From 504bcf6e6fa6a099107a22a0c968d158381f38db Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Fri, 20 Jun 2025 09:15:06 -0400 Subject: [PATCH] Fixes for 6.1 Signed-off-by: Sasha Levin --- ...tery-negate-current-when-discharging.patch | 63 +++++ ...-out-if-acpi_kobj-registration-fails.patch | 43 ++++ ...sequence-overread-in-call-to-strncmp.patch | 57 +++++ ...cpi-operand-cache-leak-in-dswstate.c.patch | 110 ++++++++ ...-acpi-parse-and-parseext-cache-leaks.patch | 236 ++++++++++++++++++ ...ties-fix-overflow-check-in-vsnprintf.patch | 46 ++++ ...-l4ls-clk-domain-handling-in-standby.patch | 87 +++++++ ...d-quirk-for-lenovo-yoga-pro-7-14asp9.patch | 51 ++++ ...er-cycle-amp-on-isense-vsense-change.patch | 73 ++++++ ...ub-add-check-to-of_device_get_match_.patch | 36 +++ ...ad_lock_trace_held-in-bpf_map_lookup.patch | 43 ++++ ...-fix-data-lost-during-eagain-retries.patch | 68 +++++ ...up-command-to-only-show-cgroup-bpf-p.patch | 112 +++++++++ ...ase-mc_cmd_completion_timeout_ms-val.patch | 40 +++ ...kchip-rk3036-mark-ddrphy-as-critical.patch | 37 +++ ...the-cpus-choice-in-the-watchdog-per-.patch | 60 +++++ ...p-scmi-devices-that-aren-t-used-by-t.patch | 89 +++++++ ...rect-command-version-selection-in-be.patch | 39 +++ ...modelist-not-set-on-unregistered-con.patch | 65 +++++ ...nvoke-runtime-suspend-on-quick-slave.patch | 79 ++++++ .../i2c-npcm-add-clock-toggle-recovery.patch | 49 ++++ ...check-msg-length-in-smbus-block-read.patch | 40 +++ ...ite-access-to-an-invalid-page-in-i40.patch | 48 ++++ ...e-fix-check-for-existing-switch-rule.patch | 56 +++++ ...-ga-log-notifier-callbacks-finish-ru.patch | 43 ++++ ...this_cpu_inc-for-stats-on-preempt_rt.patch | 44 ++++ ...ical-pointer-detection-to-btf_dedup_.patch | 71 ++++++ ...mc-add-quirk-to-disable-ddr50-tuning.patch | 134 ++++++++++ ...erate-software-timestamp-just-before.patch | 49 ++++ ...-re-implement-br_multicast_-enable-d.patch | 173 +++++++++++++ ...-update-multicast-contex-when-vlan-s.patch | 165 ++++++++++++ ...add-synchronization-for-stats-update.patch | 102 ++++++++ ...ernet-cortina-use-toe-tso-on-all-tcp.patch | 132 ++++++++++ ...fy-the-eeprom-and-otp-size-for-pci1x.patch | 89 +++++++ ...eturn-value-of-dma_set_mask_and_cohe.patch | 42 ++++ ..._timestamping_tx_software-flag-when-.patch | 37 +++ ...e102x-return-code-for-mse102x_rx_pkt.patch | 92 +++++++ ...-error-log-forcn10k_map_unmap_rq_pol.patch | 47 ++++ ...cter-validation-for-the-userspace-ac.patch | 45 ++++ ...7xx-propagate-error-from-armada_37xx.patch | 41 +++ ...opagate-error-from-armada_37xx.patch-10884 | 45 ++++ ...ropagate-error-from-armada_37xx.patch-3693 | 52 ++++ ...propagate-error-from-armada_37xx.patch-760 | 45 ++++ ...s08-reset-all-pins-to-input-at-probe.patch | 47 ++++ ...platform-x86-dell_rbu-fix-list-usage.patch | 54 ++++ ...ell_rbu-stop-overwriting-data-buffer.patch | 55 ++++ ...enying-of-auto-suspend-in-pm_suspend.patch | 61 +++++ ...ply-bq27xxx-retrieve-again-when-busy.patch | 90 +++++++ ...missing-pe-bridge-reconfiguration-du.patch | 67 +++++ ...sc-probe-for-l4_wkup-and-l4_cfg-inte.patch | 112 +++++++++ ...fc_check_sli_ndlp-handling-for-gen_r.patch | 40 +++ ...csi-lpfc-use-memcpy-for-bios-version.patch | 47 ++++ ...t-wake-readers-in-__sctp_write_space.patch | 42 ++++ queue-6.1/series | 68 +++++ ...or-checking-condition-for-assign-rel.patch | 49 ++++ ...rrect-a-oob-check-in-software_node_g.patch | 42 ++++ ...for-minimal-rtt-in-tcp_rcv_rtt_updat.patch | 71 ++++++ ...tp-rcvq_space.space-value-for-passiv.patch | 52 ++++ ...-calculation-wraparound-on-32-bit-ke.patch | 87 +++++++ ...use-kfree_sensitive-for-aead-cleanup.patch | 45 ++++ ...at-dst-cache-initialization-errors-a.patch | 75 ++++++ .../watchdog-da9052_wdt-respect-twdmin.patch | 39 +++ ...fi-ath11k-fix-qmi-memory-reuse-logic.patch | 70 ++++++ ...-not-offer-a-mesh-path-if-forwarding.patch | 67 +++++ ...sim-prevent-tsf-from-setting-if-beac.patch | 42 ++++ ...-add-support-for-liteon-wn4516r-wn45.patch | 86 +++++++ ...921-add-160-mhz-ap-for-mt7922-device.patch | 38 +++ ...i-plfxlc-fix-memory-leak-in-plfxlc_u.patch | 39 +++ ...t-attempts-to-reclaim-poisoned-pages.patch | 87 +++++++ 69 files changed, 4647 insertions(+) create mode 100644 queue-6.1/acpi-battery-negate-current-when-discharging.patch create mode 100644 queue-6.1/acpi-bus-bail-out-if-acpi_kobj-registration-fails.patch create mode 100644 queue-6.1/acpica-avoid-sequence-overread-in-call-to-strncmp.patch create mode 100644 queue-6.1/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch create mode 100644 queue-6.1/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch create mode 100644 queue-6.1/acpica-utilities-fix-overflow-check-in-vsnprintf.patch create mode 100644 queue-6.1/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch create mode 100644 queue-6.1/asoc-amd-yc-add-quirk-for-lenovo-yoga-pro-7-14asp9.patch create mode 100644 queue-6.1/asoc-tas2770-power-cycle-amp-on-isense-vsense-change.patch create mode 100644 queue-6.1/asoc-tegra210_ahub-add-check-to-of_device_get_match_.patch create mode 100644 queue-6.1/bpf-check-rcu_read_lock_trace_held-in-bpf_map_lookup.patch create mode 100644 queue-6.1/bpf-sockmap-fix-data-lost-during-eagain-retries.patch create mode 100644 queue-6.1/bpftool-fix-cgroup-command-to-only-show-cgroup-bpf-p.patch create mode 100644 queue-6.1/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch create mode 100644 queue-6.1/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch create mode 100644 queue-6.1/clocksource-fix-the-cpus-choice-in-the-watchdog-per-.patch create mode 100644 queue-6.1/cpufreq-scmi-skip-scmi-devices-that-aren-t-used-by-t.patch create mode 100644 queue-6.1/emulex-benet-correct-command-version-selection-in-be.patch create mode 100644 queue-6.1/fbcon-make-sure-modelist-not-set-on-unregistered-con.patch create mode 100644 queue-6.1/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch create mode 100644 queue-6.1/i2c-npcm-add-clock-toggle-recovery.patch create mode 100644 queue-6.1/i2c-tegra-check-msg-length-in-smbus-block-read.patch create mode 100644 queue-6.1/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch create mode 100644 queue-6.1/ice-fix-check-for-existing-switch-rule.patch create mode 100644 queue-6.1/iommu-amd-ensure-ga-log-notifier-callbacks-finish-ru.patch create mode 100644 queue-6.1/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch create mode 100644 queue-6.1/libbpf-add-identical-pointer-detection-to-btf_dedup_.patch create mode 100644 queue-6.1/mmc-add-quirk-to-disable-ddr50-tuning.patch create mode 100644 queue-6.1/net-atlantic-generate-software-timestamp-just-before.patch create mode 100644 queue-6.1/net-bridge-mcast-re-implement-br_multicast_-enable-d.patch create mode 100644 queue-6.1/net-bridge-mcast-update-multicast-contex-when-vlan-s.patch create mode 100644 queue-6.1/net-dlink-add-synchronization-for-stats-update.patch create mode 100644 queue-6.1/net-ethernet-cortina-use-toe-tso-on-all-tcp.patch create mode 100644 queue-6.1/net-lan743x-modify-the-eeprom-and-otp-size-for-pci1x.patch create mode 100644 queue-6.1/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch create mode 100644 queue-6.1/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch create mode 100644 queue-6.1/net-vertexcom-mse102x-return-code-for-mse102x_rx_pkt.patch create mode 100644 queue-6.1/octeontx2-pf-add-error-log-forcn10k_map_unmap_rq_pol.patch create mode 100644 queue-6.1/openvswitch-stricter-validation-for-the-userspace-ac.patch create mode 100644 queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch create mode 100644 queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-10884 create mode 100644 queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-3693 create mode 100644 queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-760 create mode 100644 queue-6.1/pinctrl-mcp23s08-reset-all-pins-to-input-at-probe.patch create mode 100644 queue-6.1/platform-x86-dell_rbu-fix-list-usage.patch create mode 100644 queue-6.1/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch create mode 100644 queue-6.1/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch create mode 100644 queue-6.1/power-supply-bq27xxx-retrieve-again-when-busy.patch create mode 100644 queue-6.1/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch create mode 100644 queue-6.1/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch create mode 100644 queue-6.1/scsi-lpfc-fix-lpfc_check_sli_ndlp-handling-for-gen_r.patch create mode 100644 queue-6.1/scsi-lpfc-use-memcpy-for-bios-version.patch create mode 100644 queue-6.1/sctp-do-not-wake-readers-in-__sctp_write_space.patch create mode 100644 queue-6.1/sock-correct-error-checking-condition-for-assign-rel.patch create mode 100644 queue-6.1/software-node-correct-a-oob-check-in-software_node_g.patch create mode 100644 queue-6.1/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch create mode 100644 queue-6.1/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch create mode 100644 queue-6.1/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch create mode 100644 queue-6.1/tipc-use-kfree_sensitive-for-aead-cleanup.patch create mode 100644 queue-6.1/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch create mode 100644 queue-6.1/watchdog-da9052_wdt-respect-twdmin.patch create mode 100644 queue-6.1/wifi-ath11k-fix-qmi-memory-reuse-logic.patch create mode 100644 queue-6.1/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch create mode 100644 queue-6.1/wifi-mac80211_hwsim-prevent-tsf-from-setting-if-beac.patch create mode 100644 queue-6.1/wifi-mt76-mt76x2-add-support-for-liteon-wn4516r-wn45.patch create mode 100644 queue-6.1/wifi-mt76-mt7921-add-160-mhz-ap-for-mt7922-device.patch create mode 100644 queue-6.1/wireless-purelifi-plfxlc-fix-memory-leak-in-plfxlc_u.patch create mode 100644 queue-6.1/x86-sgx-prevent-attempts-to-reclaim-poisoned-pages.patch diff --git a/queue-6.1/acpi-battery-negate-current-when-discharging.patch b/queue-6.1/acpi-battery-negate-current-when-discharging.patch new file mode 100644 index 0000000000..0040cb8772 --- /dev/null +++ b/queue-6.1/acpi-battery-negate-current-when-discharging.patch @@ -0,0 +1,63 @@ +From 839f86434b870936fd0982b8218ecc664920e47c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 12:41:45 +1000 +Subject: ACPI: battery: negate current when discharging + +From: Peter Marheine + +[ Upstream commit 234f71555019d308c6bc6f98c78c5551cb8cd56a ] + +The ACPI specification requires that battery rate is always positive, +but the kernel ABI for POWER_SUPPLY_PROP_CURRENT_NOW +(Documentation/ABI/testing/sysfs-class-power) specifies that it should +be negative when a battery is discharging. When reporting CURRENT_NOW, +massage the value to match the documented ABI. + +This only changes the sign of `current_now` and not `power_now` because +documentation doesn't describe any particular meaning for `power_now` so +leaving `power_now` unchanged is less likely to confuse userspace +unnecessarily, whereas becoming consistent with the documented ABI is +worth potentially confusing clients that read `current_now`. + +Signed-off-by: Peter Marheine +Link: https://patch.msgid.link/20250508024146.1436129-1-pmarheine@chromium.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index 5a4e022662417..2f188a734a0c5 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -241,10 +241,23 @@ static int acpi_battery_get_property(struct power_supply *psy, + break; + case POWER_SUPPLY_PROP_CURRENT_NOW: + case POWER_SUPPLY_PROP_POWER_NOW: +- if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) ++ if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { + ret = -ENODEV; +- else +- val->intval = battery->rate_now * 1000; ++ break; ++ } ++ ++ val->intval = battery->rate_now * 1000; ++ /* ++ * When discharging, the current should be reported as a ++ * negative number as per the power supply class interface ++ * definition. ++ */ ++ if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && ++ (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && ++ acpi_battery_handle_discharging(battery) ++ == POWER_SUPPLY_STATUS_DISCHARGING) ++ val->intval = -val->intval; ++ + break; + case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: + case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: +-- +2.39.5 + diff --git a/queue-6.1/acpi-bus-bail-out-if-acpi_kobj-registration-fails.patch b/queue-6.1/acpi-bus-bail-out-if-acpi_kobj-registration-fails.patch new file mode 100644 index 0000000000..16522dc031 --- /dev/null +++ b/queue-6.1/acpi-bus-bail-out-if-acpi_kobj-registration-fails.patch @@ -0,0 +1,43 @@ +From ec15e0a624d68f7b119e262df7bf27bb3dce2cd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 May 2025 20:51:11 +0200 +Subject: ACPI: bus: Bail out if acpi_kobj registration fails + +From: Armin Wolf + +[ Upstream commit 94a370fc8def6038dbc02199db9584b0b3690f1a ] + +The ACPI sysfs code will fail to initialize if acpi_kobj is NULL, +together with some ACPI drivers. + +Follow the other firmware subsystems and bail out if the kobject +cannot be registered. + +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20250518185111.3560-2-W_Armin@gmx.de +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index a16b7de73d164..fafa15507b141 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -1389,8 +1389,10 @@ static int __init acpi_init(void) + } + + acpi_kobj = kobject_create_and_add("acpi", firmware_kobj); +- if (!acpi_kobj) +- pr_debug("%s: kset create error\n", __func__); ++ if (!acpi_kobj) { ++ pr_err("Failed to register kobject\n"); ++ return -ENOMEM; ++ } + + init_prmt(); + acpi_init_pcc(); +-- +2.39.5 + diff --git a/queue-6.1/acpica-avoid-sequence-overread-in-call-to-strncmp.patch b/queue-6.1/acpica-avoid-sequence-overread-in-call-to-strncmp.patch new file mode 100644 index 0000000000..b29a556ab3 --- /dev/null +++ b/queue-6.1/acpica-avoid-sequence-overread-in-call-to-strncmp.patch @@ -0,0 +1,57 @@ +From 2a0a30f559e7e82ac123727570af3c58f95b3ae4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 21:30:27 +0200 +Subject: ACPICA: Avoid sequence overread in call to strncmp() + +From: Ahmed Salem + +[ Upstream commit 64b9dfd0776e9c38d733094859a09f13282ce6f8 ] + +ACPICA commit 8b83a8d88dfec59ea147fad35fc6deea8859c58c + +ap_get_table_length() checks if tables are valid by +calling ap_is_valid_header(). The latter then calls +ACPI_VALIDATE_RSDP_SIG(Table->Signature). + +ap_is_valid_header() accepts struct acpi_table_header as an argument, so +the signature size is always fixed to 4 bytes. + +The problem is when the string comparison is between ACPI-defined table +signature and ACPI_SIG_RSDP. Common ACPI table header specifies the +Signature field to be 4 bytes long[1], with the exception of the RSDP +structure whose signature is 8 bytes long "RSD PTR " (including the +trailing blank character)[2]. Calling strncmp(sig, rsdp_sig, 8) would +then result in a sequence overread[3] as sig would be smaller (4 bytes) +than the specified bound (8 bytes). + +As a workaround, pass the bound conditionally based on the size of the +signature being passed. + +Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#system-description-table-header [1] +Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#root-system-description-pointer-rsdp-structure [2] +Link: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wstringop-overread [3] +Link: https://github.com/acpica/acpica/commit/8b83a8d8 +Signed-off-by: Ahmed Salem +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/2248233.Mh6RI2rZIc@rjwysocki.net +Signed-off-by: Sasha Levin +--- + include/acpi/actypes.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h +index 3491e454b2abf..680586f885a8c 100644 +--- a/include/acpi/actypes.h ++++ b/include/acpi/actypes.h +@@ -527,7 +527,7 @@ typedef u64 acpi_integer; + + /* Support for the special RSDP signature (8 characters) */ + +-#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, 8)) ++#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, (sizeof(a) < 8) ? ACPI_NAMESEG_SIZE : 8)) + #define ACPI_MAKE_RSDP_SIG(dest) (memcpy (ACPI_CAST_PTR (char, (dest)), ACPI_SIG_RSDP, 8)) + + /* Support for OEMx signature (x can be any character) */ +-- +2.39.5 + diff --git a/queue-6.1/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch b/queue-6.1/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch new file mode 100644 index 0000000000..37f225a2d3 --- /dev/null +++ b/queue-6.1/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch @@ -0,0 +1,110 @@ +From 395b7038ce3d0130dc50b9ba365140b207f2bde5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 21:05:24 +0100 +Subject: ACPICA: fix acpi operand cache leak in dswstate.c + +From: Seunghun Han + +[ Upstream commit 156fd20a41e776bbf334bd5e45c4f78dfc90ce1c ] + +ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 + +I found an ACPI cache leak in ACPI early termination and boot continuing case. + +When early termination occurs due to malicious ACPI table, Linux kernel +terminates ACPI function and continues to boot process. While kernel terminates +ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. + +Boot log of ACPI operand cache leak is as follows: +>[ 0.585957] ACPI: Added _OSI(Module Device) +>[ 0.587218] ACPI: Added _OSI(Processor Device) +>[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) +>[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) +>[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) +>[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) +>[ 0.597858] ACPI: Unable to start the ACPI Interpreter +>[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) +>[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects +>[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 +>[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 +>[ 0.609177] Call Trace: +>[ 0.610063] ? dump_stack+0x5c/0x81 +>[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 +>[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 +>[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 +>[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b +>[ 0.619293] ? acpi_terminate+0xa/0x14 +>[ 0.620394] ? acpi_init+0x2af/0x34f +>[ 0.621616] ? __class_create+0x4c/0x80 +>[ 0.623412] ? video_setup+0x7f/0x7f +>[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 +>[ 0.625861] ? do_one_initcall+0x4e/0x1a0 +>[ 0.627513] ? kernel_init_freeable+0x19e/0x21f +>[ 0.628972] ? rest_init+0x80/0x80 +>[ 0.630043] ? kernel_init+0xa/0x100 +>[ 0.631084] ? ret_from_fork+0x25/0x30 +>[ 0.633343] vgaarb: loaded +>[ 0.635036] EDAC MC: Ver: 3.0.0 +>[ 0.638601] PCI: Probing PCI hardware +>[ 0.639833] PCI host bridge to bus 0000:00 +>[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] +> ... Continue to boot and log is omitted ... + +I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_ +delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push() +function uses walk_state->operand_index for start position of the top, but +acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it. +Therefore, this causes acpi operand memory leak. + +This cache leak causes a security threat because an old kernel (<= 4.9) shows +memory locations of kernel functions in stack dump. Some malicious users +could use this information to neutralize kernel ASLR. + +I made a patch to fix ACPI operand cache leak. + +Link: https://github.com/acpica/acpica/commit/987a3b5c +Signed-off-by: Seunghun Han +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/4999480.31r3eYUQgx@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsutils.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/dsutils.c b/drivers/acpi/acpica/dsutils.c +index fb9ed5e1da89d..2bdae8a25e084 100644 +--- a/drivers/acpi/acpica/dsutils.c ++++ b/drivers/acpi/acpica/dsutils.c +@@ -668,6 +668,8 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, + union acpi_parse_object *arguments[ACPI_OBJ_NUM_OPERANDS]; + u32 arg_count = 0; + u32 index = walk_state->num_operands; ++ u32 prev_num_operands = walk_state->num_operands; ++ u32 new_num_operands; + u32 i; + + ACPI_FUNCTION_TRACE_PTR(ds_create_operands, first_arg); +@@ -696,6 +698,7 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, + + /* Create the interpreter arguments, in reverse order */ + ++ new_num_operands = index; + index--; + for (i = 0; i < arg_count; i++) { + arg = arguments[index]; +@@ -720,7 +723,11 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, + * pop everything off of the operand stack and delete those + * objects + */ +- acpi_ds_obj_stack_pop_and_delete(arg_count, walk_state); ++ walk_state->num_operands = i; ++ acpi_ds_obj_stack_pop_and_delete(new_num_operands, walk_state); ++ ++ /* Restore operand count */ ++ walk_state->num_operands = prev_num_operands; + + ACPI_EXCEPTION((AE_INFO, status, "While creating Arg %u", index)); + return_ACPI_STATUS(status); +-- +2.39.5 + diff --git a/queue-6.1/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch b/queue-6.1/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch new file mode 100644 index 0000000000..cf9ebdad05 --- /dev/null +++ b/queue-6.1/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch @@ -0,0 +1,236 @@ +From 59e2e2c7347a91f9ec8b3ff9c80da6895ab59dd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 21:06:21 +0100 +Subject: ACPICA: fix acpi parse and parseext cache leaks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Seunghun Han + +[ Upstream commit bed18f0bdcd6737a938264a59d67923688696fc4 ] + +ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 + +I'm Seunghun Han, and I work for National Security Research Institute of +South Korea. + +I have been doing a research on ACPI and found an ACPI cache leak in ACPI +early abort cases. + +Boot log of ACPI cache leak is as follows: +[ 0.352414] ACPI: Added _OSI(Module Device) +[ 0.353182] ACPI: Added _OSI(Processor Device) +[ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions) +[ 0.353182] ACPI: Added _OSI(Processor Aggregator Device) +[ 0.356028] ACPI: Unable to start the ACPI Interpreter +[ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) +[ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects +[ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W +4.12.0-rc4-next-20170608+ #10 +[ 0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS +virtual_box 12/01/2006 +[ 0.361873] Call Trace: +[ 0.362243] ? dump_stack+0x5c/0x81 +[ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0 +[ 0.362944] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.363296] ? acpi_os_delete_cache+0xa/0x10 +[ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b +[ 0.364000] ? acpi_terminate+0xa/0x14 +[ 0.364000] ? acpi_init+0x2af/0x34f +[ 0.364000] ? __class_create+0x4c/0x80 +[ 0.364000] ? video_setup+0x7f/0x7f +[ 0.364000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.364000] ? do_one_initcall+0x4e/0x1a0 +[ 0.364000] ? kernel_init_freeable+0x189/0x20a +[ 0.364000] ? rest_init+0xc0/0xc0 +[ 0.364000] ? kernel_init+0xa/0x100 +[ 0.364000] ? ret_from_fork+0x25/0x30 + +I analyzed this memory leak in detail. I found that “Acpi-State” cache and +“Acpi-Parse” cache were merged because the size of cache objects was same +slab cache size. + +I finally found “Acpi-Parse” cache and “Acpi-parse_ext” cache were leaked +using SLAB_NEVER_MERGE flag in kmem_cache_create() function. + +Real ACPI cache leak point is as follows: +[ 0.360101] ACPI: Added _OSI(Module Device) +[ 0.360101] ACPI: Added _OSI(Processor Device) +[ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions) +[ 0.361043] ACPI: Added _OSI(Processor Aggregator Device) +[ 0.364016] ACPI: Unable to start the ACPI Interpreter +[ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) +[ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects +[ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W +4.12.0-rc4-next-20170608+ #8 +[ 0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS +virtual_box 12/01/2006 +[ 0.372000] Call Trace: +[ 0.372000] ? dump_stack+0x5c/0x81 +[ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0 +[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.372000] ? acpi_os_delete_cache+0xa/0x10 +[ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b +[ 0.372000] ? acpi_terminate+0xa/0x14 +[ 0.372000] ? acpi_init+0x2af/0x34f +[ 0.372000] ? __class_create+0x4c/0x80 +[ 0.372000] ? video_setup+0x7f/0x7f +[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.372000] ? do_one_initcall+0x4e/0x1a0 +[ 0.372000] ? kernel_init_freeable+0x189/0x20a +[ 0.372000] ? rest_init+0xc0/0xc0 +[ 0.372000] ? kernel_init+0xa/0x100 +[ 0.372000] ? ret_from_fork+0x25/0x30 +[ 0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects +[ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W +4.12.0-rc4-next-20170608+ #8 +[ 0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS +virtual_box 12/01/2006 +[ 0.392000] Call Trace: +[ 0.392000] ? dump_stack+0x5c/0x81 +[ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0 +[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.392000] ? acpi_os_delete_cache+0xa/0x10 +[ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b +[ 0.392000] ? acpi_terminate+0xa/0x14 +[ 0.392000] ? acpi_init+0x2af/0x34f +[ 0.392000] ? __class_create+0x4c/0x80 +[ 0.392000] ? video_setup+0x7f/0x7f +[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.392000] ? do_one_initcall+0x4e/0x1a0 +[ 0.392000] ? kernel_init_freeable+0x189/0x20a +[ 0.392000] ? rest_init+0xc0/0xc0 +[ 0.392000] ? kernel_init+0xa/0x100 +[ 0.392000] ? ret_from_fork+0x25/0x30 + +When early abort is occurred due to invalid ACPI information, Linux kernel +terminates ACPI by calling acpi_terminate() function. The function calls +acpi_ut_delete_caches() function to delete local caches (acpi_gbl_namespace_ +cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache). + +But the deletion codes in acpi_ut_delete_caches() function only delete +slab caches using kmem_cache_destroy() function, therefore the cache +objects should be flushed before acpi_ut_delete_caches() function. + +"Acpi-Parse" cache and "Acpi-ParseExt" cache are used in an AML parse +function, acpi_ps_parse_loop(). The function should complete all ops +using acpi_ps_complete_final_op() when an error occurs due to invalid +AML codes. +However, the current implementation of acpi_ps_complete_final_op() does not +complete all ops when it meets some errors and this cause cache leak. + +This cache leak has a security threat because an old kernel (<= 4.9) shows +memory locations of kernel functions in stack dump. Some malicious users +could use this information to neutralize kernel ASLR. + +To fix ACPI cache leak for enhancing security, I made a patch to complete all +ops unconditionally for acpi_ps_complete_final_op() function. + +I hope that this patch improves the security of Linux kernel. + +Thank you. + +Link: https://github.com/acpica/acpica/commit/8829e70e +Signed-off-by: Seunghun Han +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/2363774.ElGaqSPkdT@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psobject.c | 52 ++++++++++------------------------ + 1 file changed, 15 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/acpica/psobject.c b/drivers/acpi/acpica/psobject.c +index bca249e67c6b5..3c887515bad41 100644 +--- a/drivers/acpi/acpica/psobject.c ++++ b/drivers/acpi/acpica/psobject.c +@@ -636,7 +636,8 @@ acpi_status + acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + union acpi_parse_object *op, acpi_status status) + { +- acpi_status status2; ++ acpi_status return_status = status; ++ u8 ascending = TRUE; + + ACPI_FUNCTION_TRACE_PTR(ps_complete_final_op, walk_state); + +@@ -650,7 +651,7 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + op)); + do { + if (op) { +- if (walk_state->ascending_callback != NULL) { ++ if (ascending && walk_state->ascending_callback != NULL) { + walk_state->op = op; + walk_state->op_info = + acpi_ps_get_opcode_info(op->common. +@@ -672,49 +673,26 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + } + + if (status == AE_CTRL_TERMINATE) { +- status = AE_OK; +- +- /* Clean up */ +- do { +- if (op) { +- status2 = +- acpi_ps_complete_this_op +- (walk_state, op); +- if (ACPI_FAILURE +- (status2)) { +- return_ACPI_STATUS +- (status2); +- } +- } +- +- acpi_ps_pop_scope(& +- (walk_state-> +- parser_state), +- &op, +- &walk_state-> +- arg_types, +- &walk_state-> +- arg_count); +- +- } while (op); +- +- return_ACPI_STATUS(status); ++ ascending = FALSE; ++ return_status = AE_CTRL_TERMINATE; + } + + else if (ACPI_FAILURE(status)) { + + /* First error is most important */ + +- (void) +- acpi_ps_complete_this_op(walk_state, +- op); +- return_ACPI_STATUS(status); ++ ascending = FALSE; ++ return_status = status; + } + } + +- status2 = acpi_ps_complete_this_op(walk_state, op); +- if (ACPI_FAILURE(status2)) { +- return_ACPI_STATUS(status2); ++ status = acpi_ps_complete_this_op(walk_state, op); ++ if (ACPI_FAILURE(status)) { ++ ascending = FALSE; ++ if (ACPI_SUCCESS(return_status) || ++ return_status == AE_CTRL_TERMINATE) { ++ return_status = status; ++ } + } + } + +@@ -724,5 +702,5 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + + } while (op); + +- return_ACPI_STATUS(status); ++ return_ACPI_STATUS(return_status); + } +-- +2.39.5 + diff --git a/queue-6.1/acpica-utilities-fix-overflow-check-in-vsnprintf.patch b/queue-6.1/acpica-utilities-fix-overflow-check-in-vsnprintf.patch new file mode 100644 index 0000000000..4b99419e10 --- /dev/null +++ b/queue-6.1/acpica-utilities-fix-overflow-check-in-vsnprintf.patch @@ -0,0 +1,46 @@ +From 3f52b5cdb1cc4106f71b4c617229aaed9876cefe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 21:21:52 +0200 +Subject: ACPICA: utilities: Fix overflow check in vsnprintf() + +From: gldrk + +[ Upstream commit 12b660251007e00a3e4d47ec62dbe3a7ace7023e ] + +ACPICA commit d9d59b7918514ae55063b93f3ec041b1a569bf49 + +The old version breaks sprintf on 64-bit systems for buffers +outside [0..UINT32_MAX]. + +Link: https://github.com/acpica/acpica/commit/d9d59b79 +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/4994935.GXAFRqVoOG@rjwysocki.net +Signed-off-by: gldrk +[ rjw: Added the tag from gldrk ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/utprint.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/acpica/utprint.c b/drivers/acpi/acpica/utprint.c +index d5aa2109847f3..67104bfc184de 100644 +--- a/drivers/acpi/acpica/utprint.c ++++ b/drivers/acpi/acpica/utprint.c +@@ -333,11 +333,8 @@ int vsnprintf(char *string, acpi_size size, const char *format, va_list args) + + pos = string; + +- if (size != ACPI_UINT32_MAX) { +- end = string + size; +- } else { +- end = ACPI_CAST_PTR(char, ACPI_UINT32_MAX); +- } ++ size = ACPI_MIN(size, ACPI_PTR_DIFF(ACPI_MAX_PTR, string)); ++ end = string + size; + + for (; *format; ++format) { + if (*format != '%') { +-- +2.39.5 + diff --git a/queue-6.1/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch b/queue-6.1/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch new file mode 100644 index 0000000000..e130ba5c8d --- /dev/null +++ b/queue-6.1/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch @@ -0,0 +1,87 @@ +From 1c1bd537e8a76f66bdaa1ea2beddf78a9c8fe682 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 16:00:39 -0700 +Subject: ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY + +From: Sukrut Bellary + +[ Upstream commit 47fe74098f3dadba2f9cc1e507d813a4aa93f5f3 ] + +Don't put the l4ls clk domain to sleep in case of standby. +Since CM3 PM FW[1](ti-v4.1.y) doesn't wake-up/enable the l4ls clk domain +upon wake-up, CM3 PM FW fails to wake-up the MPU. + +[1] https://git.ti.com/cgit/processor-firmware/ti-amx3-cm3-pm-firmware/ + +Signed-off-by: Sukrut Bellary +Tested-by: Judith Mendez +Link: https://lore.kernel.org/r/20250318230042.3138542-2-sbellary@baylibre.com +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/clockdomain.h | 1 + + arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +- + arch/arm/mach-omap2/cm33xx.c | 14 +++++++++++++- + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/mach-omap2/clockdomain.h b/arch/arm/mach-omap2/clockdomain.h +index 68550b23c938d..eb6ca2ea80679 100644 +--- a/arch/arm/mach-omap2/clockdomain.h ++++ b/arch/arm/mach-omap2/clockdomain.h +@@ -48,6 +48,7 @@ + #define CLKDM_NO_AUTODEPS (1 << 4) + #define CLKDM_ACTIVE_WITH_MPU (1 << 5) + #define CLKDM_MISSING_IDLE_REPORTING (1 << 6) ++#define CLKDM_STANDBY_FORCE_WAKEUP BIT(7) + + #define CLKDM_CAN_HWSUP (CLKDM_CAN_ENABLE_AUTO | CLKDM_CAN_DISABLE_AUTO) + #define CLKDM_CAN_SWSUP (CLKDM_CAN_FORCE_SLEEP | CLKDM_CAN_FORCE_WAKEUP) +diff --git a/arch/arm/mach-omap2/clockdomains33xx_data.c b/arch/arm/mach-omap2/clockdomains33xx_data.c +index 87f4e927eb183..c05a3c07d4486 100644 +--- a/arch/arm/mach-omap2/clockdomains33xx_data.c ++++ b/arch/arm/mach-omap2/clockdomains33xx_data.c +@@ -19,7 +19,7 @@ static struct clockdomain l4ls_am33xx_clkdm = { + .pwrdm = { .name = "per_pwrdm" }, + .cm_inst = AM33XX_CM_PER_MOD, + .clkdm_offs = AM33XX_CM_PER_L4LS_CLKSTCTRL_OFFSET, +- .flags = CLKDM_CAN_SWSUP, ++ .flags = CLKDM_CAN_SWSUP | CLKDM_STANDBY_FORCE_WAKEUP, + }; + + static struct clockdomain l3s_am33xx_clkdm = { +diff --git a/arch/arm/mach-omap2/cm33xx.c b/arch/arm/mach-omap2/cm33xx.c +index d61fa06117b42..5c833dec6352f 100644 +--- a/arch/arm/mach-omap2/cm33xx.c ++++ b/arch/arm/mach-omap2/cm33xx.c +@@ -20,6 +20,9 @@ + #include "cm-regbits-34xx.h" + #include "cm-regbits-33xx.h" + #include "prm33xx.h" ++#if IS_ENABLED(CONFIG_SUSPEND) ++#include ++#endif + + /* + * CLKCTRL_IDLEST_*: possible values for the CM_*_CLKCTRL.IDLEST bitfield: +@@ -328,8 +331,17 @@ static int am33xx_clkdm_clk_disable(struct clockdomain *clkdm) + { + bool hwsup = false; + ++#if IS_ENABLED(CONFIG_SUSPEND) ++ /* ++ * In case of standby, Don't put the l4ls clk domain to sleep. ++ * Since CM3 PM FW doesn't wake-up/enable the l4ls clk domain ++ * upon wake-up, CM3 PM FW fails to wake-up th MPU. ++ */ ++ if (pm_suspend_target_state == PM_SUSPEND_STANDBY && ++ (clkdm->flags & CLKDM_STANDBY_FORCE_WAKEUP)) ++ return 0; ++#endif + hwsup = am33xx_cm_is_clkdm_in_hwsup(clkdm->cm_inst, clkdm->clkdm_offs); +- + if (!hwsup && (clkdm->flags & CLKDM_CAN_FORCE_SLEEP)) + am33xx_clkdm_sleep(clkdm); + +-- +2.39.5 + diff --git a/queue-6.1/asoc-amd-yc-add-quirk-for-lenovo-yoga-pro-7-14asp9.patch b/queue-6.1/asoc-amd-yc-add-quirk-for-lenovo-yoga-pro-7-14asp9.patch new file mode 100644 index 0000000000..ff389d5786 --- /dev/null +++ b/queue-6.1/asoc-amd-yc-add-quirk-for-lenovo-yoga-pro-7-14asp9.patch @@ -0,0 +1,51 @@ +From 5cf23c6e29445742416f6fab4467675f709b1781 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 01:27:41 +0300 +Subject: ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9 + +From: Talhah Peerbhai + +[ Upstream commit a28206060dc5848a1a2a15b7f6ac6223d869084d ] + +Similar to many other Lenovo models with AMD chips, the Lenovo +Yoga Pro 7 14ASP9 (product name 83HN) requires a specific quirk +to ensure internal mic detection. This patch adds a quirk fixing this. + +Signed-off-by: Talhah Peerbhai +Link: https://patch.msgid.link/20250515222741.144616-1-talhah.peerbhai@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 1f94269e121af..d5dc1d48fca94 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -304,6 +304,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "83AS"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83HN"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +@@ -353,7 +360,7 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "M5402RA"), + } + }, +- { ++ { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), +-- +2.39.5 + diff --git a/queue-6.1/asoc-tas2770-power-cycle-amp-on-isense-vsense-change.patch b/queue-6.1/asoc-tas2770-power-cycle-amp-on-isense-vsense-change.patch new file mode 100644 index 0000000000..9a32056450 --- /dev/null +++ b/queue-6.1/asoc-tas2770-power-cycle-amp-on-isense-vsense-change.patch @@ -0,0 +1,73 @@ +From 32a268287e2c03e07e429ba62544a2991f8d3d6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Apr 2025 09:15:05 +1000 +Subject: ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change + +From: Hector Martin + +[ Upstream commit f529c91be8a34ac12e7599bf87c65b6f4a2c9f5c ] + +The ISENSE/VSENSE blocks are only powered up when the amplifier +transitions from shutdown to active. This means that if those controls +are flipped on while the amplifier is already playing back audio, they +will have no effect. + +Fix this by forcing a power cycle around transitions in those controls. + +Reviewed-by: Neal Gompa +Signed-off-by: Hector Martin +Signed-off-by: James Calligeros +Link: https://patch.msgid.link/20250406-apple-codec-changes-v5-1-50a00ec850a3@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2770.c | 30 ++++++++++++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tas2770.c b/sound/soc/codecs/tas2770.c +index e284a3a854591..8bd98e9817c97 100644 +--- a/sound/soc/codecs/tas2770.c ++++ b/sound/soc/codecs/tas2770.c +@@ -158,11 +158,37 @@ static const struct snd_kcontrol_new isense_switch = + static const struct snd_kcontrol_new vsense_switch = + SOC_DAPM_SINGLE("Switch", TAS2770_PWR_CTRL, 2, 1, 1); + ++static int sense_event(struct snd_soc_dapm_widget *w, ++ struct snd_kcontrol *kcontrol, int event) ++{ ++ struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); ++ struct tas2770_priv *tas2770 = snd_soc_component_get_drvdata(component); ++ ++ /* ++ * Powering up ISENSE/VSENSE requires a trip through the shutdown state. ++ * Do that here to ensure that our changes are applied properly, otherwise ++ * we might end up with non-functional IVSENSE if playback started earlier, ++ * which would break software speaker protection. ++ */ ++ switch (event) { ++ case SND_SOC_DAPM_PRE_REG: ++ return snd_soc_component_update_bits(component, TAS2770_PWR_CTRL, ++ TAS2770_PWR_CTRL_MASK, ++ TAS2770_PWR_CTRL_SHUTDOWN); ++ case SND_SOC_DAPM_POST_REG: ++ return tas2770_update_pwr_ctrl(tas2770); ++ default: ++ return 0; ++ } ++} ++ + static const struct snd_soc_dapm_widget tas2770_dapm_widgets[] = { + SND_SOC_DAPM_AIF_IN("ASI1", "ASI1 Playback", 0, SND_SOC_NOPM, 0, 0), + SND_SOC_DAPM_MUX("ASI1 Sel", SND_SOC_NOPM, 0, 0, &tas2770_asi1_mux), +- SND_SOC_DAPM_SWITCH("ISENSE", TAS2770_PWR_CTRL, 3, 1, &isense_switch), +- SND_SOC_DAPM_SWITCH("VSENSE", TAS2770_PWR_CTRL, 2, 1, &vsense_switch), ++ SND_SOC_DAPM_SWITCH_E("ISENSE", TAS2770_PWR_CTRL, 3, 1, &isense_switch, ++ sense_event, SND_SOC_DAPM_PRE_REG | SND_SOC_DAPM_POST_REG), ++ SND_SOC_DAPM_SWITCH_E("VSENSE", TAS2770_PWR_CTRL, 2, 1, &vsense_switch, ++ sense_event, SND_SOC_DAPM_PRE_REG | SND_SOC_DAPM_POST_REG), + SND_SOC_DAPM_DAC_E("DAC", NULL, SND_SOC_NOPM, 0, 0, tas2770_dac_event, + SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD), + SND_SOC_DAPM_OUTPUT("OUT"), +-- +2.39.5 + diff --git a/queue-6.1/asoc-tegra210_ahub-add-check-to-of_device_get_match_.patch b/queue-6.1/asoc-tegra210_ahub-add-check-to-of_device_get_match_.patch new file mode 100644 index 0000000000..e99cbf52b3 --- /dev/null +++ b/queue-6.1/asoc-tegra210_ahub-add-check-to-of_device_get_match_.patch @@ -0,0 +1,36 @@ +From 43266fb82c24993125149e14f0370fc62d7643d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 20:37:44 +0800 +Subject: ASoC: tegra210_ahub: Add check to of_device_get_match_data() + +From: Yuanjun Gong + +[ Upstream commit 04cb269c204398763a620d426cbee43064854000 ] + +In tegra_ahub_probe(), check the result of function +of_device_get_match_data(), return an error code in case it fails. + +Signed-off-by: Yuanjun Gong +Link: https://patch.msgid.link/20250513123744.3041724-1-ruc_gongyuanjun@163.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/tegra/tegra210_ahub.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/tegra/tegra210_ahub.c b/sound/soc/tegra/tegra210_ahub.c +index dfdcb4580cd75..4be5683504154 100644 +--- a/sound/soc/tegra/tegra210_ahub.c ++++ b/sound/soc/tegra/tegra210_ahub.c +@@ -1369,6 +1369,8 @@ static int tegra_ahub_probe(struct platform_device *pdev) + return -ENOMEM; + + ahub->soc_data = of_device_get_match_data(&pdev->dev); ++ if (!ahub->soc_data) ++ return -ENODEV; + + platform_set_drvdata(pdev, ahub); + +-- +2.39.5 + diff --git a/queue-6.1/bpf-check-rcu_read_lock_trace_held-in-bpf_map_lookup.patch b/queue-6.1/bpf-check-rcu_read_lock_trace_held-in-bpf_map_lookup.patch new file mode 100644 index 0000000000..55d4089780 --- /dev/null +++ b/queue-6.1/bpf-check-rcu_read_lock_trace_held-in-bpf_map_lookup.patch @@ -0,0 +1,43 @@ +From cbe2c41e15840834dcec8aeee218b3694d3bd48e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 14:25:34 +0800 +Subject: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() + +From: Hou Tao + +[ Upstream commit d4965578267e2e81f67c86e2608481e77e9c8569 ] + +bpf_map_lookup_percpu_elem() helper is also available for sleepable bpf +program. When BPF JIT is disabled or under 32-bit host, +bpf_map_lookup_percpu_elem() will not be inlined. Using it in a +sleepable bpf program will trigger the warning in +bpf_map_lookup_percpu_elem(), because the bpf program only holds +rcu_read_lock_trace lock. Therefore, add the missed check. + +Reported-by: syzbot+dce5aae19ae4d6399986@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/bpf/000000000000176a130617420310@google.com/ +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20250526062534.1105938-1-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/helpers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 4fef0a0155255..94e85d311641b 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -125,7 +125,8 @@ const struct bpf_func_proto bpf_map_peek_elem_proto = { + + BPF_CALL_3(bpf_map_lookup_percpu_elem, struct bpf_map *, map, void *, key, u32, cpu) + { +- WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held()); ++ WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_trace_held() && ++ !rcu_read_lock_bh_held()); + return (unsigned long) map->ops->map_lookup_percpu_elem(map, key, cpu); + } + +-- +2.39.5 + diff --git a/queue-6.1/bpf-sockmap-fix-data-lost-during-eagain-retries.patch b/queue-6.1/bpf-sockmap-fix-data-lost-during-eagain-retries.patch new file mode 100644 index 0000000000..c7d44ffd08 --- /dev/null +++ b/queue-6.1/bpf-sockmap-fix-data-lost-during-eagain-retries.patch @@ -0,0 +1,68 @@ +From 8fd7f46be483fd58228fcd611662d74997ebfa3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 22:21:20 +0800 +Subject: bpf, sockmap: Fix data lost during EAGAIN retries + +From: Jiayuan Chen + +[ Upstream commit 7683167196bd727ad5f3c3fc6a9ca70f54520a81 ] + +We call skb_bpf_redirect_clear() to clean _sk_redir before handling skb in +backlog, but when sk_psock_handle_skb() return EAGAIN due to sk_rcvbuf +limit, the redirect info in _sk_redir is not recovered. + +Fix skb redir loss during EAGAIN retries by restoring _sk_redir +information using skb_bpf_set_redir(). + +Before this patch: +''' +./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress +Setting up benchmark 'sockmap'... +create socket fd c1:13 p1:14 c2:15 p2:16 +Benchmark 'sockmap' started. +Send Speed 1343.172 MB/s, BPF Speed 1343.238 MB/s, Rcv Speed 65.271 MB/s +Send Speed 1352.022 MB/s, BPF Speed 1352.088 MB/s, Rcv Speed 0 MB/s +Send Speed 1354.105 MB/s, BPF Speed 1354.105 MB/s, Rcv Speed 0 MB/s +Send Speed 1355.018 MB/s, BPF Speed 1354.887 MB/s, Rcv Speed 0 MB/s +''' +Due to the high send rate, the RX processing path may frequently hit the +sk_rcvbuf limit. Once triggered, incorrect _sk_redir will cause the flow +to mistakenly enter the "!ingress" path, leading to send failures. +(The Rcv speed depends on tcp_rmem). + +After this patch: +''' +./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress +Setting up benchmark 'sockmap'... +create socket fd c1:13 p1:14 c2:15 p2:16 +Benchmark 'sockmap' started. +Send Speed 1347.236 MB/s, BPF Speed 1347.367 MB/s, Rcv Speed 65.402 MB/s +Send Speed 1353.320 MB/s, BPF Speed 1353.320 MB/s, Rcv Speed 65.536 MB/s +Send Speed 1353.186 MB/s, BPF Speed 1353.121 MB/s, Rcv Speed 65.536 MB/s +''' + +Signed-off-by: Jiayuan Chen +Link: https://lore.kernel.org/r/20250407142234.47591-2-jiayuan.chen@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index e5ba57a5db126..2aa6262f19e84 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -688,7 +688,8 @@ static void sk_psock_backlog(struct work_struct *work) + if (ret <= 0) { + if (ret == -EAGAIN) { + sk_psock_skb_state(psock, state, len, off); +- ++ /* Restore redir info we cleared before */ ++ skb_bpf_set_redir(skb, psock->sk, ingress); + /* Delay slightly to prioritize any + * other work that might be here. + */ +-- +2.39.5 + diff --git a/queue-6.1/bpftool-fix-cgroup-command-to-only-show-cgroup-bpf-p.patch b/queue-6.1/bpftool-fix-cgroup-command-to-only-show-cgroup-bpf-p.patch new file mode 100644 index 0000000000..c81d3aa99d --- /dev/null +++ b/queue-6.1/bpftool-fix-cgroup-command-to-only-show-cgroup-bpf-p.patch @@ -0,0 +1,112 @@ +From 8c1fd37afb7705ae17ecd47c8b21b2829ad93469 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 13:32:32 -0700 +Subject: bpftool: Fix cgroup command to only show cgroup bpf programs + +From: Martin KaFai Lau + +[ Upstream commit b69d4413aa1961930fbf9ffad8376d577378daf9 ] + +The netkit program is not a cgroup bpf program and should not be shown +in the output of the "bpftool cgroup show" command. + +However, if the netkit device happens to have ifindex 3, +the "bpftool cgroup show" command will output the netkit +bpf program as well: + +> ip -d link show dev nk1 +3: nk1@if2: ... + link/ether ... + netkit mode ... + +> bpftool net show +tc: +nk1(3) netkit/peer tw_ns_nk2phy prog_id 469447 + +> bpftool cgroup show /sys/fs/cgroup/... +ID AttachType AttachFlags Name +... ... ... +469447 netkit_peer tw_ns_nk2phy + +The reason is that the target_fd (which is the cgroup_fd here) and +the target_ifindex are in a union in the uapi/linux/bpf.h. The bpftool +iterates all values in "enum bpf_attach_type" which includes +non cgroup attach types like netkit. The cgroup_fd is usually 3 here, +so the bug is triggered when the netkit ifindex just happens +to be 3 as well. + +The bpftool's cgroup.c already has a list of cgroup-only attach type +defined in "cgroup_attach_types[]". This patch fixes it by iterating +over "cgroup_attach_types[]" instead of "__MAX_BPF_ATTACH_TYPE". + +Cc: Quentin Monnet +Reported-by: Takshak Chahande +Signed-off-by: Martin KaFai Lau +Acked-by: Daniel Borkmann +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/r/20250507203232.1420762-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/cgroup.