From 9bd35b873676e5dc2376fdc4a81ccdbc06d48e12 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 28 Apr 2025 21:39:18 -0400 Subject: [PATCH] Fixes for 6.12 Signed-off-by: Sasha Levin --- ...per-handling-of-bogus-negative-read-.patch | 139 +++++++++ ...-concurrent-read-and-writes-to-p9_co.patch | 102 +++++++ ...-ec-set-ec_no_wakeup-for-lenovo-go-s.patch | 82 +++++ ...ding-mistakes-in-a-couple-of-sizeof-.patch | 46 +++ ...ma-get-codec-or-cpu-dai-from-backend.patch | 56 ++++ ...tool-setting-error-code-in-do_loader.patch | 45 +++ ...-between-rcu_tasks_trace-and-event_m.patch | 79 +++++ ...-kmemleak-warning-for-percpu-hashmap.patch | 92 ++++++ ...he-busy-counter-check-in-bpf_cgrp_st.patch | 91 ++++++ ...hing-fexit-fmod_ret-to-__noreturn-fu.patch | 109 +++++++ ...n-t-allow-creation-of-local-partitio.patch | 78 +++++ ...g-of-smb1-session-setup-kerberos-req.patch | 135 +++++++++ ...g-of-wsl-chr-and-blk-reparse-points-.patch | 76 +++++ ...sabled-clock-provider-in-of_clk_get_.patch | 61 ++++ ...cp-add-support-for-pci-device-0x1134.patch | 36 +++ ...ig-fix-lib-built-in-failure-when-arc.patch | 209 +++++++++++++ ...-null-use-spin-lock-instead-of-mutex.patch | 101 +++++++ ...t-fix-dmatest-waiting-less-when-inte.patch | 51 ++++ ...increase-kiq-invalidate_tlbs-timeout.patch | 85 ++++++ ...-dummy-owner-for-sysfs-triggered-cle.patch | 66 ++++ ...use-the-right-function-for-hdp-flush.patch | 281 ++++++++++++++++++ ...-apply-wa_14022293748-wa_22019794406.patch | 40 +++ ...validity-check-resistent-to-sb-bh-co.patch | 78 +++++ ...ning-in-ntfs_extend_initialized_size.patch | 45 +++ ...s-ntfs3-keep-write-operations-atomic.patch | 115 +++++++ ...atmel-hsmci-quirk-up-out-of-the-regu.patch | 49 +++ ...able-gcc-randstruct-for-compile_test.patch | 41 +++ ...-add-support-for-nuvoton-npcm845-i3c.patch | 86 ++++++ ...uring-always-do-atomic-put-from-iowq.patch | 67 +++++ ...ecessary-ifs_block_is_uptodate-check.patch | 43 +++ ...iommu-clear-iommu-dma-ops-on-cleanup.patch | 49 +++ ...dependency-from-vmlinux-to-sorttable.patch | 39 +++ ...g-do-not-call-blocking-ops-when-task.patch | 59 ++++ ...-don-t-use-pk-through-debug-printing.patch | 138 +++++++++ ...390-don-t-use-pk-through-tracepoints.patch | 53 ++++ ...ys-clear-the-platform-ack-interrupt-.patch | 106 +++++++ ...the-possible-race-in-updation-of-cha.patch | 97 ++++++ ...ck-for-missing-source-disk-in-proces.patch | 77 +++++ ...cm-detect-cm-quirks-from-device-tree.patch | 107 +++++++ ...te-proc-fs-netfs-with-config_proc_fs.patch | 117 ++++++++ ...b-reduce-stack-usage-in-idt_scan_mws.patch | 77 +++++ ...w_amd-add-ntb-pci-id-for-new-gen-cpu.patch | 33 ++ ...ix-return-value-of-nvme_available_pa.patch | 35 +++ ...ana-log-page-after-ns-scan-completes.patch | 47 +++ ...equeue-namespace-scan-on-missed-aens.patch | 42 +++ ...-when-assoc-del_work-is-already-sche.patch | 36 +++ ...-fc-take-tgtport-reference-only-once.patch | 77 +++++ ...ecs-wcd934x-remove-potential-undefin.patch | 58 ++++ ...dtm-obfuscate-the-do_nothing-pointer.patch | 86 ++++++ ...nic-disable-smap-in-__stack_chk_fail.patch | 72 +++++ ...r-rk808-remove-potential-undefined-b.patch | 56 ++++ .../objtool-silence-more-kcov-warnings.patch | 67 +++++ ...objtool-stop-unret-validation-on-ud2.patch | 38 +++ ...sc-pdt-fix-missing-prototype-warning.patch | 51 ++++ ...rn_on-ctx-in-__free_event-for-partia.patch | 90 ++++++ ...dp-avoid-call-hpd_event_trigger-in-d.patch | 38 +++ ...-get-rid-of-spurious-level-interrupt.patch | 88 ++++++ ...rza2-fix-potential-null-pointer-dere.patch | 39 +++ queue-6.12/qibfs-fix-_another_-leak.patch | 36 +++ ...-all-alternative-macros-all-the-time.patch | 67 +++++ ...pcf85063-do-a-sw-reset-if-por-failed.patch | 78 +++++ ...0-sclp-add-check-for-get_zeroed_page.patch | 61 ++++ ...-tty-fix-a-potential-memory-leak-bug.patch | 55 ++++ ...make-config_cpu_isolation-depend-on-.patch | 46 +++ ...x-i-o-errors-caused-by-hardware-port.patch | 59 ++++ ...phy_attached-to-zero-when-device-is-.patch | 36 +++ ...enable-prdt-pre-fetching-with-ufshcd.patch | 58 ++++ ...ensure-pre_link-executes-before-exyn.patch | 58 ++++ ...gs101-put-ufs-device-in-reset-on-.su.patch | 75 +++++ ...nos-move-phy-calls-to-.exit-callback.patch | 70 +++++ ...x-stdout-race-condition-in-traffic-m.patch | 117 ++++++++ ...e-allow-read-ahead-pages-to-reach-th.patch | 62 ++++ .../selftests-ublk-fix-test_stripe_04.patch | 58 ++++ queue-6.12/series | 98 ++++++ ...-cancel_sync-warnings-on-uninitializ.patch | 108 +++++++ ...-imx-add-check-for-spi_imx_setupxfer.patch | 54 ++++ ...d-add-rate-limiting-and-simplify-tim.patch | 48 +++ ...d-use-warn_on_once-instead-of-warn_o.patch | 44 +++ ...-retimers-after-device-router-has-be.patch | 68 +++++ ...dd-a-lockdep-override-in-tick_freeze.patch | 85 ++++++ ...-panic-from-test_ubsan_out_of_bounds.patch | 90 ++++++ ...ched_yield-not-yielding-in-time-trav.patch | 65 ++++ ...avoid-using-reserved-endpoints-on-in.patch | 68 +++++ ...refactor-loop-to-avoid-null-endpoint.patch | 89 ++++++ ...d-add-null-pointer-check-in-ast_vhub.patch | 41 +++ ...-hcd-add-missing-spi_device_id-table.patch | 51 ++++ ...at-mvebu-use-quirks-instead-of-init_.patch | 84 ++++++ ...top-endpoint-retry-loop-if-the-endpo.patch | 57 ++++ ...e-error-mid-td-transfers-when-handli.patch | 53 ++++ ...chronous-ring-underrun-overrun-event.patch | 102 +++++++ ...ill-rsb-on-context-switch-with-eibrs.patch | 113 +++++++ ...ill-rsb-on-vmexit-with-eibrs-retpoli.patch | 64 ++++ ...use-sbpb-in-write_ibpb-if-applicable.patch | 41 +++ ...model-number-for-bartlett-lake-cpus-.patch | 47 +++ ...lockevent_i8253_disable-with-interru.patch | 73 +++++ ...-config_pci_cnb20le_quirk-depend-on-.patch | 97 ++++++ ...cpu-idle-and-frequency-drivers-for-p.patch | 74 +++++ ...e-xen-acpi-processor-dom0-dependency.patch | 40 +++ ...ious-events-on-etron-host-isoc-enpoi.patch | 153 ++++++++++ 99 files changed, 7299 insertions(+) create mode 100644 queue-6.12/9p-net-fix-improper-handling-of-bogus-negative-read-.patch create mode 100644 queue-6.12/9p-trans_fd-mark-concurrent-read-and-writes-to-p9_co.patch create mode 100644 queue-6.12/acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch create mode 100644 queue-6.12/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch create mode 100644 queue-6.12/asoc-fsl_asrc_dma-get-codec-or-cpu-dai-from-backend.patch create mode 100644 queue-6.12/bpf-bpftool-setting-error-code-in-do_loader.patch create mode 100644 queue-6.12/bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch create mode 100644 queue-6.12/bpf-fix-kmemleak-warning-for-percpu-hashmap.patch create mode 100644 queue-6.12/bpf-only-fails-the-busy-counter-check-in-bpf_cgrp_st.patch create mode 100644 queue-6.12/bpf-reject-attaching-fexit-fmod_ret-to-__noreturn-fu.patch create mode 100644 queue-6.12/cgroup-cpuset-don-t-allow-creation-of-local-partitio.patch create mode 100644 queue-6.12/cifs-fix-encoding-of-smb1-session-setup-kerberos-req.patch create mode 100644 queue-6.12/cifs-fix-querying-of-wsl-chr-and-blk-reparse-points-.patch create mode 100644 queue-6.12/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch create mode 100644 queue-6.12/crypto-ccp-add-support-for-pci-device-0x1134.patch create mode 100644 queue-6.12/crypto-lib-kconfig-fix-lib-built-in-failure-when-arc.patch create mode 100644 queue-6.12/crypto-null-use-spin-lock-instead-of-mutex.patch create mode 100644 queue-6.12/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch create mode 100644 queue-6.12/drm-amdgpu-increase-kiq-invalidate_tlbs-timeout.patch create mode 100644 queue-6.12/drm-amdgpu-use-a-dummy-owner-for-sysfs-triggered-cle.patch create mode 100644 queue-6.12/drm-amdgpu-use-the-right-function-for-hdp-flush.patch create mode 100644 queue-6.12/drm-xe-xe3lpg-apply-wa_14022293748-wa_22019794406.patch create mode 100644 queue-6.12/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch create mode 100644 queue-6.12/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch create mode 100644 queue-6.12/fs-ntfs3-keep-write-operations-atomic.patch create mode 100644 queue-6.12/gpiolib-of-move-atmel-hsmci-quirk-up-out-of-the-regu.patch create mode 100644 queue-6.12/hardening-disable-gcc-randstruct-for-compile_test.patch create mode 100644 queue-6.12/i3c-master-svc-add-support-for-nuvoton-npcm845-i3c.patch create mode 100644 queue-6.12/io_uring-always-do-atomic-put-from-iowq.patch create mode 100644 queue-6.12/iomap-skip-unnecessary-ifs_block_is_uptodate-check.patch create mode 100644 queue-6.12/iommu-clear-iommu-dma-ops-on-cleanup.patch create mode 100644 queue-6.12/kbuild-add-dependency-from-vmlinux-to-sorttable.patch create mode 100644 queue-6.12/ksmbd-fix-warning-do-not-call-blocking-ops-when-task.patch create mode 100644 queue-6.12/kvm-s390-don-t-use-pk-through-debug-printing.patch create mode 100644 queue-6.12/kvm-s390-don-t-use-pk-through-tracepoints.patch create mode 100644 queue-6.12/mailbox-pcc-always-clear-the-platform-ack-interrupt-.patch create mode 100644 queue-6.12/mailbox-pcc-fix-the-possible-race-in-updation-of-cha.patch create mode 100644 queue-6.12/md-raid1-add-check-for-missing-source-disk-in-proces.patch create mode 100644 queue-6.12/mips-cm-detect-cm-quirks-from-device-tree.patch create mode 100644 queue-6.12/netfs-only-create-proc-fs-netfs-with-config_proc_fs.patch create mode 100644 queue-6.12/ntb-reduce-stack-usage-in-idt_scan_mws.patch create mode 100644 queue-6.12/ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch create mode 100644 queue-6.12/nvme-multipath-fix-return-value-of-nvme_available_pa.patch create mode 100644 queue-6.12/nvme-re-read-ana-log-page-after-ns-scan-completes.patch create mode 100644 queue-6.12/nvme-requeue-namespace-scan-on-missed-aens.patch create mode 100644 queue-6.12/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch create mode 100644 queue-6.12/nvmet-fc-take-tgtport-reference-only-once.patch create mode 100644 queue-6.12/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch create mode 100644 queue-6.12/objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch create mode 100644 queue-6.12/objtool-panic-disable-smap-in-__stack_chk_fail.patch create mode 100644 queue-6.12/objtool-regulator-rk808-remove-potential-undefined-b.patch create mode 100644 queue-6.12/objtool-silence-more-kcov-warnings.patch create mode 100644 queue-6.12/objtool-stop-unret-validation-on-ud2.patch create mode 100644 queue-6.12/parisc-pdt-fix-missing-prototype-warning.patch create mode 100644 queue-6.12/perf-core-fix-warn_on-ctx-in-__free_event-for-partia.patch create mode 100644 queue-6.12/phy-rockchip-usbdp-avoid-call-hpd_event_trigger-in-d.patch create mode 100644 queue-6.12/pinctrl-mcp23s08-get-rid-of-spurious-level-interrupt.patch create mode 100644 queue-6.12/pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch create mode 100644 queue-6.12/qibfs-fix-_another_-leak.patch create mode 100644 queue-6.12/riscv-provide-all-alternative-macros-all-the-time.patch create mode 100644 queue-6.12/rtc-pcf85063-do-a-sw-reset-if-por-failed.patch create mode 100644 queue-6.12/s390-sclp-add-check-for-get_zeroed_page.patch create mode 100644 queue-6.12/s390-tty-fix-a-potential-memory-leak-bug.patch create mode 100644 queue-6.12/sched-isolation-make-config_cpu_isolation-depend-on-.patch create mode 100644 queue-6.12/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch create mode 100644 queue-6.12/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch create mode 100644 queue-6.12/scsi-ufs-exynos-enable-prdt-pre-fetching-with-ufshcd.patch create mode 100644 queue-6.12/scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch create mode 100644 queue-6.12/scsi-ufs-exynos-gs101-put-ufs-device-in-reset-on-.su.patch create mode 100644 queue-6.12/scsi-ufs-exynos-move-phy-calls-to-.exit-callback.patch create mode 100644 queue-6.12/selftests-bpf-fix-stdout-race-condition-in-traffic-m.patch create mode 100644 queue-6.12/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch create mode 100644 queue-6.12/selftests-ublk-fix-test_stripe_04.patch create mode 100644 queue-6.12/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch create mode 100644 queue-6.12/spi-spi-imx-add-check-for-spi_imx_setupxfer.patch create mode 100644 queue-6.12/spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch create mode 100644 queue-6.12/spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch create mode 100644 queue-6.12/thunderbolt-scan-retimers-after-device-router-has-be.patch create mode 100644 queue-6.12/timekeeping-add-a-lockdep-override-in-tick_freeze.patch create mode 100644 queue-6.12/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch create mode 100644 queue-6.12/um-work-around-sched_yield-not-yielding-in-time-trav.patch create mode 100644 queue-6.12/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch create mode 100644 queue-6.12/usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch create mode 100644 queue-6.12/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch create mode 100644 queue-6.12/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch create mode 100644 queue-6.12/usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch create mode 100644 queue-6.12/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch create mode 100644 queue-6.12/usb-xhci-complete-error-mid-td-transfers-when-handli.patch create mode 100644 queue-6.12/usb-xhci-fix-isochronous-ring-underrun-overrun-event.patch create mode 100644 queue-6.12/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch create mode 100644 queue-6.12/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch create mode 100644 queue-6.12/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch create mode 100644 queue-6.12/x86-cpu-add-cpu-model-number-for-bartlett-lake-cpus-.patch create mode 100644 queue-6.12/x86-i8253-call-clockevent_i8253_disable-with-interru.patch create mode 100644 queue-6.12/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch create mode 100644 queue-6.12/x86-xen-disable-cpu-idle-and-frequency-drivers-for-p.patch create mode 100644 queue-6.12/xen-change-xen-acpi-processor-dom0-dependency.patch create mode 100644 queue-6.12/xhci-handle-spurious-events-on-etron-host-isoc-enpoi.patch diff --git a/queue-6.12/9p-net-fix-improper-handling-of-bogus-negative-read-.patch b/queue-6.12/9p-net-fix-improper-handling-of-bogus-negative-read-.patch new file mode 100644 index 0000000000..14ebbd39ec --- /dev/null +++ b/queue-6.12/9p-net-fix-improper-handling-of-bogus-negative-read-.patch @@ -0,0 +1,139 @@ +From b53a89f4291e4b956e821167f06d1223af6e2937 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 20:20:15 +0900 +Subject: 9p/net: fix improper handling of bogus negative read/write replies + +From: Dominique Martinet + +[ Upstream commit d0259a856afca31d699b706ed5e2adf11086c73b ] + +In p9_client_write() and p9_client_read_once(), if the server +incorrectly replies with success but a negative write/read count then we +would consider written (negative) <= rsize (positive) because both +variables were signed. + +Make variables unsigned to avoid this problem. + +The reproducer linked below now fails with the following error instead +of a null pointer deref: +9pnet: bogus RWRITE count (4294967295 > 3) + +Reported-by: Robert Morris +Closes: https://lore.kernel.org/16271.1734448631@26-5-164.dynamic.csail.mit.edu +Message-ID: <20250319-9p_unsigned_rw-v3-1-71327f1503d0@codewreck.org> +Reviewed-by: Christian Schoenebeck +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/client.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/net/9p/client.c b/net/9p/client.c +index 09f8ced9f8bb7..52a5497cfca79 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -1548,7 +1548,8 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to, + struct p9_client *clnt = fid->clnt; + struct p9_req_t *req; + int count = iov_iter_count(to); +- int rsize, received, non_zc = 0; ++ u32 rsize, received; ++ bool non_zc = false; + char *dataptr; + + *err = 0; +@@ -1571,7 +1572,7 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to, + 0, 11, "dqd", fid->fid, + offset, rsize); + } else { +- non_zc = 1; ++ non_zc = true; + req = p9_client_rpc(clnt, P9_TREAD, "dqd", fid->fid, offset, + rsize); + } +@@ -1592,11 +1593,11 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to, + return 0; + } + if (rsize < received) { +- pr_err("bogus RREAD count (%d > %d)\n", received, rsize); ++ pr_err("bogus RREAD count (%u > %u)\n", received, rsize); + received = rsize; + } + +- p9_debug(P9_DEBUG_9P, "<<< RREAD count %d\n", received); ++ p9_debug(P9_DEBUG_9P, "<<< RREAD count %u\n", received); + + if (non_zc) { + int n = copy_to_iter(dataptr, received, to); +@@ -1623,9 +1624,9 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) + *err = 0; + + while (iov_iter_count(from)) { +- int count = iov_iter_count(from); +- int rsize = fid->iounit; +- int written; ++ size_t count = iov_iter_count(from); ++ u32 rsize = fid->iounit; ++ u32 written; + + if (!rsize || rsize > clnt->msize - P9_IOHDRSZ) + rsize = clnt->msize - P9_IOHDRSZ; +@@ -1633,7 +1634,7 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) + if (count < rsize) + rsize = count; + +- p9_debug(P9_DEBUG_9P, ">>> TWRITE fid %d offset %llu count %d (/%d)\n", ++ p9_debug(P9_DEBUG_9P, ">>> TWRITE fid %d offset %llu count %u (/%zu)\n", + fid->fid, offset, rsize, count); + + /* Don't bother zerocopy for small IO (< 1024) */ +@@ -1659,11 +1660,11 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) + break; + } + if (rsize < written) { +- pr_err("bogus RWRITE count (%d > %d)\n", written, rsize); ++ pr_err("bogus RWRITE count (%u > %u)\n", written, rsize); + written = rsize; + } + +- p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", written); ++ p9_debug(P9_DEBUG_9P, "<<< RWRITE count %u\n", written); + + p9_req_put(clnt, req); + iov_iter_revert(from, count - written - iov_iter_count(from)); +@@ -2098,7 +2099,8 @@ EXPORT_SYMBOL_GPL(p9_client_xattrcreate); + + int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset) + { +- int err, rsize, non_zc = 0; ++ int err, non_zc = 0; ++ u32 rsize; + struct p9_client *clnt; + struct p9_req_t *req; + char *dataptr; +@@ -2107,7 +2109,7 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset) + + iov_iter_kvec(&to, ITER_DEST, &kv, 1, count); + +- p9_debug(P9_DEBUG_9P, ">>> TREADDIR fid %d offset %llu count %d\n", ++ p9_debug(P9_DEBUG_9P, ">>> TREADDIR fid %d offset %llu count %u\n", + fid->fid, offset, count); + + clnt = fid->clnt; +@@ -2142,11 +2144,11 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset) + goto free_and_error; + } + if (rsize < count) { +- pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize); ++ pr_err("bogus RREADDIR count (%u > %u)\n", count, rsize); + count = rsize; + } + +- p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count); ++ p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %u\n", count); + + if (non_zc) + memmove(data, dataptr, count); +-- +2.39.5 + diff --git a/queue-6.12/9p-trans_fd-mark-concurrent-read-and-writes-to-p9_co.patch b/queue-6.12/9p-trans_fd-mark-concurrent-read-and-writes-to-p9_co.patch new file mode 100644 index 0000000000..0a55ab6805 --- /dev/null +++ b/queue-6.12/9p-trans_fd-mark-concurrent-read-and-writes-to-p9_co.patch @@ -0,0 +1,102 @@ +From a07c2ab6e8f47e95df03018a3a8be4a677a196c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 22:39:02 +0100 +Subject: 9p/trans_fd: mark concurrent read and writes to p9_conn->err + +From: Ignacio Encinas + +[ Upstream commit fbc0283fbeae27b88448c90305e738991457fee2 ] + +Writes for the error value of a connection are spinlock-protected inside +p9_conn_cancel, but lockless reads are present elsewhere to avoid +performing unnecessary work after an error has been met. + +Mark the write and lockless reads to make KCSAN happy. Mark the write as +exclusive following the recommendation in "Lock-Protected Writes with +Lockless Reads" in tools/memory-model/Documentation/access-marking.txt +while we are at it. + +Mark p9_fd_request and p9_conn_cancel m->err reads despite the fact that +they do not race with concurrent writes for stylistic reasons. + +Reported-by: syzbot+d69a7cc8c683c2cb7506@syzkaller.appspotmail.com +Reported-by: syzbot+483d6c9b9231ea7e1851@syzkaller.appspotmail.com +Signed-off-by: Ignacio Encinas +Message-ID: <20250318-p9_conn_err_benign_data_race-v3-1-290bb18335cc@iencinas.com> +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 196060dc6138a..791e4868f2d4e 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -191,12 +191,13 @@ static void p9_conn_cancel(struct p9_conn *m, int err) + + spin_lock(&m->req_lock); + +- if (m->err) { ++ if (READ_ONCE(m->err)) { + spin_unlock(&m->req_lock); + return; + } + +- m->err = err; ++ WRITE_ONCE(m->err, err); ++ ASSERT_EXCLUSIVE_WRITER(m->err); + + list_for_each_entry_safe(req, rtmp, &m->req_list, req_list) { + list_move(&req->req_list, &cancel_list); +@@ -283,7 +284,7 @@ static void p9_read_work(struct work_struct *work) + + m = container_of(work, struct p9_conn, rq); + +- if (m->err < 0) ++ if (READ_ONCE(m->err) < 0) + return; + + p9_debug(P9_DEBUG_TRANS, "start mux %p pos %zd\n", m, m->rc.offset); +@@ -450,7 +451,7 @@ static void p9_write_work(struct work_struct *work) + + m = container_of(work, struct p9_conn, wq); + +- if (m->err < 0) { ++ if (READ_ONCE(m->err) < 0) { + clear_bit(Wworksched, &m->wsched); + return; + } +@@ -622,7 +623,7 @@ static void p9_poll_mux(struct p9_conn *m) + __poll_t n; + int err = -ECONNRESET; + +- if (m->err < 0) ++ if (READ_ONCE(m->err) < 0) + return; + + n = p9_fd_poll(m->client, NULL, &err); +@@ -665,6 +666,7 @@ static void p9_poll_mux(struct p9_conn *m) + static int p9_fd_request(struct p9_client *client, struct p9_req_t *req) + { + __poll_t n; ++ int err; + struct p9_trans_fd *ts = client->trans; + struct p9_conn *m = &ts->conn; + +@@ -673,9 +675,10 @@ static int p9_fd_request(struct p9_client *client, struct p9_req_t *req) + + spin_lock(&m->req_lock); + +- if (m->err < 0) { ++ err = READ_ONCE(m->err); ++ if (err < 0) { + spin_unlock(&m->req_lock); +- return m->err; ++ return err; + } + + WRITE_ONCE(req->status, REQ_STATUS_UNSENT); +-- +2.39.5 + diff --git a/queue-6.12/acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch b/queue-6.12/acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch new file mode 100644 index 0000000000..d3d8ea5e0f --- /dev/null +++ b/queue-6.12/acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch @@ -0,0 +1,82 @@ +From a8f1a2b669178720421358920f3aee97503e6e4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 08:38:51 -0500 +Subject: ACPI: EC: Set ec_no_wakeup for Lenovo Go S + +From: Mario Limonciello + +[ Upstream commit b988685388effd648150aab272533f833a2a70f0 ] + +When AC adapter is unplugged or plugged in EC wakes from HW sleep but +APU doesn't enter back into HW sleep. + +The reason this happens is that, when the APU exits HW sleep, the power +rails controlled by the EC will power up the TCON. The TCON has a GPIO +that will be toggled at this time. The GPIO is not marked as a wakeup +source, but the GPIO controller still has an unserviced interrupt. +Unserviced interrupts will block entering HW sleep again. Clearing the +GPIO doesn't help as the TCON continues to assert it until it's been +initialized by i2c-hid. + +Fixing this would require TCON F/W changes and it's already broken in +the wild on production hardware. + +To avoid triggering this issue add a quirk to avoid letting EC wake +up system at all. The power button still works properly on this system. + +Reported-by: Antheas Kapenekakis +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3929 +Link: https://github.com/bazzite-org/patchwork/commit/95b93b2852718ee1e808c72e6b1836da4a95fc63 +Co-developed-by: Antheas Kapenekakis +Signed-off-by: Antheas Kapenekakis +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20250401133858.1892077-1-superm1@kernel.org +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 25399f6dde7e2..e614e4bef9ea1 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -2301,6 +2301,34 @@ static const struct dmi_system_id acpi_ec_no_wakeup[] = { + DMI_MATCH(DMI_PRODUCT_FAMILY, "103C_5336AN HP ZHAN 66 Pro"), + }, + }, ++ /* ++ * Lenovo Legion Go S; touchscreen blocks HW sleep when woken up from EC ++ * https://gitlab.freedesktop.org/drm/amd/-/issues/3929 ++ */ ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83L3"), ++ } ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83N6"), ++ } ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q2"), ++ } ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q3"), ++ } ++ }, + { }, + }; + +-- +2.39.5 + diff --git a/queue-6.12/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch b/queue-6.12/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch new file mode 100644 index 0000000000..74aa5132dc --- /dev/null +++ b/queue-6.12/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch @@ -0,0 +1,46 @@ +From a3cb43eb8c0a6373ee32733d6965dad571fbe9cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 17:15:42 -0700 +Subject: ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls + +From: Jean-Marc Eurin + +[ Upstream commit 7ab4f0e37a0f4207e742a8de69be03984db6ebf0 ] + +The end of table checks should be done with the structure size, +but 2 of the 3 similar calls use the pointer size. + +Signed-off-by: Jean-Marc Eurin +Link: https://patch.msgid.link/20250402001542.2600671-1-jmeurin@google.com +[ rjw: Subject edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/pptt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/pptt.c b/drivers/acpi/pptt.c +index a35dd0e41c270..f73ce6e13065d 100644 +--- a/drivers/acpi/pptt.c ++++ b/drivers/acpi/pptt.c +@@ -229,7 +229,7 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr, + node_entry = ACPI_PTR_DIFF(node, table_hdr); + entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr, + sizeof(struct acpi_table_pptt)); +- proc_sz = sizeof(struct acpi_pptt_processor *); ++ proc_sz = sizeof(struct acpi_pptt_processor); + + while ((unsigned long)entry + proc_sz < table_end) { + cpu_node = (struct acpi_pptt_processor *)entry; +@@ -270,7 +270,7 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he + table_end = (unsigned long)table_hdr + table_hdr->length; + entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr, + sizeof(struct acpi_table_pptt)); +- proc_sz = sizeof(struct acpi_pptt_processor *); ++ proc_sz = sizeof(struct acpi_pptt_processor); + + /* find the processor structure associated with this cpuid */ + while ((unsigned long)entry + proc_sz < table_end) { +-- +2.39.5 + diff --git a/queue-6.12/asoc-fsl_asrc_dma-get-codec-or-cpu-dai-from-backend.patch b/queue-6.12/asoc-fsl_asrc_dma-get-codec-or-cpu-dai-from-backend.patch new file mode 100644 index 0000000000..5e73883c5a --- /dev/null +++ b/queue-6.12/asoc-fsl_asrc_dma-get-codec-or-cpu-dai-from-backend.patch @@ -0,0 +1,56 @@ +From 5aa2966214eadf3e595c21aad225bf5e95c39130 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 11:35:04 +0800 +Subject: ASoC: fsl_asrc_dma: get codec or cpu dai from backend + +From: Shengjiu Wang + +[ Upstream commit ef5c23ae9ab380fa756f257411024a9b4518d1b9 ] + +With audio graph card, original cpu dai is changed to codec device in +backend, so if cpu dai is dummy device in backend, get the codec dai +device, which is the real hardware device connected. + +The specific case is ASRC->SAI->AMIX->CODEC. + +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20250319033504.2898605-1-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_asrc_dma.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/fsl_asrc_dma.c b/sound/soc/fsl/fsl_asrc_dma.c +index f501f47242fb0..1bba48318e2dd 100644 +--- a/sound/soc/fsl/fsl_asrc_dma.c ++++ b/sound/soc/fsl/fsl_asrc_dma.c +@@ -156,11 +156,24 @@ static int fsl_asrc_dma_hw_params(struct snd_soc_component *component, + for_each_dpcm_be(rtd, stream, dpcm) { + struct snd_soc_pcm_runtime *be = dpcm->be; + struct snd_pcm_substream *substream_be; +- struct snd_soc_dai *dai = snd_soc_rtd_to_cpu(be, 0); ++ struct snd_soc_dai *dai_cpu = snd_soc_rtd_to_cpu(be, 0); ++ struct snd_soc_dai *dai_codec = snd_soc_rtd_to_codec(be, 0); ++ struct snd_soc_dai *dai; + + if (dpcm->fe != rtd) + continue; + ++ /* ++ * With audio graph card, original cpu dai is changed to codec ++ * device in backend, so if cpu dai is dummy device in backend, ++ * get the codec dai device, which is the real hardware device ++ * connected. ++ */ ++ if (!snd_soc_dai_is_dummy(dai_cpu)) ++ dai = dai_cpu; ++ else ++ dai = dai_codec; ++ + substream_be = snd_soc_dpcm_get_substream(be, stream); + dma_params_be = snd_soc_dai_get_dma_data(dai, substream_be); + dev_be = dai->dev; +-- +2.39.5 + diff --git a/queue-6.12/bpf-bpftool-setting-error-code-in-do_loader.patch b/queue-6.12/bpf-bpftool-setting-error-code-in-do_loader.patch new file mode 100644 index 0000000000..f581eda97d --- /dev/null +++ b/queue-6.12/bpf-bpftool-setting-error-code-in-do_loader.patch @@ -0,0 +1,45 @@ +From 90c749d3ea7c73bdb7b7c79da24c2805a800a2a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 12:12:37 +0900 +Subject: bpf: bpftool: Setting error code in do_loader() + +From: Sewon Nam + +[ Upstream commit 02a4694107b4c830d4bd6d194e98b3ac0bc86f29 ] + +We are missing setting error code in do_loader() when +bpf_object__open_file() fails. This means the command's exit status code +will be successful, even though the operation failed. So make sure to +return the correct error code. To maintain consistency with other +locations where bpf_object__open_file() is called, return -1. + + [0] Closes: https://github.com/libbpf/bpftool/issues/156 + +Reported-by: Dan Carpenter +Signed-off-by: Sewon Nam +Signed-off-by: Andrii Nakryiko +Tested-by: Quentin Monnet +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/d3b5b4b4-19bb-4619-b4dd-86c958c4a367@stanley.mountain/t/#u +Link: https://lore.kernel.org/bpf/20250311031238.14865-1-swnam0729@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/prog.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c +index e71be67f1d865..52ffb74ae4e89 100644 +--- a/tools/bpf/bpftool/prog.c ++++ b/tools/bpf/bpftool/prog.c +@@ -1928,6 +1928,7 @@ static int do_loader(int argc, char **argv) + + obj = bpf_object__open_file(file, &open_opts); + if (!obj) { ++ err = -1; + p_err("failed to open object file"); + goto err_close_obj; + } +-- +2.39.5 + diff --git a/queue-6.12/bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch b/queue-6.12/bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch new file mode 100644 index 0000000000..a44563e195 --- /dev/null +++ b/queue-6.12/bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch @@ -0,0 +1,79 @@ +From a7aaf431000accce73c367e3cf301ab475cc25f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 14:16:37 -0800 +Subject: bpf: Fix deadlock between rcu_tasks_trace and event_mutex. + +From: Alexei Starovoitov + +[ Upstream commit 4580f4e0ebdf8dc8d506ae926b88510395a0c1d1 ] + +Fix the following deadlock: +CPU A +_free_event() + perf_kprobe_destroy() + mutex_lock(&event_mutex) + perf_trace_event_unreg() + synchronize_rcu_tasks_trace() + +There are several paths where _free_event() grabs event_mutex +and calls sync_rcu_tasks_trace. Above is one such case. + +CPU B +bpf_prog_test_run_syscall() + rcu_read_lock_trace() + bpf_prog_run_pin_on_cpu() + bpf_prog_load() + bpf_tracing_func_proto() + trace_set_clr_event() + mutex_lock(&event_mutex) + +Delegate trace_set_clr_event() to workqueue to avoid +such lock dependency. + +Signed-off-by: Alexei Starovoitov +Signed-off-by: Andrii Nakryiko +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250224221637.4780-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 55f279ddfd63d..e5c063fc8ef97 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -403,7 +403,7 @@ static const struct bpf_func_proto bpf_trace_printk_proto = { + .arg2_type = ARG_CONST_SIZE, + }; + +-static void __set_printk_clr_event(void) ++static void __set_printk_clr_event(struct work_struct *work) + { + /* + * This program might be calling bpf_trace_printk, +@@ -416,10 +416,11 @@ static void __set_printk_clr_event(void) + if (trace_set_clr_event("bpf_trace", "bpf_trace_printk", 1)) + pr_warn_ratelimited("could not enable bpf_trace_printk events"); + } ++static DECLARE_WORK(set_printk_work, __set_printk_clr_event); + + const struct bpf_func_proto *bpf_get_trace_printk_proto(void) + { +- __set_printk_clr_event(); ++ schedule_work(&set_printk_work); + return &bpf_trace_printk_proto; + } + +@@ -462,7 +463,7 @@ static const struct bpf_func_proto bpf_trace_vprintk_proto = { + + const struct bpf_func_proto *bpf_get_trace_vprintk_proto(void) + { +- __set_printk_clr_event(); ++ schedule_work(&set_printk_work); + return &bpf_trace_vprintk_proto; + } + +-- +2.39.5 + diff --git a/queue-6.12/bpf-fix-kmemleak-warning-for-percpu-hashmap.patch b/queue-6.12/bpf-fix-kmemleak-warning-for-percpu-hashmap.patch new file mode 100644 index 0000000000..a6e3352b5b --- /dev/null +++ b/queue-6.12/bpf-fix-kmemleak-warning-for-percpu-hashmap.patch @@ -0,0 +1,92 @@ +From d5e8ae51de991e0127e12ef33fddff5d4d5eb03a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 09:55:14 -0800 +Subject: bpf: Fix kmemleak warning for percpu hashmap + +From: Yonghong Song + +[ Upstream commit 11ba7ce076e5903e7bdc1fd1498979c331b3c286 ] + +Vlad Poenaru reported the following kmemleak issue: + + unreferenced object 0x606fd7c44ac8 (size 32): + backtrace (crc 0): + pcpu_alloc_noprof+0x730/0xeb0 + bpf_map_alloc_percpu+0x69/0xc0 + prealloc_init+0x9d/0x1b0 + htab_map_alloc+0x363/0x510 + map_create+0x215/0x3a0 + __sys_bpf+0x16b/0x3e0 + __x64_sys_bpf+0x18/0x20 + do_syscall_64+0x7b/0x150 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Further investigation shows the reason is due to not 8-byte aligned +store of percpu pointer in htab_elem_set_ptr(): + *(void __percpu **)(l->key + key_size) = pptr; + +Note that the whole htab_elem alignment is 8 (for x86_64). If the key_size +is 4, that means pptr is stored in a location which is 4 byte aligned but +not 8 byte aligned. In mm/kmemleak.c, scan_block() scans the memory based +on 8 byte stride, so it won't detect above pptr, hence reporting the memory +leak. + +In htab_map_alloc(), we already have + + htab->elem_size = sizeof(struct htab_elem) + + round_up(htab->map.key_size, 8); + if (percpu) + htab->elem_size += sizeof(void *); + else + htab->elem_size += round_up(htab->map.value_size, 8); + +So storing pptr with 8-byte alignment won't cause any problem and can fix +kmemleak too. + +The issue can be reproduced with bpf selftest as well: + 1. Enable CONFIG_DEBUG_KMEMLEAK config + 2. Add a getchar() before skel destroy in test_hash_map() in prog_tests/for_each.c. + The purpose is to keep map available so kmemleak can be detected. + 3. run './test_progs -t for_each/hash_map &' and a kmemleak should be reported. + +Reported-by: Vlad Poenaru +Signed-off-by: Yonghong Song +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/r/20250224175514.2207227-1-yonghong.song@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/hashtab.