From 44bb2d65d0369709f1150d2f8fc20df22c42c822 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 7 Jul 2025 00:22:43 -0400 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...-evaluate-a-method-if-arguments-are-.patch | 51 +++++ ...low-changing-the-dma-mode-during-ope.patch | 38 ++++ ...-disable-dmas-once-when-dma-mode-is-.patch | 41 ++++ ...ign-cl37-an-sequence-as-per-databook.patch | 89 ++++++++ ...xmit-timer-downdev-work-to-workqueue.patch | 94 ++++++++ ...pple-t8103-fix-pcie-bcm4377-nodename.patch | 42 ++++ ...d-yc-update-quirk-data-for-hp-victus.patch | 40 ++++ ...do-not-assume-40-wire-cable-if-no-de.patch | 138 ++++++++++++ ...-pata_cs5536-fix-build-on-32-bit-uml.patch | 38 ++++ ...t-unintended-pause-by-checking-if-ad.patch | 69 ++++++ ...eration-of-extrefs-during-log-replay.patch | 51 +++++ ...g-error-handling-when-searching-for-.patch | 45 ++++ ...guard-display-clock-control-with-run.patch | 67 ++++++ ...-interrupt-top-half-should-be-in-irq.patch | 52 +++++ ...timeline-left-held-on-vma-alloc-erro.patch | 128 +++++++++++ ...ts-change-mock_request-to-return-err.patch | 107 +++++++++ ...ix-a-fence-leak-in-submit-error-path.patch | 45 ++++ ...nother-leak-in-the-submit-error-path.patch | 57 +++++ ...ct-mtu-comparison-in-enic_change_mtu.patch | 47 ++++ ...d-missing-dma-mapping-error-checks-a.patch | 213 ++++++++++++++++++ ...-pci-e-link-substate-to-avoid-perfor.patch | 66 ++++++ ...set-error-message-in-check_expect_hi.patch | 50 ++++ ...d-fix-memory-leak-of-ecc-engine-conf.patch | 59 +++++ ...-pass-notifications-when-child-class.patch | 109 +++++++++ ...c-net-rpc-nfs-when-nfs_fs_proc_net_i.patch | 139 ++++++++++++ ...x-a-race-to-wake-on-nfs_layout_drain.patch | 45 ++++ .../nui-fix-dma_mapping_error-check.patch | 143 ++++++++++++ ...x-mlxbf-tmfifo-fix-vring_desc.len-as.patch | 46 ++++ ...x-mlxreg-lc-fix-logic-error-in-power.patch | 51 +++++ ...x-nvsw-sn2201-fix-bus-number-in-adap.patch | 42 ++++ ...l-wmi-sysman-fix-wmi-data-block-retr.patch | 141 ++++++++++++ ...x-struct-termio-related-ioctl-macros.patch | 58 +++++ ...n-early-if-callback-is-not-specified.patch | 43 ++++ ...a-mlx5-fix-cc-counters-query-for-mpv.patch | 38 ++++ ...lize-obj_event-obj_sub_list-before-x.patch | 100 ++++++++ ...g-neighbour-pointers-in-rose_rt_devi.patch | 84 +++++++ ...-dma-mapping-test-in-qla24xx_get_por.patch | 38 ++++ ...-missing-dma-mapping-error-in-qla4xx.patch | 37 +++ ...null-pointer-dereference-in-core_scs.patch | 56 +++++ ...x-spelling-of-a-sysfs-attribute-name.patch | 60 +++++ queue-6.1/series | 44 ++++ ...ace-condition-in-negotiate-timeout-b.patch | 128 +++++++++++ ...-clear-completion-counter-before-ini.patch | 61 +++++ ...kl-remove-warn-on-bad-firmware-input.patch | 43 ++++ ...op-invalid-source-address-ocb-frames.patch | 42 ++++ 45 files changed, 3175 insertions(+) create mode 100644 queue-6.1/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch create mode 100644 queue-6.1/alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch create mode 100644 queue-6.1/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch create mode 100644 queue-6.1/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch create mode 100644 queue-6.1/aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch create mode 100644 queue-6.1/arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch create mode 100644 queue-6.1/asoc-amd-yc-update-quirk-data-for-hp-victus.patch create mode 100644 queue-6.1/ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch create mode 100644 queue-6.1/ata-pata_cs5536-fix-build-on-32-bit-uml.patch create mode 100644 queue-6.1/bluetooth-prevent-unintended-pause-by-checking-if-ad.patch create mode 100644 queue-6.1/btrfs-fix-iteration-of-extrefs-during-log-replay.patch create mode 100644 queue-6.1/btrfs-fix-missing-error-handling-when-searching-for-.patch create mode 100644 queue-6.1/drm-exynos-fimd-guard-display-clock-control-with-run.patch create mode 100644 queue-6.1/drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch create mode 100644 queue-6.1/drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch create mode 100644 queue-6.1/drm-i915-selftests-change-mock_request-to-return-err.patch create mode 100644 queue-6.1/drm-msm-fix-a-fence-leak-in-submit-error-path.patch create mode 100644 queue-6.1/drm-msm-fix-another-leak-in-the-submit-error-path.patch create mode 100644 queue-6.1/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch create mode 100644 queue-6.1/ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch create mode 100644 queue-6.1/igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch create mode 100644 queue-6.1/lib-test_objagg-set-error-message-in-check_expect_hi.patch create mode 100644 queue-6.1/mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch create mode 100644 queue-6.1/net-sched-always-pass-notifications-when-child-class.patch create mode 100644 queue-6.1/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch create mode 100644 queue-6.1/nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch create mode 100644 queue-6.1/nui-fix-dma_mapping_error-check.patch create mode 100644 queue-6.1/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch create mode 100644 queue-6.1/platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch create mode 100644 queue-6.1/platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch create mode 100644 queue-6.1/platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch create mode 100644 queue-6.1/powerpc-fix-struct-termio-related-ioctl-macros.patch create mode 100644 queue-6.1/rcu-return-early-if-callback-is-not-specified.patch create mode 100644 queue-6.1/rdma-mlx5-fix-cc-counters-query-for-mpv.patch create mode 100644 queue-6.1/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch create mode 100644 queue-6.1/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch create mode 100644 queue-6.1/scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch create mode 100644 queue-6.1/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch create mode 100644 queue-6.1/scsi-target-fix-null-pointer-dereference-in-core_scs.patch create mode 100644 queue-6.1/scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch create mode 100644 queue-6.1/smb-client-fix-race-condition-in-negotiate-timeout-b.patch create mode 100644 queue-6.1/spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch create mode 100644 queue-6.1/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch create mode 100644 queue-6.1/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch diff --git a/queue-6.1/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch b/queue-6.1/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch new file mode 100644 index 0000000000..e20202fd39 --- /dev/null +++ b/queue-6.1/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch @@ -0,0 +1,51 @@ +From c613a5ec6d720ffd8ff0591efaf86f54ee00108c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 14:17:45 +0200 +Subject: ACPICA: Refuse to evaluate a method if arguments are missing + +From: Rafael J. Wysocki + +[ Upstream commit 6fcab2791543924d438e7fa49276d0998b0a069f ] + +As reported in [1], a platform firmware update that increased the number +of method parameters and forgot to update a least one of its callers, +caused ACPICA to crash due to use-after-free. + +Since this a result of a clear AML issue that arguably cannot be fixed +up by the interpreter (it cannot produce missing data out of thin air), +address it by making ACPICA refuse to evaluate a method if the caller +attempts to pass fewer arguments than expected to it. + +Closes: https://github.com/acpica/acpica/issues/1027 [1] +Reported-by: Peter Williams +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Hans de Goede +Tested-by: Hans de Goede # Dell XPS 9640 with BIOS 1.12.0 +Link: https://patch.msgid.link/5909446.DvuYhMxLoT@rjwysocki.net +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsmethod.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c +index 9332bc688713c..05fd1ec8de14e 100644 +--- a/drivers/acpi/acpica/dsmethod.c ++++ b/drivers/acpi/acpica/dsmethod.c +@@ -483,6 +483,13 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, + return_ACPI_STATUS(AE_NULL_OBJECT); + } + ++ if (this_walk_state->num_operands < obj_desc->method.param_count) { ++ ACPI_ERROR((AE_INFO, "Missing argument for method [%4.4s]", ++ acpi_ut_get_node_name(method_node))); ++ ++ return_ACPI_STATUS(AE_AML_UNINITIALIZED_ARG); ++ } ++ + /* Init for new method, possibly wait on method mutex */ + + status = +-- +2.39.5 + diff --git a/queue-6.1/alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch b/queue-6.1/alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch new file mode 100644 index 0000000000..df5794005b --- /dev/null +++ b/queue-6.1/alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch @@ -0,0 +1,38 @@ +From d07a71edd5e2c2e73ba09b5cd1def4b17e0ed72b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 08:43:19 +0200 +Subject: ALSA: sb: Don't allow changing the DMA mode during operations + +From: Takashi Iwai + +[ Upstream commit ed29e073ba93f2d52832804cabdd831d5d357d33 ] + +When a PCM stream is already running, one shouldn't change the DMA +mode via kcontrol, which may screw up the hardware. Return -EBUSY +instead. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=218185 +Link: https://patch.msgid.link/20250610064322.26787-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/sb/sb16_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c +index a9b87e159b2d1..5efbd0a41312b 100644 +--- a/sound/isa/sb/sb16_main.c ++++ b/sound/isa/sb/sb16_main.c +@@ -703,6 +703,9 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct + unsigned char nval, oval; + int change; + ++ if (chip->mode & (SB_MODE_PLAYBACK | SB_MODE_CAPTURE)) ++ return -EBUSY; ++ + nval = ucontrol->value.enumerated.item[0]; + if (nval > 2) + return -EINVAL; +-- +2.39.5 + diff --git a/queue-6.1/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch b/queue-6.1/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch new file mode 100644 index 0000000000..0dad04f185 --- /dev/null +++ b/queue-6.1/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch @@ -0,0 +1,41 @@ +From 7b9d604848a84012aaf8cffb5bceab68f2d2828c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 08:43:20 +0200 +Subject: ALSA: sb: Force to disable DMAs once when DMA mode is changed + +From: Takashi Iwai + +[ Upstream commit 4c267ae2ef349639b4d9ebf00dd28586a82fdbe6 ] + +When the DMA mode is changed on the (still real!) SB AWE32 after +playing a stream and closing, the previous DMA setup was still +silently kept, and it can confuse the hardware, resulting in the +unexpected noises. As a workaround, enforce the disablement of DMA +setups when the DMA setup is changed by the kcontrol. + +https://bugzilla.kernel.org/show_bug.cgi?id=218185 +Link: https://patch.msgid.link/20250610064322.26787-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/sb/sb16_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c +index 5efbd0a41312b..1497a7822eee6 100644 +--- a/sound/isa/sb/sb16_main.c ++++ b/sound/isa/sb/sb16_main.c +@@ -714,6 +714,10 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct + change = nval != oval; + snd_sb16_set_dma_mode(chip, nval); + spin_unlock_irqrestore(&chip->reg_lock, flags); ++ if (change) { ++ snd_dma_disable(chip->dma8); ++ snd_dma_disable(chip->dma16); ++ } + return change; + } + +-- +2.39.5 + diff --git a/queue-6.1/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch b/queue-6.1/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch new file mode 100644 index 0000000000..50c4193f35 --- /dev/null +++ b/queue-6.1/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch @@ -0,0 +1,89 @@ +From 449756e0519c1f0d5b405caad1ff151174ab1772 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 00:56:36 +0530 +Subject: amd-xgbe: align CL37 AN sequence as per databook + +From: Raju Rangoju + +[ Upstream commit 42fd432fe6d320323215ebdf4de4d0d7e56e6792 ] + +Update the Clause 37 Auto-Negotiation implementation to properly align +with the PCS hardware specifications: +- Fix incorrect bit settings in Link Status and Link Duplex fields +- Implement missing sequence steps 2 and 7 + +These changes ensure CL37 auto-negotiation protocol follows the exact +sequence patterns as specified in the hardware databook. + +Fixes: 1bf40ada6290 ("amd-xgbe: Add support for clause 37 auto-negotiation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20250630192636.3838291-1-Raju.Rangoju@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 ++ + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 +++++++++ + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++-- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +index 466273b22f0a4..893a52b2262b6 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +@@ -1357,6 +1357,8 @@ + #define MDIO_VEND2_CTRL1_SS13 BIT(13) + #endif + ++#define XGBE_VEND2_MAC_AUTO_SW BIT(9) ++ + /* MDIO mask values */ + #define XGBE_AN_CL73_INT_CMPLT BIT(0) + #define XGBE_AN_CL73_INC_LINK BIT(1) +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 60be836b294bb..19fed56b6ee3f 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -363,6 +363,10 @@ static void xgbe_an37_set(struct xgbe_prv_data *pdata, bool enable, + reg |= MDIO_VEND2_CTRL1_AN_RESTART; + + XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_CTRL1, reg); ++ ++ reg = XMDIO_READ(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL); ++ reg |= XGBE_VEND2_MAC_AUTO_SW; ++ XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL, reg); + } + + static void xgbe_an37_restart(struct xgbe_prv_data *pdata) +@@ -991,6 +995,11 @@ static void xgbe_an37_init(struct xgbe_prv_data *pdata) + + netif_dbg(pdata, link, pdata->netdev, "CL37 AN (%s) initialized\n", + (pdata->an_mode == XGBE_AN_MODE_CL37) ? "BaseX" : "SGMII"); ++ ++ reg = XMDIO_READ(pdata, MDIO_MMD_AN, MDIO_CTRL1); ++ reg &= ~MDIO_AN_CTRL1_ENABLE; ++ XMDIO_WRITE(pdata, MDIO_MMD_AN, MDIO_CTRL1, reg); ++ + } + + static void xgbe_an73_init(struct xgbe_prv_data *pdata) +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h +index b17c7d1dc4b00..f3ba76530b67b 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -292,11 +292,11 @@ + #define XGBE_LINK_TIMEOUT 5 + #define XGBE_KR_TRAINING_WAIT_ITER 50 + +-#define XGBE_SGMII_AN_LINK_STATUS BIT(1) ++#define XGBE_SGMII_AN_LINK_DUPLEX BIT(1) + #define XGBE_SGMII_AN_LINK_SPEED (BIT(2) | BIT(3)) + #define XGBE_SGMII_AN_LINK_SPEED_100 0x04 + #define XGBE_SGMII_AN_LINK_SPEED_1000 0x08 +-#define XGBE_SGMII_AN_LINK_DUPLEX BIT(4) ++#define XGBE_SGMII_AN_LINK_STATUS BIT(4) + + /* ECC correctable error notification window (seconds) */ + #define XGBE_ECC_LIMIT 60 +-- +2.39.5 + diff --git a/queue-6.1/aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch b/queue-6.1/aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch new file mode 100644 index 0000000000..38ec6ae9ce --- /dev/null +++ b/queue-6.1/aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch @@ -0,0 +1,94 @@ +From 92d37f8f6017f53c21732553bca0950fe44fdce3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 17:06:00 +0000 +Subject: aoe: defer rexmit timer downdev work to workqueue + +From: Justin Sanders + +[ Upstream commit cffc873d68ab09a0432b8212008c5613f8a70a2c ] + +When aoe's rexmit_timer() notices that an aoe target fails to respond to +commands for more than aoe_deadsecs, it calls aoedev_downdev() which +cleans the outstanding aoe and block queues. This can involve sleeping, +such as in blk_mq_freeze_queue(), which should not occur in irq context. + +This patch defers that aoedev_downdev() call to the aoe device's +workqueue. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=212665 +Signed-off-by: Justin Sanders +Link: https://lore.kernel.org/r/20250610170600.869-2-jsanders.devel@gmail.com +Tested-By: Valentin Kleibel +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/aoe/aoe.h | 1 + + drivers/block/aoe/aoecmd.c | 8 ++++++-- + drivers/block/aoe/aoedev.c | 5 ++++- + 3 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/aoe/aoe.h b/drivers/block/aoe/aoe.h +index 749ae1246f4cf..d35caa3c69e15 100644 +--- a/drivers/block/aoe/aoe.h ++++ b/drivers/block/aoe/aoe.h +@@ -80,6 +80,7 @@ enum { + DEVFL_NEWSIZE = (1<<6), /* need to update dev size in block layer */ + DEVFL_FREEING = (1<<7), /* set when device is being cleaned up */ + DEVFL_FREED = (1<<8), /* device has been cleaned up */ ++ DEVFL_DEAD = (1<<9), /* device has timed out of aoe_deadsecs */ + }; + + enum { +diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c +index d1f4ddc576451..c4c5cf1ec71ba 100644 +--- a/drivers/block/aoe/aoecmd.c ++++ b/drivers/block/aoe/aoecmd.c +@@ -754,7 +754,7 @@ rexmit_timer(struct timer_list *timer) + + utgts = count_targets(d, NULL); + +- if (d->flags & DEVFL_TKILL) { ++ if (d->flags & (DEVFL_TKILL | DEVFL_DEAD)) { + spin_unlock_irqrestore(&d->lock, flags); + return; + } +@@ -786,7 +786,8 @@ rexmit_timer(struct timer_list *timer) + * to clean up. + */ + list_splice(&flist, &d->factive[0]); +- aoedev_downdev(d); ++ d->flags |= DEVFL_DEAD; ++ queue_work(aoe_wq, &d->work); + goto out; + } + +@@ -898,6 +899,9 @@ aoecmd_sleepwork(struct work_struct *work) + { + struct aoedev *d = container_of(work, struct aoedev, work); + ++ if (d->flags & DEVFL_DEAD) ++ aoedev_downdev(d); ++ + if (d->flags & DEVFL_GDALLOC) + aoeblk_gdalloc(d); + +diff --git a/drivers/block/aoe/aoedev.c b/drivers/block/aoe/aoedev.c +index 280679bde3a50..4240e11adfb76 100644 +--- a/drivers/block/aoe/aoedev.c ++++ b/drivers/block/aoe/aoedev.c +@@ -200,8 +200,11 @@ aoedev_downdev(struct aoedev *d) + struct list_head *head, *pos, *nx; + struct request *rq, *rqnext; + int i; ++ unsigned long flags; + +- d->flags &= ~DEVFL_UP; ++ spin_lock_irqsave(&d->lock, flags); ++ d->flags &= ~(DEVFL_UP | DEVFL_DEAD); ++ spin_unlock_irqrestore(&d->lock, flags); + + /* clean out active and to-be-retransmitted buffers */ + for (i = 0; i < NFACTIVE; i++) { +-- +2.39.5 + diff --git a/queue-6.1/arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch b/queue-6.1/arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch new file mode 100644 index 0000000000..afca0f1938 --- /dev/null +++ b/queue-6.1/arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch @@ -0,0 +1,42 @@ +From 10e32657302b9aa7b484b061e971a227ecff80aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 22:30:31 +0200 +Subject: arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename + +From: Janne Grunau + +[ Upstream commit ac1daa91e9370e3b88ef7826a73d62a4d09e2717 ] + +Fix the following `make dtbs_check` warnings for all t8103 based devices: + +arch/arm64/boot/dts/apple/t8103-j274.dtb: network@0,0: $nodename:0: 'network@0,0' does not match '^wifi(@.*)?$' + from schema $id: http://devicetree.org/schemas/net/wireless/brcm,bcm4329-fmac.yaml# +arch/arm64/boot/dts/apple/t8103-j274.dtb: network@0,0: Unevaluated properties are not allowed ('local-mac-address' was unexpected) + from schema $id: http://devicetree.org/schemas/net/wireless/brcm,bcm4329-fmac.yaml# + +Fixes: bf2c05b619ff ("arm64: dts: apple: t8103: Expose PCI node for the WiFi MAC address") +Signed-off-by: Janne Grunau +Reviewed-by: Sven Peter +Link: https://lore.kernel.org/r/20250611-arm64_dts_apple_wifi-v1-1-fb959d8e1eb4@jannau.net +Signed-off-by: Sven Peter +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/apple/t8103-jxxx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi b/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi +index 3d15b8e2a6c1e..6d78f623e6df5 100644 +--- a/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi ++++ b/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi +@@ -70,7 +70,7 @@ hpm1: usb-pd@3f { + */ + &port00 { + bus-range = <1 1>; +- wifi0: network@0,0 { ++ wifi0: wifi@0,0 { + compatible = "pci14e4,4425"; + reg = <0x10000 0x0 0x0 0x0 0x0>; + /* To be filled by the loader */ +-- +2.39.5 + diff --git a/queue-6.1/asoc-amd-yc-update-quirk-data-for-hp-victus.patch b/queue-6.1/asoc-amd-yc-update-quirk-data-for-hp-victus.patch new file mode 100644 index 0000000000..fe191019cd --- /dev/null +++ b/queue-6.1/asoc-amd-yc-update-quirk-data-for-hp-victus.patch @@ -0,0 +1,40 @@ +From 2f046004360217d50da4a6659da247679af756c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 07:51:25 -0400 +Subject: ASoC: amd: yc: update quirk data for HP Victus + +From: Raven Black + +[ Upstream commit 13b86ea92ebf0fa587fbadfb8a60ca2e9993203f ] + +Make the internal microphone work on HP Victus laptops. + +Signed-off-by: Raven Black +Link: https://patch.msgid.link/20250613-support-hp-victus-microphone-v1-1-bebc4c3a2041@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 30f28f33a52ca..ecf4f4c0e6967 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -451,6 +451,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "OMEN by HP Gaming Laptop 16z-n000"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Victus by HP Gaming Laptop 15-fb2xxx"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.39.5 + diff --git a/queue-6.1/ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch b/queue-6.1/ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch new file mode 100644 index 0000000000..2eff8be699 --- /dev/null +++ b/queue-6.1/ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch @@ -0,0 +1,138 @@ +From cf3f4c999f3cd1771cb486734d88f23dd7445e6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 11:56:55 +0300 +Subject: ata: libata-acpi: Do not assume 40 wire cable if no devices are + enabled + +From: Tasos Sahanidis + +[ Upstream commit 33877220b8641b4cde474a4229ea92c0e3637883 ] + +On at least an ASRock 990FX Extreme 4 with a VIA VT6330, the devices +have not yet been enabled by the first time ata_acpi_cbl_80wire() is +called. This means that the ata_for_each_dev loop is never entered, +and a 40 wire cable is assumed. + +The VIA controller on this board does not report the cable in the PCI +config space, thus having to fall back to ACPI even though no SATA +bridge is present. + +The _GTM values are correctly reported by the firmware through ACPI, +which has already set up faster transfer modes, but due to the above +the controller is forced down to a maximum of UDMA/33. + +Resolve this by modifying ata_acpi_cbl_80wire() to directly return the +cable type. First, an unknown cable is assumed which preserves the mode +set by the firmware, and then on subsequent calls when the devices have +been enabled, an 80 wire cable is correctly detected. + +Since the function now directly returns the cable type, it is renamed +to ata_acpi_cbl_pata_type(). + +Signed-off-by: Tasos Sahanidis +Link: https://lore.kernel.org/r/20250519085945.1399466-1-tasos@tasossah.com +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-acpi.c | 24 ++++++++++++++++-------- + drivers/ata/pata_via.c | 6 ++---- + include/linux/libata.h | 7 +++---- + 3 files changed, 21 insertions(+), 16 deletions(-) + +diff --git a/drivers/ata/libata-acpi.c b/drivers/ata/libata-acpi.c +index 61b4ccf88bf1e..1ad682d88c866 100644 +--- a/drivers/ata/libata-acpi.c ++++ b/drivers/ata/libata-acpi.c +@@ -514,15 +514,19 @@ unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev, + EXPORT_SYMBOL_GPL(ata_acpi_gtm_xfermask); + + /** +- * ata_acpi_cbl_80wire - Check for 80 wire cable ++ * ata_acpi_cbl_pata_type - Return PATA cable type + * @ap: Port to check +- * @gtm: GTM data to use + * +- * Return 1 if the @gtm indicates the BIOS selected an 80wire mode. ++ * Return ATA_CBL_PATA* according to the transfer mode selected by BIOS + */ +-int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm) ++int ata_acpi_cbl_pata_type(struct ata_port *ap) + { + struct ata_device *dev; ++ int ret = ATA_CBL_PATA_UNK; ++ const struct ata_acpi_gtm *gtm = ata_acpi_init_gtm(ap); ++ ++ if (!gtm) ++ return ATA_CBL_PATA40; + + ata_for_each_dev(dev, &ap->link, ENABLED) { + unsigned int xfer_mask, udma_mask; +@@ -530,13 +534,17 @@ int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm) + xfer_mask = ata_acpi_gtm_xfermask(dev, gtm); + ata_unpack_xfermask(xfer_mask, NULL, NULL, &udma_mask); + +- if (udma_mask & ~ATA_UDMA_MASK_40C) +- return 1; ++ ret = ATA_CBL_PATA40; ++ ++ if (udma_mask & ~ATA_UDMA_MASK_40C) { ++ ret = ATA_CBL_PATA80; ++ break; ++ } + } + +- return 0; ++ return ret; + } +-EXPORT_SYMBOL_GPL(ata_acpi_cbl_80wire); ++EXPORT_SYMBOL_GPL(ata_acpi_cbl_pata_type); + + static void ata_acpi_gtf_to_tf(struct ata_device *dev, + const struct ata_acpi_gtf *gtf, +diff --git a/drivers/ata/pata_via.c b/drivers/ata/pata_via.c +index 5e2666b71aaff..31d39038f020f 100644 +--- a/drivers/ata/pata_via.c ++++ b/drivers/ata/pata_via.c +@@ -201,11 +201,9 @@ static int via_cable_detect(struct ata_port *ap) { + two drives */ + if (ata66 & (0x10100000 >> (16 * ap->port_no))) + return ATA_CBL_PATA80; ++ + /* Check with ACPI so we can spot BIOS reported SATA bridges */ +- if (ata_acpi_init_gtm(ap) && +- ata_acpi_cbl_80wire(ap, ata_acpi_init_gtm(ap))) +- return ATA_CBL_PATA80; +- return ATA_CBL_PATA40; ++ return ata_acpi_cbl_pata_type(ap); + } + + static int via_pre_reset(struct ata_link *link, unsigned long deadline) +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 6645259be1438..363462d3f0773 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -1293,7 +1293,7 @@ int ata_acpi_stm(struct ata_port *ap, const struct ata_acpi_gtm *stm); + int ata_acpi_gtm(struct ata_port *ap, struct ata_acpi_gtm *stm); + unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev, + const struct ata_acpi_gtm *gtm); +-int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm); ++int ata_acpi_cbl_pata_type(struct ata_port *ap); + #else + static inline const struct ata_acpi_gtm *ata_acpi_init_gtm(struct ata_port *ap) + { +@@ -1318,10 +1318,9 @@ static inline unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev, + return 0; + } + +-static inline int ata_acpi_cbl_80wire(struct ata_port *ap, +- const struct ata_acpi_gtm *gtm) ++static inline int ata_acpi_cbl_pata_type(struct ata_port *ap) + { +- return 0; ++ return ATA_CBL_PATA40; + } + #endif + +-- +2.39.5 + diff --git a/queue-6.1/ata-pata_cs5536-fix-build-on-32-bit-uml.patch b/queue-6.1/ata-pata_cs5536-fix-build-on-32-bit-uml.patch new file mode 100644 index 0000000000..777a3a54bb --- /dev/null +++ b/queue-6.1/ata-pata_cs5536-fix-build-on-32-bit-uml.patch @@ -0,0 +1,38 @@ +From 7922ad19d397b1b9c8da1bb610a203a5f36159c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 11:01:11 +0200 +Subject: ata: pata_cs5536: fix build on 32-bit UML + +From: Johannes Berg + +[ Upstream commit fe5b391fc56f77cf3c22a9dd4f0ce20db0e3533f ] + +On 32-bit ARCH=um, CONFIG_X86_32 is still defined, so it +doesn't indicate building on real X86 machines. There's +no MSR on UML though, so add a check for CONFIG_X86. + +Reported-by: Arnd Bergmann +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20250606090110.15784-2-johannes@sipsolutions.net +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_cs5536.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/pata_cs5536.c b/drivers/ata/pata_cs5536.c +index ab47aeb5587f5..13daa69914cbe 100644 +--- a/drivers/ata/pata_cs5536.c ++++ b/drivers/ata/pata_cs5536.c +@@ -27,7 +27,7 @@ + #include + #include + +-#ifdef CONFIG_X86_32 ++#if defined(CONFIG_X86) && defined(CONFIG_X86_32) + #include + static int use_msr; + module_param_named(msr, use_msr, int, 0644); +-- +2.39.5 + diff --git a/queue-6.1/bluetooth-prevent-unintended-pause-by-checking-if-ad.patch b/queue-6.1/bluetooth-prevent-unintended-pause-by-checking-if-ad.patch new file mode 100644 index 0000000000..5be592d683 --- /dev/null +++ b/queue-6.1/bluetooth-prevent-unintended-pause-by-checking-if-ad.patch @@ -0,0 +1,69 @@ +From 58e2854990c9ef11fc44c8d85b5536cf6e930706 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 11:01:07 +0800 +Subject: Bluetooth: Prevent unintended pause by checking if advertising is + active + +From: Yang Li + +[ Upstream commit 1f029b4e30a602db33dedee5ac676e9236ad193c ] + +When PA Create Sync is enabled, advertising resumes unexpectedly. +Therefore, it's necessary to check whether advertising is currently +active before attempting to pause it. + + < HCI Command: LE Add Device To... (0x08|0x0011) plen 7 #1345 [hci0] 48.306205 + Address type: Random (0x01) + Address: 4F:84:84:5F:88:17 (Resolvable) + Identity type: Random (0x01) + Identity: FC:5B:8C:F7:5D:FB (Static) + < HCI Command: LE Set Address Re.. (0x08|0x002d) plen 1 #1347 [hci0] 48.308023 + Address resolution: Enabled (0x01) + ... + < HCI Command: LE Set Extended A.. (0x08|0x0039) plen 6 #1349 [hci0] 48.309650 + Extended advertising: Enabled (0x01) + Number of sets: 1 (0x01) + Entry 0 + Handle: 0x01 + Duration: 0 ms (0x00) + Max ext adv events: 0 + ... + < HCI Command: LE Periodic Adve.. (0x08|0x0044) plen 14 #1355 [hci0] 48.314575 + Options: 0x0000 + Use advertising SID, Advertiser Address Type and address + Reporting initially enabled + SID: 0x02 + Adv address type: Random (0x01) + Adv address: 4F:84:84:5F:88:17 (Resolvable) + Identity type: Random (0x01) + Identity: FC:5B:8C:F7:5D:FB (Static) + Skip: 0x0000 + Sync timeout: 20000 msec (0x07d0) + Sync CTE type: 0x0000 + +Fixes: ad383c2c65a5 ("Bluetooth: hci_sync: Enable advertising when LL privacy is enabled") +Signed-off-by: Yang Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index acaa8d45feb8a..c1e018eaa6f4c 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2474,6 +2474,10 @@ static int hci_pause_advertising_sync(struct hci_dev *hdev) + int err; + int old_state; + ++ /* If controller is not advertising we are done. */ ++ if (!hci_dev_test_flag(hdev, HCI_LE_ADV)) ++ return 0; ++ + /* If already been paused there is nothing to do. */ + if (hdev->advertising_paused) + return 0; +-- +2.39.5 + diff --git a/queue-6.1/btrfs-fix-iteration-of-extrefs-during-log-replay.patch b/queue-6.1/btrfs-fix-iteration-of-extrefs-during-log-replay.patch new file mode 100644 index 0000000000..f41ccddd6d --- /dev/null +++ b/queue-6.1/btrfs-fix-iteration-of-extrefs-during-log-replay.patch @@ -0,0 +1,51 @@ +From a488ccc09e6ae175a6db40b9ca532b98c74544b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 12:11:58 +0100 +Subject: btrfs: fix iteration of extrefs during log replay + +From: Filipe Manana + +[ Upstream commit 54a7081ed168b72a8a2d6ef4ba3a1259705a2926 ] + +At __inode_add_ref() when processing extrefs, if we jump into the next +label we have an undefined value of victim_name.len, since we haven't +initialized it before we did the goto. This results in an invalid memory +access in the next iteration of the loop since victim_name.len was not +initialized to the length of the name of the current extref. + +Fix this by initializing victim_name.len with the current extref's name +length. + +Fixes: e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs") +Reviewed-by: Johannes Thumshirn +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 35bb364089f8a..982dc92bdf1df 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1160,13 +1160,13 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans, + struct fscrypt_str victim_name; + + extref = (struct btrfs_inode_extref *)(base + cur_offset); ++ victim_name.len = btrfs_inode_extref_name_len(leaf, extref); + + if (btrfs_inode_extref_parent(leaf, extref) != parent_objectid) + goto next; + + ret = read_alloc_one_name(leaf, &extref->name, +- btrfs_inode_extref_name_len(leaf, extref), +- &victim_name); ++ victim_name.len, &victim_name); + if (ret) + return ret; + +-- +2.39.5 + diff --git a/queue-6.1/btrfs-fix-missing-error-handling-when-searching-for-.patch b/queue-6.1/btrfs-fix-missing-error-handling-when-searching-for-.patch new file mode 100644 index 0000000000..0614387298 --- /dev/null +++ b/queue-6.1/btrfs-fix-missing-error-handling-when-searching-for-.patch @@ -0,0 +1,45 @@ +From f1e23ade84bc96ae0503b1263aca1417713318c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 16:57:07 +0100 +Subject: btrfs: fix missing error handling when searching for inode refs + during log replay + +From: Filipe Manana + +[ Upstream commit 6561a40ceced9082f50c374a22d5966cf9fc5f5c ] + +During log replay, at __add_inode_ref(), when we are searching for inode +ref keys we totally ignore if btrfs_search_slot() returns an error. This +may make a log replay succeed when there was an actual error and leave +some metadata inconsistency in a subvolume tree. Fix this by checking if +an error was returned from btrfs_search_slot() and if so, return it to +the caller. + +Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") +Reviewed-by: Johannes Thumshirn +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index fdc432b3352a9..35bb364089f8a 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1085,7 +1085,9 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans, + search_key.type = BTRFS_INODE_REF_KEY; + search_key.offset = parent_objectid; + ret = btrfs_search_slot(NULL, root, &search_key, path, 0, 0); +- if (ret == 0) { ++ if (ret < 0) { ++ return ret; ++ } else if (ret == 0) { + struct btrfs_inode_ref *victim_ref; + unsigned long ptr; + unsigned long ptr_end; +-- +2.39.5 + diff --git a/queue-6.1/drm-exynos-fimd-guard-display-clock-control-with-run.patch b/queue-6.1/drm-exynos-fimd-guard-display-clock-control-with-run.patch new file mode 100644 index 0000000000..b2d29c3690 --- /dev/null +++ b/queue-6.1/drm-exynos-fimd-guard-display-clock-control-with-run.patch @@ -0,0 +1,67 @@ +From 20ae587f6c1d9eeb3430fef8241f81576b6f69b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 14:06:26 +0200 +Subject: drm/exynos: fimd: Guard display clock control with runtime PM calls + +From: Marek Szyprowski + +[ Upstream commit 5d91394f236167ac624b823820faf4aa928b889e ] + +Commit c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable +and post-disable") changed the call sequence to the CRTC enable/disable +and bridge pre_enable/post_disable methods, so those bridge methods are +now called when CRTC is not yet enabled. + +This causes a lockup observed on Samsung Peach-Pit/Pi Chromebooks. The +source of this lockup is a call to fimd_dp_clock_enable() function, when +FIMD device is not yet runtime resumed. It worked before the mentioned +commit only because the CRTC implemented by the FIMD driver was always +enabled what guaranteed the FIMD device to be runtime resumed. + +This patch adds runtime PM guards to the fimd_dp_clock_enable() function +to enable its proper operation also when the CRTC implemented by FIMD is +not yet enabled. + +Fixes: 196e059a8a6a ("drm/exynos: convert clock_enable crtc callback to pipeline clock") +Signed-off-by: Marek Szyprowski +Reviewed-by: Tomi Valkeinen +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c +index 529033b980b20..0816714b1e581 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c +@@ -188,6 +188,7 @@ struct fimd_context { + u32 i80ifcon; + bool i80_if; + bool suspended; ++ bool dp_clk_enabled; + wait_queue_head_t wait_vsync_queue; + atomic_t wait_vsync_event; + atomic_t win_updated; +@@ -1048,7 +1049,18 @@ static void fimd_dp_clock_enable(struct exynos_drm_clk *clk, bool enable) + struct fimd_context *ctx = container_of(clk, struct fimd_context, + dp_clk); + u32 val = enable ? DP_MIE_CLK_DP_ENABLE : DP_MIE_CLK_DISABLE; ++ ++ if (enable == ctx->dp_clk_enabled) ++ return; ++ ++ if (enable) ++ pm_runtime_resume_and_get(ctx->dev); ++ ++ ctx->dp_clk_enabled = enable; + writel(val, ctx->regs + DP_MIE_CLKCON); ++ ++ if (!enable) ++ pm_runtime_put(ctx->dev); + } + + static const struct exynos_drm_crtc_ops fimd_crtc_ops = { +-- +2.39.5 + diff --git a/queue-6.1/drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch b/queue-6.1/drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch new file mode 100644 index 0000000000..380a241979 --- /dev/null +++ b/queue-6.1/drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch @@ -0,0 +1,52 @@ +From 1d774101e32eaa71574f8ef1128d15e9e15a6537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 23:11:07 +0800 +Subject: drm/i915/gsc: mei interrupt top half should be in irq disabled + context + +From: Junxiao Chang + +[ Upstream commit 8cadce97bf264ed478669c6f32d5603b34608335 ] + +MEI GSC interrupt comes from i915. It has top half and bottom half. +Top half is called from i915 interrupt handler. It should be in +irq disabled context. + +With RT kernel, by default i915 IRQ handler is in threaded IRQ. MEI GSC +top half might be in threaded IRQ context. generic_handle_irq_safe API +could be called from either IRQ or process context, it disables local +IRQ then calls MEI GSC interrupt top half. + +This change fixes A380/A770 GPU boot hang issue with RT kernel. + +Fixes: 1e3dc1d8622b ("drm/i915/gsc: add gsc as a mei auxiliary device") +Tested-by: Furong Zhou +Suggested-by: Sebastian Andrzej Siewior +Acked-by: Sebastian Andrzej Siewior +Signed-off-by: Junxiao Chang +Link: https://lore.kernel.org/r/20250425151108.643649-1-junxiao.chang@intel.com +Reviewed-by: Rodrigo Vivi +Signed-off-by: Rodrigo Vivi +(cherry picked from commit dccf655f69002d496a527ba441b4f008aa5bebbf) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_gsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_gsc.c b/drivers/gpu/drm/i915/gt/intel_gsc.c +index 7af6db3194ddb..0f83e1cedf781 100644 +--- a/drivers/gpu/drm/i915/gt/intel_gsc.c ++++ b/drivers/gpu/drm/i915/gt/intel_gsc.c +@@ -273,7 +273,7 @@ static void gsc_irq_handler(struct intel_gt *gt, unsigned int intf_id) + if (gt->gsc.intf[intf_id].irq < 0) + return; + +- ret = generic_handle_irq(gt->gsc.intf[intf_id].irq); ++ ret = generic_handle_irq_safe(gt->gsc.intf[intf_id].irq); + if (ret) + drm_err_ratelimited(>->i915->drm, "error handling GSC irq: %d\n", ret); + } +-- +2.39.5 + diff --git a/queue-6.1/drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch b/queue-6.1/drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch new file mode 100644 index 0000000000..6c2bac5dad --- /dev/null +++ b/queue-6.1/drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch @@ -0,0 +1,128 @@ +From fb8390192a0d46d743e0e5ec7c714dcdc4c2c8eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 12:42:13 +0200 +Subject: drm/i915/gt: Fix timeline left held on VMA alloc error + +From: Janusz Krzysztofik + +[ Upstream commit a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6 ] + +The following error has been reported sporadically by CI when a test +unbinds the i915 driver on a ring submission platform: + +<4> [239.330153] ------------[ cut here ]------------ +<4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count) +<4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915] +... +<4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915] +... +<4> [239.330942] Call Trace: +<4> [239.330944] +<4> [239.330949] i915_driver_late_release+0x2b/0xa0 [i915] +<4> [239.331202] i915_driver_release+0x86/0xa0 [i915] +<4> [239.331482] devm_drm_dev_init_release+0x61/0x90 +<4> [239.331494] devm_action_release+0x15/0x30 +<4> [239.331504] release_nodes+0x3d/0x120 +<4> [239.331517] devres_release_all+0x96/0xd0 +<4> [239.331533] device_unbind_cleanup+0x12/0x80 +<4> [239.331543] device_release_driver_internal+0x23a/0x280 +<4> [239.331550] ? bus_find_device+0xa5/0xe0 +<4> [239.331563] device_driver_detach+0x14/0x20 +... +<4> [357.719679] ---[ end trace 0000000000000000 ]--- + +If the test also unloads the i915 module then that's followed with: + +<3> [357.787478] ============================================================================= +<3> [357.788006] BUG i915_vma (Tainted: G U W N ): Objects remaining on __kmem_cache_shutdown() +<3> [357.788031] ----------------------------------------------------------------------------- +<3> [357.788204] Object 0xffff888109e7f480 @offset=29824 +<3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244 +<4> [357.788994] i915_vma_instance+0xee/0xc10 [i915] +<4> [357.789290] init_status_page+0x7b/0x420 [i915] +<4> [357.789532] intel_engines_init+0x1d8/0x980 [i915] +<4> [357.789772] intel_gt_init+0x175/0x450 [i915] +<4> [357.790014] i915_gem_init+0x113/0x340 [i915] +<4> [357.790281] i915_driver_probe+0x847/0xed0 [i915] +<4> [357.790504] i915_pci_probe+0xe6/0x220 [i915] +... + +Closer analysis of CI results history has revealed a dependency of the +error on a few IGT tests, namely: +- igt@api_intel_allocator@fork-simple-stress-signal, +- igt@api_intel_allocator@two-level-inception-interruptible, +- igt@gem_linear_blits@interruptible, +- igt@prime_mmap_coherency@ioctl-errors, +which invisibly trigger the issue, then exhibited with first driver unbind +attempt. + +All of the above tests perform actions which are actively interrupted with +signals. Further debugging has allowed to narrow that scope down to +DRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring +submission, in particular. + +If successful then that function, or its execlists or GuC submission +equivalent, is supposed to be called only once per GEM context engine, +followed by raise of a flag that prevents the function from being called +again. The function is expected to unwind its internal errors itself, so +it may be safely called once more after it returns an error. + +In case of ring submission, the function first gets a reference to the +engine's legacy timeline and then allocates a VMA. If the VMA allocation +fails, e.g. when i915_vma_instance() called from inside is interrupted +with a signal, then ring_context_alloc() fails, leaving the timeline held +referenced. On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the +timeline is got, and only that last one is put on successful completion. +As a consequence, the legacy timeline, with its underlying engine status +page's VMA object, is still held and not released on driver unbind. + +Get the legacy timeline only after successful allocation of the context +engine's VMA. + +v2: Add a note on other submission methods (Krzysztof Karas): + Both execlists and GuC submission use lrc_alloc() which seems free + from a similar issue. + +Fixes: 75d0a7f31eec ("drm/i915: Lift timeline into intel_context") +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12061 +Cc: Chris Wilson +Cc: Matthew Auld +Cc: Krzysztof Karas +Reviewed-by: Sebastian Brzezinka +Reviewed-by: Krzysztof Niemiec +Signed-off-by: Janusz Krzysztofik +Reviewed-by: Nitin Gote +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20250611104352.1014011-2-janusz.krzysztofik@linux.intel.com +(cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_ring_submission.c b/drivers/gpu/drm/i915/gt/intel_ring_submission.c +index d5d6f1fadcae3..bb62a4b84d4e4 100644 +--- a/drivers/gpu/drm/i915/gt/intel_ring_submission.c ++++ b/drivers/gpu/drm/i915/gt/intel_ring_submission.c +@@ -571,7 +571,6 @@ static int ring_context_alloc(struct intel_context *ce) + /* One ringbuffer to rule them all */ + GEM_BUG_ON(!engine->legacy.ring); + ce->ring = engine->legacy.ring; +- ce->timeline = intel_timeline_get(engine->legacy.timeline); + + GEM_BUG_ON(ce->state); + if (engine->context_size) { +@@ -584,6 +583,8 @@ static int ring_context_alloc(struct intel_context *ce) + ce->state = vma; + } + ++ ce->timeline = intel_timeline_get(engine->legacy.timeline); ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.1/drm-i915-selftests-change-mock_request-to-return-err.patch b/queue-6.1/drm-i915-selftests-change-mock_request-to-return-err.patch new file mode 100644 index 0000000000..17d96f1ab4 --- /dev/null +++ b/queue-6.1/drm-i915-selftests-change-mock_request-to-return-err.patch @@ -0,0 +1,107 @@ +From 2ad5dfd1d060f1d3e58a006203d0468439e32c02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 10:21:58 -0500 +Subject: drm/i915/selftests: Change mock_request() to return error pointers + +From: Dan Carpenter + +[ Upstream commit caa7c7a76b78ce41d347003f84975125383e6b59 ] + +There was an error pointer vs NULL bug in __igt_breadcrumbs_smoketest(). +The __mock_request_alloc() function implements the +smoketest->request_alloc() function pointer. It was supposed to return +error pointers, but it propogates the NULL return from mock_request() +so in the event of a failure, it would lead to a NULL pointer +dereference. + +To fix this, change the mock_request() function to return error pointers +and update all the callers to expect that. + +Fixes: 52c0fdb25c7c ("drm/i915: Replace global breadcrumbs with per-context interrupt tracking") +Signed-off-by: Dan Carpenter +Reviewed-by: Rodrigo Vivi +Link: https://lore.kernel.org/r/685c1417.050a0220.696f5.5c05@mx.google.com +Signed-off-by: Rodrigo Vivi +(cherry picked from commit 778fa8ad5f0f23397d045c7ebca048ce8def1c43) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/selftests/i915_request.c | 20 +++++++++---------- + drivers/gpu/drm/i915/selftests/mock_request.c | 2 +- + 2 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpu/drm/i915/selftests/i915_request.c b/drivers/gpu/drm/i915/selftests/i915_request.c +index a46350c37e9d4..a088fbca97e0c 100644 +--- a/drivers/gpu/drm/i915/selftests/i915_request.c ++++ b/drivers/gpu/drm/i915/selftests/i915_request.c +@@ -73,8 +73,8 @@ static int igt_add_request(void *arg) + /* Basic preliminary test to create a request and let it loose! */ + + request = mock_request(rcs0(i915)->kernel_context, HZ / 10); +- if (!request) +- return -ENOMEM; ++ if (IS_ERR(request)) ++ return PTR_ERR(request); + + i915_request_add(request); + +@@ -91,8 +91,8 @@ static int igt_wait_request(void *arg) + /* Submit a request, then wait upon it */ + + request = mock_request(rcs0(i915)->kernel_context, T); +- if (!request) +- return -ENOMEM; ++ if (IS_ERR(request)) ++ return PTR_ERR(request); + + i915_request_get(request); + +@@ -160,8 +160,8 @@ static int igt_fence_wait(void *arg) + /* Submit a request, treat it as a fence and wait upon it */ + + request = mock_request(rcs0(i915)->kernel_context, T); +- if (!request) +- return -ENOMEM; ++ if (IS_ERR(request)) ++ return PTR_ERR(request); + + if (dma_fence_wait_timeout(&request->fence, false, T) != -ETIME) { + pr_err("fence wait success before submit (expected timeout)!