From: Greg Kroah-Hartman Date: Mon, 21 Jul 2025 11:06:41 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v6.1.147~79 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a87bdcc2596c67382ad892bb42a0eff4b742a179;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch alsa-hda-realtek-add-quirk-for-asus-rog-strix-g712lws.patch alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r0xxx.patch arm64-dts-add-big-endian-property-back-into-watchdog-node.patch arm64-dts-freescale-imx8mm-verdin-keep-ldo5-always-on.patch arm64-dts-imx8mp-venice-gw71xx-fix-tpm-spi-frequency.patch arm64-dts-imx8mp-venice-gw72xx-fix-tpm-spi-frequency.patch arm64-dts-imx8mp-venice-gw73xx-fix-tpm-spi-frequency.patch arm64-dts-imx8mp-venice-gw74xx-fix-tpm-spi-frequency.patch arm64-dts-rockchip-list-all-cpu-supplies-on-armsom-sige5.patch arm64-dts-rockchip-use-cs-gpios-for-spi1-on-ringneck.patch bluetooth-btintel-check-if-controller-is-iso-capable-on-btintel_classify_pkt_type.patch cpuidle-psci-fix-cpuhotplug-routine-with-preempt_rt-y.patch dmaengine-mediatek-fix-a-flag-reuse-error-in-mtk_cqdma_tx_status.patch dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch drm-amd-display-disable-crtc-degamma-lut-for-dcn401.patch drm-amd-display-free-memory-allocation.patch drm-amdgpu-gfx8-reset-compute-ring-wptr-on-the-gpu-on-resume.patch drm-amdgpu-increase-reset-counter-only-on-success.patch drm-panfrost-fix-scheduler-workqueue-bug.patch fix-smb311-posix-special-file-creation-to-servers-which-do-not-advertise-reparse-support.patch io_uring-poll-fix-pollerr-handling.patch isofs-verify-inode-mode-when-loading-from-disk.patch memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch mmc-sdhci_am654-workaround-for-errata-i2312.patch mptcp-make-fallback-action-and-fallback-decision-atomic.patch mptcp-plug-races-between-subflow-fail-and-subflow-creation.patch mptcp-reset-fallback-status-gracefully-at-disconnect-time.patch net-libwx-fix-the-using-of-rx-buffer-dma.patch net-libwx-properly-reset-rx-ring-descriptor.patch net-libwx-remove-duplicate-page_pool_put_full_page.patch net-mlx5-update-the-list-of-the-pci-supported-devices.patch net-stmmac-intel-populate-entire-system_counterval_t-in-get_time_fn-callback.patch netfs-fix-copy-to-cache-so-that-it-performs-collection-with-ceph-fscache.patch netfs-fix-race-between-cache-write-completion-and-all_queued-being-set.patch phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch --- diff --git a/queue-6.15/af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch b/queue-6.15/af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch new file mode 100644 index 0000000000..e686a8aa79 --- /dev/null +++ b/queue-6.15/af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch @@ -0,0 +1,103 @@ +From 55f0bfc0370539213202f4ce1a07615327ac4713 Mon Sep 17 00:00:00 2001 +From: Yun Lu +Date: Fri, 11 Jul 2025 17:33:00 +0800 +Subject: af_packet: fix soft lockup issue caused by tpacket_snd() + +From: Yun Lu + +commit 55f0bfc0370539213202f4ce1a07615327ac4713 upstream. + +When MSG_DONTWAIT is not set, the tpacket_snd operation will wait for +pending_refcnt to decrement to zero before returning. The pending_refcnt +is decremented by 1 when the skb->destructor function is called, +indicating that the skb has been successfully sent and needs to be +destroyed. + +If an error occurs during this process, the tpacket_snd() function will +exit and return error, but pending_refcnt may not yet have decremented to +zero. Assuming the next send operation is executed immediately, but there +are no available frames to be sent in tx_ring (i.e., packet_current_frame +returns NULL), and skb is also NULL, the function will not execute +wait_for_completion_interruptible_timeout() to yield the CPU. Instead, it +will enter a do-while loop, waiting for pending_refcnt to be zero. Even +if the previous skb has completed transmission, the skb->destructor +function can only be invoked in the ksoftirqd thread (assuming NAPI +threading is enabled). When both the ksoftirqd thread and the tpacket_snd +operation happen to run on the same CPU, and the CPU trapped in the +do-while loop without yielding, the ksoftirqd thread will not get +scheduled to run. As a result, pending_refcnt will never be reduced to +zero, and the do-while loop cannot exit, eventually leading to a CPU soft +lockup issue. + +In fact, skb is true for all but the first iterations of that loop, and +as long as pending_refcnt is not zero, even if incremented by a previous +call, wait_for_completion_interruptible_timeout() should be executed to +yield the CPU, allowing the ksoftirqd thread to be scheduled. Therefore, +the execution condition of this function should be modified to check if +pending_refcnt is not zero, instead of check skb. + +- if (need_wait && skb) { ++ if (need_wait && packet_read_pending(&po->tx_ring)) { + +As a result, the judgment conditions are duplicated with the end code of +the while loop, and packet_read_pending() is a very expensive function. +Actually, this loop can only exit when ph is NULL, so the loop condition +can be changed to while (1), and in the "ph = NULL" branch, if the +subsequent condition of if is not met, the loop can break directly. Now, +the loop logic remains the same as origin but is clearer and more obvious. + +Fixes: 89ed5b519004 ("af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET") +Cc: stable@kernel.org +Suggested-by: LongJun Tang +Signed-off-by: Yun Lu +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2846,15 +2846,21 @@ static int tpacket_snd(struct packet_soc + ph = packet_current_frame(po, &po->tx_ring, + TP_STATUS_SEND_REQUEST); + if (unlikely(ph == NULL)) { +- if (need_wait && skb) { ++ /* Note: packet_read_pending() might be slow if we ++ * have to call it as it's per_cpu variable, but in ++ * fast-path we don't have to call it, only when ph ++ * is NULL, we need to check the pending_refcnt. ++ */ ++ if (need_wait && packet_read_pending(&po->tx_ring)) { + timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo); + if (timeo <= 0) { + err = !timeo ? -ETIMEDOUT : -ERESTARTSYS; + goto out_put; + } +- } +- /* check for additional frames */ +- continue; ++ /* check for additional frames */ ++ continue; ++ } else ++ break; + } + + skb = NULL; +@@ -2943,14 +2949,7 @@ tpacket_error: + } + packet_increment_head(&po->tx_ring); + len_sum += tp_len; +- } while (likely((ph != NULL) || +- /* Note: packet_read_pending() might be slow if we have +- * to call it as it's per_cpu variable, but in fast-path +- * we already short-circuit the loop with the first +- * condition, and luckily don't have to go that path +- * anyway. +- */ +- (need_wait && packet_read_pending(&po->tx_ring)))); ++ } while (1); + + err = len_sum; + goto out_put; diff --git a/queue-6.15/af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch b/queue-6.15/af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch new file mode 100644 index 0000000000..0f3a1b17a0 --- /dev/null +++ b/queue-6.15/af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch @@ -0,0 +1,59 @@ +From c1ba3c0cbdb5e53a8ec5d708e99cd4c497028a13 Mon Sep 17 00:00:00 2001 +From: Yun Lu +Date: Fri, 11 Jul 2025 17:32:59 +0800 +Subject: af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() + +From: Yun Lu + +commit c1ba3c0cbdb5e53a8ec5d708e99cd4c497028a13 upstream. + +Due to the changes in commit 581073f626e3 ("af_packet: do not call +packet_read_pending() from tpacket_destruct_skb()"), every time +tpacket_destruct_skb() is executed, the skb_completion is marked as +completed. When wait_for_completion_interruptible_timeout() returns +completed, the pending_refcnt has not yet been reduced to zero. +Therefore, when ph is NULL, the wait function may need to be called +multiple times until packet_read_pending() finally returns zero. + +We should call sock_sndtimeo() only once, otherwise the SO_SNDTIMEO +constraint could be way off. + +Fixes: 581073f626e3 ("af_packet: do not call packet_read_pending() from tpacket_destruct_skb()") +Cc: stable@kernel.org +Suggested-by: Eric Dumazet +Signed-off-by: Yun Lu +Reviewed-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2785,7 +2785,7 @@ static int tpacket_snd(struct packet_soc + int len_sum = 0; + int status = TP_STATUS_AVAILABLE; + int hlen, tlen, copylen = 0; +- long timeo = 0; ++ long timeo; + + mutex_lock(&po->pg_vec_lock); + +@@ -2839,6 +2839,7 @@ static int tpacket_snd(struct packet_soc + if ((size_max > dev->mtu + reserve + VLAN_HLEN) && !vnet_hdr_sz) + size_max = dev->mtu + reserve + VLAN_HLEN; + ++ timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT); + reinit_completion(&po->skb_completion); + + do { +@@ -2846,7 +2847,6 @@ static int tpacket_snd(struct packet_soc + TP_STATUS_SEND_REQUEST); + if (unlikely(ph == NULL)) { + if (need_wait && skb) { +- timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT); + timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo); + if (timeo <= 0) { + err = !timeo ? -ETIMEDOUT : -ERESTARTSYS; diff --git a/queue-6.15/alsa-hda-realtek-add-quirk-for-asus-rog-strix-g712lws.patch b/queue-6.15/alsa-hda-realtek-add-quirk-for-asus-rog-strix-g712lws.patch new file mode 100644 index 0000000000..7fda0c6157 --- /dev/null +++ b/queue-6.15/alsa-hda-realtek-add-quirk-for-asus-rog-strix-g712lws.patch @@ -0,0 +1,32 @@ +From e201c19ddeed6b37f05617e529d8efa079657ed7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 15 Jul 2025 08:29:04 +0200 +Subject: ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS + +From: Takashi Iwai + +commit e201c19ddeed6b37f05617e529d8efa079657ed7 upstream. + +ASUS ROG Strix G712LWS (PCI SSID 1043:1a83) requires the quirk for +ALC294 headset mode in order to make the speaker and headset I/O +working properly. + +Cc: +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220334 +Link: https://patch.msgid.link/20250715062906.11857-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10983,6 +10983,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW), + SND_PCI_QUIRK(0x1043, 0x1a63, "ASUS UX3405MA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1a83, "ASUS UM5302LA", ALC294_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x1043, 0x1a8e, "ASUS G712LWS", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x1043, 0x1a8f, "ASUS UX582ZS", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1b11, "ASUS UX431DA", ALC294_FIXUP_ASUS_COEF_1B), + SND_PCI_QUIRK(0x1043, 0x1b13, "ASUS U41SV/GA403U", ALC285_FIXUP_ASUS_GA403U_HEADSET_MIC), diff --git a/queue-6.15/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r0xxx.patch b/queue-6.15/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r0xxx.patch new file mode 100644 index 0000000000..241d2123fe --- /dev/null +++ b/queue-6.15/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r0xxx.patch @@ -0,0 +1,34 @@ +From d9b99eb3d76a603442311926617654f0e35581d4 Mon Sep 17 00:00:00 2001 +From: Edip Hazuri +Date: Thu, 10 Jul 2025 16:18:12 +0300 +Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-r0xxx + +From: Edip Hazuri + +commit d9b99eb3d76a603442311926617654f0e35581d4 upstream. + +The mute led on this laptop is using ALC245 but requires a quirk to work +This patch enables the existing quirk for the device. + +Tested on Victus 16-r0xxx Laptop. The LED behaviour works +as intended. + +Cc: +Signed-off-by: Edip Hazuri +Link: https://patch.msgid.link/20250710131812.27509-1-edip@medip.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10791,6 +10791,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x103c, 0x8b97, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8bb3, "HP Slim OMEN", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8bb4, "HP Slim OMEN", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8bbe, "HP Victus 16-r0xxx (MB 8BBE)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8bc8, "HP Victus 15-fa1xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8bcd, "HP Omen 16-xd0xxx", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8bdd, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), diff --git a/queue-6.15/arm64-dts-add-big-endian-property-back-into-watchdog-node.patch b/queue-6.15/arm64-dts-add-big-endian-property-back-into-watchdog-node.patch new file mode 100644 index 0000000000..19e5c2dbf2 --- /dev/null +++ b/queue-6.15/arm64-dts-add-big-endian-property-back-into-watchdog-node.patch @@ -0,0 +1,44 @@ +From 720fd1cbc0a0f3acdb26aedb3092ab10fe05e7ae Mon Sep 17 00:00:00 2001 +From: Meng Li +Date: Sun, 8 Jun 2025 11:06:16 +0800 +Subject: arm64: dts: add big-endian property back into watchdog node + +From: Meng Li + +commit 720fd1cbc0a0f3acdb26aedb3092ab10fe05e7ae upstream. + +Watchdog doesn't work on NXP ls1046ardb board because in commit +7c8ffc5555cb("arm64: dts: layerscape: remove big-endian for mmc nodes"), +it intended to remove the big-endian from mmc node, but the big-endian of +watchdog node is also removed by accident. So, add watchdog big-endian +property back. + +In addition, add compatible string fsl,ls1046a-wdt, which allow big-endian +property. + +Fixes: 7c8ffc5555cb ("arm64: dts: layerscape: remove big-endian for mmc nodes") +Cc: stable@vger.kernel.org +Signed-off-by: Meng Li +Reviewed-by: Ahmad Fatoum +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi ++++ b/arch/arm64/boot/dts/freescale/fsl-ls1046a.dtsi +@@ -687,11 +687,12 @@ + }; + + wdog0: watchdog@2ad0000 { +- compatible = "fsl,imx21-wdt"; ++ compatible = "fsl,ls1046a-wdt", "fsl,imx21-wdt"; + reg = <0x0 0x2ad0000 0x0 0x10000>; + interrupts = ; + clocks = <&clockgen QORIQ_CLK_PLATFORM_PLL + QORIQ_CLK_PLL_DIV(2)>; ++ big-endian; + }; + + edma0: dma-controller@2c00000 { diff --git a/queue-6.15/arm64-dts-freescale-imx8mm-verdin-keep-ldo5-always-on.patch b/queue-6.15/arm64-dts-freescale-imx8mm-verdin-keep-ldo5-always-on.patch new file mode 100644 index 0000000000..166cec80e1 --- /dev/null +++ b/queue-6.15/arm64-dts-freescale-imx8mm-verdin-keep-ldo5-always-on.patch @@ -0,0 +1,45 @@ +From fbe94be09fa81343d623a86ec64a742759b669b3 Mon Sep 17 00:00:00 2001 +From: Francesco Dolcini +Date: Mon, 23 Jun 2025 15:25:45 +0200 +Subject: arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on + +From: Francesco Dolcini + +commit fbe94be09fa81343d623a86ec64a742759b669b3 upstream. + +LDO5 regulator is used to power the i.MX8MM NVCC_SD2 I/O supply, that is +used for the SD2 card interface and also for some GPIOs. + +When the SD card interface is not enabled the regulator subsystem could +turn off this supply, since it is not used anywhere else, however this +will also remove the power to some other GPIOs, for example one I/O that +is used to power the ethernet phy, leading to a non working ethernet +interface. + +[ 31.820515] On-module +V3.3_1.8_SD (LDO5): disabling +[ 31.821761] PMIC_USDHC_VSELECT: disabling +[ 32.764949] fec 30be0000.ethernet end0: Link is Down + +Fix this keeping the LDO5 supply always on. + +Cc: stable@vger.kernel.org +Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini") +Fixes: f5aab0438ef1 ("regulator: pca9450: Fix enable register for LDO5") +Signed-off-by: Francesco Dolcini +Reviewed-by: Frank Li +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +@@ -464,6 +464,7 @@ + }; + + reg_nvcc_sd: LDO5 { ++ regulator-always-on; + regulator-max-microvolt = <3300000>; + regulator-min-microvolt = <1800000>; + regulator-name = "On-module +V3.3_1.8_SD (LDO5)"; diff --git a/queue-6.15/arm64-dts-imx8mp-venice-gw71xx-fix-tpm-spi-frequency.patch b/queue-6.15/arm64-dts-imx8mp-venice-gw71xx-fix-tpm-spi-frequency.patch new file mode 100644 index 0000000000..8a0751aa18 --- /dev/null +++ b/queue-6.15/arm64-dts-imx8mp-venice-gw71xx-fix-tpm-spi-frequency.patch @@ -0,0 +1,38 @@ +From 528e2d3125ad8d783e922033a0a8e2adb17b400e Mon Sep 17 00:00:00 2001 +From: Tim Harvey +Date: Wed, 4 Jun 2025 15:56:27 -0700 +Subject: arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency + +From: Tim Harvey + +commit 528e2d3125ad8d783e922033a0a8e2adb17b400e upstream. + +The IMX8MPDS Table 37 [1] shows that the max SPI master read frequency +depends on the pins the interface is muxed behind with ECSPI2 +muxed behind ECSPI2 supporting up to 25MHz. + +Adjust the spi-max-frequency based on these findings. + +[1] https://www.nxp.com/webapp/Download?colCode=IMX8MPIEC + +Fixes: 1a8f6ff6a291 ("arm64: dts: imx8mp-venice-gw71xx: add TPM device") +Cc: stable@vger.kernel.org +Signed-off-by: Tim Harvey +Link: https://lore.kernel.org/stable/20250523173723.4167474-1-tharvey%40gateworks.com +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mp-venice-gw71xx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw71xx.