From: Greg Kroah-Hartman Date: Sun, 24 Aug 2025 07:23:07 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.297~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=94614cdde331e57846f9eafddff6890da11eaa49;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch block-make-req_op_zone_finish-a-write-operation.patch cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch usb-typec-fusb302-cache-pd-rx-state.patch x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch --- diff --git a/queue-5.10/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch b/queue-5.10/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch new file mode 100644 index 0000000000..cf2819a4e1 --- /dev/null +++ b/queue-5.10/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch @@ -0,0 +1,75 @@ +From stable+bounces-169432-greg=kroah.com@vger.kernel.org Wed Aug 13 18:04:13 2025 +From: Sasha Levin +Date: Wed, 13 Aug 2025 11:55:06 -0400 +Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() +To: stable@vger.kernel.org +Cc: "Geoffrey D. Bennett" , Takashi Iwai , Sasha Levin +Message-ID: <20250813155506.2051597-1-sashal@kernel.org> + +From: "Geoffrey D. Bennett" + +[ Upstream commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 ] + +During communication with Focusrite Scarlett Gen 2/3/4 USB audio +interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(), +snd_usb_ctl_msg() which can cause initialisation and control +operations to fail intermittently. + +This patch adds up to 5 retries in scarlett2_usb(), with a delay +starting at 5ms and doubling each time. This follows the same approach +as the fix for usb_set_interface() in endpoint.c (commit f406005e162b +("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")), +which resolved similar -EPROTO issues during device initialisation, +and is the same approach as in fcp.c:fcp_usb(). + +Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") +Closes: https://github.com/geoffreybennett/linux-fcp/issues/41 +Cc: stable@vger.kernel.org +Signed-off-by: Geoffrey D. Bennett +Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu +Signed-off-by: Takashi Iwai +[ Applied retry logic directly in scarlett2_usb() instead of scarlett2_usb_tx() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_scarlett_gen2.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/sound/usb/mixer_scarlett_gen2.c ++++ b/sound/usb/mixer_scarlett_gen2.c +@@ -95,6 +95,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -591,6 +592,8 @@ static int scarlett2_usb( + u16 req_buf_size = sizeof(struct scarlett2_usb_packet) + req_size; + u16 resp_buf_size = sizeof(struct scarlett2_usb_packet) + resp_size; + struct scarlett2_usb_packet *req = NULL, *resp = NULL; ++ int retries = 0; ++ const int max_retries = 5; + int err = 0; + + req = kmalloc(req_buf_size, GFP_KERNEL); +@@ -614,6 +617,7 @@ static int scarlett2_usb( + if (req_size) + memcpy(req->data, req_data, req_size); + ++retry: + err = snd_usb_ctl_msg(mixer->chip->dev, + usb_sndctrlpipe(mixer->chip->dev, 0), + SCARLETT2_USB_VENDOR_SPECIFIC_CMD_REQ, +@@ -624,6 +628,10 @@ static int scarlett2_usb( + req_buf_size); + + if (err != req_buf_size) { ++ if (err == -EPROTO && ++retries <= max_retries) { ++ msleep(5 * (1 << (retries - 1))); ++ goto retry; ++ } + usb_audio_err( + mixer->chip, + "Scarlett Gen 2 USB request result cmd %x was %d\n", diff --git a/queue-5.10/block-make-req_op_zone_finish-a-write-operation.patch b/queue-5.10/block-make-req_op_zone_finish-a-write-operation.patch new file mode 100644 index 0000000000..3cd75454b4 --- /dev/null +++ b/queue-5.10/block-make-req_op_zone_finish-a-write-operation.patch @@ -0,0 +1,57 @@ +From stable+bounces-169872-greg=kroah.com@vger.kernel.org Sun Aug 17 03:49:36 2025 +From: Sasha Levin +Date: Sat, 16 Aug 2025 21:49:28 -0400 +Subject: block: Make REQ_OP_ZONE_FINISH a write operation +To: stable@vger.kernel.org +Cc: Damien Le Moal , Bart Van Assche , Johannes Thumshirn , Christoph Hellwig , Jens Axboe , Sasha Levin +Message-ID: <20250817014928.1329192-1-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit 3f66ccbaaef3a0c5bd844eab04e3207b4061c546 ] + +REQ_OP_ZONE_FINISH is defined as "12", which makes +op_is_write(REQ_OP_ZONE_FINISH) return false, despite the fact that a +zone finish operation is an operation that modifies a zone (transition +it to full) and so should be considered as a write operation (albeit +one that does not transfer any data to the device). + +Fix this by redefining REQ_OP_ZONE_FINISH to be an odd number (13), and +redefine REQ_OP_ZONE_RESET and REQ_OP_ZONE_RESET_ALL using sequential +odd numbers from that new value. + +Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Bart Van Assche +Reviewed-by: Johannes Thumshirn +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250625093327.548866-2-dlemoal@kernel.org +Signed-off-by: Jens Axboe +[ Extra renames ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/blk_types.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -353,13 +353,13 @@ enum req_opf { + /* Close a zone */ + REQ_OP_ZONE_CLOSE = 11, + /* Transition a zone to full */ +- REQ_OP_ZONE_FINISH = 12, ++ REQ_OP_ZONE_FINISH = 13, + /* write data at the current zone write pointer */ +- REQ_OP_ZONE_APPEND = 13, ++ REQ_OP_ZONE_APPEND = 15, + /* reset a zone write pointer */ +- REQ_OP_ZONE_RESET = 15, ++ REQ_OP_ZONE_RESET = 17, + /* reset all the zone present on the device */ +- REQ_OP_ZONE_RESET_ALL = 17, ++ REQ_OP_ZONE_RESET_ALL = 19, + + /* SCSI passthrough using struct scsi_request */ + REQ_OP_SCSI_IN = 32, diff --git a/queue-5.10/cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch b/queue-5.10/cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch new file mode 100644 index 0000000000..0591e7fc00 --- /dev/null +++ b/queue-5.10/cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch @@ -0,0 +1,55 @@ +From stable+bounces-171671-greg=kroah.com@vger.kernel.org Tue Aug 19 01:08:49 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 19:08:39 -0400 +Subject: cdc-acm: fix race between initial clearing halt and open +To: stable@vger.kernel.org +Cc: Oliver Neukum , stable , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250818230839.135733-2-sashal@kernel.org> + +From: Oliver Neukum + +[ Upstream commit 64690a90cd7c6db16d3af8616be1f4bf8d492850 ] + +On the devices that need their endpoints to get an +initial clear_halt, this needs to be done before +the devices can be opened. That means it needs to be +before the devices are registered. + +Fixes: 15bf722e6f6c0 ("cdc-acm: Add support of ATOL FPrint fiscal printers") +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20250717141259.2345605-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1517,6 +1517,12 @@ skip_countries: + usb_driver_claim_interface(&acm_driver, data_interface, acm); + usb_set_intfdata(data_interface, acm); + ++ if (quirks & CLEAR_HALT_CONDITIONS) { ++ /* errors intentionally ignored */ ++ usb_clear_halt(usb_dev, acm->in); ++ usb_clear_halt(usb_dev, acm->out); ++ } ++ + tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor, + &control_interface->dev); + if (IS_ERR(tty_dev)) { +@@ -1524,11 +1530,6 @@ skip_countries: + goto alloc_fail6; + } + +- if (quirks & CLEAR_HALT_CONDITIONS) { +- usb_clear_halt(usb_dev, acm->in); +- usb_clear_halt(usb_dev, acm->out); +- } +- + dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor); + + return 0; diff --git a/queue-5.10/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch b/queue-5.10/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch new file mode 100644 index 0000000000..62795c9820 --- /dev/null +++ b/queue-5.10/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch @@ -0,0 +1,85 @@ +From stable+bounces-165099-greg=kroah.com@vger.kernel.org Tue Jul 29 18:44:45 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 12:44:08 -0400 +Subject: drm/sched: Remove optimization that causes hang when killing dependent jobs +To: stable@vger.kernel.org +Cc: "Lin.Cao" , "Christian König" , "Philipp Stanner" , "Sasha Levin" +Message-ID: <20250729164408.2790772-1-sashal@kernel.org> + +From: "Lin.Cao" + +[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ] + +When