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c +index b46a998d8f8df..d157f58ec7d5a 100644 +--- a/tools/bpf/bpftool/cgroup.c ++++ b/tools/bpf/bpftool/cgroup.c +@@ -284,11 +284,11 @@ static int show_bpf_progs(int cgroup_fd, enum bpf_attach_type type, + + static int do_show(int argc, char **argv) + { +- enum bpf_attach_type type; + int has_attached_progs; + const char *path; + int cgroup_fd; + int ret = -1; ++ unsigned int i; + + query_flags = 0; + +@@ -336,14 +336,14 @@ static int do_show(int argc, char **argv) + "AttachFlags", "Name"); + + btf_vmlinux = libbpf_find_kernel_btf(); +- for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) { ++ for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) { + /* + * Not all attach types may be supported, so it's expected, + * that some requests will fail. + * If we were able to get the show for at least one + * attach type, let's return 0. + */ +- if (show_bpf_progs(cgroup_fd, type, 0) == 0) ++ if (show_bpf_progs(cgroup_fd, cgroup_attach_types[i], 0) == 0) + ret = 0; + } + +@@ -366,9 +366,9 @@ static int do_show(int argc, char **argv) + static int do_show_tree_fn(const char *fpath, const struct stat *sb, + int typeflag, struct FTW *ftw) + { +- enum bpf_attach_type type; + int has_attached_progs; + int cgroup_fd; ++ unsigned int i; + + if (typeflag != FTW_D) + return 0; +@@ -400,8 +400,8 @@ static int do_show_tree_fn(const char *fpath, const struct stat *sb, + } + + btf_vmlinux = libbpf_find_kernel_btf(); +- for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) +- show_bpf_progs(cgroup_fd, type, ftw->level); ++ for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) ++ show_bpf_progs(cgroup_fd, cgroup_attach_types[i], ftw->level); + + if (errno == EINVAL) + /* Last attach type does not support query. +-- +2.39.5 + diff --git a/queue-6.1/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch b/queue-6.1/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch new file mode 100644 index 0000000000..36a5652be6 --- /dev/null +++ b/queue-6.1/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch @@ -0,0 +1,40 @@ +From abfac463b527ce8657d06f4ed1070b8da68473cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 13:58:14 +0300 +Subject: bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value + +From: Laurentiu Tudor + +[ Upstream commit 23d060136841c58c2f9ee8c08ad945d1879ead4b ] + +In case the MC firmware runs in debug mode with extensive prints pushed +to the console, the current timeout of 500ms is not enough. +Increase the timeout value so that we don't have any chance of wrongly +assuming that the firmware is not responding when it's just taking more +time. + +Signed-off-by: Laurentiu Tudor +Signed-off-by: Ioana Ciornei +Link: https://lore.kernel.org/r/20250408105814.2837951-7-ioana.ciornei@nxp.com +Signed-off-by: Christophe Leroy +Signed-off-by: Sasha Levin +--- + drivers/bus/fsl-mc/mc-sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bus/fsl-mc/mc-sys.c b/drivers/bus/fsl-mc/mc-sys.c +index f2052cd0a0517..b22c59d57c8f0 100644 +--- a/drivers/bus/fsl-mc/mc-sys.c ++++ b/drivers/bus/fsl-mc/mc-sys.c +@@ -19,7 +19,7 @@ + /* + * Timeout in milliseconds to wait for the completion of an MC command + */ +-#define MC_CMD_COMPLETION_TIMEOUT_MS 500 ++#define MC_CMD_COMPLETION_TIMEOUT_MS 15000 + + /* + * usleep_range() min and max values used to throttle down polling +-- +2.39.5 + diff --git a/queue-6.1/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch b/queue-6.1/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch new file mode 100644 index 0000000000..9a07e52e8d --- /dev/null +++ b/queue-6.1/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch @@ -0,0 +1,37 @@ +From be4c1c25bb5c0daa8840ca9f6ba94fa9200b9f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 May 2025 22:25:31 +0200 +Subject: clk: rockchip: rk3036: mark ddrphy as critical + +From: Heiko Stuebner + +[ Upstream commit 596a977b34a722c00245801a5774aa79cec4e81d ] + +The ddrphy is supplied by the dpll, but due to the limited number of PLLs +on the rk3036, the dpll also is used for other periperhals, like the GPU. + +So it happened, when the Lima driver turned off the gpu clock, this in +turn also disabled the dpll and thus the ram. + +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250503202532.992033-4-heiko@sntech.de +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3036.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/rockchip/clk-rk3036.c b/drivers/clk/rockchip/clk-rk3036.c +index d644bc155ec6e..f5f27535087a3 100644 +--- a/drivers/clk/rockchip/clk-rk3036.c ++++ b/drivers/clk/rockchip/clk-rk3036.c +@@ -431,6 +431,7 @@ static const char *const rk3036_critical_clocks[] __initconst = { + "hclk_peri", + "pclk_peri", + "pclk_ddrupctl", ++ "ddrphy", + }; + + static void __init rk3036_clk_init(struct device_node *np) +-- +2.39.5 + diff --git a/queue-6.1/clocksource-fix-the-cpus-choice-in-the-watchdog-per-.patch b/queue-6.1/clocksource-fix-the-cpus-choice-in-the-watchdog-per-.patch new file mode 100644 index 0000000000..73b2009319 --- /dev/null +++ b/queue-6.1/clocksource-fix-the-cpus-choice-in-the-watchdog-per-.patch @@ -0,0 +1,60 @@ +From c4a57aea8e7c631a2a32adb85aa92cd6e1c7f453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Mar 2025 14:36:24 -0300 +Subject: clocksource: Fix the CPUs' choice in the watchdog per CPU + verification + +From: Guilherme G. Piccoli + +[ Upstream commit 08d7becc1a6b8c936e25d827becabfe3bff72a36 ] + +Right now, if the clocksource watchdog detects a clocksource skew, it might +perform a per CPU check, for example in the TSC case on x86. In other +words: supposing TSC is detected as unstable by the clocksource watchdog +running at CPU1, as part of marking TSC unstable the kernel will also run a +check of TSC readings on some CPUs to be sure it is synced between them +all. + +But that check happens only on some CPUs, not all of them; this choice is +based on the parameter "verify_n_cpus" and in some random cpumask +calculation. So, the watchdog runs such per CPU checks on up to +"verify_n_cpus" random CPUs among all online CPUs, with the risk of +repeating CPUs (that aren't double checked) in the cpumask random +calculation. + +But if "verify_n_cpus" > num_online_cpus(), it should skip the random +calculation and just go ahead and check the clocksource sync between +all online CPUs, without the risk of skipping some CPUs due to +duplicity in the random cpumask calculation. + +Tests in a 4 CPU laptop with TSC skew detected led to some cases of the per +CPU verification skipping some CPU even with verify_n_cpus=8, due to the +duplicity on random cpumask generation. Skipping the randomization when the +number of online CPUs is smaller than verify_n_cpus, solves that. + +Suggested-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Guilherme G. Piccoli +Signed-off-by: Thomas Gleixner +Reviewed-by: Paul E. McKenney +Link: https://lore.kernel.org/all/20250323173857.372390-1-gpiccoli@igalia.com +Signed-off-by: Sasha Levin +--- + kernel/time/clocksource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index 9e221a97d2274..e89fd0bbc3b35 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -285,7 +285,7 @@ static void clocksource_verify_choose_cpus(void) + { + int cpu, i, n = verify_n_cpus; + +- if (n < 0) { ++ if (n < 0 || n >= num_online_cpus()) { + /* Check all of the CPUs. */ + cpumask_copy(&cpus_chosen, cpu_online_mask); + cpumask_clear_cpu(smp_processor_id(), &cpus_chosen); +-- +2.39.5 + diff --git a/queue-6.1/cpufreq-scmi-skip-scmi-devices-that-aren-t-used-by-t.patch b/queue-6.1/cpufreq-scmi-skip-scmi-devices-that-aren-t-used-by-t.patch new file mode 100644 index 0000000000..69ed19b82e --- /dev/null +++ b/queue-6.1/cpufreq-scmi-skip-scmi-devices-that-aren-t-used-by-t.patch @@ -0,0 +1,89 @@ +From 020bdee34aac180d076eba4b9f48639613a7c10a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 20:53:12 -0700 +Subject: cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs + +From: Mike Tipton + +[ Upstream commit 6c9bb86922728c7a4cceb99f131e00dd87514f20 ] + +Currently, all SCMI devices with performance domains attempt to register +a cpufreq driver, even if their performance domains aren't used to +control the CPUs. The cpufreq framework only supports registering a +single driver, so only the first device will succeed. And if that device +isn't used for the CPUs, then cpufreq will scale the wrong domains. + +To avoid this, return early from scmi_cpufreq_probe() if the probing +SCMI device isn't referenced by the CPU device phandles. + +This keeps the existing assumption that all CPUs are controlled by a +single SCMI device. + +Signed-off-by: Mike Tipton +Reviewed-by: Peng Fan +Reviewed-by: Cristian Marussi +Reviewed-by: Sudeep Holla +Tested-by: Cristian Marussi +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/scmi-cpufreq.c | 36 +++++++++++++++++++++++++++++++++- + 1 file changed, 35 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c +index e4989764efe2a..6ff77003a96ea 100644 +--- a/drivers/cpufreq/scmi-cpufreq.c ++++ b/drivers/cpufreq/scmi-cpufreq.c +@@ -299,6 +299,40 @@ static struct cpufreq_driver scmi_cpufreq_driver = { + .register_em = scmi_cpufreq_register_em, + }; + ++static bool scmi_dev_used_by_cpus(struct device *scmi_dev) ++{ ++ struct device_node *scmi_np = dev_of_node(scmi_dev); ++ struct device_node *cpu_np, *np; ++ struct device *cpu_dev; ++ int cpu, idx; ++ ++ if (!scmi_np) ++ return false; ++ ++ for_each_possible_cpu(cpu) { ++ cpu_dev = get_cpu_device(cpu); ++ if (!cpu_dev) ++ continue; ++ ++ cpu_np = dev_of_node(cpu_dev); ++ ++ np = of_parse_phandle(cpu_np, "clocks", 0); ++ of_node_put(np); ++ ++ if (np == scmi_np) ++ return true; ++ ++ idx = of_property_match_string(cpu_np, "power-domain-names", "perf"); ++ np = of_parse_phandle(cpu_np, "power-domains", idx); ++ of_node_put(np); ++ ++ if (np == scmi_np) ++ return true; ++ } ++ ++ return false; ++} ++ + static int scmi_cpufreq_probe(struct scmi_device *sdev) + { + int ret; +@@ -307,7 +341,7 @@ static int scmi_cpufreq_probe(struct scmi_device *sdev) + + handle = sdev->handle; + +- if (!handle) ++ if (!handle || !scmi_dev_used_by_cpus(dev)) + return -ENODEV; + + perf_ops = handle->devm_protocol_get(sdev, SCMI_PROTOCOL_PERF, &ph); +-- +2.39.5 + diff --git a/queue-6.1/emulex-benet-correct-command-version-selection-in-be.patch b/queue-6.1/emulex-benet-correct-command-version-selection-in-be.patch new file mode 100644 index 0000000000..6272d4333f --- /dev/null +++ b/queue-6.1/emulex-benet-correct-command-version-selection-in-be.patch @@ -0,0 +1,39 @@ +From 7575c67ad00bf380be67c5a0880dfc7eb82da27d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 07:17:19 -0700 +Subject: emulex/benet: correct command version selection in be_cmd_get_stats() + +From: Alok Tiwari + +[ Upstream commit edb888d29748cee674006a52e544925dacc7728e ] + +Logic here always sets hdr->version to 2 if it is not a BE3 or Lancer chip, +even if it is BE2. Use 'else if' to prevent multiple assignments, setting +version 0 for BE2, version 1 for BE3 and Lancer, and version 2 for others. +Fixes potential incorrect version setting when BE2_chip and +BE3_chip/lancer_chip checks could both be true. + +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250519141731.691136-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index d00f4e29c9d88..17098cd89dfff 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -1608,7 +1608,7 @@ int be_cmd_get_stats(struct be_adapter *adapter, struct be_dma_mem *nonemb_cmd) + /* version 1 of the cmd is not supported only by BE2 */ + if (BE2_chip(adapter)) + hdr->version = 0; +- if (BE3_chip(adapter) || lancer_chip(adapter)) ++ else if (BE3_chip(adapter) || lancer_chip(adapter)) + hdr->version = 1; + else + hdr->version = 2; +-- +2.39.5 + diff --git a/queue-6.1/fbcon-make-sure-modelist-not-set-on-unregistered-con.patch b/queue-6.1/fbcon-make-sure-modelist-not-set-on-unregistered-con.patch new file mode 100644 index 0000000000..547bc28635 --- /dev/null +++ b/queue-6.1/fbcon-make-sure-modelist-not-set-on-unregistered-con.patch @@ -0,0 +1,65 @@ +From f8d8843932d8d168a2264153bae2ad2488cd8521 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 13:06:47 -0700 +Subject: fbcon: Make sure modelist not set on unregistered console + +From: Kees Cook + +[ Upstream commit cedc1b63394a866bf8663a3e40f4546f1d28c8d8 ] + +It looks like attempting to write to the "store_modes" sysfs node will +run afoul of unregistered consoles: + +UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 +index -1 is out of range for type 'fb_info *[32]' +... + fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122 + fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048 + fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673 + store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113 + dev_attr_store+0x55/0x80 drivers/base/core.c:2439 + +static struct fb_info *fbcon_registered_fb[FB_MAX]; +... +static signed char con2fb_map[MAX_NR_CONSOLES]; +... +static struct fb_info *fbcon_info_from_console(int console) +... + return fbcon_registered_fb[con2fb_map[console]]; + +If con2fb_map contains a -1 things go wrong here. Instead, return NULL, +as callers of fbcon_info_from_console() are trying to compare against +existing "info" pointers, so error handling should kick in correctly. + +Reported-by: syzbot+a7d4444e7b6e743572f7@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/679d0a8f.050a0220.163cdc.000c.GAE@google.com/ +Signed-off-by: Kees Cook +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbcon.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c +index 538e932055ca5..3f9d2178d3871 100644 +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -115,9 +115,14 @@ static signed char con2fb_map_boot[MAX_NR_CONSOLES]; + + static struct fb_info *fbcon_info_from_console(int console) + { ++ signed char fb; + WARN_CONSOLE_UNLOCKED(); + +- return fbcon_registered_fb[con2fb_map[console]]; ++ fb = con2fb_map[console]; ++ if (fb < 0 || fb >= ARRAY_SIZE(fbcon_registered_fb)) ++ return NULL; ++ ++ return fbcon_registered_fb[fb]; + } + + static int logo_lines; +-- +2.39.5 + diff --git a/queue-6.1/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch b/queue-6.1/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch new file mode 100644 index 0000000000..b0516e37c1 --- /dev/null +++ b/queue-6.1/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch @@ -0,0 +1,79 @@ +From 4704a82295b370d52fac8b216ae29ee171b204d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Apr 2025 10:33:03 +0800 +Subject: i2c: designware: Invoke runtime suspend on quick slave + re-registration + +From: Tan En De + +[ Upstream commit 2fe2b969d911a09abcd6a47401a3c66c38a310e6 ] + +Replaced pm_runtime_put() with pm_runtime_put_sync_suspend() to ensure +the runtime suspend is invoked immediately when unregistering a slave. +This prevents a race condition where suspend was skipped when +unregistering and registering slave in quick succession. + +For example, consider the rapid sequence of +`delete_device -> new_device -> delete_device -> new_device`. +In this sequence, it is observed that the dw_i2c_plat_runtime_suspend() +might not be invoked after `delete_device` operation. + +This is because after `delete_device` operation, when the +pm_runtime_put() is about to trigger suspend, the following `new_device` +operation might race and cancel the suspend. + +If that happens, during the `new_device` operation, +dw_i2c_plat_runtime_resume() is skipped (since there was no suspend), which +means `i_dev->init()`, i.e. i2c_dw_init_slave(), is skipped. +Since i2c_dw_init_slave() is skipped, i2c_dw_configure_fifo_slave() is +skipped too, which leaves `DW_IC_INTR_MASK` unconfigured. If we inspect +the interrupt mask register using devmem, it will show as zero. + +Example shell script to reproduce the issue: +``` + #!/bin/sh + + SLAVE_LADDR=0x1010 + SLAVE_BUS=13 + NEW_DEVICE=/sys/bus/i2c/devices/i2c-$SLAVE_BUS/new_device + DELETE_DEVICE=/sys/bus/i2c/devices/i2c-$SLAVE_BUS/delete_device + + # Create initial device + echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE + sleep 2 + + # Rapid sequence of + # delete_device -> new_device -> delete_device -> new_device + echo $SLAVE_LADDR > $DELETE_DEVICE + echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE + echo $SLAVE_LADDR > $DELETE_DEVICE + echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE + + # Using devmem to inspect IC_INTR_MASK will show as zero +``` + +Signed-off-by: Tan En De +Acked-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20250412023303.378600-1-ende.tan@starfivetech.com +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-slave.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c +index 5b54a9b9ed1a3..09b8ccc040c6e 100644 +--- a/drivers/i2c/busses/i2c-designware-slave.c ++++ b/drivers/i2c/busses/i2c-designware-slave.c +@@ -97,7 +97,7 @@ static int i2c_dw_unreg_slave(struct i2c_client *slave) + dev->disable(dev); + synchronize_irq(dev->irq); + dev->slave = NULL; +- pm_runtime_put(dev->dev); ++ pm_runtime_put_sync_suspend(dev->dev); + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.1/i2c-npcm-add-clock-toggle-recovery.patch b/queue-6.1/i2c-npcm-add-clock-toggle-recovery.patch new file mode 100644 index 0000000000..e68524eaad --- /dev/null +++ b/queue-6.1/i2c-npcm-add-clock-toggle-recovery.patch @@ -0,0 +1,49 @@ +From 68c54481b6816feb8e298212acd5d7e19a5347c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 19:32:50 +0000 +Subject: i2c: npcm: Add clock toggle recovery + +From: Tali Perry + +[ Upstream commit 38010591a0fc3203f1cee45b01ab358b72dd9ab2 ] + +During init of the bus, the module checks that the bus is idle. +If one of the lines are stuck try to recover them first before failing. +Sometimes SDA and SCL are low if improper reset occurs (e.g., reboot). + +Signed-off-by: Tali Perry +Signed-off-by: Mohammed Elbadry +Reviewed-by: Mukesh Kumar Savaliya +Link: https://lore.kernel.org/r/20250328193252.1570811-1-mohammed.0.elbadry@gmail.com +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-npcm7xx.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-npcm7xx.c b/drivers/i2c/busses/i2c-npcm7xx.c +index 0947e3d155c56..828234d1ee477 100644 +--- a/drivers/i2c/busses/i2c-npcm7xx.c ++++ b/drivers/i2c/busses/i2c-npcm7xx.c +@@ -1973,10 +1973,14 @@ static int npcm_i2c_init_module(struct npcm_i2c *bus, enum i2c_mode mode, + + /* Check HW is OK: SDA and SCL should be high at this point. */ + if ((npcm_i2c_get_SDA(&bus->adap) == 0) || (npcm_i2c_get_SCL(&bus->adap) == 0)) { +- dev_err(bus->dev, "I2C%d init fail: lines are low\n", bus->num); +- dev_err(bus->dev, "SDA=%d SCL=%d\n", npcm_i2c_get_SDA(&bus->adap), +- npcm_i2c_get_SCL(&bus->adap)); +- return -ENXIO; ++ dev_warn(bus->dev, " I2C%d SDA=%d SCL=%d, attempting to recover\n", bus->num, ++ npcm_i2c_get_SDA(&bus->adap), npcm_i2c_get_SCL(&bus->adap)); ++ if (npcm_i2c_recovery_tgclk(&bus->adap)) { ++ dev_err(bus->dev, "I2C%d init fail: SDA=%d SCL=%d\n", ++ bus->num, npcm_i2c_get_SDA(&bus->adap), ++ npcm_i2c_get_SCL(&bus->adap)); ++ return -ENXIO; ++ } + } + + npcm_i2c_int_enable(bus, true); +-- +2.39.5 + diff --git a/queue-6.1/i2c-tegra-check-msg-length-in-smbus-block-read.patch b/queue-6.1/i2c-tegra-check-msg-length-in-smbus-block-read.patch new file mode 100644 index 0000000000..0b4e7f1fba --- /dev/null +++ b/queue-6.1/i2c-tegra-check-msg-length-in-smbus-block-read.patch @@ -0,0 +1,40 @@ +From 70c4b4f75fe9a5b2a00f6bba4119152530a95e08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 11:03:20 +0530 +Subject: i2c: tegra: check msg length in SMBUS block read + +From: Akhil R + +[ Upstream commit a6e04f05ce0b070ab39d5775580e65c7d943da0b ] + +For SMBUS block read, do not continue to read if the message length +passed from the device is '0' or greater than the maximum allowed bytes. + +Signed-off-by: Akhil R +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20250424053320.19211-1-akhilrajeev@nvidia.com +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-tegra.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c +index f7b4977d66496..b8726167cf739 100644 +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -1425,6 +1425,11 @@ static int tegra_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], + ret = tegra_i2c_xfer_msg(i2c_dev, &msgs[i], MSG_END_CONTINUE); + if (ret) + break; ++ ++ /* Validate message length before proceeding */ ++ if (msgs[i].buf[0] == 0 || msgs[i].buf[0] > I2C_SMBUS_BLOCK_MAX) ++ break; ++ + /* Set the msg length from first byte */ + msgs[i].len += msgs[i].buf[0]; + dev_dbg(i2c_dev->dev, "reading %d bytes\n", msgs[i].len); +-- +2.39.5 + diff --git a/queue-6.1/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch b/queue-6.1/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch new file mode 100644 index 0000000000..c74c30710b --- /dev/null +++ b/queue-6.1/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch @@ -0,0 +1,48 @@ +From 9cbbd3b9a2174aede861e8869b2afea4023abd28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 14:16:02 +0900 +Subject: i40e: fix MMIO write access to an invalid page in i40e_clear_hw + +From: Kyungwook Boo + +[ Upstream commit 015bac5daca978448f2671478c553ce1f300c21e ] + +When the device sends a specific input, an integer underflow can occur, leading +to MMIO write access to an invalid page. + +Prevent the integer underflow by changing the type of related variables. + +Signed-off-by: Kyungwook Boo +Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ +Reviewed-by: Przemek Kitszel +Reviewed-by: Simon Horman +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c +index 6266756b47b9d..a707974e42794 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_common.