From: Greg Kroah-Hartman Date: Fri, 22 Aug 2025 12:58:13 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.16.3~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e513aa289fb6cfefc7ef1598808605382fcffe6d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch block-make-req_op_zone_finish-a-write-operation.patch block-reject-invalid-operation-in-submit_bio_noacct.patch btrfs-abort-transaction-on-unexpected-eb-generation-at-btrfs_copy_root.patch btrfs-fix-qgroup-reservation-leak-on-failure-to-allocate-ordered-extent.patch btrfs-populate-otime-when-logging-an-inode-item.patch btrfs-qgroup-fix-race-between-quota-disable-and-quota-rescan-ioctl.patch btrfs-send-use-fallocate-for-hole-punching-with-send-stream-v2.patch cifs-reset-iface-weights-when-we-cannot-find-a-candidate.patch drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch fscrypt-don-t-use-problematic-non-inline-crypto-engines.patch iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch iio-hid-sensor-prox-restore-lost-scale-assignments.patch media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch media-venus-introduce-accessors-for-remapped-hfi_buffer_reqs-members.patch mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch net-add-netdev_lockdep_set_classes-to-virtual-drivers.patch net-enetc-fix-device-and-of-node-leak-at-probe.patch net-sched-ets-use-old-nbands-while-purging-unused-classes.patch net_sched-sch_ets-implement-lockless-ets_dump.patch pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch platform-chrome-cros_ec-use-per-device-lockdep-key.patch smb-client-let-send_done-cleanup-before-calling-smbd_disconnect_rdma_connection.patch usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch usb-musb-omap2430-fix-device-leak-at-unbind.patch usb-typec-fusb302-cache-pd-rx-state.patch x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch xfs-fully-decouple-xfs_ibulk-flags-from-xfs_iwalk-flags.patch --- diff --git a/queue-6.1/arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch b/queue-6.1/arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch new file mode 100644 index 0000000000..ed712b2f59 --- /dev/null +++ b/queue-6.1/arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch @@ -0,0 +1,60 @@ +From stable+bounces-164977-greg=kroah.com@vger.kernel.org Mon Jul 28 16:51:59 2025 +From: Sasha Levin +Date: Mon, 28 Jul 2025 10:51:25 -0400 +Subject: ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS +To: stable@vger.kernel.org +Cc: Nathan Chancellor , KernelCI bot , Masahiro Yamada , Russell King , Sasha Levin +Message-ID: <20250728145125.2340542-1-sashal@kernel.org> + +From: Nathan Chancellor + +[ Upstream commit 87c4e1459e80bf65066f864c762ef4dc932fad4b ] + +After commit d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper +flags and language target"), which updated as-instr to use the +'assembler-with-cpp' language option, the Kbuild version of as-instr +always fails internally for arch/arm with + + : fatal error: asm/unified.h: No such file or directory + compilation terminated. + +because '-include' flags are now taken into account by the compiler +driver and as-instr does not have '$(LINUXINCLUDE)', so unified.h is not +found. + +This went unnoticed at the time of the Kbuild change because the last +use of as-instr in Kbuild that arch/arm could reach was removed in 5.7 +by commit 541ad0150ca4 ("arm: Remove 32bit KVM host support") but a +stable backport of the Kbuild change to before that point exposed this +potential issue if one were to be reintroduced. + +Follow the general pattern of '-include' paths throughout the tree and +make unified.h absolute using '$(srctree)' to ensure KBUILD_AFLAGS can +be used independently. + +Closes: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg@mail.gmail.com/ + +Cc: stable@vger.kernel.org +Fixes: d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper flags and language target") +Reported-by: KernelCI bot +Reviewed-by: Masahiro Yamada +Signed-off-by: Nathan Chancellor +Signed-off-by: Russell King (Oracle) +[ adapted to missing -Wa ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/Makefile ++++ b/arch/arm/Makefile +@@ -133,7 +133,7 @@ endif + + # Need -Uarm for gcc < 3.x + KBUILD_CFLAGS +=$(CFLAGS_ABI) $(CFLAGS_ISA) $(arch-y) $(tune-y) $(call cc-option,-mshort-load-bytes,$(call cc-option,-malignment-traps,)) -msoft-float -Uarm +-KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include asm/unified.h -msoft-float ++KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include $(srctree)/arch/arm/include/asm/unified.h -msoft-float + + CHECKFLAGS += -D__arm__ + diff --git a/queue-6.1/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch b/queue-6.1/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch new file mode 100644 index 0000000000..e30bd07856 --- /dev/null +++ b/queue-6.1/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch @@ -0,0 +1,115 @@ +From stable+bounces-165060-greg=kroah.com@vger.kernel.org Tue Jul 29 14:24:51 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 08:24:21 -0400 +Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() +To: stable@vger.kernel.org +Cc: Ada Couprie Diaz , Cristian Prundeanu , Will Deacon , Sasha Levin +Message-ID: <20250729122421.2688525-1-sashal@kernel.org> + +From: Ada Couprie Diaz + +[ Upstream commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb ] + +`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change +to different stacks along with the Shadow Call Stack if it is enabled. +Those two stack changes cannot be done atomically and both functions +can be interrupted by SErrors or Debug Exceptions which, though unlikely, +is very much broken : if interrupted, we can end up with mismatched stacks +and Shadow Call Stack leading to clobbered stacks. + +In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, +but x18 stills points to the old task's SCS. When the interrupt handler +tries to save the task's SCS pointer, it will save the old task +SCS pointer (x18) into the new task struct (pointed to by SP_EL0), +clobbering it. + +In `call_on_irq_stack()`, it can happen when switching from the task stack +to the IRQ stack and when switching back. In both cases, we can be +interrupted when the SCS pointer points to the IRQ SCS, but SP points to +the task stack. The nested interrupt handler pushes its return addresses +on the IRQ SCS. It then detects that SP points to the task stack, +calls `call_on_irq_stack()` and clobbers the task SCS pointer with +the IRQ SCS pointer, which it will also use ! + +This leads to tasks returning to addresses on the wrong SCS, +or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK +or FPAC if enabled. + +This is possible on a default config, but unlikely. +However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and +instead the GIC is responsible for filtering what interrupts the CPU +should receive based on priority. +Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU +even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* +frequently depending on the system configuration and workload, leading +to unpredictable kernel panics. + +Completely mask DAIF in `cpu_switch_to()` and restore it when returning. +Do the same in `call_on_irq_stack()`, but restore and mask around +the branch. +Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency +of behaviour between all configurations. + +Introduce and use an assembly macro for saving and masking DAIF, +as the existing one saves but only masks IF. + +Cc: +Signed-off-by: Ada Couprie Diaz +Reported-by: Cristian Prundeanu +Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt") +Tested-by: Cristian Prundeanu +Acked-by: Will Deacon +Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com +Signed-off-by: Will Deacon +[ removed duplicate save_and_disable_daif macro ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/entry.S | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -827,6 +827,7 @@ SYM_CODE_END(__bp_harden_el1_vectors) + * + */ + SYM_FUNC_START(cpu_switch_to) ++ save_and_disable_daif x11 + mov x10, #THREAD_CPU_CONTEXT + add x8, x0, x10 + mov x9, sp +@@ -850,6 +851,7 @@ SYM_FUNC_START(cpu_switch_to) + ptrauth_keys_install_kernel x1, x8, x9, x10 + scs_save x0 + scs_load_current ++ restore_irq x11 + ret + SYM_FUNC_END(cpu_switch_to) + NOKPROBE(cpu_switch_to) +@@ -876,6 +878,7 @@ NOKPROBE(ret_from_fork) + * Calls func(regs) using this CPU's irq stack and shadow irq stack. + */ + SYM_FUNC_START(call_on_irq_stack) ++ save_and_disable_daif x9 + #ifdef CONFIG_SHADOW_CALL_STACK + get_current_task x16 + scs_save x16 +@@ -890,8 +893,10 @@ SYM_FUNC_START(call_on_irq_stack) + + /* Move to the new stack and call the function there */ + add sp, x16, #IRQ_STACK_SIZE ++ restore_irq x9 + blr x1 + ++ save_and_disable_daif x9 + /* + * Restore the SP from the FP, and restore the FP and LR from the frame + * record. +@@ -899,6 +904,7 @@ SYM_FUNC_START(call_on_irq_stack) + mov sp, x29 + ldp x29, x30, [sp], #16 + scs_load_current ++ restore_irq x9 + ret + SYM_FUNC_END(call_on_irq_stack) + NOKPROBE(call_on_irq_stack) diff --git a/queue-6.1/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch b/queue-6.1/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch new file mode 100644 index 0000000000..f7b60e0f81 --- /dev/null +++ b/queue-6.1/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch @@ -0,0 +1,79 @@ +From stable+bounces-172201-greg=kroah.com@vger.kernel.org Thu Aug 21 18:54:54 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:52:24 -0400 +Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig +To: stable@vger.kernel.org +Cc: Damien Le Moal , Hannes Reinecke , Niklas Cassel , Sasha Levin +Message-ID: <20250821165224.842834-1-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ] + +Improve the description of the possible default SATA link power +management policies and add the missing description for policy 5. +No functional changes. + +Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Niklas Cassel +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/Kconfig | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +--- a/drivers/ata/Kconfig ++++ b/drivers/ata/Kconfig +@@ -117,7 +117,7 @@ config SATA_AHCI + + config SATA_MOBILE_LPM_POLICY + int "Default SATA Link Power Management policy for low power chipsets" +- range 0 4 ++ range 0 5 + default 0 + depends on SATA_AHCI + help +@@ -126,15 +126,32 @@ config SATA_MOBILE_LPM_POLICY + chipsets are typically found on most laptops but desktops and + servers now also widely use chipsets supporting low power modes. + +- The value set has the following meanings: ++ Each policy combines power saving states and features: ++ - Partial: The Phy logic is powered but is in a reduced power ++ state. The exit latency from this state is no longer than ++ 10us). ++ - Slumber: The Phy logic is powered but is in an even lower power ++ state. The exit latency from this state is potentially ++ longer, but no longer than 10ms. ++ - DevSleep: The Phy logic may be powered down. The exit latency from ++ this state is no longer than 20 ms, unless otherwise ++ specified by DETO in the device Identify Device Data log. ++ - HIPM: Host Initiated Power Management (host automatically ++ transitions to partial and slumber). ++ - DIPM: Device Initiated Power Management (device automatically ++ transitions to partial and slumber). ++ ++ The possible values for the default SATA link power management ++ policies are: + 0 => Keep firmware settings +- 1 => Maximum performance +- 2 => Medium power +- 3 => Medium power with Device Initiated PM enabled +- 4 => Minimum power ++ 1 => No power savings (maximum performance) ++ 2 => HIPM (Partial) ++ 3 => HIPM (Partial) and DIPM (Partial and Slumber) ++ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber) ++ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber) + +- Note "Minimum power" is known to cause issues, including disk +- corruption, with some disks and should not be used. ++ Excluding the value 0, higher values represent policies with higher ++ power savings. + + config SATA_AHCI_PLATFORM + tristate "Platform AHCI SATA support" diff --git a/queue-6.1/block-make-req_op_zone_finish-a-write-operation.patch b/queue-6.1/block-make-req_op_zone_finish-a-write-operation.patch new file mode 100644 index 0000000000..833f8f8ad6 --- /dev/null +++ b/queue-6.1/block-make-req_op_zone_finish-a-write-operation.patch @@ -0,0 +1,53 @@ +From stable+bounces-169843-greg=kroah.com@vger.kernel.org Sat Aug 16 05:48:12 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 23:47:58 -0400 +Subject: block: Make REQ_OP_ZONE_FINISH a write operation +To: stable@vger.kernel.org +Cc: Damien Le Moal , Bart Van Assche , Johannes Thumshirn , Christoph Hellwig , Jens Axboe , Sasha Levin +Message-ID: <20250816034758.666065-2-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit 3f66ccbaaef3a0c5bd844eab04e3207b4061c546 ] + +REQ_OP_ZONE_FINISH is defined as "12", which makes +op_is_write(REQ_OP_ZONE_FINISH) return false, despite the fact that a +zone finish operation is an operation that modifies a zone (transition +it to full) and so should be considered as a write operation (albeit +one that does not transfer any data to the device). + +Fix this by redefining REQ_OP_ZONE_FINISH to be an odd number (13), and +redefine REQ_OP_ZONE_RESET and REQ_OP_ZONE_RESET_ALL using sequential +odd numbers from that new value. + +Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Bart Van Assche +Reviewed-by: Johannes Thumshirn +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250625093327.548866-2-dlemoal@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/blk_types.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -375,11 +375,11 @@ enum req_op { + /* Close a zone */ + REQ_OP_ZONE_CLOSE = (__force blk_opf_t)11, + /* Transition a zone to full */ +- REQ_OP_ZONE_FINISH = (__force blk_opf_t)12, ++ REQ_OP_ZONE_FINISH = (__force blk_opf_t)13, + /* reset a zone write pointer */ +- REQ_OP_ZONE_RESET = (__force blk_opf_t)13, ++ REQ_OP_ZONE_RESET = (__force blk_opf_t)15, + /* reset all the zone present on the device */ +- REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)15, ++ REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)17, + + /* Driver private requests */ + REQ_OP_DRV_IN = (__force blk_opf_t)34, diff --git a/queue-6.1/block-reject-invalid-operation-in-submit_bio_noacct.patch b/queue-6.1/block-reject-invalid-operation-in-submit_bio_noacct.patch new file mode 100644 index 0000000000..6abc48e8eb --- /dev/null +++ b/queue-6.1/block-reject-invalid-operation-in-submit_bio_noacct.patch @@ -0,0 +1,107 @@ +From stable+bounces-169842-greg=kroah.com@vger.kernel.org Sat Aug 16 05:49:42 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 23:47:57 -0400 +Subject: block: reject invalid operation in submit_bio_noacct +To: stable@vger.kernel.org +Cc: Christoph Hellwig , Jens Axboe , Sasha Levin +Message-ID: <20250816034758.666065-1-sashal@kernel.org> + +From: Christoph Hellwig + +[ Upstream commit 1c042f8d4bc342b7985b1de3d76836f1a1083b65 ] + +submit_bio_noacct allows completely invalid operations, or operations +that are not supported in the bio path. Extent the existing switch +statement to rejcect all invalid types. + +Move the code point for REQ_OP_ZONE_APPEND so that it's not right in the +middle of the zone management operations and the switch statement can +follow the numerical order of the operations. + +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20231221070538.1112446-1-hch@lst.de +Signed-off-by: Jens Axboe +Stable-dep-of: 3f66ccbaaef3 ("block: Make REQ_OP_ZONE_FINISH a write operation") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-core.c | 26 +++++++++++++++++++++----- + include/linux/blk_types.h | 8 ++++---- + 2 files changed, 25 insertions(+), 9 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -755,6 +755,15 @@ void submit_bio_noacct(struct bio *bio) + bio_clear_polled(bio); + + switch (bio_op(bio)) { ++ case REQ_OP_READ: ++ case REQ_OP_WRITE: ++ break; ++ case REQ_OP_FLUSH: ++ /* ++ * REQ_OP_FLUSH can't be submitted through bios, it is only ++ * synthetized in struct request by the flush state machine. ++ */ ++ goto not_supported; + case REQ_OP_DISCARD: + if (!bdev_max_discard_sectors(bdev)) + goto not_supported; +@@ -768,6 +777,10 @@ void submit_bio_noacct(struct bio *bio) + if (status != BLK_STS_OK) + goto end_io; + break; ++ case REQ_OP_WRITE_ZEROES: ++ if (!q->limits.max_write_zeroes_sectors) ++ goto not_supported; ++ break; + case REQ_OP_ZONE_RESET: + case REQ_OP_ZONE_OPEN: + case REQ_OP_ZONE_CLOSE: +@@ -779,12 +792,15 @@ void submit_bio_noacct(struct bio *bio) + if (!bdev_is_zoned(bio->bi_bdev) || !blk_queue_zone_resetall(q)) + goto not_supported; + break; +- case REQ_OP_WRITE_ZEROES: +- if (!q->limits.max_write_zeroes_sectors) +- goto not_supported; +- break; ++ case REQ_OP_DRV_IN: ++ case REQ_OP_DRV_OUT: ++ /* ++ * Driver private operations are only used with passthrough ++ * requests. ++ */ ++ fallthrough; + default: +- break; ++ goto not_supported; + } + + if (blk_throtl_bio(bio)) +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -366,6 +366,8 @@ enum req_op { + REQ_OP_DISCARD = (__force blk_opf_t)3, + /* securely erase sectors */ + REQ_OP_SECURE_ERASE = (__force blk_opf_t)5, ++ /* write data at the current zone write pointer */ ++ REQ_OP_ZONE_APPEND = (__force blk_opf_t)7, + /* write the zero filled sector many times */ + REQ_OP_WRITE_ZEROES = (__force blk_opf_t)9, + /* Open a zone */ +@@ -374,12 +376,10 @@ enum req_op { + REQ_OP_ZONE_CLOSE = (__force blk_opf_t)11, + /* Transition a zone to full */ + REQ_OP_ZONE_FINISH = (__force blk_opf_t)12, +- /* write data at the current zone write pointer */ +- REQ_OP_ZONE_APPEND = (__force blk_opf_t)13, + /* reset a zone write pointer */ +- REQ_OP_ZONE_RESET = (__force blk_opf_t)15, ++ REQ_OP_ZONE_RESET = (__force blk_opf_t)13, + /* reset all the zone present on the device */ +- REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)17, ++ REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)15, + + /* Driver private requests */ + REQ_OP_DRV_IN = (__force blk_opf_t)34, diff --git a/queue-6.1/btrfs-abort-transaction-on-unexpected-eb-generation-at-btrfs_copy_root.patch b/queue-6.1/btrfs-abort-transaction-on-unexpected-eb-generation-at-btrfs_copy_root.patch new file mode 100644 index 0000000000..4c03cc55ae --- /dev/null +++ b/queue-6.1/btrfs-abort-transaction-on-unexpected-eb-generation-at-btrfs_copy_root.patch @@ -0,0 +1,48 @@ +From stable+bounces-171707-greg=kroah.com@vger.kernel.org Tue Aug 19 03:36:30 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 21:34:31 -0400 +Subject: btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() +To: stable@vger.kernel.org +Cc: Filipe Manana , Daniel Vacek , Qu Wenruo , David Sterba , Sasha Levin +Message-ID: <20250819013431.249337-1-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 ] + +If we find an unexpected generation for the extent buffer we are cloning +at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the +transaction, meaning we allow to persist metadata with an unexpected +generation. Instead of warning only, abort the transaction and return +-EUCLEAN. + +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Daniel Vacek +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -237,7 +237,14 @@ int btrfs_copy_root(struct btrfs_trans_h + + write_extent_buffer_fsid(cow, fs_info->fs_devices->metadata_uuid); + +- WARN_ON(btrfs_header_generation(buf) > trans->transid); ++ if (unlikely(btrfs_header_generation(buf) > trans->transid)) { ++ btrfs_tree_unlock(cow); ++ free_extent_buffer(cow); ++ ret = -EUCLEAN; ++ btrfs_abort_transaction(trans, ret); ++ return ret; ++ } ++ + if (new_root_objectid == BTRFS_TREE_RELOC_OBJECTID) + ret = btrfs_inc_ref(trans, root, cow, 1); + else diff --git a/queue-6.1/btrfs-fix-qgroup-reservation-leak-on-failure-to-allocate-ordered-extent.patch b/queue-6.1/btrfs-fix-qgroup-reservation-leak-on-failure-to-allocate-ordered-extent.patch new file mode 100644 index 0000000000..5493084c53 --- /dev/null +++ b/queue-6.1/btrfs-fix-qgroup-reservation-leak-on-failure-to-allocate-ordered-extent.patch @@ -0,0 +1,64 @@ +From stable+bounces-164821-greg=kroah.com@vger.kernel.org Sat Jul 26 04:25:14 2025 +From: Sasha Levin +Date: Fri, 25 Jul 2025 22:25:03 -0400 +Subject: btrfs: fix qgroup reservation leak on failure to allocate ordered extent +To: stable@vger.kernel.org +Cc: Filipe Manana , Boris Burkov , Qu Wenruo , David Sterba , Sasha Levin +Message-ID: <20250726022503.2023611-1-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit 1f2889f5594a2bc4c6a52634c4a51b93e785def5 ] + +If we fail to allocate an ordered extent for a COW write we end up leaking +a qgroup data reservation since we called btrfs_qgroup_release_data() but +we didn't call btrfs_qgroup_free_refroot() (which would happen when +running the respective data delayed ref created by ordered extent +completion or when finishing the ordered extent in case an error happened). + +So make sure we call btrfs_qgroup_free_refroot() if we fail to allocate an +ordered extent for a COW write. + +Fixes: 7dbeaad0af7d ("btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Boris Burkov +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +[ adjust to code movements ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ordered-data.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/ordered-data.c ++++ b/fs/btrfs/ordered-data.c +@@ -173,9 +173,10 @@ int btrfs_add_ordered_extent(struct btrf + struct btrfs_ordered_extent *entry; + int ret; + u64 qgroup_rsv = 0; ++ const bool is_nocow = (flags & ++ ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC))); + +- if (flags & +- ((1 << BTRFS_ORDERED_NOCOW) | (1 << BTRFS_ORDERED_PREALLOC))) { ++ if (is_nocow) { + /* For nocow write, we can release the qgroup rsv right now */ + ret = btrfs_qgroup_free_data(inode, NULL, file_offset, num_bytes, &qgroup_rsv); + if (ret < 0) +@@ -191,8 +192,13 @@ int btrfs_add_ordered_extent(struct btrf + return ret; + } + entry = kmem_cache_zalloc(btrfs_ordered_extent_cache, GFP_NOFS); +- if (!entry) ++ if (!entry) { ++ if (!is_nocow) ++ btrfs_qgroup_free_refroot(inode->root->fs_info, ++ btrfs_root_id(inode->root), ++ qgroup_rsv, BTRFS_QGROUP_RSV_DATA); + return -ENOMEM; ++ } + + entry->file_offset = file_offset; + entry->num_bytes = num_bytes; diff --git a/queue-6.1/btrfs-populate-otime-when-logging-an-inode-item.patch b/queue-6.1/btrfs-populate-otime-when-logging-an-inode-item.patch new file mode 100644 index 0000000000..30d93ab6f6 --- /dev/null +++ b/queue-6.1/btrfs-populate-otime-when-logging-an-inode-item.patch @@ -0,0 +1,116 @@ +From stable+bounces-171772-greg=kroah.com@vger.kernel.org Tue Aug 19 13:59:43 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 07:55:40 -0400 +Subject: btrfs: populate otime when logging an inode item +To: stable@vger.kernel.org +Cc: Qu Wenruo , Filipe Manana , David Sterba , Sasha Levin +Message-ID: <20250819115540.449133-1-sashal@kernel.org> + +From: Qu Wenruo + +[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ] + +[TEST FAILURE WITH EXPERIMENTAL FEATURES] +When running test case generic/508, the test case will fail with the new +btrfs shutdown support: + +generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad) +# --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930 +# +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930 +# @@ -1,2 +1,6 @@ +# QA output created by 508 +# Silence is golden +# +Before: +# +After : stat.btime = Thu Jan 1 09:30:00 1970 +# +Before: +# +After : stat.btime = Wed Jul 2 14:53:22 2025 +# ... +# (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff) +Ran: generic/508 +Failures: generic/508 +Failed 1 of 1 tests + +Please note that the test case requires shutdown support, thus the test +case will be skipped using the current upstream kernel, as it doesn't +have shutdown ioctl support. + +[CAUSE] +The direct cause the 0 time stamp in the log tree: + +leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG +leaf 30507008 flags 0x1(WRITTEN) backref revision 1 +checksum stored e522548d +checksum calced e522548d +fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 +chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 + item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 + generation 9 transid 9 size 0 nbytes 0 + block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 + sequence 1 flags 0x0(none) + atime 1751432947.492000000 (2025-07-02 14:39:07) + ctime 1751432947.492000000 (2025-07-02 14:39:07) + mtime 1751432947.492000000 (2025-07-02 14:39:07) + otime 0.0 (1970-01-01 09:30:00) <<< + +But the old fs tree has all the correct time stamp: + +btrfs-progs v6.12 +fs tree key (FS_TREE ROOT_ITEM 0) +leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE +leaf 30425088 flags 0x1(WRITTEN) backref revision 1 +checksum stored 48f6c57e +checksum calced 48f6c57e +fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 +chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 + item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 + generation 3 transid 0 size 0 nbytes 16384 + block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 + sequence 0 flags 0x0(none) + atime 1751432947.0 (2025-07-02 14:39:07) + ctime 1751432947.0 (2025-07-02 14:39:07) + mtime 1751432947.0 (2025-07-02 14:39:07) + otime 1751432947.0 (2025-07-02 14:39:07) <<< + +The root cause is that fill_inode_item() in tree-log.c is only +populating a/c/m time, not the otime (or btime in statx output). + +Part of the reason is that, the vfs inode only has a/c/m time, no native +btime support yet. + +[FIX] +Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and +btrfs_inode::i_otime_nsec. + +So what we really need is just fill the otime time stamp in +fill_inode_item() of tree-log.c + +There is another fill_inode_item() in inode.c, which is doing the proper +otime population. + +Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing") +CC: stable@vger.kernel.org +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ timespec changes in older tree ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4210,6 +4210,11 @@ static void fill_inode_item(struct btrfs + btrfs_set_token_timespec_nsec(&token, &item->ctime, + inode->i_ctime.tv_nsec); + ++ btrfs_set_token_timespec_sec(&token, &item->otime, ++ BTRFS_I(inode)->i_otime.tv_sec); ++ btrfs_set_token_timespec_nsec(&token, &item->otime, ++ BTRFS_I(inode)->i_otime.tv_nsec); ++ + /* + * We do not need to set the nbytes field, in fact during a fast fsync + * its value may not even be correct, since a fast fsync does not wait diff --git a/queue-6.1/btrfs-qgroup-fix-race-between-quota-disable-and-quota-rescan-ioctl.patch b/queue-6.1/btrfs-qgroup-fix-race-between-quota-disable-and-quota-rescan-ioctl.patch new file mode 100644 index 0000000000..651371829b --- /dev/null +++ b/queue-6.1/btrfs-qgroup-fix-race-between-quota-disable-and-quota-rescan-ioctl.patch @@ -0,0 +1,113 @@ +From stable+bounces-171685-greg=kroah.com@vger.kernel.org Tue Aug 19 02:17:01 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 20:16:51 -0400 +Subject: btrfs: qgroup: fix race between quota disable and quota rescan ioctl +To: stable@vger.kernel.org +Cc: Filipe Manana , cen zhang , Boris Burkov , Qu Wenruo , David Sterba , Sasha Levin +Message-ID: <20250819001651.204498-1-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit e1249667750399a48cafcf5945761d39fa584edf ] + +There's a race between a task disabling quotas and another running the +rescan ioctl that can result in a use-after-free of qgroup records from +the fs_info->qgroup_tree rbtree. + +This happens as follows: + +1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan(); + +2) Task B enters btrfs_quota_disable() and calls + btrfs_qgroup_wait_for_completion(), which does nothing because at that + point fs_info->qgroup_rescan_running is false (it wasn't set yet by + task A); + +3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups + from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock; + +4) Task A enters qgroup_rescan_zero_tracking() which starts iterating + the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock, + but task B is freeing qgroup records from that tree without holding + the lock, resulting in a use-after-free. + +Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config(). +Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas +were already disabled. + +Reported-by: cen zhang +Link: https://lore.kernel.org/linux-btrfs/CAFRLqsV+cMDETFuzqdKSHk_FDm6tneea45krsHqPD6B3FetLpQ@mail.gmail.com/ +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Boris Burkov +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +[ Check for BTRFS_FS_QUOTA_ENABLED, instead of btrfs_qgroup_full_accounting() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 31 ++++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -573,22 +573,30 @@ bool btrfs_check_quota_leak(struct btrfs + + /* + * This is called from close_ctree() or open_ctree() or btrfs_quota_disable(), +- * first two are in single-threaded paths.And for the third one, we have set +- * quota_root to be null with qgroup_lock held before, so it is safe to clean +- * up the in-memory structures without qgroup_lock held. ++ * first two are in single-threaded paths. + */ + void btrfs_free_qgroup_config(struct btrfs_fs_info *fs_info) + { + struct rb_node *n; + struct btrfs_qgroup *qgroup; + ++ /* ++ * btrfs_quota_disable() can be called concurrently with ++ * btrfs_qgroup_rescan() -> qgroup_rescan_zero_tracking(), so take the ++ * lock. ++ */ ++ spin_lock(&fs_info->qgroup_lock); + while ((n = rb_first(&fs_info->qgroup_tree))) { + qgroup = rb_entry(n, struct btrfs_qgroup, node); + rb_erase(n, &fs_info->qgroup_tree); + __del_qgroup_rb(fs_info, qgroup); ++ spin_unlock(&fs_info->qgroup_lock); + btrfs_sysfs_del_one_qgroup(fs_info, qgroup); + kfree(qgroup); ++ spin_lock(&fs_info->qgroup_lock); + } ++ spin_unlock(&fs_info->qgroup_lock); ++ + /* + * We call btrfs_free_qgroup_config() when unmounting + * filesystem and disabling quota, so we set qgroup_ulist +@@ -3597,12 +3605,21 @@ btrfs_qgroup_rescan(struct btrfs_fs_info + qgroup_rescan_zero_tracking(fs_info); + + mutex_lock(&fs_info->qgroup_rescan_lock); +- fs_info->qgroup_rescan_running = true; +- btrfs_queue_work(fs_info->qgroup_rescan_workers, +- &fs_info->qgroup_rescan_work); ++ /* ++ * The rescan worker is only for full accounting qgroups, check if it's ++ * enabled as it is pointless to queue it otherwise. A concurrent quota ++ * disable may also have just cleared BTRFS_FS_QUOTA_ENABLED. ++ */ ++ if (test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) { ++ fs_info->qgroup_rescan_running = true; ++ btrfs_queue_work(fs_info->qgroup_rescan_workers, ++ &fs_info->qgroup_rescan_work); ++ } else { ++ ret = -ENOTCONN; ++ } + mutex_unlock(&fs_info->qgroup_rescan_lock); + +- return 0; ++ return ret; + } + + int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info, diff --git a/queue-6.1/btrfs-send-use-fallocate-for-hole-punching-with-send-stream-v2.patch b/queue-6.1/btrfs-send-use-fallocate-for-hole-punching-with-send-stream-v2.patch new file mode 100644 index 0000000000..f037b5351d --- /dev/null +++ b/queue-6.1/btrfs-send-use-fallocate-for-hole-punching-with-send-stream-v2.patch @@ -0,0 +1,121 @@ +From stable+bounces-171741-greg=kroah.com@vger.kernel.org Tue Aug 19 05:18:57 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 23:18:42 -0400 +Subject: btrfs: send: use fallocate for hole punching with send stream v2 +To: stable@vger.kernel.org +Cc: Filipe Manana , Boris Burkov , David Sterba , Sasha Levin +Message-ID: <20250819031842.309897-1-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit 005b0a0c24e1628313e951516b675109a92cacfe ] + +Currently holes are sent as writes full of zeroes, which results in +unnecessarily using disk space at the receiving end and increasing the +stream size. + +In some cases we avoid sending writes of zeroes, like during a full +send operation where we just skip writes for holes. + +But for some cases we fill previous holes with writes of zeroes too, like +in this scenario: + +1) We have a file with a hole in the range [2M, 3M), we snapshot the + subvolume and do a full send. The range [2M, 3M) stays as a hole at + the receiver since we skip sending write commands full of zeroes; + +2) We punch a hole for the range [3M, 4M) in our file, so that now it + has a 2M hole in the range [2M, 4M), and snapshot the subvolume. + Now if we do an incremental send, we will send write commands full + of zeroes for the range [2M, 4M), removing the hole for [2M, 3M) at + the receiver. + +We could improve cases such as this last one by doing additional +comparisons of file extent items (or their absence) between the parent +and send snapshots, but that's a lot of code to add plus additional CPU +and IO costs. + +Since the send stream v2 already has a fallocate command and btrfs-progs +implements a callback to execute fallocate since the send stream v2 +support was added to it, update the kernel to use fallocate for punching +holes for V2+ streams. + +Test coverage is provided by btrfs/284 which is a version of btrfs/007 +that exercises send stream v2 instead of v1, using fsstress with random +operations and fssum to verify file contents. + +Link: https://github.com/kdave/btrfs-progs/issues/1001 +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Boris Burkov +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ Replaced get_cur_inode_path() with fs_path_alloc() and get_cur_path() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/send.