application A submits jobs and application B submits a job with a +dependency on A's fence, the normal flow wakes up the scheduler after +processing each job. However, the optimization in +drm_sched_entity_add_dependency_cb() uses a callback that only clears +dependencies without waking up the scheduler. + +When application A is killed before its jobs can run, the callback gets +triggered but only clears the dependency without waking up the scheduler, +causing the scheduler to enter sleep state and application B to hang. + +Remove the optimization by deleting drm_sched_entity_clear_dep() and its +usage, ensuring the scheduler is always woken up when dependencies are +cleared. + +Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler") +Cc: stable@vger.kernel.org # v4.6+ +Signed-off-by: Lin.Cao +Reviewed-by: Christian König +Signed-off-by: Philipp Stanner +Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com +[ adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 23 ++--------------------- + 1 file changed, 2 insertions(+), 21 deletions(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -314,19 +314,6 @@ void drm_sched_entity_destroy(struct drm + EXPORT_SYMBOL(drm_sched_entity_destroy); + + /** +- * drm_sched_entity_clear_dep - callback to clear the entities dependency +- */ +-static void drm_sched_entity_clear_dep(struct dma_fence *f, +- struct dma_fence_cb *cb) +-{ +- struct drm_sched_entity *entity = +- container_of(cb, struct drm_sched_entity, cb); +- +- entity->dependency = NULL; +- dma_fence_put(f); +-} +- +-/** + * drm_sched_entity_clear_dep - callback to clear the entities dependency and + * wake up scheduler + */ +@@ -336,7 +323,8 @@ static void drm_sched_entity_wakeup(stru + struct drm_sched_entity *entity = + container_of(cb, struct drm_sched_entity, cb); + +- drm_sched_entity_clear_dep(f, cb); ++ entity->dependency = NULL; ++ dma_fence_put(f); + drm_sched_wakeup(entity->rq->sched); + } + +@@ -392,13 +380,6 @@ static bool drm_sched_entity_add_depende + fence = dma_fence_get(&s_fence->scheduled); + dma_fence_put(entity->dependency); + entity->dependency = fence; +- if (!dma_fence_add_callback(fence, &entity->cb, +- drm_sched_entity_clear_dep)) +- return true; +- +- /* Ignore it when it is already scheduled */ +- dma_fence_put(fence); +- return false; + } + + if (!dma_fence_add_callback(entity->dependency, &entity->cb, diff --git a/queue-5.10/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch b/queue-5.10/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch new file mode 100644 index 0000000000..5c52390bd1 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch @@ -0,0 +1,106 @@ +From stable+bounces-164652-greg=kroah.com@vger.kernel.org Thu Jul 24 19:47:29 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 13:47:16 -0400 +Subject: f2fs: fix to do sanity check on ino and xnid +To: stable@vger.kernel.org +Cc: Chao Yu , syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com, Jaegeuk Kim , Sasha Levin +Message-ID: <20250724174716.1409709-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ] + +syzbot reported a f2fs bug as below: + +INFO: task syz-executor140:5308 blocked for more than 143 seconds. + Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 +Call Trace: + + context_switch kernel/sched/core.c:5378 [inline] + __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 + __schedule_loop kernel/sched/core.c:6842 [inline] + schedule+0x14b/0x320 kernel/sched/core.c:6857 + io_schedule+0x8d/0x110 kernel/sched/core.c:7690 + folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 + __folio_lock mm/filemap.c:1664 [inline] + folio_lock include/linux/pagemap.h:1163 [inline] + __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 + pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 + find_get_page_flags include/linux/pagemap.h:842 [inline] + f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 + __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 + read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 + lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] + f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 + __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 + f2fs_acl_create fs/f2fs/acl.c:375 [inline] + f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 + f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 + f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 + f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 + f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 + f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] + f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 + vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 + unix_bind_bsd net/unix/af_unix.c:1286 [inline] + unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 + __sys_bind_socket net/socket.c:1817 [inline] + __sys_bind+0x1e4/0x290 net/socket.c:1848 + __do_sys_bind net/socket.c:1853 [inline] + __se_sys_bind net/socket.c:1851 [inline] + __x64_sys_bind+0x7a/0x90 net/socket.c:1851 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Let's dump and check metadata of corrupted inode, it shows its xattr_nid +is the same to its i_ino. + +dump.f2fs -i 3 chaseyu.img.raw +i_xattr_nid [0x 3 : 3] + +So that, during mknod in the corrupted directory, it tries to get and +lock inode page twice, result in deadlock. + +- f2fs_mknod + - f2fs_add_inline_entry + - f2fs_get_inode_page --- lock dir's inode page + - f2fs_init_acl + - f2fs_acl_create(dir,..) + - __f2fs_get_acl + - f2fs_getxattr + - lookup_all_xattrs + - __get_node_page --- try to lock dir's inode page + +In order to fix this, let's add sanity check on ino and xnid. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -222,6 +222,13 @@ static bool sanity_check_inode(struct in + return false; + } + ++ if (ino_of_node(node_page) == fi->i_xattr_nid) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.", ++ __func__, inode->i_ino, fi->i_xattr_nid); ++ return false; ++ } ++ + if (f2fs_sb_has_flexible_inline_xattr(sbi) + && !f2fs_has_extra_attr(inode)) { + set_sbi_flag(sbi, SBI_NEED_FSCK); diff --git a/queue-5.10/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch b/queue-5.10/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch new file mode 100644 index 0000000000..b549a10139 --- /dev/null +++ b/queue-5.10/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch @@ -0,0 +1,149 @@ +From stable+bounces-171774-greg=kroah.com@vger.kernel.org Tue Aug 19 14:02:42 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 08:01:27 -0400 +Subject: hv_netvsc: Fix panic during namespace deletion with VF +To: stable@vger.kernel.org +Cc: Haiyang Zhang , Jakub Kicinski , Sasha Levin +Message-ID: <20250819120127.451817-1-sashal@kernel.org> + +From: Haiyang Zhang + +[ Upstream commit 33caa208dba6fa639e8a92fd0c8320b652e5550c ] + +The existing code move the VF NIC to new namespace when NETDEV_REGISTER is +received on netvsc NIC. During deletion of the namespace, +default_device_exit_batch() >> default_device_exit_net() is called. When +netvsc NIC is moved back and registered to the default namespace, it +automatically brings VF NIC back to the default namespace. This will cause +the default_device_exit_net() >> for_each_netdev_safe loop unable to detect +the list end, and hit NULL ptr: + +[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 +[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 +[ 231.450246] #PF: supervisor read access in kernel mode +[ 231.450579] #PF: error_code(0x0000) - not-present page +[ 231.450916] PGD 17b8a8067 P4D 0 +[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI +[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY +[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 +[ 231.452692] Workqueue: netns cleanup_net +[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 +[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 +[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 +[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb +[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 +[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 +[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 +[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 +[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 +[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 +[ 231.458434] Call Trace: +[ 231.458600] +[ 231.458777] ops_undo_list+0x100/0x220 +[ 231.459015] cleanup_net+0x1b8/0x300 +[ 231.459285] process_one_work+0x184/0x340 + +To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid +changing the netdev list when default_device_exit_net() is using it. + +Cc: stable@vger.kernel.org +Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") +Signed-off-by: Haiyang Zhang +Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/hyperv_net.h | 3 +++ + drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++- + 2 files changed, 31 insertions(+), 1 deletion(-) + +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -985,6 +985,7 @@ struct net_device_context { + struct net_device __rcu *vf_netdev; + struct netvsc_vf_pcpu_stats __percpu *vf_stats; + struct delayed_work vf_takeover; ++ struct delayed_work vfns_work; + + /* 1: allocated, serial number is valid. 