From: Sasha Levin Date: Fri, 20 Jun 2025 13:15:06 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Tag: v5.4.295~132 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c84313a2cf4596935ca6bbebdb2dfbe9f8431f1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/acpi-add-missing-prototype-for-non-config_suspend-co.patch b/queue-6.6/acpi-add-missing-prototype-for-non-config_suspend-co.patch new file mode 100644 index 0000000000..d250a35d4f --- /dev/null +++ b/queue-6.6/acpi-add-missing-prototype-for-non-config_suspend-co.patch @@ -0,0 +1,60 @@ +From a7183ff11cc81566ab6148c24e0f3ef201c98112 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 13:36:55 -0500 +Subject: ACPI: Add missing prototype for non CONFIG_SUSPEND/CONFIG_X86 case + +From: Mario Limonciello + +[ Upstream commit e1bdbbc98279164d910d2de82a745f090a8b249f ] + +acpi_register_lps0_dev() and acpi_unregister_lps0_dev() may be used +in drivers that don't require CONFIG_SUSPEND or compile on !X86. + +Add prototypes for those cases. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202502191627.fRgoBwcZ-lkp@intel.com/ +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20250407183656.1503446-1-superm1@kernel.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + include/linux/acpi.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index 1b76d2f83eac6..7c6f4006389da 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -1098,13 +1098,13 @@ void acpi_os_set_prepare_extended_sleep(int (*func)(u8 sleep_state, + + acpi_status acpi_os_prepare_extended_sleep(u8 sleep_state, + u32 val_a, u32 val_b); +-#if defined(CONFIG_SUSPEND) && defined(CONFIG_X86) + struct acpi_s2idle_dev_ops { + struct list_head list_node; + void (*prepare)(void); + void (*check)(void); + void (*restore)(void); + }; ++#if defined(CONFIG_SUSPEND) && defined(CONFIG_X86) + int acpi_register_lps0_dev(struct acpi_s2idle_dev_ops *arg); + void acpi_unregister_lps0_dev(struct acpi_s2idle_dev_ops *arg); + int acpi_get_lps0_constraint(struct acpi_device *adev); +@@ -1113,6 +1113,13 @@ static inline int acpi_get_lps0_constraint(struct device *dev) + { + return ACPI_STATE_UNKNOWN; + } ++static inline int acpi_register_lps0_dev(struct acpi_s2idle_dev_ops *arg) ++{ ++ return -ENODEV; ++} ++static inline void acpi_unregister_lps0_dev(struct acpi_s2idle_dev_ops *arg) ++{ ++} + #endif /* CONFIG_SUSPEND && CONFIG_X86 */ + #ifndef CONFIG_IA64 + void arch_reserve_mem_area(acpi_physical_address addr, size_t size); +-- +2.39.5 + diff --git a/queue-6.6/acpi-battery-negate-current-when-discharging.patch b/queue-6.6/acpi-battery-negate-current-when-discharging.patch new file mode 100644 index 0000000000..10504b3e06 --- /dev/null +++ b/queue-6.6/acpi-battery-negate-current-when-discharging.patch @@ -0,0 +1,63 @@ +From 7c00816721c60e5a8862959f823ddc74ae3eacfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 12:41:45 +1000 +Subject: ACPI: battery: negate current when discharging + +From: Peter Marheine + +[ Upstream commit 234f71555019d308c6bc6f98c78c5551cb8cd56a ] + +The ACPI specification requires that battery rate is always positive, +but the kernel ABI for POWER_SUPPLY_PROP_CURRENT_NOW +(Documentation/ABI/testing/sysfs-class-power) specifies that it should +be negative when a battery is discharging. When reporting CURRENT_NOW, +massage the value to match the documented ABI. + +This only changes the sign of `current_now` and not `power_now` because +documentation doesn't describe any particular meaning for `power_now` so +leaving `power_now` unchanged is less likely to confuse userspace +unnecessarily, whereas becoming consistent with the documented ABI is +worth potentially confusing clients that read `current_now`. + +Signed-off-by: Peter Marheine +Link: https://patch.msgid.link/20250508024146.1436129-1-pmarheine@chromium.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index e3cbaf3c3bbc1..cd3cbb7a36f85 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -243,10 +243,23 @@ static int acpi_battery_get_property(struct power_supply *psy, + break; + case POWER_SUPPLY_PROP_CURRENT_NOW: + case POWER_SUPPLY_PROP_POWER_NOW: +- if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) ++ if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { + ret = -ENODEV; +- else +- val->intval = battery->rate_now * 1000; ++ break; ++ } ++ ++ val->intval = battery->rate_now * 1000; ++ /* ++ * When discharging, the current should be reported as a ++ * negative number as per the power supply class interface ++ * definition. ++ */ ++ if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && ++ (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && ++ acpi_battery_handle_discharging(battery) ++ == POWER_SUPPLY_STATUS_DISCHARGING) ++ val->intval = -val->intval; ++ + break; + case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: + case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: +-- +2.39.5 + diff --git a/queue-6.6/acpi-bus-bail-out-if-acpi_kobj-registration-fails.patch b/queue-6.6/acpi-bus-bail-out-if-acpi_kobj-registration-fails.patch new file mode 100644 index 0000000000..66a041d486 --- /dev/null +++ b/queue-6.6/acpi-bus-bail-out-if-acpi_kobj-registration-fails.patch @@ -0,0 +1,43 @@ +From b259a36633fd64f275d2a8f3ec6ed29bc4039275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 May 2025 20:51:11 +0200 +Subject: ACPI: bus: Bail out if acpi_kobj registration fails + +From: Armin Wolf + +[ Upstream commit 94a370fc8def6038dbc02199db9584b0b3690f1a ] + +The ACPI sysfs code will fail to initialize if acpi_kobj is NULL, +together with some ACPI drivers. + +Follow the other firmware subsystems and bail out if the kobject +cannot be registered. + +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20250518185111.3560-2-W_Armin@gmx.de +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index a4aa53b7e2bb3..645464f02363f 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -1396,8 +1396,10 @@ static int __init acpi_init(void) + } + + acpi_kobj = kobject_create_and_add("acpi", firmware_kobj); +- if (!acpi_kobj) +- pr_debug("%s: kset create error\n", __func__); ++ if (!acpi_kobj) { ++ pr_err("Failed to register kobject\n"); ++ return -ENOMEM; ++ } + + init_prmt(); + acpi_init_pcc(); +-- +2.39.5 + diff --git a/queue-6.6/acpica-avoid-sequence-overread-in-call-to-strncmp.patch b/queue-6.6/acpica-avoid-sequence-overread-in-call-to-strncmp.patch new file mode 100644 index 0000000000..8f2fbda0d1 --- /dev/null +++ b/queue-6.6/acpica-avoid-sequence-overread-in-call-to-strncmp.patch @@ -0,0 +1,57 @@ +From d1275315231b2d854f7c4856764ce22fd3561865 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 21:30:27 +0200 +Subject: ACPICA: Avoid sequence overread in call to strncmp() + +From: Ahmed Salem + +[ Upstream commit 64b9dfd0776e9c38d733094859a09f13282ce6f8 ] + +ACPICA commit 8b83a8d88dfec59ea147fad35fc6deea8859c58c + +ap_get_table_length() checks if tables are valid by +calling ap_is_valid_header(). The latter then calls +ACPI_VALIDATE_RSDP_SIG(Table->Signature). + +ap_is_valid_header() accepts struct acpi_table_header as an argument, so +the signature size is always fixed to 4 bytes. + +The problem is when the string comparison is between ACPI-defined table +signature and ACPI_SIG_RSDP. Common ACPI table header specifies the +Signature field to be 4 bytes long[1], with the exception of the RSDP +structure whose signature is 8 bytes long "RSD PTR " (including the +trailing blank character)[2]. Calling strncmp(sig, rsdp_sig, 8) would +then result in a sequence overread[3] as sig would be smaller (4 bytes) +than the specified bound (8 bytes). + +As a workaround, pass the bound conditionally based on the size of the +signature being passed. + +Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#system-description-table-header [1] +Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#root-system-description-pointer-rsdp-structure [2] +Link: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wstringop-overread [3] +Link: https://github.com/acpica/acpica/commit/8b83a8d8 +Signed-off-by: Ahmed Salem +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/2248233.Mh6RI2rZIc@rjwysocki.net +Signed-off-by: Sasha Levin +--- + include/acpi/actypes.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h +index 85c2dcf2b7048..0a24200852415 100644 +--- a/include/acpi/actypes.h ++++ b/include/acpi/actypes.h +@@ -527,7 +527,7 @@ typedef u64 acpi_integer; + + /* Support for the special RSDP signature (8 characters) */ + +-#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, 8)) ++#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, (sizeof(a) < 8) ? ACPI_NAMESEG_SIZE : 8)) + #define ACPI_MAKE_RSDP_SIG(dest) (memcpy (ACPI_CAST_PTR (char, (dest)), ACPI_SIG_RSDP, 8)) + + /* Support for OEMx signature (x can be any character) */ +-- +2.39.5 + diff --git a/queue-6.6/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch b/queue-6.6/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch new file mode 100644 index 0000000000..7ea5853b3c --- /dev/null +++ b/queue-6.6/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch @@ -0,0 +1,110 @@ +From 1ed3674ccfbd0218e90bcda860e942e0b1f520b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 21:05:24 +0100 +Subject: ACPICA: fix acpi operand cache leak in dswstate.c + +From: Seunghun Han + +[ Upstream commit 156fd20a41e776bbf334bd5e45c4f78dfc90ce1c ] + +ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 + +I found an ACPI cache leak in ACPI early termination and boot continuing case. + +When early termination occurs due to malicious ACPI table, Linux kernel +terminates ACPI function and continues to boot process. While kernel terminates +ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. + +Boot log of ACPI operand cache leak is as follows: +>[ 0.585957] ACPI: Added _OSI(Module Device) +>[ 0.587218] ACPI: Added _OSI(Processor Device) +>[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) +>[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) +>[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) +>[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) +>[ 0.597858] ACPI: Unable to start the ACPI Interpreter +>[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) +>[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects +>[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 +>[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 +>[ 0.609177] Call Trace: +>[ 0.610063] ? dump_stack+0x5c/0x81 +>[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 +>[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 +>[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 +>[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b +>[ 0.619293] ? acpi_terminate+0xa/0x14 +>[ 0.620394] ? acpi_init+0x2af/0x34f +>[ 0.621616] ? __class_create+0x4c/0x80 +>[ 0.623412] ? video_setup+0x7f/0x7f +>[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 +>[ 0.625861] ? do_one_initcall+0x4e/0x1a0 +>[ 0.627513] ? kernel_init_freeable+0x19e/0x21f +>[ 0.628972] ? rest_init+0x80/0x80 +>[ 0.630043] ? kernel_init+0xa/0x100 +>[ 0.631084] ? ret_from_fork+0x25/0x30 +>[ 0.633343] vgaarb: loaded +>[ 0.635036] EDAC MC: Ver: 3.0.0 +>[ 0.638601] PCI: Probing PCI hardware +>[ 0.639833] PCI host bridge to bus 0000:00 +>[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] +> ... Continue to boot and log is omitted ... + +I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_ +delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push() +function uses walk_state->operand_index for start position of the top, but +acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it. +Therefore, this causes acpi operand memory leak. + +This cache leak causes a security threat because an old kernel (<= 4.9) shows +memory locations of kernel functions in stack dump. Some malicious users +could use this information to neutralize kernel ASLR. + +I made a patch to fix ACPI operand cache leak. + +Link: https://github.com/acpica/acpica/commit/987a3b5c +Signed-off-by: Seunghun Han +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/4999480.31r3eYUQgx@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsutils.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/dsutils.c b/drivers/acpi/acpica/dsutils.c +index fb9ed5e1da89d..2bdae8a25e084 100644 +--- a/drivers/acpi/acpica/dsutils.c ++++ b/drivers/acpi/acpica/dsutils.c +@@ -668,6 +668,8 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, + union acpi_parse_object *arguments[ACPI_OBJ_NUM_OPERANDS]; + u32 arg_count = 0; + u32 index = walk_state->num_operands; ++ u32 prev_num_operands = walk_state->num_operands; ++ u32 new_num_operands; + u32 i; + + ACPI_FUNCTION_TRACE_PTR(ds_create_operands, first_arg); +@@ -696,6 +698,7 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, + + /* Create the interpreter arguments, in reverse order */ + ++ new_num_operands = index; + index--; + for (i = 0; i < arg_count; i++) { + arg = arguments[index]; +@@ -720,7 +723,11 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, + * pop everything off of the operand stack and delete those + * objects + */ +- acpi_ds_obj_stack_pop_and_delete(arg_count, walk_state); ++ walk_state->num_operands = i; ++ acpi_ds_obj_stack_pop_and_delete(new_num_operands, walk_state); ++ ++ /* Restore operand count */ ++ walk_state->num_operands = prev_num_operands; + + ACPI_EXCEPTION((AE_INFO, status, "While creating Arg %u", index)); + return_ACPI_STATUS(status); +-- +2.39.5 + diff --git a/queue-6.6/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch b/queue-6.6/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch new file mode 100644 index 0000000000..7cc2526e71 --- /dev/null +++ b/queue-6.6/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch @@ -0,0 +1,236 @@ +From 38c590829bd8a8f44567ed5c00564472d43cfe9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 21:06:21 +0100 +Subject: ACPICA: fix acpi parse and parseext cache leaks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Seunghun Han + +[ Upstream commit bed18f0bdcd6737a938264a59d67923688696fc4 ] + +ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 + +I'm Seunghun Han, and I work for National Security Research Institute of +South Korea. + +I have been doing a research on ACPI and found an ACPI cache leak in ACPI +early abort cases. + +Boot log of ACPI cache leak is as follows: +[ 0.352414] ACPI: Added _OSI(Module Device) +[ 0.353182] ACPI: Added _OSI(Processor Device) +[ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions) +[ 0.353182] ACPI: Added _OSI(Processor Aggregator Device) +[ 0.356028] ACPI: Unable to start the ACPI Interpreter +[ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) +[ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects +[ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W +4.12.0-rc4-next-20170608+ #10 +[ 0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS +virtual_box 12/01/2006 +[ 0.361873] Call Trace: +[ 0.362243] ? dump_stack+0x5c/0x81 +[ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0 +[ 0.362944] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.363296] ? acpi_os_delete_cache+0xa/0x10 +[ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b +[ 0.364000] ? acpi_terminate+0xa/0x14 +[ 0.364000] ? acpi_init+0x2af/0x34f +[ 0.364000] ? __class_create+0x4c/0x80 +[ 0.364000] ? video_setup+0x7f/0x7f +[ 0.364000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.364000] ? do_one_initcall+0x4e/0x1a0 +[ 0.364000] ? kernel_init_freeable+0x189/0x20a +[ 0.364000] ? rest_init+0xc0/0xc0 +[ 0.364000] ? kernel_init+0xa/0x100 +[ 0.364000] ? ret_from_fork+0x25/0x30 + +I analyzed this memory leak in detail. I found that “Acpi-State” cache and +“Acpi-Parse” cache were merged because the size of cache objects was same +slab cache size. + +I finally found “Acpi-Parse” cache and “Acpi-parse_ext” cache were leaked +using SLAB_NEVER_MERGE flag in kmem_cache_create() function. + +Real ACPI cache leak point is as follows: +[ 0.360101] ACPI: Added _OSI(Module Device) +[ 0.360101] ACPI: Added _OSI(Processor Device) +[ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions) +[ 0.361043] ACPI: Added _OSI(Processor Aggregator Device) +[ 0.364016] ACPI: Unable to start the ACPI Interpreter +[ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) +[ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects +[ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W +4.12.0-rc4-next-20170608+ #8 +[ 0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS +virtual_box 12/01/2006 +[ 0.372000] Call Trace: +[ 0.372000] ? dump_stack+0x5c/0x81 +[ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0 +[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.372000] ? acpi_os_delete_cache+0xa/0x10 +[ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b +[ 0.372000] ? acpi_terminate+0xa/0x14 +[ 0.372000] ? acpi_init+0x2af/0x34f +[ 0.372000] ? __class_create+0x4c/0x80 +[ 0.372000] ? video_setup+0x7f/0x7f +[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.372000] ? do_one_initcall+0x4e/0x1a0 +[ 0.372000] ? kernel_init_freeable+0x189/0x20a +[ 0.372000] ? rest_init+0xc0/0xc0 +[ 0.372000] ? kernel_init+0xa/0x100 +[ 0.372000] ? ret_from_fork+0x25/0x30 +[ 0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects +[ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W +4.12.0-rc4-next-20170608+ #8 +[ 0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS +virtual_box 12/01/2006 +[ 0.392000] Call Trace: +[ 0.392000] ? dump_stack+0x5c/0x81 +[ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0 +[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.392000] ? acpi_os_delete_cache+0xa/0x10 +[ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b +[ 0.392000] ? acpi_terminate+0xa/0x14 +[ 0.392000] ? acpi_init+0x2af/0x34f +[ 0.392000] ? __class_create+0x4c/0x80 +[ 0.392000] ? video_setup+0x7f/0x7f +[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.392000] ? do_one_initcall+0x4e/0x1a0 +[ 0.392000] ? kernel_init_freeable+0x189/0x20a +[ 0.392000] ? rest_init+0xc0/0xc0 +[ 0.392000] ? kernel_init+0xa/0x100 +[ 0.392000] ? ret_from_fork+0x25/0x30 + +When early abort is occurred due to invalid ACPI information, Linux kernel +terminates ACPI by calling acpi_terminate() function. The function calls +acpi_ut_delete_caches() function to delete local caches (acpi_gbl_namespace_ +cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache). + +But the deletion codes in acpi_ut_delete_caches() function only delete +slab caches using kmem_cache_destroy() function, therefore the cache +objects should be flushed before acpi_ut_delete_caches() function. + +"Acpi-Parse" cache and "Acpi-ParseExt" cache are used in an AML parse +function, acpi_ps_parse_loop(). The function should complete all ops +using acpi_ps_complete_final_op() when an error occurs due to invalid +AML codes. +However, the current implementation of acpi_ps_complete_final_op() does not +complete all ops when it meets some errors and this cause cache leak. + +This cache leak has a security threat because an old kernel (<= 4.9) shows +memory locations of kernel functions in stack dump. Some malicious users +could use this information to neutralize kernel ASLR. + +To fix ACPI cache leak for enhancing security, I made a patch to complete all +ops unconditionally for acpi_ps_complete_final_op() function. + +I hope that this patch improves the security of Linux kernel. + +Thank you. + +Link: https://github.com/acpica/acpica/commit/8829e70e +Signed-off-by: Seunghun Han +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/2363774.ElGaqSPkdT@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psobject.c | 52 ++++++++++------------------------ + 1 file changed, 15 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/acpica/psobject.c b/drivers/acpi/acpica/psobject.c +index 54471083ba545..0bce1baaa62b3 100644 +--- a/drivers/acpi/acpica/psobject.c ++++ b/drivers/acpi/acpica/psobject.c +@@ -636,7 +636,8 @@ acpi_status + acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + union acpi_parse_object *op, acpi_status status) + { +- acpi_status status2; ++ acpi_status return_status = status; ++ u8 ascending = TRUE; + + ACPI_FUNCTION_TRACE_PTR(ps_complete_final_op, walk_state); + +@@ -650,7 +651,7 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + op)); + do { + if (op) { +- if (walk_state->ascending_callback != NULL) { ++ if (ascending && walk_state->ascending_callback != NULL) { + walk_state->op = op; + walk_state->op_info = + acpi_ps_get_opcode_info(op->common. +@@ -672,49 +673,26 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + } + + if (status == AE_CTRL_TERMINATE) { +- status = AE_OK; +- +- /* Clean up */ +- do { +- if (op) { +- status2 = +- acpi_ps_complete_this_op +- (walk_state, op); +- if (ACPI_FAILURE +- (status2)) { +- return_ACPI_STATUS +- (status2); +- } +- } +- +- acpi_ps_pop_scope(& +- (walk_state-> +- parser_state), +- &op, +- &walk_state-> +- arg_types, +- &walk_state-> +- arg_count); +- +- } while (op); +- +- return_ACPI_STATUS(status); ++ ascending = FALSE; ++ return_status = AE_CTRL_TERMINATE; + } + + else if (ACPI_FAILURE(status)) { + + /* First error is most important */ + +- (void) +- acpi_ps_complete_this_op(walk_state, +- op); +- return_ACPI_STATUS(status); ++ ascending = FALSE; ++ return_status = status; + } + } + +- status2 = acpi_ps_complete_this_op(walk_state, op); +- if (ACPI_FAILURE(status2)) { +- return_ACPI_STATUS(status2); ++ status = acpi_ps_complete_this_op(walk_state, op); ++ if (ACPI_FAILURE(status)) { ++ ascending = FALSE; ++ if (ACPI_SUCCESS(return_status) || ++ return_status == AE_CTRL_TERMINATE) { ++ return_status = status; ++ } + } + } + +@@ -724,5 +702,5 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + + } while (op); + +- return_ACPI_STATUS(status); ++ return_ACPI_STATUS(return_status); + } +-- +2.39.5 + diff --git a/queue-6.6/acpica-utilities-fix-overflow-check-in-vsnprintf.patch b/queue-6.6/acpica-utilities-fix-overflow-check-in-vsnprintf.patch new file mode 100644 index 0000000000..a092196663 --- /dev/null +++ b/queue-6.6/acpica-utilities-fix-overflow-check-in-vsnprintf.patch @@ -0,0 +1,46 @@ +From 4e55cab9a464d2b313bf48ab323a17336b39fdbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 21:21:52 +0200 +Subject: ACPICA: utilities: Fix overflow check in vsnprintf() + +From: gldrk + +[ Upstream commit 12b660251007e00a3e4d47ec62dbe3a7ace7023e ] + +ACPICA commit d9d59b7918514ae55063b93f3ec041b1a569bf49 + +The old version breaks sprintf on 64-bit systems for buffers +outside [0..UINT32_MAX]. + +Link: https://github.com/acpica/acpica/commit/d9d59b79 +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/4994935.GXAFRqVoOG@rjwysocki.net +Signed-off-by: gldrk +[ rjw: Added the tag from gldrk ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/utprint.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/acpica/utprint.c b/drivers/acpi/acpica/utprint.c +index 42b30b9f93128..7fad03c5252c3 100644 +--- a/drivers/acpi/acpica/utprint.c ++++ b/drivers/acpi/acpica/utprint.c +@@ -333,11 +333,8 @@ int vsnprintf(char *string, acpi_size size, const char *format, va_list args) + + pos = string; + +- if (size != ACPI_UINT32_MAX) { +- end = string + size; +- } else { +- end = ACPI_CAST_PTR(char, ACPI_UINT32_MAX); +- } ++ size = ACPI_MIN(size, ACPI_PTR_DIFF(ACPI_MAX_PTR, string)); ++ end = string + size; + + for (; *format; ++format) { + if (*format != '%') { +-- +2.39.5 + diff --git a/queue-6.6/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch b/queue-6.6/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch new file mode 100644 index 0000000000..29bc81b6f7 --- /dev/null +++ b/queue-6.6/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch @@ -0,0 +1,87 @@ +From d50d29c9564d1ec3fd011f7956a7d99f0f9d6a98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 16:00:39 -0700 +Subject: ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY + +From: Sukrut Bellary + +[ Upstream commit 47fe74098f3dadba2f9cc1e507d813a4aa93f5f3 ] + +Don't put the l4ls clk domain to sleep in case of standby. +Since CM3 PM FW[1](ti-v4.1.y) doesn't wake-up/enable the l4ls clk domain +upon wake-up, CM3 PM FW fails to wake-up the MPU. + +[1] https://git.ti.com/cgit/processor-firmware/ti-amx3-cm3-pm-firmware/ + +Signed-off-by: Sukrut Bellary +Tested-by: Judith Mendez +Link: https://lore.kernel.org/r/20250318230042.3138542-2-sbellary@baylibre.com +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/clockdomain.h | 1 + + arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +- + arch/arm/mach-omap2/cm33xx.c | 14 +++++++++++++- + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/mach-omap2/clockdomain.h b/arch/arm/mach-omap2/clockdomain.h +index c36fb27212615..86a2f9e5d0ef9 100644 +--- a/arch/arm/mach-omap2/clockdomain.h ++++ b/arch/arm/mach-omap2/clockdomain.h +@@ -48,6 +48,7 @@ + #define CLKDM_NO_AUTODEPS (1 << 4) + #define CLKDM_ACTIVE_WITH_MPU (1 << 5) + #define CLKDM_MISSING_IDLE_REPORTING (1 << 6) ++#define CLKDM_STANDBY_FORCE_WAKEUP BIT(7) + + #define CLKDM_CAN_HWSUP (CLKDM_CAN_ENABLE_AUTO | CLKDM_CAN_DISABLE_AUTO) + #define CLKDM_CAN_SWSUP (CLKDM_CAN_FORCE_SLEEP | CLKDM_CAN_FORCE_WAKEUP) +diff --git a/arch/arm/mach-omap2/clockdomains33xx_data.c b/arch/arm/mach-omap2/clockdomains33xx_data.c +index 87f4e927eb183..c05a3c07d4486 100644 +--- a/arch/arm/mach-omap2/clockdomains33xx_data.c ++++ b/arch/arm/mach-omap2/clockdomains33xx_data.c +@@ -19,7 +19,7 @@ static struct clockdomain l4ls_am33xx_clkdm = { + .pwrdm = { .name = "per_pwrdm" }, + .cm_inst = AM33XX_CM_PER_MOD, + .clkdm_offs = AM33XX_CM_PER_L4LS_CLKSTCTRL_OFFSET, +- .flags = CLKDM_CAN_SWSUP, ++ .flags = CLKDM_CAN_SWSUP | CLKDM_STANDBY_FORCE_WAKEUP, + }; + + static struct clockdomain l3s_am33xx_clkdm = { +diff --git a/arch/arm/mach-omap2/cm33xx.c b/arch/arm/mach-omap2/cm33xx.c +index c824d4e3db632..aaee67d097915 100644 +--- a/arch/arm/mach-omap2/cm33xx.c ++++ b/arch/arm/mach-omap2/cm33xx.c +@@ -20,6 +20,9 @@ + #include "cm-regbits-34xx.h" + #include "cm-regbits-33xx.h" + #include "prm33xx.h" ++#if IS_ENABLED(CONFIG_SUSPEND) ++#include ++#endif + + /* + * CLKCTRL_IDLEST_*: possible values for the CM_*_CLKCTRL.IDLEST bitfield: +@@ -328,8 +331,17 @@ static int am33xx_clkdm_clk_disable(struct clockdomain *clkdm) + { + bool hwsup = false; + ++#if IS_ENABLED(CONFIG_SUSPEND) ++ /* ++ * In case of standby, Don't put the l4ls clk domain to sleep. ++ * Since CM3 PM FW doesn't wake-up/enable the l4ls clk domain ++ * upon wake-up, CM3 PM FW fails to wake-up th MPU. ++ */ ++ if (pm_suspend_target_state == PM_SUSPEND_STANDBY && ++ (clkdm->flags & CLKDM_STANDBY_FORCE_WAKEUP)) ++ return 0; ++#endif + hwsup = am33xx_cm_is_clkdm_in_hwsup(clkdm->cm_inst, clkdm->clkdm_offs); +- + if (!hwsup && (clkdm->flags & CLKDM_CAN_FORCE_SLEEP)) + am33xx_clkdm_sleep(clkdm); + +-- +2.39.5 + diff --git a/queue-6.6/asoc-amd-yc-add-quirk-for-lenovo-yoga-pro-7-14asp9.patch b/queue-6.6/asoc-amd-yc-add-quirk-for-lenovo-yoga-pro-7-14asp9.patch new file mode 100644 index 0000000000..52e67af4ff --- /dev/null +++ b/queue-6.6/asoc-amd-yc-add-quirk-for-lenovo-yoga-pro-7-14asp9.patch @@ -0,0 +1,51 @@ +From a9bf973f0cb05ce65d5ae4f729cdab1c697495f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 01:27:41 +0300 +Subject: ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 + +From: Talhah Peerbhai + +[ Upstream commit a28206060dc5848a1a2a15b7f6ac6223d869084d ] + +Similar to many other Lenovo models with AMD chips, the Lenovo +Yoga Pro 7 14ASP9 (product name 83HN) requires a specific quirk +to ensure internal mic detection. This patch adds a quirk fixing this. + +Signed-off-by: Talhah Peerbhai +Link: https://patch.msgid.link/20250515222741.144616-1-talhah.peerbhai@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 622df58a96942..9fdee74c28df2 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -311,6 +311,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "83AS"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83HN"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +@@ -360,7 +367,7 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "M5402RA"), + } + }, +- { ++ { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), +-- +2.39.5 + diff --git a/queue-6.6/asoc-tas2770-power-cycle-amp-on-isense-vsense-change.patch b/queue-6.6/asoc-tas2770-power-cycle-amp-on-isense-vsense-change.patch new file mode 100644 index 0000000000..22b840090b --- /dev/null +++ b/queue-6.6/asoc-tas2770-power-cycle-amp-on-isense-vsense-change.patch @@ -0,0 +1,73 @@ +From 829eb638f06341db7ba88902d1a1e9ea031225cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Apr 2025 09:15:05 +1000 +Subject: ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change + +From: Hector Martin + +[ Upstream commit f529c91be8a34ac12e7599bf87c65b6f4a2c9f5c ] + +The ISENSE/VSENSE blocks are only powered up when the amplifier +transitions from shutdown to active. This means that if those controls +are flipped on while the amplifier is already playing back audio, they +will have no effect. + +Fix this by forcing a power cycle around transitions in those controls. + +Reviewed-by: Neal Gompa +Signed-off-by: Hector Martin +Signed-off-by: James Calligeros +Link: https://patch.msgid.link/20250406-apple-codec-changes-v5-1-50a00ec850a3@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2770.c | 30 ++++++++++++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c +index 5c6b825c757b3..181b16530e5bc 100644 +--- a/sound/soc/codecs/tas2770.c ++++ b/sound/soc/codecs/tas2770.c +@@ -158,11 +158,37 @@ static const struct snd_kcontrol_new isense_switch = + static const struct snd_kcontrol_new vsense_switch = + SOC_DAPM_SINGLE("Switch", TAS2770_PWR_CTRL, 2, 1, 1); + ++static int sense_event(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) ++{ ++ struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); ++ struct tas2770_priv *tas2770 = snd_soc_component_get_drvdata(component); ++ ++ /* ++ * Powering up ISENSE/VSENSE requires a trip through the shutdown state. ++ * Do that here to ensure that our changes are applied properly, otherwise ++ * we might end up with non-functional IVSENSE if playback started earlier, ++ * which would break software speaker protection. ++ */ ++ switch (event) { ++ case SND_SOC_DAPM_PRE_REG: ++ return snd_soc_component_update_bits(component, TAS2770_PWR_CTRL, ++ TAS2770_PWR_CTRL_MASK, ++ TAS2770_PWR_CTRL_SHUTDOWN); ++ case SND_SOC_DAPM_POST_REG: ++ return tas2770_update_pwr_ctrl(tas2770); ++ default: ++ return 0; ++ } ++} ++ + static const struct snd_soc_dapm_widget tas2770_dapm_widgets[] = { + SND_SOC_DAPM_AIF_IN("ASI1", "ASI1 Playback", 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_MUX("ASI1 Sel", SND_SOC_NOPM, 0, 0, &tas2770_asi1_mux), +- SND_SOC_DAPM_SWITCH("ISENSE", TAS2770_PWR_CTRL, 3, 1, &isense_switch), +- SND_SOC_DAPM_SWITCH("VSENSE", TAS2770_PWR_CTRL, 2, 1, &vsense_switch), ++ SND_SOC_DAPM_SWITCH_E("ISENSE", TAS2770_PWR_CTRL, 3, 1, &isense_switch, ++ sense_event, SND_SOC_DAPM_PRE_REG | SND_SOC_DAPM_POST_REG), ++ SND_SOC_DAPM_SWITCH_E("VSENSE", TAS2770_PWR_CTRL, 2, 1, &vsense_switch, ++ sense_event, SND_SOC_DAPM_PRE_REG | SND_SOC_DAPM_POST_REG), + SND_SOC_DAPM_DAC_E("DAC", NULL, SND_SOC_NOPM, 0, 0, tas2770_dac_event, + SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD), + SND_SOC_DAPM_OUTPUT("OUT"), +-- +2.39.5 + diff --git a/queue-6.6/asoc-tegra210_ahub-add-check-to-of_device_get_match_.patch b/queue-6.6/asoc-tegra210_ahub-add-check-to-of_device_get_match_.patch new file mode 100644 index 0000000000..86f2a0554d --- /dev/null +++ b/queue-6.6/asoc-tegra210_ahub-add-check-to-of_device_get_match_.patch @@ -0,0 +1,36 @@ +From 4beebc3916ba01fd60bcd84c6b8bcc5d00692338 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 20:37:44 +0800 +Subject: ASoC: tegra210_ahub: Add check to of_device_get_match_data() + +From: Yuanjun Gong + +[ Upstream commit 04cb269c204398763a620d426cbee43064854000 ] + +In tegra_ahub_probe(), check the result of function +of_device_get_match_data(), return an error code in case it fails. + +Signed-off-by: Yuanjun Gong +Link: https://patch.msgid.link/20250513123744.3041724-1-ruc_gongyuanjun@163.