From: Greg Kroah-Hartman Date: Fri, 6 Dec 2024 12:07:55 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.6.64~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8efe05004075cfdd58449a4c3d00bfe5af398f8f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: ad7780-fix-division-by-zero-in-ad7780_write_raw.patch arm-9429-1-ioremap-sync-pgds-for-vmalloc-shadow.patch arm-9430-1-entry-do-a-dummy-read-from-vmap-shadow.patch arm-9431-1-mm-pair-atomic_set_release-with-_read_acquire.patch ceph-extract-entity-name-from-device-id.patch ceph-fix-cred-leak-in-ceph_mds_check_access.patch ceph-pass-cred-pointer-to-ceph_mds_auth_match.patch driver-core-fw_devlink-stop-trying-to-optimize-cycle-detection-logic.patch f2fs-fix-to-drop-all-discards-after-creating-snapshot-on-lvm-device.patch mm-slub-avoid-list-corruption-when-removing-a-slab-from-the-full-list.patch mtd-spinand-winbond-fix-512gw-01gw-01jw-and-02jw-ecc-information.patch mtd-spinand-winbond-fix-512gw-and-02jw-oob-layout.patch net-stmmac-set-initial-eee-policy-configuration.patch nvmem-core-check-read_only-flag-for-force_ro-in-bin_attr_nvmem_write.patch pci-imx6-fix-suspend-resume-support-on-i.mx6qdl.patch pci-qcom-disable-aspm-l0s-for-x1e80100.patch perf-jevents-fix-breakage-when-do-perf-stat-on-system-metric.patch remoteproc-qcom_q6v5_pas-disable-auto-boot-for-wpss.patch s390-entry-mark-irq-entries-to-fix-stack-depot-warnings.patch spmi-pmic-arb-fix-return-path-in-for_each_available_child_of_node.patch vfio-qat-fix-overflow-check-in-qat_vf_resume_write.patch --- diff --git a/queue-6.12/ad7780-fix-division-by-zero-in-ad7780_write_raw.patch b/queue-6.12/ad7780-fix-division-by-zero-in-ad7780_write_raw.patch new file mode 100644 index 00000000000..cb066480a93 --- /dev/null +++ b/queue-6.12/ad7780-fix-division-by-zero-in-ad7780_write_raw.patch @@ -0,0 +1,35 @@ +From c174b53e95adf2eece2afc56cd9798374919f99a Mon Sep 17 00:00:00 2001 +From: Zicheng Qu +Date: Mon, 28 Oct 2024 14:20:27 +0000 +Subject: ad7780: fix division by zero in ad7780_write_raw() + +From: Zicheng Qu + +commit c174b53e95adf2eece2afc56cd9798374919f99a upstream. + +In the ad7780_write_raw() , val2 can be zero, which might lead to a +division by zero error in DIV_ROUND_CLOSEST(). The ad7780_write_raw() +is based on iio_info's write_raw. While val is explicitly declared that +can be zero (in read mode), val2 is not specified to be non-zero. + +Fixes: 9085daa4abcc ("staging: iio: ad7780: add gain & filter gpio support") +Cc: stable@vger.kernel.org +Signed-off-by: Zicheng Qu +Link: https://patch.msgid.link/20241028142027.1032332-1-quzicheng@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7780.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad7780.c ++++ b/drivers/iio/adc/ad7780.c +@@ -152,7 +152,7 @@ static int ad7780_write_raw(struct iio_d + + switch (m) { + case IIO_CHAN_INFO_SCALE: +- if (val != 0) ++ if (val != 0 || val2 == 0) + return -EINVAL; + + vref = st->int_vref_mv * 1000000LL; diff --git a/queue-6.12/arm-9429-1-ioremap-sync-pgds-for-vmalloc-shadow.patch b/queue-6.12/arm-9429-1-ioremap-sync-pgds-for-vmalloc-shadow.patch new file mode 100644 index 00000000000..0440bb429d3 --- /dev/null +++ b/queue-6.12/arm-9429-1-ioremap-sync-pgds-for-vmalloc-shadow.patch @@ -0,0 +1,89 @@ +From d6e6a74d4cea853b5321eeabb69c611148eedefe Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Wed, 23 Oct 2024 13:03:14 +0100 +Subject: ARM: 9429/1: ioremap: Sync PGDs for VMALLOC shadow + +From: Linus Walleij + +commit d6e6a74d4cea853b5321eeabb69c611148eedefe upstream. + +When sync:ing the VMALLOC area to other CPUs, make sure to also +sync the KASAN shadow memory for the VMALLOC area, so that we +don't get stale entries for the shadow memory in the top level PGD. + +Since we are now copying PGDs in two instances, create a helper +function named memcpy_pgd() to do the actual copying, and +create a helper to map the addresses of VMALLOC_START and +VMALLOC_END into the corresponding shadow memory. + +Co-developed-by: Melon Liu + +Cc: stable@vger.kernel.org +Fixes: 565cbaad83d8 ("ARM: 9202/1: kasan: support CONFIG_KASAN_VMALLOC") +Link: https://lore.kernel.org/linux-arm-kernel/a1a1d062-f3a2-4d05-9836-3b098de9db6d@foss.st.com/ +Reported-by: Clement LE GOFFIC +Suggested-by: Mark Rutland +Suggested-by: Russell King (Oracle) +Acked-by: Mark Rutland +Signed-off-by: Linus Walleij +Signed-off-by: Russell King (Oracle) +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mm/ioremap.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +--- a/arch/arm/mm/ioremap.c ++++ b/arch/arm/mm/ioremap.c +@@ -23,6 +23,7 @@ + */ + #include + #include ++#include + #include + #include + #include +@@ -115,16 +116,40 @@ int ioremap_page(unsigned long virt, uns + } + EXPORT_SYMBOL(ioremap_page); + ++#ifdef CONFIG_KASAN ++static unsigned long arm_kasan_mem_to_shadow(unsigned long addr) ++{ ++ return (unsigned long)kasan_mem_to_shadow((void *)addr); ++} ++#else ++static unsigned long arm_kasan_mem_to_shadow(unsigned long addr) ++{ ++ return 0; ++} ++#endif ++ ++static void memcpy_pgd(struct mm_struct *mm, unsigned long start, ++ unsigned long end) ++{ ++ end = ALIGN(end, PGDIR_SIZE); ++ memcpy(pgd_offset(mm, start), pgd_offset_k(start), ++ sizeof(pgd_t) * (pgd_index(end) - pgd_index(start))); ++} ++ + void __check_vmalloc_seq(struct mm_struct *mm) + { + int seq; + + do { + seq = atomic_read(&init_mm.context.vmalloc_seq); +- memcpy(pgd_offset(mm, VMALLOC_START), +- pgd_offset_k(VMALLOC_START), +- sizeof(pgd_t) * (pgd_index(VMALLOC_END) - +- pgd_index(VMALLOC_START))); ++ memcpy_pgd(mm, VMALLOC_START, VMALLOC_END); ++ if (IS_ENABLED(CONFIG_KASAN_VMALLOC)) { ++ unsigned long start = ++ arm_kasan_mem_to_shadow(VMALLOC_START); ++ unsigned long end = ++ arm_kasan_mem_to_shadow(VMALLOC_END); ++ memcpy_pgd(mm, start, end); ++ } + /* + * Use a store-release so that other CPUs that observe the + * counter's new value are guaranteed to see the results of the diff --git a/queue-6.12/arm-9430-1-entry-do-a-dummy-read-from-vmap-shadow.patch b/queue-6.12/arm-9430-1-entry-do-a-dummy-read-from-vmap-shadow.patch new file mode 100644 index 00000000000..fa582533edd --- /dev/null +++ b/queue-6.12/arm-9430-1-entry-do-a-dummy-read-from-vmap-shadow.patch @@ -0,0 +1,50 @@ +From 44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Wed, 23 Oct 2024 13:04:44 +0100 +Subject: ARM: 9430/1: entry: Do a dummy read from VMAP shadow + +From: Linus Walleij + +commit 44e9a3bb76e5f2eecd374c8176b2c5163c8bb2e2 upstream. + +When switching task, in addition to a dummy read from the new +VMAP stack, also do a dummy read from the VMAP stack's +corresponding KASAN shadow memory to sync things up in +the new MM context. + +Cc: stable@vger.kernel.org +Fixes: a1c510d0adc6 ("ARM: implement support for vmap'ed stacks") +Link: https://lore.kernel.org/linux-arm-kernel/a1a1d062-f3a2-4d05-9836-3b098de9db6d@foss.st.com/ +Reported-by: Clement LE GOFFIC +Suggested-by: Ard Biesheuvel +Signed-off-by: Linus Walleij +Signed-off-by: Russell King (Oracle) +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kernel/entry-armv.S | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include "entry-header.S" + #include +@@ -561,6 +562,13 @@ ENTRY(__switch_to) + @ entries covering the vmalloc region. + @ + ldr r2, [ip] ++#ifdef CONFIG_KASAN_VMALLOC ++ @ Also dummy read from the KASAN shadow memory for the new stack if we ++ @ are using KASAN ++ mov_l r2, KASAN_SHADOW_OFFSET ++ add r2, r2, ip, lsr #KASAN_SHADOW_SCALE_SHIFT ++ ldr r2, [r2] ++#endif + #endif + + @ When CONFIG_THREAD_INFO_IN_TASK=n, the update of SP itself is what diff --git