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -4,6 +4,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -5231,6 +5232,36 @@ out: + return ret; + } + ++static int send_fallocate(struct send_ctx *sctx, u32 mode, u64 offset, u64 len) ++{ ++ struct fs_path *p; ++ int ret; ++ ++ p = fs_path_alloc(); ++ if (!p) ++ return -ENOMEM; ++ ++ ret = get_cur_path(sctx, sctx->cur_ino, sctx->cur_inode_gen, p); ++ if (ret < 0) ++ goto out; ++ ++ ret = begin_cmd(sctx, BTRFS_SEND_C_FALLOCATE); ++ if (ret < 0) ++ goto out; ++ ++ TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, p); ++ TLV_PUT_U32(sctx, BTRFS_SEND_A_FALLOCATE_MODE, mode); ++ TLV_PUT_U64(sctx, BTRFS_SEND_A_FILE_OFFSET, offset); ++ TLV_PUT_U64(sctx, BTRFS_SEND_A_SIZE, len); ++ ++ ret = send_cmd(sctx); ++ ++tlv_put_failure: ++out: ++ fs_path_free(p); ++ return ret; ++} ++ + static int send_hole(struct send_ctx *sctx, u64 end) + { + struct fs_path *p = NULL; +@@ -5239,6 +5270,14 @@ static int send_hole(struct send_ctx *sc + int ret = 0; + + /* ++ * Starting with send stream v2 we have fallocate and can use it to ++ * punch holes instead of sending writes full of zeroes. ++ */ ++ if (proto_cmd_ok(sctx, BTRFS_SEND_C_FALLOCATE)) ++ return send_fallocate(sctx, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, ++ offset, end - offset); ++ ++ /* + * A hole that starts at EOF or beyond it. Since we do not yet support + * fallocate (for extent preallocation and hole punching), sending a + * write of zeroes starting at EOF or beyond would later require issuing diff --git a/queue-6.1/cifs-reset-iface-weights-when-we-cannot-find-a-candidate.patch b/queue-6.1/cifs-reset-iface-weights-when-we-cannot-find-a-candidate.patch new file mode 100644 index 0000000000..fb1001b865 --- /dev/null +++ b/queue-6.1/cifs-reset-iface-weights-when-we-cannot-find-a-candidate.patch @@ -0,0 +1,66 @@ +From stable+bounces-171637-greg=kroah.com@vger.kernel.org Mon Aug 18 20:41:41 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 14:40:33 -0400 +Subject: cifs: reset iface weights when we cannot find a candidate +To: stable@vger.kernel.org +Cc: Shyam Prasad N , Steve French , Sasha Levin +Message-ID: <20250818184033.23573-1-sashal@kernel.org> + +From: Shyam Prasad N + +[ Upstream commit 9d5eff7821f6d70f7d1b4d8a60680fba4de868a7 ] + +We now do a weighted selection of server interfaces when allocating +new channels. The weights are decided based on the speed advertised. +The fulfilled weight for an interface is a counter that is used to +track the interface selection. It should be reset back to zero once +all interfaces fulfilling their weight. + +In cifs_chan_update_iface, this reset logic was missing. As a result +when the server interface list changes, the client may not be able +to find a new candidate for other channels after all interfaces have +been fulfilled. + +Fixes: a6d8fb54a515 ("cifs: distribute channels across interfaces based on speed") +Cc: +Signed-off-by: Shyam Prasad N +Signed-off-by: Steve French +[ Kept both int rc and int retry variables ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/sess.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/smb/client/sess.c ++++ b/fs/smb/client/sess.c +@@ -292,6 +292,7 @@ cifs_chan_update_iface(struct cifs_ses * + struct cifs_server_iface *last_iface = NULL; + struct sockaddr_storage ss; + int rc = 0; ++ int retry = 0; + + spin_lock(&ses->chan_lock); + chan_index = cifs_ses_get_chan_index(ses, server); +@@ -320,6 +321,7 @@ cifs_chan_update_iface(struct cifs_ses * + return 0; + } + ++try_again: + last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, + iface_head); + iface_min_speed = last_iface->speed; +@@ -358,6 +360,13 @@ cifs_chan_update_iface(struct cifs_ses * + + if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { + rc = 1; ++ list_for_each_entry(iface, &ses->iface_list, iface_head) ++ iface->weight_fulfilled = 0; ++ ++ /* see if it can be satisfied in second attempt */ ++ if (!retry++) ++ goto try_again; ++ + iface = NULL; + cifs_dbg(FYI, "unable to find a suitable iface\n"); + } diff --git a/queue-6.1/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch b/queue-6.1/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch new file mode 100644 index 0000000000..b69579ceae --- /dev/null +++ b/queue-6.1/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch @@ -0,0 +1,82 @@ +From stable+bounces-165094-greg=kroah.com@vger.kernel.org Tue Jul 29 17:53:59 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 11:53:49 -0400 +Subject: drm/sched: Remove optimization that causes hang when killing dependent jobs +To: stable@vger.kernel.org +Cc: "Lin.Cao" , "Christian König" , "Philipp Stanner" , "Sasha Levin" +Message-ID: <20250729155349.2739128-1-sashal@kernel.org> + +From: "Lin.Cao" + +[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ] + +When application A submits jobs and application B submits a job with a +dependency on A's fence, the normal flow wakes up the scheduler after +processing each job. However, the optimization in +drm_sched_entity_add_dependency_cb() uses a callback that only clears +dependencies without waking up the scheduler. + +When application A is killed before its jobs can run, the callback gets +triggered but only clears the dependency without waking up the scheduler, +causing the scheduler to enter sleep state and application B to hang. + +Remove the optimization by deleting drm_sched_entity_clear_dep() and its +usage, ensuring the scheduler is always woken up when dependencies are +cleared. + +Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler") +Cc: stable@vger.kernel.org # v4.6+ +Signed-off-by: Lin.Cao +Reviewed-by: Christian König +Signed-off-by: Philipp Stanner +Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 21 ++------------------- + 1 file changed, 2 insertions(+), 19 deletions(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -327,17 +327,6 @@ void drm_sched_entity_destroy(struct drm + } + EXPORT_SYMBOL(drm_sched_entity_destroy); + +-/* drm_sched_entity_clear_dep - callback to clear the entities dependency */ +-static void drm_sched_entity_clear_dep(struct dma_fence *f, +- struct dma_fence_cb *cb) +-{ +- struct drm_sched_entity *entity = +- container_of(cb, struct drm_sched_entity, cb); +- +- entity->dependency = NULL; +- dma_fence_put(f); +-} +- + /* + * drm_sched_entity_clear_dep - callback to clear the entities dependency and + * wake up scheduler +@@ -348,7 +337,8 @@ static void drm_sched_entity_wakeup(stru + struct drm_sched_entity *entity = + container_of(cb, struct drm_sched_entity, cb); + +- drm_sched_entity_clear_dep(f, cb); ++ entity->dependency = NULL; ++ dma_fence_put(f); + drm_sched_wakeup(entity->rq->sched); + } + +@@ -401,13 +391,6 @@ static bool drm_sched_entity_add_depende + fence = dma_fence_get(&s_fence->scheduled); + dma_fence_put(entity->dependency); + entity->dependency = fence; +- if (!dma_fence_add_callback(fence, &entity->cb, +- drm_sched_entity_clear_dep)) +- return true; +- +- /* Ignore it when it is already scheduled */ +- dma_fence_put(fence); +- return false; + } + + if (!dma_fence_add_callback(entity->dependency, &entity->cb, diff --git a/queue-6.1/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch b/queue-6.1/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch new file mode 100644 index 0000000000..000fb18659 --- /dev/null +++ b/queue-6.1/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch @@ -0,0 +1,106 @@ +From stable+bounces-164650-greg=kroah.com@vger.kernel.org Thu Jul 24 19:09:26 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 13:09:12 -0400 +Subject: f2fs: fix to do sanity check on ino and xnid +To: stable@vger.kernel.org +Cc: Chao Yu , syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com, Jaegeuk Kim , Sasha Levin +Message-ID: <20250724170912.1405261-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ] + +syzbot reported a f2fs bug as below: + +INFO: task syz-executor140:5308 blocked for more than 143 seconds. + Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 +Call Trace: + + context_switch kernel/sched/core.c:5378 [inline] + __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 + __schedule_loop kernel/sched/core.c:6842 [inline] + schedule+0x14b/0x320 kernel/sched/core.c:6857 + io_schedule+0x8d/0x110 kernel/sched/core.c:7690 + folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 + __folio_lock mm/filemap.c:1664 [inline] + folio_lock include/linux/pagemap.h:1163 [inline] + __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 + pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 + find_get_page_flags include/linux/pagemap.h:842 [inline] + f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 + __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 + read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 + lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] + f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 + __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 + f2fs_acl_create fs/f2fs/acl.c:375 [inline] + f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 + f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 + f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 + f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 + f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 + f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] + f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 + vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 + unix_bind_bsd net/unix/af_unix.c:1286 [inline] + unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 + __sys_bind_socket net/socket.c:1817 [inline] + __sys_bind+0x1e4/0x290 net/socket.c:1848 + __do_sys_bind net/socket.c:1853 [inline] + __se_sys_bind net/socket.c:1851 [inline] + __x64_sys_bind+0x7a/0x90 net/socket.c:1851 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Let's dump and check metadata of corrupted inode, it shows its xattr_nid +is the same to its i_ino. + +dump.f2fs -i 3 chaseyu.img.raw +i_xattr_nid [0x 3 : 3] + +So that, during mknod in the corrupted directory, it tries to get and +lock inode page twice, result in deadlock. + +- f2fs_mknod + - f2fs_add_inline_entry + - f2fs_get_inode_page --- lock dir's inode page + - f2fs_init_acl + - f2fs_acl_create(dir,..) + - __f2fs_get_acl + - f2fs_getxattr + - lookup_all_xattrs + - __get_node_page --- try to lock dir's inode page + +In order to fix this, let's add sanity check on ino and xnid. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -210,6 +210,13 @@ static bool sanity_check_inode(struct in + return false; + } + ++ if (ino_of_node(node_page) == fi->i_xattr_nid) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.", ++ __func__, inode->i_ino, fi->i_xattr_nid); ++ return false; ++ } ++ + if (f2fs_sb_has_flexible_inline_xattr(sbi) + && !f2fs_has_extra_attr(inode)) { + set_sbi_flag(sbi, SBI_NEED_FSCK); diff --git a/queue-6.1/fscrypt-don-t-use-problematic-non-inline-crypto-engines.patch b/queue-6.1/fscrypt-don-t-use-problematic-non-inline-crypto-engines.patch new file mode 100644 index 0000000000..374971c6e3 --- /dev/null +++ b/queue-6.1/fscrypt-don-t-use-problematic-non-inline-crypto-engines.patch @@ -0,0 +1,188 @@ +From stable+bounces-169828-greg=kroah.com@vger.kernel.org Sat Aug 16 00:10:04 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 18:07:29 -0400 +Subject: fscrypt: Don't use problematic non-inline crypto engines +To: stable@vger.kernel.org +Cc: Eric Biggers , Ard Biesheuvel , Sasha Levin +Message-ID: <20250815220729.247859-1-sashal@kernel.org> + +From: Eric Biggers + +[ Upstream commit b41c1d8d07906786c60893980d52688f31d114a6 ] + +Make fscrypt no longer use Crypto API drivers for non-inline crypto +engines, even when the Crypto API prioritizes them over CPU-based code +(which unfortunately it often does). These drivers tend to be really +problematic, especially for fscrypt's workload. This commit has no +effect on inline crypto engines, which are different and do work well. + +Specifically, exclude drivers that have CRYPTO_ALG_KERN_DRIVER_ONLY or +CRYPTO_ALG_ALLOCATES_MEMORY set. (Later, CRYPTO_ALG_ASYNC should be +excluded too. That's omitted for now to keep this commit backportable, +since until recently some CPU-based code had CRYPTO_ALG_ASYNC set.) + +There are two major issues with these drivers: bugs and performance. + +First, these drivers tend to be buggy. They're fundamentally much more +error-prone and harder to test than the CPU-based code. They often +don't get tested before kernel releases, and even if they do, the crypto +self-tests don't properly test these drivers. Released drivers have +en/decrypted or hashed data incorrectly. These bugs cause issues for +fscrypt users who often didn't even want to use these drivers, e.g.: + +- https://github.com/google/fscryptctl/issues/32 +- https://github.com/google/fscryptctl/issues/9 +- https://lore.kernel.org/r/PH0PR02MB731916ECDB6C613665863B6CFFAA2@PH0PR02MB7319.namprd02.prod.outlook.com + +These drivers have also similarly caused issues for dm-crypt users, +including data corruption and deadlocks. Since Linux v5.10, dm-crypt +has disabled most of them by excluding CRYPTO_ALG_ALLOCATES_MEMORY. + +Second, these drivers tend to be *much* slower than the CPU-based code. +This may seem counterintuitive, but benchmarks clearly show it. There's +a *lot* of overhead associated with going to a hardware driver, off the +CPU, and back again. To prove this, I gathered as many systems with +this type of crypto engine as I could, and I measured synchronous +encryption of 4096-byte messages (which matches fscrypt's workload): + +Intel Emerald Rapids server: + AES-256-XTS: + xts-aes-vaes-avx512 16171 MB/s [CPU-based, Vector AES] + qat_aes_xts 289 MB/s [Offload, Intel QuickAssist] + +Qualcomm SM8650 HDK: + AES-256-XTS: + xts-aes-ce 4301 MB/s [CPU-based, ARMv8 Crypto Extensions] + xts-aes-qce 73 MB/s [Offload, Qualcomm Crypto Engine] + +i.MX 8M Nano LPDDR4 EVK: + AES-256-XTS: + xts-aes-ce 647 MB/s [CPU-based, ARMv8 Crypto Extensions] + xts(ecb-aes-caam) 20 MB/s [Offload, CAAM] + AES-128-CBC-ESSIV: + essiv(cbc-aes-caam,sha256-lib) 23 MB/s [Offload, CAAM] + +STM32MP157F-DK2: + AES-256-XTS: + xts-aes-neonbs 13.2 MB/s [CPU-based, ARM NEON] + xts(stm32-ecb-aes) 3.1 MB/s [Offload, STM32 crypto engine] + AES-128-CBC-ESSIV: + essiv(cbc-aes-neonbs,sha256-lib) + 14.7 MB/s [CPU-based, ARM NEON] + essiv(stm32-cbc-aes,sha256-lib) + 3.2 MB/s [Offload, STM32 crypto engine] + Adiantum: + adiantum(xchacha12-arm,aes-arm,nhpoly1305-neon) + 52.8 MB/s [CPU-based, ARM scalar + NEON] + +So, there was no case in which the crypto engine was even *close* to +being faster. On the first three, which have AES instructions in the +CPU, the CPU was 30 to 55 times faster (!). Even on STM32MP157F-DK2 +which has a Cortex-A7 CPU that doesn't have AES instructions, AES was +over 4 times faster on the CPU. And Adiantum encryption, which is what +actually should be used on CPUs like that, was over 17 times faster. + +Other justifications that have been given for these non-inline crypto +engines (almost always coming from the hardware vendors, not actual +users) don't seem very plausible either: + + - The crypto engine throughput could be improved by processing + multiple requests concurrently. Currently irrelevant to fscrypt, + since it doesn't do that. This would also be complex, and unhelpful + in many cases. 