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/tegra/tegra210_ahub.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/tegra/tegra210_ahub.c b/sound/soc/tegra/tegra210_ahub.c +index ab3c6b2544d20..140cb27f73287 100644 +--- a/sound/soc/tegra/tegra210_ahub.c ++++ b/sound/soc/tegra/tegra210_ahub.c +@@ -1359,6 +1359,8 @@ static int tegra_ahub_probe(struct platform_device *pdev) + return -ENOMEM; + + ahub->soc_data = of_device_get_match_data(&pdev->dev); ++ if (!ahub->soc_data) ++ return -ENODEV; + + platform_set_drvdata(pdev, ahub); + +-- +2.39.5 + diff --git a/queue-6.6/bpf-check-rcu_read_lock_trace_held-in-bpf_map_lookup.patch b/queue-6.6/bpf-check-rcu_read_lock_trace_held-in-bpf_map_lookup.patch new file mode 100644 index 0000000000..80f052c6b5 --- /dev/null +++ b/queue-6.6/bpf-check-rcu_read_lock_trace_held-in-bpf_map_lookup.patch @@ -0,0 +1,43 @@ +From 54c9c91b4d37091052eeebe5601e08bc6fdffa3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 14:25:34 +0800 +Subject: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() + +From: Hou Tao + +[ Upstream commit d4965578267e2e81f67c86e2608481e77e9c8569 ] + +bpf_map_lookup_percpu_elem() helper is also available for sleepable bpf +program. When BPF JIT is disabled or under 32-bit host, +bpf_map_lookup_percpu_elem() will not be inlined. Using it in a +sleepable bpf program will trigger the warning in +bpf_map_lookup_percpu_elem(), because the bpf program only holds +rcu_read_lock_trace lock. Therefore, add the missed check. + +Reported-by: syzbot+dce5aae19ae4d6399986@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/bpf/000000000000176a130617420310@google.com/ +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20250526062534.1105938-1-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 41d62405c8521..8f0b62b04deeb 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -128,7 +128,8 @@ const struct bpf_func_proto bpf_map_peek_elem_proto = { + + BPF_CALL_3(bpf_map_lookup_percpu_elem, struct bpf_map *, map, void *, key, u32, cpu) + { +- WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held()); ++ WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held() && ++ !rcu_read_lock_bh_held()); + return (unsigned long) map->ops->map_lookup_percpu_elem(map, key, cpu); + } + +-- +2.39.5 + diff --git a/queue-6.6/bpf-sockmap-fix-data-lost-during-eagain-retries.patch b/queue-6.6/bpf-sockmap-fix-data-lost-during-eagain-retries.patch new file mode 100644 index 0000000000..540b6b4ada --- /dev/null +++ b/queue-6.6/bpf-sockmap-fix-data-lost-during-eagain-retries.patch @@ -0,0 +1,68 @@ +From deb962365eb08fc95a8f07144b3aac578ae8b72f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 22:21:20 +0800 +Subject: bpf, sockmap: Fix data lost during EAGAIN retries + +From: Jiayuan Chen + +[ Upstream commit 7683167196bd727ad5f3c3fc6a9ca70f54520a81 ] + +We call skb_bpf_redirect_clear() to clean _sk_redir before handling skb in +backlog, but when sk_psock_handle_skb() return EAGAIN due to sk_rcvbuf +limit, the redirect info in _sk_redir is not recovered. + +Fix skb redir loss during EAGAIN retries by restoring _sk_redir +information using skb_bpf_set_redir(). + +Before this patch: +''' +./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress +Setting up benchmark 'sockmap'... +create socket fd c1:13 p1:14 c2:15 p2:16 +Benchmark 'sockmap' started. +Send Speed 1343.172 MB/s, BPF Speed 1343.238 MB/s, Rcv Speed 65.271 MB/s +Send Speed 1352.022 MB/s, BPF Speed 1352.088 MB/s, Rcv Speed 0 MB/s +Send Speed 1354.105 MB/s, BPF Speed 1354.105 MB/s, Rcv Speed 0 MB/s +Send Speed 1355.018 MB/s, BPF Speed 1354.887 MB/s, Rcv Speed 0 MB/s +''' +Due to the high send rate, the RX processing path may frequently hit the +sk_rcvbuf limit. Once triggered, incorrect _sk_redir will cause the flow +to mistakenly enter the "!ingress" path, leading to send failures. +(The Rcv speed depends on tcp_rmem). + +After this patch: +''' +./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress +Setting up benchmark 'sockmap'... +create socket fd c1:13 p1:14 c2:15 p2:16 +Benchmark 'sockmap' started. +Send Speed 1347.236 MB/s, BPF Speed 1347.367 MB/s, Rcv Speed 65.402 MB/s +Send Speed 1353.320 MB/s, BPF Speed 1353.320 MB/s, Rcv Speed 65.536 MB/s +Send Speed 1353.186 MB/s, BPF Speed 1353.121 MB/s, Rcv Speed 65.536 MB/s +''' + +Signed-off-by: Jiayuan Chen +Link: https://lore.kernel.org/r/20250407142234.47591-2-jiayuan.chen@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 2076db464e936..c3169e1e63524 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -689,7 +689,8 @@ static void sk_psock_backlog(struct work_struct *work) + if (ret <= 0) { + if (ret == -EAGAIN) { + sk_psock_skb_state(psock, state, len, off); +- ++ /* Restore redir info we cleared before */ ++ skb_bpf_set_redir(skb, psock->sk, ingress); + /* Delay slightly to prioritize any + * other work that might be here. + */ +-- +2.39.5 + diff --git a/queue-6.6/bpftool-fix-cgroup-command-to-only-show-cgroup-bpf-p.patch b/queue-6.6/bpftool-fix-cgroup-command-to-only-show-cgroup-bpf-p.patch new file mode 100644 index 0000000000..692c4585ce --- /dev/null +++ b/queue-6.6/bpftool-fix-cgroup-command-to-only-show-cgroup-bpf-p.patch @@ -0,0 +1,112 @@ +From b41168dd96898a5090c82df26a3ed10084493576 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 13:32:32 -0700 +Subject: bpftool: Fix cgroup command to only show cgroup bpf programs + +From: Martin KaFai Lau + +[ Upstream commit b69d4413aa1961930fbf9ffad8376d577378daf9 ] + +The netkit program is not a cgroup bpf program and should not be shown +in the output of the "bpftool cgroup show" command. + +However, if the netkit device happens to have ifindex 3, +the "bpftool cgroup show" command will output the netkit +bpf program as well: + +> ip -d link show dev nk1 +3: nk1@if2: ... + link/ether ... + netkit mode ... + +> bpftool net show +tc: +nk1(3) netkit/peer tw_ns_nk2phy prog_id 469447 + +> bpftool cgroup show /sys/fs/cgroup/... +ID AttachType AttachFlags Name +... ... ... +469447 netkit_peer tw_ns_nk2phy + +The reason is that the target_fd (which is the cgroup_fd here) and +the target_ifindex are in a union in the uapi/linux/bpf.h. The bpftool +iterates all values in "enum bpf_attach_type" which includes +non cgroup attach types like netkit. The cgroup_fd is usually 3 here, +so the bug is triggered when the netkit ifindex just happens +to be 3 as well. + +The bpftool's cgroup.c already has a list of cgroup-only attach type +defined in "cgroup_attach_types[]". This patch fixes it by iterating +over "cgroup_attach_types[]" instead of "__MAX_BPF_ATTACH_TYPE". + +Cc: Quentin Monnet +Reported-by: Takshak Chahande +Signed-off-by: Martin KaFai Lau +Acked-by: Daniel Borkmann +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/r/20250507203232.1420762-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/cgroup.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c +index ac846b0805b45..322490239166f 100644 +--- a/tools/bpf/bpftool/cgroup.c ++++ b/tools/bpf/bpftool/cgroup.c +@@ -284,11 +284,11 @@ static int show_bpf_progs(int cgroup_fd, enum bpf_attach_type type, + + static int do_show(int argc, char **argv) + { +- enum bpf_attach_type type; + int has_attached_progs; + const char *path; + int cgroup_fd; + int ret = -1; ++ unsigned int i; + + query_flags = 0; + +@@ -336,14 +336,14 @@ static int do_show(int argc, char **argv) + "AttachFlags", "Name"); + + btf_vmlinux = libbpf_find_kernel_btf(); +- for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) { ++ for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) { + /* + * Not all attach types may be supported, so it's expected, + * that some requests will fail. + * If we were able to get the show for at least one + * attach type, let's return 0. + */ +- if (show_bpf_progs(cgroup_fd, type, 0) == 0) ++ if (show_bpf_progs(cgroup_fd, cgroup_attach_types[i], 0) == 0) + ret = 0; + } + +@@ -366,9 +366,9 @@ static int do_show(int argc, char **argv) + static int do_show_tree_fn(const char *fpath, const struct stat *sb, + int typeflag, struct FTW *ftw) + { +- enum bpf_attach_type type; + int has_attached_progs; + int cgroup_fd; ++ unsigned int i; + + if (typeflag != FTW_D) + return 0; +@@ -400,8 +400,8 @@ static int do_show_tree_fn(const char *fpath, const struct stat *sb, + } + + btf_vmlinux = libbpf_find_kernel_btf(); +- for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) +- show_bpf_progs(cgroup_fd, type, ftw->level); ++ for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) ++ show_bpf_progs(cgroup_fd, cgroup_attach_types[i], ftw->level); + + if (errno == EINVAL) + /* Last attach type does not support query. +-- +2.39.5 + diff --git a/queue-6.6/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch b/queue-6.6/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch new file mode 100644 index 0000000000..169cd7b57b --- /dev/null +++ b/queue-6.6/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch @@ -0,0 +1,40 @@ +From 4403c65cae2a2b0c3133bbe689d9b594e6c54ac6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 13:58:14 +0300 +Subject: bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value + +From: Laurentiu Tudor + +[ Upstream commit 23d060136841c58c2f9ee8c08ad945d1879ead4b ] + +In case the MC firmware runs in debug mode with extensive prints pushed +to the console, the current timeout of 500ms is not enough. +Increase the timeout value so that we don't have any chance of wrongly +assuming that the firmware is not responding when it's just taking more +time. + +Signed-off-by: Laurentiu Tudor +Signed-off-by: Ioana Ciornei +Link: https://lore.kernel.org/r/20250408105814.2837951-7-ioana.ciornei@nxp.com +Signed-off-by: Christophe Leroy +Signed-off-by: Sasha Levin +--- + drivers/bus/fsl-mc/mc-sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bus/fsl-mc/mc-sys.c b/drivers/bus/fsl-mc/mc-sys.c +index f2052cd0a0517..b22c59d57c8f0 100644 +--- a/drivers/bus/fsl-mc/mc-sys.c ++++ b/drivers/bus/fsl-mc/mc-sys.c +@@ -19,7 +19,7 @@ + /* + * Timeout in milliseconds to wait for the completion of an MC command + */ +-#define MC_CMD_COMPLETION_TIMEOUT_MS 500 ++#define MC_CMD_COMPLETION_TIMEOUT_MS 15000 + + /* + * usleep_range() min and max values used to throttle down polling +-- +2.39.5 + diff --git a/queue-6.6/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch b/queue-6.6/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch new file mode 100644 index 0000000000..cf26b9dac4 --- /dev/null +++ b/queue-6.6/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch @@ -0,0 +1,37 @@ +From 7bd4a2d6673aa1ec7607201dcb17b30d72c10c68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 May 2025 22:25:31 +0200 +Subject: clk: rockchip: rk3036: mark ddrphy as critical + +From: Heiko Stuebner + +[ Upstream commit 596a977b34a722c00245801a5774aa79cec4e81d ] + +The ddrphy is supplied by the dpll, but due to the limited number of PLLs +on the rk3036, the dpll also is used for other periperhals, like the GPU. + +So it happened, when the Lima driver turned off the gpu clock, this in +turn also disabled the dpll and thus the ram. + +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250503202532.992033-4-heiko@sntech.de +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3036.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/rockchip/clk-rk3036.c b/drivers/clk/rockchip/clk-rk3036.c +index d644bc155ec6e..f5f27535087a3 100644 +--- a/drivers/clk/rockchip/clk-rk3036.c ++++ b/drivers/clk/rockchip/clk-rk3036.c +@@ -431,6 +431,7 @@ static const char *const rk3036_critical_clocks[] __initconst = { + "hclk_peri", + "pclk_peri", + "pclk_ddrupctl", ++ "ddrphy", + }; + + static void __init rk3036_clk_init(struct device_node *np) +-- +2.39.5 + diff --git a/queue-6.6/clocksource-fix-the-cpus-choice-in-the-watchdog-per-.patch b/queue-6.6/clocksource-fix-the-cpus-choice-in-the-watchdog-per-.patch new file mode 100644 index 0000000000..42feee66a3 --- /dev/null +++ b/queue-6.6/clocksource-fix-the-cpus-choice-in-the-watchdog-per-.patch @@ -0,0 +1,60 @@ +From 9222392efd6742a2b647cbcce6e8249d505b8e9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Mar 2025 14:36:24 -0300 +Subject: clocksource: Fix the CPUs' choice in the watchdog per CPU + verification + +From: Guilherme G. Piccoli + +[ Upstream commit 08d7becc1a6b8c936e25d827becabfe3bff72a36 ] + +Right now, if the clocksource watchdog detects a clocksource skew, it might +perform a per CPU check, for example in the TSC case on x86. In other +words: supposing TSC is detected as unstable by the clocksource watchdog +running at CPU1, as part of marking TSC unstable the kernel will also run a +check of TSC readings on some CPUs to be sure it is synced between them +all. + +But that check happens only on some CPUs, not all of them; this choice is +based on the parameter "verify_n_cpus" and in some random cpumask +calculation. So, the watchdog runs such per CPU checks on up to +"verify_n_cpus" random CPUs among all online CPUs, with the risk of +repeating CPUs (that aren't double checked) in the cpumask random +calculation. + +But if "verify_n_cpus" > num_online_cpus(), it should skip the random +calculation and just go ahead and check the clocksource sync between +all online CPUs, without the risk of skipping some CPUs due to +duplicity in the random cpumask calculation. + +Tests in a 4 CPU laptop with TSC skew detected led to some cases of the per +CPU verification skipping some CPU even with verify_n_cpus=8, due to the +duplicity on random cpumask generation. Skipping the randomization when the +number of online CPUs is smaller than verify_n_cpus, solves that. + +Suggested-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Guilherme G. Piccoli +Signed-off-by: Thomas Gleixner +Reviewed-by: Paul E. McKenney +Link: https://lore.kernel.org/all/20250323173857.372390-1-gpiccoli@igalia.com +Signed-off-by: Sasha Levin +--- + kernel/time/clocksource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index 3130f24daf597..353829883e66d 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -288,7 +288,7 @@ static void clocksource_verify_choose_cpus(void) + { + int cpu, i, n = verify_n_cpus; + +- if (n < 0) { ++ if (n < 0 || n >= num_online_cpus()) { + /* Check all of the CPUs. */ + cpumask_copy(&cpus_chosen, cpu_online_mask); + cpumask_clear_cpu(smp_processor_id(), &cpus_chosen); +-- +2.39.5 + diff --git a/queue-6.6/cpufreq-scmi-skip-scmi-devices-that-aren-t-used-by-t.patch b/queue-6.6/cpufreq-scmi-skip-scmi-devices-that-aren-t-used-by-t.patch new file mode 100644 index 0000000000..d26dbdef6a --- /dev/null +++ b/queue-6.6/cpufreq-scmi-skip-scmi-devices-that-aren-t-used-by-t.patch @@ -0,0 +1,89 @@ +From 86c3dfc7c9d869e8c25aba58295c78c2c2cd97af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 20:53:12 -0700 +Subject: cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs + +From: Mike Tipton + +[ Upstream commit 6c9bb86922728c7a4cceb99f131e00dd87514f20 ] + +Currently, all SCMI devices with performance domains attempt to register +a cpufreq driver, even if their performance domains aren't used to +control the CPUs. The cpufreq framework only supports registering a +single driver, so only the first device will succeed. And if that device +isn't used for the CPUs, then cpufreq will scale the wrong domains. + +To avoid this, return early from scmi_cpufreq_probe() if the probing +SCMI device isn't referenced by the CPU device phandles. + +This keeps the existing assumption that all CPUs are controlled by a +single SCMI device. + +Signed-off-by: Mike Tipton +Reviewed-by: Peng Fan +Reviewed-by: Cristian Marussi +Reviewed-by: Sudeep Holla +Tested-by: Cristian Marussi +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/scmi-cpufreq.c | 36 +++++++++++++++++++++++++++++++++- + 1 file changed, 35 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c +index e4989764efe2a..6ff77003a96ea 100644 +--- a/drivers/cpufreq/scmi-cpufreq.c ++++ b/drivers/cpufreq/scmi-cpufreq.c +@@ -299,6 +299,40 @@ static struct cpufreq_driver scmi_cpufreq_driver = { + .register_em = scmi_cpufreq_register_em, + }; + ++static bool scmi_dev_used_by_cpus(struct device *scmi_dev) ++{ ++ struct device_node *scmi_np = dev_of_node(scmi_dev); ++ struct device_node *cpu_np, *np; ++ struct device *cpu_dev; ++ int cpu, idx; ++ ++ if (!scmi_np) ++ return false; ++ ++ for_each_possible_cpu(cpu) { ++ cpu_dev = get_cpu_device(cpu); ++ if (!cpu_dev) ++ continue; ++ ++ cpu_np = dev_of_node(cpu_dev); ++ ++ np = of_parse_phandle(cpu_np, "clocks", 0); ++ of_node_put(np); ++ ++ if (np == scmi_np) ++ return true; ++ ++ idx = of_property_match_string(cpu_np, "power-domain-names", "perf"); ++ np = of_parse_phandle(cpu_np, "power-domains", idx); ++ of_node_put(np); ++ ++ if (np == scmi_np) ++ return true; ++ } ++ ++ return false; ++} ++ + static int scmi_cpufreq_probe(struct scmi_device *sdev) + { + int ret; +@@ -307,7 +341,7 @@ static int scmi_cpufreq_probe(struct scmi_device *sdev) + + handle = sdev->handle; + +- if (!handle) ++ if (!handle || !scmi_dev_used_by_cpus(dev)) + return -ENODEV; + + perf_ops = handle->devm_protocol_get(sdev, SCMI_PROTOCOL_PERF, &ph); +-- +2.39.5 + diff --git a/queue-6.6/emulex-benet-correct-command-version-selection-in-be.patch b/queue-6.6/emulex-benet-correct-command-version-selection-in-be.patch new file mode 100644 index 0000000000..580b1cc4bc --- /dev/null +++ b/queue-6.6/emulex-benet-correct-command-version-selection-in-be.patch @@ -0,0 +1,39 @@ +From 105fc8d81310348797545e84913c7a60c94bce1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 07:17:19 -0700 +Subject: emulex/benet: correct command version selection in be_cmd_get_stats() + +From: Alok Tiwari + +[ Upstream commit edb888d29748cee674006a52e544925dacc7728e ] + +Logic here always sets hdr->version to 2 if it is not a BE3 or Lancer chip, +even if it is BE2. Use 'else if' to prevent multiple assignments, setting +version 0 for BE2, version 1 for BE3 and Lancer, and version 2 for others. +Fixes potential incorrect version setting when BE2_chip and +BE3_chip/lancer_chip checks could both be true. + +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250519141731.691136-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index 51b8377edd1d0..a89aa4ac0a064 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -1609,7 +1609,7 @@ int be_cmd_get_stats(struct be_adapter *adapter, struct be_dma_mem *nonemb_cmd) + /* version 1 of the cmd is not supported only by BE2 */ + if (BE2_chip(adapter)) + hdr->version = 0; +- if (BE3_chip(adapter) || lancer_chip(adapter)) ++ else if (BE3_chip(adapter) || lancer_chip(adapter)) + hdr->version = 1; + else + hdr->version = 2; +-- +2.39.5 + diff --git a/queue-6.6/f2fs-fix-to-set-atomic-write-status-more-clear.patch b/queue-6.6/f2fs-fix-to-set-atomic-write-status-more-clear.patch new file mode 100644 index 0000000000..06f11bdde3 --- /dev/null +++ b/queue-6.6/f2fs-fix-to-set-atomic-write-status-more-clear.patch @@ -0,0 +1,81 @@ +From 0a8219186203493b3a82870d841eea9c500d4fd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 13:56:06 +0800 +Subject: f2fs: fix to set atomic write status more clear + +From: Chao Yu + +[ Upstream commit db03c20c0850dc8d2bcabfa54b9438f7d666c863 ] + +1. After we start atomic write in a database file, before committing +all data, we'd better not set inode w/ vfs dirty status to avoid +redundant updates, instead, we only set inode w/ atomic dirty status. + +2. After we commit all data, before committing metadata, we need to +clear atomic dirty status, and set vfs dirty status to allow vfs flush +dirty inode. + +Cc: Daeho Jeong +Reported-by: Zhiguo Niu +Signed-off-by: Chao Yu +Reviewed-by: Daeho Jeong +Reviewed-by: Zhiguo Niu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/inode.c | 4 +++- + fs/f2fs/segment.c | 6 ++++++ + fs/f2fs/super.c | 4 +++- + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 21d3eabe95e00..66721c2093c02 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -35,7 +35,9 @@ void f2fs_mark_inode_dirty_sync(struct inode *inode, bool sync) + if (f2fs_inode_dirtied(inode, sync)) + return; + +- if (f2fs_is_atomic_file(inode)) ++ /* only atomic file w/ FI_ATOMIC_COMMITTED can be set vfs dirty */ ++ if (f2fs_is_atomic_file(inode) && ++ !is_inode_flag_set(inode, FI_ATOMIC_COMMITTED)) + return; + + mark_inode_dirty_sync(inode); +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 156d92b945258..c7714e954cb54 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -372,7 +372,13 @@ static int __f2fs_commit_atomic_write(struct inode *inode) + } else { + sbi->committed_atomic_block += fi->atomic_write_cnt; + set_inode_flag(inode, FI_ATOMIC_COMMITTED); ++ ++ /* ++ * inode may has no FI_ATOMIC_DIRTIED flag due to no write ++ * before commit. ++ */ + if (is_inode_flag_set(inode, FI_ATOMIC_DIRTIED)) { ++ /* clear atomic dirty status and set vfs dirty status */ + clear_inode_flag(inode, FI_ATOMIC_DIRTIED); + f2fs_mark_inode_dirty_sync(inode, true); + } +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 50170e7cf3f9b..702137eafaa67 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1500,7 +1500,9 @@ int f2fs_inode_dirtied(struct inode *inode, bool sync) + } + spin_unlock(&sbi->inode_lock[DIRTY_META]); + +- if (!ret && f2fs_is_atomic_file(inode)) ++ /* if atomic write is not committed, set inode w/ atomic dirty */ ++ if (!ret && f2fs_is_atomic_file(inode) && ++ !is_inode_flag_set(inode, FI_ATOMIC_COMMITTED)) + set_inode_flag(inode, FI_ATOMIC_DIRTIED); + + return ret; +-- +2.39.5 + diff --git a/queue-6.6/f2fs-use-vmalloc-instead-of-kvmalloc-in-.init_-de-co.patch b/queue-6.6/f2fs-use-vmalloc-instead-of-kvmalloc-in-.init_-de-co.patch new file mode 100644 index 0000000000..5a87cf0bc1 --- /dev/null +++ b/queue-6.6/f2fs-use-vmalloc-instead-of-kvmalloc-in-.init_-de-co.patch @@ -0,0 +1,155 @@ +From 18e8b1b0e5040f8a6a189da13a3039c913eb9cc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 13:57:20 +0800 +Subject: f2fs: use vmalloc instead of kvmalloc in .init_{,de}compress_ctx + +From: Chao Yu + +[ Upstream commit 70dd07c888451503c3e93b6821e10d1ea1ec9930 ] + +.init_{,de}compress_ctx uses kvmalloc() to alloc memory, it will try +to allocate physically continuous page first, it may cause more memory +allocation pressure, let's use vmalloc instead to mitigate it. + +[Test] +cd /data/local/tmp +touch file +f2fs_io setflags compression file +f2fs_io getflags file +for i in $(seq 1 10); do sync; echo 3 > /proc/sys/vm/drop_caches;\ +time f2fs_io write 512 0 4096 zero osync file; truncate -s 0 file;\ +done + +[Result] +Before After Delta +21.243 21.694 -2.12% + +For compression, we recommend to use ioctl to compress file data in +background for workaround. + +For decompression, only zstd will be affected. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/compress.c | 23 ++++++++++------------- + fs/f2fs/f2fs.h | 5 +++++ + 2 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c +index f7ef69f44f3d8..e962de4ecaa2f 100644 +--- a/fs/f2fs/compress.c ++++ b/fs/f2fs/compress.c +@@ -176,8 +176,7 @@ void f2fs_compress_ctx_add_page(struct compress_ctx *cc, struct page *page) + #ifdef CONFIG_F2FS_FS_LZO + static int lzo_init_compress_ctx(struct compress_ctx *cc) + { +- cc->private = f2fs_kvmalloc(F2FS_I_SB(cc->inode), +- LZO1X_MEM_COMPRESS, GFP_NOFS); ++ cc->private = f2fs_vmalloc(LZO1X_MEM_COMPRESS); + if (!cc->private) + return -ENOMEM; + +@@ -187,7 +186,7 @@ static int lzo_init_compress_ctx(struct compress_ctx *cc) + + static void lzo_destroy_compress_ctx(struct compress_ctx *cc) + { +- kvfree(cc->private); ++ vfree(cc->private); + cc->private = NULL; + } + +@@ -244,7 +243,7 @@ static int lz4_init_compress_ctx(struct compress_ctx *cc) + size = LZ4HC_MEM_COMPRESS; + #endif + +- cc->private = f2fs_kvmalloc(F2FS_I_SB(cc->inode), size, GFP_NOFS); ++ cc->private = f2fs_vmalloc(size); + if (!cc->private) + return -ENOMEM; + +@@ -259,7 +258,7 @@ static int lz4_init_compress_ctx(struct compress_ctx *cc) + + static void lz4_destroy_compress_ctx(struct compress_ctx *cc) + { +- kvfree(cc->private); ++ vfree(cc->private); + cc->private = NULL; + } + +@@ -340,8 +339,7 @@ static int zstd_init_compress_ctx(struct compress_ctx *cc) + params = zstd_get_params(level, cc->rlen); + workspace_size = zstd_cstream_workspace_bound(¶ms.cParams); + +- workspace = f2fs_kvmalloc(F2FS_I_SB(cc->inode), +- workspace_size, GFP_NOFS); ++ workspace = f2fs_vmalloc(workspace_size); + if (!workspace) + return -ENOMEM; + +@@ -349,7 +347,7 @@ static int zstd_init_compress_ctx(struct compress_ctx *cc) + if (!stream) { + f2fs_err_ratelimited(F2FS_I_SB(cc->inode), + "%s zstd_init_cstream failed", __func__); +- kvfree(workspace); ++ vfree(workspace); + return -EIO; + } + +@@ -362,7 +360,7 @@ static int zstd_init_compress_ctx(struct compress_ctx *cc) + + static void zstd_destroy_compress_ctx(struct compress_ctx *cc) + { +- kvfree(cc->private); ++ vfree(cc->private); + cc->private = NULL; + cc->private2 = NULL; + } +@@ -421,8 +419,7 @@ static int zstd_init_decompress_ctx(struct decompress_io_ctx *dic) + + workspace_size = zstd_dstream_workspace_bound(max_window_size); + +- workspace = f2fs_kvmalloc(F2FS_I_SB(dic->inode), +- workspace_size, GFP_NOFS); ++ workspace = f2fs_vmalloc(workspace_size); + if (!workspace) + return -ENOMEM; + +@@ -430,7 +427,7 @@ static int zstd_init_decompress_ctx(struct decompress_io_ctx *dic) + if (!stream) { + f2fs_err_ratelimited(F2FS_I_SB(dic->inode), + "%s zstd_init_dstream failed", __func__); +- kvfree(workspace); ++ vfree(workspace); + return -EIO; + } + +@@ -442,7 +439,7 @@ static int zstd_init_decompress_ctx(struct decompress_io_ctx *dic) + + static void zstd_destroy_decompress_ctx(struct decompress_io_ctx *dic) + { +- kvfree(dic->private); ++ vfree(dic->private); + dic->private = NULL; + dic->private2 = NULL; + } +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 911c4c64d729d..2d9a86129bd8d 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3449,6 +3449,11 @@ static inline void *f2fs_kvzalloc(struct f2fs_sb_info *sbi, + return f2fs_kvmalloc(sbi, size, flags | __GFP_ZERO); + } + ++static inline void *f2fs_vmalloc(size_t size) ++{ ++ return vmalloc(size); ++} ++ + static inline int get_extra_isize(struct inode *inode) + { + return F2FS_I(inode)->i_extra_isize / sizeof(__le32); +-- +2.39.5 + diff --git a/queue-6.6/fbcon-make-sure-modelist-not-set-on-unregistered-con.patch b/queue-6.6/fbcon-make-sure-modelist-not-set-on-unregistered-con.patch new file mode 100644 index 0000000000..8e92e3d8a0 --- /dev/null +++ b/queue-6.6/fbcon-make-sure-modelist-not-set-on-unregistered-con.patch @@ -0,0 +1,65 @@ +From 1d57b6396ae42994e72449839988432ce7306128 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 13:06:47 -0700 +Subject: fbcon: Make sure modelist not set on unregistered console + +From: Kees Cook + +[ Upstream commit cedc1b63394a866bf8663a3e40f4546f1d28c8d8 ] + +It looks like attempting to write to the "store_modes" sysfs node will +run afoul of unregistered consoles: + +UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 +index -1 is out of range for type 'fb_info *[32]' +... + fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122 + fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048 + fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673 + store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113 + dev_attr_store+0x55/0x80 drivers/base/core.c:2439 + +static struct fb_info *fbcon_registered_fb[FB_MAX]; +... +static signed char con2fb_map[MAX_NR_CONSOLES]; +... +static struct fb_info *fbcon_info_from_console(int console) +... + return fbcon_registered_fb[con2fb_map[console]]; + +If con2fb_map contains a -1 things go wrong here. Instead, return NULL, +as callers of fbcon_info_from_console() are trying to compare against +existing "info" pointers, so error handling should kick in correctly. + +Reported-by: syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/679d0a8f.050a0220.163cdc.000c.GAE@google.com/ +Signed-off-by: Kees Cook +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbcon.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c +index 7a6f9a3cb3ba3..75996ef9992e4 100644 +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -115,9 +115,14 @@ static signed char con2fb_map_boot[MAX_NR_CONSOLES]; + + static struct fb_info *fbcon_info_from_console(int console) + { ++ signed char fb; + WARN_CONSOLE_UNLOCKED(); + +- return fbcon_registered_fb[con2fb_map[console]]; ++ fb = con2fb_map[console]; ++ if (fb < 0 || fb >= ARRAY_SIZE(fbcon_registered_fb)) ++ return NULL; ++ ++ return fbcon_registered_fb[fb]; + } + + static int logo_lines; +-- +2.39.5 + diff --git a/queue-6.6/fs-xattr.c-fix-simple_xattr_list.patch b/queue-6.6/fs-xattr.c-fix-simple_xattr_list.patch new file mode 100644 index 0000000000..dc2deb6977 --- /dev/null +++ b/queue-6.6/fs-xattr.c-fix-simple_xattr_list.patch @@ -0,0 +1,44 @@ +From 5ddb07e5ad7d259b1ef0c766d85e697d9143576a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jun 2025 12:51:16 -0400 +Subject: fs/xattr.c: fix simple_xattr_list() + +From: Stephen Smalley + +[ Upstream commit 800d0b9b6a8b1b354637b4194cc167ad1ce2bdd3 ] + +commit 8b0ba61df5a1 ("fs/xattr.c: fix simple_xattr_list to always +include security.* xattrs") failed to reset err after the call to +security_inode_listsecurity(), which returns the length of the +returned xattr name. This results in simple_xattr_list() incorrectly +returning this length even if a POSIX acl is also set on the inode. + +Reported-by: Collin Funk +Closes: https://lore.kernel.org/selinux/8734ceal7q.fsf@gmail.com/ +Reported-by: Paul Eggert +Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2369561 +Fixes: 8b0ba61df5a1 ("fs/xattr.c: fix simple_xattr_list to always include security.* xattrs") + +Signed-off-by: Stephen Smalley +Link: https://lore.kernel.org/20250605165116.2063-1-stephen.smalley.work@gmail.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/xattr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/xattr.c b/fs/xattr.c +index 5fed22c22a2be..7574d24b982ef 100644 +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -1342,6 +1342,7 @@ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, + buffer += err; + } + remaining_size -= err; ++ err = 0; + + read_lock(&xattrs->lock); + for (rbp = rb_first(&xattrs->rb_root); rbp; rbp = rb_next(rbp)) { +-- +2.39.5 + diff --git a/queue-6.6/gpiolib-of-add-polarity-quirk-for-s5m8767.patch b/queue-6.6/gpiolib-of-add-polarity-quirk-for-s5m8767.patch new file mode 100644 index 0000000000..772e06bad4 --- /dev/null +++ b/queue-6.6/gpiolib-of-add-polarity-quirk-for-s5m8767.patch @@ -0,0 +1,46 @@ +From 19bab0216588940161f075cf62f83a37915e32bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 08:49:44 +0800 +Subject: gpiolib: of: Add polarity quirk for s5m8767 + +From: Peng Fan + +[ Upstream commit 4e310626eb4df52a31a142c1360fead0fcbd3793 ] + +This is prepare patch for switching s5m8767 regulator driver to +use GPIO descriptor. DTS for exynos5250 spring incorrectly specifies +"active low" polarity for the DVS and DS line. But per datasheet, +they are actually active high. So add polarity quirk for it. + +Signed-off-by: Peng Fan +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250327004945.563765-1-peng.fan@oss.nxp.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index a0a2a0f75bba4..c1e83b2926ae4 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -203,6 +203,15 @@ static void of_gpio_try_fixup_polarity(const struct device_node *np, + */ + { "lantiq,pci-xway", "gpio-reset", false }, + #endif ++#if IS_ENABLED(CONFIG_REGULATOR_S5M8767) ++ /* ++ * According to S5M8767, the DVS and DS pin are ++ * active-high signals. However, exynos5250-spring.dts use ++ * active-low setting. ++ */ ++ { "samsung,s5m8767-pmic", "s5m8767,pmic-buck-dvs-gpios", true }, ++ { "samsung,s5m8767-pmic", "s5m8767,pmic-buck-ds-gpios", true }, ++#endif + #if IS_ENABLED(CONFIG_TOUCHSCREEN_TSC2005) + /* + * DTS for Nokia N900 incorrectly specified "active high" +-- +2.39.5 + diff --git a/queue-6.6/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch b/queue-6.6/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch new file mode 100644 index 0000000000..dce061d97f --- /dev/null +++ b/queue-6.6/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch @@ -0,0 +1,79 @@ +From 6e3f3ec5217a299083089354f505e79e7bae6f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Apr 2025 10:33:03 +0800 +Subject: i2c: designware: Invoke runtime suspend on quick slave + re-registration + +From: Tan En De + +[ Upstream commit 2fe2b969d911a09abcd6a47401a3c66c38a310e6 ] + +Replaced pm_runtime_put() with pm_runtime_put_sync_suspend() to ensure +the runtime suspend is invoked immediately when unregistering a slave. +This prevents a race condition where suspend was skipped when +unregistering and registering slave in quick succession. + +For example, consider the rapid sequence of +`delete_device -> new_device -> delete_device -> new_device`. +In this sequence, it is observed that the dw_i2c_plat_runtime_suspend() +might not be invoked after `delete_device` operation. + +This is because after `delete_device` operation, when the +pm_runtime_put() is about to trigger suspend, the following `new_device` +operation might race and cancel the suspend. + +If that happens, during the `new_device` operation, +dw_i2c_plat_runtime_resume() is skipped (since there was no suspend), which +means `i_dev->init()`, i.e. i2c_dw_init_slave(), is skipped. +Since i2c_dw_init_slave() is skipped, i2c_dw_configure_fifo_slave() is +skipped too, which leaves `DW_IC_INTR_MASK` unconfigured. If we inspect +the interrupt mask register using devmem, it will show as zero. + +Example shell script to reproduce the issue: +``` + #!/bin/sh + + SLAVE_LADDR=0x1010 + SLAVE_BUS=13 + NEW_DEVICE=/sys/bus/i2c/devices/i2c-$SLAVE_BUS/new_device + DELETE_DEVICE=/sys/bus/i2c/devices/i2c-$SLAVE_BUS/delete_device + + # Create initial device + echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE + sleep 2 + + # Rapid sequence of + # delete_device -> new_device -> delete_device -> new_device + echo $SLAVE_LADDR > $DELETE_DEVICE + echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE + echo $SLAVE_LADDR > $DELETE_DEVICE + echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE + + # Using devmem to inspect IC_INTR_MASK will show as zero +``` + +Signed-off-by: Tan En De +Acked-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20250412023303.378600-1-ende.tan@starfivetech.com +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-slave.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c +index 345b532a2b455..ea4c4955fe264 100644 +--- a/drivers/i2c/busses/i2c-designware-slave.c ++++ b/drivers/i2c/busses/i2c-designware-slave.c +@@ -91,7 +91,7 @@ static int i2c_dw_unreg_slave(struct i2c_client *slave) + i2c_dw_disable(dev); + synchronize_irq(dev->irq); + dev->slave = NULL; +- pm_runtime_put(dev->dev); ++ pm_runtime_put_sync_suspend(dev->dev); + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.6/i2c-npcm-add-clock-toggle-recovery.patch b/queue-6.6/i2c-npcm-add-clock-toggle-recovery.patch new file mode 100644 index 0000000000..4d03591079 --- /dev/null +++ b/queue-6.6/i2c-npcm-add-clock-toggle-recovery.patch @@ -0,0 +1,49 @@ +From e10816e2098cbb44bfa90c7a71374314a235d0bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 19:32:50 +0000 +Subject: i2c: npcm: Add clock toggle recovery + +From: Tali Perry + +[ Upstream commit 38010591a0fc3203f1cee45b01ab358b72dd9ab2 ] + +During init of the bus, the module checks that the bus is idle. +If one of the lines are stuck try to recover them first before failing. +Sometimes SDA and SCL are low if improper reset occurs (e.g., reboot). + +Signed-off-by: Tali Perry +Signed-off-by: Mohammed Elbadry +Reviewed-by: Mukesh Kumar Savaliya +Link: https://lore.kernel.org/r/20250328193252.1570811-1-mohammed.0.elbadry@gmail.com +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-npcm7xx.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-npcm7xx.c b/drivers/i2c/busses/i2c-npcm7xx.c +index 91f508d50e7ab..5b3987460976e 100644 +--- a/drivers/i2c/busses/i2c-npcm7xx.c ++++ b/drivers/i2c/busses/i2c-npcm7xx.c +@@ -1971,10 +1971,14 @@ static int npcm_i2c_init_module(struct npcm_i2c *bus, enum i2c_mode mode, + + /* Check HW is OK: SDA and SCL should be high at this point. */ + if ((npcm_i2c_get_SDA(&bus->adap) == 0) || (npcm_i2c_get_SCL(&bus->adap) == 0)) { +- dev_err(bus->dev, "I2C%d init fail: lines are low\n", bus->num); +- dev_err(bus->dev, "SDA=%d SCL=%d\n", npcm_i2c_get_SDA(&bus->adap), +- npcm_i2c_get_SCL(&bus->adap)); +- return -ENXIO; ++ dev_warn(bus->dev, " I2C%d SDA=%d SCL=%d, attempting to recover\n", bus->num, ++ npcm_i2c_get_SDA(&bus->adap), npcm_i2c_get_SCL(&bus->adap)); ++ if (npcm_i2c_recovery_tgclk(&bus->adap)) { ++ dev_err(bus->dev, "I2C%d init fail: SDA=%d SCL=%d\n", ++ bus->num, npcm_i2c_get_SDA(&bus->adap), ++ npcm_i2c_get_SCL(&bus->adap)); ++ return -ENXIO; ++ } + } + + npcm_i2c_int_enable(bus, true); +-- +2.39.5 + diff --git a/queue-6.6/i2c-tegra-check-msg-length-in-smbus-block-read.patch b/queue-6.6/i2c-tegra-check-msg-length-in-smbus-block-read.patch new file mode 100644 index 0000000000..955beb79c4 --- /dev/null +++ b/queue-6.6/i2c-tegra-check-msg-length-in-smbus-block-read.patch @@ -0,0 +1,40 @@ +From 35dc6f1701c94b9a56ea02d13c9dad05c63cd49a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 11:03:20 +0530 +Subject: i2c: tegra: check msg length in SMBUS block read + +From: Akhil R + +[ Upstream commit a6e04f05ce0b070ab39d5775580e65c7d943da0b ] + +For SMBUS block read, do not continue to read if the message length +passed from the device is '0' or greater than the maximum allowed bytes. + +Signed-off-by: Akhil R +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20250424053320.19211-1-akhilrajeev@nvidia.com +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-tegra.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c +index 91be04b534fe6..08a81daedc115 100644 +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -1397,6 +1397,11 @@ static int tegra_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], + ret = tegra_i2c_xfer_msg(i2c_dev, &msgs[i], MSG_END_CONTINUE); + if (ret) + break; ++ ++ /* Validate message length before proceeding */ ++ if (msgs[i].buf[0] == 0 || msgs[i].buf[0] > I2C_SMBUS_BLOCK_MAX) ++ break; ++ + /* Set the msg length from first byte */ + msgs[i].len += msgs[i].buf[0]; + dev_dbg(i2c_dev->dev, "reading %d bytes\n", msgs[i].len); +-- +2.39.5 + diff --git a/queue-6.6/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch b/queue-6.6/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch new file mode 100644 index 0000000000..125ee6740f --- /dev/null +++ b/queue-6.6/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch @@ -0,0 +1,48 @@ +From f3d3ebf1300c8bd064ec9cc4f61c4ace377da2d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 14:16:02 +0900 +Subject: i40e: fix MMIO write access to an invalid page in i40e_clear_hw + +From: Kyungwook Boo + +[ Upstream commit 015bac5daca978448f2671478c553ce1f300c21e ] + +When the device sends a specific input, an integer underflow can occur, leading +to MMIO write access to an invalid page. + +Prevent the integer underflow by changing the type of related variables. + +Signed-off-by: Kyungwook Boo +Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ +Reviewed-by: Przemek Kitszel +Reviewed-by: Simon Horman +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c +index 4d7caa1199719..5d46a8e5376da 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_common.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c +@@ -1067,10 +1067,11 @@ int i40e_pf_reset(struct i40e_hw *hw) + void i40e_clear_hw(struct i40e_hw *hw) + { + u32 num_queues, base_queue; +- u32 num_pf_int; +- u32 num_vf_int; ++ s32 num_pf_int; ++ s32 num_vf_int; + u32 num_vfs; +- u32 i, j; ++ s32 i; ++ u32 j; + u32 val; + u32 eol = 0x7ff; + +-- +2.39.5 + diff --git a/queue-6.6/ice-fix-check-for-existing-switch-rule.patch b/queue-6.6/ice-fix-check-for-existing-switch-rule.patch new file mode 100644 index 0000000000..b5010e4920 --- /dev/null +++ b/queue-6.6/ice-fix-check-for-existing-switch-rule.patch @@ -0,0 +1,56 @@ +From f78008119773e23191f5a7e35787fc80cf70eedb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 09:50:35 +0100 +Subject: ice: fix check for existing switch rule + +From: Mateusz Pacuszka + +[ Upstream commit a808691df39b52cd9db861b118e88e18b63e2299 ] + +In case the rule already exists and another VSI wants to subscribe to it +new VSI list is being created and both VSIs are moved to it. +Currently, the check for already existing VSI with the same rule is done +based on fdw_id.hw_vsi_id, which applies only to LOOKUP_RX flag. +Change it to vsi_handle. This is software VSI ID, but it can be applied +here, because vsi_map itself is also based on it. + +Additionally change return status in case the VSI already exists in the +VSI map to "Already exists". Such case should be handled by the caller. + +Signed-off-by: Mateusz Pacuszka +Reviewed-by: Przemek Kitszel +Reviewed-by: Michal Swiatkowski +Signed-off-by: Larysa Zaremba +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_switch.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c +index 19f730a68fa21..ac004ef1d724d 100644 +--- a/drivers/net/ethernet/intel/ice/ice_switch.c ++++ b/drivers/net/ethernet/intel/ice/ice_switch.c +@@ -3024,7 +3024,7 @@ ice_add_update_vsi_list(struct ice_hw *hw, + u16 vsi_handle_arr[2]; + + /* A rule already exists with the new VSI being added */ +- if (cur_fltr->fwd_id.hw_vsi_id == new_fltr->fwd_id.hw_vsi_id) ++ if (cur_fltr->vsi_handle == new_fltr->vsi_handle) + return -EEXIST; + + vsi_handle_arr[0] = cur_fltr->vsi_handle; +@@ -5991,7 +5991,7 @@ ice_adv_add_update_vsi_list(struct ice_hw *hw, + + /* A rule already exists with the new VSI being added */ + if (test_bit(vsi_handle, m_entry->vsi_list_info->vsi_map)) +- return 0; ++ return -EEXIST; + + /* Update the previously created VSI list set with + * the new VSI ID passed in +-- +2.39.5 + diff --git a/queue-6.6/iommu-amd-ensure-ga-log-notifier-callbacks-finish-ru.patch b/queue-6.6/iommu-amd-ensure-ga-log-notifier-callbacks-finish-ru.patch new file mode 100644 index 0000000000..0ecef851d1 --- /dev/null +++ b/queue-6.6/iommu-amd-ensure-ga-log-notifier-callbacks-finish-ru.patch @@ -0,0 +1,43 @@ +From 700357c4a71a0d705612526d08184cc5c435ee29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 20:10:48 -0700 +Subject: iommu/amd: Ensure GA log notifier callbacks finish running before + module unload + +From: Sean Christopherson + +[ Upstream commit 94c721ea03c7078163f41dbaa101ac721ddac329 ] + +Synchronize RCU when unregistering KVM's GA log notifier to ensure all +in-flight interrupt handlers complete before KVM-the module is unloaded. + +Signed-off-by: Sean Christopherson +Link: https://lore.kernel.org/r/20250315031048.2374109-1-seanjc@google.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index 83c5d786686d0..a5d6d786dba52 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -780,6 +780,14 @@ int amd_iommu_register_ga_log_notifier(int (*notifier)(u32)) + { + iommu_ga_log_notifier = notifier; + ++ /* ++ * Ensure all in-flight IRQ handlers run to completion before returning ++ * to the caller, e.g. to ensure module code isn't unloaded while it's ++ * being executed in the IRQ handler. ++ */ ++ if (!notifier) ++ synchronize_rcu(); ++ + return 0; + } + EXPORT_SYMBOL(amd_iommu_register_ga_log_notifier); +-- +2.39.5 + diff --git a/queue-6.6/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch b/queue-6.6/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch new file mode 100644 index 0000000000..614e8547b0 --- /dev/null +++ b/queue-6.6/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch @@ -0,0 +1,44 @@ +From 1b01f8096ca818b5e8f41c2687faa06aae99f960 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 11:27:24 +0200 +Subject: ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT + +From: Sebastian Andrzej Siewior + +[ Upstream commit 1c0829788a6e6e165846b9bedd0b908ef16260b6 ] + +The statistics are incremented with raw_cpu_inc() assuming it always +happens with bottom half disabled. Without per-CPU locking in +local_bh_disable() on PREEMPT_RT this is no longer true. + +Use this_cpu_inc() on PREEMPT_RT for the increment to not worry about +preemption. + +Cc: David Ahern +Signed-off-by: Sebastian Andrzej Siewior +Link: https://patch.msgid.link/20250512092736.229935-4-bigeasy@linutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 97dc30a03dbf2..8ee1ad2d8c13f 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -192,7 +192,11 @@ const __u8 ip_tos2prio[16] = { + EXPORT_SYMBOL(ip_tos2prio); + + static DEFINE_PER_CPU(struct rt_cache_stat, rt_cache_stat); ++#ifndef CONFIG_PREEMPT_RT + #define RT_CACHE_STAT_INC(field) raw_cpu_inc(rt_cache_stat.field) ++#else ++#define RT_CACHE_STAT_INC(field) this_cpu_inc(rt_cache_stat.field) ++#endif + + #ifdef CONFIG_PROC_FS + static void *rt_cache_seq_start(struct seq_file *seq, loff_t *pos) +-- +2.39.5 + diff --git a/queue-6.6/libbpf-add-identical-pointer-detection-to-btf_dedup_.patch b/queue-6.6/libbpf-add-identical-pointer-detection-to-btf_dedup_.patch new file mode 100644 index 0000000000..4ecc04ba98 --- /dev/null +++ b/queue-6.6/libbpf-add-identical-pointer-detection-to-btf_dedup_.patch @@ -0,0 +1,71 @@ +From 4365c55b886430f88ea8cb37be7a05bf45228576 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 17:10:42 +0100 +Subject: libbpf: Add identical pointer detection to btf_dedup_is_equiv() + +From: Alan Maguire + +[ Upstream commit 8e64c387c942229c551d0f23de4d9993d3a2acb6 ] + +Recently as a side-effect of + +commit ac053946f5c4 ("compiler.h: introduce TYPEOF_UNQUAL() macro") + +issues were observed in deduplication between modules and kernel BTF +such that a large number of kernel types were not deduplicated so +were found in module BTF (task_struct, bpf_prog etc). The root cause +appeared to be a failure to dedup struct types, specifically those +with members that were pointers with __percpu annotations. + +The issue in dedup is at the point that we are deduplicating structures, +we have not yet deduplicated reference types like pointers. If multiple +copies of a pointer point at the same (deduplicated) integer as in this +case, we do not see them as identical. Special handling already exists +to deal with structures and arrays, so add pointer handling here too. + +Reported-by: Alexei Starovoitov +Signed-off-by: Alan Maguire +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250429161042.2069678-1-alan.maguire@oracle.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c +index 8484b563b53d0..2e9f28cece3ff 100644 +--- a/tools/lib/bpf/btf.c ++++ b/tools/lib/bpf/btf.c +@@ -3922,6 +3922,19 @@ static bool btf_dedup_identical_structs(struct btf_dedup *d, __u32 id1, __u32 id + return true; + } + ++static bool btf_dedup_identical_ptrs(struct btf_dedup *d, __u32 id1, __u32 id2) ++{ ++ struct btf_type *t1, *t2; ++ ++ t1 = btf_type_by_id(d->btf, id1); ++ t2 = btf_type_by_id(d->btf, id2); ++ ++ if (!btf_is_ptr(t1) || !btf_is_ptr(t2)) ++ return false; ++ ++ return t1->type == t2->type; ++} ++ + /* + * Check equivalence of BTF type graph formed by candidate struct/union (we'll + * call it "candidate graph" in this description for brevity) to a type graph +@@ -4054,6 +4067,9 @@ static int btf_dedup_is_equiv(struct btf_dedup *d, __u32 cand_id, + */ + if (btf_dedup_identical_structs(d, hypot_type_id, cand_id)) + return 1; ++ /* A similar case is again observed for PTRs. */ ++ if (btf_dedup_identical_ptrs(d, hypot_type_id, cand_id)) ++ return 1; + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.6/mmc-add-quirk-to-disable-ddr50-tuning.patch b/queue-6.6/mmc-add-quirk-to-disable-ddr50-tuning.patch new file mode 100644 index 0000000000..2af1b4d1e8 --- /dev/null +++ b/queue-6.6/mmc-add-quirk-to-disable-ddr50-tuning.patch @@ -0,0 +1,134 @@ +From f7cc672036a8a68060883108af1d89ede95fd9c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 17:13:37 -0500 +Subject: mmc: Add quirk to disable DDR50 tuning + +From: Erick Shepherd + +[ Upstream commit 9510b38dc0ba358c93cbf5ee7c28820afb85937b ] + +Adds the MMC_QUIRK_NO_UHS_DDR50_TUNING quirk and updates +mmc_execute_tuning() to return 0 if that quirk is set. This fixes an +issue on certain Swissbit SD cards that do not support DDR50 tuning +where tuning requests caused I/O errors to be thrown. + +Signed-off-by: Erick Shepherd +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20250331221337.1414534-1-erick.shepherd@ni.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/card.h | 6 ++++++ + drivers/mmc/core/quirks.h | 10 ++++++++++ + drivers/mmc/core/sd.c | 32 ++++++++++++++++++++++++-------- + include/linux/mmc/card.h | 1 + + 4 files changed, 41 insertions(+), 8 deletions(-) + +diff --git a/drivers/mmc/core/card.h b/drivers/mmc/core/card.h +index 8476754b1b170..fe0b2fa3bb89d 100644 +--- a/drivers/mmc/core/card.h ++++ b/drivers/mmc/core/card.h +@@ -86,6 +86,7 @@ struct mmc_fixup { + #define CID_MANFID_MICRON 0x13 + #define CID_MANFID_SAMSUNG 0x15 + #define CID_MANFID_APACER 0x27 ++#define CID_MANFID_SWISSBIT 0x5D + #define CID_MANFID_KINGSTON 0x70 + #define CID_MANFID_HYNIX 0x90 + #define CID_MANFID_KINGSTON_SD 0x9F +@@ -291,4 +292,9 @@ static inline int mmc_card_broken_sd_poweroff_notify(const struct mmc_card *c) + return c->quirks & MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY; + } + ++static inline int mmc_card_no_uhs_ddr50_tuning(const struct mmc_card *c) ++{ ++ return c->quirks & MMC_QUIRK_NO_UHS_DDR50_TUNING; ++} ++ + #endif +diff --git a/drivers/mmc/core/quirks.h b/drivers/mmc/core/quirks.h +index 89b512905be14..7f893bafaa607 100644 +--- a/drivers/mmc/core/quirks.h ++++ b/drivers/mmc/core/quirks.h +@@ -34,6 +34,16 @@ static const struct mmc_fixup __maybe_unused mmc_sd_fixups[] = { + MMC_QUIRK_BROKEN_SD_CACHE | MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY, + EXT_CSD_REV_ANY), + ++ /* ++ * Swissbit series S46-u cards throw I/O errors during tuning requests ++ * after the initial tuning request expectedly times out. This has ++ * only been observed on cards manufactured on 01/2019 that are using ++ * Bay Trail host controllers. ++ */ ++ _FIXUP_EXT("0016G", CID_MANFID_SWISSBIT, 0x5342, 2019, 1, ++ 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd, ++ MMC_QUIRK_NO_UHS_DDR50_TUNING, EXT_CSD_REV_ANY), ++ + END_FIXUP + }; + +diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c +index f02c3e5eb5c85..a06f3011e2b58 100644 +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -618,6 +618,29 @@ static int sd_set_current_limit(struct mmc_card *card, u8 *status) + return 0; + } + ++/* ++ * Determine if the card should tune or not. ++ */ ++static bool mmc_sd_use_tuning(struct mmc_card *card) ++{ ++ /* ++ * SPI mode doesn't define CMD19 and tuning is only valid for SDR50 and ++ * SDR104 mode SD-cards. Note that tuning is mandatory for SDR104. ++ */ ++ if (mmc_host_is_spi(card->host)) ++ return false; ++ ++ switch (card->host->ios.timing) { ++ case MMC_TIMING_UHS_SDR50: ++ case MMC_TIMING_UHS_SDR104: ++ return true; ++ case MMC_TIMING_UHS_DDR50: ++ return !mmc_card_no_uhs_ddr50_tuning(card); ++ } ++ ++ return false; ++} ++ + /* + * UHS-I specific initialization procedure + */ +@@ -661,14 +684,7 @@ static int mmc_sd_init_uhs_card(struct mmc_card *card) + if (err) + goto out; + +- /* +- * SPI mode doesn't define CMD19 and tuning is only valid for SDR50 and +- * SDR104 mode SD-cards. Note that tuning is mandatory for SDR104. +- */ +- if (!mmc_host_is_spi(card->host) && +- (card->host->ios.timing == MMC_TIMING_UHS_SDR50 || +- card->host->ios.timing == MMC_TIMING_UHS_DDR50 || +- card->host->ios.timing == MMC_TIMING_UHS_SDR104)) { ++ if (mmc_sd_use_tuning(card)) { + err = mmc_execute_tuning(card); + + /* +diff --git a/include/linux/mmc/card.h b/include/linux/mmc/card.h +index afa575e362a47..7c6da19fff9f0 100644 +--- a/include/linux/mmc/card.h ++++ b/include/linux/mmc/card.h +@@ -297,6 +297,7 @@ struct mmc_card { + #define MMC_QUIRK_BROKEN_SD_CACHE (1<<15) /* Disable broken SD cache support */ + #define MMC_QUIRK_BROKEN_CACHE_FLUSH (1<<16) /* Don't flush cache until the write has occurred */ + #define MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY (1<<17) /* Disable broken SD poweroff notify support */ ++#define MMC_QUIRK_NO_UHS_DDR50_TUNING (1<<18) /* Disable DDR50 tuning */ + + bool written_flag; /* Indicates eMMC has been written since power on */ + bool reenable_cmdq; /* Re-enable Command Queue */ +-- +2.39.5 + diff --git a/queue-6.6/mmc-sdhci-esdhc-imx-save-tuning-value-when-card-stay.patch b/queue-6.6/mmc-sdhci-esdhc-imx-save-tuning-value-when-card-stay.patch new file mode 100644 index 0000000000..3d53ee02f9 --- /dev/null +++ b/queue-6.6/mmc-sdhci-esdhc-imx-save-tuning-value-when-card-stay.patch @@ -0,0 +1,191 @@ +From be50d4547d1bcaf10c2e69fdd87c90f10b1f326e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 19:25:17 +0800 +Subject: mmc: sdhci-esdhc-imx: Save tuning value when card stays powered in + suspend + +From: Luke Wang + +[ Upstream commit c63d25cdc59ae2891b39ba2da950910291d9bcbf ] + +For SoCs like i.MX6UL(L/Z) and i.MX7D, USDHC powers off completely during +system power management (PM), causing the internal tuning status to be +lost. To address this, save the tuning value when system suspend and +restore it for any command issued after system resume when re-tuning is +held. + +A typical case involves SDIO WiFi devices with the MMC_PM_KEEP_POWER and +MMC_PM_WAKE_SDIO_IRQ flag, which retain power during system PM. To +conserve power, WiFi switches to 1-bit mode and restores 4-bit mode upon +resume. As per the specification, tuning commands are not supported in +1-bit mode. When sending CMD52 to restore 4-bit mode, re-tuning must be +held. However, CMD52 still requires a correct sample point to avoid CRC +errors, necessitating preservation of the previous tuning value. + +Signed-off-by: Luke Wang +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20250328112517.2624806-1-ziniu.wang_1@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 88 +++++++++++++++++++++++++++++- + 1 file changed, 86 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index e4e9b84f210b2..28ece6839aead 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -80,6 +80,8 @@ + #define ESDHC_TUNE_CTRL_STEP 1 + #define ESDHC_TUNE_CTRL_MIN 0 + #define ESDHC_TUNE_CTRL_MAX ((1 << 7) - 1) ++#define ESDHC_TUNE_CTRL_STATUS_TAP_SEL_PRE_MASK GENMASK(30, 24) ++#define ESDHC_TUNE_CTRL_STATUS_DLY_CELL_SET_PRE_MASK GENMASK(14, 8) + + /* strobe dll register */ + #define ESDHC_STROBE_DLL_CTRL 0x70 +@@ -231,6 +233,7 @@ struct esdhc_platform_data { + unsigned int tuning_step; /* The delay cell steps in tuning procedure */ + unsigned int tuning_start_tap; /* The start delay cell point in tuning procedure */ + unsigned int strobe_dll_delay_target; /* The delay cell for strobe pad (read clock) */ ++ unsigned int saved_tuning_delay_cell; /* save the value of tuning delay cell */ + }; + + struct esdhc_soc_data { +@@ -1052,7 +1055,7 @@ static void esdhc_reset_tuning(struct sdhci_host *host) + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host); +- u32 ctrl; ++ u32 ctrl, tuning_ctrl; + int ret; + + /* Reset the tuning circuit */ +@@ -1066,6 +1069,16 @@ static void esdhc_reset_tuning(struct sdhci_host *host) + writel(0, host->ioaddr + ESDHC_TUNE_CTRL_STATUS); + } else if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) { + writel(ctrl, host->ioaddr + ESDHC_MIX_CTRL); ++ /* ++ * enable the std tuning just in case it cleared in ++ * sdhc_esdhc_tuning_restore. ++ */ ++ tuning_ctrl = readl(host->ioaddr + ESDHC_TUNING_CTRL); ++ if (!