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 3ec941a0ea41c..bb3ba8ebaf3d2 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -198,12 +198,12 @@ static bool htab_is_percpu(const struct bpf_htab *htab) + static inline void htab_elem_set_ptr(struct htab_elem *l, u32 key_size, + void __percpu *pptr) + { +- *(void __percpu **)(l->key + key_size) = pptr; ++ *(void __percpu **)(l->key + roundup(key_size, 8)) = pptr; + } + + static inline void __percpu *htab_elem_get_ptr(struct htab_elem *l, u32 key_size) + { +- return *(void __percpu **)(l->key + key_size); ++ return *(void __percpu **)(l->key + roundup(key_size, 8)); + } + + static void *fd_htab_map_get_ptr(const struct bpf_map *map, struct htab_elem *l) +@@ -2355,7 +2355,7 @@ static int htab_percpu_map_gen_lookup(struct bpf_map *map, struct bpf_insn *insn + *insn++ = BPF_EMIT_CALL(__htab_map_lookup_elem); + *insn++ = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3); + *insn++ = BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, +- offsetof(struct htab_elem, key) + map->key_size); ++ offsetof(struct htab_elem, key) + roundup(map->key_size, 8)); + *insn++ = BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0); + *insn++ = BPF_MOV64_PERCPU_REG(BPF_REG_0, BPF_REG_0); + +-- +2.39.5 + diff --git a/queue-6.12/bpf-only-fails-the-busy-counter-check-in-bpf_cgrp_st.patch b/queue-6.12/bpf-only-fails-the-busy-counter-check-in-bpf_cgrp_st.patch new file mode 100644 index 0000000000..217eca4f79 --- /dev/null +++ b/queue-6.12/bpf-only-fails-the-busy-counter-check-in-bpf_cgrp_st.patch @@ -0,0 +1,91 @@ +From f65a45bfcafec4b0b803a689f168742c354ee909 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 11:27:59 -0700 +Subject: bpf: Only fails the busy counter check in bpf_cgrp_storage_get if it + creates storage + +From: Martin KaFai Lau + +[ Upstream commit f4edc66e48a694b3e6d164cc71f059de542dfaec ] + +The current cgrp storage has a percpu counter, bpf_cgrp_storage_busy, +to detect potential deadlock at a spin_lock that the local storage +acquires during new storage creation. + +There are false positives. It turns out to be too noisy in +production. For example, a bpf prog may be doing a +bpf_cgrp_storage_get on map_a. An IRQ comes in and triggers +another bpf_cgrp_storage_get on a different map_b. It will then +trigger the false positive deadlock check in the percpu counter. +On top of that, both are doing lookup only and no need to create +new storage, so practically it does not need to acquire +the spin_lock. + +The bpf_task_storage_get already has a strategy to minimize this +false positive by only failing if the bpf_task_storage_get needs +to create a new storage and the percpu counter is busy. Creating +a new storage is the only time it must acquire the spin_lock. + +This patch borrows the same idea. Unlike task storage that +has a separate variant for tracing (_recur) and non-tracing, this +patch stays with one bpf_cgrp_storage_get helper to keep it simple +for now in light of the upcoming res_spin_lock. + +The variable could potentially use a better name noTbusy instead +of nobusy. This patch follows the same naming in +bpf_task_storage_get for now. + +I have tested it by temporarily adding noinline to +the cgroup_storage_lookup(), traced it by fentry, and the fentry +program succeeded in calling bpf_cgrp_storage_get(). + +Signed-off-by: Martin KaFai Lau +Link: https://lore.kernel.org/r/20250318182759.3676094-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_cgrp_storage.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/bpf_cgrp_storage.c b/kernel/bpf/bpf_cgrp_storage.c +index 6547fb7ac0dcb..129a51b1da1b1 100644 +--- a/kernel/bpf/bpf_cgrp_storage.c ++++ b/kernel/bpf/bpf_cgrp_storage.c +@@ -162,6 +162,7 @@ BPF_CALL_5(bpf_cgrp_storage_get, struct bpf_map *, map, struct cgroup *, cgroup, + void *, value, u64, flags, gfp_t, gfp_flags) + { + struct bpf_local_storage_data *sdata; ++ bool nobusy; + + WARN_ON_ONCE(!bpf_rcu_lock_held()); + if (flags & ~(BPF_LOCAL_STORAGE_GET_F_CREATE)) +@@ -170,21 +171,21 @@ BPF_CALL_5(bpf_cgrp_storage_get, struct bpf_map *, map, struct cgroup *, cgroup, + if (!cgroup) + return (unsigned long)NULL; + +- if (!bpf_cgrp_storage_trylock()) +- return (unsigned long)NULL; ++ nobusy = bpf_cgrp_storage_trylock(); + +- sdata = cgroup_storage_lookup(cgroup, map, true); ++ sdata = cgroup_storage_lookup(cgroup, map, nobusy); + if (sdata) + goto unlock; + + /* only allocate new storage, when the cgroup is refcounted */ + if (!percpu_ref_is_dying(&cgroup->self.refcnt) && +- (flags & BPF_LOCAL_STORAGE_GET_F_CREATE)) ++ (flags & BPF_LOCAL_STORAGE_GET_F_CREATE) && nobusy) + sdata = bpf_local_storage_update(cgroup, (struct bpf_local_storage_map *)map, + value, BPF_NOEXIST, gfp_flags); + + unlock: +- bpf_cgrp_storage_unlock(); ++ if (nobusy) ++ bpf_cgrp_storage_unlock(); + return IS_ERR_OR_NULL(sdata) ? (unsigned long)NULL : (unsigned long)sdata->data; + } + +-- +2.39.5 + diff --git a/queue-6.12/bpf-reject-attaching-fexit-fmod_ret-to-__noreturn-fu.patch b/queue-6.12/bpf-reject-attaching-fexit-fmod_ret-to-__noreturn-fu.patch new file mode 100644 index 0000000000..14e26a927c --- /dev/null +++ b/queue-6.12/bpf-reject-attaching-fexit-fmod_ret-to-__noreturn-fu.patch @@ -0,0 +1,109 @@ +From ce36635191d791475551fd465160e3dd11c5f27c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 19:44:46 +0800 +Subject: bpf: Reject attaching fexit/fmod_ret to __noreturn functions + +From: Yafang Shao + +[ Upstream commit cfe816d469dce9c0864062cf65dd7b3c42adc6f8 ] + +If we attach fexit/fmod_ret to __noreturn functions, it will cause an +issue that the bpf trampoline image will be left over even if the bpf +link has been destroyed. Take attaching do_exit() with fexit for example. +The fexit works as follows, + + bpf_trampoline + + __bpf_tramp_enter + + percpu_ref_get(&tr->pcref); + + + call do_exit() + + + __bpf_tramp_exit + + percpu_ref_put(&tr->pcref); + +Since do_exit() never returns, the refcnt of the trampoline image is +never decremented, preventing it from being freed. That can be verified +with as follows, + + $ bpftool link show <<<< nothing output + $ grep "bpf_trampoline_[0-9]" /proc/kallsyms + ffffffffc04cb000 t bpf_trampoline_6442526459 [bpf] <<<< leftover + +In this patch, all functions annotated with __noreturn are rejected, except +for the following cases: +- Functions that result in a system reboot, such as panic, + machine_real_restart and rust_begin_unwind +- Functions that are never executed by tasks, such as rest_init and + cpu_startup_entry +- Functions implemented in assembly, such as rewind_stack_and_make_dead and + xen_cpu_bringup_again, lack an associated BTF ID. + +With this change, attaching fexit probes to functions like do_exit() will +be rejected. + +$ ./fexit +libbpf: prog 'fexit': BPF program load failed: -EINVAL +libbpf: prog 'fexit': -- BEGIN PROG LOAD LOG -- +Attaching fexit/fmod_ret to __noreturn functions is rejected. + +Signed-off-by: Yafang Shao +Link: https://lore.kernel.org/r/20250318114447.75484-2-laoar.shao@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index d2ef289993f20..8656208aa4bbb 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -22289,6 +22289,33 @@ BTF_ID(func, __rcu_read_unlock) + #endif + BTF_SET_END(btf_id_deny) + ++/* fexit and fmod_ret can't be used to attach to __noreturn functions. ++ * Currently, we must manually list all __noreturn functions here. Once a more ++ * robust solution is implemented, this workaround can be removed. ++ */ ++BTF_SET_START(noreturn_deny) ++#ifdef CONFIG_IA32_EMULATION ++BTF_ID(func, __ia32_sys_exit) ++BTF_ID(func, __ia32_sys_exit_group) ++#endif ++#ifdef CONFIG_KUNIT ++BTF_ID(func, __kunit_abort) ++BTF_ID(func, kunit_try_catch_throw) ++#endif ++#ifdef CONFIG_MODULES ++BTF_ID(func, __module_put_and_kthread_exit) ++#endif ++#ifdef CONFIG_X86_64 ++BTF_ID(func, __x64_sys_exit) ++BTF_ID(func, __x64_sys_exit_group) ++#endif ++BTF_ID(func, do_exit) ++BTF_ID(func, do_group_exit) ++BTF_ID(func, kthread_complete_and_exit) ++BTF_ID(func, kthread_exit) ++BTF_ID(func, make_task_dead) ++BTF_SET_END(noreturn_deny) ++ + static bool can_be_sleepable(struct bpf_prog *prog) + { + if (prog->type == BPF_PROG_TYPE_TRACING) { +@@ -22377,6 +22404,11 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) + } else if (prog->type == BPF_PROG_TYPE_TRACING && + btf_id_set_contains(&btf_id_deny, btf_id)) { + return -EINVAL; ++ } else if ((prog->expected_attach_type == BPF_TRACE_FEXIT || ++ prog->expected_attach_type == BPF_MODIFY_RETURN) && ++ btf_id_set_contains(&noreturn_deny, btf_id)) { ++ verbose(env, "Attaching fexit/fmod_ret to __noreturn functions is rejected.\n"); ++ return -EINVAL; + } + + key = bpf_trampoline_compute_key(tgt_prog, prog->aux->attach_btf, btf_id); +-- +2.39.5 + diff --git a/queue-6.12/cgroup-cpuset-don-t-allow-creation-of-local-partitio.patch b/queue-6.12/cgroup-cpuset-don-t-allow-creation-of-local-partitio.patch new file mode 100644 index 0000000000..8ffde10412 --- /dev/null +++ b/queue-6.12/cgroup-cpuset-don-t-allow-creation-of-local-partitio.patch @@ -0,0 +1,78 @@ +From 32019a9120d5b98ed1d1bebedbf75d92dc7cc797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Mar 2025 17:52:43 -0400 +Subject: cgroup/cpuset: Don't allow creation of local partition over a remote + one + +From: Waiman Long + +[ Upstream commit 6da580ec656a5ed135db2cdf574b47635611a4d7 ] + +Currently, we don't allow the creation of a remote partition underneath +another local or remote partition. However, it is currently possible to +create a new local partition with an existing remote partition underneath +it if top_cpuset is the parent. However, the current cpuset code does +not set the effective exclusive CPUs correctly to account for those +that are taken by the remote partition. + +Changing the code to properly account for those remote partition CPUs +under all possible circumstances can be complex. It is much easier to +not allow such a configuration which is not that useful. So forbid +that by making sure that exclusive_cpus mask doesn't overlap with +subpartitions_cpus and invalidate the partition if that happens. + +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cpuset-internal.h | 1 + + kernel/cgroup/cpuset.c | 14 ++++++++++++++ + 2 files changed, 15 insertions(+) + +diff --git a/kernel/cgroup/cpuset-internal.h b/kernel/cgroup/cpuset-internal.h +index 976a8bc3ff603..383963e28ac69 100644 +--- a/kernel/cgroup/cpuset-internal.h ++++ b/kernel/cgroup/cpuset-internal.h +@@ -33,6 +33,7 @@ enum prs_errcode { + PERR_CPUSEMPTY, + PERR_HKEEPING, + PERR_ACCESS, ++ PERR_REMOTE, + }; + + /* bits in struct cpuset flags field */ +diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c +index 839f88ba17f7d..c709a05023cd9 100644 +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -62,6 +62,7 @@ static const char * const perr_strings[] = { + [PERR_CPUSEMPTY] = "cpuset.cpus and cpuset.cpus.exclusive are empty", + [PERR_HKEEPING] = "partition config conflicts with housekeeping setup", + [PERR_ACCESS] = "Enable partition not permitted", ++ [PERR_REMOTE] = "Have remote partition underneath", + }; + + /* +@@ -2824,6 +2825,19 @@ static int update_prstate(struct cpuset *cs, int new_prs) + goto out; + } + ++ /* ++ * We don't support the creation of a new local partition with ++ * a remote partition underneath it. This unsupported ++ * setting can happen only if parent is the top_cpuset because ++ * a remote partition cannot be created underneath an existing ++ * local or remote partition. ++ */ ++ if ((parent == &top_cpuset) && ++ cpumask_intersects(cs->exclusive_cpus, subpartitions_cpus)) { ++ err = PERR_REMOTE; ++ goto out; ++ } ++ + /* + * If parent is valid partition, enable local partiion. + * Otherwise, enable a remote partition. +-- +2.39.5 + diff --git a/queue-6.12/cifs-fix-encoding-of-smb1-session-setup-kerberos-req.patch b/queue-6.12/cifs-fix-encoding-of-smb1-session-setup-kerberos-req.patch new file mode 100644 index 0000000000..0db9c8f21e --- /dev/null +++ b/queue-6.12/cifs-fix-encoding-of-smb1-session-setup-kerberos-req.patch @@ -0,0 +1,135 @@ +From 9f959cd5c0e9b499ad0a59a9f2bec7b409c10671 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Oct 2024 19:20:13 +0200 +Subject: cifs: Fix encoding of SMB1 Session Setup Kerberos Request in + non-UNICODE mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 16cb6b0509b65ac89187e9402e0b7a9ddf1765ef ] + +Like in UNICODE mode, SMB1 Session Setup Kerberos Request contains oslm and +domain strings. + +Extract common code into ascii_oslm_strings() and ascii_domain_string() +functions (similar to unicode variants) and use these functions in +non-UNICODE code path in sess_auth_kerberos(). + +Decision if non-UNICODE or UNICODE mode is used is based on the +SMBFLG2_UNICODE flag in Flags2 packed field, and not based on the +capabilities of server. Fix this check too. + +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/sess.c | 60 +++++++++++++++++++++++++++++--------------- + 1 file changed, 40 insertions(+), 20 deletions(-) + +diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c +index 2426fa7405173..9b32f7821b718 100644 +--- a/fs/smb/client/sess.c ++++ b/fs/smb/client/sess.c +@@ -707,6 +707,22 @@ unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) + *pbcc_area = bcc_ptr; + } + ++static void ++ascii_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp) ++{ ++ char *bcc_ptr = *pbcc_area; ++ ++ strcpy(bcc_ptr, "Linux version "); ++ bcc_ptr += strlen("Linux version "); ++ strcpy(bcc_ptr, init_utsname()->release); ++ bcc_ptr += strlen(init_utsname()->release) + 1; ++ ++ strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); ++ bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; ++ ++ *pbcc_area = bcc_ptr; ++} ++ + static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, + const struct nls_table *nls_cp) + { +@@ -731,6 +747,25 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses, + *pbcc_area = bcc_ptr; + } + ++static void ascii_domain_string(char **pbcc_area, struct cifs_ses *ses, ++ const struct nls_table *nls_cp) ++{ ++ char *bcc_ptr = *pbcc_area; ++ int len; ++ ++ /* copy domain */ ++ if (ses->domainName != NULL) { ++ len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); ++ if (WARN_ON_ONCE(len < 0)) ++ len = CIFS_MAX_DOMAINNAME_LEN - 1; ++ bcc_ptr += len; ++ } /* else we send a null domain name so server will default to its own domain */ ++ *bcc_ptr = 0; ++ bcc_ptr++; ++ ++ *pbcc_area = bcc_ptr; ++} ++ + static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, + const struct nls_table *nls_cp) + { +@@ -776,25 +811,10 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses, + *bcc_ptr = 0; + bcc_ptr++; /* account for null termination */ + +- /* copy domain */ +- if (ses->domainName != NULL) { +- len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN); +- if (WARN_ON_ONCE(len < 0)) +- len = CIFS_MAX_DOMAINNAME_LEN - 1; +- bcc_ptr += len; +- } /* else we send a null domain name so server will default to its own domain */ +- *bcc_ptr = 0; +- bcc_ptr++; +- + /* BB check for overflow here */ + +- strcpy(bcc_ptr, "Linux version "); +- bcc_ptr += strlen("Linux version "); +- strcpy(bcc_ptr, init_utsname()->release); +- bcc_ptr += strlen(init_utsname()->release) + 1; +- +- strcpy(bcc_ptr, CIFS_NETWORK_OPSYS); +- bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1; ++ ascii_domain_string(&bcc_ptr, ses, nls_cp); ++ ascii_oslm_strings(&bcc_ptr, nls_cp); + + *pbcc_area = bcc_ptr; + } +@@ -1597,7 +1617,7 @@ sess_auth_kerberos(struct sess_data *sess_data) + sess_data->iov[1].iov_len = msg->secblob_len; + pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len); + +- if (ses->capabilities & CAP_UNICODE) { ++ if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) { + /* unicode strings must be word aligned */ + if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) { + *bcc_ptr = 0; +@@ -1606,8 +1626,8 @@ sess_auth_kerberos(struct sess_data *sess_data) + unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp); + unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp); + } else { +- /* BB: is this right? */ +- ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp); ++ ascii_oslm_strings(&bcc_ptr, sess_data->nls_cp); ++ ascii_domain_string(&bcc_ptr, ses, sess_data->nls_cp); + } + + sess_data->iov[2].iov_len = (long) bcc_ptr - +-- +2.39.5 + diff --git a/queue-6.12/cifs-fix-querying-of-wsl-chr-and-blk-reparse-points-.patch b/queue-6.12/cifs-fix-querying-of-wsl-chr-and-blk-reparse-points-.patch new file mode 100644 index 0000000000..129d071b4a --- /dev/null +++ b/queue-6.12/cifs-fix-querying-of-wsl-chr-and-blk-reparse-points-.patch @@ -0,0 +1,76 @@ +From de1bbb99ed5368c24cda19d8424ee7b661fc4467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Dec 2024 17:12:09 +0100 +Subject: cifs: Fix querying of WSL CHR and BLK reparse points over SMB1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit ef86ab131d9127dfbfa8f06e12441d05fdfb090b ] + +When reparse point in SMB1 query_path_info() callback was detected then +query also for EA $LXDEV. In this EA are stored device major and minor +numbers used by WSL CHR and BLK reparse points. Without major and minor +numbers, stat() syscall does not work for char and block devices. + +Similar code is already in SMB2+ query_path_info() callback function. + +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb1ops.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/fs/smb/client/smb1ops.c b/fs/smb/client/smb1ops.c +index bd791aa54681f..55cceb8229323 100644 +--- a/fs/smb/client/smb1ops.c ++++ b/fs/smb/client/smb1ops.c +@@ -597,6 +597,42 @@ static int cifs_query_path_info(const unsigned int xid, + CIFSSMBClose(xid, tcon, fid.netfid); + } + ++#ifdef CONFIG_CIFS_XATTR ++ /* ++ * For WSL CHR and BLK reparse points it is required to fetch ++ * EA $LXDEV which contains major and minor device numbers. ++ */ ++ if (!rc && data->reparse_point) { ++ struct smb2_file_full_ea_info *ea; ++ ++ ea = (struct smb2_file_full_ea_info *)data->wsl.eas; ++ rc = CIFSSMBQAllEAs(xid, tcon, full_path, SMB2_WSL_XATTR_DEV, ++ &ea->ea_data[SMB2_WSL_XATTR_NAME_LEN + 1], ++ SMB2_WSL_XATTR_DEV_SIZE, cifs_sb); ++ if (rc == SMB2_WSL_XATTR_DEV_SIZE) { ++ ea->next_entry_offset = cpu_to_le32(0); ++ ea->flags = 0; ++ ea->ea_name_length = SMB2_WSL_XATTR_NAME_LEN; ++ ea->ea_value_length = cpu_to_le16(SMB2_WSL_XATTR_DEV_SIZE); ++ memcpy(&ea->ea_data[0], SMB2_WSL_XATTR_DEV, SMB2_WSL_XATTR_NAME_LEN + 1); ++ data->wsl.eas_len = sizeof(*ea) + SMB2_WSL_XATTR_NAME_LEN + 1 + ++ SMB2_WSL_XATTR_DEV_SIZE; ++ rc = 0; ++ } else if (rc >= 0) { ++ /* It is an error if EA $LXDEV has wrong size. */ ++ rc = -EINVAL; ++ } else { ++ /* ++ * In all other cases ignore error if fetching ++ * of EA $LXDEV failed. It is needed only for ++ * WSL CHR and BLK reparse points and wsl_to_fattr() ++ * handle the case when EA is missing. ++ */ ++ rc = 0; ++ } ++ } ++#endif ++ + return rc; + } + +-- +2.39.5 + diff --git a/queue-6.12/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch b/queue-6.12/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch new file mode 100644 index 0000000000..2dd4bce03b --- /dev/null +++ b/queue-6.12/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch @@ -0,0 +1,61 @@ +From 4e93c1e0a394db4f2af10fbbf7b69df7a7093b2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Feb 2025 23:37:33 +0100 +Subject: clk: check for disabled clock-provider in + of_clk_get_hw_from_clkspec() + +From: Heiko Stuebner + +[ Upstream commit b20150d499b3ee5c2d632fbc5ac94f98dd33accf ] + +of_clk_get_hw_from_clkspec() checks all available clock-providers by +comparing their of nodes to the one from the clkspec. If no matching +clock provider is found, the function returns -EPROBE_DEFER to cause a +re-check at a later date. If a matching clock provider is found, an +authoritative answer can be retrieved from it whether the clock exists +or not. + +This does not take into account that the clock-provider may never +appear, because it's node is disabled. This can happen when a clock is +optional, provided by a separate block which never gets enabled. + +One example of this happening is the rk3588's VOP, which has optional +additional display clocks coming from PLLs inside the hdmiphy blocks. +These can be used for better rates, but the system will also work +without them. + +The problem around that is described in the followups to[1]. As we +already know the of node of the presumed clock provider, add a check via +of_device_is_available() whether this is a "valid" device node. This +prevents eternal defer loops. + +Link: https://lore.kernel.org/dri-devel/20250215-vop2-hdmi1-disp-modes-v1-3-81962a7151d6@collabora.com/ [1] +Reviewed-by: Sebastian Reichel +Tested-by: Cristian Ciocaltea +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250222223733.2990179-1-heiko@sntech.de +[sboyd@kernel.org: Reword commit text a bit] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index 5b4ab94193c2b..7de3dfdae4b50 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -5264,6 +5264,10 @@ of_clk_get_hw_from_clkspec(struct of_phandle_args *clkspec) + if (!clkspec) + return ERR_PTR(-EINVAL); + ++ /* Check if node in clkspec is in disabled/fail state */ ++ if (!of_device_is_available(clkspec->np)) ++ return ERR_PTR(-ENOENT); ++ + mutex_lock(&of_clk_mutex); + list_for_each_entry(provider, &of_clk_providers, link) { + if (provider->node == clkspec->np) { +-- +2.39.5 + diff --git a/queue-6.12/crypto-ccp-add-support-for-pci-device-0x1134.patch b/queue-6.12/crypto-ccp-add-support-for-pci-device-0x1134.patch new file mode 100644 index 0000000000..817fd29286 --- /dev/null +++ b/queue-6.12/crypto-ccp-add-support-for-pci-device-0x1134.patch @@ -0,0 +1,36 @@ +From 75e5a6a435fd69908e1136f1ea2581f870fafa26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 03:41:52 +0530 +Subject: crypto: ccp - Add support for PCI device 0x1134 + +From: Devaraj Rangasamy + +[ Upstream commit 6cb345939b8cc4be79909875276aa9dc87d16757 ] + +PCI device 0x1134 shares same register features as PCI device 0x17E0. +Hence reuse same data for the new PCI device ID 0x1134. + +Signed-off-by: Devaraj Rangasamy +Acked-by: Tom Lendacky +Reviewed-by: Mario Limonciello +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sp-pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c +index 157f9a9ed6361..2ebc878da1609 100644 +--- a/drivers/crypto/ccp/sp-pci.c ++++ b/drivers/crypto/ccp/sp-pci.c +@@ -532,6 +532,7 @@ static const struct pci_device_id sp_pci_table[] = { + { PCI_VDEVICE(AMD, 0x14CA), (kernel_ulong_t)&dev_vdata[5] }, + { PCI_VDEVICE(AMD, 0x15C7), (kernel_ulong_t)&dev_vdata[6] }, + { PCI_VDEVICE(AMD, 0x1649), (kernel_ulong_t)&dev_vdata[6] }, ++ { PCI_VDEVICE(AMD, 0x1134), (kernel_ulong_t)&dev_vdata[7] }, + { PCI_VDEVICE(AMD, 0x17E0), (kernel_ulong_t)&dev_vdata[7] }, + { PCI_VDEVICE(AMD, 0x156E), (kernel_ulong_t)&dev_vdata[8] }, + /* Last entry must be zero */ +-- +2.39.5 + diff --git a/queue-6.12/crypto-lib-kconfig-fix-lib-built-in-failure-when-arc.patch b/queue-6.12/crypto-lib-kconfig-fix-lib-built-in-failure-when-arc.patch new file mode 100644 index 0000000000..f336bbf9c1 --- /dev/null +++ b/queue-6.12/crypto-lib-kconfig-fix-lib-built-in-failure-when-arc.patch @@ -0,0 +1,209 @@ +From ebd14f9c5aceda0b4c597f854e24ae5a35296662 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 12:48:55 +0800 +Subject: crypto: lib/Kconfig - Fix lib built-in failure when arch is modular + +From: Herbert Xu + +[ Upstream commit 1047e21aecdf17c8a9ab9fd4bd24c6647453f93d ] + +The HAVE_ARCH Kconfig options in lib/crypto try to solve the +modular versus built-in problem, but it still fails when the +the LIB option (e.g., CRYPTO_LIB_CURVE25519) is selected externally. + +Fix this by introducing a level of indirection with ARCH_MAY_HAVE +Kconfig options, these then go on to select the ARCH_HAVE options +if the ARCH Kconfig options matches that of the LIB option. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202501230223.ikroNDr1-lkp@intel.com/ +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/arm/crypto/Kconfig | 6 +++--- + arch/powerpc/crypto/Kconfig | 4 ++-- + arch/x86/crypto/Kconfig | 6 +++--- + lib/crypto/Kconfig | 26 ++++++++++++++++++-------- + 4 files changed, 26 insertions(+), 16 deletions(-) + +diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig +index 5ff49a5e9afc9..8af59c1735ea4 100644 +--- a/arch/arm/crypto/Kconfig ++++ b/arch/arm/crypto/Kconfig +@@ -6,7 +6,7 @@ config CRYPTO_CURVE25519_NEON + tristate "Public key crypto: Curve25519 (NEON)" + depends on KERNEL_MODE_NEON + select CRYPTO_LIB_CURVE25519_GENERIC +- select CRYPTO_ARCH_HAVE_LIB_CURVE25519 ++ select CRYPTO_ARCH_MAY_HAVE_LIB_CURVE25519 + help + Curve25519 algorithm + +@@ -47,7 +47,7 @@ config CRYPTO_NHPOLY1305_NEON + config CRYPTO_POLY1305_ARM + tristate "Hash functions: Poly1305 (NEON)" + select CRYPTO_HASH +- select CRYPTO_ARCH_HAVE_LIB_POLY1305 ++ select CRYPTO_ARCH_MAY_HAVE_LIB_POLY1305 + help + Poly1305 authenticator algorithm (RFC7539) + +@@ -214,7 +214,7 @@ config CRYPTO_AES_ARM_CE + config CRYPTO_CHACHA20_NEON + tristate "Ciphers: ChaCha20, XChaCha20, XChaCha12 (NEON)" + select CRYPTO_SKCIPHER +- select CRYPTO_ARCH_HAVE_LIB_CHACHA ++ select CRYPTO_ARCH_MAY_HAVE_LIB_CHACHA + help + Length-preserving ciphers: ChaCha20, XChaCha20, and XChaCha12 + stream cipher algorithms +diff --git a/arch/powerpc/crypto/Kconfig b/arch/powerpc/crypto/Kconfig +index 46a4c85e85e24..2a2615e35fdb5 100644 +--- a/arch/powerpc/crypto/Kconfig ++++ b/arch/powerpc/crypto/Kconfig +@@ -6,7 +6,7 @@ config CRYPTO_CURVE25519_PPC64 + tristate "Public key crypto: Curve25519 (PowerPC64)" + depends on PPC64 && CPU_LITTLE_ENDIAN + select CRYPTO_LIB_CURVE25519_GENERIC +- select CRYPTO_ARCH_HAVE_LIB_CURVE25519 ++ select CRYPTO_ARCH_MAY_HAVE_LIB_CURVE25519 + help + Curve25519 algorithm + +@@ -128,7 +128,7 @@ config CRYPTO_CHACHA20_P10 + depends on PPC64 && CPU_LITTLE_ENDIAN && VSX + select CRYPTO_SKCIPHER + select CRYPTO_LIB_CHACHA_GENERIC +- select CRYPTO_ARCH_HAVE_LIB_CHACHA ++ select CRYPTO_ARCH_MAY_HAVE_LIB_CHACHA + help + Length-preserving ciphers: ChaCha20, XChaCha20, and XChaCha12 + stream cipher algorithms +diff --git a/arch/x86/crypto/Kconfig b/arch/x86/crypto/Kconfig +index 7b1bebed879df..d87b268d17d39 100644 +--- a/arch/x86/crypto/Kconfig ++++ b/arch/x86/crypto/Kconfig +@@ -6,7 +6,7 @@ config CRYPTO_CURVE25519_X86 + tristate "Public key crypto: Curve25519 (ADX)" + depends on X86 && 64BIT + select CRYPTO_LIB_CURVE25519_GENERIC +- select CRYPTO_ARCH_HAVE_LIB_CURVE25519 ++ select CRYPTO_ARCH_MAY_HAVE_LIB_CURVE25519 + help + Curve25519 algorithm + +@@ -352,7 +352,7 @@ config CRYPTO_CHACHA20_X86_64 + depends on X86 && 64BIT + select CRYPTO_SKCIPHER + select CRYPTO_LIB_CHACHA_GENERIC +- select CRYPTO_ARCH_HAVE_LIB_CHACHA ++ select CRYPTO_ARCH_MAY_HAVE_LIB_CHACHA + help + Length-preserving ciphers: ChaCha20, XChaCha20, and XChaCha12 + stream cipher algorithms +@@ -420,7 +420,7 @@ config CRYPTO_POLY1305_X86_64 + tristate "Hash functions: Poly1305 (SSE2/AVX2)" + depends on X86 && 64BIT + select CRYPTO_LIB_POLY1305_GENERIC +- select CRYPTO_ARCH_HAVE_LIB_POLY1305 ++ select CRYPTO_ARCH_MAY_HAVE_LIB_POLY1305 + help + Poly1305 authenticator algorithm (RFC7539) + +diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig +index b01253cac70a7..c542ef1d64d03 100644 +--- a/lib/crypto/Kconfig ++++ b/lib/crypto/Kconfig +@@ -42,12 +42,17 @@ config CRYPTO_LIB_BLAKE2S_GENERIC + of CRYPTO_LIB_BLAKE2S. + + config CRYPTO_ARCH_HAVE_LIB_CHACHA +- tristate ++ bool + help + Declares whether the architecture provides an arch-specific + accelerated implementation of the ChaCha library interface, + either builtin or as a module. + ++config CRYPTO_ARCH_MAY_HAVE_LIB_CHACHA ++ tristate ++ select CRYPTO_ARCH_HAVE_LIB_CHACHA if CRYPTO_LIB_CHACHA=m ++ select CRYPTO_ARCH_HAVE_LIB_CHACHA if CRYPTO_ARCH_MAY_HAVE_LIB_CHACHA=y ++ + config CRYPTO_LIB_CHACHA_GENERIC + tristate + select CRYPTO_LIB_UTILS +@@ -60,7 +65,6 @@ config CRYPTO_LIB_CHACHA_GENERIC + + config CRYPTO_LIB_CHACHA + tristate "ChaCha library interface" +- depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA + select CRYPTO_LIB_CHACHA_GENERIC if CRYPTO_ARCH_HAVE_LIB_CHACHA=n + help + Enable the ChaCha library interface. This interface may be fulfilled +@@ -68,12 +72,17 @@ config CRYPTO_LIB_CHACHA + is available and enabled. + + config CRYPTO_ARCH_HAVE_LIB_CURVE25519 +- tristate ++ bool + help + Declares whether the architecture provides an arch-specific + accelerated implementation of the Curve25519 library interface, + either builtin or as a module. + ++config CRYPTO_ARCH_MAY_HAVE_LIB_CURVE25519 ++ tristate ++ select CRYPTO_ARCH_HAVE_LIB_CURVE25519 if CRYPTO_LIB_CURVE25519=m ++ select CRYPTO_ARCH_HAVE_LIB_CURVE25519 if CRYPTO_ARCH_MAY_HAVE_LIB_CURVE25519=y ++ + config CRYPTO_LIB_CURVE25519_GENERIC + tristate + help +@@ -85,7 +94,6 @@ config CRYPTO_LIB_CURVE25519_GENERIC + + config CRYPTO_LIB_CURVE25519 + tristate "Curve25519 scalar multiplication library" +- depends on CRYPTO_ARCH_HAVE_LIB_CURVE25519 || !CRYPTO_ARCH_HAVE_LIB_CURVE25519 + select CRYPTO_LIB_CURVE25519_GENERIC if CRYPTO_ARCH_HAVE_LIB_CURVE25519=n + select CRYPTO_LIB_UTILS + help +@@ -104,12 +112,17 @@ config CRYPTO_LIB_POLY1305_RSIZE + default 1 + + config CRYPTO_ARCH_HAVE_LIB_POLY1305 +- tristate ++ bool + help + Declares whether the architecture provides an arch-specific + accelerated implementation of the Poly1305 library interface, + either builtin or as a module. + ++config CRYPTO_ARCH_MAY_HAVE_LIB_POLY1305 ++ tristate ++ select CRYPTO_ARCH_HAVE_LIB_POLY1305 if CRYPTO_LIB_POLY1305=m ++ select CRYPTO_ARCH_HAVE_LIB_POLY1305 if CRYPTO_ARCH_MAY_HAVE_LIB_POLY1305=y ++ + config CRYPTO_LIB_POLY1305_GENERIC + tristate + help +@@ -121,7 +134,6 @@ config CRYPTO_LIB_POLY1305_GENERIC + + config CRYPTO_LIB_POLY1305 + tristate "Poly1305 library interface" +- depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305 + select CRYPTO_LIB_POLY1305_GENERIC if CRYPTO_ARCH_HAVE_LIB_POLY1305=n + help + Enable the Poly1305 library interface. This interface may be fulfilled +@@ -130,8 +142,6 @@ config CRYPTO_LIB_POLY1305 + + config CRYPTO_LIB_CHACHA20POLY1305 + tristate "ChaCha20-Poly1305 AEAD support (8-byte nonce library version)" +- depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA +- depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305 + depends on CRYPTO + select CRYPTO_LIB_CHACHA + select CRYPTO_LIB_POLY1305 +-- +2.39.5 + diff --git a/queue-6.12/crypto-null-use-spin-lock-instead-of-mutex.patch b/queue-6.12/crypto-null-use-spin-lock-instead-of-mutex.patch new file mode 100644 index 0000000000..c9792a7ca7 --- /dev/null +++ b/queue-6.12/crypto-null-use-spin-lock-instead-of-mutex.patch @@ -0,0 +1,101 @@ +From 8c39998d0d888101b3ddaf31505ef731447d4869 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 14:10:07 +0800 +Subject: crypto: null - Use spin lock instead of mutex + +From: Herbert Xu + +[ Upstream commit dcc47a028c24e793ce6d6efebfef1a1e92f80297 ] + +As the null algorithm may be freed in softirq context through +af_alg, use spin locks instead of mutexes to protect the default +null algorithm. + +Reported-by: syzbot+b3e02953598f447d4d2a@syzkaller.appspotmail.com +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/crypto_null.c | 39 ++++++++++++++++++++++++++------------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +diff --git a/crypto/crypto_null.c b/crypto/crypto_null.c +index 5b84b0f7cc178..3378670286535 100644 +--- a/crypto/crypto_null.c ++++ b/crypto/crypto_null.c +@@ -17,10 +17,10 @@ + #include + #include + #include +-#include ++#include + #include + +-static DEFINE_MUTEX(crypto_default_null_skcipher_lock); ++static DEFINE_SPINLOCK(crypto_default_null_skcipher_lock); + static struct crypto_sync_skcipher *crypto_default_null_skcipher; + static int crypto_default_null_skcipher_refcnt; + +@@ -152,23 +152,32 @@ MODULE_ALIAS_CRYPTO("cipher_null"); + + struct crypto_sync_skcipher *crypto_get_default_null_skcipher(void) + { ++ struct crypto_sync_skcipher *ntfm = NULL; + struct crypto_sync_skcipher *tfm; + +- mutex_lock(&crypto_default_null_skcipher_lock); ++ spin_lock_bh(&crypto_default_null_skcipher_lock); + tfm = crypto_default_null_skcipher; + + if (!tfm) { +- tfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0); +- if (IS_ERR(tfm)) +- goto unlock; +- +- crypto_default_null_skcipher = tfm; ++ spin_unlock_bh(&crypto_default_null_skcipher_lock); ++ ++ ntfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0); ++ if (IS_ERR(ntfm)) ++ return ntfm; ++ ++ spin_lock_bh(&crypto_default_null_skcipher_lock); ++ tfm = crypto_default_null_skcipher; ++ if (!tfm) { ++ tfm = ntfm; ++ ntfm = NULL; ++ crypto_default_null_skcipher = tfm; ++ } + } + + crypto_default_null_skcipher_refcnt++; ++ spin_unlock_bh(&crypto_default_null_skcipher_lock); + +-unlock: +- mutex_unlock(&crypto_default_null_skcipher_lock); ++ crypto_free_sync_skcipher(ntfm); + + return tfm; + } +@@ -176,12 +185,16 @@ EXPORT_SYMBOL_GPL(crypto_get_default_null_skcipher); + + void crypto_put_default_null_skcipher(void) + { +- mutex_lock(&crypto_default_null_skcipher_lock); ++ struct crypto_sync_skcipher *tfm = NULL; ++ ++ spin_lock_bh(&crypto_default_null_skcipher_lock); + if (!--crypto_default_null_skcipher_refcnt) { +- crypto_free_sync_skcipher(crypto_default_null_skcipher); ++ tfm = crypto_default_null_skcipher; + crypto_default_null_skcipher = NULL; + } +- mutex_unlock(&crypto_default_null_skcipher_lock); ++ spin_unlock_bh(&crypto_default_null_skcipher_lock); ++ ++ crypto_free_sync_skcipher(tfm); + } + EXPORT_SYMBOL_GPL(crypto_put_default_null_skcipher); + +-- +2.39.5 + diff --git a/queue-6.12/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch b/queue-6.12/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch new file mode 100644 index 0000000000..8ca4203155 --- /dev/null +++ b/queue-6.12/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch @@ -0,0 +1,51 @@ +From ce387abc0ebdff9fa7e2885187b6a6323110f9e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 15:00:06 -0800 +Subject: dmaengine: dmatest: Fix dmatest waiting less when interrupted + +From: Vinicius Costa Gomes + +[ Upstream commit e87ca16e99118ab4e130a41bdf12abbf6a87656c ] + +Change the "wait for operation finish" logic to take interrupts into +account. + +When using dmatest with idxd DMA engine, it's possible that during +longer tests, the interrupt notifying the finish of an operation +happens during wait_event_freezable_timeout(), which causes dmatest to +cleanup all the resources, some of which might still be in use. + +This fix ensures that the wait logic correctly handles interrupts, +preventing premature cleanup of resources. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202502171134.8c403348-lkp@intel.com +Signed-off-by: Vinicius Costa Gomes +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20250305230007.590178-1-vinicius.gomes@intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmatest.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c +index 91b2fbc0b8647..d891dfca358e2 100644 +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -841,9 +841,9 @@ static int dmatest_func(void *data) + } else { + dma_async_issue_pending(chan); + +- wait_event_freezable_timeout(thread->done_wait, +- done->done, +- msecs_to_jiffies(params->timeout)); ++ wait_event_timeout(thread->done_wait, ++ done->done, ++ msecs_to_jiffies(params->timeout)); + + status = dma_async_is_tx_complete(chan, cookie, NULL, + NULL); +-- +2.39.5 + diff --git a/queue-6.12/drm-amdgpu-increase-kiq-invalidate_tlbs-timeout.patch b/queue-6.12/drm-amdgpu-increase-kiq-invalidate_tlbs-timeout.patch new file mode 100644 index 0000000000..3f811ecfca --- /dev/null +++ b/queue-6.12/drm-amdgpu-increase-kiq-invalidate_tlbs-timeout.patch @@ -0,0 +1,85 @@ +From e455a33ada3c64d2be8dc1f03b04f7eae5c57a37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 13:19:05 -0500 +Subject: drm/amdgpu: Increase KIQ invalidate_tlbs timeout + +From: Jay Cornwall + +[ Upstream commit 3666ed821832f42baaf25f362680dda603cde732 ] + +KIQ invalidate_tlbs request has been seen to marginally exceed the +configured 100 ms timeout on systems under load. + +All other KIQ requests in the driver use a 10 second timeout. Use a +similar timeout implementation on the invalidate_tlbs path. + +v2: Poll once before msleep +v3: Fix return value + +Signed-off-by: Jay Cornwall +Cc: Kent Russell +Reviewed-by: Harish Kasiviswanathan +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 - + drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 19 ++++++++++++++----- + 2 files changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +index 9b1e0ede05a45..b7aad43d9ad07 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -350,7 +350,6 @@ enum amdgpu_kiq_irq { + AMDGPU_CP_KIQ_IRQ_DRIVER0 = 0, + AMDGPU_CP_KIQ_IRQ_LAST + }; +-#define SRIOV_USEC_TIMEOUT 1200000 /* wait 12 * 100ms for SRIOV */ + #define MAX_KIQ_REG_WAIT 5000 /* in usecs, 5ms */ + #define MAX_KIQ_REG_BAILOUT_INTERVAL 5 /* in msecs, 5ms */ + #define MAX_KIQ_REG_TRY 1000 +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c +index 17a19d49d30a5..9d130d3af0b39 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c +@@ -678,12 +678,10 @@ int amdgpu_gmc_flush_gpu_tlb_pasid(struct amdgpu_device *adev, uint16_t pasid, + uint32_t flush_type, bool all_hub, + uint32_t inst) + { +- u32 usec_timeout = amdgpu_sriov_vf(adev) ? SRIOV_USEC_TIMEOUT : +- adev->usec_timeout; + struct amdgpu_ring *ring = &adev->gfx.kiq[inst].ring; + struct amdgpu_kiq *kiq = &adev->gfx.kiq[inst]; + unsigned int ndw; +- int r; ++ int r, cnt = 0; + uint32_t seq; + + /* +@@ -740,10 +738,21 @@ int amdgpu_gmc_flush_gpu_tlb_pasid(struct amdgpu_device *adev, uint16_t pasid, + + amdgpu_ring_commit(ring); + spin_unlock(&adev->gfx.kiq[inst].ring_lock); +- if (amdgpu_fence_wait_polling(ring, seq, usec_timeout) < 1) { ++ ++ r = amdgpu_fence_wait_polling(ring, seq, MAX_KIQ_REG_WAIT); ++ ++ might_sleep(); ++ while (r < 1 && cnt++ < MAX_KIQ_REG_TRY && ++ !amdgpu_reset_pending(adev->reset_domain)) { ++ msleep(MAX_KIQ_REG_BAILOUT_INTERVAL); ++ r = amdgpu_fence_wait_polling(ring, seq, MAX_KIQ_REG_WAIT); ++ } ++ ++ if (cnt > MAX_KIQ_REG_TRY) { + dev_err(adev->dev, "timeout waiting for kiq fence\n"); + r = -ETIME; +- } ++ } else ++ r = 0; + } + + error_unlock_reset: +-- +2.39.5 + diff --git a/queue-6.12/drm-amdgpu-use-a-dummy-owner-for-sysfs-triggered-cle.patch b/queue-6.12/drm-amdgpu-use-a-dummy-owner-for-sysfs-triggered-cle.patch new file mode 100644 index 0000000000..a38b34f69b --- /dev/null +++ b/queue-6.12/drm-amdgpu-use-a-dummy-owner-for-sysfs-triggered-cle.patch @@ -0,0 +1,66 @@ +From 57c12e3dc9f29089a0126343cf0ae6714f9fd48d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 18:58:17 +0100 +Subject: drm/amdgpu: use a dummy owner for sysfs triggered cleaner shaders v4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +[ Upstream commit 447fab30955cf7dba7dd563f42b67c02284860c8 ] + +Otherwise triggering sysfs multiple times without other submissions in +between only runs the shader once. + +v2: add some comment +v3: re-add missing cast +v4: squash in semicolon fix + +Signed-off-by: Christian König +Reviewed-by: Srinivasan Shanmugam +Signed-off-by: Alex Deucher +(cherry picked from commit 8b2ae7d492675e8af8902f103364bef59382b935) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c +index 05ebb8216a55a..3c2ac5f4e814b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c +@@ -1426,9 +1426,11 @@ static int amdgpu_gfx_run_cleaner_shader_job(struct amdgpu_ring *ring) + struct amdgpu_device *adev = ring->adev; + struct drm_gpu_scheduler *sched = &ring->sched; + struct drm_sched_entity entity; ++ static atomic_t counter; + struct dma_fence *f; + struct amdgpu_job *job; + struct amdgpu_ib *ib; ++ void *owner; + int i, r; + + /* Initialize the scheduler entity */ +@@ -1439,9 +1441,15 @@ static int amdgpu_gfx_run_cleaner_shader_job(struct amdgpu_ring *ring) + goto err; + } + +- r = amdgpu_job_alloc_with_ib(ring->adev, &entity, NULL, +- 64, 0, +- &job); ++ /* ++ * Use some unique dummy value as the owner to make sure we execute ++ * the cleaner shader on each submission. The value just need to change ++ * for each submission and is otherwise meaningless. ++ */ ++ owner = (void *)(unsigned long)atomic_inc_return(&counter); ++ ++ r = amdgpu_job_alloc_with_ib(ring->adev, &entity, owner, ++ 64, 0, &job); + if (r) + goto err; + +-- +2.39.5 + diff --git a/queue-6.12/drm-amdgpu-use-the-right-function-for-hdp-flush.patch b/queue-6.12/drm-amdgpu-use-the-right-function-for-hdp-flush.patch new file mode 100644 index 0000000000..7d1c2320a2 --- /dev/null +++ b/queue-6.12/drm-amdgpu-use-the-right-function-for-hdp-flush.patch @@ -0,0 +1,281 @@ +From e18cb1f0af346b37c421b3bfae94e9e113e53754 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Apr 2025 17:40:26 +0530 +Subject: drm/amdgpu: Use the right function for hdp flush + +From: Lijo Lazar + +[ Upstream commit c235a7132258ac30bd43d228222986022d21f5de ] + +There are a few prechecks made before HDP flush like a flush is not +required on APU bare metal. Using hdp callback directly bypasses those +checks. Use amdgpu_device_flush_hdp which takes care of prechecks. + +Signed-off-by: Lijo Lazar +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +(cherry picked from commit 1d9bff4cf8c53d33ee2ff1b11574e5da739ce61c) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 8 ++++---- + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 12 ++++++------ + drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 6 +++--- + drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 2 +- + drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 2 +- + drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 2 +- + drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 2 +- + 10 files changed, 23 insertions(+), 23 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +index 45ed97038df0c..24d711b0e6346 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +@@ -5998,7 +5998,7 @@ static int gfx_v10_0_cp_gfx_load_pfp_microcode(struct amdgpu_device *adev) + } + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + tmp = RREG32_SOC15(GC, 0, mmCP_PFP_IC_BASE_CNTL); + tmp = REG_SET_FIELD(tmp, CP_PFP_IC_BASE_CNTL, VMID, 0); +@@ -6076,7 +6076,7 @@ static int gfx_v10_0_cp_gfx_load_ce_microcode(struct amdgpu_device *adev) + } + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + tmp = RREG32_SOC15(GC, 0, mmCP_CE_IC_BASE_CNTL); + tmp = REG_SET_FIELD(tmp, CP_CE_IC_BASE_CNTL, VMID, 0); +@@ -6153,7 +6153,7 @@ static int gfx_v10_0_cp_gfx_load_me_microcode(struct amdgpu_device *adev) + } + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + tmp = RREG32_SOC15(GC, 0, mmCP_ME_IC_BASE_CNTL); + tmp = REG_SET_FIELD(tmp, CP_ME_IC_BASE_CNTL, VMID, 0); +@@ -6528,7 +6528,7 @@ static int gfx_v10_0_cp_compute_load_microcode(struct amdgpu_device *adev) + } + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + tmp = RREG32_SOC15(GC, 0, mmCP_CPC_IC_BASE_CNTL); + tmp = REG_SET_FIELD(tmp, CP_CPC_IC_BASE_CNTL, CACHE_POLICY, 0); +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +index 84cf5fd297b7f..0357fea8ae1df 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +@@ -2327,7 +2327,7 @@ static int gfx_v11_0_config_me_cache(struct amdgpu_device *adev, uint64_t addr) + } + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + tmp = RREG32_SOC15(GC, 0, regCP_ME_IC_BASE_CNTL); + tmp = REG_SET_FIELD(tmp, CP_ME_IC_BASE_CNTL, VMID, 0); +@@ -2371,7 +2371,7 @@ static int gfx_v11_0_config_pfp_cache(struct amdgpu_device *adev, uint64_t addr) + } + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + tmp = RREG32_SOC15(GC, 0, regCP_PFP_IC_BASE_CNTL); + tmp = REG_SET_FIELD(tmp, CP_PFP_IC_BASE_CNTL, VMID, 0); +@@ -2416,7 +2416,7 @@ static int gfx_v11_0_config_mec_cache(struct amdgpu_device *adev, uint64_t addr) + } + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + tmp = RREG32_SOC15(GC, 0, regCP_CPC_IC_BASE_CNTL); + tmp = REG_SET_FIELD(tmp, CP_CPC_IC_BASE_CNTL, CACHE_POLICY, 0); +@@ -3051,7 +3051,7 @@ static int gfx_v11_0_cp_gfx_load_pfp_microcode_rs64(struct amdgpu_device *adev) + amdgpu_bo_unreserve(adev->gfx.pfp.pfp_fw_data_obj); + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + WREG32_SOC15(GC, 0, regCP_PFP_IC_BASE_LO, + lower_32_bits(adev->gfx.pfp.pfp_fw_gpu_addr)); +@@ -3269,7 +3269,7 @@ static int gfx_v11_0_cp_gfx_load_me_microcode_rs64(struct amdgpu_device *adev) + amdgpu_bo_unreserve(adev->gfx.me.me_fw_data_obj); + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + WREG32_SOC15(GC, 0, regCP_ME_IC_BASE_LO, + lower_32_bits(adev->gfx.me.me_fw_gpu_addr)); +@@ -4487,7 +4487,7 @@ static int gfx_v11_0_gfxhub_enable(struct amdgpu_device *adev) + if (r) + return r; + +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + value = (amdgpu_vm_fault_stop == AMDGPU_VM_FAULT_STOP_ALWAYS) ? + false : true; +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c +index b259e217930c7..241619ee10e4b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c +@@ -2264,7 +2264,7 @@ static int gfx_v12_0_cp_gfx_load_pfp_microcode_rs64(struct amdgpu_device *adev) + amdgpu_bo_unreserve(adev->gfx.pfp.pfp_fw_data_obj); + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + WREG32_SOC15(GC, 0, regCP_PFP_IC_BASE_LO, + lower_32_bits(adev->gfx.pfp.pfp_fw_gpu_addr)); +@@ -2408,7 +2408,7 @@ static int gfx_v12_0_cp_gfx_load_me_microcode_rs64(struct amdgpu_device *adev) + amdgpu_bo_unreserve(adev->gfx.me.me_fw_data_obj); + + if (amdgpu_emu_mode == 1) +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + WREG32_SOC15(GC, 0, regCP_ME_IC_BASE_LO, + lower_32_bits(adev->gfx.me.me_fw_gpu_addr)); +@@ -3429,7 +3429,7 @@ static int gfx_v12_0_gfxhub_enable(struct amdgpu_device *adev) + if (r) + return r; + +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + value = (amdgpu_vm_fault_stop == AMDGPU_VM_FAULT_STOP_ALWAYS) ? + false : true; +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c +index 9784a28921853..c6e7429212827 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c +@@ -265,7 +265,7 @@ static void gmc_v10_0_flush_gpu_tlb(struct amdgpu_device *adev, uint32_t vmid, + ack = hub->vm_inv_eng0_ack + hub->eng_distance * eng; + + /* flush hdp cache */ +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + /* This is necessary for SRIOV as well as for GFXOFF to function + * properly under bare metal +@@ -966,7 +966,7 @@ static int gmc_v10_0_gart_enable(struct amdgpu_device *adev) + adev->hdp.funcs->init_registers(adev); + + /* Flush HDP after it is initialized */ +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + value = (amdgpu_vm_fault_stop == AMDGPU_VM_FAULT_STOP_ALWAYS) ? + false : true; +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c +index 2797fd84432b2..4e9c23d65b02f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c +@@ -226,7 +226,7 @@ static void gmc_v11_0_flush_gpu_tlb(struct amdgpu_device *adev, uint32_t vmid, + ack = hub->vm_inv_eng0_ack + hub->eng_distance * eng; + + /* flush hdp cache */ +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + /* This is necessary for SRIOV as well as for GFXOFF to function + * properly under bare metal +@@ -893,7 +893,7 @@ static int gmc_v11_0_gart_enable(struct amdgpu_device *adev) + return r; + + /* Flush HDP after it is initialized */ +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + value = (amdgpu_vm_fault_stop == AMDGPU_VM_FAULT_STOP_ALWAYS) ? + false : true; +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c +index 60acf676000b3..525e435ee22d8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c +@@ -294,7 +294,7 @@ static void gmc_v12_0_flush_gpu_tlb(struct amdgpu_device *adev, uint32_t vmid, + return; + + /* flush hdp cache */ +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + /* This is necessary for SRIOV as well as for GFXOFF to function + * properly under bare metal +@@ -862,7 +862,7 @@ static int gmc_v12_0_gart_enable(struct amdgpu_device *adev) + return r; + + /* Flush HDP after it is initialized */ +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + value = (amdgpu_vm_fault_stop == AMDGPU_VM_FAULT_STOP_ALWAYS) ? + false : true; +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +index 7a45f3fdc7341..9a212413c6d3a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -2351,7 +2351,7 @@ static int gmc_v9_0_hw_init(void *handle) + adev->hdp.funcs->init_registers(adev); + + /* After HDP is initialized, flush HDP.*/ +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + + if (amdgpu_vm_fault_stop == AMDGPU_VM_FAULT_STOP_ALWAYS) + value = false; +diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c b/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c +index 2395f1856962a..e77a467af7ac3 100644 +--- a/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c +@@ -532,7 +532,7 @@ static int psp_v11_0_memory_training(struct psp_context *psp, uint32_t ops) + } + + memcpy_toio(adev->mman.aper_base_kaddr, buf, sz); +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + vfree(buf); + drm_dev_exit(idx); + } else { +diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c b/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c +index 51e470e8d67d9..bf00de763acb0 100644 +--- a/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c +@@ -600,7 +600,7 @@ static int psp_v13_0_memory_training(struct psp_context *psp, uint32_t ops) + } + + memcpy_toio(adev->mman.aper_base_kaddr, buf, sz); +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + vfree(buf); + drm_dev_exit(idx); + } else { +diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c b/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c +index 4d33c95a51163..89f6c06946c51 100644 +--- a/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c +@@ -488,7 +488,7 @@ static int psp_v14_0_memory_training(struct psp_context *psp, uint32_t ops) + } + + memcpy_toio(adev->mman.aper_base_kaddr, buf, sz); +- adev->hdp.funcs->flush_hdp(adev, NULL); ++ amdgpu_device_flush_hdp(adev, NULL); + vfree(buf); + drm_dev_exit(idx); + } else { +-- +2.39.5 + diff --git a/queue-6.12/drm-xe-xe3lpg-apply-wa_14022293748-wa_22019794406.patch b/queue-6.12/drm-xe-xe3lpg-apply-wa_14022293748-wa_22019794406.patch new file mode 100644 index 0000000000..cc555d8f47 --- /dev/null +++ b/queue-6.12/drm-xe-xe3lpg-apply-wa_14022293748-wa_22019794406.patch @@ -0,0 +1,40 @@ +From dd52520a6b13b3b66fef55f3b082f18d88a6bfd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 15:43:05 -0700 +Subject: drm/xe/xe3lpg: Apply Wa_14022293748, Wa_22019794406 + +From: Julia Filipchuk + +[ Upstream commit 00e0ae4f1f872800413c819f8a2a909dc29cdc35 ] + +Extend Wa_14022293748, Wa_22019794406 to Xe3_LPG + +Signed-off-by: Julia Filipchuk +Reviewed-by: Tejas Upadhyay +Signed-off-by: John Harrison +Link: https://lore.kernel.org/r/20250325224310.1455499-1-julia.filipchuk@intel.com +(cherry picked from commit 32af900f2c6b1846fd3ede8ad36dd180d7e4ae70) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_wa_oob.rules | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/xe/xe_wa_oob.rules b/drivers/gpu/drm/xe/xe_wa_oob.rules +index 264d6e116499c..93fa2708ee378 100644 +--- a/drivers/gpu/drm/xe/xe_wa_oob.rules ++++ b/drivers/gpu/drm/xe/xe_wa_oob.rules +@@ -29,8 +29,10 @@ + 13011645652 GRAPHICS_VERSION(2004) + 14022293748 GRAPHICS_VERSION(2001) + GRAPHICS_VERSION(2004) ++ GRAPHICS_VERSION_RANGE(3000, 3001) + 22019794406 GRAPHICS_VERSION(2001) + GRAPHICS_VERSION(2004) ++ GRAPHICS_VERSION_RANGE(3000, 3001) + 22019338487 MEDIA_VERSION(2000) + GRAPHICS_VERSION(2001) + MEDIA_VERSION(3000), MEDIA_STEP(A0, B0) +-- +2.39.5 + diff --git a/queue-6.12/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch b/queue-6.12/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch new file mode 100644 index 0000000000..f0a5fc6bf4 --- /dev/null +++ b/queue-6.12/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch @@ -0,0 +1,78 @@ +From 0f4d87907572985b4af6ff746ed9b2dd22087707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 11:54:52 +0530 +Subject: ext4: make block validity check resistent to sb bh corruption + +From: Ojaswin Mujoo + +[ Upstream commit ccad447a3d331a239477c281533bacb585b54a98 ] + +Block validity checks need to be skipped in case they are called +for journal blocks since they are part of system's protected +zone. + +Currently, this is done by checking inode->ino against +sbi->s_es->s_journal_inum, which is a direct read from the ext4 sb +buffer head. If someone modifies this underneath us then the +s_journal_inum field might get corrupted. To prevent against this, +change the check to directly compare the inode with journal->j_inode. + +**Slight change in behavior**: During journal init path, +check_block_validity etc might be called for journal inode when +sbi->s_journal is not set yet. In this case we now proceed with +ext4_inode_block_valid() instead of returning early. Since systems zones +have not been set yet, it is okay to proceed so we can perform basic +checks on the blocks. + +Suggested-by: Baokun Li +Reviewed-by: Baokun Li +Reviewed-by: Jan Kara +Reviewed-by: Zhang Yi +Signed-off-by: Ojaswin Mujoo +Link: https://patch.msgid.link/0c06bc9ebfcd6ccfed84a36e79147bf45ff5adc1.1743142920.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/block_validity.c | 5 ++--- + fs/ext4/inode.c | 7 ++++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index 87ee3a17bd29c..e8c5525afc67a 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -351,10 +351,9 @@ int ext4_check_blockref(const char *function, unsigned int line, + { + __le32 *bref = p; + unsigned int blk; ++ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; + +- if (ext4_has_feature_journal(inode->i_sb) && +- (inode->i_ino == +- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ if (journal && inode == journal->j_inode) + return 0; + + while (bref < p+max) { +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index ffa6aa55a1a7a..4fd5f2f2adca5 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -383,10 +383,11 @@ static int __check_block_validity(struct inode *inode, const char *func, + unsigned int line, + struct ext4_map_blocks *map) + { +- if (ext4_has_feature_journal(inode->i_sb) && +- (inode->i_ino == +- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; ++ ++ if (journal && inode == journal->j_inode) + return 0; ++ + if (!ext4_inode_block_valid(inode, map->m_pblk, map->m_len)) { + ext4_error_inode(inode, func, line, map->m_pblk, + "lblock %lu mapped to illegal pblock %llu " +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch b/queue-6.12/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch new file mode 100644 index 0000000000..0ef15bbe4b --- /dev/null +++ b/queue-6.12/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch @@ -0,0 +1,45 @@ +From d14ba663ea7ae6836dce8d67f0a32f14bd8921e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 20:16:38 +0800 +Subject: fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size + +From: Edward Adam Davis + +[ Upstream commit ff355926445897cc9fdea3b00611e514232c213c ] + +Syzbot reported a WARNING in ntfs_extend_initialized_size. +The data type of in->i_valid and to is u64 in ntfs_file_mmap(). +If their values are greater than LLONG_MAX, overflow will occur because +the data types of the parameters valid and new_valid corresponding to +the function ntfs_extend_initialized_size() are loff_t. + +Before calling ntfs_extend_initialized_size() in the ntfs_file_mmap(), +the "ni->i_valid < to" has been determined, so the same WARN_ON determination +is not required in ntfs_extend_initialized_size(). +Just execute the ntfs_extend_initialized_size() in ntfs_extend() to make +a WARN_ON check. + +Reported-and-tested-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55 +Signed-off-by: Edward Adam Davis +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c +index 4ca1fff826fd0..748c4be912db5 100644 +--- a/fs/ntfs3/file.c ++++ b/fs/ntfs3/file.c +@@ -428,6 +428,7 @@ static int ntfs_extend(struct inode *inode, loff_t pos, size_t count, + } + + if (extend_init && !is_compressed(ni)) { ++ WARN_ON(ni->i_valid >= pos); + err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos); + if (err) + goto out; +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-keep-write-operations-atomic.patch b/queue-6.12/fs-ntfs3-keep-write-operations-atomic.patch new file mode 100644 index 0000000000..cd723506b7 --- /dev/null +++ b/queue-6.12/fs-ntfs3-keep-write-operations-atomic.patch @@ -0,0 +1,115 @@ +From 8065876c9f2c6ece4d552cd084a277e847cd8f8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 15:10:03 +0800 +Subject: fs/ntfs3: Keep write operations atomic + +From: Lizhi Xu + +[ Upstream commit 285cec318bf5a7a6c8ba999b2b6ec96f9a20590f ] + +syzbot reported a NULL pointer dereference in __generic_file_write_iter. [1] + +Before the write operation is completed, the user executes ioctl[2] to clear +the compress flag of the file, which causes the is_compressed() judgment to +return 0, further causing the program to enter the wrong process and call the +wrong ops ntfs_aops_cmpr, which triggers the null pointer dereference of +write_begin. + +Use inode lock to synchronize ioctl and write to avoid this case. + +[1] +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +Mem abort info: + ESR = 0x0000000086000006 + EC = 0x21: IABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x06: level 2 translation fault +user pgtable: 4k pages, 48-bit VAs, pgdp=000000011896d000 +[0000000000000000] pgd=0800000118b44403, p4d=0800000118b44403, pud=0800000117517403, pmd=0000000000000000 +Internal error: Oops: 0000000086000006 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 UID: 0 PID: 6427 Comm: syz-executor347 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : 0x0 +lr : generic_perform_write+0x29c/0x868 mm/filemap.c:4055 +sp : ffff80009d4978a0 +x29: ffff80009d4979c0 x28: dfff800000000000 x27: ffff80009d497bc8 +x26: 0000000000000000 x25: ffff80009d497960 x24: ffff80008ba71c68 +x23: 0000000000000000 x22: ffff0000c655dac0 x21: 0000000000001000 +x20: 000000000000000c x19: 1ffff00013a92f2c x18: ffff0000e183aa1c +x17: 0004060000000014 x16: ffff800083275834 x15: 0000000000000001 +x14: 0000000000000000 x13: 0000000000000001 x12: ffff0000c655dac0 +x11: 0000000000ff0100 x10: 0000000000ff0100 x9 : 0000000000000000 +x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 +x5 : ffff80009d497980 x4 : ffff80009d497960 x3 : 0000000000001000 +x2 : 0000000000000000 x1 : ffff0000e183a928 x0 : ffff0000d60b0fc0 +Call trace: + 0x0 (P) + __generic_file_write_iter+0xfc/0x204 mm/filemap.c:4156 + ntfs_file_write_iter+0x54c/0x630 fs/ntfs3/file.c:1267 + new_sync_write fs/read_write.c:586 [inline] + vfs_write+0x920/0xcf4 fs/read_write.c:679 + ksys_write+0x15c/0x26c fs/read_write.c:731 + __do_sys_write fs/read_write.c:742 [inline] + __se_sys_write fs/read_write.c:739 [inline] + __arm64_sys_write+0x7c/0x90 fs/read_write.c:739 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 + +[2] +ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &(0x7f00000000c0)=0x20) + +Reported-by: syzbot+5d0bdc98770e6c55a0fd@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5d0bdc98770e6c55a0fd +Signed-off-by: Lizhi Xu +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/file.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c +index 7976ac4611c8d..4ca1fff826fd0 100644 +--- a/fs/ntfs3/file.c ++++ b/fs/ntfs3/file.c +@@ -1238,21 +1238,22 @@ static ssize_t ntfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from) + ssize_t ret; + int err; + +- err = check_write_restriction(inode); +- if (err) +- return err; +- +- if (is_compressed(ni) && (iocb->ki_flags & IOCB_DIRECT)) { +- ntfs_inode_warn(inode, "direct i/o + compressed not supported"); +- return -EOPNOTSUPP; +- } +- + if (!inode_trylock(inode)) { + if (iocb->ki_flags & IOCB_NOWAIT) + return -EAGAIN; + inode_lock(inode); + } + ++ ret = check_write_restriction(inode); ++ if (ret) ++ goto out; ++ ++ if (is_compressed(ni) && (iocb->ki_flags & IOCB_DIRECT)) { ++ ntfs_inode_warn(inode, "direct i/o + compressed not supported"); ++ ret = -EOPNOTSUPP; ++ goto out; ++ } ++ + ret = generic_write_checks(iocb, from); + if (ret <= 0) + goto out; +-- +2.39.5 + diff --git a/queue-6.12/gpiolib-of-move-atmel-hsmci-quirk-up-out-of-the-regu.patch b/queue-6.12/gpiolib-of-move-atmel-hsmci-quirk-up-out-of-the-regu.patch new file mode 100644 index 0000000000..d820f03a8b --- /dev/null +++ b/queue-6.12/gpiolib-of-move-atmel-hsmci-quirk-up-out-of-the-regu.patch @@ -0,0 +1,49 @@ +From e3b4c51a1132e9945b32c151455bc84656c258cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 15:20:01 +0300 +Subject: gpiolib: of: Move Atmel HSMCI quirk up out of the regulator comment + +From: Andy Shevchenko + +[ Upstream commit b8c7a1ac884cc267d1031f8de07f1a689a69fbab ] + +The regulator comment in of_gpio_set_polarity_by_property() +made on top of a couple of the cases, while Atmel HSMCI quirk +is not related to that. Make it clear by moving Atmel HSMCI +quirk up out of the scope of the regulator comment. + +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20250402122058.1517393-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-of.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index e543129d36050..626daedb01698 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -259,6 +259,9 @@ static void of_gpio_set_polarity_by_property(const struct device_node *np, + { "fsl,imx8qm-fec", "phy-reset-gpios", "phy-reset-active-high" }, + { "fsl,s32v234-fec", "phy-reset-gpios", "phy-reset-active-high" }, + #endif ++#if IS_ENABLED(CONFIG_MMC_ATMELMCI) ++ { "atmel,hsmci", "cd-gpios", "cd-inverted" }, ++#endif + #if IS_ENABLED(CONFIG_PCI_IMX6) + { "fsl,imx6q-pcie", "reset-gpio", "reset-gpio-active-high" }, + { "fsl,imx6sx-pcie", "reset-gpio", "reset-gpio-active-high" }, +@@ -284,9 +287,6 @@ static void of_gpio_set_polarity_by_property(const struct device_node *np, + #if IS_ENABLED(CONFIG_REGULATOR_GPIO) + { "regulator-gpio", "enable-gpio", "enable-active-high" }, + { "regulator-gpio", "enable-gpios", "enable-active-high" }, +-#endif +-#if IS_ENABLED(CONFIG_MMC_ATMELMCI) +- { "atmel,hsmci", "cd-gpios", "cd-inverted" }, + #endif + }; + unsigned int i; +-- +2.39.5 + diff --git a/queue-6.12/hardening-disable-gcc-randstruct-for-compile_test.patch b/queue-6.12/hardening-disable-gcc-randstruct-for-compile_test.patch new file mode 100644 index 0000000000..13a45cc2b2 --- /dev/null +++ b/queue-6.12/hardening-disable-gcc-randstruct-for-compile_test.patch @@ -0,0 +1,41 @@ +From 0002a16939abdbcc97554ed5d97899483685105b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 08:11:58 -0700 +Subject: hardening: Disable GCC randstruct for COMPILE_TEST + +From: Kees Cook + +[ Upstream commit f5c68a4e84f9feca3be578199ec648b676db2030 ] + +There is a GCC crash bug in the randstruct for latest GCC versions that +is being tickled by landlock[1]. Temporarily disable GCC randstruct for +COMPILE_TEST builds to unbreak CI systems for the coming -rc2. This can +be restored once the bug is fixed. + +Suggested-by: Mark Brown +Link: https://lore.kernel.org/all/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/ [1] +Acked-by: Mark Brown +Acked-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20250409151154.work.872-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + security/Kconfig.hardening | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening +index c9d5ca3d8d08d..2b219bc26fe56 100644 +--- a/security/Kconfig.hardening ++++ b/security/Kconfig.hardening +@@ -310,7 +310,7 @@ config CC_HAS_RANDSTRUCT + + choice + prompt "Randomize layout of sensitive kernel structures" +- default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT) ++ default RANDSTRUCT_FULL if COMPILE_TEST && CC_HAS_RANDSTRUCT + default RANDSTRUCT_NONE + help + If you enable this, the layouts of structures that are entirely +-- +2.39.5 + diff --git a/queue-6.12/i3c-master-svc-add-support-for-nuvoton-npcm845-i3c.patch b/queue-6.12/i3c-master-svc-add-support-for-nuvoton-npcm845-i3c.patch new file mode 100644 index 0000000000..b921bc578d --- /dev/null +++ b/queue-6.12/i3c-master-svc-add-support-for-nuvoton-npcm845-i3c.patch @@ -0,0 +1,86 @@ +From c32fb11d42ac30d721c1962f36e8b5e94eff372a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 15:54:26 +0800 +Subject: i3c: master: svc: Add support for Nuvoton npcm845 i3c + +From: Stanley Chu + +[ Upstream commit 98d87600a04e42282797631aa6b98dd43999e274 ] + +Nuvoton npcm845 SoC uses an older IP version, which has specific +hardware issues that need to be addressed with a different compatible +string. + +Add driver data for different compatible strings to define platform +specific quirks. +Add compatible string for npcm845 to define its own driver data. + +Signed-off-by: Stanley Chu +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250306075429.2265183-3-yschu@nuvoton.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/svc-i3c-master.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c +index 42102baabcdda..7911814ad82ac 100644 +--- a/drivers/i3c/master/svc-i3c-master.c ++++ b/drivers/i3c/master/svc-i3c-master.c +@@ -158,6 +158,10 @@ struct svc_i3c_regs_save { + u32 mdynaddr; + }; + ++struct svc_i3c_drvdata { ++ u32 quirks; ++}; ++ + /** + * struct svc_i3c_master - Silvaco I3C Master structure + * @base: I3C master controller +@@ -183,6 +187,7 @@ struct svc_i3c_regs_save { + * @ibi.tbq_slot: To be queued IBI slot + * @ibi.lock: IBI lock + * @lock: Transfer lock, protect between IBI work thread and callbacks from master ++ * @drvdata: Driver data + * @enabled_events: Bit masks for enable events (IBI, HotJoin). + * @mctrl_config: Configuration value in SVC_I3C_MCTRL for setting speed back. + */ +@@ -214,6 +219,7 @@ struct svc_i3c_master { + spinlock_t lock; + } ibi; + struct mutex lock; ++ const struct svc_i3c_drvdata *drvdata; + u32 enabled_events; + u32 mctrl_config; + }; +@@ -1768,6 +1774,10 @@ static int svc_i3c_master_probe(struct platform_device *pdev) + if (!master) + return -ENOMEM; + ++ master->drvdata = of_device_get_match_data(dev); ++ if (!master->drvdata) ++ return -EINVAL; ++ + master->regs = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(master->regs)) + return PTR_ERR(master->regs); +@@ -1909,8 +1919,13 @@ static const struct dev_pm_ops svc_i3c_pm_ops = { + svc_i3c_runtime_resume, NULL) + }; + ++static const struct svc_i3c_drvdata npcm845_drvdata = {}; ++ ++static const struct svc_i3c_drvdata svc_default_drvdata = {}; ++ + static const struct of_device_id svc_i3c_master_of_match_tbl[] = { +- { .compatible = "silvaco,i3c-master-v1"}, ++ { .compatible = "nuvoton,npcm845-i3c", .data = &npcm845_drvdata }, ++ { .compatible = "silvaco,i3c-master-v1", .data = &svc_default_drvdata }, + { /* sentinel */ }, + }; + MODULE_DEVICE_TABLE(of, svc_i3c_master_of_match_tbl); +-- +2.39.5 + diff --git a/queue-6.12/io_uring-always-do-atomic-put-from-iowq.patch b/queue-6.12/io_uring-always-do-atomic-put-from-iowq.patch new file mode 100644 index 0000000000..9ac137920c --- /dev/null +++ b/queue-6.12/io_uring-always-do-atomic-put-from-iowq.patch @@ -0,0 +1,67 @@ +From 511e67ad2d0eb4655a51c9d3176b679d0890d639 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 12:29:30 +0100 +Subject: io_uring: always do atomic put from iowq + +From: Pavel Begunkov + +[ Upstream commit 390513642ee6763c7ada07f0a1470474986e6c1c ] + +io_uring always switches requests to atomic refcounting for iowq +execution before there is any parallilism by setting REQ_F_REFCOUNT, +and the flag is not cleared until the request completes. That should be +fine as long as the compiler doesn't make up a non existing value for +the flags, however KCSAN still complains when the request owner changes +oter flag bits: + +BUG: KCSAN: data-race in io_req_task_cancel / io_wq_free_work +... +read to 0xffff888117207448 of 8 bytes by task 3871 on cpu 0: + req_ref_put_and_test io_uring/refs.h:22 [inline] + +Skip REQ_F_REFCOUNT checks for iowq, we know it's set. + +Reported-by: syzbot+903a2ad71fb3f1e47cf5@syzkaller.appspotmail.com +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/d880bc27fb8c3209b54641be4ff6ac02b0e5789a.1743679736.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 2 +- + io_uring/refs.h | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index 9bbcd5742bc2e..fef5c6e3b251e 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1778,7 +1778,7 @@ struct io_wq_work *io_wq_free_work(struct io_wq_work *work) + struct io_kiocb *req = container_of(work, struct io_kiocb, work); + struct io_kiocb *nxt = NULL; + +- if (req_ref_put_and_test(req)) { ++ if (req_ref_put_and_test_atomic(req)) { + if (req->flags & IO_REQ_LINK_FLAGS) + nxt = io_req_find_next(req); + io_free_req(req); +diff --git a/io_uring/refs.h b/io_uring/refs.h +index 63982ead9f7da..0d928d87c4ed1 100644 +--- a/io_uring/refs.h ++++ b/io_uring/refs.h +@@ -17,6 +17,13 @@ static inline bool req_ref_inc_not_zero(struct io_kiocb *req) + return atomic_inc_not_zero(&req->refs); + } + ++static inline bool req_ref_put_and_test_atomic(struct io_kiocb *req) ++{ ++ WARN_ON_ONCE(!