject: crypto: qat - flush misc workqueue during device shutdown + +From: Giovanni Cabiddu + +commit 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a upstream. + +Repeated loading and unloading of a device specific QAT driver, for +example qat_4xxx, in a tight loop can lead to a crash due to a +use-after-free scenario. This occurs when a power management (PM) +interrupt triggers just before the device-specific driver (e.g., +qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains +loaded. + +Since the driver uses a shared workqueue (`qat_misc_wq`) across all +devices and owned by intel_qat.ko, a deferred routine from the +device-specific driver may still be pending in the queue. If this +routine executes after the driver is unloaded, it can dereference freed +memory, resulting in a page fault and kernel crash like the following: + + BUG: unable to handle page fault for address: ffa000002e50a01c + #PF: supervisor read access in kernel mode + RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat] + Call Trace: + pm_bh_handler+0x1d2/0x250 [intel_qat] + process_one_work+0x171/0x340 + worker_thread+0x277/0x3a0 + kthread+0xf0/0x120 + ret_from_fork+0x2d/0x50 + +To prevent this, flush the misc workqueue during device shutdown to +ensure that all pending work items are completed before the driver is +unloaded. + +Note: This approach may slightly increase shutdown latency if the +workqueue contains jobs from other devices, but it ensures correctness +and stability. + +Fixes: e5745f34113b ("crypto: qat - enable power management for QAT GEN4") +Signed-off-by: Giovanni Cabiddu +Cc: stable@vger.kernel.org +Reviewed-by: Ahsan Atta +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/intel/qat/qat_common/adf_common_drv.h | 1 + + drivers/crypto/intel/qat/qat_common/adf_init.c | 1 + + drivers/crypto/intel/qat/qat_common/adf_isr.c | 5 +++++ + 3 files changed, 7 insertions(+) + +--- a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h ++++ b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h +@@ -193,6 +193,7 @@ void adf_exit_misc_wq(void); + bool adf_misc_wq_queue_work(struct work_struct *work); + bool adf_misc_wq_queue_delayed_work(struct delayed_work *work, + unsigned long delay); ++void adf_misc_wq_flush(void); + #if defined(CONFIG_PCI_IOV) + int adf_sriov_configure(struct pci_dev *pdev, int numvfs); + void adf_disable_sriov(struct adf_accel_dev *accel_dev); +--- a/drivers/crypto/intel/qat/qat_common/adf_init.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_init.c +@@ -381,6 +381,7 @@ static void adf_dev_shutdown(struct adf_ + hw_data->exit_admin_comms(accel_dev); + + adf_cleanup_etr_data(accel_dev); ++ adf_misc_wq_flush(); + adf_dev_restore(accel_dev); + } + +--- a/drivers/crypto/intel/qat/qat_common/adf_isr.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_isr.c +@@ -386,3 +386,8 @@ bool adf_misc_wq_queue_delayed_work(stru + { + return queue_delayed_work(adf_misc_wq, work, delay); + } ++ ++void adf_misc_wq_flush(void) ++{ ++ flush_workqueue(adf_misc_wq); ++} diff --git a/queue-6.6/crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch b/queue-6.6/crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch new file mode 100644 index 0000000000..c3a35c6229 --- /dev/null +++ b/queue-6.6/crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch @@ -0,0 +1,81 @@ +From 8024774190a5ef2af2c5846f60a50b23e0980a32 Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Fri, 13 Jun 2025 11:32:27 +0100 +Subject: crypto: qat - lower priority for skcipher and aead algorithms + +From: Giovanni Cabiddu + +commit 8024774190a5ef2af2c5846f60a50b23e0980a32 upstream. + +Most kernel applications utilizing the crypto API operate synchronously +and on small buffer sizes, therefore do not benefit from QAT acceleration. + +Reduce the priority of QAT implementations for both skcipher and aead +algorithms, allowing more suitable alternatives to be selected by default. + +Signed-off-by: Giovanni Cabiddu +Link: https://lore.kernel.org/all/20250613012357.GA3603104@google.com/ +Cc: stable@vger.kernel.org +Acked-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/intel/qat/qat_common/qat_algs.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/intel/qat/qat_common/qat_algs.c ++++ b/drivers/crypto/intel/qat/qat_common/qat_algs.c +@@ -1277,7 +1277,7 @@ static struct aead_alg qat_aeads[] = { { + .base = { + .cra_name = "authenc(hmac(sha1),cbc(aes))", + .cra_driver_name = "qat_aes_cbc_hmac_sha1", +- .cra_priority = 4001, ++ .cra_priority = 100, + .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct qat_alg_aead_ctx), +@@ -1294,7 +1294,7 @@ static struct aead_alg qat_aeads[] = { { + .base = { + .cra_name = "authenc(hmac(sha256),cbc(aes))", + .cra_driver_name = "qat_aes_cbc_hmac_sha256", +- .cra_priority = 4001, ++ .cra_priority = 100, + .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct qat_alg_aead_ctx), +@@ -1311,7 +1311,7 @@ static struct aead_alg qat_aeads[] = { { + .base = { + .cra_name = "authenc(hmac(sha512),cbc(aes))", + .cra_driver_name = "qat_aes_cbc_hmac_sha512", +- .cra_priority = 4001, ++ .cra_priority = 100, + .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct qat_alg_aead_ctx), +@@ -1329,7 +1329,7 @@ static struct aead_alg qat_aeads[] = { { + static struct skcipher_alg qat_skciphers[] = { { + .base.cra_name = "cbc(aes)", + .base.cra_driver_name = "qat_aes_cbc", +- .base.cra_priority = 4001, ++ .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .base.cra_blocksize = AES_BLOCK_SIZE, + .