From: Sasha Levin Date: Sun, 17 Aug 2025 13:27:11 +0000 (-0400) Subject: Fixes for 6.12 X-Git-Tag: v6.12.43~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd44edb6ac0ac9a4c52fe26a7ae3cd182725eaa9;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.12 Signed-off-by: Sasha Levin --- diff --git a/queue-6.12/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch b/queue-6.12/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch new file mode 100644 index 0000000000..2247f812cc --- /dev/null +++ b/queue-6.12/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch @@ -0,0 +1,43 @@ +From 42ad65aebbb210f44d067ece841eebe07663f11c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 08:39:51 -0700 +Subject: ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path + +From: Breno Leitao + +[ Upstream commit 4734c8b46b901cff2feda8b82abc710b65dc31c1 ] + +When a GHES (Generic Hardware Error Source) triggers a panic, add the +TAINT_MACHINE_CHECK taint flag to the kernel. This explicitly marks the +kernel as tainted due to a machine check event, improving diagnostics +and post-mortem analysis. The taint is set with LOCKDEP_STILL_OK to +indicate lockdep remains valid. + +At large scale deployment, this helps to quickly determine panics that +are coming due to hardware failures. + +Signed-off-by: Breno Leitao +Reviewed-by: Tony Luck +Link: https://patch.msgid.link/20250702-add_tain-v1-1-9187b10914b9@debian.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 94e3d3fe11ae..91f9267c07ea 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -996,6 +996,8 @@ static void __ghes_panic(struct ghes *ghes, + + __ghes_print_estatus(KERN_EMERG, ghes->generic, estatus); + ++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK); ++ + ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx); + + if (!panic_timeout) +-- +2.39.5 + diff --git a/queue-6.12/acpi-apei-send-sigbus-to-current-task-if-synchronous.patch b/queue-6.12/acpi-apei-send-sigbus-to-current-task-if-synchronous.patch new file mode 100644 index 0000000000..ce77f92da2 --- /dev/null +++ b/queue-6.12/acpi-apei-send-sigbus-to-current-task-if-synchronous.patch @@ -0,0 +1,67 @@ +From f587e775ad1cecd56fdd11f47dee3a8c4f738699 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 19:42:11 +0800 +Subject: ACPI: APEI: send SIGBUS to current task if synchronous memory error + not recovered + +From: Shuai Xue + +[ Upstream commit 79a5ae3c4c5eb7e38e0ebe4d6bf602d296080060 ] + +If a synchronous error is detected as a result of user-space process +triggering a 2-bit uncorrected error, the CPU will take a synchronous +error exception such as Synchronous External Abort (SEA) on Arm64. The +kernel will queue a memory_failure() work which poisons the related +page, unmaps the page, and then sends a SIGBUS to the process, so that +a system wide panic can be avoided. + +However, no memory_failure() work will be queued when abnormal +synchronous errors occur. These errors can include situations like +invalid PA, unexpected severity, no memory failure config support, +invalid GUID section, etc. In such a case, the user-space process will +trigger SEA again. This loop can potentially exceed the platform +firmware threshold or even trigger a kernel hard lockup, leading to a +system reboot. + +Fix it by performing a force kill if no memory_failure() work is queued +for synchronous errors. + +Signed-off-by: Shuai Xue +Reviewed-by: Jarkko Sakkinen +Reviewed-by: Jonathan Cameron +Reviewed-by: Yazen Ghannam +Reviewed-by: Jane Chu +Reviewed-by: Hanjun Guo +Link: https://patch.msgid.link/20250714114212.31660-2-xueshuai@linux.alibaba.com +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 6cf40e8ac321..94e3d3fe11ae 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -799,6 +799,17 @@ static bool ghes_do_proc(struct ghes *ghes, + } + } + ++ /* ++ * If no memory failure work is queued for abnormal synchronous ++ * errors, do a force kill. ++ */ ++ if (sync && !queued) { ++ dev_err(ghes->dev, ++ HW_ERR GHES_PFX "%s:%d: synchronous unrecoverable error (SIGBUS)\n", ++ current->comm, task_pid_nr(current)); ++ force_sig(SIGBUS); ++ } ++ + return queued; + } + +-- +2.39.5 + diff --git a/queue-6.12/acpi-prm-reduce-unnecessary-printing-to-avoid-user-c.patch b/queue-6.12/acpi-prm-reduce-unnecessary-printing-to-avoid-user-c.patch new file mode 100644 index 0000000000..b14f7f90e7 --- /dev/null +++ b/queue-6.12/acpi-prm-reduce-unnecessary-printing-to-avoid-user-c.patch @@ -0,0 +1,83 @@ +From e71a37579d90e6093eee00876ccdd7dabfa5ddbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 01:41:04 +0000 +Subject: ACPI: PRM: Reduce unnecessary printing to avoid user confusion + +From: Zhu Qiyu + +[ Upstream commit 3db5648c4d608b5483470efc1da9780b081242dd ] + +Commit 088984c8d54c ("ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM +handler and context") introduced non-essential printing "Failed to find +VA for GUID: xxxx, PA: 0x0" which may confuse users to think that +something wrong is going on while it is not the case. + +According to the PRM Spec Section 4.1.2 [1], both static data buffer +address and ACPI parameter buffer address may be NULL if they are not +needed, so there is no need to print out the "Failed to find VA ... " +in those cases. + +Link: https://uefi.org/sites/default/files/resources/Platform%20Runtime%20Mechanism%20-%20with%20legal%20notice.pdf # [1] +Signed-off-by: Zhu Qiyu +Link: https://patch.msgid.link/20250704014104.82524-1-qiyuzhu2@amd.com +[ rjw: Edits in new comments, subject and changelog ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/prmt.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c +index e549914a636c..be033bbb126a 100644 +--- a/drivers/acpi/prmt.c ++++ b/drivers/acpi/prmt.c +@@ -85,8 +85,6 @@ static u64 efi_pa_va_lookup(efi_guid_t *guid, u64 pa) + } + } + +- pr_warn("Failed to find VA for GUID: %pUL, PA: 0x%llx", guid, pa); +- + return 0; + } + +@@ -154,13 +152,37 @@ acpi_parse_prmt(union acpi_subtable_headers *header, const unsigned long end) + guid_copy(&th->guid, (guid_t *)handler_info->handler_guid); + th->handler_addr = + (void *)efi_pa_va_lookup(&th->guid, handler_info->handler_address); ++ /* ++ * Print a warning message if handler_addr is zero which is not expected to ++ * ever happen. ++ */ ++ if (unlikely(!th->handler_addr)) ++ pr_warn("Failed to find VA of handler for GUID: %pUL, PA: 0x%llx", ++ &th->guid, handler_info->handler_address); + + th->static_data_buffer_addr = + efi_pa_va_lookup(&th->guid, handler_info->static_data_buffer_address); ++ /* ++ * According to the PRM specification, static_data_buffer_address can be zero, ++ * so avoid printing a warning message in that case. Otherwise, if the ++ * return value of efi_pa_va_lookup() is zero, print the message. ++ */ ++ if (unlikely(!th->static_data_buffer_addr && handler_info->static_data_buffer_address)) ++ pr_warn("Failed to find VA of static data buffer for GUID: %pUL, PA: 0x%llx", ++ &th->guid, handler_info->static_data_buffer_address); + + th->acpi_param_buffer_addr = + efi_pa_va_lookup(&th->guid, handler_info->acpi_param_buffer_address); + ++ /* ++ * According to the PRM specification, acpi_param_buffer_address can be zero, ++ * so avoid printing a warning message in that case. Otherwise, if the ++ * return value of efi_pa_va_lookup() is zero, print the message. ++ */ ++ if (unlikely(!th->acpi_param_buffer_addr && handler_info->acpi_param_buffer_address)) ++ pr_warn("Failed to find VA of acpi param buffer for GUID: %pUL, PA: 0x%llx", ++ &th->guid, handler_info->acpi_param_buffer_address); ++ + } while (++cur_handler < tm->handler_count && (handler_info = get_next_handler(handler_info))); + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/acpi-processor-fix-acpi_object-initialization.patch b/queue-6.12/acpi-processor-fix-acpi_object-initialization.patch new file mode 100644 index 0000000000..e117468602 --- /dev/null +++ b/queue-6.12/acpi-processor-fix-acpi_object-initialization.patch @@ -0,0 +1,41 @@ +From 7d2835155cf642f634f9a1e70cf3089e16ecef52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 14:42:15 +0200 +Subject: ACPI: processor: fix acpi_object initialization + +From: Sebastian Ott + +[ Upstream commit 13edf7539211d8f7d0068ce3ed143005f1da3547 ] + +Initialization of the local acpi_object in acpi_processor_get_info() +only sets the first 4 bytes to zero and is thus incomplete. This is +indicated by messages like: + acpi ACPI0007:be: Invalid PBLK length [166288104] + +Fix this by initializing all 16 bytes of the processor member of that +union. + +Signed-off-by: Sebastian Ott +Link: https://patch.msgid.link/20250703124215.12522-1-sebott@redhat.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_processor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index 7cf6101cb4c7..2a99f5eb6962 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -275,7 +275,7 @@ static inline int acpi_processor_hotadd_init(struct acpi_processor *pr, + + static int acpi_processor_get_info(struct acpi_device *device) + { +- union acpi_object object = { 0 }; ++ union acpi_object object = { .processor = { 0 } }; + struct acpi_buffer buffer = { sizeof(union acpi_object), &object }; + struct acpi_processor *pr = acpi_driver_data(device); + int device_declaration = 0; +-- +2.39.5 + diff --git a/queue-6.12/acpi-suppress-misleading-spcr-console-message-when-s.patch b/queue-6.12/acpi-suppress-misleading-spcr-console-message-when-s.patch new file mode 100644 index 0000000000..707fd3c4c7 --- /dev/null +++ b/queue-6.12/acpi-suppress-misleading-spcr-console-message-when-s.patch @@ -0,0 +1,62 @@ +From 86e9cef68e4b48ac4f538cd9b582128baba347fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 21:13:08 +0800 +Subject: ACPI: Suppress misleading SPCR console message when SPCR table is + absent + +From: Li Chen + +[ Upstream commit bad3fa2fb9206f4dcec6ddef094ec2fbf6e8dcb2 ] + +The kernel currently alway prints: +"Use ACPI SPCR as default console: No/Yes " + +even on systems that lack an SPCR table. This can +mislead users into thinking the SPCR table exists +on the machines without SPCR. + +With this change, the "Yes" is only printed if +the SPCR table is present, parsed and !param_acpi_nospcr. +This avoids user confusion on SPCR-less systems. + +Signed-off-by: Li Chen +Acked-by: Hanjun Guo +Link: https://lore.kernel.org/r/20250620131309.126555-3-me@linux.beauty +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/acpi.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c +index e6f66491fbe9..862bb1cba4f0 100644 +--- a/arch/arm64/kernel/acpi.c ++++ b/arch/arm64/kernel/acpi.c +@@ -197,6 +197,8 @@ static int __init acpi_fadt_sanity_check(void) + */ + void __init acpi_boot_table_init(void) + { ++ int ret; ++ + /* + * Enable ACPI instead of device tree unless + * - ACPI has been disabled explicitly (acpi=off), or +@@ -250,10 +252,12 @@ void __init acpi_boot_table_init(void) + * behaviour, use acpi=nospcr to disable console in ACPI SPCR + * table as default serial console. + */ +- acpi_parse_spcr(earlycon_acpi_spcr_enable, ++ ret = acpi_parse_spcr(earlycon_acpi_spcr_enable, + !param_acpi_nospcr); +- pr_info("Use ACPI SPCR as default console: %s\n", +- param_acpi_nospcr ? "No" : "Yes"); ++ if (!ret || param_acpi_nospcr || !IS_ENABLED(CONFIG_ACPI_SPCR_TABLE)) ++ pr_info("Use ACPI SPCR as default console: No\n"); ++ else ++ pr_info("Use ACPI SPCR as default console: Yes\n"); + + if (IS_ENABLED(CONFIG_ACPI_BGRT)) + acpi_table_parse(ACPI_SIG_BGRT, acpi_parse_bgrt); +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch b/queue-6.12/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch new file mode 100644 index 0000000000..cce10133df --- /dev/null +++ b/queue-6.12/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch @@ -0,0 +1,41 @@ +From 2af29aa6e354d5d2685d9dc5556f405c87146ff2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 19:50:12 +0200 +Subject: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control + +From: Lucy Thrun + +[ Upstream commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 ] + +The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte +buffer if either string argument is too long. This triggers a compiler +warning. +Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent +overflow. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/ +Signed-off-by: Lucy Thrun +Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 77432e06f3e3..a2f57d7424bb 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4410,7 +4410,7 @@ static int add_tuning_control(struct hda_codec *codec, + } + knew.private_value = + HDA_COMPOSE_AMP_VAL(nid, 1, 0, type); +- sprintf(namestr, "%s %s Volume", name, dirstr[dir]); ++ snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]); + return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec)); + } + +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-disable-jack-polling-at-shutdown.patch b/queue-6.12/alsa-hda-disable-jack-polling-at-shutdown.patch new file mode 100644 index 0000000000..5f613d704a --- /dev/null +++ b/queue-6.12/alsa-hda-disable-jack-polling-at-shutdown.patch @@ -0,0 +1,43 @@ +From 6c9e05a2d7256246f05c45026492875b84e768f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 15:14:30 +0200 +Subject: ALSA: hda: Disable jack polling at shutdown + +From: Takashi Iwai + +[ Upstream commit 1adcbdf54f76e1004bdf71df4eb1888c26e7ad06 ] + +Although the jack polling is canceled at shutdown in +snd_hda_codec_shutdown(), it might be still re-triggered when the work +is being processed at cancel_delayed_work_sync() call. This may +result in the unexpected hardware access that should have been already +disabled. + +For assuring to stop the jack polling, clear codec->jackpoll_interval +at shutdown. + +Reported-by: Joakim Zhang +Closes: https://lore.kernel.org/20250619020844.2974160-4-joakim.zhang@cixtech.com +Tested-by: Joakim Zhang +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250623131437.10670-2-tiwai@suse.de +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_codec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index cb3bba7eed4f..db2487cfd5da 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -3038,6 +3038,7 @@ void snd_hda_codec_shutdown(struct hda_codec *codec) + if (!codec->core.registered) + return; + ++ codec->jackpoll_interval = 0; /* don't poll any longer */ + cancel_delayed_work_sync(&codec->jackpoll_work); + list_for_each_entry(cpcm, &codec->pcm_list_head, list) + snd_pcm_suspend_all(cpcm->pcm); +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-handle-the-jack-polling-always-via-a-work.patch b/queue-6.12/alsa-hda-handle-the-jack-polling-always-via-a-work.patch new file mode 100644 index 0000000000..68a98cefec --- /dev/null +++ b/queue-6.12/alsa-hda-handle-the-jack-polling-always-via-a-work.patch @@ -0,0 +1,129 @@ +From ff7f15491a528640473f2ec2c051f274d6f3e6f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 15:14:32 +0200 +Subject: ALSA: hda: Handle the jack polling always via a work + +From: Takashi Iwai + +[ Upstream commit 5f7e54b23e4d253eff3b10b12d6fa92d28d7dddc ] + +We used to call directly hda_jackpoll_work() from a couple of places +for updating the jack and notify to user-space, but this makes rather +the code flow fragile. Namely, because of those direct calls, +hda_jackpoll_work() uses snd_hda_power_up_pm() and *_down_pm() calls +instead of the standard snd_hda_power_up() and *_down() calls. The +latter pair assures the runtime PM resume sync, so it can avoid the +race against the PM callbacks gracefully, while the former pair may +continue if called concurrently, hence it may race (by design). + +In this patch, we change the call pattern of hda_jackpoll_work(); now +all callers are replaced with the standard snd_hda_jack_report_sync() +and the additional schedule_delayed_work(). + +Since hda_jackpoll_work() is called only from the associated work, +it's always outside the PM code path, and we can safely use +snd_hda_power_up() and *_down() there instead. This allows us to +remove the racy check of power-state in hda_jackpoll_work(), as well +as the tricky cancel_delayed_work() and rescheduling at +hda_codec_runtime_suspend(). + +Reported-by: Joakim Zhang +Closes: https://lore.kernel.org/20250619020844.2974160-1-joakim.zhang@cixtech.com +Tested-by: Joakim Zhang +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250623131437.10670-4-tiwai@suse.de +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_codec.c | 41 +++++++++++++-------------------------- + 1 file changed, 14 insertions(+), 27 deletions(-) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 46a220404999..cb3bba7eed4f 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -639,24 +639,16 @@ static void hda_jackpoll_work(struct work_struct *work) + struct hda_codec *codec = + container_of(work, struct hda_codec, jackpoll_work.work); + +- /* for non-polling trigger: we need nothing if already powered on */ +- if (!codec->jackpoll_interval && snd_hdac_is_power_on(&codec->core)) ++ if (!codec->jackpoll_interval) + return; + + /* the power-up/down sequence triggers the runtime resume */ +- snd_hda_power_up_pm(codec); ++ snd_hda_power_up(codec); + /* update jacks manually if polling is required, too */ +- if (codec->jackpoll_interval) { +- snd_hda_jack_set_dirty_all(codec); +- snd_hda_jack_poll_all(codec); +- } +- snd_hda_power_down_pm(codec); +- +- if (!codec->jackpoll_interval) +- return; +- +- schedule_delayed_work(&codec->jackpoll_work, +- codec->jackpoll_interval); ++ snd_hda_jack_set_dirty_all(codec); ++ snd_hda_jack_poll_all(codec); ++ schedule_delayed_work(&codec->jackpoll_work, codec->jackpoll_interval); ++ snd_hda_power_down(codec); + } + + /* release all pincfg lists */ +@@ -2926,12 +2918,12 @@ static void hda_call_codec_resume(struct hda_codec *codec) + snd_hda_regmap_sync(codec); + } + +- if (codec->jackpoll_interval) +- hda_jackpoll_work(&codec->jackpoll_work.work); +- else +- snd_hda_jack_report_sync(codec); ++ snd_hda_jack_report_sync(codec); + codec->core.dev.power.power_state = PMSG_ON; + snd_hdac_leave_pm(&codec->core); ++ if (codec->jackpoll_interval) ++ schedule_delayed_work(&codec->jackpoll_work, ++ codec->jackpoll_interval); + } + + static int hda_codec_runtime_suspend(struct device *dev) +@@ -2943,8 +2935,6 @@ static int hda_codec_runtime_suspend(struct device *dev) + if (!codec->card) + return 0; + +- cancel_delayed_work_sync(&codec->jackpoll_work); +- + state = hda_call_codec_suspend(codec); + if (codec->link_down_at_suspend || + (codec_has_clkstop(codec) && codec_has_epss(codec) && +@@ -2952,10 +2942,6 @@ static int hda_codec_runtime_suspend(struct device *dev) + snd_hdac_codec_link_down(&codec->core); + snd_hda_codec_display_power(codec, false); + +- if (codec->bus->jackpoll_in_suspend && +- (dev->power.power_state.event != PM_EVENT_SUSPEND)) +- schedule_delayed_work(&codec->jackpoll_work, +- codec->jackpoll_interval); + return 0; + } + +@@ -3118,10 +3104,11 @@ int snd_hda_codec_build_controls(struct hda_codec *codec) + if (err < 0) + return err; + ++ snd_hda_jack_report_sync(codec); /* call at the last init point */ + if (codec->jackpoll_interval) +- hda_jackpoll_work(&codec->jackpoll_work.work); +- else +- snd_hda_jack_report_sync(codec); /* call at the last init point */ ++ schedule_delayed_work(&codec->jackpoll_work, ++ codec->jackpoll_interval); ++ + sync_power_up_states(codec); + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-lg-gram-16z90r-a-to-alc269-fixu.patch b/queue-6.12/alsa-hda-realtek-add-lg-gram-16z90r-a-to-alc269-fixu.patch new file mode 100644 index 0000000000..29bbbb9329 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-lg-gram-16z90r-a-to-alc269-fixu.patch @@ -0,0 +1,48 @@ +From ae7e08fc3f99a46f271b7179bcc0761e489f15db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Aug 2025 09:12:07 -0600 +Subject: ALSA: hda/realtek: add LG gram 16Z90R-A to alc269 fixup table + +From: Thomas Croft + +[ Upstream commit dbe05428c4e54068a86e7e02405f3b30b1d2b3dd ] + +Several months ago, Joshua Grisham submitted a patch [1] +for several ALC298 based sound cards. + +The entry for the LG gram 16 in the alc269_fixup_tbl only matches the +Subsystem ID for the 16Z90R-Q and 16Z90R-K models [2]. My 16Z90R-A has a +different Subsystem ID [3]. I'm not sure why these IDs differ, but I +speculate it's due to the NVIDIA GPU included in the 16Z90R-A model that +isn't present in the other models. + +I applied the patch to the latest Arch Linux kernel and the card was +initialized as expected. + +[1]: https://lore.kernel.org/linux-sound/20240909193000.838815-1-josh@joshuagrisham.com/ +[2]: https://linux-hardware.org/?id=pci:8086-51ca-1854-0488 +[3]: https://linux-hardware.org/?id=pci:8086-51ca-1854-0489 + +Signed-off-by: Thomas Croft +Link: https://patch.msgid.link/20250804151457.134761-2-thomasmcft@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 50b340876f09..840cde49935d 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11302,6 +11302,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1854, 0x0440, "LG CQ6", ALC256_FIXUP_HEADPHONE_AMP_VOL), + SND_PCI_QUIRK(0x1854, 0x0441, "LG CQ6 AIO", ALC256_FIXUP_HEADPHONE_AMP_VOL), + SND_PCI_QUIRK(0x1854, 0x0488, "LG gram 16 (16Z90R)", ALC298_FIXUP_SAMSUNG_AMP_V2_4_AMPS), ++ SND_PCI_QUIRK(0x1854, 0x0489, "LG gram 16 (16Z90R-A)", ALC298_FIXUP_SAMSUNG_AMP_V2_4_AMPS), + SND_PCI_QUIRK(0x1854, 0x048a, "LG gram 17 (17ZD90R)", ALC298_FIXUP_SAMSUNG_AMP_V2_4_AMPS), + SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS), + SND_PCI_QUIRK(0x19e5, 0x320f, "Huawei WRT-WX9 ", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), +-- +2.39.5 + diff --git a/queue-6.12/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch b/queue-6.12/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch new file mode 100644 index 0000000000..812b1a39c7 --- /dev/null +++ b/queue-6.12/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch @@ -0,0 +1,37 @@ +From 68949b24c742d0218bfa67c30f39a195f712d8bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jun 2025 11:52:24 -0700 +Subject: ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 + +From: Alok Tiwari + +[ Upstream commit 87aafc8580acf87fcaf1a7e30ed858d8c8d37d81 ] + +code mistakenly used a hardcoded index (codec[1]) instead of +iterating, over the codec array using the loop variable i. +Use codec[i] instead of codec[1] to match the loop iteration. + +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250621185233.4081094-1-alok.a.tiwari@oracle.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/intel8x0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c +index e4bb99f71c2c..95f0bd2e1532 100644 +--- a/sound/pci/intel8x0.c ++++ b/sound/pci/intel8x0.c +@@ -2249,7 +2249,7 @@ static int snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock, + tmp |= chip->ac97_sdin[0] << ICH_DI1L_SHIFT; + for (i = 1; i < 4; i++) { + if (pcm->r[0].codec[i]) { +- tmp |= chip->ac97_sdin[pcm->r[0].codec[1]->num] << ICH_DI2L_SHIFT; ++ tmp |= chip->ac97_sdin[pcm->r[0].codec[i]->num] << ICH_DI2L_SHIFT; + break; + } + } +-- +2.39.5 + diff --git a/queue-6.12/alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch b/queue-6.12/alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch new file mode 100644 index 0000000000..4bbc8d3d69 --- /dev/null +++ b/queue-6.12/alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch @@ -0,0 +1,96 @@ +From ec0c7b84ec22b2cd7403394a5c67379f05dc8908 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 11:44:02 +0200 +Subject: ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop + +From: Christophe Leroy + +[ Upstream commit 92f59aeb13252265c20e7aef1379a8080c57e0a2 ] + +At the time being recalculate_boundary() is implemented with a +loop which shows up as costly in a perf profile, as depicted by +the annotate below: + + 0.00 : c057e934: 3d 40 7f ff lis r10,32767 + 0.03 : c057e938: 61 4a ff ff ori r10,r10,65535 + 0.21 : c057e93c: 7d 49 50 50 subf r10,r9,r10 + 5.39 : c057e940: 7d 3c 4b 78 mr r28,r9 + 2.11 : c057e944: 55 29 08 3c slwi r9,r9,1 + 3.04 : c057e948: 7c 09 50 40 cmplw r9,r10 + 2.47 : c057e94c: 40 81 ff f4 ble c057e940 + +Total: 13.2% on that simple loop. + +But what the loop does is to multiply the boundary by 2 until it is +over the wanted border. This can be avoided by using fls() to get the +boundary value order and shift it by the appropriate number of bits at +once. + +This change provides the following profile: + + 0.04 : c057f6e8: 3d 20 7f ff lis r9,32767 + 0.02 : c057f6ec: 61 29 ff ff ori r9,r9,65535 + 0.34 : c057f6f0: 7d 5a 48 50 subf r10,r26,r9 + 0.23 : c057f6f4: 7c 1a 50 40 cmplw r26,r10 + 0.02 : c057f6f8: 41 81 00 20 bgt c057f718 + 0.26 : c057f6fc: 7f 47 00 34 cntlzw r7,r26 + 0.09 : c057f700: 7d 48 00 34 cntlzw r8,r10 + 0.22 : c057f704: 7d 08 38 50 subf r8,r8,r7 + 0.04 : c057f708: 7f 5a 40 30 slw r26,r26,r8 + 0.35 : c057f70c: 7c 0a d0 40 cmplw r10,r26 + 0.13 : c057f710: 40 80 05 f8 bge c057fd08 + 0.00 : c057f714: 57 5a f8 7e srwi r26,r26,1 + +Total: 1.7% with that loopless alternative. + +Signed-off-by: Christophe Leroy +Link: https://patch.msgid.link/4836e2cde653eebaf2709ebe30eec736bb8c67fd.1749202237.git.christophe.leroy@csgroup.eu +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 0a1ba26872f8..9b91f68b3fff 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include "pcm_local.h" + +@@ -3130,13 +3131,23 @@ struct snd_pcm_sync_ptr32 { + static snd_pcm_uframes_t recalculate_boundary(struct snd_pcm_runtime *runtime) + { + snd_pcm_uframes_t boundary; ++ snd_pcm_uframes_t border; ++ int order; + + if (! runtime->buffer_size) + return 0; +- boundary = runtime->buffer_size; +- while (boundary * 2 <= 0x7fffffffUL - runtime->buffer_size) +- boundary *= 2; +- return boundary; ++ ++ border = 0x7fffffffUL - runtime->buffer_size; ++ if (runtime->buffer_size > border) ++ return runtime->buffer_size; ++ ++ order = __fls(border) - __fls(runtime->buffer_size); ++ boundary = runtime->buffer_size << order; ++ ++ if (boundary <= border) ++ return boundary; ++ else ++ return boundary / 2; + } + + static int snd_pcm_ioctl_sync_ptr_compat(struct snd_pcm_substream *substream, +-- +2.39.5 + diff --git a/queue-6.12/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch b/queue-6.12/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch new file mode 100644 index 0000000000..c0f1e58bba --- /dev/null +++ b/queue-6.12/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch @@ -0,0 +1,61 @@ +From da85d78248444fd3bb25f2abd100d30269a92582 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 17:07:42 +0300 +Subject: ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros + +From: Cristian Ciocaltea + +[ Upstream commit fd3ab72e42e9871a9902b945a2bf8bb87b49c718 ] + +Fix all macro related issues identified by checkpatch.pl: + + CHECK: Macro argument 'x' may be better as '(x)' to avoid precedence issues + +Signed-off-by: Cristian Ciocaltea +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250526-dualsense-alsa-jack-v1-3-1a821463b632@collabora.com +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_quirks.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index 1e7192cb4693..ef30d4aaf81a 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -2152,15 +2152,15 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer) + #define SND_RME_CLK_FREQMUL_SHIFT 18 + #define SND_RME_CLK_FREQMUL_MASK 0x7 + #define SND_RME_CLK_SYSTEM(x) \ +- ((x >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK) ++ (((x) >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK) + #define SND_RME_CLK_AES(x) \ +- ((x >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) ++ (((x) >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) + #define SND_RME_CLK_SPDIF(x) \ +- ((x >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) ++ (((x) >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) + #define SND_RME_CLK_SYNC(x) \ +- ((x >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK) ++ (((x) >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK) + #define SND_RME_CLK_FREQMUL(x) \ +- ((x >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK) ++ (((x) >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK) + #define SND_RME_CLK_AES_LOCK 0x1 + #define SND_RME_CLK_AES_SYNC 0x4 + #define SND_RME_CLK_SPDIF_LOCK 0x2 +@@ -2169,9 +2169,9 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer) + #define SND_RME_SPDIF_FORMAT_SHIFT 5 + #define SND_RME_BINARY_MASK 0x1 + #define SND_RME_SPDIF_IF(x) \ +- ((x >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK) ++ (((x) >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK) + #define SND_RME_SPDIF_FORMAT(x) \ +- ((x >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK) ++ (((x) >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK) + + static const u32 snd_rme_rate_table[] = { + 32000, 44100, 48000, 50000, +-- +2.39.5 + diff --git a/queue-6.12/apparmor-fix-x_table_lookup-when-stacking-is-not-the.patch b/queue-6.12/apparmor-fix-x_table_lookup-when-stacking-is-not-the.patch new file mode 100644 index 0000000000..2164658544 --- /dev/null +++ b/queue-6.12/apparmor-fix-x_table_lookup-when-stacking-is-not-the.patch @@ -0,0 +1,144 @@ +From 955427229baa4b92a822d29cca8d4e332434b039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jan 2024 21:54:30 -0800 +Subject: apparmor: fix x_table_lookup when stacking is not the first entry + +From: John Johansen + +[ Upstream commit a9eb185be84e998aa9a99c7760534ccc06216705 ] + +x_table_lookup currently does stacking during label_parse() if the +target specifies a stack but its only caller ensures that it will +never be used with stacking. + +Refactor to slightly simplify the code in x_to_label(), this +also fixes a long standing problem where x_to_labels check on stacking +is only on the first element to the table option list, instead of +the element that is found and used. + +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/domain.c | 52 +++++++++++++++++++++----------------- + 1 file changed, 29 insertions(+), 23 deletions(-) + +diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c +index 571158ec6188..cccd61cca509 100644 +--- a/security/apparmor/domain.c ++++ b/security/apparmor/domain.c +@@ -509,6 +509,7 @@ static const char *next_name(int xtype, const char *name) + * @name: returns: name tested to find label (NOT NULL) + * + * Returns: refcounted label, or NULL on failure (MAYBE NULL) ++ * @name will always be set with the last name tried + */ + struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, + const char **name) +@@ -518,6 +519,7 @@ struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, + struct aa_label *label = NULL; + u32 xtype = xindex & AA_X_TYPE_MASK; + int index = xindex & AA_X_INDEX_MASK; ++ const char *next; + + AA_BUG(!name); + +@@ -525,25 +527,27 @@ struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, + /* TODO: move lookup parsing to unpack time so this is a straight + * index into the resultant label + */ +- for (*name = rules->file->trans.table[index]; !label && *name; +- *name = next_name(xtype, *name)) { ++ for (next = rules->file->trans.table[index]; next; ++ next = next_name(xtype, next)) { ++ const char *lookup = (*next == '&') ? next + 1 : next; ++ *name = next; + if (xindex & AA_X_CHILD) { +- struct aa_profile *new_profile; +- /* release by caller */ +- new_profile = aa_find_child(profile, *name); +- if (new_profile) +- label = &new_profile->label; ++ /* TODO: switich to parse to get stack of child */ ++ struct aa_profile *new = aa_find_child(profile, lookup); ++ ++ if (new) ++ /* release by caller */ ++ return &new->label; + continue; + } +- label = aa_label_parse(&profile->label, *name, GFP_KERNEL, ++ label = aa_label_parse(&profile->label, lookup, GFP_KERNEL, + true, false); +- if (IS_ERR(label)) +- label = NULL; ++ if (!IS_ERR_OR_NULL(label)) ++ /* release by caller */ ++ return label; + } + +- /* released by caller */ +- +- return label; ++ return NULL; + } + + /** +@@ -568,9 +572,9 @@ static struct aa_label *x_to_label(struct aa_profile *profile, + struct aa_ruleset *rules = list_first_entry(&profile->rules, + typeof(*rules), list); + struct aa_label *new = NULL; ++ struct aa_label *stack = NULL; + struct aa_ns *ns = profile->ns; + u32 xtype = xindex & AA_X_TYPE_MASK; +- const char *stack = NULL; + + switch (xtype) { + case AA_X_NONE: +@@ -579,13 +583,14 @@ static struct aa_label *x_to_label(struct aa_profile *profile, + break; + case AA_X_TABLE: + /* TODO: fix when perm mapping done at unload */ +- stack = rules->file->trans.table[xindex & AA_X_INDEX_MASK]; +- if (*stack != '&') { +- /* released by caller */ +- new = x_table_lookup(profile, xindex, lookupname); +- stack = NULL; ++ /* released by caller ++ * if null for both stack and direct want to try fallback ++ */ ++ new = x_table_lookup(profile, xindex, lookupname); ++ if (!new || **lookupname != '&') + break; +- } ++ stack = new; ++ new = NULL; + fallthrough; /* to X_NAME */ + case AA_X_NAME: + if (xindex & AA_X_CHILD) +@@ -600,6 +605,7 @@ static struct aa_label *x_to_label(struct aa_profile *profile, + break; + } + ++ /* fallback transition check */ + if (!new) { + if (xindex & AA_X_INHERIT) { + /* (p|c|n)ix - don't change profile but do +@@ -618,12 +624,12 @@ static struct aa_label *x_to_label(struct aa_profile *profile, + /* base the stack on post domain transition */ + struct aa_label *base = new; + +- new = aa_label_parse(base, stack, GFP_KERNEL, true, false); +- if (IS_ERR(new)) +- new = NULL; ++ new = aa_label_merge(base, stack, GFP_KERNEL); ++ /* null on error */ + aa_put_label(base); + } + ++ aa_put_label(stack); + /* released by caller */ + return new; + } +-- +2.39.5 + diff --git a/queue-6.12/apparmor-shift-ouid-when-mediating-hard-links-in-use.patch b/queue-6.12/apparmor-shift-ouid-when-mediating-hard-links-in-use.patch new file mode 100644 index 0000000000..811cce65b6 --- /dev/null +++ b/queue-6.12/apparmor-shift-ouid-when-mediating-hard-links-in-use.patch @@ -0,0 +1,55 @@ +From 27cfdc82161a2bb6c474aec0fcba9d747f9ddb9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 18:42:08 -0400 +Subject: apparmor: shift ouid when mediating hard links in userns + +From: Gabriel Totev + +[ Upstream commit c5bf96d20fd787e4909b755de4705d52f3458836 ] + +When using AppArmor profiles inside an unprivileged container, +the link operation observes an unshifted ouid. +(tested with LXD and Incus) + +For example, root inside container and uid 1000000 outside, with +`owner /root/link l,` profile entry for ln: + +/root$ touch chain && ln chain link +==> dmesg +apparmor="DENIED" operation="link" class="file" +namespace="root//lxd-feet_" profile="linkit" +name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l" +fsuid=1000000 ouid=0 [<== should be 1000000] target="/root/chain" + +Fix by mapping inode uid of old_dentry in aa_path_link() rather than +using it directly, similarly to how it's mapped in __file_path_perm() +later in the file. + +Signed-off-by: Gabriel Totev +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/file.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/security/apparmor/file.c b/security/apparmor/file.c +index d52a5b14dad4..62bc46e03758 100644 +--- a/security/apparmor/file.c ++++ b/security/apparmor/file.c +@@ -423,9 +423,11 @@ int aa_path_link(const struct cred *subj_cred, + { + struct path link = { .mnt = new_dir->mnt, .dentry = new_dentry }; + struct path target = { .mnt = new_dir->mnt, .dentry = old_dentry }; ++ struct inode *inode = d_backing_inode(old_dentry); ++ vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(target.mnt), inode); + struct path_cond cond = { +- d_backing_inode(old_dentry)->i_uid, +- d_backing_inode(old_dentry)->i_mode ++ .uid = vfsuid_into_kuid(vfsuid), ++ .mode = inode->i_mode, + }; + char *buffer = NULL, *buffer2 = NULL; + struct aa_profile *profile; +-- +2.39.5 + diff --git a/queue-6.12/apparmor-use-the-condition-in-aa_bug_fmt-even-with-d.patch b/queue-6.12/apparmor-use-the-condition-in-aa_bug_fmt-even-with-d.patch new file mode 100644 index 0000000000..9a86f60f95 --- /dev/null +++ b/queue-6.12/apparmor-use-the-condition-in-aa_bug_fmt-even-with-d.patch @@ -0,0 +1,45 @@ +From 9a4f7a22f757cd0e25ed7222bedc5d7c8a9f6f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jan 2025 21:54:04 +0100 +Subject: apparmor: use the condition in AA_BUG_FMT even with debug disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mateusz Guzik + +[ Upstream commit 67e370aa7f968f6a4f3573ed61a77b36d1b26475 ] + +This follows the established practice and fixes a build failure for me: +security/apparmor/file.c: In function ‘__file_sock_perm’: +security/apparmor/file.c:544:24: error: unused variable ‘sock’ [-Werror=unused-variable] + 544 | struct socket *sock = (struct socket *) file->private_data; + | ^~~~ + +Signed-off-by: Mateusz Guzik +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/include/lib.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h +index d7a894b1031f..1ec00113a056 100644 +--- a/security/apparmor/include/lib.h ++++ b/security/apparmor/include/lib.h +@@ -48,7 +48,11 @@ extern struct aa_dfa *stacksplitdfa; + #define AA_BUG_FMT(X, fmt, args...) \ + WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args) + #else +-#define AA_BUG_FMT(X, fmt, args...) no_printk(fmt, ##args) ++#define AA_BUG_FMT(X, fmt, args...) \ ++ do { \ ++ BUILD_BUG_ON_INVALID(X); \ ++ no_printk(fmt, ##args); \ ++ } while (0) + #endif + + #define AA_ERROR(fmt, args...) \ +-- +2.39.5 + diff --git a/queue-6.12/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch b/queue-6.12/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch new file mode 100644 index 0000000000..0689f75edc --- /dev/null +++ b/queue-6.12/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch @@ -0,0 +1,70 @@ +From 36ed6b4ab0ce86fd3bcc3eb79b72c1fc045588a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 17:04:53 +0300 +Subject: ARM: rockchip: fix kernel hang during smp initialization + +From: Alexander Kochetkov + +[ Upstream commit 7cdb433bb44cdc87dc5260cdf15bf03cc1cd1814 ] + +In order to bring up secondary CPUs main CPU write trampoline +code to SRAM. The trampoline code is written while secondary +CPUs are powered on (at least that true for RK3188 CPU). +Sometimes that leads to kernel hang. Probably because secondary +CPU execute trampoline code while kernel doesn't expect. + +The patch moves SRAM initialization step to the point where all +secondary CPUs are powered down. + +That fixes rarely hangs on RK3188: +[ 0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000 +[ 0.091996] rockchip_smp_prepare_cpus: ncores 4 + +Signed-off-by: Alexander Kochetkov +Link: https://lore.kernel.org/r/20250703140453.1273027-1-al.kochet@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/mach-rockchip/platsmp.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/mach-rockchip/platsmp.c b/arch/arm/mach-rockchip/platsmp.c +index 36915a073c23..f432d22bfed8 100644 +--- a/arch/arm/mach-rockchip/platsmp.c ++++ b/arch/arm/mach-rockchip/platsmp.c +@@ -279,11 +279,6 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus) + } + + if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) { +- if (rockchip_smp_prepare_sram(node)) { +- of_node_put(node); +- return; +- } +- + /* enable the SCU power domain */ + pmu_set_power_domain(PMU_PWRDN_SCU, true); + +@@ -316,11 +311,19 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus) + asm ("mrc p15, 1, %0, c9, c0, 2\n" : "=r" (l2ctlr)); + ncores = ((l2ctlr >> 24) & 0x3) + 1; + } +- of_node_put(node); + + /* Make sure that all cores except the first are really off */ + for (i = 1; i < ncores; i++) + pmu_set_power_domain(0 + i, false); ++ ++ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) { ++ if (rockchip_smp_prepare_sram(node)) { ++ of_node_put(node); ++ return; ++ } ++ } ++ ++ of_node_put(node); + } + + static void __init rk3036_smp_prepare_cpus(unsigned int max_cpus) +-- +2.39.5 + diff --git a/queue-6.12/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch b/queue-6.12/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch new file mode 100644 index 0000000000..67b1302afe --- /dev/null +++ b/queue-6.12/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch @@ -0,0 +1,36 @@ +From 4280bfccc95499da58c302326f2fc7c44e4d2d03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 11:11:24 -0500 +Subject: ARM: tegra: Use I/O memcpy to write to IRAM + +From: Aaron Kling + +[ Upstream commit 398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1 ] + +Kasan crashes the kernel trying to check boundaries when using the +normal memcpy. + +Signed-off-by: Aaron Kling +Link: https://lore.kernel.org/r/20250522-mach-tegra-kasan-v1-1-419041b8addb@gmail.com +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm/mach-tegra/reset.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-tegra/reset.c b/arch/arm/mach-tegra/reset.c +index d5c805adf7a8..ea706fac6358 100644 +--- a/arch/arm/mach-tegra/reset.c ++++ b/arch/arm/mach-tegra/reset.c +@@ -63,7 +63,7 @@ static void __init tegra_cpu_reset_handler_enable(void) + BUG_ON(is_enabled); + BUG_ON(tegra_cpu_reset_handler_size > TEGRA_IRAM_RESET_HANDLER_SIZE); + +- memcpy(iram_base, (void *)__tegra_cpu_reset_handler_start, ++ memcpy_toio(iram_base, (void *)__tegra_cpu_reset_handler_start, + tegra_cpu_reset_handler_size); + + err = call_firmware_op(set_cpu_boot_addr, 0, reset_address); +-- +2.39.5 + diff --git a/queue-6.12/arm64-handle-kcov-__init-vs-inline-mismatches.patch b/queue-6.12/arm64-handle-kcov-__init-vs-inline-mismatches.patch new file mode 100644 index 0000000000..b29c7bd1dd --- /dev/null +++ b/queue-6.12/arm64-handle-kcov-__init-vs-inline-mismatches.patch @@ -0,0 +1,51 @@ +From 85ece30e78906bf0e6ff38c943f909e59faaab24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 22:50:25 -0700 +Subject: arm64: Handle KCOV __init vs inline mismatches + +From: Kees Cook + +[ Upstream commit 65c430906efffee9bd7551d474f01a6b1197df90 ] + +GCC appears to have kind of fragile inlining heuristics, in the +sense that it can change whether or not it inlines something based on +optimizations. It looks like the kcov instrumentation being added (or in +this case, removed) from a function changes the optimization results, +and some functions marked "inline" are _not_ inlined. In that case, +we end up with __init code calling a function not marked __init, and we +get the build warnings I'm trying to eliminate in the coming patch that +adds __no_sanitize_coverage to __init functions: + +WARNING: modpost: vmlinux: section mismatch in reference: acpi_get_enable_method+0x1c (section: .text.unlikely) -> acpi_psci_present (section: .init.text) + +This problem is somewhat fragile (though using either __always_inline +or __init will deterministically solve it), but we've tripped over +this before with GCC and the solution has usually been to just use +__always_inline and move on. + +For arm64 this requires forcing one ACPI function to be inlined with +__always_inline. + +Link: https://lore.kernel.org/r/20250724055029.3623499-1-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/acpi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/acpi.h b/arch/arm64/include/asm/acpi.h +index a407f9cd549e..c07a58b96329 100644 +--- a/arch/arm64/include/asm/acpi.h ++++ b/arch/arm64/include/asm/acpi.h +@@ -150,7 +150,7 @@ acpi_set_mailbox_entry(int cpu, struct acpi_madt_generic_interrupt *processor) + {} + #endif + +-static inline const char *acpi_get_enable_method(int cpu) ++static __always_inline const char *acpi_get_enable_method(int cpu) + { + if (acpi_psci_present()) + return "psci"; +-- +2.39.5 + diff --git a/queue-6.12/arm64-mark-kernel-as-tainted-on-sae-and-serror-panic.patch b/queue-6.12/arm64-mark-kernel-as-tainted-on-sae-and-serror-panic.patch new file mode 100644 index 0000000000..6066bfe804 --- /dev/null +++ b/queue-6.12/arm64-mark-kernel-as-tainted-on-sae-and-serror-panic.patch @@ -0,0 +1,55 @@ +From 6a9e83a59a569ec899abba82adb4dcde85ad32e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 02:42:01 -0700 +Subject: arm64: Mark kernel as tainted on SAE and SError panic + +From: Breno Leitao + +[ Upstream commit d7ce7e3a84642aadf7c4787f7ec4f58eb163d129 ] + +Set TAINT_MACHINE_CHECK when SError or Synchronous External Abort (SEA) +interrupts trigger a panic to flag potential hardware faults. This +tainting mechanism aids in debugging and enables correlation of +hardware-related crashes in large-scale deployments. + +This change aligns with similar patches[1] that mark machine check +events when the system crashes due to hardware errors. + +Link: https://lore.kernel.org/all/20250702-add_tain-v1-1-9187b10914b9@debian.org/ [1] +Signed-off-by: Breno Leitao +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20250716-vmcore_hw_error-v2-1-f187f7d62aba@debian.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/traps.c | 1 + + arch/arm64/mm/fault.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c +index 563cbce11126..e2e8ffa65aa5 100644 +--- a/arch/arm64/kernel/traps.c ++++ b/arch/arm64/kernel/traps.c +@@ -921,6 +921,7 @@ void __noreturn panic_bad_stack(struct pt_regs *regs, unsigned long esr, unsigne + + void __noreturn arm64_serror_panic(struct pt_regs *regs, unsigned long esr) + { ++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK); + console_verbose(); + + pr_crit("SError Interrupt on CPU%d, code 0x%016lx -- %s\n", +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index 850307b49bab..2d1ebc0c3437 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -798,6 +798,7 @@ static int do_sea(unsigned long far, unsigned long esr, struct pt_regs *regs) + */ + siaddr = untagged_addr(far); + } ++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK); + arm64_notify_die(inf->name, regs, inf->sig, inf->code, siaddr, esr); + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/arm64-stacktrace-check-kretprobe_find_ret_addr-retur.patch b/queue-6.12/arm64-stacktrace-check-kretprobe_find_ret_addr-retur.patch new file mode 100644 index 0000000000..6ec7e161df --- /dev/null +++ b/queue-6.12/arm64-stacktrace-check-kretprobe_find_ret_addr-retur.patch @@ -0,0 +1,45 @@ +From b330bc4a7460c7cdc5b3d29cfebcdb139a98dfcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 12:09:59 +0100 +Subject: arm64: stacktrace: Check kretprobe_find_ret_addr() return value + +From: Mark Rutland + +[ Upstream commit beecfd6a88a675e20987e70ec532ba734b230fa4 ] + +If kretprobe_find_ret_addr() fails to find the original return address, +it returns 0. Check for this case so that a reliable stacktrace won't +silently ignore it. + +Signed-off-by: Mark Rutland +Cc: Andrea della Porta +Cc: Breno Leitao +Cc: Josh Poimboeuf +Cc: Miroslav Benes +Cc: Petr Mladek +Cc: Song Liu +Cc: Will Deacon +Reviewed-and-tested-by: Song Liu +Link: https://lore.kernel.org/r/20250521111000.2237470-2-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/stacktrace.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c +index 2729faaee4b4..1d60a08a2184 100644 +--- a/arch/arm64/kernel/stacktrace.c ++++ b/arch/arm64/kernel/stacktrace.c +@@ -123,6 +123,8 @@ kunwind_recover_return_address(struct kunwind_state *state) + orig_pc = kretprobe_find_ret_addr(state->task, + (void *)state->common.fp, + &state->kr_cur); ++ if (!orig_pc) ++ return -EINVAL; + state->common.pc = orig_pc; + } + #endif /* CONFIG_KRETPROBES */ +-- +2.39.5 + diff --git a/queue-6.12/asoc-codecs-rt5640-retry-device_id-verification.patch b/queue-6.12/asoc-codecs-rt5640-retry-device_id-verification.patch new file mode 100644 index 0000000000..5ffe48b2f0 --- /dev/null +++ b/queue-6.12/asoc-codecs-rt5640-retry-device_id-verification.patch @@ -0,0 +1,48 @@ +From 69678ea9f69c081788ef3e5a99e1117cb4dab61c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 16:21:19 +0200 +Subject: ASoC: codecs: rt5640: Retry DEVICE_ID verification +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xinxin Wan + +[ Upstream commit 19f971057b2d7b99c80530ec1052b45de236a8da ] + +To be more resilient to codec-detection failures when the hardware +powers on slowly, add retry mechanism to the device verification check. +Similar pattern is found throughout a number of Realtek codecs. Our +tests show that 60ms delay is sufficient to address readiness issues on +rt5640 chip. + +Reviewed-by: Amadeusz Sławiński +Reviewed-by: Cezary Rojewski +Signed-off-by: Xinxin Wan +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20250530142120.2944095-3-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5640.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c +index 855139348edb..c366ae2275e8 100644 +--- a/sound/soc/codecs/rt5640.c ++++ b/sound/soc/codecs/rt5640.c +@@ -3013,6 +3013,11 @@ static int rt5640_i2c_probe(struct i2c_client *i2c) + } + + regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val); ++ if (val != RT5640_DEVICE_ID) { ++ usleep_range(60000, 100000); ++ regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val); ++ } ++ + if (val != RT5640_DEVICE_ID) { + dev_err(&i2c->dev, + "Device with ID register %#x is not rt5640/39\n", val); +-- +2.39.5 + diff --git a/queue-6.12/asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch b/queue-6.12/asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch new file mode 100644 index 0000000000..368befb302 --- /dev/null +++ b/queue-6.12/asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch @@ -0,0 +1,46 @@ +From 3dd12954a6276b8afce0477210e07c8ebe8dd230 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 11:42:20 +0300 +Subject: ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() + +From: Peter Ujfalusi + +[ Upstream commit 2d91cb261cac6d885954b8f5da28b5c176c18131 ] + +snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will +leads to null pointer dereference. +This was reproduced with topology loading and marking a link as ignore +due to missing hardware component on the system. +On module removal the soc_tplg_remove_link() would call +snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored, +no runtime was created. + +Signed-off-by: Peter Ujfalusi +Reviewed-by: Bard Liao +Reviewed-by: Ranjani Sridharan +Reviewed-by: Liam Girdwood +Reviewed-by: Kai Vehmanen +Link: https://patch.msgid.link/20250619084222.559-3-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index e3c8d4f20b9c..4ac870c2dafa 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1138,6 +1138,9 @@ static int snd_soc_compensate_channel_connection_map(struct snd_soc_card *card, + void snd_soc_remove_pcm_runtime(struct snd_soc_card *card, + struct snd_soc_pcm_runtime *rtd) + { ++ if (!rtd) ++ return; ++ + lockdep_assert_held(&client_mutex); + + /* +-- +2.39.5 + diff --git a/queue-6.12/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch b/queue-6.12/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch new file mode 100644 index 0000000000..1d6d14b7fa --- /dev/null +++ b/queue-6.12/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch @@ -0,0 +1,68 @@ +From b7a58b388520e617b220ca0930a3301fb7b66489 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 17:41:04 +0100 +Subject: ASoC: hdac_hdmi: Rate limit logging on connection and disconnection + +From: Mark Brown + +[ Upstream commit c4ca928a6db1593802cd945f075a7e21dd0430c1 ] + +We currently log parse failures for ELD data and some disconnection events +as errors without rate limiting. These log messages can be triggered very +frequently in some situations, especially ELD parsing when there is nothing +connected to a HDMI port which will generate: + +hdmi-audio-codec hdmi-audio-codec.1.auto: HDMI: Unknown ELD version 0 + +While there's doubtless work that could be done on reducing the number of +connection notification callbacks it's possible these may be legitimately +generated by poor quality physical connections so let's use rate limiting +to mitigate the log spam for the parse errors and lower the severity for +disconnect logging to debug level. + +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20250613-asoc-hdmi-eld-logging-v1-1-76d64154d969@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/hdac_hdmi.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c +index e1a7f0b0c0f3..33c7ba842eee 100644 +--- a/sound/soc/codecs/hdac_hdmi.c ++++ b/sound/soc/codecs/hdac_hdmi.c +@@ -1233,7 +1233,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev, + >> DRM_ELD_VER_SHIFT; + + if (ver != ELD_VER_CEA_861D && ver != ELD_VER_PARTIAL) { +- dev_err(&hdev->dev, "HDMI: Unknown ELD version %d\n", ver); ++ dev_err_ratelimited(&hdev->dev, ++ "HDMI: Unknown ELD version %d\n", ver); + return -EINVAL; + } + +@@ -1241,7 +1242,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev, + DRM_ELD_MNL_MASK) >> DRM_ELD_MNL_SHIFT; + + if (mnl > ELD_MAX_MNL) { +- dev_err(&hdev->dev, "HDMI: MNL Invalid %d\n", mnl); ++ dev_err_ratelimited(&hdev->dev, ++ "HDMI: MNL Invalid %d\n", mnl); + return -EINVAL; + } + +@@ -1300,8 +1302,8 @@ static void hdac_hdmi_present_sense(struct hdac_hdmi_pin *pin, + + if (!port->eld.monitor_present || !port->eld.eld_valid) { + +- dev_err(&hdev->dev, "%s: disconnect for pin:port %d:%d\n", +- __func__, pin->nid, port->id); ++ dev_dbg(&hdev->dev, "%s: disconnect for pin:port %d:%d\n", ++ __func__, pin->nid, port->id); + + /* + * PCMs are not registered during device probe, so don't +-- +2.39.5 + diff --git a/queue-6.12/asoc-intel-avs-fix-uninitialized-pointer-error-in-pr.patch b/queue-6.12/asoc-intel-avs-fix-uninitialized-pointer-error-in-pr.patch new file mode 100644 index 0000000000..db1b6734f6 --- /dev/null +++ b/queue-6.12/asoc-intel-avs-fix-uninitialized-pointer-error-in-pr.patch @@ -0,0 +1,48 @@ +From 768e6b2a3acb11af8df676184509a816d26c6503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Jul 2025 14:49:06 +0200 +Subject: ASoC: Intel: avs: Fix uninitialized pointer error in probe() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit 11f74f48c14c1f4fe16541900ea5944c42e30ccf ] + +If pcim_request_all_regions() fails, error path operates on +uninitialized 'bus' pointer. Found out by Coverity static analyzer. + +Reviewed-by: Amadeusz Sławiński +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20250730124906.351798-1-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/intel/avs/core.c b/sound/soc/intel/avs/core.c +index 82839d0994ee..80b526554bbf 100644 +--- a/sound/soc/intel/avs/core.c ++++ b/sound/soc/intel/avs/core.c +@@ -439,6 +439,8 @@ static int avs_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + adev = devm_kzalloc(dev, sizeof(*adev), GFP_KERNEL); + if (!adev) + return -ENOMEM; ++ bus = &adev->base.core; ++ + ret = avs_bus_init(adev, pci, id); + if (ret < 0) { + dev_err(dev, "failed to init avs bus: %d\n", ret); +@@ -449,7 +451,6 @@ static int avs_pci_probe(struct pci_dev *pci, const struct pci_device_id *id) + if (ret < 0) + return ret; + +- bus = &adev->base.core; + bus->addr = pci_resource_start(pci, 0); + bus->remap_addr = pci_ioremap_bar(pci, 0); + if (!bus->remap_addr) { +-- +2.39.5 + diff --git a/queue-6.12/asoc-qcom-use-drvdata-instead-of-component-to-keep-i.patch b/queue-6.12/asoc-qcom-use-drvdata-instead-of-component-to-keep-i.patch new file mode 100644 index 0000000000..9fa4aafb2a --- /dev/null +++ b/queue-6.12/asoc-qcom-use-drvdata-instead-of-component-to-keep-i.patch @@ -0,0 +1,141 @@ +From 33382d7eed9412ca2de5461e291126d38696f172 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 02:06:48 +0000 +Subject: ASoC: qcom: use drvdata instead of component to keep id + +From: Srinivas Kandagatla + +[ Upstream commit 8167f4f42572818fa8153be2b03e4c2120846603 ] + +Qcom lpass is using component->id to keep DAI ID (A). + +(S) static int lpass_platform_pcmops_open( + sruct snd_soc_component *component, + struct snd_pcm_substream *substream) + { ^^^^^^^^^(B0) + ... +(B1) struct snd_soc_pcm_runtime *soc_runtime = snd_soc_substream_to_rtd(substream); +(B2) struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(soc_runtime, 0); + ... +(B3) unsigned int dai_id = cpu_dai->driver->id; + +(A) component->id = dai_id; + ... + } + +This driver can get dai_id from substream (B0 - B3). +In this driver, below functions get dai_id from component->id (A). + +(X) lpass_platform_pcmops_suspend() +(Y) lpass_platform_pcmops_resume() +(Z) lpass_platform_copy() + +Here, (Z) can get it from substream (B0 - B3), don't need to use +component->id (A). On suspend/resume (X)(Y), dai_id can only be obtained +from component->id (A), because there is no substream (B0) in function +parameter. + +But, component->id (A) itself should not be used for such purpose. +It is intilialized at snd_soc_component_initialize(), and parsed its ID +(= component->id) from device name (a). + + int snd_soc_component_initialize(...) + { + ... + if (!component->name) { +(a) component->name = fmt_single_name(dev, &component->id); + ... ^^^^^^^^^^^^^ + } + ... + } + +Unfortunately, current code is broken to start with. + +There are many regmaps that the driver cares about, however its only +managing one (either dp or i2s) in component suspend/resume path. + +I2S regmap is mandatory however other regmaps are setup based on flags +like "hdmi_port_enable" and "codec_dma_enable". + +Correct thing for suspend/resume path to handle is by checking these +flags, instead of using component->id. + +Signed-off-by: Srinivas Kandagatla +Suggested-by: Kuninori Morimoto +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87a56ouuob.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/lpass-platform.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/sound/soc/qcom/lpass-platform.c b/sound/soc/qcom/lpass-platform.c +index addd2c4bdd3e..b6a33b1f4f7e 100644 +--- a/sound/soc/qcom/lpass-platform.c ++++ b/sound/soc/qcom/lpass-platform.c +@@ -202,7 +202,6 @@ static int lpass_platform_pcmops_open(struct snd_soc_component *component, + struct regmap *map; + unsigned int dai_id = cpu_dai->driver->id; + +- component->id = dai_id; + data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; +@@ -1190,13 +1189,14 @@ static int lpass_platform_pcmops_suspend(struct snd_soc_component *component) + { + struct lpass_data *drvdata = snd_soc_component_get_drvdata(component); + struct regmap *map; +- unsigned int dai_id = component->id; + +- if (dai_id == LPASS_DP_RX) ++ if (drvdata->hdmi_port_enable) { + map = drvdata->hdmiif_map; +- else +- map = drvdata->lpaif_map; ++ regcache_cache_only(map, true); ++ regcache_mark_dirty(map); ++ } + ++ map = drvdata->lpaif_map; + regcache_cache_only(map, true); + regcache_mark_dirty(map); + +@@ -1207,14 +1207,19 @@ static int lpass_platform_pcmops_resume(struct snd_soc_component *component) + { + struct lpass_data *drvdata = snd_soc_component_get_drvdata(component); + struct regmap *map; +- unsigned int dai_id = component->id; ++ int ret; + +- if (dai_id == LPASS_DP_RX) ++ if (drvdata->hdmi_port_enable) { + map = drvdata->hdmiif_map; +- else +- map = drvdata->lpaif_map; ++ regcache_cache_only(map, false); ++ ret = regcache_sync(map); ++ if (ret) ++ return ret; ++ } + ++ map = drvdata->lpaif_map; + regcache_cache_only(map, false); ++ + return regcache_sync(map); + } + +@@ -1224,7 +1229,9 @@ static int lpass_platform_copy(struct snd_soc_component *component, + unsigned long bytes) + { + struct snd_pcm_runtime *rt = substream->runtime; +- unsigned int dai_id = component->id; ++ struct snd_soc_pcm_runtime *soc_runtime = snd_soc_substream_to_rtd(substream); ++ struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(soc_runtime, 0); ++ unsigned int dai_id = cpu_dai->driver->id; + int ret = 0; + + void __iomem *dma_buf = (void __iomem *) (rt->dma_area + pos + +-- +2.39.5 + diff --git a/queue-6.12/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch b/queue-6.12/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch new file mode 100644 index 0000000000..d32dd30ebe --- /dev/null +++ b/queue-6.12/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch @@ -0,0 +1,73 @@ +From b224a4df7dc7b8cc75d37c3680a132639947eab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 02:26:39 +0000 +Subject: ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was + successed + +From: Kuninori Morimoto + +[ Upstream commit f40ecc2743652c0b0f19935f81baf57c601eb7f0 ] + +ASoC has 2 functions to set bias level. + (A) snd_soc_dapm_force_bias_level() + (B) snd_soc_dapm_set_bias_level() + +snd_soc_dapm_force_bias_level() (A) will set dapm->bias_level (a) if +successed. + +(A) int snd_soc_dapm_force_bias_level(...) + { + ... + if (ret == 0) +(a) dapm->bias_level = level; + ... + } + +snd_soc_dapm_set_bias_level() (B) is also a function that sets bias_level. +It will call snd_soc_dapm_force_bias_level() (A) inside, but doesn't +set dapm->bias_level by itself. One note is that (A) might not be called. + +(B) static int snd_soc_dapm_set_bias_level(...) + { + ... + ret = snd_soc_card_set_bias_level(...); + ... + if (dapm != &card->dapm) +(A) ret = snd_soc_dapm_force_bias_level(...); + ... + ret = snd_soc_card_set_bias_level_post(...); + ... + } + +dapm->bias_level will be set if (A) was called, but might not be set +if (B) was called, even though it calles set_bias_level() function. + +We should set dapm->bias_level if we calls +snd_soc_dapm_set_bias_level() (B), too. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87qzyn4g4h.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 99521c784a9b..196799b2fe24 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -740,6 +740,10 @@ static int snd_soc_dapm_set_bias_level(struct snd_soc_dapm_context *dapm, + out: + trace_snd_soc_bias_level_done(dapm, level); + ++ /* success */ ++ if (ret == 0) ++ snd_soc_dapm_init_bias_level(dapm, level); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.12/asoc-sof-topology-parse-the-dapm_widget_tokens-in-ca.patch b/queue-6.12/asoc-sof-topology-parse-the-dapm_widget_tokens-in-ca.patch new file mode 100644 index 0000000000..2a9a6d000e --- /dev/null +++ b/queue-6.12/asoc-sof-topology-parse-the-dapm_widget_tokens-in-ca.patch @@ -0,0 +1,66 @@ +From 594d04e7faf71dced82b4212c395263df0dcba8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 13:26:40 +0300 +Subject: ASoC: SOF: topology: Parse the dapm_widget_tokens in case of DSPless + mode + +From: Peter Ujfalusi + +[ Upstream commit 6b3cb7f4341cbf62d41ccf6ea906dbe66be8aa3d ] + +Parsing the dapm_widget_tokens is also needed for DSPless mode as it is +setting the snd_soc_dapm_widget.no_wname_in_kcontrol_name flag for the +kcontrol creation from DAPM widgets. +Without that flag set, the following warnings might appear because of long +control names: +ALSA: Control name 'eqiir.2.1 Post Mixer Analog Playback IIR Eq bytes' truncated to 'eqiir.2.1 Post Mixer Analog Playback IIR Eq' +ALSA: Control name 'eqfir.2.1 Post Mixer Analog Playback FIR Eq bytes' truncated to 'eqfir.2.1 Post Mixer Analog Playback FIR Eq' +ALSA: Control name 'drc.2.1 Post Mixer Analog Playback DRC bytes' truncated to 'drc.2.1 Post Mixer Analog Playback DRC byte' +ALSA: Control name 'drc.2.1 Post Mixer Analog Playback DRC switch' truncated to 'drc.2.1 Post Mixer Analog Playback DRC swit' +ALSA: Control name 'gain.15.1 Pre Mixer Deepbuffer HDA Analog Volume' truncated to 'gain.15.1 Pre Mixer Deepbuffer HDA Analog V' + +Signed-off-by: Peter Ujfalusi +Reviewed-by: Liam Girdwood +Reviewed-by: Ranjani Sridharan +Link: https://patch.msgid.link/20250619102640.12068-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index f9708b8fd73b..0104257df930 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -2364,14 +2364,25 @@ static int sof_dspless_widget_ready(struct snd_soc_component *scomp, int index, + struct snd_soc_dapm_widget *w, + struct snd_soc_tplg_dapm_widget *tw) + { ++ struct snd_soc_tplg_private *priv = &tw->priv; ++ int ret; ++ ++ /* for snd_soc_dapm_widget.no_wname_in_kcontrol_name */ ++ ret = sof_parse_tokens(scomp, w, dapm_widget_tokens, ++ ARRAY_SIZE(dapm_widget_tokens), ++ priv->array, le32_to_cpu(priv->size)); ++ if (ret < 0) { ++ dev_err(scomp->dev, "failed to parse dapm widget tokens for %s\n", ++ w->name); ++ return ret; ++ } ++ + if (WIDGET_IS_DAI(w->id)) { + static const struct sof_topology_token dai_tokens[] = { + {SOF_TKN_DAI_TYPE, SND_SOC_TPLG_TUPLE_TYPE_STRING, get_token_dai_type, 0}}; + struct snd_sof_dev *sdev = snd_soc_component_get_drvdata(scomp); +- struct snd_soc_tplg_private *priv = &tw->priv; + struct snd_sof_widget *swidget; + struct snd_sof_dai *sdai; +- int ret; + + swidget = kzalloc(sizeof(*swidget), GFP_KERNEL); + if (!swidget) +-- +2.39.5 + diff --git a/queue-6.12/ata-ahci-disable-dipm-if-host-lacks-support.patch b/queue-6.12/ata-ahci-disable-dipm-if-host-lacks-support.patch new file mode 100644 index 0000000000..d146b7aea3 --- /dev/null +++ b/queue-6.12/ata-ahci-disable-dipm-if-host-lacks-support.patch @@ -0,0 +1,56 @@ +From 33010c8dbb89be06b854f38307ab158f53175626 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 21:53:17 +0900 +Subject: ata: ahci: Disable DIPM if host lacks support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Damien Le Moal + +[ Upstream commit f7870e8d345cdabfb94bcbdcba6a07e050f8705e ] + +The AHCI specification version 1.3.1 section 8.3.1.4 (Software +Requirements and Precedence) states that: + +If CAP.SSC or CAP.PSC is cleared to ‘0’, software should disable +device-initiated power management by issuing the appropriate SET +FEATURES command to the device. + +To satisfy this constraint and force ata_dev_configure to disable the +device DIPM feature, modify ahci_update_initial_lpm_policy() to set the +ATA_FLAG_NO_DIPM flag on ports that have a host with either the +ATA_HOST_NO_PART flag set or the ATA_HOST_NO_SSC flag set. + +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Hannes Reinecke +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20250701125321.69496-7-dlemoal@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 61d34ca0d9f4..944e44caa260 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -1781,6 +1781,13 @@ static void ahci_update_initial_lpm_policy(struct ata_port *ap) + return; + } + ++ /* If no Partial or no Slumber, we cannot support DIPM. */ ++ if ((ap->host->flags & ATA_HOST_NO_PART) || ++ (ap->host->flags & ATA_HOST_NO_SSC)) { ++ ata_port_dbg(ap, "Host does not support DIPM\n"); ++ ap->flags |= ATA_FLAG_NO_DIPM; ++ } ++ + /* If no LPM states are supported by the HBA, do not bother with LPM */ + if ((ap->host->flags & ATA_HOST_NO_PART) && + (ap->host->flags & ATA_HOST_NO_SSC) && +-- +2.39.5 + diff --git a/queue-6.12/ata-ahci-disallow-lpm-policy-control-if-not-supporte.patch b/queue-6.12/ata-ahci-disallow-lpm-policy-control-if-not-supporte.patch new file mode 100644 index 0000000000..995cad0cd4 --- /dev/null +++ b/queue-6.12/ata-ahci-disallow-lpm-policy-control-if-not-supporte.patch @@ -0,0 +1,55 @@ +From a02a0d76a6bd3a2a5aa9874c0af3a87f400e681c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 21:53:19 +0900 +Subject: ata: ahci: Disallow LPM policy control if not supported + +From: Damien Le Moal + +[ Upstream commit 65b2c92f69d3df81422d27e5be012e357e733241 ] + +Commit fa997b0576c9 ("ata: ahci: Do not enable LPM if no LPM states are +supported by the HBA") introduced an early return in +ahci_update_initial_lpm_policy() to ensure that the target_lpm_policy +of ports belonging to a host that does not support the Partial, Slumber +and DevSleep power states is unchanged and remains set to +ATA_LPM_UNKNOWN and thus prevents the execution of +ata_eh_link_set_lpm(). + +However, a user or a system daemon (e.g. systemd-udevd) may still +attempt changing the LPM policy through the sysfs +link_power_management_policy of the host. + +Improve this to prevent sysfs LPM policy changes by setting the flag +ATA_FLAG_NO_LPM for the port of such host, and initialize the port +target_lpm_policy to ATA_LPM_MAX_POWER to guarantee that no unsupported +low power state is being used on the port and its link. + +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Niklas Cassel +Link: https://lore.kernel.org/r/20250701125321.69496-9-dlemoal@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index a6a66d794763..61d34ca0d9f4 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -1785,7 +1785,10 @@ static void ahci_update_initial_lpm_policy(struct ata_port *ap) + if ((ap->host->flags & ATA_HOST_NO_PART) && + (ap->host->flags & ATA_HOST_NO_SSC) && + (ap->host->flags & ATA_HOST_NO_DEVSLP)) { +- ata_port_dbg(ap, "no LPM states supported, not enabling LPM\n"); ++ ata_port_dbg(ap, ++ "No LPM states supported, forcing LPM max_power\n"); ++ ap->flags |= ATA_FLAG_NO_LPM; ++ ap->target_lpm_policy = ATA_LPM_MAX_POWER; + return; + } + +-- +2.39.5 + diff --git a/queue-6.12/ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch b/queue-6.12/ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch new file mode 100644 index 0000000000..39c4a242cc --- /dev/null +++ b/queue-6.12/ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch @@ -0,0 +1,42 @@ +From 06135c1040c677cf25058802cb7057b871f09d58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 21:53:16 +0900 +Subject: ata: libata-sata: Disallow changing LPM state if not supported + +From: Damien Le Moal + +[ Upstream commit 413e800cadbf67550d76c77c230b2ecd96bce83a ] + +Modify ata_scsi_lpm_store() to return an error if a user attempts to set +a link power management policy for a port that does not support LPM, +that is, ports flagged with ATA_FLAG_NO_LPM. + +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20250701125321.69496-6-dlemoal@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sata.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c +index a7442dc0bd8e..f1e8dbc2d564 100644 +--- a/drivers/ata/libata-sata.c ++++ b/drivers/ata/libata-sata.c +@@ -924,6 +924,11 @@ static ssize_t ata_scsi_lpm_store(struct device *device, + + spin_lock_irqsave(ap->lock, flags); + ++ if (ap->flags & ATA_FLAG_NO_LPM) { ++ count = -EOPNOTSUPP; ++ goto out_unlock; ++ } ++ + ata_for_each_link(link, ap, EDGE) { + ata_for_each_dev(dev, &ap->link, ENABLED) { + if (dev->quirks & ATA_QUIRK_NOLPM) { +-- +2.39.5 + diff --git a/queue-6.12/be2net-use-correct-byte-order-and-format-string-for-.patch b/queue-6.12/be2net-use-correct-byte-order-and-format-string-for-.patch new file mode 100644 index 0000000000..66fa99955e --- /dev/null +++ b/queue-6.12/be2net-use-correct-byte-order-and-format-string-for-.patch @@ -0,0 +1,53 @@ +From 08e76d285370fa94c773fa6ee3ecac1e80cff37c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 12:35:47 -0700 +Subject: be2net: Use correct byte order and format string for TCP seq and + ack_seq + +From: Alok Tiwari + +[ Upstream commit 4701ee5044fb3992f1c910630a9673c2dc600ce5 ] + +The TCP header fields seq and ack_seq are 32-bit values in network +byte order as (__be32). these fields were earlier printed using +ntohs(), which converts only 16-bit values and produces incorrect +results for 32-bit fields. This patch is changeing the conversion +to ntohl(), ensuring correct interpretation of these sequence numbers. + +Notably, the format specifier is updated from %d to %u to reflect the +unsigned nature of these fields. + +improves the accuracy of debug log messages for TCP sequence and +acknowledgment numbers during TX timeouts. + +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250717193552.3648791-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 3d2e21592119..490af6659429 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1465,10 +1465,10 @@ static void be_tx_timeout(struct net_device *netdev, unsigned int txqueue) + ntohs(tcphdr->source)); + dev_info(dev, "TCP dest port %d\n", + ntohs(tcphdr->dest)); +- dev_info(dev, "TCP sequence num %d\n", +- ntohs(tcphdr->seq)); +- dev_info(dev, "TCP ack_seq %d\n", +- ntohs(tcphdr->ack_seq)); ++ dev_info(dev, "TCP sequence num %u\n", ++ ntohl(tcphdr->seq)); ++ dev_info(dev, "TCP ack_seq %u\n", ++ ntohl(tcphdr->ack_seq)); + } else if (ip_hdr(skb)->protocol == + IPPROTO_UDP) { + udphdr = udp_hdr(skb); +-- +2.39.5 + diff --git a/queue-6.12/better-lockdep-annotations-for-simple_recursive_remo.patch b/queue-6.12/better-lockdep-annotations-for-simple_recursive_remo.patch new file mode 100644 index 0000000000..d972112401 --- /dev/null +++ b/queue-6.12/better-lockdep-annotations-for-simple_recursive_remo.patch @@ -0,0 +1,57 @@ +From 77d22e486633435f8fce877b900cd5f4d8400f99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 22:30:32 -0400 +Subject: better lockdep annotations for simple_recursive_removal() + +From: Al Viro + +[ Upstream commit 2a8061ee5e41034eb14170ec4517b5583dbeff9f ] + +We want a class that nests outside of I_MUTEX_NORMAL (for the sake of +callbacks that might want to lock the victim) and inside I_MUTEX_PARENT +(so that a variant of that could be used with parent of the victim +held locked by the caller). + +In reality, simple_recursive_removal() + * never holds two locks at once + * holds the lock on parent of dentry passed to callback + * is used only on the trees with fixed topology, so the depths +are not changing. + +So the locking order is actually fine. + +AFAICS, the best solution is to assign I_MUTEX_CHILD to the locks +grabbed by that thing. + +Reported-by: syzbot+169de184e9defe7fe709@syzkaller.appspotmail.com +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/libfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/libfs.c b/fs/libfs.c +index 3cb49463a849..874324167849 100644 +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -608,7 +608,7 @@ void simple_recursive_removal(struct dentry *dentry, + struct dentry *victim = NULL, *child; + struct inode *inode = this->d_inode; + +- inode_lock(inode); ++ inode_lock_nested(inode, I_MUTEX_CHILD); + if (d_is_dir(this)) + inode->i_flags |= S_DEAD; + while ((child = find_next_child(this, victim)) == NULL) { +@@ -620,7 +620,7 @@ void simple_recursive_removal(struct dentry *dentry, + victim = this; + this = this->d_parent; + inode = this->d_inode; +- inode_lock(inode); ++ inode_lock_nested(inode, I_MUTEX_CHILD); + if (simple_positive(victim)) { + d_invalidate(victim); // avoid lost mounts + if (d_is_dir(victim)) +-- +2.39.5 + diff --git a/queue-6.12/block-avoid-possible-overflow-for-chunk_sectors-chec.patch b/queue-6.12/block-avoid-possible-overflow-for-chunk_sectors-chec.patch new file mode 100644 index 0000000000..97c2fbc5f0 --- /dev/null +++ b/queue-6.12/block-avoid-possible-overflow-for-chunk_sectors-chec.patch @@ -0,0 +1,44 @@ +From 492adcdd86622ffceca45953e74dc7fb1e6a821f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jul 2025 09:14:47 +0000 +Subject: block: avoid possible overflow for chunk_sectors check in + blk_stack_limits() + +From: John Garry + +[ Upstream commit 448dfecc7ff807822ecd47a5c052acedca7d09e8 ] + +In blk_stack_limits(), we check that the t->chunk_sectors value is a +multiple of the t->physical_block_size value. + +However, by finding the chunk_sectors value in bytes, we may overflow +the unsigned int which holds chunk_sectors, so change the check to be +based on sectors. + +Reviewed-by: Hannes Reinecke +Reviewed-by: Martin K. Petersen +Signed-off-by: John Garry +Reviewed-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250729091448.1691334-2-john.g.garry@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-settings.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-settings.c b/block/blk-settings.c +index 22ce7fa4fe20..9ae3eee4b5ae 100644 +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -623,7 +623,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b, + } + + /* chunk_sectors a multiple of the physical block size? */ +- if ((t->chunk_sectors << 9) & (t->physical_block_size - 1)) { ++ if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)) { + t->chunk_sectors = 0; + t->flags |= BLK_FLAG_MISALIGNED; + ret = -1; +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-btusb-add-new-vid-pid-0489-e14e-for-mt7925.patch b/queue-6.12/bluetooth-btusb-add-new-vid-pid-0489-e14e-for-mt7925.patch new file mode 100644 index 0000000000..d583da9135 --- /dev/null +++ b/queue-6.12/bluetooth-btusb-add-new-vid-pid-0489-e14e-for-mt7925.patch @@ -0,0 +1,77 @@ +From 748defc59d06514fa11149b5ec8a25db16c47440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 14:36:06 +0800 +Subject: Bluetooth: btusb: Add new VID/PID 0489/e14e for MT7925 + +From: En-Wei Wu + +[ Upstream commit 942873c8137fe0015ab37f62f159d88079859c5e ] + +Add VID 0489 & PID e14e for MediaTek MT7925 USB Bluetooth chip. + +The information in /sys/kernel/debug/usb/devices about the Bluetooth +device is listed as the below. + +T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=03 Dev#= 4 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e14e Rev= 1.00 +S: Manufacturer=MediaTek Inc. +S: Product=Wireless_Device +S: SerialNumber=000000000 +C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=100mA +A: FirstIf#= 0 IfCount= 3 Cls=e0(wlcon) Sub=01 Prot=01 +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=125us +E: Ad=0a(O) Atr=03(Int.) MxPS= 64 Ivl=125us +I:* If#= 2 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=8a(I) Atr=03(Int.) MxPS= 512 Ivl=125us +E: Ad=0a(O) Atr=03(Int.) MxPS= 512 Ivl=125us + +Signed-off-by: En-Wei Wu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 1d2e85b41820..d7aaaeb4fe32 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -702,6 +702,8 @@ static const struct usb_device_id quirks_table[] = { + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0489, 0xe139), .driver_info = BTUSB_MEDIATEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x0489, 0xe14e), .driver_info = BTUSB_MEDIATEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0489, 0xe14f), .driver_info = BTUSB_MEDIATEK | + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0489, 0xe150), .driver_info = BTUSB_MEDIATEK | +-- +2.39.5 + diff --git a/queue-6.12/bluetooth-hci_sock-reset-cookie-to-zero-in-hci_sock_.patch b/queue-6.12/bluetooth-hci_sock-reset-cookie-to-zero-in-hci_sock_.patch new file mode 100644 index 0000000000..3167a1ed1b --- /dev/null +++ b/queue-6.12/bluetooth-hci_sock-reset-cookie-to-zero-in-hci_sock_.patch @@ -0,0 +1,42 @@ +From 86bc02aa1fae6a31c35c4a429710360713560032 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 20:31:16 +0800 +Subject: Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie() + +From: Zijun Hu + +[ Upstream commit 4d7936e8a5b1fa803f4a631d2da4a80fa4f0f37f ] + +Reset cookie value to 0 instead of 0xffffffff in hci_sock_free_cookie() +since: +0 : means cookie has not been assigned yet +0xffffffff: means cookie assignment failure + +Also fix generating cookie failure with usage shown below: +hci_sock_gen_cookie(sk) // generate cookie +hci_sock_free_cookie(sk) // free cookie +hci_sock_gen_cookie(sk) // Can't generate cookie any more + +Signed-off-by: Zijun Hu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 022b86797acd..4ad5296d7934 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -118,7 +118,7 @@ static void hci_sock_free_cookie(struct sock *sk) + int id = hci_pi(sk)->cookie; + + if (id) { +- hci_pi(sk)->cookie = 0xffffffff; ++ hci_pi(sk)->cookie = 0; + ida_free(&sock_cookie_ida, id); + } + } +-- +2.39.5 + diff --git a/queue-6.12/bootconfig-fix-unaligned-access-when-building-footer.patch b/queue-6.12/bootconfig-fix-unaligned-access-when-building-footer.patch new file mode 100644 index 0000000000..4f1512cd00 --- /dev/null +++ b/queue-6.12/bootconfig-fix-unaligned-access-when-building-footer.patch @@ -0,0 +1,84 @@ +From 7374e988eb9d1da10f80713f4bad10891ef26016 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 12:49:25 +0200 +Subject: bootconfig: Fix unaligned access when building footer + +From: Ben Hutchings + +[ Upstream commit 6ed5e20466c79e3b3350bae39f678f73cf564b4e ] + +Currently we add padding between the bootconfig text and footer to +ensure that the footer is aligned within the initramfs image. +However, because only the bootconfig data is held in memory, not the +full initramfs image, the footer may not be naturally aligned in +memory. + +This can result in an alignment fault (SIGBUS) when writing the footer +on some architectures, such as sparc. + +Build the footer in a struct on the stack before adding it to the +buffer. + +References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sparc64&ver=6.16%7Erc7-1%7Eexp1&stamp=1753209801&raw=0 +Link: https://lore.kernel.org/all/aIC-NTw-cdm9ZGFw@decadent.org.uk/ + +Signed-off-by: Ben Hutchings +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + tools/bootconfig/main.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c +index 8a48cc2536f5..dce2d6ffcca5 100644 +--- a/tools/bootconfig/main.c ++++ b/tools/bootconfig/main.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #include + +@@ -359,7 +360,12 @@ static int delete_xbc(const char *path) + + static int apply_xbc(const char *path, const char *xbc_path) + { +- char *buf, *data, *p; ++ struct { ++ uint32_t size; ++ uint32_t csum; ++ char magic[BOOTCONFIG_MAGIC_LEN]; ++ } footer; ++ char *buf, *data; + size_t total_size; + struct stat stat; + const char *msg; +@@ -430,17 +436,13 @@ static int apply_xbc(const char *path, const char *xbc_path) + size += pad; + + /* Add a footer */ +- p = data + size; +- *(uint32_t *)p = htole32(size); +- p += sizeof(uint32_t); ++ footer.size = htole32(size); ++ footer.csum = htole32(csum); ++ memcpy(footer.magic, BOOTCONFIG_MAGIC, BOOTCONFIG_MAGIC_LEN); ++ static_assert(sizeof(footer) == BOOTCONFIG_FOOTER_SIZE); ++ memcpy(data + size, &footer, BOOTCONFIG_FOOTER_SIZE); + +- *(uint32_t *)p = htole32(csum); +- p += sizeof(uint32_t); +- +- memcpy(p, BOOTCONFIG_MAGIC, BOOTCONFIG_MAGIC_LEN); +- p += BOOTCONFIG_MAGIC_LEN; +- +- total_size = p - data; ++ total_size = size + BOOTCONFIG_FOOTER_SIZE; + + ret = write(fd, data, total_size); + if (ret < total_size) { +-- +2.39.5 + diff --git a/queue-6.12/bpf-forget-ranges-when-refining-tnum-after-jset.patch b/queue-6.12/bpf-forget-ranges-when-refining-tnum-after-jset.patch new file mode 100644 index 0000000000..1249bfd112 --- /dev/null +++ b/queue-6.12/bpf-forget-ranges-when-refining-tnum-after-jset.patch @@ -0,0 +1,67 @@ +From 5f1ff91da95f6b93a92aaf418712fa323ce77381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 20:20:53 +0200 +Subject: bpf: Forget ranges when refining tnum after JSET + +From: Paul Chaignon + +[ Upstream commit 6279846b9b2532e1b04559ef8bd0dec049f29383 ] + +Syzbot reported a kernel warning due to a range invariant violation on +the following BPF program. + + 0: call bpf_get_netns_cookie + 1: if r0 == 0 goto + 2: if r0 & Oxffffffff goto + +The issue is on the path where we fall through both jumps. + +That path is unreachable at runtime: after insn 1, we know r0 != 0, but +with the sign extension on the jset, we would only fallthrough insn 2 +if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to +figure this out, so the verifier walks all branches. The verifier then +refines the register bounds using the second condition and we end +up with inconsistent bounds on this unreachable path: + + 1: if r0 == 0 goto + r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff) + 2: if r0 & 0xffffffff goto + r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0) + r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0) + +Improving the range refinement for JSET to cover all cases is tricky. We +also don't expect many users to rely on JSET given LLVM doesn't generate +those instructions. So instead of improving the range refinement for +JSETs, Eduard suggested we forget the ranges whenever we're narrowing +tnums after a JSET. This patch implements that approach. + +Reported-by: syzbot+c711ce17dd78e5d4fdcf@syzkaller.appspotmail.com +Suggested-by: Eduard Zingerman +Acked-by: Yonghong Song +Acked-by: Eduard Zingerman +Signed-off-by: Paul Chaignon +Link: https://lore.kernel.org/r/9d4fd6432a095d281f815770608fdcd16028ce0b.1752171365.git.paul.chaignon@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 531412c5103d..b880dea7d858 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -15052,6 +15052,10 @@ static void regs_refine_cond_op(struct bpf_reg_state *reg1, struct bpf_reg_state + if (!is_reg_const(reg2, is_jmp32)) + break; + val = reg_const_value(reg2, is_jmp32); ++ /* Forget the ranges before narrowing tnums, to avoid invariant ++ * violations if we're on a dead branch. ++ */ ++ __mark_reg_unbounded(reg1); + if (is_jmp32) { + t = tnum_and(tnum_subreg(reg1->var_off), tnum_const(~val)); + reg1->var_off = tnum_with_subreg(reg1->var_off, t); +-- +2.39.5 + diff --git a/queue-6.12/bpf-make-reg_not_null-true-for-const_ptr_to_map.patch b/queue-6.12/bpf-make-reg_not_null-true-for-const_ptr_to_map.patch new file mode 100644 index 0000000000..5eeca5afbd --- /dev/null +++ b/queue-6.12/bpf-make-reg_not_null-true-for-const_ptr_to_map.patch @@ -0,0 +1,65 @@ +From 3aa1f93e86dc0d719a9ddb4f9380860c546d8ac2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 11:30:22 -0700 +Subject: bpf: Make reg_not_null() true for CONST_PTR_TO_MAP + +From: Ihor Solodrai + +[ Upstream commit 5534e58f2e9bd72b253d033ee0af6e68eb8ac96b ] + +When reg->type is CONST_PTR_TO_MAP, it can not be null. However the +verifier explores the branches under rX == 0 in check_cond_jmp_op() +even if reg->type is CONST_PTR_TO_MAP, because it was not checked for +in reg_not_null(). + +Fix this by adding CONST_PTR_TO_MAP to the set of types that are +considered non nullable in reg_not_null(). + +An old "unpriv: cmp map pointer with zero" selftest fails with this +change, because now early out correctly triggers in +check_cond_jmp_op(), making the verification to pass. + +In practice verifier may allow pointer to null comparison in unpriv, +since in many cases the relevant branch and comparison op are removed +as dead code. So change the expected test result to __success_unpriv. + +Signed-off-by: Ihor Solodrai +Signed-off-by: Andrii Nakryiko +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250609183024.359974-2-isolodrai@meta.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 3 ++- + tools/testing/selftests/bpf/progs/verifier_unpriv.c | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index b880dea7d858..24ae8f33e5d7 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -400,7 +400,8 @@ static bool reg_not_null(const struct bpf_reg_state *reg) + type == PTR_TO_MAP_KEY || + type == PTR_TO_SOCK_COMMON || + (type == PTR_TO_BTF_ID && is_trusted_reg(reg)) || +- type == PTR_TO_MEM; ++ type == PTR_TO_MEM || ++ type == CONST_PTR_TO_MAP; + } + + static struct btf_record *reg_btf_record(const struct bpf_reg_state *reg) +diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c +index 7ea535bfbacd..e4ef82a6ee38 100644 +--- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c ++++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c +@@ -619,7 +619,7 @@ __naked void pass_pointer_to_tail_call(void) + + SEC("socket") + __description("unpriv: cmp map pointer with zero") +-__success __failure_unpriv __msg_unpriv("R1 pointer comparison") ++__success __success_unpriv + __retval(0) + __naked void cmp_map_pointer_with_zero(void) + { +-- +2.39.5 + diff --git a/queue-6.12/bpftool-fix-json-writer-resource-leak-in-version-com.patch b/queue-6.12/bpftool-fix-json-writer-resource-leak-in-version-com.patch new file mode 100644 index 0000000000..7b27ce79f5 --- /dev/null +++ b/queue-6.12/bpftool-fix-json-writer-resource-leak-in-version-com.patch @@ -0,0 +1,46 @@ +From 0448edba526a5812831aabb461526669a1fd8160 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 09:24:42 -0400 +Subject: bpftool: Fix JSON writer resource leak in version command + +From: Yuan Chen + +[ Upstream commit 85cd83fed8267cde0dd1cea719808aad95ae4de7 ] + +When using `bpftool --version -j/-p`, the JSON writer object +created in do_version() was not properly destroyed after use. +This caused a memory leak each time the version command was +executed with JSON output. + +Fix: 004b45c0e51a (tools: bpftool: provide JSON output for all possible commands) + +Suggested-by: Quentin Monnet +Signed-off-by: Yuan Chen +Signed-off-by: Andrii Nakryiko +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20250617132442.9998-1-chenyuan_fl@163.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c +index 08d0ac543c67..a0536528dfde 100644 +--- a/tools/bpf/bpftool/main.c ++++ b/tools/bpf/bpftool/main.c +@@ -534,9 +534,9 @@ int main(int argc, char **argv) + usage(); + + if (version_requested) +- return do_version(argc, argv); +- +- ret = cmd_select(commands, argc, argv, do_help); ++ ret = do_version(argc, argv); ++ else ++ ret = cmd_select(commands, argc, argv, do_help); + + if (json_output) + jsonw_destroy(&json_wtr); +-- +2.39.5 + diff --git a/queue-6.12/can-ti_hecc-fix-woverflow-compiler-warning.patch b/queue-6.12/can-ti_hecc-fix-woverflow-compiler-warning.patch new file mode 100644 index 0000000000..33787d0062 --- /dev/null +++ b/queue-6.12/can-ti_hecc-fix-woverflow-compiler-warning.patch @@ -0,0 +1,40 @@ +From 3699d261e0486141908515209bb05d23ed4d79b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 20:28:11 +0900 +Subject: can: ti_hecc: fix -Woverflow compiler warning + +From: Vincent Mailhol + +[ Upstream commit 7cae4d04717b002cffe41169da3f239c845a0723 ] + +Fix below default (W=0) warning: + + drivers/net/can/ti_hecc.c: In function 'ti_hecc_start': + drivers/net/can/ti_hecc.c:386:20: warning: conversion from 'long unsigned int' to 'u32' {aka 'unsigned int'} changes value from '18446744073709551599' to '4294967279' [-Woverflow] + 386 | mbx_mask = ~BIT(HECC_RX_LAST_MBOX); + | ^ + +Signed-off-by: Vincent Mailhol +Link: https://patch.msgid.link/20250715-can-compile-test-v2-1-f7fd566db86f@wanadoo.fr +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/ti_hecc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c +index 644e8b8eb91e..e6d6661a908a 100644 +--- a/drivers/net/can/ti_hecc.c ++++ b/drivers/net/can/ti_hecc.c +@@ -383,7 +383,7 @@ static void ti_hecc_start(struct net_device *ndev) + * overflows instead of the hardware silently dropping the + * messages. + */ +- mbx_mask = ~BIT(HECC_RX_LAST_MBOX); ++ mbx_mask = ~BIT_U32(HECC_RX_LAST_MBOX); + hecc_write(priv, HECC_CANOPC, mbx_mask); + + /* Enable interrupts */ +-- +2.39.5 + diff --git a/queue-6.12/char-misc-fix-improper-and-inaccurate-error-code-ret.patch b/queue-6.12/char-misc-fix-improper-and-inaccurate-error-code-ret.patch new file mode 100644 index 0000000000..90ec4231cf --- /dev/null +++ b/queue-6.12/char-misc-fix-improper-and-inaccurate-error-code-ret.patch @@ -0,0 +1,43 @@ +From 57878c151f4b470ed2ee603260b14ee2a204c910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 22:35:20 +0800 +Subject: char: misc: Fix improper and inaccurate error code returned by + misc_init() + +From: Zijun Hu + +[ Upstream commit 0ef1fe4bc38673db72e39b700b29c50dfcc5a415 ] + +misc_init() returns -EIO for __register_chrdev() invocation failure, but: + +- -EIO is for I/O error normally, but __register_chrdev() does not do I/O. +- -EIO can not cover various error codes returned by __register_chrdev(). + +Fix by returning error code of __register_chrdev(). + +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250620-fix_mischar-v1-3-6c2716bbf1fa@oss.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/misc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/misc.c b/drivers/char/misc.c +index dda466f9181a..30178e20d962 100644 +--- a/drivers/char/misc.c ++++ b/drivers/char/misc.c +@@ -314,8 +314,8 @@ static int __init misc_init(void) + if (err) + goto fail_remove; + +- err = -EIO; +- if (__register_chrdev(MISC_MAJOR, 0, MINORMASK + 1, "misc", &misc_fops)) ++ err = __register_chrdev(MISC_MAJOR, 0, MINORMASK + 1, "misc", &misc_fops); ++ if (err < 0) + goto fail_printk; + return 0; + +-- +2.39.5 + diff --git a/queue-6.12/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch b/queue-6.12/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch new file mode 100644 index 0000000000..1d7e695274 --- /dev/null +++ b/queue-6.12/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch @@ -0,0 +1,60 @@ +From be97629e8bbb7d6da8a23f281a5f9d488e85fccb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 20:54:11 +0100 +Subject: cifs: Fix calling CIFSFindFirst() for root path without msearch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit b460249b9a1dab7a9f58483e5349d045ad6d585c ] + +To query root path (without msearch wildcard) it is needed to +send pattern '\' instead of '' (empty string). + +This allows to use CIFSFindFirst() to query information about root path +which is being used in followup changes. + +This change fixes the stat() syscall called on the root path on the mount. +It is because stat() syscall uses the cifs_query_path_info() function and +it can fallback to the CIFSFindFirst() usage with msearch=false. + +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifssmb.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c +index e3d9367eaec3..8a257cb29c95 100644 +--- a/fs/smb/client/cifssmb.c ++++ b/fs/smb/client/cifssmb.c +@@ -4028,6 +4028,12 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon, + pSMB->FileName[name_len] = 0; + pSMB->FileName[name_len+1] = 0; + name_len += 2; ++ } else if (!searchName[0]) { ++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb); ++ pSMB->FileName[1] = 0; ++ pSMB->FileName[2] = 0; ++ pSMB->FileName[3] = 0; ++ name_len = 4; + } + } else { + name_len = copy_path_name(pSMB->FileName, searchName); +@@ -4039,6 +4045,10 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon, + pSMB->FileName[name_len] = '*'; + pSMB->FileName[name_len+1] = 0; + name_len += 2; ++ } else if (!searchName[0]) { ++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb); ++ pSMB->FileName[1] = 0; ++ name_len = 2; + } + } + +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-ipq5018-keep-xo-clock-always-on.patch b/queue-6.12/clk-qcom-ipq5018-keep-xo-clock-always-on.patch new file mode 100644 index 0000000000..90af72d9cc --- /dev/null +++ b/queue-6.12/clk-qcom-ipq5018-keep-xo-clock-always-on.patch @@ -0,0 +1,37 @@ +From cb6774ca507d3177f05f885a82c69392d539f483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 16:36:08 +0400 +Subject: clk: qcom: ipq5018: keep XO clock always on + +From: George Moussalem + +[ Upstream commit 693a723291d0634eaea24cff2f9d807f3223f204 ] + +The XO clock must not be disabled to avoid the kernel trying to disable +the it. As such, keep the XO clock always on by flagging it as critical. + +Signed-off-by: George Moussalem +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250516-ipq5018-cmn-pll-v4-1-389a6b30e504@outlook.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-ipq5018.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/gcc-ipq5018.c b/drivers/clk/qcom/gcc-ipq5018.c +index 70f5dcb96700..24eb4c40da63 100644 +--- a/drivers/clk/qcom/gcc-ipq5018.c ++++ b/drivers/clk/qcom/gcc-ipq5018.c +@@ -1371,7 +1371,7 @@ static struct clk_branch gcc_xo_clk = { + &gcc_xo_clk_src.clkr.hw, + }, + .num_parents = 1, +- .flags = CLK_SET_RATE_PARENT, ++ .flags = CLK_SET_RATE_PARENT | CLK_IS_CRITICAL, + .ops = &clk_branch2_ops, + }, + }, +-- +2.39.5 + diff --git a/queue-6.12/clk-renesas-rzg2l-postpone-updating-priv-clks.patch b/queue-6.12/clk-renesas-rzg2l-postpone-updating-priv-clks.patch new file mode 100644 index 0000000000..564bd9f609 --- /dev/null +++ b/queue-6.12/clk-renesas-rzg2l-postpone-updating-priv-clks.patch @@ -0,0 +1,53 @@ +From ebfe08cff5a8a6f1ffebba0033c7fd6478e229ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 12:04:08 +0300 +Subject: clk: renesas: rzg2l: Postpone updating priv->clks[] + +From: Claudiu Beznea + +[ Upstream commit 2f96afdffad4ef74e3c511207058c41c54a2d014 ] + +Since the sibling data is filled after the priv->clks[] array entry is +populated, the first clock that is probed and has a sibling will +temporarily behave as its own sibling until its actual sibling is +populated. To avoid any issues, postpone updating priv->clks[] until after +the sibling is populated. + +Signed-off-by: Claudiu Beznea +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250514090415.4098534-2-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/rzg2l-cpg.