(data_race(req->flags) & REQ_F_REFCOUNT)); ++ WARN_ON_ONCE(req_ref_zero_or_close_to_overflow(req)); ++ return atomic_dec_and_test(&req->refs); ++} ++ + static inline bool req_ref_put_and_test(struct io_kiocb *req) + { + if (likely(!(req->flags & REQ_F_REFCOUNT))) +-- +2.39.5 + diff --git a/queue-6.12/iomap-skip-unnecessary-ifs_block_is_uptodate-check.patch b/queue-6.12/iomap-skip-unnecessary-ifs_block_is_uptodate-check.patch new file mode 100644 index 0000000000..e08859a5ff --- /dev/null +++ b/queue-6.12/iomap-skip-unnecessary-ifs_block_is_uptodate-check.patch @@ -0,0 +1,43 @@ +From 3f57428c40a8550ef68c254d265b59b348fc9e58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 15:12:36 +0800 +Subject: iomap: skip unnecessary ifs_block_is_uptodate check + +From: Gou Hao + +[ Upstream commit 8e3c15ee0d292c413c66fe10201d1b035a0bea72 ] + +In iomap_adjust_read_range, i is either the first !uptodate block, or it +is past last for the second loop looking for trailing uptodate blocks. +Assuming there's no overflow (there's no combination of huge folios and +tiny blksize) then yeah, there is no point in retesting that the same +block pointed to by i is uptodate since we hold the folio lock so nobody +else could have set it uptodate. + +Signed-off-by: Gou Hao +Link: https://lore.kernel.org/20250410071236.16017-1-gouhao@uniontech.com +Reviewed-by: "Darrick J. Wong" +Reviewed-by: Christoph Hellwig +Suggested-by: Christoph Hellwig +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/iomap/buffered-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index 1bad460275ebe..d4b990938399c 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -263,7 +263,7 @@ static void iomap_adjust_read_range(struct inode *inode, struct folio *folio, + } + + /* truncate len if we find any trailing uptodate block(s) */ +- for ( ; i <= last; i++) { ++ while (++i <= last) { + if (ifs_block_is_uptodate(ifs, i)) { + plen -= (last - i + 1) * block_size; + last = i - 1; +-- +2.39.5 + diff --git a/queue-6.12/iommu-clear-iommu-dma-ops-on-cleanup.patch b/queue-6.12/iommu-clear-iommu-dma-ops-on-cleanup.patch new file mode 100644 index 0000000000..07e5f08f29 --- /dev/null +++ b/queue-6.12/iommu-clear-iommu-dma-ops-on-cleanup.patch @@ -0,0 +1,49 @@ +From 786df48efdb4fa4aa14cf2ea0c0397cf261564d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 12:23:48 +0100 +Subject: iommu: Clear iommu-dma ops on cleanup + +From: Robin Murphy + +[ Upstream commit 280e5a30100578106a4305ce0118e0aa9b866f12 ] + +If iommu_device_register() encounters an error, it can end up tearing +down already-configured groups and default domains, however this +currently still leaves devices hooked up to iommu-dma (and even +historically the behaviour in this area was at best inconsistent across +architectures/drivers...) Although in the case that an IOMMU is present +whose driver has failed to probe, users cannot necessarily expect DMA to +work anyway, it's still arguable that we should do our best to put +things back as if the IOMMU driver was never there at all, and certainly +the potential for crashing in iommu-dma itself is undesirable. Make sure +we clean up the dev->dma_iommu flag along with everything else. + +Reported-by: Chen-Yu Tsai +Signed-off-by: Robin Murphy +Closes: https://lore.kernel.org/all/CAGXv+5HJpTYmQ2h-GD7GjyeYT7bL9EBCvu0mz5LgpzJZtzfW0w@mail.gmail.com/ +Tested-by: Chen-Yu Tsai +Reviewed-by: Lu Baolu +Link: https://lore.kernel.org/r/e788aa927f6d827dd4ea1ed608fada79f2bab030.1744284228.git.robin.murphy@arm.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c +index 83c8e617a2c58..13c2a00f8aac1 100644 +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -503,6 +503,9 @@ static void iommu_deinit_device(struct device *dev) + dev->iommu_group = NULL; + module_put(ops->owner); + dev_iommu_free(dev); ++#ifdef CONFIG_IOMMU_DMA ++ dev->dma_iommu = false; ++#endif + } + + DEFINE_MUTEX(iommu_probe_device_lock); +-- +2.39.5 + diff --git a/queue-6.12/kbuild-add-dependency-from-vmlinux-to-sorttable.patch b/queue-6.12/kbuild-add-dependency-from-vmlinux-to-sorttable.patch new file mode 100644 index 0000000000..76e0eefa85 --- /dev/null +++ b/queue-6.12/kbuild-add-dependency-from-vmlinux-to-sorttable.patch @@ -0,0 +1,39 @@ +From 5a4786cee719ed750b405dafd1bb6c335431e509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 21:30:14 +0800 +Subject: kbuild: add dependency from vmlinux to sorttable + +From: Xi Ruoyao + +[ Upstream commit 82c09de2d4c472ab1b973e6e033671020691e637 ] + +Without this dependency it's really puzzling when we bisect for a "bad" +commit in a series of sorttable change: when "git bisect" switches to +another commit, "make" just does nothing to vmlinux. + +Signed-off-by: Xi Ruoyao +Acked-by: Steven Rostedt (Google) +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/Makefile.vmlinux | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/scripts/Makefile.vmlinux b/scripts/Makefile.vmlinux +index 1284f05555b97..0c2494ffcaf87 100644 +--- a/scripts/Makefile.vmlinux ++++ b/scripts/Makefile.vmlinux +@@ -33,6 +33,10 @@ targets += vmlinux + vmlinux: scripts/link-vmlinux.sh vmlinux.o $(KBUILD_LDS) FORCE + +$(call if_changed_dep,link_vmlinux) + ++ifdef CONFIG_BUILDTIME_TABLE_SORT ++vmlinux: scripts/sorttable ++endif ++ + # module.builtin.ranges + # --------------------------------------------------------------------------- + ifdef CONFIG_BUILTIN_MODULE_RANGES +-- +2.39.5 + diff --git a/queue-6.12/ksmbd-fix-warning-do-not-call-blocking-ops-when-task.patch b/queue-6.12/ksmbd-fix-warning-do-not-call-blocking-ops-when-task.patch new file mode 100644 index 0000000000..5f1e2cff2d --- /dev/null +++ b/queue-6.12/ksmbd-fix-warning-do-not-call-blocking-ops-when-task.patch @@ -0,0 +1,59 @@ +From 2453cfe2952ddf4fd73dc3994414a9d1c75802c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 09:26:10 +0900 +Subject: ksmbd: fix WARNING "do not call blocking ops when !TASK_RUNNING" + +From: Namjae Jeon + +[ Upstream commit 1df0d4c616138784e033ad337961b6e1a6bcd999 ] + +wait_event_timeout() will set the state of the current +task to TASK_UNINTERRUPTIBLE, before doing the condition check. This +means that ksmbd_durable_scavenger_alive() will try to acquire the mutex +while already in a sleeping state. The scheduler warns us by giving +the following warning: + +do not call blocking ops when !TASK_RUNNING; state=2 set at + [<0000000061515a6f>] prepare_to_wait_event+0x9f/0x6c0 +WARNING: CPU: 2 PID: 4147 at kernel/sched/core.c:10099 __might_sleep+0x12f/0x160 + +mutex lock is not needed in ksmbd_durable_scavenger_alive(). + +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/vfs_cache.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c +index 8d1f30dcba7e8..1f8fa3468173a 100644 +--- a/fs/smb/server/vfs_cache.c ++++ b/fs/smb/server/vfs_cache.c +@@ -713,12 +713,8 @@ static bool tree_conn_fd_check(struct ksmbd_tree_connect *tcon, + + static bool ksmbd_durable_scavenger_alive(void) + { +- mutex_lock(&durable_scavenger_lock); +- if (!durable_scavenger_running) { +- mutex_unlock(&durable_scavenger_lock); ++ if (!durable_scavenger_running) + return false; +- } +- mutex_unlock(&durable_scavenger_lock); + + if (kthread_should_stop()) + return false; +@@ -799,9 +795,7 @@ static int ksmbd_durable_scavenger(void *dummy) + break; + } + +- mutex_lock(&durable_scavenger_lock); + durable_scavenger_running = false; +- mutex_unlock(&durable_scavenger_lock); + + module_put(THIS_MODULE); + +-- +2.39.5 + diff --git a/queue-6.12/kvm-s390-don-t-use-pk-through-debug-printing.patch b/queue-6.12/kvm-s390-don-t-use-pk-through-debug-printing.patch new file mode 100644 index 0000000000..d61138a302 --- /dev/null +++ b/queue-6.12/kvm-s390-don-t-use-pk-through-debug-printing.patch @@ -0,0 +1,138 @@ +From 9ba17884502331a34e59c77f4b5a11c8b917a171 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 14:13:57 +0100 +Subject: KVM: s390: Don't use %pK through debug printing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 0c7fbae5bc782429c97d68dc40fb126748d7e352 ] + +Restricted pointers ("%pK") are only meant to be used when directly +printing to a file from task context. +Otherwise it can unintentionally expose security sensitive, +raw pointer values. + +Use regular pointer formatting instead. + +Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/ +Signed-off-by: Thomas Weißschuh +Reviewed-by: Michael Mueller +Tested-by: Michael Mueller +Link: https://lore.kernel.org/r/20250217-restricted-pointers-s390-v1-2-0e4ace75d8aa@linutronix.de +Signed-off-by: Janosch Frank +Message-ID: <20250217-restricted-pointers-s390-v1-2-0e4ace75d8aa@linutronix.de> +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/intercept.c | 2 +- + arch/s390/kvm/interrupt.c | 8 ++++---- + arch/s390/kvm/kvm-s390.c | 10 +++++----- + 3 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c +index b16352083ff98..f0be263b334ce 100644 +--- a/arch/s390/kvm/intercept.c ++++ b/arch/s390/kvm/intercept.c +@@ -94,7 +94,7 @@ static int handle_validity(struct kvm_vcpu *vcpu) + + vcpu->stat.exit_validity++; + trace_kvm_s390_intercept_validity(vcpu, viwhy); +- KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%pK)", viwhy, ++ KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%p)", viwhy, + current->pid, vcpu->kvm); + + /* do not warn on invalid runtime instrumentation mode */ +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index 4f0e7f61edf78..bc65fa6dc1555 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -3161,7 +3161,7 @@ void kvm_s390_gisa_clear(struct kvm *kvm) + if (!gi->origin) + return; + gisa_clear_ipm(gi->origin); +- VM_EVENT(kvm, 3, "gisa 0x%pK cleared", gi->origin); ++ VM_EVENT(kvm, 3, "gisa 0x%p cleared", gi->origin); + } + + void kvm_s390_gisa_init(struct kvm *kvm) +@@ -3178,7 +3178,7 @@ void kvm_s390_gisa_init(struct kvm *kvm) + gi->timer.function = gisa_vcpu_kicker; + memset(gi->origin, 0, sizeof(struct kvm_s390_gisa)); + gi->origin->next_alert = (u32)virt_to_phys(gi->origin); +- VM_EVENT(kvm, 3, "gisa 0x%pK initialized", gi->origin); ++ VM_EVENT(kvm, 3, "gisa 0x%p initialized", gi->origin); + } + + void kvm_s390_gisa_enable(struct kvm *kvm) +@@ -3219,7 +3219,7 @@ void kvm_s390_gisa_destroy(struct kvm *kvm) + process_gib_alert_list(); + hrtimer_cancel(&gi->timer); + gi->origin = NULL; +- VM_EVENT(kvm, 3, "gisa 0x%pK destroyed", gisa); ++ VM_EVENT(kvm, 3, "gisa 0x%p destroyed", gisa); + } + + void kvm_s390_gisa_disable(struct kvm *kvm) +@@ -3468,7 +3468,7 @@ int __init kvm_s390_gib_init(u8 nisc) + } + } + +- KVM_EVENT(3, "gib 0x%pK (nisc=%d) initialized", gib, gib->nisc); ++ KVM_EVENT(3, "gib 0x%p (nisc=%d) initialized", gib, gib->nisc); + goto out; + + out_unreg_gal: +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index bb7134faaebff..286a224c81ee4 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -998,7 +998,7 @@ static int kvm_s390_set_mem_control(struct kvm *kvm, struct kvm_device_attr *att + } + mutex_unlock(&kvm->lock); + VM_EVENT(kvm, 3, "SET: max guest address: %lu", new_limit); +- VM_EVENT(kvm, 3, "New guest asce: 0x%pK", ++ VM_EVENT(kvm, 3, "New guest asce: 0x%p", + (void *) kvm->arch.gmap->asce); + break; + } +@@ -3421,7 +3421,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type) + kvm_s390_gisa_init(kvm); + INIT_LIST_HEAD(&kvm->arch.pv.need_cleanup); + kvm->arch.pv.set_aside = NULL; +- KVM_EVENT(3, "vm 0x%pK created by pid %u", kvm, current->pid); ++ KVM_EVENT(3, "vm 0x%p created by pid %u", kvm, current->pid); + + return 0; + out_err: +@@ -3484,7 +3484,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm) + kvm_s390_destroy_adapters(kvm); + kvm_s390_clear_float_irqs(kvm); + kvm_s390_vsie_destroy(kvm); +- KVM_EVENT(3, "vm 0x%pK destroyed", kvm); ++ KVM_EVENT(3, "vm 0x%p destroyed", kvm); + } + + /* Section: vcpu related */ +@@ -3605,7 +3605,7 @@ static int sca_switch_to_extended(struct kvm *kvm) + + free_page((unsigned long)old_sca); + +- VM_EVENT(kvm, 2, "Switched to ESCA (0x%pK -> 0x%pK)", ++ VM_EVENT(kvm, 2, "Switched to ESCA (0x%p -> 0x%p)", + old_sca, kvm->arch.sca); + return 0; + } +@@ -3978,7 +3978,7 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu) + goto out_free_sie_block; + } + +- VM_EVENT(vcpu->kvm, 3, "create cpu %d at 0x%pK, sie block at 0x%pK", ++ VM_EVENT(vcpu->kvm, 3, "create cpu %d at 0x%p, sie block at 0x%p", + vcpu->vcpu_id, vcpu, vcpu->arch.sie_block); + trace_kvm_s390_create_vcpu(vcpu->vcpu_id, vcpu, vcpu->arch.sie_block); + +-- +2.39.5 + diff --git a/queue-6.12/kvm-s390-don-t-use-pk-through-tracepoints.patch b/queue-6.12/kvm-s390-don-t-use-pk-through-tracepoints.patch new file mode 100644 index 0000000000..b59e64de05 --- /dev/null +++ b/queue-6.12/kvm-s390-don-t-use-pk-through-tracepoints.patch @@ -0,0 +1,53 @@ +From b3b48a84419efa81eb24ef77b4914a4f86eacf42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 14:13:56 +0100 +Subject: KVM: s390: Don't use %pK through tracepoints +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 6c9567e0850be2f0f94ab64fa6512413fd1a1eb1 ] + +Restricted pointers ("%pK") are not meant to be used through TP_format(). +It can unintentionally expose security sensitive, raw pointer values. + +Use regular pointer formatting instead. + +Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/ +Signed-off-by: Thomas Weißschuh +Reviewed-by: Michael Mueller +Link: https://lore.kernel.org/r/20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de +Signed-off-by: Janosch Frank +Message-ID: <20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de> +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/trace-s390.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kvm/trace-s390.h b/arch/s390/kvm/trace-s390.h +index 9ac92dbf680db..9e28f165c114c 100644 +--- a/arch/s390/kvm/trace-s390.h ++++ b/arch/s390/kvm/trace-s390.h +@@ -56,7 +56,7 @@ TRACE_EVENT(kvm_s390_create_vcpu, + __entry->sie_block = sie_block; + ), + +- TP_printk("create cpu %d at 0x%pK, sie block at 0x%pK", ++ TP_printk("create cpu %d at 0x%p, sie block at 0x%p", + __entry->id, __entry->vcpu, __entry->sie_block) + ); + +@@ -255,7 +255,7 @@ TRACE_EVENT(kvm_s390_enable_css, + __entry->kvm = kvm; + ), + +- TP_printk("enabling channel I/O support (kvm @ %pK)\n", ++ TP_printk("enabling channel I/O support (kvm @ %p)\n", + __entry->kvm) + ); + +-- +2.39.5 + diff --git a/queue-6.12/mailbox-pcc-always-clear-the-platform-ack-interrupt-.patch b/queue-6.12/mailbox-pcc-always-clear-the-platform-ack-interrupt-.patch new file mode 100644 index 0000000000..f0f66a3551 --- /dev/null +++ b/queue-6.12/mailbox-pcc-always-clear-the-platform-ack-interrupt-.patch @@ -0,0 +1,106 @@ +From 8fa53da8f86ba65ed9eac32773d0950899d88365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 15:28:48 +0000 +Subject: mailbox: pcc: Always clear the platform ack interrupt first + +From: Sudeep Holla + +[ Upstream commit cf1338c0e02880cd235a4590eeb15e2039c873bc ] + +The PCC mailbox interrupt handler (pcc_mbox_irq()) currently checks +for command completion flags and any error status before clearing the +interrupt. + +The below sequence highlights an issue in the handling of PCC mailbox +interrupts, specifically when dealing with doorbell notifications and +acknowledgment between the OSPM and the platform where type3 and type4 +channels are sharing the interrupt. + +------------------------------------------------------------------------- +| T | Platform Firmware | OSPM/Linux PCC driver | +|---|---------------------------------|---------------------------------| +| 1 | | Build message in shmem | +| 2 | | Ring Type3 chan doorbell | +| 3 | Receives the doorbell interrupt | | +| 4 | Process the message from OSPM | | +| 5 | Build response for the message | | +| 6 | Ring Platform ACK interrupt on | | +| | Type3 chan to OSPM | Received the interrupt | +| 7 | Build Notification in Type4 Chan| | +| 8 | | Start processing interrupt in | +| | | pcc_mbox_irq() handler | +| 9 | | Enter PCC handler for Type4 chan| +|10 | | Check command complete cleared | +|11 | | Read the notification | +|12 | | Clear Platform ACK interrupt | +| | No effect from the previous step yet as the Platform ACK | +| | interrupt has not yet been triggered for this channel | +|13 | Ring Platform ACK interrupt on | | +| | Type4 chan to OSPM | | +|14 | | Enter PCC handler for Type3 chan| +|15 | | Command complete is set. | +|16 | | Read the response. | +|17 | | Clear Platform ACK interrupt | +|18 | | Leave PCC handler for Type3 | +|19 | | Leave pcc_mbox_irq() handler | +|20 | | Re-enter pcc_mbox_irq() handler | +|21 | | Enter PCC handler for Type4 chan| +|22 | | Leave PCC handler for Type4 chan| +|23 | | Enter PCC handler for Type3 chan| +|24 | | Leave PCC handler for Type3 chan| +|25 | | Leave pcc_mbox_irq() handler | +------------------------------------------------------------------------- + +The key issue occurs when OSPM tries to acknowledge platform ack +interrupt for a notification which is ready to be read and processed +but the interrupt itself is not yet triggered by the platform. + +This ineffective acknowledgment leads to an issue later in time where +the interrupt remains pending as we exit the interrupt handler without +clearing the platform ack interrupt as there is no pending response or +notification. The interrupt acknowledgment order is incorrect. + +To resolve this issue, the platform acknowledgment interrupt should +always be cleared before processing the interrupt for any notifications +or response. + +Reported-by: Robbie King +Reviewed-by: Huisong Li +Tested-by: Huisong Li +Tested-by: Adam Young +Tested-by: Robbie King +Signed-off-by: Sudeep Holla +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/pcc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c +index 8fd4d0f79b090..f8215a8f656a4 100644 +--- a/drivers/mailbox/pcc.c ++++ b/drivers/mailbox/pcc.c +@@ -313,6 +313,10 @@ static irqreturn_t pcc_mbox_irq(int irq, void *p) + int ret; + + pchan = chan->con_priv; ++ ++ if (pcc_chan_reg_read_modify_write(&pchan->plat_irq_ack)) ++ return IRQ_NONE; ++ + if (pchan->type == ACPI_PCCT_TYPE_EXT_PCC_MASTER_SUBSPACE && + !pchan->chan_in_use) + return IRQ_NONE; +@@ -330,9 +334,6 @@ static irqreturn_t pcc_mbox_irq(int irq, void *p) + return IRQ_NONE; + } + +- if (pcc_chan_reg_read_modify_write(&pchan->plat_irq_ack)) +- return IRQ_NONE; +- + /* + * Clear this flag after updating interrupt ack register and just + * before mbox_chan_received_data() which might call pcc_send_data() +-- +2.39.5 + diff --git a/queue-6.12/mailbox-pcc-fix-the-possible-race-in-updation-of-cha.patch b/queue-6.12/mailbox-pcc-fix-the-possible-race-in-updation-of-cha.patch new file mode 100644 index 0000000000..07519b810d --- /dev/null +++ b/queue-6.12/mailbox-pcc-fix-the-possible-race-in-updation-of-cha.patch @@ -0,0 +1,97 @@ +From b81b34f7e47a1587d9ac6bfbe70c5c8b07259497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 15:28:47 +0000 +Subject: mailbox: pcc: Fix the possible race in updation of chan_in_use flag + +From: Huisong Li + +[ Upstream commit 9779d45c749340ab461d595c1a4a664cb28f3007 ] + +The function mbox_chan_received_data() calls the Rx callback of the +mailbox client driver. The callback might set chan_in_use flag from +pcc_send_data(). This flag's status determines whether the PCC channel +is in use. + +However, there is a potential race condition where chan_in_use is +updated incorrectly due to concurrency between the interrupt handler +(pcc_mbox_irq()) and the command sender(pcc_send_data()). + +The 'chan_in_use' flag of a channel is set to true after sending a +command. And the flag of the new command may be cleared erroneous by +the interrupt handler afer mbox_chan_received_data() returns, + +As a result, the interrupt being level triggered can't be cleared in +pcc_mbox_irq() and it will be disabled after the number of handled times +exceeds the specified value. The error log is as follows: + + | kunpeng_hccs HISI04B2:00: PCC command executed timeout! + | kunpeng_hccs HISI04B2:00: get port link status info failed, ret = -110 + | irq 13: nobody cared (try booting with the "irqpoll" option) + | Call trace: + | dump_backtrace+0x0/0x210 + | show_stack+0x1c/0x2c + | dump_stack+0xec/0x130 + | __report_bad_irq+0x50/0x190 + | note_interrupt+0x1e4/0x260 + | handle_irq_event+0x144/0x17c + | handle_fasteoi_irq+0xd0/0x240 + | __handle_domain_irq+0x80/0xf0 + | gic_handle_irq+0x74/0x2d0 + | el1_irq+0xbc/0x140 + | mnt_clone_write+0x0/0x70 + | file_update_time+0xcc/0x160 + | fault_dirty_shared_page+0xe8/0x150 + | do_shared_fault+0x80/0x1d0 + | do_fault+0x118/0x1a4 + | handle_pte_fault+0x154/0x230 + | __handle_mm_fault+0x1ac/0x390 + | handle_mm_fault+0xf0/0x250 + | do_page_fault+0x184/0x454 + | do_translation_fault+0xac/0xd4 + | do_mem_abort+0x44/0xb4 + | el0_da+0x40/0x74 + | el0_sync_handler+0x60/0xb4 + | el0_sync+0x168/0x180 + | handlers: + | pcc_mbox_irq + | Disabling IRQ #13 + +To solve this issue, pcc_mbox_irq() must clear 'chan_in_use' flag before +the call to mbox_chan_received_data(). + +Tested-by: Adam Young +Tested-by: Robbie King +Signed-off-by: Huisong Li +(sudeep.holla: Minor updates to the subject, commit message and comment) +Signed-off-by: Sudeep Holla +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/pcc.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c +index 82102a4c5d688..8fd4d0f79b090 100644 +--- a/drivers/mailbox/pcc.c ++++ b/drivers/mailbox/pcc.c +@@ -333,10 +333,16 @@ static irqreturn_t pcc_mbox_irq(int irq, void *p) + if (pcc_chan_reg_read_modify_write(&pchan->plat_irq_ack)) + return IRQ_NONE; + ++ /* ++ * Clear this flag after updating interrupt ack register and just ++ * before mbox_chan_received_data() which might call pcc_send_data() ++ * where the flag is set again to start new transfer. This is ++ * required to avoid any possible race in updatation of this flag. ++ */ ++ pchan->chan_in_use = false; + mbox_chan_received_data(chan, NULL); + + check_and_ack(pchan, chan); +- pchan->chan_in_use = false; + + return IRQ_HANDLED; + } +-- +2.39.5 + diff --git a/queue-6.12/md-raid1-add-check-for-missing-source-disk-in-proces.patch b/queue-6.12/md-raid1-add-check-for-missing-source-disk-in-proces.patch new file mode 100644 index 0000000000..a6088b8cd9 --- /dev/null +++ b/queue-6.12/md-raid1-add-check-for-missing-source-disk-in-proces.patch @@ -0,0 +1,77 @@ +From d9d8171b5dc96645fbe533ebdc838c0e11026d9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:38:08 +0300 +Subject: md/raid1: Add check for missing source disk in process_checks() + +From: Meir Elisha + +[ Upstream commit b7c178d9e57c8fd4238ff77263b877f6f16182ba ] + +During recovery/check operations, the process_checks function loops +through available disks to find a 'primary' source with successfully +read data. + +If no suitable source disk is found after checking all possibilities, +the 'primary' index will reach conf->raid_disks * 2. Add an explicit +check for this condition after the loop. If no source disk was found, +print an error message and return early to prevent further processing +without a valid primary source. + +Link: https://lore.kernel.org/linux-raid/20250408143808.1026534-1-meir.elisha@volumez.com +Signed-off-by: Meir Elisha +Suggested-and-reviewed-by: Yu Kuai +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 8a994a1975ca7..6b6cd753d61a9 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -2156,14 +2156,9 @@ static int fix_sync_read_error(struct r1bio *r1_bio) + if (!rdev_set_badblocks(rdev, sect, s, 0)) + abort = 1; + } +- if (abort) { +- conf->recovery_disabled = +- mddev->recovery_disabled; +- set_bit(MD_RECOVERY_INTR, &mddev->recovery); +- md_done_sync(mddev, r1_bio->sectors, 0); +- put_buf(r1_bio); ++ if (abort) + return 0; +- } ++ + /* Try next page */ + sectors -= s; + sect += s; +@@ -2302,10 +2297,21 @@ static void sync_request_write(struct mddev *mddev, struct r1bio *r1_bio) + int disks = conf->raid_disks * 2; + struct bio *wbio; + +- if (!test_bit(R1BIO_Uptodate, &r1_bio->state)) +- /* ouch - failed to read all of that. */ +- if (!fix_sync_read_error(r1_bio)) ++ if (!test_bit(R1BIO_Uptodate, &r1_bio->state)) { ++ /* ++ * ouch - failed to read all of that. ++ * No need to fix read error for check/repair ++ * because all member disks are read. ++ */ ++ if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery) || ++ !fix_sync_read_error(r1_bio)) { ++ conf->recovery_disabled = mddev->recovery_disabled; ++ set_bit(MD_RECOVERY_INTR, &mddev->recovery); ++ md_done_sync(mddev, r1_bio->sectors, 0); ++ put_buf(r1_bio); + return; ++ } ++ } + + if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery)) + process_checks(r1_bio); +-- +2.39.5 + diff --git a/queue-6.12/mips-cm-detect-cm-quirks-from-device-tree.patch b/queue-6.12/mips-cm-detect-cm-quirks-from-device-tree.patch new file mode 100644 index 0000000000..1d27ea99d2 --- /dev/null +++ b/queue-6.12/mips-cm-detect-cm-quirks-from-device-tree.patch @@ -0,0 +1,107 @@ +From f500a87b2b39db6fbe21313fc29982206247c934 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 12:01:56 +0100 +Subject: MIPS: cm: Detect CM quirks from device tree + +From: Gregory CLEMENT + +[ Upstream commit e27fbe16af5cfc40639de4ced67d1a866a1953e9 ] + +Some information that should be retrieved at runtime for the Coherence +Manager can be either absent or wrong. This patch allows checking if +some of this information is available from the device tree and updates +the internal variable accordingly. + +For now, only the compatible string associated with the broken HCI is +being retrieved. + +Signed-off-by: Gregory CLEMENT +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mips-cm.h | 22 ++++++++++++++++++++++ + arch/mips/kernel/mips-cm.c | 14 ++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h +index 1e782275850a3..6a1de2ebc7b80 100644 +--- a/arch/mips/include/asm/mips-cm.h ++++ b/arch/mips/include/asm/mips-cm.h +@@ -59,6 +59,16 @@ extern phys_addr_t mips_cm_l2sync_phys_base(void); + */ + extern int mips_cm_is64; + ++/* ++ * mips_cm_is_l2_hci_broken - determine if HCI is broken ++ * ++ * Some CM reports show that Hardware Cache Initialization is ++ * complete, but in reality it's not the case. They also incorrectly ++ * indicate that Hardware Cache Initialization is supported. This ++ * flags allows warning about this broken feature. ++ */ ++extern bool mips_cm_is_l2_hci_broken; ++ + /** + * mips_cm_error_report - Report CM cache errors + */ +@@ -97,6 +107,18 @@ static inline bool mips_cm_present(void) + #endif + } + ++/** ++ * mips_cm_update_property - update property from the device tree ++ * ++ * Retrieve the properties from the device tree if a CM node exist and ++ * update the internal variable based on this. ++ */ ++#ifdef CONFIG_MIPS_CM ++extern void mips_cm_update_property(void); ++#else ++static void mips_cm_update_property(void) {} ++#endif ++ + /** + * mips_cm_has_l2sync - determine whether an L2-only sync region is present + * +diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c +index 3eb2cfb893e19..9cfabaa94d010 100644 +--- a/arch/mips/kernel/mips-cm.c ++++ b/arch/mips/kernel/mips-cm.c +@@ -5,6 +5,7 @@ + */ + + #include ++#include + #include + #include + +@@ -14,6 +15,7 @@ + void __iomem *mips_gcr_base; + void __iomem *mips_cm_l2sync_base; + int mips_cm_is64; ++bool mips_cm_is_l2_hci_broken; + + static char *cm2_tr[8] = { + "mem", "gcr", "gic", "mmio", +@@ -237,6 +239,18 @@ static void mips_cm_probe_l2sync(void) + mips_cm_l2sync_base = ioremap(addr, MIPS_CM_L2SYNC_SIZE); + } + ++void mips_cm_update_property(void) ++{ ++ struct device_node *cm_node; ++ ++ cm_node = of_find_compatible_node(of_root, NULL, "mobileye,eyeq6-cm"); ++ if (!cm_node) ++ return; ++ pr_info("HCI (Hardware Cache Init for the L2 cache) in GCR_L2_RAM_CONFIG from the CM3 is broken"); ++ mips_cm_is_l2_hci_broken = true; ++ of_node_put(cm_node); ++} ++ + int mips_cm_probe(void) + { + phys_addr_t addr; +-- +2.39.5 + diff --git a/queue-6.12/netfs-only-create-proc-fs-netfs-with-config_proc_fs.patch b/queue-6.12/netfs-only-create-proc-fs-netfs-with-config_proc_fs.patch new file mode 100644 index 0000000000..91f5c8a8ff --- /dev/null +++ b/queue-6.12/netfs-only-create-proc-fs-netfs-with-config_proc_fs.patch @@ -0,0 +1,117 @@ +From 023e5681b591d1d7a2d5684f777d95974ad4a718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 10:00:15 -0700 +Subject: netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS + +From: Song Liu + +[ Upstream commit 40cb48eba3b4b79e110c1a35d33a48cac54507a2 ] + +When testing a special config: + +CONFIG_NETFS_SUPPORTS=y +CONFIG_PROC_FS=n + +The system crashes with something like: + +[ 3.766197] ------------[ cut here ]------------ +[ 3.766484] kernel BUG at mm/mempool.c:560! +[ 3.766789] Oops: invalid opcode: 0000 [#1] SMP NOPTI +[ 3.767123] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W +[ 3.767777] Tainted: [W]=WARN +[ 3.767968] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +[ 3.768523] RIP: 0010:mempool_alloc_slab.cold+0x17/0x19 +[ 3.768847] Code: 50 fe ff 58 5b 5d 41 5c 41 5d 41 5e 41 5f e9 93 95 13 00 +[ 3.769977] RSP: 0018:ffffc90000013998 EFLAGS: 00010286 +[ 3.770315] RAX: 000000000000002f RBX: ffff888100ba8640 RCX: 0000000000000000 +[ 3.770749] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 00000000ffffffff +[ 3.771217] RBP: 0000000000092880 R08: 0000000000000000 R09: ffffc90000013828 +[ 3.771664] R10: 0000000000000001 R11: 00000000ffffffea R12: 0000000000092cc0 +[ 3.772117] R13: 0000000000000400 R14: ffff8881004b1620 R15: ffffea0004ef7e40 +[ 3.772554] FS: 0000000000000000(0000) GS:ffff8881b5f3c000(0000) knlGS:0000000000000000 +[ 3.773061] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3.773443] CR2: ffffffff830901b4 CR3: 0000000004296001 CR4: 0000000000770ef0 +[ 3.773884] PKRU: 55555554 +[ 3.774058] Call Trace: +[ 3.774232] +[ 3.774371] mempool_alloc_noprof+0x6a/0x190 +[ 3.774649] ? _printk+0x57/0x80 +[ 3.774862] netfs_alloc_request+0x85/0x2ce +[ 3.775147] netfs_readahead+0x28/0x170 +[ 3.775395] read_pages+0x6c/0x350 +[ 3.775623] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 3.775928] page_cache_ra_unbounded+0x1bd/0x2a0 +[ 3.776247] filemap_get_pages+0x139/0x970 +[ 3.776510] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 3.776820] filemap_read+0xf9/0x580 +[ 3.777054] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 3.777368] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 3.777674] ? find_held_lock+0x32/0x90 +[ 3.777929] ? netfs_start_io_read+0x19/0x70 +[ 3.778221] ? netfs_start_io_read+0x19/0x70 +[ 3.778489] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 3.778800] ? lock_acquired+0x1e6/0x450 +[ 3.779054] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 3.779379] netfs_buffered_read_iter+0x57/0x80 +[ 3.779670] __kernel_read+0x158/0x2c0 +[ 3.779927] bprm_execve+0x300/0x7a0 +[ 3.780185] kernel_execve+0x10c/0x140 +[ 3.780423] ? __pfx_kernel_init+0x10/0x10 +[ 3.780690] kernel_init+0xd5/0x150 +[ 3.780910] ret_from_fork+0x2d/0x50 +[ 3.781156] ? __pfx_kernel_init+0x10/0x10 +[ 3.781414] ret_from_fork_asm+0x1a/0x30 +[ 3.781677] +[ 3.781823] Modules linked in: +[ 3.782065] ---[ end trace 0000000000000000 ]--- + +This is caused by the following error path in netfs_init(): + + if (!proc_mkdir("fs/netfs", NULL)) + goto error_proc; + +Fix this by adding ifdef in netfs_main(), so that /proc/fs/netfs is only +created with CONFIG_PROC_FS. + +Signed-off-by: Song Liu +Link: https://lore.kernel.org/20250409170015.2651829-1-song@kernel.org +Acked-by: David Howells +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/netfs/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/netfs/main.c b/fs/netfs/main.c +index 6c7be1377ee0e..3a8433e802cc2 100644 +--- a/fs/netfs/main.c ++++ b/fs/netfs/main.c +@@ -125,11 +125,13 @@ static int __init netfs_init(void) + if (mempool_init_slab_pool(&netfs_subrequest_pool, 100, netfs_subrequest_slab) < 0) + goto error_subreqpool; + ++#ifdef CONFIG_PROC_FS + if (!proc_mkdir("fs/netfs", NULL)) + goto error_proc; + if (!proc_create_seq("fs/netfs/requests", S_IFREG | 0444, NULL, + &netfs_requests_seq_ops)) + goto error_procfile; ++#endif + #ifdef CONFIG_FSCACHE_STATS + if (!proc_create_single("fs/netfs/stats", S_IFREG | 0444, NULL, + netfs_stats_show)) +@@ -142,9 +144,11 @@ static int __init netfs_init(void) + return 0; + + error_fscache: ++#ifdef CONFIG_PROC_FS + error_procfile: + remove_proc_subtree("fs/netfs", NULL); + error_proc: ++#endif + mempool_exit(&netfs_subrequest_pool); + error_subreqpool: + kmem_cache_destroy(netfs_subrequest_slab); +-- +2.39.5 + diff --git a/queue-6.12/ntb-reduce-stack-usage-in-idt_scan_mws.patch b/queue-6.12/ntb-reduce-stack-usage-in-idt_scan_mws.patch new file mode 100644 index 0000000000..206fc8acbe --- /dev/null +++ b/queue-6.12/ntb-reduce-stack-usage-in-idt_scan_mws.patch @@ -0,0 +1,77 @@ +From 28938611afd8aabc96883e5f44651a599600e06f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2025 09:57:25 +0100 +Subject: ntb: reduce stack usage in idt_scan_mws + +From: Arnd Bergmann + +[ Upstream commit aff12700b8dd7422bfe2277696e192af4df9de8f ] + +idt_scan_mws() puts a large fixed-size array on the stack and copies +it into a smaller dynamically allocated array at the end. On 32-bit +targets, the fixed size can easily exceed the warning limit for +possible stack overflow: + +drivers/ntb/hw/idt/ntb_hw_idt.c:1041:27: error: stack frame size (1032) exceeds limit (1024) in 'idt_scan_mws' [-Werror,-Wframe-larger-than] + +Change it to instead just always use dynamic allocation for the +array from the start. It's too big for the stack, but not actually +all that much for a permanent allocation. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/all/202205111109.PiKTruEj-lkp@intel.com/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Dave Jiang +Reviewed-by: Damien Le Moal +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c +index 6fc9dfe824747..419de7038570d 100644 +--- a/drivers/ntb/hw/idt/ntb_hw_idt.c ++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c +@@ -1041,7 +1041,7 @@ static inline char *idt_get_mw_name(enum idt_mw_type mw_type) + static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port, + unsigned char *mw_cnt) + { +- struct idt_mw_cfg mws[IDT_MAX_NR_MWS], *ret_mws; ++ struct idt_mw_cfg *mws; + const struct idt_ntb_bar *bars; + enum idt_mw_type mw_type; + unsigned char widx, bidx, en_cnt; +@@ -1049,6 +1049,11 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port, + int aprt_size; + u32 data; + ++ mws = devm_kcalloc(&ndev->ntb.pdev->dev, IDT_MAX_NR_MWS, ++ sizeof(*mws), GFP_KERNEL); ++ if (!mws) ++ return ERR_PTR(-ENOMEM); ++ + /* Retrieve the array of the BARs registers */ + bars = portdata_tbl[port].bars; + +@@ -1103,16 +1108,7 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port, + } + } + +- /* Allocate memory for memory window descriptors */ +- ret_mws = devm_kcalloc(&ndev->ntb.pdev->dev, *mw_cnt, sizeof(*ret_mws), +- GFP_KERNEL); +- if (!ret_mws) +- return ERR_PTR(-ENOMEM); +- +- /* Copy the info of detected memory windows */ +- memcpy(ret_mws, mws, (*mw_cnt)*sizeof(*ret_mws)); +- +- return ret_mws; ++ return mws; + } + + /* +-- +2.39.5 + diff --git a/queue-6.12/ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch b/queue-6.12/ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch new file mode 100644 index 0000000000..45a0f86c43 --- /dev/null +++ b/queue-6.12/ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch @@ -0,0 +1,33 @@ +From 6c6c5d4298076a5710814963db1772e2d62fddca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 20:02:16 +0530 +Subject: ntb_hw_amd: Add NTB PCI ID for new gen CPU + +From: Basavaraj Natikar + +[ Upstream commit bf8a7ce7e4c7267a6f5f2b2023cfc459b330b25e ] + +Add NTB support for new generation of processor. + +Signed-off-by: Basavaraj Natikar +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index d687e8c2cc78d..63ceed89b62ef 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1318,6 +1318,7 @@ static const struct pci_device_id amd_ntb_pci_tbl[] = { + { PCI_VDEVICE(AMD, 0x148b), (kernel_ulong_t)&dev_data[1] }, + { PCI_VDEVICE(AMD, 0x14c0), (kernel_ulong_t)&dev_data[1] }, + { PCI_VDEVICE(AMD, 0x14c3), (kernel_ulong_t)&dev_data[1] }, ++ { PCI_VDEVICE(AMD, 0x155a), (kernel_ulong_t)&dev_data[1] }, + { PCI_VDEVICE(HYGON, 0x145b), (kernel_ulong_t)&dev_data[0] }, + { 0, } + }; +-- +2.39.5 + diff --git a/queue-6.12/nvme-multipath-fix-return-value-of-nvme_available_pa.patch b/queue-6.12/nvme-multipath-fix-return-value-of-nvme_available_pa.patch new file mode 100644 index 0000000000..fe5b8347f9 --- /dev/null +++ b/queue-6.12/nvme-multipath-fix-return-value-of-nvme_available_pa.patch @@ -0,0 +1,35 @@ +From 0cdce855260966c057ab40151d8041f94ca7062a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 14:06:43 -0600 +Subject: nvme: multipath: fix return value of nvme_available_path + +From: Uday Shankar + +[ Upstream commit e3105f54a51554fb1bbf19dcaf93c4411d2d6c8a ] + +The function returns bool so we should return false, not NULL. No +functional changes are expected. + +Signed-off-by: Uday Shankar +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index f25582e4d88bb..561dd08022c06 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -427,7 +427,7 @@ static bool nvme_available_path(struct nvme_ns_head *head) + struct nvme_ns *ns; + + if (!test_bit(NVME_NSHEAD_DISK_LIVE, &head->flags)) +- return NULL; ++ return false; + + list_for_each_entry_srcu(ns, &head->list, siblings, + srcu_read_lock_held(&head->srcu)) { +-- +2.39.5 + diff --git a/queue-6.12/nvme-re-read-ana-log-page-after-ns-scan-completes.patch b/queue-6.12/nvme-re-read-ana-log-page-after-ns-scan-completes.patch new file mode 100644 index 0000000000..94eb95d625 --- /dev/null +++ b/queue-6.12/nvme-re-read-ana-log-page-after-ns-scan-completes.patch @@ -0,0 +1,47 @@ +From eb3060781fab1cd5ec353e48af8f6be7fa581950 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 09:19:30 +0200 +Subject: nvme: re-read ANA log page after ns scan completes + +From: Hannes Reinecke + +[ Upstream commit 62baf70c327444338c34703c71aa8cc8e4189bd6 ] + +When scanning for new namespaces we might have missed an ANA AEN. + +The NVMe base spec (NVMe Base Specification v2.1, Figure 151 'Asynchonous +Event Information - Notice': Asymmetric Namespace Access Change) states: + + A controller shall not send this even if an Attached Namespace + Attribute Changed asynchronous event [...] is sent for the same event. + +so we need to re-read the ANA log page after we rescanned the namespace +list to update the ANA states of the new namespaces. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 587385b59b865..f7519c07ed3c4 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4277,6 +4277,11 @@ static void nvme_scan_work(struct work_struct *work) + /* Requeue if we have missed AENs */ + if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events)) + nvme_queue_scan(ctrl); ++#ifdef CONFIG_NVME_MULTIPATH ++ else ++ /* Re-read the ANA log page to not miss updates */ ++ queue_work(nvme_wq, &ctrl->ana_work); ++#endif + } + + /* +-- +2.39.5 + diff --git a/queue-6.12/nvme-requeue-namespace-scan-on-missed-aens.patch b/queue-6.12/nvme-requeue-namespace-scan-on-missed-aens.patch new file mode 100644 index 0000000000..850365a954 --- /dev/null +++ b/queue-6.12/nvme-requeue-namespace-scan-on-missed-aens.patch @@ -0,0 +1,42 @@ +From 1c023423c28a8f145c976474bec69d1df6bcabd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 09:19:29 +0200 +Subject: nvme: requeue namespace scan on missed AENs + +From: Hannes Reinecke + +[ Upstream commit 9546ad1a9bda7362492114f5866b95b0ac4a100e ] + +Scanning for namespaces can take some time, so if the target is +reconfigured while the scan is running we may miss a Attached Namespace +Attribute Changed AEN. + +Check if the NVME_AER_NOTICE_NS_CHANGED bit is set once the scan has +finished, and requeue scanning to pick up any missed change. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 9bdf6fc53697c..587385b59b865 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4273,6 +4273,10 @@ static void nvme_scan_work(struct work_struct *work) + nvme_scan_ns_sequential(ctrl); + } + mutex_unlock(&ctrl->scan_lock); ++ ++ /* Requeue if we have missed AENs */ ++ if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events)) ++ nvme_queue_scan(ctrl); + } + + /* +-- +2.39.5 + diff --git a/queue-6.12/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch b/queue-6.12/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch new file mode 100644 index 0000000000..81de4b841e --- /dev/null +++ b/queue-6.12/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch @@ -0,0 +1,36 @@ +From b8d9de16a36e38a25ad1cda9db2993a5b7854f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:29:10 +0200 +Subject: nvmet-fc: put ref when assoc->del_work is already scheduled + +From: Daniel Wagner + +[ Upstream commit 70289ae5cac4d3a39575405aaf63330486cea030 ] + +Do not leak the tgtport reference when the work is already scheduled. + +Signed-off-by: Daniel Wagner +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/fc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c +index 78c4a417f477e..ef8c5961e10c8 100644 +--- a/drivers/nvme/target/fc.c ++++ b/drivers/nvme/target/fc.c +@@ -1089,7 +1089,8 @@ static void + nvmet_fc_schedule_delete_assoc(struct nvmet_fc_tgt_assoc *assoc) + { + nvmet_fc_tgtport_get(assoc->tgtport); +- queue_work(nvmet_wq, &assoc->del_work); ++ if (!queue_work(nvmet_wq, &assoc->del_work)) ++ nvmet_fc_tgtport_put(assoc->tgtport); + } + + static bool +-- +2.39.5 + diff --git a/queue-6.12/nvmet-fc-take-tgtport-reference-only-once.patch b/queue-6.12/nvmet-fc-take-tgtport-reference-only-once.patch new file mode 100644 index 0000000000..55d3c61ac2 --- /dev/null +++ b/queue-6.12/nvmet-fc-take-tgtport-reference-only-once.patch @@ -0,0 +1,77 @@ +From 63b20cb60469008d83f3d6d9e3ab976d843ba9ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:29:09 +0200 +Subject: nvmet-fc: take tgtport reference only once + +From: Daniel Wagner + +[ Upstream commit b0b26ad0e1943de25ce82a7e5af3574f31b1cf99 ] + +The reference counting code can be simplified. Instead taking a tgtport +refrerence at the beginning of nvmet_fc_alloc_hostport and put it back +if not a new hostport object is allocated, only take it when a new +hostport object is allocated. + +Signed-off-by: Daniel Wagner +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/fc.c | 22 +++++++--------------- + 1 file changed, 7 insertions(+), 15 deletions(-) + +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c +index 7318b736d4141..78c4a417f477e 100644 +--- a/drivers/nvme/target/fc.c ++++ b/drivers/nvme/target/fc.c +@@ -1028,33 +1028,24 @@ nvmet_fc_alloc_hostport(struct nvmet_fc_tgtport *tgtport, void *hosthandle) + struct nvmet_fc_hostport *newhost, *match = NULL; + unsigned long flags; + ++ /* ++ * Caller holds a reference on tgtport. ++ */ ++ + /* if LLDD not implemented, leave as NULL */ + if (!hosthandle) + return NULL; + +- /* +- * take reference for what will be the newly allocated hostport if +- * we end up using a new allocation +- */ +- if (!nvmet_fc_tgtport_get(tgtport)) +- return ERR_PTR(-EINVAL); +- + spin_lock_irqsave(&tgtport->lock, flags); + match = nvmet_fc_match_hostport(tgtport, hosthandle); + spin_unlock_irqrestore(&tgtport->lock, flags); + +- if (match) { +- /* no new allocation - release reference */ +- nvmet_fc_tgtport_put(tgtport); ++ if (match) + return match; +- } + + newhost = kzalloc(sizeof(*newhost), GFP_KERNEL); +- if (!newhost) { +- /* no new allocation - release reference */ +- nvmet_fc_tgtport_put(tgtport); ++ if (!newhost) + return ERR_PTR(-ENOMEM); +- } + + spin_lock_irqsave(&tgtport->lock, flags); + match = nvmet_fc_match_hostport(tgtport, hosthandle); +@@ -1063,6 +1054,7 @@ nvmet_fc_alloc_hostport(struct nvmet_fc_tgtport *tgtport, void *hosthandle) + kfree(newhost); + newhost = match; + } else { ++ nvmet_fc_tgtport_get(tgtport); + newhost->tgtport = tgtport; + newhost->hosthandle = hosthandle; + INIT_LIST_HEAD(&newhost->host_list); +-- +2.39.5 + diff --git a/queue-6.12/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch b/queue-6.12/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch new file mode 100644 index 0000000000..696fae81d0 --- /dev/null +++ b/queue-6.12/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch @@ -0,0 +1,58 @@ +From d70c7ee26e0bbd47dcafdf77cf9c08d0bca78ce9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:09 -0700 +Subject: objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior + in wcd934x_slim_irq_handler() + +From: Josh Poimboeuf + +[ Upstream commit 060aed9c0093b341480770457093449771cf1496 ] + +If 'port_id' is negative, the shift counts in wcd934x_slim_irq_handler() +also become negative, resulting in undefined behavior due to shift out +of bounds. + +If I'm reading the code correctly, that appears to be not possible, but +with KCOV enabled, Clang's range analysis isn't always able to determine +that and generates undefined behavior. + +As a result the code generation isn't optimal, and undefined behavior +should be avoided regardless. Improve code generation and remove the +undefined behavior by converting the signed variables to unsigned. + +Fixes the following warning with UBSAN: + + sound/soc/codecs/snd-soc-wcd934x.o: warning: objtool: .text.wcd934x_slim_irq_handler: unexpected end of section + +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Acked-by: Mark Brown +Cc: Srinivas Kandagatla +Cc: Liam Girdwood +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/7e863839ec7301bf9c0f429a03873d44e484c31c.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/oe-kbuild-all/202503180044.oH9gyPeg-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd934x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c +index 910852eb9698c..c7f1b28f3b230 100644 +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -2273,7 +2273,7 @@ static irqreturn_t wcd934x_slim_irq_handler(int irq, void *data) + { + struct wcd934x_codec *wcd = data; + unsigned long status = 0; +- int i, j, port_id; ++ unsigned int i, j, port_id; + unsigned int val, int_val = 0; + irqreturn_t ret = IRQ_NONE; + bool tx; +-- +2.39.5 + diff --git a/queue-6.12/objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch b/queue-6.12/objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch new file mode 100644 index 0000000000..b16bd35491 --- /dev/null +++ b/queue-6.12/objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch @@ -0,0 +1,86 @@ +From 3e38450d797189dcee158129fcdb27127c09b8f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:12 -0700 +Subject: objtool, lkdtm: Obfuscate the do_nothing() pointer + +From: Josh Poimboeuf + +[ Upstream commit 05026ea01e95ffdeb0e5ac8fb7fb1b551e3a8726 ] + +If execute_location()'s memcpy of do_nothing() gets inlined and unrolled +by the compiler, it copies one word at a time: + + mov 0x0(%rip),%rax R_X86_64_PC32 .text+0x1374 + mov %rax,0x38(%rbx) + mov 0x0(%rip),%rax R_X86_64_PC32 .text+0x136c + mov %rax,0x30(%rbx) + ... + +Those .text references point to the middle of the function, causing +objtool to complain about their lack of ENDBR. + +Prevent that by resolving the function pointer at runtime rather than +build time. This fixes the following warning: + + drivers/misc/lkdtm/lkdtm.o: warning: objtool: execute_location+0x23: relocation to !ENDBR: .text+0x1378 + +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Reviewed-by: Kees Cook +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/30b9abffbddeb43c4f6320b1270fa9b4d74c54ed.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/oe-kbuild-all/202503191453.uFfxQy5R-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + drivers/misc/lkdtm/perms.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c +index 5b861dbff27e9..6c24426104ba6 100644 +--- a/drivers/misc/lkdtm/perms.c ++++ b/drivers/misc/lkdtm/perms.c +@@ -28,6 +28,13 @@ static const unsigned long rodata = 0xAA55AA55; + /* This is marked __ro_after_init, so it should ultimately be .rodata. */ + static unsigned long ro_after_init __ro_after_init = 0x55AA5500; + ++/* ++ * This is a pointer to do_nothing() which is initialized at runtime rather ++ * than build time to avoid objtool IBT validation warnings caused by an ++ * inlined unrolled memcpy() in execute_location(). ++ */ ++static void __ro_after_init *do_nothing_ptr; ++ + /* + * This just returns to the caller. It is designed to be copied into + * non-executable memory regions. +@@ -65,13 +72,12 @@ static noinline __nocfi void execute_location(void *dst, bool write) + { + void (*func)(void); + func_desc_t fdesc; +- void *do_nothing_text = dereference_function_descriptor(do_nothing); + +- pr_info("attempting ok execution at %px\n", do_nothing_text); ++ pr_info("attempting ok execution at %px\n", do_nothing_ptr); + do_nothing(); + + if (write == CODE_WRITE) { +- memcpy(dst, do_nothing_text, EXEC_SIZE); ++ memcpy(dst, do_nothing_ptr, EXEC_SIZE); + flush_icache_range((unsigned long)dst, + (unsigned long)dst + EXEC_SIZE); + } +@@ -267,6 +273,8 @@ static void lkdtm_ACCESS_NULL(void) + + void __init lkdtm_perms_init(void) + { ++ do_nothing_ptr = dereference_function_descriptor(do_nothing); ++ + /* Make sure we can write to __ro_after_init values during __init */ + ro_after_init |= 0xAA; + } +-- +2.39.5 + diff --git a/queue-6.12/objtool-panic-disable-smap-in-__stack_chk_fail.patch b/queue-6.12/objtool-panic-disable-smap-in-__stack_chk_fail.patch new file mode 100644 index 0000000000..3404683da5 --- /dev/null +++ b/queue-6.12/objtool-panic-disable-smap-in-__stack_chk_fail.patch @@ -0,0 +1,72 @@ +From 344477c56e6b3458de563ad71e5ebd64f6128b4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:07 -0700 +Subject: objtool, panic: Disable SMAP in __stack_chk_fail() + +From: Josh Poimboeuf + +[ Upstream commit 72c774aa9d1e16bfd247096935e7dae194d84929 ] + +__stack_chk_fail() can be called from uaccess-enabled code. Make sure +uaccess gets disabled before calling panic(). + +Fixes the following warning: + + kernel/trace/trace_branch.o: error: objtool: ftrace_likely_update+0x1ea: call to __stack_chk_fail() with UACCESS enabled + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Kees Cook +Cc: Andrew Morton +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/a3e97e0119e1b04c725a8aa05f7bc83d98e657eb.1742852847.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + kernel/panic.c | 6 ++++++ + tools/objtool/check.c | 5 ++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/kernel/panic.c b/kernel/panic.c +index fbc59b3b64d0b..ddad0578355bb 100644 +--- a/kernel/panic.c ++++ b/kernel/panic.c +@@ -832,9 +832,15 @@ device_initcall(register_warn_debugfs); + */ + __visible noinstr void __stack_chk_fail(void) + { ++ unsigned long flags; ++ + instrumentation_begin(); ++ flags = user_access_save(); ++ + panic("stack-protector: Kernel stack is corrupted in: %pB", + __builtin_return_address(0)); ++ ++ user_access_restore(flags); + instrumentation_end(); + } + EXPORT_SYMBOL(__stack_chk_fail); +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index ff7e0622e9112..bab1f22fd50a1 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -1243,12 +1243,15 @@ static const char *uaccess_safe_builtin[] = { + "__ubsan_handle_load_invalid_value", + /* STACKLEAK */ + "stackleak_track_stack", ++ /* TRACE_BRANCH_PROFILING */ ++ "ftrace_likely_update", ++ /* STACKPROTECTOR */ ++ "__stack_chk_fail", + /* misc */ + "csum_partial_copy_generic", + "copy_mc_fragile", + "copy_mc_fragile_handle_tail", + "copy_mc_enhanced_fast_string", +- "ftrace_likely_update", /* CONFIG_TRACE_BRANCH_PROFILING */ + "rep_stos_alternative", + "rep_movs_alternative", + "__copy_user_nocache", +-- +2.39.5 + diff --git a/queue-6.12/objtool-regulator-rk808-remove-potential-undefined-b.patch b/queue-6.12/objtool-regulator-rk808-remove-potential-undefined-b.patch new file mode 100644 index 0000000000..dea1d195d0 --- /dev/null +++ b/queue-6.12/objtool-regulator-rk808-remove-potential-undefined-b.patch @@ -0,0 +1,56 @@ +From 5eeb8f96ccc49c436139e3b1a8b5da64d889db31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:10 -0700 +Subject: objtool, regulator: rk808: Remove potential undefined behavior in + rk806_set_mode_dcdc() + +From: Josh Poimboeuf + +[ Upstream commit 29c578c848402a34e8c8e115bf66cb6008b77062 ] + +If 'ctr_bit' is negative, the shift counts become negative, causing a +shift of bounds and undefined behavior. + +Presumably that's not possible in normal operation, but the code +generation isn't optimal. And undefined behavior should be avoided +regardless. + +Improve code generation and remove the undefined behavior by converting +the signed variables to unsigned. + +Fixes the following warning with an UBSAN kernel: + + vmlinux.o: warning: objtool: rk806_set_mode_dcdc() falls through to next function rk806_get_mode_dcdc() + vmlinux.o: warning: objtool: .text.rk806_set_mode_dcdc: unexpected end of section + +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Acked-by: Mark Brown +Cc: Liam Girdwood +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/2023abcddf3f524ba478d64339996f25dc4097d2.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/oe-kbuild-all/202503182350.52KeHGD4-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + drivers/regulator/rk808-regulator.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/regulator/rk808-regulator.c b/drivers/regulator/rk808-regulator.c +index 37476d2558fda..72df554b6375b 100644 +--- a/drivers/regulator/rk808-regulator.c ++++ b/drivers/regulator/rk808-regulator.c +@@ -270,8 +270,8 @@ static const unsigned int rk817_buck1_4_ramp_table[] = { + + static int rk806_set_mode_dcdc(struct regulator_dev *rdev, unsigned int mode) + { +- int rid = rdev_get_id(rdev); +- int ctr_bit, reg; ++ unsigned int rid = rdev_get_id(rdev); ++ unsigned int ctr_bit, reg; + + reg = RK806_POWER_FPWM_EN0 + rid / 8; + ctr_bit = rid % 8; +-- +2.39.5 + diff --git a/queue-6.12/objtool-silence-more-kcov-warnings.patch b/queue-6.12/objtool-silence-more-kcov-warnings.patch new file mode 100644 index 0000000000..327fd3e391 --- /dev/null +++ b/queue-6.12/objtool-silence-more-kcov-warnings.patch @@ -0,0 +1,67 @@ +From 2fa311881d5da77a8444bbea6fa3d27601d87fcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:55:57 -0700 +Subject: objtool: Silence more KCOV warnings + +From: Josh Poimboeuf + +[ Upstream commit 6b023c7842048c4bbeede802f3cf36b96c7a8b25 ] + +In the past there were issues with KCOV triggering unreachable +instruction warnings, which is why unreachable warnings are now disabled +with CONFIG_KCOV. + +Now some new KCOV warnings are showing up with GCC 14: + + vmlinux.o: warning: objtool: cpuset_write_resmask() falls through to next function cpuset_update_active_cpus.cold() + drivers/usb/core/driver.o: error: objtool: usb_deregister() falls through to next function usb_match_device() + sound/soc/codecs/snd-soc-wcd934x.o: warning: objtool: .text.wcd934x_slim_irq_handler: unexpected end of section + +All are caused by GCC KCOV not finishing an optimization, leaving behind +a never-taken conditional branch to a basic block which falls through to +the next function (or end of section). + +At a high level this is similar to the unreachable warnings mentioned +above, in that KCOV isn't fully removing dead code. Treat it the same +way by adding these to the list of warnings to ignore with CONFIG_KCOV. + +Reported-by: Ingo Molnar +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/66a61a0b65d74e072d3dc02384e395edb2adc3c5.1742852846.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/Z9iTsI09AEBlxlHC@gmail.com +Closes: https://lore.kernel.org/oe-kbuild-all/202503180044.oH9gyPeg-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index ce3ea0c2de042..ff7e0622e9112 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -3634,6 +3634,9 @@ static int validate_branch(struct objtool_file *file, struct symbol *func, + !strncmp(func->name, "__pfx_", 6)) + return 0; + ++ if (file->ignore_unreachables) ++ return 0; ++ + WARN("%s() falls through to next function %s()", + func->name, insn_func(insn)->name); + return 1; +@@ -3853,6 +3856,9 @@ static int validate_branch(struct objtool_file *file, struct symbol *func, + if (!next_insn) { + if (state.cfi.cfa.base == CFI_UNDEFINED) + return 0; ++ if (file->ignore_unreachables) ++ return 0; ++ + WARN("%s: unexpected end of section", sec->name); + return 1; + } +-- +2.39.5 + diff --git a/queue-6.12/objtool-stop-unret-validation-on-ud2.patch b/queue-6.12/objtool-stop-unret-validation-on-ud2.patch new file mode 100644 index 0000000000..24467239fd --- /dev/null +++ b/queue-6.12/objtool-stop-unret-validation-on-ud2.patch @@ -0,0 +1,38 @@ +From 8cb00d19414271bcb7beb2269e9021115d51822b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 00:02:15 -0700 +Subject: objtool: Stop UNRET validation on UD2 + +From: Josh Poimboeuf + +[ Upstream commit 9f9cc012c2cbac4833746a0182e06a8eec940d19 ] + +In preparation for simplifying INSN_SYSCALL, make validate_unret() +terminate control flow on UD2 just like validate_branch() already does. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/ce841269e7e28c8b7f32064464a9821034d724ff.1744095216.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index bab1f22fd50a1..9e6a934329dc8 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -4014,6 +4014,9 @@ static int validate_unret(struct objtool_file *file, struct instruction *insn) + break; + } + ++ if (insn->dead_end) ++ return 0; ++ + if (!next) { + WARN_INSN(insn, "teh end!"); + return -1; +-- +2.39.5 + diff --git a/queue-6.12/parisc-pdt-fix-missing-prototype-warning.patch b/queue-6.12/parisc-pdt-fix-missing-prototype-warning.patch new file mode 100644 index 0000000000..9d5beb1567 --- /dev/null +++ b/queue-6.12/parisc-pdt-fix-missing-prototype-warning.patch @@ -0,0 +1,51 @@ +From e41afad279a67014989c74f73f762e7a1b51dbf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Feb 2025 01:43:04 +0800 +Subject: parisc: PDT: Fix missing prototype warning + +From: Yu-Chun Lin + +[ Upstream commit b899981750dcb958ceffa4462d903963ee494aa2 ] + +As reported by the kernel test robot, the following error occurs: + +arch/parisc/kernel/pdt.c:65:6: warning: no previous prototype for 'arch_report_meminfo' [-Wmissing-prototypes] + 65 | void arch_report_meminfo(struct seq_file *m) + | ^~~~~~~~~~~~~~~~~~~ + +arch_report_meminfo() is declared in include/linux/proc_fs.h and only +defined when CONFIG_PROC_FS is enabled. Wrap its definition in #ifdef +CONFIG_PROC_FS to fix the -Wmissing-prototypes warning. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202502082315.IPaHaTyM-lkp@intel.com/ +Signed-off-by: Yu-Chun Lin +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/pdt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/parisc/kernel/pdt.c b/arch/parisc/kernel/pdt.c +index 0f9b3b5914cf6..b70b67adb855f 100644 +--- a/arch/parisc/kernel/pdt.c ++++ b/arch/parisc/kernel/pdt.c +@@ -63,6 +63,7 @@ static unsigned long pdt_entry[MAX_PDT_ENTRIES] __page_aligned_bss; + #define PDT_ADDR_PERM_ERR (pdt_type != PDT_PDC ? 2UL : 0UL) + #define PDT_ADDR_SINGLE_ERR 1UL + ++#ifdef CONFIG_PROC_FS + /* report PDT entries via /proc/meminfo */ + void arch_report_meminfo(struct seq_file *m) + { +@@ -74,6 +75,7 @@ void arch_report_meminfo(struct seq_file *m) + seq_printf(m, "PDT_cur_entries: %7lu\n", + pdt_status.pdt_entries); + } ++#endif + + static int get_info_pat_new(void) + { +-- +2.39.5 + diff --git a/queue-6.12/perf-core-fix-warn_on-ctx-in-__free_event-for-partia.patch b/queue-6.12/perf-core-fix-warn_on-ctx-in-__free_event-for-partia.patch new file mode 100644 index 0000000000..210b6b81b6 --- /dev/null +++ b/queue-6.12/perf-core-fix-warn_on-ctx-in-__free_event-for-partia.patch @@ -0,0 +1,90 @@ +From 0a96cb2e8816bce566988aac1b9f445c3b806a6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Apr 2025 16:30:36 -0400 +Subject: perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init + +From: Gabriel Shahrouzi + +[ Upstream commit 0ba3a4ab76fd3367b9cb680cad70182c896c795c ] + +Move the get_ctx(child_ctx) call and the child_event->ctx assignment to +occur immediately after the child event is allocated. Ensure that +child_event->ctx is non-NULL before any subsequent error path within +inherit_event calls free_event(), satisfying the assumptions of the +cleanup code. + +Details: + +There's no clear Fixes tag, because this bug is a side-effect of +multiple interacting commits over time (up to 15 years old), not +a single regression. + +The code initially incremented refcount then assigned context +immediately after the child_event was created. Later, an early +validity check for child_event was added before the +refcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was +added, assuming event->ctx is valid if the pmu_ctx is valid. +The problem is that the WARN_ON_ONCE() could trigger after the initial +check passed but before child_event->ctx was assigned, violating its +precondition. The solution is to assign child_event->ctx right after +its initial validation. This ensures the context exists for any +subsequent checks or cleanup routines, resolving the WARN_ON_ONCE(). + +To resolve it, defer the refcount update and child_event->ctx assignment +directly after child_event->pmu_ctx is set but before checking if the +parent event is orphaned. The cleanup routine depends on +event->pmu_ctx being non-NULL before it verifies event->ctx is +non-NULL. This also maintains the author's original intent of passing +in child_ctx to find_get_pmu_context before its refcount/assignment. + +[ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ] + +Reported-by: syzbot+ff3aa851d46ab82953a3@syzkaller.appspotmail.com +Signed-off-by: Gabriel Shahrouzi +Signed-off-by: Ingo Molnar +Cc: Peter Zijlstra +Cc: Ravi Bangoria +Cc: Kan Liang +Cc: Oleg Nesterov +Cc: Alexander Shishkin +Link: https://lore.kernel.org/r/20250405203036.582721-1-gshahrouzi@gmail.com +Closes: https://syzkaller.appspot.com/bug?extid=ff3aa851d46ab82953a3 +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 97af53c43608e..edafe9fc4bdd0 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -13661,6 +13661,9 @@ inherit_event(struct perf_event *parent_event, + if (IS_ERR(child_event)) + return child_event; + ++ get_ctx(child_ctx); ++ child_event->ctx = child_ctx; ++ + pmu_ctx = find_get_pmu_context(child_event->pmu, child_ctx, child_event); + if (IS_ERR(pmu_ctx)) { + free_event(child_event); +@@ -13683,8 +13686,6 @@ inherit_event(struct perf_event *parent_event, + return NULL; + } + +- get_ctx(child_ctx); +- + /* + * Make the child state follow the state of the parent event, + * not its attr.disabled bit. We hold the parent's mutex, +@@ -13705,7 +13706,6 @@ inherit_event(struct perf_event *parent_event, + local64_set(&hwc->period_left, sample_period); + } + +- child_event->ctx = child_ctx; + child_event->overflow_handler = parent_event->overflow_handler; + child_event->overflow_handler_context + = parent_event->overflow_handler_context; +-- +2.39.5 + diff --git a/queue-6.12/phy-rockchip-usbdp-avoid-call-hpd_event_trigger-in-d.patch b/queue-6.12/phy-rockchip-usbdp-avoid-call-hpd_event_trigger-in-d.patch new file mode 100644 index 0000000000..e95a463c9d --- /dev/null +++ b/queue-6.12/phy-rockchip-usbdp-avoid-call-hpd_event_trigger-in-d.patch @@ -0,0 +1,38 @@ +From 13591b8cb1640637de4989240a1549b374e66dde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Mar 2025 19:52:25 +0800 +Subject: phy: rockchip: usbdp: Avoid call hpd_event_trigger in dp_phy_init + +From: Andy Yan + +[ Upstream commit 28dc672a1a877c77b000c896abd8f15afcdc1b0c ] + +Function rk_udphy_dp_hpd_event_trigger will set vogrf let it +trigger HPD interrupt to DP by Type-C. This configuration is only +required when the DP work in Alternate Mode, and called by +typec_mux_set. In standard DP mode, such settings will prevent +the DP from receiving HPD interrupts. + +Signed-off-by: Andy Yan +Link: https://lore.kernel.org/r/20250302115257.188774-1-andyshrk@163.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-usbdp.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-usbdp.c b/drivers/phy/rockchip/phy-rockchip-usbdp.c +index 2c51e5c62d3eb..f5c6d264d89ed 100644 +--- a/drivers/phy/rockchip/phy-rockchip-usbdp.c ++++ b/drivers/phy/rockchip/phy-rockchip-usbdp.c +@@ -1045,7 +1045,6 @@ static int rk_udphy_dp_phy_init(struct phy *phy) + mutex_lock(&udphy->mutex); + + udphy->dp_in_use = true; +- rk_udphy_dp_hpd_event_trigger(udphy, udphy->dp_sink_hpd_cfg); + + mutex_unlock(&udphy->mutex); + +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-mcp23s08-get-rid-of-spurious-level-interrupt.patch b/queue-6.12/pinctrl-mcp23s08-get-rid-of-spurious-level-interrupt.patch new file mode 100644 index 0000000000..b3baf8623e --- /dev/null +++ b/queue-6.12/pinctrl-mcp23s08-get-rid-of-spurious-level-interrupt.patch @@ -0,0 +1,88 @@ +From 8d169b8de6a0cafaf8221f2770fa05c1a3d692f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2025 15:05:04 +0300 +Subject: pinctrl: mcp23s08: Get rid of spurious level interrupts + +From: Dmitry Mastykin + +[ Upstream commit 7b0671b97f0872d6950ccc925e210cb3f67721bf ] + +irq_mask()/irq_unmask() are not called for nested interrupts. So level +interrupts are never masked, chip's interrupt output is not cleared on +INTCAP or GPIO read, the irq handler is uselessly called again. Nested +irq handler is not called again, because interrupt reason is cleared by +its first call. +/proc/interrupts shows that number of chip's irqs is greater than +number of nested irqs. + +This patch adds masking and unmasking level interrupts inside irq handler. + +Signed-off-by: Dmitry Mastykin +Link: https://lore.kernel.org/20250122120504.1279790-1-mastichi@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c +index f384c72d95545..70d7485ada364 100644 +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -382,6 +382,7 @@ static irqreturn_t mcp23s08_irq(int irq, void *data) + { + struct mcp23s08 *mcp = data; + int intcap, intcon, intf, i, gpio, gpio_orig, intcap_mask, defval, gpinten; ++ bool need_unmask = false; + unsigned long int enabled_interrupts; + unsigned int child_irq; + bool intf_set, intcap_changed, gpio_bit_changed, +@@ -396,9 +397,6 @@ static irqreturn_t mcp23s08_irq(int irq, void *data) + goto unlock; + } + +- if (mcp_read(mcp, MCP_INTCAP, &intcap)) +- goto unlock; +- + if (mcp_read(mcp, MCP_INTCON, &intcon)) + goto unlock; + +@@ -408,6 +406,16 @@ static irqreturn_t mcp23s08_irq(int irq, void *data) + if (mcp_read(mcp, MCP_DEFVAL, &defval)) + goto unlock; + ++ /* Mask level interrupts to avoid their immediate reactivation after clearing */ ++ if (intcon) { ++ need_unmask = true; ++ if (mcp_write(mcp, MCP_GPINTEN, gpinten & ~intcon)) ++ goto unlock; ++ } ++ ++ if (mcp_read(mcp, MCP_INTCAP, &intcap)) ++ goto unlock; ++ + /* This clears the interrupt(configurable on S18) */ + if (mcp_read(mcp, MCP_GPIO, &gpio)) + goto unlock; +@@ -470,9 +478,18 @@ static irqreturn_t mcp23s08_irq(int irq, void *data) + } + } + ++ if (need_unmask) { ++ mutex_lock(&mcp->lock); ++ goto unlock; ++ } ++ + return IRQ_HANDLED; + + unlock: ++ if (need_unmask) ++ if (mcp_write(mcp, MCP_GPINTEN, gpinten)) ++ dev_err(mcp->chip.parent, "can't unmask GPINTEN\n"); ++ + mutex_unlock(&mcp->lock); + return IRQ_HANDLED; + } +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch b/queue-6.12/pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch new file mode 100644 index 0000000000..9023f7d0f7 --- /dev/null +++ b/queue-6.12/pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch @@ -0,0 +1,39 @@ +From 853141ba631bb635e9036d3b24bdbd9bc03755e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 17:25:52 -0600 +Subject: pinctrl: renesas: rza2: Fix potential NULL pointer dereference + +From: Chenyuan Yang + +[ Upstream commit f752ee5b5b86b5f88a5687c9eb0ef9b39859b908 ] + +`chip.label` in rza2_gpio_register() could be NULL. +Add the missing check. + +Signed-off-by: Chenyuan Yang +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Matthias Brugger +Link: https://lore.kernel.org/20250210232552.1545887-1-chenyuan0y@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rza2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c +index 773eaf508565b..8369fab61758d 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rza2.c ++++ b/drivers/pinctrl/renesas/pinctrl-rza2.c +@@ -243,6 +243,9 @@ static int rza2_gpio_register(struct rza2_pinctrl_priv *priv) + int ret; + + chip.label = devm_kasprintf(priv->dev, GFP_KERNEL, "%pOFn", np); ++ if (!chip.label) ++ return -ENOMEM; ++ + chip.parent = priv->dev; + chip.ngpio = priv->npins; + +-- +2.39.5 + diff --git a/queue-6.12/qibfs-fix-_another_-leak.patch b/queue-6.12/qibfs-fix-_another_-leak.patch new file mode 100644 index 0000000000..bd49134e4d --- /dev/null +++ b/queue-6.12/qibfs-fix-_another_-leak.patch @@ -0,0 +1,36 @@ +From 1227e71a9c302e1526bd26367123c4b4e43cc5e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 17:50:34 -0600 +Subject: qibfs: fix _another_ leak + +From: Al Viro + +[ Upstream commit bdb43af4fdb39f844ede401bdb1258f67a580a27 ] + +failure to allocate inode => leaked dentry... + +this one had been there since the initial merge; to be fair, +if we are that far OOM, the odds of failing at that particular +allocation are low... + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qib/qib_fs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/qib/qib_fs.c b/drivers/infiniband/hw/qib/qib_fs.c +index b27791029fa93..b9f4a2937c3ac 100644 +--- a/drivers/infiniband/hw/qib/qib_fs.c ++++ b/drivers/infiniband/hw/qib/qib_fs.c +@@ -55,6 +55,7 @@ static int qibfs_mknod(struct inode *dir, struct dentry *dentry, + struct inode *inode = new_inode(dir->i_sb); + + if (!inode) { ++ dput(dentry); + error = -EPERM; + goto bail; + } +-- +2.39.5 + diff --git a/queue-6.12/riscv-provide-all-alternative-macros-all-the-time.patch b/queue-6.12/riscv-provide-all-alternative-macros-all-the-time.patch new file mode 100644 index 0000000000..c7ef614e82 --- /dev/null +++ b/queue-6.12/riscv-provide-all-alternative-macros-all-the-time.patch @@ -0,0 +1,67 @@ +From ee56ec9d8931b529464fc5577d84a46282a10a49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 14:09:48 +0200 +Subject: riscv: Provide all alternative macros all the time + +From: Andrew Jones + +[ Upstream commit fb53a9aa5f5b8bf302f3260a7f1f5a24345ce62a ] + +We need to provide all six forms of the alternative macros +(ALTERNATIVE, ALTERNATIVE_2, _ALTERNATIVE_CFG, _ALTERNATIVE_CFG_2, +__ALTERNATIVE_CFG, __ALTERNATIVE_CFG_2) for all four cases derived +from the two ifdefs (RISCV_ALTERNATIVE, __ASSEMBLY__) in order to +ensure all configs can compile. Define this missing ones and ensure +all are defined to consume all parameters passed. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202504130710.3IKz6Ibs-lkp@intel.com/ +Signed-off-by: Andrew Jones +Tested-by: Alexandre Ghiti +Reviewed-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20250414120947.135173-2-ajones@ventanamicro.com +Signed-off-by: Alexandre Ghiti +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/alternative-macros.h | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/arch/riscv/include/asm/alternative-macros.h b/arch/riscv/include/asm/alternative-macros.h +index 721ec275ce57e..231d777d936c2 100644 +--- a/arch/riscv/include/asm/alternative-macros.h ++++ b/arch/riscv/include/asm/alternative-macros.h +@@ -115,24 +115,19 @@ + \old_c + .endm + +-#define _ALTERNATIVE_CFG(old_c, ...) \ +- ALTERNATIVE_CFG old_c +- +-#define _ALTERNATIVE_CFG_2(old_c, ...) \ +- ALTERNATIVE_CFG old_c ++#define __ALTERNATIVE_CFG(old_c, ...) ALTERNATIVE_CFG old_c ++#define __ALTERNATIVE_CFG_2(old_c, ...) ALTERNATIVE_CFG old_c + + #else /* !__ASSEMBLY__ */ + +-#define __ALTERNATIVE_CFG(old_c) \ +- old_c "\n" ++#define __ALTERNATIVE_CFG(old_c, ...) old_c "\n" ++#define __ALTERNATIVE_CFG_2(old_c, ...) old_c "\n" + +-#define _ALTERNATIVE_CFG(old_c, ...) \ +- __ALTERNATIVE_CFG(old_c) ++#endif /* __ASSEMBLY__ */ + +-#define _ALTERNATIVE_CFG_2(old_c, ...) \ +- __ALTERNATIVE_CFG(old_c) ++#define _ALTERNATIVE_CFG(old_c, ...) __ALTERNATIVE_CFG(old_c) ++#define _ALTERNATIVE_CFG_2(old_c, ...) __ALTERNATIVE_CFG_2(old_c) + +-#endif /* __ASSEMBLY__ */ + #endif /* CONFIG_RISCV_ALTERNATIVE */ + + /* +-- +2.39.5 + diff --git a/queue-6.12/rtc-pcf85063-do-a-sw-reset-if-por-failed.patch b/queue-6.12/rtc-pcf85063-do-a-sw-reset-if-por-failed.patch new file mode 100644 index 0000000000..f6852d1667 --- /dev/null +++ b/queue-6.12/rtc-pcf85063-do-a-sw-reset-if-por-failed.patch @@ -0,0 +1,78 @@ +From f58823ca35c0f998a560602e5a11a5b8cc329062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 10:34:49 +0100 +Subject: rtc: pcf85063: do a SW reset if POR failed + +From: Lukas Stockmann + +[ Upstream commit 2b7cbd98495f6ee4cd6422fe77828a19e9edf87f ] + +Power-on Reset has a documented issue in PCF85063, refer to its datasheet, +section "Software reset": + +"There is a low probability that some devices will have corruption of the +registers after the automatic power-on reset if the device is powered up +with a residual VDD level. It is required that the VDD starts at zero volts +at power up or upon power cycling to ensure that there is no corruption of +the registers. If this is not possible, a reset must be initiated after +power-up (i.e. when power is stable) with the software reset command" + +Trigger SW reset if there is an indication that POR has failed. + +Link: https://www.nxp.com/docs/en/data-sheet/PCF85063A.pdf +Signed-off-by: Lukas Stockmann +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20250120093451.30778-1-alexander.sverdlin@siemens.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf85063.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c +index 905986c616559..73848f764559b 100644 +--- a/drivers/rtc/rtc-pcf85063.c ++++ b/drivers/rtc/rtc-pcf85063.c +@@ -35,6 +35,7 @@ + #define PCF85063_REG_CTRL1_CAP_SEL BIT(0) + #define PCF85063_REG_CTRL1_STOP BIT(5) + #define PCF85063_REG_CTRL1_EXT_TEST BIT(7) ++#define PCF85063_REG_CTRL1_SWR 0x58 + + #define PCF85063_REG_CTRL2 0x01 + #define PCF85063_CTRL2_AF BIT(6) +@@ -589,7 +590,7 @@ static int pcf85063_probe(struct i2c_client *client) + + i2c_set_clientdata(client, pcf85063); + +- err = regmap_read(pcf85063->regmap, PCF85063_REG_CTRL1, &tmp); ++ err = regmap_read(pcf85063->regmap, PCF85063_REG_SC, &tmp); + if (err) { + dev_err(&client->dev, "RTC chip is not present\n"); + return err; +@@ -599,6 +600,22 @@ static int pcf85063_probe(struct i2c_client *client) + if (IS_ERR(pcf85063->rtc)) + return PTR_ERR(pcf85063->rtc); + ++ /* ++ * If a Power loss is detected, SW reset the device. ++ * From PCF85063A datasheet: ++ * There is a low probability that some devices will have corruption ++ * of the registers after the automatic power-on reset... ++ */ ++ if (tmp & PCF85063_REG_SC_OS) { ++ dev_warn(&client->dev, ++ "POR issue detected, sending a SW reset\n"); ++ err = regmap_write(pcf85063->regmap, PCF85063_REG_CTRL1, ++ PCF85063_REG_CTRL1_SWR); ++ if (err < 0) ++ dev_warn(&client->dev, ++ "SW reset failed, trying to continue\n"); ++ } ++ + err = pcf85063_load_capacitance(pcf85063, client->dev.of_node, + config->force_cap_7000 ? 7000 : 0); + if (err < 0) +-- +2.39.5 + diff --git a/queue-6.12/s390-sclp-add-check-for-get_zeroed_page.patch b/queue-6.12/s390-sclp-add-check-for-get_zeroed_page.patch new file mode 100644 index 0000000000..51daaf6fdf --- /dev/null +++ b/queue-6.12/s390-sclp-add-check-for-get_zeroed_page.patch @@ -0,0 +1,61 @@ +From 2a7349fdc9fbcd7a3bc5c6d66cdb4ee52f8b7c32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 10:52:16 +0800 +Subject: s390/sclp: Add check for get_zeroed_page() + +From: Haoxiang Li + +[ Upstream commit 3db42c75a921854a99db0a2775814fef97415bac ] + +Add check for the return value of get_zeroed_page() in +sclp_console_init() to prevent null pointer dereference. +Furthermore, to solve the memory leak caused by the loop +allocation, add a free helper to do the free job. + +Signed-off-by: Haoxiang Li +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20250218025216.2421548-1-haoxiang_li2024@163.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/char/sclp_con.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/s390/char/sclp_con.c b/drivers/s390/char/sclp_con.c +index e5d947c763ea5..6a030ba38bf36 100644 +--- a/drivers/s390/char/sclp_con.c ++++ b/drivers/s390/char/sclp_con.c +@@ -263,6 +263,19 @@ static struct console sclp_console = + .index = 0 /* ttyS0 */ + }; + ++/* ++ * Release allocated pages. ++ */ ++static void __init __sclp_console_free_pages(void) ++{ ++ struct list_head *page, *p; ++ ++ list_for_each_safe(page, p, &sclp_con_pages) { ++ list_del(page); ++ free_page((unsigned long)page); ++ } ++} ++ + /* + * called by console_init() in drivers/char/tty_io.c at boot-time. + */ +@@ -282,6 +295,10 @@ sclp_console_init(void) + /* Allocate pages for output buffering */ + for (i = 0; i < sclp_console_pages; i++) { + page = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA); ++ if (!page) { ++ __sclp_console_free_pages(); ++ return -ENOMEM; ++ } + list_add_tail(page, &sclp_con_pages); + } + sclp_conbuf = NULL; +-- +2.39.5 + diff --git a/queue-6.12/s390-tty-fix-a-potential-memory-leak-bug.patch b/queue-6.12/s390-tty-fix-a-potential-memory-leak-bug.patch new file mode 100644 index 0000000000..e221f2ca57 --- /dev/null +++ b/queue-6.12/s390-tty-fix-a-potential-memory-leak-bug.patch @@ -0,0 +1,55 @@ +From 7282051c2081ccec8594a56b4f012cfca9248159 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 11:41:04 +0800 +Subject: s390/tty: Fix a potential memory leak bug + +From: Haoxiang Li + +[ Upstream commit ad9bb8f049717d64c5e62b2a44954be9f681c65b ] + +The check for get_zeroed_page() leads to a direct return +and overlooked the memory leak caused by loop allocation. +Add a free helper to free spaces allocated by get_zeroed_page(). + +Signed-off-by: Haoxiang Li +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20250218034104.2436469-1-haoxiang_li2024@163.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/char/sclp_tty.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/s390/char/sclp_tty.c b/drivers/s390/char/sclp_tty.c +index 892c18d2f87e9..d3edacb6ee148 100644 +--- a/drivers/s390/char/sclp_tty.c ++++ b/drivers/s390/char/sclp_tty.c +@@ -490,6 +490,17 @@ static const struct tty_operations sclp_ops = { + .flush_buffer = sclp_tty_flush_buffer, + }; + ++/* Release allocated pages. */ ++static void __init __sclp_tty_free_pages(void) ++{ ++ struct list_head *page, *p; ++ ++ list_for_each_safe(page, p, &sclp_tty_pages) { ++ list_del(page); ++ free_page((unsigned long)page); ++ } ++} ++ + static int __init + sclp_tty_init(void) + { +@@ -516,6 +527,7 @@ sclp_tty_init(void) + for (i = 0; i < MAX_KMEM_PAGES; i++) { + page = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA); + if (page == NULL) { ++ __sclp_tty_free_pages(); + tty_driver_kref_put(driver); + return -ENOMEM; + } +-- +2.39.5 + diff --git a/queue-6.12/sched-isolation-make-config_cpu_isolation-depend-on-.patch b/queue-6.12/sched-isolation-make-config_cpu_isolation-depend-on-.patch new file mode 100644 index 0000000000..4b2272ae19 --- /dev/null +++ b/queue-6.12/sched-isolation-make-config_cpu_isolation-depend-on-.patch @@ -0,0 +1,46 @@ +From 6f1cd787d621e2677a0481fc9f7d686f928ea164 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Mar 2025 15:49:55 +0200 +Subject: sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP + +From: Oleg Nesterov + +[ Upstream commit 975776841e689dd8ba36df9fa72ac3eca3c2957a ] + +kernel/sched/isolation.c obviously makes no sense without CONFIG_SMP, but +the Kconfig entry we have right now: + + config CPU_ISOLATION + bool "CPU isolation" + depends on SMP || COMPILE_TEST + +allows the creation of pointless .config's which cause +build failures. + +Reported-by: kernel test robot +Signed-off-by: Oleg Nesterov +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20250330134955.GA7910@redhat.com + +Closes: https://lore.kernel.org/oe-kbuild-all/202503260646.lrUqD3j5-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + init/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/init/Kconfig b/init/Kconfig +index 243d0087f9445..2b4969758da83 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -708,7 +708,7 @@ endmenu # "CPU/Task time and stats accounting" + + config CPU_ISOLATION + bool "CPU isolation" +- depends on SMP || COMPILE_TEST ++ depends on SMP + default y + help + Make sure that CPUs running critical tasks are not disturbed by +-- +2.39.5 + diff --git a/queue-6.12/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch b/queue-6.12/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch new file mode 100644 index 0000000000..c264c651d6 --- /dev/null +++ b/queue-6.12/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch @@ -0,0 +1,59 @@ +From a2863dcdb851b3ae5508f750bd0aee978d9b7676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:51:35 +0800 +Subject: scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes + +From: Xingui Yang + +[ Upstream commit daff37f00c7506ca322ccfce95d342022f06ec58 ] + +The hw port ID of phy may change when inserting disks in batches, causing +the port ID in hisi_sas_port and itct to be inconsistent with the hardware, +resulting in I/O errors. The solution is to set the device state to gone to +intercept I/O sent to the device, and then execute linkreset to discard and +find the disk to re-update its information. + +Signed-off-by: Xingui Yang +Link: https://lore.kernel.org/r/20250312095135.3048379-3-yangxingui@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index ffd15fa4f9e59..e98e6b2b9f570 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -912,8 +912,28 @@ static void hisi_sas_phyup_work_common(struct work_struct *work, + container_of(work, typeof(*phy), works[event]); + struct hisi_hba *hisi_hba = phy->hisi_hba; + struct asd_sas_phy *sas_phy = &phy->sas_phy; ++ struct asd_sas_port *sas_port = sas_phy->port; ++ struct hisi_sas_port *port = phy->port; ++ struct device *dev = hisi_hba->dev; ++ struct domain_device *port_dev; + int phy_no = sas_phy->id; + ++ if (!test_bit(HISI_SAS_RESETTING_BIT, &hisi_hba->flags) && ++ sas_port && port && (port->id != phy->port_id)) { ++ dev_info(dev, "phy%d's hw port id changed from %d to %llu\n", ++ phy_no, port->id, phy->port_id); ++ port_dev = sas_port->port_dev; ++ if (port_dev && !dev_is_expander(port_dev->dev_type)) { ++ /* ++ * Set the device state to gone to block ++ * sending IO to the device. ++ */ ++ set_bit(SAS_DEV_GONE, &port_dev->state); ++ hisi_sas_notify_phy_event(phy, HISI_PHYE_LINK_RESET); ++ return; ++ } ++ } ++ + phy->wait_phyup_cnt = 0; + if (phy->identify.target_port_protocols == SAS_PROTOCOL_SSP) + hisi_hba->hw->sl_notify_ssp(hisi_hba, phy_no); +-- +2.39.5 + diff --git a/queue-6.12/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch b/queue-6.12/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch new file mode 100644 index 0000000000..a736b79a80 --- /dev/null +++ b/queue-6.12/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch @@ -0,0 +1,36 @@ +From 6c1e52aea090d349e4f3d2565da851d7941b0f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 23:03:05 +0000 +Subject: scsi: pm80xx: Set phy_attached to zero when device is gone + +From: Igor Pylypiv + +[ Upstream commit f7b705c238d1483f0a766e2b20010f176e5c0fb7 ] + +When a fatal error occurs, a phy down event may not be received to set +phy->phy_attached to zero. + +Signed-off-by: Igor Pylypiv +Signed-off-by: Salomon Dushimirimana +Link: https://lore.kernel.org/r/20250319230305.3172920-1-salomondush@google.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_sas.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c +index ee2da8e49d4cf..a9d6dac413346 100644 +--- a/drivers/scsi/pm8001/pm8001_sas.c ++++ b/drivers/scsi/pm8001/pm8001_sas.c +@@ -719,6 +719,7 @@ static void pm8001_dev_gone_notify(struct domain_device *dev) + spin_lock_irqsave(&pm8001_ha->lock, flags); + } + PM8001_CHIP_DISP->dereg_dev_req(pm8001_ha, device_id); ++ pm8001_ha->phy[pm8001_dev->attached_phy].phy_attached = 0; + pm8001_free_dev(pm8001_dev); + } else { + pm8001_dbg(pm8001_ha, DISC, "Found dev has gone.\n"); +-- +2.39.5 + diff --git a/queue-6.12/scsi-ufs-exynos-enable-prdt-pre-fetching-with-ufshcd.patch b/queue-6.12/scsi-ufs-exynos-enable-prdt-pre-fetching-with-ufshcd.patch new file mode 100644 index 0000000000..611f9392cb --- /dev/null +++ b/queue-6.12/scsi-ufs-exynos-enable-prdt-pre-fetching-with-ufshcd.patch @@ -0,0 +1,58 @@ +From 4f3b7cd2150a05690c0f0ccabf0b25066c5d52df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 15:30:22 +0000 +Subject: scsi: ufs: exynos: Enable PRDT pre-fetching with UFSHCD_CAP_CRYPTO + +From: Peter Griffin + +[ Upstream commit deac9ad496ec17e1ec06848964ecc635bdaca703 ] + +PRDT_PREFETCH_ENABLE[31] bit should be set when desctype field of +fmpsecurity0 register is type2 (double file encryption) or type3 +(support for file and disk encryption). Setting this bit enables PRDT +pre-fetching on both TXPRDT and RXPRDT. + +Signed-off-by: Peter Griffin +Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-5-96722cc2ba1b@linaro.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-exynos.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c +index 75bb0ff07b07e..626187100316b 100644 +--- a/drivers/ufs/host/ufs-exynos.c ++++ b/drivers/ufs/host/ufs-exynos.c +@@ -34,7 +34,7 @@ + * Exynos's Vendor specific registers for UFSHCI + */ + #define HCI_TXPRDT_ENTRY_SIZE 0x00 +-#define PRDT_PREFECT_EN BIT(31) ++#define PRDT_PREFETCH_EN BIT(31) + #define HCI_RXPRDT_ENTRY_SIZE 0x04 + #define HCI_1US_TO_CNT_VAL 0x0C + #define CNT_VAL_1US_MASK 0x3FF +@@ -1066,12 +1066,17 @@ static int exynos_ufs_post_link(struct ufs_hba *hba) + struct exynos_ufs *ufs = ufshcd_get_variant(hba); + struct phy *generic_phy = ufs->phy; + struct exynos_ufs_uic_attr *attr = ufs->drv_data->uic_attr; ++ u32 val = ilog2(DATA_UNIT_SIZE); + + exynos_ufs_establish_connt(ufs); + exynos_ufs_fit_aggr_timeout(ufs); + + hci_writel(ufs, 0xa, HCI_DATA_REORDER); +- hci_writel(ufs, ilog2(DATA_UNIT_SIZE), HCI_TXPRDT_ENTRY_SIZE); ++ ++ if (hba->caps & UFSHCD_CAP_CRYPTO) ++ val |= PRDT_PREFETCH_EN; ++ hci_writel(ufs, val, HCI_TXPRDT_ENTRY_SIZE); ++ + hci_writel(ufs, ilog2(DATA_UNIT_SIZE), HCI_RXPRDT_ENTRY_SIZE); + hci_writel(ufs, (1 << hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE); + hci_writel(ufs, (1 << hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE); +-- +2.39.5 + diff --git a/queue-6.12/scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch b/queue-6.12/scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch new file mode 100644 index 0000000000..334d86aece --- /dev/null +++ b/queue-6.12/scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch @@ -0,0 +1,58 @@ +From d48526fca1034bcb59ab35c546068ad5c8d922ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 15:30:18 +0000 +Subject: scsi: ufs: exynos: Ensure pre_link() executes before + exynos_ufs_phy_init() + +From: Peter Griffin + +[ Upstream commit 3d101165e72316775947d71321d97194f03dfef3 ] + +Ensure clocks are enabled before configuring unipro. Additionally move +the pre_link() hook before the exynos_ufs_phy_init() calls. This means +the register write sequence more closely resembles the ordering of the +downstream driver. + +Signed-off-by: Peter Griffin +Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-1-96722cc2ba1b@linaro.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-exynos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c +index fd1ebb4fcd96c..75bb0ff07b07e 100644 +--- a/drivers/ufs/host/ufs-exynos.c ++++ b/drivers/ufs/host/ufs-exynos.c +@@ -1028,9 +1028,14 @@ static int exynos_ufs_pre_link(struct ufs_hba *hba) + exynos_ufs_config_intr(ufs, DFES_DEF_L4_ERRS, UNIPRO_L4); + exynos_ufs_set_unipro_pclk_div(ufs); + ++ exynos_ufs_setup_clocks(hba, true, PRE_CHANGE); ++ + /* unipro */ + exynos_ufs_config_unipro(ufs); + ++ if (ufs->drv_data->pre_link) ++ ufs->drv_data->pre_link(ufs); ++ + /* m-phy */ + exynos_ufs_phy_init(ufs); + if (!(ufs->opts & EXYNOS_UFS_OPT_SKIP_CONFIG_PHY_ATTR)) { +@@ -1038,11 +1043,6 @@ static int exynos_ufs_pre_link(struct ufs_hba *hba) + exynos_ufs_config_phy_cap_attr(ufs); + } + +- exynos_ufs_setup_clocks(hba, true, PRE_CHANGE); +- +- if (ufs->drv_data->pre_link) +- ufs->drv_data->pre_link(ufs); +- + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/scsi-ufs-exynos-gs101-put-ufs-device-in-reset-on-.su.patch b/queue-6.12/scsi-ufs-exynos-gs101-put-ufs-device-in-reset-on-.su.patch new file mode 100644 index 0000000000..e60a4e5eb0 --- /dev/null +++ b/queue-6.12/scsi-ufs-exynos-gs101-put-ufs-device-in-reset-on-.su.patch @@ -0,0 +1,75 @@ +From 109c52e56642d2fbc5dc572127cd22acbf0b4249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 15:30:24 +0000 +Subject: scsi: ufs: exynos: gs101: Put UFS device in reset on .suspend() + +From: Peter Griffin + +[ Upstream commit cd4c0025069f16fc666c6ffc56c49c9b1154841f ] + +GPIO_OUT[0] is connected to the reset pin of embedded UFS device. +Before powering off the phy assert the reset signal. + +This is added as a gs101 specific suspend hook so as not to have any +unintended consequences for other SoCs supported by this driver. + +Signed-off-by: Peter Griffin +Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-7-96722cc2ba1b@linaro.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-exynos.c | 10 ++++++++++ + drivers/ufs/host/ufs-exynos.h | 1 + + 2 files changed, 11 insertions(+) + +diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c +index 55ea863b47f3d..5ba17ccf6417f 100644 +--- a/drivers/ufs/host/ufs-exynos.c ++++ b/drivers/ufs/host/ufs-exynos.c +@@ -1687,6 +1687,12 @@ static void exynos_ufs_hibern8_notify(struct ufs_hba *hba, + } + } + ++static int gs101_ufs_suspend(struct exynos_ufs *ufs) ++{ ++ hci_writel(ufs, 0 << 0, HCI_GPIO_OUT); ++ return 0; ++} ++ + static int exynos_ufs_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op, + enum ufs_notify_change_status status) + { +@@ -1695,6 +1701,9 @@ static int exynos_ufs_suspend(struct ufs_hba *hba, enum ufs_pm_op pm_op, + if (status == PRE_CHANGE) + return 0; + ++ if (ufs->drv_data->suspend) ++ ufs->drv_data->suspend(ufs); ++ + if (!ufshcd_is_link_active(hba)) + phy_power_off(ufs->phy); + +@@ -2172,6 +2181,7 @@ static const struct exynos_ufs_drv_data gs101_ufs_drvs = { + .pre_link = gs101_ufs_pre_link, + .post_link = gs101_ufs_post_link, + .pre_pwr_change = gs101_ufs_pre_pwr_change, ++ .suspend = gs101_ufs_suspend, + }; + + static const struct of_device_id exynos_ufs_of_match[] = { +diff --git a/drivers/ufs/host/ufs-exynos.h b/drivers/ufs/host/ufs-exynos.h +index d0b3df221503c..3c6fe5132190a 100644 +--- a/drivers/ufs/host/ufs-exynos.h ++++ b/drivers/ufs/host/ufs-exynos.h +@@ -192,6 +192,7 @@ struct exynos_ufs_drv_data { + struct ufs_pa_layer_attr *pwr); + int (*pre_hce_enable)(struct exynos_ufs *ufs); + int (*post_hce_enable)(struct exynos_ufs *ufs); ++ int (*suspend)(struct exynos_ufs *ufs); + }; + + struct ufs_phy_time_cfg { +-- +2.39.5 + diff --git a/queue-6.12/scsi-ufs-exynos-move-phy-calls-to-.exit-callback.patch b/queue-6.12/scsi-ufs-exynos-move-phy-calls-to-.exit-callback.patch new file mode 100644 index 0000000000..00c57dc759 --- /dev/null +++ b/queue-6.12/scsi-ufs-exynos-move-phy-calls-to-.exit-callback.patch @@ -0,0 +1,70 @@ +From 403edb05f45ddd0135250b282f770cb2ddb958ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 15:30:23 +0000 +Subject: scsi: ufs: exynos: Move phy calls to .exit() callback + +From: Peter Griffin + +[ Upstream commit 67e4085015c33bf2fb552af1f171c58b81ef0616 ] + +ufshcd_pltfrm_remove() calls ufshcd_remove(hba) which in turn calls +ufshcd_hba_exit(). + +By moving the phy_power_off() and phy_exit() calls to the newly created +.exit callback they get called by ufshcd_variant_hba_exit() before +ufshcd_hba_exit() turns off the regulators. This is also similar flow to +the ufs-qcom driver. + +Signed-off-by: Peter Griffin +Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-6-96722cc2ba1b@linaro.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-exynos.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c +index 626187100316b..55ea863b47f3d 100644 +--- a/drivers/ufs/host/ufs-exynos.c ++++ b/drivers/ufs/host/ufs-exynos.c +@@ -1490,6 +1490,14 @@ static int exynos_ufs_init(struct ufs_hba *hba) + return ret; + } + ++static void exynos_ufs_exit(struct ufs_hba *hba) ++{ ++ struct exynos_ufs *ufs = ufshcd_get_variant(hba); ++ ++ phy_power_off(ufs->phy); ++ phy_exit(ufs->phy); ++} ++ + static int exynos_ufs_host_reset(struct ufs_hba *hba) + { + struct exynos_ufs *ufs = ufshcd_get_variant(hba); +@@ -1958,6 +1966,7 @@ static int gs101_ufs_pre_pwr_change(struct exynos_ufs *ufs, + static const struct ufs_hba_variant_ops ufs_hba_exynos_ops = { + .name = "exynos_ufs", + .init = exynos_ufs_init, ++ .exit = exynos_ufs_exit, + .hce_enable_notify = exynos_ufs_hce_enable_notify, + .link_startup_notify = exynos_ufs_link_startup_notify, + .pwr_change_notify = exynos_ufs_pwr_change_notify, +@@ -1996,13 +2005,7 @@ static int exynos_ufs_probe(struct platform_device *pdev) + + static void exynos_ufs_remove(struct platform_device *pdev) + { +- struct ufs_hba *hba = platform_get_drvdata(pdev); +- struct exynos_ufs *ufs = ufshcd_get_variant(hba); +- + ufshcd_pltfrm_remove(pdev); +- +- phy_power_off(ufs->phy); +- phy_exit(ufs->phy); + } + + static struct exynos_ufs_uic_attr exynos7_uic_attr = { +-- +2.39.5 + diff --git a/queue-6.12/selftests-bpf-fix-stdout-race-condition-in-traffic-m.patch b/queue-6.12/selftests-bpf-fix-stdout-race-condition-in-traffic-m.patch new file mode 100644 index 0000000000..3100ba8cf2 --- /dev/null +++ b/queue-6.12/selftests-bpf-fix-stdout-race-condition-in-traffic-m.patch @@ -0,0 +1,117 @@ +From 4f0b0bcaefc9d3d5487db17b12121d63a6921cee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 15:32:17 -0800 +Subject: selftests/bpf: Fix stdout race condition in traffic monitor + +From: Amery Hung + +[ Upstream commit b99f27e90268b1a814c13f8bd72ea1db448ea257 ] + +Fix a race condition between the main test_progs thread and the traffic +monitoring thread. The traffic monitor thread tries to print a line +using multiple printf and use flockfile() to prevent the line from being +torn apart. Meanwhile, the main thread doing io redirection can reassign +or close stdout when going through tests. A deadlock as shown below can +happen. + + main traffic_monitor_thread + ==== ====================== + show_transport() + -> flockfile(stdout) + +stdio_hijack_init() +-> stdout = open_memstream(log_buf, log_cnt); + ... + env.subtest_state->stdout_saved = stdout; + + ... + funlockfile(stdout) +stdio_restore_cleanup() +-> fclose(env.subtest_state->stdout_saved); + +After the traffic monitor thread lock stdout, A new memstream can be +assigned to stdout by the main thread. Therefore, the traffic monitor +thread later will not be able to unlock the original stdout. As the +main thread tries to access the old stdout, it will hang indefinitely +as it is still locked by the traffic monitor thread. + +The deadlock can be reproduced by running test_progs repeatedly with +traffic monitor enabled: + +for ((i=1;i<=100;i++)); do + ./test_progs -a flow_dissector_skb* -m '*' +done + +Fix this by only calling printf once and remove flockfile()/funlockfile(). + +Signed-off-by: Amery Hung +Signed-off-by: Martin KaFai Lau +Link: https://patch.msgid.link/20250213233217.553258-1-ameryhung@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/network_helpers.c | 33 ++++++++----------- + 1 file changed, 13 insertions(+), 20 deletions(-) + +diff --git a/tools/testing/selftests/bpf/network_helpers.c b/tools/testing/selftests/bpf/network_helpers.c +index 27784946b01b8..af0ee70a53f9f 100644 +--- a/tools/testing/selftests/bpf/network_helpers.c ++++ b/tools/testing/selftests/bpf/network_helpers.c +@@ -771,12 +771,13 @@ static const char *pkt_type_str(u16 pkt_type) + return "Unknown"; + } + ++#define MAX_FLAGS_STRLEN 21 + /* Show the information of the transport layer in the packet */ + static void show_transport(const u_char *packet, u16 len, u32 ifindex, + const char *src_addr, const char *dst_addr, + u16 proto, bool ipv6, u8 pkt_type) + { +- char *ifname, _ifname[IF_NAMESIZE]; ++ char *ifname, _ifname[IF_NAMESIZE], flags[MAX_FLAGS_STRLEN] = ""; + const char *transport_str; + u16 src_port, dst_port; + struct udphdr *udp; +@@ -817,29 +818,21 @@ static void show_transport(const u_char *packet, u16 len, u32 ifindex, + + /* TCP or UDP*/ + +- flockfile(stdout); ++ if (proto == IPPROTO_TCP) ++ snprintf(flags, MAX_FLAGS_STRLEN, "%s%s%s%s", ++ tcp->fin ? ", FIN" : "", ++ tcp->syn ? ", SYN" : "", ++ tcp->rst ? ", RST" : "", ++ tcp->ack ? ", ACK" : ""); ++ + if (ipv6) +- printf("%-7s %-3s IPv6 %s.%d > %s.%d: %s, length %d", ++ printf("%-7s %-3s IPv6 %s.%d > %s.%d: %s, length %d%s\n", + ifname, pkt_type_str(pkt_type), src_addr, src_port, +- dst_addr, dst_port, transport_str, len); ++ dst_addr, dst_port, transport_str, len, flags); + else +- printf("%-7s %-3s IPv4 %s:%d > %s:%d: %s, length %d", ++ printf("%-7s %-3s IPv4 %s:%d > %s:%d: %s, length %d%s\n", + ifname, pkt_type_str(pkt_type), src_addr, src_port, +- dst_addr, dst_port, transport_str, len); +- +- if (proto == IPPROTO_TCP) { +- if (tcp->fin) +- printf(", FIN"); +- if (tcp->syn) +- printf(", SYN"); +- if (tcp->rst) +- printf(", RST"); +- if (tcp->ack) +- printf(", ACK"); +- } +- +- printf("\n"); +- funlockfile(stdout); ++ dst_addr, dst_port, transport_str, len, flags); + } + + static void show_ipv6_packet(const u_char *packet, u32 ifindex, u8 pkt_type) +-- +2.39.5 + diff --git a/queue-6.12/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch b/queue-6.12/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch new file mode 100644 index 0000000000..b9090ad91f --- /dev/null +++ b/queue-6.12/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch @@ -0,0 +1,62 @@ +From d4b82cb12f151d1523a262db84bbdfe3ac8453da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 16:09:40 +0800 +Subject: selftests/mincore: Allow read-ahead pages to reach the end of the + file + +From: Qiuxu Zhuo + +[ Upstream commit 197c1eaa7ba633a482ed7588eea6fd4aa57e08d4 ] + +When running the mincore_selftest on a system with an XFS file system, it +failed the "check_file_mmap" test case due to the read-ahead pages reaching +the end of the file. The failure log is as below: + + RUN global.check_file_mmap ... + mincore_selftest.c:264:check_file_mmap:Expected i (1024) < vec_size (1024) + mincore_selftest.c:265:check_file_mmap:Read-ahead pages reached the end of the file + check_file_mmap: Test failed + FAIL global.check_file_mmap + +This is because the read-ahead window size of the XFS file system on this +machine is 4 MB, which is larger than the size from the #PF address to the +end of the file. As a result, all the pages for this file are populated. + + blockdev --getra /dev/nvme0n1p5 + 8192 + blockdev --getbsz /dev/nvme0n1p5 + 512 + +This issue can be fixed by extending the current FILE_SIZE 4MB to a larger +number, but it will still fail if the read-ahead window size of the file +system is larger enough. Additionally, in the real world, read-ahead pages +reaching the end of the file can happen and is an expected behavior. +Therefore, allowing read-ahead pages to reach the end of the file is a +better choice for the "check_file_mmap" test case. + +Link: https://lore.kernel.org/r/20250311080940.21413-1-qiuxu.zhuo@intel.com +Reported-by: Yi Lai +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/mincore/mincore_selftest.