From: Greg Kroah-Hartman Date: Sun, 24 Aug 2025 08:54:49 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.4.297~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=74462fdda5a592f1a11b7a46fa7c5d074072569d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: asm-generic-add-memory-barrier-dma_mb.patch drm-amd-display-don-t-overclock-dce-6-by-15.patch drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch locking-barriers-kcsan-support-generic-instrumentation.patch media-camss-convert-to-platform-remove-callback-returning-void.patch media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch media-venus-add-support-for-ssr-trigger-using-fault-injection.patch media-venus-protect-against-spurious-interrupts-during-probe.patch mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch pwm-mediatek-fix-duty-and-period-setting.patch pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch pwm-mediatek-implement-.apply-callback.patch scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch --- diff --git a/queue-5.15/asm-generic-add-memory-barrier-dma_mb.patch b/queue-5.15/asm-generic-add-memory-barrier-dma_mb.patch new file mode 100644 index 0000000000..0574a7851a --- /dev/null +++ b/queue-5.15/asm-generic-add-memory-barrier-dma_mb.patch @@ -0,0 +1,81 @@ +From stable+bounces-172507-greg=kroah.com@vger.kernel.org Fri Aug 22 21:35:10 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:35:01 -0400 +Subject: asm-generic: Add memory barrier dma_mb() +To: stable@vger.kernel.org +Cc: Kefeng Wang , Arnd Bergmann , Marco Elver , Will Deacon , Sasha Levin +Message-ID: <20250822193502.1445377-2-sashal@kernel.org> + +From: Kefeng Wang + +[ Upstream commit ed59dfd9509d172e4920994ed9cbebf93b0050cc ] + +The memory barrier dma_mb() is introduced by commit a76a37777f2c +("iommu/arm-smmu-v3: Ensure queue is read after updating prod pointer"), +which is used to ensure that prior (both reads and writes) accesses +to memory by a CPU are ordered w.r.t. a subsequent MMIO write. + +Reviewed-by: Arnd Bergmann # for asm-generic +Signed-off-by: Kefeng Wang +Reviewed-by: Marco Elver +Link: https://lore.kernel.org/r/20220523113126.171714-2-wangkefeng.wang@huawei.com +Signed-off-by: Will Deacon +Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/memory-barriers.txt | 11 ++++++----- + include/asm-generic/barrier.h | 8 ++++++++ + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/Documentation/memory-barriers.txt ++++ b/Documentation/memory-barriers.txt +@@ -1894,6 +1894,7 @@ There are some more advanced barrier fun + + (*) dma_wmb(); + (*) dma_rmb(); ++ (*) dma_mb(); + + These are for use with consistent memory to guarantee the ordering + of writes or reads of shared memory accessible to both the CPU and a +@@ -1925,11 +1926,11 @@ There are some more advanced barrier fun + The dma_rmb() allows us guarantee the device has released ownership + before we read the data from the descriptor, and the dma_wmb() allows + us to guarantee the data is written to the descriptor before the device +- can see it now has ownership. Note that, when using writel(), a prior +- wmb() is not needed to guarantee that the cache coherent memory writes +- have completed before writing to the MMIO region. The cheaper +- writel_relaxed() does not provide this guarantee and must not be used +- here. ++ can see it now has ownership. The dma_mb() implies both a dma_rmb() and ++ a dma_wmb(). Note that, when using writel(), a prior wmb() is not needed ++ to guarantee that the cache coherent memory writes have completed before ++ writing to the MMIO region. The cheaper writel_relaxed() does not provide ++ this guarantee and must not be used here. + + See the subsection "Kernel I/O barrier effects" for more information on + relaxed I/O accessors and the Documentation/core-api/dma-api.rst file for +--- a/include/asm-generic/barrier.h ++++ b/include/asm-generic/barrier.h +@@ -37,6 +37,10 @@ + #define wmb() do { kcsan_wmb(); __wmb(); } while (0) + #endif + ++#ifdef __dma_mb ++#define dma_mb() do { kcsan_mb(); __dma_mb(); } while (0) ++#endif ++ + #ifdef __dma_rmb + #define dma_rmb() do { kcsan_rmb(); __dma_rmb(); } while (0) + #endif +@@ -64,6 +68,10 @@ + #define wmb() mb() + #endif + ++#ifndef dma_mb ++#define dma_mb() mb() ++#endif ++ + #ifndef dma_rmb + #define dma_rmb() rmb() + #endif diff --git a/queue-5.15/drm-amd-display-don-t-overclock-dce-6-by-15.patch b/queue-5.15/drm-amd-display-don-t-overclock-dce-6-by-15.patch new file mode 100644 index 0000000000..6f6e3b777f --- /dev/null +++ b/queue-5.15/drm-amd-display-don-t-overclock-dce-6-by-15.patch @@ -0,0 +1,55 @@ +From stable+bounces-172676-greg=kroah.com@vger.kernel.org Sun Aug 24 03:01:54 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 21:01:40 -0400 +Subject: drm/amd/display: Don't overclock DCE 6 by 15% +To: stable@vger.kernel.org +Cc: "Timur Kristóf" , "Alex Deucher" , "Rodrigo Siqueira" , "Alex Hung" , "Sasha Levin" +Message-ID: <20250824010140.2569605-1-sashal@kernel.org> + +From: Timur Kristóf + +[ Upstream commit cb7b7ae53b557d168b4af5cd8549f3eff920bfb5 ] + +The extra 15% clock was added as a workaround for a Polaris issue +which uses DCE 11, and should not have been used on DCE 6 which +is already hardcoded to the highest possible display clock. +Unfortunately, the extra 15% was mistakenly copied and kept +even on code paths which don't affect Polaris. + +This commit fixes that and also adds a check to make sure +not to exceed the maximum DCE 6 display clock. + +Fixes: 8cd61c313d8b ("drm/amd/display: Raise dispclk value for Polaris") +Fixes: dc88b4a684d2 ("drm/amd/display: make clk mgr soc specific") +Fixes: 3ecb3b794e2c ("drm/amd/display: dc/clk_mgr: add support for SI parts (v2)") +Signed-off-by: Timur Kristóf +Acked-by: Alex Deucher +Reviewed-by: Rodrigo Siqueira +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit 427980c1cbd22bb256b9385f5ce73c0937562408) +Cc: stable@vger.kernel.org +[ `MIN` => `min` ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c +@@ -112,11 +112,9 @@ static void dce60_update_clocks(struct c + { + struct clk_mgr_internal *clk_mgr_dce = TO_CLK_MGR_INTERNAL(clk_mgr_base); + struct dm_pp_power_level_change_request level_change_req; +- int patched_disp_clk = context->bw_ctx.bw.dce.dispclk_khz; +- +- /*TODO: W/A for dal3 linux, investigate why this works */ +- if (!clk_mgr_dce->dfs_bypass_active) +- patched_disp_clk = patched_disp_clk * 115 / 100; ++ const int max_disp_clk = ++ clk_mgr_dce->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz; ++ int patched_disp_clk = min(max_disp_clk, context->bw_ctx.bw.dce.dispclk_khz); + + level_change_req.power_level = dce_get_required_clocks_state(clk_mgr_base, context); + /* get