From: Greg Kroah-Hartman Date: Mon, 21 Jul 2025 11:23:54 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v6.1.147~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=77ccf42478d8f79e7c9bea925ac021b5abcfe1aa;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: comedi-pcl812-fix-bit-shift-out-of-bounds.patch iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch iio-adc-ad7380-fix-adi-gain-milli-property-parsing.patch iio-adc-adi-axi-adc-fix-ad7606_bus_reg_read.patch iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch iio-adc-max1363-reorder-mode_list-entries.patch iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch iio-backend-fix-out-of-bound-write.patch iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch soundwire-revert-soundwire-qcom-add-set_channel_map-api-support.patch xfs-don-t-allocate-the-xfs_extent_busy-structure-for-zoned-rtgs.patch --- diff --git a/queue-6.15/comedi-pcl812-fix-bit-shift-out-of-bounds.patch b/queue-6.15/comedi-pcl812-fix-bit-shift-out-of-bounds.patch new file mode 100644 index 0000000000..85c9bdb64a --- /dev/null +++ b/queue-6.15/comedi-pcl812-fix-bit-shift-out-of-bounds.patch @@ -0,0 +1,43 @@ +From b14b076ce593f72585412fc7fd3747e03a5e3632 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 7 Jul 2025 14:34:29 +0100 +Subject: comedi: pcl812: Fix bit shift out of bounds + +From: Ian Abbott + +commit b14b076ce593f72585412fc7fd3747e03a5e3632 upstream. + +When checking for a supported IRQ number, the following test is used: + + if ((1 << it->options[1]) & board->irq_bits) { + +However, `it->options[i]` is an unchecked `int` value from userspace, so +the shift amount could be negative or out of bounds. Fix the test by +requiring `it->options[1]` to be within bounds before proceeding with +the original test. Valid `it->options[1]` values that select the IRQ +will be in the range [1,15]. The value 0 explicitly disables the use of +interrupts. + +Reported-by: syzbot+32de323b0addb9e114ff@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=32de323b0addb9e114ff +Fixes: fcdb427bc7cf ("Staging: comedi: add pcl821 driver") +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250707133429.73202-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/pcl812.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/comedi/drivers/pcl812.c ++++ b/drivers/comedi/drivers/pcl812.c +@@ -1149,7 +1149,8 @@ static int pcl812_attach(struct comedi_d + if (IS_ERR(dev->pacer)) + return PTR_ERR(dev->pacer); + +- if ((1 << it->options[1]) & board->irq_bits) { ++ if (it->options[1] > 0 && it->options[1] < 16 && ++ (1 << it->options[1]) & board->irq_bits) { + ret = request_irq(it->options[1], pcl812_interrupt, 0, + dev->board_name, dev); + if (ret == 0) diff --git a/queue-6.15/iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch b/queue-6.15/iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch new file mode 100644 index 0000000000..c9e2bb833a --- /dev/null +++ b/queue-6.15/iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch @@ -0,0 +1,48 @@ +From 1fe16dc1a2f5057772e5391ec042ed7442966c9a Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Tue, 3 Jun 2025 14:25:44 +0200 +Subject: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush + +From: Sean Nyekjaer + +commit 1fe16dc1a2f5057772e5391ec042ed7442966c9a upstream. + +fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with +iio_for_each_active_channel()) without making sure the indio_dev +stays in buffer mode. +There is a race if indio_dev exits buffer mode in the middle of the +interrupt that flushes the fifo. Fix this by calling +synchronize_irq() to ensure that no interrupt is currently running when +disabling buffer mode. + +Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read +[...] +_find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290 +fxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178 +fxls8962af_interrupt from irq_thread_fn+0x1c/0x7c +irq_thread_fn from irq_thread+0x110/0x1f4 +irq_thread from kthread+0xe0/0xfc +kthread from ret_from_fork+0x14/0x2c + +Fixes: 79e3a5bdd9ef ("iio: accel: fxls8962af: add hw buffered sampling") +Cc: stable@vger.kernel.org +Suggested-by: David Lechner +Signed-off-by: Sean Nyekjaer +Link: https://patch.msgid.link/20250603-fxlsrace-v2-1-5381b36ba1db@geanix.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/fxls8962af-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/accel/fxls8962af-core.c ++++ b/drivers/iio/accel/fxls8962af-core.c +@@ -877,6 +877,8 @@ static int fxls8962af_buffer_predisable( + if (ret) + return ret; + ++ synchronize_irq(data->irq); ++ + ret = __fxls8962af_fifo_set_mode(data, false); + + if (data->enable_event) diff --git a/queue-6.15/iio-adc-ad7380-fix-adi-gain-milli-property-parsing.patch b/queue-6.15/iio-adc-ad7380-fix-adi-gain-milli-property-parsing.patch new file mode 100644 index 0000000000..c129ef9eec --- /dev/null +++ b/queue-6.15/iio-adc-ad7380-fix-adi-gain-milli-property-parsing.patch @@ -0,0 +1,45 @@ +From 24fa69894ea3f76ecb13d7160692ee574a912803 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Thu, 19 Jun 2025 10:24:22 -0500 +Subject: iio: adc: ad7380: fix adi,gain-milli property parsing + +From: David Lechner + +commit 24fa69894ea3f76ecb13d7160692ee574a912803 upstream. + +Change the data type of the "adi,gain-milli" property from u32 to u16. +The devicetree binding specifies it as uint16, so we need to read it as +such to avoid an -EOVERFLOW error when parsing the property. + +Fixes: c904e6dcf402 ("iio: adc: ad7380: add support for adaq4370-4 and adaq4380-4") +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20250619-iio-adc-ad7380-fix-adi-gain-milli-parsing-v1-1-4c27fb426860@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7380.