2 of the 4 engines I tested even had only one queue. + + - Some of the engines, e.g. STM32, support hardware keys. Also + currently irrelevant to fscrypt, since it doesn't support these. + Interestingly, the STM32 driver itself doesn't support this either. + + - Free up CPU for other tasks and/or reduce energy usage. Not very + plausible considering the "short" message length, driver overhead, + and scheduling overhead. There's just very little time for the CPU + to do something else like run another task or enter low-power state, + before the message finishes and it's time to process the next one. + + - Some of these engines resist power analysis and electromagnetic + attacks, while the CPU-based crypto generally does not. In theory, + this sounds great. In practice, if this benefit requires the use of + an off-CPU offload that massively regresses performance and has a + low-quality, buggy driver, the price for this hardening (which is + not relevant to most fscrypt users, and tends to be incomplete) is + just too high. Inline crypto engines are much more promising here, + as are on-CPU solutions like RISC-V High Assurance Cryptography. + +Fixes: b30ab0e03407 ("ext4 crypto: add ext4 encryption facilities") +Cc: stable@vger.kernel.org +Acked-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20250704070322.20692-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +[ Drop some documentation changes ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/crypto/fscrypt_private.h | 17 +++++++++++++++++ + fs/crypto/hkdf.c | 2 +- + fs/crypto/keysetup.c | 3 ++- + fs/crypto/keysetup_v1.c | 3 ++- + 4 files changed, 22 insertions(+), 3 deletions(-) + +--- a/fs/crypto/fscrypt_private.h ++++ b/fs/crypto/fscrypt_private.h +@@ -27,6 +27,23 @@ + */ + #define FSCRYPT_MIN_KEY_SIZE 16 + ++/* ++ * This mask is passed as the third argument to the crypto_alloc_*() functions ++ * to prevent fscrypt from using the Crypto API drivers for non-inline crypto ++ * engines. Those drivers have been problematic for fscrypt. fscrypt users ++ * have reported hangs and even incorrect en/decryption with these drivers. ++ * Since going to the driver, off CPU, and back again is really slow, such ++ * drivers can be over 50 times slower than the CPU-based code for fscrypt's ++ * workload. Even on platforms that lack AES instructions on the CPU, using the ++ * offloads has been shown to be slower, even staying with AES. (Of course, ++ * Adiantum is faster still, and is the recommended option on such platforms...) ++ * ++ * Note that fscrypt also supports inline crypto engines. Those don't use the ++ * Crypto API and work much better than the old-style (non-inline) engines. ++ */ ++#define FSCRYPT_CRYPTOAPI_MASK \ ++ (CRYPTO_ALG_ALLOCATES_MEMORY | CRYPTO_ALG_KERN_DRIVER_ONLY) ++ + #define FSCRYPT_CONTEXT_V1 1 + #define FSCRYPT_CONTEXT_V2 2 + +--- a/fs/crypto/hkdf.c ++++ b/fs/crypto/hkdf.c +@@ -72,7 +72,7 @@ int fscrypt_init_hkdf(struct fscrypt_hkd + u8 prk[HKDF_HASHLEN]; + int err; + +- hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, 0); ++ hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, FSCRYPT_CRYPTOAPI_MASK); + if (IS_ERR(hmac_tfm)) { + fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld", + PTR_ERR(hmac_tfm)); +--- a/fs/crypto/keysetup.c ++++ b/fs/crypto/keysetup.c +@@ -88,7 +88,8 @@ fscrypt_allocate_skcipher(struct fscrypt + struct crypto_skcipher *tfm; + int err; + +- tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0); ++ tfm = crypto_alloc_skcipher(mode->cipher_str, 0, ++ FSCRYPT_CRYPTOAPI_MASK); + if (IS_ERR(tfm)) { + if (PTR_ERR(tfm) == -ENOENT) { + fscrypt_warn(inode, +--- a/fs/crypto/keysetup_v1.c ++++ b/fs/crypto/keysetup_v1.c +@@ -52,7 +52,8 @@ static int derive_key_aes(const u8 *mast + struct skcipher_request *req = NULL; + DECLARE_CRYPTO_WAIT(wait); + struct scatterlist src_sg, dst_sg; +- struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); ++ struct crypto_skcipher *tfm = ++ crypto_alloc_skcipher("ecb(aes)", 0, FSCRYPT_CRYPTOAPI_MASK); + + if (IS_ERR(tfm)) { + res = PTR_ERR(tfm); diff --git a/queue-6.1/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch b/queue-6.1/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch new file mode 100644 index 0000000000..dfc5e4dcc3 --- /dev/null +++ b/queue-6.1/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch @@ -0,0 +1,42 @@ +From stable+bounces-164641-greg=kroah.com@vger.kernel.org Thu Jul 24 18:27:28 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 12:27:07 -0400 +Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation +To: stable@vger.kernel.org +Cc: Zhang Lixu , Srinivas Pandruvada , Jonathan Cameron , Sasha Levin +Message-ID: <20250724162707.1368528-1-sashal@kernel.org> + +From: Zhang Lixu + +[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ] + +The OFFSET calculation in the prox_read_raw() was incorrectly using the +unit exponent, which is intended for SCALE calculations. + +Remove the incorrect OFFSET calculation and set it to a fixed value of 0. + +Cc: stable@vger.kernel.org +Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com +Signed-off-by: Jonathan Cameron +[ adapted prox_attr array access to single structure member access ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/hid-sensor-prox.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/light/hid-sensor-prox.c ++++ b/drivers/iio/light/hid-sensor-prox.c +@@ -103,8 +103,7 @@ static int prox_read_raw(struct iio_dev + ret_type = prox_state->scale_precision; + break; + case IIO_CHAN_INFO_OFFSET: +- *val = hid_sensor_convert_exponent( +- prox_state->prox_attr.unit_expo); ++ *val = 0; + ret_type = IIO_VAL_INT; + break; + case IIO_CHAN_INFO_SAMP_FREQ: diff --git a/queue-6.1/iio-hid-sensor-prox-restore-lost-scale-assignments.patch b/queue-6.1/iio-hid-sensor-prox-restore-lost-scale-assignments.patch new file mode 100644 index 0000000000..8deeff6eac --- /dev/null +++ b/queue-6.1/iio-hid-sensor-prox-restore-lost-scale-assignments.patch @@ -0,0 +1,50 @@ +From stable+bounces-164642-greg=kroah.com@vger.kernel.org Thu Jul 24 18:38:01 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 12:33:24 -0400 +Subject: iio: hid-sensor-prox: Restore lost scale assignments +To: stable@vger.kernel.org +Cc: Zhang Lixu , Srinivas Pandruvada , Jonathan Cameron , Sasha Levin +Message-ID: <20250724163324.1369864-1-sashal@kernel.org> + +From: Zhang Lixu + +[ Upstream commit 83ded7cfaccccd2f4041769c313b58b4c9e265ad ] + +The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision` +were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not +correct issue"), but due to a merge conflict in +commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of +https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"), +these assignments were lost. + +Add back lost assignments and replace `st->prox_attr` with +`st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add +support for more channels") changed `prox_attr` to an array. + +Cc: stable@vger.kernel.org # 5.13+ +Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next") +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com +Signed-off-by: Jonathan Cameron +[ changed st->prox_attr[0] array access to st->prox_attr single struct member ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/hid-sensor-prox.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/iio/light/hid-sensor-prox.c ++++ b/drivers/iio/light/hid-sensor-prox.c +@@ -222,6 +222,11 @@ static int prox_parse_report(struct plat + dev_dbg(&pdev->dev, "prox %x:%x\n", st->prox_attr.index, + st->prox_attr.report_id); + ++ st->scale_precision = hid_sensor_format_scale(hsdev->usage, ++ &st->prox_attr, ++ &st->scale_pre_decml, ++ &st->scale_post_decml); ++ + return ret; + } + diff --git a/queue-6.1/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch b/queue-6.1/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch new file mode 100644 index 0000000000..fdc0107ffb --- /dev/null +++ b/queue-6.1/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch @@ -0,0 +1,201 @@ +From stable+bounces-171813-greg=kroah.com@vger.kernel.org Tue Aug 19 17:19:35 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 11:16:16 -0400 +Subject: media: venus: Fix OOB read due to missing payload bound check +To: stable@vger.kernel.org +Cc: Vedang Nagar , Vikash Garodia , Bryan O'Donoghue , Dikshita Agarwal , Bryan O'Donoghue , Hans Verkuil , Sasha Levin +Message-ID: <20250819151616.535142-2-sashal@kernel.org> + +From: Vedang Nagar + +[ Upstream commit 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 ] + +Currently, The event_seq_changed() handler processes a variable number +of properties sent by the firmware. The number of properties is indicated +by the firmware and used to iterate over the payload. However, the +payload size is not being validated against the actual message length. + +This can lead to out-of-bounds memory access if the firmware provides a +property count that exceeds the data available in the payload. Such a +condition can result in kernel crashes or potential information leaks if +memory beyond the buffer is accessed. + +Fix this by properly validating the remaining size of the payload before +each property access and updating bounds accordingly as properties are +parsed. + +This ensures that property parsing is safely bounded within the received +message buffer and protects against malformed or malicious firmware +behavior. + +Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") +Cc: stable@vger.kernel.org +Signed-off-by: Vedang Nagar +Reviewed-by: Vikash Garodia +Reviewed-by: Bryan O'Donoghue +Co-developed-by: Dikshita Agarwal +Signed-off-by: Dikshita Agarwal +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_msgs.c | 83 ++++++++++++++++++--------- + 1 file changed, 58 insertions(+), 25 deletions(-) + +--- a/drivers/media/platform/qcom/venus/hfi_msgs.c ++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c +@@ -33,8 +33,9 @@ static void event_seq_changed(struct ven + struct hfi_buffer_requirements *bufreq; + struct hfi_extradata_input_crop *crop; + struct hfi_dpb_counts *dpb_count; ++ u32 ptype, rem_bytes; ++ u32 size_read = 0; + u8 *data_ptr; +- u32 ptype; + + inst->error = HFI_ERR_NONE; + +@@ -44,86 +45,118 @@ static void event_seq_changed(struct ven + break; + default: + inst->error = HFI_ERR_SESSION_INVALID_PARAMETER; +- goto done; ++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); ++ return; + } + + event.event_type = pkt->event_data1; + + num_properties_changed = pkt->event_data2; +- if (!num_properties_changed) { +- inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; +- goto done; +- } ++ if (!num_properties_changed) ++ goto error; + + data_ptr = (u8 *)&pkt->ext_event_data[0]; ++ rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt); ++ + do { ++ if (rem_bytes < sizeof(u32)) ++ goto error; + ptype = *((u32 *)data_ptr); ++ ++ data_ptr += sizeof(u32); ++ rem_bytes -= sizeof(u32); ++ + switch (ptype) { + case HFI_PROPERTY_PARAM_FRAME_SIZE: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_framesize)) ++ goto error; ++ + frame_sz = (struct hfi_framesize *)data_ptr; + event.width = frame_sz->width; + event.height = frame_sz->height; +- data_ptr += sizeof(*frame_sz); ++ size_read = sizeof(struct hfi_framesize); + break; + case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_profile_level)) ++ goto error; ++ + profile_level = (struct hfi_profile_level *)data_ptr; + event.profile = profile_level->profile; + event.level = profile_level->level; +- data_ptr += sizeof(*profile_level); ++ size_read = sizeof(struct hfi_profile_level); + break; + case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_bit_depth)) ++ goto error; ++ + pixel_depth = (struct hfi_bit_depth *)data_ptr; + event.bit_depth = pixel_depth->bit_depth; +- data_ptr += sizeof(*pixel_depth); ++ size_read = sizeof(struct hfi_bit_depth); + break; + case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_pic_struct)) ++ goto error; ++ + pic_struct = (struct hfi_pic_struct *)data_ptr; + event.pic_struct = pic_struct->progressive_only; +- data_ptr += sizeof(*pic_struct); ++ size_read = sizeof(struct hfi_pic_struct); + break; + case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_colour_space)) ++ goto error; ++ + colour_info = (struct hfi_colour_space *)data_ptr; + event.colour_space = colour_info->colour_space; +- data_ptr += sizeof(*colour_info); ++ size_read = sizeof(struct hfi_colour_space); + break; + case HFI_PROPERTY_CONFIG_VDEC_ENTROPY: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(u32)) ++ goto error; ++ + event.entropy_mode = *(u32 *)data_ptr; +- data_ptr += sizeof(u32); ++ size_read = sizeof(u32); + break; + case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_buffer_requirements)) ++ goto error; ++ + bufreq = (struct hfi_buffer_requirements *)data_ptr; + event.buf_count = hfi_bufreq_get_count_min(bufreq, ver); +- data_ptr += sizeof(*bufreq); ++ size_read = sizeof(struct hfi_buffer_requirements); + break; + case HFI_INDEX_EXTRADATA_INPUT_CROP: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_extradata_input_crop)) ++ goto error; ++ + crop = (struct hfi_extradata_input_crop *)data_ptr; + event.input_crop.left = crop->left; + event.input_crop.top = crop->top; + event.input_crop.width = crop->width; + event.input_crop.height = crop->height; +- data_ptr += sizeof(*crop); ++ size_read = sizeof(struct hfi_extradata_input_crop); + break; + case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_dpb_counts)) ++ goto error; ++ + dpb_count = (struct hfi_dpb_counts *)data_ptr; + event.buf_count = dpb_count->fw_min_cnt; +- data_ptr += sizeof(*dpb_count); ++ size_read = sizeof(struct hfi_dpb_counts); + break; + default: ++ size_read = 0; + break; + } ++ data_ptr += size_read; ++ rem_bytes -= size_read; + num_properties_changed--; + } while (num_properties_changed > 0); + +-done: ++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); ++ return; ++ ++error: ++ inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + } + diff --git a/queue-6.1/media-venus-introduce-accessors-for-remapped-hfi_buffer_reqs-members.patch b/queue-6.1/media-venus-introduce-accessors-for-remapped-hfi_buffer_reqs-members.patch new file mode 100644 index 0000000000..4d8531c6c6 --- /dev/null +++ b/queue-6.1/media-venus-introduce-accessors-for-remapped-hfi_buffer_reqs-members.patch @@ -0,0 +1,209 @@ +From stable+bounces-171812-greg=kroah.com@vger.kernel.org Tue Aug 19 17:16:28 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 11:16:15 -0400 +Subject: media: venus: Introduce accessors for remapped hfi_buffer_reqs members +To: stable@vger.kernel.org +Cc: Konrad Dybcio , Bryan O'Donoghue , Stanimir Varbanov , Hans Verkuil , Sasha Levin +Message-ID: <20250819151616.535142-1-sashal@kernel.org> + +From: Konrad Dybcio + +[ Upstream commit bbfc89e6f67ccb1ddefc3e8a284248bcfea58544 ] + +Currently we have macros to access these, but they don't provide a +way to override the remapped fields. Replace the macros with actual +get/set pairs to fix that. + +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Konrad Dybcio +Signed-off-by: Stanimir Varbanov +Signed-off-by: Hans Verkuil +Stable-dep-of: 06d6770ff0d8 ("media: venus: Fix OOB read due to missing payload bound check") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/helpers.c | 2 + drivers/media/platform/qcom/venus/hfi_helper.h | 61 +++++++++++++++++++++---- + drivers/media/platform/qcom/venus/hfi_msgs.c | 2 + drivers/media/platform/qcom/venus/vdec.c | 8 +-- + drivers/media/platform/qcom/venus/vdec_ctrls.c | 2 + drivers/media/platform/qcom/venus/venc.c | 4 - + drivers/media/platform/qcom/venus/venc_ctrls.c | 2 + 7 files changed, 63 insertions(+), 18 deletions(-) + +--- a/drivers/media/platform/qcom/venus/helpers.c ++++ b/drivers/media/platform/qcom/venus/helpers.c +@@ -189,7 +189,7 @@ int venus_helper_alloc_dpb_bufs(struct v + if (ret) + return ret; + +- count = HFI_BUFREQ_COUNT_MIN(&bufreq, ver); ++ count = hfi_bufreq_get_count_min(&bufreq, ver); + + for (i = 0; i < count; i++) { + buf = kzalloc(sizeof(*buf), GFP_KERNEL); +--- a/drivers/media/platform/qcom/venus/hfi_helper.h ++++ b/drivers/media/platform/qcom/venus/hfi_helper.h +@@ -1150,14 +1150,6 @@ struct hfi_buffer_display_hold_count_act + u32 hold_count; + }; + +-/* HFI 4XX reorder the fields, use these macros */ +-#define HFI_BUFREQ_HOLD_COUNT(bufreq, ver) \ +- ((ver) == HFI_VERSION_4XX ? 