max clock state from PPLIB */ diff --git a/queue-5.15/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch b/queue-5.15/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch new file mode 100644 index 0000000000..57f614c3e7 --- /dev/null +++ b/queue-5.15/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch @@ -0,0 +1,50 @@ +From stable+bounces-172599-greg=kroah.com@vger.kernel.org Sat Aug 23 15:55:26 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 09:55:20 -0400 +Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS +To: stable@vger.kernel.org +Cc: "Imre Deak" , "Ville Syrjälä" , "Jani Nikula" , "Jani Nikula" , "Sasha Levin" +Message-ID: <20250823135520.2154797-1-sashal@kernel.org> + +From: Imre Deak + +[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ] + +Reading DPCD registers has side-effects in general. In particular +accessing registers outside of the link training register range +(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly +forbidden by the DP v2.1 Standard, see + +3.6.5.1 DPTX AUX Transaction Handling Mandates +3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates + +Based on my tests, accessing the DPCD_REV register during the link +training of an UHBR TBT DP tunnel sink leads to link training failures. + +Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the +DPCD register access quirk. + +Cc: +Cc: Ville Syrjälä +Cc: Jani Nikula +Acked-by: Jani Nikula +Signed-off-by: Imre Deak +Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com +[ call to drm_dp_dpcd_access() instead of drm_dp_dpcd_probe() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_dp_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_dp_helper.c ++++ b/drivers/gpu/drm/drm_dp_helper.c +@@ -336,7 +336,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a + * monitor doesn't power down exactly after the throw away read. + */ + if (!aux->is_remote) { +- ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_DPCD_REV, ++ ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_LANE0_1_STATUS, + buffer, 1); + if (ret != 1) + goto out; diff --git a/queue-5.15/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch b/queue-5.15/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch new file mode 100644 index 0000000000..c02d09eb96 --- /dev/null +++ b/queue-5.15/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch @@ -0,0 +1,76 @@ +From stable+bounces-172551-greg=kroah.com@vger.kernel.org Sat Aug 23 05:59:07 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 23:58:56 -0400 +Subject: f2fs: fix to avoid out-of-boundary access in dnode page +To: stable@vger.kernel.org +Cc: Chao Yu , stable@kernel.org, Jiaming Zhang , Jaegeuk Kim , Sasha Levin +Message-ID: <20250823035856.1823032-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ] + +As Jiaming Zhang reported: + + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x17e/0x800 mm/kasan/report.c:480 + kasan_report+0x147/0x180 mm/kasan/report.c:593 + data_blkaddr fs/f2fs/f2fs.h:3053 [inline] + f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline] + f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855 + f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195 + prepare_write_begin fs/f2fs/data.c:3395 [inline] + f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594 + generic_perform_write+0x2c7/0x910 mm/filemap.c:4112 + f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline] + f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x546/0xa90 fs/read_write.c:686 + ksys_write+0x149/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The root cause is in the corrupted image, there is a dnode has the same +node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to +access block address in dnode at offset 934, however it parses the dnode +as inode node, so that get_dnode_addr() returns 360, then it tries to +access page address from 360 + 934 * 4 = 4096 w/ 4 bytes. + +To fix this issue, let's add sanity check for node id of all direct nodes +during f2fs_get_dnode_of_data(). + +Cc: stable@kernel.org +Reported-by: Jiaming Zhang +Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ replaced f2fs_err_ratelimited() with f2fs_err() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -798,6 +798,16 @@ int f2fs_get_dnode_of_data(struct dnode_ + for (i = 1; i <= level; i++) { + bool done = false; + ++ if (nids[i] && nids[i] == dn->inode->i_ino) { ++ err = -EFSCORRUPTED; ++ f2fs_err(sbi, ++ "inode mapping table is corrupted, run fsck to fix it, " ++ "ino:%lu, nid:%u, level:%d, offset:%d", ++ dn->inode->i_ino, nids[i], level, offset[level]); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ goto release_pages; ++ } ++ + if (!nids[i] && mode == ALLOC_NODE) { + /* alloc new node */ + if (!f2fs_alloc_nid(sbi, &(nids[i]))) { diff --git a/queue-5.15/iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch b/queue-5.15/iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch new file mode 100644 index 0000000000..c132e1ecd1 --- /dev/null +++ b/queue-5.15/iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch @@ -0,0 +1,51 @@ +From stable+bounces-172483-greg=kroah.com@vger.kernel.org Fri Aug 22 19:46:17 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 13:46:08 -0400 +Subject: iio: adc: ad_sigma_delta: change to buffer predisable +To: stable@vger.kernel.org +Cc: "David Lechner" , "Nuno Sá" , "Jonathan Cameron" , "Sasha Levin" +Message-ID: <20250822174608.1341735-1-sashal@kernel.org> + +From: David Lechner + +[ Upstream commit 66d4374d97f85516b5a22418c5e798aed2606dec ] + +Change the buffer disable callback from postdisable to predisable. +This balances the existing posteanble callback. Using postdisable +with posteanble can be problematic, for example, if update_scan_mode +fails, it would call postdisable without ever having called posteanble, +so the drivers using this would be in an unexpected state when +postdisable was called. + +Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices") +Signed-off-by: David Lechner +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20250703-iio-adc-ad_sigma_delta-buffer-predisable-v1-1-f2ab85138f1f@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad_sigma_delta.