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw71xx.dtsi +@@ -70,7 +70,7 @@ + tpm@1 { + compatible = "atmel,attpm20p", "tcg,tpm_tis-spi"; + reg = <0x1>; +- spi-max-frequency = <36000000>; ++ spi-max-frequency = <25000000>; + }; + }; + diff --git a/queue-6.15/arm64-dts-imx8mp-venice-gw72xx-fix-tpm-spi-frequency.patch b/queue-6.15/arm64-dts-imx8mp-venice-gw72xx-fix-tpm-spi-frequency.patch new file mode 100644 index 0000000000..388c13d060 --- /dev/null +++ b/queue-6.15/arm64-dts-imx8mp-venice-gw72xx-fix-tpm-spi-frequency.patch @@ -0,0 +1,37 @@ +From b25344753c53a5524ba80280ce68f2046e559ce0 Mon Sep 17 00:00:00 2001 +From: Tim Harvey +Date: Wed, 4 Jun 2025 15:56:28 -0700 +Subject: arm64: dts: imx8mp-venice-gw72xx: fix TPM SPI frequency + +From: Tim Harvey + +commit b25344753c53a5524ba80280ce68f2046e559ce0 upstream. + +The IMX8MPDS Table 37 [1] shows that the max SPI master read frequency +depends on the pins the interface is muxed behind with ECSPI2 +muxed behind ECSPI2 supporting up to 25MHz. + +Adjust the spi-max-frequency based on these findings. + +[1] https://www.nxp.com/webapp/Download?colCode=IMX8MPIEC + +Fixes: 5016f22028e4 ("arm64: dts: imx8mp-venice-gw72xx: add TPM device") +Cc: stable@vger.kernel.org +Signed-off-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi +@@ -110,7 +110,7 @@ + tpm@1 { + compatible = "atmel,attpm20p", "tcg,tpm_tis-spi"; + reg = <0x1>; +- spi-max-frequency = <36000000>; ++ spi-max-frequency = <25000000>; + }; + }; + diff --git a/queue-6.15/arm64-dts-imx8mp-venice-gw73xx-fix-tpm-spi-frequency.patch b/queue-6.15/arm64-dts-imx8mp-venice-gw73xx-fix-tpm-spi-frequency.patch new file mode 100644 index 0000000000..0f6addcbff --- /dev/null +++ b/queue-6.15/arm64-dts-imx8mp-venice-gw73xx-fix-tpm-spi-frequency.patch @@ -0,0 +1,37 @@ +From 1fc02c2086003c5fdaa99cde49a987992ff1aae4 Mon Sep 17 00:00:00 2001 +From: Tim Harvey +Date: Wed, 4 Jun 2025 15:56:29 -0700 +Subject: arm64: dts: imx8mp-venice-gw73xx: fix TPM SPI frequency + +From: Tim Harvey + +commit 1fc02c2086003c5fdaa99cde49a987992ff1aae4 upstream. + +The IMX8MPDS Table 37 [1] shows that the max SPI master read frequency +depends on the pins the interface is muxed behind with ECSPI2 +muxed behind ECSPI2 supporting up to 25MHz. + +Adjust the spi-max-frequency based on these findings. + +[1] https://www.nxp.com/webapp/Download?colCode=IMX8MPIEC + +Fixes: 2b3ab9d81ab4 ("arm64: dts: imx8mp-venice-gw73xx: add TPM device") +Cc: stable@vger.kernel.org +Signed-off-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw73xx.dtsi +@@ -122,7 +122,7 @@ + tpm@1 { + compatible = "atmel,attpm20p", "tcg,tpm_tis-spi"; + reg = <0x1>; +- spi-max-frequency = <36000000>; ++ spi-max-frequency = <25000000>; + }; + }; + diff --git a/queue-6.15/arm64-dts-imx8mp-venice-gw74xx-fix-tpm-spi-frequency.patch b/queue-6.15/arm64-dts-imx8mp-venice-gw74xx-fix-tpm-spi-frequency.patch new file mode 100644 index 0000000000..9f92738fd1 --- /dev/null +++ b/queue-6.15/arm64-dts-imx8mp-venice-gw74xx-fix-tpm-spi-frequency.patch @@ -0,0 +1,37 @@ +From 0bdaca0922175478ddeadf8e515faa5269f6fae6 Mon Sep 17 00:00:00 2001 +From: Tim Harvey +Date: Wed, 4 Jun 2025 15:56:30 -0700 +Subject: arm64: dts: imx8mp-venice-gw74xx: fix TPM SPI frequency + +From: Tim Harvey + +commit 0bdaca0922175478ddeadf8e515faa5269f6fae6 upstream. + +The IMX8MPDS Table 37 [1] shows that the max SPI master read frequency +depends on the pins the interface is muxed behind with ECSPI2 +muxed behind ECSPI2 supporting up to 25MHz. + +Adjust the spi-max-frequency based on these findings. + +[1] https://www.nxp.com/webapp/Download?colCode=IMX8MPIEC + +Fixes: 531936b218d8 ("arm64: dts: imx8mp-venice-gw74xx: update to revB PCB") +Cc: stable@vger.kernel.org +Signed-off-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw74xx.dts +@@ -201,7 +201,7 @@ + tpm@0 { + compatible = "atmel,attpm20p", "tcg,tpm_tis-spi"; + reg = <0x0>; +- spi-max-frequency = <36000000>; ++ spi-max-frequency = <25000000>; + }; + }; + diff --git a/queue-6.15/arm64-dts-rockchip-list-all-cpu-supplies-on-armsom-sige5.patch b/queue-6.15/arm64-dts-rockchip-list-all-cpu-supplies-on-armsom-sige5.patch new file mode 100644 index 0000000000..af4e2fe9a9 --- /dev/null +++ b/queue-6.15/arm64-dts-rockchip-list-all-cpu-supplies-on-armsom-sige5.patch @@ -0,0 +1,75 @@ +From c76bcc7d1f24e90a2d7b98d1e523d7524269fc56 Mon Sep 17 00:00:00 2001 +From: Alexey Charkov +Date: Sat, 14 Jun 2025 22:14:33 +0400 +Subject: arm64: dts: rockchip: list all CPU supplies on ArmSoM Sige5 + +From: Alexey Charkov + +commit c76bcc7d1f24e90a2d7b98d1e523d7524269fc56 upstream. + +List both CPU supply regulators which drive the little and big CPU +clusters, respectively, so that cpufreq can pick them up. + +Without this patch the cpufreq governor attempts to raise the big CPU +frequency under high load, while its supply voltage stays at 850000 uV. +This causes system instability and, in my case, random reboots. + +With this patch, supply voltages are adjusted in step with frequency +changes from 700000-737000 uV in idle to 950000 uV under full load, +and the system appears to be stable. + +While at this, list all CPU supplies for completeness. + +Cc: stable@vger.kernel.org +Fixes: 40f742b07ab2 ("arm64: dts: rockchip: Add rk3576-armsom-sige5 board") +Reviewed-by: Nicolas Frattaroli +Tested-by: Nicolas Frattaroli +Signed-off-by: Alexey Charkov +Link: https://lore.kernel.org/r/20250614-sige5-updates-v2-1-3bb31b02623c@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts | 28 +++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts +@@ -177,10 +177,38 @@ + }; + }; + ++&cpu_b0 { ++ cpu-supply = <&vdd_cpu_big_s0>; ++}; ++ ++&cpu_b1 { ++ cpu-supply = <&vdd_cpu_big_s0>; ++}; ++ ++&cpu_b2 { ++ cpu-supply = <&vdd_cpu_big_s0>; ++}; ++ ++&cpu_b3 { ++ cpu-supply = <&vdd_cpu_big_s0>; ++}; ++ + &cpu_l0 { + cpu-supply = <&vdd_cpu_lit_s0>; + }; + ++&cpu_l1 { ++ cpu-supply = <&vdd_cpu_lit_s0>; ++}; ++ ++&cpu_l2 { ++ cpu-supply = <&vdd_cpu_lit_s0>; ++}; ++ ++&cpu_l3 { ++ cpu-supply = <&vdd_cpu_lit_s0>; ++}; ++ + &gmac0 { + phy-mode = "rgmii-id"; + clock_in_out = "output"; diff --git a/queue-6.15/arm64-dts-rockchip-use-cs-gpios-for-spi1-on-ringneck.patch b/queue-6.15/arm64-dts-rockchip-use-cs-gpios-for-spi1-on-ringneck.patch new file mode 100644 index 0000000000..dc5f46053a --- /dev/null +++ b/queue-6.15/arm64-dts-rockchip-use-cs-gpios-for-spi1-on-ringneck.patch @@ -0,0 +1,92 @@ +From 53b6445ad08f07b6f4a84f1434f543196009ed89 Mon Sep 17 00:00:00 2001 +From: Jakob Unterwurzacher +Date: Fri, 27 Jun 2025 15:17:12 +0200 +Subject: arm64: dts: rockchip: use cs-gpios for spi1 on ringneck +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakob Unterwurzacher + +commit 53b6445ad08f07b6f4a84f1434f543196009ed89 upstream. + +Hardware CS has a very slow rise time of about 6us, +causing transmission errors when CS does not reach +high between transaction. + +It looks like it's not driven actively when transitioning +from low to high but switched to input, so only the CPU +pull-up pulls it high, slowly. Transitions from high to low +are fast. On the oscilloscope, CS looks like an irregular sawtooth +pattern like this: + _____ + ^ / | + ^ /| / | + /| / | / | + / | / | / | +___/ |___/ |_____/ |___ + +With cs-gpios we have a CS rise time of about 20ns, as it should be, +and CS looks rectangular. + +This fixes the data errors when running a flashcp loop against a +m25p40 spi flash. + +With the Rockchip 6.1 kernel we see the same slow rise time, but +for some reason CS is always high for long enough to reach a solid +high. + +The RK3399 and RK3588 SoCs use the same SPI driver, so we also +checked our "Puma" (RK3399) and "Tiger" (RK3588) boards. +They do not have this problem. Hardware CS rise time is good. + +Fixes: c484cf93f61b ("arm64: dts: rockchip: add PX30-µQ7 (Ringneck) SoM with Haikou baseboard") +Cc: stable@vger.kernel.org +Reviewed-by: Quentin Schulz +Signed-off-by: Jakob Unterwurzacher +Link: https://lore.kernel.org/r/20250627131715.1074308-1-jakob.unterwurzacher@cherry.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi ++++ b/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi +@@ -363,6 +363,18 @@ + <0 RK_PA7 RK_FUNC_GPIO &pcfg_pull_up>; + }; + }; ++ ++ spi1 { ++ spi1_csn0_gpio_pin: spi1-csn0-gpio-pin { ++ rockchip,pins = ++ <3 RK_PB1 RK_FUNC_GPIO &pcfg_pull_up_4ma>; ++ }; ++ ++ spi1_csn1_gpio_pin: spi1-csn1-gpio-pin { ++ rockchip,pins = ++ <3 RK_PB2 RK_FUNC_GPIO &pcfg_pull_up_4ma>; ++ }; ++ }; + }; + + &pmu_io_domains { +@@ -380,6 +392,17 @@ + vqmmc-supply = <&vccio_sd>; + }; + ++&spi1 { ++ /* ++ * Hardware CS has a very slow rise time of about 6us, ++ * causing transmission errors. ++ * With cs-gpios we have a rise time of about 20ns. ++ */ ++ cs-gpios = <&gpio3 RK_PB1 GPIO_ACTIVE_LOW>, <&gpio3 RK_PB2 GPIO_ACTIVE_LOW>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&spi1_clk &spi1_csn0_gpio_pin &spi1_csn1_gpio_pin &spi1_miso &spi1_mosi>; ++}; ++ + &tsadc { + status = "okay"; + }; diff --git a/queue-6.15/bluetooth-btintel-check-if-controller-is-iso-capable-on-btintel_classify_pkt_type.patch b/queue-6.15/bluetooth-btintel-check-if-controller-is-iso-capable-on-btintel_classify_pkt_type.patch new file mode 100644 index 0000000000..f3e1181e15 --- /dev/null +++ b/queue-6.15/bluetooth-btintel-check-if-controller-is-iso-capable-on-btintel_classify_pkt_type.patch @@ -0,0 +1,46 @@ +From 6ec3185fbc3528f2284c347fb9bd8be6fa672ed4 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 9 Jul 2025 15:02:56 -0400 +Subject: Bluetooth: btintel: Check if controller is ISO capable on btintel_classify_pkt_type + +From: Luiz Augusto von Dentz + +commit 6ec3185fbc3528f2284c347fb9bd8be6fa672ed4 upstream. + +Due to what seem to be a bug with variant version returned by some +firmwares the code may set hdev->classify_pkt_type with +btintel_classify_pkt_type when in fact the controller doesn't even +support ISO channels feature but may use the handle range expected from +a controllers that does causing the packets to be reclassified as ISO +causing several bugs. + +To fix the above btintel_classify_pkt_type will attempt to check if the +controller really supports ISO channels and in case it doesn't don't +reclassify even if the handle range is considered to be ISO, this is +considered safer than trying to fix the specific controller/firmware +version as that could change over time and causing similar problems in +the future. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219553 +Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2100565 +Link: https://github.com/StarLabsLtd/firmware/issues/180 +Fixes: f25b7fd36cc3 ("Bluetooth: Add vendor-specific packet classification for ISO data") +Cc: stable@vger.kernel.org +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Sean Rhodes +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btintel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -2670,7 +2670,7 @@ static u8 btintel_classify_pkt_type(stru + * Distinguish ISO data packets form ACL data packets + * based on their connection handle value range. + */ +- if (hci_skb_pkt_type(skb) == HCI_ACLDATA_PKT) { ++ if (iso_capable(hdev) && hci_skb_pkt_type(skb) == HCI_ACLDATA_PKT) { + __u16 handle = __le16_to_cpu(hci_acl_hdr(skb)->handle); + + if (hci_handle(handle) >= BTINTEL_ISODATA_HANDLE_BASE) diff --git a/queue-6.15/cpuidle-psci-fix-cpuhotplug-routine-with-preempt_rt-y.patch b/queue-6.15/cpuidle-psci-fix-cpuhotplug-routine-with-preempt_rt-y.patch new file mode 100644 index 0000000000..39d92e6455 --- /dev/null +++ b/queue-6.15/cpuidle-psci-fix-cpuhotplug-routine-with-preempt_rt-y.patch @@ -0,0 +1,115 @@ +From 621a88dbfe9006c318a0cafbd12e677ccfe006e7 Mon Sep 17 00:00:00 2001 +From: Daniel Lezcano +Date: Wed, 9 Jul 2025 17:47:28 +0200 +Subject: cpuidle: psci: Fix cpuhotplug routine with PREEMPT_RT=y + +From: Daniel Lezcano + +commit 621a88dbfe9006c318a0cafbd12e677ccfe006e7 upstream. + +Currently cpu hotplug with the PREEMPT_RT option set in the kernel is +not supported because the underlying generic power domain functions +used in the cpu hotplug callbacks are incompatible from a lock point +of view. This situation prevents the suspend to idle to reach the +deepest idle state for the "cluster" as identified in the +undermentioned commit. + +Use the compatible ones when PREEMPT_RT is enabled and remove the +boolean disabling the hotplug callbacks with this option. + +With this change the platform can reach the deepest idle state +allowing at suspend time to consume less power. + +Tested-on Lenovo T14s with the following script: + +echo 0 > /sys/devices/system/cpu/cpu3/online +BEFORE=$(cat /sys/kernel/debug/pm_genpd/power-domain-cpu-cluster0/idle_states | grep S0 | awk '{ print $3 }') ; +rtcwake -s 1 -m mem; +AFTER=$(cat /sys/kernel/debug/pm_genpd/power-domain-cpu-cluster0/idle_states | grep S0 | awk '{ print $3 }'); +if [ $BEFORE -lt $AFTER ]; then + echo "Test successful" +else + echo "Test failed" +fi +echo 1 > /sys/devices/system/cpu/cpu3/online + +Fixes: 1c4b2932bd62 ("cpuidle: psci: Enable the hierarchical topology for s2idle on PREEMPT_RT") +Cc: Raghavendra Kakarla +Signed-off-by: Daniel Lezcano +Reviewed-by: Sudeep Holla +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250709154728.733920-1-daniel.lezcano@linaro.