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/ad7380.c ++++ b/drivers/iio/adc/ad7380.c +@@ -1920,8 +1920,9 @@ static int ad7380_probe(struct spi_devic + + if (st->chip_info->has_hardware_gain) { + device_for_each_child_node_scoped(dev, node) { +- unsigned int channel, gain; ++ unsigned int channel; + int gain_idx; ++ u16 gain; + + ret = fwnode_property_read_u32(node, "reg", &channel); + if (ret) +@@ -1933,7 +1934,7 @@ static int ad7380_probe(struct spi_devic + "Invalid channel number %i\n", + channel); + +- ret = fwnode_property_read_u32(node, "adi,gain-milli", ++ ret = fwnode_property_read_u16(node, "adi,gain-milli", + &gain); + if (ret && ret != -EINVAL) + return dev_err_probe(dev, ret, diff --git a/queue-6.15/iio-adc-adi-axi-adc-fix-ad7606_bus_reg_read.patch b/queue-6.15/iio-adc-adi-axi-adc-fix-ad7606_bus_reg_read.patch new file mode 100644 index 0000000000..990b6206d9 --- /dev/null +++ b/queue-6.15/iio-adc-adi-axi-adc-fix-ad7606_bus_reg_read.patch @@ -0,0 +1,54 @@ +From 6ac609d1fba19d5d40fb3c81201ffadcb6d00fb3 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Fri, 30 May 2025 16:50:14 -0500 +Subject: iio: adc: adi-axi-adc: fix ad7606_bus_reg_read() + +From: David Lechner + +commit 6ac609d1fba19d5d40fb3c81201ffadcb6d00fb3 upstream. + +Mask the value read before returning it. The value read over the +parallel bus via the AXI ADC IP block contains both the address and +the data, but callers expect val to only contain the data. + +axi_adc_raw_write() takes a u32 parameter, so addr was the wrong type. +This wasn't causing any issues but is corrected anyway since we are +touching the same line to add a new variable. + +Cc: stable@vger.kernel.org +Fixes: 79c47485e438 ("iio: adc: adi-axi-adc: add support for AD7606 register writing") +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20250530-iio-adc-adi-axi-adc-fix-ad7606_bus_reg_read-v2-1-ad2dfc0694ce@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/adi-axi-adc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/adi-axi-adc.c b/drivers/iio/adc/adi-axi-adc.c +index 4116c44197b8..2dbaa0b5b3d6 100644 +--- a/drivers/iio/adc/adi-axi-adc.c ++++ b/drivers/iio/adc/adi-axi-adc.c +@@ -445,7 +445,7 @@ static int axi_adc_raw_read(struct iio_backend *back, u32 *val) + static int ad7606_bus_reg_read(struct iio_backend *back, u32 reg, u32 *val) + { + struct adi_axi_adc_state *st = iio_backend_get_priv(back); +- int addr; ++ u32 addr, reg_val; + + guard(mutex)(&st->lock); + +@@ -455,7 +455,9 @@ static int ad7606_bus_reg_read(struct iio_backend *back, u32 reg, u32 *val) + */ + addr = FIELD_PREP(ADI_AXI_REG_ADDRESS_MASK, reg) | ADI_AXI_REG_READ_BIT; + axi_adc_raw_write(back, addr); +- axi_adc_raw_read(back, val); ++ axi_adc_raw_read(back, ®_val); ++ ++ *val = FIELD_GET(ADI_AXI_REG_VALUE_MASK, reg_val); + + /* Write 0x0 on the bus to get back to ADC mode */ + axi_adc_raw_write(back, 0); +-- +2.50.1 + diff --git a/queue-6.15/iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch b/queue-6.15/iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch new file mode 100644 index 0000000000..bcc12a234c --- /dev/null +++ b/queue-6.15/iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch @@ -0,0 +1,34 @@ +From 3281ddcea6429f7bc1fdb39d407752dd1371aba9 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Sat, 7 Jun 2025 21:56:27 +0800 +Subject: iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps + +From: Chen-Yu Tsai + +commit 3281ddcea6429f7bc1fdb39d407752dd1371aba9 upstream. + +The AXP717 ADC channel maps is missing a sentinel entry at the end. This +causes a KASAN warning. + +Add the missing sentinel entry. + +Fixes: 5ba0cb92584b ("iio: adc: axp20x_adc: add support for AXP717 ADC") +Signed-off-by: Chen-Yu Tsai +Link: https://patch.msgid.link/20250607135627.2086850-1-wens@kernel.org +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/axp20x_adc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/axp20x_adc.c ++++ b/drivers/iio/adc/axp20x_adc.c +@@ -187,6 +187,7 @@ static struct iio_map axp717_maps[] = { + .consumer_channel = "batt_chrg_i", + .adc_channel_label = "batt_chrg_i", + }, ++ { } + }; + + /* diff --git a/queue-6.15/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch b/queue-6.15/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch new file mode 100644 index 0000000000..a536117821 --- /dev/null +++ b/queue-6.15/iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch @@ -0,0 +1,93 @@ +From 6d21f2c2dd843bceefd9455f2919f6bb526797f0 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 16 May 2025 14:38:59 -0300 +Subject: iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] + +From: Fabio Estevam + +commit 6d21f2c2dd843bceefd9455f2919f6bb526797f0 upstream. + +Since commit 2718f15403fb ("iio: sanity check available_scan_masks array"), +booting a board populated with a MAX11601 results in a flood of warnings: + +max1363 1-0064: available_scan_mask 8 subset of 0. Never used +max1363 1-0064: available_scan_mask 9 subset of 0. Never used +max1363 1-0064: available_scan_mask 10 subset of 0. Never used +max1363 1-0064: available_scan_mask 11 subset of 0. Never used +max1363 1-0064: available_scan_mask 12 subset of 0. Never used +max1363 1-0064: available_scan_mask 13 subset of 0. Never used +... + +These warnings are caused by incorrect offsets used for differential +channels in the MAX1363_4X_CHANS() and MAX1363_8X_CHANS() macros. + +The max1363_mode_table[] defines the differential channel mappings as +follows: + +MAX1363_MODE_DIFF_SINGLE(0, 1, 1 << 12), +MAX1363_MODE_DIFF_SINGLE(2, 3, 1 << 13), +MAX1363_MODE_DIFF_SINGLE(4, 5, 1 << 14), +MAX1363_MODE_DIFF_SINGLE(6, 7, 1 << 15), +MAX1363_MODE_DIFF_SINGLE(8, 9, 1 << 16), +MAX1363_MODE_DIFF_SINGLE(10, 11, 1 << 17), +MAX1363_MODE_DIFF_SINGLE(1, 0, 1 << 18), +MAX1363_MODE_DIFF_SINGLE(3, 2, 1 << 19), +MAX1363_MODE_DIFF_SINGLE(5, 4, 1 << 20), +MAX1363_MODE_DIFF_SINGLE(7, 6, 1 << 21), +MAX1363_MODE_DIFF_SINGLE(9, 8, 1 << 22), +MAX1363_MODE_DIFF_SINGLE(11, 10, 1 << 23), + +Update the macros to follow this same pattern, ensuring that the scan masks +are valid and preventing the warnings. + +Cc: stable@vger.kernel.org +Suggested-by: Jonathan Cameron +Signed-off-by: Fabio Estevam +Acked-by: Matti Vaittinen +Link: https://patch.msgid.link/20250516173900.677821-1-festevam@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/max1363.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/iio/adc/max1363.c ++++ b/drivers/iio/adc/max1363.c +@@ -511,10 +511,10 @@ static const struct iio_event_spec max13 + MAX1363_CHAN_U(1, _s1, 1, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_U(2, _s2, 2, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_U(3, _s3, 3, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(0, 1, d0m1, 4, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(2, 3, d2m3, 5, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(1, 0, d1m0, 6, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(3, 2, d3m2, 7, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, ev_spec, num_ev_spec), \ + IIO_CHAN_SOFT_TIMESTAMP(8) \ + } + +@@ -609,14 +609,14 @@ static const enum max1363_modes max11608 + MAX1363_CHAN_U(5, _s5, 5, bits, NULL, 0), \ + MAX1363_CHAN_U(6, _s6, 6, bits, NULL, 0), \ + MAX1363_CHAN_U(7, _s7, 7, bits, NULL, 0), \ +- MAX1363_CHAN_B(0, 1, d0m1, 8, bits, NULL, 0), \ +- MAX1363_CHAN_B(2, 3, d2m3, 9, bits, NULL, 0), \ +- MAX1363_CHAN_B(4, 5, d4m5, 10, bits, NULL, 0), \ +- MAX1363_CHAN_B(6, 7, d6m7, 11, bits, NULL, 0), \ +- MAX1363_CHAN_B(1, 0, d1m0, 12, bits, NULL, 0), \ +- MAX1363_CHAN_B(3, 2, d3m2, 13, bits, NULL, 0), \ +- MAX1363_CHAN_B(5, 4, d5m4, 14, bits, NULL, 0), \ +- MAX1363_CHAN_B(7, 6, d7m6, 15, bits, NULL, 0), \ ++ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, NULL, 0), \ ++ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, NULL, 0), \ ++ MAX1363_CHAN_B(4, 5, d4m5, 14, bits, NULL, 0), \ ++ MAX1363_CHAN_B(6, 7, d6m7, 15, bits, NULL, 0), \ ++ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, NULL, 0), \ ++ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, NULL, 0), \ ++ MAX1363_CHAN_B(5, 4, d5m4, 20, bits, NULL, 0), \ ++ MAX1363_CHAN_B(7, 6, d7m6, 21, bits, NULL, 0), \ + IIO_CHAN_SOFT_TIMESTAMP(16) \ + } + static const struct iio_chan_spec max11602_channels[] = MAX1363_8X_CHANS(8); diff --git a/queue-6.15/iio-adc-max1363-reorder-mode_list-entries.patch b/queue-6.15/iio-adc-max1363-reorder-mode_list-entries.patch new file mode 100644 index 0000000000..f5bdd1c372 --- /dev/null +++ b/queue-6.15/iio-adc-max1363-reorder-mode_list-entries.patch @@ -0,0 +1,91 @@ +From 8d8d7c1dbc46aa07a76acab7336a42ddd900be10 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 16 May 2025 14:39:00 -0300 +Subject: iio: adc: max1363: Reorder mode_list[] entries + +From: Fabio Estevam + +commit 8d8d7c1dbc46aa07a76acab7336a42ddd900be10 upstream. + +The IIO core issues warnings when a scan mask is a subset of a previous +entry in the available_scan_masks array. + +On a board using a MAX11601, the following warning is observed: + +max1363 1-0064: available_scan_mask 7 subset of 6. Never used + +This occurs because the entries in the max11607_mode_list[] array are not +ordered correctly. To fix this, reorder the entries so that no scan mask is +a subset of an earlier one. + +While at it, reorder the mode_list[] arrays for other supported chips as +well, to prevent similar warnings on different variants. + +Note fixes tag dropped as these were introduced over many commits a long +time back and the side effect until recently was a reduction in sampling +rate due to reading too many channels when only a few were desired. +Now we have a sanity check that reports this error but that is not +where the issue was introduced. + +Cc: stable@vger.kernel.org +Signed-off-by: Fabio Estevam +Acked-by: Matti Vaittinen +Link: https://patch.msgid.link/20250516173900.677821-2-festevam@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/max1363.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/iio/adc/max1363.c ++++ b/drivers/iio/adc/max1363.c +@@ -532,23 +532,23 @@ static const struct iio_chan_spec max136 + /* Applies to max1236, max1237 */ + static const enum max1363_modes max1236_mode_list[] = { + _s0, _s1, _s2, _s3, +- s0to1, s0to2, s0to3, ++ s0to1, s0to2, s2to3, s0to3, + d0m1, d2m3, d1m0, d3m2, + d0m1to2m3, d1m0to3m2, +- s2to3, + }; + + /* Applies to max1238, max1239 */ + static const enum max1363_modes max1238_mode_list[] = { + _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7, _s8, _s9, _s10, _s11, + s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, ++ s6to7, s6to8, s6to9, s6to10, s6to11, + s0to7, s0to8, s0to9, s0to10, s0to11, + d0m1, d2m3, d4m5, d6m7, d8m9, d10m11, + d1m0, d3m2, d5m4, d7m6, d9m8, d11m10, +- d0m1to2m3, d0m1to4m5, d0m1to6m7, d0m1to8m9, d0m1to10m11, +- d1m0to3m2, d1m0to5m4, d1m0to7m6, d1m0to9m8, d1m0to11m10, +- s6to7, s6to8, s6to9, s6to10, s6to11, +- d6m7to8m9, d6m7to10m11, d7m6to9m8, d7m6to11m10, ++ d0m1to2m3, d0m1to4m5, d0m1to6m7, d6m7to8m9, ++ d0m1to8m9, d6m7to10m11, d0m1to10m11, d1m0to3m2, ++ d1m0to5m4, d1m0to7m6, d7m6to9m8, d1m0to9m8, ++ d7m6to11m10, d1m0to11m10, + }; + + #define MAX1363_12X_CHANS(bits) { \ +@@ -584,16 +584,15 @@ static const struct iio_chan_spec max123 + + static const enum max1363_modes max11607_mode_list[] = { + _s0, _s1, _s2, _s3, +- s0to1, s0to2, s0to3, +- s2to3, ++ s0to1, s0to2, s2to3, ++ s0to3, + d0m1, d2m3, d1m0, d3m2, + d0m1to2m3, d1m0to3m2, + }; + + static const enum max1363_modes max11608_mode_list[] = { + _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7, +- s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s0to7, +- s6to7, ++ s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s6to7, s0to7, + d0m1, d2m3, d4m5, d6m7, + d1m0, d3m2, d5m4, d7m6, + d0m1to2m3, d0m1to4m5, d0m1to6m7, diff --git a/queue-6.15/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch b/queue-6.15/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch new file mode 100644 index 0000000000..88b4f26858 --- /dev/null +++ b/queue-6.15/iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch @@ -0,0 +1,45 @@ +From e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 Mon Sep 17 00:00:00 2001 +From: Chen Ni +Date: Thu, 15 May 2025 16:31:01 +0800 +Subject: iio: adc: stm32-adc: Fix race in installing chained IRQ handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ni + +commit e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 upstream. + +Fix a race where a pending interrupt could be received and the handler +called before the handler's data has been setup, by converting to +irq_set_chained_handler_and_data(). + +Fixes: 1add69880240 ("iio: adc: Add support for STM32 ADC core") +Signed-off-by: Chen Ni +Reviewed-by: Nuno Sá +Tested-by: Fabrice Gasnier +Reviewed-by: Fabrice Gasnier +Link: https://patch.msgid.link/20250515083101.3811350-1-nichen@iscas.ac.cn +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/stm32-adc-core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/iio/adc/stm32-adc-core.c ++++ b/drivers/iio/adc/stm32-adc-core.c +@@ -429,10 +429,9 @@ static int stm32_adc_irq_probe(struct pl + return -ENOMEM; + } + +- for (i = 0; i < priv->cfg->num_irqs; i++) { +- irq_set_chained_handler(priv->irq[i], stm32_adc_irq_handler); +- irq_set_handler_data(priv->irq[i], priv); +- } ++ for (i = 0; i < priv->cfg->num_irqs; i++) ++ irq_set_chained_handler_and_data(priv->irq[i], ++ stm32_adc_irq_handler, priv); + + return 0; + } diff --git a/queue-6.15/iio-backend-fix-out-of-bound-write.patch b/queue-6.15/iio-backend-fix-out-of-bound-write.patch new file mode 100644 index 0000000000..ac6efc5bce --- /dev/null +++ b/queue-6.15/iio-backend-fix-out-of-bound-write.patch @@ -0,0 +1,48 @@ +From da9374819eb3885636934c1006d450c3cb1a02ed Mon Sep 17 00:00:00 2001 +From: Markus Burri +Date: Thu, 8 May 2025 15:06:07 +0200 +Subject: iio: backend: fix out-of-bound write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Burri + +commit da9374819eb3885636934c1006d450c3cb1a02ed upstream. + +The buffer is set to 80 character. If a caller write more characters, +count is truncated to the max available space in "simple_write_to_buffer". +But afterwards a string terminator is written to the buffer at offset count +without boundary check. The zero termination is written OUT-OF-BOUND. + +Add a check that the given buffer is smaller then the buffer to prevent. + +Fixes: 035b4989211d ("iio: backend: make sure to NULL terminate stack buffer") +Signed-off-by: Markus Burri +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20250508130612.82270-2-markus.burri@mt.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-backend.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-backend.c ++++ b/drivers/iio/industrialio-backend.c +@@ -155,11 +155,14 @@ static ssize_t iio_backend_debugfs_write + ssize_t rc; + int ret; + ++ if (count >= sizeof(buf)) ++ return -ENOSPC; ++ + rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count); + if (rc < 0) + return rc; + +- buf[count] = '\0'; ++ buf[rc] = '\0'; + + ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val); + diff --git a/queue-6.15/iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch b/queue-6.15/iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch new file mode 100644 index 0000000000..8ca2e94670 --- /dev/null +++ b/queue-6.15/iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch @@ -0,0 +1,282 @@ +From 9f92e93e257b33e73622640a9205f8642ec16ddd Mon Sep 17 00:00:00 2001 +From: Maud Spierings +Date: Tue, 27 May 2025 08:36:08 +0200 +Subject: iio: common: st_sensors: Fix use of uninitialize device structs + +From: Maud Spierings + +commit 9f92e93e257b33e73622640a9205f8642ec16ddd upstream. + +Throughout the various probe functions &indio_dev->dev is used before it +is initialized. This caused a kernel panic in st_sensors_power_enable() +when the call to devm_regulator_bulk_get_enable() fails and then calls +dev_err_probe() with the uninitialized device. + +This seems to only cause a panic with dev_err_probe(), dev_err(), +dev_warn() and dev_info() don't seem to cause a panic, but are fixed +as well. + +The issue is reported and traced here: [1] + +Link: https://lore.kernel.org/all/AM7P189MB100986A83D2F28AF3FFAF976E39EA@AM7P189MB1009.EURP189.PROD.OUTLOOK.COM/ [1] +Cc: stable@vger.kernel.org +Signed-off-by: Maud Spierings +Reviewed-by: Andy Shevchenko +Link: https://... [1] +Link: https://patch.msgid.link/20250527-st_iio_fix-v4-1-12d89801c761@gocontroll.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/st_accel_core.c | 10 ++--- + drivers/iio/common/st_sensors/st_sensors_core.c | 36 +++++++++------------ + drivers/iio/common/st_sensors/st_sensors_trigger.c | 20 +++++------ + 3 files changed, 31 insertions(+), 35 deletions(-) + +--- a/drivers/iio/accel/st_accel_core.c ++++ b/drivers/iio/accel/st_accel_core.c +@@ -1353,6 +1353,7 @@ static int apply_acpi_orientation(struct + union acpi_object *ont; + union acpi_object *elements; + acpi_status status; ++ struct device *parent = indio_dev->dev.parent; + int ret = -EINVAL; + unsigned int val; + int i, j; +@@ -1371,7 +1372,7 @@ static int apply_acpi_orientation(struct + }; + + +- adev = ACPI_COMPANION(indio_dev->dev.parent); ++ adev = ACPI_COMPANION(parent); + if (!adev) + return -ENXIO; + +@@ -1380,8 +1381,7 @@ static int apply_acpi_orientation(struct + if (status == AE_NOT_FOUND) { + return -ENXIO; + } else if (ACPI_FAILURE(status)) { +- dev_warn(&indio_dev->dev, "failed to execute _ONT: %d\n", +- status); ++ dev_warn(parent, "failed to execute _ONT: %d\n", status); + return status; + } + +@@ -1457,12 +1457,12 @@ static int apply_acpi_orientation(struct + } + + ret = 0; +- dev_info(&indio_dev->dev, "computed mount matrix from ACPI\n"); ++ dev_info(parent, "computed mount matrix from ACPI\n"); + + out: + kfree(buffer.pointer); + if (ret) +- dev_dbg(&indio_dev->dev, ++ dev_dbg(parent, + "failed to apply ACPI orientation data: %d\n", ret); + + return ret; +--- a/drivers/iio/common/st_sensors/st_sensors_core.c ++++ b/drivers/iio/common/st_sensors/st_sensors_core.c +@@ -154,7 +154,7 @@ static int st_sensors_set_fullscale(stru + return err; + + st_accel_set_fullscale_error: +- dev_err(&indio_dev->dev, "failed to set new fullscale.\n"); ++ dev_err(indio_dev->dev.parent, "failed to set new fullscale.