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tools/testing/selftests/mincore/mincore_selftest.c b/tools/testing/selftests/mincore/mincore_selftest.c +index e949a43a61450..efabfcbe0b498 100644 +--- a/tools/testing/selftests/mincore/mincore_selftest.c ++++ b/tools/testing/selftests/mincore/mincore_selftest.c +@@ -261,9 +261,6 @@ TEST(check_file_mmap) + TH_LOG("No read-ahead pages found in memory"); + } + +- EXPECT_LT(i, vec_size) { +- TH_LOG("Read-ahead pages reached the end of the file"); +- } + /* + * End of the readahead window. The rest of the pages shouldn't + * be in memory. +-- +2.39.5 + diff --git a/queue-6.12/selftests-ublk-fix-test_stripe_04.patch b/queue-6.12/selftests-ublk-fix-test_stripe_04.patch new file mode 100644 index 0000000000..f5645530f7 --- /dev/null +++ b/queue-6.12/selftests-ublk-fix-test_stripe_04.patch @@ -0,0 +1,58 @@ +From 4b790b1e158453b384655401e6c6e876ade9746a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 08:18:49 +0800 +Subject: selftests: ublk: fix test_stripe_04 + +From: Ming Lei + +[ Upstream commit 72070e57b0a518ec8e562a2b68fdfc796ef5c040 ] + +Commit 57ed58c13256 ("selftests: ublk: enable zero copy for stripe target") +added test entry of test_stripe_04, but forgot to add the test script. + +So fix the test by adding the script file. + +Reported-by: Uday Shankar +Signed-off-by: Ming Lei +Reviewed-by: Uday Shankar +Link: https://lore.kernel.org/r/20250404001849.1443064-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + .../testing/selftests/ublk/test_stripe_04.sh | 24 +++++++++++++++++++ + 1 file changed, 24 insertions(+) + create mode 100755 tools/testing/selftests/ublk/test_stripe_04.sh + +diff --git a/tools/testing/selftests/ublk/test_stripe_04.sh b/tools/testing/selftests/ublk/test_stripe_04.sh +new file mode 100755 +index 0000000000000..1f2b642381d17 +--- /dev/null ++++ b/tools/testing/selftests/ublk/test_stripe_04.sh +@@ -0,0 +1,24 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++. "$(cd "$(dirname "$0")" && pwd)"/test_common.sh ++ ++TID="stripe_04" ++ERR_CODE=0 ++ ++_prep_test "stripe" "mkfs & mount & umount on zero copy" ++ ++backfile_0=$(_create_backfile 256M) ++backfile_1=$(_create_backfile 256M) ++dev_id=$(_add_ublk_dev -t stripe -z -q 2 "$backfile_0" "$backfile_1") ++_check_add_dev $TID $? "$backfile_0" "$backfile_1" ++ ++_mkfs_mount_test /dev/ublkb"${dev_id}" ++ERR_CODE=$? ++ ++_cleanup_test "stripe" ++ ++_remove_backfile "$backfile_0" ++_remove_backfile "$backfile_1" ++ ++_show_result $TID $ERR_CODE +-- +2.39.5 + diff --git a/queue-6.12/series b/queue-6.12/series index ec4efd39da..84f3b1decb 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -149,3 +149,101 @@ usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch usb-wdm-add-annotation.patch +selftests-bpf-fix-stdout-race-condition-in-traffic-m.patch +pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch +pinctrl-mcp23s08-get-rid-of-spurious-level-interrupt.patch +mips-cm-detect-cm-quirks-from-device-tree.patch +crypto-ccp-add-support-for-pci-device-0x1134.patch +crypto-lib-kconfig-fix-lib-built-in-failure-when-arc.patch +crypto-null-use-spin-lock-instead-of-mutex.patch +bpf-fix-kmemleak-warning-for-percpu-hashmap.patch +bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch +clk-check-for-disabled-clock-provider-in-of_clk_get_.patch +parisc-pdt-fix-missing-prototype-warning.patch +s390-sclp-add-check-for-get_zeroed_page.patch +s390-tty-fix-a-potential-memory-leak-bug.patch +bpf-bpftool-setting-error-code-in-do_loader.patch +bpf-only-fails-the-busy-counter-check-in-bpf_cgrp_st.patch +bpf-reject-attaching-fexit-fmod_ret-to-__noreturn-fu.patch +x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch +mailbox-pcc-fix-the-possible-race-in-updation-of-cha.patch +mailbox-pcc-always-clear-the-platform-ack-interrupt-.patch +usb-host-max3421-hcd-add-missing-spi_device_id-table.patch +fs-ntfs3-keep-write-operations-atomic.patch +fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch +usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch +usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch +sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch +usb-xhci-complete-error-mid-td-transfers-when-handli.patch +usb-xhci-fix-isochronous-ring-underrun-overrun-event.patch +xhci-handle-spurious-events-on-etron-host-isoc-enpoi.patch +i3c-master-svc-add-support-for-nuvoton-npcm845-i3c.patch +dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch +usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch +phy-rockchip-usbdp-avoid-call-hpd_event_trigger-in-d.patch +usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch +usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch +thunderbolt-scan-retimers-after-device-router-has-be.patch +um-work-around-sched_yield-not-yielding-in-time-trav.patch +objtool-silence-more-kcov-warnings.patch +objtool-panic-disable-smap-in-__stack_chk_fail.patch +objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch +objtool-regulator-rk808-remove-potential-undefined-b.patch +objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch +qibfs-fix-_another_-leak.patch +ntb-reduce-stack-usage-in-idt_scan_mws.patch +ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch +9p-net-fix-improper-handling-of-bogus-negative-read-.patch +9p-trans_fd-mark-concurrent-read-and-writes-to-p9_co.patch +rtc-pcf85063-do-a-sw-reset-if-por-failed.patch +io_uring-always-do-atomic-put-from-iowq.patch +kbuild-add-dependency-from-vmlinux-to-sorttable.patch +sched-isolation-make-config_cpu_isolation-depend-on-.patch +kvm-s390-don-t-use-pk-through-tracepoints.patch +kvm-s390-don-t-use-pk-through-debug-printing.patch +cgroup-cpuset-don-t-allow-creation-of-local-partitio.patch +selftests-ublk-fix-test_stripe_04.patch +perf-core-fix-warn_on-ctx-in-__free_event-for-partia.patch +xen-change-xen-acpi-processor-dom0-dependency.patch +nvme-requeue-namespace-scan-on-missed-aens.patch +acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch +acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch +drm-amdgpu-increase-kiq-invalidate_tlbs-timeout.patch +drm-xe-xe3lpg-apply-wa_14022293748-wa_22019794406.patch +nvme-re-read-ana-log-page-after-ns-scan-completes.patch +nvme-multipath-fix-return-value-of-nvme_available_pa.patch +objtool-stop-unret-validation-on-ud2.patch +gpiolib-of-move-atmel-hsmci-quirk-up-out-of-the-regu.patch +x86-xen-disable-cpu-idle-and-frequency-drivers-for-p.patch +selftests-mincore-allow-read-ahead-pages-to-reach-th.patch +x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch +x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch +x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch +nvmet-fc-take-tgtport-reference-only-once.patch +nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch +cifs-fix-encoding-of-smb1-session-setup-kerberos-req.patch +timekeeping-add-a-lockdep-override-in-tick_freeze.patch +cifs-fix-querying-of-wsl-chr-and-blk-reparse-points-.patch +iommu-clear-iommu-dma-ops-on-cleanup.patch +ext4-make-block-validity-check-resistent-to-sb-bh-co.patch +scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch +scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch +scsi-ufs-exynos-enable-prdt-pre-fetching-with-ufshcd.patch +scsi-ufs-exynos-move-phy-calls-to-.exit-callback.patch +scsi-ufs-exynos-gs101-put-ufs-device-in-reset-on-.su.patch +scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch +asoc-fsl_asrc_dma-get-codec-or-cpu-dai-from-backend.patch +x86-i8253-call-clockevent_i8253_disable-with-interru.patch +netfs-only-create-proc-fs-netfs-with-config_proc_fs.patch +iomap-skip-unnecessary-ifs_block_is_uptodate-check.patch +riscv-provide-all-alternative-macros-all-the-time.patch +ksmbd-fix-warning-do-not-call-blocking-ops-when-task.patch +spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch +spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch +hardening-disable-gcc-randstruct-for-compile_test.patch +ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch +x86-cpu-add-cpu-model-number-for-bartlett-lake-cpus-.patch +md-raid1-add-check-for-missing-source-disk-in-proces.patch +drm-amdgpu-use-a-dummy-owner-for-sysfs-triggered-cle.patch +drm-amdgpu-use-the-right-function-for-hdp-flush.patch +spi-spi-imx-add-check-for-spi_imx_setupxfer.patch diff --git a/queue-6.12/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch b/queue-6.12/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch new file mode 100644 index 0000000000..065a0b4813 --- /dev/null +++ b/queue-6.12/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch @@ -0,0 +1,108 @@ +From 364ed7dfe097ea0085fe470f0fb569c594817a52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 11:40:59 -0800 +Subject: sound/virtio: Fix cancel_sync warnings on uninitialized work_structs + +From: John Stultz + +[ Upstream commit 3c7df2e27346eb40a0e86230db1ccab195c97cfe ] + +Betty reported hitting the following warning: + +[ 8.709131][ T221] WARNING: CPU: 2 PID: 221 at kernel/workqueue.c:4182 +... +[ 8.713282][ T221] Call trace: +[ 8.713365][ T221] __flush_work+0x8d0/0x914 +[ 8.713468][ T221] __cancel_work_sync+0xac/0xfc +[ 8.713570][ T221] cancel_work_sync+0x24/0x34 +[ 8.713667][ T221] virtsnd_remove+0xa8/0xf8 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] +[ 8.713868][ T221] virtsnd_probe+0x48c/0x664 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] +[ 8.714035][ T221] virtio_dev_probe+0x28c/0x390 +[ 8.714139][ T221] really_probe+0x1bc/0x4c8 +... + +It seems we're hitting the error path in virtsnd_probe(), which +triggers a virtsnd_remove() which iterates over the substreams +calling cancel_work_sync() on the elapsed_period work_struct. + +Looking at the code, from earlier in: +virtsnd_probe()->virtsnd_build_devs()->virtsnd_pcm_parse_cfg() + +We set snd->nsubstreams, allocate the snd->substreams, and if +we then hit an error on the info allocation or something in +virtsnd_ctl_query_info() fails, we will exit without having +initialized the elapsed_period work_struct. + +When that error path unwinds we then call virtsnd_remove() +which as long as the substreams array is allocated, will iterate +through calling cancel_work_sync() on the uninitialized work +struct hitting this warning. + +Takashi Iwai suggested this fix, which initializes the substreams +structure right after allocation, so that if we hit the error +paths we avoid trying to cleanup uninitialized data. + +Note: I have not yet managed to reproduce the issue myself, so +this patch has had limited testing. + +Feedback or thoughts would be appreciated! + +Cc: Anton Yakovlev +Cc: "Michael S. Tsirkin" +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: virtualization@lists.linux.dev +Cc: linux-sound@vger.kernel.org +Cc: kernel-team@android.com +Reported-by: Betty Zhou +Suggested-by: Takashi Iwai +Signed-off-by: John Stultz +Message-Id: <20250116194114.3375616-1-jstultz@google.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + sound/virtio/virtio_pcm.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/sound/virtio/virtio_pcm.c b/sound/virtio/virtio_pcm.c +index 967e4c45be9bb..2f7c5e709f075 100644 +--- a/sound/virtio/virtio_pcm.c ++++ b/sound/virtio/virtio_pcm.c +@@ -339,6 +339,21 @@ int virtsnd_pcm_parse_cfg(struct virtio_snd *snd) + if (!snd->substreams) + return -ENOMEM; + ++ /* ++ * Initialize critical substream fields early in case we hit an ++ * error path and end up trying to clean up uninitialized structures ++ * elsewhere. ++ */ ++ for (i = 0; i < snd->nsubstreams; ++i) { ++ struct virtio_pcm_substream *vss = &snd->substreams[i]; ++ ++ vss->snd = snd; ++ vss->sid = i; ++ INIT_WORK(&vss->elapsed_period, virtsnd_pcm_period_elapsed); ++ init_waitqueue_head(&vss->msg_empty); ++ spin_lock_init(&vss->lock); ++ } ++ + info = kcalloc(snd->nsubstreams, sizeof(*info), GFP_KERNEL); + if (!info) + return -ENOMEM; +@@ -352,12 +367,6 @@ int virtsnd_pcm_parse_cfg(struct virtio_snd *snd) + struct virtio_pcm_substream *vss = &snd->substreams[i]; + struct virtio_pcm *vpcm; + +- vss->snd = snd; +- vss->sid = i; +- INIT_WORK(&vss->elapsed_period, virtsnd_pcm_period_elapsed); +- init_waitqueue_head(&vss->msg_empty); +- spin_lock_init(&vss->lock); +- + rc = virtsnd_pcm_build_hw(vss, &info[i]); + if (rc) + goto on_exit; +-- +2.39.5 + diff --git a/queue-6.12/spi-spi-imx-add-check-for-spi_imx_setupxfer.patch b/queue-6.12/spi-spi-imx-add-check-for-spi_imx_setupxfer.patch new file mode 100644 index 0000000000..4a1e8ad6ad --- /dev/null +++ b/queue-6.12/spi-spi-imx-add-check-for-spi_imx_setupxfer.patch @@ -0,0 +1,54 @@ +From b3db59160c9966ec203aaa5b44d1e48d545a29cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 10:16:05 +0900 +Subject: spi: spi-imx: Add check for spi_imx_setupxfer() + +From: Tamura Dai + +[ Upstream commit 951a04ab3a2db4029debfa48d380ef834b93207e ] + +Add check for the return value of spi_imx_setupxfer(). +spi_imx->rx and spi_imx->tx function pointer can be NULL when +spi_imx_setupxfer() return error, and make NULL pointer dereference. + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + Call trace: + 0x0 + spi_imx_pio_transfer+0x50/0xd8 + spi_imx_transfer_one+0x18c/0x858 + spi_transfer_one_message+0x43c/0x790 + __spi_pump_transfer_message+0x238/0x5d4 + __spi_sync+0x2b0/0x454 + spi_write_then_read+0x11c/0x200 + +Signed-off-by: Tamura Dai +Reviewed-by: Carlos Song +Link: https://patch.msgid.link/20250417011700.14436-1-kirinode0@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index 4c31d36f3130a..810541eed213e 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1614,10 +1614,13 @@ static int spi_imx_transfer_one(struct spi_controller *controller, + struct spi_device *spi, + struct spi_transfer *transfer) + { ++ int ret; + struct spi_imx_data *spi_imx = spi_controller_get_devdata(spi->controller); + unsigned long hz_per_byte, byte_limit; + +- spi_imx_setupxfer(spi, transfer); ++ ret = spi_imx_setupxfer(spi, transfer); ++ if (ret < 0) ++ return ret; + transfer->effective_speed_hz = spi_imx->spi_bus_clk; + + /* flush rxfifo before transfer */ +-- +2.39.5 + diff --git a/queue-6.12/spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch b/queue-6.12/spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch new file mode 100644 index 0000000000..22776caf32 --- /dev/null +++ b/queue-6.12/spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch @@ -0,0 +1,48 @@ +From f2d4f50d609270a6089df75dfd5a3fab2b97b81a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 06:47:50 -0700 +Subject: spi: tegra210-quad: add rate limiting and simplify timeout error + message + +From: Breno Leitao + +[ Upstream commit 21f4314e66ed8d40b2ee24185d1a06a07a512eb1 ] + +On malfunctioning hardware, timeout error messages can appear thousands +of times, creating unnecessary system pressure and log bloat. This patch +makes two improvements: + +1. Replace dev_err() with dev_err_ratelimited() to prevent log flooding + when hardware errors persist +2. Remove the redundant timeout value parameter from the error message, + as 'ret' is always zero in this error path + +These changes reduce logging overhead while maintaining necessary error +reporting for debugging purposes. + +Signed-off-by: Breno Leitao +Link: https://patch.msgid.link/20250401-tegra-v2-2-126c293ec047@debian.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index 94dc4cbc40e15..2d48ad844fb80 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -1118,8 +1118,8 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + QSPI_DMA_TIMEOUT); + + if (WARN_ON_ONCE(ret == 0)) { +- dev_err(tqspi->dev, "QSPI Transfer failed with timeout: %d\n", +- ret); ++ dev_err_ratelimited(tqspi->dev, ++ "QSPI Transfer failed with timeout\n"); + if (tqspi->is_curr_dma_xfer && + (tqspi->cur_direction & DATA_DIR_TX)) + dmaengine_terminate_all +-- +2.39.5 + diff --git a/queue-6.12/spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch b/queue-6.12/spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch new file mode 100644 index 0000000000..59e2e8e5e3 --- /dev/null +++ b/queue-6.12/spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch @@ -0,0 +1,44 @@ +From 4327020ea12ac4cc28c7dbb04ebb6a80ebdf1764 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 06:47:49 -0700 +Subject: spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts + +From: Breno Leitao + +[ Upstream commit 41c721fc093938745d116c3a21326a0ee03bb491 ] + +Some machines with tegra_qspi_combined_seq_xfer hardware issues generate +excessive kernel warnings, severely polluting the logs: + + dmesg | grep -i "WARNING:.*tegra_qspi_transfer_one_message" | wc -l + 94451 + +This patch replaces WARN_ON with WARN_ON_ONCE for timeout conditions to +reduce log spam. The subsequent error message still prints on each +occurrence, providing sufficient information about the failure, while +the stack trace is only needed once for debugging purposes. + +Signed-off-by: Breno Leitao +Link: https://patch.msgid.link/20250401-tegra-v2-1-126c293ec047@debian.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index 43f11b0e9e765..94dc4cbc40e15 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -1117,7 +1117,7 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + (&tqspi->xfer_completion, + QSPI_DMA_TIMEOUT); + +- if (WARN_ON(ret == 0)) { ++ if (WARN_ON_ONCE(ret == 0)) { + dev_err(tqspi->dev, "QSPI Transfer failed with timeout: %d\n", + ret); + if (tqspi->is_curr_dma_xfer && +-- +2.39.5 + diff --git a/queue-6.12/thunderbolt-scan-retimers-after-device-router-has-be.patch b/queue-6.12/thunderbolt-scan-retimers-after-device-router-has-be.patch new file mode 100644 index 0000000000..7c786b2704 --- /dev/null +++ b/queue-6.12/thunderbolt-scan-retimers-after-device-router-has-be.patch @@ -0,0 +1,68 @@ +From 6bd42950e1d7a5301b0cca295a919b8b07d2c4d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 10:53:21 +0200 +Subject: thunderbolt: Scan retimers after device router has been enumerated + +From: Mika Westerberg + +[ Upstream commit 75749d2c1d8cef439f8b69fa1f4f36d0fc3193e6 ] + +Thomas reported connection issues on AMD system with Pluggable UD-4VPD +dock. After some experiments it looks like the device has some sort of +internal timeout that triggers reconnect. This is completely against the +USB4 spec, as there is no requirement for the host to enumerate the +device right away or even at all. + +In Linux case the delay is caused by scanning of retimers on the link so +we can work this around by doing the scanning after the device router +has been enumerated. + +Reported-by: Thomas Lynema +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219748 +Reviewed-by: Mario Limonciello +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/tb.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c +index a7c6919fbf978..e1da433a9e7fb 100644 +--- a/drivers/thunderbolt/tb.c ++++ b/drivers/thunderbolt/tb.c +@@ -1295,11 +1295,15 @@ static void tb_scan_port(struct tb_port *port) + goto out_rpm_put; + } + +- tb_retimer_scan(port, true); +- + sw = tb_switch_alloc(port->sw->tb, &port->sw->dev, + tb_downstream_route(port)); + if (IS_ERR(sw)) { ++ /* ++ * Make the downstream retimers available even if there ++ * is no router connected. ++ */ ++ tb_retimer_scan(port, true); ++ + /* + * If there is an error accessing the connected switch + * it may be connected to another domain. Also we allow +@@ -1349,6 +1353,14 @@ static void tb_scan_port(struct tb_port *port) + upstream_port = tb_upstream_port(sw); + tb_configure_link(port, upstream_port, sw); + ++ /* ++ * Scan for downstream retimers. We only scan them after the ++ * router has been enumerated to avoid issues with certain ++ * Pluggable devices that expect the host to enumerate them ++ * within certain timeout. ++ */ ++ tb_retimer_scan(port, true); ++ + /* + * CL0s and CL1 are enabled and supported together. + * Silently ignore CLx enabling in case CLx is not supported. +-- +2.39.5 + diff --git a/queue-6.12/timekeeping-add-a-lockdep-override-in-tick_freeze.patch b/queue-6.12/timekeeping-add-a-lockdep-override-in-tick_freeze.patch new file mode 100644 index 0000000000..374ca4520d --- /dev/null +++ b/queue-6.12/timekeeping-add-a-lockdep-override-in-tick_freeze.patch @@ -0,0 +1,85 @@ +From 58cc0f2ecff706ca11fc7aef4c51fcb95a3c55ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 15:34:29 +0200 +Subject: timekeeping: Add a lockdep override in tick_freeze() + +From: Sebastian Andrzej Siewior + +[ Upstream commit 92e250c624ea37fde64bfd624fd2556f0d846f18 ] + +tick_freeze() acquires a raw spinlock (tick_freeze_lock). Later in the +callchain (timekeeping_suspend() -> mc146818_avoid_UIP()) the RTC driver +acquires a spinlock which becomes a sleeping lock on PREEMPT_RT. Lockdep +complains about this lock nesting. + +Add a lockdep override for this special case and a comment explaining +why it is okay. + +Reported-by: Borislav Petkov +Reported-by: Chris Bainbridge +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/all/20250404133429.pnAzf-eF@linutronix.de +Closes: https://lore.kernel.org/all/20250330113202.GAZ-krsjAnurOlTcp-@fat_crate.local/ +Closes: https://lore.kernel.org/all/CAP-bSRZ0CWyZZsMtx046YV8L28LhY0fson2g4EqcwRAVN1Jk+Q@mail.gmail.com/ +Signed-off-by: Sasha Levin +--- + kernel/time/tick-common.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c +index a47bcf71defcf..9a3859443c042 100644 +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -509,6 +509,7 @@ void tick_resume(void) + + #ifdef CONFIG_SUSPEND + static DEFINE_RAW_SPINLOCK(tick_freeze_lock); ++static DEFINE_WAIT_OVERRIDE_MAP(tick_freeze_map, LD_WAIT_SLEEP); + static unsigned int tick_freeze_depth; + + /** +@@ -528,9 +529,22 @@ void tick_freeze(void) + if (tick_freeze_depth == num_online_cpus()) { + trace_suspend_resume(TPS("timekeeping_freeze"), + smp_processor_id(), true); ++ /* ++ * All other CPUs have their interrupts disabled and are ++ * suspended to idle. Other tasks have been frozen so there ++ * is no scheduling happening. This means that there is no ++ * concurrency in the system at this point. Therefore it is ++ * okay to acquire a sleeping lock on PREEMPT_RT, such as a ++ * spinlock, because the lock cannot be held by other CPUs ++ * or threads and acquiring it cannot block. ++ * ++ * Inform lockdep about the situation. ++ */ ++ lock_map_acquire_try(&tick_freeze_map); + system_state = SYSTEM_SUSPEND; + sched_clock_suspend(); + timekeeping_suspend(); ++ lock_map_release(&tick_freeze_map); + } else { + tick_suspend_local(); + } +@@ -552,8 +566,16 @@ void tick_unfreeze(void) + raw_spin_lock(&tick_freeze_lock); + + if (tick_freeze_depth == num_online_cpus()) { ++ /* ++ * Similar to tick_freeze(). On resumption the first CPU may ++ * acquire uncontended sleeping locks while other CPUs block on ++ * tick_freeze_lock. ++ */ ++ lock_map_acquire_try(&tick_freeze_map); + timekeeping_resume(); + sched_clock_resume(); ++ lock_map_release(&tick_freeze_map); ++ + system_state = SYSTEM_RUNNING; + trace_suspend_resume(TPS("timekeeping_freeze"), + smp_processor_id(), false); +-- +2.39.5 + diff --git a/queue-6.12/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch b/queue-6.12/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch new file mode 100644 index 0000000000..3b7c3f6eec --- /dev/null +++ b/queue-6.12/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch @@ -0,0 +1,90 @@ +From 5883f61cf815cf2cbfaf5b0136b58c43269d7155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:33:54 +0000 +Subject: ubsan: Fix panic from test_ubsan_out_of_bounds + +From: Mostafa Saleh + +[ Upstream commit 9b044614be12d78d3a93767708b8d02fb7dfa9b0 ] + +Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the +kernel: + +[ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan] +[ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT +[ 31.648153] Hardware name: linux,dummy-virt (DT) +[ 31.648970] Call trace: +[ 31.649345] show_stack+0x18/0x24 (C) +[ 31.650960] dump_stack_lvl+0x40/0x84 +[ 31.651559] dump_stack+0x18/0x24 +[ 31.652264] panic+0x138/0x3b4 +[ 31.652812] __ktime_get_real_seconds+0x0/0x10 +[ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan] +[ 31.654388] init_module+0x24/0xff4 [test_ubsan] +[ 31.655077] do_one_initcall+0xd4/0x280 +[ 31.655680] do_init_module+0x58/0x2b4 + +That happens because the test corrupts other data in the stack: +400: d5384108 mrs x8, sp_el0 +404: f9426d08 ldr x8, [x8, #1240] +408: f85f83a9 ldur x9, [x29, #-8] +40c: eb09011f cmp x8, x9 +410: 54000301 b.ne 470 // b.any + +As there is no guarantee the compiler will order the local variables +as declared in the module: + volatile char above[4] = { }; /* Protect surrounding memory. */ + volatile int arr[4]; + volatile char below[4] = { }; /* Protect surrounding memory. */ + +There is another problem where the out-of-bound index is 5 which is larger +than the extra surrounding memory for protection. + +So, use a struct to enforce the ordering, and fix the index to be 4. +Also, remove some of the volatiles and rely on OPTIMIZER_HIDE_VAR() + +Signed-off-by: Mostafa Saleh +Link: https://lore.kernel.org/r/20250415203354.4109415-1-smostafa@google.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + lib/test_ubsan.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c +index 5d7b10e986107..63b7566e78639 100644 +--- a/lib/test_ubsan.c ++++ b/lib/test_ubsan.c +@@ -68,18 +68,22 @@ static void test_ubsan_shift_out_of_bounds(void) + + static void test_ubsan_out_of_bounds(void) + { +- volatile int i = 4, j = 5, k = -1; +- volatile char above[4] = { }; /* Protect surrounding memory. */ +- volatile int arr[4]; +- volatile char below[4] = { }; /* Protect surrounding memory. */ ++ int i = 4, j = 4, k = -1; ++ volatile struct { ++ char above[4]; /* Protect surrounding memory. */ ++ int arr[4]; ++ char below[4]; /* Protect surrounding memory. */ ++ } data; + +- above[0] = below[0]; ++ OPTIMIZER_HIDE_VAR(i); ++ OPTIMIZER_HIDE_VAR(j); ++ OPTIMIZER_HIDE_VAR(k); + + UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above"); +- arr[j] = i; ++ data.arr[j] = i; + + UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below"); +- arr[k] = i; ++ data.arr[k] = i; + } + + enum ubsan_test_enum { +-- +2.39.5 + diff --git a/queue-6.12/um-work-around-sched_yield-not-yielding-in-time-trav.patch b/queue-6.12/um-work-around-sched_yield-not-yielding-in-time-trav.patch new file mode 100644 index 0000000000..baf5d7e52f --- /dev/null +++ b/queue-6.12/um-work-around-sched_yield-not-yielding-in-time-trav.patch @@ -0,0 +1,65 @@ +From 50011b4979e26bea93e02997bdf79d74bd40b4e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 14:08:15 +0100 +Subject: um: work around sched_yield not yielding in time-travel mode + +From: Benjamin Berg + +[ Upstream commit 887c5c12e80c8424bd471122d2e8b6b462e12874 ] + +sched_yield by a userspace may not actually cause scheduling in +time-travel mode as no time has passed. In the case seen it appears to +be a badly implemented userspace spinlock in ASAN. Unfortunately, with +time-travel it causes an extreme slowdown or even deadlock depending on +the kernel configuration (CONFIG_UML_MAX_USERSPACE_ITERATIONS). + +Work around it by accounting time to the process whenever it executes a +sched_yield syscall. + +Signed-off-by: Benjamin Berg +Link: https://patch.msgid.link/20250314130815.226872-1-benjamin@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/include/linux/time-internal.h | 2 ++ + arch/um/kernel/skas/syscall.c | 11 +++++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/arch/um/include/linux/time-internal.h b/arch/um/include/linux/time-internal.h +index b22226634ff60..138908b999d76 100644 +--- a/arch/um/include/linux/time-internal.h ++++ b/arch/um/include/linux/time-internal.h +@@ -83,6 +83,8 @@ extern void time_travel_not_configured(void); + #define time_travel_del_event(...) time_travel_not_configured() + #endif /* CONFIG_UML_TIME_TRAVEL_SUPPORT */ + ++extern unsigned long tt_extra_sched_jiffies; ++ + /* + * Without CONFIG_UML_TIME_TRAVEL_SUPPORT this is a linker error if used, + * which is intentional since we really shouldn't link it in that case. +diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c +index b09e85279d2b8..a5beaea2967ec 100644 +--- a/arch/um/kernel/skas/syscall.c ++++ b/arch/um/kernel/skas/syscall.c +@@ -31,6 +31,17 @@ void handle_syscall(struct uml_pt_regs *r) + goto out; + + syscall = UPT_SYSCALL_NR(r); ++ ++ /* ++ * If no time passes, then sched_yield may not actually yield, causing ++ * broken spinlock implementations in userspace (ASAN) to hang for long ++ * periods of time. ++ */ ++ if ((time_travel_mode == TT_MODE_INFCPU || ++ time_travel_mode == TT_MODE_EXTERNAL) && ++ syscall == __NR_sched_yield) ++ tt_extra_sched_jiffies += 1; ++ + if (syscall >= 0 && syscall < __NR_syscalls) { + unsigned long ret = EXECUTE_SYSCALL(syscall, regs); + +-- +2.39.5 + diff --git a/queue-6.12/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch b/queue-6.12/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch new file mode 100644 index 0000000000..eb21924d1c --- /dev/null +++ b/queue-6.12/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch @@ -0,0 +1,68 @@ +From d1a35b650df0187d7692b4552392d0186f92178c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 21:28:04 +0200 +Subject: usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andy Shevchenko + +[ Upstream commit 461f24bff86808ee5fbfe74751a825f8a7ab24e0 ] + +Intel Merrifield SoC uses these endpoints for tracing and they cannot +be re-allocated if being used because the side band flow control signals +are hard wired to certain endpoints: + +• 1 High BW Bulk IN (IN#1) (RTIT) +• 1 1KB BW Bulk IN (IN#8) + 1 1KB BW Bulk OUT (Run Control) (OUT#8) + +In device mode, since RTIT (EP#1) and EXI/RunControl (EP#8) uses +External Buffer Control (EBC) mode, these endpoints are to be mapped to +EBC mode (to be done by EXI target driver). Additionally TRB for RTIT +and EXI are maintained in STM (System Trace Module) unit and the EXI +target driver will as well configure the TRB location for EP #1 IN +and EP#8 (IN and OUT). Since STM/PTI and EXI hardware blocks manage +these endpoints and interface to OTG3 controller through EBC interface, +there is no need to enable any events (such as XferComplete etc) +for these end points. + +Signed-off-by: Andy Shevchenko +Tested-by: Ferry Toth +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250212193116.2487289-5-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-pci.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index 052852f801467..54a4ee2b90b7f 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -148,11 +148,21 @@ static const struct property_entry dwc3_pci_intel_byt_properties[] = { + {} + }; + ++/* ++ * Intel Merrifield SoC uses these endpoints for tracing and they cannot ++ * be re-allocated if being used because the side band flow control signals ++ * are hard wired to certain endpoints: ++ * - 1 High BW Bulk IN (IN#1) (RTIT) ++ * - 1 1KB BW Bulk IN (IN#8) + 1 1KB BW Bulk OUT (Run Control) (OUT#8) ++ */ ++static const u8 dwc3_pci_mrfld_reserved_endpoints[] = { 3, 16, 17 }; ++ + static const struct property_entry dwc3_pci_mrfld_properties[] = { + PROPERTY_ENTRY_STRING("dr_mode", "otg"), + PROPERTY_ENTRY_STRING("linux,extcon-name", "mrfld_bcove_pwrsrc"), + PROPERTY_ENTRY_BOOL("snps,dis_u3_susphy_quirk"), + PROPERTY_ENTRY_BOOL("snps,dis_u2_susphy_quirk"), ++ PROPERTY_ENTRY_U8_ARRAY("snps,reserved-endpoints", dwc3_pci_mrfld_reserved_endpoints), + PROPERTY_ENTRY_BOOL("snps,usb2-gadget-lpm-disable"), + PROPERTY_ENTRY_BOOL("linux,sysdev_is_parent"), + {} +-- +2.39.5 + diff --git a/queue-6.12/usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch b/queue-6.12/usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch new file mode 100644 index 0000000000..b39fd41d64 --- /dev/null +++ b/queue-6.12/usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch @@ -0,0 +1,89 @@ +From 83a651a32bd387498946bd1d5750116caa06c66a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 21:28:02 +0200 +Subject: usb: dwc3: gadget: Refactor loop to avoid NULL endpoints + +From: Andy Shevchenko + +[ Upstream commit eafba0205426091354f050381c32ad1567c35844 ] + +Prepare the gadget driver to handle the reserved endpoints that will be +not allocated at the initialisation time. + +While at it, add a warning where the NULL endpoint should never happen. + +Signed-off-by: Andy Shevchenko +Tested-by: Ferry Toth +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250212193116.2487289-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 12446495af87c..e72bac650981d 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -548,6 +548,7 @@ static int dwc3_gadget_set_xfer_resource(struct dwc3_ep *dep) + int dwc3_gadget_start_config(struct dwc3 *dwc, unsigned int resource_index) + { + struct dwc3_gadget_ep_cmd_params params; ++ struct dwc3_ep *dep; + u32 cmd; + int i; + int ret; +@@ -564,8 +565,13 @@ int dwc3_gadget_start_config(struct dwc3 *dwc, unsigned int resource_index) + return ret; + + /* Reset resource allocation flags */ +- for (i = resource_index; i < dwc->num_eps && dwc->eps[i]; i++) +- dwc->eps[i]->flags &= ~DWC3_EP_RESOURCE_ALLOCATED; ++ for (i = resource_index; i < dwc->num_eps; i++) { ++ dep = dwc->eps[i]; ++ if (!dep) ++ continue; ++ ++ dep->flags &= ~DWC3_EP_RESOURCE_ALLOCATED; ++ } + + return 0; + } +@@ -752,9 +758,11 @@ void dwc3_gadget_clear_tx_fifos(struct dwc3 *dwc) + + dwc->last_fifo_depth = fifo_depth; + /* Clear existing TXFIFO for all IN eps except ep0 */ +- for (num = 3; num < min_t(int, dwc->num_eps, DWC3_ENDPOINTS_NUM); +- num += 2) { ++ for (num = 3; num < min_t(int, dwc->num_eps, DWC3_ENDPOINTS_NUM); num += 2) { + dep = dwc->eps[num]; ++ if (!dep) ++ continue; ++ + /* Don't change TXFRAMNUM on usb31 version */ + size = DWC3_IP_IS(DWC3) ? 0 : + dwc3_readl(dwc->regs, DWC3_GTXFIFOSIZ(num >> 1)) & +@@ -3670,6 +3678,8 @@ static bool dwc3_gadget_endpoint_trbs_complete(struct dwc3_ep *dep, + + for (i = 0; i < DWC3_ENDPOINTS_NUM; i++) { + dep = dwc->eps[i]; ++ if (!dep) ++ continue; + + if (!(dep->flags & DWC3_EP_ENABLED)) + continue; +@@ -3858,6 +3868,10 @@ static void dwc3_endpoint_interrupt(struct dwc3 *dwc, + u8 epnum = event->endpoint_number; + + dep = dwc->eps[epnum]; ++ if (!dep) { ++ dev_warn(dwc->dev, "spurious event, endpoint %u is not allocated\n", epnum); ++ return; ++ } + + if (!(dep->flags & DWC3_EP_ENABLED)) { + if ((epnum > 1) && !(dep->flags & DWC3_EP_TRANSFER_STARTED)) +-- +2.39.5 + diff --git a/queue-6.12/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch b/queue-6.12/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch new file mode 100644 index 0000000000..bd369a2e5c --- /dev/null +++ b/queue-6.12/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch @@ -0,0 +1,41 @@ +From cd9b5beb3438f52feefcd073a3c24b25e43df7d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 20:27:05 -0500 +Subject: usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() + +From: Chenyuan Yang + +[ Upstream commit 8c75f3e6a433d92084ad4e78b029ae680865420f ] + +The variable d->name, returned by devm_kasprintf(), could be NULL. +A pointer check is added to prevent potential NULL pointer dereference. +This is similar to the fix in commit 3027e7b15b02 +("ice: Fix some null pointer dereference issues in ice_ptp.c"). + +This issue is found by our static analysis tool + +Signed-off-by: Chenyuan Yang +Link: https://lore.kernel.org/r/20250311012705.1233829-1-chenyuan0y@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/gadget/udc/aspeed-vhub/dev.c b/drivers/usb/gadget/udc/aspeed-vhub/dev.c +index 573109ca5b799..a09f72772e6e9 100644 +--- a/drivers/usb/gadget/udc/aspeed-vhub/dev.c ++++ b/drivers/usb/gadget/udc/aspeed-vhub/dev.c +@@ -548,6 +548,9 @@ int ast_vhub_init_dev(struct ast_vhub *vhub, unsigned int idx) + d->vhub = vhub; + d->index = idx; + d->name = devm_kasprintf(parent, GFP_KERNEL, "port%d", idx+1); ++ if (!d->name) ++ return -ENOMEM; ++ + d->regs = vhub->regs + 0x100 + 0x10 * idx; + + ast_vhub_init_ep0(vhub, &d->ep0, d); +-- +2.39.5 + diff --git a/queue-6.12/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch b/queue-6.12/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch new file mode 100644 index 0000000000..f6b7c1eae2 --- /dev/null +++ b/queue-6.12/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch @@ -0,0 +1,51 @@ +From b96807878ba77154766186df3fe59ff0d2591442 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 20:51:13 +0100 +Subject: usb: host: max3421-hcd: Add missing spi_device_id table + +From: Alexander Stein + +[ Upstream commit 41d5e3806cf589f658f92c75195095df0b66f66a ] + +"maxim,max3421" DT compatible is missing its SPI device ID entry, not +allowing module autoloading and leading to the following message: + "SPI driver max3421-hcd has no spi_device_id for maxim,max3421" + +Fix this by adding the spi_device_id table. + +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20250128195114.56321-1-alexander.stein@mailbox.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/max3421-hcd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c +index 0881fdd1823e0..dcf31a592f5d1 100644 +--- a/drivers/usb/host/max3421-hcd.c ++++ b/drivers/usb/host/max3421-hcd.c +@@ -1946,6 +1946,12 @@ max3421_remove(struct spi_device *spi) + usb_put_hcd(hcd); + } + ++static const struct spi_device_id max3421_spi_ids[] = { ++ { "max3421" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(spi, max3421_spi_ids); ++ + static const struct of_device_id max3421_of_match_table[] = { + { .compatible = "maxim,max3421", }, + {}, +@@ -1955,6 +1961,7 @@ MODULE_DEVICE_TABLE(of, max3421_of_match_table); + static struct spi_driver max3421_driver = { + .probe = max3421_probe, + .remove = max3421_remove, ++ .id_table = max3421_spi_ids, + .driver = { + .name = "max3421-hcd", + .of_match_table = max3421_of_match_table, +-- +2.39.5 + diff --git a/queue-6.12/usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch b/queue-6.12/usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch new file mode 100644 index 0000000000..acc40aae5b --- /dev/null +++ b/queue-6.12/usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch @@ -0,0 +1,84 @@ +From efeda244bf7361b5d9f56848b2395db611c2b3d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 18:36:46 +0100 +Subject: usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() + func +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Théo Lebrun + +[ Upstream commit 64eb182d5f7a5ec30227bce4f6922ff663432f44 ] + +Compatible "marvell,armada3700-xhci" match data uses the +struct xhci_plat_priv::init_quirk() function pointer to add +XHCI_RESET_ON_RESUME as quirk on XHCI. + +Instead, use the struct xhci_plat_priv::quirks field. + +Signed-off-by: Théo Lebrun +Link: https://lore.kernel.org/r/20250205-s2r-cdns-v7-1-13658a271c3c@bootlin.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mvebu.c | 10 ---------- + drivers/usb/host/xhci-mvebu.h | 6 ------ + drivers/usb/host/xhci-plat.c | 2 +- + 3 files changed, 1 insertion(+), 17 deletions(-) + +diff --git a/drivers/usb/host/xhci-mvebu.c b/drivers/usb/host/xhci-mvebu.c +index 87f1597a0e5ab..257e4d79971fd 100644 +--- a/drivers/usb/host/xhci-mvebu.c ++++ b/drivers/usb/host/xhci-mvebu.c +@@ -73,13 +73,3 @@ int xhci_mvebu_mbus_init_quirk(struct usb_hcd *hcd) + + return 0; + } +- +-int xhci_mvebu_a3700_init_quirk(struct usb_hcd *hcd) +-{ +- struct xhci_hcd *xhci = hcd_to_xhci(hcd); +- +- /* Without reset on resume, the HC won't work at all */ +- xhci->quirks |= XHCI_RESET_ON_RESUME; +- +- return 0; +-} +diff --git a/drivers/usb/host/xhci-mvebu.h b/drivers/usb/host/xhci-mvebu.h +index 3be021793cc8b..9d26e22c48422 100644 +--- a/drivers/usb/host/xhci-mvebu.h ++++ b/drivers/usb/host/xhci-mvebu.h +@@ -12,16 +12,10 @@ struct usb_hcd; + + #if IS_ENABLED(CONFIG_USB_XHCI_MVEBU) + int xhci_mvebu_mbus_init_quirk(struct usb_hcd *hcd); +-int xhci_mvebu_a3700_init_quirk(struct usb_hcd *hcd); + #else + static inline int xhci_mvebu_mbus_init_quirk(struct usb_hcd *hcd) + { + return 0; + } +- +-static inline int xhci_mvebu_a3700_init_quirk(struct usb_hcd *hcd) +-{ +- return 0; +-} + #endif + #endif /* __LINUX_XHCI_MVEBU_H */ +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index e6660472501e4..2379a67e34e12 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -106,7 +106,7 @@ static const struct xhci_plat_priv xhci_plat_marvell_armada = { + }; + + static const struct xhci_plat_priv xhci_plat_marvell_armada3700 = { +- .init_quirk = xhci_mvebu_a3700_init_quirk, ++ .quirks = XHCI_RESET_ON_RESUME, + }; + + static const struct xhci_plat_priv xhci_plat_brcm = { +-- +2.39.5 + diff --git a/queue-6.12/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch b/queue-6.12/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch new file mode 100644 index 0000000000..3826dc1a1d --- /dev/null +++ b/queue-6.12/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch @@ -0,0 +1,57 @@ +From e3615efa03572c788ff4da01b12a8128a150ca04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 17:45:51 +0200 +Subject: usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems + Running + +From: Michal Pecio + +[ Upstream commit 28a76fcc4c85dd39633fb96edb643c91820133e3 ] + +Nothing prevents a broken HC from claiming that an endpoint is Running +and repeatedly rejecting Stop Endpoint with Context State Error. + +Avoid infinite retries and give back cancelled TDs. + +No such cases known so far, but HCs have bugs. + +Signed-off-by: Michal Pecio +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250311154551.4035726-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 653e24bb3e9ad..cb2a047213075 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1190,16 +1190,19 @@ static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id, + * Stopped state, but it will soon change to Running. + * + * Assume this bug on unexpected Stop Endpoint failures. +- * Keep retrying until the EP starts and stops again, on +- * chips where this is known to help. Wait for 100ms. ++ * Keep retrying until the EP starts and stops again. + */ +- if (time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100))) +- break; + fallthrough; + case EP_STATE_RUNNING: + /* Race, HW handled stop ep cmd before ep was running */ + xhci_dbg(xhci, "Stop ep completion ctx error, ctx_state %d\n", + GET_EP_CTX_STATE(ep_ctx)); ++ /* ++ * Don't retry forever if we guessed wrong or a defective HC never starts ++ * the EP or says 'Running' but fails the command. We must give back TDs. ++ */ ++ if (time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100))) ++ break; + + command = xhci_alloc_command(xhci, false, GFP_ATOMIC); + if (!command) { +-- +2.39.5 + diff --git a/queue-6.12/usb-xhci-complete-error-mid-td-transfers-when-handli.patch b/queue-6.12/usb-xhci-complete-error-mid-td-transfers-when-handli.patch new file mode 100644 index 0000000000..8a39a32f4a --- /dev/null +++ b/queue-6.12/usb-xhci-complete-error-mid-td-transfers-when-handli.patch @@ -0,0 +1,53 @@ +From e7410a2bad4c526de4aed76b8c6e63f478efef5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 16:49:43 +0200 +Subject: usb: xhci: Complete 'error mid TD' transfers when handling Missed + Service + +From: Michal Pecio + +[ Upstream commit bfa8459942822bdcc86f0e87f237c0723ae64948 ] + +Missed Service Error after an error mid TD means that the failed TD has +already been passed by the xHC without acknowledgment of the final TRB, +a known hardware bug. So don't wait any more and give back the TD. + +Reproduced on NEC uPD720200 under conditions of ludicrously bad USB link +quality, confirmed to behave as expected using dynamic debug. + +Signed-off-by: Michal Pecio +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250306144954.3507700-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index f3266fe406baf..7001f9725cf7c 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2787,7 +2787,7 @@ static int handle_tx_event(struct xhci_hcd *xhci, + xhci_dbg(xhci, + "Miss service interval error for slot %u ep %u, set skip flag\n", + slot_id, ep_index); +- return 0; ++ break; + case COMP_NO_PING_RESPONSE_ERROR: + ep->skip = true; + xhci_dbg(xhci, +@@ -2838,6 +2838,10 @@ static int handle_tx_event(struct xhci_hcd *xhci, + xhci_td_cleanup(xhci, td, ep_ring, td->status); + } + ++ /* Missed TDs will be skipped on the next event */ ++ if (trb_comp_code == COMP_MISSED_SERVICE_ERROR) ++ return 0; ++ + if (list_empty(&ep_ring->td_list)) { + /* + * Don't print wanings if ring is empty due to a stopped endpoint generating an +-- +2.39.5 + diff --git a/queue-6.12/usb-xhci-fix-isochronous-ring-underrun-overrun-event.patch b/queue-6.12/usb-xhci-fix-isochronous-ring-underrun-overrun-event.patch new file mode 100644 index 0000000000..786b6ad12c --- /dev/null +++ b/queue-6.12/usb-xhci-fix-isochronous-ring-underrun-overrun-event.patch @@ -0,0 +1,102 @@ +From 0133c18dd26770c965ef55f4786987b0802b3b57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 16:49:44 +0200 +Subject: usb: xhci: Fix isochronous Ring Underrun/Overrun event handling + +From: Michal Pecio + +[ Upstream commit 906dec15b9b321b546fd31a3c99ffc13724c7af4 ] + +The TRB pointer of these events points at enqueue at the time of error +occurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we +are handling the event, a new TD may be queued at this ring position. + +I can trigger this race by rising interrupt moderation to increase IRQ +handling delay. Similar delay may occur naturally due to system load. + +If this ever happens after a Missed Service Error, missed TDs will be +skipped and the new TD processed as if it matched the event. It could +be given back prematurely, risking data loss or buffer UAF by the xHC. + +Don't complete TDs on xrun events and don't warn if queued TDs don't +match the event's TRB pointer, which can be NULL or a link/no-op TRB. +Don't warn if there are no queued TDs at all. + +Now that it's safe, also handle xrun events if the skip flag is clear. +This ensures completion of any TD stuck in 'error mid TD' state right +before the xrun event, which could happen if a driver submits a finite +number of URBs to a buggy HC and then an error occurs on the last TD. + +Signed-off-by: Michal Pecio +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250306144954.3507700-6-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 7001f9725cf7c..6eb297b168fa4 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2662,6 +2662,7 @@ static int handle_tx_event(struct xhci_hcd *xhci, + int status = -EINPROGRESS; + struct xhci_ep_ctx *ep_ctx; + u32 trb_comp_code; ++ bool ring_xrun_event = false; + + slot_id = TRB_TO_SLOT_ID(le32_to_cpu(event->flags)); + ep_index = TRB_TO_EP_ID(le32_to_cpu(event->flags)) - 1; +@@ -2768,14 +2769,12 @@ static int handle_tx_event(struct xhci_hcd *xhci, + * Underrun Event for OUT Isoch endpoint. + */ + xhci_dbg(xhci, "Underrun event on slot %u ep %u\n", slot_id, ep_index); +- if (ep->skip) +- break; +- return 0; ++ ring_xrun_event = true; ++ break; + case COMP_RING_OVERRUN: + xhci_dbg(xhci, "Overrun event on slot %u ep %u\n", slot_id, ep_index); +- if (ep->skip) +- break; +- return 0; ++ ring_xrun_event = true; ++ break; + case COMP_MISSED_SERVICE_ERROR: + /* + * When encounter missed service error, one or more isoc tds +@@ -2851,6 +2850,7 @@ static int handle_tx_event(struct xhci_hcd *xhci, + */ + if (trb_comp_code != COMP_STOPPED && + trb_comp_code != COMP_STOPPED_LENGTH_INVALID && ++ !ring_xrun_event && + !ep_ring->last_td_was_short) { + xhci_warn(xhci, "Event TRB for slot %u ep %u with no TDs queued\n", + slot_id, ep_index); +@@ -2885,6 +2885,10 @@ static int handle_tx_event(struct xhci_hcd *xhci, + goto check_endpoint_halted; + } + ++ /* TD was queued after xrun, maybe xrun was on a link, don't panic yet */ ++ if (ring_xrun_event) ++ return 0; ++ + /* + * Skip the Force Stopped Event. The 'ep_trb' of FSE is not in the current + * TD pointed by 'ep_ring->dequeue' because that the hardware dequeue +@@ -2931,6 +2935,10 @@ static int handle_tx_event(struct xhci_hcd *xhci, + */ + } while (ep->skip); + ++ /* Get out if a TD was queued at enqueue after the xrun occurred */ ++ if (ring_xrun_event) ++ return 0; ++ + if (trb_comp_code == COMP_SHORT_PACKET) + ep_ring->last_td_was_short = true; + else +-- +2.39.5 + diff --git a/queue-6.12/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch b/queue-6.12/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch new file mode 100644 index 0000000000..57ce4305be --- /dev/null +++ b/queue-6.12/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch @@ -0,0 +1,113 @@ +From 1117e207b4b4e5494bae9fdc5397ac2810494db2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 14:47:34 -0700 +Subject: x86/bugs: Don't fill RSB on context switch with eIBRS + +From: Josh Poimboeuf + +[ Upstream commit 27ce8299bc1ec6df8306073785ff82b30b3cc5ee ] + +User->user Spectre v2 attacks (including RSB) across context switches +are already mitigated by IBPB in cond_mitigation(), if enabled globally +or if either the prev or the next task has opted in to protection. RSB +filling without IBPB serves no purpose for protecting user space, as +indirect branches are still vulnerable. + +User->kernel RSB attacks are mitigated by eIBRS. In which case the RSB +filling on context switch isn't needed, so remove it. + +Suggested-by: Pawan Gupta +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Reviewed-by: Pawan Gupta +Reviewed-by: Amit Shah +Reviewed-by: Nikolay Borisov +Link: https://lore.kernel.org/r/98cdefe42180358efebf78e3b80752850c7a3e1b.1744148254.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 24 ++++++++++++------------ + arch/x86/mm/tlb.c | 6 +++--- + 2 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 589e34c0b70b5..46bddb5bb15ff 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1578,7 +1578,7 @@ static void __init spec_ctrl_disable_kernel_rrsba(void) + rrsba_disabled = true; + } + +-static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode) ++static void __init spectre_v2_select_rsb_mitigation(enum spectre_v2_mitigation mode) + { + /* + * Similar to context switches, there are two types of RSB attacks +@@ -1602,7 +1602,7 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ + */ + switch (mode) { + case SPECTRE_V2_NONE: +- return; ++ break; + + case SPECTRE_V2_EIBRS: + case SPECTRE_V2_EIBRS_LFENCE: +@@ -1611,18 +1611,21 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ + pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n"); + setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + } +- return; ++ break; + + case SPECTRE_V2_RETPOLINE: + case SPECTRE_V2_LFENCE: + case SPECTRE_V2_IBRS: +- pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n"); ++ pr_info("Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT\n"); ++ setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); + setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); +- return; +- } ++ break; + +- pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit"); +- dump_stack(); ++ default: ++ pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation\n"); ++ dump_stack(); ++ break; ++ } + } + + /* +@@ -1854,10 +1857,7 @@ static void __init spectre_v2_select_mitigation(void) + * + * FIXME: Is this pointless for retbleed-affected AMD? + */ +- setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); +- pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); +- +- spectre_v2_determine_rsb_fill_type_at_vmexit(mode); ++ spectre_v2_select_rsb_mitigation(mode); + + /* + * Retpoline protects the kernel, but doesn't protect firmware. IBRS +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index 00ffa74d0dd0b..27d81cb049ff8 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -389,9 +389,9 @@ static void cond_mitigation(struct task_struct *next) + prev_mm = this_cpu_read(cpu_tlbstate.last_user_mm_spec); + + /* +- * Avoid user/user BTB poisoning by flushing the branch predictor +- * when switching between processes. This stops one process from +- * doing Spectre-v2 attacks on another. ++ * Avoid user->user BTB/RSB poisoning by flushing them when switching ++ * between processes. This stops one process from doing Spectre-v2 ++ * attacks on another. + * + * Both, the conditional and the always IBPB mode use the mm + * pointer to avoid the IBPB when switching between tasks of the +-- +2.39.5 + diff --git a/queue-6.12/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch b/queue-6.12/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch new file mode 100644 index 0000000000..b73860e55b --- /dev/null +++ b/queue-6.12/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch @@ -0,0 +1,64 @@ +From dd3f5b956bddd0f31f727723cfe5319fa87c90c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 14:47:33 -0700 +Subject: x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline + +From: Josh Poimboeuf + +[ Upstream commit 18bae0dfec15b24ec14ca17dc18603372f5f254f ] + +eIBRS protects against guest->host RSB underflow/poisoning attacks. +Adding retpoline to the mix doesn't change that. Retpoline has a +balanced CALL/RET anyway. + +So the current full RSB filling on VMEXIT with eIBRS+retpoline is +overkill. Disable it or do the VMEXIT_LITE mitigation if needed. + +Suggested-by: Pawan Gupta +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Reviewed-by: Pawan Gupta +Reviewed-by: Amit Shah +Reviewed-by: Nikolay Borisov +Cc: Paolo Bonzini +Cc: Vitaly Kuznetsov +Cc: Sean Christopherson +Cc: David Woodhouse +Link: https://lore.kernel.org/r/84a1226e5c9e2698eae1b5ade861f1b8bf3677dc.1744148254.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 5fba44a4f988c..589e34c0b70b5 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1604,20 +1604,20 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ + case SPECTRE_V2_NONE: + return; + +- case SPECTRE_V2_EIBRS_LFENCE: + case SPECTRE_V2_EIBRS: ++ case SPECTRE_V2_EIBRS_LFENCE: ++ case SPECTRE_V2_EIBRS_RETPOLINE: + if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { +- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n"); ++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + } + return; + +- case SPECTRE_V2_EIBRS_RETPOLINE: + case SPECTRE_V2_RETPOLINE: + case SPECTRE_V2_LFENCE: + case SPECTRE_V2_IBRS: +- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); + pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n"); ++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); + return; + } + +-- +2.39.5 + diff --git a/queue-6.12/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch b/queue-6.12/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch new file mode 100644 index 0000000000..ddd3807cea --- /dev/null +++ b/queue-6.12/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch @@ -0,0 +1,41 @@ +From e9f2c025703e1aedfce3b48dde125eb4a936f4e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 14:47:31 -0700 +Subject: x86/bugs: Use SBPB in write_ibpb() if applicable + +From: Josh Poimboeuf + +[ Upstream commit fc9fd3f98423367c79e0bd85a9515df26dc1b3cc ] + +write_ibpb() does IBPB, which (among other things) flushes branch type +predictions on AMD. If the CPU has SRSO_NO, or if the SRSO mitigation +has been disabled, branch type flushing isn't needed, in which case the +lighter-weight SBPB can be used. + +The 'x86_pred_cmd' variable already keeps track of whether IBPB or SBPB +should be used. Use that instead of hardcoding IBPB. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/17c5dcd14b29199b75199d67ff7758de9d9a4928.1744148254.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/entry/entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S +index b7ea3e8e9eccd..58e3124ee2b42 100644 +--- a/arch/x86/entry/entry.S ++++ b/arch/x86/entry/entry.S +@@ -18,7 +18,7 @@ + + SYM_FUNC_START(entry_ibpb) + movl $MSR_IA32_PRED_CMD, %ecx +- movl $PRED_CMD_IBPB, %eax ++ movl _ASM_RIP(x86_pred_cmd), %eax + xorl %edx, %edx + wrmsr + +-- +2.39.5 + diff --git a/queue-6.12/x86-cpu-add-cpu-model-number-for-bartlett-lake-cpus-.patch b/queue-6.12/x86-cpu-add-cpu-model-number-for-bartlett-lake-cpus-.patch new file mode 100644 index 0000000000..4ce7dfa4f6 --- /dev/null +++ b/queue-6.12/x86-cpu-add-cpu-model-number-for-bartlett-lake-cpus-.patch @@ -0,0 +1,47 @@ +From bd1118ba080ce653ff90fd6a56afd7150dedd258 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 11:28:39 +0800 +Subject: x86/cpu: Add CPU model number for Bartlett Lake CPUs with Raptor Cove + cores + +From: Pi Xiange + +[ Upstream commit d466304c4322ad391797437cd84cca7ce1660de0 ] + +Bartlett Lake has a P-core only product with Raptor Cove. + +[ mingo: Switch around the define as pointed out by Christian Ludloff: + Ratpr Cove is the core, Bartlett Lake is the product. + +Signed-off-by: Pi Xiange +Signed-off-by: Ingo Molnar +Cc: Christian Ludloff +Cc: Peter Zijlstra +Cc: Tony Luck +Cc: Andrew Cooper +Cc: "H. Peter Anvin" +Cc: John Ogness +Cc: "Ahmed S. Darwish" +Cc: x86-cpuid@lists.linux.dev +Link: https://lore.kernel.org/r/20250414032839.5368-1-xiange.pi@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/intel-family.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h +index 1a42f829667a3..62d8b9448dc5c 100644 +--- a/arch/x86/include/asm/intel-family.h ++++ b/arch/x86/include/asm/intel-family.h +@@ -115,6 +115,8 @@ + #define INTEL_GRANITERAPIDS_X IFM(6, 0xAD) + #define INTEL_GRANITERAPIDS_D IFM(6, 0xAE) + ++#define INTEL_BARTLETTLAKE IFM(6, 0xD7) /* Raptor Cove */ ++ + /* "Hybrid" Processors (P-Core/E-Core) */ + + #define INTEL_LAKEFIELD IFM(6, 0x8A) /* Sunny Cove / Tremont */ +-- +2.39.5 + diff --git a/queue-6.12/x86-i8253-call-clockevent_i8253_disable-with-interru.patch b/queue-6.12/x86-i8253-call-clockevent_i8253_disable-with-interru.patch new file mode 100644 index 0000000000..21bd208dd0 --- /dev/null +++ b/queue-6.12/x86-i8253-call-clockevent_i8253_disable-with-interru.patch @@ -0,0 +1,73 @@ +From fff72f5c4b421a68cae5e3f650dc71d595573673 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:23:03 +0200 +Subject: x86/i8253: Call clockevent_i8253_disable() with interrupts disabled + +From: Fernando Fernandez Mancera + +[ Upstream commit 3940f5349b476197fb079c5aa19c9a988de64efb ] + +There's a lockdep false positive warning related to i8253_lock: + + WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected + ... + systemd-sleep/3324 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: + ffffffffb2c23398 (i8253_lock){+.+.}-{2:2}, at: pcspkr_event+0x3f/0xe0 [pcspkr] + + ... + ... which became HARDIRQ-irq-unsafe at: + ... + lock_acquire+0xd0/0x2f0 + _raw_spin_lock+0x30/0x40 + clockevent_i8253_disable+0x1c/0x60 + pit_timer_init+0x25/0x50 + hpet_time_init+0x46/0x50 + x86_late_time_init+0x1b/0x40 + start_kernel+0x962/0xa00 + x86_64_start_reservations+0x24/0x30 + x86_64_start_kernel+0xed/0xf0 + common_startup_64+0x13e/0x141 + ... + +Lockdep complains due pit_timer_init() using the lock in an IRQ-unsafe +fashion, but it's a false positive, because there is no deadlock +possible at that point due to init ordering: at the point where +pit_timer_init() is called there is no other possible usage of +i8253_lock because the system is still in the very early boot stage +with no interrupts. + +But in any case, pit_timer_init() should disable interrupts before +calling clockevent_i8253_disable() out of general principle, and to +keep lockdep working even in this scenario. + +Use scoped_guard() for that, as suggested by Thomas Gleixner. + +[ mingo: Cleaned up the changelog. ] + +Suggested-by: Thomas Gleixner +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Ingo Molnar +Reviewed-by: Thomas Gleixner +Link: https://lore.kernel.org/r/Z-uwd4Bnn7FcCShX@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/i8253.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/i8253.c b/arch/x86/kernel/i8253.c +index 80e262bb627fe..cb9852ad60989 100644 +--- a/arch/x86/kernel/i8253.c ++++ b/arch/x86/kernel/i8253.c +@@ -46,7 +46,8 @@ bool __init pit_timer_init(void) + * VMMs otherwise steal CPU time just to pointlessly waggle + * the (masked) IRQ. + */ +- clockevent_i8253_disable(); ++ scoped_guard(irq) ++ clockevent_i8253_disable(); + return false; + } + clockevent_i8253_init(true); +-- +2.39.5 + diff --git a/queue-6.12/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch b/queue-6.12/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch new file mode 100644 index 0000000000..051d0a1e0c --- /dev/null +++ b/queue-6.12/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch @@ -0,0 +1,97 @@ +From de3f4a1ce7f547ed858b228908a8dd318b4cf362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 21:48:48 +0100 +Subject: x86/Kconfig: Make CONFIG_PCI_CNB20LE_QUIRK depend on X86_32 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mateusz Jończyk + +[ Upstream commit d9f87802676bb23b9425aea8ad95c76ad9b50c6e ] + +I was unable to find a good description of the ServerWorks CNB20LE +chipset. However, it was probably exclusively used with the Pentium III +processor (this CPU model was used in all references to it that I +found where the CPU model was provided: dmesgs in [1] and [2]; +[3] page 2; [4]-[7]). + +As is widely known, the Pentium III processor did not support the 64-bit +mode, support for which was introduced by Intel a couple of years later. +So it is safe to assume that no systems with the CNB20LE chipset have +amd64 and the CONFIG_PCI_CNB20LE_QUIRK may now depend on X86_32. + +Additionally, I have determined that most computers with the CNB20LE +chipset did have ACPI support and this driver was inactive on them. +I have submitted a patch to remove this driver, but it was met with +resistance [8]. + +[1] Jim Studt, Re: Problem with ServerWorks CNB20LE and lost interrupts + Linux Kernel Mailing List, https://lkml.org/lkml/2002/1/11/111 + +[2] RedHat Bug 665109 - e100 problems on old Compaq Proliant DL320 + https://bugzilla.redhat.com/show_bug.cgi?id=665109 + +[3] R. Hughes-Jones, S. Dallison, G. Fairey, Performance Measurements on + Gigabit Ethernet NICs and Server Quality Motherboards, + http://datatag.web.cern.ch/papers/pfldnet2003-rhj.doc + +[4] "Hardware for Linux", + Probe #d6b5151873 of Intel STL2-bd A28808-302 Desktop Computer (STL2) + https://linux-hardware.org/?probe=d6b5151873 + +[5] "Hardware for Linux", Probe #0b5d843f10 of Compaq ProLiant DL380 + https://linux-hardware.org/?probe=0b5d843f10 + +[6] Ubuntu Forums, Dell Poweredge 2400 - Adaptec SCSI Bus AIC-7880 + https://ubuntuforums.org/showthread.php?t=1689552 + +[7] Ira W. Snyder, "BISECTED: 2.6.35 (and -git) fail to boot: APIC problems" + https://lkml.org/lkml/2010/8/13/220 + +[8] Bjorn Helgaas, "Re: [PATCH] x86/pci: drop ServerWorks / Broadcom + CNB20LE PCI host bridge driver" + https://lore.kernel.org/lkml/20220318165535.GA840063@bhelgaas/T/ + +Signed-off-by: Mateusz Jończyk +Signed-off-by: David Heideberg +Signed-off-by: Ingo Molnar +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250321-x86_x2apic-v3-6-b0cbaa6fa338@ixit.cz +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index e54da3b4d334e..ee5611418500c 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -2964,13 +2964,21 @@ config MMCONF_FAM10H + depends on X86_64 && PCI_MMCONFIG && ACPI + + config PCI_CNB20LE_QUIRK +- bool "Read CNB20LE Host Bridge Windows" if EXPERT +- depends on PCI ++ bool "Read PCI host bridge windows from the CNB20LE chipset" if EXPERT ++ depends on X86_32 && PCI + help + Read the PCI windows out of the CNB20LE host bridge. This allows + PCI hotplug to work on systems with the CNB20LE chipset which do + not have ACPI. + ++ The ServerWorks (later Broadcom) CNB20LE was a chipset designed ++ most probably only for Pentium III. ++ ++ To find out if you have such a chipset, search for a PCI device with ++ 1166:0009 PCI IDs, for example by executing ++ lspci -nn | grep '1166:0009' ++ The code is inactive if there is none. ++ + There's no public spec for this chipset, and this functionality + is known to be incomplete. + +-- +2.39.5 + diff --git a/queue-6.12/x86-xen-disable-cpu-idle-and-frequency-drivers-for-p.patch b/queue-6.12/x86-xen-disable-cpu-idle-and-frequency-drivers-for-p.patch new file mode 100644 index 0000000000..64ccfe8bf9 --- /dev/null +++ b/queue-6.12/x86-xen-disable-cpu-idle-and-frequency-drivers-for-p.patch @@ -0,0 +1,74 @@ +From ad4401a855274dad34742d216b23fa983d9f7c94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 12:18:41 +0200 +Subject: x86/xen: disable CPU idle and frequency drivers for PVH dom0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +[ Upstream commit 64a66e2c3b3113dc78a6124e14825d68ddc2e188 ] + +When running as a PVH dom0 the ACPI tables exposed to Linux are (mostly) +the native ones, thus exposing the C and P states, that can lead to +attachment of CPU idle and frequency drivers. However the entity in +control of the CPU C and P states is Xen, as dom0 doesn't have a full view +of the system load, neither has all CPUs assigned and identity pinned. + +Like it's done for classic PV guests, prevent Linux from using idle or +frequency state drivers when running as a PVH dom0. + +On an AMD EPYC 7543P system without this fix a Linux PVH dom0 will keep the +host CPUs spinning at 100% even when dom0 is completely idle, as it's +attempting to use the acpi_idle driver. + +Signed-off-by: Roger Pau Monné +Reviewed-by: Jason Andryuk +Signed-off-by: Juergen Gross +Message-ID: <20250407101842.67228-1-roger.pau@citrix.com> +Signed-off-by: Sasha Levin +--- + arch/x86/xen/enlighten_pvh.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/xen/enlighten_pvh.c b/arch/x86/xen/enlighten_pvh.c +index 0e3d930bcb89e..9d25d9373945c 100644 +--- a/arch/x86/xen/enlighten_pvh.c ++++ b/arch/x86/xen/enlighten_pvh.c +@@ -1,5 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + #include ++#include ++#include + #include + #include + +@@ -123,8 +125,23 @@ static void __init pvh_arch_setup(void) + { + pvh_reserve_extra_memory(); + +- if (xen_initial_domain()) ++ if (xen_initial_domain()) { + xen_add_preferred_consoles(); ++ ++ /* ++ * Disable usage of CPU idle and frequency drivers: when ++ * running as hardware domain the exposed native ACPI tables ++ * causes idle and/or frequency drivers to attach and ++ * malfunction. It's Xen the entity that controls the idle and ++ * frequency states. ++ * ++ * For unprivileged domains the exposed ACPI tables are ++ * fabricated and don't contain such data. ++ */ ++ disable_cpuidle(); ++ disable_cpufreq(); ++ WARN_ON(xen_set_default_idle()); ++ } + } + + void __init xen_pvh_init(struct boot_params *boot_params) +-- +2.39.5 + diff --git a/queue-6.12/xen-change-xen-acpi-processor-dom0-dependency.patch b/queue-6.12/xen-change-xen-acpi-processor-dom0-dependency.patch new file mode 100644 index 0000000000..f64ba62c25 --- /dev/null +++ b/queue-6.12/xen-change-xen-acpi-processor-dom0-dependency.patch @@ -0,0 +1,40 @@ +From abfa861437f1d890f47892b5688597403c3dd15e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 13:29:12 -0400 +Subject: xen: Change xen-acpi-processor dom0 dependency + +From: Jason Andryuk + +[ Upstream commit 0f2946bb172632e122d4033e0b03f85230a29510 ] + +xen-acpi-processor functions under a PVH dom0 with only a +xen_initial_domain() runtime check. Change the Kconfig dependency from +PV dom0 to generic dom0 to reflect that. + +Suggested-by: Jan Beulich +Signed-off-by: Jason Andryuk +Reviewed-by: Juergen Gross +Tested-by: Jan Beulich +Signed-off-by: Juergen Gross +Message-ID: <20250331172913.51240-1-jason.andryuk@amd.com> +Signed-off-by: Sasha Levin +--- + drivers/xen/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig +index f7d6f47971fdf..24f485827e039 100644 +--- a/drivers/xen/Kconfig ++++ b/drivers/xen/Kconfig +@@ -278,7 +278,7 @@ config XEN_PRIVCMD_EVENTFD + + config XEN_ACPI_PROCESSOR + tristate "Xen ACPI processor" +- depends on XEN && XEN_PV_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ ++ depends on XEN && XEN_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ + default m + help + This ACPI processor uploads Power Management information to the Xen +-- +2.39.5 + diff --git a/queue-6.12/xhci-handle-spurious-events-on-etron-host-isoc-enpoi.patch b/queue-6.12/xhci-handle-spurious-events-on-etron-host-isoc-enpoi.patch new file mode 100644 index 0000000000..81b5b792f6 --- /dev/null +++ b/queue-6.12/xhci-handle-spurious-events-on-etron-host-isoc-enpoi.patch @@ -0,0 +1,153 @@ +From a5cdbf2fa0830cf511aae20276d3795ba0d01ab2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 16:49:54 +0200 +Subject: xhci: Handle spurious events on Etron host isoc enpoints + +From: Mathias Nyman + +[ Upstream commit b331a3d8097fad4e541d212684192f21fedbd6e5 ] + +Unplugging a USB3.0 webcam from Etron hosts while streaming results +in errors like this: + +[ 2.646387] xhci_hcd 0000:03:00.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 18 comp_code 13 +[ 2.646446] xhci_hcd 0000:03:00.0: Looking for event-dma 000000002fdf8630 trb-start 000000002fdf8640 trb-end 000000002fdf8650 +[ 2.646560] xhci_hcd 0000:03:00.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 18 comp_code 13 +[ 2.646568] xhci_hcd 0000:03:00.0: Looking for event-dma 000000002fdf8660 trb-start 000000002fdf8670 trb-end 000000002fdf8670 + +Etron xHC generates two transfer events for the TRB if an error is +detected while processing the last TRB of an isoc TD. + +The first event can be any sort of error (like USB Transaction or +Babble Detected, etc), and the final event is Success. + +The xHCI driver will handle the TD after the first event and remove it +from its internal list, and then print an "Transfer event TRB DMA ptr +not part of current TD" error message after the final event. + +Commit 5372c65e1311 ("xhci: process isoc TD properly when there was a +transaction error mid TD.") is designed to address isoc transaction +errors, but unfortunately it doesn't account for this scenario. + +This issue is similar to the XHCI_SPURIOUS_SUCCESS case where a success +event follows a 'short transfer' event, but the TD the event points to +is already given back. + +Expand the spurious success 'short transfer' event handling to cover +the spurious success after error on Etron hosts. + +Kuangyi Chiang reported this issue and submitted a different solution +based on using error_mid_td. This commit message is mostly taken +from that patch. + +Reported-by: Kuangyi Chiang +Closes: https://lore.kernel.org/linux-usb/20241028025337.6372-6-ki.chiang65@gmail.com/ +Tested-by: Kuangyi Chiang +Tested-by: Michal Pecio +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250306144954.3507700-16-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 38 ++++++++++++++++++++++++------------ + drivers/usb/host/xhci.h | 2 +- + 2 files changed, 27 insertions(+), 13 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 6eb297b168fa4..653e24bb3e9ad 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2642,6 +2642,22 @@ static int handle_transferless_tx_event(struct xhci_hcd *xhci, struct xhci_virt_ + return 0; + } + ++static bool xhci_spurious_success_tx_event(struct xhci_hcd *xhci, ++ struct xhci_ring *ring) ++{ ++ switch (ring->old_trb_comp_code) { ++ case COMP_SHORT_PACKET: ++ return xhci->quirks & XHCI_SPURIOUS_SUCCESS; ++ case COMP_USB_TRANSACTION_ERROR: ++ case COMP_BABBLE_DETECTED_ERROR: ++ case COMP_ISOCH_BUFFER_OVERRUN: ++ return xhci->quirks & XHCI_ETRON_HOST && ++ ring->type == TYPE_ISOC; ++ default: ++ return false; ++ } ++} ++ + /* + * If this function returns an error condition, it means it got a Transfer + * event with a corrupted Slot ID, Endpoint ID, or TRB DMA address. +@@ -2696,8 +2712,8 @@ static int handle_tx_event(struct xhci_hcd *xhci, + case COMP_SUCCESS: + if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) { + trb_comp_code = COMP_SHORT_PACKET; +- xhci_dbg(xhci, "Successful completion on short TX for slot %u ep %u with last td short %d\n", +- slot_id, ep_index, ep_ring->last_td_was_short); ++ xhci_dbg(xhci, "Successful completion on short TX for slot %u ep %u with last td comp code %d\n", ++ slot_id, ep_index, ep_ring->old_trb_comp_code); + } + break; + case COMP_SHORT_PACKET: +@@ -2851,7 +2867,7 @@ static int handle_tx_event(struct xhci_hcd *xhci, + if (trb_comp_code != COMP_STOPPED && + trb_comp_code != COMP_STOPPED_LENGTH_INVALID && + !ring_xrun_event && +- !ep_ring->last_td_was_short) { ++ !xhci_spurious_success_tx_event(xhci, ep_ring)) { + xhci_warn(xhci, "Event TRB for slot %u ep %u with no TDs queued\n", + slot_id, ep_index); + } +@@ -2903,11 +2919,12 @@ static int handle_tx_event(struct xhci_hcd *xhci, + + /* + * Some hosts give a spurious success event after a short +- * transfer. Ignore it. ++ * transfer or error on last TRB. Ignore it. + */ +- if ((xhci->quirks & XHCI_SPURIOUS_SUCCESS) && +- ep_ring->last_td_was_short) { +- ep_ring->last_td_was_short = false; ++ if (xhci_spurious_success_tx_event(xhci, ep_ring)) { ++ xhci_dbg(xhci, "Spurious event dma %pad, comp_code %u after %u\n", ++ &ep_trb_dma, trb_comp_code, ep_ring->old_trb_comp_code); ++ ep_ring->old_trb_comp_code = trb_comp_code; + return 0; + } + +@@ -2935,15 +2952,12 @@ static int handle_tx_event(struct xhci_hcd *xhci, + */ + } while (ep->skip); + ++ ep_ring->old_trb_comp_code = trb_comp_code; ++ + /* Get out if a TD was queued at enqueue after the xrun occurred */ + if (ring_xrun_event) + return 0; + +- if (trb_comp_code == COMP_SHORT_PACKET) +- ep_ring->last_td_was_short = true; +- else +- ep_ring->last_td_was_short = false; +- + ep_trb = &ep_seg->trbs[(ep_trb_dma - ep_seg->dma) / sizeof(*ep_trb)]; + trace_xhci_handle_transfer(ep_ring, (struct xhci_generic_trb *) ep_trb); + +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 017a156953d72..2a954efa53e80 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1360,7 +1360,7 @@ struct xhci_ring { + unsigned int num_trbs_free; /* used only by xhci DbC */ + unsigned int bounce_buf_len; + enum xhci_ring_type type; +- bool last_td_was_short; ++ u32 old_trb_comp_code; + struct radix_tree_root *trb_address_map; + }; + +-- +2.39.5 + -- 2.47.3