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/cpuidle-psci.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/drivers/cpuidle/cpuidle-psci.c ++++ b/drivers/cpuidle/cpuidle-psci.c +@@ -39,7 +39,6 @@ struct psci_cpuidle_data { + static DEFINE_PER_CPU_READ_MOSTLY(struct psci_cpuidle_data, psci_cpuidle_data); + static DEFINE_PER_CPU(u32, domain_state); + static bool psci_cpuidle_use_syscore; +-static bool psci_cpuidle_use_cpuhp; + + void psci_set_domain_state(u32 state) + { +@@ -108,8 +107,12 @@ static int psci_idle_cpuhp_up(unsigned i + { + struct device *pd_dev = __this_cpu_read(psci_cpuidle_data.dev); + +- if (pd_dev) +- pm_runtime_get_sync(pd_dev); ++ if (pd_dev) { ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT)) ++ pm_runtime_get_sync(pd_dev); ++ else ++ dev_pm_genpd_resume(pd_dev); ++ } + + return 0; + } +@@ -119,7 +122,11 @@ static int psci_idle_cpuhp_down(unsigned + struct device *pd_dev = __this_cpu_read(psci_cpuidle_data.dev); + + if (pd_dev) { +- pm_runtime_put_sync(pd_dev); ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT)) ++ pm_runtime_put_sync(pd_dev); ++ else ++ dev_pm_genpd_suspend(pd_dev); ++ + /* Clear domain state to start fresh at next online. */ + psci_set_domain_state(0); + } +@@ -180,9 +187,6 @@ static void psci_idle_init_cpuhp(void) + { + int err; + +- if (!psci_cpuidle_use_cpuhp) +- return; +- + err = cpuhp_setup_state_nocalls(CPUHP_AP_CPU_PM_STARTING, + "cpuidle/psci:online", + psci_idle_cpuhp_up, +@@ -243,10 +247,8 @@ static int psci_dt_cpu_init_topology(str + * s2ram and s2idle. + */ + drv->states[state_count - 1].enter_s2idle = psci_enter_s2idle_domain_idle_state; +- if (!IS_ENABLED(CONFIG_PREEMPT_RT)) { ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT)) + drv->states[state_count - 1].enter = psci_enter_domain_idle_state; +- psci_cpuidle_use_cpuhp = true; +- } + + return 0; + } +@@ -323,7 +325,6 @@ static void psci_cpu_deinit_idle(int cpu + + dt_idle_detach_cpu(data->dev); + psci_cpuidle_use_syscore = false; +- psci_cpuidle_use_cpuhp = false; + } + + static int psci_idle_init_cpu(struct device *dev, int cpu) diff --git a/queue-6.15/dmaengine-mediatek-fix-a-flag-reuse-error-in-mtk_cqdma_tx_status.patch b/queue-6.15/dmaengine-mediatek-fix-a-flag-reuse-error-in-mtk_cqdma_tx_status.patch new file mode 100644 index 0000000000..045f0d2b96 --- /dev/null +++ b/queue-6.15/dmaengine-mediatek-fix-a-flag-reuse-error-in-mtk_cqdma_tx_status.patch @@ -0,0 +1,44 @@ +From 8eba2187391e5ab49940cd02d6bd45a5617f4daf Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Fri, 6 Jun 2025 17:00:17 +0800 +Subject: dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() + +From: Qiu-ji Chen + +commit 8eba2187391e5ab49940cd02d6bd45a5617f4daf upstream. + +Fixed a flag reuse bug in the mtk_cqdma_tx_status() function. + +Fixes: 157ae5ffd76a ("dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status()") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202505270641.MStzJUfU-lkp@intel.com/ +Signed-off-by: Qiu-ji Chen +Reviewed-by: Eugen Hristev +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20250606090017.5436-1-chenqiuji666@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/mediatek/mtk-cqdma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/mediatek/mtk-cqdma.c b/drivers/dma/mediatek/mtk-cqdma.c +index 47c8adfdc155..9f0c41ca7770 100644 +--- a/drivers/dma/mediatek/mtk-cqdma.c ++++ b/drivers/dma/mediatek/mtk-cqdma.c +@@ -449,9 +449,9 @@ static enum dma_status mtk_cqdma_tx_status(struct dma_chan *c, + return ret; + + spin_lock_irqsave(&cvc->pc->lock, flags); +- spin_lock_irqsave(&cvc->vc.lock, flags); ++ spin_lock(&cvc->vc.lock); + vd = mtk_cqdma_find_active_desc(c, cookie); +- spin_unlock_irqrestore(&cvc->vc.lock, flags); ++ spin_unlock(&cvc->vc.lock); + spin_unlock_irqrestore(&cvc->pc->lock, flags); + + if (vd) { +-- +2.50.1 + diff --git a/queue-6.15/dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch b/queue-6.15/dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch new file mode 100644 index 0000000000..f2c2d27060 --- /dev/null +++ b/queue-6.15/dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch @@ -0,0 +1,77 @@ +From 188c6ba1dd925849c5d94885c8bbdeb0b3dcf510 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 1 Jul 2025 17:31:40 -0500 +Subject: dmaengine: nbpfaxi: Fix memory corruption in probe() + +From: Dan Carpenter + +commit 188c6ba1dd925849c5d94885c8bbdeb0b3dcf510 upstream. + +The nbpf->chan[] array is allocated earlier in the nbpf_probe() function +and it has "num_channels" elements. These three loops iterate one +element farther than they should and corrupt memory. + +The changes to the second loop are more involved. In this case, we're +copying data from the irqbuf[] array into the nbpf->chan[] array. If +the data in irqbuf[i] is the error IRQ then we skip it, so the iterators +are not in sync. I added a check to ensure that we don't go beyond the +end of the irqbuf[] array. I'm pretty sure this can't happen, but it +seemed harmless to add a check. + +On the other hand, after the loop has ended there is a check to ensure +that the "chan" iterator is where we expect it to be. In the original +code we went one element beyond the end of the array so the iterator +wasn't in the correct place and it would always return -EINVAL. However, +now it will always be in the correct place. I deleted the check since +we know the result. + +Cc: stable@vger.kernel.org +Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/b13c5225-7eff-448c-badc-a2c98e9bcaca@sabinyo.mountain +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/nbpfaxi.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/dma/nbpfaxi.c ++++ b/drivers/dma/nbpfaxi.c +@@ -1351,7 +1351,7 @@ static int nbpf_probe(struct platform_de + if (irqs == 1) { + eirq = irqbuf[0]; + +- for (i = 0; i <= num_channels; i++) ++ for (i = 0; i < num_channels; i++) + nbpf->chan[i].irq = irqbuf[0]; + } else { + eirq = platform_get_irq_byname(pdev, "error"); +@@ -1361,16 +1361,15 @@ static int nbpf_probe(struct platform_de + if (irqs == num_channels + 1) { + struct nbpf_channel *chan; + +- for (i = 0, chan = nbpf->chan; i <= num_channels; ++ for (i = 0, chan = nbpf->chan; i < num_channels; + i++, chan++) { + /* Skip the error IRQ */ + if (irqbuf[i] == eirq) + i++; ++ if (i >= ARRAY_SIZE(irqbuf)) ++ return -EINVAL; + chan->irq = irqbuf[i]; + } +- +- if (chan != nbpf->chan + num_channels) +- return -EINVAL; + } else { + /* 2 IRQs and more than one channel */ + if (irqbuf[0] == eirq) +@@ -1378,7 +1377,7 @@ static int nbpf_probe(struct platform_de + else + irq = irqbuf[0]; + +- for (i = 0; i <= num_channels; i++) ++ for (i = 0; i < num_channels; i++) + nbpf->chan[i].irq = irq; + } + } diff --git a/queue-6.15/drm-amd-display-disable-crtc-degamma-lut-for-dcn401.patch b/queue-6.15/drm-amd-display-disable-crtc-degamma-lut-for-dcn401.patch new file mode 100644 index 0000000000..56f7d6eb22 --- /dev/null +++ b/queue-6.15/drm-amd-display-disable-crtc-degamma-lut-for-dcn401.patch @@ -0,0 +1,66 @@ +From 97a0f2b5f4d4afcec34376e4428e157ce95efa71 Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Mon, 7 Jul 2025 16:52:05 -0400 +Subject: drm/amd/display: Disable CRTC degamma LUT for DCN401 + +From: Melissa Wen + +commit 97a0f2b5f4d4afcec34376e4428e157ce95efa71 upstream. + +In DCN401 pre-blending degamma LUT isn't affecting cursor as in previous +DCN version. As this is not the behavior close to what is expected for +CRTC degamma LUT, disable CRTC degamma LUT property in this HW. + +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/4176 +--- + +When enabling HDR on KDE, it takes the first CRTC 1D LUT available and +apply a color transformation (Gamma 2.2 -> PQ). AMD driver usually +advertises a CRTC degamma LUT as the first CRTC 1D LUT, but it's +actually applied pre-blending. In previous HW version, it seems to work +fine because the 1D LUT was applied to cursor too, but DCN401 presents a +different behavior and the 1D LUT isn't affecting the hardware cursor. + +To address the wrong gamma on cursor with HDR (see the link), I came up +with this patch that disables CRTC degamma LUT in this hw, since it +presents a different behavior than others. With this KDE sees CRTC +regamma LUT as the first post-blending 1D LUT available. This is +actually more consistent with AMD color pipeline. It was tested by the +reporter, since I don't have the HW available for local testing and +debugging. + +Melissa +--- + +Reviewed-by: Harry Wentland +Signed-off-by: Melissa Wen +Signed-off-by: Ivan Lipski +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit 340231cdceec2c45995d773a358ca3c341f151aa) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +@@ -737,7 +737,16 @@ int amdgpu_dm_crtc_init(struct amdgpu_di + * support programmable degamma anywhere. + */ + is_dcn = dm->adev->dm.dc->caps.color.dpp.dcn_arch; +- drm_crtc_enable_color_mgmt(&acrtc->base, is_dcn ? MAX_COLOR_LUT_ENTRIES : 0, ++ /* Dont't enable DRM CRTC degamma property for DCN401 since the ++ * pre-blending degamma LUT doesn't apply to cursor, and therefore ++ * can't work similar to a post-blending degamma LUT as in other hw ++ * versions. ++ * TODO: revisit it once KMS plane color API is merged. ++ */ ++ drm_crtc_enable_color_mgmt(&acrtc->base, ++ (is_dcn && ++ dm->adev->dm.dc->ctx->dce_version != DCN_VERSION_4_01) ? ++ MAX_COLOR_LUT_ENTRIES : 0, + true, MAX_COLOR_LUT_ENTRIES); + + drm_mode_crtc_set_gamma_size(&acrtc->base, MAX_COLOR_LEGACY_LUT_ENTRIES); diff --git a/queue-6.15/drm-amd-display-free-memory-allocation.patch b/queue-6.15/drm-amd-display-free-memory-allocation.patch new file mode 100644 index 0000000000..c347828849 --- /dev/null +++ b/queue-6.15/drm-amd-display-free-memory-allocation.patch @@ -0,0 +1,44 @@ +From b2ee9fa0fe6416e16c532f61b909c79b5d4ed282 Mon Sep 17 00:00:00 2001 +From: Clayton King +Date: Thu, 19 Jun 2025 13:54:26 -0400 +Subject: drm/amd/display: Free memory allocation + +From: Clayton King + +commit b2ee9fa0fe6416e16c532f61b909c79b5d4ed282 upstream. + +[WHY] + +Free memory to avoid memory leak + +Reviewed-by: Joshua Aberback +Signed-off-by: Clayton King +Signed-off-by: Ivan Lipski +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit fa699acb8e9be2341ee318077fa119acc7d5f329) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn401/dcn401_clk_mgr.c +@@ -1565,7 +1565,7 @@ struct clk_mgr_internal *dcn401_clk_mgr_ + clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL); + if (!clk_mgr->base.bw_params) { + BREAK_TO_DEBUGGER(); +- kfree(clk_mgr); ++ kfree(clk_mgr401); + return NULL; + } + +@@ -1576,6 +1576,7 @@ struct clk_mgr_internal *dcn401_clk_mgr_ + if (!clk_mgr->wm_range_table) { + BREAK_TO_DEBUGGER(); + kfree(clk_mgr->base.bw_params); ++ kfree(clk_mgr401); + return NULL; + } + diff --git a/queue-6.15/drm-amdgpu-gfx8-reset-compute-ring-wptr-on-the-gpu-on-resume.patch b/queue-6.15/drm-amdgpu-gfx8-reset-compute-ring-wptr-on-the-gpu-on-resume.patch new file mode 100644 index 0000000000..954e4e1fc8 --- /dev/null +++ b/queue-6.15/drm-amdgpu-gfx8-reset-compute-ring-wptr-on-the-gpu-on-resume.patch @@ -0,0 +1,36 @@ +From 83261934015c434fabb980a3e613b01d9976e877 Mon Sep 17 00:00:00 2001 +From: Eeli Haapalainen +Date: Mon, 14 Jul 2025 08:13:09 +0300 +Subject: drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume + +From: Eeli Haapalainen + +commit 83261934015c434fabb980a3e613b01d9976e877 upstream. + +Commit 42cdf6f687da ("drm/amdgpu/gfx8: always restore kcq MQDs") made the +ring pointer always to be reset on resume from suspend. This caused compute +rings to fail since the reset was done without also resetting it for the +firmware. Reset wptr on the GPU to avoid a disconnect between the driver +and firmware wptr. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3911 +Fixes: 42cdf6f687da ("drm/amdgpu/gfx8: always restore kcq MQDs") +Signed-off-by: Eeli Haapalainen +Signed-off-by: Alex Deucher +(cherry picked from commit 2becafc319db3d96205320f31cc0de4ee5a93747) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +@@ -4664,6 +4664,7 @@ static int gfx_v8_0_kcq_init_queue(struc + memcpy(mqd, adev->gfx.mec.mqd_backup[mqd_idx], sizeof(struct vi_mqd_allocation)); + /* reset ring buffer */ + ring->wptr = 0; ++ atomic64_set((atomic64_t *)ring->wptr_cpu_addr, 0); + amdgpu_ring_clear_ring(ring); + } + return 0; diff --git a/queue-6.15/drm-amdgpu-increase-reset-counter-only-on-success.patch b/queue-6.15/drm-amdgpu-increase-reset-counter-only-on-success.patch new file mode 100644 index 0000000000..534bebf41a --- /dev/null +++ b/queue-6.15/drm-amdgpu-increase-reset-counter-only-on-success.patch @@ -0,0 +1,53 @@ +From 86790e300d8b7bbadaad5024e308c52f1222128f Mon Sep 17 00:00:00 2001 +From: Lijo Lazar +Date: Mon, 14 Jul 2025 10:37:00 +0530 +Subject: drm/amdgpu: Increase reset counter only on success + +From: Lijo Lazar + +commit 86790e300d8b7bbadaad5024e308c52f1222128f upstream. + +Increment the reset counter only if soft recovery succeeded. This is +consistent with a ring hard reset behaviour where counter gets +incremented only if hard reset succeeded. + +Signed-off-by: Lijo Lazar +Reviewed-by: Hawking Zhang +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +(cherry picked from commit 25c314aa3ec3d30e4ee282540e2096b5c66a2437) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +@@ -463,6 +463,7 @@ bool amdgpu_ring_soft_recovery(struct am + { + unsigned long flags; + ktime_t deadline; ++ bool ret; + + if (unlikely(ring->adev->debug_disable_soft_recovery)) + return false; +@@ -477,12 +478,16 @@ bool amdgpu_ring_soft_recovery(struct am + dma_fence_set_error(fence, -ENODATA); + spin_unlock_irqrestore(fence->lock, flags); + +- atomic_inc(&ring->adev->gpu_reset_counter); + while (!dma_fence_is_signaled(fence) && + ktime_to_ns(ktime_sub(deadline, ktime_get())) > 0) + ring->funcs->soft_recovery(ring, vmid); + +- return dma_fence_is_signaled(fence); ++ ret = dma_fence_is_signaled(fence); ++ /* increment the counter only if soft reset worked */ ++ if (ret) ++ atomic_inc(&ring->adev->gpu_reset_counter); ++ ++ return ret; + } + + /* diff --git a/queue-6.15/drm-panfrost-fix-scheduler-workqueue-bug.patch b/queue-6.15/drm-panfrost-fix-scheduler-workqueue-bug.patch new file mode 100644 index 0000000000..3b7292feac --- /dev/null +++ b/queue-6.15/drm-panfrost-fix-scheduler-workqueue-bug.patch @@ -0,0 +1,56 @@ +From cb345f954eacd162601e7d07ca2f0f0a17b54ee3 Mon Sep 17 00:00:00 2001 +From: Philipp Stanner +Date: Wed, 9 Jul 2025 12:29:58 +0200 +Subject: drm/panfrost: Fix scheduler workqueue bug + +From: Philipp Stanner + +commit cb345f954eacd162601e7d07ca2f0f0a17b54ee3 upstream. + +When the GPU scheduler was ported to using a struct for its +initialization parameters, it was overlooked that panfrost creates a +distinct workqueue for timeout handling. + +The pointer to this new workqueue is not initialized to the struct, +resulting in NULL being passed to the scheduler, which then uses the +system_wq for timeout handling. + +Set the correct workqueue to the init args struct. + +Cc: stable@vger.kernel.org # 6.15+ +Fixes: 796a9f55a8d1 ("drm/sched: Use struct for drm_sched_init() params") +Reported-by: Tvrtko Ursulin +Closes: https://lore.kernel.org/dri-devel/b5d0921c-7cbf-4d55-aa47-c35cd7861c02@igalia.com/ +Signed-off-by: Philipp Stanner +Reviewed-by: Tvrtko Ursulin +Reviewed-by: Steven Price +Signed-off-by: Steven Price +Link: https://lore.kernel.org/r/20250709102957.100849-2-phasta@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panfrost/panfrost_job.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panfrost/panfrost_job.c b/drivers/gpu/drm/panfrost/panfrost_job.c +index 5657106c2f7d..15e2d505550f 100644 +--- a/drivers/gpu/drm/panfrost/panfrost_job.c ++++ b/drivers/gpu/drm/panfrost/panfrost_job.c +@@ -841,7 +841,6 @@ int panfrost_job_init(struct panfrost_device *pfdev) + .num_rqs = DRM_SCHED_PRIORITY_COUNT, + .credit_limit = 2, + .timeout = msecs_to_jiffies(JOB_TIMEOUT_MS), +- .timeout_wq = pfdev->reset.wq, + .name = "pan_js", + .dev = pfdev->dev, + }; +@@ -879,6 +878,7 @@ int panfrost_job_init(struct panfrost_device *pfdev) + pfdev->reset.wq = alloc_ordered_workqueue("panfrost-reset", 0); + if (!pfdev->reset.wq) + return -ENOMEM; ++ args.timeout_wq = pfdev->reset.wq; + + for (j = 0; j < NUM_JOB_SLOTS; j++) { + js->queue[j].fence_context = dma_fence_context_alloc(1); +-- +2.50.1 + diff --git a/queue-6.15/fix-smb311-posix-special-file-creation-to-servers-which-do-not-advertise-reparse-support.patch b/queue-6.15/fix-smb311-posix-special-file-creation-to-servers-which-do-not-advertise-reparse-support.patch new file mode 100644 index 0000000000..ec2d84ca7c --- /dev/null +++ b/queue-6.15/fix-smb311-posix-special-file-creation-to-servers-which-do-not-advertise-reparse-support.patch @@ -0,0 +1,58 @@ +From 8767cb3fbd514c4cf85b4f516ca30388e846f540 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 14 Jul 2025 22:16:19 -0500 +Subject: Fix SMB311 posix special file creation to servers which do not advertise reparse support + +From: Steve French + +commit 8767cb3fbd514c4cf85b4f516ca30388e846f540 upstream. + +Some servers (including Samba), support the SMB3.1.1 POSIX Extensions (which use reparse +points for handling special files) but do not properly advertise file system attribute +FILE_SUPPORTS_REPARSE_POINTS. Although we don't check for this attribute flag when +querying special file information, we do check it when creating special files which +causes them to fail unnecessarily. If we have negotiated SMB3.1.1 POSIX Extensions +with the server we can expect the server to support creating special files via +reparse points, and even if the server fails the operation due to really forbidding +creating special files, then it should be no problem and is more likely to return a +more accurate rc in any case (e.g. EACCES instead of EOPNOTSUPP). + +Allow creating special files as long as the server supports either reparse points +or the SMB3.1.1 POSIX Extensions (note that if the "sfu" mount option is specified +it uses a different way of storing special files that does not rely on reparse points). + +Cc: +Fixes: 6c06be908ca19 ("cifs: Check if server supports reparse points before using them") +Acked-by: Ralph Boehme +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2inode.c | 3 ++- + fs/smb/client/smb2ops.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -1346,7 +1346,8 @@ struct inode *smb2_get_reparse_inode(str + * empty object on the server. + */ + if (!(le32_to_cpu(tcon->fsAttrInfo.Attributes) & FILE_SUPPORTS_REPARSE_POINTS)) +- return ERR_PTR(-EOPNOTSUPP); ++ if (!tcon->posix_extensions) ++ return ERR_PTR(-EOPNOTSUPP); + + oparms = CIFS_OPARMS(cifs_sb, tcon, full_path, + SYNCHRONIZE | DELETE | +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -5246,7 +5246,8 @@ static int smb2_make_node(unsigned int x + if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL) { + rc = cifs_sfu_make_node(xid, inode, dentry, tcon, + full_path, mode, dev); +- } else if (le32_to_cpu(tcon->fsAttrInfo.Attributes) & FILE_SUPPORTS_REPARSE_POINTS) { ++ } else if ((le32_to_cpu(tcon->fsAttrInfo.Attributes) & FILE_SUPPORTS_REPARSE_POINTS) ++ || (tcon->posix_extensions)) { + rc = smb2_mknod_reparse(xid, inode, dentry, tcon, + full_path, mode, dev); + } diff --git a/queue-6.15/io_uring-poll-fix-pollerr-handling.patch b/queue-6.15/io_uring-poll-fix-pollerr-handling.patch new file mode 100644 index 0000000000..bd5711cd82 --- /dev/null +++ b/queue-6.15/io_uring-poll-fix-pollerr-handling.patch @@ -0,0 +1,71 @@ +From c7cafd5b81cc07fb402e3068d134c21e60ea688c Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 16 Jul 2025 17:20:17 +0100 +Subject: io_uring/poll: fix POLLERR handling + +From: Pavel Begunkov + +commit c7cafd5b81cc07fb402e3068d134c21e60ea688c upstream. + +8c8492ca64e7 ("io_uring/net: don't retry connect operation on EPOLLERR") +is a little dirty hack that +1) wrongfully assumes that POLLERR equals to a failed request, which +breaks all POLLERR users, e.g. all error queue recv interfaces. +2) deviates the connection request behaviour from connect(2), and +3) racy and solved at a wrong level. + +Nothing can be done with 2) now, and 3) is beyond the scope of the +patch. At least solve 1) by moving the hack out of generic poll handling +into io_connect(). + +Cc: stable@vger.kernel.org +Fixes: 8c8492ca64e79 ("io_uring/net: don't retry connect operation on EPOLLERR") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/3dc89036388d602ebd84c28e5042e457bdfc952b.1752682444.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 12 ++++++++---- + io_uring/poll.c | 2 -- + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -1749,9 +1749,11 @@ int io_connect(struct io_kiocb *req, uns + int ret; + bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK; + +- if (unlikely(req->flags & REQ_F_FAIL)) { +- ret = -ECONNRESET; +- goto out; ++ if (connect->in_progress) { ++ struct poll_table_struct pt = { ._key = EPOLLERR }; ++ ++ if (vfs_poll(req->file, &pt) & EPOLLERR) ++ goto get_sock_err; + } + + file_flags = force_nonblock ? O_NONBLOCK : 0; +@@ -1776,8 +1778,10 @@ int io_connect(struct io_kiocb *req, uns + * which means the previous result is good. For both of these, + * grab the sock_error() and use that for the completion. + */ +- if (ret == -EBADFD || ret == -EISCONN) ++ if (ret == -EBADFD || ret == -EISCONN) { ++get_sock_err: + ret = sock_error(sock_from_file(req->file)->sk); ++ } + } + if (ret == -ERESTARTSYS) + ret = -EINTR; +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -273,8 +273,6 @@ static int io_poll_check_events(struct i + return IOU_POLL_REISSUE; + } + } +- if (unlikely(req->cqe.res & EPOLLERR)) +- req_set_fail(req); + if (req->apoll_events & EPOLLONESHOT) + return IOU_POLL_DONE; + diff --git a/queue-6.15/isofs-verify-inode-mode-when-loading-from-disk.patch b/queue-6.15/isofs-verify-inode-mode-when-loading-from-disk.patch new file mode 100644 index 0000000000..b8fa70c012 --- /dev/null +++ b/queue-6.15/isofs-verify-inode-mode-when-loading-from-disk.patch @@ -0,0 +1,43 @@ +From 0a9e7405131380b57e155f10242b2e25d2e51852 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 9 Jul 2025 11:55:46 +0200 +Subject: isofs: Verify inode mode when loading from disk + +From: Jan Kara + +commit 0a9e7405131380b57e155f10242b2e25d2e51852 upstream. + +Verify that the inode mode is sane when loading it from the disk to +avoid complaints from VFS about setting up invalid inodes. + +Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/20250709095545.31062-2-jack@suse.cz +Acked-by: Christian Brauner +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/isofs/inode.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -1440,9 +1440,16 @@ static int isofs_read_inode(struct inode + inode->i_op = &page_symlink_inode_operations; + inode_nohighmem(inode); + inode->i_data.a_ops = &isofs_symlink_aops; +- } else ++ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || ++ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { + /* XXX - parse_rock_ridge_inode() had already set i_rdev. */ + init_special_inode(inode, inode->i_mode, inode->i_rdev); ++ } else { ++ printk(KERN_DEBUG "ISOFS: Invalid file type 0%04o for inode %lu.\n", ++ inode->i_mode, inode->i_ino); ++ ret = -EIO; ++ goto fail; ++ } + + ret = 0; + out: diff --git a/queue-6.15/memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch b/queue-6.15/memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch new file mode 100644 index 0000000000..d721fb56a7 --- /dev/null +++ b/queue-6.15/memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch @@ -0,0 +1,47 @@ +From 21b34a3a204ed616373a12ec17dc127ebe51eab3 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 15 Jul 2025 15:56:05 -0700 +Subject: memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() + +From: Nathan Chancellor + +commit 21b34a3a204ed616373a12ec17dc127ebe51eab3 upstream. + +A new warning in clang [1] points out that id_reg is uninitialized then +passed to memstick_init_req() as a const pointer: + + drivers/memstick/core/memstick.c:330:59: error: variable 'id_reg' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] + 330 | memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg, + | ^~~~~~ + +Commit de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull +warning") intentionally passed this variable uninitialized to avoid an +-Wnonnull warning from a NULL value that was previously there because +id_reg is never read from the call to memstick_init_req() in +h_memstick_read_dev_id(). Just zero initialize id_reg to avoid the +warning, which is likely happening in the majority of builds using +modern compilers that support '-ftrivial-auto-var-init=zero'. + +Cc: stable@vger.kernel.org +Fixes: de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull warning") +Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1] +Closes: https://github.com/ClangBuiltLinux/linux/issues/2105 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20250715-memstick-fix-uninit-const-pointer-v1-1-f6753829c27a@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/memstick/core/memstick.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/memstick/core/memstick.c ++++ b/drivers/memstick/core/memstick.c +@@ -324,7 +324,7 @@ EXPORT_SYMBOL(memstick_init_req); + static int h_memstick_read_dev_id(struct memstick_dev *card, + struct memstick_request **mrq) + { +- struct ms_id_register id_reg; ++ struct ms_id_register id_reg = {}; + + if (!(*mrq)) { + memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg, diff --git a/queue-6.15/mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch b/queue-6.15/mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..4f996a6717 --- /dev/null +++ b/queue-6.15/mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,34 @@ +From ff09b71bf9daeca4f21d6e5e449641c9fad75b53 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Mon, 30 Jun 2025 11:35:07 +0200 +Subject: mmc: bcm2835: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +commit ff09b71bf9daeca4f21d6e5e449641c9fad75b53 upstream. + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 2f5da678351f ("mmc: bcm2835: Properly handle dmaengine_prep_slave_sg") +Signed-off-by: Thomas Fourier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250630093510.82871-2-fourier.thomas@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/bcm2835.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/bcm2835.c ++++ b/drivers/mmc/host/bcm2835.c +@@ -503,7 +503,8 @@ void bcm2835_prepare_dma(struct bcm2835_ + DMA_PREP_INTERRUPT | DMA_CTRL_ACK); + + if (!desc) { +- dma_unmap_sg(dma_chan->device->dev, data->sg, sg_len, dir_data); ++ dma_unmap_sg(dma_chan->device->dev, data->sg, data->sg_len, ++ dir_data); + return; + } + diff --git a/queue-6.15/mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch b/queue-6.15/mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch new file mode 100644 index 0000000000..f7b6de2f6b --- /dev/null +++ b/queue-6.15/mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch @@ -0,0 +1,38 @@ +From 50c78f398e92fafa1cbba3469c95fe04b2e4206d Mon Sep 17 00:00:00 2001 +From: Edson Juliano Drosdeck +Date: Thu, 26 Jun 2025 08:24:42 -0300 +Subject: mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models + +From: Edson Juliano Drosdeck + +commit 50c78f398e92fafa1cbba3469c95fe04b2e4206d upstream. + +Disable command queuing on Intel GLK-based Positivo models. + +Without this quirk, CQE (Command Queuing Engine) causes instability +or I/O errors during operation. Disabling it ensures stable +operation on affected devices. + +Signed-off-by: Edson Juliano Drosdeck +Fixes: bedf9fc01ff1 ("mmc: sdhci: Workaround broken command queuing on Intel GLK") +Cc: stable@vger.kernel.org +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20250626112442.9791-1-edson.drosdeck@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -913,7 +913,8 @@ static bool glk_broken_cqhci(struct sdhc + { + return slot->chip->pdev->device == PCI_DEVICE_ID_INTEL_GLK_EMMC && + (dmi_match(DMI_BIOS_VENDOR, "LENOVO") || +- dmi_match(DMI_SYS_VENDOR, "IRBIS")); ++ dmi_match(DMI_SYS_VENDOR, "IRBIS") || ++ dmi_match(DMI_SYS_VENDOR, "Positivo Tecnologia SA")); + } + + static bool jsl_broken_hs400es(struct sdhci_pci_slot *slot) diff --git a/queue-6.15/mmc-sdhci_am654-workaround-for-errata-i2312.patch b/queue-6.15/mmc-sdhci_am654-workaround-for-errata-i2312.patch new file mode 100644 index 0000000000..9431b9749f --- /dev/null +++ b/queue-6.15/mmc-sdhci_am654-workaround-for-errata-i2312.patch @@ -0,0 +1,62 @@ +From 6d0b1c01847fedd7c85a5cdf59b8cfc7d14512e6 Mon Sep 17 00:00:00 2001 +From: Judith Mendez +Date: Thu, 26 Jun 2025 18:14:52 -0500 +Subject: mmc: sdhci_am654: Workaround for Errata i2312 + +From: Judith Mendez + +commit 6d0b1c01847fedd7c85a5cdf59b8cfc7d14512e6 upstream. + +Errata i2312 [0] for K3 silicon mentions the maximum obtainable +timeout through MMC host controller is 700ms. And for commands taking +longer than 700ms, hardware timeout should be disabled and software +timeout should be used. + +The workaround for Errata i2312 can be achieved by adding +SDHCI_QUIRK2_DISABLE_HW_TIMEOUT quirk in sdhci_am654. + +[0] https://www.ti.com/lit/pdf/sprz487 + +Signed-off-by: Judith Mendez +Acked-by: Adrian Hunter +Fixes: 41fd4caeb00b ("mmc: sdhci_am654: Add Initial Support for AM654 SDHCI driver") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250626231452.3460987-1-jm@ti.