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c +@@ -1063,10 +1063,11 @@ int i40e_pf_reset(struct i40e_hw *hw) + void i40e_clear_hw(struct i40e_hw *hw) + { + u32 num_queues, base_queue; +- u32 num_pf_int; +- u32 num_vf_int; ++ s32 num_pf_int; ++ s32 num_vf_int; + u32 num_vfs; +- u32 i, j; ++ s32 i; ++ u32 j; + u32 val; + u32 eol = 0x7ff; + +-- +2.39.5 + diff --git a/queue-6.1/ice-fix-check-for-existing-switch-rule.patch b/queue-6.1/ice-fix-check-for-existing-switch-rule.patch new file mode 100644 index 0000000000..78af3ebc87 --- /dev/null +++ b/queue-6.1/ice-fix-check-for-existing-switch-rule.patch @@ -0,0 +1,56 @@ +From 33a2c92894ab5cac79f9bf697876038e1aef2010 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 09:50:35 +0100 +Subject: ice: fix check for existing switch rule + +From: Mateusz Pacuszka + +[ Upstream commit a808691df39b52cd9db861b118e88e18b63e2299 ] + +In case the rule already exists and another VSI wants to subscribe to it +new VSI list is being created and both VSIs are moved to it. +Currently, the check for already existing VSI with the same rule is done +based on fdw_id.hw_vsi_id, which applies only to LOOKUP_RX flag. +Change it to vsi_handle. This is software VSI ID, but it can be applied +here, because vsi_map itself is also based on it. + +Additionally change return status in case the VSI already exists in the +VSI map to "Already exists". Such case should be handled by the caller. + +Signed-off-by: Mateusz Pacuszka +Reviewed-by: Przemek Kitszel +Reviewed-by: Michal Swiatkowski +Signed-off-by: Larysa Zaremba +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_switch.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_switch.c b/drivers/net/ethernet/intel/ice/ice_switch.c +index 3a29ae46fb397..11dda98e70e5a 100644 +--- a/drivers/net/ethernet/intel/ice/ice_switch.c ++++ b/drivers/net/ethernet/intel/ice/ice_switch.c +@@ -3013,7 +3013,7 @@ ice_add_update_vsi_list(struct ice_hw *hw, + u16 vsi_handle_arr[2]; + + /* A rule already exists with the new VSI being added */ +- if (cur_fltr->fwd_id.hw_vsi_id == new_fltr->fwd_id.hw_vsi_id) ++ if (cur_fltr->vsi_handle == new_fltr->vsi_handle) + return -EEXIST; + + vsi_handle_arr[0] = cur_fltr->vsi_handle; +@@ -6014,7 +6014,7 @@ ice_adv_add_update_vsi_list(struct ice_hw *hw, + + /* A rule already exists with the new VSI being added */ + if (test_bit(vsi_handle, m_entry->vsi_list_info->vsi_map)) +- return 0; ++ return -EEXIST; + + /* Update the previously created VSI list set with + * the new VSI ID passed in +-- +2.39.5 + diff --git a/queue-6.1/iommu-amd-ensure-ga-log-notifier-callbacks-finish-ru.patch b/queue-6.1/iommu-amd-ensure-ga-log-notifier-callbacks-finish-ru.patch new file mode 100644 index 0000000000..aeb6e2e93d --- /dev/null +++ b/queue-6.1/iommu-amd-ensure-ga-log-notifier-callbacks-finish-ru.patch @@ -0,0 +1,43 @@ +From 3df013de535b6d2cc11bfcbf1fcc741350d6883d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 20:10:48 -0700 +Subject: iommu/amd: Ensure GA log notifier callbacks finish running before + module unload + +From: Sean Christopherson + +[ Upstream commit 94c721ea03c7078163f41dbaa101ac721ddac329 ] + +Synchronize RCU when unregistering KVM's GA log notifier to ensure all +in-flight interrupt handlers complete before KVM-the module is unloaded. + +Signed-off-by: Sean Christopherson +Link: https://lore.kernel.org/r/20250315031048.2374109-1-seanjc@google.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index 4421b464947b8..b778023388715 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -770,6 +770,14 @@ int amd_iommu_register_ga_log_notifier(int (*notifier)(u32)) + { + iommu_ga_log_notifier = notifier; + ++ /* ++ * Ensure all in-flight IRQ handlers run to completion before returning ++ * to the caller, e.g. to ensure module code isn't unloaded while it's ++ * being executed in the IRQ handler. ++ */ ++ if (!notifier) ++ synchronize_rcu(); ++ + return 0; + } + EXPORT_SYMBOL(amd_iommu_register_ga_log_notifier); +-- +2.39.5 + diff --git a/queue-6.1/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch b/queue-6.1/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch new file mode 100644 index 0000000000..1da0418832 --- /dev/null +++ b/queue-6.1/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch @@ -0,0 +1,44 @@ +From 6291b24318b0a6cd3141684622b995b524f6fdba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 11:27:24 +0200 +Subject: ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT + +From: Sebastian Andrzej Siewior + +[ Upstream commit 1c0829788a6e6e165846b9bedd0b908ef16260b6 ] + +The statistics are incremented with raw_cpu_inc() assuming it always +happens with bottom half disabled. Without per-CPU locking in +local_bh_disable() on PREEMPT_RT this is no longer true. + +Use this_cpu_inc() on PREEMPT_RT for the increment to not worry about +preemption. + +Cc: David Ahern +Signed-off-by: Sebastian Andrzej Siewior +Link: https://patch.msgid.link/20250512092736.229935-4-bigeasy@linutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 4574dcba9f193..8701081010173 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -192,7 +192,11 @@ const __u8 ip_tos2prio[16] = { + EXPORT_SYMBOL(ip_tos2prio); + + static DEFINE_PER_CPU(struct rt_cache_stat, rt_cache_stat); ++#ifndef CONFIG_PREEMPT_RT + #define RT_CACHE_STAT_INC(field) raw_cpu_inc(rt_cache_stat.field) ++#else ++#define RT_CACHE_STAT_INC(field) this_cpu_inc(rt_cache_stat.field) ++#endif + + #ifdef CONFIG_PROC_FS + static void *rt_cache_seq_start(struct seq_file *seq, loff_t *pos) +-- +2.39.5 + diff --git a/queue-6.1/libbpf-add-identical-pointer-detection-to-btf_dedup_.patch b/queue-6.1/libbpf-add-identical-pointer-detection-to-btf_dedup_.patch new file mode 100644 index 0000000000..5fd61aab15 --- /dev/null +++ b/queue-6.1/libbpf-add-identical-pointer-detection-to-btf_dedup_.patch @@ -0,0 +1,71 @@ +From d3efaa1136b57c6986665c127280f8af0728dc05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 17:10:42 +0100 +Subject: libbpf: Add identical pointer detection to btf_dedup_is_equiv() + +From: Alan Maguire + +[ Upstream commit 8e64c387c942229c551d0f23de4d9993d3a2acb6 ] + +Recently as a side-effect of + +commit ac053946f5c4 ("compiler.h: introduce TYPEOF_UNQUAL() macro") + +issues were observed in deduplication between modules and kernel BTF +such that a large number of kernel types were not deduplicated so +were found in module BTF (task_struct, bpf_prog etc). The root cause +appeared to be a failure to dedup struct types, specifically those +with members that were pointers with __percpu annotations. + +The issue in dedup is at the point that we are deduplicating structures, +we have not yet deduplicated reference types like pointers. If multiple +copies of a pointer point at the same (deduplicated) integer as in this +case, we do not see them as identical. Special handling already exists +to deal with structures and arrays, so add pointer handling here too. + +Reported-by: Alexei Starovoitov +Signed-off-by: Alan Maguire +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250429161042.2069678-1-alan.maguire@oracle.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c +index 8224a797c2da5..f7e3209d6c641 100644 +--- a/tools/lib/bpf/btf.c ++++ b/tools/lib/bpf/btf.c +@@ -3939,6 +3939,19 @@ static bool btf_dedup_identical_structs(struct btf_dedup *d, __u32 id1, __u32 id + return true; + } + ++static bool btf_dedup_identical_ptrs(struct btf_dedup *d, __u32 id1, __u32 id2) ++{ ++ struct btf_type *t1, *t2; ++ ++ t1 = btf_type_by_id(d->btf, id1); ++ t2 = btf_type_by_id(d->btf, id2); ++ ++ if (!btf_is_ptr(t1) || !btf_is_ptr(t2)) ++ return false; ++ ++ return t1->type == t2->type; ++} ++ + /* + * Check equivalence of BTF type graph formed by candidate struct/union (we'll + * call it "candidate graph" in this description for brevity) to a type graph +@@ -4071,6 +4084,9 @@ static int btf_dedup_is_equiv(struct btf_dedup *d, __u32 cand_id, + */ + if (btf_dedup_identical_structs(d, hypot_type_id, cand_id)) + return 1; ++ /* A similar case is again observed for PTRs. */ ++ if (btf_dedup_identical_ptrs(d, hypot_type_id, cand_id)) ++ return 1; + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.1/mmc-add-quirk-to-disable-ddr50-tuning.patch b/queue-6.1/mmc-add-quirk-to-disable-ddr50-tuning.patch new file mode 100644 index 0000000000..68dc6c0375 --- /dev/null +++ b/queue-6.1/mmc-add-quirk-to-disable-ddr50-tuning.patch @@ -0,0 +1,134 @@ +From d02e59744dbdea34b982214628eb8689e9410843 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 17:13:37 -0500 +Subject: mmc: Add quirk to disable DDR50 tuning + +From: Erick Shepherd + +[ Upstream commit 9510b38dc0ba358c93cbf5ee7c28820afb85937b ] + +Adds the MMC_QUIRK_NO_UHS_DDR50_TUNING quirk and updates +mmc_execute_tuning() to return 0 if that quirk is set. This fixes an +issue on certain Swissbit SD cards that do not support DDR50 tuning +where tuning requests caused I/O errors to be thrown. + +Signed-off-by: Erick Shepherd +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20250331221337.1414534-1-erick.shepherd@ni.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/card.h | 6 ++++++ + drivers/mmc/core/quirks.h | 10 ++++++++++ + drivers/mmc/core/sd.c | 32 ++++++++++++++++++++++++-------- + include/linux/mmc/card.h | 1 + + 4 files changed, 41 insertions(+), 8 deletions(-) + +diff --git a/drivers/mmc/core/card.h b/drivers/mmc/core/card.h +index 8476754b1b170..fe0b2fa3bb89d 100644 +--- a/drivers/mmc/core/card.h ++++ b/drivers/mmc/core/card.h +@@ -86,6 +86,7 @@ struct mmc_fixup { + #define CID_MANFID_MICRON 0x13 + #define CID_MANFID_SAMSUNG 0x15 + #define CID_MANFID_APACER 0x27 ++#define CID_MANFID_SWISSBIT 0x5D + #define CID_MANFID_KINGSTON 0x70 + #define CID_MANFID_HYNIX 0x90 + #define CID_MANFID_KINGSTON_SD 0x9F +@@ -291,4 +292,9 @@ static inline int mmc_card_broken_sd_poweroff_notify(const struct mmc_card *c) + return c->quirks & MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY; + } + ++static inline int mmc_card_no_uhs_ddr50_tuning(const struct mmc_card *c) ++{ ++ return c->quirks & MMC_QUIRK_NO_UHS_DDR50_TUNING; ++} ++ + #endif +diff --git a/drivers/mmc/core/quirks.h b/drivers/mmc/core/quirks.h +index 12c90b567ce38..d05f220fdeee3 100644 +--- a/drivers/mmc/core/quirks.h ++++ b/drivers/mmc/core/quirks.h +@@ -34,6 +34,16 @@ static const struct mmc_fixup __maybe_unused mmc_sd_fixups[] = { + MMC_QUIRK_BROKEN_SD_CACHE | MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY, + EXT_CSD_REV_ANY), + ++ /* ++ * Swissbit series S46-u cards throw I/O errors during tuning requests ++ * after the initial tuning request expectedly times out. This has ++ * only been observed on cards manufactured on 01/2019 that are using ++ * Bay Trail host controllers. ++ */ ++ _FIXUP_EXT("0016G", CID_MANFID_SWISSBIT, 0x5342, 2019, 1, ++ 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd, ++ MMC_QUIRK_NO_UHS_DDR50_TUNING, EXT_CSD_REV_ANY), ++ + END_FIXUP + }; + +diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c +index 819af50ae175c..557c4ee1e2770 100644 +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -618,6 +618,29 @@ static int sd_set_current_limit(struct mmc_card *card, u8 *status) + return 0; + } + ++/* ++ * Determine if the card should tune or not. ++ */ ++static bool mmc_sd_use_tuning(struct mmc_card *card) ++{ ++ /* ++ * SPI mode doesn't define CMD19 and tuning is only valid for SDR50 and ++ * SDR104 mode SD-cards. Note that tuning is mandatory for SDR104. ++ */ ++ if (mmc_host_is_spi(card->host)) ++ return false; ++ ++ switch (card->host->ios.timing) { ++ case MMC_TIMING_UHS_SDR50: ++ case MMC_TIMING_UHS_SDR104: ++ return true; ++ case MMC_TIMING_UHS_DDR50: ++ return !mmc_card_no_uhs_ddr50_tuning(card); ++ } ++ ++ return false; ++} ++ + /* + * UHS-I specific initialization procedure + */ +@@ -661,14 +684,7 @@ static int mmc_sd_init_uhs_card(struct mmc_card *card) + if (err) + goto out; + +- /* +- * SPI mode doesn't define CMD19 and tuning is only valid for SDR50 and +- * SDR104 mode SD-cards. Note that tuning is mandatory for SDR104. +- */ +- if (!mmc_host_is_spi(card->host) && +- (card->host->ios.timing == MMC_TIMING_UHS_SDR50 || +- card->host->ios.timing == MMC_TIMING_UHS_DDR50 || +- card->host->ios.timing == MMC_TIMING_UHS_SDR104)) { ++ if (mmc_sd_use_tuning(card)) { + err = mmc_execute_tuning(card); + + /* +diff --git a/include/linux/mmc/card.h b/include/linux/mmc/card.h +index afa575e362a47..7c6da19fff9f0 100644 +--- a/include/linux/mmc/card.h ++++ b/include/linux/mmc/card.h +@@ -297,6 +297,7 @@ struct mmc_card { + #define MMC_QUIRK_BROKEN_SD_CACHE (1<<15) /* Disable broken SD cache support */ + #define MMC_QUIRK_BROKEN_CACHE_FLUSH (1<<16) /* Don't flush cache until the write has occurred */ + #define MMC_QUIRK_BROKEN_SD_POWEROFF_NOTIFY (1<<17) /* Disable broken SD poweroff notify support */ ++#define MMC_QUIRK_NO_UHS_DDR50_TUNING (1<<18) /* Disable DDR50 tuning */ + + bool written_flag; /* Indicates eMMC has been written since power on */ + bool reenable_cmdq; /* Re-enable Command Queue */ +-- +2.39.5 + diff --git a/queue-6.1/net-atlantic-generate-software-timestamp-just-before.patch b/queue-6.1/net-atlantic-generate-software-timestamp-just-before.patch new file mode 100644 index 0000000000..906941c8ac --- /dev/null +++ b/queue-6.1/net-atlantic-generate-software-timestamp-just-before.patch @@ -0,0 +1,49 @@ +From 1068756b7ceee6dcdaaad655eb8cac5171d4e6e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 21:48:10 +0800 +Subject: net: atlantic: generate software timestamp just before the doorbell + +From: Jason Xing + +[ Upstream commit 285ad7477559b6b5ceed10ba7ecfed9d17c0e7c6 ] + +Make sure the call of skb_tx_timestamp is as close as possible to the +doorbell. + +Signed-off-by: Jason Xing +Link: https://patch.msgid.link/20250510134812.48199-2-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_main.c | 1 - + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c +index 77609dc0a08d6..9d877f436e335 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c +@@ -122,7 +122,6 @@ static netdev_tx_t aq_ndev_start_xmit(struct sk_buff *skb, struct net_device *nd + } + #endif + +- skb_tx_timestamp(skb); + return aq_nic_xmit(aq_nic, skb); + } + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +index a467c8f91020b..3bfd9027cccac 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -893,6 +893,8 @@ int aq_nic_xmit(struct aq_nic_s *self, struct sk_buff *skb) + + frags = aq_nic_map_skb(self, skb, ring); + ++ skb_tx_timestamp(skb); ++ + if (likely(frags)) { + err = self->aq_hw_ops->hw_ring_tx_xmit(self->aq_hw, + ring, frags); +-- +2.39.5 + diff --git a/queue-6.1/net-bridge-mcast-re-implement-br_multicast_-enable-d.patch b/queue-6.1/net-bridge-mcast-re-implement-br_multicast_-enable-d.patch new file mode 100644 index 0000000000..647e335d37 --- /dev/null +++ b/queue-6.1/net-bridge-mcast-re-implement-br_multicast_-enable-d.patch @@ -0,0 +1,173 @@ +From 675472a41bfc9ed8e8a6a118181c68ab0533ea15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:43:12 +0200 +Subject: net: bridge: mcast: re-implement br_multicast_{enable, disable}_port + functions + +From: Yong Wang + +[ Upstream commit 4b30ae9adb047dd0a7982975ec3933c529537026 ] + +When a bridge port STP state is changed from BLOCKING/DISABLED to +FORWARDING, the port's igmp query timer will NOT re-arm itself if the +bridge has been configured as per-VLAN multicast snooping. + +Solve this by choosing the correct multicast context(s) to enable/disable +port multicast based on whether per-VLAN multicast snooping is enabled or +not, i.e. using per-{port, VLAN} context in case of per-VLAN multicast +snooping by re-implementing br_multicast_enable_port() and +br_multicast_disable_port() functions. + +Before the patch, the IGMP query does not happen in the last step of the +following test sequence, i.e. no growth for tx counter: + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1 + # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0 + # ip link add name swp1 up master br1 type dummy + # bridge link set dev swp1 state 0 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # sleep 1 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # bridge link set dev swp1 state 3 + # sleep 2 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + +After the patch, the IGMP query happens in the last step of the test: + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1 + # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0 + # ip link add name swp1 up master br1 type dummy + # bridge link set dev swp1 state 0 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # sleep 1 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # bridge link set dev swp1 state 3 + # sleep 2 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +3 + +Signed-off-by: Yong Wang +Reviewed-by: Andy Roulin +Reviewed-by: Ido Schimmel +Signed-off-by: Petr Machata +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_multicast.c | 77 +++++++++++++++++++++++++++++++++++---- + 1 file changed, 69 insertions(+), 8 deletions(-) + +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 5972821ce1950..e28c9db0c4db2 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1931,12 +1931,17 @@ static void __br_multicast_enable_port_ctx(struct net_bridge_mcast_port *pmctx) + } + } + +-void br_multicast_enable_port(struct net_bridge_port *port) ++static void br_multicast_enable_port_ctx(struct net_bridge_mcast_port *pmctx) + { +- struct net_bridge *br = port->br; ++ struct net_bridge *br = pmctx->port->br; + + spin_lock_bh(&br->multicast_lock); +- __br_multicast_enable_port_ctx(&port->multicast_ctx); ++ if (br_multicast_port_ctx_is_vlan(pmctx) && ++ !(pmctx->vlan->priv_flags & BR_VLFLAG_MCAST_ENABLED)) { ++ spin_unlock_bh(&br->multicast_lock); ++ return; ++ } ++ __br_multicast_enable_port_ctx(pmctx); + spin_unlock_bh(&br->multicast_lock); + } + +@@ -1963,11 +1968,67 @@ static void __br_multicast_disable_port_ctx(struct net_bridge_mcast_port *pmctx) + br_multicast_rport_del_notify(pmctx, del); + } + ++static void br_multicast_disable_port_ctx(struct net_bridge_mcast_port *pmctx) ++{ ++ struct net_bridge *br = pmctx->port->br; ++ ++ spin_lock_bh(&br->multicast_lock); ++ if (br_multicast_port_ctx_is_vlan(pmctx) && ++ !(pmctx->vlan->priv_flags & BR_VLFLAG_MCAST_ENABLED)) { ++ spin_unlock_bh(&br->multicast_lock); ++ return; ++ } ++ ++ __br_multicast_disable_port_ctx(pmctx); ++ spin_unlock_bh(&br->multicast_lock); ++} ++ ++static void br_multicast_toggle_port(struct net_bridge_port *port, bool on) ++{ ++#if IS_ENABLED(CONFIG_BRIDGE_VLAN_FILTERING) ++ if (br_opt_get(port->br, BROPT_MCAST_VLAN_SNOOPING_ENABLED)) { ++ struct net_bridge_vlan_group *vg; ++ struct net_bridge_vlan *vlan; ++ ++ rcu_read_lock(); ++ vg = nbp_vlan_group_rcu(port); ++ if (!vg) { ++ rcu_read_unlock(); ++ return; ++ } ++ ++ /* iterate each vlan, toggle vlan multicast context */ ++ list_for_each_entry_rcu(vlan, &vg->vlan_list, vlist) { ++ struct net_bridge_mcast_port *pmctx = ++ &vlan->port_mcast_ctx; ++ u8 state = br_vlan_get_state(vlan); ++ /* enable vlan multicast context when state is ++ * LEARNING or FORWARDING ++ */ ++ if (on && br_vlan_state_allowed(state, true)) ++ br_multicast_enable_port_ctx(pmctx); ++ else ++ br_multicast_disable_port_ctx(pmctx); ++ } ++ rcu_read_unlock(); ++ return; ++ } ++#endif ++ /* toggle port multicast context when vlan snooping is disabled */ ++ if (on) ++ br_multicast_enable_port_ctx(&port->multicast_ctx); ++ else ++ br_multicast_disable_port_ctx(&port->multicast_ctx); ++} ++ ++void br_multicast_enable_port(struct net_bridge_port *port) ++{ ++ br_multicast_toggle_port(port, true); ++} ++ + void br_multicast_disable_port(struct net_bridge_port *port) + { +- spin_lock_bh(&port->br->multicast_lock); +- __br_multicast_disable_port_ctx(&port->multicast_ctx); +- spin_unlock_bh(&port->br->multicast_lock); ++ br_multicast_toggle_port(port, false); + } + + static int __grp_src_delete_marked(struct net_bridge_port_group *pg) +@@ -4156,9 +4217,9 @@ int br_multicast_toggle_vlan_snooping(struct net_bridge *br, bool on, + __br_multicast_open(&br->multicast_ctx); + list_for_each_entry(p, &br->port_list, list) { + if (on) +- br_multicast_disable_port(p); ++ br_multicast_disable_port_ctx(&p->multicast_ctx); + else +- br_multicast_enable_port(p); ++ br_multicast_enable_port_ctx(&p->multicast_ctx); + } + + list_for_each_entry(vlan, &vg->vlan_list, vlist) +-- +2.39.5 + diff --git a/queue-6.1/net-bridge-mcast-update-multicast-contex-when-vlan-s.patch b/queue-6.1/net-bridge-mcast-update-multicast-contex-when-vlan-s.patch new file mode 100644 index 0000000000..2f43c575f7 --- /dev/null +++ b/queue-6.1/net-bridge-mcast-update-multicast-contex-when-vlan-s.patch @@ -0,0 +1,165 @@ +From 77254a9b9594c86550eafd0e35a39d7d86bc3224 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:43:13 +0200 +Subject: net: bridge: mcast: update multicast contex when vlan state is + changed + +From: Yong Wang + +[ Upstream commit 6c131043eaf1be2a6cc2d228f92ceb626fbcc0f3 ] + +When the vlan STP state is changed, which could be manipulated by +"bridge vlan" commands, similar to port STP state, this also impacts +multicast behaviors such as igmp query. In the scenario of per-VLAN +snooping, there's a need to update the corresponding multicast context +to re-arm the port query timer when vlan state becomes "forwarding" etc. + +Update br_vlan_set_state() function to enable vlan multicast context +in such scenario. + +Before the patch, the IGMP query does not happen in the last step of the +following test sequence, i.e. no growth for tx counter: + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1 + # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0 + # ip link add name swp1 up master br1 type dummy + # sleep 1 + # bridge vlan set vid 1 dev swp1 state 4 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # sleep 1 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # bridge vlan set vid 1 dev swp1 state 3 + # sleep 2 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + +After the patch, the IGMP query happens in the last step of the test: + # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 mcast_querier 1 mcast_stats_enabled 1 + # bridge vlan global set vid 1 dev br1 mcast_snooping 1 mcast_querier 1 mcast_query_interval 100 mcast_startup_query_count 0 + # ip link add name swp1 up master br1 type dummy + # sleep 1 + # bridge vlan set vid 1 dev swp1 state 4 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # sleep 1 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +1 + # bridge vlan set vid 1 dev swp1 state 3 + # sleep 2 + # ip -j -p stats show dev swp1 group xstats_slave subgroup bridge suite mcast | jq '.