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx), +@@ -1347,7 +1347,7 @@ static struct skcipher_alg qat_skciphers + }, { + .base.cra_name = "ctr(aes)", + .base.cra_driver_name = "qat_aes_ctr", +- .base.cra_priority = 4001, ++ .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .base.cra_blocksize = 1, + .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx), +@@ -1365,7 +1365,7 @@ static struct skcipher_alg qat_skciphers + }, { + .base.cra_name = "xts(aes)", + .base.cra_driver_name = "qat_aes_xts", +- .base.cra_priority = 4001, ++ .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK | + CRYPTO_ALG_ALLOCATES_MEMORY, + .base.cra_blocksize = AES_BLOCK_SIZE, diff --git a/queue-6.6/dt-bindings-display-sprd-sharkl3-dpu-fix-missing-clocks-constraints.patch b/queue-6.6/dt-bindings-display-sprd-sharkl3-dpu-fix-missing-clocks-constraints.patch new file mode 100644 index 0000000000..5938139a18 --- /dev/null +++ b/queue-6.6/dt-bindings-display-sprd-sharkl3-dpu-fix-missing-clocks-constraints.patch @@ -0,0 +1,34 @@ +From 934da599e694d476f493d3927a30414e98a81561 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sun, 20 Jul 2025 14:30:04 +0200 +Subject: dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints + +From: Krzysztof Kozlowski + +commit 934da599e694d476f493d3927a30414e98a81561 upstream. + +'minItems' alone does not impose upper bound, unlike 'maxItems' which +implies lower bound. Add missing clock constraint so the list will have +exact number of items (clocks). + +Fixes: 8cae15c60cf0 ("dt-bindings: display: add Unisoc's dpu bindings") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250720123003.37662-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml ++++ b/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml +@@ -25,7 +25,7 @@ properties: + maxItems: 1 + + clocks: +- minItems: 2 ++ maxItems: 2 + + clock-names: + items: diff --git a/queue-6.6/dt-bindings-display-sprd-sharkl3-dsi-host-fix-missing-clocks-constraints.patch b/queue-6.6/dt-bindings-display-sprd-sharkl3-dsi-host-fix-missing-clocks-constraints.patch new file mode 100644 index 0000000000..1c3f0ddaf9 --- /dev/null +++ b/queue-6.6/dt-bindings-display-sprd-sharkl3-dsi-host-fix-missing-clocks-constraints.patch @@ -0,0 +1,34 @@ +From 2558df8c13ae3bd6c303b28f240ceb0189519c91 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sun, 20 Jul 2025 14:30:05 +0200 +Subject: dt-bindings: display: sprd,sharkl3-dsi-host: Fix missing clocks constraints + +From: Krzysztof Kozlowski + +commit 2558df8c13ae3bd6c303b28f240ceb0189519c91 upstream. + +'minItems' alone does not impose upper bound, unlike 'maxItems' which +implies lower bound. Add missing clock constraint so the list will have +exact number of items (clocks). + +Fixes: 2295bbd35edb ("dt-bindings: display: add Unisoc's mipi dsi controller bindings") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250720123003.37662-4-krzysztof.kozlowski@linaro.org +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dsi-host.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dsi-host.yaml ++++ b/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dsi-host.yaml +@@ -20,7 +20,7 @@ properties: + maxItems: 2 + + clocks: +- minItems: 1 ++ maxItems: 1 + + clock-names: + items: diff --git a/queue-6.6/ext4-check-fast-symlink-for-ea_inode-correctly.patch b/queue-6.6/ext4-check-fast-symlink-for-ea_inode-correctly.patch new file mode 100644 index 0000000000..cf74be9123 --- /dev/null +++ b/queue-6.6/ext4-check-fast-symlink-for-ea_inode-correctly.patch @@ -0,0 +1,63 @@ +From b4cc4a4077268522e3d0d34de4b2dc144e2330fa Mon Sep 17 00:00:00 2001 +From: Andreas Dilger +Date: Wed, 16 Jul 2025 19:36:42 -0600 +Subject: ext4: check fast symlink for ea_inode correctly + +From: Andreas Dilger + +commit b4cc4a4077268522e3d0d34de4b2dc144e2330fa upstream. + +The check for a fast symlink in the presence of only an +external xattr inode is incorrect. If a fast symlink does +not have an xattr block (i_file_acl == 0), but does have +an external xattr inode that increases inode i_blocks, then +the check for a fast symlink will incorrectly fail and +__ext4_iget()->ext4_ind_check_inode() will report the inode +is corrupt when it "validates" i_data[] on the next read: + + # ln -s foo /mnt/tmp/bar + # setfattr -h -n trusted.test \ + -v "$(yes | head -n 4000)" /mnt/tmp/bar + # umount /mnt/tmp + # mount /mnt/tmp + # ls -l /mnt/tmp + ls: cannot access '/mnt/tmp/bar': Structure needs cleaning + total 4 + ? l?????????? ? ? ? ? ? bar + # dmesg | tail -1 + EXT4-fs error (device dm-8): __ext4_iget:5098: + inode #24578: block 7303014: comm ls: invalid block + +(note that "block 7303014" = 0x6f6f66 = "foo" in LE order). + +ext4_inode_is_fast_symlink() should check the superblock +EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode +EXT4_EA_INODE_FL, since the latter is only set on the xattr +inode itself, and not on the inode that uses this xattr. + +Cc: stable@vger.kernel.org +Fixes: fc82228a5e38 ("ext4: support fast symlinks from ext3 file systems") +Signed-off-by: Andreas Dilger +Reviewed-by: Li Dongyang +Reviewed-by: Alex Zhuravlev +Reviewed-by: Oleg Drokin +Reviewed-on: https://review.whamcloud.com/59879 +Lustre-bug-id: https://jira.whamcloud.com/browse/LU-19121 +Link: https://patch.msgid.link/20250717063709.757077-1-adilger@dilger.ca +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -146,7 +146,7 @@ static int ext4_meta_trans_blocks(struct + */ + int ext4_inode_is_fast_symlink(struct inode *inode) + { +- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) { ++ if (!ext4_has_feature_ea_inode(inode->i_sb)) { + int ea_blocks = EXT4_I(inode)->i_file_acl ? + EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0; + diff --git a/queue-6.6/ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch b/queue-6.6/ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch new file mode 100644 index 0000000000..721c64aeaa --- /dev/null +++ b/queue-6.6/ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch @@ -0,0 +1,48 @@ +From c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 7 Aug 2025 09:35:20 -0400 +Subject: ext4: don't try to clear the orphan_present feature block device is r/o + +From: Theodore Ts'o + +commit c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad upstream. + +When the file system is frozen in preparation for taking an LVM +snapshot, the journal is checkpointed and if the orphan_file feature +is enabled, and the orphan file is empty, we clear the orphan_present +feature flag. But if there are pending inodes that need to be removed +the orphan_present feature flag can't be cleared. + +The problem comes if the block device is read-only. In that case, we +can't process the orphan inode list, so it is skipped in +ext4_orphan_cleanup(). But then in ext4_mark_recovery_complete(), +this results in the ext4 error "Orphan file not empty on read-only fs" +firing and the file system mount is aborted. + +Fix this by clearing the needs_recovery flag in the block device is +read-only. We do this after the call to ext4_load_and_init-journal() +since there are some error checks need to be done in case the journal +needs to be replayed and the block device is read-only, or if the +block device containing the externa journal is read-only, etc. + +Cc: stable@kernel.org +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108271 +Cc: stable@vger.kernel.org +Fixes: 02f310fcf47f ("ext4: Speedup ext4 orphan inode handling") +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5398,6 +5398,8 @@ static int __ext4_fill_super(struct fs_c + err = ext4_load_and_init_journal(sb, es, ctx); + if (err) + goto failed_mount3a; ++ if (bdev_read_only(sb->s_bdev)) ++ needs_recovery = 0; + } else if (test_opt(sb, NOLOAD) && !sb_rdonly(sb) && + ext4_has_feature_journal_needs_recovery(sb)) { + ext4_msg(sb, KERN_ERR, "required journal recovery " diff --git a/queue-6.6/ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch b/queue-6.6/ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch new file mode 100644 index 0000000000..ad1a346b01 --- /dev/null +++ b/queue-6.6/ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch @@ -0,0 +1,120 @@ +From bae76c035bf0852844151e68098c9b7cd63ef238 Mon Sep 17 00:00:00 2001 +From: Ojaswin Mujoo +Date: Tue, 5 Aug 2025 14:00:30 +0530 +Subject: ext4: fix fsmap end of range reporting with bigalloc + +From: Ojaswin Mujoo + +commit bae76c035bf0852844151e68098c9b7cd63ef238 upstream. + +With bigalloc enabled, the logic to report last extent has a bug since +we try to use cluster units instead of block units. This can cause an +issue where extra incorrect entries might be returned back to the +user. This was flagged by generic/365 with 64k bs and -O bigalloc. + +** Details of issue ** + +The issue was noticed on 5G 64k blocksize FS with -O bigalloc which has +only 1 bg. + +$ xfs_io -c "fsmap -d" /mnt/scratch + + 0: 253:48 [0..127]: static fs metadata 128 /* sb */ + 1: 253:48 [128..255]: special 102:1 128 /* gdt */ + 3: 253:48 [256..383]: special 102:3 128 /* block bitmap */ + 4: 253:48 [384..2303]: unknown 1920 /* flex bg empty space */ + 5: 253:48 [2304..2431]: special 102:4 128 /* inode bitmap */ + 6: 253:48 [2432..4351]: unknown 1920 /* flex bg empty space */ + 7: 253:48 [4352..6911]: inodes 2560 + 8: 253:48 [6912..538623]: unknown 531712 + 9: 253:48 [538624..10485759]: free space 9947136 + +The issue can be seen with: + +$ xfs_io -c "fsmap -d 0 3" /mnt/scratch + + 0: 253:48 [0..127]: static fs metadata 128 + 1: 253:48 [384..2047]: unknown 1664 + +Only the first entry was expected to be returned but we get 2. This is +because: + +ext4_getfsmap_datadev() + first_cluster, last_cluster = 0 + ... + info->gfi_last = true; + ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, 0, info); + fsb = C2B(1) = 16 + fslen = 0 + ... + /* Merge in any relevant extents from the meta_list */ + list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) { + ... + // since fsb = 16, considers all metadata which starts before 16 blockno + iter 1: error = ext4_getfsmap_helper(sb, info, p); // p = sb (0,1), nop + info->gfi_next_fsblk = 1 + iter 2: error = ext4_getfsmap_helper(sb, info, p); // p = gdt (1,2), nop + info->gfi_next_fsblk = 2 + iter 3: error = ext4_getfsmap_helper(sb, info, p); // p = blk bitmap (2,3), nop + info->gfi_next_fsblk = 3 + iter 4: error = ext4_getfsmap_helper(sb, info, p); // p = ino bitmap (18,19) + if (rec_blk > info->gfi_next_fsblk) { // (18 > 3) + // emits an extra entry ** BUG ** + } + } + +Fix this by directly calling ext4_getfsmap_datadev() with a dummy +record that has fmr_physical set to (end_fsb + 1) instead of +last_cluster + 1. By using the block instead of cluster we get the +correct behavior. + +Replacing ext4_getfsmap_datadev_helper() with ext4_getfsmap_helper() +is okay since the gfi_lastfree and metadata checks in +ext4_getfsmap_datadev_helper() are anyways redundant when we only want +to emit the last allocated block of the range, as we have already +taken care of emitting metadata and any last free blocks. + +Cc: stable@kernel.org +Reported-by: Disha Goel +Fixes: 4a622e4d477b ("ext4: fix FS_IOC_GETFSMAP handling") +Signed-off-by: Ojaswin Mujoo +Reviewed-by: Darrick J. Wong +Link: https://patch.msgid.link/e7472c8535c9c5ec10f425f495366864ea12c9da.1754377641.