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci_am654.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/sdhci_am654.c ++++ b/drivers/mmc/host/sdhci_am654.c +@@ -613,7 +613,8 @@ static const struct sdhci_ops sdhci_am65 + static const struct sdhci_pltfm_data sdhci_am654_pdata = { + .ops = &sdhci_am654_ops, + .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | ++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT, + }; + + static const struct sdhci_am654_driver_data sdhci_am654_sr1_drvdata = { +@@ -643,7 +644,8 @@ static const struct sdhci_ops sdhci_j721 + static const struct sdhci_pltfm_data sdhci_j721e_8bit_pdata = { + .ops = &sdhci_j721e_8bit_ops, + .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | ++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT, + }; + + static const struct sdhci_am654_driver_data sdhci_j721e_8bit_drvdata = { +@@ -667,7 +669,8 @@ static const struct sdhci_ops sdhci_j721 + static const struct sdhci_pltfm_data sdhci_j721e_4bit_pdata = { + .ops = &sdhci_j721e_4bit_ops, + .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | ++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT, + }; + + static const struct sdhci_am654_driver_data sdhci_j721e_4bit_drvdata = { diff --git a/queue-6.15/mptcp-make-fallback-action-and-fallback-decision-atomic.patch b/queue-6.15/mptcp-make-fallback-action-and-fallback-decision-atomic.patch new file mode 100644 index 0000000000..122e3111b1 --- /dev/null +++ b/queue-6.15/mptcp-make-fallback-action-and-fallback-decision-atomic.patch @@ -0,0 +1,379 @@ +From f8a1d9b18c5efc76784f5a326e905f641f839894 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 14 Jul 2025 18:41:44 +0200 +Subject: mptcp: make fallback action and fallback decision atomic + +From: Paolo Abeni + +commit f8a1d9b18c5efc76784f5a326e905f641f839894 upstream. + +Syzkaller reported the following splat: + + WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] + WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] + WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline] + WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153 + Modules linked in: + CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary) + Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] + RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] + RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline] + RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153 + Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00 + RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45 + RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001 + RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000 + FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0 + Call Trace: + + tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432 + tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975 + tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166 + tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925 + tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363 + ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233 + NF_HOOK include/linux/netfilter.h:317 [inline] + NF_HOOK include/linux/netfilter.h:311 [inline] + ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254 + dst_input include/net/dst.h:469 [inline] + ip_rcv_finish net/ipv4/ip_input.c:447 [inline] + NF_HOOK include/linux/netfilter.h:317 [inline] + NF_HOOK include/linux/netfilter.h:311 [inline] + ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567 + __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975 + __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088 + process_backlog+0x301/0x1360 net/core/dev.c:6440 + __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453 + napi_poll net/core/dev.c:7517 [inline] + net_rx_action+0xb44/0x1010 net/core/dev.c:7644 + handle_softirqs+0x1d0/0x770 kernel/softirq.c:579 + do_softirq+0x3f/0x90 kernel/softirq.c:480 + + + __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407 + local_bh_enable include/linux/bottom_half.h:33 [inline] + inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524 + mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985 + mptcp_check_listen_stop net/mptcp/mib.h:118 [inline] + __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000 + mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066 + inet_release+0xed/0x200 net/ipv4/af_inet.c:435 + inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487 + __sock_release+0xb3/0x270 net/socket.c:649 + sock_close+0x1c/0x30 net/socket.c:1439 + __fput+0x402/0xb70 fs/file_table.c:465 + task_work_run+0x150/0x240 kernel/task_work.c:227 + resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] + exit_to_user_mode_loop+0xd4/0xe0 kernel/entry/common.c:114 + exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] + syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] + syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] + do_syscall_64+0x245/0x360 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7fc92f8a36ad + Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 + RSP: 002b:00007ffcf52802d8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 + RAX: 0000000000000000 RBX: 00007ffcf52803a8 RCX: 00007fc92f8a36ad + RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 + RBP: 00007fc92fae7ba0 R08: 0000000000000001 R09: 0000002800000000 + R10: 00007fc92f700000 R11: 0000000000000246 R12: 00007fc92fae5fac + R13: 00007fc92fae5fa0 R14: 0000000000026d00 R15: 0000000000026c51 + + irq event stamp: 4068 + hardirqs last enabled at (4076): [] __up_console_sem+0x76/0x80 kernel/printk/printk.c:344 + hardirqs last disabled at (4085): [] __up_console_sem+0x5b/0x80 kernel/printk/printk.c:342 + softirqs last enabled at (3096): [] local_bh_enable include/linux/bottom_half.h:33 [inline] + softirqs last enabled at (3096): [] inet_csk_listen_stop+0x2c0/0x1070 net/ipv4/inet_connection_sock.c:1524 + softirqs last disabled at (3097): [] do_softirq+0x3f/0x90 kernel/softirq.c:480 + +Since we need to track the 'fallback is possible' condition and the +fallback status separately, there are a few possible races open between +the check and the actual fallback action. + +Add a spinlock to protect the fallback related information and use it +close all the possible related races. While at it also remove the +too-early clearing of allow_infinite_fallback in __mptcp_subflow_connect(): +the field will be correctly cleared by subflow_finish_connect() if/when +the connection will complete successfully. + +If fallback is not possible, as per RFC, reset the current subflow. + +Since the fallback operation can now fail and return value should be +checked, rename the helper accordingly. + +Fixes: 0530020a7c8f ("mptcp: track and update contiguous data status") +Cc: stable@vger.kernel.org +Reported-by: Matthieu Baerts +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/570 +Reported-by: syzbot+5cf807c20386d699b524@syzkaller.appspotmail.com +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/555 +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250714-net-mptcp-fallback-races-v1-1-391aff963322@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 3 ++- + net/mptcp/protocol.c | 40 +++++++++++++++++++++++++++++++++++----- + net/mptcp/protocol.h | 26 +++++++++++++++++++------- + net/mptcp/subflow.c | 11 +++++------ + 4 files changed, 61 insertions(+), 19 deletions(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -978,8 +978,9 @@ static bool check_fully_established(stru + if (subflow->mp_join) + goto reset; + subflow->mp_capable = 0; ++ if (!mptcp_try_fallback(ssk)) ++ goto reset; + pr_fallback(msk); +- mptcp_do_fallback(ssk); + return false; + } + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -558,10 +558,9 @@ static bool mptcp_check_data_fin(struct + + static void mptcp_dss_corruption(struct mptcp_sock *msk, struct sock *ssk) + { +- if (READ_ONCE(msk->allow_infinite_fallback)) { ++ if (mptcp_try_fallback(ssk)) { + MPTCP_INC_STATS(sock_net(ssk), + MPTCP_MIB_DSSCORRUPTIONFALLBACK); +- mptcp_do_fallback(ssk); + } else { + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DSSCORRUPTIONRESET); + mptcp_subflow_reset(ssk); +@@ -801,6 +800,14 @@ static bool __mptcp_finish_join(struct m + if (sk->sk_state != TCP_ESTABLISHED) + return false; + ++ spin_lock_bh(&msk->fallback_lock); ++ if (__mptcp_check_fallback(msk)) { ++ spin_unlock_bh(&msk->fallback_lock); ++ return false; ++ } ++ mptcp_subflow_joined(msk, ssk); ++ spin_unlock_bh(&msk->fallback_lock); ++ + /* attach to msk socket only after we are sure we will deal with it + * at close time + */ +@@ -809,7 +816,6 @@ static bool __mptcp_finish_join(struct m + + mptcp_subflow_ctx(ssk)->subflow_id = msk->subflow_id++; + mptcp_sockopt_sync_locked(msk, ssk); +- mptcp_subflow_joined(msk, ssk); + mptcp_stop_tout_timer(sk); + __mptcp_propagate_sndbuf(sk, ssk); + return true; +@@ -1134,10 +1140,14 @@ static void mptcp_update_infinite_map(st + mpext->infinite_map = 1; + mpext->data_len = 0; + ++ if (!mptcp_try_fallback(ssk)) { ++ mptcp_subflow_reset(ssk); ++ return; ++ } ++ + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_INFINITEMAPTX); + mptcp_subflow_ctx(ssk)->send_infinite_map = 0; + pr_fallback(msk); +- mptcp_do_fallback(ssk); + } + + #define MPTCP_MAX_GSO_SIZE (GSO_LEGACY_MAX_SIZE - (MAX_TCP_HEADER + 1)) +@@ -2541,9 +2551,9 @@ static void mptcp_check_fastclose(struct + + static void __mptcp_retrans(struct sock *sk) + { ++ struct mptcp_sendmsg_info info = { .data_lock_held = true, }; + struct mptcp_sock *msk = mptcp_sk(sk); + struct mptcp_subflow_context *subflow; +- struct mptcp_sendmsg_info info = {}; + struct mptcp_data_frag *dfrag; + struct sock *ssk; + int ret, err; +@@ -2588,6 +2598,18 @@ static void __mptcp_retrans(struct sock + info.sent = 0; + info.limit = READ_ONCE(msk->csum_enabled) ? dfrag->data_len : + dfrag->already_sent; ++ ++ /* ++ * make the whole retrans decision, xmit, disallow ++ * fallback atomic ++ */ ++ spin_lock_bh(&msk->fallback_lock); ++ if (__mptcp_check_fallback(msk)) { ++ spin_unlock_bh(&msk->fallback_lock); ++ release_sock(ssk); ++ return; ++ } ++ + while (info.sent < info.limit) { + ret = mptcp_sendmsg_frag(sk, ssk, dfrag, &info); + if (ret <= 0) +@@ -2603,6 +2625,7 @@ static void __mptcp_retrans(struct sock + info.size_goal); + WRITE_ONCE(msk->allow_infinite_fallback, false); + } ++ spin_unlock_bh(&msk->fallback_lock); + + release_sock(ssk); + } +@@ -2736,6 +2759,7 @@ static void __mptcp_init_sock(struct soc + msk->last_ack_recv = tcp_jiffies32; + + mptcp_pm_data_init(msk); ++ spin_lock_init(&msk->fallback_lock); + + /* re-use the csk retrans timer for MPTCP-level retrans */ + timer_setup(&msk->sk.icsk_retransmit_timer, mptcp_retransmit_timer, 0); +@@ -3522,7 +3546,13 @@ bool mptcp_finish_join(struct sock *ssk) + + /* active subflow, already present inside the conn_list */ + if (!list_empty(&subflow->node)) { ++ spin_lock_bh(&msk->fallback_lock); ++ if (__mptcp_check_fallback(msk)) { ++ spin_unlock_bh(&msk->fallback_lock); ++ return false; ++ } + mptcp_subflow_joined(msk, ssk); ++ spin_unlock_bh(&msk->fallback_lock); + mptcp_propagate_sndbuf(parent, ssk); + return true; + } +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -350,6 +350,10 @@ struct mptcp_sock { + u32 subflow_id; + u32 setsockopt_seq; + char ca_name[TCP_CA_NAME_MAX]; ++ ++ spinlock_t fallback_lock; /* protects fallback and ++ * allow_infinite_fallback ++ */ + }; + + #define mptcp_data_lock(sk) spin_lock_bh(&(sk)->sk_lock.slock) +@@ -1208,15 +1212,21 @@ static inline bool mptcp_check_fallback( + return __mptcp_check_fallback(msk); + } + +-static inline void __mptcp_do_fallback(struct mptcp_sock *msk) ++static inline bool __mptcp_try_fallback(struct mptcp_sock *msk) + { + if (__mptcp_check_fallback(msk)) { + pr_debug("TCP fallback already done (msk=%p)\n", msk); +- return; ++ return true; + } +- if (WARN_ON_ONCE(!READ_ONCE(msk->allow_infinite_fallback))) +- return; ++ spin_lock_bh(&msk->fallback_lock); ++ if (!msk->allow_infinite_fallback) { ++ spin_unlock_bh(&msk->fallback_lock); ++ return false; ++ } ++ + set_bit(MPTCP_FALLBACK_DONE, &msk->flags); ++ spin_unlock_bh(&msk->fallback_lock); ++ return true; + } + + static inline bool __mptcp_has_initial_subflow(const struct mptcp_sock *msk) +@@ -1228,14 +1238,15 @@ static inline bool __mptcp_has_initial_s + TCPF_SYN_RECV | TCPF_LISTEN)); + } + +-static inline void mptcp_do_fallback(struct sock *ssk) ++static inline bool mptcp_try_fallback(struct sock *ssk) + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); + struct sock *sk = subflow->conn; + struct mptcp_sock *msk; + + msk = mptcp_sk(sk); +- __mptcp_do_fallback(msk); ++ if (!__mptcp_try_fallback(msk)) ++ return false; + if (READ_ONCE(msk->snd_data_fin_enable) && !(ssk->sk_shutdown & SEND_SHUTDOWN)) { + gfp_t saved_allocation = ssk->sk_allocation; + +@@ -1247,6 +1258,7 @@ static inline void mptcp_do_fallback(str + tcp_shutdown(ssk, SEND_SHUTDOWN); + ssk->sk_allocation = saved_allocation; + } ++ return true; + } + + #define pr_fallback(a) pr_debug("%s:fallback to TCP (msk=%p)\n", __func__, a) +@@ -1256,7 +1268,7 @@ static inline void mptcp_subflow_early_f + { + pr_fallback(msk); + subflow->request_mptcp = 0; +- __mptcp_do_fallback(msk); ++ WARN_ON_ONCE(!