\n"); +@@ -219,8 +219,8 @@ static int igt_request_rewind(void *arg) + GEM_BUG_ON(IS_ERR(ce)); + request = mock_request(ce, 2 * HZ); + intel_context_put(ce); +- if (!request) { +- err = -ENOMEM; ++ if (IS_ERR(request)) { ++ err = PTR_ERR(request); + goto err_context_0; + } + +@@ -237,8 +237,8 @@ static int igt_request_rewind(void *arg) + GEM_BUG_ON(IS_ERR(ce)); + vip = mock_request(ce, 0); + intel_context_put(ce); +- if (!vip) { +- err = -ENOMEM; ++ if (IS_ERR(vip)) { ++ err = PTR_ERR(vip); + goto err_context_1; + } + +diff --git a/drivers/gpu/drm/i915/selftests/mock_request.c b/drivers/gpu/drm/i915/selftests/mock_request.c +index 09f747228dff5..1b0cf073e9643 100644 +--- a/drivers/gpu/drm/i915/selftests/mock_request.c ++++ b/drivers/gpu/drm/i915/selftests/mock_request.c +@@ -35,7 +35,7 @@ mock_request(struct intel_context *ce, unsigned long delay) + /* NB the i915->requests slab cache is enlarged to fit mock_request */ + request = intel_context_create_request(ce); + if (IS_ERR(request)) +- return NULL; ++ return request; + + request->mock.delay = delay; + return request; +-- +2.39.5 + diff --git a/queue-6.1/drm-msm-fix-a-fence-leak-in-submit-error-path.patch b/queue-6.1/drm-msm-fix-a-fence-leak-in-submit-error-path.patch new file mode 100644 index 0000000000..5a6f23a962 --- /dev/null +++ b/queue-6.1/drm-msm-fix-a-fence-leak-in-submit-error-path.patch @@ -0,0 +1,45 @@ +From 7cf2a7f444cc9243efc3cb92fd9b6df7e6653a08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 09:33:32 -0700 +Subject: drm/msm: Fix a fence leak in submit error path + +From: Rob Clark + +[ Upstream commit 5d319f75ccf7f0927425a7545aa1a22b3eedc189 ] + +In error paths, we could unref the submit without calling +drm_sched_entity_push_job(), so msm_job_free() will never get +called. Since drm_sched_job_cleanup() will NULL out the +s_fence, we can use that to detect this case. + +Signed-off-by: Rob Clark +Patchwork: https://patchwork.freedesktop.org/patch/653584/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem_submit.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c +index c12a6ac2d3840..4ee6aeb23c512 100644 +--- a/drivers/gpu/drm/msm/msm_gem_submit.c ++++ b/drivers/gpu/drm/msm/msm_gem_submit.c +@@ -71,6 +71,15 @@ void __msm_gem_submit_destroy(struct kref *kref) + container_of(kref, struct msm_gem_submit, ref); + unsigned i; + ++ /* ++ * In error paths, we could unref the submit without calling ++ * drm_sched_entity_push_job(), so msm_job_free() will never ++ * get called. Since drm_sched_job_cleanup() will NULL out ++ * s_fence, we can use that to detect this case. ++ */ ++ if (submit->base.s_fence) ++ drm_sched_job_cleanup(&submit->base); ++ + if (submit->fence_id) { + spin_lock(&submit->queue->idr_lock); + idr_remove(&submit->queue->fence_idr, submit->fence_id); +-- +2.39.5 + diff --git a/queue-6.1/drm-msm-fix-another-leak-in-the-submit-error-path.patch b/queue-6.1/drm-msm-fix-another-leak-in-the-submit-error-path.patch new file mode 100644 index 0000000000..8f87c1b501 --- /dev/null +++ b/queue-6.1/drm-msm-fix-another-leak-in-the-submit-error-path.patch @@ -0,0 +1,57 @@ +From ce56a5ceb56c5a71047cd4e3cde46ab5082c56db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 09:33:33 -0700 +Subject: drm/msm: Fix another leak in the submit error path + +From: Rob Clark + +[ Upstream commit f681c2aa8676a890eacc84044717ab0fd26e058f ] + +put_unused_fd() doesn't free the installed file, if we've already done +fd_install(). So we need to also free the sync_file. + +Signed-off-by: Rob Clark +Patchwork: https://patchwork.freedesktop.org/patch/653583/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem_submit.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c +index 4ee6aeb23c512..572dd662e8095 100644 +--- a/drivers/gpu/drm/msm/msm_gem_submit.c ++++ b/drivers/gpu/drm/msm/msm_gem_submit.c +@@ -724,6 +724,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + struct msm_ringbuffer *ring; + struct msm_submit_post_dep *post_deps = NULL; + struct drm_syncobj **syncobjs_to_reset = NULL; ++ struct sync_file *sync_file = NULL; + int out_fence_fd = -1; + bool has_ww_ticket = false; + unsigned i; +@@ -927,7 +928,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + } + + if (ret == 0 && args->flags & MSM_SUBMIT_FENCE_FD_OUT) { +- struct sync_file *sync_file = sync_file_create(submit->user_fence); ++ sync_file = sync_file_create(submit->user_fence); + if (!sync_file) { + ret = -ENOMEM; + } else { +@@ -958,8 +959,11 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, + out_unlock: + mutex_unlock(&queue->lock); + out_post_unlock: +- if (ret && (out_fence_fd >= 0)) ++ if (ret && (out_fence_fd >= 0)) { + put_unused_fd(out_fence_fd); ++ if (sync_file) ++ fput(sync_file->file); ++ } + + if (!IS_ERR_OR_NULL(submit)) { + msm_gem_submit_put(submit); +-- +2.39.5 + diff --git a/queue-6.1/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch b/queue-6.1/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch new file mode 100644 index 0000000000..1a30530a5e --- /dev/null +++ b/queue-6.1/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch @@ -0,0 +1,47 @@ +From a47bf864eb34f361bed096870304a4deeb9dbd8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jun 2025 07:56:05 -0700 +Subject: enic: fix incorrect MTU comparison in enic_change_mtu() + +From: Alok Tiwari + +[ Upstream commit aaf2b2480375099c022a82023e1cd772bf1c6a5d ] + +The comparison in enic_change_mtu() incorrectly used the current +netdev->mtu instead of the new new_mtu value when warning about +an MTU exceeding the port MTU. This could suppress valid warnings +or issue incorrect ones. + +Fix the condition and log to properly reflect the new_mtu. + +Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly") +Signed-off-by: Alok Tiwari +Acked-by: John Daley +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250628145612.476096-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 2065c26f394db..c76a91f85dac4 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -2058,10 +2058,10 @@ static int enic_change_mtu(struct net_device *netdev, int new_mtu) + if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic)) + return -EOPNOTSUPP; + +- if (netdev->mtu > enic->port_mtu) ++ if (new_mtu > enic->port_mtu) + netdev_warn(netdev, + "interface MTU (%d) set higher than port MTU (%d)\n", +- netdev->mtu, enic->port_mtu); ++ new_mtu, enic->port_mtu); + + return _enic_change_mtu(netdev, new_mtu); + } +-- +2.39.5 + diff --git a/queue-6.1/ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch b/queue-6.1/ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch new file mode 100644 index 0000000000..3dadca443f --- /dev/null +++ b/queue-6.1/ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch @@ -0,0 +1,213 @@ +From 287ca0b4dc7ea38bee090f177407af30a31109a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 16:16:24 +0200 +Subject: ethernet: atl1: Add missing DMA mapping error checks and count errors + +From: Thomas Fourier + +[ Upstream commit d72411d20905180cdc452c553be17481b24463d2 ] + +The `dma_map_XXX()` functions can fail and must be checked using +`dma_mapping_error()`. This patch adds proper error handling for all +DMA mapping calls. + +In `atl1_alloc_rx_buffers()`, if DMA mapping fails, the buffer is +deallocated and marked accordingly. + +In `atl1_tx_map()`, previously mapped buffers are unmapped and the +packet is dropped on failure. + +If `atl1_xmit_frame()` drops the packet, increment the tx_error counter. + +Fixes: f3cc28c79760 ("Add Attansic L1 ethernet driver.") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20250625141629.114984-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/atlx/atl1.c | 79 +++++++++++++++++------- + 1 file changed, 57 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/atlx/atl1.c b/drivers/net/ethernet/atheros/atlx/atl1.c +index 02aa6fd8ebc2d..4ed165702d58e 100644 +--- a/drivers/net/ethernet/atheros/atlx/atl1.c ++++ b/drivers/net/ethernet/atheros/atlx/atl1.c +@@ -1861,14 +1861,21 @@ static u16 atl1_alloc_rx_buffers(struct atl1_adapter *adapter) + break; + } + +- buffer_info->alloced = 1; +- buffer_info->skb = skb; +- buffer_info->length = (u16) adapter->rx_buffer_len; + page = virt_to_page(skb->data); + offset = offset_in_page(skb->data); + buffer_info->dma = dma_map_page(&pdev->dev, page, offset, + adapter->rx_buffer_len, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(&pdev->dev, buffer_info->dma)) { ++ kfree_skb(skb); ++ adapter->soft_stats.rx_dropped++; ++ break; ++ } ++ ++ buffer_info->alloced = 1; ++ buffer_info->skb = skb; ++ buffer_info->length = (u16)adapter->rx_buffer_len; ++ + rfd_desc->buffer_addr = cpu_to_le64(buffer_info->dma); + rfd_desc->buf_len = cpu_to_le16(adapter->rx_buffer_len); + rfd_desc->coalese = 0; +@@ -2183,8 +2190,8 @@ static int atl1_tx_csum(struct atl1_adapter *adapter, struct sk_buff *skb, + return 0; + } + +-static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb, +- struct tx_packet_desc *ptpd) ++static bool atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb, ++ struct tx_packet_desc *ptpd) + { + struct atl1_tpd_ring *tpd_ring = &adapter->tpd_ring; + struct atl1_buffer *buffer_info; +@@ -2194,6 +2201,7 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb, + unsigned int nr_frags; + unsigned int f; + int retval; ++ u16 first_mapped; + u16 next_to_use; + u16 data_len; + u8 hdr_len; +@@ -2201,6 +2209,7 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb, + buf_len -= skb->data_len; + nr_frags = skb_shinfo(skb)->nr_frags; + next_to_use = atomic_read(&tpd_ring->next_to_use); ++ first_mapped = next_to_use; + buffer_info = &tpd_ring->buffer_info[next_to_use]; + BUG_ON(buffer_info->skb); + /* put skb in last TPD */ +@@ -2216,6 +2225,8 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb, + buffer_info->dma = dma_map_page(&adapter->pdev->dev, page, + offset, hdr_len, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, buffer_info->dma)) ++ goto dma_err; + + if (++next_to_use == tpd_ring->count) + next_to_use = 0; +@@ -2242,6 +2253,9 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb, + page, offset, + buffer_info->length, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ buffer_info->dma)) ++ goto dma_err; + if (++next_to_use == tpd_ring->count) + next_to_use = 0; + } +@@ -2254,6 +2268,8 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb, + buffer_info->dma = dma_map_page(&adapter->pdev->dev, page, + offset, buf_len, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, buffer_info->dma)) ++ goto dma_err; + if (++next_to_use == tpd_ring->count) + next_to_use = 0; + } +@@ -2277,6 +2293,9 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb, + buffer_info->dma = skb_frag_dma_map(&adapter->pdev->dev, + frag, i * ATL1_MAX_TX_BUF_LEN, + buffer_info->length, DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ buffer_info->dma)) ++ goto dma_err; + + if (++next_to_use == tpd_ring->count) + next_to_use = 0; +@@ -2285,6 +2304,22 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb, + + /* last tpd's buffer-info */ + buffer_info->skb = skb; ++ ++ return true; ++ ++ dma_err: ++ while (first_mapped != next_to_use) { ++ buffer_info = &tpd_ring->buffer_info[first_mapped]; ++ dma_unmap_page(&adapter->pdev->dev, ++ buffer_info->dma, ++ buffer_info->length, ++ DMA_TO_DEVICE); ++ buffer_info->dma = 0; ++ ++ if (++first_mapped == tpd_ring->count) ++ first_mapped = 0; ++ } ++ return false; + } + + static void atl1_tx_queue(struct atl1_adapter *adapter, u16 count, +@@ -2355,10 +2390,8 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb, + + len = skb_headlen(skb); + +- if (unlikely(skb->len <= 0)) { +- dev_kfree_skb_any(skb); +- return NETDEV_TX_OK; +- } ++ if (unlikely(skb->len <= 0)) ++ goto drop_packet; + + nr_frags = skb_shinfo(skb)->nr_frags; + for (f = 0; f < nr_frags; f++) { +@@ -2371,10 +2404,9 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb, + if (mss) { + if (skb->protocol == htons(ETH_P_IP)) { + proto_hdr_len = skb_tcp_all_headers(skb); +- if (unlikely(proto_hdr_len > len)) { +- dev_kfree_skb_any(skb); +- return NETDEV_TX_OK; +- } ++ if (unlikely(proto_hdr_len > len)) ++ goto drop_packet; ++ + /* need additional TPD ? */ + if (proto_hdr_len != len) + count += (len - proto_hdr_len + +@@ -2406,23 +2438,26 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb, + } + + tso = atl1_tso(adapter, skb, ptpd); +- if (tso < 0) { +- dev_kfree_skb_any(skb); +- return NETDEV_TX_OK; +- } ++ if (tso < 0) ++ goto drop_packet; + + if (!tso) { + ret_val = atl1_tx_csum(adapter, skb, ptpd); +- if (ret_val < 0) { +- dev_kfree_skb_any(skb); +- return NETDEV_TX_OK; +- } ++ if (ret_val < 0) ++ goto drop_packet; + } + +- atl1_tx_map(adapter, skb, ptpd); ++ if (!atl1_tx_map(adapter, skb, ptpd)) ++ goto drop_packet; ++ + atl1_tx_queue(adapter, count, ptpd); + atl1_update_mailbox(adapter); + return NETDEV_TX_OK; ++ ++drop_packet: ++ adapter->soft_stats.tx_errors++; ++ dev_kfree_skb_any(skb); ++ return NETDEV_TX_OK; + } + + static int atl1_rings_clean(struct napi_struct *napi, int budget) +-- +2.39.5 + diff --git a/queue-6.1/igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch b/queue-6.1/igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch new file mode 100644 index 0000000000..25f375f85b --- /dev/null +++ b/queue-6.1/igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch @@ -0,0 +1,66 @@ +From 4e933a478a2ad8aed956ae8967541868e13e0cc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 15:52:54 +0300 +Subject: igc: disable L1.2 PCI-E link substate to avoid performance issue + +From: Vitaly Lifshits + +[ Upstream commit 0325143b59c6c6d79987afc57d2456e7a20d13b7 ] + +I226 devices advertise support for the PCI-E link L1.2 substate. However, +due to a hardware limitation, the exit latency from this low-power state +is longer than the packet buffer can tolerate under high traffic +conditions. This can lead to packet loss and degraded performance. + +To mitigate this, disable the L1.2 substate. The increased power draw +between L1.1 and L1.2 is insignificant. + +Fixes: 43546211738e ("igc: Add new device ID's") +Link: https://lore.kernel.org/intel-wired-lan/15248b4f-3271-42dd-8e35-02bfc92b25e1@intel.com +Signed-off-by: Vitaly Lifshits +Reviewed-by: Aleksandr Loktionov +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 082f78beeb4ed..ca3fd02708102 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -6553,6 +6553,10 @@ static int igc_probe(struct pci_dev *pdev, + adapter->port_num = hw->bus.func; + adapter->msg_enable = netif_msg_init(debug, DEFAULT_MSG_ENABLE); + ++ /* Disable ASPM L1.2 on I226 devices to avoid packet loss */ ++ if (igc_is_device_id_i226(hw)) ++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2); ++ + err = pci_save_state(pdev); + if (err) + goto err_ioremap; +@@ -6920,6 +6924,9 @@ static int __maybe_unused igc_resume(struct device *dev) + pci_enable_wake(pdev, PCI_D3hot, 0); + pci_enable_wake(pdev, PCI_D3cold, 0); + ++ if (igc_is_device_id_i226(hw)) ++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2); ++ + if (igc_init_interrupt_scheme(adapter, true)) { + netdev_err(netdev, "Unable to allocate memory for queues\n"); + return -ENOMEM; +@@ -7035,6 +7042,9 @@ static pci_ers_result_t igc_io_slot_reset(struct pci_dev *pdev) + pci_enable_wake(pdev, PCI_D3hot, 0); + pci_enable_wake(pdev, PCI_D3cold, 0); + ++ if (igc_is_device_id_i226(hw)) ++ pci_disable_link_state_locked(pdev, PCIE_LINK_STATE_L1_2); ++ + /* In case of PCI error, adapter loses its HW address + * so we should re-assign it here. + */ +-- +2.39.5 + diff --git a/queue-6.1/lib-test_objagg-set-error-message-in-check_expect_hi.patch b/queue-6.1/lib-test_objagg-set-error-message-in-check_expect_hi.patch new file mode 100644 index 0000000000..9033aec87f --- /dev/null +++ b/queue-6.1/lib-test_objagg-set-error-message-in-check_expect_hi.patch @@ -0,0 +1,50 @@ +From f341af069acb439c5fe74553530658981cb118b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 14:36:40 -0500 +Subject: lib: test_objagg: Set error message in check_expect_hints_stats() + +From: Dan Carpenter + +[ Upstream commit e6ed134a4ef592fe1fd0cafac9683813b3c8f3e8 ] + +Smatch complains that the error message isn't set in the caller: + + lib/test_objagg.c:923 test_hints_case2() + error: uninitialized symbol 'errmsg'. + +This static checker warning only showed up after a recent refactoring +but the bug dates back to when the code was originally added. This +likely doesn't affect anything in real life. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/r/202506281403.DsuyHFTZ-lkp@intel.com/ +Fixes: 0a020d416d0a ("lib: introduce initial implementation of object aggregation manager") +Signed-off-by: Dan Carpenter +Reviewed-by: Ido Schimmel +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/8548f423-2e3b-4bb7-b816-5041de2762aa@sabinyo.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + lib/test_objagg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/test_objagg.c b/lib/test_objagg.c +index c0c957c506354..c0f7bb53db8d5 100644 +--- a/lib/test_objagg.c ++++ b/lib/test_objagg.c +@@ -899,8 +899,10 @@ static int check_expect_hints_stats(struct objagg_hints *objagg_hints, + int err; + + stats = objagg_hints_stats_get(objagg_hints); +- if (IS_ERR(stats)) ++ if (IS_ERR(stats)) { ++ *errmsg = "objagg_hints_stats_get() failed."; + return PTR_ERR(stats); ++ } + err = __check_expect_stats(stats, expect_stats, errmsg); + objagg_stats_put(stats); + return err; +-- +2.39.5 + diff --git a/queue-6.1/mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch b/queue-6.1/mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch new file mode 100644 index 0000000000..a6e8f5fb00 --- /dev/null +++ b/queue-6.1/mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch @@ -0,0 +1,59 @@ +From 30d88c1648a4365e0e68ff207c02308ec7bb9b71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 13:35:16 +0200 +Subject: mtd: spinand: fix memory leak of ECC engine conf + +From: Pablo Martin-Gomez + +[ Upstream commit 6463cbe08b0cbf9bba8763306764f5fd643023e1 ] + +Memory allocated for the ECC engine conf is not released during spinand +cleanup. Below kmemleak trace is seen for this memory leak: + +unreferenced object 0xffffff80064f00e0 (size 8): + comm "swapper/0", pid 1, jiffies 4294937458 + hex dump (first 8 bytes): + 00 00 00 00 00 00 00 00 ........ + backtrace (crc 0): + kmemleak_alloc+0x30/0x40 + __kmalloc_cache_noprof+0x208/0x3c0 + spinand_ondie_ecc_init_ctx+0x114/0x200 + nand_ecc_init_ctx+0x70/0xa8 + nanddev_ecc_engine_init+0xec/0x27c + spinand_probe+0xa2c/0x1620 + spi_mem_probe+0x130/0x21c + spi_probe+0xf0/0x170 + really_probe+0x17c/0x6e8 + __driver_probe_device+0x17c/0x21c + driver_probe_device+0x58/0x180 + __device_attach_driver+0x15c/0x1f8 + bus_for_each_drv+0xec/0x150 + __device_attach+0x188/0x24c + device_initial_probe+0x10/0x20 + bus_probe_device+0x11c/0x160 + +Fix the leak by calling nanddev_ecc_engine_cleanup() inside +spinand_cleanup(). + +Signed-off-by: Pablo Martin-Gomez +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/spi/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c +index dacd9c0e8b202..80e9646d20503 100644 +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -1314,6 +1314,7 @@ static void spinand_cleanup(struct spinand_device *spinand) + { + struct nand_device *nand = spinand_to_nand(spinand); + ++ nanddev_ecc_engine_cleanup(nand); + nanddev_cleanup(nand); + spinand_manufacturer_cleanup(spinand); + kfree(spinand->databuf); +-- +2.39.5 + diff --git a/queue-6.1/net-sched-always-pass-notifications-when-child-class.patch b/queue-6.1/net-sched-always-pass-notifications-when-child-class.patch new file mode 100644 index 0000000000..8ca9c15533 --- /dev/null +++ b/queue-6.1/net-sched-always-pass-notifications-when-child-class.patch @@ -0,0 +1,109 @@ +From 745c17cc7b9cb4190549ed5ffa64ce267803d532 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 15:27:30 +0200 +Subject: net/sched: Always pass notifications when child class becomes empty + +From: Lion Ackermann + +[ Upstream commit 103406b38c600fec1fe375a77b27d87e314aea09 ] + +Certain classful qdiscs may invoke their classes' dequeue handler on an +enqueue operation. This may unexpectedly empty the child qdisc and thus +make an in-flight class passive via qlen_notify(). Most qdiscs do not +expect such behaviour at this point in time and may re-activate the +class eventually anyways which will lead to a use-after-free. + +The referenced fix commit attempted to fix this behavior for the HFSC +case by moving the backlog accounting around, though this turned out to +be incomplete since the parent's parent may run into the issue too. +The following reproducer demonstrates this use-after-free: + + tc qdisc add dev lo root handle 1: drr + tc filter add dev lo parent 1: basic classid 1:1 + tc class add dev lo parent 1: classid 1:1 drr + tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 + tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 + tc qdisc add dev lo parent 2:1 handle 3: netem + tc qdisc add dev lo parent 3:1 handle 4: blackhole + + echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 + tc class delete dev lo classid 1:1 + echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 + +Since backlog accounting issues leading to a use-after-frees on stale +class pointers is a recurring pattern at this point, this patch takes +a different approach. Instead of trying to fix the accounting, the patch +ensures that qdisc_tree_reduce_backlog always calls qlen_notify when +the child qdisc is empty. This solves the problem because deletion of +qdiscs always involves a call to qdisc_reset() and / or +qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing +the following qdisc_tree_reduce_backlog() to report to the parent. Note +that this may call qlen_notify on passive classes multiple times. This +is not a problem after the recent patch series that made all the +classful qdiscs qlen_notify() handlers idempotent. + +Fixes: 3f981138109f ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()") +Signed-off-by: Lion Ackermann +Reviewed-by: Jamal Hadi Salim +Acked-by: Cong Wang +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index c395e7a98232d..7c5df62421bbd 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -776,15 +776,12 @@ static u32 qdisc_alloc_handle(struct net_device *dev) + + void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len) + { +- bool qdisc_is_offloaded = sch->flags & TCQ_F_OFFLOADED; + const struct Qdisc_class_ops *cops; + unsigned long cl; + u32 parentid; + bool notify; + int drops; + +- if (n == 0 && len == 0) +- return; + drops = max_t(int, n, 0); + rcu_read_lock(); + while ((parentid = sch->parent)) { +@@ -793,17 +790,8 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len) + + if (sch->flags & TCQ_F_NOPARENT) + break; +- /* Notify parent qdisc only if child qdisc becomes empty. +- * +- * If child was empty even before update then backlog +- * counter is screwed and we skip notification because +- * parent class is already passive. +- * +- * If the original child was offloaded then it is allowed +- * to be seem as empty, so the parent is notified anyway. +- */ +- notify = !sch->q.qlen && !WARN_ON_ONCE(!n && +- !qdisc_is_offloaded); ++ /* Notify parent qdisc only if child qdisc becomes empty. */ ++ notify = !sch->q.qlen; + /* TODO: perform the search on a per txq basis */ + sch = qdisc_lookup_rcu(qdisc_dev(sch), TC_H_MAJ(parentid)); + if (sch == NULL) { +@@ -812,6 +800,9 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len) + } + cops = sch->ops->cl_ops; + if (notify && cops->qlen_notify) { ++ /* Note that qlen_notify must be idempotent as it may get called ++ * multiple times. ++ */ + cl = cops->find(sch, parentid); + cops->qlen_notify(sch, cl); + } +-- +2.39.5 + diff --git a/queue-6.1/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch b/queue-6.1/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch new file mode 100644 index 0000000000..5695fba13d --- /dev/null +++ b/queue-6.1/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch @@ -0,0 +1,139 @@ +From 7de6b7a345f6d620d77ca59460d8c09b719c1343 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 14:52:50 -0700 +Subject: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. + +From: Kuniyuki Iwashima + +[ Upstream commit e8d6f3ab59468e230f3253efe5cb63efa35289f7 ] + +syzbot reported a warning below [1] following a fault injection in +nfs_fs_proc_net_init(). [0] + +When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed. + +Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning +is logged as the directory is not empty. + +Let's handle the error of nfs_fs_proc_net_init() properly. + +[0]: +FAULT_INJECTION: forcing a failure. +name failslab, interval 1, probability 0, space 0, times 0 +CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:123) + should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174) + should_failslab (mm/failslab.c:46) + kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204) + __proc_create (fs/proc/generic.c:427) + proc_create_reg (fs/proc/generic.c:554) + proc_create_net_data (fs/proc/proc_net.c:120) + nfs_fs_proc_net_init (fs/nfs/client.c:1409) + nfs_net_init (fs/nfs/inode.c:2600) + ops_init (net/core/net_namespace.c:138) + setup_net (net/core/net_namespace.c:443) + copy_net_ns (net/core/net_namespace.c:576) + create_new_namespaces (kernel/nsproxy.c:110) + unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4)) + ksys_unshare (kernel/fork.c:3123) + __x64_sys_unshare (kernel/fork.c:3190) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + +[1]: +remove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs' + WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727 +Modules linked in: +CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 + RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727 +Code: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00 +RSP: 0018:ffffc90003637b08 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8 +RDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001 +RBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00 +R13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000 +FS: 0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76 + ops_exit_list net/core/net_namespace.c:200 [inline] + ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253 + setup_net+0x2e1/0x510 net/core/net_namespace.c:457 + copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574 + create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110 + unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218 + ksys_unshare+0x45b/0xa40 kernel/fork.c:3121 + __do_sys_unshare kernel/fork.c:3192 [inline] + __se_sys_unshare kernel/fork.c:3190 [inline] + __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fa1a6b8e929 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fff3a090368 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 +RAX: ffffffffffffffda RBX: 00007fa1a6db5fa0 RCX: 00007fa1a6b8e929 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000080 +RBP: 00007fa1a6c10b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fa1a6db5fa0 R14: 00007fa1a6db5fa0 R15: 0000000000000001 + + +Fixes: d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces") +Reported-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a4cc4ac22daa4a71b87c +Tested-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index e774cfc85eeed..627410be2e884 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -2431,15 +2431,26 @@ EXPORT_SYMBOL_GPL(nfs_net_id); + static int nfs_net_init(struct net *net) + { + struct nfs_net *nn = net_generic(net, nfs_net_id); ++ int err; + + nfs_clients_init(net); + + if (!rpc_proc_register(net, &nn->rpcstats)) { +- nfs_clients_exit(net); +- return -ENOMEM; ++ err = -ENOMEM; ++ goto err_proc_rpc; + } + +- return nfs_fs_proc_net_init(net); ++ err = nfs_fs_proc_net_init(net); ++ if (err) ++ goto err_proc_nfs; ++ ++ return 0; ++ ++err_proc_nfs: ++ rpc_proc_unregister(net, "nfs"); ++err_proc_rpc: ++ nfs_clients_exit(net); ++ return err; + } + + static void nfs_net_exit(struct net *net) +-- +2.39.5 + diff --git a/queue-6.1/nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch b/queue-6.1/nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch new file mode 100644 index 0000000000..30a000f36c --- /dev/null +++ b/queue-6.1/nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch @@ -0,0 +1,45 @@ +From c1cabe0d5a847ce842c237a057e94a70c673e804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 11:02:21 -0400 +Subject: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN + +From: Benjamin Coddington + +[ Upstream commit c01776287414ca43412d1319d2877cbad65444ac ] + +We found a few different systems hung up in writeback waiting on the same +page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in +pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count +was zero. + +It seems most likely that this is another race between the waiter and waker +similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task"). +Fix it up by applying the advised barrier. + +Fixes: 880265c77ac4 ("pNFS: Avoid a live lock condition in pnfs_update_layout()") +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index fe0ddbce3bcb2..7f48e0d870bdb 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1930,8 +1930,10 @@ static void nfs_layoutget_begin(struct pnfs_layout_hdr *lo) + static void nfs_layoutget_end(struct pnfs_layout_hdr *lo) + { + if (atomic_dec_and_test(&lo->plh_outstanding) && +- test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags)) ++ test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags)) { ++ smp_mb__after_atomic(); + wake_up_bit(&lo->plh_flags, NFS_LAYOUT_DRAIN); ++ } + } + + static bool pnfs_is_first_layoutget(struct pnfs_layout_hdr *lo) +-- +2.39.5 + diff --git a/queue-6.1/nui-fix-dma_mapping_error-check.patch b/queue-6.1/nui-fix-dma_mapping_error-check.patch new file mode 100644 index 0000000000..d5dfde19e9 --- /dev/null +++ b/queue-6.1/nui-fix-dma_mapping_error-check.patch @@ -0,0 +1,143 @@ +From 8530c898a31ed5b5085a28f2e88f8440047a2971 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 10:36:43 +0200 +Subject: nui: Fix dma_mapping_error() check + +From: Thomas Fourier + +[ Upstream commit 561aa0e22b70a5e7246b73d62a824b3aef3fc375 ] + +dma_map_XXX() functions return values DMA_MAPPING_ERROR as error values +which is often ~0. The error value should be tested with +dma_mapping_error(). + +This patch creates a new function in niu_ops to test if the mapping +failed. The test is fixed in niu_rbr_add_page(), added in +niu_start_xmit() and the successfully mapped pages are unmaped upon error. + +Fixes: ec2deec1f352 ("niu: Fix to check for dma mapping errors.") +Signed-off-by: Thomas Fourier +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/niu.c | 31 ++++++++++++++++++++++++++++++- + drivers/net/ethernet/sun/niu.h | 4 ++++ + 2 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index 4bbf011d53e69..2b38cb4fdaeb8 100644 +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -3336,7 +3336,7 @@ static int niu_rbr_add_page(struct niu *np, struct rx_ring_info *rp, + + addr = np->ops->map_page(np->device, page, 0, + PAGE_SIZE, DMA_FROM_DEVICE); +- if (!addr) { ++ if (np->ops->mapping_error(np->device, addr)) { + __free_page(page); + return -ENOMEM; + } +@@ -6672,6 +6672,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb, + len = skb_headlen(skb); + mapping = np->ops->map_single(np->device, skb->data, + len, DMA_TO_DEVICE); ++ if (np->ops->mapping_error(np->device, mapping)) ++ goto out_drop; + + prod = rp->prod; + +@@ -6713,6 +6715,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb, + mapping = np->ops->map_page(np->device, skb_frag_page(frag), + skb_frag_off(frag), len, + DMA_TO_DEVICE); ++ if (np->ops->mapping_error(np->device, mapping)) ++ goto out_unmap; + + rp->tx_buffs[prod].skb = NULL; + rp->tx_buffs[prod].mapping = mapping; +@@ -6737,6 +6741,19 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb, + out: + return NETDEV_TX_OK; + ++out_unmap: ++ while (i--) { ++ const skb_frag_t *frag; ++ ++ prod = PREVIOUS_TX(rp, prod); ++ frag = &skb_shinfo(skb)->frags[i]; ++ np->ops->unmap_page(np->device, rp->tx_buffs[prod].mapping, ++ skb_frag_size(frag), DMA_TO_DEVICE); ++ } ++ ++ np->ops->unmap_single(np->device, rp->tx_buffs[rp->prod].mapping, ++ skb_headlen(skb), DMA_TO_DEVICE); ++ + out_drop: + rp->tx_errors++; + kfree_skb(skb); +@@ -9636,6 +9653,11 @@ static void niu_pci_unmap_single(struct device *dev, u64 dma_address, + dma_unmap_single(dev, dma_address, size, direction); + } + ++static int niu_pci_mapping_error(struct device *dev, u64 addr) ++{ ++ return dma_mapping_error(dev, addr); ++} ++ + static const struct niu_ops niu_pci_ops = { + .alloc_coherent = niu_pci_alloc_coherent, + .free_coherent = niu_pci_free_coherent, +@@ -9643,6 +9665,7 @@ static const struct niu_ops niu_pci_ops = { + .unmap_page = niu_pci_unmap_page, + .map_single = niu_pci_map_single, + .unmap_single = niu_pci_unmap_single, ++ .mapping_error = niu_pci_mapping_error, + }; + + static void niu_driver_version(void) +@@ -10009,6 +10032,11 @@ static void niu_phys_unmap_single(struct device *dev, u64 dma_address, + /* Nothing to do. */ + } + ++static int niu_phys_mapping_error(struct device *dev, u64 dma_address) ++{ ++ return false; ++} ++ + static const struct niu_ops niu_phys_ops = { + .alloc_coherent = niu_phys_alloc_coherent, + .free_coherent = niu_phys_free_coherent, +@@ -10016,6 +10044,7 @@ static const struct niu_ops niu_phys_ops = { + .unmap_page = niu_phys_unmap_page, + .map_single = niu_phys_map_single, + .unmap_single = niu_phys_unmap_single, ++ .mapping_error = niu_phys_mapping_error, + }; + + static int niu_of_probe(struct platform_device *op) +diff --git a/drivers/net/ethernet/sun/niu.h b/drivers/net/ethernet/sun/niu.h +index 04c215f91fc08..0b169c08b0f2d 100644 +--- a/drivers/net/ethernet/sun/niu.h ++++ b/drivers/net/ethernet/sun/niu.h +@@ -2879,6 +2879,9 @@ struct tx_ring_info { + #define NEXT_TX(tp, index) \ + (((index) + 1) < (tp)->pending ? ((index) + 1) : 0) + ++#define PREVIOUS_TX(tp, index) \ ++ (((index) - 1) >= 0 ? ((index) - 1) : (((tp)->pending) - 1)) ++ + static inline u32 niu_tx_avail(struct tx_ring_info *tp) + { + return (tp->pending - +@@ -3140,6 +3143,7 @@ struct niu_ops { + enum dma_data_direction direction); + void (*unmap_single)(struct device *dev, u64 dma_address, + size_t size, enum dma_data_direction direction); ++ int (*mapping_error)(struct device *dev, u64 dma_address); + }; + + struct niu_link_config { +-- +2.39.5 + diff --git a/queue-6.1/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch b/queue-6.1/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch new file mode 100644 index 0000000000..f5fd586b78 --- /dev/null +++ b/queue-6.1/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch @@ -0,0 +1,46 @@ +From cac9dff320ce937c230ad4d5ef231820b0b0b16c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 21:46:08 +0000 +Subject: platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Thompson + +[ Upstream commit 109f4d29dade8ae5b4ac6325af9d1bc24b4230f8 ] + +Fix warnings reported by sparse, related to incorrect type: +drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: warning: incorrect type in assignment (different base types) +drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: expected restricted __virtio32 [usertype] len +drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: got unsigned long + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202404040339.S7CUIgf3-lkp@intel.com/ +Fixes: 78034cbece79 ("platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors") +Signed-off-by: David Thompson +Link: https://lore.kernel.org/r/20250613214608.2250130-1-davthompson@nvidia.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-tmfifo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c +index 9925a6d94affc..d8565490e4870 100644 +--- a/drivers/platform/mellanox/mlxbf-tmfifo.c ++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c +@@ -253,7 +253,8 @@ static int mlxbf_tmfifo_alloc_vrings(struct mlxbf_tmfifo *fifo, + vring->align = SMP_CACHE_BYTES; + vring->index = i; + vring->vdev_id = tm_vdev->vdev.id.device; +- vring->drop_desc.len = VRING_DROP_DESC_MAX_LEN; ++ vring->drop_desc.len = cpu_to_virtio32(&tm_vdev->vdev, ++ VRING_DROP_DESC_MAX_LEN); + dev = &tm_vdev->vdev.dev; + + size = vring_size(vring->num, vring->align); +-- +2.39.5 + diff --git a/queue-6.1/platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch b/queue-6.1/platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch new file mode 100644 index 0000000000..f60a7b2ea2 --- /dev/null +++ b/queue-6.1/platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch @@ -0,0 +1,51 @@ +From 7a39595a45f951f40f9c675d77f5264764f20f91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 03:58:08 -0700 +Subject: platform/mellanox: mlxreg-lc: Fix logic error in power state check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alok Tiwari + +[ Upstream commit 644bec18e705ca41d444053407419a21832fcb2f ] + +Fixes a logic issue in mlxreg_lc_completion_notify() where the +intention was to check if MLXREG_LC_POWERED flag is not set before +powering on the device. + +The original code used "state & ~MLXREG_LC_POWERED" to check for the +absence of the POWERED bit. However this condition evaluates to true +even when other bits are set, leading to potentially incorrect +behavior. + +Corrected the logic to explicitly check for the absence of +MLXREG_LC_POWERED using !(state & MLXREG_LC_POWERED). + +Fixes: 62f9529b8d5c ("platform/mellanox: mlxreg-lc: Add initial support for Nvidia line card devices") +Suggested-by: Vadim Pasternak +Signed-off-by: Alok Tiwari +Link: https://lore.kernel.org/r/20250630105812.601014-1-alok.a.tiwari@oracle.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxreg-lc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/mellanox/mlxreg-lc.c b/drivers/platform/mellanox/mlxreg-lc.c +index 8d833836a6d32..74e9d78ff01ef 100644 +--- a/drivers/platform/mellanox/mlxreg-lc.c ++++ b/drivers/platform/mellanox/mlxreg-lc.c +@@ -688,7 +688,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent, + if (regval & mlxreg_lc->data->mask) { + mlxreg_lc->state |= MLXREG_LC_SYNCED; + mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_SYNCED, 1); +- if (mlxreg_lc->state & ~MLXREG_LC_POWERED) { ++ if (!(mlxreg_lc->state & MLXREG_LC_POWERED)) { + err = mlxreg_lc_power_on_off(mlxreg_lc, 1); + if (err) + goto mlxreg_lc_regmap_power_on_off_fail; +-- +2.39.5 + diff --git a/queue-6.1/platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch b/queue-6.1/platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch new file mode 100644 index 0000000000..8fade1d701 --- /dev/null +++ b/queue-6.1/platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch @@ -0,0 +1,42 @@ +From 9bf6a022e8d6bdacd473deb2fb9862710d628a99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Jun 2025 00:29:12 -0700 +Subject: platform/mellanox: nvsw-sn2201: Fix bus number in adapter error + message +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alok Tiwari + +[ Upstream commit d07143b507c51c04c091081627c5a130e9d3c517 ] + +change error log to use correct bus number from main_mux_devs +instead of cpld_devs. + +Fixes: 662f24826f95 ("platform/mellanox: Add support for new SN2201 system") +Signed-off-by: Alok Tiwari +Reviewed-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20250622072921.4111552-2-alok.a.tiwari@oracle.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/nvsw-sn2201.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/mellanox/nvsw-sn2201.c b/drivers/platform/mellanox/nvsw-sn2201.c +index f53baf7e78e74..03fbbbe1c8756 100644 +--- a/drivers/platform/mellanox/nvsw-sn2201.c ++++ b/drivers/platform/mellanox/nvsw-sn2201.c +@@ -1084,7 +1084,7 @@ static int nvsw_sn2201_i2c_completion_notify(void *handle, int id) + if (!nvsw_sn2201->main_mux_devs->adapter) { + err = -ENODEV; + dev_err(nvsw_sn2201->dev, "Failed to get adapter for bus %d\n", +- nvsw_sn2201->cpld_devs->nr); ++ nvsw_sn2201->main_mux_devs->nr); + goto i2c_get_adapter_main_fail; + } + +-- +2.39.5 + diff --git a/queue-6.1/platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch b/queue-6.1/platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch new file mode 100644 index 0000000000..c5bad2addf --- /dev/null +++ b/queue-6.1/platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch @@ -0,0 +1,141 @@ +From 1c8593e44aac0164e1ed288708b1568d2aac3301 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 00:43:12 -0300 +Subject: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs + callbacks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kurt Borja + +[ Upstream commit eb617dd25ca176f3fee24f873f0fd60010773d67 ] + +After retrieving WMI data blocks in sysfs callbacks, check for the +validity of them before dereferencing their content. + +Reported-by: Jan Graczyk +Closes: https://lore.kernel.org/r/CAHk-=wgMiSKXf7SvQrfEnxVtmT=QVQPjJdNjfm3aXS7wc=rzTw@mail.gmail.com/ +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Suggested-by: Linus Torvalds +Reviewed-by: Armin Wolf +Signed-off-by: Kurt Borja +Link: https://lore.kernel.org/r/20250630-sysman-fix-v2-1-d185674d0a30@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + .../platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h | 5 +++++ + .../platform/x86/dell/dell-wmi-sysman/enum-attributes.c | 5 +++-- + .../platform/x86/dell/dell-wmi-sysman/int-attributes.c | 5 +++-- + .../x86/dell/dell-wmi-sysman/passobj-attributes.c | 5 +++-- + .../platform/x86/dell/dell-wmi-sysman/string-attributes.c | 5 +++-- + drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 8 ++++---- + 6 files changed, 21 insertions(+), 12 deletions(-) + +diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h b/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h +index 3ad33a094588c..817ee7ba07ca0 100644 +--- a/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h ++++ b/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h +@@ -89,6 +89,11 @@ extern struct wmi_sysman_priv wmi_priv; + + enum { ENUM, INT, STR, PO }; + ++#define ENUM_MIN_ELEMENTS 8 ++#define INT_MIN_ELEMENTS 9 ++#define STR_MIN_ELEMENTS 8 ++#define PO_MIN_ELEMENTS 4 ++ + enum { + ATTR_NAME, + DISPL_NAME_LANG_CODE, +diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c +index 8cc212c852668..fc2f58b4cbc6e 100644 +--- a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c ++++ b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c +@@ -23,9 +23,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a + obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_ENUMERATION_ATTRIBUTE_GUID); + if (!obj) + return -EIO; +- if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) { ++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < ENUM_MIN_ELEMENTS || ++ obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) { + kfree(obj); +- return -EINVAL; ++ return -EIO; + } + ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer); + kfree(obj); +diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c +index 951e75b538fad..7352480642391 100644 +--- a/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c ++++ b/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c +@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a + obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_INTEGER_ATTRIBUTE_GUID); + if (!obj) + return -EIO; +- if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) { ++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < INT_MIN_ELEMENTS || ++ obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) { + kfree(obj); +- return -EINVAL; ++ return -EIO; + } + ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[CURRENT_VAL].integer.value); + kfree(obj); +diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c +index d8f1bf5e58a0f..3167e06d416ed 100644 +--- a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c ++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c +@@ -26,9 +26,10 @@ static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr + obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_PASSOBJ_ATTRIBUTE_GUID); + if (!obj) + return -EIO; +- if (obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) { ++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < PO_MIN_ELEMENTS || ++ obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) { + kfree(obj); +- return -EINVAL; ++ return -EIO; + } + ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[IS_PASS_SET].integer.value); + kfree(obj); +diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c +index c392f0ecf8b55..0d2c74f8d1aad 100644 +--- a/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c ++++ b/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c +@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a + obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_STRING_ATTRIBUTE_GUID); + if (!obj) + return -EIO; +- if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) { ++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < STR_MIN_ELEMENTS || ++ obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) { + kfree(obj); +- return -EINVAL; ++ return -EIO; + } + ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer); + kfree(obj); +diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c +index 3ef90211c51a6..660f00173f2ea 100644 +--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c ++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c +@@ -411,10 +411,10 @@ static int init_bios_attributes(int attr_type, const char *guid) + return retval; + + switch (attr_type) { +- case ENUM: min_elements = 8; break; +- case INT: min_elements = 9; break; +- case STR: min_elements = 8; break; +- case PO: min_elements = 4; break; ++ case ENUM: min_elements = ENUM_MIN_ELEMENTS; break; ++ case INT: min_elements = INT_MIN_ELEMENTS; break; ++ case STR: min_elements = STR_MIN_ELEMENTS; break; ++ case PO: min_elements = PO_MIN_ELEMENTS; break; + default: + pr_err("Error: Unknown attr_type: %d\n", attr_type); + return -EINVAL; +-- +2.39.5 + diff --git a/queue-6.1/powerpc-fix-struct-termio-related-ioctl-macros.patch b/queue-6.1/powerpc-fix-struct-termio-related-ioctl-macros.patch new file mode 100644 index 0000000000..952927180d --- /dev/null +++ b/queue-6.1/powerpc-fix-struct-termio-related-ioctl-macros.patch @@ -0,0 +1,58 @@ +From d933299d4abba51e7cb192b28e5f68f1a8ff0918 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 May 2025 19:52:37 +0530 +Subject: powerpc: Fix struct termio related ioctl macros + +From: Madhavan Srinivasan + +[ Upstream commit ab107276607af90b13a5994997e19b7b9731e251 ] + +Since termio interface is now obsolete, include/uapi/asm/ioctls.h +has some constant macros referring to "struct termio", this caused +build failure at userspace. + +In file included from /usr/include/asm/ioctl.h:12, + from /usr/include/asm/ioctls.h:5, + from tst-ioctls.c:3: +tst-ioctls.c: In function 'get_TCGETA': +tst-ioctls.c:12:10: error: invalid application of 'sizeof' to incomplete type 'struct termio' + 12 | return TCGETA; + | ^~~~~~ + +Even though termios.h provides "struct termio", trying to juggle definitions around to +make it compile could introduce regressions. So better to open code it. + +Reported-by: Tulio Magno +Suggested-by: Nicholas Piggin +Tested-by: Justin M. Forbes +Reviewed-by: Michael Ellerman +Closes: https://lore.kernel.org/linuxppc-dev/8734dji5wl.fsf@ascii.art.br/ +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250517142237.156665-1-maddy@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/uapi/asm/ioctls.