0: not allocated */ + u32 vf_alloc; +@@ -999,6 +1000,8 @@ struct net_device_context { + struct netvsc_device_info *saved_netvsc_dev_info; + }; + ++void netvsc_vfns_work(struct work_struct *w); ++ + /* Per channel data */ + struct netvsc_channel { + struct vmbus_channel *channel; +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2541,6 +2541,7 @@ static int netvsc_probe(struct hv_device + spin_lock_init(&net_device_ctx->lock); + INIT_LIST_HEAD(&net_device_ctx->reconfig_events); + INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup); ++ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work); + + net_device_ctx->vf_stats + = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats); +@@ -2679,6 +2680,8 @@ static int netvsc_remove(struct hv_devic + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); ++ + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev) { + cancel_work_sync(&nvdev->subchan_work); +@@ -2721,6 +2724,7 @@ static int netvsc_suspend(struct hv_devi + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); + + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev == NULL) { +@@ -2814,6 +2818,27 @@ static void netvsc_event_set_vf_ns(struc + } + } + ++void netvsc_vfns_work(struct work_struct *w) ++{ ++ struct net_device_context *ndev_ctx = ++ container_of(w, struct net_device_context, vfns_work.work); ++ struct net_device *ndev; ++ ++ if (!rtnl_trylock()) { ++ schedule_delayed_work(&ndev_ctx->vfns_work, 1); ++ return; ++ } ++ ++ ndev = hv_get_drvdata(ndev_ctx->device_ctx); ++ if (!ndev) ++ goto out; ++ ++ netvsc_event_set_vf_ns(ndev); ++ ++out: ++ rtnl_unlock(); ++} ++ + /* + * On Hyper-V, every VF interface is matched with a corresponding + * synthetic interface. The synthetic interface is presented first +@@ -2824,10 +2849,12 @@ static int netvsc_netdev_event(struct no + unsigned long event, void *ptr) + { + struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); ++ struct net_device_context *ndev_ctx; + int ret = 0; + + if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { +- netvsc_event_set_vf_ns(event_dev); ++ ndev_ctx = netdev_priv(event_dev); ++ schedule_delayed_work(&ndev_ctx->vfns_work, 0); + return NOTIFY_DONE; + } + diff --git a/queue-5.10/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch b/queue-5.10/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch new file mode 100644 index 0000000000..4a4ff46fd1 --- /dev/null +++ b/queue-5.10/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch @@ -0,0 +1,41 @@ +From stable+bounces-165122-greg=kroah.com@vger.kernel.org Tue Jul 29 21:25:38 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 15:25:14 -0400 +Subject: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() +To: stable@vger.kernel.org +Cc: Haoxiang Li , Michal Swiatkowski , Aleksandr Loktionov , Simon Horman , Rinitha S , Tony Nguyen , Sasha Levin +Message-ID: <20250729192514.2872668-1-sashal@kernel.org> + +From: Haoxiang Li + +[ Upstream commit 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 ] + +Add check for the return value of devm_kmemdup() +to prevent potential null pointer dereference. + +Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Reviewed-by: Michal Swiatkowski +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +[ applied the patch to ice_flex_pipe.c instead of ice_ddp.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c ++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c +@@ -1449,6 +1449,8 @@ enum ice_status ice_copy_and_init_pkg(st + return ICE_ERR_PARAM; + + buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL); ++ if (!buf_copy) ++ return ICE_ERR_NO_MEMORY; + + status = ice_init_pkg(hw, buf_copy, len); + if (status) { diff --git a/queue-5.10/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch b/queue-5.10/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch new file mode 100644 index 0000000000..fcc9375f2b --- /dev/null +++ b/queue-5.10/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch @@ -0,0 +1,42 @@ +From stable+bounces-164644-greg=kroah.com@vger.kernel.org Thu Jul 24 18:40:11 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 12:39:37 -0400 +Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation +To: stable@vger.kernel.org +Cc: Zhang Lixu , Srinivas Pandruvada , Jonathan Cameron , Sasha Levin +Message-ID: <20250724163937.1390174-1-sashal@kernel.org> + +From: Zhang Lixu + +[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ] + +The OFFSET calculation in the prox_read_raw() was incorrectly using the +unit exponent, which is intended for SCALE calculations. + +Remove the incorrect OFFSET calculation and set it to a fixed value of 0. + +Cc: stable@vger.kernel.org +Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com +Signed-off-by: Jonathan Cameron +[ adapted prox_attr array access to single structure member access ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/hid-sensor-prox.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/light/hid-sensor-prox.c ++++ b/drivers/iio/light/hid-sensor-prox.c +@@ -101,8 +101,7 @@ static int prox_read_raw(struct iio_dev + ret_type = prox_state->scale_precision; + break; + case IIO_CHAN_INFO_OFFSET: +- *val = hid_sensor_convert_exponent( +- prox_state->prox_attr.unit_expo); ++ *val = 0; + ret_type = IIO_VAL_INT; + break; + case IIO_CHAN_INFO_SAMP_FREQ: diff --git a/queue-5.10/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch b/queue-5.10/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch new file mode 100644 index 0000000000..7273f33e0e --- /dev/null +++ b/queue-5.10/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch @@ -0,0 +1,58 @@ +From stable+bounces-165088-greg=kroah.com@vger.kernel.org Tue Jul 29 17:09:42 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 11:09:29 -0400 +Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n +To: stable@vger.kernel.org +Cc: Harry Yoo , David Hildenbrand , Sergey Senozhatsky , Minchan Kim , Andrew Morton , Sasha Levin +Message-ID: <20250729150929.2729341-2-sashal@kernel.org> + +From: Harry Yoo + +[ Upstream commit 694d6b99923eb05a8fd188be44e26077d19f0e21 ] + +Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for +migrating zsmalloc pages using the movable_operations migration framework. +However, the commit did not take into account that zsmalloc supports +migration only when CONFIG_COMPACTION is enabled. Tracing shows that +zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is +not supported. + +This can result in unmovable pages being allocated from movable page +blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area. + +Possible user visible effects: +- Some ZONE_MOVABLE memory can be not actually movable +- CMA allocation can fail because of this +- Increased memory fragmentation due to ignoring the page mobility + grouping feature +I'm not really sure who uses kernels without compaction support, though :( + +To fix this, clear the __GFP_MOVABLE flag when +!IS_ENABLED(CONFIG_COMPACTION). + +Link: https://lkml.kernel.org/r/20250704103053.6913-1-harry.yoo@oracle.com +Fixes: 48b4800a1c6a ("zsmalloc: page migration support") +Signed-off-by: Harry Yoo +Acked-by: David Hildenbrand +Reviewed-by: Sergey Senozhatsky +Cc: Minchan Kim +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/zsmalloc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/zsmalloc.c ++++ b/mm/zsmalloc.c +@@ -1067,6 +1067,9 @@ static struct zspage *alloc_zspage(struc + if (!zspage) + return NULL; + ++ if (!IS_ENABLED(CONFIG_COMPACTION)) ++ gfp &= ~__GFP_MOVABLE; ++ + zspage->magic = ZSPAGE_MAGIC; + migrate_lock_init(zspage); + diff --git a/queue-5.10/mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch b/queue-5.10/mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch new file mode 100644 index 0000000000..9801450f7d --- /dev/null +++ b/queue-5.10/mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch @@ -0,0 +1,48 @@ +From stable+bounces-165087-greg=kroah.com@vger.kernel.org Tue Jul 29 17:09:40 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 11:09:28 -0400 +Subject: mm/zsmalloc.c: convert to use kmem_cache_zalloc in cache_alloc_zspage() +To: stable@vger.kernel.org +Cc: Miaohe Lin , Sergey Senozhatsky , Minchan Kim , Andrew Morton , Linus Torvalds , Sasha Levin +Message-ID: <20250729150929.2729341-1-sashal@kernel.org> + +From: Miaohe Lin + +[ Upstream commit f0231305acd53375c6cf736971bf5711105dd6bb ] + +We always memset the zspage allocated via cache_alloc_zspage. So it's +more convenient to use kmem_cache_zalloc in cache_alloc_zspage than caller +do it manually. + +Link: https://lkml.kernel.org/r/20210114120032.25885-1-linmiaohe@huawei.com +Signed-off-by: Miaohe Lin +Reviewed-by: Sergey Senozhatsky +Cc: Minchan Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 694d6b99923e ("mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/zsmalloc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/mm/zsmalloc.c ++++ b/mm/zsmalloc.c +@@ -357,7 +357,7 @@ static void cache_free_handle(struct zs_ + + static struct zspage *cache_alloc_zspage(struct zs_pool *pool, gfp_t flags) + { +- return kmem_cache_alloc(pool->zspage_cachep, ++ return kmem_cache_zalloc(pool->zspage_cachep, + flags & ~(__GFP_HIGHMEM|__GFP_MOVABLE)); + } + +@@ -1067,7 +1067,6 @@ static struct zspage *alloc_zspage(struc + if (!zspage) + return NULL; + +- memset(zspage, 0, sizeof(struct zspage)); + zspage->magic = ZSPAGE_MAGIC; + migrate_lock_init(zspage); + diff --git a/queue-5.10/net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch b/queue-5.10/net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch new file mode 100644 index 0000000000..56bfcbd683 --- /dev/null +++ b/queue-5.10/net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch @@ -0,0 +1,125 @@ +From stable+bounces-169394-greg=kroah.com@vger.kernel.org Wed Aug 13 15:48:18 2025 +From: Sasha Levin +Date: Wed, 13 Aug 2025 09:44:55 -0400 +Subject: net: usbnet: Avoid potential RCU stall on LINK_CHANGE event +To: stable@vger.kernel.org +Cc: John Ernberg , Jakub Kicinski , Sasha Levin +Message-ID: <20250813134455.2037227-1-sashal@kernel.org> + +From: John Ernberg + +[ Upstream commit 0d9cfc9b8cb17dbc29a98792d36ec39a1cf1395f ] + +The Gemalto Cinterion PLS83-W modem (cdc_ether) is emitting confusing link +up and down events when the WWAN interface is activated on the modem-side. + +Interrupt URBs will in consecutive polls grab: +* Link Connected +* Link Disconnected +* Link Connected + +Where the last Connected is then a stable link state. + +When the system is under load this may cause the unlink_urbs() work in +__handle_link_change() to not complete before the next usbnet_link_change() +call turns the carrier on again, allowing rx_submit() to queue new SKBs. + +In that event the URB queue is filled faster than it can drain, ending up +in a RCU stall: + + rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 0-.... } 33108 jiffies s: 201 root: 0x1/. + rcu: blocking rcu_node structures (internal RCU debug): + Sending NMI from CPU 1 to CPUs 0: + NMI backtrace for cpu 0 + + Call trace: + arch_local_irq_enable+0x4/0x8 + local_bh_enable+0x18/0x20 + __netdev_alloc_skb+0x18c/0x1cc + rx_submit+0x68/0x1f8 [usbnet] + rx_alloc_submit+0x4c/0x74 [usbnet] + usbnet_bh+0x1d8/0x218 [usbnet] + usbnet_bh_tasklet+0x10/0x18 [usbnet] + tasklet_action_common+0xa8/0x110 + tasklet_action+0x2c/0x34 + handle_softirqs+0x2cc/0x3a0 + __do_softirq+0x10/0x18 + ____do_softirq+0xc/0x14 + call_on_irq_stack+0x24/0x34 + do_softirq_own_stack+0x18/0x20 + __irq_exit_rcu+0xa8/0xb8 + irq_exit_rcu+0xc/0x30 + el1_interrupt+0x34/0x48 + el1h_64_irq_handler+0x14/0x1c + el1h_64_irq+0x68/0x6c + _raw_spin_unlock_irqrestore+0x38/0x48 + xhci_urb_dequeue+0x1ac/0x45c [xhci_hcd] + unlink1+0xd4/0xdc [usbcore] + usb_hcd_unlink_urb+0x70/0xb0 [usbcore] + usb_unlink_urb+0x24/0x44 [usbcore] + unlink_urbs.constprop.0.isra.0+0x64/0xa8 [usbnet] + __handle_link_change+0x34/0x70 [usbnet] + usbnet_deferred_kevent+0x1c0/0x320 [usbnet] + process_scheduled_works+0x2d0/0x48c + worker_thread+0x150/0x1dc + kthread+0xd8/0xe8 + ret_from_fork+0x10/0x20 + +Get around the problem by delaying the carrier on to the scheduled work. + +This needs a new flag to keep track of the necessary action. + +The carrier ok check cannot be removed as it remains required for the +LINK_RESET event flow. + +Fixes: 4b49f58fff00 ("usbnet: handle link change") +Cc: stable@vger.kernel.org +Signed-off-by: John Ernberg +Link: https://patch.msgid.link/20250723102526.1305339-1-john.ernberg@actia.se +Signed-off-by: Jakub Kicinski +[ adjust context in header ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 11 ++++++++--- + include/linux/usb/usbnet.h | 1 + + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1080,6 +1080,9 @@ static void __handle_link_change(struct + * tx queue is stopped by netcore after link becomes off + */ + } else { ++ if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags)) ++ netif_carrier_on(dev->net); ++ + /* submitting URBs for reading packets */ + tasklet_schedule(&dev->bh); + } +@@ -1960,10 +1963,12 @@ EXPORT_SYMBOL(usbnet_manage_power); + void usbnet_link_change(struct usbnet *dev, bool link, bool need_reset) + { + /* update link after link is reseted */ +- if (link && !need_reset) +- netif_carrier_on(dev->net); +- else ++ if (link && !need_reset) { ++ set_bit(EVENT_LINK_CARRIER_ON, &dev->flags); ++ } else { ++ clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags); + netif_carrier_off(dev->net); ++ } + + if (need_reset && link) + usbnet_defer_kevent(dev, EVENT_LINK_RESET); +--- a/include/linux/usb/usbnet.h ++++ b/include/linux/usb/usbnet.h +@@ -83,6 +83,7 @@ struct usbnet { + # define EVENT_LINK_CHANGE 11 + # define EVENT_SET_RX_MODE 12 + # define EVENT_NO_IP_ALIGN 13 ++# define EVENT_LINK_CARRIER_ON 14 + u32 rx_speed; /* in bps - NOT Mbps */ + u32 tx_speed; /* in bps - NOT Mbps */ + }; diff --git a/queue-5.10/pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch b/queue-5.10/pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch new file mode 100644 index 0000000000..f666884a5a --- /dev/null +++ b/queue-5.10/pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch @@ -0,0 +1,125 @@ +From stable+bounces-169886-greg=kroah.com@vger.kernel.org Sun Aug 17 15:18:53 2025 +From: Sasha Levin +Date: Sun, 17 Aug 2025 09:18:01 -0400 +Subject: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports +To: stable@vger.kernel.org +Cc: Lukas Wunner , Laurent Bigonville , Mario Limonciello , Bjorn Helgaas , "Rafael J. Wysocki" , Sasha Levin +Message-ID: <20250817131801.1432444-1-sashal@kernel.org> + +From: Lukas Wunner + +[ Upstream commit 6cff20ce3b92ffbf2fc5eb9e5a030b3672aa414a ] + +pci_bridge_d3_possible() is called from both pcie_portdrv_probe() and +pcie_portdrv_remove() to determine whether runtime power management shall +be enabled (on probe) or disabled (on remove) on a PCIe port. + +The underlying assumption is that pci_bridge_d3_possible() always returns +the same value, else a runtime PM reference imbalance would occur. That +assumption is not given if the PCIe port is inaccessible on remove due to +hot-unplug: pci_bridge_d3_possible() calls pciehp_is_native(), which +accesses Config Space to determine whether the port is Hot-Plug Capable. +An inaccessible port returns "all ones", which is converted to "all +zeroes" by pcie_capability_read_dword(). Hence the port no longer seems +Hot-Plug Capable on remove even though it was on probe. + +The resulting runtime PM ref imbalance causes warning messages such as: + + pcieport 0000:02:04.0: Runtime PM usage count underflow! + +Avoid the Config Space access (and thus the runtime PM ref imbalance) by +caching the Hot-Plug Capable bit in struct pci_dev. + +The struct already contains an "is_hotplug_bridge" flag, which however is +not only set on Hot-Plug Capable PCIe ports, but also Conventional PCI +Hot-Plug bridges and ACPI slots. The flag identifies bridges which are +allocated additional MMIO and bus number resources to allow for hierarchy +expansion. + +The kernel is somewhat sloppily using "is_hotplug_bridge" in a number of +places to identify Hot-Plug Capable PCIe ports, even though the flag +encompasses other devices. Subsequent commits replace these occurrences +with the new flag to clearly delineate Hot-Plug Capable PCIe ports from +other kinds of hotplug bridges. + +Document the existing "is_hotplug_bridge" and the new "is_pciehp" flag +and document the (non-obvious) requirement that pci_bridge_d3_possible() +always returns the same value across the entire lifetime of a bridge, +including its hot-removal. + +Fixes: 5352a44a561d ("PCI: pciehp: Make pciehp_is_native() stricter") +Reported-by: Laurent Bigonville +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220216 +Reported-by: Mario Limonciello +Closes: https://lore.kernel.org/r/20250609020223.269407-3-superm1@kernel.org/ +Link: https://lore.kernel.org/all/20250620025535.3425049-3-superm1@kernel.org/T/#u +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Acked-by: Rafael J. Wysocki +Cc: stable@vger.kernel.org # v4.18+ +Link: https://patch.msgid.link/fe5dcc3b2e62ee1df7905d746bde161eb1b3291c.1752390101.git.lukas@wunner.de +[ Adjust surrounding documentation changes ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-acpi.c | 4 +--- + drivers/pci/pci.c | 8 ++++++-- + drivers/pci/probe.c | 2 +- + include/linux/pci.h | 1 + + 4 files changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -791,13 +791,11 @@ int pci_acpi_program_hp_params(struct pc + bool pciehp_is_native(struct pci_dev *bridge) + { + const struct pci_host_bridge *host; +- u32 slot_cap; + + if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE)) + return false; + +- pcie_capability_read_dword(bridge, PCI_EXP_SLTCAP, &slot_cap); +- if (!(slot_cap & PCI_EXP_SLTCAP_HPC)) ++ if (!bridge->is_pciehp) + return false; + + if (pcie_ports_native) +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2860,8 +2860,12 @@ static const struct dmi_system_id bridge + * pci_bridge_d3_possible - Is it possible to put the bridge into D3 + * @bridge: Bridge to check + * +- * This function checks if it is possible to move the bridge to D3. +- * Currently we only allow D3 for recent enough PCIe ports and Thunderbolt. ++ * Currently we only allow D3 for some PCIe ports and for Thunderbolt. ++ * ++ * Return: Whether it is possible to move the bridge to D3. ++ * ++ * The return value is guaranteed to be constant across the entire lifetime ++ * of the bridge, including its hot-removal. + */ + bool pci_bridge_d3_possible(struct pci_dev *bridge) + { +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1582,7 +1582,7 @@ void set_pcie_hotplug_bridge(struct pci_ + + pcie_capability_read_dword(pdev, PCI_EXP_SLTCAP, ®32); + if (reg32 & PCI_EXP_SLTCAP_HPC) +- pdev->is_hotplug_bridge = 1; ++ pdev->is_hotplug_bridge = pdev->is_pciehp = 1; + } + + static void set_pcie_thunderbolt(struct pci_dev *dev) +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -439,6 +439,7 @@ struct pci_dev { + unsigned int is_virtfn:1; + unsigned int reset_fn:1; + unsigned int is_hotplug_bridge:1; ++ unsigned int is_pciehp:1; + unsigned int shpc_managed:1; /* SHPC owned by shpchp */ + unsigned int is_thunderbolt:1; /* Thunderbolt controller */ + /* diff --git a/queue-5.10/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch b/queue-5.10/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch new file mode 100644 index 0000000000..4da55ea687 --- /dev/null +++ b/queue-5.10/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch @@ -0,0 +1,114 @@ +From stable+bounces-163717-greg=kroah.com@vger.kernel.org Tue Jul 22 15:44:41 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 09:44:28 -0400 +Subject: pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov +To: stable@vger.kernel.org +Cc: Maulik Shah , Ulf Hansson , Sasha Levin +Message-ID: <20250722134428.946158-1-sashal@kernel.org> + +From: Maulik Shah + +[ Upstream commit 500ba33284416255b9a5b50ace24470b6fe77ea5 ] + +pm_domain_cpu_gov is selecting a cluster idle state but does not consider +latency tolerance of child CPUs. This results in deeper cluster idle state +whose latency does not meet latency tolerance requirement. + +Select deeper idle state only if global and device latency tolerance of all +child CPUs meet. + +Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than +domain idle state entry (2150) + exit (1983) usec latency mentioned in +devicetree, demonstrate the issue. + + # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us + +Before: (Usage is incrementing) +====== + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 29817 537 8 270 0 + + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 30348 542 8 271 0 + +After: (Usage is not incrementing due to latency tolerance) +====== + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 39319 626 14 307 0 + + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 39319 626 14 307 0 + +Signed-off-by: Maulik Shah +Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualcomm.com +Signed-off-by: Ulf Hansson +[ adapted file path from drivers/pmdomain/governor.c to drivers/base/power/domain_governor.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/domain_governor.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/base/power/domain_governor.c ++++ b/drivers/base/power/domain_governor.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -254,6 +255,8 @@ static bool cpu_power_down_ok(struct dev + struct generic_pm_domain *genpd = pd_to_genpd(pd); + struct cpuidle_device *dev; + ktime_t domain_wakeup, next_hrtimer; ++ struct device *cpu_dev; ++ s64 cpu_constraint, global_constraint; + s64 idle_duration_ns; + int cpu, i; + +@@ -264,6 +267,7 @@ static bool cpu_power_down_ok(struct dev + if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) + return true; + ++ global_constraint = cpu_latency_qos_limit(); + /* + * Find the next wakeup for any of the online CPUs within the PM domain + * and its subdomains. Note, we only need the genpd->cpus, as it already +@@ -277,8 +281,16 @@ static bool cpu_power_down_ok(struct dev + if (ktime_before(next_hrtimer, domain_wakeup)) + domain_wakeup = next_hrtimer; + } ++ ++ cpu_dev = get_cpu_device(cpu); ++ if (cpu_dev) { ++ cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); ++ if (cpu_constraint < global_constraint) ++ global_constraint = cpu_constraint; ++ } + } + ++ global_constraint *= NSEC_PER_USEC; + /* The minimum idle duration is from now - until the next wakeup. */ + idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, ktime_get())); + if (idle_duration_ns <= 0) +@@ -291,8 +303,10 @@ static bool cpu_power_down_ok(struct dev + */ + i = genpd->state_idx; + do { +- if (idle_duration_ns >= (genpd->states[i].residency_ns + +- genpd->states[i].power_off_latency_ns)) { ++ if ((idle_duration_ns >= (genpd->states[i].residency_ns + ++ genpd->states[i].power_off_latency_ns)) && ++ (global_constraint >= (genpd->states[i].power_on_latency_ns + ++ genpd->states[i].power_off_latency_ns))) { + genpd->state_idx = i; + return true; + } diff --git a/queue-5.10/series b/queue-5.10/series index b82d3a209c..84372b19d0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -413,3 +413,24 @@ usb-storage-realtek_cr-use-correct-byte-order-for-bcs-residue.patch usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch +f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch +iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch +x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch +usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch +usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch +smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch +tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch +pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch +ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch +drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch +mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch +mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch +x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch +alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch +net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch +usb-typec-fusb302-cache-pd-rx-state.patch +pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch +block-make-req_op_zone_finish-a-write-operation.patch +hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch +usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch +cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch diff --git a/queue-5.10/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch b/queue-5.10/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch new file mode 100644 index 0000000000..bb567c888c --- /dev/null +++ b/queue-5.10/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch @@ -0,0 +1,85 @@ +From stable+bounces-164307-greg=kroah.com@vger.kernel.org Wed Jul 23 00:00:40 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 17:59:01 -0400 +Subject: smb: client: fix use-after-free in crypt_message when using async crypto +To: stable@vger.kernel.org +Cc: Wang Zhaolong , Paulo Alcantara , Steve French , Sasha Levin +Message-ID: <20250722215901.981691-1-sashal@kernel.org> + +From: Wang Zhaolong + +[ Upstream commit b220bed63330c0e1733dc06ea8e75d5b9962b6b6 ] + +The CVE-2024-50047 fix removed asynchronous crypto handling from +crypt_message(), assuming all crypto operations are synchronous. +However, when hardware crypto accelerators are used, this can cause +use-after-free crashes: + + crypt_message() + // Allocate the creq buffer containing the req + creq = smb2_get_aead_req(..., &req); + + // Async encryption returns -EINPROGRESS immediately + rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); + + // Free creq while async operation is still in progress + kvfree_sensitive(creq, ...); + +Hardware crypto modules often implement async AEAD operations for +performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, +the operation completes asynchronously. Without crypto_wait_req(), +the function immediately frees the request buffer, leading to crashes +when the driver later accesses the freed memory. + +This results in a use-after-free condition when the hardware crypto +driver later accesses the freed request structure, leading to kernel +crashes with NULL pointer dereferences. + +The issue occurs because crypto_alloc_aead() with mask=0 doesn't +guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in +the mask, async implementations can be selected. + +Fix by restoring the async crypto handling: +- DECLARE_CRYPTO_WAIT(wait) for completion tracking +- aead_request_set_callback() for async completion notification +- crypto_wait_req() to wait for operation completion + +This ensures the request buffer isn't freed until the crypto operation +completes, whether synchronous or asynchronous, while preserving the +CVE-2024-50047 fix. + +Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption") +Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweicloud.com/ +Cc: stable@vger.kernel.org +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -4302,6 +4302,7 @@ crypt_message(struct TCP_Server_Info *se + u8 key[SMB3_ENC_DEC_KEY_SIZE]; + struct aead_request *req; + u8 *iv; ++ DECLARE_CRYPTO_WAIT(wait); + unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); + void *creq; + +@@ -4350,7 +4351,11 @@ crypt_message(struct TCP_Server_Info *se + aead_request_set_crypt(req, sg, sg, crypt_len, iv); + aead_request_set_ad(req, assoc_data_len); + +- rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); ++ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, ++ crypto_req_done, &wait); ++ ++ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) ++ : crypto_aead_decrypt(req), &wait); + + if (!rc && enc) + memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE); diff --git a/queue-5.10/tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch b/queue-5.10/tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch new file mode 100644 index 0000000000..209c6f3435 --- /dev/null +++ b/queue-5.10/tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch @@ -0,0 +1,62 @@ +From stable+bounces-164083-greg=kroah.com@vger.kernel.org Tue Jul 22 16:09:52 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 10:06:16 -0400 +Subject: tracing: Add down_write(trace_event_sem) when adding trace event +To: stable@vger.kernel.org +Cc: Steven Rostedt , Mathieu Desnoyers , Masami Hiramatsu , Fusheng Huang , Sasha Levin +Message-ID: <20250722140616.951726-1-sashal@kernel.org> + +From: Steven Rostedt + +[ Upstream commit b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df ] + +When a module is loaded, it adds trace events defined by the module. It +may also need to modify the modules trace printk formats to replace enum +names with their values. + +If two modules are loaded at the same time, the adding of the event to the +ftrace_events list can corrupt the walking of the list in the code that is +modifying the printk format strings and crash the kernel. + +The addition of the event should take the trace_event_sem for write while +it adds the new event. + +Also add a lockdep_assert_held() on that semaphore in +__trace_add_event_dirs() as it iterates the list. + +Cc: stable@vger.kernel.org +Cc: Mathieu Desnoyers +Acked-by: Masami Hiramatsu (Google) +Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home +Reported-by: Fusheng Huang(黄富生) +Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/ +Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -2324,7 +2324,10 @@ __register_event(struct trace_event_call + if (ret < 0) + return ret; + ++ down_write(&trace_event_sem); + list_add(&call->list, &ftrace_events); ++ up_write(&trace_event_sem); ++ + call->mod = mod; + + return 0; +@@ -2710,6 +2713,8 @@ __trace_add_event_dirs(struct trace_arra + struct trace_event_call *call; + int ret; + ++ lockdep_assert_held(&trace_event_sem); ++ + list_for_each_entry(call, &ftrace_events, list) { + ret = __trace_add_new_event(call, tr); + if (ret < 0) diff --git a/queue-5.10/usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch b/queue-5.10/usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch new file mode 100644 index 0000000000..03426cc747 --- /dev/null +++ b/queue-5.10/usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch @@ -0,0 +1,45 @@ +From stable+bounces-171670-greg=kroah.com@vger.kernel.org Tue Aug 19 01:08:47 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 19:08:38 -0400 +Subject: USB: cdc-acm: do not log successful probe on later errors +To: stable@vger.kernel.org +Cc: Johan Hovold , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250818230839.135733-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 79579411826647fd573dbe301c4d933bc90e4be7 ] + +Do not log the successful-probe message until the tty device has been +registered. + +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210322155318.9837-9-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 64690a90cd7c ("cdc-acm: fix race between initial clearing halt and open") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1510,8 +1510,6 @@ skip_countries: + acm->nb_index = 0; + acm->nb_size = 0; + +- dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor); +- + acm->line.dwDTERate = cpu_to_le32(9600); + acm->line.bDataBits = 8; + acm_set_line(acm, &acm->line); +@@ -1531,6 +1529,8 @@ skip_countries: + usb_clear_halt(usb_dev, acm->out); + } + ++ dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor); ++ + return 0; + alloc_fail6: + if (!acm->combined_interfaces) { diff --git a/queue-5.10/usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch b/queue-5.10/usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch new file mode 100644 index 0000000000..72e1644961 --- /dev/null +++ b/queue-5.10/usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch @@ -0,0 +1,102 @@ +From stable+bounces-164312-greg=kroah.com@vger.kernel.org Wed Jul 23 00:51:01 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 18:50:49 -0400 +Subject: usb: hub: avoid warm port reset during USB3 disconnect +To: stable@vger.kernel.org +Cc: Mathias Nyman , Mark Pearson , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250722225050.997941-1-sashal@kernel.org> + +From: Mathias Nyman + +[ Upstream commit f59f93cd1d720809466c7fd5aa16a236156c672b ] + +During disconnect USB-3 ports often go via SS.Inactive link error state +before the missing terminations are noticed, and link finally goes to +RxDetect state + +Avoid immediately warm-resetting ports in SS.Inactive state. +Let ports settle for a while and re-read the link status a few times 20ms +apart to see if the ports transitions out of SS.Inactive. + +According to USB 3.x spec 7.5.2, a port in SS.Inactive should +automatically check for missing far-end receiver termination every +12 ms (SSInactiveQuietTimeout) + +The futile multiple warm reset retries of a disconnected device takes +a lot of time, also the resetting of a removed devices has caused cases +where the reset bit got stuck for a long time on xHCI roothub. +This lead to issues in detecting new devices connected to the same port +shortly after. + +Tested-by: Mark Pearson +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211210111653.1378381-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 2521106fc732 ("usb: hub: Don't try to recover devices lost during warm reset.") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2884,6 +2884,8 @@ static unsigned hub_is_wusb(struct usb_h + #define PORT_INIT_TRIES 4 + #endif /* CONFIG_USB_FEW_INIT_RETRIES */ + ++#define DETECT_DISCONNECT_TRIES 5 ++ + #define HUB_ROOT_RESET_TIME 60 /* times are in msec */ + #define HUB_SHORT_RESET_TIME 10 + #define HUB_BH_RESET_TIME 50 +@@ -5685,6 +5687,7 @@ static void port_event(struct usb_hub *h + struct usb_device *udev = port_dev->child; + struct usb_device *hdev = hub->hdev; + u16 portstatus, portchange; ++ int i = 0; + + connect_change = test_bit(port1, hub->change_bits); + clear_bit(port1, hub->event_bits); +@@ -5761,17 +5764,27 @@ static void port_event(struct usb_hub *h + connect_change = 1; + + /* +- * Warm reset a USB3 protocol port if it's in +- * SS.Inactive state. +- */ +- if (hub_port_warm_reset_required(hub, port1, portstatus)) { +- dev_dbg(&port_dev->dev, "do warm reset\n"); +- if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) ++ * Avoid trying to recover a USB3 SS.Inactive port with a warm reset if ++ * the device was disconnected. A 12ms disconnect detect timer in ++ * SS.Inactive state transitions the port to RxDetect automatically. ++ * SS.Inactive link error state is common during device disconnect. ++ */ ++ while (hub_port_warm_reset_required(hub, port1, portstatus)) { ++ if ((i++ < DETECT_DISCONNECT_TRIES) && udev) { ++ u16 unused; ++ ++ msleep(20); ++ hub_port_status(hub, port1, &portstatus, &unused); ++ dev_dbg(&port_dev->dev, "Wait for inactive link disconnect detect\n"); ++ continue; ++ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) + || udev->state == USB_STATE_NOTATTACHED) { ++ dev_dbg(&port_dev->dev, "do warm reset, port only\n"); + if (hub_port_reset(hub, port1, NULL, + HUB_BH_RESET_TIME, true) < 0) + hub_port_disable(hub, port1, 1); + } else { ++ dev_dbg(&port_dev->dev, "do warm reset, full device\n"); + usb_unlock_port(port_dev); + usb_lock_device(udev); + usb_reset_device(udev); +@@ -5779,6 +5792,7 @@ static void port_event(struct usb_hub *h + usb_lock_port(port_dev); + connect_change = 0; + } ++ break; + } + + if (connect_change) diff --git a/queue-5.10/usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch b/queue-5.10/usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch new file mode 100644 index 0000000000..17bcfef2e6 --- /dev/null +++ b/queue-5.10/usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch @@ -0,0 +1,91 @@ +From stable+bounces-164313-greg=kroah.com@vger.kernel.org Wed Jul 23 00:51:03 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 18:50:50 -0400 +Subject: usb: hub: Don't try to recover devices lost during warm reset. +To: stable@vger.kernel.org +Cc: "Mathias Nyman" , "Łukasz Bartosik" , "Alan Stern" , "Greg Kroah-Hartman" , "Sasha Levin" +Message-ID: <20250722225050.997941-2-sashal@kernel.org> + +From: Mathias Nyman + +[ Upstream commit 2521106fc732b0b75fd3555c689b1ed1d29d273c ] + +Hub driver warm-resets ports in SS.Inactive or Compliance mode to +recover a possible connected device. The port reset code correctly +detects if a connection is lost during reset, but hub driver +port_event() fails to take this into account in some cases. +port_event() ends up using stale values and assumes there is a +connected device, and will try all means to recover it, including +power-cycling the port. + +Details: +This case was triggered when xHC host was suspended with DbC (Debug +Capability) enabled and connected. DbC turns one xHC port into a simple +usb debug device, allowing debugging a system with an A-to-A USB debug +cable. + +xhci DbC code disables DbC when xHC is system suspended to D3, and +enables it back during resume. +We essentially end up with two hosts connected to each other during +suspend, and, for a short while during resume, until DbC is enabled back. +The suspended xHC host notices some activity on the roothub port, but +can't train the link due to being suspended, so xHC hardware sets a CAS +(Cold Attach Status) flag for this port to inform xhci host driver that +the port needs to be warm reset once xHC resumes. + +CAS is xHCI specific, and not part of USB specification, so xhci driver +tells usb core that the port has a connection and link is in compliance +mode. Recovery from complinace mode is similar to CAS recovery. + +xhci CAS driver support that fakes a compliance mode connection was added +in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS") + +Once xHCI resumes and DbC is enabled back, all activity on the xHC +roothub host side port disappears. The hub driver will anyway think +port has a connection and link is in compliance mode, and hub driver +will try to recover it. + +The port power-cycle during recovery seems to cause issues to the active +DbC connection. + +Fix this by clearing connect_change flag if hub_port_reset() returns +-ENOTCONN, thus avoiding the whole unnecessary port recovery and +initialization attempt. + +Cc: stable@vger.kernel.org +Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS") +Tested-by: Łukasz Bartosik +Signed-off-by: Mathias Nyman +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5688,6 +5688,7 @@ static void port_event(struct usb_hub *h + struct usb_device *hdev = hub->hdev; + u16 portstatus, portchange; + int i = 0; ++ int err; + + connect_change = test_bit(port1, hub->change_bits); + clear_bit(port1, hub->event_bits); +@@ -5780,8 +5781,11 @@ static void port_event(struct usb_hub *h + } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) + || udev->state == USB_STATE_NOTATTACHED) { + dev_dbg(&port_dev->dev, "do warm reset, port only\n"); +- if (hub_port_reset(hub, port1, NULL, +- HUB_BH_RESET_TIME, true) < 0) ++ err = hub_port_reset(hub, port1, NULL, ++ HUB_BH_RESET_TIME, true); ++ if (!udev && err == -ENOTCONN) ++ connect_change = 0; ++ else if (err < 0) + hub_port_disable(hub, port1, 1); + } else { + dev_dbg(&port_dev->dev, "do warm reset, full device\n"); diff --git a/queue-5.10/usb-typec-fusb302-cache-pd-rx-state.patch b/queue-5.10/usb-typec-fusb302-cache-pd-rx-state.patch new file mode 100644 index 0000000000..e325113d65 --- /dev/null +++ b/queue-5.10/usb-typec-fusb302-cache-pd-rx-state.patch @@ -0,0 +1,98 @@ +From stable+bounces-171668-greg=kroah.com@vger.kernel.org Tue Aug 19 00:54:38 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 18:54:25 -0400 +Subject: usb: typec: fusb302: cache PD RX state +To: stable@vger.kernel.org +Cc: Sebastian Reichel , stable , Heikki Krogerus , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250818225425.129459-1-sashal@kernel.org> + +From: Sebastian Reichel + +[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ] + +This patch fixes a race condition communication error, which ends up in +PD hard resets when losing the race. Some systems, like the Radxa ROCK +5B are powered through USB-C without any backup power source and use a +FUSB302 chip to do the PD negotiation. This means it is quite important +to avoid hard resets, since that effectively kills the system's +power-supply. + +I've found the following race condition while debugging unplanned power +loss during booting the board every now and then: + +1. lots of TCPM/FUSB302/PD initialization stuff +2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) +3. the remote PD source does not send anything, so TCPM does a SOFT RESET +4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time + (tcpm_set_pd_rx is enabled again, even though it is still on) + +At this point I've seen broken CRC good messages being send by the +FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like +messages are being lost and things generally going haywire with one of +the two sides doing a hard reset once a broken CRC good message was send +to the bus. + +I think the system is running into a race condition, that the FIFOs are +being cleared and/or the automatic good CRC message generation flag is +being updated while a message is already arriving. + +Let's avoid this by caching the PD RX enabled state, as we have already +processed anything in the FIFOs and are in a good state. As a side +effect that this also optimizes I2C bus usage :) + +As far as I can tell the problem theoretically also exists when TCPM +enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less +critical for the following reason: + +On devices like the ROCK 5B, which are powered through a TCPM backed +USB-C port, the bootloader must have done some prior PD communication +(initial communication must happen within 5 seconds after plugging the +USB-C plug). This means the first time the kernel TCPM state machine +reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages +actively. On other devices a hard reset simply adds some extra delay and +things should be good afterwards. + +Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") +Cc: stable +Signed-off-by: Sebastian Reichel +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org +Signed-off-by: Greg Kroah-Hartman +[ replaced str_on_off(on) with ternary operator ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/typec/tcpm/fusb302.c ++++ b/drivers/usb/typec/tcpm/fusb302.c +@@ -103,6 +103,7 @@ struct fusb302_chip { + bool vconn_on; + bool vbus_on; + bool charge_on; ++ bool pd_rx_on; + bool vbus_present; + enum typec_cc_polarity cc_polarity; + enum typec_cc_status cc1; +@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de + int ret = 0; + + mutex_lock(&chip->lock); ++ if (chip->pd_rx_on == on) { ++ fusb302_log(chip, "pd is already %s", on ? "on" : "off"); ++ goto done; ++ } ++ + ret = fusb302_pd_rx_flush(chip); + if (ret < 0) { + fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); +@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de + on ? "on" : "off", ret); + goto done; + } ++ ++ chip->pd_rx_on = on; + fusb302_log(chip, "pd := %s", on ? "on" : "off"); + done: + mutex_unlock(&chip->lock); diff --git a/queue-5.10/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch b/queue-5.10/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch new file mode 100644 index 0000000000..fcca114a75 --- /dev/null +++ b/queue-5.10/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch @@ -0,0 +1,62 @@ +From stable+bounces-169438-greg=kroah.com@vger.kernel.org Wed Aug 13 18:29:55 2025 +From: Sasha Levin +Date: Wed, 13 Aug 2025 12:24:25 -0400 +Subject: x86/fpu: Delay instruction pointer fixup until after warning +To: stable@vger.kernel.org +Cc: Dave Hansen , Chao Gao , Alison Schofield , Peter Zijlstra , Sasha Levin +Message-ID: <20250813162425.2060269-1-sashal@kernel.org> + +From: Dave Hansen + +[ Upstream commit 1cec9ac2d071cfd2da562241aab0ef701355762a ] + +Right now, if XRSTOR fails a console message like this is be printed: + + Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers. + +However, the text location (...+0x9a in this case) is the instruction +*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump +also points one instruction late. + +The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and +keep on running after returning from the #GP handler. But it does this +fixup before warning. + +The resulting warning output is nonsensical because it looks like the +non-FPU-related instruction is #GP'ing. + +Do not fix up RIP until after printing the warning. Do this by using +the more generic and standard ex_handler_default(). + +Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails") +Signed-off-by: Dave Hansen +Reviewed-by: Chao Gao +Acked-by: Alison Schofield +Acked-by: Peter Zijlstra (Intel) +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com +[ Adapted ex_handler_default() call ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/extable.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/x86/mm/extable.c ++++ b/arch/x86/mm/extable.c +@@ -60,13 +60,12 @@ __visible bool ex_handler_fprestore(cons + unsigned long error_code, + unsigned long fault_addr) + { +- regs->ip = ex_fixup_addr(fixup); +- + WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.", + (void *)instruction_pointer(regs)); + + __copy_kernel_to_fpregs(&init_fpstate, -1); +- return true; ++ ++ return ex_handler_default(fixup, regs, trapnr, error_code, fault_addr); + } + EXPORT_SYMBOL_GPL(ex_handler_fprestore); + diff --git a/queue-5.10/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch b/queue-5.10/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch new file mode 100644 index 0000000000..99a8cda397 --- /dev/null +++ b/queue-5.10/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch @@ -0,0 +1,63 @@ +From stable+bounces-164363-greg=kroah.com@vger.kernel.org Wed Jul 23 06:04:47 2025 +From: Sasha Levin +Date: Wed, 23 Jul 2025 00:04:37 -0400 +Subject: x86/mce/amd: Add default names for MCA banks and blocks +To: stable@vger.kernel.org +Cc: Yazen Ghannam , Borislav Petkov , Sasha Levin +Message-ID: <20250723040437.1045199-1-sashal@kernel.org> + +From: Yazen Ghannam + +[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ] + +Ensure that sysfs init doesn't fail for new/unrecognized bank types or if +a bank has additional blocks available. + +Most MCA banks have a single thresholding block, so the block takes the same +name as the bank. + +Unified Memory Controllers (UMCs) are a special case where there are two +blocks and each has a unique name. + +However, the microarchitecture allows for five blocks. Any new MCA bank types +with more than one block will be missing names for the extra blocks. The MCE +sysfs will fail to initialize in this case. + +Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems") +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com +[ adapted get_name() function signature ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/cpu/mce/amd.c ++++ b/arch/x86/kernel/cpu/mce/amd.c +@@ -1215,13 +1215,20 @@ static const char *get_name(unsigned int + } + + bank_type = smca_get_bank_type(bank); +- if (bank_type >= N_SMCA_BANK_TYPES) +- return NULL; + + if (b && bank_type == SMCA_UMC) { + if (b->block < ARRAY_SIZE(smca_umc_block_names)) + return smca_umc_block_names[b->block]; +- return NULL; ++ } ++ ++ if (b && b->block) { ++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block); ++ return buf_mcatype; ++ } ++ ++ if (bank_type >= N_SMCA_BANK_TYPES) { ++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank); ++ return buf_mcatype; + } + + if (smca_banks[bank].hwid->count == 1)