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c +index 97d42328fa81..e2ecc9d36e05 100644 +--- a/drivers/clk/renesas/rzg2l-cpg.c ++++ b/drivers/clk/renesas/rzg2l-cpg.c +@@ -1398,10 +1398,6 @@ rzg2l_cpg_register_mod_clk(const struct rzg2l_mod_clk *mod, + goto fail; + } + +- clk = clock->hw.clk; +- dev_dbg(dev, "Module clock %pC at %lu Hz\n", clk, clk_get_rate(clk)); +- priv->clks[id] = clk; +- + if (mod->is_coupled) { + struct mstp_clock *sibling; + +@@ -1413,6 +1409,10 @@ rzg2l_cpg_register_mod_clk(const struct rzg2l_mod_clk *mod, + } + } + ++ clk = clock->hw.clk; ++ dev_dbg(dev, "Module clock %pC at %lu Hz\n", clk, clk_get_rate(clk)); ++ priv->clks[id] = clk; ++ + return; + + fail: +-- +2.39.5 + diff --git a/queue-6.12/clk-tegra-periph-fix-error-handling-and-resolve-unsi.patch b/queue-6.12/clk-tegra-periph-fix-error-handling-and-resolve-unsi.patch new file mode 100644 index 0000000000..3cf5ef0015 --- /dev/null +++ b/queue-6.12/clk-tegra-periph-fix-error-handling-and-resolve-unsi.patch @@ -0,0 +1,53 @@ +From bec21d61bc6968e35a58fbcc67e380f263acf493 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 15:37:13 +0800 +Subject: clk: tegra: periph: Fix error handling and resolve unsigned compare + warning + +From: Pei Xiao + +[ Upstream commit 2dc2ca9000eea2eb749f658196204cb84d4306f7 ] + +./drivers/clk/tegra/clk-periph.c:59:5-9: WARNING: + Unsigned expression compared with zero: rate < 0 + +The unsigned long 'rate' variable caused: +- Incorrect handling of negative errors +- Compile warning: "Unsigned expression compared with zero" + +Fix by changing to long type and adding req->rate cast. + +Signed-off-by: Pei Xiao +Link: https://lore.kernel.org/r/79c7f01e29876c612e90d6d0157fb1572ca8b3fb.1752046270.git.xiaopei01@kylinos.cn +Acked-by: Thierry Reding +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-periph.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/tegra/clk-periph.c b/drivers/clk/tegra/clk-periph.c +index 0626650a7011..c9fc52a36fce 100644 +--- a/drivers/clk/tegra/clk-periph.c ++++ b/drivers/clk/tegra/clk-periph.c +@@ -51,7 +51,7 @@ static int clk_periph_determine_rate(struct clk_hw *hw, + struct tegra_clk_periph *periph = to_clk_periph(hw); + const struct clk_ops *div_ops = periph->div_ops; + struct clk_hw *div_hw = &periph->divider.hw; +- unsigned long rate; ++ long rate; + + __clk_hw_set_clk(div_hw, hw); + +@@ -59,7 +59,7 @@ static int clk_periph_determine_rate(struct clk_hw *hw, + if (rate < 0) + return rate; + +- req->rate = rate; ++ req->rate = (unsigned long)rate; + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/clk-thead-mark-essential-bus-clocks-as-clk_ignore_un.patch b/queue-6.12/clk-thead-mark-essential-bus-clocks-as-clk_ignore_un.patch new file mode 100644 index 0000000000..e6800877a9 --- /dev/null +++ b/queue-6.12/clk-thead-mark-essential-bus-clocks-as-clk_ignore_un.patch @@ -0,0 +1,64 @@ +From 5d19ad1882bf5c5a1426574113f4acabc6d90039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 20:08:53 +0200 +Subject: clk: thead: Mark essential bus clocks as CLK_IGNORE_UNUSED + +From: Michal Wilczynski + +[ Upstream commit 0370395d45ca6dd53bb931978f0e91ac8dd6f1c5 ] + +Probing peripherals in the AON and PERI domains, such as the PVT thermal +sensor and the PWM controller, can lead to boot hangs or unresponsive +devices on the LPi4A board. The root cause is that their parent bus +clocks ('CLK_CPU2AON_X2H' and the 'CLK_PERISYS_APB' clocks) are +automatically gated by the kernel's power-saving mechanisms when the bus +is perceived as idle. + +Alternative solutions were investigated, including modeling the parent +bus in the Device Tree with 'simple-pm-bus' or refactoring the clock +driver's parentage. The 'simple-pm-bus' approach is not viable due to +the lack of defined bus address ranges in the hardware manual and its +creation of improper dependencies on the 'pm_runtime' API for consumer +drivers. + +Therefore, applying the'`CLK_IGNORE_UNUSED' flag directly to the +essential bus clocks is the most direct and targeted fix. This prevents +the kernel from auto-gating these buses and ensures peripherals remain +accessible. + +This change fixes the boot hang associated with the PVT sensor and +resolves the functional issues with the PWM controller. + +Link: https://lore.kernel.org/all/9e8a12db-236d-474c-b110-b3be96edf057@samsung.com/ [1] + +Reviewed-by: Drew Fustini +Acked-by: Stephen Boyd +Signed-off-by: Michal Wilczynski +Signed-off-by: Drew Fustini +Signed-off-by: Sasha Levin +--- + drivers/clk/thead/clk-th1520-ap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/thead/clk-th1520-ap.c b/drivers/clk/thead/clk-th1520-ap.c +index 6ab89245af12..c8ebacc6934a 100644 +--- a/drivers/clk/thead/clk-th1520-ap.c ++++ b/drivers/clk/thead/clk-th1520-ap.c +@@ -799,11 +799,12 @@ static CCU_GATE(CLK_AON2CPU_A2X, aon2cpu_a2x_clk, "aon2cpu-a2x", axi4_cpusys2_ac + 0x134, BIT(8), 0); + static CCU_GATE(CLK_X2X_CPUSYS, x2x_cpusys_clk, "x2x-cpusys", axi4_cpusys2_aclk_pd, + 0x134, BIT(7), 0); +-static CCU_GATE(CLK_CPU2AON_X2H, cpu2aon_x2h_clk, "cpu2aon-x2h", axi_aclk_pd, 0x138, BIT(8), 0); ++static CCU_GATE(CLK_CPU2AON_X2H, cpu2aon_x2h_clk, "cpu2aon-x2h", axi_aclk_pd, ++ 0x138, BIT(8), CLK_IGNORE_UNUSED); + static CCU_GATE(CLK_CPU2PERI_X2H, cpu2peri_x2h_clk, "cpu2peri-x2h", axi4_cpusys2_aclk_pd, + 0x140, BIT(9), CLK_IGNORE_UNUSED); + static CCU_GATE(CLK_PERISYS_APB1_HCLK, perisys_apb1_hclk, "perisys-apb1-hclk", perisys_ahb_hclk_pd, +- 0x150, BIT(9), 0); ++ 0x150, BIT(9), CLK_IGNORE_UNUSED); + static CCU_GATE(CLK_PERISYS_APB2_HCLK, perisys_apb2_hclk, "perisys-apb2-hclk", perisys_ahb_hclk_pd, + 0x150, BIT(10), CLK_IGNORE_UNUSED); + static CCU_GATE(CLK_PERISYS_APB3_HCLK, perisys_apb3_hclk, "perisys-apb3-hclk", perisys_ahb_hclk_pd, +-- +2.39.5 + diff --git a/queue-6.12/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch b/queue-6.12/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch new file mode 100644 index 0000000000..fb63171086 --- /dev/null +++ b/queue-6.12/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch @@ -0,0 +1,51 @@ +From b8fc03244534d807399b59597d0b22f0845cdd65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 05:55:40 +0000 +Subject: cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag + +From: Prashant Malani + +[ Upstream commit 0a1416a49e63c320f6e6c1c8d07e1b58c0d4a3f3 ] + +AMU counters on certain CPPC-based platforms tend to yield inaccurate +delivered performance measurements on systems that are idle/mostly idle. +This results in an inaccurate frequency being stored by cpufreq in its +policy structure when the CPU is brought online. [1] + +Consequently, if the userspace governor tries to set the frequency to a +new value, there is a possibility that it would be the erroneous value +stored earlier. In such a scenario, cpufreq would assume that the +requested frequency has already been set and return early, resulting in +the correct/new frequency request never making it to the hardware. + +Since the operating frequency is liable to this sort of inconsistency, +mark the CPPC driver with CPUFREQ_NEED_UPDATE_LIMITS so that it is always +invoked when a target frequency update is requested. + +Link: https://lore.kernel.org/linux-pm/20250619000925.415528-3-pmalani@google.com/ [1] +Suggested-by: Rafael J. Wysocki +Signed-off-by: Prashant Malani +Acked-by: Viresh Kumar +Link: https://patch.msgid.link/20250722055611.130574-2-pmalani@google.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cppc_cpufreq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c +index 36ea181260c7..8d5279c21e6c 100644 +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -841,7 +841,7 @@ static struct freq_attr *cppc_cpufreq_attr[] = { + }; + + static struct cpufreq_driver cppc_cpufreq_driver = { +- .flags = CPUFREQ_CONST_LOOPS, ++ .flags = CPUFREQ_CONST_LOOPS | CPUFREQ_NEED_UPDATE_LIMITS, + .verify = cppc_verify_policy, + .target = cppc_cpufreq_set_target, + .get = cppc_cpufreq_get_rate, +-- +2.39.5 + diff --git a/queue-6.12/cpufreq-exit-governor-when-failed-to-start-old-gover.patch b/queue-6.12/cpufreq-exit-governor-when-failed-to-start-old-gover.patch new file mode 100644 index 0000000000..a8d88addb7 --- /dev/null +++ b/queue-6.12/cpufreq-exit-governor-when-failed-to-start-old-gover.patch @@ -0,0 +1,43 @@ +From e8d09c110bae14f2258de87167ea87ea890cdf7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:41:45 +0800 +Subject: cpufreq: Exit governor when failed to start old governor + +From: Lifeng Zheng + +[ Upstream commit 0ae204405095abfbc2d694ee0fbb49bcbbe55c57 ] + +Detect the result of starting old governor in cpufreq_set_policy(). If it +fails, exit the governor and clear policy->governor. + +Signed-off-by: Lifeng Zheng +Link: https://patch.msgid.link/20250709104145.2348017-5-zhenglifeng1@huawei.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index fab94ffcb22c..bd55c2356303 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2724,10 +2724,12 @@ static int cpufreq_set_policy(struct cpufreq_policy *policy, + pr_debug("starting governor %s failed\n", policy->governor->name); + if (old_gov) { + policy->governor = old_gov; +- if (cpufreq_init_governor(policy)) ++ if (cpufreq_init_governor(policy)) { + policy->governor = NULL; +- else +- cpufreq_start_governor(policy); ++ } else if (cpufreq_start_governor(policy)) { ++ cpufreq_exit_governor(policy); ++ policy->governor = NULL; ++ } + } + + return ret; +-- +2.39.5 + diff --git a/queue-6.12/cpufreq-intel_pstate-add-granite-rapids-support-in-n.patch b/queue-6.12/cpufreq-intel_pstate-add-granite-rapids-support-in-n.patch new file mode 100644 index 0000000000..cb6759e001 --- /dev/null +++ b/queue-6.12/cpufreq-intel_pstate-add-granite-rapids-support-in-n.patch @@ -0,0 +1,36 @@ +From 5879a18290f5f1deecc5e3a044195e360b9f6e85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 18:56:01 +0800 +Subject: cpufreq: intel_pstate: Add Granite Rapids support in no-HWP mode + +From: Li RongQing + +[ Upstream commit fc64e0421598aaa87d61184f6777b52614a095be ] + +Users may disable HWP in firmware, in which case intel_pstate +wouldn't load unless the CPU model is explicitly supported. + +Signed-off-by: Li RongQing +Link: https://patch.msgid.link/20250623105601.3924-1-lirongqing@baidu.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index b86372aa341d..e90871092038 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -2654,6 +2654,8 @@ static const struct x86_cpu_id intel_pstate_cpu_ids[] = { + X86_MATCH(INTEL_TIGERLAKE, core_funcs), + X86_MATCH(INTEL_SAPPHIRERAPIDS_X, core_funcs), + X86_MATCH(INTEL_EMERALDRAPIDS_X, core_funcs), ++ X86_MATCH(INTEL_GRANITERAPIDS_D, core_funcs), ++ X86_MATCH(INTEL_GRANITERAPIDS_X, core_funcs), + {} + }; + MODULE_DEVICE_TABLE(x86cpu, intel_pstate_cpu_ids); +-- +2.39.5 + diff --git a/queue-6.12/crypto-ccp-add-missing-bootloader-info-reg-for-pspv6.patch b/queue-6.12/crypto-ccp-add-missing-bootloader-info-reg-for-pspv6.patch new file mode 100644 index 0000000000..a5975d8925 --- /dev/null +++ b/queue-6.12/crypto-ccp-add-missing-bootloader-info-reg-for-pspv6.patch @@ -0,0 +1,34 @@ +From b84bd8daf629b0158bd795f9c62d43b165b65a04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 10:21:01 -0500 +Subject: crypto: ccp - Add missing bootloader info reg for pspv6 + +From: Mario Limonciello + +[ Upstream commit aaeff14688d0254b39731d9bb303c79bfd610f7d ] + +The bootloader info reg for pspv6 is the same as pspv4 and pspv5. + +Suggested-by: Tom Lendacky +Signed-off-by: Mario Limonciello +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sp-pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c +index 2ebc878da160..224edaaa737b 100644 +--- a/drivers/crypto/ccp/sp-pci.c ++++ b/drivers/crypto/ccp/sp-pci.c +@@ -451,6 +451,7 @@ static const struct psp_vdata pspv6 = { + .cmdresp_reg = 0x10944, /* C2PMSG_17 */ + .cmdbuff_addr_lo_reg = 0x10948, /* C2PMSG_18 */ + .cmdbuff_addr_hi_reg = 0x1094c, /* C2PMSG_19 */ ++ .bootloader_info_reg = 0x109ec, /* C2PMSG_59 */ + .feature_reg = 0x109fc, /* C2PMSG_63 */ + .inten_reg = 0x10510, /* P2CMSG_INTEN */ + .intsts_reg = 0x10514, /* P2CMSG_INTSTS */ +-- +2.39.5 + diff --git a/queue-6.12/crypto-hisilicon-hpre-fix-dma-unmap-sequence.patch b/queue-6.12/crypto-hisilicon-hpre-fix-dma-unmap-sequence.patch new file mode 100644 index 0000000000..29e308e2b8 --- /dev/null +++ b/queue-6.12/crypto-hisilicon-hpre-fix-dma-unmap-sequence.patch @@ -0,0 +1,56 @@ +From cf8b30219c5d4332f67d5a3fc8353ddb57645c57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 18:05:01 +0800 +Subject: crypto: hisilicon/hpre - fix dma unmap sequence + +From: Zhiqi Song + +[ Upstream commit 982fd1a74de63c388c060e4fa6f7fbd088d6d02e ] + +Perform DMA unmapping operations before processing data. +Otherwise, there may be unsynchronized data accessed by +the CPU when the SWIOTLB is enabled. + +Signed-off-by: Zhiqi Song +Signed-off-by: Chenghai Huang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/hisilicon/hpre/hpre_crypto.c b/drivers/crypto/hisilicon/hpre/hpre_crypto.c +index c167dbd6c7d6..e71f1e459764 100644 +--- a/drivers/crypto/hisilicon/hpre/hpre_crypto.c ++++ b/drivers/crypto/hisilicon/hpre/hpre_crypto.c +@@ -1487,11 +1487,13 @@ static void hpre_ecdh_cb(struct hpre_ctx *ctx, void *resp) + if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld)) + atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value); + ++ /* Do unmap before data processing */ ++ hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src); ++ + p = sg_virt(areq->dst); + memmove(p, p + ctx->key_sz - curve_sz, curve_sz); + memmove(p + curve_sz, p + areq->dst_len - curve_sz, curve_sz); + +- hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src); + kpp_request_complete(areq, ret); + + atomic64_inc(&dfx[HPRE_RECV_CNT].value); +@@ -1801,9 +1803,11 @@ static void hpre_curve25519_cb(struct hpre_ctx *ctx, void *resp) + if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld)) + atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value); + ++ /* Do unmap before data processing */ ++ hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src); ++ + hpre_key_to_big_end(sg_virt(areq->dst), CURVE25519_KEY_SIZE); + +- hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src); + kpp_request_complete(areq, ret); + + atomic64_inc(&dfx[HPRE_RECV_CNT].value); +-- +2.39.5 + diff --git a/queue-6.12/crypto-jitter-fix-intermediary-handling.patch b/queue-6.12/crypto-jitter-fix-intermediary-handling.patch new file mode 100644 index 0000000000..ffa75e7b25 --- /dev/null +++ b/queue-6.12/crypto-jitter-fix-intermediary-handling.patch @@ -0,0 +1,54 @@ +From 4aae413e668f7be3fd35455941848c7351649f8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jun 2025 13:36:43 +0200 +Subject: crypto: jitter - fix intermediary handling + +From: Markus Theil + +[ Upstream commit 735b72568c73875269a6b73ab9543a70f6ac8a9f ] + +The intermediary value was included in the wrong +hash state. While there, adapt to user-space by +setting the timestamp to 0 if stuck and inserting +the values nevertheless. + +Acked-by: Stephan Mueller +Signed-off-by: Markus Theil +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/jitterentropy-kcapi.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c +index c24d4ff2b4a8..1266eb790708 100644 +--- a/crypto/jitterentropy-kcapi.c ++++ b/crypto/jitterentropy-kcapi.c +@@ -144,7 +144,7 @@ int jent_hash_time(void *hash_state, __u64 time, u8 *addtl, + * Inject the data from the previous loop into the pool. This data is + * not considered to contain any entropy, but it stirs the pool a bit. + */ +- ret = crypto_shash_update(desc, intermediary, sizeof(intermediary)); ++ ret = crypto_shash_update(hash_state_desc, intermediary, sizeof(intermediary)); + if (ret) + goto err; + +@@ -157,11 +157,12 @@ int jent_hash_time(void *hash_state, __u64 time, u8 *addtl, + * conditioning operation to have an identical amount of input data + * according to section 3.1.5. + */ +- if (!stuck) { +- ret = crypto_shash_update(hash_state_desc, (u8 *)&time, +- sizeof(__u64)); ++ if (stuck) { ++ time = 0; + } + ++ ret = crypto_shash_update(hash_state_desc, (u8 *)&time, sizeof(__u64)); ++ + err: + shash_desc_zero(desc); + memzero_explicit(intermediary, sizeof(intermediary)); +-- +2.39.5 + diff --git a/queue-6.12/crypto-octeontx2-add-timeout-for-load_fvc-completion.patch b/queue-6.12/crypto-octeontx2-add-timeout-for-load_fvc-completion.patch new file mode 100644 index 0000000000..50a2ad1e79 --- /dev/null +++ b/queue-6.12/crypto-octeontx2-add-timeout-for-load_fvc-completion.patch @@ -0,0 +1,65 @@ +From 8124af8c05deacc0b2961d37112bb4bc78dc86eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 15:36:24 +0530 +Subject: crypto: octeontx2 - add timeout for load_fvc completion poll + +From: Bharat Bhushan + +[ Upstream commit 2157e50f65d2030f07ea27ef7ac4cfba772e98ac ] + +Adds timeout to exit from possible infinite loop, which polls +on CPT instruction(load_fvc) completion. + +Signed-off-by: Srujana Challa +Signed-off-by: Bharat Bhushan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + .../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c +index 5c9484646172..357a7c6ac837 100644 +--- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c ++++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c +@@ -1493,6 +1493,7 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf) + dma_addr_t rptr_baddr; + struct pci_dev *pdev; + u32 len, compl_rlen; ++ int timeout = 10000; + int ret, etype; + void *rptr; + +@@ -1555,16 +1556,27 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf) + etype); + otx2_cpt_fill_inst(&inst, &iq_cmd, rptr_baddr); + lfs->ops->send_cmd(&inst, 1, &cptpf->lfs.lf[0]); ++ timeout = 10000; + + while (lfs->ops->cpt_get_compcode(result) == +- OTX2_CPT_COMPLETION_CODE_INIT) ++ OTX2_CPT_COMPLETION_CODE_INIT) { + cpu_relax(); ++ udelay(1); ++ timeout--; ++ if (!timeout) { ++ ret = -ENODEV; ++ cptpf->is_eng_caps_discovered = false; ++ dev_warn(&pdev->dev, "Timeout on CPT load_fvc completion poll\n"); ++ goto error_no_response; ++ } ++ } + + cptpf->eng_caps[etype].u = be64_to_cpup(rptr); + } +- dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL); + cptpf->is_eng_caps_discovered = true; + ++error_no_response: ++ dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL); + free_result: + kfree(result); + lf_cleanup: +-- +2.39.5 + diff --git a/queue-6.12/dm-mpath-don-t-print-the-loaded-message-if-registeri.patch b/queue-6.12/dm-mpath-don-t-print-the-loaded-message-if-registeri.patch new file mode 100644 index 0000000000..0f10caa294 --- /dev/null +++ b/queue-6.12/dm-mpath-don-t-print-the-loaded-message-if-registeri.patch @@ -0,0 +1,87 @@ +From 3f4fcec9856b10931c21cdd48cb8531f1a8276cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 15:24:22 +0200 +Subject: dm-mpath: don't print the "loaded" message if registering fails + +From: Mikulas Patocka + +[ Upstream commit 6e11952a6abc4641dc8ae63f01b318b31b44e8db ] + +If dm_register_path_selector, don't print the "version X loaded" message. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-ps-historical-service-time.c | 4 +++- + drivers/md/dm-ps-queue-length.c | 4 +++- + drivers/md/dm-ps-round-robin.c | 4 +++- + drivers/md/dm-ps-service-time.c | 4 +++- + 4 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/dm-ps-historical-service-time.c b/drivers/md/dm-ps-historical-service-time.c +index b49e10d76d03..2c8626a83de4 100644 +--- a/drivers/md/dm-ps-historical-service-time.c ++++ b/drivers/md/dm-ps-historical-service-time.c +@@ -541,8 +541,10 @@ static int __init dm_hst_init(void) + { + int r = dm_register_path_selector(&hst_ps); + +- if (r < 0) ++ if (r < 0) { + DMERR("register failed %d", r); ++ return r; ++ } + + DMINFO("version " HST_VERSION " loaded"); + +diff --git a/drivers/md/dm-ps-queue-length.c b/drivers/md/dm-ps-queue-length.c +index e305f05ad1e5..eb543e6431e0 100644 +--- a/drivers/md/dm-ps-queue-length.c ++++ b/drivers/md/dm-ps-queue-length.c +@@ -260,8 +260,10 @@ static int __init dm_ql_init(void) + { + int r = dm_register_path_selector(&ql_ps); + +- if (r < 0) ++ if (r < 0) { + DMERR("register failed %d", r); ++ return r; ++ } + + DMINFO("version " QL_VERSION " loaded"); + +diff --git a/drivers/md/dm-ps-round-robin.c b/drivers/md/dm-ps-round-robin.c +index d1745b123dc1..66a15ac0c22c 100644 +--- a/drivers/md/dm-ps-round-robin.c ++++ b/drivers/md/dm-ps-round-robin.c +@@ -220,8 +220,10 @@ static int __init dm_rr_init(void) + { + int r = dm_register_path_selector(&rr_ps); + +- if (r < 0) ++ if (r < 0) { + DMERR("register failed %d", r); ++ return r; ++ } + + DMINFO("version " RR_VERSION " loaded"); + +diff --git a/drivers/md/dm-ps-service-time.c b/drivers/md/dm-ps-service-time.c +index 969d31c40272..f8c43aecdb27 100644 +--- a/drivers/md/dm-ps-service-time.c ++++ b/drivers/md/dm-ps-service-time.c +@@ -341,8 +341,10 @@ static int __init dm_st_init(void) + { + int r = dm_register_path_selector(&st_ps); + +- if (r < 0) ++ if (r < 0) { + DMERR("register failed %d", r); ++ return r; ++ } + + DMINFO("version " ST_VERSION " loaded"); + +-- +2.39.5 + diff --git a/queue-6.12/dm-stripe-limit-chunk_sectors-to-the-stripe-size.patch b/queue-6.12/dm-stripe-limit-chunk_sectors-to-the-stripe-size.patch new file mode 100644 index 0000000000..285c051017 --- /dev/null +++ b/queue-6.12/dm-stripe-limit-chunk_sectors-to-the-stripe-size.patch @@ -0,0 +1,43 @@ +From d614cd880cb6b6c96addb69dc6fa1378392f6af6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 10:52:57 +0000 +Subject: dm-stripe: limit chunk_sectors to the stripe size + +From: John Garry + +[ Upstream commit 5fb9d4341b782a80eefa0dc1664d131ac3c8885d ] + +Same as done for raid0, set chunk_sectors limit to appropriately set the +atomic write size limit. + +Setting chunk_sectors limit in this way overrides the stacked limit +already calculated based on the bottom device limits. This is ok, as +when any bios are sent to the bottom devices, the block layer will still +respect the bottom device chunk_sectors. + +Reviewed-by: Nilay Shroff +Reviewed-by: Mikulas Patocka +Signed-off-by: John Garry +Reviewed-by: Martin K. Petersen +Link: https://lore.kernel.org/r/20250711105258.3135198-6-john.g.garry@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/dm-stripe.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c +index 4112071de0be..c68dc1653cfd 100644 +--- a/drivers/md/dm-stripe.c ++++ b/drivers/md/dm-stripe.c +@@ -459,6 +459,7 @@ static void stripe_io_hints(struct dm_target *ti, + struct stripe_c *sc = ti->private; + unsigned int chunk_size = sc->chunk_size << SECTOR_SHIFT; + ++ limits->chunk_sectors = sc->chunk_size; + limits->io_min = chunk_size; + limits->io_opt = chunk_size * sc->stripes; + } +-- +2.39.5 + diff --git a/queue-6.12/dm-table-fix-checking-for-rq-stackable-devices.patch b/queue-6.12/dm-table-fix-checking-for-rq-stackable-devices.patch new file mode 100644 index 0000000000..5f0f66d377 --- /dev/null +++ b/queue-6.12/dm-table-fix-checking-for-rq-stackable-devices.patch @@ -0,0 +1,60 @@ +From dbec965f6e6bb92e6b93a9fa4cd52194c4aa3ca5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 19:08:52 -0400 +Subject: dm-table: fix checking for rq stackable devices + +From: Benjamin Marzinski + +[ Upstream commit 8ca719b81987be690f197e82fdb030580c0a07f3 ] + +Due to the semantics of iterate_devices(), the current code allows a +request-based dm table as long as it includes one request-stackable +device. It is supposed to only allow tables where there are no +non-request-stackable devices. + +Signed-off-by: Benjamin Marzinski +Reviewed-by: Mike Snitzer +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-table.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c +index e45cffdd419a..20b8f560a2da 100644 +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -894,17 +894,17 @@ static bool dm_table_supports_dax(struct dm_table *t, + return true; + } + +-static int device_is_rq_stackable(struct dm_target *ti, struct dm_dev *dev, +- sector_t start, sector_t len, void *data) ++static int device_is_not_rq_stackable(struct dm_target *ti, struct dm_dev *dev, ++ sector_t start, sector_t len, void *data) + { + struct block_device *bdev = dev->bdev; + struct request_queue *q = bdev_get_queue(bdev); + + /* request-based cannot stack on partitions! */ + if (bdev_is_partition(bdev)) +- return false; ++ return true; + +- return queue_is_mq(q); ++ return !queue_is_mq(q); + } + + static int dm_table_determine_type(struct dm_table *t) +@@ -1000,7 +1000,7 @@ static int dm_table_determine_type(struct dm_table *t) + + /* Non-request-stackable devices can't be used for request-based dm */ + if (!ti->type->iterate_devices || +- !ti->type->iterate_devices(ti, device_is_rq_stackable, NULL)) { ++ ti->type->iterate_devices(ti, device_is_not_rq_stackable, NULL)) { + DMERR("table load rejected: including non-request-stackable devices"); + return -EINVAL; + } +-- +2.39.5 + diff --git a/queue-6.12/dmaengine-stm32-dma-configure-next-sg-only-if-there-.patch b/queue-6.12/dmaengine-stm32-dma-configure-next-sg-only-if-there-.patch new file mode 100644 index 0000000000..e60dbb5262 --- /dev/null +++ b/queue-6.12/dmaengine-stm32-dma-configure-next-sg-only-if-there-.patch @@ -0,0 +1,47 @@ +From e959669d14fbb8f20f13e9b510c016cdf60a51ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 09:31:37 +0200 +Subject: dmaengine: stm32-dma: configure next sg only if there are more than 2 + sgs + +From: Amelie Delaunay + +[ Upstream commit e19bdbaa31082b43dab1d936e20efcebc30aa73d ] + +DMA operates in Double Buffer Mode (DBM) when the transfer is cyclic and +there are at least two periods. +When DBM is enabled, the DMA toggles between two memory targets (SxM0AR and +SxM1AR), indicated by the SxSCR.CT bit (Current Target). +There is no need to update the next memory address if two periods are +configured, as SxM0AR and SxM1AR are already properly set up before the +transfer begins in the stm32_dma_start_transfer() function. +This avoids unnecessary updates to SxM0AR/SxM1AR, thereby preventing +potential Transfer Errors. Specifically, when the channel is enabled, +SxM0AR and SxM1AR can only be written if SxSCR.CT=1 and SxSCR.CT=0, +respectively. Otherwise, a Transfer Error interrupt is triggered, and the +stream is automatically disabled. + +Signed-off-by: Amelie Delaunay +Link: https://lore.kernel.org/r/20250624-stm32_dma_dbm_fix-v1-1-337c40d6c93e@foss.st.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/stm32/stm32-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/stm32/stm32-dma.c b/drivers/dma/stm32/stm32-dma.c +index 917f8e922373..0e39f99bce8b 100644 +--- a/drivers/dma/stm32/stm32-dma.c ++++ b/drivers/dma/stm32/stm32-dma.c +@@ -744,7 +744,7 @@ static void stm32_dma_handle_chan_done(struct stm32_dma_chan *chan, u32 scr) + /* cyclic while CIRC/DBM disable => post resume reconfiguration needed */ + if (!(scr & (STM32_DMA_SCR_CIRC | STM32_DMA_SCR_DBM))) + stm32_dma_post_resume_reconfigure(chan); +- else if (scr & STM32_DMA_SCR_DBM) ++ else if (scr & STM32_DMA_SCR_DBM && chan->desc->num_sgs > 2) + stm32_dma_configure_next_sg(chan); + } else { + chan->busy = false; +-- +2.39.5 + diff --git a/queue-6.12/dpaa_eth-don-t-use-fixed_phy_change_carrier.patch b/queue-6.12/dpaa_eth-don-t-use-fixed_phy_change_carrier.patch new file mode 100644 index 0000000000..62781b3980 --- /dev/null +++ b/queue-6.12/dpaa_eth-don-t-use-fixed_phy_change_carrier.patch @@ -0,0 +1,46 @@ +From 20a1ce764847746b3cb7122ccd8a26dd9a5fa1da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 23:24:05 +0200 +Subject: dpaa_eth: don't use fixed_phy_change_carrier + +From: Heiner Kallweit + +[ Upstream commit d8155c1df5c8b717052567b188455d41fa7a8908 ] + +This effectively reverts 6e8b0ff1ba4c ("dpaa_eth: Add change_carrier() +for Fixed PHYs"). Usage of fixed_phy_change_carrier() requires that +fixed_phy_register() has been called before, directly or indirectly. +And that's not the case in this driver. + +Signed-off-by: Heiner Kallweit +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/7eb189b3-d5fd-4be6-8517-a66671a4e4e3@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +index e15dd3d858df..c5c1d3cb0278 100644 +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -28,7 +28,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -3129,7 +3128,6 @@ static const struct net_device_ops dpaa_ops = { + .ndo_stop = dpaa_eth_stop, + .ndo_tx_timeout = dpaa_tx_timeout, + .ndo_get_stats64 = dpaa_get_stats64, +- .ndo_change_carrier = fixed_phy_change_carrier, + .ndo_set_mac_address = dpaa_set_mac_address, + .ndo_validate_addr = eth_validate_addr, + .ndo_set_rx_mode = dpaa_set_rx_mode, +-- +2.39.5 + diff --git a/queue-6.12/drbd-add-missing-kref_get-in-handle_write_conflicts.patch b/queue-6.12/drbd-add-missing-kref_get-in-handle_write_conflicts.patch new file mode 100644 index 0000000000..5e02d1cc9b --- /dev/null +++ b/queue-6.12/drbd-add-missing-kref_get-in-handle_write_conflicts.patch @@ -0,0 +1,65 @@ +From d3d9283e29aa8bb8b55945f7d10a16ead84236c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 11:57:28 +0200 +Subject: drbd: add missing kref_get in handle_write_conflicts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sarah Newman + +[ Upstream commit 00c9c9628b49e368d140cfa61d7df9b8922ec2a8 ] + +With `two-primaries` enabled, DRBD tries to detect "concurrent" writes +and handle write conflicts, so that even if you write to the same sector +simultaneously on both nodes, they end up with the identical data once +the writes are completed. + +In handling "superseeded" writes, we forgot a kref_get, +resulting in a premature drbd_destroy_device and use after free, +and further to kernel crashes with symptoms. + +Relevance: No one should use DRBD as a random data generator, and apparently +all users of "two-primaries" handle concurrent writes correctly on layer up. +That is cluster file systems use some distributed lock manager, +and live migration in virtualization environments stops writes on one node +before starting writes on the other node. + +Which means that other than for "test cases", +this code path is never taken in real life. + +FYI, in DRBD 9, things are handled differently nowadays. We still detect +"write conflicts", but no longer try to be smart about them. +We decided to disconnect hard instead: upper layers must not submit concurrent +writes. If they do, that's their fault. + +Signed-off-by: Sarah Newman +Signed-off-by: Lars Ellenberg +Signed-off-by: Christoph Böhmwalder +Link: https://lore.kernel.org/r/20250627095728.800688-1-christoph.boehmwalder@linbit.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index 0c9f54197768..ac18d36b0ea8 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -2500,7 +2500,11 @@ static int handle_write_conflicts(struct drbd_device *device, + peer_req->w.cb = superseded ? e_send_superseded : + e_send_retry_write; + list_add_tail(&peer_req->w.list, &device->done_ee); +- queue_work(connection->ack_sender, &peer_req->peer_device->send_acks_work); ++ /* put is in drbd_send_acks_wf() */ ++ kref_get(&device->kref); ++ if (!queue_work(connection->ack_sender, ++ &peer_req->peer_device->send_acks_work)) ++ kref_put(&device->kref, drbd_destroy_device); + + err = -ENOENT; + goto out; +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-allow-printing-vangogh-od-sclk-levels-withou.patch b/queue-6.12/drm-amd-allow-printing-vangogh-od-sclk-levels-withou.patch new file mode 100644 index 0000000000..e7b2f042fd --- /dev/null +++ b/queue-6.12/drm-amd-allow-printing-vangogh-od-sclk-levels-withou.patch @@ -0,0 +1,88 @@ +From 6ab643739d3bc083c7d359b9933f50b654a446e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jun 2025 22:12:26 -0500 +Subject: drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to + manual + +From: Mario Limonciello + +[ Upstream commit 2d1ec1e955414e8e8358178011c35afca1a1c0b1 ] + +Several other ASICs allow printing OD SCLK levels without setting DPM +control to manual. When OD is disabled it will show the range the +hardware supports. When OD is enabled it will show what values have +been programmed. Adjust VanGogh to work the same. + +Cc: Pierre-Loup A. Griffais +Reported-by: Vicki Pfau +Reviewed-by: Alex Deucher +Link: https://lore.kernel.org/r/20250609031227.479079-1-superm1@kernel.org +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 ++++++++----------- + 1 file changed, 15 insertions(+), 22 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c +index 9bca748ac2e9..3d3765815e24 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c +@@ -664,7 +664,6 @@ static int vangogh_print_clk_levels(struct smu_context *smu, + { + DpmClocks_t *clk_table = smu->smu_table.clocks_table; + SmuMetrics_t metrics; +- struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm); + int i, idx, size = 0, ret = 0; + uint32_t cur_value = 0, value = 0, count = 0; + bool cur_value_match_level = false; +@@ -680,31 +679,25 @@ static int vangogh_print_clk_levels(struct smu_context *smu, + + switch (clk_type) { + case SMU_OD_SCLK: +- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) { +- size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK"); +- size += sysfs_emit_at(buf, size, "0: %10uMhz\n", +- (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq); +- size += sysfs_emit_at(buf, size, "1: %10uMhz\n", +- (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq); +- } ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK"); ++ size += sysfs_emit_at(buf, size, "0: %10uMhz\n", ++ (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq); ++ size += sysfs_emit_at(buf, size, "1: %10uMhz\n", ++ (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq); + break; + case SMU_OD_CCLK: +- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) { +- size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select); +- size += sysfs_emit_at(buf, size, "0: %10uMhz\n", +- (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq); +- size += sysfs_emit_at(buf, size, "1: %10uMhz\n", +- (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq); +- } ++ size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select); ++ size += sysfs_emit_at(buf, size, "0: %10uMhz\n", ++ (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq); ++ size += sysfs_emit_at(buf, size, "1: %10uMhz\n", ++ (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq); + break; + case SMU_OD_RANGE: +- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) { +- size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE"); +- size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n", +- smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq); +- size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n", +- smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq); +- } ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE"); ++ size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n", ++ smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq); ++ size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n", ++ smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq); + break; + case SMU_SOCCLK: + /* the level 3 ~ 6 of socclk use the same frequency for vangogh */ +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-avoid-configuring-psr-granularity-if.patch b/queue-6.12/drm-amd-display-avoid-configuring-psr-granularity-if.patch new file mode 100644 index 0000000000..197e7fce0b --- /dev/null +++ b/queue-6.12/drm-amd-display-avoid-configuring-psr-granularity-if.patch @@ -0,0 +1,49 @@ +From b4a742a178cac67ca6c2df2d504632e5c91ca2b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Jul 2025 08:38:05 -0500 +Subject: drm/amd/display: Avoid configuring PSR granularity if PSR-SU not + supported + +From: Mario Limonciello + +[ Upstream commit a5ce8695d6d1b40d6960d2d298b579042c158f25 ] + +[Why] +If PSR-SU is disabled on the link, then configuring su_y granularity in +mod_power_calc_psr_configs() can lead to assertions in +psr_su_set_dsc_slice_height(). + +[How] +Check the PSR version in amdgpu_dm_link_setup_psr() to determine whether +or not to configure granularity. + +Reviewed-by: Sun peng (Leo) Li +Signed-off-by: Mario Limonciello +Signed-off-by: Ivan Lipski +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c +index e140b7a04d72..d63038ec4ec7 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c +@@ -127,8 +127,10 @@ bool amdgpu_dm_link_setup_psr(struct dc_stream_state *stream) + psr_config.allow_multi_disp_optimizations = + (amdgpu_dc_feature_mask & DC_PSR_ALLOW_MULTI_DISP_OPT); + +- if (!psr_su_set_dsc_slice_height(dc, link, stream, &psr_config)) +- return false; ++ if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1) { ++ if (!psr_su_set_dsc_slice_height(dc, link, stream, &psr_config)) ++ return false; ++ } + + ret = dc_link_setup_psr(link, stream, &psr_config, &psr_context); + +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-avoid-trying-aux-transactions-on-dis.patch b/queue-6.12/drm-amd-display-avoid-trying-aux-transactions-on-dis.patch new file mode 100644 index 0000000000..55209a7c12 --- /dev/null +++ b/queue-6.12/drm-amd-display-avoid-trying-aux-transactions-on-dis.patch @@ -0,0 +1,40 @@ +From 64f2a19fa912d72ccbc7e06dcd84f35dae700458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 16:06:50 +0800 +Subject: drm/amd/display: Avoid trying AUX transactions on disconnected ports + +From: Wayne Lin + +[ Upstream commit deb24e64c8881c462b29e2c69afd9e6669058be5 ] + +[Why & How] +Observe that we try to access DPCD 0x600h of disconnected DP ports. +In order not to wasting time on retrying these ports, call +dpcd_write_rx_power_ctrl() after checking its connection status. + +Reviewed-by: Aurabindo Pillai +Signed-off-by: Wayne Lin +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c +index aa2800129767..9d740659521a 100644 +--- a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c ++++ b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c +@@ -140,7 +140,8 @@ void link_blank_dp_stream(struct dc_link *link, bool hw_init) + } + } + +- if ((!link->wa_flags.dp_keep_receiver_powered) || hw_init) ++ if (((!link->wa_flags.dp_keep_receiver_powered) || hw_init) && ++ (link->type != dc_connection_none)) + dpcd_write_rx_power_ctrl(link, false); + } + } +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-disable-dsc_power_gate-for-dcn314-by.patch b/queue-6.12/drm-amd-display-disable-dsc_power_gate-for-dcn314-by.patch new file mode 100644 index 0000000000..d65343f962 --- /dev/null +++ b/queue-6.12/drm-amd-display-disable-dsc_power_gate-for-dcn314-by.patch @@ -0,0 +1,43 @@ +From 7121b11fc7e9dfb401c1452b052252e586c64223 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 14:37:33 -0400 +Subject: drm/amd/display: Disable dsc_power_gate for dcn314 by default + +From: Roman Li + +[ Upstream commit 02f3ec53177243d32ee8b6f8ba99136d7887ee3a ] + +[Why] +"REG_WAIT timeout 1us * 1000 tries - dcn314_dsc_pg_control line" +warnings seen after resuming from s2idle. +DCN314 has issues with DSC power gating that cause REG_WAIT timeouts +when attempting to power down DSC blocks. + +[How] +Disable dsc_power_gate for dcn314 by default. + +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Roman Li +Signed-off-by: Ivan Lipski +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c +index 01d95108ce66..585c3e8a2194 100644 +--- a/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c +@@ -927,6 +927,7 @@ static const struct dc_debug_options debug_defaults_drv = { + .seamless_boot_odm_combine = true, + .enable_legacy_fast_update = true, + .using_dml2 = false, ++ .disable_dsc_power_gate = true, + }; + + static const struct dc_panel_config panel_config_defaults = { +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-fix-failed-to-blank-crtc.patch b/queue-6.12/drm-amd-display-fix-failed-to-blank-crtc.patch new file mode 100644 index 0000000000..f14137a9f1 --- /dev/null +++ b/queue-6.12/drm-amd-display-fix-failed-to-blank-crtc.patch @@ -0,0 +1,48 @@ +From 82db6d1cf641514e6ee22b92947464b056c1f07a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 16:37:08 -0400 +Subject: drm/amd/display: Fix 'failed to blank crtc!' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wen Chen + +[ Upstream commit 01f60348d8fb6b3fbcdfc7bdde5d669f95b009a4 ] + +[why] +DCN35 is having “DC: failed to blank crtc!” when running HPO +test cases. It's caused by not having sufficient udelay time. + +[how] +Replace the old wait_for_blank_complete function with fsleep function to +sleep just until the next frame should come up. This way it doesn't poll +in case the pixel clock or other clock was bugged or until vactive and +the vblank are hit again. + +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Wen Chen +Signed-off-by: Fangzhi Zuo +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c +index d9de8e17ccf4..08fc2a2c399f 100644 +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c +@@ -945,7 +945,7 @@ enum dc_status dcn20_enable_stream_timing( + return DC_ERROR_UNEXPECTED; + } + +- hws->funcs.wait_for_blank_complete(pipe_ctx->stream_res.opp); ++ fsleep(stream->timing.v_total * (stream->timing.h_total * 10000u / stream->timing.pix_clk_100hz)); + + params.vertical_total_min = stream->adjust.v_total_min; + params.vertical_total_max = stream->adjust.v_total_max; +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-initialize-mode_select-to-0.patch b/queue-6.12/drm-amd-display-initialize-mode_select-to-0.patch new file mode 100644 index 0000000000..dc822e155d --- /dev/null +++ b/queue-6.12/drm-amd-display-initialize-mode_select-to-0.patch @@ -0,0 +1,42 @@ +From 471fb3175f6dfbd72200df72793bd8fb31495fbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 15:40:18 -0600 +Subject: drm/amd/display: Initialize mode_select to 0 + +From: Alex Hung + +[ Upstream commit 592ddac93f8c02e13f19175745465f8c4d0f56cd ] + +[WHAT] +mode_select was supposed to be initialized in mpc_read_gamut_remap but +is not set in default case. This can cause indeterminate +behaviors. + +This is reported as an UNINIT error by Coverity. + +Reviewed-by: Aurabindo Pillai +Signed-off-by: Alex Hung +Signed-off-by: Fangzhi Zuo +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/mpc/dcn401/dcn401_mpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/mpc/dcn401/dcn401_mpc.c b/drivers/gpu/drm/amd/display/dc/mpc/dcn401/dcn401_mpc.c +index 37ab5a4eefc7..0f531cfd3c49 100644 +--- a/drivers/gpu/drm/amd/display/dc/mpc/dcn401/dcn401_mpc.c ++++ b/drivers/gpu/drm/amd/display/dc/mpc/dcn401/dcn401_mpc.c +@@ -571,7 +571,7 @@ void mpc401_get_gamut_remap(struct mpc *mpc, + struct mpc_grph_gamut_adjustment *adjust) + { + uint16_t arr_reg_val[12] = {0}; +- uint32_t mode_select; ++ uint32_t mode_select = MPCC_GAMUT_REMAP_MODE_SELECT_0; + + read_gamut_remap(mpc, mpcc_id, arr_reg_val, adjust->mpcc_gamut_remap_block_id, &mode_select); + +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-limit-clear_update_flags-to-dcn32-an.patch b/queue-6.12/drm-amd-display-limit-clear_update_flags-to-dcn32-an.patch new file mode 100644 index 0000000000..d8fd413005 --- /dev/null +++ b/queue-6.12/drm-amd-display-limit-clear_update_flags-to-dcn32-an.patch @@ -0,0 +1,52 @@ +From 1b9a2341c9e1bdc0edcb99daebc031e77b98b9f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 16:36:17 -0400 +Subject: drm/amd/display: limit clear_update_flags to dcn32 and above + +From: Charlene Liu + +[ Upstream commit f354556e29f40ef44fa8b13dc914817db3537e20 ] + +[why] +dc has some code out of sync: +dc_commit_updates_for_stream handles v1/v2/v3, +but dc_update_planes_and_stream makes v1 asic to use v2. + +as a reression fix: limit clear_update_flags to dcn32 or newer asic. +need to follow up that v1 asic using v2 issue. + +Reviewed-by: Syed Hassan +Signed-off-by: Charlene Liu +Signed-off-by: Ivan Lipski +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index a99d3e2256f1..b87f3e2d5117 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -5121,8 +5121,7 @@ bool dc_update_planes_and_stream(struct dc *dc, + else + ret = update_planes_and_stream_v2(dc, srf_updates, + surface_count, stream, stream_update); +- +- if (ret) ++ if (ret && dc->ctx->dce_version >= DCN_VERSION_3_2) + clear_update_flags(srf_updates, surface_count, stream); + + return ret; +@@ -5153,7 +5152,7 @@ void dc_commit_updates_for_stream(struct dc *dc, + ret = update_planes_and_stream_v1(dc, srf_updates, surface_count, stream, + stream_update, state); + +- if (ret) ++ if (ret && dc->ctx->dce_version >= DCN_VERSION_3_2) + clear_update_flags(srf_updates, surface_count, stream); + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-only-finalize-atomic_obj-if-it-was-i.patch b/queue-6.12/drm-amd-display-only-finalize-atomic_obj-if-it-was-i.patch new file mode 100644 index 0000000000..7fe56e1dca --- /dev/null +++ b/queue-6.12/drm-amd-display-only-finalize-atomic_obj-if-it-was-i.patch @@ -0,0 +1,43 @@ +From 1507d598243f94f7b75c8a7f2051d6f80d3c469c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 14:41:46 -0500 +Subject: drm/amd/display: Only finalize atomic_obj if it was initialized + +From: Mario Limonciello + +[ Upstream commit b174084b3fe15ad1acc69530e673c1535d2e4f85 ] + +[Why] +If amdgpu_dm failed to initalize before amdgpu_dm_initialize_drm_device() +completed then freeing atomic_obj will lead to list corruption. + +[How] +Check if atomic_obj state is initialized before trying to free. + +Reviewed-by: Harry Wentland +Signed-off-by: Mario Limonciello +Signed-off-by: Ivan Lipski +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 084d9ed325af..33a3e5e28fbc 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -5223,7 +5223,8 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev) + + static void amdgpu_dm_destroy_drm_device(struct amdgpu_display_manager *dm) + { +- drm_atomic_private_obj_fini(&dm->atomic_obj); ++ if (dm->atomic_obj.state) ++ drm_atomic_private_obj_fini(&dm->atomic_obj); + } + + /****************************************************************************** +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-separate-set_gsl-from-set_gsl_source.patch b/queue-6.12/drm-amd-display-separate-set_gsl-from-set_gsl_source.patch new file mode 100644 index 0000000000..5a04713482 --- /dev/null +++ b/queue-6.12/drm-amd-display-separate-set_gsl-from-set_gsl_source.patch @@ -0,0 +1,49 @@ +From fe9431892bb950aec84bd06851eac6e96421018b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 13:07:14 -0400 +Subject: drm/amd/display: Separate set_gsl from set_gsl_source_select + +From: Ilya Bakoulin + +[ Upstream commit 660a467a5e7366cd6642de61f1aaeaf0d253ee68 ] + +[Why/How] +Separate the checks for set_gsl and set_gsl_source_select, since +source_select may not be implemented/necessary. + +Reviewed-by: Nevenko Stupar +Signed-off-by: Ilya Bakoulin +Signed-off-by: Ray Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c +index 9c5cdb3b80b5..d9de8e17ccf4 100644 +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c +@@ -273,14 +273,13 @@ void dcn20_setup_gsl_group_as_lock( + } + + /* at this point we want to program whether it's to enable or disable */ +- if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL && +- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL) { ++ if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL) { + pipe_ctx->stream_res.tg->funcs->set_gsl( + pipe_ctx->stream_res.tg, + &gsl); +- +- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select( +- pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0); ++ if (pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL) ++ pipe_ctx->stream_res.tg->funcs->set_gsl_source_select( ++ pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0); + } else + BREAK_TO_DEBUGGER(); + } +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-update-dmcub-loading-sequence-for-dc.patch b/queue-6.12/drm-amd-display-update-dmcub-loading-sequence-for-dc.patch new file mode 100644 index 0000000000..b4b973a160 --- /dev/null +++ b/queue-6.12/drm-amd-display-update-dmcub-loading-sequence-for-dc.patch @@ -0,0 +1,82 @@ +From ae0fa157af7eebf44ce11d884e14657038af3054 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 11:18:26 -0400 +Subject: drm/amd/display: Update DMCUB loading sequence for DCN3.5 + +From: Nicholas Kazlauskas + +[ Upstream commit d42b2331e158fa6bcdc89e4c8c470dc5da20be1f ] + +[Why] +New sequence from HW for reset and firmware reloading has been +provided that aims to stabilize the reload sequence in the case the +firmware is hung or has outstanding requests. + +[How] +Update the sequence to remove the DMUIF reset and the redundant +writes in the release. + +Reviewed-by: Ovidiu Bunea +Signed-off-by: Nicholas Kazlauskas +Signed-off-by: Wayne Lin +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/dmub/src/dmub_dcn35.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dmub/src/dmub_dcn35.c b/drivers/gpu/drm/amd/display/dmub/src/dmub_dcn35.c +index 4581eb479451..01e83c6ce701 100644 +--- a/drivers/gpu/drm/amd/display/dmub/src/dmub_dcn35.c ++++ b/drivers/gpu/drm/amd/display/dmub/src/dmub_dcn35.c +@@ -92,19 +92,15 @@ void dmub_dcn35_reset(struct dmub_srv *dmub) + uint32_t in_reset, is_enabled, scratch, i, pwait_mode; + + REG_GET(DMCUB_CNTL2, DMCUB_SOFT_RESET, &in_reset); ++ REG_GET(DMCUB_CNTL, DMCUB_ENABLE, &is_enabled); + +- if (in_reset == 0) { ++ if (in_reset == 0 && is_enabled != 0) { + cmd.bits.status = 1; + cmd.bits.command_code = DMUB_GPINT__STOP_FW; + cmd.bits.param = 0; + + dmub->hw_funcs.set_gpint(dmub, cmd); + +- /** +- * Timeout covers both the ACK and the wait +- * for remaining work to finish. +- */ +- + for (i = 0; i < timeout; ++i) { + if (dmub->hw_funcs.is_gpint_acked(dmub, cmd)) + break; +@@ -130,11 +126,9 @@ void dmub_dcn35_reset(struct dmub_srv *dmub) + /* Force reset in case we timed out, DMCUB is likely hung. */ + } + +- REG_GET(DMCUB_CNTL, DMCUB_ENABLE, &is_enabled); +- + if (is_enabled) { + REG_UPDATE(DMCUB_CNTL2, DMCUB_SOFT_RESET, 1); +- REG_UPDATE(MMHUBBUB_SOFT_RESET, DMUIF_SOFT_RESET, 1); ++ udelay(1); + REG_UPDATE(DMCUB_CNTL, DMCUB_ENABLE, 0); + } + +@@ -160,11 +154,7 @@ void dmub_dcn35_reset_release(struct dmub_srv *dmub) + LONO_SOCCLK_GATE_DISABLE, 1, + LONO_DMCUBCLK_GATE_DISABLE, 1); + +- REG_UPDATE(MMHUBBUB_SOFT_RESET, DMUIF_SOFT_RESET, 1); +- udelay(1); + REG_UPDATE_2(DMCUB_CNTL, DMCUB_ENABLE, 1, DMCUB_TRACEPORT_EN, 1); +- REG_UPDATE(DMCUB_CNTL2, DMCUB_SOFT_RESET, 1); +- udelay(1); + REG_UPDATE(MMHUBBUB_SOFT_RESET, DMUIF_SOFT_RESET, 0); + REG_UPDATE(DMCUB_CNTL2, DMCUB_SOFT_RESET, 0); + } +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-pm-fix-null-pointer-access.patch b/queue-6.12/drm-amd-pm-fix-null-pointer-access.patch new file mode 100644 index 0000000000..f6acea4afb --- /dev/null +++ b/queue-6.12/drm-amd-pm-fix-null-pointer-access.patch @@ -0,0 +1,48 @@ +From 707fc79c2bbbbbbb1899f18d5545ad8d7f11353b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 14:44:35 +0000 +Subject: drm/amd/pm: fix null pointer access + +From: Umio Yasuno + +[ Upstream commit d524d40e3a6152a3ea1125af729f8cd8ca65efde ] + +Writing a string without delimiters (' ', '\n', '\0') to the under +gpu_od/fan_ctrl sysfs or pp_power_profile_mode for the CUSTOM profile +will result in a null pointer dereference. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4401 +Signed-off-by: Umio Yasuno +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/amdgpu_pm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +index bfdfba676025..c4fdd82a0042 100644 +--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c ++++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c +@@ -1490,6 +1490,8 @@ static ssize_t amdgpu_set_pp_power_profile_mode(struct device *dev, + if (ret) + return -EINVAL; + parameter_size++; ++ if (!tmp_str) ++ break; + while (isspace(*tmp_str)) + tmp_str++; + } +@@ -3853,6 +3855,9 @@ static int parse_input_od_command_lines(const char *buf, + return -EINVAL; + parameter_size++; + ++ if (!tmp_str) ++ break; ++ + while (isspace(*tmp_str)) + tmp_str++; + } +-- +2.39.5 + diff --git a/queue-6.12/drm-imagination-clear-runtime-pm-errors-while-resett.patch b/queue-6.12/drm-imagination-clear-runtime-pm-errors-while-resett.patch new file mode 100644 index 0000000000..f4e17151f2 --- /dev/null +++ b/queue-6.12/drm-imagination-clear-runtime-pm-errors-while-resett.patch @@ -0,0 +1,110 @@ +From 7cb350a32e959755342d1e79adcb3fbb9a03de63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 16:01:31 +0100 +Subject: drm/imagination: Clear runtime PM errors while resetting the GPU + +From: Alessio Belle + +[ Upstream commit 551507e0d0bf32ce1d7d27533c4b98307380804c ] + +The runtime PM might be left in error state if one of the callbacks +returned an error, e.g. if the (auto)suspend callback failed following +a firmware crash. + +When that happens, any further attempt to acquire or release a power +reference will then also fail, making it impossible to do anything else +with the GPU. The driver logic will eventually reach the reset code. + +In pvr_power_reset(), replace pvr_power_get() with a new API +pvr_power_get_clear() which also attempts to clear any runtime PM error +state if acquiring a power reference is not possible. + +Signed-off-by: Alessio Belle +Reviewed-by: Matt Coster +Link: https://lore.kernel.org/r/20250624-clear-rpm-errors-gpu-reset-v1-1-b8ff2ae55aac@imgtec.com +Signed-off-by: Matt Coster +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imagination/pvr_power.c | 59 ++++++++++++++++++++++++- + 1 file changed, 58 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imagination/pvr_power.c b/drivers/gpu/drm/imagination/pvr_power.c +index 850b318605da..d97613c6a0a9 100644 +--- a/drivers/gpu/drm/imagination/pvr_power.c ++++ b/drivers/gpu/drm/imagination/pvr_power.c +@@ -317,6 +317,63 @@ pvr_power_device_idle(struct device *dev) + return pvr_power_is_idle(pvr_dev) ? 0 : -EBUSY; + } + ++static int ++pvr_power_clear_error(struct pvr_device *pvr_dev) ++{ ++ struct device *dev = from_pvr_device(pvr_dev)->dev; ++ int err; ++ ++ /* Ensure the device state is known and nothing is happening past this point */ ++ pm_runtime_disable(dev); ++ ++ /* Attempt to clear the runtime PM error by setting the current state again */ ++ if (pm_runtime_status_suspended(dev)) ++ err = pm_runtime_set_suspended(dev); ++ else ++ err = pm_runtime_set_active(dev); ++ ++ if (err) { ++ drm_err(from_pvr_device(pvr_dev), ++ "%s: Failed to clear runtime PM error (new error %d)\n", ++ __func__, err); ++ } ++ ++ pm_runtime_enable(dev); ++ ++ return err; ++} ++ ++/** ++ * pvr_power_get_clear() - Acquire a power reference, correcting any errors ++ * @pvr_dev: Device pointer ++ * ++ * Attempt to acquire a power reference on the device. If the runtime PM ++ * is in error state, attempt to clear the error and retry. ++ * ++ * Returns: ++ * * 0 on success, or ++ * * Any error code returned by pvr_power_get() or the runtime PM API. ++ */ ++static int ++pvr_power_get_clear(struct pvr_device *pvr_dev) ++{ ++ int err; ++ ++ err = pvr_power_get(pvr_dev); ++ if (err == 0) ++ return err; ++ ++ drm_warn(from_pvr_device(pvr_dev), ++ "%s: pvr_power_get returned error %d, attempting recovery\n", ++ __func__, err); ++ ++ err = pvr_power_clear_error(pvr_dev); ++ if (err) ++ return err; ++ ++ return pvr_power_get(pvr_dev); ++} ++ + /** + * pvr_power_reset() - Reset the GPU + * @pvr_dev: Device pointer +@@ -341,7 +398,7 @@ pvr_power_reset(struct pvr_device *pvr_dev, bool hard_reset) + * Take a power reference during the reset. This should prevent any interference with the + * power state during reset. + */ +- WARN_ON(pvr_power_get(pvr_dev)); ++ WARN_ON(pvr_power_get_clear(pvr_dev)); + + down_write(&pvr_dev->reset_sem); + +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-add-error-handling-for-krealloc-in-metadata-.patch b/queue-6.12/drm-msm-add-error-handling-for-krealloc-in-metadata-.patch new file mode 100644 index 0000000000..f27ab181b9 --- /dev/null +++ b/queue-6.12/drm-msm-add-error-handling-for-krealloc-in-metadata-.patch @@ -0,0 +1,52 @@ +From 38daf2c6c7de729efab98be795d092516d6cb1c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 10:16:43 +0800 +Subject: drm/msm: Add error handling for krealloc in metadata setup + +From: Yuan Chen + +[ Upstream commit 1c8c354098ea9d4376a58c96ae6b65288a6f15d8 ] + +Function msm_ioctl_gem_info_set_metadata() now checks for krealloc +failure and returns -ENOMEM, avoiding potential NULL pointer dereference. +Explicitly avoids __GFP_NOFAIL due to deadlock risks and allocation constraints. + +Signed-off-by: Yuan Chen +Patchwork: https://patchwork.freedesktop.org/patch/661235/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index 8c13b08708d2..197d8d9a421d 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -550,6 +550,7 @@ static int msm_ioctl_gem_info_set_metadata(struct drm_gem_object *obj, + u32 metadata_size) + { + struct msm_gem_object *msm_obj = to_msm_bo(obj); ++ void *new_metadata; + void *buf; + int ret; + +@@ -567,8 +568,14 @@ static int msm_ioctl_gem_info_set_metadata(struct drm_gem_object *obj, + if (ret) + goto out; + +- msm_obj->metadata = ++ new_metadata = + krealloc(msm_obj->metadata, metadata_size, GFP_KERNEL); ++ if (!new_metadata) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ ++ msm_obj->metadata = new_metadata; + msm_obj->metadata_size = metadata_size; + memcpy(msm_obj->metadata, buf, metadata_size); + +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-use-trylock-for-debugfs.patch b/queue-6.12/drm-msm-use-trylock-for-debugfs.patch new file mode 100644 index 0000000000..30892ad594 --- /dev/null +++ b/queue-6.12/drm-msm-use-trylock-for-debugfs.patch @@ -0,0 +1,65 @@ +From f4bcfed1ba0cdc67e4e18703f1674aa8c0b2fd4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jun 2025 13:13:22 -0700 +Subject: drm/msm: use trylock for debugfs + +From: Rob Clark + +[ Upstream commit 0a1ff88ec5b60b41ba830c5bf08b6cd8f45ab411 ] + +This resolves a potential deadlock vs msm_gem_vm_close(). Otherwise for +_NO_SHARE buffers msm_gem_describe() could be trying to acquire the +shared vm resv, while already holding priv->obj_lock. But _vm_close() +might drop the last reference to a GEM obj while already holding the vm +resv, and msm_gem_free_object() needs to grab priv->obj_lock, a locking +inversion. + +OTOH this is only for debugfs and it isn't critical if we undercount by +skipping a locked obj. So just use trylock() and move along if we can't +get the lock. + +Signed-off-by: Rob Clark +Signed-off-by: Rob Clark +Tested-by: Antonino Maniscalco +Reviewed-by: Antonino Maniscalco +Patchwork: https://patchwork.freedesktop.org/patch/661525/ +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem.c | 3 ++- + drivers/gpu/drm/msm/msm_gem.h | 6 ++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index ebc9ba66efb8..eeb3b65dd4d1 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -963,7 +963,8 @@ void msm_gem_describe(struct drm_gem_object *obj, struct seq_file *m, + uint64_t off = drm_vma_node_start(&obj->vma_node); + const char *madv; + +- msm_gem_lock(obj); ++ if (!msm_gem_trylock(obj)) ++ return; + + stats->all.count++; + stats->all.size += obj->size; +diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h +index 85f0257e83da..748053f70ca7 100644 +--- a/drivers/gpu/drm/msm/msm_gem.h ++++ b/drivers/gpu/drm/msm/msm_gem.h +@@ -188,6 +188,12 @@ msm_gem_lock(struct drm_gem_object *obj) + dma_resv_lock(obj->resv, NULL); + } + ++static inline bool __must_check ++msm_gem_trylock(struct drm_gem_object *obj) ++{ ++ return dma_resv_trylock(obj->resv); ++} ++ + static inline int + msm_gem_lock_interruptible(struct drm_gem_object *obj) + { +-- +2.39.5 + diff --git a/queue-6.12/drm-renesas-rz-du-mipi_dsi-add-min-check-for-vclk-ra.patch b/queue-6.12/drm-renesas-rz-du-mipi_dsi-add-min-check-for-vclk-ra.patch new file mode 100644 index 0000000000..c826a2b3df --- /dev/null +++ b/queue-6.12/drm-renesas-rz-du-mipi_dsi-add-min-check-for-vclk-ra.patch @@ -0,0 +1,42 @@ +From 0298b3a3363aa9ce86e64b1f6e69aa39f45904de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 23:56:22 +0100 +Subject: drm: renesas: rz-du: mipi_dsi: Add min check for VCLK range + +From: Lad Prabhakar + +[ Upstream commit e37a95d01d5acce211da8446fefbd8684c67f516 ] + +The VCLK range for Renesas RZ/G2L SoC is 5.803 MHz to 148.5 MHz. Add a +minimum clock check in the mode_valid callback to ensure that the clock +value does not fall below the valid range. + +Co-developed-by: Fabrizio Castro +Signed-off-by: Fabrizio Castro +Signed-off-by: Lad Prabhakar +Reviewed-by: Biju Das +Reviewed-by: Laurent Pinchart +Signed-off-by: Biju Das +Link: https://lore.kernel.org/r/20250609225630.502888-2-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/renesas/rz-du/rzg2l_mipi_dsi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/renesas/rz-du/rzg2l_mipi_dsi.c b/drivers/gpu/drm/renesas/rz-du/rzg2l_mipi_dsi.c +index 10febea473cd..6cec796dd463 100644 +--- a/drivers/gpu/drm/renesas/rz-du/rzg2l_mipi_dsi.c ++++ b/drivers/gpu/drm/renesas/rz-du/rzg2l_mipi_dsi.c +@@ -585,6 +585,9 @@ rzg2l_mipi_dsi_bridge_mode_valid(struct drm_bridge *bridge, + if (mode->clock > 148500) + return MODE_CLOCK_HIGH; + ++ if (mode->clock < 5803) ++ return MODE_CLOCK_LOW; ++ + return MODE_OK; + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-ttm-respect-the-shrinker-core-free-target.patch b/queue-6.12/drm-ttm-respect-the-shrinker-core-free-target.patch new file mode 100644 index 0000000000..826acb90c6 --- /dev/null +++ b/queue-6.12/drm-ttm-respect-the-shrinker-core-free-target.patch @@ -0,0 +1,76 @@ +From 74db916400594e8e58e4df4128b4f135da432f54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 12:27:49 +0100 +Subject: drm/ttm: Respect the shrinker core free target +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tvrtko Ursulin + +[ Upstream commit eac21f8ebeb4f84d703cf41dc3f81d16fa9dc00a ] + +Currently the TTM shrinker aborts shrinking as soon as it frees pages from +any of the page order pools and by doing so it can fail to respect the +freeing target which was configured by the shrinker core. + +We use the wording "can fail" because the number of freed pages will +depend on the presence of pages in the pools and the order of the pools on +the LRU list. For example if there are no free pages in the high order +pools the shrinker core may require multiple passes over the TTM shrinker +before it will free the default target of 128 pages (assuming there are +free pages in the low order pools). This inefficiency can be compounded by +the pool LRU where multiple further calls into the TTM shrinker are +required to end up looking at the pool with pages. + +Improve this by never freeing less than the shrinker core has requested. + +At the same time we start reporting the number of scanned pages (freed in +this case), which prevents the core shrinker from giving up on the TTM +shrinker too soon and moving on. + +v2: + * Simplify loop logic. (Christian) + * Improve commit message. + +Signed-off-by: Tvrtko Ursulin +Cc: Christian König +Cc: Thomas Hellström +Reviewed-by: Christian König +Signed-off-by: Tvrtko Ursulin +Link: https://lore.kernel.org/r/20250603112750.34997-2-tvrtko.ursulin@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ttm/ttm_pool.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c +index 8504dbe19c1a..4ae9d33cf485 100644 +--- a/drivers/gpu/drm/ttm/ttm_pool.c ++++ b/drivers/gpu/drm/ttm/ttm_pool.c +@@ -630,7 +630,6 @@ void ttm_pool_fini(struct ttm_pool *pool) + } + EXPORT_SYMBOL(ttm_pool_fini); + +-/* As long as pages are available make sure to release at least one */ + static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink, + struct shrink_control *sc) + { +@@ -638,9 +637,12 @@ static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink, + + do + num_freed += ttm_pool_shrink(); +- while (!num_freed && atomic_long_read(&allocated_pages)); ++ while (num_freed < sc->nr_to_scan && ++ atomic_long_read(&allocated_pages)); + +- return num_freed; ++ sc->nr_scanned = num_freed; ++ ++ return num_freed ?: SHRINK_STOP; + } + + /* Return the number of pages available or SHRINK_EMPTY if we have none */ +-- +2.39.5 + diff --git a/queue-6.12/drm-ttm-should-to-return-the-evict-error.patch b/queue-6.12/drm-ttm-should-to-return-the-evict-error.patch new file mode 100644 index 0000000000..04d7429f05 --- /dev/null +++ b/queue-6.12/drm-ttm-should-to-return-the-evict-error.patch @@ -0,0 +1,45 @@ +From 5783681f223433a060c647b26b54a657546b275f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 17:11:54 +0800 +Subject: drm/ttm: Should to return the evict error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Emily Deng + +[ Upstream commit 4e16a9a00239db5d819197b9a00f70665951bf50 ] + +For the evict fail case, the evict error should be returned. + +v2: Consider ENOENT case. + +v3: Abort directly when the eviction failed for some reason (except for -ENOENT) + and not wait for the move to finish + +Signed-off-by: Emily Deng +Reviewed-by: Christian König +Signed-off-by: Christian König +Link: https://lore.kernel.org/r/20250603091154.3472646-1-Emily.Deng@amd.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ttm/ttm_resource.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/ttm/ttm_resource.c b/drivers/gpu/drm/ttm/ttm_resource.c +index 6d764ba88aab..53f258f39ceb 100644 +--- a/drivers/gpu/drm/ttm/ttm_resource.c ++++ b/drivers/gpu/drm/ttm/ttm_resource.c +@@ -501,6 +501,9 @@ int ttm_resource_manager_evict_all(struct ttm_device *bdev, + cond_resched(); + } while (!ret); + ++ if (ret && ret != -ENOENT) ++ return ret; ++ + spin_lock(&man->move_lock); + fence = dma_fence_get(man->move); + spin_unlock(&man->move_lock); +-- +2.39.5 + diff --git a/queue-6.12/drm-xe-make-dma-fences-compliant-with-the-safe-acces.patch b/queue-6.12/drm-xe-make-dma-fences-compliant-with-the-safe-acces.patch new file mode 100644 index 0000000000..e9a6218469 --- /dev/null +++ b/queue-6.12/drm-xe-make-dma-fences-compliant-with-the-safe-acces.patch @@ -0,0 +1,90 @@ +From 40daf866e2abb38b9100fff702f892b204109af7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 17:42:26 +0100 +Subject: drm/xe: Make dma-fences compliant with the safe access rules + +From: Tvrtko Ursulin + +[ Upstream commit 6bd90e700b4285e6a7541e00f969cab0d696adde ] + +Xe can free some of the data pointed to by the dma-fences it exports. Most +notably the timeline name can get freed if userspace closes the associated +submit queue. At the same time the fence could have been exported to a +third party (for example a sync_fence fd) which will then cause an use- +after-free on subsequent access. + +To make this safe we need to make the driver compliant with the newly +documented dma-fence rules. Driver has to ensure a RCU grace period +between signalling a fence and freeing any data pointed to by said fence. + +For the timeline name we simply make the queue be freed via kfree_rcu and +for the shared lock associated with multiple queues we add a RCU grace +period before freeing the per GT structure holding the lock. + +Signed-off-by: Tvrtko Ursulin +Reviewed-by: Matthew Brost +Acked-by: Lucas De Marchi +Signed-off-by: Tvrtko Ursulin +Link: https://lore.kernel.org/r/20250610164226.10817-5-tvrtko.ursulin@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_guc_exec_queue_types.h | 2 ++ + drivers/gpu/drm/xe/xe_guc_submit.c | 7 ++++++- + drivers/gpu/drm/xe/xe_hw_fence.c | 3 +++ + 3 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_guc_exec_queue_types.h b/drivers/gpu/drm/xe/xe_guc_exec_queue_types.h +index 4c39f01e4f52..a3f421e2adc0 100644 +--- a/drivers/gpu/drm/xe/xe_guc_exec_queue_types.h ++++ b/drivers/gpu/drm/xe/xe_guc_exec_queue_types.h +@@ -20,6 +20,8 @@ struct xe_exec_queue; + struct xe_guc_exec_queue { + /** @q: Backpointer to parent xe_exec_queue */ + struct xe_exec_queue *q; ++ /** @rcu: For safe freeing of exported dma fences */ ++ struct rcu_head rcu; + /** @sched: GPU scheduler for this xe_exec_queue */ + struct xe_gpu_scheduler sched; + /** @entity: Scheduler entity for this xe_exec_queue */ +diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c +index 0e17820a35e2..cf6946424fc3 100644 +--- a/drivers/gpu/drm/xe/xe_guc_submit.c ++++ b/drivers/gpu/drm/xe/xe_guc_submit.c +@@ -1241,7 +1241,11 @@ static void __guc_exec_queue_fini_async(struct work_struct *w) + xe_sched_entity_fini(&ge->entity); + xe_sched_fini(&ge->sched); + +- kfree(ge); ++ /* ++ * RCU free due sched being exported via DRM scheduler fences ++ * (timeline name). ++ */ ++ kfree_rcu(ge, rcu); + xe_exec_queue_fini(q); + xe_pm_runtime_put(guc_to_xe(guc)); + } +@@ -1427,6 +1431,7 @@ static int guc_exec_queue_init(struct xe_exec_queue *q) + + q->guc = ge; + ge->q = q; ++ init_rcu_head(&ge->rcu); + init_waitqueue_head(&ge->suspend_wait); + + for (i = 0; i < MAX_STATIC_MSG_TYPE; ++i) +diff --git a/drivers/gpu/drm/xe/xe_hw_fence.c b/drivers/gpu/drm/xe/xe_hw_fence.c +index 0b4f12be3692..6e2221b60688 100644 +--- a/drivers/gpu/drm/xe/xe_hw_fence.c ++++ b/drivers/gpu/drm/xe/xe_hw_fence.c +@@ -100,6 +100,9 @@ void xe_hw_fence_irq_finish(struct xe_hw_fence_irq *irq) + spin_unlock_irqrestore(&irq->lock, flags); + dma_fence_end_signalling(tmp); + } ++ ++ /* Safe release of the irq->lock used in dma_fence_init. */ ++ synchronize_rcu(); + } + + void xe_hw_fence_irq_run(struct xe_hw_fence_irq *irq) +-- +2.39.5 + diff --git a/queue-6.12/drm-xe-xe_query-use-separate-iterator-while-filling-.patch b/queue-6.12/drm-xe-xe_query-use-separate-iterator-while-filling-.patch new file mode 100644 index 0000000000..196fff2694 --- /dev/null +++ b/queue-6.12/drm-xe-xe_query-use-separate-iterator-while-filling-.patch @@ -0,0 +1,89 @@ +From e0b325585b0c52a44964f23b1d414771d6edf66b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 13:13:28 -0700 +Subject: drm/xe/xe_query: Use separate iterator while filling GT list + +From: Matt Roper + +[ Upstream commit d4eb4a010262ea7801e576d1033b355910f2f7d4 ] + +The 'id' value updated by for_each_gt() is the uapi GT ID of the GTs +being iterated over, and may skip over values if a GT is not present on +the device. Use a separate iterator for GT list array assignments to +ensure that the array will be filled properly on future platforms where +index in the GT query list may not match the uapi ID. + +v2: + - Include the missing increment of the iterator. (Jonathan) + +Cc: Jonathan Cavitt +Reviewed-by: Jonathan Cavitt +Link: https://lore.kernel.org/r/20250701201320.2514369-16-matthew.d.roper@intel.com +Signed-off-by: Matt Roper +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_query.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_query.c b/drivers/gpu/drm/xe/xe_query.c +index 6fec5d1a1eb4..6e7c940d7e22 100644 +--- a/drivers/gpu/drm/xe/xe_query.c ++++ b/drivers/gpu/drm/xe/xe_query.c +@@ -366,6 +366,7 @@ static int query_gt_list(struct xe_device *xe, struct drm_xe_device_query *query + struct drm_xe_query_gt_list __user *query_ptr = + u64_to_user_ptr(query->data); + struct drm_xe_query_gt_list *gt_list; ++ int iter = 0; + u8 id; + + if (query->size == 0) { +@@ -383,12 +384,12 @@ static int query_gt_list(struct xe_device *xe, struct drm_xe_device_query *query + + for_each_gt(gt, xe, id) { + if (xe_gt_is_media_type(gt)) +- gt_list->gt_list[id].type = DRM_XE_QUERY_GT_TYPE_MEDIA; ++ gt_list->gt_list[iter].type = DRM_XE_QUERY_GT_TYPE_MEDIA; + else +- gt_list->gt_list[id].type = DRM_XE_QUERY_GT_TYPE_MAIN; +- gt_list->gt_list[id].tile_id = gt_to_tile(gt)->id; +- gt_list->gt_list[id].gt_id = gt->info.id; +- gt_list->gt_list[id].reference_clock = gt->info.reference_clock; ++ gt_list->gt_list[iter].type = DRM_XE_QUERY_GT_TYPE_MAIN; ++ gt_list->gt_list[iter].tile_id = gt_to_tile(gt)->id; ++ gt_list->gt_list[iter].gt_id = gt->info.id; ++ gt_list->gt_list[iter].reference_clock = gt->info.reference_clock; + /* + * The mem_regions indexes in the mask below need to + * directly identify the struct +@@ -404,19 +405,21 @@ static int query_gt_list(struct xe_device *xe, struct drm_xe_device_query *query + * assumption. + */ + if (!IS_DGFX(xe)) +- gt_list->gt_list[id].near_mem_regions = 0x1; ++ gt_list->gt_list[iter].near_mem_regions = 0x1; + else +- gt_list->gt_list[id].near_mem_regions = ++ gt_list->gt_list[iter].near_mem_regions = + BIT(gt_to_tile(gt)->id) << 1; +- gt_list->gt_list[id].far_mem_regions = xe->info.mem_region_mask ^ +- gt_list->gt_list[id].near_mem_regions; ++ gt_list->gt_list[iter].far_mem_regions = xe->info.mem_region_mask ^ ++ gt_list->gt_list[iter].near_mem_regions; + +- gt_list->gt_list[id].ip_ver_major = ++ gt_list->gt_list[iter].ip_ver_major = + REG_FIELD_GET(GMD_ID_ARCH_MASK, gt->info.gmdid); +- gt_list->gt_list[id].ip_ver_minor = ++ gt_list->gt_list[iter].ip_ver_minor = + REG_FIELD_GET(GMD_ID_RELEASE_MASK, gt->info.gmdid); +- gt_list->gt_list[id].ip_ver_rev = ++ gt_list->gt_list[iter].ip_ver_rev = + REG_FIELD_GET(GMD_ID_REVID, gt->info.gmdid); ++ ++ iter++; + } + + if (copy_to_user(query_ptr, gt_list, size)) { +-- +2.39.5 + diff --git a/queue-6.12/edac-synopsys-clear-the-ecc-counters-on-init.patch b/queue-6.12/edac-synopsys-clear-the-ecc-counters-on-init.patch new file mode 100644 index 0000000000..c59c7e53d5 --- /dev/null +++ b/queue-6.12/edac-synopsys-clear-the-ecc-counters-on-init.patch @@ -0,0 +1,202 @@ +From f5b1c0ef6c4ff494d0dc1762197ef0fe201859ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Jul 2025 10:37:53 +0530 +Subject: EDAC/synopsys: Clear the ECC counters on init + +From: Shubhrajyoti Datta + +[ Upstream commit b1dc7f097b78eb8d25b071ead2384b07a549692b ] + +Clear the ECC error and counter registers during initialization/probe to avoid +reporting stale errors that may have occurred before EDAC registration. + +For that, unify the Zynq and ZynqMP ECC state reading paths and simplify the +code. + + [ bp: Massage commit message. + Fix an -Wsometimes-uninitialized warning as reported by + Reported-by: kernel test robot + Closes: https://lore.kernel.org/oe-kbuild-all/202507141048.obUv3ZUm-lkp@intel.com ] + +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/20250713050753.7042-1-shubhrajyoti.datta@amd.com +Signed-off-by: Sasha Levin +--- + drivers/edac/synopsys_edac.c | 97 +++++++++++++++++------------------- + 1 file changed, 46 insertions(+), 51 deletions(-) + +diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c +index d7416166fd8a..ec3ed5e2b2d7 100644 +--- a/drivers/edac/synopsys_edac.c ++++ b/drivers/edac/synopsys_edac.c +@@ -332,20 +332,26 @@ struct synps_edac_priv { + #endif + }; + ++enum synps_platform_type { ++ ZYNQ, ++ ZYNQMP, ++ SYNPS, ++}; ++ + /** + * struct synps_platform_data - synps platform data structure. ++ * @platform: Identifies the target hardware platform + * @get_error_info: Get EDAC error info. + * @get_mtype: Get mtype. + * @get_dtype: Get dtype. +- * @get_ecc_state: Get ECC state. + * @get_mem_info: Get EDAC memory info + * @quirks: To differentiate IPs. + */ + struct synps_platform_data { ++ enum synps_platform_type platform; + int (*get_error_info)(struct synps_edac_priv *priv); + enum mem_type (*get_mtype)(const void __iomem *base); + enum dev_type (*get_dtype)(const void __iomem *base); +- bool (*get_ecc_state)(void __iomem *base); + #ifdef CONFIG_EDAC_DEBUG + u64 (*get_mem_info)(struct synps_edac_priv *priv); + #endif +@@ -720,51 +726,38 @@ static enum dev_type zynqmp_get_dtype(const void __iomem *base) + return dt; + } + +-/** +- * zynq_get_ecc_state - Return the controller ECC enable/disable status. +- * @base: DDR memory controller base address. +- * +- * Get the ECC enable/disable status of the controller. +- * +- * Return: true if enabled, otherwise false. +- */ +-static bool zynq_get_ecc_state(void __iomem *base) ++static bool get_ecc_state(struct synps_edac_priv *priv) + { ++ u32 ecctype, clearval; + enum dev_type dt; +- u32 ecctype; +- +- dt = zynq_get_dtype(base); +- if (dt == DEV_UNKNOWN) +- return false; + +- ecctype = readl(base + SCRUB_OFST) & SCRUB_MODE_MASK; +- if ((ecctype == SCRUB_MODE_SECDED) && (dt == DEV_X2)) +- return true; +- +- return false; +-} +- +-/** +- * zynqmp_get_ecc_state - Return the controller ECC enable/disable status. +- * @base: DDR memory controller base address. +- * +- * Get the ECC enable/disable status for the controller. +- * +- * Return: a ECC status boolean i.e true/false - enabled/disabled. +- */ +-static bool zynqmp_get_ecc_state(void __iomem *base) +-{ +- enum dev_type dt; +- u32 ecctype; +- +- dt = zynqmp_get_dtype(base); +- if (dt == DEV_UNKNOWN) +- return false; +- +- ecctype = readl(base + ECC_CFG0_OFST) & SCRUB_MODE_MASK; +- if ((ecctype == SCRUB_MODE_SECDED) && +- ((dt == DEV_X2) || (dt == DEV_X4) || (dt == DEV_X8))) +- return true; ++ if (priv->p_data->platform == ZYNQ) { ++ dt = zynq_get_dtype(priv->baseaddr); ++ if (dt == DEV_UNKNOWN) ++ return false; ++ ++ ecctype = readl(priv->baseaddr + SCRUB_OFST) & SCRUB_MODE_MASK; ++ if (ecctype == SCRUB_MODE_SECDED && dt == DEV_X2) { ++ clearval = ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_UE_ERR; ++ writel(clearval, priv->baseaddr + ECC_CTRL_OFST); ++ writel(0x0, priv->baseaddr + ECC_CTRL_OFST); ++ return true; ++ } ++ } else { ++ dt = zynqmp_get_dtype(priv->baseaddr); ++ if (dt == DEV_UNKNOWN) ++ return false; ++ ++ ecctype = readl(priv->baseaddr + ECC_CFG0_OFST) & SCRUB_MODE_MASK; ++ if (ecctype == SCRUB_MODE_SECDED && ++ (dt == DEV_X2 || dt == DEV_X4 || dt == DEV_X8)) { ++ clearval = readl(priv->baseaddr + ECC_CLR_OFST) | ++ ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_CE_ERRCNT | ++ ECC_CTRL_CLR_UE_ERR | ECC_CTRL_CLR_UE_ERRCNT; ++ writel(clearval, priv->baseaddr + ECC_CLR_OFST); ++ return true; ++ } ++ } + + return false; + } +@@ -934,18 +927,18 @@ static int setup_irq(struct mem_ctl_info *mci, + } + + static const struct synps_platform_data zynq_edac_def = { ++ .platform = ZYNQ, + .get_error_info = zynq_get_error_info, + .get_mtype = zynq_get_mtype, + .get_dtype = zynq_get_dtype, +- .get_ecc_state = zynq_get_ecc_state, + .quirks = 0, + }; + + static const struct synps_platform_data zynqmp_edac_def = { ++ .platform = ZYNQMP, + .get_error_info = zynqmp_get_error_info, + .get_mtype = zynqmp_get_mtype, + .get_dtype = zynqmp_get_dtype, +- .get_ecc_state = zynqmp_get_ecc_state, + #ifdef CONFIG_EDAC_DEBUG + .get_mem_info = zynqmp_get_mem_info, + #endif +@@ -957,10 +950,10 @@ static const struct synps_platform_data zynqmp_edac_def = { + }; + + static const struct synps_platform_data synopsys_edac_def = { ++ .platform = SYNPS, + .get_error_info = zynqmp_get_error_info, + .get_mtype = zynqmp_get_mtype, + .get_dtype = zynqmp_get_dtype, +- .get_ecc_state = zynqmp_get_ecc_state, + .quirks = (DDR_ECC_INTR_SUPPORT | DDR_ECC_INTR_SELF_CLEAR + #ifdef CONFIG_EDAC_DEBUG + | DDR_ECC_DATA_POISON_SUPPORT +@@ -1390,10 +1383,6 @@ static int mc_probe(struct platform_device *pdev) + if (!p_data) + return -ENODEV; + +- if (!p_data->get_ecc_state(baseaddr)) { +- edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n"); +- return -ENXIO; +- } + + layers[0].type = EDAC_MC_LAYER_CHIP_SELECT; + layers[0].size = SYNPS_EDAC_NR_CSROWS; +@@ -1413,6 +1402,12 @@ static int mc_probe(struct platform_device *pdev) + priv = mci->pvt_info; + priv->baseaddr = baseaddr; + priv->p_data = p_data; ++ if (!get_ecc_state(priv)) { ++ edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n"); ++ rc = -ENODEV; ++ goto free_edac_mc; ++ } ++ + spin_lock_init(&priv->reglock); + + mc_init(mci, pdev); +-- +2.39.5 + diff --git a/queue-6.12/et131x-add-missing-check-after-dma-map.patch b/queue-6.12/et131x-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..116e8e3808 --- /dev/null +++ b/queue-6.12/et131x-add-missing-check-after-dma-map.patch @@ -0,0 +1,100 @@ +From 1421d8b1dbfb6e944f78e14e8ba7dabcb5619371 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:47:30 +0200 +Subject: et131x: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit d61f6cb6f6ef3c70d2ccc0d9c85c508cb8017da9 ] + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, unmap and return an error. + +Signed-off-by: Thomas Fourier +Acked-by: Mark Einon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250716094733.28734-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/agere/et131x.c | 36 +++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/drivers/net/ethernet/agere/et131x.c b/drivers/net/ethernet/agere/et131x.c +index b325e0cef120..c956151adee5 100644 +--- a/drivers/net/ethernet/agere/et131x.c ++++ b/drivers/net/ethernet/agere/et131x.c +@@ -2459,6 +2459,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + skb->data, + skb_headlen(skb), + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ dma_addr)) ++ return -ENOMEM; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2468,6 +2472,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + skb->data, + skb_headlen(skb) / 2, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ dma_addr)) ++ return -ENOMEM; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2478,6 +2486,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + skb_headlen(skb) / 2, + skb_headlen(skb) / 2, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ dma_addr)) ++ goto unmap_first_out; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2489,6 +2501,9 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + 0, + desc[frag].len_vlan, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, dma_addr)) ++ goto unmap_out; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2578,6 +2593,27 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + &adapter->regs->global.watchdog_timer); + } + return 0; ++ ++unmap_out: ++ // Unmap the body of the packet with map_page ++ while (--i) { ++ frag--; ++ dma_addr = desc[frag].addr_lo; ++ dma_addr |= (u64)desc[frag].addr_hi << 32; ++ dma_unmap_page(&adapter->pdev->dev, dma_addr, ++ desc[frag].len_vlan, DMA_TO_DEVICE); ++ } ++ ++unmap_first_out: ++ // Unmap the header with map_single ++ while (frag--) { ++ dma_addr = desc[frag].addr_lo; ++ dma_addr |= (u64)desc[frag].addr_hi << 32; ++ dma_unmap_single(&adapter->pdev->dev, dma_addr, ++ desc[frag].len_vlan, DMA_TO_DEVICE); ++ } ++ ++ return -ENOMEM; + } + + static int send_packet(struct sk_buff *skb, struct et131x_adapter *adapter) +-- +2.39.5 + diff --git a/queue-6.12/exfat-add-cluster-chain-loop-check-for-dir.patch b/queue-6.12/exfat-add-cluster-chain-loop-check-for-dir.patch new file mode 100644 index 0000000000..1a142fd205 --- /dev/null +++ b/queue-6.12/exfat-add-cluster-chain-loop-check-for-dir.patch @@ -0,0 +1,227 @@ +From b64ede9e275d9d4700d32b72d9304ff3e1e9e61d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 17:00:49 +0800 +Subject: exfat: add cluster chain loop check for dir + +From: Yuezhang Mo + +[ Upstream commit 99f9a97dce39ad413c39b92c90393bbd6778f3fd ] + +An infinite loop may occur if the following conditions occur due to +file system corruption. + +(1) Condition for exfat_count_dir_entries() to loop infinitely. + - The cluster chain includes a loop. + - There is no UNUSED entry in the cluster chain. + +(2) Condition for exfat_create_upcase_table() to loop infinitely. + - The cluster chain of the root directory includes a loop. + - There are no UNUSED entry and up-case table entry in the cluster + chain of the root directory. + +(3) Condition for exfat_load_bitmap() to loop infinitely. + - The cluster chain of the root directory includes a loop. + - There are no UNUSED entry and bitmap entry in the cluster chain + of the root directory. + +(4) Condition for exfat_find_dir_entry() to loop infinitely. + - The cluster chain includes a loop. + - The unused directory entries were exhausted by some operation. + +(5) Condition for exfat_check_dir_empty() to loop infinitely. + - The cluster chain includes a loop. + - The unused directory entries were exhausted by some operation. + - All files and sub-directories under the directory are deleted. + +This commit adds checks to break the above infinite loop. + +Signed-off-by: Yuezhang Mo +Signed-off-by: Namjae Jeon +Signed-off-by: Sasha Levin +--- + fs/exfat/dir.c | 12 ++++++++++++ + fs/exfat/fatent.c | 10 ++++++++++ + fs/exfat/namei.c | 5 +++++ + fs/exfat/super.c | 32 +++++++++++++++++++++----------- + 4 files changed, 48 insertions(+), 11 deletions(-) + +diff --git a/fs/exfat/dir.c b/fs/exfat/dir.c +index 9d8848872fe8..1c428f7f83f5 100644 +--- a/fs/exfat/dir.c ++++ b/fs/exfat/dir.c +@@ -1015,6 +1015,7 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei, + struct exfat_hint_femp candi_empty; + struct exfat_sb_info *sbi = EXFAT_SB(sb); + int num_entries = exfat_calc_num_entries(p_uniname); ++ unsigned int clu_count = 0; + + if (num_entries < 0) + return num_entries; +@@ -1152,6 +1153,10 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei, + } else { + if (exfat_get_next_cluster(sb, &clu.dir)) + return -EIO; ++ ++ /* break if the cluster chain includes a loop */ ++ if (unlikely(++clu_count > EXFAT_DATA_CLUSTER_COUNT(sbi))) ++ goto not_found; + } + } + +@@ -1214,6 +1219,7 @@ int exfat_count_dir_entries(struct super_block *sb, struct exfat_chain *p_dir) + int i, count = 0; + int dentries_per_clu; + unsigned int entry_type; ++ unsigned int clu_count = 0; + struct exfat_chain clu; + struct exfat_dentry *ep; + struct exfat_sb_info *sbi = EXFAT_SB(sb); +@@ -1246,6 +1252,12 @@ int exfat_count_dir_entries(struct super_block *sb, struct exfat_chain *p_dir) + } else { + if (exfat_get_next_cluster(sb, &(clu.dir))) + return -EIO; ++ ++ if (unlikely(++clu_count > sbi->used_clusters)) { ++ exfat_fs_error(sb, "FAT or bitmap is corrupted"); ++ return -EIO; ++ } ++ + } + } + +diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c +index 8df5ad6ebb10..0c60ddc24c54 100644 +--- a/fs/exfat/fatent.c ++++ b/fs/exfat/fatent.c +@@ -461,5 +461,15 @@ int exfat_count_num_clusters(struct super_block *sb, + } + + *ret_count = count; ++ ++ /* ++ * since exfat_count_used_clusters() is not called, sbi->used_clusters ++ * cannot be used here. ++ */ ++ if (unlikely(i == sbi->num_clusters && clu != EXFAT_EOF_CLUSTER)) { ++ exfat_fs_error(sb, "The cluster chain has a loop"); ++ return -EIO; ++ } ++ + return 0; + } +diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c +index 7b3951951f8a..e9624eb61cbc 100644 +--- a/fs/exfat/namei.c ++++ b/fs/exfat/namei.c +@@ -888,6 +888,7 @@ static int exfat_check_dir_empty(struct super_block *sb, + { + int i, dentries_per_clu; + unsigned int type; ++ unsigned int clu_count = 0; + struct exfat_chain clu; + struct exfat_dentry *ep; + struct exfat_sb_info *sbi = EXFAT_SB(sb); +@@ -924,6 +925,10 @@ static int exfat_check_dir_empty(struct super_block *sb, + } else { + if (exfat_get_next_cluster(sb, &(clu.dir))) + return -EIO; ++ ++ /* break if the cluster chain includes a loop */ ++ if (unlikely(++clu_count > EXFAT_DATA_CLUSTER_COUNT(sbi))) ++ break; + } + } + +diff --git a/fs/exfat/super.c b/fs/exfat/super.c +index bd57844414aa..7aaf1ed6aee9 100644 +--- a/fs/exfat/super.c ++++ b/fs/exfat/super.c +@@ -370,13 +370,12 @@ static void exfat_hash_init(struct super_block *sb) + INIT_HLIST_HEAD(&sbi->inode_hashtable[i]); + } + +-static int exfat_read_root(struct inode *inode) ++static int exfat_read_root(struct inode *inode, struct exfat_chain *root_clu) + { + struct super_block *sb = inode->i_sb; + struct exfat_sb_info *sbi = EXFAT_SB(sb); + struct exfat_inode_info *ei = EXFAT_I(inode); +- struct exfat_chain cdir; +- int num_subdirs, num_clu = 0; ++ int num_subdirs; + + exfat_chain_set(&ei->dir, sbi->root_dir, 0, ALLOC_FAT_CHAIN); + ei->entry = -1; +@@ -389,12 +388,9 @@ static int exfat_read_root(struct inode *inode) + ei->hint_stat.clu = sbi->root_dir; + ei->hint_femp.eidx = EXFAT_HINT_NONE; + +- exfat_chain_set(&cdir, sbi->root_dir, 0, ALLOC_FAT_CHAIN); +- if (exfat_count_num_clusters(sb, &cdir, &num_clu)) +- return -EIO; +- i_size_write(inode, num_clu << sbi->cluster_size_bits); ++ i_size_write(inode, EXFAT_CLU_TO_B(root_clu->size, sbi)); + +- num_subdirs = exfat_count_dir_entries(sb, &cdir); ++ num_subdirs = exfat_count_dir_entries(sb, root_clu); + if (num_subdirs < 0) + return -EIO; + set_nlink(inode, num_subdirs + EXFAT_MIN_SUBDIR); +@@ -608,7 +604,8 @@ static int exfat_verify_boot_region(struct super_block *sb) + } + + /* mount the file system volume */ +-static int __exfat_fill_super(struct super_block *sb) ++static int __exfat_fill_super(struct super_block *sb, ++ struct exfat_chain *root_clu) + { + int ret; + struct exfat_sb_info *sbi = EXFAT_SB(sb); +@@ -625,6 +622,18 @@ static int __exfat_fill_super(struct super_block *sb) + goto free_bh; + } + ++ /* ++ * Call exfat_count_num_cluster() before searching for up-case and ++ * bitmap directory entries to avoid infinite loop if they are missing ++ * and the cluster chain includes a loop. ++ */ ++ exfat_chain_set(root_clu, sbi->root_dir, 0, ALLOC_FAT_CHAIN); ++ ret = exfat_count_num_clusters(sb, root_clu, &root_clu->size); ++ if (ret) { ++ exfat_err(sb, "failed to count the number of clusters in root"); ++ goto free_bh; ++ } ++ + ret = exfat_create_upcase_table(sb); + if (ret) { + exfat_err(sb, "failed to load upcase table"); +@@ -657,6 +666,7 @@ static int exfat_fill_super(struct super_block *sb, struct fs_context *fc) + struct exfat_sb_info *sbi = sb->s_fs_info; + struct exfat_mount_options *opts = &sbi->options; + struct inode *root_inode; ++ struct exfat_chain root_clu; + int err; + + if (opts->allow_utime == (unsigned short)-1) +@@ -675,7 +685,7 @@ static int exfat_fill_super(struct super_block *sb, struct fs_context *fc) + sb->s_time_min = EXFAT_MIN_TIMESTAMP_SECS; + sb->s_time_max = EXFAT_MAX_TIMESTAMP_SECS; + +- err = __exfat_fill_super(sb); ++ err = __exfat_fill_super(sb, &root_clu); + if (err) { + exfat_err(sb, "failed to recognize exfat type"); + goto check_nls_io; +@@ -710,7 +720,7 @@ static int exfat_fill_super(struct super_block *sb, struct fs_context *fc) + + root_inode->i_ino = EXFAT_ROOT_INO; + inode_set_iversion(root_inode, 1); +- err = exfat_read_root(root_inode); ++ err = exfat_read_root(root_inode, &root_clu); + if (err) { + exfat_err(sb, "failed to initialize root inode"); + goto put_inode; +-- +2.39.5 + diff --git a/queue-6.12/ext2-handle-fiemap-on-empty-files-to-prevent-einval.patch b/queue-6.12/ext2-handle-fiemap-on-empty-files-to-prevent-einval.patch new file mode 100644 index 0000000000..1bacb81456 --- /dev/null +++ b/queue-6.12/ext2-handle-fiemap-on-empty-files-to-prevent-einval.patch @@ -0,0 +1,51 @@ +From 6f660efc247ffd3b2e5b1c305112121893080868 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 11:18:38 -0400 +Subject: ext2: Handle fiemap on empty files to prevent EINVAL + +From: Wei Gao + +[ Upstream commit a099b09a3342a0b28ea330e405501b5b4d0424b4 ] + +Previously, ext2_fiemap would unconditionally apply "len = min_t(u64, len, +i_size_read(inode));", When inode->i_size was 0 (for an empty file), this +would reduce the requested len to 0. Passing len = 0 to iomap_fiemap could +then result in an -EINVAL error, even for valid queries on empty files. + +Link: https://github.com/linux-test-project/ltp/issues/1246 +Signed-off-by: Wei Gao +Signed-off-by: Jan Kara +Link: https://patch.msgid.link/20250613152402.3432135-1-wegao@suse.com +Signed-off-by: Sasha Levin +--- + fs/ext2/inode.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c +index 30f8201c155f..177b1f852b63 100644 +--- a/fs/ext2/inode.c ++++ b/fs/ext2/inode.c +@@ -895,9 +895,19 @@ int ext2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, + u64 start, u64 len) + { + int ret; ++ loff_t i_size; + + inode_lock(inode); +- len = min_t(u64, len, i_size_read(inode)); ++ i_size = i_size_read(inode); ++ /* ++ * iomap_fiemap() returns EINVAL for 0 length. Make sure we don't trim ++ * length to 0 but still trim the range as much as possible since ++ * ext2_get_blocks() iterates unmapped space block by block which is ++ * slow. ++ */ ++ if (i_size == 0) ++ i_size = 1; ++ len = min_t(u64, len, i_size); + ret = iomap_fiemap(inode, fieinfo, start, len, &ext2_iomap_ops); + inode_unlock(inode); + +-- +2.39.5 + diff --git a/queue-6.12/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch b/queue-6.12/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch new file mode 100644 index 0000000000..60415dc7c6 --- /dev/null +++ b/queue-6.12/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch @@ -0,0 +1,73 @@ +From 4f519018093f734545702d5ca88c9e137ec4a905 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:54:34 -0400 +Subject: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr + +From: Theodore Ts'o + +[ Upstream commit 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 ] + +A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() +when an inode had the INLINE_DATA_FL flag set but was missing the +system.data extended attribute. + +Since this can happen due to a maiciouly fuzzed file system, we +shouldn't BUG, but rather, report it as a corrupted file system. + +Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii +ext4_create_inline_data() and ext4_inline_data_truncate(). + +Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inline.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index e02a3141637a..9fb5e0f172a7 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -298,7 +298,11 @@ static int ext4_create_inline_data(handle_t *handle, + if (error) + goto out; + +- BUG_ON(!is.s.not_found); ++ if (!is.s.not_found) { ++ EXT4_ERROR_INODE(inode, "unexpected inline data xattr"); ++ error = -EFSCORRUPTED; ++ goto out; ++ } + + error = ext4_xattr_ibody_set(handle, inode, &i, &is); + if (error) { +@@ -349,7 +353,11 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode, + if (error) + goto out; + +- BUG_ON(is.s.not_found); ++ if (is.s.not_found) { ++ EXT4_ERROR_INODE(inode, "missing inline data xattr"); ++ error = -EFSCORRUPTED; ++ goto out; ++ } + + len -= EXT4_MIN_INLINE_DATA_SIZE; + value = kzalloc(len, GFP_NOFS); +@@ -1969,7 +1977,12 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline) + if ((err = ext4_xattr_ibody_find(inode, &i, &is)) != 0) + goto out_error; + +- BUG_ON(is.s.not_found); ++ if (is.s.not_found) { ++ EXT4_ERROR_INODE(inode, ++ "missing inline data xattr"); ++ err = -EFSCORRUPTED; ++ goto out_error; ++ } + + value_len = le32_to_cpu(is.s.here->e_value_size); + value = kmalloc(value_len, GFP_NOFS); +-- +2.39.5 + diff --git a/queue-6.12/f2fs-check-the-generic-conditions-first.patch b/queue-6.12/f2fs-check-the-generic-conditions-first.patch new file mode 100644 index 0000000000..27c232fb24 --- /dev/null +++ b/queue-6.12/f2fs-check-the-generic-conditions-first.patch @@ -0,0 +1,65 @@ +From ad2ea1acfeba0e72349e1cfa4c5cee6724f311c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 16:06:09 +0000 +Subject: f2fs: check the generic conditions first + +From: Jaegeuk Kim + +[ Upstream commit e23ab8028de0d92df5921a570f5212c0370db3b5 ] + +Let's return errors caught by the generic checks. This fixes generic/494 where +it expects to see EBUSY by setattr_prepare instead of EINVAL by f2fs for active +swapfile. + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index d9037e74631c..fa77841f3e2c 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1003,6 +1003,18 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + if (unlikely(f2fs_cp_error(F2FS_I_SB(inode)))) + return -EIO; + ++ err = setattr_prepare(idmap, dentry, attr); ++ if (err) ++ return err; ++ ++ err = fscrypt_prepare_setattr(dentry, attr); ++ if (err) ++ return err; ++ ++ err = fsverity_prepare_setattr(dentry, attr); ++ if (err) ++ return err; ++ + if (unlikely(IS_IMMUTABLE(inode))) + return -EPERM; + +@@ -1020,18 +1032,6 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + return -EINVAL; + } + +- err = setattr_prepare(idmap, dentry, attr); +- if (err) +- return err; +- +- err = fscrypt_prepare_setattr(dentry, attr); +- if (err) +- return err; +- +- err = fsverity_prepare_setattr(dentry, attr); +- if (err) +- return err; +- + if (is_quota_modification(idmap, inode, attr)) { + err = f2fs_dquot_initialize(inode); + if (err) +-- +2.39.5 + diff --git a/queue-6.12/fbdev-fix-potential-buffer-overflow-in-do_register_f.patch b/queue-6.12/fbdev-fix-potential-buffer-overflow-in-do_register_f.patch new file mode 100644 index 0000000000..f315a6070f --- /dev/null +++ b/queue-6.12/fbdev-fix-potential-buffer-overflow-in-do_register_f.patch @@ -0,0 +1,40 @@ +From 5934a77312abdd8e29c8c8b0cc0292e68fe25215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 17:07:04 +0800 +Subject: fbdev: fix potential buffer overflow in do_register_framebuffer() + +From: Yongzhen Zhang + +[ Upstream commit 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 ] + +The current implementation may lead to buffer overflow when: +1. Unregistration creates NULL gaps in registered_fb[] +2. All array slots become occupied despite num_registered_fb < FB_MAX +3. The registration loop exceeds array bounds + +Add boundary check to prevent registered_fb[FB_MAX] access. + +Signed-off-by: Yongzhen Zhang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmem.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index eca2498f2436..6a033bf17ab6 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -403,6 +403,9 @@ static int do_register_framebuffer(struct fb_info *fb_info) + if (!registered_fb[i]) + break; + ++ if (i >= FB_MAX) ++ return -ENXIO; ++ + if (!fb_info->modelist.prev || !fb_info->modelist.next) + INIT_LIST_HEAD(&fb_info->modelist); + +-- +2.39.5 + diff --git a/queue-6.12/firmware-arm_ffa-change-initcall-level-of-ffa_init-t.patch b/queue-6.12/firmware-arm_ffa-change-initcall-level-of-ffa_init-t.patch new file mode 100644 index 0000000000..f2b6f7913f --- /dev/null +++ b/queue-6.12/firmware-arm_ffa-change-initcall-level-of-ffa_init-t.patch @@ -0,0 +1,81 @@ +From 11d89b92cf778898b7b0dddff51ecf989842261e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jul 2025 13:27:02 +0300 +Subject: firmware: arm_ffa: Change initcall level of ffa_init() to + rootfs_initcall +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yeoreum Yun + +[ Upstream commit 0e0546eabcd6c19765a8dbf5b5db3723e7b0ea75 ] + +The Linux IMA (Integrity Measurement Architecture) subsystem used for +secure boot, file integrity, or remote attestation cannot be a loadable +module for few reasons listed below: + + o Boot-Time Integrity: IMA’s main role is to measure and appraise files + before they are used. This includes measuring critical system files during + early boot (e.g., init, init scripts, login binaries). If IMA were a + module, it would be loaded too late to cover those. + + o TPM Dependency: IMA integrates tightly with the TPM to record + measurements into PCRs. The TPM must be initialized early (ideally before + init_ima()), which aligns with IMA being built-in. + + o Security Model: IMA is part of a Trusted Computing Base (TCB). Making it + a module would weaken the security model, as a potentially compromised + system could delay or tamper with its initialization. + +IMA must be built-in to ensure it starts measuring from the earliest +possible point in boot which inturn implies TPM must be initialised and +ready to use before IMA. + +To enable integration of tpm_event_log with the IMA subsystem, the TPM +drivers (tpm_crb and tpm_crb_ffa) also needs to be built-in. However with +FF-A driver also being initialised at device initcall level, it can lead to +an initialization order issue where: + - crb_acpi_driver_init() may run before tpm_crb_ffa_driver()_init and + ffa_init() + - As a result, probing the TPM device via CRB over FFA is deferred + - ima_init() (called as a late initcall) runs before deferred probe + completes, IMA fails to find the TPM and logs the below error: + + | ima: No TPM chip found, activating TPM-bypass! + +Eventually it fails to generate boot_aggregate with PCR values. + +Because of the above stated dependency, the ffa driver needs to initialised +before tpm_crb_ffa module to ensure IMA finds the TPM successfully when +present. + +[ jarkko: reformatted some of the paragraphs because they were going past + the 75 character boundary. ] + +Signed-off-by: Yeoreum Yun +Reviewed-by: Mimi Zohar +Reviewed-by: Sudeep Holla +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_ffa/driver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c +index 83dad9c2da06..9fdfccbc6479 100644 +--- a/drivers/firmware/arm_ffa/driver.c ++++ b/drivers/firmware/arm_ffa/driver.c +@@ -1815,7 +1815,7 @@ static int __init ffa_init(void) + kfree(drv_info); + return ret; + } +-module_init(ffa_init); ++rootfs_initcall(ffa_init); + + static void __exit ffa_exit(void) + { +-- +2.39.5 + diff --git a/queue-6.12/firmware-arm_scmi-power_control-ensure-scmi_syspower.patch b/queue-6.12/firmware-arm_scmi-power_control-ensure-scmi_syspower.patch new file mode 100644 index 0000000000..d2566470b4 --- /dev/null +++ b/queue-6.12/firmware-arm_scmi-power_control-ensure-scmi_syspower.patch @@ -0,0 +1,98 @@ +From 1c659256d5999d21be4d37585a5376e6893fb615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 11:09:36 +0800 +Subject: firmware: arm_scmi: power_control: Ensure SCMI_SYSPOWER_IDLE is set + early during resume + +From: Peng Fan + +[ Upstream commit 9a0658d3991e6c82df87584b253454842f22f965 ] + +Fix a race condition where a second suspend notification from another +SCMI agent wakes the system before SCMI_SYSPOWER_IDLE is set, leading +to ignored suspend requests. This is due to interrupts triggering early +execution of `scmi_userspace_notifier()` before the SCMI state is updated. + +To resolve this, set SCMI_SYSPOWER_IDLE earlier in the device resume +path, prior to `thaw_processes()`. This ensures the SCMI state is +correct when the notifier runs, allowing the system to suspend again +as expected. + +On some platforms using SCMI, SCP cannot distinguish between CPU idle +and suspend since both result in cluster power-off. By explicitly setting +the idle state early, the Linux SCMI agent can correctly re-suspend in +response to external notifications. + +Signed-off-by: Peng Fan +Message-Id: <20250704-scmi-pm-v2-2-9316cec2f9cc@nxp.com> +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + .../firmware/arm_scmi/scmi_power_control.c | 22 ++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/scmi_power_control.c b/drivers/firmware/arm_scmi/scmi_power_control.c +index 21f467a92942..ab0cee0d4bec 100644 +--- a/drivers/firmware/arm_scmi/scmi_power_control.c ++++ b/drivers/firmware/arm_scmi/scmi_power_control.c +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -324,12 +325,7 @@ static int scmi_userspace_notifier(struct notifier_block *nb, + + static void scmi_suspend_work_func(struct work_struct *work) + { +- struct scmi_syspower_conf *sc = +- container_of(work, struct scmi_syspower_conf, suspend_work); +- + pm_suspend(PM_SUSPEND_MEM); +- +- sc->state = SCMI_SYSPOWER_IDLE; + } + + static int scmi_syspower_probe(struct scmi_device *sdev) +@@ -354,6 +350,7 @@ static int scmi_syspower_probe(struct scmi_device *sdev) + sc->required_transition = SCMI_SYSTEM_MAX; + sc->userspace_nb.notifier_call = &scmi_userspace_notifier; + sc->dev = &sdev->dev; ++ dev_set_drvdata(&sdev->dev, sc); + + INIT_WORK(&sc->suspend_work, scmi_suspend_work_func); + +@@ -363,6 +360,18 @@ static int scmi_syspower_probe(struct scmi_device *sdev) + NULL, &sc->userspace_nb); + } + ++static int scmi_system_power_resume(struct device *dev) ++{ ++ struct scmi_syspower_conf *sc = dev_get_drvdata(dev); ++ ++ sc->state = SCMI_SYSPOWER_IDLE; ++ return 0; ++} ++ ++static const struct dev_pm_ops scmi_system_power_pmops = { ++ SET_SYSTEM_SLEEP_PM_OPS(NULL, scmi_system_power_resume) ++}; ++ + static const struct scmi_device_id scmi_id_table[] = { + { SCMI_PROTOCOL_SYSTEM, "syspower" }, + { }, +@@ -370,6 +379,9 @@ static const struct scmi_device_id scmi_id_table[] = { + MODULE_DEVICE_TABLE(scmi, scmi_id_table); + + static struct scmi_driver scmi_system_power_driver = { ++ .driver = { ++ .pm = &scmi_system_power_pmops, ++ }, + .name = "scmi-system-power", + .probe = scmi_syspower_probe, + .id_table = scmi_id_table, +-- +2.39.5 + diff --git a/queue-6.12/firmware-qcom-scm-initialize-tzmem-before-marking-sc.patch b/queue-6.12/firmware-qcom-scm-initialize-tzmem-before-marking-sc.patch new file mode 100644 index 0000000000..ee51090f2c --- /dev/null +++ b/queue-6.12/firmware-qcom-scm-initialize-tzmem-before-marking-sc.patch @@ -0,0 +1,100 @@ +From ce4f7568dafb70487161ee1d80862d5ebbac8b07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 14:12:04 +0200 +Subject: firmware: qcom: scm: initialize tzmem before marking SCM as available + +From: Bartosz Golaszewski + +[ Upstream commit 87be3e7a2d0030cda6314d2ec96b37991f636ccd ] + +Now that qcom_scm_shm_bridge_enable() uses the struct device passed to +it as argument to make the QCOM_SCM_MP_SHM_BRIDGE_ENABLE SCM call, we +can move the TZMem initialization before the assignment of the __scm +pointer in the SCM driver (which marks SCM as ready to users) thus +fixing the potential race between consumer calls and the memory pool +initialization. + +Reported-by: Johan Hovold +Closes: https://lore.kernel.org/all/20250120151000.13870-1-johan+linaro@kernel.org/ +Signed-off-by: Bartosz Golaszewski +Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-3-fa3851c98611@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/firmware/qcom/qcom_scm.c | 53 ++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 27 deletions(-) + +diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c +index 23aefbf6fca5..88f3ae652a87 100644 +--- a/drivers/firmware/qcom/qcom_scm.c ++++ b/drivers/firmware/qcom/qcom_scm.c +@@ -2000,7 +2000,32 @@ static int qcom_scm_probe(struct platform_device *pdev) + if (ret) + return ret; + +- /* Paired with smp_load_acquire() in qcom_scm_is_available(). */ ++ ret = of_reserved_mem_device_init(scm->dev); ++ if (ret && ret != -ENODEV) ++ return dev_err_probe(scm->dev, ret, ++ "Failed to setup the reserved memory region for TZ mem\n"); ++ ++ ret = qcom_tzmem_enable(scm->dev); ++ if (ret) ++ return dev_err_probe(scm->dev, ret, ++ "Failed to enable the TrustZone memory allocator\n"); ++ ++ memset(&pool_config, 0, sizeof(pool_config)); ++ pool_config.initial_size = 0; ++ pool_config.policy = QCOM_TZMEM_POLICY_ON_DEMAND; ++ pool_config.max_size = SZ_256K; ++ ++ scm->mempool = devm_qcom_tzmem_pool_new(scm->dev, &pool_config); ++ if (IS_ERR(scm->mempool)) ++ return dev_err_probe(scm->dev, PTR_ERR(scm->mempool), ++ "Failed to create the SCM memory pool\n"); ++ ++ /* ++ * Paired with smp_load_acquire() in qcom_scm_is_available(). ++ * ++ * This marks the SCM API as ready to accept user calls and can only ++ * be called after the TrustZone memory pool is initialized. ++ */ + smp_store_release(&__scm, scm); + + irq = platform_get_irq_optional(pdev, 0); +@@ -2033,32 +2058,6 @@ static int qcom_scm_probe(struct platform_device *pdev) + if (of_property_read_bool(pdev->dev.of_node, "qcom,sdi-enabled") || !download_mode) + qcom_scm_disable_sdi(); + +- ret = of_reserved_mem_device_init(__scm->dev); +- if (ret && ret != -ENODEV) { +- dev_err_probe(__scm->dev, ret, +- "Failed to setup the reserved memory region for TZ mem\n"); +- goto err; +- } +- +- ret = qcom_tzmem_enable(__scm->dev); +- if (ret) { +- dev_err_probe(__scm->dev, ret, +- "Failed to enable the TrustZone memory allocator\n"); +- goto err; +- } +- +- memset(&pool_config, 0, sizeof(pool_config)); +- pool_config.initial_size = 0; +- pool_config.policy = QCOM_TZMEM_POLICY_ON_DEMAND; +- pool_config.max_size = SZ_256K; +- +- __scm->mempool = devm_qcom_tzmem_pool_new(__scm->dev, &pool_config); +- if (IS_ERR(__scm->mempool)) { +- ret = dev_err_probe(__scm->dev, PTR_ERR(__scm->mempool), +- "Failed to create the SCM memory pool\n"); +- goto err; +- } +- + /* + * Initialize the QSEECOM interface. + * +-- +2.39.5 + diff --git a/queue-6.12/firmware-tegra-fix-ivc-dependency-problems.patch b/queue-6.12/firmware-tegra-fix-ivc-dependency-problems.patch new file mode 100644 index 0000000000..4fedf6dac4 --- /dev/null +++ b/queue-6.12/firmware-tegra-fix-ivc-dependency-problems.patch @@ -0,0 +1,50 @@ +From 9ed50c4ec5c07d7f817d85ff2bc047c3c76e4225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 15:31:16 +0200 +Subject: firmware: tegra: Fix IVC dependency problems + +From: Thierry Reding + +[ Upstream commit 78eb18020a88a4eed15f5af7700ed570642ff8f1 ] + +The IVC code is library code that other drivers need to select if they +need that library. However, if the symbol is user-selectable this can +lead to conflicts. + +Fix this by making the symbol only selectable for COMPILE_TEST and add +a select TEGRA_IVC to TEGRA_BPMP, which is currently the only user. + +Link: https://lore.kernel.org/r/20250506133118.1011777-10-thierry.reding@gmail.com +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/firmware/tegra/Kconfig | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/tegra/Kconfig b/drivers/firmware/tegra/Kconfig +index cde1ab8bd9d1..91f2320c0d0f 100644 +--- a/drivers/firmware/tegra/Kconfig ++++ b/drivers/firmware/tegra/Kconfig +@@ -2,7 +2,7 @@ + menu "Tegra firmware driver" + + config TEGRA_IVC +- bool "Tegra IVC protocol" ++ bool "Tegra IVC protocol" if COMPILE_TEST + depends on ARCH_TEGRA + help + IVC (Inter-VM Communication) protocol is part of the IPC +@@ -13,8 +13,9 @@ config TEGRA_IVC + + config TEGRA_BPMP + bool "Tegra BPMP driver" +- depends on ARCH_TEGRA && TEGRA_HSP_MBOX && TEGRA_IVC ++ depends on ARCH_TEGRA && TEGRA_HSP_MBOX + depends on !CPU_BIG_ENDIAN ++ select TEGRA_IVC + help + BPMP (Boot and Power Management Processor) is designed to off-loading + the PM functions which include clock/DVFS/thermal/power from the CPU. +-- +2.39.5 + diff --git a/queue-6.12/fix-locking-in-efi_secret_unlink.patch b/queue-6.12/fix-locking-in-efi_secret_unlink.patch new file mode 100644 index 0000000000..d2f10aa603 --- /dev/null +++ b/queue-6.12/fix-locking-in-efi_secret_unlink.patch @@ -0,0 +1,46 @@ +From b6e6bba11333f4c484829e8b02999c701403fbf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 May 2024 08:48:58 -0600 +Subject: fix locking in efi_secret_unlink() + +From: Al Viro + +[ Upstream commit 2c58d42de71f9c73e40afacc9d062892d2cc8862 ] + +We used to need securityfs_remove() to undo simple_pin_fs() done when +the file had been created and to drop the second extra reference +taken at the same time. Now that neither is needed (or done by +securityfs_remove()), we can simply call simple_unlink() and be done +with that - the broken games with locking had been there only for the +sake of securityfs_remove(). + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/virt/coco/efi_secret/efi_secret.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/virt/coco/efi_secret/efi_secret.c b/drivers/virt/coco/efi_secret/efi_secret.c +index cd29e66b1543..8482be108e82 100644 +--- a/drivers/virt/coco/efi_secret/efi_secret.c ++++ b/drivers/virt/coco/efi_secret/efi_secret.c +@@ -136,15 +136,7 @@ static int efi_secret_unlink(struct inode *dir, struct dentry *dentry) + if (s->fs_files[i] == dentry) + s->fs_files[i] = NULL; + +- /* +- * securityfs_remove tries to lock the directory's inode, but we reach +- * the unlink callback when it's already locked +- */ +- inode_unlock(dir); +- securityfs_remove(dentry); +- inode_lock(dir); +- +- return 0; ++ return simple_unlink(inode, dentry); + } + + static const struct inode_operations efi_secret_dir_inode_operations = { +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-add-sanity-check-for-file-name.patch b/queue-6.12/fs-ntfs3-add-sanity-check-for-file-name.patch new file mode 100644 index 0000000000..360d187497 --- /dev/null +++ b/queue-6.12/fs-ntfs3-add-sanity-check-for-file-name.patch @@ -0,0 +1,37 @@ +From 776cd9e92fd017b163748d2ac6607d05ab7a2ece Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 13:16:16 +0800 +Subject: fs/ntfs3: Add sanity check for file name + +From: Lizhi Xu + +[ Upstream commit e841ecb139339602bc1853f5f09daa5d1ea920a2 ] + +The length of the file name should be smaller than the directory entry size. + +Reported-by: syzbot+598057afa0f49e62bd23@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23 +Signed-off-by: Lizhi Xu +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/dir.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c +index b6da80c69ca6..600e66035c1b 100644 +--- a/fs/ntfs3/dir.c ++++ b/fs/ntfs3/dir.c +@@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi, + if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN)) + return true; + ++ if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size)) ++ return true; ++ + name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name, + PATH_MAX); + if (name_len <= 0) { +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-correctly-create-symlink-for-relative-path.patch b/queue-6.12/fs-ntfs3-correctly-create-symlink-for-relative-path.patch new file mode 100644 index 0000000000..531eb119a0 --- /dev/null +++ b/queue-6.12/fs-ntfs3-correctly-create-symlink-for-relative-path.patch @@ -0,0 +1,100 @@ +From eb8a74ab647187f38c1356e3cede7259378f159e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 15:35:34 +0800 +Subject: fs/ntfs3: correctly create symlink for relative path + +From: Rong Zhang + +[ Upstream commit b1e9d89408f402858c00103f9831b25ffa0994d3 ] + +After applying this patch, could correctly create symlink: + +ln -s "relative/path/to/file" symlink + +Signed-off-by: Rong Zhang +[almaz.alexandrovich@paragon-software.com: added cpu_to_le32 macro to +rs->Flags assignment] +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index 5c05cccd2d40..9077c7b62733 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -1102,10 +1102,10 @@ int inode_read_data(struct inode *inode, void *data, size_t bytes) + * Number of bytes for REPARSE_DATA_BUFFER(IO_REPARSE_TAG_SYMLINK) + * for unicode string of @uni_len length. + */ +-static inline u32 ntfs_reparse_bytes(u32 uni_len) ++static inline u32 ntfs_reparse_bytes(u32 uni_len, bool is_absolute) + { + /* Header + unicode string + decorated unicode string. */ +- return sizeof(short) * (2 * uni_len + 4) + ++ return sizeof(short) * (2 * uni_len + (is_absolute ? 4 : 0)) + + offsetof(struct REPARSE_DATA_BUFFER, + SymbolicLinkReparseBuffer.PathBuffer); + } +@@ -1118,8 +1118,11 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname, + struct REPARSE_DATA_BUFFER *rp; + __le16 *rp_name; + typeof(rp->SymbolicLinkReparseBuffer) *rs; ++ bool is_absolute; + +- rp = kzalloc(ntfs_reparse_bytes(2 * size + 2), GFP_NOFS); ++ is_absolute = (strlen(symname) > 1 && symname[1] == ':'); ++ ++ rp = kzalloc(ntfs_reparse_bytes(2 * size + 2, is_absolute), GFP_NOFS); + if (!rp) + return ERR_PTR(-ENOMEM); + +@@ -1134,7 +1137,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname, + goto out; + + /* err = the length of unicode name of symlink. */ +- *nsize = ntfs_reparse_bytes(err); ++ *nsize = ntfs_reparse_bytes(err, is_absolute); + + if (*nsize > sbi->reparse.max_size) { + err = -EFBIG; +@@ -1154,7 +1157,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname, + + /* PrintName + SubstituteName. */ + rs->SubstituteNameOffset = cpu_to_le16(sizeof(short) * err); +- rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + 8); ++ rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + (is_absolute ? 8 : 0)); + rs->PrintNameLength = rs->SubstituteNameOffset; + + /* +@@ -1162,16 +1165,18 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname, + * parse this path. + * 0-absolute path 1- relative path (SYMLINK_FLAG_RELATIVE). + */ +- rs->Flags = 0; ++ rs->Flags = cpu_to_le32(is_absolute ? 0 : SYMLINK_FLAG_RELATIVE); + +- memmove(rp_name + err + 4, rp_name, sizeof(short) * err); ++ memmove(rp_name + err + (is_absolute ? 4 : 0), rp_name, sizeof(short) * err); + +- /* Decorate SubstituteName. */ +- rp_name += err; +- rp_name[0] = cpu_to_le16('\\'); +- rp_name[1] = cpu_to_le16('?'); +- rp_name[2] = cpu_to_le16('?'); +- rp_name[3] = cpu_to_le16('\\'); ++ if (is_absolute) { ++ /* Decorate SubstituteName. */ ++ rp_name += err; ++ rp_name[0] = cpu_to_le16('\\'); ++ rp_name[1] = cpu_to_le16('?'); ++ rp_name[2] = cpu_to_le16('?'); ++ rp_name[3] = cpu_to_le16('\\'); ++ } + + return rp; + out: +-- +2.39.5 + diff --git a/queue-6.12/fs-orangefs-use-snprintf-instead-of-sprintf.patch b/queue-6.12/fs-orangefs-use-snprintf-instead-of-sprintf.patch new file mode 100644 index 0000000000..986819c108 --- /dev/null +++ b/queue-6.12/fs-orangefs-use-snprintf-instead-of-sprintf.patch @@ -0,0 +1,47 @@ +From d4be5c984208984476d149009f4d0d74ccc25229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jun 2025 20:05:59 +0330 +Subject: fs/orangefs: use snprintf() instead of sprintf() + +From: Amir Mohammad Jahangirzad + +[ Upstream commit cdfa1304657d6f23be8fd2bb0516380a3c89034e ] + +sprintf() is discouraged for use with bounded destination buffers +as it does not prevent buffer overflows when the formatted output +exceeds the destination buffer size. snprintf() is a safer +alternative as it limits the number of bytes written and ensures +NUL-termination. + +Replace sprintf() with snprintf() for copying the debug string +into a temporary buffer, using ORANGEFS_MAX_DEBUG_STRING_LEN as +the maximum size to ensure safe formatting and prevent memory +corruption in edge cases. + +EDIT: After this patch sat on linux-next for a few days, Dan +Carpenter saw it and suggested that I use scnprintf instead of +snprintf. I made the change and retested. + +Signed-off-by: Amir Mohammad Jahangirzad +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index b57140ebfad0..cd4bfd92ebd6 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -354,7 +354,7 @@ static ssize_t orangefs_debug_read(struct file *file, + goto out; + + mutex_lock(&orangefs_debug_lock); +- sprintf_ret = sprintf(buf, "%s", (char *)file->private_data); ++ sprintf_ret = scnprintf(buf, ORANGEFS_MAX_DEBUG_STRING_LEN, "%s", (char *)file->private_data); + mutex_unlock(&orangefs_debug_lock); + + read_ret = simple_read_from_buffer(ubuf, count, ppos, buf, sprintf_ret); +-- +2.39.5 + diff --git a/queue-6.12/gfs2-set-.migrate_folio-in-gfs2_-rgrp-meta-_aops.patch b/queue-6.12/gfs2-set-.migrate_folio-in-gfs2_-rgrp-meta-_aops.patch new file mode 100644 index 0000000000..42bfa0bd6c --- /dev/null +++ b/queue-6.12/gfs2-set-.migrate_folio-in-gfs2_-rgrp-meta-_aops.patch @@ -0,0 +1,46 @@ +From 68eab960d8eb412bdaf47329d30dc2d307692680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 16:21:15 +0100 +Subject: gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops + +From: Andrew Price + +[ Upstream commit 5c8f12cf1e64e0e8e6cb80b0c935389973e8be8d ] + +Clears up the warning added in 7ee3647243e5 ("migrate: Remove call to +->writepage") that occurs in various xfstests, causing "something found +in dmesg" failures. + +[ 341.136573] gfs2_meta_aops does not implement migrate_folio +[ 341.136953] WARNING: CPU: 1 PID: 36 at mm/migrate.c:944 move_to_new_folio+0x2f8/0x300 + +Signed-off-by: Andrew Price +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/meta_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/gfs2/meta_io.c b/fs/gfs2/meta_io.c +index 960d6afcdfad..b795ca7765cd 100644 +--- a/fs/gfs2/meta_io.c ++++ b/fs/gfs2/meta_io.c +@@ -103,6 +103,7 @@ const struct address_space_operations gfs2_meta_aops = { + .invalidate_folio = block_invalidate_folio, + .writepages = gfs2_aspace_writepages, + .release_folio = gfs2_release_folio, ++ .migrate_folio = buffer_migrate_folio_norefs, + }; + + const struct address_space_operations gfs2_rgrp_aops = { +@@ -110,6 +111,7 @@ const struct address_space_operations gfs2_rgrp_aops = { + .invalidate_folio = block_invalidate_folio, + .writepages = gfs2_aspace_writepages, + .release_folio = gfs2_release_folio, ++ .migrate_folio = buffer_migrate_folio_norefs, + }; + + /** +-- +2.39.5 + diff --git a/queue-6.12/gfs2-validate-i_depth-for-exhash-directories.patch b/queue-6.12/gfs2-validate-i_depth-for-exhash-directories.patch new file mode 100644 index 0000000000..cd0719fd95 --- /dev/null +++ b/queue-6.12/gfs2-validate-i_depth-for-exhash-directories.patch @@ -0,0 +1,94 @@ +From 46b8ef93f7e733b6856de624ad5ea878918b66e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 14:12:07 +0100 +Subject: gfs2: Validate i_depth for exhash directories + +From: Andrew Price + +[ Upstream commit 557c024ca7250bb65ae60f16c02074106c2f197b ] + +A fuzzer test introduced corruption that ends up with a depth of 0 in +dir_e_read(), causing an undefined shift by 32 at: + + index = hash >> (32 - dip->i_depth); + +As calculated in an open-coded way in dir_make_exhash(), the minimum +depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is +invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time. + +So we can avoid the undefined behaviour by checking for depth values +lower than the minimum in gfs2_dinode_in(). Values greater than the +maximum are already being checked for there. + +Also switch the calculation in dir_make_exhash() to use ilog2() to +clarify how the depth is calculated. + +Tested with the syzkaller repro.c and xfstests '-g quick'. + +Reported-by: syzbot+4708579bb230a0582a57@syzkaller.appspotmail.com +Signed-off-by: Andrew Price +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/dir.c | 6 ++---- + fs/gfs2/glops.c | 6 ++++++ + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c +index dbf1aede744c..509e2f0d97e7 100644 +--- a/fs/gfs2/dir.c ++++ b/fs/gfs2/dir.c +@@ -60,6 +60,7 @@ + #include + #include + #include ++#include + + #include "gfs2.h" + #include "incore.h" +@@ -912,7 +913,6 @@ static int dir_make_exhash(struct inode *inode) + struct qstr args; + struct buffer_head *bh, *dibh; + struct gfs2_leaf *leaf; +- int y; + u32 x; + __be64 *lp; + u64 bn; +@@ -979,9 +979,7 @@ static int dir_make_exhash(struct inode *inode) + i_size_write(inode, sdp->sd_sb.sb_bsize / 2); + gfs2_add_inode_blocks(&dip->i_inode, 1); + dip->i_diskflags |= GFS2_DIF_EXHASH; +- +- for (x = sdp->sd_hash_ptrs, y = -1; x; x >>= 1, y++) ; +- dip->i_depth = y; ++ dip->i_depth = ilog2(sdp->sd_hash_ptrs); + + gfs2_dinode_out(dip, dibh->b_data); + +diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c +index 4b6b23c638e2..1ed42f0e6ec7 100644 +--- a/fs/gfs2/glops.c ++++ b/fs/gfs2/glops.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #include "gfs2.h" + #include "incore.h" +@@ -450,6 +451,11 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) + gfs2_consist_inode(ip); + return -EIO; + } ++ if ((ip->i_diskflags & GFS2_DIF_EXHASH) && ++ depth < ilog2(sdp->sd_hash_ptrs)) { ++ gfs2_consist_inode(ip); ++ return -EIO; ++ } + ip->i_depth = (u8)depth; + ip->i_entries = be32_to_cpu(str->di_entries); + +-- +2.39.5 + diff --git a/queue-6.12/gpio-tps65912-check-the-return-value-of-regmap_updat.patch b/queue-6.12/gpio-tps65912-check-the-return-value-of-regmap_updat.patch new file mode 100644 index 0000000000..820ee06a14 --- /dev/null +++ b/queue-6.12/gpio-tps65912-check-the-return-value-of-regmap_updat.patch @@ -0,0 +1,42 @@ +From e78965747f7870dcabc2451acf0d1604199db3d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:50:15 +0200 +Subject: gpio: tps65912: check the return value of regmap_update_bits() + +From: Bartosz Golaszewski + +[ Upstream commit a0b2a6bbff8c26aafdecd320f38f52c341d5cafa ] + +regmap_update_bits() can fail, check its return value like we do +elsewhere in the driver. + +Link: https://lore.kernel.org/r/20250707-gpiochip-set-rv-gpio-round4-v1-2-35668aaaf6d2@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-tps65912.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c +index fab771cb6a87..bac757c191c2 100644 +--- a/drivers/gpio/gpio-tps65912.c ++++ b/drivers/gpio/gpio-tps65912.c +@@ -49,10 +49,13 @@ static int tps65912_gpio_direction_output(struct gpio_chip *gc, + unsigned offset, int value) + { + struct tps65912_gpio *gpio = gpiochip_get_data(gc); ++ int ret; + + /* Set the initial value */ +- regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset, +- GPIO_SET_MASK, value ? GPIO_SET_MASK : 0); ++ ret = regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset, ++ GPIO_SET_MASK, value ? GPIO_SET_MASK : 0); ++ if (ret) ++ return ret; + + return regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset, + GPIO_CFG_MASK, GPIO_CFG_MASK); +-- +2.39.5 + diff --git a/queue-6.12/gpio-wcd934x-check-the-return-value-of-regmap_update.patch b/queue-6.12/gpio-wcd934x-check-the-return-value-of-regmap_update.patch new file mode 100644 index 0000000000..b07838a11a --- /dev/null +++ b/queue-6.12/gpio-wcd934x-check-the-return-value-of-regmap_update.patch @@ -0,0 +1,42 @@ +From a71eecb71c1deda73ef691c7da3fd3e0dc46973f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 08:41:39 +0200 +Subject: gpio: wcd934x: check the return value of regmap_update_bits() + +From: Bartosz Golaszewski + +[ Upstream commit ff0f0d7c6587e38c308be9905e36f86e98fb9c1f ] + +regmap_update_bits() can fail so check its return value in +wcd_gpio_direction_output() for consistency with the rest of the code +and propagate any errors. + +Link: https://lore.kernel.org/r/20250709-gpiochip-set-rv-gpio-remaining-v1-2-b8950f69618d@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-wcd934x.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-wcd934x.c b/drivers/gpio/gpio-wcd934x.c +index 2bba27b13947..cfa7b0a50c8e 100644 +--- a/drivers/gpio/gpio-wcd934x.c ++++ b/drivers/gpio/gpio-wcd934x.c +@@ -46,9 +46,12 @@ static int wcd_gpio_direction_output(struct gpio_chip *chip, unsigned int pin, + int val) + { + struct wcd_gpio_data *data = gpiochip_get_data(chip); ++ int ret; + +- regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET, +- WCD_PIN_MASK(pin), WCD_PIN_MASK(pin)); ++ ret = regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET, ++ WCD_PIN_MASK(pin), WCD_PIN_MASK(pin)); ++ if (ret) ++ return ret; + + return regmap_update_bits(data->map, WCD_REG_VAL_CTL_OFFSET, + WCD_PIN_MASK(pin), +-- +2.39.5 + diff --git a/queue-6.12/gve-return-error-for-unknown-admin-queue-command.patch b/queue-6.12/gve-return-error-for-unknown-admin-queue-command.patch new file mode 100644 index 0000000000..a6fcb9dd03 --- /dev/null +++ b/queue-6.12/gve-return-error-for-unknown-admin-queue-command.patch @@ -0,0 +1,41 @@ +From c1396deadbb79e5956cea97b81535bce706543ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 22:45:01 -0700 +Subject: gve: Return error for unknown admin queue command + +From: Alok Tiwari + +[ Upstream commit b11344f63fdd9e8c5121148a6965b41079071dd2 ] + +In gve_adminq_issue_cmd(), return -EINVAL instead of 0 when an unknown +admin queue command opcode is encountered. + +This prevents the function from silently succeeding on invalid input +and prevents undefined behavior by ensuring the function fails gracefully +when an unrecognized opcode is provided. + +These changes improve error handling. + +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250616054504.1644770-2-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_adminq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c +index 060e0e674938..36acbcd8f62a 100644 +--- a/drivers/net/ethernet/google/gve/gve_adminq.c ++++ b/drivers/net/ethernet/google/gve/gve_adminq.c +@@ -564,6 +564,7 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv, + break; + default: + dev_err(&priv->pdev->dev, "unknown AQ command opcode %d\n", opcode); ++ return -EINVAL; + } + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/hfs-fix-general-protection-fault-in-hfs_find_init.patch b/queue-6.12/hfs-fix-general-protection-fault-in-hfs_find_init.patch new file mode 100644 index 0000000000..80f796c4be --- /dev/null +++ b/queue-6.12/hfs-fix-general-protection-fault-in-hfs_find_init.patch @@ -0,0 +1,308 @@ +From ed75c0a8a8a2bf7cddc9bade71d0337a1efc4da1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 14:36:57 -0700 +Subject: hfs: fix general protection fault in hfs_find_init() + +From: Viacheslav Dubeyko + +[ Upstream commit 736a0516a16268995f4898eded49bfef077af709 ] + +The hfs_find_init() method can trigger the crash +if tree pointer is NULL: + +[ 45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI +[ 45.747287][ T9787] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047] +[ 45.748716][ T9787] CPU: 2 UID: 0 PID: 9787 Comm: repro Not tainted 6.16.0-rc3 #10 PREEMPT(full) +[ 45.750250][ T9787] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 45.751983][ T9787] RIP: 0010:hfs_find_init+0x86/0x230 +[ 45.752834][ T9787] Code: c1 ea 03 80 3c 02 00 0f 85 9a 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc +[ 45.755574][ T9787] RSP: 0018:ffffc90015157668 EFLAGS: 00010202 +[ 45.756432][ T9787] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff819a4d09 +[ 45.757457][ T9787] RDX: 0000000000000008 RSI: ffffffff819acd3a RDI: ffffc900151576e8 +[ 45.758282][ T9787] RBP: ffffc900151576d0 R08: 0000000000000005 R09: 0000000000000000 +[ 45.758943][ T9787] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000004 +[ 45.759619][ T9787] R13: 0000000000000040 R14: ffff88802c50814a R15: 0000000000000000 +[ 45.760293][ T9787] FS: 00007ffb72734540(0000) GS:ffff8880cec64000(0000) knlGS:0000000000000000 +[ 45.761050][ T9787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 45.761606][ T9787] CR2: 00007f9bd8225000 CR3: 000000010979a000 CR4: 00000000000006f0 +[ 45.762286][ T9787] Call Trace: +[ 45.762570][ T9787] +[ 45.762824][ T9787] hfs_ext_read_extent+0x190/0x9d0 +[ 45.763269][ T9787] ? submit_bio_noacct_nocheck+0x2dd/0xce0 +[ 45.763766][ T9787] ? __pfx_hfs_ext_read_extent+0x10/0x10 +[ 45.764250][ T9787] hfs_get_block+0x55f/0x830 +[ 45.764646][ T9787] block_read_full_folio+0x36d/0x850 +[ 45.765105][ T9787] ? __pfx_hfs_get_block+0x10/0x10 +[ 45.765541][ T9787] ? const_folio_flags+0x5b/0x100 +[ 45.765972][ T9787] ? __pfx_hfs_read_folio+0x10/0x10 +[ 45.766415][ T9787] filemap_read_folio+0xbe/0x290 +[ 45.766840][ T9787] ? __pfx_filemap_read_folio+0x10/0x10 +[ 45.767325][ T9787] ? __filemap_get_folio+0x32b/0xbf0 +[ 45.767780][ T9787] do_read_cache_folio+0x263/0x5c0 +[ 45.768223][ T9787] ? __pfx_hfs_read_folio+0x10/0x10 +[ 45.768666][ T9787] read_cache_page+0x5b/0x160 +[ 45.769070][ T9787] hfs_btree_open+0x491/0x1740 +[ 45.769481][ T9787] hfs_mdb_get+0x15e2/0x1fb0 +[ 45.769877][ T9787] ? __pfx_hfs_mdb_get+0x10/0x10 +[ 45.770316][ T9787] ? find_held_lock+0x2b/0x80 +[ 45.770731][ T9787] ? lockdep_init_map_type+0x5c/0x280 +[ 45.771200][ T9787] ? lockdep_init_map_type+0x5c/0x280 +[ 45.771674][ T9787] hfs_fill_super+0x38e/0x720 +[ 45.772092][ T9787] ? __pfx_hfs_fill_super+0x10/0x10 +[ 45.772549][ T9787] ? snprintf+0xbe/0x100 +[ 45.772931][ T9787] ? __pfx_snprintf+0x10/0x10 +[ 45.773350][ T9787] ? do_raw_spin_lock+0x129/0x2b0 +[ 45.773796][ T9787] ? find_held_lock+0x2b/0x80 +[ 45.774215][ T9787] ? set_blocksize+0x40a/0x510 +[ 45.774636][ T9787] ? sb_set_blocksize+0x176/0x1d0 +[ 45.775087][ T9787] ? setup_bdev_super+0x369/0x730 +[ 45.775533][ T9787] get_tree_bdev_flags+0x384/0x620 +[ 45.775985][ T9787] ? __pfx_hfs_fill_super+0x10/0x10 +[ 45.776453][ T9787] ? __pfx_get_tree_bdev_flags+0x10/0x10 +[ 45.776950][ T9787] ? bpf_lsm_capable+0x9/0x10 +[ 45.777365][ T9787] ? security_capable+0x80/0x260 +[ 45.777803][ T9787] vfs_get_tree+0x8e/0x340 +[ 45.778203][ T9787] path_mount+0x13de/0x2010 +[ 45.778604][ T9787] ? kmem_cache_free+0x2b0/0x4c0 +[ 45.779052][ T9787] ? __pfx_path_mount+0x10/0x10 +[ 45.779480][ T9787] ? getname_flags.part.0+0x1c5/0x550 +[ 45.779954][ T9787] ? putname+0x154/0x1a0 +[ 45.780335][ T9787] __x64_sys_mount+0x27b/0x300 +[ 45.780758][ T9787] ? __pfx___x64_sys_mount+0x10/0x10 +[ 45.781232][ T9787] do_syscall_64+0xc9/0x480 +[ 45.781631][ T9787] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 45.782149][ T9787] RIP: 0033:0x7ffb7265b6ca +[ 45.782539][ T9787] Code: 48 8b 0d c9 17 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 +[ 45.784212][ T9787] RSP: 002b:00007ffc0c10cfb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 45.784935][ T9787] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffb7265b6ca +[ 45.785626][ T9787] RDX: 0000200000000240 RSI: 0000200000000280 RDI: 00007ffc0c10d100 +[ 45.786316][ T9787] RBP: 00007ffc0c10d190 R08: 00007ffc0c10d000 R09: 0000000000000000 +[ 45.787011][ T9787] R10: 0000000000000048 R11: 0000000000000206 R12: 0000560246733250 +[ 45.787697][ T9787] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 45.788393][ T9787] +[ 45.788665][ T9787] Modules linked in: +[ 45.789058][ T9787] ---[ end trace 0000000000000000 ]--- +[ 45.789554][ T9787] RIP: 0010:hfs_find_init+0x86/0x230 +[ 45.790028][ T9787] Code: c1 ea 03 80 3c 02 00 0f 85 9a 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc +[ 45.792364][ T9787] RSP: 0018:ffffc90015157668 EFLAGS: 00010202 +[ 45.793155][ T9787] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff819a4d09 +[ 45.794123][ T9787] RDX: 0000000000000008 RSI: ffffffff819acd3a RDI: ffffc900151576e8 +[ 45.795105][ T9787] RBP: ffffc900151576d0 R08: 0000000000000005 R09: 0000000000000000 +[ 45.796135][ T9787] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000004 +[ 45.797114][ T9787] R13: 0000000000000040 R14: ffff88802c50814a R15: 0000000000000000 +[ 45.798024][ T9787] FS: 00007ffb72734540(0000) GS:ffff8880cec64000(0000) knlGS:0000000000000000 +[ 45.799019][ T9787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 45.799822][ T9787] CR2: 00007f9bd8225000 CR3: 000000010979a000 CR4: 00000000000006f0 +[ 45.800747][ T9787] Kernel panic - not syncing: Fatal exception + +The hfs_fill_super() calls hfs_mdb_get() method that tries +to construct Extents Tree and Catalog Tree: + +HFS_SB(sb)->ext_tree = hfs_btree_open(sb, HFS_EXT_CNID, hfs_ext_keycmp); +if (!HFS_SB(sb)->ext_tree) { + pr_err("unable to open extent tree\n"); + goto out; +} +HFS_SB(sb)->cat_tree = hfs_btree_open(sb, HFS_CAT_CNID, hfs_cat_keycmp); +if (!HFS_SB(sb)->cat_tree) { + pr_err("unable to open catalog tree\n"); + goto out; +} + +However, hfs_btree_open() calls read_mapping_page() that +calls hfs_get_block(). And this method calls hfs_ext_read_extent(): + +static int hfs_ext_read_extent(struct inode *inode, u16 block) +{ + struct hfs_find_data fd; + int res; + + if (block >= HFS_I(inode)->cached_start && + block < HFS_I(inode)->cached_start + HFS_I(inode)->cached_blocks) + return 0; + + res = hfs_find_init(HFS_SB(inode->i_sb)->ext_tree, &fd); + if (!res) { + res = __hfs_ext_cache_extent(&fd, inode, block); + hfs_find_exit(&fd); + } + return res; +} + +The problem here that hfs_find_init() is trying to use +HFS_SB(inode->i_sb)->ext_tree that is not initialized yet. +It will be initailized when hfs_btree_open() finishes +the execution. + +The patch adds checking of tree pointer in hfs_find_init() +and it reworks the logic of hfs_btree_open() by reading +the b-tree's header directly from the volume. The read_mapping_page() +is exchanged on filemap_grab_folio() that grab the folio from +mapping. Then, sb_bread() extracts the b-tree's header +content and copy it into the folio. + +Reported-by: Wenzhi Wang +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250710213657.108285-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bfind.c | 3 +++ + fs/hfs/btree.c | 57 +++++++++++++++++++++++++++++++++++++++---------- + fs/hfs/extent.c | 2 +- + fs/hfs/hfs_fs.h | 1 + + 4 files changed, 51 insertions(+), 12 deletions(-) + +diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c +index ef9498a6e88a..34e9804e0f36 100644 +--- a/fs/hfs/bfind.c ++++ b/fs/hfs/bfind.c +@@ -16,6 +16,9 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + { + void *ptr; + ++ if (!tree || !fd) ++ return -EINVAL; ++ + fd->tree = tree; + fd->bnode = NULL; + ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); +diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c +index 2fa4b1f8cc7f..e86e1e235658 100644 +--- a/fs/hfs/btree.c ++++ b/fs/hfs/btree.c +@@ -21,8 +21,12 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke + struct hfs_btree *tree; + struct hfs_btree_header_rec *head; + struct address_space *mapping; +- struct page *page; ++ struct folio *folio; ++ struct buffer_head *bh; + unsigned int size; ++ u16 dblock; ++ sector_t start_block; ++ loff_t offset; + + tree = kzalloc(sizeof(*tree), GFP_KERNEL); + if (!tree) +@@ -75,12 +79,40 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke + unlock_new_inode(tree->inode); + + mapping = tree->inode->i_mapping; +- page = read_mapping_page(mapping, 0, NULL); +- if (IS_ERR(page)) ++ folio = filemap_grab_folio(mapping, 0); ++ if (IS_ERR(folio)) + goto free_inode; + ++ folio_zero_range(folio, 0, folio_size(folio)); ++ ++ dblock = hfs_ext_find_block(HFS_I(tree->inode)->first_extents, 0); ++ start_block = HFS_SB(sb)->fs_start + (dblock * HFS_SB(sb)->fs_div); ++ ++ size = folio_size(folio); ++ offset = 0; ++ while (size > 0) { ++ size_t len; ++ ++ bh = sb_bread(sb, start_block); ++ if (!bh) { ++ pr_err("unable to read tree header\n"); ++ goto put_folio; ++ } ++ ++ len = min_t(size_t, folio_size(folio), sb->s_blocksize); ++ memcpy_to_folio(folio, offset, bh->b_data, sb->s_blocksize); ++ ++ brelse(bh); ++ ++ start_block++; ++ offset += len; ++ size -= len; ++ } ++ ++ folio_mark_uptodate(folio); ++ + /* Load the header */ +- head = (struct hfs_btree_header_rec *)(kmap_local_page(page) + ++ head = (struct hfs_btree_header_rec *)(kmap_local_folio(folio, 0) + + sizeof(struct hfs_bnode_desc)); + tree->root = be32_to_cpu(head->root); + tree->leaf_count = be32_to_cpu(head->leaf_count); +@@ -95,22 +127,22 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke + + size = tree->node_size; + if (!is_power_of_2(size)) +- goto fail_page; ++ goto fail_folio; + if (!tree->node_count) +- goto fail_page; ++ goto fail_folio; + switch (id) { + case HFS_EXT_CNID: + if (tree->max_key_len != HFS_MAX_EXT_KEYLEN) { + pr_err("invalid extent max_key_len %d\n", + tree->max_key_len); +- goto fail_page; ++ goto fail_folio; + } + break; + case HFS_CAT_CNID: + if (tree->max_key_len != HFS_MAX_CAT_KEYLEN) { + pr_err("invalid catalog max_key_len %d\n", + tree->max_key_len); +- goto fail_page; ++ goto fail_folio; + } + break; + default: +@@ -121,12 +153,15 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke + tree->pages_per_bnode = (tree->node_size + PAGE_SIZE - 1) >> PAGE_SHIFT; + + kunmap_local(head); +- put_page(page); ++ folio_unlock(folio); ++ folio_put(folio); + return tree; + +-fail_page: ++fail_folio: + kunmap_local(head); +- put_page(page); ++put_folio: ++ folio_unlock(folio); ++ folio_put(folio); + free_inode: + tree->inode->i_mapping->a_ops = &hfs_aops; + iput(tree->inode); +diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c +index 4a0ce131e233..580c62981dbd 100644 +--- a/fs/hfs/extent.c ++++ b/fs/hfs/extent.c +@@ -71,7 +71,7 @@ int hfs_ext_keycmp(const btree_key *key1, const btree_key *key2) + * + * Find a block within an extent record + */ +-static u16 hfs_ext_find_block(struct hfs_extent *ext, u16 off) ++u16 hfs_ext_find_block(struct hfs_extent *ext, u16 off) + { + int i; + u16 count; +diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h +index a0c7cb0f79fc..732c5c4c7545 100644 +--- a/fs/hfs/hfs_fs.h ++++ b/fs/hfs/hfs_fs.h +@@ -190,6 +190,7 @@ extern const struct inode_operations hfs_dir_inode_operations; + + /* extent.c */ + extern int hfs_ext_keycmp(const btree_key *, const btree_key *); ++extern u16 hfs_ext_find_block(struct hfs_extent *ext, u16 off); + extern int hfs_free_fork(struct super_block *, struct hfs_cat_file *, int); + extern int hfs_ext_write_extent(struct inode *); + extern int hfs_extend_file(struct inode *); +-- +2.39.5 + diff --git a/queue-6.12/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch b/queue-6.12/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch new file mode 100644 index 0000000000..ff79d27940 --- /dev/null +++ b/queue-6.12/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch @@ -0,0 +1,105 @@ +From caf38cfdf6fa4237a8fc9815f0a54ca9a1e01159 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 17:12:11 -0700 +Subject: hfs: fix not erasing deleted b-tree node issue + +From: Viacheslav Dubeyko + +[ Upstream commit d3ed6d6981f4756f145766753c872482bc3b28d3 ] + +The generic/001 test of xfstests suite fails and corrupts +the HFS volume: + +sudo ./check generic/001 +FSTYP -- hfs +PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2> +MKFS_OPTIONS -- /dev/loop51 +MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch + +generic/001 32s ... _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent +(see /home/slavad/XFSTESTS-2/xfstests-dev/results//generic/001.full for details) + +Ran: generic/001 +Failures: generic/001 +Failed 1 of 1 tests + +fsck.hfs -d -n ./test-image.bin +** ./test-image.bin (NO WRITE) + Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K. + Executing fsck_hfs (version 540.1-Linux). +** Checking HFS volume. + The volume name is untitled +** Checking extents overflow file. +** Checking catalog file. + Unused node is not erased (node = 2) + Unused node is not erased (node = 4) + + Unused node is not erased (node = 253) + Unused node is not erased (node = 254) + Unused node is not erased (node = 255) + Unused node is not erased (node = 256) +** Checking catalog hierarchy. +** Checking volume bitmap. +** Checking volume information. + Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000 + CBTStat = 0x0004 CatStat = 0x00000000 +** The volume untitled was found corrupt and needs to be repaired. + volume type is HFS + primary MDB is at block 2 0x02 + alternate MDB is at block 20971518 0x13ffffe + primary VHB is at block 0 0x00 + alternate VHB is at block 0 0x00 + sector size = 512 0x200 + VolumeObject flags = 0x19 + total sectors for volume = 20971520 0x1400000 + total sectors for embedded volume = 0 0x00 + +This patch adds logic of clearing the deleted b-tree node. + +sudo ./check generic/001 +FSTYP -- hfs +PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2025 +MKFS_OPTIONS -- /dev/loop51 +MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch + +generic/001 9s ... 32s +Ran: generic/001 +Passed all 1 tests + +fsck.hfs -d -n ./test-image.bin +** ./test-image.bin (NO WRITE) + Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K. + Executing fsck_hfs (version 540.1-Linux). +** Checking HFS volume. + The volume name is untitled +** Checking extents overflow file. +** Checking catalog file. +** Checking catalog hierarchy. +** Checking volume bitmap. +** Checking volume information. +** The volume untitled appears to be OK. + +Signed-off-by: Viacheslav Dubeyko +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20250430001211.1912533-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bnode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c +index 1dac5d9c055f..e8cd1a31f247 100644 +--- a/fs/hfs/bnode.c ++++ b/fs/hfs/bnode.c +@@ -574,6 +574,7 @@ void hfs_bnode_put(struct hfs_bnode *node) + if (test_bit(HFS_BNODE_DELETED, &node->flags)) { + hfs_bnode_unhash(node); + spin_unlock(&tree->hash_lock); ++ hfs_bnode_clear(node, 0, tree->node_size); + hfs_bmap_free(node); + hfs_bnode_free(node); + return; +-- +2.39.5 + diff --git a/queue-6.12/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch b/queue-6.12/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch new file mode 100644 index 0000000000..7a1233e83d --- /dev/null +++ b/queue-6.12/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch @@ -0,0 +1,166 @@ +From 92a7a459e5c516726de835fef8a0f6c33bb5e2ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 14:49:12 -0700 +Subject: hfs: fix slab-out-of-bounds in hfs_bnode_read() + +From: Viacheslav Dubeyko + +[ Upstream commit a431930c9bac518bf99d6b1da526a7f37ddee8d8 ] + +This patch introduces is_bnode_offset_valid() method that checks +the requested offset value. Also, it introduces +check_and_correct_requested_length() method that checks and +correct the requested length (if it is necessary). These methods +are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), +hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent +the access out of allocated memory and triggering the crash. + +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250703214912.244138-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 92 insertions(+) + +diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c +index cb823a8a6ba9..1dac5d9c055f 100644 +--- a/fs/hfs/bnode.c ++++ b/fs/hfs/bnode.c +@@ -15,6 +15,48 @@ + + #include "btree.h" + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) + { + struct page *page; +@@ -22,6 +64,20 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) + int bytes_read; + int bytes_to_read; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagenum = off >> PAGE_SHIFT; + off &= ~PAGE_MASK; /* compute page offset for the first page */ +@@ -80,6 +136,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len) + { + struct page *page; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + page = node->page[0]; + +@@ -104,6 +174,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len) + { + struct page *page; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + page = node->page[0]; + +@@ -119,6 +203,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst, + hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(src_node, src, len); ++ len = check_and_correct_requested_length(dst_node, dst, len); ++ + src += src_node->page_offset; + dst += dst_node->page_offset; + src_page = src_node->page[0]; +@@ -136,6 +224,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len) + hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(node, src, len); ++ len = check_and_correct_requested_length(node, dst, len); ++ + src += node->page_offset; + dst += node->page_offset; + page = node->page[0]; +-- +2.39.5 + diff --git a/queue-6.12/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch b/queue-6.12/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch new file mode 100644 index 0000000000..bb223183dd --- /dev/null +++ b/queue-6.12/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch @@ -0,0 +1,46 @@ +From 0876b2a94b77caf84fbc1a1b714847624c234fbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 14:17:56 +0900 +Subject: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() + +From: Tetsuo Handa + +[ Upstream commit c7c6363ca186747ebc2df10c8a1a51e66e0e32d9 ] + +When the volume header contains erroneous values that do not reflect +the actual state of the filesystem, hfsplus_fill_super() assumes that +the attributes file is not yet created, which later results in hitting +BUG_ON() when hfsplus_create_attributes_file() is called. Replace this +BUG_ON() with -EIO error with a message to suggest running fsck tool. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=1107451c16b9eb9d29e6 +Signed-off-by: Tetsuo Handa +Reviewed-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/7b587d24-c8a1-4413-9b9a-00a33fbd849f@I-love.SAKURA.ne.jp +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/xattr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c +index 9a1a93e3888b..18dc3d254d21 100644 +--- a/fs/hfsplus/xattr.c ++++ b/fs/hfsplus/xattr.c +@@ -172,7 +172,11 @@ static int hfsplus_create_attributes_file(struct super_block *sb) + return PTR_ERR(attr_file); + } + +- BUG_ON(i_size_read(attr_file) != 0); ++ if (i_size_read(attr_file) != 0) { ++ err = -EIO; ++ pr_err("detected inconsistent attributes file, running fsck.hfsplus is recommended.\n"); ++ goto end_attr_file_creation; ++ } + + hip = HFSPLUS_I(attr_file); + +-- +2.39.5 + diff --git a/queue-6.12/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch b/queue-6.12/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch new file mode 100644 index 0000000000..c7c0bf0642 --- /dev/null +++ b/queue-6.12/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch @@ -0,0 +1,296 @@ +From 14320f1ad015708b4172e35945155b1d0769ec8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 14:48:04 -0700 +Subject: hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() + +From: Viacheslav Dubeyko + +[ Upstream commit c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2 ] + +The hfsplus_bnode_read() method can trigger the issue: + +[ 174.852007][ T9784] ================================================================== +[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360 +[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784 +[ 174.854059][ T9784] +[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full) +[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 174.854286][ T9784] Call Trace: +[ 174.854289][ T9784] +[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0 +[ 174.854305][ T9784] print_report+0xd0/0x660 +[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610 +[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180 +[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360 +[ 174.854337][ T9784] kasan_report+0xc6/0x100 +[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360 +[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360 +[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380 +[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10 +[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0 +[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310 +[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40 +[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0 +[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0 +[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10 +[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10 +[ 174.854436][ T9784] ? __asan_memset+0x23/0x50 +[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320 +[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10 +[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0 +[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40 +[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0 +[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10 +[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0 +[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10 +[ 174.854525][ T9784] ? down_write+0x148/0x200 +[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10 +[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0 +[ 174.854549][ T9784] do_unlinkat+0x490/0x670 +[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10 +[ 174.854565][ T9784] ? __might_fault+0xbc/0x130 +[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550 +[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110 +[ 174.854592][ T9784] do_syscall_64+0xc9/0x480 +[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167 +[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08 +[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 +[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167 +[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50 +[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40 +[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0 +[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 174.854658][ T9784] +[ 174.854661][ T9784] +[ 174.879281][ T9784] Allocated by task 9784: +[ 174.879664][ T9784] kasan_save_stack+0x20/0x40 +[ 174.880082][ T9784] kasan_save_track+0x14/0x30 +[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0 +[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550 +[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890 +[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10 +[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520 +[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x320 +[ 174.883144][ T9784] hfsplus_delete_cat+0x845/0xde0 +[ 174.883595][ T9784] hfsplus_rmdir+0x106/0x1b0 +[ 174.884004][ T9784] vfs_rmdir+0x206/0x690 +[ 174.884379][ T9784] do_rmdir+0x2b7/0x390 +[ 174.884751][ T9784] __x64_sys_rmdir+0xc5/0x110 +[ 174.885167][ T9784] do_syscall_64+0xc9/0x480 +[ 174.885568][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 174.886083][ T9784] +[ 174.886293][ T9784] The buggy address belongs to the object at ffff88810b5fc600 +[ 174.886293][ T9784] which belongs to the cache kmalloc-192 of size 192 +[ 174.887507][ T9784] The buggy address is located 40 bytes to the right of +[ 174.887507][ T9784] allocated 152-byte region [ffff88810b5fc600, ffff88810b5fc698) +[ 174.888766][ T9784] +[ 174.888976][ T9784] The buggy address belongs to the physical page: +[ 174.889533][ T9784] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b5fc +[ 174.890295][ T9784] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) +[ 174.890927][ T9784] page_type: f5(slab) +[ 174.891284][ T9784] raw: 057ff00000000000 ffff88801b4423c0 ffffea000426dc80 dead000000000002 +[ 174.892032][ T9784] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 +[ 174.892774][ T9784] page dumped because: kasan: bad access detected +[ 174.893327][ T9784] page_owner tracks the page as allocated +[ 174.893825][ T9784] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NO1 +[ 174.895373][ T9784] post_alloc_hook+0x1c0/0x230 +[ 174.895801][ T9784] get_page_from_freelist+0xdeb/0x3b30 +[ 174.896284][ T9784] __alloc_frozen_pages_noprof+0x25c/0x2460 +[ 174.896810][ T9784] alloc_pages_mpol+0x1fb/0x550 +[ 174.897242][ T9784] new_slab+0x23b/0x340 +[ 174.897614][ T9784] ___slab_alloc+0xd81/0x1960 +[ 174.898028][ T9784] __slab_alloc.isra.0+0x56/0xb0 +[ 174.898468][ T9784] __kmalloc_noprof+0x2b0/0x550 +[ 174.898896][ T9784] usb_alloc_urb+0x73/0xa0 +[ 174.899289][ T9784] usb_control_msg+0x1cb/0x4a0 +[ 174.899718][ T9784] usb_get_string+0xab/0x1a0 +[ 174.900133][ T9784] usb_string_sub+0x107/0x3c0 +[ 174.900549][ T9784] usb_string+0x307/0x670 +[ 174.900933][ T9784] usb_cache_string+0x80/0x150 +[ 174.901355][ T9784] usb_new_device+0x1d0/0x19d0 +[ 174.901786][ T9784] register_root_hub+0x299/0x730 +[ 174.902231][ T9784] page last free pid 10 tgid 10 stack trace: +[ 174.902757][ T9784] __free_frozen_pages+0x80c/0x1250 +[ 174.903217][ T9784] vfree.part.0+0x12b/0xab0 +[ 174.903645][ T9784] delayed_vfree_work+0x93/0xd0 +[ 174.904073][ T9784] process_one_work+0x9b5/0x1b80 +[ 174.904519][ T9784] worker_thread+0x630/0xe60 +[ 174.904927][ T9784] kthread+0x3a8/0x770 +[ 174.905291][ T9784] ret_from_fork+0x517/0x6e0 +[ 174.905709][ T9784] ret_from_fork_asm+0x1a/0x30 +[ 174.906128][ T9784] +[ 174.906338][ T9784] Memory state around the buggy address: +[ 174.906828][ T9784] ffff88810b5fc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 174.907528][ T9784] ffff88810b5fc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 174.908222][ T9784] >ffff88810b5fc680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 174.908917][ T9784] ^ +[ 174.909481][ T9784] ffff88810b5fc700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 174.910432][ T9784] ffff88810b5fc780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 174.911401][ T9784] ================================================================== + +The reason of the issue that code doesn't check the correctness +of the requested offset and length. As a result, incorrect value +of offset or/and length could result in access out of allocated +memory. + +This patch introduces is_bnode_offset_valid() method that checks +the requested offset value. Also, it introduces +check_and_correct_requested_length() method that checks and +correct the requested length (if it is necessary). These methods +are used in hfsplus_bnode_read(), hfsplus_bnode_write(), +hfsplus_bnode_clear(), hfsplus_bnode_copy(), and hfsplus_bnode_move() +with the goal to prevent the access out of allocated memory +and triggering the crash. + +Reported-by: Kun Hu +Reported-by: Jiaji Qin +Reported-by: Shuoran Bai +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250703214804.244077-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 92 insertions(+) + +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c +index 079ea80534f7..14f4995588ff 100644 +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -18,12 +18,68 @@ + #include "hfsplus_fs.h" + #include "hfsplus_raw.h" + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + /* Copy a specified range of bytes from the raw data of a node */ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) + { + struct page **pagep; + int l; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + off &= ~PAGE_MASK; +@@ -81,6 +137,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len) + struct page **pagep; + int l; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + off &= ~PAGE_MASK; +@@ -109,6 +179,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len) + struct page **pagep; + int l; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + off &= ~PAGE_MASK; +@@ -133,6 +217,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst, + hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(src_node, src, len); ++ len = check_and_correct_requested_length(dst_node, dst, len); ++ + src += src_node->page_offset; + dst += dst_node->page_offset; + src_page = src_node->page + (src >> PAGE_SHIFT); +@@ -187,6 +275,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len) + hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(node, src, len); ++ len = check_and_correct_requested_length(node, dst, len); ++ + src += node->page_offset; + dst += node->page_offset; + if (dst > src) { +-- +2.39.5 + diff --git a/queue-6.12/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch b/queue-6.12/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch new file mode 100644 index 0000000000..b9c33a52af --- /dev/null +++ b/queue-6.12/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch @@ -0,0 +1,177 @@ +From ca4ed2e0701e79eee0cb9414064b501771ee5d65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:08:30 -0700 +Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() + +From: Viacheslav Dubeyko + +[ Upstream commit 94458781aee6045bd3d0ad4b80b02886b9e2219b ] + +The hfsplus_readdir() method is capable to crash by calling +hfsplus_uni2asc(): + +[ 667.121659][ T9805] ================================================================== +[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10 +[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805 +[ 667.124578][ T9805] +[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full) +[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 667.124890][ T9805] Call Trace: +[ 667.124893][ T9805] +[ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0 +[ 667.124911][ T9805] print_report+0xd0/0x660 +[ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610 +[ 667.124928][ T9805] ? __phys_addr+0xe8/0x180 +[ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10 +[ 667.124942][ T9805] kasan_report+0xc6/0x100 +[ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10 +[ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10 +[ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360 +[ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0 +[ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10 +[ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0 +[ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20 +[ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0 +[ 667.125022][ T9805] ? lock_acquire+0x30/0x80 +[ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20 +[ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0 +[ 667.125044][ T9805] ? putname+0x154/0x1a0 +[ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10 +[ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0 +[ 667.125069][ T9805] iterate_dir+0x296/0xb20 +[ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0 +[ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10 +[ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200 +[ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10 +[ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0 +[ 667.125143][ T9805] do_syscall_64+0xc9/0x480 +[ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9 +[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9 +[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9 +[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004 +[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110 +[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260 +[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 667.125207][ T9805] +[ 667.125210][ T9805] +[ 667.145632][ T9805] Allocated by task 9805: +[ 667.145991][ T9805] kasan_save_stack+0x20/0x40 +[ 667.146352][ T9805] kasan_save_track+0x14/0x30 +[ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0 +[ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550 +[ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0 +[ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0 +[ 667.148174][ T9805] iterate_dir+0x296/0xb20 +[ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0 +[ 667.148937][ T9805] do_syscall_64+0xc9/0x480 +[ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 667.149809][ T9805] +[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000 +[ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048 +[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of +[ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c) +[ 667.152580][ T9805] +[ 667.152798][ T9805] The buggy address belongs to the physical page: +[ 667.153373][ T9805] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25928 +[ 667.154157][ T9805] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +[ 667.154916][ T9805] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) +[ 667.155631][ T9805] page_type: f5(slab) +[ 667.155997][ T9805] raw: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001 +[ 667.156770][ T9805] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 +[ 667.157536][ T9805] head: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001 +[ 667.158317][ T9805] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 +[ 667.159088][ T9805] head: 00fff00000000003 ffffea0000964a01 00000000ffffffff 00000000ffffffff +[ 667.159865][ T9805] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +[ 667.160643][ T9805] page dumped because: kasan: bad access detected +[ 667.161216][ T9805] page_owner tracks the page as allocated +[ 667.161732][ T9805] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN9 +[ 667.163566][ T9805] post_alloc_hook+0x1c0/0x230 +[ 667.164003][ T9805] get_page_from_freelist+0xdeb/0x3b30 +[ 667.164503][ T9805] __alloc_frozen_pages_noprof+0x25c/0x2460 +[ 667.165040][ T9805] alloc_pages_mpol+0x1fb/0x550 +[ 667.165489][ T9805] new_slab+0x23b/0x340 +[ 667.165872][ T9805] ___slab_alloc+0xd81/0x1960 +[ 667.166313][ T9805] __slab_alloc.isra.0+0x56/0xb0 +[ 667.166767][ T9805] __kmalloc_cache_noprof+0x255/0x3e0 +[ 667.167255][ T9805] psi_cgroup_alloc+0x52/0x2d0 +[ 667.167693][ T9805] cgroup_mkdir+0x694/0x1210 +[ 667.168118][ T9805] kernfs_iop_mkdir+0x111/0x190 +[ 667.168568][ T9805] vfs_mkdir+0x59b/0x8d0 +[ 667.168956][ T9805] do_mkdirat+0x2ed/0x3d0 +[ 667.169353][ T9805] __x64_sys_mkdir+0xef/0x140 +[ 667.169784][ T9805] do_syscall_64+0xc9/0x480 +[ 667.170195][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 667.170730][ T9805] page last free pid 1257 tgid 1257 stack trace: +[ 667.171304][ T9805] __free_frozen_pages+0x80c/0x1250 +[ 667.171770][ T9805] vfree.part.0+0x12b/0xab0 +[ 667.172182][ T9805] delayed_vfree_work+0x93/0xd0 +[ 667.172612][ T9805] process_one_work+0x9b5/0x1b80 +[ 667.173067][ T9805] worker_thread+0x630/0xe60 +[ 667.173486][ T9805] kthread+0x3a8/0x770 +[ 667.173857][ T9805] ret_from_fork+0x517/0x6e0 +[ 667.174278][ T9805] ret_from_fork_asm+0x1a/0x30 +[ 667.174703][ T9805] +[ 667.174917][ T9805] Memory state around the buggy address: +[ 667.175411][ T9805] ffff88802592f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 667.176114][ T9805] ffff88802592f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 667.176830][ T9805] >ffff88802592f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 667.177547][ T9805] ^ +[ 667.177933][ T9805] ffff88802592f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 667.178640][ T9805] ffff88802592f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 667.179350][ T9805] ================================================================== + +The hfsplus_uni2asc() method operates by struct hfsplus_unistr: + +struct hfsplus_unistr { + __be16 length; + hfsplus_unichr unicode[HFSPLUS_MAX_STRLEN]; +} __packed; + +where HFSPLUS_MAX_STRLEN is 255 bytes. The issue happens if length +of the structure instance has value bigger than 255 (for example, +65283). In such case, pointer on unicode buffer is going beyond of +the allocated memory. + +The patch fixes the issue by checking the length value of +hfsplus_unistr instance and using 255 value in the case if length +value is bigger than HFSPLUS_MAX_STRLEN. Potential reason of such +situation could be a corruption of Catalog File b-tree's node. + +Reported-by: Wenzhi Wang +Signed-off-by: Liu Shixin +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Reviewed-by: Yangtao Li +Link: https://lore.kernel.org/r/20250710230830.110500-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/unicode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c +index 73342c925a4b..36b6cf2a3abb 100644 +--- a/fs/hfsplus/unicode.c ++++ b/fs/hfsplus/unicode.c +@@ -132,7 +132,14 @@ int hfsplus_uni2asc(struct super_block *sb, + + op = astr; + ip = ustr->unicode; ++ + ustrlen = be16_to_cpu(ustr->length); ++ if (ustrlen > HFSPLUS_MAX_STRLEN) { ++ ustrlen = HFSPLUS_MAX_STRLEN; ++ pr_err("invalid length %u has been corrected to %d\n", ++ be16_to_cpu(ustr->length), ustrlen); ++ } ++ + len = *len_p; + ce1 = NULL; + compose = !test_bit(HFSPLUS_SB_NODECOMPOSE, &HFSPLUS_SB(sb)->flags); +-- +2.39.5 + diff --git a/queue-6.12/hwmon-emc2305-set-initial-pwm-minimum-value-during-p.patch b/queue-6.12/hwmon-emc2305-set-initial-pwm-minimum-value-during-p.patch new file mode 100644 index 0000000000..46bc96e8c5 --- /dev/null +++ b/queue-6.12/hwmon-emc2305-set-initial-pwm-minimum-value-during-p.patch @@ -0,0 +1,56 @@ +From 7c34e3c06f1a698f239b8e63c3166fde556ffa89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 14:31:25 +0300 +Subject: hwmon: (emc2305) Set initial PWM minimum value during probe based on + thermal state + +From: Florin Leotescu + +[ Upstream commit 0429415a084a15466e87d504e8c2a502488184a5 ] + +Prevent the PWM value from being set to minimum when thermal zone +temperature exceeds any trip point during driver probe. Otherwise, the +PWM fan speed will remains at minimum speed and not respond to +temperature changes. + +Signed-off-by: Florin Leotescu +Link: https://lore.kernel.org/r/20250603113125.3175103-5-florin.leotescu@oss.nxp.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/emc2305.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/emc2305.c b/drivers/hwmon/emc2305.c +index 4d39fbd83769..5b5fccac9635 100644 +--- a/drivers/hwmon/emc2305.c ++++ b/drivers/hwmon/emc2305.c +@@ -300,6 +300,12 @@ static int emc2305_set_single_tz(struct device *dev, int idx) + dev_err(dev, "Failed to register cooling device %s\n", emc2305_fan_name[idx]); + return PTR_ERR(data->cdev_data[cdev_idx].cdev); + } ++ ++ if (data->cdev_data[cdev_idx].cur_state > 0) ++ /* Update pwm when temperature is above trips */ ++ pwm = EMC2305_PWM_STATE2DUTY(data->cdev_data[cdev_idx].cur_state, ++ data->max_state, EMC2305_FAN_MAX); ++ + /* Set minimal PWM speed. */ + if (data->pwm_separate) { + ret = emc2305_set_pwm(dev, pwm, cdev_idx); +@@ -313,10 +319,10 @@ static int emc2305_set_single_tz(struct device *dev, int idx) + } + } + data->cdev_data[cdev_idx].cur_state = +- EMC2305_PWM_DUTY2STATE(data->pwm_min[cdev_idx], data->max_state, ++ EMC2305_PWM_DUTY2STATE(pwm, data->max_state, + EMC2305_FAN_MAX); + data->cdev_data[cdev_idx].last_hwmon_state = +- EMC2305_PWM_DUTY2STATE(data->pwm_min[cdev_idx], data->max_state, ++ EMC2305_PWM_DUTY2STATE(pwm, data->max_state, + EMC2305_FAN_MAX); + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch b/queue-6.12/i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch new file mode 100644 index 0000000000..d97475c69b --- /dev/null +++ b/queue-6.12/i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch @@ -0,0 +1,39 @@ +From d8c17584ac827ed8916ccfe3fe28d793188bb1bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Aug 2025 07:15:54 +0800 +Subject: i2c: Force DLL0945 touchpad i2c freq to 100khz + +From: fangzhong.zhou + +[ Upstream commit 0b7c9528facdb5a73ad78fea86d2e95a6c48dbc4 ] + +This patch fixes an issue where the touchpad cursor movement becomes +slow on the Dell Precision 5560. Force the touchpad freq to 100khz +as a workaround. + +Tested on Dell Precision 5560 with 6.14 to 6.14.6. Cursor movement +is now smooth and responsive. + +Signed-off-by: fangzhong.zhou +[wsa: kept sorting and removed unnecessary parts from commit msg] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-acpi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +index d2499f302b50..f43067f6797e 100644 +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -370,6 +370,7 @@ static const struct acpi_device_id i2c_acpi_force_100khz_device_ids[] = { + * the device works without issues on Windows at what is expected to be + * a 400KHz frequency. The root cause of the issue is not known. + */ ++ { "DLL0945", 0 }, + { "ELAN06FA", 0 }, + {} + }; +-- +2.39.5 + diff --git a/queue-6.12/i3c-add-missing-include-to-internal-header.patch b/queue-6.12/i3c-add-missing-include-to-internal-header.patch new file mode 100644 index 0000000000..8370daff79 --- /dev/null +++ b/queue-6.12/i3c-add-missing-include-to-internal-header.patch @@ -0,0 +1,44 @@ +From 07b8ef4c6815c796b34ac2915ed0ae0dc52719c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 14:00:47 +0200 +Subject: i3c: add missing include to internal header + +From: Wolfram Sang + +[ Upstream commit 3b661ca549b9e5bb11d0bc97ada6110aac3282d2 ] + +LKP found a random config which failed to build because IO accessors +were not defined: + + In file included from drivers/i3c/master.c:21: + drivers/i3c/internals.h: In function 'i3c_writel_fifo': +>> drivers/i3c/internals.h:35:9: error: implicit declaration of function 'writesl' [-Werror=implicit-function-declaration] + +Add the proper header to where the IO accessors are used. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202507150208.BZDzzJ5E-lkp@intel.com/ +Signed-off-by: Wolfram Sang +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250717120046.9022-2-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/internals.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i3c/internals.h b/drivers/i3c/internals.h +index 433f6088b7ce..ce04aa4f269e 100644 +--- a/drivers/i3c/internals.h ++++ b/drivers/i3c/internals.h +@@ -9,6 +9,7 @@ + #define I3C_INTERNALS_H + + #include ++#include + + void i3c_bus_normaluse_lock(struct i3c_bus *bus); + void i3c_bus_normaluse_unlock(struct i3c_bus *bus); +-- +2.39.5 + diff --git a/queue-6.12/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch b/queue-6.12/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch new file mode 100644 index 0000000000..a2d362435b --- /dev/null +++ b/queue-6.12/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch @@ -0,0 +1,43 @@ +From 09e7a5be8631877c7f2f4443a7de067d2a7bc7be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 22:44:32 +0200 +Subject: i3c: don't fail if GETHDRCAP is unsupported + +From: Wolfram Sang + +[ Upstream commit 447270cdb41b1c8c3621bb14b93a6749f942556e ] + +'I3C_BCR_HDR_CAP' is still spec v1.0 and has been renamed to 'advanced +capabilities' in v1.1 onwards. The ST pressure sensor LPS22DF does not +have HDR, but has the 'advanced cap' bit set. The core still wants to +get additional information using the CCC 'GETHDRCAP' (or GETCAPS in v1.1 +onwards). Not all controllers support this CCC and will notify the upper +layers about it. For instantiating the device, we can ignore this +unsupported CCC as standard communication will work. Without this patch, +the device will not be instantiated at all. + +Signed-off-by: Wolfram Sang +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250704204524.6124-1-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 7c1dc42b809b..9b7a34f9eca2 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -1439,7 +1439,7 @@ static int i3c_master_retrieve_dev_info(struct i3c_dev_desc *dev) + + if (dev->info.bcr & I3C_BCR_HDR_CAP) { + ret = i3c_master_gethdrcap_locked(master, &dev->info); +- if (ret) ++ if (ret && ret != -ENOTSUPP) + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.12/i3c-master-initialize-ret-in-i3c_i2c_notifier_call.patch b/queue-6.12/i3c-master-initialize-ret-in-i3c_i2c_notifier_call.patch new file mode 100644 index 0000000000..565eb66104 --- /dev/null +++ b/queue-6.12/i3c-master-initialize-ret-in-i3c_i2c_notifier_call.patch @@ -0,0 +1,37 @@ +From cc403dd4896094be30d9aad477710b8160a987ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Jun 2025 12:11:07 +0200 +Subject: i3c: master: Initialize ret in i3c_i2c_notifier_call() + +From: Jorge Marques + +[ Upstream commit 290ce8b2d0745e45a3155268184523a8c75996f1 ] + +Set ret to -EINVAL if i3c_i2c_notifier_call() receives an invalid +action, resolving uninitialized warning. + +Signed-off-by: Jorge Marques +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250622-i3c-master-ret-uninitialized-v1-1-aabb5625c932@analog.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 9b7a34f9eca2..c8e5c9291ea4 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -2471,6 +2471,8 @@ static int i3c_i2c_notifier_call(struct notifier_block *nb, unsigned long action + case BUS_NOTIFY_DEL_DEVICE: + ret = i3c_master_i2c_detach(adap, client); + break; ++ default: ++ ret = -EINVAL; + } + i3c_bus_maintenance_unlock(&master->bus); + +-- +2.39.5 + diff --git a/queue-6.12/idpf-preserve-coalescing-settings-across-resets.patch b/queue-6.12/idpf-preserve-coalescing-settings-across-resets.patch new file mode 100644 index 0000000000..99ea49b707 --- /dev/null +++ b/queue-6.12/idpf-preserve-coalescing-settings-across-resets.patch @@ -0,0 +1,304 @@ +From 24c776d6ae7d3a798db01bbc28dfb25aa5ff7768 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 11:15:48 -0600 +Subject: idpf: preserve coalescing settings across resets + +From: Ahmed Zaki + +[ Upstream commit e1e3fec3e34b4934a9d2c98e4ee00a4d87b19179 ] + +The IRQ coalescing config currently reside only inside struct +idpf_q_vector. However, all idpf_q_vector structs are de-allocated and +re-allocated during resets. This leads to user-set coalesce configuration +to be lost. + +Add new fields to struct idpf_vport_user_config_data to save the user +settings and re-apply them after reset. + +Reviewed-by: Madhu Chittim +Signed-off-by: Ahmed Zaki +Reviewed-by: Simon Horman +Reviewed-by: Willem de Bruijn +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf.h | 19 ++++++++++ + .../net/ethernet/intel/idpf/idpf_ethtool.c | 36 ++++++++++++++----- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 18 +++++++++- + drivers/net/ethernet/intel/idpf/idpf_main.c | 1 + + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 13 ++++--- + 5 files changed, 74 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h +index 70dbf80f3bb7..a2b346d91879 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf.h ++++ b/drivers/net/ethernet/intel/idpf/idpf.h +@@ -369,10 +369,28 @@ struct idpf_rss_data { + u32 *cached_lut; + }; + ++/** ++ * struct idpf_q_coalesce - User defined coalescing configuration values for ++ * a single queue. ++ * @tx_intr_mode: Dynamic TX ITR or not ++ * @rx_intr_mode: Dynamic RX ITR or not ++ * @tx_coalesce_usecs: TX interrupt throttling rate ++ * @rx_coalesce_usecs: RX interrupt throttling rate ++ * ++ * Used to restore user coalescing configuration after a reset. ++ */ ++struct idpf_q_coalesce { ++ u32 tx_intr_mode; ++ u32 rx_intr_mode; ++ u32 tx_coalesce_usecs; ++ u32 rx_coalesce_usecs; ++}; ++ + /** + * struct idpf_vport_user_config_data - User defined configuration values for + * each vport. + * @rss_data: See struct idpf_rss_data ++ * @q_coalesce: Array of per queue coalescing data + * @num_req_tx_qs: Number of user requested TX queues through ethtool + * @num_req_rx_qs: Number of user requested RX queues through ethtool + * @num_req_txq_desc: Number of user requested TX queue descriptors through +@@ -386,6 +404,7 @@ struct idpf_rss_data { + */ + struct idpf_vport_user_config_data { + struct idpf_rss_data rss_data; ++ struct idpf_q_coalesce *q_coalesce; + u16 num_req_tx_qs; + u16 num_req_rx_qs; + u32 num_req_txq_desc; +diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +index f72420cf6821..f0f0ced0d95f 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +@@ -1089,12 +1089,14 @@ static int idpf_get_per_q_coalesce(struct net_device *netdev, u32 q_num, + /** + * __idpf_set_q_coalesce - set ITR values for specific queue + * @ec: ethtool structure from user to update ITR settings ++ * @q_coal: per queue coalesce settings + * @qv: queue vector for which itr values has to be set + * @is_rxq: is queue type rx + * + * Returns 0 on success, negative otherwise. + */ + static int __idpf_set_q_coalesce(const struct ethtool_coalesce *ec, ++ struct idpf_q_coalesce *q_coal, + struct idpf_q_vector *qv, bool is_rxq) + { + u32 use_adaptive_coalesce, coalesce_usecs; +@@ -1138,20 +1140,25 @@ static int __idpf_set_q_coalesce(const struct ethtool_coalesce *ec, + + if (is_rxq) { + qv->rx_itr_value = coalesce_usecs; ++ q_coal->rx_coalesce_usecs = coalesce_usecs; + if (use_adaptive_coalesce) { + qv->rx_intr_mode = IDPF_ITR_DYNAMIC; ++ q_coal->rx_intr_mode = IDPF_ITR_DYNAMIC; + } else { + qv->rx_intr_mode = !IDPF_ITR_DYNAMIC; +- idpf_vport_intr_write_itr(qv, qv->rx_itr_value, +- false); ++ q_coal->rx_intr_mode = !IDPF_ITR_DYNAMIC; ++ idpf_vport_intr_write_itr(qv, coalesce_usecs, false); + } + } else { + qv->tx_itr_value = coalesce_usecs; ++ q_coal->tx_coalesce_usecs = coalesce_usecs; + if (use_adaptive_coalesce) { + qv->tx_intr_mode = IDPF_ITR_DYNAMIC; ++ q_coal->tx_intr_mode = IDPF_ITR_DYNAMIC; + } else { + qv->tx_intr_mode = !IDPF_ITR_DYNAMIC; +- idpf_vport_intr_write_itr(qv, qv->tx_itr_value, true); ++ q_coal->tx_intr_mode = !IDPF_ITR_DYNAMIC; ++ idpf_vport_intr_write_itr(qv, coalesce_usecs, true); + } + } + +@@ -1164,6 +1171,7 @@ static int __idpf_set_q_coalesce(const struct ethtool_coalesce *ec, + /** + * idpf_set_q_coalesce - set ITR values for specific queue + * @vport: vport associated to the queue that need updating ++ * @q_coal: per queue coalesce settings + * @ec: coalesce settings to program the device with + * @q_num: update ITR/INTRL (coalesce) settings for this queue number/index + * @is_rxq: is queue type rx +@@ -1171,6 +1179,7 @@ static int __idpf_set_q_coalesce(const struct ethtool_coalesce *ec, + * Return 0 on success, and negative on failure + */ + static int idpf_set_q_coalesce(const struct idpf_vport *vport, ++ struct idpf_q_coalesce *q_coal, + const struct ethtool_coalesce *ec, + int q_num, bool is_rxq) + { +@@ -1179,7 +1188,7 @@ static int idpf_set_q_coalesce(const struct idpf_vport *vport, + qv = is_rxq ? idpf_find_rxq_vec(vport, q_num) : + idpf_find_txq_vec(vport, q_num); + +- if (qv && __idpf_set_q_coalesce(ec, qv, is_rxq)) ++ if (qv && __idpf_set_q_coalesce(ec, q_coal, qv, is_rxq)) + return -EINVAL; + + return 0; +@@ -1200,9 +1209,13 @@ static int idpf_set_coalesce(struct net_device *netdev, + struct netlink_ext_ack *extack) + { + struct idpf_netdev_priv *np = netdev_priv(netdev); ++ struct idpf_vport_user_config_data *user_config; ++ struct idpf_q_coalesce *q_coal; + struct idpf_vport *vport; + int i, err = 0; + ++ user_config = &np->adapter->vport_config[np->vport_idx]->user_config; ++ + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); + +@@ -1210,13 +1223,15 @@ static int idpf_set_coalesce(struct net_device *netdev, + goto unlock_mutex; + + for (i = 0; i < vport->num_txq; i++) { +- err = idpf_set_q_coalesce(vport, ec, i, false); ++ q_coal = &user_config->q_coalesce[i]; ++ err = idpf_set_q_coalesce(vport, q_coal, ec, i, false); + if (err) + goto unlock_mutex; + } + + for (i = 0; i < vport->num_rxq; i++) { +- err = idpf_set_q_coalesce(vport, ec, i, true); ++ q_coal = &user_config->q_coalesce[i]; ++ err = idpf_set_q_coalesce(vport, q_coal, ec, i, true); + if (err) + goto unlock_mutex; + } +@@ -1238,20 +1253,25 @@ static int idpf_set_coalesce(struct net_device *netdev, + static int idpf_set_per_q_coalesce(struct net_device *netdev, u32 q_num, + struct ethtool_coalesce *ec) + { ++ struct idpf_netdev_priv *np = netdev_priv(netdev); ++ struct idpf_vport_user_config_data *user_config; ++ struct idpf_q_coalesce *q_coal; + struct idpf_vport *vport; + int err; + + idpf_vport_ctrl_lock(netdev); + vport = idpf_netdev_to_vport(netdev); ++ user_config = &np->adapter->vport_config[np->vport_idx]->user_config; ++ q_coal = &user_config->q_coalesce[q_num]; + +- err = idpf_set_q_coalesce(vport, ec, q_num, false); ++ err = idpf_set_q_coalesce(vport, q_coal, ec, q_num, false); + if (err) { + idpf_vport_ctrl_unlock(netdev); + + return err; + } + +- err = idpf_set_q_coalesce(vport, ec, q_num, true); ++ err = idpf_set_q_coalesce(vport, q_coal, ec, q_num, true); + + idpf_vport_ctrl_unlock(netdev); + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 746b65533727..1468a0f0df2b 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -1089,8 +1089,10 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter, + if (!vport) + return vport; + ++ num_max_q = max(max_q->max_txq, max_q->max_rxq); + if (!adapter->vport_config[idx]) { + struct idpf_vport_config *vport_config; ++ struct idpf_q_coalesce *q_coal; + + vport_config = kzalloc(sizeof(*vport_config), GFP_KERNEL); + if (!vport_config) { +@@ -1099,6 +1101,21 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter, + return NULL; + } + ++ q_coal = kcalloc(num_max_q, sizeof(*q_coal), GFP_KERNEL); ++ if (!q_coal) { ++ kfree(vport_config); ++ kfree(vport); ++ ++ return NULL; ++ } ++ for (int i = 0; i < num_max_q; i++) { ++ q_coal[i].tx_intr_mode = IDPF_ITR_DYNAMIC; ++ q_coal[i].tx_coalesce_usecs = IDPF_ITR_TX_DEF; ++ q_coal[i].rx_intr_mode = IDPF_ITR_DYNAMIC; ++ q_coal[i].rx_coalesce_usecs = IDPF_ITR_RX_DEF; ++ } ++ vport_config->user_config.q_coalesce = q_coal; ++ + adapter->vport_config[idx] = vport_config; + } + +@@ -1108,7 +1125,6 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter, + vport->default_vport = adapter->num_alloc_vports < + idpf_get_default_vports(adapter); + +- num_max_q = max(max_q->max_txq, max_q->max_rxq); + vport->q_vector_idxs = kcalloc(num_max_q, sizeof(u16), GFP_KERNEL); + if (!vport->q_vector_idxs) + goto free_vport; +diff --git a/drivers/net/ethernet/intel/idpf/idpf_main.c b/drivers/net/ethernet/intel/idpf/idpf_main.c +index 734da1680c5a..4c48a1a6aab0 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_main.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_main.c +@@ -62,6 +62,7 @@ static void idpf_remove(struct pci_dev *pdev) + destroy_workqueue(adapter->vc_event_wq); + + for (i = 0; i < adapter->max_vports; i++) { ++ kfree(adapter->vport_config[i]->user_config.q_coalesce); + kfree(adapter->vport_config[i]); + adapter->vport_config[i] = NULL; + } +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +index c6c36de58b9d..4086a6ef352e 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +@@ -4190,9 +4190,13 @@ static void idpf_vport_intr_napi_add_all(struct idpf_vport *vport) + int idpf_vport_intr_alloc(struct idpf_vport *vport) + { + u16 txqs_per_vector, rxqs_per_vector, bufqs_per_vector; ++ struct idpf_vport_user_config_data *user_config; + struct idpf_q_vector *q_vector; ++ struct idpf_q_coalesce *q_coal; + u32 complqs_per_vector, v_idx; ++ u16 idx = vport->idx; + ++ user_config = &vport->adapter->vport_config[idx]->user_config; + vport->q_vectors = kcalloc(vport->num_q_vectors, + sizeof(struct idpf_q_vector), GFP_KERNEL); + if (!vport->q_vectors) +@@ -4210,14 +4214,15 @@ int idpf_vport_intr_alloc(struct idpf_vport *vport) + + for (v_idx = 0; v_idx < vport->num_q_vectors; v_idx++) { + q_vector = &vport->q_vectors[v_idx]; ++ q_coal = &user_config->q_coalesce[v_idx]; + q_vector->vport = vport; + +- q_vector->tx_itr_value = IDPF_ITR_TX_DEF; +- q_vector->tx_intr_mode = IDPF_ITR_DYNAMIC; ++ q_vector->tx_itr_value = q_coal->tx_coalesce_usecs; ++ q_vector->tx_intr_mode = q_coal->tx_intr_mode; + q_vector->tx_itr_idx = VIRTCHNL2_ITR_IDX_1; + +- q_vector->rx_itr_value = IDPF_ITR_RX_DEF; +- q_vector->rx_intr_mode = IDPF_ITR_DYNAMIC; ++ q_vector->rx_itr_value = q_coal->rx_coalesce_usecs; ++ q_vector->rx_intr_mode = q_coal->rx_intr_mode; + q_vector->rx_itr_idx = VIRTCHNL2_ITR_IDX_0; + + if (!zalloc_cpumask_var(&q_vector->affinity_mask, GFP_KERNEL)) +-- +2.39.5 + diff --git a/queue-6.12/iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch b/queue-6.12/iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch new file mode 100644 index 0000000000..8b406c78bd --- /dev/null +++ b/queue-6.12/iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch @@ -0,0 +1,70 @@ +From c0451bebddd23d8607547de7ae056fb725e65742 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 16:35:21 -0300 +Subject: iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Santos + +[ Upstream commit 7e54d932873d91a55d1b89b7389876d78aeeab32 ] + +The SYNC_IN pulse width must be at least 1.5 x Tmclk, corresponding to +~2.5 µs at the lowest supported MCLK frequency. Add a 3 µs delay to +ensure reliable synchronization timing even for the worst-case scenario. + +Signed-off-by: Jonathan Santos +Reviewed-by: David Lechner +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/d3ee92a533cd1207cf5c5cc4d7bdbb5c6c267f68.1749063024.git.Jonathan.Santos@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7768-1.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c +index a9248a85466e..7956948166ab 100644 +--- a/drivers/iio/adc/ad7768-1.c ++++ b/drivers/iio/adc/ad7768-1.c +@@ -203,6 +203,24 @@ static int ad7768_spi_reg_write(struct ad7768_state *st, + return spi_write(st->spi, st->data.d8, 2); + } + ++static int ad7768_send_sync_pulse(struct ad7768_state *st) ++{ ++ /* ++ * The datasheet specifies a minimum SYNC_IN pulse width of 1.5 × Tmclk, ++ * where Tmclk is the MCLK period. The supported MCLK frequencies range ++ * from 0.6 MHz to 17 MHz, which corresponds to a minimum SYNC_IN pulse ++ * width of approximately 2.5 µs in the worst-case scenario (0.6 MHz). ++ * ++ * Add a delay to ensure the pulse width is always sufficient to ++ * trigger synchronization. ++ */ ++ gpiod_set_value_cansleep(st->gpio_sync_in, 1); ++ fsleep(3); ++ gpiod_set_value_cansleep(st->gpio_sync_in, 0); ++ ++ return 0; ++} ++ + static int ad7768_set_mode(struct ad7768_state *st, + enum ad7768_conv_mode mode) + { +@@ -288,10 +306,7 @@ static int ad7768_set_dig_fil(struct ad7768_state *st, + return ret; + + /* A sync-in pulse is required every time the filter dec rate changes */ +- gpiod_set_value(st->gpio_sync_in, 1); +- gpiod_set_value(st->gpio_sync_in, 0); +- +- return 0; ++ return ad7768_send_sync_pulse(st); + } + + static int ad7768_set_freq(struct ad7768_state *st, +-- +2.39.5 + diff --git a/queue-6.12/iio-adc-ad_sigma_delta-don-t-overallocate-scan-buffe.patch b/queue-6.12/iio-adc-ad_sigma_delta-don-t-overallocate-scan-buffe.patch new file mode 100644 index 0000000000..dc2895ff84 --- /dev/null +++ b/queue-6.12/iio-adc-ad_sigma_delta-don-t-overallocate-scan-buffe.patch @@ -0,0 +1,42 @@ +From 4978f1e8dd4ab87facf5a6fcac2f536ae57b44bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 16:37:49 -0500 +Subject: iio: adc: ad_sigma_delta: don't overallocate scan buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Lechner + +[ Upstream commit 5a2f15c5a8e017d0951e6dc62aa7b5b634f56881 ] + +Fix overallocating the size of the scan buffer by converting bits to +bytes. The size is meant to be in bytes, so scanbits needs to be +divided by 8. + +Signed-off-by: David Lechner +Reviewed-by: Andy Shevchenko +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20250701-iio-adc-ad7173-add-spi-offload-support-v3-1-42abb83e3dac@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad_sigma_delta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c +index 3df1d4f6bc95..39196a2862cf 100644 +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -379,7 +379,7 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev) + return ret; + } + +- samples_buf_size = ALIGN(slot * indio_dev->channels[0].scan_type.storagebits, 8); ++ samples_buf_size = ALIGN(slot * indio_dev->channels[0].scan_type.storagebits / 8, 8); + samples_buf_size += sizeof(int64_t); + samples_buf = devm_krealloc(&sigma_delta->spi->dev, sigma_delta->samples_buf, + samples_buf_size, GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.12/imx8m-blk-ctrl-set-isi-panic-write-hurry-level.patch b/queue-6.12/imx8m-blk-ctrl-set-isi-panic-write-hurry-level.patch new file mode 100644 index 0000000000..bda78f0155 --- /dev/null +++ b/queue-6.12/imx8m-blk-ctrl-set-isi-panic-write-hurry-level.patch @@ -0,0 +1,55 @@ +From be8103a7a3ef049e936f3c7728e76c4063a0833f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 11:26:55 +0200 +Subject: imx8m-blk-ctrl: set ISI panic write hurry level +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Hałasa + +[ Upstream commit c01fba0b4869cada5403fffff416cd1675dba078 ] + +Apparently, ISI needs cache settings similar to LCDIF. +Otherwise we get artefacts in the image. +Tested on i.MX8MP. + +Signed-off-by: Krzysztof Hałasa +Link: https://lore.kernel.org/r/m3ldr69lsw.fsf@t19.piap.pl +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/pmdomain/imx/imx8m-blk-ctrl.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/pmdomain/imx/imx8m-blk-ctrl.c b/drivers/pmdomain/imx/imx8m-blk-ctrl.c +index ca942d7929c2..8b7b175f5896 100644 +--- a/drivers/pmdomain/imx/imx8m-blk-ctrl.c ++++ b/drivers/pmdomain/imx/imx8m-blk-ctrl.c +@@ -665,6 +665,11 @@ static const struct imx8m_blk_ctrl_data imx8mn_disp_blk_ctl_dev_data = { + #define LCDIF_1_RD_HURRY GENMASK(15, 13) + #define LCDIF_0_RD_HURRY GENMASK(12, 10) + ++#define ISI_CACHE_CTRL 0x50 ++#define ISI_V_WR_HURRY GENMASK(28, 26) ++#define ISI_U_WR_HURRY GENMASK(25, 23) ++#define ISI_Y_WR_HURRY GENMASK(22, 20) ++ + static int imx8mp_media_power_notifier(struct notifier_block *nb, + unsigned long action, void *data) + { +@@ -694,6 +699,11 @@ static int imx8mp_media_power_notifier(struct notifier_block *nb, + regmap_set_bits(bc->regmap, LCDIF_ARCACHE_CTRL, + FIELD_PREP(LCDIF_1_RD_HURRY, 7) | + FIELD_PREP(LCDIF_0_RD_HURRY, 7)); ++ /* Same here for ISI */ ++ regmap_set_bits(bc->regmap, ISI_CACHE_CTRL, ++ FIELD_PREP(ISI_V_WR_HURRY, 7) | ++ FIELD_PREP(ISI_U_WR_HURRY, 7) | ++ FIELD_PREP(ISI_Y_WR_HURRY, 7)); + } + + return NOTIFY_OK; +-- +2.39.5 + diff --git a/queue-6.12/ionic-clean-dbpage-in-de-init.patch b/queue-6.12/ionic-clean-dbpage-in-de-init.patch new file mode 100644 index 0000000000..e889d83133 --- /dev/null +++ b/queue-6.12/ionic-clean-dbpage-in-de-init.patch @@ -0,0 +1,55 @@ +From 1a4febd4a78ed3693911be8010453eb3efb6fc57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 14:46:43 -0700 +Subject: ionic: clean dbpage in de-init + +From: Shannon Nelson + +[ Upstream commit c9080abea1e69b8b1408ec7dec0acdfdc577a3e2 ] + +Since the kern_dbpage gets set up in ionic_lif_init() and that +function's error path will clean it if needed, the kern_dbpage +on teardown should be cleaned in ionic_lif_deinit(), not in +ionic_lif_free(). As it is currently we get a double call +to iounmap() on kern_dbpage if the PCI ionic fails setting up +the lif. One example of this is when firmware isn't responding +to AdminQ requests and ionic's first AdminQ call fails to +setup the NotifyQ. + +Signed-off-by: Shannon Nelson +Reviewed-by: Simon Horman +Reviewed-by: Joe Damato +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 3d3f936779f7..d6bea7152805 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -3526,10 +3526,6 @@ void ionic_lif_free(struct ionic_lif *lif) + lif->info = NULL; + lif->info_pa = 0; + +- /* unmap doorbell page */ +- ionic_bus_unmap_dbpage(lif->ionic, lif->kern_dbpage); +- lif->kern_dbpage = NULL; +- + mutex_destroy(&lif->config_lock); + mutex_destroy(&lif->queue_lock); + +@@ -3555,6 +3551,9 @@ void ionic_lif_deinit(struct ionic_lif *lif) + ionic_lif_qcq_deinit(lif, lif->notifyqcq); + ionic_lif_qcq_deinit(lif, lif->adminqcq); + ++ ionic_bus_unmap_dbpage(lif->ionic, lif->kern_dbpage); ++ lif->kern_dbpage = NULL; ++ + ionic_lif_reset(lif); + } + +-- +2.39.5 + diff --git a/queue-6.12/ipmi-fix-strcpy-source-and-destination-the-same.patch b/queue-6.12/ipmi-fix-strcpy-source-and-destination-the-same.patch new file mode 100644 index 0000000000..52bcac236f --- /dev/null +++ b/queue-6.12/ipmi-fix-strcpy-source-and-destination-the-same.patch @@ -0,0 +1,150 @@ +From 8b0aea1371247b3d5d5fe10e099bb62b9b54b4a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 19:06:26 -0500 +Subject: ipmi: Fix strcpy source and destination the same + +From: Corey Minyard + +[ Upstream commit 8ffcb7560b4a15faf821df95e3ab532b2b020f8c ] + +The source and destination of some strcpy operations was the same. +Split out the part of the operations that needed to be done for those +particular calls so the unnecessary copy wasn't done. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506140756.EFXXvIP4-lkp@intel.com/ +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_watchdog.c | 59 ++++++++++++++++++++++--------- + 1 file changed, 42 insertions(+), 17 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c +index 335eea80054e..37ab5806b1a4 100644 +--- a/drivers/char/ipmi/ipmi_watchdog.c ++++ b/drivers/char/ipmi/ipmi_watchdog.c +@@ -1189,14 +1189,8 @@ static struct ipmi_smi_watcher smi_watcher = { + .smi_gone = ipmi_smi_gone + }; + +-static int action_op(const char *inval, char *outval) ++static int action_op_set_val(const char *inval) + { +- if (outval) +- strcpy(outval, action); +- +- if (!inval) +- return 0; +- + if (strcmp(inval, "reset") == 0) + action_val = WDOG_TIMEOUT_RESET; + else if (strcmp(inval, "none") == 0) +@@ -1207,18 +1201,26 @@ static int action_op(const char *inval, char *outval) + action_val = WDOG_TIMEOUT_POWER_DOWN; + else + return -EINVAL; +- strcpy(action, inval); + return 0; + } + +-static int preaction_op(const char *inval, char *outval) ++static int action_op(const char *inval, char *outval) + { ++ int rv; ++ + if (outval) +- strcpy(outval, preaction); ++ strcpy(outval, action); + + if (!inval) + return 0; ++ rv = action_op_set_val(inval); ++ if (!rv) ++ strcpy(action, inval); ++ return rv; ++} + ++static int preaction_op_set_val(const char *inval) ++{ + if (strcmp(inval, "pre_none") == 0) + preaction_val = WDOG_PRETIMEOUT_NONE; + else if (strcmp(inval, "pre_smi") == 0) +@@ -1231,18 +1233,26 @@ static int preaction_op(const char *inval, char *outval) + preaction_val = WDOG_PRETIMEOUT_MSG_INT; + else + return -EINVAL; +- strcpy(preaction, inval); + return 0; + } + +-static int preop_op(const char *inval, char *outval) ++static int preaction_op(const char *inval, char *outval) + { ++ int rv; ++ + if (outval) +- strcpy(outval, preop); ++ strcpy(outval, preaction); + + if (!inval) + return 0; ++ rv = preaction_op_set_val(inval); ++ if (!rv) ++ strcpy(preaction, inval); ++ return 0; ++} + ++static int preop_op_set_val(const char *inval) ++{ + if (strcmp(inval, "preop_none") == 0) + preop_val = WDOG_PREOP_NONE; + else if (strcmp(inval, "preop_panic") == 0) +@@ -1251,7 +1261,22 @@ static int preop_op(const char *inval, char *outval) + preop_val = WDOG_PREOP_GIVE_DATA; + else + return -EINVAL; +- strcpy(preop, inval); ++ return 0; ++} ++ ++static int preop_op(const char *inval, char *outval) ++{ ++ int rv; ++ ++ if (outval) ++ strcpy(outval, preop); ++ ++ if (!inval) ++ return 0; ++ ++ rv = preop_op_set_val(inval); ++ if (!rv) ++ strcpy(preop, inval); + return 0; + } + +@@ -1288,18 +1313,18 @@ static int __init ipmi_wdog_init(void) + { + int rv; + +- if (action_op(action, NULL)) { ++ if (action_op_set_val(action)) { + action_op("reset", NULL); + pr_info("Unknown action '%s', defaulting to reset\n", action); + } + +- if (preaction_op(preaction, NULL)) { ++ if (preaction_op_set_val(preaction)) { + preaction_op("pre_none", NULL); + pr_info("Unknown preaction '%s', defaulting to none\n", + preaction); + } + +- if (preop_op(preop, NULL)) { ++ if (preop_op_set_val(preop)) { + preop_op("preop_none", NULL); + pr_info("Unknown preop '%s', defaulting to none\n", preop); + } +-- +2.39.5 + diff --git a/queue-6.12/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch b/queue-6.12/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch new file mode 100644 index 0000000000..e8a86f375b --- /dev/null +++ b/queue-6.12/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch @@ -0,0 +1,47 @@ +From 08c16421d012302075244a8da968e99fbc2ffa6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 05:57:26 -0700 +Subject: ipmi: Use dev_warn_ratelimited() for incorrect message warnings + +From: Breno Leitao + +[ Upstream commit ec50ec378e3fd83bde9b3d622ceac3509a60b6b5 ] + +During BMC firmware upgrades on live systems, the ipmi_msghandler +generates excessive "BMC returned incorrect response" warnings +while the BMC is temporarily offline. This can flood system logs +in large deployments. + +Replace dev_warn() with dev_warn_ratelimited() to throttle these +warnings and prevent log spam during BMC maintenance operations. + +Signed-off-by: Breno Leitao +Message-ID: <20250710-ipmi_ratelimit-v1-1-6d417015ebe9@debian.org> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index 6a4a8ecd0edd..09405668ebb3 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -4617,10 +4617,10 @@ static int handle_one_recv_msg(struct ipmi_smi *intf, + * The NetFN and Command in the response is not even + * marginally correct. + */ +- dev_warn(intf->si_dev, +- "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n", +- (msg->data[0] >> 2) | 1, msg->data[1], +- msg->rsp[0] >> 2, msg->rsp[1]); ++ dev_warn_ratelimited(intf->si_dev, ++ "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n", ++ (msg->data[0] >> 2) | 1, msg->data[1], ++ msg->rsp[0] >> 2, msg->rsp[1]); + + goto return_unspecified; + } +-- +2.39.5 + diff --git a/queue-6.12/ipv6-mcast-check-inet6_dev-dead-under-idev-mc_lock-i.patch b/queue-6.12/ipv6-mcast-check-inet6_dev-dead-under-idev-mc_lock-i.patch new file mode 100644 index 0000000000..f2a4da14ee --- /dev/null +++ b/queue-6.12/ipv6-mcast-check-inet6_dev-dead-under-idev-mc_lock-i.patch @@ -0,0 +1,118 @@ +From 87404b6c3bb0a51c1da55792aa3ec687f442f804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 16:01:20 -0700 +Subject: ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in + __ipv6_dev_mc_inc(). + +From: Kuniyuki Iwashima + +[ Upstream commit dbd40f318cf2f59759bd170c401adc20ba360a3e ] + +Since commit 63ed8de4be81 ("mld: add mc_lock for protecting +per-interface mld data"), every multicast resource is protected +by inet6_dev->mc_lock. + +RTNL is unnecessary in terms of protection but still needed for +synchronisation between addrconf_ifdown() and __ipv6_dev_mc_inc(). + +Once we removed RTNL, there would be a race below, where we could +add a multicast address to a dead inet6_dev. + + CPU1 CPU2 + ==== ==== + addrconf_ifdown() __ipv6_dev_mc_inc() + if (idev->dead) <-- false + dead = true return -ENODEV; + ipv6_mc_destroy_dev() / ipv6_mc_down() + mutex_lock(&idev->mc_lock) + ... + mutex_unlock(&idev->mc_lock) + mutex_lock(&idev->mc_lock) + ... + mutex_unlock(&idev->mc_lock) + +The race window can be easily closed by checking inet6_dev->dead +under inet6_dev->mc_lock in __ipv6_dev_mc_inc() as addrconf_ifdown() +will acquire it after marking inet6_dev dead. + +Let's check inet6_dev->dead under mc_lock in __ipv6_dev_mc_inc(). + +Note that now __ipv6_dev_mc_inc() no longer depends on RTNL and +we can remove ASSERT_RTNL() there and the RTNL comment above +addrconf_join_solict(). + +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250702230210.3115355-4-kuni1840@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 7 +++---- + net/ipv6/mcast.c | 11 +++++------ + 2 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index be51b8792b96..49ec223f2eda 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -2228,13 +2228,12 @@ void addrconf_dad_failure(struct sk_buff *skb, struct inet6_ifaddr *ifp) + in6_ifa_put(ifp); + } + +-/* Join to solicited addr multicast group. +- * caller must hold RTNL */ ++/* Join to solicited addr multicast group. */ + void addrconf_join_solict(struct net_device *dev, const struct in6_addr *addr) + { + struct in6_addr maddr; + +- if (dev->flags&(IFF_LOOPBACK|IFF_NOARP)) ++ if (READ_ONCE(dev->flags) & (IFF_LOOPBACK | IFF_NOARP)) + return; + + addrconf_addr_solict_mult(addr, &maddr); +@@ -3883,7 +3882,7 @@ static int addrconf_ifdown(struct net_device *dev, bool unregister) + * Do not dev_put! + */ + if (unregister) { +- idev->dead = 1; ++ WRITE_ONCE(idev->dead, 1); + + /* protected by rtnl_lock */ + RCU_INIT_POINTER(dev->ip6_ptr, NULL); +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index 9949554e3211..e2a11a2f3b25 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -907,23 +907,22 @@ static struct ifmcaddr6 *mca_alloc(struct inet6_dev *idev, + static int __ipv6_dev_mc_inc(struct net_device *dev, + const struct in6_addr *addr, unsigned int mode) + { +- struct ifmcaddr6 *mc; + struct inet6_dev *idev; +- +- ASSERT_RTNL(); ++ struct ifmcaddr6 *mc; + + /* we need to take a reference on idev */ + idev = in6_dev_get(dev); +- + if (!idev) + return -EINVAL; + +- if (idev->dead) { ++ mutex_lock(&idev->mc_lock); ++ ++ if (READ_ONCE(idev->dead)) { ++ mutex_unlock(&idev->mc_lock); + in6_dev_put(idev); + return -ENODEV; + } + +- mutex_lock(&idev->mc_lock); + for_each_mc_mclock(idev, mc) { + if (ipv6_addr_equal(&mc->mca_addr, addr)) { + mc->mca_users++; +-- +2.39.5 + diff --git a/queue-6.12/jfs-regular-file-corruption-check.patch b/queue-6.12/jfs-regular-file-corruption-check.patch new file mode 100644 index 0000000000..7e169935a7 --- /dev/null +++ b/queue-6.12/jfs-regular-file-corruption-check.patch @@ -0,0 +1,39 @@ +From 57fde59e3626b4f7615b0f2b12aaa303e3846cf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 14:48:43 +0800 +Subject: jfs: Regular file corruption check + +From: Edward Adam Davis + +[ Upstream commit 2d04df8116426b6c7b9f8b9b371250f666a2a2fb ] + +The reproducer builds a corrupted file on disk with a negative i_size value. +Add a check when opening this file to avoid subsequent operation failures. + +Reported-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=630f6d40b3ccabc8e96e +Tested-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/file.c b/fs/jfs/file.c +index 01b6912e60f8..742cadd1f37e 100644 +--- a/fs/jfs/file.c ++++ b/fs/jfs/file.c +@@ -44,6 +44,9 @@ static int jfs_open(struct inode *inode, struct file *file) + { + int rc; + ++ if (S_ISREG(inode->i_mode) && inode->i_size < 0) ++ return -EIO; ++ + if ((rc = dquot_file_open(inode, file))) + return rc; + +-- +2.39.5 + diff --git a/queue-6.12/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch b/queue-6.12/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch new file mode 100644 index 0000000000..4c3c43c641 --- /dev/null +++ b/queue-6.12/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch @@ -0,0 +1,41 @@ +From bbfc2ad75410b2bf03d99a76f8adc7d0a07e1b38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 11:05:34 +0800 +Subject: jfs: truncate good inode pages when hard link is 0 + +From: Lizhi Xu + +[ Upstream commit 2d91b3765cd05016335cd5df5e5c6a29708ec058 ] + +The fileset value of the inode copy from the disk by the reproducer is +AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its +inode pages are not truncated. This causes the bugon to be triggered when +executing clear_inode() because nrpages is greater than 0. + +Reported-by: syzbot+6e516bb515d93230bc7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6e516bb515d93230bc7b +Signed-off-by: Lizhi Xu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c +index 07cfdc440596..5fe8cb4742c2 100644 +--- a/fs/jfs/inode.c ++++ b/fs/jfs/inode.c +@@ -145,9 +145,9 @@ void jfs_evict_inode(struct inode *inode) + if (!inode->i_nlink && !is_bad_inode(inode)) { + dquot_initialize(inode); + ++ truncate_inode_pages_final(&inode->i_data); + if (JFS_IP(inode)->fileset == FILESYSTEM_I) { + struct inode *ipimap = JFS_SBI(inode->i_sb)->ipimap; +- truncate_inode_pages_final(&inode->i_data); + + if (test_cflag(COMMIT_Freewmap, inode)) + jfs_free_zero_link(inode); +-- +2.39.5 + diff --git a/queue-6.12/jfs-upper-bound-check-of-tree-index-in-dballocag.patch b/queue-6.12/jfs-upper-bound-check-of-tree-index-in-dballocag.patch new file mode 100644 index 0000000000..fa7b75bd7e --- /dev/null +++ b/queue-6.12/jfs-upper-bound-check-of-tree-index-in-dballocag.patch @@ -0,0 +1,44 @@ +From bd019f4a73ac6e4153fdab38426e20f130b386e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 00:13:51 +0200 +Subject: jfs: upper bound check of tree index in dbAllocAG + +From: Arnaud Lecomte + +[ Upstream commit c214006856ff52a8ff17ed8da52d50601d54f9ce ] + +When computing the tree index in dbAllocAG, we never check if we are +out of bounds realative to the size of the stree. +This could happen in a scenario where the filesystem metadata are +corrupted. + +Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e +Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com +Signed-off-by: Arnaud Lecomte +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 5a877261c3fe..cdfa699cd7c8 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1389,6 +1389,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results) + (1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth; + ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1)); + ++ if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) { ++ jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n"); ++ release_metapage(mp); ++ return -EIO; ++ } ++ + /* dmap control page trees fan-out by 4 and a single allocation + * group may be described by 1 or 2 subtrees within the ag level + * dmap control page, depending upon the ag size. examine the ag's +-- +2.39.5 + diff --git a/queue-6.12/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch b/queue-6.12/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch new file mode 100644 index 0000000000..af07a9ebcf --- /dev/null +++ b/queue-6.12/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch @@ -0,0 +1,45 @@ +From 6a0f2bed287cb8e9388870f4aa70ab88187c30a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 00:05:20 +0900 +Subject: kconfig: gconf: avoid hardcoding model2 in + on_treeview2_cursor_changed() + +From: Masahiro Yamada + +[ Upstream commit cae9cdbcd9af044810bcceeb43a87accca47c71d ] + +The on_treeview2_cursor_changed() handler is connected to both the left +and right tree views, but it hardcodes model2 (the GtkTreeModel of the +right tree view). This is incorrect. Get the associated model from the +view. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/gconf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c +index c0f46f189060..abe4cfe66b14 100644 +--- a/scripts/kconfig/gconf.c ++++ b/scripts/kconfig/gconf.c +@@ -942,13 +942,14 @@ on_treeview2_key_press_event(GtkWidget * widget, + void + on_treeview2_cursor_changed(GtkTreeView * treeview, gpointer user_data) + { ++ GtkTreeModel *model = gtk_tree_view_get_model(treeview); + GtkTreeSelection *selection; + GtkTreeIter iter; + struct menu *menu; + + selection = gtk_tree_view_get_selection(treeview); +- if (gtk_tree_selection_get_selected(selection, &model2, &iter)) { +- gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1); ++ if (gtk_tree_selection_get_selected(selection, &model, &iter)) { ++ gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1); + text_insert_help(menu); + } + } +-- +2.39.5 + diff --git a/queue-6.12/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch b/queue-6.12/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch new file mode 100644 index 0000000000..8c1954c24e --- /dev/null +++ b/queue-6.12/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch @@ -0,0 +1,42 @@ +From 0dccb64324beb3d0ab1f7f8e885f5d90f282220c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 00:04:55 +0900 +Subject: kconfig: gconf: fix potential memory leak in renderer_edited() + +From: Masahiro Yamada + +[ Upstream commit f72ed4c6a375e52a3f4b75615e4a89d29d8acea7 ] + +If gtk_tree_model_get_iter() fails, gtk_tree_path_free() is not called. + +Signed-off-by: Masahiro Yamada +Acked-by: Randy Dunlap +Signed-off-by: Sasha Levin +--- + scripts/kconfig/gconf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c +index abe4cfe66b14..0caf0ced13df 100644 +--- a/scripts/kconfig/gconf.c ++++ b/scripts/kconfig/gconf.c +@@ -748,7 +748,7 @@ static void renderer_edited(GtkCellRendererText * cell, + struct symbol *sym; + + if (!gtk_tree_model_get_iter(model2, &iter, path)) +- return; ++ goto free; + + gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1); + sym = menu->sym; +@@ -760,6 +760,7 @@ static void renderer_edited(GtkCellRendererText * cell, + + update_tree(&rootmenu, NULL); + ++free: + gtk_tree_path_free(path); + } + +-- +2.39.5 + diff --git a/queue-6.12/kconfig-lxdialog-fix-space-to-de-select-options.patch b/queue-6.12/kconfig-lxdialog-fix-space-to-de-select-options.patch new file mode 100644 index 0000000000..89cd158258 --- /dev/null +++ b/queue-6.12/kconfig-lxdialog-fix-space-to-de-select-options.patch @@ -0,0 +1,49 @@ +From 468e5e56d84077afe946d3237c7792b474624aec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2013 00:53:32 +0100 +Subject: kconfig: lxdialog: fix 'space' to (de)select options + +From: Yann E. MORIN + +[ Upstream commit 694174f94ebeeb5ec5cc0e9de9b40c82057e1d95 ] + +In case a menu has comment without letters/numbers (eg. characters +matching the regexp '^[^[:alpha:][:digit:]]+$', for example - or *), +hitting space will cycle through those comments, rather than +selecting/deselecting the currently-highlighted option. + +This is the behaviour of hitting any letter/digit: jump to the next +option which prompt starts with that letter. The only letters that +do not behave as such are 'y' 'm' and 'n'. Prompts that start with +one of those three letters are instead matched on the first letter +that is not 'y', 'm' or 'n'. + +Fix that by treating 'space' as we treat y/m/n, ie. as an action key, +not as shortcut to jump to prompt. + +Signed-off-by: Yann E. MORIN +Signed-off-by: Peter Korsgaard +Signed-off-by: Cherniaev Andrei +[masahiro: took from Buildroot, adjusted the commit subject] +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/lxdialog/menubox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/lxdialog/menubox.c b/scripts/kconfig/lxdialog/menubox.c +index 6e6244df0c56..d4c19b7beebb 100644 +--- a/scripts/kconfig/lxdialog/menubox.c ++++ b/scripts/kconfig/lxdialog/menubox.c +@@ -264,7 +264,7 @@ int dialog_menu(const char *title, const char *prompt, + if (key < 256 && isalpha(key)) + key = tolower(key); + +- if (strchr("ynmh", key)) ++ if (strchr("ynmh ", key)) + i = max_choice; + else { + for (i = choice + 1; i < max_choice; i++) { +-- +2.39.5 + diff --git a/queue-6.12/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch b/queue-6.12/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch new file mode 100644 index 0000000000..6af888c59e --- /dev/null +++ b/queue-6.12/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch @@ -0,0 +1,41 @@ +From 19f52357efd62aeacdd5c4e9761c7fa3d809d25c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jul 2025 22:14:33 +0530 +Subject: kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c + +From: Suchit Karunakaran + +[ Upstream commit 5ac726653a1029a2eccba93bbe59e01fc9725828 ] + +strcpy() performs no bounds checking and can lead to buffer overflows if +the input string exceeds the destination buffer size. This patch replaces +it with strncpy(), and null terminates the input string. + +Signed-off-by: Suchit Karunakaran +Reviewed-by: Nicolas Schier +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/lxdialog/inputbox.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c +index 3c6e24b20f5b..5e4a131724f2 100644 +--- a/scripts/kconfig/lxdialog/inputbox.c ++++ b/scripts/kconfig/lxdialog/inputbox.c +@@ -39,8 +39,10 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width + + if (!init) + instr[0] = '\0'; +- else +- strcpy(instr, init); ++ else { ++ strncpy(instr, init, sizeof(dialog_input_result) - 1); ++ instr[sizeof(dialog_input_result) - 1] = '\0'; ++ } + + do_resize: + if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGHT_MIN)) +-- +2.39.5 + diff --git a/queue-6.12/kconfig-nconf-ensure-null-termination-where-strncpy-.patch b/queue-6.12/kconfig-nconf-ensure-null-termination-where-strncpy-.patch new file mode 100644 index 0000000000..bd332a56d5 --- /dev/null +++ b/queue-6.12/kconfig-nconf-ensure-null-termination-where-strncpy-.patch @@ -0,0 +1,55 @@ +From f99880ca3e3f0b8ab7bd996455cc3e16455b9619 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 00:36:54 +0530 +Subject: kconfig: nconf: Ensure null termination where strncpy is used + +From: Shankari Anand + +[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ] + +strncpy() does not guarantee null-termination if the source string is +longer than the destination buffer. + +Ensure the buffer is explicitly null-terminated to prevent potential +string overflows or undefined behavior. + +Signed-off-by: Shankari Anand +Signed-off-by: Masahiro Yamada +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Tested-by: Nicolas Schier +Acked-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 2 ++ + scripts/kconfig/nconf.gui.c | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index 063b4f7ccbdb..5f484422278e 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -593,6 +593,8 @@ static void item_add_str(const char *fmt, ...) + tmp_str, + sizeof(k_menu_items[index].str)); + ++ k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0'; ++ + free_item(curses_menu_items[index]); + curses_menu_items[index] = new_item( + k_menu_items[index].str, +diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c +index 72b605efe549..1526c52bc34c 100644 +--- a/scripts/kconfig/nconf.gui.c ++++ b/scripts/kconfig/nconf.gui.c +@@ -350,6 +350,7 @@ int dialog_inputbox(WINDOW *main_window, + x = (columns-win_cols)/2; + + strncpy(result, init, *result_len); ++ result[*result_len - 1] = '\0'; + + /* create the windows */ + win = newwin(win_lines, win_cols, y, x); +-- +2.39.5 + diff --git a/queue-6.12/kselftest-arm64-specify-sve-data-when-testing-vl-set.patch b/queue-6.12/kselftest-arm64-specify-sve-data-when-testing-vl-set.patch new file mode 100644 index 0000000000..2cbc2c5032 --- /dev/null +++ b/queue-6.12/kselftest-arm64-specify-sve-data-when-testing-vl-set.patch @@ -0,0 +1,49 @@ +From 4b8114bfcc415a67859676a725630b9cf14e32d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 16:25:33 +0100 +Subject: kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace + +From: Mark Brown + +[ Upstream commit 9e8ebfe677f9101bbfe1f75d548a5aec581e8213 ] + +Since f916dd32a943 ("arm64/fpsimd: ptrace: Mandate SVE payload for +streaming-mode state") we reject attempts to write to the streaming mode +regset even if there is no register data supplied, causing the tests for +setting vector lengths and setting SVE_VL_INHERIT in sve-ptrace to +spuriously fail. Set the flag to avoid the issue, we still support not +supplying register data. + +Acked-by: Mark Rutland +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20250609-kselftest-arm64-ssve-fixups-v2-3-998fcfa6f240@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/arm64/fp/sve-ptrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/arm64/fp/sve-ptrace.c b/tools/testing/selftests/arm64/fp/sve-ptrace.c +index c6228176dd1a..408fb1c5c2f8 100644 +--- a/tools/testing/selftests/arm64/fp/sve-ptrace.c ++++ b/tools/testing/selftests/arm64/fp/sve-ptrace.c +@@ -168,7 +168,7 @@ static void ptrace_set_get_inherit(pid_t child, const struct vec_type *type) + memset(&sve, 0, sizeof(sve)); + sve.size = sizeof(sve); + sve.vl = sve_vl_from_vq(SVE_VQ_MIN); +- sve.flags = SVE_PT_VL_INHERIT; ++ sve.flags = SVE_PT_VL_INHERIT | SVE_PT_REGS_SVE; + ret = set_sve(child, type, &sve); + if (ret != 0) { + ksft_test_result_fail("Failed to set %s SVE_PT_VL_INHERIT\n", +@@ -233,6 +233,7 @@ static void ptrace_set_get_vl(pid_t child, const struct vec_type *type, + /* Set the VL by doing a set with no register payload */ + memset(&sve, 0, sizeof(sve)); + sve.size = sizeof(sve); ++ sve.flags = SVE_PT_REGS_SVE; + sve.vl = vl; + ret = set_sve(child, type, &sve); + if (ret != 0) { +-- +2.39.5 + diff --git a/queue-6.12/ktest.pl-prevent-recursion-of-default-variable-optio.patch b/queue-6.12/ktest.pl-prevent-recursion-of-default-variable-optio.patch new file mode 100644 index 0000000000..7ecec7deee --- /dev/null +++ b/queue-6.12/ktest.pl-prevent-recursion-of-default-variable-optio.patch @@ -0,0 +1,62 @@ +From cf8e16a41c8e0c72d24b55afadc6e191af94b2e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 16:18:44 -0400 +Subject: ktest.pl: Prevent recursion of default variable options + +From: Steven Rostedt + +[ Upstream commit 61f7e318e99d3b398670518dd3f4f8510d1800fc ] + +If a default variable contains itself, do not recurse on it. + +For example: + + ADD_CONFIG := ${CONFIG_DIR}/temp_config + DEFAULTS + ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG} + +The above works because the temp variable ADD_CONFIG (is a temp because it +is created with ":=") is already defined, it will be substituted in the +variable option. But if it gets commented out: + + # ADD_CONFIG := ${CONFIG_DIR}/temp_config + DEFAULTS + ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG} + +Then the above will go into a recursive loop where ${ADD_CONFIG} will +get replaced with the current definition of ADD_CONFIG which contains the +${ADD_CONFIG} and that will also try to get converted. ktest.pl will error +after 100 attempts of recursion and fail. + +When replacing a variable with the default variable, if the default +variable contains itself, do not replace it. + +Cc: "John Warthog9 Hawley" +Cc: Dhaval Giani +Cc: Greg KH +Link: https://lore.kernel.org/20250718202053.732189428@kernel.org +Signed-off-by: Steven Rostedt +Signed-off-by: Sasha Levin +--- + tools/testing/ktest/ktest.pl | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl +index 7e524601e01a..bad227ee1b5b 100755 +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -1371,7 +1371,10 @@ sub __eval_option { + # If a variable contains itself, use the default var + if (($var eq $name) && defined($opt{$var})) { + $o = $opt{$var}; +- $retval = "$retval$o"; ++ # Only append if the default doesn't contain itself ++ if ($o !~ m/\$\{$var\}/) { ++ $retval = "$retval$o"; ++ } + } elsif (defined($opt{$o})) { + $o = $opt{$o}; + $retval = "$retval$o"; +-- +2.39.5 + diff --git a/queue-6.12/leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch b/queue-6.12/leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch new file mode 100644 index 0000000000..d1528e4b8d --- /dev/null +++ b/queue-6.12/leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch @@ -0,0 +1,68 @@ +From ee52ff6daea7b6dba3028d533f286d10aa38db73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 12:23:54 +0200 +Subject: leds: leds-lp50xx: Handle reg to get correct multi_index + +From: Johan Adolfsson + +[ Upstream commit 2e84a5e5374232e6f356ce5c079a5658d7e4af2c ] + +mc_subled used for multi_index needs well defined array indexes, +to guarantee the desired result, use reg for that. + +If devicetree child nodes is processed in random or reverse order +you may end up with multi_index "blue green red" instead of the expected +"red green blue". +If user space apps uses multi_index to deduce how to control the leds +they would most likely be broken without this patch if devicetree +processing is reversed (which it appears to be). + +arch/arm/boot/dts/aspeed/aspeed-bmc-facebook-fuji.dts has reg set +but I don't see how it can have worked without this change. + +If reg is not set, an error is returned, +If reg is out of range, an error is returned. +reg within led child nodes starts with 0, to map to the iout in each bank. + +Signed-off-by: Johan Adolfsson +Reviewed-by: Jacek Anaszewski +Link: https://lore.kernel.org/r/20250617-led-fix-v7-1-cdbe8efc88fa@axis.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-lp50xx.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c +index 175d4b06659b..e9eb0ad6751d 100644 +--- a/drivers/leds/leds-lp50xx.c ++++ b/drivers/leds/leds-lp50xx.c +@@ -481,6 +481,7 @@ static int lp50xx_probe_dt(struct lp50xx *priv) + } + + fwnode_for_each_child_node(child, led_node) { ++ int multi_index; + ret = fwnode_property_read_u32(led_node, "color", + &color_id); + if (ret) { +@@ -488,8 +489,16 @@ static int lp50xx_probe_dt(struct lp50xx *priv) + dev_err(priv->dev, "Cannot read color\n"); + goto child_out; + } ++ ret = fwnode_property_read_u32(led_node, "reg", &multi_index); ++ if (ret != 0) { ++ dev_err(priv->dev, "reg must be set\n"); ++ return -EINVAL; ++ } else if (multi_index >= LP50XX_LEDS_PER_MODULE) { ++ dev_err(priv->dev, "reg %i out of range\n", multi_index); ++ return -EINVAL; ++ } + +- mc_led_info[num_colors].color_index = color_id; ++ mc_led_info[multi_index].color_index = color_id; + num_colors++; + } + +-- +2.39.5 + diff --git a/queue-6.12/lib-packing-include-necessary-headers.patch b/queue-6.12/lib-packing-include-necessary-headers.patch new file mode 100644 index 0000000000..f43bb97b6f --- /dev/null +++ b/queue-6.12/lib-packing-include-necessary-headers.patch @@ -0,0 +1,45 @@ +From ddb4f0fd80c3ba3ed16bbdfe02838eb0b34b00f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 08:50:44 -0500 +Subject: lib: packing: Include necessary headers + +From: Nathan Lynch + +[ Upstream commit 8bd0af3154b2206ce19f8b1410339f7a2a56d0c3 ] + +packing.h uses ARRAY_SIZE(), BUILD_BUG_ON_MSG(), min(), max(), and +sizeof_field() without including the headers where they are defined, +potentially causing build failures. + +Fix this in packing.h and sort the result. + +Signed-off-by: Nathan Lynch +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20250624-packing-includes-v1-1-c23c81fab508@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/packing.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/linux/packing.h b/include/linux/packing.h +index 8d6571feb95d..60117401c7ee 100644 +--- a/include/linux/packing.h ++++ b/include/linux/packing.h +@@ -5,8 +5,12 @@ + #ifndef _LINUX_PACKING_H + #define _LINUX_PACKING_H + +-#include ++#include + #include ++#include ++#include ++#include ++#include + + #define QUIRK_MSB_ON_THE_RIGHT BIT(0) + #define QUIRK_LITTLE_ENDIAN BIT(1) +-- +2.39.5 + diff --git a/queue-6.12/lib-sbitmap-convert-shallow_depth-from-one-word-to-t.patch b/queue-6.12/lib-sbitmap-convert-shallow_depth-from-one-word-to-t.patch new file mode 100644 index 0000000000..038c6fd79c --- /dev/null +++ b/queue-6.12/lib-sbitmap-convert-shallow_depth-from-one-word-to-t.patch @@ -0,0 +1,325 @@ +From a683804c9543ae359adb677cbdd5bb63d4d63f6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Aug 2025 11:24:12 +0800 +Subject: lib/sbitmap: convert shallow_depth from one word to the whole sbitmap + +From: Yu Kuai + +[ Upstream commit 42e6c6ce03fd3e41e39a0f93f9b1a1d9fa664338 ] + +Currently elevators will record internal 'async_depth' to throttle +asynchronous requests, and they both calculate shallow_dpeth based on +sb->shift, with the respect that sb->shift is the available tags in one +word. + +However, sb->shift is not the availbale tags in the last word, see +__map_depth: + +if (index == sb->map_nr - 1) + return sb->depth - (index << sb->shift); + +For consequence, if the last word is used, more tags can be get than +expected, for example, assume nr_requests=256 and there are four words, +in the worst case if user set nr_requests=32, then the first word is +the last word, and still use bits per word, which is 64, to calculate +async_depth is wrong. + +One the ohter hand, due to cgroup qos, bfq can allow only one request +to be allocated, and set shallow_dpeth=1 will still allow the number +of words request to be allocated. + +Fix this problems by using shallow_depth to the whole sbitmap instead +of per word, also change kyber, mq-deadline and bfq to follow this, +a new helper __map_depth_with_shallow() is introduced to calculate +available bits in each word. + +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20250807032413.1469456-2-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 35 ++++++++++++-------------- + block/bfq-iosched.h | 3 +-- + block/kyber-iosched.c | 9 ++----- + block/mq-deadline.c | 16 +----------- + include/linux/sbitmap.h | 6 ++--- + lib/sbitmap.c | 56 +++++++++++++++++++++-------------------- + 6 files changed, 52 insertions(+), 73 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index cad16c163611..68359e1b92e2 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -701,17 +701,13 @@ static void bfq_limit_depth(blk_opf_t opf, struct blk_mq_alloc_data *data) + { + struct bfq_data *bfqd = data->q->elevator->elevator_data; + struct bfq_io_cq *bic = bfq_bic_lookup(data->q); +- int depth; +- unsigned limit = data->q->nr_requests; +- unsigned int act_idx; ++ unsigned int limit, act_idx; + + /* Sync reads have full depth available */ +- if (op_is_sync(opf) && !op_is_write(opf)) { +- depth = 0; +- } else { +- depth = bfqd->word_depths[!!bfqd->wr_busy_queues][op_is_sync(opf)]; +- limit = (limit * depth) >> bfqd->full_depth_shift; +- } ++ if (op_is_sync(opf) && !op_is_write(opf)) ++ limit = data->q->nr_requests; ++ else ++ limit = bfqd->async_depths[!!bfqd->wr_busy_queues][op_is_sync(opf)]; + + for (act_idx = 0; bic && act_idx < bfqd->num_actuators; act_idx++) { + /* Fast path to check if bfqq is already allocated. */ +@@ -725,14 +721,16 @@ static void bfq_limit_depth(blk_opf_t opf, struct blk_mq_alloc_data *data) + * available requests and thus starve other entities. + */ + if (bfqq_request_over_limit(bfqd, bic, opf, act_idx, limit)) { +- depth = 1; ++ limit = 1; + break; + } + } ++ + bfq_log(bfqd, "[%s] wr_busy %d sync %d depth %u", +- __func__, bfqd->wr_busy_queues, op_is_sync(opf), depth); +- if (depth) +- data->shallow_depth = depth; ++ __func__, bfqd->wr_busy_queues, op_is_sync(opf), limit); ++ ++ if (limit < data->q->nr_requests) ++ data->shallow_depth = limit; + } + + static struct bfq_queue * +@@ -7128,9 +7126,8 @@ void bfq_put_async_queues(struct bfq_data *bfqd, struct bfq_group *bfqg) + */ + static void bfq_update_depths(struct bfq_data *bfqd, struct sbitmap_queue *bt) + { +- unsigned int depth = 1U << bt->sb.shift; ++ unsigned int nr_requests = bfqd->queue->nr_requests; + +- bfqd->full_depth_shift = bt->sb.shift; + /* + * In-word depths if no bfq_queue is being weight-raised: + * leaving 25% of tags only for sync reads. +@@ -7142,13 +7139,13 @@ static void bfq_update_depths(struct bfq_data *bfqd, struct sbitmap_queue *bt) + * limit 'something'. + */ + /* no more than 50% of tags for async I/O */ +- bfqd->word_depths[0][0] = max(depth >> 1, 1U); ++ bfqd->async_depths[0][0] = max(nr_requests >> 1, 1U); + /* + * no more than 75% of tags for sync writes (25% extra tags + * w.r.t. async I/O, to prevent async I/O from starving sync + * writes) + */ +- bfqd->word_depths[0][1] = max((depth * 3) >> 2, 1U); ++ bfqd->async_depths[0][1] = max((nr_requests * 3) >> 2, 1U); + + /* + * In-word depths in case some bfq_queue is being weight- +@@ -7158,9 +7155,9 @@ static void bfq_update_depths(struct bfq_data *bfqd, struct sbitmap_queue *bt) + * shortage. + */ + /* no more than ~18% of tags for async I/O */ +- bfqd->word_depths[1][0] = max((depth * 3) >> 4, 1U); ++ bfqd->async_depths[1][0] = max((nr_requests * 3) >> 4, 1U); + /* no more than ~37% of tags for sync writes (~20% extra tags) */ +- bfqd->word_depths[1][1] = max((depth * 6) >> 4, 1U); ++ bfqd->async_depths[1][1] = max((nr_requests * 6) >> 4, 1U); + } + + static void bfq_depth_updated(struct blk_mq_hw_ctx *hctx) +diff --git a/block/bfq-iosched.h b/block/bfq-iosched.h +index 687a3a7ba784..31217f196f4f 100644 +--- a/block/bfq-iosched.h ++++ b/block/bfq-iosched.h +@@ -813,8 +813,7 @@ struct bfq_data { + * Depth limits used in bfq_limit_depth (see comments on the + * function) + */ +- unsigned int word_depths[2][2]; +- unsigned int full_depth_shift; ++ unsigned int async_depths[2][2]; + + /* + * Number of independent actuators. This is equal to 1 in +diff --git a/block/kyber-iosched.c b/block/kyber-iosched.c +index 4155594aefc6..ccfefa6a3669 100644 +--- a/block/kyber-iosched.c ++++ b/block/kyber-iosched.c +@@ -157,10 +157,7 @@ struct kyber_queue_data { + */ + struct sbitmap_queue domain_tokens[KYBER_NUM_DOMAINS]; + +- /* +- * Async request percentage, converted to per-word depth for +- * sbitmap_get_shallow(). +- */ ++ /* Number of allowed async requests. */ + unsigned int async_depth; + + struct kyber_cpu_latency __percpu *cpu_latency; +@@ -454,10 +451,8 @@ static void kyber_depth_updated(struct blk_mq_hw_ctx *hctx) + { + struct kyber_queue_data *kqd = hctx->queue->elevator->elevator_data; + struct blk_mq_tags *tags = hctx->sched_tags; +- unsigned int shift = tags->bitmap_tags.sb.shift; +- +- kqd->async_depth = (1U << shift) * KYBER_ASYNC_PERCENT / 100U; + ++ kqd->async_depth = hctx->queue->nr_requests * KYBER_ASYNC_PERCENT / 100U; + sbitmap_queue_min_shallow_depth(&tags->bitmap_tags, kqd->async_depth); + } + +diff --git a/block/mq-deadline.c b/block/mq-deadline.c +index 91b3789f710e..19473a9b5044 100644 +--- a/block/mq-deadline.c ++++ b/block/mq-deadline.c +@@ -487,20 +487,6 @@ static struct request *dd_dispatch_request(struct blk_mq_hw_ctx *hctx) + return rq; + } + +-/* +- * 'depth' is a number in the range 1..INT_MAX representing a number of +- * requests. Scale it with a factor (1 << bt->sb.shift) / q->nr_requests since +- * 1..(1 << bt->sb.shift) is the range expected by sbitmap_get_shallow(). +- * Values larger than q->nr_requests have the same effect as q->nr_requests. +- */ +-static int dd_to_word_depth(struct blk_mq_hw_ctx *hctx, unsigned int qdepth) +-{ +- struct sbitmap_queue *bt = &hctx->sched_tags->bitmap_tags; +- const unsigned int nrr = hctx->queue->nr_requests; +- +- return ((qdepth << bt->sb.shift) + nrr - 1) / nrr; +-} +- + /* + * Called by __blk_mq_alloc_request(). The shallow_depth value set by this + * function is used by __blk_mq_get_tag(). +@@ -517,7 +503,7 @@ static void dd_limit_depth(blk_opf_t opf, struct blk_mq_alloc_data *data) + * Throttle asynchronous requests and writes such that these requests + * do not block the allocation of synchronous requests. + */ +- data->shallow_depth = dd_to_word_depth(data->hctx, dd->async_depth); ++ data->shallow_depth = dd->async_depth; + } + + /* Called by blk_mq_update_nr_requests(). */ +diff --git a/include/linux/sbitmap.h b/include/linux/sbitmap.h +index 189140bf11fc..4adf4b364fcd 100644 +--- a/include/linux/sbitmap.h ++++ b/include/linux/sbitmap.h +@@ -213,12 +213,12 @@ int sbitmap_get(struct sbitmap *sb); + * sbitmap_get_shallow() - Try to allocate a free bit from a &struct sbitmap, + * limiting the depth used from each word. + * @sb: Bitmap to allocate from. +- * @shallow_depth: The maximum number of bits to allocate from a single word. ++ * @shallow_depth: The maximum number of bits to allocate from the bitmap. + * + * This rather specific operation allows for having multiple users with + * different allocation limits. E.g., there can be a high-priority class that + * uses sbitmap_get() and a low-priority class that uses sbitmap_get_shallow() +- * with a @shallow_depth of (1 << (@sb->shift - 1)). Then, the low-priority ++ * with a @shallow_depth of (sb->depth >> 1). Then, the low-priority + * class can only allocate half of the total bits in the bitmap, preventing it + * from starving out the high-priority class. + * +@@ -478,7 +478,7 @@ unsigned long __sbitmap_queue_get_batch(struct sbitmap_queue *sbq, int nr_tags, + * sbitmap_queue, limiting the depth used from each word, with preemption + * already disabled. + * @sbq: Bitmap queue to allocate from. +- * @shallow_depth: The maximum number of bits to allocate from a single word. ++ * @shallow_depth: The maximum number of bits to allocate from the queue. + * See sbitmap_get_shallow(). + * + * If you call this, make sure to call sbitmap_queue_min_shallow_depth() after +diff --git a/lib/sbitmap.c b/lib/sbitmap.c +index d3412984170c..c07e3cd82e29 100644 +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -208,8 +208,28 @@ static int sbitmap_find_bit_in_word(struct sbitmap_word *map, + return nr; + } + ++static unsigned int __map_depth_with_shallow(const struct sbitmap *sb, ++ int index, ++ unsigned int shallow_depth) ++{ ++ u64 shallow_word_depth; ++ unsigned int word_depth, reminder; ++ ++ word_depth = __map_depth(sb, index); ++ if (shallow_depth >= sb->depth) ++ return word_depth; ++ ++ shallow_word_depth = word_depth * shallow_depth; ++ reminder = do_div(shallow_word_depth, sb->depth); ++ ++ if (reminder >= (index + 1) * word_depth) ++ shallow_word_depth++; ++ ++ return (unsigned int)shallow_word_depth; ++} ++ + static int sbitmap_find_bit(struct sbitmap *sb, +- unsigned int depth, ++ unsigned int shallow_depth, + unsigned int index, + unsigned int alloc_hint, + bool wrap) +@@ -218,12 +238,12 @@ static int sbitmap_find_bit(struct sbitmap *sb, + int nr = -1; + + for (i = 0; i < sb->map_nr; i++) { +- nr = sbitmap_find_bit_in_word(&sb->map[index], +- min_t(unsigned int, +- __map_depth(sb, index), +- depth), +- alloc_hint, wrap); ++ unsigned int depth = __map_depth_with_shallow(sb, index, ++ shallow_depth); + ++ if (depth) ++ nr = sbitmap_find_bit_in_word(&sb->map[index], depth, ++ alloc_hint, wrap); + if (nr != -1) { + nr += index << sb->shift; + break; +@@ -406,27 +426,9 @@ EXPORT_SYMBOL_GPL(sbitmap_bitmap_show); + static unsigned int sbq_calc_wake_batch(struct sbitmap_queue *sbq, + unsigned int depth) + { +- unsigned int wake_batch; +- unsigned int shallow_depth; +- +- /* +- * Each full word of the bitmap has bits_per_word bits, and there might +- * be a partial word. There are depth / bits_per_word full words and +- * depth % bits_per_word bits left over. In bitwise arithmetic: +- * +- * bits_per_word = 1 << shift +- * depth / bits_per_word = depth >> shift +- * depth % bits_per_word = depth & ((1 << shift) - 1) +- * +- * Each word can be limited to sbq->min_shallow_depth bits. +- */ +- shallow_depth = min(1U << sbq->sb.shift, sbq->min_shallow_depth); +- depth = ((depth >> sbq->sb.shift) * shallow_depth + +- min(depth & ((1U << sbq->sb.shift) - 1), shallow_depth)); +- wake_batch = clamp_t(unsigned int, depth / SBQ_WAIT_QUEUES, 1, +- SBQ_WAKE_BATCH); +- +- return wake_batch; ++ return clamp_t(unsigned int, ++ min(depth, sbq->min_shallow_depth) / SBQ_WAIT_QUEUES, ++ 1, SBQ_WAKE_BATCH); + } + + int sbitmap_queue_init_node(struct sbitmap_queue *sbq, unsigned int depth, +-- +2.39.5 + diff --git a/queue-6.12/libbpf-verify-that-arena-map-exists-when-adding-aren.patch b/queue-6.12/libbpf-verify-that-arena-map-exists-when-adding-aren.patch new file mode 100644 index 0000000000..3c2264551a --- /dev/null +++ b/queue-6.12/libbpf-verify-that-arena-map-exists-when-adding-aren.patch @@ -0,0 +1,47 @@ +From 910d6a4da0730948b374b94d8848b4dae7e39989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 15:20:59 -0700 +Subject: libbpf: Verify that arena map exists when adding arena relocations + +From: Eduard Zingerman + +[ Upstream commit 42be23e8f2dcb100cb9944b2b54b6bf41aff943d ] + +Fuzzer reported a memory access error in bpf_program__record_reloc() +that happens when: +- ".addr_space.1" section exists +- there is a relocation referencing this section +- there are no arena maps defined in BTF. + +Sanity checks for maps existence are already present in +bpf_program__record_reloc(), hence this commit adds another one. + +[1] https://github.com/libbpf/libbpf/actions/runs/16375110681/job/46272998064 + +Signed-off-by: Eduard Zingerman +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250718222059.281526-1-eddyz87@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 747cef47e685..e33cf3caf8b6 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -4546,6 +4546,11 @@ static int bpf_program__record_reloc(struct bpf_program *prog, + + /* arena data relocation */ + if (shdr_idx == obj->efile.arena_data_shndx) { ++ if (obj->arena_map_idx < 0) { ++ pr_warn("prog '%s': bad arena data relocation at insn %u, no arena maps defined\n", ++ prog->name, insn_idx); ++ return -LIBBPF_ERRNO__RELOC; ++ } + reloc_desc->type = RELO_DATA; + reloc_desc->insn_idx = insn_idx; + reloc_desc->map_idx = obj->arena_map_idx; +-- +2.39.5 + diff --git a/queue-6.12/loop-avoid-updating-block-size-under-exclusive-owner.patch b/queue-6.12/loop-avoid-updating-block-size-under-exclusive-owner.patch new file mode 100644 index 0000000000..e323dbd2ca --- /dev/null +++ b/queue-6.12/loop-avoid-updating-block-size-under-exclusive-owner.patch @@ -0,0 +1,112 @@ +From a1e9bfcf2d1c0b7d8b8a32d8b4d9acbb4dad0a1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 18:32:03 +0200 +Subject: loop: Avoid updating block size under exclusive owner + +From: Jan Kara + +[ Upstream commit 7e49538288e523427beedd26993d446afef1a6fb ] + +Syzbot came up with a reproducer where a loop device block size is +changed underneath a mounted filesystem. This causes a mismatch between +the block device block size and the block size stored in the superblock +causing confusion in various places such as fs/buffer.c. The particular +issue triggered by syzbot was a warning in __getblk_slow() due to +requested buffer size not matching block device block size. + +Fix the problem by getting exclusive hold of the loop device to change +its block size. This fails if somebody (such as filesystem) has already +an exclusive ownership of the block device and thus prevents modifying +the loop device under some exclusive owner which doesn't expect it. + +Reported-by: syzbot+01ef7a8da81a975e1ccd@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Tested-by: syzbot+01ef7a8da81a975e1ccd@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20250711163202.19623-2-jack@suse.cz +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 38 ++++++++++++++++++++++++++++++-------- + 1 file changed, 30 insertions(+), 8 deletions(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 2f42d1644618..db9b5164ccca 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1404,16 +1404,33 @@ static int loop_set_dio(struct loop_device *lo, unsigned long arg) + return error; + } + +-static int loop_set_block_size(struct loop_device *lo, unsigned long arg) ++static int loop_set_block_size(struct loop_device *lo, blk_mode_t mode, ++ struct block_device *bdev, unsigned long arg) + { + struct queue_limits lim; + int err = 0; + +- if (lo->lo_state != Lo_bound) +- return -ENXIO; ++ /* ++ * If we don't hold exclusive handle for the device, upgrade to it ++ * here to avoid changing device under exclusive owner. ++ */ ++ if (!(mode & BLK_OPEN_EXCL)) { ++ err = bd_prepare_to_claim(bdev, loop_set_block_size, NULL); ++ if (err) ++ return err; ++ } ++ ++ err = mutex_lock_killable(&lo->lo_mutex); ++ if (err) ++ goto abort_claim; ++ ++ if (lo->lo_state != Lo_bound) { ++ err = -ENXIO; ++ goto unlock; ++ } + + if (lo->lo_queue->limits.logical_block_size == arg) +- return 0; ++ goto unlock; + + sync_blockdev(lo->lo_device); + invalidate_bdev(lo->lo_device); +@@ -1425,6 +1442,11 @@ static int loop_set_block_size(struct loop_device *lo, unsigned long arg) + loop_update_dio(lo); + blk_mq_unfreeze_queue(lo->lo_queue); + ++unlock: ++ mutex_unlock(&lo->lo_mutex); ++abort_claim: ++ if (!(mode & BLK_OPEN_EXCL)) ++ bd_abort_claiming(bdev, loop_set_block_size); + return err; + } + +@@ -1443,9 +1465,6 @@ static int lo_simple_ioctl(struct loop_device *lo, unsigned int cmd, + case LOOP_SET_DIRECT_IO: + err = loop_set_dio(lo, arg); + break; +- case LOOP_SET_BLOCK_SIZE: +- err = loop_set_block_size(lo, arg); +- break; + default: + err = -EINVAL; + } +@@ -1500,9 +1519,12 @@ static int lo_ioctl(struct block_device *bdev, blk_mode_t mode, + break; + case LOOP_GET_STATUS64: + return loop_get_status64(lo, argp); ++ case LOOP_SET_BLOCK_SIZE: ++ if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ return loop_set_block_size(lo, mode, bdev, arg); + case LOOP_SET_CAPACITY: + case LOOP_SET_DIRECT_IO: +- case LOOP_SET_BLOCK_SIZE: + if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN)) + return -EPERM; + fallthrough; +-- +2.39.5 + diff --git a/queue-6.12/md-call-del_gendisk-in-control-path.patch b/queue-6.12/md-call-del_gendisk-in-control-path.patch new file mode 100644 index 0000000000..5ed439be1a --- /dev/null +++ b/queue-6.12/md-call-del_gendisk-in-control-path.patch @@ -0,0 +1,188 @@ +From ff0b64256d28c7fe0d141fbd210bef93233a6461 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 15:31:06 +0800 +Subject: md: call del_gendisk in control path + +From: Xiao Ni + +[ Upstream commit 9e59d609763f70a992a8f3808dabcce60f14eb5c ] + +Now del_gendisk and put_disk are called asynchronously in workqueue work. +The asynchronous way has a problem that the device node can still exist +after mdadm --stop command returns in a short window. So udev rule can +open this device node and create the struct mddev in kernel again. So put +del_gendisk in control path and still leave put_disk in md_kobj_release +to avoid uaf of gendisk. + +Function del_gendisk can't be called with reconfig_mutex. If it's called +with reconfig mutex, a deadlock can happen. del_gendisk waits all sysfs +files access to finish and sysfs file access waits reconfig mutex. So +put del_gendisk after releasing reconfig mutex. + +But there is still a window that sysfs can be accessed between mddev_unlock +and del_gendisk. So some actions (add disk, change level, .e.g) can happen +which lead unexpected results. MD_DELETED is used to resolve this problem. +MD_DELETED is set before releasing reconfig mutex and it should be checked +for these sysfs access which need reconfig mutex. For sysfs access which +don't need reconfig mutex, del_gendisk will wait them to finish. + +But it doesn't need to do this in function mddev_lock_nointr. There are +ten places that call it. +* Five of them are in dm raid which we don't need to care. MD_DELETED is +only used for md raid. +* stop_sync_thread, md_do_sync and md_start_sync are related sync request, +and it needs to wait sync thread to finish before stopping an array. +* md_ioctl: md_open is called before md_ioctl, so ->openers is added. It +will fail to stop the array. So it doesn't need to check MD_DELETED here +* md_set_readonly: +It needs to call mddev_set_closing_and_sync_blockdev when setting readonly +or read_auto. So it will fail to stop the array too because MD_CLOSING is +already set. + +Reviewed-by: Yu Kuai +Signed-off-by: Xiao Ni +Link: https://lore.kernel.org/linux-raid/20250611073108.25463-2-xni@redhat.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 33 +++++++++++++++++++++++---------- + drivers/md/md.h | 26 ++++++++++++++++++++++++-- + 2 files changed, 47 insertions(+), 12 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 4b3291723670..91cece996250 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -619,9 +619,6 @@ static void __mddev_put(struct mddev *mddev) + mddev->ctime || mddev->hold_active) + return; + +- /* Array is not configured at all, and not held active, so destroy it */ +- set_bit(MD_DELETED, &mddev->flags); +- + /* + * Call queue_work inside the spinlock so that flush_workqueue() after + * mddev_find will succeed in waiting for the work to be done. +@@ -856,6 +853,16 @@ void mddev_unlock(struct mddev *mddev) + kobject_del(&rdev->kobj); + export_rdev(rdev, mddev); + } ++ ++ /* Call del_gendisk after release reconfig_mutex to avoid ++ * deadlock (e.g. call del_gendisk under the lock and an ++ * access to sysfs files waits the lock) ++ * And MD_DELETED is only used for md raid which is set in ++ * do_md_stop. dm raid only uses md_stop to stop. So dm raid ++ * doesn't need to check MD_DELETED when getting reconfig lock ++ */ ++ if (test_bit(MD_DELETED, &mddev->flags)) ++ del_gendisk(mddev->gendisk); + } + EXPORT_SYMBOL_GPL(mddev_unlock); + +@@ -5720,19 +5727,30 @@ md_attr_store(struct kobject *kobj, struct attribute *attr, + struct md_sysfs_entry *entry = container_of(attr, struct md_sysfs_entry, attr); + struct mddev *mddev = container_of(kobj, struct mddev, kobj); + ssize_t rv; ++ struct kernfs_node *kn = NULL; + + if (!entry->store) + return -EIO; + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; ++ ++ if (entry->store == array_state_store && cmd_match(page, "clear")) ++ kn = sysfs_break_active_protection(kobj, attr); ++ + spin_lock(&all_mddevs_lock); + if (!mddev_get(mddev)) { + spin_unlock(&all_mddevs_lock); ++ if (kn) ++ sysfs_unbreak_active_protection(kn); + return -EBUSY; + } + spin_unlock(&all_mddevs_lock); + rv = entry->store(mddev, page, length); + mddev_put(mddev); ++ ++ if (kn) ++ sysfs_unbreak_active_protection(kn); ++ + return rv; + } + +@@ -5740,12 +5758,6 @@ static void md_kobj_release(struct kobject *ko) + { + struct mddev *mddev = container_of(ko, struct mddev, kobj); + +- if (mddev->sysfs_state) +- sysfs_put(mddev->sysfs_state); +- if (mddev->sysfs_level) +- sysfs_put(mddev->sysfs_level); +- +- del_gendisk(mddev->gendisk); + put_disk(mddev->gendisk); + } + +@@ -6601,8 +6613,9 @@ static int do_md_stop(struct mddev *mddev, int mode) + mddev->bitmap_info.offset = 0; + + export_array(mddev); +- + md_clean(mddev); ++ set_bit(MD_DELETED, &mddev->flags); ++ + if (mddev->hold_active == UNTIL_STOP) + mddev->hold_active = 0; + } +diff --git a/drivers/md/md.h b/drivers/md/md.h +index 8826dce9717d..cf06a9de6f19 100644 +--- a/drivers/md/md.h ++++ b/drivers/md/md.h +@@ -669,11 +669,26 @@ static inline bool reshape_interrupted(struct mddev *mddev) + + static inline int __must_check mddev_lock(struct mddev *mddev) + { +- return mutex_lock_interruptible(&mddev->reconfig_mutex); ++ int ret; ++ ++ ret = mutex_lock_interruptible(&mddev->reconfig_mutex); ++ ++ /* MD_DELETED is set in do_md_stop with reconfig_mutex. ++ * So check it here. ++ */ ++ if (!ret && test_bit(MD_DELETED, &mddev->flags)) { ++ ret = -ENODEV; ++ mutex_unlock(&mddev->reconfig_mutex); ++ } ++ ++ return ret; + } + + /* Sometimes we need to take the lock in a situation where + * failure due to interrupts is not acceptable. ++ * It doesn't need to check MD_DELETED here, the owner which ++ * holds the lock here can't be stopped. And all paths can't ++ * call this function after do_md_stop. + */ + static inline void mddev_lock_nointr(struct mddev *mddev) + { +@@ -682,7 +697,14 @@ static inline void mddev_lock_nointr(struct mddev *mddev) + + static inline int mddev_trylock(struct mddev *mddev) + { +- return mutex_trylock(&mddev->reconfig_mutex); ++ int ret; ++ ++ ret = mutex_trylock(&mddev->reconfig_mutex); ++ if (!ret && test_bit(MD_DELETED, &mddev->flags)) { ++ ret = -ENODEV; ++ mutex_unlock(&mddev->reconfig_mutex); ++ } ++ return ret; + } + extern void mddev_unlock(struct mddev *mddev); + +-- +2.39.5 + diff --git a/queue-6.12/md-dm-zoned-target-initialize-return-variable-r-to-a.patch b/queue-6.12/md-dm-zoned-target-initialize-return-variable-r-to-a.patch new file mode 100644 index 0000000000..9dc5221306 --- /dev/null +++ b/queue-6.12/md-dm-zoned-target-initialize-return-variable-r-to-a.patch @@ -0,0 +1,45 @@ +From 0cae9a677dfa02d0604405ef1ba86eb88da1a7cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 13:11:57 +0530 +Subject: md: dm-zoned-target: Initialize return variable r to avoid + uninitialized use + +From: Purva Yeshi + +[ Upstream commit 487767bff572d46f7c37ad846c4078f6d6c9cc55 ] + +Fix Smatch-detected error: +drivers/md/dm-zoned-target.c:1073 dmz_iterate_devices() +error: uninitialized symbol 'r'. + +Smatch detects a possible use of the uninitialized variable 'r' in +dmz_iterate_devices() because if dmz->nr_ddevs is zero, the loop is +skipped and 'r' is returned without being set, leading to undefined +behavior. + +Initialize 'r' to 0 before the loop. This ensures that if there are no +devices to iterate over, the function still returns a defined value. + +Signed-off-by: Purva Yeshi +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-zoned-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c +index 6141fc25d842..c38bd6e4c273 100644 +--- a/drivers/md/dm-zoned-target.c ++++ b/drivers/md/dm-zoned-target.c +@@ -1061,7 +1061,7 @@ static int dmz_iterate_devices(struct dm_target *ti, + struct dmz_target *dmz = ti->private; + unsigned int zone_nr_sectors = dmz_zone_nr_sectors(dmz->metadata); + sector_t capacity; +- int i, r; ++ int i, r = 0; + + for (i = 0; i < dmz->nr_ddevs; i++) { + capacity = dmz->dev[i].capacity & ~(zone_nr_sectors - 1); +-- +2.39.5 + diff --git a/queue-6.12/md-don-t-clear-md_closing-until-mddev-is-freed.patch b/queue-6.12/md-don-t-clear-md_closing-until-mddev-is-freed.patch new file mode 100644 index 0000000000..fbb03d10e7 --- /dev/null +++ b/queue-6.12/md-don-t-clear-md_closing-until-mddev-is-freed.patch @@ -0,0 +1,62 @@ +From 880e342d560e6fd3280ec8a359395bcc2f4e1f04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 15:31:07 +0800 +Subject: md: Don't clear MD_CLOSING until mddev is freed + +From: Xiao Ni + +[ Upstream commit 5f286f33553d600e6c2fb5a23dd6afcf99b3ebac ] + +UNTIL_STOP is used to avoid mddev is freed on the last close before adding +disks to mddev. And it should be cleared when stopping an array which is +mentioned in commit efeb53c0e572 ("md: Allow md devices to be created by +name."). So reset ->hold_active to 0 in md_clean. + +And MD_CLOSING should be kept until mddev is freed to avoid reopen. + +Reviewed-by: Yu Kuai +Signed-off-by: Xiao Ni +Link: https://lore.kernel.org/linux-raid/20250611073108.25463-3-xni@redhat.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 91cece996250..6b5b69a7a3f0 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6380,15 +6380,10 @@ static void md_clean(struct mddev *mddev) + mddev->persistent = 0; + mddev->level = LEVEL_NONE; + mddev->clevel[0] = 0; +- /* +- * Don't clear MD_CLOSING, or mddev can be opened again. +- * 'hold_active != 0' means mddev is still in the creation +- * process and will be used later. +- */ +- if (mddev->hold_active) +- mddev->flags = 0; +- else +- mddev->flags &= BIT_ULL_MASK(MD_CLOSING); ++ /* if UNTIL_STOP is set, it's cleared here */ ++ mddev->hold_active = 0; ++ /* Don't clear MD_CLOSING, or mddev can be opened again. */ ++ mddev->flags &= BIT_ULL_MASK(MD_CLOSING); + mddev->sb_flags = 0; + mddev->ro = MD_RDWR; + mddev->metadata_type[0] = 0; +@@ -6615,9 +6610,6 @@ static int do_md_stop(struct mddev *mddev, int mode) + export_array(mddev); + md_clean(mddev); + set_bit(MD_DELETED, &mddev->flags); +- +- if (mddev->hold_active == UNTIL_STOP) +- mddev->hold_active = 0; + } + md_new_event(); + sysfs_notify_dirent_safe(mddev->sysfs_state); +-- +2.39.5 + diff --git a/queue-6.12/md-raid10-set-chunk_sectors-limit.patch b/queue-6.12/md-raid10-set-chunk_sectors-limit.patch new file mode 100644 index 0000000000..725f631843 --- /dev/null +++ b/queue-6.12/md-raid10-set-chunk_sectors-limit.patch @@ -0,0 +1,38 @@ +From f22f0dde371298dad53991569760e292d4549101 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 10:52:56 +0000 +Subject: md/raid10: set chunk_sectors limit + +From: John Garry + +[ Upstream commit 7ef50c4c6a9c36fa3ea6f1681a80c0bf9a797345 ] + +Same as done for raid0, set chunk_sectors limit to appropriately set the +atomic write size limit. + +Reviewed-by: Nilay Shroff +Reviewed-by: Yu Kuai +Signed-off-by: John Garry +Reviewed-by: Martin K. Petersen +Link: https://lore.kernel.org/r/20250711105258.3135198-5-john.g.garry@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 5cdc599fcad3..7515a98001ca 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3968,6 +3968,7 @@ static int raid10_set_queue_limits(struct mddev *mddev) + md_init_stacking_limits(&lim); + lim.max_write_zeroes_sectors = 0; + lim.io_min = mddev->chunk_sectors << 9; ++ lim.chunk_sectors = mddev->chunk_sectors; + lim.io_opt = lim.io_min * raid10_nr_stripes(conf); + err = mddev_stack_rdev_limits(mddev, &lim, MDDEV_STACK_INTEGRITY); + if (err) +-- +2.39.5 + diff --git a/queue-6.12/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch b/queue-6.12/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch new file mode 100644 index 0000000000..544d23b754 --- /dev/null +++ b/queue-6.12/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch @@ -0,0 +1,46 @@ +From 47931bc40ac512735c4a974ce1a487d5749e17f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 21:32:31 -0400 +Subject: media: dvb-frontends: dib7090p: fix null-ptr-deref in + dib7090p_rw_on_apb() + +From: Alex Guo + +[ Upstream commit ce5cac69b2edac3e3246fee03e8f4c2a1075238b ] + +In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and +msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing +msg[0].buf[2] without sanity check, null pointer deref would happen. We add +check on msg[0].len to prevent crash. Similar issue occurs when access +msg[1].buf[0] and msg[1].buf[1]. + +Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Alex Guo +Link: https://lore.kernel.org/r/20250616013231.730221-1-alexguo1023@gmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib7000p.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c +index c5582d4fa5be..24f13a866735 100644 +--- a/drivers/media/dvb-frontends/dib7000p.c ++++ b/drivers/media/dvb-frontends/dib7000p.c +@@ -2256,8 +2256,12 @@ static int dib7090p_rw_on_apb(struct i2c_adapter *i2c_adap, + u16 word; + + if (num == 1) { /* write */ ++ if (msg[0].len < 3) ++ return -EOPNOTSUPP; + dib7000p_write_word(state, apb_address, ((msg[0].buf[1] << 8) | (msg[0].buf[2]))); + } else { ++ if (msg[1].len < 2) ++ return -EOPNOTSUPP; + word = dib7000p_read_word(state, apb_address); + msg[1].buf[0] = (word >> 8) & 0xff; + msg[1].buf[1] = (word) & 0xff; +-- +2.39.5 + diff --git a/queue-6.12/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch b/queue-6.12/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch new file mode 100644 index 0000000000..e89153fb25 --- /dev/null +++ b/queue-6.12/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch @@ -0,0 +1,48 @@ +From 853207aaf1b2fac0ce3a7b11b77c5f0827656a62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 21:33:53 -0400 +Subject: media: dvb-frontends: w7090p: fix null-ptr-deref in + w7090p_tuner_write_serpar and w7090p_tuner_read_serpar + +From: Alex Guo + +[ Upstream commit ed0234c8458b3149f15e496b48a1c9874dd24a1b ] + +In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add +check on msg[0].len to prevent crash. + +Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Alex Guo +Link: https://lore.kernel.org/r/20250616013353.738790-1-alexguo1023@gmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib7000p.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c +index 24f13a866735..40c5b1dc7d91 100644 +--- a/drivers/media/dvb-frontends/dib7000p.c ++++ b/drivers/media/dvb-frontends/dib7000p.c +@@ -2193,6 +2193,8 @@ static int w7090p_tuner_write_serpar(struct i2c_adapter *i2c_adap, struct i2c_ms + struct dib7000p_state *state = i2c_get_adapdata(i2c_adap); + u8 n_overflow = 1; + u16 i = 1000; ++ if (msg[0].len < 3) ++ return -EOPNOTSUPP; + u16 serpar_num = msg[0].buf[0]; + + while (n_overflow == 1 && i) { +@@ -2212,6 +2214,8 @@ static int w7090p_tuner_read_serpar(struct i2c_adapter *i2c_adap, struct i2c_msg + struct dib7000p_state *state = i2c_get_adapdata(i2c_adap); + u8 n_overflow = 1, n_empty = 1; + u16 i = 1000; ++ if (msg[0].len < 1 || msg[1].len < 2) ++ return -EOPNOTSUPP; + u16 serpar_num = msg[0].buf[0]; + u16 read_word; + +-- +2.39.5 + diff --git a/queue-6.12/media-hi556-fix-reset-gpio-timings.patch b/queue-6.12/media-hi556-fix-reset-gpio-timings.patch new file mode 100644 index 0000000000..4eec7ff8ea --- /dev/null +++ b/queue-6.12/media-hi556-fix-reset-gpio-timings.patch @@ -0,0 +1,52 @@ +From dd4dc924bc867def8e3f06a2b3ac1264c31848d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 May 2025 21:05:33 +0200 +Subject: media: hi556: Fix reset GPIO timings + +From: Hans de Goede + +[ Upstream commit 99f2211a9d89fe34b3fa847fd7a4475171406cd0 ] + +probe() requests the reset GPIO to be set to high when getting it. +Immeditately after this hi556_resume() is called and sets the GPIO low. + +If the GPIO was low before requesting it this will result in the GPIO +only very briefly spiking high and the sensor not being properly reset. +The same problem also happens on back to back runtime suspend + resume. + +Fix this by adding a sleep of 2 ms in hi556_resume() before setting +the GPIO low (if there is a reset GPIO). + +The final sleep is kept unconditional, because if there is e.g. no reset +GPIO but a controllable clock then the sensor also needs some time after +enabling the clock. + +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/hi556.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/hi556.c b/drivers/media/i2c/hi556.c +index 0e89aff9c664..3c84cf07275f 100644 +--- a/drivers/media/i2c/hi556.c ++++ b/drivers/media/i2c/hi556.c +@@ -1321,7 +1321,12 @@ static int hi556_resume(struct device *dev) + return ret; + } + +- gpiod_set_value_cansleep(hi556->reset_gpio, 0); ++ if (hi556->reset_gpio) { ++ /* Assert reset for at least 2ms on back to back off-on */ ++ usleep_range(2000, 2200); ++ gpiod_set_value_cansleep(hi556->reset_gpio, 0); ++ } ++ + usleep_range(5000, 5500); + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/media-ipu-bridge-add-_hid-for-ov5670.patch b/queue-6.12/media-ipu-bridge-add-_hid-for-ov5670.patch new file mode 100644 index 0000000000..fd693a81e9 --- /dev/null +++ b/queue-6.12/media-ipu-bridge-add-_hid-for-ov5670.patch @@ -0,0 +1,37 @@ +From d2fe3e421ee1524f6a01674a2f7685a49a943d2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 14:17:46 +0100 +Subject: media: ipu-bridge: Add _HID for OV5670 + +From: Daniel Scally + +[ Upstream commit 484f8bec3ddb453321ef0b8621c25de6ce3d0302 ] + +The OV5670 is found on Dell 7212 tablets paired with an IPU3 ISP +and needs to be connected by the ipu-bridge. Add it to the list +of supported devices. + +Signed-off-by: Daniel Scally +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/intel/ipu-bridge.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/pci/intel/ipu-bridge.c b/drivers/media/pci/intel/ipu-bridge.c +index a0e9a71580b5..4e921c751629 100644 +--- a/drivers/media/pci/intel/ipu-bridge.c ++++ b/drivers/media/pci/intel/ipu-bridge.c +@@ -59,6 +59,8 @@ static const struct ipu_sensor_config ipu_supported_sensors[] = { + IPU_SENSOR_CONFIG("INT33BE", 1, 419200000), + /* Omnivision OV2740 */ + IPU_SENSOR_CONFIG("INT3474", 1, 180000000), ++ /* Omnivision OV5670 */ ++ IPU_SENSOR_CONFIG("INT3479", 1, 422400000), + /* Omnivision OV8865 */ + IPU_SENSOR_CONFIG("INT347A", 1, 360000000), + /* Omnivision OV7251 */ +-- +2.39.5 + diff --git a/queue-6.12/media-tc358743-check-i2c-succeeded-during-probe.patch b/queue-6.12/media-tc358743-check-i2c-succeeded-during-probe.patch new file mode 100644 index 0000000000..e4df523852 --- /dev/null +++ b/queue-6.12/media-tc358743-check-i2c-succeeded-during-probe.patch @@ -0,0 +1,109 @@ +From 01d35316624cf595ad857e59d28ae1218c5553cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 19:37:15 +0100 +Subject: media: tc358743: Check I2C succeeded during probe + +From: Dave Stevenson + +[ Upstream commit 303d81635e1d9c949b370215cc94526ed81f2e3d ] + +The probe for the TC358743 reads the CHIPID register from +the device and compares it to the expected value of 0. +If the I2C request fails then that also returns 0, so +the driver loads thinking that the device is there. + +Generally I2C communications are reliable so there is +limited need to check the return value on every transfer, +therefore only amend the one read during probe to check +for I2C errors. + +Signed-off-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 344a670e732f..621855b3a715 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -110,7 +110,7 @@ static inline struct tc358743_state *to_state(struct v4l2_subdev *sd) + + /* --------------- I2C --------------- */ + +-static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) ++static int i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) + { + struct tc358743_state *state = to_state(sd); + struct i2c_client *client = state->i2c_client; +@@ -136,6 +136,7 @@ static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) + v4l2_err(sd, "%s: reading register 0x%x from 0x%x failed: %d\n", + __func__, reg, client->addr, err); + } ++ return err != ARRAY_SIZE(msgs); + } + + static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) +@@ -192,15 +193,24 @@ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) + } + } + +-static noinline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n) ++static noinline u32 i2c_rdreg_err(struct v4l2_subdev *sd, u16 reg, u32 n, ++ int *err) + { ++ int error; + __le32 val = 0; + +- i2c_rd(sd, reg, (u8 __force *)&val, n); ++ error = i2c_rd(sd, reg, (u8 __force *)&val, n); ++ if (err) ++ *err = error; + + return le32_to_cpu(val); + } + ++static inline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n) ++{ ++ return i2c_rdreg_err(sd, reg, n, NULL); ++} ++ + static noinline void i2c_wrreg(struct v4l2_subdev *sd, u16 reg, u32 val, u32 n) + { + __le32 raw = cpu_to_le32(val); +@@ -229,6 +239,13 @@ static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg) + return i2c_rdreg(sd, reg, 2); + } + ++static int i2c_rd16_err(struct v4l2_subdev *sd, u16 reg, u16 *value) ++{ ++ int err; ++ *value = i2c_rdreg_err(sd, reg, 2, &err); ++ return err; ++} ++ + static void i2c_wr16(struct v4l2_subdev *sd, u16 reg, u16 val) + { + i2c_wrreg(sd, reg, val, 2); +@@ -2030,6 +2047,7 @@ static int tc358743_probe(struct i2c_client *client) + struct tc358743_platform_data *pdata = client->dev.platform_data; + struct v4l2_subdev *sd; + u16 irq_mask = MASK_HDMI_MSK | MASK_CSI_MSK; ++ u16 chipid; + int err; + + if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_BYTE_DATA)) +@@ -2061,7 +2079,8 @@ static int tc358743_probe(struct i2c_client *client) + sd->flags |= V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS; + + /* i2c access */ +- if ((i2c_rd16(sd, CHIPID) & MASK_CHIPID) != 0) { ++ if (i2c_rd16_err(sd, CHIPID, &chipid) || ++ (chipid & MASK_CHIPID) != 0) { + v4l2_info(sd, "not a TC358743 on address 0x%x\n", + client->addr << 1); + return -ENODEV; +-- +2.39.5 + diff --git a/queue-6.12/media-tc358743-increase-fifo-trigger-level-to-374.patch b/queue-6.12/media-tc358743-increase-fifo-trigger-level-to-374.patch new file mode 100644 index 0000000000..4512be0328 --- /dev/null +++ b/queue-6.12/media-tc358743-increase-fifo-trigger-level-to-374.patch @@ -0,0 +1,58 @@ +From 9876600441892c90868e0250a56d4cb0057b4678 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 19:37:14 +0100 +Subject: media: tc358743: Increase FIFO trigger level to 374 + +From: Dave Stevenson + +[ Upstream commit 86addd25314a1e77dbdcfddfeed0bab2f27da0e2 ] + +The existing fixed value of 16 worked for UYVY 720P60 over +2 lanes at 594MHz, or UYVY 1080P60 over 4 lanes. (RGB888 +1080P60 needs 6 lanes at 594MHz). +It doesn't allow for lower resolutions to work as the FIFO +underflows. + +374 is required for 1080P24 or 1080P30 UYVY over 2 lanes @ +972Mbit/s, but >374 means that the FIFO underflows on 1080P50 +UYVY over 2 lanes @ 972Mbit/s. + +Whilst it would be nice to compute it, the required information +isn't published by Toshiba. + +Signed-off-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index ee7c2cd6a81b..d1306f39fa13 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1948,8 +1948,19 @@ static int tc358743_probe_of(struct tc358743_state *state) + state->pdata.refclk_hz = clk_get_rate(refclk); + state->pdata.ddc5v_delay = DDC5V_DELAY_100_MS; + state->pdata.enable_hdcp = false; +- /* A FIFO level of 16 should be enough for 2-lane 720p60 at 594 MHz. */ +- state->pdata.fifo_level = 16; ++ /* ++ * Ideally the FIFO trigger level should be set based on the input and ++ * output data rates, but the calculations required are buried in ++ * Toshiba's register settings spreadsheet. ++ * A value of 16 works with a 594Mbps data rate for 720p60 (using 2 ++ * lanes) and 1080p60 (using 4 lanes), but fails when the data rate ++ * is increased, or a lower pixel clock is used that result in CSI ++ * reading out faster than the data is arriving. ++ * ++ * A value of 374 works with both those modes at 594Mbps, and with most ++ * modes on 972Mbps. ++ */ ++ state->pdata.fifo_level = 374; + /* + * The PLL input clock is obtained by dividing refclk by pll_prd. + * It must be between 6 MHz and 40 MHz, lower frequency is better. +-- +2.39.5 + diff --git a/queue-6.12/media-tc358743-return-an-appropriate-colorspace-from.patch b/queue-6.12/media-tc358743-return-an-appropriate-colorspace-from.patch new file mode 100644 index 0000000000..9ef3321436 --- /dev/null +++ b/queue-6.12/media-tc358743-return-an-appropriate-colorspace-from.patch @@ -0,0 +1,113 @@ +From cca7f712a7bc9de474f7b20dcb68c5a13116d0af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 19:37:16 +0100 +Subject: media: tc358743: Return an appropriate colorspace from + tc358743_set_fmt + +From: Dave Stevenson + +[ Upstream commit 377cc006a364dfdab2f3f221cfad63a9265200b8 ] + +When calling tc358743_set_fmt, the code was calling tc358743_get_fmt +to choose a valid format. However that sets the colorspace +based on information read back from the chip, not the colour +format requested. + +The result was that if you called try or set format for UYVY +when the current format was RGB3 then you would get told SRGB, +and try RGB3 when current was UYVY and you would get told +SMPTE170M. + +The value programmed in the VI_REP register for the colorspace +is always set by this driver, therefore there is no need to read +back the value, and never set to REC709. +Return the colorspace based on the format set/tried instead. + +Signed-off-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 44 ++++++++++++++---------------------- + 1 file changed, 17 insertions(+), 27 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 621855b3a715..ee7c2cd6a81b 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1677,12 +1677,23 @@ static int tc358743_enum_mbus_code(struct v4l2_subdev *sd, + return 0; + } + ++static u32 tc358743_g_colorspace(u32 code) ++{ ++ switch (code) { ++ case MEDIA_BUS_FMT_RGB888_1X24: ++ return V4L2_COLORSPACE_SRGB; ++ case MEDIA_BUS_FMT_UYVY8_1X16: ++ return V4L2_COLORSPACE_SMPTE170M; ++ default: ++ return 0; ++ } ++} ++ + static int tc358743_get_fmt(struct v4l2_subdev *sd, + struct v4l2_subdev_state *sd_state, + struct v4l2_subdev_format *format) + { + struct tc358743_state *state = to_state(sd); +- u8 vi_rep = i2c_rd8(sd, VI_REP); + + if (format->pad != 0) + return -EINVAL; +@@ -1692,23 +1703,7 @@ static int tc358743_get_fmt(struct v4l2_subdev *sd, + format->format.height = state->timings.bt.height; + format->format.field = V4L2_FIELD_NONE; + +- switch (vi_rep & MASK_VOUT_COLOR_SEL) { +- case MASK_VOUT_COLOR_RGB_FULL: +- case MASK_VOUT_COLOR_RGB_LIMITED: +- format->format.colorspace = V4L2_COLORSPACE_SRGB; +- break; +- case MASK_VOUT_COLOR_601_YCBCR_LIMITED: +- case MASK_VOUT_COLOR_601_YCBCR_FULL: +- format->format.colorspace = V4L2_COLORSPACE_SMPTE170M; +- break; +- case MASK_VOUT_COLOR_709_YCBCR_FULL: +- case MASK_VOUT_COLOR_709_YCBCR_LIMITED: +- format->format.colorspace = V4L2_COLORSPACE_REC709; +- break; +- default: +- format->format.colorspace = 0; +- break; +- } ++ format->format.colorspace = tc358743_g_colorspace(format->format.code); + + return 0; + } +@@ -1722,19 +1717,14 @@ static int tc358743_set_fmt(struct v4l2_subdev *sd, + u32 code = format->format.code; /* is overwritten by get_fmt */ + int ret = tc358743_get_fmt(sd, sd_state, format); + +- format->format.code = code; ++ if (code == MEDIA_BUS_FMT_RGB888_1X24 || ++ code == MEDIA_BUS_FMT_UYVY8_1X16) ++ format->format.code = code; ++ format->format.colorspace = tc358743_g_colorspace(format->format.code); + + if (ret) + return ret; + +- switch (code) { +- case MEDIA_BUS_FMT_RGB888_1X24: +- case MEDIA_BUS_FMT_UYVY8_1X16: +- break; +- default: +- return -EINVAL; +- } +- + if (format->which == V4L2_SUBDEV_FORMAT_TRY) + return 0; + +-- +2.39.5 + diff --git a/queue-6.12/media-usb-hdpvr-disable-zero-length-read-messages.patch b/queue-6.12/media-usb-hdpvr-disable-zero-length-read-messages.patch new file mode 100644 index 0000000000..f5d67fded6 --- /dev/null +++ b/queue-6.12/media-usb-hdpvr-disable-zero-length-read-messages.patch @@ -0,0 +1,46 @@ +From a3ef4dcd1aa426445912a09380d642477f536f0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 10:09:54 +0200 +Subject: media: usb: hdpvr: disable zero-length read messages + +From: Wolfram Sang + +[ Upstream commit b5ae5a79825ba8037b0be3ef677a24de8c063abf ] + +This driver passes the length of an i2c_msg directly to +usb_control_msg(). If the message is now a read and of length 0, it +violates the USB protocol and a warning will be printed. Enable the +I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length +read messages altogether. + +Signed-off-by: Wolfram Sang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/usb/hdpvr/hdpvr-i2c.c b/drivers/media/usb/hdpvr/hdpvr-i2c.c +index 070559b01b01..54956a8ff15e 100644 +--- a/drivers/media/usb/hdpvr/hdpvr-i2c.c ++++ b/drivers/media/usb/hdpvr/hdpvr-i2c.c +@@ -165,10 +165,16 @@ static const struct i2c_algorithm hdpvr_algo = { + .functionality = hdpvr_functionality, + }; + ++/* prevent invalid 0-length usb_control_msg */ ++static const struct i2c_adapter_quirks hdpvr_quirks = { ++ .flags = I2C_AQ_NO_ZERO_LEN_READ, ++}; ++ + static const struct i2c_adapter hdpvr_i2c_adapter_template = { + .name = "Hauppauge HD PVR I2C", + .owner = THIS_MODULE, + .algo = &hdpvr_algo, ++ .quirks = &hdpvr_quirks, + }; + + static int hdpvr_activate_ir(struct hdpvr_device *dev) +-- +2.39.5 + diff --git a/queue-6.12/media-uvcvideo-add-quirk-for-hp-webcam-hd-2300.patch b/queue-6.12/media-uvcvideo-add-quirk-for-hp-webcam-hd-2300.patch new file mode 100644 index 0000000000..b6ed1285c1 --- /dev/null +++ b/queue-6.12/media-uvcvideo-add-quirk-for-hp-webcam-hd-2300.patch @@ -0,0 +1,65 @@ +From 3e2ddaaa9aa3dab601158035e3111959a7535ef1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 18:21:57 +0000 +Subject: media: uvcvideo: Add quirk for HP Webcam HD 2300 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Ribalda + +[ Upstream commit 53b0b80e5240fec7c5a420bffb310edc83faf4fd ] + +HP Webcam HD 2300 does not seem to flip the FID bit according to spec. + +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 239 Miscellaneous Device + bDeviceSubClass 2 [unknown] + bDeviceProtocol 1 Interface Association + bMaxPacketSize0 64 + idVendor 0x03f0 HP, Inc + idProduct 0xe207 HP Webcam HD 2300 + bcdDevice 10.20 + iManufacturer 3 Hewlett Packard + iProduct 1 HP Webcam HD 2300 + iSerial 0 + bNumConfigurations 1 + +Reported-by: Michaël Melchiore +Closes: https://lore.kernel.org/linux-media/CA+q66aRvTigH15cUyfvzPJ2mfsDFMt=CjuYNwvAZb29w8b1KDA@mail.gmail.com +Signed-off-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20250602-uvc-hp-quirk-v1-1-7047d94d679f@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 241b3f95f327..2396e582fc9d 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2487,6 +2487,15 @@ static const struct uvc_device_info uvc_quirk_force_y8 = { + * Sort these by vendor/product ID. + */ + static const struct usb_device_id uvc_ids[] = { ++ /* HP Webcam HD 2300 */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x03f0, ++ .idProduct = 0xe207, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = (kernel_ulong_t)&uvc_quirk_stream_no_fid }, + /* Quanta ACER HD User Facing */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, +-- +2.39.5 + diff --git a/queue-6.12/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch b/queue-6.12/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch new file mode 100644 index 0000000000..db6c6ac7c3 --- /dev/null +++ b/queue-6.12/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch @@ -0,0 +1,52 @@ +From 71afd0e236608673f1f3174a6ca6b5b2b4a10eb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 14:18:03 +0800 +Subject: media: uvcvideo: Fix bandwidth issue for Alcor camera + +From: chenchangcheng + +[ Upstream commit 9764401bf6f8a20eb11c2e78470f20fee91a9ea7 ] + +Some broken device return wrong dwMaxPayloadTransferSize fields as +follows: + +[ 218.632537] uvcvideo: Device requested 2752512 B/frame bandwidth. +[ 218.632598] uvcvideo: No fast enough alt setting for requested bandwidth. + +When dwMaxPayloadTransferSize is greater than maxpsize, it will prevent +the camera from starting. So use the bandwidth of maxpsize. + +Signed-off-by: chenchangcheng +Reviewed-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20250510061803.811433-1-ccc194101@163.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_video.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index eab7b8f55730..17ec298ee4f7 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -258,6 +258,15 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream, + + ctrl->dwMaxPayloadTransferSize = bandwidth; + } ++ ++ if (stream->intf->num_altsetting > 1 && ++ ctrl->dwMaxPayloadTransferSize > stream->maxpsize) { ++ dev_warn_ratelimited(&stream->intf->dev, ++ "UVC non compliance: the max payload transmission size (%u) exceeds the size of the ep max packet (%u). Using the max size.\n", ++ ctrl->dwMaxPayloadTransferSize, ++ stream->maxpsize); ++ ctrl->dwMaxPayloadTransferSize = stream->maxpsize; ++ } + } + + static size_t uvc_video_ctrl_size(struct uvc_streaming *stream) +-- +2.39.5 + diff --git a/queue-6.12/media-v4l2-common-reduce-warnings-about-missing-v4l2.patch b/queue-6.12/media-v4l2-common-reduce-warnings-about-missing-v4l2.patch new file mode 100644 index 0000000000..368df5d294 --- /dev/null +++ b/queue-6.12/media-v4l2-common-reduce-warnings-about-missing-v4l2.patch @@ -0,0 +1,47 @@ +From e9a2b1ab010185af7745b03edbd46f1f3f1dadc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 10:37:45 +0200 +Subject: media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ + control +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit 5a0abb8909b9dcf347fce1d201ac6686ac33fd64 ] + +When operating a pipeline with a missing V4L2_CID_LINK_FREQ control this +two line warning is printed each time the pipeline is started. Reduce +this excessive logging by only warning once for the missing control. + +Signed-off-by: Niklas Söderlund +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-common.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-common.c b/drivers/media/v4l2-core/v4l2-common.c +index 0a2f4f0d0a07..807894af9057 100644 +--- a/drivers/media/v4l2-core/v4l2-common.c ++++ b/drivers/media/v4l2-core/v4l2-common.c +@@ -494,10 +494,10 @@ s64 v4l2_get_link_freq(struct v4l2_ctrl_handler *handler, unsigned int mul, + + freq = div_u64(v4l2_ctrl_g_ctrl_int64(ctrl) * mul, div); + +- pr_warn("%s: Link frequency estimated using pixel rate: result might be inaccurate\n", +- __func__); +- pr_warn("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n", +- __func__); ++ pr_warn_once("%s: Link frequency estimated using pixel rate: result might be inaccurate\n", ++ __func__); ++ pr_warn_once("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n", ++ __func__); + } + + return freq > 0 ? freq : -EINVAL; +-- +2.39.5 + diff --git a/queue-6.12/mei-bus-check-for-still-connected-devices-in-mei_cl_.patch b/queue-6.12/mei-bus-check-for-still-connected-devices-in-mei_cl_.patch new file mode 100644 index 0000000000..4c230ed018 --- /dev/null +++ b/queue-6.12/mei-bus-check-for-still-connected-devices-in-mei_cl_.patch @@ -0,0 +1,53 @@ +From 37c3158ecc9f54d51749f3662ad23d5d355f5388 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 10:50:52 +0200 +Subject: mei: bus: Check for still connected devices in + mei_cl_bus_dev_release() + +From: Hans de Goede + +[ Upstream commit 35e8a426b16adbecae7a4e0e3c00fc8d0273db53 ] + +mei_cl_bus_dev_release() also frees the mei-client (struct mei_cl) +belonging to the device being released. + +If there are bugs like the just fixed bug in the ACE/CSI2 mei drivers, +the mei-client being freed might still be part of the mei_device's +file_list and iterating over this list after the freeing will then trigger +a use-afer-free bug. + +Add a check to mei_cl_bus_dev_release() to make sure that the to-be-freed +mei-client is not on the mei_device's file_list. + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20250623085052.12347-11-hansg@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mei/bus.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c +index 5576146ab13b..04f9a4b79d85 100644 +--- a/drivers/misc/mei/bus.c ++++ b/drivers/misc/mei/bus.c +@@ -1353,10 +1353,16 @@ static void mei_dev_bus_put(struct mei_device *bus) + static void mei_cl_bus_dev_release(struct device *dev) + { + struct mei_cl_device *cldev = to_mei_cl_device(dev); ++ struct mei_device *mdev = cldev->cl->dev; ++ struct mei_cl *cl; + + mei_cl_flush_queues(cldev->cl, NULL); + mei_me_cl_put(cldev->me_cl); + mei_dev_bus_put(cldev->bus); ++ ++ list_for_each_entry(cl, &mdev->file_list, link) ++ WARN_ON(cl == cldev->cl); ++ + kfree(cldev->cl); + kfree(cldev); + } +-- +2.39.5 + diff --git a/queue-6.12/mfd-axp20x-set-explicit-id-for-axp313-regulator.patch b/queue-6.12/mfd-axp20x-set-explicit-id-for-axp313-regulator.patch new file mode 100644 index 0000000000..a0446380b7 --- /dev/null +++ b/queue-6.12/mfd-axp20x-set-explicit-id-for-axp313-regulator.patch @@ -0,0 +1,49 @@ +From 431b170d59a5533e35045435b35ed90904e5d041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 01:32:07 +0800 +Subject: mfd: axp20x: Set explicit ID for AXP313 regulator + +From: Chen-Yu Tsai + +[ Upstream commit 88828c7e940dd45d139ad4a39d702b23840a37c5 ] + +On newer boards featuring the A523 SoC, the AXP323 (related to the +AXP313) is paired with the AXP717 and serves as a secondary PMIC +providing additional regulator outputs. However the MFD cells are all +registered with PLATFORM_DEVID_NONE, which causes the regulator cells +to conflict with each other. + +Commit e37ec3218870 ("mfd: axp20x: Allow multiple regulators") attempted +to fix this by switching to PLATFORM_DEVID_AUTO so that the device names +would all be different, however that broke IIO channel mapping, which is +also tied to the device names. As a result the change was later reverted. + +Instead, here we attempt to make sure the AXP313/AXP323 regulator cell +does not conflict by explicitly giving it an ID number. This was +previously done for the AXP809+AXP806 pair used with the A80 SoC. + +Signed-off-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20250619173207.3367126-1-wens@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/axp20x.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/axp20x.c b/drivers/mfd/axp20x.c +index 378092903971..cbf1029d0333 100644 +--- a/drivers/mfd/axp20x.c ++++ b/drivers/mfd/axp20x.c +@@ -1034,7 +1034,8 @@ static const struct mfd_cell axp152_cells[] = { + }; + + static struct mfd_cell axp313a_cells[] = { +- MFD_CELL_NAME("axp20x-regulator"), ++ /* AXP323 is sometimes paired with AXP717 as sub-PMIC */ ++ MFD_CELL_BASIC("axp20x-regulator", NULL, NULL, 0, 1), + MFD_CELL_RES("axp313a-pek", axp313a_pek_resources), + }; + +-- +2.39.5 + diff --git a/queue-6.12/mfd-tps6594-add-ti-tps652g1-support.patch b/queue-6.12/mfd-tps6594-add-ti-tps652g1-support.patch new file mode 100644 index 0000000000..6605ee5636 --- /dev/null +++ b/queue-6.12/mfd-tps6594-add-ti-tps652g1-support.patch @@ -0,0 +1,254 @@ +From 7a317658568bdb0b1e860bc66a1786162029e7ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 13:45:12 +0200 +Subject: mfd: tps6594: Add TI TPS652G1 support + +From: Michael Walle + +[ Upstream commit 626bb0a45584d544d84eab909795ccb355062bcc ] + +The TPS652G1 is a stripped down version of the TPS65224. From a software +point of view, it lacks any voltage monitoring, the watchdog, the ESM +and the ADC. + +Signed-off-by: Michael Walle +Link: https://lore.kernel.org/r/20250613114518.1772109-2-mwalle@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/tps6594-core.c | 88 ++++++++++++++++++++++++++++++++++--- + drivers/mfd/tps6594-i2c.c | 10 ++++- + drivers/mfd/tps6594-spi.c | 10 ++++- + include/linux/mfd/tps6594.h | 1 + + 4 files changed, 99 insertions(+), 10 deletions(-) + +diff --git a/drivers/mfd/tps6594-core.c b/drivers/mfd/tps6594-core.c +index a7223e873cd1..c16c37e36617 100644 +--- a/drivers/mfd/tps6594-core.c ++++ b/drivers/mfd/tps6594-core.c +@@ -1,6 +1,11 @@ + // SPDX-License-Identifier: GPL-2.0 + /* +- * Core functions for TI TPS65224/TPS6594/TPS6593/LP8764 PMICs ++ * Core functions for following TI PMICs: ++ * - LP8764 ++ * - TPS65224 ++ * - TPS652G1 ++ * - TPS6593 ++ * - TPS6594 + * + * Copyright (C) 2023 BayLibre Incorporated - https://www.baylibre.com/ + */ +@@ -414,6 +419,61 @@ static const unsigned int tps65224_irq_reg[] = { + TPS6594_REG_INT_FSM_ERR, + }; + ++/* TPS652G1 Resources */ ++ ++static const struct mfd_cell tps652g1_common_cells[] = { ++ MFD_CELL_RES("tps6594-pfsm", tps65224_pfsm_resources), ++ MFD_CELL_RES("tps6594-pinctrl", tps65224_pinctrl_resources), ++ MFD_CELL_NAME("tps6594-regulator"), ++}; ++ ++static const struct regmap_irq tps652g1_irqs[] = { ++ /* INT_GPIO register */ ++ REGMAP_IRQ_REG(TPS65224_IRQ_GPIO1, 2, TPS65224_BIT_GPIO1_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_GPIO2, 2, TPS65224_BIT_GPIO2_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_GPIO3, 2, TPS65224_BIT_GPIO3_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_GPIO4, 2, TPS65224_BIT_GPIO4_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_GPIO5, 2, TPS65224_BIT_GPIO5_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_GPIO6, 2, TPS65224_BIT_GPIO6_INT), ++ ++ /* INT_STARTUP register */ ++ REGMAP_IRQ_REG(TPS65224_IRQ_VSENSE, 3, TPS65224_BIT_VSENSE_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_ENABLE, 3, TPS6594_BIT_ENABLE_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_PB_SHORT, 3, TPS65224_BIT_PB_SHORT_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_FSD, 3, TPS6594_BIT_FSD_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_SOFT_REBOOT, 3, TPS6594_BIT_SOFT_REBOOT_INT), ++ ++ /* INT_MISC register */ ++ REGMAP_IRQ_REG(TPS65224_IRQ_BIST_PASS, 4, TPS6594_BIT_BIST_PASS_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_EXT_CLK, 4, TPS6594_BIT_EXT_CLK_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_REG_UNLOCK, 4, TPS65224_BIT_REG_UNLOCK_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_TWARN, 4, TPS6594_BIT_TWARN_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_PB_LONG, 4, TPS65224_BIT_PB_LONG_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_PB_FALL, 4, TPS65224_BIT_PB_FALL_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_PB_RISE, 4, TPS65224_BIT_PB_RISE_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_ADC_CONV_READY, 4, TPS65224_BIT_ADC_CONV_READY_INT), ++ ++ /* INT_MODERATE_ERR register */ ++ REGMAP_IRQ_REG(TPS65224_IRQ_TSD_ORD, 5, TPS6594_BIT_TSD_ORD_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_BIST_FAIL, 5, TPS6594_BIT_BIST_FAIL_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_REG_CRC_ERR, 5, TPS6594_BIT_REG_CRC_ERR_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_RECOV_CNT, 5, TPS6594_BIT_RECOV_CNT_INT), ++ ++ /* INT_SEVERE_ERR register */ ++ REGMAP_IRQ_REG(TPS65224_IRQ_TSD_IMM, 6, TPS6594_BIT_TSD_IMM_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_VCCA_OVP, 6, TPS6594_BIT_VCCA_OVP_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_PFSM_ERR, 6, TPS6594_BIT_PFSM_ERR_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_BG_XMON, 6, TPS65224_BIT_BG_XMON_INT), ++ ++ /* INT_FSM_ERR register */ ++ REGMAP_IRQ_REG(TPS65224_IRQ_IMM_SHUTDOWN, 7, TPS6594_BIT_IMM_SHUTDOWN_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_ORD_SHUTDOWN, 7, TPS6594_BIT_ORD_SHUTDOWN_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_MCU_PWR_ERR, 7, TPS6594_BIT_MCU_PWR_ERR_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_SOC_PWR_ERR, 7, TPS6594_BIT_SOC_PWR_ERR_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_COMM_ERR, 7, TPS6594_BIT_COMM_ERR_INT), ++ REGMAP_IRQ_REG(TPS65224_IRQ_I2C2_ERR, 7, TPS65224_BIT_I2C2_ERR_INT), ++}; ++ + static inline unsigned int tps6594_get_irq_reg(struct regmap_irq_chip_data *data, + unsigned int base, int index) + { +@@ -443,7 +503,7 @@ static int tps6594_handle_post_irq(void *irq_drv_data) + * a new interrupt. + */ + if (tps->use_crc) { +- if (tps->chip_id == TPS65224) { ++ if (tps->chip_id == TPS65224 || tps->chip_id == TPS652G1) { + regmap_reg = TPS6594_REG_INT_FSM_ERR; + mask_val = TPS6594_BIT_COMM_ERR_INT; + } else { +@@ -481,6 +541,18 @@ static struct regmap_irq_chip tps65224_irq_chip = { + .handle_post_irq = tps6594_handle_post_irq, + }; + ++static struct regmap_irq_chip tps652g1_irq_chip = { ++ .ack_base = TPS6594_REG_INT_BUCK, ++ .ack_invert = 1, ++ .clear_ack = 1, ++ .init_ack_masked = 1, ++ .num_regs = ARRAY_SIZE(tps65224_irq_reg), ++ .irqs = tps652g1_irqs, ++ .num_irqs = ARRAY_SIZE(tps652g1_irqs), ++ .get_irq_reg = tps65224_get_irq_reg, ++ .handle_post_irq = tps6594_handle_post_irq, ++}; ++ + static const struct regmap_range tps6594_volatile_ranges[] = { + regmap_reg_range(TPS6594_REG_INT_TOP, TPS6594_REG_STAT_READBACK_ERR), + regmap_reg_range(TPS6594_REG_RTC_STATUS, TPS6594_REG_RTC_STATUS), +@@ -507,7 +579,7 @@ static int tps6594_check_crc_mode(struct tps6594 *tps, bool primary_pmic) + int ret; + unsigned int regmap_reg, mask_val; + +- if (tps->chip_id == TPS65224) { ++ if (tps->chip_id == TPS65224 || tps->chip_id == TPS652G1) { + regmap_reg = TPS6594_REG_CONFIG_2; + mask_val = TPS65224_BIT_I2C1_SPI_CRC_EN; + } else { +@@ -537,7 +609,7 @@ static int tps6594_set_crc_feature(struct tps6594 *tps) + int ret; + unsigned int regmap_reg, mask_val; + +- if (tps->chip_id == TPS65224) { ++ if (tps->chip_id == TPS65224 || tps->chip_id == TPS652G1) { + regmap_reg = TPS6594_REG_CONFIG_2; + mask_val = TPS65224_BIT_I2C1_SPI_CRC_EN; + } else { +@@ -628,6 +700,10 @@ int tps6594_device_init(struct tps6594 *tps, bool enable_crc) + irq_chip = &tps65224_irq_chip; + n_cells = ARRAY_SIZE(tps65224_common_cells); + cells = tps65224_common_cells; ++ } else if (tps->chip_id == TPS652G1) { ++ irq_chip = &tps652g1_irq_chip; ++ n_cells = ARRAY_SIZE(tps652g1_common_cells); ++ cells = tps652g1_common_cells; + } else { + irq_chip = &tps6594_irq_chip; + n_cells = ARRAY_SIZE(tps6594_common_cells); +@@ -651,8 +727,8 @@ int tps6594_device_init(struct tps6594 *tps, bool enable_crc) + if (ret) + return dev_err_probe(dev, ret, "Failed to add common child devices\n"); + +- /* No RTC for LP8764 and TPS65224 */ +- if (tps->chip_id != LP8764 && tps->chip_id != TPS65224) { ++ /* No RTC for LP8764, TPS65224 and TPS652G1 */ ++ if (tps->chip_id != LP8764 && tps->chip_id != TPS65224 && tps->chip_id != TPS652G1) { + ret = devm_mfd_add_devices(dev, PLATFORM_DEVID_AUTO, tps6594_rtc_cells, + ARRAY_SIZE(tps6594_rtc_cells), NULL, 0, + regmap_irq_get_domain(tps->irq_data)); +diff --git a/drivers/mfd/tps6594-i2c.c b/drivers/mfd/tps6594-i2c.c +index 4ab91c34d9fb..7ff7516286fd 100644 +--- a/drivers/mfd/tps6594-i2c.c ++++ b/drivers/mfd/tps6594-i2c.c +@@ -1,6 +1,11 @@ + // SPDX-License-Identifier: GPL-2.0 + /* +- * I2C access driver for TI TPS65224/TPS6594/TPS6593/LP8764 PMICs ++ * I2C access driver for the following TI PMICs: ++ * - LP8764 ++ * - TPS65224 ++ * - TPS652G1 ++ * - TPS6593 ++ * - TPS6594 + * + * Copyright (C) 2023 BayLibre Incorporated - https://www.baylibre.com/ + */ +@@ -197,6 +202,7 @@ static const struct of_device_id tps6594_i2c_of_match_table[] = { + { .compatible = "ti,tps6593-q1", .data = (void *)TPS6593, }, + { .compatible = "ti,lp8764-q1", .data = (void *)LP8764, }, + { .compatible = "ti,tps65224-q1", .data = (void *)TPS65224, }, ++ { .compatible = "ti,tps652g1", .data = (void *)TPS652G1, }, + {} + }; + MODULE_DEVICE_TABLE(of, tps6594_i2c_of_match_table); +@@ -222,7 +228,7 @@ static int tps6594_i2c_probe(struct i2c_client *client) + return dev_err_probe(dev, -EINVAL, "Failed to find matching chip ID\n"); + tps->chip_id = (unsigned long)match->data; + +- if (tps->chip_id == TPS65224) ++ if (tps->chip_id == TPS65224 || tps->chip_id == TPS652G1) + tps6594_i2c_regmap_config.volatile_table = &tps65224_volatile_table; + + tps->regmap = devm_regmap_init(dev, NULL, client, &tps6594_i2c_regmap_config); +diff --git a/drivers/mfd/tps6594-spi.c b/drivers/mfd/tps6594-spi.c +index 6ebccb79f0cc..944b7313a1d9 100644 +--- a/drivers/mfd/tps6594-spi.c ++++ b/drivers/mfd/tps6594-spi.c +@@ -1,6 +1,11 @@ + // SPDX-License-Identifier: GPL-2.0 + /* +- * SPI access driver for TI TPS65224/TPS6594/TPS6593/LP8764 PMICs ++ * SPI access driver for the following TI PMICs: ++ * - LP8764 ++ * - TPS65224 ++ * - TPS652G1 ++ * - TPS6593 ++ * - TPS6594 + * + * Copyright (C) 2023 BayLibre Incorporated - https://www.baylibre.com/ + */ +@@ -82,6 +87,7 @@ static const struct of_device_id tps6594_spi_of_match_table[] = { + { .compatible = "ti,tps6593-q1", .data = (void *)TPS6593, }, + { .compatible = "ti,lp8764-q1", .data = (void *)LP8764, }, + { .compatible = "ti,tps65224-q1", .data = (void *)TPS65224, }, ++ { .compatible = "ti,tps652g1", .data = (void *)TPS652G1, }, + {} + }; + MODULE_DEVICE_TABLE(of, tps6594_spi_of_match_table); +@@ -107,7 +113,7 @@ static int tps6594_spi_probe(struct spi_device *spi) + return dev_err_probe(dev, -EINVAL, "Failed to find matching chip ID\n"); + tps->chip_id = (unsigned long)match->data; + +- if (tps->chip_id == TPS65224) ++ if (tps->chip_id == TPS65224 || tps->chip_id == TPS652G1) + tps6594_spi_regmap_config.volatile_table = &tps65224_volatile_table; + + tps->regmap = devm_regmap_init(dev, NULL, spi, &tps6594_spi_regmap_config); +diff --git a/include/linux/mfd/tps6594.h b/include/linux/mfd/tps6594.h +index 16543fd4d83e..021db8875963 100644 +--- a/include/linux/mfd/tps6594.h ++++ b/include/linux/mfd/tps6594.h +@@ -19,6 +19,7 @@ enum pmic_id { + TPS6593, + LP8764, + TPS65224, ++ TPS652G1, + }; + + /* Macro to get page index from register address */ +-- +2.39.5 + diff --git a/queue-6.12/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch b/queue-6.12/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch new file mode 100644 index 0000000000..9ce0930302 --- /dev/null +++ b/queue-6.12/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch @@ -0,0 +1,79 @@ +From fbc68344b07348ca797d0d763717e53a7eb98f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 13:28:26 +0200 +Subject: MIPS: Don't crash in stack_top() for tasks without ABI or vDSO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit e9f4a6b3421e936c3ee9d74710243897d74dbaa2 ] + +Not all tasks have an ABI associated or vDSO mapped, +for example kthreads never do. +If such a task ever ends up calling stack_top(), it will derefence the +NULL ABI pointer and crash. + +This can for example happen when using kunit: + + mips_stack_top+0x28/0xc0 + arch_pick_mmap_layout+0x190/0x220 + kunit_vm_mmap_init+0xf8/0x138 + __kunit_add_resource+0x40/0xa8 + kunit_vm_mmap+0x88/0xd8 + usercopy_test_init+0xb8/0x240 + kunit_try_run_case+0x5c/0x1a8 + kunit_generic_run_threadfn_adapter+0x28/0x50 + kthread+0x118/0x240 + ret_from_kernel_thread+0x14/0x1c + +Only dereference the ABI point if it is set. + +The GIC page is also included as it is specific to the vDSO. +Also move the randomization adjustment into the same conditional. + +Signed-off-by: Thomas Weißschuh +Reviewed-by: David Gow +Reviewed-by: Huacai Chen +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/process.