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/include/uapi/asm/ioctls.h b/arch/powerpc/include/uapi/asm/ioctls.h +index 2c145da3b774a..b5211e413829a 100644 +--- a/arch/powerpc/include/uapi/asm/ioctls.h ++++ b/arch/powerpc/include/uapi/asm/ioctls.h +@@ -23,10 +23,10 @@ + #define TCSETSW _IOW('t', 21, struct termios) + #define TCSETSF _IOW('t', 22, struct termios) + +-#define TCGETA _IOR('t', 23, struct termio) +-#define TCSETA _IOW('t', 24, struct termio) +-#define TCSETAW _IOW('t', 25, struct termio) +-#define TCSETAF _IOW('t', 28, struct termio) ++#define TCGETA 0x40147417 /* _IOR('t', 23, struct termio) */ ++#define TCSETA 0x80147418 /* _IOW('t', 24, struct termio) */ ++#define TCSETAW 0x80147419 /* _IOW('t', 25, struct termio) */ ++#define TCSETAF 0x8014741c /* _IOW('t', 28, struct termio) */ + + #define TCSBRK _IO('t', 29) + #define TCXONC _IO('t', 30) +-- +2.39.5 + diff --git a/queue-6.1/rcu-return-early-if-callback-is-not-specified.patch b/queue-6.1/rcu-return-early-if-callback-is-not-specified.patch new file mode 100644 index 0000000000..3de4ee9226 --- /dev/null +++ b/queue-6.1/rcu-return-early-if-callback-is-not-specified.patch @@ -0,0 +1,43 @@ +From fcc7019a9ffa2da8908302e8e0ca9a3a3d24110e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 19:34:48 +0200 +Subject: rcu: Return early if callback is not specified + +From: Uladzislau Rezki (Sony) + +[ Upstream commit 33b6a1f155d627f5bd80c7485c598ce45428f74f ] + +Currently the call_rcu() API does not check whether a callback +pointer is NULL. If NULL is passed, rcu_core() will try to invoke +it, resulting in NULL pointer dereference and a kernel crash. + +To prevent this and improve debuggability, this patch adds a check +for NULL and emits a kernel stack trace to help identify a faulty +caller. + +Signed-off-by: Uladzislau Rezki (Sony) +Reviewed-by: Joel Fernandes +Signed-off-by: Joel Fernandes +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index dd6e15ca63b0c..38ab28a53e108 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -2827,6 +2827,10 @@ void call_rcu(struct rcu_head *head, rcu_callback_t func) + /* Misaligned rcu_head! */ + WARN_ON_ONCE((unsigned long)head & (sizeof(void *) - 1)); + ++ /* Avoid NULL dereference if callback is NULL. */ ++ if (WARN_ON_ONCE(!func)) ++ return; ++ + if (debug_rcu_head_queue(head)) { + /* + * Probable double call_rcu(), so leak the callback. +-- +2.39.5 + diff --git a/queue-6.1/rdma-mlx5-fix-cc-counters-query-for-mpv.patch b/queue-6.1/rdma-mlx5-fix-cc-counters-query-for-mpv.patch new file mode 100644 index 0000000000..e9f1f9cd8c --- /dev/null +++ b/queue-6.1/rdma-mlx5-fix-cc-counters-query-for-mpv.patch @@ -0,0 +1,38 @@ +From 6a11b0bb07182d4bde9e026b4c422433f00d0a8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 12:14:53 +0300 +Subject: RDMA/mlx5: Fix CC counters query for MPV + +From: Patrisious Haddad + +[ Upstream commit acd245b1e33fc4b9d0f2e3372021d632f7ee0652 ] + +In case, CC counters are querying for the second port use the correct +core device for the query instead of always using the master core device. + +Fixes: aac4492ef23a ("IB/mlx5: Update counter implementation for dual port RoCE") +Signed-off-by: Patrisious Haddad +Reviewed-by: Michael Guralnik +Link: https://patch.msgid.link/9cace74dcf106116118bebfa9146d40d4166c6b0.1750064969.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/counters.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c +index 9915504ad1e18..39f71312e57a2 100644 +--- a/drivers/infiniband/hw/mlx5/counters.c ++++ b/drivers/infiniband/hw/mlx5/counters.c +@@ -308,7 +308,7 @@ static int do_get_hw_stats(struct ib_device *ibdev, + */ + goto done; + } +- ret = mlx5_lag_query_cong_counters(dev->mdev, ++ ret = mlx5_lag_query_cong_counters(mdev, + stats->value + + cnts->num_q_counters, + cnts->num_cong_counters, +-- +2.39.5 + diff --git a/queue-6.1/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch b/queue-6.1/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch new file mode 100644 index 0000000000..b152c3cb0f --- /dev/null +++ b/queue-6.1/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch @@ -0,0 +1,100 @@ +From 5682fb85c14d76fb3d9f8feb68d8aa8e438d3e8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 11:13:55 +0300 +Subject: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert + +From: Mark Zhang + +[ Upstream commit 8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a ] + +The obj_event may be loaded immediately after inserted, then if the +list_head is not initialized then we may get a poisonous pointer. This +fixes the crash below: + + mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced) + mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056 + mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0 + mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps + IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 + Mem abort info: + ESR = 0x96000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000 + [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000 + Internal error: Oops: 96000006 [#1] SMP + Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E) + [last unloaded: mst_pci] + CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G OE K 5.10.134-13.1.an8.aarch64 #1 + Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023 + pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--) + pc : dispatch_event_fd+0x68/0x300 [mlx5_ib] + lr : devx_event_notifier+0xcc/0x228 [mlx5_ib] + sp : ffff80001005bcf0 + x29: ffff80001005bcf0 x28: 0000000000000001 + x27: ffff244e0740a1d8 x26: ffff244e0740a1d0 + x25: ffffda56beff5ae0 x24: ffffda56bf911618 + x23: ffff244e0596a480 x22: ffff244e0596a480 + x21: ffff244d8312ad90 x20: ffff244e0596a480 + x19: fffffffffffffff0 x18: 0000000000000000 + x17: 0000000000000000 x16: ffffda56be66d620 + x15: 0000000000000000 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000040 x10: ffffda56bfcafb50 + x9 : ffffda5655c25f2c x8 : 0000000000000010 + x7 : 0000000000000000 x6 : ffff24545a2e24b8 + x5 : 0000000000000003 x4 : ffff80001005bd28 + x3 : 0000000000000000 x2 : 0000000000000000 + x1 : ffff244e0596a480 x0 : ffff244d8312ad90 + Call trace: + dispatch_event_fd+0x68/0x300 [mlx5_ib] + devx_event_notifier+0xcc/0x228 [mlx5_ib] + atomic_notifier_call_chain+0x58/0x80 + mlx5_eq_async_int+0x148/0x2b0 [mlx5_core] + atomic_notifier_call_chain+0x58/0x80 + irq_int_handler+0x20/0x30 [mlx5_core] + __handle_irq_event_percpu+0x60/0x220 + handle_irq_event_percpu+0x3c/0x90 + handle_irq_event+0x58/0x158 + handle_fasteoi_irq+0xfc/0x188 + generic_handle_irq+0x34/0x48 + ... + +Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX") +Link: https://patch.msgid.link/r/3ce7f20e0d1a03dc7de6e57494ec4b8eaf1f05c2.1750147949.git.leon@kernel.org +Signed-off-by: Mark Zhang +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/devx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c +index 7013ce20549bd..cc126e62643a0 100644 +--- a/drivers/infiniband/hw/mlx5/devx.c ++++ b/drivers/infiniband/hw/mlx5/devx.c +@@ -1914,6 +1914,7 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table, + /* Level1 is valid for future use, no need to free */ + return -ENOMEM; + ++ INIT_LIST_HEAD(&obj_event->obj_sub_list); + err = xa_insert(&event->object_ids, + key_level2, + obj_event, +@@ -1922,7 +1923,6 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table, + kfree(obj_event); + return err; + } +- INIT_LIST_HEAD(&obj_event->obj_sub_list); + } + + return 0; +-- +2.39.5 + diff --git a/queue-6.1/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch b/queue-6.1/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch new file mode 100644 index 0000000000..bdd1cc8f10 --- /dev/null +++ b/queue-6.1/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch @@ -0,0 +1,84 @@ +From a208df5201bb82e2085080a008feaf2d74114641 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jun 2025 12:06:31 +0900 +Subject: rose: fix dangling neighbour pointers in rose_rt_device_down() + +From: Kohei Enju + +[ Upstream commit 34a500caf48c47d5171f4aa1f237da39b07c6157 ] + +There are two bugs in rose_rt_device_down() that can cause +use-after-free: + +1. The loop bound `t->count` is modified within the loop, which can + cause the loop to terminate early and miss some entries. + +2. When removing an entry from the neighbour array, the subsequent entries + are moved up to fill the gap, but the loop index `i` is still + incremented, causing the next entry to be skipped. + +For example, if a node has three neighbours (A, A, B) with count=3 and A +is being removed, the second A is not checked. + + i=0: (A, A, B) -> (A, B) with count=2 + ^ checked + i=1: (A, B) -> (A, B) with count=2 + ^ checked (B, not A!) + i=2: (doesn't occur because i < count is false) + +This leaves the second A in the array with count=2, but the rose_neigh +structure has been freed. Code that accesses these entries assumes that +the first `count` entries are valid pointers, causing a use-after-free +when it accesses the dangling pointer. + +Fix both issues by iterating over the array in reverse order with a fixed +loop bound. This ensures that all entries are examined and that the removal +of an entry doesn't affect subsequent iterations. + +Reported-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e04e2c007ba2c80476cb +Tested-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kohei Enju +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250629030833.6680-1-enjuk@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rose/rose_route.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c +index fee772b4637c8..a7054546f52df 100644 +--- a/net/rose/rose_route.c ++++ b/net/rose/rose_route.c +@@ -497,22 +497,15 @@ void rose_rt_device_down(struct net_device *dev) + t = rose_node; + rose_node = rose_node->next; + +- for (i = 0; i < t->count; i++) { ++ for (i = t->count - 1; i >= 0; i--) { + if (t->neighbour[i] != s) + continue; + + t->count--; + +- switch (i) { +- case 0: +- t->neighbour[0] = t->neighbour[1]; +- fallthrough; +- case 1: +- t->neighbour[1] = t->neighbour[2]; +- break; +- case 2: +- break; +- } ++ memmove(&t->neighbour[i], &t->neighbour[i + 1], ++ sizeof(t->neighbour[0]) * ++ (t->count - i)); + } + + if (t->count <= 0) +-- +2.39.5 + diff --git a/queue-6.1/scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch b/queue-6.1/scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch new file mode 100644 index 0000000000..617c647f5a --- /dev/null +++ b/queue-6.1/scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch @@ -0,0 +1,38 @@ +From a8abaa8545e061374c9bab7355d50ef440212e18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 18:11:11 +0200 +Subject: scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database() + +From: Thomas Fourier + +[ Upstream commit c3b214719a87735d4f67333a8ef3c0e31a34837c ] + +dma_map_XXX() functions return as error values DMA_MAPPING_ERROR which is +often ~0. The error value should be tested with dma_mapping_error() like +it was done in qla26xx_dport_diagnostics(). + +Fixes: 818c7f87a177 ("scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250617161115.39888-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_mbx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c +index 1fd9485985f2e..77b23d9dcb3c6 100644 +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -2147,7 +2147,7 @@ qla24xx_get_port_database(scsi_qla_host_t *vha, u16 nport_handle, + + pdb_dma = dma_map_single(&vha->hw->pdev->dev, pdb, + sizeof(*pdb), DMA_FROM_DEVICE); +- if (!pdb_dma) { ++ if (dma_mapping_error(&vha->hw->pdev->dev, pdb_dma)) { + ql_log(ql_log_warn, vha, 0x1116, "Failed to map dma buffer.\n"); + return QLA_MEMORY_ALLOC_FAILED; + } +-- +2.39.5 + diff --git a/queue-6.1/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch b/queue-6.1/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch new file mode 100644 index 0000000000..2a1daa3923 --- /dev/null +++ b/queue-6.1/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch @@ -0,0 +1,37 @@ +From db829c5ffbced0fb56eb00274d38435e5a53134b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 09:17:37 +0200 +Subject: scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() + +From: Thomas Fourier + +[ Upstream commit 00f452a1b084efbe8dcb60a29860527944a002a1 ] + +dma_map_XXX() can fail and should be tested for errors with +dma_mapping_error(). + +Fixes: b3a271a94d00 ("[SCSI] qla4xxx: support iscsiadm session mgmt") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250618071742.21822-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 3f2f9734ee42e..2925823a494a6 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -3420,6 +3420,8 @@ static int qla4xxx_alloc_pdu(struct iscsi_task *task, uint8_t opcode) + task_data->data_dma = dma_map_single(&ha->pdev->dev, task->data, + task->data_count, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&ha->pdev->dev, task_data->data_dma)) ++ return -ENOMEM; + } + + DEBUG2(ql4_printk(KERN_INFO, ha, "%s: MaxRecvLen %u, iscsi hrd %d\n", +-- +2.39.5 + diff --git a/queue-6.1/scsi-target-fix-null-pointer-dereference-in-core_scs.patch b/queue-6.1/scsi-target-fix-null-pointer-dereference-in-core_scs.patch new file mode 100644 index 0000000000..419b5b04c4 --- /dev/null +++ b/queue-6.1/scsi-target-fix-null-pointer-dereference-in-core_scs.patch @@ -0,0 +1,56 @@ +From 54b76a108d8d13247859c190146d1bacddae95ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 12:15:56 +0200 +Subject: scsi: target: Fix NULL pointer dereference in + core_scsi3_decode_spec_i_port() + +From: Maurizio Lombardi + +[ Upstream commit d8ab68bdb294b09a761e967dad374f2965e1913f ] + +The function core_scsi3_decode_spec_i_port(), in its error code path, +unconditionally calls core_scsi3_lunacl_undepend_item() passing the +dest_se_deve pointer, which may be NULL. + +This can lead to a NULL pointer dereference if dest_se_deve remains +unset. + +SPC-3 PR SPEC_I_PT: Unable to locate dest_tpg +Unable to handle kernel paging request at virtual address dfff800000000012 +Call trace: + core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P) + core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod] + core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod] + target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod] + +Fix this by adding a NULL check before calling +core_scsi3_lunacl_undepend_item() + +Signed-off-by: Maurizio Lombardi +Link: https://lore.kernel.org/r/20250612101556.24829-1-mlombard@redhat.com +Reviewed-by: Mike Christie +Reviewed-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_pr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c +index 1493b1d01194f..a355661e82027 100644 +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -1841,7 +1841,9 @@ core_scsi3_decode_spec_i_port( + } + + kmem_cache_free(t10_pr_reg_cache, dest_pr_reg); +- core_scsi3_lunacl_undepend_item(dest_se_deve); ++ ++ if (dest_se_deve) ++ core_scsi3_lunacl_undepend_item(dest_se_deve); + + if (is_local) + continue; +-- +2.39.5 + diff --git a/queue-6.1/scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch b/queue-6.1/scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch new file mode 100644 index 0000000000..5aed44e556 --- /dev/null +++ b/queue-6.1/scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch @@ -0,0 +1,60 @@ +From 7cfb9a709999e419dff8ec3a08d457531b380a22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 11:16:44 -0700 +Subject: scsi: ufs: core: Fix spelling of a sysfs attribute name + +From: Bart Van Assche + +[ Upstream commit 021f243627ead17eb6500170256d3d9be787dad8 ] + +Change "resourse" into "resource" in the name of a sysfs attribute. + +Fixes: d829fc8a1058 ("scsi: ufs: sysfs: unit descriptor") +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20250624181658.336035-1-bvanassche@acm.org +Reviewed-by: Avri Altman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-driver-ufs | 2 +- + drivers/ufs/core/ufs-sysfs.