[]["multicast"]["igmp_queries"]["tx_v2"]' +3 + +Signed-off-by: Yong Wang +Reviewed-by: Andy Roulin +Reviewed-by: Ido Schimmel +Signed-off-by: Petr Machata +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_mst.c | 4 ++-- + net/bridge/br_multicast.c | 26 ++++++++++++++++++++++++++ + net/bridge/br_private.h | 11 ++++++++++- + 3 files changed, 38 insertions(+), 3 deletions(-) + +diff --git a/net/bridge/br_mst.c b/net/bridge/br_mst.c +index 1820f09ff59ce..3f24b4ee49c27 100644 +--- a/net/bridge/br_mst.c ++++ b/net/bridge/br_mst.c +@@ -80,10 +80,10 @@ static void br_mst_vlan_set_state(struct net_bridge_vlan_group *vg, + if (br_vlan_get_state(v) == state) + return; + +- br_vlan_set_state(v, state); +- + if (v->vid == vg->pvid) + br_vlan_set_pvid_state(vg, state); ++ ++ br_vlan_set_state(v, state); + } + + int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 3cd2b648408d6..5972821ce1950 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -4037,6 +4037,32 @@ static void __br_multicast_stop(struct net_bridge_mcast *brmctx) + #endif + } + ++void br_multicast_update_vlan_mcast_ctx(struct net_bridge_vlan *v, u8 state) ++{ ++#if IS_ENABLED(CONFIG_BRIDGE_VLAN_FILTERING) ++ struct net_bridge *br; ++ ++ if (!br_vlan_should_use(v)) ++ return; ++ ++ if (br_vlan_is_master(v)) ++ return; ++ ++ br = v->port->br; ++ ++ if (!br_opt_get(br, BROPT_MCAST_VLAN_SNOOPING_ENABLED)) ++ return; ++ ++ if (br_vlan_state_allowed(state, true)) ++ br_multicast_enable_port_ctx(&v->port_mcast_ctx); ++ ++ /* Multicast is not disabled for the vlan when it goes in ++ * blocking state because the timers will expire and stop by ++ * themselves without sending more queries. ++ */ ++#endif ++} ++ + void br_multicast_toggle_one_vlan(struct net_bridge_vlan *vlan, bool on) + { + struct net_bridge *br; +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 19fb505492521..767f0e81dd265 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -977,6 +977,7 @@ void br_multicast_port_ctx_init(struct net_bridge_port *port, + struct net_bridge_vlan *vlan, + struct net_bridge_mcast_port *pmctx); + void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pmctx); ++void br_multicast_update_vlan_mcast_ctx(struct net_bridge_vlan *v, u8 state); + void br_multicast_toggle_one_vlan(struct net_bridge_vlan *vlan, bool on); + int br_multicast_toggle_vlan_snooping(struct net_bridge *br, bool on, + struct netlink_ext_ack *extack); +@@ -1403,6 +1404,11 @@ static inline void br_multicast_port_ctx_deinit(struct net_bridge_mcast_port *pm + { + } + ++static inline void br_multicast_update_vlan_mcast_ctx(struct net_bridge_vlan *v, ++ u8 state) ++{ ++} ++ + static inline void br_multicast_toggle_one_vlan(struct net_bridge_vlan *vlan, + bool on) + { +@@ -1752,7 +1758,9 @@ bool br_vlan_global_opts_can_enter_range(const struct net_bridge_vlan *v_curr, + bool br_vlan_global_opts_fill(struct sk_buff *skb, u16 vid, u16 vid_range, + const struct net_bridge_vlan *v_opts); + +-/* vlan state manipulation helpers using *_ONCE to annotate lock-free access */ ++/* vlan state manipulation helpers using *_ONCE to annotate lock-free access, ++ * while br_vlan_set_state() may access data protected by multicast_lock. ++ */ + static inline u8 br_vlan_get_state(const struct net_bridge_vlan *v) + { + return READ_ONCE(v->state); +@@ -1761,6 +1769,7 @@ static inline u8 br_vlan_get_state(const struct net_bridge_vlan *v) + static inline void br_vlan_set_state(struct net_bridge_vlan *v, u8 state) + { + WRITE_ONCE(v->state, state); ++ br_multicast_update_vlan_mcast_ctx(v, state); + } + + static inline u8 br_vlan_get_pvid_state(const struct net_bridge_vlan_group *vg) +-- +2.39.5 + diff --git a/queue-6.1/net-dlink-add-synchronization-for-stats-update.patch b/queue-6.1/net-dlink-add-synchronization-for-stats-update.patch new file mode 100644 index 0000000000..09eb575dd1 --- /dev/null +++ b/queue-6.1/net-dlink-add-synchronization-for-stats-update.patch @@ -0,0 +1,102 @@ +From 10432de98b8e999205dbf51ac8019732a60fed92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:53:31 +0900 +Subject: net: dlink: add synchronization for stats update + +From: Moon Yeounsu + +[ Upstream commit 12889ce926e9a9baf6b83d809ba316af539b89e2 ] + +This patch synchronizes code that accesses from both user-space +and IRQ contexts. The `get_stats()` function can be called from both +context. + +`dev->stats.tx_errors` and `dev->stats.collisions` are also updated +in the `tx_errors()` function. Therefore, these fields must also be +protected by synchronized. + +There is no code that accessses `dev->stats.tx_errors` between the +previous and updated lines, so the updating point can be moved. + +Signed-off-by: Moon Yeounsu +Link: https://patch.msgid.link/20250515075333.48290-1-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dlink/dl2k.c | 14 +++++++++++++- + drivers/net/ethernet/dlink/dl2k.h | 2 ++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c +index 71cb7fe63de3c..dfc23cc173097 100644 +--- a/drivers/net/ethernet/dlink/dl2k.c ++++ b/drivers/net/ethernet/dlink/dl2k.c +@@ -146,6 +146,8 @@ rio_probe1 (struct pci_dev *pdev, const struct pci_device_id *ent) + np->ioaddr = ioaddr; + np->chip_id = chip_idx; + np->pdev = pdev; ++ ++ spin_lock_init(&np->stats_lock); + spin_lock_init (&np->tx_lock); + spin_lock_init (&np->rx_lock); + +@@ -868,7 +870,6 @@ tx_error (struct net_device *dev, int tx_status) + frame_id = (tx_status & 0xffff0000); + printk (KERN_ERR "%s: Transmit error, TxStatus %4.4x, FrameId %d.\n", + dev->name, tx_status, frame_id); +- dev->stats.tx_errors++; + /* Ttransmit Underrun */ + if (tx_status & 0x10) { + dev->stats.tx_fifo_errors++; +@@ -905,9 +906,15 @@ tx_error (struct net_device *dev, int tx_status) + rio_set_led_mode(dev); + /* Let TxStartThresh stay default value */ + } ++ ++ spin_lock(&np->stats_lock); + /* Maximum Collisions */ + if (tx_status & 0x08) + dev->stats.collisions++; ++ ++ dev->stats.tx_errors++; ++ spin_unlock(&np->stats_lock); ++ + /* Restart the Tx */ + dw32(MACCtrl, dr16(MACCtrl) | TxEnable); + } +@@ -1076,7 +1083,9 @@ get_stats (struct net_device *dev) + int i; + #endif + unsigned int stat_reg; ++ unsigned long flags; + ++ spin_lock_irqsave(&np->stats_lock, flags); + /* All statistics registers need to be acknowledged, + else statistic overflow could cause problems */ + +@@ -1126,6 +1135,9 @@ get_stats (struct net_device *dev) + dr16(TCPCheckSumErrors); + dr16(UDPCheckSumErrors); + dr16(IPCheckSumErrors); ++ ++ spin_unlock_irqrestore(&np->stats_lock, flags); ++ + return &dev->stats; + } + +diff --git a/drivers/net/ethernet/dlink/dl2k.h b/drivers/net/ethernet/dlink/dl2k.h +index 0e33e2eaae960..56aff2f0bdbfa 100644 +--- a/drivers/net/ethernet/dlink/dl2k.h ++++ b/drivers/net/ethernet/dlink/dl2k.h +@@ -372,6 +372,8 @@ struct netdev_private { + struct pci_dev *pdev; + void __iomem *ioaddr; + void __iomem *eeprom_addr; ++ // To ensure synchronization when stats are updated. ++ spinlock_t stats_lock; + spinlock_t tx_lock; + spinlock_t rx_lock; + unsigned int rx_buf_sz; /* Based on MTU+slack. */ +-- +2.39.5 + diff --git a/queue-6.1/net-ethernet-cortina-use-toe-tso-on-all-tcp.patch b/queue-6.1/net-ethernet-cortina-use-toe-tso-on-all-tcp.patch new file mode 100644 index 0000000000..05c04e7386 --- /dev/null +++ b/queue-6.1/net-ethernet-cortina-use-toe-tso-on-all-tcp.patch @@ -0,0 +1,132 @@ +From a7f417cb77dfd96fe7f93cf71b60670bfb69f7c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 11:26:58 +0200 +Subject: net: ethernet: cortina: Use TOE/TSO on all TCP + +From: Linus Walleij + +[ Upstream commit 6a07e3af4973402fa199a80036c10060b922c92c ] + +It is desireable to push the hardware accelerator to also +process non-segmented TCP frames: we pass the skb->len +to the "TOE/TSO" offloader and it will handle them. + +Without this quirk the driver becomes unstable and lock +up and and crash. + +I do not know exactly why, but it is probably due to the +TOE (TCP offload engine) feature that is coupled with the +segmentation feature - it is not possible to turn one +part off and not the other, either both TOE and TSO are +active, or neither of them. + +Not having the TOE part active seems detrimental, as if +that hardware feature is not really supposed to be turned +off. + +The datasheet says: + + "Based on packet parsing and TCP connection/NAT table + lookup results, the NetEngine puts the packets + belonging to the same TCP connection to the same queue + for the software to process. The NetEngine puts + incoming packets to the buffer or series of buffers + for a jumbo packet. With this hardware acceleration, + IP/TCP header parsing, checksum validation and + connection lookup are offloaded from the software + processing." + +After numerous tests with the hardware locking up after +something between minutes and hours depending on load +using iperf3 I have concluded this is necessary to stabilize +the hardware. + +Signed-off-by: Linus Walleij +Link: https://patch.msgid.link/20250408-gemini-ethernet-tso-always-v1-1-e669f932359c@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cortina/gemini.c | 37 +++++++++++++++++++++------ + 1 file changed, 29 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c +index 7cc0ea3737b2d..729a69007ec47 100644 +--- a/drivers/net/ethernet/cortina/gemini.c ++++ b/drivers/net/ethernet/cortina/gemini.c +@@ -1148,6 +1148,7 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + struct gmac_txdesc *txd; + skb_frag_t *skb_frag; + dma_addr_t mapping; ++ bool tcp = false; + void *buffer; + u16 mss; + int ret; +@@ -1155,6 +1156,13 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + word1 = skb->len; + word3 = SOF_BIT; + ++ /* Determine if we are doing TCP */ ++ if (skb->protocol == htons(ETH_P_IP)) ++ tcp = (ip_hdr(skb)->protocol == IPPROTO_TCP); ++ else ++ /* IPv6 */ ++ tcp = (ipv6_hdr(skb)->nexthdr == IPPROTO_TCP); ++ + mss = skb_shinfo(skb)->gso_size; + if (mss) { + /* This means we are dealing with TCP and skb->len is the +@@ -1167,8 +1175,26 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + mss, skb->len); + word1 |= TSS_MTU_ENABLE_BIT; + word3 |= mss; ++ } else if (tcp) { ++ /* Even if we are not using TSO, use the hardware offloader ++ * for transferring the TCP frame: this hardware has partial ++ * TCP awareness (called TOE - TCP Offload Engine) and will ++ * according to the datasheet put packets belonging to the ++ * same TCP connection in the same queue for the TOE/TSO ++ * engine to process. The engine will deal with chopping ++ * up frames that exceed ETH_DATA_LEN which the ++ * checksumming engine cannot handle (see below) into ++ * manageable chunks. It flawlessly deals with quite big ++ * frames and frames containing custom DSA EtherTypes. ++ */ ++ mss = netdev->mtu + skb_tcp_all_headers(skb); ++ mss = min(mss, skb->len); ++ netdev_dbg(netdev, "TOE/TSO len %04x mtu %04x mss %04x\n", ++ skb->len, netdev->mtu, mss); ++ word1 |= TSS_MTU_ENABLE_BIT; ++ word3 |= mss; + } else if (skb->len >= ETH_FRAME_LEN) { +- /* Hardware offloaded checksumming isn't working on frames ++ /* Hardware offloaded checksumming isn't working on non-TCP frames + * bigger than 1514 bytes. A hypothesis about this is that the + * checksum buffer is only 1518 bytes, so when the frames get + * bigger they get truncated, or the last few bytes get +@@ -1185,21 +1211,16 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb, + } + + if (skb->ip_summed == CHECKSUM_PARTIAL) { +- int tcp = 0; +- + /* We do not switch off the checksumming on non TCP/UDP + * frames: as is shown from tests, the checksumming engine + * is smart enough to see that a frame is not actually TCP + * or UDP and then just pass it through without any changes + * to the frame. + */ +- if (skb->protocol == htons(ETH_P_IP)) { ++ if (skb->protocol == htons(ETH_P_IP)) + word1 |= TSS_IP_CHKSUM_BIT; +- tcp = ip_hdr(skb)->protocol == IPPROTO_TCP; +- } else { /* IPv6 */ ++ else + word1 |= TSS_IPV6_ENABLE_BIT; +- tcp = ipv6_hdr(skb)->nexthdr == IPPROTO_TCP; +- } + + word1 |= tcp ? TSS_TCP_CHKSUM_BIT : TSS_UDP_CHKSUM_BIT; + } +-- +2.39.5 + diff --git a/queue-6.1/net-lan743x-modify-the-eeprom-and-otp-size-for-pci1x.patch b/queue-6.1/net-lan743x-modify-the-eeprom-and-otp-size-for-pci1x.patch new file mode 100644 index 0000000000..dd78e269b8 --- /dev/null +++ b/queue-6.1/net-lan743x-modify-the-eeprom-and-otp-size-for-pci1x.patch @@ -0,0 +1,89 @@ +From 4c96b1abcbe862a4eaf8f7a2bd539b7d563b5d8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 23:03:26 +0530 +Subject: net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices + +From: Rengarajan S + +[ Upstream commit 3b9935586a9b54d2da27901b830d3cf46ad66a1e ] + +Maximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kb +and 64 Kb respectively. Adjust max size definitions and return correct +EEPROM length based on device. Also prevent out-of-bound read/write. + +Signed-off-by: Rengarajan S +Link: https://patch.msgid.link/20250523173326.18509-1-rengarajan.s@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/microchip/lan743x_ethtool.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan743x_ethtool.c b/drivers/net/ethernet/microchip/lan743x_ethtool.c +index e47a579410fbb..bd00ee2ca69fd 100644 +--- a/drivers/net/ethernet/microchip/lan743x_ethtool.c ++++ b/drivers/net/ethernet/microchip/lan743x_ethtool.c +@@ -18,6 +18,8 @@ + #define EEPROM_MAC_OFFSET (0x01) + #define MAX_EEPROM_SIZE (512) + #define MAX_OTP_SIZE (1024) ++#define MAX_HS_OTP_SIZE (8 * 1024) ++#define MAX_HS_EEPROM_SIZE (64 * 1024) + #define OTP_INDICATOR_1 (0xF3) + #define OTP_INDICATOR_2 (0xF7) + +@@ -272,6 +274,9 @@ static int lan743x_hs_otp_read(struct lan743x_adapter *adapter, u32 offset, + int ret; + int i; + ++ if (offset + length > MAX_HS_OTP_SIZE) ++ return -EINVAL; ++ + ret = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT); + if (ret < 0) + return ret; +@@ -320,6 +325,9 @@ static int lan743x_hs_otp_write(struct lan743x_adapter *adapter, u32 offset, + int ret; + int i; + ++ if (offset + length > MAX_HS_OTP_SIZE) ++ return -EINVAL; ++ + ret = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT); + if (ret < 0) + return ret; +@@ -497,6 +505,9 @@ static int lan743x_hs_eeprom_read(struct lan743x_adapter *adapter, + u32 val; + int i; + ++ if (offset + length > MAX_HS_EEPROM_SIZE) ++ return -EINVAL; ++ + retval = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT); + if (retval < 0) + return retval; +@@ -539,6 +550,9 @@ static int lan743x_hs_eeprom_write(struct lan743x_adapter *adapter, + u32 val; + int i; + ++ if (offset + length > MAX_HS_EEPROM_SIZE) ++ return -EINVAL; ++ + retval = lan743x_hs_syslock_acquire(adapter, LOCK_TIMEOUT_MAX_CNT); + if (retval < 0) + return retval; +@@ -604,9 +618,9 @@ static int lan743x_ethtool_get_eeprom_len(struct net_device *netdev) + struct lan743x_adapter *adapter = netdev_priv(netdev); + + if (adapter->flags & LAN743X_ADAPTER_FLAG_OTP) +- return MAX_OTP_SIZE; ++ return adapter->is_pci11x1x ? MAX_HS_OTP_SIZE : MAX_OTP_SIZE; + +- return MAX_EEPROM_SIZE; ++ return adapter->is_pci11x1x ? MAX_HS_EEPROM_SIZE : MAX_EEPROM_SIZE; + } + + static int lan743x_ethtool_get_eeprom(struct net_device *netdev, +-- +2.39.5 + diff --git a/queue-6.1/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch b/queue-6.1/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch new file mode 100644 index 0000000000..1514622a1b --- /dev/null +++ b/queue-6.1/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch @@ -0,0 +1,42 @@ +From fb9c3094011b4ffca04789af05b8e11518a2a2e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 May 2025 21:20:31 -0600 +Subject: net: macb: Check return value of dma_set_mask_and_coherent() + +From: Sergio Perez Gonzalez + +[ Upstream commit 3920a758800762917177a6b5ab39707d8e376fe6 ] + +Issue flagged by coverity. Add a safety check for the return value +of dma_set_mask_and_coherent, go to a safe exit if it returns error. + +Link: https://scan7.scan.coverity.com/#/project-view/53936/11354?selectedIssue=1643754 +Signed-off-by: Sergio Perez Gonzalez +Reviewed-by: Claudiu Beznea +Link: https://patch.msgid.link/20250526032034.84900-1-sperezglz@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index d2f4709dee0de..495a1cb0bc183 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4956,7 +4956,11 @@ static int macb_probe(struct platform_device *pdev) + + #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT + if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { +- dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); ++ err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); ++ if (err) { ++ dev_err(&pdev->dev, "failed to set DMA mask\n"); ++ goto err_out_free_netdev; ++ } + bp->hw_dma_cap |= HW_DMA_CAP_64B; + } + #endif +-- +2.39.5 + diff --git a/queue-6.1/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch b/queue-6.1/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch new file mode 100644 index 0000000000..e88dc7fded --- /dev/null +++ b/queue-6.1/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch @@ -0,0 +1,37 @@ +From 61e79726902b52ec825e882d7e01c366678515f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 17:34:42 +0800 +Subject: net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info + +From: Jason Xing + +[ Upstream commit b86bcfee30576b752302c55693fff97242b35dfd ] + +As mlx4 has implemented skb_tx_timestamp() in mlx4_en_xmit(), the +SOFTWARE flag is surely needed when users are trying to get timestamp +information. + +Signed-off-by: Jason Xing +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20250510093442.79711-1-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index 7d45f1d55f799..d1a319ad6af1a 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1916,6 +1916,7 @@ static int mlx4_en_get_ts_info(struct net_device *dev, + if (mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_TS) { + info->so_timestamping |= + SOF_TIMESTAMPING_TX_HARDWARE | ++ SOF_TIMESTAMPING_TX_SOFTWARE | + SOF_TIMESTAMPING_RX_HARDWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; + +-- +2.39.5 + diff --git a/queue-6.1/net-vertexcom-mse102x-return-code-for-mse102x_rx_pkt.patch b/queue-6.1/net-vertexcom-mse102x-return-code-for-mse102x_rx_pkt.patch new file mode 100644 index 0000000000..0001ba9f2e --- /dev/null +++ b/queue-6.1/net-vertexcom-mse102x-return-code-for-mse102x_rx_pkt.patch @@ -0,0 +1,92 @@ +From 452551e4e5a68d307936ba10672cd414a4a2a120 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 14:04:34 +0200 +Subject: net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi + +From: Stefan Wahren + +[ Upstream commit 4ecf56f4b66011b583644bf9a62188d05dfcd78c ] + +The MSE102x doesn't provide any interrupt register, so the only way +to handle the level interrupt is to fetch the whole packet from +the MSE102x internal buffer via SPI. So in cases the interrupt +handler fails to do this, it should return IRQ_NONE. This allows +the core to disable the interrupt in case the issue persists +and prevent an interrupt storm. + +Signed-off-by: Stefan Wahren +Link: https://patch.msgid.link/20250509120435.43646-6-wahrenst@gmx.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/vertexcom/mse102x.