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fsmap.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -526,6 +526,7 @@ static int ext4_getfsmap_datadev(struct + ext4_group_t end_ag; + ext4_grpblk_t first_cluster; + ext4_grpblk_t last_cluster; ++ struct ext4_fsmap irec; + int error = 0; + + bofs = le32_to_cpu(sbi->s_es->s_first_data_block); +@@ -609,10 +610,18 @@ static int ext4_getfsmap_datadev(struct + goto err; + } + +- /* Report any gaps at the end of the bg */ ++ /* ++ * The dummy record below will cause ext4_getfsmap_helper() to report ++ * any allocated blocks at the end of the range. ++ */ ++ irec.fmr_device = 0; ++ irec.fmr_physical = end_fsb + 1; ++ irec.fmr_length = 0; ++ irec.fmr_owner = EXT4_FMR_OWN_FREE; ++ irec.fmr_flags = 0; ++ + info->gfi_last = true; +- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, +- 0, info); ++ error = ext4_getfsmap_helper(sb, info, &irec); + if (error) + goto err; + diff --git a/queue-6.6/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch b/queue-6.6/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch new file mode 100644 index 0000000000..8009203e7d --- /dev/null +++ b/queue-6.6/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch @@ -0,0 +1,80 @@ +From 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Mon, 11 Aug 2025 14:45:32 +0800 +Subject: ext4: fix hole length calculation overflow in non-extent inodes + +From: Zhang Yi + +commit 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 upstream. + +In a filesystem with a block size larger than 4KB, the hole length +calculation for a non-extent inode in ext4_ind_map_blocks() can easily +exceed INT_MAX. Then it could return a zero length hole and trigger the +following waring and infinite in the iomap infrastructure. + + ------------[ cut here ]------------ + WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190 + CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary) + Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 + pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : iomap_iter_done+0x148/0x190 + lr : iomap_iter+0x174/0x230 + sp : ffff8000880af740 + x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000 + x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000 + x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48 + x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000 + x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000 + x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c + x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44 + x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000 + x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000 + x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000 + Call trace: + iomap_iter_done+0x148/0x190 (P) + iomap_iter+0x174/0x230 + iomap_fiemap+0x154/0x1d8 + ext4_fiemap+0x110/0x140 [ext4] + do_vfs_ioctl+0x4b8/0xbc0 + __arm64_sys_ioctl+0x8c/0x120 + invoke_syscall+0x6c/0x100 + el0_svc_common.constprop.0+0x48/0xf0 + do_el0_svc+0x24/0x38 + el0_svc+0x38/0x120 + el0t_64_sync_handler+0x10c/0x138 + el0t_64_sync+0x198/0x1a0 + ---[ end trace 0000000000000000 ]--- + +Cc: stable@kernel.org +Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()") +Reported-by: Qu Wenruo +Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx.com/ +Tested-by: Qu Wenruo +Signed-off-by: Zhang Yi +Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/indirect.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -539,7 +539,7 @@ int ext4_ind_map_blocks(handle_t *handle + int indirect_blks; + int blocks_to_boundary = 0; + int depth; +- int count = 0; ++ u64 count = 0; + ext4_fsblk_t first_block = 0; + + trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); +@@ -588,7 +588,7 @@ int ext4_ind_map_blocks(handle_t *handle + count++; + /* Fill in size of a hole we found */ + map->m_pblk = 0; +- map->m_len = min_t(unsigned int, map->m_len, count); ++ map->m_len = umin(map->m_len, count); + goto cleanup; + } + diff --git a/queue-6.6/ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch b/queue-6.6/ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch new file mode 100644 index 0000000000..14a3792072 --- /dev/null +++ b/queue-6.6/ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch @@ -0,0 +1,53 @@ +From 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 Mon Sep 17 00:00:00 2001 +From: Ojaswin Mujoo +Date: Tue, 5 Aug 2025 14:00:31 +0530 +Subject: ext4: fix reserved gdt blocks handling in fsmap + +From: Ojaswin Mujoo + +commit 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 upstream. + +In some cases like small FSes with no meta_bg and where the resize +doesn't need extra gdt blocks as it can fit in the current one, +s_reserved_gdt_blocks is set as 0, which causes fsmap to emit a 0 +length entry, which is incorrect. + + $ mkfs.ext4 -b 65536 -O bigalloc /dev/sda 5G + $ mount /dev/sda /mnt/scratch + $ xfs_io -c "fsmap -d" /mnt/scartch + + 0: 253:48 [0..127]: static fs metadata 128 + 1: 253:48 [128..255]: special 102:1 128 + 2: 253:48 [256..255]: special 102:2 0 <---- 0 len entry + 3: 253:48 [256..383]: special 102:3 128 + +Fix this by adding a check for this case. + +Cc: stable@kernel.org +Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls") +Signed-off-by: Ojaswin Mujoo +Reviewed-by: Darrick J. Wong +Link: https://patch.msgid.link/08781b796453a5770112aa96ad14c864fbf31935.1754377641.