From: Greg Kroah-Hartman Date: Thu, 21 Aug 2025 13:37:56 +0000 (+0200) Subject: 6.16-stable patches X-Git-Tag: v6.16.3~85 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa6494baf1116a00cae9cc6e64a6da06d6dee9de;p=thirdparty%2Fkernel%2Fstable-queue.git 6.16-stable patches added patches: amdgpu-amdgpu_discovery-increase-timeout-limit-for-ifwi-init.patch asoc-sof-amd-acp-loader-use-gfp_kernel-for-dma-allocations-in-resume-context.patch block-restore-default-wbt-enablement.patch f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch i2c-qcom-geni-fix-i2c-frequency-table-to-achieve-accurate-bus-rates.patch iomap-fix-broken-data-integrity-guarantees-for-o_sync-writes.patch jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch kasan-test-fix-protection-against-compiler-elision.patch kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch mark-xe-driver-as-broken-if-kernel-page-size-is-not-4kb.patch media-gspca-add-bounds-checking-to-firmware-parser.patch media-hi556-correct-the-test-pattern-configuration.patch media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch media-ipu6-isys-use-correct-pads-for-xlate_streams.patch media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch media-mt9m114-fix-deadlock-in-get_frame_interval-set_frame_interval.patch media-ov2659-fix-memory-leaks-in-ov2659_probe.patch media-pisp_be-fix-pm_runtime-underrun-in-probe.patch media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch media-usbtv-lock-resolution-while-streaming.patch media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch media-verisilicon-fix-av1-decoder-clock-frequency.patch media-vivid-fix-wrong-pixel_array-control-size.patch mfd-mt6397-do-not-use-generic-name-for-keypad-sub-devices.patch mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch mtd-rawnand-renesas-add-missing-check-after-dma-map.patch mtd-spi-nor-fix-spi_nor_try_unlock_all.patch 
mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch open_tree_attr-do-not-allow-id-mapping-changes-without-open_tree_clone.patch parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch parisc-define-and-use-set_pte_at.patch parisc-drop-warn_on_once-from-flush_cache_vmap.patch parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch parisc-revise-__get_user-to-probe-user-read-access.patch parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch parisc-update-comments-in-make_insert_tlb.patch pci-endpoint-fix-configfs-group-list-head-handling.patch pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch pci-fix-link-speed-calculation-on-retrain-failure.patch pci-imx6-add-imx8mm_ep-and-imx8mp_ep-fixed-256-byte-bar-4-in-epc_features.patch pci-imx6-add-imx8mq_ep-third-64-bit-bar-in-epc_features.patch pci-imx6-delay-link-start-until-configfs-start-written.patch pci-imx6-remove-apps_reset-toggling-from-imx_pcie_-assert-deassert-_core_reset.patch pci-portdrv-use-is_pciehp-instead-of-is_hotplug_bridge.patch phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch readahead-fix-return-value-of-page_cache_next_miss-when-no-hole-is-found.patch soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch vsock-virtio-validate-length-in-packet-header-before-skb_put.patch
---
diff --git a/queue-6.16/amdgpu-amdgpu_discovery-increase-timeout-limit-for-ifwi-init.patch b/queue-6.16/amdgpu-amdgpu_discovery-increase-timeout-limit-for-ifwi-init.patch
new file mode 100644
index 0000000000..2a3926217c
--- /dev/null
+++ b/queue-6.16/amdgpu-amdgpu_discovery-increase-timeout-limit-for-ifwi-init.patch
@@ -0,0 +1,42 @@
+From 928587381b54b1b6c62736486b1dc6cb16c568c2 Mon Sep 17 00:00:00 2001
+From: Xaver Hugl
+Date: Fri, 1 Aug 2025 00:49:51 +0200
+Subject: amdgpu/amdgpu_discovery: increase timeout limit for IFWI init
+
+From: Xaver Hugl
+
+commit 928587381b54b1b6c62736486b1dc6cb16c568c2 upstream.
+
+With a timeout of only 1 second, my rx 5700XT fails to initialize,
+so this increases the timeout to 2s.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3697
+Signed-off-by: Xaver Hugl
+Signed-off-by: Alex Deucher
+(cherry picked from commit 9ed3d7bdf2dcdf1a1196630fab89a124526e9cc2)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
+@@ -276,7 +276,7 @@ static int amdgpu_discovery_read_binary_
+ u32 msg;
+
+ if (!amdgpu_sriov_vf(adev)) {
+- /* It can take up to a second for IFWI init to complete on some dGPUs,
++ /* It can take up to two second for IFWI init to complete on some dGPUs,
+ * but generally it should be in the 60-100ms range. Normally this starts
+ * as soon as the device gets power so by the time the OS loads this has long
+ * completed. However, when a card is hotplugged via e.g., USB4, we need to
+@@ -284,7 +284,7 @@ static int amdgpu_discovery_read_binary_
+ * continue.
+ */
+
+- for (i = 0; i < 1000; i++) {
++ for (i = 0; i < 2000; i++) {
+ msg = RREG32(mmMP0_SMN_C2PMSG_33);
+ if (msg & 0x80000000)
+ break;
diff --git a/queue-6.16/asoc-sof-amd-acp-loader-use-gfp_kernel-for-dma-allocations-in-resume-context.patch b/queue-6.16/asoc-sof-amd-acp-loader-use-gfp_kernel-for-dma-allocations-in-resume-context.patch
new file mode 100644
index 0000000000..c901aa05a2
--- /dev/null
+++ b/queue-6.16/asoc-sof-amd-acp-loader-use-gfp_kernel-for-dma-allocations-in-resume-context.patch
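Review bot: In the amdgpu_discovery.c patch, the rewritten comment reads "up to two second", which should be `/* It can take up to two seconds for IFWI init to complete on some dGPUs,`. The loop bound `2000` and the "two seconds" in the comment are tied together only by the per-iteration delay, which is outside the hunk, so a named constant for the iteration count would keep the comment and the code from drifting apart again.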
@@ -0,0 +1,60 @@
+From eb3bb145280b6c857a748731a229698e4a7cf37b Mon Sep 17 00:00:00 2001
+From: Muhammad Usama Anjum
+Date: Sat, 26 Jul 2025 00:02:54 +0500
+Subject: ASoC: SOF: amd: acp-loader: Use GFP_KERNEL for DMA allocations in resume context
+
+From: Muhammad Usama Anjum
+
+commit eb3bb145280b6c857a748731a229698e4a7cf37b upstream.
+
+Replace GFP_ATOMIC with GFP_KERNEL for dma_alloc_coherent() calls. This
+change improves memory allocation reliability during firmware loading,
+particularly during system resume when memory pressure is high. Because
+of using GFP_KERNEL, reclaim can happen which can reduce the probability
+of failure.
+
+Fixes memory allocation failures observed during system resume with
+fragmented memory conditions.
+
+ snd_sof_amd_vangogh 0000:04:00.5: error: failed to load DSP firmware after resume -12
+
+Fixes: 145d7e5ae8f4e ("ASoC: SOF: amd: add option to use sram for data bin loading")
+Fixes: 7e51a9e38ab20 ("ASoC: SOF: amd: Add fw loader and renoir dsp ops to load firmware")
+Cc: stable@vger.kernel.org
+Signed-off-by: Muhammad Usama Anjum
+Link: https://patch.msgid.link/20250725190254.1081184-1-usama.anjum@collabora.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/sof/amd/acp-loader.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/sof/amd/acp-loader.c
++++ b/sound/soc/sof/amd/acp-loader.c
+@@ -65,7 +65,7 @@ int acp_dsp_block_write(struct snd_sof_d
+ dma_size = page_count * ACP_PAGE_SIZE;
+ adata->bin_buf = dma_alloc_coherent(&pci->dev, dma_size,
+ &adata->sha_dma_addr,
+- GFP_ATOMIC);
++ GFP_KERNEL);
+ if (!adata->bin_buf)
+ return -ENOMEM;
+ }
+@@ -77,7 +77,7 @@ int acp_dsp_block_write(struct snd_sof_d
+ adata->data_buf = dma_alloc_coherent(&pci->dev,
+ ACP_DEFAULT_DRAM_LENGTH,
+ &adata->dma_addr,
+- GFP_ATOMIC);
++ GFP_KERNEL);
+ if (!adata->data_buf)
+ return -ENOMEM;
+ }
+@@ -90,7 +90,7 @@ int acp_dsp_block_write(struct snd_sof_d
+ adata->sram_data_buf = dma_alloc_coherent(&pci->dev,
+ ACP_DEFAULT_SRAM_LENGTH,
+ &adata->sram_dma_addr,
+- GFP_ATOMIC);
++ GFP_KERNEL);
+ if (!adata->sram_data_buf)
+ return -ENOMEM;
+ }
diff --git a/queue-6.16/block-restore-default-wbt-enablement.patch b/queue-6.16/block-restore-default-wbt-enablement.patch
new file mode 100644
index 0000000000..929e1b082f
--- /dev/null
+++ b/queue-6.16/block-restore-default-wbt-enablement.patch
@@ -0,0 +1,61 @@
+From 8f5845e0743bf3512b71b3cb8afe06c192d6acc4 Mon Sep 17 00:00:00 2001
+From: Julian Sun
+Date: Tue, 12 Aug 2025 23:42:57 +0800
+Subject: block: restore default wbt enablement
+
+From: Julian Sun
+
+commit 8f5845e0743bf3512b71b3cb8afe06c192d6acc4 upstream.
+
+The commit 245618f8e45f ("block: protect wbt_lat_usec using
+q->elevator_lock") protected wbt_enable_default() with
+q->elevator_lock; however, it also placed wbt_enable_default()
+before blk_queue_flag_set(QUEUE_FLAG_REGISTERED, q);, resulting
+in wbt failing to be enabled.
+
+Moreover, the protection of wbt_enable_default() by q->elevator_lock
+was removed in commit 78c271344b6f ("block: move wbt_enable_default()
+out of queue freezing from sched ->exit()"), so we can directly fix
+this issue by placing wbt_enable_default() after
+blk_queue_flag_set(QUEUE_FLAG_REGISTERED, q);.
+
+Additionally, this issue also causes the inability to read the
+wbt_lat_usec file, and the scenario is as follows:
+
+root@q:/sys/block/sda/queue# cat wbt_lat_usec
+cat: wbt_lat_usec: Invalid argument
+
+root@q:/data00/sjc/linux# ls /sys/kernel/debug/block/sda/rqos
+cannot access '/sys/kernel/debug/block/sda/rqos': No such file or directory
+
+root@q:/data00/sjc/linux# find /sys -name wbt
+/sys/kernel/debug/tracing/events/wbt
+
+After testing with this patch, wbt can be enabled normally.
+
+Signed-off-by: Julian Sun
+Cc: stable@vger.kernel.org
+Fixes: 245618f8e45f ("block: protect wbt_lat_usec using q->elevator_lock")
+Reviewed-by: Nilay Shroff
+Reviewed-by: Yu Kuai
+Reviewed-by: Ming Lei
+Link: https://lore.kernel.org/r/20250812154257.57540-1-sunjunchao@bytedance.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/blk-sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -876,9 +876,9 @@ int blk_register_queue(struct gendisk *d
+
+ if (queue_is_mq(q))
+ elevator_set_default(q);
+- wbt_enable_default(disk);
+
+ blk_queue_flag_set(QUEUE_FLAG_REGISTERED, q);
++ wbt_enable_default(disk);
+
+ /* Now everything is ready and send out KOBJ_ADD uevent */
+ kobject_uevent(&disk->queue_kobj, KOBJ_ADD);
diff --git a/queue-6.16/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch b/queue-6.16/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
new file mode 100644
index 0000000000..66e313979f
--- /dev/null
+++ b/queue-6.16/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
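Review bot: In the blk_register_queue() hunk of the blk-sysfs.c patch, the ordering that the fix restores is not documented in the code, and the commit message shows the regression came from an earlier commit moving this call. A one-line comment above the moved call would protect it, e.g. `/* wbt_enable_default() must run after QUEUE_FLAG_REGISTERED is set, otherwise wbt is not enabled */`. The function starts and ends outside the hunk, so whether its error paths also depend on this order cannot be checked from here.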
@@ -0,0 +1,71 @@
+From 77de19b6867f2740cdcb6c9c7e50d522b47847a4 Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Thu, 17 Jul 2025 21:26:33 +0800
+Subject: f2fs: fix to avoid out-of-boundary access in dnode page
+
+From: Chao Yu
+
+commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 upstream.
+
+As Jiaming Zhang reported:
+
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x17e/0x800 mm/kasan/report.c:480
+ kasan_report+0x147/0x180 mm/kasan/report.c:593
+ data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
+ f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
+ f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
+ f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
+ prepare_write_begin fs/f2fs/data.c:3395 [inline]
+ f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
+ generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
+ f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
+ f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x546/0xa90 fs/read_write.c:686
+ ksys_write+0x149/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is in the corrupted image, there is a dnode has the same
+node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to
+access block address in dnode at offset 934, however it parses the dnode
+as inode node, so that get_dnode_addr() returns 360, then it tries to
+access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.
+
+To fix this issue, let's add sanity check for node id of all direct nodes
+during f2fs_get_dnode_of_data().
+
+Cc: stable@kernel.org
+Reported-by: Jiaming Zhang
+Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/node.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -816,6 +816,16 @@ int f2fs_get_dnode_of_data(struct dnode_
+ for (i = 1; i <= level; i++) {
+ bool done = false;
+
++ if (nids[i] && nids[i] == dn->inode->i_ino) {
++ err = -EFSCORRUPTED;
++ f2fs_err_ratelimited(sbi,
++ "inode mapping table is corrupted, run fsck to fix it, "
++ "ino:%lu, nid:%u, level:%d, offset:%d",
++ dn->inode->i_ino, nids[i], level, offset[level]);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ goto release_pages;
++ }
++
+ if (!nids[i] && mode == ALLOC_NODE) {
+ /* alloc new node */
+ if (!f2fs_alloc_nid(sbi, &(nids[i]))) {
diff --git a/queue-6.16/i2c-qcom-geni-fix-i2c-frequency-table-to-achieve-accurate-bus-rates.patch b/queue-6.16/i2c-qcom-geni-fix-i2c-frequency-table-to-achieve-accurate-bus-rates.patch
new file mode 100644
index 0000000000..f8b383eb25
--- /dev/null
+++ b/queue-6.16/i2c-qcom-geni-fix-i2c-frequency-table-to-achieve-accurate-bus-rates.patch
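Review bot: In the f2fs_get_dnode_of_data() hunk of the node.c patch, the new corruption message logs `level` and `offset[level]`, while the check fires for loop index `i`, so the log does not identify which level's nid collided with the inode number; consider passing `dn->inode->i_ino, nids[i], i, offset[i]);` instead. The check covers only the case where a node id equals the inode number, which is the corrupted-image case from the report; a short comment saying so would stop readers from assuming it validates the whole node chain. The `release_pages` label and the rest of the loop are outside the hunk.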
@@ -0,0 +1,44 @@
+From 85c34532849dae0fdcf880900ac9d7718a73fd1b Mon Sep 17 00:00:00 2001
+From: Kathiravan Thirumoorthy
+Date: Tue, 13 May 2025 16:38:33 +0530
+Subject: i2c: qcom-geni: fix I2C frequency table to achieve accurate bus rates
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kathiravan Thirumoorthy
+
+commit 85c34532849dae0fdcf880900ac9d7718a73fd1b upstream.
+
+Update the I2C frequency table to match the recommended values
+specified in the I2C hardware programming guide. In the current IPQ5424
+configuration where 32MHz is the source clock, the I2C bus frequencies do
+not meet expectations—for instance, 363KHz is achieved instead of the
+expected 400KHz.
+
+Fixes: 506bb2ab0075 ("i2c: qcom-geni: Support systems with 32MHz serial engine clock")
+Signed-off-by: Kathiravan Thirumoorthy
+Cc: # v6.13+
+Reviewed-by: Mukesh Kumar Savaliya
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20250513-i2c-bus-freq-v1-1-9a333ad5757f@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-qcom-geni.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-qcom-geni.c
++++ b/drivers/i2c/busses/i2c-qcom-geni.c
+@@ -155,9 +155,9 @@ static const struct geni_i2c_clk_fld gen
+
+ /* source_clock = 32 MHz */
+ static const struct geni_i2c_clk_fld geni_i2c_clk_map_32mhz[] = {
+- { I2C_MAX_STANDARD_MODE_FREQ, 8, 14, 18, 40 },
+- { I2C_MAX_FAST_MODE_FREQ, 4, 3, 11, 20 },
+- { I2C_MAX_FAST_MODE_PLUS_FREQ, 2, 3, 6, 15 },
++ { I2C_MAX_STANDARD_MODE_FREQ, 8, 14, 18, 38 },
++ { I2C_MAX_FAST_MODE_FREQ, 4, 3, 9, 19 },
++ { I2C_MAX_FAST_MODE_PLUS_FREQ, 2, 3, 5, 15 },
+ {}
+ };
+
diff --git a/queue-6.16/iomap-fix-broken-data-integrity-guarantees-for-o_sync-writes.patch b/queue-6.16/iomap-fix-broken-data-integrity-guarantees-for-o_sync-writes.patch
new file mode 100644
index 0000000000..3e3b35e30d
--- /dev/null
+++ b/queue-6.16/iomap-fix-broken-data-integrity-guarantees-for-o_sync-writes.patch 
@@ -0,0 +1,58 @@
+From 6b65028e2b51c023a816eabffea88980fdd5564e Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 30 Jul 2025 12:28:41 +0200
+Subject: iomap: Fix broken data integrity guarantees for O_SYNC writes
+
+From: Jan Kara
+
+commit 6b65028e2b51c023a816eabffea88980fdd5564e upstream.
+
+Commit d279c80e0bac ("iomap: inline iomap_dio_bio_opflags()") has broken
+the logic in iomap_dio_bio_iter() in a way that when the device does
+support FUA (or has no writeback cache) and the direct IO happens to
+freshly allocated or unwritten extents, we will *not* issue fsync after
+completing direct IO O_SYNC / O_DSYNC write because the
+IOMAP_DIO_WRITE_THROUGH flag stays mistakenly set. Fix the problem by
+clearing IOMAP_DIO_WRITE_THROUGH whenever we do not perform FUA write as
+it was originally intended.
+
+CC: John Garry
+CC: Ritesh Harjani (IBM)
+Fixes: d279c80e0bac ("iomap: inline iomap_dio_bio_opflags()")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Link: https://lore.kernel.org/20250730102840.20470-2-jack@suse.cz
+Reviewed-by: Ritesh Harjani (IBM)
+Reviewed-by: John Garry
+Reviewed-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/iomap/direct-io.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/iomap/direct-io.c
++++ b/fs/iomap/direct-io.c
+@@ -368,14 +368,14 @@ static int iomap_dio_bio_iter(struct iom
+ if (iomap->flags & IOMAP_F_SHARED)
+ dio->flags |= IOMAP_DIO_COW;
+
+- if (iomap->flags & IOMAP_F_NEW) {
++ if (iomap->flags & IOMAP_F_NEW)
+ need_zeroout = true;
+- } else if (iomap->type == IOMAP_MAPPED) {
+- if (iomap_dio_can_use_fua(iomap, dio))
+- bio_opf |= REQ_FUA;
+- else
+- dio->flags &= ~IOMAP_DIO_WRITE_THROUGH;
+- }
++ else if (iomap->type == IOMAP_MAPPED &&
++ iomap_dio_can_use_fua(iomap, dio))
++ bio_opf |= REQ_FUA;
++
++ if (!(bio_opf & REQ_FUA))
++ dio->flags &= ~IOMAP_DIO_WRITE_THROUGH;
+
+ /*
+ * We can only do deferred completion for pure overwrites that
diff --git a/queue-6.16/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch b/queue-6.16/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch
new file mode 100644
index 0000000000..02c25c1a82
--- /dev/null
+++ b/queue-6.16/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch
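Review bot: In the iomap_dio_bio_iter() hunk of the direct-io.c patch, the new `if (!(bio_opf & REQ_FUA))` carries the data-integrity rule for O_SYNC/O_DSYNC direct writes but has no comment, and the bug being fixed was this flag being left set after a refactor. Suggest adding above it `/* No FUA on this bio: drop WRITE_THROUGH so completion still issues the sync */`; the wording follows the commit message, since the completion path is outside the hunk. Because the test reads `bio_opf` rather than the result of iomap_dio_can_use_fua(), it also relies on REQ_FUA not having been set in `bio_opf` earlier in the function, which cannot be confirmed from the visible lines.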
@@ -0,0 +1,73 @@
+From 9d98cf4632258720f18265a058e62fde120c0151 Mon Sep 17 00:00:00 2001
+From: Baokun Li
+Date: Tue, 12 Aug 2025 14:37:52 +0800
+Subject: jbd2: prevent softlockup in jbd2_log_do_checkpoint()
+
+From: Baokun Li
+
+commit 9d98cf4632258720f18265a058e62fde120c0151 upstream.
+
+Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()
+periodically release j_list_lock after processing a batch of buffers to
+avoid long hold times on the j_list_lock. However, since both functions
+contend for j_list_lock, the combined time spent waiting and processing
+can be significant.
+
+jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when
+need_resched() is true to avoid softlockups during prolonged operations.
+But jbd2_log_do_checkpoint() only exits its loop when need_resched() is
+true, relying on potentially sleeping functions like __flush_batch() or
+wait_on_buffer() to trigger rescheduling. If those functions do not sleep,
+the kernel may hit a softlockup.
+
+watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]
+CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10
+Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017
+Workqueue: writeback wb_workfn (flush-7:2)
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : native_queued_spin_lock_slowpath+0x358/0x418
+lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
+Call trace:
+ native_queued_spin_lock_slowpath+0x358/0x418
+ jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
+ __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]
+ add_transaction_credits+0x3bc/0x418 [jbd2]
+ start_this_handle+0xf8/0x560 [jbd2]
+ jbd2__journal_start+0x118/0x228 [jbd2]
+ __ext4_journal_start_sb+0x110/0x188 [ext4]
+ ext4_do_writepages+0x3dc/0x740 [ext4]
+ ext4_writepages+0xa4/0x190 [ext4]
+ do_writepages+0x94/0x228
+ __writeback_single_inode+0x48/0x318
+ writeback_sb_inodes+0x204/0x590
+ __writeback_inodes_wb+0x54/0xf8
+ wb_writeback+0x2cc/0x3d8
+ wb_do_writeback+0x2e0/0x2f8
+ wb_workfn+0x80/0x2a8
+ process_one_work+0x178/0x3e8
+ worker_thread+0x234/0x3b8
+ kthread+0xf0/0x108
+ ret_from_fork+0x10/0x20
+
+So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid
+softlockup.
+
+Cc: stable@kernel.org
+Signed-off-by: Baokun Li
+Link: https://patch.msgid.link/20250812063752.912130-1-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/checkpoint.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -285,6 +285,7 @@ restart:
+ retry:
+ if (batch_count)
+ __flush_batch(journal, &batch_count);
++ cond_resched();
+ spin_lock(&journal->j_list_lock);
+ goto restart;
+ }
diff --git a/queue-6.16/kasan-test-fix-protection-against-compiler-elision.patch b/queue-6.16/kasan-test-fix-protection-against-compiler-elision.patch
new file mode 100644
index 0000000000..8db7e9dc0c
--- /dev/null
+++ b/queue-6.16/kasan-test-fix-protection-against-compiler-elision.patch
@@ -0,0 +1,50 @@
+From 475356fe2814f2f0b188da8bf0f1fcc579d81272 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Mon, 28 Jul 2025 22:11:54 +0200
+Subject: kasan/test: fix protection against compiler elision
+
+From: Jann Horn
+
+commit 475356fe2814f2f0b188da8bf0f1fcc579d81272 upstream.
+
+The kunit test is using assignments to
+"static volatile void *kasan_ptr_result" to prevent elision of memory
+loads, but that's not working:
+In this variable definition, the "volatile" applies to the "void", not to
+the pointer.
+To make "volatile" apply to the pointer as intended, it must follow
+after the "*".
+
+This makes the kasan_memchr test pass again on my system. The
+kasan_strings test is still failing because all the definitions of
+load_unaligned_zeropad() are lacking explicit instrumentation hooks and
+ASAN does not instrument asm() memory operands.
+
+Link: https://lkml.kernel.org/r/20250728-kasan-kunit-fix-volatile-v1-1-e7157c9af82d@google.com
+Fixes: 5f1c8108e7ad ("mm:kasan: fix sparse warnings: Should it be static?")
+Signed-off-by: Jann Horn
+Cc: Alexander Potapenko
+Cc: Andrey Konovalov
+Cc: Andrey Ryabinin
+Cc: Dmitriy Vyukov
+Cc: Jann Horn
+Cc: Nihar Chaithanya
+Cc: Vincenzo Frascino
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kasan/kasan_test_c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/kasan/kasan_test_c.c
++++ b/mm/kasan/kasan_test_c.c
+@@ -47,7 +47,7 @@ static struct {
+ * Some tests use these global variables to store return values from function
+ * calls that could otherwise be eliminated by the compiler as dead code.
+ */
+-static volatile void *kasan_ptr_result;
++static void *volatile kasan_ptr_result;
+ static volatile int kasan_int_result;
+
+ /* Probe for console output: obtains test_status lines of interest. */
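Review bot: In the kasan_test_c.c patch, the corrected declaration `static void *volatile kasan_ptr_result;` sits next to `static volatile int kasan_int_result;` with nothing explaining why the qualifier placement differs, and the Fixes: tag points at an earlier cleanup as the origin of the wrong form, so a later tidy-up could move it back. A trailing comment on the declaration would prevent that, e.g. `/* volatile qualifies the pointer itself, not the pointee */`. The existing block comment above says only that the variables exist to defeat dead-code elimination.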
diff --git a/queue-6.16/kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch b/queue-6.16/kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch
new file mode 100644
index 0000000000..f2128a03fc
--- /dev/null
+++ b/queue-6.16/kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch
@@ -0,0 +1,41 @@
+From 936599ca514973d44a766b7376c6bbdc96b6a8cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Mon, 28 Jul 2025 15:47:37 +0200
+Subject: kbuild: userprogs: use correct linker when mixing clang and GNU ld
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+commit 936599ca514973d44a766b7376c6bbdc96b6a8cc upstream.
+
+The userprogs infrastructure does not expect clang being used with GNU ld
+and in that case uses /usr/bin/ld for linking, not the configured $(LD).
+This fallback is problematic as it will break when cross-compiling.
+Mixing clang and GNU ld is used for example when building for SPARC64,
+as ld.lld is not sufficient; see Documentation/kbuild/llvm.rst.
+
+Relax the check around --ld-path so it gets used for all linkers.
+
+Fixes: dfc1b168a8c4 ("kbuild: userprogs: use correct lld when linking through clang")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh
+Reviewed-by: Nathan Chancellor
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Greg Kroah-Hartman
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -1134,7 +1134,7 @@ KBUILD_USERCFLAGS += $(filter -m32 -m64
+ KBUILD_USERLDFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS))
+
+ # userspace programs are linked via the compiler, use the correct linker
+-ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_LD_IS_LLD),yy)
++ifdef CONFIG_CC_IS_CLANG
+ KBUILD_USERLDFLAGS += --ld-path=$(LD)
+ endif
+
diff --git a/queue-6.16/mark-xe-driver-as-broken-if-kernel-page-size-is-not-4kb.patch b/queue-6.16/mark-xe-driver-as-broken-if-kernel-page-size-is-not-4kb.patch
new file mode 100644
index 0000000000..b103e121cb
--- /dev/null
+++ b/queue-6.16/mark-xe-driver-as-broken-if-kernel-page-size-is-not-4kb.patch
@@ -0,0 +1,39 @@
+From 022906afdf90327bce33d52fb4fb41b6c7d618fb Mon Sep 17 00:00:00 2001
+From: Simon Richter
+Date: Sat, 2 Aug 2025 11:40:36 +0900
+Subject: Mark xe driver as BROKEN if kernel page size is not 4kB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Simon Richter
+
+commit 022906afdf90327bce33d52fb4fb41b6c7d618fb upstream.
+
+This driver, for the time being, assumes that the kernel page size is 4kB,
+so it fails on loong64 and aarch64 with 16kB pages, and ppc64el with 64kB
+pages.
+
+Signed-off-by: Simon Richter
+Reviewed-by: Thomas Hellström
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Cc: stable@vger.kernel.org # v6.8+
+Signed-off-by: Thomas Hellström
+Link: https://lore.kernel.org/r/20250802024152.3021-1-Simon.Richter@hogyros.de
+(cherry picked from commit 0521a868222ffe636bf202b6e9d29292c1e19c62)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/xe/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/xe/Kconfig
++++ b/drivers/gpu/drm/xe/Kconfig
+@@ -5,6 +5,7 @@ config DRM_XE
+ depends on KUNIT || !KUNIT
+ depends on INTEL_VSEC || !INTEL_VSEC
+ depends on X86_PLATFORM_DEVICES || !(X86 && ACPI)
++ depends on PAGE_SIZE_4KB || COMPILE_TEST || BROKEN
+ select INTERVAL_TREE
+ # we need shmfs for the swappable backing store, and in particular
+ # the shmem_readpage() which depends upon tmpfs
diff --git a/queue-6.16/media-gspca-add-bounds-checking-to-firmware-parser.patch b/queue-6.16/media-gspca-add-bounds-checking-to-firmware-parser.patch
new file mode 100644
index 0000000000..8939ed836f
--- /dev/null
+++ b/queue-6.16/media-gspca-add-bounds-checking-to-firmware-parser.patch
@@ -0,0 +1,56 @@
+From aef89c0b2417da79cb2062a95476288f9f203ab0 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 28 May 2025 23:22:14 +0300
+Subject: media: gspca: Add bounds checking to firmware parser
+
+From: Dan Carpenter
+
+commit aef89c0b2417da79cb2062a95476288f9f203ab0 upstream.
+
+This sd_init() function reads the firmware. The firmware data holds a
+series of records and the function reads each record and sends the data
+to the device. The request_ihex_firmware() function
+calls ihex_validate_fw() which ensures that the total length of all the
+records won't read out of bounds of the fw->data[].
+
+However, a potential issue is if there is a single very large
+record (larger than PAGE_SIZE) and that would result in memory
+corruption. Generally we trust the firmware, but it's always better to
+double check.
+
+Fixes: 49b61ec9b5af ("[media] gspca: Add new vicam subdriver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/gspca/vicam.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/gspca/vicam.c
++++ b/drivers/media/usb/gspca/vicam.c
+@@ -227,6 +227,7 @@ static int sd_init(struct gspca_dev *gsp
+ const struct ihex_binrec *rec;
+ const struct firmware *fw;
+ u8 *firmware_buf;
++ int len;
+
+ ret = request_ihex_firmware(&fw, VICAM_FIRMWARE,
+ &gspca_dev->dev->dev);
+@@ -241,9 +242,14 @@ static int sd_init(struct gspca_dev *gsp
+ goto exit;
+ }
+ for (rec = (void *)fw->data; rec; rec = ihex_next_binrec(rec)) {
+- memcpy(firmware_buf, rec->data, be16_to_cpu(rec->len));
++ len = be16_to_cpu(rec->len);
++ if (len > PAGE_SIZE) {
++ ret = -EINVAL;
++ break;
++ }
++ memcpy(firmware_buf, rec->data, len);
+ ret = vicam_control_msg(gspca_dev, 0xff, 0, 0, firmware_buf,
+- be16_to_cpu(rec->len));
++ len);
+ if (ret < 0)
+ break;
+ }
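Review bot: In the sd_init() hunks of the vicam.c patch, the new bound compares against `PAGE_SIZE`, but the allocation of `firmware_buf` lies between the two hunks and is not visible, so the check is only correct if the buffer is allocated with exactly that size; one named constant shared by the allocation and the check would keep them from drifting. `len` is declared `int` while it holds a `be16_to_cpu()` result and is compared with the unsigned `PAGE_SIZE`; `u16 len;` or `size_t len;` avoids the mixed-sign comparison. The rejection path sets `-EINVAL` and breaks with no log line in the visible code, so an oversized record fails silently; an error message naming the record length would make a malformed firmware file diagnosable.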
diff --git a/queue-6.16/media-hi556-correct-the-test-pattern-configuration.patch b/queue-6.16/media-hi556-correct-the-test-pattern-configuration.patch
new file mode 100644
index 0000000000..9930ee9f7b
--- /dev/null
+++ b/queue-6.16/media-hi556-correct-the-test-pattern-configuration.patch
@@ -0,0 +1,95 @@
+From 020f602b068c9ce18d5056d02c8302199377d98d Mon Sep 17 00:00:00 2001
+From: Bingbu Cao
+Date: Mon, 30 Jun 2025 17:04:20 +0800
+Subject: media: hi556: correct the test pattern configuration
+
+From: Bingbu Cao
+
+commit 020f602b068c9ce18d5056d02c8302199377d98d upstream.
+
+Hynix hi556 support 8 test pattern modes:
+hi556_test_pattern_menu[] = {
+{
+ "Disabled",
+ "Solid Colour",
+ "100% Colour Bars",
+ "Fade To Grey Colour Bars",
+ "PN9",
+ "Gradient Horizontal",
+ "Gradient Vertical",
+ "Check Board",
+ "Slant Pattern",
+}
+
+The test pattern is set by a 8-bit register according to the
+specification.
++--------+-------------------------------+
+| BIT[0] | Solid color |
++--------+-------------------------------+
+| BIT[1] | Color bar |
++--------+-------------------------------+
+| BIT[2] | Fade to grey color bar |
++--------+-------------------------------+
+| BIT[3] | PN9 |
++--------+-------------------------------+
+| BIT[4] | Gradient horizontal |
++--------+-------------------------------+
+| BIT[5] | Gradient vertical |
++--------+-------------------------------+
+| BIT[6] | Check board |
++--------+-------------------------------+
+| BIT[7] | Slant pattern |
++--------+-------------------------------+
+Based on function above, current test pattern programming is wrong.
+This patch fixes it by 'BIT(pattern - 1)'. If pattern is 0, driver
+will disable the test pattern generation and set the pattern to 0.
+
+Fixes: e62138403a84 ("media: hi556: Add support for Hi-556 sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bingbu Cao
+Signed-off-by: Sakari Ailus
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/hi556.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+--- a/drivers/media/i2c/hi556.c
++++ b/drivers/media/i2c/hi556.c
+@@ -756,21 +756,23 @@ static int hi556_test_pattern(struct hi5
+ int ret;
+ u32 val;
+
+- if (pattern) {
+- ret = hi556_read_reg(hi556, HI556_REG_ISP,
+- HI556_REG_VALUE_08BIT, &val);
+- if (ret)
+- return ret;
+-
+- ret = hi556_write_reg(hi556, HI556_REG_ISP,
+- HI556_REG_VALUE_08BIT,
+- val | HI556_REG_ISP_TPG_EN);
+- if (ret)
+- return ret;
+- }
++ ret = hi556_read_reg(hi556, HI556_REG_ISP,
++ HI556_REG_VALUE_08BIT, &val);
++ if (ret)
++ return ret;
++
++ val = pattern ? (val | HI556_REG_ISP_TPG_EN) :
++ (val & ~HI556_REG_ISP_TPG_EN);
++
++ ret = hi556_write_reg(hi556, HI556_REG_ISP,
++ HI556_REG_VALUE_08BIT, val);
++ if (ret)
++ return ret;
++
++ val = pattern ? BIT(pattern - 1) : 0;
+
+ return hi556_write_reg(hi556, HI556_REG_TEST_PATTERN,
+- HI556_REG_VALUE_08BIT, pattern);
++ HI556_REG_VALUE_08BIT, val);
+ }
+
+ static int hi556_set_ctrl(struct v4l2_ctrl *ctrl)
diff --git a/queue-6.16/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch b/queue-6.16/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch
new file mode 100644
index 0000000000..36fda55715
--- /dev/null
+++ b/queue-6.16/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch
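Review bot: In the hi556_test_pattern() hunk of the hi556.c patch, `BIT(pattern - 1)` is written to an 8-bit register, so it is only valid for `pattern` in 1..8, and nothing in the hunk bounds `pattern`; the limit presumably comes from the size of hi556_test_pattern_menu[], which is declared outside the hunk. A comment such as `/* menu index N (1..8) selects register bit N-1; 0 disables the generator */` would document that coupling. If the menu can ever grow, an explicit guard like `if (pattern > 8) return -EINVAL;` before the shift keeps an out-of-range index from being silently truncated by the 8-bit write.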
@@ -0,0 +1,35 @@
+From fc5f8aec77704373ee804b5dba0e0e5029c0f180 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Thu, 27 Feb 2025 15:44:51 +0800
+Subject: media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()
+
+From: Haoxiang Li
+
+commit fc5f8aec77704373ee804b5dba0e0e5029c0f180 upstream.
+
+Add video_device_release() in label 'err_m2m' to release the memory
+allocated by video_device_alloc() and prevent potential memory leaks.
+Remove the reduntant code in label 'err_m2m'.
+
+Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li
+Reviewed-by: Dan Carpenter
+Signed-off-by: Nicolas Dufresne
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/media/imx/imx-media-csc-scaler.c
++++ b/drivers/staging/media/imx/imx-media-csc-scaler.c
+@@ -912,7 +912,7 @@ imx_media_csc_scaler_device_init(struct
+ return &priv->vdev;
+
+ err_m2m:
+- video_set_drvdata(vfd, NULL);
++ video_device_release(vfd);
+ err_vfd:
+ kfree(priv);
+ return ERR_PTR(ret);
diff --git a/queue-6.16/media-ipu6-isys-use-correct-pads-for-xlate_streams.patch b/queue-6.16/media-ipu6-isys-use-correct-pads-for-xlate_streams.patch
new file mode 100644
index 0000000000..d86bd68b77
--- /dev/null
+++ b/queue-6.16/media-ipu6-isys-use-correct-pads-for-xlate_streams.patch
@@ -0,0 +1,50 @@
+From ff49672a28f3a856717f09d61380e524e243121f Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Tue, 3 Jun 2025 00:08:51 +0300
+Subject: media: ipu6: isys: Use correct pads for xlate_streams()
+
+From: Sakari Ailus
+
+commit ff49672a28f3a856717f09d61380e524e243121f upstream.
+
+The pad argument to v4l2_subdev_state_xlate_streams() is incorrect, static
+pad number is used for the source pad even though the pad number is
+dependent on the stream. Fix it.
+
+Fixes: 3a5c59ad926b ("media: ipu6: Rework CSI-2 sub-device streaming control")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/intel/ipu6/ipu6-isys-csi2.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/pci/intel/ipu6/ipu6-isys-csi2.c
++++ b/drivers/media/pci/intel/ipu6/ipu6-isys-csi2.c
+@@ -354,9 +354,9 @@ static int ipu6_isys_csi2_enable_streams
+ remote_pad = media_pad_remote_pad_first(&sd->entity.pads[CSI2_PAD_SINK]);
+ remote_sd = media_entity_to_v4l2_subdev(remote_pad->entity);
+
+- sink_streams = v4l2_subdev_state_xlate_streams(state, CSI2_PAD_SRC,
+- CSI2_PAD_SINK,
+- &streams_mask);
++ sink_streams =
++ v4l2_subdev_state_xlate_streams(state, pad, CSI2_PAD_SINK,
++ &streams_mask);
+
+ ret = ipu6_isys_csi2_calc_timing(csi2, &timing, CSI2_ACCINV);
+ if (ret)
+@@ -384,9 +384,9 @@ static int ipu6_isys_csi2_disable_stream
+ struct media_pad *remote_pad;
+ u64 sink_streams;
+
+- sink_streams = v4l2_subdev_state_xlate_streams(state, CSI2_PAD_SRC,
+- CSI2_PAD_SINK,
+- &streams_mask);
++ sink_streams =
++ v4l2_subdev_state_xlate_streams(state, pad, CSI2_PAD_SINK,
++ &streams_mask);
+
+ remote_pad = media_pad_remote_pad_first(&sd->entity.pads[CSI2_PAD_SINK]);
+ remote_sd = media_entity_to_v4l2_subdev(remote_pad->entity);
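Review bot: In ipu6_isys_csi2_enable_streams() and ipu6_isys_csi2_disable_streams(), the result of `media_pad_remote_pad_first()` is dereferenced as `remote_pad->entity` with no NULL check in the lines shown. That helper returns NULL when the pad has no enabled link; the streaming path presumably guarantees one, but neither hunk shows that. If the caller does not guarantee it, add `if (!remote_pad) return -ENOLINK;` before the `media_entity_to_v4l2_subdev()` call in both functions. Both bodies extend beyond the hunks.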
diff --git a/queue-6.16/media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch b/queue-6.16/media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch
new file mode 100644
index 0000000000..53e227c639
--- /dev/null
+++ b/queue-6.16/media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch
@@ -0,0 +1,82 @@ +From 0c92c49fc688cfadacc47ae99b06a31237702e9e Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 21 Jun 2025 16:00:52 +0200 +Subject: media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls + +From: Hans de Goede + +commit 0c92c49fc688cfadacc47ae99b06a31237702e9e upstream. + +Both the ACE and CSI driver are missing a mei_cldev_disable() call in +their remove() function. + +This causes the mei_cl client to stay part of the mei_device->file_list +list even though its memory is freed by mei_cl_bus_dev_release() calling +kfree(cldev->cl). + +This leads to a use-after-free when mei_vsc_remove() runs mei_stop() +which first removes all mei bus devices calling mei_ace_remove() and +mei_csi_remove() followed by mei_cl_bus_dev_release() and then calls +mei_cl_all_disconnect() which walks over mei_device->file_list dereferecing +the just freed cldev->cl. + +And mei_vsc_remove() it self is run at shutdown because of the +platform_device_unregister(tp->pdev) in vsc_tp_shutdown() + +When building a kernel with KASAN this leads to the following KASAN report: + +[ 106.634504] ================================================================== +[ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei +[ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1 +[ 106.634729] +[ 106.634767] Tainted: [E]=UNSIGNED_MODULE +[ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025 +[ 106.634773] Call Trace: +[ 106.634777] +... +[ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) +[ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei +[ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei +[ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei +... 
+[ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei +[ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 drivers/misc/mei/platform-vsc.c:393) mei_vsc +[ 106.635066] platform_remove (drivers/base/platform.c:1424) + +Add the missing mei_cldev_disable() calls so that the mei_cl gets removed +from mei_device->file_list before it is freed to fix this. + +Fixes: 78876f71b3e9 ("media: pci: intel: ivsc: Add ACE submodule") +Fixes: 29006e196a56 ("media: pci: intel: ivsc: Add CSI submodule") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ivsc/mei_ace.c | 2 ++ + drivers/media/pci/intel/ivsc/mei_csi.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/media/pci/intel/ivsc/mei_ace.c ++++ b/drivers/media/pci/intel/ivsc/mei_ace.c +@@ -529,6 +529,8 @@ static void mei_ace_remove(struct mei_cl + + ace_set_camera_owner(ace, ACE_CAMERA_IVSC); + ++ mei_cldev_disable(cldev); ++ + mutex_destroy(&ace->lock); + } + +--- a/drivers/media/pci/intel/ivsc/mei_csi.c ++++ b/drivers/media/pci/intel/ivsc/mei_csi.c +@@ -760,6 +760,8 @@ static void mei_csi_remove(struct mei_cl + + pm_runtime_disable(&cldev->dev); + ++ mei_cldev_disable(cldev); ++ + mutex_destroy(&csi->lock); + } + diff --git a/queue-6.16/media-mt9m114-fix-deadlock-in-get_frame_interval-set_frame_interval.patch b/queue-6.16/media-mt9m114-fix-deadlock-in-get_frame_interval-set_frame_interval.patch new file mode 100644 index 0000000000..dbd3133416 --- /dev/null +++ b/queue-6.16/media-mt9m114-fix-deadlock-in-get_frame_interval-set_frame_interval.patch 
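Review bot: The two added `mei_cldev_disable(cldev);` calls in mei_ace_remove() and mei_csi_remove() carry no comment, although they are what prevents the use-after-free described in the commit message. A one-line comment above each, such as `/* Unlink the client from mei_device->file_list before the bus core frees cldev->cl. */`, would keep a later cleanup from dropping them. The return value of the call is ignored; that looks acceptable in a void remove(), but is worth confirming. Both functions start outside the hunks.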
@@ -0,0 +1,68 @@ +From 298d1471cf83d5a2a05970e41822a2403f451086 Mon Sep 17 00:00:00 2001 +From: Mathis Foerst +Date: Thu, 22 May 2025 16:35:10 +0200 +Subject: media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval + +From: Mathis Foerst + +commit 298d1471cf83d5a2a05970e41822a2403f451086 upstream. + +Getting / Setting the frame interval using the V4L2 subdev pad ops +get_frame_interval/set_frame_interval causes a deadlock, as the +subdev state is locked in the [1] but also in the driver itself. + +In [2] it's described that the caller is responsible to acquire and +release the lock in this case. Therefore, acquiring the lock in the +driver is wrong. + +Remove the lock acquisitions/releases from mt9m114_ifp_get_frame_interval() +and mt9m114_ifp_set_frame_interval(). + +[1] drivers/media/v4l2-core/v4l2-subdev.c - line 1129 +[2] Documentation/driver-api/media/v4l2-subdev.rst + +Fixes: 24d756e914fc ("media: i2c: Add driver for onsemi MT9M114 camera sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Mathis Foerst +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/mt9m114.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/drivers/media/i2c/mt9m114.c ++++ b/drivers/media/i2c/mt9m114.c +@@ -1599,13 +1599,9 @@ static int mt9m114_ifp_get_frame_interva + if (interval->which != V4L2_SUBDEV_FORMAT_ACTIVE) + return -EINVAL; + +- mutex_lock(sensor->ifp.hdl.lock); +- + ival->numerator = 1; + ival->denominator = sensor->ifp.frame_rate; + +- mutex_unlock(sensor->ifp.hdl.lock); +- + return 0; + } + +@@ -1624,8 +1620,6 @@ static int mt9m114_ifp_set_frame_interva + if (interval->which != V4L2_SUBDEV_FORMAT_ACTIVE) + return -EINVAL; + +- mutex_lock(sensor->ifp.hdl.lock); +- + if (ival->numerator != 0 && ival->denominator != 0) + sensor->ifp.frame_rate = min_t(unsigned int, + ival->denominator / ival->numerator, +@@ -1639,8 +1633,6 @@ static int 
mt9m114_ifp_set_frame_interva + if (sensor->streaming) + ret = mt9m114_set_frame_rate(sensor); + +- mutex_unlock(sensor->ifp.hdl.lock); +- + return ret; + } + diff --git a/queue-6.16/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch b/queue-6.16/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch new file mode 100644 index 0000000000..513ccae47c --- /dev/null +++ b/queue-6.16/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch @@ -0,0 +1,42 @@ +From 76142b137b968d47b35cdd8d1dc924677d319c8b Mon Sep 17 00:00:00 2001 +From: Zhang Shurong +Date: Sun, 6 Jul 2025 00:31:09 +0800 +Subject: media: ov2659: Fix memory leaks in ov2659_probe() + +From: Zhang Shurong + +commit 76142b137b968d47b35cdd8d1dc924677d319c8b upstream. + +ov2659_probe() doesn't properly free control handler resources in failure +paths, causing memory leaks. Add v4l2_ctrl_handler_free() to prevent these +memory leaks and reorder the ctrl_handler assignment for better code flow. + +Fixes: c4c0283ab3cd ("[media] media: i2c: add support for omnivision's ov2659 sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Shurong +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov2659.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/i2c/ov2659.c ++++ b/drivers/media/i2c/ov2659.c +@@ -1469,14 +1469,15 @@ static int ov2659_probe(struct i2c_clien + V4L2_CID_TEST_PATTERN, + ARRAY_SIZE(ov2659_test_pattern_menu) - 1, + 0, 0, ov2659_test_pattern_menu); +- ov2659->sd.ctrl_handler = &ov2659->ctrls; + + if (ov2659->ctrls.error) { + dev_err(&client->dev, "%s: control initialization error %d\n", + __func__, ov2659->ctrls.error); ++ v4l2_ctrl_handler_free(&ov2659->ctrls); + return ov2659->ctrls.error; + } + ++ ov2659->sd.ctrl_handler = &ov2659->ctrls; + sd = &ov2659->sd; + client->flags |= I2C_CLIENT_SCCB; + 
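Review bot: With the `mutex_lock()`/`mutex_unlock()` pairs removed, mt9m114_ifp_get_frame_interval() and mt9m114_ifp_set_frame_interval() access `sensor->ifp.frame_rate` and call `mt9m114_set_frame_rate()` relying entirely on the caller holding the subdev state lock, and nothing in the code says so. A comment at the top of each function, `/* Called with the subdev state lock held by the V4L2 core. */`, would record that contract. Whether that lock is the same mutex as `sensor->ifp.hdl.lock` is not visible here, so a lockdep assertion is only a suggestion to check. Both bodies begin outside the hunks.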
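Review bot: In ov2659_probe(), the new error path calls `v4l2_ctrl_handler_free(&ov2659->ctrls);` and only then returns `ov2659->ctrls.error`, so the error code is read after the handler has been freed. That yields the real error only when the v4l2-ctrls change in this same queue, which stops v4l2_ctrl_handler_free() from zeroing `error`, is applied as well; without it probe would return 0 on failure. Saving the code first removes the dependency: `int err = ov2659->ctrls.error;` before the free, then `return err;`. The function extends beyond the hunk, so an existing local may already be suitable.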
diff --git a/queue-6.16/media-pisp_be-fix-pm_runtime-underrun-in-probe.patch b/queue-6.16/media-pisp_be-fix-pm_runtime-underrun-in-probe.patch
new file mode 100644
index 0000000000..786ab8a40b
--- /dev/null
+++ b/queue-6.16/media-pisp_be-fix-pm_runtime-underrun-in-probe.patch
@@ -0,0 +1,83 @@ +From e9bb2eacc7222ff8210903eb3b7d56709cc53228 Mon Sep 17 00:00:00 2001 +From: Jacopo Mondi +Date: Mon, 26 Aug 2024 15:30:54 +0200 +Subject: media: pisp_be: Fix pm_runtime underrun in probe + +From: Jacopo Mondi + +commit e9bb2eacc7222ff8210903eb3b7d56709cc53228 upstream. + +During the probe() routine, the PiSP BE driver needs to power up the +interface in order to identify and initialize the hardware. + +The driver resumes the interface by calling the +pispbe_runtime_resume() function directly, without going +through the pm_runtime helpers, but later suspends it by calling +pm_runtime_put_autosuspend(). + +This causes a PM usage count imbalance at probe time, notified by the +runtime_pm framework with the below message in the system log: + + pispbe 1000880000.pisp_be: Runtime PM usage count underflow! + +Fix this by resuming the interface using the pm runtime helpers instead +of calling the resume function directly and use the pm_runtime framework +in the probe() error path. While at it, remove manual suspend of the +interface in the remove() function. The driver cannot be unloaded if in +use, so simply disable runtime pm. + +To simplify the implementation, make the driver depend on PM as the +RPI5 platform where the ISP is integrated in uses the PM framework by +default. 
+ +Fixes: 12187bd5d4f8 ("media: raspberrypi: Add support for PiSP BE") +Cc: stable@vger.kernel.org +Tested-by: Naushir Patuck +Reviewed-by: Naushir Patuck +Reviewed-by: Laurent Pinchart +Signed-off-by: Jacopo Mondi +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/raspberrypi/pisp_be/Kconfig | 1 + + drivers/media/platform/raspberrypi/pisp_be/pisp_be.c | 5 ++--- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/raspberrypi/pisp_be/Kconfig ++++ b/drivers/media/platform/raspberrypi/pisp_be/Kconfig +@@ -3,6 +3,7 @@ config VIDEO_RASPBERRYPI_PISP_BE + depends on V4L_PLATFORM_DRIVERS + depends on VIDEO_DEV + depends on ARCH_BCM2835 || COMPILE_TEST ++ depends on PM + select VIDEO_V4L2_SUBDEV_API + select MEDIA_CONTROLLER + select VIDEOBUF2_DMA_CONTIG +--- a/drivers/media/platform/raspberrypi/pisp_be/pisp_be.c ++++ b/drivers/media/platform/raspberrypi/pisp_be/pisp_be.c +@@ -1726,7 +1726,7 @@ static int pispbe_probe(struct platform_ + pm_runtime_use_autosuspend(pispbe->dev); + pm_runtime_enable(pispbe->dev); + +- ret = pispbe_runtime_resume(pispbe->dev); ++ ret = pm_runtime_resume_and_get(pispbe->dev); + if (ret) + goto pm_runtime_disable_err; + +@@ -1748,7 +1748,7 @@ static int pispbe_probe(struct platform_ + disable_devs_err: + pispbe_destroy_devices(pispbe); + pm_runtime_suspend_err: +- pispbe_runtime_suspend(pispbe->dev); ++ pm_runtime_put(pispbe->dev); + pm_runtime_disable_err: + pm_runtime_dont_use_autosuspend(pispbe->dev); + pm_runtime_disable(pispbe->dev); +@@ -1762,7 +1762,6 @@ static void pispbe_remove(struct platfor + + pispbe_destroy_devices(pispbe); + +- pispbe_runtime_suspend(pispbe->dev); + pm_runtime_dont_use_autosuspend(pispbe->dev); + pm_runtime_disable(pispbe->dev); + } 
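Review bot: In the `pm_runtime_suspend_err` path of pispbe_probe(), `pm_runtime_put()` is asynchronous and is followed straight away by `pm_runtime_disable()`, which may cancel the queued idle request and leave the block powered after a failed probe. `pm_runtime_put_sync(pispbe->dev);` would complete the suspend before runtime PM is disabled. A similar question applies to pispbe_remove(), where the manual suspend is dropped and an autosuspend timer may still be pending when `pm_runtime_disable()` runs. Both functions continue outside the hunks.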
diff --git a/queue-6.16/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch b/queue-6.16/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch
new file mode 100644
index 0000000000..860bc54f4b
--- /dev/null
+++ b/queue-6.16/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch
@@ -0,0 +1,54 @@ +From 7af160aea26c7dc9e6734d19306128cce156ec40 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 6 Jun 2025 03:04:59 +0000 +Subject: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() + +From: Gui-Dong Han + +commit 7af160aea26c7dc9e6734d19306128cce156ec40 upstream. + +In the interrupt handler rain_interrupt(), the buffer full check on +rain->buf_len is performed before acquiring rain->buf_lock. This +creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as +rain->buf_len is concurrently accessed and modified in the work +handler rain_irq_work_handler() under the same lock. + +Multiple interrupt invocations can race, with each reading buf_len +before it becomes full and then proceeding. This can lead to both +interrupts attempting to write to the buffer, incrementing buf_len +beyond its capacity (DATA_SIZE) and causing a buffer overflow. + +Fix this bug by moving the spin_lock() to before the buffer full +check. This ensures that the check and the subsequent buffer modification +are performed atomically, preventing the race condition. An corresponding +spin_unlock() is added to the overflow path to correctly release the +lock. + +This possible bug was found by an experimental static analysis tool +developed by our team. 
+ +Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/cec/usb/rainshadow/rainshadow-cec.c ++++ b/drivers/media/cec/usb/rainshadow/rainshadow-cec.c +@@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct + { + struct rain *rain = serio_get_drvdata(serio); + ++ spin_lock(&rain->buf_lock); + if (rain->buf_len == DATA_SIZE) { ++ spin_unlock(&rain->buf_lock); + dev_warn_once(rain->dev, "buffer overflow\n"); + return IRQ_HANDLED; + } +- spin_lock(&rain->buf_lock); + rain->buf_len++; + rain->buf[rain->buf_wr_idx] = data; + rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff; diff --git a/queue-6.16/media-usbtv-lock-resolution-while-streaming.patch b/queue-6.16/media-usbtv-lock-resolution-while-streaming.patch new file mode 100644 index 0000000000..841ca89499 --- /dev/null +++ b/queue-6.16/media-usbtv-lock-resolution-while-streaming.patch 
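Review bot: In rain_interrupt(), the fullness check compares `rain->buf_len` with `DATA_SIZE` while the write index wraps with a literal mask, `(rain->buf_wr_idx + 1) & 0xff`, so the bound on `rain->buf[]` holds only if DATA_SIZE is 256; its definition is not in the hunk. Tying the two together, for example `rain->buf_wr_idx = (rain->buf_wr_idx + 1) % DATA_SIZE;`, keeps the index in range if the constant ever changes. The function continues outside the hunk.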
@@ -0,0 +1,39 @@
+From 7e40e0bb778907b2441bff68d73c3eb6b6cd319f Mon Sep 17 00:00:00 2001
+From: Ludwig Disterhof
+Date: Mon, 28 Apr 2025 20:16:50 +0200
+Subject: media: usbtv: Lock resolution while streaming
+
+From: Ludwig Disterhof
+
+commit 7e40e0bb778907b2441bff68d73c3eb6b6cd319f upstream.
+
+When an program is streaming (ffplay) and another program (qv4l2)
+changes the TV standard from NTSC to PAL, the kernel crashes due to trying
+to copy to unmapped memory.
+
+Changing from NTSC to PAL increases the resolution in the usbtv struct,
+but the video plane buffer isn't adjusted, so it overflows.
+
+Fixes: 0e0fe3958fdd13d ("[media] usbtv: Add support for PAL video source")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ludwig Disterhof
+Signed-off-by: Hans Verkuil
+[hverkuil: call vb2_is_busy instead of vb2_is_streaming]
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/usbtv/usbtv-video.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/usb/usbtv/usbtv-video.c
++++ b/drivers/media/usb/usbtv/usbtv-video.c
+@@ -73,6 +73,10 @@ static int usbtv_configure_for_norm(stru
+ }
+
+ if (params) {
++ if (vb2_is_busy(&usbtv->vb2q) &&
++ (usbtv->width != params->cap_width ||
++ usbtv->height != params->cap_height))
++ return -EBUSY;
+ usbtv->width = params->cap_width;
+ usbtv->height = params->cap_height;
+ usbtv->n_chunks = usbtv->width * usbtv->height
diff --git a/queue-6.16/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch b/queue-6.16/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
new file mode 100644
index 0000000000..56ec38fd52
--- /dev/null
+++ b/queue-6.16/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
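Review bot: The new `-EBUSY` guard in usbtv_configure_for_norm() has no comment explaining why `vb2_is_busy()` is the right test, and the bracketed trailer shows the choice was changed from `vb2_is_streaming()` during review. A short comment, `/* Buffers are sized for the current resolution; refuse a change while any are allocated. */`, would record that the check protects already-allocated planes rather than only an active stream. The function starts and ends outside the hunk, so whether its caller propagates the error is not visible.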
@@ -0,0 +1,44 @@
+From 5a0400aca5fa7c6b8ba456c311a460e733571c88 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Thu, 8 May 2025 18:55:38 +0300
+Subject: media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()
+
+From: Sakari Ailus
+
+commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 upstream.
+
+It's a common pattern in drivers to free the control handler's resources
+and then return the handler's error code on drivers' error handling paths.
+Alas, the v4l2_ctrl_handler_free() function also zeroes the error field,
+effectively indicating successful return to the caller.
+
+There's no apparent need to touch the error field while releasing the
+control handler's resources and cleaning up stale pointers. Not touching
+the handler's error field is a more certain way to address this problem
+than changing all the users, in which case the pattern would be likely to
+re-emerge in new drivers.
+
+Do just that, don't touch the control handler's error field in
+v4l2_ctrl_handler_free().
+
+Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus
+Reviewed-by: Hans Verkuil
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/v4l2-core/v4l2-ctrls-core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+@@ -1661,7 +1661,6 @@ void v4l2_ctrl_handler_free(struct v4l2_
+ kvfree(hdl->buckets);
+ hdl->buckets = NULL;
+ hdl->cached = NULL;
+- hdl->error = 0;
+ mutex_unlock(hdl->lock);
+ mutex_destroy(&hdl->_lock);
+ }
diff --git a/queue-6.16/media-verisilicon-fix-av1-decoder-clock-frequency.patch b/queue-6.16/media-verisilicon-fix-av1-decoder-clock-frequency.patch
new file mode 100644
index 0000000000..a1feb60388
--- /dev/null
+++ b/queue-6.16/media-verisilicon-fix-av1-decoder-clock-frequency.patch
@@ -0,0 +1,57 @@ +From 01350185fe02ae3ea2c12d578e06af0d5186f33e Mon Sep 17 00:00:00 2001 +From: Nicolas Dufresne +Date: Mon, 17 Feb 2025 16:46:54 -0500 +Subject: media: verisilicon: Fix AV1 decoder clock frequency + +From: Nicolas Dufresne + +commit 01350185fe02ae3ea2c12d578e06af0d5186f33e upstream. + +The desired clock frequency was correctly set to 400MHz in the device tree +but was lowered by the driver to 300MHz breaking 4K 60Hz content playback. +Fix the issue by removing the driver call to clk_set_rate(), which reduce +the amount of board specific code. + +Fixes: 003afda97c65 ("media: verisilicon: Enable AV1 decoder on rk3588") +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Gaignard +Reviewed-by: Philipp Zabel +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/verisilicon/rockchip_vpu_hw.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/media/platform/verisilicon/rockchip_vpu_hw.c ++++ b/drivers/media/platform/verisilicon/rockchip_vpu_hw.c +@@ -17,7 +17,6 @@ + + #define RK3066_ACLK_MAX_FREQ (300 * 1000 * 1000) + #define RK3288_ACLK_MAX_FREQ (400 * 1000 * 1000) +-#define RK3588_ACLK_MAX_FREQ (300 * 1000 * 1000) + + #define ROCKCHIP_VPU981_MIN_SIZE 64 + +@@ -454,13 +453,6 @@ static int rk3066_vpu_hw_init(struct han + return 0; + } + +-static int rk3588_vpu981_hw_init(struct hantro_dev *vpu) +-{ +- /* Bump ACLKs to max. possible freq. to improve performance. */ +- clk_set_rate(vpu->clocks[0].clk, RK3588_ACLK_MAX_FREQ); +- return 0; +-} +- + static int rockchip_vpu_hw_init(struct hantro_dev *vpu) + { + /* Bump ACLK to max. possible freq. to improve performance. 
*/ +@@ -821,7 +813,6 @@ const struct hantro_variant rk3588_vpu98 + .codec_ops = rk3588_vpu981_codec_ops, + .irqs = rk3588_vpu981_irqs, + .num_irqs = ARRAY_SIZE(rk3588_vpu981_irqs), +- .init = rk3588_vpu981_hw_init, + .clk_names = rk3588_vpu981_vpu_clk_names, + .num_clocks = ARRAY_SIZE(rk3588_vpu981_vpu_clk_names) + }; diff --git a/queue-6.16/media-vivid-fix-wrong-pixel_array-control-size.patch b/queue-6.16/media-vivid-fix-wrong-pixel_array-control-size.patch new file mode 100644 index 0000000000..5e88f5f347 --- /dev/null +++ b/queue-6.16/media-vivid-fix-wrong-pixel_array-control-size.patch 
@@ -0,0 +1,52 @@
+From 3e43442d4994c9e1e202c98129a87e330f7faaed Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Sun, 6 Jul 2025 12:55:40 +0200
+Subject: media: vivid: fix wrong pixel_array control size
+
+From: Hans Verkuil
+
+commit 3e43442d4994c9e1e202c98129a87e330f7faaed upstream.
+
+The pixel_array control size was calculated incorrectly:
+the dimensions were swapped (dims[0] should be the height), and the
+values should be the width or height divided by PIXEL_ARRAY_DIV
+and rounded up. So don't use roundup, but use DIV_ROUND_UP instead.
+
+This bug is harmless in the sense that nothing will break, except that
+it consumes way too much memory for this control.
+
+Fixes: 6bc7643d1b9c ("media: vivid: add pixel_array test control")
+Cc:
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/test-drivers/vivid/vivid-ctrls.c | 3 ++-
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c | 4 ++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/test-drivers/vivid/vivid-ctrls.c
++++ b/drivers/media/test-drivers/vivid/vivid-ctrls.c
+@@ -244,7 +244,8 @@ static const struct v4l2_ctrl_config viv
+ .min = 0x00,
+ .max = 0xff,
+ .step = 1,
+- .dims = { 640 / PIXEL_ARRAY_DIV, 360 / PIXEL_ARRAY_DIV },
++ .dims = { DIV_ROUND_UP(360, PIXEL_ARRAY_DIV),
++ DIV_ROUND_UP(640, PIXEL_ARRAY_DIV) },
+ };
+
+ static const struct v4l2_ctrl_config vivid_ctrl_s32_array = {
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -454,8 +454,8 @@ void vivid_update_format_cap(struct vivi
+ if (keep_controls)
+ return;
+
+- dims[0] = roundup(dev->src_rect.width, PIXEL_ARRAY_DIV);
+- dims[1] = roundup(dev->src_rect.height, PIXEL_ARRAY_DIV);
++ dims[0] = DIV_ROUND_UP(dev->src_rect.height, PIXEL_ARRAY_DIV);
++ dims[1] = DIV_ROUND_UP(dev->src_rect.width, PIXEL_ARRAY_DIV);
+ v4l2_ctrl_modify_dimensions(dev->pixel_array, dims);
+ }
+
diff --git a/queue-6.16/mfd-mt6397-do-not-use-generic-name-for-keypad-sub-devices.patch b/queue-6.16/mfd-mt6397-do-not-use-generic-name-for-keypad-sub-devices.patch
new file mode 100644
index 0000000000..dbe8a3d2b5
--- /dev/null
+++ b/queue-6.16/mfd-mt6397-do-not-use-generic-name-for-keypad-sub-devices.patch
@@ -0,0 +1,83 @@ +From 92ab1e41569416c639643cd75eea2379190a65f2 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 30 Jun 2025 16:01:06 -0700 +Subject: mfd: mt6397: Do not use generic name for keypad sub-devices + +From: Dmitry Torokhov + +commit 92ab1e41569416c639643cd75eea2379190a65f2 upstream. + +Do not use "mtk-pmic-keys" when creating sub-device for the keypad to +make sure the keypad driver will only bind to the sub-device if it has +support for the variant/has matching compatible. + +Cc: stable@vger.kernel.org +Fixes: 6e31bb8d3a63 ("mfd: mt6397: Add initial support for MT6328") +Fixes: de58cee8c6b8 ("mfd: mt6397-core: Add MT6357 PMIC support") +Fixes: 4a901e305011 ("mfd: mt6397-core: Add resources for PMIC keys for MT6359") +Reported-by: Louis-Alexis Eyraud +Signed-off-by: Dmitry Torokhov +Tested-by: Louis-Alexis Eyraud # on +Link: https://lore.kernel.org/r/r4k3pgd3ew3ypne7ernxuzwgniiyvzosbce4cfajbcu7equblt@yato35tjb3lw +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/mt6397-core.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/mfd/mt6397-core.c ++++ b/drivers/mfd/mt6397-core.c +@@ -136,7 +136,7 @@ static const struct mfd_cell mt6323_devs + .name = "mt6323-led", + .of_compatible = "mediatek,mt6323-led" + }, { +- .name = "mtk-pmic-keys", ++ .name = "mt6323-keys", + .num_resources = ARRAY_SIZE(mt6323_keys_resources), + .resources = mt6323_keys_resources, + .of_compatible = "mediatek,mt6323-keys" +@@ -153,7 +153,7 @@ static const struct mfd_cell mt6328_devs + .name = "mt6328-regulator", + .of_compatible = "mediatek,mt6328-regulator" + }, { +- .name = "mtk-pmic-keys", ++ .name = "mt6328-keys", + .num_resources = ARRAY_SIZE(mt6328_keys_resources), + .resources = mt6328_keys_resources, + .of_compatible = "mediatek,mt6328-keys" +@@ -175,7 +175,7 @@ static const struct mfd_cell mt6357_devs + .name = "mt6357-sound", + .of_compatible = "mediatek,mt6357-sound" + }, { +- .name = 
"mtk-pmic-keys", ++ .name = "mt6357-keys", + .num_resources = ARRAY_SIZE(mt6357_keys_resources), + .resources = mt6357_keys_resources, + .of_compatible = "mediatek,mt6357-keys" +@@ -196,7 +196,7 @@ static const struct mfd_cell mt6331_mt63 + .name = "mt6332-regulator", + .of_compatible = "mediatek,mt6332-regulator" + }, { +- .name = "mtk-pmic-keys", ++ .name = "mt6331-keys", + .num_resources = ARRAY_SIZE(mt6331_keys_resources), + .resources = mt6331_keys_resources, + .of_compatible = "mediatek,mt6331-keys" +@@ -240,7 +240,7 @@ static const struct mfd_cell mt6359_devs + }, + { .name = "mt6359-sound", }, + { +- .name = "mtk-pmic-keys", ++ .name = "mt6359-keys", + .num_resources = ARRAY_SIZE(mt6359_keys_resources), + .resources = mt6359_keys_resources, + .of_compatible = "mediatek,mt6359-keys" +@@ -272,7 +272,7 @@ static const struct mfd_cell mt6397_devs + .name = "mt6397-pinctrl", + .of_compatible = "mediatek,mt6397-pinctrl", + }, { +- .name = "mtk-pmic-keys", ++ .name = "mt6397-keys", + .num_resources = ARRAY_SIZE(mt6397_keys_resources), + .resources = mt6397_keys_resources, + .of_compatible = "mediatek,mt6397-keys" diff --git a/queue-6.16/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch b/queue-6.16/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..84c2bdd651 --- /dev/null +++ b/queue-6.16/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch 
@@ -0,0 +1,33 @@
+From 6c4dab38431fee3d39a841d66ba6f2890b31b005 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Mon, 7 Jul 2025 09:39:37 +0200
+Subject: mtd: rawnand: fsmc: Add missing check after DMA map
+
+From: Thomas Fourier
+
+commit 6c4dab38431fee3d39a841d66ba6f2890b31b005 upstream.
+
+The DMA map functions can fail and should be tested for errors.
+
+Fixes: 4774fb0a48aa ("mtd: nand/fsmc: Add DMA support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier
+Rule: add
+Link: https://lore.kernel.org/stable/20250702065806.20983-2-fourier.thomas%40gmail.com
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/fsmc_nand.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/nand/raw/fsmc_nand.c
++++ b/drivers/mtd/nand/raw/fsmc_nand.c
+@@ -503,6 +503,8 @@ static int dma_xfer(struct fsmc_nand_dat
+
+ dma_dev = chan->device;
+ dma_addr = dma_map_single(dma_dev->dev, buffer, len, direction);
++ if (dma_mapping_error(dma_dev->dev, dma_addr))
++ return -EINVAL;
+
+ if (direction == DMA_TO_DEVICE) {
+ dma_src = dma_addr;
diff --git a/queue-6.16/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch b/queue-6.16/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch
new file mode 100644
index 0000000000..bae2a91751
--- /dev/null
+++ b/queue-6.16/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch
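Review bot: In dma_xfer() of fsmc_nand.c, the new failure path returns `-EINVAL` for a failed mapping, whereas the renesas NAND patch in this same queue returns `-ENOMEM` for the same condition. `-EINVAL` reads as a bad argument from the caller, which is not what a mapping failure is; `return -ENOMEM;` would be consistent and describe the failure more accurately. The function continues outside the hunk.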
@@ -0,0 +1,42 @@
+From 79e441ee47949376e3bc20f085cf017b70523d0f Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Wed, 2 Jul 2025 10:01:06 +0200
+Subject: mtd: rawnand: renesas: Add missing check after DMA map
+
+From: Thomas Fourier
+
+commit 79e441ee47949376e3bc20f085cf017b70523d0f upstream.
+
+The DMA map functions can fail and should be tested for errors.
+
+Fixes: d8701fe890ec ("mtd: rawnand: renesas: Add new NAND controller driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/renesas-nand-controller.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mtd/nand/raw/renesas-nand-controller.c
++++ b/drivers/mtd/nand/raw/renesas-nand-controller.c
+@@ -426,6 +426,9 @@ static int rnandc_read_page_hw_ecc(struc
+ /* Configure DMA */
+ dma_addr = dma_map_single(rnandc->dev, rnandc->buf, mtd->writesize,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(rnandc->dev, dma_addr))
++ return -ENOMEM;
++
+ writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG);
+ writel(mtd->writesize, rnandc->regs + DMA_CNT_REG);
+ writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG);
+@@ -606,6 +609,9 @@ static int rnandc_write_page_hw_ecc(stru
+ /* Configure DMA */
+ dma_addr = dma_map_single(rnandc->dev, (void *)rnandc->buf, mtd->writesize,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(rnandc->dev, dma_addr))
++ return -ENOMEM;
++
+ writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG);
+ writel(mtd->writesize, rnandc->regs + DMA_CNT_REG);
+ writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG);
diff --git a/queue-6.16/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch b/queue-6.16/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch
new file mode 100644
index 0000000000..62be927681
--- /dev/null
+++ b/queue-6.16/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch
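Review bot: In rnandc_read_page_hw_ecc() and rnandc_write_page_hw_ecc(), `dma_addr` is written with a single `writel()` to `DMA_ADDR_LOW_REG`, which silently drops the upper half if `dma_addr_t` is 64-bit and the mapping lands above 4 GiB. Whether the driver sets a 32-bit DMA mask is not visible here; if it does, `writel(lower_32_bits(dma_addr), rnandc->regs + DMA_ADDR_LOW_REG);` makes the truncation explicit, and if it does not, the high word needs programming or the mask needs setting. The new early `return -ENOMEM;` also bypasses whatever the rest of each function does on exit, so check that nothing acquired before the mapping is left held. Both bodies extend beyond the hunks.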
@@ -0,0 +1,115 @@ +From 2e3a7476ec3989e77270b9481e76e137824b17c0 Mon Sep 17 00:00:00 2001 +From: Michael Walle +Date: Tue, 1 Jul 2025 16:04:26 +0200 +Subject: mtd: spi-nor: Fix spi_nor_try_unlock_all() + +From: Michael Walle + +commit 2e3a7476ec3989e77270b9481e76e137824b17c0 upstream. + +Commit ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()") +moved all initialization of the mtd fields at the end of spi_nor_scan(). +Normally, the mtd info is only needed for the mtd ops on the device, +with one exception: spi_nor_try_unlock_all(), which will also make use +of the mtd->size parameter. With that commit, the size will always be +zero because it is not initialized. Fix that by not using the size of +the mtd_info struct, but use the size from struct spi_nor_flash_parameter. + +Fixes: ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()") +Cc: stable@vger.kernel.org +Reported-by: Jean-Marc Ranger +Closes: https://lore.kernel.org/all/DM6PR06MB561177323DC5207E34AF2A06C547A@DM6PR06MB5611.namprd06.prod.outlook.com/ +Tested-by: Jean-Marc Ranger +Signed-off-by: Michael Walle +Reviewed-by: Pratyush Yadav +Signed-off-by: Pratyush Yadav +Link: https://lore.kernel.org/r/20250701140426.2355182-1-mwalle@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/swp.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- a/drivers/mtd/spi-nor/swp.c ++++ b/drivers/mtd/spi-nor/swp.c +@@ -56,7 +56,6 @@ static u64 spi_nor_get_min_prot_length_s + static void spi_nor_get_locked_range_sr(struct spi_nor *nor, u8 sr, loff_t *ofs, + u64 *len) + { +- struct mtd_info *mtd = &nor->mtd; + u64 min_prot_len; + u8 mask = spi_nor_get_sr_bp_mask(nor); + u8 tb_mask = spi_nor_get_sr_tb_mask(nor); +@@ -77,13 +76,13 @@ static void spi_nor_get_locked_range_sr( + min_prot_len = spi_nor_get_min_prot_length_sr(nor); + *len = min_prot_len << (bp - 1); + +- if (*len > mtd->size) +- *len = mtd->size; ++ if (*len > nor->params->size) ++ *len = 
nor->params->size; + + if (nor->flags & SNOR_F_HAS_SR_TB && sr & tb_mask) + *ofs = 0; + else +- *ofs = mtd->size - *len; ++ *ofs = nor->params->size - *len; + } + + /* +@@ -158,7 +157,6 @@ static bool spi_nor_is_unlocked_sr(struc + */ + static int spi_nor_sr_lock(struct spi_nor *nor, loff_t ofs, u64 len) + { +- struct mtd_info *mtd = &nor->mtd; + u64 min_prot_len; + int ret, status_old, status_new; + u8 mask = spi_nor_get_sr_bp_mask(nor); +@@ -183,7 +181,7 @@ static int spi_nor_sr_lock(struct spi_no + can_be_bottom = false; + + /* If anything above us is unlocked, we can't use 'top' protection */ +- if (!spi_nor_is_locked_sr(nor, ofs + len, mtd->size - (ofs + len), ++ if (!spi_nor_is_locked_sr(nor, ofs + len, nor->params->size - (ofs + len), + status_old)) + can_be_top = false; + +@@ -195,11 +193,11 @@ static int spi_nor_sr_lock(struct spi_no + + /* lock_len: length of region that should end up locked */ + if (use_top) +- lock_len = mtd->size - ofs; ++ lock_len = nor->params->size - ofs; + else + lock_len = ofs + len; + +- if (lock_len == mtd->size) { ++ if (lock_len == nor->params->size) { + val = mask; + } else { + min_prot_len = spi_nor_get_min_prot_length_sr(nor); +@@ -248,7 +246,6 @@ static int spi_nor_sr_lock(struct spi_no + */ + static int spi_nor_sr_unlock(struct spi_nor *nor, loff_t ofs, u64 len) + { +- struct mtd_info *mtd = &nor->mtd; + u64 min_prot_len; + int ret, status_old, status_new; + u8 mask = spi_nor_get_sr_bp_mask(nor); +@@ -273,7 +270,7 @@ static int spi_nor_sr_unlock(struct spi_ + can_be_top = false; + + /* If anything above us is locked, we can't use 'bottom' protection */ +- if (!spi_nor_is_unlocked_sr(nor, ofs + len, mtd->size - (ofs + len), ++ if (!spi_nor_is_unlocked_sr(nor, ofs + len, nor->params->size - (ofs + len), + status_old)) + can_be_bottom = false; + +@@ -285,7 +282,7 @@ static int spi_nor_sr_unlock(struct spi_ + + /* lock_len: length of region that should remain locked */ + if (use_top) +- lock_len = mtd->size - (ofs + len); ++ 
lock_len = nor->params->size - (ofs + len); + else + lock_len = ofs; + diff --git a/queue-6.16/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch b/queue-6.16/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch new file mode 100644 index 0000000000..c606fef604 --- /dev/null +++ b/queue-6.16/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch @@ -0,0 +1,37 @@ +From 091d9e35b85b0f8f7e1c73535299f91364a5c73a Mon Sep 17 00:00:00 2001 +From: Gabor Juhos +Date: Tue, 8 Jul 2025 15:11:00 +0200 +Subject: mtd: spinand: propagate spinand_wait() errors from spinand_write_page() + +From: Gabor Juhos + +commit 091d9e35b85b0f8f7e1c73535299f91364a5c73a upstream. + +Since commit 3d1f08b032dc ("mtd: spinand: Use the external ECC engine +logic") the spinand_write_page() function ignores the errors returned +by spinand_wait(). Change the code to propagate those up to the stack +as it was done before the offending change. + +Cc: stable@vger.kernel.org +Fixes: 3d1f08b032dc ("mtd: spinand: Use the external ECC engine logic") +Signed-off-by: Gabor Juhos +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/spi/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -688,7 +688,10 @@ int spinand_write_page(struct spinand_de + SPINAND_WRITE_INITIAL_DELAY_US, + SPINAND_WRITE_POLL_DELAY_US, + &status); +- if (!ret && (status & STATUS_PROG_FAILED)) ++ if (ret) ++ return ret; ++ ++ if (status & STATUS_PROG_FAILED) + return -EIO; + + return nand_ecc_finish_io_req(nand, (struct nand_page_io_req *)req); diff --git a/queue-6.16/open_tree_attr-do-not-allow-id-mapping-changes-without-open_tree_clone.patch b/queue-6.16/open_tree_attr-do-not-allow-id-mapping-changes-without-open_tree_clone.patch new file mode 100644 index 0000000000..8975a57305 --- /dev/null 
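Review bot: Nothing in swp.c records why the flash size is now taken from `nor->params->size` instead of `mtd->size`, and the commit message shows the cost of getting it wrong: with `mtd->size` still zero, spi_nor_get_locked_range_sr() clamped `*len` to 0 and the write-protection arithmetic ran against an empty device. A comment at the first use, for example `/* mtd->size is only set at the end of spi_nor_scan(); use the parsed flash size */`, would stop a later cleanup from switching back. The subtraction `nor->params->size - (ofs + len)` in spi_nor_sr_lock() and spi_nor_sr_unlock() still depends on callers bounding `ofs + len`, and that check is not visible in these hunks.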
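Review bot: Both error returns after spinand_wait(), the new `return ret;` and the existing `return -EIO;`, leave spinand_write_page() without reaching `nand_ecc_finish_io_req()`. The part of the function before the wait is outside the hunk, so this is a question rather than a finding: if an ECC request was prepared earlier, an external ECC engine may expect the finish call on failure as well. If skipping it is intended, a comment such as `/* on failure the ECC request is abandoned, not finished */` would make that explicit.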
+++ b/queue-6.16/open_tree_attr-do-not-allow-id-mapping-changes-without-open_tree_clone.patch 
@@ -0,0 +1,47 @@
+From 9308366f062129d52e0ee3f7a019f7dd41db33df Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Fri, 8 Aug 2025 03:55:05 +1000
+Subject: open_tree_attr: do not allow id-mapping changes without OPEN_TREE_CLONE
+
+From: Aleksa Sarai
+
+commit 9308366f062129d52e0ee3f7a019f7dd41db33df upstream.
+
+As described in commit 7a54947e727b ('Merge patch series "fs: allow
+changing idmappings"'), open_tree_attr(2) was necessary in order to
+allow for a detached mount to be created and have its idmappings changed
+without the risk of any racing threads operating on it. For this reason,
+mount_setattr(2) still does not allow for id-mappings to be changed.
+
+However, there was a bug in commit 2462651ffa76 ("fs: allow changing
+idmappings") which allowed users to bypass this restriction by calling
+open_tree_attr(2) *without* OPEN_TREE_CLONE.
+
+can_idmap_mount() prevented this bug from allowing an attached
+mountpoint's id-mapping from being modified (thanks to an is_anon_ns()
+check), but this still allows for detached (but visible) mounts to have
+their be id-mapping changed. This risks the same UAF and locking issues
+as described in the merge commit, and was likely unintentional.
+
+Fixes: 2462651ffa76 ("fs: allow changing idmappings")
+Cc: stable@vger.kernel.org # v6.15+
+Signed-off-by: Aleksa Sarai
+Link: https://lore.kernel.org/20250808-open_tree_attr-bugfix-idmap-v1-1-0ec7bc05646c@cyphar.com
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/namespace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -5302,7 +5302,8 @@ SYSCALL_DEFINE5(open_tree_attr, int, dfd
+ int ret;
+ struct mount_kattr kattr = {};
+
+- kattr.kflags = MOUNT_KATTR_IDMAP_REPLACE;
++ if (flags & OPEN_TREE_CLONE)
++ kattr.kflags = MOUNT_KATTR_IDMAP_REPLACE;
+ if (flags & AT_RECURSIVE)
+ kattr.kflags |= MOUNT_KATTR_RECURSE;
+
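Review bot: The reason `MOUNT_KATTR_IDMAP_REPLACE` is now gated on `OPEN_TREE_CLONE` exists only in the commit message; the syscall body itself carries no comment, although this one condition is what keeps a detached but visible mount from having its id-mapping replaced while other threads use it. I would add above the `if`: `/* Only a freshly cloned tree is private to the caller; replacing the idmapping of any other mount can race with its users. */`. When the flag is absent `kattr.kflags` stays at its zero initialiser, so what a caller gets back when it passes an id-mapping without `OPEN_TREE_CLONE` is decided by checks outside this hunk, and a selftest for that case would pin the behaviour. The syscall body starts and continues outside the hunk.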
diff --git a/queue-6.16/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch b/queue-6.16/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch
new file mode 100644
index 0000000000..28a9ebdcd2
--- /dev/null
+++ b/queue-6.16/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch
@@ -0,0 +1,103 @@ +From 91428ca9320edbab1211851d82429d33b9cd73ef Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 15:39:26 -0400 +Subject: parisc: Check region is readable by user in raw_copy_from_user() + +From: John David Anglin + +commit 91428ca9320edbab1211851d82429d33b9cd73ef upstream. + +Because of the way the _PAGE_READ is handled in the parisc PTE, an +access interruption is not generated when the kernel reads from a +region where the _PAGE_READ is zero. The current code was written +assuming read access faults would also occur in the kernel. + +This change adds user access checks to raw_copy_from_user(). The +prober_user() define checks whether user code has read access to +a virtual address. Note that page faults are not handled in the +exception support for the probe instruction. For this reason, we +precede the probe by a ldb access check. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/special_insns.h | 28 ++++++++++++++++++++++++++++ + arch/parisc/lib/memcpy.c | 19 ++++++++++++++++++- + 2 files changed, 46 insertions(+), 1 deletion(-) + +--- a/arch/parisc/include/asm/special_insns.h ++++ b/arch/parisc/include/asm/special_insns.h +@@ -32,6 +32,34 @@ + pa; \ + }) + ++/** ++ * prober_user() - Probe user read access ++ * @sr: Space regster. ++ * @va: Virtual address. ++ * ++ * Return: Non-zero if address is accessible. ++ * ++ * Due to the way _PAGE_READ is handled in TLB entries, we need ++ * a special check to determine whether a user address is accessible. ++ * The ldb instruction does the initial access check. If it is ++ * successful, the probe instruction checks user access rights. 
++ */ ++#define prober_user(sr, va) ({ \ ++ unsigned long read_allowed; \ ++ __asm__ __volatile__( \ ++ "copy %%r0,%0\n" \ ++ "8:\tldb 0(%%sr%1,%2),%%r0\n" \ ++ "\tproberi (%%sr%1,%2),%3,%0\n" \ ++ "9:\n" \ ++ ASM_EXCEPTIONTABLE_ENTRY(8b, 9b, \ ++ "or %%r0,%%r0,%%r0") \ ++ : "=&r" (read_allowed) \ ++ : "i" (sr), "r" (va), "i" (PRIV_USER) \ ++ : "memory" \ ++ ); \ ++ read_allowed; \ ++}) ++ + #define CR_EIEM 15 /* External Interrupt Enable Mask */ + #define CR_CR16 16 /* CR16 Interval Timer */ + #define CR_EIRR 23 /* External Interrupt Request Register */ +--- a/arch/parisc/lib/memcpy.c ++++ b/arch/parisc/lib/memcpy.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #define get_user_space() mfsp(SR_USER) + #define get_kernel_space() SR_KERNEL +@@ -32,9 +33,25 @@ EXPORT_SYMBOL(raw_copy_to_user); + unsigned long raw_copy_from_user(void *dst, const void __user *src, + unsigned long len) + { ++ unsigned long start = (unsigned long) src; ++ unsigned long end = start + len; ++ unsigned long newlen = len; ++ + mtsp(get_user_space(), SR_TEMP1); + mtsp(get_kernel_space(), SR_TEMP2); +- return pa_memcpy(dst, (void __force *)src, len); ++ ++ /* Check region is user accessible */ ++ if (start) ++ while (start < end) { ++ if (!prober_user(SR_TEMP1, start)) { ++ newlen = (start - (unsigned long) src); ++ break; ++ } ++ start += PAGE_SIZE; ++ /* align to page boundry which may have different permission */ ++ start = PAGE_ALIGN_DOWN(start); ++ } ++ return len - newlen + pa_memcpy(dst, (void __force *)src, newlen); + } + EXPORT_SYMBOL(raw_copy_from_user); + diff --git a/queue-6.16/parisc-define-and-use-set_pte_at.patch b/queue-6.16/parisc-define-and-use-set_pte_at.patch new file mode 100644 index 0000000000..fd10c6193e --- /dev/null +++ b/queue-6.16/parisc-define-and-use-set_pte_at.patch 
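Review bot: In raw_copy_from_user(), `end = start + len` is not checked for wrap-around: if the sum wraps, `start < end` is false on entry, no page is probed, and `pa_memcpy()` runs over the full `len`. Callers may already bound the range, but that is not visible here, so a guard before the loop, something like `if (end < start) return len;`, would make the function safe on its own. The probe and the copy are also separate steps, so a permission change made by another thread in between is not caught, which deserves a sentence in the comment above the loop. As a style point, the `if (start)` that wraps the multi-line `while` should have braces.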
@@ -0,0 +1,58 @@ +From 802e55488bc2cc1ab6423b720255a785ccac42ce Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 16:06:21 -0400 +Subject: parisc: Define and use set_pte_at() + +From: John David Anglin + +commit 802e55488bc2cc1ab6423b720255a785ccac42ce upstream. + +When a PTE is changed, we need to flush the PTE. set_pte_at() +was lost in the folio update. PA-RISC version is the same as +the generic version. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/pgtable.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -276,7 +276,7 @@ extern unsigned long *empty_zero_page; + #define pte_none(x) (pte_val(x) == 0) + #define pte_present(x) (pte_val(x) & _PAGE_PRESENT) + #define pte_user(x) (pte_val(x) & _PAGE_USER) +-#define pte_clear(mm, addr, xp) set_pte(xp, __pte(0)) ++#define pte_clear(mm, addr, xp) set_pte_at((mm), (addr), (xp), __pte(0)) + + #define pmd_flag(x) (pmd_val(x) & PxD_FLAG_MASK) + #define pmd_address(x) ((unsigned long)(pmd_val(x) &~ PxD_FLAG_MASK) << PxD_VALUE_SHIFT) +@@ -392,6 +392,7 @@ static inline void set_ptes(struct mm_st + } + } + #define set_ptes set_ptes ++#define set_pte_at(mm, addr, ptep, pte) set_ptes(mm, addr, ptep, pte, 1) + + /* Used for deferring calls to flush_dcache_page() */ + +@@ -456,7 +457,7 @@ static inline int ptep_test_and_clear_yo + if (!pte_young(pte)) { + return 0; + } +- set_pte(ptep, pte_mkold(pte)); ++ set_pte_at(vma->vm_mm, addr, ptep, pte_mkold(pte)); + return 1; + } + +@@ -466,7 +467,7 @@ pte_t ptep_clear_flush(struct vm_area_st + struct mm_struct; + static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr, pte_t *ptep) + { +- set_pte(ptep, pte_wrprotect(*ptep)); ++ set_pte_at(mm, addr, ptep, pte_wrprotect(*ptep)); + } + + #define pte_same(A,B) (pte_val(A) == 
pte_val(B)) diff --git a/queue-6.16/parisc-drop-warn_on_once-from-flush_cache_vmap.patch b/queue-6.16/parisc-drop-warn_on_once-from-flush_cache_vmap.patch new file mode 100644 index 0000000000..8d172384be --- /dev/null +++ b/queue-6.16/parisc-drop-warn_on_once-from-flush_cache_vmap.patch @@ -0,0 +1,30 @@ +From 4eab1c27ce1f0e89ab67b01bf1e4e4c75215708a Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 16:18:41 -0400 +Subject: parisc: Drop WARN_ON_ONCE() from flush_cache_vmap + +From: John David Anglin + +commit 4eab1c27ce1f0e89ab67b01bf1e4e4c75215708a upstream. + +I have observed warning to occassionally trigger. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/cache.c ++++ b/arch/parisc/kernel/cache.c +@@ -841,7 +841,7 @@ void flush_cache_vmap(unsigned long star + } + + vm = find_vm_area((void *)start); +- if (WARN_ON_ONCE(!vm)) { ++ if (!vm) { + flush_cache_all(); + return; + } diff --git a/queue-6.16/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch b/queue-6.16/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch new file mode 100644 index 0000000000..30ff9fb46f --- /dev/null +++ b/queue-6.16/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch 
@@ -0,0 +1,37 @@
+From 305ab0a748c52eeaeb01d8cff6408842d19e5cb5 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap
+Date: Wed, 25 Jun 2025 00:30:54 -0700
+Subject: parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers
+
+From: Randy Dunlap
+
+commit 305ab0a748c52eeaeb01d8cff6408842d19e5cb5 upstream.
+
+For building a 64-bit kernel, both 32-bit and 64-bit VDSO binaries
+are built, so both 32-bit and 64-bit compilers (and tools) should be
+in the PATH environment variable.
+
+Signed-off-by: Randy Dunlap
+Cc: "James E.J. Bottomley"
+Cc: Helge Deller
+Cc: linux-parisc@vger.kernel.org
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/Makefile | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -39,7 +39,9 @@ endif
+
+ export LD_BFD
+
+-# Set default 32 bits cross compilers for vdso
++# Set default 32 bits cross compilers for vdso.
++# This means that for 64BIT, both the 64-bit tools and the 32-bit tools
++# need to be in the path.
+ CC_ARCHES_32 = hppa hppa2.0 hppa1.1
+ CC_SUFFIXES = linux linux-gnu unknown-linux-gnu suse-linux
+ CROSS32_COMPILE := $(call cc-cross-prefix, \
diff --git a/queue-6.16/parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch b/queue-6.16/parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch
new file mode 100644
index 0000000000..dda7f53435
--- /dev/null
+++ b/queue-6.16/parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch
@@ -0,0 +1,40 @@
+From 52ce9406a9625c4498c4eaa51e7a7ed9dcb9db16 Mon Sep 17 00:00:00 2001
+From: John David Anglin
+Date: Mon, 21 Jul 2025 15:56:04 -0400
+Subject: parisc: Rename pte_needs_flush() to pte_needs_cache_flush() in cache.c
+
+From: John David Anglin
+
+commit 52ce9406a9625c4498c4eaa51e7a7ed9dcb9db16 upstream.
+
+The local name used in cache.c conflicts the declaration in
+include/asm-generic/tlb.h.
+
+Signed-off-by: John David Anglin
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/cache.c
++++ b/arch/parisc/kernel/cache.c
+@@ -429,7 +429,7 @@ static inline pte_t *get_ptep(struct mm_
+ return ptep;
+ }
+
+-static inline bool pte_needs_flush(pte_t pte)
++static inline bool pte_needs_cache_flush(pte_t pte)
+ {
+ return (pte_val(pte) & (_PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_NO_CACHE))
+ == (_PAGE_PRESENT | _PAGE_ACCESSED);
+@@ -630,7 +630,7 @@ static void flush_cache_page_if_present(
+ ptep = get_ptep(vma->vm_mm, vmaddr);
+ if (ptep) {
+ pte = ptep_get(ptep);
+- needs_flush = pte_needs_flush(pte);
++ needs_flush = pte_needs_cache_flush(pte);
+ pte_unmap(ptep);
+ }
+ if (needs_flush)
diff --git a/queue-6.16/parisc-revise-__get_user-to-probe-user-read-access.patch b/queue-6.16/parisc-revise-__get_user-to-probe-user-read-access.patch
new file mode 100644
index 0000000000..8bcb269e1e
--- /dev/null
+++ b/queue-6.16/parisc-revise-__get_user-to-probe-user-read-access.patch
@@ -0,0 +1,59 @@
+From 89f686a0fb6e473a876a9a60a13aec67a62b9a7e Mon Sep 17 00:00:00 2001
+From: John David Anglin
+Date: Fri, 25 Jul 2025 13:51:32 -0400
+Subject: parisc: Revise __get_user() to probe user read access
+
+From: John David Anglin
+
+commit 89f686a0fb6e473a876a9a60a13aec67a62b9a7e upstream.
+
+Because of the way read access support is implemented, read access
+interruptions are only triggered at privilege levels 2 and 3. The
+kernel executes at privilege level 0, so __get_user() never triggers
+a read access interruption (code 26). Thus, it is currently possible
+for user code to access a read protected address via a system call.
+
+Fix this by probing read access rights at privilege level 3 (PRIV_USER)
+and setting __gu_err to -EFAULT (-14) if access isn't allowed.
+
+Note the cmpiclr instruction does a 32-bit compare because COND macro
+doesn't work inside asm.
+
+Signed-off-by: John David Anglin
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/include/asm/uaccess.h | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/include/asm/uaccess.h
++++ b/arch/parisc/include/asm/uaccess.h
+@@ -42,9 +42,24 @@
+ __gu_err; \
+ })
+
+-#define __get_user(val, ptr) \
+-({ \
+- __get_user_internal(SR_USER, val, ptr); \
++#define __probe_user_internal(sr, error, ptr) \
++({ \
++ __asm__("\tproberi (%%sr%1,%2),%3,%0\n" \
++ "\tcmpiclr,= 1,%0,%0\n" \
++ "\tldi %4,%0\n" \
++ : "=r"(error) \
++ : "i"(sr), "r"(ptr), "i"(PRIV_USER), \
++ "i"(-EFAULT)); \
++})
++
++#define __get_user(val, ptr) \
++({ \
++ register long __gu_err; \
++ \
++ __gu_err = __get_user_internal(SR_USER, val, ptr); \
++ if (likely(!__gu_err)) \
++ __probe_user_internal(SR_USER, __gu_err, ptr); \
++ __gu_err; \
+ })
+
+ #define __get_user_asm(sr, val, ldx, ptr) \
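Review bot: The rewritten `__get_user()` expands `ptr` twice, once into `__get_user_internal()` and once into `__probe_user_internal()`, so an argument with side effects such as `p++` is evaluated twice and the probe then checks a different address than the load used. Capturing it once at the top of the statement expression, e.g. `__typeof__(ptr) __gu_uptr = (ptr);`, and passing `__gu_uptr` to both avoids that; the local name must not clash with one used inside `__get_user_internal()`, whose body is outside the hunk. The load also runs before the probe, so on a probe failure `val` has presumably already been written even though `-EFAULT` is returned. Finally, `__probe_user_internal()` uses plain `__asm__`, while `prober_user()` in special_insns.h uses `__asm__ __volatile__` with a `"memory"` clobber, so either match it or add a comment saying why the weaker form is safe for an access check.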
diff --git a/queue-6.16/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch b/queue-6.16/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch
new file mode 100644
index 0000000000..98caceeccb
--- /dev/null
+++ b/queue-6.16/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch
@@ -0,0 +1,108 @@ +From f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Fri, 25 Jul 2025 12:12:14 -0400 +Subject: parisc: Revise gateway LWS calls to probe user read access + +From: John David Anglin + +commit f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 upstream. + +We use load and stbys,e instructions to trigger memory reference +interruptions without writing to memory. Because of the way read +access support is implemented, read access interruptions are only +triggered at privilege levels 2 and 3. The kernel and gateway +page execute at privilege level 0, so this code never triggers +a read access interruption. Thus, it is currently possible for +user code to execute a LWS compare and swap operation at an +address that is read protected at privilege level 3 (PRIV_USER). + +Fix this by probing read access rights at privilege level 3 and +branching to lws_fault if access isn't allowed. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/syscall.S | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -613,6 +613,9 @@ lws_compare_and_swap32: + lws_compare_and_swap: + /* Trigger memory reference interruptions without writing to memory */ + 1: ldw 0(%r26), %r28 ++ proberi (%r26), PRIV_USER, %r28 ++ comb,=,n %r28, %r0, lws_fault /* backwards, likely not taken */ ++ nop + 2: stbys,e %r0, 0(%r26) + + /* Calculate 8-bit hash index from virtual address */ +@@ -767,6 +770,9 @@ cas2_lock_start: + copy %r26, %r28 + depi_safe 0, 31, 2, %r28 + 10: ldw 0(%r28), %r1 ++ proberi (%r28), PRIV_USER, %r1 ++ comb,=,n %r1, %r0, lws_fault /* backwards, likely not taken */ ++ nop + 11: stbys,e %r0, 0(%r28) + + /* Calculate 8-bit hash index from virtual address */ +@@ -951,41 +957,47 @@ atomic_xchg_begin: + + /* 8-bit exchange 
*/ + 1: ldb 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + copy %r23, %r20 + depi_safe 0, 31, 2, %r20 + b atomic_xchg_start + 2: stbys,e %r0, 0(%r20) +- nop +- nop +- nop + + /* 16-bit exchange */ + 3: ldh 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + copy %r23, %r20 + depi_safe 0, 31, 2, %r20 + b atomic_xchg_start + 4: stbys,e %r0, 0(%r20) +- nop +- nop +- nop + + /* 32-bit exchange */ + 5: ldw 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + b atomic_xchg_start + 6: stbys,e %r0, 0(%r23) + nop + nop +- nop +- nop +- nop + + /* 64-bit exchange */ + #ifdef CONFIG_64BIT + 7: ldd 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + 8: stdby,e %r0, 0(%r23) + #else + 7: ldw 0(%r24), %r20 + 8: ldw 4(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + copy %r23, %r20 + depi_safe 0, 31, 2, %r20 + 9: stbys,e %r0, 0(%r20) diff --git a/queue-6.16/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch b/queue-6.16/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch new file mode 100644 index 0000000000..e0f9474e21 --- /dev/null +++ b/queue-6.16/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch 
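Review bot: In the 32-bit build of the 64-bit exchange (the `#else` branch), the two loads read `0(%r24)` and `4(%r24)`, but the added `proberi (%r24), PRIV_USER, %r20` checks only the first address. If the operand can straddle a page boundary, the second word's page is never probed at user privilege; alignment is enforced outside these hunks, so this is unconfirmed. Either probe the address of the second word as well, or add a comment stating the alignment guarantee that makes one probe sufficient. The exchange entries also drop `nop`s as instructions are added, which suggests each entry has a fixed size, and a comment giving that size would protect the next edit.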
@@ -0,0 +1,30 @@
+From f92a5e36b0c45cd12ac0d1bc44680c0dfae34543 Mon Sep 17 00:00:00 2001
+From: John David Anglin
+Date: Mon, 21 Jul 2025 16:13:13 -0400
+Subject: parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault()
+
+From: John David Anglin
+
+commit f92a5e36b0c45cd12ac0d1bc44680c0dfae34543 upstream.
+
+Signed-off-by: John David Anglin
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/mm/fault.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/mm/fault.c
++++ b/arch/parisc/mm/fault.c
+@@ -363,6 +363,10 @@ bad_area:
+ mmap_read_unlock(mm);
+
+ bad_area_nosemaphore:
++ if (!user_mode(regs) && fixup_exception(regs)) {
++ return;
++ }
++
+ if (user_mode(regs)) {
+ int signo, si_code;
+
diff --git a/queue-6.16/parisc-update-comments-in-make_insert_tlb.patch b/queue-6.16/parisc-update-comments-in-make_insert_tlb.patch
new file mode 100644
index 0000000000..b2349b01ec
--- /dev/null
+++ b/queue-6.16/parisc-update-comments-in-make_insert_tlb.patch
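Review bot: The commit has no description and the added block no comment, so nothing explains when a kernel-mode fault is expected to reach `bad_area_nosemaphore` with an exception-table entry. I would add above the test something like `/* Kernel-mode access covered by an exception-table entry: resume at the fixup instead of falling through to the fatal path. */`, adjusted to the real trigger, which is not visible in this hunk. As a style point, the braces around the single `return;` are unnecessary. do_page_fault() starts and continues outside the hunk.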
@@ -0,0 +1,98 @@ +From cb22f247f371bd206a88cf0e0c05d80b8b62fb26 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 15:13:42 -0400 +Subject: parisc: Update comments in make_insert_tlb + +From: John David Anglin + +commit cb22f247f371bd206a88cf0e0c05d80b8b62fb26 upstream. + +The following testcase exposed a problem with our read access checks +in get_user() and raw_copy_from_user(): + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char **argv) +{ + unsigned long page_size = sysconf(_SC_PAGESIZE); + char *p = malloc(3 * page_size); + char *p_aligned; + + /* initialize memory region. If not initialized, write syscall below will correctly return EFAULT. */ + if (1) + memset(p, 'X', 3 * page_size); + + p_aligned = (char *) ((((uintptr_t) p) + (2*page_size - 1)) & ~(page_size - 1)); + /* Drop PROT_READ protection. Kernel and userspace should fault when accessing that memory region */ + mprotect(p_aligned, page_size, PROT_NONE); + + /* the following write() should return EFAULT, since PROT_READ was dropped by previous mprotect() */ + int ret = write(2, p_aligned, 1); + if (!ret || errno != EFAULT) + printf("\n FAILURE: write() did not returned expected EFAULT value\n"); + + return 0; +} + +Because of the way _PAGE_READ is handled, kernel code never generates +a read access fault when it access a page as the kernel privilege level +is always less than PL1 in the PTE. + +This patch reworks the comments in the make_insert_tlb macro to try +to make this clearer. 
+ +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -499,6 +499,12 @@ + * this happens is quite subtle, read below */ + .macro make_insert_tlb spc,pte,prot,tmp + space_to_prot \spc \prot /* create prot id from space */ ++ ++#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT ++ /* need to drop DMB bit, as it's used as SPECIAL flag */ ++ depi 0,_PAGE_SPECIAL_BIT,1,\pte ++#endif ++ + /* The following is the real subtlety. This is depositing + * T <-> _PAGE_REFTRAP + * D <-> _PAGE_DIRTY +@@ -511,17 +517,18 @@ + * Finally, _PAGE_READ goes in the top bit of PL1 (so we + * trigger an access rights trap in user space if the user + * tries to read an unreadable page */ +-#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT +- /* need to drop DMB bit, as it's used as SPECIAL flag */ +- depi 0,_PAGE_SPECIAL_BIT,1,\pte +-#endif + depd \pte,8,7,\prot + + /* PAGE_USER indicates the page can be read with user privileges, + * so deposit X1|11 to PL1|PL2 (remember the upper bit of PL1 +- * contains _PAGE_READ) */ ++ * contains _PAGE_READ). While the kernel can't directly write ++ * user pages which have _PAGE_WRITE zero, it can read pages ++ * which have _PAGE_READ zero (PL <= PL1). Thus, the kernel ++ * exception fault handler doesn't trigger when reading pages ++ * that aren't user read accessible */ + extrd,u,*= \pte,_PAGE_USER_BIT+32,1,%r0 + depdi 7,11,3,\prot ++ + /* If we're a gateway page, drop PL2 back to zero for promotion + * to kernel privilege (so we can execute the page as kernel). + * Any privilege promotion page always denys read and write */ 
diff --git a/queue-6.16/pci-endpoint-fix-configfs-group-list-head-handling.patch b/queue-6.16/pci-endpoint-fix-configfs-group-list-head-handling.patch
new file mode 100644
index 0000000000..f360a89c0d
--- /dev/null
+++ b/queue-6.16/pci-endpoint-fix-configfs-group-list-head-handling.patch
@@ -0,0 +1,62 @@ +From d79123d79a8154b4318529b7b2ff7e15806f480b Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 24 Jun 2025 20:45:43 +0900 +Subject: PCI: endpoint: Fix configfs group list head handling + +From: Damien Le Moal + +commit d79123d79a8154b4318529b7b2ff7e15806f480b upstream. + +Doing a list_del() on the epf_group field of struct pci_epf_driver in +pci_epf_remove_cfs() is not correct as this field is a list head, not +a list entry. This list_del() call triggers a KASAN warning when an +endpoint function driver which has a configfs attribute group is torn +down: + +================================================================== +BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198 +Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319 + +CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE +Hardware name: Radxa ROCK 5B (DT) +Call trace: +show_stack+0x2c/0x84 (C) +dump_stack_lvl+0x70/0x98 +print_report+0x17c/0x538 +kasan_report+0xb8/0x190 +__asan_report_store8_noabort+0x20/0x2c +pci_epf_remove_cfs+0x17c/0x198 +pci_epf_unregister_driver+0x18/0x30 +nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf] +__arm64_sys_delete_module+0x264/0x424 +invoke_syscall+0x70/0x260 +el0_svc_common.constprop.0+0xac/0x230 +do_el0_svc+0x40/0x58 +el0_svc+0x48/0xdc +el0t_64_sync_handler+0x10c/0x138 +el0t_64_sync+0x198/0x19c +... + +Remove this incorrect list_del() call from pci_epf_remove_cfs(). 
+ +Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry") +Signed-off-by: Damien Le Moal +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Niklas Cassel +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250624114544.342159-2-dlemoal@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-epf-core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -338,7 +338,6 @@ static void pci_epf_remove_cfs(struct pc + mutex_lock(&pci_epf_mutex); + list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry) + pci_ep_cfs_remove_epf_group(group); +- list_del(&driver->epf_group); + mutex_unlock(&pci_epf_mutex); + } + diff --git a/queue-6.16/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch b/queue-6.16/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch new file mode 100644 index 0000000000..15ed5cc1a0 --- /dev/null +++ b/queue-6.16/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch 
@@ -0,0 +1,53 @@
+From 910bdb8197f9322790c738bb32feaa11dba26909 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Tue, 24 Jun 2025 20:45:44 +0900
+Subject: PCI: endpoint: Fix configfs group removal on driver teardown
+
+From: Damien Le Moal
+
+commit 910bdb8197f9322790c738bb32feaa11dba26909 upstream.
+
+An endpoint driver configfs attributes group is added to the
+epf_group list of struct pci_epf_driver by pci_epf_add_cfs() but an
+added group is not removed from this list when the attribute group is
+unregistered with pci_ep_cfs_remove_epf_group().
+
+Add the missing list_del() call in pci_ep_cfs_remove_epf_group()
+to correctly remove the attribute group from the driver list.
+
+With this change, once the loop over all attribute groups in
+pci_epf_remove_cfs() completes, the driver epf_group list should be
+empty. Add a WARN_ON() to make sure of that.
+
+Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
+Signed-off-by: Damien Le Moal
+Signed-off-by: Manivannan Sadhasivam
+Reviewed-by: Niklas Cassel
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250624114544.342159-3-dlemoal@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 1 +
+ drivers/pci/endpoint/pci-epf-core.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -691,6 +691,7 @@ void pci_ep_cfs_remove_epf_group(struct
+ if (IS_ERR_OR_NULL(group))
+ return;
+
++ list_del(&group->group_entry);
+ configfs_unregister_default_group(group);
+ }
+ EXPORT_SYMBOL(pci_ep_cfs_remove_epf_group);
+--- a/drivers/pci/endpoint/pci-epf-core.c
++++ b/drivers/pci/endpoint/pci-epf-core.c
+@@ -338,6 +338,7 @@ static void pci_epf_remove_cfs(struct pc
+ mutex_lock(&pci_epf_mutex);
+ list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
+ pci_ep_cfs_remove_epf_group(group);
++ WARN_ON(!list_empty(&driver->epf_group));
+ mutex_unlock(&pci_epf_mutex);
+ }
+
diff --git a/queue-6.16/pci-fix-link-speed-calculation-on-retrain-failure.patch b/queue-6.16/pci-fix-link-speed-calculation-on-retrain-failure.patch
new file mode 100644
index 0000000000..10fa49e651
--- /dev/null
+++ b/queue-6.16/pci-fix-link-speed-calculation-on-retrain-failure.patch
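Review bot: The `list_del(&group->group_entry)` added to `pci_ep_cfs_remove_epf_group()` takes no lock of its own, and the function is exported. The one caller visible in this patch, `pci_epf_remove_cfs()`, holds `pci_epf_mutex` around the loop, but nothing at the definition states that requirement, and the call also assumes `group_entry` is actually linked on a list (a `list_del()` on an entry that was never added dereferences uninitialised pointers). I would record the contract above the function, for example `/* Caller must hold pci_epf_mutex; @group must be on a driver's epf_group list (see pci_epf_add_cfs()). */`. The function starts outside the hunk, so any existing kernel-doc for it is not visible here.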
@@ -0,0 +1,96 @@
+From 9989e0ca7462c62f93dbc62f684448aa2efb9226 Mon Sep 17 00:00:00 2001
+From: Jiwei Sun
+Date: Thu, 23 Jan 2025 13:51:54 +0800
+Subject: PCI: Fix link speed calculation on retrain failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiwei Sun
+
+commit 9989e0ca7462c62f93dbc62f684448aa2efb9226 upstream.
+
+When pcie_failed_link_retrain() fails to retrain, it tries to revert to the
+previous link speed. However it calculates that speed from the Link
+Control 2 register without masking out non-speed bits first.
+
+PCIE_LNKCTL2_TLS2SPEED() converts such incorrect values to
+PCI_SPEED_UNKNOWN (0xff), which in turn causes a WARN splat in
+pcie_set_target_speed():
+
+ pci 0000:00:01.1: [1022:14ed] type 01 class 0x060400 PCIe Root Port
+ pci 0000:00:01.1: broken device, retraining non-functional downstream link at 2.5GT/s
+ pci 0000:00:01.1: retraining failed
+ WARNING: CPU: 1 PID: 1 at drivers/pci/pcie/bwctrl.c:168 pcie_set_target_speed
+ RDX: 0000000000000001 RSI: 00000000000000ff RDI: ffff9acd82efa000
+ pcie_failed_link_retrain
+ pci_device_add
+ pci_scan_single_device
+
+Mask out the non-speed bits in PCIE_LNKCTL2_TLS2SPEED() and
+PCIE_LNKCAP_SLS2SPEED() so they don't incorrectly return PCI_SPEED_UNKNOWN.
+
+Fixes: de9a6c8d5dbf ("PCI/bwctrl: Add pcie_set_target_speed() to set PCIe Link Speed")
+Reported-by: Andrew
+Closes: https://lore.kernel.org/r/7iNzXbCGpf8yUMJZBQjLdbjPcXrEJqBxy5-bHfppz0ek-h4_-G93b1KUrm106r2VNF2FV_sSq0nENv4RsRIUGnlYZMlQr2ZD2NyB5sdj5aU=@protonmail.com/
+Suggested-by: Maciej W. Rozycki
+Suggested-by: Ilpo Järvinen
+Signed-off-by: Jiwei Sun
+[bhelgaas: commit log, add details from https://lore.kernel.org/r/1c92ef6bcb314ee6977839b46b393282e4f52e74.1750684771.git.lukas@wunner.de]
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Ilpo Järvinen
+Cc: stable@vger.kernel.org # v6.13+
+Link: https://patch.msgid.link/20250123055155.22648-2-sjiwei@163.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pci.h | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -391,12 +391,14 @@ void pci_bus_put(struct pci_bus *bus);
+
+ #define PCIE_LNKCAP_SLS2SPEED(lnkcap) \
+ ({ \
+- ((lnkcap) == PCI_EXP_LNKCAP_SLS_64_0GB ? PCIE_SPEED_64_0GT : \
+- (lnkcap) == PCI_EXP_LNKCAP_SLS_32_0GB ? PCIE_SPEED_32_0GT : \
+- (lnkcap) == PCI_EXP_LNKCAP_SLS_16_0GB ? PCIE_SPEED_16_0GT : \
+- (lnkcap) == PCI_EXP_LNKCAP_SLS_8_0GB ? PCIE_SPEED_8_0GT : \
+- (lnkcap) == PCI_EXP_LNKCAP_SLS_5_0GB ? PCIE_SPEED_5_0GT : \
+- (lnkcap) == PCI_EXP_LNKCAP_SLS_2_5GB ? PCIE_SPEED_2_5GT : \
++ u32 lnkcap_sls = (lnkcap) & PCI_EXP_LNKCAP_SLS; \
++ \
++ (lnkcap_sls == PCI_EXP_LNKCAP_SLS_64_0GB ? PCIE_SPEED_64_0GT : \
++ lnkcap_sls == PCI_EXP_LNKCAP_SLS_32_0GB ? PCIE_SPEED_32_0GT : \
++ lnkcap_sls == PCI_EXP_LNKCAP_SLS_16_0GB ? PCIE_SPEED_16_0GT : \
++ lnkcap_sls == PCI_EXP_LNKCAP_SLS_8_0GB ? PCIE_SPEED_8_0GT : \
++ lnkcap_sls == PCI_EXP_LNKCAP_SLS_5_0GB ? PCIE_SPEED_5_0GT : \
++ lnkcap_sls == PCI_EXP_LNKCAP_SLS_2_5GB ? PCIE_SPEED_2_5GT : \
+ PCI_SPEED_UNKNOWN); \
+ })
+
+@@ -411,13 +413,17 @@ void pci_bus_put(struct pci_bus *bus);
+ PCI_SPEED_UNKNOWN)
+
+ #define PCIE_LNKCTL2_TLS2SPEED(lnkctl2) \
+- ((lnkctl2) == PCI_EXP_LNKCTL2_TLS_64_0GT ? PCIE_SPEED_64_0GT : \
+- (lnkctl2) == PCI_EXP_LNKCTL2_TLS_32_0GT ? PCIE_SPEED_32_0GT : \
+- (lnkctl2) == PCI_EXP_LNKCTL2_TLS_16_0GT ? PCIE_SPEED_16_0GT : \
+- (lnkctl2) == PCI_EXP_LNKCTL2_TLS_8_0GT ? PCIE_SPEED_8_0GT : \
+- (lnkctl2) == PCI_EXP_LNKCTL2_TLS_5_0GT ? PCIE_SPEED_5_0GT : \
+- (lnkctl2) == PCI_EXP_LNKCTL2_TLS_2_5GT ? PCIE_SPEED_2_5GT : \
+- PCI_SPEED_UNKNOWN)
++({ \
++ u16 lnkctl2_tls = (lnkctl2) & PCI_EXP_LNKCTL2_TLS; \
++ \
++ (lnkctl2_tls == PCI_EXP_LNKCTL2_TLS_64_0GT ? PCIE_SPEED_64_0GT : \
++ lnkctl2_tls == PCI_EXP_LNKCTL2_TLS_32_0GT ? PCIE_SPEED_32_0GT : \
++ lnkctl2_tls == PCI_EXP_LNKCTL2_TLS_16_0GT ? PCIE_SPEED_16_0GT : \
++ lnkctl2_tls == PCI_EXP_LNKCTL2_TLS_8_0GT ? PCIE_SPEED_8_0GT : \
++ lnkctl2_tls == PCI_EXP_LNKCTL2_TLS_5_0GT ? PCIE_SPEED_5_0GT : \
++ lnkctl2_tls == PCI_EXP_LNKCTL2_TLS_2_5GT ? PCIE_SPEED_2_5GT : \
++ PCI_SPEED_UNKNOWN); \
++})
+
+ /* PCIe speed to Mb/s reduced by encoding overhead */
+ #define PCIE_SPEED2MBS_ENC(speed) \
diff --git a/queue-6.16/pci-imx6-add-imx8mm_ep-and-imx8mp_ep-fixed-256-byte-bar-4-in-epc_features.patch b/queue-6.16/pci-imx6-add-imx8mm_ep-and-imx8mp_ep-fixed-256-byte-bar-4-in-epc_features.patch
new file mode 100644
index 0000000000..153ad0768b
--- /dev/null
+++ b/queue-6.16/pci-imx6-add-imx8mm_ep-and-imx8mp_ep-fixed-256-byte-bar-4-in-epc_features.patch
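Review bot: Both rewritten macros declare a plainly named local inside a statement expression (`u32 lnkcap_sls` in PCIE_LNKCAP_SLS2SPEED, `u16 lnkctl2_tls` in PCIE_LNKCTL2_TLS2SPEED), so a caller whose argument expression mentions a variable of the same name would have the new local initialised from itself rather than from the caller's value. A less collision-prone name closes that off, e.g. `u16 __lnkctl2_tls = (lnkctl2) & PCI_EXP_LNKCTL2_TLS;` and the same for the LNKCAP macro. Alternatively the two conversions could be `static inline` helpers taking the register value, which removes the shadowing question and gives the masked value a typed parameter; the callers are outside this hunk, so whether any needs the macro form is not visible here.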
@@ -0,0 +1,35 @@
+From 399444a87acdea5d21c218bc8e9b621fea1cd218 Mon Sep 17 00:00:00 2001
+From: Richard Zhu
+Date: Tue, 8 Jul 2025 17:10:03 +0800
+Subject: PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features
+
+From: Richard Zhu
+
+commit 399444a87acdea5d21c218bc8e9b621fea1cd218 upstream.
+
+For IMX8MM_EP and IMX8MP_EP, add fixed 256-byte BAR 4 and reserved BAR 5
+in imx8m_pcie_epc_features.
+
+Fixes: 75c2f26da03f ("PCI: imx6: Add i.MX PCIe EP mode support")
+Signed-off-by: Richard Zhu
+[bhelgaas: add details in subject]
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Frank Li
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250708091003.2582846-3-hongxing.zhu@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/dwc/pci-imx6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/controller/dwc/pci-imx6.c
++++ b/drivers/pci/controller/dwc/pci-imx6.c
+@@ -1385,6 +1385,8 @@ static const struct pci_epc_features imx
+ .msix_capable = false,
+ .bar[BAR_1] = { .type = BAR_RESERVED, },
+ .bar[BAR_3] = { .type = BAR_RESERVED, },
++ .bar[BAR_4] = { .type = BAR_FIXED, .fixed_size = SZ_256, },
++ .bar[BAR_5] = { .type = BAR_RESERVED, },
+ .align = SZ_64K,
+ };
+
diff --git a/queue-6.16/pci-imx6-add-imx8mq_ep-third-64-bit-bar-in-epc_features.patch b/queue-6.16/pci-imx6-add-imx8mq_ep-third-64-bit-bar-in-epc_features.patch
new file mode 100644
index 0000000000..3297e0bbfe
--- /dev/null
+++ b/queue-6.16/pci-imx6-add-imx8mq_ep-third-64-bit-bar-in-epc_features.patch
@@ -0,0 +1,36 @@
+From c523fa63ac1d452abeeb4e699560ec3365037f32 Mon Sep 17 00:00:00 2001
+From: Richard Zhu
+Date: Tue, 8 Jul 2025 17:10:02 +0800
+Subject: PCI: imx6: Add IMX8MQ_EP third 64-bit BAR in epc_features
+
+From: Richard Zhu
+
+commit c523fa63ac1d452abeeb4e699560ec3365037f32 upstream.
+
+IMX8MQ_EP has three 64-bit BAR0/2/4 capable and programmable BARs. For
+IMX8MQ_EP, use imx8q_pcie_epc_features (64-bit BARs 0, 2, 4) instead
+of imx8m_pcie_epc_features (64-bit BARs 0, 2).
+
+Fixes: 75c2f26da03f ("PCI: imx6: Add i.MX PCIe EP mode support")
+Signed-off-by: Richard Zhu
+[bhelgaas: add details in subject]
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Frank Li
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250708091003.2582846-2-hongxing.zhu@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/dwc/pci-imx6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/controller/dwc/pci-imx6.c
++++ b/drivers/pci/controller/dwc/pci-imx6.c
+@@ -1912,7 +1912,7 @@ static const struct imx_pcie_drvdata drv
+ .mode_mask[0] = IMX6Q_GPR12_DEVICE_TYPE,
+ .mode_off[1] = IOMUXC_GPR12,
+ .mode_mask[1] = IMX8MQ_GPR12_PCIE2_CTRL_DEVICE_TYPE,
+- .epc_features = &imx8m_pcie_epc_features,
++ .epc_features = &imx8q_pcie_epc_features,
+ .init_phy = imx8mq_pcie_init_phy,
+ .enable_ref_clk = imx8mm_pcie_enable_ref_clk,
+ },
diff --git a/queue-6.16/pci-imx6-delay-link-start-until-configfs-start-written.patch b/queue-6.16/pci-imx6-delay-link-start-until-configfs-start-written.patch
new file mode 100644
index 0000000000..c5b9045c1f
--- /dev/null
+++ b/queue-6.16/pci-imx6-delay-link-start-until-configfs-start-written.patch
@@ -0,0 +1,44 @@
+From 2e6ea70690ddd1ffa422423fd0d4523e4dfe4b62 Mon Sep 17 00:00:00 2001
+From: Richard Zhu
+Date: Wed, 9 Jul 2025 11:37:22 +0800
+Subject: PCI: imx6: Delay link start until configfs 'start' written
+
+From: Richard Zhu
+
+commit 2e6ea70690ddd1ffa422423fd0d4523e4dfe4b62 upstream.
+
+According to Documentation/PCI/endpoint/pci-endpoint-cfs.rst, the Endpoint
+controller (EPC) should only start the link when userspace writes '1' to
+the '/sys/kernel/config/pci_ep/controllers//start' attribute, which
+ultimately results in calling imx_pcie_start_link() via
+pci_epc_start_store().
+
+To align with the documented behavior, do not start the link automatically
+when adding the EP controller.
+
+Fixes: 75c2f26da03f ("PCI: imx6: Add i.MX PCIe EP mode support")
+Signed-off-by: Richard Zhu
+[mani: reworded commit subject and description]
+Signed-off-by: Manivannan Sadhasivam
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Frank Li
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250709033722.2924372-3-hongxing.zhu@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/dwc/pci-imx6.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pci-imx6.c
++++ b/drivers/pci/controller/dwc/pci-imx6.c
+@@ -1468,9 +1468,6 @@ static int imx_add_pcie_ep(struct imx_pc
+
+ pci_epc_init_notify(ep->epc);
+
+- /* Start LTSSM. */
+- imx_pcie_ltssm_enable(dev);
+-
+ return 0;
+ }
+
diff --git a/queue-6.16/pci-imx6-remove-apps_reset-toggling-from-imx_pcie_-assert-deassert-_core_reset.patch b/queue-6.16/pci-imx6-remove-apps_reset-toggling-from-imx_pcie_-assert-deassert-_core_reset.patch
new file mode 100644
index 0000000000..6cbea323f9
--- /dev/null
+++ b/queue-6.16/pci-imx6-remove-apps_reset-toggling-from-imx_pcie_-assert-deassert-_core_reset.patch
@@ -0,0 +1,66 @@
+From d31eb217425591e100b475fad6360cd3da2073c6 Mon Sep 17 00:00:00 2001
+From: Richard Zhu
+Date: Wed, 9 Jul 2025 11:37:21 +0800
+Subject: PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset
+
+From: Richard Zhu
+
+commit d31eb217425591e100b475fad6360cd3da2073c6 upstream.
+
+apps_reset corresponds to LTSSM_EN in i.MX7, i.MX8MQ, i.MX8MM and i.MX8MP
+platforms. Since assertion/de-assertion of apps_reset is done in
+imx_pcie_ltssm_enable() and imx_pcie_ltssm_disable(), remove it from
+imx_pcie_assert_core_reset() and imx_pcie_deassert_core_reset().
+
+This also fixes a failure in enumerating the PI7C9X2G608GP (hotplug) chip
+reliably on i.MX8MM, as reported by Tim.
+
+It should be noted that only i.MX7D, i.MX8MQ, i.MX8MM, and i.MX8MP
+platforms have the apps_reset logic, so this change doesn't have any effect
+on other platforms.
+
+Fixes: ef61c7d8d032 ("PCI: imx6: Deassert apps_reset in imx_pcie_deassert_core_reset()")
+Reported-by: Tim Harvey
+Closes: https://lore.kernel.org/all/CAJ+vNU3ohR2YKTwC4xoYrc1z-neDoH2TTZcMHDy+poj9=jSy+w@mail.gmail.com/
+Signed-off-by: Richard Zhu
+[mani: reworded commit subject and description]
+Signed-off-by: Manivannan Sadhasivam
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas
+Tested-by: Tim Harvey # imx8mp-venice-gw74xx (i.MX8MP + hotplug capable switch)
+Reviewed-by: Frank Li
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250709033722.2924372-2-hongxing.zhu@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/dwc/pci-imx6.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pci-imx6.c
++++ b/drivers/pci/controller/dwc/pci-imx6.c
+@@ -860,7 +860,6 @@ static int imx95_pcie_core_reset(struct
+ static void imx_pcie_assert_core_reset(struct imx_pcie *imx_pcie)
+ {
+ reset_control_assert(imx_pcie->pciephy_reset);
+- reset_control_assert(imx_pcie->apps_reset);
+
+ if (imx_pcie->drvdata->core_reset)
+ imx_pcie->drvdata->core_reset(imx_pcie, true);
+@@ -872,7 +871,6 @@ static void imx_pcie_assert_core_reset(s
+ static int imx_pcie_deassert_core_reset(struct imx_pcie *imx_pcie)
+ {
+ reset_control_deassert(imx_pcie->pciephy_reset);
+- reset_control_deassert(imx_pcie->apps_reset);
+
+ if (imx_pcie->drvdata->core_reset)
+ imx_pcie->drvdata->core_reset(imx_pcie, false);
+@@ -1247,6 +1245,9 @@ static int imx_pcie_host_init(struct dw_
+ }
+ }
+
++ /* Make sure that PCIe LTSSM is cleared */
++ imx_pcie_ltssm_disable(dev);
++
+ ret = imx_pcie_deassert_core_reset(imx_pcie);
+ if (ret < 0) {
+ dev_err(dev, "pcie deassert core reset failed: %d\n", ret);
diff --git a/queue-6.16/pci-portdrv-use-is_pciehp-instead-of-is_hotplug_bridge.patch b/queue-6.16/pci-portdrv-use-is_pciehp-instead-of-is_hotplug_bridge.patch
new file mode 100644
index 0000000000..27fb0e078d
--- /dev/null
+++ b/queue-6.16/pci-portdrv-use-is_pciehp-instead-of-is_hotplug_bridge.patch
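Review bot: The comment added in `imx_pcie_host_init()`, `/* Make sure that PCIe LTSSM is cleared */`, says what the call does but not why it has to sit here. With `apps_reset` no longer asserted in `imx_pcie_assert_core_reset()`, this call appears to be the only thing that puts the LTSSM into a known disabled state before `imx_pcie_deassert_core_reset()`, and a later cleanup could easily drop it as redundant. A comment such as `/* apps_reset (LTSSM_EN) is not touched by the core reset helpers; disable the LTSSM explicitly before releasing the core reset */` would record that dependency. `imx_pcie_host_init()` starts and ends outside the hunk.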
@@ -0,0 +1,41 @@
+From 1d60796a62f327cd9e0a6a0865ded7656d2c67f9 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sun, 13 Jul 2025 16:31:02 +0200
+Subject: PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge
+
+From: Lukas Wunner
+
+commit 1d60796a62f327cd9e0a6a0865ded7656d2c67f9 upstream.
+
+The PCIe port driver erroneously creates a subdevice for hotplug on ACPI
+slots which are handled by the ACPI hotplug driver.
+
+Avoid by checking the is_pciehp flag instead of is_hotplug_bridge when
+deciding whether to create a subdevice. The latter encompasses ACPI slots
+whereas the former doesn't.
+
+The superfluous subdevice has no real negative impact, it occupies memory
+and interrupt resources but otherwise just sits there waiting for
+interrupts from the slot that are never signaled.
+
+Fixes: f8415222837b ("PCI: Use cached copy of PCI_EXP_SLTCAP_HPC bit")
+Signed-off-by: Lukas Wunner
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org # v4.7+
+Link: https://patch.msgid.link/40d5a5fe8d40595d505949c620a067fa110ee85e.1752390102.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pcie/portdrv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/pcie/portdrv.c
++++ b/drivers/pci/pcie/portdrv.c
+@@ -220,7 +220,7 @@ static int get_port_device_capability(st
+ struct pci_host_bridge *host = pci_find_host_bridge(dev->bus);
+ int services = 0;
+
+- if (dev->is_hotplug_bridge &&
++ if (dev->is_pciehp &&
+ (pci_pcie_type(dev) == PCI_EXP_TYPE_ROOT_PORT ||
+ pci_pcie_type(dev) == PCI_EXP_TYPE_DOWNSTREAM) &&
+ (pcie_ports_native || host->native_pcie_hotplug)) {
diff --git a/queue-6.16/phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch b/queue-6.16/phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch
new file mode 100644
index 0000000000..c4fed305b1
--- /dev/null
+++ b/queue-6.16/phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch
@@ -0,0 +1,71 @@
+From 4a3556b81b99f0c8c0358f7cc6801a62b4538fe2 Mon Sep 17 00:00:00 2001
+From: Kathiravan Thirumoorthy
+Date: Mon, 30 Jun 2025 13:48:13 +0530
+Subject: phy: qcom: phy-qcom-m31: Update IPQ5332 M31 USB phy initialization sequence
+
+From: Kathiravan Thirumoorthy
+
+commit 4a3556b81b99f0c8c0358f7cc6801a62b4538fe2 upstream.
+
+The current configuration used for the IPQ5332 M31 USB PHY fails the
+Near End High Speed Signal Quality compliance test. To resolve this,
+update the initialization sequence as specified in the Hardware Design
+Document.
+
+Fixes: 08e49af50701 ("phy: qcom: Introduce M31 USB PHY driver")
+Cc: stable@kernel.org
+Signed-off-by: Kathiravan Thirumoorthy
+Reviewed-by: Konrad Dybcio
+Link: https://lore.kernel.org/r/20250630-ipq5332_hsphy_complaince-v2-1-63621439ebdb@oss.qualcomm.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/phy/qualcomm/phy-qcom-m31.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-m31.c
++++ b/drivers/phy/qualcomm/phy-qcom-m31.c
+@@ -58,14 +58,16 @@
+ #define USB2_0_TX_ENABLE BIT(2)
+
+ #define USB2PHY_USB_PHY_M31_XCFGI_4 0xc8
+- #define HSTX_SLEW_RATE_565PS GENMASK(1, 0)
++ #define HSTX_SLEW_RATE_400PS GENMASK(2, 0)
+ #define PLL_CHARGING_PUMP_CURRENT_35UA GENMASK(4, 3)
+ #define ODT_VALUE_38_02_OHM GENMASK(7, 6)
+
+ #define USB2PHY_USB_PHY_M31_XCFGI_5 0xcc
+- #define ODT_VALUE_45_02_OHM BIT(2)
+ #define HSTX_PRE_EMPHASIS_LEVEL_0_55MA BIT(0)
+
++#define USB2PHY_USB_PHY_M31_XCFGI_9 0xdc
++ #define HSTX_CURRENT_17_1MA_385MV BIT(1)
++
+ #define USB2PHY_USB_PHY_M31_XCFGI_11 0xe4
+ #define XCFG_COARSE_TUNE_NUM BIT(1)
+ #define XCFG_FINE_TUNE_NUM BIT(3)
+@@ -164,7 +166,7 @@ static struct m31_phy_regs m31_ipq5332_r
+ },
+ {
+ USB2PHY_USB_PHY_M31_XCFGI_4,
+- HSTX_SLEW_RATE_565PS | PLL_CHARGING_PUMP_CURRENT_35UA | ODT_VALUE_38_02_OHM,
++ HSTX_SLEW_RATE_400PS | PLL_CHARGING_PUMP_CURRENT_35UA | ODT_VALUE_38_02_OHM,
+ 0
+ },
+ {
+@@ -174,10 +176,14 @@ static struct m31_phy_regs m31_ipq5332_r
+ },
+ {
+ USB2PHY_USB_PHY_M31_XCFGI_5,
+- ODT_VALUE_45_02_OHM | HSTX_PRE_EMPHASIS_LEVEL_0_55MA,
++ HSTX_PRE_EMPHASIS_LEVEL_0_55MA,
+ 4
+ },
+ {
++ USB2PHY_USB_PHY_M31_XCFGI_9,
++ HSTX_CURRENT_17_1MA_385MV,
++ },
++ {
+ USB_PHY_UTMI_CTRL5,
+ 0x0,
+ 0
diff --git a/queue-6.16/proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch b/queue-6.16/proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch
new file mode 100644
index 0000000000..26a90bc506
--- /dev/null
+++ b/queue-6.16/proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch
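Review bot: The new `USB2PHY_USB_PHY_M31_XCFGI_9` entry in the `m31_phy_regs` table gives only two initialisers, while every other entry visible in these hunks spells out a third value (`0` or `4`). The missing member is zero-initialised, so the behaviour is presumably the same as an explicit `0`, but the omission reads like a forgotten field; I would write the entry as `USB2PHY_USB_PHY_M31_XCFGI_9, HSTX_CURRENT_17_1MA_385MV, 0`. The table starts and ends outside the hunks and the struct definition is not shown, so what the third member means has to be confirmed there.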
@@ -0,0 +1,47 @@
+From c0e1b774f68bdbea1618e356e30672c7f1e32509 Mon Sep 17 00:00:00 2001
+From: Jialin Wang
+Date: Fri, 8 Aug 2025 00:54:55 +0800
+Subject: proc: proc_maps_open allow proc_mem_open to return NULL
+
+From: Jialin Wang
+
+commit c0e1b774f68bdbea1618e356e30672c7f1e32509 upstream.
+
+The commit 65c66047259f ("proc: fix the issue of proc_mem_open returning
+NULL") caused proc_maps_open() to return -ESRCH when proc_mem_open()
+returns NULL. This breaks legitimate /proc//maps access for kernel
+threads since kernel threads have NULL mm_struct.
+
+The regression causes perf to fail and exit when profiling a kernel
+thread:
+
+ # perf record -v -g -p $(pgrep kswapd0)
+ ...
+ couldn't open /proc/65/task/65/maps
+
+This patch partially reverts the commit to fix it.
+
+Link: https://lkml.kernel.org/r/20250807165455.73656-1-wjl.linux@gmail.com
+Fixes: 65c66047259f ("proc: fix the issue of proc_mem_open returning NULL")
+Signed-off-by: Jialin Wang
+Cc: Penglei Jiang
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/task_mmu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -212,8 +212,8 @@ static int proc_maps_open(struct inode *
+
+ priv->inode = inode;
+ priv->mm = proc_mem_open(inode, PTRACE_MODE_READ);
+- if (IS_ERR_OR_NULL(priv->mm)) {
+- int err = priv->mm ? PTR_ERR(priv->mm) : -ESRCH;
++ if (IS_ERR(priv->mm)) {
++ int err = PTR_ERR(priv->mm);
+
+ seq_release_private(inode, file);
+ return err;
diff --git a/queue-6.16/readahead-fix-return-value-of-page_cache_next_miss-when-no-hole-is-found.patch b/queue-6.16/readahead-fix-return-value-of-page_cache_next_miss-when-no-hole-is-found.patch
new file mode 100644
index 0000000000..3cbdf792c6
--- /dev/null
+++ b/queue-6.16/readahead-fix-return-value-of-page_cache_next_miss-when-no-hole-is-found.patch
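Review bot: After this change `priv->mm` can legitimately be NULL when `proc_maps_open()` succeeds, and nothing at the `IS_ERR(priv->mm)` test says so. The commit being partially reverted was itself a well-meant NULL check, so a one-line comment above the test would help keep it from being reintroduced: `/* NULL is not an error here: kernel threads have no mm */`. Every later user of `priv->mm` then has to tolerate NULL; those users are outside this hunk, so that is worth confirming on the 6.16 tree rather than assuming. `proc_maps_open()` starts and ends outside the hunk.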
@@ -0,0 +1,44 @@
+From bbcaee20e03ecaeeecba32a703816a0d4502b6c4 Mon Sep 17 00:00:00 2001
+From: Chi Zhiling
+Date: Thu, 5 Jun 2025 13:49:35 +0800
+Subject: readahead: fix return value of page_cache_next_miss() when no hole is found
+
+From: Chi Zhiling
+
+commit bbcaee20e03ecaeeecba32a703816a0d4502b6c4 upstream.
+
+max_scan in page_cache_next_miss always decreases to zero when no hole is
+found, causing the return value to be index + 0.
+
+Fix this by preserving the max_scan value throughout the loop.
+
+Jan said "From what I know and have seen in the past, wrong responses
+from page_cache_next_miss() can lead to readahead window reduction and
+thus reduced read speeds."
+
+Link: https://lkml.kernel.org/r/20250605054935.2323451-1-chizhiling@163.com
+Fixes: 901a269ff3d5 ("filemap: fix page_cache_next_miss() when no hole found")
+Signed-off-by: Chi Zhiling
+Reviewed-by: Jan Kara
+Cc: Josef Bacik
+Cc: Matthew Wilcox (Oracle)
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/filemap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -1778,8 +1778,9 @@ pgoff_t page_cache_next_miss(struct addr
+ pgoff_t index, unsigned long max_scan)
+ {
+ XA_STATE(xas, &mapping->i_pages, index);
++ unsigned long nr = max_scan;
+
+- while (max_scan--) {
++ while (nr--) {
+ void *entry = xas_next(&xas);
+ if (!entry || xa_is_value(entry))
+ return xas.xa_index;
diff --git a/queue-6.16/series b/queue-6.16/series
index 1264508696..05e49e1752 100644
--- a/queue-6.16/series
+++ b/queue-6.16/series
@@ -88,3 +88,55 @@ pwm-imx-tpm-reset-counter-if-cmod-is-0.patch
 pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch
 pwm-mediatek-fix-duty-and-period-setting.patch
 hwmon-gsc-hwmon-fix-fan-pwm-setpoint-show-functions.patch
+mtd-spi-nor-fix-spi_nor_try_unlock_all.patch
+mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch
+mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch
+mtd-rawnand-renesas-add-missing-check-after-dma-map.patch
+mfd-mt6397-do-not-use-generic-name-for-keypad-sub-devices.patch
+readahead-fix-return-value-of-page_cache_next_miss-when-no-hole-is-found.patch
+pci-portdrv-use-is_pciehp-instead-of-is_hotplug_bridge.patch
+pci-fix-link-speed-calculation-on-retrain-failure.patch
+pci-endpoint-fix-configfs-group-list-head-handling.patch
+pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch
+pci-imx6-add-imx8mq_ep-third-64-bit-bar-in-epc_features.patch
+pci-imx6-add-imx8mm_ep-and-imx8mp_ep-fixed-256-byte-bar-4-in-epc_features.patch
+pci-imx6-remove-apps_reset-toggling-from-imx_pcie_-assert-deassert-_core_reset.patch
+pci-imx6-delay-link-start-until-configfs-start-written.patch
+vsock-virtio-validate-length-in-packet-header-before-skb_put.patch
+vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch
+phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch
+amdgpu-amdgpu_discovery-increase-timeout-limit-for-ifwi-init.patch
+asoc-sof-amd-acp-loader-use-gfp_kernel-for-dma-allocations-in-resume-context.patch
+block-restore-default-wbt-enablement.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
+i2c-qcom-geni-fix-i2c-frequency-table-to-achieve-accurate-bus-rates.patch
+iomap-fix-broken-data-integrity-guarantees-for-o_sync-writes.patch
+jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch
+kasan-test-fix-protection-against-compiler-elision.patch
+kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch
+mark-xe-driver-as-broken-if-kernel-page-size-is-not-4kb.patch
+open_tree_attr-do-not-allow-id-mapping-changes-without-open_tree_clone.patch
+proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch
+soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch
+parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch
+parisc-define-and-use-set_pte_at.patch
+parisc-drop-warn_on_once-from-flush_cache_vmap.patch
+parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch
+parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch
+parisc-revise-__get_user-to-probe-user-read-access.patch
+parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch
+parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch
+parisc-update-comments-in-make_insert_tlb.patch
+media-gspca-add-bounds-checking-to-firmware-parser.patch
+media-hi556-correct-the-test-pattern-configuration.patch
+media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch
+media-ipu6-isys-use-correct-pads-for-xlate_streams.patch
+media-vivid-fix-wrong-pixel_array-control-size.patch
+media-verisilicon-fix-av1-decoder-clock-frequency.patch
+media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
+media-usbtv-lock-resolution-while-streaming.patch
+media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch
+media-pisp_be-fix-pm_runtime-underrun-in-probe.patch
+media-ov2659-fix-memory-leaks-in-ov2659_probe.patch
+media-mt9m114-fix-deadlock-in-get_frame_interval-set_frame_interval.patch
+media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch
diff --git a/queue-6.16/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch b/queue-6.16/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch
new file mode 100644
index 0000000000..9adf84ee38
--- /dev/null
+++ b/queue-6.16/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch
@@ -0,0 +1,137 @@
+From b6bcbce3359619d05bf387d4f5cc3af63668dbaa Mon Sep 17 00:00:00 2001
+From: Jon Hunter
+Date: Thu, 31 Jul 2025 13:18:32 +0100
+Subject: soc/tegra: pmc: Ensure power-domains are in a known state
+
+From: Jon Hunter
+
+commit b6bcbce3359619d05bf387d4f5cc3af63668dbaa upstream.
+
+After commit 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on
+until late_initcall_sync") was applied, the Tegra210 Jetson TX1 board
+failed to boot. Looking into this issue, before this commit was applied,
+if any of the Tegra power-domains were in 'on' state when the kernel
+booted, they were being turned off by the genpd core before any driver
+had chance to request them. This was purely by luck and a consequence of
+the power-domains being turned off earlier during boot. After this
+commit was applied, any power-domains in the 'on' state are kept on for
+longer during boot and therefore, may never transitioned to the off
+state before they are requested/used. The hang on the Tegra210 Jetson
+TX1 is caused because devices in some power-domains are accessed without
+the power-domain being turned off and on, indicating that the
+power-domain is not in a completely on state.
+
+>From reviewing the Tegra PMC driver code, if a power-domain is in the
+'on' state there is no guarantee that all the necessary clocks
+associated with the power-domain are on and even if they are they would
+not have been requested via the clock framework and so could be turned
+off later. Some power-domains also have a 'clamping' register that needs
+to be configured as well. In short, if a power-domain is already 'on' it
+is difficult to know if it has been configured correctly. Given that the
+power-domains happened to be switched off during boot previously, to
+ensure that they are in a good known state on boot, fix this by
+switching off any power-domains that are on initially when registering
+the power-domains with the genpd framework.
+
+Note that commit 05cfb988a4d0 ("soc/tegra: pmc: Initialise resets
+associated with a power partition") updated the
+tegra_powergate_of_get_resets() function to pass the 'off' to ensure
+that the resets for the power-domain are in the correct state on boot.
+However, now that we may power off a domain on boot, if it is on, it is
+better to move this logic into the tegra_powergate_add() function so
+that there is a single place where we are handling the initial state of
+the power-domain.
+
+Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support")
+Signed-off-by: Jon Hunter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250731121832.213671-1-jonathanh@nvidia.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/tegra/pmc.c | 51 +++++++++++++++++++++++++++---------------------
+ 1 file changed, 29 insertions(+), 22 deletions(-)
+
+--- a/drivers/soc/tegra/pmc.c
++++ b/drivers/soc/tegra/pmc.c
+@@ -1234,7 +1234,7 @@ err:
+ }
+
+ static int tegra_powergate_of_get_resets(struct tegra_powergate *pg,
+- struct device_node *np, bool off)
++ struct device_node *np)
+ {
+ struct device *dev = pg->pmc->dev;
+ int err;
+@@ -1249,22 +1249,6 @@ static int tegra_powergate_of_get_resets
+ err = reset_control_acquire(pg->reset);
+ if (err < 0) {
+ pr_err("failed to acquire resets: %d\n", err);
+- goto out;
+- }
+-
+- if (off) {
+- err = reset_control_assert(pg->reset);
+- } else {
+- err = reset_control_deassert(pg->reset);
+- if (err < 0)
+- goto out;
+-
+- reset_control_release(pg->reset);
+- }
+-
+-out:
+- if (err) {
+- reset_control_release(pg->reset);
+ reset_control_put(pg->reset);
+ }
+
+@@ -1309,20 +1293,43 @@ static int tegra_powergate_add(struct te
+ goto set_available;
+ }
+
+- err = tegra_powergate_of_get_resets(pg, np, off);
++ err = tegra_powergate_of_get_resets(pg, np);
+ if (err < 0) {
+ dev_err(dev, "failed to get resets for %pOFn: %d\n", np, err);
+ goto remove_clks;
+ }
+
+- if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) {
+- if (off)
+- WARN_ON(tegra_powergate_power_up(pg, true));
++ /*
++ * If the power-domain is off, then ensure the resets are asserted.
++ * If the power-domain is on, then power down to ensure that when is
++ * it turned on the power-domain, clocks and resets are all in the
++ * expected state.
++ */
++ if (off) {
++ err = reset_control_assert(pg->reset);
++ if (err) {
++ pr_err("failed to assert resets: %d\n", err);
++ goto remove_resets;
++ }
++ } else {
++ err = tegra_powergate_power_down(pg);
++ if (err) {
++ dev_err(dev, "failed to turn off PM domain %s: %d\n",
++ pg->genpd.name, err);
++ goto remove_resets;
++ }
++ }
+
++ /*
++ * If PM_GENERIC_DOMAINS is not enabled, power-on
++ * the domain and skip the genpd registration.
++ */
++ if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) {
++ WARN_ON(tegra_powergate_power_up(pg, true));
+ goto remove_resets;
+ }
+
+- err = pm_genpd_init(&pg->genpd, NULL, off);
++ err = pm_genpd_init(&pg->genpd, NULL, true);
+ if (err < 0) {
+ dev_err(dev, "failed to initialise PM domain %pOFn: %d\n", np,
+ err);
diff --git a/queue-6.16/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch b/queue-6.16/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch
new file mode 100644
index 0000000000..688e8427bb
--- /dev/null
+++ b/queue-6.16/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch
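Review bot: In the block added to `tegra_powergate_add()`, the reset-assert failure is reported with `pr_err("failed to assert resets: %d\n", err);`, while the power-down failure a few lines later and the surrounding context lines use `dev_err(dev, ...)` and name the domain. `dev_err(dev, "failed to assert resets for %pOFn: %d\n", np, err);` would match them and say which power-domain failed. The new comment above the block is also garbled ("when is it turned on the power-domain, clocks and resets"); `when it is turned on, the power-domain, clocks and resets are all in the expected state` reads as intended. `tegra_powergate_add()` starts and ends outside the hunk.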
@@ -0,0 +1,53 @@
+From 10a886aaed293c4db3417951f396827216299e3d Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Thu, 17 Jul 2025 10:01:08 +0100
+Subject: vhost/vsock: Avoid allocating arbitrarily-sized SKBs
+
+From: Will Deacon
+
+commit 10a886aaed293c4db3417951f396827216299e3d upstream.
+
+vhost_vsock_alloc_skb() returns NULL for packets advertising a length
+larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However,
+this is only checked once the SKB has been allocated and, if the length
+in the packet header is zero, the SKB may not be freed immediately.
+
+Hoist the size check before the SKB allocation so that an iovec larger
+than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected
+outright. The subsequent check on the length field in the header can
+then simply check that the allocated SKB is indeed large enough to hold
+the packet.
+
+Cc:
+Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Will Deacon
+Message-Id: <20250717090116.11987-2-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/vsock.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -344,6 +344,9 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+
+ len = iov_length(vq->iov, out);
+
++ if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
++ return NULL;
++
+ /* len contains both payload and hdr */
+ skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
+ if (!skb)
+@@ -367,8 +370,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+ return skb;
+
+ /* The pkt is too big or the length in the header is invalid */
+- if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE ||
+- payload_len + sizeof(*hdr) > len) {
++ if (payload_len + sizeof(*hdr) > len) {
+ kfree_skb(skb);
+ return NULL;
+ }
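Review bot: The rewritten header-length check in the second inner hunk, `if (payload_len + sizeof(*hdr) > len)`, is an addition that can wrap where `size_t` is 32 bits wide and `payload_len` (declared outside the hunk, presumably a 32-bit value taken from the packet header) is close to its maximum; the removed `payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE` clause used to bound it before the sum was formed. The subtraction form `if (payload_len > len - sizeof(*hdr)) {` avoids the wrap, provided `len` is already known to be at least the header size at this point, which should be confirmed in the part of vhost_vsock_alloc_skb() that lies outside the hunk. The comment above the check still says "The pkt is too big", a case the new early `len` test now covers, so `/* The length in the header does not fit the received buffer */` would match what the code actually tests.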
diff --git a/queue-6.16/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch b/queue-6.16/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch
new file mode 100644
index 0000000000..09b1f3d01f
--- /dev/null
+++ b/queue-6.16/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch
@@ -0,0 +1,62 @@
+From 0dab92484474587b82e8e0455839eaf5ac7bf894 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Thu, 17 Jul 2025 10:01:09 +0100
+Subject: vsock/virtio: Validate length in packet header before skb_put()
+
+From: Will Deacon
+
+commit 0dab92484474587b82e8e0455839eaf5ac7bf894 upstream.
+
+When receiving a vsock packet in the guest, only the virtqueue buffer
+size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,
+virtio_vsock_skb_rx_put() uses the length from the packet header as the
+length argument to skb_put(), potentially resulting in SKB overflow if
+the host has gone wonky.
+
+Validate the length as advertised by the packet header before calling
+virtio_vsock_skb_rx_put().
+
+Cc:
+Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
+Signed-off-by: Will Deacon
+Message-Id: <20250717090116.11987-3-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -624,8 +624,9 @@ static void virtio_transport_rx_work(str
+ do {
+ virtqueue_disable_cb(vq);
+ for (;;) {
++ unsigned int len, payload_len;
++ struct virtio_vsock_hdr *hdr;
+ struct sk_buff *skb;
+- unsigned int len;
+
+ if (!virtio_transport_more_replies(vsock)) {
+ /* Stop rx until the device processes already
+@@ -642,11 +643,18 @@ static void virtio_transport_rx_work(str
+ vsock->rx_buf_nr--;
+
+ /* Drop short/long packets */
+- if (unlikely(len < sizeof(struct virtio_vsock_hdr) ||
++ if (unlikely(len < sizeof(*hdr) ||
+ len > virtio_vsock_skb_len(skb))) {
+ kfree_skb(skb);
+ continue;
+ }
++
++ hdr = virtio_vsock_hdr(skb);
++ payload_len = le32_to_cpu(hdr->len);
++ if (unlikely(payload_len > len - sizeof(*hdr))) {
++ kfree_skb(skb);
++ continue;
++ }
+
+ virtio_vsock_skb_rx_put(skb);
+ virtio_transport_deliver_tap_pkt(skb);
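Review bot: The added `payload_len > len - sizeof(*hdr)` test depends on the preceding `len < sizeof(*hdr)` guard to keep the unsigned subtraction from wrapping, and nothing in the code records that the two checks are order-dependent. A short comment above the new block would protect it against a later reshuffle, for example `/* len >= sizeof(*hdr) was checked above, so the subtraction cannot wrap; hdr->len comes from the host and bounds skb_put() */`. virtio_transport_rx_work() starts and ends outside the hunk, so the statement that virtio_vsock_skb_rx_put() passes the header length to skb_put() is taken from the commit message rather than from visible code.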