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -371,7 +371,7 @@ err_unlock: + return ret; + } + +-static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev) ++static int ad_sd_buffer_predisable(struct iio_dev *indio_dev) + { + struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev); + +@@ -432,7 +432,7 @@ static irqreturn_t ad_sd_trigger_handler + + static const struct iio_buffer_setup_ops ad_sd_buffer_setup_ops = { + .postenable = &ad_sd_buffer_postenable, +- .postdisable = &ad_sd_buffer_postdisable, ++ .predisable = &ad_sd_buffer_predisable, + .validate_scan_mask = &iio_validate_scan_mask_onehot, + }; + diff --git a/queue-5.15/locking-barriers-kcsan-support-generic-instrumentation.patch b/queue-5.15/locking-barriers-kcsan-support-generic-instrumentation.patch new file mode 100644 index 0000000000..ba574ee0e9 --- /dev/null +++ b/queue-5.15/locking-barriers-kcsan-support-generic-instrumentation.patch @@ -0,0 +1,70 @@ +From stable+bounces-172508-greg=kroah.com@vger.kernel.org Fri Aug 22 21:35:12 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:35:00 -0400 +Subject: locking/barriers, kcsan: Support generic instrumentation +To: stable@vger.kernel.org +Cc: Marco Elver , "Paul E. McKenney" , Sasha Levin +Message-ID: <20250822193502.1445377-1-sashal@kernel.org> + +From: Marco Elver + +[ Upstream commit 2505a51ac6f249956735e0a369e2404f96eebef0 ] + +Thus far only smp_*() barriers had been defined by asm-generic/barrier.h +based on __smp_*() barriers, because the !SMP case is usually generic. + +With the introduction of instrumentation, it also makes sense to have +asm-generic/barrier.h assist in the definition of instrumented versions +of mb(), rmb(), wmb(), dma_rmb(), and dma_wmb(). + +Because there is no requirement to distinguish the !SMP case, the +definition can be simpler: we can avoid also providing fallbacks for the +__ prefixed cases, and only check if `defined(__)`, to finally +define the KCSAN-instrumented versions. + +This also allows for the compiler to complain if an architecture +accidentally defines both the normal and __ prefixed variant. + +Signed-off-by: Marco Elver +Signed-off-by: Paul E. McKenney +Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-generic/barrier.h | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/include/asm-generic/barrier.h ++++ b/include/asm-generic/barrier.h +@@ -21,6 +21,31 @@ + #endif + + /* ++ * Architectures that want generic instrumentation can define __ prefixed ++ * variants of all barriers. ++ */ ++ ++#ifdef __mb ++#define mb() do { kcsan_mb(); __mb(); } while (0) ++#endif ++ ++#ifdef __rmb ++#define rmb() do { kcsan_rmb(); __rmb(); } while (0) ++#endif ++ ++#ifdef __wmb ++#define wmb() do { kcsan_wmb(); __wmb(); } while (0) ++#endif ++ ++#ifdef __dma_rmb ++#define dma_rmb() do { kcsan_rmb(); __dma_rmb(); } while (0) ++#endif ++ ++#ifdef __dma_wmb ++#define dma_wmb() do { kcsan_wmb(); __dma_wmb(); } while (0) ++#endif ++ ++/* + * Force strict CPU ordering. And yes, this is required on UP too when we're + * talking to devices. + * diff --git a/queue-5.15/media-camss-convert-to-platform-remove-callback-returning-void.patch b/queue-5.15/media-camss-convert-to-platform-remove-callback-returning-void.patch new file mode 100644 index 0000000000..d5c02014e3 --- /dev/null +++ b/queue-5.15/media-camss-convert-to-platform-remove-callback-returning-void.patch @@ -0,0 +1,61 @@ +From stable+bounces-172546-greg=kroah.com@vger.kernel.org Sat Aug 23 05:36:04 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 23:35:53 -0400 +Subject: media: camss: Convert to platform remove callback returning void +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "Hans Verkuil" , "Sasha Levin" +Message-ID: <20250823033554.1801998-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit 428bbf4be4018aefa26e4d6531779fa8925ecaaf ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is (mostly) ignored +and this typically results in resource leaks. To improve here there is a +quest to make the remove callback return void. In the first step of this +quest all drivers are converted to .remove_new() which already returns +void. + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Hans Verkuil +Stable-dep-of: 69080ec3d0da ("media: qcom: camss: cleanup media device allocated resource on error path") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/camss/camss.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/media/platform/qcom/camss/camss.c ++++ b/drivers/media/platform/qcom/camss/camss.c +@@ -1477,7 +1477,7 @@ void camss_delete(struct camss *camss) + * + * Always returns 0. + */ +-static int camss_remove(struct platform_device *pdev) ++static void camss_remove(struct platform_device *pdev) + { + struct camss *camss = platform_get_drvdata(pdev); + +@@ -1487,8 +1487,6 @@ static int camss_remove(struct platform_ + + if (atomic_read(&camss->ref_count) == 0) + camss_delete(camss); +- +- return 0; + } + + static const struct of_device_id camss_dt_match[] = { +@@ -1519,7 +1517,7 @@ static const struct dev_pm_ops camss_pm_ + + static struct platform_driver qcom_camss_driver = { + .probe = camss_probe, +- .remove = camss_remove, ++ .remove_new = camss_remove, + .driver = { + .name = "qcom-camss", + .of_match_table = camss_dt_match, diff --git a/queue-5.15/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch b/queue-5.15/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch new file mode 100644 index 0000000000..415eccb967 --- /dev/null +++ b/queue-5.15/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch @@ -0,0 +1,51 @@ +From stable+bounces-172547-greg=kroah.com@vger.kernel.org Sat Aug 23 05:36:05 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 23:35:54 -0400 +Subject: media: qcom: camss: cleanup media device allocated resource on error path +To: stable@vger.kernel.org +Cc: Sasha Levin , Vladimir Zapolskiy , Bryan O'Donoghue , Bryan O'Donoghue , Hans Verkuil +Message-ID: <20250823033554.1801998-2-sashal@kernel.org> + +From: Sasha Levin + +[ Upstream commit 69080ec3d0daba8a894025476c98ab16b5a505a4 ] + +A call to media_device_init() requires media_device_cleanup() counterpart +to complete cleanup and release any allocated resources. + +This has been done in the driver .remove() right from the beginning, but +error paths on .probe() shall also be fixed. + +Fixes: a1d7c116fcf7 ("media: camms: Add core files") +Cc: stable@vger.kernel.org +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +[ adapted error label from err_genpd_cleanup to err_cleanup ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/camss/camss.