__mptcp_try_fallback(msk)); + } + + static inline bool mptcp_check_infinite_map(struct sk_buff *skb) +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -543,9 +543,11 @@ static void subflow_finish_connect(struc + mptcp_get_options(skb, &mp_opt); + if (subflow->request_mptcp) { + if (!(mp_opt.suboptions & OPTION_MPTCP_MPC_SYNACK)) { ++ if (!mptcp_try_fallback(sk)) ++ goto do_reset; ++ + MPTCP_INC_STATS(sock_net(sk), + MPTCP_MIB_MPCAPABLEACTIVEFALLBACK); +- mptcp_do_fallback(sk); + pr_fallback(msk); + goto fallback; + } +@@ -1397,7 +1399,7 @@ fallback: + return true; + } + +- if (!READ_ONCE(msk->allow_infinite_fallback)) { ++ if (!mptcp_try_fallback(ssk)) { + /* fatal protocol error, close the socket. + * subflow_error_report() will introduce the appropriate barriers + */ +@@ -1415,8 +1417,6 @@ reset: + WRITE_ONCE(subflow->data_avail, false); + return false; + } +- +- mptcp_do_fallback(ssk); + } + + skb = skb_peek(&ssk->sk_receive_queue); +@@ -1681,7 +1681,6 @@ int __mptcp_subflow_connect(struct sock + /* discard the subflow socket */ + mptcp_sock_graft(ssk, sk->sk_socket); + iput(SOCK_INODE(sf)); +- WRITE_ONCE(msk->allow_infinite_fallback, false); + mptcp_stop_tout_timer(sk); + return 0; + +@@ -1853,7 +1852,7 @@ static void subflow_state_change(struct + + msk = mptcp_sk(parent); + if (subflow_simultaneous_connect(sk)) { +- mptcp_do_fallback(sk); ++ WARN_ON_ONCE(!mptcp_try_fallback(sk)); + pr_fallback(msk); + subflow->conn_finished = 1; + mptcp_propagate_state(parent, sk, subflow, NULL); diff --git a/queue-6.15/mptcp-plug-races-between-subflow-fail-and-subflow-creation.patch b/queue-6.15/mptcp-plug-races-between-subflow-fail-and-subflow-creation.patch new file mode 100644 index 0000000000..330fd3fd45 --- /dev/null +++ b/queue-6.15/mptcp-plug-races-between-subflow-fail-and-subflow-creation.patch @@ -0,0 +1,189 @@ +From def5b7b2643ebba696fc60ddf675dca13f073486 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 14 Jul 2025 18:41:45 +0200 +Subject: mptcp: plug races between subflow fail and subflow creation + +From: Paolo Abeni + +commit def5b7b2643ebba696fc60ddf675dca13f073486 upstream. + +We have races similar to the one addressed by the previous patch between +subflow failing and additional subflow creation. They are just harder to +trigger. + +The solution is similar. Use a separate flag to track the condition +'socket state prevent any additional subflow creation' protected by the +fallback lock. + +The socket fallback makes such flag true, and also receiving or sending +an MP_FAIL option. + +The field 'allow_infinite_fallback' is now always touched under the +relevant lock, we can drop the ONCE annotation on write. + +Fixes: 478d770008b0 ("mptcp: send out MP_FAIL when data checksum fails") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250714-net-mptcp-fallback-races-v1-2-391aff963322@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm.c | 8 +++++++- + net/mptcp/protocol.c | 11 ++++++----- + net/mptcp/protocol.h | 7 +++++-- + net/mptcp/subflow.c | 19 ++++++++++++++----- + 4 files changed, 32 insertions(+), 13 deletions(-) + +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -761,8 +761,14 @@ void mptcp_pm_mp_fail_received(struct so + + pr_debug("fail_seq=%llu\n", fail_seq); + +- if (!READ_ONCE(msk->allow_infinite_fallback)) ++ /* After accepting the fail, we can't create any other subflows */ ++ spin_lock_bh(&msk->fallback_lock); ++ if (!msk->allow_infinite_fallback) { ++ spin_unlock_bh(&msk->fallback_lock); + return; ++ } ++ msk->allow_subflows = false; ++ spin_unlock_bh(&msk->fallback_lock); + + if (!subflow->fail_tout) { + pr_debug("send MP_FAIL response and infinite map\n"); +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -789,7 +789,7 @@ void mptcp_data_ready(struct sock *sk, s + static void mptcp_subflow_joined(struct mptcp_sock *msk, struct sock *ssk) + { + mptcp_subflow_ctx(ssk)->map_seq = READ_ONCE(msk->ack_seq); +- WRITE_ONCE(msk->allow_infinite_fallback, false); ++ msk->allow_infinite_fallback = false; + mptcp_event(MPTCP_EVENT_SUB_ESTABLISHED, msk, ssk, GFP_ATOMIC); + } + +@@ -801,7 +801,7 @@ static bool __mptcp_finish_join(struct m + return false; + + spin_lock_bh(&msk->fallback_lock); +- if (__mptcp_check_fallback(msk)) { ++ if (!msk->allow_subflows) { + spin_unlock_bh(&msk->fallback_lock); + return false; + } +@@ -2623,7 +2623,7 @@ static void __mptcp_retrans(struct sock + len = max(copied, len); + tcp_push(ssk, 0, info.mss_now, tcp_sk(ssk)->nonagle, + info.size_goal); +- WRITE_ONCE(msk->allow_infinite_fallback, false); ++ msk->allow_infinite_fallback = false; + } + spin_unlock_bh(&msk->fallback_lock); + +@@ -2751,7 +2751,8 @@ static void __mptcp_init_sock(struct soc + WRITE_ONCE(msk->first, NULL); + inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss; + WRITE_ONCE(msk->csum_enabled, mptcp_is_checksum_enabled(sock_net(sk))); +- WRITE_ONCE(msk->allow_infinite_fallback, true); ++ msk->allow_infinite_fallback = true; ++ msk->allow_subflows = true; + msk->recovery = false; + msk->subflow_id = 1; + msk->last_data_sent = tcp_jiffies32; +@@ -3547,7 +3548,7 @@ bool mptcp_finish_join(struct sock *ssk) + /* active subflow, already present inside the conn_list */ + if (!list_empty(&subflow->node)) { + spin_lock_bh(&msk->fallback_lock); +- if (__mptcp_check_fallback(msk)) { ++ if (!msk->allow_subflows) { + spin_unlock_bh(&msk->fallback_lock); + return false; + } +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -346,13 +346,15 @@ struct mptcp_sock { + u64 rtt_us; /* last maximum rtt of subflows */ + } rcvq_space; + u8 scaling_ratio; ++ bool allow_subflows; + + u32 subflow_id; + u32 setsockopt_seq; + char ca_name[TCP_CA_NAME_MAX]; + +- spinlock_t fallback_lock; /* protects fallback and +- * allow_infinite_fallback ++ spinlock_t fallback_lock; /* protects fallback, ++ * allow_infinite_fallback and ++ * allow_join + */ + }; + +@@ -1224,6 +1226,7 @@ static inline bool __mptcp_try_fallback( + return false; + } + ++ msk->allow_subflows = false; + set_bit(MPTCP_FALLBACK_DONE, &msk->flags); + spin_unlock_bh(&msk->fallback_lock); + return true; +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1304,20 +1304,29 @@ static void subflow_sched_work_if_closed + mptcp_schedule_work(sk); + } + +-static void mptcp_subflow_fail(struct mptcp_sock *msk, struct sock *ssk) ++static bool mptcp_subflow_fail(struct mptcp_sock *msk, struct sock *ssk) + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk); + unsigned long fail_tout; + ++ /* we are really failing, prevent any later subflow join */ ++ spin_lock_bh(&msk->fallback_lock); ++ if (!msk->allow_infinite_fallback) { ++ spin_unlock_bh(&msk->fallback_lock); ++ return false; ++ } ++ msk->allow_subflows = false; ++ spin_unlock_bh(&msk->fallback_lock); ++ + /* graceful failure can happen only on the MPC subflow */ + if (WARN_ON_ONCE(ssk != READ_ONCE(msk->first))) +- return; ++ return false; + + /* since the close timeout take precedence on the fail one, + * no need to start the latter when the first is already set + */ + if (sock_flag((struct sock *)msk, SOCK_DEAD)) +- return; ++ return true; + + /* we don't need extreme accuracy here, use a zero fail_tout as special + * value meaning no fail timeout at all; +@@ -1329,6 +1338,7 @@ static void mptcp_subflow_fail(struct mp + tcp_send_ack(ssk); + + mptcp_reset_tout_timer(msk, subflow->fail_tout); ++ return true; + } + + static bool subflow_check_data_avail(struct sock *ssk) +@@ -1389,12 +1399,11 @@ fallback: + (subflow->mp_join || subflow->valid_csum_seen)) { + subflow->send_mp_fail = 1; + +- if (!READ_ONCE(msk->allow_infinite_fallback)) { ++ if (!mptcp_subflow_fail(msk, ssk)) { + subflow->reset_transient = 0; + subflow->reset_reason = MPTCP_RST_EMIDDLEBOX; + goto reset; + } +- mptcp_subflow_fail(msk, ssk); + WRITE_ONCE(subflow->data_avail, true); + return true; + } diff --git a/queue-6.15/mptcp-reset-fallback-status-gracefully-at-disconnect-time.patch b/queue-6.15/mptcp-reset-fallback-status-gracefully-at-disconnect-time.patch new file mode 100644 index 0000000000..9d3de80725 --- /dev/null +++ b/queue-6.15/mptcp-reset-fallback-status-gracefully-at-disconnect-time.patch @@ -0,0 +1,50 @@ +From da9b2fc7b73d147d88abe1922de5ab72d72d7756 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 14 Jul 2025 18:41:46 +0200 +Subject: mptcp: reset fallback status gracefully at disconnect() time + +From: Paolo Abeni + +commit da9b2fc7b73d147d88abe1922de5ab72d72d7756 upstream. + +mptcp_disconnect() clears the fallback bit unconditionally, without +touching the associated flags. + +The bit clear is safe, as no fallback operation can race with that -- +all subflow are already in TCP_CLOSE status thanks to the previous +FASTCLOSE -- but we need to consistently reset all the fallback related +status. + +Also acquire the relevant lock, to avoid fouling static analyzers. + +Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250714-net-mptcp-fallback-races-v1-3-391aff963322@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -3140,7 +3140,16 @@ static int mptcp_disconnect(struct sock + * subflow + */ + mptcp_destroy_common(msk, MPTCP_CF_FASTCLOSE); ++ ++ /* The first subflow is already in TCP_CLOSE status, the following ++ * can't overlap with a fallback anymore ++ */ ++ spin_lock_bh(&msk->fallback_lock); ++ msk->allow_subflows = true; ++ msk->allow_infinite_fallback = true; + WRITE_ONCE(msk->flags, 0); ++ spin_unlock_bh(&msk->fallback_lock); ++ + msk->cb_flags = 0; + msk->recovery = false; + WRITE_ONCE(msk->can_ack, false); diff --git a/queue-6.15/net-libwx-fix-the-using-of-rx-buffer-dma.patch b/queue-6.15/net-libwx-fix-the-using-of-rx-buffer-dma.patch new file mode 100644 index 0000000000..f38249dbe4 --- /dev/null +++ b/queue-6.15/net-libwx-fix-the-using-of-rx-buffer-dma.patch @@ -0,0 +1,60 @@ +From 5fd77cc6bd9b368431a815a780e407b7781bcca0 Mon Sep 17 00:00:00 2001 +From: Jiawen Wu +Date: Mon, 14 Jul 2025 10:47:54 +0800 +Subject: net: libwx: fix the using of Rx buffer DMA + +From: Jiawen Wu + +commit 5fd77cc6bd9b368431a815a780e407b7781bcca0 upstream. + +The wx_rx_buffer structure contained two DMA address fields: 'dma' and +'page_dma'. However, only 'page_dma' was actually initialized and used +to program the Rx descriptor. But 'dma' was uninitialized and used in +some paths. + +This could lead to undefined behavior, including DMA errors or +use-after-free, if the uninitialized 'dma' was used. Althrough such +error has not yet occurred, it is worth fixing in the code. + +Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI") +Cc: stable@vger.kernel.org +Signed-off-by: Jiawen Wu +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250714024755.17512-3-jiawenwu@trustnetic.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/wangxun/libwx/wx_lib.c | 4 ++-- + drivers/net/ethernet/wangxun/libwx/wx_type.h | 1 - + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c +@@ -306,7 +306,7 @@ static bool wx_alloc_mapped_page(struct + return false; + dma = page_pool_get_dma_addr(page); + +- bi->page_dma = dma; ++ bi->dma = dma; + bi->page = page; + bi->page_offset = 0; + +@@ -343,7 +343,7 @@ void wx_alloc_rx_buffers(struct wx_ring + DMA_FROM_DEVICE); + + rx_desc->read.pkt_addr = +- cpu_to_le64(bi->page_dma + bi->page_offset); ++ cpu_to_le64(bi->dma + bi->page_offset); + + rx_desc++; + bi++; +--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h ++++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h +@@ -947,7 +947,6 @@ struct wx_tx_buffer { + struct wx_rx_buffer { + struct sk_buff *skb; + dma_addr_t dma; +- dma_addr_t page_dma; + struct page *page; + unsigned int page_offset; + }; diff --git a/queue-6.15/net-libwx-properly-reset-rx-ring-descriptor.patch b/queue-6.15/net-libwx-properly-reset-rx-ring-descriptor.patch new file mode 100644 index 0000000000..67c59e56ea --- /dev/null +++ b/queue-6.15/net-libwx-properly-reset-rx-ring-descriptor.patch @@ -0,0 +1,124 @@ +From d992ed7e1b687ad7df0763d3e015a5358646210b Mon Sep 17 00:00:00 2001 +From: Jiawen Wu +Date: Mon, 14 Jul 2025 10:47:55 +0800 +Subject: net: libwx: properly reset Rx ring descriptor + +From: Jiawen Wu + +commit d992ed7e1b687ad7df0763d3e015a5358646210b upstream. + +When device reset is triggered by feature changes such as toggling Rx +VLAN offload, wx->do_reset() is called to reinitialize Rx rings. The +hardware descriptor ring may retain stale values from previous sessions. +And only set the length to 0 in rx_desc[0] would result in building +malformed SKBs. Fix it to ensure a clean slate after device reset. + +[ 549.186435] [ C16] ------------[ cut here ]------------ +[ 549.186457] [ C16] kernel BUG at net/core/skbuff.c:2814! +[ 549.186468] [ C16] Oops: invalid opcode: 0000 [#1] SMP NOPTI +[ 549.186472] [ C16] CPU: 16 UID: 0 PID: 0 Comm: swapper/16 Kdump: loaded Not tainted 6.16.0-rc4+ #23 PREEMPT(voluntary) +[ 549.186476] [ C16] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 +[ 549.186478] [ C16] RIP: 0010:__pskb_pull_tail+0x3ff/0x510 +[ 549.186484] [ C16] Code: 06 f0 ff 4f 34 74 7b 4d 8b 8c 24 c8 00 00 00 45 8b 84 24 c0 00 00 00 e9 c8 fd ff ff 48 c7 44 24 08 00 00 00 00 e9 5e fe ff ff <0f> 0b 31 c0 e9 23 90 5b ff 41 f7 c6 ff 0f 00 00 75 bf 49 8b 06 a8 +[ 549.186487] [ C16] RSP: 0018:ffffb391c0640d70 EFLAGS: 00010282 +[ 549.186490] [ C16] RAX: 00000000fffffff2 RBX: ffff8fe7e4d40200 RCX: 00000000fffffff2 +[ 549.186492] [ C16] RDX: ffff8fe7c3a4bf8e RSI: 0000000000000180 RDI: ffff8fe7c3a4bf40 +[ 549.186494] [ C16] RBP: ffffb391c0640da8 R08: ffff8fe7c3a4c0c0 R09: 000000000000000e +[ 549.186496] [ C16] R10: ffffb391c0640d88 R11: 000000000000000e R12: ffff8fe7e4d40200 +[ 549.186497] [ C16] R13: 00000000fffffff2 R14: ffff8fe7fa01a000 R15: 00000000fffffff2 +[ 549.186499] [ C16] FS: 0000000000000000(0000) GS:ffff8fef5ae40000(0000) knlGS:0000000000000000 +[ 549.186502] [ C16] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 549.186503] [ C16] CR2: 00007f77d81d6000 CR3: 000000051a032000 CR4: 0000000000750ef0 +[ 549.186505] [ C16] PKRU: 55555554 +[ 549.186507] [ C16] Call Trace: +[ 549.186510] [ C16] +[ 549.186513] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 549.186517] [ C16] __skb_pad+0xc7/0xf0 +[ 549.186523] [ C16] wx_clean_rx_irq+0x355/0x3b0 [libwx] +[ 549.186533] [ C16] wx_poll+0x92/0x120 [libwx] +[ 549.186540] [ C16] __napi_poll+0x28/0x190 +[ 549.186544] [ C16] net_rx_action+0x301/0x3f0 +[ 549.186548] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 549.186551] [ C16] ? __raw_spin_lock_irqsave+0x1e/0x50 +[ 549.186554] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 549.186557] [ C16] ? wake_up_nohz_cpu+0x35/0x160 +[ 549.186559] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 549.186563] [ C16] handle_softirqs+0xf9/0x2c0 +[ 549.186568] [ C16] __irq_exit_rcu+0xc7/0x130 +[ 549.186572] [ C16] common_interrupt+0xb8/0xd0 +[ 549.186576] [ C16] +[ 549.186577] [ C16] +[ 549.186579] [ C16] asm_common_interrupt+0x22/0x40 +[ 549.186582] [ C16] RIP: 0010:cpuidle_enter_state+0xc2/0x420 +[ 549.186585] [ C16] Code: 00 00 e8 11 0e 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 0d ed 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d +[ 549.186587] [ C16] RSP: 0018:ffffb391c0277e78 EFLAGS: 00000246 +[ 549.186590] [ C16] RAX: ffff8fef5ae40000 RBX: 0000000000000003 RCX: 0000000000000000 +[ 549.186591] [ C16] RDX: 0000007fde0faac5 RSI: ffffffff826e53f6 RDI: ffffffff826fa9b3 +[ 549.186593] [ C16] RBP: ffff8fe7c3a20800 R08: 0000000000000002 R09: 0000000000000000 +[ 549.186595] [ C16] R10: 0000000000000000 R11: 000000000000ffff R12: ffffffff82ed7a40 +[ 549.186596] [ C16] R13: 0000007fde0faac5 R14: 0000000000000003 R15: 0000000000000000 +[ 549.186601] [ C16] ? cpuidle_enter_state+0xb3/0x420 +[ 549.186605] [ C16] cpuidle_enter+0x29/0x40 +[ 549.186609] [ C16] cpuidle_idle_call+0xfd/0x170 +[ 549.186613] [ C16] do_idle+0x7a/0xc0 +[ 549.186616] [ C16] cpu_startup_entry+0x25/0x30 +[ 549.186618] [ C16] start_secondary+0x117/0x140 +[ 549.186623] [ C16] common_startup_64+0x13e/0x148 +[ 549.186628] [ C16] + +Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI") +Cc: stable@vger.kernel.org +Signed-off-by: Jiawen Wu +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250714024755.17512-4-jiawenwu@trustnetic.