From: Greg Kroah-Hartman Date: Sun, 6 Jul 2025 11:55:17 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v5.15.187~57 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b37eab5b75d30804b7b7433da45d76699f91f88e;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: anon_inode-rework-assertions.patch bluetooth-hci-set-extended-advertising-data-synchronously.patch bluetooth-hci_sync-revert-some-mesh-modifications.patch bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch drm-v3d-disable-interrupts-before-resetting-the-gpu.patch dt-bindings-net-sophgo-sg2044-dwmac-drop-status-from-the-example.patch input-cs40l50-vibra-fix-potential-null-dereference-in-cs40l50_upload_owt.patch iommufd-selftest-add-asserts-testing-global-mfd.patch iommufd-selftest-add-missing-close-mfd-in-memfd_mmap.patch iommufd-selftest-fix-iommufd_dirty_tracking-with-large-hugepage-sizes.patch mmc-core-adjust-some-error-messages-for-sd-uhs-ii-cards.patch mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch mmc-sdhci-uhs2-adjust-some-error-messages-and-register-dump-for-sd-uhs-ii-card.patch mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch mtk-sd-reset-host-mrq-on-prepare_data-error.patch net-libwx-fix-the-incorrect-display-of-the-queue-number.patch net-txgbe-request-misc-irq-in-ndo_open.patch regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch s390-pci-fix-stale-function-handles-in-error-handling.patch usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch 
vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch xfs-actually-use-the-xfs_growfs_check_rtgeom-tracepoint.patch --- diff --git a/queue-6.15/anon_inode-rework-assertions.patch b/queue-6.15/anon_inode-rework-assertions.patch new file mode 100644 index 0000000000..3c7304c022 --- /dev/null +++ b/queue-6.15/anon_inode-rework-assertions.patch 
@@ -0,0 +1,86 @@ +From 1e7ab6f67824343ee3e96f100f0937c393749a8a Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Wed, 2 Jul 2025 11:23:55 +0200 +Subject: anon_inode: rework assertions + +From: Christian Brauner + +commit 1e7ab6f67824343ee3e96f100f0937c393749a8a upstream. + +Making anonymous inodes regular files comes with a lot of risk and +regression potential as evidenced by a recent hickup in io_uring. We're +better of continuing to not have them be regular files. Since we have +S_ANON_INODE we can port all of our assertions easily. + +Link: https://lore.kernel.org/20250702-work-fixes-v1-1-ff76ea589e33@kernel.org +Fixes: cfd86ef7e8e7 ("anon_inode: use a proper mode internally") +Acked-by: Jens Axboe +Cc: stable@kernel.org +Reported-by: Jens Axboe +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 9 +++++++-- + fs/libfs.c | 8 +++----- + fs/namei.c | 2 +- + 3 files changed, 11 insertions(+), 8 deletions(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -111,6 +111,9 @@ static inline void put_binfmt(struct lin + + bool path_noexec(const struct path *path) + { ++ /* If it's an anonymous inode make sure that we catch any shenanigans. */ ++ VFS_WARN_ON_ONCE(IS_ANON_FILE(d_inode(path->dentry)) && ++ !(path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC)); + return (path->mnt->mnt_flags & MNT_NOEXEC) || + (path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC); + } +@@ -894,13 +897,15 @@ static struct file *do_open_execat(int f + if (IS_ERR(file)) + return file; + ++ if (path_noexec(&file->f_path)) ++ return ERR_PTR(-EACCES); ++ + /* + * In the past the regular type check was here. It moved to may_open() in + * 633fb6ac3980 ("exec: move S_ISREG() check earlier"). Since then it is + * an invariant that all non-regular files error out before we get here. 
+ */ +- if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || +- path_noexec(&file->f_path)) ++ if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode))) + return ERR_PTR(-EACCES); + + err = exe_file_deny_write_access(file); +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -1648,12 +1648,10 @@ struct inode *alloc_anon_inode(struct su + */ + inode->i_state = I_DIRTY; + /* +- * Historically anonymous inodes didn't have a type at all and +- * userspace has come to rely on this. Internally they're just +- * regular files but S_IFREG is masked off when reporting +- * information to userspace. ++ * Historically anonymous inodes don't have a type at all and ++ * userspace has come to rely on this. + */ +- inode->i_mode = S_IFREG | S_IRUSR | S_IWUSR; ++ inode->i_mode = S_IRUSR | S_IWUSR; + inode->i_uid = current_fsuid(); + inode->i_gid = current_fsgid(); + inode->i_flags |= S_PRIVATE | S_ANON_INODE; +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3464,7 +3464,7 @@ static int may_open(struct mnt_idmap *id + return -EACCES; + break; + default: +- VFS_BUG_ON_INODE(1, inode); ++ VFS_BUG_ON_INODE(!IS_ANON_FILE(inode), inode); + } + + error = inode_permission(idmap, inode, MAY_OPEN | acc_mode); diff --git a/queue-6.15/bluetooth-hci-set-extended-advertising-data-synchronously.patch b/queue-6.15/bluetooth-hci-set-extended-advertising-data-synchronously.patch new file mode 100644 index 0000000000..bcd6bb15d2 --- /dev/null +++ b/queue-6.15/bluetooth-hci-set-extended-advertising-data-synchronously.patch 
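Review bot: The comment kept above the `S_ISREG` check in `do_open_execat()` (fs/exec.c) still says all non-regular files error out before this point, which no longer holds for anonymous inodes. With this patch they carry no file type (`inode->i_mode = S_IRUSR | S_IWUSR` in fs/libfs.c) and fall into the `default:` case of `may_open()`, which only asserts and then continues to `inode_permission()`. They are therefore refused by the `path_noexec()` call that was moved in front of the check, and the comment should say so, for example `/* Typeless anonymous inodes are rejected by path_noexec() above; their superblock is expected to set SB_I_NOEXEC. */`. `VFS_WARN_ON_ONCE()` and `VFS_BUG_ON_INODE()` appear to be debug-build assertions, so the comment should make clear that the `-EACCES` return is what enforces the rule. All three functions start and end outside the hunks shown.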
@@ -0,0 +1,328 @@ +From 89fb8acc38852116d38d721ad394aad7f2871670 Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Fri, 27 Jun 2025 09:05:08 +0200 +Subject: Bluetooth: HCI: Set extended advertising data synchronously + +From: Christian Eggers + +commit 89fb8acc38852116d38d721ad394aad7f2871670 upstream. + +Currently, for controllers with extended advertising, the advertising +data is set in the asynchronous response handler for extended +adverstising params. As most advertising settings are performed in a +synchronous context, the (asynchronous) setting of the advertising data +is done too late (after enabling the advertising). + +Move setting of adverstising data from asynchronous response handler +into synchronous context to fix ordering of HCI commands. + +Signed-off-by: Christian Eggers +Fixes: a0fb3726ba55 ("Bluetooth: Use Set ext adv/scan rsp data if controller supports") +Cc: stable@vger.kernel.org +v2: https://lore.kernel.org/linux-bluetooth/20250626115209.17839-1-ceggers@arri.de/ +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_event.c | 36 -------- + net/bluetooth/hci_sync.c | 207 ++++++++++++++++++++++++++++------------------ + 2 files changed, 130 insertions(+), 113 deletions(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2150,40 +2150,6 @@ static u8 hci_cc_set_adv_param(struct hc + return rp->status; + } + +-static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, +- struct sk_buff *skb) +-{ +- struct hci_rp_le_set_ext_adv_params *rp = data; +- struct hci_cp_le_set_ext_adv_params *cp; +- struct adv_info *adv_instance; +- +- bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); +- +- if (rp->status) +- return rp->status; +- +- cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); +- if (!cp) +- return rp->status; +- +- hci_dev_lock(hdev); +- hdev->adv_addr_type = cp->own_addr_type; +- if (!cp->handle) { +- /* Store in hdev for instance 0 */ +- 
hdev->adv_tx_power = rp->tx_power; +- } else { +- adv_instance = hci_find_adv_instance(hdev, cp->handle); +- if (adv_instance) +- adv_instance->tx_power = rp->tx_power; +- } +- /* Update adv data as tx power is known now */ +- hci_update_adv_data(hdev, cp->handle); +- +- hci_dev_unlock(hdev); +- +- return rp->status; +-} +- + static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, + struct sk_buff *skb) + { +@@ -4164,8 +4130,6 @@ static const struct hci_cc { + HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, + hci_cc_le_read_num_adv_sets, + sizeof(struct hci_rp_le_read_num_supported_adv_sets)), +- HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, +- sizeof(struct hci_rp_le_set_ext_adv_params)), + HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, + hci_cc_le_set_ext_adv_enable), + HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1205,9 +1205,126 @@ static int hci_set_adv_set_random_addr_s + sizeof(cp), &cp, HCI_CMD_TIMEOUT); + } + ++static int ++hci_set_ext_adv_params_sync(struct hci_dev *hdev, struct adv_info *adv, ++ const struct hci_cp_le_set_ext_adv_params *cp, ++ struct hci_rp_le_set_ext_adv_params *rp) ++{ ++ struct sk_buff *skb; ++ ++ skb = __hci_cmd_sync(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(*cp), ++ cp, HCI_CMD_TIMEOUT); ++ ++ /* If command return a status event, skb will be set to -ENODATA */ ++ if (skb == ERR_PTR(-ENODATA)) ++ return 0; ++ ++ if (IS_ERR(skb)) { ++ bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", ++ HCI_OP_LE_SET_EXT_ADV_PARAMS, PTR_ERR(skb)); ++ return PTR_ERR(skb); ++ } ++ ++ if (skb->len != sizeof(*rp)) { ++ bt_dev_err(hdev, "Invalid response length for 0x%4.4x: %u", ++ HCI_OP_LE_SET_EXT_ADV_PARAMS, skb->len); ++ kfree_skb(skb); ++ return -EIO; ++ } ++ ++ memcpy(rp, skb->data, sizeof(*rp)); ++ kfree_skb(skb); ++ ++ if (!rp->status) { ++ hdev->adv_addr_type = cp->own_addr_type; ++ if (!cp->handle) { ++ /* Store in hdev for instance 0 */ ++ hdev->adv_tx_power = 
rp->tx_power; ++ } else if (adv) { ++ adv->tx_power = rp->tx_power; ++ } ++ } ++ ++ return rp->status; ++} ++ ++static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) ++{ ++ DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, ++ HCI_MAX_EXT_AD_LENGTH); ++ u8 len; ++ struct adv_info *adv = NULL; ++ int err; ++ ++ if (instance) { ++ adv = hci_find_adv_instance(hdev, instance); ++ if (!adv || !adv->adv_data_changed) ++ return 0; ++ } ++ ++ len = eir_create_adv_data(hdev, instance, pdu->data, ++ HCI_MAX_EXT_AD_LENGTH); ++ ++ pdu->length = len; ++ pdu->handle = adv ? adv->handle : instance; ++ pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; ++ pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; ++ ++ err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, ++ struct_size(pdu, data, len), pdu, ++ HCI_CMD_TIMEOUT); ++ if (err) ++ return err; ++ ++ /* Update data if the command succeed */ ++ if (adv) { ++ adv->adv_data_changed = false; ++ } else { ++ memcpy(hdev->adv_data, pdu->data, len); ++ hdev->adv_data_len = len; ++ } ++ ++ return 0; ++} ++ ++static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) ++{ ++ struct hci_cp_le_set_adv_data cp; ++ u8 len; ++ ++ memset(&cp, 0, sizeof(cp)); ++ ++ len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); ++ ++ /* There's nothing to do if the data hasn't changed */ ++ if (hdev->adv_data_len == len && ++ memcmp(cp.data, hdev->adv_data, len) == 0) ++ return 0; ++ ++ memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); ++ hdev->adv_data_len = len; ++ ++ cp.length = len; ++ ++ return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, ++ sizeof(cp), &cp, HCI_CMD_TIMEOUT); ++} ++ ++int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) ++{ ++ if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) ++ return 0; ++ ++ if (ext_adv_capable(hdev)) ++ return hci_set_ext_adv_data_sync(hdev, instance); ++ ++ return hci_set_adv_data_sync(hdev, instance); ++} ++ + int 
hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) + { + struct hci_cp_le_set_ext_adv_params cp; ++ struct hci_rp_le_set_ext_adv_params rp; + bool connectable; + u32 flags; + bdaddr_t random_addr; +@@ -1314,8 +1431,12 @@ int hci_setup_ext_adv_instance_sync(stru + cp.secondary_phy = HCI_ADV_PHY_1M; + } + +- err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, +- sizeof(cp), &cp, HCI_CMD_TIMEOUT); ++ err = hci_set_ext_adv_params_sync(hdev, adv, &cp, &rp); ++ if (err) ++ return err; ++ ++ /* Update adv data as tx power is known now */ ++ err = hci_set_ext_adv_data_sync(hdev, cp.handle); + if (err) + return err; + +@@ -1808,79 +1929,6 @@ int hci_le_terminate_big_sync(struct hci + sizeof(cp), &cp, HCI_CMD_TIMEOUT); + } + +-static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) +-{ +- DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length, +- HCI_MAX_EXT_AD_LENGTH); +- u8 len; +- struct adv_info *adv = NULL; +- int err; +- +- if (instance) { +- adv = hci_find_adv_instance(hdev, instance); +- if (!adv || !adv->adv_data_changed) +- return 0; +- } +- +- len = eir_create_adv_data(hdev, instance, pdu->data, +- HCI_MAX_EXT_AD_LENGTH); +- +- pdu->length = len; +- pdu->handle = adv ? 
adv->handle : instance; +- pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE; +- pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG; +- +- err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, +- struct_size(pdu, data, len), pdu, +- HCI_CMD_TIMEOUT); +- if (err) +- return err; +- +- /* Update data if the command succeed */ +- if (adv) { +- adv->adv_data_changed = false; +- } else { +- memcpy(hdev->adv_data, pdu->data, len); +- hdev->adv_data_len = len; +- } +- +- return 0; +-} +- +-static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) +-{ +- struct hci_cp_le_set_adv_data cp; +- u8 len; +- +- memset(&cp, 0, sizeof(cp)); +- +- len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); +- +- /* There's nothing to do if the data hasn't changed */ +- if (hdev->adv_data_len == len && +- memcmp(cp.data, hdev->adv_data, len) == 0) +- return 0; +- +- memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); +- hdev->adv_data_len = len; +- +- cp.length = len; +- +- return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, +- sizeof(cp), &cp, HCI_CMD_TIMEOUT); +-} +- +-int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) +-{ +- if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) +- return 0; +- +- if (ext_adv_capable(hdev)) +- return hci_set_ext_adv_data_sync(hdev, instance); +- +- return hci_set_adv_data_sync(hdev, instance); +-} +- + int hci_schedule_adv_instance_sync(struct hci_dev *hdev, u8 instance, + bool force) + { +@@ -6263,6 +6311,7 @@ static int hci_le_ext_directed_advertisi + struct hci_conn *conn) + { + struct hci_cp_le_set_ext_adv_params cp; ++ struct hci_rp_le_set_ext_adv_params rp; + int err; + bdaddr_t random_addr; + u8 own_addr_type; +@@ -6304,8 +6353,12 @@ static int hci_le_ext_directed_advertisi + if (err) + return err; + +- err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, +- sizeof(cp), &cp, HCI_CMD_TIMEOUT); ++ err = hci_set_ext_adv_params_sync(hdev, NULL, &cp, &rp); ++ if (err) ++ return err; ++ ++ /* Update adv data as tx 
power is known now */ ++ err = hci_set_ext_adv_data_sync(hdev, cp.handle); + if (err) + return err; + diff --git a/queue-6.15/bluetooth-hci_sync-revert-some-mesh-modifications.patch b/queue-6.15/bluetooth-hci_sync-revert-some-mesh-modifications.patch new file mode 100644 index 0000000000..3d6d61b615 --- /dev/null +++ b/queue-6.15/bluetooth-hci_sync-revert-some-mesh-modifications.patch 
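Review bot: `hci_set_ext_adv_params_sync()` returns 0 on the `skb == ERR_PTR(-ENODATA)` path without writing `*rp`, while both callers (`hci_setup_ext_adv_instance_sync()` and `hci_le_ext_directed_advertising_sync()`) pass an uninitialised stack `struct hci_rp_le_set_ext_adv_params rp`. Nothing in the visible hunks reads `rp` after the call, but a later use of `rp.tx_power` on that path would read stale kernel stack. Clearing the output at the top of the helper with `memset(rp, 0, sizeof(*rp));` closes that gap. The helper also returns the positive HCI status byte (`return rp->status;`) next to negative errno values, which deserves a one-line comment on the return convention. The two caller bodies start and end outside the hunks.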
@@ -0,0 +1,74 @@ +From 46c0d947b64ac8efcf89dd754213dab5d1bd00aa Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Wed, 25 Jun 2025 15:09:29 +0200 +Subject: Bluetooth: hci_sync: revert some mesh modifications + +From: Christian Eggers + +commit 46c0d947b64ac8efcf89dd754213dab5d1bd00aa upstream. + +This reverts minor parts of the changes made in commit b338d91703fa +("Bluetooth: Implement support for Mesh"). It looks like these changes +were only made for development purposes but shouldn't have been part of +the commit. + +Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_sync.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2004,13 +2004,10 @@ static int hci_clear_adv_sets_sync(struc + static int hci_clear_adv_sync(struct hci_dev *hdev, struct sock *sk, bool force) + { + struct adv_info *adv, *n; +- int err = 0; + + if (ext_adv_capable(hdev)) + /* Remove all existing sets */ +- err = hci_clear_adv_sets_sync(hdev, sk); +- if (ext_adv_capable(hdev)) +- return err; ++ return hci_clear_adv_sets_sync(hdev, sk); + + /* This is safe as long as there is no command send while the lock is + * held. +@@ -2038,13 +2035,11 @@ static int hci_clear_adv_sync(struct hci + static int hci_remove_adv_sync(struct hci_dev *hdev, u8 instance, + struct sock *sk) + { +- int err = 0; ++ int err; + + /* If we use extended advertising, instance has to be removed first. */ + if (ext_adv_capable(hdev)) +- err = hci_remove_ext_adv_instance_sync(hdev, instance, sk); +- if (ext_adv_capable(hdev)) +- return err; ++ return hci_remove_ext_adv_instance_sync(hdev, instance, sk); + + /* This is safe as long as there is no command send while the lock is + * held. 
+@@ -2143,16 +2138,13 @@ int hci_read_tx_power_sync(struct hci_de + int hci_disable_advertising_sync(struct hci_dev *hdev) + { + u8 enable = 0x00; +- int err = 0; + + /* If controller is not advertising we are done. */ + if (!hci_dev_test_flag(hdev, HCI_LE_ADV)) + return 0; + + if (ext_adv_capable(hdev)) +- err = hci_disable_ext_adv_instance_sync(hdev, 0x00); +- if (ext_adv_capable(hdev)) +- return err; ++ return hci_disable_ext_adv_instance_sync(hdev, 0x00); + + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_ENABLE, + sizeof(enable), &enable, HCI_CMD_TIMEOUT); diff --git a/queue-6.15/bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch b/queue-6.15/bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch new file mode 100644 index 0000000000..29d9858e20 --- /dev/null +++ b/queue-6.15/bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch 
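Review bot: In `hci_clear_adv_sync()` the unbraced `if (ext_adv_capable(hdev))` now has a comment line sitting between the condition and its `return`, so a statement added under the `if` later would silently become the body. Move the comment above the condition, as `hci_remove_adv_sync()` in the same patch already does: `/* Remove all existing sets */` followed by `if (ext_adv_capable(hdev))` and `return hci_clear_adv_sets_sync(hdev, sk);`. In `hci_remove_adv_sync()` the declaration changes from `int err = 0;` to `int err;`, so every remaining path must assign `err` before reading it. That part of the function is outside the hunk and should be checked.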
@@ -0,0 +1,38 @@ +From f3cb5676e5c11c896ba647ee309a993e73531588 Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Wed, 25 Jun 2025 15:09:31 +0200 +Subject: Bluetooth: MGMT: mesh_send: check instances prior disabling advertising + +From: Christian Eggers + +commit f3cb5676e5c11c896ba647ee309a993e73531588 upstream. + +The unconditional call of hci_disable_advertising_sync() in +mesh_send_done_sync() also disables other LE advertisings (non mesh +related). + +I am not sure whether this call is required at all, but checking the +adv_instances list (like done at other places) seems to solve the +problem. + +Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/mgmt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1080,7 +1080,8 @@ static int mesh_send_done_sync(struct hc + struct mgmt_mesh_tx *mesh_tx; + + hci_dev_clear_flag(hdev, HCI_MESH_SENDING); +- hci_disable_advertising_sync(hdev); ++ if (list_empty(&hdev->adv_instances)) ++ hci_disable_advertising_sync(hdev); + mesh_tx = mgmt_mesh_next(hdev, NULL); + + if (mesh_tx) diff --git a/queue-6.15/bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch b/queue-6.15/bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch new file mode 100644 index 0000000000..edbeb5a84f --- /dev/null +++ b/queue-6.15/bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch 
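Review bot: The new `if (list_empty(&hdev->adv_instances))` guard in `mesh_send_done_sync()` has no comment explaining why advertising stays enabled when instances exist, and the commit message itself is unsure whether the call is needed at all. A line such as `/* Only stop advertising when no other (non-mesh) instance is registered */` would record the intent. The return value of `hci_disable_advertising_sync()` is still discarded, so a failed disable goes unnoticed; consider checking it and reporting through `bt_dev_err()`. Whether `adv_instances` is read under the device lock here cannot be seen from the hunk, and the function body continues past it.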
@@ -0,0 +1,77 @@ +From e5af67a870f738bb8a4594b6c60c2caf4c87a3c9 Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Wed, 25 Jun 2025 15:09:30 +0200 +Subject: Bluetooth: MGMT: set_mesh: update LE scan interval and window + +From: Christian Eggers + +commit e5af67a870f738bb8a4594b6c60c2caf4c87a3c9 upstream. + +According to the message of commit b338d91703fa ("Bluetooth: Implement +support for Mesh"), MGMT_OP_SET_MESH_RECEIVER should set the passive scan +parameters. Currently the scan interval and window parameters are +silently ignored, although user space (bluetooth-meshd) expects that +they can be used [1] + +[1] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/mesh/mesh-io-mgmt.c#n344 +Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Eggers +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/mgmt.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -2153,6 +2153,9 @@ static int set_mesh_sync(struct hci_dev + else + hci_dev_clear_flag(hdev, HCI_MESH); + ++ hdev->le_scan_interval = __le16_to_cpu(cp->period); ++ hdev->le_scan_window = __le16_to_cpu(cp->window); ++ + len -= sizeof(*cp); + + /* If filters don't fit, forward all adv pkts */ +@@ -2167,6 +2170,7 @@ static int set_mesh(struct sock *sk, str + { + struct mgmt_cp_set_mesh *cp = data; + struct mgmt_pending_cmd *cmd; ++ __u16 period, window; + int err = 0; + + bt_dev_dbg(hdev, "sock %p", sk); +@@ -2180,6 +2184,23 @@ static int set_mesh(struct sock *sk, str + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, + MGMT_STATUS_INVALID_PARAMS); + ++ /* Keep allowed ranges in sync with set_scan_params() */ ++ period = __le16_to_cpu(cp->period); ++ ++ if (period < 0x0004 || period > 0x4000) ++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, ++ MGMT_STATUS_INVALID_PARAMS); ++ ++ window = 
__le16_to_cpu(cp->window); ++ ++ if (window < 0x0004 || window > 0x4000) ++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, ++ MGMT_STATUS_INVALID_PARAMS); ++ ++ if (window > period) ++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, ++ MGMT_STATUS_INVALID_PARAMS); ++ + hci_dev_lock(hdev); + + cmd = mgmt_pending_add(sk, MGMT_OP_SET_MESH_RECEIVER, hdev, data, len); +@@ -6432,6 +6453,7 @@ static int set_scan_params(struct sock * + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS, + MGMT_STATUS_NOT_SUPPORTED); + ++ /* Keep allowed ranges in sync with set_mesh() */ + interval = __le16_to_cpu(cp->interval); + + if (interval < 0x0004 || interval > 0x4000) diff --git a/queue-6.15/drm-v3d-disable-interrupts-before-resetting-the-gpu.patch b/queue-6.15/drm-v3d-disable-interrupts-before-resetting-the-gpu.patch new file mode 100644 index 0000000000..d59f8fd92b --- /dev/null +++ b/queue-6.15/drm-v3d-disable-interrupts-before-resetting-the-gpu.patch 
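Review bot: The range checks added to `set_mesh()` repeat the literals `0x0004` and `0x4000` already used in `set_scan_params()`, and only the two "Keep allowed ranges in sync" comments tie them together; a shared helper would stop the copies drifting apart. Separately, the assignments to `hdev->le_scan_interval` and `hdev->le_scan_window` in `set_mesh_sync()` follow the `else hci_dev_clear_flag(hdev, HCI_MESH);` branch, so they apparently also run when mesh is being switched off. If that is intended it needs a comment, otherwise they belong in the enable branch. Both function bodies extend beyond the hunks, and the helper name below is only a suggestion.

```c
/* Shared by set_mesh() and set_scan_params(): LE scan interval/window limits. */
static bool le_scan_params_valid(u16 interval, u16 window)
{
	return interval >= 0x0004 && interval <= 0x4000 &&
	       window >= 0x0004 && window <= 0x4000 &&
	       window <= interval;
}

/* … in set_mesh(), replacing the three added range checks … */
	if (!le_scan_params_valid(__le16_to_cpu(cp->period),
				  __le16_to_cpu(cp->window)))
		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
				       MGMT_STATUS_INVALID_PARAMS);
```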
@@ -0,0 +1,200 @@ +From 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ma=C3=ADra=20Canal?= +Date: Sat, 28 Jun 2025 19:42:42 -0300 +Subject: drm/v3d: Disable interrupts before resetting the GPU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +commit 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 upstream. + +Currently, an interrupt can be triggered during a GPU reset, which can +lead to GPU hangs and NULL pointer dereference in an interrupt context +as shown in the following trace: + + [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 + [ 314.043822] Mem abort info: + [ 314.046606] ESR = 0x0000000096000005 + [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits + [ 314.055651] SET = 0, FnV = 0 + [ 314.058695] EA = 0, S1PTW = 0 + [ 314.061826] FSC = 0x05: level 1 translation fault + [ 314.066694] Data abort info: + [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 + [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 + [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 + [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 + [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP + [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight + [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 + [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) + [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] + [ 314.156187] lr : 
v3d_irq+0xe0/0x2e0 [v3d] + [ 314.160198] sp : ffffffc080003ea0 + [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 + [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 + [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 + [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 + [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 + [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 + [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 + [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 + [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb + [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 + [ 314.234807] Call trace: + [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] + [ 314.240906] __handle_irq_event_percpu+0x58/0x218 + [ 314.245609] handle_irq_event+0x54/0xb8 + [ 314.249439] handle_fasteoi_irq+0xac/0x240 + [ 314.253527] handle_irq_desc+0x48/0x68 + [ 314.257269] generic_handle_domain_irq+0x24/0x38 + [ 314.261879] gic_handle_irq+0x48/0xd8 + [ 314.265533] call_on_irq_stack+0x24/0x58 + [ 314.269448] do_interrupt_handler+0x88/0x98 + [ 314.273624] el1_interrupt+0x34/0x68 + [ 314.277193] el1h_64_irq_handler+0x18/0x28 + [ 314.281281] el1h_64_irq+0x64/0x68 + [ 314.284673] default_idle_call+0x3c/0x168 + [ 314.288675] do_idle+0x1fc/0x230 + [ 314.291895] cpu_startup_entry+0x3c/0x50 + [ 314.295810] rest_init+0xe4/0xf0 + [ 314.299030] start_kernel+0x5e8/0x790 + [ 314.302684] __primary_switched+0x80/0x90 + [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) + [ 314.312775] ---[ end trace 0000000000000000 ]--- + [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt + [ 314.324249] SMP: stopping secondary CPUs + [ 314.328167] Kernel Offset: 0x2b9da00000 from 
0xffffffc080000000 + [ 314.334076] PHYS_OFFSET: 0x0 + [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b + [ 314.342337] Memory Limit: none + [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- + +Before resetting the GPU, it's necessary to disable all interrupts and +deal with any interrupt handler still in-flight. Otherwise, the GPU might +reset with jobs still running, or yet, an interrupt could be handled +during the reset. + +Cc: stable@vger.kernel.org +Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+") +Reviewed-by: Juan A. Suarez +Reviewed-by: Iago Toral Quiroga +Link: https://lore.kernel.org/r/20250628224243.47599-1-mcanal@igalia.com +Signed-off-by: Maíra Canal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/v3d/v3d_drv.h | 8 ++++++++ + drivers/gpu/drm/v3d/v3d_gem.c | 2 ++ + drivers/gpu/drm/v3d/v3d_irq.c | 37 +++++++++++++++++++++++++++---------- + 3 files changed, 37 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/v3d/v3d_drv.h ++++ b/drivers/gpu/drm/v3d/v3d_drv.h +@@ -101,6 +101,12 @@ enum v3d_gen { + V3D_GEN_71 = 71, + }; + ++enum v3d_irq { ++ V3D_CORE_IRQ, ++ V3D_HUB_IRQ, ++ V3D_MAX_IRQS, ++}; ++ + struct v3d_dev { + struct drm_device drm; + +@@ -112,6 +118,8 @@ struct v3d_dev { + + bool single_irq_line; + ++ int irq[V3D_MAX_IRQS]; ++ + struct v3d_perfmon_info perfmon_info; + + void __iomem *hub_regs; +--- a/drivers/gpu/drm/v3d/v3d_gem.c ++++ b/drivers/gpu/drm/v3d/v3d_gem.c +@@ -118,6 +118,8 @@ v3d_reset(struct v3d_dev *v3d) + if (false) + v3d_idle_axi(v3d, 0); + ++ v3d_irq_disable(v3d); ++ + v3d_idle_gca(v3d); + v3d_reset_v3d(v3d); + +--- a/drivers/gpu/drm/v3d/v3d_irq.c ++++ b/drivers/gpu/drm/v3d/v3d_irq.c +@@ -260,7 +260,7 @@ v3d_hub_irq(int irq, void *arg) + int + v3d_irq_init(struct v3d_dev *v3d) + { +- int irq1, ret, core; ++ int irq, ret, core; + + INIT_WORK(&v3d->overflow_mem_work, v3d_overflow_mem_work); + +@@ -271,17 +271,24 @@ v3d_irq_init(struct 
v3d_dev *v3d) + V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver)); + V3D_WRITE(V3D_HUB_INT_CLR, V3D_HUB_IRQS(v3d->ver)); + +- irq1 = platform_get_irq_optional(v3d_to_pdev(v3d), 1); +- if (irq1 == -EPROBE_DEFER) +- return irq1; +- if (irq1 > 0) { +- ret = devm_request_irq(v3d->drm.dev, irq1, ++ irq = platform_get_irq_optional(v3d_to_pdev(v3d), 1); ++ if (irq == -EPROBE_DEFER) ++ return irq; ++ if (irq > 0) { ++ v3d->irq[V3D_CORE_IRQ] = irq; ++ ++ ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], + v3d_irq, IRQF_SHARED, + "v3d_core0", v3d); + if (ret) + goto fail; +- ret = devm_request_irq(v3d->drm.dev, +- platform_get_irq(v3d_to_pdev(v3d), 0), ++ ++ irq = platform_get_irq(v3d_to_pdev(v3d), 0); ++ if (irq < 0) ++ return irq; ++ v3d->irq[V3D_HUB_IRQ] = irq; ++ ++ ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_HUB_IRQ], + v3d_hub_irq, IRQF_SHARED, + "v3d_hub", v3d); + if (ret) +@@ -289,8 +296,12 @@ v3d_irq_init(struct v3d_dev *v3d) + } else { + v3d->single_irq_line = true; + +- ret = devm_request_irq(v3d->drm.dev, +- platform_get_irq(v3d_to_pdev(v3d), 0), ++ irq = platform_get_irq(v3d_to_pdev(v3d), 0); ++ if (irq < 0) ++ return irq; ++ v3d->irq[V3D_CORE_IRQ] = irq; ++ ++ ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ], + v3d_irq, IRQF_SHARED, + "v3d", v3d); + if (ret) +@@ -331,6 +342,12 @@ v3d_irq_disable(struct v3d_dev *v3d) + V3D_CORE_WRITE(core, V3D_CTL_INT_MSK_SET, ~0); + V3D_WRITE(V3D_HUB_INT_MSK_SET, ~0); + ++ /* Finish any interrupt handler still in flight. */ ++ for (int i = 0; i < V3D_MAX_IRQS; i++) { ++ if (v3d->irq[i]) ++ synchronize_irq(v3d->irq[i]); ++ } ++ + /* Clear any pending interrupts we might have left. */ + for (core = 0; core < v3d->cores; core++) + V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver)); 
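Review bot: In `v3d_irq_init()` the new `if (irq < 0) return irq;` after each `platform_get_irq(v3d_to_pdev(v3d), 0)` returns directly, while the `devm_request_irq()` failures beside it use `goto fail`, so the function now has two error-exit conventions. Assuming the `fail:` label (outside the hunk) only reports the error, `if (irq < 0) { ret = irq; goto fail; }` keeps a single exit path. In `v3d_irq_disable()` the `if (v3d->irq[i])` test relies on an unused slot being zero, which is the case for the hub slot when `single_irq_line` is set. A comment on the new field, `/* 0 means the line was never requested */`, would document that reliance. Whether interrupts are re-enabled after `v3d_reset()` calls `v3d_irq_disable()` is outside the hunk.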
diff --git a/queue-6.15/dt-bindings-net-sophgo-sg2044-dwmac-drop-status-from-the-example.patch b/queue-6.15/dt-bindings-net-sophgo-sg2044-dwmac-drop-status-from-the-example.patch
new file mode 100644
index 0000000000..ad2490188c
--- /dev/null
+++ b/queue-6.15/dt-bindings-net-sophgo-sg2044-dwmac-drop-status-from-the-example.patch
@@ -0,0 +1,50 @@
+From f030713e5abf67d0a88864c8855f809c763af954 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Tue, 1 Jul 2025 08:36:22 +0200
+Subject: dt-bindings: net: sophgo,sg2044-dwmac: Drop status from the example
+
+From: Krzysztof Kozlowski
+
+commit f030713e5abf67d0a88864c8855f809c763af954 upstream.
+
+Examples should be complete and should not have a 'status' property,
+especially a disabled one because this disables the dt_binding_check of
+the example against the schema. Dropping 'status' property shows
+missing other properties - phy-mode and phy-handle.
+
+Fixes: 114508a89ddc ("dt-bindings: net: Add support for Sophgo SG2044 dwmac")
+Cc:
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Alexander Sverdlin
+Reviewed-by: Chen Wang
+Link: https://patch.msgid.link/20250701063621.23808-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml b/Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml
+index 4dd2dc9c678b..8afbd9ebd73f 100644
+--- a/Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml
++++ b/Documentation/devicetree/bindings/net/sophgo,sg2044-dwmac.yaml
+@@ -80,6 +80,8 @@ examples:
+ interrupt-parent = <&intc>;
+ interrupts = <296 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "macirq";
++ phy-handle = <&phy0>;
++ phy-mode = "rgmii-id";
+ resets = <&rst 30>;
+ reset-names = "stmmaceth";
+ snps,multicast-filter-bins = <0>;
+@@ -91,7 +93,6 @@ examples:
+ snps,mtl-rx-config = <&gmac0_mtl_rx_setup>;
+ snps,mtl-tx-config = <&gmac0_mtl_tx_setup>;
+ snps,axi-config = <&gmac0_stmmac_axi_setup>;
+- status = "disabled";
+
+ gmac0_mtl_rx_setup: rx-queues-config {
+ snps,rx-queues-to-use = <8>;
+--
+2.50.0
+
diff --git a/queue-6.15/input-cs40l50-vibra-fix-potential-null-dereference-in-cs40l50_upload_owt.patch b/queue-6.15/input-cs40l50-vibra-fix-potential-null-dereference-in-cs40l50_upload_owt.patch
new file mode 100644
index 0000000000..afba2b90ed
--- /dev/null
+++ b/queue-6.15/input-cs40l50-vibra-fix-potential-null-dereference-in-cs40l50_upload_owt.patch
@@ -0,0 +1,36 @@
+From 4cf65845fdd09d711fc7546d60c9abe010956922 Mon Sep 17 00:00:00 2001
+From: Yunshui Jiang
+Date: Thu, 3 Jul 2025 21:56:02 -0700
+Subject: Input: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt()
+
+From: Yunshui Jiang
+
+commit 4cf65845fdd09d711fc7546d60c9abe010956922 upstream.
+
+The cs40l50_upload_owt() function allocates memory via kmalloc()
+without checking for allocation failure, which could lead to a
+NULL pointer dereference.
+
+Return -ENOMEM in case allocation fails.
+
+Signed-off-by: Yunshui Jiang
+Fixes: c38fe1bb5d21 ("Input: cs40l50 - Add support for the CS40L50 haptic driver")
+Link: https://lore.kernel.org/r/20250704024010.2353841-1-jiangyunshui@kylinos.cn
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/misc/cs40l50-vibra.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/misc/cs40l50-vibra.c
++++ b/drivers/input/misc/cs40l50-vibra.c
+@@ -238,6 +238,8 @@ static int cs40l50_upload_owt(struct cs4
+ header.data_words = len / sizeof(u32);
+
+ new_owt_effect_data = kmalloc(sizeof(header) + len, GFP_KERNEL);
++ if (!new_owt_effect_data)
++ return -ENOMEM;
+
+ memcpy(new_owt_effect_data, &header, sizeof(header));
+ memcpy(new_owt_effect_data + sizeof(header), work_data->custom_data, len);
diff --git a/queue-6.15/iommufd-selftest-add-asserts-testing-global-mfd.patch b/queue-6.15/iommufd-selftest-add-asserts-testing-global-mfd.patch
new file mode 100644
index 0000000000..543a302182
--- /dev/null
+++ b/queue-6.15/iommufd-selftest-add-asserts-testing-global-mfd.patch
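Review bot: The allocation size in cs40l50_upload_owt() is still the unchecked sum `sizeof(header) + len`, and the two memcpy() calls after the new NULL check copy `sizeof(header)` and then `len` bytes into that buffer. Where `len` is computed lies above the hunk, so this is hedged: if it is derived from the uploaded effect data, `kmalloc(size_add(sizeof(header), len), GFP_KERNEL)` would make a wrapped sum fail the allocation, and so reach the new `-ENOMEM` return, instead of under-allocating. The rest of the function body is outside the hunk.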
@@ -0,0 +1,34 @@
+From a9bf67ee170514b17541038c60bb94cb2cf5732f Mon Sep 17 00:00:00 2001
+From: Nicolin Chen
+Date: Tue, 24 Jun 2025 11:00:47 -0700
+Subject: iommufd/selftest: Add asserts testing global mfd
+
+From: Nicolin Chen
+
+commit a9bf67ee170514b17541038c60bb94cb2cf5732f upstream.
+
+The mfd and mfd_buffer will be used in the tests directly without an extra
+check. Test them in setup_sizes() to ensure they are safe to use.
+
+Fixes: 0bcceb1f51c7 ("iommufd: Selftest coverage for IOMMU_IOAS_MAP_FILE")
+Link: https://patch.msgid.link/r/94bdc11d2b6d5db337b1361c5e5fce0ed494bb40.1750787928.git.nicolinc@nvidia.com
+Cc: stable@vger.kernel.org
+Reviewed-by: Jason Gunthorpe
+Signed-off-by: Nicolin Chen
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/iommu/iommufd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/testing/selftests/iommu/iommufd.c
++++ b/tools/testing/selftests/iommu/iommufd.c
+@@ -54,6 +54,8 @@ static __attribute__((constructor)) void
+
+ mfd_buffer = memfd_mmap(BUFFER_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED,
+ &mfd);
++ assert(mfd_buffer != MAP_FAILED);
++ assert(mfd > 0);
+ }
+
+ FIXTURE(iommufd)
diff --git a/queue-6.15/iommufd-selftest-add-missing-close-mfd-in-memfd_mmap.patch b/queue-6.15/iommufd-selftest-add-missing-close-mfd-in-memfd_mmap.patch
new file mode 100644
index 0000000000..ca0a694b1d
--- /dev/null
+++ b/queue-6.15/iommufd-selftest-add-missing-close-mfd-in-memfd_mmap.patch
@@ -0,0 +1,46 @@
+From 4b75e3babb85238912f50bbe0647bae08242a9b6 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen
+Date: Tue, 24 Jun 2025 11:00:46 -0700
+Subject: iommufd/selftest: Add missing close(mfd) in memfd_mmap()
+
+From: Nicolin Chen
+
+commit 4b75e3babb85238912f50bbe0647bae08242a9b6 upstream.
+
+Do not forget to close mfd in the error paths, since none of the callers
+would close it when ASSERT_NE(MAP_FAILED, buf) fails.
+
+Fixes: 0bcceb1f51c7 ("iommufd: Selftest coverage for IOMMU_IOAS_MAP_FILE")
+Link: https://patch.msgid.link/r/a363a69dbf453d4bc1bde276f3b16778620488e1.1750787928.git.nicolinc@nvidia.com
+Cc: stable@vger.kernel.org
+Reviewed-by: Jason Gunthorpe
+Signed-off-by: Nicolin Chen
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/iommu/iommufd_utils.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/iommu/iommufd_utils.h
++++ b/tools/testing/selftests/iommu/iommufd_utils.h
+@@ -60,13 +60,18 @@ static inline void *memfd_mmap(size_t le
+ {
+ int mfd_flags = (flags & MAP_HUGETLB) ? MFD_HUGETLB : 0;
+ int mfd = memfd_create("buffer", mfd_flags);
++ void *buf = MAP_FAILED;
+
+ if (mfd <= 0)
+ return MAP_FAILED;
+ if (ftruncate(mfd, length))
+- return MAP_FAILED;
++ goto out;
+ *mfd_p = mfd;
+- return mmap(0, length, prot, flags, mfd, 0);
++ buf = mmap(0, length, prot, flags, mfd, 0);
++out:
++ if (buf == MAP_FAILED)
++ close(mfd);
++ return buf;
+ }
+
+ /*
diff --git a/queue-6.15/iommufd-selftest-fix-iommufd_dirty_tracking-with-large-hugepage-sizes.patch b/queue-6.15/iommufd-selftest-fix-iommufd_dirty_tracking-with-large-hugepage-sizes.patch
new file mode 100644
index 0000000000..3fc9202596
--- /dev/null
+++ b/queue-6.15/iommufd-selftest-fix-iommufd_dirty_tracking-with-large-hugepage-sizes.patch
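Review bot: In memfd_mmap(), `*mfd_p = mfd;` still runs before mmap(), so when mmap() fails the new `out:` path closes the descriptor while the caller's `*mfd_p` keeps the stale number. A later close() or use of that number could then land on an unrelated descriptor. Publishing it only on success avoids this: drop the early assignment and end with `if (buf == MAP_FAILED) close(mfd); else *mfd_p = mfd;`. Separately, `if (mfd <= 0)` treats descriptor 0 as a failure and returns without closing it; memfd_create() reports errors as -1, so `mfd < 0` is the exact test.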
@@ -0,0 +1,100 @@
+From 818625570558cd91082c9bafd6f2b59b73241a69 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen
+Date: Tue, 24 Jun 2025 11:00:45 -0700
+Subject: iommufd/selftest: Fix iommufd_dirty_tracking with large hugepage sizes
+
+From: Nicolin Chen
+
+commit 818625570558cd91082c9bafd6f2b59b73241a69 upstream.
+
+The hugepage test cases of iommufd_dirty_tracking have the 64MB and 128MB
+coverages. Both of them are smaller than the default hugepage size 512MB,
+when CONFIG_PAGE_SIZE_64KB=y. However, these test cases have a variant of
+using huge pages, which would mmap(MAP_HUGETLB) using these smaller sizes
+than the system hugepag size. This results in the kernel aligning up the
+smaller size to 512MB. If a memory was located between the upper 64/128MB
+size boundary and the hugepage 512MB boundary, it would get wiped out:
+https://lore.kernel.org/all/aEoUhPYIAizTLADq@nvidia.com/
+
+Given that this aligning up behavior is well documented, we have no choice
+but to allocate a hugepage aligned size to avoid this unintended wipe out.
+Instead of relying on the kernel's internal force alignment, pass the same
+size to posix_memalign() and map().
+
+Also, fix the FIXTURE_TEARDOWN() misusing munmap() to free the memory from
+posix_memalign(), as munmap() doesn't destroy the allocator meta data. So,
+call free() instead.
+
+Fixes: a9af47e382a4 ("iommufd/selftest: Test IOMMU_HWPT_GET_DIRTY_BITMAP")
+Link: https://patch.msgid.link/r/1ea8609ae6d523fdd4d8efb179ddee79c8582cb6.1750787928.git.nicolinc@nvidia.com
+Cc: stable@vger.kernel.org
+Suggested-by: Jason Gunthorpe
+Signed-off-by: Nicolin Chen
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/iommu/iommufd.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+--- a/tools/testing/selftests/iommu/iommufd.c
++++ b/tools/testing/selftests/iommu/iommufd.c
+@@ -2010,6 +2010,7 @@ FIXTURE_VARIANT(iommufd_dirty_tracking)
+
+ FIXTURE_SETUP(iommufd_dirty_tracking)
+ {
++ size_t mmap_buffer_size;
+ unsigned long size;
+ int mmap_flags;
+ void *vrc;
+@@ -2024,22 +2025,33 @@ FIXTURE_SETUP(iommufd_dirty_tracking)
+ self->fd = open("/dev/iommu", O_RDWR);
+ ASSERT_NE(-1, self->fd);
+
+- rc = posix_memalign(&self->buffer, HUGEPAGE_SIZE, variant->buffer_size);
+- if (rc || !self->buffer) {
+- SKIP(return, "Skipping buffer_size=%lu due to errno=%d",
+- variant->buffer_size, rc);
+- }
+-
+ mmap_flags = MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED;
++ mmap_buffer_size = variant->buffer_size;
+ if (variant->hugepages) {
+ /*
+ * MAP_POPULATE will cause the kernel to fail mmap if THPs are
+ * not available.
+ */
+ mmap_flags |= MAP_HUGETLB | MAP_POPULATE;
++
++ /*
++ * Allocation must be aligned to the HUGEPAGE_SIZE, because the
++ * following mmap() will automatically align the length to be a
++ * multiple of the underlying huge page size. Failing to do the
++ * same at this allocation will result in a memory overwrite by
++ * the mmap().
++ */
++ if (mmap_buffer_size < HUGEPAGE_SIZE)
++ mmap_buffer_size = HUGEPAGE_SIZE;
++ }
++
++ rc = posix_memalign(&self->buffer, HUGEPAGE_SIZE, mmap_buffer_size);
++ if (rc || !self->buffer) {
++ SKIP(return, "Skipping buffer_size=%lu due to errno=%d",
++ mmap_buffer_size, rc);
+ }
+ assert((uintptr_t)self->buffer % HUGEPAGE_SIZE == 0);
+- vrc = mmap(self->buffer, variant->buffer_size, PROT_READ | PROT_WRITE,
++ vrc = mmap(self->buffer, mmap_buffer_size, PROT_READ | PROT_WRITE,
+ mmap_flags, -1, 0);
+ assert(vrc == self->buffer);
+
+@@ -2068,8 +2080,8 @@ FIXTURE_SETUP(iommufd_dirty_tracking)
+
+ FIXTURE_TEARDOWN(iommufd_dirty_tracking)
+ {
+- munmap(self->buffer, variant->buffer_size);
+- munmap(self->bitmap, DIV_ROUND_UP(self->bitmap_size, BITS_PER_BYTE));
++ free(self->buffer);
++ free(self->bitmap);
+ teardown_iommufd(self->fd, _metadata);
+ }
+
diff --git a/queue-6.15/mmc-core-adjust-some-error-messages-for-sd-uhs-ii-cards.patch b/queue-6.15/mmc-core-adjust-some-error-messages-for-sd-uhs-ii-cards.patch
new file mode 100644
index 0000000000..c0221ac700
--- /dev/null
+++ b/queue-6.15/mmc-core-adjust-some-error-messages-for-sd-uhs-ii-cards.patch
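Review bot: The clamp `if (mmap_buffer_size < HUGEPAGE_SIZE) mmap_buffer_size = HUGEPAGE_SIZE;` in FIXTURE_SETUP(iommufd_dirty_tracking) only covers sizes below one huge page. A `variant->buffer_size` larger than HUGEPAGE_SIZE but not a multiple of it would still be extended by the MAP_HUGETLB | MAP_FIXED mmap() past the posix_memalign() allocation, which is the overwrite the added comment describes. Rounding up covers both cases: `mmap_buffer_size = DIV_ROUND_UP(variant->buffer_size, HUGEPAGE_SIZE) * HUGEPAGE_SIZE;`. The variant sizes are defined outside the hunk, so this may not be reachable with today's variants. `mmap_buffer_size` is a size_t, so the SKIP() format should use `%zu` rather than `%lu`.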
@@ -0,0 +1,36 @@
+From 14633da0f416fdbb6844d1b295cdc828b666e273 Mon Sep 17 00:00:00 2001
+From: Victor Shih
+Date: Fri, 6 Jun 2025 19:01:19 +0800
+Subject: mmc: core: Adjust some error messages for SD UHS-II cards
+
+From: Victor Shih
+
+commit 14633da0f416fdbb6844d1b295cdc828b666e273 upstream.
+
+Adjust some error messages to debug mode to avoid causing
+misunderstanding it is an error.
+
+Signed-off-by: Victor Shih
+Acked-by: Adrian Hunter
+Fixes: 9a9f7e13952b ("mmc: core: Support UHS-II card control and access")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250606110121.96314-2-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/sd_uhs2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/core/sd_uhs2.c
++++ b/drivers/mmc/core/sd_uhs2.c
+@@ -91,8 +91,8 @@ static int sd_uhs2_phy_init(struct mmc_h
+
+ err = host->ops->uhs2_control(host, UHS2_PHY_INIT);
+ if (err) {
+- pr_err("%s: failed to initial phy for UHS-II!\n",
+- mmc_hostname(host));
++ pr_debug("%s: failed to initial phy for UHS-II!\n",
++ mmc_hostname(host));
+ }
+
+ return err;
diff --git a/queue-6.15/mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch b/queue-6.15/mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch
new file mode 100644
index 0000000000..356166c759
--- /dev/null
+++ b/queue-6.15/mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch
@@ -0,0 +1,56 @@
+From 009c3a4bc41e855fd76f92727f9fbae4e5917d7f Mon Sep 17 00:00:00 2001
+From: Avri Altman
+Date: Mon, 26 May 2025 14:44:45 +0300
+Subject: mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier
+
+From: Avri Altman
+
+commit 009c3a4bc41e855fd76f92727f9fbae4e5917d7f upstream.
+
+Move the BROKEN_SD_DISCARD quirk for certain SanDisk SD cards from the
+`mmc_blk_fixups[]` to `mmc_sd_fixups[]`. This ensures the quirk is
+applied earlier in the device initialization process, aligning with the
+reasoning in [1]. Applying the quirk sooner prevents the kernel from
+incorrectly enabling discard support on affected cards during initial
+setup.
+
+[1] https://lore.kernel.org/all/20240820230631.GA436523@sony.com
+
+Fixes: 07d2872bf4c8 ("mmc: core: Add SD card quirk for broken discard")
+Signed-off-by: Avri Altman
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250526114445.675548-1-avri.altman@sandisk.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/quirks.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -44,6 +44,12 @@ static const struct mmc_fixup __maybe_un
+ 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd,
+ MMC_QUIRK_NO_UHS_DDR50_TUNING, EXT_CSD_REV_ANY),
+
++ /*
++ * Some SD cards reports discard support while they don't
++ */
++ MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
++ MMC_QUIRK_BROKEN_SD_DISCARD),
++
+ END_FIXUP
+ };
+
+@@ -147,12 +153,6 @@ static const struct mmc_fixup __maybe_un
+ MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
+ MMC_QUIRK_TRIM_BROKEN),
+
+- /*
+- * Some SD cards reports discard support while they don't
+- */
+- MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
+- MMC_QUIRK_BROKEN_SD_DISCARD),
+-
+ END_FIXUP
+ };
+
diff --git a/queue-6.15/mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch b/queue-6.15/mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch
new file mode 100644
index 0000000000..296e91e414
--- /dev/null
+++ b/queue-6.15/mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch
@@ -0,0 +1,44 @@
+From 2881ba9af073faa8ee7408a8d1e0575e50eb3f6c Mon Sep 17 00:00:00 2001
+From: Victor Shih
+Date: Fri, 6 Jun 2025 19:01:20 +0800
+Subject: mmc: sdhci: Add a helper function for dump register in dynamic debug mode
+
+From: Victor Shih
+
+commit 2881ba9af073faa8ee7408a8d1e0575e50eb3f6c upstream.
+
+Add a helper function for dump register in dynamic debug mode.
+
+Signed-off-by: Victor Shih
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250606110121.96314-3-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci.h | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/mmc/host/sdhci.h
++++ b/drivers/mmc/host/sdhci.h
+@@ -898,4 +898,20 @@ void sdhci_switch_external_dma(struct sd
+ void sdhci_set_data_timeout_irq(struct sdhci_host *host, bool enable);
+ void __sdhci_set_timeout(struct sdhci_host *host, struct mmc_command *cmd);
+
++#if defined(CONFIG_DYNAMIC_DEBUG) || \
++ (defined(CONFIG_DYNAMIC_DEBUG_CORE) && defined(DYNAMIC_DEBUG_MODULE))
++#define SDHCI_DBG_ANYWAY 0
++#elif defined(DEBUG)
++#define SDHCI_DBG_ANYWAY 1
++#else
++#define SDHCI_DBG_ANYWAY 0
++#endif
++
++#define sdhci_dbg_dumpregs(host, fmt) \
++do { \
++ DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \
++ if (DYNAMIC_DEBUG_BRANCH(descriptor) || SDHCI_DBG_ANYWAY) \
++ sdhci_dumpregs(host); \
++} while (0)
++
+ #endif /* __SDHCI_HW_H */
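Review bot: The new `sdhci_dbg_dumpregs()` macro in sdhci.h has no comment, and its `fmt` argument is easy to misread as a message that gets printed. The macro body only hands it to DEFINE_DYNAMIC_DEBUG_METADATA() and then calls `sdhci_dumpregs(host)`. I would add above the macro `/* Dump registers only when this dynamic-debug call site is enabled, or when DEBUG is defined without dynamic debug; @fmt only labels the call site and is never printed. */`. It would also help to note next to `SDHCI_DBG_ANYWAY` that the first and last branches both yield 0 on purpose, so only the plain DEBUG build forces the dump.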
diff --git a/queue-6.15/mmc-sdhci-uhs2-adjust-some-error-messages-and-register-dump-for-sd-uhs-ii-card.patch b/queue-6.15/mmc-sdhci-uhs2-adjust-some-error-messages-and-register-dump-for-sd-uhs-ii-card.patch
new file mode 100644
index 0000000000..52b496ddd8
--- /dev/null
+++ b/queue-6.15/mmc-sdhci-uhs2-adjust-some-error-messages-and-register-dump-for-sd-uhs-ii-card.patch
@@ -0,0 +1,83 @@
+From 49b14db035135341f6cf4de7af6ac2cbc8ad29b6 Mon Sep 17 00:00:00 2001
+From: Victor Shih
+Date: Fri, 6 Jun 2025 19:01:21 +0800
+Subject: mmc: sdhci-uhs2: Adjust some error messages and register dump for SD UHS-II card
+
+From: Victor Shih
+
+commit 49b14db035135341f6cf4de7af6ac2cbc8ad29b6 upstream.
+
+Adjust some error messages to debug mode and register dump to dynamic
+debug mode to avoid causing misunderstanding it is an error.
+
+Signed-off-by: Victor Shih
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250606110121.96314-4-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-uhs2.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-uhs2.c
++++ b/drivers/mmc/host/sdhci-uhs2.c
+@@ -99,8 +99,8 @@ void sdhci_uhs2_reset(struct sdhci_host
+ /* hw clears the bit when it's done */
+ if (read_poll_timeout_atomic(sdhci_readw, val, !(val & mask), 10,
+ UHS2_RESET_TIMEOUT_100MS, true, host, SDHCI_UHS2_SW_RESET)) {
+- pr_warn("%s: %s: Reset 0x%x never completed. %s: clean reset bit.\n", __func__,
+- mmc_hostname(host->mmc), (int)mask, mmc_hostname(host->mmc));
++ pr_debug("%s: %s: Reset 0x%x never completed. %s: clean reset bit.\n", __func__,
++ mmc_hostname(host->mmc), (int)mask, mmc_hostname(host->mmc));
+ sdhci_writeb(host, 0, SDHCI_UHS2_SW_RESET);
+ return;
+ }
+@@ -335,8 +335,8 @@ static int sdhci_uhs2_interface_detect(s
+ if (read_poll_timeout(sdhci_readl, val, (val & SDHCI_UHS2_IF_DETECT),
+ 100, UHS2_INTERFACE_DETECT_TIMEOUT_100MS, true,
+ host, SDHCI_PRESENT_STATE)) {
+- pr_warn("%s: not detect UHS2 interface in 100ms.\n", mmc_hostname(host->mmc));
+- sdhci_dumpregs(host);
++ pr_debug("%s: not detect UHS2 interface in 100ms.\n", mmc_hostname(host->mmc));
++ sdhci_dbg_dumpregs(host, "UHS2 interface detect timeout in 100ms");
+ return -EIO;
+ }
+
+@@ -345,8 +345,8 @@ static int sdhci_uhs2_interface_detect(s
+
+ if (read_poll_timeout(sdhci_readl, val, (val & SDHCI_UHS2_LANE_SYNC),
+ 100, UHS2_LANE_SYNC_TIMEOUT_150MS, true, host, SDHCI_PRESENT_STATE)) {
+- pr_warn("%s: UHS2 Lane sync fail in 150ms.\n", mmc_hostname(host->mmc));
+- sdhci_dumpregs(host);
++ pr_debug("%s: UHS2 Lane sync fail in 150ms.\n", mmc_hostname(host->mmc));
++ sdhci_dbg_dumpregs(host, "UHS2 Lane sync fail in 150ms");
+ return -EIO;
+ }
+
+@@ -417,12 +417,12 @@ static int sdhci_uhs2_do_detect_init(str
+ host->ops->uhs2_pre_detect_init(host);
+
+ if (sdhci_uhs2_interface_detect(host)) {
+- pr_warn("%s: cannot detect UHS2 interface.\n", mmc_hostname(host->mmc));
++ pr_debug("%s: cannot detect UHS2 interface.\n", mmc_hostname(host->mmc));
+ return -EIO;
+ }
+
+ if (sdhci_uhs2_init(host)) {
+- pr_warn("%s: UHS2 init fail.\n", mmc_hostname(host->mmc));
++ pr_debug("%s: UHS2 init fail.\n", mmc_hostname(host->mmc));
+ return -EIO;
+ }
+
+@@ -504,8 +504,8 @@ static int sdhci_uhs2_check_dormant(stru
+ if (read_poll_timeout(sdhci_readl, val, (val & SDHCI_UHS2_IN_DORMANT_STATE),
+ 100, UHS2_CHECK_DORMANT_TIMEOUT_100MS, true, host,
+ SDHCI_PRESENT_STATE)) {
+- pr_warn("%s: UHS2 IN_DORMANT fail in 100ms.\n", mmc_hostname(host->mmc));
+- sdhci_dumpregs(host);
++ pr_debug("%s: UHS2 IN_DORMANT fail in 100ms.\n", mmc_hostname(host->mmc));
++ sdhci_dbg_dumpregs(host, "UHS2 IN_DORMANT fail in 100ms");
+ return -EIO;
+ }
+ return 0;
diff --git a/queue-6.15/mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch b/queue-6.15/mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
new file mode 100644
index 0000000000..a52dee2860
--- /dev/null
+++ b/queue-6.15/mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
@@ -0,0 +1,54 @@
+From 539d80575b810c7a5987c7ac8915e3bc99c03695 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Thu, 5 Jun 2025 10:07:38 +0900
+Subject: mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data
+
+From: Masami Hiramatsu (Google)
+
+commit 539d80575b810c7a5987c7ac8915e3bc99c03695 upstream.
+
+When swiotlb buffer is full, the dma_map_sg() returns 0 to
+msdc_prepare_data(), but it does not check it and sets the
+MSDC_PREPARE_FLAG.
+
+swiotlb_tbl_map_single() /* prints "swiotlb buffer is full" */
+ <-swiotlb_map()
+ <-dma_direct_map_page()
+ <-dma_direct_map_sg()
+ <-__dma_map_sg_attrs()
+ <-dma_map_sg_attrs()
+ <-dma_map_sg() /* returns 0 (pages mapped) */
+ <-msdc_prepare_data()
+
+Then, the msdc_unprepare_data() checks MSDC_PREPARE_FLAG and calls
+dma_unmap_sg() with unmapped pages. It causes a page fault.
+
+To fix this problem, Do not set MSDC_PREPARE_FLAG if dma_map_sg()
+fails because this is not prepared.
+
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Signed-off-by: Masami Hiramatsu (Google)
+Tested-by: Sergey Senozhatsky
+Reviewed-by: AngeloGioacchino Del Regno
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/174908565814.4056588.769599127120955383.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mtk-sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -827,9 +827,10 @@ static inline void msdc_dma_setup(struct
+ static void msdc_prepare_data(struct msdc_host *host, struct mmc_data *data)
+ {
+ if (!(data->host_cookie & MSDC_PREPARE_FLAG)) {
+- data->host_cookie |= MSDC_PREPARE_FLAG;
+ data->sg_count = dma_map_sg(host->dev, data->sg, data->sg_len,
+ mmc_get_dma_dir(data));
++ if (data->sg_count)
++ data->host_cookie |= MSDC_PREPARE_FLAG;
+ }
+ }
+
diff --git a/queue-6.15/mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch b/queue-6.15/mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
new file mode 100644
index 0000000000..86fa1c4eb3
--- /dev/null
+++ b/queue-6.15/mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
@@ -0,0 +1,60 @@
+From f5de469990f19569627ea0dd56536ff5a13beaa3 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Thu, 12 Jun 2025 20:26:10 +0900
+Subject: mtk-sd: Prevent memory corruption from DMA map failure
+
+From: Masami Hiramatsu (Google)
+
+commit f5de469990f19569627ea0dd56536ff5a13beaa3 upstream.
+
+If msdc_prepare_data() fails to map the DMA region, the request is
+not prepared for data receiving, but msdc_start_data() proceeds
+the DMA with previous setting.
+Since this will lead a memory corruption, we have to stop the
+request operation soon after the msdc_prepare_data() fails to
+prepare it.
+
+Signed-off-by: Masami Hiramatsu (Google)
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/174972756982.3337526.6755001617701603082.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mtk-sd.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -834,6 +834,11 @@ static void msdc_prepare_data(struct msd
+ }
+ }
+
++static bool msdc_data_prepared(struct mmc_data *data)
++{
++ return data->host_cookie & MSDC_PREPARE_FLAG;
++}
++
+ static void msdc_unprepare_data(struct msdc_host *host, struct mmc_data *data)
+ {
+ if (data->host_cookie & MSDC_ASYNC_FLAG)
+@@ -1466,8 +1471,18 @@ static void msdc_ops_request(struct mmc_
+ WARN_ON(!host->hsq_en && host->mrq);
+ host->mrq = mrq;
+
+- if (mrq->data)
++ if (mrq->data) {
+ msdc_prepare_data(host, mrq->data);
++ if (!msdc_data_prepared(mrq->data)) {
++ /*
++ * Failed to prepare DMA area, fail fast before
++ * starting any commands.
++ */
++ mrq->cmd->error = -ENOSPC;
++ mmc_request_done(mmc_from_priv(host), mrq);
++ return;
++ }
++ }
+
+ /* if SBC is required, we have HW option and SW option.
+ * if HW option is enabled, and SBC does not have "special" flags,
diff --git a/queue-6.15/mtk-sd-reset-host-mrq-on-prepare_data-error.patch b/queue-6.15/mtk-sd-reset-host-mrq-on-prepare_data-error.patch
new file mode 100644
index 0000000000..068057b2d9
--- /dev/null
+++ b/queue-6.15/mtk-sd-reset-host-mrq-on-prepare_data-error.patch
@@ -0,0 +1,33 @@
+From ec54c0a20709ed6e56f40a8d59eee725c31a916b Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky
+Date: Wed, 25 Jun 2025 14:20:37 +0900
+Subject: mtk-sd: reset host->mrq on prepare_data() error
+
+From: Sergey Senozhatsky
+
+commit ec54c0a20709ed6e56f40a8d59eee725c31a916b upstream.
+
+Do not leave host with dangling ->mrq pointer if we hit
+the msdc_prepare_data() error out path.
+
+Signed-off-by: Sergey Senozhatsky
+Reviewed-by: Masami Hiramatsu (Google)
+Fixes: f5de469990f1 ("mtk-sd: Prevent memory corruption from DMA map failure")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250625052106.584905-1-senozhatsky@chromium.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mtk-sd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -1474,6 +1474,7 @@ static void msdc_ops_request(struct mmc_
+ if (mrq->data) {
+ msdc_prepare_data(host, mrq->data);
+ if (!msdc_data_prepared(mrq->data)) {
++ host->mrq = NULL;
+ /*
+ * Failed to prepare DMA area, fail fast before
+ * starting any commands.
diff --git a/queue-6.15/net-libwx-fix-the-incorrect-display-of-the-queue-number.patch b/queue-6.15/net-libwx-fix-the-incorrect-display-of-the-queue-number.patch
new file mode 100644
index 0000000000..d0e116bda0
--- /dev/null
+++ b/queue-6.15/net-libwx-fix-the-incorrect-display-of-the-queue-number.patch
@@ -0,0 +1,36 @@
+From 5186ff7e1d0e26aaef998ba18b31c79c28d1441f Mon Sep 17 00:00:00 2001
+From: Jiawen Wu
+Date: Tue, 1 Jul 2025 15:06:25 +0800
+Subject: net: libwx: fix the incorrect display of the queue number
+
+From: Jiawen Wu
+
+commit 5186ff7e1d0e26aaef998ba18b31c79c28d1441f upstream.
+
+When setting "ethtool -L eth0 combined 1", the number of RX/TX queue is
+changed to be 1. RSS is disabled at this moment, and the indices of FDIR
+have not be changed in wx_set_rss_queues(). So the combined count still
+shows the previous value. This issue was introduced when supporting
+FDIR. Fix it for those devices that support FDIR.
+
+Fixes: 34744a7749b3 ("net: txgbe: add FDIR info to ethtool ops")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiawen Wu
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/A5C8FE56D6C04608+20250701070625.73680-1-jiawenwu@trustnetic.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/wangxun/libwx/wx_lib.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+@@ -1641,6 +1641,7 @@ static void wx_set_rss_queues(struct wx
+
+ clear_bit(WX_FLAG_FDIR_HASH, wx->flags);
+
++ wx->ring_feature[RING_F_FDIR].indices = 1;
+ /* Use Flow Director in addition to RSS to ensure the best
+ * distribution of flows across cores, even when an FDIR flow
+ * isn't matched.
diff --git a/queue-6.15/net-txgbe-request-misc-irq-in-ndo_open.patch b/queue-6.15/net-txgbe-request-misc-irq-in-ndo_open.patch
new file mode 100644
index 0000000000..8728ea83fa
--- /dev/null
+++ b/queue-6.15/net-txgbe-request-misc-irq-in-ndo_open.patch
@@ -0,0 +1,135 @@
+From cc9f7f65cd2f31150b10e6956f1f0882e1bbae49 Mon Sep 17 00:00:00 2001
+From: Jiawen Wu
+Date: Tue, 1 Jul 2025 14:30:28 +0800
+Subject: net: txgbe: request MISC IRQ in ndo_open
+
+From: Jiawen Wu
+
+commit cc9f7f65cd2f31150b10e6956f1f0882e1bbae49 upstream.
+
+Move the creating of irq_domain for MISC IRQ from .probe to .ndo_open,
+and free it in .ndo_stop, to maintain consistency with the queue IRQs.
+This it for subsequent adjustments to the IRQ vectors.
+
+Fixes: aefd013624a1 ("net: txgbe: use irq_domain for interrupt controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiawen Wu
+Reviewed-by: Michal Swiatkowski
+Link: https://patch.msgid.link/20250701063030.59340-2-jiawenwu@trustnetic.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 2 +-
+ drivers/net/ethernet/wangxun/txgbe/txgbe_main.c | 22 ++++++++++------------
+ 2 files changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
+@@ -68,7 +68,6 @@ free_queue_irqs:
+ free_irq(wx->msix_q_entries[vector].vector,
+ wx->q_vector[vector]);
+ }
+- wx_reset_interrupt_capability(wx);
+ return err;
+ }
+
+@@ -172,6 +171,7 @@ void txgbe_free_misc_irq(struct txgbe *t
+ free_irq(txgbe->link_irq, txgbe);
+ free_irq(txgbe->misc.irq, txgbe);
+ txgbe_del_irq_domain(txgbe);
++ txgbe->wx->misc_irq_domain = false;
+ }
+
+ int txgbe_setup_misc_irq(struct txgbe *txgbe)
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
+@@ -354,10 +354,14 @@ static int txgbe_open(struct net_device
+
+ wx_configure(wx);
+
+- err = txgbe_request_queue_irqs(wx);
++ err = txgbe_setup_misc_irq(wx->priv);
+ if (err)
+ goto err_free_resources;
+
++ err = txgbe_request_queue_irqs(wx);
++ if (err)
++ goto err_free_misc_irq;
++
+ /* Notify the stack of the actual queue counts. */
+ err = netif_set_real_num_tx_queues(netdev, wx->num_tx_queues);
+ if (err)
+@@ -375,6 +379,9 @@ static int txgbe_open(struct net_device
+
+ err_free_irq:
+ wx_free_irq(wx);
++err_free_misc_irq:
++ txgbe_free_misc_irq(wx->priv);
++ wx_reset_interrupt_capability(wx);
+ err_free_resources:
+ wx_free_resources(wx);
+ err_reset:
+@@ -415,6 +422,7 @@ static int txgbe_close(struct net_device
+ wx_ptp_stop(wx);
+ txgbe_down(wx);
+ wx_free_irq(wx);
++ txgbe_free_misc_irq(wx->priv);
+ wx_free_resources(wx);
+ txgbe_fdir_filter_exit(wx);
+ wx_control_hw(wx, false);
+@@ -460,7 +468,6 @@ static void txgbe_shutdown(struct pci_de
+ int txgbe_setup_tc(struct net_device *dev, u8 tc)
+ {
+ struct wx *wx = netdev_priv(dev);
+- struct txgbe *txgbe = wx->priv;
+
+ /* Hardware has to reinitialize queues and interrupts to
+ * match packet buffer alignment. Unfortunately, the
+@@ -471,7 +478,6 @@ int txgbe_setup_tc(struct net_device *de
+ else
+ txgbe_reset(wx);
+
+- txgbe_free_misc_irq(txgbe);
+ wx_clear_interrupt_scheme(wx);
+
+ if (tc)
+@@ -480,7 +486,6 @@ int txgbe_setup_tc(struct net_device *de
+ netdev_reset_tc(dev);
+
+ wx_init_interrupt_scheme(wx);
+- txgbe_setup_misc_irq(txgbe);
+
+ if (netif_running(dev))
+ txgbe_open(dev);
+@@ -729,13 +734,9 @@ static int txgbe_probe(struct pci_dev *p
+
+ txgbe_init_fdir(txgbe);
+
+- err = txgbe_setup_misc_irq(txgbe);
+- if (err)
+- goto err_release_hw;
+-
+ err = txgbe_init_phy(txgbe);
+ if (err)
+- goto err_free_misc_irq;
++ goto err_release_hw;
+
+ err = register_netdev(netdev);
+ if (err)
+@@ -763,8 +764,6 @@ static int txgbe_probe(struct pci_dev *p
+
+ err_remove_phy:
+ txgbe_remove_phy(txgbe);
+-err_free_misc_irq:
+- txgbe_free_misc_irq(txgbe);
+ err_release_hw:
+ wx_clear_interrupt_scheme(wx);
+ wx_control_hw(wx, false);
+@@ -798,7 +797,6 @@ static void txgbe_remove(struct pci_dev
+ unregister_netdev(netdev);
+
+ txgbe_remove_phy(txgbe);
+- txgbe_free_misc_irq(txgbe);
+ wx_free_isb_resources(wx);
+
+ pci_release_selected_regions(pdev,
diff --git a/queue-6.15/regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch b/queue-6.15/regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch
new file mode 100644
index 0000000000..855034fcef
--- /dev/null
+++ b/queue-6.15/regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch
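Review bot: txgbe_setup_tc() still discards the return value of `txgbe_open(dev)` in the `@@ -480,7 +486,6 @@` hunk, and after this change open is also where the MISC IRQ is requested. A failure there now unwinds through `err_free_misc_irq` (freeing the misc and link IRQs and resetting the interrupt capability) while the caller is told nothing. Propagating the result, e.g. `if (netif_running(dev)) return txgbe_open(dev);`, would surface it. The rest of txgbe_setup_tc() is outside the hunk, so what follows the call needs checking before changing the return.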
@@ -0,0 +1,52 @@ +From c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 3 Jul 2025 16:05:49 +0530 +Subject: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods + +From: Manivannan Sadhasivam + +commit c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 upstream. + +drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But +the memory is allocated for only one pointer. This will lead to +out-of-bounds access later in the code if 'config::ngpios' is > 1. So +fix the code to allocate enough memory to hold 'config::ngpios' of GPIO +descriptors. + +While at it, also move the check for memory allocation failure to be below +the allocation to make it more readable. + +Cc: stable@vger.kernel.org # 5.0 +Fixes: d6cd33ad7102 ("regulator: gpio: Convert to use descriptors") +Signed-off-by: Manivannan Sadhasivam +Link: https://patch.msgid.link/20250703103549.16558-1-mani@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/gpio-regulator.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/regulator/gpio-regulator.c ++++ b/drivers/regulator/gpio-regulator.c +@@ -260,8 +260,10 @@ static int gpio_regulator_probe(struct p + return -ENOMEM; + } + +- drvdata->gpiods = devm_kzalloc(dev, sizeof(struct gpio_desc *), +- GFP_KERNEL); ++ drvdata->gpiods = devm_kcalloc(dev, config->ngpios, ++ sizeof(struct gpio_desc *), GFP_KERNEL); ++ if (!drvdata->gpiods) ++ return -ENOMEM; + + if (config->input_supply) { + drvdata->desc.supply_name = devm_kstrdup(&pdev->dev, +@@ -274,8 +276,6 @@ static int gpio_regulator_probe(struct p + } + } + +- if (!drvdata->gpiods) +- return -ENOMEM; + for (i = 0; i < config->ngpios; i++) { + drvdata->gpiods[i] = devm_gpiod_get_index(dev, + NULL, 
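Review bot: The element size in the new `devm_kcalloc()` call is spelled `sizeof(struct gpio_desc *)`, so it has to be kept in step by hand with the declared type of `drvdata->gpiods`. Writing it as `sizeof(*drvdata->gpiods)` ties the element size to the field itself, so a later type change cannot silently under-allocate again. A short comment above the call, for example `/* one descriptor pointer per GPIO, indexed up to config->ngpios below */`, would also record why the count matters. `gpio_regulator_probe()` starts and ends outside the hunk, so other users of `gpiods` are not visible here.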
diff --git a/queue-6.15/revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch b/queue-6.15/revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch new file mode 100644 index 0000000000..58cbdf16d2 --- /dev/null +++ b/queue-6.15/revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch @@ -0,0 +1,49 @@ +From dcc3bcfc5b50c625b475dcc25d167b6b947a6637 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Tue, 24 Jun 2025 13:09:32 +0200 +Subject: Revert "mmc: sdhci: Disable SD card clock before changing parameters" + +From: Ulf Hansson + +commit dcc3bcfc5b50c625b475dcc25d167b6b947a6637 upstream. + +It has turned out the trying to strictly conform to the SDHCI specification +is causing problems. Let's revert and start over. + +This reverts commit fb3bbc46c94f261b6156ee863c1b06c84cf157dc. + +Cc: Erick Shepherd +Cc: stable@vger.kernel.org +Fixes: fb3bbc46c94f ("mmc: sdhci: Disable SD card clock before changing parameters") +Suggested-by: Adrian Hunter +Reported-by: Jonathan Liu +Reported-by: Salvatore Bonaccorso +Closes: https://bugs.debian.org/1108065 +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Link: https://lore.kernel.org/r/20250624110932.176925-1-ulf.hansson@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -2065,15 +2065,10 @@ void sdhci_set_clock(struct sdhci_host * + + host->mmc->actual_clock = 0; + +- clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL); +- if (clk & SDHCI_CLOCK_CARD_EN) +- sdhci_writew(host, clk & ~SDHCI_CLOCK_CARD_EN, +- SDHCI_CLOCK_CONTROL); ++ sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL); + +- if (clock == 0) { +- sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL); ++ if (clock == 0) + return; +- } + + clk = sdhci_calc_clk(host, clock, &host->mmc->actual_clock); + sdhci_enable_clk(host, clk); 
diff --git a/queue-6.15/s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch b/queue-6.15/s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch new file mode 100644 index 0000000000..dcc3717fa9 --- /dev/null +++ b/queue-6.15/s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch @@ -0,0 +1,37 @@ +From b97a7972b1f4f81417840b9a2ab0c19722b577d5 Mon Sep 17 00:00:00 2001 +From: Niklas Schnelle +Date: Wed, 25 Jun 2025 11:28:29 +0200 +Subject: s390/pci: Do not try re-enabling load/store if device is disabled + +From: Niklas Schnelle + +commit b97a7972b1f4f81417840b9a2ab0c19722b577d5 upstream. + +If a device is disabled unblocking load/store on its own is not useful +as a full re-enable of the function is necessary anyway. Note that SCLP +Write Event Data Action Qualifier 0 (Reset) leaves the device disabled +and triggers this case unless the driver already requests a reset. + +Cc: stable@vger.kernel.org +Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery") +Reviewed-by: Farhan Ali +Signed-off-by: Niklas Schnelle +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/pci/pci_event.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/s390/pci/pci_event.c ++++ b/arch/s390/pci/pci_event.c +@@ -106,6 +106,10 @@ static pci_ers_result_t zpci_event_do_er + struct zpci_dev *zdev = to_zpci(pdev); + int rc; + ++ /* The underlying device may have been disabled by the event */ ++ if (!zdev_enabled(zdev)) ++ return PCI_ERS_RESULT_NEED_RESET; ++ + pr_info("%s: Unblocking device access for examination\n", pci_name(pdev)); + rc = zpci_reset_load_store_blocked(zdev); + if (rc) { diff --git a/queue-6.15/s390-pci-fix-stale-function-handles-in-error-handling.patch b/queue-6.15/s390-pci-fix-stale-function-handles-in-error-handling.patch new file mode 100644 index 0000000000..65d02b5ef0 --- /dev/null +++ b/queue-6.15/s390-pci-fix-stale-function-handles-in-error-handling.patch 
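Review bot: The new early return in `zpci_event_do_error_state_clear()` leaves nothing in the log, because it sits above the `pr_info()` that announces the unblocking attempt. When recovery is redirected to a reset because the function was found disabled, an operator reading the recovery trace cannot tell that this branch was taken. I would brace the check and log before returning, e.g. `pr_info("%s: Device is disabled, requesting reset\n", pci_name(pdev));`. The function body continues past the end of the hunk.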
@@ -0,0 +1,58 @@ +From 45537926dd2aaa9190ac0fac5a0fbeefcadfea95 Mon Sep 17 00:00:00 2001 +From: Niklas Schnelle +Date: Wed, 25 Jun 2025 11:28:28 +0200 +Subject: s390/pci: Fix stale function handles in error handling + +From: Niklas Schnelle + +commit 45537926dd2aaa9190ac0fac5a0fbeefcadfea95 upstream. + +The error event information for PCI error events contains a function +handle for the respective function. This handle is generally captured at +the time the error event was recorded. Due to delays in processing or +cascading issues, it may happen that during firmware recovery multiple +events are generated. When processing these events in order Linux may +already have recovered an affected function making the event information +stale. Fix this by doing an unconditional CLP List PCI function +retrieving the current function handle with the zdev->state_lock held +and ignoring the event if its function handle is stale. + +Cc: stable@vger.kernel.org +Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery") +Reviewed-by: Julian Ruess +Reviewed-by: Gerd Bayer +Reviewed-by: Farhan Ali +Signed-off-by: Niklas Schnelle +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/pci/pci_event.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/s390/pci/pci_event.c ++++ b/arch/s390/pci/pci_event.c +@@ -273,6 +273,8 @@ static void __zpci_event_error(struct zp + struct zpci_dev *zdev = get_zdev_by_fid(ccdf->fid); + struct pci_dev *pdev = NULL; + pci_ers_result_t ers_res; ++ u32 fh = 0; ++ int rc; + + zpci_dbg(3, "err fid:%x, fh:%x, pec:%x\n", + ccdf->fid, ccdf->fh, ccdf->pec); +@@ -281,6 +283,15 @@ static void __zpci_event_error(struct zp + + if (zdev) { + mutex_lock(&zdev->state_lock); ++ rc = clp_refresh_fh(zdev->fid, &fh); ++ if (rc) ++ goto no_pdev; ++ if (!fh || ccdf->fh != fh) { ++ /* Ignore events with stale handles */ ++ zpci_dbg(3, "err fid:%x, fh:%x (stale %x)\n", ++ ccdf->fid, fh, ccdf->fh); ++ goto no_pdev; ++ } 
+ zpci_update_fh(zdev, ccdf->fh); + if (zdev->zbus->bus) + pdev = pci_get_slot(zdev->zbus->bus, zdev->devfn); diff --git a/queue-6.15/series b/queue-6.15/series index edbcb56f7f..c5dcff0bd2 100644 --- a/queue-6.15/series +++ b/queue-6.15/series 
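Review bot: Both new `goto no_pdev` exits in `__zpci_event_error()` are taken with `zdev->state_lock` held, and the `no_pdev` label lies outside the hunk, so it should be confirmed that the label releases the mutex on this path. Separately, the `clp_refresh_fh()` failure branch drops the error event without recording `rc`, while the stale-handle branch right below it logs through `zpci_dbg()`. Adding `zpci_dbg(3, "err fid:%x, fh refresh failed rc:%d\n", ccdf->fid, rc);` before the first `goto` would keep a dropped event diagnosable.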
@@ -2,3 +2,31 @@ rtc-pcf2127-add-missing-semicolon-after-statement.patch
 rtc-pcf2127-fix-spi-command-byte-for-pcf2131.patch
 rtc-cmos-use-spin_lock_irqsave-in-cmos_interrupt.patch
 virtio-net-xsk-rx-fix-the-frame-s-length-check.patch
+virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
+s390-pci-fix-stale-function-handles-in-error-handling.patch
+s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch
+dt-bindings-net-sophgo-sg2044-dwmac-drop-status-from-the-example.patch
+net-txgbe-request-misc-irq-in-ndo_open.patch
+vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch
+iommufd-selftest-add-missing-close-mfd-in-memfd_mmap.patch
+iommufd-selftest-add-asserts-testing-global-mfd.patch
+net-libwx-fix-the-incorrect-display-of-the-queue-number.patch
+mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch
+xfs-actually-use-the-xfs_growfs_check_rtgeom-tracepoint.patch
+revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch
+mmc-sdhci-uhs2-adjust-some-error-messages-and-register-dump-for-sd-uhs-ii-card.patch
+mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch
+mmc-core-adjust-some-error-messages-for-sd-uhs-ii-cards.patch
+bluetooth-hci-set-extended-advertising-data-synchronously.patch
+bluetooth-hci_sync-revert-some-mesh-modifications.patch
+bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch
+bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch
+iommufd-selftest-fix-iommufd_dirty_tracking-with-large-hugepage-sizes.patch
+regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch
+input-cs40l50-vibra-fix-potential-null-dereference-in-cs40l50_upload_owt.patch
+anon_inode-rework-assertions.patch
+usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
+mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
+mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
+mtk-sd-reset-host-mrq-on-prepare_data-error.patch
+drm-v3d-disable-interrupts-before-resetting-the-gpu.patch
diff --git a/queue-6.15/usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch b/queue-6.15/usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
new file mode 100644
index 0000000000..9791188424
--- /dev/null
+++ b/queue-6.15/usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
@@ -0,0 +1,53 @@
+From af4db5a35a4ef7a68046883bfd12468007db38f1 Mon Sep 17 00:00:00 2001
+From: RD Babiera
+Date: Wed, 18 Jun 2025 22:49:42 +0000
+Subject: usb: typec: altmodes/displayport: do not index invalid pin_assignments
+
+From: RD Babiera
+
+commit af4db5a35a4ef7a68046883bfd12468007db38f1 upstream.
+
+A poorly implemented DisplayPort Alt Mode port partner can indicate
+that its pin assignment capabilities are greater than the maximum
+value, DP_PIN_ASSIGN_F. In this case, calls to pin_assignment_show
+will cause a BRK exception due to an out of bounds array access.
+
+Prevent for loop in pin_assignment_show from accessing
+invalid values in pin_assignments by adding DP_PIN_ASSIGN_MAX
+value in typec_dp.h and using i < DP_PIN_ASSIGN_MAX as a loop
+condition.
+
+Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
+Cc: stable
+Signed-off-by: RD Babiera
+Reviewed-by: Badhri Jagan Sridharan
+Reviewed-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20250618224943.3263103-2-rdbabiera@google.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/altmodes/displayport.c | 2 +-
+ include/linux/usb/typec_dp.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -677,7 +677,7 @@ static ssize_t pin_assignment_show(struc
+
+ assignments = get_current_pin_assignments(dp);
+
+- for (i = 0; assignments; assignments >>= 1, i++) {
++ for (i = 0; assignments && i < DP_PIN_ASSIGN_MAX; assignments >>= 1, i++) {
+ if (assignments & 1) {
+ if (i == cur)
+ len += sprintf(buf + len, "[%s] ",
+--- a/include/linux/usb/typec_dp.h
++++ b/include/linux/usb/typec_dp.h
+@@ -57,6 +57,7 @@ enum {
+ DP_PIN_ASSIGN_D,
+ DP_PIN_ASSIGN_E,
+ DP_PIN_ASSIGN_F, /* Not supported after v1.0b */
++ DP_PIN_ASSIGN_MAX,
+ };
+
+ /* DisplayPort alt mode specific commands */
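Review bot: `DP_PIN_ASSIGN_MAX` is added to the enum in `typec_dp.h` without a comment, although it is a count rather than a pin assignment and the new loop bound in `pin_assignment_show()` depends on it staying last. I would write `DP_PIN_ASSIGN_MAX, /* number of pin assignments, keep last */`. The bound only protects the lookup if the `pin_assignments` table has at least that many entries. Its definition is outside the hunk, so it is worth checking that the table is sized with `DP_PIN_ASSIGN_MAX` or guarded by a `static_assert()` on its `ARRAY_SIZE()`.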
diff --git a/queue-6.15/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch b/queue-6.15/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch new file mode 100644 index 0000000000..302b4402de --- /dev/null +++ b/queue-6.15/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch 
@@ -0,0 +1,110 @@ +From 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 Mon Sep 17 00:00:00 2001 +From: Bui Quang Minh +Date: Mon, 30 Jun 2025 21:42:10 +0700 +Subject: virtio-net: ensure the received length does not exceed allocated size + +From: Bui Quang Minh + +commit 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 upstream. + +In xdp_linearize_page, when reading the following buffers from the ring, +we forget to check the received length with the true allocate size. This +can lead to an out-of-bound read. This commit adds that missing check. + +Cc: +Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set") +Signed-off-by: Bui Quang Minh +Acked-by: Jason Wang +Link: https://patch.msgid.link/20250630144212.48471-2-minhquangbui99@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 38 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 34 insertions(+), 4 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -778,6 +778,26 @@ static unsigned int mergeable_ctx_to_tru + return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1); + } + ++static int check_mergeable_len(struct net_device *dev, void *mrg_ctx, ++ unsigned int len) ++{ ++ unsigned int headroom, tailroom, room, truesize; ++ ++ truesize = mergeable_ctx_to_truesize(mrg_ctx); ++ headroom = mergeable_ctx_to_headroom(mrg_ctx); ++ tailroom = headroom ? 
sizeof(struct skb_shared_info) : 0; ++ room = SKB_DATA_ALIGN(headroom + tailroom); ++ ++ if (len > truesize - room) { ++ pr_debug("%s: rx error: len %u exceeds truesize %lu\n", ++ dev->name, len, (unsigned long)(truesize - room)); ++ DEV_STATS_INC(dev, rx_length_errors); ++ return -1; ++ } ++ ++ return 0; ++} ++ + static struct sk_buff *virtnet_build_skb(void *buf, unsigned int buflen, + unsigned int headroom, + unsigned int len) +@@ -1811,7 +1831,8 @@ static unsigned int virtnet_get_headroom + * across multiple buffers (num_buf > 1), and we make sure buffers + * have enough headroom. + */ +-static struct page *xdp_linearize_page(struct receive_queue *rq, ++static struct page *xdp_linearize_page(struct net_device *dev, ++ struct receive_queue *rq, + int *num_buf, + struct page *p, + int offset, +@@ -1831,18 +1852,27 @@ static struct page *xdp_linearize_page(s + memcpy(page_address(page) + page_off, page_address(p) + offset, *len); + page_off += *len; + ++ /* Only mergeable mode can go inside this while loop. In small mode, ++ * *num_buf == 1, so it cannot go inside. ++ */ + while (--*num_buf) { + unsigned int buflen; + void *buf; ++ void *ctx; + int off; + +- buf = virtnet_rq_get_buf(rq, &buflen, NULL); ++ buf = virtnet_rq_get_buf(rq, &buflen, &ctx); + if (unlikely(!buf)) + goto err_buf; + + p = virt_to_head_page(buf); + off = buf - page_address(p); + ++ if (check_mergeable_len(dev, ctx, buflen)) { ++ put_page(p); ++ goto err_buf; ++ } ++ + /* guard against a misconfigured or uncooperative backend that + * is sending packet larger than the MTU. 
+ */ +@@ -1931,7 +1961,7 @@ static struct sk_buff *receive_small_xdp + headroom = vi->hdr_len + header_offset; + buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) + + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); +- xdp_page = xdp_linearize_page(rq, &num_buf, page, ++ xdp_page = xdp_linearize_page(dev, rq, &num_buf, page, + offset, header_offset, + &tlen); + if (!xdp_page) +@@ -2266,7 +2296,7 @@ static void *mergeable_xdp_get_buf(struc + */ + if (!xdp_prog->aux->xdp_has_frags) { + /* linearize data for XDP */ +- xdp_page = xdp_linearize_page(rq, num_buf, ++ xdp_page = xdp_linearize_page(vi->dev, rq, num_buf, + *page, offset, + XDP_PACKET_HEADROOM, + len); diff --git a/queue-6.15/virtio-net-xsk-rx-fix-the-frame-s-length-check.patch b/queue-6.15/virtio-net-xsk-rx-fix-the-frame-s-length-check.patch index 4cd546a66c..e96d760d24 100644 --- a/queue-6.15/virtio-net-xsk-rx-fix-the-frame-s-length-check.patch +++ b/queue-6.15/virtio-net-xsk-rx-fix-the-frame-s-length-check.patch @@ -42,14 +42,12 @@ Link: https://patch.msgid.link/20250630151315.86722-2-minhquangbui99@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman --- - drivers/net/virtio_net.c | 22 ++++++++++++++++++---- + drivers/net/virtio_net.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) -diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c -index ecd3f46deb5d..50ff9a309ddc 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c -@@ -1147,15 +1147,29 @@ static void check_sq_full_and_disable(struct virtnet_info *vi, +@@ -1127,15 +1127,29 @@ static void check_sq_full_and_disable(st } } @@ -81,7 +79,7 @@ index ecd3f46deb5d..50ff9a309ddc 100644 if (unlikely(len > bufsize)) { pr_debug("%s: rx error: len %u exceeds truesize %u\n", -@@ -1280,7 +1294,7 @@ static int xsk_append_merge_buffer(struct virtnet_info *vi, +@@ -1260,7 +1274,7 @@ static int xsk_append_merge_buffer(struc u64_stats_add(&stats->bytes, len); 
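Review bot: In the new `check_mergeable_len()` the bound `truesize - room` is computed in `unsigned int`, so if `room` were ever larger than `truesize` the subtraction would wrap and the check would accept any `len`. Both values are decoded from `mrg_ctx`, which presumably is written by the driver itself rather than by the device, so this is a hardening point rather than a demonstrated bug. `if (room > truesize || len > truesize - room) {` closes it without adding to the device-supplied `len`. The `pr_debug()` text also says "exceeds truesize" while printing `truesize - room`, which can mislead when reading logs.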
@@ -90,7 +88,7 @@ index ecd3f46deb5d..50ff9a309ddc 100644 if (!xdp) goto err; -@@ -1378,7 +1392,7 @@ static void virtnet_receive_xsk_buf(struct virtnet_info *vi, struct receive_queu +@@ -1358,7 +1372,7 @@ static void virtnet_receive_xsk_buf(stru u64_stats_add(&stats->bytes, len); @@ -99,6 +97,3 @@ index ecd3f46deb5d..50ff9a309ddc 100644 if (!xdp) return; --- -2.50.0 - diff --git a/queue-6.15/vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch b/queue-6.15/vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch new file mode 100644 index 0000000000..359065a6ff --- /dev/null +++ b/queue-6.15/vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch 
@@ -0,0 +1,56 @@
+From 223e2288f4b8c262a864e2c03964ffac91744cd5 Mon Sep 17 00:00:00 2001
+From: HarshaVardhana S A
+Date: Tue, 1 Jul 2025 14:22:54 +0200
+Subject: vsock/vmci: Clear the vmci transport packet properly when initializing it
+
+From: HarshaVardhana S A
+
+commit 223e2288f4b8c262a864e2c03964ffac91744cd5 upstream.
+
+In vmci_transport_packet_init memset the vmci_transport_packet before
+populating the fields to avoid any uninitialised data being left in the
+structure.
+
+Cc: Bryan Tan
+Cc: Vishnu Dasa
+Cc: Broadcom internal kernel review list
+Cc: Stefano Garzarella
+Cc: "David S. Miller"
+Cc: Eric Dumazet
+Cc: Jakub Kicinski
+Cc: Paolo Abeni
+Cc: Simon Horman
+Cc: virtualization@lists.linux.dev
+Cc: netdev@vger.kernel.org
+Cc: stable
+Signed-off-by: HarshaVardhana S A
+Signed-off-by: Greg Kroah-Hartman
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Acked-by: Stefano Garzarella
+Link: https://patch.msgid.link/20250701122254.2397440-1-gregkh@linuxfoundation.org
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/vmci_transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -119,6 +119,8 @@ vmci_transport_packet_init(struct vmci_t
+ u16 proto,
+ struct vmci_handle handle)
+ {
++ memset(pkt, 0, sizeof(*pkt));
++
+ /* We register the stream control handler as an any cid handle so we
+ * must always send from a source address of VMADDR_CID_ANY
+ */
+@@ -131,8 +133,6 @@ vmci_transport_packet_init(struct vmci_t
+ pkt->type = type;
+ pkt->src_port = src->svm_port;
+ pkt->dst_port = dst->svm_port;
+- memset(&pkt->proto, 0, sizeof(pkt->proto));
+- memset(&pkt->_reserved2, 0, sizeof(pkt->_reserved2));
+
+ switch (pkt->type) {
+ case VMCI_TRANSPORT_PACKET_TYPE_INVALID:
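Review bot: The new `memset(pkt, 0, sizeof(*pkt))` at the top of `vmci_transport_packet_init()` carries no comment saying why the whole structure is cleared. The two field-level memsets it replaces show how that intent can narrow to named fields only, leaving padding and unlisted members uninitialised. A comment such as `/* Zero the whole packet, padding included, so no uninitialised bytes are left in it */` would keep a later cleanup from reverting to per-field clearing. Every field assignment has to stay below the memset, and since the function continues past the hunk with the `switch` on `pkt->type`, that ordering cannot be fully confirmed here.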
diff --git a/queue-6.15/xfs-actually-use-the-xfs_growfs_check_rtgeom-tracepoint.patch b/queue-6.15/xfs-actually-use-the-xfs_growfs_check_rtgeom-tracepoint.patch
new file mode 100644
index 0000000000..2a977f8146
--- /dev/null
+++ b/queue-6.15/xfs-actually-use-the-xfs_growfs_check_rtgeom-tracepoint.patch
@@ -0,0 +1,40 @@
+From db44d088a5ab030b741a3adf2e7b181a8a6dcfbe Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Thu, 12 Jun 2025 10:51:12 -0700
+Subject: xfs: actually use the xfs_growfs_check_rtgeom tracepoint
+
+From: Darrick J. Wong
+
+commit db44d088a5ab030b741a3adf2e7b181a8a6dcfbe upstream.
+
+We created a new tracepoint but forgot to put it in. Fix that.
+
+Cc: rostedt@goodmis.org
+Cc: stable@vger.kernel.org # v6.14
+Fixes: 59a57acbce282d ("xfs: check that the rtrmapbt maxlevels doesn't increase when growing fs")
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Carlos Maiolino
+Reported-by: Steven Rostedt
+Closes: https://lore.kernel.org/all/20250612131021.114e6ec8@batman.local.home/
+Signed-off-by: Carlos Maiolino
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_rtalloc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
+index 6484c596ecea..736eb0924573 100644
+--- a/fs/xfs/xfs_rtalloc.c
++++ b/fs/xfs/xfs_rtalloc.c
+@@ -1259,6 +1259,8 @@ xfs_growfs_check_rtgeom(
+
+ kfree(nmp);
+
++ trace_xfs_growfs_check_rtgeom(mp, min_logfsbs);
++
+ if (min_logfsbs > mp->m_sb.sb_logblocks)
+ return -EINVAL;
+
+--
+2.50.0
+