0 : (bufreq)->hold_count) +-#define HFI_BUFREQ_COUNT_MIN(bufreq, ver) \ +- ((ver) == HFI_VERSION_4XX ? (bufreq)->hold_count : (bufreq)->count_min) +-#define HFI_BUFREQ_COUNT_MIN_HOST(bufreq, ver) \ +- ((ver) == HFI_VERSION_4XX ? (bufreq)->count_min : 0) +- + struct hfi_buffer_requirements { + u32 type; + u32 size; +@@ -1169,6 +1161,59 @@ struct hfi_buffer_requirements { + u32 alignment; + }; + ++/* On HFI 4XX, some of the struct members have been swapped. */ ++static inline u32 hfi_bufreq_get_hold_count(struct hfi_buffer_requirements *req, ++ u32 ver) ++{ ++ if (ver == HFI_VERSION_4XX) ++ return 0; ++ ++ return req->hold_count; ++}; ++ ++static inline u32 hfi_bufreq_get_count_min(struct hfi_buffer_requirements *req, ++ u32 ver) ++{ ++ if (ver == HFI_VERSION_4XX) ++ return req->hold_count; ++ ++ return req->count_min; ++}; ++ ++static inline u32 hfi_bufreq_get_count_min_host(struct hfi_buffer_requirements *req, ++ u32 ver) ++{ ++ if (ver == HFI_VERSION_4XX) ++ return req->count_min; ++ ++ return 0; ++}; ++ ++static inline void hfi_bufreq_set_hold_count(struct hfi_buffer_requirements *req, ++ u32 ver, u32 val) ++{ ++ if (ver == HFI_VERSION_4XX) ++ return; ++ ++ req->hold_count = val; ++}; ++ ++static inline void hfi_bufreq_set_count_min(struct hfi_buffer_requirements *req, ++ u32 ver, u32 val) ++{ ++ if (ver == HFI_VERSION_4XX) ++ req->hold_count = val; ++ ++ req->count_min = val; ++}; ++ ++static inline void hfi_bufreq_set_count_min_host(struct hfi_buffer_requirements *req, ++ u32 ver, u32 val) ++{ ++ if (ver == HFI_VERSION_4XX) ++ req->count_min = val; ++}; ++ + struct hfi_data_payload { + u32 size; + u8 data[1]; +--- a/drivers/media/platform/qcom/venus/hfi_msgs.c ++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c +@@ -99,7 +99,7 @@ static void event_seq_changed(struct ven + case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: + data_ptr += sizeof(u32); + bufreq = (struct hfi_buffer_requirements *)data_ptr; +- event.buf_count = HFI_BUFREQ_COUNT_MIN(bufreq, ver); ++ event.buf_count = hfi_bufreq_get_count_min(bufreq, ver); + data_ptr += sizeof(*bufreq); + break; + case HFI_INDEX_EXTRADATA_INPUT_CROP: +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -864,13 +864,13 @@ static int vdec_num_buffers(struct venus + if (ret) + return ret; + +- *in_num = HFI_BUFREQ_COUNT_MIN(&bufreq, ver); ++ *in_num = hfi_bufreq_get_count_min(&bufreq, ver); + + ret = venus_helper_get_bufreq(inst, HFI_BUFFER_OUTPUT, &bufreq); + if (ret) + return ret; + +- *out_num = HFI_BUFREQ_COUNT_MIN(&bufreq, ver); ++ *out_num = hfi_bufreq_get_count_min(&bufreq, ver); + + return 0; + } +@@ -984,14 +984,14 @@ static int vdec_verify_conf(struct venus + return ret; + + if (inst->num_output_bufs < bufreq.count_actual || +- inst->num_output_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver)) ++ inst->num_output_bufs < hfi_bufreq_get_count_min(&bufreq, ver)) + return -EINVAL; + + ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq); + if (ret) + return ret; + +- if (inst->num_input_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver)) ++ if (inst->num_input_bufs < hfi_bufreq_get_count_min(&bufreq, ver)) + return -EINVAL; + + return 0; +--- a/drivers/media/platform/qcom/venus/vdec_ctrls.c ++++ b/drivers/media/platform/qcom/venus/vdec_ctrls.c +@@ -79,7 +79,7 @@ static int vdec_op_g_volatile_ctrl(struc + case V4L2_CID_MIN_BUFFERS_FOR_CAPTURE: + ret = venus_helper_get_bufreq(inst, HFI_BUFFER_OUTPUT, &bufreq); + if (!ret) +- ctrl->val = HFI_BUFREQ_COUNT_MIN(&bufreq, ver); ++ ctrl->val = hfi_bufreq_get_count_min(&bufreq, ver); + break; + default: + return -EINVAL; +--- a/drivers/media/platform/qcom/venus/venc.c ++++ b/drivers/media/platform/qcom/venus/venc.c +@@ -1176,7 +1176,7 @@ static int venc_verify_conf(struct venus + return ret; + + if (inst->num_output_bufs < bufreq.count_actual || +- inst->num_output_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver)) ++ inst->num_output_bufs < hfi_bufreq_get_count_min(&bufreq, ver)) + return -EINVAL; + + ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq); +@@ -1184,7 +1184,7 @@ static int venc_verify_conf(struct venus + return ret; + + if (inst->num_input_bufs < bufreq.count_actual || +- inst->num_input_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver)) ++ inst->num_input_bufs < hfi_bufreq_get_count_min(&bufreq, ver)) + return -EINVAL; + + return 0; +--- a/drivers/media/platform/qcom/venus/venc_ctrls.c ++++ b/drivers/media/platform/qcom/venus/venc_ctrls.c +@@ -358,7 +358,7 @@ static int venc_op_g_volatile_ctrl(struc + case V4L2_CID_MIN_BUFFERS_FOR_OUTPUT: + ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq); + if (!ret) +- ctrl->val = HFI_BUFREQ_COUNT_MIN(&bufreq, ver); ++ ctrl->val = hfi_bufreq_get_count_min(&bufreq, ver); + break; + default: + return -EINVAL; diff --git a/queue-6.1/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch b/queue-6.1/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch new file mode 100644 index 0000000000..f932b4b85d --- /dev/null +++ b/queue-6.1/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch @@ -0,0 +1,114 @@ +From stable+bounces-171807-greg=kroah.com@vger.kernel.org Tue Aug 19 16:51:28 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 10:49:44 -0400 +Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() +To: stable@vger.kernel.org +Cc: Anshuman Khandual , David Hildenbrand , Dev Jain , Alexander Gordeev , Catalin Marinas , Will Deacon , Ryan Roberts , Paul Walmsley , Palmer Dabbelt , Gerald Schaefer , Heiko Carstens , Vasily Gorbik , Christian Borntraeger , Sven Schnelle , Andrew Morton , Sasha Levin +Message-ID: <20250819144944.523881-1-sashal@kernel.org> + +From: Anshuman Khandual + +[ Upstream commit 59305202c67fea50378dcad0cc199dbc13a0e99a ] + +Memory hot remove unmaps and tears down various kernel page table regions +as required. The ptdump code can race with concurrent modifications of +the kernel page tables. When leaf entries are modified concurrently, the +dump code may log stale or inconsistent information for a VA range, but +this is otherwise not harmful. + +But when intermediate levels of kernel page table are freed, the dump code +will continue to use memory that has been freed and potentially +reallocated for another purpose. In such cases, the ptdump code may +dereference bogus addresses, leading to a number of potential problems. + +To avoid the above mentioned race condition, platforms such as arm64, +riscv and s390 take memory hotplug lock, while dumping kernel page table +via the sysfs interface /sys/kernel/debug/kernel_page_tables. + +Similar race condition exists while checking for pages that might have +been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages +which in turn calls ptdump_check_wx(). Instead of solving this race +condition again, let's just move the memory hotplug lock inside generic +ptdump_check_wx() which will benefit both the scenarios. + +Drop get_online_mems() and put_online_mems() combination from all existing +platform ptdump code paths. + +Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com +Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") +Signed-off-by: Anshuman Khandual +Acked-by: David Hildenbrand +Reviewed-by: Dev Jain +Acked-by: Alexander Gordeev [s390] +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Ryan Roberts +Cc: Paul Walmsley +Cc: Palmer Dabbelt +Cc: Alexander Gordeev +Cc: Gerald Schaefer +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Christian Borntraeger +Cc: Sven Schnelle +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/ptdump_debugfs.c | 3 --- + arch/s390/mm/dump_pagetables.c | 2 -- + mm/ptdump.c | 2 ++ + 3 files changed, 2 insertions(+), 5 deletions(-) + +--- a/arch/arm64/mm/ptdump_debugfs.c ++++ b/arch/arm64/mm/ptdump_debugfs.c +@@ -1,6 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 + #include +-#include + #include + + #include +@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file * + { + struct ptdump_info *info = m->private; + +- get_online_mems(); + ptdump_walk(m, info); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/arch/s390/mm/dump_pagetables.c ++++ b/arch/s390/mm/dump_pagetables.c +@@ -249,11 +249,9 @@ static int ptdump_show(struct seq_file * + .marker = address_markers, + }; + +- get_online_mems(); + mutex_lock(&cpa_mutex); + ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); + mutex_unlock(&cpa_mutex); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/mm/ptdump.c ++++ b/mm/ptdump.c +@@ -152,6 +152,7 @@ void ptdump_walk_pgd(struct ptdump_state + { + const struct ptdump_range *range = st->range; + ++ get_online_mems(); + mmap_write_lock(mm); + while (range->start != range->end) { + walk_page_range_novma(mm, range->start, range->end, +@@ -159,6 +160,7 @@ void ptdump_walk_pgd(struct ptdump_state + range++; + } + mmap_write_unlock(mm); ++ put_online_mems(); + + /* Flush out the last page */ + st->note_page(st, 0, -1, 0); diff --git a/queue-6.1/net-add-netdev_lockdep_set_classes-to-virtual-drivers.patch b/queue-6.1/net-add-netdev_lockdep_set_classes-to-virtual-drivers.patch new file mode 100644 index 0000000000..662141bd01 --- /dev/null +++ b/queue-6.1/net-add-netdev_lockdep_set_classes-to-virtual-drivers.patch @@ -0,0 +1,285 @@ +From 0bef512012b1cd8820f0c9ec80e5f8ceb43fdd59 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 12 Feb 2024 14:07:00 +0000 +Subject: net: add netdev_lockdep_set_classes() to virtual drivers + +From: Eric Dumazet + +commit 0bef512012b1cd8820f0c9ec80e5f8ceb43fdd59 upstream. + +Based on a syzbot report, it appears many virtual +drivers do not yet use netdev_lockdep_set_classes(), +triggerring lockdep false positives. + +WARNING: possible recursive locking detected +6.8.0-rc4-next-20240212-syzkaller #0 Not tainted + +syz-executor.0/19016 is trying to acquire lock: + ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] + ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline] + ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340 + +but task is already holding lock: + ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] + ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline] + ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + lock(_xmit_ETHER#2); + lock(_xmit_ETHER#2); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +9 locks held by syz-executor.0/19016: + #0: ffffffff8f385208 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] + #0: ffffffff8f385208 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6603 + #1: ffffc90000a08c00 ((&in_dev->mr_ifc_timer)){+.-.}-{0:0}, at: call_timer_fn+0xc0/0x600 kernel/time/timer.c:1697 + #2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] + #2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] + #2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1360 net/ipv4/ip_output.c:228 + #3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline] + #3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline] + #3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x2c4/0x3b10 net/core/dev.c:4284 + #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline] + #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline] + #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3771 [inline] + #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1262/0x3b10 net/core/dev.c:4325 + #5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] + #5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline] + #5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340 + #6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] + #6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] + #6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1360 net/ipv4/ip_output.c:228 + #7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline] + #7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline] + #7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x2c4/0x3b10 net/core/dev.c:4284 + #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline] + #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline] + #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3771 [inline] + #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1262/0x3b10 net/core/dev.c:4325 + +stack backtrace: +CPU: 1 PID: 19016 Comm: syz-executor.0 Not tainted 6.8.0-rc4-next-20240212-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 + check_deadlock kernel/locking/lockdep.c:3062 [inline] + validate_chain+0x15c1/0x58e0 kernel/locking/lockdep.c:3856 + __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 + lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 + __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] + _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 + spin_lock include/linux/spinlock.h:351 [inline] + __netif_tx_lock include/linux/netdevice.h:4452 [inline] + sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340 + __dev_xmit_skb net/core/dev.c:3784 [inline] + __dev_queue_xmit+0x1912/0x3b10 net/core/dev.c:4325 + neigh_output include/net/neighbour.h:542 [inline] + ip_finish_output2+0xe66/0x1360 net/ipv4/ip_output.c:235 + iptunnel_xmit+0x540/0x9b0 net/ipv4/ip_tunnel_core.c:82 + ip_tunnel_xmit+0x20ee/0x2960 net/ipv4/ip_tunnel.c:831 + erspan_xmit+0x9de/0x1460 net/ipv4/ip_gre.c:720 + __netdev_start_xmit include/linux/netdevice.h:4989 [inline] + netdev_start_xmit include/linux/netdevice.h:5003 [inline] + xmit_one net/core/dev.c:3555 [inline] + dev_hard_start_xmit+0x242/0x770 net/core/dev.c:3571 + sch_direct_xmit+0x2b6/0x5f0 net/sched/sch_generic.c:342 + __dev_xmit_skb net/core/dev.c:3784 [inline] + __dev_queue_xmit+0x1912/0x3b10 net/core/dev.c:4325 + neigh_output include/net/neighbour.h:542 [inline] + ip_finish_output2+0xe66/0x1360 net/ipv4/ip_output.c:235 + igmpv3_send_cr net/ipv4/igmp.c:723 [inline] + igmp_ifc_timer_expire+0xb71/0xd90 net/ipv4/igmp.c:813 + call_timer_fn+0x17e/0x600 kernel/time/timer.c:1700 + expire_timers kernel/time/timer.c:1751 [inline] + __run_timers+0x621/0x830 kernel/time/timer.c:2038 + run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2051 + __do_softirq+0x2bc/0x943 kernel/softirq.c:554 + invoke_softirq kernel/softirq.c:428 [inline] + __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1076 [inline] + sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1076 + + + asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 + RIP: 0010:resched_offsets_ok kernel/sched/core.c:10127 [inline] + RIP: 0010:__might_resched+0x16f/0x780 kernel/sched/core.c:10142 +Code: 00 4c 89 e8 48 c1 e8 03 48 ba 00 00 00 00 00 fc ff df 48 89 44 24 38 0f b6 04 10 84 c0 0f 85 87 04 00 00 41 8b 45 00 c1 e0 08 <01> d8 44 39 e0 0f 85 d6 00 00 00 44 89 64 24 1c 48 8d bc 24 a0 00 +RSP: 0018:ffffc9000ee069e0 EFLAGS: 00000246 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880296a9e00 +RDX: dffffc0000000000 RSI: ffff8880296a9e00 RDI: ffffffff8bfe8fa0 +RBP: ffffc9000ee06b00 R08: ffffffff82326877 R09: 1ffff11002b5ad1b +R10: dffffc0000000000 R11: ffffed1002b5ad1c R12: 0000000000000000 +R13: ffff8880296aa23c R14: 000000000000062a R15: 1ffff92001dc0d44 + down_write+0x19/0x50 kernel/locking/rwsem.c:1578 + kernfs_activate fs/kernfs/dir.c:1403 [inline] + kernfs_add_one+0x4af/0x8b0 fs/kernfs/dir.c:819 + __kernfs_create_file+0x22e/0x2e0 fs/kernfs/file.c:1056 + sysfs_add_file_mode_ns+0x24a/0x310 fs/sysfs/file.c:307 + create_files fs/sysfs/group.c:64 [inline] + internal_create_group+0x4f4/0xf20 fs/sysfs/group.c:152 + internal_create_groups fs/sysfs/group.c:192 [inline] + sysfs_create_groups+0x56/0x120 fs/sysfs/group.c:218 + create_dir lib/kobject.c:78 [inline] + kobject_add_internal+0x472/0x8d0 lib/kobject.c:240 + kobject_add_varg lib/kobject.c:374 [inline] + kobject_init_and_add+0x124/0x190 lib/kobject.c:457 + netdev_queue_add_kobject net/core/net-sysfs.c:1706 [inline] + netdev_queue_update_kobjects+0x1f3/0x480 net/core/net-sysfs.c:1758 + register_queue_kobjects net/core/net-sysfs.c:1819 [inline] + netdev_register_kobject+0x265/0x310 net/core/net-sysfs.c:2059 + register_netdevice+0x1191/0x19c0 net/core/dev.c:10298 + bond_newlink+0x3b/0x90 drivers/net/bonding/bond_netlink.c:576 + rtnl_newlink_create net/core/rtnetlink.c:3506 [inline] + __rtnl_newlink net/core/rtnetlink.c:3726 [inline] + rtnl_newlink+0x158f/0x20a0 net/core/rtnetlink.c:3739 + rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6606 + netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 + netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] + netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 + netlink_sendmsg+0xa3c/0xd70 net/netlink/af_netlink.c:1908 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:745 + __sys_sendto+0x3a4/0x4f0 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0xde/0x100 net/socket.c:2199 + do_syscall_64+0xfb/0x240 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 +RIP: 0033:0x7fc3fa87fa9c + +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20240212140700.2795436-4-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sumanth Gavini +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dummy.c | 1 + + drivers/net/geneve.c | 1 + + drivers/net/loopback.c | 1 + + drivers/net/veth.c | 1 + + drivers/net/vxlan/vxlan_core.c | 1 + + net/ipv4/ip_tunnel.c | 1 + + net/ipv6/ip6_gre.c | 2 ++ + net/ipv6/ip6_tunnel.c | 1 + + net/ipv6/ip6_vti.c | 1 + + net/ipv6/sit.c | 1 + + 10 files changed, 11 insertions(+) + +--- a/drivers/net/dummy.c ++++ b/drivers/net/dummy.c +@@ -71,6 +71,7 @@ static int dummy_dev_init(struct net_dev + if (!dev->lstats) + return -ENOMEM; + ++ netdev_lockdep_set_classes(dev); + return 0; + } + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -349,6 +349,7 @@ static int geneve_init(struct net_device + gro_cells_destroy(&geneve->gro_cells); + return err; + } ++ netdev_lockdep_set_classes(dev); + return 0; + } + +--- a/drivers/net/loopback.c ++++ b/drivers/net/loopback.c +@@ -144,6 +144,7 @@ static int loopback_dev_init(struct net_ + dev->lstats = netdev_alloc_pcpu_stats(struct pcpu_lstats); + if (!dev->lstats) + return -ENOMEM; ++ netdev_lockdep_set_classes(dev); + return 0; + } + +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -1373,6 +1373,7 @@ static void veth_free_queues(struct net_ + + static int veth_dev_init(struct net_device *dev) + { ++ netdev_lockdep_set_classes(dev); + return veth_alloc_queues(dev); + } + +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -2998,6 +2998,7 @@ static int vxlan_init(struct net_device + if (err) + goto err_free_percpu; + ++ netdev_lockdep_set_classes(dev); + return 0; + + err_free_percpu: +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -1298,6 +1298,7 @@ int ip_tunnel_init(struct net_device *de + + if (tunnel->collect_md) + netif_keep_dst(dev); ++ netdev_lockdep_set_classes(dev); + return 0; + } + EXPORT_SYMBOL_GPL(ip_tunnel_init); +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1537,6 +1537,7 @@ static int ip6gre_tunnel_init_common(str + ip6gre_tnl_init_features(dev); + + netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL); ++ netdev_lockdep_set_classes(dev); + return 0; + + cleanup_dst_cache_init: +@@ -1929,6 +1930,7 @@ static int ip6erspan_tap_init(struct net + ip6erspan_tnl_link_config(tunnel, 1); + + netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL); ++ netdev_lockdep_set_classes(dev); + return 0; + + cleanup_dst_cache_init: +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1902,6 +1902,7 @@ ip6_tnl_dev_init_gen(struct net_device * + dev->max_mtu = IP6_MAX_MTU - dev->hard_header_len - t_hlen; + + netdev_hold(dev, &t->dev_tracker, GFP_KERNEL); ++ netdev_lockdep_set_classes(dev); + return 0; + + destroy_dst: +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -937,6 +937,7 @@ static inline int vti6_dev_init_gen(stru + if (!dev->tstats) + return -ENOMEM; + netdev_hold(dev, &t->dev_tracker, GFP_KERNEL); ++ netdev_lockdep_set_classes(dev); + return 0; + } + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1460,6 +1460,7 @@ static int ipip6_tunnel_init(struct net_ + return err; + } + netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL); ++ netdev_lockdep_set_classes(dev); + return 0; + } + diff --git a/queue-6.1/net-enetc-fix-device-and-of-node-leak-at-probe.patch b/queue-6.1/net-enetc-fix-device-and-of-node-leak-at-probe.patch new file mode 100644 index 0000000000..48abf9f85f --- /dev/null +++ b/queue-6.1/net-enetc-fix-device-and-of-node-leak-at-probe.patch @@ -0,0 +1,66 @@ +From stable+bounces-169816-greg=kroah.com@vger.kernel.org Fri Aug 15 21:54:26 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 15:54:16 -0400 +Subject: net: enetc: fix device and OF node leak at probe +To: stable@vger.kernel.org +Cc: Johan Hovold , Vladimir Oltean , Simon Horman , Jakub Kicinski , Sasha Levin +Message-ID: <20250815195416.198795-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed ] + +Make sure to drop the references to the IERB OF node and platform device +taken by of_parse_phandle() and of_find_device_by_node() during probe. + +Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block") +Cc: stable@vger.kernel.org # 5.13 +Cc: Vladimir Oltean +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c +@@ -1207,6 +1207,7 @@ static int enetc_pf_register_with_ierb(s + struct device_node *node = pdev->dev.of_node; + struct platform_device *ierb_pdev; + struct device_node *ierb_node; ++ int ret; + + /* Don't register with the IERB if the PF itself is disabled */ + if (!node || !of_device_is_available(node)) +@@ -1214,16 +1215,25 @@ static int enetc_pf_register_with_ierb(s + + ierb_node = of_find_compatible_node(NULL, NULL, + "fsl,ls1028a-enetc-ierb"); +- if (!ierb_node || !of_device_is_available(ierb_node)) ++ if (!ierb_node) + return -ENODEV; + ++ if (!of_device_is_available(ierb_node)) { ++ of_node_put(ierb_node); ++ return -ENODEV; ++ } ++ + ierb_pdev = of_find_device_by_node(ierb_node); + of_node_put(ierb_node); + + if (!ierb_pdev) + return -EPROBE_DEFER; + +- return enetc_ierb_register_pf(ierb_pdev, pdev); ++ ret = enetc_ierb_register_pf(ierb_pdev, pdev); ++ ++ put_device(&ierb_pdev->dev); ++ ++ return ret; + } + + static int enetc_pf_probe(struct pci_dev *pdev, diff --git a/queue-6.1/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch b/queue-6.1/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch new file mode 100644 index 0000000000..e611dbd37a --- /dev/null +++ b/queue-6.1/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch @@ -0,0 +1,119 @@ +From stable+bounces-171770-greg=kroah.com@vger.kernel.org Tue Aug 19 13:54:29 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 07:52:23 -0400 +Subject: net/sched: ets: use old 'nbands' while purging unused classes +To: stable@vger.kernel.org +Cc: Davide Caratti , Li Shuang , Petr Machata , Ivan Vecera , Jakub Kicinski , Sasha Levin +Message-ID: <20250819115223.446888-2-sashal@kernel.org> + +From: Davide Caratti + +[ Upstream commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 ] + +Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() +after recent changes from Lion [2]. The problem is: in ets_qdisc_change() +we purge unused DWRR queues; the value of 'q->nbands' is the new one, and +the cleanup should be done with the old one. The problem is here since my +first attempts to fix ets_qdisc_change(), but it surfaced again after the +recent qdisc len accounting fixes. Fix it purging idle DWRR queues before +assigning a new value of 'q->nbands', so that all purge operations find a +consistent configuration: + + - old 'q->nbands' because it's needed by ets_class_find() + - old 'q->nstrict' because it's needed by ets_class_is_strict() + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) + Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 + RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 + Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab + RSP: 0018:ffffba186009f400 EFLAGS: 00010202 + RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 + RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 + R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 + R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 + FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ets_class_qlen_notify+0x65/0x90 [sch_ets] + qdisc_tree_reduce_backlog+0x74/0x110 + ets_qdisc_change+0x630/0xa40 [sch_ets] + __tc_modify_qdisc.constprop.0+0x216/0x7f0 + tc_modify_qdisc+0x7c/0x120 + rtnetlink_rcv_msg+0x145/0x3f0 + netlink_rcv_skb+0x53/0x100 + netlink_unicast+0x245/0x390 + netlink_sendmsg+0x21b/0x470 + ____sys_sendmsg+0x39d/0x3d0 + ___sys_sendmsg+0x9a/0xe0 + __sys_sendmsg+0x7a/0xd0 + do_syscall_64+0x7d/0x160 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f2155114084 + Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 + RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 + RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 + RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f + R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 + R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 + + + [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/ + [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ + +Cc: stable@vger.kernel.org +Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") +Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") +Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") +Reported-by: Li Shuang +Closes: https://issues.redhat.com/browse/RHEL-108026 +Reviewed-by: Petr Machata +Co-developed-by: Ivan Vecera +Signed-off-by: Ivan Vecera +Signed-off-by: Davide Caratti +Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc + + sch_tree_lock(sch); + ++ for (i = nbands; i < oldbands; i++) { ++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) ++ list_del_init(&q->classes[i].alist); ++ qdisc_purge_queue(q->classes[i].qdisc); ++ } ++ + WRITE_ONCE(q->nbands, nbands); + for (i = nstrict; i < q->nstrict; i++) { + if (q->classes[i].qdisc->q.qlen) { +@@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc + q->classes[i].deficit = quanta[i]; + } + } +- for (i = q->nbands; i < oldbands; i++) { +- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) +- list_del_init(&q->classes[i].alist); +- qdisc_purge_queue(q->classes[i].qdisc); +- } + WRITE_ONCE(q->nstrict, nstrict); + memcpy(q->prio2band, priomap, sizeof(priomap)); + diff --git a/queue-6.1/net_sched-sch_ets-implement-lockless-ets_dump.patch b/queue-6.1/net_sched-sch_ets-implement-lockless-ets_dump.patch new file mode 100644 index 0000000000..41dbae8bb6 --- /dev/null +++ b/queue-6.1/net_sched-sch_ets-implement-lockless-ets_dump.patch @@ -0,0 +1,106 @@ +From stable+bounces-171769-greg=kroah.com@vger.kernel.org Tue Aug 19 13:54:27 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 07:52:22 -0400 +Subject: net_sched: sch_ets: implement lockless ets_dump() +To: stable@vger.kernel.org +Cc: Eric Dumazet , Simon Horman , "David S. Miller" , Sasha Levin +Message-ID: <20250819115223.446888-1-sashal@kernel.org> + +From: Eric Dumazet + +[ Upstream commit c5f1dde7f731e7bf2e7c169ca42cb4989fc2f8b9 ] + +Instead of relying on RTNL, ets_dump() can use READ_ONCE() +annotations, paired with WRITE_ONCE() ones in ets_change(). + +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -651,7 +651,7 @@ static int ets_qdisc_change(struct Qdisc + + sch_tree_lock(sch); + +- q->nbands = nbands; ++ WRITE_ONCE(q->nbands, nbands); + for (i = nstrict; i < q->nstrict; i++) { + if (q->classes[i].qdisc->q.qlen) { + list_add_tail(&q->classes[i].alist, &q->active); +@@ -663,11 +663,11 @@ static int ets_qdisc_change(struct Qdisc + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } +- q->nstrict = nstrict; ++ WRITE_ONCE(q->nstrict, nstrict); + memcpy(q->prio2band, priomap, sizeof(priomap)); + + for (i = 0; i < q->nbands; i++) +- q->classes[i].quantum = quanta[i]; ++ WRITE_ONCE(q->classes[i].quantum, quanta[i]); + + for (i = oldbands; i < q->nbands; i++) { + q->classes[i].qdisc = queues[i]; +@@ -681,7 +681,7 @@ static int ets_qdisc_change(struct Qdisc + for (i = q->nbands; i < oldbands; i++) { + qdisc_put(q->classes[i].qdisc); + q->classes[i].qdisc = NULL; +- q->classes[i].quantum = 0; ++ WRITE_ONCE(q->classes[i].quantum, 0); + q->classes[i].deficit = 0; + gnet_stats_basic_sync_init(&q->classes[i].bstats); + memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); +@@ -738,6 +738,7 @@ static int ets_qdisc_dump(struct Qdisc * + struct ets_sched *q = qdisc_priv(sch); + struct nlattr *opts; + struct nlattr *nest; ++ u8 nbands, nstrict; + int band; + int prio; + int err; +@@ -750,21 +751,22 @@ static int ets_qdisc_dump(struct Qdisc * + if (!opts) + goto nla_err; + +- if (nla_put_u8(skb, TCA_ETS_NBANDS, q->nbands)) ++ nbands = READ_ONCE(q->nbands); ++ if (nla_put_u8(skb, TCA_ETS_NBANDS, nbands)) + goto nla_err; + +- if (q->nstrict && +- nla_put_u8(skb, TCA_ETS_NSTRICT, q->nstrict)) ++ nstrict = READ_ONCE(q->nstrict); ++ if (nstrict && nla_put_u8(skb, TCA_ETS_NSTRICT, nstrict)) + goto nla_err; + +- if (q->nbands > q->nstrict) { ++ if (nbands > nstrict) { + nest = nla_nest_start(skb, TCA_ETS_QUANTA); + if (!nest) + goto nla_err; + +- for (band = q->nstrict; band < q->nbands; band++) { ++ for (band = nstrict; band < nbands; band++) { + if (nla_put_u32(skb, TCA_ETS_QUANTA_BAND, +- q->classes[band].quantum)) ++ READ_ONCE(q->classes[band].quantum))) + goto nla_err; + } + +@@ -776,7 +778,8 @@ static int ets_qdisc_dump(struct Qdisc * + goto nla_err; + + for (prio = 0; prio <= TC_PRIO_MAX; prio++) { +- if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, q->prio2band[prio])) ++ if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, ++ READ_ONCE(q->prio2band[prio]))) + goto nla_err; + } + diff --git a/queue-6.1/pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch b/queue-6.1/pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch new file mode 100644 index 0000000000..33f30be789 --- /dev/null +++ b/queue-6.1/pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch @@ -0,0 +1,141 @@ +From stable+bounces-169871-greg=kroah.com@vger.kernel.org Sun Aug 17 03:48:09 2025 +From: Sasha Levin +Date: Sat, 16 Aug 2025 21:47:59 -0400 +Subject: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports +To: stable@vger.kernel.org +Cc: Lukas Wunner , Laurent Bigonville , Mario Limonciello , Bjorn Helgaas , "Rafael J. Wysocki" , Sasha Levin +Message-ID: <20250817014759.1328597-1-sashal@kernel.org> + +From: Lukas Wunner + +[ Upstream commit 6cff20ce3b92ffbf2fc5eb9e5a030b3672aa414a ] + +pci_bridge_d3_possible() is called from both pcie_portdrv_probe() and +pcie_portdrv_remove() to determine whether runtime power management shall +be enabled (on probe) or disabled (on remove) on a PCIe port. + +The underlying assumption is that pci_bridge_d3_possible() always returns +the same value, else a runtime PM reference imbalance would occur. That +assumption is not given if the PCIe port is inaccessible on remove due to +hot-unplug: pci_bridge_d3_possible() calls pciehp_is_native(), which +accesses Config Space to determine whether the port is Hot-Plug Capable. +An inaccessible port returns "all ones", which is converted to "all +zeroes" by pcie_capability_read_dword(). Hence the port no longer seems +Hot-Plug Capable on remove even though it was on probe. + +The resulting runtime PM ref imbalance causes warning messages such as: + + pcieport 0000:02:04.0: Runtime PM usage count underflow! + +Avoid the Config Space access (and thus the runtime PM ref imbalance) by +caching the Hot-Plug Capable bit in struct pci_dev. + +The struct already contains an "is_hotplug_bridge" flag, which however is +not only set on Hot-Plug Capable PCIe ports, but also Conventional PCI +Hot-Plug bridges and ACPI slots. The flag identifies bridges which are +allocated additional MMIO and bus number resources to allow for hierarchy +expansion. + +The kernel is somewhat sloppily using "is_hotplug_bridge" in a number of +places to identify Hot-Plug Capable PCIe ports, even though the flag +encompasses other devices. Subsequent commits replace these occurrences +with the new flag to clearly delineate Hot-Plug Capable PCIe ports from +other kinds of hotplug bridges. + +Document the existing "is_hotplug_bridge" and the new "is_pciehp" flag +and document the (non-obvious) requirement that pci_bridge_d3_possible() +always returns the same value across the entire lifetime of a bridge, +including its hot-removal. + +Fixes: 5352a44a561d ("PCI: pciehp: Make pciehp_is_native() stricter") +Reported-by: Laurent Bigonville +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220216 +Reported-by: Mario Limonciello +Closes: https://lore.kernel.org/r/20250609020223.269407-3-superm1@kernel.org/ +Link: https://lore.kernel.org/all/20250620025535.3425049-3-superm1@kernel.org/T/#u +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Acked-by: Rafael J. Wysocki +Cc: stable@vger.kernel.org # v4.18+ +Link: https://patch.msgid.link/fe5dcc3b2e62ee1df7905d746bde161eb1b3291c.1752390101.git.lukas@wunner.de +[ changed "recent enough PCIe ports" comment to "some PCIe ports" ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-acpi.c | 4 +--- + drivers/pci/pci.c | 8 ++++++-- + drivers/pci/probe.c | 2 +- + include/linux/pci.h | 10 +++++++++- + 4 files changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -793,13 +793,11 @@ int pci_acpi_program_hp_params(struct pc + bool pciehp_is_native(struct pci_dev *bridge) + { + const struct pci_host_bridge *host; +- u32 slot_cap; + + if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE)) + return false; + +- pcie_capability_read_dword(bridge, PCI_EXP_SLTCAP, &slot_cap); +- if (!(slot_cap & PCI_EXP_SLTCAP_HPC)) ++ if (!bridge->is_pciehp) + return false; + + if (pcie_ports_native) +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -3019,8 +3019,12 @@ static const struct dmi_system_id bridge + * pci_bridge_d3_possible - Is it possible to put the bridge into D3 + * @bridge: Bridge to check + * +- * This function checks if it is possible to move the bridge to D3. +- * Currently we only allow D3 for recent enough PCIe ports and Thunderbolt. ++ * Currently we only allow D3 for some PCIe ports and for Thunderbolt. ++ * ++ * Return: Whether it is possible to move the bridge to D3. ++ * ++ * The return value is guaranteed to be constant across the entire lifetime ++ * of the bridge, including its hot-removal. + */ + bool pci_bridge_d3_possible(struct pci_dev *bridge) + { +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1592,7 +1592,7 @@ void set_pcie_hotplug_bridge(struct pci_ + + pcie_capability_read_dword(pdev, PCI_EXP_SLTCAP, ®32); + if (reg32 & PCI_EXP_SLTCAP_HPC) +- pdev->is_hotplug_bridge = 1; ++ pdev->is_hotplug_bridge = pdev->is_pciehp = 1; + } + + static void set_pcie_thunderbolt(struct pci_dev *dev) +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -317,7 +317,14 @@ struct pci_sriov; + struct pci_p2pdma; + struct rcec_ea; + +-/* The pci_dev structure describes PCI devices */ ++/* struct pci_dev - describes a PCI device ++ * ++ * @is_hotplug_bridge: Hotplug bridge of any kind (e.g. PCIe Hot-Plug Capable, ++ * Conventional PCI Hot-Plug, ACPI slot). ++ * Such bridges are allocated additional MMIO and bus ++ * number resources to allow for hierarchy expansion. ++ * @is_pciehp: PCIe Hot-Plug Capable bridge. ++ */ + struct pci_dev { + struct list_head bus_list; /* Node in per-bus list */ + struct pci_bus *bus; /* Bus this device is on */ +@@ -438,6 +445,7 @@ struct pci_dev { + unsigned int is_physfn:1; + unsigned int is_virtfn:1; + unsigned int is_hotplug_bridge:1; ++ unsigned int is_pciehp:1; + unsigned int shpc_managed:1; /* SHPC owned by shpchp */ + unsigned int is_thunderbolt:1; /* Thunderbolt controller */ + /* diff --git a/queue-6.1/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch b/queue-6.1/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch new file mode 100644 index 0000000000..1da31451e1 --- /dev/null +++ b/queue-6.1/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch @@ -0,0 +1,69 @@ +From stable+bounces-164558-greg=kroah.com@vger.kernel.org Thu Jul 24 06:11:59 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 00:11:50 -0400 +Subject: perf/x86/intel: Fix crash in icl_update_topdown_event() +To: stable@vger.kernel.org +Cc: Kan Liang , Vince Weaver , Peter Zijlstra , Ingo Molnar , Sasha Levin +Message-ID: <20250724041150.1296795-1-sashal@kernel.org> + +From: Kan Liang + +[ Upstream commit b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed ] + +The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: + + Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 + CPU: 23 UID: 0 PID: 0 Comm: swapper/23 + Tainted: [W]=WARN + Hardware name: Dell Inc. Precision 9660/0VJ762 + RIP: 0010:native_read_pmc+0x7/0x40 + Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... + RSP: 000:fffb03100273de8 EFLAGS: 00010046 + .... + Call Trace: + + icl_update_topdown_event+0x165/0x190 + ? ktime_get+0x38/0xd0 + intel_pmu_read_event+0xf9/0x210 + __perf_event_read+0xf9/0x210 + +CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. +The icl_update_topdown_event() should not be invoked on these CPUs. + +It's a regression of commit: + + f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") + +The bug introduced by that commit is that the is_topdown_event() function +is mistakenly used to replace the is_topdown_count() call to check if the +topdown functions for the perf metrics feature should be invoked. + +Fix it. + +Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") +Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/ +Reported-by: Vince Weaver +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Tested-by: Vince Weaver +Cc: stable@vger.kernel.org # v6.15+ +Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com +[ omitted PEBS check ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -2703,7 +2703,7 @@ static void intel_pmu_read_event(struct + if (pmu_enabled) + intel_pmu_disable_all(); + +- if (is_topdown_event(event)) ++ if (is_topdown_count(event)) + static_call(intel_pmu_update_topdown_event)(event); + else + intel_pmu_drain_pebs_buffer(); diff --git a/queue-6.1/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch b/queue-6.1/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch new file mode 100644 index 0000000000..3d340a00fc --- /dev/null +++ b/queue-6.1/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch @@ -0,0 +1,75 @@ +From stable+bounces-172083-greg=kroah.com@vger.kernel.org Thu Aug 21 15:32:25 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 09:27:18 -0400 +Subject: platform/chrome: cros_ec: remove unneeded label and if-condition +To: stable@vger.kernel.org +Cc: Tzung-Bi Shih , Guenter Roeck , Sasha Levin +Message-ID: <20250821132719.713502-2-sashal@kernel.org> + +From: Tzung-Bi Shih + +[ Upstream commit 554ec02c97254962bbb0a8776c3160d294fc7e51 ] + +Both `ec_dev->ec` and `ec_dev->pd` are initialized to NULL at the +beginning of cros_ec_register(). Also, platform_device_unregister() +takes care if the given platform_device is NULL. + +Remove the unneeded goto-label and if-condition. + +Signed-off-by: Tzung-Bi Shih +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230308031247.2866401-1-tzungbi@kernel.org +Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -205,7 +205,7 @@ int cros_ec_register(struct cros_ec_devi + err = cros_ec_query_all(ec_dev); + if (err) { + dev_err(dev, "Cannot identify the EC: error %d\n", err); +- goto destroy_mutex; ++ goto exit; + } + + if (ec_dev->irq > 0) { +@@ -217,7 +217,7 @@ int cros_ec_register(struct cros_ec_devi + if (err) { + dev_err(dev, "Failed to request IRQ %d: %d\n", + ec_dev->irq, err); +- goto destroy_mutex; ++ goto exit; + } + } + +@@ -229,7 +229,7 @@ int cros_ec_register(struct cros_ec_devi + dev_err(ec_dev->dev, + "Failed to create CrOS EC platform device\n"); + err = PTR_ERR(ec_dev->ec); +- goto destroy_mutex; ++ goto exit; + } + + if (ec_dev->max_passthru) { +@@ -295,7 +295,6 @@ int cros_ec_register(struct cros_ec_devi + exit: + platform_device_unregister(ec_dev->ec); + platform_device_unregister(ec_dev->pd); +-destroy_mutex: + mutex_destroy(&ec_dev->lock); + lockdep_unregister_key(&ec_dev->lockdep_key); + return err; +@@ -312,8 +311,7 @@ EXPORT_SYMBOL(cros_ec_register); + */ + void cros_ec_unregister(struct cros_ec_device *ec_dev) + { +- if (ec_dev->pd) +- platform_device_unregister(ec_dev->pd); ++ platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); + mutex_destroy(&ec_dev->lock); + lockdep_unregister_key(&ec_dev->lockdep_key); diff --git a/queue-6.1/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch b/queue-6.1/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch new file mode 100644 index 0000000000..d2317e1dbf --- /dev/null +++ b/queue-6.1/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch @@ -0,0 +1,40 @@ +From stable+bounces-172084-greg=kroah.com@vger.kernel.org Thu Aug 21 15:31:24 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 09:27:19 -0400 +Subject: platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() +To: stable@vger.kernel.org +Cc: Tzung-Bi Shih , Benson Leung , Sasha Levin +Message-ID: <20250821132719.713502-3-sashal@kernel.org> + +From: Tzung-Bi Shih + +[ Upstream commit e2374953461947eee49f69b3e3204ff080ef31b1 ] + +The blocking notifier is registered in cros_ec_register(); however, it +isn't unregistered in cros_ec_unregister(). + +Fix it. + +Fixes: 42cd0ab476e2 ("platform/chrome: cros_ec: Query EC protocol version if EC transitions between RO/RW") +Cc: stable@vger.kernel.org +Reviewed-by: Benson Leung +Link: https://lore.kernel.org/r/20250722120513.234031-1-tzungbi@kernel.org +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -311,6 +311,9 @@ EXPORT_SYMBOL(cros_ec_register); + */ + void cros_ec_unregister(struct cros_ec_device *ec_dev) + { ++ if (ec_dev->mkbp_event_supported) ++ blocking_notifier_chain_unregister(&ec_dev->event_notifier, ++ &ec_dev->notifier_ready); + platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); + mutex_destroy(&ec_dev->lock); diff --git a/queue-6.1/platform-chrome-cros_ec-use-per-device-lockdep-key.patch b/queue-6.1/platform-chrome-cros_ec-use-per-device-lockdep-key.patch new file mode 100644 index 0000000000..ee33a649b5 --- /dev/null +++ b/queue-6.1/platform-chrome-cros_ec-use-per-device-lockdep-key.patch @@ -0,0 +1,144 @@ +From stable+bounces-172082-greg=kroah.com@vger.kernel.org Thu Aug 21 15:31:16 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 09:27:17 -0400 +Subject: platform/chrome: cros_ec: Use per-device lockdep key +To: stable@vger.kernel.org +Cc: Chen-Yu Tsai , Tzung-Bi Shih , Sasha Levin +Message-ID: <20250821132719.713502-1-sashal@kernel.org> + +From: Chen-Yu Tsai + +[ Upstream commit 961a325becd9a142ae5c8b258e5c2f221f8bfac8 ] + +Lockdep reports a bogus possible deadlock on MT8192 Chromebooks due to +the following lock sequences: + +1. lock(i2c_register_adapter) [1]; lock(&ec_dev->lock) +2. lock(&ec_dev->lock); lock(prepare_lock); + +The actual dependency chains are much longer. The shortened version +looks somewhat like: + +1. cros-ec-rpmsg on mtk-scp + ec_dev->lock -> prepare_lock +2. In rt5682_i2c_probe() on native I2C bus: + prepare_lock -> regmap->lock -> (possibly) i2c_adapter->bus_lock +3. In rt5682_i2c_probe() on native I2C bus: + regmap->lock -> i2c_adapter->bus_lock +4. In sbs_probe() on i2c-cros-ec-tunnel I2C bus attached on cros-ec: + i2c_adapter->bus_lock -> ec_dev->lock + +While lockdep is correct that the shared lockdep classes have a circular +dependency, it is bogus because + + a) 2+3 happen on a native I2C bus + b) 4 happens on the actual EC on ChromeOS devices + c) 1 happens on the SCP coprocessor on MediaTek Chromebooks that just + happens to expose a cros-ec interface, but does not have an + i2c-cros-ec-tunnel I2C bus + +In short, the "dependencies" are actually on different devices. + +Setup a per-device lockdep key for cros_ec devices so lockdep can tell +the two instances apart. This helps with getting rid of the bogus +lockdep warning. For ChromeOS devices that only have one cros-ec +instance this doesn't change anything. + +Also add a missing mutex_destroy, just to make the teardown complete. + +[1] This is likely the per I2C bus lock with shared lockdep class + +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20230111074146.2624496-1-wenst@chromium.org +Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 14 +++++++++++--- + include/linux/platform_data/cros_ec_proto.h | 4 ++++ + 2 files changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -198,12 +198,14 @@ int cros_ec_register(struct cros_ec_devi + if (!ec_dev->dout) + return -ENOMEM; + ++ lockdep_register_key(&ec_dev->lockdep_key); + mutex_init(&ec_dev->lock); ++ lockdep_set_class(&ec_dev->lock, &ec_dev->lockdep_key); + + err = cros_ec_query_all(ec_dev); + if (err) { + dev_err(dev, "Cannot identify the EC: error %d\n", err); +- return err; ++ goto destroy_mutex; + } + + if (ec_dev->irq > 0) { +@@ -215,7 +217,7 @@ int cros_ec_register(struct cros_ec_devi + if (err) { + dev_err(dev, "Failed to request IRQ %d: %d\n", + ec_dev->irq, err); +- return err; ++ goto destroy_mutex; + } + } + +@@ -226,7 +228,8 @@ int cros_ec_register(struct cros_ec_devi + if (IS_ERR(ec_dev->ec)) { + dev_err(ec_dev->dev, + "Failed to create CrOS EC platform device\n"); +- return PTR_ERR(ec_dev->ec); ++ err = PTR_ERR(ec_dev->ec); ++ goto destroy_mutex; + } + + if (ec_dev->max_passthru) { +@@ -292,6 +295,9 @@ int cros_ec_register(struct cros_ec_devi + exit: + platform_device_unregister(ec_dev->ec); + platform_device_unregister(ec_dev->pd); ++destroy_mutex: ++ mutex_destroy(&ec_dev->lock); ++ lockdep_unregister_key(&ec_dev->lockdep_key); + return err; + } + EXPORT_SYMBOL(cros_ec_register); +@@ -309,6 +315,8 @@ void cros_ec_unregister(struct cros_ec_d + if (ec_dev->pd) + platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); ++ mutex_destroy(&ec_dev->lock); ++ lockdep_unregister_key(&ec_dev->lockdep_key); + } + EXPORT_SYMBOL(cros_ec_unregister); + +--- a/include/linux/platform_data/cros_ec_proto.h ++++ b/include/linux/platform_data/cros_ec_proto.h +@@ -9,6 +9,7 @@ + #define __LINUX_CROS_EC_PROTO_H + + #include ++#include + #include + #include + +@@ -116,6 +117,8 @@ struct cros_ec_command { + * command. The caller should check msg.result for the EC's result + * code. + * @pkt_xfer: Send packet to EC and get response. ++ * @lockdep_key: Lockdep class for each instance. Unused if CONFIG_LOCKDEP is ++ * not enabled. + * @lock: One transaction at a time. + * @mkbp_event_supported: 0 if MKBP not supported. Otherwise its value is + * the maximum supported version of the MKBP host event +@@ -160,6 +163,7 @@ struct cros_ec_device { + struct cros_ec_command *msg); + int (*pkt_xfer)(struct cros_ec_device *ec, + struct cros_ec_command *msg); ++ struct lock_class_key lockdep_key; + struct mutex lock; + u8 mkbp_event_supported; + bool host_sleep_v1; diff --git a/queue-6.1/series b/queue-6.1/series index c6d879e32c..65cf4a8d28 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -340,3 +340,38 @@ ipv6-sr-fix-mac-comparison-to-be-constant-time.patch acpi-pfr_update-fix-the-driver-update-version-check.patch mptcp-drop-skb-if-mptcp-skb-extension-allocation-fails.patch mptcp-pm-kernel-flush-do-not-reset-add_addr-limit.patch +f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch +iio-hid-sensor-prox-restore-lost-scale-assignments.patch +iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch +perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch +x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch +net-add-netdev_lockdep_set_classes-to-virtual-drivers.patch +btrfs-fix-qgroup-reservation-leak-on-failure-to-allocate-ordered-extent.patch +arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch +arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch +drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch +net-enetc-fix-device-and-of-node-leak-at-probe.patch +fscrypt-don-t-use-problematic-non-inline-crypto-engines.patch +block-reject-invalid-operation-in-submit_bio_noacct.patch +block-make-req_op_zone_finish-a-write-operation.patch +pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch +smb-client-let-send_done-cleanup-before-calling-smbd_disconnect_rdma_connection.patch +cifs-reset-iface-weights-when-we-cannot-find-a-candidate.patch +usb-typec-fusb302-cache-pd-rx-state.patch +btrfs-qgroup-fix-race-between-quota-disable-and-quota-rescan-ioctl.patch +btrfs-abort-transaction-on-unexpected-eb-generation-at-btrfs_copy_root.patch +xfs-fully-decouple-xfs_ibulk-flags-from-xfs_iwalk-flags.patch +btrfs-send-use-fallocate-for-hole-punching-with-send-stream-v2.patch +net_sched-sch_ets-implement-lockless-ets_dump.patch +net-sched-ets-use-old-nbands-while-purging-unused-classes.patch +mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch +media-venus-introduce-accessors-for-remapped-hfi_buffer_reqs-members.patch +media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch +usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch +usb-musb-omap2430-fix-device-leak-at-unbind.patch +platform-chrome-cros_ec-use-per-device-lockdep-key.patch +platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch +platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch +usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch +ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch +btrfs-populate-otime-when-logging-an-inode-item.patch diff --git a/queue-6.1/smb-client-let-send_done-cleanup-before-calling-smbd_disconnect_rdma_connection.patch b/queue-6.1/smb-client-let-send_done-cleanup-before-calling-smbd_disconnect_rdma_connection.patch new file mode 100644 index 0000000000..4a67afb985 --- /dev/null +++ b/queue-6.1/smb-client-let-send_done-cleanup-before-calling-smbd_disconnect_rdma_connection.patch @@ -0,0 +1,63 @@ +From stable+bounces-169889-greg=kroah.com@vger.kernel.org Sun Aug 17 15:51:23 2025 +From: Sasha Levin +Date: Sun, 17 Aug 2025 09:51:13 -0400 +Subject: smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection() +To: stable@vger.kernel.org +Cc: Stefan Metzmacher , Steve French , Tom Talpey , Long Li , linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, Steve French , Sasha Levin +Message-ID: <20250817135113.1474958-1-sashal@kernel.org> + +From: Stefan Metzmacher + +[ Upstream commit 5349ae5e05fa37409fd48a1eb483b199c32c889b ] + +We should call ib_dma_unmap_single() and mempool_free() before calling +smbd_disconnect_rdma_connection(). + +And smbd_disconnect_rdma_connection() needs to be the last function to +call as all other state might already be gone after it returns. + +Cc: Steve French +Cc: Tom Talpey +Cc: Long Li +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection") +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +[ Replaced `info` with `request->info` ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smbdirect.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/fs/smb/client/smbdirect.c ++++ b/fs/smb/client/smbdirect.c +@@ -273,18 +273,21 @@ static void send_done(struct ib_cq *cq, + log_rdma_send(INFO, "smbd_request 0x%p completed wc->status=%d\n", + request, wc->status); + +- if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) { +- log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n", +- wc->status, wc->opcode); +- smbd_disconnect_rdma_connection(request->info); +- } +- + for (i = 0; i < request->num_sge; i++) + ib_dma_unmap_single(request->info->id->device, + request->sge[i].addr, + request->sge[i].length, + DMA_TO_DEVICE); + ++ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) { ++ struct smbd_connection *info = request->info; ++ log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n", ++ wc->status, wc->opcode); ++ mempool_free(request, info->request_mempool); ++ smbd_disconnect_rdma_connection(info); ++ return; ++ } ++ + if (atomic_dec_and_test(&request->info->send_pending)) + wake_up(&request->info->wait_send_pending); + diff --git a/queue-6.1/usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch b/queue-6.1/usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..6a5131d175 --- /dev/null +++ b/queue-6.1/usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch @@ -0,0 +1,56 @@ +From stable+bounces-172200-greg=kroah.com@vger.kernel.org Thu Aug 21 18:54:51 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:52:17 -0400 +Subject: usb: dwc3: imx8mp: fix device leak at unbind +To: stable@vger.kernel.org +Cc: Johan Hovold , Li Jun , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250821165217.842711-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 086a0e516f7b3844e6328a5c69e2708b66b0ce18 ] + +Make sure to drop the reference to the dwc3 device taken by +of_find_device_by_node() on probe errors and on driver unbind. + +Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver") +Cc: stable@vger.kernel.org # 5.12 +Cc: Li Jun +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724091910.21092-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-imx8mp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/dwc3-imx8mp.c ++++ b/drivers/usb/dwc3/dwc3-imx8mp.c +@@ -243,7 +243,7 @@ static int dwc3_imx8mp_probe(struct plat + IRQF_ONESHOT, dev_name(dev), dwc3_imx); + if (err) { + dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err); +- goto depopulate; ++ goto put_dwc3; + } + + device_set_wakeup_capable(dev, true); +@@ -251,6 +251,8 @@ static int dwc3_imx8mp_probe(struct plat + + return 0; + ++put_dwc3: ++ put_device(&dwc3_imx->dwc3->dev); + depopulate: + of_platform_depopulate(dev); + err_node_put: +@@ -271,6 +273,8 @@ static int dwc3_imx8mp_remove(struct pla + struct dwc3_imx8mp *dwc3_imx = platform_get_drvdata(pdev); + struct device *dev = &pdev->dev; + ++ put_device(&dwc3_imx->dwc3->dev); ++ + pm_runtime_get_sync(dev); + of_platform_depopulate(dev); + diff --git a/queue-6.1/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch b/queue-6.1/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch new file mode 100644 index 0000000000..474a49117c --- /dev/null +++ b/queue-6.1/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch @@ -0,0 +1,60 @@ +From sashal@kernel.org Thu Aug 21 15:32:47 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 09:32:42 -0400 +Subject: usb: musb: omap2430: Convert to platform remove callback returning void +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "Greg Kroah-Hartman" , "Sasha Levin" +Message-ID: <20250821133244.715359-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is (mostly) ignored +and this typically results in resource leaks. To improve here there is a +quest to make the remove callback return void. In the first step of this +quest all drivers are converted to .remove_new() which already returns +void. + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/omap2430.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -471,14 +471,12 @@ err0: + return ret; + } + +-static int omap2430_remove(struct platform_device *pdev) ++static void omap2430_remove(struct platform_device *pdev) + { + struct omap2430_glue *glue = platform_get_drvdata(pdev); + + platform_device_unregister(glue->musb); + pm_runtime_disable(glue->dev); +- +- return 0; + } + + #ifdef CONFIG_PM +@@ -610,7 +608,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl + + static struct platform_driver omap2430_driver = { + .probe = omap2430_probe, +- .remove = omap2430_remove, ++ .remove_new = omap2430_remove, + .driver = { + .name = "musb-omap2430", + .pm = DEV_PM_OPS, diff --git a/queue-6.1/usb-musb-omap2430-fix-device-leak-at-unbind.patch b/queue-6.1/usb-musb-omap2430-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..5ca287e976 --- /dev/null +++ b/queue-6.1/usb-musb-omap2430-fix-device-leak-at-unbind.patch @@ -0,0 +1,84 @@ +From sashal@kernel.org Thu Aug 21 15:32:48 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 09:32:43 -0400 +Subject: usb: musb: omap2430: fix device leak at unbind +To: stable@vger.kernel.org +Cc: Johan Hovold , Roger Quadros , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250821133244.715359-2-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ] + +Make sure to drop the reference to the control device taken by +of_find_device_by_node() during probe when the driver is unbound. + +Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()") +Cc: stable@vger.kernel.org # 3.13 +Cc: Roger Quadros +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/omap2430.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -400,7 +400,7 @@ static int omap2430_probe(struct platfor + ret = platform_device_add_resources(musb, pdev->resource, pdev->num_resources); + if (ret) { + dev_err(&pdev->dev, "failed to add resources\n"); +- goto err2; ++ goto err_put_control_otghs; + } + + if (populate_irqs) { +@@ -413,7 +413,7 @@ static int omap2430_probe(struct platfor + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!res) { + ret = -EINVAL; +- goto err2; ++ goto err_put_control_otghs; + } + + musb_res[i].start = res->start; +@@ -441,14 +441,14 @@ static int omap2430_probe(struct platfor + ret = platform_device_add_resources(musb, musb_res, i); + if (ret) { + dev_err(&pdev->dev, "failed to add IRQ resources\n"); +- goto err2; ++ goto err_put_control_otghs; + } + } + + ret = platform_device_add_data(musb, pdata, sizeof(*pdata)); + if (ret) { + dev_err(&pdev->dev, "failed to add platform_data\n"); +- goto err2; ++ goto err_put_control_otghs; + } + + pm_runtime_enable(glue->dev); +@@ -463,7 +463,9 @@ static int omap2430_probe(struct platfor + + err3: + pm_runtime_disable(glue->dev); +- ++err_put_control_otghs: ++ if (!IS_ERR(glue->control_otghs)) ++ put_device(glue->control_otghs); + err2: + platform_device_put(musb); + +@@ -477,6 +479,8 @@ static void omap2430_remove(struct platf + + platform_device_unregister(glue->musb); + pm_runtime_disable(glue->dev); ++ if (!IS_ERR(glue->control_otghs)) ++ put_device(glue->control_otghs); + } + + #ifdef CONFIG_PM diff --git a/queue-6.1/usb-typec-fusb302-cache-pd-rx-state.patch b/queue-6.1/usb-typec-fusb302-cache-pd-rx-state.patch new file mode 100644 index 0000000000..12a57d9839 --- /dev/null +++ b/queue-6.1/usb-typec-fusb302-cache-pd-rx-state.patch @@ -0,0 +1,98 @@ +From sashal@kernel.org Mon Aug 18 22:30:30 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 16:30:26 -0400 +Subject: usb: typec: fusb302: cache PD RX state +To: stable@vger.kernel.org +Cc: Sebastian Reichel , stable , Heikki Krogerus , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250818203026.76749-1-sashal@kernel.org> + +From: Sebastian Reichel + +[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ] + +This patch fixes a race condition communication error, which ends up in +PD hard resets when losing the race. Some systems, like the Radxa ROCK +5B are powered through USB-C without any backup power source and use a +FUSB302 chip to do the PD negotiation. This means it is quite important +to avoid hard resets, since that effectively kills the system's +power-supply. + +I've found the following race condition while debugging unplanned power +loss during booting the board every now and then: + +1. lots of TCPM/FUSB302/PD initialization stuff +2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) +3. the remote PD source does not send anything, so TCPM does a SOFT RESET +4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time + (tcpm_set_pd_rx is enabled again, even though it is still on) + +At this point I've seen broken CRC good messages being send by the +FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like +messages are being lost and things generally going haywire with one of +the two sides doing a hard reset once a broken CRC good message was send +to the bus. + +I think the system is running into a race condition, that the FIFOs are +being cleared and/or the automatic good CRC message generation flag is +being updated while a message is already arriving. + +Let's avoid this by caching the PD RX enabled state, as we have already +processed anything in the FIFOs and are in a good state. As a side +effect that this also optimizes I2C bus usage :) + +As far as I can tell the problem theoretically also exists when TCPM +enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less +critical for the following reason: + +On devices like the ROCK 5B, which are powered through a TCPM backed +USB-C port, the bootloader must have done some prior PD communication +(initial communication must happen within 5 seconds after plugging the +USB-C plug). This means the first time the kernel TCPM state machine +reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages +actively. On other devices a hard reset simply adds some extra delay and +things should be good afterwards. + +Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") +Cc: stable +Signed-off-by: Sebastian Reichel +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org +Signed-off-by: Greg Kroah-Hartman +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/typec/tcpm/fusb302.c ++++ b/drivers/usb/typec/tcpm/fusb302.c +@@ -103,6 +103,7 @@ struct fusb302_chip { + bool vconn_on; + bool vbus_on; + bool charge_on; ++ bool pd_rx_on; + bool vbus_present; + enum typec_cc_polarity cc_polarity; + enum typec_cc_status cc1; +@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de + int ret = 0; + + mutex_lock(&chip->lock); ++ if (chip->pd_rx_on == on) { ++ fusb302_log(chip, "pd is already %s", str_on_off(on)); ++ goto done; ++ } ++ + ret = fusb302_pd_rx_flush(chip); + if (ret < 0) { + fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); +@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de + on ? "on" : "off", ret); + goto done; + } ++ ++ chip->pd_rx_on = on; + fusb302_log(chip, "pd := %s", on ? "on" : "off"); + done: + mutex_unlock(&chip->lock); diff --git a/queue-6.1/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch b/queue-6.1/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch new file mode 100644 index 0000000000..0f23d475fa --- /dev/null +++ b/queue-6.1/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch @@ -0,0 +1,62 @@ +From stable+bounces-164358-greg=kroah.com@vger.kernel.org Wed Jul 23 04:30:26 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 22:30:16 -0400 +Subject: x86/mce/amd: Add default names for MCA banks and blocks +To: stable@vger.kernel.org +Cc: Yazen Ghannam , Borislav Petkov , Sasha Levin +Message-ID: <20250723023016.1031080-1-sashal@kernel.org> + +From: Yazen Ghannam + +[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ] + +Ensure that sysfs init doesn't fail for new/unrecognized bank types or if +a bank has additional blocks available. + +Most MCA banks have a single thresholding block, so the block takes the same +name as the bank. + +Unified Memory Controllers (UMCs) are a special case where there are two +blocks and each has a unique name. + +However, the microarchitecture allows for five blocks. Any new MCA bank types +with more than one block will be missing names for the extra blocks. The MCE +sysfs will fail to initialize in this case. + +Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems") +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/cpu/mce/amd.c ++++ b/arch/x86/kernel/cpu/mce/amd.c +@@ -1052,13 +1052,20 @@ static const char *get_name(unsigned int + } + + bank_type = smca_get_bank_type(cpu, bank); +- if (bank_type >= N_SMCA_BANK_TYPES) +- return NULL; + + if (b && bank_type == SMCA_UMC) { + if (b->block < ARRAY_SIZE(smca_umc_block_names)) + return smca_umc_block_names[b->block]; +- return NULL; ++ } ++ ++ if (b && b->block) { ++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block); ++ return buf_mcatype; ++ } ++ ++ if (bank_type >= N_SMCA_BANK_TYPES) { ++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank); ++ return buf_mcatype; + } + + if (per_cpu(smca_bank_counts, cpu)[bank_type] == 1) diff --git a/queue-6.1/xfs-fully-decouple-xfs_ibulk-flags-from-xfs_iwalk-flags.patch b/queue-6.1/xfs-fully-decouple-xfs_ibulk-flags-from-xfs_iwalk-flags.patch new file mode 100644 index 0000000000..4f96471723 --- /dev/null +++ b/queue-6.1/xfs-fully-decouple-xfs_ibulk-flags-from-xfs_iwalk-flags.patch @@ -0,0 +1,60 @@ +From stable+bounces-171740-greg=kroah.com@vger.kernel.org Tue Aug 19 05:06:15 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 23:06:06 -0400 +Subject: xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags +To: stable@vger.kernel.org +Cc: Christoph Hellwig , cen zhang , "Darrick J. Wong" , Carlos Maiolino , Sasha Levin +Message-ID: <20250819030606.304788-1-sashal@kernel.org> + +From: Christoph Hellwig + +[ Upstream commit d2845519b0723c5d5a0266cbf410495f9b8fd65c ] + +Fix up xfs_inumbers to now pass in the XFS_IBULK* flags into the flags +argument to xfs_inobt_walk, which expects the XFS_IWALK* flags. + +Currently passing the wrong flags works for non-debug builds because +the only XFS_IWALK* flag has the same encoding as the corresponding +XFS_IBULK* flag, but in debug builds it can trigger an assert that no +incorrect flag is passed. Instead just extra the relevant flag. + +Fixes: 5b35d922c52798 ("xfs: Decouple XFS_IBULK flags from XFS_IWALK flags") +Cc: # v5.19 +Reported-by: cen zhang +Signed-off-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Carlos Maiolino +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_itable.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/xfs/xfs_itable.c ++++ b/fs/xfs/xfs_itable.c +@@ -422,11 +422,15 @@ xfs_inumbers( + .breq = breq, + }; + struct xfs_trans *tp; ++ unsigned int iwalk_flags = 0; + int error = 0; + + if (xfs_bulkstat_already_done(breq->mp, breq->startino)) + return 0; + ++ if (breq->flags & XFS_IBULK_SAME_AG) ++ iwalk_flags |= XFS_IWALK_SAME_AG; ++ + /* + * Grab an empty transaction so that we can use its recursive buffer + * locking abilities to detect cycles in the inobt without deadlocking. +@@ -435,7 +439,7 @@ xfs_inumbers( + if (error) + goto out; + +- error = xfs_inobt_walk(breq->mp, tp, breq->startino, breq->flags, ++ error = xfs_inobt_walk(breq->mp, tp, breq->startino, iwalk_flags, + xfs_inumbers_walk, breq->icount, &ic); + xfs_trans_cancel(tp); + out: