From cce206bbc19f26a62ccbd02a503675279ec38f12 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 20 Oct 2025 13:22:57 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
blk-crypto-fix-missing-blktrace-bio-split-events.patch
btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch
media-lirc-fix-error-handling-in-lirc_register.patch
media-rc-directly-use-ida_free.patch
xen-events-update-virq_to_irq-on-migration.patch
---
...ix-missing-blktrace-bio-split-events.patch | 48 +++++
...ial-out-of-bounds-in-btrfs_encode_fh.patch | 76 ++++++++
...ed-dev-pointer-in-mhi_init_irq_setup.patch | 58 ++++++
...ynos7_drm_decon-remove-ctx-suspended.patch | 167 ++++++++++++++++++
...-fix-error-handling-in-lirc_register.patch | 56 ++++++
.../media-rc-directly-use-ida_free.patch | 84 +++++++++
queue-5.10/series | 7 +
...ents-update-virq_to_irq-on-migration.patch | 64 +++++++
8 files changed, 560 insertions(+)
create mode 100644 queue-5.10/blk-crypto-fix-missing-blktrace-bio-split-events.patch
create mode 100644 queue-5.10/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
create mode 100644 queue-5.10/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
create mode 100644 queue-5.10/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch
create mode 100644 queue-5.10/media-lirc-fix-error-handling-in-lirc_register.patch
create mode 100644 queue-5.10/media-rc-directly-use-ida_free.patch
create mode 100644 queue-5.10/xen-events-update-virq_to_irq-on-migration.patch
diff --git a/queue-5.10/blk-crypto-fix-missing-blktrace-bio-split-events.patch b/queue-5.10/blk-crypto-fix-missing-blktrace-bio-split-events.patch
new file mode 100644
index 0000000000..2e8843f308
--- /dev/null
+++ b/queue-5.10/blk-crypto-fix-missing-blktrace-bio-split-events.patch
@@ -0,0 +1,48 @@
+From stable+bounces-187851-greg=kroah.com@vger.kernel.org Sat Oct 18 18:14:47 2025
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 12:14:33 -0400
+Subject: blk-crypto: fix missing blktrace bio split events
+To: stable@vger.kernel.org
+Cc: Yu Kuai , Bart Van Assche , Christoph Hellwig , Jens Axboe , Sasha Levin
+Message-ID: <20251018161433.836920-1-sashal@kernel.org>
+
+From: Yu Kuai
+
+[ Upstream commit 06d712d297649f48ebf1381d19bd24e942813b37 ]
+
+trace_block_split() is missing, resulting in blktrace inability to catch
+BIO split events and making it harder to analyze the BIO sequence.
+
+Cc: stable@vger.kernel.org
+Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption")
+Signed-off-by: Yu Kuai
+Reviewed-by: Bart Van Assche
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Jens Axboe
+[ added queue parameter to trace_block_split() call ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/blk-crypto-fallback.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-crypto-fallback.c
++++ b/block/blk-crypto-fallback.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "blk-crypto-internal.h"
+
+@@ -227,7 +228,9 @@ static bool blk_crypto_split_bio_if_need
+ bio->bi_status = BLK_STS_RESOURCE;
+ return false;
+ }
++
+ bio_chain(split_bio, bio);
++ trace_block_split(bio->bi_disk->queue, split_bio, bio->bi_iter.bi_sector);
+ submit_bio_noacct(bio);
+ *bio_ptr = split_bio;
+ }
diff --git a/queue-5.10/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch b/queue-5.10/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
new file mode 100644
index 0000000000..fb7ed9afbd
--- /dev/null
+++ b/queue-5.10/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
@@ -0,0 +1,76 @@
+From stable+bounces-187846-greg=kroah.com@vger.kernel.org Sat Oct 18 18:03:06 2025
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 12:01:58 -0400
+Subject: btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
+To: stable@vger.kernel.org
+Cc: Anderson Nascimento , David Sterba , Sasha Levin
+Message-ID: <20251018160158.831532-1-sashal@kernel.org>
+
+From: Anderson Nascimento
+
+[ Upstream commit dff4f9ff5d7f289e4545cc936362e01ed3252742 ]
+
+The function btrfs_encode_fh() does not properly account for the three
+cases it handles.
+
+Before writing to the file handle (fh), the function only returns to the
+user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
+BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
+
+However, when a parent exists and the root ID of the parent and the
+inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
+(10 dwords, 40 bytes).
+
+If *max_len is not large enough, this write goes out of bounds because
+BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
+BTRFS_FID_SIZE_CONNECTABLE originally returned.
+
+This results in an 8-byte out-of-bounds write at
+fid->parent_root_objectid = parent_root_id.
+
+A previous attempt to fix this issue was made but was lost.
+
+https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
+
+Although this issue does not seem to be easily triggerable, it is a
+potential memory corruption bug that should be fixed. This patch
+resolves the issue by ensuring the function returns the appropriate size
+for all three cases and validates that *max_len is large enough before
+writing any data.
+
+Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
+CC: stable@vger.kernel.org # 3.0+
+Signed-off-by: Anderson Nascimento
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+[ replaced btrfs_root_id() calls with direct ->root->root_key.objectid access ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/export.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/export.c
++++ b/fs/btrfs/export.c
+@@ -22,7 +22,11 @@ static int btrfs_encode_fh(struct inode
+ int type;
+
+ if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) {
+- *max_len = BTRFS_FID_SIZE_CONNECTABLE;
++ if (BTRFS_I(inode)->root->root_key.objectid !=
++ BTRFS_I(parent)->root->root_key.objectid)
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
++ else
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE;
+ return FILEID_INVALID;
+ } else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) {
+ *max_len = BTRFS_FID_SIZE_NON_CONNECTABLE;
+@@ -44,6 +48,8 @@ static int btrfs_encode_fh(struct inode
+ parent_root_id = BTRFS_I(parent)->root->root_key.objectid;
+
+ if (parent_root_id != fid->root_objectid) {
++ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
++ return FILEID_INVALID;
+ fid->parent_root_objectid = parent_root_id;
+ len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
+ type = FILEID_BTRFS_WITH_PARENT_ROOT;
diff --git a/queue-5.10/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch b/queue-5.10/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
new file mode 100644
index 0000000000..06fe333d26
--- /dev/null
+++ b/queue-5.10/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
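Review bot: The bail-out added inside the `parent_root_id != fid->root_objectid` branch of btrfs_encode_fh() (second inner hunk of fs/btrfs/export.c) returns FILEID_INVALID without updating `*max_len`, unlike the size check at the top of the function, which reports the required size before returning. A caller that supplied 8 or 9 dwords for an inode whose parent lives in a different root would therefore, as far as these hunks show, get the failure with its own too-small length left in place and no indication of how much to allocate. Making the two failure paths agree is a small change: `if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT) {` `*max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;` `return FILEID_INVALID; }`. The function body starts before and continues past both hunks, so whether the earlier fid fields are already written at this point cannot be confirmed from here; a one-line comment stating that the partial write stays inside the caller's buffer would help the next reader.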
@@ -0,0 +1,58 @@
+From stable+bounces-187843-greg=kroah.com@vger.kernel.org Sat Oct 18 16:55:00 2025
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 10:54:52 -0400
+Subject: bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
+To: stable@vger.kernel.org
+Cc: Adam Xue , Manivannan Sadhasivam , Krishna Chaitanya Chundru , Sasha Levin
+Message-ID: <20251018145452.792939-1-sashal@kernel.org>
+
+From: Adam Xue
+
+[ Upstream commit d0856a6dff57f95cc5d2d74e50880f01697d0cc4 ]
+
+In mhi_init_irq_setup, the device pointer used for dev_err() was not
+initialized. Use the pointer from mhi_cntrl instead.
+
+Fixes: b0fc0167f254 ("bus: mhi: core: Allow shared IRQ for event rings")
+Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations")
+Signed-off-by: Adam Xue
+[mani: reworded subject/description and CCed stable]
+Signed-off-by: Manivannan Sadhasivam
+Reviewed-by: Krishna Chaitanya Chundru
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250905174118.38512-1-zxue@semtech.com
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/mhi/host/init.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/mhi/host/init.c
++++ b/drivers/bus/mhi/host/init.c
+@@ -147,7 +147,6 @@ void mhi_deinit_free_irq(struct mhi_cont
+ int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl)
+ {
+ struct mhi_event *mhi_event = mhi_cntrl->mhi_event;
+- struct device *dev = &mhi_cntrl->mhi_dev->dev;
+ int i, ret;
+
+ /* Setup BHI_INTVEC IRQ */
+@@ -163,7 +162,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ continue;
+
+ if (mhi_event->irq >= mhi_cntrl->nr_irqs) {
+- dev_err(dev, "irq %d not available for event ring\n",
++ dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n",
+ mhi_event->irq);
+ ret = -EINVAL;
+ goto error_request;
+@@ -174,7 +173,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ IRQF_SHARED | IRQF_NO_SUSPEND,
+ "mhi", mhi_event);
+ if (ret) {
+- dev_err(dev, "Error requesting irq:%d for ev:%d\n",
++ dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n",
+ mhi_cntrl->irq[mhi_event->irq], i);
+ goto error_request;
+ }
diff --git a/queue-5.10/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch b/queue-5.10/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch
new file mode 100644
index 0000000000..f1d60a6beb
--- /dev/null
+++ b/queue-5.10/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch
@@ -0,0 +1,167 @@
+From stable+bounces-187840-greg=kroah.com@vger.kernel.org Sat Oct 18 15:52:05 2025
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 09:51:55 -0400
+Subject: drm/exynos: exynos7_drm_decon: remove ctx->suspended
+To: stable@vger.kernel.org
+Cc: Kaustabh Chakraborty , Inki Dae , Sasha Levin
+Message-ID: <20251018135155.712293-1-sashal@kernel.org>
+
+From: Kaustabh Chakraborty
+
+[ Upstream commit e1361a4f1be9cb69a662c6d7b5ce218007d6e82b ]
+
+Condition guards are found to be redundant, as the call flow is properly
+managed now, as also observed in the Exynos5433 DECON driver. Since
+state checking is no longer necessary, remove it.
+
+This also fixes an issue which prevented decon_commit() from
+decon_atomic_enable() due to an incorrect state change setting.
+
+Fixes: 96976c3d9aff ("drm/exynos: Add DECON driver")
+Cc: stable@vger.kernel.org
+Suggested-by: Inki Dae
+Signed-off-by: Kaustabh Chakraborty
+Signed-off-by: Inki Dae
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/exynos/exynos7_drm_decon.c | 36 -----------------------------
+ 1 file changed, 36 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c
++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c
+@@ -51,7 +51,6 @@ struct decon_context {
+ void __iomem *regs;
+ unsigned long irq_flags;
+ bool i80_if;
+- bool suspended;
+ wait_queue_head_t wait_vsync_queue;
+ atomic_t wait_vsync_event;
+
+@@ -85,9 +84,6 @@ static void decon_wait_for_vblank(struct
+ {
+ struct decon_context *ctx = crtc->ctx;
+
+- if (ctx->suspended)
+- return;
+-
+ atomic_set(&ctx->wait_vsync_event, 1);
+
+ /*
+@@ -155,9 +151,6 @@ static void decon_commit(struct exynos_d
+ struct drm_display_mode *mode = &crtc->base.state->adjusted_mode;
+ u32 val, clkdiv;
+
+- if (ctx->suspended)
+- return;
+-
+ /* nothing to do if we haven't set the mode yet */
+ if (mode->htotal == 0 || mode->vtotal == 0)
+ return;
+@@ -219,9 +212,6 @@ static int decon_enable_vblank(struct ex
+ struct decon_context *ctx = crtc->ctx;
+ u32 val;
+
+- if (ctx->suspended)
+- return -EPERM;
+-
+ if (!test_and_set_bit(0, &ctx->irq_flags)) {
+ val = readl(ctx->regs + VIDINTCON0);
+
+@@ -244,9 +234,6 @@ static void decon_disable_vblank(struct
+ struct decon_context *ctx = crtc->ctx;
+ u32 val;
+
+- if (ctx->suspended)
+- return;
+-
+ if (test_and_clear_bit(0, &ctx->irq_flags)) {
+ val = readl(ctx->regs + VIDINTCON0);
+
+@@ -369,9 +356,6 @@ static void decon_atomic_begin(struct ex
+ struct decon_context *ctx = crtc->ctx;
+ int i;
+
+- if (ctx->suspended)
+- return;
+-
+ for (i = 0; i < WINDOWS_NR; i++)
+ decon_shadow_protect_win(ctx, i, true);
+ }
+@@ -391,9 +375,6 @@ static void decon_update_plane(struct ex
+ unsigned int cpp = fb->format->cpp[0];
+ unsigned int pitch = fb->pitches[0];
+
+- if (ctx->suspended)
+- return;
+-
+ /*
+ * SHADOWCON/PRTCON register is used for enabling timing.
+ *
+@@ -481,9 +462,6 @@ static void decon_disable_plane(struct e
+ unsigned int win = plane->index;
+ u32 val;
+
+- if (ctx->suspended)
+- return;
+-
+ /* protect windows */
+ decon_shadow_protect_win(ctx, win, true);
+
+@@ -502,9 +480,6 @@ static void decon_atomic_flush(struct ex
+ struct decon_context *ctx = crtc->ctx;
+ int i;
+
+- if (ctx->suspended)
+- return;
+-
+ for (i = 0; i < WINDOWS_NR; i++)
+ decon_shadow_protect_win(ctx, i, false);
+ exynos_crtc_handle_event(crtc);
+@@ -531,9 +506,6 @@ static void decon_atomic_enable(struct e
+ {
+ struct decon_context *ctx = crtc->ctx;
+
+- if (!ctx->suspended)
+- return;
+-
+ pm_runtime_get_sync(ctx->dev);
+
+ decon_init(ctx);
+@@ -543,8 +515,6 @@ static void decon_atomic_enable(struct e
+ decon_enable_vblank(ctx->crtc);
+
+ decon_commit(ctx->crtc);
+-
+- ctx->suspended = false;
+ }
+
+ static void decon_atomic_disable(struct exynos_drm_crtc *crtc)
+@@ -552,9 +522,6 @@ static void decon_atomic_disable(struct
+ struct decon_context *ctx = crtc->ctx;
+ int i;
+
+- if (ctx->suspended)
+- return;
+-
+ /*
+ * We need to make sure that all windows are disabled before we
+ * suspend that connector. Otherwise we might try to scan from
+@@ -564,8 +531,6 @@ static void decon_atomic_disable(struct
+ decon_disable_plane(crtc, &ctx->planes[i]);
+
+ pm_runtime_put_sync(ctx->dev);
+-
+- ctx->suspended = true;
+ }
+
+ static const struct exynos_drm_crtc_ops decon_crtc_ops = {
+@@ -687,7 +652,6 @@ static int decon_probe(struct platform_d
+ return -ENOMEM;
+
+ ctx->dev = dev;
+- ctx->suspended = true;
+
+ i80_if_timings = of_get_child_by_name(dev->of_node, "i80-if-timings");
+ if (i80_if_timings)
diff --git a/queue-5.10/media-lirc-fix-error-handling-in-lirc_register.patch b/queue-5.10/media-lirc-fix-error-handling-in-lirc_register.patch
new file mode 100644
index 0000000000..7b11d6ea52
--- /dev/null
+++ b/queue-5.10/media-lirc-fix-error-handling-in-lirc_register.patch
@@ -0,0 +1,56 @@
+From stable+bounces-187719-greg=kroah.com@vger.kernel.org Sat Oct 18 01:18:34 2025
+From: Sasha Levin
+Date: Fri, 17 Oct 2025 19:18:23 -0400
+Subject: media: lirc: Fix error handling in lirc_register()
+To: stable@vger.kernel.org
+Cc: Ma Ke , Sean Young , Hans Verkuil , Sasha Levin
+Message-ID: <20251017231823.30098-2-sashal@kernel.org>
+
+From: Ma Ke
+
+[ Upstream commit 4f4098c57e139ad972154077fb45c3e3141555dd ]
+
+When cdev_device_add() failed, calling put_device() to explicitly
+release dev->lirc_dev. Otherwise, it could cause the fault of the
+reference count.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: a6ddd4fecbb0 ("media: lirc: remove last remnants of lirc kapi")
+Signed-off-by: Ma Ke
+Signed-off-by: Sean Young
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/rc/lirc_dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/rc/lirc_dev.c
++++ b/drivers/media/rc/lirc_dev.c
+@@ -747,11 +747,11 @@ int lirc_register(struct rc_dev *dev)
+
+ cdev_init(&dev->lirc_cdev, &lirc_fops);
+
++ get_device(&dev->dev);
++
+ err = cdev_device_add(&dev->lirc_cdev, &dev->lirc_dev);
+ if (err)
+- goto out_ida;
+-
+- get_device(&dev->dev);
++ goto out_put_device;
+
+ switch (dev->driver_type) {
+ case RC_DRIVER_SCANCODE:
+@@ -775,7 +775,8 @@ int lirc_register(struct rc_dev *dev)
+
+ return 0;
+
+-out_ida:
++out_put_device:
++ put_device(&dev->lirc_dev);
+ ida_free(&lirc_ida, minor);
+ return err;
+ }
diff --git a/queue-5.10/media-rc-directly-use-ida_free.patch b/queue-5.10/media-rc-directly-use-ida_free.patch
new file mode 100644
index 0000000000..fe7d7590ca
--- /dev/null
+++ b/queue-5.10/media-rc-directly-use-ida_free.patch
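Review bot: The error path added to lirc_register() pairs `get_device(&dev->dev)` with `put_device(&dev->lirc_dev)`, two different struct device objects, and neither hunk explains why that balances. Presumably the release callback installed on dev->lirc_dev drops the reference on dev->dev (that setup is outside the hunks), so the single put both tears down lirc_dev and undoes the earlier get; if that is the case, a comment at the label would stop a later reader from "correcting" the apparent mismatch, for example `/* put_device() runs lirc_dev's release, which drops the dev->dev reference taken before cdev_device_add() */`. It is also worth confirming that the caller's own failure handling does not touch dev->lirc_dev again after this put; within the hunk only the local `minor` is used afterwards, by `ida_free(&lirc_ida, minor)`. The function starts before the first hunk and continues between the two.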
@@ -0,0 +1,84 @@
+From stable+bounces-187718-greg=kroah.com@vger.kernel.org Sat Oct 18 01:18:31 2025
+From: Sasha Levin
+Date: Fri, 17 Oct 2025 19:18:22 -0400
+Subject: media: rc: Directly use ida_free()
+To: stable@vger.kernel.org
+Cc: keliu , Sean Young , Mauro Carvalho Chehab , Sasha Levin
+Message-ID: <20251017231823.30098-1-sashal@kernel.org>
+
+From: keliu
+
+[ Upstream commit cd54ff938091d890edf78e6555ec30c63dcd2eb5 ]
+
+Use ida_alloc() and ida_free() instead of the deprecated
+ida_simple_get() and ida_simple_remove().
+
+Signed-off-by: keliu
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Stable-dep-of: 4f4098c57e13 ("media: lirc: Fix error handling in lirc_register()")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/rc/lirc_dev.c | 6 +++---
+ drivers/media/rc/rc-main.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/rc/lirc_dev.c
++++ b/drivers/media/rc/lirc_dev.c
+@@ -731,7 +731,7 @@ int lirc_register(struct rc_dev *dev)
+ const char *rx_type, *tx_type;
+ int err, minor;
+
+- minor = ida_simple_get(&lirc_ida, 0, RC_DEV_MAX, GFP_KERNEL);
++ minor = ida_alloc_max(&lirc_ida, RC_DEV_MAX - 1, GFP_KERNEL);
+ if (minor < 0)
+ return minor;
+
+@@ -776,7 +776,7 @@ int lirc_register(struct rc_dev *dev)
+ return 0;
+
+ out_ida:
+- ida_simple_remove(&lirc_ida, minor);
++ ida_free(&lirc_ida, minor);
+ return err;
+ }
+
+@@ -794,7 +794,7 @@ void lirc_unregister(struct rc_dev *dev)
+ spin_unlock_irqrestore(&dev->lirc_fh_lock, flags);
+
+ cdev_device_del(&dev->lirc_cdev, &dev->lirc_dev);
+- ida_simple_remove(&lirc_ida, MINOR(dev->lirc_dev.devt));
++ ida_free(&lirc_ida, MINOR(dev->lirc_dev.devt));
+ }
+
+ int __init lirc_dev_init(void)
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1897,7 +1897,7 @@ int rc_register_device(struct rc_dev *de
+ if (!dev)
+ return -EINVAL;
+
+- minor = ida_simple_get(&rc_ida, 0, RC_DEV_MAX, GFP_KERNEL);
++ minor = ida_alloc_max(&rc_ida, RC_DEV_MAX - 1, GFP_KERNEL);
+ if (minor < 0)
+ return minor;
+
+@@ -1980,7 +1980,7 @@ out_rx_free:
+ out_raw:
+ ir_raw_event_free(dev);
+ out_minor:
+- ida_simple_remove(&rc_ida, minor);
++ ida_free(&rc_ida, minor);
+ return rc;
+ }
+ EXPORT_SYMBOL_GPL(rc_register_device);
+@@ -2040,7 +2040,7 @@ void rc_unregister_device(struct rc_dev
+
+ device_del(&dev->dev);
+
+- ida_simple_remove(&rc_ida, dev->minor);
++ ida_free(&rc_ida, dev->minor);
+
+ if (!dev->managed_alloc)
+ rc_free_device(dev);
diff --git a/queue-5.10/series b/queue-5.10/series
index 5cb82e116b..c2f838d131 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -229,3 +229,10 @@ kvm-arm64-prevent-access-to-vcpu-events-before-init.patch
 jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
 ext4-detect-invalid-inline_data-extents-flag-combination.patch
 pwm-berlin-fix-wrong-register-in-suspend-resume.patch
+blk-crypto-fix-missing-blktrace-bio-split-events.patch
+btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
+bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
+drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch
+media-rc-directly-use-ida_free.patch
+media-lirc-fix-error-handling-in-lirc_register.patch
+xen-events-update-virq_to_irq-on-migration.patch
diff --git a/queue-5.10/xen-events-update-virq_to_irq-on-migration.patch b/queue-5.10/xen-events-update-virq_to_irq-on-migration.patch
new file mode 100644
index 0000000000..6903f3cdf8
--- /dev/null
+++ b/queue-5.10/xen-events-update-virq_to_irq-on-migration.patch
@@ -0,0 +1,64 @@
+From stable+bounces-186348-greg=kroah.com@vger.kernel.org Fri Oct 17 16:54:26 2025
+From: Sasha Levin
+Date: Fri, 17 Oct 2025 10:50:07 -0400
+Subject: xen/events: Update virq_to_irq on migration
+To: stable@vger.kernel.org
+Cc: Jason Andryuk , Juergen Gross , Sasha Levin
+Message-ID: <20251017145007.4008799-1-sashal@kernel.org>
+
+From: Jason Andryuk
+
+[ Upstream commit 3fcc8e146935415d69ffabb5df40ecf50e106131 ]
+
+VIRQs come in 3 flavors, per-VPU, per-domain, and global, and the VIRQs
+are tracked in per-cpu virq_to_irq arrays.
+
+Per-domain and global VIRQs must be bound on CPU 0, and
+bind_virq_to_irq() sets the per_cpu virq_to_irq at registration time
+Later, the interrupt can migrate, and info->cpu is updated. When
+calling __unbind_from_irq(), the per-cpu virq_to_irq is cleared for a
+different cpu. If bind_virq_to_irq() is called again with CPU 0, the
+stale irq is returned. There won't be any irq_info for the irq, so
+things break.
+
+Make xen_rebind_evtchn_to_cpu() update the per_cpu virq_to_irq mappings
+to keep them update to date with the current cpu. This ensures the
+correct virq_to_irq is cleared in __unbind_from_irq().
+
+Fixes: e46cdb66c8fc ("xen: event channels")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Andryuk
+Reviewed-by: Juergen Gross
+Signed-off-by: Juergen Gross
+Message-ID: <20250828003604.8949-4-jason.andryuk@amd.com>
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/events/events_base.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -1746,9 +1746,20 @@ static int xen_rebind_evtchn_to_cpu(stru
+ * virq or IPI channel, which don't actually need to be rebound. Ignore
+ * it, but don't do the xenlinux-level rebind in that case.
+ */
+- if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0)
++ if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0) {
++ int old_cpu = info->cpu;
++
+ bind_evtchn_to_cpu(evtchn, tcpu);
+
++ if (info->type == IRQT_VIRQ) {
++ int virq = info->u.virq;
++ int irq = per_cpu(virq_to_irq, old_cpu)[virq];
++
++ per_cpu(virq_to_irq, old_cpu)[virq] = -1;
++ per_cpu(virq_to_irq, tcpu)[virq] = irq;
++ }
++ }
++
+ do_unmask(info, EVT_MASK_REASON_TEMPORARY);
+
+ return 0;
--
2.47.3
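Review bot: The VIRQ branch added to xen_rebind_evtchn_to_cpu() moves the mapping with two separate stores, `per_cpu(virq_to_irq, old_cpu)[virq] = -1;` followed by `per_cpu(virq_to_irq, tcpu)[virq] = irq;`, and the hunk shows neither a lock nor a comment covering them. Between the two stores no CPU's array holds the irq, so a bind or unbind running concurrently on another CPU could presumably observe -1; whether a lock taken by the caller rules that out cannot be told from this hunk, whose function starts and ends outside it. The store into the target CPU's slot also overwrites whatever was there without checking that it was unused. If callers do serialise this path, a comment stating it would settle both questions, for example `/* caller holds <lock name>; keep virq_to_irq in step with info->cpu so __unbind_from_irq() clears the right slot */`.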