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/vertexcom/mse102x.c b/drivers/net/ethernet/vertexcom/mse102x.c +index 060a566bc6aae..c902f8761d5d4 100644 +--- a/drivers/net/ethernet/vertexcom/mse102x.c ++++ b/drivers/net/ethernet/vertexcom/mse102x.c +@@ -306,7 +306,7 @@ static void mse102x_dump_packet(const char *msg, int len, const char *data) + data, len, true); + } + +-static void mse102x_rx_pkt_spi(struct mse102x_net *mse) ++static irqreturn_t mse102x_rx_pkt_spi(struct mse102x_net *mse) + { + struct sk_buff *skb; + unsigned int rxalign; +@@ -327,7 +327,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse) + mse102x_tx_cmd_spi(mse, CMD_CTR); + ret = mse102x_rx_cmd_spi(mse, (u8 *)&rx); + if (ret) +- return; ++ return IRQ_NONE; + + cmd_resp = be16_to_cpu(rx); + if ((cmd_resp & CMD_MASK) != CMD_RTS) { +@@ -360,7 +360,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse) + rxalign = ALIGN(rxlen + DET_SOF_LEN + DET_DFT_LEN, 4); + skb = netdev_alloc_skb_ip_align(mse->ndev, rxalign); + if (!skb) +- return; ++ return IRQ_NONE; + + /* 2 bytes Start of frame (before ethernet header) + * 2 bytes Data frame tail (after ethernet frame) +@@ -370,7 +370,7 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse) + if (mse102x_rx_frame_spi(mse, rxpkt, rxlen, drop)) { + mse->ndev->stats.rx_errors++; + dev_kfree_skb(skb); +- return; ++ return IRQ_HANDLED; + } + + if (netif_msg_pktdata(mse)) +@@ -381,6 +381,8 @@ static void mse102x_rx_pkt_spi(struct mse102x_net *mse) + + mse->ndev->stats.rx_packets++; + mse->ndev->stats.rx_bytes += rxlen; ++ ++ return IRQ_HANDLED; + } + + static int mse102x_tx_pkt_spi(struct mse102x_net *mse, struct sk_buff *txb, +@@ -512,12 +514,13 @@ static irqreturn_t mse102x_irq(int irq, void *_mse) + { + struct mse102x_net *mse = _mse; + struct mse102x_net_spi *mses = to_mse102x_spi(mse); ++ irqreturn_t ret; + + mutex_lock(&mses->lock); +- mse102x_rx_pkt_spi(mse); ++ ret = mse102x_rx_pkt_spi(mse); + mutex_unlock(&mses->lock); + +- return IRQ_HANDLED; ++ return ret; + } + + static int mse102x_net_open(struct net_device *ndev) +-- +2.39.5 + diff --git a/queue-6.1/octeontx2-pf-add-error-log-forcn10k_map_unmap_rq_pol.patch b/queue-6.1/octeontx2-pf-add-error-log-forcn10k_map_unmap_rq_pol.patch new file mode 100644 index 0000000000..5b58200e27 --- /dev/null +++ b/queue-6.1/octeontx2-pf-add-error-log-forcn10k_map_unmap_rq_pol.patch @@ -0,0 +1,47 @@ +From dc0c26c15ddcadbb5620d27e85436483f890c126 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 11:26:02 +0800 +Subject: octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer() + +From: Wentao Liang + +[ Upstream commit 9c056ec6dd1654b1420dafbbe2a69718850e6ff2 ] + +The cn10k_free_matchall_ipolicer() calls the cn10k_map_unmap_rq_policer() +for each queue in a for loop without checking for any errors. + +Check the return value of the cn10k_map_unmap_rq_policer() function during +each loop, and report a warning if the function fails. + +Signed-off-by: Wentao Liang +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250408032602.2909-1-vulab@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c +index 7417087b6db59..a2807a1e4f4a6 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k.c +@@ -352,9 +352,12 @@ int cn10k_free_matchall_ipolicer(struct otx2_nic *pfvf) + mutex_lock(&pfvf->mbox.lock); + + /* Remove RQ's policer mapping */ +- for (qidx = 0; qidx < hw->rx_queues; qidx++) +- cn10k_map_unmap_rq_policer(pfvf, qidx, +- hw->matchall_ipolicer, false); ++ for (qidx = 0; qidx < hw->rx_queues; qidx++) { ++ rc = cn10k_map_unmap_rq_policer(pfvf, qidx, hw->matchall_ipolicer, false); ++ if (rc) ++ dev_warn(pfvf->dev, "Failed to unmap RQ %d's policer (error %d).", ++ qidx, rc); ++ } + + rc = cn10k_free_leaf_profile(pfvf, hw->matchall_ipolicer); + +-- +2.39.5 + diff --git a/queue-6.1/openvswitch-stricter-validation-for-the-userspace-ac.patch b/queue-6.1/openvswitch-stricter-validation-for-the-userspace-ac.patch new file mode 100644 index 0000000000..db87b0b481 --- /dev/null +++ b/queue-6.1/openvswitch-stricter-validation-for-the-userspace-ac.patch @@ -0,0 +1,45 @@ +From 86b4bc82f93ca4048cbd09dff7bfdfd242f3a944 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 10:08:24 +0200 +Subject: openvswitch: Stricter validation for the userspace action + +From: Eelco Chaudron + +[ Upstream commit 88906f55954131ed2d3974e044b7fb48129b86ae ] + +This change enhances the robustness of validate_userspace() by ensuring +that all Netlink attributes are fully contained within the parent +attribute. The previous use of nla_parse_nested_deprecated() could +silently skip trailing or malformed attributes, as it stops parsing at +the first invalid entry. + +By switching to nla_parse_deprecated_strict(), we make sure only fully +validated attributes are copied for later use. + +Signed-off-by: Eelco Chaudron +Reviewed-by: Simon Horman +Acked-by: Ilya Maximets +Link: https://patch.msgid.link/67eb414e2d250e8408bb8afeb982deca2ff2b10b.1747037304.git.echaudro@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/flow_netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 0ed3953dbe529..38a7346fc895a 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -3033,7 +3033,8 @@ static int validate_userspace(const struct nlattr *attr) + struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1]; + int error; + +- error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr, ++ error = nla_parse_deprecated_strict(a, OVS_USERSPACE_ATTR_MAX, ++ nla_data(attr), nla_len(attr), + userspace_policy, NULL); + if (error) + return error; +-- +2.39.5 + diff --git a/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch b/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch new file mode 100644 index 0000000000..4b5dba05f8 --- /dev/null +++ b/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch @@ -0,0 +1,41 @@ +From 8f930b117cff7b06603c45237347d92e099f1c26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:38 +0200 +Subject: pinctrl: armada-37xx: propagate error from + armada_37xx_pmx_set_by_name() + +From: Gabor Juhos + +[ Upstream commit 4229c28323db141eda69cb99427be75d3edba071 ] + +The regmap_update_bits() function can fail, so propagate its error +up to the stack instead of silently ignoring that. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-7-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index eb6043d6c499c..7483ffa2a409c 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -360,9 +360,7 @@ static int armada_37xx_pmx_set_by_name(struct pinctrl_dev *pctldev, + + val = grp->val[func]; + +- regmap_update_bits(info->regmap, reg, mask, val); +- +- return 0; ++ return regmap_update_bits(info->regmap, reg, mask, val); + } + + static int armada_37xx_pmx_set(struct pinctrl_dev *pctldev, +-- +2.39.5 + diff --git a/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-10884 b/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-10884 new file mode 100644 index 0000000000..64bfbe3d93 --- /dev/null +++ b/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-10884 @@ -0,0 +1,45 @@ +From 0f431b9b0f15ac2528b8178d249d3bedab5ea4bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:35 +0200 +Subject: pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() + +From: Gabor Juhos + +[ Upstream commit 57273ff8bb16f3842c2597b5bbcd49e7fa12edf7 ] + +The regmap_read() function can fail, so propagate its error up to +the stack instead of silently ignoring that. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-4-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index 3ada8dcaa806b..f68caea15b03d 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -445,11 +445,14 @@ static int armada_37xx_gpio_get(struct gpio_chip *chip, unsigned int offset) + struct armada_37xx_pinctrl *info = gpiochip_get_data(chip); + unsigned int reg = INPUT_VAL; + unsigned int val, mask; ++ int ret; + + armada_37xx_update_reg(®, &offset); + mask = BIT(offset); + +- regmap_read(info->regmap, reg, &val); ++ ret = regmap_read(info->regmap, reg, &val); ++ if (ret) ++ return ret; + + return (val & mask) != 0; + } +-- +2.39.5 + diff --git a/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-3693 b/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-3693 new file mode 100644 index 0000000000..badc7cdb9e --- /dev/null +++ b/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-3693 @@ -0,0 +1,52 @@ +From 948307b7c5fb8962e8255e80b5c961abf954680e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:36 +0200 +Subject: pinctrl: armada-37xx: propagate error from + armada_37xx_pmx_gpio_set_direction() + +From: Gabor Juhos + +[ Upstream commit bfa0ff804ffa8b1246ade8be08de98c9eb19d16f ] + +The armada_37xx_gpio_direction_{in,out}put() functions can fail, so +propagate their error values back to the stack instead of silently +ignoring those. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-5-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index e9032359a68a5..3ada8dcaa806b 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -474,16 +474,17 @@ static int armada_37xx_pmx_gpio_set_direction(struct pinctrl_dev *pctldev, + { + struct armada_37xx_pinctrl *info = pinctrl_dev_get_drvdata(pctldev); + struct gpio_chip *chip = range->gc; ++ int ret; + + dev_dbg(info->dev, "gpio_direction for pin %u as %s-%d to %s\n", + offset, range->name, offset, input ? "input" : "output"); + + if (input) +- armada_37xx_gpio_direction_input(chip, offset); ++ ret = armada_37xx_gpio_direction_input(chip, offset); + else +- armada_37xx_gpio_direction_output(chip, offset, 0); ++ ret = armada_37xx_gpio_direction_output(chip, offset, 0); + +- return 0; ++ return ret; + } + + static int armada_37xx_gpio_request_enable(struct pinctrl_dev *pctldev, +-- +2.39.5 + diff --git a/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-760 b/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-760 new file mode 100644 index 0000000000..a81a18cda5 --- /dev/null +++ b/queue-6.1/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-760 @@ -0,0 +1,45 @@ +From 04d4926c8eeafa3862a289f43d4e93f10d7f966d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:37 +0200 +Subject: pinctrl: armada-37xx: propagate error from + armada_37xx_gpio_get_direction() + +From: Gabor Juhos + +[ Upstream commit 6481c0a83367b0672951ccc876fbae7ee37b594b ] + +The regmap_read() function can fail, so propagate its error up to +the stack instead of silently ignoring that. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-6-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index 7483ffa2a409c..e9032359a68a5 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -402,10 +402,13 @@ static int armada_37xx_gpio_get_direction(struct gpio_chip *chip, + struct armada_37xx_pinctrl *info = gpiochip_get_data(chip); + unsigned int reg = OUTPUT_EN; + unsigned int val, mask; ++ int ret; + + armada_37xx_update_reg(®, &offset); + mask = BIT(offset); +- regmap_read(info->regmap, reg, &val); ++ ret = regmap_read(info->regmap, reg, &val); ++ if (ret) ++ return ret; + + if (val & mask) + return GPIO_LINE_DIRECTION_OUT; +-- +2.39.5 + diff --git a/queue-6.1/pinctrl-mcp23s08-reset-all-pins-to-input-at-probe.patch b/queue-6.1/pinctrl-mcp23s08-reset-all-pins-to-input-at-probe.patch new file mode 100644 index 0000000000..4df15580aa --- /dev/null +++ b/queue-6.1/pinctrl-mcp23s08-reset-all-pins-to-input-at-probe.patch @@ -0,0 +1,47 @@ +From bc13e5306c30ce00c06cbb7f64c9031d70c1cebb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 16:17:45 +0100 +Subject: pinctrl: mcp23s08: Reset all pins to input at probe + +From: Mike Looijmans + +[ Upstream commit 3ede3f8b4b4b399b0ca41e44959f80d5cf84fc98 ] + +At startup, the driver just assumes that all registers have their +default values. But after a soft reset, the chip will just be in the +state it was, and some pins may have been configured as outputs. Any +modification of the output register will cause these pins to be driven +low, which leads to unexpected/unwanted effects. To prevent this from +happening, set the chip's IO configuration register to a known safe +mode (all inputs) before toggling any other bits. + +Signed-off-by: Mike Looijmans +Link: https://lore.kernel.org/20250314151803.28903-1-mike.looijmans@topic.nl +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index 2e8bbef8ca344..ca001fa63ed39 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -563,6 +563,14 @@ int mcp23s08_probe_one(struct mcp23s08 *mcp, struct device *dev, + + mcp->reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_LOW); + ++ /* ++ * Reset the chip - we don't really know what state it's in, so reset ++ * all pins to input first to prevent surprises. ++ */ ++ ret = mcp_write(mcp, MCP_IODIR, mcp->chip.ngpio == 16 ? 0xFFFF : 0xFF); ++ if (ret < 0) ++ return ret; ++ + /* verify MCP_IOCON.SEQOP = 0, so sequential reads work, + * and MCP_IOCON.HAEN = 1, so we work with all chips. + */ +-- +2.39.5 + diff --git a/queue-6.1/platform-x86-dell_rbu-fix-list-usage.patch b/queue-6.1/platform-x86-dell_rbu-fix-list-usage.patch new file mode 100644 index 0000000000..c6e64fdf20 --- /dev/null +++ b/queue-6.1/platform-x86-dell_rbu-fix-list-usage.patch @@ -0,0 +1,54 @@ +From fa671911289fd4bde78dd24a504acfb519626356 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 13:46:56 -0500 +Subject: platform/x86: dell_rbu: Fix list usage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stuart Hayes + +[ Upstream commit 61ce04601e0d8265ec6d2ffa6df5a7e1bce64854 ] + +Pass the correct list head to list_for_each_entry*() when looping through +the packet list. + +Without this patch, reading the packet data via sysfs will show the data +incorrectly (because it starts at the wrong packet), and clearing the +packet list will result in a NULL pointer dereference. + +Fixes: d19f359fbdc6 ("platform/x86: dell_rbu: don't open code list_for_each_entry*()") +Signed-off-by: Stuart Hayes +Link: https://lore.kernel.org/r/20250609184659.7210-3-stuart.w.hayes@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell_rbu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c +index 9f51e0fcab04e..4d2b5f6dd513f 100644 +--- a/drivers/platform/x86/dell/dell_rbu.c ++++ b/drivers/platform/x86/dell/dell_rbu.c +@@ -292,7 +292,7 @@ static int packet_read_list(char *data, size_t * pread_length) + remaining_bytes = *pread_length; + bytes_read = rbu_data.packet_read_count; + +- list_for_each_entry(newpacket, (&packet_data_head.list)->next, list) { ++ list_for_each_entry(newpacket, &packet_data_head.list, list) { + bytes_copied = do_packet_read(pdest, newpacket, + remaining_bytes, bytes_read, &temp_count); + remaining_bytes -= bytes_copied; +@@ -315,7 +315,7 @@ static void packet_empty_list(void) + { + struct packet_data *newpacket, *tmp; + +- list_for_each_entry_safe(newpacket, tmp, (&packet_data_head.list)->next, list) { ++ list_for_each_entry_safe(newpacket, tmp, &packet_data_head.list, list) { + list_del(&newpacket->list); + + /* +-- +2.39.5 + diff --git a/queue-6.1/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch b/queue-6.1/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch new file mode 100644 index 0000000000..3966886ce8 --- /dev/null +++ b/queue-6.1/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch @@ -0,0 +1,55 @@ +From 4f619bd6f80ce0c744905b91fd4bfb22e075fc47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 13:46:58 -0500 +Subject: platform/x86: dell_rbu: Stop overwriting data buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stuart Hayes + +[ Upstream commit f4b0fa38d5fefe9aed6ed831f3bd3538c168ee19 ] + +The dell_rbu driver will use memset() to clear the data held by each +packet when it is no longer needed (when the driver is unloaded, the +packet size is changed, etc). + +The amount of memory that is cleared (before this patch) is the normal +packet size. However, the last packet in the list may be smaller. + +Fix this to only clear the memory actually used by each packet, to prevent +it from writing past the end of data buffer. + +Because the packet data buffers are allocated with __get_free_pages() (in +page-sized increments), this bug could only result in a buffer being +overwritten when a packet size larger than one page is used. The only user +of the dell_rbu module should be the Dell BIOS update program, which uses +a packet size of 4096, so no issues should be seen without the patch, it +just blocks the possiblity. + +Fixes: 6c54c28e69f2 ("[PATCH] dell_rbu: new Dell BIOS update driver") +Signed-off-by: Stuart Hayes +Link: https://lore.kernel.org/r/20250609184659.7210-5-stuart.w.hayes@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell_rbu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell/dell_rbu.c b/drivers/platform/x86/dell/dell_rbu.c +index 4d2b5f6dd513f..fee20866b41e4 100644 +--- a/drivers/platform/x86/dell/dell_rbu.c ++++ b/drivers/platform/x86/dell/dell_rbu.c +@@ -322,7 +322,7 @@ static void packet_empty_list(void) + * zero out the RBU packet memory before freeing + * to make sure there are no stale RBU packets left in memory + */ +- memset(newpacket->data, 0, rbu_data.packetsize); ++ memset(newpacket->data, 0, newpacket->length); + set_memory_wb((unsigned long)newpacket->data, + 1 << newpacket->ordernum); + free_pages((unsigned long) newpacket->data, +-- +2.39.5 + diff --git a/queue-6.1/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch b/queue-6.1/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch new file mode 100644 index 0000000000..49ec5506fa --- /dev/null +++ b/queue-6.1/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch @@ -0,0 +1,61 @@ +From 5c9aec52ef74b0913d123cf9b12c913b47132a88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 12:11:25 +0530 +Subject: PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() + +From: Charan Teja Kalla + +[ Upstream commit 40d3b40dce375d6f1c1dbf08d79eed3aed6c691d ] + +pm_runtime_put_autosuspend() schedules a hrtimer to expire +at "dev->power.timer_expires". If the hrtimer's callback, +pm_suspend_timer_fn(), observes that the current time equals +"dev->power.timer_expires", it unexpectedly bails out instead of +proceeding with runtime suspend. + +pm_suspend_timer_fn(): + + if (expires > 0 && expires < ktime_get_mono_fast_ns()) { + dev->power.timer_expires = 0; + rpm_suspend(..) + } + +Additionally, as ->timer_expires is not cleared, all the future auto +suspend requests will not schedule hrtimer to perform auto suspend. + +rpm_suspend(): + + if ((rpmflags & RPM_AUTO) &&...) { + if (!(dev->power.timer_expires && ...) { <-- this will fail. + hrtimer_start_range_ns(&dev->power.suspend_timer,...); + } + } + +Fix this by as well checking if current time reaches the set expiration. + +Co-developed-by: Patrick Daly +Signed-off-by: Patrick Daly +Signed-off-by: Charan Teja Kalla +Link: https://patch.msgid.link/20250515064125.1211561-1-quic_charante@quicinc.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index bb68cba4d85a9..313ccb7e77646 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1001,7 +1001,7 @@ static enum hrtimer_restart pm_suspend_timer_fn(struct hrtimer *timer) + * If 'expires' is after the current time, we've been called + * too early. + */ +- if (expires > 0 && expires < ktime_get_mono_fast_ns()) { ++ if (expires > 0 && expires <= ktime_get_mono_fast_ns()) { + dev->power.timer_expires = 0; + rpm_suspend(dev, dev->power.timer_autosuspends ? + (RPM_ASYNC | RPM_AUTO) : RPM_ASYNC); +-- +2.39.5 + diff --git a/queue-6.1/power-supply-bq27xxx-retrieve-again-when-busy.patch b/queue-6.1/power-supply-bq27xxx-retrieve-again-when-busy.patch new file mode 100644 index 0000000000..e89409c9bf --- /dev/null +++ b/queue-6.1/power-supply-bq27xxx-retrieve-again-when-busy.patch @@ -0,0 +1,90 @@ +From 50e2e4896e38b4bf400963bbcdf4c23cc8537b9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 11:40:47 +0800 +Subject: power: supply: bq27xxx: Retrieve again when busy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jerry Lv + +[ Upstream commit f16d9fb6cf03fdbdefa41a8b32ba1e57afb7ae3d ] + +Multiple applications may access the battery gauge at the same time, so +the gauge may be busy and EBUSY will be returned. The driver will set a +flag to record the EBUSY state, and this flag will be kept until the next +periodic update. When this flag is set, bq27xxx_battery_get_property() +will just return ENODEV until the flag is updated. + +Even if the gauge was busy during the last accessing attempt, returning +ENODEV is not ideal, and can cause confusion in the applications layer. + +Instead, retry accessing the I2C to update the flag is as expected, for +the gauge typically recovers from busy state within a few milliseconds. +If still failed to access the gauge, the real error code would be returned +instead of ENODEV (as suggested by Pali Rohár). + +Reviewed-by: Pali Rohár +Signed-off-by: Jerry Lv +Link: https://lore.kernel.org/r/20250415-foo-fix-v2-1-5b45a395e4cc@axis.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 2 +- + drivers/power/supply/bq27xxx_battery_i2c.c | 13 ++++++++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index 2868dcf3f96dc..b3dd64ab8d32c 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -2044,7 +2044,7 @@ static int bq27xxx_battery_get_property(struct power_supply *psy, + mutex_unlock(&di->lock); + + if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0) +- return -ENODEV; ++ return di->cache.flags; + + switch (psp) { + case POWER_SUPPLY_PROP_STATUS: +diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c +index 17b37354e32c0..b05d2693fde04 100644 +--- a/drivers/power/supply/bq27xxx_battery_i2c.c ++++ b/drivers/power/supply/bq27xxx_battery_i2c.c +@@ -6,6 +6,7 @@ + * Andrew F. Davis + */ + ++#include + #include + #include + #include +@@ -32,6 +33,7 @@ static int bq27xxx_battery_i2c_read(struct bq27xxx_device_info *di, u8 reg, + struct i2c_msg msg[2]; + u8 data[2]; + int ret; ++ int retry = 0; + + if (!client->adapter) + return -ENODEV; +@@ -48,7 +50,16 @@ static int bq27xxx_battery_i2c_read(struct bq27xxx_device_info *di, u8 reg, + else + msg[1].len = 2; + +- ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg)); ++ do { ++ ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg)); ++ if (ret == -EBUSY && ++retry < 3) { ++ /* sleep 10 milliseconds when busy */ ++ usleep_range(10000, 11000); ++ continue; ++ } ++ break; ++ } while (1); ++ + if (ret < 0) + return ret; + +-- +2.39.5 + diff --git a/queue-6.1/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch b/queue-6.1/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch new file mode 100644 index 0000000000..4019844139 --- /dev/null +++ b/queue-6.1/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch @@ -0,0 +1,67 @@ +From b0ad28429e71100613a51b9b55d00b8b39702712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 02:29:28 -0400 +Subject: powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH + recovery + +From: Narayana Murty N + +[ Upstream commit 33bc69cf6655cf60829a803a45275f11a74899e5 ] + +VFIO EEH recovery for PCI passthrough devices fails on PowerNV and pseries +platforms due to missing host-side PE bridge reconfiguration. In the +current implementation, eeh_pe_configure() only performs RTAS or OPAL-based +bridge reconfiguration for native host devices, but skips it entirely for +PEs managed through VFIO in guest passthrough scenarios. + +This leads to incomplete EEH recovery when a PCI error affects a +passthrough device assigned to a QEMU/KVM guest. Although VFIO triggers the +EEH recovery flow through VFIO_EEH_PE_ENABLE ioctl, the platform-specific +bridge reconfiguration step is silently bypassed. As a result, the PE's +config space is not fully restored, causing subsequent config space access +failures or EEH freeze-on-access errors inside the guest. + +This patch fixes the issue by ensuring that eeh_pe_configure() always +invokes the platform's configure_bridge() callback (e.g., +pseries_eeh_phb_configure_bridge) even for VFIO-managed PEs. This ensures +that RTAS or OPAL calls to reconfigure the PE bridge are correctly issued +on the host side, restoring the PE's configuration space after an EEH +event. + +This fix is essential for reliable EEH recovery in QEMU/KVM guests using +VFIO PCI passthrough on PowerNV and pseries systems. + +Tested with: +- QEMU/KVM guest using VFIO passthrough (IBM Power9,(lpar)Power11 host) +- Injected EEH errors with pseries EEH errinjct tool on host, recovery + verified on qemu guest. +- Verified successful config space access and CAP_EXP DevCtl restoration + after recovery + +Fixes: 212d16cdca2d ("powerpc/eeh: EEH support for VFIO PCI device") +Signed-off-by: Narayana Murty N +Reviewed-by: Vaibhav Jain +Reviewed-by: Ganesh Goudar +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250508062928.146043-1-nnmlinux@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c +index ab316e155ea9f..2e286bba2f645 100644 +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -1516,6 +1516,8 @@ int eeh_pe_configure(struct eeh_pe *pe) + /* Invalid PE ? */ + if (!pe) + return -ENODEV; ++ else ++ ret = eeh_ops->configure_bridge(pe); + + return ret; + } +-- +2.39.5 + diff --git a/queue-6.1/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch b/queue-6.1/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch new file mode 100644 index 0000000000..fce872a1e6 --- /dev/null +++ b/queue-6.1/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch @@ -0,0 +1,112 @@ +From 69d2e2f1be3ce6d1fab900f96e4c505ca9f711c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:06:34 +0200 +Subject: Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect + devices first" + +From: Alexander Sverdlin + +[ Upstream commit 36305857b1ead8f6ca033a913162ebc09bee0b43 ] + +This reverts commit 4700a00755fb5a4bb5109128297d6fd2d1272ee6. + +It breaks target-module@2b300050 ("ti,sysc-omap2") probe on AM62x in a case +when minimally-configured system tries to network-boot: + +[ 6.888776] probe of 2b300050.target-module returned 517 after 258 usecs +[ 17.129637] probe of 2b300050.target-module returned 517 after 708 usecs +[ 17.137397] platform 2b300050.target-module: deferred probe pending: (reason unknown) +[ 26.878471] Waiting up to 100 more seconds for network. + +There are minimal configurations possible when the deferred device is not +being probed any more (because everything else has been successfully +probed) and deferral lists are not processed any more. + +Stable mmc enumeration can be achieved by filling /aliases node properly +(4700a00755fb commit's rationale). + +After revert: + +[ 9.006816] IP-Config: Complete: +[ 9.010058] device=lan0, ... + +Tested-by: Andreas Kemnade # GTA04, Panda, BT200 +Reviewed-by: Tony Lindgren +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20250401090643.2776793-1-alexander.sverdlin@siemens.com +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 49 ------------------------------------------- + 1 file changed, 49 deletions(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 15c6b85b125d4..172b17fe87c42 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -689,51 +689,6 @@ static int sysc_parse_and_check_child_range(struct sysc *ddata) + return 0; + } + +-/* Interconnect instances to probe before l4_per instances */ +-static struct resource early_bus_ranges[] = { +- /* am3/4 l4_wkup */ +- { .start = 0x44c00000, .end = 0x44c00000 + 0x300000, }, +- /* omap4/5 and dra7 l4_cfg */ +- { .start = 0x4a000000, .end = 0x4a000000 + 0x300000, }, +- /* omap4 l4_wkup */ +- { .start = 0x4a300000, .end = 0x4a300000 + 0x30000, }, +- /* omap5 and dra7 l4_wkup without dra7 dcan segment */ +- { .start = 0x4ae00000, .end = 0x4ae00000 + 0x30000, }, +-}; +- +-static atomic_t sysc_defer = ATOMIC_INIT(10); +- +-/** +- * sysc_defer_non_critical - defer non_critical interconnect probing +- * @ddata: device driver data +- * +- * We want to probe l4_cfg and l4_wkup interconnect instances before any +- * l4_per instances as l4_per instances depend on resources on l4_cfg and +- * l4_wkup interconnects. +- */ +-static int sysc_defer_non_critical(struct sysc *ddata) +-{ +- struct resource *res; +- int i; +- +- if (!atomic_read(&sysc_defer)) +- return 0; +- +- for (i = 0; i < ARRAY_SIZE(early_bus_ranges); i++) { +- res = &early_bus_ranges[i]; +- if (ddata->module_pa >= res->start && +- ddata->module_pa <= res->end) { +- atomic_set(&sysc_defer, 0); +- +- return 0; +- } +- } +- +- atomic_dec_if_positive(&sysc_defer); +- +- return -EPROBE_DEFER; +-} +- + static struct device_node *stdout_path; + + static void sysc_init_stdout_path(struct sysc *ddata) +@@ -959,10 +914,6 @@ static int sysc_map_and_check_registers(struct sysc *ddata) + if (error) + return error; + +- error = sysc_defer_non_critical(ddata); +- if (error) +- return error; +- + sysc_check_children(ddata); + + if (!of_get_property(np, "reg", NULL)) +-- +2.39.5 + diff --git a/queue-6.1/scsi-lpfc-fix-lpfc_check_sli_ndlp-handling-for-gen_r.patch b/queue-6.1/scsi-lpfc-fix-lpfc_check_sli_ndlp-handling-for-gen_r.patch new file mode 100644 index 0000000000..eb839712c6 --- /dev/null +++ b/queue-6.1/scsi-lpfc-fix-lpfc_check_sli_ndlp-handling-for-gen_r.patch @@ -0,0 +1,40 @@ +From 74bcd56f821f5869cdc2c6c745a56beaa32db048 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 12:47:59 -0700 +Subject: scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 + commands + +From: Justin Tee + +[ Upstream commit 05ae6c9c7315d844fbc15afe393f5ba5e5771126 ] + +In lpfc_check_sli_ndlp(), the get_job_els_rsp64_did remote_id assignment +does not apply for GEN_REQUEST64 commands as it only has meaning for a +ELS_REQUEST64 command. So, if (iocb->ndlp == ndlp) is false, we could +erroneously return the wrong value. Fix by replacing the fallthrough +statement with a break statement before the remote_id check. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20250425194806.3585-2-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index b04112c77fcd1..3a55e410235c0 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -5074,7 +5074,7 @@ lpfc_check_sli_ndlp(struct lpfc_hba *phba, + case CMD_GEN_REQUEST64_CR: + if (iocb->ndlp == ndlp) + return 1; +- fallthrough; ++ break; + case CMD_ELS_REQUEST64_CR: + if (remote_id == ndlp->nlp_DID) + return 1; +-- +2.39.5 + diff --git a/queue-6.1/scsi-lpfc-use-memcpy-for-bios-version.patch b/queue-6.1/scsi-lpfc-use-memcpy-for-bios-version.patch new file mode 100644 index 0000000000..6704fc0e93 --- /dev/null +++ b/queue-6.1/scsi-lpfc-use-memcpy-for-bios-version.patch @@ -0,0 +1,47 @@ +From d208b633f4583471b3ef858e89d3c697a56311d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 13:34:22 +0200 +Subject: scsi: lpfc: Use memcpy() for BIOS version + +From: Daniel Wagner + +[ Upstream commit ae82eaf4aeea060bb736c3e20c0568b67c701d7d ] + +The strlcat() with FORTIFY support is triggering a panic because it +thinks the target buffer will overflow although the correct target +buffer size is passed in. + +Anyway, instead of memset() with 0 followed by a strlcat(), just use +memcpy() and ensure that the resulting buffer is NULL terminated. + +BIOSVersion is only used for the lpfc_printf_log() which expects a +properly terminated string. + +Signed-off-by: Daniel Wagner +Link: https://lore.kernel.org/r/20250409-fix-lpfc-bios-str-v1-1-05dac9e51e13@kernel.org +Reviewed-by: Justin Tee +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 1e04b6fc127af..d5e21e74888a7 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -6031,9 +6031,9 @@ lpfc_sli4_get_ctl_attr(struct lpfc_hba *phba) + phba->sli4_hba.flash_id = bf_get(lpfc_cntl_attr_flash_id, cntl_attr); + phba->sli4_hba.asic_rev = bf_get(lpfc_cntl_attr_asic_rev, cntl_attr); + +- memset(phba->BIOSVersion, 0, sizeof(phba->BIOSVersion)); +- strlcat(phba->BIOSVersion, (char *)cntl_attr->bios_ver_str, ++ memcpy(phba->BIOSVersion, cntl_attr->bios_ver_str, + sizeof(phba->BIOSVersion)); ++ phba->BIOSVersion[sizeof(phba->BIOSVersion) - 1] = '\0'; + + lpfc_printf_log(phba, KERN_INFO, LOG_SLI, + "3086 lnk_type:%d, lnk_numb:%d, bios_ver:%s, " +-- +2.39.5 + diff --git a/queue-6.1/sctp-do-not-wake-readers-in-__sctp_write_space.patch b/queue-6.1/sctp-do-not-wake-readers-in-__sctp_write_space.patch new file mode 100644 index 0000000000..c520552564 --- /dev/null +++ b/queue-6.1/sctp-do-not-wake-readers-in-__sctp_write_space.patch @@ -0,0 +1,42 @@ +From 8e803c12fd9ba086bedce3746be74ad3cf413dfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 10:17:28 +0200 +Subject: sctp: Do not wake readers in __sctp_write_space() + +From: Petr Malat + +[ Upstream commit af295892a7abbf05a3c2ba7abc4d81bb448623d6 ] + +Function __sctp_write_space() doesn't set poll key, which leads to +ep_poll_callback() waking up all waiters, not only these waiting +for the socket being writable. Set the key properly using +wake_up_interruptible_poll(), which is preferred over the sync +variant, as writers are not woken up before at least half of the +queue is available. Also, TCP does the same. + +Signed-off-by: Petr Malat +Acked-by: Xin Long +Link: https://patch.msgid.link/20250516081727.1361451-1-oss@malat.biz +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 65162d67c3a3c..8a8a5cf8d8e65 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -9089,7 +9089,8 @@ static void __sctp_write_space(struct sctp_association *asoc) + wq = rcu_dereference(sk->sk_wq); + if (wq) { + if (waitqueue_active(&wq->wait)) +- wake_up_interruptible(&wq->wait); ++ wake_up_interruptible_poll(&wq->wait, EPOLLOUT | ++ EPOLLWRNORM | EPOLLWRBAND); + + /* Note that we try to include the Async I/O support + * here by modeling from the current TCP/UDP code. +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index 95383a417f..f218470552 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -371,3 +371,71 @@ pci-dw-rockchip-fix-phy-function-call-sequence-in-rockchip_pcie_phy_deinit.patch iio-accel-fxls8962af-fix-temperature-scan-element-sign.patch iio-imu-inv_icm42600-fix-temperature-calculation.patch iio-adc-ad7606_spi-fix-reg-write-value-mask.patch +acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch +asoc-amd-yc-add-quirk-for-lenovo-yoga-pro-7-14asp9.patch +clocksource-fix-the-cpus-choice-in-the-watchdog-per-.patch +mmc-add-quirk-to-disable-ddr50-tuning.patch +acpica-avoid-sequence-overread-in-call-to-strncmp.patch +asoc-tas2770-power-cycle-amp-on-isense-vsense-change.patch +acpi-bus-bail-out-if-acpi_kobj-registration-fails.patch +acpica-fix-acpi-parse-and-parseext-cache-leaks.patch +power-supply-bq27xxx-retrieve-again-when-busy.patch +acpica-utilities-fix-overflow-check-in-vsnprintf.patch +asoc-tegra210_ahub-add-check-to-of_device_get_match_.patch +pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch +acpi-battery-negate-current-when-discharging.patch +net-macb-check-return-value-of-dma_set_mask_and_cohe.patch +net-lan743x-modify-the-eeprom-and-otp-size-for-pci1x.patch +tipc-use-kfree_sensitive-for-aead-cleanup.patch +bpf-check-rcu_read_lock_trace_held-in-bpf_map_lookup.patch +i2c-designware-invoke-runtime-suspend-on-quick-slave.patch +emulex-benet-correct-command-version-selection-in-be.patch +wifi-mt76-mt76x2-add-support-for-liteon-wn4516r-wn45.patch +wifi-mt76-mt7921-add-160-mhz-ap-for-mt7922-device.patch +sctp-do-not-wake-readers-in-__sctp_write_space.patch +cpufreq-scmi-skip-scmi-devices-that-aren-t-used-by-t.patch +i2c-tegra-check-msg-length-in-smbus-block-read.patch +i2c-npcm-add-clock-toggle-recovery.patch +net-dlink-add-synchronization-for-stats-update.patch +wifi-ath11k-fix-qmi-memory-reuse-logic.patch +tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch +tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch +x86-sgx-prevent-attempts-to-reclaim-poisoned-pages.patch +ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch +openvswitch-stricter-validation-for-the-userspace-ac.patch +net-atlantic-generate-software-timestamp-just-before.patch +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-760 +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-3693 +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-10884 +net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch +net-vertexcom-mse102x-return-code-for-mse102x_rx_pkt.patch +wireless-purelifi-plfxlc-fix-memory-leak-in-plfxlc_u.patch +wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch +bpftool-fix-cgroup-command-to-only-show-cgroup-bpf-p.patch +clk-rockchip-rk3036-mark-ddrphy-as-critical.patch +libbpf-add-identical-pointer-detection-to-btf_dedup_.patch +scsi-lpfc-fix-lpfc_check_sli_ndlp-handling-for-gen_r.patch +iommu-amd-ensure-ga-log-notifier-callbacks-finish-ru.patch +wifi-mac80211_hwsim-prevent-tsf-from-setting-if-beac.patch +net-bridge-mcast-update-multicast-contex-when-vlan-s.patch +net-bridge-mcast-re-implement-br_multicast_-enable-d.patch +vxlan-do-not-treat-dst-cache-initialization-errors-a.patch +software-node-correct-a-oob-check-in-software_node_g.patch +pinctrl-mcp23s08-reset-all-pins-to-input-at-probe.patch +scsi-lpfc-use-memcpy-for-bios-version.patch +sock-correct-error-checking-condition-for-assign-rel.patch +i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch +ice-fix-check-for-existing-switch-rule.patch +bpf-sockmap-fix-data-lost-during-eagain-retries.patch +net-ethernet-cortina-use-toe-tso-on-all-tcp.patch +octeontx2-pf-add-error-log-forcn10k_map_unmap_rq_pol.patch +fbcon-make-sure-modelist-not-set-on-unregistered-con.patch +watchdog-da9052_wdt-respect-twdmin.patch +bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch +arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch +tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch +revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch +platform-x86-dell_rbu-fix-list-usage.patch +platform-x86-dell_rbu-stop-overwriting-data-buffer.patch +powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch diff --git a/queue-6.1/sock-correct-error-checking-condition-for-assign-rel.patch b/queue-6.1/sock-correct-error-checking-condition-for-assign-rel.patch new file mode 100644 index 0000000000..e31afd855a --- /dev/null +++ b/queue-6.1/sock-correct-error-checking-condition-for-assign-rel.patch @@ -0,0 +1,49 @@ +From d54427f763c9d6a88063d6aefc28c64a6a00ffcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 09:01:27 +0800 +Subject: sock: Correct error checking condition for + (assign|release)_proto_idx() + +From: Zijun Hu + +[ Upstream commit faeefc173be40512341b102cf1568aa0b6571acd ] + +(assign|release)_proto_idx() wrongly check find_first_zero_bit() failure +by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously. + +Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)' + +Signed-off-by: Zijun Hu +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250410-fix_net-v2-1-d69e7c5739a4@quicinc.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index 168e7f42c0542..d8c0650322ea6 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3797,7 +3797,7 @@ static int assign_proto_idx(struct proto *prot) + { + prot->inuse_idx = find_first_zero_bit(proto_inuse_idx, PROTO_INUSE_NR); + +- if (unlikely(prot->inuse_idx == PROTO_INUSE_NR - 1)) { ++ if (unlikely(prot->inuse_idx == PROTO_INUSE_NR)) { + pr_err("PROTO_INUSE_NR exhausted\n"); + return -ENOSPC; + } +@@ -3808,7 +3808,7 @@ static int assign_proto_idx(struct proto *prot) + + static void release_proto_idx(struct proto *prot) + { +- if (prot->inuse_idx != PROTO_INUSE_NR - 1) ++ if (prot->inuse_idx != PROTO_INUSE_NR) + clear_bit(prot->inuse_idx, proto_inuse_idx); + } + #else +-- +2.39.5 + diff --git a/queue-6.1/software-node-correct-a-oob-check-in-software_node_g.patch b/queue-6.1/software-node-correct-a-oob-check-in-software_node_g.patch new file mode 100644 index 0000000000..58da783e65 --- /dev/null +++ b/queue-6.1/software-node-correct-a-oob-check-in-software_node_g.patch @@ -0,0 +1,42 @@ +From 3d880c8f0ea98331bc0a6e817c65f745ce94bf3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 19:36:52 +0800 +Subject: software node: Correct a OOB check in + software_node_get_reference_args() + +From: Zijun Hu + +[ Upstream commit 31e4e12e0e9609850cefd4b2e1adf782f56337d6 ] + +software_node_get_reference_args() wants to get @index-th element, so +the property value requires at least '(index + 1) * sizeof(*ref)' bytes +but that can not be guaranteed by current OOB check, and may cause OOB +for malformed property. + +Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'. + +Reviewed-by: Sakari Ailus +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250414-fix_swnode-v2-1-9c9e6ae11eab@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/swnode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c +index 44153caa893ad..fdea6b93eb30e 100644 +--- a/drivers/base/swnode.c ++++ b/drivers/base/swnode.c +@@ -518,7 +518,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode, + if (prop->is_inline) + return -EINVAL; + +- if (index * sizeof(*ref) >= prop->length) ++ if ((index + 1) * sizeof(*ref) > prop->length) + return -ENOENT; + + ref_array = prop->pointer; +-- +2.39.5 + diff --git a/queue-6.1/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch b/queue-6.1/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch new file mode 100644 index 0000000000..61b1e2eeb5 --- /dev/null +++ b/queue-6.1/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch @@ -0,0 +1,71 @@ +From 4b1a65b5d9976b678bdf1ceaa2a0b9ef05251e7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 19:39:15 +0000 +Subject: tcp: always seek for minimal rtt in tcp_rcv_rtt_update() + +From: Eric Dumazet + +[ Upstream commit b879dcb1aeeca278eacaac0b1e2425b1c7599f9f ] + +tcp_rcv_rtt_update() goal is to maintain an estimation of the RTT +in tp->rcv_rtt_est.rtt_us, used by tcp_rcv_space_adjust() + +When TCP TS are enabled, tcp_rcv_rtt_update() is using +EWMA to smooth the samples. + +Change this to immediately latch the incoming value if it +is lower than tp->rcv_rtt_est.rtt_us, so that tcp_rcv_space_adjust() +does not overshoot tp->rcvq_space.space and sk->sk_rcvbuf. + +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250513193919.1089692-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 22 ++++++++-------------- + 1 file changed, 8 insertions(+), 14 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index db1a99df29d55..1044e9bce2d88 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -649,10 +649,12 @@ EXPORT_SYMBOL(tcp_initialize_rcv_mss); + */ + static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep) + { +- u32 new_sample = tp->rcv_rtt_est.rtt_us; +- long m = sample; ++ u32 new_sample, old_sample = tp->rcv_rtt_est.rtt_us; ++ long m = sample << 3; + +- if (new_sample != 0) { ++ if (old_sample == 0 || m < old_sample) { ++ new_sample = m; ++ } else { + /* If we sample in larger samples in the non-timestamp + * case, we could grossly overestimate the RTT especially + * with chatty applications or bulk transfer apps which +@@ -663,17 +665,9 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep) + * else with timestamps disabled convergence takes too + * long. + */ +- if (!win_dep) { +- m -= (new_sample >> 3); +- new_sample += m; +- } else { +- m <<= 3; +- if (m < new_sample) +- new_sample = m; +- } +- } else { +- /* No previous measure. */ +- new_sample = m << 3; ++ if (win_dep) ++ return; ++ new_sample = old_sample - (old_sample >> 3) + sample; + } + + tp->rcv_rtt_est.rtt_us = new_sample; +-- +2.39.5 + diff --git a/queue-6.1/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch b/queue-6.1/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch new file mode 100644 index 0000000000..c25c70e491 --- /dev/null +++ b/queue-6.1/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch @@ -0,0 +1,52 @@ +From afa578f23757d7d24b35b365aa20334d667bb4cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 19:39:14 +0000 +Subject: tcp: fix initial tp->rcvq_space.space value for passive TS enabled + flows + +From: Eric Dumazet + +[ Upstream commit cd171461b90a2d2cf230943df60d580174633718 ] + +tcp_rcv_state_process() must tweak tp->advmss for TS enabled flows +before the call to tcp_init_transfer() / tcp_init_buffer_space(). + +Otherwise tp->rcvq_space.space is off by 120 bytes +(TCP_INIT_CWND * TCPOLEN_TSTAMP_ALIGNED). + +Signed-off-by: Eric Dumazet +Reviewed-by: Wei Wang +Link: https://patch.msgid.link/20250513193919.1089692-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 1044e9bce2d88..2888aaae0d76f 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -6633,6 +6633,9 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + if (!tp->srtt_us) + tcp_synack_rtt_meas(sk, req); + ++ if (tp->rx_opt.tstamp_ok) ++ tp->advmss -= TCPOLEN_TSTAMP_ALIGNED; ++ + if (req) { + tcp_rcv_synrecv_state_fastopen(sk); + } else { +@@ -6657,9 +6660,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + tp->snd_wnd = ntohs(th->window) << tp->rx_opt.snd_wscale; + tcp_init_wl(tp, TCP_SKB_CB(skb)->seq); + +- if (tp->rx_opt.tstamp_ok) +- tp->advmss -= TCPOLEN_TSTAMP_ALIGNED; +- + if (!inet_csk(sk)->icsk_ca_ops->cong_control) + tcp_update_pacing_rate(sk); + +-- +2.39.5 + diff --git a/queue-6.1/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch b/queue-6.1/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch new file mode 100644 index 0000000000..1709085151 --- /dev/null +++ b/queue-6.1/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch @@ -0,0 +1,87 @@ +From 51d7e7d373d4e053e559547934e9e669afccac12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 15:06:43 +0200 +Subject: tee: Prevent size calculation wraparound on 32-bit kernels + +From: Jann Horn + +[ Upstream commit 39bb67edcc582b3b386a9ec983da67fa8a10ec03 ] + +The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on +32-bit kernels: Multiplying a user-provided 32-bit value with the +size of a structure can wrap around on such platforms. + +Fix it by using saturating arithmetic for the size calculation. + +This has no security consequences because, in all users of +TEE_IOCTL_PARAM_SIZE(), the subsequent kcalloc() implicitly checks +for wrapping. + +Signed-off-by: Jann Horn +Signed-off-by: Jens Wiklander +Tested-by: Rouven Czerwinski +Signed-off-by: Sasha Levin +--- + drivers/tee/tee_core.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c +index 98da206cd7615..a9a893bc19fa4 100644 +--- a/drivers/tee/tee_core.c ++++ b/drivers/tee/tee_core.