\n"); + return err; + } + +@@ -231,8 +231,7 @@ int st_sensors_power_enable(struct iio_d + ARRAY_SIZE(regulator_names), + regulator_names); + if (err) +- return dev_err_probe(&indio_dev->dev, err, +- "unable to enable supplies\n"); ++ return dev_err_probe(parent, err, "unable to enable supplies\n"); + + return 0; + } +@@ -241,13 +240,14 @@ EXPORT_SYMBOL_NS(st_sensors_power_enable + static int st_sensors_set_drdy_int_pin(struct iio_dev *indio_dev, + struct st_sensors_platform_data *pdata) + { ++ struct device *parent = indio_dev->dev.parent; + struct st_sensor_data *sdata = iio_priv(indio_dev); + + /* Sensor does not support interrupts */ + if (!sdata->sensor_settings->drdy_irq.int1.addr && + !sdata->sensor_settings->drdy_irq.int2.addr) { + if (pdata->drdy_int_pin) +- dev_info(&indio_dev->dev, ++ dev_info(parent, + "DRDY on pin INT%d specified, but sensor does not support interrupts\n", + pdata->drdy_int_pin); + return 0; +@@ -256,29 +256,27 @@ static int st_sensors_set_drdy_int_pin(s + switch (pdata->drdy_int_pin) { + case 1: + if (!sdata->sensor_settings->drdy_irq.int1.mask) { +- dev_err(&indio_dev->dev, +- "DRDY on INT1 not available.\n"); ++ dev_err(parent, "DRDY on INT1 not available.\n"); + return -EINVAL; + } + sdata->drdy_int_pin = 1; + break; + case 2: + if (!sdata->sensor_settings->drdy_irq.int2.mask) { +- dev_err(&indio_dev->dev, +- "DRDY on INT2 not available.\n"); ++ dev_err(parent, "DRDY on INT2 not available.\n"); + return -EINVAL; + } + sdata->drdy_int_pin = 2; + break; + default: +- dev_err(&indio_dev->dev, "DRDY on pdata not valid.\n"); ++ dev_err(parent, "DRDY on pdata not valid.\n"); + return -EINVAL; + } + + if (pdata->open_drain) { + if (!sdata->sensor_settings->drdy_irq.int1.addr_od && + !sdata->sensor_settings->drdy_irq.int2.addr_od) +- dev_err(&indio_dev->dev, ++ dev_err(parent, + "open drain requested but unsupported.\n"); + else + sdata->int_pin_open_drain = true; +@@ -336,6 +334,7 @@ EXPORT_SYMBOL_NS(st_sensors_dev_name_pro + int st_sensors_init_sensor(struct iio_dev *indio_dev, + struct st_sensors_platform_data *pdata) + { ++ struct device *parent = indio_dev->dev.parent; + struct st_sensor_data *sdata = iio_priv(indio_dev); + struct st_sensors_platform_data *of_pdata; + int err = 0; +@@ -343,7 +342,7 @@ int st_sensors_init_sensor(struct iio_de + mutex_init(&sdata->odr_lock); + + /* If OF/DT pdata exists, it will take precedence of anything else */ +- of_pdata = st_sensors_dev_probe(indio_dev->dev.parent, pdata); ++ of_pdata = st_sensors_dev_probe(parent, pdata); + if (IS_ERR(of_pdata)) + return PTR_ERR(of_pdata); + if (of_pdata) +@@ -370,7 +369,7 @@ int st_sensors_init_sensor(struct iio_de + if (err < 0) + return err; + } else +- dev_info(&indio_dev->dev, "Full-scale not possible\n"); ++ dev_info(parent, "Full-scale not possible\n"); + + err = st_sensors_set_odr(indio_dev, sdata->odr); + if (err < 0) +@@ -405,7 +404,7 @@ int st_sensors_init_sensor(struct iio_de + mask = sdata->sensor_settings->drdy_irq.int2.mask_od; + } + +- dev_info(&indio_dev->dev, ++ dev_info(parent, + "set interrupt line to open drain mode on pin %d\n", + sdata->drdy_int_pin); + err = st_sensors_write_data_with_mask(indio_dev, addr, +@@ -594,21 +593,20 @@ EXPORT_SYMBOL_NS(st_sensors_get_settings + int st_sensors_verify_id(struct iio_dev *indio_dev) + { + struct st_sensor_data *sdata = iio_priv(indio_dev); ++ struct device *parent = indio_dev->dev.parent; + int wai, err; + + if (sdata->sensor_settings->wai_addr) { + err = regmap_read(sdata->regmap, + sdata->sensor_settings->wai_addr, &wai); + if (err < 0) { +- dev_err(&indio_dev->dev, +- "failed to read Who-Am-I register.\n"); +- return err; ++ return dev_err_probe(parent, err, ++ "failed to read Who-Am-I register.\n"); + } + + if (sdata->sensor_settings->wai != wai) { +- dev_warn(&indio_dev->dev, +- "%s: WhoAmI mismatch (0x%x).\n", +- indio_dev->name, wai); ++ dev_warn(parent, "%s: WhoAmI mismatch (0x%x).\n", ++ indio_dev->name, wai); + } + } + +--- a/drivers/iio/common/st_sensors/st_sensors_trigger.c ++++ b/drivers/iio/common/st_sensors/st_sensors_trigger.c +@@ -127,7 +127,7 @@ int st_sensors_allocate_trigger(struct i + sdata->trig = devm_iio_trigger_alloc(parent, "%s-trigger", + indio_dev->name); + if (sdata->trig == NULL) { +- dev_err(&indio_dev->dev, "failed to allocate iio trigger.\n"); ++ dev_err(parent, "failed to allocate iio trigger.\n"); + return -ENOMEM; + } + +@@ -143,7 +143,7 @@ int st_sensors_allocate_trigger(struct i + case IRQF_TRIGGER_FALLING: + case IRQF_TRIGGER_LOW: + if (!sdata->sensor_settings->drdy_irq.addr_ihl) { +- dev_err(&indio_dev->dev, ++ dev_err(parent, + "falling/low specified for IRQ but hardware supports only rising/high: will request rising/high\n"); + if (irq_trig == IRQF_TRIGGER_FALLING) + irq_trig = IRQF_TRIGGER_RISING; +@@ -156,21 +156,19 @@ int st_sensors_allocate_trigger(struct i + sdata->sensor_settings->drdy_irq.mask_ihl, 1); + if (err < 0) + return err; +- dev_info(&indio_dev->dev, ++ dev_info(parent, + "interrupts on the falling edge or active low level\n"); + } + break; + case IRQF_TRIGGER_RISING: +- dev_info(&indio_dev->dev, +- "interrupts on the rising edge\n"); ++ dev_info(parent, "interrupts on the rising edge\n"); + break; + case IRQF_TRIGGER_HIGH: +- dev_info(&indio_dev->dev, +- "interrupts active high level\n"); ++ dev_info(parent, "interrupts active high level\n"); + break; + default: + /* This is the most preferred mode, if possible */ +- dev_err(&indio_dev->dev, ++ dev_err(parent, + "unsupported IRQ trigger specified (%lx), enforce rising edge\n", irq_trig); + irq_trig = IRQF_TRIGGER_RISING; + } +@@ -179,7 +177,7 @@ int st_sensors_allocate_trigger(struct i + if (irq_trig == IRQF_TRIGGER_FALLING || + irq_trig == IRQF_TRIGGER_RISING) { + if (!sdata->sensor_settings->drdy_irq.stat_drdy.addr) { +- dev_err(&indio_dev->dev, ++ dev_err(parent, + "edge IRQ not supported w/o stat register.\n"); + return -EOPNOTSUPP; + } +@@ -214,13 +212,13 @@ int st_sensors_allocate_trigger(struct i + sdata->trig->name, + sdata->trig); + if (err) { +- dev_err(&indio_dev->dev, "failed to request trigger IRQ.\n"); ++ dev_err(parent, "failed to request trigger IRQ.\n"); + return err; + } + + err = devm_iio_trigger_register(parent, sdata->trig); + if (err < 0) { +- dev_err(&indio_dev->dev, "failed to register iio trigger.\n"); ++ dev_err(parent, "failed to register iio trigger.