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/camss/camss.c ++++ b/drivers/media/platform/qcom/camss/camss.c +@@ -1396,7 +1396,7 @@ static int camss_probe(struct platform_d + ret = v4l2_device_register(camss->dev, &camss->v4l2_dev); + if (ret < 0) { + dev_err(dev, "Failed to register V4L2 device: %d\n", ret); +- goto err_cleanup; ++ goto err_media_cleanup; + } + + ret = camss_register_entities(camss); +@@ -1438,6 +1438,8 @@ err_register_subdevs: + camss_unregister_entities(camss); + err_register_entities: + v4l2_device_unregister(&camss->v4l2_dev); ++err_media_cleanup: ++ media_device_cleanup(&camss->media_dev); + err_cleanup: + v4l2_async_notifier_cleanup(&camss->notifier); + err_free: diff --git a/queue-5.15/media-venus-add-support-for-ssr-trigger-using-fault-injection.patch b/queue-5.15/media-venus-add-support-for-ssr-trigger-using-fault-injection.patch new file mode 100644 index 0000000000..d7784aa4c0 --- /dev/null +++ b/queue-5.15/media-venus-add-support-for-ssr-trigger-using-fault-injection.patch @@ -0,0 +1,112 @@ +From stable+bounces-172543-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:44 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 22:50:34 -0400 +Subject: media: venus: Add support for SSR trigger using fault injection +To: stable@vger.kernel.org +Cc: Dikshita Agarwal , Stanimir Varbanov , Stephen Boyd , Mauro Carvalho Chehab , Sasha Levin +Message-ID: <20250823025035.1695132-1-sashal@kernel.org> + +From: Dikshita Agarwal + +[ Upstream commit 748b080f21678f2988b0da2d2b396a6f928d9b2c ] + +Here we introduce a new fault injection for SSR trigger. + +To trigger the SSR: + echo 100 > /sys/kernel/debug/venus/fail_ssr/probability + echo 1 > /sys/kernel/debug/venus/fail_ssr/times + +Co-developed-by: Stanimir Varbanov +Signed-off-by: Stanimir Varbanov +Signed-off-by: Dikshita Agarwal +Reviewed-by: Stephen Boyd +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 3200144a2fa4 ("media: venus: protect against spurious interrupts during probe") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 15 ++++++++++++++- + drivers/media/platform/qcom/venus/dbgfs.c | 9 +++++++++ + drivers/media/platform/qcom/venus/dbgfs.h | 13 +++++++++++++ + 3 files changed, 36 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -263,6 +263,19 @@ static void venus_assign_register_offset + } + } + ++static irqreturn_t venus_isr_thread(int irq, void *dev_id) ++{ ++ struct venus_core *core = dev_id; ++ irqreturn_t ret; ++ ++ ret = hfi_isr_thread(irq, dev_id); ++ ++ if (ret == IRQ_HANDLED && venus_fault_inject_ssr()) ++ hfi_core_trigger_ssr(core, HFI_TEST_SSR_SW_ERR_FATAL); ++ ++ return ret; ++} ++ + static int venus_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +@@ -319,7 +332,7 @@ static int venus_probe(struct platform_d + mutex_init(&core->lock); + INIT_DELAYED_WORK(&core->work, venus_sys_error_handler); + +- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, hfi_isr_thread, ++ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread, + IRQF_TRIGGER_HIGH | IRQF_ONESHOT, + "venus", core); + if (ret) +--- a/drivers/media/platform/qcom/venus/dbgfs.c ++++ b/drivers/media/platform/qcom/venus/dbgfs.c +@@ -4,13 +4,22 @@ + */ + + #include ++#include + + #include "core.h" + ++#ifdef CONFIG_FAULT_INJECTION ++DECLARE_FAULT_ATTR(venus_ssr_attr); ++#endif ++ + void venus_dbgfs_init(struct venus_core *core) + { + core->root = debugfs_create_dir("venus", NULL); + debugfs_create_x32("fw_level", 0644, core->root, &venus_fw_debug); ++ ++#ifdef CONFIG_FAULT_INJECTION ++ fault_create_debugfs_attr("fail_ssr", core->root, &venus_ssr_attr); ++#endif + } + + void venus_dbgfs_deinit(struct venus_core *core) +--- a/drivers/media/platform/qcom/venus/dbgfs.h ++++ b/drivers/media/platform/qcom/venus/dbgfs.h +@@ -4,8 +4,21 @@ + #ifndef __VENUS_DBGFS_H__ + #define __VENUS_DBGFS_H__ + ++#include ++ + struct venus_core; + ++#ifdef CONFIG_FAULT_INJECTION ++extern struct fault_attr venus_ssr_attr; ++static inline bool venus_fault_inject_ssr(void) ++{ ++ return should_fail(&venus_ssr_attr, 1); ++} ++#else ++static inline bool venus_fault_inject_ssr(void) { return false; } ++#endif ++ ++ + void venus_dbgfs_init(struct venus_core *core); + void venus_dbgfs_deinit(struct venus_core *core); + diff --git a/queue-5.15/media-venus-protect-against-spurious-interrupts-during-probe.patch b/queue-5.15/media-venus-protect-against-spurious-interrupts-during-probe.patch new file mode 100644 index 0000000000..cca92e7e20 --- /dev/null +++ b/queue-5.15/media-venus-protect-against-spurious-interrupts-during-probe.patch @@ -0,0 +1,56 @@ +From stable+bounces-172544-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:47 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 22:50:35 -0400 +Subject: media: venus: protect against spurious interrupts during probe +To: stable@vger.kernel.org +Cc: Jorge Ramirez-Ortiz , Bryan O'Donoghue , Vikash Garodia , Dikshita Agarwal , Bryan O'Donoghue , Hans Verkuil , Sasha Levin +Message-ID: <20250823025035.1695132-2-sashal@kernel.org> + +From: Jorge Ramirez-Ortiz + +[ Upstream commit 3200144a2fa4209dc084a19941b9b203b43580f0 ] + +Make sure the interrupt handler is initialized before the interrupt is +registered. + +If the IRQ is registered before hfi_create(), it's possible that an +interrupt fires before the handler setup is complete, leading to a NULL +dereference. + +This error condition has been observed during system boot on Rb3Gen2. + +Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") +Cc: stable@vger.kernel.org +Signed-off-by: Jorge Ramirez-Ortiz +Reviewed-by: Bryan O'Donoghue +Reviewed-by: Vikash Garodia +Reviewed-by: Dikshita Agarwal +Tested-by: Dikshita Agarwal # RB5 +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -332,13 +332,13 @@ static int venus_probe(struct platform_d + mutex_init(&core->lock); + INIT_DELAYED_WORK(&core->work, venus_sys_error_handler); + +- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread, +- IRQF_TRIGGER_HIGH | IRQF_ONESHOT, +- "venus", core); ++ ret = hfi_create(core, &venus_core_ops); + if (ret) + goto err_core_put; + +- ret = hfi_create(core, &venus_core_ops); ++ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread, ++ IRQF_TRIGGER_HIGH | IRQF_ONESHOT, ++ "venus", core); + if (ret) + goto err_core_put; + diff --git a/queue-5.15/mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch b/queue-5.15/mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch new file mode 100644 index 0000000000..b744712567 --- /dev/null +++ b/queue-5.15/mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch @@ -0,0 +1,96 @@ +From stable+bounces-172617-greg=kroah.com@vger.kernel.org Sat Aug 23 17:22:42 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 11:22:28 -0400 +Subject: mptcp: disable add_addr retransmission when timeout is 0 +To: stable@vger.kernel.org +Cc: Geliang Tang , Matthieu Baerts , Jakub Kicinski , Sasha Levin +Message-ID: <20250823152229.2272429-1-sashal@kernel.org> + +From: Geliang Tang + +[ Upstream commit f5ce0714623cffd00bf2a83e890d09c609b7f50a ] + +When add_addr_timeout was set to 0, this caused the ADD_ADDR to be +retransmitted immediately, which looks like a buggy behaviour. Instead, +interpret 0 as "no retransmissions needed". + +The documentation is updated to explicitly state that setting the timeout +to 0 disables retransmission. + +Fixes: 93f323b9cccc ("mptcp: add a new sysctl add_addr_timeout") +Cc: stable@vger.kernel.org +Suggested-by: Matthieu Baerts +Signed-off-by: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-5-521fe9957892@kernel.org +Signed-off-by: Jakub Kicinski +[ pm.c => pm_netlink.c , drop mptcp_pm_alloc_anno_list hunk ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/networking/mptcp-sysctl.rst | 2 ++ + net/mptcp/pm_netlink.c | 13 ++++++++++--- + 2 files changed, 12 insertions(+), 3 deletions(-) + +--- a/Documentation/networking/mptcp-sysctl.rst ++++ b/Documentation/networking/mptcp-sysctl.rst +@@ -20,6 +20,8 @@ add_addr_timeout - INTEGER (seconds) + resent to an MPTCP peer that has not acknowledged a previous + ADD_ADDR message. + ++ Do not retransmit if set to 0. ++ + The default value matches TCP_RTO_MAX. This is a per-namespace + sysctl. + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -316,6 +316,7 @@ static void mptcp_pm_add_timer(struct ti + struct mptcp_pm_add_entry *entry = from_timer(entry, timer, add_timer); + struct mptcp_sock *msk = entry->sock; + struct sock *sk = (struct sock *)msk; ++ unsigned int timeout; + + pr_debug("msk=%p\n", msk); + +@@ -333,6 +334,10 @@ static void mptcp_pm_add_timer(struct ti + goto out; + } + ++ timeout = mptcp_get_add_addr_timeout(sock_net(sk)); ++ if (!timeout) ++ goto out; ++ + spin_lock_bh(&msk->pm.lock); + + if (!mptcp_pm_should_add_signal_addr(msk)) { +@@ -344,7 +349,7 @@ static void mptcp_pm_add_timer(struct ti + + if (entry->retrans_times < ADD_ADDR_RETRANS_MAX) + sk_reset_timer(sk, timer, +- jiffies + mptcp_get_add_addr_timeout(sock_net(sk))); ++ jiffies + timeout); + + spin_unlock_bh(&msk->pm.lock); + +@@ -386,6 +391,7 @@ static bool mptcp_pm_alloc_anno_list(str + struct mptcp_pm_add_entry *add_entry = NULL; + struct sock *sk = (struct sock *)msk; + struct net *net = sock_net(sk); ++ unsigned int timeout; + + lockdep_assert_held(&msk->pm.lock); + +@@ -403,8 +409,9 @@ static bool mptcp_pm_alloc_anno_list(str + add_entry->retrans_times = 0; + + timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0); +- sk_reset_timer(sk, &add_entry->add_timer, +- jiffies + mptcp_get_add_addr_timeout(net)); ++ timeout = mptcp_get_add_addr_timeout(net); ++ if (timeout) ++ sk_reset_timer(sk, &add_entry->add_timer, jiffies + timeout); + + return true; + } diff --git a/queue-5.15/pwm-mediatek-fix-duty-and-period-setting.patch b/queue-5.15/pwm-mediatek-fix-duty-and-period-setting.patch new file mode 100644 index 0000000000..8ddc4b0963 --- /dev/null +++ b/queue-5.15/pwm-mediatek-fix-duty-and-period-setting.patch @@ -0,0 +1,82 @@ +From stable+bounces-172495-greg=kroah.com@vger.kernel.org Fri Aug 22 20:50:19 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 14:50:02 -0400 +Subject: pwm: mediatek: Fix duty and period setting +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "AngeloGioacchino Del Regno" , "Uwe Kleine-König" , "Sasha Levin" +Message-ID: <20250822185002.1400911-3-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit f21d136caf8171f94159d975ea4620c164431bd9 ] + +The period generated by the hardware is + + (PWMDWIDTH + 1) << CLKDIV) / freq + +according to my tests with a signal analyser and also the documentation. + +The current algorithm doesn't consider the `+ 1` part and so configures +slightly too high periods. The same issue exists for the duty cycle +setting. So subtract 1 from both the register values for period and +duty cycle. If period is 0, bail out, if duty_cycle is 0, just disable +the PWM which results in a constant low output. + +Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support") +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/6d1fa87a76f8020bfe3171529b8e19baffceab10.1753717973.git.u.kleine-koenig@baylibre.com +Cc: stable@vger.kernel.org +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mediatek.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -163,7 +163,10 @@ static int pwm_mediatek_config(struct pw + do_div(resolution, clk_rate); + + cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution); +- while (cnt_period > 8191) { ++ if (!cnt_period) ++ return -EINVAL; ++ ++ while (cnt_period > 8192) { + resolution *= 2; + clkdiv++; + cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, +@@ -186,9 +189,16 @@ static int pwm_mediatek_config(struct pw + } + + cnt_duty = DIV_ROUND_CLOSEST_ULL((u64)duty_ns * 1000, resolution); ++ + pwm_mediatek_writel(pc, pwm->hwpwm, PWMCON, BIT(15) | clkdiv); +- pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period); +- pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty); ++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period - 1); ++ ++ if (cnt_duty) { ++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty - 1); ++ pwm_mediatek_enable(chip, pwm); ++ } else { ++ pwm_mediatek_disable(chip, pwm); ++ } + + out: + pwm_mediatek_clk_disable(chip, pwm); +@@ -217,11 +227,8 @@ static int pwm_mediatek_apply(struct pwm + if (err) + return err; + +- if (!pwm->state.enabled) { ++ if (!pwm->state.enabled) + err = pwm_mediatek_clk_enable(chip, pwm); +- if (!err) +- pwm_mediatek_enable(chip, pwm); +- } + + return err; + } diff --git a/queue-5.15/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch b/queue-5.15/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch new file mode 100644 index 0000000000..5268d42df4 --- /dev/null +++ b/queue-5.15/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch @@ -0,0 +1,123 @@ +From stable+bounces-172494-greg=kroah.com@vger.kernel.org Fri Aug 22 20:52:18 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 14:50:01 -0400 +Subject: pwm: mediatek: Handle hardware enable and clock enable separately +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "AngeloGioacchino Del Regno" , "Uwe Kleine-König" , "Sasha Levin" +Message-ID: <20250822185002.1400911-2-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit 704d918341c378c5f9505dfdf32d315e256d3846 ] + +Stop handling the clocks in pwm_mediatek_enable() and +pwm_mediatek_disable(). This is a preparing change for the next commit +that requires that clocks and the enable bit are handled separately. + +Also move these two functions a bit further up in the source file to +make them usable in pwm_mediatek_config(), which is needed in the next +commit, too. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/55c94fe2917ece152ee1e998f4675642a7716f13.1753717973.git.u.kleine-koenig@baylibre.com +Cc: stable@vger.kernel.org +Signed-off-by: Uwe Kleine-König +Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mediatek.c | 60 +++++++++++++++++++++------------------------ + 1 file changed, 28 insertions(+), 32 deletions(-) + +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -114,6 +114,26 @@ static inline void pwm_mediatek_writel(s + writel(value, chip->regs + pwm_mediatek_reg_offset[num] + offset); + } + ++static void pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm) ++{ ++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); ++ u32 value; ++ ++ value = readl(pc->regs); ++ value |= BIT(pwm->hwpwm); ++ writel(value, pc->regs); ++} ++ ++static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm) ++{ ++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); ++ u32 value; ++ ++ value = readl(pc->regs); ++ value &= ~BIT(pwm->hwpwm); ++ writel(value, pc->regs); ++} ++ + static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, + int duty_ns, int period_ns) + { +@@ -176,35 +196,6 @@ out: + return ret; + } + +-static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm) +-{ +- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); +- u32 value; +- int ret; +- +- ret = pwm_mediatek_clk_enable(chip, pwm); +- if (ret < 0) +- return ret; +- +- value = readl(pc->regs); +- value |= BIT(pwm->hwpwm); +- writel(value, pc->regs); +- +- return 0; +-} +- +-static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm) +-{ +- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); +- u32 value; +- +- value = readl(pc->regs); +- value &= ~BIT(pwm->hwpwm); +- writel(value, pc->regs); +- +- pwm_mediatek_clk_disable(chip, pwm); +-} +- + static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm, + const struct pwm_state *state) + { +@@ -214,8 +205,10 @@ static int pwm_mediatek_apply(struct pwm + return -EINVAL; + + if (!state->enabled) { +- if (pwm->state.enabled) ++ if (pwm->state.enabled) { + pwm_mediatek_disable(chip, pwm); ++ pwm_mediatek_clk_disable(chip, pwm); ++ } + + return 0; + } +@@ -224,8 +217,11 @@ static int pwm_mediatek_apply(struct pwm + if (err) + return err; + +- if (!pwm->state.enabled) +- err = pwm_mediatek_enable(chip, pwm); ++ if (!pwm->state.enabled) { ++ err = pwm_mediatek_clk_enable(chip, pwm); ++ if (!err) ++ pwm_mediatek_enable(chip, pwm); ++ } + + return err; + } diff --git a/queue-5.15/pwm-mediatek-implement-.apply-callback.patch b/queue-5.15/pwm-mediatek-implement-.apply-callback.patch new file mode 100644 index 0000000000..8cc0cff10e --- /dev/null +++ b/queue-5.15/pwm-mediatek-implement-.apply-callback.patch @@ -0,0 +1,67 @@ +From stable+bounces-172493-greg=kroah.com@vger.kernel.org Fri Aug 22 20:52:16 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 14:50:00 -0400 +Subject: pwm: mediatek: Implement .apply() callback +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "AngeloGioacchino Del Regno" , "Thierry Reding" , "Sasha Levin" +Message-ID: <20250822185002.1400911-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit 758de66f4bd2cac2b1d71db917c65c3d611d4e74 ] + +To eventually get rid of all legacy drivers convert this driver to the +modern world implementing .apply(). +This just pushed a variant of pwm_apply_legacy() into the driver that was +slightly simplified because the driver doesn't provide a .set_polarity() +callback. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Thierry Reding +Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mediatek.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -205,10 +205,33 @@ static void pwm_mediatek_disable(struct + pwm_mediatek_clk_disable(chip, pwm); + } + ++static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm, ++ const struct pwm_state *state) ++{ ++ int err; ++ ++ if (state->polarity != PWM_POLARITY_NORMAL) ++ return -EINVAL; ++ ++ if (!state->enabled) { ++ if (pwm->state.enabled) ++ pwm_mediatek_disable(chip, pwm); ++ ++ return 0; ++ } ++ ++ err = pwm_mediatek_config(pwm->chip, pwm, state->duty_cycle, state->period); ++ if (err) ++ return err; ++ ++ if (!pwm->state.enabled) ++ err = pwm_mediatek_enable(chip, pwm); ++ ++ return err; ++} ++ + static const struct pwm_ops pwm_mediatek_ops = { +- .config = pwm_mediatek_config, +- .enable = pwm_mediatek_enable, +- .disable = pwm_mediatek_disable, ++ .apply = pwm_mediatek_apply, + .owner = THIS_MODULE, + }; + diff --git a/queue-5.15/scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch b/queue-5.15/scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch new file mode 100644 index 0000000000..ae113a255b --- /dev/null +++ b/queue-5.15/scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch @@ -0,0 +1,56 @@ +From stable+bounces-172472-greg=kroah.com@vger.kernel.org Fri Aug 22 19:02:57 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 13:02:37 -0400 +Subject: scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers +To: stable@vger.kernel.org +Cc: Ranjan Kumar , "Martin K. Petersen" , Sasha Levin +Message-ID: <20250822170238.1319698-1-sashal@kernel.org> + +From: Ranjan Kumar + +[ Upstream commit 6853885b21cb1d7157cc14c9d30cc17141565bae ] + +The volatile qualifier is redundant for __iomem pointers. + +Cleaned up usage in mpi3mr_writeq() and sysif_regs pointer as per +Upstream compliance. + +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20250627194539.48851-3-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +Stable-dep-of: c91e140c82eb ("scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpi3mr/mpi3mr.h | 2 +- + drivers/scsi/mpi3mr/mpi3mr_fw.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/mpi3mr/mpi3mr.h ++++ b/drivers/scsi/mpi3mr/mpi3mr.h +@@ -714,7 +714,7 @@ struct mpi3mr_ioc { + char name[MPI3MR_NAME_LENGTH]; + char driver_name[MPI3MR_NAME_LENGTH]; + +- volatile struct mpi3_sysif_registers __iomem *sysif_regs; ++ struct mpi3_sysif_registers __iomem *sysif_regs; + resource_size_t sysif_regs_phys; + int bars; + u64 dma_mask; +--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c +@@ -11,12 +11,12 @@ + #include + + #if defined(writeq) && defined(CONFIG_64BIT) +-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr) ++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr) + { + writeq(b, addr); + } + #else +-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr) ++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr) + { + __u64 data_out = b; + diff --git a/queue-5.15/scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch b/queue-5.15/scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch new file mode 100644 index 0000000000..656338f44b --- /dev/null +++ b/queue-5.15/scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch @@ -0,0 +1,105 @@ +From stable+bounces-172473-greg=kroah.com@vger.kernel.org Fri Aug 22 19:05:16 