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -19,7 +20,7 @@ + + #define TEE_NUM_DEVICES 32 + +-#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x)) ++#define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x))) + + #define TEE_UUID_NS_NAME_SIZE 128 + +@@ -487,7 +488,7 @@ static int tee_ioctl_open_session(struct tee_context *ctx, + if (copy_from_user(&arg, uarg, sizeof(arg))) + return -EFAULT; + +- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) ++ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) + return -EINVAL; + + if (arg.num_params) { +@@ -565,7 +566,7 @@ static int tee_ioctl_invoke(struct tee_context *ctx, + if (copy_from_user(&arg, uarg, sizeof(arg))) + return -EFAULT; + +- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) ++ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) + return -EINVAL; + + if (arg.num_params) { +@@ -699,7 +700,7 @@ static int tee_ioctl_supp_recv(struct tee_context *ctx, + if (get_user(num_params, &uarg->num_params)) + return -EFAULT; + +- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len) ++ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len) + return -EINVAL; + + params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); +@@ -798,7 +799,7 @@ static int tee_ioctl_supp_send(struct tee_context *ctx, + get_user(num_params, &uarg->num_params)) + return -EFAULT; + +- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len) ++ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len) + return -EINVAL; + + params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.1/tipc-use-kfree_sensitive-for-aead-cleanup.patch b/queue-6.1/tipc-use-kfree_sensitive-for-aead-cleanup.patch new file mode 100644 index 0000000000..15b061fb2d --- /dev/null +++ b/queue-6.1/tipc-use-kfree_sensitive-for-aead-cleanup.patch @@ -0,0 +1,45 @@ +From 55ebe127b2bbaf33b78bc44c3877c92f308fb239 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 11:47:17 +0000 +Subject: tipc: use kfree_sensitive() for aead cleanup + +From: Zilin Guan + +[ Upstream commit c8ef20fe7274c5766a317f9193b70bed717b6b3d ] + +The tipc_aead_free() function currently uses kfree() to release the aead +structure. However, this structure contains sensitive information, such +as key's SALT value, which should be securely erased from memory to +prevent potential leakage. + +To enhance security, replace kfree() with kfree_sensitive() when freeing +the aead structure. This change ensures that sensitive data is explicitly +cleared before memory deallocation, aligning with the approach used in +tipc_aead_init() and adhering to best practices for handling confidential +information. + +Signed-off-by: Zilin Guan +Reviewed-by: Tung Nguyen +Link: https://patch.msgid.link/20250523114717.4021518-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 17e2b09002853..d52829c6aa472 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -425,7 +425,7 @@ static void tipc_aead_free(struct rcu_head *rp) + } + free_percpu(aead->tfm_entry); + kfree_sensitive(aead->key); +- kfree(aead); ++ kfree_sensitive(aead); + } + + static int tipc_aead_users(struct tipc_aead __rcu *aead) +-- +2.39.5 + diff --git a/queue-6.1/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch b/queue-6.1/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch new file mode 100644 index 0000000000..7efe6b9033 --- /dev/null +++ b/queue-6.1/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch @@ -0,0 +1,75 @@ +From f6ba6a6efcda5cf64541d631555cf54a224c9be9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 15:11:41 +0300 +Subject: vxlan: Do not treat dst cache initialization errors as fatal + +From: Ido Schimmel + +[ Upstream commit 20c76dadc783759fd3819d289c72be590660cc8b ] + +FDB entries are allocated in an atomic context as they can be added from +the data path when learning is enabled. + +After converting the FDB hash table to rhashtable, the insertion rate +will be much higher (*) which will entail a much higher rate of per-CPU +allocations via dst_cache_init(). + +When adding a large number of entries (e.g., 256k) in a batch, a small +percentage (< 0.02%) of these per-CPU allocations will fail [1]. This +does not happen with the current code since the insertion rate is low +enough to give the per-CPU allocator a chance to asynchronously create +new chunks of per-CPU memory. + +Given that: + +a. Only a small percentage of these per-CPU allocations fail. + +b. The scenario where this happens might not be the most realistic one. + +c. The driver can work correctly without dst caches. The dst_cache_*() +APIs first check that the dst cache was properly initialized. + +d. The dst caches are not always used (e.g., 'tos inherit'). + +It seems reasonable to not treat these allocation failures as fatal. + +Therefore, do not bail when dst_cache_init() fails and suppress warnings +by specifying '__GFP_NOWARN'. + +[1] percpu: allocation failed, size=40 align=8 atomic=1, atomic alloc failed, no space left + +(*) 97% reduction in average latency of vxlan_fdb_update() when adding +256k entries in a batch. + +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20250415121143.345227-14-idosch@nvidia.com +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan/vxlan_core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c +index ef61eab81707c..747ce00dd321d 100644 +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -653,10 +653,10 @@ static int vxlan_fdb_append(struct vxlan_fdb *f, + if (rd == NULL) + return -ENOMEM; + +- if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) { +- kfree(rd); +- return -ENOMEM; +- } ++ /* The driver can work correctly without a dst cache, so do not treat ++ * dst cache initialization errors as fatal. ++ */ ++ dst_cache_init(&rd->dst_cache, GFP_ATOMIC | __GFP_NOWARN); + + rd->remote_ip = *ip; + rd->remote_port = port; +-- +2.39.5 + diff --git a/queue-6.1/watchdog-da9052_wdt-respect-twdmin.patch b/queue-6.1/watchdog-da9052_wdt-respect-twdmin.patch new file mode 100644 index 0000000000..7a5333a130 --- /dev/null +++ b/queue-6.1/watchdog-da9052_wdt-respect-twdmin.patch @@ -0,0 +1,39 @@ +From d1fea3f79f65847eb81a546e6cd3298537469897 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 09:29:51 +0100 +Subject: watchdog: da9052_wdt: respect TWDMIN + +From: Marcus Folkesson + +[ Upstream commit 325f510fcd9cda5a44bcb662b74ba4e3dabaca10 ] + +We have to wait at least the minimium time for the watchdog window +(TWDMIN) before writings to the wdt register after the +watchdog is activated. +Otherwise the chip will assert TWD_ERROR and power down to reset mode. + +Signed-off-by: Marcus Folkesson +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250326-da9052-fixes-v3-4-a38a560fef0e@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/da9052_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/da9052_wdt.c b/drivers/watchdog/da9052_wdt.c +index d708c091bf1b1..180526220d8c4 100644 +--- a/drivers/watchdog/da9052_wdt.c ++++ b/drivers/watchdog/da9052_wdt.c +@@ -164,6 +164,7 @@ static int da9052_wdt_probe(struct platform_device *pdev) + da9052_wdt = &driver_data->wdt; + + da9052_wdt->timeout = DA9052_DEF_TIMEOUT; ++ da9052_wdt->min_hw_heartbeat_ms = DA9052_TWDMIN; + da9052_wdt->info = &da9052_wdt_info; + da9052_wdt->ops = &da9052_wdt_ops; + da9052_wdt->parent = dev; +-- +2.39.5 + diff --git a/queue-6.1/wifi-ath11k-fix-qmi-memory-reuse-logic.patch b/queue-6.1/wifi-ath11k-fix-qmi-memory-reuse-logic.patch new file mode 100644 index 0000000000..fd76a8d120 --- /dev/null +++ b/queue-6.1/wifi-ath11k-fix-qmi-memory-reuse-logic.patch @@ -0,0 +1,70 @@ +From d2e106a3ea012d42b6cf75dcbae90ea090092dec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 13:02:41 +0500 +Subject: wifi: ath11k: Fix QMI memory reuse logic + +From: Muhammad Usama Anjum + +[ Upstream commit cd2e7bae92bd7e65063ab8d04721d2b711ba4cbe ] + +Firmware requests 2 segments at first. The first segment is of 6799360 +whose allocation fails due to dma remapping not available. The success +is returned to firmware. Then firmware asks for 22 smaller segments +instead of 2 big ones. Those get allocated successfully. At suspend/ +hibernation time, these segments aren't freed as they will be reused +by firmware after resuming. + +After resuming, the firmware asks for the 2 segments again with the +first segment of 6799360 size. Since chunk->vaddr is not NULL, the +type and size are compared with the previous type and size to know if +it can be reused or not. Unfortunately, it is detected that it cannot +be reused and this first smaller segment is freed. Then we continue to +allocate 6799360 size memory which fails and ath11k_qmi_free_target_mem_chunk() +is called which frees the second smaller segment as well. Later success +is returned to firmware which asks for 22 smaller segments again. But +as we had freed 2 segments already, we'll allocate the first 2 new +smaller segments again and reuse the remaining 20. Hence 20 small +segments are being reused instead of 22. + +Add skip logic when vaddr is set, but size/type don't match. Use the +same skip and success logic as used when dma_alloc_coherent() fails. +By skipping, the possibility of resume failure due to kernel failing to +allocate memory for QMI can be avoided. + + kernel: ath11k_pci 0000:03:00.0: failed to allocate dma memory for qmi (524288 B type 1) + ath11k_pci 0000:03:00.0: failed to allocate qmi target memory: -22 + +Tested-on: WCN6855 WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 + +Signed-off-by: Muhammad Usama Anjum +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250428080242.466901-1-usama.anjum@collabora.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/qmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c +index 764cd320c6c18..f790759c86115 100644 +--- a/drivers/net/wireless/ath/ath11k/qmi.c ++++ b/drivers/net/wireless/ath/ath11k/qmi.c +@@ -1989,6 +1989,15 @@ static int ath11k_qmi_alloc_target_mem_chunk(struct ath11k_base *ab) + chunk->prev_size == chunk->size) + continue; + ++ if (ab->qmi.mem_seg_count <= ATH11K_QMI_FW_MEM_REQ_SEGMENT_CNT) { ++ ath11k_dbg(ab, ATH11K_DBG_QMI, ++ "size/type mismatch (current %d %u) (prev %d %u), try later with small size\n", ++ chunk->size, chunk->type, ++ chunk->prev_size, chunk->prev_type); ++ ab->qmi.target_mem_delayed = true; ++ return 0; ++ } ++ + /* cannot reuse the existing chunk */ + dma_free_coherent(ab->dev, chunk->prev_size, + chunk->vaddr, chunk->paddr); +-- +2.39.5 + diff --git a/queue-6.1/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch b/queue-6.1/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch new file mode 100644 index 0000000000..e27aa9f3ce --- /dev/null +++ b/queue-6.1/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch @@ -0,0 +1,67 @@ +From ae9ec00b6748b4bc62e314aa6de99c2bfb32c066 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 21:10:42 +0200 +Subject: wifi: mac80211: do not offer a mesh path if forwarding is disabled + +From: Benjamin Berg + +[ Upstream commit cf1b684a06170d253b47d6a5287821de976435bd ] + +When processing a PREQ the code would always check whether we have a +mesh path locally and reply accordingly. However, when forwarding is +disabled then we should not reply with this information as we will not +forward data packets down that path. + +Move the check for dot11MeshForwarding up in the function and skip the +mesh path lookup in that case. In the else block, set forward to false +so that the rest of the function becomes a no-op and the +dot11MeshForwarding check does not need to be duplicated. + +This explains an effect observed in the Freifunk community where mesh +forwarding is disabled. In that case a mesh with three STAs and only bad +links in between them, individual STAs would occionally have indirect +mpath entries. This should not have happened. + +Signed-off-by: Benjamin Berg +Reviewed-by: Rouven Czerwinski +Link: https://patch.msgid.link/20250430191042.3287004-1-benjamin@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_hwmp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index 47eb67dc11cfe..da9e152a7aaba 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -625,7 +625,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + mesh_path_add_gate(mpath); + } + rcu_read_unlock(); +- } else { ++ } else if (ifmsh->mshcfg.dot11MeshForwarding) { + rcu_read_lock(); + mpath = mesh_path_lookup(sdata, target_addr); + if (mpath) { +@@ -643,6 +643,8 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + } + } + rcu_read_unlock(); ++ } else { ++ forward = false; + } + + if (reply) { +@@ -660,7 +662,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + } + } + +- if (forward && ifmsh->mshcfg.dot11MeshForwarding) { ++ if (forward) { + u32 preq_id; + u8 hopcount; + +-- +2.39.5 + diff --git a/queue-6.1/wifi-mac80211_hwsim-prevent-tsf-from-setting-if-beac.patch b/queue-6.1/wifi-mac80211_hwsim-prevent-tsf-from-setting-if-beac.patch new file mode 100644 index 0000000000..646a70e69e --- /dev/null +++ b/queue-6.1/wifi-mac80211_hwsim-prevent-tsf-from-setting-if-beac.patch @@ -0,0 +1,42 @@ +From 6885e24adf6145ac34084d6bcd7855f203a0c21f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 22:15:53 +0800 +Subject: wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled + +From: Edward Adam Davis + +[ Upstream commit c575f5374be7a5c4be4acb9fe6be3a4669d94674 ] + +Setting tsf is meaningless if beacon is disabled, so check that beacon +is enabled before setting tsf. + +Reported-by: syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=064815c6cd721082a52a +Tested-by: syzbot+064815c6cd721082a52a@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Link: https://patch.msgid.link/tencent_3609AC2EFAAED68CA5A7E3C6D212D1C67806@qq.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index abcd165a62cfe..80a2a668cfb9e 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -1091,6 +1091,11 @@ static void mac80211_hwsim_set_tsf(struct ieee80211_hw *hw, + /* MLD not supported here */ + u32 bcn_int = data->link_data[0].beacon_int; + u64 delta = abs(tsf - now); ++ struct ieee80211_bss_conf *conf; ++ ++ conf = link_conf_dereference_protected(vif, data->link_data[0].link_id); ++ if (conf && !conf->enable_beacon) ++ return; + + /* adjust after beaconing with new timestamp at old TBTT */ + if (tsf > now) { +-- +2.39.5 + diff --git a/queue-6.1/wifi-mt76-mt76x2-add-support-for-liteon-wn4516r-wn45.patch b/queue-6.1/wifi-mt76-mt76x2-add-support-for-liteon-wn4516r-wn45.patch new file mode 100644 index 0000000000..b00a7c47c7 --- /dev/null +++ b/queue-6.1/wifi-mt76-mt76x2-add-support-for-liteon-wn4516r-wn45.patch @@ -0,0 +1,86 @@ +From abca5db99a19b12531dea256f11fea32278c2bf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 16:39:14 +0200 +Subject: wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R + +From: Henk Vergonet + +[ Upstream commit 3c0e4f606d8693795a2c965d6f4987b1bfc31097 ] + +Adds support for: + - LiteOn WN4516R + - LiteOn WN4519R + Both use: + - A nonstandard USB connector + - Mediatek chipset MT7600U + - ASIC revision: 76320044 + +Disabled VHT support on ASIC revision 76320044: + + This fixes the 5G connectibity issue on LiteOn WN4519R module + see https://github.com/openwrt/mt76/issues/971 + + And may also fix the 5G issues on the XBox One Wireless Adapter + see https://github.com/openwrt/mt76/issues/200 + + I have looked at the FCC info related to the MT7632U chip as mentioned in here: + https://github.com/openwrt/mt76/issues/459 + These confirm the chipset does not support 'ac' mode and hence VHT should be turned of. + +Signed-off-by: Henk Vergonet +Acked-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20250418143914.31384-1-henk.vergonet@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 2 ++ + .../net/wireless/mediatek/mt76/mt76x2/usb_init.c | 13 ++++++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c +index d804309992196..229a365370ef5 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c +@@ -17,6 +17,8 @@ static const struct usb_device_id mt76x2u_device_table[] = { + { USB_DEVICE(0x057c, 0x8503) }, /* Avm FRITZ!WLAN AC860 */ + { USB_DEVICE(0x7392, 0xb711) }, /* Edimax EW 7722 UAC */ + { USB_DEVICE(0x0e8d, 0x7632) }, /* HC-M7662BU1 */ ++ { USB_DEVICE(0x0471, 0x2126) }, /* LiteOn WN4516R module, nonstandard USB connector */ ++ { USB_DEVICE(0x0471, 0x7600) }, /* LiteOn WN4519R module, nonstandard USB connector */ + { USB_DEVICE(0x2c4e, 0x0103) }, /* Mercury UD13 */ + { USB_DEVICE(0x0846, 0x9053) }, /* Netgear A6210 */ + { USB_DEVICE(0x045e, 0x02e6) }, /* XBox One Wireless Adapter */ +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c +index 33a14365ec9b9..3b55628115115 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb_init.c +@@ -191,6 +191,7 @@ int mt76x2u_register_device(struct mt76x02_dev *dev) + { + struct ieee80211_hw *hw = mt76_hw(dev); + struct mt76_usb *usb = &dev->mt76.usb; ++ bool vht; + int err; + + INIT_DELAYED_WORK(&dev->cal_work, mt76x2u_phy_calibrate); +@@ -217,7 +218,17 @@ int mt76x2u_register_device(struct mt76x02_dev *dev) + + /* check hw sg support in order to enable AMSDU */ + hw->max_tx_fragments = dev->mt76.usb.sg_en ? MT_TX_SG_MAX_SIZE : 1; +- err = mt76_register_device(&dev->mt76, true, mt76x02_rates, ++ switch (dev->mt76.rev) { ++ case 0x76320044: ++ /* these ASIC revisions do not support VHT */ ++ vht = false; ++ break; ++ default: ++ vht = true; ++ break; ++ } ++ ++ err = mt76_register_device(&dev->mt76, vht, mt76x02_rates, + ARRAY_SIZE(mt76x02_rates)); + if (err) + goto fail; +-- +2.39.5 + diff --git a/queue-6.1/wifi-mt76-mt7921-add-160-mhz-ap-for-mt7922-device.patch b/queue-6.1/wifi-mt76-mt7921-add-160-mhz-ap-for-mt7922-device.patch new file mode 100644 index 0000000000..df05d7967f --- /dev/null +++ b/queue-6.1/wifi-mt76-mt7921-add-160-mhz-ap-for-mt7922-device.patch @@ -0,0 +1,38 @@ +From 1bdba637259fd279f431c70f5975b27b59127526 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 19:53:09 -0500 +Subject: wifi: mt76: mt7921: add 160 MHz AP for mt7922 device + +From: Samuel Williams + +[ Upstream commit 7011faebe543f8f094fdb3281d0ec9e1eab81309 ] + +This allows mt7922 in hostapd mode to transmit up to 1.4 Gbps. + +Signed-off-by: Samuel Williams +Link: https://patch.msgid.link/20250511005316.1118961-1-sam8641@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +index 5070cc23917bd..7adda1718d6ac 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -104,6 +104,11 @@ mt7921_init_he_caps(struct mt7921_phy *phy, enum nl80211_band band, + he_cap_elem->phy_cap_info[9] |= + IEEE80211_HE_PHY_CAP9_TX_1024_QAM_LESS_THAN_242_TONE_RU | + IEEE80211_HE_PHY_CAP9_RX_1024_QAM_LESS_THAN_242_TONE_RU; ++ ++ if (is_mt7922(phy->mt76->dev)) { ++ he_cap_elem->phy_cap_info[0] |= ++ IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G; ++ } + break; + case NL80211_IFTYPE_STATION: + he_cap_elem->mac_cap_info[1] |= +-- +2.39.5 + diff --git a/queue-6.1/wireless-purelifi-plfxlc-fix-memory-leak-in-plfxlc_u.patch b/queue-6.1/wireless-purelifi-plfxlc-fix-memory-leak-in-plfxlc_u.patch new file mode 100644 index 0000000000..afb54fd2c4 --- /dev/null +++ b/queue-6.1/wireless-purelifi-plfxlc-fix-memory-leak-in-plfxlc_u.patch @@ -0,0 +1,39 @@ +From 329ddbf6b2ecc6e6c8d5daa6a06c184cce12e223 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Apr 2025 10:57:45 +0100 +Subject: wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() + +From: Salah Triki + +[ Upstream commit 63a9a727d373fa5b8ce509eef50dbc45e0f745b9 ] + +Add usb_free_urb() in the error path to prevent memory leak. + +Signed-off-by: Salah Triki +Link: https://patch.msgid.link/aA3_maPlEJzO7wrL@pc +[fix subject] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/purelifi/plfxlc/usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/purelifi/plfxlc/usb.c b/drivers/net/wireless/purelifi/plfxlc/usb.c +index 311676c1ece0a..8151bc5e00ccc 100644 +--- a/drivers/net/wireless/purelifi/plfxlc/usb.c ++++ b/drivers/net/wireless/purelifi/plfxlc/usb.c +@@ -503,8 +503,10 @@ int plfxlc_usb_wreq_async(struct plfxlc_usb *usb, const u8 *buffer, + (void *)buffer, buffer_len, complete_fn, context); + + r = usb_submit_urb(urb, GFP_ATOMIC); +- if (r) ++ if (r) { ++ usb_free_urb(urb); + dev_err(&udev->dev, "Async write submit failed (%d)\n", r); ++ } + + return r; + } +-- +2.39.5 + diff --git a/queue-6.1/x86-sgx-prevent-attempts-to-reclaim-poisoned-pages.patch b/queue-6.1/x86-sgx-prevent-attempts-to-reclaim-poisoned-pages.patch new file mode 100644 index 0000000000..2fb371fd61 --- /dev/null +++ b/queue-6.1/x86-sgx-prevent-attempts-to-reclaim-poisoned-pages.patch @@ -0,0 +1,87 @@ +From 5be0fb4c7ca514890e96e85367ce44797bf45e14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 01:04:29 +0200 +Subject: x86/sgx: Prevent attempts to reclaim poisoned pages + +From: Andrew Zaborowski + +[ Upstream commit ed16618c380c32c68c06186d0ccbb0d5e0586e59 ] + +TL;DR: SGX page reclaim touches the page to copy its contents to +secondary storage. SGX instructions do not gracefully handle machine +checks. Despite this, the existing SGX code will try to reclaim pages +that it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages. + +The longer story: + +Pages used by an enclave only get epc_page->poison set in +arch_memory_failure() but they currently stay on sgx_active_page_list until +sgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched. + +epc_page->poison is not checked in the reclaimer logic meaning that, if other +conditions are met, an attempt will be made to reclaim an EPC page that was +poisoned. This is bad because 1. we don't want that page to end up added +to another enclave and 2. it is likely to cause one core to shut down +and the kernel to panic. + +Specifically, reclaiming uses microcode operations including "EWB" which +accesses the EPC page contents to encrypt and write them out to non-SGX +memory. Those operations cannot handle MCEs in their accesses other than +by putting the executing core into a special shutdown state (affecting +both threads with HT.) The kernel will subsequently panic on the +remaining cores seeing the core didn't enter MCE handler(s) in time. + +Call sgx_unmark_page_reclaimable() to remove the affected EPC page from +sgx_active_page_list on memory error to stop it being considered for +reclaiming. + +Testing epc_page->poison in sgx_reclaim_pages() would also work but I assume +it's better to add code in the less likely paths. + +The affected EPC page is not added to &node->sgx_poison_page_list until +later in sgx_encl_release()->sgx_free_epc_page() when it is EREMOVEd. +Membership on other lists doesn't change to avoid changing any of the +lists' semantics except for sgx_active_page_list. There's a "TBD" comment +in arch_memory_failure() about pre-emptive actions, the goal here is not +to address everything that it may imply. + +This also doesn't completely close the time window when a memory error +notification will be fatal (for a not previously poisoned EPC page) -- +the MCE can happen after sgx_reclaim_pages() has selected its candidates +or even *inside* a microcode operation (actually easy to trigger due to +the amount of time spent in them.) + +The spinlock in sgx_unmark_page_reclaimable() is safe because +memory_failure() runs in process context and no spinlocks are held, +explicitly noted in a mm/memory-failure.c comment. + +Signed-off-by: Andrew Zaborowski +Signed-off-by: Ingo Molnar +Acked-by: Dave Hansen +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Tony Luck +Cc: balrogg@gmail.com +Cc: linux-sgx@vger.kernel.org +Link: https://lore.kernel.org/r/20250508230429.456271-1-andrew.zaborowski@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/sgx/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c +index c4960b8e5195f..b86eb601827bf 100644 +--- a/arch/x86/kernel/cpu/sgx/main.c ++++ b/arch/x86/kernel/cpu/sgx/main.c +@@ -718,6 +718,8 @@ int arch_memory_failure(unsigned long pfn, int flags) + goto out; + } + ++ sgx_unmark_page_reclaimable(page); ++ + /* + * TBD: Add additional plumbing to enable pre-emptive + * action for asynchronous poison notification. Until +-- +2.39.5 + -- 2.47.2