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fsmap.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -393,6 +393,14 @@ static unsigned int ext4_getfsmap_find_s + /* Reserved GDT blocks */ + if (!ext4_has_feature_meta_bg(sb) || metagroup < first_meta_bg) { + len = le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks); ++ ++ /* ++ * mkfs.ext4 can set s_reserved_gdt_blocks as 0 in some cases, ++ * check for that. ++ */ ++ if (!len) ++ return 0; ++ + error = ext4_getfsmap_fill(meta_list, fsb, len, + EXT4_FMR_OWN_RESV_GDT); + if (error) diff --git a/queue-6.6/ext4-use-kmalloc_array-for-array-space-allocation.patch b/queue-6.6/ext4-use-kmalloc_array-for-array-space-allocation.patch new file mode 100644 index 0000000000..a996e73b3e --- /dev/null +++ b/queue-6.6/ext4-use-kmalloc_array-for-array-space-allocation.patch @@ -0,0 +1,35 @@ +From 76dba1fe277f6befd6ef650e1946f626c547387a Mon Sep 17 00:00:00 2001 +From: Liao Yuanhong +Date: Mon, 11 Aug 2025 20:58:16 +0800 +Subject: ext4: use kmalloc_array() for array space allocation + +From: Liao Yuanhong + +commit 76dba1fe277f6befd6ef650e1946f626c547387a upstream. + +Replace kmalloc(size * sizeof) with kmalloc_array() for safer memory +allocation and overflow prevention. + +Cc: stable@kernel.org +Signed-off-by: Liao Yuanhong +Link: https://patch.msgid.link/20250811125816.570142-1-liaoyuanhong@vivo.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/orphan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ext4/orphan.c ++++ b/fs/ext4/orphan.c +@@ -590,8 +590,9 @@ int ext4_init_orphan_info(struct super_b + } + oi->of_blocks = inode->i_size >> sb->s_blocksize_bits; + oi->of_csum_seed = EXT4_I(inode)->i_csum_seed; +- oi->of_binfo = kmalloc(oi->of_blocks*sizeof(struct ext4_orphan_block), +- GFP_KERNEL); ++ oi->of_binfo = kmalloc_array(oi->of_blocks, ++ sizeof(struct ext4_orphan_block), ++ GFP_KERNEL); + if (!oi->of_binfo) { + ret = -ENOMEM; + goto out_put; diff --git a/queue-6.6/ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch b/queue-6.6/ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch new file mode 100644 index 0000000000..32dffc953b --- /dev/null +++ b/queue-6.6/ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch @@ -0,0 +1,93 @@ +From c0d41112f1a5828c194b59cca953114bc3776ef2 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sun, 17 Aug 2025 09:48:40 +0900 +Subject: ksmbd: extend the connection limiting mechanism to support IPv6 + +From: Namjae Jeon + +commit c0d41112f1a5828c194b59cca953114bc3776ef2 upstream. + +Update the connection tracking logic to handle both IPv4 and IPv6 +address families. + +Cc: stable@vger.kernel.org +Fixes: e6bb91939740 ("ksmbd: limit repeated connections from clients with the same IP") +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/connection.h | 7 ++++++- + fs/smb/server/transport_tcp.c | 26 +++++++++++++++++++++++--- + 2 files changed, 29 insertions(+), 4 deletions(-) + +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -45,7 +45,12 @@ struct ksmbd_conn { + struct mutex srv_mutex; + int status; + unsigned int cli_cap; +- __be32 inet_addr; ++ union { ++ __be32 inet_addr; ++#if IS_ENABLED(CONFIG_IPV6) ++ u8 inet6_addr[16]; ++#endif ++ }; + char *request_buf; + struct ksmbd_transport *transport; + struct nls_table *local_nls; +--- a/fs/smb/server/transport_tcp.c ++++ b/fs/smb/server/transport_tcp.c +@@ -87,7 +87,14 @@ static struct tcp_transport *alloc_trans + return NULL; + } + ++#if IS_ENABLED(CONFIG_IPV6) ++ if (client_sk->sk->sk_family == AF_INET6) ++ memcpy(&conn->inet6_addr, &client_sk->sk->sk_v6_daddr, 16); ++ else ++ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr; ++#else + conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr; ++#endif + conn->transport = KSMBD_TRANS(t); + KSMBD_TRANS(t)->conn = conn; + KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops; +@@ -231,7 +238,6 @@ static int ksmbd_kthread_fn(void *p) + { + struct socket *client_sk = NULL; + struct interface *iface = (struct interface *)p; +- struct inet_sock *csk_inet; + struct ksmbd_conn *conn; + int ret; + +@@ -254,13 +260,27 @@ static int ksmbd_kthread_fn(void *p) + /* + * Limits repeated connections from clients with the same IP. + */ +- csk_inet = inet_sk(client_sk->sk); + down_read(&conn_list_lock); + list_for_each_entry(conn, &conn_list, conns_list) +- if (csk_inet->inet_daddr == conn->inet_addr) { ++#if IS_ENABLED(CONFIG_IPV6) ++ if (client_sk->sk->sk_family == AF_INET6) { ++ if (memcmp(&client_sk->sk->sk_v6_daddr, ++ &conn->inet6_addr, 16) == 0) { ++ ret = -EAGAIN; ++ break; ++ } ++ } else if (inet_sk(client_sk->sk)->inet_daddr == ++ conn->inet_addr) { + ret = -EAGAIN; + break; + } ++#else ++ if (inet_sk(client_sk->sk)->inet_daddr == ++ conn->inet_addr) { ++ ret = -EAGAIN; ++ break; ++ } ++#endif + up_read(&conn_list_lock); + if (ret == -EAGAIN) + continue; diff --git a/queue-6.6/ksmbd-fix-refcount-leak-causing-resource-not-released.patch b/queue-6.6/ksmbd-fix-refcount-leak-causing-resource-not-released.patch new file mode 100644 index 0000000000..a591a62431 --- /dev/null +++ b/queue-6.6/ksmbd-fix-refcount-leak-causing-resource-not-released.patch @@ -0,0 +1,61 @@ +From 89bb430f621124af39bb31763c4a8b504c9651e2 Mon Sep 17 00:00:00 2001 +From: Ziyan Xu +Date: Sat, 16 Aug 2025 10:20:05 +0900 +Subject: ksmbd: fix refcount leak causing resource not released + +From: Ziyan Xu + +commit 89bb430f621124af39bb31763c4a8b504c9651e2 upstream. + +When ksmbd_conn_releasing(opinfo->conn) returns true,the refcount was not +decremented properly, causing a refcount leak that prevents the count from +reaching zero and the memory from being released. + +Cc: stable@vger.kernel.org +Signed-off-by: Ziyan Xu +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/oplock.