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/wangxun/libwx/wx_hw.c | 7 +++---- + drivers/net/ethernet/wangxun/libwx/wx_lib.c | 5 +++++ + 2 files changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c +@@ -1699,7 +1699,6 @@ static void wx_configure_rx_ring(struct + struct wx_ring *ring) + { + u16 reg_idx = ring->reg_idx; +- union wx_rx_desc *rx_desc; + u64 rdba = ring->dma; + u32 rxdctl; + +@@ -1729,9 +1728,9 @@ static void wx_configure_rx_ring(struct + memset(ring->rx_buffer_info, 0, + sizeof(struct wx_rx_buffer) * ring->count); + +- /* initialize Rx descriptor 0 */ +- rx_desc = WX_RX_DESC(ring, 0); +- rx_desc->wb.upper.length = 0; ++ /* reset ntu and ntc to place SW in sync with hardware */ ++ ring->next_to_clean = 0; ++ ring->next_to_use = 0; + + /* enable receive descriptor ring */ + wr32m(wx, WX_PX_RR_CFG(reg_idx), +--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c +@@ -356,6 +356,8 @@ void wx_alloc_rx_buffers(struct wx_ring + + /* clear the status bits for the next_to_use descriptor */ + rx_desc->wb.upper.status_error = 0; ++ /* clear the length for the next_to_use descriptor */ ++ rx_desc->wb.upper.length = 0; + + cleaned_count--; + } while (cleaned_count); +@@ -2303,6 +2305,9 @@ static void wx_clean_rx_ring(struct wx_r + } + } + ++ /* Zero out the descriptor ring */ ++ memset(rx_ring->desc, 0, rx_ring->size); ++ + rx_ring->next_to_alloc = 0; + rx_ring->next_to_clean = 0; + rx_ring->next_to_use = 0; diff --git a/queue-6.15/net-libwx-remove-duplicate-page_pool_put_full_page.patch b/queue-6.15/net-libwx-remove-duplicate-page_pool_put_full_page.patch new file mode 100644 index 0000000000..87398ce536 --- /dev/null +++ b/queue-6.15/net-libwx-remove-duplicate-page_pool_put_full_page.patch @@ -0,0 +1,135 @@ +From 1b7e585c04cd5f0731dd25ffd396277e55fae0e6 Mon Sep 17 00:00:00 2001 +From: Jiawen Wu +Date: Mon, 14 Jul 2025 10:47:53 +0800 +Subject: net: libwx: remove duplicate page_pool_put_full_page() + +From: Jiawen Wu + +commit 1b7e585c04cd5f0731dd25ffd396277e55fae0e6 upstream. + +page_pool_put_full_page() should only be invoked when freeing Rx buffers +or building a skb if the size is too short. At other times, the pages +need to be reused. So remove the redundant page put. In the original +code, double free pages cause kernel panic: + +[ 876.949834] __irq_exit_rcu+0xc7/0x130 +[ 876.949836] common_interrupt+0xb8/0xd0 +[ 876.949838] +[ 876.949838] +[ 876.949840] asm_common_interrupt+0x22/0x40 +[ 876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420 +[ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d +[ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246 +[ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000 +[ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e +[ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed +[ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580 +[ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000 +[ 876.949852] ? cpuidle_enter_state+0xb3/0x420 +[ 876.949855] cpuidle_enter+0x29/0x40 +[ 876.949857] cpuidle_idle_call+0xfd/0x170 +[ 876.949859] do_idle+0x7a/0xc0 +[ 876.949861] cpu_startup_entry+0x25/0x30 +[ 876.949862] start_secondary+0x117/0x140 +[ 876.949864] common_startup_64+0x13e/0x148 +[ 876.949867] +[ 876.949868] ---[ end trace 0000000000000000 ]--- +[ 876.949869] ------------[ cut here ]------------ +[ 876.949870] list_del corruption, ffffead40445a348->next is NULL +[ 876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120 +[ 876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E) +[ 876.949914] i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi +[ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary) +[ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE +[ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 +[ 876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120 +[ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff <0f> 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8 +[ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282 +[ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000 +[ 876.949942] RDX: 0000000000000105 RSI: 0000000000000001 RDI: 00000000ffffffff +[ 876.949943] RBP: 0000000000000000 R08: 000000010006dfde R09: ffffffff8a47d150 +[ 876.949944] R10: ffffffff8a47d150 R11: 0000000000000003 R12: dead000000000122 +[ 876.949945] R13: ffff9e3e9e5af700 R14: ffffead40445a348 R15: ffff9e3e9e5af720 +[ 876.949946] FS: 0000000000000000(0000) GS:ffff9e3f135be000(0000) knlGS:0000000000000000 +[ 876.949947] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 876.949948] CR2: 00007fa58b480048 CR3: 0000000156724000 CR4: 0000000000750ef0 +[ 876.949949] PKRU: 55555554 +[ 876.949950] Call Trace: +[ 876.949951] +[ 876.949952] __rmqueue_pcplist+0x53/0x2c0 +[ 876.949955] alloc_pages_bulk_noprof+0x2e0/0x660 +[ 876.949958] __page_pool_alloc_pages_slow+0xa9/0x400 +[ 876.949961] page_pool_alloc_pages+0xa/0x20 +[ 876.949963] wx_alloc_rx_buffers+0xd7/0x110 [libwx] +[ 876.949967] wx_clean_rx_irq+0x262/0x430 [libwx] +[ 876.949971] wx_poll+0x92/0x130 [libwx] +[ 876.949975] __napi_poll+0x28/0x190 +[ 876.949977] net_rx_action+0x301/0x3f0 +[ 876.949980] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 876.949981] ? profile_tick+0x30/0x70 +[ 876.949983] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 876.949984] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 876.949986] ? timerqueue_add+0xa3/0xc0 +[ 876.949988] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 876.949989] ? __raise_softirq_irqoff+0x16/0x70 +[ 876.949991] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 876.949993] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 876.949994] ? wx_msix_clean_rings+0x41/0x50 [libwx] +[ 876.949998] handle_softirqs+0xf9/0x2c0 + +Fixes: 3c47e8ae113a ("net: libwx: Support to receive packets in NAPI") +Cc: stable@vger.kernel.org +Signed-off-by: Jiawen Wu +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250714024755.17512-2-jiawenwu@trustnetic.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/wangxun/libwx/wx_lib.c | 11 ----------- + drivers/net/ethernet/wangxun/libwx/wx_type.h | 1 - + 2 files changed, 12 deletions(-) + +--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c +@@ -173,10 +173,6 @@ static void wx_dma_sync_frag(struct wx_r + skb_frag_off(frag), + skb_frag_size(frag), + DMA_FROM_DEVICE); +- +- /* If the page was released, just unmap it. */ +- if (unlikely(WX_CB(skb)->page_released)) +- page_pool_put_full_page(rx_ring->page_pool, rx_buffer->page, false); + } + + static struct wx_rx_buffer *wx_get_rx_buffer(struct wx_ring *rx_ring, +@@ -226,10 +222,6 @@ static void wx_put_rx_buffer(struct wx_r + struct sk_buff *skb, + int rx_buffer_pgcnt) + { +- if (!IS_ERR(skb) && WX_CB(skb)->dma == rx_buffer->dma) +- /* the page has been released from the ring */ +- WX_CB(skb)->page_released = true; +- + /* clear contents of rx_buffer */ + rx_buffer->page = NULL; + rx_buffer->skb = NULL; +@@ -2288,9 +2280,6 @@ static void wx_clean_rx_ring(struct wx_r + if (rx_buffer->skb) { + struct sk_buff *skb = rx_buffer->skb; + +- if (WX_CB(skb)->page_released) +- page_pool_put_full_page(rx_ring->page_pool, rx_buffer->page, false); +- + dev_kfree_skb(skb); + } + +--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h ++++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h +@@ -859,7 +859,6 @@ enum wx_reset_type { + struct wx_cb { + dma_addr_t dma; + u16 append_cnt; /* number of skb's appended */ +- bool page_released; + bool dma_released; + }; + diff --git a/queue-6.15/net-mlx5-update-the-list-of-the-pci-supported-devices.patch b/queue-6.15/net-mlx5-update-the-list-of-the-pci-supported-devices.patch new file mode 100644 index 0000000000..65c245ea6a --- /dev/null +++ b/queue-6.15/net-mlx5-update-the-list-of-the-pci-supported-devices.patch @@ -0,0 +1,34 @@ +From ad4f6df4f384905bc85f9fbfc1c0c198fb563286 Mon Sep 17 00:00:00 2001 +From: Maor Gottlieb +Date: Wed, 16 Jul 2025 10:29:29 +0300 +Subject: net/mlx5: Update the list of the PCI supported devices + +From: Maor Gottlieb + +commit ad4f6df4f384905bc85f9fbfc1c0c198fb563286 upstream. + +Add the upcoming ConnectX-10 device ID to the table of supported +PCI device IDs. + +Cc: stable@vger.kernel.org +Signed-off-by: Maor Gottlieb +Reviewed-by: Mark Bloch +Reviewed-by: Eran Ben Elisha +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1752650969-148501-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -2257,6 +2257,7 @@ static const struct pci_device_id mlx5_c + { PCI_VDEVICE(MELLANOX, 0x1021) }, /* ConnectX-7 */ + { PCI_VDEVICE(MELLANOX, 0x1023) }, /* ConnectX-8 */ + { PCI_VDEVICE(MELLANOX, 0x1025) }, /* ConnectX-9 */ ++ { PCI_VDEVICE(MELLANOX, 0x1027) }, /* ConnectX-10 */ + { PCI_VDEVICE(MELLANOX, 0xa2d2) }, /* BlueField integrated ConnectX-5 network controller */ + { PCI_VDEVICE(MELLANOX, 0xa2d3), MLX5_PCI_DEV_IS_VF}, /* BlueField integrated ConnectX-5 network controller VF */ + { PCI_VDEVICE(MELLANOX, 0xa2d6) }, /* BlueField-2 integrated ConnectX-6 Dx network controller */ diff --git a/queue-6.15/net-stmmac-intel-populate-entire-system_counterval_t-in-get_time_fn-callback.patch b/queue-6.15/net-stmmac-intel-populate-entire-system_counterval_t-in-get_time_fn-callback.patch new file mode 100644 index 0000000000..3ee5eab333 --- /dev/null +++ b/queue-6.15/net-stmmac-intel-populate-entire-system_counterval_t-in-get_time_fn-callback.patch @@ -0,0 +1,55 @@ +From e6176ab107ec6e57a752a97ba9f7c34a23034262 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Markus=20Bl=C3=B6chl?= +Date: Sun, 13 Jul 2025 22:21:41 +0200 +Subject: net: stmmac: intel: populate entire system_counterval_t in get_time_fn() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Blöchl + +commit e6176ab107ec6e57a752a97ba9f7c34a23034262 upstream. + +get_time_fn() callback implementations are expected to fill out the +entire system_counterval_t struct as it may be initially uninitialized. + +This broke with the removal of convert_art_to_tsc() helper functions +which left use_nsecs uninitialized. + +Initially assign the entire struct with default values. + +Fixes: f5e1d0db3f02 ("stmmac: intel: Remove convert_art_to_tsc()") +Cc: stable@vger.kernel.org +Signed-off-by: Markus Blöchl +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250713-stmmac_crossts-v1-1-31bfe051b5cb@blochl.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-intel.c +@@ -433,6 +433,12 @@ static int intel_crosststamp(ktime_t *de + return -ETIMEDOUT; + } + ++ *system = (struct system_counterval_t) { ++ .cycles = 0, ++ .cs_id = CSID_X86_ART, ++ .use_nsecs = false, ++ }; ++ + num_snapshot = (readl(ioaddr + GMAC_TIMESTAMP_STATUS) & + GMAC_TIMESTAMP_ATSNS_MASK) >> + GMAC_TIMESTAMP_ATSNS_SHIFT; +@@ -448,7 +454,7 @@ static int intel_crosststamp(ktime_t *de + } + + system->cycles *= intel_priv->crossts_adj; +- system->cs_id = CSID_X86_ART; ++ + priv->plat->flags &= ~STMMAC_FLAG_INT_SNAPSHOT_EN; + + return 0; diff --git a/queue-6.15/netfs-fix-copy-to-cache-so-that-it-performs-collection-with-ceph-fscache.patch b/queue-6.15/netfs-fix-copy-to-cache-so-that-it-performs-collection-with-ceph-fscache.patch new file mode 100644 index 0000000000..b386d9ac7f --- /dev/null +++ b/queue-6.15/netfs-fix-copy-to-cache-so-that-it-performs-collection-with-ceph-fscache.patch @@ -0,0 +1,55 @@ +From 4c238e30774e3022a505fa54311273add7570f13 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Fri, 11 Jul 2025 16:10:00 +0100 +Subject: netfs: Fix copy-to-cache so that it performs collection with ceph+fscache + +From: David Howells + +commit 4c238e30774e3022a505fa54311273add7570f13 upstream. + +The netfs copy-to-cache that is used by Ceph with local caching sets up a +new request to write data just read to the cache. The request is started +and then left to look after itself whilst the app continues. The request +gets notified by the backing fs upon completion of the async DIO write, but +then tries to wake up the app because NETFS_RREQ_OFFLOAD_COLLECTION isn't +set - but the app isn't waiting there, and so the request just hangs. + +Fix this by setting NETFS_RREQ_OFFLOAD_COLLECTION which causes the +notification from the backing filesystem to put the collection onto a work +queue instead. + +Fixes: e2d46f2ec332 ("netfs: Change the read result collector to only use one work item") +Reported-by: Max Kellermann +Link: https://lore.kernel.org/r/CAKPOu+8z_ijTLHdiCYGU_Uk7yYD=shxyGLwfe-L7AV3DhebS3w@mail.gmail.com/ +Signed-off-by: David Howells +Link: https://lore.kernel.org/20250711151005.2956810-2-dhowells@redhat.com +Reviewed-by: Paulo Alcantara (Red Hat) +cc: Paulo Alcantara +cc: Viacheslav Dubeyko +cc: Alex Markuze +cc: Ilya Dryomov +cc: netfs@lists.linux.dev +cc: ceph-devel@vger.kernel.org +cc: linux-fsdevel@vger.kernel.org +cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/netfs/read_pgpriv2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/netfs/read_pgpriv2.c b/fs/netfs/read_pgpriv2.c +index 5bbe906a551d..080d2a6a51d9 100644 +--- a/fs/netfs/read_pgpriv2.c ++++ b/fs/netfs/read_pgpriv2.c +@@ -110,6 +110,7 @@ static struct netfs_io_request *netfs_pgpriv2_begin_copy_to_cache( + if (!creq->io_streams[1].avail) + goto cancel_put; + ++ __set_bit(NETFS_RREQ_OFFLOAD_COLLECTION, &creq->flags); + trace_netfs_write(creq, netfs_write_trace_copy_to_cache); + netfs_stat(&netfs_n_wh_copy_to_cache); + rreq->copy_to_cache = creq; +-- +2.50.1 + diff --git a/queue-6.15/netfs-fix-race-between-cache-write-completion-and-all_queued-being-set.patch b/queue-6.15/netfs-fix-race-between-cache-write-completion-and-all_queued-being-set.patch new file mode 100644 index 0000000000..5ca07f5985 --- /dev/null +++ b/queue-6.15/netfs-fix-race-between-cache-write-completion-and-all_queued-being-set.patch @@ -0,0 +1,130 @@ +From 89635eae076cd8eaa5cb752f66538c9dc6c9fdc3 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Fri, 11 Jul 2025 16:10:01 +0100 +Subject: netfs: Fix race between cache write completion and ALL_QUEUED being set + +From: David Howells + +commit 89635eae076cd8eaa5cb752f66538c9dc6c9fdc3 upstream. + +When netfslib is issuing subrequests, the subrequests start processing +immediately and may complete before we reach the end of the issuing +function. At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED +to indicate to the collector that we aren't going to issue any more subreqs +and that it can do the final notifications and cleanup. + +Now, this isn't a problem if the request is synchronous +(NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be +done in-thread and we're guaranteed an opportunity to run the collector. + +However, if the request is asynchronous, collection is primarily triggered +by the termination of subrequests queuing it on a workqueue. Now, a race +can occur here if the app thread sets ALL_QUEUED after the last subrequest +terminates. + +This can happen most easily with the copy2cache code (as used by Ceph) +where, in the collection routine of a read request, an asynchronous write +request is spawned to copy data to the cache. Folios are added to the +write request as they're unlocked, but there may be a delay before +ALL_QUEUED is set as the write subrequests may complete before we get +there. + +If all the write subreqs have finished by the ALL_QUEUED point, no further +events happen and the collection never happens, leaving the request +hanging. + +Fix this by queuing the collector after setting ALL_QUEUED. This is a bit +heavy-handed and it may be sufficient to do it only if there are no extant +subreqs. + +Also add a tracepoint to cross-reference both requests in a copy-to-request +operation and add a trace to the netfs_rreq tracepoint to indicate the +setting of ALL_QUEUED. + +Fixes: e2d46f2ec332 ("netfs: Change the read result collector to only use one work item") +Reported-by: Max Kellermann +Link: https://lore.kernel.org/r/CAKPOu+8z_ijTLHdiCYGU_Uk7yYD=shxyGLwfe-L7AV3DhebS3w@mail.gmail.com/ +Signed-off-by: David Howells +Link: https://lore.kernel.org/20250711151005.2956810-3-dhowells@redhat.com +Reviewed-by: Paulo Alcantara (Red Hat) +cc: Paulo Alcantara +cc: Viacheslav Dubeyko +cc: Alex Markuze +cc: Ilya Dryomov +cc: netfs@lists.linux.dev +cc: ceph-devel@vger.kernel.org +cc: linux-fsdevel@vger.kernel.org +cc: stable@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/netfs/read_pgpriv2.c | 4 ++++ + include/trace/events/netfs.h | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 34 insertions(+) + +--- a/fs/netfs/read_pgpriv2.c ++++ b/fs/netfs/read_pgpriv2.c +@@ -111,6 +111,7 @@ static struct netfs_io_request *netfs_pg + goto cancel_put; + + __set_bit(NETFS_RREQ_OFFLOAD_COLLECTION, &creq->flags); ++ trace_netfs_copy2cache(rreq, creq); + trace_netfs_write(creq, netfs_write_trace_copy_to_cache); + netfs_stat(&netfs_n_wh_copy_to_cache); + rreq->copy_to_cache = creq; +@@ -155,6 +156,9 @@ void netfs_pgpriv2_end_copy_to_cache(str + netfs_issue_write(creq, &creq->io_streams[1]); + smp_wmb(); /* Write lists before ALL_QUEUED. */ + set_bit(NETFS_RREQ_ALL_QUEUED, &creq->flags); ++ trace_netfs_rreq(rreq, netfs_rreq_trace_end_copy_to_cache); ++ if (list_empty_careful(&creq->io_streams[1].subrequests)) ++ netfs_wake_collector(creq); + + netfs_put_request(creq, netfs_rreq_trace_put_return); + creq->copy_to_cache = NULL; +--- a/include/trace/events/netfs.h ++++ b/include/trace/events/netfs.h +@@ -55,6 +55,7 @@ + EM(netfs_rreq_trace_complete, "COMPLET") \ + EM(netfs_rreq_trace_dirty, "DIRTY ") \ + EM(netfs_rreq_trace_done, "DONE ") \ ++ EM(netfs_rreq_trace_end_copy_to_cache, "END-C2C") \ + EM(netfs_rreq_trace_free, "FREE ") \ + EM(netfs_rreq_trace_recollect, "RECLLCT") \ + EM(netfs_rreq_trace_redirty, "REDIRTY") \ +@@ -550,6 +551,35 @@ TRACE_EVENT(netfs_write, + __entry->start, __entry->start + __entry->len - 1) + ); + ++TRACE_EVENT(netfs_copy2cache, ++ TP_PROTO(const struct netfs_io_request *rreq, ++ const struct netfs_io_request *creq), ++ ++ TP_ARGS(rreq, creq), ++ ++ TP_STRUCT__entry( ++ __field(unsigned int, rreq) ++ __field(unsigned int, creq) ++ __field(unsigned int, cookie) ++ __field(unsigned int, ino) ++ ), ++ ++ TP_fast_assign( ++ struct netfs_inode *__ctx = netfs_inode(rreq->inode); ++ struct fscache_cookie *__cookie = netfs_i_cookie(__ctx); ++ __entry->rreq = rreq->debug_id; ++ __entry->creq = creq->debug_id; ++ __entry->cookie = __cookie ? __cookie->debug_id : 0; ++ __entry->ino = rreq->inode->i_ino; ++ ), ++ ++ TP_printk("R=%08x CR=%08x c=%08x i=%x ", ++ __entry->rreq, ++ __entry->creq, ++ __entry->cookie, ++ __entry->ino) ++ ); ++ + TRACE_EVENT(netfs_collect, + TP_PROTO(const struct netfs_io_request *wreq), + diff --git a/queue-6.15/phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch b/queue-6.15/phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch new file mode 100644 index 0000000000..c4e963b7db --- /dev/null +++ b/queue-6.15/phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch @@ -0,0 +1,50 @@ +From 17ba793f381eb813596d6de1cc6820bcbda5ed8b Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 15 Jul 2025 16:15:40 -0700 +Subject: phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() + +From: Nathan Chancellor + +commit 17ba793f381eb813596d6de1cc6820bcbda5ed8b upstream. + +A new warning in clang [1] points out a place in pep_sock_accept() where +dst is uninitialized then passed as a const pointer to pep_find_pipe(): + + net/phonet/pep.c:829:37: error: variable 'dst' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] + 829 | newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle); + | ^~~: + +Move the call to pn_skb_get_dst_sockaddr(), which initializes dst, to +before the call to pep_find_pipe(), so that dst is consistently used +initialized throughout the function. + +Cc: stable@vger.kernel.org +Fixes: f7ae8d59f661 ("Phonet: allocate sock from accept syscall rather than soft IRQ") +Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1] +Closes: https://github.com/ClangBuiltLinux/linux/issues/2101 +Signed-off-by: Nathan Chancellor +Link: https://patch.msgid.link/20250715-net-phonet-fix-uninit-const-pointer-v1-1-8efd1bd188b3@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/phonet/pep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/phonet/pep.c ++++ b/net/phonet/pep.c +@@ -826,6 +826,7 @@ static struct sock *pep_sock_accept(stru + } + + /* Check for duplicate pipe handle */ ++ pn_skb_get_dst_sockaddr(skb, &dst); + newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle); + if (unlikely(newsk)) { + __sock_put(newsk); +@@ -850,7 +851,6 @@ static struct sock *pep_sock_accept(stru + newsk->sk_destruct = pipe_destruct; + + newpn = pep_sk(newsk); +- pn_skb_get_dst_sockaddr(skb, &dst); + pn_skb_get_src_sockaddr(skb, &src); + newpn->pn_sk.sobject = pn_sockaddr_get_object(&dst); + newpn->pn_sk.dobject = pn_sockaddr_get_object(&src); diff --git a/queue-6.15/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch b/queue-6.15/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch new file mode 100644 index 0000000000..d33e67724c --- /dev/null +++ b/queue-6.15/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch @@ -0,0 +1,109 @@ +From 500ba33284416255b9a5b50ace24470b6fe77ea5 Mon Sep 17 00:00:00 2001 +From: Maulik Shah +Date: Wed, 9 Jul 2025 14:00:11 +0530 +Subject: pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov + +From: Maulik Shah + +commit 500ba33284416255b9a5b50ace24470b6fe77ea5 upstream. + +pm_domain_cpu_gov is selecting a cluster idle state but does not consider +latency tolerance of child CPUs. This results in deeper cluster idle state +whose latency does not meet latency tolerance requirement. + +Select deeper idle state only if global and device latency tolerance of all +child CPUs meet. + +Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than +domain idle state entry (2150) + exit (1983) usec latency mentioned in +devicetree, demonstrate the issue. + + # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us + +Before: (Usage is incrementing) +====== + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 29817 537 8 270 0 + + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 30348 542 8 271 0 + +After: (Usage is not incrementing due to latency tolerance) +====== + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 39319 626 14 307 0 + + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 39319 626 14 307 0 + +Signed-off-by: Maulik Shah +Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualcomm.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/governor.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/pmdomain/governor.c ++++ b/drivers/pmdomain/governor.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -349,6 +350,8 @@ static bool cpu_power_down_ok(struct dev + struct cpuidle_device *dev; + ktime_t domain_wakeup, next_hrtimer; + ktime_t now = ktime_get(); ++ struct device *cpu_dev; ++ s64 cpu_constraint, global_constraint; + s64 idle_duration_ns; + int cpu, i; + +@@ -359,6 +362,7 @@ static bool cpu_power_down_ok(struct dev + if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) + return true; + ++ global_constraint = cpu_latency_qos_limit(); + /* + * Find the next wakeup for any of the online CPUs within the PM domain + * and its subdomains. Note, we only need the genpd->cpus, as it already +@@ -372,8 +376,16 @@ static bool cpu_power_down_ok(struct dev + if (ktime_before(next_hrtimer, domain_wakeup)) + domain_wakeup = next_hrtimer; + } ++ ++ cpu_dev = get_cpu_device(cpu); ++ if (cpu_dev) { ++ cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); ++ if (cpu_constraint < global_constraint) ++ global_constraint = cpu_constraint; ++ } + } + ++ global_constraint *= NSEC_PER_USEC; + /* The minimum idle duration is from now - until the next wakeup. */ + idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now)); + if (idle_duration_ns <= 0) +@@ -389,8 +401,10 @@ static bool cpu_power_down_ok(struct dev + */ + i = genpd->state_idx; + do { +- if (idle_duration_ns >= (genpd->states[i].residency_ns + +- genpd->states[i].power_off_latency_ns)) { ++ if ((idle_duration_ns >= (genpd->states[i].residency_ns + ++ genpd->states[i].power_off_latency_ns)) && ++ (global_constraint >= (genpd->states[i].power_on_latency_ns + ++ genpd->states[i].power_off_latency_ns))) { + genpd->state_idx = i; + return true; + } diff --git a/queue-6.15/series b/queue-6.15/series index 73c65bf9d0..40bc922cd8 100644 --- a/queue-6.15/series +++ b/queue-6.15/series @@ -30,3 +30,43 @@ tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch tracing-osnoise-fix-crash-in-timerlat_dump_stack.patch rust-init-fix-generics-in-_init-macros.patch objtool-rust-add-one-more-noreturn-rust-function-for-rust-1.89.0.patch +drm-amdgpu-gfx8-reset-compute-ring-wptr-on-the-gpu-on-resume.patch +drm-panfrost-fix-scheduler-workqueue-bug.patch +drm-amdgpu-increase-reset-counter-only-on-success.patch +drm-amd-display-disable-crtc-degamma-lut-for-dcn401.patch +drm-amd-display-free-memory-allocation.patch +netfs-fix-copy-to-cache-so-that-it-performs-collection-with-ceph-fscache.patch +netfs-fix-race-between-cache-write-completion-and-all_queued-being-set.patch +alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r0xxx.patch +alsa-hda-realtek-add-quirk-for-asus-rog-strix-g712lws.patch +io_uring-poll-fix-pollerr-handling.patch +fix-smb311-posix-special-file-creation-to-servers-which-do-not-advertise-reparse-support.patch +mptcp-make-fallback-action-and-fallback-decision-atomic.patch +mptcp-plug-races-between-subflow-fail-and-subflow-creation.patch +mptcp-reset-fallback-status-gracefully-at-disconnect-time.patch +phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch +net-mlx5-update-the-list-of-the-pci-supported-devices.patch +arm64-dts-imx8mp-venice-gw74xx-fix-tpm-spi-frequency.patch +arm64-dts-add-big-endian-property-back-into-watchdog-node.patch +arm64-dts-freescale-imx8mm-verdin-keep-ldo5-always-on.patch +arm64-dts-imx8mp-venice-gw71xx-fix-tpm-spi-frequency.patch +arm64-dts-imx8mp-venice-gw72xx-fix-tpm-spi-frequency.patch +arm64-dts-imx8mp-venice-gw73xx-fix-tpm-spi-frequency.patch +arm64-dts-rockchip-list-all-cpu-supplies-on-armsom-sige5.patch +arm64-dts-rockchip-use-cs-gpios-for-spi1-on-ringneck.patch +af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch +af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch +bluetooth-btintel-check-if-controller-is-iso-capable-on-btintel_classify_pkt_type.patch +cpuidle-psci-fix-cpuhotplug-routine-with-preempt_rt-y.patch +dmaengine-mediatek-fix-a-flag-reuse-error-in-mtk_cqdma_tx_status.patch +dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch +isofs-verify-inode-mode-when-loading-from-disk.patch +memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch +mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch +mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch +mmc-sdhci_am654-workaround-for-errata-i2312.patch +net-stmmac-intel-populate-entire-system_counterval_t-in-get_time_fn-callback.patch +net-libwx-remove-duplicate-page_pool_put_full_page.patch +net-libwx-fix-the-using-of-rx-buffer-dma.patch +net-libwx-properly-reset-rx-ring-descriptor.patch +pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch