From: Greg Kroah-Hartman Date: Mon, 18 Aug 2025 10:07:31 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.12.43~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f7ae08f36275110b06500742a1c889c0459bf189;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: ext4-fix-largest-free-orders-lists-corruption-on-mb_optimize_scan-switch.patch ext4-fix-zombie-groups-in-average-fragment-size-lists.patch misc-rtsx-usb-ensure-mmc-child-device-is-active-when-card-is-present.patch usb-core-config-prevent-oob-read-in-ss-endpoint-companion-parsing.patch usb-typec-ucsi-update-power_supply-on-power-role-change.patch --- diff --git a/queue-6.1/ext4-fix-largest-free-orders-lists-corruption-on-mb_optimize_scan-switch.patch b/queue-6.1/ext4-fix-largest-free-orders-lists-corruption-on-mb_optimize_scan-switch.patch new file mode 100644 index 0000000000..7739f616bb --- /dev/null +++ b/queue-6.1/ext4-fix-largest-free-orders-lists-corruption-on-mb_optimize_scan-switch.patch @@ -0,0 +1,92 @@ +From 7d345aa1fac4c2ec9584fbd6f389f2c2368671d5 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 14 Jul 2025 21:03:21 +0800 +Subject: ext4: fix largest free orders lists corruption on mb_optimize_scan switch + +From: Baokun Li + +commit 7d345aa1fac4c2ec9584fbd6f389f2c2368671d5 upstream. + +The grp->bb_largest_free_order is updated regardless of whether +mb_optimize_scan is enabled. This can lead to inconsistencies between +grp->bb_largest_free_order and the actual s_mb_largest_free_orders list +index when mb_optimize_scan is repeatedly enabled and disabled via remount. + +For example, if mb_optimize_scan is initially enabled, largest free +order is 3, and the group is in s_mb_largest_free_orders[3]. Then, +mb_optimize_scan is disabled via remount, block allocations occur, +updating largest free order to 2. Finally, mb_optimize_scan is re-enabled +via remount, more block allocations update largest free order to 1. + +At this point, the group would be removed from s_mb_largest_free_orders[3] +under the protection of s_mb_largest_free_orders_locks[2]. This lock +mismatch can lead to list corruption. + +To fix this, whenever grp->bb_largest_free_order changes, we now always +attempt to remove the group from its old order list. However, we only +insert the group into the new order list if `mb_optimize_scan` is enabled. +This approach helps prevent lock inconsistencies and ensures the data in +the order lists remains reliable. + +Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning") +CC: stable@vger.kernel.org +Suggested-by: Jan Kara +Signed-off-by: Baokun Li +Reviewed-by: Zhang Yi +Link: https://patch.msgid.link/20250714130327.1830534-12-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 33 ++++++++++++++------------------- + 1 file changed, 14 insertions(+), 19 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -1032,33 +1032,28 @@ static void + mb_set_largest_free_order(struct super_block *sb, struct ext4_group_info *grp) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); +- int i; ++ int new, old = grp->bb_largest_free_order; + +- for (i = MB_NUM_ORDERS(sb) - 1; i >= 0; i--) +- if (grp->bb_counters[i] > 0) ++ for (new = MB_NUM_ORDERS(sb) - 1; new >= 0; new--) ++ if (grp->bb_counters[new] > 0) + break; ++ + /* No need to move between order lists? */ +- if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || +- i == grp->bb_largest_free_order) { +- grp->bb_largest_free_order = i; ++ if (new == old) + return; +- } + +- if (grp->bb_largest_free_order >= 0) { +- write_lock(&sbi->s_mb_largest_free_orders_locks[ +- grp->bb_largest_free_order]); ++ if (old >= 0 && !list_empty(&grp->bb_largest_free_order_node)) { ++ write_lock(&sbi->s_mb_largest_free_orders_locks[old]); + list_del_init(&grp->bb_largest_free_order_node); +- write_unlock(&sbi->s_mb_largest_free_orders_locks[ +- grp->bb_largest_free_order]); ++ write_unlock(&sbi->s_mb_largest_free_orders_locks[old]); + } +- grp->bb_largest_free_order = i; +- if (grp->bb_largest_free_order >= 0 && grp->bb_free) { +- write_lock(&sbi->s_mb_largest_free_orders_locks[ +- grp->bb_largest_free_order]); ++ ++ grp->bb_largest_free_order = new; ++ if (test_opt2(sb, MB_OPTIMIZE_SCAN) && new >= 0 && grp->bb_free) { ++ write_lock(&sbi->s_mb_largest_free_orders_locks[new]); + list_add_tail(&grp->bb_largest_free_order_node, +- &sbi->s_mb_largest_free_orders[grp->bb_largest_free_order]); +- write_unlock(&sbi->s_mb_largest_free_orders_locks[ +- grp->bb_largest_free_order]); ++ &sbi->s_mb_largest_free_orders[new]); ++ write_unlock(&sbi->s_mb_largest_free_orders_locks[new]); + } + } + diff --git a/queue-6.1/ext4-fix-zombie-groups-in-average-fragment-size-lists.patch b/queue-6.1/ext4-fix-zombie-groups-in-average-fragment-size-lists.patch new file mode 100644 index 0000000000..9060b97a32 --- /dev/null +++ b/queue-6.1/ext4-fix-zombie-groups-in-average-fragment-size-lists.patch @@ -0,0 +1,85 @@ +From 1c320d8e92925bb7615f83a7b6e3f402a5c2ca63 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 14 Jul 2025 21:03:20 +0800 +Subject: ext4: fix zombie groups in average fragment size lists + +From: Baokun Li + +commit 1c320d8e92925bb7615f83a7b6e3f402a5c2ca63 upstream. + +Groups with no free blocks shouldn't be in any average fragment size list. +However, when all blocks in a group are allocated(i.e., bb_fragments or +bb_free is 0), we currently skip updating the average fragment size, which +means the group isn't removed from its previous s_mb_avg_fragment_size[old] +list. + +This created "zombie" groups that were always skipped during traversal as +they couldn't satisfy any block allocation requests, negatively impacting +traversal efficiency. + +Therefore, when a group becomes completely full, bb_avg_fragment_size_order +is now set to -1. If the old order was not -1, a removal operation is +performed; if the new order is not -1, an insertion is performed. + +Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning") +CC: stable@vger.kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Reviewed-by: Zhang Yi +Link: https://patch.msgid.link/20250714130327.1830534-11-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -829,30 +829,30 @@ static void + mb_update_avg_fragment_size(struct super_block *sb, struct ext4_group_info *grp) + { + struct ext4_sb_info *sbi = EXT4_SB(sb); +- int new_order; ++ int new, old; + +- if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_fragments == 0) ++ if (!test_opt2(sb, MB_OPTIMIZE_SCAN)) + return; + +- new_order = mb_avg_fragment_size_order(sb, +- grp->bb_free / grp->bb_fragments); +- if (new_order == grp->bb_avg_fragment_size_order) ++ old = grp->bb_avg_fragment_size_order; ++ new = grp->bb_fragments == 0 ? -1 : ++ mb_avg_fragment_size_order(sb, grp->bb_free / grp->bb_fragments); ++ if (new == old) + return; + +- if (grp->bb_avg_fragment_size_order != -1) { +- write_lock(&sbi->s_mb_avg_fragment_size_locks[ +- grp->bb_avg_fragment_size_order]); ++ if (old >= 0) { ++ write_lock(&sbi->s_mb_avg_fragment_size_locks[old]); + list_del(&grp->bb_avg_fragment_size_node); +- write_unlock(&sbi->s_mb_avg_fragment_size_locks[ +- grp->bb_avg_fragment_size_order]); ++ write_unlock(&sbi->s_mb_avg_fragment_size_locks[old]); ++ } ++ ++ grp->bb_avg_fragment_size_order = new; ++ if (new >= 0) { ++ write_lock(&sbi->s_mb_avg_fragment_size_locks[new]); ++ list_add_tail(&grp->bb_avg_fragment_size_node, ++ &sbi->s_mb_avg_fragment_size[new]); ++ write_unlock(&sbi->s_mb_avg_fragment_size_locks[new]); + } +- grp->bb_avg_fragment_size_order = new_order; +- write_lock(&sbi->s_mb_avg_fragment_size_locks[ +- grp->bb_avg_fragment_size_order]); +- list_add_tail(&grp->bb_avg_fragment_size_node, +- &sbi->s_mb_avg_fragment_size[grp->bb_avg_fragment_size_order]); +- write_unlock(&sbi->s_mb_avg_fragment_size_locks[ +- grp->bb_avg_fragment_size_order]); + } + + /* diff --git a/queue-6.1/misc-rtsx-usb-ensure-mmc-child-device-is-active-when-card-is-present.patch b/queue-6.1/misc-rtsx-usb-ensure-mmc-child-device-is-active-when-card-is-present.patch new file mode 100644 index 0000000000..39fa304eca --- /dev/null +++ b/queue-6.1/misc-rtsx-usb-ensure-mmc-child-device-is-active-when-card-is-present.patch @@ -0,0 +1,69 @@ +From 966c5cd72be8989c8a559ddef8e8ff07a37c5eb0 Mon Sep 17 00:00:00 2001 +From: Ricky Wu +Date: Fri, 11 Jul 2025 22:01:43 +0800 +Subject: misc: rtsx: usb: Ensure mmc child device is active when card is present + +From: Ricky Wu + +commit 966c5cd72be8989c8a559ddef8e8ff07a37c5eb0 upstream. + +When a card is present in the reader, the driver currently defers +autosuspend by returning -EAGAIN during the suspend callback to +trigger USB remote wakeup signaling. However, this does not guarantee +that the mmc child device has been resumed, which may cause issues if +it remains suspended while the card is accessible. +This patch ensures that all child devices, including the mmc host +controller, are explicitly resumed before returning -EAGAIN. This +fixes a corner case introduced by earlier remote wakeup handling, +improving reliability of runtime PM when a card is inserted. + +Fixes: 883a87ddf2f1 ("misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection") +Cc: stable@vger.kernel.org +Signed-off-by: Ricky Wu +Reviewed-by: Ulf Hansson +Link: https://lore.kernel.org/r/20250711140143.2105224-1-ricky_wu@realtek.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/cardreader/rtsx_usb.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/misc/cardreader/rtsx_usb.c ++++ b/drivers/misc/cardreader/rtsx_usb.c +@@ -698,6 +698,12 @@ static void rtsx_usb_disconnect(struct u + } + + #ifdef CONFIG_PM ++static int rtsx_usb_resume_child(struct device *dev, void *data) ++{ ++ pm_request_resume(dev); ++ return 0; ++} ++ + static int rtsx_usb_suspend(struct usb_interface *intf, pm_message_t message) + { + struct rtsx_ucr *ucr = +@@ -713,8 +719,10 @@ static int rtsx_usb_suspend(struct usb_i + mutex_unlock(&ucr->dev_mutex); + + /* Defer the autosuspend if card exists */ +- if (val & (SD_CD | MS_CD)) ++ if (val & (SD_CD | MS_CD)) { ++ device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child); + return -EAGAIN; ++ } + } else { + /* There is an ongoing operation*/ + return -EAGAIN; +@@ -724,12 +732,6 @@ static int rtsx_usb_suspend(struct usb_i + return 0; + } + +-static int rtsx_usb_resume_child(struct device *dev, void *data) +-{ +- pm_request_resume(dev); +- return 0; +-} +- + static int rtsx_usb_resume(struct usb_interface *intf) + { + device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child); diff --git a/queue-6.1/series b/queue-6.1/series index 5230be8fb8..5327ab7c98 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -243,3 +243,8 @@ asoc-soc-dai.h-merge-dai-call-back-functions-into-op.patch asoc-fsl-merge-dai-call-back-functions-into-ops.patch asoc-fsl_sai-replace-regmap_write-with-regmap_update.patch drm-amdgpu-fix-incorrect-vm-flags-to-map-bo.patch +ext4-fix-zombie-groups-in-average-fragment-size-lists.patch +ext4-fix-largest-free-orders-lists-corruption-on-mb_optimize_scan-switch.patch +usb-core-config-prevent-oob-read-in-ss-endpoint-companion-parsing.patch +misc-rtsx-usb-ensure-mmc-child-device-is-active-when-card-is-present.patch +usb-typec-ucsi-update-power_supply-on-power-role-change.patch diff --git a/queue-6.1/usb-core-config-prevent-oob-read-in-ss-endpoint-companion-parsing.patch b/queue-6.1/usb-core-config-prevent-oob-read-in-ss-endpoint-companion-parsing.patch new file mode 100644 index 0000000000..935962757d --- /dev/null +++ b/queue-6.1/usb-core-config-prevent-oob-read-in-ss-endpoint-companion-parsing.patch @@ -0,0 +1,41 @@ +From cf16f408364efd8a68f39011a3b073c83a03612d Mon Sep 17 00:00:00 2001 +From: Xinyu Liu +Date: Mon, 30 Jun 2025 10:02:56 +0800 +Subject: usb: core: config: Prevent OOB read in SS endpoint companion parsing + +From: Xinyu Liu + +commit cf16f408364efd8a68f39011a3b073c83a03612d upstream. + +usb_parse_ss_endpoint_companion() checks descriptor type before length, +enabling a potentially odd read outside of the buffer size. + +Fix this up by checking the size first before looking at any of the +fields in the descriptor. + +Signed-off-by: Xinyu Liu +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/config.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -81,8 +81,14 @@ static void usb_parse_ss_endpoint_compan + */ + desc = (struct usb_ss_ep_comp_descriptor *) buffer; + +- if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP || +- size < USB_DT_SS_EP_COMP_SIZE) { ++ if (size < USB_DT_SS_EP_COMP_SIZE) { ++ dev_notice(ddev, ++ "invalid SuperSpeed endpoint companion descriptor " ++ "of length %d, skipping\n", size); ++ return; ++ } ++ ++ if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP) { + dev_notice(ddev, "No SuperSpeed endpoint companion for config %d " + " interface %d altsetting %d ep %d: " + "using minimum values\n", diff --git a/queue-6.1/usb-typec-ucsi-update-power_supply-on-power-role-change.patch b/queue-6.1/usb-typec-ucsi-update-power_supply-on-power-role-change.patch new file mode 100644 index 0000000000..440adf170e --- /dev/null +++ b/queue-6.1/usb-typec-ucsi-update-power_supply-on-power-role-change.patch @@ -0,0 +1,37 @@ +From 7616f006db07017ef5d4ae410fca99279aaca7aa Mon Sep 17 00:00:00 2001 +From: Myrrh Periwinkle +Date: Mon, 21 Jul 2025 13:32:51 +0700 +Subject: usb: typec: ucsi: Update power_supply on power role change + +From: Myrrh Periwinkle + +commit 7616f006db07017ef5d4ae410fca99279aaca7aa upstream. + +The current power direction of an USB-C port also influences the +power_supply's online status, so a power role change should also update +the power_supply. + +Fixes an issue on some systems where plugging in a normal USB device in +for the first time after a reboot will cause upower to erroneously +consider the system to be connected to AC power. + +Cc: stable +Fixes: 0e6371fbfba3 ("usb: typec: ucsi: Report power supply changes") +Signed-off-by: Myrrh Periwinkle +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250721-fix-ucsi-pwr-dir-notify-v1-1-e53d5340cb38@qtmlabs.xyz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -806,6 +806,7 @@ static void ucsi_handle_connector_change + + if (con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) { + typec_set_pwr_role(con->port, role); ++ ucsi_port_psy_changed(con); + + /* Complete pending power role swap */ + if (!completion_done(&con->complete))