(tuning_ctrl & ESDHC_STD_TUNING_EN)) { ++ tuning_ctrl |= ESDHC_STD_TUNING_EN; ++ writel(tuning_ctrl, host->ioaddr + ESDHC_TUNING_CTRL); ++ } ++ + ctrl = readl(host->ioaddr + SDHCI_AUTO_CMD_STATUS); + ctrl &= ~ESDHC_MIX_CTRL_SMPCLK_SEL; + ctrl &= ~ESDHC_MIX_CTRL_EXE_TUNE; +@@ -1144,7 +1157,8 @@ static void esdhc_prepare_tuning(struct sdhci_host *host, u32 val) + reg |= ESDHC_MIX_CTRL_EXE_TUNE | ESDHC_MIX_CTRL_SMPCLK_SEL | + ESDHC_MIX_CTRL_FBCLK_SEL; + writel(reg, host->ioaddr + ESDHC_MIX_CTRL); +- writel(val << 8, host->ioaddr + ESDHC_TUNE_CTRL_STATUS); ++ writel(FIELD_PREP(ESDHC_TUNE_CTRL_STATUS_DLY_CELL_SET_PRE_MASK, val), ++ host->ioaddr + ESDHC_TUNE_CTRL_STATUS); + dev_dbg(mmc_dev(host->mmc), + "tuning with delay 0x%x ESDHC_TUNE_CTRL_STATUS 0x%x\n", + val, readl(host->ioaddr + ESDHC_TUNE_CTRL_STATUS)); +@@ -1532,6 +1546,57 @@ static void sdhci_esdhc_imx_hwinit(struct sdhci_host *host) + } + } + ++static void sdhc_esdhc_tuning_save(struct sdhci_host *host) ++{ ++ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); ++ struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host); ++ u32 reg; ++ ++ /* ++ * SD/eMMC do not need this tuning save because it will re-init ++ * after system resume back. ++ * Here save the tuning delay value for SDIO device since it may ++ * keep power during system PM. And for usdhc, only SDR50 and ++ * SDR104 mode for SDIO device need to do tuning, and need to ++ * save/restore. ++ */ ++ if (host->timing == MMC_TIMING_UHS_SDR50 || ++ host->timing == MMC_TIMING_UHS_SDR104) { ++ reg = readl(host->ioaddr + ESDHC_TUNE_CTRL_STATUS); ++ reg = FIELD_GET(ESDHC_TUNE_CTRL_STATUS_TAP_SEL_PRE_MASK, reg); ++ imx_data->boarddata.saved_tuning_delay_cell = reg; ++ } ++} ++ ++static void sdhc_esdhc_tuning_restore(struct sdhci_host *host) ++{ ++ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); ++ struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host); ++ u32 reg; ++ ++ if (host->timing == MMC_TIMING_UHS_SDR50 || ++ host->timing == MMC_TIMING_UHS_SDR104) { ++ /* ++ * restore the tuning delay value actually is a ++ * manual tuning method, so clear the standard ++ * tuning enable bit here. Will set back this ++ * ESDHC_STD_TUNING_EN in esdhc_reset_tuning() ++ * when trigger re-tuning. ++ */ ++ reg = readl(host->ioaddr + ESDHC_TUNING_CTRL); ++ reg &= ~ESDHC_STD_TUNING_EN; ++ writel(reg, host->ioaddr + ESDHC_TUNING_CTRL); ++ ++ reg = readl(host->ioaddr + ESDHC_MIX_CTRL); ++ reg |= ESDHC_MIX_CTRL_SMPCLK_SEL | ESDHC_MIX_CTRL_FBCLK_SEL; ++ writel(reg, host->ioaddr + ESDHC_MIX_CTRL); ++ ++ writel(FIELD_PREP(ESDHC_TUNE_CTRL_STATUS_DLY_CELL_SET_PRE_MASK, ++ imx_data->boarddata.saved_tuning_delay_cell), ++ host->ioaddr + ESDHC_TUNE_CTRL_STATUS); ++ } ++} ++ + static void esdhc_cqe_enable(struct mmc_host *mmc) + { + struct sdhci_host *host = mmc_priv(mmc); +@@ -1856,6 +1921,15 @@ static int sdhci_esdhc_suspend(struct device *dev) + if (host->tuning_mode != SDHCI_TUNING_MODE_3) + mmc_retune_needed(host->mmc); + ++ /* ++ * For the device need to keep power during system PM, need ++ * to save the tuning delay value just in case the usdhc ++ * lost power during system PM. ++ */ ++ if (mmc_card_keep_power(host->mmc) && mmc_card_wake_sdio_irq(host->mmc) && ++ esdhc_is_usdhc(imx_data)) ++ sdhc_esdhc_tuning_save(host); ++ + ret = sdhci_suspend_host(host); + if (ret) + return ret; +@@ -1872,6 +1946,8 @@ static int sdhci_esdhc_suspend(struct device *dev) + static int sdhci_esdhc_resume(struct device *dev) + { + struct sdhci_host *host = dev_get_drvdata(dev); ++ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); ++ struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host); + int ret; + + ret = pinctrl_pm_select_default_state(dev); +@@ -1885,6 +1961,14 @@ static int sdhci_esdhc_resume(struct device *dev) + if (ret) + return ret; + ++ /* ++ * restore the saved tuning delay value for the device which keep ++ * power during system PM. ++ */ ++ if (mmc_card_keep_power(host->mmc) && mmc_card_wake_sdio_irq(host->mmc) && ++ esdhc_is_usdhc(imx_data)) ++ sdhc_esdhc_tuning_restore(host); ++ + if (host->mmc->caps2 & MMC_CAP2_CQE) + ret = cqhci_resume(host->mmc); + +-- +2.39.5 + diff --git a/queue-6.6/net-atlantic-generate-software-timestamp-just-before.patch b/queue-6.6/net-atlantic-generate-software-timestamp-just-before.patch new file mode 100644 index 0000000000..ec18109c7e --- /dev/null +++ b/queue-6.6/net-atlantic-generate-software-timestamp-just-before.patch @@ -0,0 +1,49 @@ +From afa8c77d75dd9cb8d5f40f43641f7615a77be4dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 21:48:10 +0800 +Subject: net: atlantic: generate software timestamp just before the doorbell + +From: Jason Xing + +[ Upstream commit 285ad7477559b6b5ceed10ba7ecfed9d17c0e7c6 ] + +Make sure the call of skb_tx_timestamp is as close as possible to the +doorbell. + +Signed-off-by: Jason Xing +Link: https://patch.msgid.link/20250510134812.48199-2-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_main.c | 1 - + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c +index 0b2a52199914b..75d436c906968 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c +@@ -123,7 +123,6 @@ static netdev_tx_t aq_ndev_start_xmit(struct sk_buff *skb, struct net_device *nd + } + #endif + +- skb_tx_timestamp(skb); + return aq_nic_xmit(aq_nic, skb); + } + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +index c9b0d57696a48..07392174f6437 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -898,6 +898,8 @@ int aq_nic_xmit(struct aq_nic_s *self, struct sk_buff *skb) + + frags = aq_nic_map_skb(self, skb, ring); + ++ skb_tx_timestamp(skb); ++ + if (likely(frags)) { + err = self->aq_hw_ops->hw_ring_tx_xmit(self->aq_hw, + ring, frags); +-- +2.39.5 + diff --git a/queue-6.6/net-bridge-mcast-re-implement-br_multicast_-enable-d.patch b/queue-6.6/net-bridge-mcast-re-implement-br_multicast_-enable-d.patch new file mode 100644 index 0000000000..5943f68a82 --- /dev/null +++ b/queue-6.6/net-bridge-mcast-re-implement-br_multicast_-enable-d.patch @@ -0,0 +1,173 @@ +From 903643dc4926f1f70eabdbb99c206046c249c0b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:43:12 +0200 +Subject: net: bridge: mcast: re-implement br_multicast_{enable, disable}_port + functions + +From: Yong Wang + +[ Upstream commit 4b30ae9adb047dd0a7982975ec3933c529537026 ] + +When a bridge port STP state is changed from BLOCKING/DISABLED to +FORWARDING, the port's igmp query timer will NOT re-arm itself if the +bridge has been configured as per-VLAN multicast snooping. + +Solve this by choosing the correct multicast context(s) to enable/disable +port multicast based on whether per-VLAN multicast snooping is enabled or +not, i.e. using per-{port, VLAN} context in case of per-VLAN multicast +snooping by re-implementing br_multicast_enable_port() and +br_multicast_disable_port() functions. + +Before the patch, the IGMP query does not happen in the last step of the +following test sequence, i.e. no growth for tx counter: + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1 + # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0 + # ip link add name swp1 up master br1 type dummy + # bridge link set dev swp1 state 0 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # sleep 1 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # bridge link set dev swp1 state 3 + # sleep 2 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + +After the patch, the IGMP query happens in the last step of the test: + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1 + # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0 + # ip link add name swp1 up master br1 type dummy + # bridge link set dev swp1 state 0 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # sleep 1 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # bridge link set dev swp1 state 3 + # sleep 2 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +3 + +Signed-off-by: Yong Wang +Reviewed-by: Andy Roulin +Reviewed-by: Ido Schimmel +Signed-off-by: Petr Machata +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_multicast.c | 77 +++++++++++++++++++++++++++++++++++---- + 1 file changed, 69 insertions(+), 8 deletions(-) + +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index ea71a64f915f9..fa16ee88ec396 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -2104,12 +2104,17 @@ static void __br_multicast_enable_port_ctx(struct net_bridge_mcast_port *pmctx) + } + } + +-void br_multicast_enable_port(struct net_bridge_port *port) ++static void br_multicast_enable_port_ctx(struct net_bridge_mcast_port *pmctx) + { +- struct net_bridge *br = port->br; ++ struct net_bridge *br = pmctx->port->br; + + spin_lock_bh(&br->multicast_lock); +- __br_multicast_enable_port_ctx(&port->multicast_ctx); ++ if (br_multicast_port_ctx_is_vlan(pmctx) && ++ !(pmctx->vlan->priv_flags & BR_VLFLAG_MCAST_ENABLED)) { ++ spin_unlock_bh(&br->multicast_lock); ++ return; ++ } ++ __br_multicast_enable_port_ctx(pmctx); + spin_unlock_bh(&br->multicast_lock); + } + +@@ -2136,11 +2141,67 @@ static void __br_multicast_disable_port_ctx(struct net_bridge_mcast_port *pmctx) + br_multicast_rport_del_notify(pmctx, del); + } + ++static void br_multicast_disable_port_ctx(struct net_bridge_mcast_port *pmctx) ++{ ++ struct net_bridge *br = pmctx->port->br; ++ ++ spin_lock_bh(&br->multicast_lock); ++ if (br_multicast_port_ctx_is_vlan(pmctx) && ++ !(pmctx->vlan->priv_flags & BR_VLFLAG_MCAST_ENABLED)) { ++ spin_unlock_bh(&br->multicast_lock); ++ return; ++ } ++ ++ __br_multicast_disable_port_ctx(pmctx); ++ spin_unlock_bh(&br->multicast_lock); ++} ++ ++static void br_multicast_toggle_port(struct net_bridge_port *port, bool on) ++{ ++#if IS_ENABLED(CONFIG_BRIDGE_VLAN_FILTERING) ++ if (br_opt_get(port->br, BROPT_MCAST_VLAN_SNOOPING_ENABLED)) { ++ struct net_bridge_vlan_group *vg; ++ struct net_bridge_vlan *vlan; ++ ++ rcu_read_lock(); ++ vg = nbp_vlan_group_rcu(port); ++ if (!vg) { ++ rcu_read_unlock(); ++ return; ++ } ++ ++ /* iterate each vlan, toggle vlan multicast context */ ++ list_for_each_entry_rcu(vlan, &vg->vlan_list, vlist) { ++ struct net_bridge_mcast_port *pmctx = ++ &vlan->port_mcast_ctx; ++ u8 state = br_vlan_get_state(vlan); ++ /* enable vlan multicast context when state is ++ * LEARNING or FORWARDING ++ */ ++ if (on && br_vlan_state_allowed(state, true)) ++ br_multicast_enable_port_ctx(pmctx); ++ else ++ br_multicast_disable_port_ctx(pmctx); ++ } ++ rcu_read_unlock(); ++ return; ++ } ++#endif ++ /* toggle port multicast context when vlan snooping is disabled */ ++ if (on) ++ br_multicast_enable_port_ctx(&port->multicast_ctx); ++ else ++ br_multicast_disable_port_ctx(&port->multicast_ctx); ++} ++ ++void br_multicast_enable_port(struct net_bridge_port *port) ++{ ++ br_multicast_toggle_port(port, true); ++} ++ + void br_multicast_disable_port(struct net_bridge_port *port) + { +- spin_lock_bh(&port->br->multicast_lock); +- __br_multicast_disable_port_ctx(&port->multicast_ctx); +- spin_unlock_bh(&port->br->multicast_lock); ++ br_multicast_toggle_port(port, false); + } + + static int __grp_src_delete_marked(struct net_bridge_port_group *pg) +@@ -4329,9 +4390,9 @@ int br_multicast_toggle_vlan_snooping(struct net_bridge *br, bool on, + __br_multicast_open(&br->multicast_ctx); + list_for_each_entry(p, &br->port_list, list) { + if (on) +- br_multicast_disable_port(p); ++ br_multicast_disable_port_ctx(&p->multicast_ctx); + else +- br_multicast_enable_port(p); ++ br_multicast_enable_port_ctx(&p->multicast_ctx); + } + + list_for_each_entry(vlan, &vg->vlan_list, vlist) +-- +2.39.5 + diff --git a/queue-6.6/net-bridge-mcast-update-multicast-contex-when-vlan-s.patch b/queue-6.6/net-bridge-mcast-update-multicast-contex-when-vlan-s.patch new file mode 100644 index 0000000000..f65d15e6bc --- /dev/null +++ b/queue-6.6/net-bridge-mcast-update-multicast-contex-when-vlan-s.patch @@ -0,0 +1,165 @@ +From baf6e2d2af1505e41a2824d47da5ffe75559f78f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:43:13 +0200 +Subject: net: bridge: mcast: update multicast contex when vlan state is + changed + +From: Yong Wang + +[ Upstream commit 6c131043eaf1be2a6cc2d228f92ceb626fbcc0f3 ] + +When the vlan STP state is changed, which could be manipulated by +"bridge vlan" commands, similar to port STP state, this also impacts +multicast behaviors such as igmp query. In the scenario of per-VLAN +snooping, there's a need to update the corresponding multicast context +to re-arm the port query timer when vlan state becomes "forwarding" etc. + +Update br_vlan_set_state() function to enable vlan multicast context +in such scenario. + +Before the patch, the IGMP query does not happen in the last step of the +following test sequence, i.e. no growth for tx counter: + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1 + # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0 + # ip link add name swp1 up master br1 type dummy + # sleep 1 + # bridge vlan set vid 1 dev swp1 state 4 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # sleep 1 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # bridge vlan set vid 1 dev swp1 state 3 + # sleep 2 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + +After the patch, the IGMP query happens in the last step of the test: + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1 + # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0 + # ip link add name swp1 up master br1 type dummy + # sleep 1 + # bridge vlan set vid 1 dev swp1 state 4 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # sleep 1 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # bridge vlan set vid 1 dev swp1 state 3 + # sleep 2 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +3 + +Signed-off-by: Yong Wang +Reviewed-by: Andy Roulin +Reviewed-by: Ido Schimmel +Signed-off-by: Petr Machata +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_mst.c | 4 ++-- + net/bridge/br_multicast.c | 26 ++++++++++++++++++++++++++ + net/bridge/br_private.h | 11 ++++++++++- + 3 files changed, 38 insertions(+), 3 deletions(-) + +diff --git a/net/bridge/br_mst.c b/net/bridge/br_mst.c +index 1820f09ff59ce..3f24b4ee49c27 100644 +--- a/net/bridge/br_mst.c ++++ b/net/bridge/br_mst.c +@@ -80,10 +80,10 @@ static void br_mst_vlan_set_state(struct net_bridge_vlan_group *vg, + if (br_vlan_get_state(v) == state) + return; + +- br_vlan_set_state(v, state); +- + if (v->vid == vg->pvid) + br_vlan_set_pvid_state(vg, state); ++ ++ br_vlan_set_state(v, state); + } + + int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index c38244d60ff86..ea71a64f915f9 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -4210,6 +4210,32 @@ static void __br_multicast_stop(struct net_bridge_mcast *brmctx) + #endif + } + ++void br_multicast_update_vlan_mcast_ctx(struct net_bridge_vlan *v, u8 state) ++{ ++#if IS_ENABLED(CONFIG_BRIDGE_VLAN_FILTERING) ++ struct net_bridge *br; ++ ++ if (!br_vlan_should_use(v)) ++ return; ++ ++ if (br_vlan_is_master(v)) ++ return; ++ ++ br = v->port->br; ++ ++ if (!br_opt_get(br, BROPT_MCAST_VLAN_SNOOPING_ENABLED)) ++ return; ++ ++ if (br_vlan_state_allowed(state, true)) ++ br_multicast_enable_port_ctx(&v->port_mcast_ctx); ++ ++ /* Multicast is not disabled for the vlan when it goes in ++ * blocking state because the timers will expire and stop by ++ * themselves without sending more queries. ++ */ ++#endif ++} ++ + void br_multicast_toggle_one_vlan(struct net_bridge_vlan *vlan, bool on) + { + struct net_bridge *br; +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 9197b511e4597..067d47b8eb8ff 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1043,6 +1043,7 @@ void br_multicast_port_ctx_init(struct net_bridge_port *port, + struct net_bridge_vlan *vlan, + struct net_bridge_mcast_port *pmctx); + void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pmctx); ++void br_multicast_update_vlan_mcast_ctx(struct net_bridge_vlan *v, u8 state); + void br_multicast_toggle_one_vlan(struct net_bridge_vlan *vlan, bool on); + int br_multicast_toggle_vlan_snooping(struct net_bridge *br, bool on, + struct netlink_ext_ack *extack); +@@ -1479,6 +1480,11 @@ static inline void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pm + { + } + ++static inline void br_multicast_update_vlan_mcast_ctx(struct net_bridge_vlan *v, ++ u8 state) ++{ ++} ++ + static inline void br_multicast_toggle_one_vlan(struct net_bridge_vlan *vlan, + bool on) + { +@@ -1830,7 +1836,9 @@ bool br_vlan_global_opts_can_enter_range(const struct net_bridge_vlan *v_curr, + bool br_vlan_global_opts_fill(struct sk_buff *skb, u16 vid, u16 vid_range, + const struct net_bridge_vlan *v_opts); + +-/* vlan state manipulation helpers using *_ONCE to annotate lock-free access */ ++/* vlan state manipulation helpers using *_ONCE to annotate lock-free access, ++ * while br_vlan_set_state() may access data protected by multicast_lock. ++ */ + static inline u8 br_vlan_get_state(const struct net_bridge_vlan *v) + { + return READ_ONCE(v->state); +@@ -1839,6 +1847,7 @@ static inline u8 br_vlan_get_state(const struct net_bridge_vlan *v) + static inline void br_vlan_set_state(struct net_bridge_vlan *v, u8 state) + { + WRITE_ONCE(v->state, state); ++ br_multicast_update_vlan_mcast_ctx(v, state); + } + + static inline u8 br_vlan_get_pvid_state(const struct net_bridge_vlan_group *vg) +-- +2.39.5 + diff --git a/queue-6.6/net-dlink-add-synchronization-for-stats-update.patch b/queue-6.6/net-dlink-add-synchronization-for-stats-update.patch new file mode 100644 index 0000000000..109d66a247 --- /dev/null +++ b/queue-6.6/net-dlink-add-synchronization-for-stats-update.patch @@ -0,0 +1,102 @@ +From a8f270a4c6bee7c9b7480750fad1660c40da8364 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:53:31 +0900 +Subject: net: dlink: add synchronization for stats update + +From: Moon Yeounsu + +[ Upstream commit 12889ce926e9a9baf6b83d809ba316af539b89e2 ] + +This patch synchronizes code that accesses from both user-space +and IRQ contexts. The `get_stats()` function can be called from both +context. + +`dev->stats.tx_errors` and `dev->stats.collisions` are also updated +in the `tx_errors()` function. Therefore, these fields must also be +protected by synchronized. + +There is no code that accessses `dev->stats.tx_errors` between the +previous and updated lines, so the updating point can be moved. + +Signed-off-by: Moon Yeounsu +Link: https://patch.msgid.link/20250515075333.48290-1-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dlink/dl2k.c | 14 +++++++++++++- + drivers/net/ethernet/dlink/dl2k.h | 2 ++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c +index ce46f3ac3b5a1..fad5a72d3b167 100644 +--- a/drivers/net/ethernet/dlink/dl2k.c ++++ b/drivers/net/ethernet/dlink/dl2k.c +@@ -146,6 +146,8 @@ rio_probe1 (struct pci_dev *pdev, const struct pci_device_id *ent) + np->ioaddr = ioaddr; + np->chip_id = chip_idx; + np->pdev = pdev; ++ ++ spin_lock_init(&np->stats_lock); + spin_lock_init (&np->tx_lock); + spin_lock_init (&np->rx_lock); + +@@ -866,7 +868,6 @@ tx_error (struct net_device *dev, int tx_status) + frame_id = (tx_status & 0xffff0000); + printk (KERN_ERR "%s: Transmit error, TxStatus %4.4x, FrameId %d.\n", + dev->name, tx_status, frame_id); +- dev->stats.tx_errors++; + /* Ttransmit Underrun */ + if (tx_status & 0x10) { + dev->stats.tx_fifo_errors++; +@@ -903,9 +904,15 @@ tx_error (struct net_device *dev, int tx_status) + rio_set_led_mode(dev); + /* Let TxStartThresh stay default value */ + } ++ ++ spin_lock(&np->stats_lock); + /* Maximum Collisions */ + if (tx_status & 0x08) + dev->stats.collisions++; ++ ++ dev->stats.tx_errors++; ++ spin_unlock(&np->stats_lock); ++ + /* Restart the Tx */ + dw32(MACCtrl, dr16(MACCtrl) | TxEnable); + } +@@ -1074,7 +1081,9 @@ get_stats (struct net_device *dev) + int i; + #endif + unsigned int stat_reg; ++ unsigned long flags; + ++ spin_lock_irqsave(&np->stats_lock, flags); + /* All statistics registers need to be acknowledged, + else statistic overflow could cause problems */ + +@@ -1124,6 +1133,9 @@ get_stats (struct net_device *dev) + dr16(TCPCheckSumErrors); + dr16(UDPCheckSumErrors); + dr16(IPCheckSumErrors); ++ ++ spin_unlock_irqrestore(&np->stats_lock, flags); ++ + return &dev->stats; + } + +diff --git a/drivers/net/ethernet/dlink/dl2k.h b/drivers/net/ethernet/dlink/dl2k.h +index 0e33e2eaae960..56aff2f0bdbfa 100644 +--- a/drivers/net/ethernet/dlink/dl2k.h ++++ b/drivers/net/ethernet/dlink/dl2k.h +@@ -372,6 +372,8 @@ struct netdev_private { + struct pci_dev *pdev; + void __iomem *ioaddr; + void __iomem *eeprom_addr; ++ // To ensure synchronization when stats are updated. ++ spinlock_t stats_lock; + spinlock_t tx_lock; + spinlock_t rx_lock; + unsigned int rx_buf_sz; /* Based on MTU+slack. */ +-- +2.39.5 + diff --git a/queue-6.6/net-ethernet-cortina-use-toe-tso-on-all-tcp.patch b/queue-6.6/net-ethernet-cortina-use-toe-tso-on-all-tcp.patch new file mode 100644 index 0000000000..d1ea130783 --- /dev/null +++ b/queue-6.6/net-ethernet-cortina-use-toe-tso-on-all-tcp.patch @@ -0,0 +1,132 @@ +From 4e32834f3795a97125a8ce1e7b2113158c4c2040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 11:26:58 +0200 +Subject: net: ethernet: cortina: Use TOE/TSO on all TCP + +From: Linus Walleij + +[ Upstream commit 6a07e3af4973402fa199a80036c10060b922c92c ] + +It is desireable to push the hardware accelerator to also +process non-segmented TCP frames: we pass the skb->len +to the "TOE/TSO" offloader and it will handle them. + +Without this quirk the driver becomes unstable and lock +up and and crash. + +I do not know exactly why, but it is probably due to the +TOE (TCP offload engine) feature that is coupled with the +segmentation feature - it is not possible to turn one +part off and not the other, either both TOE and TSO are +active, or neither of them. + +Not having the TOE part active seems detrimental, as if +that hardware feature is not really supposed to be turned +off. + +The datasheet says: + + "Based on packet parsing and TCP connection/NAT table + lookup results, the NetEngine puts the packets + belonging to the same TCP connection to the same queue + for the software to process. The NetEngine puts + incoming packets to the buffer or series of buffers + for a jumbo packet. With this hardware acceleration, + IP/TCP header parsing, checksum validation and + connection lookup are offloaded from the software + processing." + +After numerous tests with the hardware locking up after +something between minutes and hours depending on load +using iperf3 I have concluded this is necessary to stabilize +the hardware. + +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20250408-gemini-ethernet-tso-always-v1-1-e669f932359c@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 37 +++++++++++++++++++++------ + 1 file changed, 29 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 5af98fba74803..fce2ff1e1d834 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -1148,6 +1148,7 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + struct gmac_txdesc *txd; + skb_frag_t *skb_frag; + dma_addr_t mapping; ++ bool tcp = false; + void *buffer; + u16 mss; + int ret; +@@ -1155,6 +1156,13 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + word1 = skb->len; + word3 = SOF_BIT; + ++ /* Determine if we are doing TCP */ ++ if (skb->protocol == htons(ETH_P_IP)) ++ tcp = (ip_hdr(skb)->protocol == IPPROTO_TCP); ++ else ++ /* IPv6 */ ++ tcp = (ipv6_hdr(skb)->nexthdr == IPPROTO_TCP); ++ + mss = skb_shinfo(skb)->gso_size; + if (mss) { + /* This means we are dealing with TCP and skb->len is the +@@ -1167,8 +1175,26 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + mss, skb->len); + word1 |= TSS_MTU_ENABLE_BIT; + word3 |= mss; ++ } else if (tcp) { ++ /* Even if we are not using TSO, use the hardware offloader ++ * for transferring the TCP frame: this hardware has partial ++ * TCP awareness (called TOE - TCP Offload Engine) and will ++ * according to the datasheet put packets belonging to the ++ * same TCP connection in the same queue for the TOE/TSO ++ * engine to process. The engine will deal with chopping ++ * up frames that exceed ETH_DATA_LEN which the ++ * checksumming engine cannot handle (see below) into ++ * manageable chunks. It flawlessly deals with quite big ++ * frames and frames containing custom DSA EtherTypes. ++ */ ++ mss = netdev->mtu + skb_tcp_all_headers(skb); ++ mss = min(mss, skb->len); ++ netdev_dbg(netdev, "TOE/TSO len %04x mtu %04x mss %04x\n", ++ skb->len, netdev->mtu, mss); ++ word1 |= TSS_MTU_ENABLE_BIT; ++ word3 |= mss; + } else if (skb->len >= ETH_FRAME_LEN) { +- /* Hardware offloaded checksumming isn't working on frames ++ /* Hardware offloaded checksumming isn't working on non-TCP frames + * bigger than 1514 bytes. A hypothesis about this is that the + * checksum buffer is only 1518 bytes, so when the frames get + * bigger they get truncated, or the last few bytes get +@@ -1185,21 +1211,16 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + } + + if (skb->ip_summed == CHECKSUM_PARTIAL) { +- int tcp = 0; +- + /* We do not switch off the checksumming on non TCP/UDP + * frames: as is shown from tests, the checksumming engine + * is smart enough to see that a frame is not actually TCP + * or UDP and then just pass it through without any changes + * to the frame. + */ +- if (skb->protocol == htons(ETH_P_IP)) { ++ if (skb->protocol == htons(ETH_P_IP)) + word1 |= TSS_IP_CHKSUM_BIT; +- tcp = ip_hdr(skb)->protocol == IPPROTO_TCP; +- } else { /* IPv6 */ ++ else + word1 |= TSS_IPV6_ENABLE_BIT; +- tcp = ipv6_hdr(skb)->nexthdr == IPPROTO_TCP; +- } + + word1 |= tcp ? TSS_TCP_CHKSUM_BIT : TSS_UDP_CHKSUM_BIT; + } +-- +2.39.5 + diff --git a/queue-6.6/net-ethernet-ti-am65-cpsw-handle-eprobe_defer.patch b/queue-6.6/net-ethernet-ti-am65-cpsw-handle-eprobe_defer.patch new file mode 100644 index 0000000000..770266a332 --- /dev/null +++ b/queue-6.6/net-ethernet-ti-am65-cpsw-handle-eprobe_defer.patch @@ -0,0 +1,81 @@ +From af36a136323f5c46f7c7f0a004923b6452580d21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 10:43:36 +0200 +Subject: net: ethernet: ti: am65-cpsw: handle -EPROBE_DEFER + +From: Michael Walle + +[ Upstream commit 09737cb80b8686ffca4ed1805fee745d5c85604d ] + +of_get_mac_address() might fetch the MAC address from NVMEM and that +driver might not have been loaded. In that case, -EPROBE_DEFER is +returned. Right now, this will trigger an immediate fallback to +am65_cpsw_am654_get_efuse_macid() possibly resulting in a random MAC +address although the MAC address is stored in the referenced NVMEM. + +Fix it by handling the -EPROBE_DEFER return code correctly. This also +means that the creation of the MDIO device has to be moved to a later +stage as -EPROBE_DEFER must not be returned after child devices are +created. + +Signed-off-by: Michael Walle +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250414084336.4017237-3-mwalle@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index c379a958380ce..28cc23736a69b 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -2089,7 +2089,9 @@ static int am65_cpsw_nuss_init_slave_ports(struct am65_cpsw_common *common) + goto of_node_put; + + ret = of_get_mac_address(port_np, port->slave.mac_addr); +- if (ret) { ++ if (ret == -EPROBE_DEFER) { ++ goto of_node_put; ++ } else if (ret) { + am65_cpsw_am654_get_efuse_macid(port_np, + port->port_id, + port->slave.mac_addr); +@@ -2949,6 +2951,16 @@ static int am65_cpsw_nuss_probe(struct platform_device *pdev) + return ret; + } + ++ am65_cpsw_nuss_get_ver(common); ++ ++ ret = am65_cpsw_nuss_init_host_p(common); ++ if (ret) ++ goto err_pm_clear; ++ ++ ret = am65_cpsw_nuss_init_slave_ports(common); ++ if (ret) ++ goto err_pm_clear; ++ + node = of_get_child_by_name(dev->of_node, "mdio"); + if (!node) { + dev_warn(dev, "MDIO node not found\n"); +@@ -2965,16 +2977,6 @@ static int am65_cpsw_nuss_probe(struct platform_device *pdev) + } + of_node_put(node); + +- am65_cpsw_nuss_get_ver(common); +- +- ret = am65_cpsw_nuss_init_host_p(common); +- if (ret) +- goto err_of_clear; +- +- ret = am65_cpsw_nuss_init_slave_ports(common); +- if (ret) +- goto err_of_clear; +- + /* init common data */ + ale_params.dev = dev; + ale_params.ale_ageout = AM65_CPSW_ALE_AGEOUT_DEFAULT; +-- +2.39.5 + diff --git a/queue-6.6/net-lan743x-modify-the-eeprom-and-otp-size-for-pci1x.patch b/queue-6.6/net-lan743x-modify-the-eeprom-and-otp-size-for-pci1x.patch new file mode 100644 index 0000000000..d523fc18c2 --- /dev/null +++ b/queue-6.6/net-lan743x-modify-the-eeprom-and-otp-size-for-pci1x.patch @@ -0,0 +1,89 @@ +From afda92b5b7d8eb548ea1ceb9908724d80b66236a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 23:03:26 +0530 +Subject: net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices + +From: Rengarajan S + +[ Upstream commit 3b9935586a9b54d2da27901b830d3cf46ad66a1e ] + +Maximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kb +and 64 Kb respectively. Adjust max size definitions and return correct +EEPROM length based on device. Also prevent out-of-bound read/write. + +Signed-off-by: Rengarajan S +Link: https://patch.msgid.link/20250523173326.18509-1-rengarajan.s@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/microchip/lan743x_ethtool.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan743x_ethtool.c b/drivers/net/ethernet/microchip/lan743x_ethtool.c +index 72b3092d35f71..39a58c3578a02 100644 +--- a/drivers/net/ethernet/microchip/lan743x_ethtool.c ++++ b/drivers/net/ethernet/microchip/lan743x_ethtool.c +@@ -18,6 +18,8 @@ + #define EEPROM_MAC_OFFSET (0x01) + #define MAX_EEPROM_SIZE (512) + #define MAX_OTP_SIZE (1024) ++#define MAX_HS_OTP_SIZE (8 * 1024) ++#define MAX_HS_EEPROM_SIZE (64 * 1024) + #define OTP_INDICATOR_1 (0xF3) + #define OTP_INDICATOR_2 (0xF7) + +@@ -272,6 +274,9 @@ static int lan743x_hs_otp_read(struct lan743x_adapter *adapter, u32 offset, + int ret; + int i; + ++ if (offset + length > MAX_HS_OTP_SIZE) ++ return -EINVAL; ++ + ret = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT); + if (ret < 0) + return ret; +@@ -320,6 +325,9 @@ static int lan743x_hs_otp_write(struct lan743x_adapter *adapter, u32 offset, + int ret; + int i; + ++ if (offset + length > MAX_HS_OTP_SIZE) ++ return -EINVAL; ++ + ret = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT); + if (ret < 0) + return ret; +@@ -497,6 +505,9 @@ static int lan743x_hs_eeprom_read(struct lan743x_adapter *adapter, + u32 val; + int i; + ++ if (offset + length > MAX_HS_EEPROM_SIZE) ++ return -EINVAL; ++ + retval = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT); + if (retval < 0) + return retval; +@@ -539,6 +550,9 @@ static int lan743x_hs_eeprom_write(struct lan743x_adapter *adapter, + u32 val; + int i; + ++ if (offset + length > MAX_HS_EEPROM_SIZE) ++ return -EINVAL; ++ + retval = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT); + if (retval < 0) + return retval; +@@ -604,9 +618,9 @@ static int lan743x_ethtool_get_eeprom_len(struct net_device *netdev) + struct lan743x_adapter *adapter = netdev_priv(netdev); + + if (adapter->flags & LAN743X_ADAPTER_FLAG_OTP) +- return MAX_OTP_SIZE; ++ return adapter->is_pci11x1x ? MAX_HS_OTP_SIZE : MAX_OTP_SIZE; + +- return MAX_EEPROM_SIZE; ++ return adapter->is_pci11x1x ? MAX_HS_EEPROM_SIZE : MAX_EEPROM_SIZE; + } + + static int lan743x_ethtool_get_eeprom(struct net_device *netdev, +-- +2.39.5 + diff --git a/queue-6.6/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch b/queue-6.6/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch new file mode 100644 index 0000000000..e00f888c0a --- /dev/null +++ b/queue-6.6/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch @@ -0,0 +1,42 @@ +From 91c69024f3feb21a3599135614f6ba7539061997 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 May 2025 21:20:31 -0600 +Subject: net: macb: Check return value of dma_set_mask_and_coherent() + +From: Sergio Perez Gonzalez + +[ Upstream commit 3920a758800762917177a6b5ab39707d8e376fe6 ] + +Issue flagged by coverity. Add a safety check for the return value +of dma_set_mask_and_coherent, go to a safe exit if it returns error. + +Link: https://scan7.scan.coverity.com/#/project-view/53936/11354?selectedIssue=1643754 +Signed-off-by: Sergio Perez Gonzalez +Reviewed-by: Claudiu Beznea +Link: https://patch.msgid.link/20250526032034.84900-1-sperezglz@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 6f45f4d9fba71..534e7f7bca4c2 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -5070,7 +5070,11 @@ static int macb_probe(struct platform_device *pdev) + + #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT + if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { +- dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); ++ err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); ++ if (err) { ++ dev_err(&pdev->dev, "failed to set DMA mask\n"); ++ goto err_out_free_netdev; ++ } + bp->hw_dma_cap |= HW_DMA_CAP_64B; + } + #endif +-- +2.39.5 + diff --git a/queue-6.6/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch b/queue-6.6/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch new file mode 100644 index 0000000000..2e8aa86754 --- /dev/null +++ b/queue-6.6/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch @@ -0,0 +1,37 @@ +From 7f98720ef73a7a8232f64732e4a267615291b3fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 17:34:42 +0800 +Subject: net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info + +From: Jason Xing + +[ Upstream commit b86bcfee30576b752302c55693fff97242b35dfd ] + +As mlx4 has implemented skb_tx_timestamp() in mlx4_en_xmit(), the +SOFTWARE flag is surely needed when users are trying to get timestamp +information. + +Signed-off-by: Jason Xing +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20250510093442.79711-1-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index 164a13272faa2..07dced3c2b1c0 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1916,6 +1916,7 @@ static int mlx4_en_get_ts_info(struct net_device *dev, + if (mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_TS) { + info->so_timestamping |= + SOF_TIMESTAMPING_TX_HARDWARE | ++ SOF_TIMESTAMPING_TX_SOFTWARE | + SOF_TIMESTAMPING_RX_HARDWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; + +-- +2.39.5 + diff --git a/queue-6.6/net-vertexcom-mse102x-return-code-for-mse102x_rx_pkt.patch b/queue-6.6/net-vertexcom-mse102x-return-code-for-mse102x_rx_pkt.patch new file mode 100644 index 0000000000..2cd4e2892e --- /dev/null +++ b/queue-6.6/net-vertexcom-mse102x-return-code-for-mse102x_rx_pkt.patch @@ -0,0 +1,92 @@ +From ad626eb5d36c1bfa4e625671d33816415a739bf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 14:04:34 +0200 +Subject: net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi + +From: Stefan Wahren + +[ Upstream commit 4ecf56f4b66011b583644bf9a62188d05dfcd78c ] + +The MSE102x doesn't provide any interrupt register, so the only way +to handle the level interrupt is to fetch the whole packet from +the MSE102x internal buffer via SPI. So in cases the interrupt +handler fails to do this, it should return IRQ_NONE. This allows +the core to disable the interrupt in case the issue persists +and prevent an interrupt storm. + +Signed-off-by: Stefan Wahren +Link: https://patch.msgid.link/20250509120435.43646-6-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/vertexcom/mse102x.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/vertexcom/mse102x.c b/drivers/net/ethernet/vertexcom/mse102x.c +index 060a566bc6aae..c902f8761d5d4 100644 +--- a/drivers/net/ethernet/vertexcom/mse102x.c ++++ b/drivers/net/ethernet/vertexcom/mse102x.c +@@ -306,7 +306,7 @@ static void mse102x_dump_packet(const char *msg, int len, const char *data) + data, len, true); + } + +-static void mse102x_rx_pkt_spi(struct mse102x_net *mse) ++static irqreturn_t mse102x_rx_pkt_spi(struct mse102x_net *mse) + { + struct sk_buff *skb; + unsigned int rxalign; +@@ -327,7 +327,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse) + mse102x_tx_cmd_spi(mse, CMD_CTR); + ret = mse102x_rx_cmd_spi(mse, (u8 *)&rx); + if (ret) +- return; ++ return IRQ_NONE; + + cmd_resp = be16_to_cpu(rx); + if ((cmd_resp & CMD_MASK) != CMD_RTS) { +@@ -360,7 +360,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse) + rxalign = ALIGN(rxlen + DET_SOF_LEN + DET_DFT_LEN, 4); + skb = netdev_alloc_skb_ip_align(mse->ndev, rxalign); + if (!skb) +- return; ++ return IRQ_NONE; + + /* 2 bytes Start of frame (before ethernet header) + * 2 bytes Data frame tail (after ethernet frame) +@@ -370,7 +370,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse) + if (mse102x_rx_frame_spi(mse, rxpkt, rxlen, drop)) { + mse->ndev->stats.rx_errors++; + dev_kfree_skb(skb); +- return; ++ return IRQ_HANDLED; + } + + if (netif_msg_pktdata(mse)) +@@ -381,6 +381,8 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse) + + mse->ndev->stats.rx_packets++; + mse->ndev->stats.rx_bytes += rxlen; ++ ++ return IRQ_HANDLED; + } + + static int mse102x_tx_pkt_spi(struct mse102x_net *mse, struct sk_buff *txb, +@@ -512,12 +514,13 @@ static irqreturn_t mse102x_irq(int irq, void *_mse) + { + struct mse102x_net *mse = _mse; + struct mse102x_net_spi *mses = to_mse102x_spi(mse); ++ irqreturn_t ret; + + mutex_lock(&mses->lock); +- mse102x_rx_pkt_spi(mse); ++ ret = mse102x_rx_pkt_spi(mse); + mutex_unlock(&mses->lock); + +- return IRQ_HANDLED; ++ return ret; + } + + static int mse102x_net_open(struct net_device *ndev) +-- +2.39.5 + diff --git a/queue-6.6/octeontx2-pf-add-error-log-forcn10k_map_unmap_rq_pol.patch b/queue-6.6/octeontx2-pf-add-error-log-forcn10k_map_unmap_rq_pol.patch new file mode 100644 index 0000000000..0141c33754 --- /dev/null +++ b/queue-6.6/octeontx2-pf-add-error-log-forcn10k_map_unmap_rq_pol.patch @@ -0,0 +1,47 @@ +From 9eae2dcb3800faa184ed6cbd1c6d8d6abaf23f88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 11:26:02 +0800 +Subject: octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() + +From: Wentao Liang + +[ Upstream commit 9c056ec6dd1654b1420dafbbe2a69718850e6ff2 ] + +The cn10k_free_matchall_ipolicer() calls the cn10k_map_unmap_rq_policer() +for each queue in a for loop without checking for any errors. + +Check the return value of the cn10k_map_unmap_rq_policer() function during +each loop, and report a warning if the function fails. + +Signed-off-by: Wentao Liang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250408032602.2909-1-vulab@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c +index 7417087b6db59..a2807a1e4f4a6 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c +@@ -352,9 +352,12 @@ int cn10k_free_matchall_ipolicer(struct otx2_nic *pfvf) + mutex_lock(&pfvf->mbox.lock); + + /* Remove RQ's policer mapping */ +- for (qidx = 0; qidx < hw->rx_queues; qidx++) +- cn10k_map_unmap_rq_policer(pfvf, qidx, +- hw->matchall_ipolicer, false); ++ for (qidx = 0; qidx < hw->rx_queues; qidx++) { ++ rc = cn10k_map_unmap_rq_policer(pfvf, qidx, hw->matchall_ipolicer, false); ++ if (rc) ++ dev_warn(pfvf->dev, "Failed to unmap RQ %d's policer (error %d).", ++ qidx, rc); ++ } + + rc = cn10k_free_leaf_profile(pfvf, hw->matchall_ipolicer); + +-- +2.39.5 + diff --git a/queue-6.6/openvswitch-stricter-validation-for-the-userspace-ac.patch b/queue-6.6/openvswitch-stricter-validation-for-the-userspace-ac.patch new file mode 100644 index 0000000000..8c6a4c9f4c --- /dev/null +++ b/queue-6.6/openvswitch-stricter-validation-for-the-userspace-ac.patch @@ -0,0 +1,45 @@ +From ac6d7d66bda5c5276c39ddbc14fb44107a28aae2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 10:08:24 +0200 +Subject: openvswitch: Stricter validation for the userspace action + +From: Eelco Chaudron + +[ Upstream commit 88906f55954131ed2d3974e044b7fb48129b86ae ] + +This change enhances the robustness of validate_userspace() by ensuring +that all Netlink attributes are fully contained within the parent +attribute. The previous use of nla_parse_nested_deprecated() could +silently skip trailing or malformed attributes, as it stops parsing at +the first invalid entry. + +By switching to nla_parse_deprecated_strict(), we make sure only fully +validated attributes are copied for later use. + +Signed-off-by: Eelco Chaudron +Reviewed-by: Simon Horman +Acked-by: Ilya Maximets +Link: https://patch.msgid.link/67eb414e2d250e8408bb8afeb982deca2ff2b10b.1747037304.git.echaudro@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/flow_netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 089ab1826e1d5..eb85384a376be 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -3035,7 +3035,8 @@ static int validate_userspace(const struct nlattr *attr) + struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1]; + int error; + +- error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr, ++ error = nla_parse_deprecated_strict(a, OVS_USERSPACE_ATTR_MAX, ++ nla_data(attr), nla_len(attr), + userspace_policy, NULL); + if (error) + return error; +-- +2.39.5 + diff --git a/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch b/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch new file mode 100644 index 0000000000..60afab4012 --- /dev/null +++ b/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch @@ -0,0 +1,41 @@ +From 90c33cff893886a394c78f050f2379fbbcf69433 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:38 +0200 +Subject: pinctrl: armada-37xx: propagate error from + armada_37xx_pmx_set_by_name() + +From: Gabor Juhos + +[ Upstream commit 4229c28323db141eda69cb99427be75d3edba071 ] + +The regmap_update_bits() function can fail, so propagate its error +up to the stack instead of silently ignoring that. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-7-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index 1a39fd97a9005..1d9aa4e76a23b 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -358,9 +358,7 @@ static int armada_37xx_pmx_set_by_name(struct pinctrl_dev *pctldev, + + val = grp->val[func]; + +- regmap_update_bits(info->regmap, reg, mask, val); +- +- return 0; ++ return regmap_update_bits(info->regmap, reg, mask, val); + } + + static int armada_37xx_pmx_set(struct pinctrl_dev *pctldev, +-- +2.39.5 + diff --git a/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-1752 b/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-1752 new file mode 100644 index 0000000000..25a6c289e4 --- /dev/null +++ b/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-1752 @@ -0,0 +1,45 @@ +From f068b241434e5d36324f2b94058655de7fdf9ae1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:35 +0200 +Subject: pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() + +From: Gabor Juhos + +[ Upstream commit 57273ff8bb16f3842c2597b5bbcd49e7fa12edf7 ] + +The regmap_read() function can fail, so propagate its error up to +the stack instead of silently ignoring that. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-4-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index a9e665ea0f617..ef87a6045e073 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -443,11 +443,14 @@ static int armada_37xx_gpio_get(struct gpio_chip *chip, unsigned int offset) + struct armada_37xx_pinctrl *info = gpiochip_get_data(chip); + unsigned int reg = INPUT_VAL; + unsigned int val, mask; ++ int ret; + + armada_37xx_update_reg(®, &offset); + mask = BIT(offset); + +- regmap_read(info->regmap, reg, &val); ++ ret = regmap_read(info->regmap, reg, &val); ++ if (ret) ++ return ret; + + return (val & mask) != 0; + } +-- +2.39.5 + diff --git a/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-31198 b/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-31198 new file mode 100644 index 0000000000..8f93d20e92 --- /dev/null +++ b/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-31198 @@ -0,0 +1,52 @@ +From 88fa2e6022dace2a9d8572869bb9b5c437db778a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:36 +0200 +Subject: pinctrl: armada-37xx: propagate error from + armada_37xx_pmx_gpio_set_direction() + +From: Gabor Juhos + +[ Upstream commit bfa0ff804ffa8b1246ade8be08de98c9eb19d16f ] + +The armada_37xx_gpio_direction_{in,out}put() functions can fail, so +propagate their error values back to the stack instead of silently +ignoring those. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-5-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index 8008bad481b7d..a9e665ea0f617 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -472,16 +472,17 @@ static int armada_37xx_pmx_gpio_set_direction(struct pinctrl_dev *pctldev, + { + struct armada_37xx_pinctrl *info = pinctrl_dev_get_drvdata(pctldev); + struct gpio_chip *chip = range->gc; ++ int ret; + + dev_dbg(info->dev, "gpio_direction for pin %u as %s-%d to %s\n", + offset, range->name, offset, input ? "input" : "output"); + + if (input) +- armada_37xx_gpio_direction_input(chip, offset); ++ ret = armada_37xx_gpio_direction_input(chip, offset); + else +- armada_37xx_gpio_direction_output(chip, offset, 0); ++ ret = armada_37xx_gpio_direction_output(chip, offset, 0); + +- return 0; ++ return ret; + } + + static int armada_37xx_gpio_request_enable(struct pinctrl_dev *pctldev, +-- +2.39.5 + diff --git a/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-4152 b/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-4152 new file mode 100644 index 0000000000..353170d5aa --- /dev/null +++ b/queue-6.6/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-4152 @@ -0,0 +1,45 @@ +From 96990fe942a68a8b434f6674d138a6c5d2757b69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:37 +0200 +Subject: pinctrl: armada-37xx: propagate error from + armada_37xx_gpio_get_direction() + +From: Gabor Juhos + +[ Upstream commit 6481c0a83367b0672951ccc876fbae7ee37b594b ] + +The regmap_read() function can fail, so propagate its error up to +the stack instead of silently ignoring that. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-6-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index 1d9aa4e76a23b..8008bad481b7d 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -400,10 +400,13 @@ static int armada_37xx_gpio_get_direction(struct gpio_chip *chip, + struct armada_37xx_pinctrl *info = gpiochip_get_data(chip); + unsigned int reg = OUTPUT_EN; + unsigned int val, mask; ++ int ret; + + armada_37xx_update_reg(®, &offset); + mask = BIT(offset); +- regmap_read(info->regmap, reg, &val); ++ ret = regmap_read(info->regmap, reg, &val); ++ if (ret) ++ return ret; + + if (val & mask) + return GPIO_LINE_DIRECTION_OUT; +-- +2.39.5 + diff --git a/queue-6.6/pinctrl-mcp23s08-reset-all-pins-to-input-at-probe.patch b/queue-6.6/pinctrl-mcp23s08-reset-all-pins-to-input-at-probe.patch new file mode 100644 index 0000000000..8c8582d3f1 --- /dev/null +++ b/queue-6.6/pinctrl-mcp23s08-reset-all-pins-to-input-at-probe.patch @@ -0,0 +1,47 @@ +From a3c6d06e5f8382afccddb3e009d465924331b186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 16:17:45 +0100 +Subject: pinctrl: mcp23s08: Reset all pins to input at probe + +From: Mike Looijmans + +[ Upstream commit 3ede3f8b4b4b399b0ca41e44959f80d5cf84fc98 ] + +At startup, the driver just assumes that all registers have their +default values. But after a soft reset, the chip will just be in the +state it was, and some pins may have been configured as outputs. Any +modification of the output register will cause these pins to be driven +low, which leads to unexpected/unwanted effects. To prevent this from +happening, set the chip's IO configuration register to a known safe +mode (all inputs) before toggling any other bits. + +Signed-off-by: Mike Looijmans +Link: https://lore.kernel.org/20250314151803.28903-1-mike.looijmans@topic.nl +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index fd97b6ee2a8d1..ca45c1f36a89b 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -612,6 +612,14 @@ int mcp23s08_probe_one(struct mcp23s08 *mcp, struct device *dev, + + mcp->reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_LOW); + ++ /* ++ * Reset the chip - we don't really know what state it's in, so reset ++ * all pins to input first to prevent surprises. ++ */ ++ ret = mcp_write(mcp, MCP_IODIR, mcp->chip.ngpio == 16 ? 0xFFFF : 0xFF); ++ if (ret < 0) ++ return ret; ++ + /* verify MCP_IOCON.SEQOP = 0, so sequential reads work, + * and MCP_IOCON.HAEN = 1, so we work with all chips. + */ +-- +2.39.5 + diff --git a/queue-6.6/platform-x86-amd-pmc-clear-metrics-table-at-start-of.patch b/queue-6.6/platform-x86-amd-pmc-clear-metrics-table-at-start-of.patch new file mode 100644 index 0000000000..8b4d476ad8 --- /dev/null +++ b/queue-6.6/platform-x86-amd-pmc-clear-metrics-table-at-start-of.patch @@ -0,0 +1,49 @@ +From ca67719caafd3a857a767e56f382b55557785049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 08:24:08 -0500 +Subject: platform/x86/amd: pmc: Clear metrics table at start of cycle +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 4dbd11796f3a8eb95647507befc41995458a4023 ] + +The area of memory that contains the metrics table may contain garbage +when the cycle starts. This normally doesn't matter because the cycle +itself will populate it with valid data, however commit 9f5595d5f03fd +("platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep +cycles") started to use it during the check() phase. Depending upon +what garbage is in the table it's possible that the system will wait +2.5 seconds for even the first cycle, which will be visible to a user. + +To prevent this from happening explicitly clear the table when logging +is started. + +Fixes: 9f5595d5f03fd ("platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles") +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20250603132412.3555302-1-superm1@kernel.org +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmc/pmc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/platform/x86/amd/pmc/pmc.c b/drivers/platform/x86/amd/pmc/pmc.c +index 946a546cd9dd0..af5cc8aa7988c 100644 +--- a/drivers/platform/x86/amd/pmc/pmc.c ++++ b/drivers/platform/x86/amd/pmc/pmc.c +@@ -332,6 +332,8 @@ static int amd_pmc_setup_smu_logging(struct amd_pmc_dev *dev) + return -ENOMEM; + } + ++ memset_io(dev->smu_virt_addr, 0, sizeof(struct smu_metrics)); ++ + /* Start the logging */ + amd_pmc_send_cmd(dev, 0, NULL, SMU_MSG_LOG_RESET, false); + amd_pmc_send_cmd(dev, 0, NULL, SMU_MSG_LOG_START, false); +-- +2.39.5 + diff --git a/queue-6.6/platform-x86-dell_rbu-fix-list-usage.patch b/queue-6.6/platform-x86-dell_rbu-fix-list-usage.patch new file mode 100644 index 0000000000..c590f65e1d --- /dev/null +++ b/queue-6.6/platform-x86-dell_rbu-fix-list-usage.patch @@ -0,0 +1,54 @@ +From b38f499cedd29d7f190ccaec7f41f4572552c29e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 13:46:56 -0500 +Subject: platform/x86: dell_rbu: Fix list usage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stuart Hayes + +[ Upstream commit 61ce04601e0d8265ec6d2ffa6df5a7e1bce64854 ] + +Pass the correct list head to list_for_each_entry*() when looping through +the packet list. + +Without this patch, reading the packet data via sysfs will show the data +incorrectly (because it starts at the wrong packet), and clearing the +packet list will result in a NULL pointer dereference. + +Fixes: d19f359fbdc6 ("platform/x86: dell_rbu: don't open code list_for_each_entry*()") +Signed-off-by: Stuart Hayes +Link: https://lore.kernel.org/r/20250609184659.7210-3-stuart.w.hayes@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell_rbu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c +index 9f51e0fcab04e..4d2b5f6dd513f 100644 +--- a/drivers/platform/x86/dell/dell_rbu.c ++++ b/drivers/platform/x86/dell/dell_rbu.c +@@ -292,7 +292,7 @@ static int packet_read_list(char *data, size_t * pread_length) + remaining_bytes = *pread_length; + bytes_read = rbu_data.packet_read_count; + +- list_for_each_entry(newpacket, (&packet_data_head.list)->next, list) { ++ list_for_each_entry(newpacket, &packet_data_head.list, list) { + bytes_copied = do_packet_read(pdest, newpacket, + remaining_bytes, bytes_read, &temp_count); + remaining_bytes -= bytes_copied; +@@ -315,7 +315,7 @@ static void packet_empty_list(void) + { + struct packet_data *newpacket, *tmp; + +- list_for_each_entry_safe(newpacket, tmp, (&packet_data_head.list)->next, list) { ++ list_for_each_entry_safe(newpacket, tmp, &packet_data_head.list, list) { + list_del(&newpacket->list); + + /* +-- +2.39.5 + diff --git a/queue-6.6/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch b/queue-6.6/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch new file mode 100644 index 0000000000..2dea75a82b --- /dev/null +++ b/queue-6.6/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch @@ -0,0 +1,55 @@ +From 8492af382156386e0bdd7789c68658596eac9de3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 13:46:58 -0500 +Subject: platform/x86: dell_rbu: Stop overwriting data buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stuart Hayes + +[ Upstream commit f4b0fa38d5fefe9aed6ed831f3bd3538c168ee19 ] + +The dell_rbu driver will use memset() to clear the data held by each +packet when it is no longer needed (when the driver is unloaded, the +packet size is changed, etc). + +The amount of memory that is cleared (before this patch) is the normal +packet size. However, the last packet in the list may be smaller. + +Fix this to only clear the memory actually used by each packet, to prevent +it from writing past the end of data buffer. + +Because the packet data buffers are allocated with __get_free_pages() (in +page-sized increments), this bug could only result in a buffer being +overwritten when a packet size larger than one page is used. The only user +of the dell_rbu module should be the Dell BIOS update program, which uses +a packet size of 4096, so no issues should be seen without the patch, it +just blocks the possiblity. + +Fixes: 6c54c28e69f2 ("[PATCH] dell_rbu: new Dell BIOS update driver") +Signed-off-by: Stuart Hayes +Link: https://lore.kernel.org/r/20250609184659.7210-5-stuart.w.hayes@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell_rbu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c +index 4d2b5f6dd513f..fee20866b41e4 100644 +--- a/drivers/platform/x86/dell/dell_rbu.c ++++ b/drivers/platform/x86/dell/dell_rbu.c +@@ -322,7 +322,7 @@ static void packet_empty_list(void) + * zero out the RBU packet memory before freeing + * to make sure there are no stale RBU packets left in memory + */ +- memset(newpacket->data, 0, rbu_data.packetsize); ++ memset(newpacket->data, 0, newpacket->length); + set_memory_wb((unsigned long)newpacket->data, + 1 << newpacket->ordernum); + free_pages((unsigned long) newpacket->data, +-- +2.39.5 + diff --git a/queue-6.6/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch b/queue-6.6/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch new file mode 100644 index 0000000000..843a477605 --- /dev/null +++ b/queue-6.6/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch @@ -0,0 +1,61 @@ +From 48f3e6ccbe5068e6ea28147b78b52a2b2adef8a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 12:11:25 +0530 +Subject: PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() + +From: Charan Teja Kalla + +[ Upstream commit 40d3b40dce375d6f1c1dbf08d79eed3aed6c691d ] + +pm_runtime_put_autosuspend() schedules a hrtimer to expire +at "dev->power.timer_expires". If the hrtimer's callback, +pm_suspend_timer_fn(), observes that the current time equals +"dev->power.timer_expires", it unexpectedly bails out instead of +proceeding with runtime suspend. + +pm_suspend_timer_fn(): + + if (expires > 0 && expires < ktime_get_mono_fast_ns()) { + dev->power.timer_expires = 0; + rpm_suspend(..) + } + +Additionally, as ->timer_expires is not cleared, all the future auto +suspend requests will not schedule hrtimer to perform auto suspend. + +rpm_suspend(): + + if ((rpmflags & RPM_AUTO) &&...) { + if (!(dev->power.timer_expires && ...) { <-- this will fail. + hrtimer_start_range_ns(&dev->power.suspend_timer,...); + } + } + +Fix this by as well checking if current time reaches the set expiration. + +Co-developed-by: Patrick Daly +Signed-off-by: Patrick Daly +Signed-off-by: Charan Teja Kalla +Link: https://patch.msgid.link/20250515064125.1211561-1-quic_charante@quicinc.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 0af26cf8c0059..0d43bf5b6cecb 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1001,7 +1001,7 @@ static enum hrtimer_restart pm_suspend_timer_fn(struct hrtimer *timer) + * If 'expires' is after the current time, we've been called + * too early. + */ +- if (expires > 0 && expires < ktime_get_mono_fast_ns()) { ++ if (expires > 0 && expires <= ktime_get_mono_fast_ns()) { + dev->power.timer_expires = 0; + rpm_suspend(dev, dev->power.timer_autosuspends ? + (RPM_ASYNC | RPM_AUTO) : RPM_ASYNC); +-- +2.39.5 + diff --git a/queue-6.6/power-supply-bq27xxx-retrieve-again-when-busy.patch b/queue-6.6/power-supply-bq27xxx-retrieve-again-when-busy.patch new file mode 100644 index 0000000000..7288396d34 --- /dev/null +++ b/queue-6.6/power-supply-bq27xxx-retrieve-again-when-busy.patch @@ -0,0 +1,90 @@ +From 536e8a9242a7fb4ecda4191897eb11be1693ac9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 11:40:47 +0800 +Subject: power: supply: bq27xxx: Retrieve again when busy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jerry Lv + +[ Upstream commit f16d9fb6cf03fdbdefa41a8b32ba1e57afb7ae3d ] + +Multiple applications may access the battery gauge at the same time, so +the gauge may be busy and EBUSY will be returned. The driver will set a +flag to record the EBUSY state, and this flag will be kept until the next +periodic update. When this flag is set, bq27xxx_battery_get_property() +will just return ENODEV until the flag is updated. + +Even if the gauge was busy during the last accessing attempt, returning +ENODEV is not ideal, and can cause confusion in the applications layer. + +Instead, retry accessing the I2C to update the flag is as expected, for +the gauge typically recovers from busy state within a few milliseconds. +If still failed to access the gauge, the real error code would be returned +instead of ENODEV (as suggested by Pali Rohár). + +Reviewed-by: Pali Rohár +Signed-off-by: Jerry Lv +Link: https://lore.kernel.org/r/20250415-foo-fix-v2-1-5b45a395e4cc@axis.