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/oplock.c ++++ b/fs/smb/server/oplock.c +@@ -1102,8 +1102,10 @@ void smb_send_parent_lease_break_noti(st + if (!atomic_inc_not_zero(&opinfo->refcount)) + continue; + +- if (ksmbd_conn_releasing(opinfo->conn)) ++ if (ksmbd_conn_releasing(opinfo->conn)) { ++ opinfo_put(opinfo); + continue; ++ } + + oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE, NULL); + opinfo_put(opinfo); +@@ -1139,8 +1141,11 @@ void smb_lazy_parent_lease_break_close(s + if (!atomic_inc_not_zero(&opinfo->refcount)) + continue; + +- if (ksmbd_conn_releasing(opinfo->conn)) ++ if (ksmbd_conn_releasing(opinfo->conn)) { ++ opinfo_put(opinfo); + continue; ++ } ++ + oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE, NULL); + opinfo_put(opinfo); + } +@@ -1343,8 +1348,10 @@ void smb_break_all_levII_oplock(struct k + if (!atomic_inc_not_zero(&brk_op->refcount)) + continue; + +- if (ksmbd_conn_releasing(brk_op->conn)) ++ if (ksmbd_conn_releasing(brk_op->conn)) { ++ opinfo_put(brk_op); + continue; ++ } + + if (brk_op->is_lease && (brk_op->o_lease->state & + (~(SMB2_LEASE_READ_CACHING_LE | diff --git a/queue-6.6/lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch b/queue-6.6/lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch new file mode 100644 index 0000000000..9ef2e5e6a9 --- /dev/null +++ b/queue-6.6/lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch @@ -0,0 +1,104 @@ +From 22375adaa0d9fbba9646c8e2b099c6e87c97bfae Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 19 Jun 2025 15:55:35 -0700 +Subject: lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap + +From: Eric Biggers + +commit 22375adaa0d9fbba9646c8e2b099c6e87c97bfae upstream. + +The MIPS32r2 ChaCha code has never been buildable with the clang +assembler. First, clang doesn't support the 'rotl' pseudo-instruction: + + error: unknown instruction, did you mean: rol, rotr? + +Second, clang requires that both operands of the 'wsbh' instruction be +explicitly given: + + error: too few operands for instruction + +To fix this, align the code with the real instruction set by (1) using +the real instruction 'rotr' instead of the nonstandard pseudo- +instruction 'rotl', and (2) explicitly giving both operands to 'wsbh'. + +To make removing the use of 'rotl' a bit easier, also remove the +unnecessary special-casing for big endian CPUs at +.Lchacha_mips_xor_bytes. The tail handling is actually +endian-independent since it processes one byte at a time. On big endian +CPUs the old code byte-swapped SAVED_X, then iterated through it in +reverse order. But the byteswap and reverse iteration canceled out. + +Tested with chacha20poly1305-selftest in QEMU using "-M malta" with both +little endian and big endian mips32r2 kernels. + +Fixes: 49aa7c00eddf ("crypto: mips/chacha - import 32r2 ChaCha code from Zinc") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202505080409.EujEBwA0-lkp@intel.com/ +Link: https://lore.kernel.org/r/20250619225535.679301-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/crypto/chacha-core.S | 20 +++++++------------- + 1 file changed, 7 insertions(+), 13 deletions(-) + +--- a/arch/mips/crypto/chacha-core.S ++++ b/arch/mips/crypto/chacha-core.S +@@ -55,17 +55,13 @@ + #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + #define MSB 0 + #define LSB 3 +-#define ROTx rotl +-#define ROTR(n) rotr n, 24 + #define CPU_TO_LE32(n) \ +- wsbh n; \ ++ wsbh n, n; \ + rotr n, 16; + #else + #define MSB 3 + #define LSB 0 +-#define ROTx rotr + #define CPU_TO_LE32(n) +-#define ROTR(n) + #endif + + #define FOR_EACH_WORD(x) \ +@@ -192,10 +188,10 @@ CONCAT3(.Lchacha_mips_xor_aligned_, PLUS + xor X(W), X(B); \ + xor X(Y), X(C); \ + xor X(Z), X(D); \ +- rotl X(V), S; \ +- rotl X(W), S; \ +- rotl X(Y), S; \ +- rotl X(Z), S; ++ rotr X(V), 32 - S; \ ++ rotr X(W), 32 - S; \ ++ rotr X(Y), 32 - S; \ ++ rotr X(Z), 32 - S; + + .text + .set reorder +@@ -372,21 +368,19 @@ chacha_crypt_arch: + /* First byte */ + lbu T1, 0(IN) + addiu $at, BYTES, 1 +- CPU_TO_LE32(SAVED_X) +- ROTR(SAVED_X) + xor T1, SAVED_X + sb T1, 0(OUT) + beqz $at, .Lchacha_mips_xor_done + /* Second byte */ + lbu T1, 1(IN) + addiu $at, BYTES, 2 +- ROTx SAVED_X, 8 ++ rotr SAVED_X, 8 + xor T1, SAVED_X + sb T1, 1(OUT) + beqz $at, .Lchacha_mips_xor_done + /* Third byte */ + lbu T1, 2(IN) +- ROTx SAVED_X, 8 ++ rotr SAVED_X, 8 + xor T1, SAVED_X + sb T1, 2(OUT) + b .Lchacha_mips_xor_done diff --git a/queue-6.6/revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch b/queue-6.6/revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch new file mode 100644 index 0000000000..fb1c5317a6 --- /dev/null +++ b/queue-6.6/revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch @@ -0,0 +1,40 @@ +From e4fc307d8e24f122402907ebf585248cad52841d Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 2 Aug 2025 21:34:37 +0200 +Subject: Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" + +From: Helge Deller + +commit e4fc307d8e24f122402907ebf585248cad52841d upstream. + +This reverts commit 864f9963ec6b4b76d104d595ba28110b87158003. + +The patch is wrong as it