From: Greg Kroah-Hartman Date: Fri, 29 Aug 2025 14:23:39 +0000 (+0200) Subject: 6.16-stable patches X-Git-Tag: v5.4.298~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95d6979bfff6377ce5f917fd389b865a17371afb;p=thirdparty%2Fkernel%2Fstable-queue.git 6.16-stable patches added patches: platform-x86-int3472-add-hpd-pin-support.patch vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch --- diff --git a/queue-6.16/io_uring-io-wq-add-check-free-worker-before-create-n.patch b/queue-6.16/io_uring-io-wq-add-check-free-worker-before-create-n.patch index 54e879cf48..b9035e24f2 100644 --- a/queue-6.16/io_uring-io-wq-add-check-free-worker-before-create-n.patch +++ b/queue-6.16/io_uring-io-wq-add-check-free-worker-before-create-n.patch @@ -34,14 +34,12 @@ Link: https://lore.kernel.org/r/20250813120214.18729-1-changfengnan@bytedance.co Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- - io_uring/io-wq.c | 8 ++++++++ + io_uring/io-wq.c | 8 ++++++++ 1 file changed, 8 insertions(+) -diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c -index be91edf34f013..17dfaa0395c46 100644 --- a/io_uring/io-wq.c +++ b/io_uring/io-wq.c -@@ -357,6 +357,13 @@ static void create_worker_cb(struct callback_head *cb) +@@ -357,6 +357,13 @@ static void create_worker_cb(struct call worker = container_of(cb, struct io_worker, create_work); wq = worker->wq; acct = worker->acct; @@ -55,7 +53,7 @@ index be91edf34f013..17dfaa0395c46 100644 raw_spin_lock(&acct->workers_lock); if (acct->nr_workers < acct->max_workers) { -@@ -367,6 +374,7 @@ static void create_worker_cb(struct callback_head *cb) +@@ -367,6 +374,7 @@ static void create_worker_cb(struct call if (do_create) { create_io_worker(wq, acct); } else { @@ -63,6 +61,3 @@ index be91edf34f013..17dfaa0395c46 100644 atomic_dec(&acct->nr_running); io_worker_ref_put(wq); } --- -2.50.1 - 
diff --git a/queue-6.16/platform-x86-int3472-add-hpd-pin-support.patch b/queue-6.16/platform-x86-int3472-add-hpd-pin-support.patch
new file mode 100644
index 0000000000..a4e2580388
--- /dev/null
+++ b/queue-6.16/platform-x86-int3472-add-hpd-pin-support.patch
@@ -0,0 +1,74 @@
+From a032fe30cf09b6723ab61a05aee057311b00f9e1 Mon Sep 17 00:00:00 2001
+From: Dongcheng Yan
+Date: Fri, 25 Apr 2025 18:43:30 +0800
+Subject: platform/x86: int3472: add hpd pin support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dongcheng Yan
+
+commit a032fe30cf09b6723ab61a05aee057311b00f9e1 upstream.
+
+Typically HDMI to MIPI CSI-2 bridges have a pin to signal image data is
+being received. On the host side this is wired to a GPIO for polling or
+interrupts. This includes the Lontium HDMI to MIPI CSI-2 bridges
+lt6911uxe and lt6911uxc.
+
+The GPIO "hpd" is used already by other HDMI to CSI-2 bridges, use it
+here as well.
+
+Signed-off-by: Dongcheng Yan
+Reviewed-by: Sakari Ailus
+Acked-by: Ilpo Järvinen
+Reviewed-by: Hans de Goede
+Reviewed-by: Andy Shevchenko
+Fixes: 20244cbafbd6 ("media: i2c: change lt6911uxe irq_gpio name to "hpd"")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/platform/x86/intel/int3472/discrete.c | 6 ++++++
+ include/linux/platform_data/x86/int3472.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/platform/x86/intel/int3472/discrete.c
++++ b/drivers/platform/x86/intel/int3472/discrete.c
+@@ -193,6 +193,10 @@ static void int3472_get_con_id_and_polar
+ *con_id = "privacy-led";
+ *gpio_flags = GPIO_ACTIVE_HIGH;
+ break;
++ case INT3472_GPIO_TYPE_HOTPLUG_DETECT:
++ *con_id = "hpd";
++ *gpio_flags = GPIO_ACTIVE_HIGH;
++ break;
+ case INT3472_GPIO_TYPE_POWER_ENABLE:
+ *con_id = "avdd";
+ *gpio_flags = GPIO_ACTIVE_HIGH;
+@@ -223,6 +227,7 @@ static void int3472_get_con_id_and_polar
+ * 0x0b Power enable
+ * 0x0c Clock enable
+ * 0x0d Privacy LED
++ * 0x13 Hotplug detect
+ *
+ * There are some known platform specific quirks where that does not quite
+ * hold up; for example where a pin with type 0x01 (Power down) is mapped to
+@@ -292,6 +297,7 @@ static int skl_int3472_handle_gpio_resou
+ switch (type) {
+ case INT3472_GPIO_TYPE_RESET:
+ case INT3472_GPIO_TYPE_POWERDOWN:
++ case INT3472_GPIO_TYPE_HOTPLUG_DETECT:
+ ret = skl_int3472_map_gpio_to_sensor(int3472, agpio, con_id, gpio_flags);
+ if (ret)
+ err_msg = "Failed to map GPIO pin to sensor\n";
+--- a/include/linux/platform_data/x86/int3472.h
++++ b/include/linux/platform_data/x86/int3472.h
+@@ -27,6 +27,7 @@
+ #define INT3472_GPIO_TYPE_CLK_ENABLE 0x0c
+ #define INT3472_GPIO_TYPE_PRIVACY_LED 0x0d
+ #define INT3472_GPIO_TYPE_HANDSHAKE 0x12
++#define INT3472_GPIO_TYPE_HOTPLUG_DETECT 0x13
+
+ #define INT3472_PDEV_MAX_NAME_LEN 23
+ #define INT3472_MAX_SENSOR_GPIOS 3
diff --git a/queue-6.16/series b/queue-6.16/series
index d6a2d767ce..848ae1e826 100644
--- a/queue-6.16/series
+++ b/queue-6.16/series
@@ -23,3 +23,5 @@ asoc-rt1320-fix-random-cycle-mute-issue.patch
 erofs-fallback-to-normal-access-if-dax-is-not-suppor.patch
 erofs-fix-atomic-context-detection-when-config_debug.patch
 io_uring-io-wq-add-check-free-worker-before-create-n.patch
+platform-x86-int3472-add-hpd-pin-support.patch
+vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch
diff --git a/queue-6.16/vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch b/queue-6.16/vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch
new file mode 100644
index 0000000000..9d745a3b7f
--- /dev/null
+++ b/queue-6.16/vhost-net-protect-ubufs-with-rcu-read-lock-in-vhost_net_ubuf_put.patch
@@ -0,0 +1,79 @@
+From dd54bcf86c91a4455b1f95cbc8e9ac91205f3193 Mon Sep 17 00:00:00 2001
+From: Nikolay Kuratov
+Date: Tue, 5 Aug 2025 16:09:17 +0300
+Subject: vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put()
+
+From: Nikolay Kuratov
+
+commit dd54bcf86c91a4455b1f95cbc8e9ac91205f3193 upstream.
+
+When operating on struct vhost_net_ubuf_ref, the following execution
+sequence is theoretically possible:
+CPU0 is finalizing DMA operation CPU1 is doing VHOST_NET_SET_BACKEND
+ // ubufs->refcount == 2
+vhost_net_ubuf_put() vhost_net_ubuf_put_wait_and_free(oldubufs)
+ vhost_net_ubuf_put_and_wait()
+ vhost_net_ubuf_put()
+ int r = atomic_sub_return(1, &ubufs->refcount);
+ // r = 1
+int r = atomic_sub_return(1, &ubufs->refcount);
+// r = 0
+ wait_event(ubufs->wait, !atomic_read(&ubufs->refcount));
+ // no wait occurs here because condition is already true
+ kfree(ubufs);
+if (unlikely(!r))
+ wake_up(&ubufs->wait); // use-after-free
+
+This leads to use-after-free on ubufs access. This happens because CPU1
+skips waiting for wake_up() when refcount is already zero.
+
+To prevent that use a read-side RCU critical section in vhost_net_ubuf_put(),
+as suggested by Hillf Danton. For this lock to take effect, free ubufs with
+kfree_rcu().
+
+Cc: stable@vger.kernel.org
+Fixes: 0ad8b480d6ee9 ("vhost: fix ref cnt checking deadlock")
+Reported-by: Andrey Ryabinin
+Suggested-by: Hillf Danton
+Signed-off-by: Nikolay Kuratov
+Message-Id: <20250805130917.727332-1-kniv@yandex-team.ru>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/net.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -96,6 +96,7 @@ struct vhost_net_ubuf_ref {
+ atomic_t refcount;
+ wait_queue_head_t wait;
+ struct vhost_virtqueue *vq;
++ struct rcu_head rcu;
+ };
+
+ #define VHOST_NET_BATCH 64
+@@ -247,9 +248,13 @@ vhost_net_ubuf_alloc(struct vhost_virtqu
+
+ static int vhost_net_ubuf_put(struct vhost_net_ubuf_ref *ubufs)
+ {
+- int r = atomic_sub_return(1, &ubufs->refcount);
++ int r;
++
++ rcu_read_lock();
++ r = atomic_sub_return(1, &ubufs->refcount);
+ if (unlikely(!r))
+ wake_up(&ubufs->wait);
++ rcu_read_unlock();
+ return r;
+ }
+
+@@ -262,7 +267,7 @@ static void vhost_net_ubuf_put_and_wait(
+ static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs)
+ {
+ vhost_net_ubuf_put_and_wait(ubufs);
+- kfree(ubufs);
++ kfree_rcu(ubufs, rcu);
+ }
+
+ static void vhost_net_clear_ubuf_info(struct vhost_net *n)
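Review bot: The `rcu_read_lock()`/`rcu_read_unlock()` pair added to `vhost_net_ubuf_put()` in the drivers/vhost/net.c hunk carries no comment tying it to the `kfree_rcu(ubufs, rcu)` in `vhost_net_ubuf_put_wait_and_free()`, so the lifetime rule that closes the use-after-free is recorded only in the commit message. I would add above the lock: `/* Pairs with kfree_rcu() in vhost_net_ubuf_put_wait_and_free(): keeps ubufs valid until wake_up() has returned. */`, so a later cleanup does not turn the free back into a plain `kfree()`. The protection holds only if every path that frees a `struct vhost_net_ubuf_ref` defers through RCU; the hunk shows one such site, and any free outside the visible lines should be checked in the 6.16 tree. The body of `vhost_net_ubuf_put_and_wait()` is outside the hunk.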