a/queue-6.12/arm-9431-1-mm-pair-atomic_set_release-with-_read_acquire.patch b/queue-6.12/arm-9431-1-mm-pair-atomic_set_release-with-_read_acquire.patch new file mode 100644 index 00000000000..cce8d4d8b7e --- /dev/null +++ b/queue-6.12/arm-9431-1-mm-pair-atomic_set_release-with-_read_acquire.patch @@ -0,0 +1,42 @@ +From 93ee385254d53849c01dd8ab9bc9d02790ee7f0e Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Wed, 23 Oct 2024 13:05:34 +0100 +Subject: ARM: 9431/1: mm: Pair atomic_set_release() with _read_acquire() + +From: Linus Walleij + +commit 93ee385254d53849c01dd8ab9bc9d02790ee7f0e upstream. + +The code for syncing vmalloc memory PGD pointers is using +atomic_read() in pair with atomic_set_release() but the +proper pairing is atomic_read_acquire() paired with +atomic_set_release(). + +This is done to clearly instruct the compiler to not +reorder the memcpy() or similar calls inside the section +so that we do not observe changes to init_mm. memcpy() +calls should be identified by the compiler as having +unpredictable side effects, but let's try to be on the +safe side. + +Cc: stable@vger.kernel.org +Fixes: d31e23aff011 ("ARM: mm: make vmalloc_seq handling SMP safe") +Suggested-by: Mark Rutland +Signed-off-by: Linus Walleij +Signed-off-by: Russell King (Oracle) +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mm/ioremap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mm/ioremap.c ++++ b/arch/arm/mm/ioremap.c +@@ -141,7 +141,7 @@ void __check_vmalloc_seq(struct mm_struc + int seq; + + do { +- seq = atomic_read(&init_mm.context.vmalloc_seq); ++ seq = atomic_read_acquire(&init_mm.context.vmalloc_seq); + memcpy_pgd(mm, VMALLOC_START, VMALLOC_END); + if (IS_ENABLED(CONFIG_KASAN_VMALLOC)) { + unsigned long start = diff --git a/queue-6.12/ceph-extract-entity-name-from-device-id.patch b/queue-6.12/ceph-extract-entity-name-from-device-id.patch new file mode 100644 index 00000000000..b28ca63b064 --- /dev/null +++ b/queue-6.12/ceph-extract-entity-name-from-device-id.patch @@ -0,0 +1,53 @@ +From 955710afcb3bb63e21e186451ed5eba85fa14d0b Mon Sep 17 00:00:00 2001 +From: Patrick Donnelly +Date: Sat, 12 Oct 2024 20:54:11 -0400 +Subject: ceph: extract entity name from device id + +From: Patrick Donnelly + +commit 955710afcb3bb63e21e186451ed5eba85fa14d0b upstream. + +Previously, the "name" in the new device syntax "@." +was ignored because (presumably) tests were done using mount.ceph which +also passed the entity name using "-o name=foo". If mounting is done +without the mount.ceph helper, the new device id syntax fails to set +the name properly. + +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/68516 +Signed-off-by: Patrick Donnelly +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/super.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -285,7 +285,9 @@ static int ceph_parse_new_source(const c + size_t len; + struct ceph_fsid fsid; + struct ceph_parse_opts_ctx *pctx = fc->fs_private; ++ struct ceph_options *opts = pctx->copts; + struct ceph_mount_options *fsopt = pctx->opts; ++ const char *name_start = dev_name; + char *fsid_start, *fs_name_start; + + if (*dev_name_end != '=') { +@@ -296,8 +298,14 @@ static int ceph_parse_new_source(const c + fsid_start = strchr(dev_name, '@'); + if (!fsid_start) + return invalfc(fc, "missing cluster fsid"); +- ++fsid_start; /* start of cluster fsid */ ++ len = fsid_start - name_start; ++ kfree(opts->name); ++ opts->name = kstrndup(name_start, len, GFP_KERNEL); ++ if (!opts->name) ++ return -ENOMEM; ++ dout("using %s entity name", opts->name); + ++ ++fsid_start; /* start of cluster fsid */ + fs_name_start = strchr(fsid_start, '.'); + if (!fs_name_start) + return invalfc(fc, "missing file system name"); diff --git a/queue-6.12/ceph-fix-cred-leak-in-ceph_mds_check_access.patch b/queue-6.12/ceph-fix-cred-leak-in-ceph_mds_check_access.patch new file mode 100644 index 00000000000..17674484133 --- /dev/null +++ b/queue-6.12/ceph-fix-cred-leak-in-ceph_mds_check_access.patch @@ -0,0 +1,41 @@ +From c5cf420303256dcd6ff175643e9e9558543c2047 Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Sat, 23 Nov 2024 08:21:21 +0100 +Subject: ceph: fix cred leak in ceph_mds_check_access() + +From: Max Kellermann + +commit c5cf420303256dcd6ff175643e9e9558543c2047 upstream. + +get_current_cred() increments the reference counter, but the +put_cred() call was missing. + +Cc: stable@vger.kernel.org +Fixes: 596afb0b8933 ("ceph: add ceph_mds_check_access() helper") +Signed-off-by: Max Kellermann +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/mds_client.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -5736,6 +5736,7 @@ int ceph_mds_check_access(struct ceph_md + + err = ceph_mds_auth_match(mdsc, s, cred, tpath); + if (err < 0) { ++ put_cred(cred); + return err; + } else if (err > 0) { + /* always follow the last auth caps' permision */ +@@ -5751,6 +5752,8 @@ int ceph_mds_check_access(struct ceph_md + } + } + ++ put_cred(cred); ++ + doutc(cl, "root_squash_perms %d, rw_perms_s %p\n", root_squash_perms, + rw_perms_s); + if (root_squash_perms && rw_perms_s == NULL) { diff --git a/queue-6.12/ceph-pass-cred-pointer-to-ceph_mds_auth_match.patch b/queue-6.12/ceph-pass-cred-pointer-to-ceph_mds_auth_match.patch new file mode 100644 index 00000000000..dc3afbd2d47 --- /dev/null +++ b/queue-6.12/ceph-pass-cred-pointer-to-ceph_mds_auth_match.patch @@ -0,0 +1,48 @@ +From 23426309a4064b25a961e1c72961d8bfc7c8c990 Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Sat, 23 Nov 2024 08:21:20 +0100 +Subject: ceph: pass cred pointer to ceph_mds_auth_match() + +From: Max Kellermann + +commit 23426309a4064b25a961e1c72961d8bfc7c8c990 upstream. + +This eliminates a redundant get_current_cred() call, because +ceph_mds_check_access() has already obtained this pointer. + +As a side effect, this also fixes a reference leak in +ceph_mds_auth_match(): by omitting the get_current_cred() call, no +additional cred reference is taken. + +Cc: stable@vger.kernel.org +Fixes: 596afb0b8933 ("ceph: add ceph_mds_check_access() helper") +Signed-off-by: Max Kellermann +Reviewed-by: Xiubo Li +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/mds_client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -5609,9 +5609,9 @@ void send_flush_mdlog(struct ceph_mds_se + + static int ceph_mds_auth_match(struct ceph_mds_client *mdsc, + struct ceph_mds_cap_auth *auth, ++ const struct cred *cred, + char *tpath) + { +- const struct cred *cred = get_current_cred(); + u32 caller_uid = from_kuid(&init_user_ns, cred->fsuid); + u32 caller_gid = from_kgid(&init_user_ns, cred->fsgid); + struct ceph_client *cl = mdsc->fsc->client; +@@ -5734,7 +5734,7 @@ int ceph_mds_check_access(struct ceph_md + for (i = 0; i < mdsc->s_cap_auths_num; i++) { + struct ceph_mds_cap_auth *s = &mdsc->s_cap_auths[i]; + +- err = ceph_mds_auth_match(mdsc, s, tpath); ++ err = ceph_mds_auth_match(mdsc, s, cred, tpath); + if (err < 0) { + return err; + } else if (err > 0) { diff --git a/queue-6.12/driver-core-fw_devlink-stop-trying-to-optimize-cycle-detection-logic.patch b/queue-6.12/driver-core-fw_devlink-stop-trying-to-optimize-cycle-detection-logic.patch new file mode 100644 index 00000000000..67072c98160 --- /dev/null +++ b/queue-6.12/driver-core-fw_devlink-stop-trying-to-optimize-cycle-detection-logic.patch @@ -0,0 +1,162 @@ +From bac3b10b78e54b7da3cede397258f75a2180609b Mon Sep 17 00:00:00 2001 +From: Saravana Kannan +Date: Wed, 30 Oct 2024 10:10:07 -0700 +Subject: driver core: fw_devlink: Stop trying to optimize cycle detection logic + +From: Saravana Kannan + +commit bac3b10b78e54b7da3cede397258f75a2180609b upstream. + +In attempting to optimize fw_devlink runtime, I