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index b630604c577f..02aa6a04a21d 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -690,18 +690,20 @@ unsigned long mips_stack_top(void) + } + + /* Space for the VDSO, data page & GIC user page */ +- top -= PAGE_ALIGN(current->thread.abi->vdso->size); +- top -= PAGE_SIZE; +- top -= mips_gic_present() ? PAGE_SIZE : 0; ++ if (current->thread.abi) { ++ top -= PAGE_ALIGN(current->thread.abi->vdso->size); ++ top -= PAGE_SIZE; ++ top -= mips_gic_present() ? PAGE_SIZE : 0; ++ ++ /* Space to randomize the VDSO base */ ++ if (current->flags & PF_RANDOMIZE) ++ top -= VDSO_RANDOMIZE_SIZE; ++ } + + /* Space for cache colour alignment */ + if (cpu_has_dc_aliases) + top -= shm_align_mask + 1; + +- /* Space to randomize the VDSO base */ +- if (current->flags & PF_RANDOMIZE) +- top -= VDSO_RANDOMIZE_SIZE; +- + return top; + } + +-- +2.39.5 + diff --git a/queue-6.12/mips-lantiq-falcon-sysctrl-fix-request-memory-check-.patch b/queue-6.12/mips-lantiq-falcon-sysctrl-fix-request-memory-check-.patch new file mode 100644 index 0000000000..ec163c026e --- /dev/null +++ b/queue-6.12/mips-lantiq-falcon-sysctrl-fix-request-memory-check-.patch @@ -0,0 +1,74 @@ +From ee092c3011024dabdf04a72a4b2f3b1342870815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 22:53:23 +0800 +Subject: MIPS: lantiq: falcon: sysctrl: fix request memory check logic + +From: Shiji Yang + +[ Upstream commit 9c9a7ff9882fc6ba7d2f4050697e8bb80383e8dc ] + +request_mem_region() will return NULL instead of error code +when the memory request fails. Therefore, we should check if +the return value is non-zero instead of less than zero. In +this way, this patch also fixes the build warnings: + +arch/mips/lantiq/falcon/sysctrl.c:214:50: error: ordered comparison of pointer with integer zero [-Werror=extra] + 214 | res_status.name) < 0) || + | ^ +arch/mips/lantiq/falcon/sysctrl.c:216:47: error: ordered comparison of pointer with integer zero [-Werror=extra] + 216 | res_ebu.name) < 0) || + | ^ +arch/mips/lantiq/falcon/sysctrl.c:219:50: error: ordered comparison of pointer with integer zero [-Werror=extra] + 219 | res_sys[0].name) < 0) || + | ^ +arch/mips/lantiq/falcon/sysctrl.c:222:50: error: ordered comparison of pointer with integer zero [-Werror=extra] + 222 | res_sys[1].name) < 0) || + | ^ +arch/mips/lantiq/falcon/sysctrl.c:225:50: error: ordered comparison of pointer with integer zero [-Werror=extra] + 225 | res_sys[2].name) < 0)) + | + +Signed-off-by: Shiji Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/falcon/sysctrl.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/arch/mips/lantiq/falcon/sysctrl.c b/arch/mips/lantiq/falcon/sysctrl.c +index 1187729d8cbb..357543996ee6 100644 +--- a/arch/mips/lantiq/falcon/sysctrl.c ++++ b/arch/mips/lantiq/falcon/sysctrl.c +@@ -214,19 +214,16 @@ void __init ltq_soc_init(void) + of_node_put(np_syseth); + of_node_put(np_sysgpe); + +- if ((request_mem_region(res_status.start, resource_size(&res_status), +- res_status.name) < 0) || +- (request_mem_region(res_ebu.start, resource_size(&res_ebu), +- res_ebu.name) < 0) || +- (request_mem_region(res_sys[0].start, +- resource_size(&res_sys[0]), +- res_sys[0].name) < 0) || +- (request_mem_region(res_sys[1].start, +- resource_size(&res_sys[1]), +- res_sys[1].name) < 0) || +- (request_mem_region(res_sys[2].start, +- resource_size(&res_sys[2]), +- res_sys[2].name) < 0)) ++ if ((!request_mem_region(res_status.start, resource_size(&res_status), ++ res_status.name)) || ++ (!request_mem_region(res_ebu.start, resource_size(&res_ebu), ++ res_ebu.name)) || ++ (!request_mem_region(res_sys[0].start, resource_size(&res_sys[0]), ++ res_sys[0].name)) || ++ (!request_mem_region(res_sys[1].start, resource_size(&res_sys[1]), ++ res_sys[1].name)) || ++ (!request_mem_region(res_sys[2].start, resource_size(&res_sys[2]), ++ res_sys[2].name))) + pr_err("Failed to request core resources"); + + status_membase = ioremap(res_status.start, +-- +2.39.5 + diff --git a/queue-6.12/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch b/queue-6.12/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch new file mode 100644 index 0000000000..87baaf8b74 --- /dev/null +++ b/queue-6.12/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch @@ -0,0 +1,53 @@ +From ba1621431c3d9384ab6880380f6252273429b462 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 21:06:32 +0800 +Subject: MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} + +From: Shiji Yang + +[ Upstream commit 844615dd0f2d95c018ec66b943e08af22b62aff3 ] + +These functions are exported but their prototypes are not defined. +This patch adds the missing function prototypes to fix the following +compilation warnings: + +arch/mips/kernel/vpe-mt.c:180:7: error: no previous prototype for 'vpe_alloc' [-Werror=missing-prototypes] + 180 | void *vpe_alloc(void) + | ^~~~~~~~~ +arch/mips/kernel/vpe-mt.c:198:5: error: no previous prototype for 'vpe_start' [-Werror=missing-prototypes] + 198 | int vpe_start(void *vpe, unsigned long start) + | ^~~~~~~~~ +arch/mips/kernel/vpe-mt.c:208:5: error: no previous prototype for 'vpe_stop' [-Werror=missing-prototypes] + 208 | int vpe_stop(void *vpe) + | ^~~~~~~~ +arch/mips/kernel/vpe-mt.c:229:5: error: no previous prototype for 'vpe_free' [-Werror=missing-prototypes] + 229 | int vpe_free(void *vpe) + | ^~~~~~~~ + +Signed-off-by: Shiji Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/vpe.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h +index 61fd4d0aeda4..c0769dc4b853 100644 +--- a/arch/mips/include/asm/vpe.h ++++ b/arch/mips/include/asm/vpe.h +@@ -119,4 +119,12 @@ void cleanup_tc(struct tc *tc); + + int __init vpe_module_init(void); + void __exit vpe_module_exit(void); ++ ++#ifdef CONFIG_MIPS_VPE_LOADER_MT ++void *vpe_alloc(void); ++int vpe_start(void *vpe, unsigned long start); ++int vpe_stop(void *vpe); ++int vpe_free(void *vpe); ++#endif /* CONFIG_MIPS_VPE_LOADER_MT */ ++ + #endif /* _ASM_VPE_H */ +-- +2.39.5 + diff --git a/queue-6.12/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch b/queue-6.12/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch new file mode 100644 index 0000000000..6cef4901aa --- /dev/null +++ b/queue-6.12/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch @@ -0,0 +1,40 @@ +From 2caa41949dcc6b793b535370c1cb341427a164e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 13:16:23 +0200 +Subject: mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() + +From: Ulf Hansson + +[ Upstream commit 47a255f7d2eabee06cfbf5b1c2379749442fd01d ] + +In the error path of sd_set_power_mode() we don't update host->power_mode, +which could lead to an imbalance of the runtime PM usage count. Fix this by +always updating host->power_mode. + +Reviewed-by: Avri Altman +Signed-off-by: Ulf Hansson +Acked-by: Ricky Wu +Link: https://lore.kernel.org/r/20250610111633.504366-2-ulf.hansson@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c +index 4e86f0a705b6..2bf51fe11a09 100644 +--- a/drivers/mmc/host/rtsx_usb_sdmmc.c ++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c +@@ -1032,9 +1032,7 @@ static int sd_set_power_mode(struct rtsx_usb_sdmmc *host, + err = sd_power_on(host); + } + +- if (!err) +- host->power_mode = power_mode; +- ++ host->power_mode = power_mode; + return err; + } + +-- +2.39.5 + diff --git a/queue-6.12/mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch b/queue-6.12/mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch new file mode 100644 index 0000000000..03378d712a --- /dev/null +++ b/queue-6.12/mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch @@ -0,0 +1,71 @@ +From f95a127452b2bd074038db6318688f4806225cab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 15:36:59 +0530 +Subject: mmc: sdhci-msm: Ensure SD card power isn't ON when card removed + +From: Sarthak Garg + +[ Upstream commit db58532188ebf51d52b1d7693d9e94c76b926e9f ] + +Many mobile phones feature multi-card tray designs, where the same +tray is used for both SD and SIM cards. If the SD card is placed +at the outermost location in the tray, the SIM card may come in +contact with SD card power-supply while removing the tray, possibly +resulting in SIM damage. + +To prevent that, make sure the SD card is really inserted by reading +the Card Detect pin state. If it's not, turn off the power in +sdhci_msm_check_power_status() and also set the BUS_FAIL power state +on the controller as part of pwr_irq handling for BUS_ON request. + +Signed-off-by: Sarthak Garg +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20250701100659.3310386-1-quic_sartgarg@quicinc.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-msm.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c +index 82808cc373f6..c2144a3efb30 100644 +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -1564,6 +1564,7 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type) + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); ++ struct mmc_host *mmc = host->mmc; + bool done = false; + u32 val = SWITCHABLE_SIGNALING_VOLTAGE; + const struct sdhci_msm_offset *msm_offset = +@@ -1621,6 +1622,12 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type) + "%s: pwr_irq for req: (%d) timed out\n", + mmc_hostname(host->mmc), req_type); + } ++ ++ if ((req_type & REQ_BUS_ON) && mmc->card && !mmc->ops->get_cd(mmc)) { ++ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL); ++ host->pwr = 0; ++ } ++ + pr_debug("%s: %s: request %d done\n", mmc_hostname(host->mmc), + __func__, req_type); + } +@@ -1679,6 +1686,13 @@ static void sdhci_msm_handle_pwr_irq(struct sdhci_host *host, int irq) + udelay(10); + } + ++ if ((irq_status & CORE_PWRCTL_BUS_ON) && mmc->card && ++ !mmc->ops->get_cd(mmc)) { ++ msm_host_writel(msm_host, CORE_PWRCTL_BUS_FAIL, host, ++ msm_offset->core_pwrctl_ctl); ++ return; ++ } ++ + /* Handle BUS ON/OFF*/ + if (irq_status & CORE_PWRCTL_BUS_ON) { + pwr_state = REQ_BUS_ON; +-- +2.39.5 + diff --git a/queue-6.12/module-prevent-silent-truncation-of-module-name-in-d.patch b/queue-6.12/module-prevent-silent-truncation-of-module-name-in-d.patch new file mode 100644 index 0000000000..4336dd52ab --- /dev/null +++ b/queue-6.12/module-prevent-silent-truncation-of-module-name-in-d.patch @@ -0,0 +1,57 @@ +From ce718d879623ceed7a5b7a2f813c91221bbdcf46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 16:32:32 +0200 +Subject: module: Prevent silent truncation of module name in delete_module(2) + +From: Petr Pavlu + +[ Upstream commit a6323bd4e611567913e23df5b58f2d4e4da06789 ] + +Passing a module name longer than MODULE_NAME_LEN to the delete_module +syscall results in its silent truncation. This really isn't much of +a problem in practice, but it could theoretically lead to the removal of an +incorrect module. It is more sensible to return ENAMETOOLONG or ENOENT in +such a case. + +Update the syscall to return ENOENT, as documented in the delete_module(2) +man page to mean "No module by that name exists." This is appropriate +because a module with a name longer than MODULE_NAME_LEN cannot be loaded +in the first place. + +Signed-off-by: Petr Pavlu +Reviewed-by: Daniel Gomez +Link: https://lore.kernel.org/r/20250630143535.267745-2-petr.pavlu@suse.com +Signed-off-by: Daniel Gomez +Signed-off-by: Sasha Levin +--- + kernel/module/main.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/kernel/module/main.c b/kernel/module/main.c +index 6908062f4560..4511d0a4762a 100644 +--- a/kernel/module/main.c ++++ b/kernel/module/main.c +@@ -703,14 +703,16 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user, + struct module *mod; + char name[MODULE_NAME_LEN]; + char buf[MODULE_FLAGS_BUF_SIZE]; +- int ret, forced = 0; ++ int ret, len, forced = 0; + + if (!capable(CAP_SYS_MODULE) || modules_disabled) + return -EPERM; + +- if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0) +- return -EFAULT; +- name[MODULE_NAME_LEN-1] = '\0'; ++ len = strncpy_from_user(name, name_user, MODULE_NAME_LEN); ++ if (len == 0 || len == MODULE_NAME_LEN) ++ return -ENOENT; ++ if (len < 0) ++ return len; + + audit_log_kern_module(name); + +-- +2.39.5 + diff --git a/queue-6.12/neighbour-add-support-for-nud_permanent-proxy-entrie.patch b/queue-6.12/neighbour-add-support-for-nud_permanent-proxy-entrie.patch new file mode 100644 index 0000000000..05bda363e0 --- /dev/null +++ b/queue-6.12/neighbour-add-support-for-nud_permanent-proxy-entrie.patch @@ -0,0 +1,102 @@ +From 079d56fad2d33c6e02c16bf5f1596b94ff6934a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 16:13:34 +0200 +Subject: neighbour: add support for NUD_PERMANENT proxy entries + +From: Nicolas Escande + +[ Upstream commit c7d78566bbd30544a0618a6ffbc97bc0ddac7035 ] + +As discussesd before in [0] proxy entries (which are more configuration +than runtime data) should stay when the link (carrier) goes does down. +This is what happens for regular neighbour entries. + +So lets fix this by: + - storing in proxy entries the fact that it was added as NUD_PERMANENT + - not removing NUD_PERMANENT proxy entries when the carrier goes down + (same as how it's done in neigh_flush_dev() for regular neigh entries) + +[0]: https://lore.kernel.org/netdev/c584ef7e-6897-01f3-5b80-12b53f7b4bf4@kernel.org/ + +Signed-off-by: Nicolas Escande +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250617141334.3724863-1-nico.escande@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/neighbour.h | 1 + + net/core/neighbour.c | 12 +++++++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/include/net/neighbour.h b/include/net/neighbour.h +index a44f262a7384..cb5f835a5d61 100644 +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -180,6 +180,7 @@ struct pneigh_entry { + netdevice_tracker dev_tracker; + u32 flags; + u8 protocol; ++ bool permanent; + u32 key[]; + }; + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 8082cc6be4fc..96786016dbb4 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -55,7 +55,8 @@ static void __neigh_notify(struct neighbour *n, int type, int flags, + u32 pid); + static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid); + static int pneigh_ifdown_and_unlock(struct neigh_table *tbl, +- struct net_device *dev); ++ struct net_device *dev, ++ bool skip_perm); + + #ifdef CONFIG_PROC_FS + static const struct seq_operations neigh_stat_seq_ops; +@@ -444,7 +445,7 @@ static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev, + { + write_lock_bh(&tbl->lock); + neigh_flush_dev(tbl, dev, skip_perm); +- pneigh_ifdown_and_unlock(tbl, dev); ++ pneigh_ifdown_and_unlock(tbl, dev, skip_perm); + pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL, + tbl->family); + if (skb_queue_empty_lockless(&tbl->proxy_queue)) +@@ -847,7 +848,8 @@ int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey, + } + + static int pneigh_ifdown_and_unlock(struct neigh_table *tbl, +- struct net_device *dev) ++ struct net_device *dev, ++ bool skip_perm) + { + struct pneigh_entry *n, **np, *freelist = NULL; + u32 h; +@@ -855,12 +857,15 @@ static int pneigh_ifdown_and_unlock(struct neigh_table *tbl, + for (h = 0; h <= PNEIGH_HASHMASK; h++) { + np = &tbl->phash_buckets[h]; + while ((n = *np) != NULL) { ++ if (skip_perm && n->permanent) ++ goto skip; + if (!dev || n->dev == dev) { + *np = n->next; + n->next = freelist; + freelist = n; + continue; + } ++skip: + np = &n->next; + } + } +@@ -2041,6 +2046,7 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh, + pn = pneigh_lookup(tbl, net, dst, dev, 1); + if (pn) { + pn->flags = ndm_flags; ++ pn->permanent = !!(ndm->ndm_state & NUD_PERMANENT); + if (protocol) + pn->protocol = protocol; + err = 0; +-- +2.39.5 + diff --git a/queue-6.12/net-ag71xx-add-missing-check-after-dma-map.patch b/queue-6.12/net-ag71xx-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..39c84f94a5 --- /dev/null +++ b/queue-6.12/net-ag71xx-add-missing-check-after-dma-map.patch @@ -0,0 +1,50 @@ +From b327385b6fb4579040e9fce49e09f590d5953aa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:57:25 +0200 +Subject: net: ag71xx: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit 96a1e15e60216b52da0e6da5336b6d7f5b0188b0 ] + +The DMA map functions can fail and should be tested for errors. + +Signed-off-by: Thomas Fourier +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250716095733.37452-3-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/ag71xx.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c +index 9586b6894f7e..bccc7e7b2a84 100644 +--- a/drivers/net/ethernet/atheros/ag71xx.c ++++ b/drivers/net/ethernet/atheros/ag71xx.c +@@ -1213,6 +1213,11 @@ static bool ag71xx_fill_rx_buf(struct ag71xx *ag, struct ag71xx_buf *buf, + buf->rx.rx_buf = data; + buf->rx.dma_addr = dma_map_single(&ag->pdev->dev, data, ag->rx_buf_size, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(&ag->pdev->dev, buf->rx.dma_addr)) { ++ skb_free_frag(data); ++ buf->rx.rx_buf = NULL; ++ return false; ++ } + desc->data = (u32)buf->rx.dma_addr + offset; + return true; + } +@@ -1511,6 +1516,10 @@ static netdev_tx_t ag71xx_hard_start_xmit(struct sk_buff *skb, + + dma_addr = dma_map_single(&ag->pdev->dev, skb->data, skb->len, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&ag->pdev->dev, dma_addr)) { ++ netif_dbg(ag, tx_err, ndev, "DMA mapping error\n"); ++ goto err_drop; ++ } + + i = ring->curr & ring_mask; + desc = ag71xx_ring_desc(ring, i); +-- +2.39.5 + diff --git a/queue-6.12/net-atlantic-add-set_power-to-fw_ops-for-atl2-to-fix.patch b/queue-6.12/net-atlantic-add-set_power-to-fw_ops-for-atl2-to-fix.patch new file mode 100644 index 0000000000..8ca6407b96 --- /dev/null +++ b/queue-6.12/net-atlantic-add-set_power-to-fw_ops-for-atl2-to-fix.patch @@ -0,0 +1,113 @@ +From 92047aa1005608ba85129cdc3338b8cf9fa150b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jun 2025 22:15:28 -0700 +Subject: net: atlantic: add set_power to fw_ops for atl2 to fix wol + +From: Eric Work + +[ Upstream commit fad9cf216597a71936ac87143d1618fbbcf97cbe ] + +Aquantia AQC113(C) using ATL2FW doesn't properly prepare the NIC for +enabling wake-on-lan. The FW operation `set_power` was only implemented +for `hw_atl` and not `hw_atl2`. Implement the `set_power` functionality +for `hw_atl2`. + +Tested with both AQC113 and AQC113C devices. Confirmed you can shutdown +the system and wake from S5 using magic packets. NIC was previously +powered off when entering S5. If the NIC was configured for WOL by the +Windows driver, loading the atlantic driver would disable WOL. + +Partially cherry-picks changes from commit, +https://github.com/Aquantia/AQtion/commit/37bd5cc + +Attributing original authors from Marvell for the referenced commit. + +Closes: https://github.com/Aquantia/AQtion/issues/70 +Co-developed-by: Igor Russkikh +Co-developed-by: Mark Starovoitov +Co-developed-by: Dmitry Bogdanov +Co-developed-by: Pavel Belous +Co-developed-by: Nikita Danilov +Signed-off-by: Eric Work +Reviewed-by: Igor Russkikh +Link: https://patch.msgid.link/20250629051535.5172-1-work.eric@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/aquantia/atlantic/aq_hw.h | 2 + + .../atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 +++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h +index f010bda61c96..2cd0352a11f4 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h +@@ -113,6 +113,8 @@ struct aq_stats_s { + #define AQ_HW_POWER_STATE_D0 0U + #define AQ_HW_POWER_STATE_D3 3U + ++#define AQ_FW_WAKE_ON_LINK_RTPM BIT(10) ++ + #define AQ_HW_FLAG_STARTED 0x00000004U + #define AQ_HW_FLAG_STOPPING 0x00000008U + #define AQ_HW_FLAG_RESETTING 0x00000010U +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c +index 52e2070a4a2f..7370e3f76b62 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c +@@ -462,6 +462,44 @@ static int aq_a2_fw_get_mac_temp(struct aq_hw_s *self, int *temp) + return aq_a2_fw_get_phy_temp(self, temp); + } + ++static int aq_a2_fw_set_wol_params(struct aq_hw_s *self, const u8 *mac, u32 wol) ++{ ++ struct mac_address_aligned_s mac_address; ++ struct link_control_s link_control; ++ struct wake_on_lan_s wake_on_lan; ++ ++ memcpy(mac_address.aligned.mac_address, mac, ETH_ALEN); ++ hw_atl2_shared_buffer_write(self, mac_address, mac_address); ++ ++ memset(&wake_on_lan, 0, sizeof(wake_on_lan)); ++ ++ if (wol & WAKE_MAGIC) ++ wake_on_lan.wake_on_magic_packet = 1U; ++ ++ if (wol & (WAKE_PHY | AQ_FW_WAKE_ON_LINK_RTPM)) ++ wake_on_lan.wake_on_link_up = 1U; ++ ++ hw_atl2_shared_buffer_write(self, sleep_proxy, wake_on_lan); ++ ++ hw_atl2_shared_buffer_get(self, link_control, link_control); ++ link_control.mode = AQ_HOST_MODE_SLEEP_PROXY; ++ hw_atl2_shared_buffer_write(self, link_control, link_control); ++ ++ return hw_atl2_shared_buffer_finish_ack(self); ++} ++ ++static int aq_a2_fw_set_power(struct aq_hw_s *self, unsigned int power_state, ++ const u8 *mac) ++{ ++ u32 wol = self->aq_nic_cfg->wol; ++ int err = 0; ++ ++ if (wol) ++ err = aq_a2_fw_set_wol_params(self, mac, wol); ++ ++ return err; ++} ++ + static int aq_a2_fw_set_eee_rate(struct aq_hw_s *self, u32 speed) + { + struct link_options_s link_options; +@@ -605,6 +643,7 @@ const struct aq_fw_ops aq_a2_fw_ops = { + .set_state = aq_a2_fw_set_state, + .update_link_status = aq_a2_fw_update_link_status, + .update_stats = aq_a2_fw_update_stats, ++ .set_power = aq_a2_fw_set_power, + .get_mac_temp = aq_a2_fw_get_mac_temp, + .get_phy_temp = aq_a2_fw_get_phy_temp, + .set_eee_rate = aq_a2_fw_set_eee_rate, +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-b53-ensure-bcm5325-phys-are-enabled.patch b/queue-6.12/net-dsa-b53-ensure-bcm5325-phys-are-enabled.patch new file mode 100644 index 0000000000..ab743d1081 --- /dev/null +++ b/queue-6.12/net-dsa-b53-ensure-bcm5325-phys-are-enabled.patch @@ -0,0 +1,71 @@ +From dc802f84d8d6172228bfdc61a9d83c9ecb45e495 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 10:00:00 +0200 +Subject: net: dsa: b53: ensure BCM5325 PHYs are enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 966a83df36c6f27476ac3501771422e7852098bc ] + +According to the datasheet, BCM5325 uses B53_PD_MODE_CTRL_25 register to +disable clocking to individual PHYs. +Only ports 1-4 can be enabled or disabled and the datasheet is explicit +about not toggling BIT(0) since it disables the PLL power and the switch. + +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250614080000.1884236-15-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 13 +++++++++++++ + drivers/net/dsa/b53/b53_regs.h | 5 ++++- + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 71c30a81c36d..eacd7c325530 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -613,6 +613,19 @@ int b53_setup_port(struct dsa_switch *ds, int port) + if (dsa_is_user_port(ds, port)) + b53_set_eap_mode(dev, port, EAP_MODE_SIMPLIFIED); + ++ if (is5325(dev) && ++ in_range(port, 1, 4)) { ++ u8 reg; ++ ++ b53_read8(dev, B53_CTRL_PAGE, B53_PD_MODE_CTRL_25, ®); ++ reg &= ~PD_MODE_POWER_DOWN_PORT(0); ++ if (dsa_is_unused_port(ds, port)) ++ reg |= PD_MODE_POWER_DOWN_PORT(port); ++ else ++ reg &= ~PD_MODE_POWER_DOWN_PORT(port); ++ b53_write8(dev, B53_CTRL_PAGE, B53_PD_MODE_CTRL_25, reg); ++ } ++ + return 0; + } + EXPORT_SYMBOL(b53_setup_port); +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index 5f7a0e5c5709..d8900aa433e5 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -101,8 +101,11 @@ + #define PORT_OVERRIDE_SPEED_2000M BIT(6) /* BCM5301X only, requires setting 1000M */ + #define PORT_OVERRIDE_EN BIT(7) /* Use the register contents */ + +-/* Power-down mode control */ ++/* Power-down mode control (8 bit) */ + #define B53_PD_MODE_CTRL_25 0x0f ++#define PD_MODE_PORT_MASK 0x1f ++/* Bit 0 also powers down the switch. */ ++#define PD_MODE_POWER_DOWN_PORT(i) BIT(i) + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch b/queue-6.12/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch new file mode 100644 index 0000000000..f2accf27a2 --- /dev/null +++ b/queue-6.12/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch @@ -0,0 +1,42 @@ +From 625621727a20c3968d75c283f5a6ba576c377852 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:59 +0200 +Subject: net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit c00df1018791185ea398f78af415a2a0aaa0c79c ] + +CPU port should be B53_CPU_PORT instead of B53_CPU_PORT_25 for +B53_PVLAN_PORT_MASK register. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-14-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index eacd7c325530..fef265521e8a 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -527,6 +527,10 @@ void b53_imp_vlan_setup(struct dsa_switch *ds, int cpu_port) + unsigned int i; + u16 pvlan; + ++ /* BCM5325 CPU port is at 8 */ ++ if ((is5325(dev) || is5365(dev)) && cpu_port == B53_CPU_PORT_25) ++ cpu_port = B53_CPU_PORT; ++ + /* Enable the IMP port to be in the same VLAN as the other ports + * on a per-port basis such that we only have Port i and IMP in + * the same VLAN. +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch b/queue-6.12/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch new file mode 100644 index 0000000000..92cc42a3b5 --- /dev/null +++ b/queue-6.12/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch @@ -0,0 +1,69 @@ +From fba390760cd59bef53e0e1f55f087c6d26fff10c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:54 +0200 +Subject: net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 044d5ce2788b165798bfd173548e61bf7b6baf4d ] + +BCM5325 doesn't implement B53_UC_FWD_EN, B53_MC_FWD_EN or B53_IPMC_FWD_EN. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-9-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 18 +++++++++++------- + drivers/net/dsa/b53/b53_regs.h | 1 + + 2 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index aacdfc64d3b6..844cf2b8f727 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -364,14 +364,18 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt); + mgmt |= B53_MII_DUMB_FWDG_EN; + b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt); +- } + +- /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether +- * frames should be flooded or not. +- */ +- b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; +- b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); ++ /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether ++ * frames should be flooded or not. ++ */ ++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); ++ } else { ++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); ++ mgmt |= B53_IP_MCAST_25; ++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); ++ } + } + + static void b53_enable_vlan(struct b53_device *dev, int port, bool enable, +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index 719c2ac94a4f..5741231e0841 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -110,6 +110,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 ++#define B53_IP_MCAST_25 BIT(0) + #define B53_IPMC_FWD_EN BIT(1) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-b53-prevent-dis_learning-access-on-bcm5325.patch b/queue-6.12/net-dsa-b53-prevent-dis_learning-access-on-bcm5325.patch new file mode 100644 index 0000000000..e4d2349791 --- /dev/null +++ b/queue-6.12/net-dsa-b53-prevent-dis_learning-access-on-bcm5325.patch @@ -0,0 +1,56 @@ +From 34a594ecb0d94324b795864f6ea94906cfbb592f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:55 +0200 +Subject: net: dsa: b53: prevent DIS_LEARNING access on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 800728abd9f83bda4de62a30ce62a8b41c242020 ] + +BCM5325 doesn't implement DIS_LEARNING register so we should avoid reading +or writing it. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-10-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 0085adecaf2d..1ee2e5e9a5b2 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -581,6 +581,9 @@ static void b53_port_set_learning(struct b53_device *dev, int port, + { + u16 reg; + ++ if (is5325(dev)) ++ return; ++ + b53_read16(dev, B53_CTRL_PAGE, B53_DIS_LEARNING, ®); + if (learning) + reg &= ~BIT(port); +@@ -2197,7 +2200,13 @@ int b53_br_flags_pre(struct dsa_switch *ds, int port, + struct switchdev_brport_flags flags, + struct netlink_ext_ack *extack) + { +- if (flags.mask & ~(BR_FLOOD | BR_MCAST_FLOOD | BR_LEARNING)) ++ struct b53_device *dev = ds->priv; ++ unsigned long mask = (BR_FLOOD | BR_MCAST_FLOOD); ++ ++ if (!is5325(dev)) ++ mask |= BR_LEARNING; ++ ++ if (flags.mask & ~mask) + return -EINVAL; + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch b/queue-6.12/net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch new file mode 100644 index 0000000000..46186cb335 --- /dev/null +++ b/queue-6.12/net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch @@ -0,0 +1,88 @@ +From c93e9fc91ff0b6fbd7bc8fccf62de03495432d2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:57 +0200 +Subject: net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 37883bbc45a8555d6eca88d3a9730504d2dac86c ] + +BCM5325 doesn't implement GMII_PORT_OVERRIDE_CTRL register so we should +avoid reading or writing it. +PORT_OVERRIDE_RX_FLOW and PORT_OVERRIDE_TX_FLOW aren't defined on BCM5325 +and we should use PORT_OVERRIDE_LP_FLOW_25 instead. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-12-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 21 +++++++++++++++++---- + drivers/net/dsa/b53/b53_regs.h | 1 + + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index fef265521e8a..0085adecaf2d 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1269,6 +1269,8 @@ static void b53_force_link(struct b53_device *dev, int port, int link) + if (port == dev->imp_port) { + off = B53_PORT_OVERRIDE_CTRL; + val = PORT_OVERRIDE_EN; ++ } else if (is5325(dev)) { ++ return; + } else { + off = B53_GMII_PORT_OVERRIDE_CTRL(port); + val = GMII_PO_EN; +@@ -1293,6 +1295,8 @@ static void b53_force_port_config(struct b53_device *dev, int port, + if (port == dev->imp_port) { + off = B53_PORT_OVERRIDE_CTRL; + val = PORT_OVERRIDE_EN; ++ } else if (is5325(dev)) { ++ return; + } else { + off = B53_GMII_PORT_OVERRIDE_CTRL(port); + val = GMII_PO_EN; +@@ -1323,10 +1327,19 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + +- if (rx_pause) +- reg |= PORT_OVERRIDE_RX_FLOW; +- if (tx_pause) +- reg |= PORT_OVERRIDE_TX_FLOW; ++ if (rx_pause) { ++ if (is5325(dev)) ++ reg |= PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg |= PORT_OVERRIDE_RX_FLOW; ++ } ++ ++ if (tx_pause) { ++ if (is5325(dev)) ++ reg |= PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg |= PORT_OVERRIDE_TX_FLOW; ++ } + + b53_write8(dev, B53_CTRL_PAGE, off, reg); + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index d8900aa433e5..719c2ac94a4f 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -95,6 +95,7 @@ + #define PORT_OVERRIDE_SPEED_10M (0 << PORT_OVERRIDE_SPEED_S) + #define PORT_OVERRIDE_SPEED_100M (1 << PORT_OVERRIDE_SPEED_S) + #define PORT_OVERRIDE_SPEED_1000M (2 << PORT_OVERRIDE_SPEED_S) ++#define PORT_OVERRIDE_LP_FLOW_25 BIT(3) /* BCM5325 only */ + #define PORT_OVERRIDE_RV_MII_25 BIT(4) /* BCM5325 only */ + #define PORT_OVERRIDE_RX_FLOW BIT(4) + #define PORT_OVERRIDE_TX_FLOW BIT(5) +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch b/queue-6.12/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch new file mode 100644 index 0000000000..d3f89d572d --- /dev/null +++ b/queue-6.12/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch @@ -0,0 +1,49 @@ +From be987faa664a59b28d5d95cd25b734f6114dd268 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:53 +0200 +Subject: net: dsa: b53: prevent SWITCH_CTRL access on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 22ccaaca43440e90a3b68d2183045b42247dc4be ] + +BCM5325 doesn't implement SWITCH_CTRL register so we should avoid reading +or writing it. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-8-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 1ee2e5e9a5b2..aacdfc64d3b6 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -359,11 +359,12 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + + b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_MODE, mgmt); + +- /* Include IMP port in dumb forwarding mode +- */ +- b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt); +- mgmt |= B53_MII_DUMB_FWDG_EN; +- b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt); ++ if (!is5325(dev)) { ++ /* Include IMP port in dumb forwarding mode */ ++ b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt); ++ mgmt |= B53_MII_DUMB_FWDG_EN; ++ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt); ++ } + + /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether + * frames should be flooded or not. +-- +2.39.5 + diff --git a/queue-6.12/net-fec-allow-disable-coalescing.patch b/queue-6.12/net-fec-allow-disable-coalescing.patch new file mode 100644 index 0000000000..093a2489ce --- /dev/null +++ b/queue-6.12/net-fec-allow-disable-coalescing.patch @@ -0,0 +1,80 @@ +From 72b1190c4301b924007fc92c94d47c16d597b298 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 15:44:02 +0200 +Subject: net: fec: allow disable coalescing + +From: Jonas Rebmann + +[ Upstream commit b7ad21258f9e9a7f58b19595d5ceed2cde3bed68 ] + +In the current implementation, IP coalescing is always enabled and +cannot be disabled. + +As setting maximum frames to 0 or 1, or setting delay to zero implies +immediate delivery of single packets/IRQs, disable coalescing in +hardware in these cases. + +This also guarantees that coalescing is never enabled with ICFT or ICTT +set to zero, a configuration that could lead to unpredictable behaviour +according to i.MX8MP reference manual. + +Signed-off-by: Jonas Rebmann +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20250626-fec_deactivate_coalescing-v2-1-0b217f2e80da@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 34 +++++++++++------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 479ced24096b..a1cc338cf20f 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -3122,27 +3122,25 @@ static int fec_enet_us_to_itr_clock(struct net_device *ndev, int us) + static void fec_enet_itr_coal_set(struct net_device *ndev) + { + struct fec_enet_private *fep = netdev_priv(ndev); +- int rx_itr, tx_itr; ++ u32 rx_itr = 0, tx_itr = 0; ++ int rx_ictt, tx_ictt; + +- /* Must be greater than zero to avoid unpredictable behavior */ +- if (!fep->rx_time_itr || !fep->rx_pkts_itr || +- !fep->tx_time_itr || !fep->tx_pkts_itr) +- return; +- +- /* Select enet system clock as Interrupt Coalescing +- * timer Clock Source +- */ +- rx_itr = FEC_ITR_CLK_SEL; +- tx_itr = FEC_ITR_CLK_SEL; ++ rx_ictt = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr); ++ tx_ictt = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr); + +- /* set ICFT and ICTT */ +- rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr); +- rx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr)); +- tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr); +- tx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr)); ++ if (rx_ictt > 0 && fep->rx_pkts_itr > 1) { ++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */ ++ rx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL; ++ rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr); ++ rx_itr |= FEC_ITR_ICTT(rx_ictt); ++ } + +- rx_itr |= FEC_ITR_EN; +- tx_itr |= FEC_ITR_EN; ++ if (tx_ictt > 0 && fep->tx_pkts_itr > 1) { ++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */ ++ tx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL; ++ tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr); ++ tx_itr |= FEC_ITR_ICTT(tx_ictt); ++ } + + writel(tx_itr, fep->hwp + FEC_TXIC0); + writel(rx_itr, fep->hwp + FEC_RXIC0); +-- +2.39.5 + diff --git a/queue-6.12/net-ieee8021q-fix-insufficient-table-size-assertion.patch b/queue-6.12/net-ieee8021q-fix-insufficient-table-size-assertion.patch new file mode 100644 index 0000000000..7797b87c59 --- /dev/null +++ b/queue-6.12/net-ieee8021q-fix-insufficient-table-size-assertion.patch @@ -0,0 +1,101 @@ +From ae881fe01f7223ee57970a1b0434af567441aa06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 22:59:07 +0200 +Subject: net: ieee8021q: fix insufficient table-size assertion + +From: RubenKelevra + +[ Upstream commit 21deb2d966920f0d4dd098ca6c3a55efbc0b2f23 ] + +_Static_assert(ARRAY_SIZE(map) != IEEE8021Q_TT_MAX - 1) rejects only a +length of 7 and allows any other mismatch. Replace it with a strict +equality test via a helper macro so that every mapping table must have +exactly IEEE8021Q_TT_MAX (8) entries. + +Signed-off-by: RubenKelevra +Link: https://patch.msgid.link/20250626205907.1566384-1-rubenkelevra@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/ieee8021q_helpers.c | 44 +++++++++++------------------------- + 1 file changed, 13 insertions(+), 31 deletions(-) + +diff --git a/net/core/ieee8021q_helpers.c b/net/core/ieee8021q_helpers.c +index 759a9b9f3f89..669b357b73b2 100644 +--- a/net/core/ieee8021q_helpers.c ++++ b/net/core/ieee8021q_helpers.c +@@ -7,6 +7,11 @@ + #include + #include + ++/* verify that table covers all 8 traffic types */ ++#define TT_MAP_SIZE_OK(tbl) \ ++ compiletime_assert(ARRAY_SIZE(tbl) == IEEE8021Q_TT_MAX, \ ++ #tbl " size mismatch") ++ + /* The following arrays map Traffic Types (TT) to traffic classes (TC) for + * different number of queues as shown in the example provided by + * IEEE 802.1Q-2022 in Annex I "I.3 Traffic type to traffic class mapping" and +@@ -101,51 +106,28 @@ int ieee8021q_tt_to_tc(enum ieee8021q_traffic_type tt, unsigned int num_queues) + + switch (num_queues) { + case 8: +- compiletime_assert(ARRAY_SIZE(ieee8021q_8queue_tt_tc_map) != +- IEEE8021Q_TT_MAX - 1, +- "ieee8021q_8queue_tt_tc_map != max - 1"); ++ TT_MAP_SIZE_OK(ieee8021q_8queue_tt_tc_map); + return ieee8021q_8queue_tt_tc_map[tt]; + case 7: +- compiletime_assert(ARRAY_SIZE(ieee8021q_7queue_tt_tc_map) != +- IEEE8021Q_TT_MAX - 1, +- "ieee8021q_7queue_tt_tc_map != max - 1"); +- ++ TT_MAP_SIZE_OK(ieee8021q_7queue_tt_tc_map); + return ieee8021q_7queue_tt_tc_map[tt]; + case 6: +- compiletime_assert(ARRAY_SIZE(ieee8021q_6queue_tt_tc_map) != +- IEEE8021Q_TT_MAX - 1, +- "ieee8021q_6queue_tt_tc_map != max - 1"); +- ++ TT_MAP_SIZE_OK(ieee8021q_6queue_tt_tc_map); + return ieee8021q_6queue_tt_tc_map[tt]; + case 5: +- compiletime_assert(ARRAY_SIZE(ieee8021q_5queue_tt_tc_map) != +- IEEE8021Q_TT_MAX - 1, +- "ieee8021q_5queue_tt_tc_map != max - 1"); +- ++ TT_MAP_SIZE_OK(ieee8021q_5queue_tt_tc_map); + return ieee8021q_5queue_tt_tc_map[tt]; + case 4: +- compiletime_assert(ARRAY_SIZE(ieee8021q_4queue_tt_tc_map) != +- IEEE8021Q_TT_MAX - 1, +- "ieee8021q_4queue_tt_tc_map != max - 1"); +- ++ TT_MAP_SIZE_OK(ieee8021q_4queue_tt_tc_map); + return ieee8021q_4queue_tt_tc_map[tt]; + case 3: +- compiletime_assert(ARRAY_SIZE(ieee8021q_3queue_tt_tc_map) != +- IEEE8021Q_TT_MAX - 1, +- "ieee8021q_3queue_tt_tc_map != max - 1"); +- ++ TT_MAP_SIZE_OK(ieee8021q_3queue_tt_tc_map); + return ieee8021q_3queue_tt_tc_map[tt]; + case 2: +- compiletime_assert(ARRAY_SIZE(ieee8021q_2queue_tt_tc_map) != +- IEEE8021Q_TT_MAX - 1, +- "ieee8021q_2queue_tt_tc_map != max - 1"); +- ++ TT_MAP_SIZE_OK(ieee8021q_2queue_tt_tc_map); + return ieee8021q_2queue_tt_tc_map[tt]; + case 1: +- compiletime_assert(ARRAY_SIZE(ieee8021q_1queue_tt_tc_map) != +- IEEE8021Q_TT_MAX - 1, +- "ieee8021q_1queue_tt_tc_map != max - 1"); +- ++ TT_MAP_SIZE_OK(ieee8021q_1queue_tt_tc_map); + return ieee8021q_1queue_tt_tc_map[tt]; + } + +-- +2.39.5 + diff --git a/queue-6.12/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch b/queue-6.12/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch new file mode 100644 index 0000000000..534b675302 --- /dev/null +++ b/queue-6.12/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch @@ -0,0 +1,51 @@ +From 5182452b15df601d48aa47f3af9bdaa8037a67ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:27:13 +0200 +Subject: net: ipv4: fix incorrect MTU in broadcast routes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oscar Maes + +[ Upstream commit 9e30ecf23b1b8f091f7d08b27968dea83aae7908 ] + +Currently, __mkroute_output overrules the MTU value configured for +broadcast routes. + +This buggy behaviour can be reproduced with: + +ip link set dev eth1 mtu 9000 +ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 +ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500 + +The maximum packet size should be 1500, but it is actually 8000: + +ping -b 192.168.0.255 -s 8000 + +Fix __mkroute_output to allow MTU values to be configured for +for broadcast routes (to support a mixed-MTU local-area-network). + +Signed-off-by: Oscar Maes +Link: https://patch.msgid.link/20250710142714.12986-1-oscmaes92@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 73d555593f5c..9a5c9497b393 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2545,7 +2545,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res, + do_cache = true; + if (type == RTN_BROADCAST) { + flags |= RTCF_BROADCAST | RTCF_LOCAL; +- fi = NULL; + } else if (type == RTN_MULTICAST) { + flags |= RTCF_MULTICAST | RTCF_LOCAL; + if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr, +-- +2.39.5 + diff --git a/queue-6.12/net-mctp-prevent-duplicate-binds.patch b/queue-6.12/net-mctp-prevent-duplicate-binds.patch new file mode 100644 index 0000000000..5214996a65 --- /dev/null +++ b/queue-6.12/net-mctp-prevent-duplicate-binds.patch @@ -0,0 +1,79 @@ +From c513f6ff3aa15696c36b20b64e4c322113189d66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:55:55 +0800 +Subject: net: mctp: Prevent duplicate binds + +From: Matt Johnston + +[ Upstream commit 3954502377ec05a1b37e2dc9bef0bacd4bbd71b2 ] + +Disallow bind() calls that have the same arguments as existing bound +sockets. Previously multiple sockets could bind() to the same +type/local address, with an arbitrary socket receiving matched messages. + +This is only a partial fix, a future commit will define precedence order +for MCTP_ADDR_ANY versus specific EID bind(), which are allowed to exist +together. + +Signed-off-by: Matt Johnston +Link: https://patch.msgid.link/20250710-mctp-bind-v4-2-8ec2f6460c56@codeconstruct.com.au +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/mctp/af_mctp.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c +index 57850d4dac5d..70aeebfc4182 100644 +--- a/net/mctp/af_mctp.c ++++ b/net/mctp/af_mctp.c +@@ -73,7 +73,6 @@ static int mctp_bind(struct socket *sock, struct sockaddr *addr, int addrlen) + + lock_sock(sk); + +- /* TODO: allow rebind */ + if (sk_hashed(sk)) { + rc = -EADDRINUSE; + goto out_release; +@@ -629,15 +628,36 @@ static void mctp_sk_close(struct sock *sk, long timeout) + static int mctp_sk_hash(struct sock *sk) + { + struct net *net = sock_net(sk); ++ struct sock *existing; ++ struct mctp_sock *msk; ++ int rc; ++ ++ msk = container_of(sk, struct mctp_sock, sk); + + /* Bind lookup runs under RCU, remain live during that. */ + sock_set_flag(sk, SOCK_RCU_FREE); + + mutex_lock(&net->mctp.bind_lock); ++ ++ /* Prevent duplicate binds. */ ++ sk_for_each(existing, &net->mctp.binds) { ++ struct mctp_sock *mex = ++ container_of(existing, struct mctp_sock, sk); ++ ++ if (mex->bind_type == msk->bind_type && ++ mex->bind_addr == msk->bind_addr && ++ mex->bind_net == msk->bind_net) { ++ rc = -EADDRINUSE; ++ goto out; ++ } ++ } ++ + sk_add_node_rcu(sk, &net->mctp.binds); +- mutex_unlock(&net->mctp.bind_lock); ++ rc = 0; + +- return 0; ++out: ++ mutex_unlock(&net->mctp.bind_lock); ++ return rc; + } + + static void mctp_sk_unhash(struct sock *sk) +-- +2.39.5 + diff --git a/queue-6.12/net-mlx5e-properly-access-rcu-protected-qdisc_sleepi.patch b/queue-6.12/net-mlx5e-properly-access-rcu-protected-qdisc_sleepi.patch new file mode 100644 index 0000000000..925be6367c --- /dev/null +++ b/queue-6.12/net-mlx5e-properly-access-rcu-protected-qdisc_sleepi.patch @@ -0,0 +1,47 @@ +From ead5fa6038d9a48ec11edee873bb02ba33bc80fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 17:17:49 +0300 +Subject: net/mlx5e: Properly access RCU protected qdisc_sleeping variable + +From: Leon Romanovsky + +[ Upstream commit 2a601b2d35623065d31ebaf697b07502d54878c9 ] + +qdisc_sleeping variable is declared as "struct Qdisc __rcu" and +as such needs proper annotation while accessing it. + +Without rtnl_dereference(), the following error is generated by sparse: + +drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: warning: + incorrect type in initializer (different address spaces) +drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: expected + struct Qdisc *qdisc +drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: got struct + Qdisc [noderef] __rcu *qdisc_sleeping + +Signed-off-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Reviewed-by: Michal Swiatkowski +Link: https://patch.msgid.link/1752675472-201445-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c +index f0744a45db92..4e461cb03b83 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c +@@ -374,7 +374,7 @@ void mlx5e_reactivate_qos_sq(struct mlx5e_priv *priv, u16 qid, struct netdev_que + void mlx5e_reset_qdisc(struct net_device *dev, u16 qid) + { + struct netdev_queue *dev_queue = netdev_get_tx_queue(dev, qid); +- struct Qdisc *qdisc = dev_queue->qdisc_sleeping; ++ struct Qdisc *qdisc = rtnl_dereference(dev_queue->qdisc_sleeping); + + if (!qdisc) + return; +-- +2.39.5 + diff --git a/queue-6.12/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch b/queue-6.12/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch new file mode 100644 index 0000000000..856ad1b6fe --- /dev/null +++ b/queue-6.12/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch @@ -0,0 +1,52 @@ +From fd1327058214b7443f27d21b6ff436c608068b7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 12:33:38 -0700 +Subject: net: ncsi: Fix buffer overflow in fetching version id + +From: Hari Kalavakunta + +[ Upstream commit 8e16170ae972c7fed132bc928914a2ffb94690fc ] + +In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't +need to be null terminated while its size occupies the full size +of the field. Fix the buffer overflow issue by adding one +additional byte for null terminator. + +Signed-off-by: Hari Kalavakunta +Reviewed-by: Paul Fertser +Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 2 +- + net/ncsi/ncsi-rsp.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index 2c260f33b55c..ad1f671ffc37 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -110,7 +110,7 @@ struct ncsi_channel_version { + u8 update; /* NCSI version update */ + char alpha1; /* NCSI version alpha1 */ + char alpha2; /* NCSI version alpha2 */ +- u8 fw_name[12]; /* Firmware name string */ ++ u8 fw_name[12 + 1]; /* Firmware name string */ + u32 fw_version; /* Firmware version */ + u16 pci_ids[4]; /* PCI identification */ + u32 mf_id; /* Manufacture ID */ +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index 8668888c5a2f..d5ed80731e89 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr) + ncv->alpha1 = rsp->alpha1; + ncv->alpha2 = rsp->alpha2; + memcpy(ncv->fw_name, rsp->fw_name, 12); ++ ncv->fw_name[12] = '\0'; + ncv->fw_version = ntohl(rsp->fw_version); + for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++) + ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]); +-- +2.39.5 + diff --git a/queue-6.12/net-pcs-xpcs-mask-readl-return-value-to-16-bits.patch b/queue-6.12/net-pcs-xpcs-mask-readl-return-value-to-16-bits.patch new file mode 100644 index 0000000000..6fb322cd39 --- /dev/null +++ b/queue-6.12/net-pcs-xpcs-mask-readl-return-value-to-16-bits.patch @@ -0,0 +1,46 @@ +From 28e39df59780cacde036d4981a10f0aa2fc70457 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:03:49 +0800 +Subject: net: pcs: xpcs: mask readl() return value to 16 bits + +From: Jack Ping CHNG + +[ Upstream commit 2b0ba7b5b010455c4e43ab557860f8b1089e7424 ] + +readl() returns 32-bit value but Clause 22/45 registers are 16-bit wide. +Masking with 0xFFFF avoids using garbage upper bits. + +Signed-off-by: Jack Ping CHNG +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20250716030349.3796806-1-jchng@maxlinear.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/pcs/pcs-xpcs-plat.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/pcs/pcs-xpcs-plat.c b/drivers/net/pcs/pcs-xpcs-plat.c +index 629315f1e57c..9dcaf7a66113 100644 +--- a/drivers/net/pcs/pcs-xpcs-plat.c ++++ b/drivers/net/pcs/pcs-xpcs-plat.c +@@ -66,7 +66,7 @@ static int xpcs_mmio_read_reg_indirect(struct dw_xpcs_plat *pxpcs, + switch (pxpcs->reg_width) { + case 4: + writel(page, pxpcs->reg_base + (DW_VR_CSR_VIEWPORT << 2)); +- ret = readl(pxpcs->reg_base + (ofs << 2)); ++ ret = readl(pxpcs->reg_base + (ofs << 2)) & 0xffff; + break; + default: + writew(page, pxpcs->reg_base + (DW_VR_CSR_VIEWPORT << 1)); +@@ -124,7 +124,7 @@ static int xpcs_mmio_read_reg_direct(struct dw_xpcs_plat *pxpcs, + + switch (pxpcs->reg_width) { + case 4: +- ret = readl(pxpcs->reg_base + (csr << 2)); ++ ret = readl(pxpcs->reg_base + (csr << 2)) & 0xffff; + break; + default: + ret = readw(pxpcs->reg_base + (csr << 1)); +-- +2.39.5 + diff --git a/queue-6.12/net-phy-bcm54811-phy-initialization.patch b/queue-6.12/net-phy-bcm54811-phy-initialization.patch new file mode 100644 index 0000000000..30cf5568da --- /dev/null +++ b/queue-6.12/net-phy-bcm54811-phy-initialization.patch @@ -0,0 +1,80 @@ +From 00c22c35b77ab8d2da90955b0fd8d9514da2763b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 11:01:40 +0200 +Subject: net: phy: bcm54811: PHY initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kamil Horák - 2N + +[ Upstream commit 3117a11fff5af9e74f4946f07cb3ca083cbbdf4b ] + +Reset the bit 12 in PHY's LRE Control register upon initialization. +According to the datasheet, this bit must be written to zero after +every device reset. + +Signed-off-by: Kamil Horák - 2N +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250708090140.61355-5-kamilh@axis.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index d2a9cf3fde5a..9260c822e467 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -655,7 +655,7 @@ static int bcm5481x_read_abilities(struct phy_device *phydev) + { + struct device_node *np = phydev->mdio.dev.of_node; + struct bcm54xx_phy_priv *priv = phydev->priv; +- int i, val, err; ++ int i, val, err, aneg; + + for (i = 0; i < ARRAY_SIZE(bcm54811_linkmodes); i++) + linkmode_clear_bit(bcm54811_linkmodes[i], phydev->supported); +@@ -676,9 +676,19 @@ static int bcm5481x_read_abilities(struct phy_device *phydev) + if (val < 0) + return val; + ++ /* BCM54811 is not capable of LDS but the corresponding bit ++ * in LRESR is set to 1 and marked "Ignore" in the datasheet. ++ * So we must read the bcm54811 as unable to auto-negotiate ++ * in BroadR-Reach mode. ++ */ ++ if (BRCM_PHY_MODEL(phydev) == PHY_ID_BCM54811) ++ aneg = 0; ++ else ++ aneg = val & LRESR_LDSABILITY; ++ + linkmode_mod_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, + phydev->supported, +- val & LRESR_LDSABILITY); ++ aneg); + linkmode_mod_bit(ETHTOOL_LINK_MODE_100baseT1_Full_BIT, + phydev->supported, + val & LRESR_100_1PAIR); +@@ -735,8 +745,15 @@ static int bcm54811_config_aneg(struct phy_device *phydev) + + /* Aneg firstly. */ + if (priv->brr_mode) { +- /* BCM54811 is only capable of autonegotiation in IEEE mode */ +- phydev->autoneg = 0; ++ /* BCM54811 is only capable of autonegotiation in IEEE mode. ++ * In BroadR-Reach mode, disable the Long Distance Signaling, ++ * the BRR mode autoneg as supported in other Broadcom PHYs. ++ * This bit is marked as "Reserved" and "Default 1, must be ++ * written to 0 after every device reset" in the datasheet. ++ */ ++ ret = phy_modify(phydev, MII_BCM54XX_LRECR, LRECR_LDSEN, 0); ++ if (ret < 0) ++ return ret; + ret = bcm_config_lre_aneg(phydev, false); + } else { + ret = genphy_config_aneg(phydev); +-- +2.39.5 + diff --git a/queue-6.12/net-phy-micrel-add-ksz9131_resume.patch b/queue-6.12/net-phy-micrel-add-ksz9131_resume.patch new file mode 100644 index 0000000000..546ddcbfcf --- /dev/null +++ b/queue-6.12/net-phy-micrel-add-ksz9131_resume.patch @@ -0,0 +1,56 @@ +From 27e8e3e65f9722bd1c92c7bf5d1e0b5c56767e31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 06:40:21 +0100 +Subject: net: phy: micrel: Add ksz9131_resume() + +From: Biju Das + +[ Upstream commit f25a7eaa897f21396e99f90809af82ca553c9d14 ] + +The Renesas RZ/G3E SMARC EVK uses KSZ9131RNXC phy. On deep power state, +PHY loses the power and on wakeup the rgmii delays are not reconfigured +causing it to fail. + +Replace the callback kszphy_resume()->ksz9131_resume() for reconfiguring +the rgmii_delay when it exits from PM suspend state. + +Signed-off-by: Biju Das +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250711054029.48536-1-biju.das.jz@bp.renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 88a3c18f82ae..92e9eb4146d9 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -5394,6 +5394,14 @@ static int lan8841_suspend(struct phy_device *phydev) + return kszphy_generic_suspend(phydev); + } + ++static int ksz9131_resume(struct phy_device *phydev) ++{ ++ if (phydev->suspended && phy_interface_is_rgmii(phydev)) ++ ksz9131_config_rgmii_delay(phydev); ++ ++ return kszphy_resume(phydev); ++} ++ + static struct phy_driver ksphy_driver[] = { + { + .phy_id = PHY_ID_KS8737, +@@ -5639,7 +5647,7 @@ static struct phy_driver ksphy_driver[] = { + .get_strings = kszphy_get_strings, + .get_stats = kszphy_get_stats, + .suspend = kszphy_suspend, +- .resume = kszphy_resume, ++ .resume = ksz9131_resume, + .cable_test_start = ksz9x31_cable_test_start, + .cable_test_get_status = ksz9x31_cable_test_get_status, + .get_features = ksz9477_get_features, +-- +2.39.5 + diff --git a/queue-6.12/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch b/queue-6.12/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch new file mode 100644 index 0000000000..0c6e8745c6 --- /dev/null +++ b/queue-6.12/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch @@ -0,0 +1,41 @@ +From e2078f4752e1b169570dcba90cf19eb581b0e63d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 17:29:16 +0200 +Subject: net: phy: smsc: add proper reset flags for LAN8710A +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Buday Csaba + +[ Upstream commit 57ec5a8735dc5dccd1ee68afdb1114956a3fce0d ] + +According to the LAN8710A datasheet (Rev. B, section 3.8.5.1), a hardware +reset is required after power-on, and the reference clock (REF_CLK) must be +established before asserting reset. + +Signed-off-by: Buday Csaba +Cc: Csókás Bence +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250728152916.46249-2-csokas.bence@prolan.hu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index 6a43f6d6e85c..de66b621eb99 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -784,6 +784,7 @@ static struct phy_driver smsc_phy_driver[] = { + + /* PHY_BASIC_FEATURES */ + ++ .flags = PHY_RST_AFTER_CLK_EN, + .probe = smsc_phy_probe, + + /* basic functions */ +-- +2.39.5 + diff --git a/queue-6.12/net-thunderbolt-enable-end-to-end-flow-control-also-.patch b/queue-6.12/net-thunderbolt-enable-end-to-end-flow-control-also-.patch new file mode 100644 index 0000000000..a1c492497f --- /dev/null +++ b/queue-6.12/net-thunderbolt-enable-end-to-end-flow-control-also-.patch @@ -0,0 +1,59 @@ +From 22161ade6d4c40ff98b81e8d2f9d1d39e28665aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jun 2025 17:38:13 +0800 +Subject: net: thunderbolt: Enable end-to-end flow control also in transmit + +From: zhangjianrong + +[ Upstream commit a8065af3346ebd7c76ebc113451fb3ba94cf7769 ] + +According to USB4 specification, if E2E flow control is disabled for +the Transmit Descriptor Ring, the Host Interface Adapter Layer shall +not require any credits to be available before transmitting a Tunneled +Packet from this Transmit Descriptor Ring, so e2e flow control should +be enabled in both directions. + +Acked-by: Mika Westerberg +Link: https://lore.kernel.org/20250624153805.GC2824380@black.fi.intel.com +Signed-off-by: zhangjianrong +Link: https://patch.msgid.link/20250628093813.647005-1-zhangjianrong5@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/thunderbolt/main.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/thunderbolt/main.c b/drivers/net/thunderbolt/main.c +index 0a53ec293d04..643cf67840b5 100644 +--- a/drivers/net/thunderbolt/main.c ++++ b/drivers/net/thunderbolt/main.c +@@ -924,8 +924,12 @@ static int tbnet_open(struct net_device *dev) + + netif_carrier_off(dev); + +- ring = tb_ring_alloc_tx(xd->tb->nhi, -1, TBNET_RING_SIZE, +- RING_FLAG_FRAME); ++ flags = RING_FLAG_FRAME; ++ /* Only enable full E2E if the other end supports it too */ ++ if (tbnet_e2e && net->svc->prtcstns & TBNET_E2E) ++ flags |= RING_FLAG_E2E; ++ ++ ring = tb_ring_alloc_tx(xd->tb->nhi, -1, TBNET_RING_SIZE, flags); + if (!ring) { + netdev_err(dev, "failed to allocate Tx ring\n"); + return -ENOMEM; +@@ -944,11 +948,6 @@ static int tbnet_open(struct net_device *dev) + sof_mask = BIT(TBIP_PDF_FRAME_START); + eof_mask = BIT(TBIP_PDF_FRAME_END); + +- flags = RING_FLAG_FRAME; +- /* Only enable full E2E if the other end supports it too */ +- if (tbnet_e2e && net->svc->prtcstns & TBNET_E2E) +- flags |= RING_FLAG_E2E; +- + ring = tb_ring_alloc_rx(xd->tb->nhi, -1, TBNET_RING_SIZE, flags, + net->tx_ring.ring->hop, sof_mask, + eof_mask, tbnet_start_poll, net); +-- +2.39.5 + diff --git a/queue-6.12/net-thunderbolt-fix-the-parameter-passing-of-tb_xdom.patch b/queue-6.12/net-thunderbolt-fix-the-parameter-passing-of-tb_xdom.patch new file mode 100644 index 0000000000..c64d9f396f --- /dev/null +++ b/queue-6.12/net-thunderbolt-fix-the-parameter-passing-of-tb_xdom.patch @@ -0,0 +1,57 @@ +From 1292d2919b439a92bb98438a28b9de091346b023 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jun 2025 17:49:20 +0800 +Subject: net: thunderbolt: Fix the parameter passing of + tb_xdomain_enable_paths()/tb_xdomain_disable_paths() + +From: zhangjianrong + +[ Upstream commit 8ec31cb17cd355cea25cdb8496d9b3fbf1321647 ] + +According to the description of tb_xdomain_enable_paths(), the third +parameter represents the transmit ring and the fifth parameter represents +the receive ring. tb_xdomain_disable_paths() is the same case. + +[Jakub] Mika says: it works now because both rings ->hop is the same + +Acked-by: Mika Westerberg +Link: https://lore.kernel.org/20250625051149.GD2824380@black.fi.intel.com +Signed-off-by: zhangjianrong +Link: https://patch.msgid.link/20250628094920.656658-1-zhangjianrong5@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/thunderbolt/main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/thunderbolt/main.c b/drivers/net/thunderbolt/main.c +index 643cf67840b5..dcaa62377808 100644 +--- a/drivers/net/thunderbolt/main.c ++++ b/drivers/net/thunderbolt/main.c +@@ -396,9 +396,9 @@ static void tbnet_tear_down(struct tbnet *net, bool send_logout) + + ret = tb_xdomain_disable_paths(net->xd, + net->local_transmit_path, +- net->rx_ring.ring->hop, ++ net->tx_ring.ring->hop, + net->remote_transmit_path, +- net->tx_ring.ring->hop); ++ net->rx_ring.ring->hop); + if (ret) + netdev_warn(net->dev, "failed to disable DMA paths\n"); + +@@ -662,9 +662,9 @@ static void tbnet_connected_work(struct work_struct *work) + goto err_free_rx_buffers; + + ret = tb_xdomain_enable_paths(net->xd, net->local_transmit_path, +- net->rx_ring.ring->hop, ++ net->tx_ring.ring->hop, + net->remote_transmit_path, +- net->tx_ring.ring->hop); ++ net->rx_ring.ring->hop); + if (ret) { + netdev_err(net->dev, "failed to enable DMA paths\n"); + goto err_free_tx_buffers; +-- +2.39.5 + diff --git a/queue-6.12/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch b/queue-6.12/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch new file mode 100644 index 0000000000..f3ebd36dbb --- /dev/null +++ b/queue-6.12/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch @@ -0,0 +1,66 @@ +From d375822f82e4b4a7ac6c451ade70863c949670e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 07:05:30 -0700 +Subject: net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alok Tiwari + +[ Upstream commit 53d20606c40678d425cc03f0978c614dca51f25e ] + +The buffer bgx_sel used in snprintf() was too small to safely hold +the formatted string "BGX%d" for all valid bgx_id values. This caused +a -Wformat-truncation warning with `Werror` enabled during build. + +Increase the buffer size from 5 to 7 and use `sizeof(bgx_sel)` in +snprintf() to ensure safety and suppress the warning. + +Build warning: + CC drivers/net/ethernet/cavium/thunder/thunder_bgx.o + drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function +‘bgx_acpi_match_id’: + drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:27: error: ‘%d’ +directive output may be truncated writing between 1 and 3 bytes into a +region of size 2 [-Werror=format-truncation=] + snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); + ^~ + drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:23: note: +directive argument in the range [0, 255] + snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); + ^~~~~~~ + drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:2: note: +‘snprintf’ output between 5 and 7 bytes into a destination of size 5 + snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); + +compiler warning due to insufficient snprintf buffer size. + +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250711140532.2463602-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 608cc6af5af1..aa80c3702232 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1429,9 +1429,9 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl, + { + struct acpi_buffer string = { ACPI_ALLOCATE_BUFFER, NULL }; + struct bgx *bgx = context; +- char bgx_sel[5]; ++ char bgx_sel[7]; + +- snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); ++ snprintf(bgx_sel, sizeof(bgx_sel), "BGX%d", bgx->bgx_id); + if (ACPI_FAILURE(acpi_get_name(handle, ACPI_SINGLE_NAME, &string))) { + pr_warn("Invalid link device\n"); + return AE_OK; +-- +2.39.5 + diff --git a/queue-6.12/net-usb-cdc-ncm-check-for-filtering-capability.patch b/queue-6.12/net-usb-cdc-ncm-check-for-filtering-capability.patch new file mode 100644 index 0000000000..870ffb1ae4 --- /dev/null +++ b/queue-6.12/net-usb-cdc-ncm-check-for-filtering-capability.patch @@ -0,0 +1,103 @@ +From dd2fc5a7cfdee09dabfee5e82c40a729ac28f606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 14:06:17 +0200 +Subject: net: usb: cdc-ncm: check for filtering capability + +From: Oliver Neukum + +[ Upstream commit 61c3e8940f2d8b5bfeaeec4bedc2f3e7d873abb3 ] + +If the decice does not support filtering, filtering +must not be used and all packets delivered for the +upper layers to sort. + +Signed-off-by: Oliver Neukum +Link: https://patch.msgid.link/20250717120649.2090929-1-oneukum@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 20 ++++++++++++++++---- + include/linux/usb/cdc_ncm.h | 1 + + 2 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index d5c47a2a62dc..4abfdfcf0e28 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -893,6 +893,10 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_ + } + } + ++ if (ctx->func_desc) ++ ctx->filtering_supported = !!(ctx->func_desc->bmNetworkCapabilities ++ & USB_CDC_NCM_NCAP_ETH_FILTER); ++ + iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber; + + /* Device-specific flags */ +@@ -1899,6 +1903,14 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) + } + } + ++static void cdc_ncm_update_filter(struct usbnet *dev) ++{ ++ struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0]; ++ ++ if (ctx->filtering_supported) ++ usbnet_cdc_update_filter(dev); ++} ++ + static const struct driver_info cdc_ncm_info = { + .description = "CDC NCM (NO ZLP)", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +@@ -1909,7 +1921,7 @@ static const struct driver_info cdc_ncm_info = { + .status = cdc_ncm_status, + .rx_fixup = cdc_ncm_rx_fixup, + .tx_fixup = cdc_ncm_tx_fixup, +- .set_rx_mode = usbnet_cdc_update_filter, ++ .set_rx_mode = cdc_ncm_update_filter, + }; + + /* Same as cdc_ncm_info, but with FLAG_SEND_ZLP */ +@@ -1923,7 +1935,7 @@ static const struct driver_info cdc_ncm_zlp_info = { + .status = cdc_ncm_status, + .rx_fixup = cdc_ncm_rx_fixup, + .tx_fixup = cdc_ncm_tx_fixup, +- .set_rx_mode = usbnet_cdc_update_filter, ++ .set_rx_mode = cdc_ncm_update_filter, + }; + + /* Same as cdc_ncm_info, but with FLAG_SEND_ZLP */ +@@ -1965,7 +1977,7 @@ static const struct driver_info wwan_info = { + .status = cdc_ncm_status, + .rx_fixup = cdc_ncm_rx_fixup, + .tx_fixup = cdc_ncm_tx_fixup, +- .set_rx_mode = usbnet_cdc_update_filter, ++ .set_rx_mode = cdc_ncm_update_filter, + }; + + /* Same as wwan_info, but with FLAG_NOARP */ +@@ -1979,7 +1991,7 @@ static const struct driver_info wwan_noarp_info = { + .status = cdc_ncm_status, + .rx_fixup = cdc_ncm_rx_fixup, + .tx_fixup = cdc_ncm_tx_fixup, +- .set_rx_mode = usbnet_cdc_update_filter, ++ .set_rx_mode = cdc_ncm_update_filter, + }; + + static const struct usb_device_id cdc_devs[] = { +diff --git a/include/linux/usb/cdc_ncm.h b/include/linux/usb/cdc_ncm.h +index 2d207cb4837d..4ac082a63173 100644 +--- a/include/linux/usb/cdc_ncm.h ++++ b/include/linux/usb/cdc_ncm.h +@@ -119,6 +119,7 @@ struct cdc_ncm_ctx { + u32 timer_interval; + u32 max_ndp_size; + u8 is_ndp16; ++ u8 filtering_supported; + union { + struct usb_cdc_ncm_ndp16 *delayed_ndp16; + struct usb_cdc_ncm_ndp32 *delayed_ndp32; +-- +2.39.5 + diff --git a/queue-6.12/net-vlan-make-is_vlan_dev-a-stub-when-vlan-is-not-co.patch b/queue-6.12/net-vlan-make-is_vlan_dev-a-stub-when-vlan-is-not-co.patch new file mode 100644 index 0000000000..02487ff6c2 --- /dev/null +++ b/queue-6.12/net-vlan-make-is_vlan_dev-a-stub-when-vlan-is-not-co.patch @@ -0,0 +1,77 @@ +From 7cb01be8602e86f18d6639122f31e2b7b3648f95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 16:26:24 +0300 +Subject: net: vlan: Make is_vlan_dev() a stub when VLAN is not configured + +From: Gal Pressman + +[ Upstream commit 2de1ba0887e5d3bf02d7c212f380039b34e10aa3 ] + +Add a stub implementation of is_vlan_dev() that returns false when +VLAN support is not compiled in (CONFIG_VLAN_8021Q=n). + +This allows us to compile-out VLAN-dependent dead code when it is not +needed. + +This also resolves the following compilation error when: +* CONFIG_VLAN_8021Q=n +* CONFIG_OBJTOOL=y +* CONFIG_OBJTOOL_WERROR=y + +drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.o: error: objtool: parse_mirred.isra.0+0x370: mlx5e_tc_act_vlan_add_push_action() missing __noreturn in .c/.h or NORETURN() in noreturns.h + +The error occurs because objtool cannot determine that unreachable BUG() +(which doesn't return) calls in VLAN code paths are actually dead code +when VLAN support is disabled. + +Signed-off-by: Gal Pressman +Link: https://patch.msgid.link/20250616132626.1749331-2-gal@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/if_vlan.h | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index d65b5d71b93b..4354f6ad8887 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -79,11 +79,6 @@ static inline struct vlan_ethhdr *skb_vlan_eth_hdr(const struct sk_buff *skb) + /* found in socket.c */ + extern void vlan_ioctl_set(int (*hook)(struct net *, void __user *)); + +-static inline bool is_vlan_dev(const struct net_device *dev) +-{ +- return dev->priv_flags & IFF_802_1Q_VLAN; +-} +- + #define skb_vlan_tag_present(__skb) (!!(__skb)->vlan_all) + #define skb_vlan_tag_get(__skb) ((__skb)->vlan_tci) + #define skb_vlan_tag_get_id(__skb) ((__skb)->vlan_tci & VLAN_VID_MASK) +@@ -199,6 +194,11 @@ struct vlan_dev_priv { + #endif + }; + ++static inline bool is_vlan_dev(const struct net_device *dev) ++{ ++ return dev->priv_flags & IFF_802_1Q_VLAN; ++} ++ + static inline struct vlan_dev_priv *vlan_dev_priv(const struct net_device *dev) + { + return netdev_priv(dev); +@@ -236,6 +236,11 @@ extern void vlan_vids_del_by_dev(struct net_device *dev, + extern bool vlan_uses_dev(const struct net_device *dev); + + #else ++static inline bool is_vlan_dev(const struct net_device *dev) ++{ ++ return false; ++} ++ + static inline struct net_device * + __vlan_find_dev_deep_rcu(struct net_device *real_dev, + __be16 vlan_proto, u16 vlan_id) +-- +2.39.5 + diff --git a/queue-6.12/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch b/queue-6.12/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch new file mode 100644 index 0000000000..91039b34c8 --- /dev/null +++ b/queue-6.12/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch @@ -0,0 +1,56 @@ +From 9526c9e7d1fe9cbc9a500cef2c01625b2f3d0d9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 16:26:25 +0300 +Subject: net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs + +From: Gal Pressman + +[ Upstream commit 60a8b1a5d0824afda869f18dc0ecfe72f8dfda42 ] + +When CONFIG_VLAN_8021Q=n, a set of stub helpers are used, three of these +helpers use BUG() unconditionally. + +This code should not be reached, as callers of these functions should +always check for is_vlan_dev() first, but the usage of BUG() is not +recommended, replace it with WARN_ON() instead. + +Reviewed-by: Alex Lazar +Reviewed-by: Dragos Tatulea +Signed-off-by: Gal Pressman +Link: https://patch.msgid.link/20250616132626.1749331-3-gal@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/if_vlan.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 4354f6ad8887..9551dba15cc2 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -258,19 +258,19 @@ vlan_for_each(struct net_device *dev, + + static inline struct net_device *vlan_dev_real_dev(const struct net_device *dev) + { +- BUG(); ++ WARN_ON_ONCE(1); + return NULL; + } + + static inline u16 vlan_dev_vlan_id(const struct net_device *dev) + { +- BUG(); ++ WARN_ON_ONCE(1); + return 0; + } + + static inline __be16 vlan_dev_vlan_proto(const struct net_device *dev) + { +- BUG(); ++ WARN_ON_ONCE(1); + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nft_set_pipapo-prefer-kvmalloc-for-scratch.patch b/queue-6.12/netfilter-nft_set_pipapo-prefer-kvmalloc-for-scratch.patch new file mode 100644 index 0000000000..7faf23516a --- /dev/null +++ b/queue-6.12/netfilter-nft_set_pipapo-prefer-kvmalloc-for-scratch.patch @@ -0,0 +1,52 @@ +From 675989e48db7d92642ad999a328f7a6469cecfeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 19:05:16 +0200 +Subject: netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps + +From: Florian Westphal + +[ Upstream commit 897eefee2eb73ec6c119a0ca357d7b4a3e92c5ef ] + +The scratchmap size depends on the number of elements in the set. +For huge sets, each scratch map can easily require very large +allocations, e.g. for 100k entries each scratch map will require +close to 64kbyte of memory. + +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index c5855069bdab..9e4e25f2458f 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1219,7 +1219,7 @@ static void pipapo_free_scratch(const struct nft_pipapo_match *m, unsigned int c + + mem = s; + mem -= s->align_off; +- kfree(mem); ++ kvfree(mem); + } + + /** +@@ -1240,10 +1240,9 @@ static int pipapo_realloc_scratch(struct nft_pipapo_match *clone, + void *scratch_aligned; + u32 align_off; + #endif +- scratch = kzalloc_node(struct_size(scratch, map, +- bsize_max * 2) + +- NFT_PIPAPO_ALIGN_HEADROOM, +- GFP_KERNEL_ACCOUNT, cpu_to_node(i)); ++ scratch = kvzalloc_node(struct_size(scratch, map, bsize_max * 2) + ++ NFT_PIPAPO_ALIGN_HEADROOM, ++ GFP_KERNEL_ACCOUNT, cpu_to_node(i)); + if (!scratch) { + /* On failure, there's no need to undo previous + * allocations: this means that some scratch maps have +-- +2.39.5 + diff --git a/queue-6.12/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch b/queue-6.12/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch new file mode 100644 index 0000000000..52063fae2b --- /dev/null +++ b/queue-6.12/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch @@ -0,0 +1,45 @@ +From 7c63c209f91203daa51c0a196770109a0b22c1cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 17:52:38 +0000 +Subject: netmem: fix skb_frag_address_safe with unreadable skbs + +From: Mina Almasry + +[ Upstream commit 4672aec56d2e8edabcb74c3e2320301d106a377e ] + +skb_frag_address_safe() needs a check that the +skb_frag_page exists check similar to skb_frag_address(). + +Cc: ap420073@gmail.com + +Signed-off-by: Mina Almasry +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20250619175239.3039329-1-almasrymina@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index a726a698aac4..b2827fce5a2d 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3638,7 +3638,13 @@ static inline void *skb_frag_address(const skb_frag_t *frag) + */ + static inline void *skb_frag_address_safe(const skb_frag_t *frag) + { +- void *ptr = page_address(skb_frag_page(frag)); ++ struct page *page = skb_frag_page(frag); ++ void *ptr; ++ ++ if (!page) ++ return NULL; ++ ++ ptr = page_address(page); + if (unlikely(!ptr)) + return NULL; + +-- +2.39.5 + diff --git a/queue-6.12/nvme-pci-try-function-level-reset-on-init-failure.patch b/queue-6.12/nvme-pci-try-function-level-reset-on-init-failure.patch new file mode 100644 index 0000000000..a34ef0c3b9 --- /dev/null +++ b/queue-6.12/nvme-pci-try-function-level-reset-on-init-failure.patch @@ -0,0 +1,67 @@ +From 204146cfdfb73612b527b15670bbee612a2e9615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 12:16:27 -0700 +Subject: nvme-pci: try function level reset on init failure + +From: Keith Busch + +[ Upstream commit 5b2c214a95942f7997d1916a4c44017becbc3cac ] + +NVMe devices from multiple vendors appear to get stuck in a reset state +that we can't get out of with an NVMe level Controller Reset. The kernel +would report these with messages that look like: + + Device not ready; aborting reset, CSTS=0x1 + +These have historically required a power cycle to make them usable +again, but in many cases, a PCIe FLR is sufficient to restart operation +without a power cycle. Try it if the initial controller reset fails +during any nvme reset attempt. + +Signed-off-by: Keith Busch +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Nitesh Shetty +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 37fd1a8ace12..2bddc9f60fec 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1888,8 +1888,28 @@ static int nvme_pci_configure_admin_queue(struct nvme_dev *dev) + * might be pointing at! + */ + result = nvme_disable_ctrl(&dev->ctrl, false); +- if (result < 0) +- return result; ++ if (result < 0) { ++ struct pci_dev *pdev = to_pci_dev(dev->dev); ++ ++ /* ++ * The NVMe Controller Reset method did not get an expected ++ * CSTS.RDY transition, so something with the device appears to ++ * be stuck. Use the lower level and bigger hammer PCIe ++ * Function Level Reset to attempt restoring the device to its ++ * initial state, and try again. ++ */ ++ result = pcie_reset_flr(pdev, false); ++ if (result < 0) ++ return result; ++ ++ pci_restore_state(pdev); ++ result = nvme_disable_ctrl(&dev->ctrl, false); ++ if (result < 0) ++ return result; ++ ++ dev_info(dev->ctrl.device, ++ "controller reset completed after pcie flr\n"); ++ } + + result = nvme_alloc_queue(dev, 0, NVME_AQ_DEPTH); + if (result) +-- +2.39.5 + diff --git a/queue-6.12/nvme-tcp-log-tls-handshake-failures-at-error-level.patch b/queue-6.12/nvme-tcp-log-tls-handshake-failures-at-error-level.patch new file mode 100644 index 0000000000..fd0aa5ea59 --- /dev/null +++ b/queue-6.12/nvme-tcp-log-tls-handshake-failures-at-error-level.patch @@ -0,0 +1,47 @@ +From 5041dd7e0dcc01f5880bf78d35312c1cadabf75f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 16:06:29 +0200 +Subject: nvme-tcp: log TLS handshake failures at error level + +From: Maurizio Lombardi + +[ Upstream commit 5a58ac9bfc412a58c3cf26c6a7e54d4308e9d109 ] + +Update the nvme_tcp_start_tls() function to use dev_err() instead of +dev_dbg() when a TLS error is detected. This ensures that handshake +failures are visible by default, aiding in debugging. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Laurence Oberman +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 25e486e6e805..83a6b18b01ad 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -1777,9 +1777,14 @@ static int nvme_tcp_start_tls(struct nvme_ctrl *nctrl, + qid, ret); + tls_handshake_cancel(queue->sock->sk); + } else { +- dev_dbg(nctrl->device, +- "queue %d: TLS handshake complete, error %d\n", +- qid, queue->tls_err); ++ if (queue->tls_err) { ++ dev_err(nctrl->device, ++ "queue %d: TLS handshake complete, error %d\n", ++ qid, queue->tls_err); ++ } else { ++ dev_dbg(nctrl->device, ++ "queue %d: TLS handshake complete\n", qid); ++ } + ret = queue->tls_err; + } + return ret; +-- +2.39.5 + diff --git a/queue-6.12/perf-arm-add-missing-.suppress_bind_attrs.patch b/queue-6.12/perf-arm-add-missing-.suppress_bind_attrs.patch new file mode 100644 index 0000000000..291cb83076 --- /dev/null +++ b/queue-6.12/perf-arm-add-missing-.suppress_bind_attrs.patch @@ -0,0 +1,51 @@ +From 3ad7bef3fc7af396ac72323b657543bdbfb38277 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 15:08:13 +0100 +Subject: perf/arm: Add missing .suppress_bind_attrs + +From: Robin Murphy + +[ Upstream commit 860a831de138a7ad6bc86019adaf10eb84c02655 ] + +PMU drivers should set .suppress_bind_attrs so that userspace is denied +the opportunity to pull the driver out from underneath an in-use PMU +(with predictably unpleasant consequences). Somehow both the CMN and NI +drivers have managed to miss this; put that right. + +Signed-off-by: Robin Murphy +Reviewed-by: Leo Yan +Link: https://lore.kernel.org/r/acd48c341b33b96804a3969ee00b355d40c546e2.1751465293.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cmn.c | 1 + + drivers/perf/arm-ni.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c +index ff17e0f95fbb..978b239ec10b 100644 +--- a/drivers/perf/arm-cmn.c ++++ b/drivers/perf/arm-cmn.c +@@ -2661,6 +2661,7 @@ static struct platform_driver arm_cmn_driver = { + .name = "arm-cmn", + .of_match_table = of_match_ptr(arm_cmn_of_match), + .acpi_match_table = ACPI_PTR(arm_cmn_acpi_match), ++ .suppress_bind_attrs = true, + }, + .probe = arm_cmn_probe, + .remove_new = arm_cmn_remove, +diff --git a/drivers/perf/arm-ni.c b/drivers/perf/arm-ni.c +index 4b9d53dae897..fb09730a9aa0 100644 +--- a/drivers/perf/arm-ni.c ++++ b/drivers/perf/arm-ni.c +@@ -710,6 +710,7 @@ static struct platform_driver arm_ni_driver = { + .name = "arm-ni", + .of_match_table = of_match_ptr(arm_ni_of_match), + .acpi_match_table = ACPI_PTR(arm_ni_acpi_match), ++ .suppress_bind_attrs = true, + }, + .probe = arm_ni_probe, + .remove = arm_ni_remove, +-- +2.39.5 + diff --git a/queue-6.12/perf-cxlpmu-remove-unintended-newline-from-irq-name-.patch b/queue-6.12/perf-cxlpmu-remove-unintended-newline-from-irq-name-.patch new file mode 100644 index 0000000000..234e544578 --- /dev/null +++ b/queue-6.12/perf-cxlpmu-remove-unintended-newline-from-irq-name-.patch @@ -0,0 +1,41 @@ +From 67c412a24b9b8bf90908ba834a05c7f24fbb555e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 12:43:39 -0700 +Subject: perf/cxlpmu: Remove unintended newline from IRQ name format string + +From: Alok Tiwari + +[ Upstream commit 3e870815ccf5bc75274158f0b5e234fce6f93229 ] + +The IRQ name format string used in devm_kasprintf() mistakenly included +a newline character "\n". +This could lead to confusing log output or misformatted names in sysfs +or debug messages. + +This fix removes the newline to ensure proper IRQ naming. + +Signed-off-by: Alok Tiwari +Reviewed-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20250624194350.109790-3-alok.a.tiwari@oracle.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/cxl_pmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/cxl_pmu.c b/drivers/perf/cxl_pmu.c +index 43d68b69e630..16328569fde9 100644 +--- a/drivers/perf/cxl_pmu.c ++++ b/drivers/perf/cxl_pmu.c +@@ -870,7 +870,7 @@ static int cxl_pmu_probe(struct device *dev) + return rc; + irq = rc; + +- irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_overflow\n", dev_name); ++ irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_overflow", dev_name); + if (!irq_name) + return -ENOMEM; + +-- +2.39.5 + diff --git a/queue-6.12/phy-rockchip-pcie-properly-disable-test_write-strobe.patch b/queue-6.12/phy-rockchip-pcie-properly-disable-test_write-strobe.patch new file mode 100644 index 0000000000..af031cdca3 --- /dev/null +++ b/queue-6.12/phy-rockchip-pcie-properly-disable-test_write-strobe.patch @@ -0,0 +1,42 @@ +From 8684f6dc6aa6daa0169e4e34349fa8326a8c57e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 19:25:28 -0300 +Subject: phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal + +From: Geraldo Nascimento + +[ Upstream commit 25facbabc3fc33c794ad09d73f73268c0f8cbc7d ] + +pcie_conf is used to touch TEST_WRITE strobe signal. This signal should +be enabled, a little time waited, and then disabled. Current code clearly +was copy-pasted and never disables the strobe signal. Adjust the define. +While at it, remove PHY_CFG_RD_MASK which has been unused since +64cdc0360811 ("phy: rockchip-pcie: remove unused phy_rd_cfg function"). + +Reviewed-by: Neil Armstrong +Signed-off-by: Geraldo Nascimento +Link: https://lore.kernel.org/r/d514d5d5627680caafa8b7548cbdfee4307f5440.1751322015.git.geraldogabriel@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-pcie.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-pcie.c b/drivers/phy/rockchip/phy-rockchip-pcie.c +index 51cc5ece0e63..a75affbb49b6 100644 +--- a/drivers/phy/rockchip/phy-rockchip-pcie.c ++++ b/drivers/phy/rockchip/phy-rockchip-pcie.c +@@ -30,9 +30,8 @@ + #define PHY_CFG_ADDR_SHIFT 1 + #define PHY_CFG_DATA_MASK 0xf + #define PHY_CFG_ADDR_MASK 0x3f +-#define PHY_CFG_RD_MASK 0x3ff + #define PHY_CFG_WR_ENABLE 1 +-#define PHY_CFG_WR_DISABLE 1 ++#define PHY_CFG_WR_DISABLE 0 + #define PHY_CFG_WR_SHIFT 0 + #define PHY_CFG_WR_MASK 1 + #define PHY_CFG_PLL_LOCK 0x10 +-- +2.39.5 + diff --git a/queue-6.12/pidfs-raise-sb_i_nodev-and-sb_i_noexec.patch b/queue-6.12/pidfs-raise-sb_i_nodev-and-sb_i_noexec.patch new file mode 100644 index 0000000000..9c77ca6af7 --- /dev/null +++ b/queue-6.12/pidfs-raise-sb_i_nodev-and-sb_i_noexec.patch @@ -0,0 +1,40 @@ +From 659c8cbae7b9e7c01bac2ff3cd846564b1abc4f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 22:53:35 +0200 +Subject: pidfs: raise SB_I_NODEV and SB_I_NOEXEC + +From: Christian Brauner + +[ Upstream commit 1a1ad73aa1a66787f05f7f10f686b74bab77be72 ] + +Similar to commit 1ed95281c0c7 ("anon_inode: raise SB_I_NODEV and SB_I_NOEXEC"): +it shouldn't be possible to execute pidfds via +execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH) +so raise SB_I_NOEXEC so that no one gets any creative ideas. + +Also raise SB_I_NODEV as we don't expect or support any devices on pidfs. + +Link: https://lore.kernel.org/20250618-work-pidfs-persistent-v2-1-98f3456fd552@kernel.org +Reviewed-by: Alexander Mikhalitsyn +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/pidfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/pidfs.c b/fs/pidfs.c +index 52b7e4f76732..5a8d8eb8df23 100644 +--- a/fs/pidfs.c ++++ b/fs/pidfs.c +@@ -382,6 +382,8 @@ static int pidfs_init_fs_context(struct fs_context *fc) + if (!ctx) + return -ENOMEM; + ++ fc->s_iflags |= SB_I_NOEXEC; ++ fc->s_iflags |= SB_I_NODEV; + ctx->ops = &pidfs_sops; + ctx->dops = &pidfs_dentry_operations; + fc->s_fs_info = (void *)&pidfs_stashed_ops; +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-stm32-manage-irq-affinity-settings.patch b/queue-6.12/pinctrl-stm32-manage-irq-affinity-settings.patch new file mode 100644 index 0000000000..258ff7c5da --- /dev/null +++ b/queue-6.12/pinctrl-stm32-manage-irq-affinity-settings.patch @@ -0,0 +1,39 @@ +From 02a056024345db323d09b2d8667829e964ba0d95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 16:30:39 +0200 +Subject: pinctrl: stm32: Manage irq affinity settings + +From: Cheick Traore + +[ Upstream commit 4c5cc2f65386e22166ce006efe515c667aa075e4 ] + +Trying to set the affinity of the interrupts associated to stm32 +pinctrl results in a write error. + +Fill struct irq_chip::irq_set_affinity to use the default helper +function. + +Signed-off-by: Cheick Traore +Signed-off-by: Antonio Borneo +Link: https://lore.kernel.org/20250610143042.295376-3-antonio.borneo@foss.st.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/stm32/pinctrl-stm32.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c +index 03f3f707d275..2659a854a514 100644 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c +@@ -407,6 +407,7 @@ static struct irq_chip stm32_gpio_irq_chip = { + .irq_set_wake = irq_chip_set_wake_parent, + .irq_request_resources = stm32_gpio_irq_request_resources, + .irq_release_resources = stm32_gpio_irq_release_resources, ++ .irq_set_affinity = IS_ENABLED(CONFIG_SMP) ? irq_chip_set_affinity_parent : NULL, + }; + + static int stm32_gpio_domain_translate(struct irq_domain *d, +-- +2.39.5 + diff --git a/queue-6.12/platform-chrome-cros_ec_sensorhub-retries-when-a-sen.patch b/queue-6.12/platform-chrome-cros_ec_sensorhub-retries-when-a-sen.patch new file mode 100644 index 0000000000..d54ccf878d --- /dev/null +++ b/queue-6.12/platform-chrome-cros_ec_sensorhub-retries-when-a-sen.patch @@ -0,0 +1,88 @@ +From 4307cb147c6980f93afe384d3ef2d2a4ec5bbf5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 14:05:18 -0700 +Subject: platform/chrome: cros_ec_sensorhub: Retries when a sensor is not + ready + +From: Gwendal Grignou + +[ Upstream commit 981d7f91aeda17424b29f033249f4fa7cd2a7556 ] + +When the EC/ISH starts, it can take a while for all the sensors to be up +and running or declared broken. + +If the sensor stack return -EBUSY when checking for sensor information, +retry up to 50 times. +It has been observed 100ms wait time is enough to have valid sensors +ready. It can take more time in case a sensor is really broken and is +not coming up. + +Signed-off-by: Gwendal Grignou +Link: https://lore.kernel.org/r/20250623210518.306740-1-gwendal@google.com +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_sensorhub.c | 23 +++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/chrome/cros_ec_sensorhub.c b/drivers/platform/chrome/cros_ec_sensorhub.c +index 50cdae67fa32..9bad8f72680e 100644 +--- a/drivers/platform/chrome/cros_ec_sensorhub.c ++++ b/drivers/platform/chrome/cros_ec_sensorhub.c +@@ -8,6 +8,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -18,6 +19,7 @@ + #include + + #define DRV_NAME "cros-ec-sensorhub" ++#define CROS_EC_CMD_INFO_RETRIES 50 + + static void cros_ec_sensorhub_free_sensor(void *arg) + { +@@ -53,7 +55,7 @@ static int cros_ec_sensorhub_register(struct device *dev, + int sensor_type[MOTIONSENSE_TYPE_MAX] = { 0 }; + struct cros_ec_command *msg = sensorhub->msg; + struct cros_ec_dev *ec = sensorhub->ec; +- int ret, i; ++ int ret, i, retries; + char *name; + + +@@ -65,12 +67,25 @@ static int cros_ec_sensorhub_register(struct device *dev, + sensorhub->params->cmd = MOTIONSENSE_CMD_INFO; + sensorhub->params->info.sensor_num = i; + +- ret = cros_ec_cmd_xfer_status(ec->ec_dev, msg); ++ retries = CROS_EC_CMD_INFO_RETRIES; ++ do { ++ ret = cros_ec_cmd_xfer_status(ec->ec_dev, msg); ++ if (ret == -EBUSY) { ++ /* The EC is still busy initializing sensors. */ ++ usleep_range(5000, 6000); ++ retries--; ++ } ++ } while (ret == -EBUSY && retries); ++ + if (ret < 0) { +- dev_warn(dev, "no info for EC sensor %d : %d/%d\n", +- i, ret, msg->result); ++ dev_err(dev, "no info for EC sensor %d : %d/%d\n", ++ i, ret, msg->result); + continue; + } ++ if (retries < CROS_EC_CMD_INFO_RETRIES) { ++ dev_warn(dev, "%d retries needed to bring up sensor %d\n", ++ CROS_EC_CMD_INFO_RETRIES - retries, i); ++ } + + switch (sensorhub->resp->info.type) { + case MOTIONSENSE_TYPE_ACCEL: +-- +2.39.5 + diff --git a/queue-6.12/platform-chrome-cros_ec_typec-defer-probe-on-missing.patch b/queue-6.12/platform-chrome-cros_ec_typec-defer-probe-on-missing.patch new file mode 100644 index 0000000000..6b7c02398e --- /dev/null +++ b/queue-6.12/platform-chrome-cros_ec_typec-defer-probe-on-missing.patch @@ -0,0 +1,44 @@ +From a3d11c60efd422ad8fc45bd18e672c27fd6eea0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 17:37:47 +0200 +Subject: platform/chrome: cros_ec_typec: Defer probe on missing EC parent + +From: Tomasz Michalec + +[ Upstream commit 8866f4e557eba43e991f99711515217a95f62d2e ] + +If cros_typec_probe is called before EC device is registered, +cros_typec_probe will fail. It may happen when cros-ec-typec.ko is +loaded before EC bus layer module (e.g. cros_ec_lpcs.ko, +cros_ec_spi.ko). + +Return -EPROBE_DEFER when cros_typec_probe doesn't get EC device, so +the probe function can be called again after EC device is registered. + +Signed-off-by: Tomasz Michalec +Reviewed-by: Abhishek Pandit-Subedi +Link: https://lore.kernel.org/r/20250610153748.1858519-1-tmichalec@google.com +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_typec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c +index f1324466efac..ca665b901010 100644 +--- a/drivers/platform/chrome/cros_ec_typec.c ++++ b/drivers/platform/chrome/cros_ec_typec.c +@@ -1226,8 +1226,8 @@ static int cros_typec_probe(struct platform_device *pdev) + + typec->ec = dev_get_drvdata(pdev->dev.parent); + if (!typec->ec) { +- dev_err(dev, "couldn't find parent EC device\n"); +- return -ENODEV; ++ dev_warn(dev, "couldn't find parent EC device\n"); ++ return -EPROBE_DEFER; + } + + platform_set_drvdata(pdev, typec); +-- +2.39.5 + diff --git a/queue-6.12/platform-x86-amd-pmc-add-lenovo-yoga-6-13alc6-to-pmc.patch b/queue-6.12/platform-x86-amd-pmc-add-lenovo-yoga-6-13alc6-to-pmc.patch new file mode 100644 index 0000000000..8c921b8315 --- /dev/null +++ b/queue-6.12/platform-x86-amd-pmc-add-lenovo-yoga-6-13alc6-to-pmc.patch @@ -0,0 +1,54 @@ +From 3451c64bf567739ab05c444aebac0a596f1157cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 12:23:05 -0500 +Subject: platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 4ff3aeb664f7dfe824ba91ffb0b203397a8d431e ] + +The Lenovo Yoga 6 13ACL6 82ND has a similar BIOS problem as other Lenovo +laptops from that vintage that causes a rather long resume from suspend. + +Add it to the quirk list that manipulates the scratch register to avoid +the issue. + +Reported-by: Adam Berglund +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4434 +Tested-by: Adam Berglund +Signed-off-by: Mario Limonciello +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20250718172307.1928744-1-superm1@kernel.org +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c +index 7ed12c1d3b34..04686ae1e976 100644 +--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c ++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c +@@ -189,6 +189,15 @@ static const struct dmi_system_id fwbug_list[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"), + } + }, ++ /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */ ++ { ++ .ident = "Lenovo Yoga 6 13ALC6", ++ .driver_data = &quirk_s2idle_bug, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "82ND"), ++ } ++ }, + /* https://gitlab.freedesktop.org/drm/amd/-/issues/2684 */ + { + .ident = "HP Laptop 15s-eq2xxx", +-- +2.39.5 + diff --git a/queue-6.12/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch b/queue-6.12/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch new file mode 100644 index 0000000000..a0ab8d59d1 --- /dev/null +++ b/queue-6.12/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch @@ -0,0 +1,50 @@ +From f9f4450e01e95108a6b2d7a966878e8c72b2a5fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 11:18:37 -0700 +Subject: platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit 6418a8504187dc7f5b6f9d0649c03e362cb0664b ] + +When KCOV is enabled all functions get instrumented, unless the +__no_sanitize_coverage attribute is used. To prepare for +__no_sanitize_coverage being applied to __init functions[1], we have +to handle differences in how GCC's inline optimizations get resolved. +For thinkpad_acpi routines, this means forcing two functions to be +inline with __always_inline. + +Link: https://lore.kernel.org/lkml/20250523043935.2009972-11-kees@kernel.org/ [1] +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20250529181831.work.439-kees@kernel.org +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 0528af4ed8d6..2c67d9758e6b 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -561,12 +561,12 @@ static unsigned long __init tpacpi_check_quirks( + return 0; + } + +-static inline bool __pure __init tpacpi_is_lenovo(void) ++static __always_inline bool __pure __init tpacpi_is_lenovo(void) + { + return thinkpad_id.vendor == PCI_VENDOR_ID_LENOVO; + } + +-static inline bool __pure __init tpacpi_is_ibm(void) ++static __always_inline bool __pure __init tpacpi_is_ibm(void) + { + return thinkpad_id.vendor == PCI_VENDOR_ID_IBM; + } +-- +2.39.5 + diff --git a/queue-6.12/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch b/queue-6.12/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch new file mode 100644 index 0000000000..a79d6654db --- /dev/null +++ b/queue-6.12/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch @@ -0,0 +1,46 @@ +From 7352dec60f967e9bc2434018773c98642c032be1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 17:53:54 +0530 +Subject: pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in + mperf_stop() + +From: Gautham R. Shenoy + +[ Upstream commit cda7ac8ce7de84cf32a3871ba5f318aa3b79381e ] + +In the function mperf_start(), mperf_monitor snapshots the time, tsc +and finally the aperf,mperf MSRs. However, this order of snapshotting +in is reversed in mperf_stop(). As a result, the C0 residency (which +is computed as delta_mperf * 100 / delta_tsc) is under-reported on +CPUs that is 100% busy. + +Fix this by snapshotting time, tsc and then aperf,mperf in +mperf_stop() in the same order as in mperf_start(). + +Link: https://lore.kernel.org/r/20250612122355.19629-2-gautham.shenoy@amd.com +Signed-off-by: Gautham R. Shenoy +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +index 08a399b0be28..6ab9139f16af 100644 +--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +@@ -240,9 +240,9 @@ static int mperf_stop(void) + int cpu; + + for (cpu = 0; cpu < cpu_count; cpu++) { +- mperf_measure_stats(cpu); +- mperf_get_tsc(&tsc_at_measure_end[cpu]); + clock_gettime(CLOCK_REALTIME, &time_end[cpu]); ++ mperf_get_tsc(&tsc_at_measure_end[cpu]); ++ mperf_measure_stats(cpu); + } + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch b/queue-6.12/pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch new file mode 100644 index 0000000000..0cfb4d12c7 --- /dev/null +++ b/queue-6.12/pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch @@ -0,0 +1,51 @@ +From ae8185afafde59769e339f56115f8793b609b1e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 11:00:17 +0800 +Subject: PM / devfreq: governor: Replace sscanf() with kstrtoul() in + set_freq_store() + +From: Lifeng Zheng + +[ Upstream commit 914cc799b28f17d369d5b4db3b941957d18157e8 ] + +Replace sscanf() with kstrtoul() in set_freq_store() and check the result +to avoid invalid input. + +Signed-off-by: Lifeng Zheng +Link: https://lore.kernel.org/lkml/20250421030020.3108405-2-zhenglifeng1@huawei.com/ +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/governor_userspace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/devfreq/governor_userspace.c b/drivers/devfreq/governor_userspace.c +index d1aa6806b683..175de0c0b50e 100644 +--- a/drivers/devfreq/governor_userspace.c ++++ b/drivers/devfreq/governor_userspace.