From: Greg Kroah-Hartman Date: Tue, 10 Dec 2024 09:21:02 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.6.65~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e52e6c73b22e5e025e2565d87dd52721ab89634;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch alsa-hda-realtek-fix-micmute-leds-don-t-work-on-hp-laptops.patch alsa-usb-audio-add-extra-pid-for-rme-digiface-usb.patch alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch arm64-ensure-bits-asid-are-masked-out-when-the-kernel-uses-8-bit-asids.patch arm64-mm-fix-zone_dma_limit-calculation.patch arm64-ptrace-fix-partial-setregset-for-nt_arm_fpmr.patch arm64-ptrace-fix-partial-setregset-for-nt_arm_poe.patch arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch bcache-revert-replacing-is_err_or_null-with-is_err-again.patch can-dev-can_set_termination-allow-sleeping-gpios.patch can-mcp251xfd-mcp251xfd_get_tef_len-work-around-erratum-ds80000789e-6.patch fs-smb-client-avoid-querying-smb2_op_query_wsl_ea-for-smb3-posix.patch fs-smb-client-cifs_prime_dcache-for-smb3-posix-reparse-points.patch fs-smb-client-implement-new-smb3-posix-type.patch io_uring-change-res2-parameter-type-in-io_uring_cmd_done.patch iommufd-fix-out_fput-in-iommufd_fault_alloc.patch ksmbd-fix-out-of-bounds-read-in-ksmbd_vfs_stream_read.patch ksmbd-fix-out-of-bounds-write-in-ksmbd_vfs_stream_write.patch loongarch-add-architecture-specific-huge_pte_clear.patch loongarch-kvm-protect-kvm_check_requests-with-srcu.patch net-mana-request-a-v2-response-version-for-mana_query_gf_stat.patch nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch pmdomain-imx-gpcv2-adjust-delay-after-power-up-handshake.patch revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch 
scsi-qla2xxx-fix-abort-in-bsg-timeout.patch scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch scsi-qla2xxx-fix-use-after-free-on-unload.patch scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch scsi-ufs-core-add-missing-post-notify-for-power-mode-change.patch scsi-ufs-core-cancel-rtc-work-during-ufshcd_remove.patch scsi-ufs-core-sysfs-prevent-div-by-zero.patch scsi-ufs-pltfrm-disable-runtime-pm-during-removal-of-glue-drivers.patch scsi-ufs-pltfrm-drop-pm-runtime-reference-count-after-ufshcd_remove.patch scsi-ufs-qcom-only-free-platform-msis-when-esi-is-enabled.patch smb3.1.1-fix-posix-mounts-to-older-servers.patch tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch watchdog-rti-of-honor-timeout-sec-property.patch
---
diff --git a/queue-6.12/alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch b/queue-6.12/alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch
new file mode 100644
index 00000000000..376b1bb48e5
--- /dev/null
+++ b/queue-6.12/alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch
@@ -0,0 +1,36 @@
+From e2974a220594c06f536e65dfd7b2447e0e83a1cb Mon Sep 17 00:00:00 2001
+From: Sahas Leelodharry
+Date: Mon, 2 Dec 2024 03:28:33 +0000
+Subject: ALSA: hda/realtek: Add support for Samsung Galaxy Book3 360 (NP730QFG)
+
+From: Sahas Leelodharry
+
+commit e2974a220594c06f536e65dfd7b2447e0e83a1cb upstream.
+
+Fixes the 3.5mm headphone jack on the Samsung Galaxy Book 3 360
+NP730QFG laptop.
+Unlike the other Galaxy Book3 series devices, this device only needs
+the ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET quirk.
+Verified changes on the device and compared with codec state in Windows.
+
+[ white-space fixes by tiwai ]
+
+Signed-off-by: Sahas Leelodharry
+Cc:
+Link: https://patch.msgid.link/QB1PR01MB40047D4CC1282DB7F1333124CC352@QB1PR01MB4004.CANPRD01.PROD.OUTLOOK.COM
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10753,6 +10753,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc832, "Samsung Galaxy Book Flex Alpha (NP730QCJ)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
+ SND_PCI_QUIRK(0x144d, 0xca03, "Samsung Galaxy Book2 Pro 360 (NP930QED)", ALC298_FIXUP_SAMSUNG_AMP),
++ SND_PCI_QUIRK(0x144d, 0xca06, "Samsung Galaxy Book3 360 (NP730QFG)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
+ SND_PCI_QUIRK(0x144d, 0xc868, "Samsung Galaxy Book2 Pro (NP930XED)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc870, "Samsung Galaxy Book2 Pro (NP950XED)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS),
+ SND_PCI_QUIRK(0x144d, 0xc872, "Samsung Galaxy Book2 Pro (NP950XEE)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS),
diff --git a/queue-6.12/alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch b/queue-6.12/alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch
new file mode 100644
index 00000000000..77b5d005207
--- /dev/null
+++ b/queue-6.12/alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch
@@ -0,0 +1,31 @@
+From 3a83f7baf1346aca885cb83cb888e835fef7c472 Mon Sep 17 00:00:00 2001
+From: Nazar Bilinskyi
+Date: Sun, 1 Dec 2024 01:16:31 +0200
+Subject: ALSA: hda/realtek: Enable mute and micmute LED on HP ProBook 430 G8
+
+From: Nazar Bilinskyi
+
+commit 3a83f7baf1346aca885cb83cb888e835fef7c472 upstream.
+
+HP ProBook 430 G8 has a mute and micmute LEDs that can be made to work
+using quirk ALC236_FIXUP_HP_GPIO_LED. Enable already existing quirk.
+
+Signed-off-by: Nazar Bilinskyi
+Cc:
+Link: https://patch.msgid.link/20241130231631.8929-1-nbilinskyi@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10411,6 +10411,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
++ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f1, "HP ProBook 630 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
diff --git a/queue-6.12/alsa-hda-realtek-fix-micmute-leds-don-t-work-on-hp-laptops.patch b/queue-6.12/alsa-hda-realtek-fix-micmute-leds-don-t-work-on-hp-laptops.patch
new file mode 100644
index 00000000000..ba8ac097bda
--- /dev/null
+++ b/queue-6.12/alsa-hda-realtek-fix-micmute-leds-don-t-work-on-hp-laptops.patch
@@ -0,0 +1,39 @@
+From 0d08f0eec961acdb0424a3e2cfb37cfb89154833 Mon Sep 17 00:00:00 2001
+From: Chris Chiu
+Date: Mon, 2 Dec 2024 22:46:59 +0800
+Subject: ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops
+
+From: Chris Chiu
+
+commit 0d08f0eec961acdb0424a3e2cfb37cfb89154833 upstream.
+
+These HP laptops use Realtek HDA codec ALC3315 combined CS35L56
+Amplifiers. They need the quirk ALC285_FIXUP_HP_GPIO_LED to get
+the micmute LED working.
+
+Signed-off-by: Chris Chiu
+Reviewed-by: Simon Trimmer
+Cc:
+Link: https://patch.msgid.link/20241202144659.1553504-1-chris.chiu@canonical.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10592,7 +10592,13 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8cdf, "HP SnowWhite", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ce0, "HP SnowWhite", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8cf5, "HP ZBook Studio 16", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8d01, "HP ZBook Power 14 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8d84, "HP EliteBook X G1i", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8d91, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8d92, "HP ZBook Firefly 16 G12", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8e18, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8e19, "HP ZBook Firelfy 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
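Review bot: The name string on the added 0x8e19 entry is misspelled, `"HP ZBook Firelfy 14 G12A"`, while the neighbouring 0x8e18 and 0x8e1a entries read "Firefly". The entry is keyed on the two IDs, so the string looks like a label only and matching should be unaffected, but the typo breaks searching the table by model name. As this is a stable backport it should stay identical to upstream commit 0d08f0eec961, so the corrected line `SND_PCI_QUIRK(0x103c, 0x8e19, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED),` belongs in a follow-up upstream first. The three 0x8e18 to 0x8e1a entries also carry the same model name; a short trailing comment saying what distinguishes the SKUs would help the next person editing the table.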
diff --git a/queue-6.12/alsa-usb-audio-add-extra-pid-for-rme-digiface-usb.patch b/queue-6.12/alsa-usb-audio-add-extra-pid-for-rme-digiface-usb.patch new file mode 100644 index 00000000000..67975d4eed4 --- /dev/null +++ b/queue-6.12/alsa-usb-audio-add-extra-pid-for-rme-digiface-usb.patch 
@@ -0,0 +1,408 @@ +From f09f0397db641f99f6c3e109283d82e3584bfb50 Mon Sep 17 00:00:00 2001 +From: Asahi Lina +Date: Mon, 2 Dec 2024 22:17:15 +0900 +Subject: ALSA: usb-audio: Add extra PID for RME Digiface USB + +From: Asahi Lina + +commit f09f0397db641f99f6c3e109283d82e3584bfb50 upstream. + +It seems there is an alternate version of the hardware with a different +PID. User testing reveals this still works with the same interface as far +as the kernel is concerned, so just add the extra PID. Thanks to Heiko +Engemann for testing with this version. + +Due to the way quirks-table.h is structured, that means we have to turn +the entire quirk struct into a macro to avoid duplicating it... + +Cc: stable@vger.kernel.org +Signed-off-by: Asahi Lina +Link: https://patch.msgid.link/20241202-rme-digiface-usb-id-v1-1-50f730d7a46e@asahilina.net +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_quirks.c | 1 + sound/usb/quirks-table.h | 341 +++++++++++++++++++++++------------------------ + sound/usb/quirks.c | 2 + 3 files changed, 176 insertions(+), 168 deletions(-) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -4059,6 +4059,7 @@ int snd_usb_mixer_apply_create_quirk(str + err = snd_bbfpro_controls_create(mixer); + break; + case USB_ID(0x2a39, 0x3f8c): /* RME Digiface USB */ ++ case USB_ID(0x2a39, 0x3fa0): /* RME Digiface USB (alternate) */ + err = snd_rme_digiface_controls_create(mixer); + break; + case USB_ID(0x2b73, 0x0017): /* Pioneer DJ DJM-250MK2 */ +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3616,176 +3616,181 @@ YAMAHA_DEVICE(0x7010, "UB99"), + } + } + }, +-{ +- /* Only claim interface 0 */ +- .match_flags = USB_DEVICE_ID_MATCH_VENDOR | +- USB_DEVICE_ID_MATCH_PRODUCT | +- USB_DEVICE_ID_MATCH_INT_CLASS | +- USB_DEVICE_ID_MATCH_INT_NUMBER, +- .idVendor = 0x2a39, +- .idProduct = 0x3f8c, +- .bInterfaceClass = USB_CLASS_VENDOR_SPEC, +- .bInterfaceNumber = 0, +- QUIRK_DRIVER_INFO { +- 
QUIRK_DATA_COMPOSITE { ++#define QUIRK_RME_DIGIFACE(pid) \ ++{ \ ++ /* Only claim interface 0 */ \ ++ .match_flags = USB_DEVICE_ID_MATCH_VENDOR | \ ++ USB_DEVICE_ID_MATCH_PRODUCT | \ ++ USB_DEVICE_ID_MATCH_INT_CLASS | \ ++ USB_DEVICE_ID_MATCH_INT_NUMBER, \ ++ .idVendor = 0x2a39, \ ++ .idProduct = pid, \ ++ .bInterfaceClass = USB_CLASS_VENDOR_SPEC, \ ++ .bInterfaceNumber = 0, \ ++ QUIRK_DRIVER_INFO { \ ++ QUIRK_DATA_COMPOSITE { \ + /* + * Three modes depending on sample rate band, + * with different channel counts for in/out +- */ +- { QUIRK_DATA_STANDARD_MIXER(0) }, +- { +- QUIRK_DATA_AUDIOFORMAT(0) { +- .formats = SNDRV_PCM_FMTBIT_S32_LE, +- .channels = 34, // outputs +- .fmt_bits = 24, +- .iface = 0, +- .altsetting = 1, +- .altset_idx = 1, +- .endpoint = 0x02, +- .ep_idx = 1, +- .ep_attr = USB_ENDPOINT_XFER_ISOC | +- USB_ENDPOINT_SYNC_ASYNC, +- .rates = SNDRV_PCM_RATE_32000 | +- SNDRV_PCM_RATE_44100 | +- SNDRV_PCM_RATE_48000, +- .rate_min = 32000, +- .rate_max = 48000, +- .nr_rates = 3, +- .rate_table = (unsigned int[]) { +- 32000, 44100, 48000, +- }, +- .sync_ep = 0x81, +- .sync_iface = 0, +- .sync_altsetting = 1, +- .sync_ep_idx = 0, +- .implicit_fb = 1, +- }, +- }, +- { +- QUIRK_DATA_AUDIOFORMAT(0) { +- .formats = SNDRV_PCM_FMTBIT_S32_LE, +- .channels = 18, // outputs +- .fmt_bits = 24, +- .iface = 0, +- .altsetting = 1, +- .altset_idx = 1, +- .endpoint = 0x02, +- .ep_idx = 1, +- .ep_attr = USB_ENDPOINT_XFER_ISOC | +- USB_ENDPOINT_SYNC_ASYNC, +- .rates = SNDRV_PCM_RATE_64000 | +- SNDRV_PCM_RATE_88200 | +- SNDRV_PCM_RATE_96000, +- .rate_min = 64000, +- .rate_max = 96000, +- .nr_rates = 3, +- .rate_table = (unsigned int[]) { +- 64000, 88200, 96000, +- }, +- .sync_ep = 0x81, +- .sync_iface = 0, +- .sync_altsetting = 1, +- .sync_ep_idx = 0, +- .implicit_fb = 1, +- }, +- }, +- { +- QUIRK_DATA_AUDIOFORMAT(0) { +- .formats = SNDRV_PCM_FMTBIT_S32_LE, +- .channels = 10, // outputs +- .fmt_bits = 24, +- .iface = 0, +- .altsetting = 1, +- .altset_idx = 1, +- .endpoint = 
0x02, +- .ep_idx = 1, +- .ep_attr = USB_ENDPOINT_XFER_ISOC | +- USB_ENDPOINT_SYNC_ASYNC, +- .rates = SNDRV_PCM_RATE_KNOT | +- SNDRV_PCM_RATE_176400 | +- SNDRV_PCM_RATE_192000, +- .rate_min = 128000, +- .rate_max = 192000, +- .nr_rates = 3, +- .rate_table = (unsigned int[]) { +- 128000, 176400, 192000, +- }, +- .sync_ep = 0x81, +- .sync_iface = 0, +- .sync_altsetting = 1, +- .sync_ep_idx = 0, +- .implicit_fb = 1, +- }, +- }, +- { +- QUIRK_DATA_AUDIOFORMAT(0) { +- .formats = SNDRV_PCM_FMTBIT_S32_LE, +- .channels = 32, // inputs +- .fmt_bits = 24, +- .iface = 0, +- .altsetting = 1, +- .altset_idx = 1, +- .endpoint = 0x81, +- .ep_attr = USB_ENDPOINT_XFER_ISOC | +- USB_ENDPOINT_SYNC_ASYNC, +- .rates = SNDRV_PCM_RATE_32000 | +- SNDRV_PCM_RATE_44100 | +- SNDRV_PCM_RATE_48000, +- .rate_min = 32000, +- .rate_max = 48000, +- .nr_rates = 3, +- .rate_table = (unsigned int[]) { +- 32000, 44100, 48000, +- } +- } +- }, +- { +- QUIRK_DATA_AUDIOFORMAT(0) { +- .formats = SNDRV_PCM_FMTBIT_S32_LE, +- .channels = 16, // inputs +- .fmt_bits = 24, +- .iface = 0, +- .altsetting = 1, +- .altset_idx = 1, +- .endpoint = 0x81, +- .ep_attr = USB_ENDPOINT_XFER_ISOC | +- USB_ENDPOINT_SYNC_ASYNC, +- .rates = SNDRV_PCM_RATE_64000 | +- SNDRV_PCM_RATE_88200 | +- SNDRV_PCM_RATE_96000, +- .rate_min = 64000, +- .rate_max = 96000, +- .nr_rates = 3, +- .rate_table = (unsigned int[]) { +- 64000, 88200, 96000, +- } +- } +- }, +- { +- QUIRK_DATA_AUDIOFORMAT(0) { +- .formats = SNDRV_PCM_FMTBIT_S32_LE, +- .channels = 8, // inputs +- .fmt_bits = 24, +- .iface = 0, +- .altsetting = 1, +- .altset_idx = 1, +- .endpoint = 0x81, +- .ep_attr = USB_ENDPOINT_XFER_ISOC | +- USB_ENDPOINT_SYNC_ASYNC, +- .rates = SNDRV_PCM_RATE_KNOT | +- SNDRV_PCM_RATE_176400 | +- SNDRV_PCM_RATE_192000, +- .rate_min = 128000, +- .rate_max = 192000, +- .nr_rates = 3, +- .rate_table = (unsigned int[]) { +- 128000, 176400, 192000, +- } +- } +- }, +- QUIRK_COMPOSITE_END +- } +- } +-}, ++ */ \ ++ { QUIRK_DATA_STANDARD_MIXER(0) }, \ ++ { \ ++ 
QUIRK_DATA_AUDIOFORMAT(0) { \ ++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \ ++ .channels = 34, /* outputs */ \ ++ .fmt_bits = 24, \ ++ .iface = 0, \ ++ .altsetting = 1, \ ++ .altset_idx = 1, \ ++ .endpoint = 0x02, \ ++ .ep_idx = 1, \ ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \ ++ USB_ENDPOINT_SYNC_ASYNC, \ ++ .rates = SNDRV_PCM_RATE_32000 | \ ++ SNDRV_PCM_RATE_44100 | \ ++ SNDRV_PCM_RATE_48000, \ ++ .rate_min = 32000, \ ++ .rate_max = 48000, \ ++ .nr_rates = 3, \ ++ .rate_table = (unsigned int[]) { \ ++ 32000, 44100, 48000, \ ++ }, \ ++ .sync_ep = 0x81, \ ++ .sync_iface = 0, \ ++ .sync_altsetting = 1, \ ++ .sync_ep_idx = 0, \ ++ .implicit_fb = 1, \ ++ }, \ ++ }, \ ++ { \ ++ QUIRK_DATA_AUDIOFORMAT(0) { \ ++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \ ++ .channels = 18, /* outputs */ \ ++ .fmt_bits = 24, \ ++ .iface = 0, \ ++ .altsetting = 1, \ ++ .altset_idx = 1, \ ++ .endpoint = 0x02, \ ++ .ep_idx = 1, \ ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \ ++ USB_ENDPOINT_SYNC_ASYNC, \ ++ .rates = SNDRV_PCM_RATE_64000 | \ ++ SNDRV_PCM_RATE_88200 | \ ++ SNDRV_PCM_RATE_96000, \ ++ .rate_min = 64000, \ ++ .rate_max = 96000, \ ++ .nr_rates = 3, \ ++ .rate_table = (unsigned int[]) { \ ++ 64000, 88200, 96000, \ ++ }, \ ++ .sync_ep = 0x81, \ ++ .sync_iface = 0, \ ++ .sync_altsetting = 1, \ ++ .sync_ep_idx = 0, \ ++ .implicit_fb = 1, \ ++ }, \ ++ }, \ ++ { \ ++ QUIRK_DATA_AUDIOFORMAT(0) { \ ++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \ ++ .channels = 10, /* outputs */ \ ++ .fmt_bits = 24, \ ++ .iface = 0, \ ++ .altsetting = 1, \ ++ .altset_idx = 1, \ ++ .endpoint = 0x02, \ ++ .ep_idx = 1, \ ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \ ++ USB_ENDPOINT_SYNC_ASYNC, \ ++ .rates = SNDRV_PCM_RATE_KNOT | \ ++ SNDRV_PCM_RATE_176400 | \ ++ SNDRV_PCM_RATE_192000, \ ++ .rate_min = 128000, \ ++ .rate_max = 192000, \ ++ .nr_rates = 3, \ ++ .rate_table = (unsigned int[]) { \ ++ 128000, 176400, 192000, \ ++ }, \ ++ .sync_ep = 0x81, \ ++ .sync_iface = 0, \ ++ .sync_altsetting = 1, \ ++ .sync_ep_idx = 0, \ ++ .implicit_fb = 
1, \ ++ }, \ ++ }, \ ++ { \ ++ QUIRK_DATA_AUDIOFORMAT(0) { \ ++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \ ++ .channels = 32, /* inputs */ \ ++ .fmt_bits = 24, \ ++ .iface = 0, \ ++ .altsetting = 1, \ ++ .altset_idx = 1, \ ++ .endpoint = 0x81, \ ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \ ++ USB_ENDPOINT_SYNC_ASYNC, \ ++ .rates = SNDRV_PCM_RATE_32000 | \ ++ SNDRV_PCM_RATE_44100 | \ ++ SNDRV_PCM_RATE_48000, \ ++ .rate_min = 32000, \ ++ .rate_max = 48000, \ ++ .nr_rates = 3, \ ++ .rate_table = (unsigned int[]) { \ ++ 32000, 44100, 48000, \ ++ } \ ++ } \ ++ }, \ ++ { \ ++ QUIRK_DATA_AUDIOFORMAT(0) { \ ++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \ ++ .channels = 16, /* inputs */ \ ++ .fmt_bits = 24, \ ++ .iface = 0, \ ++ .altsetting = 1, \ ++ .altset_idx = 1, \ ++ .endpoint = 0x81, \ ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \ ++ USB_ENDPOINT_SYNC_ASYNC, \ ++ .rates = SNDRV_PCM_RATE_64000 | \ ++ SNDRV_PCM_RATE_88200 | \ ++ SNDRV_PCM_RATE_96000, \ ++ .rate_min = 64000, \ ++ .rate_max = 96000, \ ++ .nr_rates = 3, \ ++ .rate_table = (unsigned int[]) { \ ++ 64000, 88200, 96000, \ ++ } \ ++ } \ ++ }, \ ++ { \ ++ QUIRK_DATA_AUDIOFORMAT(0) { \ ++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \ ++ .channels = 8, /* inputs */ \ ++ .fmt_bits = 24, \ ++ .iface = 0, \ ++ .altsetting = 1, \ ++ .altset_idx = 1, \ ++ .endpoint = 0x81, \ ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \ ++ USB_ENDPOINT_SYNC_ASYNC, \ ++ .rates = SNDRV_PCM_RATE_KNOT | \ ++ SNDRV_PCM_RATE_176400 | \ ++ SNDRV_PCM_RATE_192000, \ ++ .rate_min = 128000, \ ++ .rate_max = 192000, \ ++ .nr_rates = 3, \ ++ .rate_table = (unsigned int[]) { \ ++ 128000, 176400, 192000, \ ++ } \ ++ } \ ++ }, \ ++ QUIRK_COMPOSITE_END \ ++ } \ ++ } \ ++} ++ ++QUIRK_RME_DIGIFACE(0x3f8c), ++QUIRK_RME_DIGIFACE(0x3fa0), ++ + #undef USB_DEVICE_VENDOR_SPEC + #undef USB_AUDIO_DEVICE +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1665,6 +1665,7 @@ int snd_usb_apply_boot_quirk(struct usb_ + return snd_usb_motu_microbookii_boot_quirk(dev); + break; + case 
USB_ID(0x2a39, 0x3f8c): /* RME Digiface USB */ ++ case USB_ID(0x2a39, 0x3fa0): /* RME Digiface USB (alternate) */ + return snd_usb_rme_digiface_boot_quirk(dev); + } + +@@ -1878,6 +1879,7 @@ void snd_usb_set_format_quirk(struct snd + mbox3_set_format_quirk(subs, fmt); /* Digidesign Mbox 3 */ + break; + case USB_ID(0x2a39, 0x3f8c): /* RME Digiface USB */ ++ case USB_ID(0x2a39, 0x3fa0): /* RME Digiface USB (alternate) */ + rme_digiface_set_format_quirk(subs); + break; + } diff --git a/queue-6.12/alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch b/queue-6.12/alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch new file mode 100644 index 00000000000..dff293846ad --- /dev/null +++ b/queue-6.12/alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch 
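Review bot: QUIRK_RME_DIGIFACE is defined in the middle of quirks-table.h and never undefined, although the context lines right after its two uses show the file cleaning up its other helper macros with `#undef USB_DEVICE_VENDOR_SPEC` and `#undef USB_AUDIO_DEVICE`. Adding `#undef QUIRK_RME_DIGIFACE` next to them keeps the name from leaking into the file that includes the table. Inside the macro body the block comment ("Three modes depending on sample rate band") keeps its first three lines as unchanged context without a trailing backslash and only the closing `*/ \` is continued; that compiles because the comment is replaced before the directive ends, but a backslash on every line of the comment would make the continuation obvious. The parameter is also used bare in `.idProduct = pid,` where `(pid)` is the safer macro habit.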
@@ -0,0 +1,43 @@
+From a7de2b873f3dbcda02d504536f1ec6dc50e3f6c4 Mon Sep 17 00:00:00 2001
+From: Marie Ramlow
+Date: Sat, 30 Nov 2024 17:52:40 +0100
+Subject: ALSA: usb-audio: add mixer mapping for Corsair HS80
+
+From: Marie Ramlow
+
+commit a7de2b873f3dbcda02d504536f1ec6dc50e3f6c4 upstream.
+
+The Corsair HS80 RGB Wireless is a USB headset with a mic and a sidetone
+feature. It has the same quirk as the Virtuoso series.
+This labels the mixers appropriately, so applications don't
+move the sidetone volume when they actually intend to move the main
+headset volume.
+
+Signed-off-by: Marie Ramlow
+cc:
+Link: https://patch.msgid.link/20241130165240.17838-1-me@nycode.dev
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/mixer_maps.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/sound/usb/mixer_maps.c
++++ b/sound/usb/mixer_maps.c
+@@ -621,6 +621,16 @@ static const struct usbmix_ctl_map usbmi
+ .id = USB_ID(0x1b1c, 0x0a42),
+ .map = corsair_virtuoso_map,
+ },
++ {
++ /* Corsair HS80 RGB Wireless (wired mode) */
++ .id = USB_ID(0x1b1c, 0x0a6a),
++ .map = corsair_virtuoso_map,
++ },
++ {
++ /* Corsair HS80 RGB Wireless (wireless mode) */
++ .id = USB_ID(0x1b1c, 0x0a6b),
++ .map = corsair_virtuoso_map,
++ },
+ { /* Gigabyte TRX40 Aorus Master (rear panel + front mic) */
+ .id = USB_ID(0x0414, 0xa001),
+ .map = aorus_master_alc1220vb_map,
diff --git a/queue-6.12/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch b/queue-6.12/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch
new file mode 100644
index 00000000000..573250ff46c
--- /dev/null
+++ b/queue-6.12/alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch
@@ -0,0 +1,125 @@
+From f7d306b47a24367302bd4fe846854e07752ffcd9 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 2 Dec 2024 15:57:54 +0300
+Subject: ALSA: usb-audio: Fix a DMA to stack memory bug
+
+From: Dan Carpenter
+
+commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream.
+
+The usb_get_descriptor() function does DMA so we're not allowed
+to use a stack buffer for that. Doing DMA to the stack is not portable
+all architectures. Move the "new_device_descriptor" from being stored
+on the stack and allocate it with kmalloc() instead.
+
+Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
+Cc: stable@kernel.org
+Signed-off-by: Dan Carpenter
+Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/quirks.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -555,7 +555,7 @@ int snd_usb_create_quirk(struct snd_usb_
+ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
+ {
+ struct usb_host_config *config = dev->actconfig;
+- struct usb_device_descriptor new_device_descriptor;
++ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL;
+ int err;
+
+ if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
+@@ -566,15 +566,19 @@ static int snd_usb_extigy_boot_quirk(str
+ 0x10, 0x43, 0x0001, 0x000a, NULL, 0);
+ if (err < 0)
+ dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
++
++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
++ if (!new_device_descriptor)
++ return -ENOMEM;
+ err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
+- &new_device_descriptor, sizeof(new_device_descriptor));
++ new_device_descriptor, sizeof(*new_device_descriptor));
+ if (err < 0)
+ dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+- new_device_descriptor.bNumConfigurations);
++ new_device_descriptor->bNumConfigurations);
+ else
+- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+ err = usb_reset_configuration(dev);
+ if (err < 0)
+ dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
+@@ -906,7 +910,7 @@ static void mbox2_setup_48_24_magic(stru
+ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
+ {
+ struct usb_host_config *config = dev->actconfig;
+- struct usb_device_descriptor new_device_descriptor;
++ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL;
+ int err;
+ u8 bootresponse[0x12];
+ int fwsize;
+@@ -941,15 +945,19 @@ static int snd_usb_mbox2_boot_quirk(stru
+
+ dev_dbg(&dev->dev, "device initialised!\n");
+
++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
++ if (!new_device_descriptor)
++ return -ENOMEM;
++
+ err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
+- &new_device_descriptor, sizeof(new_device_descriptor));
++ new_device_descriptor, sizeof(*new_device_descriptor));
+ if (err < 0)
+ dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+- new_device_descriptor.bNumConfigurations);
++ new_device_descriptor->bNumConfigurations);
+ else
+- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+
+ err = usb_reset_configuration(dev);
+ if (err < 0)
+@@ -1259,7 +1267,7 @@ static void mbox3_setup_defaults(struct
+ static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
+ {
+ struct usb_host_config *config = dev->actconfig;
+- struct usb_device_descriptor new_device_descriptor;
++ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL;
+ int err;
+ int descriptor_size;
+
+@@ -1272,15 +1280,19 @@ static int snd_usb_mbox3_boot_quirk(stru
+
+ dev_dbg(&dev->dev, "MBOX3: device initialised!\n");
+
++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
++ if (!new_device_descriptor)
++ return -ENOMEM;
++
+ err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
+- &new_device_descriptor, sizeof(new_device_descriptor));
++ new_device_descriptor, sizeof(*new_device_descriptor));
+ if (err < 0)
+ dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err);
+- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+ dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n",
+- new_device_descriptor.bNumConfigurations);
++ new_device_descriptor->bNumConfigurations);
+ else
+- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+
+ err = usb_reset_configuration(dev);
+ if (err < 0)
diff --git a/queue-6.12/arm64-ensure-bits-asid-are-masked-out-when-the-kernel-uses-8-bit-asids.patch b/queue-6.12/arm64-ensure-bits-asid-are-masked-out-when-the-kernel-uses-8-bit-asids.patch
new file mode 100644
index 00000000000..ead62aebdc8
--- /dev/null
+++ b/queue-6.12/arm64-ensure-bits-asid-are-masked-out-when-the-kernel-uses-8-bit-asids.patch
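Review bot: All three boot quirks still read `new_device_descriptor->bNumConfigurations`, and may `memcpy()` the buffer into `dev->descriptor`, after `usb_get_descriptor()` has failed, because `err < 0` is only logged with dev_dbg() and execution continues. With this change the buffer comes from `kmalloc()`, so on that path the comparison and the copy work on uninitialized heap contents rather than on data the device returned. The descriptor is device-supplied input, so it should be validated before it is trusted: allocate with `kzalloc(sizeof(*new_device_descriptor), GFP_KERNEL)` and only compare and copy when the read succeeded and was complete, e.g. guard them with `if (err == sizeof(*new_device_descriptor))`. The same sequence appears in snd_usb_extigy_boot_quirk(), snd_usb_mbox2_boot_quirk() and snd_usb_mbox3_boot_quirk(), whose bodies continue outside the inner hunks shown.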
@@ -0,0 +1,59 @@
+From c0900d15d31c2597dd9f634c8be2b71762199890 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas
+Date: Tue, 3 Dec 2024 15:19:41 +0000
+Subject: arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs
+
+From: Catalin Marinas
+
+commit c0900d15d31c2597dd9f634c8be2b71762199890 upstream.
+
+Linux currently sets the TCR_EL1.AS bit unconditionally during CPU
+bring-up. On an 8-bit ASID CPU, this is RES0 and ignored, otherwise
+16-bit ASIDs are enabled. However, if running in a VM and the hypervisor
+reports 8-bit ASIDs (ID_AA64MMFR0_EL1.ASIDBits == 0) on a 16-bit ASIDs
+CPU, Linux uses bits 8 to 63 as a generation number for tracking old
+process ASIDs. The bottom 8 bits of this generation end up being written
+to TTBR1_EL1 and also used for the ASID-based TLBI operations as the
+upper 8 bits of the ASID. Following an ASID roll-over event we can have
+threads of the same application with the same 8-bit ASID but different
+generation numbers running on separate CPUs. Both TLB caching and the
+TLBI operations will end up using different actual 16-bit ASIDs for the
+same process.
+
+A similar scenario can happen in a big.LITTLE configuration if the boot
+CPU only uses 8-bit ASIDs while secondary CPUs have 16-bit ASIDs.
+
+Ensure that the ASID generation is only tracked by bits 16 and up,
+leaving bits 15:8 as 0 if the kernel uses 8-bit ASIDs. Note that
+clearing TCR_EL1.AS is not sufficient since the architecture requires
+that the top 8 bits of the ASID passed to TLBI instructions are 0 rather
+than ignored in such configuration.
+
+Cc: stable@vger.kernel.org
+Cc: Will Deacon
+Cc: Mark Rutland
+Cc: Marc Zyngier
+Cc: James Morse
+Acked-by: Mark Rutland
+Acked-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20241203151941.353796-1-catalin.marinas@arm.com
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/mm/context.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/mm/context.c
++++ b/arch/arm64/mm/context.c
+@@ -32,9 +32,9 @@ static unsigned long nr_pinned_asids;
+ static unsigned long *pinned_asid_map;
+
+ #define ASID_MASK (~GENMASK(asid_bits - 1, 0))
+-#define ASID_FIRST_VERSION (1UL << asid_bits)
++#define ASID_FIRST_VERSION (1UL << 16)
+
+-#define NUM_USER_ASIDS ASID_FIRST_VERSION
++#define NUM_USER_ASIDS (1UL << asid_bits)
+ #define ctxid2asid(asid) ((asid) & ~ASID_MASK)
+ #define asid2ctxid(asid, genid) ((asid) | (genid))
+
diff --git a/queue-6.12/arm64-mm-fix-zone_dma_limit-calculation.patch b/queue-6.12/arm64-mm-fix-zone_dma_limit-calculation.patch
new file mode 100644
index 00000000000..b8f7e165ad9
--- /dev/null
+++ b/queue-6.12/arm64-mm-fix-zone_dma_limit-calculation.patch
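Review bot: The new `#define ASID_FIRST_VERSION (1UL << 16)` hard-codes 16 with no comment, while `ASID_MASK` on the context line above is still derived from `asid_bits`, so with 8-bit ASIDs the mask begins at bit 8 and the generation at bit 16. According to the commit message that gap is the whole fix (bits 15:8 must reach TTBR1_EL1 and the TLBI operations as zero), but nothing in the code records it and a later cleanup could easily fold the two definitions back together. A comment above the define would make the invariant durable, for example `/* Generation starts at bit 16 even with 8-bit ASIDs: bits 15:8 must stay 0 for TTBR/TLBI */`. How the remaining users of ASID_MASK and the generation counter behave is outside this hunk.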
@@ -0,0 +1,68 @@
+From 56a708742a8bf127eb66798bfc9c9516c61f9930 Mon Sep 17 00:00:00 2001
+From: Yang Shi
+Date: Mon, 25 Nov 2024 09:16:50 -0800
+Subject: arm64: mm: Fix zone_dma_limit calculation
+
+From: Yang Shi
+
+commit 56a708742a8bf127eb66798bfc9c9516c61f9930 upstream.
+
+Commit ba0fb44aed47 ("dma-mapping: replace zone_dma_bits by
+zone_dma_limit") and subsequent patches changed how zone_dma_limit is
+calculated to allow a reduced ZONE_DMA even when RAM starts above 4GB.
+Commit 122c234ef4e1 ("arm64: mm: keep low RAM dma zone") further fixed
+this to ensure ZONE_DMA remains below U32_MAX if RAM starts below 4GB,
+especially on platforms that do not have IORT or DT description of the
+device DMA ranges. While zone boundaries calculation was fixed by the
+latter commit, zone_dma_limit, used to determine the GFP_DMA flag in the
+core code, was not updated. This results in excessive use of GFP_DMA and
+unnecessary ZONE_DMA allocations on some platforms.
+
+Update zone_dma_limit to match the actual upper bound of ZONE_DMA.
+
+Fixes: ba0fb44aed47 ("dma-mapping: replace zone_dma_bits by zone_dma_limit")
+Cc: # 6.12.x
+Reported-by: Yutang Jiang
+Tested-by: Yutang Jiang
+Signed-off-by: Yang Shi
+Link: https://lore.kernel.org/r/20241125171650.77424-1-yang@os.amperecomputing.com
+[catalin.marinas@arm.com: some tweaking of the commit log]
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/mm/init.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -116,15 +116,6 @@ static void __init arch_reserve_crashker
+
+ static phys_addr_t __init max_zone_phys(phys_addr_t zone_limit)
+ {
+- /**
+- * Information we get from firmware (e.g. DT dma-ranges) describe DMA
+- * bus constraints. Devices using DMA might have their own limitations.
+- * Some of them rely on DMA zone in low 32-bit memory. Keep low RAM
+- * DMA zone on platforms that have RAM there.
+- */
+- if (memblock_start_of_DRAM() < U32_MAX)
+- zone_limit = min(zone_limit, U32_MAX);
+-
+ return min(zone_limit, memblock_end_of_DRAM() - 1) + 1;
+ }
+
+@@ -140,6 +131,14 @@ static void __init zone_sizes_init(void)
+ acpi_zone_dma_limit = acpi_iort_dma_get_max_cpu_address();
+ dt_zone_dma_limit = of_dma_get_max_cpu_address(NULL);
+ zone_dma_limit = min(dt_zone_dma_limit, acpi_zone_dma_limit);
++ /*
++ * Information we get from firmware (e.g. DT dma-ranges) describe DMA
++ * bus constraints. Devices using DMA might have their own limitations.
++ * Some of them rely on DMA zone in low 32-bit memory. Keep low RAM
++ * DMA zone on platforms that have RAM there.
++ */
++ if (memblock_start_of_DRAM() < U32_MAX)
++ zone_dma_limit = min(zone_dma_limit, U32_MAX);
+ arm64_dma_phys_limit = max_zone_phys(zone_dma_limit);
+ max_zone_pfns[ZONE_DMA] = PFN_DOWN(arm64_dma_phys_limit);
+ #endif
diff --git a/queue-6.12/arm64-ptrace-fix-partial-setregset-for-nt_arm_fpmr.patch b/queue-6.12/arm64-ptrace-fix-partial-setregset-for-nt_arm_fpmr.patch
new file mode 100644
index 00000000000..c4573e4aa5a
--- /dev/null
+++ b/queue-6.12/arm64-ptrace-fix-partial-setregset-for-nt_arm_fpmr.patch
@@ -0,0 +1,79 @@ +From f5d71291841aecfe5d8435da2dfa7f58ccd18bc8 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Thu, 5 Dec 2024 12:16:53 +0000 +Subject: arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR + +From: Mark Rutland + +commit f5d71291841aecfe5d8435da2dfa7f58ccd18bc8 upstream. + +Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable, +and a SETREGSET call with a length of zero will leave this +uninitialized. Consequently an arbitrary value will be written back to +target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from +the kernel stack. The read is limited to a specific slot on the stack, +and the issue does not provide a write mechanism. + +Fix this by initializing the temporary value before copying the regset +from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, +NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing +contents of FPMR will be retained. + +Before this patch: + +| # ./fpmr-test +| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d +| SETREGSET(nt=0x40e, len=8) wrote 8 bytes +| +| Attempting to read NT_ARM_FPMR::fpmr +| GETREGSET(nt=0x40e, len=8) read 8 bytes +| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d +| +| Attempting to write NT_ARM_FPMR (zero length) +| SETREGSET(nt=0x40e, len=0) wrote 0 bytes +| +| Attempting to read NT_ARM_FPMR::fpmr +| GETREGSET(nt=0x40e, len=8) read 8 bytes +| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50 + +After this patch: + +| # ./fpmr-test +| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d +| SETREGSET(nt=0x40e, len=8) wrote 8 bytes +| +| Attempting to read NT_ARM_FPMR::fpmr +| GETREGSET(nt=0x40e, len=8) read 8 bytes +| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d +| +| Attempting to write NT_ARM_FPMR (zero length) +| SETREGSET(nt=0x40e, len=0) wrote 0 bytes +| +| Attempting to read NT_ARM_FPMR::fpmr +| GETREGSET(nt=0x40e, len=8) read 8 bytes +| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d + +Fixes: 4035c22ef7d4 
("arm64/ptrace: Expose FPMR via ptrace") +Cc: # 6.9.x +Signed-off-by: Mark Rutland +Cc: Mark Brown +Cc: Will Deacon +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20241205121655.1824269-3-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/ptrace.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -719,6 +719,8 @@ static int fpmr_set(struct task_struct * + if (!system_supports_fpmr()) + return -EINVAL; + ++ fpmr = target->thread.uw.fpmr; ++ + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &fpmr, 0, count); + if (ret) + return ret; diff --git a/queue-6.12/arm64-ptrace-fix-partial-setregset-for-nt_arm_poe.patch b/queue-6.12/arm64-ptrace-fix-partial-setregset-for-nt_arm_poe.patch new file mode 100644 index 00000000000..1884a8c82b8 --- /dev/null +++ b/queue-6.12/arm64-ptrace-fix-partial-setregset-for-nt_arm_poe.patch 
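Review bot: The added `fpmr = target->thread.uw.fpmr;` has no comment, and nothing in fpmr_set() records that user_regset_copyin() may copy fewer than sizeof(fpmr) bytes, or none at all, so a later cleanup could remove the assignment and reopen the stack disclosure described in the commit message. A comment such as `/* copyin may be short or empty: start from the current value so no stack bytes are written back */` would pin it down; the same applies to `ctrl = target->thread.por_el0;` in the NT_ARM_POE patch that follows. Separately, this call passes `count` as the end position while poe_set() and tagged_addr_ctrl_set() in this queue pass `-1`, which is worth aligning upstream. fpmr_set() starts and ends outside the hunk.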
@@ -0,0 +1,79 @@ +From 594bfc4947c4fcabba1318d8384c61a29a6b89fb Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Thu, 5 Dec 2024 12:16:54 +0000 +Subject: arm64: ptrace: fix partial SETREGSET for NT_ARM_POE + +From: Mark Rutland + +commit 594bfc4947c4fcabba1318d8384c61a29a6b89fb upstream. + +Currently poe_set() doesn't initialize the temporary 'ctrl' variable, +and a SETREGSET call with a length of zero will leave this +uninitialized. Consequently an arbitrary value will be written back to +target->thread.por_el0, potentially leaking up to 64 bits of memory from +the kernel stack. The read is limited to a specific slot on the stack, +and the issue does not provide a write mechanism. + +Fix this by initializing the temporary value before copying the regset +from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, +NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing +contents of POR_EL1 will be retained. + +Before this patch: + +| # ./poe-test +| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d +| SETREGSET(nt=0x40f, len=8) wrote 8 bytes +| +| Attempting to read NT_ARM_POE::por_el0 +| GETREGSET(nt=0x40f, len=8) read 8 bytes +| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d +| +| Attempting to write NT_ARM_POE (zero length) +| SETREGSET(nt=0x40f, len=0) wrote 0 bytes +| +| Attempting to read NT_ARM_POE::por_el0 +| GETREGSET(nt=0x40f, len=8) read 8 bytes +| Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50 + +After this patch: + +| # ./poe-test +| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d +| SETREGSET(nt=0x40f, len=8) wrote 8 bytes +| +| Attempting to read NT_ARM_POE::por_el0 +| GETREGSET(nt=0x40f, len=8) read 8 bytes +| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d +| +| Attempting to write NT_ARM_POE (zero length) +| SETREGSET(nt=0x40f, len=0) wrote 0 bytes +| +| Attempting to read NT_ARM_POE::por_el0 +| GETREGSET(nt=0x40f, len=8) read 8 bytes +| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d + +Fixes: 
175198199262 ("arm64/ptrace: add support for FEAT_POE") +Cc: # 6.12.x +Signed-off-by: Mark Rutland +Cc: Joey Gouly +Cc: Will Deacon +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20241205121655.1824269-4-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/ptrace.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1469,6 +1469,8 @@ static int poe_set(struct task_struct *t + if (!system_supports_poe()) + return -EINVAL; + ++ ctrl = target->thread.por_el0; ++ + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, 0, -1); + if (ret) + return ret; diff --git a/queue-6.12/arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch b/queue-6.12/arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch new file mode 100644 index 00000000000..067b06abab1 --- /dev/null +++ b/queue-6.12/arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch 
@@ -0,0 +1,69 @@
+From ca62d90085f4af36de745883faab9f8a7cbb45d3 Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Thu, 5 Dec 2024 12:16:52 +0000
+Subject: arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL
+
+From: Mark Rutland
+
+commit ca62d90085f4af36de745883faab9f8a7cbb45d3 upstream.
+
+Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl'
+variable, and a SETREGSET call with a length of zero will leave this
+uninitialized. Consequently tagged_addr_ctrl_set() will consume an
+arbitrary value, potentially leaking up to 64 bits of memory from the
+kernel stack. The read is limited to a specific slot on the stack, and
+the issue does not provide a write mechanism.
+
+As set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and
+rejects other values, a partial SETREGSET attempt will randomly succeed
+or fail depending on the value of the uninitialized value, and the
+exposure is significantly limited.
+
+Fix this by initializing the temporary value before copying the regset
+from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,
+NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing
+value of the tagged address ctrl will be retained.
+
+The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the
+user_aarch64_view used by a native AArch64 task to manipulate another
+native AArch64 task. As get_tagged_addr_ctrl() only returns an error
+value when called for a compat task, tagged_addr_ctrl_get() and
+tagged_addr_ctrl_set() should never observe an error value from
+get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that
+such an error would be unexpected, and error handlnig is not missing in
+either case.
+
+Fixes: 2200aa7154cb ("arm64: mte: ptrace: Add NT_ARM_TAGGED_ADDR_CTRL regset")
+Cc: # 5.10.x
+Signed-off-by: Mark Rutland
+Cc: Will Deacon
+Reviewed-by: Mark Brown
+Link: https://lore.kernel.org/r/20241205121655.1824269-2-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/ptrace.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1418,7 +1418,7 @@ static int tagged_addr_ctrl_get(struct t
+ {
+ long ctrl = get_tagged_addr_ctrl(target);
+
+- if (IS_ERR_VALUE(ctrl))
++ if (WARN_ON_ONCE(IS_ERR_VALUE(ctrl)))
+ return ctrl;
+
+ return membuf_write(&to, &ctrl, sizeof(ctrl));
+@@ -1432,6 +1432,10 @@ static int tagged_addr_ctrl_set(struct t
+ int ret;
+ long ctrl;
+
++ ctrl = get_tagged_addr_ctrl(target);
++ if (WARN_ON_ONCE(IS_ERR_VALUE(ctrl)))
++ return ctrl;
++
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, 0, -1);
+ if (ret)
+ return ret;
diff --git a/queue-6.12/bcache-revert-replacing-is_err_or_null-with-is_err-again.patch b/queue-6.12/bcache-revert-replacing-is_err_or_null-with-is_err-again.patch
new file mode 100644
index 00000000000..b6934b4b7f4
--- /dev/null
+++ b/queue-6.12/bcache-revert-replacing-is_err_or_null-with-is_err-again.patch
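Review bot: The new `WARN_ON_ONCE(IS_ERR_VALUE(ctrl))` in tagged_addr_ctrl_get() and tagged_addr_ctrl_set() sits on a ptrace regset path, and the reason it cannot fire is stated only in the commit message. On systems that run with panic_on_warn, a wrong assumption here turns into a crash that a tracer can cause, so the invariant should sit beside the check, for example `/* only compat tasks make get_tagged_addr_ctrl() fail, and they never see this regset */`. Both functions start and end outside the hunks shown.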
@@ -0,0 +1,46 @@
+From b2e382ae12a63560fca35050498e19e760adf8c0 Mon Sep 17 00:00:00 2001
+From: Liequan Che
+Date: Mon, 2 Dec 2024 19:56:38 +0800
+Subject: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again
+
+From: Liequan Che
+
+commit b2e382ae12a63560fca35050498e19e760adf8c0 upstream.
+
+Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in
+node allocations") leads a NULL pointer deference in cache_set_flush().
+
+1721 if (!IS_ERR_OR_NULL(c->root))
+1722 list_add(&c->root->list, &c->btree_cache);
+
+>From the above code in cache_set_flush(), if previous registration code
+fails before allocating c->root, it is possible c->root is NULL as what
+it is initialized. __bch_btree_node_alloc() never returns NULL but
+c->root is possible to be NULL at above line 1721.
+
+This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this.
+
+Fixes: 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations")
+Signed-off-by: Liequan Che
+Cc: stable@vger.kernel.org
+Cc: Zheng Wang
+Reviewed-by: Mingzhe Zou
+Signed-off-by: Coly Li
+Link: https://lore.kernel.org/r/20241202115638.28957-1-colyli@suse.de
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1718,7 +1718,7 @@ static CLOSURE_CALLBACK(cache_set_flush)
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+- if (!IS_ERR(c->root))
++ if (!IS_ERR_OR_NULL(c->root))
+ list_add(&c->root->list, &c->btree_cache);
+
+ /*
diff --git a/queue-6.12/can-dev-can_set_termination-allow-sleeping-gpios.patch b/queue-6.12/can-dev-can_set_termination-allow-sleeping-gpios.patch
new file mode 100644
index 00000000000..11fa5086b56
--- /dev/null
+++ b/queue-6.12/can-dev-can_set_termination-allow-sleeping-gpios.patch
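Review bot: The restored `if (!IS_ERR_OR_NULL(c->root))` carries no comment saying why NULL is a legitimate value here, and the subject line ("again") shows this check has already been simplified away and put back before. A one-line comment above it, for example `/* c->root stays NULL when registration fails before the root node is allocated */`, would stop a later cleanup from dropping the NULL test once more and reintroducing the NULL dereference in `list_add()`. cache_set_flush() starts and ends outside the hunk.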
@@ -0,0 +1,49 @@
+From ee1dfbdd8b4b6de85e96ae2059dc9c1bdb6b49b5 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Thu, 21 Nov 2024 11:08:25 +0100
+Subject: can: dev: can_set_termination(): allow sleeping GPIOs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Kleine-Budde
+
+commit ee1dfbdd8b4b6de85e96ae2059dc9c1bdb6b49b5 upstream.
+
+In commit 6e86a1543c37 ("can: dev: provide optional GPIO based
+termination support") GPIO based termination support was added.
+
+For no particular reason that patch uses gpiod_set_value() to set the
+GPIO. This leads to the following warning, if the systems uses a
+sleeping GPIO, i.e. behind an I2C port expander:
+
+| WARNING: CPU: 0 PID: 379 at /drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x50/0x6c
+| CPU: 0 UID: 0 PID: 379 Comm: ip Not tainted 6.11.0-20241016-1 #1 823affae360cc91126e4d316d7a614a8bf86236c
+
+Replace gpiod_set_value() by gpiod_set_value_cansleep() to allow the
+use of sleeping GPIOs.
+
+Cc: Nicolai Buchwitz
+Cc: Lino Sanfilippo
+Cc: stable@vger.kernel.org
+Reported-by: Leonard Göhrs
+Tested-by: Leonard Göhrs
+Fixes: 6e86a1543c37 ("can: dev: provide optional GPIO based termination support")
+Link: https://patch.msgid.link/20241121-dev-fix-can_set_termination-v1-1-41fa6e29216d@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/dev/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev/dev.c
++++ b/drivers/net/can/dev/dev.c
+@@ -468,7 +468,7 @@ static int can_set_termination(struct ne
+ else
+ set = 0;
+
+- gpiod_set_value(priv->termination_gpio, set);
++ gpiod_set_value_cansleep(priv->termination_gpio, set);
+
+ return 0;
+ }
diff --git a/queue-6.12/can-mcp251xfd-mcp251xfd_get_tef_len-work-around-erratum-ds80000789e-6.patch b/queue-6.12/can-mcp251xfd-mcp251xfd_get_tef_len-work-around-erratum-ds80000789e-6.patch
new file mode 100644
index 00000000000..baf5e813ea4
--- /dev/null
+++ b/queue-6.12/can-mcp251xfd-mcp251xfd_get_tef_len-work-around-erratum-ds80000789e-6.patch
@@ -0,0 +1,98 @@ +From 30447a1bc0e066e492552b3e5ffeb63c1605dfe2 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sun, 24 Nov 2024 18:42:56 +0100 +Subject: can: mcp251xfd: mcp251xfd_get_tef_len(): work around erratum DS80000789E 6. + +From: Marc Kleine-Budde + +commit 30447a1bc0e066e492552b3e5ffeb63c1605dfe2 upstream. + +Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround +broken TEF FIFO tail index erratum") introduced +mcp251xfd_get_tef_len() to get the number of unhandled transmit events +from the Transmit Event FIFO (TEF). + +As the TEF has no head index, the driver uses the TX-FIFO's tail index +instead, assuming that send frames are completed. + +When calculating the number of unhandled TEF events, that commit +didn't take mcp2518fd erratum DS80000789E 6. into account. According +to that erratum, the FIFOCI bits of a FIFOSTA register, here the +TX-FIFO tail index might be corrupted. + +However here it seems the bit indicating that the TX-FIFO is +empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct while the +TX-FIFO tail index is. + +Assume that the TX-FIFO is indeed empty if: +- Chip's head and tail index are equal (len == 0). +- The TX-FIFO is less than half full. + (The TX-FIFO empty case has already been checked at the + beginning of this function.) +- No free buffers in the TX ring. + +If the TX-FIFO is assumed to be empty, assume that the TEF is full and +return the number of elements in the TX-FIFO (which equals the number +of TEF elements). + +If these assumptions are false, the driver might read to many objects +from the TEF. mcp251xfd_handle_tefif_one() checks the sequence numbers +and will refuse to process old events. 
+ +Reported-by: Renjaya Raga Zenta +Closes: https://patch.msgid.link/CAJ7t6HgaeQ3a_OtfszezU=zB-FqiZXqrnATJ3UujNoQJJf7GgA@mail.gmail.com +Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") +Tested-by: Renjaya Raga Zenta +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20241126-mcp251xfd-fix-length-calculation-v2-1-c2ed516ed6ba@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 29 +++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +@@ -21,6 +21,11 @@ static inline bool mcp251xfd_tx_fifo_sta + return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF; + } + ++static inline bool mcp251xfd_tx_fifo_sta_less_than_half_full(u32 fifo_sta) ++{ ++ return fifo_sta & MCP251XFD_REG_FIFOSTA_TFHRFHIF; ++} ++ + static inline int + mcp251xfd_tef_tail_get_from_chip(const struct mcp251xfd_priv *priv, + u8 *tef_tail) +@@ -147,7 +152,29 @@ mcp251xfd_get_tef_len(struct mcp251xfd_p + BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(len)); + + len = (chip_tx_tail << shift) - (tail << shift); +- *len_p = len >> shift; ++ len >>= shift; ++ ++ /* According to mcp2518fd erratum DS80000789E 6. the FIFOCI ++ * bits of a FIFOSTA register, here the TX-FIFO tail index ++ * might be corrupted. ++ * ++ * However here it seems the bit indicating that the TX-FIFO ++ * is empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct ++ * while the TX-FIFO tail index is. ++ * ++ * We assume the TX-FIFO is empty, i.e. all pending CAN frames ++ * haven been send, if: ++ * - Chip's head and tail index are equal (len == 0). ++ * - The TX-FIFO is less than half full. ++ * (The TX-FIFO empty case has already been checked at the ++ * beginning of this function.) ++ * - No free buffers in the TX ring. 
++ */ ++ if (len == 0 && mcp251xfd_tx_fifo_sta_less_than_half_full(fifo_sta) && ++ mcp251xfd_get_tx_free(tx_ring) == 0) ++ len = tx_ring->obj_num; ++ ++ *len_p = len; + + return 0; + } diff --git a/queue-6.12/fs-smb-client-avoid-querying-smb2_op_query_wsl_ea-for-smb3-posix.patch b/queue-6.12/fs-smb-client-avoid-querying-smb2_op_query_wsl_ea-for-smb3-posix.patch new file mode 100644 index 00000000000..3306b3e8142 --- /dev/null +++ b/queue-6.12/fs-smb-client-avoid-querying-smb2_op_query_wsl_ea-for-smb3-posix.patch @@ -0,0 +1,32 @@ +From ca4b2c4607433033e9c4f4659f809af4261d8992 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 15 Nov 2024 13:15:50 +0100 +Subject: fs/smb/client: avoid querying SMB2_OP_QUERY_WSL_EA for SMB3 POSIX + +From: Ralph Boehme + +commit ca4b2c4607433033e9c4f4659f809af4261d8992 upstream. + +Avoid extra roundtrip + +Cc: stable@vger.kernel.org +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Ralph Boehme +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -943,7 +943,8 @@ int smb2_query_path_info(const unsigned + if (rc || !data->reparse_point) + goto out; + +- cmds[num_cmds++] = SMB2_OP_QUERY_WSL_EA; ++ if (!tcon->posix_extensions) ++ cmds[num_cmds++] = SMB2_OP_QUERY_WSL_EA; + /* + * Skip SMB2_OP_GET_REPARSE if symlink already parsed in create + * response. diff --git a/queue-6.12/fs-smb-client-cifs_prime_dcache-for-smb3-posix-reparse-points.patch b/queue-6.12/fs-smb-client-cifs_prime_dcache-for-smb3-posix-reparse-points.patch new file mode 100644 index 00000000000..4e3dc2101a3 --- /dev/null +++ b/queue-6.12/fs-smb-client-cifs_prime_dcache-for-smb3-posix-reparse-points.patch 
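Review bot: The in-code comment for the new `len == 0` branch in mcp251xfd_get_tef_len() leaves out the safety argument that the commit message gives. If the empty-FIFO guess is wrong, `len = tx_ring->obj_num` makes the driver read more TEF objects than are pending, and only the sequence-number check in mcp251xfd_handle_tefif_one() (outside this hunk) keeps stale events from being processed. I would end the comment with a line such as `* If this guess is wrong, mcp251xfd_handle_tefif_one() rejects the stale objects by sequence number.`, and correct "haven been send" to "have been sent" in the same edit.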
@@ -0,0 +1,54 @@ +From 8cb0bc5436351de8a11eef13b7367d64cc0d6c68 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 25 Nov 2024 16:19:56 +0100 +Subject: fs/smb/client: cifs_prime_dcache() for SMB3 POSIX reparse points + +From: Ralph Boehme + +commit 8cb0bc5436351de8a11eef13b7367d64cc0d6c68 upstream. + +Spares an extra revalidation request + +Cc: stable@vger.kernel.org +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Ralph Boehme +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/readdir.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/readdir.c ++++ b/fs/smb/client/readdir.c +@@ -71,6 +71,8 @@ cifs_prime_dcache(struct dentry *parent, + struct inode *inode; + struct super_block *sb = parent->d_sb; + struct cifs_sb_info *cifs_sb = CIFS_SB(sb); ++ bool posix = cifs_sb_master_tcon(cifs_sb)->posix_extensions; ++ bool reparse_need_reval = false; + DECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq); + int rc; + +@@ -85,7 +87,21 @@ cifs_prime_dcache(struct dentry *parent, + * this spares us an invalidation. + */ + retry: +- if ((fattr->cf_cifsattrs & ATTR_REPARSE) || ++ if (posix) { ++ switch (fattr->cf_mode & S_IFMT) { ++ case S_IFLNK: ++ case S_IFBLK: ++ case S_IFCHR: ++ reparse_need_reval = true; ++ break; ++ default: ++ break; ++ } ++ } else if (fattr->cf_cifsattrs & ATTR_REPARSE) { ++ reparse_need_reval = true; ++ } ++ ++ if (reparse_need_reval || + (fattr->cf_flags & CIFS_FATTR_NEED_REVAL)) + return; + diff --git a/queue-6.12/fs-smb-client-implement-new-smb3-posix-type.patch b/queue-6.12/fs-smb-client-implement-new-smb3-posix-type.patch new file mode 100644 index 00000000000..82f4a3c84eb --- /dev/null +++ b/queue-6.12/fs-smb-client-implement-new-smb3-posix-type.patch 
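Review bot: The new `switch (fattr->cf_mode & S_IFMT)` in cifs_prime_dcache() lists S_IFLNK, S_IFBLK and S_IFCHR without saying why these three types force revalidation while S_IFIFO and S_IFSOCK do not. The same three-case switch is also added to cifs_posix_to_fattr() by the "Implement new SMB3 POSIX type" patch in this queue. A small shared predicate taking the mode, with a one-line comment on the choice of types, would keep the two lists from drifting apart. cifs_prime_dcache() continues outside the hunk.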
@@ -0,0 +1,346 @@ +From 6a832bc8bbb22350f7ffe6ecb2d36f261bb96023 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 15 Nov 2024 19:21:04 +0100 +Subject: fs/smb/client: Implement new SMB3 POSIX type + +From: Ralph Boehme + +commit 6a832bc8bbb22350f7ffe6ecb2d36f261bb96023 upstream. + +Fixes special files against current Samba. + +On the Samba server: + +insgesamt 20 +131958 brw-r--r-- 1 root root 0, 0 15. Nov 12:04 blockdev +131965 crw-r--r-- 1 root root 1, 1 15. Nov 12:04 chardev +131966 prw-r--r-- 1 samba samba 0 15. Nov 12:05 fifo +131953 -rw-rwxrw-+ 2 samba samba 4 18. Nov 11:37 file +131953 -rw-rwxrw-+ 2 samba samba 4 18. Nov 11:37 hardlink +131957 lrwxrwxrwx 1 samba samba 4 15. Nov 12:03 symlink -> file +131954 -rwxrwxr-x+ 1 samba samba 0 18. Nov 15:28 symlinkoversmb + +Before: + +ls: cannot access '/mnt/smb3unix/posix/blockdev': No data available +ls: cannot access '/mnt/smb3unix/posix/chardev': No data available +ls: cannot access '/mnt/smb3unix/posix/symlinkoversmb': No data available +ls: cannot access '/mnt/smb3unix/posix/fifo': No data available +ls: cannot access '/mnt/smb3unix/posix/symlink': No data available +total 16 + ? -????????? ? ? ? ? ? blockdev + ? -????????? ? ? ? ? ? chardev + ? -????????? ? ? ? ? ? fifo +131953 -rw-rwxrw- 2 root samba 4 Nov 18 11:37 file +131953 -rw-rwxrw- 2 root samba 4 Nov 18 11:37 hardlink + ? -????????? ? ? ? ? ? symlink + ? -????????? ? ? ? ? ? symlinkoversmb + +After: + +insgesamt 21 +131958 brw-r--r-- 1 root root 0, 0 15. Nov 12:04 blockdev +131965 crw-r--r-- 1 root root 1, 1 15. Nov 12:04 chardev +131966 prw-r--r-- 1 root samba 0 15. Nov 12:05 fifo +131953 -rw-rwxrw- 2 root samba 4 18. Nov 11:37 file +131953 -rw-rwxrw- 2 root samba 4 18. Nov 11:37 hardlink +131957 lrwxrwxrwx 1 root samba 4 15. Nov 12:03 symlink -> file +131954 lrwxrwxr-x 1 root samba 23 18. 
Nov 15:28 symlinkoversmb -> mnt/smb3unix/posix/file + +Cc: stable@vger.kernel.org +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Ralph Boehme +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsproto.h | 1 + fs/smb/client/inode.c | 89 +++++++++++++++++++++++++++++++++++++++++----- + fs/smb/client/readdir.c | 35 ++++++++---------- + fs/smb/client/reparse.c | 84 ++++++++++++++++++++++++++----------------- + 4 files changed, 149 insertions(+), 60 deletions(-) + +--- a/fs/smb/client/cifsproto.h ++++ b/fs/smb/client/cifsproto.h +@@ -677,6 +677,7 @@ int __cifs_sfu_make_node(unsigned int xi + int cifs_sfu_make_node(unsigned int xid, struct inode *inode, + struct dentry *dentry, struct cifs_tcon *tcon, + const char *full_path, umode_t mode, dev_t dev); ++umode_t wire_mode_to_posix(u32 wire); + + #ifdef CONFIG_CIFS_DFS_UPCALL + static inline int get_dfs_path(const unsigned int xid, struct cifs_ses *ses, +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -724,6 +724,84 @@ static int cifs_sfu_mode(struct cifs_fat + #endif + } + ++#define POSIX_TYPE_FILE 0 ++#define POSIX_TYPE_DIR 1 ++#define POSIX_TYPE_SYMLINK 2 ++#define POSIX_TYPE_CHARDEV 3 ++#define POSIX_TYPE_BLKDEV 4 ++#define POSIX_TYPE_FIFO 5 ++#define POSIX_TYPE_SOCKET 6 ++ ++#define POSIX_X_OTH 0000001 ++#define POSIX_W_OTH 0000002 ++#define POSIX_R_OTH 0000004 ++#define POSIX_X_GRP 0000010 ++#define POSIX_W_GRP 0000020 ++#define POSIX_R_GRP 0000040 ++#define POSIX_X_USR 0000100 ++#define POSIX_W_USR 0000200 ++#define POSIX_R_USR 0000400 ++#define POSIX_STICKY 0001000 ++#define POSIX_SET_GID 0002000 ++#define POSIX_SET_UID 0004000 ++ ++#define POSIX_OTH_MASK 0000007 ++#define POSIX_GRP_MASK 0000070 ++#define POSIX_USR_MASK 0000700 ++#define POSIX_PERM_MASK 0000777 ++#define POSIX_FILETYPE_MASK 0070000 ++ ++#define POSIX_FILETYPE_SHIFT 12 ++ ++static u32 wire_perms_to_posix(u32 wire) ++{ ++ u32 mode = 0; ++ ++ mode |= (wire & POSIX_X_OTH) ? 
S_IXOTH : 0; ++ mode |= (wire & POSIX_W_OTH) ? S_IWOTH : 0; ++ mode |= (wire & POSIX_R_OTH) ? S_IROTH : 0; ++ mode |= (wire & POSIX_X_GRP) ? S_IXGRP : 0; ++ mode |= (wire & POSIX_W_GRP) ? S_IWGRP : 0; ++ mode |= (wire & POSIX_R_GRP) ? S_IRGRP : 0; ++ mode |= (wire & POSIX_X_USR) ? S_IXUSR : 0; ++ mode |= (wire & POSIX_W_USR) ? S_IWUSR : 0; ++ mode |= (wire & POSIX_R_USR) ? S_IRUSR : 0; ++ mode |= (wire & POSIX_STICKY) ? S_ISVTX : 0; ++ mode |= (wire & POSIX_SET_GID) ? S_ISGID : 0; ++ mode |= (wire & POSIX_SET_UID) ? S_ISUID : 0; ++ ++ return mode; ++} ++ ++static u32 posix_filetypes[] = { ++ S_IFREG, ++ S_IFDIR, ++ S_IFLNK, ++ S_IFCHR, ++ S_IFBLK, ++ S_IFIFO, ++ S_IFSOCK ++}; ++ ++static u32 wire_filetype_to_posix(u32 wire_type) ++{ ++ if (wire_type >= ARRAY_SIZE(posix_filetypes)) { ++ pr_warn("Unexpected type %u", wire_type); ++ return 0; ++ } ++ return posix_filetypes[wire_type]; ++} ++ ++umode_t wire_mode_to_posix(u32 wire) ++{ ++ u32 wire_type; ++ u32 mode; ++ ++ wire_type = (wire & POSIX_FILETYPE_MASK) >> POSIX_FILETYPE_SHIFT; ++ mode = (wire_perms_to_posix(wire) | wire_filetype_to_posix(wire_type)); ++ return (umode_t)mode; ++} ++ + /* Fill a cifs_fattr struct with info from POSIX info struct */ + static void smb311_posix_info_to_fattr(struct cifs_fattr *fattr, + struct cifs_open_info_data *data, +@@ -760,20 +838,13 @@ static void smb311_posix_info_to_fattr(s + fattr->cf_bytes = le64_to_cpu(info->AllocationSize); + fattr->cf_createtime = le64_to_cpu(info->CreationTime); + fattr->cf_nlink = le32_to_cpu(info->HardLinks); +- fattr->cf_mode = (umode_t) le32_to_cpu(info->Mode); ++ fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode)); + + if (cifs_open_data_reparse(data) && + cifs_reparse_point_to_fattr(cifs_sb, fattr, data)) + goto out_reparse; + +- fattr->cf_mode &= ~S_IFMT; +- if (fattr->cf_cifsattrs & ATTR_DIRECTORY) { +- fattr->cf_mode |= S_IFDIR; +- fattr->cf_dtype = DT_DIR; +- } else { /* file */ +- fattr->cf_mode |= S_IFREG; +- fattr->cf_dtype = 
DT_REG; +- } ++ fattr->cf_dtype = S_DT(fattr->cf_mode); + + out_reparse: + if (S_ISLNK(fattr->cf_mode)) { +--- a/fs/smb/client/readdir.c ++++ b/fs/smb/client/readdir.c +@@ -241,31 +241,28 @@ cifs_posix_to_fattr(struct cifs_fattr *f + fattr->cf_nlink = le32_to_cpu(info->HardLinks); + fattr->cf_cifsattrs = le32_to_cpu(info->DosAttributes); + +- /* +- * Since we set the inode type below we need to mask off +- * to avoid strange results if bits set above. +- * XXX: why not make server&client use the type bits? +- */ +- fattr->cf_mode = le32_to_cpu(info->Mode) & ~S_IFMT; ++ if (fattr->cf_cifsattrs & ATTR_REPARSE) ++ fattr->cf_cifstag = le32_to_cpu(info->ReparseTag); ++ ++ /* The Mode field in the response can now include the file type as well */ ++ fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode)); ++ fattr->cf_dtype = S_DT(le32_to_cpu(info->Mode)); ++ ++ switch (fattr->cf_mode & S_IFMT) { ++ case S_IFLNK: ++ case S_IFBLK: ++ case S_IFCHR: ++ fattr->cf_flags |= CIFS_FATTR_NEED_REVAL; ++ break; ++ default: ++ break; ++ } + + cifs_dbg(FYI, "posix fattr: dev %d, reparse %d, mode %o\n", + le32_to_cpu(info->DeviceId), + le32_to_cpu(info->ReparseTag), + le32_to_cpu(info->Mode)); + +- if (fattr->cf_cifsattrs & ATTR_DIRECTORY) { +- fattr->cf_mode |= S_IFDIR; +- fattr->cf_dtype = DT_DIR; +- } else { +- /* +- * mark anything that is not a dir as regular +- * file. 
special files should have the REPARSE +- * attribute and will be marked as needing revaluation +- */ +- fattr->cf_mode |= S_IFREG; +- fattr->cf_dtype = DT_REG; +- } +- + sid_to_id(cifs_sb, &parsed.owner, fattr, SIDOWNER); + sid_to_id(cifs_sb, &parsed.group, fattr, SIDGROUP); + } +--- a/fs/smb/client/reparse.c ++++ b/fs/smb/client/reparse.c +@@ -730,44 +730,60 @@ out: + fattr->cf_dtype = S_DT(fattr->cf_mode); + } + +-bool cifs_reparse_point_to_fattr(struct cifs_sb_info *cifs_sb, +- struct cifs_fattr *fattr, +- struct cifs_open_info_data *data) ++static bool posix_reparse_to_fattr(struct cifs_sb_info *cifs_sb, ++ struct cifs_fattr *fattr, ++ struct cifs_open_info_data *data) + { + struct reparse_posix_data *buf = data->reparse.posix; +- u32 tag = data->reparse.tag; + +- if (tag == IO_REPARSE_TAG_NFS && buf) { +- if (le16_to_cpu(buf->ReparseDataLength) < sizeof(buf->InodeType)) ++ ++ if (buf == NULL) ++ return true; ++ ++ if (le16_to_cpu(buf->ReparseDataLength) < sizeof(buf->InodeType)) { ++ WARN_ON_ONCE(1); ++ return false; ++ } ++ ++ switch (le64_to_cpu(buf->InodeType)) { ++ case NFS_SPECFILE_CHR: ++ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8) { ++ WARN_ON_ONCE(1); + return false; +- switch (le64_to_cpu(buf->InodeType)) { +- case NFS_SPECFILE_CHR: +- if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8) +- return false; +- fattr->cf_mode |= S_IFCHR; +- fattr->cf_rdev = reparse_mkdev(buf->DataBuffer); +- break; +- case NFS_SPECFILE_BLK: +- if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8) +- return false; +- fattr->cf_mode |= S_IFBLK; +- fattr->cf_rdev = reparse_mkdev(buf->DataBuffer); +- break; +- case NFS_SPECFILE_FIFO: +- fattr->cf_mode |= S_IFIFO; +- break; +- case NFS_SPECFILE_SOCK: +- fattr->cf_mode |= S_IFSOCK; +- break; +- case NFS_SPECFILE_LNK: +- fattr->cf_mode |= S_IFLNK; +- break; +- default: ++ } ++ fattr->cf_mode |= S_IFCHR; ++ fattr->cf_rdev = reparse_mkdev(buf->DataBuffer); ++ break; ++ 
case NFS_SPECFILE_BLK: ++ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8) { + WARN_ON_ONCE(1); + return false; + } +- goto out; ++ fattr->cf_mode |= S_IFBLK; ++ fattr->cf_rdev = reparse_mkdev(buf->DataBuffer); ++ break; ++ case NFS_SPECFILE_FIFO: ++ fattr->cf_mode |= S_IFIFO; ++ break; ++ case NFS_SPECFILE_SOCK: ++ fattr->cf_mode |= S_IFSOCK; ++ break; ++ case NFS_SPECFILE_LNK: ++ fattr->cf_mode |= S_IFLNK; ++ break; ++ default: ++ WARN_ON_ONCE(1); ++ return false; + } ++ return true; ++} ++ ++bool cifs_reparse_point_to_fattr(struct cifs_sb_info *cifs_sb, ++ struct cifs_fattr *fattr, ++ struct cifs_open_info_data *data) ++{ ++ u32 tag = data->reparse.tag; ++ bool ok; + + switch (tag) { + case IO_REPARSE_TAG_INTERNAL: +@@ -787,15 +803,19 @@ bool cifs_reparse_point_to_fattr(struct + case IO_REPARSE_TAG_LX_BLK: + wsl_to_fattr(data, cifs_sb, tag, fattr); + break; ++ case IO_REPARSE_TAG_NFS: ++ ok = posix_reparse_to_fattr(cifs_sb, fattr, data); ++ if (!ok) ++ return false; ++ break; + case 0: /* SMB1 symlink */ + case IO_REPARSE_TAG_SYMLINK: +- case IO_REPARSE_TAG_NFS: + fattr->cf_mode |= S_IFLNK; + break; + default: + return false; + } +-out: ++ + fattr->cf_dtype = S_DT(fattr->cf_mode); + return true; + } diff --git a/queue-6.12/io_uring-change-res2-parameter-type-in-io_uring_cmd_done.patch b/queue-6.12/io_uring-change-res2-parameter-type-in-io_uring_cmd_done.patch new file mode 100644 index 00000000000..e689913f3bb --- /dev/null +++ b/queue-6.12/io_uring-change-res2-parameter-type-in-io_uring_cmd_done.patch 
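Review bot: In the readdir.c part, `fattr->cf_dtype = S_DT(le32_to_cpu(info->Mode));` applies S_DT() to the unconverted wire value, whose type field holds the POSIX_TYPE_* index (0 to 6) rather than S_IF* bits. S_DT() (defined outside this patch) shifts the S_IFMT bits down, so the result is not a DT_* constant; wire type POSIX_TYPE_DIR (1), for example, would come out as 1 rather than DT_DIR. inode.c in the same patch uses the converted mode, and readdir.c should match it with `fattr->cf_dtype = S_DT(fattr->cf_mode);`. Separately, posix_reparse_to_fattr() now calls `WARN_ON_ONCE(1)` on ReparseDataLength and InodeType values supplied by the server, and wire_filetype_to_posix() emits an unrate-limited `pr_warn` with no trailing newline for an out-of-range type. Fields a remote peer controls are better rejected quietly or with a rate-limited message, since a WARN is fatal under panic_on_warn.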
@@ -0,0 +1,63 @@
+From a07d2d7930c75e6bf88683b376d09ab1f3fed2aa Mon Sep 17 00:00:00 2001
+From: Bernd Schubert
+Date: Tue, 3 Dec 2024 11:31:05 +0100
+Subject: io_uring: Change res2 parameter type in io_uring_cmd_done
+
+From: Bernd Schubert
+
+commit a07d2d7930c75e6bf88683b376d09ab1f3fed2aa upstream.
+
+Change the type of the res2 parameter in io_uring_cmd_done from ssize_t
+to u64. This aligns the parameter type with io_req_set_cqe32_extra,
+which expects u64 arguments.
+The change eliminates potential issues on 32-bit architectures where
+ssize_t might be 32-bit.
+
+Only user of passing res2 is drivers/nvme/host/ioctl.c and it actually
+passes u64.
+
+Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
+Cc: stable@vger.kernel.org
+Reviewed-by: Kanchan Joshi
+Tested-by: Li Zetao
+Reviewed-by: Li Zetao
+Signed-off-by: Bernd Schubert
+Link: https://lore.kernel.org/r/20241203-io_uring_cmd_done-res2-as-u64-v2-1-5e59ae617151@ddn.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/io_uring/cmd.h | 4 ++--
+ io_uring/uring_cmd.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/linux/io_uring/cmd.h
++++ b/include/linux/io_uring/cmd.h
+@@ -43,7 +43,7 @@ int io_uring_cmd_import_fixed(u64 ubuf,
+ * Note: the caller should never hard code @issue_flags and is only allowed
+ * to pass the mask provided by the core io_uring code.
+ */
+-void io_uring_cmd_done(struct io_uring_cmd *cmd, ssize_t ret, ssize_t res2,
++void io_uring_cmd_done(struct io_uring_cmd *cmd, ssize_t ret, u64 res2,
+ unsigned issue_flags);
+
+ void __io_uring_cmd_do_in_task(struct io_uring_cmd *ioucmd,
+@@ -67,7 +67,7 @@ static inline int io_uring_cmd_import_fi
+ return -EOPNOTSUPP;
+ }
+ static inline void io_uring_cmd_done(struct io_uring_cmd *cmd, ssize_t ret,
+- ssize_t ret2, unsigned issue_flags)
++ u64 ret2, unsigned issue_flags)
+ {
+ }
+ static inline void __io_uring_cmd_do_in_task(struct io_uring_cmd *ioucmd,
+--- a/io_uring/uring_cmd.c
++++ b/io_uring/uring_cmd.c
+@@ -147,7 +147,7 @@ static inline void io_req_set_cqe32_extr
+ * Called by consumers of io_uring_cmd, if they originally returned
+ * -EIOCBQUEUED upon receiving the command.
+ */
+-void io_uring_cmd_done(struct io_uring_cmd *ioucmd, ssize_t ret, ssize_t res2,
++void io_uring_cmd_done(struct io_uring_cmd *ioucmd, ssize_t ret, u64 res2,
+ unsigned issue_flags)
+ {
+ struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);
diff --git a/queue-6.12/iommufd-fix-out_fput-in-iommufd_fault_alloc.patch b/queue-6.12/iommufd-fix-out_fput-in-iommufd_fault_alloc.patch
new file mode 100644
index 00000000000..a326dff4081
--- /dev/null
+++ b/queue-6.12/iommufd-fix-out_fput-in-iommufd_fault_alloc.patch
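Review bot: The empty static inline variant of `io_uring_cmd_done()` in include/linux/io_uring/cmd.h names the widened parameter `ret2`, while the prototype above it and the definition in io_uring/uring_cmd.c call it `res2`. Since the line is being touched anyway, `u64 res2, unsigned issue_flags)` would make the three declarations agree. The kernel-doc for the function is outside the hunk; if it describes `res2` as a signed result it should be updated to match the new unsigned type.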
@@ -0,0 +1,57 @@
+From af7f4780514f850322b2959032ecaa96e4b26472 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen
+Date: Tue, 3 Dec 2024 00:02:54 -0800
+Subject: iommufd: Fix out_fput in iommufd_fault_alloc()
+
+From: Nicolin Chen
+
+commit af7f4780514f850322b2959032ecaa96e4b26472 upstream.
+
+As fput() calls the file->f_op->release op, where fault obj and ictx are
+getting released, there is no need to release these two after fput() one
+more time, which would result in imbalanced refcounts:
+ refcount_t: decrement hit 0; leaking memory.
+ WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230
+ Call trace:
+ refcount_warn_saturate+0x60/0x230 (P)
+ refcount_warn_saturate+0x60/0x230 (L)
+ iommufd_fault_fops_release+0x9c/0xe0 [iommufd]
+ ...
+ VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd])
+ WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0
+ Call trace:
+ filp_flush+0x3c/0xf0 (P)
+ filp_flush+0x3c/0xf0 (L)
+ __arm64_sys_close+0x34/0x98
+ ...
+ imbalanced put on file reference count
+ WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138
+ Call trace:
+ __file_ref_put+0x100/0x138 (P)
+ __file_ref_put+0x100/0x138 (L)
+ __fput_sync+0x4c/0xd0
+
+Drop those two lines to fix the warnings above.
+
+Cc: stable@vger.kernel.org
+Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
+Link: https://patch.msgid.link/r/b5651beb3a6b1adeef26fffac24607353bf67ba1.1733212723.git.nicolinc@nvidia.com
+Signed-off-by: Nicolin Chen
+Reviewed-by: Yi Liu
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/iommufd/fault.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/iommu/iommufd/fault.c
++++ b/drivers/iommu/iommufd/fault.c
+@@ -415,8 +415,6 @@ out_put_fdno:
+ put_unused_fd(fdno);
+ out_fput:
+ fput(filep);
+- refcount_dec(&fault->obj.users);
+- iommufd_ctx_put(fault->ictx);
+ out_abort:
+ iommufd_object_abort_and_destroy(ucmd->ictx, &fault->obj);
+
diff --git a/queue-6.12/ksmbd-fix-out-of-bounds-read-in-ksmbd_vfs_stream_read.patch b/queue-6.12/ksmbd-fix-out-of-bounds-read-in-ksmbd_vfs_stream_read.patch
new file mode 100644
index 00000000000..df645c66ced
--- /dev/null
+++ b/queue-6.12/ksmbd-fix-out-of-bounds-read-in-ksmbd_vfs_stream_read.patch
@@ -0,0 +1,37 @@
+From fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9 Mon Sep 17 00:00:00 2001
+From: Jordy Zomer
+Date: Thu, 28 Nov 2024 09:32:45 +0900
+Subject: ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
+
+From: Jordy Zomer
+
+commit fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9 upstream.
+
+An offset from client could be a negative value, It could lead
+to an out-of-bounds read from the stream_buf.
+Note that this issue is coming when setting
+'vfs objects = streams_xattr parameter' in ksmbd.conf.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: Jordy Zomer
+Signed-off-by: Jordy Zomer
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -6651,6 +6651,10 @@ int smb2_read(struct ksmbd_work *work)
+ }
+
+ offset = le64_to_cpu(req->Offset);
++ if (offset < 0) {
++ err = -EINVAL;
++ goto out;
++ }
+ length = le32_to_cpu(req->Length);
+ mincount = le32_to_cpu(req->MinimumCount);
+
diff --git a/queue-6.12/ksmbd-fix-out-of-bounds-write-in-ksmbd_vfs_stream_write.patch b/queue-6.12/ksmbd-fix-out-of-bounds-write-in-ksmbd_vfs_stream_write.patch
new file mode 100644
index 00000000000..ad597d33b25
--- /dev/null
+++ b/queue-6.12/ksmbd-fix-out-of-bounds-write-in-ksmbd_vfs_stream_write.patch
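Review bot: The added `if (offset < 0)` test in smb2_read() rejects only negative values; a large positive client-supplied `Offset` is not bounded here, and if `offset` is a signed 64-bit position, as the `< 0` test implies, adding `Length` to it can still overflow. Whether the stream read path caps the offset against the size of the stream buffer further down is not visible in this hunk and is worth confirming. A guard placed after `length` is read, such as `if (offset > LLONG_MAX - length) { err = -EINVAL; goto out; }`, would cover the overflow case. The same applies to the matching check added to smb2_write() in the companion ksmbd patch. smb2_read()'s body starts and ends outside the hunk.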
@@ -0,0 +1,35 @@
+From 313dab082289e460391c82d855430ec8a28ddf81 Mon Sep 17 00:00:00 2001
+From: Jordy Zomer
+Date: Thu, 28 Nov 2024 09:33:25 +0900
+Subject: ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write
+
+From: Jordy Zomer
+
+commit 313dab082289e460391c82d855430ec8a28ddf81 upstream.
+
+An offset from client could be a negative value, It could allows
+to write data outside the bounds of the allocated buffer.
+Note that this issue is coming when setting
+'vfs objects = streams_xattr parameter' in ksmbd.conf.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: Jordy Zomer
+Signed-off-by: Jordy Zomer
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -6868,6 +6868,8 @@ int smb2_write(struct ksmbd_work *work)
+ }
+
+ offset = le64_to_cpu(req->Offset);
++ if (offset < 0)
++ return -EINVAL;
+ length = le32_to_cpu(req->Length);
+
+ if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||
diff --git a/queue-6.12/loongarch-add-architecture-specific-huge_pte_clear.patch b/queue-6.12/loongarch-add-architecture-specific-huge_pte_clear.patch
new file mode 100644
index 00000000000..8ba8aee35b1
--- /dev/null
+++ b/queue-6.12/loongarch-add-architecture-specific-huge_pte_clear.patch
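Review bot: smb2_write() returns `-EINVAL` directly on a negative offset, whereas the equivalent check added to smb2_read() sets `err` and jumps to `out`. If smb2_write() has an error label that fills in the SMB2 status and the error response, as smb2_read()'s `out` presumably does, the direct return skips it and the client may receive a reply without an error status; this needs to be checked against the rest of the function, which lies outside the hunk. If that is the case, `err = -EINVAL; goto out;` would keep the two handlers consistent.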
@@ -0,0 +1,99 @@ +From 7cd1f5f77925ae905a57296932f0f9ef0dc364f8 Mon Sep 17 00:00:00 2001 +From: Bibo Mao +Date: Mon, 2 Dec 2024 16:42:08 +0800 +Subject: LoongArch: Add architecture specific huge_pte_clear() + +From: Bibo Mao + +commit 7cd1f5f77925ae905a57296932f0f9ef0dc364f8 upstream. + +When executing mm selftests run_vmtests.sh, there is such an error: + + BUG: Bad page state in process uffd-unit-tests pfn:00000 + page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0 + flags: 0xffff0000002000(reserved|node=0|zone=0|lastcpupid=0xffff) + raw: 00ffff0000002000 ffffbf0000000008 ffffbf0000000008 0000000000000000 + raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 + page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set + Modules linked in: snd_seq_dummy snd_seq snd_seq_device rfkill vfat fat + virtio_balloon efi_pstore virtio_net pstore net_failover failover fuse + nfnetlink virtio_scsi virtio_gpu virtio_dma_buf dm_multipath efivarfs + CPU: 2 UID: 0 PID: 1913 Comm: uffd-unit-tests Not tainted 6.12.0 #184 + Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 + Stack : 900000047c8ac000 0000000000000000 9000000000223a7c 900000047c8ac000 + 900000047c8af690 900000047c8af698 0000000000000000 900000047c8af7d8 + 900000047c8af7d0 900000047c8af7d0 900000047c8af5b0 0000000000000001 + 0000000000000001 900000047c8af698 10b3c7d53da40d26 0000010000000000 + 0000000000000022 0000000fffffffff fffffffffe000000 ffff800000000000 + 000000000000002f 0000800000000000 000000017a6d4000 90000000028f8940 + 0000000000000000 0000000000000000 90000000025aa5e0 9000000002905000 + 0000000000000000 90000000028f8940 ffff800000000000 0000000000000000 + 0000000000000000 0000000000000000 9000000000223a94 000000012001839c + 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d + ... 
+ Call Trace: + [<9000000000223a94>] show_stack+0x5c/0x180 + [<9000000001c3fd64>] dump_stack_lvl+0x6c/0xa0 + [<900000000056aa08>] bad_page+0x1a0/0x1f0 + [<9000000000574978>] free_unref_folios+0xbf0/0xd20 + [<90000000004e65cc>] folios_put_refs+0x1a4/0x2b8 + [<9000000000599a0c>] free_pages_and_swap_cache+0x164/0x260 + [<9000000000547698>] tlb_batch_pages_flush+0xa8/0x1c0 + [<9000000000547f30>] tlb_finish_mmu+0xa8/0x218 + [<9000000000543cb8>] exit_mmap+0x1a0/0x360 + [<9000000000247658>] __mmput+0x78/0x200 + [<900000000025583c>] do_exit+0x43c/0xde8 + [<9000000000256490>] do_group_exit+0x68/0x110 + [<9000000000256554>] sys_exit_group+0x1c/0x20 + [<9000000001c413b4>] do_syscall+0x94/0x130 + [<90000000002216d8>] handle_syscall+0xb8/0x158 + Disabling lock debugging due to kernel taint + BUG: non-zero pgtables_bytes on freeing mm: -16384 + +On LoongArch system, invalid huge pte entry should be invalid_pte_table +or a single _PAGE_HUGE bit rather than a zero value. And it should be +the same with invalid pmd entry, since pmd_none() is called by function +free_pgd_range() and pmd_none() return 0 by huge_pte_clear(). So single +_PAGE_HUGE bit is also treated as a valid pte table and free_pte_range() +will be called in free_pmd_range(). + + free_pmd_range() + pmd = pmd_offset(pud, addr); + do { + next = pmd_addr_end(addr, end); + if (pmd_none_or_clear_bad(pmd)) + continue; + free_pte_range(tlb, pmd, addr); + } while (pmd++, addr = next, addr != end); + +Here invalid_pte_table is used for both invalid huge pte entry and +pmd entry. 
+ +Cc: stable@vger.kernel.org +Fixes: 09cfefb7fa70 ("LoongArch: Add memory management") +Signed-off-by: Bibo Mao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/hugetlb.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/loongarch/include/asm/hugetlb.h ++++ b/arch/loongarch/include/asm/hugetlb.h +@@ -29,6 +29,16 @@ static inline int prepare_hugepage_range + return 0; + } + ++#define __HAVE_ARCH_HUGE_PTE_CLEAR ++static inline void huge_pte_clear(struct mm_struct *mm, unsigned long addr, ++ pte_t *ptep, unsigned long sz) ++{ ++ pte_t clear; ++ ++ pte_val(clear) = (unsigned long)invalid_pte_table; ++ set_pte_at(mm, addr, ptep, clear); ++} ++ + #define __HAVE_ARCH_HUGE_PTEP_GET_AND_CLEAR + static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm, + unsigned long addr, pte_t *ptep) diff --git a/queue-6.12/loongarch-kvm-protect-kvm_check_requests-with-srcu.patch b/queue-6.12/loongarch-kvm-protect-kvm_check_requests-with-srcu.patch new file mode 100644 index 00000000000..0bf71cbcb5c --- /dev/null +++ b/queue-6.12/loongarch-kvm-protect-kvm_check_requests-with-srcu.patch 
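Review bot: The new `huge_pte_clear()` in arch/loongarch/include/asm/hugetlb.h has no comment saying why it stores `invalid_pte_table` rather than zero, and that choice is not obvious without the commit message. A short comment above the function would carry the reasoning into the source, for example `/* An empty huge pte must equal invalid_pte_table, like an empty pmd, so that pmd_none() treats it as empty; zero is not an empty entry here. */`. The `sz` parameter is unused in the body; if it is only there to match the generic prototype, the same comment can say so.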
@@ -0,0 +1,73 @@ +From 589e6cc7597655bed7b8543b8286925f631f597c Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Mon, 2 Dec 2024 16:42:10 +0800 +Subject: LoongArch: KVM: Protect kvm_check_requests() with SRCU + +From: Huacai Chen + +commit 589e6cc7597655bed7b8543b8286925f631f597c upstream. + +When we enable lockdep we get such a warning: + + ============================= + WARNING: suspicious RCU usage + 6.12.0-rc7+ #1891 Tainted: G W + ----------------------------- + include/linux/kvm_host.h:1043 suspicious rcu_dereference_check() usage! + other info that might help us debug this: + rcu_scheduler_active = 2, debug_locks = 1 + 1 lock held by qemu-system-loo/948: + #0: 90000001184a00a8 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0xf4/0xe20 [kvm] + stack backtrace: + CPU: 0 UID: 0 PID: 948 Comm: qemu-system-loo Tainted: G W 6.12.0-rc7+ #1891 + Tainted: [W]=WARN + Hardware name: Loongson Loongson-3A5000-7A1000-1w-CRB/Loongson-LS3A5000-7A1000-1w-CRB, BIOS vUDK2018-LoongArch-V2.0.0-prebeta9 10/21/2022 + Stack : 0000000000000089 9000000005a0db9c 90000000071519c8 900000012c578000 + 900000012c57b920 0000000000000000 900000012c57b928 9000000007e53788 + 900000000815bcc8 900000000815bcc0 900000012c57b790 0000000000000001 + 0000000000000001 4b031894b9d6b725 0000000004dec000 90000001003299c0 + 0000000000000414 0000000000000001 000000000000002d 0000000000000003 + 0000000000000030 00000000000003b4 0000000004dec000 90000001184a0000 + 900000000806d000 9000000007e53788 00000000000000b4 0000000000000004 + 0000000000000004 0000000000000000 0000000000000000 9000000107baf600 + 9000000008916000 9000000007e53788 9000000005924778 0000000010000044 + 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d + ... 
+ Call Trace: + [<9000000005924778>] show_stack+0x38/0x180 + [<90000000071519c4>] dump_stack_lvl+0x94/0xe4 + [<90000000059eb754>] lockdep_rcu_suspicious+0x194/0x240 + [] kvm_gfn_to_hva_cache_init+0xfc/0x120 [kvm] + [] kvm_pre_enter_guest+0x3a4/0x520 [kvm] + [] kvm_handle_exit+0x23c/0x480 [kvm] + +Fix it by protecting kvm_check_requests() with SRCU. + +Cc: stable@vger.kernel.org +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kvm/vcpu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/loongarch/kvm/vcpu.c ++++ b/arch/loongarch/kvm/vcpu.c +@@ -240,7 +240,7 @@ static void kvm_late_check_requests(stru + */ + static int kvm_enter_guest_check(struct kvm_vcpu *vcpu) + { +- int ret; ++ int idx, ret; + + /* + * Check conditions before entering the guest +@@ -249,7 +249,9 @@ static int kvm_enter_guest_check(struct + if (ret < 0) + return ret; + ++ idx = srcu_read_lock(&vcpu->kvm->srcu); + ret = kvm_check_requests(vcpu); ++ srcu_read_unlock(&vcpu->kvm->srcu, idx); + + return ret; + } diff --git a/queue-6.12/net-mana-request-a-v2-response-version-for-mana_query_gf_stat.patch b/queue-6.12/net-mana-request-a-v2-response-version-for-mana_query_gf_stat.patch new file mode 100644 index 00000000000..6d1e4099c09 --- /dev/null +++ b/queue-6.12/net-mana-request-a-v2-response-version-for-mana_query_gf_stat.patch 
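Review bot: The `srcu_read_lock()`/`srcu_read_unlock()` pair added around `kvm_check_requests()` in kvm_enter_guest_check() carries no comment saying what it protects. The lockdep report in the commit message shows the path reaching `kvm_gfn_to_hva_cache_init()` and an `rcu_dereference_check()` in include/linux/kvm_host.h, presumably a memslot lookup. A one-line comment such as `/* request handling may reach kvm_gfn_to_hva_cache_init(), which needs kvm->srcu held */` would keep the lock from being removed as redundant in a later cleanup.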
@@ -0,0 +1,36 @@
+From 31f1b55d5d7e531cd827419e5d71c19f24de161c Mon Sep 17 00:00:00 2001
+From: Shradha Gupta
+Date: Tue, 3 Dec 2024 21:48:20 -0800
+Subject: net :mana :Request a V2 response version for MANA_QUERY_GF_STAT
+
+From: Shradha Gupta
+
+commit 31f1b55d5d7e531cd827419e5d71c19f24de161c upstream.
+
+The current requested response version(V1) for MANA_QUERY_GF_STAT query
+results in STATISTICS_FLAGS_TX_ERRORS_GDMA_ERROR value being set to
+0 always.
+In order to get the correct value for this counter we request the response
+version to be V2.
+
+Cc: stable@vger.kernel.org
+Fixes: e1df5202e879 ("net :mana :Add remaining GDMA stats for MANA to ethtool")
+Signed-off-by: Shradha Gupta
+Reviewed-by: Haiyang Zhang
+Link: https://patch.msgid.link/1733291300-12593-1-git-send-email-shradhagupta@linux.microsoft.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -2439,6 +2439,7 @@ void mana_query_gf_stats(struct mana_por
+
+ mana_gd_init_req_hdr(&req.hdr, MANA_QUERY_GF_STAT,
+ sizeof(req), sizeof(resp));
++ req.hdr.resp.msg_version = GDMA_MESSAGE_V2;
+ req.req_stats = STATISTICS_FLAGS_RX_DISCARDS_NO_WQE |
+ STATISTICS_FLAGS_RX_ERRORS_VPORT_DISABLED |
+ STATISTICS_FLAGS_HC_RX_BYTES |
diff --git a/queue-6.12/nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch b/queue-6.12/nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch
new file mode 100644
index 00000000000..d5a34b5420e
--- /dev/null
+++ b/queue-6.12/nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch
@@ -0,0 +1,53 @@
+From 985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Wed, 20 Nov 2024 02:23:37 +0900
+Subject: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()
+
+From: Ryusuke Konishi
+
+commit 985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d upstream.
+
+Syzbot reported that when searching for records in a directory where the
+inode's i_size is corrupted and has a large value, memory access outside
+the folio/page range may occur, or a use-after-free bug may be detected if
+KASAN is enabled.
+
+This is because nilfs_last_byte(), which is called by nilfs_find_entry()
+and others to calculate the number of valid bytes of directory data in a
+page from i_size and the page index, loses the upper 32 bits of the 64-bit
+size information due to an inappropriate type of local variable to which
+the i_size value is assigned.
+
+This caused a large byte offset value due to underflow in the end address
+calculation in the calling nilfs_find_entry(), resulting in memory access
+that exceeds the folio/page size.
+
+Fix this issue by changing the type of the local variable causing the bit
+loss from "unsigned int" to "u64". The return value of nilfs_last_byte()
+is also of type "unsigned int", but it is truncated so as not to exceed
+PAGE_SIZE and no bit loss occurs, so no change is required.
+
+Link: https://lkml.kernel.org/r/20241119172403.9292-1-konishi.ryusuke@gmail.com
+Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+96d5d14c47d97015c624@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=96d5d14c47d97015c624
+Tested-by: syzbot+96d5d14c47d97015c624@syzkaller.appspotmail.com
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nilfs2/dir.c
++++ b/fs/nilfs2/dir.c
+@@ -70,7 +70,7 @@ static inline unsigned int nilfs_chunk_s
+ */
+ static unsigned int nilfs_last_byte(struct inode *inode, unsigned long page_nr)
+ {
+- unsigned int last_byte = inode->i_size;
++ u64 last_byte = inode->i_size;
+
+ last_byte -= page_nr << PAGE_SHIFT;
+ if (last_byte > PAGE_SIZE)
diff --git a/queue-6.12/pmdomain-imx-gpcv2-adjust-delay-after-power-up-handshake.patch b/queue-6.12/pmdomain-imx-gpcv2-adjust-delay-after-power-up-handshake.patch
new file mode 100644
index 00000000000..5c90c273d0f
--- /dev/null
+++ b/queue-6.12/pmdomain-imx-gpcv2-adjust-delay-after-power-up-handshake.patch
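Review bot: In nilfs_last_byte() the subtrahend `page_nr << PAGE_SHIFT` is still evaluated in `unsigned long` before it is subtracted from the now 64-bit `last_byte`. On 32-bit builds that shift wraps once `page_nr` reaches 2^(32 - PAGE_SHIFT), which a corrupted, very large `i_size` may make reachable, so the result can again be wrong for high page indexes. Widening the operand first avoids this: `last_byte -= (u64)page_nr << PAGE_SHIFT;`. The function body continues past the end of the hunk.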
@@ -0,0 +1,77 @@ +From 2379fb937de5333991c567eefd7d11b98977d059 Mon Sep 17 00:00:00 2001 +From: Shengjiu Wang +Date: Thu, 21 Nov 2024 15:52:31 +0800 +Subject: pmdomain: imx: gpcv2: Adjust delay after power up handshake + +From: Shengjiu Wang + +commit 2379fb937de5333991c567eefd7d11b98977d059 upstream. + +The udelay(5) is not enough, sometimes below kernel panic +still be triggered: + +[ 4.012973] Kernel panic - not syncing: Asynchronous SError Interrupt +[ 4.012976] CPU: 2 UID: 0 PID: 186 Comm: (udev-worker) Not tainted 6.12.0-rc2-0.0.0-devel-00004-g8b1b79e88956 #1 +[ 4.012982] Hardware name: Toradex Verdin iMX8M Plus WB on Dahlia Board (DT) +[ 4.012985] Call trace: +[...] +[ 4.013029] arm64_serror_panic+0x64/0x70 +[ 4.013034] do_serror+0x3c/0x70 +[ 4.013039] el1h_64_error_handler+0x30/0x54 +[ 4.013046] el1h_64_error+0x64/0x68 +[ 4.013050] clk_imx8mp_audiomix_runtime_resume+0x38/0x48 +[ 4.013059] __genpd_runtime_resume+0x30/0x80 +[ 4.013066] genpd_runtime_resume+0x114/0x29c +[ 4.013073] __rpm_callback+0x48/0x1e0 +[ 4.013079] rpm_callback+0x68/0x80 +[ 4.013084] rpm_resume+0x3bc/0x6a0 +[ 4.013089] __pm_runtime_resume+0x50/0x9c +[ 4.013095] pm_runtime_get_suppliers+0x60/0x8c +[ 4.013101] __driver_probe_device+0x4c/0x14c +[ 4.013108] driver_probe_device+0x3c/0x120 +[ 4.013114] __driver_attach+0xc4/0x200 +[ 4.013119] bus_for_each_dev+0x7c/0xe0 +[ 4.013125] driver_attach+0x24/0x30 +[ 4.013130] bus_add_driver+0x110/0x240 +[ 4.013135] driver_register+0x68/0x124 +[ 4.013142] __platform_driver_register+0x24/0x30 +[ 4.013149] sdma_driver_init+0x20/0x1000 [imx_sdma] +[ 4.013163] do_one_initcall+0x60/0x1e0 +[ 4.013168] do_init_module+0x5c/0x21c +[ 4.013175] load_module+0x1a98/0x205c +[ 4.013181] init_module_from_file+0x88/0xd4 +[ 4.013187] __arm64_sys_finit_module+0x258/0x350 +[ 4.013194] invoke_syscall.constprop.0+0x50/0xe0 +[ 4.013202] do_el0_svc+0xa8/0xe0 +[ 4.013208] el0_svc+0x3c/0x140 +[ 4.013215] el0t_64_sync_handler+0x120/0x12c +[ 4.013222] el0t_64_sync+0x190/0x194 +[ 
4.013228] SMP: stopping secondary CPUs + +The correct way is to wait handshake, but it needs BUS clock of +BLK-CTL be enabled, which is in separate driver. So delay is the +only option here. The udelay(10) is a data got by experiment. + +Fixes: e8dc41afca16 ("pmdomain: imx: gpcv2: Add delay after power up handshake") +Reported-by: Francesco Dolcini +Closes: https://lore.kernel.org/lkml/20241007132555.GA53279@francesco-nb/ +Signed-off-by: Shengjiu Wang +Cc: stable@vger.kernel.org +Message-ID: <20241121075231.3910922-1-shengjiu.wang@nxp.com> +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/imx/gpcv2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pmdomain/imx/gpcv2.c ++++ b/drivers/pmdomain/imx/gpcv2.c +@@ -403,7 +403,7 @@ static int imx_pgc_power_up(struct gener + * already reaches target before udelay() + */ + regmap_read_bypassed(domain->regmap, domain->regs->hsk, ®_val); +- udelay(5); ++ udelay(10); + } + + /* Disable reset clocks for all devices in the domain */ diff --git a/queue-6.12/revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch b/queue-6.12/revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch new file mode 100644 index 00000000000..77555bd85cf --- /dev/null +++ b/queue-6.12/revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch 
@@ -0,0 +1,57 @@ +From a220d6b95b1ae12c7626283d7609f0a1438e6437 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 26 Nov 2024 15:52:08 +0100 +Subject: Revert "readahead: properly shorten readahead when falling back to do_page_cache_ra()" + +From: Jan Kara + +commit a220d6b95b1ae12c7626283d7609f0a1438e6437 upstream. + +This reverts commit 7c877586da3178974a8a94577b6045a48377ff25. + +Anders and Philippe have reported that recent kernels occasionally hang +when used with NFS in readahead code. The problem has been bisected to +7c877586da3 ("readahead: properly shorten readahead when falling back to +do_page_cache_ra()"). The cause of the problem is that ra->size can be +shrunk by read_pages() call and subsequently we end up calling +do_page_cache_ra() with negative (read huge positive) number of pages. +Let's revert 7c877586da3 for now until we can find a proper way how the +logic in read_pages() and page_cache_ra_order() can coexist. This can +lead to reduced readahead throughput due to readahead window confusion but +that's better than outright hangs. 
+ +Link: https://lkml.kernel.org/r/20241126145208.985-1-jack@suse.cz +Fixes: 7c877586da31 ("readahead: properly shorten readahead when falling back to do_page_cache_ra()") +Reported-by: Anders Blomdell +Reported-by: Philippe Troin +Signed-off-by: Jan Kara +Tested-by: Philippe Troin +Cc: Matthew Wilcox +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/readahead.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/mm/readahead.c ++++ b/mm/readahead.c +@@ -453,8 +453,7 @@ void page_cache_ra_order(struct readahea + struct file_ra_state *ra, unsigned int new_order) + { + struct address_space *mapping = ractl->mapping; +- pgoff_t start = readahead_index(ractl); +- pgoff_t index = start; ++ pgoff_t index = readahead_index(ractl); + unsigned int min_order = mapping_min_folio_order(mapping); + pgoff_t limit = (i_size_read(mapping->host) - 1) >> PAGE_SHIFT; + pgoff_t mark = index + ra->size - ra->async_size; +@@ -517,7 +516,7 @@ void page_cache_ra_order(struct readahea + if (!err) + return; + fallback: +- do_page_cache_ra(ractl, ra->size - (index - start), ra->async_size); ++ do_page_cache_ra(ractl, ra->size, ra->async_size); + } + + static unsigned long ractl_max_pages(struct readahead_control *ractl, diff --git a/queue-6.12/scsi-qla2xxx-fix-abort-in-bsg-timeout.patch b/queue-6.12/scsi-qla2xxx-fix-abort-in-bsg-timeout.patch new file mode 100644 index 00000000000..92e476aff4c --- /dev/null +++ b/queue-6.12/scsi-qla2xxx-fix-abort-in-bsg-timeout.patch 
@@ -0,0 +1,227 @@ +From c423263082ee8ccfad59ab33e3d5da5dc004c21e Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 15 Nov 2024 18:33:07 +0530 +Subject: scsi: qla2xxx: Fix abort in bsg timeout + +From: Quinn Tran + +commit c423263082ee8ccfad59ab33e3d5da5dc004c21e upstream. + +Current abort of bsg on timeout prematurely clears the +outstanding_cmds[]. Abort does not allow FW to return the IOCB/SRB. In +addition, bsg_job_done() is not called to return the BSG (i.e. leak). + +Abort the outstanding bsg/SRB and wait for the completion. The +completion IOCB will wake up the bsg_timeout thread. If abort is not +successful, then driver will forcibly call bsg_job_done() and free the +srb. + +Err Inject: + + - qaucli -z + - assign CT Passthru IOCB's NportHandle with another initiator + nport handle to trigger timeout. Remote port will drop CT request. + - bsg_job_done is properly called as part of cleanup + +kernel: qla2xxx [0000:21:00.1]-7012:7: qla2x00_process_ct : 286 : Error Inject. +kernel: qla2xxx [0000:21:00.1]-7016:7: bsg rqst type: FC_BSG_HST_CT else type: 101 - loop-id=1 portid=fffffa. +kernel: qla2xxx [0000:21:00.1]-70bb:7: qla24xx_bsg_timeout CMD timeout. bsg ptr ffff9971a42f0838 msgcode 80000004 vendor cmd fa010000 +kernel: qla2xxx [0000:21:00.1]-507c:7: Abort command issued - hdl=4b, type=5 +kernel: qla2xxx [0000:21:00.1]-5040:7: ELS-CT pass-through-ct pass-through error hdl=4b comp_status-status=0x5 error subcode 1=0x0 error subcode 2=0xaf882e80. +kernel: qla2xxx [0000:21:00.1]-7009:7: qla2x00_bsg_job_done: sp hdl 4b, result=70000 bsg ptr ffff9971a42f0838 +kernel: qla2xxx [0000:21:00.1]-802c:7: Aborting bsg ffff9971a42f0838 sp=ffff99760b87ba80 handle=4b rval=0 +kernel: qla2xxx [0000:21:00.1]-708a:7: bsg abort success. bsg ffff9971a42f0838 sp=ffff99760b87ba80 handle=0x4b +kernel: qla2xxx [0000:21:00.1]-7012:7: qla2x00_process_ct : 286 : Error Inject. 
+kernel: qla2xxx [0000:21:00.1]-7016:7: bsg rqst type: FC_BSG_HST_CT else type: 101 - loop-id=1 portid=fffffa. +kernel: qla2xxx [0000:21:00.1]-70bb:7: qla24xx_bsg_timeout CMD timeout. bsg ptr ffff9971a42f43b8 msgcode 80000004 vendor cmd fa010000 +kernel: qla2xxx [0000:21:00.1]-7012:7: qla_bsg_found : 2206 : Error Inject 2. +kernel: qla2xxx [0000:21:00.1]-802c:7: Aborting bsg ffff9971a42f43b8 sp=ffff99762c304440 handle=5e rval=5 +kernel: qla2xxx [0000:21:00.1]-704f:7: bsg abort fail. bsg=ffff9971a42f43b8 sp=ffff99762c304440 rval=5. +kernel: qla2xxx [0000:21:00.1]-7051:7: qla_bsg_found bsg_job_done : bsg ffff9971a42f43b8 result 0xfffffffa sp ffff99762c304440. + +Cc: stable@vger.kernel.org +Fixes: c449b4198701 ("scsi: qla2xxx: Use QP lock to search for bsg") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20241115130313.46826-2-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_bsg.c | 114 +++++++++++++++++++++++++++++++++-------- + 1 file changed, 92 insertions(+), 22 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -24,6 +24,7 @@ void qla2x00_bsg_job_done(srb_t *sp, int + { + struct bsg_job *bsg_job = sp->u.bsg_job; + struct fc_bsg_reply *bsg_reply = bsg_job->reply; ++ struct completion *comp = sp->comp; + + ql_dbg(ql_dbg_user, sp->vha, 0x7009, + "%s: sp hdl %x, result=%x bsg ptr %p\n", +@@ -35,6 +36,9 @@ void qla2x00_bsg_job_done(srb_t *sp, int + bsg_reply->result = res; + bsg_job_done(bsg_job, bsg_reply->result, + bsg_reply->reply_payload_rcv_len); ++ ++ if (comp) ++ complete(comp); + } + + void qla2x00_bsg_sp_free(srb_t *sp) +@@ -3061,7 +3065,7 @@ skip_chip_chk: + + static bool qla_bsg_found(struct qla_qpair *qpair, struct bsg_job *bsg_job) + { +- bool found = false; ++ bool found, do_bsg_done; + struct fc_bsg_reply *bsg_reply = bsg_job->reply; + scsi_qla_host_t *vha = 
shost_priv(fc_bsg_to_shost(bsg_job)); + struct qla_hw_data *ha = vha->hw; +@@ -3069,6 +3073,11 @@ static bool qla_bsg_found(struct qla_qpa + int cnt; + unsigned long flags; + struct req_que *req; ++ int rval; ++ DECLARE_COMPLETION_ONSTACK(comp); ++ uint32_t ratov_j; ++ ++ found = do_bsg_done = false; + + spin_lock_irqsave(qpair->qp_lock_ptr, flags); + req = qpair->req; +@@ -3080,42 +3089,104 @@ static bool qla_bsg_found(struct qla_qpa + sp->type == SRB_ELS_CMD_HST || + sp->type == SRB_ELS_CMD_HST_NOLOGIN) && + sp->u.bsg_job == bsg_job) { +- req->outstanding_cmds[cnt] = NULL; +- spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); +- +- if (!ha->flags.eeh_busy && ha->isp_ops->abort_command(sp)) { +- ql_log(ql_log_warn, vha, 0x7089, +- "mbx abort_command failed.\n"); +- bsg_reply->result = -EIO; +- } else { +- ql_dbg(ql_dbg_user, vha, 0x708a, +- "mbx abort_command success.\n"); +- bsg_reply->result = 0; +- } +- /* ref: INIT */ +- kref_put(&sp->cmd_kref, qla2x00_sp_release); + + found = true; +- goto done; ++ sp->comp = ∁ ++ break; + } + } + spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); + +-done: +- return found; ++ if (!found) ++ return false; ++ ++ if (ha->flags.eeh_busy) { ++ /* skip over abort. EEH handling will return the bsg. Wait for it */ ++ rval = QLA_SUCCESS; ++ ql_dbg(ql_dbg_user, vha, 0x802c, ++ "eeh encounter. bsg %p sp=%p handle=%x \n", ++ bsg_job, sp, sp->handle); ++ } else { ++ rval = ha->isp_ops->abort_command(sp); ++ ql_dbg(ql_dbg_user, vha, 0x802c, ++ "Aborting bsg %p sp=%p handle=%x rval=%x\n", ++ bsg_job, sp, sp->handle, rval); ++ } ++ ++ switch (rval) { ++ case QLA_SUCCESS: ++ /* Wait for the command completion. */ ++ ratov_j = ha->r_a_tov / 10 * 4 * 1000; ++ ratov_j = msecs_to_jiffies(ratov_j); ++ ++ if (!wait_for_completion_timeout(&comp, ratov_j)) { ++ ql_log(ql_log_info, vha, 0x7089, ++ "bsg abort timeout. 
bsg=%p sp=%p handle %#x .\n", ++ bsg_job, sp, sp->handle); ++ ++ do_bsg_done = true; ++ } else { ++ /* fw had returned the bsg */ ++ ql_dbg(ql_dbg_user, vha, 0x708a, ++ "bsg abort success. bsg %p sp=%p handle=%#x\n", ++ bsg_job, sp, sp->handle); ++ do_bsg_done = false; ++ } ++ break; ++ default: ++ ql_log(ql_log_info, vha, 0x704f, ++ "bsg abort fail. bsg=%p sp=%p rval=%x.\n", ++ bsg_job, sp, rval); ++ ++ do_bsg_done = true; ++ break; ++ } ++ ++ if (!do_bsg_done) ++ return true; ++ ++ spin_lock_irqsave(qpair->qp_lock_ptr, flags); ++ /* ++ * recheck to make sure it's still the same bsg_job due to ++ * qp_lock_ptr was released earlier. ++ */ ++ if (req->outstanding_cmds[cnt] && ++ req->outstanding_cmds[cnt]->u.bsg_job != bsg_job) { ++ /* fw had returned the bsg */ ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ return true; ++ } ++ req->outstanding_cmds[cnt] = NULL; ++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags); ++ ++ /* ref: INIT */ ++ sp->comp = NULL; ++ kref_put(&sp->cmd_kref, qla2x00_sp_release); ++ bsg_reply->result = -ENXIO; ++ bsg_reply->reply_payload_rcv_len = 0; ++ ++ ql_dbg(ql_dbg_user, vha, 0x7051, ++ "%s bsg_job_done : bsg %p result %#x sp %p.\n", ++ __func__, bsg_job, bsg_reply->result, sp); ++ ++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len); ++ ++ return true; + } + + int + qla24xx_bsg_timeout(struct bsg_job *bsg_job) + { +- struct fc_bsg_reply *bsg_reply = bsg_job->reply; ++ struct fc_bsg_request *bsg_request = bsg_job->request; + scsi_qla_host_t *vha = shost_priv(fc_bsg_to_shost(bsg_job)); + struct qla_hw_data *ha = vha->hw; + int i; + struct qla_qpair *qpair; + +- ql_log(ql_log_info, vha, 0x708b, "%s CMD timeout. bsg ptr %p.\n", +- __func__, bsg_job); ++ ql_log(ql_log_info, vha, 0x708b, ++ "%s CMD timeout. 
bsg ptr %p msgcode %x vendor cmd %x\n", ++ __func__, bsg_job, bsg_request->msgcode, ++ bsg_request->rqst_data.h_vendor.vendor_cmd[0]); + + if (qla2x00_isp_reg_stat(ha)) { + ql_log(ql_log_info, vha, 0x9007, +@@ -3136,7 +3207,6 @@ qla24xx_bsg_timeout(struct bsg_job *bsg_ + } + + ql_log(ql_log_info, vha, 0x708b, "SRB not found to abort.\n"); +- bsg_reply->result = -ENXIO; + + done: + return 0; diff --git a/queue-6.12/scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch b/queue-6.12/scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch new file mode 100644 index 00000000000..8465dac219f --- /dev/null +++ b/queue-6.12/scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch 
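Review bot: The re-check after re-taking `qp_lock_ptr` in qla_bsg_found() only bails out when the slot holds a different job, `req->outstanding_cmds[cnt] && req->outstanding_cmds[cnt]->u.bsg_job != bsg_job`, so a slot that is already NULL falls through to `kref_put()` and `bsg_job_done()`. If the normal completion path clears the slot when firmware returns the command (not visible here), a completion that lands between the `wait_for_completion_timeout()` expiry and the re-lock would have the job finished twice, and qla2x00_bsg_job_done() could call `complete()` on the on-stack `comp` after this function has returned. Comparing the slot with the SRB itself, `if (req->outstanding_cmds[cnt] != sp) {` followed by the existing unlock and `return true;`, handles the NULL case; the lifetime of the on-stack completion on that path needs a separate look. `sp->handle` is also read in the debug messages after the lock is dropped, which relies on the SRB staying alive until the forced cleanup.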
@@ -0,0 +1,46 @@
+From 4812b7796c144f63a1094f79a5eb8fbdad8d7ebc Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Fri, 15 Nov 2024 18:33:11 +0530
+Subject: scsi: qla2xxx: Fix NVMe and NPIV connect issue
+
+From: Quinn Tran
+
+commit 4812b7796c144f63a1094f79a5eb8fbdad8d7ebc upstream.
+
+NVMe controller fails to send connect command due to failure to locate
+hw context buffer for NVMe queue 0 (blk_mq_hw_ctx, hctx_idx=0). The
+cause of the issue is NPIV host did not initialize the vha->irq_offset
+field. This field is given to blk-mq (blk_mq_pci_map_queues) to help
+locate the beginning of IO Queues which in turn help locate NVMe queue
+0.
+
+Initialize this field to allow NVMe to work properly with NPIV host.
+
+ kernel: nvme nvme5: Connect command failed, errno: -18
+ kernel: nvme nvme5: qid 0: secure concatenation is not supported
+ kernel: nvme nvme5: NVME-FC{5}: create_assoc failed, assoc_id 2e9100 ret 401
+ kernel: nvme nvme5: NVME-FC{5}: reset: Reconnect attempt failed (401)
+ kernel: nvme nvme5: NVME-FC{5}: Reconnect attempt in 2 seconds
+
+Cc: stable@vger.kernel.org
+Fixes: f0783d43dde4 ("scsi: qla2xxx: Use correct number of vectors for online CPUs")
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20241115130313.46826-6-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_mid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/qla2xxx/qla_mid.c
++++ b/drivers/scsi/qla2xxx/qla_mid.c
+@@ -506,6 +506,7 @@ qla24xx_create_vhost(struct fc_vport *fc
+ return(NULL);
+ }
+
++ vha->irq_offset = QLA_BASE_VECTORS;
+ host = vha->host;
+ fc_vport->dd_data = vha;
+ /* New host info */
diff --git a/queue-6.12/scsi-qla2xxx-fix-use-after-free-on-unload.patch b/queue-6.12/scsi-qla2xxx-fix-use-after-free-on-unload.patch
new file mode 100644
index 00000000000..f488d9701c0
--- /dev/null
+++ b/queue-6.12/scsi-qla2xxx-fix-use-after-free-on-unload.patch 
@@ -0,0 +1,98 @@
+From 07c903db0a2ff84b68efa1a74a4de353ea591eb0 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Fri, 15 Nov 2024 18:33:08 +0530
+Subject: scsi: qla2xxx: Fix use after free on unload
+
+From: Quinn Tran
+
+commit 07c903db0a2ff84b68efa1a74a4de353ea591eb0 upstream.
+
+System crash is observed with stack trace warning of use after
+free. There are 2 signals to tell dpc_thread to terminate (UNLOADING
+flag and kthread_stop).
+
+On setting the UNLOADING flag when dpc_thread happens to run at the time
+and sees the flag, this causes dpc_thread to exit and clean up
+itself. When kthread_stop is called for final cleanup, this causes use
+after free.
+
+Remove UNLOADING signal to terminate dpc_thread. Use the kthread_stop
+as the main signal to exit dpc_thread.
+
+[596663.812935] kernel BUG at mm/slub.c:294!
+[596663.812950] invalid opcode: 0000 [#1] SMP PTI
+[596663.812957] CPU: 13 PID: 1475935 Comm: rmmod Kdump: loaded Tainted: G IOE --------- - - 4.18.0-240.el8.x86_64 #1
+[596663.812960] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/20/2012
+[596663.812974] RIP: 0010:__slab_free+0x17d/0x360
+
+...
+[596663.813008] Call Trace:
+[596663.813022] ? __dentry_kill+0x121/0x170
+[596663.813030] ? _cond_resched+0x15/0x30
+[596663.813034] ? _cond_resched+0x15/0x30
+[596663.813039] ? wait_for_completion+0x35/0x190
+[596663.813048] ? try_to_wake_up+0x63/0x540
+[596663.813055] free_task+0x5a/0x60
+[596663.813061] kthread_stop+0xf3/0x100
+[596663.813103] qla2x00_remove_one+0x284/0x440 [qla2xxx]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20241115130313.46826-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_os.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -6902,12 +6902,15 @@ qla2x00_do_dpc(void *data)
+ set_user_nice(current, MIN_NICE);
+
+ set_current_state(TASK_INTERRUPTIBLE);
+- while (!kthread_should_stop()) {
++ while (1) {
+ ql_dbg(ql_dbg_dpc, base_vha, 0x4000,
+ "DPC handler sleeping.\n");
+
+ schedule();
+
++ if (kthread_should_stop())
++ break;
++
+ if (test_and_clear_bit(DO_EEH_RECOVERY, &base_vha->dpc_flags))
+ qla_pci_set_eeh_busy(base_vha);
+
+@@ -6920,15 +6923,16 @@ qla2x00_do_dpc(void *data)
+ goto end_loop;
+ }
+
++ if (test_bit(UNLOADING, &base_vha->dpc_flags))
++ /* don't do any work. Wait to be terminated by kthread_stop */
++ goto end_loop;
++
+ ha->dpc_active = 1;
+
+ ql_dbg(ql_dbg_dpc + ql_dbg_verbose, base_vha, 0x4001,
+ "DPC handler waking up, dpc_flags=0x%lx.\n",
+ base_vha->dpc_flags);
+
+- if (test_bit(UNLOADING, &base_vha->dpc_flags))
+- break;
+-
+ if (IS_P3P_TYPE(ha)) {
+ if (IS_QLA8044(ha)) {
+ if (test_and_clear_bit(ISP_UNRECOVERABLE,
+@@ -7241,9 +7245,6 @@ end_loop:
+ */
+ ha->dpc_active = 0;
+
+- /* Cleanup any residual CTX SRBs. */
+- qla2x00_abort_all_cmds(base_vha, DID_NO_CONNECT << 16);
+-
+ return 0;
+ }
+
diff --git a/queue-6.12/scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch b/queue-6.12/scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch
new file mode 100644
index 00000000000..b28421c5b8c
--- /dev/null
+++ b/queue-6.12/scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch
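Review bot: In the first qla_os.c hunk of the use-after-free patch, replacing the loop condition with `while (1)` leaves a window in which a stop request can be missed, because `kthread_should_stop()` is now evaluated only after `schedule()` returns. A `kthread_stop()` issued while the thread is in the middle of an iteration finds it runnable, so its wake-up has no effect; if `end_loop` then sets TASK_INTERRUPTIBLE before looping back (the tail of the loop is outside these hunks), the thread would sleep with the stop flag already set and module unload would wait on it. Keeping the original condition, `while (!kthread_should_stop()) {`, together with the added check after `schedule()` closes that window without changing the intent of the fix. The body of qla2x00_do_dpc continues outside the hunks shown.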
@@ -0,0 +1,45 @@
+From 833c70e212fc40d3e98da941796f4c7bcaecdf58 Mon Sep 17 00:00:00 2001
+From: Saurav Kashyap
+Date: Fri, 15 Nov 2024 18:33:10 +0530
+Subject: scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt
+
+From: Saurav Kashyap
+
+commit 833c70e212fc40d3e98da941796f4c7bcaecdf58 upstream.
+
+Firmware supports multiple sg_cnt for request and response for CT
+commands, so remove the redundant check. A check is there where sg_cnt
+for request and response should be same. This is not required as driver
+and FW have code to handle multiple and different sg_cnt on request and
+response.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Saurav Kashyap
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20241115130313.46826-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -494,16 +494,6 @@ qla2x00_process_ct(struct bsg_job *bsg_j
+ goto done;
+ }
+
+- if ((req_sg_cnt != bsg_job->request_payload.sg_cnt) ||
+- (rsp_sg_cnt != bsg_job->reply_payload.sg_cnt)) {
+- ql_log(ql_log_warn, vha, 0x7011,
+- "request_sg_cnt: %x dma_request_sg_cnt: %x reply_sg_cnt:%x "
+- "dma_reply_sg_cnt: %x\n", bsg_job->request_payload.sg_cnt,
+- req_sg_cnt, bsg_job->reply_payload.sg_cnt, rsp_sg_cnt);
+- rval = -EAGAIN;
+- goto done_unmap_sg;
+- }
+-
+ if (!vha->flags.online) {
+ ql_log(ql_log_warn, vha, 0x7012,
+ "Host is not online.\n");
diff --git a/queue-6.12/scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch b/queue-6.12/scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch
new file mode 100644
index 00000000000..48f361e1eb9
--- /dev/null
+++ b/queue-6.12/scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch
@@ -0,0 +1,36 @@
+From e4e268f898c8a08f0a1188677e15eadbc06e98f6 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy
+Date: Fri, 15 Nov 2024 18:33:12 +0530
+Subject: scsi: qla2xxx: Supported speed displayed incorrectly for VPorts
+
+From: Anil Gurumurthy
+
+commit e4e268f898c8a08f0a1188677e15eadbc06e98f6 upstream.
+
+The fc_function_template for vports was missing the
+.show_host_supported_speeds. The base port had the same.
+
+Add .show_host_supported_speeds to the vport template as well.
+
+Cc: stable@vger.kernel.org
+Fixes: 2c3dfe3f6ad8 ("[SCSI] qla2xxx: add support for NPIV")
+Signed-off-by: Anil Gurumurthy
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20241115130313.46826-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -3304,6 +3304,7 @@ struct fc_function_template qla2xxx_tran
+ .show_host_node_name = 1,
+ .show_host_port_name = 1,
+ .show_host_supported_classes = 1,
++ .show_host_supported_speeds = 1,
+
+ .get_host_port_id = qla2x00_get_host_port_id,
+ .show_host_port_id = 1,
diff --git a/queue-6.12/scsi-ufs-core-add-missing-post-notify-for-power-mode-change.patch b/queue-6.12/scsi-ufs-core-add-missing-post-notify-for-power-mode-change.patch
new file mode 100644
index 00000000000..b9dd2588510
--- /dev/null
+++ b/queue-6.12/scsi-ufs-core-add-missing-post-notify-for-power-mode-change.patch
@@ -0,0 +1,78 @@
+From 7f45ed5f0cd5ccbbec79adc6c48a67d6a85fba56 Mon Sep 17 00:00:00 2001
+From: Peter Wang
+Date: Fri, 22 Nov 2024 10:49:43 +0800
+Subject: scsi: ufs: core: Add missing post notify for power mode change
+
+From: Peter Wang
+
+commit 7f45ed5f0cd5ccbbec79adc6c48a67d6a85fba56 upstream.
+
+When the power mode change is successful but the power mode hasn't
+actually changed, the post notification was missed. Similar to the
+approach with hibernate/clock scale/hce enable, having pre/post
+notifications in the same function will make it easier to maintain.
+
+Additionally, supplement the description of power parameters for the
+pwr_change_notify callback.
+
+Fixes: 7eb584db73be ("ufs: refactor configuring power mode")
+Cc: stable@vger.kernel.org #6.11.x
+Signed-off-by: Peter Wang
+Link: https://lore.kernel.org/r/20241122024943.30589-1-peter.wang@mediatek.com
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ufs/core/ufshcd.c | 7 ++++---
+ include/ufs/ufshcd.h | 10 ++++++----
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4684,9 +4684,6 @@ static int ufshcd_change_power_mode(stru
+ dev_err(hba->dev,
+ "%s: power mode change failed %d\n", __func__, ret);
+ } else {
+- ufshcd_vops_pwr_change_notify(hba, POST_CHANGE, NULL,
+- pwr_mode);
+-
+ memcpy(&hba->pwr_info, pwr_mode,
+ sizeof(struct ufs_pa_layer_attr));
+ }
+@@ -4715,6 +4712,10 @@ int ufshcd_config_pwr_mode(struct ufs_hb
+
+ ret = ufshcd_change_power_mode(hba, &final_params);
+
++ if (!ret)
++ ufshcd_vops_pwr_change_notify(hba, POST_CHANGE, NULL,
++ &final_params);
++
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(ufshcd_config_pwr_mode);
+--- a/include/ufs/ufshcd.h
++++ b/include/ufs/ufshcd.h
+@@ -308,7 +308,9 @@ struct ufs_pwr_mode_info {
+ * to allow variant specific Uni-Pro initialization.
+ * @pwr_change_notify: called before and after a power mode change
+ * is carried out to allow vendor spesific capabilities
+- * to be set.
++ * to be set. PRE_CHANGE can modify final_params based
++ * on desired_pwr_mode, but POST_CHANGE must not alter
++ * the final_params parameter
+ * @setup_xfer_req: called before any transfer request is issued
+ * to set some things
+ * @setup_task_mgmt: called before any task management request is issued
+@@ -350,9 +352,9 @@ struct ufs_hba_variant_ops {
+ int (*link_startup_notify)(struct ufs_hba *,
+ enum ufs_notify_change_status);
+ int (*pwr_change_notify)(struct ufs_hba *,
+- enum ufs_notify_change_status status,
+- struct ufs_pa_layer_attr *,
+- struct ufs_pa_layer_attr *);
++ enum ufs_notify_change_status status,
++ struct ufs_pa_layer_attr *desired_pwr_mode,
++ struct ufs_pa_layer_attr *final_params);
+ void (*setup_xfer_req)(struct ufs_hba *hba, int tag,
+ bool is_scsi_cmd);
+ void (*setup_task_mgmt)(struct ufs_hba *, int, u8);
diff --git a/queue-6.12/scsi-ufs-core-cancel-rtc-work-during-ufshcd_remove.patch b/queue-6.12/scsi-ufs-core-cancel-rtc-work-during-ufshcd_remove.patch
new file mode 100644
index 00000000000..315de15ea0d
--- /dev/null
+++ b/queue-6.12/scsi-ufs-core-cancel-rtc-work-during-ufshcd_remove.patch
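Review bot: In the ufshcd.c hunks of the post-notify patch, POST_CHANGE is now delivered after ufshcd_change_power_mode() has returned, that is after `memcpy(&hba->pwr_info, pwr_mode, ...)`, whereas the removed call ran before that copy. A vendor callback that reads `hba->pwr_info` during POST_CHANGE therefore sees the new mode instead of the previous one; whether any callback depends on the old ordering cannot be told from these hunks. The kernel-doc extended in include/ufs/ufshcd.h is the natural place to record it, for example `hba->pwr_info already holds the new mode when POST_CHANGE is delivered`. The return value of the POST_CHANGE call is still discarded, as it was before the move.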
@@ -0,0 +1,52 @@
+From 1695c4361d35b7bdadd7b34f99c9c07741e181e5 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam
+Date: Mon, 11 Nov 2024 23:18:30 +0530
+Subject: scsi: ufs: core: Cancel RTC work during ufshcd_remove()
+
+From: Manivannan Sadhasivam
+
+commit 1695c4361d35b7bdadd7b34f99c9c07741e181e5 upstream.
+
+Currently, RTC work is only cancelled during __ufshcd_wl_suspend(). When
+ufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due to
+this, any further trigger of the RTC work after ufshcd_remove() would
+result in a NULL pointer dereference as below:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000002a4
+Workqueue: events ufshcd_rtc_work
+Call trace:
+ _raw_spin_lock_irqsave+0x34/0x8c
+ pm_runtime_get_if_active+0x24/0xb4
+ ufshcd_rtc_work+0x124/0x19c
+ process_scheduled_works+0x18c/0x2d8
+ worker_thread+0x144/0x280
+ kthread+0x11c/0x128
+ ret_from_fork+0x10/0x20
+
+Since RTC work accesses the ufshcd internal structures, it should be cancelled
+when ufshcd is removed. So do that in ufshcd_remove(), as per the order in
+ufshcd_init().
+
+Cc: stable@vger.kernel.org # 6.8
+Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support")
+Signed-off-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-1-45ad8b62f02e@linaro.org
+Reviewed-by: Peter Wang
+Reviewed-by: Bean Huo
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ufs/core/ufshcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -10264,6 +10264,7 @@ void ufshcd_remove(struct ufs_hba *hba)
+ ufs_hwmon_remove(hba);
+ ufs_bsg_remove(hba);
+ ufs_sysfs_remove_nodes(hba->dev);
++ cancel_delayed_work_sync(&hba->ufs_rtc_update_work);
+ blk_mq_destroy_queue(hba->tmf_queue);
+ blk_put_queue(hba->tmf_queue);
+ blk_mq_free_tag_set(&hba->tmf_tag_set);
diff --git a/queue-6.12/scsi-ufs-core-sysfs-prevent-div-by-zero.patch b/queue-6.12/scsi-ufs-core-sysfs-prevent-div-by-zero.patch
new file mode 100644
index 00000000000..899249716b2
--- /dev/null
+++ b/queue-6.12/scsi-ufs-core-sysfs-prevent-div-by-zero.patch
@@ -0,0 +1,44 @@
+From eb48e9fc0028bed94a40a9352d065909f19e333c Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou
+Date: Tue, 19 Nov 2024 22:25:22 -0800
+Subject: scsi: ufs: core: sysfs: Prevent div by zero
+
+From: Gwendal Grignou
+
+commit eb48e9fc0028bed94a40a9352d065909f19e333c upstream.
+
+Prevent a division by 0 when monitoring is not enabled.
+
+Fixes: 1d8613a23f3c ("scsi: ufs: core: Introduce HBA performance monitor sysfs nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gwendal Grignou
+Link: https://lore.kernel.org/r/20241120062522.917157-1-gwendal@chromium.org
+Reviewed-by: Can Guo
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ufs/core/ufs-sysfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/ufs/core/ufs-sysfs.c
++++ b/drivers/ufs/core/ufs-sysfs.c
+@@ -670,6 +670,9 @@ static ssize_t read_req_latency_avg_show
+ struct ufs_hba *hba = dev_get_drvdata(dev);
+ struct ufs_hba_monitor *m = &hba->monitor;
+
++ if (!m->nr_req[READ])
++ return sysfs_emit(buf, "0\n");
++
+ return sysfs_emit(buf, "%llu\n", div_u64(ktime_to_us(m->lat_sum[READ]),
+ m->nr_req[READ]));
+ }
+@@ -737,6 +740,9 @@ static ssize_t write_req_latency_avg_sho
+ struct ufs_hba *hba = dev_get_drvdata(dev);
+ struct ufs_hba_monitor *m = &hba->monitor;
+
++ if (!m->nr_req[WRITE])
++ return sysfs_emit(buf, "0\n");
++
+ return sysfs_emit(buf, "%llu\n", div_u64(ktime_to_us(m->lat_sum[WRITE]),
+ m->nr_req[WRITE]));
+ }
diff --git a/queue-6.12/scsi-ufs-pltfrm-disable-runtime-pm-during-removal-of-glue-drivers.patch b/queue-6.12/scsi-ufs-pltfrm-disable-runtime-pm-during-removal-of-glue-drivers.patch
new file mode 100644
index 00000000000..3c8457c6b59
--- /dev/null
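Review bot: In the ufs-sysfs.c hunk for read_req_latency_avg_show, the added zero test and the division each read `m->nr_req[READ]`, so the guard only holds if the counter cannot change between the two reads; the hunk takes no lock, and whether the monitor can be reset concurrently is not visible here. Reading the counter once into a local removes the gap: `nr = READ_ONCE(m->nr_req[READ]);`, then `if (!nr) return sysfs_emit(buf, "0\n");`, and pass `nr` to `div_u64()`. Because `div_u64()` takes a 32-bit divisor, it is also worth confirming that the counter's declared type cannot truncate to zero. The same applies to the WRITE hunk in write_req_latency_avg_show.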
+++ b/queue-6.12/scsi-ufs-pltfrm-disable-runtime-pm-during-removal-of-glue-drivers.patch 
@@ -0,0 +1,177 @@
+From d3326e6a3f9bf1e075be2201fb704c2fdf19e2b7 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam
+Date: Mon, 11 Nov 2024 23:18:32 +0530
+Subject: scsi: ufs: pltfrm: Disable runtime PM during removal of glue drivers
+
+From: Manivannan Sadhasivam
+
+commit d3326e6a3f9bf1e075be2201fb704c2fdf19e2b7 upstream.
+
+When the UFSHCD platform glue drivers are removed, runtime PM should be
+disabled using pm_runtime_disable() to balance the enablement done in
+ufshcd_pltfrm_init(). This is also reported by PM core when the glue driver
+is removed and inserted again:
+
+ufshcd-qcom 1d84000.ufshc: Unbalanced pm_runtime_enable!
+
+So disable runtime PM using a new helper API ufshcd_pltfrm_remove(), that
+also takes care of removing ufshcd. This helper should be called during the
+remove() stage of glue drivers.
+
+Cc: stable@vger.kernel.org # 3.12
+Fixes: 62694735ca95 ("[SCSI] ufs: Add runtime PM support for UFS host controller driver")
+Signed-off-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-3-45ad8b62f02e@linaro.org
+Reviewed-by: Peter Wang
+Reviewed-by: Bean Huo
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ufs/host/cdns-pltfrm.c | 4 +---
+ drivers/ufs/host/tc-dwc-g210-pltfrm.c | 4 +---
+ drivers/ufs/host/ufs-exynos.c | 2 +-
+ drivers/ufs/host/ufs-hisi.c | 4 +---
+ drivers/ufs/host/ufs-mediatek.c | 4 +---
+ drivers/ufs/host/ufs-qcom.c | 2 +-
+ drivers/ufs/host/ufs-renesas.c | 4 +---
+ drivers/ufs/host/ufs-sprd.c | 4 +---
+ drivers/ufs/host/ufshcd-pltfrm.c | 13 +++++++++++++
+ drivers/ufs/host/ufshcd-pltfrm.h | 1 +
+ 10 files changed, 22 insertions(+), 20 deletions(-)
+
+--- a/drivers/ufs/host/cdns-pltfrm.c
++++ b/drivers/ufs/host/cdns-pltfrm.c
+@@ -307,9 +307,7 @@ static int cdns_ufs_pltfrm_probe(struct
+ */
+ static void cdns_ufs_pltfrm_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static const struct dev_pm_ops cdns_ufs_dev_pm_ops = {
+--- a/drivers/ufs/host/tc-dwc-g210-pltfrm.c
++++ b/drivers/ufs/host/tc-dwc-g210-pltfrm.c
+@@ -76,10 +76,8 @@ static int tc_dwc_g210_pltfm_probe(struc
+ */
+ static void tc_dwc_g210_pltfm_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static const struct dev_pm_ops tc_dwc_g210_pltfm_pm_ops = {
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -1964,7 +1964,7 @@ static void exynos_ufs_remove(struct pla
+ struct exynos_ufs *ufs = ufshcd_get_variant(hba);
+
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+
+ phy_power_off(ufs->phy);
+ phy_exit(ufs->phy);
+--- a/drivers/ufs/host/ufs-hisi.c
++++ b/drivers/ufs/host/ufs-hisi.c
+@@ -576,9 +576,7 @@ static int ufs_hisi_probe(struct platfor
+
+ static void ufs_hisi_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static const struct dev_pm_ops ufs_hisi_pm_ops = {
+--- a/drivers/ufs/host/ufs-mediatek.c
++++ b/drivers/ufs/host/ufs-mediatek.c
+@@ -1869,10 +1869,8 @@ out:
+ */
+ static void ufs_mtk_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -1846,7 +1846,7 @@ static void ufs_qcom_remove(struct platf
+ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ if (host->esi_enabled)
+ platform_device_msi_free_irqs_all(hba->dev);
+ }
+--- a/drivers/ufs/host/ufs-renesas.c
++++ b/drivers/ufs/host/ufs-renesas.c
+@@ -390,9 +390,7 @@ static int ufs_renesas_probe(struct plat
+
+ static void ufs_renesas_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static struct platform_driver ufs_renesas_platform = {
+--- a/drivers/ufs/host/ufs-sprd.c
++++ b/drivers/ufs/host/ufs-sprd.c
+@@ -427,10 +427,8 @@ static int ufs_sprd_probe(struct platfor
+
+ static void ufs_sprd_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static const struct dev_pm_ops ufs_sprd_pm_ops = {
+--- a/drivers/ufs/host/ufshcd-pltfrm.c
++++ b/drivers/ufs/host/ufshcd-pltfrm.c
+@@ -524,6 +524,19 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(ufshcd_pltfrm_init);
+
++/**
++ * ufshcd_pltfrm_remove - Remove ufshcd platform
++ * @pdev: pointer to Platform device handle
++ */
++void ufshcd_pltfrm_remove(struct platform_device *pdev)
++{
++ struct ufs_hba *hba = platform_get_drvdata(pdev);
++
++ ufshcd_remove(hba);
++ pm_runtime_disable(&pdev->dev);
++}
++EXPORT_SYMBOL_GPL(ufshcd_pltfrm_remove);
++
+ MODULE_AUTHOR("Santosh Yaragnavi ");
+ MODULE_AUTHOR("Vinayak Holikatti ");
+ MODULE_DESCRIPTION("UFS host controller Platform bus based glue driver");
+--- a/drivers/ufs/host/ufshcd-pltfrm.h
++++ b/drivers/ufs/host/ufshcd-pltfrm.h
+@@ -31,6 +31,7 @@ int ufshcd_negotiate_pwr_params(const st
+ void ufshcd_init_host_params(struct ufs_host_params *host_params);
+ int ufshcd_pltfrm_init(struct platform_device *pdev,
+ const struct ufs_hba_variant_ops *vops);
++void ufshcd_pltfrm_remove(struct platform_device *pdev);
+ int ufshcd_populate_vreg(struct device *dev, const char *name,
+ struct ufs_vreg **out_vreg, bool skip_current);
+
diff --git a/queue-6.12/scsi-ufs-pltfrm-drop-pm-runtime-reference-count-after-ufshcd_remove.patch b/queue-6.12/scsi-ufs-pltfrm-drop-pm-runtime-reference-count-after-ufshcd_remove.patch
new file mode 100644
index 00000000000..4e8b324ca87
--- /dev/null
+++ b/queue-6.12/scsi-ufs-pltfrm-drop-pm-runtime-reference-count-after-ufshcd_remove.patch
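Review bot: The kernel-doc for the new `ufshcd_pltfrm_remove()` in ufshcd-pltfrm.c says only "Remove ufshcd platform" and leaves out the contract the glue drivers now depend on. It should state that the helper calls ufshcd_remove() and then pm_runtime_disable() to balance ufshcd_pltfrm_init(), and that glue drivers call it from their remove() callback instead of calling ufshcd_remove() themselves. In the ufs-exynos.c and ufs-qcom.c hunks code still runs after the helper returns (`phy_power_off(ufs->phy)`, `platform_device_msi_free_irqs_all(hba->dev)`), so the comment should also say whether `hba` and the variant data remain valid at that point; that cannot be confirmed from these hunks.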
@@ -0,0 +1,114 @@
+From 1745dcdb7227102e16248a324c600b9121c8f6df Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam
+Date: Mon, 11 Nov 2024 23:18:33 +0530
+Subject: scsi: ufs: pltfrm: Drop PM runtime reference count after ufshcd_remove()
+
+From: Manivannan Sadhasivam
+
+commit 1745dcdb7227102e16248a324c600b9121c8f6df upstream.
+
+During the remove stage of glue drivers, some of them are incrementing the
+reference count using pm_runtime_get_sync(), before removing the ufshcd
+using ufshcd_remove(). But they are not dropping that reference count after
+ufshcd_remove() to balance the refcount.
+
+So drop the reference count by calling pm_runtime_put_noidle() after
+ufshcd_remove(). Since the behavior is applicable to all glue drivers, move
+the PM handling to ufshcd_pltfrm_remove().
+
+Cc: stable@vger.kernel.org # 3.12
+Fixes: 62694735ca95 ("[SCSI] ufs: Add runtime PM support for UFS host controller driver")
+Signed-off-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-4-45ad8b62f02e@linaro.org
+Reviewed-by: Peter Wang
+Reviewed-by: Bean Huo
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ufs/host/tc-dwc-g210-pltfrm.c | 1 -
+ drivers/ufs/host/ufs-exynos.c | 1 -
+ drivers/ufs/host/ufs-mediatek.c | 1 -
+ drivers/ufs/host/ufs-qcom.c | 1 -
+ drivers/ufs/host/ufs-sprd.c | 1 -
+ drivers/ufs/host/ufshcd-pltfrm.c | 2 ++
+ 6 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/ufs/host/tc-dwc-g210-pltfrm.c b/drivers/ufs/host/tc-dwc-g210-pltfrm.c
+index 113e0ef7b2cf..c6f8565ede21 100644
+--- a/drivers/ufs/host/tc-dwc-g210-pltfrm.c
++++ b/drivers/ufs/host/tc-dwc-g210-pltfrm.c
+@@ -76,7 +76,6 @@ static int tc_dwc_g210_pltfm_probe(struct platform_device *pdev)
+ */
+ static void tc_dwc_g210_pltfm_remove(struct platform_device *pdev)
+ {
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+ }
+
+diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c
+index b20f6526777a..9d4db13e142d 100644
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -1992,7 +1992,6 @@ static void exynos_ufs_remove(struct platform_device *pdev)
+ struct ufs_hba *hba = platform_get_drvdata(pdev);
+ struct exynos_ufs *ufs = ufshcd_get_variant(hba);
+
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+
+ phy_power_off(ufs->phy);
+diff --git a/drivers/ufs/host/ufs-mediatek.c b/drivers/ufs/host/ufs-mediatek.c
+index b444146419de..ffe4d03a0f38 100644
+--- a/drivers/ufs/host/ufs-mediatek.c
++++ b/drivers/ufs/host/ufs-mediatek.c
+@@ -1879,7 +1879,6 @@ static int ufs_mtk_probe(struct platform_device *pdev)
+ */
+ static void ufs_mtk_remove(struct platform_device *pdev)
+ {
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+ }
+
+diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c
+index 3762337d7576..73b4fec8221a 100644
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -1863,7 +1863,6 @@ static void ufs_qcom_remove(struct platform_device *pdev)
+ struct ufs_hba *hba = platform_get_drvdata(pdev);
+ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+ if (host->esi_enabled)
+ platform_device_msi_free_irqs_all(hba->dev);
+diff --git a/drivers/ufs/host/ufs-sprd.c b/drivers/ufs/host/ufs-sprd.c
+index e455890cf7d4..d220978c2d8c 100644
+--- a/drivers/ufs/host/ufs-sprd.c
++++ b/drivers/ufs/host/ufs-sprd.c
+@@ -427,7 +427,6 @@ static int ufs_sprd_probe(struct platform_device *pdev)
+
+ static void ufs_sprd_remove(struct platform_device *pdev)
+ {
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+ }
+
+diff --git a/drivers/ufs/host/ufshcd-pltfrm.c b/drivers/ufs/host/ufshcd-pltfrm.c
+index bad5b1303eb6..b8dadd0a2f4c 100644
+--- a/drivers/ufs/host/ufshcd-pltfrm.c
++++ b/drivers/ufs/host/ufshcd-pltfrm.c
+@@ -532,8 +532,10 @@ void ufshcd_pltfrm_remove(struct platform_device *pdev)
+ {
+ struct ufs_hba *hba = platform_get_drvdata(pdev);
+
++ pm_runtime_get_sync(&pdev->dev);
+ ufshcd_remove(hba);
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
+ }
+ EXPORT_SYMBOL_GPL(ufshcd_pltfrm_remove);
+
+--
+2.47.1
+
diff --git a/queue-6.12/scsi-ufs-qcom-only-free-platform-msis-when-esi-is-enabled.patch b/queue-6.12/scsi-ufs-qcom-only-free-platform-msis-when-esi-is-enabled.patch
new file mode 100644
index 00000000000..670d0e686ec
--- /dev/null
+++ b/queue-6.12/scsi-ufs-qcom-only-free-platform-msis-when-esi-is-enabled.patch
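Review bot: In the ufshcd-pltfrm.c hunk the return value of `pm_runtime_get_sync(&pdev->dev)` is ignored, so `ufshcd_remove(hba)` runs even when the resume failed and the controller may not be powered. The usage count is incremented on failure as well, which keeps the later `pm_runtime_put_noidle()` balanced, so the remove path should still run to completion; a diagnostic is enough, e.g. `if (pm_runtime_get_sync(&pdev->dev) < 0) dev_warn(&pdev->dev, "runtime resume failed during remove\n");`. What ufshcd_remove() does with the hardware is outside this hunk.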
@@ -0,0 +1,60 @@
+From 64506b3d23a337e98a74b18dcb10c8619365f2bd Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam
+Date: Mon, 11 Nov 2024 23:18:31 +0530
+Subject: scsi: ufs: qcom: Only free platform MSIs when ESI is enabled
+
+From: Manivannan Sadhasivam
+
+commit 64506b3d23a337e98a74b18dcb10c8619365f2bd upstream.
+
+Otherwise, it will result in a NULL pointer dereference as below:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
+Call trace:
+ mutex_lock+0xc/0x54
+ platform_device_msi_free_irqs_all+0x14/0x20
+ ufs_qcom_remove+0x34/0x48 [ufs_qcom]
+ platform_remove+0x28/0x44
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0xd8/0x178
+ driver_detach+0x50/0x9c
+ bus_remove_driver+0x6c/0xbc
+ driver_unregister+0x30/0x60
+ platform_driver_unregister+0x14/0x20
+ ufs_qcom_pltform_exit+0x18/0xb94 [ufs_qcom]
+ __arm64_sys_delete_module+0x180/0x260
+ invoke_syscall+0x44/0x100
+ el0_svc_common.constprop.0+0xc0/0xe0
+ do_el0_svc+0x1c/0x28
+ el0_svc+0x34/0xdc
+ el0t_64_sync_handler+0xc0/0xc4
+ el0t_64_sync+0x190/0x194
+
+Cc: stable@vger.kernel.org # 6.3
+Fixes: 519b6274a777 ("scsi: ufs: qcom: Add MCQ ESI config vendor specific ops")
+Signed-off-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-2-45ad8b62f02e@linaro.org
+Reviewed-by: Bean Huo
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ufs/host/ufs-qcom.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -1843,10 +1843,12 @@ static int ufs_qcom_probe(struct platfor
+ static void ufs_qcom_remove(struct platform_device *pdev)
+ {
+ struct ufs_hba *hba = platform_get_drvdata(pdev);
++ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+
+ pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_remove(hba);
+- platform_device_msi_free_irqs_all(hba->dev);
++ if (host->esi_enabled)
++ platform_device_msi_free_irqs_all(hba->dev);
+ }
+
+ static const struct of_device_id ufs_qcom_of_match[] __maybe_unused = {
diff --git a/queue-6.12/series b/queue-6.12/series
index c1d8a99d038..5747f258f0d 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -130,3 +130,44 @@ x86-cpu-amd-warn-when-setting-efer.autoibrs-if-and-o.patch
 rust-allow-clippy-needless_lifetimes.patch
 hid-i2c-hid-revert-to-using-power-commands-to-wake-on-resume.patch
 hid-wacom-fix-when-get-product-name-maybe-null-pointer.patch
+loongarch-add-architecture-specific-huge_pte_clear.patch
+loongarch-kvm-protect-kvm_check_requests-with-srcu.patch
+ksmbd-fix-out-of-bounds-read-in-ksmbd_vfs_stream_read.patch
+ksmbd-fix-out-of-bounds-write-in-ksmbd_vfs_stream_write.patch
+watchdog-rti-of-honor-timeout-sec-property.patch
+can-dev-can_set_termination-allow-sleeping-gpios.patch
+can-mcp251xfd-mcp251xfd_get_tef_len-work-around-erratum-ds80000789e-6.patch
+tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch
+net-mana-request-a-v2-response-version-for-mana_query_gf_stat.patch
+iommufd-fix-out_fput-in-iommufd_fault_alloc.patch
+arm64-mm-fix-zone_dma_limit-calculation.patch
+arm64-ensure-bits-asid-are-masked-out-when-the-kernel-uses-8-bit-asids.patch
+arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch
+arm64-ptrace-fix-partial-setregset-for-nt_arm_fpmr.patch
+arm64-ptrace-fix-partial-setregset-for-nt_arm_poe.patch
+alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch
+alsa-usb-audio-add-extra-pid-for-rme-digiface-usb.patch
+alsa-hda-realtek-fix-micmute-leds-don-t-work-on-hp-laptops.patch
+alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch
+alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch
+alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch
+scsi-qla2xxx-fix-abort-in-bsg-timeout.patch
+scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch
+scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch
+scsi-qla2xxx-fix-use-after-free-on-unload.patch
+scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch
+scsi-ufs-core-sysfs-prevent-div-by-zero.patch
+scsi-ufs-core-cancel-rtc-work-during-ufshcd_remove.patch
+scsi-ufs-qcom-only-free-platform-msis-when-esi-is-enabled.patch
+scsi-ufs-pltfrm-disable-runtime-pm-during-removal-of-glue-drivers.patch
+scsi-ufs-core-add-missing-post-notify-for-power-mode-change.patch
+nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch
+fs-smb-client-avoid-querying-smb2_op_query_wsl_ea-for-smb3-posix.patch
+fs-smb-client-implement-new-smb3-posix-type.patch
+fs-smb-client-cifs_prime_dcache-for-smb3-posix-reparse-points.patch
+smb3.1.1-fix-posix-mounts-to-older-servers.patch
+io_uring-change-res2-parameter-type-in-io_uring_cmd_done.patch
+bcache-revert-replacing-is_err_or_null-with-is_err-again.patch
+revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch
+pmdomain-imx-gpcv2-adjust-delay-after-power-up-handshake.patch
+scsi-ufs-pltfrm-drop-pm-runtime-reference-count-after-ufshcd_remove.patch
diff --git a/queue-6.12/smb3.1.1-fix-posix-mounts-to-older-servers.patch b/queue-6.12/smb3.1.1-fix-posix-mounts-to-older-servers.patch
new file mode 100644
index 00000000000..c21885918ef
--- /dev/null
+++ b/queue-6.12/smb3.1.1-fix-posix-mounts-to-older-servers.patch
@@ -0,0 +1,82 @@
+From ddca5023091588eb303e3c0097d95c325992d05f Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Wed, 4 Dec 2024 17:46:00 -0600
+Subject: smb3.1.1: fix posix mounts to older servers
+
+From: Steve French
+
+commit ddca5023091588eb303e3c0097d95c325992d05f upstream.
+
+Some servers which implement the SMB3.1.1 POSIX extensions did not
+set the file type in the mode in the infolevel 100 response.
+With the recent changes for checking the file type via the mode field,
+this can cause the root directory to be reported incorrectly and
+mounts (e.g. to ksmbd) to fail.
+
+Fixes: 6a832bc8bbb2 ("fs/smb/client: Implement new SMB3 POSIX type")
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat)
+Cc: Ralph Boehme
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/cifsproto.h | 2 +-
+ fs/smb/client/inode.c | 11 ++++++++---
+ fs/smb/client/readdir.c | 3 ++-
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/client/cifsproto.h
++++ b/fs/smb/client/cifsproto.h
+@@ -677,7 +677,7 @@ int __cifs_sfu_make_node(unsigned int xi
+ int cifs_sfu_make_node(unsigned int xid, struct inode *inode,
+ struct dentry *dentry, struct cifs_tcon *tcon,
+ const char *full_path, umode_t mode, dev_t dev);
+-umode_t wire_mode_to_posix(u32 wire);
++umode_t wire_mode_to_posix(u32 wire, bool is_dir);
+
+ #ifdef CONFIG_CIFS_DFS_UPCALL
+ static inline int get_dfs_path(const unsigned int xid, struct cifs_ses *ses,
+--- a/fs/smb/client/inode.c
++++ b/fs/smb/client/inode.c
+@@ -792,13 +792,17 @@ static u32 wire_filetype_to_posix(u32 wi
+ return posix_filetypes[wire_type];
+ }
+
+-umode_t wire_mode_to_posix(u32 wire)
++umode_t wire_mode_to_posix(u32 wire, bool is_dir)
+ {
+ u32 wire_type;
+ u32 mode;
+
+ wire_type = (wire & POSIX_FILETYPE_MASK) >> POSIX_FILETYPE_SHIFT;
+- mode = (wire_perms_to_posix(wire) | wire_filetype_to_posix(wire_type));
++ /* older servers do not set POSIX file type in the mode field in the response */
++ if ((wire_type == 0) && is_dir)
++ mode = wire_perms_to_posix(wire) | S_IFDIR;
++ else
++ mode = (wire_perms_to_posix(wire) | wire_filetype_to_posix(wire_type));
+ return (umode_t)mode;
+ }
+
+@@ -838,7 +842,8 @@ static void smb311_posix_info_to_fattr(s
+ fattr->cf_bytes = le64_to_cpu(info->AllocationSize);
+ fattr->cf_createtime = le64_to_cpu(info->CreationTime);
+ fattr->cf_nlink = le32_to_cpu(info->HardLinks);
+- fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode));
++ fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode),
++ fattr->cf_cifsattrs & ATTR_DIRECTORY);
+
+ if (cifs_open_data_reparse(data) &&
+ cifs_reparse_point_to_fattr(cifs_sb, fattr, data))
+--- a/fs/smb/client/readdir.c
++++ b/fs/smb/client/readdir.c
+@@ -261,7 +261,8 @@ cifs_posix_to_fattr(struct cifs_fattr *f
+ fattr->cf_cifstag = le32_to_cpu(info->ReparseTag);
+
+ /* The Mode field in the response can now include the file type as well */
+- fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode));
++ fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode),
++ fattr->cf_cifsattrs & ATTR_DIRECTORY);
+ fattr->cf_dtype = S_DT(le32_to_cpu(info->Mode));
+
+ switch (fattr->cf_mode & S_IFMT) {
diff --git a/queue-6.12/tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch b/queue-6.12/tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch
new file mode 100644
index 00000000000..eede3b0fba3
--- /dev/null
+++ b/queue-6.12/tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch
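Review bot: In the readdir.c hunk of the smb3.1.1 patch, the context line `fattr->cf_dtype = S_DT(le32_to_cpu(info->Mode));` still derives the dirent type from the raw wire Mode, so for the older servers this fix targets cf_mode can now be S_IFDIR while cf_dtype is computed from type bits the server left at zero. Consider deriving it from the corrected value instead, `fattr->cf_dtype = S_DT(fattr->cf_mode);`, so the two fields cannot disagree. Both new call sites also read `fattr->cf_cifsattrs`, a second server-supplied field whose assignment is not visible in these hunks; it has to be populated before these lines, and a short comment at the call saying so would help. cifs_posix_to_fattr and smb311_posix_info_to_fattr both continue outside the hunks.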
@@ -0,0 +1,52 @@
+From e63fbd5f6810ed756bbb8a1549c7d4132968baa9 Mon Sep 17 00:00:00 2001
+From: Kuan-Wei Chiu
+Date: Wed, 4 Dec 2024 04:22:28 +0800
+Subject: tracing: Fix cmp_entries_dup() to respect sort() comparison rules
+
+From: Kuan-Wei Chiu
+
+commit e63fbd5f6810ed756bbb8a1549c7d4132968baa9 upstream.
+
+The cmp_entries_dup() function used as the comparator for sort()
+violated the symmetry and transitivity properties required by the
+sorting algorithm. Specifically, it returned 1 whenever memcmp() was
+non-zero, which broke the following expectations:
+
+* Symmetry: If x < y, then y > x.
+* Transitivity: If x < y and y < z, then x < z.
+
+These violations could lead to incorrect sorting and failure to
+correctly identify duplicate elements.
+
+Fix the issue by directly returning the result of memcmp(), which
+adheres to the required comparison properties.
+
+Cc: stable@vger.kernel.org
+Fixes: 08d43a5fa063 ("tracing: Add lock-free tracing_map")
+Link: https://lore.kernel.org/20241203202228.1274403-1-visitorckw@gmail.com
+Signed-off-by: Kuan-Wei Chiu
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/tracing_map.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/kernel/trace/tracing_map.c
++++ b/kernel/trace/tracing_map.c
+@@ -845,15 +845,11 @@ int tracing_map_init(struct tracing_map
+ static int cmp_entries_dup(const void *A, const void *B)
+ {
+ const struct tracing_map_sort_entry *a, *b;
+- int ret = 0;
+
+ a = *(const struct tracing_map_sort_entry **)A;
+ b = *(const struct tracing_map_sort_entry **)B;
+
+- if (memcmp(a->key, b->key, a->elt->map->key_size))
+- ret = 1;
+-
+- return ret;
++ return memcmp(a->key, b->key, a->elt->map->key_size);
+ }
+
+ static int cmp_entries_sum(const void *A, const void *B)
diff --git a/queue-6.12/watchdog-rti-of-honor-timeout-sec-property.patch b/queue-6.12/watchdog-rti-of-honor-timeout-sec-property.patch
new file mode 100644
index 00000000000..bc1af5d3a17
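Review bot: cmp_entries_dup() in the tracing patch still carries no comment stating the ordering contract this fix restores, so the next edit could break it again. A one-line comment above the function would record it: `/* sort() comparator: must return <0, 0 or >0 consistently so entries with equal keys end up adjacent */`. The length passed to memcmp() comes from `a->elt->map->key_size` alone, which presumably assumes both entries belong to the same map; that assumption is worth stating in the same comment.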
--- /dev/null
+++ b/queue-6.12/watchdog-rti-of-honor-timeout-sec-property.patch
@@ -0,0 +1,49 @@
+From 4962ee045d8f06638714d801ab0fb72f89c16690 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin
+Date: Thu, 7 Nov 2024 21:38:28 +0100
+Subject: watchdog: rti: of: honor timeout-sec property
+
+From: Alexander Sverdlin
+
+commit 4962ee045d8f06638714d801ab0fb72f89c16690 upstream.
+
+Currently "timeout-sec" Device Tree property is being silently ignored:
+even though watchdog_init_timeout() is being used, the driver always passes
+"heartbeat" == DEFAULT_HEARTBEAT == 60 as argument.
+
+Fix this by setting struct watchdog_device::timeout to DEFAULT_HEARTBEAT
+and passing real module parameter value to watchdog_init_timeout() (which
+may now be 0 if not specified).
+
+Cc: stable@vger.kernel.org
+Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support")
+Signed-off-by: Alexander Sverdlin
+Reviewed-by: Vignesh Raghavendra
+Reviewed-by: Guenter Roeck
+Link: https://lore.kernel.org/r/20241107203830.1068456-1-alexander.sverdlin@siemens.com
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/watchdog/rti_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/rti_wdt.c
++++ b/drivers/watchdog/rti_wdt.c
+@@ -61,7 +61,7 @@
+
+ #define MAX_HW_ERROR 250
+
+-static int heartbeat = DEFAULT_HEARTBEAT;
++static int heartbeat;
+
+ /*
+ * struct to hold data for each WDT device
+@@ -252,6 +252,7 @@ static int rti_wdt_probe(struct platform
+ wdd->min_timeout = 1;
+ wdd->max_hw_heartbeat_ms = (WDT_PRELOAD_MAX << WDT_PRELOAD_SHIFT) /
+ wdt->freq * 1000;
++ wdd->timeout = DEFAULT_HEARTBEAT;
+ wdd->parent = dev;
+
+ watchdog_set_drvdata(wdd, wdt);
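Review bot: `static int heartbeat;` in the watchdog patch now relies on 0 meaning "not set", but nothing at the declaration says so, and a later reader could restore the initializer and silently disable the Device Tree timeout again. A comment on that line would pin the intent: `/* 0 = not given as a module parameter; probe then uses "timeout-sec" or DEFAULT_HEARTBEAT */`. The parameter description for heartbeat is outside the hunk; if it still advertises DEFAULT_HEARTBEAT as the parameter's own default, it should be reworded to match. rti_wdt_probe continues outside the hunk.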