From: Greg Kroah-Hartman Date: Fri, 22 Aug 2025 13:32:49 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.16.3~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a6b0ce2d2707e10d817895c7ba7bbd8a5b611722;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch block-make-req_op_zone_finish-a-write-operation.patch btrfs-populate-otime-when-logging-an-inode-item.patch bus-mhi-host-detect-events-pointing-to-unexpected-tres.patch drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch iio-hid-sensor-prox-restore-lost-scale-assignments.patch kvm-vmx-flush-shadow-vmcs-on-emergency-reboot.patch mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch net-enetc-fix-device-and-of-node-leak-at-probe.patch net-sched-ets-use-old-nbands-while-purging-unused-classes.patch net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch net_sched-sch_ets-implement-lockless-ets_dump.patch nfs-create-an-nfs4_server_set_init_caps-function.patch nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch platform-chrome-cros_ec-use-per-device-lockdep-key.patch smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch usb-musb-omap2430-fix-device-leak-at-unbind.patch usb-typec-fusb302-cache-pd-rx-state.patch x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch --- diff --git a/queue-5.15/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch b/queue-5.15/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch new file mode 100644 index 0000000000..7d2fd13ec8 --- /dev/null +++ b/queue-5.15/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch @@ -0,0 +1,72 @@ +From stable+bounces-169403-greg=kroah.com@vger.kernel.org Wed Aug 13 16:14:10 2025 +From: Sasha Levin +Date: Wed, 13 Aug 2025 10:10:27 -0400 +Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() +To: stable@vger.kernel.org +Cc: "Geoffrey D. Bennett" , Takashi Iwai , Sasha Levin +Message-ID: <20250813141027.2043326-1-sashal@kernel.org> + +From: "Geoffrey D. Bennett" + +[ Upstream commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 ] + +During communication with Focusrite Scarlett Gen 2/3/4 USB audio +interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(), +snd_usb_ctl_msg() which can cause initialisation and control +operations to fail intermittently. + +This patch adds up to 5 retries in scarlett2_usb(), with a delay +starting at 5ms and doubling each time. This follows the same approach +as the fix for usb_set_interface() in endpoint.c (commit f406005e162b +("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")), +which resolved similar -EPROTO issues during device initialisation, +and is the same approach as in fcp.c:fcp_usb(). + +Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") +Closes: https://github.com/geoffreybennett/linux-fcp/issues/41 +Cc: stable@vger.kernel.org +Signed-off-by: Geoffrey D. Bennett +Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu +Signed-off-by: Takashi Iwai +[ Applied patch to the older file name mixer_scarlett_gen2.c instead of mixer_scarlett2.c. ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_scarlett_gen2.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/sound/usb/mixer_scarlett_gen2.c ++++ b/sound/usb/mixer_scarlett_gen2.c +@@ -125,6 +125,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1064,6 +1065,8 @@ static int scarlett2_usb( + u16 req_buf_size = sizeof(struct scarlett2_usb_packet) + req_size; + u16 resp_buf_size = sizeof(struct scarlett2_usb_packet) + resp_size; + struct scarlett2_usb_packet *req, *resp = NULL; ++ int retries = 0; ++ const int max_retries = 5; + int err; + + req = kmalloc(req_buf_size, GFP_KERNEL); +@@ -1087,10 +1090,15 @@ static int scarlett2_usb( + if (req_size) + memcpy(req->data, req_data, req_size); + ++retry: + err = scarlett2_usb_tx(dev, private->bInterfaceNumber, + req, req_buf_size); + + if (err != req_buf_size) { ++ if (err == -EPROTO && ++retries <= max_retries) { ++ msleep(5 * (1 << (retries - 1))); ++ goto retry; ++ } + usb_audio_err( + mixer->chip, + "Scarlett Gen 2/3 USB request result cmd %x was %d\n", diff --git a/queue-5.15/arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch b/queue-5.15/arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch new file mode 100644 index 0000000000..630a3df981 --- /dev/null +++ b/queue-5.15/arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch @@ -0,0 +1,60 @@ +From stable+bounces-164978-greg=kroah.com@vger.kernel.org Mon Jul 28 16:55:51 2025 +From: Sasha Levin +Date: Mon, 28 Jul 2025 10:55:37 -0400 +Subject: ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS +To: stable@vger.kernel.org +Cc: Nathan Chancellor , KernelCI bot , Masahiro Yamada , Russell King , Sasha Levin +Message-ID: <20250728145537.2340885-1-sashal@kernel.org> + +From: Nathan Chancellor + +[ Upstream commit 87c4e1459e80bf65066f864c762ef4dc932fad4b ] + +After commit d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper +flags and language target"), which updated as-instr to use the +'assembler-with-cpp' language option, the Kbuild version of as-instr +always fails internally for arch/arm with + + : fatal error: asm/unified.h: No such file or directory + compilation terminated. + +because '-include' flags are now taken into account by the compiler +driver and as-instr does not have '$(LINUXINCLUDE)', so unified.h is not +found. + +This went unnoticed at the time of the Kbuild change because the last +use of as-instr in Kbuild that arch/arm could reach was removed in 5.7 +by commit 541ad0150ca4 ("arm: Remove 32bit KVM host support") but a +stable backport of the Kbuild change to before that point exposed this +potential issue if one were to be reintroduced. + +Follow the general pattern of '-include' paths throughout the tree and +make unified.h absolute using '$(srctree)' to ensure KBUILD_AFLAGS can +be used independently. + +Closes: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg@mail.gmail.com/ + +Cc: stable@vger.kernel.org +Fixes: d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper flags and language target") +Reported-by: KernelCI bot +Reviewed-by: Masahiro Yamada +Signed-off-by: Nathan Chancellor +Signed-off-by: Russell King (Oracle) +[ adapted to missing -Wa ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/Makefile ++++ b/arch/arm/Makefile +@@ -126,7 +126,7 @@ endif + + # Need -Uarm for gcc < 3.x + KBUILD_CFLAGS +=$(CFLAGS_ABI) $(CFLAGS_ISA) $(arch-y) $(tune-y) $(call cc-option,-mshort-load-bytes,$(call cc-option,-malignment-traps,)) -msoft-float -Uarm +-KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include asm/unified.h -msoft-float ++KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include $(srctree)/arch/arm/include/asm/unified.h -msoft-float + + CHECKFLAGS += -D__arm__ + diff --git a/queue-5.15/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch b/queue-5.15/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch new file mode 100644 index 0000000000..b8e1d0a11d --- /dev/null +++ b/queue-5.15/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch @@ -0,0 +1,115 @@ +From stable+bounces-165061-greg=kroah.com@vger.kernel.org Tue Jul 29 14:44:34 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 08:44:24 -0400 +Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() +To: stable@vger.kernel.org +Cc: Ada Couprie Diaz , Cristian Prundeanu , Will Deacon , Sasha Levin +Message-ID: <20250729124424.2699860-1-sashal@kernel.org> + +From: Ada Couprie Diaz + +[ Upstream commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb ] + +`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change +to different stacks along with the Shadow Call Stack if it is enabled. +Those two stack changes cannot be done atomically and both functions +can be interrupted by SErrors or Debug Exceptions which, though unlikely, +is very much broken : if interrupted, we can end up with mismatched stacks +and Shadow Call Stack leading to clobbered stacks. + +In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, +but x18 stills points to the old task's SCS. When the interrupt handler +tries to save the task's SCS pointer, it will save the old task +SCS pointer (x18) into the new task struct (pointed to by SP_EL0), +clobbering it. + +In `call_on_irq_stack()`, it can happen when switching from the task stack +to the IRQ stack and when switching back. In both cases, we can be +interrupted when the SCS pointer points to the IRQ SCS, but SP points to +the task stack. The nested interrupt handler pushes its return addresses +on the IRQ SCS. It then detects that SP points to the task stack, +calls `call_on_irq_stack()` and clobbers the task SCS pointer with +the IRQ SCS pointer, which it will also use ! + +This leads to tasks returning to addresses on the wrong SCS, +or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK +or FPAC if enabled. + +This is possible on a default config, but unlikely. +However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and +instead the GIC is responsible for filtering what interrupts the CPU +should receive based on priority. +Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU +even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* +frequently depending on the system configuration and workload, leading +to unpredictable kernel panics. + +Completely mask DAIF in `cpu_switch_to()` and restore it when returning. +Do the same in `call_on_irq_stack()`, but restore and mask around +the branch. +Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency +of behaviour between all configurations. + +Introduce and use an assembly macro for saving and masking DAIF, +as the existing one saves but only masks IF. + +Cc: +Signed-off-by: Ada Couprie Diaz +Reported-by: Cristian Prundeanu +Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt") +Tested-by: Cristian Prundeanu +Acked-by: Will Deacon +Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com +Signed-off-by: Will Deacon +[ removed duplicate save_and_disable_daif macro ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/entry.S | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -833,6 +833,7 @@ SYM_CODE_END(__bp_harden_el1_vectors) + * + */ + SYM_FUNC_START(cpu_switch_to) ++ save_and_disable_daif x11 + mov x10, #THREAD_CPU_CONTEXT + add x8, x0, x10 + mov x9, sp +@@ -856,6 +857,7 @@ SYM_FUNC_START(cpu_switch_to) + ptrauth_keys_install_kernel x1, x8, x9, x10 + scs_save x0 + scs_load_current ++ restore_irq x11 + ret + SYM_FUNC_END(cpu_switch_to) + NOKPROBE(cpu_switch_to) +@@ -882,6 +884,7 @@ NOKPROBE(ret_from_fork) + * Calls func(regs) using this CPU's irq stack and shadow irq stack. + */ + SYM_FUNC_START(call_on_irq_stack) ++ save_and_disable_daif x9 + #ifdef CONFIG_SHADOW_CALL_STACK + get_current_task x16 + scs_save x16 +@@ -896,8 +899,10 @@ SYM_FUNC_START(call_on_irq_stack) + + /* Move to the new stack and call the function there */ + add sp, x16, #IRQ_STACK_SIZE ++ restore_irq x9 + blr x1 + ++ save_and_disable_daif x9 + /* + * Restore the SP from the FP, and restore the FP and LR from the frame + * record. +@@ -905,6 +910,7 @@ SYM_FUNC_START(call_on_irq_stack) + mov sp, x29 + ldp x29, x30, [sp], #16 + scs_load_current ++ restore_irq x9 + ret + SYM_FUNC_END(call_on_irq_stack) + NOKPROBE(call_on_irq_stack) diff --git a/queue-5.15/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch b/queue-5.15/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch new file mode 100644 index 0000000000..3a8ee78969 --- /dev/null +++ b/queue-5.15/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch @@ -0,0 +1,78 @@ +From stable+bounces-172210-greg=kroah.com@vger.kernel.org Thu Aug 21 20:09:07 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 14:08:59 -0400 +Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig +To: stable@vger.kernel.org +Cc: Damien Le Moal , Hannes Reinecke , Niklas Cassel , Sasha Levin +Message-ID: <20250821180859.884176-1-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ] + +Improve the description of the possible default SATA link power +management policies and add the missing description for policy 5. +No functional changes. + +Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Niklas Cassel +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/Kconfig | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +--- a/drivers/ata/Kconfig ++++ b/drivers/ata/Kconfig +@@ -117,22 +117,39 @@ config SATA_AHCI + + config SATA_MOBILE_LPM_POLICY + int "Default SATA Link Power Management policy for mobile chipsets" +- range 0 4 ++ range 0 5 + default 0 + depends on SATA_AHCI + help + Select the Default SATA Link Power Management (LPM) policy to use + for mobile / laptop variants of chipsets / "South Bridges". + +- The value set has the following meanings: ++ Each policy combines power saving states and features: ++ - Partial: The Phy logic is powered but is in a reduced power ++ state. The exit latency from this state is no longer than ++ 10us). ++ - Slumber: The Phy logic is powered but is in an even lower power ++ state. The exit latency from this state is potentially ++ longer, but no longer than 10ms. ++ - DevSleep: The Phy logic may be powered down. The exit latency from ++ this state is no longer than 20 ms, unless otherwise ++ specified by DETO in the device Identify Device Data log. ++ - HIPM: Host Initiated Power Management (host automatically ++ transitions to partial and slumber). ++ - DIPM: Device Initiated Power Management (device automatically ++ transitions to partial and slumber). ++ ++ The possible values for the default SATA link power management ++ policies are: + 0 => Keep firmware settings +- 1 => Maximum performance +- 2 => Medium power +- 3 => Medium power with Device Initiated PM enabled +- 4 => Minimum power ++ 1 => No power savings (maximum performance) ++ 2 => HIPM (Partial) ++ 3 => HIPM (Partial) and DIPM (Partial and Slumber) ++ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber) ++ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber) + +- Note "Minimum power" is known to cause issues, including disk +- corruption, with some disks and should not be used. ++ Excluding the value 0, higher values represent policies with higher ++ power savings. + + config SATA_AHCI_PLATFORM + tristate "Platform AHCI SATA support" diff --git a/queue-5.15/block-make-req_op_zone_finish-a-write-operation.patch b/queue-5.15/block-make-req_op_zone_finish-a-write-operation.patch new file mode 100644 index 0000000000..12af7ed8bd --- /dev/null +++ b/queue-5.15/block-make-req_op_zone_finish-a-write-operation.patch @@ -0,0 +1,57 @@ +From stable+bounces-169867-greg=kroah.com@vger.kernel.org Sat Aug 16 23:06:04 2025 +From: Sasha Levin +Date: Sat, 16 Aug 2025 17:05:52 -0400 +Subject: block: Make REQ_OP_ZONE_FINISH a write operation +To: stable@vger.kernel.org +Cc: Damien Le Moal , Bart Van Assche , Johannes Thumshirn , Christoph Hellwig , Jens Axboe , Sasha Levin +Message-ID: <20250816210552.1246430-1-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit 3f66ccbaaef3a0c5bd844eab04e3207b4061c546 ] + +REQ_OP_ZONE_FINISH is defined as "12", which makes +op_is_write(REQ_OP_ZONE_FINISH) return false, despite the fact that a +zone finish operation is an operation that modifies a zone (transition +it to full) and so should be considered as a write operation (albeit +one that does not transfer any data to the device). + +Fix this by redefining REQ_OP_ZONE_FINISH to be an odd number (13), and +redefine REQ_OP_ZONE_RESET and REQ_OP_ZONE_RESET_ALL using sequential +odd numbers from that new value. + +Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Bart Van Assche +Reviewed-by: Johannes Thumshirn +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250625093327.548866-2-dlemoal@kernel.org +Signed-off-by: Jens Axboe +[ More renumbering... ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/blk_types.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -341,13 +341,13 @@ enum req_opf { + /* Close a zone */ + REQ_OP_ZONE_CLOSE = 11, + /* Transition a zone to full */ +- REQ_OP_ZONE_FINISH = 12, ++ REQ_OP_ZONE_FINISH = 13, + /* write data at the current zone write pointer */ +- REQ_OP_ZONE_APPEND = 13, ++ REQ_OP_ZONE_APPEND = 15, + /* reset a zone write pointer */ +- REQ_OP_ZONE_RESET = 15, ++ REQ_OP_ZONE_RESET = 17, + /* reset all the zone present on the device */ +- REQ_OP_ZONE_RESET_ALL = 17, ++ REQ_OP_ZONE_RESET_ALL = 19, + + /* Driver private requests */ + REQ_OP_DRV_IN = 34, diff --git a/queue-5.15/btrfs-populate-otime-when-logging-an-inode-item.patch b/queue-5.15/btrfs-populate-otime-when-logging-an-inode-item.patch new file mode 100644 index 0000000000..d18d1ba4cf --- /dev/null +++ b/queue-5.15/btrfs-populate-otime-when-logging-an-inode-item.patch @@ -0,0 +1,116 @@ +From stable+bounces-171776-greg=kroah.com@vger.kernel.org Tue Aug 19 14:05:42 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 08:04:02 -0400 +Subject: btrfs: populate otime when logging an inode item +To: stable@vger.kernel.org +Cc: Qu Wenruo , Filipe Manana , David Sterba , Sasha Levin +Message-ID: <20250819120402.453011-1-sashal@kernel.org> + +From: Qu Wenruo + +[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ] + +[TEST FAILURE WITH EXPERIMENTAL FEATURES] +When running test case generic/508, the test case will fail with the new +btrfs shutdown support: + +generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad) +# --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930 +# +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930 +# @@ -1,2 +1,6 @@ +# QA output created by 508 +# Silence is golden +# +Before: +# +After : stat.btime = Thu Jan 1 09:30:00 1970 +# +Before: +# +After : stat.btime = Wed Jul 2 14:53:22 2025 +# ... +# (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff) +Ran: generic/508 +Failures: generic/508 +Failed 1 of 1 tests + +Please note that the test case requires shutdown support, thus the test +case will be skipped using the current upstream kernel, as it doesn't +have shutdown ioctl support. + +[CAUSE] +The direct cause the 0 time stamp in the log tree: + +leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG +leaf 30507008 flags 0x1(WRITTEN) backref revision 1 +checksum stored e522548d +checksum calced e522548d +fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 +chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 + item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 + generation 9 transid 9 size 0 nbytes 0 + block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 + sequence 1 flags 0x0(none) + atime 1751432947.492000000 (2025-07-02 14:39:07) + ctime 1751432947.492000000 (2025-07-02 14:39:07) + mtime 1751432947.492000000 (2025-07-02 14:39:07) + otime 0.0 (1970-01-01 09:30:00) <<< + +But the old fs tree has all the correct time stamp: + +btrfs-progs v6.12 +fs tree key (FS_TREE ROOT_ITEM 0) +leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE +leaf 30425088 flags 0x1(WRITTEN) backref revision 1 +checksum stored 48f6c57e +checksum calced 48f6c57e +fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 +chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 + item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 + generation 3 transid 0 size 0 nbytes 16384 + block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 + sequence 0 flags 0x0(none) + atime 1751432947.0 (2025-07-02 14:39:07) + ctime 1751432947.0 (2025-07-02 14:39:07) + mtime 1751432947.0 (2025-07-02 14:39:07) + otime 1751432947.0 (2025-07-02 14:39:07) <<< + +The root cause is that fill_inode_item() in tree-log.c is only +populating a/c/m time, not the otime (or btime in statx output). + +Part of the reason is that, the vfs inode only has a/c/m time, no native +btime support yet. + +[FIX] +Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and +btrfs_inode::i_otime_nsec. + +So what we really need is just fill the otime time stamp in +fill_inode_item() of tree-log.c + +There is another fill_inode_item() in inode.c, which is doing the proper +otime population. + +Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing") +CC: stable@vger.kernel.org +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ timespec changes in older tree ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4000,6 +4000,11 @@ static void fill_inode_item(struct btrfs + btrfs_set_token_timespec_nsec(&token, &item->ctime, + inode->i_ctime.tv_nsec); + ++ btrfs_set_token_timespec_sec(&token, &item->otime, ++ BTRFS_I(inode)->i_otime.tv_sec); ++ btrfs_set_token_timespec_nsec(&token, &item->otime, ++ BTRFS_I(inode)->i_otime.tv_nsec); ++ + /* + * We do not need to set the nbytes field, in fact during a fast fsync + * its value may not even be correct, since a fast fsync does not wait diff --git a/queue-5.15/bus-mhi-host-detect-events-pointing-to-unexpected-tres.patch b/queue-5.15/bus-mhi-host-detect-events-pointing-to-unexpected-tres.patch new file mode 100644 index 0000000000..f72c975b7e --- /dev/null +++ b/queue-5.15/bus-mhi-host-detect-events-pointing-to-unexpected-tres.patch @@ -0,0 +1,83 @@ +From stable+bounces-172208-greg=kroah.com@vger.kernel.org Thu Aug 21 19:56:09 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 13:56:00 -0400 +Subject: bus: mhi: host: Detect events pointing to unexpected TREs +To: stable@vger.kernel.org +Cc: Youssef Samir , Manivannan Sadhasivam , Jeff Hugo , Sasha Levin +Message-ID: <20250821175600.873291-1-sashal@kernel.org> + +From: Youssef Samir + +[ Upstream commit 5bd398e20f0833ae8a1267d4f343591a2dd20185 ] + +When a remote device sends a completion event to the host, it contains a +pointer to the consumed TRE. The host uses this pointer to process all of +the TREs between it and the host's local copy of the ring's read pointer. +This works when processing completion for chained transactions, but can +lead to nasty results if the device sends an event for a single-element +transaction with a read pointer that is multiple elements ahead of the +host's read pointer. + +For instance, if the host accesses an event ring while the device is +updating it, the pointer inside of the event might still point to an old +TRE. If the host uses the channel's xfer_cb() to directly free the buffer +pointed to by the TRE, the buffer will be double-freed. + +This behavior was observed on an ep that used upstream EP stack without +'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer +is written")'. Where the device updated the events ring pointer before +updating the event contents, so it left a window where the host was able to +access the stale data the event pointed to, before the device had the +chance to update them. The usual pattern was that the host received an +event pointing to a TRE that is not immediately after the last processed +one, so it got treated as if it was a chained transaction, processing all +of the TREs in between the two read pointers. + +This commit aims to harden the host by ensuring transactions where the +event points to a TRE that isn't local_rp + 1 are chained. + +Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device") +Signed-off-by: Youssef Samir +[mani: added stable tag and reworded commit message] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Jeff Hugo +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250714163039.3438985-1-quic_yabdulra@quicinc.com +[ Replaced missing MHI_TRE_DATA_GET_CHAIN macro with direct bit 0 check on dword[1]. ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/main.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/bus/mhi/host/main.c ++++ b/drivers/bus/mhi/host/main.c +@@ -594,7 +594,7 @@ static int parse_xfer_event(struct mhi_c + { + dma_addr_t ptr = MHI_TRE_GET_EV_PTR(event); + struct mhi_ring_element *local_rp, *ev_tre; +- void *dev_rp; ++ void *dev_rp, *next_rp; + struct mhi_buf_info *buf_info; + u16 xfer_len; + +@@ -613,6 +613,19 @@ static int parse_xfer_event(struct mhi_c + result.dir = mhi_chan->dir; + + local_rp = tre_ring->rp; ++ ++ next_rp = local_rp + 1; ++ if (next_rp >= tre_ring->base + tre_ring->len) ++ next_rp = tre_ring->base; ++ /* Check if the event points to an unexpected TRE. ++ * Chain flag is bit 0 of dword[1] in the TRE. ++ */ ++ if (dev_rp != next_rp && !(le32_to_cpu(local_rp->dword[1]) & 0x1)) { ++ dev_err(&mhi_cntrl->mhi_dev->dev, ++ "Event element points to an unexpected TRE\n"); ++ break; ++ } ++ + while (local_rp != dev_rp) { + buf_info = buf_ring->rp; + /* If it's the last TRE, get length from the event */ diff --git a/queue-5.15/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch b/queue-5.15/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch new file mode 100644 index 0000000000..c79ecf75d5 --- /dev/null +++ b/queue-5.15/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch @@ -0,0 +1,89 @@ +From stable+bounces-165095-greg=kroah.com@vger.kernel.org Tue Jul 29 18:16:50 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 12:16:38 -0400 +Subject: drm/sched: Remove optimization that causes hang when killing dependent jobs +To: stable@vger.kernel.org +Cc: "Lin.Cao" , "Christian König" , "Philipp Stanner" , "Sasha Levin" +Message-ID: <20250729161638.2745002-1-sashal@kernel.org> + +From: "Lin.Cao" + +[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ] + +When application A submits jobs and application B submits a job with a +dependency on A's fence, the normal flow wakes up the scheduler after +processing each job. However, the optimization in +drm_sched_entity_add_dependency_cb() uses a callback that only clears +dependencies without waking up the scheduler. + +When application A is killed before its jobs can run, the callback gets +triggered but only clears the dependency without waking up the scheduler, +causing the scheduler to enter sleep state and application B to hang. + +Remove the optimization by deleting drm_sched_entity_clear_dep() and its +usage, ensuring the scheduler is always woken up when dependencies are +cleared. + +Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler") +Cc: stable@vger.kernel.org # v4.6+ +Signed-off-by: Lin.Cao +Reviewed-by: Christian König +Signed-off-by: Philipp Stanner +Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com +[ Changed drm_sched_wakeup_if_can_queue() calls to drm_sched_wakeup() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 27 ++++----------------------- + 1 file changed, 4 insertions(+), 23 deletions(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -317,21 +317,8 @@ void drm_sched_entity_destroy(struct drm + EXPORT_SYMBOL(drm_sched_entity_destroy); + + /* +- * drm_sched_entity_clear_dep - callback to clear the entities dependency +- */ +-static void drm_sched_entity_clear_dep(struct dma_fence *f, +- struct dma_fence_cb *cb) +-{ +- struct drm_sched_entity *entity = +- container_of(cb, struct drm_sched_entity, cb); +- +- entity->dependency = NULL; +- dma_fence_put(f); +-} +- +-/* +- * drm_sched_entity_clear_dep - callback to clear the entities dependency and +- * wake up scheduler ++ * drm_sched_entity_wakeup - callback to clear the entity's dependency and ++ * wake up the scheduler + */ + static void drm_sched_entity_wakeup(struct dma_fence *f, + struct dma_fence_cb *cb) +@@ -339,7 +326,8 @@ static void drm_sched_entity_wakeup(stru + struct drm_sched_entity *entity = + container_of(cb, struct drm_sched_entity, cb); + +- drm_sched_entity_clear_dep(f, cb); ++ entity->dependency = NULL; ++ dma_fence_put(f); + drm_sched_wakeup(entity->rq->sched); + } + +@@ -395,13 +383,6 @@ static bool drm_sched_entity_add_depende + fence = dma_fence_get(&s_fence->scheduled); + dma_fence_put(entity->dependency); + entity->dependency = fence; +- if (!dma_fence_add_callback(fence, &entity->cb, +- drm_sched_entity_clear_dep)) +- return true; +- +- /* Ignore it when it is already scheduled */ +- dma_fence_put(fence); +- return false; + } + + if (!dma_fence_add_callback(entity->dependency, &entity->cb, diff --git a/queue-5.15/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch b/queue-5.15/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch new file mode 100644 index 0000000000..ea29f4224c --- /dev/null +++ b/queue-5.15/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch @@ -0,0 +1,106 @@ +From stable+bounces-164651-greg=kroah.com@vger.kernel.org Thu Jul 24 19:44:07 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 13:43:58 -0400 +Subject: f2fs: fix to do sanity check on ino and xnid +To: stable@vger.kernel.org +Cc: Chao Yu , syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com, Jaegeuk Kim , Sasha Levin +Message-ID: <20250724174358.1407937-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ] + +syzbot reported a f2fs bug as below: + +INFO: task syz-executor140:5308 blocked for more than 143 seconds. + Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 +Call Trace: + + context_switch kernel/sched/core.c:5378 [inline] + __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 + __schedule_loop kernel/sched/core.c:6842 [inline] + schedule+0x14b/0x320 kernel/sched/core.c:6857 + io_schedule+0x8d/0x110 kernel/sched/core.c:7690 + folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 + __folio_lock mm/filemap.c:1664 [inline] + folio_lock include/linux/pagemap.h:1163 [inline] + __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 + pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 + find_get_page_flags include/linux/pagemap.h:842 [inline] + f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 + __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 + read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 + lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] + f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 + __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 + f2fs_acl_create fs/f2fs/acl.c:375 [inline] + f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 + f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 + f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 + f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 + f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 + f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] + f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 + vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 + unix_bind_bsd net/unix/af_unix.c:1286 [inline] + unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 + __sys_bind_socket net/socket.c:1817 [inline] + __sys_bind+0x1e4/0x290 net/socket.c:1848 + __do_sys_bind net/socket.c:1853 [inline] + __se_sys_bind net/socket.c:1851 [inline] + __x64_sys_bind+0x7a/0x90 net/socket.c:1851 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Let's dump and check metadata of corrupted inode, it shows its xattr_nid +is the same to its i_ino. + +dump.f2fs -i 3 chaseyu.img.raw +i_xattr_nid [0x 3 : 3] + +So that, during mknod in the corrupted directory, it tries to get and +lock inode page twice, result in deadlock. + +- f2fs_mknod + - f2fs_add_inline_entry + - f2fs_get_inode_page --- lock dir's inode page + - f2fs_init_acl + - f2fs_acl_create(dir,..) + - __f2fs_get_acl + - f2fs_getxattr + - lookup_all_xattrs + - __get_node_page --- try to lock dir's inode page + +In order to fix this, let's add sanity check on ino and xnid. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -226,6 +226,13 @@ static bool sanity_check_inode(struct in + return false; + } + ++ if (ino_of_node(node_page) == fi->i_xattr_nid) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.", ++ __func__, inode->i_ino, fi->i_xattr_nid); ++ return false; ++ } ++ + if (f2fs_sb_has_flexible_inline_xattr(sbi) + && !f2fs_has_extra_attr(inode)) { + set_sbi_flag(sbi, SBI_NEED_FSCK); diff --git a/queue-5.15/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch b/queue-5.15/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch new file mode 100644 index 0000000000..92b8ae99ca --- /dev/null +++ b/queue-5.15/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch @@ -0,0 +1,149 @@ +From stable+bounces-171771-greg=kroah.com@vger.kernel.org Tue Aug 19 13:54:56 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 07:53:45 -0400 +Subject: hv_netvsc: Fix panic during namespace deletion with VF +To: stable@vger.kernel.org +Cc: Haiyang Zhang , Jakub Kicinski , Sasha Levin +Message-ID: <20250819115346.448012-1-sashal@kernel.org> + +From: Haiyang Zhang + +[ Upstream commit 33caa208dba6fa639e8a92fd0c8320b652e5550c ] + +The existing code move the VF NIC to new namespace when NETDEV_REGISTER is +received on netvsc NIC. During deletion of the namespace, +default_device_exit_batch() >> default_device_exit_net() is called. When +netvsc NIC is moved back and registered to the default namespace, it +automatically brings VF NIC back to the default namespace. This will cause +the default_device_exit_net() >> for_each_netdev_safe loop unable to detect +the list end, and hit NULL ptr: + +[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 +[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 +[ 231.450246] #PF: supervisor read access in kernel mode +[ 231.450579] #PF: error_code(0x0000) - not-present page +[ 231.450916] PGD 17b8a8067 P4D 0 +[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI +[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY +[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 +[ 231.452692] Workqueue: netns cleanup_net +[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 +[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 +[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 +[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb +[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 +[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 +[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 +[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 +[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 +[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 +[ 231.458434] Call Trace: +[ 231.458600] +[ 231.458777] ops_undo_list+0x100/0x220 +[ 231.459015] cleanup_net+0x1b8/0x300 +[ 231.459285] process_one_work+0x184/0x340 + +To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid +changing the netdev list when default_device_exit_net() is using it. + +Cc: stable@vger.kernel.org +Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") +Signed-off-by: Haiyang Zhang +Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/hyperv_net.h | 3 +++ + drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++- + 2 files changed, 31 insertions(+), 1 deletion(-) + +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -1032,6 +1032,7 @@ struct net_device_context { + struct net_device __rcu *vf_netdev; + struct netvsc_vf_pcpu_stats __percpu *vf_stats; + struct delayed_work vf_takeover; ++ struct delayed_work vfns_work; + + /* 1: allocated, serial number is valid. 0: not allocated */ + u32 vf_alloc; +@@ -1046,6 +1047,8 @@ struct net_device_context { + struct netvsc_device_info *saved_netvsc_dev_info; + }; + ++void netvsc_vfns_work(struct work_struct *w); ++ + /* Per channel data */ + struct netvsc_channel { + struct vmbus_channel *channel; +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2565,6 +2565,7 @@ static int netvsc_probe(struct hv_device + spin_lock_init(&net_device_ctx->lock); + INIT_LIST_HEAD(&net_device_ctx->reconfig_events); + INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup); ++ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work); + + net_device_ctx->vf_stats + = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats); +@@ -2703,6 +2704,8 @@ static int netvsc_remove(struct hv_devic + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); ++ + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev) { + cancel_work_sync(&nvdev->subchan_work); +@@ -2745,6 +2748,7 @@ static int netvsc_suspend(struct hv_devi + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); + + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev == NULL) { +@@ -2838,6 +2842,27 @@ static void netvsc_event_set_vf_ns(struc + } + } + ++void netvsc_vfns_work(struct work_struct *w) ++{ ++ struct net_device_context *ndev_ctx = ++ container_of(w, struct net_device_context, vfns_work.work); ++ struct net_device *ndev; ++ ++ if (!rtnl_trylock()) { ++ schedule_delayed_work(&ndev_ctx->vfns_work, 1); ++ return; ++ } ++ ++ ndev = hv_get_drvdata(ndev_ctx->device_ctx); ++ if (!ndev) ++ goto out; ++ ++ netvsc_event_set_vf_ns(ndev); ++ ++out: ++ rtnl_unlock(); ++} ++ + /* + * On Hyper-V, every VF interface is matched with a corresponding + * synthetic interface. The synthetic interface is presented first +@@ -2848,10 +2873,12 @@ static int netvsc_netdev_event(struct no + unsigned long event, void *ptr) + { + struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); ++ struct net_device_context *ndev_ctx; + int ret = 0; + + if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { +- netvsc_event_set_vf_ns(event_dev); ++ ndev_ctx = netdev_priv(event_dev); ++ schedule_delayed_work(&ndev_ctx->vfns_work, 0); + return NOTIFY_DONE; + } + diff --git a/queue-5.15/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch b/queue-5.15/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch new file mode 100644 index 0000000000..c556f16c74 --- /dev/null +++ b/queue-5.15/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch @@ -0,0 +1,41 @@ +From stable+bounces-165121-greg=kroah.com@vger.kernel.org Tue Jul 29 21:17:09 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 15:16:44 -0400 +Subject: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() +To: stable@vger.kernel.org +Cc: Haoxiang Li , Michal Swiatkowski , Aleksandr Loktionov , Simon Horman , Rinitha S , Tony Nguyen , Sasha Levin +Message-ID: <20250729191644.2869910-1-sashal@kernel.org> + +From: Haoxiang Li + +[ Upstream commit 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 ] + +Add check for the return value of devm_kmemdup() +to prevent potential null pointer dereference. + +Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Reviewed-by: Michal Swiatkowski +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +[ applied the patch to ice_flex_pipe.c instead of ice_ddp.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c ++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c +@@ -1448,6 +1448,8 @@ enum ice_status ice_copy_and_init_pkg(st + return ICE_ERR_PARAM; + + buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL); ++ if (!buf_copy) ++ return ICE_ERR_NO_MEMORY; + + status = ice_init_pkg(hw, buf_copy, len); + if (status) { diff --git a/queue-5.15/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch b/queue-5.15/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch new file mode 100644 index 0000000000..78a7d0ec4b --- /dev/null +++ b/queue-5.15/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch @@ -0,0 +1,42 @@ +From stable+bounces-164623-greg=kroah.com@vger.kernel.org Thu Jul 24 17:14:09 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 11:14:00 -0400 +Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation +To: stable@vger.kernel.org +Cc: Zhang Lixu , Srinivas Pandruvada , Jonathan Cameron , Sasha Levin +Message-ID: <20250724151400.1363747-1-sashal@kernel.org> + +From: Zhang Lixu + +[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ] + +The OFFSET calculation in the prox_read_raw() was incorrectly using the +unit exponent, which is intended for SCALE calculations. + +Remove the incorrect OFFSET calculation and set it to a fixed value of 0. + +Cc: stable@vger.kernel.org +Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com +Signed-off-by: Jonathan Cameron +[ adapted prox_attr array access to single structure member access ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/hid-sensor-prox.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/light/hid-sensor-prox.c ++++ b/drivers/iio/light/hid-sensor-prox.c +@@ -103,8 +103,7 @@ static int prox_read_raw(struct iio_dev + ret_type = prox_state->scale_precision; + break; + case IIO_CHAN_INFO_OFFSET: +- *val = hid_sensor_convert_exponent( +- prox_state->prox_attr.unit_expo); ++ *val = 0; + ret_type = IIO_VAL_INT; + break; + case IIO_CHAN_INFO_SAMP_FREQ: diff --git a/queue-5.15/iio-hid-sensor-prox-restore-lost-scale-assignments.patch b/queue-5.15/iio-hid-sensor-prox-restore-lost-scale-assignments.patch new file mode 100644 index 0000000000..a54e8af468 --- /dev/null +++ b/queue-5.15/iio-hid-sensor-prox-restore-lost-scale-assignments.patch @@ -0,0 +1,50 @@ +From stable+bounces-164640-greg=kroah.com@vger.kernel.org Thu Jul 24 18:27:43 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 12:27:03 -0400 +Subject: iio: hid-sensor-prox: Restore lost scale assignments +To: stable@vger.kernel.org +Cc: Zhang Lixu , Srinivas Pandruvada , Jonathan Cameron , Sasha Levin +Message-ID: <20250724162703.1368510-1-sashal@kernel.org> + +From: Zhang Lixu + +[ Upstream commit 83ded7cfaccccd2f4041769c313b58b4c9e265ad ] + +The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision` +were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not +correct issue"), but due to a merge conflict in +commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of +https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"), +these assignments were lost. + +Add back lost assignments and replace `st->prox_attr` with +`st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add +support for more channels") changed `prox_attr` to an array. + +Cc: stable@vger.kernel.org # 5.13+ +Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next") +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com +Signed-off-by: Jonathan Cameron +[ changed st->prox_attr[0] array access to st->prox_attr single struct member ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/hid-sensor-prox.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/iio/light/hid-sensor-prox.c ++++ b/drivers/iio/light/hid-sensor-prox.c +@@ -222,6 +222,11 @@ static int prox_parse_report(struct plat + dev_dbg(&pdev->dev, "prox %x:%x\n", st->prox_attr.index, + st->prox_attr.report_id); + ++ st->scale_precision = hid_sensor_format_scale(hsdev->usage, ++ &st->prox_attr, ++ &st->scale_pre_decml, ++ &st->scale_post_decml); ++ + return ret; + } + diff --git a/queue-5.15/kvm-vmx-flush-shadow-vmcs-on-emergency-reboot.patch b/queue-5.15/kvm-vmx-flush-shadow-vmcs-on-emergency-reboot.patch new file mode 100644 index 0000000000..947241b711 --- /dev/null +++ b/queue-5.15/kvm-vmx-flush-shadow-vmcs-on-emergency-reboot.patch @@ -0,0 +1,53 @@ +From stable+bounces-164655-greg=kroah.com@vger.kernel.org Thu Jul 24 20:11:44 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 14:11:34 -0400 +Subject: KVM: VMX: Flush shadow VMCS on emergency reboot +To: stable@vger.kernel.org +Cc: Chao Gao , Kai Huang , Sean Christopherson , Sasha Levin +Message-ID: <20250724181134.1457856-1-sashal@kernel.org> + +From: Chao Gao + +[ Upstream commit a0ee1d5faff135e28810f29e0f06328c66f89852 ] + +Ensure the shadow VMCS cache is evicted during an emergency reboot to +prevent potential memory corruption if the cache is evicted after reboot. + +This issue was identified through code inspection, as __loaded_vmcs_clear() +flushes both the normal VMCS and the shadow VMCS. + +Avoid checking the "launched" state during an emergency reboot, unlike the +behavior in __loaded_vmcs_clear(). This is important because reboot NMIs +can interfere with operations like copy_shadow_to_vmcs12(), where shadow +VMCSes are loaded directly using VMPTRLD. In such cases, if NMIs occur +right after the VMCS load, the shadow VMCSes will be active but the +"launched" state may not be set. + +Fixes: 16f5b9034b69 ("KVM: nVMX: Copy processor-specific shadow-vmcs to VMCS12") +Cc: stable@vger.kernel.org +Signed-off-by: Chao Gao +Reviewed-by: Kai Huang +Link: https://lore.kernel.org/r/20250324140849.2099723-1-chao.gao@intel.com +Signed-off-by: Sean Christopherson +[ adjusted context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -681,8 +681,11 @@ static void crash_vmclear_local_loaded_v + struct loaded_vmcs *v; + + list_for_each_entry(v, &per_cpu(loaded_vmcss_on_cpu, cpu), +- loaded_vmcss_on_cpu_link) ++ loaded_vmcss_on_cpu_link) { + vmcs_clear(v->vmcs); ++ if (v->shadow_vmcs) ++ vmcs_clear(v->shadow_vmcs); ++ } + } + #endif /* CONFIG_KEXEC_CORE */ + diff --git a/queue-5.15/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch b/queue-5.15/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch new file mode 100644 index 0000000000..0b3134d01b --- /dev/null +++ b/queue-5.15/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch @@ -0,0 +1,114 @@ +From stable+bounces-171809-greg=kroah.com@vger.kernel.org Tue Aug 19 17:06:04 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 11:00:30 -0400 +Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() +To: stable@vger.kernel.org +Cc: Anshuman Khandual , David Hildenbrand , Dev Jain , Alexander Gordeev , Catalin Marinas , Will Deacon , Ryan Roberts , Paul Walmsley , Palmer Dabbelt , Gerald Schaefer , Heiko Carstens , Vasily Gorbik , Christian Borntraeger , Sven Schnelle , Andrew Morton , Sasha Levin +Message-ID: <20250819150030.528447-1-sashal@kernel.org> + +From: Anshuman Khandual + +[ Upstream commit 59305202c67fea50378dcad0cc199dbc13a0e99a ] + +Memory hot remove unmaps and tears down various kernel page table regions +as required. The ptdump code can race with concurrent modifications of +the kernel page tables. When leaf entries are modified concurrently, the +dump code may log stale or inconsistent information for a VA range, but +this is otherwise not harmful. + +But when intermediate levels of kernel page table are freed, the dump code +will continue to use memory that has been freed and potentially +reallocated for another purpose. In such cases, the ptdump code may +dereference bogus addresses, leading to a number of potential problems. + +To avoid the above mentioned race condition, platforms such as arm64, +riscv and s390 take memory hotplug lock, while dumping kernel page table +via the sysfs interface /sys/kernel/debug/kernel_page_tables. + +Similar race condition exists while checking for pages that might have +been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages +which in turn calls ptdump_check_wx(). Instead of solving this race +condition again, let's just move the memory hotplug lock inside generic +ptdump_check_wx() which will benefit both the scenarios. + +Drop get_online_mems() and put_online_mems() combination from all existing +platform ptdump code paths. + +Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com +Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") +Signed-off-by: Anshuman Khandual +Acked-by: David Hildenbrand +Reviewed-by: Dev Jain +Acked-by: Alexander Gordeev [s390] +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Ryan Roberts +Cc: Paul Walmsley +Cc: Palmer Dabbelt +Cc: Alexander Gordeev +Cc: Gerald Schaefer +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Christian Borntraeger +Cc: Sven Schnelle +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/ptdump_debugfs.c | 3 --- + arch/s390/mm/dump_pagetables.c | 2 -- + mm/ptdump.c | 2 ++ + 3 files changed, 2 insertions(+), 5 deletions(-) + +--- a/arch/arm64/mm/ptdump_debugfs.c ++++ b/arch/arm64/mm/ptdump_debugfs.c +@@ -1,6 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 + #include +-#include + #include + + #include +@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file * + { + struct ptdump_info *info = m->private; + +- get_online_mems(); + ptdump_walk(m, info); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/arch/s390/mm/dump_pagetables.c ++++ b/arch/s390/mm/dump_pagetables.c +@@ -227,11 +227,9 @@ static int ptdump_show(struct seq_file * + .marker = address_markers, + }; + +- get_online_mems(); + mutex_lock(&cpa_mutex); + ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); + mutex_unlock(&cpa_mutex); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/mm/ptdump.c ++++ b/mm/ptdump.c +@@ -144,6 +144,7 @@ void ptdump_walk_pgd(struct ptdump_state + { + const struct ptdump_range *range = st->range; + ++ get_online_mems(); + mmap_write_lock(mm); + while (range->start != range->end) { + walk_page_range_novma(mm, range->start, range->end, +@@ -151,6 +152,7 @@ void ptdump_walk_pgd(struct ptdump_state + range++; + } + mmap_write_unlock(mm); ++ put_online_mems(); + + /* Flush out the last page */ + st->note_page(st, 0, -1, 0); diff --git a/queue-5.15/net-enetc-fix-device-and-of-node-leak-at-probe.patch b/queue-5.15/net-enetc-fix-device-and-of-node-leak-at-probe.patch new file mode 100644 index 0000000000..729d313c67 --- /dev/null +++ b/queue-5.15/net-enetc-fix-device-and-of-node-leak-at-probe.patch @@ -0,0 +1,66 @@ +From stable+bounces-169819-greg=kroah.com@vger.kernel.org Fri Aug 15 22:04:58 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 16:03:37 -0400 +Subject: net: enetc: fix device and OF node leak at probe +To: stable@vger.kernel.org +Cc: Johan Hovold , Vladimir Oltean , Simon Horman , Jakub Kicinski , Sasha Levin +Message-ID: <20250815200337.201844-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed ] + +Make sure to drop the references to the IERB OF node and platform device +taken by of_parse_phandle() and of_find_device_by_node() during probe. + +Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block") +Cc: stable@vger.kernel.org # 5.13 +Cc: Vladimir Oltean +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c +@@ -1206,6 +1206,7 @@ static int enetc_pf_register_with_ierb(s + struct device_node *node = pdev->dev.of_node; + struct platform_device *ierb_pdev; + struct device_node *ierb_node; ++ int ret; + + /* Don't register with the IERB if the PF itself is disabled */ + if (!node || !of_device_is_available(node)) +@@ -1213,16 +1214,25 @@ static int enetc_pf_register_with_ierb(s + + ierb_node = of_find_compatible_node(NULL, NULL, + "fsl,ls1028a-enetc-ierb"); +- if (!ierb_node || !of_device_is_available(ierb_node)) ++ if (!ierb_node) + return -ENODEV; + ++ if (!of_device_is_available(ierb_node)) { ++ of_node_put(ierb_node); ++ return -ENODEV; ++ } ++ + ierb_pdev = of_find_device_by_node(ierb_node); + of_node_put(ierb_node); + + if (!ierb_pdev) + return -EPROBE_DEFER; + +- return enetc_ierb_register_pf(ierb_pdev, pdev); ++ ret = enetc_ierb_register_pf(ierb_pdev, pdev); ++ ++ put_device(&ierb_pdev->dev); ++ ++ return ret; + } + + static int enetc_pf_probe(struct pci_dev *pdev, diff --git a/queue-5.15/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch b/queue-5.15/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch new file mode 100644 index 0000000000..0a1b697198 --- /dev/null +++ b/queue-5.15/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch @@ -0,0 +1,119 @@ +From stable+bounces-171781-greg=kroah.com@vger.kernel.org Tue Aug 19 14:15:39 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 08:15:30 -0400 +Subject: net/sched: ets: use old 'nbands' while purging unused classes +To: stable@vger.kernel.org +Cc: Davide Caratti , Li Shuang , Petr Machata , Ivan Vecera , Jakub Kicinski , Sasha Levin +Message-ID: <20250819121530.461591-3-sashal@kernel.org> + +From: Davide Caratti + +[ Upstream commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 ] + +Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() +after recent changes from Lion [2]. The problem is: in ets_qdisc_change() +we purge unused DWRR queues; the value of 'q->nbands' is the new one, and +the cleanup should be done with the old one. The problem is here since my +first attempts to fix ets_qdisc_change(), but it surfaced again after the +recent qdisc len accounting fixes. Fix it purging idle DWRR queues before +assigning a new value of 'q->nbands', so that all purge operations find a +consistent configuration: + + - old 'q->nbands' because it's needed by ets_class_find() + - old 'q->nstrict' because it's needed by ets_class_is_strict() + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) + Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 + RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 + Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab + RSP: 0018:ffffba186009f400 EFLAGS: 00010202 + RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 + RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 + R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 + R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 + FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ets_class_qlen_notify+0x65/0x90 [sch_ets] + qdisc_tree_reduce_backlog+0x74/0x110 + ets_qdisc_change+0x630/0xa40 [sch_ets] + __tc_modify_qdisc.constprop.0+0x216/0x7f0 + tc_modify_qdisc+0x7c/0x120 + rtnetlink_rcv_msg+0x145/0x3f0 + netlink_rcv_skb+0x53/0x100 + netlink_unicast+0x245/0x390 + netlink_sendmsg+0x21b/0x470 + ____sys_sendmsg+0x39d/0x3d0 + ___sys_sendmsg+0x9a/0xe0 + __sys_sendmsg+0x7a/0xd0 + do_syscall_64+0x7d/0x160 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f2155114084 + Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 + RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 + RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 + RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f + R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 + R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 + + + [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/ + [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ + +Cc: stable@vger.kernel.org +Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") +Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") +Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") +Reported-by: Li Shuang +Closes: https://issues.redhat.com/browse/RHEL-108026 +Reviewed-by: Petr Machata +Co-developed-by: Ivan Vecera +Signed-off-by: Ivan Vecera +Signed-off-by: Davide Caratti +Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -664,6 +664,12 @@ static int ets_qdisc_change(struct Qdisc + + sch_tree_lock(sch); + ++ for (i = nbands; i < oldbands; i++) { ++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) ++ list_del_init(&q->classes[i].alist); ++ qdisc_purge_queue(q->classes[i].qdisc); ++ } ++ + WRITE_ONCE(q->nbands, nbands); + for (i = nstrict; i < q->nstrict; i++) { + if (q->classes[i].qdisc->q.qlen) { +@@ -671,11 +677,6 @@ static int ets_qdisc_change(struct Qdisc + q->classes[i].deficit = quanta[i]; + } + } +- for (i = q->nbands; i < oldbands; i++) { +- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) +- list_del_init(&q->classes[i].alist); +- qdisc_purge_queue(q->classes[i].qdisc); +- } + WRITE_ONCE(q->nstrict, nstrict); + memcpy(q->prio2band, priomap, sizeof(priomap)); + diff --git a/queue-5.15/net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch b/queue-5.15/net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch new file mode 100644 index 0000000000..2dd5b09109 --- /dev/null +++ b/queue-5.15/net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch @@ -0,0 +1,75 @@ +From stable+bounces-171779-greg=kroah.com@vger.kernel.org Tue Aug 19 14:15:36 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 08:15:28 -0400 +Subject: net/sched: sch_ets: properly init all active DRR list handles +To: stable@vger.kernel.org +Cc: Davide Caratti , Cong Wang , "David S. Miller" , Sasha Levin +Message-ID: <20250819121530.461591-1-sashal@kernel.org> + +From: Davide Caratti + +[ Upstream commit 454d3e1ae057a1e09a15905b06b860f60d6c14d0 ] + +leaf classes of ETS qdiscs are served in strict priority or deficit round +robin (DRR), depending on the value of 'nstrict'. Since this value can be +changed while traffic is running, we need to be sure that the active list +of DRR classes can be updated at any time, so: + +1) call INIT_LIST_HEAD(&alist) on all leaf classes in .init(), before the + first packet hits any of them. +2) ensure that 'alist' is not overwritten with zeros when a leaf class is + no more strict priority nor DRR (i.e. array elements beyond 'nbands'). + +Link: https://lore.kernel.org/netdev/YS%2FoZ+f0Nr8eQkzH@dcaratti.users.ipa.redhat.com +Suggested-by: Cong Wang +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -666,7 +666,6 @@ static int ets_qdisc_change(struct Qdisc + + q->nbands = nbands; + for (i = nstrict; i < q->nstrict; i++) { +- INIT_LIST_HEAD(&q->classes[i].alist); + if (q->classes[i].qdisc->q.qlen) { + list_add_tail(&q->classes[i].alist, &q->active); + q->classes[i].deficit = quanta[i]; +@@ -694,7 +693,11 @@ static int ets_qdisc_change(struct Qdisc + ets_offload_change(sch); + for (i = q->nbands; i < oldbands; i++) { + qdisc_put(q->classes[i].qdisc); +- memset(&q->classes[i], 0, sizeof(q->classes[i])); ++ q->classes[i].qdisc = NULL; ++ q->classes[i].quantum = 0; ++ q->classes[i].deficit = 0; ++ memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats)); ++ memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); + } + return 0; + } +@@ -703,7 +706,7 @@ static int ets_qdisc_init(struct Qdisc * + struct netlink_ext_ack *extack) + { + struct ets_sched *q = qdisc_priv(sch); +- int err; ++ int err, i; + + if (!opt) + return -EINVAL; +@@ -713,6 +716,9 @@ static int ets_qdisc_init(struct Qdisc * + return err; + + INIT_LIST_HEAD(&q->active); ++ for (i = 0; i < TCQ_ETS_MAX_BANDS; i++) ++ INIT_LIST_HEAD(&q->classes[i].alist); ++ + return ets_qdisc_change(sch, opt, extack); + } + diff --git a/queue-5.15/net_sched-sch_ets-implement-lockless-ets_dump.patch b/queue-5.15/net_sched-sch_ets-implement-lockless-ets_dump.patch new file mode 100644 index 0000000000..ba3aee91b3 --- /dev/null +++ b/queue-5.15/net_sched-sch_ets-implement-lockless-ets_dump.patch @@ -0,0 +1,106 @@ +From stable+bounces-171780-greg=kroah.com@vger.kernel.org Tue Aug 19 14:15:38 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 08:15:29 -0400 +Subject: net_sched: sch_ets: implement lockless ets_dump() +To: stable@vger.kernel.org +Cc: Eric Dumazet , Simon Horman , "David S. Miller" , Sasha Levin +Message-ID: <20250819121530.461591-2-sashal@kernel.org> + +From: Eric Dumazet + +[ Upstream commit c5f1dde7f731e7bf2e7c169ca42cb4989fc2f8b9 ] + +Instead of relying on RTNL, ets_dump() can use READ_ONCE() +annotations, paired with WRITE_ONCE() ones in ets_change(). + +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -664,7 +664,7 @@ static int ets_qdisc_change(struct Qdisc + + sch_tree_lock(sch); + +- q->nbands = nbands; ++ WRITE_ONCE(q->nbands, nbands); + for (i = nstrict; i < q->nstrict; i++) { + if (q->classes[i].qdisc->q.qlen) { + list_add_tail(&q->classes[i].alist, &q->active); +@@ -676,11 +676,11 @@ static int ets_qdisc_change(struct Qdisc + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } +- q->nstrict = nstrict; ++ WRITE_ONCE(q->nstrict, nstrict); + memcpy(q->prio2band, priomap, sizeof(priomap)); + + for (i = 0; i < q->nbands; i++) +- q->classes[i].quantum = quanta[i]; ++ WRITE_ONCE(q->classes[i].quantum, quanta[i]); + + for (i = oldbands; i < q->nbands; i++) { + q->classes[i].qdisc = queues[i]; +@@ -694,7 +694,7 @@ static int ets_qdisc_change(struct Qdisc + for (i = q->nbands; i < oldbands; i++) { + qdisc_put(q->classes[i].qdisc); + q->classes[i].qdisc = NULL; +- q->classes[i].quantum = 0; ++ WRITE_ONCE(q->classes[i].quantum, 0); + q->classes[i].deficit = 0; + memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats)); + memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); +@@ -751,6 +751,7 @@ static int ets_qdisc_dump(struct Qdisc * + struct ets_sched *q = qdisc_priv(sch); + struct nlattr *opts; + struct nlattr *nest; ++ u8 nbands, nstrict; + int band; + int prio; + int err; +@@ -763,21 +764,22 @@ static int ets_qdisc_dump(struct Qdisc * + if (!opts) + goto nla_err; + +- if (nla_put_u8(skb, TCA_ETS_NBANDS, q->nbands)) ++ nbands = READ_ONCE(q->nbands); ++ if (nla_put_u8(skb, TCA_ETS_NBANDS, nbands)) + goto nla_err; + +- if (q->nstrict && +- nla_put_u8(skb, TCA_ETS_NSTRICT, q->nstrict)) ++ nstrict = READ_ONCE(q->nstrict); ++ if (nstrict && nla_put_u8(skb, TCA_ETS_NSTRICT, nstrict)) + goto nla_err; + +- if (q->nbands > q->nstrict) { ++ if (nbands > nstrict) { + nest = nla_nest_start(skb, TCA_ETS_QUANTA); + if (!nest) + goto nla_err; + +- for (band = q->nstrict; band < q->nbands; band++) { ++ for (band = nstrict; band < nbands; band++) { + if (nla_put_u32(skb, TCA_ETS_QUANTA_BAND, +- q->classes[band].quantum)) ++ READ_ONCE(q->classes[band].quantum))) + goto nla_err; + } + +@@ -789,7 +791,8 @@ static int ets_qdisc_dump(struct Qdisc * + goto nla_err; + + for (prio = 0; prio <= TC_PRIO_MAX; prio++) { +- if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, q->prio2band[prio])) ++ if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, ++ READ_ONCE(q->prio2band[prio]))) + goto nla_err; + } + diff --git a/queue-5.15/nfs-create-an-nfs4_server_set_init_caps-function.patch b/queue-5.15/nfs-create-an-nfs4_server_set_init_caps-function.patch new file mode 100644 index 0000000000..710f4e5710 --- /dev/null +++ b/queue-5.15/nfs-create-an-nfs4_server_set_init_caps-function.patch @@ -0,0 +1,96 @@ +From stable+bounces-169817-greg=kroah.com@vger.kernel.org Fri Aug 15 22:04:08 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 16:03:29 -0400 +Subject: NFS: Create an nfs4_server_set_init_caps() function +To: stable@vger.kernel.org +Cc: Anna Schumaker , Trond Myklebust , Sasha Levin +Message-ID: <20250815200330.201734-1-sashal@kernel.org> + +From: Anna Schumaker + +[ Upstream commit 01dde76e471229e3437a2686c572f4980b2c483e ] + +And call it before doing an FSINFO probe to reset to the baseline +capabilities before probing. + +Signed-off-by: Anna Schumaker +Signed-off-by: Trond Myklebust +Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/internal.h | 1 + + fs/nfs/nfs4client.c | 33 +++++++++++++++++++-------------- + fs/nfs/nfs4proc.c | 2 ++ + 3 files changed, 22 insertions(+), 14 deletions(-) + +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -219,6 +219,7 @@ extern struct nfs_client * + nfs4_find_client_sessionid(struct net *, const struct sockaddr *, + struct nfs4_sessionid *, u32); + extern struct nfs_server *nfs_create_server(struct fs_context *); ++extern void nfs4_server_set_init_caps(struct nfs_server *); + extern struct nfs_server *nfs4_create_server(struct fs_context *); + extern struct nfs_server *nfs4_create_referral_server(struct fs_context *); + extern int nfs4_update_server(struct nfs_server *server, const char *hostname, +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1065,6 +1065,24 @@ static void nfs4_session_limit_xasize(st + #endif + } + ++void nfs4_server_set_init_caps(struct nfs_server *server) ++{ ++ /* Set the basic capabilities */ ++ server->caps |= server->nfs_client->cl_mvops->init_caps; ++ if (server->flags & NFS_MOUNT_NORDIRPLUS) ++ server->caps &= ~NFS_CAP_READDIRPLUS; ++ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) ++ server->caps &= ~NFS_CAP_READ_PLUS; ++ ++ /* ++ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower ++ * authentication. ++ */ ++ if (nfs4_disable_idmapping && ++ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) ++ server->caps |= NFS_CAP_UIDGID_NOMAP; ++} ++ + static int nfs4_server_common_setup(struct nfs_server *server, + struct nfs_fh *mntfh, bool auth_probe) + { +@@ -1084,20 +1102,7 @@ static int nfs4_server_common_setup(stru + if (error < 0) + goto out; + +- /* Set the basic capabilities */ +- server->caps |= server->nfs_client->cl_mvops->init_caps; +- if (server->flags & NFS_MOUNT_NORDIRPLUS) +- server->caps &= ~NFS_CAP_READDIRPLUS; +- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) +- server->caps &= ~NFS_CAP_READ_PLUS; +- /* +- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower +- * authentication. +- */ +- if (nfs4_disable_idmapping && +- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) +- server->caps |= NFS_CAP_UIDGID_NOMAP; +- ++ nfs4_server_set_init_caps(server); + + /* Probe the root fh to retrieve its FSID and filehandle */ + error = nfs4_get_rootfh(server, mntfh, auth_probe); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3968,6 +3968,8 @@ int nfs4_server_capabilities(struct nfs_ + .interruptible = true, + }; + int err; ++ ++ nfs4_server_set_init_caps(server); + do { + err = nfs4_handle_exception(server, + _nfs4_server_capabilities(server, fhandle), diff --git a/queue-5.15/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch b/queue-5.15/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch new file mode 100644 index 0000000000..e317dbfca3 --- /dev/null +++ b/queue-5.15/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch @@ -0,0 +1,168 @@ +From stable+bounces-169818-greg=kroah.com@vger.kernel.org Fri Aug 15 22:04:09 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 16:03:30 -0400 +Subject: NFS: Fix the setting of capabilities when automounting a new filesystem +To: stable@vger.kernel.org +Cc: Trond Myklebust , Benjamin Coddington , Sasha Levin +Message-ID: <20250815200330.201734-2-sashal@kernel.org> + +From: Trond Myklebust + +[ Upstream commit b01f21cacde9f2878492cf318fee61bf4ccad323 ] + +Capabilities cannot be inherited when we cross into a new filesystem. +They need to be reset to the minimal defaults, and then probed for +again. + +Fixes: 54ceac451598 ("NFS: Share NFS superblocks per-protocol per-server per-FSID") +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/client.c | 44 ++++++++++++++++++++++++++++++++++++++++++-- + fs/nfs/internal.h | 2 +- + fs/nfs/nfs4client.c | 20 +------------------- + fs/nfs/nfs4proc.c | 2 +- + 4 files changed, 45 insertions(+), 23 deletions(-) + +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -661,6 +661,44 @@ struct nfs_client *nfs_init_client(struc + } + EXPORT_SYMBOL_GPL(nfs_init_client); + ++static void nfs4_server_set_init_caps(struct nfs_server *server) ++{ ++#if IS_ENABLED(CONFIG_NFS_V4) ++ /* Set the basic capabilities */ ++ server->caps = server->nfs_client->cl_mvops->init_caps; ++ if (server->flags & NFS_MOUNT_NORDIRPLUS) ++ server->caps &= ~NFS_CAP_READDIRPLUS; ++ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) ++ server->caps &= ~NFS_CAP_READ_PLUS; ++ ++ /* ++ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower ++ * authentication. ++ */ ++ if (nfs4_disable_idmapping && ++ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) ++ server->caps |= NFS_CAP_UIDGID_NOMAP; ++#endif ++} ++ ++void nfs_server_set_init_caps(struct nfs_server *server) ++{ ++ switch (server->nfs_client->rpc_ops->version) { ++ case 2: ++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; ++ break; ++ case 3: ++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; ++ if (!(server->flags & NFS_MOUNT_NORDIRPLUS)) ++ server->caps |= NFS_CAP_READDIRPLUS; ++ break; ++ default: ++ nfs4_server_set_init_caps(server); ++ break; ++ } ++} ++EXPORT_SYMBOL_GPL(nfs_server_set_init_caps); ++ + /* + * Create a version 2 or 3 client + */ +@@ -699,7 +737,6 @@ static int nfs_init_server(struct nfs_se + /* Initialise the client representation from the mount data */ + server->flags = ctx->flags; + server->options = ctx->options; +- server->caps |= NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; + + switch (clp->rpc_ops->version) { + case 2: +@@ -735,6 +772,8 @@ static int nfs_init_server(struct nfs_se + if (error < 0) + goto error; + ++ nfs_server_set_init_caps(server); ++ + /* Preserve the values of mount_server-related mount options */ + if (ctx->mount_server.addrlen) { + memcpy(&server->mountd_address, &ctx->mount_server.address, +@@ -884,7 +923,6 @@ void nfs_server_copy_userdata(struct nfs + target->acregmax = source->acregmax; + target->acdirmin = source->acdirmin; + target->acdirmax = source->acdirmax; +- target->caps = source->caps; + target->options = source->options; + target->auth_info = source->auth_info; + target->port = source->port; +@@ -1095,6 +1133,8 @@ struct nfs_server *nfs_clone_server(stru + if (error < 0) + goto out_free_server; + ++ nfs_server_set_init_caps(server); ++ + /* probe the filesystem info for this server filesystem */ + error = nfs_probe_fsinfo(server, fh, fattr_fsinfo); + if (error < 0) +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -219,7 +219,7 @@ extern struct nfs_client * + nfs4_find_client_sessionid(struct net *, const struct sockaddr *, + struct nfs4_sessionid *, u32); + extern struct nfs_server *nfs_create_server(struct fs_context *); +-extern void nfs4_server_set_init_caps(struct nfs_server *); ++extern void nfs_server_set_init_caps(struct nfs_server *); + extern struct nfs_server *nfs4_create_server(struct fs_context *); + extern struct nfs_server *nfs4_create_referral_server(struct fs_context *); + extern int nfs4_update_server(struct nfs_server *server, const char *hostname, +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1065,24 +1065,6 @@ static void nfs4_session_limit_xasize(st + #endif + } + +-void nfs4_server_set_init_caps(struct nfs_server *server) +-{ +- /* Set the basic capabilities */ +- server->caps |= server->nfs_client->cl_mvops->init_caps; +- if (server->flags & NFS_MOUNT_NORDIRPLUS) +- server->caps &= ~NFS_CAP_READDIRPLUS; +- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) +- server->caps &= ~NFS_CAP_READ_PLUS; +- +- /* +- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower +- * authentication. +- */ +- if (nfs4_disable_idmapping && +- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) +- server->caps |= NFS_CAP_UIDGID_NOMAP; +-} +- + static int nfs4_server_common_setup(struct nfs_server *server, + struct nfs_fh *mntfh, bool auth_probe) + { +@@ -1102,7 +1084,7 @@ static int nfs4_server_common_setup(stru + if (error < 0) + goto out; + +- nfs4_server_set_init_caps(server); ++ nfs_server_set_init_caps(server); + + /* Probe the root fh to retrieve its FSID and filehandle */ + error = nfs4_get_rootfh(server, mntfh, auth_probe); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3969,7 +3969,7 @@ int nfs4_server_capabilities(struct nfs_ + }; + int err; + +- nfs4_server_set_init_caps(server); ++ nfs_server_set_init_caps(server); + do { + err = nfs4_handle_exception(server, + _nfs4_server_capabilities(server, fhandle), diff --git a/queue-5.15/pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch b/queue-5.15/pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch new file mode 100644 index 0000000000..ed1628152b --- /dev/null +++ b/queue-5.15/pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch @@ -0,0 +1,141 @@ +From stable+bounces-169873-greg=kroah.com@vger.kernel.org Sun Aug 17 04:26:02 2025 +From: Sasha Levin +Date: Sat, 16 Aug 2025 22:25:53 -0400 +Subject: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports +To: stable@vger.kernel.org +Cc: Lukas Wunner , Laurent Bigonville , Mario Limonciello , Bjorn Helgaas , "Rafael J. Wysocki" , Sasha Levin +Message-ID: <20250817022553.1336244-1-sashal@kernel.org> + +From: Lukas Wunner + +[ Upstream commit 6cff20ce3b92ffbf2fc5eb9e5a030b3672aa414a ] + +pci_bridge_d3_possible() is called from both pcie_portdrv_probe() and +pcie_portdrv_remove() to determine whether runtime power management shall +be enabled (on probe) or disabled (on remove) on a PCIe port. + +The underlying assumption is that pci_bridge_d3_possible() always returns +the same value, else a runtime PM reference imbalance would occur. That +assumption is not given if the PCIe port is inaccessible on remove due to +hot-unplug: pci_bridge_d3_possible() calls pciehp_is_native(), which +accesses Config Space to determine whether the port is Hot-Plug Capable. +An inaccessible port returns "all ones", which is converted to "all +zeroes" by pcie_capability_read_dword(). Hence the port no longer seems +Hot-Plug Capable on remove even though it was on probe. + +The resulting runtime PM ref imbalance causes warning messages such as: + + pcieport 0000:02:04.0: Runtime PM usage count underflow! + +Avoid the Config Space access (and thus the runtime PM ref imbalance) by +caching the Hot-Plug Capable bit in struct pci_dev. + +The struct already contains an "is_hotplug_bridge" flag, which however is +not only set on Hot-Plug Capable PCIe ports, but also Conventional PCI +Hot-Plug bridges and ACPI slots. The flag identifies bridges which are +allocated additional MMIO and bus number resources to allow for hierarchy +expansion. + +The kernel is somewhat sloppily using "is_hotplug_bridge" in a number of +places to identify Hot-Plug Capable PCIe ports, even though the flag +encompasses other devices. Subsequent commits replace these occurrences +with the new flag to clearly delineate Hot-Plug Capable PCIe ports from +other kinds of hotplug bridges. + +Document the existing "is_hotplug_bridge" and the new "is_pciehp" flag +and document the (non-obvious) requirement that pci_bridge_d3_possible() +always returns the same value across the entire lifetime of a bridge, +including its hot-removal. + +Fixes: 5352a44a561d ("PCI: pciehp: Make pciehp_is_native() stricter") +Reported-by: Laurent Bigonville +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220216 +Reported-by: Mario Limonciello +Closes: https://lore.kernel.org/r/20250609020223.269407-3-superm1@kernel.org/ +Link: https://lore.kernel.org/all/20250620025535.3425049-3-superm1@kernel.org/T/#u +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Acked-by: Rafael J. Wysocki +Cc: stable@vger.kernel.org # v4.18+ +Link: https://patch.msgid.link/fe5dcc3b2e62ee1df7905d746bde161eb1b3291c.1752390101.git.lukas@wunner.de +[ changed "recent enough PCIe ports" comment to "some PCIe ports" ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-acpi.c | 4 +--- + drivers/pci/pci.c | 8 ++++++-- + drivers/pci/probe.c | 2 +- + include/linux/pci.h | 10 +++++++++- + 4 files changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -792,13 +792,11 @@ int pci_acpi_program_hp_params(struct pc + bool pciehp_is_native(struct pci_dev *bridge) + { + const struct pci_host_bridge *host; +- u32 slot_cap; + + if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE)) + return false; + +- pcie_capability_read_dword(bridge, PCI_EXP_SLTCAP, &slot_cap); +- if (!