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -39,10 +40,13 @@ static ssize_t set_freq_store(struct device *dev, struct device_attribute *attr, + unsigned long wanted; + int err = 0; + ++ err = kstrtoul(buf, 0, &wanted); ++ if (err) ++ return err; ++ + mutex_lock(&devfreq->lock); + data = devfreq->governor_data; + +- sscanf(buf, "%lu", &wanted); + data->user_frequency = wanted; + data->valid = true; + err = update_devfreq(devfreq); +-- +2.39.5 + diff --git a/queue-6.12/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch b/queue-6.12/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch new file mode 100644 index 0000000000..27eb3dfb1c --- /dev/null +++ b/queue-6.12/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch @@ -0,0 +1,41 @@ +From f32a80f7e7b5b1bd41568797b8454047b214f797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 21:16:05 +0200 +Subject: PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() + +From: Rafael J. Wysocki + +[ Upstream commit 89d9cec3b1e9c49bae9375a2db6dc49bc7468af0 ] + +Clear power.needs_force_resume in pm_runtime_reinit() in case it has +been set by pm_runtime_force_suspend() invoked from a driver remove +callback. + +Suggested-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Ulf Hansson +Link: https://patch.msgid.link/9495163.CDJkKcVGEf@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 99f25d6b2027..317505eab126 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1787,6 +1787,11 @@ void pm_runtime_reinit(struct device *dev) + pm_runtime_put(dev->parent); + } + } ++ /* ++ * Clear power.needs_force_resume in case it has been set by ++ * pm_runtime_force_suspend() invoked from a driver remove callback. ++ */ ++ dev->power.needs_force_resume = false; + } + + /** +-- +2.39.5 + diff --git a/queue-6.12/pm-sleep-console-fix-the-black-screen-issue.patch b/queue-6.12/pm-sleep-console-fix-the-black-screen-issue.patch new file mode 100644 index 0000000000..0b584cc266 --- /dev/null +++ b/queue-6.12/pm-sleep-console-fix-the-black-screen-issue.patch @@ -0,0 +1,77 @@ +From d4578f98129f70da92f1eab8c5662a7dfde1df3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 11:23:45 +0800 +Subject: PM: sleep: console: Fix the black screen issue + +From: tuhaowen + +[ Upstream commit 4266e8fa56d3d982bf451d382a410b9db432015c ] + +When the computer enters sleep status without a monitor +connected, the system switches the console to the virtual +terminal tty63(SUSPEND_CONSOLE). + +If a monitor is subsequently connected before waking up, +the system skips the required VT restoration process +during wake-up, leaving the console on tty63 instead of +switching back to tty1. + +To fix this issue, a global flag vt_switch_done is introduced +to record whether the system has successfully switched to +the suspend console via vt_move_to_console() during suspend. + +If the switch was completed, vt_switch_done is set to 1. +Later during resume, this flag is checked to ensure that +the original console is restored properly by calling +vt_move_to_console(orig_fgconsole, 0). + +This prevents scenarios where the resume logic skips console +restoration due to incorrect detection of the console state, +especially when a monitor is reconnected before waking up. + +Signed-off-by: tuhaowen +Link: https://patch.msgid.link/20250611032345.29962-1-tuhaowen@uniontech.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/console.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/console.c b/kernel/power/console.c +index fcdf0e14a47d..19c48aa5355d 100644 +--- a/kernel/power/console.c ++++ b/kernel/power/console.c +@@ -16,6 +16,7 @@ + #define SUSPEND_CONSOLE (MAX_NR_CONSOLES-1) + + static int orig_fgconsole, orig_kmsg; ++static bool vt_switch_done; + + static DEFINE_MUTEX(vt_switch_mutex); + +@@ -136,17 +137,21 @@ void pm_prepare_console(void) + if (orig_fgconsole < 0) + return; + ++ vt_switch_done = true; ++ + orig_kmsg = vt_kmsg_redirect(SUSPEND_CONSOLE); + return; + } + + void pm_restore_console(void) + { +- if (!pm_vt_switch()) ++ if (!pm_vt_switch() && !vt_switch_done) + return; + + if (orig_fgconsole >= 0) { + vt_move_to_console(orig_fgconsole, 0); + vt_kmsg_redirect(orig_kmsg); + } ++ ++ vt_switch_done = false; + } +-- +2.39.5 + diff --git a/queue-6.12/pmdomain-ti-select-pm_generic_domains.patch b/queue-6.12/pmdomain-ti-select-pm_generic_domains.patch new file mode 100644 index 0000000000..aae678dd7b --- /dev/null +++ b/queue-6.12/pmdomain-ti-select-pm_generic_domains.patch @@ -0,0 +1,40 @@ +From 292104a5c4de80c5625b01dfed38e00ab8a3a2c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 10:50:08 +0200 +Subject: pmdomain: ti: Select PM_GENERIC_DOMAINS + +From: Guillaume La Roque + +[ Upstream commit fcddcb7e8f38a40db99f87a962c5d0a153a76566 ] + +Select PM_GENERIC_DOMAINS instead of depending on it to ensure +it is always enabled when TI_SCI_PM_DOMAINS is selected. +Since PM_GENERIC_DOMAINS is an implicit symbol, it can only be enabled +through 'select' and cannot be explicitly enabled in configuration. +This simplifies the dependency chain and prevents build issues + +Signed-off-by: Guillaume La Roque +Reviewed-by: Nishanth Menon +Link: https://lore.kernel.org/r/20250715-depspmdomain-v2-1-6f0eda3ce824@baylibre.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/pmdomain/ti/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pmdomain/ti/Kconfig b/drivers/pmdomain/ti/Kconfig +index 67c608bf7ed0..5386b362a7ab 100644 +--- a/drivers/pmdomain/ti/Kconfig ++++ b/drivers/pmdomain/ti/Kconfig +@@ -10,7 +10,7 @@ if SOC_TI + config TI_SCI_PM_DOMAINS + tristate "TI SCI PM Domains Driver" + depends on TI_SCI_PROTOCOL +- depends on PM_GENERIC_DOMAINS ++ select PM_GENERIC_DOMAINS if PM + help + Generic power domain implementation for TI device implementing + the TI SCI protocol. +-- +2.39.5 + diff --git a/queue-6.12/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch b/queue-6.12/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch new file mode 100644 index 0000000000..8abc6deca2 --- /dev/null +++ b/queue-6.12/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch @@ -0,0 +1,41 @@ +From 5733d8c7e5e043f92582bce4bb0a5e3194f5417d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 16:32:21 +0300 +Subject: pNFS: Fix disk addr range check in block/scsi layout + +From: Sergey Bashirov + +[ Upstream commit 7db6e66663681abda54f81d5916db3a3b8b1a13d ] + +At the end of the isect translation, disc_addr represents the physical +disk offset. Thus, end calculated from disk_addr is also a physical disk +offset. Therefore, range checking should be done using map->disk_offset, +not map->start. + +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250702133226.212537-1-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/blocklayout.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c +index 47189476b553..5d6edafbed20 100644 +--- a/fs/nfs/blocklayout/blocklayout.c ++++ b/fs/nfs/blocklayout/blocklayout.c +@@ -149,8 +149,8 @@ do_add_page_to_bio(struct bio *bio, int npg, enum req_op op, sector_t isect, + + /* limit length to what the device mapping allows */ + end = disk_addr + *len; +- if (end >= map->start + map->len) +- *len = map->start + map->len - disk_addr; ++ if (end >= map->disk_offset + map->len) ++ *len = map->disk_offset + map->len - disk_addr; + + retry: + if (!bio) { +-- +2.39.5 + diff --git a/queue-6.12/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch b/queue-6.12/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch new file mode 100644 index 0000000000..20c3ed6a51 --- /dev/null +++ b/queue-6.12/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch @@ -0,0 +1,57 @@ +From 07c8da0ae54f2e6323e1e718f4aef500d022fd56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 15:21:48 +0300 +Subject: pNFS: Fix stripe mapping in block/scsi layout + +From: Sergey Bashirov + +[ Upstream commit 81438498a285759f31e843ac4800f82a5ce6521f ] + +Because of integer division, we need to carefully calculate the +disk offset. Consider the example below for a stripe of 6 volumes, +a chunk size of 4096, and an offset of 70000. + +chunk = div_u64(offset, dev->chunk_size) = 70000 / 4096 = 17 +offset = chunk * dev->chunk_size = 17 * 4096 = 69632 +disk_offset_wrong = div_u64(offset, dev->nr_children) = 69632 / 6 = 11605 +disk_chunk = div_u64(chunk, dev->nr_children) = 17 / 6 = 2 +disk_offset = disk_chunk * dev->chunk_size = 2 * 4096 = 8192 + +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250701122341.199112-1-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/dev.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c +index cab8809f0e0f..44306ac22353 100644 +--- a/fs/nfs/blocklayout/dev.c ++++ b/fs/nfs/blocklayout/dev.c +@@ -257,10 +257,11 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset, + struct pnfs_block_dev *child; + u64 chunk; + u32 chunk_idx; ++ u64 disk_chunk; + u64 disk_offset; + + chunk = div_u64(offset, dev->chunk_size); +- div_u64_rem(chunk, dev->nr_children, &chunk_idx); ++ disk_chunk = div_u64_rem(chunk, dev->nr_children, &chunk_idx); + + if (chunk_idx >= dev->nr_children) { + dprintk("%s: invalid chunk idx %d (%lld/%lld)\n", +@@ -273,7 +274,7 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset, + offset = chunk * dev->chunk_size; + + /* disk offset of the stripe */ +- disk_offset = div_u64(offset, dev->nr_children); ++ disk_offset = disk_chunk * dev->chunk_size; + + child = &dev->children[chunk_idx]; + child->map(child, disk_offset, map); +-- +2.39.5 + diff --git a/queue-6.12/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch b/queue-6.12/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch new file mode 100644 index 0000000000..9010811a4b --- /dev/null +++ b/queue-6.12/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch @@ -0,0 +1,99 @@ +From 37418709f645ff486b485b7d6d4ea291e8c1fe68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 21:35:26 +0300 +Subject: pNFS: Fix uninited ptr deref in block/scsi layout + +From: Sergey Bashirov + +[ Upstream commit 9768797c219326699778fba9cd3b607b2f1e7950 ] + +The error occurs on the third attempt to encode extents. When function +ext_tree_prepare_commit() reallocates a larger buffer to retry encoding +extents, the "layoutupdate_pages" page array is initialized only after the +retry loop. But ext_tree_free_commitdata() is called on every iteration +and tries to put pages in the array, thus dereferencing uninitialized +pointers. + +An additional problem is that there is no limit on the maximum possible +buffer_size. When there are too many extents, the client may create a +layoutcommit that is larger than the maximum possible RPC size accepted +by the server. + +During testing, we observed two typical scenarios. First, one memory page +for extents is enough when we work with small files, append data to the +end of the file, or preallocate extents before writing. But when we fill +a new large file without preallocating, the number of extents can be huge, +and counting the number of written extents in ext_tree_encode_commit() +does not help much. Since this number increases even more between +unlocking and locking of ext_tree, the reallocated buffer may not be +large enough again and again. + +Co-developed-by: Konstantin Evtushenko +Signed-off-by: Konstantin Evtushenko +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250630183537.196479-2-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/extent_tree.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/blocklayout/extent_tree.c b/fs/nfs/blocklayout/extent_tree.c +index 8f7cff7a4293..0add0f329816 100644 +--- a/fs/nfs/blocklayout/extent_tree.c ++++ b/fs/nfs/blocklayout/extent_tree.c +@@ -552,6 +552,15 @@ static int ext_tree_encode_commit(struct pnfs_block_layout *bl, __be32 *p, + return ret; + } + ++/** ++ * ext_tree_prepare_commit - encode extents that need to be committed ++ * @arg: layout commit data ++ * ++ * Return values: ++ * %0: Success, all required extents are encoded ++ * %-ENOSPC: Some extents are encoded, but not all, due to RPC size limit ++ * %-ENOMEM: Out of memory, extents not encoded ++ */ + int + ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + { +@@ -568,12 +577,12 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + start_p = page_address(arg->layoutupdate_page); + arg->layoutupdate_pages = &arg->layoutupdate_page; + +-retry: +- ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, &count, &arg->lastbytewritten); ++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, ++ &count, &arg->lastbytewritten); + if (unlikely(ret)) { + ext_tree_free_commitdata(arg, buffer_size); + +- buffer_size = ext_tree_layoutupdate_size(bl, count); ++ buffer_size = NFS_SERVER(arg->inode)->wsize; + count = 0; + + arg->layoutupdate_pages = +@@ -588,7 +597,8 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + return -ENOMEM; + } + +- goto retry; ++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, ++ &count, &arg->lastbytewritten); + } + + *start_p = cpu_to_be32(count); +@@ -608,7 +618,7 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + } + + dprintk("%s found %zu ranges\n", __func__, count); +- return 0; ++ return ret; + } + + void +-- +2.39.5 + diff --git a/queue-6.12/pnfs-handle-rpc-size-limit-for-layoutcommits.patch b/queue-6.12/pnfs-handle-rpc-size-limit-for-layoutcommits.patch new file mode 100644 index 0000000000..e2d0821012 --- /dev/null +++ b/queue-6.12/pnfs-handle-rpc-size-limit-for-layoutcommits.patch @@ -0,0 +1,67 @@ +From 0349daddddcc2eb7ff4b3cb0186955935045e872 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 21:35:29 +0300 +Subject: pNFS: Handle RPC size limit for layoutcommits + +From: Sergey Bashirov + +[ Upstream commit d897d81671bc4615c80f4f3bd5e6b218f59df50c ] + +When there are too many block extents for a layoutcommit, they may not +all fit into the maximum-sized RPC. This patch allows the generic pnfs +code to properly handle -ENOSPC returned by the block/scsi layout driver +and trigger additional layoutcommits if necessary. + +Co-developed-by: Konstantin Evtushenko +Signed-off-by: Konstantin Evtushenko +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250630183537.196479-5-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 6b888e9ff394..89d49dd3978f 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -3332,6 +3332,7 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync) + struct nfs_inode *nfsi = NFS_I(inode); + loff_t end_pos; + int status; ++ bool mark_as_dirty = false; + + if (!pnfs_layoutcommit_outstanding(inode)) + return 0; +@@ -3383,19 +3384,23 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync) + if (ld->prepare_layoutcommit) { + status = ld->prepare_layoutcommit(&data->args); + if (status) { +- put_cred(data->cred); ++ if (status != -ENOSPC) ++ put_cred(data->cred); + spin_lock(&inode->i_lock); + set_bit(NFS_INO_LAYOUTCOMMIT, &nfsi->flags); + if (end_pos > nfsi->layout->plh_lwb) + nfsi->layout->plh_lwb = end_pos; +- goto out_unlock; ++ if (status != -ENOSPC) ++ goto out_unlock; ++ spin_unlock(&inode->i_lock); ++ mark_as_dirty = true; + } + } + + + status = nfs4_proc_layoutcommit(data, sync); + out: +- if (status) ++ if (status || mark_as_dirty) + mark_inode_dirty_sync(inode); + dprintk("<-- %s status %d\n", __func__, status); + return status; +-- +2.39.5 + diff --git a/queue-6.12/power-supply-qcom_battmgr-add-lithium-polymer-entry.patch b/queue-6.12/power-supply-qcom_battmgr-add-lithium-polymer-entry.patch new file mode 100644 index 0000000000..23793eb90d --- /dev/null +++ b/queue-6.12/power-supply-qcom_battmgr-add-lithium-polymer-entry.patch @@ -0,0 +1,43 @@ +From 774aabd9c926abff85de41fd21780136c98fd58e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 13:14:22 +0300 +Subject: power: supply: qcom_battmgr: Add lithium-polymer entry + +From: Abel Vesa + +[ Upstream commit 202ac22b8e2e015e6c196fd8113f3d2a62dd1afc ] + +On some Dell XPS 13 (9345) variants, the battery used is lithium-polymer +based. Currently, this is reported as unknown technology due to the entry +missing. + +[ 4083.135325] Unknown battery technology 'LIP' + +Add another check for lithium-polymer in the technology parsing callback +and return that instead of unknown. + +Signed-off-by: Abel Vesa +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250523-psy-qcom-battmgr-add-lipo-entry-v1-1-938c20a43a25@linaro.org +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/qcom_battmgr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/power/supply/qcom_battmgr.c b/drivers/power/supply/qcom_battmgr.c +index f0a64c00ddaa..c2037b58fbcd 100644 +--- a/drivers/power/supply/qcom_battmgr.c ++++ b/drivers/power/supply/qcom_battmgr.c +@@ -980,6 +980,8 @@ static unsigned int qcom_battmgr_sc8280xp_parse_technology(const char *chemistry + { + if (!strncmp(chemistry, "LIO", BATTMGR_CHEMISTRY_LEN)) + return POWER_SUPPLY_TECHNOLOGY_LION; ++ if (!strncmp(chemistry, "LIP", BATTMGR_CHEMISTRY_LEN)) ++ return POWER_SUPPLY_TECHNOLOGY_LIPO; + + pr_err("Unknown battery technology '%s'\n", chemistry); + return POWER_SUPPLY_TECHNOLOGY_UNKNOWN; +-- +2.39.5 + diff --git a/queue-6.12/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch b/queue-6.12/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch new file mode 100644 index 0000000000..59579a3357 --- /dev/null +++ b/queue-6.12/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch @@ -0,0 +1,43 @@ +From 27d4e8cf8423366958b0f616a96c74752212a872 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 16:29:11 +0200 +Subject: (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized + pointer + +From: Thomas Fourier + +[ Upstream commit 760b9b4f6de9a33ca56a05f950cabe82138d25bd ] + +If the device configuration fails (if `dma_dev->device_config()`), +`sg_dma_address(&sg)` is not initialized and the jump to `err_dma_prep` +leads to calling `dma_unmap_single()` on `sg_dma_address(&sg)`. + +Signed-off-by: Thomas Fourier +Reviewed-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250610142918.169540-2-fourier.thomas@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c +index 9668b052cd4b..f251e0f68262 100644 +--- a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c ++++ b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c +@@ -240,10 +240,8 @@ static int mpc512x_lpbfifo_kick(void) + dma_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + + /* Make DMA channel work with LPB FIFO data register */ +- if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) { +- ret = -EINVAL; +- goto err_dma_prep; +- } ++ if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) ++ return -EINVAL; + + sg_init_table(&sg, 1); + +-- +2.39.5 + diff --git a/queue-6.12/powerpc-floppy-add-missing-checks-after-dma-map.patch b/queue-6.12/powerpc-floppy-add-missing-checks-after-dma-map.patch new file mode 100644 index 0000000000..b74bd591b9 --- /dev/null +++ b/queue-6.12/powerpc-floppy-add-missing-checks-after-dma-map.patch @@ -0,0 +1,41 @@ +From 7395e5b58ac85512df170b164fb9c4de3654c972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 09:55:55 +0200 +Subject: powerpc: floppy: Add missing checks after DMA map + +From: Thomas Fourier + +[ Upstream commit cf183c1730f2634245da35e9b5d53381b787d112 ] + +The DMA map functions can fail and should be tested for errors. + +Signed-off-by: Thomas Fourier +Reviewed-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250620075602.12575-1-fourier.thomas@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/floppy.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/floppy.h b/arch/powerpc/include/asm/floppy.h +index f8ce178b43b7..34abf8bea2cc 100644 +--- a/arch/powerpc/include/asm/floppy.h ++++ b/arch/powerpc/include/asm/floppy.h +@@ -144,9 +144,12 @@ static int hard_dma_setup(char *addr, unsigned long size, int mode, int io) + bus_addr = 0; + } + +- if (!bus_addr) /* need to map it */ ++ if (!bus_addr) { /* need to map it */ + bus_addr = dma_map_single(&isa_bridge_pcidev->dev, addr, size, + dir); ++ if (dma_mapping_error(&isa_bridge_pcidev->dev, bus_addr)) ++ return -ENOMEM; ++ } + + /* remember this one as prev */ + prev_addr = addr; +-- +2.39.5 + diff --git a/queue-6.12/powerpc-thp-tracing-hide-hugepage-events-under-confi.patch b/queue-6.12/powerpc-thp-tracing-hide-hugepage-events-under-confi.patch new file mode 100644 index 0000000000..f6f5df2e10 --- /dev/null +++ b/queue-6.12/powerpc-thp-tracing-hide-hugepage-events-under-confi.patch @@ -0,0 +1,51 @@ +From 7f90cc7e221767ce05edb4b5e7748f0b4386dce1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 10:12:59 -0400 +Subject: powerpc/thp: tracing: Hide hugepage events under CONFIG_PPC_BOOK3S_64 + +From: Steven Rostedt + +[ Upstream commit 43cf0e05089afe23dac74fa6e1e109d49f2903c4 ] + +The events hugepage_set_pmd, hugepage_set_pud, hugepage_update_pmd and +hugepage_update_pud are only called when CONFIG_PPC_BOOK3S_64 is defined. +As each event can take up to 5K regardless if they are used or not, it's +best not to define them when they are not used. Add #ifdef around these +events when they are not used. + +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Michael Ellerman +Link: https://lore.kernel.org/20250612101259.0ad43e48@batman.local.home +Acked-by: David Hildenbrand +Acked-by: Madhavan Srinivasan +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + include/trace/events/thp.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/trace/events/thp.h b/include/trace/events/thp.h +index f50048af5fcc..c8fe879d5828 100644 +--- a/include/trace/events/thp.h ++++ b/include/trace/events/thp.h +@@ -8,6 +8,7 @@ + #include + #include + ++#ifdef CONFIG_PPC_BOOK3S_64 + DECLARE_EVENT_CLASS(hugepage_set, + + TP_PROTO(unsigned long addr, unsigned long pte), +@@ -66,6 +67,7 @@ DEFINE_EVENT(hugepage_update, hugepage_update_pud, + TP_PROTO(unsigned long addr, unsigned long pud, unsigned long clr, unsigned long set), + TP_ARGS(addr, pud, clr, set) + ); ++#endif /* CONFIG_PPC_BOOK3S_64 */ + + DECLARE_EVENT_CLASS(migration_pmd, + +-- +2.39.5 + diff --git a/queue-6.12/pps-clients-gpio-fix-interrupt-handling-order-in-rem.patch b/queue-6.12/pps-clients-gpio-fix-interrupt-handling-order-in-rem.patch new file mode 100644 index 0000000000..a4e4d8be60 --- /dev/null +++ b/queue-6.12/pps-clients-gpio-fix-interrupt-handling-order-in-rem.patch @@ -0,0 +1,58 @@ +From bba027e4e4c60740c16d649213e7b5dff7ab8a78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 05:33:55 +0000 +Subject: pps: clients: gpio: fix interrupt handling order in remove path + +From: Eliav Farber + +[ Upstream commit 6bca1e955830808dc90e0506b2951b4256b81bbb ] + +The interrupt handler in pps_gpio_probe() is registered after calling +pps_register_source() using devm_request_irq(). However, in the +corresponding remove function, pps_unregister_source() is called before +the IRQ is freed, since devm-managed resources are released after the +remove function completes. + +This creates a potential race condition where an interrupt may occur +after the PPS source is unregistered but before the handler is removed, +possibly leading to a kernel panic. + +To prevent this, switch from devm-managed IRQ registration to manual +management by using request_irq() and calling free_irq() explicitly in +the remove path before unregistering the PPS source. This ensures the +interrupt handler is safely removed before deactivating the PPS source. + +Signed-off-by: Eliav Farber +Link: https://lore.kernel.org/r/20250527053355.37185-1-farbere@amazon.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/pps/clients/pps-gpio.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/pps/clients/pps-gpio.c b/drivers/pps/clients/pps-gpio.c +index 93e662912b53..1412f8af15f2 100644 +--- a/drivers/pps/clients/pps-gpio.c ++++ b/drivers/pps/clients/pps-gpio.c +@@ -206,8 +206,8 @@ static int pps_gpio_probe(struct platform_device *pdev) + } + + /* register IRQ interrupt handler */ +- ret = devm_request_irq(dev, data->irq, pps_gpio_irq_handler, +- get_irqf_trigger_flags(data), data->info.name, data); ++ ret = request_irq(data->irq, pps_gpio_irq_handler, ++ get_irqf_trigger_flags(data), data->info.name, data); + if (ret) { + pps_unregister_source(data->pps); + dev_err(dev, "failed to acquire IRQ %d\n", data->irq); +@@ -224,6 +224,7 @@ static void pps_gpio_remove(struct platform_device *pdev) + { + struct pps_gpio_device_data *data = platform_get_drvdata(pdev); + ++ free_irq(data->irq, data); + pps_unregister_source(data->pps); + del_timer_sync(&data->echo_timer); + /* reset echo pin in any case */ +-- +2.39.5 + diff --git a/queue-6.12/printk-nbcon-allow-reacquire-during-panic.patch b/queue-6.12/printk-nbcon-allow-reacquire-during-panic.patch new file mode 100644 index 0000000000..447ed5391c --- /dev/null +++ b/queue-6.12/printk-nbcon-allow-reacquire-during-panic.patch @@ -0,0 +1,204 @@ +From 7c915af126b5f6ee15bf54f92f2259b9b46157b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 21:01:49 +0206 +Subject: printk: nbcon: Allow reacquire during panic + +From: John Ogness + +[ Upstream commit 571c1ea91a73db56bd94054fabecd0f070dc90db ] + +If a console printer is interrupted during panic, it will never +be able to reacquire ownership in order to perform and cleanup. +That in itself is not a problem, since the non-panic CPU will +simply quiesce in an endless loop within nbcon_reacquire_nobuf(). + +However, in this state, platforms that do not support a true NMI +to interrupt the quiesced CPU will not be able to shutdown that +CPU from within panic(). This then causes problems for such as +being unable to load and run a kdump kernel. + +Fix this by allowing non-panic CPUs to reacquire ownership using +a direct acquire. Then the non-panic CPUs can successfullyl exit +the nbcon_reacquire_nobuf() loop and the console driver can +perform any necessary cleanup. But more importantly, the CPU is +no longer quiesced and is free to process any interrupts +necessary for panic() to shutdown the CPU. + +All other forms of acquire are still not allowed for non-panic +CPUs since it is safer to have them avoid gaining console +ownership that is not strictly necessary. + +Reported-by: Michael Kelley +Closes: https://lore.kernel.org/r/SN6PR02MB4157A4C5E8CB219A75263A17D46DA@SN6PR02MB4157.namprd02.prod.outlook.com +Signed-off-by: John Ogness +Reviewed-by: Petr Mladek +Tested-by: Michael Kelley +Link: https://patch.msgid.link/20250606185549.900611-1-john.ogness@linutronix.de +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/nbcon.c | 63 ++++++++++++++++++++++++++++--------------- + 1 file changed, 41 insertions(+), 22 deletions(-) + +diff --git a/kernel/printk/nbcon.c b/kernel/printk/nbcon.c +index fd12efcc4aed..e7a3af81b173 100644 +--- a/kernel/printk/nbcon.c ++++ b/kernel/printk/nbcon.c +@@ -214,8 +214,9 @@ static void nbcon_seq_try_update(struct nbcon_context *ctxt, u64 new_seq) + + /** + * nbcon_context_try_acquire_direct - Try to acquire directly +- * @ctxt: The context of the caller +- * @cur: The current console state ++ * @ctxt: The context of the caller ++ * @cur: The current console state ++ * @is_reacquire: This acquire is a reacquire + * + * Acquire the console when it is released. Also acquire the console when + * the current owner has a lower priority and the console is in a safe state. +@@ -225,17 +226,17 @@ static void nbcon_seq_try_update(struct nbcon_context *ctxt, u64 new_seq) + * + * Errors: + * +- * -EPERM: A panic is in progress and this is not the panic CPU. +- * Or the current owner or waiter has the same or higher +- * priority. No acquire method can be successful in +- * this case. ++ * -EPERM: A panic is in progress and this is neither the panic ++ * CPU nor is this a reacquire. Or the current owner or ++ * waiter has the same or higher priority. No acquire ++ * method can be successful in these cases. + * + * -EBUSY: The current owner has a lower priority but the console + * in an unsafe state. The caller should try using + * the handover acquire method. + */ + static int nbcon_context_try_acquire_direct(struct nbcon_context *ctxt, +- struct nbcon_state *cur) ++ struct nbcon_state *cur, bool is_reacquire) + { + unsigned int cpu = smp_processor_id(); + struct console *con = ctxt->console; +@@ -243,14 +244,20 @@ static int nbcon_context_try_acquire_direct(struct nbcon_context *ctxt, + + do { + /* +- * Panic does not imply that the console is owned. However, it +- * is critical that non-panic CPUs during panic are unable to +- * acquire ownership in order to satisfy the assumptions of +- * nbcon_waiter_matches(). In particular, the assumption that +- * lower priorities are ignored during panic. ++ * Panic does not imply that the console is owned. However, ++ * since all non-panic CPUs are stopped during panic(), it ++ * is safer to have them avoid gaining console ownership. ++ * ++ * If this acquire is a reacquire (and an unsafe takeover ++ * has not previously occurred) then it is allowed to attempt ++ * a direct acquire in panic. This gives console drivers an ++ * opportunity to perform any necessary cleanup if they were ++ * interrupted by the panic CPU while printing. + */ +- if (other_cpu_in_panic()) ++ if (other_cpu_in_panic() && ++ (!is_reacquire || cur->unsafe_takeover)) { + return -EPERM; ++ } + + if (ctxt->prio <= cur->prio || ctxt->prio <= cur->req_prio) + return -EPERM; +@@ -301,8 +308,9 @@ static bool nbcon_waiter_matches(struct nbcon_state *cur, int expected_prio) + * Event #1 implies this context is EMERGENCY. + * Event #2 implies the new context is PANIC. + * Event #3 occurs when panic() has flushed the console. +- * Events #4 and #5 are not possible due to the other_cpu_in_panic() +- * check in nbcon_context_try_acquire_direct(). ++ * Event #4 occurs when a non-panic CPU reacquires. ++ * Event #5 is not possible due to the other_cpu_in_panic() check ++ * in nbcon_context_try_acquire_handover(). + */ + + return (cur->req_prio == expected_prio); +@@ -431,6 +439,16 @@ static int nbcon_context_try_acquire_handover(struct nbcon_context *ctxt, + WARN_ON_ONCE(ctxt->prio <= cur->prio || ctxt->prio <= cur->req_prio); + WARN_ON_ONCE(!cur->unsafe); + ++ /* ++ * Panic does not imply that the console is owned. However, it ++ * is critical that non-panic CPUs during panic are unable to ++ * wait for a handover in order to satisfy the assumptions of ++ * nbcon_waiter_matches(). In particular, the assumption that ++ * lower priorities are ignored during panic. ++ */ ++ if (other_cpu_in_panic()) ++ return -EPERM; ++ + /* Handover is not possible on the same CPU. */ + if (cur->cpu == cpu) + return -EBUSY; +@@ -558,7 +576,8 @@ static struct printk_buffers panic_nbcon_pbufs; + + /** + * nbcon_context_try_acquire - Try to acquire nbcon console +- * @ctxt: The context of the caller ++ * @ctxt: The context of the caller ++ * @is_reacquire: This acquire is a reacquire + * + * Context: Under @ctxt->con->device_lock() or local_irq_save(). + * Return: True if the console was acquired. False otherwise. +@@ -568,7 +587,7 @@ static struct printk_buffers panic_nbcon_pbufs; + * in an unsafe state. Otherwise, on success the caller may assume + * the console is not in an unsafe state. + */ +-static bool nbcon_context_try_acquire(struct nbcon_context *ctxt) ++static bool nbcon_context_try_acquire(struct nbcon_context *ctxt, bool is_reacquire) + { + unsigned int cpu = smp_processor_id(); + struct console *con = ctxt->console; +@@ -577,7 +596,7 @@ static bool nbcon_context_try_acquire(struct nbcon_context *ctxt) + + nbcon_state_read(con, &cur); + try_again: +- err = nbcon_context_try_acquire_direct(ctxt, &cur); ++ err = nbcon_context_try_acquire_direct(ctxt, &cur, is_reacquire); + if (err != -EBUSY) + goto out; + +@@ -913,7 +932,7 @@ void nbcon_reacquire_nobuf(struct nbcon_write_context *wctxt) + { + struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt); + +- while (!nbcon_context_try_acquire(ctxt)) ++ while (!nbcon_context_try_acquire(ctxt, true)) + cpu_relax(); + + nbcon_write_context_set_buf(wctxt, NULL, 0); +@@ -1101,7 +1120,7 @@ static bool nbcon_emit_one(struct nbcon_write_context *wctxt, bool use_atomic) + cant_migrate(); + } + +- if (!nbcon_context_try_acquire(ctxt)) ++ if (!nbcon_context_try_acquire(ctxt, false)) + goto out; + + /* +@@ -1486,7 +1505,7 @@ static int __nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq, + ctxt->prio = nbcon_get_default_prio(); + ctxt->allow_unsafe_takeover = allow_unsafe_takeover; + +- if (!nbcon_context_try_acquire(ctxt)) ++ if (!nbcon_context_try_acquire(ctxt, false)) + return -EPERM; + + while (nbcon_seq_read(con) < stop_seq) { +@@ -1762,7 +1781,7 @@ bool nbcon_device_try_acquire(struct console *con) + ctxt->console = con; + ctxt->prio = NBCON_PRIO_NORMAL; + +- if (!nbcon_context_try_acquire(ctxt)) ++ if (!nbcon_context_try_acquire(ctxt, false)) + return false; + + if (!nbcon_context_enter_unsafe(ctxt)) +-- +2.39.5 + diff --git a/queue-6.12/ptp-use-ratelimite-for-freerun-error-message.patch b/queue-6.12/ptp-use-ratelimite-for-freerun-error-message.patch new file mode 100644 index 0000000000..6317772511 --- /dev/null +++ b/queue-6.12/ptp-use-ratelimite-for-freerun-error-message.patch @@ -0,0 +1,39 @@ +From 7ed9035213e1824543b8b966069e89a2267c0f81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 10:15:46 -0700 +Subject: ptp: Use ratelimite for freerun error message + +From: Breno Leitao + +[ Upstream commit e9a7795e75b78b56997fb0070c18d6e1057b6462 ] + +Replace pr_err() with pr_err_ratelimited() in ptp_clock_settime() to +prevent log flooding when the physical clock is free running, which +happens on some of my hosts. This ensures error messages are +rate-limited and improves kernel log readability. + +Signed-off-by: Breno Leitao +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250613-ptp-v1-1-ee44260ce9e2@debian.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_clock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c +index b892a7323084..642a540861d4 100644 +--- a/drivers/ptp/ptp_clock.c ++++ b/drivers/ptp/ptp_clock.c +@@ -96,7 +96,7 @@ static int ptp_clock_settime(struct posix_clock *pc, const struct timespec64 *tp + struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock); + + if (ptp_clock_freerun(ptp)) { +- pr_err("ptp: physical clock is free running\n"); ++ pr_err_ratelimited("ptp: physical clock is free running\n"); + return -EBUSY; + } + +-- +2.39.5 + diff --git a/queue-6.12/rcu-fix-rcu_read_unlock-deadloop-due-to-irq-work.patch b/queue-6.12/rcu-fix-rcu_read_unlock-deadloop-due-to-irq-work.patch new file mode 100644 index 0000000000..5dfcaa24bf --- /dev/null +++ b/queue-6.12/rcu-fix-rcu_read_unlock-deadloop-due-to-irq-work.patch @@ -0,0 +1,159 @@ +From 55d804a818666b872fa466be97ffbb69ceda36ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jul 2025 10:22:19 -0400 +Subject: rcu: Fix rcu_read_unlock() deadloop due to IRQ work + +From: Joel Fernandes + +[ Upstream commit b41642c87716bbd09797b1e4ea7d904f06c39b7b ] + +During rcu_read_unlock_special(), if this happens during irq_exit(), we +can lockup if an IPI is issued. This is because the IPI itself triggers +the irq_exit() path causing a recursive lock up. + +This is precisely what Xiongfeng found when invoking a BPF program on +the trace_tick_stop() tracepoint As shown in the trace below. Fix by +managing the irq_work state correctly. + +irq_exit() + __irq_exit_rcu() + /* in_hardirq() returns false after this */ + preempt_count_sub(HARDIRQ_OFFSET) + tick_irq_exit() + tick_nohz_irq_exit() + tick_nohz_stop_sched_tick() + trace_tick_stop() /* a bpf prog is hooked on this trace point */ + __bpf_trace_tick_stop() + bpf_trace_run2() + rcu_read_unlock_special() + /* will send a IPI to itself */ + irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu); + +A simple reproducer can also be obtained by doing the following in +tick_irq_exit(). It will hang on boot without the patch: + + static inline void tick_irq_exit(void) + { + + rcu_read_lock(); + + WRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true); + + rcu_read_unlock(); + + + +Reported-by: Xiongfeng Wang +Closes: https://lore.kernel.org/all/9acd5f9f-6732-7701-6880-4b51190aa070@huawei.com/ +Tested-by: Qi Xi +Signed-off-by: Joel Fernandes +Reviewed-by: "Paul E. McKenney" +Reported-by: Linux Kernel Functional Testing +[neeraj: Apply Frederic's suggested fix for PREEMPT_RT] +Signed-off-by: Neeraj Upadhyay (AMD) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.h | 13 ++++++++++++- + kernel/rcu/tree_plugin.h | 37 ++++++++++++++++++++++++++----------- + 2 files changed, 38 insertions(+), 12 deletions(-) + +diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h +index 1bba2225e744..f99677bf97ca 100644 +--- a/kernel/rcu/tree.h ++++ b/kernel/rcu/tree.h +@@ -174,6 +174,17 @@ struct rcu_snap_record { + unsigned long jiffies; /* Track jiffies value */ + }; + ++/* ++ * An IRQ work (deferred_qs_iw) is used by RCU to get the scheduler's attention. ++ * to report quiescent states at the soonest possible time. ++ * The request can be in one of the following states: ++ * - DEFER_QS_IDLE: An IRQ work is yet to be scheduled. ++ * - DEFER_QS_PENDING: An IRQ work was scheduled but either not yet run, or it ++ * ran and we still haven't reported a quiescent state. ++ */ ++#define DEFER_QS_IDLE 0 ++#define DEFER_QS_PENDING 1 ++ + /* Per-CPU data for read-copy update. */ + struct rcu_data { + /* 1) quiescent-state and grace-period handling : */ +@@ -191,7 +202,7 @@ struct rcu_data { + /* during and after the last grace */ + /* period it is aware of. */ + struct irq_work defer_qs_iw; /* Obtain later scheduler attention. */ +- bool defer_qs_iw_pending; /* Scheduler attention pending? */ ++ int defer_qs_iw_pending; /* Scheduler attention pending? */ + struct work_struct strict_work; /* Schedule readers for strict GPs. */ + + /* 2) batch handling */ +diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h +index 27ab715569f2..edcf534fe082 100644 +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -485,13 +485,16 @@ rcu_preempt_deferred_qs_irqrestore(struct task_struct *t, unsigned long flags) + struct rcu_node *rnp; + union rcu_special special; + ++ rdp = this_cpu_ptr(&rcu_data); ++ if (rdp->defer_qs_iw_pending == DEFER_QS_PENDING) ++ rdp->defer_qs_iw_pending = DEFER_QS_IDLE; ++ + /* + * If RCU core is waiting for this CPU to exit its critical section, + * report the fact that it has exited. Because irqs are disabled, + * t->rcu_read_unlock_special cannot change. + */ + special = t->rcu_read_unlock_special; +- rdp = this_cpu_ptr(&rcu_data); + if (!special.s && !rdp->cpu_no_qs.b.exp) { + local_irq_restore(flags); + return; +@@ -628,7 +631,23 @@ static void rcu_preempt_deferred_qs_handler(struct irq_work *iwp) + + rdp = container_of(iwp, struct rcu_data, defer_qs_iw); + local_irq_save(flags); +- rdp->defer_qs_iw_pending = false; ++ ++ /* ++ * If the IRQ work handler happens to run in the middle of RCU read-side ++ * critical section, it could be ineffective in getting the scheduler's ++ * attention to report a deferred quiescent state (the whole point of the ++ * IRQ work). For this reason, requeue the IRQ work. ++ * ++ * Basically, we want to avoid following situation: ++ * 1. rcu_read_unlock() queues IRQ work (state -> DEFER_QS_PENDING) ++ * 2. CPU enters new rcu_read_lock() ++ * 3. IRQ work runs but cannot report QS due to rcu_preempt_depth() > 0 ++ * 4. rcu_read_unlock() does not re-queue work (state still PENDING) ++ * 5. Deferred QS reporting does not happen. ++ */ ++ if (rcu_preempt_depth() > 0) ++ WRITE_ONCE(rdp->defer_qs_iw_pending, DEFER_QS_IDLE); ++ + local_irq_restore(flags); + } + +@@ -675,17 +694,13 @@ static void rcu_read_unlock_special(struct task_struct *t) + set_tsk_need_resched(current); + set_preempt_need_resched(); + if (IS_ENABLED(CONFIG_IRQ_WORK) && irqs_were_disabled && +- expboost && !rdp->defer_qs_iw_pending && cpu_online(rdp->cpu)) { ++ expboost && rdp->defer_qs_iw_pending != DEFER_QS_PENDING && ++ cpu_online(rdp->cpu)) { + // Get scheduler to re-evaluate and call hooks. + // If !IRQ_WORK, FQS scan will eventually IPI. +- if (IS_ENABLED(CONFIG_RCU_STRICT_GRACE_PERIOD) && +- IS_ENABLED(CONFIG_PREEMPT_RT)) +- rdp->defer_qs_iw = IRQ_WORK_INIT_HARD( +- rcu_preempt_deferred_qs_handler); +- else +- init_irq_work(&rdp->defer_qs_iw, +- rcu_preempt_deferred_qs_handler); +- rdp->defer_qs_iw_pending = true; ++ rdp->defer_qs_iw = ++ IRQ_WORK_INIT_HARD(rcu_preempt_deferred_qs_handler); ++ rdp->defer_qs_iw_pending = DEFER_QS_PENDING; + irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu); + } + } +-- +2.39.5 + diff --git a/queue-6.12/rcu-nocb-fix-possible-invalid-rdp-s-nocb_cb_kthread-.patch b/queue-6.12/rcu-nocb-fix-possible-invalid-rdp-s-nocb_cb_kthread-.patch new file mode 100644 index 0000000000..5f3b243c89 --- /dev/null +++ b/queue-6.12/rcu-nocb-fix-possible-invalid-rdp-s-nocb_cb_kthread-.patch @@ -0,0 +1,64 @@ +From 3c242dcdecc6517fb9dc9f53bd33b3012d9c69fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 19:26:05 +0800 +Subject: rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access + +From: Zqiang + +[ Upstream commit 1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1 ] + +In the preparation stage of CPU online, if the corresponding +the rdp's->nocb_cb_kthread does not exist, will be created, +there is a situation where the rdp's rcuop kthreads creation fails, +and then de-offload this CPU's rdp, does not assign this CPU's +rdp->nocb_cb_kthread pointer, but this rdp's->nocb_gp_rdp and +rdp's->rdp_gp->nocb_gp_kthread is still valid. + +This will cause the subsequent re-offload operation of this offline +CPU, which will pass the conditional check and the kthread_unpark() +will access invalid rdp's->nocb_cb_kthread pointer. + +This commit therefore use rdp's->nocb_gp_kthread instead of +rdp_gp's->nocb_gp_kthread for safety check. + +Signed-off-by: Zqiang +Reviewed-by: Frederic Weisbecker +Signed-off-by: Neeraj Upadhyay (AMD) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_nocb.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h +index 2ad3a88623a7..a1a5942d7017 100644 +--- a/kernel/rcu/tree_nocb.h ++++ b/kernel/rcu/tree_nocb.h +@@ -1152,7 +1152,6 @@ static bool rcu_nocb_rdp_offload_wait_cond(struct rcu_data *rdp) + static int rcu_nocb_rdp_offload(struct rcu_data *rdp) + { + int wake_gp; +- struct rcu_data *rdp_gp = rdp->nocb_gp_rdp; + + WARN_ON_ONCE(cpu_online(rdp->cpu)); + /* +@@ -1162,7 +1161,7 @@ static int rcu_nocb_rdp_offload(struct rcu_data *rdp) + if (!rdp->nocb_gp_rdp) + return -EINVAL; + +- if (WARN_ON_ONCE(!rdp_gp->nocb_gp_kthread)) ++ if (WARN_ON_ONCE(!rdp->nocb_gp_kthread)) + return -EINVAL; + + pr_info("Offloading %d\n", rdp->cpu); +@@ -1172,7 +1171,7 @@ static int rcu_nocb_rdp_offload(struct rcu_data *rdp) + + wake_gp = rcu_nocb_queue_toggle_rdp(rdp); + if (wake_gp) +- wake_up_process(rdp_gp->nocb_gp_kthread); ++ wake_up_process(rdp->nocb_gp_kthread); + + swait_event_exclusive(rdp->nocb_state_wq, + rcu_nocb_rdp_offload_wait_cond(rdp)); +-- +2.39.5 + diff --git a/queue-6.12/rcu-protect-defer_qs_iw_pending-from-data-race.patch b/queue-6.12/rcu-protect-defer_qs_iw_pending-from-data-race.patch new file mode 100644 index 0000000000..269a4986c8 --- /dev/null +++ b/queue-6.12/rcu-protect-defer_qs_iw_pending-from-data-race.patch @@ -0,0 +1,97 @@ +From 48e1b578df95496d65b69174072418b14d8a84ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 16:49:53 -0700 +Subject: rcu: Protect ->defer_qs_iw_pending from data race + +From: Paul E. McKenney + +[ Upstream commit 90c09d57caeca94e6f3f87c49e96a91edd40cbfd ] + +On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is +invoked within an interrupts-disabled region of code [1], it will invoke +rcu_read_unlock_special(), which uses an irq-work handler to force the +system to notice when the RCU read-side critical section actually ends. +That end won't happen until interrupts are enabled at the soonest. + +In some kernels, such as those booted with rcutree.use_softirq=y, the +irq-work handler is used unconditionally. + +The per-CPU rcu_data structure's ->defer_qs_iw_pending field is +updated by the irq-work handler and is both read and updated by +rcu_read_unlock_special(). This resulted in the following KCSAN splat: + +------------------------------------------------------------------------ + +BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special + +read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8: + rcu_read_unlock_special+0x175/0x260 + __rcu_read_unlock+0x92/0xa0 + rt_spin_unlock+0x9b/0xc0 + __local_bh_enable+0x10d/0x170 + __local_bh_enable_ip+0xfb/0x150 + rcu_do_batch+0x595/0xc40 + rcu_cpu_kthread+0x4e9/0x830 + smpboot_thread_fn+0x24d/0x3b0 + kthread+0x3bd/0x410 + ret_from_fork+0x35/0x40 + ret_from_fork_asm+0x1a/0x30 + +write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8: + rcu_preempt_deferred_qs_handler+0x1e/0x30 + irq_work_single+0xaf/0x160 + run_irq_workd+0x91/0xc0 + smpboot_thread_fn+0x24d/0x3b0 + kthread+0x3bd/0x410 + ret_from_fork+0x35/0x40 + ret_from_fork_asm+0x1a/0x30 + +no locks held by irq_work/8/88. +irq event stamp: 200272 +hardirqs last enabled at (200272): [] finish_task_switch+0x131/0x320 +hardirqs last disabled at (200271): [] __schedule+0x129/0xd70 +softirqs last enabled at (0): [] copy_process+0x4df/0x1cc0 +softirqs last disabled at (0): [<0000000000000000>] 0x0 + +------------------------------------------------------------------------ + +The problem is that irq-work handlers run with interrupts enabled, which +means that rcu_preempt_deferred_qs_handler() could be interrupted, +and that interrupt handler might contain an RCU read-side critical +section, which might invoke rcu_read_unlock_special(). In the strict +KCSAN mode of operation used by RCU, this constitutes a data race on +the ->defer_qs_iw_pending field. + +This commit therefore disables interrupts across the portion of the +rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending +field. This suffices because this handler is not a fast path. + +Signed-off-by: Paul E. McKenney +Reviewed-by: Frederic Weisbecker +Signed-off-by: Neeraj Upadhyay (AMD) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_plugin.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h +index 304e3405e6ec..27ab715569f2 100644 +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -623,10 +623,13 @@ notrace void rcu_preempt_deferred_qs(struct task_struct *t) + */ + static void rcu_preempt_deferred_qs_handler(struct irq_work *iwp) + { ++ unsigned long flags; + struct rcu_data *rdp; + + rdp = container_of(iwp, struct rcu_data, defer_qs_iw); ++ local_irq_save(flags); + rdp->defer_qs_iw_pending = false; ++ local_irq_restore(flags); + } + + /* +-- +2.39.5 + diff --git a/queue-6.12/rdma-bnxt_re-fix-size-of-uverbs_copy_to-in-bnxt_re_m.patch b/queue-6.12/rdma-bnxt_re-fix-size-of-uverbs_copy_to-in-bnxt_re_m.patch new file mode 100644 index 0000000000..5f4d5782a3 --- /dev/null +++ b/queue-6.12/rdma-bnxt_re-fix-size-of-uverbs_copy_to-in-bnxt_re_m.patch @@ -0,0 +1,39 @@ +From ee04df377bde57fc9302a31832083e7d4df18ad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 10:08:55 +0530 +Subject: RDMA/bnxt_re: Fix size of uverbs_copy_to() in + BNXT_RE_METHOD_GET_TOGGLE_MEM + +From: Kalesh AP + +[ Upstream commit 09d231ab569ca97478445ccc1ad44ab026de39b1 ] + +Since both "length" and "offset" are of type u32, there is +no functional issue here. + +Reviewed-by: Saravanan Vajravel +Signed-off-by: Shravya KN +Signed-off-by: Kalesh AP +Link: https://patch.msgid.link/20250704043857.19158-2-kalesh-anakkur.purayil@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 0b21d8b5d962..4a3ce61a3bba 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -4642,7 +4642,7 @@ static int UVERBS_HANDLER(BNXT_RE_METHOD_GET_TOGGLE_MEM)(struct uverbs_attr_bund + return err; + + err = uverbs_copy_to(attrs, BNXT_RE_TOGGLE_MEM_MMAP_OFFSET, +- &offset, sizeof(length)); ++ &offset, sizeof(offset)); + if (err) + return err; + +-- +2.39.5 + diff --git a/queue-6.12/rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch b/queue-6.12/rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch new file mode 100644 index 0000000000..4a0f055ac7 --- /dev/null +++ b/queue-6.12/rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch @@ -0,0 +1,77 @@ +From 4c2264e9356e8cb1a6234a8fe0d180e49ae5470f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 13:33:26 +0200 +Subject: RDMA/core: reduce stack using in nldev_stat_get_doit() + +From: Arnd Bergmann + +[ Upstream commit 43163f4c30f94d2103c948a247cdf2cda5068ca7 ] + +In the s390 defconfig, gcc-10 and earlier end up inlining three functions +into nldev_stat_get_doit(), and each of them uses some 600 bytes of stack. + +The result is a function with an overly large stack frame and a warning: + +drivers/infiniband/core/nldev.c:2466:1: error: the frame size of 1720 bytes is larger than 1280 bytes [-Werror=frame-larger-than=] + +Mark the three functions noinline_for_stack to prevent this, ensuring +that only one copy of the nlattr array is on the stack of each function. + +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20250620113335.3776965-1-arnd@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/nldev.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c +index f12189986303..fef11a80647c 100644 +--- a/drivers/infiniband/core/nldev.c ++++ b/drivers/infiniband/core/nldev.c +@@ -1468,10 +1468,11 @@ static const struct nldev_fill_res_entry fill_entries[RDMA_RESTRACK_MAX] = { + + }; + +-static int res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh, +- struct netlink_ext_ack *extack, +- enum rdma_restrack_type res_type, +- res_fill_func_t fill_func) ++static noinline_for_stack int ++res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh, ++ struct netlink_ext_ack *extack, ++ enum rdma_restrack_type res_type, ++ res_fill_func_t fill_func) + { + const struct nldev_fill_res_entry *fe = &fill_entries[res_type]; + struct nlattr *tb[RDMA_NLDEV_ATTR_MAX]; +@@ -2256,10 +2257,10 @@ static int nldev_stat_del_doit(struct sk_buff *skb, struct nlmsghdr *nlh, + return ret; + } + +-static int stat_get_doit_default_counter(struct sk_buff *skb, +- struct nlmsghdr *nlh, +- struct netlink_ext_ack *extack, +- struct nlattr *tb[]) ++static noinline_for_stack int ++stat_get_doit_default_counter(struct sk_buff *skb, struct nlmsghdr *nlh, ++ struct netlink_ext_ack *extack, ++ struct nlattr *tb[]) + { + struct rdma_hw_stats *stats; + struct nlattr *table_attr; +@@ -2349,8 +2350,9 @@ static int stat_get_doit_default_counter(struct sk_buff *skb, + return ret; + } + +-static int stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh, +- struct netlink_ext_ack *extack, struct nlattr *tb[]) ++static noinline_for_stack int ++stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh, ++ struct netlink_ext_ack *extack, struct nlattr *tb[]) + + { + static enum rdma_nl_counter_mode mode; +-- +2.39.5 + diff --git a/queue-6.12/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch b/queue-6.12/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch new file mode 100644 index 0000000000..a1f1b21b6a --- /dev/null +++ b/queue-6.12/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch @@ -0,0 +1,85 @@ +From 533292a08c850d6c5b548ffa78d7915035049623 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 15:39:38 -0400 +Subject: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() + +From: Yury Norov [NVIDIA] + +[ Upstream commit 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a ] + +The function divides number of online CPUs by num_core_siblings, and +later checks the divider by zero. This implies a possibility to get +and divide-by-zero runtime error. Fix it by moving the check prior to +division. This also helps to save one indentation level. + +Signed-off-by: Yury Norov [NVIDIA] +Link: https://patch.msgid.link/20250604193947.11834-3-yury.norov@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/affinity.c | 44 +++++++++++++++------------ + 1 file changed, 24 insertions(+), 20 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c +index 7ead8746b79b..f2c530ab85a5 100644 +--- a/drivers/infiniband/hw/hfi1/affinity.c ++++ b/drivers/infiniband/hw/hfi1/affinity.c +@@ -964,31 +964,35 @@ static void find_hw_thread_mask(uint hw_thread_no, cpumask_var_t hw_thread_mask, + struct hfi1_affinity_node_list *affinity) + { + int possible, curr_cpu, i; +- uint num_cores_per_socket = node_affinity.num_online_cpus / ++ uint num_cores_per_socket; ++ ++ cpumask_copy(hw_thread_mask, &affinity->proc.mask); ++ ++ if (affinity->num_core_siblings == 0) ++ return; ++ ++ num_cores_per_socket = node_affinity.num_online_cpus / + affinity->num_core_siblings / + node_affinity.num_online_nodes; + +- cpumask_copy(hw_thread_mask, &affinity->proc.mask); +- if (affinity->num_core_siblings > 0) { +- /* Removing other siblings not needed for now */ +- possible = cpumask_weight(hw_thread_mask); +- curr_cpu = cpumask_first(hw_thread_mask); +- for (i = 0; +- i < num_cores_per_socket * node_affinity.num_online_nodes; +- i++) +- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); +- +- for (; i < possible; i++) { +- cpumask_clear_cpu(curr_cpu, hw_thread_mask); +- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); +- } ++ /* Removing other siblings not needed for now */ ++ possible = cpumask_weight(hw_thread_mask); ++ curr_cpu = cpumask_first(hw_thread_mask); ++ for (i = 0; ++ i < num_cores_per_socket * node_affinity.num_online_nodes; ++ i++) ++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); + +- /* Identifying correct HW threads within physical cores */ +- cpumask_shift_left(hw_thread_mask, hw_thread_mask, +- num_cores_per_socket * +- node_affinity.num_online_nodes * +- hw_thread_no); ++ for (; i < possible; i++) { ++ cpumask_clear_cpu(curr_cpu, hw_thread_mask); ++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); + } ++ ++ /* Identifying correct HW threads within physical cores */ ++ cpumask_shift_left(hw_thread_mask, hw_thread_mask, ++ num_cores_per_socket * ++ node_affinity.num_online_nodes * ++ hw_thread_no); + } + + int hfi1_get_proc_affinity(int node) +-- +2.39.5 + diff --git a/queue-6.12/remoteproc-imx_rproc-skip-clock-enable-when-m-core-i.patch b/queue-6.12/remoteproc-imx_rproc-skip-clock-enable-when-m-core-i.patch new file mode 100644 index 0000000000..0ddbd8161a --- /dev/null +++ b/queue-6.12/remoteproc-imx_rproc-skip-clock-enable-when-m-core-i.patch @@ -0,0 +1,59 @@ +From e4cd4f4896d89fc1aa8213b36923a4bf85c8715f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jun 2025 14:25:11 -0300 +Subject: remoteproc: imx_rproc: skip clock enable when M-core is managed by + the SCU + +From: Hiago De Franco + +[ Upstream commit 496deecb020d14ba89ba7084fbc3024f91687023 ] + +For the i.MX8X and i.MX8 family SoCs, when the Cortex-M core is powered +up and started by the Cortex-A core using the bootloader (e.g., via the +U-Boot bootaux command), both M-core and Linux run within the same SCFW +(System Controller Firmware) partition. With that, Linux has permission +to control the M-core. + +But once the M-core is started by the bootloader, the SCFW automatically +enables its clock and sets the clock rate. If Linux later attempts to +enable the same clock via clk_prepare_enable(), the SCFW returns a +'LOCKED' error, as the clock is already configured by the SCFW. This +causes the probe function in imx_rproc.c to fail, leading to the M-core +power domain being shut down while the core is still running. This +results in a fault from the SCU (System Controller Unit) and triggers a +system reset. + +To address this issue, ignore handling the clk for i.MX8X and i.MX8 +M-core, as SCFW already takes care of enabling and configuring the +clock. + +Suggested-by: Peng Fan +Reviewed-by: Ulf Hansson +Reviewed-by: Peng Fan +Signed-off-by: Hiago De Franco +Acked-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20250629172512.14857-3-hiagofranco@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/imx_rproc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c +index 800015ff7ff9..cc3f5b7fe9dd 100644 +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -1029,8 +1029,8 @@ static int imx_rproc_clk_enable(struct imx_rproc *priv) + struct device *dev = priv->dev; + int ret; + +- /* Remote core is not under control of Linux */ +- if (dcfg->method == IMX_RPROC_NONE) ++ /* Remote core is not under control of Linux or it is managed by SCU API */ ++ if (dcfg->method == IMX_RPROC_NONE || dcfg->method == IMX_RPROC_SCU_API) + return 0; + + priv->clk = devm_clk_get(dev, NULL); +-- +2.39.5 + diff --git a/queue-6.12/reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch b/queue-6.12/reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch new file mode 100644 index 0000000000..3ba32b4f49 --- /dev/null +++ b/queue-6.12/reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch @@ -0,0 +1,59 @@ +From 367a7130fd339f9801d980daa084bc565db99510 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 18:52:58 +0100 +Subject: reset: brcmstb: Enable reset drivers for ARCH_BCM2835 + +From: Peter Robinson + +[ Upstream commit 1d99f92f71b6b4b2eee776562c991428490f71ef ] + +The BRCMSTB and BRCMSTB_RESCAL reset drivers are also +used in the BCM2712, AKA the RPi5. The RPi platforms +have typically used the ARCH_BCM2835, and the PCIe +support for this SoC can use this config which depends +on these drivers so enable building them when just that +arch option is enabled to ensure the platform works as +expected. + +Signed-off-by: Peter Robinson +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20250630175301.846082-1-pbrobinson@gmail.com +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/Kconfig | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/reset/Kconfig b/drivers/reset/Kconfig +index 5484a65f66b9..1cf577e3223b 100644 +--- a/drivers/reset/Kconfig ++++ b/drivers/reset/Kconfig +@@ -51,8 +51,8 @@ config RESET_BERLIN + + config RESET_BRCMSTB + tristate "Broadcom STB reset controller" +- depends on ARCH_BRCMSTB || COMPILE_TEST +- default ARCH_BRCMSTB ++ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST ++ default ARCH_BRCMSTB || ARCH_BCM2835 + help + This enables the reset controller driver for Broadcom STB SoCs using + a SUN_TOP_CTRL_SW_INIT style controller. +@@ -60,11 +60,11 @@ config RESET_BRCMSTB + config RESET_BRCMSTB_RESCAL + tristate "Broadcom STB RESCAL reset controller" + depends on HAS_IOMEM +- depends on ARCH_BRCMSTB || COMPILE_TEST +- default ARCH_BRCMSTB ++ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST ++ default ARCH_BRCMSTB || ARCH_BCM2835 + help + This enables the RESCAL reset controller for SATA, PCIe0, or PCIe1 on +- BCM7216. ++ BCM7216 or the BCM2712. + + config RESET_EYEQ + bool "Mobileye EyeQ reset controller" +-- +2.39.5 + diff --git a/queue-6.12/rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch b/queue-6.12/rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch new file mode 100644 index 0000000000..6c1a9a9077 --- /dev/null +++ b/queue-6.12/rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch @@ -0,0 +1,63 @@ +From ac444888b1f40ed411a6f1025461ed8887874a95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 11:14:16 -0700 +Subject: rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 + +From: Meagan Lloyd + +[ Upstream commit 523923cfd5d622b8f4ba893fdaf29fa6adeb8c3e ] + +In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the +kernel time as long as rtc_read_time() succeeds. In some power loss +situations, our supercapacitor-backed DS1342 RTC comes up with either an +unpredictable future time or the default 01/01/00 from the datasheet. +The oscillator stop flag (OSF) is set in these scenarios due to the +power loss and can be used to determine the validity of the RTC data. + +This change expands the oscillator stop flag (OSF) handling that has +already been implemented for some chips to the ds1341 chip (DS1341 and +DS1342 share a datasheet). This handling manages the validity of the RTC +data in .read_time and .set_time based on the OSF. + +Signed-off-by: Meagan Lloyd +Reviewed-by: Tyler Hicks +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/1749665656-30108-3-git-send-email-meaganlloyd@linux.microsoft.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index c8a666de9cbe..c6d388bb4a19 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -279,6 +279,13 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t) + if (tmp & DS1340_BIT_OSF) + return -EINVAL; + break; ++ case ds_1341: ++ ret = regmap_read(ds1307->regmap, DS1337_REG_STATUS, &tmp); ++ if (ret) ++ return ret; ++ if (tmp & DS1337_BIT_OSF) ++ return -EINVAL; ++ break; + case ds_1388: + ret = regmap_read(ds1307->regmap, DS1388_REG_FLAG, &tmp); + if (ret) +@@ -377,6 +384,10 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t) + regmap_update_bits(ds1307->regmap, DS1340_REG_FLAG, + DS1340_BIT_OSF, 0); + break; ++ case ds_1341: ++ regmap_update_bits(ds1307->regmap, DS1337_REG_STATUS, ++ DS1337_BIT_OSF, 0); ++ break; + case ds_1388: + regmap_update_bits(ds1307->regmap, DS1388_REG_FLAG, + DS1388_BIT_OSF, 0); +-- +2.39.5 + diff --git a/queue-6.12/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch b/queue-6.12/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch new file mode 100644 index 0000000000..4e1c17de8e --- /dev/null +++ b/queue-6.12/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch @@ -0,0 +1,52 @@ +From 97051f2f9d5a73e5d9fafd9b1b7ce29bb07df7e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 11:14:15 -0700 +Subject: rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe + +From: Meagan Lloyd + +[ Upstream commit 48458654659c9c2e149c211d86637f1592470da5 ] + +In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the +kernel time as long as rtc_read_time() succeeds. In some power loss +situations, our supercapacitor-backed DS1342 RTC comes up with either an +unpredictable future time or the default 01/01/00 from the datasheet. +The oscillator stop flag (OSF) is set in these scenarios due to the +power loss and can be used to determine the validity of the RTC data. + +Some chip types in the ds1307 driver already have OSF handling to +determine whether .read_time provides valid RTC data or returns -EINVAL. + +This change removes the clear of the OSF in .probe as the OSF needs to +be preserved to expand the OSF handling to the ds1341 chip type (note +that DS1341 and DS1342 share a datasheet). + +Signed-off-by: Meagan Lloyd +Reviewed-by: Tyler Hicks +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/1749665656-30108-2-git-send-email-meaganlloyd@linux.microsoft.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index c6d388bb4a19..1960d1bd851c 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -1824,10 +1824,8 @@ static int ds1307_probe(struct i2c_client *client) + regmap_write(ds1307->regmap, DS1337_REG_CONTROL, + regs[0]); + +- /* oscillator fault? clear flag, and warn */ ++ /* oscillator fault? warn */ + if (regs[1] & DS1337_BIT_OSF) { +- regmap_write(ds1307->regmap, DS1337_REG_STATUS, +- regs[1] & ~DS1337_BIT_OSF); + dev_warn(ds1307->dev, "SET TIME!\n"); + } + break; +-- +2.39.5 + diff --git a/queue-6.12/s390-early-copy-last-breaking-event-address-to-pt_re.patch b/queue-6.12/s390-early-copy-last-breaking-event-address-to-pt_re.patch new file mode 100644 index 0000000000..1373e6e4be --- /dev/null +++ b/queue-6.12/s390-early-copy-last-breaking-event-address-to-pt_re.patch @@ -0,0 +1,41 @@ +From 810acaee29aa20f855e0b485f47b455ea3028977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 18:12:06 +0200 +Subject: s390/early: Copy last breaking event address to pt_regs + +From: Heiko Carstens + +[ Upstream commit 7cf636c99b257c1b4b12066ab34fd5f06e8d892f ] + +In case of an early crash the early program check handler also prints the +last breaking event address which is contained within the pt_regs +structure. However it is not initialized, and therefore a more or less +random value is printed in case of a crash. + +Copy the last breaking event address from lowcore to pt_regs in case of an +early program check to address this. This also makes it easier to analyze +early crashes. + +Reviewed-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/early.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c +index 62f8f5a750a3..0c054e2d1e03 100644 +--- a/arch/s390/kernel/early.c ++++ b/arch/s390/kernel/early.c +@@ -183,6 +183,7 @@ void __init __do_early_pgm_check(struct pt_regs *regs) + + regs->int_code = lc->pgm_int_code; + regs->int_parm_long = lc->trans_exc_code; ++ regs->last_break = lc->pgm_last_break; + ip = __rewind_psw(regs->psw, regs->int_code >> 16); + + /* Monitor Event? Might be a warning */ +-- +2.39.5 + diff --git a/queue-6.12/s390-stp-remove-udelay-from-stp_sync_clock.patch b/queue-6.12/s390-stp-remove-udelay-from-stp_sync_clock.patch new file mode 100644 index 0000000000..769954807e --- /dev/null +++ b/queue-6.12/s390-stp-remove-udelay-from-stp_sync_clock.patch @@ -0,0 +1,44 @@ +From f7f45e54cbb6793ff6b35ef918c4c0467cceade3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:50:27 +0200 +Subject: s390/stp: Remove udelay from stp_sync_clock() + +From: Sven Schnelle + +[ Upstream commit b367017cdac21781a74eff4e208d3d38e1f38d3f ] + +When an stp sync check is handled on a system with multiple +cpus each cpu gets a machine check but only the first one +actually handles the sync operation. All other CPUs spin +waiting for the first one to finish with a short udelay(). +But udelay can't be used here as the first CPU modifies tod_clock_base +before performing the sync op. During this timeframe +get_tod_clock_monotonic() might return a non-monotonic time. + +The time spent waiting should be very short and udelay is a busy loop +anyways, therefore simply remove the udelay. + +Reviewed-by: Heiko Carstens +Signed-off-by: Sven Schnelle +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c +index b713effe0579..96fc41f26d7e 100644 +--- a/arch/s390/kernel/time.c ++++ b/arch/s390/kernel/time.c +@@ -579,7 +579,7 @@ static int stp_sync_clock(void *data) + atomic_dec(&sync->cpus); + /* Wait for in_sync to be set. */ + while (READ_ONCE(sync->in_sync) == 0) +- __udelay(1); ++ ; + } + if (sync->in_sync != 1) + /* Didn't work. Clear per-cpu in sync bit again. */ +-- +2.39.5 + diff --git a/queue-6.12/s390-time-use-monotonic-clock-in-get_cycles.patch b/queue-6.12/s390-time-use-monotonic-clock-in-get_cycles.patch new file mode 100644 index 0000000000..d3850d162d --- /dev/null +++ b/queue-6.12/s390-time-use-monotonic-clock-in-get_cycles.patch @@ -0,0 +1,54 @@ +From f122a3f7ece2e2e62d15a22e1aff25f7cdd8a367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 09:42:29 +0200 +Subject: s390/time: Use monotonic clock in get_cycles() + +From: Sven Schnelle + +[ Upstream commit 09e7e29d2b49ba84bcefb3dc1657726d2de5bb24 ] + +Otherwise the code might not work correctly when the clock +is changed. + +Signed-off-by: Sven Schnelle +Reviewed-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/timex.h | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h +index 640901f2fbc3..811ec531954b 100644 +--- a/arch/s390/include/asm/timex.h ++++ b/arch/s390/include/asm/timex.h +@@ -192,13 +192,6 @@ static inline unsigned long get_tod_clock_fast(void) + asm volatile("stckf %0" : "=Q" (clk) : : "cc"); + return clk; + } +- +-static inline cycles_t get_cycles(void) +-{ +- return (cycles_t) get_tod_clock() >> 2; +-} +-#define get_cycles get_cycles +- + int get_phys_clock(unsigned long *clock); + void init_cpu_timer(void); + +@@ -226,6 +219,12 @@ static inline unsigned long get_tod_clock_monotonic(void) + return tod; + } + ++static inline cycles_t get_cycles(void) ++{ ++ return (cycles_t)get_tod_clock_monotonic() >> 2; ++} ++#define get_cycles get_cycles ++ + /** + * tod_to_ns - convert a TOD format value to nanoseconds + * @todval: to be converted TOD format value +-- +2.39.5 + diff --git a/queue-6.12/sched-deadline-fix-accounting-after-global-limits-ch.patch b/queue-6.12/sched-deadline-fix-accounting-after-global-limits-ch.patch new file mode 100644 index 0000000000..b17fe884d4 --- /dev/null +++ b/queue-6.12/sched-deadline-fix-accounting-after-global-limits-ch.patch @@ -0,0 +1,70 @@ +From e1b2a7b48735b8c73d3f2574c2ed4ca60d5ad771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 13:51:16 +0200 +Subject: sched/deadline: Fix accounting after global limits change + +From: Juri Lelli + +[ Upstream commit 440989c10f4e32620e9e2717ca52c3ed7ae11048 ] + +A global limits change (sched_rt_handler() logic) currently leaves stale +and/or incorrect values in variables related to accounting (e.g. +extra_bw). + +Properly clean up per runqueue variables before implementing the change +and rebuild scheduling domains (so that accounting is also properly +restored) after such a change is complete. + +Reported-by: Marcel Ziswiler +Signed-off-by: Juri Lelli +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Marcel Ziswiler # nuc & rock5b +Link: https://lore.kernel.org/r/20250627115118.438797-4-juri.lelli@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 4 +++- + kernel/sched/rt.c | 6 ++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 0a47e5155897..53e3670fbb1e 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -3227,6 +3227,9 @@ void sched_dl_do_global(void) + if (global_rt_runtime() != RUNTIME_INF) + new_bw = to_ratio(global_rt_period(), global_rt_runtime()); + ++ for_each_possible_cpu(cpu) ++ init_dl_rq_bw_ratio(&cpu_rq(cpu)->dl); ++ + for_each_possible_cpu(cpu) { + rcu_read_lock_sched(); + +@@ -3242,7 +3245,6 @@ void sched_dl_do_global(void) + raw_spin_unlock_irqrestore(&dl_b->lock, flags); + + rcu_read_unlock_sched(); +- init_dl_rq_bw_ratio(&cpu_rq(cpu)->dl); + } + } + +diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c +index 172c588de542..6ad6717084ed 100644 +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -2951,6 +2951,12 @@ static int sched_rt_handler(const struct ctl_table *table, int write, void *buff + } + mutex_unlock(&mutex); + ++ /* ++ * After changing maximum available bandwidth for DEADLINE, we need to ++ * recompute per root domain and per cpus variables accordingly. ++ */ ++ rebuild_sched_domains(); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.12/sched-fair-bump-sd-max_newidle_lb_cost-when-newidle-.patch b/queue-6.12/sched-fair-bump-sd-max_newidle_lb_cost-when-newidle-.patch new file mode 100644 index 0000000000..1013f8bc1b --- /dev/null +++ b/queue-6.12/sched-fair-bump-sd-max_newidle_lb_cost-when-newidle-.patch @@ -0,0 +1,90 @@ +From aa4832e966b15059886e135f3642c39385061501 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 07:39:10 -0700 +Subject: sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails + +From: Chris Mason + +[ Upstream commit 155213a2aed42c85361bf4f5c817f5cb68951c3b ] + +schbench (https://github.com/masoncl/schbench.git) is showing a +regression from previous production kernels that bisected down to: + +sched/fair: Remove sysctl_sched_migration_cost condition (c5b0a7eefc) + +The schbench command line was: + +schbench -L -m 4 -M auto -t 256 -n 0 -r 0 -s 0 + +This creates 4 message threads pinned to CPUs 0-3, and 256x4 worker +threads spread across the rest of the CPUs. Neither the worker threads +or the message threads do any work, they just wake each other up and go +back to sleep as soon as possible. + +The end result is the first 4 CPUs are pegged waking up those 1024 +workers, and the rest of the CPUs are constantly banging in and out of +idle. If I take a v6.9 Linus kernel and revert that one commit, +performance goes from 3.4M RPS to 5.4M RPS. + +schedstat shows there are ~100x more new idle balance operations, and +profiling shows the worker threads are spending ~20% of their CPU time +on new idle balance. schedstats also shows that almost all of these new +idle balance attemps are failing to find busy groups. + +The fix used here is to crank up the cost of the newidle balance whenever it +fails. Since we don't want sd->max_newidle_lb_cost to grow out of +control, this also changes update_newidle_cost() to use +sysctl_sched_migration_cost as the upper limit on max_newidle_lb_cost. + +Signed-off-by: Chris Mason +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Vincent Guittot +Link: https://lkml.kernel.org/r/20250626144017.1510594-2-clm@fb.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 7280ed04c96c..af61769b1d50 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -12220,8 +12220,14 @@ static inline bool update_newidle_cost(struct sched_domain *sd, u64 cost) + /* + * Track max cost of a domain to make sure to not delay the + * next wakeup on the CPU. ++ * ++ * sched_balance_newidle() bumps the cost whenever newidle ++ * balance fails, and we don't want things to grow out of ++ * control. Use the sysctl_sched_migration_cost as the upper ++ * limit, plus a litle extra to avoid off by ones. + */ +- sd->max_newidle_lb_cost = cost; ++ sd->max_newidle_lb_cost = ++ min(cost, sysctl_sched_migration_cost + 200); + sd->last_decay_max_lb_cost = jiffies; + } else if (time_after(jiffies, sd->last_decay_max_lb_cost + HZ)) { + /* +@@ -12926,10 +12932,17 @@ static int sched_balance_newidle(struct rq *this_rq, struct rq_flags *rf) + + t1 = sched_clock_cpu(this_cpu); + domain_cost = t1 - t0; +- update_newidle_cost(sd, domain_cost); +- + curr_cost += domain_cost; + t0 = t1; ++ ++ /* ++ * Failing newidle means it is not effective; ++ * bump the cost so we end up doing less of it. ++ */ ++ if (!pulled_task) ++ domain_cost = (3 * sd->max_newidle_lb_cost) / 2; ++ ++ update_newidle_cost(sd, domain_cost); + } + + /* +-- +2.39.5 + diff --git a/queue-6.12/scsi-aacraid-stop-using-pci_irq_affinity.patch b/queue-6.12/scsi-aacraid-stop-using-pci_irq_affinity.patch new file mode 100644 index 0000000000..81be0d2d04 --- /dev/null +++ b/queue-6.12/scsi-aacraid-stop-using-pci_irq_affinity.patch @@ -0,0 +1,69 @@ +From 84f304fb4b0aadcb5ebea762d1528787b8a8eb25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 11:15:35 +0000 +Subject: scsi: aacraid: Stop using PCI_IRQ_AFFINITY + +From: John Garry + +[ Upstream commit dafeaf2c03e71255438ffe5a341d94d180e6c88e ] + +When PCI_IRQ_AFFINITY is set for calling pci_alloc_irq_vectors(), it +means interrupts are spread around the available CPUs. It also means that +the interrupts become managed, which means that an interrupt is shutdown +when all the CPUs in the interrupt affinity mask go offline. + +Using managed interrupts in this way means that we should ensure that +completions should not occur on HW queues where the associated interrupt +is shutdown. This is typically achieved by ensuring only CPUs which are +online can generate IO completion traffic to the HW queue which they are +mapped to (so that they can also serve completion interrupts for that HW +queue). + +The problem in the driver is that a CPU can generate completions to a HW +queue whose interrupt may be shutdown, as the CPUs in the HW queue +interrupt affinity mask may be offline. This can cause IOs to never +complete and hang the system. The driver maintains its own CPU <-> HW +queue mapping for submissions, see aac_fib_vector_assign(), but this does +not reflect the CPU <-> HW queue interrupt affinity mapping. + +Commit 9dc704dcc09e ("scsi: aacraid: Reply queue mapping to CPUs based on +IRQ affinity") tried to remedy this issue may mapping CPUs properly to HW +queue interrupts. However this was later reverted in commit c5becf57dd56 +("Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ +affinity") - it seems that there were other reports of hangs. I guess +that this was due to some implementation issue in the original commit or +maybe a HW issue. + +Fix the very original hang by just not using managed interrupts by not +setting PCI_IRQ_AFFINITY. In this way, all CPUs will be in each HW queue +affinity mask, so should not create completion problems if any CPUs go +offline. + +Signed-off-by: John Garry +Link: https://lore.kernel.org/r/20250715111535.499853-1-john.g.garry@oracle.com +Closes: https://lore.kernel.org/linux-scsi/20250618192427.3845724-1-jmeneghi@redhat.com/ +Reviewed-by: John Meneghini +Tested-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/comminit.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c +index 28cf18955a08..726c8531b7d3 100644 +--- a/drivers/scsi/aacraid/comminit.c ++++ b/drivers/scsi/aacraid/comminit.c +@@ -481,8 +481,7 @@ void aac_define_int_mode(struct aac_dev *dev) + pci_find_capability(dev->pdev, PCI_CAP_ID_MSIX)) { + min_msix = 2; + i = pci_alloc_irq_vectors(dev->pdev, +- min_msix, msi_count, +- PCI_IRQ_MSIX | PCI_IRQ_AFFINITY); ++ min_msix, msi_count, PCI_IRQ_MSIX); + if (i > 0) { + dev->msi_enabled = 1; + msi_count = i; +-- +2.39.5 + diff --git a/queue-6.12/scsi-bfa-double-free-fix.patch b/queue-6.12/scsi-bfa-double-free-fix.patch new file mode 100644 index 0000000000..0d811a2933 --- /dev/null +++ b/queue-6.12/scsi-bfa-double-free-fix.patch @@ -0,0 +1,42 @@ +From 1f57e072f6a99c2fb1c7f1537f707f7d4d9b8592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 19:58:24 +0800 +Subject: scsi: bfa: Double-free fix + +From: jackysliu <1972843537@qq.com> + +[ Upstream commit add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9 ] + +When the bfad_im_probe() function fails during initialization, the memory +pointed to by bfad->im is freed without setting bfad->im to NULL. + +Subsequently, during driver uninstallation, when the state machine enters +the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, +it attempts to free the memory pointed to by bfad->im again, thereby +triggering a double-free vulnerability. + +Set bfad->im to NULL if probing fails. + +Signed-off-by: jackysliu <1972843537@qq.com> +Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfad_im.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c +index 66fb701401de..0cc04c84b259 100644 +--- a/drivers/scsi/bfa/bfad_im.c ++++ b/drivers/scsi/bfa/bfad_im.c +@@ -706,6 +706,7 @@ bfad_im_probe(struct bfad_s *bfad) + + if (bfad_thread_workq(bfad) != BFA_STATUS_OK) { + kfree(im); ++ bfad->im = NULL; + return BFA_STATUS_FAILED; + } + +-- +2.39.5 + diff --git a/queue-6.12/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch b/queue-6.12/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch new file mode 100644 index 0000000000..b79712794d --- /dev/null +++ b/queue-6.12/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch @@ -0,0 +1,136 @@ +From 9aae2d4223aad436fd7a7566053b5bcc70bf7810 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 11:46:49 +0530 +Subject: scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans + +From: Ranjan Kumar + +[ Upstream commit 37c4e72b0651e7697eb338cd1fb09feef472cc1a ] + +sas_user_scan() did not fully process wildcard channel scans +(SCAN_WILD_CARD) when a transport-specific user_scan() callback was +present. Only channel 0 would be scanned via user_scan(), while the +remaining channels were skipped, potentially missing devices. + +user_scan() invokes updated sas_user_scan() for channel 0, and if +successful, iteratively scans remaining channels (1 to +shost->max_channel) via scsi_scan_host_selected(). This ensures complete +wildcard scanning without affecting transport-specific scanning behavior. + +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20250624061649.17990-1-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 2 +- + drivers/scsi/scsi_transport_sas.c | 60 ++++++++++++++++++++++++------- + 2 files changed, 49 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index fe08af4dcb67..36e0b3105460 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -1881,7 +1881,7 @@ int scsi_scan_host_selected(struct Scsi_Host *shost, unsigned int channel, + + return 0; + } +- ++EXPORT_SYMBOL(scsi_scan_host_selected); + static void scsi_sysfs_add_devices(struct Scsi_Host *shost) + { + struct scsi_device *sdev; +diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c +index 4e33f1661e4c..d322802c7790 100644 +--- a/drivers/scsi/scsi_transport_sas.c ++++ b/drivers/scsi/scsi_transport_sas.c +@@ -40,6 +40,8 @@ + #include + + #include "scsi_sas_internal.h" ++#include "scsi_priv.h" ++ + struct sas_host_attrs { + struct list_head rphy_list; + struct mutex lock; +@@ -1681,32 +1683,66 @@ int scsi_is_sas_rphy(const struct device *dev) + } + EXPORT_SYMBOL(scsi_is_sas_rphy); + +- +-/* +- * SCSI scan helper +- */ +- +-static int sas_user_scan(struct Scsi_Host *shost, uint channel, +- uint id, u64 lun) ++static void scan_channel_zero(struct Scsi_Host *shost, uint id, u64 lun) + { + struct sas_host_attrs *sas_host = to_sas_host_attrs(shost); + struct sas_rphy *rphy; + +- mutex_lock(&sas_host->lock); + list_for_each_entry(rphy, &sas_host->rphy_list, list) { + if (rphy->identify.device_type != SAS_END_DEVICE || + rphy->scsi_target_id == -1) + continue; + +- if ((channel == SCAN_WILD_CARD || channel == 0) && +- (id == SCAN_WILD_CARD || id == rphy->scsi_target_id)) { ++ if (id == SCAN_WILD_CARD || id == rphy->scsi_target_id) { + scsi_scan_target(&rphy->dev, 0, rphy->scsi_target_id, + lun, SCSI_SCAN_MANUAL); + } + } +- mutex_unlock(&sas_host->lock); ++} + +- return 0; ++/* ++ * SCSI scan helper ++ */ ++ ++static int sas_user_scan(struct Scsi_Host *shost, uint channel, ++ uint id, u64 lun) ++{ ++ struct sas_host_attrs *sas_host = to_sas_host_attrs(shost); ++ int res = 0; ++ int i; ++ ++ switch (channel) { ++ case 0: ++ mutex_lock(&sas_host->lock); ++ scan_channel_zero(shost, id, lun); ++ mutex_unlock(&sas_host->lock); ++ break; ++ ++ case SCAN_WILD_CARD: ++ mutex_lock(&sas_host->lock); ++ scan_channel_zero(shost, id, lun); ++ mutex_unlock(&sas_host->lock); ++ ++ for (i = 1; i <= shost->max_channel; i++) { ++ res = scsi_scan_host_selected(shost, i, id, lun, ++ SCSI_SCAN_MANUAL); ++ if (res) ++ goto exit_scan; ++ } ++ break; ++ ++ default: ++ if (channel < shost->max_channel) { ++ res = scsi_scan_host_selected(shost, channel, id, lun, ++ SCSI_SCAN_MANUAL); ++ } else { ++ res = -EINVAL; ++ } ++ break; ++ } ++ ++exit_scan: ++ return res; + } + + +-- +2.39.5 + diff --git a/queue-6.12/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch b/queue-6.12/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch new file mode 100644 index 0000000000..7ff8ebbf47 --- /dev/null +++ b/queue-6.12/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch @@ -0,0 +1,63 @@ +From 02bda48f672877ba71360c2fd51cd675bbceb8bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 16:53:29 +0530 +Subject: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is + allocated + +From: Showrya M N + +[ Upstream commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 ] + +In case of an ib_fast_reg_mr allocation failure during iSER setup, the +machine hits a panic because iscsi_conn->dd_data is initialized +unconditionally, even when no memory is allocated (dd_size == 0). This +leads invalid pointer dereference during connection teardown. + +Fix by setting iscsi_conn->dd_data only if memory is actually allocated. + +Panic trace: +------------ + iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12 + iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers + BUG: unable to handle page fault for address: fffffffffffffff8 + RIP: 0010:swake_up_locked.part.5+0xa/0x40 + Call Trace: + complete+0x31/0x40 + iscsi_iser_conn_stop+0x88/0xb0 [ib_iser] + iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi] + iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi] + iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi] + ? netlink_lookup+0x12f/0x1b0 + ? netlink_deliver_tap+0x2c/0x200 + netlink_unicast+0x1ab/0x280 + netlink_sendmsg+0x257/0x4f0 + ? _copy_from_user+0x29/0x60 + sock_sendmsg+0x5f/0x70 + +Signed-off-by: Showrya M N +Signed-off-by: Potnuri Bharat Teja +Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 2b1bf990a9dc..29af3722ea22 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -3184,7 +3184,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size, + return NULL; + conn = cls_conn->dd_data; + +- conn->dd_data = cls_conn->dd_data + sizeof(*conn); ++ if (dd_size) ++ conn->dd_data = cls_conn->dd_data + sizeof(*conn); + conn->session = session; + conn->cls_conn = cls_conn; + conn->c_stage = ISCSI_CONN_INITIAL_STAGE; +-- +2.39.5 + diff --git a/queue-6.12/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch b/queue-6.12/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch new file mode 100644 index 0000000000..e00dfb0299 --- /dev/null +++ b/queue-6.12/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch @@ -0,0 +1,44 @@ +From aba59e4d7529f8ad3d6af6c62387e67ab49626c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 12:21:28 -0700 +Subject: scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport + structure + +From: Justin Tee + +[ Upstream commit 6698796282e828733cde3329c887b4ae9e5545e9 ] + +If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the +resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may +occur before sli4_hba.hdwqs are allocated. This may result in a null +pointer dereference when attempting to take the abts_io_buf_list_lock for +the first hardware queue. Fix by adding a null ptr check on +phba->sli4_hba.hdwq and early return because this situation means there +must have been an error during port initialization. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20250618192138.124116-4-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_scsi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index 905026a4782c..67e089881181 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -390,6 +390,10 @@ lpfc_sli4_vport_delete_fcp_xri_aborted(struct lpfc_vport *vport) + if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_FCP)) + return; + ++ /* may be called before queues established if hba_setup fails */ ++ if (!phba->sli4_hba.hdwq) ++ return; ++ + spin_lock_irqsave(&phba->hbalock, iflag); + for (idx = 0; idx < phba->cfg_hdw_queue; idx++) { + qp = &phba->sli4_hba.hdwq[idx]; +-- +2.39.5 + diff --git a/queue-6.12/scsi-lpfc-ensure-hba_setup-flag-is-used-only-for-sli.patch b/queue-6.12/scsi-lpfc-ensure-hba_setup-flag-is-used-only-for-sli.patch new file mode 100644 index 0000000000..fe78e61736 --- /dev/null +++ b/queue-6.12/scsi-lpfc-ensure-hba_setup-flag-is-used-only-for-sli.patch @@ -0,0 +1,40 @@ +From f57bac2c3c1ae839d06a163cead4e526aea7b640 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 12:21:33 -0700 +Subject: scsi: lpfc: Ensure HBA_SETUP flag is used only for SLI4 in + dev_loss_tmo_callbk + +From: Justin Tee + +[ Upstream commit 1cced5779e7a3ff7ec025fc47c76a7bd3bb38877 ] + +For SLI3, the HBA_SETUP flag is never set so the lpfc_dev_loss_tmo_callbk +always early returns. Add a phba->sli_rev check for SLI4 mode so that +the SLI3 path can flow through the original dev_loss_tmo worker thread +design to lpfc_dev_loss_tmo_handler instead of early return. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20250618192138.124116-9-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index b5dd17eecf82..3ba515c1fe3a 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -177,7 +177,8 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport) + + /* Don't schedule a worker thread event if the vport is going down. */ + if (test_bit(FC_UNLOADING, &vport->load_flag) || +- !test_bit(HBA_SETUP, &phba->hba_flag)) { ++ (phba->sli_rev == LPFC_SLI_REV4 && ++ !test_bit(HBA_SETUP, &phba->hba_flag))) { + + spin_lock_irqsave(&ndlp->lock, iflags); + ndlp->rport = NULL; +-- +2.39.5 + diff --git a/queue-6.12/scsi-mpi3mr-correctly-handle-ata-device-errors.patch b/queue-6.12/scsi-mpi3mr-correctly-handle-ata-device-errors.patch new file mode 100644 index 0000000000..c969b529a6 --- /dev/null +++ b/queue-6.12/scsi-mpi3mr-correctly-handle-ata-device-errors.patch @@ -0,0 +1,86 @@ +From 1cffc5d5c53263440869dbac3083acf81e3c6b0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 14:27:46 +0900 +Subject: scsi: mpi3mr: Correctly handle ATA device errors + +From: Damien Le Moal + +[ Upstream commit 04caad5a7ba86e830d04750417a15bad8ac2613c ] + +With the ATA error model, an NCQ command failure always triggers an abort +(termination) of all NCQ commands queued on the device. In such case, the +SAT or the host must handle the failed command according to the command +sense data and immediately retry all other NCQ commands that were aborted +due to the failed NCQ command. + +For SAS HBAs controlled by the mpi3mr driver, NCQ command aborts are not +handled by the HBA SAT and sent back to the host, with an ioc log +information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code +PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function +mpi3mr_process_op_reply_desc() always forces a retry of commands +terminated with the status MPI3_IOCSTATUS_SCSI_IOC_TERMINATED using the +SCSI result DID_SOFT_ERROR, regardless of the ioc_loginfo for the +command. This correctly forces the retry of collateral NCQ abort +commands, but with the retry counter for the command being incremented. +If a command to an ATA device is subject to too many retries due to other +NCQ commands failing (e.g. read commands trying to access unreadable +sectors), the collateral NCQ abort commands may be terminated with an +error as they run out of retries. This violates the SAT specification and +causes hard-to-debug command errors. + +Solve this issue by modifying the handling of the +MPI3_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an +ATA device and if the command ioc_loginfo indicates an NCQ collateral +abort. If that is the case, force the command retry using the SCSI result +DID_IMM_RETRY to avoid incrementing the command retry count. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250606052747.742998-2-dlemoal@kernel.org +Tested-by: Yafang Shao +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpi3mr/mpi3mr_os.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c +index 1e8735538b23..990646e1e18d 100644 +--- a/drivers/scsi/mpi3mr/mpi3mr_os.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_os.c +@@ -49,6 +49,13 @@ static void mpi3mr_send_event_ack(struct mpi3mr_ioc *mrioc, u8 event, + + #define MPI3_EVENT_WAIT_FOR_DEVICES_TO_REFRESH (0xFFFE) + ++/* ++ * SAS Log info code for a NCQ collateral abort after an NCQ error: ++ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR ++ * See: drivers/message/fusion/lsi/mpi_log_sas.h ++ */ ++#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000 ++ + /** + * mpi3mr_host_tag_for_scmd - Get host tag for a scmd + * @mrioc: Adapter instance reference +@@ -3397,7 +3404,18 @@ void mpi3mr_process_op_reply_desc(struct mpi3mr_ioc *mrioc, + scmd->result = DID_NO_CONNECT << 16; + break; + case MPI3_IOCSTATUS_SCSI_IOC_TERMINATED: +- scmd->result = DID_SOFT_ERROR << 16; ++ if (ioc_loginfo == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) { ++ /* ++ * This is a ATA NCQ command aborted due to another NCQ ++ * command failure. We must retry this command ++ * immediately but without incrementing its retry ++ * counter. ++ */ ++ WARN_ON_ONCE(xfer_count != 0); ++ scmd->result = DID_IMM_RETRY << 16; ++ } else { ++ scmd->result = DID_SOFT_ERROR << 16; ++ } + break; + case MPI3_IOCSTATUS_SCSI_TASK_TERMINATED: + case MPI3_IOCSTATUS_SCSI_EXT_TERMINATED: +-- +2.39.5 + diff --git a/queue-6.12/scsi-mpt3sas-correctly-handle-ata-device-errors.patch b/queue-6.12/scsi-mpt3sas-correctly-handle-ata-device-errors.patch new file mode 100644 index 0000000000..1124879607 --- /dev/null +++ b/queue-6.12/scsi-mpt3sas-correctly-handle-ata-device-errors.patch @@ -0,0 +1,85 @@ +From e8a417d3696bac5aaa0319f46805b698f130d2c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 14:27:47 +0900 +Subject: scsi: mpt3sas: Correctly handle ATA device errors + +From: Damien Le Moal + +[ Upstream commit 15592a11d5a5c8411ac8494ec49736b658f6fbff ] + +With the ATA error model, an NCQ command failure always triggers an abort +(termination) of all NCQ commands queued on the device. In such case, the +SAT or the host must handle the failed command according to the command +sense data and immediately retry all other NCQ commands that were aborted +due to the failed NCQ command. + +For SAS HBAs controlled by the mpt3sas driver, NCQ command aborts are not +handled by the HBA SAT and sent back to the host, with an ioc log +information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code +PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function +_scsih_io_done() always forces a retry of commands terminated with the +status MPI2_IOCSTATUS_SCSI_IOC_TERMINATED using the SCSI result +DID_SOFT_ERROR, regardless of the log_info for the command. This +correctly forces the retry of collateral NCQ abort commands, but with the +retry counter for the command being incremented. If a command to an ATA +device is subject to too many retries due to other NCQ commands failing +(e.g. read commands trying to access unreadable sectors), the collateral +NCQ abort commands may be terminated with an error as they run out of +retries. This violates the SAT specification and causes hard-to-debug +command errors. + +Solve this issue by modifying the handling of the +MPI2_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an +ATA device and if the command loginfo indicates an NCQ collateral +abort. If that is the case, force the command retry using the SCSI result +DID_IMM_RETRY to avoid incrementing the command retry count. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250606052747.742998-3-dlemoal@kernel.org +Tested-by: Yafang Shao +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index 91aa9de3b84f..9719da76461c 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -195,6 +195,14 @@ struct sense_info { + #define MPT3SAS_PORT_ENABLE_COMPLETE (0xFFFD) + #define MPT3SAS_ABRT_TASK_SET (0xFFFE) + #define MPT3SAS_REMOVE_UNRESPONDING_DEVICES (0xFFFF) ++ ++/* ++ * SAS Log info code for a NCQ collateral abort after an NCQ error: ++ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR ++ * See: drivers/message/fusion/lsi/mpi_log_sas.h ++ */ ++#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000 ++ + /** + * struct fw_event_work - firmware event struct + * @list: link list framework +@@ -5814,6 +5822,17 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply) + scmd->result = DID_TRANSPORT_DISRUPTED << 16; + goto out; + } ++ if (log_info == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) { ++ /* ++ * This is a ATA NCQ command aborted due to another NCQ ++ * command failure. We must retry this command ++ * immediately but without incrementing its retry ++ * counter. ++ */ ++ WARN_ON_ONCE(xfer_cnt != 0); ++ scmd->result = DID_IMM_RETRY << 16; ++ break; ++ } + if (log_info == 0x31110630) { + if (scmd->retries > 2) { + scmd->result = DID_NO_CONNECT << 16; +-- +2.39.5 + diff --git a/queue-6.12/scsi-target-core-generate-correct-identifiers-for-pr.patch b/queue-6.12/scsi-target-core-generate-correct-identifiers-for-pr.patch new file mode 100644 index 0000000000..af5b54b4af --- /dev/null +++ b/queue-6.12/scsi-target-core-generate-correct-identifiers-for-pr.patch @@ -0,0 +1,237 @@ +From 81f2ddec8cc50b6e9d3cbda5fc30a2590b517c0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 15:37:38 +0200 +Subject: scsi: target: core: Generate correct identifiers for PR OUT transport + IDs + +From: Maurizio Lombardi + +[ Upstream commit 6e0f6aa44b68335df404a2df955055f416b5f2aa ] + +Fix target_parse_pr_out_transport_id() to return a string representing +the transport ID in a human-readable format (e.g., naa.xxxxxxxx...) for +various SCSI protocol types (SAS, FCP, SRP, SBP). + +Previously, the function returned a pointer to the raw binary buffer, +which was incorrectly compared against human-readable strings, causing +comparisons to fail. Now, the function writes a properly formatted +string into a buffer provided by the caller. The output format depends +on the transport protocol: + +* SAS: 64-bit identifier, "naa." prefix. +* FCP: 64-bit identifier, colon separated values. +* SBP: 64-bit identifier, no prefix. +* SRP: 128-bit identifier, "0x" prefix. +* iSCSI: IQN string. + +Signed-off-by: Maurizio Lombardi +Link: https://lore.kernel.org/r/20250714133738.11054-1-mlombard@redhat.com +Reviewed-by: Dmitry Bogdanov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_fabric_lib.c | 63 +++++++++++++++++++------ + drivers/target/target_core_internal.h | 4 +- + drivers/target/target_core_pr.c | 18 +++---- + 3 files changed, 60 insertions(+), 25 deletions(-) + +diff --git a/drivers/target/target_core_fabric_lib.c b/drivers/target/target_core_fabric_lib.c +index 43f47e3aa448..ec7bc6e30228 100644 +--- a/drivers/target/target_core_fabric_lib.c ++++ b/drivers/target/target_core_fabric_lib.c +@@ -257,11 +257,41 @@ static int iscsi_get_pr_transport_id_len( + return len; + } + +-static char *iscsi_parse_pr_out_transport_id( ++static void sas_parse_pr_out_transport_id(char *buf, char *i_str) ++{ ++ char hex[17] = {}; ++ ++ bin2hex(hex, buf + 4, 8); ++ snprintf(i_str, TRANSPORT_IQN_LEN, "naa.%s", hex); ++} ++ ++static void srp_parse_pr_out_transport_id(char *buf, char *i_str) ++{ ++ char hex[33] = {}; ++ ++ bin2hex(hex, buf + 8, 16); ++ snprintf(i_str, TRANSPORT_IQN_LEN, "0x%s", hex); ++} ++ ++static void fcp_parse_pr_out_transport_id(char *buf, char *i_str) ++{ ++ snprintf(i_str, TRANSPORT_IQN_LEN, "%8phC", buf + 8); ++} ++ ++static void sbp_parse_pr_out_transport_id(char *buf, char *i_str) ++{ ++ char hex[17] = {}; ++ ++ bin2hex(hex, buf + 8, 8); ++ snprintf(i_str, TRANSPORT_IQN_LEN, "%s", hex); ++} ++ ++static bool iscsi_parse_pr_out_transport_id( + struct se_portal_group *se_tpg, + char *buf, + u32 *out_tid_len, +- char **port_nexus_ptr) ++ char **port_nexus_ptr, ++ char *i_str) + { + char *p; + int i; +@@ -282,7 +312,7 @@ static char *iscsi_parse_pr_out_transport_id( + if ((format_code != 0x00) && (format_code != 0x40)) { + pr_err("Illegal format code: 0x%02x for iSCSI" + " Initiator Transport ID\n", format_code); +- return NULL; ++ return false; + } + /* + * If the caller wants the TransportID Length, we set that value for the +@@ -306,7 +336,7 @@ static char *iscsi_parse_pr_out_transport_id( + pr_err("Unable to locate \",i,0x\" separator" + " for Initiator port identifier: %s\n", + &buf[4]); +- return NULL; ++ return false; + } + *p = '\0'; /* Terminate iSCSI Name */ + p += 5; /* Skip over ",i,0x" separator */ +@@ -339,7 +369,8 @@ static char *iscsi_parse_pr_out_transport_id( + } else + *port_nexus_ptr = NULL; + +- return &buf[4]; ++ strscpy(i_str, &buf[4], TRANSPORT_IQN_LEN); ++ return true; + } + + int target_get_pr_transport_id_len(struct se_node_acl *nacl, +@@ -387,33 +418,35 @@ int target_get_pr_transport_id(struct se_node_acl *nacl, + } + } + +-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg, +- char *buf, u32 *out_tid_len, char **port_nexus_ptr) ++bool target_parse_pr_out_transport_id(struct se_portal_group *tpg, ++ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str) + { +- u32 offset; +- + switch (tpg->proto_id) { + case SCSI_PROTOCOL_SAS: + /* + * Assume the FORMAT CODE 00b from spc4r17, 7.5.4.7 TransportID + * for initiator ports using SCSI over SAS Serial SCSI Protocol. + */ +- offset = 4; ++ sas_parse_pr_out_transport_id(buf, i_str); + break; +- case SCSI_PROTOCOL_SBP: + case SCSI_PROTOCOL_SRP: ++ srp_parse_pr_out_transport_id(buf, i_str); ++ break; + case SCSI_PROTOCOL_FCP: +- offset = 8; ++ fcp_parse_pr_out_transport_id(buf, i_str); ++ break; ++ case SCSI_PROTOCOL_SBP: ++ sbp_parse_pr_out_transport_id(buf, i_str); + break; + case SCSI_PROTOCOL_ISCSI: + return iscsi_parse_pr_out_transport_id(tpg, buf, out_tid_len, +- port_nexus_ptr); ++ port_nexus_ptr, i_str); + default: + pr_err("Unknown proto_id: 0x%02x\n", tpg->proto_id); +- return NULL; ++ return false; + } + + *port_nexus_ptr = NULL; + *out_tid_len = 24; +- return buf + offset; ++ return true; + } +diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h +index 408be26d2e9b..20aab1f50565 100644 +--- a/drivers/target/target_core_internal.h ++++ b/drivers/target/target_core_internal.h +@@ -103,8 +103,8 @@ int target_get_pr_transport_id_len(struct se_node_acl *nacl, + int target_get_pr_transport_id(struct se_node_acl *nacl, + struct t10_pr_registration *pr_reg, int *format_code, + unsigned char *buf); +-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg, +- char *buf, u32 *out_tid_len, char **port_nexus_ptr); ++bool target_parse_pr_out_transport_id(struct se_portal_group *tpg, ++ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str); + + /* target_core_hba.c */ + struct se_hba *core_alloc_hba(const char *, u32, u32); +diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c +index 47fe50b80c22..82061cbe6781 100644 +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -1478,11 +1478,12 @@ core_scsi3_decode_spec_i_port( + LIST_HEAD(tid_dest_list); + struct pr_transport_id_holder *tidh_new, *tidh, *tidh_tmp; + unsigned char *buf, *ptr, proto_ident; +- const unsigned char *i_str = NULL; ++ unsigned char i_str[TRANSPORT_IQN_LEN]; + char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN]; + sense_reason_t ret; + u32 tpdl, tid_len = 0; + u32 dest_rtpi = 0; ++ bool tid_found; + + /* + * Allocate a struct pr_transport_id_holder and setup the +@@ -1571,9 +1572,9 @@ core_scsi3_decode_spec_i_port( + dest_rtpi = tmp_lun->lun_tpg->tpg_rtpi; + + iport_ptr = NULL; +- i_str = target_parse_pr_out_transport_id(tmp_tpg, +- ptr, &tid_len, &iport_ptr); +- if (!i_str) ++ tid_found = target_parse_pr_out_transport_id(tmp_tpg, ++ ptr, &tid_len, &iport_ptr, i_str); ++ if (!tid_found) + continue; + /* + * Determine if this SCSI device server requires that +@@ -3153,13 +3154,14 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key, + struct t10_pr_registration *pr_reg, *pr_res_holder, *dest_pr_reg; + struct t10_reservation *pr_tmpl = &dev->t10_pr; + unsigned char *buf; +- const unsigned char *initiator_str; ++ unsigned char initiator_str[TRANSPORT_IQN_LEN]; + char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN] = { }; + u32 tid_len, tmp_tid_len; + int new_reg = 0, type, scope, matching_iname; + sense_reason_t ret; + unsigned short rtpi; + unsigned char proto_ident; ++ bool tid_found; + + if (!se_sess || !se_lun) { + pr_err("SPC-3 PR: se_sess || struct se_lun is NULL!\n"); +@@ -3278,9 +3280,9 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key, + ret = TCM_INVALID_PARAMETER_LIST; + goto out; + } +- initiator_str = target_parse_pr_out_transport_id(dest_se_tpg, +- &buf[24], &tmp_tid_len, &iport_ptr); +- if (!initiator_str) { ++ tid_found = target_parse_pr_out_transport_id(dest_se_tpg, ++ &buf[24], &tmp_tid_len, &iport_ptr, initiator_str); ++ if (!tid_found) { + pr_err("SPC-3 PR REGISTER_AND_MOVE: Unable to locate" + " initiator_str from Transport ID\n"); + ret = TCM_INVALID_PARAMETER_LIST; +-- +2.39.5 + diff --git a/queue-6.12/securityfs-don-t-pin-dentries-twice-once-is-enough.patch b/queue-6.12/securityfs-don-t-pin-dentries-twice-once-is-enough.patch new file mode 100644 index 0000000000..779634347f --- /dev/null +++ b/queue-6.12/securityfs-don-t-pin-dentries-twice-once-is-enough.patch @@ -0,0 +1,44 @@ +From dda8d955cf55b95d7b380a71df44d9c80d142d15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 23:38:01 -0400 +Subject: securityfs: don't pin dentries twice, once is enough... + +From: Al Viro + +[ Upstream commit 27cd1bf1240d482e4f02ca4f9812e748f3106e4f ] + +incidentally, securityfs_recursive_remove() is broken without that - +it leaks dentries, since simple_recursive_removal() does not expect +anything of that sort. It could be worked around by dput() in +remove_one() callback, but it's easier to just drop that double-get +stuff. + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + security/inode.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/security/inode.c b/security/inode.c +index da3ab44c8e57..58cc60c50498 100644 +--- a/security/inode.c ++++ b/security/inode.c +@@ -159,7 +159,6 @@ static struct dentry *securityfs_create_dentry(const char *name, umode_t mode, + inode->i_fop = fops; + } + d_instantiate(dentry, inode); +- dget(dentry); + inode_unlock(dir); + return dentry; + +@@ -306,7 +305,6 @@ void securityfs_remove(struct dentry *dentry) + simple_rmdir(dir, dentry); + else + simple_unlink(dir, dentry); +- dput(dentry); + } + inode_unlock(dir); + simple_release_fs(&mount, &mount_count); +-- +2.39.5 + diff --git a/queue-6.12/selftests-bpf-fix-a-user_ringbuf-failure-with-arm64-.patch b/queue-6.12/selftests-bpf-fix-a-user_ringbuf-failure-with-arm64-.patch new file mode 100644 index 0000000000..e26723f5ea --- /dev/null +++ b/queue-6.12/selftests-bpf-fix-a-user_ringbuf-failure-with-arm64-.patch @@ -0,0 +1,59 @@ +From 46012d40b8b0db850371198c011f4dd7961265b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 18:36:26 -0700 +Subject: selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size + +From: Yonghong Song + +[ Upstream commit bbc7bd658ddc662083639b9e9a280b90225ecd9a ] + +The ringbuf max_entries must be PAGE_ALIGNED. See kernel function +ringbuf_map_alloc(). So for arm64 64KB page size, adjust max_entries +properly. + +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20250607013626.1553001-1-yonghong.song@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/user_ringbuf.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c +index d424e7ecbd12..9fd3ae987321 100644 +--- a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c ++++ b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c +@@ -21,8 +21,7 @@ + #include "../progs/test_user_ringbuf.h" + + static const long c_sample_size = sizeof(struct sample) + BPF_RINGBUF_HDR_SZ; +-static const long c_ringbuf_size = 1 << 12; /* 1 small page */ +-static const long c_max_entries = c_ringbuf_size / c_sample_size; ++static long c_ringbuf_size, c_max_entries; + + static void drain_current_samples(void) + { +@@ -424,7 +423,9 @@ static void test_user_ringbuf_loop(void) + uint32_t remaining_samples = total_samples; + int err; + +- BUILD_BUG_ON(total_samples <= c_max_entries); ++ if (!ASSERT_LT(c_max_entries, total_samples, "compare_c_max_entries")) ++ return; ++ + err = load_skel_create_user_ringbuf(&skel, &ringbuf); + if (err) + return; +@@ -686,6 +687,9 @@ void test_user_ringbuf(void) + { + int i; + ++ c_ringbuf_size = getpagesize(); /* 1 page */ ++ c_max_entries = c_ringbuf_size / c_sample_size; ++ + for (i = 0; i < ARRAY_SIZE(success_tests); i++) { + if (!test__start_subtest(success_tests[i].test_name)) + continue; +-- +2.39.5 + diff --git a/queue-6.12/selftests-bpf-fix-ringbuf-ringbuf_write-test-failure.patch b/queue-6.12/selftests-bpf-fix-ringbuf-ringbuf_write-test-failure.patch new file mode 100644 index 0000000000..0607deea31 --- /dev/null +++ b/queue-6.12/selftests-bpf-fix-ringbuf-ringbuf_write-test-failure.patch @@ -0,0 +1,66 @@ +From ae76753a98b41e6f22e86c8871a57da33cb63c95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 18:36:21 -0700 +Subject: selftests/bpf: Fix ringbuf/ringbuf_write test failure with arm64 64KB + page size + +From: Yonghong Song + +[ Upstream commit 8c8c5e3c854a2593ec90dacd868f3066b67de1c4 ] + +The ringbuf max_entries must be PAGE_ALIGNED. See kernel function +ringbuf_map_alloc(). So for arm64 64KB page size, adjust max_entries +and other related metrics properly. + +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20250607013621.1552332-1-yonghong.song@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/ringbuf.c | 4 ++-- + tools/testing/selftests/bpf/progs/test_ringbuf_write.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/ringbuf.c b/tools/testing/selftests/bpf/prog_tests/ringbuf.c +index da430df45aa4..d1e4cb28a72c 100644 +--- a/tools/testing/selftests/bpf/prog_tests/ringbuf.c ++++ b/tools/testing/selftests/bpf/prog_tests/ringbuf.c +@@ -97,7 +97,7 @@ static void ringbuf_write_subtest(void) + if (!ASSERT_OK_PTR(skel, "skel_open")) + return; + +- skel->maps.ringbuf.max_entries = 0x4000; ++ skel->maps.ringbuf.max_entries = 0x40000; + + err = test_ringbuf_write_lskel__load(skel); + if (!ASSERT_OK(err, "skel_load")) +@@ -108,7 +108,7 @@ static void ringbuf_write_subtest(void) + mmap_ptr = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_SHARED, rb_fd, 0); + if (!ASSERT_OK_PTR(mmap_ptr, "rw_cons_pos")) + goto cleanup; +- *mmap_ptr = 0x3000; ++ *mmap_ptr = 0x30000; + ASSERT_OK(munmap(mmap_ptr, page_size), "unmap_rw"); + + skel->bss->pid = getpid(); +diff --git a/tools/testing/selftests/bpf/progs/test_ringbuf_write.c b/tools/testing/selftests/bpf/progs/test_ringbuf_write.c +index 350513c0e4c9..f063a0013f85 100644 +--- a/tools/testing/selftests/bpf/progs/test_ringbuf_write.c ++++ b/tools/testing/selftests/bpf/progs/test_ringbuf_write.c +@@ -26,11 +26,11 @@ int test_ringbuf_write(void *ctx) + if (cur_pid != pid) + return 0; + +- sample1 = bpf_ringbuf_reserve(&ringbuf, 0x3000, 0); ++ sample1 = bpf_ringbuf_reserve(&ringbuf, 0x30000, 0); + if (!sample1) + return 0; + /* first one can pass */ +- sample2 = bpf_ringbuf_reserve(&ringbuf, 0x3000, 0); ++ sample2 = bpf_ringbuf_reserve(&ringbuf, 0x30000, 0); + if (!sample2) { + bpf_ringbuf_discard(sample1, 0); + __sync_fetch_and_add(&discarded, 1); +-- +2.39.5 + diff --git a/queue-6.12/selftests-futex-define-sys_futex-on-32-bit-architect.patch b/queue-6.12/selftests-futex-define-sys_futex-on-32-bit-architect.patch new file mode 100644 index 0000000000..04e36f6ed3 --- /dev/null +++ b/queue-6.12/selftests-futex-define-sys_futex-on-32-bit-architect.patch @@ -0,0 +1,52 @@ +From d1dbdbce8469a4d3d06bd3d79d6f14fe17953214 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 18:36:30 +0800 +Subject: selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit + time_t + +From: Cynthia Huang + +[ Upstream commit 04850819c65c8242072818655d4341e70ae998b5 ] + +The kernel does not provide sys_futex() on 32-bit architectures that do not +support 32-bit time representations, such as riscv32. + +As a result, glibc cannot define SYS_futex, causing compilation failures in +tests that rely on this syscall. Define SYS_futex as SYS_futex_time64 in +such cases to ensure successful compilation and compatibility. + +Signed-off-by: Cynthia Huang +Signed-off-by: Ben Zong-You Xie +Signed-off-by: Thomas Gleixner +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/all/20250710103630.3156130-1-ben717@andestech.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/futex/include/futextest.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tools/testing/selftests/futex/include/futextest.h b/tools/testing/selftests/futex/include/futextest.h +index ddbcfc9b7bac..7a5fd1d5355e 100644 +--- a/tools/testing/selftests/futex/include/futextest.h ++++ b/tools/testing/selftests/futex/include/futextest.h +@@ -47,6 +47,17 @@ typedef volatile u_int32_t futex_t; + FUTEX_PRIVATE_FLAG) + #endif + ++/* ++ * SYS_futex is expected from system C library, in glibc some 32-bit ++ * architectures (e.g. RV32) are using 64-bit time_t, therefore it doesn't have ++ * SYS_futex defined but just SYS_futex_time64. Define SYS_futex as ++ * SYS_futex_time64 in this situation to ensure the compilation and the ++ * compatibility. ++ */ ++#if !defined(SYS_futex) && defined(SYS_futex_time64) ++#define SYS_futex SYS_futex_time64 ++#endif ++ + /** + * futex() - SYS_futex syscall wrapper + * @uaddr: address of first futex +-- +2.39.5 + diff --git a/queue-6.12/selftests-netfilter-enable-config_inet_sctp_diag.patch b/queue-6.12/selftests-netfilter-enable-config_inet_sctp_diag.patch new file mode 100644 index 0000000000..7ba51b4b99 --- /dev/null +++ b/queue-6.12/selftests-netfilter-enable-config_inet_sctp_diag.patch @@ -0,0 +1,33 @@ +From efa3a9053c36c0ed7acca36bf4dd166f9ea09332 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 17:44:25 +0200 +Subject: selftests: netfilter: Enable CONFIG_INET_SCTP_DIAG + +From: Sebastian Andrzej Siewior + +[ Upstream commit ba71a6e58b38aa6f86865d4e18579cb014903692 ] + +The config snippet specifies CONFIG_SCTP_DIAG. This was never an option. + +Replace CONFIG_SCTP_DIAG with the intended CONFIG_INET_SCTP_DIAG. + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/netfilter/config | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/netfilter/config b/tools/testing/selftests/net/netfilter/config +index 43d8b500d391..8cc6036f97dc 100644 +--- a/tools/testing/selftests/net/netfilter/config ++++ b/tools/testing/selftests/net/netfilter/config +@@ -91,4 +91,4 @@ CONFIG_XFRM_STATISTICS=y + CONFIG_NET_PKTGEN=m + CONFIG_TUN=m + CONFIG_INET_DIAG=m +-CONFIG_SCTP_DIAG=m ++CONFIG_INET_SCTP_DIAG=m +-- +2.39.5 + diff --git a/queue-6.12/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch b/queue-6.12/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch new file mode 100644 index 0000000000..66077451af --- /dev/null +++ b/queue-6.12/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch @@ -0,0 +1,41 @@ +From e680a44aed15aa1b74bc0e19ac4930e89a74a2bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:26:43 +0900 +Subject: selftests: tracing: Use mutex_unlock for testing glob filter + +From: Masami Hiramatsu (Google) + +[ Upstream commit a089bb2822a49b0c5777a8936f82c1f8629231fb ] + +Since commit c5b6ababd21a ("locking/mutex: implement +mutex_trylock_nested") makes mutex_trylock() as an inlined +function if CONFIG_DEBUG_LOCK_ALLOC=y, we can not use +mutex_trylock() for testing the glob filter of ftrace. + +Use mutex_unlock instead. + +Link: https://lore.kernel.org/r/175151680309.2149615.9795104805153538717.stgit@mhiramat.tok.corp.google.com +Signed-off-by: Masami Hiramatsu (Google) +Acked-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc +index 4b994b6df5ac..ed81eaf2afd6 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc +@@ -29,7 +29,7 @@ ftrace_filter_check 'schedule*' '^schedule.*$' + ftrace_filter_check '*pin*lock' '.*pin.*lock$' + + # filter by start*mid* +-ftrace_filter_check 'mutex*try*' '^mutex.*try.*' ++ftrace_filter_check 'mutex*unl*' '^mutex.*unl.*' + + # Advanced full-glob matching feature is recently supported. + # Skip the tests if we are sure the kernel does not support it. +-- +2.39.5 + diff --git a/queue-6.12/selftests-vdso-vdso_test_getrandom-always-print-tap-.patch b/queue-6.12/selftests-vdso-vdso_test_getrandom-always-print-tap-.patch new file mode 100644 index 0000000000..b0ef5c8c47 --- /dev/null +++ b/queue-6.12/selftests-vdso-vdso_test_getrandom-always-print-tap-.patch @@ -0,0 +1,60 @@ +From fdc2d3628944ec9774e411d6f285de252e1ff47b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 12:33:58 +0200 +Subject: selftests: vDSO: vdso_test_getrandom: Always print TAP header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 1158220b24674edaf885433153deb4f0e5c7d331 ] + +The TAP specification requires that the output begins with a header line. +If vgetrandom_init() fails and skips the test, that header line is missing. + +Call vgetrandom_init() after ksft_print_header(). + +Signed-off-by: Thomas Weißschuh +Signed-off-by: Thomas Gleixner +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/all/20250611-selftests-vdso-fixes-v3-8-e62e37a6bcf5@linutronix.de +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vDSO/vdso_test_getrandom.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/vDSO/vdso_test_getrandom.c b/tools/testing/selftests/vDSO/vdso_test_getrandom.c +index 95057f7567db..ff8d5675da2b 100644 +--- a/tools/testing/selftests/vDSO/vdso_test_getrandom.c ++++ b/tools/testing/selftests/vDSO/vdso_test_getrandom.c +@@ -242,6 +242,7 @@ static void kselftest(void) + pid_t child; + + ksft_print_header(); ++ vgetrandom_init(); + ksft_set_plan(2); + + for (size_t i = 0; i < 1000; ++i) { +@@ -295,8 +296,6 @@ static void usage(const char *argv0) + + int main(int argc, char *argv[]) + { +- vgetrandom_init(); +- + if (argc == 1) { + kselftest(); + return 0; +@@ -306,6 +305,9 @@ int main(int argc, char *argv[]) + usage(argv[0]); + return 1; + } ++ ++ vgetrandom_init(); ++ + if (!strcmp(argv[1], "bench-single")) + bench_single(); + else if (!strcmp(argv[1], "bench-multi")) +-- +2.39.5 + diff --git a/queue-6.12/series b/queue-6.12/series index 9d33ee1730..eb6a80736a 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -61,3 +61,307 @@ cpuidle-governors-menu-avoid-using-invalid-recent-in.patch ptp-prevent-possible-abba-deadlock-in-ptp_clock_free.patch tls-handle-data-disappearing-from-under-the-tls-ulp.patch net-kcm-fix-race-condition-in-kcm_unattach.patch +hfs-fix-general-protection-fault-in-hfs_find_init.patch +hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch +hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch +hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch +hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch +arm64-handle-kcov-__init-vs-inline-mismatches.patch +firmware-arm_ffa-change-initcall-level-of-ffa_init-t.patch +smb-server-avoid-deadlock-when-linking-with-replacei.patch +nvme-pci-try-function-level-reset-on-init-failure.patch +dm-stripe-limit-chunk_sectors-to-the-stripe-size.patch +md-raid10-set-chunk_sectors-limit.patch +nvme-tcp-log-tls-handshake-failures-at-error-level.patch +gfs2-validate-i_depth-for-exhash-directories.patch +gfs2-set-.migrate_folio-in-gfs2_-rgrp-meta-_aops.patch +md-call-del_gendisk-in-control-path.patch +loop-avoid-updating-block-size-under-exclusive-owner.patch +udf-verify-partition-map-count.patch +drbd-add-missing-kref_get-in-handle_write_conflicts.patch +hfs-fix-not-erasing-deleted-b-tree-node-issue.patch +better-lockdep-annotations-for-simple_recursive_remo.patch +ata-ahci-disallow-lpm-policy-control-if-not-supporte.patch +ata-ahci-disable-dipm-if-host-lacks-support.patch +ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch +fs-ntfs3-add-sanity-check-for-file-name.patch +fs-ntfs3-correctly-create-symlink-for-relative-path.patch +md-don-t-clear-md_closing-until-mddev-is-freed.patch +pidfs-raise-sb_i_nodev-and-sb_i_noexec.patch +ext2-handle-fiemap-on-empty-files-to-prevent-einval.patch +fix-locking-in-efi_secret_unlink.patch +securityfs-don-t-pin-dentries-twice-once-is-enough.patch +tracefs-add-d_delete-to-remove-negative-dentries.patch +usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch +platform-x86-amd-pmc-add-lenovo-yoga-6-13alc6-to-pmc.patch +cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch +selftests-futex-define-sys_futex-on-32-bit-architect.patch +usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch +usb-xhci-avoid-showing-warnings-for-dying-controller.patch +usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch +usb-xhci-avoid-showing-errors-during-surprise-remova.patch +firmware-qcom-scm-initialize-tzmem-before-marking-sc.patch +soc-qcom-rpmh-rsc-add-rsc-version-4-support.patch +acpi-apei-send-sigbus-to-current-task-if-synchronous.patch +remoteproc-imx_rproc-skip-clock-enable-when-m-core-i.patch +usb-typec-tcpm-tcpci_maxim-fix-irq-wake-usage.patch +pmdomain-ti-select-pm_generic_domains.patch +gpio-wcd934x-check-the-return-value-of-regmap_update.patch +cpufreq-exit-governor-when-failed-to-start-old-gover.patch +cpufreq-intel_pstate-add-granite-rapids-support-in-n.patch +arm-rockchip-fix-kernel-hang-during-smp-initializati.patch +pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch +edac-synopsys-clear-the-ecc-counters-on-init.patch +asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch +thermal-drivers-qcom-spmi-temp-alarm-enable-stage-2-.patch +tools-nolibc-define-time_t-in-terms-of-__kernel_old_.patch +iio-adc-ad_sigma_delta-don-t-overallocate-scan-buffe.patch +gpio-tps65912-check-the-return-value-of-regmap_updat.patch +mfd-tps6594-add-ti-tps652g1-support.patch +arm-tegra-use-i-o-memcpy-to-write-to-iram.patch +tools-build-fix-s390-x-cross-compilation-with-clang.patch +selftests-tracing-use-mutex_unlock-for-testing-glob-.patch +acpi-prm-reduce-unnecessary-printing-to-avoid-user-c.patch +firmware-arm_scmi-power_control-ensure-scmi_syspower.patch +firmware-tegra-fix-ivc-dependency-problems.patch +pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch +thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch +pm-sleep-console-fix-the-black-screen-issue.patch +acpi-processor-fix-acpi_object-initialization.patch +mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch +acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch +selftests-vdso-vdso_test_getrandom-always-print-tap-.patch +pps-clients-gpio-fix-interrupt-handling-order-in-rem.patch +reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch +char-misc-fix-improper-and-inaccurate-error-code-ret.patch +mei-bus-check-for-still-connected-devices-in-mei_cl_.patch +mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch +platform-chrome-cros_ec_sensorhub-retries-when-a-sen.patch +alsa-hda-handle-the-jack-polling-always-via-a-work.patch +alsa-hda-disable-jack-polling-at-shutdown.patch +x86-bugs-avoid-warning-when-overriding-return-thunk.patch +asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch +alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch +asoc-sof-topology-parse-the-dapm_widget_tokens-in-ca.patch +tty-serial-fix-print-format-specifiers.patch +asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch +usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch +usb-core-usb_submit_urb-downgrade-type-check.patch +pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch +imx8m-blk-ctrl-set-isi-panic-write-hurry-level.patch +soc-qcom-mdt_loader-actually-use-the-e_phoff.patch +platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch +platform-chrome-cros_ec_typec-defer-probe-on-missing.patch +alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch +alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch +alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch +iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch +asoc-codecs-rt5640-retry-device_id-verification.patch +asoc-qcom-use-drvdata-instead-of-component-to-keep-i.patch +netfilter-nft_set_pipapo-prefer-kvmalloc-for-scratch.patch +selftests-netfilter-enable-config_inet_sctp_diag.patch +powerpc-thp-tracing-hide-hugepage-events-under-confi.patch +bootconfig-fix-unaligned-access-when-building-footer.patch +bluetooth-btusb-add-new-vid-pid-0489-e14e-for-mt7925.patch +bluetooth-hci_sock-reset-cookie-to-zero-in-hci_sock_.patch +xen-netfront-fix-tx-response-spurious-interrupts.patch +wifi-iwlwifi-mvm-avoid-outdated-reorder-buffer-head_.patch +net-usb-cdc-ncm-check-for-filtering-capability.patch +wifi-ath12k-correct-tid-cleanup-when-tid-setup-fails.patch +ktest.pl-prevent-recursion-of-default-variable-optio.patch +wifi-cfg80211-reject-htc-bit-for-management-frames.patch +s390-time-use-monotonic-clock-in-get_cycles.patch +be2net-use-correct-byte-order-and-format-string-for-.patch +libbpf-verify-that-arena-map-exists-when-adding-aren.patch +idpf-preserve-coalescing-settings-across-resets.patch +wifi-rtw89-wow-add-basic-rate-ie-to-probe-request-in.patch +wifi-rtw89-lower-the-timeout-in-rtw89_fw_read_c2h_re.patch +et131x-add-missing-check-after-dma-map.patch +net-ag71xx-add-missing-check-after-dma-map.patch +net-mlx5e-properly-access-rcu-protected-qdisc_sleepi.patch +net-pcs-xpcs-mask-readl-return-value-to-16-bits.patch +arm64-mark-kernel-as-tainted-on-sae-and-serror-panic.patch +drm-amd-pm-fix-null-pointer-access.patch +rcu-protect-defer_qs_iw_pending-from-data-race.patch +drm-amd-display-limit-clear_update_flags-to-dcn32-an.patch +can-ti_hecc-fix-woverflow-compiler-warning.patch +net-mctp-prevent-duplicate-binds.patch +wifi-cfg80211-fix-interface-type-validation.patch +wifi-mac80211-don-t-unreserve-never-reserved-chanctx.patch +net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch +net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch +net-phy-micrel-add-ksz9131_resume.patch +perf-cxlpmu-remove-unintended-newline-from-irq-name-.patch +sched-deadline-fix-accounting-after-global-limits-ch.patch +bpf-forget-ranges-when-refining-tnum-after-jset.patch +wifi-iwlwifi-mvm-set-gtk-id-also-in-older-fws.patch +um-re-evaluate-thread-flags-repeatedly.patch +wifi-iwlwifi-mvm-fix-scan-request-validation.patch +s390-stp-remove-udelay-from-stp_sync_clock.patch +net-phy-bcm54811-phy-initialization.patch +sched-fair-bump-sd-max_newidle_lb_cost-when-newidle-.patch +wifi-mac80211-don-t-complete-management-tx-on-sae-co.patch +wifi-mac80211-avoid-weird-state-in-error-path.patch +s390-early-copy-last-breaking-event-address-to-pt_re.patch +powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch +ipv6-mcast-check-inet6_dev-dead-under-idev-mc_lock-i.patch +rcu-nocb-fix-possible-invalid-rdp-s-nocb_cb_kthread-.patch +wifi-mac80211-fix-rx-link-assignment-for-non-mlo-sta.patch +drm-msm-use-trylock-for-debugfs.patch +drm-msm-add-error-handling-for-krealloc-in-metadata-.patch +perf-arm-add-missing-.suppress_bind_attrs.patch +drm-imagination-clear-runtime-pm-errors-while-resett.patch +wifi-rtw89-fix-rtw89_mac_power_switch-for-usb.patch +wifi-mt76-mt7915-mcu-re-init-mcu-before-loading-fw-p.patch +kselftest-arm64-specify-sve-data-when-testing-vl-set.patch +drm-xe-xe_query-use-separate-iterator-while-filling-.patch +net-thunderbolt-enable-end-to-end-flow-control-also-.patch +net-thunderbolt-fix-the-parameter-passing-of-tb_xdom.patch +xfrm-duplicate-spi-handling.patch +net-atlantic-add-set_power-to-fw_ops-for-atl2-to-fix.patch +acpi-suppress-misleading-spcr-console-message-when-s.patch +net-ieee8021q-fix-insufficient-table-size-assertion.patch +net-fec-allow-disable-coalescing.patch +drm-amd-display-separate-set_gsl-from-set_gsl_source.patch +wifi-ath10k-shutdown-driver-when-hardware-is-unrelia.patch +wifi-ath12k-add-memset-and-update-default-rate-value.patch +wifi-ath12k-fix-station-association-with-mbssid-non-.patch +lib-packing-include-necessary-headers.patch +wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch +wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch +drm-amd-display-fix-failed-to-blank-crtc.patch +drm-amd-display-initialize-mode_select-to-0.patch +wifi-mac80211-update-radar_required-in-channel-conte.patch +wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch +wifi-ath12k-enable-reo-queue-lookup-table-feature-on.patch +wifi-ath12k-decrement-tid-on-rx-peer-frag-setup-erro.patch +powerpc-floppy-add-missing-checks-after-dma-map.patch +netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch +arm64-stacktrace-check-kretprobe_find_ret_addr-retur.patch +wifi-iwlegacy-check-rate_idx-range-after-addition.patch +neighbour-add-support-for-nud_permanent-proxy-entrie.patch +dpaa_eth-don-t-use-fixed_phy_change_carrier.patch +drm-amd-allow-printing-vangogh-od-sclk-levels-withou.patch +net-vlan-make-is_vlan_dev-a-stub-when-vlan-is-not-co.patch +net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch +gve-return-error-for-unknown-admin-queue-command.patch +net-dsa-b53-ensure-bcm5325-phys-are-enabled.patch +net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch +net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch +net-dsa-b53-prevent-dis_learning-access-on-bcm5325.patch +net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch +bpftool-fix-json-writer-resource-leak-in-version-com.patch +ptp-use-ratelimite-for-freerun-error-message.patch +wifi-rtw89-scan-abort-when-assign-unassign_vif.patch +wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-28826 +ionic-clean-dbpage-in-de-init.patch +drm-xe-make-dma-fences-compliant-with-the-safe-acces.patch +net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch +drm-renesas-rz-du-mipi_dsi-add-min-check-for-vclk-ra.patch +drm-ttm-should-to-return-the-evict-error.patch +uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch +bpf-make-reg_not_null-true-for-const_ptr_to_map.patch +selftests-bpf-fix-ringbuf-ringbuf_write-test-failure.patch +selftests-bpf-fix-a-user_ringbuf-failure-with-arm64-.patch +drm-amd-display-update-dmcub-loading-sequence-for-dc.patch +drm-amd-display-avoid-trying-aux-transactions-on-dis.patch +drm-ttm-respect-the-shrinker-core-free-target.patch +rcu-fix-rcu_read_unlock-deadloop-due-to-irq-work.patch +net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch +vsock-virtio-resize-receive-buffers-so-that-each-skb.patch +vhost-fail-early-when-__vhost_add_used-fails.patch +drm-amd-display-only-finalize-atomic_obj-if-it-was-i.patch +drm-amd-display-avoid-configuring-psr-granularity-if.patch +drm-amd-display-disable-dsc_power_gate-for-dcn314-by.patch +watchdog-sbsa-adjust-keepalive-timeout-to-avoid-medi.patch +cifs-fix-calling-cifsfindfirst-for-root-path-without.patch +fbdev-fix-potential-buffer-overflow-in-do_register_f.patch +crypto-hisilicon-hpre-fix-dma-unmap-sequence.patch +ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch +clk-tegra-periph-fix-error-handling-and-resolve-unsi.patch +mfd-axp20x-set-explicit-id-for-axp313-regulator.patch +phy-rockchip-pcie-properly-disable-test_write-strobe.patch +scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch +fs-orangefs-use-snprintf-instead-of-sprintf.patch +watchdog-dw_wdt-fix-default-timeout.patch +hwmon-emc2305-set-initial-pwm-minimum-value-during-p.patch +clk-qcom-ipq5018-keep-xo-clock-always-on.patch +mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch +watchdog-itco_wdt-report-error-if-timeout-configurat.patch +scsi-bfa-double-free-fix.patch +jfs-truncate-good-inode-pages-when-hard-link-is-0.patch +jfs-regular-file-corruption-check.patch +jfs-upper-bound-check-of-tree-index-in-dballocag.patch +media-hi556-fix-reset-gpio-timings.patch +rdma-bnxt_re-fix-size-of-uverbs_copy_to-in-bnxt_re_m.patch +crypto-jitter-fix-intermediary-handling.patch +mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch +mips-lantiq-falcon-sysctrl-fix-request-memory-check-.patch +clk-thead-mark-essential-bus-clocks-as-clk_ignore_un.patch +media-ipu-bridge-add-_hid-for-ov5670.patch +media-v4l2-common-reduce-warnings-about-missing-v4l2.patch +leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch +dmaengine-stm32-dma-configure-next-sg-only-if-there-.patch +rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch +rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch +scsi-lpfc-ensure-hba_setup-flag-is-used-only-for-sli.patch +scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch +power-supply-qcom_battmgr-add-lithium-polymer-entry.patch +scsi-mpt3sas-correctly-handle-ata-device-errors.patch +scsi-mpi3mr-correctly-handle-ata-device-errors.patch +pinctrl-stm32-manage-irq-affinity-settings.patch +media-tc358743-check-i2c-succeeded-during-probe.patch +media-tc358743-return-an-appropriate-colorspace-from.patch +media-tc358743-increase-fifo-trigger-level-to-374.patch +media-usb-hdpvr-disable-zero-length-read-messages.patch +media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch +media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch +media-uvcvideo-add-quirk-for-hp-webcam-hd-2300.patch +media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch +crypto-octeontx2-add-timeout-for-load_fvc-completion.patch +crypto-ccp-add-missing-bootloader-info-reg-for-pspv6.patch +clk-renesas-rzg2l-postpone-updating-priv-clks.patch +soundwire-amd-serialize-amd-manager-resume-sequence-.patch +soundwire-amd-cancel-pending-slave-status-handling-w.patch +soundwire-move-handle_nested_irq-outside-of-sdw_dev_.patch +md-dm-zoned-target-initialize-return-variable-r-to-a.patch +module-prevent-silent-truncation-of-module-name-in-d.patch +i3c-add-missing-include-to-internal-header.patch +rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch +apparmor-shift-ouid-when-mediating-hard-links-in-use.patch +i3c-don-t-fail-if-gethdrcap-is-unsupported.patch +i3c-master-initialize-ret-in-i3c_i2c_notifier_call.patch +dm-mpath-don-t-print-the-loaded-message-if-registeri.patch +dm-table-fix-checking-for-rq-stackable-devices.patch +apparmor-use-the-condition-in-aa_bug_fmt-even-with-d.patch +apparmor-fix-x_table_lookup-when-stacking-is-not-the.patch +i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch +exfat-add-cluster-chain-loop-check-for-dir.patch +f2fs-check-the-generic-conditions-first.patch +printk-nbcon-allow-reacquire-during-panic.patch +kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch +vfio-type1-conditional-rescheduling-while-pinning.patch +kconfig-nconf-ensure-null-termination-where-strncpy-.patch +scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch +scsi-target-core-generate-correct-identifiers-for-pr.patch +scsi-aacraid-stop-using-pci_irq_affinity.patch +vfio-mlx5-fix-possible-overflow-in-tracking-max-mess.patch +ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch +kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch +kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch +kconfig-lxdialog-fix-space-to-de-select-options.patch +ipmi-fix-strcpy-source-and-destination-the-same.patch +tools-power-turbostat-handle-non-root-legacy-uncore-.patch +tools-power-turbostat-fix-build-with-musl.patch +tools-power-turbostat-handle-cap_get_proc-enosys.patch +smb-client-don-t-call-init_waitqueue_head-info-conn_.patch +lib-sbitmap-convert-shallow_depth-from-one-word-to-t.patch +alsa-hda-realtek-add-lg-gram-16z90r-a-to-alc269-fixu.patch +net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch +asoc-intel-avs-fix-uninitialized-pointer-error-in-pr.patch +block-avoid-possible-overflow-for-chunk_sectors-chec.patch +pnfs-fix-stripe-mapping-in-block-scsi-layout.patch +pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch +pnfs-handle-rpc-size-limit-for-layoutcommits.patch +pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch +rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch diff --git a/queue-6.12/smb-client-don-t-call-init_waitqueue_head-info-conn_.patch b/queue-6.12/smb-client-don-t-call-init_waitqueue_head-info-conn_.patch new file mode 100644 index 0000000000..7e83ccef5c --- /dev/null +++ b/queue-6.12/smb-client-don-t-call-init_waitqueue_head-info-conn_.patch @@ -0,0 +1,39 @@ +From 16354ddd66029210422c79fbe9d2d2aaabe928ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Aug 2025 18:12:13 +0200 +Subject: smb: client: don't call init_waitqueue_head(&info->conn_wait) twice + in _smbd_get_connection + +From: Stefan Metzmacher + +[ Upstream commit 550a194c5998e4e77affc6235e80d3766dc2d27e ] + +It is already called long before we may hit this cleanup code path. + +Cc: Steve French +Cc: Tom Talpey +Cc: Long Li +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smbdirect.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c +index cd4c61932cb2..b9bb531717a6 100644 +--- a/fs/smb/client/smbdirect.c ++++ b/fs/smb/client/smbdirect.c +@@ -1689,7 +1689,6 @@ static struct smbd_connection *_smbd_get_connection( + cancel_delayed_work_sync(&info->idle_timer_work); + destroy_caches_and_workqueue(info); + sc->status = SMBDIRECT_SOCKET_NEGOTIATE_FAILED; +- init_waitqueue_head(&info->conn_wait); + rdma_disconnect(sc->rdma.cm_id); + wait_event(info->conn_wait, + sc->status == SMBDIRECT_SOCKET_DISCONNECTED); +-- +2.39.5 + diff --git a/queue-6.12/smb-server-avoid-deadlock-when-linking-with-replacei.patch b/queue-6.12/smb-server-avoid-deadlock-when-linking-with-replacei.patch new file mode 100644 index 0000000000..d630b51923 --- /dev/null +++ b/queue-6.12/smb-server-avoid-deadlock-when-linking-with-replacei.patch @@ -0,0 +1,82 @@ +From cdeb6f95950e086c8294f55ddc6fcd26175ac604 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 09:35:09 +1000 +Subject: smb/server: avoid deadlock when linking with ReplaceIfExists + +From: NeilBrown + +[ Upstream commit d5fc1400a34b4ea5e8f2ce296ea12bf8c8421694 ] + +If smb2_create_link() is called with ReplaceIfExists set and the name +does exist then a deadlock will happen. + +ksmbd_vfs_kern_path_locked() will return with success and the parent +directory will be locked. ksmbd_vfs_remove_file() will then remove the +file. ksmbd_vfs_link() will then be called while the parent is still +locked. It will try to lock the same parent and will deadlock. + +This patch moves the ksmbd_vfs_kern_path_unlock() call to *before* +ksmbd_vfs_link() and then simplifies the code, removing the file_present +flag variable. + +Signed-off-by: NeilBrown +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 495a9faa298b..6dafc2fbac25 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -6023,7 +6023,6 @@ static int smb2_create_link(struct ksmbd_work *work, + { + char *link_name = NULL, *target_name = NULL, *pathname = NULL; + struct path path, parent_path; +- bool file_present = false; + int rc; + + if (buf_len < (u64)sizeof(struct smb2_file_link_info) + +@@ -6056,11 +6055,8 @@ static int smb2_create_link(struct ksmbd_work *work, + if (rc) { + if (rc != -ENOENT) + goto out; +- } else +- file_present = true; +- +- if (file_info->ReplaceIfExists) { +- if (file_present) { ++ } else { ++ if (file_info->ReplaceIfExists) { + rc = ksmbd_vfs_remove_file(work, &path); + if (rc) { + rc = -EINVAL; +@@ -6068,21 +6064,17 @@ static int smb2_create_link(struct ksmbd_work *work, + link_name); + goto out; + } +- } +- } else { +- if (file_present) { ++ } else { + rc = -EEXIST; + ksmbd_debug(SMB, "link already exists\n"); + goto out; + } ++ ksmbd_vfs_kern_path_unlock(&parent_path, &path); + } +- + rc = ksmbd_vfs_link(work, target_name, link_name); + if (rc) + rc = -EINVAL; + out: +- if (file_present) +- ksmbd_vfs_kern_path_unlock(&parent_path, &path); + + if (!IS_ERR(link_name)) + kfree(link_name); +-- +2.39.5 + diff --git a/queue-6.12/soc-qcom-mdt_loader-actually-use-the-e_phoff.patch b/queue-6.12/soc-qcom-mdt_loader-actually-use-the-e_phoff.patch new file mode 100644 index 0000000000..04fa36dd17 --- /dev/null +++ b/queue-6.12/soc-qcom-mdt_loader-actually-use-the-e_phoff.patch @@ -0,0 +1,74 @@ +From 5d20f2b3cfab36116a8b150cf9828cd446eaef3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 21:58:30 -0500 +Subject: soc: qcom: mdt_loader: Actually use the e_phoff + +From: Bjorn Andersson + +[ Upstream commit 47e339cac89143709e84a3b71ba8bd9b2fdd2368 ] + +Rather than relying/assuming that the tools generating the firmware +places the program headers immediately following the ELF header, use +e_phoff as intended to find the program headers. + +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-3-f7073e9ab899@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/mdt_loader.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c +index b2c0fb55d4ae..44589d10b15b 100644 +--- a/drivers/soc/qcom/mdt_loader.c ++++ b/drivers/soc/qcom/mdt_loader.c +@@ -83,7 +83,7 @@ ssize_t qcom_mdt_get_size(const struct firmware *fw) + int i; + + ehdr = (struct elf32_hdr *)fw->data; +- phdrs = (struct elf32_phdr *)(ehdr + 1); ++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff); + + for (i = 0; i < ehdr->e_phnum; i++) { + phdr = &phdrs[i]; +@@ -135,7 +135,7 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len, + void *data; + + ehdr = (struct elf32_hdr *)fw->data; +- phdrs = (struct elf32_phdr *)(ehdr + 1); ++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff); + + if (ehdr->e_phnum < 2) + return ERR_PTR(-EINVAL); +@@ -215,7 +215,7 @@ int qcom_mdt_pas_init(struct device *dev, const struct firmware *fw, + int i; + + ehdr = (struct elf32_hdr *)fw->data; +- phdrs = (struct elf32_phdr *)(ehdr + 1); ++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff); + + for (i = 0; i < ehdr->e_phnum; i++) { + phdr = &phdrs[i]; +@@ -270,7 +270,7 @@ static bool qcom_mdt_bins_are_split(const struct firmware *fw, const char *fw_na + int i; + + ehdr = (struct elf32_hdr *)fw->data; +- phdrs = (struct elf32_phdr *)(ehdr + 1); ++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff); + + for (i = 0; i < ehdr->e_phnum; i++) { + /* +@@ -312,7 +312,7 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw, + + is_split = qcom_mdt_bins_are_split(fw, fw_name); + ehdr = (struct elf32_hdr *)fw->data; +- phdrs = (struct elf32_phdr *)(ehdr + 1); ++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff); + + for (i = 0; i < ehdr->e_phnum; i++) { + phdr = &phdrs[i]; +-- +2.39.5 + diff --git a/queue-6.12/soc-qcom-rpmh-rsc-add-rsc-version-4-support.patch b/queue-6.12/soc-qcom-rpmh-rsc-add-rsc-version-4-support.patch new file mode 100644 index 0000000000..b486ab6586 --- /dev/null +++ b/queue-6.12/soc-qcom-rpmh-rsc-add-rsc-version-4-support.patch @@ -0,0 +1,38 @@ +From 685e74c12c97832e166653d08289ebce7a59c78f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 11:19:43 +0530 +Subject: soc: qcom: rpmh-rsc: Add RSC version 4 support + +From: Maulik Shah + +[ Upstream commit 84684c57c9cd47b86c883a7170dd68222d97ef13 ] + +Register offsets for v3 and v4 versions are backward compatible. Assign v3 +offsets for v4 and all higher versions to avoid end up using v2 offsets. + +Signed-off-by: Maulik Shah +Reviewed-by: Konrad Dybcio +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20250623-rsc_v4-v1-1-275b27bc5e3c@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/rpmh-rsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/rpmh-rsc.c b/drivers/soc/qcom/rpmh-rsc.c +index de86009ecd91..641f29a98cbd 100644 +--- a/drivers/soc/qcom/rpmh-rsc.c ++++ b/drivers/soc/qcom/rpmh-rsc.c +@@ -1075,7 +1075,7 @@ static int rpmh_rsc_probe(struct platform_device *pdev) + drv->ver.minor = rsc_id & (MINOR_VER_MASK << MINOR_VER_SHIFT); + drv->ver.minor >>= MINOR_VER_SHIFT; + +- if (drv->ver.major == 3) ++ if (drv->ver.major >= 3) + drv->regs = rpmh_rsc_reg_offset_ver_3_0; + else + drv->regs = rpmh_rsc_reg_offset_ver_2_7; +-- +2.39.5 + diff --git a/queue-6.12/soundwire-amd-cancel-pending-slave-status-handling-w.patch b/queue-6.12/soundwire-amd-cancel-pending-slave-status-handling-w.patch new file mode 100644 index 0000000000..bb15db146e --- /dev/null +++ b/queue-6.12/soundwire-amd-cancel-pending-slave-status-handling-w.patch @@ -0,0 +1,35 @@ +From 3439c3a6907d8f174abdd89d6955a686f494ca91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 11:13:41 +0530 +Subject: soundwire: amd: cancel pending slave status handling workqueue during + remove sequence + +From: Vijendar Mukunda + +[ Upstream commit f93b697ed98e3c85d1973ea170d4f4e7a6b2b45d ] + +During remove sequence, cancel the pending slave status update workqueue. + +Signed-off-by: Vijendar Mukunda +Link: https://lore.kernel.org/r/20250530054447.1645807-4-Vijendar.Mukunda@amd.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/amd_manager.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soundwire/amd_manager.c b/drivers/soundwire/amd_manager.c +index dc7d54cb1740..a325ce52c396 100644 +--- a/drivers/soundwire/amd_manager.c ++++ b/drivers/soundwire/amd_manager.c +@@ -972,6 +972,7 @@ static void amd_sdw_manager_remove(struct platform_device *pdev) + int ret; + + pm_runtime_disable(&pdev->dev); ++ cancel_work_sync(&amd_manager->amd_sdw_work); + amd_disable_sdw_interrupts(amd_manager); + sdw_bus_master_delete(&amd_manager->bus); + ret = amd_disable_sdw_manager(amd_manager); +-- +2.39.5 + diff --git a/queue-6.12/soundwire-amd-serialize-amd-manager-resume-sequence-.patch b/queue-6.12/soundwire-amd-serialize-amd-manager-resume-sequence-.patch new file mode 100644 index 0000000000..6d4d708458 --- /dev/null +++ b/queue-6.12/soundwire-amd-serialize-amd-manager-resume-sequence-.patch @@ -0,0 +1,46 @@ +From 0c57764aa881d665ff73a032b6979630f2ddeb23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 11:13:40 +0530 +Subject: soundwire: amd: serialize amd manager resume sequence during + pm_prepare + +From: Vijendar Mukunda + +[ Upstream commit 03837341790039d6f1cbf7a1ae7dfa2cb77ef0a4 ] + +During pm_prepare callback, pm_request_resume() delays SoundWire manager D0 +entry sequence. Synchronize runtime resume sequence for amd_manager +instance prior to invoking child devices resume sequence for both the amd +power modes(ClockStop Mode and Power off mode). +Change the power_mode_mask check and use pm_runtime_resume() in +amd_pm_prepare() callback. + +Signed-off-by: Vijendar Mukunda +Link: https://lore.kernel.org/r/20250530054447.1645807-3-Vijendar.Mukunda@amd.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/amd_manager.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/soundwire/amd_manager.c b/drivers/soundwire/amd_manager.c +index 1895fba5e70b..dc7d54cb1740 100644 +--- a/drivers/soundwire/amd_manager.c ++++ b/drivers/soundwire/amd_manager.c +@@ -1076,10 +1076,10 @@ static int __maybe_unused amd_pm_prepare(struct device *dev) + * device is not in runtime suspend state, observed that device alerts are missing + * without pm_prepare on AMD platforms in clockstop mode0. + */ +- if (amd_manager->power_mode_mask & AMD_SDW_CLK_STOP_MODE) { +- ret = pm_request_resume(dev); ++ if (amd_manager->power_mode_mask) { ++ ret = pm_runtime_resume(dev); + if (ret < 0) { +- dev_err(bus->dev, "pm_request_resume failed: %d\n", ret); ++ dev_err(bus->dev, "pm_runtime_resume failed: %d\n", ret); + return 0; + } + } +-- +2.39.5 + diff --git a/queue-6.12/soundwire-move-handle_nested_irq-outside-of-sdw_dev_.patch b/queue-6.12/soundwire-move-handle_nested_irq-outside-of-sdw_dev_.patch new file mode 100644 index 0000000000..d28dc9f4c0 --- /dev/null +++ b/queue-6.12/soundwire-move-handle_nested_irq-outside-of-sdw_dev_.patch @@ -0,0 +1,71 @@ +From e94f28b073cc19611dad6dd8b70fbc410891991f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 15:30:40 +0100 +Subject: soundwire: Move handle_nested_irq outside of sdw_dev_lock + +From: Charles Keepax + +[ Upstream commit ccb7bb13c00bcc3178d270da052635c56148bc16 ] + +The sdw_dev_lock protects the SoundWire driver callbacks against +the probed flag, which is used to skip the callbacks if the +driver gets removed. For more information see commit bd29c00edd0a +("soundwire: revisit driver bind/unbind and callbacks"). + +However, this lock is a frequent source of mutex inversions. +Many audio operations eventually hit the hardware resulting in a +SoundWire callback, this means that typically the driver has the +locking order ALSA/ASoC locks -> sdw_dev_lock. Conversely, the IRQ +comes in directly from the SoundWire hardware, but then will often +want to access ALSA/ASoC, such as updating something in DAPM or +an ALSA control. This gives the other lock order sdw_dev_lock -> +ALSA/ASoC locks. + +When the IRQ handling was initially added to SoundWire this was +through a callback mechanism. As such it required being covered by +the lock because the callbacks are part of the sdw_driver structure +and are thus present regardless of if the driver is currently +probed. + +Since then a newer mechanism using the IRQ framework has been +added, which is currently covered by the same lock but this isn't +actually required. Handlers for the IRQ framework are registered in +probe and should by released during remove, thus the IRQ framework +will have already unbound the IRQ before the slave driver is +removed. Avoid the aforementioned mutex inversion by moving the +handle_nested_irq call outside of the sdw_dev_lock. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20250609143041.495049-3-ckeepax@opensource.cirrus.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/bus.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c +index 6ca06cce41d3..6c7989e2079e 100644 +--- a/drivers/soundwire/bus.c ++++ b/drivers/soundwire/bus.c +@@ -1732,15 +1732,15 @@ static int sdw_handle_slave_alerts(struct sdw_slave *slave) + + /* Update the Slave driver */ + if (slave_notify) { ++ if (slave->prop.use_domain_irq && slave->irq) ++ handle_nested_irq(slave->irq); ++ + mutex_lock(&slave->sdw_dev_lock); + + if (slave->probed) { + struct device *dev = &slave->dev; + struct sdw_driver *drv = drv_to_sdw_driver(dev->driver); + +- if (slave->prop.use_domain_irq && slave->irq) +- handle_nested_irq(slave->irq); +- + if (drv->ops && drv->ops->interrupt_callback) { + slave_intr.sdca_cascade = sdca_cascade; + slave_intr.control_port = clear; +-- +2.39.5 + diff --git a/queue-6.12/thermal-drivers-qcom-spmi-temp-alarm-enable-stage-2-.patch b/queue-6.12/thermal-drivers-qcom-spmi-temp-alarm-enable-stage-2-.patch new file mode 100644 index 0000000000..5b53dd9a9d --- /dev/null +++ b/queue-6.12/thermal-drivers-qcom-spmi-temp-alarm-enable-stage-2-.patch @@ -0,0 +1,156 @@ +From 260c93ec54899e980279409856a0acc3d9c5a93d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 15:45:51 -0700 +Subject: thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when + required + +From: David Collins + +[ Upstream commit f8e157ff2df46ddabd930815d196895976227831 ] + +Certain TEMP_ALARM GEN2 PMIC peripherals need over-temperature stage 2 +automatic PMIC partial shutdown. This will ensure that in the event of +reaching the hotter stage 3 over-temperature threshold, repeated faults +will be avoided during the automatic PMIC hardware full shutdown. +Modify the stage 2 shutdown control logic to ensure that stage 2 +shutdown is enabled on all affected PMICs. Read the digital major +and minor revision registers to identify these PMICs. + +Signed-off-by: David Collins +Signed-off-by: Anjelique Melendez +Link: https://lore.kernel.org/r/20250710224555.3047790-2-anjelique.melendez@oss.qualcomm.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 ++++++++++++++++----- + 1 file changed, 34 insertions(+), 9 deletions(-) + +diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c +index c2d59cbfaea9..a575585c737b 100644 +--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c ++++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* + * Copyright (c) 2011-2015, 2017, 2020, The Linux Foundation. All rights reserved. ++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. + */ + + #include +@@ -16,6 +17,7 @@ + + #include "../thermal_hwmon.h" + ++#define QPNP_TM_REG_DIG_MINOR 0x00 + #define QPNP_TM_REG_DIG_MAJOR 0x01 + #define QPNP_TM_REG_TYPE 0x04 + #define QPNP_TM_REG_SUBTYPE 0x05 +@@ -31,7 +33,7 @@ + #define STATUS_GEN2_STATE_MASK GENMASK(6, 4) + #define STATUS_GEN2_STATE_SHIFT 4 + +-#define SHUTDOWN_CTRL1_OVERRIDE_S2 BIT(6) ++#define SHUTDOWN_CTRL1_OVERRIDE_STAGE2 BIT(6) + #define SHUTDOWN_CTRL1_THRESHOLD_MASK GENMASK(1, 0) + + #define SHUTDOWN_CTRL1_RATE_25HZ BIT(3) +@@ -78,6 +80,7 @@ struct qpnp_tm_chip { + /* protects .thresh, .stage and chip registers */ + struct mutex lock; + bool initialized; ++ bool require_stage2_shutdown; + + struct iio_channel *adc; + const long (*temp_map)[THRESH_COUNT][STAGE_COUNT]; +@@ -220,13 +223,13 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip, + { + long stage2_threshold_min = (*chip->temp_map)[THRESH_MIN][1]; + long stage2_threshold_max = (*chip->temp_map)[THRESH_MAX][1]; +- bool disable_s2_shutdown = false; ++ bool disable_stage2_shutdown = false; + u8 reg; + + WARN_ON(!mutex_is_locked(&chip->lock)); + + /* +- * Default: S2 and S3 shutdown enabled, thresholds at ++ * Default: Stage 2 and Stage 3 shutdown enabled, thresholds at + * lowest threshold set, monitoring at 25Hz + */ + reg = SHUTDOWN_CTRL1_RATE_25HZ; +@@ -241,12 +244,12 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip, + chip->thresh = THRESH_MAX - + ((stage2_threshold_max - temp) / + TEMP_THRESH_STEP); +- disable_s2_shutdown = true; ++ disable_stage2_shutdown = true; + } else { + chip->thresh = THRESH_MAX; + + if (chip->adc) +- disable_s2_shutdown = true; ++ disable_stage2_shutdown = true; + else + dev_warn(chip->dev, + "No ADC is configured and critical temperature %d mC is above the maximum stage 2 threshold of %ld mC! Configuring stage 2 shutdown at %ld mC.\n", +@@ -255,8 +258,8 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip, + + skip: + reg |= chip->thresh; +- if (disable_s2_shutdown) +- reg |= SHUTDOWN_CTRL1_OVERRIDE_S2; ++ if (disable_stage2_shutdown && !chip->require_stage2_shutdown) ++ reg |= SHUTDOWN_CTRL1_OVERRIDE_STAGE2; + + return qpnp_tm_write(chip, QPNP_TM_REG_SHUTDOWN_CTRL1, reg); + } +@@ -350,8 +353,8 @@ static int qpnp_tm_probe(struct platform_device *pdev) + { + struct qpnp_tm_chip *chip; + struct device_node *node; +- u8 type, subtype, dig_major; +- u32 res; ++ u8 type, subtype, dig_major, dig_minor; ++ u32 res, dig_revision; + int ret, irq; + + node = pdev->dev.of_node; +@@ -403,6 +406,11 @@ static int qpnp_tm_probe(struct platform_device *pdev) + return dev_err_probe(&pdev->dev, ret, + "could not read dig_major\n"); + ++ ret = qpnp_tm_read(chip, QPNP_TM_REG_DIG_MINOR, &dig_minor); ++ if (ret < 0) ++ return dev_err_probe(&pdev->dev, ret, ++ "could not read dig_minor\n"); ++ + if (type != QPNP_TM_TYPE || (subtype != QPNP_TM_SUBTYPE_GEN1 + && subtype != QPNP_TM_SUBTYPE_GEN2)) { + dev_err(&pdev->dev, "invalid type 0x%02x or subtype 0x%02x\n", +@@ -416,6 +424,23 @@ static int qpnp_tm_probe(struct platform_device *pdev) + else + chip->temp_map = &temp_map_gen1; + ++ if (chip->subtype == QPNP_TM_SUBTYPE_GEN2) { ++ dig_revision = (dig_major << 8) | dig_minor; ++ /* ++ * Check if stage 2 automatic partial shutdown must remain ++ * enabled to avoid potential repeated faults upon reaching ++ * over-temperature stage 3. ++ */ ++ switch (dig_revision) { ++ case 0x0001: ++ case 0x0002: ++ case 0x0100: ++ case 0x0101: ++ chip->require_stage2_shutdown = true; ++ break; ++ } ++ } ++ + /* + * Register the sensor before initializing the hardware to be able to + * read the trip points. get_temp() returns the default temperature +-- +2.39.5 + diff --git a/queue-6.12/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch b/queue-6.12/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch new file mode 100644 index 0000000000..b6a5736f7f --- /dev/null +++ b/queue-6.12/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch @@ -0,0 +1,53 @@ +From 64e553e664966d0c945a54a7c7f71646b1245864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 10:41:43 +0000 +Subject: thermal: sysfs: Return ENODATA instead of EAGAIN for reads + +From: Hsin-Te Yuan + +[ Upstream commit 1a4aabc27e95674837f2e25f4ef340c0469e6203 ] + +According to POSIX spec, EAGAIN returned by read with O_NONBLOCK set +means the read would block. Hence, the common implementation in +nonblocking model will poll the file when the nonblocking read returns +EAGAIN. However, when the target file is thermal zone, this mechanism +will totally malfunction because thermal zone doesn't implement sysfs +notification and thus the poll will never return. + +For example, the read in Golang implemnts such method and sometimes +hangs at reading some thermal zones via sysfs. + +Change to return -ENODATA instead of -EAGAIN to userspace. + +Signed-off-by: Hsin-Te Yuan +Link: https://patch.msgid.link/20250620-temp-v3-1-6becc6aeb66c@chromium.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_sysfs.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c +index 1838aa729bb5..c58c53d4ecc6 100644 +--- a/drivers/thermal/thermal_sysfs.c ++++ b/drivers/thermal/thermal_sysfs.c +@@ -40,10 +40,13 @@ temp_show(struct device *dev, struct device_attribute *attr, char *buf) + + ret = thermal_zone_get_temp(tz, &temperature); + +- if (ret) +- return ret; ++ if (!ret) ++ return sprintf(buf, "%d\n", temperature); + +- return sprintf(buf, "%d\n", temperature); ++ if (ret == -EAGAIN) ++ return -ENODATA; ++ ++ return ret; + } + + static ssize_t +-- +2.39.5 + diff --git a/queue-6.12/tools-build-fix-s390-x-cross-compilation-with-clang.patch b/queue-6.12/tools-build-fix-s390-x-cross-compilation-with-clang.patch new file mode 100644 index 0000000000..50ebd7bb2c --- /dev/null +++ b/queue-6.12/tools-build-fix-s390-x-cross-compilation-with-clang.patch @@ -0,0 +1,44 @@ +From ab697c12f14c29f534f639346bdc5d91e9c6ab03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 13:00:27 +0200 +Subject: tools/build: Fix s390(x) cross-compilation with clang +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit a40f0cdce78be8a559ee8a85c908049c65a410b2 ] + +The heuristic to derive a clang target triple from a GCC one does not work +for s390. GCC uses "s390-linux" while clang expects "s390x-linux" or +"powerz-linux". + +Add an explicit override. + +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20250620-tools-cross-s390-v2-1-ecda886e00e5@linutronix.de +Signed-off-by: Thomas Weißschuh +Signed-off-by: Sasha Levin +--- + tools/scripts/Makefile.include | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/scripts/Makefile.include b/tools/scripts/Makefile.include +index 0aa4005017c7..5f2afd95de43 100644 +--- a/tools/scripts/Makefile.include ++++ b/tools/scripts/Makefile.include +@@ -98,7 +98,9 @@ else ifneq ($(CROSS_COMPILE),) + # Allow userspace to override CLANG_CROSS_FLAGS to specify their own + # sysroots and flags or to avoid the GCC call in pure Clang builds. + ifeq ($(CLANG_CROSS_FLAGS),) +-CLANG_CROSS_FLAGS := --target=$(notdir $(CROSS_COMPILE:%-=%)) ++CLANG_TARGET := $(notdir $(CROSS_COMPILE:%-=%)) ++CLANG_TARGET := $(subst s390-linux,s390x-linux,$(CLANG_TARGET)) ++CLANG_CROSS_FLAGS := --target=$(CLANG_TARGET) + GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)gcc 2>/dev/null)) + ifneq ($(GCC_TOOLCHAIN_DIR),) + CLANG_CROSS_FLAGS += --prefix=$(GCC_TOOLCHAIN_DIR)$(notdir $(CROSS_COMPILE)) +-- +2.39.5 + diff --git a/queue-6.12/tools-nolibc-define-time_t-in-terms-of-__kernel_old_.patch b/queue-6.12/tools-nolibc-define-time_t-in-terms-of-__kernel_old_.patch new file mode 100644 index 0000000000..2e51b309e9 --- /dev/null +++ b/queue-6.12/tools-nolibc-define-time_t-in-terms-of-__kernel_old_.patch @@ -0,0 +1,54 @@ +From d8beafcbb8a885dd890eafad2d9c2e4377dcc39e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Jul 2025 11:00:55 +0200 +Subject: tools/nolibc: define time_t in terms of __kernel_old_time_t +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit d5094bcb5bfdfea2cf0de8aaf77cc65db56cbdb5 ] + +Nolibc assumes that the kernel ABI is using a time values that are as +large as a long integer. For most ABIs this holds true. +But for x32 this is not correct, as it uses 32bit longs but 64bit times. + +Also the 'struct stat' implementation of nolibc relies on timespec::tv_sec +and time_t being the same type. While timespec::tv_sec comes from the +kernel and is of type __kernel_old_time_t, time_t is defined within nolibc. + +Switch to the __kernel_old_time_t to always get the correct type. + +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20250712-nolibc-x32-v1-1-6d81cb798710@weissschuh.net +Acked-by: Willy Tarreau +Signed-off-by: Sasha Levin +--- + tools/include/nolibc/std.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/include/nolibc/std.h b/tools/include/nolibc/std.h +index 933bc0be7e1c..a9d8b5b51f37 100644 +--- a/tools/include/nolibc/std.h ++++ b/tools/include/nolibc/std.h +@@ -20,6 +20,8 @@ + + #include "stdint.h" + ++#include ++ + /* those are commonly provided by sys/types.h */ + typedef unsigned int dev_t; + typedef unsigned long ino_t; +@@ -31,6 +33,6 @@ typedef unsigned long nlink_t; + typedef signed long off_t; + typedef signed long blksize_t; + typedef signed long blkcnt_t; +-typedef signed long time_t; ++typedef __kernel_old_time_t time_t; + + #endif /* _NOLIBC_STD_H */ +-- +2.39.5 + diff --git a/queue-6.12/tools-power-turbostat-fix-build-with-musl.patch b/queue-6.12/tools-power-turbostat-fix-build-with-musl.patch new file mode 100644 index 0000000000..e05ca82aff --- /dev/null +++ b/queue-6.12/tools-power-turbostat-fix-build-with-musl.patch @@ -0,0 +1,42 @@ +From c706816a98b4e46eda80c619b3f8dd13f2b3c94a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 09:54:23 -0700 +Subject: tools/power turbostat: Fix build with musl + +From: Calvin Owens + +[ Upstream commit 6ea0ec1b958a84aff9f03fb0ae4613a4d5bed3ea ] + +turbostat.c: In function 'parse_int_file': + turbostat.c:5567:19: error: 'PATH_MAX' undeclared (first use in this function) + 5567 | char path[PATH_MAX]; + | ^~~~~~~~ + + turbostat.c: In function 'probe_graphics': + turbostat.c:6787:19: error: 'PATH_MAX' undeclared (first use in this function) + 6787 | char path[PATH_MAX]; + | ^~~~~~~~ + +Signed-off-by: Calvin Owens +Reviewed-by: Artem Bityutskiy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 8c876e9df1a9..9be6803ea10f 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -67,6 +67,7 @@ + #include + #include + #include ++#include + + #define UNUSED(x) (void)(x) + +-- +2.39.5 + diff --git a/queue-6.12/tools-power-turbostat-handle-cap_get_proc-enosys.patch b/queue-6.12/tools-power-turbostat-handle-cap_get_proc-enosys.patch new file mode 100644 index 0000000000..45ac5de141 --- /dev/null +++ b/queue-6.12/tools-power-turbostat-handle-cap_get_proc-enosys.patch @@ -0,0 +1,45 @@ +From b75289f8ca8de621e56a86ce404ca5bcad8976c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 19:20:28 -0700 +Subject: tools/power turbostat: Handle cap_get_proc() ENOSYS + +From: Calvin Owens + +[ Upstream commit d34fe509f5f76d9dc36291242d67c6528027ebbd ] + +Kernels configured with CONFIG_MULTIUSER=n have no cap_get_proc(). +Check for ENOSYS to recognize this case, and continue on to +attempt to access the requested MSRs (such as temperature). + +Signed-off-by: Calvin Owens +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 9be6803ea10f..b663a76d31f1 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -6246,8 +6246,16 @@ int check_for_cap_sys_rawio(void) + int ret = 0; + + caps = cap_get_proc(); +- if (caps == NULL) ++ if (caps == NULL) { ++ /* ++ * CONFIG_MULTIUSER=n kernels have no cap_get_proc() ++ * Allow them to continue and attempt to access MSRs ++ */ ++ if (errno == ENOSYS) ++ return 0; ++ + return 1; ++ } + + if (cap_get_flag(caps, CAP_SYS_RAWIO, CAP_EFFECTIVE, &cap_flag_value)) { + ret = 1; +-- +2.39.5 + diff --git a/queue-6.12/tools-power-turbostat-handle-non-root-legacy-uncore-.patch b/queue-6.12/tools-power-turbostat-handle-non-root-legacy-uncore-.patch new file mode 100644 index 0000000000..e87adb68b7 --- /dev/null +++ b/queue-6.12/tools-power-turbostat-handle-non-root-legacy-uncore-.patch @@ -0,0 +1,44 @@ +From d36098fc339969e8418f5e56d8ca52577c8da620 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Aug 2025 16:31:31 -0400 +Subject: tools/power turbostat: Handle non-root legacy-uncore sysfs + permissions + +From: Len Brown + +[ Upstream commit e60a13bcef206795d3ddf82f130fe8f570176d06 ] + +/sys/devices/system/cpu/intel_uncore_frequency/package_X_die_Y/ +may be readable by all, but +/sys/devices/system/cpu/intel_uncore_frequency/package_X_die_Y/current_freq_khz +may be readable only by root. + +Non-root turbostat users see complaints in this scenario. + +Fail probe of the interface if we can't read current_freq_khz. + +Reported-by: Artem Bityutskiy +Original-patch-by: Zhang Rui +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 4c322586730d..8c876e9df1a9 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -6409,7 +6409,8 @@ static void probe_intel_uncore_frequency_legacy(void) + sprintf(path_base, "/sys/devices/system/cpu/intel_uncore_frequency/package_%02d_die_%02d", i, + j); + +- if (access(path_base, R_OK)) ++ sprintf(path, "%s/current_freq_khz", path_base); ++ if (access(path, R_OK)) + continue; + + BIC_PRESENT(BIC_UNCORE_MHZ); +-- +2.39.5 + diff --git a/queue-6.12/tracefs-add-d_delete-to-remove-negative-dentries.patch b/queue-6.12/tracefs-add-d_delete-to-remove-negative-dentries.patch new file mode 100644 index 0000000000..10ddde1c4a --- /dev/null +++ b/queue-6.12/tracefs-add-d_delete-to-remove-negative-dentries.patch @@ -0,0 +1,57 @@ +From 2b68ef4ce7cebc95ad5c3516ebb3857655728219 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 12:18:15 -0400 +Subject: tracefs: Add d_delete to remove negative dentries + +From: Steven Rostedt + +[ Upstream commit d9b13cdad80dc11d74408cf201939a946e9303a6 ] + +If a lookup in tracefs is done on a file that does not exist, it leaves a +dentry hanging around until memory pressure removes it. But eventfs +dentries should hang around as when their ref count goes to zero, it +requires more work to recreate it. For the rest of the tracefs dentries, +they hang around as their dentry is used as a descriptor for the tracing +system. But if a file lookup happens for a file in tracefs that does not +exist, it should be deleted. + +Add a .d_delete callback that checks if dentry->fsdata is set or not. Only +eventfs dentries set fsdata so if it has content it should not be deleted +and should hang around in the cache. + +Reported-by: Al Viro +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/tracefs/inode.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c +index cfc614c638da..9f15d606dfde 100644 +--- a/fs/tracefs/inode.c ++++ b/fs/tracefs/inode.c +@@ -464,9 +464,20 @@ static int tracefs_d_revalidate(struct dentry *dentry, unsigned int flags) + return !(ei && ei->is_freed); + } + ++static int tracefs_d_delete(const struct dentry *dentry) ++{ ++ /* ++ * We want to keep eventfs dentries around but not tracefs ++ * ones. eventfs dentries have content in d_fsdata. ++ * Use d_fsdata to determine if it's a eventfs dentry or not. ++ */ ++ return dentry->d_fsdata == NULL; ++} ++ + static const struct dentry_operations tracefs_dentry_operations = { + .d_revalidate = tracefs_d_revalidate, + .d_release = tracefs_d_release, ++ .d_delete = tracefs_d_delete, + }; + + static int tracefs_fill_super(struct super_block *sb, struct fs_context *fc) +-- +2.39.5 + diff --git a/queue-6.12/tty-serial-fix-print-format-specifiers.patch b/queue-6.12/tty-serial-fix-print-format-specifiers.patch new file mode 100644 index 0000000000..45be01ad80 --- /dev/null +++ b/queue-6.12/tty-serial-fix-print-format-specifiers.patch @@ -0,0 +1,202 @@ +From 51d3fdee3a9a321c9a233fd4d182cfbbad7791be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 23:56:53 -0700 +Subject: tty: serial: fix print format specifiers + +From: Joseph Tilahun + +[ Upstream commit 33a2515abd45c64911955ff1da179589db54f99f ] + +The serial info sometimes produces negative TX/RX counts. E.g.: + +3: uart:FSL_LPUART mmio:0x02970000 irq:46 tx:-1595870545 rx:339619 +RTS|CTS|DTR|DSR|CD + +It appears that the print format specifiers don't match with the types of +the respective variables. E.g.: All of the fields in struct uart_icount +are u32, but the format specifier used is %d, even though u32 is unsigned +and %d is for signed integers. Update drivers/tty/serial/serial_core.c +to use the proper format specifiers. Reference +https://docs.kernel.org/core-api/printk-formats.html as the documentation +for what format specifiers are the proper ones to use for a given C type. + +Signed-off-by: Joseph Tilahun +Link: https://lore.kernel.org/r/20250610065653.3750067-1-jtilahun@astranis.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_core.c | 44 ++++++++++++++++---------------- + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index d94d73e45fb6..440303566b14 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -1353,28 +1353,28 @@ static void uart_sanitize_serial_rs485_delays(struct uart_port *port, + if (!port->rs485_supported.delay_rts_before_send) { + if (rs485->delay_rts_before_send) { + dev_warn_ratelimited(port->dev, +- "%s (%d): RTS delay before sending not supported\n", ++ "%s (%u): RTS delay before sending not supported\n", + port->name, port->line); + } + rs485->delay_rts_before_send = 0; + } else if (rs485->delay_rts_before_send > RS485_MAX_RTS_DELAY) { + rs485->delay_rts_before_send = RS485_MAX_RTS_DELAY; + dev_warn_ratelimited(port->dev, +- "%s (%d): RTS delay before sending clamped to %u ms\n", ++ "%s (%u): RTS delay before sending clamped to %u ms\n", + port->name, port->line, rs485->delay_rts_before_send); + } + + if (!port->rs485_supported.delay_rts_after_send) { + if (rs485->delay_rts_after_send) { + dev_warn_ratelimited(port->dev, +- "%s (%d): RTS delay after sending not supported\n", ++ "%s (%u): RTS delay after sending not supported\n", + port->name, port->line); + } + rs485->delay_rts_after_send = 0; + } else if (rs485->delay_rts_after_send > RS485_MAX_RTS_DELAY) { + rs485->delay_rts_after_send = RS485_MAX_RTS_DELAY; + dev_warn_ratelimited(port->dev, +- "%s (%d): RTS delay after sending clamped to %u ms\n", ++ "%s (%u): RTS delay after sending clamped to %u ms\n", + port->name, port->line, rs485->delay_rts_after_send); + } + } +@@ -1404,14 +1404,14 @@ static void uart_sanitize_serial_rs485(struct uart_port *port, struct serial_rs4 + rs485->flags &= ~SER_RS485_RTS_AFTER_SEND; + + dev_warn_ratelimited(port->dev, +- "%s (%d): invalid RTS setting, using RTS_ON_SEND instead\n", ++ "%s (%u): invalid RTS setting, using RTS_ON_SEND instead\n", + port->name, port->line); + } else { + rs485->flags |= SER_RS485_RTS_AFTER_SEND; + rs485->flags &= ~SER_RS485_RTS_ON_SEND; + + dev_warn_ratelimited(port->dev, +- "%s (%d): invalid RTS setting, using RTS_AFTER_SEND instead\n", ++ "%s (%u): invalid RTS setting, using RTS_AFTER_SEND instead\n", + port->name, port->line); + } + } +@@ -1850,7 +1850,7 @@ static void uart_wait_until_sent(struct tty_struct *tty, int timeout) + + expire = jiffies + timeout; + +- pr_debug("uart_wait_until_sent(%d), jiffies=%lu, expire=%lu...\n", ++ pr_debug("uart_wait_until_sent(%u), jiffies=%lu, expire=%lu...\n", + port->line, jiffies, expire); + + /* +@@ -2046,7 +2046,7 @@ static void uart_line_info(struct seq_file *m, struct uart_driver *drv, int i) + return; + + mmio = uport->iotype >= UPIO_MEM; +- seq_printf(m, "%d: uart:%s %s%08llX irq:%d", ++ seq_printf(m, "%u: uart:%s %s%08llX irq:%u", + uport->line, uart_type(uport), + mmio ? "mmio:0x" : "port:", + mmio ? (unsigned long long)uport->mapbase +@@ -2068,18 +2068,18 @@ static void uart_line_info(struct seq_file *m, struct uart_driver *drv, int i) + if (pm_state != UART_PM_STATE_ON) + uart_change_pm(state, pm_state); + +- seq_printf(m, " tx:%d rx:%d", ++ seq_printf(m, " tx:%u rx:%u", + uport->icount.tx, uport->icount.rx); + if (uport->icount.frame) +- seq_printf(m, " fe:%d", uport->icount.frame); ++ seq_printf(m, " fe:%u", uport->icount.frame); + if (uport->icount.parity) +- seq_printf(m, " pe:%d", uport->icount.parity); ++ seq_printf(m, " pe:%u", uport->icount.parity); + if (uport->icount.brk) +- seq_printf(m, " brk:%d", uport->icount.brk); ++ seq_printf(m, " brk:%u", uport->icount.brk); + if (uport->icount.overrun) +- seq_printf(m, " oe:%d", uport->icount.overrun); ++ seq_printf(m, " oe:%u", uport->icount.overrun); + if (uport->icount.buf_overrun) +- seq_printf(m, " bo:%d", uport->icount.buf_overrun); ++ seq_printf(m, " bo:%u", uport->icount.buf_overrun); + + #define INFOBIT(bit, str) \ + if (uport->mctrl & (bit)) \ +@@ -2571,7 +2571,7 @@ uart_report_port(struct uart_driver *drv, struct uart_port *port) + break; + } + +- pr_info("%s%s%s at %s (irq = %d, base_baud = %d) is a %s\n", ++ pr_info("%s%s%s at %s (irq = %u, base_baud = %u) is a %s\n", + port->dev ? dev_name(port->dev) : "", + port->dev ? ": " : "", + port->name, +@@ -2579,7 +2579,7 @@ uart_report_port(struct uart_driver *drv, struct uart_port *port) + + /* The magic multiplier feature is a bit obscure, so report it too. */ + if (port->flags & UPF_MAGIC_MULTIPLIER) +- pr_info("%s%s%s extra baud rates supported: %d, %d", ++ pr_info("%s%s%s extra baud rates supported: %u, %u", + port->dev ? dev_name(port->dev) : "", + port->dev ? ": " : "", + port->name, +@@ -2978,7 +2978,7 @@ static ssize_t close_delay_show(struct device *dev, + struct tty_port *port = dev_get_drvdata(dev); + + uart_get_info(port, &tmp); +- return sprintf(buf, "%d\n", tmp.close_delay); ++ return sprintf(buf, "%u\n", tmp.close_delay); + } + + static ssize_t closing_wait_show(struct device *dev, +@@ -2988,7 +2988,7 @@ static ssize_t closing_wait_show(struct device *dev, + struct tty_port *port = dev_get_drvdata(dev); + + uart_get_info(port, &tmp); +- return sprintf(buf, "%d\n", tmp.closing_wait); ++ return sprintf(buf, "%u\n", tmp.closing_wait); + } + + static ssize_t custom_divisor_show(struct device *dev, +@@ -3008,7 +3008,7 @@ static ssize_t io_type_show(struct device *dev, + struct tty_port *port = dev_get_drvdata(dev); + + uart_get_info(port, &tmp); +- return sprintf(buf, "%d\n", tmp.io_type); ++ return sprintf(buf, "%u\n", tmp.io_type); + } + + static ssize_t iomem_base_show(struct device *dev, +@@ -3028,7 +3028,7 @@ static ssize_t iomem_reg_shift_show(struct device *dev, + struct tty_port *port = dev_get_drvdata(dev); + + uart_get_info(port, &tmp); +- return sprintf(buf, "%d\n", tmp.iomem_reg_shift); ++ return sprintf(buf, "%u\n", tmp.iomem_reg_shift); + } + + static ssize_t console_show(struct device *dev, +@@ -3168,7 +3168,7 @@ static int serial_core_add_one_port(struct uart_driver *drv, struct uart_port *u + state->pm_state = UART_PM_STATE_UNDEFINED; + uart_port_set_cons(uport, drv->cons); + uport->minor = drv->tty_driver->minor_start + uport->line; +- uport->name = kasprintf(GFP_KERNEL, "%s%d", drv->dev_name, ++ uport->name = kasprintf(GFP_KERNEL, "%s%u", drv->dev_name, + drv->tty_driver->name_base + uport->line); + if (!uport->name) { + ret = -ENOMEM; +@@ -3211,7 +3211,7 @@ static int serial_core_add_one_port(struct uart_driver *drv, struct uart_port *u + device_set_wakeup_capable(tty_dev, 1); + } else { + uport->flags |= UPF_DEAD; +- dev_err(uport->dev, "Cannot register tty device on line %d\n", ++ dev_err(uport->dev, "Cannot register tty device on line %u\n", + uport->line); + } + +-- +2.39.5 + diff --git a/queue-6.12/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch b/queue-6.12/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch new file mode 100644 index 0000000000..e85c52566d --- /dev/null +++ b/queue-6.12/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch @@ -0,0 +1,102 @@ +From ccfda119429d088ecbf5f99fd5f9d5c420abdb19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 07:39:33 -0700 +Subject: uapi: in6: restore visibility of most IPv6 socket options +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Kicinski + +[ Upstream commit 31557b3487b349464daf42bc4366153743c1e727 ] + +A decade ago commit 6d08acd2d32e ("in6: fix conflict with glibc") +hid the definitions of IPV6 options, because GCC was complaining +about duplicates. The commit did not list the warnings seen, but +trying to recreate them now I think they are (building iproute2): + +In file included from ./include/uapi/rdma/rdma_user_cm.h:39, + from rdma.h:16, + from res.h:9, + from res-ctx.c:7: +../include/uapi/linux/in6.h:171:9: warning: ‘IPV6_ADD_MEMBERSHIP’ redefined + 171 | #define IPV6_ADD_MEMBERSHIP 20 + | ^~~~~~~~~~~~~~~~~~~ +In file included from /usr/include/netinet/in.h:37, + from rdma.h:13: +/usr/include/bits/in.h:233:10: note: this is the location of the previous definition + 233 | # define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP + | ^~~~~~~~~~~~~~~~~~~ +../include/uapi/linux/in6.h:172:9: warning: ‘IPV6_DROP_MEMBERSHIP’ redefined + 172 | #define IPV6_DROP_MEMBERSHIP 21 + | ^~~~~~~~~~~~~~~~~~~~ +/usr/include/bits/in.h:234:10: note: this is the location of the previous definition + 234 | # define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP + | ^~~~~~~~~~~~~~~~~~~~ + +Compilers don't complain about redefinition if the defines +are identical, but here we have the kernel using the literal +value, and glibc using an indirection (defining to a name +of another define, with the same numerical value). + +Problem is, the commit in question hid all the IPV6 socket +options, and glibc has a pretty sparse list. For instance +it lacks Flow Label related options. Willem called this out +in commit 3fb321fde22d ("selftests/net: ipv6 flowlabel"): + + /* uapi/glibc weirdness may leave this undefined */ + #ifndef IPV6_FLOWINFO + #define IPV6_FLOWINFO 11 + #endif + +More interestingly some applications (socat) use +a #ifdef IPV6_FLOWINFO to gate compilation of thier +rudimentary flow label support. (For added confusion +socat misspells it as IPV4_FLOWINFO in some places.) + +Hide only the two defines we know glibc has a problem +with. If we discover more warnings we can hide more +but we should avoid covering the entire block of +defines for "IPV6 socket options". + +Link: https://patch.msgid.link/20250609143933.1654417-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/uapi/linux/in6.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h +index ff8d21f9e95b..5a47339ef7d7 100644 +--- a/include/uapi/linux/in6.h ++++ b/include/uapi/linux/in6.h +@@ -152,7 +152,6 @@ struct in6_flowlabel_req { + /* + * IPV6 socket options + */ +-#if __UAPI_DEF_IPV6_OPTIONS + #define IPV6_ADDRFORM 1 + #define IPV6_2292PKTINFO 2 + #define IPV6_2292HOPOPTS 3 +@@ -169,8 +168,10 @@ struct in6_flowlabel_req { + #define IPV6_MULTICAST_IF 17 + #define IPV6_MULTICAST_HOPS 18 + #define IPV6_MULTICAST_LOOP 19 ++#if __UAPI_DEF_IPV6_OPTIONS + #define IPV6_ADD_MEMBERSHIP 20 + #define IPV6_DROP_MEMBERSHIP 21 ++#endif + #define IPV6_ROUTER_ALERT 22 + #define IPV6_MTU_DISCOVER 23 + #define IPV6_MTU 24 +@@ -203,7 +204,6 @@ struct in6_flowlabel_req { + #define IPV6_IPSEC_POLICY 34 + #define IPV6_XFRM_POLICY 35 + #define IPV6_HDRINCL 36 +-#endif + + /* + * Multicast: +-- +2.39.5 + diff --git a/queue-6.12/udf-verify-partition-map-count.patch b/queue-6.12/udf-verify-partition-map-count.patch new file mode 100644 index 0000000000..60404a35a5 --- /dev/null +++ b/queue-6.12/udf-verify-partition-map-count.patch @@ -0,0 +1,54 @@ +From dc319b3a25f842b09ddc9c95475ea647030fa80c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 19:01:20 +0200 +Subject: udf: Verify partition map count + +From: Jan Kara + +[ Upstream commit 1a11201668e8635602577dcf06f2e96c591d8819 ] + +Verify that number of partition maps isn't insanely high which can lead +to large allocation in udf_sb_alloc_partition_maps(). All partition maps +have to fit in the LVD which is in a single block. + +Reported-by: syzbot+478f2c1a6f0f447a46bb@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 1c8a736b3309..b2f168b0a0d1 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1440,7 +1440,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, + struct genericPartitionMap *gpm; + uint16_t ident; + struct buffer_head *bh; +- unsigned int table_len; ++ unsigned int table_len, part_map_count; + int ret; + + bh = udf_read_tagged(sb, block, block, &ident); +@@ -1461,7 +1461,16 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, + "logical volume"); + if (ret) + goto out_bh; +- ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); ++ ++ part_map_count = le32_to_cpu(lvd->numPartitionMaps); ++ if (part_map_count > table_len / sizeof(struct genericPartitionMap1)) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Too many partition maps (%u > %u)\n", part_map_count, ++ table_len / (unsigned)sizeof(struct genericPartitionMap1)); ++ ret = -EIO; ++ goto out_bh; ++ } ++ ret = udf_sb_alloc_partition_maps(sb, part_map_count); + if (ret) + goto out_bh; + +-- +2.39.5 + diff --git a/queue-6.12/um-re-evaluate-thread-flags-repeatedly.patch b/queue-6.12/um-re-evaluate-thread-flags-repeatedly.patch new file mode 100644 index 0000000000..4f4a121a50 --- /dev/null +++ b/queue-6.12/um-re-evaluate-thread-flags-repeatedly.patch @@ -0,0 +1,78 @@ +From 92c717eb565545d4ff7270042d4a5eaa0ff15c40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 14:34:47 +0200 +Subject: um: Re-evaluate thread flags repeatedly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit b9e2f2246eb2b5617d53af7b5e4e1b8c916f26a8 ] + +The thread flags may change during their processing. +For example a task_work can queue a new signal to be sent. +This signal should be delivered before returning to usespace again. + +Evaluate the flags repeatedly similar to other architectures. + +Signed-off-by: Thomas Weißschuh +Reviewed-by: Nam Cao +Link: https://patch.msgid.link/20250704-uml-thread_flags-v1-1-0e293fd8d627@linutronix.de +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/include/asm/thread_info.h | 4 ++++ + arch/um/kernel/process.c | 20 ++++++++++++-------- + 2 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/arch/um/include/asm/thread_info.h b/arch/um/include/asm/thread_info.h +index c7b4b49826a2..40d823f36c09 100644 +--- a/arch/um/include/asm/thread_info.h ++++ b/arch/um/include/asm/thread_info.h +@@ -68,7 +68,11 @@ static inline struct thread_info *current_thread_info(void) + #define _TIF_NOTIFY_SIGNAL (1 << TIF_NOTIFY_SIGNAL) + #define _TIF_MEMDIE (1 << TIF_MEMDIE) + #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) ++#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) + #define _TIF_SECCOMP (1 << TIF_SECCOMP) + #define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP) + ++#define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | _TIF_NOTIFY_SIGNAL | \ ++ _TIF_NOTIFY_RESUME) ++ + #endif +diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c +index 9c6cf03ed02b..eaeeedd62930 100644 +--- a/arch/um/kernel/process.c ++++ b/arch/um/kernel/process.c +@@ -81,14 +81,18 @@ struct task_struct *__switch_to(struct task_struct *from, struct task_struct *to + void interrupt_end(void) + { + struct pt_regs *regs = ¤t->thread.regs; +- +- if (need_resched()) +- schedule(); +- if (test_thread_flag(TIF_SIGPENDING) || +- test_thread_flag(TIF_NOTIFY_SIGNAL)) +- do_signal(regs); +- if (test_thread_flag(TIF_NOTIFY_RESUME)) +- resume_user_mode_work(regs); ++ unsigned long thread_flags; ++ ++ thread_flags = read_thread_flags(); ++ while (thread_flags & _TIF_WORK_MASK) { ++ if (thread_flags & _TIF_NEED_RESCHED) ++ schedule(); ++ if (thread_flags & (_TIF_SIGPENDING | _TIF_NOTIFY_SIGNAL)) ++ do_signal(regs); ++ if (thread_flags & _TIF_NOTIFY_RESUME) ++ resume_user_mode_work(regs); ++ thread_flags = read_thread_flags(); ++ } + } + + int get_current_pid(void) +-- +2.39.5 + diff --git a/queue-6.12/usb-core-usb_submit_urb-downgrade-type-check.patch b/queue-6.12/usb-core-usb_submit_urb-downgrade-type-check.patch new file mode 100644 index 0000000000..ce71d51498 --- /dev/null +++ b/queue-6.12/usb-core-usb_submit_urb-downgrade-type-check.patch @@ -0,0 +1,40 @@ +From 7850486bdf7fa672e958515c5e92bcef5446693d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 14:20:25 +0200 +Subject: usb: core: usb_submit_urb: downgrade type check + +From: Oliver Neukum + +[ Upstream commit 503bbde34cc3dd2acd231f277ba70c3f9ed22e59 ] + +Checking for the endpoint type is no reason for a WARN, as that can +cause a reboot. A driver not checking the endpoint type must not cause a +reboot, as there is just no point in this. We cannot prevent a device +from doing something incorrect as a reaction to a transfer. Hence +warning for a mere assumption being wrong is not sensible. + +Signed-off-by: Oliver Neukum +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250612122149.2559724-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/urb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index 7576920e2d5a..9f202f575cec 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -500,7 +500,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags) + + /* Check that the pipe's type matches the endpoint's type */ + if (usb_pipe_type_check(urb->dev, urb->pipe)) +- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", ++ dev_warn_once(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", + usb_pipetype(urb->pipe), pipetypes[xfertype]); + + /* Check against a simple/standard policy */ +-- +2.39.5 + diff --git a/queue-6.12/usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch b/queue-6.12/usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch new file mode 100644 index 0000000000..8ed0b8c010 --- /dev/null +++ b/queue-6.12/usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch @@ -0,0 +1,40 @@ +From b1e82d30944a7a30092c1a4ca3ae05abc5ded623 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 17:40:58 +0200 +Subject: usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present + +From: Tomasz Michalec + +[ Upstream commit df9a825f330e76c72d1985bc9bdc4b8981e3d15f ] + +If pmc_usb_probe is called before SCU IPC is registered, pmc_usb_probe +will fail. + +Return -EPROBE_DEFER when pmc_usb_probe doesn't get SCU IPC device, so +the probe function can be called again after SCU IPC is initialized. + +Signed-off-by: Tomasz Michalec +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250610154058.1859812-1-tmichalec@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/mux/intel_pmc_mux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/mux/intel_pmc_mux.c b/drivers/usb/typec/mux/intel_pmc_mux.c +index 46b4c5c3a6be..32343f567d44 100644 +--- a/drivers/usb/typec/mux/intel_pmc_mux.c ++++ b/drivers/usb/typec/mux/intel_pmc_mux.c +@@ -754,7 +754,7 @@ static int pmc_usb_probe(struct platform_device *pdev) + + pmc->ipc = devm_intel_scu_ipc_dev_get(&pdev->dev); + if (!pmc->ipc) +- return -ENODEV; ++ return -EPROBE_DEFER; + + pmc->dev = &pdev->dev; + +-- +2.39.5 + diff --git a/queue-6.12/usb-typec-tcpm-tcpci_maxim-fix-irq-wake-usage.patch b/queue-6.12/usb-typec-tcpm-tcpci_maxim-fix-irq-wake-usage.patch new file mode 100644 index 0000000000..03f0959bc9 --- /dev/null +++ b/queue-6.12/usb-typec-tcpm-tcpci_maxim-fix-irq-wake-usage.patch @@ -0,0 +1,114 @@ +From 5a3a9eb393d1cd0828bf42258313f117f0dedbce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 11:50:27 +0100 +Subject: usb: typec: tcpm/tcpci_maxim: fix irq wake usage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: André Draszik + +[ Upstream commit 31611223fb34a3e9320cdfc4f4395072a13ea78e ] + +This driver calls enable_irq_wake() during probe() unconditionally, and +never issues the required corresponding disable_irq_wake() to disable +hardware interrupt wakeup signals. + +Additionally, whether or not a device should wake-up the system is +meant to be a policy decision based on sysfs (.../power/wakeup) in the +first place. + +Update the driver to use the standard approach to enable/disable IRQ +wake during the suspend/resume callbacks. This solves both issues +described above. + +Signed-off-by: André Draszik +Reviewed-by: Badhri Jagan Sridharan +Link: https://lore.kernel.org/r/20250707-max77759-irq-wake-v1-1-d367f633e4bc@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/tcpm/tcpci_maxim_core.c | 46 +++++++++++++++-------- + 1 file changed, 30 insertions(+), 16 deletions(-) + +diff --git a/drivers/usb/typec/tcpm/tcpci_maxim_core.c b/drivers/usb/typec/tcpm/tcpci_maxim_core.c +index 648311f5e3cf..eeaf79e97261 100644 +--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c ++++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c +@@ -421,21 +421,6 @@ static irqreturn_t max_tcpci_isr(int irq, void *dev_id) + return IRQ_WAKE_THREAD; + } + +-static int max_tcpci_init_alert(struct max_tcpci_chip *chip, struct i2c_client *client) +-{ +- int ret; +- +- ret = devm_request_threaded_irq(chip->dev, client->irq, max_tcpci_isr, max_tcpci_irq, +- (IRQF_TRIGGER_LOW | IRQF_ONESHOT), dev_name(chip->dev), +- chip); +- +- if (ret < 0) +- return ret; +- +- enable_irq_wake(client->irq); +- return 0; +-} +- + static int max_tcpci_start_toggling(struct tcpci *tcpci, struct tcpci_data *tdata, + enum typec_cc_status cc) + { +@@ -532,7 +517,9 @@ static int max_tcpci_probe(struct i2c_client *client) + + chip->port = tcpci_get_tcpm_port(chip->tcpci); + +- ret = max_tcpci_init_alert(chip, client); ++ ret = devm_request_threaded_irq(&client->dev, client->irq, max_tcpci_isr, max_tcpci_irq, ++ (IRQF_TRIGGER_LOW | IRQF_ONESHOT), dev_name(chip->dev), ++ chip); + if (ret < 0) + return dev_err_probe(&client->dev, ret, + "IRQ initialization failed\n"); +@@ -541,6 +528,32 @@ static int max_tcpci_probe(struct i2c_client *client) + return 0; + } + ++#ifdef CONFIG_PM_SLEEP ++static int max_tcpci_resume(struct device *dev) ++{ ++ struct i2c_client *client = to_i2c_client(dev); ++ int ret = 0; ++ ++ if (client->irq && device_may_wakeup(dev)) ++ ret = disable_irq_wake(client->irq); ++ ++ return ret; ++} ++ ++static int max_tcpci_suspend(struct device *dev) ++{ ++ struct i2c_client *client = to_i2c_client(dev); ++ int ret = 0; ++ ++ if (client->irq && device_may_wakeup(dev)) ++ ret = enable_irq_wake(client->irq); ++ ++ return ret; ++} ++#endif /* CONFIG_PM_SLEEP */ ++ ++static SIMPLE_DEV_PM_OPS(max_tcpci_pm_ops, max_tcpci_suspend, max_tcpci_resume); ++ + static const struct i2c_device_id max_tcpci_id[] = { + { "maxtcpc" }, + { } +@@ -559,6 +572,7 @@ static struct i2c_driver max_tcpci_i2c_driver = { + .driver = { + .name = "maxtcpc", + .of_match_table = of_match_ptr(max_tcpci_of_match), ++ .pm = &max_tcpci_pm_ops, + }, + .probe = max_tcpci_probe, + .id_table = max_tcpci_id, +-- +2.39.5 + diff --git a/queue-6.12/usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch b/queue-6.12/usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch new file mode 100644 index 0000000000..aa8db46789 --- /dev/null +++ b/queue-6.12/usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch @@ -0,0 +1,68 @@ +From 68bfed37f072ae68a991db421affcbd683e81737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 20:08:05 +0000 +Subject: usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and + Default + +From: Benson Leung + +[ Upstream commit af833e7f7db3cf4c82f063668e1b52297a30ec18 ] + +ucsi_psy_get_current_max would return 0mA as the maximum current if +UCSI detected a BC or a Default USB Power sporce. + +The comment in this function is true that we can't tell the difference +between DCP/CDP or SDP chargers, but we can guarantee that at least 1-unit +of USB 1.1/2.0 power is available, which is 100mA, which is a better +fallback value than 0, which causes some userspaces, including the ChromeOS +power manager, to regard this as a power source that is not providing +any power. + +In reality, 100mA is guaranteed from all sources in these classes. + +Signed-off-by: Benson Leung +Reviewed-by: Jameson Thies +Reviewed-by: Heikki Krogerus +Reviewed-by: Sebastian Reichel +Link: https://lore.kernel.org/r/20250717200805.3710473-1-bleung@chromium.