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 2 +- + drivers/power/supply/bq27xxx_battery_i2c.c | 13 ++++++++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index 23c8736567574..e51fa2c694bc6 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -2044,7 +2044,7 @@ static int bq27xxx_battery_get_property(struct power_supply *psy, + mutex_unlock(&di->lock); + + if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0) +- return -ENODEV; ++ return di->cache.flags; + + switch (psp) { + case POWER_SUPPLY_PROP_STATUS: +diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c +index 886e0a8e2abd1..8877fa333cd02 100644 +--- a/drivers/power/supply/bq27xxx_battery_i2c.c ++++ b/drivers/power/supply/bq27xxx_battery_i2c.c +@@ -6,6 +6,7 @@ + * Andrew F. Davis + */ + ++#include + #include + #include + #include +@@ -32,6 +33,7 @@ static int bq27xxx_battery_i2c_read(struct bq27xxx_device_info *di, u8 reg, + struct i2c_msg msg[2]; + u8 data[2]; + int ret; ++ int retry = 0; + + if (!client->adapter) + return -ENODEV; +@@ -48,7 +50,16 @@ static int bq27xxx_battery_i2c_read(struct bq27xxx_device_info *di, u8 reg, + else + msg[1].len = 2; + +- ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg)); ++ do { ++ ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg)); ++ if (ret == -EBUSY && ++retry < 3) { ++ /* sleep 10 milliseconds when busy */ ++ usleep_range(10000, 11000); ++ continue; ++ } ++ break; ++ } while (1); ++ + if (ret < 0) + return ret; + +-- +2.39.5 + diff --git a/queue-6.6/power-supply-collie-fix-wakeup-source-leaks-on-devic.patch b/queue-6.6/power-supply-collie-fix-wakeup-source-leaks-on-devic.patch new file mode 100644 index 0000000000..fa18c80237 --- /dev/null +++ b/queue-6.6/power-supply-collie-fix-wakeup-source-leaks-on-devic.patch @@ -0,0 +1,35 @@ +From ee3080207e5ebdb66a2f56c485d1c8ce25ca1a93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Apr 2025 22:27:29 +0200 +Subject: power: supply: collie: Fix wakeup source leaks on device unbind + +From: Krzysztof Kozlowski + +[ Upstream commit c73d19f89cb03c43abbbfa3b9caa1b8fc719764c ] + +Device can be unbound, so driver must also release memory for the wakeup +source. + +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250406202730.55096-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/collie_battery.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/power/supply/collie_battery.c b/drivers/power/supply/collie_battery.c +index 68390bd1004f0..3daf7befc0bf6 100644 +--- a/drivers/power/supply/collie_battery.c ++++ b/drivers/power/supply/collie_battery.c +@@ -440,6 +440,7 @@ static int collie_bat_probe(struct ucb1x00_dev *dev) + + static void collie_bat_remove(struct ucb1x00_dev *dev) + { ++ device_init_wakeup(&ucb->dev, 0); + free_irq(gpiod_to_irq(collie_bat_main.gpio_full), &collie_bat_main); + power_supply_unregister(collie_bat_bu.psy); + power_supply_unregister(collie_bat_main.psy); +-- +2.39.5 + diff --git a/queue-6.6/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch b/queue-6.6/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch new file mode 100644 index 0000000000..94b33ef4cf --- /dev/null +++ b/queue-6.6/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch @@ -0,0 +1,67 @@ +From 65bc0a9455db04d6193600a6d40a59d351614f6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 02:29:28 -0400 +Subject: powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH + recovery + +From: Narayana Murty N + +[ Upstream commit 33bc69cf6655cf60829a803a45275f11a74899e5 ] + +VFIO EEH recovery for PCI passthrough devices fails on PowerNV and pseries +platforms due to missing host-side PE bridge reconfiguration. In the +current implementation, eeh_pe_configure() only performs RTAS or OPAL-based +bridge reconfiguration for native host devices, but skips it entirely for +PEs managed through VFIO in guest passthrough scenarios. + +This leads to incomplete EEH recovery when a PCI error affects a +passthrough device assigned to a QEMU/KVM guest. Although VFIO triggers the +EEH recovery flow through VFIO_EEH_PE_ENABLE ioctl, the platform-specific +bridge reconfiguration step is silently bypassed. As a result, the PE's +config space is not fully restored, causing subsequent config space access +failures or EEH freeze-on-access errors inside the guest. + +This patch fixes the issue by ensuring that eeh_pe_configure() always +invokes the platform's configure_bridge() callback (e.g., +pseries_eeh_phb_configure_bridge) even for VFIO-managed PEs. This ensures +that RTAS or OPAL calls to reconfigure the PE bridge are correctly issued +on the host side, restoring the PE's configuration space after an EEH +event. + +This fix is essential for reliable EEH recovery in QEMU/KVM guests using +VFIO PCI passthrough on PowerNV and pseries systems. + +Tested with: +- QEMU/KVM guest using VFIO passthrough (IBM Power9,(lpar)Power11 host) +- Injected EEH errors with pseries EEH errinjct tool on host, recovery + verified on qemu guest. +- Verified successful config space access and CAP_EXP DevCtl restoration + after recovery + +Fixes: 212d16cdca2d ("powerpc/eeh: EEH support for VFIO PCI device") +Signed-off-by: Narayana Murty N +Reviewed-by: Vaibhav Jain +Reviewed-by: Ganesh Goudar +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250508062928.146043-1-nnmlinux@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c +index ab316e155ea9f..2e286bba2f645 100644 +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -1516,6 +1516,8 @@ int eeh_pe_configure(struct eeh_pe *pe) + /* Invalid PE ? */ + if (!pe) + return -ENODEV; ++ else ++ ret = eeh_ops->configure_bridge(pe); + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.6/powerpc-vdso-fix-build-of-vdso32-with-pcrel.patch b/queue-6.6/powerpc-vdso-fix-build-of-vdso32-with-pcrel.patch new file mode 100644 index 0000000000..db7946cef5 --- /dev/null +++ b/queue-6.6/powerpc-vdso-fix-build-of-vdso32-with-pcrel.patch @@ -0,0 +1,71 @@ +From a1ddc9468573f9baff6ba04fbb2a688ab9329b3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 20:14:55 +0200 +Subject: powerpc/vdso: Fix build of VDSO32 with pcrel + +From: Christophe Leroy + +[ Upstream commit b93755f408325170edb2156c6a894ed1cae5f4f6 ] + +Building vdso32 on power10 with pcrel leads to following errors: + + VDSO32A arch/powerpc/kernel/vdso/gettimeofday-32.o + arch/powerpc/kernel/vdso/gettimeofday.S: Assembler messages: + arch/powerpc/kernel/vdso/gettimeofday.S:40: Error: syntax error; found `@', expected `,' + arch/powerpc/kernel/vdso/gettimeofday.S:71: Info: macro invoked from here + arch/powerpc/kernel/vdso/gettimeofday.S:40: Error: junk at end of line: `@notoc' + arch/powerpc/kernel/vdso/gettimeofday.S:71: Info: macro invoked from here + ... + make[2]: *** [arch/powerpc/kernel/vdso/Makefile:85: arch/powerpc/kernel/vdso/gettimeofday-32.o] Error 1 + make[1]: *** [arch/powerpc/Makefile:388: vdso_prepare] Error 2 + +Once the above is fixed, the following happens: + + VDSO32C arch/powerpc/kernel/vdso/vgettimeofday-32.o + cc1: error: '-mpcrel' requires '-mcmodel=medium' + make[2]: *** [arch/powerpc/kernel/vdso/Makefile:89: arch/powerpc/kernel/vdso/vgettimeofday-32.o] Error 1 + make[1]: *** [arch/powerpc/Makefile:388: vdso_prepare] Error 2 + make: *** [Makefile:251: __sub-make] Error 2 + +Make sure pcrel version of CFUNC() macro is used only for powerpc64 +builds and remove -mpcrel for powerpc32 builds. + +Fixes: 7e3a68be42e1 ("powerpc/64: vmlinux support building with PCREL addresing") +Signed-off-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/1fa3453f07d42a50a70114da9905bf7b73304fca.1747073669.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/ppc_asm.h | 2 +- + arch/powerpc/kernel/vdso/Makefile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h +index e7792aa135105..fa79265328665 100644 +--- a/arch/powerpc/include/asm/ppc_asm.h ++++ b/arch/powerpc/include/asm/ppc_asm.h +@@ -183,7 +183,7 @@ + /* + * Used to name C functions called from asm + */ +-#ifdef CONFIG_PPC_KERNEL_PCREL ++#if defined(__powerpc64__) && defined(CONFIG_PPC_KERNEL_PCREL) + #define CFUNC(name) name@notoc + #else + #define CFUNC(name) name +diff --git a/arch/powerpc/kernel/vdso/Makefile b/arch/powerpc/kernel/vdso/Makefile +index d5defff8472da..47a9533a4dc1d 100644 +--- a/arch/powerpc/kernel/vdso/Makefile ++++ b/arch/powerpc/kernel/vdso/Makefile +@@ -50,7 +50,7 @@ ldflags-$(CONFIG_LD_ORPHAN_WARN) += -Wl,--orphan-handling=$(CONFIG_LD_ORPHAN_WAR + ldflags-y += $(filter-out $(CC_AUTO_VAR_INIT_ZERO_ENABLER) $(CC_FLAGS_FTRACE) -Wa$(comma)%, $(KBUILD_CFLAGS)) + + CC32FLAGS := -m32 +-CC32FLAGSREMOVE := -mcmodel=medium -mabi=elfv1 -mabi=elfv2 -mcall-aixdesc ++CC32FLAGSREMOVE := -mcmodel=medium -mabi=elfv1 -mabi=elfv2 -mcall-aixdesc -mpcrel + ifdef CONFIG_CC_IS_CLANG + # This flag is supported by clang for 64-bit but not 32-bit so it will cause + # an unused command line flag warning for this file. +-- +2.39.5 + diff --git a/queue-6.6/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch b/queue-6.6/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch new file mode 100644 index 0000000000..42bf53d085 --- /dev/null +++ b/queue-6.6/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch @@ -0,0 +1,112 @@ +From 4f45f5b4ec977e9373075a70bb32bb7b5f9feeb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:06:34 +0200 +Subject: Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect + devices first" + +From: Alexander Sverdlin + +[ Upstream commit 36305857b1ead8f6ca033a913162ebc09bee0b43 ] + +This reverts commit 4700a00755fb5a4bb5109128297d6fd2d1272ee6. + +It breaks target-module@2b300050 ("ti,sysc-omap2") probe on AM62x in a case +when minimally-configured system tries to network-boot: + +[ 6.888776] probe of 2b300050.target-module returned 517 after 258 usecs +[ 17.129637] probe of 2b300050.target-module returned 517 after 708 usecs +[ 17.137397] platform 2b300050.target-module: deferred probe pending: (reason unknown) +[ 26.878471] Waiting up to 100 more seconds for network. + +There are minimal configurations possible when the deferred device is not +being probed any more (because everything else has been successfully +probed) and deferral lists are not processed any more. + +Stable mmc enumeration can be achieved by filling /aliases node properly +(4700a00755fb commit's rationale). + +After revert: + +[ 9.006816] IP-Config: Complete: +[ 9.010058] device=lan0, ... + +Tested-by: Andreas Kemnade # GTA04, Panda, BT200 +Reviewed-by: Tony Lindgren +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20250401090643.2776793-1-alexander.sverdlin@siemens.com +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 49 ------------------------------------------- + 1 file changed, 49 deletions(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 65163312dab8a..46d7410f6f0fc 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -667,51 +667,6 @@ static int sysc_parse_and_check_child_range(struct sysc *ddata) + return 0; + } + +-/* Interconnect instances to probe before l4_per instances */ +-static struct resource early_bus_ranges[] = { +- /* am3/4 l4_wkup */ +- { .start = 0x44c00000, .end = 0x44c00000 + 0x300000, }, +- /* omap4/5 and dra7 l4_cfg */ +- { .start = 0x4a000000, .end = 0x4a000000 + 0x300000, }, +- /* omap4 l4_wkup */ +- { .start = 0x4a300000, .end = 0x4a300000 + 0x30000, }, +- /* omap5 and dra7 l4_wkup without dra7 dcan segment */ +- { .start = 0x4ae00000, .end = 0x4ae00000 + 0x30000, }, +-}; +- +-static atomic_t sysc_defer = ATOMIC_INIT(10); +- +-/** +- * sysc_defer_non_critical - defer non_critical interconnect probing +- * @ddata: device driver data +- * +- * We want to probe l4_cfg and l4_wkup interconnect instances before any +- * l4_per instances as l4_per instances depend on resources on l4_cfg and +- * l4_wkup interconnects. +- */ +-static int sysc_defer_non_critical(struct sysc *ddata) +-{ +- struct resource *res; +- int i; +- +- if (!atomic_read(&sysc_defer)) +- return 0; +- +- for (i = 0; i < ARRAY_SIZE(early_bus_ranges); i++) { +- res = &early_bus_ranges[i]; +- if (ddata->module_pa >= res->start && +- ddata->module_pa <= res->end) { +- atomic_set(&sysc_defer, 0); +- +- return 0; +- } +- } +- +- atomic_dec_if_positive(&sysc_defer); +- +- return -EPROBE_DEFER; +-} +- + static struct device_node *stdout_path; + + static void sysc_init_stdout_path(struct sysc *ddata) +@@ -937,10 +892,6 @@ static int sysc_map_and_check_registers(struct sysc *ddata) + if (error) + return error; + +- error = sysc_defer_non_critical(ddata); +- if (error) +- return error; +- + sysc_check_children(ddata); + + if (!of_property_present(np, "reg")) +-- +2.39.5 + diff --git a/queue-6.6/scsi-lpfc-fix-lpfc_check_sli_ndlp-handling-for-gen_r.patch b/queue-6.6/scsi-lpfc-fix-lpfc_check_sli_ndlp-handling-for-gen_r.patch new file mode 100644 index 0000000000..8ac59ad221 --- /dev/null +++ b/queue-6.6/scsi-lpfc-fix-lpfc_check_sli_ndlp-handling-for-gen_r.patch @@ -0,0 +1,40 @@ +From a983584b77a471f2880becd30df7d58fa5bc1bf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 12:47:59 -0700 +Subject: scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 + commands + +From: Justin Tee + +[ Upstream commit 05ae6c9c7315d844fbc15afe393f5ba5e5771126 ] + +In lpfc_check_sli_ndlp(), the get_job_els_rsp64_did remote_id assignment +does not apply for GEN_REQUEST64 commands as it only has meaning for a +ELS_REQUEST64 command. So, if (iocb->ndlp == ndlp) is false, we could +erroneously return the wrong value. Fix by replacing the fallthrough +statement with a break statement before the remote_id check. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20250425194806.3585-2-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 5c9bc8af3c2df..ff44283338771 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -5101,7 +5101,7 @@ lpfc_check_sli_ndlp(struct lpfc_hba *phba, + case CMD_GEN_REQUEST64_CR: + if (iocb->ndlp == ndlp) + return 1; +- fallthrough; ++ break; + case CMD_ELS_REQUEST64_CR: + if (remote_id == ndlp->nlp_DID) + return 1; +-- +2.39.5 + diff --git a/queue-6.6/scsi-lpfc-use-memcpy-for-bios-version.patch b/queue-6.6/scsi-lpfc-use-memcpy-for-bios-version.patch new file mode 100644 index 0000000000..2b262bbf0f --- /dev/null +++ b/queue-6.6/scsi-lpfc-use-memcpy-for-bios-version.patch @@ -0,0 +1,47 @@ +From c238481287c2a033cee444139ca1117888d25c7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 13:34:22 +0200 +Subject: scsi: lpfc: Use memcpy() for BIOS version + +From: Daniel Wagner + +[ Upstream commit ae82eaf4aeea060bb736c3e20c0568b67c701d7d ] + +The strlcat() with FORTIFY support is triggering a panic because it +thinks the target buffer will overflow although the correct target +buffer size is passed in. + +Anyway, instead of memset() with 0 followed by a strlcat(), just use +memcpy() and ensure that the resulting buffer is NULL terminated. + +BIOSVersion is only used for the lpfc_printf_log() which expects a +properly terminated string. + +Signed-off-by: Daniel Wagner +Link: https://lore.kernel.org/r/20250409-fix-lpfc-bios-str-v1-1-05dac9e51e13@kernel.org +Reviewed-by: Justin Tee +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 4a9fa00eeb798..4cf935b7223af 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -6014,9 +6014,9 @@ lpfc_sli4_get_ctl_attr(struct lpfc_hba *phba) + phba->sli4_hba.flash_id = bf_get(lpfc_cntl_attr_flash_id, cntl_attr); + phba->sli4_hba.asic_rev = bf_get(lpfc_cntl_attr_asic_rev, cntl_attr); + +- memset(phba->BIOSVersion, 0, sizeof(phba->BIOSVersion)); +- strlcat(phba->BIOSVersion, (char *)cntl_attr->bios_ver_str, ++ memcpy(phba->BIOSVersion, cntl_attr->bios_ver_str, + sizeof(phba->BIOSVersion)); ++ phba->BIOSVersion[sizeof(phba->BIOSVersion) - 1] = '\0'; + + lpfc_printf_log(phba, KERN_INFO, LOG_SLI, + "3086 lnk_type:%d, lnk_numb:%d, bios_ver:%s, " +-- +2.39.5 + diff --git a/queue-6.6/sctp-do-not-wake-readers-in-__sctp_write_space.patch b/queue-6.6/sctp-do-not-wake-readers-in-__sctp_write_space.patch new file mode 100644 index 0000000000..6fdedd6f53 --- /dev/null +++ b/queue-6.6/sctp-do-not-wake-readers-in-__sctp_write_space.patch @@ -0,0 +1,42 @@ +From 74024eb9f976dd9c2197311c595f7fc588768e68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 10:17:28 +0200 +Subject: sctp: Do not wake readers in __sctp_write_space() + +From: Petr Malat + +[ Upstream commit af295892a7abbf05a3c2ba7abc4d81bb448623d6 ] + +Function __sctp_write_space() doesn't set poll key, which leads to +ep_poll_callback() waking up all waiters, not only these waiting +for the socket being writable. Set the key properly using +wake_up_interruptible_poll(), which is preferred over the sync +variant, as writers are not woken up before at least half of the +queue is available. Also, TCP does the same. + +Signed-off-by: Petr Malat +Acked-by: Xin Long +Link: https://patch.msgid.link/20250516081727.1361451-1-oss@malat.biz +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index b84c5e0a76f52..adc04e88f349f 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -9094,7 +9094,8 @@ static void __sctp_write_space(struct sctp_association *asoc) + wq = rcu_dereference(sk->sk_wq); + if (wq) { + if (waitqueue_active(&wq->wait)) +- wake_up_interruptible(&wq->wait); ++ wake_up_interruptible_poll(&wq->wait, EPOLLOUT | ++ EPOLLWRNORM | EPOLLWRBAND); + + /* Note that we try to include the Async I/O support + * here by modeling from the current TCP/UDP code. +-- +2.39.5 + diff --git a/queue-6.6/series b/queue-6.6/series index 5b2406d703..dfc9e3c23c 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -113,3 +113,95 @@ iio-accel-fxls8962af-fix-temperature-scan-element-sign.patch mm-hugetlb-fix-huge_pmd_unshare-vs-gup-fast-race.patch iio-imu-inv_icm42600-fix-temperature-calculation.patch iio-adc-ad7606_spi-fix-reg-write-value-mask.patch +acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch +asoc-amd-yc-add-quirk-for-lenovo-yoga-pro-7-14asp9.patch +clocksource-fix-the-cpus-choice-in-the-watchdog-per-.patch +tools-nolibc-use-intmax-definitions-from-compiler.patch +power-supply-collie-fix-wakeup-source-leaks-on-devic.patch +mmc-add-quirk-to-disable-ddr50-tuning.patch +acpica-avoid-sequence-overread-in-call-to-strncmp.patch +mmc-sdhci-esdhc-imx-save-tuning-value-when-card-stay.patch +asoc-tas2770-power-cycle-amp-on-isense-vsense-change.patch +acpi-bus-bail-out-if-acpi_kobj-registration-fails.patch +acpi-add-missing-prototype-for-non-config_suspend-co.patch +acpica-fix-acpi-parse-and-parseext-cache-leaks.patch +power-supply-bq27xxx-retrieve-again-when-busy.patch +acpica-utilities-fix-overflow-check-in-vsnprintf.patch +asoc-tegra210_ahub-add-check-to-of_device_get_match_.patch +gpiolib-of-add-polarity-quirk-for-s5m8767.patch +pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch +acpi-battery-negate-current-when-discharging.patch +net-macb-check-return-value-of-dma_set_mask_and_cohe.patch +net-lan743x-modify-the-eeprom-and-otp-size-for-pci1x.patch +tipc-use-kfree_sensitive-for-aead-cleanup.patch +f2fs-use-vmalloc-instead-of-kvmalloc-in-.init_-de-co.patch +bpf-check-rcu_read_lock_trace_held-in-bpf_map_lookup.patch +i2c-designware-invoke-runtime-suspend-on-quick-slave.patch +wifi-mt76-mt7996-drop-fragments-with-multicast-or-br.patch +emulex-benet-correct-command-version-selection-in-be.patch +wifi-mt76-mt76x2-add-support-for-liteon-wn4516r-wn45.patch +wifi-mt76-mt7921-add-160-mhz-ap-for-mt7922-device.patch +sctp-do-not-wake-readers-in-__sctp_write_space.patch +cpufreq-scmi-skip-scmi-devices-that-aren-t-used-by-t.patch +i2c-tegra-check-msg-length-in-smbus-block-read.patch +i2c-npcm-add-clock-toggle-recovery.patch +net-dlink-add-synchronization-for-stats-update.patch +wifi-ath12k-fix-macro-definition-hal_rx_msdu_pkt_len.patch +wifi-ath12k-fix-a-possible-dead-lock-caused-by-ab-ba.patch +wifi-ath11k-fix-qmi-memory-reuse-logic.patch +wifi-rtw89-leave-idle-mode-when-setting-wep-encrypti.patch +tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch +tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch +x86-sgx-prevent-attempts-to-reclaim-poisoned-pages.patch +ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch +openvswitch-stricter-validation-for-the-userspace-ac.patch +net-atlantic-generate-software-timestamp-just-before.patch +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-4152 +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-31198 +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-1752 +net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch +net-vertexcom-mse102x-return-code-for-mse102x_rx_pkt.patch +wireless-purelifi-plfxlc-fix-memory-leak-in-plfxlc_u.patch +wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch +bpftool-fix-cgroup-command-to-only-show-cgroup-bpf-p.patch +clk-rockchip-rk3036-mark-ddrphy-as-critical.patch +libbpf-add-identical-pointer-detection-to-btf_dedup_.patch +scsi-lpfc-fix-lpfc_check_sli_ndlp-handling-for-gen_r.patch +iommu-amd-ensure-ga-log-notifier-callbacks-finish-ru.patch +wifi-iwlwifi-pcie-make-sure-to-lock-rxq-read.patch +wifi-mac80211_hwsim-prevent-tsf-from-setting-if-beac.patch +wifi-mac80211-vlan-traffic-in-multicast-path.patch +wifi-iwlwifi-add-missing-module_firmware-for-qu-c0-j.patch +net-bridge-mcast-update-multicast-contex-when-vlan-s.patch +net-bridge-mcast-re-implement-br_multicast_-enable-d.patch +vxlan-do-not-treat-dst-cache-initialization-errors-a.patch +net-ethernet-ti-am65-cpsw-handle-eprobe_defer.patch +software-node-correct-a-oob-check-in-software_node_g.patch +pinctrl-mcp23s08-reset-all-pins-to-input-at-probe.patch +wifi-ath12k-fix-failed-to-set-mhi-state-error-during.patch +scsi-lpfc-use-memcpy-for-bios-version.patch +sock-correct-error-checking-condition-for-assign-rel.patch +i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch +ice-fix-check-for-existing-switch-rule.patch +usbnet-asix-ax88772-leave-the-carrier-control-to-phy.patch +f2fs-fix-to-set-atomic-write-status-more-clear.patch +bpf-sockmap-fix-data-lost-during-eagain-retries.patch +net-ethernet-cortina-use-toe-tso-on-all-tcp.patch +octeontx2-pf-add-error-log-forcn10k_map_unmap_rq_pol.patch +wifi-ath11k-determine-pm-policy-based-on-machine-mod.patch +wifi-ath12k-fix-link-valid-field-initialization-in-t.patch +wifi-ath12k-fix-incorrect-ce-addresses.patch +wifi-ath12k-pass-correct-values-of-center-freq1-and-.patch +fbcon-make-sure-modelist-not-set-on-unregistered-con.patch +watchdog-da9052_wdt-respect-twdmin.patch +bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch +arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch +tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch +revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch +fs-xattr.c-fix-simple_xattr_list.patch +platform-x86-amd-pmc-clear-metrics-table-at-start-of.patch +platform-x86-dell_rbu-fix-list-usage.patch +platform-x86-dell_rbu-stop-overwriting-data-buffer.patch +powerpc-vdso-fix-build-of-vdso32-with-pcrel.patch +powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch diff --git a/queue-6.6/sock-correct-error-checking-condition-for-assign-rel.patch b/queue-6.6/sock-correct-error-checking-condition-for-assign-rel.patch new file mode 100644 index 0000000000..6be32335b9 --- /dev/null +++ b/queue-6.6/sock-correct-error-checking-condition-for-assign-rel.patch @@ -0,0 +1,49 @@ +From c71916911f6488fc2713e18d515850716245d232 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 09:01:27 +0800 +Subject: sock: Correct error checking condition for + (assign|release)_proto_idx() + +From: Zijun Hu + +[ Upstream commit faeefc173be40512341b102cf1568aa0b6571acd ] + +(assign|release)_proto_idx() wrongly check find_first_zero_bit() failure +by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously. + +Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)' + +Signed-off-by: Zijun Hu +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250410-fix_net-v2-1-d69e7c5739a4@quicinc.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 84ba3f67bca97..ec48690b5174e 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3817,7 +3817,7 @@ static int assign_proto_idx(struct proto *prot) + { + prot->inuse_idx = find_first_zero_bit(proto_inuse_idx, PROTO_INUSE_NR); + +- if (unlikely(prot->inuse_idx == PROTO_INUSE_NR - 1)) { ++ if (unlikely(prot->inuse_idx == PROTO_INUSE_NR)) { + pr_err("PROTO_INUSE_NR exhausted\n"); + return -ENOSPC; + } +@@ -3828,7 +3828,7 @@ static int assign_proto_idx(struct proto *prot) + + static void release_proto_idx(struct proto *prot) + { +- if (prot->inuse_idx != PROTO_INUSE_NR - 1) ++ if (prot->inuse_idx != PROTO_INUSE_NR) + clear_bit(prot->inuse_idx, proto_inuse_idx); + } + #else +-- +2.39.5 + diff --git a/queue-6.6/software-node-correct-a-oob-check-in-software_node_g.patch b/queue-6.6/software-node-correct-a-oob-check-in-software_node_g.patch new file mode 100644 index 0000000000..e6ed694e01 --- /dev/null +++ b/queue-6.6/software-node-correct-a-oob-check-in-software_node_g.patch @@ -0,0 +1,42 @@ +From 51357b356ff7959ec32c5d82c9b8a0ff06fd888b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 19:36:52 +0800 +Subject: software node: Correct a OOB check in + software_node_get_reference_args() + +From: Zijun Hu + +[ Upstream commit 31e4e12e0e9609850cefd4b2e1adf782f56337d6 ] + +software_node_get_reference_args() wants to get @index-th element, so +the property value requires at least '(index + 1) * sizeof(*ref)' bytes +but that can not be guaranteed by current OOB check, and may cause OOB +for malformed property. + +Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'. + +Reviewed-by: Sakari Ailus +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250414-fix_swnode-v2-1-9c9e6ae11eab@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/swnode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c +index 079bd14bdedc7..a7a3e3b66bb5e 100644 +--- a/drivers/base/swnode.c ++++ b/drivers/base/swnode.c +@@ -518,7 +518,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode, + if (prop->is_inline) + return -EINVAL; + +- if (index * sizeof(*ref) >= prop->length) ++ if ((index + 1) * sizeof(*ref) > prop->length) + return -ENOENT; + + ref_array = prop->pointer; +-- +2.39.5 + diff --git a/queue-6.6/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch b/queue-6.6/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch new file mode 100644 index 0000000000..f07016ef76 --- /dev/null +++ b/queue-6.6/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch @@ -0,0 +1,71 @@ +From 268c8a628ea202aa59d0483ff882fc1eac1f9b8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 19:39:15 +0000 +Subject: tcp: always seek for minimal rtt in tcp_rcv_rtt_update() + +From: Eric Dumazet + +[ Upstream commit b879dcb1aeeca278eacaac0b1e2425b1c7599f9f ] + +tcp_rcv_rtt_update() goal is to maintain an estimation of the RTT +in tp->rcv_rtt_est.rtt_us, used by tcp_rcv_space_adjust() + +When TCP TS are enabled, tcp_rcv_rtt_update() is using +EWMA to smooth the samples. + +Change this to immediately latch the incoming value if it +is lower than tp->rcv_rtt_est.rtt_us, so that tcp_rcv_space_adjust() +does not overshoot tp->rcvq_space.space and sk->sk_rcvbuf. + +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250513193919.1089692-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 22 ++++++++-------------- + 1 file changed, 8 insertions(+), 14 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index a172248b66783..994c563b35f32 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -671,10 +671,12 @@ EXPORT_SYMBOL(tcp_initialize_rcv_mss); + */ + static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep) + { +- u32 new_sample = tp->rcv_rtt_est.rtt_us; +- long m = sample; ++ u32 new_sample, old_sample = tp->rcv_rtt_est.rtt_us; ++ long m = sample << 3; + +- if (new_sample != 0) { ++ if (old_sample == 0 || m < old_sample) { ++ new_sample = m; ++ } else { + /* If we sample in larger samples in the non-timestamp + * case, we could grossly overestimate the RTT especially + * with chatty applications or bulk transfer apps which +@@ -685,17 +687,9 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep) + * else with timestamps disabled convergence takes too + * long. + */ +- if (!win_dep) { +- m -= (new_sample >> 3); +- new_sample += m; +- } else { +- m <<= 3; +- if (m < new_sample) +- new_sample = m; +- } +- } else { +- /* No previous measure. */ +- new_sample = m << 3; ++ if (win_dep) ++ return; ++ new_sample = old_sample - (old_sample >> 3) + sample; + } + + tp->rcv_rtt_est.rtt_us = new_sample; +-- +2.39.5 + diff --git a/queue-6.6/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch b/queue-6.6/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch new file mode 100644 index 0000000000..7ecf702797 --- /dev/null +++ b/queue-6.6/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch @@ -0,0 +1,52 @@ +From a71ef2b4f267a35a45f85e35035690ea74235c6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 19:39:14 +0000 +Subject: tcp: fix initial tp->rcvq_space.space value for passive TS enabled + flows + +From: Eric Dumazet + +[ Upstream commit cd171461b90a2d2cf230943df60d580174633718 ] + +tcp_rcv_state_process() must tweak tp->advmss for TS enabled flows +before the call to tcp_init_transfer() / tcp_init_buffer_space(). + +Otherwise tp->rcvq_space.space is off by 120 bytes +(TCP_INIT_CWND * TCPOLEN_TSTAMP_ALIGNED). + +Signed-off-by: Eric Dumazet +Reviewed-by: Wei Wang +Link: https://patch.msgid.link/20250513193919.1089692-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 994c563b35f32..66d6ad6d633c5 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -6699,6 +6699,9 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + if (!tp->srtt_us) + tcp_synack_rtt_meas(sk, req); + ++ if (tp->rx_opt.tstamp_ok) ++ tp->advmss -= TCPOLEN_TSTAMP_ALIGNED; ++ + if (req) { + tcp_rcv_synrecv_state_fastopen(sk); + } else { +@@ -6723,9 +6726,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + tp->snd_wnd = ntohs(th->window) << tp->rx_opt.snd_wscale; + tcp_init_wl(tp, TCP_SKB_CB(skb)->seq); + +- if (tp->rx_opt.tstamp_ok) +- tp->advmss -= TCPOLEN_TSTAMP_ALIGNED; +- + if (!inet_csk(sk)->icsk_ca_ops->cong_control) + tcp_update_pacing_rate(sk); + +-- +2.39.5 + diff --git a/queue-6.6/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch b/queue-6.6/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch new file mode 100644 index 0000000000..18f2f7b426 --- /dev/null +++ b/queue-6.6/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch @@ -0,0 +1,87 @@ +From 6b70bce9fa4fbbda92f357bae4feda97b24d1256 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 15:06:43 +0200 +Subject: tee: Prevent size calculation wraparound on 32-bit kernels + +From: Jann Horn + +[ Upstream commit 39bb67edcc582b3b386a9ec983da67fa8a10ec03 ] + +The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on +32-bit kernels: Multiplying a user-provided 32-bit value with the +size of a structure can wrap around on such platforms. + +Fix it by using saturating arithmetic for the size calculation. + +This has no security consequences because, in all users of +TEE_IOCTL_PARAM_SIZE(), the subsequent kcalloc() implicitly checks +for wrapping. + +Signed-off-by: Jann Horn +Signed-off-by: Jens Wiklander +Tested-by: Rouven Czerwinski +Signed-off-by: Sasha Levin +--- + drivers/tee/tee_core.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c +index 0eb342de0b001..d7ad16f262b2e 100644 +--- a/drivers/tee/tee_core.c ++++ b/drivers/tee/tee_core.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -19,7 +20,7 @@ + + #define TEE_NUM_DEVICES 32 + +-#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x)) ++#define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x))) + + #define TEE_UUID_NS_NAME_SIZE 128 + +@@ -487,7 +488,7 @@ static int tee_ioctl_open_session(struct tee_context *ctx, + if (copy_from_user(&arg, uarg, sizeof(arg))) + return -EFAULT; + +- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) ++ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) + return -EINVAL; + + if (arg.num_params) { +@@ -565,7 +566,7 @@ static int tee_ioctl_invoke(struct tee_context *ctx, + if (copy_from_user(&arg, uarg, sizeof(arg))) + return -EFAULT; + +- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) ++ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) + return -EINVAL; + + if (arg.num_params) { +@@ -699,7 +700,7 @@ static int tee_ioctl_supp_recv(struct tee_context *ctx, + if (get_user(num_params, &uarg->num_params)) + return -EFAULT; + +- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len) ++ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len) + return -EINVAL; + + params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); +@@ -798,7 +799,7 @@ static int tee_ioctl_supp_send(struct tee_context *ctx, + get_user(num_params, &uarg->num_params)) + return -EFAULT; + +- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len) ++ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len) + return -EINVAL; + + params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.6/tipc-use-kfree_sensitive-for-aead-cleanup.patch b/queue-6.6/tipc-use-kfree_sensitive-for-aead-cleanup.patch new file mode 100644 index 0000000000..9187dd9a65 --- /dev/null +++ b/queue-6.6/tipc-use-kfree_sensitive-for-aead-cleanup.patch @@ -0,0 +1,45 @@ +From faa79febf2d89218e54bc4a90ec4781dfdcc1c15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 11:47:17 +0000 +Subject: tipc: use kfree_sensitive() for aead cleanup + +From: Zilin Guan + +[ Upstream commit c8ef20fe7274c5766a317f9193b70bed717b6b3d ] + +The tipc_aead_free() function currently uses kfree() to release the aead +structure. However, this structure contains sensitive information, such +as key's SALT value, which should be securely erased from memory to +prevent potential leakage. + +To enhance security, replace kfree() with kfree_sensitive() when freeing +the aead structure. This change ensures that sensitive data is explicitly +cleared before memory deallocation, aligning with the approach used in +tipc_aead_init() and adhering to best practices for handling confidential +information. + +Signed-off-by: Zilin Guan +Reviewed-by: Tung Nguyen +Link: https://patch.msgid.link/20250523114717.4021518-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 79f91b6ca8c84..ea5bb131ebd06 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -425,7 +425,7 @@ static void tipc_aead_free(struct rcu_head *rp) + } + free_percpu(aead->tfm_entry); + kfree_sensitive(aead->key); +- kfree(aead); ++ kfree_sensitive(aead); + } + + static int tipc_aead_users(struct tipc_aead __rcu *aead) +-- +2.39.5 + diff --git a/queue-6.6/tools-nolibc-use-intmax-definitions-from-compiler.patch b/queue-6.6/tools-nolibc-use-intmax-definitions-from-compiler.patch new file mode 100644 index 0000000000..07691e71ef --- /dev/null +++ b/queue-6.6/tools-nolibc-use-intmax-definitions-from-compiler.patch @@ -0,0 +1,46 @@ +From 992231694721078a70b7adc16f60b4d115f0e431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Apr 2025 11:00:39 +0200 +Subject: tools/nolibc: use intmax definitions from compiler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit e5407c0820ea5fa7117b85ed32b724af73156d63 ] + +The printf format checking in the compiler uses the intmax types from +the compiler, not libc. This can lead to compiler errors. + +Instead use the types already provided by the compiler. + +Example issue with clang 19 for arm64: + +nolibc-test.c:30:2: error: format specifies type 'uintmax_t' (aka 'unsigned long') but the argument has type 'uintmax_t' (aka 'unsigned long long') [-Werror,-Wformat] + +Signed-off-by: Thomas Weißschuh +Acked-by: Willy Tarreau +Signed-off-by: Sasha Levin +--- + tools/include/nolibc/stdint.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/include/nolibc/stdint.h b/tools/include/nolibc/stdint.h +index 6665e272e2132..87a2b09e2dda5 100644 +--- a/tools/include/nolibc/stdint.h ++++ b/tools/include/nolibc/stdint.h +@@ -39,8 +39,8 @@ typedef size_t uint_fast32_t; + typedef int64_t int_fast64_t; + typedef uint64_t uint_fast64_t; + +-typedef int64_t intmax_t; +-typedef uint64_t uintmax_t; ++typedef __INTMAX_TYPE__ intmax_t; ++typedef __UINTMAX_TYPE__ uintmax_t; + + /* limits of integral types */ + +-- +2.39.5 + diff --git a/queue-6.6/usbnet-asix-ax88772-leave-the-carrier-control-to-phy.patch b/queue-6.6/usbnet-asix-ax88772-leave-the-carrier-control-to-phy.patch new file mode 100644 index 0000000000..1d90bbd358 --- /dev/null +++ b/queue-6.6/usbnet-asix-ax88772-leave-the-carrier-control-to-phy.patch @@ -0,0 +1,156 @@ +From c6f7b1858e9579257daf606cd34454786de4fd2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 13:59:41 +0200 +Subject: usbnet: asix AX88772: leave the carrier control to phylink +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Hałasa + +[ Upstream commit 4145f00227ee80f21ab274e9cd9c09758e9bcf3d ] + +ASIX AX88772B based USB 10/100 Ethernet adapter doesn't come +up ("carrier off"), despite the built-in 100BASE-FX PHY positive link +indication. The internal PHY is configured (using EEPROM) in fixed +100 Mbps full duplex mode. + +The primary problem appears to be using carrier_netif_{on,off}() while, +at the same time, delegating carrier management to phylink. Use only the +latter and remove "manual control" in the asix driver. + +I don't have any other AX88772 board here, but the problem doesn't seem +specific to a particular board or settings - it's probably +timing-dependent. + +Remove unused asix_adjust_link() as well. + +Signed-off-by: Krzysztof Hałasa +Tested-by: Oleksij Rempel +Link: https://patch.msgid.link/m3plhmdfte.fsf_-_@t19.piap.pl +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix.h | 1 - + drivers/net/usb/asix_common.c | 22 ---------------------- + drivers/net/usb/asix_devices.c | 17 ++++------------- + 3 files changed, 4 insertions(+), 36 deletions(-) + +diff --git a/drivers/net/usb/asix.h b/drivers/net/usb/asix.h +index 74162190bccc1..8531b804021aa 100644 +--- a/drivers/net/usb/asix.h ++++ b/drivers/net/usb/asix.h +@@ -224,7 +224,6 @@ int asix_write_rx_ctl(struct usbnet *dev, u16 mode, int in_pm); + + u16 asix_read_medium_status(struct usbnet *dev, int in_pm); + int asix_write_medium_mode(struct usbnet *dev, u16 mode, int in_pm); +-void asix_adjust_link(struct net_device *netdev); + + int asix_write_gpio(struct usbnet *dev, u16 value, int sleep, int in_pm); + +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 72ffc89b477ad..7fd763917ae2c 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -414,28 +414,6 @@ int asix_write_medium_mode(struct usbnet *dev, u16 mode, int in_pm) + return ret; + } + +-/* set MAC link settings according to information from phylib */ +-void asix_adjust_link(struct net_device *netdev) +-{ +- struct phy_device *phydev = netdev->phydev; +- struct usbnet *dev = netdev_priv(netdev); +- u16 mode = 0; +- +- if (phydev->link) { +- mode = AX88772_MEDIUM_DEFAULT; +- +- if (phydev->duplex == DUPLEX_HALF) +- mode &= ~AX_MEDIUM_FD; +- +- if (phydev->speed != SPEED_100) +- mode &= ~AX_MEDIUM_PS; +- } +- +- asix_write_medium_mode(dev, mode, 0); +- phy_print_status(phydev); +- usbnet_link_change(dev, phydev->link, 0); +-} +- + int asix_write_gpio(struct usbnet *dev, u16 value, int sleep, int in_pm) + { + int ret; +diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c +index ec4dcf89cbedd..119295f5f3b35 100644 +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -752,7 +752,6 @@ static void ax88772_mac_link_down(struct phylink_config *config, + struct usbnet *dev = netdev_priv(to_net_dev(config->dev)); + + asix_write_medium_mode(dev, 0, 0); +- usbnet_link_change(dev, false, false); + } + + static void ax88772_mac_link_up(struct phylink_config *config, +@@ -783,7 +782,6 @@ static void ax88772_mac_link_up(struct phylink_config *config, + m |= AX_MEDIUM_RFC; + + asix_write_medium_mode(dev, m, 0); +- usbnet_link_change(dev, true, false); + } + + static const struct phylink_mac_ops ax88772_phylink_mac_ops = { +@@ -1350,10 +1348,9 @@ static const struct driver_info ax88772_info = { + .description = "ASIX AX88772 USB 2.0 Ethernet", + .bind = ax88772_bind, + .unbind = ax88772_unbind, +- .status = asix_status, + .reset = ax88772_reset, + .stop = ax88772_stop, +- .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_LINK_INTR | FLAG_MULTI_PACKET, ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_MULTI_PACKET, + .rx_fixup = asix_rx_fixup_common, + .tx_fixup = asix_tx_fixup, + }; +@@ -1362,11 +1359,9 @@ static const struct driver_info ax88772b_info = { + .description = "ASIX AX88772B USB 2.0 Ethernet", + .bind = ax88772_bind, + .unbind = ax88772_unbind, +- .status = asix_status, + .reset = ax88772_reset, + .stop = ax88772_stop, +- .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_LINK_INTR | +- FLAG_MULTI_PACKET, ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_MULTI_PACKET, + .rx_fixup = asix_rx_fixup_common, + .tx_fixup = asix_tx_fixup, + .data = FLAG_EEPROM_MAC, +@@ -1376,11 +1371,9 @@ static const struct driver_info lxausb_t1l_info = { + .description = "Linux Automation GmbH USB 10Base-T1L", + .bind = ax88772_bind, + .unbind = ax88772_unbind, +- .status = asix_status, + .reset = ax88772_reset, + .stop = ax88772_stop, +- .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_LINK_INTR | +- FLAG_MULTI_PACKET, ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_MULTI_PACKET, + .rx_fixup = asix_rx_fixup_common, + .tx_fixup = asix_tx_fixup, + .data = FLAG_EEPROM_MAC, +@@ -1412,10 +1405,8 @@ static const struct driver_info hg20f9_info = { + .description = "HG20F9 USB 2.0 Ethernet", + .bind = ax88772_bind, + .unbind = ax88772_unbind, +- .status = asix_status, + .reset = ax88772_reset, +- .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_LINK_INTR | +- FLAG_MULTI_PACKET, ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_MULTI_PACKET, + .rx_fixup = asix_rx_fixup_common, + .tx_fixup = asix_tx_fixup, + .data = FLAG_EEPROM_MAC, +-- +2.39.5 + diff --git a/queue-6.6/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch b/queue-6.6/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch new file mode 100644 index 0000000000..dec741a07e --- /dev/null +++ b/queue-6.6/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch @@ -0,0 +1,75 @@ +From ea4cf48a97d1a551702a6f3fd100efd2fb7f0f75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 15:11:41 +0300 +Subject: vxlan: Do not treat dst cache initialization errors as fatal + +From: Ido Schimmel + +[ Upstream commit 20c76dadc783759fd3819d289c72be590660cc8b ] + +FDB entries are allocated in an atomic context as they can be added from +the data path when learning is enabled. + +After converting the FDB hash table to rhashtable, the insertion rate +will be much higher (*) which will entail a much higher rate of per-CPU +allocations via dst_cache_init(). + +When adding a large number of entries (e.g., 256k) in a batch, a small +percentage (< 0.02%) of these per-CPU allocations will fail [1]. This +does not happen with the current code since the insertion rate is low +enough to give the per-CPU allocator a chance to asynchronously create +new chunks of per-CPU memory. + +Given that: + +a. Only a small percentage of these per-CPU allocations fail. + +b. The scenario where this happens might not be the most realistic one. + +c. The driver can work correctly without dst caches. The dst_cache_*() +APIs first check that the dst cache was properly initialized. + +d. The dst caches are not always used (e.g., 'tos inherit'). + +It seems reasonable to not treat these allocation failures as fatal. + +Therefore, do not bail when dst_cache_init() fails and suppress warnings +by specifying '__GFP_NOWARN'. + +[1] percpu: allocation failed, size=40 align=8 atomic=1, atomic alloc failed, no space left + +(*) 97% reduction in average latency of vxlan_fdb_update() when adding +256k entries in a batch. + +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20250415121143.345227-14-idosch@nvidia.com +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index 2ed879a0abc6c..1b6b6acd34894 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -606,10 +606,10 @@ static int vxlan_fdb_append(struct vxlan_fdb *f, + if (rd == NULL) + return -ENOMEM; + +- if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) { +- kfree(rd); +- return -ENOMEM; +- } ++ /* The driver can work correctly without a dst cache, so do not treat ++ * dst cache initialization errors as fatal. ++ */ ++ dst_cache_init(&rd->dst_cache, GFP_ATOMIC | __GFP_NOWARN); + + rd->remote_ip = *ip; + rd->remote_port = port; +-- +2.39.5 + diff --git a/queue-6.6/watchdog-da9052_wdt-respect-twdmin.patch b/queue-6.6/watchdog-da9052_wdt-respect-twdmin.patch new file mode 100644 index 0000000000..b332beb2b6 --- /dev/null +++ b/queue-6.6/watchdog-da9052_wdt-respect-twdmin.patch @@ -0,0 +1,39 @@ +From 1b21dcff2d5fe5ad00346fe45c9b23d985ea91f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 09:29:51 +0100 +Subject: watchdog: da9052_wdt: respect TWDMIN + +From: Marcus Folkesson + +[ Upstream commit 325f510fcd9cda5a44bcb662b74ba4e3dabaca10 ] + +We have to wait at least the minimium time for the watchdog window +(TWDMIN) before writings to the wdt register after the +watchdog is activated. +Otherwise the chip will assert TWD_ERROR and power down to reset mode. + +Signed-off-by: Marcus Folkesson +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250326-da9052-fixes-v3-4-a38a560fef0e@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/da9052_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/da9052_wdt.c b/drivers/watchdog/da9052_wdt.c +index d708c091bf1b1..180526220d8c4 100644 +--- a/drivers/watchdog/da9052_wdt.c ++++ b/drivers/watchdog/da9052_wdt.c +@@ -164,6 +164,7 @@ static int da9052_wdt_probe(struct platform_device *pdev) + da9052_wdt = &driver_data->wdt; + + da9052_wdt->timeout = DA9052_DEF_TIMEOUT; ++ da9052_wdt->min_hw_heartbeat_ms = DA9052_TWDMIN; + da9052_wdt->info = &da9052_wdt_info; + da9052_wdt->ops = &da9052_wdt_ops; + da9052_wdt->parent = dev; +-- +2.39.5 + diff --git a/queue-6.6/wifi-ath11k-determine-pm-policy-based-on-machine-mod.patch b/queue-6.6/wifi-ath11k-determine-pm-policy-based-on-machine-mod.patch new file mode 100644 index 0000000000..6012a539e8 --- /dev/null +++ b/queue-6.6/wifi-ath11k-determine-pm-policy-based-on-machine-mod.patch @@ -0,0 +1,140 @@ +From dd66fe116daa41e23848e2d7f9972e508fa10b25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 13:32:24 +0800 +Subject: wifi: ath11k: determine PM policy based on machine model + +From: Baochen Qiang + +[ Upstream commit ce8669a27016354dfa8bf3c954255cb9f3583bae ] + +To handle the Lenovo unexpected wakeup issue [1], previously we revert +commit 166a490f59ac ("wifi: ath11k: support hibernation"). So currently +WLAN target is put into WoWLAN mode during suspend. This is a temporary +solution as it does not work on machines where WLAN power is cut off. + +The thought here is that we do WoWLAN suspend on Lenovo machines while +do non-WoWLAN suspend (which is done in the reverted commit) on other +machines. This requires us to identify Lenovo machines from others. +For that purpose, read board vendor and product name from DMI interface, +match it against all known affected machines. If there is a match, choose +WoWLAN suspend mode, else choose non-WoWLAN mode. Save the mode in ab +for later reference. + +[1] https://bugzilla.kernel.org/show_bug.cgi?id=219196 + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 + +Tested-by: Muhammad Usama Anjum +Tested-by: Takashi Iwai +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20250328-ath11k-bring-hibernation-back-v3-1-23405ae23431@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.c | 55 ++++++++++++++++++++++++++ + drivers/net/wireless/ath/ath11k/core.h | 7 ++++ + 2 files changed, 62 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c +index 609d8387c41f3..0e8ff839cae23 100644 +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -704,6 +704,52 @@ static const struct ath11k_hw_params ath11k_hw_params[] = { + }, + }; + ++static const struct dmi_system_id ath11k_pm_quirk_table[] = { ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21J4"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21K4"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21K6"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21K8"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21KA"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21F9"), ++ }, ++ }, ++ {} ++}; ++ + static inline struct ath11k_pdev *ath11k_core_get_single_pdev(struct ath11k_base *ab) + { + WARN_ON(!ab->hw_params.single_pdev_only); +@@ -2018,8 +2064,17 @@ EXPORT_SYMBOL(ath11k_core_pre_init); + + int ath11k_core_init(struct ath11k_base *ab) + { ++ const struct dmi_system_id *dmi_id; + int ret; + ++ dmi_id = dmi_first_match(ath11k_pm_quirk_table); ++ if (dmi_id) ++ ab->pm_policy = (kernel_ulong_t)dmi_id->driver_data; ++ else ++ ab->pm_policy = ATH11K_PM_DEFAULT; ++ ++ ath11k_dbg(ab, ATH11K_DBG_BOOT, "pm policy %u\n", ab->pm_policy); ++ + ret = ath11k_core_soc_create(ab); + if (ret) { + ath11k_err(ab, "failed to create soc core: %d\n", ret); +diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h +index 555deafd8399a..812a174f74c0b 100644 +--- a/drivers/net/wireless/ath/ath11k/core.h ++++ b/drivers/net/wireless/ath/ath11k/core.h +@@ -842,6 +842,11 @@ struct ath11k_msi_config { + u16 hw_rev; + }; + ++enum ath11k_pm_policy { ++ ATH11K_PM_DEFAULT, ++ ATH11K_PM_WOW, ++}; ++ + /* Master structure to hold the hw data which may be used in core module */ + struct ath11k_base { + enum ath11k_hw_rev hw_rev; +@@ -994,6 +999,8 @@ struct ath11k_base { + } testmode; + #endif + ++ enum ath11k_pm_policy pm_policy; ++ + /* must be last */ + u8 drv_priv[] __aligned(sizeof(void *)); + }; +-- +2.39.5 + diff --git a/queue-6.6/wifi-ath11k-fix-qmi-memory-reuse-logic.patch b/queue-6.6/wifi-ath11k-fix-qmi-memory-reuse-logic.patch new file mode 100644 index 0000000000..648861c94a --- /dev/null +++ b/queue-6.6/wifi-ath11k-fix-qmi-memory-reuse-logic.patch @@ -0,0 +1,70 @@ +From 1df3eec100db2b0798d727cabdcca2e293c92c5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 13:02:41 +0500 +Subject: wifi: ath11k: Fix QMI memory reuse logic + +From: Muhammad Usama Anjum + +[ Upstream commit cd2e7bae92bd7e65063ab8d04721d2b711ba4cbe ] + +Firmware requests 2 segments at first. The first segment is of 6799360 +whose allocation fails due to dma remapping not available. The success +is returned to firmware. Then firmware asks for 22 smaller segments +instead of 2 big ones. Those get allocated successfully. At suspend/ +hibernation time, these segments aren't freed as they will be reused +by firmware after resuming. + +After resuming, the firmware asks for the 2 segments again with the +first segment of 6799360 size. Since chunk->vaddr is not NULL, the +type and size are compared with the previous type and size to know if +it can be reused or not. Unfortunately, it is detected that it cannot +be reused and this first smaller segment is freed. Then we continue to +allocate 6799360 size memory which fails and ath11k_qmi_free_target_mem_chunk() +is called which frees the second smaller segment as well. Later success +is returned to firmware which asks for 22 smaller segments again. But +as we had freed 2 segments already, we'll allocate the first 2 new +smaller segments again and reuse the remaining 20. Hence 20 small +segments are being reused instead of 22. + +Add skip logic when vaddr is set, but size/type don't match. Use the +same skip and success logic as used when dma_alloc_coherent() fails. +By skipping, the possibility of resume failure due to kernel failing to +allocate memory for QMI can be avoided. + + kernel: ath11k_pci 0000:03:00.0: failed to allocate dma memory for qmi (524288 B type 1) + ath11k_pci 0000:03:00.0: failed to allocate qmi target memory: -22 + +Tested-on: WCN6855 WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 + +Signed-off-by: Muhammad Usama Anjum +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250428080242.466901-1-usama.anjum@collabora.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/qmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c +index fa46e645009cf..91e31f30d2c80 100644 +--- a/drivers/net/wireless/ath/ath11k/qmi.c ++++ b/drivers/net/wireless/ath/ath11k/qmi.c +@@ -1989,6 +1989,15 @@ static int ath11k_qmi_alloc_target_mem_chunk(struct ath11k_base *ab) + chunk->prev_size == chunk->size) + continue; + ++ if (ab->qmi.mem_seg_count <= ATH11K_QMI_FW_MEM_REQ_SEGMENT_CNT) { ++ ath11k_dbg(ab, ATH11K_DBG_QMI, ++ "size/type mismatch (current %d %u) (prev %d %u), try later with small size\n", ++ chunk->size, chunk->type, ++ chunk->prev_size, chunk->prev_type); ++ ab->qmi.target_mem_delayed = true; ++ return 0; ++ } ++ + /* cannot reuse the existing chunk */ + dma_free_coherent(ab->dev, chunk->prev_size, + chunk->vaddr, chunk->paddr); +-- +2.39.5 + diff --git a/queue-6.6/wifi-ath12k-fix-a-possible-dead-lock-caused-by-ab-ba.patch b/queue-6.6/wifi-ath12k-fix-a-possible-dead-lock-caused-by-ab-ba.patch new file mode 100644 index 0000000000..0530a6c5f1 --- /dev/null +++ b/queue-6.6/wifi-ath12k-fix-a-possible-dead-lock-caused-by-ab-ba.patch @@ -0,0 +1,56 @@ +From 027d5f7b2fa46bd6bcb45a7435c2b2043f54c40e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 10:55:34 +0800 +Subject: wifi: ath12k: fix a possible dead lock caused by ab->base_lock + +From: Baochen Qiang + +[ Upstream commit ef115c265a21e3c11deee7f73bd1061775a7bf20 ] + +spin_lock/spin_unlock are used in ath12k_reg_chan_list_event +to acquire/release ab->base_lock. For now this is safe because +that function is only called in soft IRQ context. + +But ath12k_reg_chan_list_event() will be called from process +context in an upcoming patch, and this can result in a deadlock +if ab->base_lock is acquired in process context and then soft +IRQ occurs on the same CPU and tries to acquire that lock. + +Fix it by using spin_lock_bh and spin_unlock_bh instead. + +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Signed-off-by: Baochen Qiang +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250418-ath12k-6g-lp-vlp-v1-1-c869c86cad60@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index a0ac2f350934f..31af940bc5722 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -5503,7 +5503,7 @@ static int ath12k_reg_chan_list_event(struct ath12k_base *ab, struct sk_buff *sk + goto fallback; + } + +- spin_lock(&ab->base_lock); ++ spin_lock_bh(&ab->base_lock); + if (test_bit(ATH12K_FLAG_REGISTERED, &ab->dev_flags)) { + /* Once mac is registered, ar is valid and all CC events from + * fw is considered to be received due to user requests +@@ -5527,7 +5527,7 @@ static int ath12k_reg_chan_list_event(struct ath12k_base *ab, struct sk_buff *sk + ab->default_regd[pdev_idx] = regd; + } + ab->dfs_region = reg_info->dfs_region; +- spin_unlock(&ab->base_lock); ++ spin_unlock_bh(&ab->base_lock); + + goto mem_free; + +-- +2.39.5 + diff --git a/queue-6.6/wifi-ath12k-fix-failed-to-set-mhi-state-error-during.patch b/queue-6.6/wifi-ath12k-fix-failed-to-set-mhi-state-error-during.patch new file mode 100644 index 0000000000..7c631b3235 --- /dev/null +++ b/queue-6.6/wifi-ath12k-fix-failed-to-set-mhi-state-error-during.patch @@ -0,0 +1,61 @@ +From e4ea7697677d0856caf65d8418abb36ffc31a792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 11:36:31 +0530 +Subject: wifi: ath12k: fix failed to set mhi state error during reboot with + hardware grouping + +From: Aditya Kumar Singh + +[ Upstream commit dce7aec6b1f74b0a46b901ab8de1f7bd0515f733 ] + +With hardware grouping, during reboot, whenever a device is removed, it +powers down itself and all its partner devices in the same group. Now this +is done by all devices and hence there is multiple power down for devices +and hence the following error messages can be seen: + +ath12k_pci 0002:01:00.0: failed to set mhi state POWER_OFF(3) in current mhi state (0x0) +ath12k_pci 0002:01:00.0: failed to set mhi state: POWER_OFF(3) +ath12k_pci 0002:01:00.0: failed to set mhi state DEINIT(1) in current mhi state (0x0) +ath12k_pci 0002:01:00.0: failed to set mhi state: DEINIT(1) +ath12k_pci 0003:01:00.0: failed to set mhi state POWER_OFF(3) in current mhi state (0x0) +ath12k_pci 0003:01:00.0: failed to set mhi state: POWER_OFF(3) +ath12k_pci 0003:01:00.0: failed to set mhi state DEINIT(1) in current mhi state (0x0) +ath12k_pci 0003:01:00.0: failed to set mhi state: DEINIT(1) +ath12k_pci 0004:01:00.0: failed to set mhi state POWER_OFF(3) in current mhi state (0x0) +ath12k_pci 0004:01:00.0: failed to set mhi state: POWER_OFF(3) + +To prevent this, check if the ATH12K_PCI_FLAG_INIT_DONE flag is already +set before powering down. If it is set, it indicates that another partner +device has already performed the power down, and this device can skip this +step. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Signed-off-by: Aditya Kumar Singh +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250408-fix_reboot_issues_with_hw_grouping-v4-3-95e7bf048595@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath12k/pci.c b/drivers/net/wireless/ath/ath12k/pci.c +index 5fd80f90ecafe..7dfbabf0637d2 100644 +--- a/drivers/net/wireless/ath/ath12k/pci.c ++++ b/drivers/net/wireless/ath/ath12k/pci.c +@@ -1153,6 +1153,9 @@ void ath12k_pci_power_down(struct ath12k_base *ab) + { + struct ath12k_pci *ab_pci = ath12k_pci_priv(ab); + ++ if (!test_bit(ATH12K_PCI_FLAG_INIT_DONE, &ab_pci->flags)) ++ return; ++ + /* restore aspm in case firmware bootup fails */ + ath12k_pci_aspm_restore(ab_pci); + +-- +2.39.5 + diff --git a/queue-6.6/wifi-ath12k-fix-incorrect-ce-addresses.patch b/queue-6.6/wifi-ath12k-fix-incorrect-ce-addresses.patch new file mode 100644 index 0000000000..beef9c51db --- /dev/null +++ b/queue-6.6/wifi-ath12k-fix-incorrect-ce-addresses.patch @@ -0,0 +1,57 @@ +From 41541614afdedcad19c2c6342fac10fe05a37385 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 16:22:39 +0530 +Subject: wifi: ath12k: fix incorrect CE addresses + +From: Balamurugan S + +[ Upstream commit 60031d9c3589c7983fd1deb4a4c0bebf0929890e ] + +In the current ath12k implementation, the CE addresses +CE_HOST_IE_ADDRESS and CE_HOST_IE_2_ADDRESS are incorrect. These +values were inherited from ath11k, but ath12k does not currently use +them. + +However, the Ath12k AHB support relies on these addresses. Therefore, +correct the CE addresses for ath12k. + +Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.3.1-00130-QCAHKSWPL_SILICONZ-1 +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00210-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Balamurugan S +Reviewed-by: Vasanthakumar Thiagarajan +Signed-off-by: Raj Kumar Bhagat +Link: https://patch.msgid.link/20250321-ath12k-ahb-v12-2-bb389ed76ae5@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/ce.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/ce.h b/drivers/net/wireless/ath/ath12k/ce.h +index 857bc5f9e946a..f9547a3945e44 100644 +--- a/drivers/net/wireless/ath/ath12k/ce.h ++++ b/drivers/net/wireless/ath/ath12k/ce.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-3-Clause-Clear */ + /* + * Copyright (c) 2018-2021 The Linux Foundation. All rights reserved. +- * Copyright (c) 2021-2022, 2024 Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) 2021-2022, 2024-2025 Qualcomm Innovation Center, Inc. All rights reserved. + */ + + #ifndef ATH12K_CE_H +@@ -39,8 +39,8 @@ + #define PIPEDIR_INOUT_H2H 4 /* bidirectional, host to host */ + + /* CE address/mask */ +-#define CE_HOST_IE_ADDRESS 0x00A1803C +-#define CE_HOST_IE_2_ADDRESS 0x00A18040 ++#define CE_HOST_IE_ADDRESS 0x75804C ++#define CE_HOST_IE_2_ADDRESS 0x758050 + #define CE_HOST_IE_3_ADDRESS CE_HOST_IE_ADDRESS + + #define CE_HOST_IE_3_SHIFT 0xC +-- +2.39.5 + diff --git a/queue-6.6/wifi-ath12k-fix-link-valid-field-initialization-in-t.patch b/queue-6.6/wifi-ath12k-fix-link-valid-field-initialization-in-t.patch new file mode 100644 index 0000000000..a4d1677e0b --- /dev/null +++ b/queue-6.6/wifi-ath12k-fix-link-valid-field-initialization-in-t.patch @@ -0,0 +1,44 @@ +From be856e46c1407005e7f77dafeedd3a36df5d4f8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 11:55:09 +0530 +Subject: wifi: ath12k: fix link valid field initialization in the monitor Rx + +From: Hari Chandrakanthan + +[ Upstream commit 2826139f9295821fe2b049318a1cc057ec003131 ] + +Currently, the link_valid field is not initialized in the monitor Rx path. +This can result in random values for the link_valid and link_id leads to +undefined behaviour in mac80211. Therefore, initialize the link_valid +field in the monitor Rx path. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 + +Signed-off-by: Hari Chandrakanthan +Tested-by: Nicolas Escande +Reviewed-by: Vasanthakumar Thiagarajan +Signed-off-by: Karthikeyan Periyasamy +Link: https://patch.msgid.link/20250324062518.2752822-2-quic_periyasa@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp_mon.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c +index 35f22a4a16cf2..69bf75ebd7518 100644 +--- a/drivers/net/wireless/ath/ath12k/dp_mon.c ++++ b/drivers/net/wireless/ath/ath12k/dp_mon.c +@@ -1077,6 +1077,8 @@ static void ath12k_dp_mon_rx_deliver_msdu(struct ath12k *ar, struct napi_struct + bool is_mcbc = rxcb->is_mcbc; + bool is_eapol_tkip = rxcb->is_eapol; + ++ status->link_valid = 0; ++ + if ((status->encoding == RX_ENC_HE) && !(status->flag & RX_FLAG_RADIOTAP_HE) && + !(status->flag & RX_FLAG_SKIP_MONITOR)) { + he = skb_push(msdu, sizeof(known)); +-- +2.39.5 + diff --git a/queue-6.6/wifi-ath12k-fix-macro-definition-hal_rx_msdu_pkt_len.patch b/queue-6.6/wifi-ath12k-fix-macro-definition-hal_rx_msdu_pkt_len.patch new file mode 100644 index 0000000000..6021bffa4c --- /dev/null +++ b/queue-6.6/wifi-ath12k-fix-macro-definition-hal_rx_msdu_pkt_len.patch @@ -0,0 +1,44 @@ +From 3e0ab3e85cded1adfd6917a68f02175c5a6c77b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 10:34:39 +0800 +Subject: wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET + +From: Kang Yang + +[ Upstream commit a69bbf89d751ba2d6da21d773c4e29c91c5e53c4 ] + +Currently, HAL_RX_MSDU_PKT_LENGTH_GET uses u32_get_bits to obtain the +MSDU length from the MSDU description. + +This is not right. Because all halphy descriptions are little endian. + +So use le32_get_bits for HAL_RX_MSDU_PKT_LENGTH_GET. + +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Kang Yang +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250421023444.1778-9-kang.yang@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/hal_desc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/hal_desc.h b/drivers/net/wireless/ath/ath12k/hal_desc.h +index 1bb840c2bef57..5fd9232ad101e 100644 +--- a/drivers/net/wireless/ath/ath12k/hal_desc.h ++++ b/drivers/net/wireless/ath/ath12k/hal_desc.h +@@ -683,7 +683,7 @@ enum hal_rx_msdu_desc_reo_dest_ind { + #define RX_MSDU_DESC_INFO0_DECAP_FORMAT GENMASK(30, 29) + + #define HAL_RX_MSDU_PKT_LENGTH_GET(val) \ +- (u32_get_bits((val), RX_MSDU_DESC_INFO0_MSDU_LENGTH)) ++ (le32_get_bits((val), RX_MSDU_DESC_INFO0_MSDU_LENGTH)) + + struct rx_msdu_desc { + __le32 info0; +-- +2.39.5 + diff --git a/queue-6.6/wifi-ath12k-pass-correct-values-of-center-freq1-and-.patch b/queue-6.6/wifi-ath12k-pass-correct-values-of-center-freq1-and-.patch new file mode 100644 index 0000000000..87d9bb9638 --- /dev/null +++ b/queue-6.6/wifi-ath12k-pass-correct-values-of-center-freq1-and-.patch @@ -0,0 +1,63 @@ +From 16d8fe30cbb868eafb77118c526de79cf6fece4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 15:23:14 +0530 +Subject: wifi: ath12k: Pass correct values of center freq1 and center freq2 + for 160 MHz + +From: Suraj P Kizhakkethil + +[ Upstream commit b1b01e46a3db5ad44d1e4691ba37c1e0832cd5cf ] + +Currently, for 160 MHz bandwidth, center frequency1 and +center frequency2 are not passed correctly to the firmware. +Set center frequency1 as the center frequency +of the primary 80 MHz channel segment and center frequency2 as +the center frequency of the 160 MHz channel and pass the values +to the firmware. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Suraj P Kizhakkethil +Reviewed-by: Aditya Kumar Singh +Link: https://patch.msgid.link/20250304095315.3050325-2-quic_surapk@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index 31af940bc5722..958ac4ed5c349 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -951,14 +951,24 @@ int ath12k_wmi_vdev_down(struct ath12k *ar, u8 vdev_id) + static void ath12k_wmi_put_wmi_channel(struct ath12k_wmi_channel_params *chan, + struct wmi_vdev_start_req_arg *arg) + { ++ u32 center_freq1 = arg->band_center_freq1; ++ + memset(chan, 0, sizeof(*chan)); + + chan->mhz = cpu_to_le32(arg->freq); +- chan->band_center_freq1 = cpu_to_le32(arg->band_center_freq1); +- if (arg->mode == MODE_11AC_VHT80_80) ++ chan->band_center_freq1 = cpu_to_le32(center_freq1); ++ if (arg->mode == MODE_11BE_EHT160) { ++ if (arg->freq > center_freq1) ++ chan->band_center_freq1 = cpu_to_le32(center_freq1 + 40); ++ else ++ chan->band_center_freq1 = cpu_to_le32(center_freq1 - 40); ++ ++ chan->band_center_freq2 = cpu_to_le32(center_freq1); ++ } else if (arg->mode == MODE_11BE_EHT80_80) { + chan->band_center_freq2 = cpu_to_le32(arg->band_center_freq2); +- else ++ } else { + chan->band_center_freq2 = 0; ++ } + + chan->info |= le32_encode_bits(arg->mode, WMI_CHAN_INFO_MODE); + if (arg->passive) +-- +2.39.5 + diff --git a/queue-6.6/wifi-iwlwifi-add-missing-module_firmware-for-qu-c0-j.patch b/queue-6.6/wifi-iwlwifi-add-missing-module_firmware-for-qu-c0-j.patch new file mode 100644 index 0000000000..0974a06c87 --- /dev/null +++ b/queue-6.6/wifi-iwlwifi-add-missing-module_firmware-for-qu-c0-j.patch @@ -0,0 +1,46 @@ +From f172986fcfee01900c2cfcc1de7abfb937a578bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 20:02:27 +0200 +Subject: wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Víctor Gonzalo + +[ Upstream commit 2b801487ac3be7bec561ae62d1a6c4d6f5283f8c ] + +The module metadata for the firmware file iwlwifi-Qu-c0-jf-b0-* is missing. + +Signed-off-by: Víctor Gonzalo +Link: https://patch.msgid.link/20240313180227.2224780-1-victor.gonzalo@anddroptable.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/cfg/22000.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/cfg/22000.c b/drivers/net/wireless/intel/iwlwifi/cfg/22000.c +index d594694206b33..906f2790f5619 100644 +--- a/drivers/net/wireless/intel/iwlwifi/cfg/22000.c ++++ b/drivers/net/wireless/intel/iwlwifi/cfg/22000.c +@@ -44,6 +44,8 @@ + IWL_QU_C_HR_B_FW_PRE "-" __stringify(api) ".ucode" + #define IWL_QU_B_JF_B_MODULE_FIRMWARE(api) \ + IWL_QU_B_JF_B_FW_PRE "-" __stringify(api) ".ucode" ++#define IWL_QU_C_JF_B_MODULE_FIRMWARE(api) \ ++ IWL_QU_C_JF_B_FW_PRE "-" __stringify(api) ".ucode" + #define IWL_CC_A_MODULE_FIRMWARE(api) \ + IWL_CC_A_FW_PRE "-" __stringify(api) ".ucode" + +@@ -423,6 +425,7 @@ const struct iwl_cfg iwl_cfg_quz_a0_hr_b0 = { + MODULE_FIRMWARE(IWL_QU_B_HR_B_MODULE_FIRMWARE(IWL_22000_UCODE_API_MAX)); + MODULE_FIRMWARE(IWL_QU_C_HR_B_MODULE_FIRMWARE(IWL_22000_UCODE_API_MAX)); + MODULE_FIRMWARE(IWL_QU_B_JF_B_MODULE_FIRMWARE(IWL_22000_UCODE_API_MAX)); ++MODULE_FIRMWARE(IWL_QU_C_JF_B_MODULE_FIRMWARE(IWL_22000_UCODE_API_MAX)); + MODULE_FIRMWARE(IWL_QUZ_A_HR_B_MODULE_FIRMWARE(IWL_22000_UCODE_API_MAX)); + MODULE_FIRMWARE(IWL_QUZ_A_JF_B_MODULE_FIRMWARE(IWL_22000_UCODE_API_MAX)); + MODULE_FIRMWARE(IWL_CC_A_MODULE_FIRMWARE(IWL_22000_UCODE_API_MAX)); +-- +2.39.5 + diff --git a/queue-6.6/wifi-iwlwifi-pcie-make-sure-to-lock-rxq-read.patch b/queue-6.6/wifi-iwlwifi-pcie-make-sure-to-lock-rxq-read.patch new file mode 100644 index 0000000000..44a58c189e --- /dev/null +++ b/queue-6.6/wifi-iwlwifi-pcie-make-sure-to-lock-rxq-read.patch @@ -0,0 +1,58 @@ +From 013eff382badb54195cb42efd4f3d926dc7749ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 15:38:30 +0300 +Subject: wifi: iwlwifi: pcie: make sure to lock rxq->read + +From: Miri Korenblit + +[ Upstream commit 1cc2c48c4af81bed5ddbe9f2c9d6e20fa163acf9 ] + +rxq->read is accessed without the rxq->lock in a few places, +Make sure to have the lock there. + +Signed-off-by: Miri Korenblit +Reviewed-by: Emmanuel Grumbach +Tested-by: Emmanuel Grumbach +Link: https://patch.msgid.link/20250424153620.73725f207aaa.I1a3e4b6c5fd370e029fdacfcdc9ee335788afa98@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +index e9807fcca6ad1..5c2e8d2883976 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -2701,6 +2701,8 @@ static ssize_t iwl_dbgfs_rx_queue_read(struct file *file, + for (i = 0; i < trans->num_rx_queues && pos < bufsz; i++) { + struct iwl_rxq *rxq = &trans_pcie->rxq[i]; + ++ spin_lock_bh(&rxq->lock); ++ + pos += scnprintf(buf + pos, bufsz - pos, "queue#: %2d\n", + i); + pos += scnprintf(buf + pos, bufsz - pos, "\tread: %u\n", +@@ -2721,6 +2723,7 @@ static ssize_t iwl_dbgfs_rx_queue_read(struct file *file, + pos += scnprintf(buf + pos, bufsz - pos, + "\tclosed_rb_num: Not Allocated\n"); + } ++ spin_unlock_bh(&rxq->lock); + } + ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos); + kfree(buf); +@@ -3385,8 +3388,11 @@ iwl_trans_pcie_dump_data(struct iwl_trans *trans, + /* Dump RBs is supported only for pre-9000 devices (1 queue) */ + struct iwl_rxq *rxq = &trans_pcie->rxq[0]; + /* RBs */ ++ spin_lock_bh(&rxq->lock); + num_rbs = iwl_get_closed_rb_stts(trans, rxq); + num_rbs = (num_rbs - rxq->read) & RX_QUEUE_MASK; ++ spin_unlock_bh(&rxq->lock); ++ + len += num_rbs * (sizeof(*data) + + sizeof(struct iwl_fw_error_dump_rb) + + (PAGE_SIZE << trans_pcie->rx_page_order)); +-- +2.39.5 + diff --git a/queue-6.6/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch b/queue-6.6/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch new file mode 100644 index 0000000000..95b3fe0b9b --- /dev/null +++ b/queue-6.6/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch @@ -0,0 +1,67 @@ +From 6a7b37813e5f846f19c1bc17f9945dd80b551e2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 21:10:42 +0200 +Subject: wifi: mac80211: do not offer a mesh path if forwarding is disabled + +From: Benjamin Berg + +[ Upstream commit cf1b684a06170d253b47d6a5287821de976435bd ] + +When processing a PREQ the code would always check whether we have a +mesh path locally and reply accordingly. However, when forwarding is +disabled then we should not reply with this information as we will not +forward data packets down that path. + +Move the check for dot11MeshForwarding up in the function and skip the +mesh path lookup in that case. In the else block, set forward to false +so that the rest of the function becomes a no-op and the +dot11MeshForwarding check does not need to be duplicated. + +This explains an effect observed in the Freifunk community where mesh +forwarding is disabled. In that case a mesh with three STAs and only bad +links in between them, individual STAs would occionally have indirect +mpath entries. This should not have happened. + +Signed-off-by: Benjamin Berg +Reviewed-by: Rouven Czerwinski +Link: https://patch.msgid.link/20250430191042.3287004-1-benjamin@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_hwmp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index c6395551f5df0..54930b06c3a4a 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -634,7 +634,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + mesh_path_add_gate(mpath); + } + rcu_read_unlock(); +- } else { ++ } else if (ifmsh->mshcfg.dot11MeshForwarding) { + rcu_read_lock(); + mpath = mesh_path_lookup(sdata, target_addr); + if (mpath) { +@@ -652,6 +652,8 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + } + } + rcu_read_unlock(); ++ } else { ++ forward = false; + } + + if (reply) { +@@ -669,7 +671,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + } + } + +- if (forward && ifmsh->mshcfg.dot11MeshForwarding) { ++ if (forward) { + u32 preq_id; + u8 hopcount; + +-- +2.39.5 + diff --git a/queue-6.6/wifi-mac80211-vlan-traffic-in-multicast-path.patch b/queue-6.6/wifi-mac80211-vlan-traffic-in-multicast-path.patch new file mode 100644 index 0000000000..04c7c12d1b --- /dev/null +++ b/queue-6.6/wifi-mac80211-vlan-traffic-in-multicast-path.patch @@ -0,0 +1,45 @@ +From 943a590f213e17ddb51d3f6fa7c841aa3b26ba22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 14:31:25 -0700 +Subject: wifi: mac80211: VLAN traffic in multicast path + +From: Muna Sinada + +[ Upstream commit 1a4a6a22552ca9d723f28a1fe35eab1b9b3d8b33 ] + +Currently for MLO, sending out multicast frames on each link is handled by +mac80211 only when IEEE80211_HW_MLO_MCAST_MULTI_LINK_TX flag is not set. + +Dynamic VLAN multicast traffic utilizes software encryption. +Due to this, mac80211 should handle transmitting multicast frames on +all links for multicast VLAN traffic. + +Signed-off-by: Muna Sinada +Link: https://patch.msgid.link/20250325213125.1509362-4-muna.sinada@oss.qualcomm.com +[remove unnecessary parentheses] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 45a093d3f1fa7..ec5469add68a2 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -4507,8 +4507,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb, + IEEE80211_TX_CTRL_MLO_LINK_UNSPEC, + NULL); + } else if (ieee80211_vif_is_mld(&sdata->vif) && +- sdata->vif.type == NL80211_IFTYPE_AP && +- !ieee80211_hw_check(&sdata->local->hw, MLO_MCAST_MULTI_LINK_TX)) { ++ ((sdata->vif.type == NL80211_IFTYPE_AP && ++ !ieee80211_hw_check(&sdata->local->hw, MLO_MCAST_MULTI_LINK_TX)) || ++ (sdata->vif.type == NL80211_IFTYPE_AP_VLAN && ++ !sdata->wdev.use_4addr))) { + ieee80211_mlo_multicast_tx(dev, skb); + } else { + normal: +-- +2.39.5 + diff --git a/queue-6.6/wifi-mac80211_hwsim-prevent-tsf-from-setting-if-beac.patch b/queue-6.6/wifi-mac80211_hwsim-prevent-tsf-from-setting-if-beac.patch new file mode 100644 index 0000000000..57980fe560 --- /dev/null +++ b/queue-6.6/wifi-mac80211_hwsim-prevent-tsf-from-setting-if-beac.patch @@ -0,0 +1,42 @@ +From 4a241acbc834f24babe6f87a5a7aafe66d401847 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 22:15:53 +0800 +Subject: wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled + +From: Edward Adam Davis + +[ Upstream commit c575f5374be7a5c4be4acb9fe6be3a4669d94674 ] + +Setting tsf is meaningless if beacon is disabled, so check that beacon +is enabled before setting tsf. + +Reported-by: syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=064815c6cd721082a52a +Tested-by: syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Link: https://patch.msgid.link/tencent_3609AC2EFAAED68CA5A7E3C6D212D1C67806@qq.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virtual/mac80211_hwsim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c +index d86a1bd7aab08..f5f48f7e6d26e 100644 +--- a/drivers/net/wireless/virtual/mac80211_hwsim.c ++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c +@@ -1201,6 +1201,11 @@ static void mac80211_hwsim_set_tsf(struct ieee80211_hw *hw, + /* MLD not supported here */ + u32 bcn_int = data->link_data[0].beacon_int; + u64 delta = abs(tsf - now); ++ struct ieee80211_bss_conf *conf; ++ ++ conf = link_conf_dereference_protected(vif, data->link_data[0].link_id); ++ if (conf && !conf->enable_beacon) ++ return; + + /* adjust after beaconing with new timestamp at old TBTT */ + if (tsf > now) { +-- +2.39.5 + diff --git a/queue-6.6/wifi-mt76-mt76x2-add-support-for-liteon-wn4516r-wn45.patch b/queue-6.6/wifi-mt76-mt76x2-add-support-for-liteon-wn4516r-wn45.patch new file mode 100644 index 0000000000..255e2496a3 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt76x2-add-support-for-liteon-wn4516r-wn45.patch @@ -0,0 +1,86 @@ +From fa55d15bd37c2f2411343a12b6c901878f752198 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 16:39:14 +0200 +Subject: wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R + +From: Henk Vergonet + +[ Upstream commit 3c0e4f606d8693795a2c965d6f4987b1bfc31097 ] + +Adds support for: + - LiteOn WN4516R + - LiteOn WN4519R + Both use: + - A nonstandard USB connector + - Mediatek chipset MT7600U + - ASIC revision: 76320044 + +Disabled VHT support on ASIC revision 76320044: + + This fixes the 5G connectibity issue on LiteOn WN4519R module + see https://github.com/openwrt/mt76/issues/971 + + And may also fix the 5G issues on the XBox One Wireless Adapter + see https://github.com/openwrt/mt76/issues/200 + + I have looked at the FCC info related to the MT7632U chip as mentioned in here: + https://github.com/openwrt/mt76/issues/459 + These confirm the chipset does not support 'ac' mode and hence VHT should be turned of. + +Signed-off-by: Henk Vergonet +Acked-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20250418143914.31384-1-henk.vergonet@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 2 ++ + .../net/wireless/mediatek/mt76/mt76x2/usb_init.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c +index 70d3895762b4c..00248e2b21ea7 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c +@@ -17,6 +17,8 @@ static const struct usb_device_id mt76x2u_device_table[] = { + { USB_DEVICE(0x057c, 0x8503) }, /* Avm FRITZ!WLAN AC860 */ + { USB_DEVICE(0x7392, 0xb711) }, /* Edimax EW 7722 UAC */ + { USB_DEVICE(0x0e8d, 0x7632) }, /* HC-M7662BU1 */ ++ { USB_DEVICE(0x0471, 0x2126) }, /* LiteOn WN4516R module, nonstandard USB connector */ ++ { USB_DEVICE(0x0471, 0x7600) }, /* LiteOn WN4519R module, nonstandard USB connector */ + { USB_DEVICE(0x2c4e, 0x0103) }, /* Mercury UD13 */ + { USB_DEVICE(0x0846, 0x9053) }, /* Netgear A6210 */ + { USB_DEVICE(0x045e, 0x02e6) }, /* XBox One Wireless Adapter */ +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c +index 33a14365ec9b9..3b55628115115 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c +@@ -191,6 +191,7 @@ int mt76x2u_register_device(struct mt76x02_dev *dev) + { + struct ieee80211_hw *hw = mt76_hw(dev); + struct mt76_usb *usb = &dev->mt76.usb; ++ bool vht; + int err; + + INIT_DELAYED_WORK(&dev->cal_work, mt76x2u_phy_calibrate); +@@ -217,7 +218,17 @@ int mt76x2u_register_device(struct mt76x02_dev *dev) + + /* check hw sg support in order to enable AMSDU */ + hw->max_tx_fragments = dev->mt76.usb.sg_en ? MT_TX_SG_MAX_SIZE : 1; +- err = mt76_register_device(&dev->mt76, true, mt76x02_rates, ++ switch (dev->mt76.rev) { ++ case 0x76320044: ++ /* these ASIC revisions do not support VHT */ ++ vht = false; ++ break; ++ default: ++ vht = true; ++ break; ++ } ++ ++ err = mt76_register_device(&dev->mt76, vht, mt76x02_rates, + ARRAY_SIZE(mt76x02_rates)); + if (err) + goto fail; +-- +2.39.5 + diff --git a/queue-6.6/wifi-mt76-mt7921-add-160-mhz-ap-for-mt7922-device.patch b/queue-6.6/wifi-mt76-mt7921-add-160-mhz-ap-for-mt7922-device.patch new file mode 100644 index 0000000000..e647aa9dab --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7921-add-160-mhz-ap-for-mt7922-device.patch @@ -0,0 +1,38 @@ +From 3c0002c640bca28b6a3b86902ab2badf138c8c73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 19:53:09 -0500 +Subject: wifi: mt76: mt7921: add 160 MHz AP for mt7922 device + +From: Samuel Williams + +[ Upstream commit 7011faebe543f8f094fdb3281d0ec9e1eab81309 ] + +This allows mt7922 in hostapd mode to transmit up to 1.4 Gbps. + +Signed-off-by: Samuel Williams +Link: https://patch.msgid.link/20250511005316.1118961-1-sam8641@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +index 31ef58e2a3d2a..8e2ec39563317 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -83,6 +83,11 @@ mt7921_init_he_caps(struct mt792x_phy *phy, enum nl80211_band band, + he_cap_elem->phy_cap_info[9] |= + IEEE80211_HE_PHY_CAP9_TX_1024_QAM_LESS_THAN_242_TONE_RU | + IEEE80211_HE_PHY_CAP9_RX_1024_QAM_LESS_THAN_242_TONE_RU; ++ ++ if (is_mt7922(phy->mt76->dev)) { ++ he_cap_elem->phy_cap_info[0] |= ++ IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G; ++ } + break; + case NL80211_IFTYPE_STATION: + he_cap_elem->mac_cap_info[1] |= +-- +2.39.5 + diff --git a/queue-6.6/wifi-mt76-mt7996-drop-fragments-with-multicast-or-br.patch b/queue-6.6/wifi-mt76-mt7996-drop-fragments-with-multicast-or-br.patch new file mode 100644 index 0000000000..78241ae740 --- /dev/null +++ b/queue-6.6/wifi-mt76-mt7996-drop-fragments-with-multicast-or-br.patch @@ -0,0 +1,44 @@ +From 63f84f5e9b864b217e12de373ca6eacd9494f352 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 11:29:47 +0800 +Subject: wifi: mt76: mt7996: drop fragments with multicast or broadcast RA + +From: Benjamin Lin + +[ Upstream commit 80fda1cd7b0a1edd0849dc71403a070d0922118d ] + +IEEE 802.11 fragmentation can only be applied to unicast frames. +Therefore, drop fragments with multicast or broadcast RA. This patch +addresses vulnerabilities such as CVE-2020-26145. + +Signed-off-by: Benjamin Lin +Signed-off-by: Shayne Chen +Link: https://patch.msgid.link/20250515032952.1653494-4-shayne.chen@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +index 35d9673ec0d8f..8fa16f95e6a7b 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +@@ -650,6 +650,14 @@ mt7996_mac_fill_rx(struct mt7996_dev *dev, struct sk_buff *skb) + status->last_amsdu = amsdu_info == MT_RXD4_LAST_AMSDU_FRAME; + } + ++ /* IEEE 802.11 fragmentation can only be applied to unicast frames. ++ * Hence, drop fragments with multicast/broadcast RA. ++ * This check fixes vulnerabilities, like CVE-2020-26145. ++ */ ++ if ((ieee80211_has_morefrags(fc) || seq_ctrl & IEEE80211_SCTL_FRAG) && ++ FIELD_GET(MT_RXD3_NORMAL_ADDR_TYPE, rxd3) != MT_RXD3_NORMAL_U2M) ++ return -EINVAL; ++ + hdr_gap = (u8 *)rxd - skb->data + 2 * remove_pad; + if (hdr_trans && ieee80211_has_morefrags(fc)) { + if (mt7996_reverse_frag0_hdr_trans(skb, hdr_gap)) +-- +2.39.5 + diff --git a/queue-6.6/wifi-rtw89-leave-idle-mode-when-setting-wep-encrypti.patch b/queue-6.6/wifi-rtw89-leave-idle-mode-when-setting-wep-encrypti.patch new file mode 100644 index 0000000000..479bbc5f4f --- /dev/null +++ b/queue-6.6/wifi-rtw89-leave-idle-mode-when-setting-wep-encrypti.patch @@ -0,0 +1,49 @@ +From 4971901bf6bd97b3f5a04501d1d202cf73b2b033 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 11:12:03 +0800 +Subject: wifi: rtw89: leave idle mode when setting WEP encryption for AP mode + +From: Dian-Syuan Yang + +[ Upstream commit d105652b33245162867ac769bea336976e67efb8 ] + +Due to mac80211 triggering the hardware to enter idle mode, it fails +to install WEP key causing connected station can't ping successfully. +Currently, it forces the hardware to leave idle mode before driver +adding WEP keys. + +Signed-off-by: Dian-Syuan Yang +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250507031203.8256-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/cam.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtw89/cam.c b/drivers/net/wireless/realtek/rtw89/cam.c +index f5301c2bbf133..9a0ffaddb8360 100644 +--- a/drivers/net/wireless/realtek/rtw89/cam.c ++++ b/drivers/net/wireless/realtek/rtw89/cam.c +@@ -6,6 +6,7 @@ + #include "debug.h" + #include "fw.h" + #include "mac.h" ++#include "ps.h" + + static struct sk_buff * + rtw89_cam_get_sec_key_cmd(struct rtw89_dev *rtwdev, +@@ -333,9 +334,11 @@ int rtw89_cam_sec_key_add(struct rtw89_dev *rtwdev, + + switch (key->cipher) { + case WLAN_CIPHER_SUITE_WEP40: ++ rtw89_leave_ips_by_hwflags(rtwdev); + hw_key_type = RTW89_SEC_KEY_TYPE_WEP40; + break; + case WLAN_CIPHER_SUITE_WEP104: ++ rtw89_leave_ips_by_hwflags(rtwdev); + hw_key_type = RTW89_SEC_KEY_TYPE_WEP104; + break; + case WLAN_CIPHER_SUITE_CCMP: +-- +2.39.5 + diff --git a/queue-6.6/wireless-purelifi-plfxlc-fix-memory-leak-in-plfxlc_u.patch b/queue-6.6/wireless-purelifi-plfxlc-fix-memory-leak-in-plfxlc_u.patch new file mode 100644 index 0000000000..a6fbc8e7d4 --- /dev/null +++ b/queue-6.6/wireless-purelifi-plfxlc-fix-memory-leak-in-plfxlc_u.patch @@ -0,0 +1,39 @@ +From 76155a6e6dc3473e9640196ab48a912df320cdd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Apr 2025 10:57:45 +0100 +Subject: wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() + +From: Salah Triki + +[ Upstream commit 63a9a727d373fa5b8ce509eef50dbc45e0f745b9 ] + +Add usb_free_urb() in the error path to prevent memory leak. + +Signed-off-by: Salah Triki +Link: https://patch.msgid.link/aA3_maPlEJzO7wrL@pc +[fix subject] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/purelifi/plfxlc/usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/purelifi/plfxlc/usb.c b/drivers/net/wireless/purelifi/plfxlc/usb.c +index 311676c1ece0a..8151bc5e00ccc 100644 +--- a/drivers/net/wireless/purelifi/plfxlc/usb.c ++++ b/drivers/net/wireless/purelifi/plfxlc/usb.c +@@ -503,8 +503,10 @@ int plfxlc_usb_wreq_async(struct plfxlc_usb *usb, const u8 *buffer, + (void *)buffer, buffer_len, complete_fn, context); + + r = usb_submit_urb(urb, GFP_ATOMIC); +- if (r) ++ if (r) { ++ usb_free_urb(urb); + dev_err(&udev->dev, "Async write submit failed (%d)\n", r); ++ } + + return r; + } +-- +2.39.5 + diff --git a/queue-6.6/x86-sgx-prevent-attempts-to-reclaim-poisoned-pages.patch b/queue-6.6/x86-sgx-prevent-attempts-to-reclaim-poisoned-pages.patch new file mode 100644 index 0000000000..719549dc12 --- /dev/null +++ b/queue-6.6/x86-sgx-prevent-attempts-to-reclaim-poisoned-pages.patch @@ -0,0 +1,87 @@ +From 5be90f5e6fc5649ef544b9c4c08d51b917e85aa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 01:04:29 +0200 +Subject: x86/sgx: Prevent attempts to reclaim poisoned pages + +From: Andrew Zaborowski + +[ Upstream commit ed16618c380c32c68c06186d0ccbb0d5e0586e59 ] + +TL;DR: SGX page reclaim touches the page to copy its contents to +secondary storage. SGX instructions do not gracefully handle machine +checks. Despite this, the existing SGX code will try to reclaim pages +that it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages. + +The longer story: + +Pages used by an enclave only get epc_page->poison set in +arch_memory_failure() but they currently stay on sgx_active_page_list until +sgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched. + +epc_page->poison is not checked in the reclaimer logic meaning that, if other +conditions are met, an attempt will be made to reclaim an EPC page that was +poisoned. This is bad because 1. we don't want that page to end up added +to another enclave and 2. it is likely to cause one core to shut down +and the kernel to panic. + +Specifically, reclaiming uses microcode operations including "EWB" which +accesses the EPC page contents to encrypt and write them out to non-SGX +memory. Those operations cannot handle MCEs in their accesses other than +by putting the executing core into a special shutdown state (affecting +both threads with HT.) The kernel will subsequently panic on the +remaining cores seeing the core didn't enter MCE handler(s) in time. + +Call sgx_unmark_page_reclaimable() to remove the affected EPC page from +sgx_active_page_list on memory error to stop it being considered for +reclaiming. + +Testing epc_page->poison in sgx_reclaim_pages() would also work but I assume +it's better to add code in the less likely paths. + +The affected EPC page is not added to &node->sgx_poison_page_list until +later in sgx_encl_release()->sgx_free_epc_page() when it is EREMOVEd. +Membership on other lists doesn't change to avoid changing any of the +lists' semantics except for sgx_active_page_list. There's a "TBD" comment +in arch_memory_failure() about pre-emptive actions, the goal here is not +to address everything that it may imply. + +This also doesn't completely close the time window when a memory error +notification will be fatal (for a not previously poisoned EPC page) -- +the MCE can happen after sgx_reclaim_pages() has selected its candidates +or even *inside* a microcode operation (actually easy to trigger due to +the amount of time spent in them.) + +The spinlock in sgx_unmark_page_reclaimable() is safe because +memory_failure() runs in process context and no spinlocks are held, +explicitly noted in a mm/memory-failure.c comment. + +Signed-off-by: Andrew Zaborowski +Signed-off-by: Ingo Molnar +Acked-by: Dave Hansen +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Tony Luck +Cc: balrogg@gmail.com +Cc: linux-sgx@vger.kernel.org +Link: https://lore.kernel.org/r/20250508230429.456271-1-andrew.zaborowski@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/sgx/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c +index c7f8c3200e8d7..0db6eeeeb6720 100644 +--- a/arch/x86/kernel/cpu/sgx/main.c ++++ b/arch/x86/kernel/cpu/sgx/main.c +@@ -718,6 +718,8 @@ int arch_memory_failure(unsigned long pfn, int flags) + goto out; + } + ++ sgx_unmark_page_reclaimable(page); ++ + /* + * TBD: Add additional plumbing to enable pre-emptive + * action for asynchronous poison notification. Until +-- +2.39.5 +