checks vc_origin against vc_screenbuf, +while in text mode it should compare against vga_vram_base. + +As such it broke VGA text scrolling, which can be reproduced like this: +(1) boot a kernel that is configured to use text mode VGA-console +(2) type commands: ls -l /usr/bin | less -S +(3) scroll up/down with cursor-down/up keys + +Reported-by: Jari Ruusu +Cc: stable@vger.kernel.org +Cc: Yi Yang +Cc: GONG Ruiqi +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/console/vgacon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -1139,7 +1139,7 @@ static bool vgacon_scroll(struct vc_data + c->vc_screenbuf_size - delta); + c->vc_origin = vga_vram_end - c->vc_screenbuf_size; + vga_rolled_over = 0; +- } else if (oldo - delta >= (unsigned long)c->vc_screenbuf) ++ } else + c->vc_origin -= delta; + c->vc_scr_end = c->vc_origin + c->vc_screenbuf_size; + scr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char, diff --git a/queue-6.6/scsi-mpi3mr-fix-race-between-config-read-submit-and-interrupt-completion.patch b/queue-6.6/scsi-mpi3mr-fix-race-between-config-read-submit-and-interrupt-completion.patch new file mode 100644 index 0000000000..b21a40e9bb --- /dev/null +++ b/queue-6.6/scsi-mpi3mr-fix-race-between-config-read-submit-and-interrupt-completion.patch @@ -0,0 +1,40 @@ +From e6327c4acf925bb6d6d387d76fc3bd94471e10d8 Mon Sep 17 00:00:00 2001 +From: Ranjan Kumar +Date: Sat, 28 Jun 2025 01:15:36 +0530 +Subject: scsi: mpi3mr: Fix race between config read submit and interrupt completion + +From: Ranjan Kumar + +commit e6327c4acf925bb6d6d387d76fc3bd94471e10d8 upstream. + +The "is_waiting" flag was updated after calling complete(), which could +lead to a race where the waiting thread wakes up before the flag is +cleared. This may cause a missed wakeup or stale state check. + +Reorder the operations to update "is_waiting" before signaling completion +to ensure consistent state. + +Fixes: 824a156633df ("scsi: mpi3mr: Base driver code") +Cc: stable@vger.kernel.org +Co-developed-by: Chandrakanth Patil +Signed-off-by: Chandrakanth Patil +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20250627194539.48851-2-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c +@@ -411,8 +411,8 @@ static void mpi3mr_process_admin_reply_d + MPI3MR_SENSE_BUF_SZ); + } + if (cmdptr->is_waiting) { +- complete(&cmdptr->done); + cmdptr->is_waiting = 0; ++ complete(&cmdptr->done); + } else if (cmdptr->callback) + cmdptr->callback(mrioc, cmdptr); + } diff --git a/queue-6.6/scsi-ufs-ufs-pci-fix-default-runtime-and-system-pm-levels.patch b/queue-6.6/scsi-ufs-ufs-pci-fix-default-runtime-and-system-pm-levels.patch new file mode 100644 index 0000000000..59d5cc2126 --- /dev/null +++ b/queue-6.6/scsi-ufs-ufs-pci-fix-default-runtime-and-system-pm-levels.patch @@ -0,0 +1,62 @@ +From 6de7435e6b81fe52c0ab4c7e181f6b5decd18eb1 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 23 Jul 2025 19:58:50 +0300 +Subject: scsi: ufs: ufs-pci: Fix default runtime and system PM levels + +From: Adrian Hunter + +commit 6de7435e6b81fe52c0ab4c7e181f6b5decd18eb1 upstream. + +Intel MTL-like host controllers support auto-hibernate. Using +auto-hibernate with manual (driver initiated) hibernate produces more +complex operation. For example, the host controller will have to exit +auto-hibernate simply to allow the driver to enter hibernate state +manually. That is not recommended. + +The default rpm_lvl and spm_lvl is 3, which includes manual hibernate. + +Change the default values to 2, which does not. + +Note, to be simpler to backport to stable kernels, utilize the UFS PCI +driver's ->late_init() call back. Recent commits have made it possible +to set up a controller-specific default in the regular ->init() call +back, but not all stable kernels have those changes. + +Fixes: 4049f7acef3e ("scsi: ufs: ufs-pci: Add support for Intel MTL") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Hunter +Link: https://lore.kernel.org/r/20250723165856.145750-3-adrian.hunter@intel.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufshcd-pci.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/ufs/host/ufshcd-pci.c ++++ b/drivers/ufs/host/ufshcd-pci.c +@@ -465,10 +465,23 @@ static int ufs_intel_adl_init(struct ufs + return ufs_intel_common_init(hba); + } + ++static void ufs_intel_mtl_late_init(struct ufs_hba *hba) ++{ ++ hba->rpm_lvl = UFS_PM_LVL_2; ++ hba->spm_lvl = UFS_PM_LVL_2; ++} ++ + static int ufs_intel_mtl_init(struct ufs_hba *hba) + { ++ struct ufs_host *ufs_host; ++ int err; ++ + hba->caps |= UFSHCD_CAP_CRYPTO | UFSHCD_CAP_WB_EN; +- return ufs_intel_common_init(hba); ++ err = ufs_intel_common_init(hba); ++ /* Get variant after it is set in ufs_intel_common_init() */ ++ ufs_host = ufshcd_get_variant(hba); ++ ufs_host->late_init = ufs_intel_mtl_late_init; ++ return err; + } + + static struct ufs_hba_variant_ops ufs_intel_cnl_hba_vops = { diff --git a/queue-6.6/scsi-ufs-ufs-pci-fix-hibernate-state-transition-for-intel-mtl-like-host-controllers.patch b/queue-6.6/scsi-ufs-ufs-pci-fix-hibernate-state-transition-for-intel-mtl-like-host-controllers.patch new file mode 100644 index 0000000000..fe12782005 --- /dev/null +++ b/queue-6.6/scsi-ufs-ufs-pci-fix-hibernate-state-transition-for-intel-mtl-like-host-controllers.patch @@ -0,0 +1,72 @@ +From 4428ddea832cfdb63e476eb2e5c8feb5d36057fe Mon Sep 17 00:00:00 2001 +From: Archana Patni +Date: Wed, 23 Jul 2025 19:58:49 +0300 +Subject: scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers + +From: Archana Patni + +commit 4428ddea832cfdb63e476eb2e5c8feb5d36057fe upstream. + +UFSHCD core disables the UIC completion interrupt when issuing UIC +hibernation commands, and re-enables it afterwards if it was enabled to +start with, refer ufshcd_uic_pwr_ctrl(). For Intel MTL-like host +controllers, accessing the register to re-enable the interrupt disrupts +the state transition. + +Use hibern8_notify variant operation to disable the interrupt during the +entire hibernation, thereby preventing the disruption. + +Fixes: 4049f7acef3e ("scsi: ufs: ufs-pci: Add support for Intel MTL") +Cc: stable@vger.kernel.org +Signed-off-by: Archana Patni +Link: https://lore.kernel.org/r/20250723165856.145750-2-adrian.hunter@intel.com +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufshcd-pci.