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 13:02:38 -0400 +Subject: scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems +To: stable@vger.kernel.org +Cc: Ranjan Kumar , "Martin K. Petersen" , Sasha Levin +Message-ID: <20250822170238.1319698-2-sashal@kernel.org> + +From: Ranjan Kumar + +[ Upstream commit c91e140c82eb58724c435f623702e51cc7896646 ] + +On 32-bit systems, 64-bit BAR writes to admin queue registers are +performed as two 32-bit writes. Without locking, this can cause partial +writes when accessed concurrently. + +Updated per-queue spinlocks is used to serialize these writes and prevent +race conditions. + +Fixes: 824a156633df ("scsi: mpi3mr: Base driver code") +Cc: stable@vger.kernel.org +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20250627194539.48851-4-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +[ Adapt context in struct mpi3mr_ioc ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpi3mr/mpi3mr.h | 4 ++++ + drivers/scsi/mpi3mr/mpi3mr_fw.c | 15 +++++++++++---- + drivers/scsi/mpi3mr/mpi3mr_os.c | 2 ++ + 3 files changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/mpi3mr/mpi3mr.h ++++ b/drivers/scsi/mpi3mr/mpi3mr.h +@@ -701,6 +701,8 @@ struct scmd_priv { + * @driver_info: Driver, Kernel, OS information to firmware + * @change_count: Topology change count + * @op_reply_q_offset: Operational reply queue offset with MSIx ++ * @adm_req_q_bar_writeq_lock: Admin request queue lock ++ * @adm_reply_q_bar_writeq_lock: Admin reply queue lock + */ + struct mpi3mr_ioc { + struct list_head list; +@@ -828,6 +830,8 @@ struct mpi3mr_ioc { + struct mpi3_driver_info_layout driver_info; + u16 change_count; + u16 op_reply_q_offset; ++ spinlock_t adm_req_q_bar_writeq_lock; ++ spinlock_t adm_reply_q_bar_writeq_lock; + }; + + /** +--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c +@@ -11,17 +11,22 @@ + #include + + #if defined(writeq) && defined(CONFIG_64BIT) +-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr) ++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr, ++ spinlock_t *write_queue_lock) + { + writeq(b, addr); + } + #else +-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr) ++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr, ++ spinlock_t *write_queue_lock) + { + __u64 data_out = b; ++ unsigned long flags; + ++ spin_lock_irqsave(write_queue_lock, flags); + writel((u32)(data_out), addr); + writel((u32)(data_out >> 32), (addr + 4)); ++ spin_unlock_irqrestore(write_queue_lock, flags); + } + #endif + +@@ -2183,9 +2188,11 @@ static int mpi3mr_setup_admin_qpair(stru + (mrioc->num_admin_req); + writel(num_admin_entries, &mrioc->sysif_regs->admin_queue_num_entries); + mpi3mr_writeq(mrioc->admin_req_dma, +- &mrioc->sysif_regs->admin_request_queue_address); ++ &mrioc->sysif_regs->admin_request_queue_address, ++ &mrioc->adm_req_q_bar_writeq_lock); + mpi3mr_writeq(mrioc->admin_reply_dma, +- &mrioc->sysif_regs->admin_reply_queue_address); ++ &mrioc->sysif_regs->admin_reply_queue_address, ++ &mrioc->adm_reply_q_bar_writeq_lock); + writel(mrioc->admin_req_pi, &mrioc->sysif_regs->admin_request_queue_pi); + writel(mrioc->admin_reply_ci, &mrioc->sysif_regs->admin_reply_queue_ci); + return retval; +--- a/drivers/scsi/mpi3mr/mpi3mr_os.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_os.c +@@ -3796,6 +3796,8 @@ mpi3mr_probe(struct pci_dev *pdev, const + spin_lock_init(&mrioc->tgtdev_lock); + spin_lock_init(&mrioc->watchdog_lock); + spin_lock_init(&mrioc->chain_buf_lock); ++ spin_lock_init(&mrioc->adm_req_q_bar_writeq_lock); ++ spin_lock_init(&mrioc->adm_reply_q_bar_writeq_lock); + + INIT_LIST_HEAD(&mrioc->fwevt_list); + INIT_LIST_HEAD(&mrioc->tgtdev_list); diff --git a/queue-5.15/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch b/queue-5.15/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch new file mode 100644 index 0000000000..753d15d959 --- /dev/null +++ b/queue-5.15/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch @@ -0,0 +1,58 @@ +From stable+bounces-172481-greg=kroah.com@vger.kernel.org Fri Aug 22 19:30:03 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 13:29:55 -0400 +Subject: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE +To: stable@vger.kernel.org +Cc: "André Draszik" , "Bart Van Assche" , "Peter Griffin" , "Martin K. Petersen" , "Sasha Levin" +Message-ID: <20250822172955.1334600-1-sashal@kernel.org> + +From: André Draszik + +[ Upstream commit 01aad16c2257ab8ff33b152b972c9f2e1af47912 ] + +On Google gs101, the number of UTP transfer request slots (nutrs) is 32, +and in this case the driver ends up programming the UTRL_NEXUS_TYPE +incorrectly as 0. + +This is because the left hand side of the shift is 1, which is of type +int, i.e. 31 bits wide. Shifting by more than that width results in +undefined behaviour. + +Fix this by switching to the BIT() macro, which applies correct type +casting as required. This ensures the correct value is written to +UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift +warning: + + UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21 + shift exponent 32 is too large for 32-bit type 'int' + +For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE +write. + +Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs") +Cc: stable@vger.kernel.org +Signed-off-by: André Draszik +Link: https://lore.kernel.org/r/20250707-ufs-exynos-shift-v1-1-1418e161ae40@linaro.org +Reviewed-by: Bart Van Assche +Reviewed-by: Peter Griffin +Signed-off-by: Martin K. Petersen +[ Adjusted path from drivers/ufs/host to drivers/scsi/ufs ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufs-exynos.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ufs/ufs-exynos.c ++++ b/drivers/scsi/ufs/ufs-exynos.c +@@ -837,8 +837,8 @@ static int exynos_ufs_post_link(struct u + hci_writel(ufs, 0xa, HCI_DATA_REORDER); + hci_writel(ufs, PRDT_SET_SIZE(12), HCI_TXPRDT_ENTRY_SIZE); + hci_writel(ufs, PRDT_SET_SIZE(12), HCI_RXPRDT_ENTRY_SIZE); +- hci_writel(ufs, (1 << hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE); +- hci_writel(ufs, (1 << hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE); ++ hci_writel(ufs, BIT(hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE); ++ hci_writel(ufs, BIT(hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE); + hci_writel(ufs, 0xf, HCI_AXIDMA_RWDATA_BURST_LEN); + + if (ufs->opts & EXYNOS_UFS_OPT_SKIP_CONNECTION_ESTAB) diff --git a/queue-5.15/series b/queue-5.15/series index f2bdcf063b..943ac27de4 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -589,3 +589,22 @@ usb-storage-realtek_cr-use-correct-byte-order-for-bcs-residue.patch usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch +drm-amd-display-don-t-overclock-dce-6-by-15.patch +mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch +drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch +f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch +media-camss-convert-to-platform-remove-callback-returning-void.patch +media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch +media-venus-add-support-for-ssr-trigger-using-fault-injection.patch +media-venus-protect-against-spurious-interrupts-during-probe.patch +locking-barriers-kcsan-support-generic-instrumentation.patch +asm-generic-add-memory-barrier-dma_mb.patch +wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch +soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch +iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch +scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch +scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch +scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch +pwm-mediatek-implement-.apply-callback.patch +pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch +pwm-mediatek-fix-duty-and-period-setting.patch diff --git a/queue-5.15/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch b/queue-5.15/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch new file mode 100644 index 0000000000..838d92d114 --- /dev/null +++ b/queue-5.15/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch @@ -0,0 +1,109 @@ +From stable+bounces-172488-greg=kroah.com@vger.kernel.org Fri Aug 22 20:09:10 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 14:09:02 -0400 +Subject: soc: qcom: mdt_loader: Ensure we don't read past the ELF header +To: stable@vger.kernel.org +Cc: Bjorn Andersson , Doug Anderson , Dmitry Baryshkov , Bjorn Andersson , Sasha Levin +Message-ID: <20250822180902.1356815-1-sashal@kernel.org> + +From: Bjorn Andersson + +[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ] + +When the MDT loader is used in remoteproc, the ELF header is sanitized +beforehand, but that's not necessary the case for other clients. + +Validate the size of the firmware buffer to ensure that we don't read +past the end as we iterate over the header. e_phentsize and e_shentsize +are validated as well, to ensure that the assumptions about step size in +the traversal are valid. + +Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom") +Cc: stable@vger.kernel.org +Reported-by: Doug Anderson +Signed-off-by: Bjorn Andersson +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/mdt_loader.c | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +--- a/drivers/soc/qcom/mdt_loader.c ++++ b/drivers/soc/qcom/mdt_loader.c +@@ -12,11 +12,43 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + ++static bool mdt_header_valid(const struct firmware *fw) ++{ ++ const struct elf32_hdr *ehdr; ++ size_t phend; ++ size_t shend; ++ ++ if (fw->size < sizeof(*ehdr)) ++ return false; ++ ++ ehdr = (struct elf32_hdr *)fw->data; ++ ++ if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG)) ++ return false; ++ ++ if (ehdr->e_phentsize != sizeof(struct elf32_phdr)) ++ return false; ++ ++ phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff); ++ if (phend > fw->size) ++ return false; ++ ++ if (ehdr->e_shentsize != sizeof(struct elf32_shdr)) ++ return false; ++ ++ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff); ++ if (shend > fw->size) ++ return false; ++ ++ return true; ++} ++ + static bool mdt_phdr_valid(const struct elf32_phdr *phdr) + { + if (phdr->p_type != PT_LOAD) +@@ -46,6 +78,9 @@ ssize_t qcom_mdt_get_size(const struct f + phys_addr_t max_addr = 0; + int i; + ++ if (!mdt_header_valid(fw)) ++ return -EINVAL; ++ + ehdr = (struct elf32_hdr *)fw->data; + phdrs = (struct elf32_phdr *)(ehdr + 1); + +@@ -92,6 +127,9 @@ void *qcom_mdt_read_metadata(const struc + size_t ehdr_size; + void *data; + ++ if (!mdt_header_valid(fw)) ++ return ERR_PTR(-EINVAL); ++ + ehdr = (struct elf32_hdr *)fw->data; + phdrs = (struct elf32_phdr *)(ehdr + 1); + +@@ -151,6 +189,9 @@ static int __qcom_mdt_load(struct device + if (!fw || !mem_region || !mem_phys || !mem_size) + return -EINVAL; + ++ if (!mdt_header_valid(fw)) ++ return -EINVAL; ++ + ehdr = (struct elf32_hdr *)fw->data; + phdrs = (struct elf32_phdr *)(ehdr + 1); + diff --git a/queue-5.15/wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch b/queue-5.15/wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch new file mode 100644 index 0000000000..b71536b017 --- /dev/null +++ b/queue-5.15/wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch @@ -0,0 +1,65 @@ +From stable+bounces-172509-greg=kroah.com@vger.kernel.org Fri Aug 22 21:35:13 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:35:02 -0400 +Subject: wifi: ath11k: fix dest ring-buffer corruption when ring is full +To: stable@vger.kernel.org +Cc: Johan Hovold , Baochen Qiang , Jeff Johnson , Sasha Levin +Message-ID: <20250822193502.1445377-3-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit aa6956150f820e6a6deba44be325ddfcb5b10f88 ] + +Add the missing memory barriers to make sure that destination ring +descriptors are read before updating the tail pointer (and passing +ownership to the device) to avoid memory corruption on weakly ordered +architectures like aarch64 when the ring is full. + +Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Signed-off-by: Johan Hovold +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250604143457.26032-6-johan+linaro@kernel.org +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/hal.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -789,7 +789,6 @@ void ath11k_hal_srng_access_end(struct a + { + lockdep_assert_held(&srng->lock); + +- /* TODO: See if we need a write memory barrier here */ + if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) { + /* For LMAC rings, ring pointer updates are done through FW and + * hence written to a shared memory location that is read by FW +@@ -804,7 +803,11 @@ void ath11k_hal_srng_access_end(struct a + WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp); + } else { + srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr; +- *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp; ++ /* Make sure descriptor is read before updating the ++ * tail pointer. ++ */ ++ dma_mb(); ++ WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp); + } + } else { + if (srng->ring_dir == HAL_SRNG_DIR_SRC) { +@@ -820,6 +823,10 @@ void ath11k_hal_srng_access_end(struct a + srng->u.src_ring.hp); + } else { + srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr; ++ /* Make sure descriptor is read before updating the ++ * tail pointer. ++ */ ++ mb(); + ath11k_hif_write32(ab, + (unsigned long)srng->u.dst_ring.tp_addr - + (unsigned long)ab->mem,