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/ABI/testing/sysfs-driver-ufs b/Documentation/ABI/testing/sysfs-driver-ufs +index 228aa43e14ed5..70f8c2e9c00d1 100644 +--- a/Documentation/ABI/testing/sysfs-driver-ufs ++++ b/Documentation/ABI/testing/sysfs-driver-ufs +@@ -711,7 +711,7 @@ Description: This file shows the thin provisioning type. This is one of + + The file is read only. + +-What: /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resourse_count ++What: /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resource_count + Date: February 2018 + Contact: Stanislav Nijnikov + Description: This file shows the total physical memory resources. This is +diff --git a/drivers/ufs/core/ufs-sysfs.c b/drivers/ufs/core/ufs-sysfs.c +index 17e38979b8223..ff30e2d22d906 100644 +--- a/drivers/ufs/core/ufs-sysfs.c ++++ b/drivers/ufs/core/ufs-sysfs.c +@@ -1262,7 +1262,7 @@ UFS_UNIT_DESC_PARAM(logical_block_size, _LOGICAL_BLK_SIZE, 1); + UFS_UNIT_DESC_PARAM(logical_block_count, _LOGICAL_BLK_COUNT, 8); + UFS_UNIT_DESC_PARAM(erase_block_size, _ERASE_BLK_SIZE, 4); + UFS_UNIT_DESC_PARAM(provisioning_type, _PROVISIONING_TYPE, 1); +-UFS_UNIT_DESC_PARAM(physical_memory_resourse_count, _PHY_MEM_RSRC_CNT, 8); ++UFS_UNIT_DESC_PARAM(physical_memory_resource_count, _PHY_MEM_RSRC_CNT, 8); + UFS_UNIT_DESC_PARAM(context_capabilities, _CTX_CAPABILITIES, 2); + UFS_UNIT_DESC_PARAM(large_unit_granularity, _LARGE_UNIT_SIZE_M1, 1); + UFS_UNIT_DESC_PARAM(hpb_lu_max_active_regions, _HPB_LU_MAX_ACTIVE_RGNS, 2); +@@ -1282,7 +1282,7 @@ static struct attribute *ufs_sysfs_unit_descriptor[] = { + &dev_attr_logical_block_count.attr, + &dev_attr_erase_block_size.attr, + &dev_attr_provisioning_type.attr, +- &dev_attr_physical_memory_resourse_count.attr, ++ &dev_attr_physical_memory_resource_count.attr, + &dev_attr_context_capabilities.attr, + &dev_attr_large_unit_granularity.attr, + &dev_attr_hpb_lu_max_active_regions.attr, +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index c2a08087e6..e8a22db7cd 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -12,3 +12,47 @@ usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch mtk-sd-reset-host-mrq-on-prepare_data-error.patch +arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch +platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch +rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch +nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch +nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch +scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch +scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch +scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch +rdma-mlx5-fix-cc-counters-query-for-mpv.patch +platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch +bluetooth-prevent-unintended-pause-by-checking-if-ad.patch +btrfs-fix-missing-error-handling-when-searching-for-.patch +btrfs-fix-iteration-of-extrefs-during-log-replay.patch +ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch +drm-exynos-fimd-guard-display-clock-control-with-run.patch +spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch +drm-i915-selftests-change-mock_request-to-return-err.patch +platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch +platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch +drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch +drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch +igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch +lib-test_objagg-set-error-message-in-check_expect_hi.patch +amd-xgbe-align-cl37-an-sequence-as-per-databook.patch +enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch +rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch +nui-fix-dma_mapping_error-check.patch +net-sched-always-pass-notifications-when-child-class.patch +smb-client-fix-race-condition-in-negotiate-timeout-b.patch +drm-msm-fix-a-fence-leak-in-submit-error-path.patch +drm-msm-fix-another-leak-in-the-submit-error-path.patch +alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch +alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch +ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch +ata-pata_cs5536-fix-build-on-32-bit-uml.patch +powerpc-fix-struct-termio-related-ioctl-macros.patch +asoc-amd-yc-update-quirk-data-for-hp-victus.patch +scsi-target-fix-null-pointer-dereference-in-core_scs.patch +aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch +wifi-mac80211-drop-invalid-source-address-ocb-frames.patch +wifi-ath6kl-remove-warn-on-bad-firmware-input.patch +acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch +mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch +rcu-return-early-if-callback-is-not-specified.patch diff --git a/queue-6.1/smb-client-fix-race-condition-in-negotiate-timeout-b.patch b/queue-6.1/smb-client-fix-race-condition-in-negotiate-timeout-b.patch new file mode 100644 index 0000000000..d3a723f7da --- /dev/null +++ b/queue-6.1/smb-client-fix-race-condition-in-negotiate-timeout-b.patch @@ -0,0 +1,128 @@ +From 1b1002c084fc7403e6f12febfc62549e346286b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 21:29:52 +0800 +Subject: smb: client: fix race condition in negotiate timeout by using more + precise timing + +From: Wang Zhaolong + +[ Upstream commit 266b5d02e14f3a0e07414e11f239397de0577a1d ] + +When the SMB server reboots and the client immediately accesses the mount +point, a race condition can occur that causes operations to fail with +"Host is down" error. + +Reproduction steps: + # Mount SMB share + mount -t cifs //192.168.245.109/TEST /mnt/ -o xxxx + ls /mnt + + # Reboot server + ssh root@192.168.245.109 reboot + ssh root@192.168.245.109 /path/to/cifs_server_setup.sh + ssh root@192.168.245.109 systemctl stop firewalld + + # Immediate access fails + ls /mnt + ls: cannot access '/mnt': Host is down + + # But works if there is a delay + +The issue is caused by a race condition between negotiate and reconnect. +The 20-second negotiate timeout mechanism can interfere with the normal +recovery process when both are triggered simultaneously. + + ls cifsd +--------------------------------------------------- + cifs_getattr + cifs_revalidate_dentry + cifs_get_inode_info + cifs_get_fattr + smb2_query_path_info + smb2_compound_op + SMB2_open_init + smb2_reconnect + cifs_negotiate_protocol + smb2_negotiate + cifs_send_recv + smb_send_rqst + wait_for_response + cifs_demultiplex_thread + cifs_read_from_socket + cifs_readv_from_socket + server_unresponsive + cifs_reconnect + __cifs_reconnect + cifs_abort_connection + mid->mid_state = MID_RETRY_NEEDED + cifs_wake_up_task + cifs_sync_mid_result + // case MID_RETRY_NEEDED + rc = -EAGAIN; + // In smb2_negotiate() + rc = -EHOSTDOWN; + +The server_unresponsive() timeout triggers cifs_reconnect(), which aborts +ongoing mid requests and causes the ls command to receive -EAGAIN, leading +to -EHOSTDOWN. + +Fix this by introducing a dedicated `neg_start` field to +precisely tracks when the negotiate process begins. The timeout check +now uses this accurate timestamp instead of `lstrp`, ensuring that: + +1. Timeout is only triggered after negotiate has actually run for 20s +2. The mechanism doesn't interfere with concurrent recovery processes +3. Uninitialized timestamps (value 0) don't trigger false timeouts + +Fixes: 7ccc1465465d ("smb: client: fix hang in wait_for_response() for negproto") +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsglob.h | 1 + + fs/smb/client/connect.c | 7 ++++--- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h +index 9c5aa646b8cc8..6df50ff6d9184 100644 +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -678,6 +678,7 @@ struct TCP_Server_Info { + __le32 session_key_id; /* retrieved from negotiate response and send in session setup request */ + struct session_key session_key; + unsigned long lstrp; /* when we got last response from this server */ ++ unsigned long neg_start; /* when negotiate started (jiffies) */ + struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */ + #define CIFS_NEGFLAVOR_UNENCAP 1 /* wct == 17, but no ext_sec */ + #define CIFS_NEGFLAVOR_EXTENDED 2 /* wct == 17, ext_sec bit set */ +diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c +index 6486e514686f0..c3480e84f5c62 100644 +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -689,12 +689,12 @@ server_unresponsive(struct TCP_Server_Info *server) + /* + * If we're in the process of mounting a share or reconnecting a session + * and the server abruptly shut down (e.g. socket wasn't closed, packet +- * had been ACK'ed but no SMB response), don't wait longer than 20s to +- * negotiate protocol. ++ * had been ACK'ed but no SMB response), don't wait longer than 20s from ++ * when negotiate actually started. + */ + spin_lock(&server->srv_lock); + if (server->tcpStatus == CifsInNegotiate && +- time_after(jiffies, server->lstrp + 20 * HZ)) { ++ time_after(jiffies, server->neg_start + 20 * HZ)) { + spin_unlock(&server->srv_lock); + cifs_reconnect(server, false); + return true; +@@ -4219,6 +4219,7 @@ cifs_negotiate_protocol(const unsigned int xid, struct cifs_ses *ses, + + server->lstrp = jiffies; + server->tcpStatus = CifsInNegotiate; ++ server->neg_start = jiffies; + spin_unlock(&server->srv_lock); + + rc = server->ops->negotiate(xid, ses, server); +-- +2.39.5 + diff --git a/queue-6.1/spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch b/queue-6.1/spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch new file mode 100644 index 0000000000..f2190a8e29 --- /dev/null +++ b/queue-6.1/spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch @@ -0,0 +1,61 @@ +From bd264ee044b1f350cb7eafcdbd2c779967cedf6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 11:21:37 +0100 +Subject: spi: spi-fsl-dspi: Clear completion counter before initiating + transfer + +From: James Clark + +[ Upstream commit fa60c094c19b97e103d653f528f8d9c178b6a5f5 ] + +In target mode, extra interrupts can be received between the end of a +transfer and halting the module if the host continues sending more data. +If the interrupt from this occurs after the reinit_completion() then the +completion counter is left at a non-zero value. The next unrelated +transfer initiated by userspace will then complete immediately without +waiting for the interrupt or writing to the RX buffer. + +Fix it by resetting the counter before the transfer so that lingering +values are cleared. This is done after clearing the FIFOs and the +status register but before the transfer is initiated, so no interrupts +should be received at this point resulting in other race conditions. + +Fixes: 4f5ee75ea171 ("spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion") +Signed-off-by: James Clark +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20250627-james-nxp-spi-dma-v4-1-178dba20c120@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsl-dspi.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c +index 5374c6d44519a..3a33156f52740 100644 +--- a/drivers/spi/spi-fsl-dspi.c ++++ b/drivers/spi/spi-fsl-dspi.c +@@ -964,11 +964,20 @@ static int dspi_transfer_one_message(struct spi_controller *ctlr, + if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) { + status = dspi_dma_xfer(dspi); + } else { ++ /* ++ * Reinitialize the completion before transferring data ++ * to avoid the case where it might remain in the done ++ * state due to a spurious interrupt from a previous ++ * transfer. This could falsely signal that the current ++ * transfer has completed. ++ */ ++ if (dspi->irq) ++ reinit_completion(&dspi->xfer_done); ++ + dspi_fifo_write(dspi); + + if (dspi->irq) { + wait_for_completion(&dspi->xfer_done); +- reinit_completion(&dspi->xfer_done); + } else { + do { + status = dspi_poll(dspi); +-- +2.39.5 + diff --git a/queue-6.1/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch b/queue-6.1/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch new file mode 100644 index 0000000000..ab63fa2438 --- /dev/null +++ b/queue-6.1/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch @@ -0,0 +1,43 @@ +From b7435455a998f369d02f1aa1cd2a001a2bf823a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 11:45:29 +0200 +Subject: wifi: ath6kl: remove WARN on bad firmware input + +From: Johannes Berg + +[ Upstream commit e7417421d89358da071fd2930f91e67c7128fbff ] + +If the firmware gives bad input, that's nothing to do with +the driver's stack at this point etc., so the WARN_ON() +doesn't add any value. Additionally, this is one of the +top syzbot reports now. Just print a message, and as an +added bonus, print the sizes too. + +Reported-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com +Tested-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com +Acked-by: Jeff Johnson +Link: https://patch.msgid.link/20250617114529.031a677a348e.I58bf1eb4ac16a82c546725ff010f3f0d2b0cca49@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath6kl/bmi.c b/drivers/net/wireless/ath/ath6kl/bmi.c +index af98e871199d3..5a9e93fd1ef42 100644 +--- a/drivers/net/wireless/ath/ath6kl/bmi.c ++++ b/drivers/net/wireless/ath/ath6kl/bmi.c +@@ -87,7 +87,9 @@ int ath6kl_bmi_get_target_info(struct ath6kl *ar, + * We need to do some backwards compatibility to make this work. + */ + if (le32_to_cpu(targ_info->byte_count) != sizeof(*targ_info)) { +- WARN_ON(1); ++ ath6kl_err("mismatched byte count %d vs. expected %zd\n", ++ le32_to_cpu(targ_info->byte_count), ++ sizeof(*targ_info)); + return -EINVAL; + } + +-- +2.39.5 + diff --git a/queue-6.1/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch b/queue-6.1/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch new file mode 100644 index 0000000000..8ed200ef7c --- /dev/null +++ b/queue-6.1/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch @@ -0,0 +1,42 @@ +From 10fc2bb2241e3e162828173bf8c3784445c9242f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 17:18:38 +0200 +Subject: wifi: mac80211: drop invalid source address OCB frames + +From: Johannes Berg + +[ Upstream commit d1b1a5eb27c4948e8811cf4dbb05aaf3eb10700c ] + +In OCB, don't accept frames from invalid source addresses +(and in particular don't try to create stations for them), +drop the frames instead. + +Reported-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/6788d2d9.050a0220.20d369.0028.GAE@google.com/ +Signed-off-by: Johannes Berg +Tested-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com +Link: https://patch.msgid.link/20250616171838.7433379cab5d.I47444d63c72a0bd58d2e2b67bb99e1fea37eec6f@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index b6077a97af1dc..8c9267acb227b 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -4336,6 +4336,10 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx) + if (!multicast && + !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1)) + return false; ++ /* reject invalid/our STA address */ ++ if (!is_valid_ether_addr(hdr->addr2) || ++ ether_addr_equal(sdata->dev->dev_addr, hdr->addr2)) ++ return false; + if (!rx->sta) { + int rate_idx; + if (status->encoding != RX_ENC_LEGACY) +-- +2.39.5 + -- 2.47.2