\n"); + return err; + } + indio_dev->trig = iio_trigger_get(sdata->trig); diff --git a/queue-6.15/s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch b/queue-6.15/s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch new file mode 100644 index 0000000000..c5ba5cd802 --- /dev/null +++ b/queue-6.15/s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch @@ -0,0 +1,45 @@ +From 6a5abf8cf182f577c7ae6c62f14debc9754ec986 Mon Sep 17 00:00:00 2001 +From: Ilya Leoshkevich +Date: Wed, 16 Jul 2025 21:35:06 +0200 +Subject: s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again + +From: Ilya Leoshkevich + +commit 6a5abf8cf182f577c7ae6c62f14debc9754ec986 upstream. + +Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has +accidentally removed the critical piece of commit c730fce7c70c +("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing +intermittent kernel panics in e.g. perf's on_switch() prog to reappear. + +Restore the fix and add a comment. + +Fixes: 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") +Cc: stable@vger.kernel.org +Signed-off-by: Ilya Leoshkevich +Link: https://lore.kernel.org/r/20250716194524.48109-2-iii@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/net/bpf_jit_comp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -544,7 +544,15 @@ static void bpf_jit_plt(struct bpf_plt * + { + memcpy(plt, &bpf_plt, sizeof(*plt)); + plt->ret = ret; +- plt->target = target; ++ /* ++ * (target == NULL) implies that the branch to this PLT entry was ++ * patched and became a no-op. However, some CPU could have jumped ++ * to this PLT entry before patching and may be still executing it. ++ * ++ * Since the intention in this case is to make the PLT entry a no-op, ++ * make the target point to the return label instead of NULL. ++ */ ++ plt->target = target ?: ret; + } + + /* diff --git a/queue-6.15/series b/queue-6.15/series index 40bc922cd8..8373fc9819 100644 --- a/queue-6.15/series +++ b/queue-6.15/series @@ -70,3 +70,19 @@ net-libwx-remove-duplicate-page_pool_put_full_page.patch net-libwx-fix-the-using-of-rx-buffer-dma.patch net-libwx-properly-reset-rx-ring-descriptor.patch pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch +s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch +smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch +soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch +soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch +soundwire-revert-soundwire-qcom-add-set_channel_map-api-support.patch +xfs-don-t-allocate-the-xfs_extent_busy-structure-for-zoned-rtgs.patch +iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch +iio-adc-ad7380-fix-adi-gain-milli-property-parsing.patch +iio-adc-adi-axi-adc-fix-ad7606_bus_reg_read.patch +iio-adc-axp20x_adc-add-missing-sentinel-to-axp717-adc-channel-maps.patch +iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch +iio-adc-max1363-reorder-mode_list-entries.patch +iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch +iio-backend-fix-out-of-bound-write.patch +iio-common-st_sensors-fix-use-of-uninitialize-device-structs.patch +comedi-pcl812-fix-bit-shift-out-of-bounds.patch diff --git a/queue-6.15/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch b/queue-6.15/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch new file mode 100644 index 0000000000..e0d8764635 --- /dev/null +++ b/queue-6.15/smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch @@ -0,0 +1,81 @@ +From b220bed63330c0e1733dc06ea8e75d5b9962b6b6 Mon Sep 17 00:00:00 2001 +From: Wang Zhaolong +Date: Sat, 5 Jul 2025 10:51:18 +0800 +Subject: smb: client: fix use-after-free in crypt_message when using async crypto + +From: Wang Zhaolong + +commit b220bed63330c0e1733dc06ea8e75d5b9962b6b6 upstream. + +The CVE-2024-50047 fix removed asynchronous crypto handling from +crypt_message(), assuming all crypto operations are synchronous. +However, when hardware crypto accelerators are used, this can cause +use-after-free crashes: + + crypt_message() + // Allocate the creq buffer containing the req + creq = smb2_get_aead_req(..., &req); + + // Async encryption returns -EINPROGRESS immediately + rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); + + // Free creq while async operation is still in progress + kvfree_sensitive(creq, ...); + +Hardware crypto modules often implement async AEAD operations for +performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, +the operation completes asynchronously. Without crypto_wait_req(), +the function immediately frees the request buffer, leading to crashes +when the driver later accesses the freed memory. + +This results in a use-after-free condition when the hardware crypto +driver later accesses the freed request structure, leading to kernel +crashes with NULL pointer dereferences. + +The issue occurs because crypto_alloc_aead() with mask=0 doesn't +guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in +the mask, async implementations can be selected. + +Fix by restoring the async crypto handling: +- DECLARE_CRYPTO_WAIT(wait) for completion tracking +- aead_request_set_callback() for async completion notification +- crypto_wait_req() to wait for operation completion + +This ensures the request buffer isn't freed until the crypto operation +completes, whether synchronous or asynchronous, while preserving the +CVE-2024-50047 fix. + +Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption") +Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweicloud.com/ +Cc: stable@vger.kernel.org +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -4307,6 +4307,7 @@ crypt_message(struct TCP_Server_Info *se + u8 key[SMB3_ENC_DEC_KEY_SIZE]; + struct aead_request *req; + u8 *iv; ++ DECLARE_CRYPTO_WAIT(wait); + unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); + void *creq; + size_t sensitive_size; +@@ -4357,7 +4358,11 @@ crypt_message(struct TCP_Server_Info *se + aead_request_set_crypt(req, sg, sg, crypt_len, iv); + aead_request_set_ad(req, assoc_data_len); + +- rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); ++ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, ++ crypto_req_done, &wait); ++ ++ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) ++ : crypto_aead_decrypt(req), &wait); + + if (!rc && enc) + memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE); diff --git a/queue-6.15/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch b/queue-6.15/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch new file mode 100644 index 0000000000..fbc20cfa14 --- /dev/null +++ b/queue-6.15/soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch @@ -0,0 +1,36 @@ +From 8481d59be606d2338dbfe14b04cdbd1a3402c150 Mon Sep 17 00:00:00 2001 +From: Andrew Jeffery +Date: Mon, 16 Jun 2025 22:43:38 +0930 +Subject: soc: aspeed: lpc-snoop: Cleanup resources in stack-order + +From: Andrew Jeffery + +commit 8481d59be606d2338dbfe14b04cdbd1a3402c150 upstream. + +Free the kfifo after unregistering the miscdev in +aspeed_lpc_disable_snoop() as the kfifo is initialised before the +miscdev in aspeed_lpc_enable_snoop(). + +Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev") +Cc: stable@vger.kernel.org +Cc: Jean Delvare +Acked-by: Jean Delvare +Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-1-3cdd59c934d3@codeconstruct.com.au +Signed-off-by: Andrew Jeffery +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -263,8 +263,8 @@ static void aspeed_lpc_disable_snoop(str + return; + } + +- kfifo_free(&lpc_snoop->chan[channel].fifo); + misc_deregister(&lpc_snoop->chan[channel].miscdev); ++ kfifo_free(&lpc_snoop->chan[channel].fifo); + } + + static int aspeed_lpc_snoop_probe(struct platform_device *pdev) diff --git a/queue-6.15/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch b/queue-6.15/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch new file mode 100644 index 0000000000..f8da0d6766 --- /dev/null +++ b/queue-6.15/soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch @@ -0,0 +1,83 @@ +From 56448e78a6bb4e1a8528a0e2efe94eff0400c247 Mon Sep 17 00:00:00 2001 +From: Andrew Jeffery +Date: Mon, 16 Jun 2025 22:43:39 +0930 +Subject: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled + +From: Andrew Jeffery + +commit 56448e78a6bb4e1a8528a0e2efe94eff0400c247 upstream. + +Mitigate e.g. the following: + + # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind + ... + [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write + [ 120.373866] [00000004] *pgd=00000000 + [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM + [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE + ... + [ 120.679543] Call trace: + [ 120.679559] misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac + [ 120.692462] aspeed_lpc_snoop_remove from platform_remove+0x28/0x38 + [ 120.700996] platform_remove from device_release_driver_internal+0x188/0x200 + ... + +Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver") +Cc: stable@vger.kernel.org +Cc: Jean Delvare +Acked-by: Jean Delvare +Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-2-3cdd59c934d3@codeconstruct.com.au +Signed-off-by: Andrew Jeffery +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -58,6 +58,7 @@ struct aspeed_lpc_snoop_model_data { + }; + + struct aspeed_lpc_snoop_channel { ++ bool enabled; + struct kfifo fifo; + wait_queue_head_t wq; + struct miscdevice miscdev; +@@ -190,6 +191,9 @@ static int aspeed_lpc_enable_snoop(struc + const struct aspeed_lpc_snoop_model_data *model_data = + of_device_get_match_data(dev); + ++ if (WARN_ON(lpc_snoop->chan[channel].enabled)) ++ return -EBUSY; ++ + init_waitqueue_head(&lpc_snoop->chan[channel].wq); + /* Create FIFO datastructure */ + rc = kfifo_alloc(&lpc_snoop->chan[channel].fifo, +@@ -236,6 +240,8 @@ static int aspeed_lpc_enable_snoop(struc + regmap_update_bits(lpc_snoop->regmap, HICRB, + hicrb_en, hicrb_en); + ++ lpc_snoop->chan[channel].enabled = true; ++ + return 0; + + err_misc_deregister: +@@ -248,6 +254,9 @@ err_free_fifo: + static void aspeed_lpc_disable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + int channel) + { ++ if (!lpc_snoop->chan[channel].enabled) ++ return; ++ + switch (channel) { + case 0: + regmap_update_bits(lpc_snoop->regmap, HICR5, +@@ -263,6 +272,8 @@ static void aspeed_lpc_disable_snoop(str + return; + } + ++ lpc_snoop->chan[channel].enabled = false; ++ /* Consider improving safety wrt concurrent reader(s) */ + misc_deregister(&lpc_snoop->chan[channel].miscdev); + kfifo_free(&lpc_snoop->chan[channel].fifo); + } diff --git a/queue-6.15/soundwire-revert-soundwire-qcom-add-set_channel_map-api-support.patch b/queue-6.15/soundwire-revert-soundwire-qcom-add-set_channel_map-api-support.patch new file mode 100644 index 0000000000..acb9cc29af --- /dev/null +++ b/queue-6.15/soundwire-revert-soundwire-qcom-add-set_channel_map-api-support.patch @@ -0,0 +1,131 @@ +From 834bce6a715ae9a9c4dce7892454a19adf22b013 Mon Sep 17 00:00:00 2001 +From: Amit Pundir +Date: Wed, 9 Jul 2025 23:19:49 +0530 +Subject: soundwire: Revert "soundwire: qcom: Add set_channel_map api support" + +From: Amit Pundir + +commit 834bce6a715ae9a9c4dce7892454a19adf22b013 upstream. + +This reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5. + +This patch broke Dragonboard 845c (sdm845). I see: + + Unexpected kernel BRK exception at EL1 + Internal error: BRK handler: 00000000f20003e8 [#1] SMP + pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] + lr : snd_soc_dai_set_channel_map+0x34/0x78 + Call trace: + qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P) + sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845] + snd_soc_link_init+0x28/0x6c + snd_soc_bind_card+0x5f4/0xb0c + snd_soc_register_card+0x148/0x1a4 + devm_snd_soc_register_card+0x50/0xb0 + sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845] + platform_probe+0x6c/0xd0 + really_probe+0xc0/0x2a4 + __driver_probe_device+0x7c/0x130 + driver_probe_device+0x40/0x118 + __device_attach_driver+0xc4/0x108 + bus_for_each_drv+0x8c/0xf0 + __device_attach+0xa4/0x198 + device_initial_probe+0x18/0x28 + bus_probe_device+0xb8/0xbc + deferred_probe_work_func+0xac/0xfc + process_one_work+0x244/0x658 + worker_thread+0x1b4/0x360 + kthread+0x148/0x228 + ret_from_fork+0x10/0x20 + Kernel panic - not syncing: BRK handler: Fatal exception + +Dan has also reported following issues with the original patch +https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/ + +Bug #1: +The zeroeth element of ctrl->pconfig[] is supposed to be unused. We +start counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128. + +Bug #2: +There are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only +QCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts +memory like Yongqin Liu pointed out. + +Bug 3: +Like Jie Gan pointed out, it erases all the tx information with the rx +information. + +Cc: stable@vger.kernel.org # v6.15+ +Signed-off-by: Amit Pundir +Acked-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20250709174949.8541-1-amit.pundir@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soundwire/qcom.c | 26 -------------------------- + 1 file changed, 26 deletions(-) + +diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c +index 295a46dc2be7..0f45e3404756 100644 +--- a/drivers/soundwire/qcom.c ++++ b/drivers/soundwire/qcom.c +@@ -156,7 +156,6 @@ struct qcom_swrm_port_config { + u8 word_length; + u8 blk_group_count; + u8 lane_control; +- u8 ch_mask; + }; + + /* +@@ -1049,13 +1048,9 @@ static int qcom_swrm_port_enable(struct sdw_bus *bus, + { + u32 reg = SWRM_DP_PORT_CTRL_BANK(enable_ch->port_num, bank); + struct qcom_swrm_ctrl *ctrl = to_qcom_sdw(bus); +- struct qcom_swrm_port_config *pcfg; + u32 val; + +- pcfg = &ctrl->pconfig[enable_ch->port_num]; + ctrl->reg_read(ctrl, reg, &val); +- if (pcfg->ch_mask != SWR_INVALID_PARAM && pcfg->ch_mask != 0) +- enable_ch->ch_mask = pcfg->ch_mask; + + if (enable_ch->enable) + val |= (enable_ch->ch_mask << SWRM_DP_PORT_CTRL_EN_CHAN_SHFT); +@@ -1275,26 +1270,6 @@ static void *qcom_swrm_get_sdw_stream(struct snd_soc_dai *dai, int direction) + return ctrl->sruntime[dai->id]; + } + +-static int qcom_swrm_set_channel_map(struct snd_soc_dai *dai, +- unsigned int tx_num, const unsigned int *tx_slot, +- unsigned int rx_num, const unsigned int *rx_slot) +-{ +- struct qcom_swrm_ctrl *ctrl = dev_get_drvdata(dai->dev); +- int i; +- +- if (tx_slot) { +- for (i = 0; i < tx_num; i++) +- ctrl->pconfig[i].ch_mask = tx_slot[i]; +- } +- +- if (rx_slot) { +- for (i = 0; i < rx_num; i++) +- ctrl->pconfig[i].ch_mask = rx_slot[i]; +- } +- +- return 0; +-} +- + static int qcom_swrm_startup(struct snd_pcm_substream *substream, + struct snd_soc_dai *dai) + { +@@ -1331,7 +1306,6 @@ static const struct snd_soc_dai_ops qcom_swrm_pdm_dai_ops = { + .shutdown = qcom_swrm_shutdown, + .set_stream = qcom_swrm_set_sdw_stream, + .get_stream = qcom_swrm_get_sdw_stream, +- .set_channel_map = qcom_swrm_set_channel_map, + }; + + static const struct snd_soc_component_driver qcom_swrm_dai_component = { +-- +2.50.1 + diff --git a/queue-6.15/xfs-don-t-allocate-the-xfs_extent_busy-structure-for-zoned-rtgs.patch b/queue-6.15/xfs-don-t-allocate-the-xfs_extent_busy-structure-for-zoned-rtgs.patch new file mode 100644 index 0000000000..8d859d79ba --- /dev/null +++ b/queue-6.15/xfs-don-t-allocate-the-xfs_extent_busy-structure-for-zoned-rtgs.patch @@ -0,0 +1,98 @@ +From 5948705adbf1a7afcecfe9a13ff39221ef61e16b Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Wed, 16 Jul 2025 14:54:01 +0200 +Subject: xfs: don't allocate the xfs_extent_busy structure for zoned RTGs + +From: Christoph Hellwig + +commit 5948705adbf1a7afcecfe9a13ff39221ef61e16b upstream. + +Busy extent tracking is primarily used to ensure that freed blocks are +not reused for data allocations before the transaction that deleted them +has been committed to stable storage, and secondarily to drive online +discard. None of the use cases applies to zoned RTGs, as the zoned +allocator can't overwrite blocks before resetting the zone, which already +flushes out all transactions touching the RTGs. + +So the busy extent tracking is not needed for zoned RTGs, and also not +called for zoned RTGs. But somehow the code to skip allocating and +freeing the structure got lost during the zoned XFS upstreaming process. +This not only causes these structures to unnecessarily allocated, but can +also lead to memory leaks as the xg_busy_extents pointer in the +xfs_group structure is overlayed with the pointer for the linked list +of to be reset zones. + +Stop allocating and freeing the structure to not pointlessly allocate +memory which is then leaked when the zone is reset. + +Fixes: 080d01c41d44 ("xfs: implement zoned garbage collection") +Signed-off-by: Christoph Hellwig +Cc: # v6.15 +[cem: Fix type and add stable tag] +Reviewed-by: Darrick J. Wong +Signed-off-by: Carlos Maiolino +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/libxfs/xfs_group.c | 14 +++++++++----- + fs/xfs/xfs_extent_busy.h | 8 ++++++++ + 2 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/fs/xfs/libxfs/xfs_group.c b/fs/xfs/libxfs/xfs_group.c +index e9d76bcdc820..20ad7c309489 100644 +--- a/fs/xfs/libxfs/xfs_group.c ++++ b/fs/xfs/libxfs/xfs_group.c +@@ -163,7 +163,8 @@ xfs_group_free( + + xfs_defer_drain_free(&xg->xg_intents_drain); + #ifdef __KERNEL__ +- kfree(xg->xg_busy_extents); ++ if (xfs_group_has_extent_busy(xg->xg_mount, xg->xg_type)) ++ kfree(xg->xg_busy_extents); + #endif + + if (uninit) +@@ -189,9 +190,11 @@ xfs_group_insert( + xg->xg_type = type; + + #ifdef __KERNEL__ +- xg->xg_busy_extents = xfs_extent_busy_alloc(); +- if (!xg->xg_busy_extents) +- return -ENOMEM; ++ if (xfs_group_has_extent_busy(mp, type)) { ++ xg->xg_busy_extents = xfs_extent_busy_alloc(); ++ if (!xg->xg_busy_extents) ++ return -ENOMEM; ++ } + spin_lock_init(&xg->xg_state_lock); + xfs_hooks_init(&xg->xg_rmap_update_hooks); + #endif +@@ -210,7 +213,8 @@ xfs_group_insert( + out_drain: + xfs_defer_drain_free(&xg->xg_intents_drain); + #ifdef __KERNEL__ +- kfree(xg->xg_busy_extents); ++ if (xfs_group_has_extent_busy(xg->xg_mount, xg->xg_type)) ++ kfree(xg->xg_busy_extents); + #endif + return error; + } +diff --git a/fs/xfs/xfs_extent_busy.h b/fs/xfs/xfs_extent_busy.h +index f069b04e8ea1..3e6e019b6146 100644 +--- a/fs/xfs/xfs_extent_busy.h ++++ b/fs/xfs/xfs_extent_busy.h +@@ -68,4 +68,12 @@ static inline void xfs_extent_busy_sort(struct list_head *list) + list_sort(NULL, list, xfs_extent_busy_ag_cmp); + } + ++/* ++ * Zoned RTGs don't need to track busy extents, as the actual block freeing only ++ * happens by a zone reset, which forces out all transactions that touched the ++ * to be reset zone first. ++ */ ++#define xfs_group_has_extent_busy(mp, type) \ ++ ((type) == XG_TYPE_AG || !xfs_has_zoned((mp))) ++ + #endif /* __XFS_EXTENT_BUSY_H__ */ +-- +2.50.1 +