From: Greg Kroah-Hartman Date: Mon, 10 Feb 2025 14:08:08 +0000 (+0100) Subject: 6.13-stable patches X-Git-Tag: v6.6.77~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d75b25a661f66d0f8c722b4c754a3ef182bc7a3e;p=thirdparty%2Fkernel%2Fstable-queue.git 6.13-stable patches added patches: alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch alsa-hda-realtek-fix-quirk-matching-for-legion-pro-7.patch alsa-hda-realtek-workaround-for-resume-on-dell-venue-11-pro-7130.patch arm64-dts-qcom-x1e78100-lenovo-thinkpad-t14s-fix-usb-qmp-phy-supplies.patch arm64-dts-qcom-x1e80100-asus-vivobook-s15-fix-usb-qmp-phy-supplies.patch arm64-dts-qcom-x1e80100-crd-fix-usb-qmp-phy-supplies.patch arm64-dts-qcom-x1e80100-dell-xps13-9345-fix-usb-qmp-phy-supplies.patch arm64-dts-qcom-x1e80100-fix-usb_2-controller-interrupts.patch arm64-dts-qcom-x1e80100-lenovo-yoga-slim7x-fix-usb-qmp-phy-supplies.patch arm64-dts-qcom-x1e80100-microsoft-romulus-fix-usb-qmp-phy-supplies.patch arm64-dts-qcom-x1e80100-qcp-fix-usb-qmp-phy-supplies.patch arm64-tegra-fix-tegra234-pcie-interrupt-map.patch asoc-acp-support-microphone-from-lenovo-go-s.patch asoc-renesas-rz-ssi-add-a-check-for-negative-sample_space.patch asoc-renesas-rz-ssi-terminate-all-the-dma-transactions.patch atomic64-use-arch_spin_locks-instead-of-raw_spin_locks.patch blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch block-don-t-revert-iter-for-eiocbqueued.patch dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch dm-crypt-track-tag_offset-in-convert_context.patch efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_get_tzmem_pool.patch firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_is_available.patch hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch input-bbnsm_pwrkey-add-remove-hook.patch kbuild-move-wenum-enum-conversion-to-w-2.patch 
kvm-x86-mmu-ensure-nx-huge-page-recovery-thread-is-alive-before-waking.patch loongarch-extend-the-maximum-number-of-watchpoints.patch mips-loongson64-remove-rom-size-unit-in-boardinfo.patch mips-math-emu-fix-emulation-of-the-prefx-instruction.patch mips-pci-legacy-override-pci_address_to_pio.patch nvme-pci-add-tuxedo-ibp-gen9-to-samsung-sleep-quirk.patch nvme-pci-add-tuxedo-infinityflex-to-samsung-sleep-quirk.patch of-address-fix-empty-resource-handling-in-__of_address_resource_bounds.patch of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch of-reserved-memory-warn-for-missing-static-reserved-memory-regions.patch pci-avoid-putting-some-root-ports-into-d3-on-tuxedo-sirius-gen1.patch pci-dwc-ep-prevent-changing-bar-size-flags-in-pci_epc_set_bar.patch pci-dwc-ep-write-bar_mask-before-iatu-registers-in-pci_epc_set_bar.patch pci-endpoint-finish-virtual-ep-removal-in-pci_epf_remove_vepf.patch perf-bench-fix-undefined-behavior-in-cmpworker.patch pidfs-check-for-valid-ioctl-commands.patch pidfs-improve-ioctl-handling.patch powerpc-pseries-eeh-fix-get-pe-state-translation.patch revert-media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch revert-mips-csrc-r4k-select-have_unstable_sched_clock-if-smp-64bit.patch ring-buffer-do-not-allow-events-in-nmi-with-generic-atomic64-cmpxchg.patch s390-pci-fix-sr-iov-for-pfs-initially-in-standby.patch scsi-core-do-not-retry-i-os-during-depopulation.patch scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch scsi-st-don-t-set-pos_unknown-just-after-device-recognition.patch scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch scsi-ufs-core-fix-the-high-low_temp-bit-definitions.patch scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch scsi-ufs-qcom-fix-crypto-key-eviction.patch 
seccomp-passthrough-uretprobe-systemcall-without-filtering.patch serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch usb-gadget-f_tcm-translate-error-to-sense.patch usbnet-ipheth-break-up-ncm-header-size-computation.patch usbnet-ipheth-check-that-dpe-points-past-ncm-header.patch usbnet-ipheth-document-scope-of-ncm-implementation.patch usbnet-ipheth-fix-dpe-oob-read.patch usbnet-ipheth-fix-possible-overflow-in-dpe-length-check.patch usbnet-ipheth-refactor-ncm-datagram-loop.patch usbnet-ipheth-use-static-ndp16-location-in-urb.patch wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch wifi-mt76-mt7915-add-module-param-to-select-5-ghz-or-6-ghz-on-mt7916.patch wifi-mt76-mt7921u-add-vid-pid-for-tp-link-txe50uh.patch wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch wifi-rtw88-8703b-fix-rx-tx-issues.patch wifi-rtw88-sdio-fix-disconnection-after-beacon-loss.patch x86-efi-skip-memattr-table-on-kexec-boot.patch --- diff --git a/queue-6.13/alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch b/queue-6.13/alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch new file mode 100644 index 0000000000..25c93b062a --- /dev/null +++ b/queue-6.13/alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch 
@@ -0,0 +1,66 @@ +From 3b4309546b48fc167aa615a2d881a09c0a97971f Mon Sep 17 00:00:00 2001 +From: Kuan-Wei Chiu +Date: Wed, 29 Jan 2025 00:54:15 +0800 +Subject: ALSA: hda: Fix headset detection failure due to unstable sort + +From: Kuan-Wei Chiu + +commit 3b4309546b48fc167aa615a2d881a09c0a97971f upstream. + +The auto_parser assumed sort() was stable, but the kernel's sort() uses +heapsort, which has never been stable. After commit 0e02ca29a563 +("lib/sort: optimize heapsort with double-pop variation"), the order of +equal elements changed, causing the headset to fail to work. + +Fix the issue by recording the original order of elements before +sorting and using it as a tiebreaker for equal elements in the +comparison function. + +Fixes: b9030a005d58 ("ALSA: hda - Use standard sort function in hda_auto_parser.c") +Reported-by: Austrum +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219158 +Tested-by: Austrum +Cc: stable@vger.kernel.org +Signed-off-by: Kuan-Wei Chiu +Link: https://patch.msgid.link/20250128165415.643223-1-visitorckw@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_auto_parser.c | 8 +++++++- + sound/pci/hda/hda_auto_parser.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_auto_parser.c ++++ b/sound/pci/hda/hda_auto_parser.c +@@ -80,7 +80,11 @@ static int compare_input_type(const void + + /* In case one has boost and the other one has not, + pick the one with boost first. 
*/ +- return (int)(b->has_boost_on_pin - a->has_boost_on_pin); ++ if (a->has_boost_on_pin != b->has_boost_on_pin) ++ return (int)(b->has_boost_on_pin - a->has_boost_on_pin); ++ ++ /* Keep the original order */ ++ return a->order - b->order; + } + + /* Reorder the surround channels +@@ -400,6 +404,8 @@ int snd_hda_parse_pin_defcfg(struct hda_ + reorder_outputs(cfg->speaker_outs, cfg->speaker_pins); + + /* sort inputs in the order of AUTO_PIN_* type */ ++ for (i = 0; i < cfg->num_inputs; i++) ++ cfg->inputs[i].order = i; + sort(cfg->inputs, cfg->num_inputs, sizeof(cfg->inputs[0]), + compare_input_type, NULL); + +--- a/sound/pci/hda/hda_auto_parser.h ++++ b/sound/pci/hda/hda_auto_parser.h +@@ -37,6 +37,7 @@ struct auto_pin_cfg_item { + unsigned int is_headset_mic:1; + unsigned int is_headphone_mic:1; /* Mic-only in headphone jack */ + unsigned int has_boost_on_pin:1; ++ int order; + }; + + struct auto_pin_cfg; diff --git a/queue-6.13/alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch b/queue-6.13/alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch new file mode 100644 index 0000000000..b0b4ea8f07 --- /dev/null +++ b/queue-6.13/alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch 
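Review bot: The new `int order;` member of struct auto_pin_cfg_item in hda_auto_parser.h has no comment, although its value is only meaningful in one place. It is written in snd_hda_parse_pin_defcfg() immediately before the sort() call and read only as the tiebreaker in compare_input_type(). After the sort it still holds the pre-sort index, so a later reader of the shared header could mistake it for the current position in cfg->inputs. I would document it at the declaration, e.g. `int order; /* index before sort(); tiebreaker for compare_input_type() only */`. Both compare_input_type() and snd_hda_parse_pin_defcfg() start outside the hunks shown, so whether any other path sorts cfg->inputs without setting `order` first cannot be checked from here.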
@@ -0,0 +1,32 @@ +From 1aec3ed2e3e1512aba15e7e790196a44efd5f0a7 Mon Sep 17 00:00:00 2001 +From: Edson Juliano Drosdeck +Date: Tue, 14 Jan 2025 14:06:19 -0300 +Subject: ALSA: hda/realtek: Enable headset mic on Positivo C6400 + +From: Edson Juliano Drosdeck + +commit 1aec3ed2e3e1512aba15e7e790196a44efd5f0a7 upstream. + +Positivo C6400 is equipped with ALC269VB, and it needs +ALC269VB_FIXUP_ASUS_ZENBOOK quirk to make its headset mic work. +Also must to limits the microphone boost. + +Signed-off-by: Edson Juliano Drosdeck +Cc: +Link: https://patch.msgid.link/20250114170619.11510-1-edson.drosdeck@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10965,6 +10965,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD), + SND_PCI_QUIRK(0x17aa, 0x9e56, "Lenovo ZhaoYang CF4620Z", ALC286_FIXUP_SONY_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1849, 0x0269, "Positivo Master C6400", ALC269VB_FIXUP_ASUS_ZENBOOK), + SND_PCI_QUIRK(0x1849, 0x1233, "ASRock NUC Box 1100", ALC233_FIXUP_NO_AUDIO_JACK), + SND_PCI_QUIRK(0x1849, 0xa233, "Positivo Master C6300", ALC269_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1854, 0x0440, "LG CQ6", ALC256_FIXUP_HEADPHONE_AMP_VOL), diff --git a/queue-6.13/alsa-hda-realtek-fix-quirk-matching-for-legion-pro-7.patch b/queue-6.13/alsa-hda-realtek-fix-quirk-matching-for-legion-pro-7.patch new file mode 100644 index 0000000000..94ecf0de32 --- /dev/null +++ b/queue-6.13/alsa-hda-realtek-fix-quirk-matching-for-legion-pro-7.patch 
@@ -0,0 +1,48 @@ +From 0f3a822ae2254a1e7ce3a130a1efd94e2cab73ee Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 25 Jan 2025 13:04:40 +0100 +Subject: ALSA: hda/realtek: Fix quirk matching for Legion Pro 7 + +From: Takashi Iwai + +commit 0f3a822ae2254a1e7ce3a130a1efd94e2cab73ee upstream. + +The recent cleanup of the quirk table entries with the codec ID +matching caused a regression on some Lenovo Legion 7 models with PCI +SSID 17aa:386f: it assumed wrongly as if the codec SSID on the machine +were also 17aa:386f, but in this case, it was 17aa:38a8. This made +the binding with a wrong sub-codec, instead of TAS2781, the Cirrus +codec was bound. + +For addressing the regression, correct the quirk entry to the right +value 17aa:38a8. + +Note that this makes the entry appearing in an unsorted position. +This exception is needed because the entry must match before the PCI +SSID 17aa:386f. + +Also there is another entry for 17aa:38a8, but the latter is for PCI +SSID matching while the new entry is for the codec SSID matching. 
+ +Fixes: 504f052aa343 ("ALSA: hda/realtek: Use codec SSID matching for Lenovo devices") +Reported-and-tested-by: Samantha Glocker +Closes: https://lore.kernel.org/CAGPQRHYd48U__UKYj2jJnT4+dnNNoWRBi+wj6zPRn=JpNMBUrg@mail.gmail.com +Cc: +Link: https://patch.msgid.link/20250125120519.16420-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10890,7 +10890,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x17aa, 0x3869, "Lenovo Yoga7 14IAL7", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + HDA_CODEC_QUIRK(0x17aa, 0x386e, "Legion Y9000X 2022 IAH7", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x386e, "Yoga Pro 7 14ARP8", ALC285_FIXUP_SPEAKER2_TO_DAC1), +- HDA_CODEC_QUIRK(0x17aa, 0x386f, "Legion Pro 7 16ARX8H", ALC287_FIXUP_TAS2781_I2C), ++ HDA_CODEC_QUIRK(0x17aa, 0x38a8, "Legion Pro 7 16ARX8H", ALC287_FIXUP_TAS2781_I2C), /* this must match before PCI SSID 17aa:386f below */ + SND_PCI_QUIRK(0x17aa, 0x386f, "Legion Pro 7i 16IAX7", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x3870, "Lenovo Yoga 7 14ARB7", ALC287_FIXUP_YOGA7_14ARB7_I2C), + SND_PCI_QUIRK(0x17aa, 0x3877, "Lenovo Legion 7 Slim 16ARHA7", ALC287_FIXUP_CS35L41_I2C_2), diff --git a/queue-6.13/alsa-hda-realtek-workaround-for-resume-on-dell-venue-11-pro-7130.patch b/queue-6.13/alsa-hda-realtek-workaround-for-resume-on-dell-venue-11-pro-7130.patch new file mode 100644 index 0000000000..3b2a59646c --- /dev/null +++ b/queue-6.13/alsa-hda-realtek-workaround-for-resume-on-dell-venue-11-pro-7130.patch 
@@ -0,0 +1,72 @@ +From 8c2fa44132e8cd1b05c77a705adb8d1f5a5daf3f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 30 Jan 2025 13:32:59 +0100 +Subject: ALSA: hda/realtek: Workaround for resume on Dell Venue 11 Pro 7130 + +From: Takashi Iwai + +commit 8c2fa44132e8cd1b05c77a705adb8d1f5a5daf3f upstream. + +It was reported that the headphone output on Dell Venue 11 Pro 7130 +becomes mono after PM resume. The cause seems to be the BIOS setting +up the codec COEF 0x0d bit 0x40 wrongly by some reason, and restoring +the original value 0x2800 fixes the problem. + +This patch adds the quirk entry to perform the COEF restore. + +Cc: +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219697 +Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1235686 +Link: https://patch.msgid.link/20250130123301.8996-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7485,6 +7485,16 @@ static void alc287_fixup_lenovo_thinkpad + spec->gen.pcm_playback_hook = alc287_alc1318_playback_pcm_hook; + } + ++/* ++ * Clear COEF 0x0d (PCBEEP passthrough) bit 0x40 where BIOS sets it wrongly ++ * at PM resume ++ */ ++static void alc283_fixup_dell_hp_resume(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ if (action == HDA_FIXUP_ACT_INIT) ++ alc_write_coef_idx(codec, 0xd, 0x2800); ++} + + enum { + ALC269_FIXUP_GPIO2, +@@ -7785,6 +7795,7 @@ enum { + ALC269_FIXUP_VAIO_VJFH52_MIC_NO_PRESENCE, + ALC233_FIXUP_MEDION_MTL_SPK, + ALC294_FIXUP_BASS_SPEAKER_15, ++ ALC283_FIXUP_DELL_HP_RESUME, + }; + + /* A special fixup for Lenovo C940 and Yoga Duet 7; +@@ -10117,6 +10128,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc294_fixup_bass_speaker_15, + }, ++ [ALC283_FIXUP_DELL_HP_RESUME] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = 
alc283_fixup_dell_hp_resume, ++ }, + }; + + static const struct hda_quirk alc269_fixup_tbl[] = { +@@ -10177,6 +10192,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x1028, 0x05f4, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x05f5, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x05f6, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1028, 0x0604, "Dell Venue 11 Pro 7130", ALC283_FIXUP_DELL_HP_RESUME), + SND_PCI_QUIRK(0x1028, 0x0615, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK), + SND_PCI_QUIRK(0x1028, 0x0616, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK), + SND_PCI_QUIRK(0x1028, 0x062c, "Dell Latitude E5550", ALC292_FIXUP_DELL_E7X), diff --git a/queue-6.13/arm64-dts-qcom-x1e78100-lenovo-thinkpad-t14s-fix-usb-qmp-phy-supplies.patch b/queue-6.13/arm64-dts-qcom-x1e78100-lenovo-thinkpad-t14s-fix-usb-qmp-phy-supplies.patch new file mode 100644 index 0000000000..b8c06b6e59 --- /dev/null +++ b/queue-6.13/arm64-dts-qcom-x1e78100-lenovo-thinkpad-t14s-fix-usb-qmp-phy-supplies.patch 
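Review bot: The comment above alc283_fixup_dell_hp_resume() says it clears bit 0x40 of COEF 0x0d, but the body overwrites the whole coefficient with `alc_write_coef_idx(codec, 0xd, 0x2800);`, which also resets every other bit in that register. If only that bit is wrong after resume, a masked update such as `alc_update_coef_idx(codec, 0xd, 0x40, 0);` would match the comment and leave the other bits alone. If the full restore is intended, as the description's "original value 0x2800" suggests, the comment should say so, e.g. `/* Restore COEF 0x0d (PCBEEP passthrough) to 0x2800; BIOS sets bit 0x40 wrongly at PM resume */`. The fixup acts only on HDA_FIXUP_ACT_INIT, which presumably also runs on the resume path; a word on that in the comment would help.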
@@ -0,0 +1,47 @@ +From 6efc01b75f819a2988aa9392f93a4d6501871525 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Tue, 10 Dec 2024 10:07:33 +0100 +Subject: arm64: dts: qcom: x1e78100-lenovo-thinkpad-t14s: Fix USB QMP PHY supplies + +From: Stephan Gerhold + +commit 6efc01b75f819a2988aa9392f93a4d6501871525 upstream. + +On the X1E80100 CRD, &vreg_l3e_1p2 only powers &usb_mp_qmpphy0/1 +(i.e. USBSS_3 and USBSS_4). The QMP PHYs for USB_0, USB_1 and USB_2 +are actually powered by &vreg_l2j_1p2. + +Since x1e78100-lenovo-thinkpad-t14s mostly just mirrors the power supplies +from the x1e80100-crd device tree, assume that the fix also applies here. + +Cc: stable@vger.kernel.org +Fixes: 7d1cbe2f4985 ("arm64: dts: qcom: Add X1E78100 ThinkPad T14s Gen 6") +Signed-off-by: Stephan Gerhold +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20241210-x1e80100-usb-qmp-supply-fix-v1-2-0adda5d30bbd@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/x1e78100-lenovo-thinkpad-t14s.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/x1e78100-lenovo-thinkpad-t14s.dts ++++ b/arch/arm64/boot/dts/qcom/x1e78100-lenovo-thinkpad-t14s.dts +@@ -763,7 +763,7 @@ + }; + + &usb_1_ss0_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l1j_0p8>; + + status = "okay"; +@@ -795,7 +795,7 @@ + }; + + &usb_1_ss1_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l2d_0p9>; + + status = "okay"; diff --git a/queue-6.13/arm64-dts-qcom-x1e80100-asus-vivobook-s15-fix-usb-qmp-phy-supplies.patch b/queue-6.13/arm64-dts-qcom-x1e80100-asus-vivobook-s15-fix-usb-qmp-phy-supplies.patch new file mode 100644 index 0000000000..2548630ac1 --- /dev/null +++ b/queue-6.13/arm64-dts-qcom-x1e80100-asus-vivobook-s15-fix-usb-qmp-phy-supplies.patch 
@@ -0,0 +1,48 @@ +From bf5e9aa844ca74e9c202d8de2ce7390d24ec38a4 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Tue, 10 Dec 2024 10:07:34 +0100 +Subject: arm64: dts: qcom: x1e80100-asus-vivobook-s15: Fix USB QMP PHY supplies + +From: Stephan Gerhold + +commit bf5e9aa844ca74e9c202d8de2ce7390d24ec38a4 upstream. + +On the X1E80100 CRD, &vreg_l3e_1p2 only powers &usb_mp_qmpphy0/1 +(i.e. USBSS_3 and USBSS_4). The QMP PHYs for USB_0, USB_1 and USB_2 +are actually powered by &vreg_l2j_1p2. + +Since x1e80100-asus-vivobook-s15 mostly just mirrors the power supplies +from the x1e80100-crd device tree, assume that the fix also applies here. + +Cc: stable@vger.kernel.org +Fixes: d0e2f8f62dff ("arm64: dts: qcom: Add device tree for ASUS Vivobook S 15") +Signed-off-by: Stephan Gerhold +Tested-by: Maud Spierings +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20241210-x1e80100-usb-qmp-supply-fix-v1-3-0adda5d30bbd@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/x1e80100-asus-vivobook-s15.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/x1e80100-asus-vivobook-s15.dts ++++ b/arch/arm64/boot/dts/qcom/x1e80100-asus-vivobook-s15.dts +@@ -591,7 +591,7 @@ + }; + + &usb_1_ss0_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l1j_0p8>; + + status = "okay"; +@@ -623,7 +623,7 @@ + }; + + &usb_1_ss1_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l2d_0p9>; + + status = "okay"; diff --git a/queue-6.13/arm64-dts-qcom-x1e80100-crd-fix-usb-qmp-phy-supplies.patch b/queue-6.13/arm64-dts-qcom-x1e80100-crd-fix-usb-qmp-phy-supplies.patch new file mode 100644 index 0000000000..edd7c73bda --- /dev/null +++ b/queue-6.13/arm64-dts-qcom-x1e80100-crd-fix-usb-qmp-phy-supplies.patch 
@@ -0,0 +1,53 @@ +From 789209dd08124da448bfa7524b21049a04d98f83 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Tue, 10 Dec 2024 10:07:35 +0100 +Subject: arm64: dts: qcom: x1e80100-crd: Fix USB QMP PHY supplies + +From: Stephan Gerhold + +commit 789209dd08124da448bfa7524b21049a04d98f83 upstream. + +On the X1E80100 CRD, &vreg_l3e_1p2 only powers &usb_mp_qmpphy0/1 +(i.e. USBSS_3 and USBSS_4). The QMP PHYs for USB_0, USB_1 and USB_2 +are actually powered by &vreg_l2j_1p2. + +Cc: stable@vger.kernel.org +Fixes: ae5cee8e7349 ("arm64: dts: qcom: x1e80100-crd: Fix USB PHYs regulators") +Signed-off-by: Stephan Gerhold +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20241210-x1e80100-usb-qmp-supply-fix-v1-4-0adda5d30bbd@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/x1e80100-crd.dts | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/x1e80100-crd.dts ++++ b/arch/arm64/boot/dts/qcom/x1e80100-crd.dts +@@ -1187,7 +1187,7 @@ + }; + + &usb_1_ss0_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l1j_0p8>; + + status = "okay"; +@@ -1219,7 +1219,7 @@ + }; + + &usb_1_ss1_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l2d_0p9>; + + status = "okay"; +@@ -1251,7 +1251,7 @@ + }; + + &usb_1_ss2_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l2d_0p9>; + + status = "okay"; diff --git a/queue-6.13/arm64-dts-qcom-x1e80100-dell-xps13-9345-fix-usb-qmp-phy-supplies.patch b/queue-6.13/arm64-dts-qcom-x1e80100-dell-xps13-9345-fix-usb-qmp-phy-supplies.patch new file mode 100644 index 0000000000..b3148a2da3 --- /dev/null +++ b/queue-6.13/arm64-dts-qcom-x1e80100-dell-xps13-9345-fix-usb-qmp-phy-supplies.patch 
@@ -0,0 +1,48 @@ +From 26a1b22aaf0c6f5128f8d0242caf3d983d5a2836 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Tue, 10 Dec 2024 10:07:36 +0100 +Subject: arm64: dts: qcom: x1e80100-dell-xps13-9345: Fix USB QMP PHY supplies + +From: Stephan Gerhold + +commit 26a1b22aaf0c6f5128f8d0242caf3d983d5a2836 upstream. + +On the X1E80100 CRD, &vreg_l3e_1p2 only powers &usb_mp_qmpphy0/1 +(i.e. USBSS_3 and USBSS_4). The QMP PHYs for USB_0, USB_1 and USB_2 +are actually powered by &vreg_l2j_1p2. + +Since x1e80100-dell-xps13-9345 mostly just mirrors the power supplies from +the x1e80100-crd device tree, assume that the fix also applies here. + +Cc: stable@vger.kernel.org +Fixes: f5b788d0e8cd ("arm64: dts: qcom: Add support for X1-based Dell XPS 13 9345") +Signed-off-by: Stephan Gerhold +Tested-by: Aleksandrs Vinarskis +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20241210-x1e80100-usb-qmp-supply-fix-v1-5-0adda5d30bbd@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/x1e80100-dell-xps13-9345.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/x1e80100-dell-xps13-9345.dts ++++ b/arch/arm64/boot/dts/qcom/x1e80100-dell-xps13-9345.dts +@@ -820,7 +820,7 @@ + }; + + &usb_1_ss0_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l1j_0p9>; + + status = "okay"; +@@ -852,7 +852,7 @@ + }; + + &usb_1_ss1_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l2d_0p9>; + + status = "okay"; diff --git a/queue-6.13/arm64-dts-qcom-x1e80100-fix-usb_2-controller-interrupts.patch b/queue-6.13/arm64-dts-qcom-x1e80100-fix-usb_2-controller-interrupts.patch new file mode 100644 index 0000000000..5b49ca906c --- /dev/null +++ b/queue-6.13/arm64-dts-qcom-x1e80100-fix-usb_2-controller-interrupts.patch 
@@ -0,0 +1,52 @@ +From 680421056216efe727ff4ed48f481691d5873b9e Mon Sep 17 00:00:00 2001 +From: Abel Vesa +Date: Tue, 7 Jan 2025 15:15:16 +0200 +Subject: arm64: dts: qcom: x1e80100: Fix usb_2 controller interrupts + +From: Abel Vesa + +commit 680421056216efe727ff4ed48f481691d5873b9e upstream. + +Back when the CRD support was brought up, the usb_2 controller didn't +have anything connected to it in order to test it properly, so it was +never enabled. + +On the Lenovo ThinkPad T14s, the usb_2 controller has the fingerprint +controller connected to it. So enabling it, proved that the interrupts +lines were wrong from the start. + +Fix both the pwr_event and the DWC ctrl_irq lines, according to +documentation. + +Fixes: 4af46b7bd66f ("arm64: dts: qcom: x1e80100: Add USB nodes") +Cc: stable@vger.kernel.org # 6.9 +Signed-off-by: Abel Vesa +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Link: https://lore.kernel.org/r/20250107-x1e80100-fix-usb2-controller-irqs-v1-1-4689aa9852a7@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/x1e80100.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/x1e80100.dtsi ++++ b/arch/arm64/boot/dts/qcom/x1e80100.dtsi +@@ -4118,7 +4118,7 @@ + <&gcc GCC_USB20_MASTER_CLK>; + assigned-clock-rates = <19200000>, <200000000>; + +- interrupts-extended = <&intc GIC_SPI 240 IRQ_TYPE_LEVEL_HIGH>, ++ interrupts-extended = <&intc GIC_SPI 245 IRQ_TYPE_LEVEL_HIGH>, + <&pdc 50 IRQ_TYPE_EDGE_BOTH>, + <&pdc 49 IRQ_TYPE_EDGE_BOTH>; + interrupt-names = "pwr_event", +@@ -4144,7 +4144,7 @@ + usb_2_dwc3: usb@a200000 { + compatible = "snps,dwc3"; + reg = <0 0x0a200000 0 0xcd00>; +- interrupts = ; ++ interrupts = ; + iommus = <&apps_smmu 0x14e0 0x0>; + phys = <&usb_2_hsphy>; + phy-names = "usb2-phy"; 
diff --git a/queue-6.13/arm64-dts-qcom-x1e80100-lenovo-yoga-slim7x-fix-usb-qmp-phy-supplies.patch b/queue-6.13/arm64-dts-qcom-x1e80100-lenovo-yoga-slim7x-fix-usb-qmp-phy-supplies.patch
new file mode 100644
index 0000000000..c5e2aa5214
--- /dev/null
+++ b/queue-6.13/arm64-dts-qcom-x1e80100-lenovo-yoga-slim7x-fix-usb-qmp-phy-supplies.patch
@@ -0,0 +1,56 @@ +From 6ba8e1b8242d27dd83ed4ce58a104c709e72f45f Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Tue, 10 Dec 2024 10:07:37 +0100 +Subject: arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: Fix USB QMP PHY supplies + +From: Stephan Gerhold + +commit 6ba8e1b8242d27dd83ed4ce58a104c709e72f45f upstream. + +On the X1E80100 CRD, &vreg_l3e_1p2 only powers &usb_mp_qmpphy0/1 +(i.e. USBSS_3 and USBSS_4). The QMP PHYs for USB_0, USB_1 and USB_2 +are actually powered by &vreg_l2j_1p2. + +Since x1e80100-lenovo-yoga-slim7x mostly just mirrors the power supplies +from the x1e80100-crd device tree, assume that the fix also applies here. + +Cc: stable@vger.kernel.org +Fixes: 45247fe17db2 ("arm64: dts: qcom: x1e80100: add Lenovo Thinkpad Yoga slim 7x devicetree") +Signed-off-by: Stephan Gerhold +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20241210-x1e80100-usb-qmp-supply-fix-v1-6-0adda5d30bbd@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/x1e80100-lenovo-yoga-slim7x.dts | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/x1e80100-lenovo-yoga-slim7x.dts ++++ b/arch/arm64/boot/dts/qcom/x1e80100-lenovo-yoga-slim7x.dts +@@ -908,7 +908,7 @@ + }; + + &usb_1_ss0_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l1j_0p8>; + + status = "okay"; +@@ -940,7 +940,7 @@ + }; + + &usb_1_ss1_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l2d_0p9>; + + status = "okay"; +@@ -972,7 +972,7 @@ + }; + + &usb_1_ss2_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l2d_0p9>; + + status = "okay"; 
diff --git a/queue-6.13/arm64-dts-qcom-x1e80100-microsoft-romulus-fix-usb-qmp-phy-supplies.patch b/queue-6.13/arm64-dts-qcom-x1e80100-microsoft-romulus-fix-usb-qmp-phy-supplies.patch new file mode 100644 index 0000000000..c6c4a4ac54 --- /dev/null +++ b/queue-6.13/arm64-dts-qcom-x1e80100-microsoft-romulus-fix-usb-qmp-phy-supplies.patch @@ -0,0 +1,47 @@ +From c0562f51b177d49829a378b5aeda73f78c60d0fc Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Tue, 10 Dec 2024 10:07:38 +0100 +Subject: arm64: dts: qcom: x1e80100-microsoft-romulus: Fix USB QMP PHY supplies + +From: Stephan Gerhold + +commit c0562f51b177d49829a378b5aeda73f78c60d0fc upstream. + +On the X1E80100 CRD, &vreg_l3e_1p2 only powers &usb_mp_qmpphy0/1 +(i.e. USBSS_3 and USBSS_4). The QMP PHYs for USB_0, USB_1 and USB_2 +are actually powered by &vreg_l2j_1p2. + +Since x1e80100-microsoft-romulus mostly just mirrors the power supplies +from the x1e80100-crd device tree, assume that the fix also applies here. + +Cc: stable@vger.kernel.org +Fixes: 09d77be56093 ("arm64: dts: qcom: Add support for X1-based Surface Laptop 7 devices") +Signed-off-by: Stephan Gerhold +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20241210-x1e80100-usb-qmp-supply-fix-v1-7-0adda5d30bbd@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/x1e80100-microsoft-romulus.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/x1e80100-microsoft-romulus.dtsi ++++ b/arch/arm64/boot/dts/qcom/x1e80100-microsoft-romulus.dtsi +@@ -823,7 +823,7 @@ + }; + + &usb_1_ss0_qmpphy { +- vdda-phy-supply = <&vreg_l3e>; ++ vdda-phy-supply = <&vreg_l2j>; + vdda-pll-supply = <&vreg_l1j>; + + status = "okay"; +@@ -855,7 +855,7 @@ + }; + + &usb_1_ss1_qmpphy { +- vdda-phy-supply = <&vreg_l3e>; ++ vdda-phy-supply = <&vreg_l2j>; + vdda-pll-supply = <&vreg_l2d>; + + status = "okay"; 
diff --git a/queue-6.13/arm64-dts-qcom-x1e80100-qcp-fix-usb-qmp-phy-supplies.patch b/queue-6.13/arm64-dts-qcom-x1e80100-qcp-fix-usb-qmp-phy-supplies.patch new file mode 100644 index 0000000000..2c8ac8f0fb --- /dev/null +++ b/queue-6.13/arm64-dts-qcom-x1e80100-qcp-fix-usb-qmp-phy-supplies.patch @@ -0,0 +1,53 @@ +From 4861ba7cf5a49969dee258dda2bf8d4e819135d1 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Tue, 10 Dec 2024 10:07:39 +0100 +Subject: arm64: dts: qcom: x1e80100-qcp: Fix USB QMP PHY supplies + +From: Stephan Gerhold + +commit 4861ba7cf5a49969dee258dda2bf8d4e819135d1 upstream. + +On the X1E80100 QCP, &vreg_l3e_1p2 only powers &usb_mp_qmpphy0/1 +(i.e. USBSS_3 and USBSS_4). The QMP PHYs for USB_0, USB_1 and USB_2 +are actually powered by &vreg_l2j_1p2. + +Cc: stable@vger.kernel.org +Fixes: 20676f7819d7 ("arm64: dts: qcom: x1e80100-qcp: Fix USB PHYs regulators") +Signed-off-by: Stephan Gerhold +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20241210-x1e80100-usb-qmp-supply-fix-v1-8-0adda5d30bbd@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/x1e80100-qcp.dts | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/x1e80100-qcp.dts ++++ b/arch/arm64/boot/dts/qcom/x1e80100-qcp.dts +@@ -896,7 +896,7 @@ + }; + + &usb_1_ss0_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l1j_0p8>; + + status = "okay"; +@@ -928,7 +928,7 @@ + }; + + &usb_1_ss1_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l2d_0p9>; + + status = "okay"; +@@ -960,7 +960,7 @@ + }; + + &usb_1_ss2_qmpphy { +- vdda-phy-supply = <&vreg_l3e_1p2>; ++ vdda-phy-supply = <&vreg_l2j_1p2>; + vdda-pll-supply = <&vreg_l2d_0p9>; + + status = "okay"; 
diff --git a/queue-6.13/arm64-tegra-fix-tegra234-pcie-interrupt-map.patch b/queue-6.13/arm64-tegra-fix-tegra234-pcie-interrupt-map.patch new file mode 100644 index 0000000000..2dea45ec31 --- /dev/null +++ b/queue-6.13/arm64-tegra-fix-tegra234-pcie-interrupt-map.patch @@ -0,0 +1,45 @@ +From b615fbd70fce8582d92b3bdbbf3c9b80cadcfb55 Mon Sep 17 00:00:00 2001 +From: Brad Griffis +Date: Fri, 13 Dec 2024 23:56:02 +0000 +Subject: arm64: tegra: Fix Tegra234 PCIe interrupt-map + +From: Brad Griffis + +commit b615fbd70fce8582d92b3bdbbf3c9b80cadcfb55 upstream. + +For interrupt-map entries, the DTS specification requires +that #address-cells is defined for both the child node and the +interrupt parent. For the PCIe interrupt-map entries, the parent +node ("gic") has not specified #address-cells. The existing layout +of the PCIe interrupt-map entries indicates that it assumes +that #address-cells is zero for this node. + +Explicitly set #address-cells to zero for "gic" so that it complies +with the device tree specification. + +NVIDIA EDK2 works around this issue by assuming #address-cells +is zero in this scenario, but that workaround is being removed and so +this update is needed or else NVIDIA EDK2 cannot successfully parse the +device tree and the board cannot boot. + +Fixes: ec142c44b026 ("arm64: tegra: Add P2U and PCIe controller nodes to Tegra234 DT") +Signed-off-by: Brad Griffis +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20241213235602.452303-1-bgriffis@nvidia.com +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/nvidia/tegra234.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/nvidia/tegra234.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra234.dtsi +@@ -4018,6 +4018,8 @@ + #redistributor-regions = <1>; + #interrupt-cells = <3>; + interrupt-controller; ++ ++ #address-cells = <0>; + }; + + smmu_iso: iommu@10000000 { 
diff --git a/queue-6.13/asoc-acp-support-microphone-from-lenovo-go-s.patch b/queue-6.13/asoc-acp-support-microphone-from-lenovo-go-s.patch
new file mode 100644
index 0000000000..a7ace2a283
--- /dev/null
+++ b/queue-6.13/asoc-acp-support-microphone-from-lenovo-go-s.patch
@@ -0,0 +1,63 @@
+From b9a8ea185f3f8024619b2e74b74375493c87df8c Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Wed, 22 Jan 2025 20:49:13 -0600
+Subject: ASoC: acp: Support microphone from Lenovo Go S
+
+From: Mario Limonciello
+
+commit b9a8ea185f3f8024619b2e74b74375493c87df8c upstream.
+
+On Lenovo Go S there is a DMIC connected to the ACP but the firmware
+has no `AcpDmicConnected` ACPI _DSD.
+
+Add a DMI entry for all possible Lenovo Go S SKUs to enable DMIC.
+
+Cc: nijs1@lenovo.com
+Cc: pgriffais@valvesoftware.com
+Cc: mpearson-lenovo@squebb.ca
+Cc: stable@vger.kernel.org
+Signed-off-by: Mario Limonciello
+Link: https://patch.msgid.link/20250123024915.2457115-1-superm1@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/amd/yc/acp6x-mach.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -307,6 +307,34 @@ static const struct dmi_system_id yc_acp
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83L3"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83N6"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q2"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q3"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "UM5302TA"),
+ }
diff --git a/queue-6.13/asoc-renesas-rz-ssi-add-a-check-for-negative-sample_space.patch b/queue-6.13/asoc-renesas-rz-ssi-add-a-check-for-negative-sample_space.patch
new file mode 100644
index 0000000000..b13dee948b
--- /dev/null
+++ b/queue-6.13/asoc-renesas-rz-ssi-add-a-check-for-negative-sample_space.patch
@@ -0,0 +1,40 @@
+From 82a0a3e6f8c02b3236b55e784a083fa4ee07c321 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 8 Jan 2025 12:28:46 +0300
+Subject: ASoC: renesas: rz-ssi: Add a check for negative sample_space
+
+From: Dan Carpenter
+
+commit 82a0a3e6f8c02b3236b55e784a083fa4ee07c321 upstream.
+
+My static checker rule complains about this code. The concern is that
+if "sample_space" is negative then the "sample_space >= runtime->channels"
+condition will not work as intended because it will be type promoted to a
+high unsigned int value.
+
+strm->fifo_sample_size is SSI_FIFO_DEPTH (32). The SSIFSR_TDC_MASK is
+0x3f. Without any further context it does seem like a reasonable warning
+and it can't hurt to add a check for negatives.
+
+Cc: stable@vger.kernel.org
+Fixes: 03e786bd4341 ("ASoC: sh: Add RZ/G2L SSIF-2 driver")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Geert Uytterhoeven
+Link: https://patch.msgid.link/e07c3dc5-d885-4b04-a742-71f42243f4fd@stanley.mountain
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/renesas/rz-ssi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/soc/renesas/rz-ssi.c
++++ b/sound/soc/renesas/rz-ssi.c
+@@ -526,6 +526,8 @@ static int rz_ssi_pio_send(struct rz_ssi
+ sample_space = strm->fifo_sample_size;
+ ssifsr = rz_ssi_reg_readl(ssi, SSIFSR);
+ sample_space -= (ssifsr >> SSIFSR_TDC_SHIFT) & SSIFSR_TDC_MASK;
++ if (sample_space < 0)
++ return -EINVAL;
+
+ /* Only add full frames at a time */
+ while (frames_left && (sample_space >= runtime->channels)) {
diff --git a/queue-6.13/asoc-renesas-rz-ssi-terminate-all-the-dma-transactions.patch b/queue-6.13/asoc-renesas-rz-ssi-terminate-all-the-dma-transactions.patch
new file mode 100644
index 0000000000..added40155
--- /dev/null
+++ b/queue-6.13/asoc-renesas-rz-ssi-terminate-all-the-dma-transactions.patch
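Review bot: The new `if (sample_space < 0) return -EINVAL;` in rz_ssi_pio_send() carries no comment, so the reason for it lives only in the commit message. The description gives the facts worth keeping next to the code: fifo_sample_size is SSI_FIFO_DEPTH (32) while SSIFSR_TDC_MASK is 0x3f, so the subtraction can go negative, and the later `sample_space >= runtime->channels` test would then compare a value promoted to a large unsigned int. I would add `/* TDC is masked with 0x3f but the FIFO depth is 32: a negative result would be promoted to unsigned in the loop test below */` above the check. The function body starts and ends outside this hunk, so whether callers treat -EINVAL as fatal cannot be judged from here.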
@@ -0,0 +1,83 @@
+From 541011dc2d7c4c82523706f726f422a5e23cc86f Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea
+Date: Tue, 10 Dec 2024 19:09:33 +0200
+Subject: ASoC: renesas: rz-ssi: Terminate all the DMA transactions
+
+From: Claudiu Beznea
+
+commit 541011dc2d7c4c82523706f726f422a5e23cc86f upstream.
+
+The stop trigger invokes rz_ssi_stop() and rz_ssi_stream_quit().
+- The purpose of rz_ssi_stop() is to disable TX/RX, terminate DMA
+ transactions, and set the controller to idle.
+- The purpose of rz_ssi_stream_quit() is to reset the substream-specific
+ software data by setting strm->running and strm->substream appropriately.
+
+The function rz_ssi_is_stream_running() checks if both strm->substream and
+strm->running are valid and returns true if so. Its implementation is as
+follows:
+
+static inline bool rz_ssi_is_stream_running(struct rz_ssi_stream *strm)
+{
+ return strm->substream && strm->running;
+}
+
+When the controller is configured in full-duplex mode (with both playback
+and capture active), the rz_ssi_stop() function does not modify the
+controller settings when called for the first substream in the full-duplex
+setup. Instead, it simply sets strm->running = 0 and returns if the
+companion substream is still running. The following code illustrates this:
+
+static int rz_ssi_stop(struct rz_ssi_priv *ssi, struct rz_ssi_stream *strm)
+{
+ strm->running = 0;
+
+ if (rz_ssi_is_stream_running(&ssi->playback) ||
+ rz_ssi_is_stream_running(&ssi->capture))
+ return 0;
+
+ // ...
+}
+
+The controller settings, along with the DMA termination (for the last
+stopped substream), are only applied when the last substream in the
+full-duplex setup is stopped.
+
+While applying the controller settings only when the last substream stops
+is not problematic, terminating the DMA operations for only one substream
+causes failures when starting and stopping full-duplex operations multiple
+times in a loop.
+
+To address this issue, call dmaengine_terminate_async() for both substreams
+involved in the full-duplex setup when the last substream in the setup is
+stopped.
+
+Fixes: 4f8cd05a4305 ("ASoC: sh: rz-ssi: Add full duplex support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Biju Das
+Signed-off-by: Claudiu Beznea
+Reviewed-by: Geert Uytterhoeven
+Link: https://patch.msgid.link/20241210170953.2936724-5-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/renesas/rz-ssi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/renesas/rz-ssi.c
++++ b/sound/soc/renesas/rz-ssi.c
+@@ -414,8 +414,12 @@ static int rz_ssi_stop(struct rz_ssi_pri
+ rz_ssi_reg_mask_setl(ssi, SSICR, SSICR_TEN | SSICR_REN, 0);
+
+ /* Cancel all remaining DMA transactions */
+- if (rz_ssi_is_dma_enabled(ssi))
+- dmaengine_terminate_async(strm->dma_ch);
++ if (rz_ssi_is_dma_enabled(ssi)) {
++ if (ssi->playback.dma_ch)
++ dmaengine_terminate_async(ssi->playback.dma_ch);
++ if (ssi->capture.dma_ch)
++ dmaengine_terminate_async(ssi->capture.dma_ch);
++ }
+
+ rz_ssi_set_idle(ssi);
+
diff --git a/queue-6.13/atomic64-use-arch_spin_locks-instead-of-raw_spin_locks.patch b/queue-6.13/atomic64-use-arch_spin_locks-instead-of-raw_spin_locks.patch
new file mode 100644
index 0000000000..2f73829eef
--- /dev/null
+++ b/queue-6.13/atomic64-use-arch_spin_locks-instead-of-raw_spin_locks.patch
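Review bot: Nothing in the rz_ssi_stop() hunk waits for the two dmaengine_terminate_async() calls to finish; the async variant only requests termination, and no dmaengine_synchronize() on either channel is visible here. If the DMA buffers or the data used by the completion callback are released after rz_ssi_stop() returns, a synchronize is needed before that happens, presumably in a path that is allowed to sleep. rz_ssi_stop() extends beyond the hunk, so this may already be handled elsewhere and should be confirmed. A short comment naming where the matching synchronize lives, e.g. `/* async: dmaengine_synchronize() must run before the buffers are freed */`, would make the contract visible.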
@@ -0,0 +1,239 @@
+From 6c8ad3ab45ad0e94bfb7a9c71f2fa9c6cacea4b2 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Wed, 22 Jan 2025 14:43:11 -0500
+Subject: atomic64: Use arch_spin_locks instead of raw_spin_locks
+
+From: Steven Rostedt
+
+commit 6c8ad3ab45ad0e94bfb7a9c71f2fa9c6cacea4b2 upstream.
+
+raw_spin_locks can be traced by lockdep or tracing itself. Atomic64
+operations can be used in the tracing infrastructure. When an architecture
+does not have true atomic64 operations it can use the generic version that
+disables interrupts and uses spin_locks.
+
+The tracing ring buffer code uses atomic64 operations for the time
+keeping. But because some architectures use the default operations, the
+locking inside the atomic operations can cause an infinite recursion.
+
+As atomic64 implementation is architecture specific, it should not be
+using raw_spin_locks() but instead arch_spin_locks as that is the purpose
+of arch_spin_locks. To be used in architecture specific implementations of
+generic infrastructure like atomic64 operations.
+
+Note, by switching from raw_spin_locks to arch_spin_locks, the locks taken
+to emulate the atomic64 operations will not have lockdep, mmio, or any
+kind of checks done on them. They will not even disable preemption,
+although the code will disable interrupts preventing the tasks that hold
+the locks from being preempted. As the locks held are done so for very
+short periods of time, and the logic is only done to emulate atomic64, not
+having them be instrumented should not be an issue.
+
+Cc: stable@vger.kernel.org
+Cc: Mark Rutland
+Cc: Mathieu Desnoyers
+Cc: Andrew Morton
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Linus Torvalds
+Cc: Andreas Larsson
+Link: https://lore.kernel.org/20250122144311.64392baf@gandalf.local.home
+Fixes: c84897c0ff592 ("ring-buffer: Remove 32bit timestamp logic")
+Closes: https://lore.kernel.org/all/86fb4f86-a0e4-45a2-a2df-3154acc4f086@gaisler.com/
+Reported-by: Ludwig Rydberg
+Reviewed-by: Masami Hiramatsu (Google)
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/atomic64.c | 78 +++++++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 48 insertions(+), 30 deletions(-)
+
+--- a/lib/atomic64.c
++++ b/lib/atomic64.c
+@@ -25,15 +25,15 @@
+ * Ensure each lock is in a separate cacheline.
+ */
+ static union {
+- raw_spinlock_t lock;
++ arch_spinlock_t lock;
+ char pad[L1_CACHE_BYTES];
+ } atomic64_lock[NR_LOCKS] __cacheline_aligned_in_smp = {
+ [0 ... (NR_LOCKS - 1)] = {
+- .lock = __RAW_SPIN_LOCK_UNLOCKED(atomic64_lock.lock),
++ .lock = __ARCH_SPIN_LOCK_UNLOCKED,
+ },
+ };
+
+-static inline raw_spinlock_t *lock_addr(const atomic64_t *v)
++static inline arch_spinlock_t *lock_addr(const atomic64_t *v)
+ {
+ unsigned long addr = (unsigned long) v;
+
+@@ -45,12 +45,14 @@ static inline raw_spinlock_t *lock_addr(
+ s64 generic_atomic64_read(const atomic64_t *v)
+ {
+ unsigned long flags;
+- raw_spinlock_t *lock = lock_addr(v);
++ arch_spinlock_t *lock = lock_addr(v);
+ s64 val;
+
+- raw_spin_lock_irqsave(lock, flags);
++ local_irq_save(flags);
++ arch_spin_lock(lock);
+ val = v->counter;
+- raw_spin_unlock_irqrestore(lock, flags);
++ arch_spin_unlock(lock);
++ local_irq_restore(flags);
+ return val;
+ }
+ EXPORT_SYMBOL(generic_atomic64_read);
+@@ -58,11 +60,13 @@ EXPORT_SYMBOL(generic_atomic64_read);
+ void generic_atomic64_set(atomic64_t *v, s64 i)
+ {
+ unsigned long flags;
+- raw_spinlock_t *lock = lock_addr(v);
++ arch_spinlock_t *lock = lock_addr(v);
+
+-
raw_spin_lock_irqsave(lock, flags);
++ local_irq_save(flags);
++ arch_spin_lock(lock);
+ v->counter = i;
+- raw_spin_unlock_irqrestore(lock, flags);
++ arch_spin_unlock(lock);
++ local_irq_restore(flags);
+ }
+ EXPORT_SYMBOL(generic_atomic64_set);
+
+@@ -70,11 +74,13 @@ EXPORT_SYMBOL(generic_atomic64_set);
+ void generic_atomic64_##op(s64 a, atomic64_t *v) \
+ { \
+ unsigned long flags; \
+- raw_spinlock_t *lock = lock_addr(v); \
++ arch_spinlock_t *lock = lock_addr(v); \
+ \
+- raw_spin_lock_irqsave(lock, flags); \
++ local_irq_save(flags); \
++ arch_spin_lock(lock); \
+ v->counter c_op a; \
+- raw_spin_unlock_irqrestore(lock, flags); \
++ arch_spin_unlock(lock); \
++ local_irq_restore(flags); \
+ } \
+ EXPORT_SYMBOL(generic_atomic64_##op);
+
+@@ -82,12 +88,14 @@ EXPORT_SYMBOL(generic_atomic64_##op);
+ s64 generic_atomic64_##op##_return(s64 a, atomic64_t *v) \
+ { \
+ unsigned long flags; \
+- raw_spinlock_t *lock = lock_addr(v); \
++ arch_spinlock_t *lock = lock_addr(v); \
+ s64 val; \
+ \
+- raw_spin_lock_irqsave(lock, flags); \
++ local_irq_save(flags); \
++ arch_spin_lock(lock); \
+ val = (v->counter c_op a); \
+- raw_spin_unlock_irqrestore(lock, flags); \
++ arch_spin_unlock(lock); \
++ local_irq_restore(flags); \
+ return val; \
+ } \
+ EXPORT_SYMBOL(generic_atomic64_##op##_return);
+@@ -96,13 +104,15 @@ EXPORT_SYMBOL(generic_atomic64_##op##_re
+ s64 generic_atomic64_fetch_##op(s64 a, atomic64_t *v) \
+ { \
+ unsigned long flags; \
+- raw_spinlock_t *lock = lock_addr(v); \
++ arch_spinlock_t *lock = lock_addr(v); \
+ s64 val; \
+ \
+- raw_spin_lock_irqsave(lock, flags); \
++ local_irq_save(flags); \
++ arch_spin_lock(lock); \
+ val = v->counter; \
+ v->counter c_op a; \
+- raw_spin_unlock_irqrestore(lock, flags); \
++ arch_spin_unlock(lock); \
++ local_irq_restore(flags); \
+ return val; \
+ } \
+ EXPORT_SYMBOL(generic_atomic64_fetch_##op);
+@@ -131,14 +141,16 @@ ATOMIC64_OPS(xor, ^=)
+ s64 generic_atomic64_dec_if_positive(atomic64_t *v)
+ {
+ unsigned long
flags;
+- raw_spinlock_t *lock = lock_addr(v);
++ arch_spinlock_t *lock = lock_addr(v);
+ s64 val;
+
+- raw_spin_lock_irqsave(lock, flags);
++ local_irq_save(flags);
++ arch_spin_lock(lock);
+ val = v->counter - 1;
+ if (val >= 0)
+ v->counter = val;
+- raw_spin_unlock_irqrestore(lock, flags);
++ arch_spin_unlock(lock);
++ local_irq_restore(flags);
+ return val;
+ }
+ EXPORT_SYMBOL(generic_atomic64_dec_if_positive);
+@@ -146,14 +158,16 @@ EXPORT_SYMBOL(generic_atomic64_dec_if_po
+ s64 generic_atomic64_cmpxchg(atomic64_t *v, s64 o, s64 n)
+ {
+ unsigned long flags;
+- raw_spinlock_t *lock = lock_addr(v);
++ arch_spinlock_t *lock = lock_addr(v);
+ s64 val;
+
+- raw_spin_lock_irqsave(lock, flags);
++ local_irq_save(flags);
++ arch_spin_lock(lock);
+ val = v->counter;
+ if (val == o)
+ v->counter = n;
+- raw_spin_unlock_irqrestore(lock, flags);
++ arch_spin_unlock(lock);
++ local_irq_restore(flags);
+ return val;
+ }
+ EXPORT_SYMBOL(generic_atomic64_cmpxchg);
+@@ -161,13 +175,15 @@ EXPORT_SYMBOL(generic_atomic64_cmpxchg);
+ s64 generic_atomic64_xchg(atomic64_t *v, s64 new)
+ {
+ unsigned long flags;
+- raw_spinlock_t *lock = lock_addr(v);
++ arch_spinlock_t *lock = lock_addr(v);
+ s64 val;
+
+- raw_spin_lock_irqsave(lock, flags);
++ local_irq_save(flags);
++ arch_spin_lock(lock);
+ val = v->counter;
+ v->counter = new;
+- raw_spin_unlock_irqrestore(lock, flags);
++ arch_spin_unlock(lock);
++ local_irq_restore(flags);
+ return val;
+ }
+ EXPORT_SYMBOL(generic_atomic64_xchg);
+@@ -175,14 +191,16 @@ EXPORT_SYMBOL(generic_atomic64_xchg);
+ s64 generic_atomic64_fetch_add_unless(atomic64_t *v, s64 a, s64 u)
+ {
+ unsigned long flags;
+- raw_spinlock_t *lock = lock_addr(v);
++ arch_spinlock_t *lock = lock_addr(v);
+ s64 val;
+
+- raw_spin_lock_irqsave(lock, flags);
++ local_irq_save(flags);
++ arch_spin_lock(lock);
+ val = v->counter;
+ if (val != u)
+ v->counter += a;
+- raw_spin_unlock_irqrestore(lock, flags);
++ arch_spin_unlock(lock);
++ local_irq_restore(flags);
+
+
return val;
+ }
diff --git a/queue-6.13/blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch b/queue-6.13/blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch
new file mode 100644
index 0000000000..e404c54cd2
--- /dev/null
+++ b/queue-6.13/blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch
@@ -0,0 +1,41 @@
+From d1248436cbef1f924c04255367ff4845ccd9025e Mon Sep 17 00:00:00 2001
+From: Zijun Hu
+Date: Sun, 5 Jan 2025 16:34:03 +0800
+Subject: blk-cgroup: Fix class @block_class's subsystem refcount leakage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zijun Hu
+
+commit d1248436cbef1f924c04255367ff4845ccd9025e upstream.
+
+blkcg_fill_root_iostats() iterates over @block_class's devices by
+class_dev_iter_(init|next)(), but does not end iterating with
+class_dev_iter_exit(), so causes the class's subsystem refcount leakage.
+
+Fix by ending the iterating with class_dev_iter_exit().
+
+Fixes: ef45fe470e1e ("blk-cgroup: show global disk stats in root cgroup io.stat")
+Reviewed-by: Michal Koutný
+Cc: Greg Kroah-Hartman
+Cc: stable@vger.kernel.org
+Acked-by: Tejun Heo
+Signed-off-by: Zijun Hu
+Link: https://lore.kernel.org/r/20250105-class_fix-v6-2-3a2f1768d4d4@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/blk-cgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -1138,6 +1138,7 @@ static void blkcg_fill_root_iostats(void
+ blkg_iostat_set(&blkg->iostat.cur, &tmp);
+ u64_stats_update_end_irqrestore(&blkg->iostat.sync, flags);
+ }
++ class_dev_iter_exit(&iter);
+ }
+
+ static void blkcg_print_one_stat(struct blkcg_gq *blkg, struct seq_file *s)
diff --git a/queue-6.13/block-don-t-revert-iter-for-eiocbqueued.patch b/queue-6.13/block-don-t-revert-iter-for-eiocbqueued.patch
new file mode 100644
index 0000000000..6a92f56c68
--- /dev/null
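Review bot: The lib/atomic64.c change leaves no comment in the file saying why the lock is deliberately uninstrumented, so a later cleanup could convert it back to raw_spinlock_t and reintroduce the recursion described in the commit message. A comment above `atomic64_lock`, such as `/* arch_spinlock_t on purpose: tracing uses atomic64, so these locks must not be traced or checked by lockdep */`, would record that. Separately, every function in the inner hunks now open-codes the same four calls, and the order matters: interrupts are disabled before arch_spin_lock() and restored only after arch_spin_unlock(). A pair of small file-local helper macros wrapping `local_irq_save(flags); arch_spin_lock(lock);` and the reverse sequence would keep that ordering in one place.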
+++ b/queue-6.13/block-don-t-revert-iter-for-eiocbqueued.patch
@@ -0,0 +1,44 @@
+From b13ee668e8280ca5b07f8ce2846b9957a8a10853 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 23 Jan 2025 06:18:41 -0700
+Subject: block: don't revert iter for -EIOCBQUEUED
+
+From: Jens Axboe
+
+commit b13ee668e8280ca5b07f8ce2846b9957a8a10853 upstream.
+
+blkdev_read_iter() has a few odd checks, like gating the position and
+count adjustment on whether or not the result is bigger-than-or-equal to
+zero (where bigger than makes more sense), and not checking the return
+value of blkdev_direct_IO() before doing an iov_iter_revert(). The
+latter can lead to attempting to revert with a negative value, which
+when passed to iov_iter_revert() as an unsigned value will lead to
+throwing a WARN_ON() because unroll is bigger than MAX_RW_COUNT.
+
+Be sane and don't revert for -EIOCBQUEUED, like what is done in other
+spots.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/fops.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/block/fops.c
++++ b/block/fops.c
+@@ -758,11 +758,12 @@ static ssize_t blkdev_read_iter(struct k
+ file_accessed(iocb->ki_filp);
+
+ ret = blkdev_direct_IO(iocb, to);
+- if (ret >= 0) {
++ if (ret > 0) {
+ iocb->ki_pos += ret;
+ count -= ret;
+ }
+- iov_iter_revert(to, count - iov_iter_count(to));
++ if (ret != -EIOCBQUEUED)
++ iov_iter_revert(to, count - iov_iter_count(to));
+ if (ret < 0 || !count)
+ goto reexpand;
+ }
diff --git a/queue-6.13/dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch b/queue-6.13/dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch
new file mode 100644
index 0000000000..5c7a67d3e6
--- /dev/null
+++ b/queue-6.13/dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch
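Review bot: The two new conditions in blkdev_read_iter() (`ret > 0` and `ret != -EIOCBQUEUED`) have no comment, and the reason for skipping the revert is not obvious from the code alone. The commit message explains it: reverting in that case passes a negative value to iov_iter_revert() as unsigned and trips its WARN_ON(). I would put that next to the check, e.g. `/* do not revert a queued request: the unsigned unroll would trip WARN_ON() in iov_iter_revert() */`. The function starts and ends outside the hunk.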
@@ -0,0 +1,91 @@
+From 9fdbbdbbc92b1474a87b89f8b964892a63734492 Mon Sep 17 00:00:00 2001
+From: Hou Tao
+Date: Mon, 20 Jan 2025 16:29:49 +0800
+Subject: dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit()
+
+From: Hou Tao
+
+commit 9fdbbdbbc92b1474a87b89f8b964892a63734492 upstream.
+
+The updates of io->sector are the leftovers when dm-crypt allocated
+pages for partial write request. However, since commit cf2f1abfbd0db
+("dm crypt: don't allocate pages for a partial request"), there is no
+partial request anymore.
+
+After the introduction of write request rb-tree, the updates of
+io->sectors may interfere the insertion procedure, because ->sectors of
+these write requests which have already been added in the rb-tree may be
+changed during the insertion of new write request.
+
+Fix it by removing these buggy updates of io->sectors. Considering these
+updates only effect the write request rb-tree, the commit which
+introduces the write request rb-tree is used as the fix tag.
+
+Fixes: b3c5fd305249 ("dm crypt: sort writes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hou Tao
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-crypt.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2092,7 +2092,6 @@ static void kcryptd_crypt_write_continue
+ struct crypt_config *cc = io->cc;
+ struct convert_context *ctx = &io->ctx;
+ int crypt_finished;
+- sector_t sector = io->sector;
+ blk_status_t r;
+
+ wait_for_completion(&ctx->restart);
+@@ -2109,10 +2108,8 @@ static void kcryptd_crypt_write_continue
+ }
+
+ /* Encryption was already finished, submit io now */
+- if (crypt_finished) {
++ if (crypt_finished)
+ kcryptd_crypt_write_io_submit(io, 0);
+- io->sector = sector;
+- }
+
+ crypt_dec_pending(io);
+ }
+@@ -2123,14 +2120,13 @@ static void kcryptd_crypt_write_convert(
+ struct convert_context *ctx = &io->ctx;
+ struct bio *clone;
+ int crypt_finished;
+- sector_t sector = io->sector;
+ blk_status_t r;
+
+ /*
+ * Prevent io from disappearing until this function completes.
+ */
+ crypt_inc_pending(io);
+- crypt_convert_init(cc, ctx, NULL, io->base_bio, sector);
++ crypt_convert_init(cc, ctx, NULL, io->base_bio, io->sector);
+
+ clone = crypt_alloc_buffer(io, io->base_bio->bi_iter.bi_size);
+ if (unlikely(!clone)) {
+@@ -2147,8 +2143,6 @@ static void kcryptd_crypt_write_convert(
+ io->ctx.iter_in = clone->bi_iter;
+ }
+
+- sector += bio_sectors(clone);
+-
+ crypt_inc_pending(io);
+ r = crypt_convert(cc, ctx,
+ test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags), true);
+@@ -2172,10 +2166,8 @@ static void kcryptd_crypt_write_convert(
+ }
+
+ /* Encryption was already finished, submit io now */
+- if (crypt_finished) {
++ if (crypt_finished)
+ kcryptd_crypt_write_io_submit(io, 0);
+- io->sector = sector;
+- }
+
+ dec:
+ crypt_dec_pending(io);
diff --git a/queue-6.13/dm-crypt-track-tag_offset-in-convert_context.patch b/queue-6.13/dm-crypt-track-tag_offset-in-convert_context.patch
new file mode 100644
index 0000000000..877813efd6
--- /dev/null
+++ b/queue-6.13/dm-crypt-track-tag_offset-in-convert_context.patch
@@ -0,0 +1,96 @@
+From 8b8f8037765757861f899ed3a2bfb34525b5c065 Mon Sep 17 00:00:00 2001
+From: Hou Tao
+Date: Mon, 20 Jan 2025 16:29:51 +0800
+Subject: dm-crypt: track tag_offset in convert_context
+
+From: Hou Tao
+
+commit 8b8f8037765757861f899ed3a2bfb34525b5c065 upstream.
+
+dm-crypt uses tag_offset to index the integrity metadata for each crypt
+sector. When the initial crypt_convert() returns BLK_STS_DEV_RESOURCE,
+dm-crypt will try to continue the crypt/decrypt procedure in a kworker.
+However, it resets tag_offset as zero instead of using the tag_offset
+related with current sector. It may return unexpected data when using
+random IV or return unexpected integrity related error.
+
+Fix the problem by tracking tag_offset in per-IO convert_context.
+Therefore, when the crypt/decrypt procedure continues in a kworker, it
+could use the next tag_offset saved in convert_context.
+
+Fixes: 8abec36d1274 ("dm crypt: do not wait for backlogged crypto request completion in softirq")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hou Tao
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-crypt.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -59,6 +59,7 @@ struct convert_context {
+ struct bio *bio_out;
+ struct bvec_iter iter_out;
+ atomic_t cc_pending;
++ unsigned int tag_offset;
+ u64 cc_sector;
+ union {
+ struct skcipher_request *req;
+@@ -1256,6 +1257,7 @@ static void crypt_convert_init(struct cr
+ if (bio_out)
+ ctx->iter_out = bio_out->bi_iter;
+ ctx->cc_sector = sector + cc->iv_offset;
++ ctx->tag_offset = 0;
+ init_completion(&ctx->restart);
+ }
+
+@@ -1588,7 +1590,6 @@ static void crypt_free_req(struct crypt_
+ static blk_status_t crypt_convert(struct crypt_config *cc,
+ struct convert_context *ctx, bool atomic, bool reset_pending)
+ {
+- unsigned int tag_offset = 0;
+ unsigned int sector_step = cc->sector_size >> SECTOR_SHIFT;
+ int r;
+
+@@ -1611,9 +1612,9 @@ static blk_status_t crypt_convert(struct
+ atomic_inc(&ctx->cc_pending);
+
+ if (crypt_integrity_aead(cc))
+- r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, tag_offset);
++ r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, ctx->tag_offset);
+ else
+- r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, tag_offset);
++ r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, ctx->tag_offset);
+
+ switch (r) {
+ /*
+@@ -1633,8 +1634,8 @@ static blk_status_t crypt_convert(struct
+ * exit and continue processing in a workqueue
+ */
+ ctx->r.req = NULL;
++ ctx->tag_offset++;
+ ctx->cc_sector += sector_step;
+- tag_offset++;
+ return BLK_STS_DEV_RESOURCE;
+ }
+ } else {
+@@ -1648,8 +1649,8 @@ static blk_status_t crypt_convert(struct
+ */
+ case -EINPROGRESS:
+ ctx->r.req = NULL;
++ ctx->tag_offset++;
+ ctx->cc_sector += sector_step;
+- tag_offset++;
+ continue;
+ /*
+ * The request was already processed (synchronously).
+@@ -1657,7 +1658,7 @@ static blk_status_t crypt_convert(struct
+ case 0:
+ atomic_dec(&ctx->cc_pending);
+ ctx->cc_sector += sector_step;
+- tag_offset++;
++ ctx->tag_offset++;
+ if (!atomic)
+ cond_resched();
+ continue;
diff --git a/queue-6.13/efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch b/queue-6.13/efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch
new file mode 100644
index 0000000000..9948664c79
--- /dev/null
+++ b/queue-6.13/efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch
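Review bot: The new `tag_offset` field in struct convert_context has no comment, although its lifetime is the whole point of the fix: it is zeroed once in crypt_convert_init() and has to survive a BLK_STS_DEV_RESOURCE return so that the kworker continuation indexes the right integrity tag. A field comment such as `/* index of the next integrity tag; kept across crypt_convert() restarts */` would stop someone from resetting it at the top of crypt_convert() again. It is also worth confirming that every path that starts crypt_convert() on a fresh bio goes through crypt_convert_init() first, since a stale offset would now carry over into the AEAD/skcipher calls; those callers are outside the visible hunks.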
@@ -0,0 +1,52 @@
+From 8ba14d9f490aef9fd535c04e9e62e1169eb7a055 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Tue, 21 Jan 2025 18:11:34 -0700
+Subject: efi: libstub: Use '-std=gnu11' to fix build with GCC 15
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nathan Chancellor
+
+commit 8ba14d9f490aef9fd535c04e9e62e1169eb7a055 upstream.
+
+GCC 15 changed the default C standard version to C23, which should not
+have impacted the kernel because it requests the gnu11 standard via
+'-std=' in the main Makefile. However, the EFI libstub Makefile uses its
+own set of KBUILD_CFLAGS for x86 without a '-std=' value (i.e., using
+the default), resulting in errors from the kernel's definitions of bool,
+true, and false in stddef.h, which are reserved keywords under C23.
+
+ ./include/linux/stddef.h:11:9: error: expected identifier before ‘false’
+ 11 | false = 0,
+ ./include/linux/types.h:35:33: error: two or more data types in declaration specifiers
+ 35 | typedef _Bool bool;
+
+Set '-std=gnu11' in the x86 cflags to resolve the error and consistently
+use the same C standard version for the entire kernel. All other
+architectures reuse KBUILD_CFLAGS from the rest of the kernel, so this
+issue is not visible for them.
+
+Cc: stable@vger.kernel.org
+Reported-by: Kostadin Shishmanov
+Closes: https://lore.kernel.org/4OAhbllK7x4QJGpZjkYjtBYNLd_2whHx9oFiuZcGwtVR4hIzvduultkgfAIRZI3vQpZylu7Gl929HaYFRGeMEalWCpeMzCIIhLxxRhq4U-Y=@protonmail.com/
+Reported-by: Jakub Jelinek
+Closes: https://lore.kernel.org/Z4467umXR2PZ0M1H@tucnak/
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/efi/libstub/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/libstub/Makefile
++++ b/drivers/firmware/efi/libstub/Makefile
+@@ -11,7 +11,7 @@ cflags-y := $(KBUILD_CFLAGS)
+
+ cflags-$(CONFIG_X86_32) := -march=i386
+ cflags-$(CONFIG_X86_64) := -mcmodel=small
+-cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ \
++cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ -std=gnu11 \
+ -fPIC -fno-strict-aliasing -mno-red-zone \
+ -mno-mmx -mno-sse -fshort-wchar \
+ -Wno-pointer-sign \
diff --git a/queue-6.13/firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_get_tzmem_pool.patch b/queue-6.13/firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_get_tzmem_pool.patch
new file mode 100644
index 0000000000..33497adb4f
--- /dev/null
+++ b/queue-6.13/firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_get_tzmem_pool.patch
@@ -0,0 +1,49 @@
+From b628510397b5cafa1f5d3e848a28affd1c635302 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Mon, 9 Dec 2024 15:27:55 +0100
+Subject: firmware: qcom: scm: Fix missing read barrier in qcom_scm_get_tzmem_pool()
+
+From: Krzysztof Kozlowski
+
+commit b628510397b5cafa1f5d3e848a28affd1c635302 upstream.
+
+Commit 2e4955167ec5 ("firmware: qcom: scm: Fix __scm and waitq
+completion variable initialization") introduced a write barrier in probe
+function to store global '__scm' variable. We all known barriers are
+paired (see memory-barriers.txt: "Note that write barriers should
+normally be paired with read or address-dependency barriers"), therefore
+accessing it from concurrent contexts requires read barrier. Previous
+commit added such barrier in qcom_scm_is_available(), so let's use that
+directly.
+
+Lack of this read barrier can result in fetching stale '__scm' variable
+value, NULL, and dereferencing it.
+
+Note that barrier in qcom_scm_is_available() satisfies here the control
+dependency.
+
+Fixes: ca61d6836e6f ("firmware: qcom: scm: fix a NULL-pointer dereference")
+Fixes: 449d0d84bcd8 ("firmware: qcom: scm: smc: switch to using the SCM allocator")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20241209-qcom-scm-missing-barriers-and-all-sort-of-srap-v2-2-9061013c8d92@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qcom/qcom_scm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/qcom/qcom_scm.c
++++ b/drivers/firmware/qcom/qcom_scm.c
+@@ -217,7 +217,10 @@ static DEFINE_SPINLOCK(scm_query_lock);
+
+ struct qcom_tzmem_pool *qcom_scm_get_tzmem_pool(void)
+ {
+- return __scm ? __scm->mempool : NULL;
++ if (!qcom_scm_is_available())
++ return NULL;
++
++ return __scm->mempool;
+ }
+
+ static enum qcom_scm_convention __get_convention(void)
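Review bot: qcom_scm_get_tzmem_pool() now reads `__scm` twice, once inside qcom_scm_is_available() and again as a plain load in `return __scm->mempool;`. The ordering therefore depends entirely on how qcom_scm_is_available() loads the pointer, which this patch does not change; it only becomes an acquire load with the companion patch for qcom_scm_is_available(), so the two must be queued together and in that order. Loading the pointer once with `smp_load_acquire(&__scm)` into a local, and returning the local's `mempool` or NULL, would make this function correct on its own and drop the second read.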
diff --git a/queue-6.13/firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_is_available.patch b/queue-6.13/firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_is_available.patch
new file mode 100644
index 0000000000..ded3ab898b
--- /dev/null
+++ b/queue-6.13/firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_is_available.patch
@@ -0,0 +1,65 @@
+From 0a744cceebd0480cb39587b3b1339d66a9d14063 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Mon, 9 Dec 2024 15:27:54 +0100
+Subject: firmware: qcom: scm: Fix missing read barrier in qcom_scm_is_available()
+
+From: Krzysztof Kozlowski
+
+commit 0a744cceebd0480cb39587b3b1339d66a9d14063 upstream.
+
+Commit 2e4955167ec5 ("firmware: qcom: scm: Fix __scm and waitq
+completion variable initialization") introduced a write barrier in probe
+function to store global '__scm' variable. It also claimed that it
+added a read barrier, because as we all known barriers are paired (see
+memory-barriers.txt: "Note that write barriers should normally be paired
+with read or address-dependency barriers"), however it did not really
+add it.
+
+The offending commit used READ_ONCE() to access '__scm' global which is
+not a barrier.
+
+The barrier is needed so the store to '__scm' will be properly visible.
+This is most likely not fatal in current driver design, because missing
+read barrier would mean qcom_scm_is_available() callers will access old
+value, NULL. Driver does not support unbinding and does not correctly
+handle probe failures, thus there is no risk of stale or old pointer in
+'__scm' variable.
+
+However for code correctness, readability and to be sure that we did not
+mess up something in this tricky topic of SMP barriers, add a read
+barrier for accessing '__scm'. Change also comment from useless/obvious
+what does barrier do, to what is expected: which other parts of the code
+are involved here.
+
+Fixes: 2e4955167ec5 ("firmware: qcom: scm: Fix __scm and waitq completion variable initialization")
+Cc: stable@vger.kernel.org
+Reviewed-by: Bartosz Golaszewski
+Signed-off-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20241209-qcom-scm-missing-barriers-and-all-sort-of-srap-v2-1-9061013c8d92@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qcom/qcom_scm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/qcom/qcom_scm.c
++++ b/drivers/firmware/qcom/qcom_scm.c
+@@ -1867,7 +1867,8 @@ static int qcom_scm_qseecom_init(struct
+ */
+ bool qcom_scm_is_available(void)
+ {
+- return !!READ_ONCE(__scm);
++ /* Paired with smp_store_release() in qcom_scm_probe */
++ return !!smp_load_acquire(&__scm);
+ }
+ EXPORT_SYMBOL_GPL(qcom_scm_is_available);
+
+@@ -2024,7 +2025,7 @@ static int qcom_scm_probe(struct platfor
+ if (ret)
+ return ret;
+
+- /* Let all above stores be available after this */
++ /* Paired with smp_load_acquire() in qcom_scm_is_available(). */
+ smp_store_release(&__scm, scm);
+
+ irq = platform_get_irq_optional(pdev, 0);
diff --git a/queue-6.13/hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch b/queue-6.13/hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch
new file mode 100644
index 0000000000..87ac31bdbe
--- /dev/null
+++ b/queue-6.13/hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch
@@ -0,0 +1,84 @@ +From 8a5b38c3fd709e8acd2bfdedf66c25e6af759576 Mon Sep 17 00:00:00 2001 +From: Heiko Stuebner +Date: Thu, 7 Nov 2024 12:47:04 +0100 +Subject: HID: hid-sensor-hub: don't use stale platform-data on remove + +From: Heiko Stuebner + +commit 8a5b38c3fd709e8acd2bfdedf66c25e6af759576 upstream. + +The hid-sensor-hub creates the individual device structs and transfers them +to the created mfd platform-devices via the platform_data in the mfd_cell. + +Before e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads") +the sensor-hub was managing access centrally, with one "completion" in the +hub's data structure, which needed to be finished on removal at the latest. + +The mentioned commit then moved this central management to each hid sensor +device, resulting on a completion in each struct hid_sensor_hub_device. +The remove procedure was adapted to go through all sensor devices and +finish any pending "completion". + +What this didn't take into account was, platform_device_add_data() that is +used by mfd_add{_hotplug}_devices() does a kmemdup on the submitted +platform-data. So the data the platform-device gets is a copy of the +original data, meaning that the device worked on a different completion +than what sensor_hub_remove() currently wants to access. + +To fix that, use device_for_each_child() to go through each child-device +similar to how mfd_remove_devices() unregisters the devices later and +with that get the live platform_data to finalize the correct completion. 
+ +Fixes: e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Stuebner +Acked-by: Benjamin Tissoires +Acked-by: Srinivas Pandruvada +Acked-by: Jiri Kosina +Link: https://lore.kernel.org/r/20241107114712.538976-2-heiko@sntech.de +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-sensor-hub.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -730,23 +730,30 @@ err_stop_hw: + return ret; + } + ++static int sensor_hub_finalize_pending_fn(struct device *dev, void *data) ++{ ++ struct hid_sensor_hub_device *hsdev = dev->platform_data; ++ ++ if (hsdev->pending.status) ++ complete(&hsdev->pending.ready); ++ ++ return 0; ++} ++ + static void sensor_hub_remove(struct hid_device *hdev) + { + struct sensor_hub_data *data = hid_get_drvdata(hdev); + unsigned long flags; +- int i; + + hid_dbg(hdev, " hardware removed\n"); + hid_hw_close(hdev); + hid_hw_stop(hdev); ++ + spin_lock_irqsave(&data->lock, flags); +- for (i = 0; i < data->hid_sensor_client_cnt; ++i) { +- struct hid_sensor_hub_device *hsdev = +- data->hid_sensor_hub_client_devs[i].platform_data; +- if (hsdev->pending.status) +- complete(&hsdev->pending.ready); +- } ++ device_for_each_child(&hdev->dev, NULL, ++ sensor_hub_finalize_pending_fn); + spin_unlock_irqrestore(&data->lock, flags); ++ + mfd_remove_devices(&hdev->dev); + mutex_destroy(&data->mutex); + } diff --git a/queue-6.13/input-bbnsm_pwrkey-add-remove-hook.patch b/queue-6.13/input-bbnsm_pwrkey-add-remove-hook.patch new file mode 100644 index 0000000000..20b36bf399 --- /dev/null +++ b/queue-6.13/input-bbnsm_pwrkey-add-remove-hook.patch 
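Review bot: `sensor_hub_finalize_pending_fn()` dereferences `dev->platform_data` for every child of `&hdev->dev` without checking it, whereas the removed loop only visited the driver's own `hid_sensor_hub_client_devs[]` entries. If a child without platform data is still registered at that point, `hsdev` is NULL and the read of `hsdev->pending.status` faults; whether such a child can exist after `hid_hw_stop()` is not visible in this hunk. A guard makes the callback safe either way: `if (hsdev && hsdev->pending.status)`. A one-line comment on the callback saying it uses the child's live copy of the platform data would keep the reason for the indirection next to the code.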
@@ -0,0 +1,49 @@ +From 55b75306c3edf369285ce22ba1ced45e335094c2 Mon Sep 17 00:00:00 2001 +From: Peng Fan +Date: Thu, 12 Dec 2024 11:03:22 +0800 +Subject: Input: bbnsm_pwrkey - add remove hook + +From: Peng Fan + +commit 55b75306c3edf369285ce22ba1ced45e335094c2 upstream. + +Without remove hook to clear wake irq, there will be kernel dump when +doing module test. +"bbnsm_pwrkey 44440000.bbnsm:pwrkey: wake irq already initialized" + +Add remove hook to clear wake irq and set wakeup to false. + +Signed-off-by: Peng Fan +Fixes: 40e40fdfec3f ("Input: bbnsm_pwrkey - add bbnsm power key support") +Link: https://lore.kernel.org/r/20241212030322.3110017-1-peng.fan@oss.nxp.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/nxp-bbnsm-pwrkey.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/input/misc/nxp-bbnsm-pwrkey.c ++++ b/drivers/input/misc/nxp-bbnsm-pwrkey.c +@@ -187,6 +187,12 @@ static int bbnsm_pwrkey_probe(struct pla + return 0; + } + ++static void bbnsm_pwrkey_remove(struct platform_device *pdev) ++{ ++ dev_pm_clear_wake_irq(&pdev->dev); ++ device_init_wakeup(&pdev->dev, false); ++} ++ + static int __maybe_unused bbnsm_pwrkey_suspend(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); +@@ -223,6 +229,8 @@ static struct platform_driver bbnsm_pwrk + .of_match_table = bbnsm_pwrkey_ids, + }, + .probe = bbnsm_pwrkey_probe, ++ .remove = bbnsm_pwrkey_remove, ++ + }; + module_platform_driver(bbnsm_pwrkey_driver); + diff --git a/queue-6.13/kbuild-move-wenum-enum-conversion-to-w-2.patch b/queue-6.13/kbuild-move-wenum-enum-conversion-to-w-2.patch new file mode 100644 index 0000000000..f26dd0ec73 --- /dev/null +++ b/queue-6.13/kbuild-move-wenum-enum-conversion-to-w-2.patch 
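Review bot: The blank line added after `.remove = bbnsm_pwrkey_remove,` inside the `bbnsm_pwrkey_driver` initializer is stray and should be dropped so the initializer closes directly after its last member. `bbnsm_pwrkey_remove()` would also read better with a short comment saying that it undoes the wake-irq and wakeup setup done in probe, since the probe body is outside this hunk.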
@@ -0,0 +1,61 @@ +From 8f6629c004b193d23612641c3607e785819e97ab Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 17 Oct 2024 10:09:22 -0700 +Subject: kbuild: Move -Wenum-enum-conversion to W=2 + +From: Nathan Chancellor + +commit 8f6629c004b193d23612641c3607e785819e97ab upstream. + +-Wenum-enum-conversion was strengthened in clang-19 to warn for C, which +caused the kernel to move it to W=1 in commit 75b5ab134bb5 ("kbuild: +Move -Wenum-{compare-conditional,enum-conversion} into W=1") because +there were numerous instances that would break builds with -Werror. +Unfortunately, this is not a full solution, as more and more developers, +subsystems, and distributors are building with W=1 as well, so they +continue to see the numerous instances of this warning. + +Since the move to W=1, there have not been many new instances that have +appeared through various build reports and the ones that have appeared +seem to be following similar existing patterns, suggesting that most +instances of this warning will not be real issues. The only alternatives +for silencing this warning are adding casts (which is generally seen as +an ugly practice) or refactoring the enums to macro defines or a unified +enum (which may be undesirable because of type safety in other parts of +the code). + +Move the warning to W=2, where warnings that occur frequently but may be +relevant should reside. 
+ +Cc: stable@vger.kernel.org +Fixes: 75b5ab134bb5 ("kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1") +Link: https://lore.kernel.org/ZwRA9SOcOjjLJcpi@google.com/ +Signed-off-by: Nathan Chancellor +Acked-by: Arnd Bergmann +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Makefile.extrawarn | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/scripts/Makefile.extrawarn ++++ b/scripts/Makefile.extrawarn +@@ -130,7 +130,6 @@ KBUILD_CFLAGS += $(call cc-disable-warni + KBUILD_CFLAGS += -Wno-tautological-constant-out-of-range-compare + KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access) + KBUILD_CFLAGS += -Wno-enum-compare-conditional +-KBUILD_CFLAGS += -Wno-enum-enum-conversion + endif + + endif +@@ -154,6 +153,10 @@ KBUILD_CFLAGS += -Wno-missing-field-init + KBUILD_CFLAGS += -Wno-type-limits + KBUILD_CFLAGS += -Wno-shift-negative-value + ++ifdef CONFIG_CC_IS_CLANG ++KBUILD_CFLAGS += -Wno-enum-enum-conversion ++endif ++ + ifdef CONFIG_CC_IS_GCC + KBUILD_CFLAGS += -Wno-maybe-uninitialized + endif diff --git a/queue-6.13/kvm-x86-mmu-ensure-nx-huge-page-recovery-thread-is-alive-before-waking.patch b/queue-6.13/kvm-x86-mmu-ensure-nx-huge-page-recovery-thread-is-alive-before-waking.patch new file mode 100644 index 0000000000..0a86e58acb --- /dev/null +++ b/queue-6.13/kvm-x86-mmu-ensure-nx-huge-page-recovery-thread-is-alive-before-waking.patch 
@@ -0,0 +1,111 @@ +From 43fb96ae78551d7bfa4ecca956b258f085d67c40 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 24 Jan 2025 15:46:23 -0800 +Subject: KVM: x86/mmu: Ensure NX huge page recovery thread is alive before waking + +From: Sean Christopherson + +commit 43fb96ae78551d7bfa4ecca956b258f085d67c40 upstream. + +When waking a VM's NX huge page recovery thread, ensure the thread is +actually alive before trying to wake it. Now that the thread is spawned +on-demand during KVM_RUN, a VM without a recovery thread is reachable via +the related module params. + + BUG: kernel NULL pointer dereference, address: 0000000000000040 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:vhost_task_wake+0x5/0x10 + Call Trace: + + set_nx_huge_pages+0xcc/0x1e0 [kvm] + param_attr_store+0x8a/0xd0 + module_attr_store+0x1a/0x30 + kernfs_fop_write_iter+0x12f/0x1e0 + vfs_write+0x233/0x3e0 + ksys_write+0x60/0xd0 + do_syscall_64+0x5b/0x160 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + RIP: 0033:0x7f3b52710104 + + Modules linked in: kvm_intel kvm + CR2: 0000000000000040 + +Fixes: 931656b9e2ff ("kvm: defer huge page recovery vhost task to later") +Cc: stable@vger.kernel.org +Cc: Keith Busch +Signed-off-by: Sean Christopherson +Message-ID: <20250124234623.3609069-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu/mmu.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -7090,6 +7090,19 @@ static void mmu_destroy_caches(void) + kmem_cache_destroy(mmu_page_header_cache); + } + ++static void kvm_wake_nx_recovery_thread(struct kvm *kvm) ++{ ++ /* ++ * The NX recovery thread is spawned on-demand at the first KVM_RUN and ++ * may not be valid even though the VM is globally visible. 
Do nothing, ++ * as such a VM can't have any possible NX huge pages. ++ */ ++ struct vhost_task *nx_thread = READ_ONCE(kvm->arch.nx_huge_page_recovery_thread); ++ ++ if (nx_thread) ++ vhost_task_wake(nx_thread); ++} ++ + static int get_nx_huge_pages(char *buffer, const struct kernel_param *kp) + { + if (nx_hugepage_mitigation_hard_disabled) +@@ -7150,7 +7163,7 @@ static int set_nx_huge_pages(const char + kvm_mmu_zap_all_fast(kvm); + mutex_unlock(&kvm->slots_lock); + +- vhost_task_wake(kvm->arch.nx_huge_page_recovery_thread); ++ kvm_wake_nx_recovery_thread(kvm); + } + mutex_unlock(&kvm_lock); + } +@@ -7279,7 +7292,7 @@ static int set_nx_huge_pages_recovery_pa + mutex_lock(&kvm_lock); + + list_for_each_entry(kvm, &vm_list, vm_list) +- vhost_task_wake(kvm->arch.nx_huge_page_recovery_thread); ++ kvm_wake_nx_recovery_thread(kvm); + + mutex_unlock(&kvm_lock); + } +@@ -7415,14 +7428,20 @@ static void kvm_mmu_start_lpage_recovery + { + struct kvm_arch *ka = container_of(once, struct kvm_arch, nx_once); + struct kvm *kvm = container_of(ka, struct kvm, arch); ++ struct vhost_task *nx_thread; + + kvm->arch.nx_huge_page_last = get_jiffies_64(); +- kvm->arch.nx_huge_page_recovery_thread = vhost_task_create( +- kvm_nx_huge_page_recovery_worker, kvm_nx_huge_page_recovery_worker_kill, +- kvm, "kvm-nx-lpage-recovery"); ++ nx_thread = vhost_task_create(kvm_nx_huge_page_recovery_worker, ++ kvm_nx_huge_page_recovery_worker_kill, ++ kvm, "kvm-nx-lpage-recovery"); ++ ++ if (!nx_thread) ++ return; ++ ++ vhost_task_start(nx_thread); + +- if (kvm->arch.nx_huge_page_recovery_thread) +- vhost_task_start(kvm->arch.nx_huge_page_recovery_thread); ++ /* Make the task visible only once it is fully started. */ ++ WRITE_ONCE(kvm->arch.nx_huge_page_recovery_thread, nx_thread); + } + + int kvm_mmu_post_init_vm(struct kvm *kvm) 
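Review bot: The pointer `kvm->arch.nx_huge_page_recovery_thread` is published with a plain `WRITE_ONCE()` in kvm_mmu_start_lpage_recovery() and consumed with `READ_ONCE()` in kvm_wake_nx_recovery_thread(), which prevent tearing but are not release/acquire barriers. The comment "Make the task visible only once it is fully started" therefore depends on x86's strong store ordering rather than on anything the code states. That holds in practice for arch/x86 code, but the intent would be explicit with `smp_store_release(&kvm->arch.nx_huge_page_recovery_thread, nx_thread);` or with a comment naming the ordering assumption. The early `return` when `vhost_task_create()` fails is silent in this function; whether the caller reports the failure is outside the hunk.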
diff --git a/queue-6.13/loongarch-extend-the-maximum-number-of-watchpoints.patch b/queue-6.13/loongarch-extend-the-maximum-number-of-watchpoints.patch
new file mode 100644
index 0000000000..19aa4a0b81
--- /dev/null
+++ b/queue-6.13/loongarch-extend-the-maximum-number-of-watchpoints.patch
@@ -0,0 +1,108 @@ +From 531936dee53e471a3ec668de3c94ca357f54b7e8 Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang +Date: Sun, 26 Jan 2025 21:49:59 +0800 +Subject: LoongArch: Extend the maximum number of watchpoints + +From: Tiezhu Yang + +commit 531936dee53e471a3ec668de3c94ca357f54b7e8 upstream. + +The maximum number of load/store watchpoints and fetch instruction +watchpoints is 14 each according to LoongArch Reference Manual, so +extend the maximum number of watchpoints from 8 to 14 for ptrace. + +By the way, just simply change 8 to 14 for the definition in struct +user_watch_state at the beginning, but it may corrupt uapi, then add +a new struct user_watch_state_v2 directly. + +As far as I can tell, the only users for this struct in the userspace +are GDB and LLDB, there are no any problems of software compatibility +between the application and kernel according to the analysis. + +The compatibility problem has been considered while developing and +testing. When the applications in the userspace get watchpoint state, +the length will be specified which is no bigger than the sizeof struct +user_watch_state or user_watch_state_v2, the actual length is assigned +as the minimal value of the application and kernel in the generic code +of ptrace: + +kernel/ptrace.c: ptrace_regset(): + + kiov->iov_len = min(kiov->iov_len, + (__kernel_size_t) (regset->n * regset->size)); + + if (req == PTRACE_GETREGSET) + return copy_regset_to_user(task, view, regset_no, 0, + kiov->iov_len, kiov->iov_base); + else + return copy_regset_from_user(task, view, regset_no, 0, + kiov->iov_len, kiov->iov_base); + +For example, there are four kind of combinations, all of them work well. + +(1) "older kernel + older gdb", the actual length is 8+(8+8+4+4)*8=200; +(2) "newer kernel + newer gdb", the actual length is 8+(8+8+4+4)*14=344; +(3) "older kernel + newer gdb", the actual length is 8+(8+8+4+4)*8=200; +(4) "newer kernel + older gdb", the actual length is 8+(8+8+4+4)*8=200. 
+ +Link: https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints +Cc: stable@vger.kernel.org +Fixes: 1a69f7a161a7 ("LoongArch: ptrace: Expose hardware breakpoints to debuggers") +Reviewed-by: WANG Xuerui +Reviewed-by: Xi Ruoyao +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/uapi/asm/ptrace.h | 10 ++++++++++ + arch/loongarch/kernel/ptrace.c | 6 +++--- + 2 files changed, 13 insertions(+), 3 deletions(-) + +--- a/arch/loongarch/include/uapi/asm/ptrace.h ++++ b/arch/loongarch/include/uapi/asm/ptrace.h +@@ -72,6 +72,16 @@ struct user_watch_state { + } dbg_regs[8]; + }; + ++struct user_watch_state_v2 { ++ uint64_t dbg_info; ++ struct { ++ uint64_t addr; ++ uint64_t mask; ++ uint32_t ctrl; ++ uint32_t pad; ++ } dbg_regs[14]; ++}; ++ + #define PTRACE_SYSEMU 0x1f + #define PTRACE_SYSEMU_SINGLESTEP 0x20 + +--- a/arch/loongarch/kernel/ptrace.c ++++ b/arch/loongarch/kernel/ptrace.c +@@ -720,7 +720,7 @@ static int hw_break_set(struct task_stru + unsigned int note_type = regset->core_note_type; + + /* Resource info */ +- offset = offsetof(struct user_watch_state, dbg_regs); ++ offset = offsetof(struct user_watch_state_v2, dbg_regs); + user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, 0, offset); + + /* (address, mask, ctrl) registers */ +@@ -920,7 +920,7 @@ static const struct user_regset loongarc + #ifdef CONFIG_HAVE_HW_BREAKPOINT + [REGSET_HW_BREAK] = { + .core_note_type = NT_LOONGARCH_HW_BREAK, +- .n = sizeof(struct user_watch_state) / sizeof(u32), ++ .n = sizeof(struct user_watch_state_v2) / sizeof(u32), + .size = sizeof(u32), + .align = sizeof(u32), + .regset_get = hw_break_get, +@@ -928,7 +928,7 @@ static const struct user_regset loongarc + }, + [REGSET_HW_WATCH] = { + .core_note_type = NT_LOONGARCH_HW_WATCH, +- .n = sizeof(struct user_watch_state) / sizeof(u32), ++ .n = sizeof(struct user_watch_state_v2) / sizeof(u32), + .size 
= sizeof(u32), + .align = sizeof(u32), + .regset_get = hw_break_get, diff --git a/queue-6.13/mips-loongson64-remove-rom-size-unit-in-boardinfo.patch b/queue-6.13/mips-loongson64-remove-rom-size-unit-in-boardinfo.patch new file mode 100644 index 0000000000..7e64e0d200 --- /dev/null +++ b/queue-6.13/mips-loongson64-remove-rom-size-unit-in-boardinfo.patch @@ -0,0 +1,48 @@ +From bd2212d658d7659b9d83c7e2f3a06789d4db1e90 Mon Sep 17 00:00:00 2001 +From: Kexy Biscuit +Date: Sat, 11 Jan 2025 01:22:08 +0800 +Subject: MIPS: Loongson64: remove ROM Size unit in boardinfo +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kexy Biscuit + +commit bd2212d658d7659b9d83c7e2f3a06789d4db1e90 upstream. + +Per Appendix A.7 in Q/LS 0013-2014 (龙芯CPU开发系统固件与内核接口规范 V2.2, +lit. Loongson DevSys Firmware Kernel Interface Specification V2.2), +interface_info.size is size of this interface, not size of the LEFI BIOS +ROM. + +In any case, the BIOS ROM Size just cannot be several kilobytes (KB) on +Loongson64 LEFI platforms. + +Reported-by: Mingcong Bai +Suggested-by: Icenowy Zheng +Fixes: 6c1bfbd9df8c ("MIPS: Loongson64: Add /sys/firmware/lefi/boardinfo") +Cc: stable@vger.kernel.org +Signed-off-by: Kexy Biscuit +Acked-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/loongson64/boardinfo.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/mips/loongson64/boardinfo.c ++++ b/arch/mips/loongson64/boardinfo.c +@@ -21,13 +21,11 @@ static ssize_t boardinfo_show(struct kob + "BIOS Info\n" + "Vendor\t\t\t: %s\n" + "Version\t\t\t: %s\n" +- "ROM Size\t\t: %d KB\n" + "Release Date\t\t: %s\n", + strsep(&tmp_board_manufacturer, "-"), + eboard->name, + strsep(&tmp_bios_vendor, "-"), + einter->description, +- einter->size, + especial->special_name); + } + static struct kobj_attribute boardinfo_attr = __ATTR(boardinfo, 0444, 
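Review bot: `struct user_watch_state_v2` is added to the uapi header with no comment explaining how it relates to `struct user_watch_state`, and both hard-code their array length (`dbg_regs[8]`, `dbg_regs[14]`). I would add a comment above the new struct, e.g. `/* v2: layout of user_watch_state extended to the architectural maximum of 14 watchpoints */`, so userspace authors know which structure to size their buffers for. The regset `.n` for REGSET_HW_BREAK and REGSET_HW_WATCH now covers 14 entries, so hw_break_get() and hw_break_set() should be checked to confirm they bound their loops by the number of implemented watchpoints. Their bodies are outside these hunks; the concern is that slots beyond that count are neither copied out from unset state nor accepted from userspace.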
diff --git a/queue-6.13/mips-math-emu-fix-emulation-of-the-prefx-instruction.patch b/queue-6.13/mips-math-emu-fix-emulation-of-the-prefx-instruction.patch
new file mode 100644
index 0000000000..1d82cdfdee
--- /dev/null
+++ b/queue-6.13/mips-math-emu-fix-emulation-of-the-prefx-instruction.patch
@@ -0,0 +1,90 @@ +From 42a39e4aa59a10aa4afdc14194f3ee63d2db94e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mateusz=20Jo=C5=84czyk?= +Date: Sun, 5 Jan 2025 22:18:06 +0100 +Subject: mips/math-emu: fix emulation of the prefx instruction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mateusz Jończyk + +commit 42a39e4aa59a10aa4afdc14194f3ee63d2db94e1 upstream. + +Currently, installation of Debian 12.8 for mipsel fails on machines +without an FPU [1]. This is caused by the fact that zstd (which is used +for initramfs compression) executes the prefx instruction, which is not +emulated properly by the kernel. + +The prefx (Prefetch Indexed) instruction fetches data from memory into +the cache without any side effects. Though functionally unrelated, it +requires an FPU [2]. + +Bytecode format of this instruction ends on "001111" binary: + + (prefx instruction format) & 0x0000003f = 0x0000000f + +The code in fpux_emu() runs like so: + + #define MIPSInst(x) x + #define MIPSInst_FMA_FFMT(x) (MIPSInst(x) & 0x00000007) + #define MIPSInst_FUNC(x) (MIPSInst(x) & 0x0000003f) + enum cop1x_func { ..., pfetch_op = 0x0f, ... }; + + ... + + switch (MIPSInst_FMA_FFMT(ir)) { + ... + + case 0x3: + if (MIPSInst_FUNC(ir) != pfetch_op) + return SIGILL; + + /* ignore prefx operation */ + break; + + default: + return SIGILL; + } + +That snippet above contains a logic error and the + if (MIPSInst_FUNC(ir) != pfetch_op) +comparison always fires. + +When MIPSInst_FUNC(ir) is equal to pfetch_op, ir must end on 001111 +binary. In this case, MIPSInst_FMA_FFMT(ir) must be equal to 0x7, which +does not match that case label. + +This causes emulation failure for the prefx instruction. Fix it. + +This has been broken by +commit 919af8b96c89 ("MIPS: Make definitions of MIPSInst_FMA_{FUNC,FMTM} consistent with MIPS64 manual") +which modified the MIPSInst_FMA_FFMT macro without updating the users. 
+ +Signed-off-by: Mateusz Jończyk +Cc: stable@vger.kernel.org # after 3 weeks +Cc: Dengcheng Zhu +Cc: Thomas Bogendoerfer +Cc: Ming Wang +Cc: Tiezhu Yang +Fixes: 919af8b96c89 ("MIPS: Make definitions of MIPSInst_FMA_{FUNC,FMTM} consistent with MIPS64 manual") +Signed-off-by: Greg Kroah-Hartman + +[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091858 +[2] MIPS Architecture For Programmers Volume II-A: The MIPS32 Instruction Set + +Signed-off-by: Thomas Bogendoerfer +--- + arch/mips/math-emu/cp1emu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/math-emu/cp1emu.c ++++ b/arch/mips/math-emu/cp1emu.c +@@ -1660,7 +1660,7 @@ static int fpux_emu(struct pt_regs *xcp, + break; + } + +- case 0x3: ++ case 0x7: + if (MIPSInst_FUNC(ir) != pfetch_op) + return SIGILL; + diff --git a/queue-6.13/mips-pci-legacy-override-pci_address_to_pio.patch b/queue-6.13/mips-pci-legacy-override-pci_address_to_pio.patch new file mode 100644 index 0000000000..aacb43ca11 --- /dev/null +++ b/queue-6.13/mips-pci-legacy-override-pci_address_to_pio.patch 
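Review bot: `case 0x7:` is a bare constant whose correctness depends on the mask inside `MIPSInst_FMA_FFMT()`, which is the same coupling that broke when that macro was changed without updating this switch. A comment tying the label to the opcode would keep the two from drifting apart again, e.g. `case 0x7: /* pfetch_op & 0x7: low three bits of the prefx function field */`. The `switch` statement and the rest of fpux_emu() lie outside the hunk.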
@@ -0,0 +1,47 @@ +From df1b8d6e89db0edd572a1e375f5d3dd5575b9a9b Mon Sep 17 00:00:00 2001 +From: Jiaxun Yang +Date: Tue, 14 Jan 2025 18:11:58 +0000 +Subject: MIPS: pci-legacy: Override pci_address_to_pio +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiaxun Yang + +commit df1b8d6e89db0edd572a1e375f5d3dd5575b9a9b upstream. + +pci-legacy systems are not using logic_pio to managed PIO +allocations, thus the generic pci_address_to_pio won't work +when PCI_IOBASE is defined. + +Override the function to use architecture implementation to +fix the problem. + +Cc: stable@vger.kernel.org +Fixes: 4bfb53e7d317 ("mips: add including") +Reported-by: Mateusz Jończyk +Closes: https://lore.kernel.org/r/99f75c66-4c2d-45dc-a808-b5ba440c7551@app.fastmail.com/ +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/pci/pci-legacy.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/mips/pci/pci-legacy.c ++++ b/arch/mips/pci/pci-legacy.c +@@ -29,6 +29,14 @@ static LIST_HEAD(controllers); + + static int pci_initialized; + ++unsigned long pci_address_to_pio(phys_addr_t address) ++{ ++ if (address > IO_SPACE_LIMIT) ++ return (unsigned long)-1; ++ ++ return (unsigned long) address; ++} ++ + /* + * We need to avoid collisions with `mirrored' VGA ports + * and other strange ISA hardware, so we always want the diff --git a/queue-6.13/nvme-pci-add-tuxedo-ibp-gen9-to-samsung-sleep-quirk.patch b/queue-6.13/nvme-pci-add-tuxedo-ibp-gen9-to-samsung-sleep-quirk.patch new file mode 100644 index 0000000000..4fd2d9d2ab --- /dev/null +++ b/queue-6.13/nvme-pci-add-tuxedo-ibp-gen9-to-samsung-sleep-quirk.patch 
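Review bot: The new `pci_address_to_pio()` has no comment saying that it overrides the generic implementation, that it maps an address to the same-numbered port, or that `(unsigned long)-1` is its failure value. Something like `/* pci-legacy does not use logic_pio: ports map 1:1, (unsigned long)-1 means out of range */` above the function would tell callers what to check for. The two casts are also spaced differently (`(unsigned long)-1` and `(unsigned long) address`); `(unsigned long)address` would match the first.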
@@ -0,0 +1,35 @@ +From 11cb3529d18514f7d28ad2190533192aedefd761 Mon Sep 17 00:00:00 2001 +From: Georg Gottleuber +Date: Mon, 16 Dec 2024 23:28:04 +0100 +Subject: nvme-pci: Add TUXEDO IBP Gen9 to Samsung sleep quirk + +From: Georg Gottleuber + +commit 11cb3529d18514f7d28ad2190533192aedefd761 upstream. + +On the TUXEDO InfinityBook Pro Gen9 Intel, a Samsung 990 Evo NVMe leads to +a high power consumption in s2idle sleep (4 watts). + +This patch applies 'Force No Simple Suspend' quirk to achieve a sleep with +a lower power consumption, typically around 1.2 watts. + +Signed-off-by: Georg Gottleuber +Cc: stable@vger.kernel.org +Signed-off-by: Werner Sembach +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3150,6 +3150,7 @@ static unsigned long check_vendor_combin + */ + if (dmi_match(DMI_BOARD_NAME, "DN50Z-140HC-YD") || + dmi_match(DMI_BOARD_NAME, "GMxPXxx") || ++ dmi_match(DMI_BOARD_NAME, "GXxMRXx") || + dmi_match(DMI_BOARD_NAME, "PH4PG31") || + dmi_match(DMI_BOARD_NAME, "PH4PRX1_PH6PRX1") || + dmi_match(DMI_BOARD_NAME, "PH6PG01_PH6PG71")) diff --git a/queue-6.13/nvme-pci-add-tuxedo-infinityflex-to-samsung-sleep-quirk.patch b/queue-6.13/nvme-pci-add-tuxedo-infinityflex-to-samsung-sleep-quirk.patch new file mode 100644 index 0000000000..9597679eaf --- /dev/null +++ b/queue-6.13/nvme-pci-add-tuxedo-infinityflex-to-samsung-sleep-quirk.patch 
@@ -0,0 +1,37 @@ +From dbf2bb1a1319b7c7d8828905378a6696cca6b0f2 Mon Sep 17 00:00:00 2001 +From: Georg Gottleuber +Date: Mon, 16 Dec 2024 23:28:03 +0100 +Subject: nvme-pci: Add TUXEDO InfinityFlex to Samsung sleep quirk + +From: Georg Gottleuber + +commit dbf2bb1a1319b7c7d8828905378a6696cca6b0f2 upstream. + +On the TUXEDO InfinityFlex, a Samsung 990 Evo NVMe leads to a high power +consumption in s2idle sleep (4 watts). + +This patch applies 'Force No Simple Suspend' quirk to achieve a sleep with +a lower power consumption, typically around 1.4 watts. + +Signed-off-by: Georg Gottleuber +Cc: stable@vger.kernel.org +Signed-off-by: Werner Sembach +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3148,7 +3148,8 @@ static unsigned long check_vendor_combin + * because of high power consumption (> 2 Watt) in s2idle + * sleep. Only some boards with Intel CPU are affected. + */ +- if (dmi_match(DMI_BOARD_NAME, "GMxPXxx") || ++ if (dmi_match(DMI_BOARD_NAME, "DN50Z-140HC-YD") || ++ dmi_match(DMI_BOARD_NAME, "GMxPXxx") || + dmi_match(DMI_BOARD_NAME, "PH4PG31") || + dmi_match(DMI_BOARD_NAME, "PH4PRX1_PH6PRX1") || + dmi_match(DMI_BOARD_NAME, "PH6PG01_PH6PG71")) diff --git a/queue-6.13/of-address-fix-empty-resource-handling-in-__of_address_resource_bounds.patch b/queue-6.13/of-address-fix-empty-resource-handling-in-__of_address_resource_bounds.patch new file mode 100644 index 0000000000..ea7dc6aef6 --- /dev/null +++ b/queue-6.13/of-address-fix-empty-resource-handling-in-__of_address_resource_bounds.patch 
@@ -0,0 +1,55 @@ +From 15e2f65f2ecfeb8e39315522e2b5cfdc5651fc10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Mon, 20 Jan 2025 15:09:40 +0100 +Subject: of: address: Fix empty resource handling in __of_address_resource_bounds() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 15e2f65f2ecfeb8e39315522e2b5cfdc5651fc10 upstream. + +"resource->end" needs to always be equal to "resource->start + size - 1". +The previous version of the function did not perform the "- 1" in case +of an empty resource. + +Also make sure to allow an empty resource at address 0. + +Reported-by: Basharath Hussain Khaja +Closes: https://lore.kernel.org/lkml/20250108140414.13530-1-basharath@couthit.com/ +Fixes: 1a52a094c2f0 ("of: address: Unify resource bounds overflow checking") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20250120-of-address-overflow-v1-1-dd68dbf47bce@linutronix.de +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/address.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -200,17 +200,15 @@ static u64 of_bus_pci_map(__be32 *addr, + + static int __of_address_resource_bounds(struct resource *r, u64 start, u64 size) + { +- u64 end = start; +- + if (overflows_type(start, r->start)) + return -EOVERFLOW; +- if (size && check_add_overflow(end, size - 1, &end)) +- return -EOVERFLOW; +- if (overflows_type(end, r->end)) +- return -EOVERFLOW; + + r->start = start; +- r->end = end; ++ ++ if (!size) ++ r->end = wrapping_sub(typeof(r->end), r->start, 1); ++ else if (size && check_add_overflow(r->start, size - 1, &r->end)) ++ return -EOVERFLOW; + + return 0; + } 
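Review bot: `r->start` is assigned before the end computation is validated, so when `check_add_overflow()` fails the function returns -EOVERFLOW with `r->start` already overwritten and `r->end` holding the wrapped sum, whereas the removed code left `*r` untouched on every error path. Callers are outside the hunk, so whether any of them reads `r` after a failure cannot be confirmed here; computing the end into a local and storing both fields only on success would restore the old guarantee. Separately, the `size &&` test in the `else if` is always true in that branch and can go: `else if (check_add_overflow(r->start, size - 1, &r->end))`.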
diff --git a/queue-6.13/of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch b/queue-6.13/of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch
new file mode 100644
index 0000000000..78b35b2513
--- /dev/null
+++ b/queue-6.13/of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch
@@ -0,0 +1,50 @@ +From e4c00c9b1f70cd11792ff5b825899a6ee0234a62 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Thu, 9 Jan 2025 21:26:52 +0800 +Subject: of: Correct child specifier used as input of the 2nd nexus node + +From: Zijun Hu + +commit e4c00c9b1f70cd11792ff5b825899a6ee0234a62 upstream. + +API of_parse_phandle_with_args_map() will use wrong input for nexus node +Nexus_2 as shown below: + + Node_1 Nexus_1 Nexus_2 +&Nexus_1,arg_1 -> arg_1,&Nexus_2,arg_2' -> &Nexus_2,arg_2 -> arg_2,... + map-pass-thru=<...> + +Nexus_1's output arg_2 should be used as input of Nexus_2, but the API +wrongly uses arg_2' instead which != arg_2 due to Nexus_1's map-pass-thru. + +Fix by always making @match_array point to @initial_match_array into +which to store nexus output. + +Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-1-db8a72415b8c@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1546,7 +1546,6 @@ int of_parse_phandle_with_args_map(const + * specifier into the out_args structure, keeping the + * bits specified in -map-pass-thru. + */ +- match_array = map - new_size; + for (i = 0; i < new_size; i++) { + __be32 val = *(map - new_size + i); + +@@ -1555,6 +1554,7 @@ int of_parse_phandle_with_args_map(const + val |= cpu_to_be32(out_args->args[i]) & pass[i]; + } + ++ initial_match_array[i] = val; + out_args->args[i] = be32_to_cpu(val); + } + out_args->args_count = list_size = new_size; diff --git a/queue-6.13/of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch b/queue-6.13/of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch new file mode 100644 index 0000000000..c245afd77d --- /dev/null 
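Review bot: The added `initial_match_array[i] = val;` writes one element per iteration up to `new_size`, and nothing in this hunk shows that `new_size` is bounded by the size of `initial_match_array`. `new_size` appears to come from device-tree data, so the bound has to be enforced earlier in `of_parse_phandle_with_args_map()`, whose body starts and ends outside the hunk. It is worth confirming that the existing check covers this new store as well as `out_args->args[i]`, and recording it next to the write, e.g. `/* i < new_size, which is bounded by the array size checked above */`.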
+++ b/queue-6.13/of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch @@ -0,0 +1,52 @@ +From b9e58c934c56aa35b0fb436d9afd86ef326bae0e Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Mon, 16 Dec 2024 08:40:40 +0800 +Subject: of: Fix of_find_node_opts_by_path() handling of alias+path+options + +From: Zijun Hu + +commit b9e58c934c56aa35b0fb436d9afd86ef326bae0e upstream. + +of_find_node_opts_by_path() fails to find OF device node when its +@path parameter have pattern below: + +"alias-name/node-name-1/.../node-name-N:options". + +The reason is that alias name length calculated by the API is wrong, as +explained by example below: + +"testcase-alias/phandle-tests/consumer-a:testaliasoption". + ^ ^ ^ + 0 14 39 + +The right length of alias 'testcase-alias' is 14, but the result worked +out by the API is 39 which is obvious wrong. + +Fix by using index of either '/' or ':' as the length who comes earlier. + +Fixes: 75c28c09af99 ("of: add optional options parameter to of_find_node_by_path()") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20241216-of_core_fix-v2-1-e69b8f60da63@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -894,10 +894,10 @@ struct device_node *of_find_node_opts_by + /* The path could begin with an alias */ + if (*path != '/') { + int len; +- const char *p = separator; ++ const char *p = strchrnul(path, '/'); + +- if (!p) +- p = strchrnul(path, '/'); ++ if (separator && separator < p) ++ p = separator; + len = p - path; + + /* of_aliases must not be NULL */ diff --git a/queue-6.13/of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch b/queue-6.13/of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch new file mode 100644 index 0000000000..29998a1b7c --- /dev/null 
+++ b/queue-6.13/of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch @@ -0,0 +1,47 @@ +From 267b21d0bef8e67dbe6c591c9991444e58237ec9 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Thu, 9 Jan 2025 21:27:00 +0800 +Subject: of: reserved-memory: Fix using wrong number of cells to get property 'alignment' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zijun Hu + +commit 267b21d0bef8e67dbe6c591c9991444e58237ec9 upstream. + +According to DT spec, size of property 'alignment' is based on parent +node’s #size-cells property. + +But __reserved_mem_alloc_size() wrongly uses @dt_root_addr_cells to get +the property obviously. + +Fix by using @dt_root_size_cells instead of @dt_root_addr_cells. + +Fixes: 3f0c82066448 ("drivers: of: add initialization code for dynamic reserved memory") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-9-db8a72415b8c@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/of_reserved_mem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -410,12 +410,12 @@ static int __init __reserved_mem_alloc_s + + prop = of_get_flat_dt_prop(node, "alignment", &len); + if (prop) { +- if (len != dt_root_addr_cells * sizeof(__be32)) { ++ if (len != dt_root_size_cells * sizeof(__be32)) { + pr_err("invalid alignment property in '%s' node.\n", + uname); + return -EINVAL; + } +- align = dt_mem_next_cell(dt_root_addr_cells, &prop); ++ align = dt_mem_next_cell(dt_root_size_cells, &prop); + } + + nomap = of_get_flat_dt_prop(node, "no-map", NULL) != NULL; diff --git a/queue-6.13/of-reserved-memory-warn-for-missing-static-reserved-memory-regions.patch b/queue-6.13/of-reserved-memory-warn-for-missing-static-reserved-memory-regions.patch new file mode 100644 index 0000000000..c5baaefb47 --- /dev/null 
+++ b/queue-6.13/of-reserved-memory-warn-for-missing-static-reserved-memory-regions.patch @@ -0,0 +1,41 @@ +From 81dfedd5234b42df11a473eefe7328ea4a0416ad Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Tue, 14 Jan 2025 23:23:04 +0800 +Subject: of: reserved-memory: Warn for missing static reserved memory regions + +From: Zijun Hu + +commit 81dfedd5234b42df11a473eefe7328ea4a0416ad upstream. + +For child node of /reserved-memory, its property 'reg' may contain +multiple regions, but fdt_scan_reserved_mem_reg_nodes() only takes +into account the first region, and miss remaining regions. + +But there are no simple approach to fix it, so give user warning +message when miss remaining regions. + +Fixes: 8a6e02d0c00e ("of: reserved_mem: Restructure how the reserved memory regions are processed") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250114-of_core_fix-v5-2-b8bafd00a86f@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/of_reserved_mem.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -263,6 +263,11 @@ void __init fdt_scan_reserved_mem_reg_no + uname); + continue; + } ++ ++ if (len > t_len) ++ pr_warn("%s() ignores %d regions in node '%s'\n", ++ __func__, len / t_len - 1, uname); ++ + base = dt_mem_next_cell(dt_root_addr_cells, &prop); + size = dt_mem_next_cell(dt_root_size_cells, &prop); + diff --git a/queue-6.13/pci-avoid-putting-some-root-ports-into-d3-on-tuxedo-sirius-gen1.patch b/queue-6.13/pci-avoid-putting-some-root-ports-into-d3-on-tuxedo-sirius-gen1.patch new file mode 100644 index 0000000000..8b7118a4ca --- /dev/null +++ b/queue-6.13/pci-avoid-putting-some-root-ports-into-d3-on-tuxedo-sirius-gen1.patch 
@@ -0,0 +1,84 @@ +From b1049f2d68693c80a576c4578d96774a68df2bad Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Tue, 14 Jan 2025 23:23:54 +0100 +Subject: PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Werner Sembach + +commit b1049f2d68693c80a576c4578d96774a68df2bad upstream. + +commit 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend") sets the +policy that all PCIe ports are allowed to use D3. When the system is +suspended if the port is not power manageable by the platform and won't be +used for wakeup via a PME this sets up the policy for these ports to go +into D3hot. + +This policy generally makes sense from an OSPM perspective but it leads to +problems with wakeup from suspend on the TUXEDO Sirius 16 Gen 1 with a +specific old BIOS. This manifests as a system hang. + +On the affected Device + BIOS combination, add a quirk for the root port of +the problematic controller to ensure that these root ports are not put into +D3hot at suspend. + +This patch is based on + + https://lore.kernel.org/linux-pci/20230708214457.1229-2-mario.limonciello@amd.com + +but with the added condition both in the documentation and in the code to +apply only to the TUXEDO Sirius 16 Gen 1 with a specific old BIOS and only +the affected root ports. 
+ +Fixes: 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend") +Suggested-by: Mario Limonciello +Link: https://lore.kernel.org/r/20250114222436.1075456-1-wse@tuxedocomputers.com +Co-developed-by: Georg Gottleuber +Signed-off-by: Georg Gottleuber +Signed-off-by: Werner Sembach +Signed-off-by: Krzysztof Wilczyński +Cc: # 6.1+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/pci/fixup.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +--- a/arch/x86/pci/fixup.c ++++ b/arch/x86/pci/fixup.c +@@ -1010,4 +1010,34 @@ DECLARE_PCI_FIXUP_SUSPEND(PCI_VENDOR_ID_ + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1668, amd_rp_pme_resume); + DECLARE_PCI_FIXUP_SUSPEND(PCI_VENDOR_ID_AMD, 0x1669, amd_rp_pme_suspend); + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1669, amd_rp_pme_resume); ++ ++/* ++ * Putting PCIe root ports on Ryzen SoCs with USB4 controllers into D3hot ++ * may cause problems when the system attempts wake up from s2idle. ++ * ++ * On the TUXEDO Sirius 16 Gen 1 with a specific old BIOS this manifests as ++ * a system hang. ++ */ ++static const struct dmi_system_id quirk_tuxeo_rp_d3_dmi_table[] = { ++ { ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TUXEDO"), ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "APX958"), ++ DMI_EXACT_MATCH(DMI_BIOS_VERSION, "V1.00A00_20240108"), ++ }, ++ }, ++ {} ++}; ++ ++static void quirk_tuxeo_rp_d3(struct pci_dev *pdev) ++{ ++ struct pci_dev *root_pdev; ++ ++ if (dmi_check_system(quirk_tuxeo_rp_d3_dmi_table)) { ++ root_pdev = pcie_find_root_port(pdev); ++ if (root_pdev) ++ root_pdev->dev_flags |= PCI_DEV_FLAGS_NO_D3; ++ } ++} ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x1502, quirk_tuxeo_rp_d3); + #endif /* CONFIG_SUSPEND */ diff --git a/queue-6.13/pci-dwc-ep-prevent-changing-bar-size-flags-in-pci_epc_set_bar.patch b/queue-6.13/pci-dwc-ep-prevent-changing-bar-size-flags-in-pci_epc_set_bar.patch new file mode 100644 index 0000000000..d87a43f493 --- /dev/null 
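Review bot: The new identifiers `quirk_tuxeo_rp_d3_dmi_table` and `quirk_tuxeo_rp_d3` in arch/x86/pci/fixup.c misspell the vendor name as "tuxeo"; `quirk_tuxedo_rp_d3_dmi_table` and `quirk_tuxedo_rp_d3` would match the DMI string `"TUXEDO"` and be easier to grep for. The quirk is keyed on one exact BIOS version string, so the block comment could also state that this is deliberate, e.g. `* Only BIOS V1.00A00_20240108 is matched; other versions are intentionally left alone.`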
+++ b/queue-6.13/pci-dwc-ep-prevent-changing-bar-size-flags-in-pci_epc_set_bar.patch 
@@ -0,0 +1,75 @@ +From 3708acbd5f169ebafe1faa519cb28adc56295546 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Fri, 13 Dec 2024 15:33:03 +0100 +Subject: PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Cassel + +commit 3708acbd5f169ebafe1faa519cb28adc56295546 upstream. + +In commit 4284c88fff0e ("PCI: designware-ep: Allow pci_epc_set_bar() update +inbound map address") set_bar() was modified to support dynamically +changing the backing physical address of a BAR that was already configured. + +This means that set_bar() can be called twice, without ever calling +clear_bar() (as calling clear_bar() would clear the BAR's PCI address +assigned by the host). + +This can only be done if the new BAR size/flags does not differ from the +existing BAR configuration. Add these missing checks. + +If we allow set_bar() to set e.g. a new BAR size that differs from the +existing BAR size, the new address translation range will be smaller than +the BAR size already determined by the host, which would mean that a read +past the new BAR size would pass the iATU untranslated, which could allow +the host to read memory not belonging to the new struct pci_epf_bar. + +While at it, add comments which clarifies the support for dynamically +changing the physical address of a BAR. (Which was also missing.) 
+ +Fixes: 4284c88fff0e ("PCI: designware-ep: Allow pci_epc_set_bar() update inbound map address") +Link: https://lore.kernel.org/r/20241213143301.4158431-10-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-designware-ep.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +--- a/drivers/pci/controller/dwc/pcie-designware-ep.c ++++ b/drivers/pci/controller/dwc/pcie-designware-ep.c +@@ -222,8 +222,28 @@ static int dw_pcie_ep_set_bar(struct pci + if ((flags & PCI_BASE_ADDRESS_MEM_TYPE_64) && (bar & 1)) + return -EINVAL; + +- if (ep->epf_bar[bar]) ++ /* ++ * Certain EPF drivers dynamically change the physical address of a BAR ++ * (i.e. they call set_bar() twice, without ever calling clear_bar(), as ++ * calling clear_bar() would clear the BAR's PCI address assigned by the ++ * host). ++ */ ++ if (ep->epf_bar[bar]) { ++ /* ++ * We can only dynamically change a BAR if the new BAR size and ++ * BAR flags do not differ from the existing configuration. ++ */ ++ if (ep->epf_bar[bar]->barno != bar || ++ ep->epf_bar[bar]->size != size || ++ ep->epf_bar[bar]->flags != flags) ++ return -EINVAL; ++ ++ /* ++ * When dynamically changing a BAR, skip writing the BAR reg, as ++ * that would clear the BAR's PCI address assigned by the host. ++ */ + goto config_atu; ++ } + + reg = PCI_BASE_ADDRESS_0 + (4 * bar); + diff --git a/queue-6.13/pci-dwc-ep-write-bar_mask-before-iatu-registers-in-pci_epc_set_bar.patch b/queue-6.13/pci-dwc-ep-write-bar_mask-before-iatu-registers-in-pci_epc_set_bar.patch new file mode 100644 index 0000000000..9bfb2c972d --- /dev/null +++ b/queue-6.13/pci-dwc-ep-write-bar_mask-before-iatu-registers-in-pci_epc_set_bar.patch 
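Review bot: The new size/flags comparison reads the previous values through `ep->epf_bar[bar]`, which the companion change stores as the caller's pointer (`ep->epf_bar[bar] = epf_bar;`) rather than as a copy. If an EPF driver updates its own `struct pci_epf_bar` in place and calls set_bar() again with the same pointer, both sides of `ep->epf_bar[bar]->size != size` come from the same object (assuming `size` and `flags` are read from `epf_bar` above the hunk), so the check passes and the mismatch described in the commit message, where the host can read past the new translation range, is not caught. Keeping the size and flags that were actually programmed in per-BAR fields of the endpoint state, and comparing against those, would make the guard independent of what the caller does with its struct. The function body starts and ends outside the hunk.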
@@ -0,0 +1,90 @@ +From 33a6938e0c3373f2d11f92d098f337668cd64fdd Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Fri, 13 Dec 2024 15:33:02 +0100 +Subject: PCI: dwc: ep: Write BAR_MASK before iATU registers in pci_epc_set_bar() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Cassel + +commit 33a6938e0c3373f2d11f92d098f337668cd64fdd upstream. + +The "DesignWare Cores PCI Express Controller Register Descriptions, +Version 4.60a", section "1.21.70 IATU_LWR_TARGET_ADDR_OFF_INBOUND_i", +fields LWR_TARGET_RW and LWR_TARGET_HW both state that: +"Field size depends on log2(BAR_MASK+1) in BAR match mode." + +I.e. only the upper bits are writable, and the number of writable bits is +dependent on the configured BAR_MASK. + +If we do not write the BAR_MASK before writing the iATU registers, we are +relying the reset value of the BAR_MASK being larger than the requested +BAR size (which is supplied in the struct pci_epf_bar which is passed to +pci_epc_set_bar()). The reset value of the BAR_MASK is SoC dependent. + +Thus, if the struct pci_epf_bar requests a BAR size that is larger than the +reset value of the BAR_MASK, the iATU will try to write to read-only bits, +which will cause the iATU to end up redirecting to a physical address that +is different from the address that was intended. + +Thus, we should always write the iATU registers after writing the BAR_MASK. 
+ +Fixes: f8aed6ec624f ("PCI: dwc: designware: Add EP mode support") +Link: https://lore.kernel.org/r/20241213143301.4158431-9-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-designware-ep.c | 28 ++++++++++++------------ + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-designware-ep.c ++++ b/drivers/pci/controller/dwc/pcie-designware-ep.c +@@ -222,19 +222,10 @@ static int dw_pcie_ep_set_bar(struct pci + if ((flags & PCI_BASE_ADDRESS_MEM_TYPE_64) && (bar & 1)) + return -EINVAL; + +- reg = PCI_BASE_ADDRESS_0 + (4 * bar); +- +- if (!(flags & PCI_BASE_ADDRESS_SPACE)) +- type = PCIE_ATU_TYPE_MEM; +- else +- type = PCIE_ATU_TYPE_IO; +- +- ret = dw_pcie_ep_inbound_atu(ep, func_no, type, epf_bar->phys_addr, bar); +- if (ret) +- return ret; +- + if (ep->epf_bar[bar]) +- return 0; ++ goto config_atu; ++ ++ reg = PCI_BASE_ADDRESS_0 + (4 * bar); + + dw_pcie_dbi_ro_wr_en(pci); + +@@ -246,9 +237,20 @@ static int dw_pcie_ep_set_bar(struct pci + dw_pcie_ep_writel_dbi(ep, func_no, reg + 4, 0); + } + +- ep->epf_bar[bar] = epf_bar; + dw_pcie_dbi_ro_wr_dis(pci); + ++config_atu: ++ if (!(flags & PCI_BASE_ADDRESS_SPACE)) ++ type = PCIE_ATU_TYPE_MEM; ++ else ++ type = PCIE_ATU_TYPE_IO; ++ ++ ret = dw_pcie_ep_inbound_atu(ep, func_no, type, epf_bar->phys_addr, bar); ++ if (ret) ++ return ret; ++ ++ ep->epf_bar[bar] = epf_bar; ++ + return 0; + } + diff --git a/queue-6.13/pci-endpoint-finish-virtual-ep-removal-in-pci_epf_remove_vepf.patch b/queue-6.13/pci-endpoint-finish-virtual-ep-removal-in-pci_epf_remove_vepf.patch new file mode 100644 index 0000000000..c981566105 --- /dev/null +++ b/queue-6.13/pci-endpoint-finish-virtual-ep-removal-in-pci_epf_remove_vepf.patch 
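Review bot: After the reordering, a failure of `dw_pcie_ep_inbound_atu()` under the new `config_atu:` label returns with the BAR register and mask already written while `ep->epf_bar[bar]` is still unset. That seems to leave a BAR exposed with the requested size but no inbound translation behind it, and a later clear_bar() may not undo the register writes if it keys on `ep->epf_bar[bar]` (not visible here). Consider undoing the BAR register writes on that error path, or at least documenting the state with a comment such as `/* BAR regs stay programmed if iATU setup fails */`. The function starts outside the hunk.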
@@ -0,0 +1,40 @@ +From 3b9f942eb21c92041905e3943a8d5177c9a9d89d Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Tue, 10 Dec 2024 22:00:20 +0800 +Subject: PCI: endpoint: Finish virtual EP removal in pci_epf_remove_vepf() + +From: Zijun Hu + +commit 3b9f942eb21c92041905e3943a8d5177c9a9d89d upstream. + +When removing a virtual Endpoint, pci_epf_remove_vepf() failed to clear +epf_vf->epf_pf, which caused a subsequent pci_epf_add_vepf() to incorrectly +return -EBUSY: + + pci_epf_add_vepf(epf_pf, epf_vf) // add + pci_epf_remove_vepf(epf_pf, epf_vf) // remove + pci_epf_add_vepf(epf_pf, epf_vf) // add again, -EBUSY error + +Fix by clearing epf_vf->epf_pf in pci_epf_remove_vepf(). + +Link: https://lore.kernel.org/r/20241210-pci-epc-core_fix-v3-3-4d86dd573e4b@quicinc.com +Fixes: 1cf362e907f3 ("PCI: endpoint: Add support to add virtual function in endpoint core") +Signed-off-by: Zijun Hu +Signed-off-by: Bjorn Helgaas +Reviewed-by: Frank Li +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-epf-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -202,6 +202,7 @@ void pci_epf_remove_vepf(struct pci_epf + + mutex_lock(&epf_pf->lock); + clear_bit(epf_vf->vfunc_no, &epf_pf->vfunction_num_map); ++ epf_vf->epf_pf = NULL; + list_del(&epf_vf->list); + mutex_unlock(&epf_pf->lock); + } diff --git a/queue-6.13/perf-bench-fix-undefined-behavior-in-cmpworker.patch b/queue-6.13/perf-bench-fix-undefined-behavior-in-cmpworker.patch new file mode 100644 index 0000000000..1b210f1a98 --- /dev/null +++ b/queue-6.13/perf-bench-fix-undefined-behavior-in-cmpworker.patch 
@@ -0,0 +1,52 @@ +From 62892e77b8a64b9dc0e1da75980aa145347b6820 Mon Sep 17 00:00:00 2001 +From: Kuan-Wei Chiu +Date: Thu, 16 Jan 2025 19:08:42 +0800 +Subject: perf bench: Fix undefined behavior in cmpworker() + +From: Kuan-Wei Chiu + +commit 62892e77b8a64b9dc0e1da75980aa145347b6820 upstream. + +The comparison function cmpworker() violates the C standard's +requirements for qsort() comparison functions, which mandate symmetry +and transitivity: + +Symmetry: If x < y, then y > x. +Transitivity: If x < y and y < z, then x < z. + +In its current implementation, cmpworker() incorrectly returns 0 when +w1->tid < w2->tid, which breaks both symmetry and transitivity. This +violation causes undefined behavior, potentially leading to issues such +as memory corruption in glibc [1]. + +Fix the issue by returning -1 when w1->tid < w2->tid, ensuring +compliance with the C standard and preventing undefined behavior. + +Link: https://www.qualys.com/2024/01/30/qsort.txt [1] +Fixes: 121dd9ea0116 ("perf bench: Add epoll parallel epoll_wait benchmark") +Cc: stable@vger.kernel.org +Signed-off-by: Kuan-Wei Chiu +Reviewed-by: James Clark +Link: https://lore.kernel.org/r/20250116110842.4087530-1-visitorckw@gmail.com +Signed-off-by: Namhyung Kim +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/bench/epoll-wait.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/tools/perf/bench/epoll-wait.c ++++ b/tools/perf/bench/epoll-wait.c +@@ -420,7 +420,12 @@ static int cmpworker(const void *p1, con + + struct worker *w1 = (struct worker *) p1; + struct worker *w2 = (struct worker *) p2; +- return w1->tid > w2->tid; ++ ++ if (w1->tid > w2->tid) ++ return 1; ++ if (w1->tid < w2->tid) ++ return -1; ++ return 0; + } + + int bench_epoll_wait(int argc, const char **argv) diff --git a/queue-6.13/pidfs-check-for-valid-ioctl-commands.patch b/queue-6.13/pidfs-check-for-valid-ioctl-commands.patch new file mode 100644 index 0000000000..2b19bf66f8 --- /dev/null 
+++ b/queue-6.13/pidfs-check-for-valid-ioctl-commands.patch @@ -0,0 +1,58 @@ +From 8ce3528188207a2e1896cc3173fba6d99a59013a Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Fri, 29 Nov 2024 21:16:37 +0100 +Subject: pidfs: check for valid ioctl commands + +From: Christian Brauner + +commit 8ce3528188207a2e1896cc3173fba6d99a59013a upstream. + +Prior to doing any work, check whether the provided ioctl command is +supported by pidfs. + +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/pidfs.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/fs/pidfs.c ++++ b/fs/pidfs.c +@@ -190,6 +190,27 @@ static long pidfd_info(struct task_struc + return 0; + } + ++static bool pidfs_ioctl_valid(unsigned int cmd) ++{ ++ switch (cmd) { ++ case FS_IOC_GETVERSION: ++ case PIDFD_GET_CGROUP_NAMESPACE: ++ case PIDFD_GET_INFO: ++ case PIDFD_GET_IPC_NAMESPACE: ++ case PIDFD_GET_MNT_NAMESPACE: ++ case PIDFD_GET_NET_NAMESPACE: ++ case PIDFD_GET_PID_FOR_CHILDREN_NAMESPACE: ++ case PIDFD_GET_TIME_NAMESPACE: ++ case PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE: ++ case PIDFD_GET_UTS_NAMESPACE: ++ case PIDFD_GET_USER_NAMESPACE: ++ case PIDFD_GET_PID_NAMESPACE: ++ return true; ++ } ++ ++ return false; ++} ++ + static long pidfd_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { + struct task_struct *task __free(put_task) = NULL; +@@ -198,6 +219,9 @@ static long pidfd_ioctl(struct file *fil + struct ns_common *ns_common = NULL; + struct pid_namespace *pid_ns; + ++ if (!pidfs_ioctl_valid(cmd)) ++ return -ENOIOCTLCMD; ++ + task = get_pid_task(pid, PIDTYPE_PID); + if (!task) + return -ESRCH; diff --git a/queue-6.13/pidfs-improve-ioctl-handling.patch b/queue-6.13/pidfs-improve-ioctl-handling.patch new file mode 100644 index 0000000000..a95ab281f5 --- /dev/null +++ b/queue-6.13/pidfs-improve-ioctl-handling.patch 
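Review bot: `pidfs_ioctl_valid()` carries no comment saying that it is an allow-list which has to name every command `pidfd_ioctl()` dispatches. Because the check runs before `get_pid_task()` and fails closed with `-ENOIOCTLCMD`, a command added later to the handler but not to this switch would be rejected with no hint why. A short comment above the function would do, e.g. `/* Allow-list of ioctls handled by pidfd_ioctl(); keep both in sync. */`. `pidfd_ioctl()` continues outside the hunk.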
@@ -0,0 +1,62 @@ +From 091ee63e36e8289f9067f659a48d497911e49d6f Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 4 Feb 2025 14:51:20 +0100 +Subject: pidfs: improve ioctl handling + +From: Christian Brauner + +commit 091ee63e36e8289f9067f659a48d497911e49d6f upstream. + +Pidfs supports extensible and non-extensible ioctls. The extensible +ioctls need to check for the ioctl number itself not just the ioctl +command otherwise both backward- and forward compatibility are broken. + +The pidfs ioctl handler also needs to look at the type of the ioctl +command to guard against cases where "[...] a daemon receives some +random file descriptor from a (potentially less privileged) client and +expects the FD to be of some specific type, it might call ioctl() on +this FD with some type-specific command and expect the call to fail if +the FD is of the wrong type; but due to the missing type check, the +kernel instead performs some action that userspace didn't expect." +(cf. [1]] + +Link: https://lore.kernel.org/r/20250204-work-pidfs-ioctl-v1-1-04987d239575@kernel.org +Link: https://lore.kernel.org/r/CAG48ez2K9A5GwtgqO31u9ZL292we8ZwAA=TJwwEv7wRuJ3j4Lw@mail.gmail.com [1] +Fixes: 8ce352818820 ("pidfs: check for valid ioctl commands") +Acked-by: Luca Boccassi +Reported-by: Jann Horn +Cc: stable@vger.kernel.org # v6.13; please backport with 8ce352818820 ("pidfs: check for valid ioctl commands") +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/pidfs.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/pidfs.c ++++ b/fs/pidfs.c +@@ -195,7 +195,6 @@ static bool pidfs_ioctl_valid(unsigned i + switch (cmd) { + case FS_IOC_GETVERSION: + case PIDFD_GET_CGROUP_NAMESPACE: +- case PIDFD_GET_INFO: + case PIDFD_GET_IPC_NAMESPACE: + case PIDFD_GET_MNT_NAMESPACE: + case PIDFD_GET_NET_NAMESPACE: +@@ -208,6 +207,17 @@ static bool pidfs_ioctl_valid(unsigned i + return true; + } + ++ /* Extensible ioctls require some more careful 
checks. */ ++ switch (_IOC_NR(cmd)) { ++ case _IOC_NR(PIDFD_GET_INFO): ++ /* ++ * Try to prevent performing a pidfd ioctl when someone ++ * erronously mistook the file descriptor for a pidfd. ++ * This is not perfect but will catch most cases. ++ */ ++ return (_IOC_TYPE(cmd) == _IOC_TYPE(PIDFD_GET_INFO)); ++ } ++ + return false; + } + diff --git a/queue-6.13/powerpc-pseries-eeh-fix-get-pe-state-translation.patch b/queue-6.13/powerpc-pseries-eeh-fix-get-pe-state-translation.patch new file mode 100644 index 0000000000..6478840de1 --- /dev/null +++ b/queue-6.13/powerpc-pseries-eeh-fix-get-pe-state-translation.patch 
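Review bot: For the extensible `PIDFD_GET_INFO` case the new check compares only `_IOC_NR(cmd)` and `_IOC_TYPE(cmd)`, so a command with the same type and number but a different direction, or a size smaller than the first published version of the argument struct, is still accepted as valid. Whether the handler rejects those later is not visible in this hunk; if it does not, also comparing `_IOC_DIR(cmd) == _IOC_DIR(PIDFD_GET_INFO)` and enforcing a minimum `_IOC_SIZE(cmd)` here would tighten the wrong-FD-type guard the commit message describes. The added comment also has a typo: `erronously` should read `erroneously`.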
@@ -0,0 +1,54 @@ +From 11b93559000c686ad7e5ab0547e76f21cc143844 Mon Sep 17 00:00:00 2001 +From: Narayana Murty N +Date: Thu, 16 Jan 2025 04:39:54 -0600 +Subject: powerpc/pseries/eeh: Fix get PE state translation + +From: Narayana Murty N + +commit 11b93559000c686ad7e5ab0547e76f21cc143844 upstream. + +The PE Reset State "0" returned by RTAS calls +"ibm_read_slot_reset_[state|state2]" indicates that the reset is +deactivated and the PE is in a state where MMIO and DMA are allowed. +However, the current implementation of "pseries_eeh_get_state()" does +not reflect this, causing drivers to incorrectly assume that MMIO and +DMA operations cannot be resumed. + +The userspace drivers as a part of EEH recovery using VFIO ioctls fail +to detect when the recovery process is complete. The VFIO_EEH_PE_GET_STATE +ioctl does not report the expected EEH_PE_STATE_NORMAL state, preventing +userspace drivers from functioning properly on pseries systems. + +The patch addresses this issue by updating 'pseries_eeh_get_state()' +to include "EEH_STATE_MMIO_ENABLED" and "EEH_STATE_DMA_ENABLED" in +the result mask for PE Reset State "0". This ensures correct state +reporting to the callers, aligning the behavior with the PAPR specification +and fixing the bug in EEH recovery for VFIO user workflows. 
+ +Fixes: 00ba05a12b3c ("powerpc/pseries: Cleanup on pseries_eeh_get_state()") +Cc: stable@vger.kernel.org +Reviewed-by: Ritesh Harjani (IBM) +Signed-off-by: Narayana Murty N +Link: https://lore.kernel.org/stable/20241212075044.10563-1-nnmlinux%40linux.ibm.com +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250116103954.17324-1-nnmlinux@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/eeh_pseries.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c +@@ -580,8 +580,10 @@ static int pseries_eeh_get_state(struct + + switch(rets[0]) { + case 0: +- result = EEH_STATE_MMIO_ACTIVE | +- EEH_STATE_DMA_ACTIVE; ++ result = EEH_STATE_MMIO_ACTIVE | ++ EEH_STATE_DMA_ACTIVE | ++ EEH_STATE_MMIO_ENABLED | ++ EEH_STATE_DMA_ENABLED; + break; + case 1: + result = EEH_STATE_RESET_ACTIVE | diff --git a/queue-6.13/revert-media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch b/queue-6.13/revert-media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch new file mode 100644 index 0000000000..4075a1c30a --- /dev/null +++ b/queue-6.13/revert-media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch 
@@ -0,0 +1,184 @@ +From 8004d635f27bbccaa5c083c50d4d5302a6ffa00e Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Tue, 14 Jan 2025 17:00:45 -0300 +Subject: Revert "media: uvcvideo: Require entities to have a non-zero unique ID" + +From: Thadeu Lima de Souza Cascardo + +commit 8004d635f27bbccaa5c083c50d4d5302a6ffa00e upstream. + +This reverts commit 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195. + +Tomasz has reported that his device, Generalplus Technology Inc. 808 Camera, +with ID 1b3f:2002, stopped being detected: + +$ ls -l /dev/video* +zsh: no matches found: /dev/video* +[ 7.230599] usb 3-2: Found multiple Units with ID 5 + +This particular device is non-compliant, having both the Output Terminal +and Processing Unit with ID 5. uvc_scan_fallback, though, is able to build +a chain. However, when media elements are added and uvc_mc_create_links +call uvc_entity_by_id, it will get the incorrect entity, +media_create_pad_link will WARN, and it will fail to register the entities. + +In order to reinstate support for such devices in a timely fashion, +reverting the fix for these warnings is appropriate. A proper fix that +considers the existence of such non-compliant devices will be submitted in +a later development cycle. 
+ +Reported-by: Tomasz Sikora +Fixes: 3dd075fe8ebb ("media: uvcvideo: Require entities to have a non-zero unique ID") +Cc: stable@vger.kernel.org +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Laurent Pinchart +Reviewed-by: Hans de Goede +Reviewed-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250114200045.1401644-1-cascardo@igalia.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 70 ++++++++++++++----------------------- + 1 file changed, 27 insertions(+), 43 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -775,27 +775,14 @@ static const u8 uvc_media_transport_inpu + UVC_GUID_UVC_MEDIA_TRANSPORT_INPUT; + static const u8 uvc_processing_guid[16] = UVC_GUID_UVC_PROCESSING; + +-static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type, +- u16 id, unsigned int num_pads, +- unsigned int extra_size) ++static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id, ++ unsigned int num_pads, unsigned int extra_size) + { + struct uvc_entity *entity; + unsigned int num_inputs; + unsigned int size; + unsigned int i; + +- /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */ +- if (id == 0) { +- dev_err(&dev->udev->dev, "Found Unit with invalid ID 0.\n"); +- return ERR_PTR(-EINVAL); +- } +- +- /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */ +- if (uvc_entity_by_id(dev, id)) { +- dev_err(&dev->udev->dev, "Found multiple Units with ID %u\n", id); +- return ERR_PTR(-EINVAL); +- } +- + extra_size = roundup(extra_size, sizeof(*entity->pads)); + if (num_pads) + num_inputs = type & UVC_TERM_OUTPUT ? 
num_pads : num_pads - 1; +@@ -805,7 +792,7 @@ static struct uvc_entity *uvc_alloc_new_ + + num_inputs; + entity = kzalloc(size, GFP_KERNEL); + if (entity == NULL) +- return ERR_PTR(-ENOMEM); ++ return NULL; + + entity->id = id; + entity->type = type; +@@ -917,10 +904,10 @@ static int uvc_parse_vendor_control(stru + break; + } + +- unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT, +- buffer[3], p + 1, 2 * n); +- if (IS_ERR(unit)) +- return PTR_ERR(unit); ++ unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3], ++ p + 1, 2*n); ++ if (unit == NULL) ++ return -ENOMEM; + + memcpy(unit->guid, &buffer[4], 16); + unit->extension.bNumControls = buffer[20]; +@@ -1029,10 +1016,10 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT, +- buffer[3], 1, n + p); +- if (IS_ERR(term)) +- return PTR_ERR(term); ++ term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3], ++ 1, n + p); ++ if (term == NULL) ++ return -ENOMEM; + + if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) { + term->camera.bControlSize = n; +@@ -1088,10 +1075,10 @@ static int uvc_parse_standard_control(st + return 0; + } + +- term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT, +- buffer[3], 1, 0); +- if (IS_ERR(term)) +- return PTR_ERR(term); ++ term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3], ++ 1, 0); ++ if (term == NULL) ++ return -ENOMEM; + + memcpy(term->baSourceID, &buffer[7], 1); + +@@ -1110,10 +1097,9 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], +- p + 1, 0); +- if (IS_ERR(unit)) +- return PTR_ERR(unit); ++ unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0); ++ if (unit == NULL) ++ return -ENOMEM; + + memcpy(unit->baSourceID, &buffer[5], p); + +@@ -1133,9 +1119,9 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n); +- if (IS_ERR(unit)) +- return 
PTR_ERR(unit); ++ unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n); ++ if (unit == NULL) ++ return -ENOMEM; + + memcpy(unit->baSourceID, &buffer[4], 1); + unit->processing.wMaxMultiplier = +@@ -1162,10 +1148,9 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], +- p + 1, n); +- if (IS_ERR(unit)) +- return PTR_ERR(unit); ++ unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n); ++ if (unit == NULL) ++ return -ENOMEM; + + memcpy(unit->guid, &buffer[4], 16); + unit->extension.bNumControls = buffer[20]; +@@ -1305,10 +1290,9 @@ static int uvc_gpio_parse(struct uvc_dev + return dev_err_probe(&dev->udev->dev, irq, + "No IRQ for privacy GPIO\n"); + +- unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT, +- UVC_EXT_GPIO_UNIT_ID, 0, 1); +- if (IS_ERR(unit)) +- return PTR_ERR(unit); ++ unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1); ++ if (!unit) ++ return -ENOMEM; + + unit->gpio.gpio_privacy = gpio_privacy; + unit->gpio.irq = irq; diff --git a/queue-6.13/revert-mips-csrc-r4k-select-have_unstable_sched_clock-if-smp-64bit.patch b/queue-6.13/revert-mips-csrc-r4k-select-have_unstable_sched_clock-if-smp-64bit.patch new file mode 100644 index 0000000000..a61a2a89c7 --- /dev/null +++ b/queue-6.13/revert-mips-csrc-r4k-select-have_unstable_sched_clock-if-smp-64bit.patch 
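Review bot: With the ID checks removed, `uvc_alloc_entity()` again takes the `id` its callers read from the device descriptors (`buffer[3]`) and stores it in `entity->id` unvalidated, so entities can carry ID 0 or share an ID. The commit message states that `uvc_entity_by_id()` can then return the wrong entity and `media_create_pad_link` will WARN; since the descriptors come from whatever USB device is attached, that path should be treated as reachable with malformed input until the announced follow-up fix lands. A comment above `uvc_alloc_entity()` would keep this visible, e.g. `/* NOTE: id is device-supplied and not checked for zero or uniqueness; see the revert of 3dd075fe8ebb. */`.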
@@ -0,0 +1,49 @@
+From 078b831638e1aa06dd7ffa9f244c8ac6b2995561 Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao
+Date: Mon, 23 Dec 2024 17:20:41 +0800
+Subject: Revert "MIPS: csrc-r4k: Select HAVE_UNSTABLE_SCHED_CLOCK if SMP && 64BIT"
+
+From: Xi Ruoyao
+
+commit 078b831638e1aa06dd7ffa9f244c8ac6b2995561 upstream.
+
+This reverts commit 426fa8e4fe7bb914b5977cbce453a9926bf5b2e6.
+
+The commit has caused two issues on Loongson 3A4000:
+
+1. The timestamp in dmesg become erratic, like:
+
+ [3.736957] amdgpu 0000:04:00.0: ... ...
+ [3.748895] [drm] Initialized amdgpu ... ...
+ [18446744073.381141] amdgpu 0000:04:00:0: ... ...
+ [1.613326] igb 0000:03:00.0 enp3s0: ... ...
+
+2. More seriously, some workloads (for example, the test
+ stdlib/test-cxa_atexit2 in the Glibc test suite) triggers an RCU
+ stall and hang the system with a high probably (4 hangs out of 5
+ tests).
+
+Revert this commit to use jiffie on Loongson MIPS systems and fix these
+issues for now. The root cause may need more investigation.
+
+Cc: stable@vger.kernel.org # 6.11+
+Cc: Jiaxun Yang
+Cc: Icenowy Zheng
+Signed-off-by: Xi Ruoyao
+Reviewed-by: Jiaxun Yang
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -1084,7 +1084,6 @@ config CSRC_IOASIC
+
+ config CSRC_R4K
+ select CLOCKSOURCE_WATCHDOG if CPU_FREQ
+- select HAVE_UNSTABLE_SCHED_CLOCK if SMP && 64BIT
+ bool
+
+ config CSRC_SB1250
diff --git a/queue-6.13/ring-buffer-do-not-allow-events-in-nmi-with-generic-atomic64-cmpxchg.patch b/queue-6.13/ring-buffer-do-not-allow-events-in-nmi-with-generic-atomic64-cmpxchg.patch
new file mode 100644
index 0000000000..0b8f6a76ef
--- /dev/null
+++ b/queue-6.13/ring-buffer-do-not-allow-events-in-nmi-with-generic-atomic64-cmpxchg.patch
@@ -0,0 +1,51 @@
+From cd2375a3567fd3d93aa6c68e0027a5756213bda0 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Mon, 20 Jan 2025 18:56:56 -0500
+Subject: ring-buffer: Do not allow events in NMI with generic atomic64 cmpxchg()
+
+From: Steven Rostedt
+
+commit cd2375a3567fd3d93aa6c68e0027a5756213bda0 upstream.
+
+Some architectures can not safely do atomic64 operations in NMI context.
+Since the ring buffer relies on atomic64 operations to do its time
+keeping, if an event is requested in NMI context, reject it for these
+architectures.
+
+Cc: stable@vger.kernel.org
+Cc: Mark Rutland
+Cc: Mathieu Desnoyers
+Cc: Andrew Morton
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Linus Torvalds
+Cc: Andreas Larsson
+Link: https://lore.kernel.org/20250120235721.407068250@goodmis.org
+Fixes: c84897c0ff592 ("ring-buffer: Remove 32bit timestamp logic")
+Closes: https://lore.kernel.org/all/86fb4f86-a0e4-45a2-a2df-3154acc4f086@gaisler.com/
+Reported-by: Ludwig Rydberg
+Reviewed-by: Masami Hiramatsu (Google)
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ring_buffer.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -4398,8 +4398,13 @@ rb_reserve_next_event(struct trace_buffe
+ int nr_loops = 0;
+ int add_ts_default;
+
+- /* ring buffer does cmpxchg, make sure it is safe in NMI context */
+- if (!IS_ENABLED(CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG) &&
++ /*
++ * ring buffer does cmpxchg as well as atomic64 operations
++ * (which some archs use locking for atomic64), make sure this
++ * is safe in NMI context
++ */
++ if ((!IS_ENABLED(CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG) ||
++ IS_ENABLED(CONFIG_GENERIC_ATOMIC64)) &&
+ (unlikely(in_nmi()))) {
+ return NULL;
+ }
diff --git a/queue-6.13/s390-pci-fix-sr-iov-for-pfs-initially-in-standby.patch b/queue-6.13/s390-pci-fix-sr-iov-for-pfs-initially-in-standby.patch
new file mode 100644
index 0000000000..bd42812319
--- /dev/null
+++ b/queue-6.13/s390-pci-fix-sr-iov-for-pfs-initially-in-standby.patch
@@ -0,0 +1,52 @@
+From dc287e4c9149ab54a5003b4d4da007818b5fda3d Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle
+Date: Wed, 22 Jan 2025 14:36:01 +0100
+Subject: s390/pci: Fix SR-IOV for PFs initially in standby
+
+From: Niklas Schnelle
+
+commit dc287e4c9149ab54a5003b4d4da007818b5fda3d upstream.
+
+Since commit 25f39d3dcb48 ("s390/pci: Ignore RID for isolated VFs") PFs
+which are not initially configured but in standby are considered
+isolated. That is they create only a single function PCI domain. Due to
+the PCI domains being created on discovery, this means that even if they
+are configured later on, sibling PFs and their child VFs will not be
+added to their PCI domain breaking SR-IOV expectations.
+
+The reason the referenced commit ignored standby PFs for the creation of
+multi-function PCI subhierarchies, was to work around a PCI domain
+renumbering scenario on reboot. The renumbering would occur after
+removing a previously in standby PF, whose domain number is used for its
+configured sibling PFs and their child VFs, but which itself remained in
+standby. When this is followed by a reboot, the sibling PF is used
+instead to determine the PCI domain number of it and its child VFs.
+
+In principle it is not possible to know which standby PFs will be
+configured later and which may be removed. The PCI domain and root bus
+are pre-requisites for hotplug slots so the decision of which functions
+belong to which domain can not be postponed. With the renumbering
+occurring only in rare circumstances and being generally benign, accept
+it as an oddity and fix SR-IOV for initially standby PFs simply by
+allowing them to create PCI domains.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Gerd Bayer
+Fixes: 25f39d3dcb48 ("s390/pci: Ignore RID for isolated VFs")
+Signed-off-by: Niklas Schnelle
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/pci/pci_bus.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/s390/pci/pci_bus.c
++++ b/arch/s390/pci/pci_bus.c
+@@ -171,7 +171,6 @@ void zpci_bus_scan_busses(void)
+ static bool zpci_bus_is_multifunction_root(struct zpci_dev *zdev)
+ {
+ return !s390_pci_no_rid && zdev->rid_available &&
+- zpci_is_device_configured(zdev) &&
+ !zdev->vfn;
+ }
+
diff --git a/queue-6.13/scsi-core-do-not-retry-i-os-during-depopulation.patch b/queue-6.13/scsi-core-do-not-retry-i-os-during-depopulation.patch
new file mode 100644
index 0000000000..4261aa7c19
--- /dev/null
+++ b/queue-6.13/scsi-core-do-not-retry-i-os-during-depopulation.patch
@@ -0,0 +1,55 @@
+From 9ff7c383b8ac0c482a1da7989f703406d78445c6 Mon Sep 17 00:00:00 2001
+From: Igor Pylypiv
+Date: Fri, 31 Jan 2025 10:44:07 -0800
+Subject: scsi: core: Do not retry I/Os during depopulation
+
+From: Igor Pylypiv
+
+commit 9ff7c383b8ac0c482a1da7989f703406d78445c6 upstream.
+
+Fail I/Os instead of retry to prevent user space processes from being
+blocked on the I/O completion for several minutes.
+
+Retrying I/Os during "depopulation in progress" or "depopulation restore in
+progress" results in a continuous retry loop until the depopulation
+completes or until the I/O retry loop is aborted due to a timeout by the
+scsi_cmd_runtime_exceeced().
+
+Depopulation is slow and can take 24+ hours to complete on 20+ TB HDDs.
+Most I/Os in the depopulation retry loop end up taking several minutes
+before returning the failure to user space.
+
+Cc: stable@vger.kernel.org # 4.18.x: 2bbeb8d scsi: core: Handle depopulation and restoration in progress
+Cc: stable@vger.kernel.org # 4.18.x
+Fixes: e37c7d9a0341 ("scsi: core: sanitize++ in progress")
+Signed-off-by: Igor Pylypiv
+Link: https://lore.kernel.org/r/20250131184408.859579-1-ipylypiv@google.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/scsi_lib.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -868,13 +868,18 @@ static void scsi_io_completion_action(st
+ case 0x1a: /* start stop unit in progress */
+ case 0x1b: /* sanitize in progress */
+ case 0x1d: /* configuration in progress */
+- case 0x24: /* depopulation in progress */
+- case 0x25: /* depopulation restore in progress */
+ action = ACTION_DELAYED_RETRY;
+ break;
+ case 0x0a: /* ALUA state transition */
+ action = ACTION_DELAYED_REPREP;
+ break;
++ /*
++ * Depopulation might take many hours,
++ * thus it is not worthwhile to retry.
++ */
++ case 0x24: /* depopulation in progress */
++ case 0x25: /* depopulation restore in progress */
++ fallthrough;
+ default:
+ action = ACTION_FAIL;
+ break;
diff --git a/queue-6.13/scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch b/queue-6.13/scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch
new file mode 100644
index 0000000000..293d7c5d5e
--- /dev/null
+++ b/queue-6.13/scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch
@@ -0,0 +1,297 @@ +From 841df27d619ee1f5ca6473e15227b39d6136562d Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 15 Nov 2024 18:33:09 +0530 +Subject: scsi: qla2xxx: Move FCE Trace buffer allocation to user control + +From: Quinn Tran + +commit 841df27d619ee1f5ca6473e15227b39d6136562d upstream. + +Currently FCE Tracing is enabled to log additional ELS events. Instead, +user will enable or disable this feature through debugfs. + +Modify existing DFS knob to allow user to enable or disable this +feature. + +echo [1 | 0] > /sys/kernel/debug/qla2xxx/qla2xxx_??/fce +cat /sys/kernel/debug/qla2xxx/qla2xxx_??/fce + +Cc: stable@vger.kernel.org +Fixes: df613b96077c ("[SCSI] qla2xxx: Add Fibre Channel Event (FCE) tracing support.") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20241115130313.46826-4-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_def.h | 2 + drivers/scsi/qla2xxx/qla_dfs.c | 124 ++++++++++++++++++++++++++++++++-------- + drivers/scsi/qla2xxx/qla_gbl.h | 3 + drivers/scsi/qla2xxx/qla_init.c | 28 ++++++--- + 4 files changed, 126 insertions(+), 31 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -4098,6 +4098,8 @@ struct qla_hw_data { + uint32_t npiv_supported :1; + uint32_t pci_channel_io_perm_failure :1; + uint32_t fce_enabled :1; ++ uint32_t user_enabled_fce :1; ++ uint32_t fce_dump_buf_alloced :1; + uint32_t fac_supported :1; + + uint32_t chip_reset_done :1; +--- a/drivers/scsi/qla2xxx/qla_dfs.c ++++ b/drivers/scsi/qla2xxx/qla_dfs.c +@@ -409,27 +409,32 @@ qla2x00_dfs_fce_show(struct seq_file *s, + + mutex_lock(&ha->fce_mutex); + +- seq_puts(s, "FCE Trace Buffer\n"); +- seq_printf(s, "In Pointer = %llx\n\n", (unsigned long long)ha->fce_wr); +- seq_printf(s, "Base = %llx\n\n", (unsigned long long) ha->fce_dma); +- seq_puts(s, "FCE Enable Registers\n"); +- 
seq_printf(s, "%08x %08x %08x %08x %08x %08x\n", +- ha->fce_mb[0], ha->fce_mb[2], ha->fce_mb[3], ha->fce_mb[4], +- ha->fce_mb[5], ha->fce_mb[6]); +- +- fce = (uint32_t *) ha->fce; +- fce_start = (unsigned long long) ha->fce_dma; +- for (cnt = 0; cnt < fce_calc_size(ha->fce_bufs) / 4; cnt++) { +- if (cnt % 8 == 0) +- seq_printf(s, "\n%llx: ", +- (unsigned long long)((cnt * 4) + fce_start)); +- else +- seq_putc(s, ' '); +- seq_printf(s, "%08x", *fce++); ++ if (ha->flags.user_enabled_fce) { ++ seq_puts(s, "FCE Trace Buffer\n"); ++ seq_printf(s, "In Pointer = %llx\n\n", (unsigned long long)ha->fce_wr); ++ seq_printf(s, "Base = %llx\n\n", (unsigned long long)ha->fce_dma); ++ seq_puts(s, "FCE Enable Registers\n"); ++ seq_printf(s, "%08x %08x %08x %08x %08x %08x\n", ++ ha->fce_mb[0], ha->fce_mb[2], ha->fce_mb[3], ha->fce_mb[4], ++ ha->fce_mb[5], ha->fce_mb[6]); ++ ++ fce = (uint32_t *)ha->fce; ++ fce_start = (unsigned long long)ha->fce_dma; ++ for (cnt = 0; cnt < fce_calc_size(ha->fce_bufs) / 4; cnt++) { ++ if (cnt % 8 == 0) ++ seq_printf(s, "\n%llx: ", ++ (unsigned long long)((cnt * 4) + fce_start)); ++ else ++ seq_putc(s, ' '); ++ seq_printf(s, "%08x", *fce++); ++ } ++ ++ seq_puts(s, "\nEnd\n"); ++ } else { ++ seq_puts(s, "FCE Trace is currently not enabled\n"); ++ seq_puts(s, "\techo [ 1 | 0 ] > fce\n"); + } + +- seq_puts(s, "\nEnd\n"); +- + mutex_unlock(&ha->fce_mutex); + + return 0; +@@ -467,7 +472,7 @@ qla2x00_dfs_fce_release(struct inode *in + struct qla_hw_data *ha = vha->hw; + int rval; + +- if (ha->flags.fce_enabled) ++ if (ha->flags.fce_enabled || !ha->fce) + goto out; + + mutex_lock(&ha->fce_mutex); +@@ -488,11 +493,88 @@ out: + return single_release(inode, file); + } + ++static ssize_t ++qla2x00_dfs_fce_write(struct file *file, const char __user *buffer, ++ size_t count, loff_t *pos) ++{ ++ struct seq_file *s = file->private_data; ++ struct scsi_qla_host *vha = s->private; ++ struct qla_hw_data *ha = vha->hw; ++ char *buf; ++ int rc = 0; ++ unsigned long 
enable; ++ ++ if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) && ++ !IS_QLA27XX(ha) && !IS_QLA28XX(ha)) { ++ ql_dbg(ql_dbg_user, vha, 0xd034, ++ "this adapter does not support FCE."); ++ return -EINVAL; ++ } ++ ++ buf = memdup_user_nul(buffer, count); ++ if (IS_ERR(buf)) { ++ ql_dbg(ql_dbg_user, vha, 0xd037, ++ "fail to copy user buffer."); ++ return PTR_ERR(buf); ++ } ++ ++ enable = kstrtoul(buf, 0, 0); ++ rc = count; ++ ++ mutex_lock(&ha->fce_mutex); ++ ++ if (enable) { ++ if (ha->flags.user_enabled_fce) { ++ mutex_unlock(&ha->fce_mutex); ++ goto out_free; ++ } ++ ha->flags.user_enabled_fce = 1; ++ if (!ha->fce) { ++ rc = qla2x00_alloc_fce_trace(vha); ++ if (rc) { ++ ha->flags.user_enabled_fce = 0; ++ mutex_unlock(&ha->fce_mutex); ++ goto out_free; ++ } ++ ++ /* adjust fw dump buffer to take into account of this feature */ ++ if (!ha->flags.fce_dump_buf_alloced) ++ qla2x00_alloc_fw_dump(vha); ++ } ++ ++ if (!ha->flags.fce_enabled) ++ qla_enable_fce_trace(vha); ++ ++ ql_dbg(ql_dbg_user, vha, 0xd045, "User enabled FCE .\n"); ++ } else { ++ if (!ha->flags.user_enabled_fce) { ++ mutex_unlock(&ha->fce_mutex); ++ goto out_free; ++ } ++ ha->flags.user_enabled_fce = 0; ++ if (ha->flags.fce_enabled) { ++ qla2x00_disable_fce_trace(vha, NULL, NULL); ++ ha->flags.fce_enabled = 0; ++ } ++ ++ qla2x00_free_fce_trace(ha); ++ /* no need to re-adjust fw dump buffer */ ++ ++ ql_dbg(ql_dbg_user, vha, 0xd04f, "User disabled FCE .\n"); ++ } ++ ++ mutex_unlock(&ha->fce_mutex); ++out_free: ++ kfree(buf); ++ return rc; ++} ++ + static const struct file_operations dfs_fce_ops = { + .open = qla2x00_dfs_fce_open, + .read = seq_read, + .llseek = seq_lseek, + .release = qla2x00_dfs_fce_release, ++ .write = qla2x00_dfs_fce_write, + }; + + static int +@@ -626,8 +708,6 @@ qla2x00_dfs_setup(scsi_qla_host_t *vha) + if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) && + !IS_QLA27XX(ha) && !IS_QLA28XX(ha)) + goto out; +- if (!ha->fce) +- goto out; + + if (qla2x00_dfs_root) + goto 
create_dir; +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -11,6 +11,9 @@ + /* + * Global Function Prototypes in qla_init.c source file. + */ ++int qla2x00_alloc_fce_trace(scsi_qla_host_t *); ++void qla2x00_free_fce_trace(struct qla_hw_data *ha); ++void qla_enable_fce_trace(scsi_qla_host_t *); + extern int qla2x00_initialize_adapter(scsi_qla_host_t *); + extern int qla24xx_post_prli_work(struct scsi_qla_host *vha, fc_port_t *fcport); + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -2681,7 +2681,7 @@ exit: + return rval; + } + +-static void qla_enable_fce_trace(scsi_qla_host_t *vha) ++void qla_enable_fce_trace(scsi_qla_host_t *vha) + { + int rval; + struct qla_hw_data *ha = vha->hw; +@@ -3717,25 +3717,24 @@ qla24xx_chip_diag(scsi_qla_host_t *vha) + return rval; + } + +-static void +-qla2x00_alloc_fce_trace(scsi_qla_host_t *vha) ++int qla2x00_alloc_fce_trace(scsi_qla_host_t *vha) + { + dma_addr_t tc_dma; + void *tc; + struct qla_hw_data *ha = vha->hw; + + if (!IS_FWI2_CAPABLE(ha)) +- return; ++ return -EINVAL; + + if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) && + !IS_QLA27XX(ha) && !IS_QLA28XX(ha)) +- return; ++ return -EINVAL; + + if (ha->fce) { + ql_dbg(ql_dbg_init, vha, 0x00bd, + "%s: FCE Mem is already allocated.\n", + __func__); +- return; ++ return -EIO; + } + + /* Allocate memory for Fibre Channel Event Buffer. 
*/ +@@ -3745,7 +3744,7 @@ qla2x00_alloc_fce_trace(scsi_qla_host_t + ql_log(ql_log_warn, vha, 0x00be, + "Unable to allocate (%d KB) for FCE.\n", + FCE_SIZE / 1024); +- return; ++ return -ENOMEM; + } + + ql_dbg(ql_dbg_init, vha, 0x00c0, +@@ -3754,6 +3753,16 @@ qla2x00_alloc_fce_trace(scsi_qla_host_t + ha->fce_dma = tc_dma; + ha->fce = tc; + ha->fce_bufs = FCE_NUM_BUFFERS; ++ return 0; ++} ++ ++void qla2x00_free_fce_trace(struct qla_hw_data *ha) ++{ ++ if (!ha->fce) ++ return; ++ dma_free_coherent(&ha->pdev->dev, FCE_SIZE, ha->fce, ha->fce_dma); ++ ha->fce = NULL; ++ ha->fce_dma = 0; + } + + static void +@@ -3844,9 +3853,10 @@ qla2x00_alloc_fw_dump(scsi_qla_host_t *v + if (ha->tgt.atio_ring) + mq_size += ha->tgt.atio_q_length * sizeof(request_t); + +- qla2x00_alloc_fce_trace(vha); +- if (ha->fce) ++ if (ha->fce) { + fce_size = sizeof(struct qla2xxx_fce_chain) + FCE_SIZE; ++ ha->flags.fce_dump_buf_alloced = 1; ++ } + qla2x00_alloc_eft_trace(vha); + if (ha->eft) + eft_size = EFT_SIZE; diff --git a/queue-6.13/scsi-st-don-t-set-pos_unknown-just-after-device-recognition.patch b/queue-6.13/scsi-st-don-t-set-pos_unknown-just-after-device-recognition.patch new file mode 100644 index 0000000000..c91207198d --- /dev/null +++ b/queue-6.13/scsi-st-don-t-set-pos_unknown-just-after-device-recognition.patch 
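Review bot: In the new `qla2x00_dfs_fce_write()` (qla_dfs.c), `enable = kstrtoul(buf, 0, 0);` stores kstrtoul()'s status code in `enable` and passes a null pointer as the result argument, so the value the user wrote never reaches `enable`. By kstrtoul()'s contract a successfully parsed string is stored through that pointer, which here would be a NULL write in the kernel, while an unparsable string leaves a non-zero error code in `enable` and is treated as "enable". The call should be `rc = kstrtoul(buf, 0, &enable);` followed by `if (rc) goto out_free;`, with `rc = count;` assigned only after the parse succeeds. The two `ql_dbg()` messages added at the top of the function also lack the trailing `\n` that the later "User enabled FCE" messages carry.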
@@ -0,0 +1,70 @@ +From 98b37881b7492ae9048ad48260cc8a6ee9eb39fd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Kai=20M=C3=A4kisara?= +Date: Mon, 16 Dec 2024 13:37:55 +0200 +Subject: scsi: st: Don't set pos_unknown just after device recognition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kai Mäkisara + +commit 98b37881b7492ae9048ad48260cc8a6ee9eb39fd upstream. + +Commit 9604eea5bd3a ("scsi: st: Add third party poweron reset handling") in +v6.6 added new code to handle the Power On/Reset Unit Attention (POR UA) +sense data. This was in addition to the existing method. When this Unit +Attention is received, the driver blocks attempts to read, write and some +other operations because the reset may have rewinded the tape. Because of +the added code, also the initial POR UA resulted in blocking operations, +including those that are used to set the driver options after the device is +recognized. Also, reading and writing are refused, whereas they succeeded +before this commit. + +Add code to not set pos_unknown to block operations if the POR UA is +received from the first test_ready() call after the st device has been +created. This restores the behavior before v6.6. + +Signed-off-by: Kai Mäkisara +Link: https://lore.kernel.org/r/20241216113755.30415-1-Kai.Makisara@kolumbus.fi +Fixes: 9604eea5bd3a ("scsi: st: Add third party poweron reset handling") +CC: stable@vger.kernel.org +Closes: https://lore.kernel.org/linux-scsi/2201CF73-4795-4D3B-9A79-6EE5215CF58D@kolumbus.fi/ +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/st.c | 6 ++++++ + drivers/scsi/st.h | 1 + + 2 files changed, 7 insertions(+) + +--- a/drivers/scsi/st.c ++++ b/drivers/scsi/st.c +@@ -1030,6 +1030,11 @@ static int test_ready(struct scsi_tape * + retval = new_session ? 
CHKRES_NEW_SESSION : CHKRES_READY; + break; + } ++ if (STp->first_tur) { ++ /* Don't set pos_unknown right after device recognition */ ++ STp->pos_unknown = 0; ++ STp->first_tur = 0; ++ } + + if (SRpnt != NULL) + st_release_request(SRpnt); +@@ -4328,6 +4333,7 @@ static int st_probe(struct device *dev) + blk_queue_rq_timeout(tpnt->device->request_queue, ST_TIMEOUT); + tpnt->long_timeout = ST_LONG_TIMEOUT; + tpnt->try_dio = try_direct_io; ++ tpnt->first_tur = 1; + + for (i = 0; i < ST_NBR_MODES; i++) { + STm = &(tpnt->modes[i]); +--- a/drivers/scsi/st.h ++++ b/drivers/scsi/st.h +@@ -170,6 +170,7 @@ struct scsi_tape { + unsigned char rew_at_close; /* rewind necessary at close */ + unsigned char inited; + unsigned char cleaning_req; /* cleaning requested? */ ++ unsigned char first_tur; /* first TEST UNIT READY */ + int block_size; + int min_block; + int max_block; diff --git a/queue-6.13/scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch b/queue-6.13/scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch new file mode 100644 index 0000000000..ee1d5db6a6 --- /dev/null +++ b/queue-6.13/scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch 
@@ -0,0 +1,45 @@
+From 87c4b5e8a6b65189abd9ea5010ab308941f964a4 Mon Sep 17 00:00:00 2001
+From: Long Li
+Date: Wed, 22 Jan 2025 19:07:22 -0800
+Subject: scsi: storvsc: Set correct data length for sending SCSI command without payload
+
+From: Long Li
+
+commit 87c4b5e8a6b65189abd9ea5010ab308941f964a4 upstream.
+
+In StorVSC, payload->range.len is used to indicate if this SCSI command
+carries payload. This data is allocated as part of the private driver data
+by the upper layer and may get passed to lower driver uninitialized.
+
+For example, the SCSI error handling mid layer may send TEST_UNIT_READY or
+REQUEST_SENSE while reusing the buffer from a failed command. The private
+data section may have stale data from the previous command.
+
+If the SCSI command doesn't carry payload, the driver may use this value as
+is for communicating with host, resulting in possible corruption.
+
+Fix this by always initializing this value.
+
+Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information given by the host")
+Cc: stable@kernel.org
+Tested-by: Roman Kisel
+Reviewed-by: Roman Kisel
+Reviewed-by: Michael Kelley
+Signed-off-by: Long Li
+Link: https://lore.kernel.org/r/1737601642-7759-1-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/storvsc_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1800,6 +1800,7 @@ static int storvsc_queuecommand(struct S
+
+ length = scsi_bufflen(scmnd);
+ payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
++ payload->range.len = 0;
+ payload_sz = 0;
+
+ if (scsi_sg_count(scmnd)) {
diff --git a/queue-6.13/scsi-ufs-core-fix-the-high-low_temp-bit-definitions.patch b/queue-6.13/scsi-ufs-core-fix-the-high-low_temp-bit-definitions.patch
new file mode 100644
index 0000000000..55cfe4cc13
--- /dev/null
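Review bot: The added `payload->range.len = 0;` in `storvsc_queuecommand()` has no comment, although the reason for it cannot be read from the code: per the commit message the field lives in per-command private data that may still hold a previous command's values, and it is what tells the driver whether a payload is attached. A comment such as `/* cmd_request may carry stale data from a reused command; len == 0 means no payload */` above the assignment would record that. Only `range.len` is reset here; whether any other field reached through `cmd_request->mpb` can be read stale on the no-payload path depends on code outside this hunk and is worth confirming.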
+++ b/queue-6.13/scsi-ufs-core-fix-the-high-low_temp-bit-definitions.patch
@@ -0,0 +1,39 @@
+From 1b3e2d4ec0c5848776cc56d2624998aa5b2f0d27 Mon Sep 17 00:00:00 2001
+From: "Bao D. Nguyen"
+Date: Mon, 13 Jan 2025 10:32:07 -0800
+Subject: scsi: ufs: core: Fix the HIGH/LOW_TEMP Bit Definitions
+
+From: Bao D. Nguyen
+
+commit 1b3e2d4ec0c5848776cc56d2624998aa5b2f0d27 upstream.
+
+According to the UFS Device Specification, the dExtendedUFSFeaturesSupport
+defines the support for TOO_HIGH_TEMPERATURE as bit[4] and the
+TOO_LOW_TEMPERATURE as bit[5]. Correct the code to match with
+the UFS device specification definition.
+
+Cc: stable@vger.kernel.org
+Fixes: e88e2d32200a ("scsi: ufs: core: Probe for temperature notification support")
+Signed-off-by: Bao D. Nguyen
+Link: https://lore.kernel.org/r/69992b3e3e3434a5c7643be5a64de48be892ca46.1736793068.git.quic_nguyenb@quicinc.com
+Reviewed-by: Avri Altman
+Reviewed-by: Peter Wang
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/ufs/ufs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/ufs/ufs.h
++++ b/include/ufs/ufs.h
+@@ -386,8 +386,8 @@ enum {
+
+ /* Possible values for dExtendedUFSFeaturesSupport */
+ enum {
+- UFS_DEV_LOW_TEMP_NOTIF = BIT(4),
+- UFS_DEV_HIGH_TEMP_NOTIF = BIT(5),
++ UFS_DEV_HIGH_TEMP_NOTIF = BIT(4),
++ UFS_DEV_LOW_TEMP_NOTIF = BIT(5),
+ UFS_DEV_EXT_TEMP_NOTIF = BIT(6),
+ UFS_DEV_HPB_SUPPORT = BIT(7),
+ UFS_DEV_WRITE_BOOSTER_SUP = BIT(8),
diff --git a/queue-6.13/scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch b/queue-6.13/scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch
new file mode 100644
index 0000000000..596c0a29dd
--- /dev/null
+++ b/queue-6.13/scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch
@@ -0,0 +1,256 @@ +From f8fb2403ddebb5eea0033d90d9daae4c88749ada Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A9=20Draszik?= +Date: Fri, 24 Jan 2025 15:09:00 +0000 +Subject: scsi: ufs: core: Fix use-after free in init error and remove paths +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: André Draszik + +commit f8fb2403ddebb5eea0033d90d9daae4c88749ada upstream. + +devm_blk_crypto_profile_init() registers a cleanup handler to run when +the associated (platform-) device is being released. For UFS, the +crypto private data and pointers are stored as part of the ufs_hba's +data structure 'struct ufs_hba::crypto_profile'. This structure is +allocated as part of the underlying ufshcd and therefore Scsi_host +allocation. + +During driver release or during error handling in ufshcd_pltfrm_init(), +this structure is released as part of ufshcd_dealloc_host() before the +(platform-) device associated with the crypto call above is released. +Once this device is released, the crypto cleanup code will run, using +the just-released 'struct ufs_hba::crypto_profile'. 
This causes a +use-after-free situation: + + Call trace: + kfree+0x60/0x2d8 (P) + kvfree+0x44/0x60 + blk_crypto_profile_destroy_callback+0x28/0x70 + devm_action_release+0x1c/0x30 + release_nodes+0x6c/0x108 + devres_release_all+0x98/0x100 + device_unbind_cleanup+0x20/0x70 + really_probe+0x218/0x2d0 + +In other words, the initialisation code flow is: + + platform-device probe + ufshcd_pltfrm_init() + ufshcd_alloc_host() + scsi_host_alloc() + allocation of struct ufs_hba + creation of scsi-host devices + devm_blk_crypto_profile_init() + devm registration of cleanup handler using platform-device + +and during error handling of ufshcd_pltfrm_init() or during driver +removal: + + ufshcd_dealloc_host() + scsi_host_put() + put_device(scsi-host) + release of struct ufs_hba + put_device(platform-device) + crypto cleanup handler + +To fix this use-after free, change ufshcd_alloc_host() to register a +devres action to automatically cleanup the underlying SCSI device on +ufshcd destruction, without requiring explicit calls to +ufshcd_dealloc_host(). This way: + + * the crypto profile and all other ufs_hba-owned resources are + destroyed before SCSI (as they've been registered after) + * a memleak is plugged in tc-dwc-g210-pci.c remove() as a + side-effect + * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as + it's not needed anymore + * no future drivers using ufshcd_alloc_host() could ever forget + adding the cleanup + +Fixes: cb77cb5abe1f ("blk-crypto: rename blk_keyslot_manager to blk_crypto_profile") +Fixes: d76d9d7d1009 ("scsi: ufs: use devm_blk_ksm_init()") +Cc: stable@vger.kernel.org +Signed-off-by: André Draszik +Link: https://lore.kernel.org/r/20250124-ufshcd-fix-v4-1-c5d0144aae59@linaro.org +Reviewed-by: Bean Huo +Reviewed-by: Manivannan Sadhasivam +Acked-by: Eric Biggers +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 31 +++++++++++++++++++++---------- + drivers/ufs/host/ufshcd-pci.c | 2 -- + drivers/ufs/host/ufshcd-pltfrm.c | 28 +++++++++------------------- + include/ufs/ufshcd.h | 1 - + 4 files changed, 30 insertions(+), 32 deletions(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -10293,16 +10293,6 @@ EXPORT_SYMBOL_GPL(ufshcd_system_thaw); + #endif /* CONFIG_PM_SLEEP */ + + /** +- * ufshcd_dealloc_host - deallocate Host Bus Adapter (HBA) +- * @hba: pointer to Host Bus Adapter (HBA) +- */ +-void ufshcd_dealloc_host(struct ufs_hba *hba) +-{ +- scsi_host_put(hba->host); +-} +-EXPORT_SYMBOL_GPL(ufshcd_dealloc_host); +- +-/** + * ufshcd_set_dma_mask - Set dma mask based on the controller + * addressing capability + * @hba: per adapter instance +@@ -10321,11 +10311,25 @@ static int ufshcd_set_dma_mask(struct uf + } + + /** ++ * ufshcd_devres_release - devres cleanup handler, invoked during release of ++ * hba->dev ++ * @host: pointer to SCSI host ++ */ ++static void ufshcd_devres_release(void *host) ++{ ++ scsi_host_put(host); ++} ++ ++/** + * ufshcd_alloc_host - allocate Host Bus Adapter (HBA) + * @dev: pointer to device handle + * @hba_handle: driver private handle + * + * Return: 0 on success, non-zero value on failure. ++ * ++ * NOTE: There is no corresponding ufshcd_dealloc_host() because this function ++ * keeps track of its allocations using devres and deallocates everything on ++ * device removal automatically. 
+ */ + int ufshcd_alloc_host(struct device *dev, struct ufs_hba **hba_handle) + { +@@ -10347,6 +10351,13 @@ int ufshcd_alloc_host(struct device *dev + err = -ENOMEM; + goto out_error; + } ++ ++ err = devm_add_action_or_reset(dev, ufshcd_devres_release, ++ host); ++ if (err) ++ return dev_err_probe(dev, err, ++ "failed to add ufshcd dealloc action\n"); ++ + host->nr_maps = HCTX_TYPE_POLL + 1; + hba = shost_priv(host); + hba->host = host; +--- a/drivers/ufs/host/ufshcd-pci.c ++++ b/drivers/ufs/host/ufshcd-pci.c +@@ -562,7 +562,6 @@ static void ufshcd_pci_remove(struct pci + pm_runtime_forbid(&pdev->dev); + pm_runtime_get_noresume(&pdev->dev); + ufshcd_remove(hba); +- ufshcd_dealloc_host(hba); + } + + /** +@@ -605,7 +604,6 @@ ufshcd_pci_probe(struct pci_dev *pdev, c + err = ufshcd_init(hba, mmio_base, pdev->irq); + if (err) { + dev_err(&pdev->dev, "Initialization failed\n"); +- ufshcd_dealloc_host(hba); + return err; + } + +--- a/drivers/ufs/host/ufshcd-pltfrm.c ++++ b/drivers/ufs/host/ufshcd-pltfrm.c +@@ -465,21 +465,17 @@ int ufshcd_pltfrm_init(struct platform_d + struct device *dev = &pdev->dev; + + mmio_base = devm_platform_ioremap_resource(pdev, 0); +- if (IS_ERR(mmio_base)) { +- err = PTR_ERR(mmio_base); +- goto out; +- } ++ if (IS_ERR(mmio_base)) ++ return PTR_ERR(mmio_base); + + irq = platform_get_irq(pdev, 0); +- if (irq < 0) { +- err = irq; +- goto out; +- } ++ if (irq < 0) ++ return irq; + + err = ufshcd_alloc_host(dev, &hba); + if (err) { + dev_err(dev, "Allocation failed\n"); +- goto out; ++ return err; + } + + hba->vops = vops; +@@ -488,13 +484,13 @@ int ufshcd_pltfrm_init(struct platform_d + if (err) { + dev_err(dev, "%s: clock parse failed %d\n", + __func__, err); +- goto dealloc_host; ++ return err; + } + err = ufshcd_parse_regulator_info(hba); + if (err) { + dev_err(dev, "%s: regulator init failed %d\n", + __func__, err); +- goto dealloc_host; ++ return err; + } + + ufshcd_init_lanes_per_dir(hba); +@@ -502,25 +498,20 @@ int ufshcd_pltfrm_init(struct 
platform_d + err = ufshcd_parse_operating_points(hba); + if (err) { + dev_err(dev, "%s: OPP parse failed %d\n", __func__, err); +- goto dealloc_host; ++ return err; + } + + err = ufshcd_init(hba, mmio_base, irq); + if (err) { + dev_err_probe(dev, err, "Initialization failed with error %d\n", + err); +- goto dealloc_host; ++ return err; + } + + pm_runtime_set_active(dev); + pm_runtime_enable(dev); + + return 0; +- +-dealloc_host: +- ufshcd_dealloc_host(hba); +-out: +- return err; + } + EXPORT_SYMBOL_GPL(ufshcd_pltfrm_init); + +@@ -534,7 +525,6 @@ void ufshcd_pltfrm_remove(struct platfor + + pm_runtime_get_sync(&pdev->dev); + ufshcd_remove(hba); +- ufshcd_dealloc_host(hba); + pm_runtime_disable(&pdev->dev); + pm_runtime_put_noidle(&pdev->dev); + } +--- a/include/ufs/ufshcd.h ++++ b/include/ufs/ufshcd.h +@@ -1297,7 +1297,6 @@ static inline void ufshcd_rmwl(struct uf + void ufshcd_enable_irq(struct ufs_hba *hba); + void ufshcd_disable_irq(struct ufs_hba *hba); + int ufshcd_alloc_host(struct device *, struct ufs_hba **); +-void ufshcd_dealloc_host(struct ufs_hba *); + int ufshcd_hba_enable(struct ufs_hba *hba); + int ufshcd_init(struct ufs_hba *, void __iomem *, unsigned int); + int ufshcd_link_recovery(struct ufs_hba *hba); diff --git a/queue-6.13/scsi-ufs-qcom-fix-crypto-key-eviction.patch b/queue-6.13/scsi-ufs-qcom-fix-crypto-key-eviction.patch new file mode 100644 index 0000000000..ada771d019 --- /dev/null +++ b/queue-6.13/scsi-ufs-qcom-fix-crypto-key-eviction.patch 
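Review bot: The NOTE added to the kernel-doc of `ufshcd_alloc_host()` says cleanup is automatic but leaves out the ordering rule the use-after-free fix depends on. Per the commit message, the crypto profile and the other `struct ufs_hba`-owned resources are destroyed before the SCSI host only because they are registered with devres after this call. I would add one line to the NOTE, e.g. `* devres releases in reverse order of registration, so anything that points into struct ufs_hba must be registered on @dev after this call.` In the same function the new `devm_add_action_or_reset()` failure branch returns directly while the allocation failure just above it uses `goto out_error`; that label is outside the hunk, so whether the two paths are meant to differ cannot be confirmed from here.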
@@ -0,0 +1,58 @@
+From 7a0905caf5665be41094a6ceb5e9d2524de4627a Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Mon, 9 Dec 2024 19:08:39 -0800
+Subject: scsi: ufs: qcom: Fix crypto key eviction
+
+From: Eric Biggers
+
+commit 7a0905caf5665be41094a6ceb5e9d2524de4627a upstream.
+
+Commit 56541c7c4468 ("scsi: ufs: ufs-qcom: Switch to the new ICE API")
+introduced an incorrect check of the algorithm ID into the key eviction
+path, and thus qcom_ice_evict_key() is no longer ever called. Fix it.
+
+Fixes: 56541c7c4468 ("scsi: ufs: ufs-qcom: Switch to the new ICE API")
+Cc: stable@vger.kernel.org
+Cc: Abel Vesa
+Signed-off-by: Eric Biggers
+Link: https://lore.kernel.org/r/20241210030839.1118805-1-ebiggers@kernel.org
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ufs/host/ufs-qcom.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -155,8 +155,9 @@ static int ufs_qcom_ice_program_key(stru
+ {
+ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+ union ufs_crypto_cap_entry cap;
+- bool config_enable =
+- cfg->config_enable & UFS_CRYPTO_CONFIGURATION_ENABLE;
++
++ if (!(cfg->config_enable & UFS_CRYPTO_CONFIGURATION_ENABLE))
++ return qcom_ice_evict_key(host->ice, slot);
+
+ /* Only AES-256-XTS has been tested so far. */
+ cap = hba->crypto_cap_array[cfg->crypto_cap_idx];
+@@ -164,14 +165,11 @@ static int ufs_qcom_ice_program_key(stru
+ cap.key_size != UFS_CRYPTO_KEY_SIZE_256)
+ return -EOPNOTSUPP;
+
+- if (config_enable)
+- return qcom_ice_program_key(host->ice,
+- QCOM_ICE_CRYPTO_ALG_AES_XTS,
+- QCOM_ICE_CRYPTO_KEY_SIZE_256,
+- cfg->crypto_key,
+- cfg->data_unit_size, slot);
+- else
+- return qcom_ice_evict_key(host->ice, slot);
++ return qcom_ice_program_key(host->ice,
++ QCOM_ICE_CRYPTO_ALG_AES_XTS,
++ QCOM_ICE_CRYPTO_KEY_SIZE_256,
++ cfg->crypto_key,
++ cfg->data_unit_size, slot);
+ }
+
+ #else
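Review bot: The early return added at the top of ufs_qcom_ice_program_key() has no comment saying why eviction must be decided before the capability lookup, and that ordering is the whole fix. Per the commit message, the algorithm check in front of it meant qcom_ice_evict_key() was never reached, so a disable request presumably left the key programmed in its slot. I would add `/* Eviction must not depend on the capability check below; a disable request always clears the slot. */` above the `if`, so a later refactor does not fold the two paths back together. The function's signature is outside the hunk.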
diff --git a/queue-6.13/seccomp-passthrough-uretprobe-systemcall-without-filtering.patch b/queue-6.13/seccomp-passthrough-uretprobe-systemcall-without-filtering.patch
new file mode 100644
index 0000000000..c343594d2b
--- /dev/null
+++ b/queue-6.13/seccomp-passthrough-uretprobe-systemcall-without-filtering.patch
@@ -0,0 +1,70 @@ +From cf6cb56ef24410fb5308f9655087f1eddf4452e6 Mon Sep 17 00:00:00 2001 +From: Eyal Birger +Date: Sun, 2 Feb 2025 08:29:20 -0800 +Subject: seccomp: passthrough uretprobe systemcall without filtering + +From: Eyal Birger + +commit cf6cb56ef24410fb5308f9655087f1eddf4452e6 upstream. + +When attaching uretprobes to processes running inside docker, the attached +process is segfaulted when encountering the retprobe. + +The reason is that now that uretprobe is a system call the default seccomp +filters in docker block it as they only allow a specific set of known +syscalls. This is true for other userspace applications which use seccomp +to control their syscall surface. + +Since uretprobe is a "kernel implementation detail" system call which is +not used by userspace application code directly, it is impractical and +there's very little point in forcing all userspace applications to +explicitly allow it in order to avoid crashing tracked processes. + +Pass this systemcall through seccomp without depending on configuration. + +Note: uretprobe is currently only x86_64 and isn't expected to ever be +supported in i386. 
+ +Fixes: ff474a78cef5 ("uprobe: Add uretprobe syscall to speed up return probe") +Reported-by: Rafael Buchbinder +Closes: https://lore.kernel.org/lkml/CAHsH6Gs3Eh8DFU0wq58c_LF8A4_+o6z456J7BidmcVY2AqOnHQ@mail.gmail.com/ +Link: https://lore.kernel.org/lkml/20250121182939.33d05470@gandalf.local.home/T/#me2676c378eff2d6a33f3054fed4a5f3afa64e65b +Link: https://lore.kernel.org/lkml/20250128145806.1849977-1-eyal.birger@gmail.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Eyal Birger +Link: https://lore.kernel.org/r/20250202162921.335813-2-eyal.birger@gmail.com +[kees: minimized changes for easier backporting, tweaked commit log] +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + kernel/seccomp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/kernel/seccomp.c ++++ b/kernel/seccomp.c +@@ -749,6 +749,15 @@ static bool seccomp_is_const_allow(struc + if (WARN_ON_ONCE(!fprog)) + return false; + ++ /* Our single exception to filtering. */ ++#ifdef __NR_uretprobe ++#ifdef SECCOMP_ARCH_COMPAT ++ if (sd->arch == SECCOMP_ARCH_NATIVE) ++#endif ++ if (sd->nr == __NR_uretprobe) ++ return true; ++#endif ++ + for (pc = 0; pc < fprog->len; pc++) { + struct sock_filter *insn = &fprog->filter[pc]; + u16 code = insn->code; +@@ -1023,6 +1032,9 @@ static inline void seccomp_log(unsigned + */ + static const int mode1_syscalls[] = { + __NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn, ++#ifdef __NR_uretprobe ++ __NR_uretprobe, ++#endif + -1, /* negative terminated */ + }; + diff --git a/queue-6.13/serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch b/queue-6.13/serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch new file mode 100644 index 0000000000..9f512b439e --- /dev/null +++ b/queue-6.13/serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch 
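Review bot: The comment `/* Our single exception to filtering. */` in seccomp_is_const_allow() does not say what the exception costs. With this return, and with `__NR_uretprobe` added to `mode1_syscalls[]` in the second hunk, the commit message states the call is passed through "without depending on configuration", so a policy author can apparently no longer deny or log it. I would spell that out, e.g. `/* uretprobe is a kernel implementation detail: always allowed on the native arch, filters cannot deny or audit it. */`, so that any further exception is weighed against that. The `#ifdef SECCOMP_ARCH_COMPAT` line also guards an unbraced `if` whose body is the following `if`; bracing the inner statement would keep a later edit from changing which statement is conditional. Both functions continue outside the hunks.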
@@ -0,0 +1,79 @@ +From 9f7dea875cc7f9c1a56a5c688290634a59cd1420 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Thu, 16 Jan 2025 20:22:47 +0200 +Subject: serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use + +From: Claudiu Beznea + +commit 9f7dea875cc7f9c1a56a5c688290634a59cd1420 upstream. + +In the sh-sci driver, sci_ports[0] is used by earlycon. If the earlycon is +still active when sci_probe() is called and the new serial port is supposed +to map to sci_ports[0], return -EBUSY to prevent breaking the earlycon. + +This situation should occurs in debug scenarios, and users should be +aware of the potential conflict. + +Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support") +Cc: stable@vger.kernel.org +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20250116182249.3828577-4-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -165,6 +165,7 @@ struct sci_port { + static struct sci_port sci_ports[SCI_NPORTS]; + static unsigned long sci_ports_in_use; + static struct uart_driver sci_uart_driver; ++static bool sci_uart_earlycon; + + static inline struct sci_port * + to_sci_port(struct uart_port *uart) +@@ -3450,6 +3451,7 @@ static int sci_probe_single(struct platf + static int sci_probe(struct platform_device *dev) + { + struct plat_sci_port *p; ++ struct resource *res; + struct sci_port *sp; + unsigned int dev_id; + int ret; +@@ -3479,6 +3481,26 @@ static int sci_probe(struct platform_dev + } + + sp = &sci_ports[dev_id]; ++ ++ /* ++ * In case: ++ * - the probed port alias is zero (as the one used by earlycon), and ++ * - the earlycon is still active (e.g., "earlycon keep_bootcon" in ++ * bootargs) ++ * ++ * defer the probe of this serial. 
This is a debug scenario and the user ++ * must be aware of it. ++ * ++ * Except when the probed port is the same as the earlycon port. ++ */ ++ ++ res = platform_get_resource(dev, IORESOURCE_MEM, 0); ++ if (!res) ++ return -ENODEV; ++ ++ if (sci_uart_earlycon && sp == &sci_ports[0] && sp->port.mapbase != res->start) ++ return dev_err_probe(&dev->dev, -EBUSY, "sci_port[0] is used by earlycon!\n"); ++ + platform_set_drvdata(dev, sp); + + ret = sci_probe_single(dev, dev_id, p, sp); +@@ -3575,6 +3597,7 @@ static int __init early_console_setup(st + port_cfg.type = type; + sci_ports[0].cfg = &port_cfg; + sci_ports[0].params = sci_probe_regmap(&port_cfg); ++ sci_uart_earlycon = true; + port_cfg.scscr = sci_serial_in(&sci_ports[0].port, SCSCR); + sci_serial_out(&sci_ports[0].port, SCSCR, + SCSCR_RE | SCSCR_TE | port_cfg.scscr); diff --git a/queue-6.13/serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch b/queue-6.13/serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch new file mode 100644 index 0000000000..fa249f39f2 --- /dev/null +++ b/queue-6.13/serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch 
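Review bot: The block comment added in sci_probe() says to "defer the probe of this serial", but the code below it returns `-EBUSY` through dev_err_probe(), which fails the probe rather than deferring it; the commit message also says -EBUSY. The comment should match the code, e.g. `* fail the probe of this serial port with -EBUSY.` Separately, `sci_uart_earlycon` is set to true in early_console_setup() and nothing in these hunks clears it. If the flag is meant to track an earlycon that is "still active", the place where it goes back to false should be named in the comment or added. sci_probe() starts and ends outside the hunk.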
@@ -0,0 +1,38 @@
+From eaeee4225dba30bef4d424bdf134a07b7f423e8b Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea
+Date: Thu, 16 Jan 2025 20:22:45 +0200
+Subject: serial: sh-sci: Drop __initdata macro for port_cfg
+
+From: Claudiu Beznea
+
+commit eaeee4225dba30bef4d424bdf134a07b7f423e8b upstream.
+
+The port_cfg object is used by serial_console_write(), which serves as
+the write function for the earlycon device. Marking port_cfg as __initdata
+causes it to be freed after kernel initialization, resulting in earlycon
+becoming unavailable thereafter. Remove the __initdata macro from port_cfg
+to resolve this issue.
+
+Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: Claudiu Beznea
+Fixes: 0b0cced19ab15c9e ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
+Link: https://lore.kernel.org/r/20250116182249.3828577-2-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/sh-sci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -3562,7 +3562,7 @@ sh_early_platform_init_buffer("earlyprin
+ early_serial_buf, ARRAY_SIZE(early_serial_buf));
+ #endif
+ #ifdef CONFIG_SERIAL_SH_SCI_EARLYCON
+-static struct plat_sci_port port_cfg __initdata;
++static struct plat_sci_port port_cfg;
+
+ static int __init early_console_setup(struct earlycon_device *device,
+ int type)
diff --git a/queue-6.13/series b/queue-6.13/series
index d4db5d6e46..444a884011 100644
--- a/queue-6.13/series
+++ b/queue-6.13/series
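Review bot: In the sh-sci.c hunk, `port_cfg` now carries no hint that it must outlive init, while early_console_setup() just below it is still `__init`, so a later cleanup pass could put the annotation back. A one-line comment would prevent that, e.g. `/* Not __initdata: the earlycon write path keeps using this after init memory is freed. */`. The commit message names serial_console_write() as the late user; that function is not in the hunk.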
@@ -206,3 +206,83 @@ clk-mediatek-mt2701-aud-fix-conversion-to-mtk_clk_simple_probe.patch clk-mediatek-mt2701-bdp-add-missing-dummy-clk.patch clk-mediatek-mt2701-img-add-missing-dummy-clk.patch clk-mediatek-mt2701-mm-add-missing-dummy-clk.patch +seccomp-passthrough-uretprobe-systemcall-without-filtering.patch +blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch +efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch +x86-efi-skip-memattr-table-on-kexec-boot.patch +perf-bench-fix-undefined-behavior-in-cmpworker.patch +scsi-ufs-core-fix-the-high-low_temp-bit-definitions.patch +of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch +of-address-fix-empty-resource-handling-in-__of_address_resource_bounds.patch +of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch +of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch +of-reserved-memory-warn-for-missing-static-reserved-memory-regions.patch +input-bbnsm_pwrkey-add-remove-hook.patch +hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch +ring-buffer-do-not-allow-events-in-nmi-with-generic-atomic64-cmpxchg.patch +atomic64-use-arch_spin_locks-instead-of-raw_spin_locks.patch +wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch +wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch +wifi-mt76-mt7921u-add-vid-pid-for-tp-link-txe50uh.patch +wifi-rtw88-sdio-fix-disconnection-after-beacon-loss.patch +wifi-mt76-mt7915-add-module-param-to-select-5-ghz-or-6-ghz-on-mt7916.patch +wifi-rtw88-8703b-fix-rx-tx-issues.patch +usb-gadget-f_tcm-translate-error-to-sense.patch +usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch +usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch +usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch +usbnet-ipheth-fix-possible-overflow-in-dpe-length-check.patch +usbnet-ipheth-use-static-ndp16-location-in-urb.patch +usbnet-ipheth-check-that-dpe-points-past-ncm-header.patch 
+usbnet-ipheth-refactor-ncm-datagram-loop.patch +usbnet-ipheth-break-up-ncm-header-size-computation.patch +usbnet-ipheth-fix-dpe-oob-read.patch +usbnet-ipheth-document-scope-of-ncm-implementation.patch +arm64-dts-qcom-x1e80100-asus-vivobook-s15-fix-usb-qmp-phy-supplies.patch +arm64-dts-qcom-x1e80100-dell-xps13-9345-fix-usb-qmp-phy-supplies.patch +arm64-dts-qcom-x1e80100-qcp-fix-usb-qmp-phy-supplies.patch +arm64-dts-qcom-x1e78100-lenovo-thinkpad-t14s-fix-usb-qmp-phy-supplies.patch +arm64-dts-qcom-x1e80100-crd-fix-usb-qmp-phy-supplies.patch +arm64-dts-qcom-x1e80100-lenovo-yoga-slim7x-fix-usb-qmp-phy-supplies.patch +arm64-dts-qcom-x1e80100-microsoft-romulus-fix-usb-qmp-phy-supplies.patch +arm64-dts-qcom-x1e80100-fix-usb_2-controller-interrupts.patch +asoc-renesas-rz-ssi-terminate-all-the-dma-transactions.patch +asoc-renesas-rz-ssi-add-a-check-for-negative-sample_space.patch +asoc-acp-support-microphone-from-lenovo-go-s.patch +soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch +serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch +serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch +mips-loongson64-remove-rom-size-unit-in-boardinfo.patch +loongarch-extend-the-maximum-number-of-watchpoints.patch +powerpc-pseries-eeh-fix-get-pe-state-translation.patch +dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch +dm-crypt-track-tag_offset-in-convert_context.patch +mips-math-emu-fix-emulation-of-the-prefx-instruction.patch +mips-pci-legacy-override-pci_address_to_pio.patch +revert-mips-csrc-r4k-select-have_unstable_sched_clock-if-smp-64bit.patch +block-don-t-revert-iter-for-eiocbqueued.patch +revert-media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch +firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_is_available.patch +firmware-qcom-scm-fix-missing-read-barrier-in-qcom_scm_get_tzmem_pool.patch +alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch 
+alsa-hda-realtek-fix-quirk-matching-for-legion-pro-7.patch +alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch +alsa-hda-realtek-workaround-for-resume-on-dell-venue-11-pro-7130.patch +arm64-tegra-fix-tegra234-pcie-interrupt-map.patch +s390-pci-fix-sr-iov-for-pfs-initially-in-standby.patch +pci-avoid-putting-some-root-ports-into-d3-on-tuxedo-sirius-gen1.patch +pci-endpoint-finish-virtual-ep-removal-in-pci_epf_remove_vepf.patch +pci-dwc-ep-write-bar_mask-before-iatu-registers-in-pci_epc_set_bar.patch +pci-dwc-ep-prevent-changing-bar-size-flags-in-pci_epc_set_bar.patch +nvme-pci-add-tuxedo-infinityflex-to-samsung-sleep-quirk.patch +nvme-pci-add-tuxedo-ibp-gen9-to-samsung-sleep-quirk.patch +kvm-x86-mmu-ensure-nx-huge-page-recovery-thread-is-alive-before-waking.patch +scsi-st-don-t-set-pos_unknown-just-after-device-recognition.patch +scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch +scsi-ufs-qcom-fix-crypto-key-eviction.patch +scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch +scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch +scsi-core-do-not-retry-i-os-during-depopulation.patch +kbuild-move-wenum-enum-conversion-to-w-2.patch +pidfs-check-for-valid-ioctl-commands.patch +pidfs-improve-ioctl-handling.patch diff --git a/queue-6.13/soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch b/queue-6.13/soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch new file mode 100644 index 0000000000..17d81f932a --- /dev/null +++ b/queue-6.13/soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch 
@@ -0,0 +1,49 @@
+From 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold
+Date: Mon, 30 Dec 2024 20:59:35 +0100
+Subject: soc: qcom: socinfo: Avoid out of bounds read of serial number
+
+From: Stephan Gerhold
+
+commit 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 upstream.
+
+On MSM8916 devices, the serial number exposed in sysfs is constant and does
+not change across individual devices. It's always:
+
+ db410c:/sys/devices/soc0$ cat serial_number
+ 2644893864
+
+The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not
+have support for the serial_num field in the socinfo struct. There is an
+existing check to avoid exposing the serial number in that case, but it's
+not correct: When checking the item_size returned by SMEM, we need to make
+sure the *end* of the serial_num is within bounds, instead of comparing
+with the *start* offset. The serial_number currently exposed on MSM8916
+devices is just an out of bounds read of whatever comes after the socinfo
+struct in SMEM.
+
+Fix this by changing offsetof() to offsetofend(), so that the size of the
+field is also taken into account.
+
+Cc: stable@vger.kernel.org
+Fixes: efb448d0a3fc ("soc: qcom: Add socinfo driver")
+Signed-off-by: Stephan Gerhold
+Reviewed-by: Dmitry Baryshkov
+Link: https://lore.kernel.org/r/20241230-qcom-socinfo-serialno-oob-v1-1-9b7a890da3da@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/qcom/socinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/socinfo.c
++++ b/drivers/soc/qcom/socinfo.c
+@@ -796,7 +796,7 @@ static int qcom_socinfo_probe(struct pla
+ if (!qs->attr.soc_id || !qs->attr.revision)
+ return -ENOMEM;
+
+- if (offsetof(struct socinfo, serial_num) <= item_size) {
++ if (offsetofend(struct socinfo, serial_num) <= item_size) {
+ qs->attr.serial_number = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "%u",
+ le32_to_cpu(info->serial_num));
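Review bot: The corrected bound in qcom_socinfo_probe() deserves a comment, because the difference between offsetof() and offsetofend() is easy to undo and the result was data from beyond the SMEM item being published in sysfs. Something like `/* serial_num must lie entirely within the SMEM item; older socinfo layouts end before it. */` above the `if` would do. Any other `item_size` comparison in this function that guards a field read should be checked for the same start-versus-end mistake. None is visible in this hunk, and the function extends past it on both sides.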
diff --git a/queue-6.13/usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch b/queue-6.13/usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch new file mode 100644 index 0000000000..7eef1f6654 --- /dev/null +++ b/queue-6.13/usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch @@ -0,0 +1,32 @@ +From 3b2a52e88ab0c9469eaadd4d4c8f57d072477820 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 11 Dec 2024 00:31:48 +0000 +Subject: usb: gadget: f_tcm: Decrement command ref count on cleanup + +From: Thinh Nguyen + +commit 3b2a52e88ab0c9469eaadd4d4c8f57d072477820 upstream. + +We submitted the command with TARGET_SCF_ACK_KREF, which requires +acknowledgment of command completion. If the command fails, make sure to +decrement the ref count. + +Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs") +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/3c667b4d9c8b0b580346a69ff53616b6a74cfea2.1733876548.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -973,6 +973,7 @@ static void usbg_data_write_cmpl(struct + return; + + cleanup: ++ target_put_sess_cmd(se_cmd); + transport_generic_free_cmd(&cmd->se_cmd, 0); + } + diff --git a/queue-6.13/usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch b/queue-6.13/usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch new file mode 100644 index 0000000000..59e1869893 --- /dev/null +++ b/queue-6.13/usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch 
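Review bot: The `cleanup:` path in usbg_data_write_cmpl() now names the command two ways, `se_cmd` in the added call and `&cmd->se_cmd` in the line after it. Presumably these are the same object (the declaration is outside the hunk), and using one spelling for both calls would make that obvious to a reader checking the reference counting. The pairing with the submit-time flag is also worth recording, e.g. `/* Drop the reference held for TARGET_SCF_ACK_KREF. */`, since the flag is set elsewhere and nothing at this label points back to it.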
@@ -0,0 +1,55 @@ +From 94d9bf671ae314cacc2d7bf96bd233b4abc7cede Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 11 Dec 2024 00:32:07 +0000 +Subject: usb: gadget: f_tcm: Don't prepare BOT write request twice + +From: Thinh Nguyen + +commit 94d9bf671ae314cacc2d7bf96bd233b4abc7cede upstream. + +The duplicate kmalloc here is causing memory leak. The request +preparation in bot_send_write_request is also done in +usbg_prepare_w_request. Remove the duplicate work. + +Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT") +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/f4f26c3d586cde0d46f8c3bcb4e8ae32311b650d.1733876548.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 17 ----------------- + 1 file changed, 17 deletions(-) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -245,7 +245,6 @@ static int bot_send_write_request(struct + { + struct f_uas *fu = cmd->fu; + struct se_cmd *se_cmd = &cmd->se_cmd; +- struct usb_gadget *gadget = fuas_to_gadget(fu); + int ret; + + init_completion(&cmd->write_complete); +@@ -256,22 +255,6 @@ static int bot_send_write_request(struct + return -EINVAL; + } + +- if (!gadget->sg_supported) { +- cmd->data_buf = kmalloc(se_cmd->data_length, GFP_KERNEL); +- if (!cmd->data_buf) +- return -ENOMEM; +- +- fu->bot_req_out->buf = cmd->data_buf; +- } else { +- fu->bot_req_out->buf = NULL; +- fu->bot_req_out->num_sgs = se_cmd->t_data_nents; +- fu->bot_req_out->sg = se_cmd->t_data_sg; +- } +- +- fu->bot_req_out->complete = usbg_data_write_cmpl; +- fu->bot_req_out->length = se_cmd->data_length; +- fu->bot_req_out->context = cmd; +- + ret = usbg_prepare_w_request(cmd, fu->bot_req_out); + if (ret) + goto cleanup; 
diff --git a/queue-6.13/usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch b/queue-6.13/usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch
new file mode 100644
index 0000000000..0451913146
--- /dev/null
+++ b/queue-6.13/usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch
@@ -0,0 +1,80 @@ +From 25224c1f07d31c261d04dfbc705a7a0f314a825d Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 11 Dec 2024 00:32:01 +0000 +Subject: usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint + +From: Thinh Nguyen + +commit 25224c1f07d31c261d04dfbc705a7a0f314a825d upstream. + +Match usb endpoint using fullspeed endpoint descriptor to make sure the +wMaxPacketSize for fullspeed descriptors is automatically configured. + +Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT") +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/e4507bc824aed6e7c7f5a718392ab6a7c1480a7f.1733876548.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -1970,43 +1970,39 @@ static int tcm_bind(struct usb_configura + bot_intf_desc.bInterfaceNumber = iface; + uasp_intf_desc.bInterfaceNumber = iface; + fu->iface = iface; +- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bi_desc, +- &uasp_bi_ep_comp_desc); ++ ep = usb_ep_autoconfig(gadget, &uasp_fs_bi_desc); + if (!ep) + goto ep_fail; + + fu->ep_in = ep; + +- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bo_desc, +- &uasp_bo_ep_comp_desc); ++ ep = usb_ep_autoconfig(gadget, &uasp_fs_bo_desc); + if (!ep) + goto ep_fail; + fu->ep_out = ep; + +- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_status_desc, +- &uasp_status_in_ep_comp_desc); ++ ep = usb_ep_autoconfig(gadget, &uasp_fs_status_desc); + if (!ep) + goto ep_fail; + fu->ep_status = ep; + +- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_cmd_desc, +- &uasp_cmd_comp_desc); ++ ep = usb_ep_autoconfig(gadget, &uasp_fs_cmd_desc); + if (!ep) + goto ep_fail; + fu->ep_cmd = ep; + + /* Assume endpoint addresses are the same for both speeds */ +- uasp_bi_desc.bEndpointAddress = 
uasp_ss_bi_desc.bEndpointAddress; +- uasp_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress; ++ uasp_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress; ++ uasp_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress; + uasp_status_desc.bEndpointAddress = +- uasp_ss_status_desc.bEndpointAddress; +- uasp_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress; ++ uasp_fs_status_desc.bEndpointAddress; ++ uasp_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress; + +- uasp_fs_bi_desc.bEndpointAddress = uasp_ss_bi_desc.bEndpointAddress; +- uasp_fs_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress; +- uasp_fs_status_desc.bEndpointAddress = +- uasp_ss_status_desc.bEndpointAddress; +- uasp_fs_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress; ++ uasp_ss_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress; ++ uasp_ss_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress; ++ uasp_ss_status_desc.bEndpointAddress = ++ uasp_fs_status_desc.bEndpointAddress; ++ uasp_ss_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress; + + ret = usb_assign_descriptors(f, uasp_fs_function_desc, + uasp_hs_function_desc, uasp_ss_function_desc, diff --git a/queue-6.13/usb-gadget-f_tcm-translate-error-to-sense.patch b/queue-6.13/usb-gadget-f_tcm-translate-error-to-sense.patch new file mode 100644 index 0000000000..92761d72fd --- /dev/null +++ b/queue-6.13/usb-gadget-f_tcm-translate-error-to-sense.patch 
@@ -0,0 +1,42 @@ +From 98fa00fd3ae43b857b4976984a135483d89d9281 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 11 Dec 2024 00:31:43 +0000 +Subject: usb: gadget: f_tcm: Translate error to sense + +From: Thinh Nguyen + +commit 98fa00fd3ae43b857b4976984a135483d89d9281 upstream. + +When respond with check_condition error status, clear from_transport +input so the target layer can translate the sense reason reported by +f_tcm. + +Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT") +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/b2a5577efe7abd0af0051229622cf7d3be5cdcd0.1733876548.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -1065,7 +1065,7 @@ static void usbg_cmd_work(struct work_st + + out: + transport_send_check_condition_and_sense(se_cmd, +- TCM_UNSUPPORTED_SCSI_OPCODE, 1); ++ TCM_UNSUPPORTED_SCSI_OPCODE, 0); + } + + static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu, +@@ -1193,7 +1193,7 @@ static void bot_cmd_work(struct work_str + + out: + transport_send_check_condition_and_sense(se_cmd, +- TCM_UNSUPPORTED_SCSI_OPCODE, 1); ++ TCM_UNSUPPORTED_SCSI_OPCODE, 0); + } + + static int bot_submit_command(struct f_uas *fu, diff --git a/queue-6.13/usbnet-ipheth-break-up-ncm-header-size-computation.patch b/queue-6.13/usbnet-ipheth-break-up-ncm-header-size-computation.patch new file mode 100644 index 0000000000..44f24c52a9 --- /dev/null +++ b/queue-6.13/usbnet-ipheth-break-up-ncm-header-size-computation.patch 
@@ -0,0 +1,53 @@ +From efcbc678a14be268040ffc1fa33c98faf2d55141 Mon Sep 17 00:00:00 2001 +From: Foster Snowhill +Date: Sun, 26 Jan 2025 00:54:07 +0100 +Subject: usbnet: ipheth: break up NCM header size computation + +From: Foster Snowhill + +commit efcbc678a14be268040ffc1fa33c98faf2d55141 upstream. + +Originally, the total NCM header size was computed as the sum of two +vaguely labelled constants. While accurate, it wasn't particularly clear +where they were coming from. + +Use sizes of existing NCM structs where available. Define the total +NDP16 size based on the maximum amount of DPEs that can fit into the +iOS-specific fixed-size header. + +This change does not fix any particular issue. Rather, it introduces +intermediate constants that will simplify subsequent commits. +It should also make it clearer for the reader where the constant values +come from. + +Cc: stable@vger.kernel.org # 6.5.x +Signed-off-by: Foster Snowhill +Reviewed-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ipheth.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -61,7 +61,18 @@ + #define IPHETH_USBINTF_PROTO 1 + + #define IPHETH_IP_ALIGN 2 /* padding at front of URB */ +-#define IPHETH_NCM_HEADER_SIZE (12 + 96) /* NCMH + NCM0 */ ++/* On iOS devices, NCM headers in RX have a fixed size regardless of DPE count: ++ * - NTH16 (NCMH): 12 bytes, as per CDC NCM 1.0 spec ++ * - NDP16 (NCM0): 96 bytes, of which ++ * - NDP16 fixed header: 8 bytes ++ * - maximum of 22 DPEs (21 datagrams + trailer), 4 bytes each ++ */ ++#define IPHETH_NDP16_MAX_DPE 22 ++#define IPHETH_NDP16_HEADER_SIZE (sizeof(struct usb_cdc_ncm_ndp16) + \ ++ IPHETH_NDP16_MAX_DPE * \ ++ sizeof(struct usb_cdc_ncm_dpe16)) ++#define IPHETH_NCM_HEADER_SIZE (sizeof(struct usb_cdc_ncm_nth16) + \ ++ IPHETH_NDP16_HEADER_SIZE) + #define IPHETH_TX_BUF_SIZE ETH_FRAME_LEN + #define 
IPHETH_RX_BUF_SIZE_LEGACY (IPHETH_IP_ALIGN + ETH_FRAME_LEN) + #define IPHETH_RX_BUF_SIZE_NCM 65536 diff --git a/queue-6.13/usbnet-ipheth-check-that-dpe-points-past-ncm-header.patch b/queue-6.13/usbnet-ipheth-check-that-dpe-points-past-ncm-header.patch new file mode 100644 index 0000000000..ef1d77f843 --- /dev/null +++ b/queue-6.13/usbnet-ipheth-check-that-dpe-points-past-ncm-header.patch @@ -0,0 +1,39 @@ +From 429fa68b58cefb9aa9de27e4089637298b46b757 Mon Sep 17 00:00:00 2001 +From: Foster Snowhill +Date: Sun, 26 Jan 2025 00:54:04 +0100 +Subject: usbnet: ipheth: check that DPE points past NCM header + +From: Foster Snowhill + +commit 429fa68b58cefb9aa9de27e4089637298b46b757 upstream. + +By definition, a DPE points at the start of a network frame/datagram. +Thus it makes no sense for it to point at anything that's part of the +NCM header. It is not a security issue, but merely an indication of +a malformed DPE. + +Enforce that all DPEs point at the data portion of the URB, past the +NCM header. + +Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support") +Cc: stable@vger.kernel.org +Signed-off-by: Foster Snowhill +Reviewed-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ipheth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -241,7 +241,8 @@ static int ipheth_rcvbulk_callback_ncm(s + dpe = ncm0->dpe16; + while (le16_to_cpu(dpe->wDatagramIndex) != 0 && + le16_to_cpu(dpe->wDatagramLength) != 0) { +- if (le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length || ++ if (le16_to_cpu(dpe->wDatagramIndex) < IPHETH_NCM_HEADER_SIZE || ++ le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length || + le16_to_cpu(dpe->wDatagramLength) > urb->actual_length - + le16_to_cpu(dpe->wDatagramIndex)) { + dev->net->stats.rx_length_errors++; 
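Review bot: In the hunk that redefines `IPHETH_NCM_HEADER_SIZE`, the new comment documents the NTH16 as 12 bytes and the NDP16 as 96, but nothing ties the macro to those numbers now that it is built from sizeof(). A change to either struct would silently move the boundary that the receive path compares `wDatagramIndex` against. A compile-time check next to the defines would pin it, e.g. `static_assert(IPHETH_NCM_HEADER_SIZE == 12 + 96);`.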
diff --git a/queue-6.13/usbnet-ipheth-document-scope-of-ncm-implementation.patch b/queue-6.13/usbnet-ipheth-document-scope-of-ncm-implementation.patch new file mode 100644 index 0000000000..916b2411fb --- /dev/null +++ b/queue-6.13/usbnet-ipheth-document-scope-of-ncm-implementation.patch @@ -0,0 +1,42 @@ +From be154b598fa54136e2be17d6dd13c8a8bc0078ce Mon Sep 17 00:00:00 2001 +From: Foster Snowhill +Date: Sun, 26 Jan 2025 00:54:09 +0100 +Subject: usbnet: ipheth: document scope of NCM implementation + +From: Foster Snowhill + +commit be154b598fa54136e2be17d6dd13c8a8bc0078ce upstream. + +Clarify that the "NCM" implementation in `ipheth` is very limited, as +iOS devices aren't compatible with the CDC NCM specification in regular +tethering mode. + +For a standards-compliant implementation, one shall turn to +the `cdc_ncm` module. + +Cc: stable@vger.kernel.org # 6.5.x +Signed-off-by: Foster Snowhill +Reviewed-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ipheth.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -218,6 +218,14 @@ static int ipheth_rcvbulk_callback_legac + return ipheth_consume_skb(buf, len, dev); + } + ++/* In "NCM mode", the iOS device encapsulates RX (phone->computer) traffic ++ * in NCM Transfer Blocks (similarly to CDC NCM). However, unlike reverse ++ * tethering (handled by the `cdc_ncm` driver), regular tethering is not ++ * compliant with the CDC NCM spec, as the device is missing the necessary ++ * descriptors, and TX (computer->phone) traffic is not encapsulated ++ * at all. Thus `ipheth` implements a very limited subset of the spec with ++ * the sole purpose of parsing RX URBs. ++ */ + static int ipheth_rcvbulk_callback_ncm(struct urb *urb) + { + struct usb_cdc_ncm_nth16 *ncmh; 
diff --git a/queue-6.13/usbnet-ipheth-fix-dpe-oob-read.patch b/queue-6.13/usbnet-ipheth-fix-dpe-oob-read.patch new file mode 100644 index 0000000000..768b3917ee --- /dev/null +++ b/queue-6.13/usbnet-ipheth-fix-dpe-oob-read.patch @@ -0,0 +1,42 @@ +From ee591f2b281721171896117f9946fced31441418 Mon Sep 17 00:00:00 2001 +From: Foster Snowhill +Date: Sun, 26 Jan 2025 00:54:08 +0100 +Subject: usbnet: ipheth: fix DPE OoB read + +From: Foster Snowhill + +commit ee591f2b281721171896117f9946fced31441418 upstream. + +Fix an out-of-bounds DPE read, limit the number of processed DPEs to +the amount that fits into the fixed-size NDP16 header. + +Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support") +Cc: stable@vger.kernel.org +Signed-off-by: Foster Snowhill +Reviewed-by: Jakub Kicinski +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ipheth.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -246,7 +246,7 @@ static int ipheth_rcvbulk_callback_ncm(s + goto rx_error; + + dpe = ncm0->dpe16; +- while (true) { ++ for (int dpe_i = 0; dpe_i < IPHETH_NDP16_MAX_DPE; ++dpe_i, ++dpe) { + dg_idx = le16_to_cpu(dpe->wDatagramIndex); + dg_len = le16_to_cpu(dpe->wDatagramLength); + +@@ -268,8 +268,6 @@ static int ipheth_rcvbulk_callback_ncm(s + retval = ipheth_consume_skb(buf, dg_len, dev); + if (retval != 0) + return retval; +- +- dpe++; + } + + rx_error: diff --git a/queue-6.13/usbnet-ipheth-fix-possible-overflow-in-dpe-length-check.patch b/queue-6.13/usbnet-ipheth-fix-possible-overflow-in-dpe-length-check.patch new file mode 100644 index 0000000000..6f11115b72 --- /dev/null +++ b/queue-6.13/usbnet-ipheth-fix-possible-overflow-in-dpe-length-check.patch 
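Review bot: The bounded `for` loop in ipheth_rcvbulk_callback_ncm() stops the walk at IPHETH_NDP16_MAX_DPE entries, but that only keeps the reads inside the buffer if the URB is known to hold the whole fixed-size header. The check of `urb->actual_length` against `IPHETH_NCM_HEADER_SIZE`, if there is one, sits above this hunk. A comment on the loop should state the dependency, e.g. `/* At most IPHETH_NDP16_MAX_DPE entries; relies on actual_length >= IPHETH_NCM_HEADER_SIZE checked above. */`. The function starts and ends outside the hunks.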
@@ -0,0 +1,40 @@
+From c219427ed296f94bb4b91d08626776dc7719ee27 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill
+Date: Sun, 26 Jan 2025 00:54:03 +0100
+Subject: usbnet: ipheth: fix possible overflow in DPE length check
+
+From: Foster Snowhill
+
+commit c219427ed296f94bb4b91d08626776dc7719ee27 upstream.
+
+Originally, it was possible for the DPE length check to overflow if
+wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB
+read.
+
+Move the wDatagramIndex term to the other side of the inequality.
+
+An existing condition ensures that wDatagramIndex < urb->actual_length.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Foster Snowhill
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/ipheth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -243,8 +243,8 @@ static int ipheth_rcvbulk_callback_ncm(s
+ while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&
+ le16_to_cpu(dpe->wDatagramLength) != 0) {
+ if (le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
+- le16_to_cpu(dpe->wDatagramIndex) +
+- le16_to_cpu(dpe->wDatagramLength) > urb->actual_length) {
++ le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -
++ le16_to_cpu(dpe->wDatagramIndex)) {
+ dev->net->stats.rx_length_errors++;
+ return retval;
+ }
diff --git a/queue-6.13/usbnet-ipheth-refactor-ncm-datagram-loop.patch b/queue-6.13/usbnet-ipheth-refactor-ncm-datagram-loop.patch
new file mode 100644
index 0000000000..e63caf8766
--- /dev/null
+++ b/queue-6.13/usbnet-ipheth-refactor-ncm-datagram-loop.patch
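Review bot: The rewritten comparison `wDatagramLength > urb->actual_length - wDatagramIndex` cannot wrap only because the clause before it has already rejected `wDatagramIndex >= urb->actual_length` and `||` short-circuits; the commit message says so, but the code does not. A one-line comment on the condition, e.g. `/* index < actual_length was checked above, so the subtraction cannot underflow */`, would keep a later reordering of the clauses from reintroducing the out-of-bounds read. The loop body continues outside the hunk.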
@@ -0,0 +1,106 @@
+From 2a9a196429e98fcc64078366c2679bc40aba5466 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill
+Date: Sun, 26 Jan 2025 00:54:06 +0100
+Subject: usbnet: ipheth: refactor NCM datagram loop
+
+From: Foster Snowhill
+
+commit 2a9a196429e98fcc64078366c2679bc40aba5466 upstream.
+
+Introduce an rx_error label to reduce repetitions in the header
+signature checks.
+
+Store wDatagramIndex and wDatagramLength after endianness conversion to
+avoid repeated le16_to_cpu() calls.
+
+Rewrite the loop to return on a null trailing DPE, which is required
+by the CDC NCM spec. In case it is missing, fall through to rx_error.
+
+This change does not fix any particular issue. Its purpose is to
+simplify a subsequent commit that fixes a potential OoB read by limiting
+the maximum amount of processed DPEs.
+
+Cc: stable@vger.kernel.org # 6.5.x
+Signed-off-by: Foster Snowhill
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/ipheth.c | 42 +++++++++++++++++++++++-------------------
+ 1 file changed, 23 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -213,9 +213,9 @@ static int ipheth_rcvbulk_callback_ncm(s
+ struct usb_cdc_ncm_ndp16 *ncm0;
+ struct usb_cdc_ncm_dpe16 *dpe;
+ struct ipheth_device *dev;
++ u16 dg_idx, dg_len;
+ int retval = -EINVAL;
+ char *buf;
+- int len;
+
+ dev = urb->context;
+
+@@ -227,39 +227,43 @@ static int ipheth_rcvbulk_callback_ncm(s
+ ncmh = urb->transfer_buffer;
+ if (ncmh->dwSignature != cpu_to_le32(USB_CDC_NCM_NTH16_SIGN) ||
+ /* On iOS, NDP16 directly follows NTH16 */
+- ncmh->wNdpIndex != cpu_to_le16(sizeof(struct usb_cdc_ncm_nth16))) {
+- dev->net->stats.rx_errors++;
+- return retval;
+- }
++ ncmh->wNdpIndex != cpu_to_le16(sizeof(struct usb_cdc_ncm_nth16)))
++ goto rx_error;
+
+ ncm0 = urb->transfer_buffer + sizeof(struct usb_cdc_ncm_nth16);
+- if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN)) {
+- dev->net->stats.rx_errors++;
+- return retval;
+- }
++ if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN))
++ goto rx_error;
+
+ dpe = ncm0->dpe16;
+- while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&
+- le16_to_cpu(dpe->wDatagramLength) != 0) {
+- if (le16_to_cpu(dpe->wDatagramIndex) < IPHETH_NCM_HEADER_SIZE ||
+- le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
+- le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -
+- le16_to_cpu(dpe->wDatagramIndex)) {
++ while (true) {
++ dg_idx = le16_to_cpu(dpe->wDatagramIndex);
++ dg_len = le16_to_cpu(dpe->wDatagramLength);
++
++ /* Null DPE must be present after last datagram pointer entry
++ * (3.3.1 USB CDC NCM spec v1.0)
++ */
++ if (dg_idx == 0 && dg_len == 0)
++ return 0;
++
++ if (dg_idx < IPHETH_NCM_HEADER_SIZE ||
++ dg_idx >= urb->actual_length ||
++ dg_len > urb->actual_length - dg_idx) {
+ dev->net->stats.rx_length_errors++;
+ return retval;
+ }
+
+- buf = urb->transfer_buffer + le16_to_cpu(dpe->wDatagramIndex);
+- len = le16_to_cpu(dpe->wDatagramLength);
++ buf = urb->transfer_buffer + dg_idx;
+
+- retval = ipheth_consume_skb(buf, len, dev);
++ retval = ipheth_consume_skb(buf, dg_len, dev);
+ if (retval != 0)
+ return retval;
+
+ dpe++;
+ }
+
+- return 0;
++rx_error:
++ dev->net->stats.rx_errors++;
++ return retval;
+ }
+
+ static void ipheth_rcvbulk_callback(struct urb *urb)
diff --git a/queue-6.13/usbnet-ipheth-use-static-ndp16-location-in-urb.patch b/queue-6.13/usbnet-ipheth-use-static-ndp16-location-in-urb.patch
new file mode 100644
index 0000000000..45305e44b8
--- /dev/null
+++ b/queue-6.13/usbnet-ipheth-use-static-ndp16-location-in-urb.patch
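Review bot: The length-error exit inside the loop can report success: `retval` starts as `-EINVAL` but is overwritten with 0 by the first successful `ipheth_consume_skb()`, so the `rx_length_errors` branch's `return retval;` returns 0 for a malformed DPE that follows a valid one. Once the loop is bounded (the fix-DPE-OoB-read patch on this page), running out of entries without a null DPE reaches `rx_error:` with `retval == 0` in the same way. Returning the error explicitly, `return -EINVAL;` in the length-error branch and after `rx_error:`, keeps the statistics counter and the return value in agreement. What the caller does with the value is outside the hunk.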
@@ -0,0 +1,57 @@
+From 86586dcb75cb8fd062a518aca8ee667938b91efb Mon Sep 17 00:00:00 2001
+From: Foster Snowhill
+Date: Sun, 26 Jan 2025 00:54:05 +0100
+Subject: usbnet: ipheth: use static NDP16 location in URB
+
+From: Foster Snowhill
+
+commit 86586dcb75cb8fd062a518aca8ee667938b91efb upstream.
+
+Original code allowed for the start of NDP16 to be anywhere within the
+URB based on the `wNdpIndex` value in NTH16. Only the start position of
+NDP16 was checked, so it was possible for even the fixed-length part
+of NDP16 to extend past the end of URB, leading to an out-of-bounds
+read.
+
+On iOS devices, the NDP16 header always directly follows NTH16. Rely on
+and check for this specific format.
+
+This, along with NCM-specific minimal URB length check that already
+exists, will ensure that the fixed-length part of NDP16 plus a set
+amount of DPEs fit within the URB.
+
+Note that this commit alone does not fully address the OoB read.
+The limit on the amount of DPEs needs to be enforced separately.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Foster Snowhill
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/ipheth.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -226,15 +226,14 @@ static int ipheth_rcvbulk_callback_ncm(s
+
+ ncmh = urb->transfer_buffer;
+ if (ncmh->dwSignature != cpu_to_le32(USB_CDC_NCM_NTH16_SIGN) ||
+- le16_to_cpu(ncmh->wNdpIndex) >= urb->actual_length) {
++ /* On iOS, NDP16 directly follows NTH16 */
++ ncmh->wNdpIndex != cpu_to_le16(sizeof(struct usb_cdc_ncm_nth16))) {
+ dev->net->stats.rx_errors++;
+ return retval;
+ }
+
+- ncm0 = urb->transfer_buffer + le16_to_cpu(ncmh->wNdpIndex);
+- if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN) ||
+- le16_to_cpu(ncmh->wHeaderLength) + le16_to_cpu(ncm0->wLength) >=
+- urb->actual_length) {
++ ncm0 = urb->transfer_buffer + sizeof(struct usb_cdc_ncm_nth16);
++ if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN)) {
+ dev->net->stats.rx_errors++;
+ return retval;
+ }
diff --git a/queue-6.13/wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch b/queue-6.13/wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch
new file mode 100644
index 0000000000..389dea7932
--- /dev/null
+++ b/queue-6.13/wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch
@@ -0,0 +1,69 @@
+From 68abd0c4ebf24cd499841a488b97a6873d5efabb Mon Sep 17 00:00:00 2001
+From: Marcel Hamer
+Date: Thu, 16 Jan 2025 14:22:40 +0100
+Subject: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
+
+From: Marcel Hamer
+
+commit 68abd0c4ebf24cd499841a488b97a6873d5efabb upstream.
+
+On removal of the device or unloading of the kernel module a potential NULL
+pointer dereference occurs.
+
+The following sequence deletes the interface:
+
+ brcmf_detach()
+ brcmf_remove_interface()
+ brcmf_del_if()
+
+Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to
+BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.
+
+After brcmf_remove_interface() call the brcmf_proto_detach() function is
+called providing the following sequence:
+
+ brcmf_detach()
+ brcmf_proto_detach()
+ brcmf_proto_msgbuf_detach()
+ brcmf_flowring_detach()
+ brcmf_msgbuf_delete_flowring()
+ brcmf_msgbuf_remove_flowring()
+ brcmf_flowring_delete()
+ brcmf_get_ifp()
+ brcmf_txfinalize()
+
+Since brcmf_get_ip() can and actually will return NULL in this case the
+call to brcmf_txfinalize() will result in a NULL pointer dereference inside
+brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.
+
+This will only happen if a flowring still has an skb.
+
+Although the NULL pointer dereference has only been seen when trying to
+update the tx statistic, all other uses of the ifp pointer have been
+guarded as well with an early return if ifp is NULL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Hamer
+Link: https://lore.kernel.org/all/b519e746-ddfd-421f-d897-7620d229e4b2@gmail.com/
+Acked-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Link: https://patch.msgid.link/20250116132240.731039-1-marcel.hamer@windriver.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -540,6 +540,11 @@ void brcmf_txfinalize(struct brcmf_if *i
+ struct ethhdr *eh;
+ u16 type;
+
++ if (!ifp) {
++ brcmu_pkt_buf_free_skb(txp);
++ return;
++ }
++
+ eh = (struct ethhdr *)(txp->data);
+ type = ntohs(eh->h_proto);
+
diff --git a/queue-6.13/wifi-mt76-mt7915-add-module-param-to-select-5-ghz-or-6-ghz-on-mt7916.patch b/queue-6.13/wifi-mt76-mt7915-add-module-param-to-select-5-ghz-or-6-ghz-on-mt7916.patch
new file mode 100644
index 0000000000..5b9bb537a1
--- /dev/null
+++ b/queue-6.13/wifi-mt76-mt7915-add-module-param-to-select-5-ghz-or-6-ghz-on-mt7916.patch
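Review bot: The new `if (!ifp)` guard frees the skb and returns silently, and nothing in the code says why a NULL `ifp` is a legitimate input here rather than a caller bug. A comment above the check, e.g. `/* ifp is NULL when flowrings are flushed after the interface was already removed during detach */`, would record the teardown ordering that only the commit message describes at present. brcmf_txfinalize continues outside the hunk.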
@@ -0,0 +1,92 @@
+From 57af267d2b8f5d88485c6372761386d79c5e6a1a Mon Sep 17 00:00:00 2001
+From: Shayne Chen
+Date: Thu, 10 Oct 2024 10:38:16 +0200
+Subject: wifi: mt76: mt7915: add module param to select 5 GHz or 6 GHz on MT7916
+
+From: Shayne Chen
+
+commit 57af267d2b8f5d88485c6372761386d79c5e6a1a upstream.
+
+Due to a limitation in available memory, the MT7916 firmware can only
+handle either 5 GHz or 6 GHz at a time. It does not support runtime
+switching without a full restart.
+
+On older firmware, this accidentally worked to some degree due to missing
+checks, but couldn't be supported properly, because it left the 6 GHz
+channels uncalibrated.
+Newer firmware refuses to start on either band if the passed EEPROM
+data indicates support for both.
+
+Deal with this limitation by using a module parameter to specify the
+preferred band in case both are supported.
+
+Fixes: b4d093e321bd ("mt76: mt7915: add 6 GHz support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shayne Chen
+Link: https://patch.msgid.link/20241010083816.51880-1-nbd@nbd.name
+Signed-off-by: Felix Fietkau
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c | 21 +++++++++++++++++++--
+ drivers/net/wireless/mediatek/mt76/mt7915/init.c | 4 ++--
+ 2 files changed, 21 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
+@@ -2,9 +2,14 @@
+ /* Copyright (C) 2020 MediaTek Inc. */
+
+ #include
++#include
+ #include "mt7915.h"
+ #include "eeprom.h"
+
++static bool enable_6ghz;
++module_param(enable_6ghz, bool, 0644);
++MODULE_PARM_DESC(enable_6ghz, "Enable 6 GHz instead of 5 GHz on hardware that supports both");
++
+ static int mt7915_eeprom_load_precal(struct mt7915_dev *dev)
+ {
+ struct mt76_dev *mdev = &dev->mt76;
+@@ -170,8 +175,20 @@ static void mt7915_eeprom_parse_band_con
+ phy->mt76->cap.has_6ghz = true;
+ return;
+ case MT_EE_V2_BAND_SEL_5GHZ_6GHZ:
+- phy->mt76->cap.has_5ghz = true;
+- phy->mt76->cap.has_6ghz = true;
++ if (enable_6ghz) {
++ phy->mt76->cap.has_6ghz = true;
++ u8p_replace_bits(&eeprom[MT_EE_WIFI_CONF + band],
++ MT_EE_V2_BAND_SEL_6GHZ,
++ MT_EE_WIFI_CONF0_BAND_SEL);
++ } else {
++ phy->mt76->cap.has_5ghz = true;
++ u8p_replace_bits(&eeprom[MT_EE_WIFI_CONF + band],
++ MT_EE_V2_BAND_SEL_5GHZ,
++ MT_EE_WIFI_CONF0_BAND_SEL);
++ }
++ /* force to buffer mode */
++ dev->flash_mode = true;
++
+ return;
+ default:
+ phy->mt76->cap.has_2ghz = true;
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+@@ -1239,14 +1239,14 @@ int mt7915_register_device(struct mt7915
+ if (ret)
+ goto unreg_dev;
+
+- ieee80211_queue_work(mt76_hw(dev), &dev->init_work);
+-
+ if (phy2) {
+ ret = mt7915_register_ext_phy(dev, phy2);
+ if (ret)
+ goto unreg_thermal;
+ }
+
++ ieee80211_queue_work(mt76_hw(dev), &dev->init_work);
++
+ dev->recovery.hw_init_done = true;
+
+ ret = mt7915_init_debugfs(&dev->phy);
diff --git a/queue-6.13/wifi-mt76-mt7921u-add-vid-pid-for-tp-link-txe50uh.patch b/queue-6.13/wifi-mt76-mt7921u-add-vid-pid-for-tp-link-txe50uh.patch
new file mode 100644
index 0000000000..455d6f65e4
--- /dev/null
+++ b/queue-6.13/wifi-mt76-mt7921u-add-vid-pid-for-tp-link-txe50uh.patch
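Review bot: `module_param(enable_6ghz, bool, 0644)` makes the parameter writable through sysfs at runtime, yet the only read in this patch is in the EEPROM band-config parser and the commit message says the firmware cannot switch bands without a full restart. A write after probe would then change the reported value without changing what the hardware does; `module_param(enable_6ghz, bool, 0444);`, or a sentence in `MODULE_PARM_DESC` that the value is sampled when the device is initialised, avoids that mismatch. The flag is also a single file-scope variable, so it applies to every device the module drives. The band-config function starts and ends outside the hunk.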
@@ -0,0 +1,33 @@
+From 47d9a8ba1d7f31c674b6936b3c34ee934aa9b420 Mon Sep 17 00:00:00 2001
+From: Nick Morrow
+Date: Thu, 19 Dec 2024 08:12:14 -0600
+Subject: wifi: mt76: mt7921u: Add VID/PID for TP-Link TXE50UH
+
+From: Nick Morrow
+
+commit 47d9a8ba1d7f31c674b6936b3c34ee934aa9b420 upstream.
+
+Add VID/PID 35bc/0107 for recently released TP-Link TXE50UH USB WiFi adapter.
+
+Tested-by: Shang Chieh Tseng
+Signed-off-by: Nick Morrow
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/e797f105-9ca8-41e9-96de-7d25dec09943@gmail.com
+Signed-off-by: Felix Fietkau
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
+@@ -21,6 +21,9 @@ static const struct usb_device_id mt7921
+ /* Netgear, Inc. [A8000,AXE3000] */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9060, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
++ /* TP-Link TXE50UH */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x35bc, 0x0107, 0xff, 0xff, 0xff),
++ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
+ { },
+ };
+
diff --git a/queue-6.13/wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch b/queue-6.13/wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch
new file mode 100644
index 0000000000..3743708082
--- /dev/null
+++ b/queue-6.13/wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch
@@ -0,0 +1,59 @@
+From 66ef0289ac99e155d206ddaa0fdfad09ae3cd007 Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith
+Date: Wed, 18 Dec 2024 00:53:11 +0200
+Subject: wifi: rtlwifi: rtl8821ae: Fix media status report
+
+From: Bitterblue Smith
+
+commit 66ef0289ac99e155d206ddaa0fdfad09ae3cd007 upstream.
+
+RTL8821AE is stuck transmitting at the lowest rate allowed by the rate
+mask. This is because the firmware doesn't know the device is connected
+to a network.
+
+Fix the macros SET_H2CCMD_MSRRPT_PARM_OPMODE and
+SET_H2CCMD_MSRRPT_PARM_MACID_IND to work on the first byte of __cmd,
+not the second. Now the firmware is correctly notified when the device
+is connected to a network and it activates the rate control.
+
+Before (MCS3):
+
+[ 5] 0.00-1.00 sec 12.5 MBytes 105 Mbits/sec 0 339 KBytes
+[ 5] 1.00-2.00 sec 10.6 MBytes 89.1 Mbits/sec 0 339 KBytes
+[ 5] 2.00-3.00 sec 10.6 MBytes 89.1 Mbits/sec 0 386 KBytes
+[ 5] 3.00-4.00 sec 10.6 MBytes 89.1 Mbits/sec 0 386 KBytes
+[ 5] 4.00-5.00 sec 10.2 MBytes 86.0 Mbits/sec 0 427 KBytes
+
+After (MCS9):
+
+[ 5] 0.00-1.00 sec 33.9 MBytes 284 Mbits/sec 0 771 KBytes
+[ 5] 1.00-2.00 sec 31.6 MBytes 265 Mbits/sec 0 865 KBytes
+[ 5] 2.00-3.00 sec 29.9 MBytes 251 Mbits/sec 0 963 KBytes
+[ 5] 3.00-4.00 sec 28.2 MBytes 237 Mbits/sec 0 963 KBytes
+[ 5] 4.00-5.00 sec 26.8 MBytes 224 Mbits/sec 0 963 KBytes
+
+Fixes: 39f40710d0b5 ("rtlwifi: rtl88821ae: Remove usage of private bit manipulation macros")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bitterblue Smith
+Acked-by: Ping-Ke Shih
+Signed-off-by: Ping-Ke Shih
+Link: https://patch.msgid.link/754785b3-8a78-4554-b80d-de5f603b410b@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h
+@@ -197,9 +197,9 @@ enum rtl8821a_h2c_cmd {
+
+ /* _MEDIA_STATUS_RPT_PARM_CMD1 */
+ #define SET_H2CCMD_MSRRPT_PARM_OPMODE(__cmd, __value) \
+- u8p_replace_bits(__cmd + 1, __value, BIT(0))
++ u8p_replace_bits(__cmd, __value, BIT(0))
+ #define SET_H2CCMD_MSRRPT_PARM_MACID_IND(__cmd, __value) \
+- u8p_replace_bits(__cmd + 1, __value, BIT(1))
++ u8p_replace_bits(__cmd, __value, BIT(1))
+
+ /* AP_OFFLOAD */
+ #define SET_H2CCMD_AP_OFFLOAD_ON(__cmd, __value) \
diff --git a/queue-6.13/wifi-rtw88-8703b-fix-rx-tx-issues.patch b/queue-6.13/wifi-rtw88-8703b-fix-rx-tx-issues.patch
new file mode 100644
index 0000000000..59759d9323
--- /dev/null
+++ b/queue-6.13/wifi-rtw88-8703b-fix-rx-tx-issues.patch
@@ -0,0 +1,64 @@
+From a806a8160a0fcaff368bb510c8a52eff37faf727 Mon Sep 17 00:00:00 2001
+From: Vasily Khoruzhick
+Date: Thu, 2 Jan 2025 23:50:53 -0800
+Subject: wifi: rtw88: 8703b: Fix RX/TX issues
+
+From: Vasily Khoruzhick
+
+commit a806a8160a0fcaff368bb510c8a52eff37faf727 upstream.
+
+Fix 3 typos in 8703b driver. 2 typos in calibration routines are not
+fatal and do not seem to have any impact, just fix them to match vendor
+driver.
+
+However the last one in rtw8703b_set_channel_bb() clears too many bits
+in REG_OFDM0_TX_PSD_NOISE, causing TX and RX issues (neither rate goes
+above MCS0-MCS1). Vendor driver clears only 2 most significant bits.
+
+With the last typo fixed, the driver is able to reach MCS7 on Pinebook
+
+Cc: stable@vger.kernel.org
+Fixes: 9bb762b3a957 ("wifi: rtw88: Add definitions for 8703b chip")
+Signed-off-by: Vasily Khoruzhick
+Acked-by: Ping-Ke Shih
+Tested-by: Fiona Klute
+Tested-by: Andrey Skvortsov
+Signed-off-by: Ping-Ke Shih
+Link: https://patch.msgid.link/20250103075107.1337533-1-anarsoul@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtw88/rtw8703b.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/rtw8703b.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8703b.c
+@@ -903,7 +903,7 @@ static void rtw8703b_set_channel_bb(stru
+ rtw_write32_mask(rtwdev, REG_FPGA0_RFMOD, BIT_MASK_RFMOD, 0x0);
+ rtw_write32_mask(rtwdev, REG_FPGA1_RFMOD, BIT_MASK_RFMOD, 0x0);
+ rtw_write32_mask(rtwdev, REG_OFDM0_TX_PSD_NOISE,
+- GENMASK(31, 20), 0x0);
++ GENMASK(31, 30), 0x0);
+ rtw_write32(rtwdev, REG_BBRX_DFIR, 0x4A880000);
+ rtw_write32(rtwdev, REG_OFDM0_A_TX_AFE, 0x19F60000);
+ break;
+@@ -1198,9 +1198,9 @@ static u8 rtw8703b_iqk_rx_path(struct rt
+ rtw_write32(rtwdev, REG_RXIQK_TONE_A_11N, 0x38008c1c);
+ rtw_write32(rtwdev, REG_TX_IQK_TONE_B, 0x38008c1c);
+ rtw_write32(rtwdev, REG_RX_IQK_TONE_B, 0x38008c1c);
+- rtw_write32(rtwdev, REG_TXIQK_PI_A_11N, 0x8216000f);
++ rtw_write32(rtwdev, REG_TXIQK_PI_A_11N, 0x8214030f);
+ rtw_write32(rtwdev, REG_RXIQK_PI_A_11N, 0x28110000);
+- rtw_write32(rtwdev, REG_TXIQK_PI_B, 0x28110000);
++ rtw_write32(rtwdev, REG_TXIQK_PI_B, 0x82110000);
+ rtw_write32(rtwdev, REG_RXIQK_PI_B, 0x28110000);
+
+ /* LOK setting */
+@@ -1372,7 +1372,7 @@ void rtw8703b_iqk_fill_a_matrix(struct r
+ return;
+
+ tmp_rx_iqi |= FIELD_PREP(BIT_MASK_RXIQ_S1_X, result[IQK_S1_RX_X]);
+- tmp_rx_iqi |= FIELD_PREP(BIT_MASK_RXIQ_S1_Y1, result[IQK_S1_RX_X]);
++ tmp_rx_iqi |= FIELD_PREP(BIT_MASK_RXIQ_S1_Y1, result[IQK_S1_RX_Y]);
+ rtw_write32(rtwdev, REG_A_RXIQI, tmp_rx_iqi);
+ rtw_write32_mask(rtwdev, REG_RXIQK_MATRIX_LSB_11N, BIT_MASK_RXIQ_S1_Y2,
+ BIT_SET_RXIQ_S1_Y2(result[IQK_S1_RX_Y]));
diff --git a/queue-6.13/wifi-rtw88-sdio-fix-disconnection-after-beacon-loss.patch b/queue-6.13/wifi-rtw88-sdio-fix-disconnection-after-beacon-loss.patch
new file mode 100644
index 0000000000..5a34b252c9
--- /dev/null
+++ b/queue-6.13/wifi-rtw88-sdio-fix-disconnection-after-beacon-loss.patch
@@ -0,0 +1,36 @@
+From fb2fcfbe5eef9ae26b0425978435ae1308951e51 Mon Sep 17 00:00:00 2001
+From: Fiona Klute
+Date: Mon, 6 Jan 2025 15:54:34 +0200
+Subject: wifi: rtw88: sdio: Fix disconnection after beacon loss
+
+From: Fiona Klute
+
+commit fb2fcfbe5eef9ae26b0425978435ae1308951e51 upstream.
+
+This is the equivalent of commit 28818b4d871b ("wifi: rtw88: usb: Fix
+disconnection after beacon loss") for SDIO chips.
+Tested on Pinephone (RTL8723CS), random disconnections became rare,
+instead of a frequent nuisance.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Fiona Klute
+Tested-by: Vasily Khoruzhick # Tested on Pinebook
+Acked-by: Ping-Ke Shih
+Signed-off-by: Ping-Ke Shih
+Link: https://patch.msgid.link/20250106135434.35936-1-fiona.klute@gmx.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtw88/sdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtw88/sdio.c
++++ b/drivers/net/wireless/realtek/rtw88/sdio.c
+@@ -1192,6 +1192,8 @@ static void rtw_sdio_indicate_tx_status(
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ struct ieee80211_hw *hw = rtwdev->hw;
+
++ skb_pull(skb, rtwdev->chip->tx_pkt_desc_sz);
++
+ /* enqueue to wait for tx report */
+ if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) {
+ rtw_tx_report_enqueue(rtwdev, skb, tx_data->sn);
diff --git a/queue-6.13/x86-efi-skip-memattr-table-on-kexec-boot.patch b/queue-6.13/x86-efi-skip-memattr-table-on-kexec-boot.patch
new file mode 100644
index 0000000000..1d9fafe34b
--- /dev/null
+++ b/queue-6.13/x86-efi-skip-memattr-table-on-kexec-boot.patch
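Review bot: The added `skb_pull(skb, rtwdev->chip->tx_pkt_desc_sz);` carries no comment, and the commit message explains it only by pointing at the USB commit. A line such as `/* strip the TX descriptor before the skb is handed back for status reporting */` would state the intent, which is presumably what the USB fix does as well. The pull also assumes every skb reaching this function still has a descriptor of that size at its head; that is established outside the hunk, and the function body continues past it.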
@@ -0,0 +1,50 @@
+From 64b45dd46e154ee7641d7e0457f3fa266e57179f Mon Sep 17 00:00:00 2001
+From: Dave Young
+Date: Thu, 23 Jan 2025 14:36:27 +0800
+Subject: x86/efi: skip memattr table on kexec boot
+
+From: Dave Young
+
+commit 64b45dd46e154ee7641d7e0457f3fa266e57179f upstream.
+
+efi_memattr_init() added a sanity check to avoid firmware caused corruption.
+The check is based on efi memmap entry numbers, but kexec only takes the
+runtime related memmap entries thus this caused many false warnings, see
+below thread for details:
+
+https://lore.kernel.org/all/20250108215957.3437660-2-usamaarif642@gmail.com/
+
+Ard suggests to skip the efi memattr table in kexec, this makes sense because
+those memattr fixups are not critical.
+
+Fixes: 8fbe4c49c0cc ("efi/memattr: Ignore table if the size is clearly bogus")
+Cc: # v6.13+
+Reported-by: Breno Leitao
+Reported-and-tested-by: Usama Arif
+Suggested-by: Ard Biesheuvel
+Signed-off-by: Dave Young
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/platform/efi/quirks.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
+index 846bf49f2508..553f330198f2 100644
+--- a/arch/x86/platform/efi/quirks.c
++++ b/arch/x86/platform/efi/quirks.c
+@@ -561,6 +561,11 @@ int __init efi_reuse_config(u64 tables, int nr_tables)
+
+ if (!efi_guidcmp(guid, SMBIOS_TABLE_GUID))
+ ((efi_config_table_64_t *)p)->table = data->smbios;
++
++ /* Do not bother to play with mem attr table across kexec */
++ if (!efi_guidcmp(guid, EFI_MEMORY_ATTRIBUTES_TABLE_GUID))
++ ((efi_config_table_64_t *)p)->table = EFI_INVALID_TABLE_ADDR;
++
+ p += sz;
+ }
+ early_memunmap(tablep, nr_tables * sz);
+--
+2.48.1
+
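Review bot: The new comment `Do not bother to play with mem attr table across kexec` says neither why the entry is invalidated nor what is given up by doing so. The EFI memory attributes table is what lets the kernel tighten permissions on runtime-services regions, so a kexec'd kernel presumably runs without those refinements; that trade-off belongs next to the assignment of `EFI_INVALID_TABLE_ADDR`. Something like `/* kexec passes only runtime memmap entries, so the memattr size check misfires; drop the table and accept unrefined runtime-region permissions */` would do. efi_reuse_config starts and ends outside the hunk.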