(slot_cap & PCI_EXP_SLTCAP_HPC)) ++ if (!bridge->is_pciehp) + return false; + + if (pcie_ports_native) +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2921,8 +2921,12 @@ static const struct dmi_system_id bridge + * pci_bridge_d3_possible - Is it possible to put the bridge into D3 + * @bridge: Bridge to check + * +- * This function checks if it is possible to move the bridge to D3. +- * Currently we only allow D3 for recent enough PCIe ports and Thunderbolt. ++ * Currently we only allow D3 for some PCIe ports and for Thunderbolt. ++ * ++ * Return: Whether it is possible to move the bridge to D3. ++ * ++ * The return value is guaranteed to be constant across the entire lifetime ++ * of the bridge, including its hot-removal. + */ + bool pci_bridge_d3_possible(struct pci_dev *bridge) + { +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1590,7 +1590,7 @@ void set_pcie_hotplug_bridge(struct pci_ + + pcie_capability_read_dword(pdev, PCI_EXP_SLTCAP, ®32); + if (reg32 & PCI_EXP_SLTCAP_HPC) +- pdev->is_hotplug_bridge = 1; ++ pdev->is_hotplug_bridge = pdev->is_pciehp = 1; + } + + static void set_pcie_thunderbolt(struct pci_dev *dev) +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -317,7 +317,14 @@ struct pci_sriov; + struct pci_p2pdma; + struct rcec_ea; + +-/* The pci_dev structure describes PCI devices */ ++/* struct pci_dev - describes a PCI device ++ * ++ * @is_hotplug_bridge: Hotplug bridge of any kind (e.g. PCIe Hot-Plug Capable, ++ * Conventional PCI Hot-Plug, ACPI slot). ++ * Such bridges are allocated additional MMIO and bus ++ * number resources to allow for hierarchy expansion. ++ * @is_pciehp: PCIe Hot-Plug Capable bridge. ++ */ + struct pci_dev { + struct list_head bus_list; /* Node in per-bus list */ + struct pci_bus *bus; /* Bus this device is on */ +@@ -440,6 +447,7 @@ struct pci_dev { + unsigned int is_physfn:1; + unsigned int is_virtfn:1; + unsigned int is_hotplug_bridge:1; ++ unsigned int is_pciehp:1; + unsigned int shpc_managed:1; /* SHPC owned by shpchp */ + unsigned int is_thunderbolt:1; /* Thunderbolt controller */ + /* diff --git a/queue-5.15/platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch b/queue-5.15/platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch new file mode 100644 index 0000000000..0c588ccd70 --- /dev/null +++ b/queue-5.15/platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch @@ -0,0 +1,103 @@ +From stable+bounces-172164-greg=kroah.com@vger.kernel.org Thu Aug 21 17:14:19 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 11:08:41 -0400 +Subject: platform/chrome: cros_ec: Make cros_ec_unregister() return void +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "Guenter Roeck" , "Lee Jones" , "Mark Brown" , "Sasha Levin" +Message-ID: <20250821150844.754065-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit afb0a80e63d67e957b5d0eb4ade301aff6e13c8c ] + +Up to now cros_ec_unregister() returns zero unconditionally. Make it +return void instead which makes it easier to see in the callers that +there is no error to handle. + +Also the return value of i2c, platform and spi remove callbacks is +ignored anyway. + +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20211020071753.wltjslmimb6wtlp5@pengutronix.de +Signed-off-by: Uwe Kleine-König +Acked-by: Lee Jones +Link: https://lore.kernel.org/r/20220123175201.34839-5-u.kleine-koenig@pengutronix.de +Signed-off-by: Mark Brown +Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 4 +--- + drivers/platform/chrome/cros_ec.h | 2 +- + drivers/platform/chrome/cros_ec_i2c.c | 4 +++- + drivers/platform/chrome/cros_ec_lpc.c | 4 +++- + drivers/platform/chrome/cros_ec_spi.c | 4 +++- + 5 files changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -306,13 +306,11 @@ EXPORT_SYMBOL(cros_ec_register); + * + * Return: 0 on success or negative error code. + */ +-int cros_ec_unregister(struct cros_ec_device *ec_dev) ++void cros_ec_unregister(struct cros_ec_device *ec_dev) + { + if (ec_dev->pd) + platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); +- +- return 0; + } + EXPORT_SYMBOL(cros_ec_unregister); + +--- a/drivers/platform/chrome/cros_ec.h ++++ b/drivers/platform/chrome/cros_ec.h +@@ -11,7 +11,7 @@ + #include + + int cros_ec_register(struct cros_ec_device *ec_dev); +-int cros_ec_unregister(struct cros_ec_device *ec_dev); ++void cros_ec_unregister(struct cros_ec_device *ec_dev); + + int cros_ec_suspend(struct cros_ec_device *ec_dev); + int cros_ec_resume(struct cros_ec_device *ec_dev); +--- a/drivers/platform/chrome/cros_ec_i2c.c ++++ b/drivers/platform/chrome/cros_ec_i2c.c +@@ -313,7 +313,9 @@ static int cros_ec_i2c_remove(struct i2c + { + struct cros_ec_device *ec_dev = i2c_get_clientdata(client); + +- return cros_ec_unregister(ec_dev); ++ cros_ec_unregister(ec_dev); ++ ++ return 0; + } + + #ifdef CONFIG_PM_SLEEP +--- a/drivers/platform/chrome/cros_ec_lpc.c ++++ b/drivers/platform/chrome/cros_ec_lpc.c +@@ -439,7 +439,9 @@ static int cros_ec_lpc_remove(struct pla + acpi_remove_notify_handler(adev->handle, ACPI_ALL_NOTIFY, + cros_ec_lpc_acpi_notify); + +- return cros_ec_unregister(ec_dev); ++ cros_ec_unregister(ec_dev); ++ ++ return 0; + } + + static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = { +--- a/drivers/platform/chrome/cros_ec_spi.c ++++ b/drivers/platform/chrome/cros_ec_spi.c +@@ -790,7 +790,9 @@ static int cros_ec_spi_remove(struct spi + { + struct cros_ec_device *ec_dev = spi_get_drvdata(spi); + +- return cros_ec_unregister(ec_dev); ++ cros_ec_unregister(ec_dev); ++ ++ return 0; + } + + #ifdef CONFIG_PM_SLEEP diff --git a/queue-5.15/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch b/queue-5.15/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch new file mode 100644 index 0000000000..b9c3944dab --- /dev/null +++ b/queue-5.15/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch @@ -0,0 +1,75 @@ +From stable+bounces-172166-greg=kroah.com@vger.kernel.org Thu Aug 21 17:14:23 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 11:08:43 -0400 +Subject: platform/chrome: cros_ec: remove unneeded label and if-condition +To: stable@vger.kernel.org +Cc: Tzung-Bi Shih , Guenter Roeck , Sasha Levin +Message-ID: <20250821150844.754065-3-sashal@kernel.org> + +From: Tzung-Bi Shih + +[ Upstream commit 554ec02c97254962bbb0a8776c3160d294fc7e51 ] + +Both `ec_dev->ec` and `ec_dev->pd` are initialized to NULL at the +beginning of cros_ec_register(). Also, platform_device_unregister() +takes care if the given platform_device is NULL. + +Remove the unneeded goto-label and if-condition. + +Signed-off-by: Tzung-Bi Shih +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230308031247.2866401-1-tzungbi@kernel.org +Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -207,7 +207,7 @@ int cros_ec_register(struct cros_ec_devi + err = cros_ec_query_all(ec_dev); + if (err) { + dev_err(dev, "Cannot identify the EC: error %d\n", err); +- goto destroy_mutex; ++ goto exit; + } + + if (ec_dev->irq > 0) { +@@ -219,7 +219,7 @@ int cros_ec_register(struct cros_ec_devi + if (err) { + dev_err(dev, "Failed to request IRQ %d: %d", + ec_dev->irq, err); +- goto destroy_mutex; ++ goto exit; + } + } + +@@ -231,7 +231,7 @@ int cros_ec_register(struct cros_ec_devi + dev_err(ec_dev->dev, + "Failed to create CrOS EC platform device\n"); + err = PTR_ERR(ec_dev->ec); +- goto destroy_mutex; ++ goto exit; + } + + if (ec_dev->max_passthru) { +@@ -297,7 +297,6 @@ int cros_ec_register(struct cros_ec_devi + exit: + platform_device_unregister(ec_dev->ec); + platform_device_unregister(ec_dev->pd); +-destroy_mutex: + mutex_destroy(&ec_dev->lock); + lockdep_unregister_key(&ec_dev->lockdep_key); + return err; +@@ -314,8 +313,7 @@ EXPORT_SYMBOL(cros_ec_register); + */ + void cros_ec_unregister(struct cros_ec_device *ec_dev) + { +- if (ec_dev->pd) +- platform_device_unregister(ec_dev->pd); ++ platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); + mutex_destroy(&ec_dev->lock); + lockdep_unregister_key(&ec_dev->lockdep_key); diff --git a/queue-5.15/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch b/queue-5.15/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch new file mode 100644 index 0000000000..ac7ed04ab7 --- /dev/null +++ b/queue-5.15/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch @@ -0,0 +1,40 @@ +From stable+bounces-172167-greg=kroah.com@vger.kernel.org Thu Aug 21 17:14:27 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 11:08:44 -0400 +Subject: platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() +To: stable@vger.kernel.org +Cc: Tzung-Bi Shih , Benson Leung , Sasha Levin +Message-ID: <20250821150844.754065-4-sashal@kernel.org> + +From: Tzung-Bi Shih + +[ Upstream commit e2374953461947eee49f69b3e3204ff080ef31b1 ] + +The blocking notifier is registered in cros_ec_register(); however, it +isn't unregistered in cros_ec_unregister(). + +Fix it. + +Fixes: 42cd0ab476e2 ("platform/chrome: cros_ec: Query EC protocol version if EC transitions between RO/RW") +Cc: stable@vger.kernel.org +Reviewed-by: Benson Leung +Link: https://lore.kernel.org/r/20250722120513.234031-1-tzungbi@kernel.org +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -313,6 +313,9 @@ EXPORT_SYMBOL(cros_ec_register); + */ + void cros_ec_unregister(struct cros_ec_device *ec_dev) + { ++ if (ec_dev->mkbp_event_supported) ++ blocking_notifier_chain_unregister(&ec_dev->event_notifier, ++ &ec_dev->notifier_ready); + platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); + mutex_destroy(&ec_dev->lock); diff --git a/queue-5.15/platform-chrome-cros_ec-use-per-device-lockdep-key.patch b/queue-5.15/platform-chrome-cros_ec-use-per-device-lockdep-key.patch new file mode 100644 index 0000000000..a8b556b7b4 --- /dev/null +++ b/queue-5.15/platform-chrome-cros_ec-use-per-device-lockdep-key.patch @@ -0,0 +1,144 @@ +From stable+bounces-172165-greg=kroah.com@vger.kernel.org Thu Aug 21 17:15:13 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 11:08:42 -0400 +Subject: platform/chrome: cros_ec: Use per-device lockdep key +To: stable@vger.kernel.org +Cc: Chen-Yu Tsai , Tzung-Bi Shih , Sasha Levin +Message-ID: <20250821150844.754065-2-sashal@kernel.org> + +From: Chen-Yu Tsai + +[ Upstream commit 961a325becd9a142ae5c8b258e5c2f221f8bfac8 ] + +Lockdep reports a bogus possible deadlock on MT8192 Chromebooks due to +the following lock sequences: + +1. lock(i2c_register_adapter) [1]; lock(&ec_dev->lock) +2. lock(&ec_dev->lock); lock(prepare_lock); + +The actual dependency chains are much longer. The shortened version +looks somewhat like: + +1. cros-ec-rpmsg on mtk-scp + ec_dev->lock -> prepare_lock +2. In rt5682_i2c_probe() on native I2C bus: + prepare_lock -> regmap->lock -> (possibly) i2c_adapter->bus_lock +3. In rt5682_i2c_probe() on native I2C bus: + regmap->lock -> i2c_adapter->bus_lock +4. In sbs_probe() on i2c-cros-ec-tunnel I2C bus attached on cros-ec: + i2c_adapter->bus_lock -> ec_dev->lock + +While lockdep is correct that the shared lockdep classes have a circular +dependency, it is bogus because + + a) 2+3 happen on a native I2C bus + b) 4 happens on the actual EC on ChromeOS devices + c) 1 happens on the SCP coprocessor on MediaTek Chromebooks that just + happens to expose a cros-ec interface, but does not have an + i2c-cros-ec-tunnel I2C bus + +In short, the "dependencies" are actually on different devices. + +Setup a per-device lockdep key for cros_ec devices so lockdep can tell +the two instances apart. This helps with getting rid of the bogus +lockdep warning. For ChromeOS devices that only have one cros-ec +instance this doesn't change anything. + +Also add a missing mutex_destroy, just to make the teardown complete. + +[1] This is likely the per I2C bus lock with shared lockdep class + +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20230111074146.2624496-1-wenst@chromium.org +Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 14 +++++++++++--- + include/linux/platform_data/cros_ec_proto.h | 4 ++++ + 2 files changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -200,12 +200,14 @@ int cros_ec_register(struct cros_ec_devi + if (!ec_dev->dout) + return -ENOMEM; + ++ lockdep_register_key(&ec_dev->lockdep_key); + mutex_init(&ec_dev->lock); ++ lockdep_set_class(&ec_dev->lock, &ec_dev->lockdep_key); + + err = cros_ec_query_all(ec_dev); + if (err) { + dev_err(dev, "Cannot identify the EC: error %d\n", err); +- return err; ++ goto destroy_mutex; + } + + if (ec_dev->irq > 0) { +@@ -217,7 +219,7 @@ int cros_ec_register(struct cros_ec_devi + if (err) { + dev_err(dev, "Failed to request IRQ %d: %d", + ec_dev->irq, err); +- return err; ++ goto destroy_mutex; + } + } + +@@ -228,7 +230,8 @@ int cros_ec_register(struct cros_ec_devi + if (IS_ERR(ec_dev->ec)) { + dev_err(ec_dev->dev, + "Failed to create CrOS EC platform device\n"); +- return PTR_ERR(ec_dev->ec); ++ err = PTR_ERR(ec_dev->ec); ++ goto destroy_mutex; + } + + if (ec_dev->max_passthru) { +@@ -294,6 +297,9 @@ int cros_ec_register(struct cros_ec_devi + exit: + platform_device_unregister(ec_dev->ec); + platform_device_unregister(ec_dev->pd); ++destroy_mutex: ++ mutex_destroy(&ec_dev->lock); ++ lockdep_unregister_key(&ec_dev->lockdep_key); + return err; + } + EXPORT_SYMBOL(cros_ec_register); +@@ -311,6 +317,8 @@ void cros_ec_unregister(struct cros_ec_d + if (ec_dev->pd) + platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); ++ mutex_destroy(&ec_dev->lock); ++ lockdep_unregister_key(&ec_dev->lockdep_key); + } + EXPORT_SYMBOL(cros_ec_unregister); + +--- a/include/linux/platform_data/cros_ec_proto.h ++++ b/include/linux/platform_data/cros_ec_proto.h +@@ -9,6 +9,7 @@ + #define __LINUX_CROS_EC_PROTO_H + + #include ++#include + #include + #include + +@@ -114,6 +115,8 @@ struct cros_ec_command { + * command. The caller should check msg.result for the EC's result + * code. + * @pkt_xfer: Send packet to EC and get response. ++ * @lockdep_key: Lockdep class for each instance. Unused if CONFIG_LOCKDEP is ++ * not enabled. + * @lock: One transaction at a time. + * @mkbp_event_supported: 0 if MKBP not supported. Otherwise its value is + * the maximum supported version of the MKBP host event +@@ -159,6 +162,7 @@ struct cros_ec_device { + struct cros_ec_command *msg); + int (*pkt_xfer)(struct cros_ec_device *ec, + struct cros_ec_command *msg); ++ struct lock_class_key lockdep_key; + struct mutex lock; + u8 mkbp_event_supported; + bool host_sleep_v1; diff --git a/queue-5.15/series b/queue-5.15/series index 1aef91c761..df9d33dcd6 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -507,3 +507,39 @@ mm-drop-the-assumption-that-vm_shared-always-implies-writable.patch mm-update-memfd-seal-write-check-to-include-f_seal_write.patch mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch +ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch +drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch +arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch +arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch +f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch +iio-hid-sensor-prox-restore-lost-scale-assignments.patch +iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch +x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch +usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch +usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch +smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch +x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch +alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch +smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch +hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch +usb-typec-fusb302-cache-pd-rx-state.patch +pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch +block-make-req_op_zone_finish-a-write-operation.patch +net-enetc-fix-device-and-of-node-leak-at-probe.patch +nfs-create-an-nfs4_server_set_init_caps-function.patch +nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch +mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch +usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch +usb-musb-omap2430-fix-device-leak-at-unbind.patch +ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch +bus-mhi-host-detect-events-pointing-to-unexpected-tres.patch +usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch +platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch +platform-chrome-cros_ec-use-per-device-lockdep-key.patch +platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch +platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch +net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch +net_sched-sch_ets-implement-lockless-ets_dump.patch +net-sched-ets-use-old-nbands-while-purging-unused-classes.patch +kvm-vmx-flush-shadow-vmcs-on-emergency-reboot.patch +btrfs-populate-otime-when-logging-an-inode-item.patch diff --git a/queue-5.15/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch b/queue-5.15/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch new file mode 100644 index 0000000000..85376aacd1 --- /dev/null +++ b/queue-5.15/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch @@ -0,0 +1,85 @@ +From stable+bounces-164306-greg=kroah.com@vger.kernel.org Wed Jul 23 00:00:22 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 17:58:19 -0400 +Subject: smb: client: fix use-after-free in crypt_message when using async crypto +To: stable@vger.kernel.org +Cc: Wang Zhaolong , Paulo Alcantara , Steve French , Sasha Levin +Message-ID: <20250722215819.981600-1-sashal@kernel.org> + +From: Wang Zhaolong + +[ Upstream commit b220bed63330c0e1733dc06ea8e75d5b9962b6b6 ] + +The CVE-2024-50047 fix removed asynchronous crypto handling from +crypt_message(), assuming all crypto operations are synchronous. +However, when hardware crypto accelerators are used, this can cause +use-after-free crashes: + + crypt_message() + // Allocate the creq buffer containing the req + creq = smb2_get_aead_req(..., &req); + + // Async encryption returns -EINPROGRESS immediately + rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); + + // Free creq while async operation is still in progress + kvfree_sensitive(creq, ...); + +Hardware crypto modules often implement async AEAD operations for +performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, +the operation completes asynchronously. Without crypto_wait_req(), +the function immediately frees the request buffer, leading to crashes +when the driver later accesses the freed memory. + +This results in a use-after-free condition when the hardware crypto +driver later accesses the freed request structure, leading to kernel +crashes with NULL pointer dereferences. + +The issue occurs because crypto_alloc_aead() with mask=0 doesn't +guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in +the mask, async implementations can be selected. + +Fix by restoring the async crypto handling: +- DECLARE_CRYPTO_WAIT(wait) for completion tracking +- aead_request_set_callback() for async completion notification +- crypto_wait_req() to wait for operation completion + +This ensures the request buffer isn't freed until the crypto operation +completes, whether synchronous or asynchronous, while preserving the +CVE-2024-50047 fix. + +Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption") +Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweicloud.com/ +Cc: stable@vger.kernel.org +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -4552,6 +4552,7 @@ crypt_message(struct TCP_Server_Info *se + u8 key[SMB3_ENC_DEC_KEY_SIZE]; + struct aead_request *req; + u8 *iv; ++ DECLARE_CRYPTO_WAIT(wait); + unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); + void *creq; + +@@ -4600,7 +4601,11 @@ crypt_message(struct TCP_Server_Info *se + aead_request_set_crypt(req, sg, sg, crypt_len, iv); + aead_request_set_ad(req, assoc_data_len); + +- rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); ++ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, ++ crypto_req_done, &wait); ++ ++ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) ++ : crypto_aead_decrypt(req), &wait); + + if (!rc && enc) + memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE); diff --git a/queue-5.15/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch b/queue-5.15/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch new file mode 100644 index 0000000000..7c920cb54a --- /dev/null +++ b/queue-5.15/smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch @@ -0,0 +1,42 @@ +From stable+bounces-169391-greg=kroah.com@vger.kernel.org Wed Aug 13 15:32:28 2025 +From: Sasha Levin +Date: Wed, 13 Aug 2025 09:32:18 -0400 +Subject: smb: server: Fix extension string in ksmbd_extract_shortname() +To: stable@vger.kernel.org +Cc: Thorsten Blum , Namjae Jeon , Steve French , Sasha Levin +Message-ID: <20250813133218.2035014-1-sashal@kernel.org> + +From: Thorsten Blum + +[ Upstream commit 8e7d178d06e8937454b6d2f2811fa6a15656a214 ] + +In ksmbd_extract_shortname(), strscpy() is incorrectly called with the +length of the source string (excluding the NUL terminator) rather than +the size of the destination buffer. This results in "__" being copied +to 'extension' rather than "___" (two underscores instead of three). + +Use the destination buffer size instead to ensure that the string "___" +(three underscores) is copied correctly. + +Cc: stable@vger.kernel.org +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Signed-off-by: Thorsten Blum +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ksmbd/smb_common.c ++++ b/fs/ksmbd/smb_common.c +@@ -508,7 +508,7 @@ int ksmbd_extract_shortname(struct ksmbd + + p = strrchr(longname, '.'); + if (p == longname) { /*name starts with a dot*/ +- strscpy(extension, "___", strlen("___")); ++ strscpy(extension, "___", sizeof(extension)); + } else { + if (p) { + p++; diff --git a/queue-5.15/usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch b/queue-5.15/usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..5135c4d88f --- /dev/null +++ b/queue-5.15/usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch @@ -0,0 +1,56 @@ +From sashal@kernel.org Thu Aug 21 19:55:15 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 13:55:11 -0400 +Subject: usb: dwc3: imx8mp: fix device leak at unbind +To: stable@vger.kernel.org +Cc: Johan Hovold , Li Jun , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250821175511.873013-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 086a0e516f7b3844e6328a5c69e2708b66b0ce18 ] + +Make sure to drop the reference to the dwc3 device taken by +of_find_device_by_node() on probe errors and on driver unbind. + +Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver") +Cc: stable@vger.kernel.org # 5.12 +Cc: Li Jun +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724091910.21092-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-imx8mp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/dwc3-imx8mp.c ++++ b/drivers/usb/dwc3/dwc3-imx8mp.c +@@ -183,7 +183,7 @@ static int dwc3_imx8mp_probe(struct plat + IRQF_ONESHOT, dev_name(dev), dwc3_imx); + if (err) { + dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err); +- goto depopulate; ++ goto put_dwc3; + } + + device_set_wakeup_capable(dev, true); +@@ -191,6 +191,8 @@ static int dwc3_imx8mp_probe(struct plat + + return 0; + ++put_dwc3: ++ put_device(&dwc3_imx->dwc3->dev); + depopulate: + of_platform_depopulate(dev); + err_node_put: +@@ -211,6 +213,8 @@ static int dwc3_imx8mp_remove(struct pla + struct dwc3_imx8mp *dwc3_imx = platform_get_drvdata(pdev); + struct device *dev = &pdev->dev; + ++ put_device(&dwc3_imx->dwc3->dev); ++ + pm_runtime_get_sync(dev); + of_platform_depopulate(dev); + diff --git a/queue-5.15/usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch b/queue-5.15/usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch new file mode 100644 index 0000000000..b2a697986f --- /dev/null +++ b/queue-5.15/usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch @@ -0,0 +1,102 @@ +From stable+bounces-164316-greg=kroah.com@vger.kernel.org Wed Jul 23 01:14:54 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 19:14:42 -0400 +Subject: usb: hub: avoid warm port reset during USB3 disconnect +To: stable@vger.kernel.org +Cc: Mathias Nyman , Mark Pearson , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250722231443.999927-1-sashal@kernel.org> + +From: Mathias Nyman + +[ Upstream commit f59f93cd1d720809466c7fd5aa16a236156c672b ] + +During disconnect USB-3 ports often go via SS.Inactive link error state +before the missing terminations are noticed, and link finally goes to +RxDetect state + +Avoid immediately warm-resetting ports in SS.Inactive state. +Let ports settle for a while and re-read the link status a few times 20ms +apart to see if the ports transitions out of SS.Inactive. + +According to USB 3.x spec 7.5.2, a port in SS.Inactive should +automatically check for missing far-end receiver termination every +12 ms (SSInactiveQuietTimeout) + +The futile multiple warm reset retries of a disconnected device takes +a lot of time, also the resetting of a removed devices has caused cases +where the reset bit got stuck for a long time on xHCI roothub. +This lead to issues in detecting new devices connected to the same port +shortly after. + +Tested-by: Mark Pearson +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211210111653.1378381-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 2521106fc732 ("usb: hub: Don't try to recover devices lost during warm reset.") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2857,6 +2857,8 @@ static unsigned hub_is_wusb(struct usb_h + #define PORT_INIT_TRIES 4 + #endif /* CONFIG_USB_FEW_INIT_RETRIES */ + ++#define DETECT_DISCONNECT_TRIES 5 ++ + #define HUB_ROOT_RESET_TIME 60 /* times are in msec */ + #define HUB_SHORT_RESET_TIME 10 + #define HUB_BH_RESET_TIME 50 +@@ -5681,6 +5683,7 @@ static void port_event(struct usb_hub *h + struct usb_device *udev = port_dev->child; + struct usb_device *hdev = hub->hdev; + u16 portstatus, portchange; ++ int i = 0; + + connect_change = test_bit(port1, hub->change_bits); + clear_bit(port1, hub->event_bits); +@@ -5757,17 +5760,27 @@ static void port_event(struct usb_hub *h + connect_change = 1; + + /* +- * Warm reset a USB3 protocol port if it's in +- * SS.Inactive state. +- */ +- if (hub_port_warm_reset_required(hub, port1, portstatus)) { +- dev_dbg(&port_dev->dev, "do warm reset\n"); +- if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) ++ * Avoid trying to recover a USB3 SS.Inactive port with a warm reset if ++ * the device was disconnected. A 12ms disconnect detect timer in ++ * SS.Inactive state transitions the port to RxDetect automatically. ++ * SS.Inactive link error state is common during device disconnect. ++ */ ++ while (hub_port_warm_reset_required(hub, port1, portstatus)) { ++ if ((i++ < DETECT_DISCONNECT_TRIES) && udev) { ++ u16 unused; ++ ++ msleep(20); ++ hub_port_status(hub, port1, &portstatus, &unused); ++ dev_dbg(&port_dev->dev, "Wait for inactive link disconnect detect\n"); ++ continue; ++ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) + || udev->state == USB_STATE_NOTATTACHED) { ++ dev_dbg(&port_dev->dev, "do warm reset, port only\n"); + if (hub_port_reset(hub, port1, NULL, + HUB_BH_RESET_TIME, true) < 0) + hub_port_disable(hub, port1, 1); + } else { ++ dev_dbg(&port_dev->dev, "do warm reset, full device\n"); + usb_unlock_port(port_dev); + usb_lock_device(udev); + usb_reset_device(udev); +@@ -5775,6 +5788,7 @@ static void port_event(struct usb_hub *h + usb_lock_port(port_dev); + connect_change = 0; + } ++ break; + } + + if (connect_change) diff --git a/queue-5.15/usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch b/queue-5.15/usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch new file mode 100644 index 0000000000..caa4bfa6be --- /dev/null +++ b/queue-5.15/usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch @@ -0,0 +1,91 @@ +From stable+bounces-164317-greg=kroah.com@vger.kernel.org Wed Jul 23 01:14:55 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 19:14:43 -0400 +Subject: usb: hub: Don't try to recover devices lost during warm reset. +To: stable@vger.kernel.org +Cc: "Mathias Nyman" , "Łukasz Bartosik" , "Alan Stern" , "Greg Kroah-Hartman" , "Sasha Levin" +Message-ID: <20250722231443.999927-2-sashal@kernel.org> + +From: Mathias Nyman + +[ Upstream commit 2521106fc732b0b75fd3555c689b1ed1d29d273c ] + +Hub driver warm-resets ports in SS.Inactive or Compliance mode to +recover a possible connected device. The port reset code correctly +detects if a connection is lost during reset, but hub driver +port_event() fails to take this into account in some cases. +port_event() ends up using stale values and assumes there is a +connected device, and will try all means to recover it, including +power-cycling the port. + +Details: +This case was triggered when xHC host was suspended with DbC (Debug +Capability) enabled and connected. DbC turns one xHC port into a simple +usb debug device, allowing debugging a system with an A-to-A USB debug +cable. + +xhci DbC code disables DbC when xHC is system suspended to D3, and +enables it back during resume. +We essentially end up with two hosts connected to each other during +suspend, and, for a short while during resume, until DbC is enabled back. +The suspended xHC host notices some activity on the roothub port, but +can't train the link due to being suspended, so xHC hardware sets a CAS +(Cold Attach Status) flag for this port to inform xhci host driver that +the port needs to be warm reset once xHC resumes. + +CAS is xHCI specific, and not part of USB specification, so xhci driver +tells usb core that the port has a connection and link is in compliance +mode. Recovery from complinace mode is similar to CAS recovery. + +xhci CAS driver support that fakes a compliance mode connection was added +in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS") + +Once xHCI resumes and DbC is enabled back, all activity on the xHC +roothub host side port disappears. The hub driver will anyway think +port has a connection and link is in compliance mode, and hub driver +will try to recover it. + +The port power-cycle during recovery seems to cause issues to the active +DbC connection. + +Fix this by clearing connect_change flag if hub_port_reset() returns +-ENOTCONN, thus avoiding the whole unnecessary port recovery and +initialization attempt. + +Cc: stable@vger.kernel.org +Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS") +Tested-by: Łukasz Bartosik +Signed-off-by: Mathias Nyman +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5684,6 +5684,7 @@ static void port_event(struct usb_hub *h + struct usb_device *hdev = hub->hdev; + u16 portstatus, portchange; + int i = 0; ++ int err; + + connect_change = test_bit(port1, hub->change_bits); + clear_bit(port1, hub->event_bits); +@@ -5776,8 +5777,11 @@ static void port_event(struct usb_hub *h + } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) + || udev->state == USB_STATE_NOTATTACHED) { + dev_dbg(&port_dev->dev, "do warm reset, port only\n"); +- if (hub_port_reset(hub, port1, NULL, +- HUB_BH_RESET_TIME, true) < 0) ++ err = hub_port_reset(hub, port1, NULL, ++ HUB_BH_RESET_TIME, true); ++ if (!udev && err == -ENOTCONN) ++ connect_change = 0; ++ else if (err < 0) + hub_port_disable(hub, port1, 1); + } else { + dev_dbg(&port_dev->dev, "do warm reset, full device\n"); diff --git a/queue-5.15/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch b/queue-5.15/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch new file mode 100644 index 0000000000..a105854ece --- /dev/null +++ b/queue-5.15/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch @@ -0,0 +1,60 @@ +From sashal@kernel.org Thu Aug 21 17:10:01 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 11:09:56 -0400 +Subject: usb: musb: omap2430: Convert to platform remove callback returning void +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "Greg Kroah-Hartman" , "Sasha Levin" +Message-ID: <20250821150957.756147-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is (mostly) ignored +and this typically results in resource leaks. To improve here there is a +quest to make the remove callback return void. In the first step of this +quest all drivers are converted to .remove_new() which already returns +void. + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/omap2430.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -435,14 +435,12 @@ err0: + return ret; + } + +-static int omap2430_remove(struct platform_device *pdev) ++static void omap2430_remove(struct platform_device *pdev) + { + struct omap2430_glue *glue = platform_get_drvdata(pdev); + + platform_device_unregister(glue->musb); + pm_runtime_disable(glue->dev); +- +- return 0; + } + + #ifdef CONFIG_PM +@@ -574,7 +572,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl + + static struct platform_driver omap2430_driver = { + .probe = omap2430_probe, +- .remove = omap2430_remove, ++ .remove_new = omap2430_remove, + .driver = { + .name = "musb-omap2430", + .pm = DEV_PM_OPS, diff --git a/queue-5.15/usb-musb-omap2430-fix-device-leak-at-unbind.patch b/queue-5.15/usb-musb-omap2430-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..36d2dfc776 --- /dev/null +++ b/queue-5.15/usb-musb-omap2430-fix-device-leak-at-unbind.patch @@ -0,0 +1,66 @@ +From sashal@kernel.org Thu Aug 21 17:10:02 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 11:09:57 -0400 +Subject: usb: musb: omap2430: fix device leak at unbind +To: stable@vger.kernel.org +Cc: Johan Hovold , Roger Quadros , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250821150957.756147-2-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ] + +Make sure to drop the reference to the control device taken by +of_find_device_by_node() during probe when the driver is unbound. + +Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()") +Cc: stable@vger.kernel.org # 3.13 +Cc: Roger Quadros +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +[ Removed populate_irqs-related goto changes ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/omap2430.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -406,13 +406,13 @@ static int omap2430_probe(struct platfor + ARRAY_SIZE(musb_resources)); + if (ret) { + dev_err(&pdev->dev, "failed to add resources\n"); +- goto err2; ++ goto err_put_control_otghs; + } + + ret = platform_device_add_data(musb, pdata, sizeof(*pdata)); + if (ret) { + dev_err(&pdev->dev, "failed to add platform_data\n"); +- goto err2; ++ goto err_put_control_otghs; + } + + pm_runtime_enable(glue->dev); +@@ -427,7 +427,9 @@ static int omap2430_probe(struct platfor + + err3: + pm_runtime_disable(glue->dev); +- ++err_put_control_otghs: ++ if (!IS_ERR(glue->control_otghs)) ++ put_device(glue->control_otghs); + err2: + platform_device_put(musb); + +@@ -441,6 +443,8 @@ static void omap2430_remove(struct platf + + platform_device_unregister(glue->musb); + pm_runtime_disable(glue->dev); ++ if (!IS_ERR(glue->control_otghs)) ++ put_device(glue->control_otghs); + } + + #ifdef CONFIG_PM diff --git a/queue-5.15/usb-typec-fusb302-cache-pd-rx-state.patch b/queue-5.15/usb-typec-fusb302-cache-pd-rx-state.patch new file mode 100644 index 0000000000..39d59f6b33 --- /dev/null +++ b/queue-5.15/usb-typec-fusb302-cache-pd-rx-state.patch @@ -0,0 +1,98 @@ +From stable+bounces-171665-greg=kroah.com@vger.kernel.org Tue Aug 19 00:46:57 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 18:46:47 -0400 +Subject: usb: typec: fusb302: cache PD RX state +To: stable@vger.kernel.org +Cc: Sebastian Reichel , stable , Heikki Krogerus , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250818224647.124559-1-sashal@kernel.org> + +From: Sebastian Reichel + +[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ] + +This patch fixes a race condition communication error, which ends up in +PD hard resets when losing the race. Some systems, like the Radxa ROCK +5B are powered through USB-C without any backup power source and use a +FUSB302 chip to do the PD negotiation. This means it is quite important +to avoid hard resets, since that effectively kills the system's +power-supply. + +I've found the following race condition while debugging unplanned power +loss during booting the board every now and then: + +1. lots of TCPM/FUSB302/PD initialization stuff +2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) +3. the remote PD source does not send anything, so TCPM does a SOFT RESET +4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time + (tcpm_set_pd_rx is enabled again, even though it is still on) + +At this point I've seen broken CRC good messages being send by the +FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like +messages are being lost and things generally going haywire with one of +the two sides doing a hard reset once a broken CRC good message was send +to the bus. + +I think the system is running into a race condition, that the FIFOs are +being cleared and/or the automatic good CRC message generation flag is +being updated while a message is already arriving. + +Let's avoid this by caching the PD RX enabled state, as we have already +processed anything in the FIFOs and are in a good state. As a side +effect that this also optimizes I2C bus usage :) + +As far as I can tell the problem theoretically also exists when TCPM +enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less +critical for the following reason: + +On devices like the ROCK 5B, which are powered through a TCPM backed +USB-C port, the bootloader must have done some prior PD communication +(initial communication must happen within 5 seconds after plugging the +USB-C plug). This means the first time the kernel TCPM state machine +reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages +actively. On other devices a hard reset simply adds some extra delay and +things should be good afterwards. + +Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") +Cc: stable +Signed-off-by: Sebastian Reichel +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org +Signed-off-by: Greg Kroah-Hartman +[ replaced str_on_off(on) with ternary operator ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/typec/tcpm/fusb302.c ++++ b/drivers/usb/typec/tcpm/fusb302.c +@@ -103,6 +103,7 @@ struct fusb302_chip { + bool vconn_on; + bool vbus_on; + bool charge_on; ++ bool pd_rx_on; + bool vbus_present; + enum typec_cc_polarity cc_polarity; + enum typec_cc_status cc1; +@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de + int ret = 0; + + mutex_lock(&chip->lock); ++ if (chip->pd_rx_on == on) { ++ fusb302_log(chip, "pd is already %s", on ? "on" : "off"); ++ goto done; ++ } ++ + ret = fusb302_pd_rx_flush(chip); + if (ret < 0) { + fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); +@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de + on ? "on" : "off", ret); + goto done; + } ++ ++ chip->pd_rx_on = on; + fusb302_log(chip, "pd := %s", on ? "on" : "off"); + done: + mutex_unlock(&chip->lock); diff --git a/queue-5.15/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch b/queue-5.15/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch new file mode 100644 index 0000000000..d049dfd6c3 --- /dev/null +++ b/queue-5.15/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch @@ -0,0 +1,62 @@ +From stable+bounces-169434-greg=kroah.com@vger.kernel.org Wed Aug 13 18:05:56 2025 +From: Sasha Levin +Date: Wed, 13 Aug 2025 11:59:47 -0400 +Subject: x86/fpu: Delay instruction pointer fixup until after warning +To: stable@vger.kernel.org +Cc: Dave Hansen , Chao Gao , Alison Schofield , Peter Zijlstra , Sasha Levin +Message-ID: <20250813155947.2053690-1-sashal@kernel.org> + +From: Dave Hansen + +[ Upstream commit 1cec9ac2d071cfd2da562241aab0ef701355762a ] + +Right now, if XRSTOR fails a console message like this is be printed: + + Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers. + +However, the text location (...+0x9a in this case) is the instruction +*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump +also points one instruction late. + +The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and +keep on running after returning from the #GP handler. But it does this +fixup before warning. + +The resulting warning output is nonsensical because it looks like the +non-FPU-related instruction is #GP'ing. + +Do not fix up RIP until after printing the warning. Do this by using +the more generic and standard ex_handler_default(). + +Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails") +Signed-off-by: Dave Hansen +Reviewed-by: Chao Gao +Acked-by: Alison Schofield +Acked-by: Peter Zijlstra (Intel) +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com +[ Replace fpu_reset_from_exception_fixup() with __restore_fpregs_from_fpstate() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/extable.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/x86/mm/extable.c ++++ b/arch/x86/mm/extable.c +@@ -60,13 +60,12 @@ static bool ex_handler_fault(const struc + static bool ex_handler_fprestore(const struct exception_table_entry *fixup, + struct pt_regs *regs) + { +- regs->ip = ex_fixup_addr(fixup); +- + WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.", + (void *)instruction_pointer(regs)); + + __restore_fpregs_from_fpstate(&init_fpstate, xfeatures_mask_fpstate()); +- return true; ++ ++ return ex_handler_default(fixup, regs); + } + + static bool ex_handler_uaccess(const struct exception_table_entry *fixup, diff --git a/queue-5.15/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch b/queue-5.15/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch new file mode 100644 index 0000000000..78af2126f8 --- /dev/null +++ b/queue-5.15/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch @@ -0,0 +1,62 @@ +From stable+bounces-164362-greg=kroah.com@vger.kernel.org Wed Jul 23 05:57:32 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 23:57:21 -0400 +Subject: x86/mce/amd: Add default names for MCA banks and blocks +To: stable@vger.kernel.org +Cc: Yazen Ghannam , Borislav Petkov , Sasha Levin +Message-ID: <20250723035721.1044134-1-sashal@kernel.org> + +From: Yazen Ghannam + +[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ] + +Ensure that sysfs init doesn't fail for new/unrecognized bank types or if +a bank has additional blocks available. + +Most MCA banks have a single thresholding block, so the block takes the same +name as the bank. + +Unified Memory Controllers (UMCs) are a special case where there are two +blocks and each has a unique name. + +However, the microarchitecture allows for five blocks. Any new MCA bank types +with more than one block will be missing names for the extra blocks. The MCE +sysfs will fail to initialize in this case. + +Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems") +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/cpu/mce/amd.c ++++ b/arch/x86/kernel/cpu/mce/amd.c +@@ -1228,13 +1228,20 @@ static const char *get_name(unsigned int + } + + bank_type = smca_get_bank_type(bank); +- if (bank_type >= N_SMCA_BANK_TYPES) +- return NULL; + + if (b && bank_type == SMCA_UMC) { + if (b->block < ARRAY_SIZE(smca_umc_block_names)) + return smca_umc_block_names[b->block]; +- return NULL; ++ } ++ ++ if (b && b->block) { ++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block); ++ return buf_mcatype; ++ } ++ ++ if (bank_type >= N_SMCA_BANK_TYPES) { ++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank); ++ return buf_mcatype; + } + + if (smca_banks[bank].hwid->count == 1)