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/ucsi/psy.c | 2 +- + drivers/usb/typec/ucsi/ucsi.h | 7 ++++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/typec/ucsi/psy.c b/drivers/usb/typec/ucsi/psy.c +index 1c631c7855a9..9447a50716ec 100644 +--- a/drivers/usb/typec/ucsi/psy.c ++++ b/drivers/usb/typec/ucsi/psy.c +@@ -164,7 +164,7 @@ static int ucsi_psy_get_current_max(struct ucsi_connector *con, + case UCSI_CONSTAT_PWR_OPMODE_DEFAULT: + /* UCSI can't tell b/w DCP/CDP or USB2/3x1/3x2 SDP chargers */ + default: +- val->intval = 0; ++ val->intval = UCSI_TYPEC_DEFAULT_CURRENT * 1000; + break; + } + return 0; +diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h +index 0568e643e844..25cff9658966 100644 +--- a/drivers/usb/typec/ucsi/ucsi.h ++++ b/drivers/usb/typec/ucsi/ucsi.h +@@ -412,9 +412,10 @@ struct ucsi { + #define UCSI_MAX_SVID 5 + #define UCSI_MAX_ALTMODES (UCSI_MAX_SVID * 6) + +-#define UCSI_TYPEC_VSAFE5V 5000 +-#define UCSI_TYPEC_1_5_CURRENT 1500 +-#define UCSI_TYPEC_3_0_CURRENT 3000 ++#define UCSI_TYPEC_VSAFE5V 5000 ++#define UCSI_TYPEC_DEFAULT_CURRENT 100 ++#define UCSI_TYPEC_1_5_CURRENT 1500 ++#define UCSI_TYPEC_3_0_CURRENT 3000 + + struct ucsi_connector { + int num; +-- +2.39.5 + diff --git a/queue-6.12/usb-xhci-avoid-showing-errors-during-surprise-remova.patch b/queue-6.12/usb-xhci-avoid-showing-errors-during-surprise-remova.patch new file mode 100644 index 0000000000..828be36018 --- /dev/null +++ b/queue-6.12/usb-xhci-avoid-showing-errors-during-surprise-remova.patch @@ -0,0 +1,60 @@ +From 3b451eee2fa1da4531ba8e2c0d3d5b9df7e065ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:31:05 +0300 +Subject: usb: xhci: Avoid showing errors during surprise removal + +From: Mario Limonciello + +[ Upstream commit 4b9c60e440525b729ac5f071e00bcee12e0a7e84 ] + +When a USB4 dock is unplugged from a system it won't respond to ring +events. The PCI core handles the surprise removal event and notifies +all PCI drivers. The XHCI PCI driver sets a flag that the device is +being removed as well. + +When that flag is set don't show messages in the cleanup path for +marking the controller dead. + +Signed-off-by: Mario Limonciello +Signed-off-by: Mathias Nyman +Acked-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250717073107.488599-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 19978f02bb9e..f6ecb3b9fb14 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1313,12 +1313,15 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci, + */ + void xhci_hc_died(struct xhci_hcd *xhci) + { ++ bool notify; + int i, j; + + if (xhci->xhc_state & XHCI_STATE_DYING) + return; + +- xhci_err(xhci, "xHCI host controller not responding, assume dead\n"); ++ notify = !(xhci->xhc_state & XHCI_STATE_REMOVING); ++ if (notify) ++ xhci_err(xhci, "xHCI host controller not responding, assume dead\n"); + xhci->xhc_state |= XHCI_STATE_DYING; + + xhci_cleanup_command_queue(xhci); +@@ -1332,7 +1335,7 @@ void xhci_hc_died(struct xhci_hcd *xhci) + } + + /* inform usb core hc died if PCI remove isn't already handling it */ +- if (!(xhci->xhc_state & XHCI_STATE_REMOVING)) ++ if (notify) + usb_hc_died(xhci_to_hcd(xhci)); + } + +-- +2.39.5 + diff --git a/queue-6.12/usb-xhci-avoid-showing-warnings-for-dying-controller.patch b/queue-6.12/usb-xhci-avoid-showing-warnings-for-dying-controller.patch new file mode 100644 index 0000000000..7f99cccc9d --- /dev/null +++ b/queue-6.12/usb-xhci-avoid-showing-warnings-for-dying-controller.patch @@ -0,0 +1,55 @@ +From 18c348fd6891930df868bdebdcfeb99cad70f2d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:31:06 +0300 +Subject: usb: xhci: Avoid showing warnings for dying controller + +From: Mario Limonciello + +[ Upstream commit 65fc0fc137b5da3ee1f4ca4f61050fcb203d7582 ] + +When a USB4 dock is unplugged from a system it won't respond to ring +events. The PCI core handles the surprise removal event and notifies +all PCI drivers. The XHCI PCI driver sets a flag that the device is +being removed, and when the device stops responding a flag is also +added to indicate it's dying. + +When that flag is set don't bother to show warnings about a missing +controller. + +Signed-off-by: Mario Limonciello +Signed-off-by: Mathias Nyman +Acked-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250717073107.488599-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 09a5a6604962..e399638d6000 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -119,7 +119,8 @@ int xhci_halt(struct xhci_hcd *xhci) + ret = xhci_handshake(&xhci->op_regs->status, + STS_HALT, STS_HALT, XHCI_MAX_HALT_USEC); + if (ret) { +- xhci_warn(xhci, "Host halt failed, %d\n", ret); ++ if (!(xhci->xhc_state & XHCI_STATE_DYING)) ++ xhci_warn(xhci, "Host halt failed, %d\n", ret); + return ret; + } + +@@ -178,7 +179,8 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us) + state = readl(&xhci->op_regs->status); + + if (state == ~(u32)0) { +- xhci_warn(xhci, "Host not accessible, reset failed.\n"); ++ if (!(xhci->xhc_state & XHCI_STATE_DYING)) ++ xhci_warn(xhci, "Host not accessible, reset failed.\n"); + return -ENODEV; + } + +-- +2.39.5 + diff --git a/queue-6.12/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch b/queue-6.12/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch new file mode 100644 index 0000000000..3a7381876b --- /dev/null +++ b/queue-6.12/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch @@ -0,0 +1,42 @@ +From 7f721f0b07ecc605ab643ad0e1bc8191175e5545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:01:18 +0800 +Subject: usb: xhci: print xhci->xhc_state when queue_command failed + +From: Su Hui + +[ Upstream commit 7919407eca2ef562fa6c98c41cfdf6f6cdd69d92 ] + +When encounters some errors like these: +xhci_hcd 0000:4a:00.2: xHCI dying or halted, can't queue_command +xhci_hcd 0000:4a:00.2: FIXME: allocate a command ring segment +usb usb5-port6: couldn't allocate usb_device + +It's hard to know whether xhc_state is dying or halted. So it's better +to print xhc_state's value which can help locate the resaon of the bug. + +Signed-off-by: Su Hui +Link: https://lore.kernel.org/r/20250725060117.1773770-1-suhui@nfschina.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 2ff8787f753c..19978f02bb9e 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -4378,7 +4378,8 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd, + + if ((xhci->xhc_state & XHCI_STATE_DYING) || + (xhci->xhc_state & XHCI_STATE_HALTED)) { +- xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n"); ++ xhci_dbg(xhci, "xHCI dying or halted, can't queue_command. state: 0x%x\n", ++ xhci->xhc_state); + return -ESHUTDOWN; + } + +-- +2.39.5 + diff --git a/queue-6.12/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch b/queue-6.12/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch new file mode 100644 index 0000000000..4bc8f9a361 --- /dev/null +++ b/queue-6.12/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch @@ -0,0 +1,61 @@ +From 31665e4da1c501ee8de53ccfdafad8be02bd4185 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:31:07 +0300 +Subject: usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command + +From: Jay Chen + +[ Upstream commit f72b9aa821a2bfe4b6dfec4be19f264d0673b008 ] + +There is a subtle contradiction between sections of the xHCI 1.2 spec +regarding the initialization of Input Endpoint Context fields. Section +4.8.2 ("Endpoint Context Initialization") states that all fields should +be initialized to 0. However, Section 6.2.3 ("Endpoint Context", p.453) +specifies that the Average TRB Length (avg_trb_len) field shall be +greater than 0, and explicitly notes (p.454): "Software shall set +Average TRB Length to '8' for control endpoints." + +Strictly setting all fields to 0 during initialization conflicts with +the specific recommendation for control endpoints. In practice, setting +avg_trb_len = 0 is not meaningful for the hardware/firmware, as the +value is used for bandwidth calculation. + +Motivation: Our company is developing a custom Virtual xHC hardware +platform that strictly follows the xHCI spec and its recommendations. +During validation, we observed that enumeration fails and a parameter +error (TRB Completion Code = 5) is reported if avg_trb_len for EP0 is +not set to 8 as recommended by Section 6.2.3. This demonstrates the +importance of assigning a meaningful, non-zero value to avg_trb_len, +even in virtualized or emulated environments. + +This patch explicitly sets avg_trb_len to 8 for EP0 in +xhci_setup_addressable_virt_dev(), as recommended in Section 6.2.3, to +prevent potential issues with xHCI host controllers that enforce the +spec strictly. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220033 +Signed-off-by: Jay Chen +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250717073107.488599-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mem.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 91178b8dbbf0..1111650757ea 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1172,6 +1172,8 @@ int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *ud + ep0_ctx->deq = cpu_to_le64(dev->eps[0].ring->first_seg->dma | + dev->eps[0].ring->cycle_state); + ++ ep0_ctx->tx_info = cpu_to_le32(EP_AVG_TRB_LENGTH(8)); ++ + trace_xhci_setup_addressable_virt_device(dev); + + /* Steps 7 and 8 were done in xhci_alloc_virt_device() */ +-- +2.39.5 + diff --git a/queue-6.12/vfio-mlx5-fix-possible-overflow-in-tracking-max-mess.patch b/queue-6.12/vfio-mlx5-fix-possible-overflow-in-tracking-max-mess.patch new file mode 100644 index 0000000000..155b8ad1d4 --- /dev/null +++ b/queue-6.12/vfio-mlx5-fix-possible-overflow-in-tracking-max-mess.patch @@ -0,0 +1,46 @@ +From 088b6f3b40d8e4b7fd227286fcac7fc34f87fbc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 14:40:17 +0000 +Subject: vfio/mlx5: fix possible overflow in tracking max message size + +From: Artem Sadovnikov + +[ Upstream commit b3060198483bac43ec113c62ae3837076f61f5de ] + +MLX cap pg_track_log_max_msg_size consists of 5 bits, value of which is +used as power of 2 for max_msg_size. This can lead to multiplication +overflow between max_msg_size (u32) and integer constant, and afterwards +incorrect value is being written to rq_size. + +Fix this issue by extending integer constant to u64 type. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Suggested-by: Alex Williamson +Signed-off-by: Artem Sadovnikov +Reviewed-by: Yishai Hadas +Link: https://lore.kernel.org/r/20250701144017.2410-2-a.sadovnikov@ispras.ru +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/mlx5/cmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/vfio/pci/mlx5/cmd.c b/drivers/vfio/pci/mlx5/cmd.c +index eb7387ee6ebd..e7d2251db626 100644 +--- a/drivers/vfio/pci/mlx5/cmd.c ++++ b/drivers/vfio/pci/mlx5/cmd.c +@@ -1538,8 +1538,8 @@ int mlx5vf_start_page_tracker(struct vfio_device *vdev, + log_max_msg_size = MLX5_CAP_ADV_VIRTUALIZATION(mdev, pg_track_log_max_msg_size); + max_msg_size = (1ULL << log_max_msg_size); + /* The RQ must hold at least 4 WQEs/messages for successful QP creation */ +- if (rq_size < 4 * max_msg_size) +- rq_size = 4 * max_msg_size; ++ if (rq_size < 4ULL * max_msg_size) ++ rq_size = 4ULL * max_msg_size; + + memset(tracker, 0, sizeof(*tracker)); + tracker->uar = mlx5_get_uars_page(mdev); +-- +2.39.5 + diff --git a/queue-6.12/vfio-type1-conditional-rescheduling-while-pinning.patch b/queue-6.12/vfio-type1-conditional-rescheduling-while-pinning.patch new file mode 100644 index 0000000000..d2c3d808e2 --- /dev/null +++ b/queue-6.12/vfio-type1-conditional-rescheduling-while-pinning.patch @@ -0,0 +1,74 @@ +From c7d5b5c2808fc24da8dd90cccaad769e2ba01ff0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 11:46:22 -0700 +Subject: vfio/type1: conditional rescheduling while pinning + +From: Keith Busch + +[ Upstream commit b1779e4f209c7ff7e32f3c79d69bca4e3a3a68b6 ] + +A large DMA mapping request can loop through dma address pinning for +many pages. In cases where THP can not be used, the repeated vmf_insert_pfn can +be costly, so let the task reschedule as need to prevent CPU stalls. Failure to +do so has potential harmful side effects, like increased memory pressure +as unrelated rcu tasks are unable to make their reclaim callbacks and +result in OOM conditions. + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 36-....: (20999 ticks this GP) idle=b01c/1/0x4000000000000000 softirq=35839/35839 fqs=3538 + rcu: hardirqs softirqs csw/system + rcu: number: 0 107 0 + rcu: cputime: 50 0 10446 ==> 10556(ms) + rcu: (t=21075 jiffies g=377761 q=204059 ncpus=384) +... + + ? asm_sysvec_apic_timer_interrupt+0x16/0x20 + ? walk_system_ram_range+0x63/0x120 + ? walk_system_ram_range+0x46/0x120 + ? pgprot_writethrough+0x20/0x20 + lookup_memtype+0x67/0xf0 + track_pfn_insert+0x20/0x40 + vmf_insert_pfn_prot+0x88/0x140 + vfio_pci_mmap_huge_fault+0xf9/0x1b0 [vfio_pci_core] + __do_fault+0x28/0x1b0 + handle_mm_fault+0xef1/0x2560 + fixup_user_fault+0xf5/0x270 + vaddr_get_pfns+0x169/0x2f0 [vfio_iommu_type1] + vfio_pin_pages_remote+0x162/0x8e0 [vfio_iommu_type1] + vfio_iommu_type1_ioctl+0x1121/0x1810 [vfio_iommu_type1] + ? futex_wake+0x1c1/0x260 + x64_sys_call+0x234/0x17a0 + do_syscall_64+0x63/0x130 + ? exc_page_fault+0x63/0x130 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Signed-off-by: Keith Busch +Reviewed-by: Paul E. McKenney +Link: https://lore.kernel.org/r/20250715184622.3561598-1-kbusch@meta.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 8338cfd61fe1..124997ce00d6 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -619,6 +619,13 @@ static long vfio_pin_pages_remote(struct vfio_dma *dma, unsigned long vaddr, + + while (npage) { + if (!batch->size) { ++ /* ++ * Large mappings may take a while to repeatedly refill ++ * the batch, so conditionally relinquish the CPU when ++ * needed to avoid stalls. ++ */ ++ cond_resched(); ++ + /* Empty batch, so refill it. */ + long req_pages = min_t(long, npage, batch->capacity); + +-- +2.39.5 + diff --git a/queue-6.12/vhost-fail-early-when-__vhost_add_used-fails.patch b/queue-6.12/vhost-fail-early-when-__vhost_add_used-fails.patch new file mode 100644 index 0000000000..5f2c75595d --- /dev/null +++ b/queue-6.12/vhost-fail-early-when-__vhost_add_used-fails.patch @@ -0,0 +1,43 @@ +From a8222ab79d8902c4034f5f524eaa4e01c669c50b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 16:47:53 +0800 +Subject: vhost: fail early when __vhost_add_used() fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Wang + +[ Upstream commit b4ba1207d45adaafa2982c035898b36af2d3e518 ] + +This patch fails vhost_add_used_n() early when __vhost_add_used() +fails to make sure used idx is not updated with stale used ring +information. + +Reported-by: Eugenio Pérez +Signed-off-by: Jason Wang +Message-Id: <20250714084755.11921-2-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Tested-by: Lei Yang +Signed-off-by: Sasha Levin +--- + drivers/vhost/vhost.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 79b0b7cd2860..71604668e53f 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2971,6 +2971,9 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads, + } + r = __vhost_add_used_n(vq, heads, count); + ++ if (r < 0) ++ return r; ++ + /* Make sure buffer is written before we update index. */ + smp_wmb(); + if (vhost_put_used_idx(vq)) { +-- +2.39.5 + diff --git a/queue-6.12/vsock-virtio-resize-receive-buffers-so-that-each-skb.patch b/queue-6.12/vsock-virtio-resize-receive-buffers-so-that-each-skb.patch new file mode 100644 index 0000000000..5612451976 --- /dev/null +++ b/queue-6.12/vsock-virtio-resize-receive-buffers-so-that-each-skb.patch @@ -0,0 +1,66 @@ +From 4ba7aa818ed71e7d715846fd1d6cec9ff97e64ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:01:11 +0100 +Subject: vsock/virtio: Resize receive buffers so that each SKB fits in a 4K + page + +From: Will Deacon + +[ Upstream commit 03a92f036a04fed2b00d69f5f46f1a486e70dc5c ] + +When allocating receive buffers for the vsock virtio RX virtqueue, an +SKB is allocated with a 4140 data payload (the 44-byte packet header + +VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE). Even when factoring in the SKB +overhead, the resulting 8KiB allocation thanks to the rounding in +kmalloc_reserve() is wasteful (~3700 unusable bytes) and results in a +higher-order page allocation on systems with 4KiB pages just for the +sake of a few hundred bytes of packet data. + +Limit the vsock virtio RX buffers to 4KiB per SKB, resulting in much +better memory utilisation and removing the need to allocate higher-order +pages entirely. + +Reviewed-by: Stefano Garzarella +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-5-will@kernel.org> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + include/linux/virtio_vsock.h | 7 ++++++- + net/vmw_vsock/virtio_transport.c | 2 +- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/include/linux/virtio_vsock.h b/include/linux/virtio_vsock.h +index 36fb3edfa403..6c00687539cf 100644 +--- a/include/linux/virtio_vsock.h ++++ b/include/linux/virtio_vsock.h +@@ -111,7 +111,12 @@ static inline size_t virtio_vsock_skb_len(struct sk_buff *skb) + return (size_t)(skb_end_pointer(skb) - skb->head); + } + +-#define VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE (1024 * 4) ++/* Dimension the RX SKB so that the entire thing fits exactly into ++ * a single 4KiB page. This avoids wasting memory due to alloc_skb() ++ * rounding up to the next page order and also means that we ++ * don't leave higher-order pages sitting around in the RX queue. ++ */ ++#define VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE SKB_WITH_OVERHEAD(1024 * 4) + #define VIRTIO_VSOCK_MAX_BUF_SIZE 0xFFFFFFFFUL + #define VIRTIO_VSOCK_MAX_PKT_BUF_SIZE (1024 * 64) + +diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c +index f0e48e6911fc..f01f9e878106 100644 +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -307,7 +307,7 @@ virtio_transport_cancel_pkt(struct vsock_sock *vsk) + + static void virtio_vsock_rx_fill(struct virtio_vsock *vsock) + { +- int total_len = VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM; ++ int total_len = VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE; + struct scatterlist pkt, *p; + struct virtqueue *vq; + struct sk_buff *skb; +-- +2.39.5 + diff --git a/queue-6.12/watchdog-dw_wdt-fix-default-timeout.patch b/queue-6.12/watchdog-dw_wdt-fix-default-timeout.patch new file mode 100644 index 0000000000..5eb3d21693 --- /dev/null +++ b/queue-6.12/watchdog-dw_wdt-fix-default-timeout.patch @@ -0,0 +1,43 @@ +From 5f9110f9a6c5706dee89ab39168fc0208a7bc861 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 18:55:02 +0200 +Subject: watchdog: dw_wdt: Fix default timeout + +From: Sebastian Reichel + +[ Upstream commit ac3dbb91e0167d017f44701dd51c1efe30d0c256 ] + +The Synopsys Watchdog driver sets the default timeout to 30 seconds, +but on some devices this is not a valid timeout. E.g. on RK3588 the +actual timeout being used is 44 seconds instead. + +Once the watchdog is started the value is updated accordingly, but +it would be better to expose a sensible timeout to userspace without +the need to first start the watchdog. + +Signed-off-by: Sebastian Reichel +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250717-dw-wdt-fix-initial-timeout-v1-1-86dc864d48dd@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/dw_wdt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/watchdog/dw_wdt.c b/drivers/watchdog/dw_wdt.c +index 84dca3695f86..e5e6d7f15918 100644 +--- a/drivers/watchdog/dw_wdt.c ++++ b/drivers/watchdog/dw_wdt.c +@@ -644,6 +644,8 @@ static int dw_wdt_drv_probe(struct platform_device *pdev) + } else { + wdd->timeout = DW_WDT_DEFAULT_SECONDS; + watchdog_init_timeout(wdd, 0, dev); ++ /* Limit timeout value to hardware constraints. */ ++ dw_wdt_set_timeout(wdd, wdd->timeout); + } + + platform_set_drvdata(pdev, dw_wdt); +-- +2.39.5 + diff --git a/queue-6.12/watchdog-itco_wdt-report-error-if-timeout-configurat.patch b/queue-6.12/watchdog-itco_wdt-report-error-if-timeout-configurat.patch new file mode 100644 index 0000000000..59a1413578 --- /dev/null +++ b/queue-6.12/watchdog-itco_wdt-report-error-if-timeout-configurat.patch @@ -0,0 +1,54 @@ +From 2b43727c00c20272c04806cfddc1877f8d834ed6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 15:35:18 +0800 +Subject: watchdog: iTCO_wdt: Report error if timeout configuration fails + +From: Ziyan Fu + +[ Upstream commit 40efc43eb7ffb5a4e2f998c13b8cfb555e671b92 ] + +The driver probes with the invalid timeout value when +'iTCO_wdt_set_timeout()' fails, as its return value is not checked. In +this case, when executing "wdctl", we may get: + +Device: /dev/watchdog0 +Timeout: 30 seconds +Timeleft: 613 seconds + +The timeout value is the value of "heartbeat" or "WATCHDOG_TIMEOUT", and +the timeleft value is calculated from the register value we actually read +(0xffff) by masking with 0x3ff and converting ticks to seconds (* 6 / 10). + +Add error handling to return the failure code if 'iTCO_wdt_set_timeout()' +fails, ensuring the driver probe fails and prevents invalid operation. + +Signed-off-by: Ziyan Fu +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250704073518.7838-1-13281011316@163.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/iTCO_wdt.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/iTCO_wdt.c b/drivers/watchdog/iTCO_wdt.c +index f01ed38aba67..d5c91759dc00 100644 +--- a/drivers/watchdog/iTCO_wdt.c ++++ b/drivers/watchdog/iTCO_wdt.c +@@ -601,7 +601,11 @@ static int iTCO_wdt_probe(struct platform_device *pdev) + /* Check that the heartbeat value is within it's range; + if not reset to the default */ + if (iTCO_wdt_set_timeout(&p->wddev, heartbeat)) { +- iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT); ++ ret = iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT); ++ if (ret != 0) { ++ dev_err(dev, "Failed to set watchdog timeout (%d)\n", WATCHDOG_TIMEOUT); ++ return ret; ++ } + dev_info(dev, "timeout value out of range, using %d\n", + WATCHDOG_TIMEOUT); + } +-- +2.39.5 + diff --git a/queue-6.12/watchdog-sbsa-adjust-keepalive-timeout-to-avoid-medi.patch b/queue-6.12/watchdog-sbsa-adjust-keepalive-timeout-to-avoid-medi.patch new file mode 100644 index 0000000000..b1f266da49 --- /dev/null +++ b/queue-6.12/watchdog-sbsa-adjust-keepalive-timeout-to-avoid-medi.patch @@ -0,0 +1,129 @@ +From 282c95849aff0fce4dc33cd82fc69f61a2a7cf87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 16:06:39 -0700 +Subject: watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race + condition + +From: Aaron Plattner + +[ Upstream commit 48defdf6b083f74a44e1f742db284960d3444aec ] + +The MediaTek implementation of the sbsa_gwdt watchdog has a race +condition where a write to SBSA_GWDT_WRR is ignored if it occurs while +the hardware is processing a timeout refresh that asserts WS0. + +Detect this based on the hardware implementer and adjust +wdd->min_hw_heartbeat_ms to avoid the race by forcing the keepalive ping +to be one second later. + +Signed-off-by: Aaron Plattner +Acked-by: Timur Tabi +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250721230640.2244915-1-aplattner@nvidia.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/sbsa_gwdt.c | 50 +++++++++++++++++++++++++++++++++--- + 1 file changed, 47 insertions(+), 3 deletions(-) + +diff --git a/drivers/watchdog/sbsa_gwdt.c b/drivers/watchdog/sbsa_gwdt.c +index 5f23913ce3b4..6ce1bfb39064 100644 +--- a/drivers/watchdog/sbsa_gwdt.c ++++ b/drivers/watchdog/sbsa_gwdt.c +@@ -75,11 +75,17 @@ + #define SBSA_GWDT_VERSION_MASK 0xF + #define SBSA_GWDT_VERSION_SHIFT 16 + ++#define SBSA_GWDT_IMPL_MASK 0x7FF ++#define SBSA_GWDT_IMPL_SHIFT 0 ++#define SBSA_GWDT_IMPL_MEDIATEK 0x426 ++ + /** + * struct sbsa_gwdt - Internal representation of the SBSA GWDT + * @wdd: kernel watchdog_device structure + * @clk: store the System Counter clock frequency, in Hz. + * @version: store the architecture version ++ * @need_ws0_race_workaround: ++ * indicate whether to adjust wdd->timeout to avoid a race with WS0 + * @refresh_base: Virtual address of the watchdog refresh frame + * @control_base: Virtual address of the watchdog control frame + */ +@@ -87,6 +93,7 @@ struct sbsa_gwdt { + struct watchdog_device wdd; + u32 clk; + int version; ++ bool need_ws0_race_workaround; + void __iomem *refresh_base; + void __iomem *control_base; + }; +@@ -161,6 +168,31 @@ static int sbsa_gwdt_set_timeout(struct watchdog_device *wdd, + */ + sbsa_gwdt_reg_write(((u64)gwdt->clk / 2) * timeout, gwdt); + ++ /* ++ * Some watchdog hardware has a race condition where it will ignore ++ * sbsa_gwdt_keepalive() if it is called at the exact moment that a ++ * timeout occurs and WS0 is being asserted. Unfortunately, the default ++ * behavior of the watchdog core is very likely to trigger this race ++ * when action=0 because it programs WOR to be half of the desired ++ * timeout, and watchdog_next_keepalive() chooses the exact same time to ++ * send keepalive pings. ++ * ++ * This triggers a race where sbsa_gwdt_keepalive() can be called right ++ * as WS0 is being asserted, and affected hardware will ignore that ++ * write and continue to assert WS0. After another (timeout / 2) ++ * seconds, the same race happens again. If the driver wins then the ++ * explicit refresh will reset WS0 to false but if the hardware wins, ++ * then WS1 is asserted and the system resets. ++ * ++ * Avoid the problem by scheduling keepalive heartbeats one second later ++ * than the WOR timeout. ++ * ++ * This workaround might not be needed in a future revision of the ++ * hardware. ++ */ ++ if (gwdt->need_ws0_race_workaround) ++ wdd->min_hw_heartbeat_ms = timeout * 500 + 1000; ++ + return 0; + } + +@@ -202,12 +234,15 @@ static int sbsa_gwdt_keepalive(struct watchdog_device *wdd) + static void sbsa_gwdt_get_version(struct watchdog_device *wdd) + { + struct sbsa_gwdt *gwdt = watchdog_get_drvdata(wdd); +- int ver; ++ int iidr, ver, impl; + +- ver = readl(gwdt->control_base + SBSA_GWDT_W_IIDR); +- ver = (ver >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK; ++ iidr = readl(gwdt->control_base + SBSA_GWDT_W_IIDR); ++ ver = (iidr >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK; ++ impl = (iidr >> SBSA_GWDT_IMPL_SHIFT) & SBSA_GWDT_IMPL_MASK; + + gwdt->version = ver; ++ gwdt->need_ws0_race_workaround = ++ !action && (impl == SBSA_GWDT_IMPL_MEDIATEK); + } + + static int sbsa_gwdt_start(struct watchdog_device *wdd) +@@ -299,6 +334,15 @@ static int sbsa_gwdt_probe(struct platform_device *pdev) + else + wdd->max_hw_heartbeat_ms = GENMASK_ULL(47, 0) / gwdt->clk * 1000; + ++ if (gwdt->need_ws0_race_workaround) { ++ /* ++ * A timeout of 3 seconds means that WOR will be set to 1.5 ++ * seconds and the heartbeat will be scheduled every 2.5 ++ * seconds. ++ */ ++ wdd->min_timeout = 3; ++ } ++ + status = readl(cf_base + SBSA_GWDT_WCS); + if (status & SBSA_GWDT_WCS_WS1) { + dev_warn(dev, "System reset by WDT.\n"); +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath10k-shutdown-driver-when-hardware-is-unrelia.patch b/queue-6.12/wifi-ath10k-shutdown-driver-when-hardware-is-unrelia.patch new file mode 100644 index 0000000000..2dc4f3f40e --- /dev/null +++ b/queue-6.12/wifi-ath10k-shutdown-driver-when-hardware-is-unrelia.patch @@ -0,0 +1,212 @@ +From 82888184f9dc6c8d4211f84512e8791de171bc4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 10:27:31 +0800 +Subject: wifi: ath10k: shutdown driver when hardware is unreliable + +From: Kang Yang + +[ Upstream commit c256a94d1b1b15109740306f7f2a7c2173e12072 ] + +In rare cases, ath10k may lose connection with the PCIe bus due to +some unknown reasons, which could further lead to system crashes during +resuming due to watchdog timeout: + +ath10k_pci 0000:01:00.0: wmi command 20486 timeout, restarting hardware +ath10k_pci 0000:01:00.0: already restarting +ath10k_pci 0000:01:00.0: failed to stop WMI vdev 0: -11 +ath10k_pci 0000:01:00.0: failed to stop vdev 0: -11 +ieee80211 phy0: PM: **** DPM device timeout **** +Call Trace: + panic+0x125/0x315 + dpm_watchdog_set+0x54/0x54 + dpm_watchdog_handler+0x57/0x57 + call_timer_fn+0x31/0x13c + +At this point, all WMI commands will timeout and attempt to restart +device. So set a threshold for consecutive restart failures. If the +threshold is exceeded, consider the hardware is unreliable and all +ath10k operations should be skipped to avoid system crash. + +fail_cont_count and pending_recovery are atomic variables, and +do not involve complex conditional logic. Therefore, even if recovery +check and reconfig complete are executed concurrently, the recovery +mechanism will not be broken. + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1 + +Signed-off-by: Kang Yang +Reviewed-by: Loic Poulain +Link: https://patch.msgid.link/20250623022731.509-1-kang.yang@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/core.c | 48 +++++++++++++++++++++++--- + drivers/net/wireless/ath/ath10k/core.h | 11 ++++-- + drivers/net/wireless/ath/ath10k/mac.c | 7 +++- + drivers/net/wireless/ath/ath10k/wmi.c | 6 ++++ + 4 files changed, 63 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c +index b3294287bce1..7b6812909ab3 100644 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -2484,12 +2484,50 @@ static int ath10k_init_hw_params(struct ath10k *ar) + return 0; + } + ++static bool ath10k_core_needs_recovery(struct ath10k *ar) ++{ ++ long time_left; ++ ++ /* Sometimes the recovery will fail and then the next all recovery fail, ++ * so avoid infinite recovery. ++ */ ++ if (atomic_read(&ar->fail_cont_count) >= ATH10K_RECOVERY_MAX_FAIL_COUNT) { ++ ath10k_err(ar, "consecutive fail %d times, will shutdown driver!", ++ atomic_read(&ar->fail_cont_count)); ++ ar->state = ATH10K_STATE_WEDGED; ++ return false; ++ } ++ ++ ath10k_dbg(ar, ATH10K_DBG_BOOT, "total recovery count: %d", ++ar->recovery_count); ++ ++ if (atomic_read(&ar->pending_recovery)) { ++ /* Sometimes it happened another recovery work before the previous one ++ * completed, then the second recovery work will destroy the previous ++ * one, thus below is to avoid that. ++ */ ++ time_left = wait_for_completion_timeout(&ar->driver_recovery, ++ ATH10K_RECOVERY_TIMEOUT_HZ); ++ if (time_left) { ++ ath10k_warn(ar, "previous recovery succeeded, skip this!\n"); ++ return false; ++ } ++ ++ /* Record the continuous recovery fail count when recovery failed. */ ++ atomic_inc(&ar->fail_cont_count); ++ ++ /* Avoid having multiple recoveries at the same time. */ ++ return false; ++ } ++ ++ atomic_inc(&ar->pending_recovery); ++ ++ return true; ++} ++ + void ath10k_core_start_recovery(struct ath10k *ar) + { +- if (test_and_set_bit(ATH10K_FLAG_RESTARTING, &ar->dev_flags)) { +- ath10k_warn(ar, "already restarting\n"); ++ if (!ath10k_core_needs_recovery(ar)) + return; +- } + + queue_work(ar->workqueue, &ar->restart_work); + } +@@ -2525,6 +2563,8 @@ static void ath10k_core_restart(struct work_struct *work) + struct ath10k *ar = container_of(work, struct ath10k, restart_work); + int ret; + ++ reinit_completion(&ar->driver_recovery); ++ + set_bit(ATH10K_FLAG_CRASH_FLUSH, &ar->dev_flags); + + /* Place a barrier to make sure the compiler doesn't reorder +@@ -2589,8 +2629,6 @@ static void ath10k_core_restart(struct work_struct *work) + if (ret) + ath10k_warn(ar, "failed to send firmware crash dump via devcoredump: %d", + ret); +- +- complete(&ar->driver_recovery); + } + + static void ath10k_core_set_coverage_class_work(struct work_struct *work) +diff --git a/drivers/net/wireless/ath/ath10k/core.h b/drivers/net/wireless/ath/ath10k/core.h +index 446dca74f06a..85e16c945b5c 100644 +--- a/drivers/net/wireless/ath/ath10k/core.h ++++ b/drivers/net/wireless/ath/ath10k/core.h +@@ -4,6 +4,7 @@ + * Copyright (c) 2011-2017 Qualcomm Atheros, Inc. + * Copyright (c) 2018-2019, The Linux Foundation. All rights reserved. + * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. + */ + + #ifndef _CORE_H_ +@@ -87,6 +88,8 @@ + IEEE80211_IFACE_SKIP_SDATA_NOT_IN_DRIVER) + #define ATH10K_ITER_RESUME_FLAGS (IEEE80211_IFACE_ITER_RESUME_ALL |\ + IEEE80211_IFACE_SKIP_SDATA_NOT_IN_DRIVER) ++#define ATH10K_RECOVERY_TIMEOUT_HZ (5 * HZ) ++#define ATH10K_RECOVERY_MAX_FAIL_COUNT 4 + + struct ath10k; + +@@ -865,9 +868,6 @@ enum ath10k_dev_flags { + /* Per Station statistics service */ + ATH10K_FLAG_PEER_STATS, + +- /* Indicates that ath10k device is during recovery process and not complete */ +- ATH10K_FLAG_RESTARTING, +- + /* protected by conf_mutex */ + ATH10K_FLAG_NAPI_ENABLED, + }; +@@ -1211,6 +1211,11 @@ struct ath10k { + struct work_struct bundle_tx_work; + struct work_struct tx_complete_work; + ++ atomic_t pending_recovery; ++ unsigned int recovery_count; ++ /* continuous recovery fail count */ ++ atomic_t fail_cont_count; ++ + /* cycle count is reported twice for each visited channel during scan. + * access protected by data_lock + */ +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 6b467696bc98..6493731333ab 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -8125,7 +8125,12 @@ static void ath10k_reconfig_complete(struct ieee80211_hw *hw, + ath10k_info(ar, "device successfully recovered\n"); + ar->state = ATH10K_STATE_ON; + ieee80211_wake_queues(ar->hw); +- clear_bit(ATH10K_FLAG_RESTARTING, &ar->dev_flags); ++ ++ /* Clear recovery state. */ ++ complete(&ar->driver_recovery); ++ atomic_set(&ar->fail_cont_count, 0); ++ atomic_set(&ar->pending_recovery, 0); ++ + if (ar->hw_params.hw_restart_disconnect) { + list_for_each_entry(arvif, &ar->arvifs, list) { + if (arvif->is_up && arvif->vdev_type == WMI_VDEV_TYPE_STA) +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c +index 5e061f7525a6..09066e6aca40 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -4,6 +4,7 @@ + * Copyright (c) 2011-2017 Qualcomm Atheros, Inc. + * Copyright (c) 2018-2019, The Linux Foundation. All rights reserved. + * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. + */ + + #include +@@ -1941,6 +1942,11 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id) + } + + wait_event_timeout(ar->wmi.tx_credits_wq, ({ ++ if (ar->state == ATH10K_STATE_WEDGED) { ++ ret = -ESHUTDOWN; ++ ath10k_dbg(ar, ATH10K_DBG_WMI, ++ "drop wmi command %d, hardware is wedged\n", cmd_id); ++ } + /* try to send pending beacons first. they take priority */ + ath10k_wmi_tx_beacons_nowait(ar); + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-add-memset-and-update-default-rate-value.patch b/queue-6.12/wifi-ath12k-add-memset-and-update-default-rate-value.patch new file mode 100644 index 0000000000..88c18cfd2a --- /dev/null +++ b/queue-6.12/wifi-ath12k-add-memset-and-update-default-rate-value.patch @@ -0,0 +1,58 @@ +From f07bf59b06d2d963f10c803a1c77446c632f789b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 12:05:12 +0530 +Subject: wifi: ath12k: Add memset and update default rate value in wmi tx + completion + +From: Sarika Sharma + +[ Upstream commit 9903c0986f782dfc511d7638b6f15fb6e8600cd3 ] + +When both AP/STA and monitor interfaces are enabled, ieee80211_tx_status() +is invoked from two paths: the TX completion handler for data frames +and the WMI TX completion handler for management frames. +In the data path, the skb->cb is properly zeroed using memset, but in +the WMI path, this step is missing. + +As a result, mac80211 encountered uninitialized (junk) values in +skb->cb when generating the radiotap header for monitor mode, leading +to invalid radiotap lengths. + +Hence, explicitly zero the status field in the skb->cb using memset +in WMI TX completion path to ensure consistent and correct behavior +during WMI tx completion path. + +Additionally, set info->status.rates[0].idx = -1 to indicate that +no valid rate information is available, avoiding misinterpretation of +garbage values. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Sarika Sharma +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250603063512.1887652-1-quic_sarishar@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/wmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c +index d5892e17494f..5c5fc2b7642f 100644 +--- a/drivers/net/wireless/ath/ath12k/wmi.c ++++ b/drivers/net/wireless/ath/ath12k/wmi.c +@@ -5229,6 +5229,11 @@ static int wmi_process_mgmt_tx_comp(struct ath12k *ar, u32 desc_id, + dma_unmap_single(ar->ab->dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE); + + info = IEEE80211_SKB_CB(msdu); ++ memset(&info->status, 0, sizeof(info->status)); ++ ++ /* skip tx rate update from ieee80211_status*/ ++ info->status.rates[0].idx = -1; ++ + if ((!(info->flags & IEEE80211_TX_CTL_NO_ACK)) && !status) + info->flags |= IEEE80211_TX_STAT_ACK; + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-correct-tid-cleanup-when-tid-setup-fails.patch b/queue-6.12/wifi-ath12k-correct-tid-cleanup-when-tid-setup-fails.patch new file mode 100644 index 0000000000..56a242535d --- /dev/null +++ b/queue-6.12/wifi-ath12k-correct-tid-cleanup-when-tid-setup-fails.patch @@ -0,0 +1,49 @@ +From 35576657675ff1f50c54180410b77e30927ab9b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 11:47:49 +0530 +Subject: wifi: ath12k: Correct tid cleanup when tid setup fails + +From: Sarika Sharma + +[ Upstream commit 4a2bf707270f897ab8077baee8ed5842a5321686 ] + +Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(), +the tid value is already incremented, even though the corresponding +TID is not actually allocated. Proceed to +ath12k_dp_rx_peer_tid_delete() starting from unallocated tid, +which might leads to freeing unallocated TID and cause potential +crash or out-of-bounds access. + +Hence, fix by correctly decrementing tid before cleanup to match only +the successfully allocated TIDs. + +Also, remove tid-- from failure case of ath12k_dp_rx_peer_frag_setup(), +as decrementing the tid before cleanup in loop will take care of this. + +Compile tested only. + +Signed-off-by: Sarika Sharma +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250721061749.886732-1-quic_sarishar@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/ath/ath12k/dp.c +index 217eb57663f0..cfb17f16b081 100644 +--- a/drivers/net/wireless/ath/ath12k/dp.c ++++ b/drivers/net/wireless/ath/ath12k/dp.c +@@ -96,7 +96,7 @@ int ath12k_dp_peer_setup(struct ath12k *ar, int vdev_id, const u8 *addr) + return -ENOENT; + } + +- for (; tid >= 0; tid--) ++ for (tid--; tid >= 0; tid--) + ath12k_dp_rx_peer_tid_delete(ar, peer, tid); + + spin_unlock_bh(&ab->base_lock); +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-decrement-tid-on-rx-peer-frag-setup-erro.patch b/queue-6.12/wifi-ath12k-decrement-tid-on-rx-peer-frag-setup-erro.patch new file mode 100644 index 0000000000..1546971a8f --- /dev/null +++ b/queue-6.12/wifi-ath12k-decrement-tid-on-rx-peer-frag-setup-erro.patch @@ -0,0 +1,44 @@ +From 9372fb7a867accfc74407c39a2e038a1409a6c24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 09:17:13 +0530 +Subject: wifi: ath12k: Decrement TID on RX peer frag setup error handling + +From: Karthikeyan Kathirvel + +[ Upstream commit 7c0884fcd2ddde0544d2e77f297ae461e1f53f58 ] + +Currently, TID is not decremented before peer cleanup, during error +handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to +out-of-bounds access in peer->rx_tid[]. + +Hence, add a decrement operation for TID, before peer cleanup to +ensures proper cleanup and prevents out-of-bounds access issues when +the RX peer frag setup fails. + +Found during code review. Compile tested only. + +Signed-off-by: Karthikeyan Kathirvel +Signed-off-by: Sarika Sharma +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250526034713.712592-1-quic_sarishar@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/dp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/ath/ath12k/dp.c +index cfb17f16b081..3244f7c3ca4f 100644 +--- a/drivers/net/wireless/ath/ath12k/dp.c ++++ b/drivers/net/wireless/ath/ath12k/dp.c +@@ -79,6 +79,7 @@ int ath12k_dp_peer_setup(struct ath12k *ar, int vdev_id, const u8 *addr) + ret = ath12k_dp_rx_peer_frag_setup(ar, addr, vdev_id); + if (ret) { + ath12k_warn(ab, "failed to setup rx defrag context\n"); ++ tid--; + goto peer_clean; + } + +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-enable-reo-queue-lookup-table-feature-on.patch b/queue-6.12/wifi-ath12k-enable-reo-queue-lookup-table-feature-on.patch new file mode 100644 index 0000000000..81e72017c7 --- /dev/null +++ b/queue-6.12/wifi-ath12k-enable-reo-queue-lookup-table-feature-on.patch @@ -0,0 +1,43 @@ +From 1e24afe31e95bcf346731f2e0affa236e90e9981 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 08:48:50 +0530 +Subject: wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0 + +From: Raj Kumar Bhagat + +[ Upstream commit b79742b84e16e41c4a09f3126436f39f36e75c06 ] + +The commit 89ac53e96217 ("wifi: ath12k: Enable REO queue lookup table +feature on QCN9274") originally intended to enable the reoq_lut_support +hardware parameter flag for both QCN9274 hw1.0 and hw2.0. However, +it enabled it only for QCN9274 hw1.0. + +Hence, enable REO queue lookup table feature on QCN9274 hw2.0. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Raj Kumar Bhagat +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250609-qcn9274-reoq-v1-1-a92c91abc9b9@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/hw.c b/drivers/net/wireless/ath/ath12k/hw.c +index e3eb22bb9e1c..057ef2d282b2 100644 +--- a/drivers/net/wireless/ath/ath12k/hw.c ++++ b/drivers/net/wireless/ath/ath12k/hw.c +@@ -1084,7 +1084,7 @@ static const struct ath12k_hw_params ath12k_hw_params[] = { + .download_calib = true, + .supports_suspend = false, + .tcl_ring_retry = true, +- .reoq_lut_support = false, ++ .reoq_lut_support = true, + .supports_shadow_regs = false, + + .num_tcl_banks = 48, +-- +2.39.5 + diff --git a/queue-6.12/wifi-ath12k-fix-station-association-with-mbssid-non-.patch b/queue-6.12/wifi-ath12k-fix-station-association-with-mbssid-non-.patch new file mode 100644 index 0000000000..8c6e4946cd --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-station-association-with-mbssid-non-.patch @@ -0,0 +1,51 @@ +From 816b077c8c237b5a5856ea5ee4a00d62667436a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 09:26:14 +0530 +Subject: wifi: ath12k: Fix station association with MBSSID Non-TX BSS + +From: Hari Chandrakanthan + +[ Upstream commit 70eeacc1a92a444f4b5777ab19e1c378a5edc8dd ] + +ath12k station is unable to associate with non-transmitting BSSes +in a Multiple BSS set because the user-space does not receive +information about the non-transmitting BSSes from mac80211's +scan results. + +The ath12k driver does not advertise its MBSSID capability to mac80211, +resulting in wiphy->support_mbssid not being set. Consequently, the +information about non-transmitting BSS is not parsed from received +Beacon/Probe response frames and is therefore not included in the +scan results. + +Fix this by advertising the MBSSID capability of ath12k driver to +mac80211. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1 + +Signed-off-by: Hari Chandrakanthan +Signed-off-by: Rameshkumar Sundaram +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250530035615.3178480-2-rameshkumar.sundaram@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index 4ca684278c36..4b3fbec397ac 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -9218,6 +9218,7 @@ static int ath12k_mac_hw_register(struct ath12k_hw *ah) + + wiphy->mbssid_max_interfaces = mbssid_max_interfaces; + wiphy->ema_max_profile_periodicity = TARGET_EMA_MAX_PROFILE_PERIOD; ++ ieee80211_hw_set(hw, SUPPORTS_MULTI_BSSID); + + if (is_6ghz) { + wiphy_ext_feature_set(wiphy, +-- +2.39.5 + diff --git a/queue-6.12/wifi-cfg80211-fix-interface-type-validation.patch b/queue-6.12/wifi-cfg80211-fix-interface-type-validation.patch new file mode 100644 index 0000000000..e0d3e226cd --- /dev/null +++ b/queue-6.12/wifi-cfg80211-fix-interface-type-validation.patch @@ -0,0 +1,36 @@ +From e328f31f92e3968e100a91d845481dedf1ddf98c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 23:37:55 +0300 +Subject: wifi: cfg80211: Fix interface type validation + +From: Ilan Peer + +[ Upstream commit 14450be2332a49445106403492a367412b8c23f4 ] + +Fix a condition that verified valid values of interface types. + +Signed-off-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250709233537.7ad199ca5939.I0ac1ff74798bf59a87a57f2e18f2153c308b119b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index bb1862536f9c..c555d9964702 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -633,7 +633,7 @@ ieee80211_get_sband_iftype_data(const struct ieee80211_supported_band *sband, + const struct ieee80211_sband_iftype_data *data; + int i; + +- if (WARN_ON(iftype >= NL80211_IFTYPE_MAX)) ++ if (WARN_ON(iftype >= NUM_NL80211_IFTYPES)) + return NULL; + + if (iftype == NL80211_IFTYPE_AP_VLAN) +-- +2.39.5 + diff --git a/queue-6.12/wifi-cfg80211-reject-htc-bit-for-management-frames.patch b/queue-6.12/wifi-cfg80211-reject-htc-bit-for-management-frames.patch new file mode 100644 index 0000000000..6780a60d9d --- /dev/null +++ b/queue-6.12/wifi-cfg80211-reject-htc-bit-for-management-frames.patch @@ -0,0 +1,38 @@ +From edd4ce4f91aef45a9499f3edb35407f4e6458279 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 20:23:06 +0200 +Subject: wifi: cfg80211: reject HTC bit for management frames + +From: Johannes Berg + +[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ] + +Management frames sent by userspace should never have the +order/HTC bit set, reject that. It could also cause some +confusion with the length of the buffer and the header so +the validation might end up wrong. + +Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/mlme.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c +index a5eb92d93074..d1a66410b9c5 100644 +--- a/net/wireless/mlme.c ++++ b/net/wireless/mlme.c +@@ -843,7 +843,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev, + + mgmt = (const struct ieee80211_mgmt *)params->buf; + +- if (!ieee80211_is_mgmt(mgmt->frame_control)) ++ if (!ieee80211_is_mgmt(mgmt->frame_control) || ++ ieee80211_has_order(mgmt->frame_control)) + return -EINVAL; + + stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE; +-- +2.39.5 + diff --git a/queue-6.12/wifi-iwlegacy-check-rate_idx-range-after-addition.patch b/queue-6.12/wifi-iwlegacy-check-rate_idx-range-after-addition.patch new file mode 100644 index 0000000000..577bd92f3c --- /dev/null +++ b/queue-6.12/wifi-iwlegacy-check-rate_idx-range-after-addition.patch @@ -0,0 +1,43 @@ +From 801bb3a4493e47ebf1fa76f26926feb45217637b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 May 2025 16:45:24 +0200 +Subject: wifi: iwlegacy: Check rate_idx range after addition + +From: Stanislaw Gruszka + +[ Upstream commit 0de19d5ae0b2c5b18b88c5c7f0442f707a207409 ] + +Limit rate_idx to IL_LAST_OFDM_RATE for 5GHz band for thinkable case +the index is incorrect. + +Reported-by: Fedor Pchelkin +Reported-by: Alexei Safin +Signed-off-by: Stanislaw Gruszka +Reviewed-by: Fedor Pchelkin +Link: https://patch.msgid.link/20250525144524.GA172583@wp.pl +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +index 05c4af41bdb9..a94cf27ffe4b 100644 +--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +@@ -1575,8 +1575,11 @@ il4965_tx_cmd_build_rate(struct il_priv *il, + || rate_idx > RATE_COUNT_LEGACY) + rate_idx = rate_lowest_index(&il->bands[info->band], sta); + /* For 5 GHZ band, remap mac80211 rate indices into driver indices */ +- if (info->band == NL80211_BAND_5GHZ) ++ if (info->band == NL80211_BAND_5GHZ) { + rate_idx += IL_FIRST_OFDM_RATE; ++ if (rate_idx > IL_LAST_OFDM_RATE) ++ rate_idx = IL_LAST_OFDM_RATE; ++ } + /* Get PLCP rate for tx_cmd->rate_n_flags */ + rate_plcp = il_rates[rate_idx].plcp; + /* Zero out flags for this packet */ +-- +2.39.5 + diff --git a/queue-6.12/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch b/queue-6.12/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch new file mode 100644 index 0000000000..a7e7f8605b --- /dev/null +++ b/queue-6.12/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch @@ -0,0 +1,44 @@ +From 693557a5e1bcd9fd32c0f6e595c0c64869dfce87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 13:17:55 +0300 +Subject: wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() + +From: Rand Deeb + +[ Upstream commit e3ad987e9dc7d1e12e3f2f1e623f0e174cd0ca78 ] + +The 'index' variable in the rs_fill_link_cmd() function can reach +LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This +variable is used as an index for the lq_cmd->rs_table array, which has a +size of LINK_QUAL_MAX_RETRY_NUM, without proper validation. + +Modify the condition of the inner loop to ensure that the 'index' variable +does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any +potential overflow issues. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Rand Deeb +Link: https://patch.msgid.link/20240313101755.269209-1-rand.sec96@gmail.com +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +index 8879e668ef0d..ed964103281e 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +@@ -2899,7 +2899,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv, + /* Repeat initial/next rate. + * For legacy IWL_NUMBER_TRY == 1, this loop will not execute. + * For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */ +- while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) { ++ while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) { + if (is_legacy(tbl_type.lq_type)) { + if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) + ant_toggle_cnt++; +-- +2.39.5 + diff --git a/queue-6.12/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch b/queue-6.12/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch new file mode 100644 index 0000000000..bba70abe10 --- /dev/null +++ b/queue-6.12/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch @@ -0,0 +1,47 @@ +From ee08b8f788852bc940eaee4d7bcb574d78fc2d51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 22:26:23 +0300 +Subject: wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect + +From: Pagadala Yesu Anjaneyulu + +[ Upstream commit cc8d9cbf269dab363c768bfa9312265bc807fca5 ] + +Ensure descriptor is freed on error to avoid memory leak. + +Signed-off-by: Pagadala Yesu Anjaneyulu +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250611222325.8158d15ec866.Ifa3e422c302397111f20a16da7509e6574bc19e3@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index cd284767ff4b..385755af8237 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -2955,6 +2955,7 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt, + struct iwl_fw_dump_desc *desc; + unsigned int delay = 0; + bool monitor_only = false; ++ int ret; + + if (trigger) { + u16 occurrences = le16_to_cpu(trigger->occurrences) - 1; +@@ -2985,7 +2986,11 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt, + desc->trig_desc.type = cpu_to_le32(trig); + memcpy(desc->trig_desc.data, str, len); + +- return iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay); ++ ret = iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay); ++ if (ret) ++ kfree(desc); ++ ++ return ret; + } + IWL_EXPORT_SYMBOL(iwl_fw_dbg_collect); + +-- +2.39.5 + diff --git a/queue-6.12/wifi-iwlwifi-mvm-avoid-outdated-reorder-buffer-head_.patch b/queue-6.12/wifi-iwlwifi-mvm-avoid-outdated-reorder-buffer-head_.patch new file mode 100644 index 0000000000..a777ac2f04 --- /dev/null +++ b/queue-6.12/wifi-iwlwifi-mvm-avoid-outdated-reorder-buffer-head_.patch @@ -0,0 +1,51 @@ +From 0ea00c280eb7e3370836a6a8c68111b1d55f7a09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 09:45:05 +0300 +Subject: wifi: iwlwifi: mvm: avoid outdated reorder buffer head_sn + +From: Avraham Stern + +[ Upstream commit 422850b29e05e67c9145895bfe559940caa0caa8 ] + +If no frames are received on a queue for a while, the reorder buffer +head_sn may be an old one. When the next frame that is received on +that queue and buffered is a subframe of an AMSDU but not the last +subframe, it will not update the buffer's head_sn. When the frame +release notification arrives, it will not release the buffered frame +because it will look like the notification's NSSN is lower than the +buffer's head_sn (because of a wraparound). +Fix it by updating the head_sn when the first frame is buffered. + +Signed-off-by: Avraham Stern +Reviewed-by: Daniel Gabay +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250723094230.795ec0cb8817.I9ec9a3508e7935e8d1833ea3e086066fdefee644@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +index 0b52d77f5783..64bd5d10765d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -854,10 +854,15 @@ static bool iwl_mvm_reorder(struct iwl_mvm *mvm, + * already ahead and it will be dropped. + * If the last sub-frame is not on this queue - we will get frame + * release notification with up to date NSSN. ++ * If this is the first frame that is stored in the buffer, the head_sn ++ * may be outdated. Update it based on the last NSSN to make sure it ++ * will be released when the frame release notification arrives. + */ + if (!amsdu || last_subframe) + iwl_mvm_release_frames(mvm, sta, napi, baid_data, + buffer, nssn); ++ else if (buffer->num_stored == 1) ++ buffer->head_sn = nssn; + + spin_unlock_bh(&buffer->lock); + return true; +-- +2.39.5 + diff --git a/queue-6.12/wifi-iwlwifi-mvm-fix-scan-request-validation.patch b/queue-6.12/wifi-iwlwifi-mvm-fix-scan-request-validation.patch new file mode 100644 index 0000000000..ff518ef8ee --- /dev/null +++ b/queue-6.12/wifi-iwlwifi-mvm-fix-scan-request-validation.patch @@ -0,0 +1,37 @@ +From 24860b1a0d5675dd162593ed62c43c17d776651d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 23:05:43 +0300 +Subject: wifi: iwlwifi: mvm: fix scan request validation + +From: Avraham Stern + +[ Upstream commit 7c2f3ec7707188d8d5269ae2dce97d7be3e9f261 ] + +The scan request validation function uses bitwise and instead +of logical and. Fix it. + +Signed-off-by: Avraham Stern +Reviewed-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250709230308.3fbc1f27871b.I7a8ee91f463c1a2d9d8561c8232e196885d02c43@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +index ddcbd80a49fb..853b95709a79 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +@@ -835,7 +835,7 @@ static inline bool iwl_mvm_scan_fits(struct iwl_mvm *mvm, int n_ssids, + int n_channels) + { + return ((n_ssids <= PROBE_OPTION_MAX) && +- (n_channels <= mvm->fw->ucode_capa.n_scan_channels) & ++ (n_channels <= mvm->fw->ucode_capa.n_scan_channels) && + (ies->common_ie_len + + ies->len[NL80211_BAND_2GHZ] + ies->len[NL80211_BAND_5GHZ] + + ies->len[NL80211_BAND_6GHZ] <= +-- +2.39.5 + diff --git a/queue-6.12/wifi-iwlwifi-mvm-set-gtk-id-also-in-older-fws.patch b/queue-6.12/wifi-iwlwifi-mvm-set-gtk-id-also-in-older-fws.patch new file mode 100644 index 0000000000..93fbe27792 --- /dev/null +++ b/queue-6.12/wifi-iwlwifi-mvm-set-gtk-id-also-in-older-fws.patch @@ -0,0 +1,44 @@ +From 0376ed8f48d71c8adfc9cc3fd97a62d9506b9ceb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 21:28:27 +0300 +Subject: wifi: iwlwifi: mvm: set gtk id also in older FWs + +From: Miri Korenblit + +[ Upstream commit 61be9803f322ab46f31ba944c6ef7de195891f64 ] + +We use gtk[i].id, but it is not even set in older FW APIs +(iwl_wowlan_status_v6 and iwl_wowlan_status_v7). +Set it also in older FWs. + +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250710212632.e91e49590414.I27d2fdbed1c54aee59929fa11ec169f07e159406@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +index 6a4300c01d41..7e258dcdf501 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +@@ -2375,6 +2375,7 @@ static void iwl_mvm_convert_gtk_v2(struct iwl_wowlan_status_data *status, + + status->gtk[0].len = data->key_len; + status->gtk[0].flags = data->key_flags; ++ status->gtk[0].id = status->gtk[0].flags & IWL_WOWLAN_GTK_IDX_MASK; + + memcpy(status->gtk[0].key, data->key, sizeof(data->key)); + +@@ -2686,6 +2687,7 @@ iwl_mvm_send_wowlan_get_status(struct iwl_mvm *mvm, u8 sta_id) + * currently used key. + */ + status->gtk[0].flags = v6->gtk.key_index | BIT(7); ++ status->gtk[0].id = v6->gtk.key_index; + } else if (notif_ver == 7) { + struct iwl_wowlan_status_v7 *v7 = (void *)cmd.resp_pkt->data; + +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-avoid-weird-state-in-error-path.patch b/queue-6.12/wifi-mac80211-avoid-weird-state-in-error-path.patch new file mode 100644 index 0000000000..909672d518 --- /dev/null +++ b/queue-6.12/wifi-mac80211-avoid-weird-state-in-error-path.patch @@ -0,0 +1,85 @@ +From d6cf949f36555778205c7ec9e62655d75d5c5e3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 21:35:13 +0300 +Subject: wifi: mac80211: avoid weird state in error path + +From: Miri Korenblit + +[ Upstream commit be1ba9ed221ffb95a8bb15f4c83d0694225ba808 ] + +If we get to the error path of ieee80211_prep_connection, for example +because of a FW issue, then ieee80211_vif_set_links is called +with 0. +But the call to drv_change_vif_links from ieee80211_vif_update_links +will probably fail as well, for the same reason. +In this case, the valid_links and active_links bitmaps will be reverted +to the value of the failing connection. +Then, in the next connection, due to the logic of +ieee80211_set_vif_links_bitmaps, valid_links will be set to the ID of +the new connection assoc link, but the active_links will remain with the +ID of the old connection's assoc link. +If those IDs are different, we get into a weird state of valid_links and +active_links being different. One of the consequences of this state is +to call drv_change_vif_links with new_links as 0, since the & operation +between the bitmaps will be 0. + +Since a removal of a link should always succeed, ignore the return value +of drv_change_vif_links if it was called to only remove links, which is +the case for the ieee80211_prep_connection's error path. +That way, the bitmaps will not be reverted to have the value from the +failing connection and will have 0, so the next connection will have a +good state. + +Signed-off-by: Miri Korenblit +Reviewed-by: Johannes Berg +Link: https://patch.msgid.link/20250609213231.ba2011fb435f.Id87ff6dab5e1cf757b54094ac2d714c656165059@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/mac80211.h | 2 ++ + net/mac80211/link.c | 9 ++++++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index 155421671fff..80259a37e724 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -4435,6 +4435,8 @@ struct ieee80211_prep_tx_info { + * new links bitmaps may be 0 if going from/to a non-MLO situation. + * The @old array contains pointers to the old bss_conf structures + * that were already removed, in case they're needed. ++ * Note that removal of link should always succeed, so the return value ++ * will be ignored in a removal only case. + * This callback can sleep. + * @change_sta_links: Change the valid links of a station, similar to + * @change_vif_links. This callback can sleep. +diff --git a/net/mac80211/link.c b/net/mac80211/link.c +index 9484449d6a34..cafedc5ecd44 100644 +--- a/net/mac80211/link.c ++++ b/net/mac80211/link.c +@@ -2,7 +2,7 @@ + /* + * MLO link handling + * +- * Copyright (C) 2022-2024 Intel Corporation ++ * Copyright (C) 2022-2025 Intel Corporation + */ + #include + #include +@@ -365,6 +365,13 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata, + ieee80211_update_apvlan_links(sdata); + } + ++ /* ++ * Ignore errors if we are only removing links as removal should ++ * always succeed ++ */ ++ if (!new_links) ++ ret = 0; ++ + if (ret) { + /* restore config */ + memcpy(sdata->link, old_data, sizeof(old_data)); +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-don-t-complete-management-tx-on-sae-co.patch b/queue-6.12/wifi-mac80211-don-t-complete-management-tx-on-sae-co.patch new file mode 100644 index 0000000000..77cd5d8bbb --- /dev/null +++ b/queue-6.12/wifi-mac80211-don-t-complete-management-tx-on-sae-co.patch @@ -0,0 +1,99 @@ +From bff5a0f4f7d3b4322dccfa4e76ac3eeaaa4f11ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 21:35:27 +0300 +Subject: wifi: mac80211: don't complete management TX on SAE commit + +From: Johannes Berg + +[ Upstream commit 6b04716cdcac37bdbacde34def08bc6fdb5fc4e2 ] + +When SAE commit is sent and received in response, there's no +ordering for the SAE confirm messages. As such, don't call +drivers to stop listening on the channel when the confirm +message is still expected. + +This fixes an issue if the local confirm is transmitted later +than the AP's confirm, for iwlwifi (and possibly mt76) the +AP's confirm would then get lost since the device isn't on +the channel at the time the AP transmit the confirm. + +For iwlwifi at least, this also improves the overall timing +of the authentication handshake (by about 15ms according to +the report), likely since the session protection won't be +aborted and rescheduled. + +Note that even before this, mgd_complete_tx() wasn't always +called for each call to mgd_prepare_tx() (e.g. in the case +of WEP key shared authentication), and the current drivers +that have the complete callback don't seem to mind. Document +this as well though. + +Reported-by: Jan Hendrik Farr +Closes: https://lore.kernel.org/all/aB30Ea2kRG24LINR@archlinux/ +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250609213232.12691580e140.I3f1d3127acabcd58348a110ab11044213cf147d3@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/mac80211.h | 2 ++ + net/mac80211/mlme.c | 9 ++++++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index 8e7094160206..155421671fff 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -4269,6 +4269,8 @@ struct ieee80211_prep_tx_info { + * @mgd_complete_tx: Notify the driver that the response frame for a previously + * transmitted frame announced with @mgd_prepare_tx was received, the data + * is filled similarly to @mgd_prepare_tx though the duration is not used. ++ * Note that this isn't always called for each mgd_prepare_tx() call, for ++ * example for SAE the 'confirm' messages can be on the air in any order. + * + * @mgd_protect_tdls_discover: Protect a TDLS discovery session. After sending + * a TDLS discovery-request, we expect a reply to arrive on the AP's +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 1bcd4eef73e6..5a9a84a0cc35 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -4292,6 +4292,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, + struct ieee80211_prep_tx_info info = { + .subtype = IEEE80211_STYPE_AUTH, + }; ++ bool sae_need_confirm = false; + + lockdep_assert_wiphy(sdata->local->hw.wiphy); + +@@ -4337,6 +4338,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, + jiffies + IEEE80211_AUTH_WAIT_SAE_RETRY; + ifmgd->auth_data->timeout_started = true; + run_again(sdata, ifmgd->auth_data->timeout); ++ if (auth_transaction == 1) ++ sae_need_confirm = true; + goto notify_driver; + } + +@@ -4379,6 +4382,9 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, + ifmgd->auth_data->expected_transaction == 2)) { + if (!ieee80211_mark_sta_auth(sdata)) + return; /* ignore frame -- wait for timeout */ ++ } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE && ++ auth_transaction == 1) { ++ sae_need_confirm = true; + } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE && + auth_transaction == 2) { + sdata_info(sdata, "SAE peer confirmed\n"); +@@ -4387,7 +4393,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata, + + cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len); + notify_driver: +- drv_mgd_complete_tx(sdata->local, sdata, &info); ++ if (!sae_need_confirm) ++ drv_mgd_complete_tx(sdata->local, sdata, &info); + } + + #define case_WLAN(type) \ +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-don-t-unreserve-never-reserved-chanctx.patch b/queue-6.12/wifi-mac80211-don-t-unreserve-never-reserved-chanctx.patch new file mode 100644 index 0000000000..c340822ebe --- /dev/null +++ b/queue-6.12/wifi-mac80211-don-t-unreserve-never-reserved-chanctx.patch @@ -0,0 +1,40 @@ +From ad77173e2775a6be6d1fdc3ec4297455638fd8e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 23:37:53 +0300 +Subject: wifi: mac80211: don't unreserve never reserved chanctx + +From: Johannes Berg + +[ Upstream commit a6d521bafcb290294128a51b13dbf4baae5748fc ] + +If a link has no chanctx, indicating it is an inactive link +that we tracked CSA for, then attempting to unreserve the +reserved chanctx will throw a warning and fail, since there +never was a reserved chanctx. Skip the unreserve. + +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250709233537.022192f4b1ae.Ib58156ac13e674a9f4d714735be0764a244c0aae@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index fd7434995a47..1bcd4eef73e6 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -2243,7 +2243,8 @@ ieee80211_sta_abort_chanswitch(struct ieee80211_link_data *link) + if (!local->ops->abort_channel_switch) + return; + +- ieee80211_link_unreserve_chanctx(link); ++ if (rcu_access_pointer(link->conf->chanctx_conf)) ++ ieee80211_link_unreserve_chanctx(link); + + ieee80211_vif_unblock_queues_csa(sdata); + +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-fix-rx-link-assignment-for-non-mlo-sta.patch b/queue-6.12/wifi-mac80211-fix-rx-link-assignment-for-non-mlo-sta.patch new file mode 100644 index 0000000000..882b393dee --- /dev/null +++ b/queue-6.12/wifi-mac80211-fix-rx-link-assignment-for-non-mlo-sta.patch @@ -0,0 +1,57 @@ +From 73361967cf0485e6710f91465a032c6006b012ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 14:11:19 +0530 +Subject: wifi: mac80211: fix rx link assignment for non-MLO stations + +From: Hari Chandrakanthan + +[ Upstream commit cc2b722132893164bcb3cee4f08ed056e126eb6c ] + +Currently, ieee80211_rx_data_set_sta() does not correctly handle the +case where the interface supports multiple links (MLO), but the station +does not (non-MLO). This can lead to incorrect link assignment or +unexpected warnings when accessing link information. + +Hence, add a fix to check if the station lacks valid link support and +use its default link ID for rx->link assignment. If the station +unexpectedly has valid links, fall back to the default link. + +This ensures correct link association and prevents potential issues +in mixed MLO/non-MLO environments. + +Signed-off-by: Hari Chandrakanthan +Signed-off-by: Sarika Sharma +Link: https://patch.msgid.link/20250630084119.3583593-1-quic_sarishar@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 8e1d00efa62e..8c0d91dfd7e2 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -4283,10 +4283,16 @@ static bool ieee80211_rx_data_set_sta(struct ieee80211_rx_data *rx, + rx->link_sta = NULL; + } + +- if (link_id < 0) +- rx->link = &rx->sdata->deflink; +- else if (!ieee80211_rx_data_set_link(rx, link_id)) ++ if (link_id < 0) { ++ if (ieee80211_vif_is_mld(&rx->sdata->vif) && ++ sta && !sta->sta.valid_links) ++ rx->link = ++ rcu_dereference(rx->sdata->link[sta->deflink.link_id]); ++ else ++ rx->link = &rx->sdata->deflink; ++ } else if (!ieee80211_rx_data_set_link(rx, link_id)) { + return false; ++ } + + return true; + } +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-update-radar_required-in-channel-conte.patch b/queue-6.12/wifi-mac80211-update-radar_required-in-channel-conte.patch new file mode 100644 index 0000000000..77bdf68afa --- /dev/null +++ b/queue-6.12/wifi-mac80211-update-radar_required-in-channel-conte.patch @@ -0,0 +1,49 @@ +From 53411f37e00cb902bf7b5184b0e80701ad48d428 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jun 2025 19:33:24 +0530 +Subject: wifi: mac80211: update radar_required in channel context after + channel switch + +From: Ramya Gnanasekar + +[ Upstream commit 140c6a61d83cbd85adba769b5ef8d61acfa5b392 ] + +Currently, when a non-DFS channel is brought up and the bandwidth is +expanded from 80 MHz to 160 MHz, where the primary 80 MHz is non-DFS +and the secondary 80 MHz consists of DFS channels, radar detection +fails if radar occurs in the secondary 80 MHz. + +When the channel is switched from 80 MHz to 160 MHz, with the primary +80 MHz being non-DFS and the secondary 80 MHz consisting of DFS +channels, the radar required flag in the channel switch parameters +is set to true. However, when using a reserved channel context, +it is not updated in sdata, which disables radar detection in the +secondary 80 MHz DFS channels. + +Update the radar required flag in sdata to fix this issue when using +a reserved channel context. + +Signed-off-by: Ramya Gnanasekar +Signed-off-by: Ramasamy Kaliappan +Link: https://patch.msgid.link/20250608140324.1687117-1-ramasamy.kaliappan@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/chan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c +index 282e8c13e2bf..e3b46df95b71 100644 +--- a/net/mac80211/chan.c ++++ b/net/mac80211/chan.c +@@ -1349,6 +1349,7 @@ ieee80211_link_use_reserved_reassign(struct ieee80211_link_data *link) + goto out; + } + ++ link->radar_required = link->reserved_radar_required; + list_move(&link->assigned_chanctx_list, &new_ctx->assigned_links); + rcu_assign_pointer(link_conf->chanctx_conf, &new_ctx->conf); + +-- +2.39.5 + diff --git a/queue-6.12/wifi-mt76-mt7915-mcu-re-init-mcu-before-loading-fw-p.patch b/queue-6.12/wifi-mt76-mt7915-mcu-re-init-mcu-before-loading-fw-p.patch new file mode 100644 index 0000000000..f4124d737c --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7915-mcu-re-init-mcu-before-loading-fw-p.patch @@ -0,0 +1,66 @@ +From 581086f8c865fae0858c5ab5e741e3cd9bc9da45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 02:45:27 +0200 +Subject: wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch + +From: David Bauer + +[ Upstream commit ac9c50c79eaef5fca0f165e45d0c5880606db53e ] + +Restart the MCU and release the patch semaphore before loading the MCU +patch firmware from the host. + +This fixes failures upon error recovery in case the semaphore was +previously taken and never released by the host. + +This happens from time to time upon triggering a full-chip error +recovery. Under this circumstance, the hardware restart fails and the +radio is rendered inoperational. + +Signed-off-by: David Bauer +Link: https://patch.msgid.link/20250402004528.1036715-3-mail@david-bauer.net +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7915/mcu.c | 25 +++++++++++-------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index 87d0dd040001..3398c25cb03c 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -2071,16 +2071,21 @@ static int mt7915_load_firmware(struct mt7915_dev *dev) + { + int ret; + +- /* make sure fw is download state */ +- if (mt7915_firmware_state(dev, false)) { +- /* restart firmware once */ +- mt76_connac_mcu_restart(&dev->mt76); +- ret = mt7915_firmware_state(dev, false); +- if (ret) { +- dev_err(dev->mt76.dev, +- "Firmware is not ready for download\n"); +- return ret; +- } ++ /* Release Semaphore if taken by previous failed attempt */ ++ ret = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false); ++ if (ret != PATCH_REL_SEM_SUCCESS) { ++ dev_err(dev->mt76.dev, "Could not release semaphore\n"); ++ /* Continue anyways */ ++ } ++ ++ /* Always restart MCU firmware */ ++ mt76_connac_mcu_restart(&dev->mt76); ++ ++ /* Check if MCU is ready */ ++ ret = mt7915_firmware_state(dev, false); ++ if (ret) { ++ dev_err(dev->mt76.dev, "Firmware did not enter download state\n"); ++ return ret; + } + + ret = mt76_connac2_load_patch(&dev->mt76, fw_name_var(dev, ROM_PATCH)); +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch b/queue-6.12/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch new file mode 100644 index 0000000000..8ed1d70535 --- /dev/null +++ b/queue-6.12/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch @@ -0,0 +1,58 @@ +From 567944b855533c8630f17b311678dfaf72a37caa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 12:56:30 +0200 +Subject: wifi: rtlwifi: fix possible skb memory leak in + `_rtl_pci_rx_interrupt()`. + +From: Thomas Fourier + +[ Upstream commit 44c0e191004f0e3aa1bdee3be248be14dbe5b020 ] + +The function `_rtl_pci_init_one_rxdesc()` can fail even when the new +`skb` is passed because of a DMA mapping error. If it fails, the `skb` +is not saved in the rx ringbuffer and thus lost. + +Compile tested only + +Signed-off-by: Thomas Fourier +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250616105631.444309-4-fourier.thomas@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index 898f597f70a9..2741c3beac4c 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -802,13 +802,19 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) + skb = new_skb; + no_new: + if (rtlpriv->use_new_trx_flow) { +- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc, +- rxring_idx, +- rtlpci->rx_ring[rxring_idx].idx); ++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc, ++ rxring_idx, ++ rtlpci->rx_ring[rxring_idx].idx)) { ++ if (new_skb) ++ dev_kfree_skb_any(skb); ++ } + } else { +- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc, +- rxring_idx, +- rtlpci->rx_ring[rxring_idx].idx); ++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc, ++ rxring_idx, ++ rtlpci->rx_ring[rxring_idx].idx)) { ++ if (new_skb) ++ dev_kfree_skb_any(skb); ++ } + if (rtlpci->rx_ring[rxring_idx].idx == + rtlpci->rxringcount - 1) + rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc, +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-28826 b/queue-6.12/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-28826 new file mode 100644 index 0000000000..64904c3651 --- /dev/null +++ b/queue-6.12/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-28826 @@ -0,0 +1,43 @@ +From 8d3ea7e7de40ef734beab2af2a7bf1813385ab1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 09:38:36 +0200 +Subject: wifi: rtlwifi: fix possible skb memory leak in + _rtl_pci_init_one_rxdesc() + +From: Thomas Fourier + +[ Upstream commit 76b3e5078d76f0eeadb7aacf9845399f8473da0d ] + +When `dma_mapping_error()` is true, if a new `skb` has been allocated, +then it must be de-allocated. + +Compile tested only + +Signed-off-by: Thomas Fourier +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250613074014.69856-2-fourier.thomas@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index 2741c3beac4c..d080469264cf 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -572,8 +572,11 @@ static int _rtl_pci_init_one_rxdesc(struct ieee80211_hw *hw, + dma_map_single(&rtlpci->pdev->dev, skb_tail_pointer(skb), + rtlpci->rxbuffersize, DMA_FROM_DEVICE); + bufferaddress = *((dma_addr_t *)skb->cb); +- if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress)) ++ if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress)) { ++ if (!new_skb) ++ kfree_skb(skb); + return 0; ++ } + rtlpci->rx_ring[rxring_idx].rx_buf[desc_idx] = skb; + if (rtlpriv->use_new_trx_flow) { + /* skb->cb may be 64 bit address */ +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw89-fix-rtw89_mac_power_switch-for-usb.patch b/queue-6.12/wifi-rtw89-fix-rtw89_mac_power_switch-for-usb.patch new file mode 100644 index 0000000000..3a952f5a13 --- /dev/null +++ b/queue-6.12/wifi-rtw89-fix-rtw89_mac_power_switch-for-usb.patch @@ -0,0 +1,77 @@ +From 55563c8c6937c7ec8a3350498f3ed6c781bc065e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 23:45:55 +0300 +Subject: wifi: rtw89: Fix rtw89_mac_power_switch() for USB + +From: Bitterblue Smith + +[ Upstream commit e2b71603333a9dd73ee88347d8894fffc3456ac1 ] + +Clear some bits in some registers in order to allow RTL8851BU to power +on. This is done both when powering on and when powering off because +that's what the vendor driver does. + +Also tested with RTL8832BU and RTL8832CU. + +Signed-off-by: Bitterblue Smith +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/a39da939-d640-4486-ad38-f658f220afc8@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/mac.c | 19 +++++++++++++++++++ + drivers/net/wireless/realtek/rtw89/reg.h | 1 + + 2 files changed, 20 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtw89/mac.c b/drivers/net/wireless/realtek/rtw89/mac.c +index 2188bca899e3..8b7ca63af7ed 100644 +--- a/drivers/net/wireless/realtek/rtw89/mac.c ++++ b/drivers/net/wireless/realtek/rtw89/mac.c +@@ -1441,6 +1441,23 @@ void rtw89_mac_notify_wake(struct rtw89_dev *rtwdev) + rtw89_mac_send_rpwm(rtwdev, state, true); + } + ++static void rtw89_mac_power_switch_boot_mode(struct rtw89_dev *rtwdev) ++{ ++ u32 boot_mode; ++ ++ if (rtwdev->hci.type != RTW89_HCI_TYPE_USB) ++ return; ++ ++ boot_mode = rtw89_read32_mask(rtwdev, R_AX_GPIO_MUXCFG, B_AX_BOOT_MODE); ++ if (!boot_mode) ++ return; ++ ++ rtw89_write32_clr(rtwdev, R_AX_SYS_PW_CTRL, B_AX_APFN_ONMAC); ++ rtw89_write32_clr(rtwdev, R_AX_SYS_STATUS1, B_AX_AUTO_WLPON); ++ rtw89_write32_clr(rtwdev, R_AX_GPIO_MUXCFG, B_AX_BOOT_MODE); ++ rtw89_write32_clr(rtwdev, R_AX_RSV_CTRL, B_AX_R_DIS_PRST); ++} ++ + static int rtw89_mac_power_switch(struct rtw89_dev *rtwdev, bool on) + { + #define PWR_ACT 1 +@@ -1450,6 +1467,8 @@ static int rtw89_mac_power_switch(struct rtw89_dev *rtwdev, bool on) + int ret; + u8 val; + ++ rtw89_mac_power_switch_boot_mode(rtwdev); ++ + if (on) { + cfg_seq = chip->pwr_on_seq; + cfg_func = chip->ops->pwr_on_func; +diff --git a/drivers/net/wireless/realtek/rtw89/reg.h b/drivers/net/wireless/realtek/rtw89/reg.h +index 9fbcc7fee290..7ec516979fe2 100644 +--- a/drivers/net/wireless/realtek/rtw89/reg.h ++++ b/drivers/net/wireless/realtek/rtw89/reg.h +@@ -182,6 +182,7 @@ + + #define R_AX_SYS_STATUS1 0x00F4 + #define B_AX_SEL_0XC0_MASK GENMASK(17, 16) ++#define B_AX_AUTO_WLPON BIT(10) + #define B_AX_PAD_HCI_SEL_V2_MASK GENMASK(5, 3) + #define MAC_AX_HCI_SEL_SDIO_UART 0 + #define MAC_AX_HCI_SEL_MULTI_USB 1 +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw89-lower-the-timeout-in-rtw89_fw_read_c2h_re.patch b/queue-6.12/wifi-rtw89-lower-the-timeout-in-rtw89_fw_read_c2h_re.patch new file mode 100644 index 0000000000..9be47cf97c --- /dev/null +++ b/queue-6.12/wifi-rtw89-lower-the-timeout-in-rtw89_fw_read_c2h_re.patch @@ -0,0 +1,73 @@ +From c5fde875ebc141e3c5f3aab6378ca83d09f08280 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 22:44:47 +0300 +Subject: wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bitterblue Smith + +[ Upstream commit 671be46afd1f03de9dc6e4679c88e1a7a81cdff6 ] + +This read_poll_timeout_atomic() with a delay of 1 µs and a timeout of +1000000 µs can take ~250 seconds in the worst case because sending a +USB control message takes ~250 µs. + +Lower the timeout to 4000 for USB in order to reduce the maximum polling +time to ~1 second. + +This problem was observed with RTL8851BU while suspending to RAM with +WOWLAN enabled. The computer sat for 4 minutes with a black screen +before suspending. + +Signed-off-by: Bitterblue Smith +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/09313da6-c865-4e91-b758-4cb38a878796@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/fw.c | 9 +++++++-- + drivers/net/wireless/realtek/rtw89/fw.h | 2 ++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c +index 7dbce3b10a7d..10a3a66a9981 100644 +--- a/drivers/net/wireless/realtek/rtw89/fw.c ++++ b/drivers/net/wireless/realtek/rtw89/fw.c +@@ -5934,13 +5934,18 @@ static int rtw89_fw_read_c2h_reg(struct rtw89_dev *rtwdev, + const struct rtw89_chip_info *chip = rtwdev->chip; + struct rtw89_fw_info *fw_info = &rtwdev->fw; + const u32 *c2h_reg = chip->c2h_regs; +- u32 ret; ++ u32 ret, timeout; + u8 i, val; + + info->id = RTW89_FWCMD_C2HREG_FUNC_NULL; + ++ if (rtwdev->hci.type == RTW89_HCI_TYPE_USB) ++ timeout = RTW89_C2H_TIMEOUT_USB; ++ else ++ timeout = RTW89_C2H_TIMEOUT; ++ + ret = read_poll_timeout_atomic(rtw89_read8, val, val, 1, +- RTW89_C2H_TIMEOUT, false, rtwdev, ++ timeout, false, rtwdev, + chip->c2h_ctrl_reg); + if (ret) { + rtw89_warn(rtwdev, "c2h reg timeout\n"); +diff --git a/drivers/net/wireless/realtek/rtw89/fw.h b/drivers/net/wireless/realtek/rtw89/fw.h +index 502ece540b9d..2981d6eeb678 100644 +--- a/drivers/net/wireless/realtek/rtw89/fw.h ++++ b/drivers/net/wireless/realtek/rtw89/fw.h +@@ -97,6 +97,8 @@ struct rtw89_h2creg_sch_tx_en { + #define RTW89_C2HREG_HDR_LEN 2 + #define RTW89_H2CREG_HDR_LEN 2 + #define RTW89_C2H_TIMEOUT 1000000 ++#define RTW89_C2H_TIMEOUT_USB 4000 ++ + struct rtw89_mac_c2h_info { + u8 id; + u8 content_len; +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw89-scan-abort-when-assign-unassign_vif.patch b/queue-6.12/wifi-rtw89-scan-abort-when-assign-unassign_vif.patch new file mode 100644 index 0000000000..406c9c038b --- /dev/null +++ b/queue-6.12/wifi-rtw89-scan-abort-when-assign-unassign_vif.patch @@ -0,0 +1,51 @@ +From 8247b0658d1ae173cd0cdf97fa00bce313249b74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 21:00:34 +0800 +Subject: wifi: rtw89: scan abort when assign/unassign_vif + +From: Chih-Kang Chang + +[ Upstream commit 3db8563bac6c34018cbb96b14549a95c368b0304 ] + +If scan happen during start_ap, the register which control TX might be +turned off during scan. Additionally, if set_channel occurs during scan +will backup this register and set to firmware after set_channel done. +When scan complete, firmware will also set TX by this register, causing +TX to be disabled and beacon can't be TX. Therefore, in assign/unassign_vif +call scan abort before set_channel to avoid scan racing with set_channel. + +Signed-off-by: Chih-Kang Chang +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250610130034.14692-13-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/chan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtw89/chan.c b/drivers/net/wireless/realtek/rtw89/chan.c +index 4df4e04c3e67..559aa60e3df0 100644 +--- a/drivers/net/wireless/realtek/rtw89/chan.c ++++ b/drivers/net/wireless/realtek/rtw89/chan.c +@@ -2682,6 +2682,9 @@ int rtw89_chanctx_ops_assign_vif(struct rtw89_dev *rtwdev, + rtwvif_link->chanctx_assigned = true; + cfg->ref_count++; + ++ if (rtwdev->scanning) ++ rtw89_hw_scan_abort(rtwdev, rtwdev->scan_info.scanning_vif); ++ + if (list_empty(&rtwvif->mgnt_entry)) + list_add_tail(&rtwvif->mgnt_entry, &mgnt->active_list); + +@@ -2715,6 +2718,9 @@ void rtw89_chanctx_ops_unassign_vif(struct rtw89_dev *rtwdev, + rtwvif_link->chanctx_assigned = false; + cfg->ref_count--; + ++ if (rtwdev->scanning) ++ rtw89_hw_scan_abort(rtwdev, rtwdev->scan_info.scanning_vif); ++ + if (!rtw89_vif_is_active_role(rtwvif)) + list_del_init(&rtwvif->mgnt_entry); + +-- +2.39.5 + diff --git a/queue-6.12/wifi-rtw89-wow-add-basic-rate-ie-to-probe-request-in.patch b/queue-6.12/wifi-rtw89-wow-add-basic-rate-ie-to-probe-request-in.patch new file mode 100644 index 0000000000..880161a8c1 --- /dev/null +++ b/queue-6.12/wifi-rtw89-wow-add-basic-rate-ie-to-probe-request-in.patch @@ -0,0 +1,53 @@ +From 56f88bdb8f4c810b93454119f491d627cc0d4d78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 20:29:26 +0800 +Subject: wifi: rtw89: wow: Add Basic Rate IE to probe request in scheduled + scan mode + +From: Chin-Yen Lee + +[ Upstream commit 37c23874d13eb369d8b384a1ce5992ff6c23d56f ] + +In scheduled scan mode, the current probe request only includes the SSID +IE, but omits the Basic Rate IE. Some APs do not respond to such +incomplete probe requests, causing net-detect failures. To improve +interoperability and ensure APs respond correctly, add the Basic Rate IE +to the probe request in driver. + +Signed-off-by: Chin-Yen Lee +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250716122926.6709-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/wow.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/wow.c b/drivers/net/wireless/realtek/rtw89/wow.c +index 3e81fd974ec1..fdb715dc175c 100644 +--- a/drivers/net/wireless/realtek/rtw89/wow.c ++++ b/drivers/net/wireless/realtek/rtw89/wow.c +@@ -1415,6 +1415,8 @@ static void rtw89_fw_release_pno_pkt_list(struct rtw89_dev *rtwdev, + static int rtw89_pno_scan_update_probe_req(struct rtw89_dev *rtwdev, + struct rtw89_vif_link *rtwvif_link) + { ++ static const u8 basic_rate_ie[] = {WLAN_EID_SUPP_RATES, 0x08, ++ 0x0c, 0x12, 0x18, 0x24, 0x30, 0x48, 0x60, 0x6c}; + struct rtw89_wow_param *rtw_wow = &rtwdev->wow; + struct cfg80211_sched_scan_request *nd_config = rtw_wow->nd_config; + u8 num = nd_config->n_match_sets, i; +@@ -1426,10 +1428,11 @@ static int rtw89_pno_scan_update_probe_req(struct rtw89_dev *rtwdev, + skb = ieee80211_probereq_get(rtwdev->hw, rtwvif_link->mac_addr, + nd_config->match_sets[i].ssid.ssid, + nd_config->match_sets[i].ssid.ssid_len, +- nd_config->ie_len); ++ nd_config->ie_len + sizeof(basic_rate_ie)); + if (!skb) + return -ENOMEM; + ++ skb_put_data(skb, basic_rate_ie, sizeof(basic_rate_ie)); + skb_put_data(skb, nd_config->ie, nd_config->ie_len); + + info = kzalloc(sizeof(*info), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.12/x86-bugs-avoid-warning-when-overriding-return-thunk.patch b/queue-6.12/x86-bugs-avoid-warning-when-overriding-return-thunk.patch new file mode 100644 index 0000000000..38edb94821 --- /dev/null +++ b/queue-6.12/x86-bugs-avoid-warning-when-overriding-return-thunk.patch @@ -0,0 +1,46 @@ +From 94bb2ecbb6b221ed840beb30e495345361a7c1ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 10:29:31 -0700 +Subject: x86/bugs: Avoid warning when overriding return thunk + +From: Pawan Gupta + +[ Upstream commit 9f85fdb9fc5a1bd308a10a0a7d7e34f2712ba58b ] + +The purpose of the warning is to prevent an unexpected change to the return +thunk mitigation. However, there are legitimate cases where the return +thunk is intentionally set more than once. For example, ITS and SRSO both +can set the return thunk after retbleed has set it. In both the cases +retbleed is still mitigated. + +Replace the warning with an info about the active return thunk. + +Suggested-by: Borislav Petkov +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/20250611-eibrs-fix-v4-3-5ff86cac6c61@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index c2c7b76d953f..31b4b73e5405 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -71,10 +71,9 @@ void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk; + + static void __init set_return_thunk(void *thunk) + { +- if (x86_return_thunk != __x86_return_thunk) +- pr_warn("x86/bugs: return thunk changed\n"); +- + x86_return_thunk = thunk; ++ ++ pr_info("active return thunk: %ps\n", thunk); + } + + /* Update SPEC_CTRL MSR and its cached copy unconditionally */ +-- +2.39.5 + diff --git a/queue-6.12/xen-netfront-fix-tx-response-spurious-interrupts.patch b/queue-6.12/xen-netfront-fix-tx-response-spurious-interrupts.patch new file mode 100644 index 0000000000..ab51462670 --- /dev/null +++ b/queue-6.12/xen-netfront-fix-tx-response-spurious-interrupts.patch @@ -0,0 +1,108 @@ +From 61e3af1d5cfeb35d1e4960e529f5866e856c1a77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 09:34:54 +0000 +Subject: xen/netfront: Fix TX response spurious interrupts + +From: Anthoine Bourgeois + +[ Upstream commit 114a2de6fa86d99ed9546cc9113a3cad58beef79 ] + +We found at Vates that there are lot of spurious interrupts when +benchmarking the xen-net PV driver frontend. This issue appeared with a +patch that addresses security issue XSA-391 (b27d47950e48 "xen/netfront: +harden netfront against event channel storms"). On an iperf benchmark, +spurious interrupts can represent up to 50% of the interrupts. + +Spurious interrupts are interrupts that are rised for nothing, there is +no work to do. This appends because the function that handles the +interrupts ("xennet_tx_buf_gc") is also called at the end of the request +path to garbage collect the responses received during the transmission +load. + +The request path is doing the work that the interrupt handler should +have done otherwise. This is particurary true when there is more than +one vcpu and get worse linearly with the number of vcpu/queue. + +Moreover, this problem is amplifyed by the penalty imposed by a spurious +interrupt. When an interrupt is found spurious the interrupt chip will +delay the EOI to slowdown the backend. This delay will allow more +responses to be handled by the request path and then there will be more +chance the next interrupt will not find any work to do, creating a new +spurious interrupt. + +This causes performance issue. The solution here is to remove the calls +from the request path and let the interrupt handler do the processing of +the responses. This approch removes most of the spurious interrupts +(<0.05%) and also has the benefit of freeing up cycles in the request +path, allowing it to process more work, which improves performance +compared to masking the spurious interrupt one way or another. + +This optimization changes a part of the code that is present since the +net frontend driver was upstreamed. There is no similar pattern in the +other xen PV drivers. Since the first commit of xen-netfront is a blob +that doesn't explain all the design choices I can only guess why this +specific mecanism was here. This could have been introduce to compensate +a slow backend at the time (maybe the backend was fixed or optimize +later) or a small queue. In 18 years, both frontend and backend gain lot +of features and optimizations that could have obsolete the feature of +reaping completions from the TX path. + +Some vif throughput performance figures from a 8 vCPUs, 4GB of RAM HVM +guest(s): + +Without this patch on the : +vm -> dom0: 4.5Gb/s +vm -> vm: 7.0Gb/s + +Without XSA-391 patch (revert of b27d47950e48): +vm -> dom0: 8.3Gb/s +vm -> vm: 8.7Gb/s + +With XSA-391 and this patch: +vm -> dom0: 11.5Gb/s +vm -> vm: 12.6Gb/s + +v2: +- add revewed and tested by tags +- resend with the maintainers in the recipients list + +v3: +- remove Fixes tag but keep the commit ref in the explanation +- add a paragraph on why this code was here + +Signed-off-by: Anthoine Bourgeois +Reviewed-by: Juergen Gross +Tested-by: Elliott Mitchell +Signed-off-by: Juergen Gross +Message-ID: <20250721093316.23560-1-anthoine.bourgeois@vates.tech> +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netfront.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 809b407cece1..2042399e890a 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -637,8 +637,6 @@ static int xennet_xdp_xmit_one(struct net_device *dev, + tx_stats->packets++; + u64_stats_update_end(&tx_stats->syncp); + +- xennet_tx_buf_gc(queue); +- + return 0; + } + +@@ -848,9 +846,6 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev + tx_stats->packets++; + u64_stats_update_end(&tx_stats->syncp); + +- /* Note: It is not safe to access skb after xennet_tx_buf_gc()! */ +- xennet_tx_buf_gc(queue); +- + if (!netfront_tx_slot_available(queue)) + netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id)); + +-- +2.39.5 + diff --git a/queue-6.12/xfrm-duplicate-spi-handling.patch b/queue-6.12/xfrm-duplicate-spi-handling.patch new file mode 100644 index 0000000000..84221c3cea --- /dev/null +++ b/queue-6.12/xfrm-duplicate-spi-handling.patch @@ -0,0 +1,162 @@ +From d21cdd17730cf22b23a9d2c6a27dc7fdf629040e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 18:08:56 +0530 +Subject: xfrm: Duplicate SPI Handling + +From: Aakash Kumar S + +[ Upstream commit 94f39804d891cffe4ce17737d295f3b195bc7299 ] + +The issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI +Netlink message, which triggers the kernel function xfrm_alloc_spi(). +This function is expected to ensure uniqueness of the Security Parameter +Index (SPI) for inbound Security Associations (SAs). However, it can +return success even when the requested SPI is already in use, leading +to duplicate SPIs assigned to multiple inbound SAs, differentiated +only by their destination addresses. + +This behavior causes inconsistencies during SPI lookups for inbound packets. +Since the lookup may return an arbitrary SA among those with the same SPI, +packet processing can fail, resulting in packet drops. + +According to RFC 4301 section 4.4.2 , for inbound processing a unicast SA +is uniquely identified by the SPI and optionally protocol. + +Reproducing the Issue Reliably: +To consistently reproduce the problem, restrict the available SPI range in +charon.conf : spi_min = 0x10000000 spi_max = 0x10000002 +This limits the system to only 2 usable SPI values. +Next, create more than 2 Child SA. each using unique pair of src/dst address. +As soon as the 3rd Child SA is initiated, it will be assigned a duplicate +SPI, since the SPI pool is already exhausted. +With a narrow SPI range, the issue is consistently reproducible. +With a broader/default range, it becomes rare and unpredictable. + +Current implementation: +xfrm_spi_hash() lookup function computes hash using daddr, proto, and family. +So if two SAs have the same SPI but different destination addresses, then +they will: +a. Hash into different buckets +b. Be stored in different linked lists (byspi + h) +c. Not be seen in the same hlist_for_each_entry_rcu() iteration. +As a result, the lookup will result in NULL and kernel allows that Duplicate SPI + +Proposed Change: +xfrm_state_lookup_spi_proto() does a truly global search - across all states, +regardless of hash bucket and matches SPI and proto. + +Signed-off-by: Aakash Kumar S +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 72 ++++++++++++++++++++++++++----------------- + 1 file changed, 43 insertions(+), 29 deletions(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index ad0fe8849471..6f99fd2d966c 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1637,6 +1637,26 @@ struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi, + } + EXPORT_SYMBOL(xfrm_state_lookup_byspi); + ++static struct xfrm_state *xfrm_state_lookup_spi_proto(struct net *net, __be32 spi, u8 proto) ++{ ++ struct xfrm_state *x; ++ unsigned int i; ++ ++ rcu_read_lock(); ++ for (i = 0; i <= net->xfrm.state_hmask; i++) { ++ hlist_for_each_entry_rcu(x, &net->xfrm.state_byspi[i], byspi) { ++ if (x->id.spi == spi && x->id.proto == proto) { ++ if (!xfrm_state_hold_rcu(x)) ++ continue; ++ rcu_read_unlock(); ++ return x; ++ } ++ } ++ } ++ rcu_read_unlock(); ++ return NULL; ++} ++ + static void __xfrm_state_insert(struct xfrm_state *x) + { + struct net *net = xs_net(x); +@@ -2465,10 +2485,8 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high, + unsigned int h; + struct xfrm_state *x0; + int err = -ENOENT; +- __be32 minspi = htonl(low); +- __be32 maxspi = htonl(high); ++ u32 range = high - low + 1; + __be32 newspi = 0; +- u32 mark = x->mark.v & x->mark.m; + + spin_lock_bh(&x->lock); + if (x->km.state == XFRM_STATE_DEAD) { +@@ -2482,38 +2500,34 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high, + + err = -ENOENT; + +- if (minspi == maxspi) { +- x0 = xfrm_state_lookup(net, mark, &x->id.daddr, minspi, x->id.proto, x->props.family); +- if (x0) { +- NL_SET_ERR_MSG(extack, "Requested SPI is already in use"); +- xfrm_state_put(x0); ++ for (h = 0; h < range; h++) { ++ u32 spi = (low == high) ? low : get_random_u32_inclusive(low, high); ++ newspi = htonl(spi); ++ ++ spin_lock_bh(&net->xfrm.xfrm_state_lock); ++ x0 = xfrm_state_lookup_spi_proto(net, newspi, x->id.proto); ++ if (!x0) { ++ x->id.spi = newspi; ++ h = xfrm_spi_hash(net, &x->id.daddr, newspi, x->id.proto, x->props.family); ++ XFRM_STATE_INSERT(byspi, &x->byspi, net->xfrm.state_byspi + h, x->xso.type); ++ spin_unlock_bh(&net->xfrm.xfrm_state_lock); ++ err = 0; + goto unlock; + } +- newspi = minspi; +- } else { +- u32 spi = 0; +- for (h = 0; h < high-low+1; h++) { +- spi = get_random_u32_inclusive(low, high); +- x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family); +- if (x0 == NULL) { +- newspi = htonl(spi); +- break; +- } +- xfrm_state_put(x0); ++ xfrm_state_put(x0); ++ spin_unlock_bh(&net->xfrm.xfrm_state_lock); ++ ++ if (signal_pending(current)) { ++ err = -ERESTARTSYS; ++ goto unlock; + } ++ ++ if (low == high) ++ break; + } +- if (newspi) { +- spin_lock_bh(&net->xfrm.xfrm_state_lock); +- x->id.spi = newspi; +- h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family); +- XFRM_STATE_INSERT(byspi, &x->byspi, net->xfrm.state_byspi + h, +- x->xso.type); +- spin_unlock_bh(&net->xfrm.xfrm_state_lock); + +- err = 0; +- } else { ++ if (err) + NL_SET_ERR_MSG(extack, "No SPI available in the requested range"); +- } + + unlock: + spin_unlock_bh(&x->lock); +-- +2.39.5 +