introduced numerous cycle +detection bugs by foregoing cycle detection logic under specific +conditions. Each fix has further narrowed the conditions for optimization. + +It's time to give up on these optimization attempts and just run the cycle +detection logic every time fw_devlink tries to create a device link. + +The specific bug report that triggered this fix involved a supplier fwnode +that never gets a device created for it. Instead, the supplier fwnode is +represented by the device that corresponds to an ancestor fwnode. + +In this case, fw_devlink didn't do any cycle detection because the cycle +detection logic is only run when a device link is created between the +devices that correspond to the actual consumer and supplier fwnodes. + +With this change, fw_devlink will run cycle detection logic even when +creating SYNC_STATE_ONLY proxy device links from a device that is an +ancestor of a consumer fwnode. + +Reported-by: Tomi Valkeinen +Closes: https://lore.kernel.org/all/1a1ab663-d068-40fb-8c94-f0715403d276@ideasonboard.com/ +Fixes: 6442d79d880c ("driver core: fw_devlink: Improve detection of overlapping cycles") +Cc: stable +Tested-by: Tomi Valkeinen +Signed-off-by: Saravana Kannan +Link: https://lore.kernel.org/r/20241030171009.1853340-1-saravanak@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/core.c | 55 ++++++++++++++++++++++------------------------------ + 1 file changed, 24 insertions(+), 31 deletions(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -1989,10 +1989,10 @@ static struct device *fwnode_get_next_pa + * + * Return true if one or more cycles were found. Otherwise, return false. + */ +-static bool __fw_devlink_relax_cycles(struct device *con, ++static bool __fw_devlink_relax_cycles(struct fwnode_handle *con_handle, + struct fwnode_handle *sup_handle) + { +- struct device *sup_dev = NULL, *par_dev = NULL; ++ struct device *sup_dev = NULL, *par_dev = NULL, *con_dev = NULL; + struct fwnode_link *link; + struct device_link *dev_link; + bool ret = false; +@@ -2009,22 +2009,22 @@ static bool __fw_devlink_relax_cycles(st + + sup_handle->flags |= FWNODE_FLAG_VISITED; + +- sup_dev = get_dev_from_fwnode(sup_handle); +- + /* Termination condition. */ +- if (sup_dev == con) { ++ if (sup_handle == con_handle) { + pr_debug("----- cycle: start -----\n"); + ret = true; + goto out; + } + ++ sup_dev = get_dev_from_fwnode(sup_handle); ++ con_dev = get_dev_from_fwnode(con_handle); + /* + * If sup_dev is bound to a driver and @con hasn't started binding to a + * driver, sup_dev can't be a consumer of @con. So, no need to check + * further. + */ + if (sup_dev && sup_dev->links.status == DL_DEV_DRIVER_BOUND && +- con->links.status == DL_DEV_NO_DRIVER) { ++ con_dev && con_dev->links.status == DL_DEV_NO_DRIVER) { + ret = false; + goto out; + } +@@ -2033,7 +2033,7 @@ static bool __fw_devlink_relax_cycles(st + if (link->flags & FWLINK_FLAG_IGNORE) + continue; + +- if (__fw_devlink_relax_cycles(con, link->supplier)) { ++ if (__fw_devlink_relax_cycles(con_handle, link->supplier)) { + __fwnode_link_cycle(link); + ret = true; + } +@@ -2048,7 +2048,7 @@ static bool __fw_devlink_relax_cycles(st + else + par_dev = fwnode_get_next_parent_dev(sup_handle); + +- if (par_dev && __fw_devlink_relax_cycles(con, par_dev->fwnode)) { ++ if (par_dev && __fw_devlink_relax_cycles(con_handle, par_dev->fwnode)) { + pr_debug("%pfwf: cycle: child of %pfwf\n", sup_handle, + par_dev->fwnode); + ret = true; +@@ -2066,7 +2066,7 @@ static bool __fw_devlink_relax_cycles(st + !(dev_link->flags & DL_FLAG_CYCLE)) + continue; + +- if (__fw_devlink_relax_cycles(con, ++ if (__fw_devlink_relax_cycles(con_handle, + dev_link->supplier->fwnode)) { + pr_debug("%pfwf: cycle: depends on %pfwf\n", sup_handle, + dev_link->supplier->fwnode); +@@ -2114,11 +2114,6 @@ static int fw_devlink_create_devlink(str + if (link->flags & FWLINK_FLAG_IGNORE) + return 0; + +- if (con->fwnode == link->consumer) +- flags = fw_devlink_get_flags(link->flags); +- else +- flags = FW_DEVLINK_FLAGS_PERMISSIVE; +- + /* + * In some cases, a device P might also be a supplier to its child node + * C. However, this would defer the probe of C until the probe of P +@@ -2139,25 +2134,23 @@ static int fw_devlink_create_devlink(str + return -EINVAL; + + /* +- * SYNC_STATE_ONLY device links don't block probing and supports cycles. +- * So, one might expect that cycle detection isn't necessary for them. +- * However, if the device link was marked as SYNC_STATE_ONLY because +- * it's part of a cycle, then we still need to do cycle detection. This +- * is because the consumer and supplier might be part of multiple cycles +- * and we need to detect all those cycles. ++ * Don't try to optimize by not calling the cycle detection logic under ++ * certain conditions. There's always some corner case that won't get ++ * detected. + */ +- if (!device_link_flag_is_sync_state_only(flags) || +- flags & DL_FLAG_CYCLE) { +- device_links_write_lock(); +- if (__fw_devlink_relax_cycles(con, sup_handle)) { +- __fwnode_link_cycle(link); +- flags = fw_devlink_get_flags(link->flags); +- pr_debug("----- cycle: end -----\n"); +- dev_info(con, "Fixed dependency cycle(s) with %pfwf\n", +- sup_handle); +- } +- device_links_write_unlock(); ++ device_links_write_lock(); ++ if (__fw_devlink_relax_cycles(link->consumer, sup_handle)) { ++ __fwnode_link_cycle(link); ++ pr_debug("----- cycle: end -----\n"); ++ pr_info("%pfwf: Fixed dependency cycle(s) with %pfwf\n", ++ link->consumer, sup_handle); + } ++ device_links_write_unlock(); ++ ++ if (con->fwnode == link->consumer) ++ flags = fw_devlink_get_flags(link->flags); ++ else ++ flags = FW_DEVLINK_FLAGS_PERMISSIVE; + + if (sup_handle->flags & FWNODE_FLAG_NOT_DEVICE) + sup_dev = fwnode_get_next_parent_dev(sup_handle); diff --git a/queue-6.12/f2fs-fix-to-drop-all-discards-after-creating-snapshot-on-lvm-device.patch b/queue-6.12/f2fs-fix-to-drop-all-discards-after-creating-snapshot-on-lvm-device.patch new file mode 100644 index 00000000000..37c606c05b1 --- /dev/null +++ b/queue-6.12/f2fs-fix-to-drop-all-discards-after-creating-snapshot-on-lvm-device.patch @@ -0,0 +1,106 @@ +From bc8aeb04fd80cb8cfae3058445c84410fd0beb5e Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Thu, 21 Nov 2024 22:17:16 +0800 +Subject: f2fs: fix to drop all discards after creating snapshot on lvm device + +From: Chao Yu + +commit bc8aeb04fd80cb8cfae3058445c84410fd0beb5e upstream. + +Piergiorgio reported a bug in bugzilla as below: + +------------[ cut here ]------------ +WARNING: CPU: 2 PID: 969 at fs/f2fs/segment.c:1330 +RIP: 0010:__submit_discard_cmd+0x27d/0x400 [f2fs] +Call Trace: + __issue_discard_cmd+0x1ca/0x350 [f2fs] + issue_discard_thread+0x191/0x480 [f2fs] + kthread+0xcf/0x100 + ret_from_fork+0x31/0x50 + ret_from_fork_asm+0x1a/0x30 + +w/ below testcase, it can reproduce this bug quickly: +- pvcreate /dev/vdb +- vgcreate myvg1 /dev/vdb +- lvcreate -L 1024m -n mylv1 myvg1 +- mount /dev/myvg1/mylv1 /mnt/f2fs +- dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=20 +- sync +- rm /mnt/f2fs/file +- sync +- lvcreate -L 1024m -s -n mylv1-snapshot /dev/myvg1/mylv1 +- umount /mnt/f2fs + +The root cause is: it will update discard_max_bytes of mounted lvm +device to zero after creating snapshot on this lvm device, then, +__submit_discard_cmd() will pass parameter @nr_sects w/ zero value +to __blkdev_issue_discard(), it returns a NULL bio pointer, result +in panic. + +This patch changes as below for fixing: +1. Let's drop all remained discards in f2fs_unfreeze() if snapshot +of lvm device is created. +2. Checking discard_max_bytes before submitting discard during +__submit_discard_cmd(). + +Cc: stable@vger.kernel.org +Fixes: 35ec7d574884 ("f2fs: split discard command in prior to block layer") +Reported-by: Piergiorgio Sartor +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219484 +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/segment.c | 16 +++++++++------- + fs/f2fs/super.c | 12 ++++++++++++ + 2 files changed, 21 insertions(+), 7 deletions(-) + +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -1290,16 +1290,18 @@ static int __submit_discard_cmd(struct f + wait_list, issued); + return 0; + } +- +- /* +- * Issue discard for conventional zones only if the device +- * supports discard. +- */ +- if (!bdev_max_discard_sectors(bdev)) +- return -EOPNOTSUPP; + } + #endif + ++ /* ++ * stop issuing discard for any of below cases: ++ * 1. device is conventional zone, but it doesn't support discard. ++ * 2. device is regulare device, after snapshot it doesn't support ++ * discard. ++ */ ++ if (!bdev_max_discard_sectors(bdev)) ++ return -EOPNOTSUPP; ++ + trace_f2fs_issue_discard(bdev, dc->di.start, dc->di.len); + + lstart = dc->di.lstart; +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1748,6 +1748,18 @@ static int f2fs_freeze(struct super_bloc + + static int f2fs_unfreeze(struct super_block *sb) + { ++ struct f2fs_sb_info *sbi = F2FS_SB(sb); ++ ++ /* ++ * It will update discard_max_bytes of mounted lvm device to zero ++ * after creating snapshot on this lvm device, let's drop all ++ * remained discards. ++ * We don't need to disable real-time discard because discard_max_bytes ++ * will recover after removal of snapshot. ++ */ ++ if (test_opt(sbi, DISCARD) && !f2fs_hw_support_discard(sbi)) ++ f2fs_issue_discard_timeout(sbi); ++ + clear_sbi_flag(F2FS_SB(sb), SBI_IS_FREEZING); + return 0; + } diff --git a/queue-6.12/mm-slub-avoid-list-corruption-when-removing-a-slab-from-the-full-list.patch b/queue-6.12/mm-slub-avoid-list-corruption-when-removing-a-slab-from-the-full-list.patch new file mode 100644 index 00000000000..20b164f53ef --- /dev/null +++ b/queue-6.12/mm-slub-avoid-list-corruption-when-removing-a-slab-from-the-full-list.patch @@ -0,0 +1,138 @@ +From dbc16915279a548a204154368da23d402c141c81 Mon Sep 17 00:00:00 2001 +From: "yuan.gao" +Date: Fri, 18 Oct 2024 14:44:35 +0800 +Subject: mm/slub: Avoid list corruption when removing a slab from the full list + +From: yuan.gao + +commit dbc16915279a548a204154368da23d402c141c81 upstream. + +Boot with slub_debug=UFPZ. + +If allocated object failed in alloc_consistency_checks, all objects of +the slab will be marked as used, and then the slab will be removed from +the partial list. + +When an object belonging to the slab got freed later, the remove_full() +function is called. Because the slab is neither on the partial list nor +on the full list, it eventually lead to a list corruption (actually a +list poison being detected). + +So we need to mark and isolate the slab page with metadata corruption, +do not put it back in circulation. + +Because the debug caches avoid all the fastpaths, reusing the frozen bit +to mark slab page with metadata corruption seems to be fine. + +[ 4277.385669] list_del corruption, ffffea00044b3e50->next is LIST_POISON1 (dead000000000100) +[ 4277.387023] ------------[ cut here ]------------ +[ 4277.387880] kernel BUG at lib/list_debug.c:56! +[ 4277.388680] invalid opcode: 0000 [#1] PREEMPT SMP PTI +[ 4277.389562] CPU: 5 PID: 90 Comm: kworker/5:1 Kdump: loaded Tainted: G OE 6.6.1-1 #1 +[ 4277.392113] Workqueue: xfs-inodegc/vda1 xfs_inodegc_worker [xfs] +[ 4277.393551] RIP: 0010:__list_del_entry_valid_or_report+0x7b/0xc0 +[ 4277.394518] Code: 48 91 82 e8 37 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 28 49 91 82 e8 26 f9 9a ff 0f 0b 48 89 fe 48 c7 c7 58 49 91 +[ 4277.397292] RSP: 0018:ffffc90000333b38 EFLAGS: 00010082 +[ 4277.398202] RAX: 000000000000004e RBX: ffffea00044b3e50 RCX: 0000000000000000 +[ 4277.399340] RDX: 0000000000000002 RSI: ffffffff828f8715 RDI: 00000000ffffffff +[ 4277.400545] RBP: ffffea00044b3e40 R08: 0000000000000000 R09: ffffc900003339f0 +[ 4277.401710] R10: 0000000000000003 R11: ffffffff82d44088 R12: ffff888112cf9910 +[ 4277.402887] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8881000424c0 +[ 4277.404049] FS: 0000000000000000(0000) GS:ffff88842fd40000(0000) knlGS:0000000000000000 +[ 4277.405357] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 4277.406389] CR2: 00007f2ad0b24000 CR3: 0000000102a3a006 CR4: 00000000007706e0 +[ 4277.407589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 4277.408780] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 4277.410000] PKRU: 55555554 +[ 4277.410645] Call Trace: +[ 4277.411234] +[ 4277.411777] ? die+0x32/0x80 +[ 4277.412439] ? do_trap+0xd6/0x100 +[ 4277.413150] ? __list_del_entry_valid_or_report+0x7b/0xc0 +[ 4277.414158] ? do_error_trap+0x6a/0x90 +[ 4277.414948] ? __list_del_entry_valid_or_report+0x7b/0xc0 +[ 4277.415915] ? exc_invalid_op+0x4c/0x60 +[ 4277.416710] ? __list_del_entry_valid_or_report+0x7b/0xc0 +[ 4277.417675] ? asm_exc_invalid_op+0x16/0x20 +[ 4277.418482] ? __list_del_entry_valid_or_report+0x7b/0xc0 +[ 4277.419466] ? __list_del_entry_valid_or_report+0x7b/0xc0 +[ 4277.420410] free_to_partial_list+0x515/0x5e0 +[ 4277.421242] ? xfs_iext_remove+0x41a/0xa10 [xfs] +[ 4277.422298] xfs_iext_remove+0x41a/0xa10 [xfs] +[ 4277.423316] ? xfs_inodegc_worker+0xb4/0x1a0 [xfs] +[ 4277.424383] xfs_bmap_del_extent_delay+0x4fe/0x7d0 [xfs] +[ 4277.425490] __xfs_bunmapi+0x50d/0x840 [xfs] +[ 4277.426445] xfs_itruncate_extents_flags+0x13a/0x490 [xfs] +[ 4277.427553] xfs_inactive_truncate+0xa3/0x120 [xfs] +[ 4277.428567] xfs_inactive+0x22d/0x290 [xfs] +[ 4277.429500] xfs_inodegc_worker+0xb4/0x1a0 [xfs] +[ 4277.430479] process_one_work+0x171/0x340 +[ 4277.431227] worker_thread+0x277/0x390 +[ 4277.431962] ? __pfx_worker_thread+0x10/0x10 +[ 4277.432752] kthread+0xf0/0x120 +[ 4277.433382] ? __pfx_kthread+0x10/0x10 +[ 4277.434134] ret_from_fork+0x2d/0x50 +[ 4277.434837] ? __pfx_kthread+0x10/0x10 +[ 4277.435566] ret_from_fork_asm+0x1b/0x30 +[ 4277.436280] + +Fixes: 643b113849d8 ("slub: enable tracking of full slabs") +Suggested-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Suggested-by: Vlastimil Babka +Cc: +Signed-off-by: yuan.gao +Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Acked-by: Christoph Lameter +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab.h | 5 +++++ + mm/slub.c | 9 ++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +--- a/mm/slab.h ++++ b/mm/slab.h +@@ -73,6 +73,11 @@ struct slab { + struct { + unsigned inuse:16; + unsigned objects:15; ++ /* ++ * If slab debugging is enabled then the ++ * frozen bit can be reused to indicate ++ * that the slab was corrupted ++ */ + unsigned frozen:1; + }; + }; +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1423,6 +1423,11 @@ static int check_slab(struct kmem_cache + slab->inuse, slab->objects); + return 0; + } ++ if (slab->frozen) { ++ slab_err(s, slab, "Slab disabled since SLUB metadata consistency check failed"); ++ return 0; ++ } ++ + /* Slab_pad_check fixes things up after itself */ + slab_pad_check(s, slab); + return 1; +@@ -1603,6 +1608,7 @@ bad: + slab_fix(s, "Marking all objects used"); + slab->inuse = slab->objects; + slab->freelist = NULL; ++ slab->frozen = 1; /* mark consistency-failed slab as frozen */ + } + return false; + } +@@ -2744,7 +2750,8 @@ static void *alloc_single_from_partial(s + slab->inuse++; + + if (!alloc_debug_processing(s, slab, object, orig_size)) { +- remove_partial(n, slab); ++ if (folio_test_slab(slab_folio(slab))) ++ remove_partial(n, slab); + return NULL; + } + diff --git a/queue-6.12/mtd-spinand-winbond-fix-512gw-01gw-01jw-and-02jw-ecc-information.patch b/queue-6.12/mtd-spinand-winbond-fix-512gw-01gw-01jw-and-02jw-ecc-information.patch new file mode 100644 index 00000000000..fd678422e3b --- /dev/null +++ b/queue-6.12/mtd-spinand-winbond-fix-512gw-01gw-01jw-and-02jw-ecc-information.patch @@ -0,0 +1,87 @@ +From fee9b240916df82a8b07aef0fdfe96785417a164 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 9 Oct 2024 14:50:00 +0200 +Subject: mtd: spinand: winbond: Fix 512GW, 01GW, 01JW and 02JW ECC information + +From: Miquel Raynal + +commit fee9b240916df82a8b07aef0fdfe96785417a164 upstream. + +These four chips: +* W25N512GW +* W25N01GW +* W25N01JW +* W25N02JW +all require a single bit of ECC strength and thus feature an on-die +Hamming-like ECC engine. There is no point in filling a ->get_status() +callback for them because the main ECC status bytes are located in +standard places, and retrieving the number of bitflips in case of +corrected chunk is both useless and unsupported (if there are bitflips, +then there is 1 at most, so no need to query the chip for that). + +Without this change, a kernel warning triggers every time a bit flips. + +Fixes: 6a804fb72de5 ("mtd: spinand: winbond: add support for serial NAND flash") +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Frieder Schrempf +Link: https://lore.kernel.org/linux-mtd/20241009125002.191109-3-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/spi/winbond.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/mtd/nand/spi/winbond.c ++++ b/drivers/mtd/nand/spi/winbond.c +@@ -201,30 +201,30 @@ static const struct spinand_info winbond + SPINAND_INFO("W25N01JW", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xbc, 0x21), + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), +- NAND_ECCREQ(4, 512), ++ NAND_ECCREQ(1, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + 0, +- SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), ++ SPINAND_ECCINFO(&w25m02gv_ooblayout, NULL)), + SPINAND_INFO("W25N02JWZEIF", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xbf, 0x22), + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 2, 1), +- NAND_ECCREQ(4, 512), ++ NAND_ECCREQ(1, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + 0, +- SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), ++ SPINAND_ECCINFO(&w25m02gv_ooblayout, NULL)), + SPINAND_INFO("W25N512GW", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x20), + NAND_MEMORG(1, 2048, 64, 64, 512, 10, 1, 1, 1), +- NAND_ECCREQ(4, 512), ++ NAND_ECCREQ(1, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + 0, +- SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), ++ SPINAND_ECCINFO(&w25m02gv_ooblayout, NULL)), + SPINAND_INFO("W25N02KWZEIR", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x22), + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 1, 1, 1), +@@ -237,12 +237,12 @@ static const struct spinand_info winbond + SPINAND_INFO("W25N01GWZEIG", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x21), + NAND_MEMORG(1, 2048, 64, 64, 1024, 20, 1, 1, 1), +- NAND_ECCREQ(4, 512), ++ NAND_ECCREQ(1, 512), + SPINAND_INFO_OP_VARIANTS(&read_cache_variants, + &write_cache_variants, + &update_cache_variants), + 0, +- SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), ++ SPINAND_ECCINFO(&w25m02gv_ooblayout, NULL)), + SPINAND_INFO("W25N04KV", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xaa, 0x23), + NAND_MEMORG(1, 2048, 128, 64, 4096, 40, 2, 1, 1), diff --git a/queue-6.12/mtd-spinand-winbond-fix-512gw-and-02jw-oob-layout.patch b/queue-6.12/mtd-spinand-winbond-fix-512gw-and-02jw-oob-layout.patch new file mode 100644 index 00000000000..54b60578a5f --- /dev/null +++ b/queue-6.12/mtd-spinand-winbond-fix-512gw-and-02jw-oob-layout.patch @@ -0,0 +1,42 @@ +From c1247de51cab53fc357a73804c11fb4fba55b2d9 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 9 Oct 2024 14:49:59 +0200 +Subject: mtd: spinand: winbond: Fix 512GW and 02JW OOB layout + +From: Miquel Raynal + +commit c1247de51cab53fc357a73804c11fb4fba55b2d9 upstream. + +Both W25N512GW and W25N02JW chips have 64 bytes of OOB and thus cannot +use the layout for 128 bytes OOB. Reference the correct layout instead. + +Fixes: 6a804fb72de5 ("mtd: spinand: winbond: add support for serial NAND flash") +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Frieder Schrempf +Link: https://lore.kernel.org/linux-mtd/20241009125002.191109-2-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/spi/winbond.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/spi/winbond.c ++++ b/drivers/mtd/nand/spi/winbond.c +@@ -215,7 +215,7 @@ static const struct spinand_info winbond + &write_cache_variants, + &update_cache_variants), + 0, +- SPINAND_ECCINFO(&w25n02kv_ooblayout, w25n02kv_ecc_get_status)), ++ SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), + SPINAND_INFO("W25N512GW", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x20), + NAND_MEMORG(1, 2048, 64, 64, 512, 10, 1, 1, 1), +@@ -224,7 +224,7 @@ static const struct spinand_info winbond + &write_cache_variants, + &update_cache_variants), + 0, +- SPINAND_ECCINFO(&w25n02kv_ooblayout, w25n02kv_ecc_get_status)), ++ SPINAND_ECCINFO(&w25m02gv_ooblayout, w25n02kv_ecc_get_status)), + SPINAND_INFO("W25N02KWZEIR", + SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xba, 0x22), + NAND_MEMORG(1, 2048, 128, 64, 2048, 40, 1, 1, 1), diff --git a/queue-6.12/net-stmmac-set-initial-eee-policy-configuration.patch b/queue-6.12/net-stmmac-set-initial-eee-policy-configuration.patch new file mode 100644 index 00000000000..1d6199c2ef2 --- /dev/null +++ b/queue-6.12/net-stmmac-set-initial-eee-policy-configuration.patch @@ -0,0 +1,35 @@ +From 59c5e1411a0a13ebb930f4ebba495cc4eb14f8f2 Mon Sep 17 00:00:00 2001 +From: Choong Yong Liang +Date: Wed, 20 Nov 2024 16:38:18 +0800 +Subject: net: stmmac: set initial EEE policy configuration + +From: Choong Yong Liang + +commit 59c5e1411a0a13ebb930f4ebba495cc4eb14f8f2 upstream. + +Set the initial eee_cfg values to have 'ethtool --show-eee ' display +the initial EEE configuration. + +Fixes: 49168d1980e2 ("net: phy: Add phy_support_eee() indicating MAC support EEE") +Cc: +Signed-off-by: Choong Yong Liang +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20241120083818.1079456-1-yong.liang.choong@linux.intel.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1205,6 +1205,9 @@ static int stmmac_init_phy(struct net_de + return -ENODEV; + } + ++ if (priv->dma_cap.eee) ++ phy_support_eee(phydev); ++ + ret = phylink_connect_phy(priv->phylink, phydev); + } else { + fwnode_handle_put(phy_fwnode); diff --git a/queue-6.12/nvmem-core-check-read_only-flag-for-force_ro-in-bin_attr_nvmem_write.patch b/queue-6.12/nvmem-core-check-read_only-flag-for-force_ro-in-bin_attr_nvmem_write.patch new file mode 100644 index 00000000000..5df217094b3 --- /dev/null +++ b/queue-6.12/nvmem-core-check-read_only-flag-for-force_ro-in-bin_attr_nvmem_write.patch @@ -0,0 +1,35 @@ +From da9596955c05966768364ab1cad2f43fcddc6f06 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Wed, 30 Oct 2024 14:02:53 +0000 +Subject: nvmem: core: Check read_only flag for force_ro in bin_attr_nvmem_write() + +From: Marek Vasut + +commit da9596955c05966768364ab1cad2f43fcddc6f06 upstream. + +The bin_attr_nvmem_write() must check the read_only flag and block +writes on read-only devices, now that a nvmem device can be switched +between read-write and read-only mode at runtime using the force_ro +attribute. Add the missing check. + +Fixes: 9d7eb234ac7a ("nvmem: core: Implement force_ro sysfs attribute") +Cc: Stable@vger.kernel.org +Signed-off-by: Marek Vasut +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20241030140253.40445-2-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -267,7 +267,7 @@ static ssize_t bin_attr_nvmem_write(stru + + count = round_down(count, nvmem->word_size); + +- if (!nvmem->reg_write) ++ if (!nvmem->reg_write || nvmem->read_only) + return -EPERM; + + rc = nvmem_reg_write(nvmem, pos, buf, count); diff --git a/queue-6.12/pci-imx6-fix-suspend-resume-support-on-i.mx6qdl.patch b/queue-6.12/pci-imx6-fix-suspend-resume-support-on-i.mx6qdl.patch new file mode 100644 index 00000000000..321ab6393af --- /dev/null +++ b/queue-6.12/pci-imx6-fix-suspend-resume-support-on-i.mx6qdl.patch @@ -0,0 +1,139 @@ +From 0a726f542d7c8cc0f9c5ed7df5a4bd4b59ac21b3 Mon Sep 17 00:00:00 2001 +From: Stefan Eichenberger +Date: Wed, 30 Oct 2024 11:32:45 +0100 +Subject: PCI: imx6: Fix suspend/resume support on i.MX6QDL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stefan Eichenberger + +commit 0a726f542d7c8cc0f9c5ed7df5a4bd4b59ac21b3 upstream. + +The suspend/resume functionality is currently broken on the i.MX6QDL +platform, as documented in the NXP errata (ERR005723): + + https://www.nxp.com/docs/en/errata/IMX6DQCE.pdf + +This patch addresses the issue by sharing most of the suspend/resume +sequences used by other i.MX devices, while avoiding modifications to +critical registers that disrupt the PCIe functionality. It targets the +same problem as the following downstream commit: + + https://github.com/nxp-imx/linux-imx/commit/4e92355e1f79d225ea842511fcfd42b343b32995 + +Unlike the downstream commit, this patch also resets the connected PCIe +device if possible. Without this reset, certain drivers, such as ath10k +or iwlwifi, will crash on resume. The device reset is also done by the +driver on other i.MX platforms, making this patch consistent with +existing practices. + +Upon resuming, the kernel will hang and display an error. Here's an +example of the error encountered with the ath10k driver: + + ath10k_pci 0000:01:00.0: Unable to change power state from D3hot to D0, device inaccessible + Unhandled fault: imprecise external abort (0x1406) at 0x0106f944 + +Without this patch, suspend/resume will fail on i.MX6QDL devices if a +PCIe device is connected. + +Link: https://lore.kernel.org/r/20241030103250.83640-1-eichest@gmail.com +Signed-off-by: Stefan Eichenberger +[kwilczynski: commit log, added tag for stable releases] +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Manivannan Sadhasivam +Acked-by: Richard Zhu +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pci-imx6.c | 57 +++++++++++++++++++++++++++------- + 1 file changed, 46 insertions(+), 11 deletions(-) + +--- a/drivers/pci/controller/dwc/pci-imx6.c ++++ b/drivers/pci/controller/dwc/pci-imx6.c +@@ -82,6 +82,11 @@ enum imx_pcie_variants { + #define IMX_PCIE_FLAG_HAS_SERDES BIT(6) + #define IMX_PCIE_FLAG_SUPPORT_64BIT BIT(7) + #define IMX_PCIE_FLAG_CPU_ADDR_FIXUP BIT(8) ++/* ++ * Because of ERR005723 (PCIe does not support L2 power down) we need to ++ * workaround suspend resume on some devices which are affected by this errata. ++ */ ++#define IMX_PCIE_FLAG_BROKEN_SUSPEND BIT(9) + + #define imx_check_flag(pci, val) (pci->drvdata->flags & val) + +@@ -1237,9 +1242,19 @@ static int imx_pcie_suspend_noirq(struct + return 0; + + imx_pcie_msi_save_restore(imx_pcie, true); +- imx_pcie_pm_turnoff(imx_pcie); +- imx_pcie_stop_link(imx_pcie->pci); +- imx_pcie_host_exit(pp); ++ if (imx_check_flag(imx_pcie, IMX_PCIE_FLAG_BROKEN_SUSPEND)) { ++ /* ++ * The minimum for a workaround would be to set PERST# and to ++ * set the PCIE_TEST_PD flag. However, we can also disable the ++ * clock which saves some power. ++ */ ++ imx_pcie_assert_core_reset(imx_pcie); ++ imx_pcie->drvdata->enable_ref_clk(imx_pcie, false); ++ } else { ++ imx_pcie_pm_turnoff(imx_pcie); ++ imx_pcie_stop_link(imx_pcie->pci); ++ imx_pcie_host_exit(pp); ++ } + + return 0; + } +@@ -1253,14 +1268,32 @@ static int imx_pcie_resume_noirq(struct + if (!(imx_pcie->drvdata->flags & IMX_PCIE_FLAG_SUPPORTS_SUSPEND)) + return 0; + +- ret = imx_pcie_host_init(pp); +- if (ret) +- return ret; +- imx_pcie_msi_save_restore(imx_pcie, false); +- dw_pcie_setup_rc(pp); ++ if (imx_check_flag(imx_pcie, IMX_PCIE_FLAG_BROKEN_SUSPEND)) { ++ ret = imx_pcie->drvdata->enable_ref_clk(imx_pcie, true); ++ if (ret) ++ return ret; ++ ret = imx_pcie_deassert_core_reset(imx_pcie); ++ if (ret) ++ return ret; ++ /* ++ * Using PCIE_TEST_PD seems to disable MSI and powers down the ++ * root complex. This is why we have to setup the rc again and ++ * why we have to restore the MSI register. ++ */ ++ ret = dw_pcie_setup_rc(&imx_pcie->pci->pp); ++ if (ret) ++ return ret; ++ imx_pcie_msi_save_restore(imx_pcie, false); ++ } else { ++ ret = imx_pcie_host_init(pp); ++ if (ret) ++ return ret; ++ imx_pcie_msi_save_restore(imx_pcie, false); ++ dw_pcie_setup_rc(pp); + +- if (imx_pcie->link_is_up) +- imx_pcie_start_link(imx_pcie->pci); ++ if (imx_pcie->link_is_up) ++ imx_pcie_start_link(imx_pcie->pci); ++ } + + return 0; + } +@@ -1485,7 +1518,9 @@ static const struct imx_pcie_drvdata drv + [IMX6Q] = { + .variant = IMX6Q, + .flags = IMX_PCIE_FLAG_IMX_PHY | +- IMX_PCIE_FLAG_IMX_SPEED_CHANGE, ++ IMX_PCIE_FLAG_IMX_SPEED_CHANGE | ++ IMX_PCIE_FLAG_BROKEN_SUSPEND | ++ IMX_PCIE_FLAG_SUPPORTS_SUSPEND, + .dbi_length = 0x200, + .gpr = "fsl,imx6q-iomuxc-gpr", + .clk_names = imx6q_clks, diff --git a/queue-6.12/pci-qcom-disable-aspm-l0s-for-x1e80100.patch b/queue-6.12/pci-qcom-disable-aspm-l0s-for-x1e80100.patch new file mode 100644 index 00000000000..6fe2088f7c2 --- /dev/null +++ b/queue-6.12/pci-qcom-disable-aspm-l0s-for-x1e80100.patch @@ -0,0 +1,44 @@ +From fba6045161d686adc102b6ef71b2fd1e5f90a616 Mon Sep 17 00:00:00 2001 +From: Qiang Yu +Date: Thu, 31 Oct 2024 20:09:01 -0700 +Subject: PCI: qcom: Disable ASPM L0s for X1E80100 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Qiang Yu + +commit fba6045161d686adc102b6ef71b2fd1e5f90a616 upstream. + +Currently, the cfg_1_9_0 which is being used for X1E80100 doesn't disable +ASPM L0s. However, hardware team recommends to disable L0s as the PHY init +sequence is not tuned support L0s. Hence reuse cfg_sc8280xp for X1E80100. + +Note that the config_sid() callback is not present in cfg_sc8280xp, don't +concern about this because config_sid() callback is originally a no-op +for X1E80100. + +Fixes: 6d0c39324c5f ("PCI: qcom: Add X1E80100 PCIe support") +Link: https://lore.kernel.org/r/20241101030902.579789-5-quic_qianyu@quicinc.com +Signed-off-by: Qiang Yu +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Johan Hovold +Reviewed-by: Manivannan Sadhasivam +Cc: # 6.9 +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -1845,7 +1845,7 @@ static const struct of_device_id qcom_pc + { .compatible = "qcom,pcie-sm8450-pcie0", .data = &cfg_1_9_0 }, + { .compatible = "qcom,pcie-sm8450-pcie1", .data = &cfg_1_9_0 }, + { .compatible = "qcom,pcie-sm8550", .data = &cfg_1_9_0 }, +- { .compatible = "qcom,pcie-x1e80100", .data = &cfg_1_9_0 }, ++ { .compatible = "qcom,pcie-x1e80100", .data = &cfg_sc8280xp }, + { } + }; + diff --git a/queue-6.12/perf-jevents-fix-breakage-when-do-perf-stat-on-system-metric.patch b/queue-6.12/perf-jevents-fix-breakage-when-do-perf-stat-on-system-metric.patch new file mode 100644 index 00000000000..eafff1b415e --- /dev/null +++ b/queue-6.12/perf-jevents-fix-breakage-when-do-perf-stat-on-system-metric.patch @@ -0,0 +1,147 @@ +From 4a159e6049f319bef6f9e6d2ccdd322f57d24830 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Thu, 7 Nov 2024 08:20:28 -0800 +Subject: perf jevents: fix breakage when do perf stat on system metric +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xu Yang + +commit 4a159e6049f319bef6f9e6d2ccdd322f57d24830 upstream. + +When do perf stat on sys metric, perf tool output nothing now: + + $ perf stat -a -M imx95_ddr_read.all -I 1000 + $ + +This command runs on an arm64 machine and the Soc has one DDR hw pmu +except one armv8_cortex_a55 pmu. Their maps show as follows: + +const struct pmu_events_map pmu_events_map[] = { +{ + .arch = "arm64", + .cpuid = "0x00000000410fd050", + .event_table = { + .pmus = pmu_events__arm_cortex_a55, + .num_pmus = ARRAY_SIZE(pmu_events__arm_cortex_a55) + }, + .metric_table = { + .pmus = NULL, + .num_pmus = 0 + } +}, + +static const struct pmu_sys_events pmu_sys_event_tables[] = { +{ + .event_table = { + .pmus = pmu_events__freescale_imx95_sys, + .num_pmus = ARRAY_SIZE(pmu_events__freescale_imx95_sys) + }, + .metric_table = { + .pmus = pmu_metrics__freescale_imx95_sys, + .num_pmus = ARRAY_SIZE(pmu_metrics__freescale_imx95_sys) + }, + .name = "pmu_events__freescale_imx95_sys", +}, + +Currently, pmu_metrics_table__find() will return NULL when only do perf +stat on sys metric. Then parse_groups() will never be called to parse +sys metric_name, finally perf tool will exit directly. This should be a +common problem. + +To fix the issue, this will keep the logic before commit f20c15d13f01 +("perf pmu-events: Remember the perf_events_map for a PMU") to return a +empty metric table rather than a NULL pointer. + +This should be fine since the removed part just check if the table match +provided metric_name. Without these code, the code in parse_groups() +will also check the validity of metrci_name too. + +Fixes: f20c15d13f017d4b ("perf pmu-events: Remember the perf_events_map for a PMU") +Reviewed-by: James Clark +Signed-off-by: Xu Yang +Tested-by: Xu Yang +Acked-by: Ian Rogers +Cc: Adrian Hunter +Cc: Albert Ou +Cc: Alexander Shishkin +Cc: Alexandre Ghiti +Cc: Athira Rajeev +Cc: Benjamin Gray +Cc: Ben Zong-You Xie +Cc: Bibo Mao +Cc: Clément Le Goffic +Cc: Dima Kogan +Cc: Dr. David Alan Gilbert +Cc: Huacai Chen +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: John Garry +Cc: Kan Liang +Cc: Leo Yan +Cc: Mark Rutland +Cc: Masami Hiramatsu +Cc: Mike Leach +Cc: Namhyung Kim +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Peter Zijlstra +Cc: Ravi Bangoria +Cc: Sandipan Das +Cc: Will Deacon +Cc: Yicong Yang +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-riscv@lists.infradead.org +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20241107162035.52206-2-irogers@google.com +Signed-off-by: Ian Rogers +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/pmu-events/empty-pmu-events.c | 12 +----------- + tools/perf/pmu-events/jevents.py | 12 +----------- + 2 files changed, 2 insertions(+), 22 deletions(-) + +--- a/tools/perf/pmu-events/empty-pmu-events.c ++++ b/tools/perf/pmu-events/empty-pmu-events.c +@@ -539,17 +539,7 @@ const struct pmu_metrics_table *perf_pmu + if (!map) + return NULL; + +- if (!pmu) +- return &map->metric_table; +- +- for (size_t i = 0; i < map->metric_table.num_pmus; i++) { +- const struct pmu_table_entry *table_pmu = &map->metric_table.pmus[i]; +- const char *pmu_name = &big_c_string[table_pmu->pmu_name.offset]; +- +- if (pmu__name_match(pmu, pmu_name)) +- return &map->metric_table; +- } +- return NULL; ++ return &map->metric_table; + } + + const struct pmu_events_table *find_core_events_table(const char *arch, const char *cpuid) +--- a/tools/perf/pmu-events/jevents.py ++++ b/tools/perf/pmu-events/jevents.py +@@ -1089,17 +1089,7 @@ const struct pmu_metrics_table *perf_pmu + if (!map) + return NULL; + +- if (!pmu) +- return &map->metric_table; +- +- for (size_t i = 0; i < map->metric_table.num_pmus; i++) { +- const struct pmu_table_entry *table_pmu = &map->metric_table.pmus[i]; +- const char *pmu_name = &big_c_string[table_pmu->pmu_name.offset]; +- +- if (pmu__name_match(pmu, pmu_name)) +- return &map->metric_table; +- } +- return NULL; ++ return &map->metric_table; + } + + const struct pmu_events_table *find_core_events_table(const char *arch, const char *cpuid) diff --git a/queue-6.12/remoteproc-qcom_q6v5_pas-disable-auto-boot-for-wpss.patch b/queue-6.12/remoteproc-qcom_q6v5_pas-disable-auto-boot-for-wpss.patch new file mode 100644 index 00000000000..ae8040cbf13 --- /dev/null +++ b/queue-6.12/remoteproc-qcom_q6v5_pas-disable-auto-boot-for-wpss.patch @@ -0,0 +1,48 @@ +From 8a47704d64c9afda80e7f399ba2cf898cfcc45b2 Mon Sep 17 00:00:00 2001 +From: Balaji Pothunoori +Date: Fri, 18 Oct 2024 16:29:11 +0530 +Subject: remoteproc: qcom_q6v5_pas: disable auto boot for wpss + +From: Balaji Pothunoori + +commit 8a47704d64c9afda80e7f399ba2cf898cfcc45b2 upstream. + +Currently, the rproc "atomic_t power" variable is incremented during: +a. WPSS rproc auto boot. +b. AHB power on for ath11k. + +During AHB power off (rmmod ath11k_ahb.ko), rproc_shutdown fails +to unload the WPSS firmware because the rproc->power value is '2', +causing the atomic_dec_and_test(&rproc->power) condition to fail. + +Consequently, during AHB power on (insmod ath11k_ahb.ko), +QMI_WLANFW_HOST_CAP_REQ_V01 fails due to the host and firmware QMI +states being out of sync. + +Fixes: 300ed425dfa9 ("remoteproc: qcom_q6v5_pas: Add SC7280 ADSP, CDSP & WPSS") +Cc: stable@vger.kernel.org +Signed-off-by: Balaji Pothunoori +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241018105911.165415-1-quic_bpothuno@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/qcom_q6v5_pas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c +index 5034d214ac13..96da94b5d2c2 100644 +--- a/drivers/remoteproc/qcom_q6v5_pas.c ++++ b/drivers/remoteproc/qcom_q6v5_pas.c +@@ -1356,7 +1356,7 @@ static const struct adsp_data sc7280_wpss_resource = { + .crash_reason_smem = 626, + .firmware_name = "wpss.mdt", + .pas_id = 6, +- .auto_boot = true, ++ .auto_boot = false, + .proxy_pd_names = (char*[]){ + "cx", + "mx", +-- +2.47.1 + diff --git a/queue-6.12/s390-entry-mark-irq-entries-to-fix-stack-depot-warnings.patch b/queue-6.12/s390-entry-mark-irq-entries-to-fix-stack-depot-warnings.patch new file mode 100644 index 00000000000..0af82a54479 --- /dev/null +++ b/queue-6.12/s390-entry-mark-irq-entries-to-fix-stack-depot-warnings.patch @@ -0,0 +1,89 @@ +From 45c9f2b856a075a34873d00788d2e8a250c1effd Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Tue, 19 Nov 2024 14:54:07 +0100 +Subject: s390/entry: Mark IRQ entries to fix stack depot warnings + +From: Vasily Gorbik + +commit 45c9f2b856a075a34873d00788d2e8a250c1effd upstream. + +The stack depot filters out everything outside of the top interrupt +context as an uninteresting or irrelevant part of the stack traces. This +helps with stack trace de-duplication, avoiding an explosion of saved +stack traces that share the same IRQ context code path but originate +from different randomly interrupted points, eventually exhausting the +stack depot. + +Filtering uses in_irqentry_text() to identify functions within the +.irqentry.text and .softirqentry.text sections, which then become the +last stack trace entries being saved. + +While __do_softirq() is placed into the .softirqentry.text section by +common code, populating .irqentry.text is architecture-specific. + +Currently, the .irqentry.text section on s390 is empty, which prevents +stack depot filtering and de-duplication and could result in warnings +like: + +Stack depot reached limit capacity +WARNING: CPU: 0 PID: 286113 at lib/stackdepot.c:252 depot_alloc_stack+0x39a/0x3c8 + +with PREEMPT and KASAN enabled. + +Fix this by moving the IO/EXT interrupt handlers from .kprobes.text