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/drivers/ufs/host/ufshcd-pci.c ++++ b/drivers/ufs/host/ufshcd-pci.c +@@ -213,6 +213,32 @@ out: + return ret; + } + ++static void ufs_intel_ctrl_uic_compl(struct ufs_hba *hba, bool enable) ++{ ++ u32 set = ufshcd_readl(hba, REG_INTERRUPT_ENABLE); ++ ++ if (enable) ++ set |= UIC_COMMAND_COMPL; ++ else ++ set &= ~UIC_COMMAND_COMPL; ++ ufshcd_writel(hba, set, REG_INTERRUPT_ENABLE); ++} ++ ++static void ufs_intel_mtl_h8_notify(struct ufs_hba *hba, ++ enum uic_cmd_dme cmd, ++ enum ufs_notify_change_status status) ++{ ++ /* ++ * Disable UIC COMPL INTR to prevent access to UFSHCI after ++ * checking HCS.UPMCRS ++ */ ++ if (status == PRE_CHANGE && cmd == UIC_CMD_DME_HIBER_ENTER) ++ ufs_intel_ctrl_uic_compl(hba, false); ++ ++ if (status == POST_CHANGE && cmd == UIC_CMD_DME_HIBER_EXIT) ++ ufs_intel_ctrl_uic_compl(hba, true); ++} ++ + #define INTEL_ACTIVELTR 0x804 + #define INTEL_IDLELTR 0x808 + +@@ -487,6 +513,7 @@ static struct ufs_hba_variant_ops ufs_in + .init = ufs_intel_mtl_init, + .exit = ufs_intel_common_exit, + .hce_enable_notify = ufs_intel_hce_enable_notify, ++ .hibern8_notify = ufs_intel_mtl_h8_notify, + .link_startup_notify = ufs_intel_link_startup_notify, + .resume = ufs_intel_resume, + .device_reset = ufs_intel_device_reset, diff --git a/queue-6.6/series b/queue-6.6/series index 76895f9d17..55b7656099 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -339,3 +339,27 @@ bus-mhi-host-fix-endianness-of-bhi-vector-table.patch bus-mhi-host-detect-events-pointing-to-unexpected-tres.patch vt-keyboard-don-t-process-unicode-characters-in-k_off-mode.patch vt-defkeymap-map-keycodes-above-127-to-k_hole.patch +lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch +crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch +crypto-qat-flush-misc-workqueue-during-device-shutdown.patch +revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch +ksmbd-fix-refcount-leak-causing-resource-not-released.patch +ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch +tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch +ext4-check-fast-symlink-for-ea_inode-correctly.patch +ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch +ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch +ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch +ext4-use-kmalloc_array-for-array-space-allocation.patch +ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch +btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch +arm64-dts-ti-k3-pinctrl-enable-schmitt-trigger-by-default.patch +arm64-dts-ti-k3-am62a7-sk-fix-pinmux-for-main_uart1.patch +arm64-dts-ti-k3-am62-verdin-enable-pull-ups-on-i2c-buses.patch +dt-bindings-display-sprd-sharkl3-dpu-fix-missing-clocks-constraints.patch +dt-bindings-display-sprd-sharkl3-dsi-host-fix-missing-clocks-constraints.patch +scsi-mpi3mr-fix-race-between-config-read-submit-and-interrupt-completion.patch +ata-libata-scsi-fix-ata_to_sense_error-status-handling.patch +scsi-ufs-ufs-pci-fix-hibernate-state-transition-for-intel-mtl-like-host-controllers.patch +scsi-ufs-ufs-pci-fix-default-runtime-and-system-pm-levels.patch +ata-libata-scsi-fix-cdl-control.patch diff --git a/queue-6.6/tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch b/queue-6.6/tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch new file mode 100644 index 0000000000..fbfb831841 --- /dev/null +++ b/queue-6.6/tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch @@ -0,0 +1,41 @@ +From ec879e1a0be8007aa232ffedcf6a6445dfc1a3d7 Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Sat, 16 Aug 2025 23:10:51 +0900 +Subject: tracing: fprobe-event: Sanitize wildcard for fprobe event name + +From: Masami Hiramatsu (Google) + +commit ec879e1a0be8007aa232ffedcf6a6445dfc1a3d7 upstream. + +Fprobe event accepts wildcards for the target functions, but unless user +specifies its event name, it makes an event with the wildcards. + + /sys/kernel/tracing # echo 'f mutex*' >> dynamic_events + /sys/kernel/tracing # cat dynamic_events + f:fprobes/mutex*__entry mutex* + /sys/kernel/tracing # ls events/fprobes/ + enable filter mutex*__entry + +To fix this, replace the wildcard ('*') with an underscore. + +Link: https://lore.kernel.org/all/175535345114.282990.12294108192847938710.stgit@devnote2/ + +Fixes: 334e5519c375 ("tracing/probes: Add fprobe events for tracing function entry and exit.") +Signed-off-by: Masami Hiramatsu (Google) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -2053,7 +2053,7 @@ static inline bool is_good_system_name(c + static inline void sanitize_event_name(char *name) + { + while (*name++ != '\0') +- if (*name == ':' || *name == '.') ++ if (*name == ':' || *name == '.' || *name == '*') + *name = '_'; + } +