into +the .irqentry.text section and updating the kprobes blacklist to include +the .irqentry.text section. + +This is done only for asynchronous interrupts and explicitly not for +program checks, which are synchronous and where the context beyond the +program check is important to preserve. Despite machine checks being +somewhat in between, they are extremely rare, and preserving context +when possible is also of value. + +SVCs and Restart Interrupts are not relevant, one being always at the +boundary to user space and the other being a one-time thing. + +IRQ entries filtering is also optionally used in ftrace function graph, +where the same logic applies. + +Cc: stable@vger.kernel.org # 5.15+ +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/entry.S | 4 ++++ + arch/s390/kernel/kprobes.c | 6 ++++++ + 2 files changed, 10 insertions(+) + +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -450,9 +450,13 @@ SYM_CODE_START(\name) + SYM_CODE_END(\name) + .endm + ++ .section .irqentry.text, "ax" ++ + INT_HANDLER ext_int_handler,__LC_EXT_OLD_PSW,do_ext_irq + INT_HANDLER io_int_handler,__LC_IO_OLD_PSW,do_io_irq + ++ .section .kprobes.text, "ax" ++ + /* + * Machine check handler routines + */ +--- a/arch/s390/kernel/kprobes.c ++++ b/arch/s390/kernel/kprobes.c +@@ -489,6 +489,12 @@ int __init arch_init_kprobes(void) + return 0; + } + ++int __init arch_populate_kprobe_blacklist(void) ++{ ++ return kprobe_add_area_blacklist((unsigned long)__irqentry_text_start, ++ (unsigned long)__irqentry_text_end); ++} ++ + int arch_trampoline_kprobe(struct kprobe *p) + { + return 0; diff --git a/queue-6.12/series b/queue-6.12/series index bbb78d65c9b..df48a931183 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -52,3 +52,24 @@ mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region.patch powerpc-vdso-drop-mstack-protector-guard-flags-in-32-bit-files-with-clang.patch cpufreq-scmi-fix-cleanup-path-when-boost-enablement-fails.patch clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch +ad7780-fix-division-by-zero-in-ad7780_write_raw.patch +nvmem-core-check-read_only-flag-for-force_ro-in-bin_attr_nvmem_write.patch +driver-core-fw_devlink-stop-trying-to-optimize-cycle-detection-logic.patch +spmi-pmic-arb-fix-return-path-in-for_each_available_child_of_node.patch +arm-9429-1-ioremap-sync-pgds-for-vmalloc-shadow.patch +s390-entry-mark-irq-entries-to-fix-stack-depot-warnings.patch +arm-9430-1-entry-do-a-dummy-read-from-vmap-shadow.patch +arm-9431-1-mm-pair-atomic_set_release-with-_read_acquire.patch +net-stmmac-set-initial-eee-policy-configuration.patch +vfio-qat-fix-overflow-check-in-qat_vf_resume_write.patch +pci-qcom-disable-aspm-l0s-for-x1e80100.patch +perf-jevents-fix-breakage-when-do-perf-stat-on-system-metric.patch +remoteproc-qcom_q6v5_pas-disable-auto-boot-for-wpss.patch +pci-imx6-fix-suspend-resume-support-on-i.mx6qdl.patch +mm-slub-avoid-list-corruption-when-removing-a-slab-from-the-full-list.patch +f2fs-fix-to-drop-all-discards-after-creating-snapshot-on-lvm-device.patch +ceph-extract-entity-name-from-device-id.patch +ceph-pass-cred-pointer-to-ceph_mds_auth_match.patch +ceph-fix-cred-leak-in-ceph_mds_check_access.patch +mtd-spinand-winbond-fix-512gw-and-02jw-oob-layout.patch +mtd-spinand-winbond-fix-512gw-01gw-01jw-and-02jw-ecc-information.patch diff --git a/queue-6.12/spmi-pmic-arb-fix-return-path-in-for_each_available_child_of_node.patch b/queue-6.12/spmi-pmic-arb-fix-return-path-in-for_each_available_child_of_node.patch new file mode 100644 index 00000000000..3481ef83401 --- /dev/null +++ b/queue-6.12/spmi-pmic-arb-fix-return-path-in-for_each_available_child_of_node.patch @@ -0,0 +1,46 @@ +From 77adf4b1f3e1fdb319f7ee515e5924bb77df3916 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Fri, 8 Nov 2024 16:28:26 -0800 +Subject: spmi: pmic-arb: fix return path in for_each_available_child_of_node() + +From: Javier Carrasco + +commit 77adf4b1f3e1fdb319f7ee515e5924bb77df3916 upstream. + +This loop requires explicit calls to of_node_put() upon early exits +(break, goto, return) to decrement the child refcounter and avoid memory +leaks if the child is not required out of the loop. + +A more robust solution is using the scoped variant of the macro, which +automatically calls of_node_put() when the child goes out of scope. + +Cc: stable@vger.kernel.org +Fixes: 979987371739 ("spmi: pmic-arb: Add multi bus support") +Signed-off-by: Javier Carrasco +Link: https://lore.kernel.org/r/20241001-spmi-pmic-arb-scoped-v1-1-5872bab34ed6@gmail.com +Reviewed-by: Neil Armstrong +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20241109002829.160973-2-sboyd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spmi/spmi-pmic-arb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/spmi/spmi-pmic-arb.c ++++ b/drivers/spmi/spmi-pmic-arb.c +@@ -1763,14 +1763,13 @@ static int spmi_pmic_arb_register_buses( + { + struct device *dev = &pdev->dev; + struct device_node *node = dev->of_node; +- struct device_node *child; + int ret; + + /* legacy mode doesn't provide child node for the bus */ + if (of_device_is_compatible(node, "qcom,spmi-pmic-arb")) + return spmi_pmic_arb_bus_init(pdev, node, pmic_arb); + +- for_each_available_child_of_node(node, child) { ++ for_each_available_child_of_node_scoped(node, child) { + if (of_node_name_eq(child, "spmi")) { + ret = spmi_pmic_arb_bus_init(pdev, child, pmic_arb); + if (ret) diff --git a/queue-6.12/vfio-qat-fix-overflow-check-in-qat_vf_resume_write.patch b/queue-6.12/vfio-qat-fix-overflow-check-in-qat_vf_resume_write.patch new file mode 100644 index 00000000000..b6af24dc3c5 --- /dev/null +++ b/queue-6.12/vfio-qat-fix-overflow-check-in-qat_vf_resume_write.patch @@ -0,0 +1,52 @@ +From 9283b7392570421c22a6c8058614f5b76a46b81c Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Mon, 21 Oct 2024 13:37:53 +0100 +Subject: vfio/qat: fix overflow check in qat_vf_resume_write() + +From: Giovanni Cabiddu + +commit 9283b7392570421c22a6c8058614f5b76a46b81c upstream. + +The unsigned variable `size_t len` is cast to the signed type `loff_t` +when passed to the function check_add_overflow(). This function considers +the type of the destination, which is of type loff_t (signed), +potentially leading to an overflow. This issue is similar to the one +described in the link below. + +Remove the cast. + +Note that even if check_add_overflow() is bypassed, by setting `len` to +a value that is greater than LONG_MAX (which is considered as a negative +value after the cast), the function copy_from_user(), invoked a few lines +later, will not perform any copy and return `len` as (len > INT_MAX) +causing qat_vf_resume_write() to fail with -EFAULT. + +Fixes: bb208810b1ab ("vfio/qat: Add vfio_pci driver for Intel QAT SR-IOV VF devices") +CC: stable@vger.kernel.org # 6.10+ +Link: https://lore.kernel.org/all/138bd2e2-ede8-4bcc-aa7b-f3d9de167a37@moroto.mountain +Reported-by: Zijie Zhao +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Xin Zeng +Link: https://lore.kernel.org/r/20241021123843.42979-1-giovanni.cabiddu@intel.com +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/pci/qat/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/pci/qat/main.c b/drivers/vfio/pci/qat/main.c +index be3644ced17b..c78cb6de9390 100644 +--- a/drivers/vfio/pci/qat/main.c ++++ b/drivers/vfio/pci/qat/main.c +@@ -304,7 +304,7 @@ static ssize_t qat_vf_resume_write(struct file *filp, const char __user *buf, + offs = &filp->f_pos; + + if (*offs < 0 || +- check_add_overflow((loff_t)len, *offs, &end)) ++ check_add_overflow(len, *offs, &end)) + return -EOVERFLOW; + + if (end > mig_dev->state_size) +-- +2.47.1 +