From: Sasha Levin
Date: Mon, 14 Jul 2025 17:18:48 +0000 (-0400)
Subject: Fixes for 6.15
X-Git-Tag: v5.4.296~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9e3fff0793a48b882bbc3cb1db1c0921c92239d;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 6.15
Signed-off-by: Sasha Levin
---
diff --git a/queue-6.15/alsa-hda-realtek-add-mic-mute-led-setup-for-asus-um5.patch b/queue-6.15/alsa-hda-realtek-add-mic-mute-led-setup-for-asus-um5.patch
new file mode 100644
index 0000000000..6a912318a8
--- /dev/null
+++ b/queue-6.15/alsa-hda-realtek-add-mic-mute-led-setup-for-asus-um5.patch
@@ -0,0 +1,38 @@ +From a2d66641dd0f4f18497e148d95b4b69ce81842df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 17:18:39 +0200 +Subject: ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606 + +From: Takashi Iwai + +[ Upstream commit 41c66461cb2e8d3934a5395f27e572ebe63696b4 ] + +ASUS UM5606* models use the quirk to set up the bass speakers, but it +missed the mic-mute LED configuration. Other similar models have the +AMD ACP dmic, and the mic-mute is set up for that, but those models +don't have AMD ACP but rather built-in mics of Realtek codec, hence +the Realtek driver should set it up, instead. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220125 +Link: https://patch.msgid.link/20250623151841.28810-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index e33cbc6a385ea..beb9423658d72 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6609,6 +6609,7 @@ static void alc294_fixup_bass_speaker_15(struct hda_codec *codec, + if (action == HDA_FIXUP_ACT_PRE_PROBE) { + static const hda_nid_t conn[] = { 0x02, 0x03 }; + snd_hda_override_conn_list(codec, 0x15, ARRAY_SIZE(conn), conn); ++ snd_hda_gen_add_micmute_led_cdev(codec, NULL); + } + } + +-- +2.39.5 + diff --git a/queue-6.15/alsa-hda-realtek-add-quirks-for-some-clevo-laptops.patch b/queue-6.15/alsa-hda-realtek-add-quirks-for-some-clevo-laptops.patch new file mode 100644 index 0000000000..b625d416e9 --- /dev/null +++ b/queue-6.15/alsa-hda-realtek-add-quirks-for-some-clevo-laptops.patch 
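Review bot: The added `snd_hda_gen_add_micmute_led_cdev(codec, NULL);` in alc294_fixup_bass_speaker_15() discards its return value and has no comment saying why a bass-speaker fixup now also registers a mic-mute LED. The fixup function is shared by every quirk entry that selects it (the table is outside this hunk), so it is worth confirming that none of those models already gets a mic-mute LED from another driver. I would add a comment above the call such as `/* built-in mics are on the Realtek codec on these models, so the codec driver registers the mic-mute LED */`. The function signature is only visible in the hunk header.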
@@ -0,0 +1,66 @@ +From d1af54e851171111445cf36da1171c565c55e788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 14:43:29 -0600 +Subject: ALSA: hda/realtek: Add quirks for some Clevo laptops + +From: Tim Crawford + +[ Upstream commit e41687b511d5e5437db5d2151e23c115dba30411 ] + +Add audio quirks to fix speaker output and headset detection on the +following Clevo models: + +- V350ENC +- V350WNPQ +- V540TU +- X560WNR +- X580WNS + +Signed-off-by: Tim Crawford +Link: https://patch.msgid.link/20250620204329.35878-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 5cf5350439029..f7bb97230201f 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2656,6 +2656,7 @@ static const struct hda_quirk alc882_fixup_tbl[] = { + SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX), + SND_PCI_QUIRK(0x1558, 0x3702, "Clevo X370SN[VW]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x50d3, "Clevo PC50[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), ++ SND_PCI_QUIRK(0x1558, 0x5802, "Clevo X58[05]WN[RST]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65d1, "Clevo PB51[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65d2, "Clevo PB51R[CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65e1, "Clevo PB51[ED][DF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), +@@ -11117,6 +11118,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1558, 0x14a1, "Clevo L141MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x2624, "Clevo L240TU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x28c1, "Clevo V370VND", ALC2XX_FIXUP_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1558, 0x35a1, "Clevo V3[56]0EN[CDE]", 
ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x35b1, "Clevo V3[57]0WN[MNP]Q", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), +@@ -11144,6 +11147,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1558, 0x51b1, "Clevo NS50AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x51b3, "Clevo NS70AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x5630, "Clevo NP50RNJS", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x5700, "Clevo X560WN[RST]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70a1, "Clevo NB70T[HJK]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70b3, "Clevo NK70SB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70f2, "Clevo NH79EPY", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), +@@ -11183,6 +11187,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1558, 0xa650, "Clevo NP[567]0SN[CD]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa671, "Clevo NP70SN[CDE]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa741, "Clevo V54x_6x_TNE", ALC245_FIXUP_CLEVO_NOISY_MIC), ++ SND_PCI_QUIRK(0x1558, 0xa743, "Clevo V54x_6x_TU", ALC245_FIXUP_CLEVO_NOISY_MIC), + SND_PCI_QUIRK(0x1558, 0xa763, "Clevo V54x_6x_TU", ALC245_FIXUP_CLEVO_NOISY_MIC), + SND_PCI_QUIRK(0x1558, 0xb018, "Clevo NP50D[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb019, "Clevo NH77D[BE]Q", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), +-- +2.39.5 + 
diff --git a/queue-6.15/alsa-hda-realtek-enable-mute-led-on-hp-pavilion-lapt.patch b/queue-6.15/alsa-hda-realtek-enable-mute-led-on-hp-pavilion-lapt.patch new file mode 100644 index 0000000000..235150da5e --- /dev/null +++ b/queue-6.15/alsa-hda-realtek-enable-mute-led-on-hp-pavilion-lapt.patch @@ -0,0 +1,35 @@ +From 4197ff3af2dfbc3b9255c6f580f97b8237a83bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jun 2025 01:36:14 -0400 +Subject: ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 + +From: Yasmin Fitzgerald + +[ Upstream commit 68cc9d3c8e44afe90e43cbbd2960da15c2f31e23 ] + +The HP Pavilion Laptop 15-eg100 has Realtek HDA codec ALC287. +It needs the ALC287_FIXUP_HP_GPIO_LED quirk to enable the mute LED. + +Signed-off-by: Yasmin Fitzgerald +Link: https://patch.msgid.link/20250621053832.52950-1-sunoflife1.git@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index b3cd0ab29bb6a..5cf5350439029 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10715,6 +10715,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8975, "HP EliteBook x360 840 Aero G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x897d, "HP mt440 Mobile Thin Client U74", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8981, "HP Elite Dragonfly G3", ALC245_FIXUP_CS35L41_SPI_4), ++ SND_PCI_QUIRK(0x103c, 0x898a, "HP Pavilion 15-eg100", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x898e, "HP EliteBook 835 G9", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x898f, "HP EliteBook 835 G9", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8991, "HP EliteBook 845 G9", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED), +-- +2.39.5 + 
diff --git a/queue-6.15/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-eliteb.patch b/queue-6.15/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-eliteb.patch
new file mode 100644
index 0000000000..4726c84394
--- /dev/null
+++ b/queue-6.15/alsa-hda-realtek-fix-mute-micmute-leds-for-hp-eliteb.patch
@@ -0,0 +1,38 @@ +From 9922f44fc72c45b6cee2948e0f71751bc2b37aaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 14:30:23 +0800 +Subject: ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 6 G1a + +From: Chris Chiu + +[ Upstream commit 9a07ca9a4015f8f71e2b594ee76ac55483babd89 ] + +HP EliteBook 6 G1a laptops use ALC236 codec and need the fixup +ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF to make the mic/micmute LEDs +work. + +Signed-off-by: Chris Chiu +Link: https://patch.msgid.link/20250623063023.374920-1-chris.chiu@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index beb9423658d72..b3cd0ab29bb6a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10886,7 +10886,9 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8def, "HP EliteBook 660 G12", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8df0, "HP EliteBook 630 G12", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8df1, "HP EliteBook 630 G12", ALC236_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8dfb, "HP EliteBook 6 G1a 14", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8dfc, "HP EliteBook 645 G12", ALC236_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x8dfd, "HP EliteBook 6 G1a 16", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8dfe, "HP EliteBook 665 G12", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8e11, "HP Trekker", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8e12, "HP Trekker", ALC287_FIXUP_CS35L41_I2C_2), +-- +2.39.5 + diff --git a/queue-6.15/asoc-amd-yc-add-quirk-for-acer-nitro-anv15-41-intern.patch b/queue-6.15/asoc-amd-yc-add-quirk-for-acer-nitro-anv15-41-intern.patch new file mode 100644 index 0000000000..313c54e574 --- /dev/null 
+++ b/queue-6.15/asoc-amd-yc-add-quirk-for-acer-nitro-anv15-41-intern.patch @@ -0,0 +1,42 @@ +From 9bc7674203cf37a7b36e726c5ba10d9a68e0d571 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Jun 2025 22:58:00 +0000 +Subject: ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic + +From: Yuzuru10 + +[ Upstream commit 7186b81807b4a08f8bf834b6bdc72d6ed8ba1587 ] + +This patch adds DMI-based quirk for the Acer Nitro ANV15-41, +allowing the internal microphone to be detected correctly on +machines with "RB" as board vendor. + +Signed-off-by: Yuzuru +Link: https://patch.msgid.link/20250622225754.20856-1-yuzuru_10@proton.me +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 723cb7bc12851..1689b6b22598e 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -346,6 +346,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "83Q3"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "RB"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Nitro ANV15-41"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.39.5 + diff --git a/queue-6.15/asoc-rt721-sdca-fix-boost-gain-calculation-error.patch b/queue-6.15/asoc-rt721-sdca-fix-boost-gain-calculation-error.patch new file mode 100644 index 0000000000..4fb22cb3d3 --- /dev/null +++ b/queue-6.15/asoc-rt721-sdca-fix-boost-gain-calculation-error.patch 
@@ -0,0 +1,73 @@ +From e2cf1357e6fc8ac240b1522121aea0b30bbfbd0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 02:59:28 +0000 +Subject: ASoC: rt721-sdca: fix boost gain calculation error + +From: Jack Yu + +[ Upstream commit ff21a6ec0f27c126db0a86d96751bd6e5d1d9874 ] + +Fix the boost gain calculation error in rt721_sdca_set_gain_get. +This patch is specific for "FU33 Boost Volume". + +Signed-off-by: Jack Yu +Link: https://patch.msgid.link/1b18fcde41c64d6fa85451d523c0434a@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt721-sdca.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/rt721-sdca.c b/sound/soc/codecs/rt721-sdca.c +index 1c9f32e405cf9..ba080957e9336 100644 +--- a/sound/soc/codecs/rt721-sdca.c ++++ b/sound/soc/codecs/rt721-sdca.c +@@ -430,6 +430,7 @@ static int rt721_sdca_set_gain_get(struct snd_kcontrol *kcontrol, + unsigned int read_l, read_r, ctl_l = 0, ctl_r = 0; + unsigned int adc_vol_flag = 0; + const unsigned int interval_offset = 0xc0; ++ const unsigned int tendA = 0x200; + const unsigned int tendB = 0xa00; + + if (strstr(ucontrol->id.name, "FU1E Capture Volume") || +@@ -439,9 +440,16 @@ static int rt721_sdca_set_gain_get(struct snd_kcontrol *kcontrol, + regmap_read(rt721->mbq_regmap, mc->reg, &read_l); + regmap_read(rt721->mbq_regmap, mc->rreg, &read_r); + +- if (mc->shift == 8) /* boost gain */ ++ if (mc->shift == 8) { ++ /* boost gain */ + ctl_l = read_l / tendB; +- else { ++ } else if (mc->shift == 1) { ++ /* FU33 boost gain */ ++ if (read_l == 0x8000 || read_l == 0xfe00) ++ ctl_l = 0; ++ else ++ ctl_l = read_l / tendA + 1; ++ } else { + if (adc_vol_flag) + ctl_l = mc->max - (((0x1e00 - read_l) & 0xffff) / interval_offset); + else +@@ -449,9 +457,16 @@ static int rt721_sdca_set_gain_get(struct snd_kcontrol *kcontrol, + } + + if (read_l != read_r) { +- if (mc->shift == 8) /* boost gain */ ++ if (mc->shift == 8) { ++ /* 
boost gain */ + ctl_r = read_r / tendB; +- else { /* ADC/DAC gain */ ++ } else if (mc->shift == 1) { ++ /* FU33 boost gain */ ++ if (read_r == 0x8000 || read_r == 0xfe00) ++ ctl_r = 0; ++ else ++ ctl_r = read_r / tendA + 1; ++ } else { /* ADC/DAC gain */ + if (adc_vol_flag) + ctl_r = mc->max - (((0x1e00 - read_r) & 0xffff) / interval_offset); + else +-- +2.39.5 + diff --git a/queue-6.15/asoc-sof-intel-hda-use-devm_kstrdup-to-avoid-memleak.patch b/queue-6.15/asoc-sof-intel-hda-use-devm_kstrdup-to-avoid-memleak.patch new file mode 100644 index 0000000000..1f2558d4ad --- /dev/null +++ b/queue-6.15/asoc-sof-intel-hda-use-devm_kstrdup-to-avoid-memleak.patch 
@@ -0,0 +1,67 @@ +From 5d18db72cda57fd1a6430218ddb2f291b55d94eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 08:55:48 +0900 +Subject: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. + +From: Tamura Dai + +[ Upstream commit 6c038b58a2dc5a008c7e7a1297f5aaa4deaaaa7e ] + +sof_pdata->tplg_filename can have address allocated by kstrdup() +and can be overwritten. Memory leak was detected with kmemleak: + +unreferenced object 0xffff88812391ff60 (size 16): + comm "kworker/4:1", pid 161, jiffies 4294802931 + hex dump (first 16 bytes): + 73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00 sof-hda-generic. + backtrace (crc 4bf1675c): + __kmalloc_node_track_caller_noprof+0x49c/0x6b0 + kstrdup+0x46/0xc0 + hda_machine_select.cold+0x1de/0x12cf [snd_sof_intel_hda_generic] + sof_init_environment+0x16f/0xb50 [snd_sof] + sof_probe_continue+0x45/0x7c0 [snd_sof] + sof_probe_work+0x1e/0x40 [snd_sof] + process_one_work+0x894/0x14b0 + worker_thread+0x5e5/0xfb0 + kthread+0x39d/0x760 + ret_from_fork+0x31/0x70 + ret_from_fork_asm+0x1a/0x30 + +Signed-off-by: Tamura Dai +Link: https://patch.msgid.link/20250615235548.8591-1-kirinode0@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/hda.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c +index 6a3932d90b43a..27b077f5c8f58 100644 +--- a/sound/soc/sof/intel/hda.c ++++ b/sound/soc/sof/intel/hda.c +@@ -1254,11 +1254,11 @@ static int check_tplg_quirk_mask(struct snd_soc_acpi_mach *mach) + return 0; + } + +-static char *remove_file_ext(const char *tplg_filename) ++static char *remove_file_ext(struct device *dev, const char *tplg_filename) + { + char *filename, *tmp; + +- filename = kstrdup(tplg_filename, GFP_KERNEL); ++ filename = devm_kstrdup(dev, tplg_filename, GFP_KERNEL); + if (!filename) + return NULL; + +@@ -1342,7 +1342,7 @@ struct snd_soc_acpi_mach *hda_machine_select(struct snd_sof_dev 
*sdev) + */ + if (!sof_pdata->tplg_filename) { + /* remove file extension if it exists */ +- tplg_filename = remove_file_ext(mach->sof_tplg_filename); ++ tplg_filename = remove_file_ext(sdev->dev, mach->sof_tplg_filename); + if (!tplg_filename) + return NULL; + +-- +2.39.5 + diff --git a/queue-6.15/atm-idt77252-add-missing-dma_map_error.patch b/queue-6.15/atm-idt77252-add-missing-dma_map_error.patch new file mode 100644 index 0000000000..449861a5ec --- /dev/null +++ b/queue-6.15/atm-idt77252-add-missing-dma_map_error.patch 
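Review bot: After the switch to `devm_kstrdup(dev, ...)`, the string returned by remove_file_ext() is owned by the device and must never be passed to `kfree()`, but nothing in the helper documents that change of ownership. The rest of hda_machine_select() is outside the hunk, so please confirm that no error or cleanup path there still frees `tplg_filename` by hand. Note also that the allocation now lives until the device is unbound, even after `sof_pdata->tplg_filename` is overwritten with a different name. I would add a comment above the helper along the lines of `/* returns a devm-managed copy bound to @dev; callers must not kfree() it */`.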
@@ -0,0 +1,53 @@ +From 95f4392266a7cc6451a394ba1158da77d71aca8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 08:41:47 +0200 +Subject: atm: idt77252: Add missing `dma_map_error()` + +From: Thomas Fourier + +[ Upstream commit c4890963350dcf4e9a909bae23665921fba4ad27 ] + +The DMA map functions can fail and should be tested for errors. + +Signed-off-by: Thomas Fourier +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250624064148.12815-3-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/atm/idt77252.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c +index a876024d8a05f..63d41320cd5cf 100644 +--- a/drivers/atm/idt77252.c ++++ b/drivers/atm/idt77252.c +@@ -852,6 +852,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc, + + IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, + skb->len, DMA_TO_DEVICE); ++ if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) ++ return -ENOMEM; + + error = -EINVAL; + +@@ -1857,6 +1859,8 @@ add_rx_skb(struct idt77252_dev *card, int queue, + paddr = dma_map_single(&card->pcidev->dev, skb->data, + skb_end_pointer(skb) - skb->data, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(&card->pcidev->dev, paddr)) ++ goto outpoolrm; + IDT77252_PRV_PADDR(skb) = paddr; + + if (push_rx_skb(card, skb, queue)) { +@@ -1871,6 +1875,7 @@ add_rx_skb(struct idt77252_dev *card, int queue, + dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb), + skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); + ++outpoolrm: + handle = IDT77252_PRV_POOL(skb); + card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL; + +-- +2.39.5 + diff --git a/queue-6.15/block-reject-bs-ps-block-devices-when-thp-is-disable.patch b/queue-6.15/block-reject-bs-ps-block-devices-when-thp-is-disable.patch new file mode 100644 index 0000000000..f6a333ebc4 --- /dev/null 
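Review bot: The two new failure paths handle the skb differently and neither says why: in queue_skb() the check does a bare `return -ENOMEM;` just before `error = -EINVAL;`, while in add_rx_skb() it jumps to the new `outpoolrm:` label. The bodies of both functions continue outside the hunks, so it cannot be confirmed from here that the caller of queue_skb() releases the skb on this early return the same way it does for the later errors; that is worth checking to rule out a leak on mapping failure. For add_rx_skb() I would add a comment at the label, `/* also reached when dma_map_single() failed: nothing to unmap, only drop the pool slot */`, so the skipped `dma_unmap_single()` reads as intentional. Mapping failures are currently silent; a rate-limited message would make them easier to diagnose.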
+++ b/queue-6.15/block-reject-bs-ps-block-devices-when-thp-is-disable.patch 
@@ -0,0 +1,77 @@ +From eedcd491fa8cf08d0fcc8fd9d3bf8ab8e021c304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 11:21:34 +0200 +Subject: block: reject bs > ps block devices when THP is disabled + +From: Pankaj Raghav + +[ Upstream commit 4cdf1bdd45ac78a088773722f009883af30ad318 ] + +If THP is disabled and when a block device with logical block size > +page size is present, the following null ptr deref panic happens during +boot: + +[ [13.2 mK AOSAN: null-ptr-deref in range [0x0000000000000000-0x0000000000K0 0 0[07] +[ 13.017749] RIP: 0010:create_empty_buffers+0x3b/0x380 + +[ 13.025448] Call Trace: +[ 13.025692] +[ 13.025895] block_read_full_folio+0x610/0x780 +[ 13.026379] ? __pfx_blkdev_get_block+0x10/0x10 +[ 13.027008] ? __folio_batch_add_and_move+0x1fa/0x2b0 +[ 13.027548] ? __pfx_blkdev_read_folio+0x10/0x10 +[ 13.028080] filemap_read_folio+0x9b/0x200 +[ 13.028526] ? __pfx_filemap_read_folio+0x10/0x10 +[ 13.029030] ? __filemap_get_folio+0x43/0x620 +[ 13.029497] do_read_cache_folio+0x155/0x3b0 +[ 13.029962] ? __pfx_blkdev_read_folio+0x10/0x10 +[ 13.030381] read_part_sector+0xb7/0x2a0 +[ 13.030805] read_lba+0x174/0x2c0 + +[ 13.045348] nvme_scan_ns+0x684/0x850 [nvme_core] +[ 13.045858] ? __pfx_nvme_scan_ns+0x10/0x10 [nvme_core] +[ 13.046414] ? _raw_spin_unlock+0x15/0x40 +[ 13.046843] ? __switch_to+0x523/0x10a0 +[ 13.047253] ? kvm_clock_get_cycles+0x14/0x30 +[ 13.047742] ? __pfx_nvme_scan_ns_async+0x10/0x10 [nvme_core] +[ 13.048353] async_run_entry_fn+0x96/0x4f0 +[ 13.048787] process_one_work+0x667/0x10a0 +[ 13.049219] worker_thread+0x63c/0xf60 + +As large folio support depends on THP, only allow bs > ps block devices +if THP is enabled. 
+ +Fixes: 47dd67532303 ("block/bdev: lift block size restrictions to 64k") +Signed-off-by: Pankaj Raghav +Reviewed-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20250704092134.289491-1-p.raghav@samsung.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/blkdev.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 9a1f0ee40b566..7c2a66995518a 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -268,11 +268,16 @@ static inline dev_t disk_devt(struct gendisk *disk) + return MKDEV(disk->major, disk->first_minor); + } + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE + /* + * We should strive for 1 << (PAGE_SHIFT + MAX_PAGECACHE_ORDER) + * however we constrain this to what we can validate and test. + */ + #define BLK_MAX_BLOCK_SIZE SZ_64K ++#else ++#define BLK_MAX_BLOCK_SIZE PAGE_SIZE ++#endif ++ + + /* blk_validate_limits() validates bsize, so drivers don't usually need to */ + static inline int blk_validate_block_size(unsigned long bsize) +-- +2.39.5 + diff --git a/queue-6.15/bnxt_en-fix-dcb-ets-validation.patch b/queue-6.15/bnxt_en-fix-dcb-ets-validation.patch new file mode 100644 index 0000000000..ad4337da53 --- /dev/null +++ b/queue-6.15/bnxt_en-fix-dcb-ets-validation.patch 
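Review bot: The new `#else` branch that defines `BLK_MAX_BLOCK_SIZE` as `PAGE_SIZE` carries no comment, and the existing comment about `MAX_PAGECACHE_ORDER` now sits inside the `#ifdef CONFIG_TRANSPARENT_HUGEPAGE` arm, where it only explains the 64K case. A reader of blkdev.h will not see why the limit depends on THP without digging up the commit message. I would add `/* Large folios depend on THP; without it a block size above PAGE_SIZE cannot be backed by the page cache. */` above the `#else` definition. The hunk also adds an extra blank line after `#endif`, leaving two in a row before the blk_validate_block_size() comment.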
@@ -0,0 +1,49 @@ +From 130004fa4aff1b44ad50d45cf85802970cf2e3aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 14:39:36 -0700 +Subject: bnxt_en: Fix DCB ETS validation + +From: Shravya KN + +[ Upstream commit b74c2a2e9cc471e847abd87e50a2354c07e02040 ] + +In bnxt_ets_validate(), the code incorrectly loops over all possible +traffic classes to check and add the ETS settings. Fix it to loop +over the configured traffic classes only. + +The unconfigured traffic classes will default to TSA_ETS with 0 +bandwidth. Looping over these unconfigured traffic classes may +cause the validation to fail and trigger this error message: + +"rejecting ETS config starving a TC\n" + +The .ieee_setets() will then fail. + +Fixes: 7df4ae9fe855 ("bnxt_en: Implement DCBNL to support host-based DCBX.") +Reviewed-by: Sreekanth Reddy +Signed-off-by: Shravya KN +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20250710213938.1959625-2-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c +index 0dbb880a7aa0e..71e14be2507e1 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c +@@ -487,7 +487,9 @@ static int bnxt_ets_validate(struct bnxt *bp, struct ieee_ets *ets, u8 *tc) + + if ((ets->tc_tx_bw[i] || ets->tc_tsa[i]) && i > bp->max_tc) + return -EINVAL; ++ } + ++ for (i = 0; i < max_tc; i++) { + switch (ets->tc_tsa[i]) { + case IEEE_8021QAZ_TSA_STRICT: + break; +-- +2.39.5 + diff --git a/queue-6.15/bnxt_en-flush-fw-trace-before-copying-to-the-coredum.patch b/queue-6.15/bnxt_en-flush-fw-trace-before-copying-to-the-coredum.patch new file mode 100644 index 0000000000..514e6a6854 --- /dev/null +++ b/queue-6.15/bnxt_en-flush-fw-trace-before-copying-to-the-coredum.patch 
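Review bot: The bound of the new loop `for (i = 0; i < max_tc; i++)` in bnxt_ets_validate() depends on what `max_tc` holds, and that variable is assigned outside the hunk. If it tracks the highest TC index seen in `prio_tc[]` rather than a count of classes, the class at index `max_tc` is never run through the `switch (ets->tc_tsa[i])` checks, and the bound would need to be `i <= max_tc`. The ETS settings reach this function through `.ieee_setets()`, so an unvalidated entry is a request-controlled value that gets accepted unchecked. Whichever it is, please add a one-line comment above the loop stating that only configured classes are validated and how `max_tc` is defined.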
@@ -0,0 +1,69 @@ +From fd61de5454e54cb94fa27ebf238d72a7d76534ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 14:39:37 -0700 +Subject: bnxt_en: Flush FW trace before copying to the coredump + +From: Shruti Parab + +[ Upstream commit 100c08c89d173b7fdf953e7d9f9ca8f69f80d1c5 ] + +bnxt_fill_drv_seg_record() calls bnxt_dbg_hwrm_log_buffer_flush() +to flush the FW trace buffer. This needs to be done before we +call bnxt_copy_ctx_mem() to copy the trace data. + +Without this fix, the coredump may not contain all the FW +traces. + +Fixes: 3c2179e66355 ("bnxt_en: Add FW trace coredump segments to the coredump") +Reviewed-by: Kalesh AP +Signed-off-by: Shruti Parab +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20250710213938.1959625-3-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/broadcom/bnxt/bnxt_coredump.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c +index a000d3f630bd3..187695af6611f 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c +@@ -368,23 +368,27 @@ static u32 bnxt_get_ctx_coredump(struct bnxt *bp, void *buf, u32 offset, + if (!ctxm->mem_valid || !seg_id) + continue; + +- if (trace) ++ if (trace) { + extra_hlen = BNXT_SEG_RCD_LEN; ++ if (buf) { ++ u16 trace_type = bnxt_bstore_to_trace[type]; ++ ++ bnxt_fill_drv_seg_record(bp, &record, ctxm, ++ trace_type); ++ } ++ } ++ + if (buf) + data = buf + BNXT_SEG_HDR_LEN + extra_hlen; ++ + seg_len = bnxt_copy_ctx_mem(bp, ctxm, data, 0) + extra_hlen; + if (buf) { + bnxt_fill_coredump_seg_hdr(bp, &seg_hdr, NULL, seg_len, + 0, 0, 0, comp_id, seg_id); + memcpy(buf, &seg_hdr, BNXT_SEG_HDR_LEN); + buf += BNXT_SEG_HDR_LEN; +- if (trace) { +- u16 trace_type = bnxt_bstore_to_trace[type]; +- +- 
bnxt_fill_drv_seg_record(bp, &record, ctxm, +- trace_type); ++ if (trace) + memcpy(buf, &record, BNXT_SEG_RCD_LEN); +- } + buf += seg_len; + } + len += BNXT_SEG_HDR_LEN + seg_len; +-- +2.39.5 + diff --git a/queue-6.15/bnxt_en-set-dma-unmap-len-correctly-for-xdp_redirect.patch b/queue-6.15/bnxt_en-set-dma-unmap-len-correctly-for-xdp_redirect.patch new file mode 100644 index 0000000000..0187994a8e --- /dev/null +++ b/queue-6.15/bnxt_en-set-dma-unmap-len-correctly-for-xdp_redirect.patch 
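Review bot: The reordering in bnxt_get_ctx_coredump() fixes an ordering dependency that the code itself does not state: `bnxt_fill_drv_seg_record()` now has to run before `bnxt_copy_ctx_mem()`, because, according to the commit message, it flushes the FW trace buffer. Without a comment, a later cleanup could easily move the call back next to the `memcpy(buf, &record, BNXT_SEG_RCD_LEN)` where it is consumed. I would add `/* fills the record and flushes the FW trace buffer; must precede bnxt_copy_ctx_mem() */` above the call inside the `if (trace)` block. The function body extends beyond the hunk on both sides.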
@@ -0,0 +1,72 @@ +From 4013df4caf512ffcf12982b0dd0e694d0b7dc5ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 14:39:38 -0700 +Subject: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT + +From: Somnath Kotur + +[ Upstream commit 3cdf199d4755d477972ee87110b2aebc88b3cfad ] + +When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() +with the proper length instead of 0. This bug triggers this warning +on a system with IOMMU enabled: + +WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 +RIP: 0010:__iommu_dma_unmap+0x159/0x170 +Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 +b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 +RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 +RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 +R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 +R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 +FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 +PKRU: 55555554 +Call Trace: + +? show_regs+0x6d/0x80 +? __warn+0x89/0x160 +? __iommu_dma_unmap+0x159/0x170 +? report_bug+0x17e/0x1b0 +? handle_bug+0x46/0x90 +? exc_invalid_op+0x18/0x80 +? asm_exc_invalid_op+0x1b/0x20 +? __iommu_dma_unmap+0x159/0x170 +? __iommu_dma_unmap+0xb3/0x170 +iommu_dma_unmap_page+0x4f/0x100 +dma_unmap_page_attrs+0x52/0x220 +? srso_alias_return_thunk+0x5/0xfbef5 +? 
xdp_return_frame+0x2e/0xd0 +bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] +__bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] +bnxt_poll+0xd3/0x1e0 [bnxt_en] + +Fixes: f18c2b77b2e4 ("bnxt_en: optimized XDP_REDIRECT support") +Signed-off-by: Somnath Kotur +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20250710213938.1959625-4-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +index e675611777b52..aedd9e145ff9c 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +@@ -115,7 +115,7 @@ static void __bnxt_xmit_xdp_redirect(struct bnxt *bp, + tx_buf->action = XDP_REDIRECT; + tx_buf->xdpf = xdpf; + dma_unmap_addr_set(tx_buf, mapping, mapping); +- dma_unmap_len_set(tx_buf, len, 0); ++ dma_unmap_len_set(tx_buf, len, len); + } + + void bnxt_tx_int_xdp(struct bnxt *bp, struct bnxt_napi *bnapi, int budget) +-- +2.39.5 + diff --git a/queue-6.15/bpf-adjust-free-target-to-avoid-global-starvation-of.patch b/queue-6.15/bpf-adjust-free-target-to-avoid-global-starvation-of.patch new file mode 100644 index 0000000000..12128f172a --- /dev/null +++ b/queue-6.15/bpf-adjust-free-target-to-avoid-global-starvation-of.patch 
@@ -0,0 +1,311 @@ +From bd93e413f221b9f2fe4de421c1a9aa453e568c5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 17:57:40 -0400 +Subject: bpf: Adjust free target to avoid global starvation of LRU map + +From: Willem de Bruijn + +[ Upstream commit d4adf1c9ee7722545450608bcb095fb31512f0c6 ] + +BPF_MAP_TYPE_LRU_HASH can recycle most recent elements well before the +map is full, due to percpu reservations and force shrink before +neighbor stealing. Once a CPU is unable to borrow from the global map, +it will once steal one elem from a neighbor and after that each time +flush this one element to the global list and immediately recycle it. + +Batch value LOCAL_FREE_TARGET (128) will exhaust a 10K element map +with 79 CPUs. CPU 79 will observe this behavior even while its +neighbors hold 78 * 127 + 1 * 15 == 9921 free elements (99%). + +CPUs need not be active concurrently. The issue can appear with +affinity migration, e.g., irqbalance. Each CPU can reserve and then +hold onto its 128 elements indefinitely. + +Avoid global list exhaustion by limiting aggregate percpu caches to +half of map size, by adjusting LOCAL_FREE_TARGET based on cpu count. +This change has no effect on sufficiently large tables. + +Similar to LOCAL_NR_SCANS and lru->nr_scans, introduce a map variable +lru->free_target. The extra field fits in a hole in struct bpf_lru. +The cacheline is already warm where read in the hot path. The field is +only accessed with the lru lock held. 
+ +Tested-by: Anton Protopopov +Signed-off-by: Willem de Bruijn +Acked-by: Stanislav Fomichev +Link: https://lore.kernel.org/r/20250618215803.3587312-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + Documentation/bpf/map_hash.rst | 8 ++- + Documentation/bpf/map_lru_hash_update.dot | 6 +- + kernel/bpf/bpf_lru_list.c | 9 ++- + kernel/bpf/bpf_lru_list.h | 1 + + tools/testing/selftests/bpf/test_lru_map.c | 72 +++++++++++----------- + 5 files changed, 52 insertions(+), 44 deletions(-) + +diff --git a/Documentation/bpf/map_hash.rst b/Documentation/bpf/map_hash.rst +index d2343952f2cbd..8606bf958a8cf 100644 +--- a/Documentation/bpf/map_hash.rst ++++ b/Documentation/bpf/map_hash.rst +@@ -233,10 +233,16 @@ attempts in order to enforce the LRU property which have increasing impacts on + other CPUs involved in the following operation attempts: + + - Attempt to use CPU-local state to batch operations +-- Attempt to fetch free nodes from global lists ++- Attempt to fetch ``target_free`` free nodes from global lists + - Attempt to pull any node from a global list and remove it from the hashmap + - Attempt to pull any node from any CPU's list and remove it from the hashmap + ++The number of nodes to borrow from the global list in a batch, ``target_free``, ++depends on the size of the map. Larger batch size reduces lock contention, but ++may also exhaust the global structure. The value is computed at map init to ++avoid exhaustion, by limiting aggregate reservation by all CPUs to half the map ++size. With a minimum of a single element and maximum budget of 128 at a time. ++ + This algorithm is described visually in the following diagram. 
See the + description in commit 3a08c2fd7634 ("bpf: LRU List") for a full explanation of + the corresponding operations: +diff --git a/Documentation/bpf/map_lru_hash_update.dot b/Documentation/bpf/map_lru_hash_update.dot +index a0fee349d29c2..ab10058f5b79f 100644 +--- a/Documentation/bpf/map_lru_hash_update.dot ++++ b/Documentation/bpf/map_lru_hash_update.dot +@@ -35,18 +35,18 @@ digraph { + fn_bpf_lru_list_pop_free_to_local [shape=rectangle,fillcolor=2, + label="Flush local pending, + Rotate Global list, move +- LOCAL_FREE_TARGET ++ target_free + from global -> local"] + // Also corresponds to: + // fn__local_list_flush() + // fn_bpf_lru_list_rotate() + fn___bpf_lru_node_move_to_free[shape=diamond,fillcolor=2, +- label="Able to free\nLOCAL_FREE_TARGET\nnodes?"] ++ label="Able to free\ntarget_free\nnodes?"] + + fn___bpf_lru_list_shrink_inactive [shape=rectangle,fillcolor=3, + label="Shrink inactive list + up to remaining +- LOCAL_FREE_TARGET ++ target_free + (global LRU -> local)"] + fn___bpf_lru_list_shrink [shape=diamond,fillcolor=2, + label="> 0 entries in\nlocal free list?"] +diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c +index 3dabdd137d102..2d6e1c98d8adc 100644 +--- a/kernel/bpf/bpf_lru_list.c ++++ b/kernel/bpf/bpf_lru_list.c +@@ -337,12 +337,12 @@ static void bpf_lru_list_pop_free_to_local(struct bpf_lru *lru, + list) { + __bpf_lru_node_move_to_free(l, node, local_free_list(loc_l), + BPF_LRU_LOCAL_LIST_T_FREE); +- if (++nfree == LOCAL_FREE_TARGET) ++ if (++nfree == lru->target_free) + break; + } + +- if (nfree < LOCAL_FREE_TARGET) +- __bpf_lru_list_shrink(lru, l, LOCAL_FREE_TARGET - nfree, ++ if (nfree < lru->target_free) ++ __bpf_lru_list_shrink(lru, l, lru->target_free - nfree, + local_free_list(loc_l), + BPF_LRU_LOCAL_LIST_T_FREE); + +@@ -577,6 +577,9 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + buf += elem_size; + } ++ ++ lru->target_free = 
clamp((nr_elems / num_possible_cpus()) / 2, ++ 1, LOCAL_FREE_TARGET); + } + + static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, +diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h +index cbd8d3720c2bb..fe2661a58ea94 100644 +--- a/kernel/bpf/bpf_lru_list.h ++++ b/kernel/bpf/bpf_lru_list.h +@@ -58,6 +58,7 @@ struct bpf_lru { + del_from_htab_func del_from_htab; + void *del_arg; + unsigned int hash_offset; ++ unsigned int target_free; + unsigned int nr_scans; + bool percpu; + }; +diff --git a/tools/testing/selftests/bpf/test_lru_map.c b/tools/testing/selftests/bpf/test_lru_map.c +index fda7589c50236..4ae83f4b7fc7e 100644 +--- a/tools/testing/selftests/bpf/test_lru_map.c ++++ b/tools/testing/selftests/bpf/test_lru_map.c +@@ -138,6 +138,12 @@ static int sched_next_online(int pid, int *next_to_try) + return ret; + } + ++/* Inverse of how bpf_common_lru_populate derives target_free from map_size. */ ++static unsigned int __map_size(unsigned int tgt_free) ++{ ++ return tgt_free * nr_cpus * 2; ++} ++ + /* Size of the LRU map is 2 + * Add key=1 (+1 key) + * Add key=2 (+1 key) +@@ -231,11 +237,11 @@ static void test_lru_sanity0(int map_type, int map_flags) + printf("Pass\n"); + } + +-/* Size of the LRU map is 1.5*tgt_free +- * Insert 1 to tgt_free (+tgt_free keys) +- * Lookup 1 to tgt_free/2 +- * Insert 1+tgt_free to 2*tgt_free (+tgt_free keys) +- * => 1+tgt_free/2 to LOCALFREE_TARGET will be removed by LRU ++/* Verify that unreferenced elements are recycled before referenced ones. ++ * Insert elements. ++ * Reference a subset of these. ++ * Insert more, enough to trigger recycling. ++ * Verify that unreferenced are recycled. 
+ */ + static void test_lru_sanity1(int map_type, int map_flags, unsigned int tgt_free) + { +@@ -257,7 +263,7 @@ static void test_lru_sanity1(int map_type, int map_flags, unsigned int tgt_free) + batch_size = tgt_free / 2; + assert(batch_size * 2 == tgt_free); + +- map_size = tgt_free + batch_size; ++ map_size = __map_size(tgt_free) + batch_size; + lru_map_fd = create_map(map_type, map_flags, map_size); + assert(lru_map_fd != -1); + +@@ -266,13 +272,13 @@ static void test_lru_sanity1(int map_type, int map_flags, unsigned int tgt_free) + + value[0] = 1234; + +- /* Insert 1 to tgt_free (+tgt_free keys) */ +- end_key = 1 + tgt_free; ++ /* Insert map_size - batch_size keys */ ++ end_key = 1 + __map_size(tgt_free); + for (key = 1; key < end_key; key++) + assert(!bpf_map_update_elem(lru_map_fd, &key, value, + BPF_NOEXIST)); + +- /* Lookup 1 to tgt_free/2 */ ++ /* Lookup 1 to batch_size */ + end_key = 1 + batch_size; + for (key = 1; key < end_key; key++) { + assert(!bpf_map_lookup_elem_with_ref_bit(lru_map_fd, key, value)); +@@ -280,12 +286,13 @@ static void test_lru_sanity1(int map_type, int map_flags, unsigned int tgt_free) + BPF_NOEXIST)); + } + +- /* Insert 1+tgt_free to 2*tgt_free +- * => 1+tgt_free/2 to LOCALFREE_TARGET will be ++ /* Insert another map_size - batch_size keys ++ * Map will contain 1 to batch_size plus these latest, i.e., ++ * => previous 1+batch_size to map_size - batch_size will have been + * removed by LRU + */ +- key = 1 + tgt_free; +- end_key = key + tgt_free; ++ key = 1 + __map_size(tgt_free); ++ end_key = key + __map_size(tgt_free); + for (; key < end_key; key++) { + assert(!bpf_map_update_elem(lru_map_fd, &key, value, + BPF_NOEXIST)); +@@ -301,17 +308,8 @@ static void test_lru_sanity1(int map_type, int map_flags, unsigned int tgt_free) + printf("Pass\n"); + } + +-/* Size of the LRU map 1.5 * tgt_free +- * Insert 1 to tgt_free (+tgt_free keys) +- * Update 1 to tgt_free/2 +- * => The original 1 to tgt_free/2 will be removed due to +- * the LRU 
shrink process +- * Re-insert 1 to tgt_free/2 again and do a lookup immeidately +- * Insert 1+tgt_free to tgt_free*3/2 +- * Insert 1+tgt_free*3/2 to tgt_free*5/2 +- * => Key 1+tgt_free to tgt_free*3/2 +- * will be removed from LRU because it has never +- * been lookup and ref bit is not set ++/* Verify that insertions exceeding map size will recycle the oldest. ++ * Verify that unreferenced elements are recycled before referenced. + */ + static void test_lru_sanity2(int map_type, int map_flags, unsigned int tgt_free) + { +@@ -334,7 +332,7 @@ static void test_lru_sanity2(int map_type, int map_flags, unsigned int tgt_free) + batch_size = tgt_free / 2; + assert(batch_size * 2 == tgt_free); + +- map_size = tgt_free + batch_size; ++ map_size = __map_size(tgt_free) + batch_size; + lru_map_fd = create_map(map_type, map_flags, map_size); + assert(lru_map_fd != -1); + +@@ -343,8 +341,8 @@ static void test_lru_sanity2(int map_type, int map_flags, unsigned int tgt_free) + + value[0] = 1234; + +- /* Insert 1 to tgt_free (+tgt_free keys) */ +- end_key = 1 + tgt_free; ++ /* Insert map_size - batch_size keys */ ++ end_key = 1 + __map_size(tgt_free); + for (key = 1; key < end_key; key++) + assert(!bpf_map_update_elem(lru_map_fd, &key, value, + BPF_NOEXIST)); +@@ -357,8 +355,7 @@ static void test_lru_sanity2(int map_type, int map_flags, unsigned int tgt_free) + * shrink the inactive list to get tgt_free + * number of free nodes. + * +- * Hence, the oldest key 1 to tgt_free/2 +- * are removed from the LRU list. ++ * Hence, the oldest key is removed from the LRU list. + */ + key = 1; + if (map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH) { +@@ -370,8 +367,7 @@ static void test_lru_sanity2(int map_type, int map_flags, unsigned int tgt_free) + BPF_EXIST)); + } + +- /* Re-insert 1 to tgt_free/2 again and do a lookup +- * immeidately. ++ /* Re-insert 1 to batch_size again and do a lookup immediately. 
+ */ + end_key = 1 + batch_size; + value[0] = 4321; +@@ -387,17 +383,18 @@ static void test_lru_sanity2(int map_type, int map_flags, unsigned int tgt_free) + + value[0] = 1234; + +- /* Insert 1+tgt_free to tgt_free*3/2 */ +- end_key = 1 + tgt_free + batch_size; +- for (key = 1 + tgt_free; key < end_key; key++) ++ /* Insert batch_size new elements */ ++ key = 1 + __map_size(tgt_free); ++ end_key = key + batch_size; ++ for (; key < end_key; key++) + /* These newly added but not referenced keys will be + * gone during the next LRU shrink. + */ + assert(!bpf_map_update_elem(lru_map_fd, &key, value, + BPF_NOEXIST)); + +- /* Insert 1+tgt_free*3/2 to tgt_free*5/2 */ +- end_key = key + tgt_free; ++ /* Insert map_size - batch_size elements */ ++ end_key += __map_size(tgt_free); + for (; key < end_key; key++) { + assert(!bpf_map_update_elem(lru_map_fd, &key, value, + BPF_NOEXIST)); +@@ -500,7 +497,8 @@ static void test_lru_sanity4(int map_type, int map_flags, unsigned int tgt_free) + lru_map_fd = create_map(map_type, map_flags, + 3 * tgt_free * nr_cpus); + else +- lru_map_fd = create_map(map_type, map_flags, 3 * tgt_free); ++ lru_map_fd = create_map(map_type, map_flags, ++ 3 * __map_size(tgt_free)); + assert(lru_map_fd != -1); + + expected_map_fd = create_map(BPF_MAP_TYPE_HASH, 0, +-- +2.39.5 + diff --git a/queue-6.15/btrfs-fix-assertion-when-building-free-space-tree.patch b/queue-6.15/btrfs-fix-assertion-when-building-free-space-tree.patch new file mode 100644 index 0000000000..538d04e6f5 --- /dev/null +++ b/queue-6.15/btrfs-fix-assertion-when-building-free-space-tree.patch 
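Review bot: In the kernel/bpf/bpf_lru_list.c hunks, `lru->target_free` is assigned only in bpf_common_lru_populate(), while the refill loop in bpf_lru_list_pop_free_to_local() stops on the exact match `++nfree == lru->target_free`. If that loop were ever reached with the field still zero (the unchanged bpf_percpu_lru_populate() does not set it), the stop condition would never be met and the whole global free list would move to one CPU's local list. Whether the per-CPU path can reach it is not visible in these hunks. A comment on the new struct member such as `/* nodes moved global -> local per refill; set in bpf_common_lru_populate() only */` would record the assumption, and `if (++nfree >= lru->target_free)` would keep the loop bounded either way. Both function bodies start outside their hunks.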
@@ -0,0 +1,126 @@ +From 5443e61c7c4df8e3c8c55b1efeeab9640c641881 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jun 2025 20:51:03 +0100 +Subject: btrfs: fix assertion when building free space tree + +From: Filipe Manana + +[ Upstream commit 1961d20f6fa8903266ed9bd77c691924c22c8f02 ] + +When building the free space tree with the block group tree feature +enabled, we can hit an assertion failure like this: + + BTRFS info (device loop0 state M): rebuilding free space tree + assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102 + ------------[ cut here ]------------ + kernel BUG at fs/btrfs/free-space-tree.c:1102! + Internal error: Oops - BUG: 00000000f2000800 [#1] SMP + Modules linked in: + CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 + pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 + lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 + sp : ffff8000a4ce7600 + x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8 + x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001 + x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160 + x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff + x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0 + x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff + x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00 + x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001 + x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0 + x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e + Call trace: + populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P) + btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337 
+ btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074 + btrfs_remount_rw fs/btrfs/super.c:1319 [inline] + btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543 + reconfigure_super+0x1d4/0x6f0 fs/super.c:1083 + do_remount fs/namespace.c:3365 [inline] + path_mount+0xb34/0xde0 fs/namespace.c:4200 + do_mount fs/namespace.c:4221 [inline] + __do_sys_mount fs/namespace.c:4432 [inline] + __se_sys_mount fs/namespace.c:4409 [inline] + __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 + el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 + el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 + Code: f0047182 91178042 528089c3 9771d47b (d4210000) + ---[ end trace 0000000000000000 ]--- + +This happens because we are processing an empty block group, which has +no extents allocated from it, there are no items for this block group, +including the block group item since block group items are stored in a +dedicated tree when using the block group tree feature. It also means +this is the block group with the highest start offset, so there are no +higher keys in the extent root, hence btrfs_search_slot_for_read() +returns 1 (no higher key found). + +Fix this by asserting 'ret' is 0 only if the block group tree feature +is not enabled, in which case we should find a block group item for +the block group since it's stored in the extent root and block group +item keys are greater than extent item keys (the value for +BTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and +BTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively). 
+In case 'ret' is 1, we just need to add a record to the free space +tree which spans the whole block group, and we can achieve this by +making 'ret == 0' as the while loop's condition. + +Reported-by: syzbot+36fae25c35159a763a2a@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/6841dca8.a00a0220.d4325.0020.GAE@google.com/ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/free-space-tree.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c +index b65a20fd519ba..64af363f36ddc 100644 +--- a/fs/btrfs/free-space-tree.c ++++ b/fs/btrfs/free-space-tree.c +@@ -1099,11 +1099,21 @@ static int populate_free_space_tree(struct btrfs_trans_handle *trans, + ret = btrfs_search_slot_for_read(extent_root, &key, path, 1, 0); + if (ret < 0) + goto out_locked; +- ASSERT(ret == 0); ++ /* ++ * If ret is 1 (no key found), it means this is an empty block group, ++ * without any extents allocated from it and there's no block group ++ * item (key BTRFS_BLOCK_GROUP_ITEM_KEY) located in the extent tree ++ * because we are using the block group tree feature, so block group ++ * items are stored in the block group tree. It also means there are no ++ * extents allocated for block groups with a start offset beyond this ++ * block group's end offset (this is the last, highest, block group). 
++ */ ++ if (!btrfs_fs_compat_ro(trans->fs_info, BLOCK_GROUP_TREE)) ++ ASSERT(ret == 0); + + start = block_group->start; + end = block_group->start + block_group->length; +- while (1) { ++ while (ret == 0) { + btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]); + + if (key.type == BTRFS_EXTENT_ITEM_KEY || +@@ -1133,8 +1143,6 @@ static int populate_free_space_tree(struct btrfs_trans_handle *trans, + ret = btrfs_next_item(extent_root, path); + if (ret < 0) + goto out_locked; +- if (ret) +- break; + } + if (start < end) { + ret = __add_to_free_space_tree(trans, block_group, path2, +-- +2.39.5 + diff --git a/queue-6.15/can-m_can-m_can_handle_lost_msg-downgrade-msg-lost-i.patch b/queue-6.15/can-m_can-m_can_handle_lost_msg-downgrade-msg-lost-i.patch new file mode 100644 index 0000000000..a64a501634 --- /dev/null +++ b/queue-6.15/can-m_can-m_can_handle_lost_msg-downgrade-msg-lost-i.patch 
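Review bot: The `ASSERT(ret == 0)` that remains in populate_free_space_tree() still treats an on-disk condition as a programming invariant. Without the block group tree feature, a return of 1 from btrfs_search_slot_for_read() means the block group item is missing from the extent tree, which a damaged image can also produce. With assertions compiled in, that is a kernel BUG during mount, as in the report quoted in the description. With them compiled out, the `while (ret == 0)` loop is skipped and the `start < end` branch appears to record the whole block group as free. Consider failing the operation instead, e.g. `if (ret > 0 && !btrfs_fs_compat_ro(trans->fs_info, BLOCK_GROUP_TREE)) { ret = -EUCLEAN; goto out_locked; }`; the function continues outside the hunk, so confirm how callers handle that error.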
@@ -0,0 +1,40 @@
+From b345fea8736f70ca3e6023a7084da90302a9dec9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Jul 2025 12:12:02 +0200
+Subject: can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message
+ to debug level
+
+From: Sean Nyekjaer
+
+[ Upstream commit 58805e9cbc6f6a28f35d90e740956e983a0e036e ]
+
+Downgrade the "msg lost in rx" message to debug level, to prevent
+flooding the kernel log with error messages.
+
+Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support")
+Reviewed-by: Vincent Mailhol
+Signed-off-by: Sean Nyekjaer
+Link: https://patch.msgid.link/20250711-mcan_ratelimit-v3-1-7413e8e21b84@geanix.com
+[mkl: enhance commit message]
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index c2c116ce1087c..782131de5ef76 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -665,7 +665,7 @@ static int m_can_handle_lost_msg(struct net_device *dev)
+ struct can_frame *frame;
+ u32 timestamp = 0;
+
+- netdev_err(dev, "msg lost in rxf0\n");
++ netdev_dbg(dev, "msg lost in rxf0\n");
+
+ stats->rx_errors++;
+ stats->rx_over_errors++;
+--
+2.39.5
+
diff --git a/queue-6.15/driver-bluetooth-hci_qca-fix-unable-to-load-the-bt-d.patch b/queue-6.15/driver-bluetooth-hci_qca-fix-unable-to-load-the-bt-d.patch
new file mode 100644
index 0000000000..d289a36435
--- /dev/null
+++ b/queue-6.15/driver-bluetooth-hci_qca-fix-unable-to-load-the-bt-d.patch
@@ -0,0 +1,49 @@
+From 62bfa12edc34f51b03446eda715cbabbc5236c3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Jun 2025 18:55:00 +0800
+Subject: driver: bluetooth: hci_qca:fix unable to load the BT driver
+
+From: Shuai Zhang
+
+[ Upstream commit db0ff7e15923ffa7067874604ca275e92343f1b1 ]
+
+Some modules have BT_EN enabled via a hardware pull-up,
+meaning it is not defined in the DTS and is not controlled
+through the power sequence. In such cases, fall through
+to follow the legacy flow.
+
+Signed-off-by: Shuai Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/hci_qca.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index a2dc39c005f4f..976ec88a0f62a 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -2392,10 +2392,17 @@ static int qca_serdev_probe(struct serdev_device *serdev)
+ */
+ qcadev->bt_power->pwrseq = devm_pwrseq_get(&serdev->dev,
+ "bluetooth");
+- if (IS_ERR(qcadev->bt_power->pwrseq))
+- return PTR_ERR(qcadev->bt_power->pwrseq);
+
+- break;
++ /*
++ * Some modules have BT_EN enabled via a hardware pull-up,
++ * meaning it is not defined in the DTS and is not controlled
++ * through the power sequence. In such cases, fall through
++ * to follow the legacy flow.
++ */
++ if (IS_ERR(qcadev->bt_power->pwrseq))
++ qcadev->bt_power->pwrseq = NULL;
++ else
++ break;
+ }
+ fallthrough;
+ case QCA_WCN3950:
+--
+2.39.5
+
diff --git a/queue-6.15/drm-nouveau-gsp-fix-potential-leak-of-memory-used-du.patch b/queue-6.15/drm-nouveau-gsp-fix-potential-leak-of-memory-used-du.patch
new file mode 100644
index 0000000000..780d476137
--- /dev/null
+++ b/queue-6.15/drm-nouveau-gsp-fix-potential-leak-of-memory-used-du.patch
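Review bot: The new `if (IS_ERR(qcadev->bt_power->pwrseq))` branch in qca_serdev_probe() discards every error from devm_pwrseq_get(), not only the "BT_EN not described in the DTS" case the added comment describes. If that call can also report a deferred probe or an allocation failure (its error codes are not visible here), those would now silently take the legacy flow instead of failing or retrying the probe. At minimum record what is being ignored, e.g. `dev_dbg(&serdev->dev, "pwrseq unavailable (%ld), using legacy flow\n", PTR_ERR(qcadev->bt_power->pwrseq));` before the pointer is set to NULL. The `else break;` directly above `fallthrough;` is also easy to misread; the enclosing switch case starts outside the hunk.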
@@ -0,0 +1,96 @@ +From d14fb56a866326b04d037c201beb7adbf0f1ef13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 14:00:36 +1000 +Subject: drm/nouveau/gsp: fix potential leak of memory used during acpi init + +From: Ben Skeggs + +[ Upstream commit d133036a0b23d3ef781d067ccdea6bbfb381e0cf ] + +If any of the ACPI calls fail, memory allocated for the input buffer +would be leaked. Fix failure paths to free allocated memory. + +Also add checks to ensure the allocations succeeded in the first place. + +Reported-by: Danilo Krummrich +Fixes: 176fdcbddfd2 ("drm/nouveau/gsp/r535: add support for booting GSP-RM") +Signed-off-by: Ben Skeggs +Signed-off-by: Danilo Krummrich +Link: https://lore.kernel.org/r/20250617040036.2932-1-bskeggs@nvidia.com +Signed-off-by: Sasha Levin +--- + .../gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 20 +++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c +index 53a4af0010392..d220c68bfe914 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c +@@ -1047,7 +1047,6 @@ r535_gsp_acpi_caps(acpi_handle handle, CAPS_METHOD_DATA *caps) + union acpi_object argv4 = { + .buffer.type = ACPI_TYPE_BUFFER, + .buffer.length = 4, +- .buffer.pointer = kmalloc(argv4.buffer.length, GFP_KERNEL), + }, *obj; + + caps->status = 0xffff; +@@ -1055,17 +1054,22 @@ r535_gsp_acpi_caps(acpi_handle handle, CAPS_METHOD_DATA *caps) + if (!acpi_check_dsm(handle, &NVOP_DSM_GUID, NVOP_DSM_REV, BIT_ULL(0x1a))) + return; + ++ argv4.buffer.pointer = kmalloc(argv4.buffer.length, GFP_KERNEL); ++ if (!argv4.buffer.pointer) ++ return; ++ + obj = acpi_evaluate_dsm(handle, &NVOP_DSM_GUID, NVOP_DSM_REV, 0x1a, &argv4); + if (!obj) +- return; ++ goto done; + + if (WARN_ON(obj->type != ACPI_TYPE_BUFFER) || + WARN_ON(obj->buffer.length != 4)) +- return; ++ goto done; + + caps->status = 0; + 
caps->optimusCaps = *(u32 *)obj->buffer.pointer; + ++done: + ACPI_FREE(obj); + + kfree(argv4.buffer.pointer); +@@ -1082,24 +1086,28 @@ r535_gsp_acpi_jt(acpi_handle handle, JT_METHOD_DATA *jt) + union acpi_object argv4 = { + .buffer.type = ACPI_TYPE_BUFFER, + .buffer.length = sizeof(caps), +- .buffer.pointer = kmalloc(argv4.buffer.length, GFP_KERNEL), + }, *obj; + + jt->status = 0xffff; + ++ argv4.buffer.pointer = kmalloc(argv4.buffer.length, GFP_KERNEL); ++ if (!argv4.buffer.pointer) ++ return; ++ + obj = acpi_evaluate_dsm(handle, &JT_DSM_GUID, JT_DSM_REV, 0x1, &argv4); + if (!obj) +- return; ++ goto done; + + if (WARN_ON(obj->type != ACPI_TYPE_BUFFER) || + WARN_ON(obj->buffer.length != 4)) +- return; ++ goto done; + + jt->status = 0; + jt->jtCaps = *(u32 *)obj->buffer.pointer; + jt->jtRevId = (jt->jtCaps & 0xfff00000) >> 20; + jt->bSBIOSCaps = 0; + ++done: + ACPI_FREE(obj); + + kfree(argv4.buffer.pointer); +-- +2.39.5 + diff --git a/queue-6.15/drm-tegra-nvdec-fix-dma_alloc_coherent-error-check.patch b/queue-6.15/drm-tegra-nvdec-fix-dma_alloc_coherent-error-check.patch new file mode 100644 index 0000000000..fa17e49c18 --- /dev/null +++ b/queue-6.15/drm-tegra-nvdec-fix-dma_alloc_coherent-error-check.patch 
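Review bot: Both r535_gsp_acpi_caps() and r535_gsp_acpi_jt() pass a kmalloc() buffer to acpi_evaluate_dsm() without writing to it first; in each hunk the allocation, the NULL check and the call follow one another directly. The _DSM argument therefore carries whatever the slab held before. Using `argv4.buffer.pointer = kzalloc(argv4.buffer.length, GFP_KERNEL);` in both places would give the firmware method a defined input. In r535_gsp_acpi_jt() the length is `sizeof(caps)`, which suggests the value of `caps` (declared outside the hunk) was meant to be copied into the buffer, so the intended contents should be confirmed. The `done:` label is also reached with `obj == NULL`, which relies on ACPI_FREE() accepting NULL and deserves a short comment.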
@@ -0,0 +1,41 @@
+From b9fa48cef8ac739a6f50a9920ec5106caba9a79e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Jul 2025 11:08:07 +0900
+Subject: drm/tegra: nvdec: Fix dma_alloc_coherent error check
+
+From: Mikko Perttunen
+
+[ Upstream commit 44306a684cd1699b8562a54945ddc43e2abc9eab ]
+
+Check for NULL return value with dma_alloc_coherent, in line with
+Robin's fix for vic.c in 'drm/tegra: vic: Fix DMA API misuse'.
+
+Fixes: 46f226c93d35 ("drm/tegra: Add NVDEC driver")
+Signed-off-by: Mikko Perttunen
+Signed-off-by: Thierry Reding
+Link: https://lore.kernel.org/r/20250702-nvdec-dma-error-check-v1-1-c388b402c53a@nvidia.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/tegra/nvdec.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/nvdec.c b/drivers/gpu/drm/tegra/nvdec.c
+index 2d9a0a3f6c381..7a38664e890e3 100644
+--- a/drivers/gpu/drm/tegra/nvdec.c
++++ b/drivers/gpu/drm/tegra/nvdec.c
+@@ -261,10 +261,8 @@ static int nvdec_load_falcon_firmware(struct nvdec *nvdec)
+
+ if (!client->group) {
+ virt = dma_alloc_coherent(nvdec->dev, size, &iova, GFP_KERNEL);
+-
+- err = dma_mapping_error(nvdec->dev, iova);
+- if (err < 0)
+- return err;
++ if (!virt)
++ return -ENOMEM;
+ } else {
+ virt = tegra_drm_alloc(tegra, size, &iova);
+ if (IS_ERR(virt))
+--
+2.39.5
+
diff --git a/queue-6.15/drm-xe-pf-clear-all-lmtt-pages-on-alloc.patch b/queue-6.15/drm-xe-pf-clear-all-lmtt-pages-on-alloc.patch
new file mode 100644
index 0000000000..7c433a14fb
--- /dev/null
+++ b/queue-6.15/drm-xe-pf-clear-all-lmtt-pages-on-alloc.patch
@@ -0,0 +1,80 @@ +From 19f16c219e41cf3183b5ed4e83f77b67a9de139a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 00:00:52 +0200 +Subject: drm/xe/pf: Clear all LMTT pages on alloc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Wajdeczko + +[ Upstream commit 705a412a367f383430fa34bada387af2e52eb043 ] + +Our LMEM buffer objects are not cleared by default on alloc +and during VF provisioning we only setup LMTT PTEs for the +actually provisioned LMEM range. But beyond that valid range +we might leave some stale data that could either point to some +other VFs allocations or even to the PF pages. + +Explicitly clear all new LMTT page to avoid the risk that a +malicious VF would try to exploit that gap. + +While around add asserts to catch any undesired PTE overwrites +and low-level debug traces to track LMTT PT life-cycle. + +Fixes: b1d204058218 ("drm/xe/pf: Introduce Local Memory Translation Table") +Signed-off-by: Michal Wajdeczko +Cc: Michał Winiarski +Cc: Lukasz Laguna +Reviewed-by: Michał Winiarski +Reviewed-by: Piotr Piórkowski +Link: https://lore.kernel.org/r/20250701220052.1612-1-michal.wajdeczko@intel.com +(cherry picked from commit 3fae6918a3e27cce20ded2551f863fb05d4bef8d) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_lmtt.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/gpu/drm/xe/xe_lmtt.c b/drivers/gpu/drm/xe/xe_lmtt.c +index 89393dcb53d9d..1337cf49f1c20 100644 +--- a/drivers/gpu/drm/xe/xe_lmtt.c ++++ b/drivers/gpu/drm/xe/xe_lmtt.c +@@ -78,6 +78,9 @@ static struct xe_lmtt_pt *lmtt_pt_alloc(struct xe_lmtt *lmtt, unsigned int level + } + + lmtt_assert(lmtt, xe_bo_is_vram(bo)); ++ lmtt_debug(lmtt, "level=%u addr=%#llx\n", level, (u64)xe_bo_main_addr(bo, XE_PAGE_SIZE)); ++ ++ xe_map_memset(lmtt_to_xe(lmtt), &bo->vmap, 0, 0, bo->size); + + pt->level = level; + pt->bo = bo; +@@ -91,6 +94,9 @@ static struct 
xe_lmtt_pt *lmtt_pt_alloc(struct xe_lmtt *lmtt, unsigned int level + + static void lmtt_pt_free(struct xe_lmtt_pt *pt) + { ++ lmtt_debug(&pt->bo->tile->sriov.pf.lmtt, "level=%u addr=%llx\n", ++ pt->level, (u64)xe_bo_main_addr(pt->bo, XE_PAGE_SIZE)); ++ + xe_bo_unpin_map_no_vm(pt->bo); + kfree(pt); + } +@@ -226,9 +232,14 @@ static void lmtt_write_pte(struct xe_lmtt *lmtt, struct xe_lmtt_pt *pt, + + switch (lmtt->ops->lmtt_pte_size(level)) { + case sizeof(u32): ++ lmtt_assert(lmtt, !overflows_type(pte, u32)); ++ lmtt_assert(lmtt, !pte || !iosys_map_rd(&pt->bo->vmap, idx * sizeof(u32), u32)); ++ + xe_map_wr(lmtt_to_xe(lmtt), &pt->bo->vmap, idx * sizeof(u32), u32, pte); + break; + case sizeof(u64): ++ lmtt_assert(lmtt, !pte || !iosys_map_rd(&pt->bo->vmap, idx * sizeof(u64), u64)); ++ + xe_map_wr(lmtt_to_xe(lmtt), &pt->bo->vmap, idx * sizeof(u64), u64, pte); + break; + default: +-- +2.39.5 + diff --git a/queue-6.15/drm-xe-pm-correct-comment-of-xe_pm_set_vram_threshol.patch b/queue-6.15/drm-xe-pm-correct-comment-of-xe_pm_set_vram_threshol.patch new file mode 100644 index 0000000000..06c901a4ac --- /dev/null +++ b/queue-6.15/drm-xe-pm-correct-comment-of-xe_pm_set_vram_threshol.patch 
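Review bot: The `xe_map_memset(lmtt_to_xe(lmtt), &bo->vmap, 0, 0, bo->size);` added to lmtt_pt_alloc() is the actual isolation fix, yet nothing in the code says so, and a later cleanup could take it for a redundant initialisation. A comment above it such as `/* Zero the whole PT: entries outside the provisioned range must not keep stale addresses of other VFs or the PF */` would keep the reason next to the line. The two new debug traces also print the address differently, `addr=%#llx` on alloc and `addr=%llx` on free; using `%#llx` in both lets the lines be matched when following a PT's life-cycle. The new overwrite checks in lmtt_write_pte() are lmtt_assert() calls, so they presumably only take effect on debug builds and should not be read as the runtime protection.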
@@ -0,0 +1,52 @@
+From 1442040b21b762a26b84b449f27a27e3da446b3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Jul 2025 02:14:51 +0000
+Subject: drm/xe/pm: Correct comment of xe_pm_set_vram_threshold()
+
+From: Shuicheng Lin
+
+[ Upstream commit 0539c5eaf81f3f844213bf6b3137a53e5b04b083 ]
+
+The parameter threshold is with size in MiB, not in bits.
+Correct it to avoid any confusion.
+
+v2: s/mb/MiB, s/vram/VRAM, fix return section. (Michal)
+
+Fixes: 30c399529f4c ("drm/xe: Document Xe PM component")
+Cc: Michal Wajdeczko
+Cc: Rodrigo Vivi
+Signed-off-by: Shuicheng Lin
+Link: https://lore.kernel.org/r/20250708021450.3602087-2-shuicheng.lin@intel.com
+Reviewed-by: Stuart Summers
+Signed-off-by: Rodrigo Vivi
+(cherry picked from commit 0efec0500117947f924e5ac83be40f96378af85a)
+Signed-off-by: Lucas De Marchi
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/xe/xe_pm.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_pm.c b/drivers/gpu/drm/xe/xe_pm.c
+index c499c86382858..20f8522bb04a5 100644
+--- a/drivers/gpu/drm/xe/xe_pm.c
++++ b/drivers/gpu/drm/xe/xe_pm.c
+@@ -706,11 +706,13 @@ void xe_pm_assert_unbounded_bridge(struct xe_device *xe)
+ }
+
+ /**
+- * xe_pm_set_vram_threshold - Set a vram threshold for allowing/blocking D3Cold
++ * xe_pm_set_vram_threshold - Set a VRAM threshold for allowing/blocking D3Cold
+ * @xe: xe device instance
+- * @threshold: VRAM size in bites for the D3cold threshold
++ * @threshold: VRAM size in MiB for the D3cold threshold
+ *
+- * Returns 0 for success, negative error code otherwise.
++ * Return:
++ * * 0 - success
++ * * -EINVAL - invalid argument
+ */
+ int xe_pm_set_vram_threshold(struct xe_device *xe, u32 threshold)
+ {
+--
+2.39.5
+
diff --git a/queue-6.15/drm-xe-pm-restore-display-pm-if-there-is-error-after.patch b/queue-6.15/drm-xe-pm-restore-display-pm-if-there-is-error-after.patch
new file mode 100644
index 0000000000..f15db79c99
--- /dev/null
+++ b/queue-6.15/drm-xe-pm-restore-display-pm-if-there-is-error-after.patch
@@ -0,0 +1,52 @@
+From c7566ae3946a5802e118185d847c1c0abea1ed1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Jul 2025 03:54:25 +0000
+Subject: drm/xe/pm: Restore display pm if there is error after display suspend
+
+From: Shuicheng Lin
+
+[ Upstream commit 6d33df611a39a1b4ad9f2b609ded5d6efa04d97e ]
+
+xe_bo_evict_all() is called after xe_display_pm_suspend(). So if there
+is error with xe_bo_evict_all(), display pm should be restored.
+
+Fixes: 51462211f4a9 ("drm/xe/pxp: add PXP PM support")
+Fixes: cb8f81c17531 ("drm/xe/display: Make display suspend/resume work on discrete")
+Cc: Maarten Lankhorst
+Cc: Daniele Ceraolo Spurio
+Cc: John Harrison
+Signed-off-by: Shuicheng Lin
+Reviewed-by: Daniele Ceraolo Spurio
+Link: https://lore.kernel.org/r/20250708035424.3608190-2-shuicheng.lin@intel.com
+Signed-off-by: Rodrigo Vivi
+(cherry picked from commit 83dcee17855c4e5af037ae3262809036de127903)
+Signed-off-by: Lucas De Marchi
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/xe/xe_pm.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_pm.c b/drivers/gpu/drm/xe/xe_pm.c
+index 7b6b754ad6eb7..c499c86382858 100644
+--- a/drivers/gpu/drm/xe/xe_pm.c
++++ b/drivers/gpu/drm/xe/xe_pm.c
+@@ -135,7 +135,7 @@ int xe_pm_suspend(struct xe_device *xe)
+ /* FIXME: Super racey... */
+ err = xe_bo_evict_all(xe);
+ if (err)
+- goto err_pxp;
++ goto err_display;
+
+ for_each_gt(gt, xe, id) {
+ err = xe_gt_suspend(gt);
+@@ -152,7 +152,6 @@ int xe_pm_suspend(struct xe_device *xe)
+
+ err_display:
+ xe_display_pm_resume(xe);
+-err_pxp:
+ xe_pxp_pm_resume(xe->pxp);
+ err:
+ drm_dbg(&xe->drm, "Device suspend failed %d\n", err);
+--
+2.39.5
+
diff --git a/queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_readahe.patch b/queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_readahe.patch
new file mode 100644
index 0000000000..b89c9f47ab
--- /dev/null
+++ b/queue-6.15/erofs-fix-to-add-missing-tracepoint-in-erofs_readahe.patch
@@ -0,0 +1,40 @@
+From fe9039c5bcd4971c9ee1cb5bf1ba2811b10f63d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Jul 2025 16:48:32 +0800
+Subject: erofs: fix to add missing tracepoint in erofs_readahead()
+
+From: Chao Yu
+
+[ Upstream commit d53238b614e01266a3d36b417b60a502e0698504 ]
+
+Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+converts to use iomap interface, it removed trace_erofs_readahead()
+tracepoint in the meantime, let's add it back.
+
+Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+Signed-off-by: Chao Yu
+Reviewed-by: Gao Xiang
+Link: https://lore.kernel.org/r/20250707084832.2725677-1-chao@kernel.org
+Signed-off-by: Gao Xiang
+Signed-off-by: Sasha Levin
+---
+ fs/erofs/data.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/erofs/data.c b/fs/erofs/data.c
+index 0ab0e8ec70d03..33cb0a7330d23 100644
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -363,6 +363,9 @@ static int erofs_read_folio(struct file *file, struct folio *folio)
+
+ static void erofs_readahead(struct readahead_control *rac)
+ {
++ trace_erofs_readahead(rac->mapping->host, readahead_index(rac),
++ readahead_count(rac), true);
++
+ return iomap_readahead(rac, &erofs_iomap_ops);
+ }
+
+--
+2.39.5
+
diff --git a/queue-6.15/erofs-refine-readahead-tracepoint.patch b/queue-6.15/erofs-refine-readahead-tracepoint.patch
new file mode 100644
index 0000000000..d3febfcd27
--- /dev/null
+++ b/queue-6.15/erofs-refine-readahead-tracepoint.patch
@@ -0,0 +1,76 @@
+From 2a201ebeeaa68dfac8621851b3d40c22b1b1d31f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 May 2025 20:08:20 +0800
+Subject: erofs: refine readahead tracepoint
+
+From: Gao Xiang
+
+[ Upstream commit 4eb56b0761e75034dd35067a81da4c280c178262 ]
+
+ - trace_erofs_readpages => trace_erofs_readahead;
+
+ - Rename a redundant statement `nrpages = readahead_count(rac);`;
+
+ - Move the tracepoint to the beginning of z_erofs_readahead().
+
+Signed-off-by: Gao Xiang
+Reviewed-by: Hongbo Li
+Link: https://lore.kernel.org/r/20250514120820.2739288-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Gao Xiang
+Stable-dep-of: d53238b614e0 ("erofs: fix to add missing tracepoint in erofs_readahead()")
+Signed-off-by: Sasha Levin
+---
+ fs/erofs/fileio.c | 2 +-
+ fs/erofs/zdata.c | 5 ++---
+ include/trace/events/erofs.h | 2 +-
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/erofs/fileio.c b/fs/erofs/fileio.c
+index 4cb4497b2767d..da1304a9bb435 100644
+--- a/fs/erofs/fileio.c
++++ b/fs/erofs/fileio.c
+@@ -180,7 +180,7 @@ static void erofs_fileio_readahead(struct readahead_control *rac)
+ struct folio *folio;
+ int err;
+
+- trace_erofs_readpages(inode, readahead_index(rac),
++ trace_erofs_readahead(inode, readahead_index(rac),
+ readahead_count(rac), true);
+ while ((folio = readahead_folio(rac))) {
+ err = erofs_fileio_scan_folio(&io, folio);
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index 8791ecebcdce7..d21ae4802c7f1 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -1855,13 +1855,12 @@ static void z_erofs_readahead(struct readahead_control *rac)
+ {
+ struct inode *const inode = rac->mapping->host;
+ Z_EROFS_DEFINE_FRONTEND(f, inode, readahead_pos(rac));
+- struct folio *head = NULL, *folio;
+ unsigned int nrpages = readahead_count(rac);
++ struct folio *head = NULL, *folio;
+ int err;
+
++ trace_erofs_readahead(inode, readahead_index(rac), nrpages, false);
+ z_erofs_pcluster_readmore(&f, rac, true);
+- nrpages = readahead_count(rac);
+- trace_erofs_readpages(inode, readahead_index(rac), nrpages, false);
+ while ((folio = readahead_folio(rac))) {
+ folio->private = head;
+ head = folio;
+diff --git a/include/trace/events/erofs.h b/include/trace/events/erofs.h
+index a71b19ed5d0cf..dad7360f42f95 100644
+--- a/include/trace/events/erofs.h
++++ b/include/trace/events/erofs.h
+@@ -113,7 +113,7 @@ TRACE_EVENT(erofs_read_folio,
+ __entry->raw)
+ );
+
+-TRACE_EVENT(erofs_readpages,
++TRACE_EVENT(erofs_readahead,
+
+ TP_PROTO(struct inode *inode, pgoff_t start, unsigned int nrpage,
+ bool raw),
+--
+2.39.5
+
diff --git a/queue-6.15/hid-add-ignore-quirk-for-smartlinktechnology.patch b/queue-6.15/hid-add-ignore-quirk-for-smartlinktechnology.patch
new file mode 100644
index 0000000000..900d1c0a9b
--- /dev/null
+++ b/queue-6.15/hid-add-ignore-quirk-for-smartlinktechnology.patch
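Review bot: In z_erofs_readahead() `nrpages` is now sampled once, before `z_erofs_pcluster_readmore(&f, rac, true)`, and the re-read `nrpages = readahead_count(rac);` after it is removed; that statement is redundant only if readmore cannot change the readahead window, which this hunk does not show. If it can extend the window, any later use of `nrpages` in the part of the function outside the hunk would see the smaller, pre-extension count. A comment at the declaration, e.g. `/* count as requested, before readmore may extend the window */`, would make the intended meaning explicit.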
@@ -0,0 +1,65 @@
+From f1ff5800dae754dfca96a49e4d3ecb61b4cde690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Jun 2025 15:29:59 +0800
+Subject: HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY
+
+From: Zhang Heng
+
+[ Upstream commit 1a8953f4f7746c6a515989774fe03047c522c613 ]
+
+MARTLINKTECHNOLOGY is a microphone device, when the HID interface in an
+audio device is requested to get specific report id, the following error
+may occur.
+
+[ 562.939373] usb 1-1.4.1.2: new full-speed USB device number 21 using xhci_hcd
+[ 563.104908] usb 1-1.4.1.2: New USB device found, idVendor=4c4a, idProduct=4155, bcdDevice= 1.00
+[ 563.104910] usb 1-1.4.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[ 563.104911] usb 1-1.4.1.2: Product: USB Composite Device
+[ 563.104912] usb 1-1.4.1.2: Manufacturer: SmartlinkTechnology
+[ 563.104913] usb 1-1.4.1.2: SerialNumber: 20201111000001
+[ 563.229499] input: SmartlinkTechnology USB Composite Device as /devices/pci0000:00/0000:00:07.1/0000:04:00.3/usb1/1-1/1-1.4/1-1.4.1/1-1.4.1.2/1-1.4.1.2:1.2/0003:4C4A:4155.000F/input/input35
+[ 563.291505] hid-generic 0003:4C4A:4155.000F: input,hidraw2: USB HID v2.01 Keyboard [SmartlinkTechnology USB Composite Device] on usb-0000:04:00.3-1.4.1.2/input2
+[ 563.291557] usbhid 1-1.4.1.2:1.3: couldn't find an input interrupt endpoint
+[ 568.506654] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+[ 573.626656] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+[ 578.746657] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+[ 583.866655] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+[ 588.986657] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+
+Ignore HID interface. The device is working properly.
+
+Signed-off-by: Zhang Heng
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 898fe03074c64..116436be5e287 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1525,4 +1525,7 @@
+ #define USB_VENDOR_ID_SIGNOTEC 0x2133
+ #define USB_DEVICE_ID_SIGNOTEC_VIEWSONIC_PD1011 0x0018
+
++#define USB_VENDOR_ID_SMARTLINKTECHNOLOGY 0x4c4a
++#define USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155 0x4155
++
+ #endif
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 0731473cc9b1a..7a363fdf31edf 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -904,6 +904,7 @@ static const struct hid_device_id hid_ignore_list[] = {
+ #endif
+ { HID_USB_DEVICE(USB_VENDOR_ID_YEALINK, USB_DEVICE_ID_YEALINK_P1K_P4K_B2K) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_SMARTLINKTECHNOLOGY, USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155) },
+ { }
+ };
+
+--
+2.39.5
+
diff --git a/queue-6.15/hid-lenovo-add-support-for-thinkpad-x1-tablet-thin-k.patch b/queue-6.15/hid-lenovo-add-support-for-thinkpad-x1-tablet-thin-k.patch
new file mode 100644
index 0000000000..1861ad1a3c
--- /dev/null
+++ b/queue-6.15/hid-lenovo-add-support-for-thinkpad-x1-tablet-thin-k.patch
@@ -0,0 +1,120 @@
+From 1597625b6ab2940e30e021e37259262f9cd0d880 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Jun 2025 13:34:38 +0900
+Subject: HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2
+
+From: Akira Inoue
+
+[ Upstream commit a8905238c3bbe13db90065ed74682418f23830c3 ]
+
+Add "Thinkpad X1 Tablet Gen 2 Keyboard" PID to hid-lenovo driver to fix trackpoint not working issue.
+
+Signed-off-by: Akira Inoue
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-lenovo.c | 8 ++++++++
+ drivers/hid/hid-multitouch.c | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 1062731315a2a..898fe03074c64 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -818,6 +818,7 @@
+ #define USB_DEVICE_ID_LENOVO_TPPRODOCK 0x6067
+ #define USB_DEVICE_ID_LENOVO_X1_COVER 0x6085
+ #define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3
++#define USB_DEVICE_ID_LENOVO_X1_TAB2 0x60a4
+ #define USB_DEVICE_ID_LENOVO_X1_TAB3 0x60b5
+ #define USB_DEVICE_ID_LENOVO_X12_TAB 0x60fe
+ #define USB_DEVICE_ID_LENOVO_X12_TAB2 0x61ae
+diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
+index a3c23a72316ac..b3121fa7a72d7 100644
+--- a/drivers/hid/hid-lenovo.c
++++ b/drivers/hid/hid-lenovo.c
+@@ -492,6 +492,7 @@ static int lenovo_input_mapping(struct hid_device *hdev,
+ case USB_DEVICE_ID_LENOVO_X12_TAB:
+ case USB_DEVICE_ID_LENOVO_X12_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ return lenovo_input_mapping_x1_tab_kbd(hdev, hi, field, usage, bit, max);
+ default:
+@@ -608,6 +609,7 @@ static ssize_t attr_fn_lock_store(struct device *dev,
+ case USB_DEVICE_ID_LENOVO_X12_TAB2:
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ ret = lenovo_led_set_tp10ubkbd(hdev, TP10UBKBD_FN_LOCK_LED, value);
+ if (ret)
+@@ -864,6 +866,7 @@ static int lenovo_event(struct hid_device *hdev, struct hid_field *field,
+ case USB_DEVICE_ID_LENOVO_X12_TAB2:
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ return lenovo_event_tp10ubkbd(hdev, field, usage, value);
+ default:
+@@ -1147,6 +1150,7 @@ static int lenovo_led_brightness_set(struct led_classdev *led_cdev,
+ case USB_DEVICE_ID_LENOVO_X12_TAB2:
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ ret = lenovo_led_set_tp10ubkbd(hdev, tp10ubkbd_led[led_nr], value);
+ break;
+@@ -1387,6 +1391,7 @@ static int lenovo_probe(struct hid_device *hdev,
+ case USB_DEVICE_ID_LENOVO_X12_TAB2:
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ ret = lenovo_probe_tp10ubkbd(hdev);
+ break;
+@@ -1476,6 +1481,7 @@ static void lenovo_remove(struct hid_device *hdev)
+ case USB_DEVICE_ID_LENOVO_X12_TAB2:
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ lenovo_remove_tp10ubkbd(hdev);
+ break;
+@@ -1526,6 +1532,8 @@ static const struct hid_device_id lenovo_devices[] = {
+ */
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_X1_TAB) },
++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
++ USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_X1_TAB2) },
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_X1_TAB3) },
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 7ac8e16e61581..536a0a47518fa 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -2122,12 +2122,18 @@ static const struct hid_device_id mt_devices[] = {
+ HID_DEVICE(BUS_I2C, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_LG, I2C_DEVICE_ID_LG_7010) },
+
+- /* Lenovo X1 TAB Gen 2 */
++ /* Lenovo X1 TAB Gen 1 */
+ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
+ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_LENOVO,
+ USB_DEVICE_ID_LENOVO_X1_TAB) },
+
++ /* Lenovo X1 TAB Gen 2 */
++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
++ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8,
++ USB_VENDOR_ID_LENOVO,
++ USB_DEVICE_ID_LENOVO_X1_TAB2) },
++
+ /* Lenovo X1 TAB Gen 3 */
+ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
+ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8,
+--
+2.39.5
+
diff --git a/queue-6.15/hid-nintendo-avoid-bluetooth-suspend-resume-stalls.patch b/queue-6.15/hid-nintendo-avoid-bluetooth-suspend-resume-stalls.patch
new file mode 100644
index 0000000000..5507cca955
--- /dev/null
+++ b/queue-6.15/hid-nintendo-avoid-bluetooth-suspend-resume-stalls.patch
@@ -0,0 +1,105 @@
+From 2d5047d822e51dd8dabbfc82f9b590ee83976b26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 May 2025 03:47:00 -0400
+Subject: HID: nintendo: avoid bluetooth suspend/resume stalls
+
+From: Daniel J. Ogorchock
+
+[ Upstream commit 4a0381080397e77792a5168069f174d3e56175ff ]
+
+Ensure we don't stall or panic the kernel when using bluetooth-connected
+controllers. This was reported as an issue on android devices using
+kernel 6.6 due to the resume hook which had been added for usb joycons.
+
+First, set a new state value to JOYCON_CTLR_STATE_SUSPENDED in a
+newly-added nintendo_hid_suspend. This makes sure we will not stall out
+the kernel waiting for input reports during led classdev suspend. The
+stalls could happen if connectivity is unreliable or lost to the
+controller prior to suspend.
+
+Second, since we lose connectivity during suspend, do not try
+joycon_init() for bluetooth controllers in the nintendo_hid_resume path.
+
+Tested via multiple suspend/resume flows when using the controller both
+in USB and bluetooth modes.
+
+Signed-off-by: Daniel J. Ogorchock
+Reviewed-by: Silvan Jegen
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-nintendo.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c
+index 839d5bcd72b1e..fb4985988615b 100644
+--- a/drivers/hid/hid-nintendo.c
++++ b/drivers/hid/hid-nintendo.c
+@@ -308,6 +308,7 @@ enum joycon_ctlr_state {
+ JOYCON_CTLR_STATE_INIT,
+ JOYCON_CTLR_STATE_READ,
+ JOYCON_CTLR_STATE_REMOVED,
++ JOYCON_CTLR_STATE_SUSPENDED,
+ };
+
+ /* Controller type received as part of device info */
+@@ -2750,14 +2751,46 @@ static void nintendo_hid_remove(struct hid_device *hdev)
+
+ static int nintendo_hid_resume(struct hid_device *hdev)
+ {
+- int ret = joycon_init(hdev);
++ struct joycon_ctlr *ctlr = hid_get_drvdata(hdev);
++ int ret;
++
++ hid_dbg(hdev, "resume\n");
++ if (!joycon_using_usb(ctlr)) {
++ hid_dbg(hdev, "no-op resume for bt ctlr\n");
++ ctlr->ctlr_state = JOYCON_CTLR_STATE_READ;
++ return 0;
++ }
+
++ ret = joycon_init(hdev);
+ if (ret)
+- hid_err(hdev, "Failed to restore controller after resume");
++ hid_err(hdev,
++ "Failed to restore controller after resume: %d\n",
++ ret);
++ else
++ ctlr->ctlr_state = JOYCON_CTLR_STATE_READ;
+
+ return ret;
+ }
+
++static int nintendo_hid_suspend(struct hid_device *hdev, pm_message_t message)
++{
++ struct joycon_ctlr *ctlr = hid_get_drvdata(hdev);
++
++ hid_dbg(hdev, "suspend: %d\n", message.event);
++ /*
++ * Avoid any blocking loops in suspend/resume transitions.
++ *
++ * joycon_enforce_subcmd_rate() can result in repeated retries if for
++ * whatever reason the controller stops providing input reports.
++ *
++ * This has been observed with bluetooth controllers which lose
++ * connectivity prior to suspend (but not long enough to result in
++ * complete disconnection).
++ */
++ ctlr->ctlr_state = JOYCON_CTLR_STATE_SUSPENDED;
++ return 0;
++}
++
+ #endif
+
+ static const struct hid_device_id nintendo_hid_devices[] = {
+@@ -2796,6 +2829,7 @@ static struct hid_driver nintendo_hid_driver = {
+
+ #ifdef CONFIG_PM
+ .resume = nintendo_hid_resume,
++ .suspend = nintendo_hid_suspend,
+ #endif
+ };
+ static int __init nintendo_init(void)
+--
+2.39.5
+
diff --git a/queue-6.15/hid-quirks-add-quirk-for-2-chicony-electronics-hp-5m.patch b/queue-6.15/hid-quirks-add-quirk-for-2-chicony-electronics-hp-5m.patch
new file mode 100644
index 0000000000..aac532169a
--- /dev/null
+++ b/queue-6.15/hid-quirks-add-quirk-for-2-chicony-electronics-hp-5m.patch
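Review bot: nintendo_hid_suspend() overwrites `ctlr->ctlr_state` with JOYCON_CTLR_STATE_SUSPENDED unconditionally, and the Bluetooth branch of nintendo_hid_resume() then sets JOYCON_CTLR_STATE_READ unconditionally, so a controller that was in JOYCON_CTLR_STATE_INIT or JOYCON_CTLR_STATE_REMOVED before suspend comes back marked as READ. Guarding both transitions keeps the earlier state: `if (ctlr->ctlr_state == JOYCON_CTLR_STATE_READ) ctlr->ctlr_state = JOYCON_CTLR_STATE_SUSPENDED;` in suspend and `if (ctlr->ctlr_state == JOYCON_CTLR_STATE_SUSPENDED) ctlr->ctlr_state = JOYCON_CTLR_STATE_READ;` in resume. Both writes are also made with no lock visible in the hunk; if other writers of `ctlr_state` take a controller lock (not shown here), these should take it too.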
@@ -0,0 +1,54 @@
+From 3ced702644c870fc1db065e3e00b67d51d446ecc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 May 2025 13:50:15 +0800
+Subject: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras
+
+From: Chia-Lin Kao (AceLan)
+
+[ Upstream commit 54bae4c17c11688339eb73a04fd24203bb6e7494 ]
+
+The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C)
+report a HID sensor interface that is not actually implemented.
+Attempting to access this non-functional sensor via iio_info causes
+system hangs as runtime PM tries to wake up an unresponsive sensor.
+
+Add these 2 devices to the HID ignore list since the sensor interface is
+non-functional by design and should not be exposed to userspace.
+
+Signed-off-by: Chia-Lin Kao (AceLan)
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-ids.h | 2 ++
+ drivers/hid/hid-quirks.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 116436be5e287..b937af010e354 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -311,6 +311,8 @@
+ #define USB_DEVICE_ID_ASUS_AK1D 0x1125
+ #define USB_DEVICE_ID_CHICONY_TOSHIBA_WT10A 0x1408
+ #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421
++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA 0xb824
++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2 0xb82c
+
+ #define USB_VENDOR_ID_CHUNGHWAT 0x2247
+ #define USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH 0x0001
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 7a363fdf31edf..06c27308e497b 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -757,6 +757,8 @@ static const struct hid_device_id hid_ignore_list[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_AVERMEDIA, USB_DEVICE_ID_AVER_FM_MR800) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AXENTIA, USB_DEVICE_ID_AXENTIA_FM_RADIO) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_BERKSHIRE, USB_DEVICE_ID_BERKSHIRE_PCWD) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CIDC, 0x0103) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI470X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI4713) },
+--
+2.39.5
+
diff --git a/queue-6.15/ibmvnic-fix-hardcoded-num_rx_stats-num_tx_stats-with.patch b/queue-6.15/ibmvnic-fix-hardcoded-num_rx_stats-num_tx_stats-with.patch
new file mode 100644
index 0000000000..56217053bf
--- /dev/null
+++ b/queue-6.15/ibmvnic-fix-hardcoded-num_rx_stats-num_tx_stats-with.patch
@@ -0,0 +1,68 @@
+From 8caf3ca9433274b6bd78561afb3b0f5d59627d8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jul 2025 08:33:32 -0700
+Subject: ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof
+
+From: Mingming Cao
+
+[ Upstream commit 01b8114b432d7baaa5e51ab229c12c4f36b8e2c6 ]
+
+The previous hardcoded definitions of NUM_RX_STATS and
+NUM_TX_STATS were not updated when new fields were added
+to the ibmvnic_{rx,tx}_queue_stats structures. Specifically,
+commit 2ee73c54a615 ("ibmvnic: Add stat for tx direct vs tx
+batched") added a fourth TX stat, but NUM_TX_STATS remained 3,
+leading to a mismatch.
+
+This patch replaces the static defines with dynamic sizeof-based
+calculations to ensure the stat arrays are correctly sized.
+This fixes incorrect indexing and prevents incomplete stat
+reporting in tools like ethtool.
+
+Fixes: 2ee73c54a615 ("ibmvnic: Add stat for tx direct vs tx batched")
+Signed-off-by: Mingming Cao
+Reviewed-by: Dave Marquardt
+Reviewed-by: Haren Myneni
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20250709153332.73892-1-mmc@linux.ibm.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/ibm/ibmvnic.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h
+index a189038d88df0..246ddce753f92 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.h
++++ b/drivers/net/ethernet/ibm/ibmvnic.h
+@@ -211,7 +211,6 @@ struct ibmvnic_statistics {
+ u8 reserved[72];
+ } __packed __aligned(8);
+
+-#define NUM_TX_STATS 3
+ struct ibmvnic_tx_queue_stats {
+ u64 batched_packets;
+ u64 direct_packets;
+@@ -219,13 +218,18 @@ struct ibmvnic_tx_queue_stats {
+ u64 dropped_packets;
+ };
+
+-#define NUM_RX_STATS 3
++#define NUM_TX_STATS \
++ (sizeof(struct ibmvnic_tx_queue_stats) / sizeof(u64))
++
+ struct ibmvnic_rx_queue_stats {
+ u64 packets;
+ u64 bytes;
+ u64 interrupts;
+ };
+
++#define NUM_RX_STATS \
++ (sizeof(struct ibmvnic_rx_queue_stats) / sizeof(u64))
++
+ struct ibmvnic_acl_buffer {
+ __be32 len;
+ __be32 version;
+--
+2.39.5
+
diff --git a/queue-6.15/io_uring-make-fallocate-be-hashed-work.patch b/queue-6.15/io_uring-make-fallocate-be-hashed-work.patch
new file mode 100644
index 0000000000..286f64000e
--- /dev/null
+++ b/queue-6.15/io_uring-make-fallocate-be-hashed-work.patch
@@ -0,0 +1,36 @@
+From 753a015a4601befc10e04c4571cd9ccc231fea9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 Jun 2025 19:02:18 +0800
+Subject: io_uring: make fallocate be hashed work
+
+From: Fengnan Chang
+
+[ Upstream commit 88a80066af1617fab444776135d840467414beb6 ]
+
+Like ftruncate and write, fallocate operations on the same file cannot
+be executed in parallel, so it is better to make fallocate be hashed
+work.
+
+Signed-off-by: Fengnan Chang
+Link: https://lore.kernel.org/r/20250623110218.61490-1-changfengnan@bytedance.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ io_uring/opdef.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/io_uring/opdef.c b/io_uring/opdef.c
+index 489384c0438bd..78ef5976bf003 100644
+--- a/io_uring/opdef.c
++++ b/io_uring/opdef.c
+@@ -216,6 +216,7 @@ const struct io_issue_def io_issue_defs[] = {
+ },
+ [IORING_OP_FALLOCATE] = {
+ .needs_file = 1,
++ .hash_reg_file = 1,
+ .prep = io_fallocate_prep,
+ .issue = io_fallocate,
+ },
+--
+2.39.5
+
diff --git a/queue-6.15/io_uring-zcrx-fix-pp-destruction-warnings.patch b/queue-6.15/io_uring-zcrx-fix-pp-destruction-warnings.patch
new file mode 100644
index 0000000000..6da38f6bea
--- /dev/null
+++ b/queue-6.15/io_uring-zcrx-fix-pp-destruction-warnings.patch
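Review bot: `NUM_TX_STATS` and `NUM_RX_STATS` change type from `int` (the literal 3) to `size_t`, and the computed count is only right while every member of the two stats structs is a `u64`. The users of these macros are outside this hunk, so signed arithmetic or `%d` arguments built from them should be rechecked. A `static_assert(sizeof(struct ibmvnic_tx_queue_stats) % sizeof(u64) == 0);` next to each macro (and the same for the rx struct) would at least reject a layout the division cannot describe.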
@@ -0,0 +1,42 @@
+From 345b22c6ab8434c7458c2b0f33538af1ee1c04f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Jul 2025 09:52:33 +0100
+Subject: io_uring/zcrx: fix pp destruction warnings
+
+From: Pavel Begunkov
+
+[ Upstream commit 203817de269539c062724d97dfa5af3cdf77a3ec ]
+
+With multiple page pools and in some other cases we can have allocated
+niovs on page pool destruction. Remove a misplaced warning checking that
+all niovs are returned to zcrx on io_pp_zc_destroy(). It was reported
+before but apparently got lost.
+
+Reported-by: Pedro Tammela
+Fixes: 34a3e60821ab9 ("io_uring/zcrx: implement zerocopy receive pp memory provider")
+Signed-off-by: Pavel Begunkov
+Link: https://lore.kernel.org/r/b9e6d919d2964bc48ddbf8eb52fc9f5d118e9bc1.1751878185.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ io_uring/zcrx.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
+index a53058dd6b7a1..adb1e426987ed 100644
+--- a/io_uring/zcrx.c
++++ b/io_uring/zcrx.c
+@@ -676,10 +676,7 @@ static int io_pp_zc_init(struct page_pool *pp)
+ static void io_pp_zc_destroy(struct page_pool *pp)
+ {
+ struct io_zcrx_ifq *ifq = io_pp_to_ifq(pp);
+- struct io_zcrx_area *area = ifq->area;
+
+- if (WARN_ON_ONCE(area->free_count != area->nia.num_niovs))
+- return;
+ percpu_ref_put(&ifq->ctx->refs);
+ }
+
+--
+2.39.5
+
diff --git a/queue-6.15/md-raid1-fix-stack-memory-use-after-return-in-raid1_.patch b/queue-6.15/md-raid1-fix-stack-memory-use-after-return-in-raid1_.patch
new file mode 100644
index 0000000000..a7504a55fb
--- /dev/null
+++ b/queue-6.15/md-raid1-fix-stack-memory-use-after-return-in-raid1_.patch
@@ -0,0 +1,80 @@
+From a58d7193a95b679ab1aa1e62e85fad1cc45f6888 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 Jun 2025 19:28:40 +0800
+Subject: md/raid1: Fix stack memory use after return in raid1_reshape
+
+From: Wang Jinchao
+
+[ Upstream commit d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98 ]
+
+In the raid1_reshape function, newpool is
+allocated on the stack and assigned to conf->r1bio_pool.
+This results in conf->r1bio_pool.wait.head pointing
+to a stack address.
+Accessing this address later can lead to a kernel panic.
+
+Example access path:
+
+raid1_reshape()
+{
+ // newpool is on the stack
+ mempool_t newpool, oldpool;
+ // initialize newpool.wait.head to stack address
+ mempool_init(&newpool, ...);
+ conf->r1bio_pool = newpool;
+}
+
+raid1_read_request() or raid1_write_request()
+{
+ alloc_r1bio()
+ {
+ mempool_alloc()
+ {
+ // if pool->alloc fails
+ remove_element()
+ {
+ --pool->curr_nr;
+ }
+ }
+ }
+}
+
+mempool_free()
+{
+ if (pool->curr_nr < pool->min_nr) {
+ // pool->wait.head is a stack address
+ // wake_up() will try to access this invalid address
+ // which leads to a kernel panic
+ return;
+ wake_up(&pool->wait);
+ }
+}
+
+Fix:
+reinit conf->r1bio_pool.wait after assigning newpool.
+
+Fixes: afeee514ce7f ("md: convert to bioset_init()/mempool_init()")
+Signed-off-by: Wang Jinchao
+Reviewed-by: Yu Kuai
+Link: https://lore.kernel.org/linux-raid/20250612112901.3023950-1-wangjinchao600@gmail.com
+Signed-off-by: Yu Kuai
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 1fe645e630012..80efe737010b5 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -3431,6 +3431,7 @@ static int raid1_reshape(struct mddev *mddev)
+ /* ok, everything is stopped */
+ oldpool = conf->r1bio_pool;
+ conf->r1bio_pool = newpool;
++ init_waitqueue_head(&conf->r1bio_pool.wait);
+
+ for (d = d2 = 0; d < conf->raid_disks; d++) {
+ struct md_rdev *rdev = conf->mirrors[d].rdev;
+--
+2.39.5
+
diff --git a/queue-6.15/md-raid1-raid10-strip-req_nowait-from-member-bios.patch b/queue-6.15/md-raid1-raid10-strip-req_nowait-from-member-bios.patch
new file mode 100644
index 0000000000..a10ff4f5f8
--- /dev/null
+++ b/queue-6.15/md-raid1-raid10-strip-req_nowait-from-member-bios.patch
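Review bot: The added `init_waitqueue_head(&conf->r1bio_pool.wait)` repairs one self-referential member after the struct copy `conf->r1bio_pool = newpool;`, but nothing at the site says why, and the by-value copy of a pool initialised on the stack remains. A comment such as `/* newpool was set up on the stack, so its wait-queue head still points there; re-init it in the copy */` would keep the line from being removed later as a stray re-initialisation. Re-initialising also discards any queued waiters, which is presumably safe given the `/* ok, everything is stopped */` comment just above, but that precondition is worth stating in the same comment. raid1_reshape() starts and ends outside the hunk, so whether `newpool` is touched again after the copy cannot be checked here.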
@@ -0,0 +1,74 @@ +From 382d305b7834a531c9191316e1c8fa397f0cb503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 18:23:41 +0800 +Subject: md/raid1,raid10: strip REQ_NOWAIT from member bios + +From: Zheng Qixing + +[ Upstream commit 5fa31c49928139fa948f078b094d80f12ed83f5f ] + +RAID layers don't implement proper non-blocking semantics for +REQ_NOWAIT, making the flag potentially misleading when propagated +to member disks. + +This patch clear REQ_NOWAIT from cloned bios in raid1/raid10. Retain +original bio's REQ_NOWAIT flag for upper layer error handling. + +Maybe we can implement non-blocking I/O handling mechanisms within +RAID in future work. + +Fixes: 9f346f7d4ea7 ("md/raid1,raid10: don't handle IO error for +REQ_RAHEAD and REQ_NOWAIT") +Signed-off-by: Zheng Qixing +Link: https://lore.kernel.org/linux-raid/20250702102341.1969154-1-zhengqixing@huaweicloud.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 3 ++- + drivers/md/raid10.c | 2 ++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 80efe737010b5..3d99a4e38e1c6 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1399,7 +1399,7 @@ static void raid1_read_request(struct mddev *mddev, struct bio *bio, + } + read_bio = bio_alloc_clone(mirror->rdev->bdev, bio, gfp, + &mddev->bio_set); +- ++ read_bio->bi_opf &= ~REQ_NOWAIT; + r1_bio->bios[rdisk] = read_bio; + + read_bio->bi_iter.bi_sector = r1_bio->sector + +@@ -1649,6 +1649,7 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, + wait_for_serialization(rdev, r1_bio); + } + ++ mbio->bi_opf &= ~REQ_NOWAIT; + r1_bio->bios[i] = mbio; + + mbio->bi_iter.bi_sector = (r1_bio->sector + rdev->data_offset); +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 0443a479809f9..6a55374a6ba37 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1224,6 +1224,7 @@ static void raid10_read_request(struct mddev 
*mddev, struct bio *bio, + r10_bio->master_bio = bio; + } + read_bio = bio_alloc_clone(rdev->bdev, bio, gfp, &mddev->bio_set); ++ read_bio->bi_opf &= ~REQ_NOWAIT; + + r10_bio->devs[slot].bio = read_bio; + r10_bio->devs[slot].rdev = rdev; +@@ -1259,6 +1260,7 @@ static void raid10_write_one_disk(struct mddev *mddev, struct r10bio *r10_bio, + conf->mirrors[devnum].rdev; + + mbio = bio_alloc_clone(rdev->bdev, bio, GFP_NOIO, &mddev->bio_set); ++ mbio->bi_opf &= ~REQ_NOWAIT; + if (replacement) + r10_bio->devs[n_copy].repl_bio = mbio; + else +-- +2.39.5 + diff --git a/queue-6.15/nbd-fix-uaf-in-nbd_genl_connect-error-path.patch b/queue-6.15/nbd-fix-uaf-in-nbd_genl_connect-error-path.patch new file mode 100644 index 0000000000..58aa946315 --- /dev/null +++ b/queue-6.15/nbd-fix-uaf-in-nbd_genl_connect-error-path.patch 
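Review bot: The mask `bi_opf &= ~REQ_NOWAIT;` is open-coded at four clone sites (raid1_read_request, raid1_write_request, raid10_read_request, raid10_write_one_disk), and nothing keeps a fifth site from being missed. A shared helper next to the md bio helpers, called right after each `bio_alloc_clone()`, would keep them in step; something like `static inline void md_clone_clear_nowait(struct bio *b) { b->bi_opf &= ~REQ_NOWAIT; }` (the name is only a suggestion). Any other path in raid1/raid10 that clones the upper bio for a member disk is not touched by these hunks and would still pass the flag down if it exists. All four functions start and end outside their hunks.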
@@ -0,0 +1,86 @@ +From 3f90690996217e62ec8c693007c64168c036b263 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 21:24:05 +0800 +Subject: nbd: fix uaf in nbd_genl_connect() error path + +From: Zheng Qixing + +[ Upstream commit aa9552438ebf015fc5f9f890dbfe39f0c53cf37e ] + +There is a use-after-free issue in nbd: + +block nbd6: Receive control failed (result -104) +block nbd6: shutting down sockets +================================================================== +BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 +Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 + +CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Workqueue: nbd6-recv recv_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:408 [inline] + print_report+0xc3/0x670 mm/kasan/report.c:521 + kasan_report+0xe0/0x110 mm/kasan/report.c:634 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 + instrument_atomic_read_write include/linux/instrumented.h:96 [inline] + atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] + recv_work+0x694/0xa80 drivers/block/nbd.c:1022 + process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 + process_scheduled_works kernel/workqueue.c:3319 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 + kthread+0x3c2/0x780 kernel/kthread.c:464 + ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + + +nbd_genl_connect() does not properly stop the device on certain +error paths after nbd_start_device() has been called. 
This causes +the error path to put nbd->config while recv_work continue to use +the config after putting it, leading to use-after-free in recv_work. + +This patch moves nbd_start_device() after the backend file creation. + +Reported-by: syzbot+48240bab47e705c53126@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68227a04.050a0220.f2294.00b5.GAE@google.com/T/ +Fixes: 6497ef8df568 ("nbd: provide a way for userspace processes to identify device backends") +Signed-off-by: Zheng Qixing +Reviewed-by: Yu Kuai +Link: https://lore.kernel.org/r/20250612132405.364904-1-zhengqixing@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 7bdc7eb808ea9..2592bd19ebc15 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -2198,9 +2198,7 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) + goto out; + } + } +- ret = nbd_start_device(nbd); +- if (ret) +- goto out; ++ + if (info->attrs[NBD_ATTR_BACKEND_IDENTIFIER]) { + nbd->backend = nla_strdup(info->attrs[NBD_ATTR_BACKEND_IDENTIFIER], + GFP_KERNEL); +@@ -2216,6 +2214,8 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) + goto out; + } + set_bit(NBD_RT_HAS_BACKEND_FILE, &config->runtime_flags); ++ ++ ret = nbd_start_device(nbd); + out: + mutex_unlock(&nbd->config_lock); + if (!ret) { +-- +2.39.5 + diff --git a/queue-6.15/net-appletalk-fix-device-refcount-leak-in-atrtr_crea.patch b/queue-6.15/net-appletalk-fix-device-refcount-leak-in-atrtr_crea.patch new file mode 100644 index 0000000000..9ead506e10 --- /dev/null +++ b/queue-6.15/net-appletalk-fix-device-refcount-leak-in-atrtr_crea.patch 
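Review bot: The relocated `ret = nbd_start_device(nbd);` just before `out:` must stay the last step that can fail, and nothing in the code says so. The commit message explains that an error after the device has started makes the error path put nbd->config while recv_work still uses it. A comment above the call, e.g. `/* Keep last: a failure after the device is started would put the config while recv_work still uses it. */`, would stop a later change from adding another fallible step behind it. With the reorder, the backend attribute file exists and NBD_RT_HAS_BACKEND_FILE is set before the start can fail, so the cleanup after `out:` has to remove that file on a failed start; that code is outside the hunk and worth checking. nbd_genl_connect() starts and ends outside the hunk.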
@@ -0,0 +1,38 @@
+From ea2ede9b2346d020ad3cdbbbdcf0cb7cefd53992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jul 2025 03:52:51 +0000
+Subject: net: appletalk: Fix device refcount leak in atrtr_create()
+
+From: Kito Xu
+
+[ Upstream commit 711c80f7d8b163d3ecd463cd96f07230f488e750 ]
+
+When updating an existing route entry in atrtr_create(), the old device
+reference was not being released before assigning the new device,
+leading to a device refcount leak. Fix this by calling dev_put() to
+release the old device reference before holding the new one.
+
+Fixes: c7f905f0f6d4 ("[ATALK]: Add missing dev_hold() to atrtr_create().")
+Signed-off-by: Kito Xu
+Link: https://patch.msgid.link/tencent_E1A26771CDAB389A0396D1681A90A49E5D09@qq.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/appletalk/ddp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index b068651984fe3..fa7f002b14fa3 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -576,6 +576,7 @@ static int atrtr_create(struct rtentry *r, struct net_device *devhint)
+
+ /* Fill in the routing entry */
+ rt->target = ta->sat_addr;
++ dev_put(rt->dev); /* Release old device */
+ dev_hold(devhint);
+ rt->dev = devhint;
+ rt->flags = r->rt_flags;
+--
+2.39.5
+
diff --git a/queue-6.15/net-ll_temac-fix-missing-tx_pending-check-in-ethtool.patch b/queue-6.15/net-ll_temac-fix-missing-tx_pending-check-in-ethtool.patch
new file mode 100644
index 0000000000..cc11488cf3
--- /dev/null
+++ b/queue-6.15/net-ll_temac-fix-missing-tx_pending-check-in-ethtool.patch
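Review bot: In atrtr_create() the old reference is dropped with `dev_put(rt->dev);` before the new one is taken with `dev_hold(devhint);`. When the entry already points at the same device, the count goes down before it goes back up. Taking the new reference first removes the dependence on the caller holding its own reference: `dev_hold(devhint); dev_put(rt->dev); rt->dev = devhint;`. For a freshly allocated entry rt->dev is presumably NULL, so the line also relies on dev_put() accepting NULL; the allocation is outside the hunk, so a short comment saying so would help. atrtr_create() starts and ends outside the hunk.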
@@ -0,0 +1,45 @@
+From e45965992396984e4ac4f3212b8703cd271ac5fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Jul 2025 11:06:17 -0700
+Subject: net: ll_temac: Fix missing tx_pending check in
+ ethtools_set_ringparam()
+
+From: Alok Tiwari
+
+[ Upstream commit e81750b4e3826fedce7362dad839cb40384d60ae ]
+
+The function ll_temac_ethtools_set_ringparam() incorrectly checked
+rx_pending twice, once correctly for RX and once mistakenly in place
+of tx_pending. This caused tx_pending to be left unchecked against
+TX_BD_NUM_MAX.
+As a result, invalid TX ring sizes may have been accepted or valid
+ones wrongly rejected based on the RX limit, leading to potential
+misconfiguration or unexpected results.
+
+This patch corrects the condition to properly validate tx_pending.
+
+Fixes: f7b261bfc35e ("net: ll_temac: Make RX/TX ring sizes configurable")
+Signed-off-by: Alok Tiwari
+Link: https://patch.msgid.link/20250710180621.2383000-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index edb36ff07a0c6..6f82203a414cd 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -1309,7 +1309,7 @@ ll_temac_ethtools_set_ringparam(struct net_device *ndev,
+ if (ering->rx_pending > RX_BD_NUM_MAX ||
+ ering->rx_mini_pending ||
+ ering->rx_jumbo_pending ||
+- ering->rx_pending > TX_BD_NUM_MAX)
++ ering->tx_pending > TX_BD_NUM_MAX)
+ return -EINVAL;
+
+ if (netif_running(ndev))
+--
+2.39.5
+
diff --git a/queue-6.15/net-mana-record-doorbell-physical-address-in-pf-mode.patch b/queue-6.15/net-mana-record-doorbell-physical-address-in-pf-mode.patch
new file mode 100644
index 0000000000..645f56027b
--- /dev/null
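Review bot: The corrected condition in ll_temac_ethtools_set_ringparam() bounds rx_pending and tx_pending only from above, so a requested ring size of 0 still passes it. Unless a lower bound is enforced elsewhere (none is visible in the hunk), I would reject zero here too by adding `!ering->rx_pending || !ering->tx_pending ||` to the condition. The function continues past the end of the hunk, so how the accepted values are used afterwards cannot be checked from here.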
+++ b/queue-6.15/net-mana-record-doorbell-physical-address-in-pf-mode.patch
@@ -0,0 +1,47 @@
+From 401624e887a86af04e0420fda604b9cdac5a95f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 Jun 2025 18:36:46 -0700
+Subject: net: mana: Record doorbell physical address in PF mode
+
+From: Long Li
+
+[ Upstream commit e0fca6f2cebff539e9317a15a37dcf432e3b851a ]
+
+MANA supports RDMA in PF mode. The driver should record the doorbell
+physical address when in PF mode.
+
+The doorbell physical address is used by the RDMA driver to map
+doorbell pages of the device to user-mode applications through RDMA
+verbs interface. In the past, they have been mapped to user-mode while
+the device is in VF mode. With the support for PF mode implemented,
+also expose those pages in PF mode.
+
+Support for PF mode is implemented in
+290e5d3c49f6 ("net: mana: Add support for Multi Vports on Bare metal")
+
+Signed-off-by: Long Li
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/1750210606-12167-1-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/microsoft/mana/gdma_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+index 4ffaf75888852..3dc94349820d2 100644
+--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+@@ -31,6 +31,9 @@ static void mana_gd_init_pf_regs(struct pci_dev *pdev)
+ gc->db_page_base = gc->bar0_va +
+ mana_gd_r64(gc, GDMA_PF_REG_DB_PAGE_OFF);
+
++ gc->phys_db_page_base = gc->bar0_pa +
++ mana_gd_r64(gc, GDMA_PF_REG_DB_PAGE_OFF);
++
+ sriov_base_off = mana_gd_r64(gc, GDMA_SRIOV_REG_CFG_BASE_OFF);
+
+ sriov_base_va = gc->bar0_va + sriov_base_off;
+--
+2.39.5
+
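Review bot: The offset read from GDMA_PF_REG_DB_PAGE_OFF is added to `gc->bar0_pa` in mana_gd_init_pf_regs() with no range check, and the commit message says the resulting address is later used to map doorbell pages into user-mode applications. An offset beyond BAR0 would make that mapping cover an unrelated physical range, so I would validate it against the BAR length before storing it; the length is not visible in this hunk. The register is also read twice, once for db_page_base and once for phys_db_page_base. Reading it once with `u64 db_off = mana_gd_r64(gc, GDMA_PF_REG_DB_PAGE_OFF);` and using `db_off` for both keeps the virtual and physical bases consistent. The function starts and ends outside the hunk.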
diff --git a/queue-6.15/net-mlx5-reset-bw_share-field-when-changing-a-node-s.patch b/queue-6.15/net-mlx5-reset-bw_share-field-when-changing-a-node-s.patch
new file mode 100644
index 0000000000..215300049b
--- /dev/null
+++ b/queue-6.15/net-mlx5-reset-bw_share-field-when-changing-a-node-s.patch
@@ -0,0 +1,44 @@
+From 9a40b9d9db9e681daea22e5c14ffca33d081c2d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Jul 2025 16:53:42 +0300
+Subject: net/mlx5: Reset bw_share field when changing a node's parent
+
+From: Carolina Jubran
+
+[ Upstream commit f7b76466894083c8f518cf29fef75fcd3ec670e5 ]
+
+When changing a node's parent, its scheduling element is destroyed and
+re-created with bw_share 0. However, the node's bw_share field was not
+updated accordingly.
+
+Set the node's bw_share to 0 after re-creation to keep the software
+state in sync with the firmware configuration.
+
+Fixes: 9c7bbf4c3304 ("net/mlx5: Add support for setting parent of nodes")
+Signed-off-by: Carolina Jubran
+Reviewed-by: Cosmin Ratiu
+Reviewed-by: Dragos Tatulea
+Signed-off-by: Tariq Toukan
+Reviewed-by: Jacob Keller
+Link: https://patch.msgid.link/1752155624-24095-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+index b6ae384396b33..ad9f6fca9b6a2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+@@ -1076,6 +1076,7 @@ static int esw_qos_vports_node_update_parent(struct mlx5_esw_sched_node *node,
+ return err;
+ }
+ esw_qos_node_set_parent(node, parent);
++ node->bw_share = 0;
+
+ return 0;
+ }
+--
+2.39.5
+
diff --git a/queue-6.15/net-mlx5e-add-new-prio-for-promiscuous-mode.patch b/queue-6.15/net-mlx5e-add-new-prio-for-promiscuous-mode.patch
new file mode 100644
index 0000000000..b925ee83bd
--- /dev/null
+++ b/queue-6.15/net-mlx5e-add-new-prio-for-promiscuous-mode.patch
@@ -0,0 +1,116 @@ +From 08672fa035fd389cde7091423f4a01277cc39537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:53:44 +0300 +Subject: net/mlx5e: Add new prio for promiscuous mode + +From: Jianbo Liu + +[ Upstream commit 4c9fce56fa702059bbc5ab737265b68f79cbaac4 ] + +An optimization for promiscuous mode adds a high-priority steering +table with a single catch-all rule to steer all traffic directly to +the TTC table. + +However, a gap exists between the creation of this table and the +insertion of the catch-all rule. Packets arriving in this brief window +would miss as no rule was inserted yet, unnecessarily incrementing the +'rx_steer_missed_packets' counter and dropped. + +This patch resolves the issue by introducing a new prio for this +table, placing it between MLX5E_TC_PRIO and MLX5E_NIC_PRIO. By doing +so, packets arriving during the window now fall through to the next +prio (at MLX5E_NIC_PRIO) instead of being dropped. + +Fixes: 1c46d7409f30 ("net/mlx5e: Optimize promiscuous mode") +Signed-off-by: Jianbo Liu +Reviewed-by: Mark Bloch +Signed-off-by: Tariq Toukan +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/1752155624-24095-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 9 +++++++-- + drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 +++++++++---- + 3 files changed, 17 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h +index b5c3a2a9d2a59..9560fcba643f5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h +@@ -18,7 +18,8 @@ enum { + + enum { + MLX5E_TC_PRIO = 0, +- MLX5E_NIC_PRIO ++ MLX5E_PROMISC_PRIO, ++ MLX5E_NIC_PRIO, + }; + + struct mlx5e_flow_table { +@@ -68,9 +69,13 @@ struct mlx5e_l2_table { + 
MLX5_HASH_FIELD_SEL_DST_IP |\ + MLX5_HASH_FIELD_SEL_IPSEC_SPI) + +-/* NIC prio FTS */ ++/* NIC promisc FT level */ + enum { + MLX5E_PROMISC_FT_LEVEL, ++}; ++ ++/* NIC prio FTS */ ++enum { + MLX5E_VLAN_FT_LEVEL, + MLX5E_L2_FT_LEVEL, + MLX5E_TTC_FT_LEVEL, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +index 05058710d2c79..537e732085b22 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c +@@ -776,7 +776,7 @@ static int mlx5e_create_promisc_table(struct mlx5e_flow_steering *fs) + ft_attr.max_fte = MLX5E_PROMISC_TABLE_SIZE; + ft_attr.autogroup.max_num_groups = 1; + ft_attr.level = MLX5E_PROMISC_FT_LEVEL; +- ft_attr.prio = MLX5E_NIC_PRIO; ++ ft_attr.prio = MLX5E_PROMISC_PRIO; + + ft->t = mlx5_create_auto_grouped_flow_table(fs->ns, &ft_attr); + if (IS_ERR(ft->t)) { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 445301ea70426..53c4eba9867df 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -113,13 +113,16 @@ + #define ETHTOOL_PRIO_NUM_LEVELS 1 + #define ETHTOOL_NUM_PRIOS 11 + #define ETHTOOL_MIN_LEVEL (KERNEL_MIN_LEVEL + ETHTOOL_NUM_PRIOS) +-/* Promiscuous, Vlan, mac, ttc, inner ttc, {UDP/ANY/aRFS/accel/{esp, esp_err}}, IPsec policy, ++/* Vlan, mac, ttc, inner ttc, {UDP/ANY/aRFS/accel/{esp, esp_err}}, IPsec policy, + * {IPsec RoCE MPV,Alias table},IPsec RoCE policy + */ +-#define KERNEL_NIC_PRIO_NUM_LEVELS 11 ++#define KERNEL_NIC_PRIO_NUM_LEVELS 10 + #define KERNEL_NIC_NUM_PRIOS 1 +-/* One more level for tc */ +-#define KERNEL_MIN_LEVEL (KERNEL_NIC_PRIO_NUM_LEVELS + 1) ++/* One more level for tc, and one more for promisc */ ++#define KERNEL_MIN_LEVEL (KERNEL_NIC_PRIO_NUM_LEVELS + 2) ++ ++#define KERNEL_NIC_PROMISC_NUM_PRIOS 1 ++#define KERNEL_NIC_PROMISC_NUM_LEVELS 1 + + #define 
KERNEL_NIC_TC_NUM_PRIOS 1 + #define KERNEL_NIC_TC_NUM_LEVELS 3 +@@ -187,6 +190,8 @@ static struct init_tree_node { + ADD_NS(MLX5_FLOW_TABLE_MISS_ACTION_DEF, + ADD_MULTIPLE_PRIO(KERNEL_NIC_TC_NUM_PRIOS, + KERNEL_NIC_TC_NUM_LEVELS), ++ ADD_MULTIPLE_PRIO(KERNEL_NIC_PROMISC_NUM_PRIOS, ++ KERNEL_NIC_PROMISC_NUM_LEVELS), + ADD_MULTIPLE_PRIO(KERNEL_NIC_NUM_PRIOS, + KERNEL_NIC_PRIO_NUM_LEVELS))), + ADD_PRIO(0, BY_PASS_MIN_LEVEL, 0, FS_CHAINING_CAPS, +-- +2.39.5 + diff --git a/queue-6.15/net-mlx5e-fix-race-between-dim-disable-and-net_dim.patch b/queue-6.15/net-mlx5e-fix-race-between-dim-disable-and-net_dim.patch new file mode 100644 index 0000000000..c29fc2ffb4 --- /dev/null +++ b/queue-6.15/net-mlx5e-fix-race-between-dim-disable-and-net_dim.patch 
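Review bot: The enum order in en/fs.h (MLX5E_TC_PRIO, MLX5E_PROMISC_PRIO, MLX5E_NIC_PRIO) now appears to have to match the order of the three ADD_MULTIPLE_PRIO() entries in init_tree_node in fs_core.c, and neither file says so. A comment above the enum, e.g. `/* Order must match the kernel NIC ADD_MULTIPLE_PRIO() entries in fs_core.c */`, would make the coupling explicit for the next person who inserts a prio. MLX5E_NIC_PRIO also changes value from 1 to 2, so any user that depends on the number rather than the name (none is visible here) would need checking. The new single-member enum holding MLX5E_PROMISC_FT_LEVEL would benefit from a note that the level is counted inside the promisc prio only.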
@@ -0,0 +1,99 @@ +From 6516d2f1381a4c6bda9c9044e3af5fab645426af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:53:43 +0300 +Subject: net/mlx5e: Fix race between DIM disable and net_dim() + +From: Carolina Jubran + +[ Upstream commit eb41a264a3a576dc040ee37c3d9d6b7e2d9be968 ] + +There's a race between disabling DIM and NAPI callbacks using the dim +pointer on the RQ or SQ. + +If NAPI checks the DIM state bit and sees it still set, it assumes +`rq->dim` or `sq->dim` is valid. But if DIM gets disabled right after +that check, the pointer might already be set to NULL, leading to a NULL +pointer dereference in net_dim(). + +Fix this by calling `synchronize_net()` before freeing the DIM context. +This ensures all in-progress NAPI callbacks are finished before the +pointer is cleared. + +Kernel log: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +... +RIP: 0010:net_dim+0x23/0x190 +... +Call Trace: + + ? __die+0x20/0x60 + ? page_fault_oops+0x150/0x3e0 + ? common_interrupt+0xf/0xa0 + ? sysvec_call_function_single+0xb/0x90 + ? exc_page_fault+0x74/0x130 + ? asm_exc_page_fault+0x22/0x30 + ? net_dim+0x23/0x190 + ? mlx5e_poll_ico_cq+0x41/0x6f0 [mlx5_core] + ? sysvec_apic_timer_interrupt+0xb/0x90 + mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core] + mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core] + ? mlx5e_poll_ico_cq+0xe5/0x6f0 [mlx5_core] + busy_poll_stop+0xa2/0x200 + ? mlx5e_napi_poll+0x1d9/0xac0 [mlx5_core] + ? mlx5e_trigger_irq+0x130/0x130 [mlx5_core] + __napi_busy_loop+0x345/0x3b0 + ? sysvec_call_function_single+0xb/0x90 + ? asm_sysvec_call_function_single+0x16/0x20 + ? sysvec_apic_timer_interrupt+0xb/0x90 + ? pcpu_free_area+0x1e4/0x2e0 + napi_busy_loop+0x11/0x20 + xsk_recvmsg+0x10c/0x130 + sock_recvmsg+0x44/0x70 + __sys_recvfrom+0xbc/0x130 + ? __schedule+0x398/0x890 + __x64_sys_recvfrom+0x20/0x30 + do_syscall_64+0x4c/0x100 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 +... +---[ end trace 0000000000000000 ]--- +... 
+---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +Fixes: 445a25f6e1a2 ("net/mlx5e: Support updating coalescing configuration without resetting channels") +Signed-off-by: Carolina Jubran +Reviewed-by: Cosmin Ratiu +Signed-off-by: Tariq Toukan +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/1752155624-24095-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_dim.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dim.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dim.c +index 298bb74ec5e94..d1d629697e285 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dim.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dim.c +@@ -113,7 +113,7 @@ int mlx5e_dim_rx_change(struct mlx5e_rq *rq, bool enable) + __set_bit(MLX5E_RQ_STATE_DIM, &rq->state); + } else { + __clear_bit(MLX5E_RQ_STATE_DIM, &rq->state); +- ++ synchronize_net(); + mlx5e_dim_disable(rq->dim); + rq->dim = NULL; + } +@@ -140,7 +140,7 @@ int mlx5e_dim_tx_change(struct mlx5e_txqsq *sq, bool enable) + __set_bit(MLX5E_SQ_STATE_DIM, &sq->state); + } else { + __clear_bit(MLX5E_SQ_STATE_DIM, &sq->state); +- ++ synchronize_net(); + mlx5e_dim_disable(sq->dim); + sq->dim = NULL; + } +-- +2.39.5 + diff --git a/queue-6.15/net-phy-microchip-limit-100m-workaround-to-link-down.patch b/queue-6.15/net-phy-microchip-limit-100m-workaround-to-link-down.patch new file mode 100644 index 0000000000..7f905452d3 --- /dev/null +++ b/queue-6.15/net-phy-microchip-limit-100m-workaround-to-link-down.patch 
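Review bot: The `__clear_bit()` that precedes each added `synchronize_net()` in mlx5e_dim_rx_change() and mlx5e_dim_tx_change() is the non-atomic variant, while the commit message says NAPI tests the same state word concurrently. If other bits of `rq->state` or `sq->state` are modified from NAPI context, a non-atomic read-modify-write here can lose those updates, and `clear_bit()` would be the safer choice; whether that applies depends on code outside the hunks. The ordering requirement is also undocumented, and a comment such as `/* wait for in-flight NAPI polls that saw the DIM bit before freeing dim */` above `synchronize_net();` would explain it. Each call waits for a full grace period, so a caller that toggles DIM across many queues pays that cost per queue. Both functions start and end outside their hunks.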
@@ -0,0 +1,60 @@ +From 49624bc355fcef2b6bf3fc835bace9d2be19dc0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 15:07:53 +0200 +Subject: net: phy: microchip: limit 100M workaround to link-down events on + LAN88xx + +From: Oleksij Rempel + +[ Upstream commit dd4360c0e8504f2f7639c7f5d07c93cfd6a98333 ] + +Restrict the 100Mbit forced-mode workaround to link-down transitions +only, to prevent repeated link reset cycles in certain configurations. + +The workaround was originally introduced to improve signal reliability +when switching cables between long and short distances. It temporarily +forces the PHY into 10 Mbps before returning to 100 Mbps. + +However, when used with autonegotiating link partners (e.g., Intel i350), +executing this workaround on every link change can confuse the partner +and cause constant renegotiation loops. This results in repeated link +down/up transitions and the PHY never reaching a stable state. + +Limit the workaround to only run during the PHY_NOLINK state. This ensures +it is triggered only once per link drop, avoiding disruptive toggling +while still preserving its intended effect. + +Note: I am not able to reproduce the original issue that this workaround +addresses. I can only confirm that 100 Mbit mode works correctly in my +test setup. Based on code inspection, I assume the workaround aims to +reset some internal state machine or signal block by toggling speeds. +However, a PHY reset is already performed earlier in the function via +phy_init_hw(), which may achieve a similar effect. Without a reproducer, +I conservatively keep the workaround but restrict its conditions. 
+ +Fixes: e57cf3639c32 ("net: lan78xx: fix accessing the LAN7800's internal phy specific registers from the MAC driver") +Signed-off-by: Oleksij Rempel +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250709130753.3994461-3-o.rempel@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/microchip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/microchip.c b/drivers/net/phy/microchip.c +index 5d1ca285d95ba..55822d36889c3 100644 +--- a/drivers/net/phy/microchip.c ++++ b/drivers/net/phy/microchip.c +@@ -332,7 +332,7 @@ static void lan88xx_link_change_notify(struct phy_device *phydev) + * As workaround, set to 10 before setting to 100 + * at forced 100 F/H mode. + */ +- if (!phydev->autoneg && phydev->speed == 100) { ++ if (phydev->state == PHY_NOLINK && !phydev->autoneg && phydev->speed == 100) { + /* disable phy interrupt */ + temp = phy_read(phydev, LAN88XX_INT_MASK); + temp &= ~LAN88XX_INT_MASK_MDINTPIN_EN_; +-- +2.39.5 + diff --git a/queue-6.15/net-phy-microchip-use-genphy_soft_reset-to-purge-sta.patch b/queue-6.15/net-phy-microchip-use-genphy_soft_reset-to-purge-sta.patch new file mode 100644 index 0000000000..b527c3b492 --- /dev/null +++ b/queue-6.15/net-phy-microchip-use-genphy_soft_reset-to-purge-sta.patch 
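Review bot: The block comment above the condition in lan88xx_link_change_notify() still describes only the forced-100 case ("As workaround, set to 10 before setting to 100 at forced 100 F/H mode") and says nothing about the new `phydev->state == PHY_NOLINK` restriction. I would add a line to it such as `* Only applied on link-down (PHY_NOLINK) to avoid renegotiation loops with autonegotiating partners.` so the reason does not live only in the commit message. The rewritten `if` line is also considerably longer than its neighbours and could be split after the first `&&`. The function starts and ends outside the hunk.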
@@ -0,0 +1,47 @@
+From 0dc30d730f4e613b4a241f6e592270144a15423c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jul 2025 15:07:52 +0200
+Subject: net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits
+
+From: Oleksij Rempel
+
+[ Upstream commit b4517c363e0e005c7f81ae3be199eec68e87f122 ]
+
+Enable .soft_reset for the LAN88xx PHY driver by assigning
+genphy_soft_reset() to ensure that the phylib core performs a proper
+soft reset during reconfiguration.
+
+Previously, the driver left .soft_reset unimplemented, so calls to
+phy_init_hw() (e.g., from lan88xx_link_change_notify()) did not fully
+reset the PHY. As a result, stale contents in the Link Partner Ability
+(LPA) register could persist, causing the PHY to incorrectly report
+that the link partner advertised autonegotiation even when it did not.
+
+Using genphy_soft_reset() guarantees a clean reset of the PHY and
+corrects the false autoneg reporting in these scenarios.
+
+Fixes: ccb989e4d1ef ("net: phy: microchip: Reset LAN88xx PHY to ensure clean link state on LAN7800/7850")
+Signed-off-by: Oleksij Rempel
+Reviewed-by: Andrew Lunn
+Link: https://patch.msgid.link/20250709130753.3994461-2-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/microchip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/microchip.c b/drivers/net/phy/microchip.c
+index 93de88c1c8fd5..5d1ca285d95ba 100644
+--- a/drivers/net/phy/microchip.c
++++ b/drivers/net/phy/microchip.c
+@@ -486,6 +486,7 @@ static struct phy_driver microchip_phy_driver[] = {
+ .config_init = lan88xx_config_init,
+ .config_aneg = lan88xx_config_aneg,
+ .link_change_notify = lan88xx_link_change_notify,
++ .soft_reset = genphy_soft_reset,
+
+ /* Interrupt handling is broken, do not define related
+ * functions to force polling.
+--
+2.39.5
+
diff --git a/queue-6.15/net-usb-qmi_wwan-add-simcom-8230c-composition.patch b/queue-6.15/net-usb-qmi_wwan-add-simcom-8230c-composition.patch
new file mode 100644
index 0000000000..66b031a511
--- /dev/null
+++ b/queue-6.15/net-usb-qmi_wwan-add-simcom-8230c-composition.patch
@@ -0,0 +1,63 @@ +From bcf60ab9eb06bea69423fb8ac000d9143ffdd810 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 10:27:02 +0800 +Subject: net: usb: qmi_wwan: add SIMCom 8230C composition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xiaowei Li + +[ Upstream commit 0b39b055b5b48cbbdf5746a1ca6e3f6b0221e537 ] + +Add support for SIMCom 8230C which is based on Qualcomm SDX35 chip. +0x9071: tty (DM) + tty (NMEA) + tty (AT) + rmnet +T: Bus=01 Lev=01 Prnt=01 Port=05 Cnt=02 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1e0e ProdID=9071 Rev= 5.15 +S: Manufacturer=SIMCOM +S: Product=SDXBAAGHA-IDP _SN:D744C4C5 +S: SerialNumber=0123456789ABCDEF +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan +E: Ad=86(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) 
Sub=42 Prot=01 Driver=none +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Xiaowei Li +Acked-by: Bjørn Mork +Link: https://patch.msgid.link/tencent_21D781FAA4969FEACA6ABB460362B52C9409@qq.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index b586b1c13a47f..f5647ee0addec 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1426,6 +1426,7 @@ static const struct usb_device_id products[] = { + {QMI_QUIRK_SET_DTR(0x22de, 0x9051, 2)}, /* Hucom Wireless HM-211S/K */ + {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */ + {QMI_QUIRK_SET_DTR(0x1e0e, 0x9001, 5)}, /* SIMCom 7100E, 7230E, 7600E ++ */ ++ {QMI_QUIRK_SET_DTR(0x1e0e, 0x9071, 3)}, /* SIMCom 8230C ++ */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0195, 4)}, /* Quectel EG95 */ +-- +2.39.5 + diff --git a/queue-6.15/netfilter-flowtable-account-for-ethernet-header-in-n.patch b/queue-6.15/netfilter-flowtable-account-for-ethernet-header-in-n.patch new file mode 100644 index 0000000000..000ada824f --- /dev/null +++ b/queue-6.15/netfilter-flowtable-account-for-ethernet-header-in-n.patch 
@@ -0,0 +1,61 @@ +From 0e144bd5dc12b96694175cb62c64382a41956d1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 12:45:17 +0000 +Subject: netfilter: flowtable: account for Ethernet header in + nf_flow_pppoe_proto() + +From: Eric Dumazet + +[ Upstream commit 18cdb3d982da8976b28d57691eb256ec5688fad2 ] + +syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() + +Blamed commit forgot the Ethernet header. + +BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 + nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 + nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] + nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 + nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] + nf_ingress net/core/dev.c:5742 [inline] + __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 + __netif_receive_skb_one_core net/core/dev.c:5975 [inline] + __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 + netif_receive_skb_internal net/core/dev.c:6176 [inline] + netif_receive_skb+0x57/0x630 net/core/dev.c:6235 + tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 + tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 + tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0xb4b/0x1580 fs/read_write.c:686 + ksys_write fs/read_write.c:738 [inline] + __do_sys_write fs/read_write.c:749 [inline] + +Reported-by: syzbot+bf6ed459397e307c3ad2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/686bc073.a00a0220.c7b3.0086.GAE@google.com/T/#u +Fixes: 87b3593bed18 ("netfilter: flowtable: validate pppoe header") +Signed-off-by: Eric Dumazet +Reviewed-by: Pablo Neira Ayuso +Link: https://patch.msgid.link/20250707124517.614489-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_flow_table.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff 
--git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h +index d711642e78b57..c003cd194fa2a 100644 +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -370,7 +370,7 @@ static inline __be16 __nf_flow_pppoe_proto(const struct sk_buff *skb) + + static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto) + { +- if (!pskb_may_pull(skb, PPPOE_SES_HLEN)) ++ if (!pskb_may_pull(skb, ETH_HLEN + PPPOE_SES_HLEN)) + return false; + + *inner_proto = __nf_flow_pppoe_proto(skb); +-- +2.39.5 + diff --git a/queue-6.15/raid10-cleanup-memleak-at-raid10_make_request.patch b/queue-6.15/raid10-cleanup-memleak-at-raid10_make_request.patch new file mode 100644 index 0000000000..6f9896862a --- /dev/null +++ b/queue-6.15/raid10-cleanup-memleak-at-raid10_make_request.patch 
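Review bot: The widened bound in `nf_flow_pppoe_proto()` has no comment tying `ETH_HLEN + PPPOE_SES_HLEN` to the offset that `__nf_flow_pppoe_proto()` reads, and the commit message says the earlier check forgot exactly that Ethernet header. A one-line comment above the `pskb_may_pull()` call, e.g. `/* the PPPoE protocol field is read past the Ethernet header; both must be linear */`, would keep the bound and the read in step. The body of `__nf_flow_pppoe_proto()` is outside the hunk, so the exact offset should be confirmed there before wording the comment.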
@@ -0,0 +1,81 @@ +From 7afe8f0ddff907e4242299cc45045cb3d1f362c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 11:23:04 -0400 +Subject: raid10: cleanup memleak at raid10_make_request + +From: Nigel Croxon + +[ Upstream commit 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 ] + +If raid10_read_request or raid10_write_request registers a new +request and the REQ_NOWAIT flag is set, the code does not +free the malloc from the mempool. + +unreferenced object 0xffff8884802c3200 (size 192): + comm "fio", pid 9197, jiffies 4298078271 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... + 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc c1a049a2): + __kmalloc+0x2bb/0x450 + mempool_alloc+0x11b/0x320 + raid10_make_request+0x19e/0x650 [raid10] + md_handle_request+0x3b3/0x9e0 + __submit_bio+0x394/0x560 + __submit_bio_noacct+0x145/0x530 + submit_bio_noacct_nocheck+0x682/0x830 + __blkdev_direct_IO_async+0x4dc/0x6b0 + blkdev_read_iter+0x1e5/0x3b0 + __io_read+0x230/0x1110 + io_read+0x13/0x30 + io_issue_sqe+0x134/0x1180 + io_submit_sqes+0x48c/0xe90 + __do_sys_io_uring_enter+0x574/0x8b0 + do_syscall_64+0x5c/0xe0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +V4: changing backing tree to see if CKI tests will pass. +The patch code has not changed between any versions. 
+ +Fixes: c9aa889b035f ("md: raid10 add nowait support") +Signed-off-by: Nigel Croxon +Link: https://lore.kernel.org/linux-raid/c0787379-9caa-42f3-b5fc-369aed784400@redhat.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 54320a887ecc5..0443a479809f9 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1182,8 +1182,11 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio, + } + } + +- if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) ++ if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) { ++ raid_end_bio_io(r10_bio); + return; ++ } ++ + rdev = read_balance(conf, r10_bio, &max_sectors); + if (!rdev) { + if (err_rdev) { +@@ -1370,8 +1373,11 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, + } + + sectors = r10_bio->sectors; +- if (!regular_request_wait(mddev, conf, bio, sectors)) ++ if (!regular_request_wait(mddev, conf, bio, sectors)) { ++ raid_end_bio_io(r10_bio); + return; ++ } ++ + if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery) && + (mddev->reshape_backwards + ? (bio->bi_iter.bi_sector < conf->reshape_safe && +-- +2.39.5 + diff --git a/queue-6.15/riscv-vdso-exclude-.rodata-from-the-pt_dynamic-segme.patch b/queue-6.15/riscv-vdso-exclude-.rodata-from-the-pt_dynamic-segme.patch new file mode 100644 index 0000000000..18bf9eda15 --- /dev/null +++ b/queue-6.15/riscv-vdso-exclude-.rodata-from-the-pt_dynamic-segme.patch 
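Review bot: Calling `raid_end_bio_io(r10_bio)` on the `regular_request_wait()` failure path, in both `raid10_read_request()` and `raid10_write_request()`, appears to do more than return the r10_bio to the mempool: going by its name it also completes the master bio, and its body is not in the hunk. If `regular_request_wait()` has already completed the bio on its REQ_NOWAIT failure path (its body is outside the hunk too, so this needs confirming), the bio would be ended twice. Any barrier reference that `raid_end_bio_io()` drops would also be released without having been taken. In that case only the allocation should be released, e.g. `free_r10bio(r10_bio);` in place of `raid_end_bio_io(r10_bio);` at both sites.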
@@ -0,0 +1,51 @@ +From 38a080f9d462dc114f9558eb7f0e520314511222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 20:48:44 -0700 +Subject: riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment + +From: Fangrui Song + +[ Upstream commit e0eb1b6b0cd29ca7793c501d5960fd36ba11f110 ] + +.rodata is implicitly included in the PT_DYNAMIC segment due to +inheriting the segment of the preceding .dynamic section (in both GNU ld +and LLD). When the .rodata section's size is not a multiple of 16 +bytes on riscv64, llvm-readelf will report a "PT_DYNAMIC dynamic table +is invalid" warning. Note: in the presence of the .dynamic section, GNU +readelf and llvm-readelf's -d option decodes the dynamic section using +the section. + +This issue arose after commit 8f8c1ff879fab60f80f3a7aec3000f47e5b03ba9 +("riscv: vdso.lds.S: remove hardcoded 0x800 .text start addr"), which +placed .rodata directly after .dynamic by removing .eh_frame. + +This patch resolves the implicit inclusion into PT_DYNAMIC by explicitly +specifying the :text output section phdr. + +Reported-by: Nathan Chancellor +Closes: https://github.com/ClangBuiltLinux/linux/issues/2093 +Signed-off-by: Fangrui Song +Tested-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20250602-riscv-vdso-v1-1-0620cf63cff0@maskray.me +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/vdso/vdso.lds.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/vdso/vdso.lds.S b/arch/riscv/kernel/vdso/vdso.lds.S +index 8e86965a8aae4..646e268ede443 100644 +--- a/arch/riscv/kernel/vdso/vdso.lds.S ++++ b/arch/riscv/kernel/vdso/vdso.lds.S +@@ -30,7 +30,7 @@ SECTIONS + *(.data .data.* .gnu.linkonce.d.*) + *(.dynbss) + *(.bss .bss.* .gnu.linkonce.b.*) +- } ++ } :text + + .note : { *(.note.*) } :text :note + +-- +2.39.5 + 
diff --git a/queue-6.15/selftests-net-lib-fix-shift-count-out-of-range.patch b/queue-6.15/selftests-net-lib-fix-shift-count-out-of-range.patch new file mode 100644 index 0000000000..a9caf0941d --- /dev/null +++ b/queue-6.15/selftests-net-lib-fix-shift-count-out-of-range.patch 
@@ -0,0 +1,56 @@ +From 1ee23ceede353b38f284ed8cd2f56d4e8fe108e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 09:12:44 +0000 +Subject: selftests: net: lib: fix shift count out of range + +From: Hangbin Liu + +[ Upstream commit 47c84997c686b4d43b225521b732492552b84758 ] + +I got the following warning when writing other tests: + + + handle_test_result_pass 'bond 802.3ad' '(lacp_active off)' + + local 'test_name=bond 802.3ad' + + shift + + local 'opt_str=(lacp_active off)' + + shift + + log_test_result 'bond 802.3ad' '(lacp_active off)' ' OK ' + + local 'test_name=bond 802.3ad' + + shift + + local 'opt_str=(lacp_active off)' + + shift + + local 'result= OK ' + + shift + + local retmsg= + + shift + /net/tools/testing/selftests/net/forwarding/../lib.sh: line 315: shift: shift count out of range + +This happens because an extra shift is executed even after all arguments +have been consumed. Remove the last shift in log_test_result() to avoid +this warning. + +Fixes: a923af1ceee7 ("selftests: forwarding: Convert log_test() to recognize RET values") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20250709091244.88395-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/lib.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/lib.sh b/tools/testing/selftests/net/lib.sh +index 701905eeff66d..f380f30425945 100644 +--- a/tools/testing/selftests/net/lib.sh ++++ b/tools/testing/selftests/net/lib.sh +@@ -286,7 +286,7 @@ log_test_result() + local test_name=$1; shift + local opt_str=$1; shift + local result=$1; shift +- local retmsg=$1; shift ++ local retmsg=$1 + + printf "TEST: %-60s [%s]\n" "$test_name $opt_str" "$result" + if [[ $retmsg ]]; then +-- +2.39.5 + diff --git a/queue-6.15/series b/queue-6.15/series index 95233e38fb..9cc48780a4 100644 --- a/queue-6.15/series +++ b/queue-6.15/series 
@@ -124,3 +124,65 @@ erofs-fix-large-fragment-handling.patch asoc-intel-sof-function-topology-lib-print-out-the-unsupported-dmic-count.patch netlink-fix-rmem-check-in-netlink_broadcast_deliver.patch netlink-make-sure-we-allow-at-least-one-dump-skb.patch +wifi-cfg80211-fix-s1g-beacon-head-validation-in-nl80.patch +wifi-zd1211rw-fix-potential-null-pointer-dereference.patch +drm-tegra-nvdec-fix-dma_alloc_coherent-error-check.patch +md-raid1-fix-stack-memory-use-after-return-in-raid1_.patch +raid10-cleanup-memleak-at-raid10_make_request.patch +md-raid1-raid10-strip-req_nowait-from-member-bios.patch +wifi-mac80211-correctly-identify-s1g-short-beacon.patch +wifi-mac80211-fix-non-transmitted-bssid-profile-sear.patch +wifi-mac80211-reject-vht-opmode-for-unsupported-chan.patch +wifi-rt2x00-fix-remove-callback-type-mismatch.patch +io_uring-zcrx-fix-pp-destruction-warnings.patch +drm-nouveau-gsp-fix-potential-leak-of-memory-used-du.patch +wifi-mt76-assume-__mt76_connac_mcu_alloc_sta_req-run.patch +wifi-mt76-move-rcu-section-in-mt7996_mcu_set_fixed_f.patch +wifi-mt76-move-rcu-section-in-mt7996_mcu_add_rate_ct.patch +wifi-mt76-move-rcu-section-in-mt7996_mcu_add_rate_ct.patch-12874 +wifi-mt76-remove-rcu-section-in-mt7996_mac_sta_rc_wo.patch +wifi-mt76-mt7925-fix-null-ptr-deref-in-mt7925_therma.patch +nbd-fix-uaf-in-nbd_genl_connect-error-path.patch +block-reject-bs-ps-block-devices-when-thp-is-disable.patch +drm-xe-pf-clear-all-lmtt-pages-on-alloc.patch +erofs-refine-readahead-tracepoint.patch +erofs-fix-to-add-missing-tracepoint-in-erofs_readahe.patch +wifi-mac80211-add-the-virtual-monitor-after-reconfig.patch +netfilter-flowtable-account-for-ethernet-header-in-n.patch +net-appletalk-fix-device-refcount-leak-in-atrtr_crea.patch +ibmvnic-fix-hardcoded-num_rx_stats-num_tx_stats-with.patch +net-phy-microchip-use-genphy_soft_reset-to-purge-sta.patch +net-phy-microchip-limit-100m-workaround-to-link-down.patch +selftests-net-lib-fix-shift-count-out-of-range.patch 
+drm-xe-pm-restore-display-pm-if-there-is-error-after.patch +drm-xe-pm-correct-comment-of-xe_pm_set_vram_threshol.patch +can-m_can-m_can_handle_lost_msg-downgrade-msg-lost-i.patch +net-mlx5-reset-bw_share-field-when-changing-a-node-s.patch +net-mlx5e-fix-race-between-dim-disable-and-net_dim.patch +net-mlx5e-add-new-prio-for-promiscuous-mode.patch +net-ll_temac-fix-missing-tx_pending-check-in-ethtool.patch +bnxt_en-fix-dcb-ets-validation.patch +bnxt_en-flush-fw-trace-before-copying-to-the-coredum.patch +bnxt_en-set-dma-unmap-len-correctly-for-xdp_redirect.patch +ublk-sanity-check-add_dev-input-for-underflow.patch +atm-idt77252-add-missing-dma_map_error.patch +um-vector-reduce-stack-usage-in-vector_eth_configure.patch +asoc-sof-intel-hda-use-devm_kstrdup-to-avoid-memleak.patch +asoc-rt721-sdca-fix-boost-gain-calculation-error.patch +alsa-hda-realtek-add-mic-mute-led-setup-for-asus-um5.patch +alsa-hda-realtek-fix-mute-micmute-leds-for-hp-eliteb.patch +io_uring-make-fallocate-be-hashed-work.patch +asoc-amd-yc-add-quirk-for-acer-nitro-anv15-41-intern.patch +alsa-hda-realtek-enable-mute-led-on-hp-pavilion-lapt.patch +alsa-hda-realtek-add-quirks-for-some-clevo-laptops.patch +net-usb-qmi_wwan-add-simcom-8230c-composition.patch +driver-bluetooth-hci_qca-fix-unable-to-load-the-bt-d.patch +hid-lenovo-add-support-for-thinkpad-x1-tablet-thin-k.patch +net-mana-record-doorbell-physical-address-in-pf-mode.patch +btrfs-fix-assertion-when-building-free-space-tree.patch +vt-add-missing-notification-when-switching-back-to-t.patch +bpf-adjust-free-target-to-avoid-global-starvation-of.patch +riscv-vdso-exclude-.rodata-from-the-pt_dynamic-segme.patch +hid-add-ignore-quirk-for-smartlinktechnology.patch +hid-quirks-add-quirk-for-2-chicony-electronics-hp-5m.patch +hid-nintendo-avoid-bluetooth-suspend-resume-stalls.patch 
diff --git a/queue-6.15/ublk-sanity-check-add_dev-input-for-underflow.patch b/queue-6.15/ublk-sanity-check-add_dev-input-for-underflow.patch new file mode 100644 index 0000000000..9d196dde40 --- /dev/null +++ b/queue-6.15/ublk-sanity-check-add_dev-input-for-underflow.patch @@ -0,0 +1,38 @@ +From eba62cc26cac209bebf0b0c1a615cf1518834a24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 12:20:45 +1000 +Subject: ublk: sanity check add_dev input for underflow + +From: Ronnie Sahlberg + +[ Upstream commit 969127bf0783a4ac0c8a27e633a9e8ea1738583f ] + +Add additional checks that queue depth and number of queues are +non-zero. + +Signed-off-by: Ronnie Sahlberg +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20250626022046.235018-1-ronniesahlberg@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index 8a482853a75ed..0e017eae97fb1 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -2710,7 +2710,8 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header) + if (copy_from_user(&info, argp, sizeof(info))) + return -EFAULT; + +- if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) ++ if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || ++ info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) + return -EINVAL; + + if (capable(CAP_SYS_ADMIN)) +-- +2.39.5 + diff --git a/queue-6.15/um-vector-reduce-stack-usage-in-vector_eth_configure.patch b/queue-6.15/um-vector-reduce-stack-usage-in-vector_eth_configure.patch new file mode 100644 index 0000000000..4090c234a2 --- /dev/null +++ b/queue-6.15/um-vector-reduce-stack-usage-in-vector_eth_configure.patch 
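Review bot: The extended condition in `ublk_ctrl_add_dev()` rejects a zero `queue_depth` or `nr_hw_queues` without saying in the code why zero is dangerous; only the subject line mentions underflow. Since `info` is filled directly by `copy_from_user()`, a short comment above the check would help the next reader, e.g. `/* zero would underflow the size and index arithmetic that consumes these values */`. The consuming code is outside the hunk, so the wording should be checked against it.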
@@ -0,0 +1,93 @@ +From d537273056db1569759db42e4f3ea9428f872485 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jun 2025 19:08:29 +0800 +Subject: um: vector: Reduce stack usage in vector_eth_configure() + +From: Tiwei Bie + +[ Upstream commit 2d65fc13be85c336c56af7077f08ccd3a3a15a4a ] + +When compiling with clang (19.1.7), initializing *vp using a compound +literal may result in excessive stack usage. Fix it by initializing the +required fields of *vp individually. + +Without this patch: + +$ objdump -d arch/um/drivers/vector_kern.o | ./scripts/checkstack.pl x86_64 0 +... +0x0000000000000540 vector_eth_configure [vector_kern.o]:1472 +... + +With this patch: + +$ objdump -d arch/um/drivers/vector_kern.o | ./scripts/checkstack.pl x86_64 0 +... +0x0000000000000540 vector_eth_configure [vector_kern.o]:208 +... + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506221017.WtB7Usua-lkp@intel.com/ +Signed-off-by: Tiwei Bie +Link: https://patch.msgid.link/20250623110829.314864-1-tiwei.btw@antgroup.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/vector_kern.c | 42 +++++++++++------------------------ + 1 file changed, 13 insertions(+), 29 deletions(-) + +diff --git a/arch/um/drivers/vector_kern.c b/arch/um/drivers/vector_kern.c +index b97bb52dd5626..70f8d7e87fb81 100644 +--- a/arch/um/drivers/vector_kern.c ++++ b/arch/um/drivers/vector_kern.c +@@ -1592,35 +1592,19 @@ static void vector_eth_configure( + + device->dev = dev; + +- *vp = ((struct vector_private) +- { +- .list = LIST_HEAD_INIT(vp->list), +- .dev = dev, +- .unit = n, +- .options = get_transport_options(def), +- .rx_irq = 0, +- .tx_irq = 0, +- .parsed = def, +- .max_packet = get_mtu(def) + ETH_HEADER_OTHER, +- /* TODO - we need to calculate headroom so that ip header +- * is 16 byte aligned all the time +- */ +- .headroom = get_headroom(def), +- .form_header = NULL, +- .verify_header = NULL, +- .header_rxbuffer = NULL, +- 
.header_txbuffer = NULL, +- .header_size = 0, +- .rx_header_size = 0, +- .rexmit_scheduled = false, +- .opened = false, +- .transport_data = NULL, +- .in_write_poll = false, +- .coalesce = 2, +- .req_size = get_req_size(def), +- .in_error = false, +- .bpf = NULL +- }); ++ INIT_LIST_HEAD(&vp->list); ++ vp->dev = dev; ++ vp->unit = n; ++ vp->options = get_transport_options(def); ++ vp->parsed = def; ++ vp->max_packet = get_mtu(def) + ETH_HEADER_OTHER; ++ /* ++ * TODO - we need to calculate headroom so that ip header ++ * is 16 byte aligned all the time ++ */ ++ vp->headroom = get_headroom(def); ++ vp->coalesce = 2; ++ vp->req_size = get_req_size(def); + + dev->features = dev->hw_features = (NETIF_F_SG | NETIF_F_FRAGLIST); + INIT_WORK(&vp->reset_tx, vector_reset_tx); +-- +2.39.5 + diff --git a/queue-6.15/vt-add-missing-notification-when-switching-back-to-t.patch b/queue-6.15/vt-add-missing-notification-when-switching-back-to-t.patch new file mode 100644 index 0000000000..16faf18604 --- /dev/null +++ b/queue-6.15/vt-add-missing-notification-when-switching-back-to-t.patch 
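Review bot: With the compound literal gone, every field of `*vp` that `vector_eth_configure()` no longer assigns now depends on the memory already being zero. That covers `rx_irq`, `tx_irq`, `opened`, `in_error`, `bpf`, the header callbacks and buffers, and any member the literal never named. The allocation of `vp` is outside the hunk; if it is a zeroed allocation this is fine, but the assumption should be written down, e.g. `/* vp is zero-initialised at allocation; only non-zero fields are set here */` above `INIT_LIST_HEAD(&vp->list);`. If the structure can come from a non-zeroing allocator or be reused, the dropped assignments need to stay.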
@@ -0,0 +1,35 @@ +From a23b837d79501b6182b964260154ee4b94fb1cf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 21:41:44 -0400 +Subject: vt: add missing notification when switching back to text mode + +From: Nicolas Pitre + +[ Upstream commit ff78538e07fa284ce08cbbcb0730daa91ed16722 ] + +Programs using poll() on /dev/vcsa to be notified when VT changes occur +were missing one case: the switch from gfx to text mode. + +Signed-off-by: Nicolas Pitre +Link: https://lore.kernel.org/r/9o5ro928-0pp4-05rq-70p4-ro385n21n723@onlyvoer.pbz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index f5642b3038e4d..ed5bbf704a7d1 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -4566,6 +4566,7 @@ void do_unblank_screen(int leaving_gfx) + set_palette(vc); + set_cursor(vc); + vt_event_post(VT_EVENT_UNBLANK, vc->vc_num, vc->vc_num); ++ notify_update(vc); + } + EXPORT_SYMBOL(do_unblank_screen); + +-- +2.39.5 + diff --git a/queue-6.15/wifi-cfg80211-fix-s1g-beacon-head-validation-in-nl80.patch b/queue-6.15/wifi-cfg80211-fix-s1g-beacon-head-validation-in-nl80.patch new file mode 100644 index 0000000000..ee49e66d3a --- /dev/null +++ b/queue-6.15/wifi-cfg80211-fix-s1g-beacon-head-validation-in-nl80.patch 
@@ -0,0 +1,53 @@ +From 6ccb5721cbc903411e637596e5828dd3ed43d3ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 21:51:18 +1000 +Subject: wifi: cfg80211: fix S1G beacon head validation in nl80211 + +From: Lachlan Hodges + +[ Upstream commit 1fe44a86ff0ff483aa1f1332f2b08f431fa51ce8 ] + +S1G beacons contain fixed length optional fields that precede the +variable length elements, ensure we take this into account when +validating the beacon. This particular case was missed in +1e1f706fc2ce ("wifi: cfg80211/mac80211: correctly parse S1G +beacon optional elements"). + +Fixes: 1d47f1198d58 ("nl80211: correctly validate S1G beacon head") +Signed-off-by: Lachlan Hodges +Link: https://patch.msgid.link/20250626115118.68660-1-lachlan.hodges@morsemicro.com +[shorten/reword subject] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index f039a7d0d6f73..0c7e8389bc49e 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -229,6 +229,7 @@ static int validate_beacon_head(const struct nlattr *attr, + unsigned int len = nla_len(attr); + const struct element *elem; + const struct ieee80211_mgmt *mgmt = (void *)data; ++ const struct ieee80211_ext *ext; + unsigned int fixedlen, hdrlen; + bool s1g_bcn; + +@@ -237,8 +238,10 @@ static int validate_beacon_head(const struct nlattr *attr, + + s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control); + if (s1g_bcn) { +- fixedlen = offsetof(struct ieee80211_ext, +- u.s1g_beacon.variable); ++ ext = (struct ieee80211_ext *)mgmt; ++ fixedlen = ++ offsetof(struct ieee80211_ext, u.s1g_beacon.variable) + ++ ieee80211_s1g_optional_len(ext->frame_control); + hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon); + } else { + fixedlen = offsetof(struct ieee80211_mgmt, +-- +2.39.5 + 
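Review bot: In `validate_beacon_head()` the new `ext = (struct ieee80211_ext *)mgmt;` casts away `const` although both `mgmt` and `ext` are declared `const`; `ext = (const struct ieee80211_ext *)mgmt;` keeps the qualifier. `fixedlen` now also depends on `frame_control` bits taken from the netlink attribute, so the comparison of `len` against `fixedlen` is what bounds the optional fields. That comparison is outside the hunk and should be confirmed to run before any optional field is read. A brief comment on the computation, e.g. `/* optional fixed-length fields precede the elements */`, would record why the helper is added.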
diff --git a/queue-6.15/wifi-mac80211-add-the-virtual-monitor-after-reconfig.patch b/queue-6.15/wifi-mac80211-add-the-virtual-monitor-after-reconfig.patch new file mode 100644 index 0000000000..b0288fb22a --- /dev/null +++ b/queue-6.15/wifi-mac80211-add-the-virtual-monitor-after-reconfig.patch 
@@ -0,0 +1,69 @@ +From fcff899e4bb04846bc0a82dc0c268825b94b80be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 23:34:56 +0300 +Subject: wifi: mac80211: add the virtual monitor after reconfig complete + +From: Miri Korenblit + +[ Upstream commit c07981af55d3ba3ec3be880cfe4a0cc10f1f7138 ] + +In reconfig we add the virtual monitor in 2 cases: +1. If we are resuming (it was deleted on suspend) +2. If it was added after an error but before the reconfig + (due to the last non-monitor interface removal). + +In the second case, the removal of the non-monitor interface will succeed +but the addition of the virtual monitor will fail, so we add it in the +reconfig. + +The problem is that we mislead the driver to think that this is an existing +interface that is getting re-added - while it is actually a completely new +interface from the drivers' point of view. + +Some drivers act differently when a interface is re-added. For example, it +might not initialize things because they were already initialized. +Such drivers will - in this case - be left with a partialy initialized vif. + +To fix it, add the virtual monitor after reconfig_complete, so the +driver will know that this is a completely new interface. 
+ +Fixes: 3c3e21e7443b ("mac80211: destroy virtual monitor interface across suspend") +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250709233451.648d39b041e8.I2e37b68375278987e303d6c00cc5f3d8334d2f96@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/util.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 82256eddd16bd..0fc3527e6fdd1 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2155,11 +2155,6 @@ int ieee80211_reconfig(struct ieee80211_local *local) + cfg80211_sched_scan_stopped_locked(local->hw.wiphy, 0); + + wake_up: +- +- if (local->virt_monitors > 0 && +- local->virt_monitors == local->open_count) +- ieee80211_add_virtual_monitor(local); +- + /* + * Clear the WLAN_STA_BLOCK_BA flag so new aggregation + * sessions can be established after a resume. +@@ -2213,6 +2208,10 @@ int ieee80211_reconfig(struct ieee80211_local *local) + } + } + ++ if (local->virt_monitors > 0 && ++ local->virt_monitors == local->open_count) ++ ieee80211_add_virtual_monitor(local); ++ + if (!suspended) + return 0; + +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-correctly-identify-s1g-short-beacon.patch b/queue-6.15/wifi-mac80211-correctly-identify-s1g-short-beacon.patch new file mode 100644 index 0000000000..40ec46dc76 --- /dev/null +++ b/queue-6.15/wifi-mac80211-correctly-identify-s1g-short-beacon.patch 
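Review bot: The relocated block in `ieee80211_reconfig()` has no comment saying that its position is the fix, so a later cleanup could move it back under `wake_up:` without noticing. Something like `/* must run after reconfig is complete so the driver sees a new interface, not a re-add */` above the `if` would record the ordering constraint from the commit message. The call also still discards the result of `ieee80211_add_virtual_monitor(local)`. If that function returns an error code (its prototype is not in the hunk), a failure here leaves `virt_monitors > 0` with no monitor interface and nothing logged.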
@@ -0,0 +1,135 @@ +From 1c54f4038aa8b60659f1823cf3b45cd77bafda37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 17:55:41 +1000 +Subject: wifi: mac80211: correctly identify S1G short beacon + +From: Lachlan Hodges + +[ Upstream commit c5fd399a24c8e2865524361f7dc4d4a6899be4f4 ] + +mac80211 identifies a short beacon by the presence of the next +TBTT field, however the standard actually doesn't explicitly state that +the next TBTT can't be in a long beacon or even that it is required in +a short beacon - and as a result this validation does not work for all +vendor implementations. + +The standard explicitly states that an S1G long beacon shall contain +the S1G beacon compatibility element as the first element in a beacon +transmitted at a TBTT that is not a TSBTT (Target Short Beacon +Transmission Time) as per IEEE80211-2024 11.1.3.10.1. This is validated +by 9.3.4.3 Table 9-76 which states that the S1G beacon compatibility +element is only allowed in the full set and is not allowed in the +minimum set of elements permitted for use within short beacons. + +Correctly identify short beacons by the lack of an S1G beacon +compatibility element as the first element in an S1G beacon frame. 
+ +Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results") +Signed-off-by: Simon Wadsworth +Signed-off-by: Lachlan Hodges +Link: https://patch.msgid.link/20250701075541.162619-1-lachlan.hodges@morsemicro.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/linux/ieee80211.h | 45 ++++++++++++++++++++++++++++----------- + net/mac80211/mlme.c | 7 ++++-- + 2 files changed, 38 insertions(+), 14 deletions(-) + +diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h +index 7edc3fb0641cb..f16a073928e9f 100644 +--- a/include/linux/ieee80211.h ++++ b/include/linux/ieee80211.h +@@ -662,18 +662,6 @@ static inline bool ieee80211_s1g_has_cssid(__le16 fc) + (fc & cpu_to_le16(IEEE80211_S1G_BCN_CSSID)); + } + +-/** +- * ieee80211_is_s1g_short_beacon - check if frame is an S1G short beacon +- * @fc: frame control bytes in little-endian byteorder +- * Return: whether or not the frame is an S1G short beacon, +- * i.e. it is an S1G beacon with 'next TBTT' flag set +- */ +-static inline bool ieee80211_is_s1g_short_beacon(__le16 fc) +-{ +- return ieee80211_is_s1g_beacon(fc) && +- (fc & cpu_to_le16(IEEE80211_S1G_BCN_NEXT_TBTT)); +-} +- + /** + * ieee80211_is_atim - check if IEEE80211_FTYPE_MGMT && IEEE80211_STYPE_ATIM + * @fc: frame control bytes in little-endian byteorder +@@ -4897,6 +4885,39 @@ static inline bool ieee80211_is_ftm(struct sk_buff *skb) + return false; + } + ++/** ++ * ieee80211_is_s1g_short_beacon - check if frame is an S1G short beacon ++ * @fc: frame control bytes in little-endian byteorder ++ * @variable: pointer to the beacon frame elements ++ * @variable_len: length of the frame elements ++ * Return: whether or not the frame is an S1G short beacon. 
As per ++ * IEEE80211-2024 11.1.3.10.1, The S1G beacon compatibility element shall ++ * always be present as the first element in beacon frames generated at a ++ * TBTT (Target Beacon Transmission Time), so any frame not containing ++ * this element must have been generated at a TSBTT (Target Short Beacon ++ * Transmission Time) that is not a TBTT. Additionally, short beacons are ++ * prohibited from containing the S1G beacon compatibility element as per ++ * IEEE80211-2024 9.3.4.3 Table 9-76, so if we have an S1G beacon with ++ * either no elements or the first element is not the beacon compatibility ++ * element, we have a short beacon. ++ */ ++static inline bool ieee80211_is_s1g_short_beacon(__le16 fc, const u8 *variable, ++ size_t variable_len) ++{ ++ if (!ieee80211_is_s1g_beacon(fc)) ++ return false; ++ ++ /* ++ * If the frame does not contain at least 1 element (this is perfectly ++ * valid in a short beacon) and is an S1G beacon, we have a short ++ * beacon. ++ */ ++ if (variable_len < 2) ++ return true; ++ ++ return variable[0] != WLAN_EID_S1G_BCN_COMPAT; ++} ++ + struct element { + u8 id; + u8 datalen; +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 53d5ffad87be8..dc8df3129c007 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -7194,6 +7194,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link, + struct ieee80211_bss_conf *bss_conf = link->conf; + struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg; + struct ieee80211_mgmt *mgmt = (void *) hdr; ++ struct ieee80211_ext *ext = NULL; + size_t baselen; + struct ieee802_11_elems *elems; + struct ieee80211_local *local = sdata->local; +@@ -7219,7 +7220,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link, + /* Process beacon from the current BSS */ + bssid = ieee80211_get_bssid(hdr, len, sdata->vif.type); + if (ieee80211_is_s1g_beacon(mgmt->frame_control)) { +- struct ieee80211_ext *ext = (void *) mgmt; ++ ext = (void *)mgmt; + variable = 
ext->u.s1g_beacon.variable + + ieee80211_s1g_optional_len(ext->frame_control); + } +@@ -7406,7 +7407,9 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link, + } + + if ((ncrc == link->u.mgd.beacon_crc && link->u.mgd.beacon_crc_valid) || +- ieee80211_is_s1g_short_beacon(mgmt->frame_control)) ++ (ext && ieee80211_is_s1g_short_beacon(ext->frame_control, ++ parse_params.start, ++ parse_params.len))) + goto free; + link->u.mgd.beacon_crc = ncrc; + link->u.mgd.beacon_crc_valid = true; +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-fix-non-transmitted-bssid-profile-sear.patch b/queue-6.15/wifi-mac80211-fix-non-transmitted-bssid-profile-sear.patch new file mode 100644 index 0000000000..b41075ff93 --- /dev/null +++ b/queue-6.15/wifi-mac80211-fix-non-transmitted-bssid-profile-sear.patch 
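Review bot: In the new `ieee80211_is_s1g_short_beacon()` the bound `variable_len < 2` is a bare number; it is the size of an element header (`id` plus `datalen` in `struct element`, declared directly below), and a comment such as `/* need at least an element header: id + datalen */` would say so. The function then classifies on `variable[0]` alone without checking that the element's `datalen` fits in `variable_len`, so a truncated compatibility element still counts as a long beacon. Presumably the element parser rejects such a frame later, but that is outside the hunk. In `ieee80211_rx_mgmt_beacon()` the call relies on `parse_params.start` and `parse_params.len` describing the same buffer as `variable`, which is also set outside the hunk.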
@@ -0,0 +1,56 @@ +From a3096c5ac440172256430eba443c3ba4a61db541 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 15:45:01 +0200 +Subject: wifi: mac80211: fix non-transmitted BSSID profile search + +From: Johannes Berg + +[ Upstream commit e1e6ebf490e55fee1ae573aa443c1d4aea5e4a40 ] + +When the non-transmitted BSSID profile is found, immediately return +from the search to not return the wrong profile_len when the profile +is found in a multiple BSSID element that isn't the last one in the +frame. + +Fixes: 5023b14cf4df ("mac80211: support profile split between elements") +Reported-by: Michael-CY Lee +Link: https://patch.msgid.link/20250630154501.f26cd45a0ecd.I28e0525d06e8a99e555707301bca29265cf20dc8@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/parse.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/mac80211/parse.c b/net/mac80211/parse.c +index 6da39c864f45b..922ea9a6e2412 100644 +--- a/net/mac80211/parse.c ++++ b/net/mac80211/parse.c +@@ -758,7 +758,6 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, + { + const struct element *elem, *sub; + size_t profile_len = 0; +- bool found = false; + + if (!bss || !bss->transmitted_bss) + return profile_len; +@@ -809,15 +808,14 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, + index[2], + new_bssid); + if (ether_addr_equal(new_bssid, bss->bssid)) { +- found = true; + elems->bssid_index_len = index[1]; + elems->bssid_index = (void *)&index[2]; +- break; ++ return profile_len; + } + } + } + +- return found ? profile_len : 0; ++ return 0; + } + + static void +-- +2.39.5 + diff --git a/queue-6.15/wifi-mac80211-reject-vht-opmode-for-unsupported-chan.patch b/queue-6.15/wifi-mac80211-reject-vht-opmode-for-unsupported-chan.patch new file mode 100644 index 0000000000..4002247a44 --- /dev/null +++ b/queue-6.15/wifi-mac80211-reject-vht-opmode-for-unsupported-chan.patch 
@@ -0,0 +1,63 @@
+From 6963c15fcf9fb1883cb23fd50621098e479023e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 3 Jul 2025 12:37:57 -0700
+Subject: wifi: mac80211: reject VHT opmode for unsupported channel widths
+
+From: Moon Hee Lee
+
+[ Upstream commit 58fcb1b4287ce38850402bb2bb16d09bf77b91d9 ]
+
+VHT operating mode notifications are not defined for channel widths
+below 20 MHz. In particular, 5 MHz and 10 MHz are not valid under the
+VHT specification and must be rejected.
+
+Without this check, malformed notifications using these widths may
+reach ieee80211_chan_width_to_rx_bw(), leading to a WARN_ON due to
+invalid input. This issue was reported by syzbot.
+
+Reject these unsupported widths early in sta_link_apply_parameters()
+when opmode_notif is used. The accepted set includes 20, 40, 80, 160,
+and 80+80 MHz, which are valid for VHT. While 320 MHz is not defined
+for VHT, it is allowed to avoid rejecting HE or EHT clients that may
+still send a VHT opmode notification.
+
+Reported-by: syzbot+ededba317ddeca8b3f08@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ededba317ddeca8b3f08
+Fixes: 751e7489c1d7 ("wifi: mac80211: expose ieee80211_chan_width_to_rx_bw() to drivers")
+Tested-by: syzbot+ededba317ddeca8b3f08@syzkaller.appspotmail.com
+Signed-off-by: Moon Hee Lee
+Link: https://patch.msgid.link/20250703193756.46622-2-moonhee.lee.ca@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/cfg.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index acfde525fad2f..4a8d9c3ea480f 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1942,6 +1942,20 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
+ ieee80211_sta_init_nss(link_sta);
+
+ if (params->opmode_notif_used) {
++ enum nl80211_chan_width width = link->conf->chanreq.oper.width;
++
++ switch (width) {
++ case NL80211_CHAN_WIDTH_20:
++ case NL80211_CHAN_WIDTH_40:
++ case NL80211_CHAN_WIDTH_80:
++ case NL80211_CHAN_WIDTH_160:
++ case NL80211_CHAN_WIDTH_80P80:
++ case NL80211_CHAN_WIDTH_320: /* not VHT, allowed for HE/EHT */
++ break;
++ default:
++ return -EINVAL;
++ }
++
+ /* returned value is only needed for rc update, but the
+ * rc isn't initialized here yet, so ignore it
+ */
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-mt76-assume-__mt76_connac_mcu_alloc_sta_req-run.patch b/queue-6.15/wifi-mt76-assume-__mt76_connac_mcu_alloc_sta_req-run.patch
new file mode 100644
index 0000000000..cff81ec776
--- /dev/null
+++ b/queue-6.15/wifi-mt76-assume-__mt76_connac_mcu_alloc_sta_req-run.patch
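Review bot: The new width check in sta_link_apply_parameters() returns -EINVAL after `ieee80211_sta_init_nss(link_sta)` has already run, so a rejected request may leave earlier parameters applied to the link station; the function starts outside the hunk, so how much has been applied by then is not visible. The check reads only `link->conf->chanreq.oper.width` and `params->opmode_notif_used`, so it could sit before any state is changed. The `default:` arm also rejects NL80211_CHAN_WIDTH_20_NOHT, which the commit message does not list among the invalid widths; if that is intended, a comment such as `/* 5/10 MHz and non-HT 20 MHz: no VHT opmode */` on the default arm would record it.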
@@ -0,0 +1,39 @@
+From 728459b49998a82bde0290d43e4cc652ee0e5005 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Jun 2025 13:14:16 +0200
+Subject: wifi: mt76: Assume __mt76_connac_mcu_alloc_sta_req runs in atomic
+ context
+
+From: Lorenzo Bianconi
+
+[ Upstream commit a0c5eac9181025b6d65ff25c203a7f10274f80c1 ]
+
+Rely on GFP_ATOMIC flag in __mt76_connac_mcu_alloc_sta_req since it can
+run in atomic context. This is a preliminary patch to fix a 'sleep while
+atomic' issue in mt7996_mac_sta_rc_work().
+
+Fixes: 0762bdd30279 ("wifi: mt76: mt7996: rework mt7996_mac_sta_rc_work to support MLO")
+Signed-off-by: Lorenzo Bianconi
+Link: https://patch.msgid.link/20250605-mt7996-sleep-while-atomic-v1-1-d46d15f9203c@kernel.org
+Signed-off-by: Felix Fietkau
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+index 963970b8d1310..407df42f0f9b6 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -288,7 +288,7 @@ __mt76_connac_mcu_alloc_sta_req(struct mt76_dev *dev, struct mt76_vif_link *mvif
+
+ mt76_connac_mcu_get_wlan_idx(dev, wcid, &hdr.wlan_idx_lo,
+ &hdr.wlan_idx_hi);
+- skb = mt76_mcu_msg_alloc(dev, NULL, len);
++ skb = __mt76_mcu_msg_alloc(dev, NULL, len, len, GFP_ATOMIC);
+ if (!skb)
+ return ERR_PTR(-ENOMEM);
+
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-mt76-move-rcu-section-in-mt7996_mcu_add_rate_ct.patch b/queue-6.15/wifi-mt76-move-rcu-section-in-mt7996_mcu_add_rate_ct.patch
new file mode 100644
index 0000000000..3f76f4dc70
--- /dev/null
+++ b/queue-6.15/wifi-mt76-move-rcu-section-in-mt7996_mcu_add_rate_ct.patch
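Review bot: The switch to `__mt76_mcu_msg_alloc(dev, NULL, len, len, GFP_ATOMIC)` has no comment explaining why this allocation must not sleep, and it applies to every caller of __mt76_connac_mcu_alloc_sta_req(), including any that run in process context. Atomic allocations fail more readily under memory pressure, so callers need to treat the `ERR_PTR(-ENOMEM)` return as a normal outcome rather than a rare one. I would add above the call `/* callers may hold rcu_read_lock(), so this allocation must not sleep */`. The function body starts and ends outside the hunk.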
@@ -0,0 +1,188 @@
+From 1075f94ec405c16d2358b4a5a3c78f7cd1fc2658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Jun 2025 13:14:18 +0200
+Subject: wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl_fixed()
+
+From: Lorenzo Bianconi
+
+[ Upstream commit 28d519d0d493a8cf3f8ca01f10d962c56cec1825 ]
+
+Since mt7996_mcu_set_fixed_field() can't be executed in a RCU critical
+section, move RCU section in mt7996_mcu_add_rate_ctrl_fixed() and run
+mt7996_mcu_set_fixed_field() in non-atomic context. This is a
+preliminary patch to fix a 'sleep while atomic' issue in
+mt7996_mac_sta_rc_work().
+
+Fixes: 0762bdd30279 ("wifi: mt76: mt7996: rework mt7996_mac_sta_rc_work to support MLO")
+Signed-off-by: Lorenzo Bianconi
+Link: https://patch.msgid.link/20250605-mt7996-sleep-while-atomic-v1-3-d46d15f9203c@kernel.org
+Signed-off-by: Felix Fietkau
+Signed-off-by: Sasha Levin
+---
+ .../net/wireless/mediatek/mt76/mt7996/mcu.c | 86 ++++++++++++-------
+ 1 file changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index d67ed58d7126d..6c2b258ce4ff6 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -1955,51 +1955,74 @@ int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev, struct mt7996_sta *msta,
+ }
+
+ static int
+-mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev,
+- struct ieee80211_link_sta *link_sta,
+- struct mt7996_vif_link *link,
+- struct mt7996_sta_link *msta_link,
+- u8 link_id)
++mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev, struct mt7996_sta *msta,
++ struct ieee80211_vif *vif, u8 link_id)
+ {
+- struct cfg80211_chan_def *chandef = &link->phy->mt76->chandef;
+- struct cfg80211_bitrate_mask *mask = &link->bitrate_mask;
+- enum nl80211_band band = chandef->chan->band;
+- struct mt7996_sta *msta = msta_link->sta;
++ struct ieee80211_link_sta *link_sta;
++ struct cfg80211_bitrate_mask mask;
++ struct mt7996_sta_link *msta_link;
++ struct mt7996_vif_link *link;
+ struct sta_phy_uni phy = {};
+- int ret, nrates = 0;
++ struct ieee80211_sta *sta;
++ int ret, nrates = 0, idx;
++ enum nl80211_band band;
++ bool has_he;
+
+ #define __sta_phy_bitrate_mask_check(_mcs, _gi, _ht, _he) \
+ do { \
+- u8 i, gi = mask->control[band]._gi; \
++ u8 i, gi = mask.control[band]._gi; \
+ gi = (_he) ? gi : gi == NL80211_TXRATE_FORCE_SGI; \
+ phy.sgi = gi; \
+- phy.he_ltf = mask->control[band].he_ltf; \
+- for (i = 0; i < ARRAY_SIZE(mask->control[band]._mcs); i++) { \
+- if (!mask->control[band]._mcs[i]) \
++ phy.he_ltf = mask.control[band].he_ltf; \
++ for (i = 0; i < ARRAY_SIZE(mask.control[band]._mcs); i++) { \
++ if (!mask.control[band]._mcs[i]) \
+ continue; \
+- nrates += hweight16(mask->control[band]._mcs[i]); \
+- phy.mcs = ffs(mask->control[band]._mcs[i]) - 1; \
++ nrates += hweight16(mask.control[band]._mcs[i]); \
++ phy.mcs = ffs(mask.control[band]._mcs[i]) - 1; \
+ if (_ht) \
+ phy.mcs += 8 * i; \
+ } \
+ } while (0)
+
+- if (link_sta->he_cap.has_he) {
++ rcu_read_lock();
++
++ link = mt7996_vif_link(dev, vif, link_id);
++ if (!link)
++ goto error_unlock;
++
++ msta_link = rcu_dereference(msta->link[link_id]);
++ if (!msta_link)
++ goto error_unlock;
++
++ sta = wcid_to_sta(&msta_link->wcid);
++ link_sta = rcu_dereference(sta->link[link_id]);
++ if (!link_sta)
++ goto error_unlock;
++
++ band = link->phy->mt76->chandef.chan->band;
++ has_he = link_sta->he_cap.has_he;
++ mask = link->bitrate_mask;
++ idx = msta_link->wcid.idx;
++
++ if (has_he) {
+ __sta_phy_bitrate_mask_check(he_mcs, he_gi, 0, 1);
+ } else if (link_sta->vht_cap.vht_supported) {
+ __sta_phy_bitrate_mask_check(vht_mcs, gi, 0, 0);
+ } else if (link_sta->ht_cap.ht_supported) {
+ __sta_phy_bitrate_mask_check(ht_mcs, gi, 1, 0);
+ } else {
+- nrates = hweight32(mask->control[band].legacy);
+- phy.mcs = ffs(mask->control[band].legacy) - 1;
++ nrates = hweight32(mask.control[band].legacy);
++ phy.mcs = ffs(mask.control[band].legacy) - 1;
+ }
++
++ rcu_read_unlock();
++
+ #undef __sta_phy_bitrate_mask_check
+
+ /* fall back to auto rate control */
+- if (mask->control[band].gi == NL80211_TXRATE_DEFAULT_GI &&
+- mask->control[band].he_gi == GENMASK(7, 0) &&
+- mask->control[band].he_ltf == GENMASK(7, 0) &&
++ if (mask.control[band].gi == NL80211_TXRATE_DEFAULT_GI &&
++ mask.control[band].he_gi == GENMASK(7, 0) &&
++ mask.control[band].he_ltf == GENMASK(7, 0) &&
+ nrates != 1)
+ return 0;
+
+@@ -2012,16 +2035,16 @@ mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev,
+ }
+
+ /* fixed GI */
+- if (mask->control[band].gi != NL80211_TXRATE_DEFAULT_GI ||
+- mask->control[band].he_gi != GENMASK(7, 0)) {
++ if (mask.control[band].gi != NL80211_TXRATE_DEFAULT_GI ||
++ mask.control[band].he_gi != GENMASK(7, 0)) {
+ u32 addr;
+
+ /* firmware updates only TXCMD but doesn't take WTBL into
+ * account, so driver should update here to reflect the
+ * actual txrate hardware sends out.
+ */
+- addr = mt7996_mac_wtbl_lmac_addr(dev, msta_link->wcid.idx, 7);
+- if (link_sta->he_cap.has_he)
++ addr = mt7996_mac_wtbl_lmac_addr(dev, idx, 7);
++ if (has_he)
+ mt76_rmw_field(dev, addr, GENMASK(31, 24), phy.sgi);
+ else
+ mt76_rmw_field(dev, addr, GENMASK(15, 12), phy.sgi);
+@@ -2033,7 +2056,7 @@ mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev,
+ }
+
+ /* fixed HE_LTF */
+- if (mask->control[band].he_ltf != GENMASK(7, 0)) {
++ if (mask.control[band].he_ltf != GENMASK(7, 0)) {
+ ret = mt7996_mcu_set_fixed_field(dev, msta, &phy, link_id,
+ RATE_PARAM_FIXED_HE_LTF);
+ if (ret)
+@@ -2041,6 +2064,11 @@ mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev,
+ }
+
+ return 0;
++
++error_unlock:
++ rcu_read_unlock();
++
++ return -ENODEV;
+ }
+
+ static void
+@@ -2159,6 +2187,7 @@ int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev,
+ struct mt7996_sta_link *msta_link,
+ u8 link_id, bool changed)
+ {
++ struct mt7996_sta *msta = msta_link->sta;
+ struct sk_buff *skb;
+ int ret;
+
+@@ -2185,8 +2214,7 @@ int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev,
+ if (ret)
+ return ret;
+
+- return mt7996_mcu_add_rate_ctrl_fixed(dev, link_sta, link, msta_link,
+- link_id);
++ return mt7996_mcu_add_rate_ctrl_fixed(dev, msta, vif, link_id);
+ }
+
+ static int
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-mt76-move-rcu-section-in-mt7996_mcu_add_rate_ct.patch-12874 b/queue-6.15/wifi-mt76-move-rcu-section-in-mt7996_mcu_add_rate_ct.patch-12874
new file mode 100644
index 0000000000..c256d449de
--- /dev/null
+++ b/queue-6.15/wifi-mt76-move-rcu-section-in-mt7996_mcu_add_rate_ct.patch-12874
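Review bot: In the new RCU section of mt7996_mcu_add_rate_ctrl_fixed(), the result of `wcid_to_sta(&msta_link->wcid)` is dereferenced as `sta->link[link_id]` without a NULL check, while `link`, `msta_link` and `link_sta` are all checked. wcid_to_sta() is not shown here; if it can return NULL for a wcid with no station attached, this is a NULL dereference, and `if (!sta) goto error_unlock;` before the rcu_dereference() would close it. The same unchecked pattern appears in mt7996_mcu_add_rate_ctrl() and in the RATE_PARAM_MMPS_UPDATE case of mt7996_mcu_set_fixed_field() in the two patches that follow (the latter would also have to free the skb on that path). `link_id` also indexes `msta->link[]` and `sta->link[]` with no range check in this function, so it relies on callers passing a valid id.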
@@ -0,0 +1,174 @@
+From 47079f7396624c4e081037d8b6a7a250a6efcf88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Jun 2025 13:14:19 +0200
+Subject: wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl()
+
+From: Lorenzo Bianconi
+
+[ Upstream commit 3dd6f67c669c860b93ff533f790f23ee1cb36f25 ]
+
+Since mt76_mcu_skb_send_msg() routine can't be executed in atomic context,
+move RCU section in mt7996_mcu_add_rate_ctrl() and execute
+mt76_mcu_skb_send_msg() in non-atomic context. This is a preliminary
+patch to fix a 'sleep while atomic' issue in mt7996_mac_sta_rc_work().
+
+Fixes: 0762bdd30279 ("wifi: mt76: mt7996: rework mt7996_mac_sta_rc_work to support MLO")
+Signed-off-by: Lorenzo Bianconi
+Link: https://patch.msgid.link/20250605-mt7996-sleep-while-atomic-v1-4-d46d15f9203c@kernel.org
+Signed-off-by: Felix Fietkau
+Signed-off-by: Sasha Levin
+---
+ .../net/wireless/mediatek/mt76/mt7996/mac.c | 6 +--
+ .../net/wireless/mediatek/mt76/mt7996/main.c | 6 +--
+ .../net/wireless/mediatek/mt76/mt7996/mcu.c | 50 +++++++++++++++----
+ .../wireless/mediatek/mt76/mt7996/mt7996.h | 10 ++--
+ 4 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+index 5cf2d6669ee68..20a201e336759 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+@@ -2321,7 +2321,6 @@ void mt7996_mac_sta_rc_work(struct work_struct *work)
+ struct ieee80211_bss_conf *link_conf;
+ struct ieee80211_link_sta *link_sta;
+ struct mt7996_sta_link *msta_link;
+- struct mt7996_vif_link *link;
+ struct mt76_vif_link *mlink;
+ struct ieee80211_sta *sta;
+ struct ieee80211_vif *vif;
+@@ -2363,13 +2362,10 @@ void mt7996_mac_sta_rc_work(struct work_struct *work)
+
+ spin_unlock_bh(&dev->mt76.sta_poll_lock);
+
+- link = (struct mt7996_vif_link *)mlink;
+-
+ if (changed & (IEEE80211_RC_SUPP_RATES_CHANGED |
+ IEEE80211_RC_NSS_CHANGED |
+ IEEE80211_RC_BW_CHANGED))
+- mt7996_mcu_add_rate_ctrl(dev, vif, link_conf,
+- link_sta, link, msta_link,
++ mt7996_mcu_add_rate_ctrl(dev, msta_link->sta, vif,
+ link_id, true);
+
+ if (changed & IEEE80211_RC_SMPS_CHANGED)
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+index bb2eef6b934b5..5584bea9e2a3f 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+@@ -1112,10 +1112,8 @@ mt7996_mac_sta_event(struct mt7996_dev *dev, struct ieee80211_vif *vif,
+ if (err)
+ return err;
+
+- err = mt7996_mcu_add_rate_ctrl(dev, vif, link_conf,
+- link_sta, link,
+- msta_link, link_id,
+- false);
++ err = mt7996_mcu_add_rate_ctrl(dev, msta_link->sta, vif,
++ link_id, false);
+ if (err)
+ return err;
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index 6c2b258ce4ff6..63dc6df20c3e4 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -2179,23 +2179,44 @@ mt7996_mcu_sta_rate_ctrl_tlv(struct sk_buff *skb, struct mt7996_dev *dev,
+ memset(ra->rx_rcpi, INIT_RCPI, sizeof(ra->rx_rcpi));
+ }
+
+-int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev,
+- struct ieee80211_vif *vif,
+- struct ieee80211_bss_conf *link_conf,
+- struct ieee80211_link_sta *link_sta,
+- struct mt7996_vif_link *link,
+- struct mt7996_sta_link *msta_link,
+- u8 link_id, bool changed)
++int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev, struct mt7996_sta *msta,
++ struct ieee80211_vif *vif, u8 link_id,
++ bool changed)
+ {
+- struct mt7996_sta *msta = msta_link->sta;
++ struct ieee80211_bss_conf *link_conf;
++ struct ieee80211_link_sta *link_sta;
++ struct mt7996_sta_link *msta_link;
++ struct mt7996_vif_link *link;
++ struct ieee80211_sta *sta;
+ struct sk_buff *skb;
+- int ret;
++ int ret = -ENODEV;
++
++ rcu_read_lock();
++
++ link = mt7996_vif_link(dev, vif, link_id);
++ if (!link)
++ goto error_unlock;
++
++ msta_link = rcu_dereference(msta->link[link_id]);
++ if (!msta_link)
++ goto error_unlock;
++
++ sta = wcid_to_sta(&msta_link->wcid);
++ link_sta = rcu_dereference(sta->link[link_id]);
++ if (!link_sta)
++ goto error_unlock;
++
++ link_conf = rcu_dereference(vif->link_conf[link_id]);
++ if (!link_conf)
++ goto error_unlock;
+
+ skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &link->mt76,
+ &msta_link->wcid,
+ MT7996_STA_UPDATE_MAX_SIZE);
+- if (IS_ERR(skb))
+- return PTR_ERR(skb);
++ if (IS_ERR(skb)) {
++ ret = PTR_ERR(skb);
++ goto error_unlock;
++ }
+
+ /* firmware rc algorithm refers to sta_rec_he for HE control.
+ * once dev->rc_work changes the settings driver should also
+@@ -2209,12 +2230,19 @@ int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev,
+ */
+ mt7996_mcu_sta_rate_ctrl_tlv(skb, dev, vif, link_conf, link_sta, link);
+
++ rcu_read_unlock();
++
+ ret = mt76_mcu_skb_send_msg(&dev->mt76, skb,
+ MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
+ if (ret)
+ return ret;
+
+ return mt7996_mcu_add_rate_ctrl_fixed(dev, msta, vif, link_id);
++
++error_unlock:
++ rcu_read_unlock();
++
++ return ret;
+ }
+
+ static int
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+index 16a4a465b9b27..8220a7310f285 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+@@ -604,13 +604,9 @@ int mt7996_mcu_beacon_inband_discov(struct mt7996_dev *dev,
+ int mt7996_mcu_add_obss_spr(struct mt7996_phy *phy,
+ struct mt7996_vif_link *link,
+ struct ieee80211_he_obss_pd *he_obss_pd);
+-int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev,
+- struct ieee80211_vif *vif,
+- struct ieee80211_bss_conf *link_conf,
+- struct ieee80211_link_sta *link_sta,
+- struct mt7996_vif_link *link,
+- struct mt7996_sta_link *msta_link,
+- u8 link_id, bool changed);
++int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev, struct mt7996_sta *msta,
++ struct ieee80211_vif *vif, u8 link_id,
++ bool changed);
+ int mt7996_set_channel(struct mt76_phy *mphy);
+ int mt7996_mcu_set_chan_info(struct mt7996_phy *phy, u16 tag);
+ int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif,
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-mt76-move-rcu-section-in-mt7996_mcu_set_fixed_f.patch b/queue-6.15/wifi-mt76-move-rcu-section-in-mt7996_mcu_set_fixed_f.patch
new file mode 100644
index 0000000000..5f645362e7
--- /dev/null
+++ b/queue-6.15/wifi-mt76-move-rcu-section-in-mt7996_mcu_set_fixed_f.patch
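Review bot: mt7996_mcu_add_rate_ctrl() now takes rcu_read_lock() itself and calls mt76_mcu_skb_send_msg() only after dropping it, but neither the definition nor the mt7996.h prototype states the new calling contract. A short comment on the function would help: callers must be in a context that may sleep, need not hold the RCU read lock, and get -ENODEV when the link, station link or link_conf for `link_id` has gone away. The mt7996_mac_sta_rc_work() call site in this patch discards the return value, so that -ENODEV is silently dropped there; a one-line comment at the call saying this is intended would settle it.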
@@ -0,0 +1,235 @@
+From 0c264fd5135c12245cc42ec180cb27267b2ce58c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Jun 2025 13:14:17 +0200
+Subject: wifi: mt76: Move RCU section in mt7996_mcu_set_fixed_field()
+
+From: Lorenzo Bianconi
+
+[ Upstream commit c772cd726eea6fe8fb81d2aeeacb18cecff73a7b ]
+
+Since mt76_mcu_skb_send_msg() routine can't be executed in atomic context,
+move RCU section in mt7996_mcu_set_fixed_field() and execute
+mt76_mcu_skb_send_msg() in non-atomic context. This is a preliminary
+patch to fix a 'sleep while atomic' issue in mt7996_mac_sta_rc_work().
+
+Fixes: 0762bdd30279 ("wifi: mt76: mt7996: rework mt7996_mac_sta_rc_work to support MLO")
+Signed-off-by: Lorenzo Bianconi
+Link: https://patch.msgid.link/20250605-mt7996-sleep-while-atomic-v1-2-d46d15f9203c@kernel.org
+Signed-off-by: Felix Fietkau
+Signed-off-by: Sasha Levin
+---
+ .../net/wireless/mediatek/mt76/mt7996/mac.c | 5 +-
+ .../net/wireless/mediatek/mt76/mt7996/main.c | 3 +-
+ .../net/wireless/mediatek/mt76/mt7996/mcu.c | 68 +++++++++++++------
+ .../wireless/mediatek/mt76/mt7996/mt7996.h | 10 ++-
+ 4 files changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+index 2108361543a0c..5cf2d6669ee68 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+@@ -2370,11 +2370,10 @@ void mt7996_mac_sta_rc_work(struct work_struct *work)
+ IEEE80211_RC_BW_CHANGED))
+ mt7996_mcu_add_rate_ctrl(dev, vif, link_conf,
+ link_sta, link, msta_link,
+- true);
++ link_id, true);
+
+ if (changed & IEEE80211_RC_SMPS_CHANGED)
+- mt7996_mcu_set_fixed_field(dev, link_sta, link,
+- msta_link, NULL,
++ mt7996_mcu_set_fixed_field(dev, msta, NULL, link_id,
+ RATE_PARAM_MMPS_UPDATE);
+
+ spin_lock_bh(&dev->mt76.sta_poll_lock);
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+index b11dd3dd5c46f..bb2eef6b934b5 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+@@ -1114,7 +1114,8 @@ mt7996_mac_sta_event(struct mt7996_dev *dev, struct ieee80211_vif *vif,
+
+ err = mt7996_mcu_add_rate_ctrl(dev, vif, link_conf,
+ link_sta, link,
+- msta_link, false);
++ msta_link, link_id,
++ false);
+ if (err)
+ return err;
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index ddd555942c738..d67ed58d7126d 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -1883,22 +1883,35 @@ int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev,
+ MCU_WM_UNI_CMD(RA), true);
+ }
+
+-int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev,
+- struct ieee80211_link_sta *link_sta,
+- struct mt7996_vif_link *link,
+- struct mt7996_sta_link *msta_link,
+- void *data, u32 field)
++int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev, struct mt7996_sta *msta,
++ void *data, u8 link_id, u32 field)
+ {
+- struct sta_phy_uni *phy = data;
++ struct mt7996_vif *mvif = msta->vif;
++ struct mt7996_sta_link *msta_link;
+ struct sta_rec_ra_fixed_uni *ra;
++ struct sta_phy_uni *phy = data;
++ struct mt76_vif_link *mlink;
+ struct sk_buff *skb;
++ int err = -ENODEV;
+ struct tlv *tlv;
+
+- skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &link->mt76,
++ rcu_read_lock();
++
++ mlink = rcu_dereference(mvif->mt76.link[link_id]);
++ if (!mlink)
++ goto error_unlock;
++
++ msta_link = rcu_dereference(msta->link[link_id]);
++ if (!msta_link)
++ goto error_unlock;
++
++ skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, mlink,
+ &msta_link->wcid,
+ MT7996_STA_UPDATE_MAX_SIZE);
+- if (IS_ERR(skb))
+- return PTR_ERR(skb);
++ if (IS_ERR(skb)) {
++ err = PTR_ERR(skb);
++ goto error_unlock;
++ }
+
+ tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_RA_UPDATE, sizeof(*ra));
+ ra = (struct sta_rec_ra_fixed_uni *)tlv;
+@@ -1913,27 +1926,45 @@ int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev,
+ if (phy)
+ ra->phy = *phy;
+ break;
+- case RATE_PARAM_MMPS_UPDATE:
++ case RATE_PARAM_MMPS_UPDATE: {
++ struct ieee80211_sta *sta = wcid_to_sta(&msta_link->wcid);
++ struct ieee80211_link_sta *link_sta;
++
++ link_sta = rcu_dereference(sta->link[link_id]);
++ if (!link_sta) {
++ dev_kfree_skb(skb);
++ goto error_unlock;
++ }
++
+ ra->mmps_mode = mt7996_mcu_get_mmps_mode(link_sta->smps_mode);
+ break;
++ }
+ default:
+ break;
+ }
+ ra->field = cpu_to_le32(field);
+
++ rcu_read_unlock();
++
+ return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+ MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true);
++error_unlock:
++ rcu_read_unlock();
++
++ return err;
+ }
+
+ static int
+ mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev,
+ struct ieee80211_link_sta *link_sta,
+ struct mt7996_vif_link *link,
+- struct mt7996_sta_link *msta_link)
++ struct mt7996_sta_link *msta_link,
++ u8 link_id)
+ {
+ struct cfg80211_chan_def *chandef = &link->phy->mt76->chandef;
+ struct cfg80211_bitrate_mask *mask = &link->bitrate_mask;
+ enum nl80211_band band = chandef->chan->band;
++ struct mt7996_sta *msta = msta_link->sta;
+ struct sta_phy_uni phy = {};
+ int ret, nrates = 0;
+
+@@ -1974,8 +2005,7 @@ mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev,
+
+ /* fixed single rate */
+ if (nrates == 1) {
+- ret = mt7996_mcu_set_fixed_field(dev, link_sta, link,
+- msta_link, &phy,
++ ret = mt7996_mcu_set_fixed_field(dev, msta, &phy, link_id,
+ RATE_PARAM_FIXED_MCS);
+ if (ret)
+ return ret;
+@@ -1996,8 +2026,7 @@ mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev,
+ else
+ mt76_rmw_field(dev, addr, GENMASK(15, 12), phy.sgi);
+
+- ret = mt7996_mcu_set_fixed_field(dev, link_sta, link,
+- msta_link, &phy,
++ ret = mt7996_mcu_set_fixed_field(dev, msta, &phy, link_id,
+ RATE_PARAM_FIXED_GI);
+ if (ret)
+ return ret;
+@@ -2005,8 +2034,7 @@ mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev,
+
+ /* fixed HE_LTF */
+ if (mask->control[band].he_ltf != GENMASK(7, 0)) {
+- ret = mt7996_mcu_set_fixed_field(dev, link_sta, link,
+- msta_link, &phy,
++ ret = mt7996_mcu_set_fixed_field(dev, msta, &phy, link_id,
+ RATE_PARAM_FIXED_HE_LTF);
+ if (ret)
+ return ret;
+@@ -2128,7 +2156,8 @@ int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev,
+ struct ieee80211_bss_conf *link_conf,
+ struct ieee80211_link_sta *link_sta,
+ struct mt7996_vif_link *link,
+- struct mt7996_sta_link *msta_link, bool changed)
++ struct mt7996_sta_link *msta_link,
++ u8 link_id, bool changed)
+ {
+ struct sk_buff *skb;
+ int ret;
+@@ -2156,7 +2185,8 @@ int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev,
+ if (ret)
+ return ret;
+
+- return mt7996_mcu_add_rate_ctrl_fixed(dev, link_sta, link, msta_link);
++ return mt7996_mcu_add_rate_ctrl_fixed(dev, link_sta, link, msta_link,
++ link_id);
+ }
+
+ static int
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+index 77605403b3966..16a4a465b9b27 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+@@ -609,18 +609,16 @@ int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev,
+ struct ieee80211_bss_conf *link_conf,
+ struct ieee80211_link_sta *link_sta,
+ struct mt7996_vif_link *link,
+- struct mt7996_sta_link *msta_link, bool changed);
++ struct mt7996_sta_link *msta_link,
++ u8 link_id, bool changed);
+ int mt7996_set_channel(struct mt76_phy *mphy);
+ int mt7996_mcu_set_chan_info(struct mt7996_phy *phy, u16 tag);
+ int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif,
+ struct ieee80211_bss_conf *link_conf);
+ int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev,
+ void *data, u16 version);
+-int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev,
+- struct ieee80211_link_sta *link_sta,
+- struct mt7996_vif_link *link,
+- struct mt7996_sta_link *msta_link,
+- void *data, u32 field);
++int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev, struct mt7996_sta *msta,
++ void *data, u8 link_id, u32 field);
+ int mt7996_mcu_set_eeprom(struct mt7996_dev *dev);
+ int mt7996_mcu_get_eeprom(struct mt7996_dev *dev, u32 offset, u8 *buf, u32 buf_len);
+ int mt7996_mcu_get_eeprom_free_block(struct mt7996_dev *dev, u8 *block_num);
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-mt76-mt7925-fix-null-ptr-deref-in-mt7925_therma.patch b/queue-6.15/wifi-mt76-mt7925-fix-null-ptr-deref-in-mt7925_therma.patch
new file mode 100644
index 0000000000..5432c6fcde
--- /dev/null
+++ b/queue-6.15/wifi-mt76-mt7925-fix-null-ptr-deref-in-mt7925_therma.patch
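Review bot: In mt7996_mcu_set_fixed_field() the only cleanup of the allocated skb on an error path is the inline `dev_kfree_skb(skb);` inside the RATE_PARAM_MMPS_UPDATE case, right before `goto error_unlock;`. That is correct as written, but any early exit added later between the allocation and `rcu_read_unlock()` has to remember to free the skb by hand. A dedicated label, `error_free: dev_kfree_skb(skb);` falling through to `error_unlock:`, would keep the unwind in one place. The function body is split across two inner hunks, so the lines between them are not visible.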
@@ -0,0 +1,41 @@
+From c2bdb09bcf259bc2c5d7b03df73fe1328f5b9c2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Jun 2025 20:49:01 +0800
+Subject: wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()
+
+From: Henry Martin
+
+[ Upstream commit 03ee8f73801a8f46d83dfc2bf73fb9ffa5a21602 ]
+
+devm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init()
+does not check for this case, which results in a NULL pointer
+dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 396e41a74a88 ("wifi: mt76: mt7925: support temperature sensor")
+Signed-off-by: Henry Martin
+Reviewed-by: AngeloGioacchino Del Regno
+Link: https://patch.msgid.link/20250625124901.1839832-1-bsdhenryma@tencent.com
+Signed-off-by: Felix Fietkau
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/init.c b/drivers/net/wireless/mediatek/mt76/mt7925/init.c
+index 2a83ff59a968c..4249bad83c930 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/init.c
+@@ -52,6 +52,8 @@ static int mt7925_thermal_init(struct mt792x_phy *phy)
+
+ name = devm_kasprintf(&wiphy->dev, GFP_KERNEL, "mt7925_%s",
+ wiphy_name(wiphy));
++ if (!name)
++ return -ENOMEM;
+
+ hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev, name, phy,
+ mt7925_hwmon_groups);
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-mt76-remove-rcu-section-in-mt7996_mac_sta_rc_wo.patch b/queue-6.15/wifi-mt76-remove-rcu-section-in-mt7996_mac_sta_rc_wo.patch
new file mode 100644
index 0000000000..018a942eff
--- /dev/null
+++ b/queue-6.15/wifi-mt76-remove-rcu-section-in-mt7996_mac_sta_rc_wo.patch
@@ -0,0 +1,101 @@
+From 78ecb1ad1e56f2fdc5b4d945887c0a7086b47ad3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Jun 2025 13:14:20 +0200
+Subject: wifi: mt76: Remove RCU section in mt7996_mac_sta_rc_work()
+
+From: Lorenzo Bianconi
+
+[ Upstream commit 71532576f41e5b0ec967a82ed49d5dfb1027ccdb ]
+
+Since mt7996_mcu_add_rate_ctrl() and mt7996_mcu_set_fixed_field() can't
+run in atomic context, move RCU critical section in
+mt7996_mcu_add_rate_ctrl() and mt7996_mcu_set_fixed_field(). This patch
+fixes a 'sleep while atomic' issue in mt7996_mac_sta_rc_work().
+
+Fixes: 0762bdd30279 ("wifi: mt76: mt7996: rework mt7996_mac_sta_rc_work to support MLO")
+Signed-off-by: Lorenzo Bianconi
+Tested-by: Ben Greear
+Link: https://patch.msgid.link/20250605-mt7996-sleep-while-atomic-v1-5-d46d15f9203c@kernel.org
+Signed-off-by: Felix Fietkau
+Signed-off-by: Sasha Levin
+---
+ .../net/wireless/mediatek/mt76/mt7996/mac.c | 35 ++++-------------------
+ 1 file changed, 7 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+index 20a201e336759..3646806088e9a 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+@@ -2318,19 +2318,12 @@ void mt7996_mac_update_stats(struct mt7996_phy *phy)
+ void mt7996_mac_sta_rc_work(struct work_struct *work)
+ {
+ struct mt7996_dev *dev = container_of(work, struct mt7996_dev, rc_work);
+- struct ieee80211_bss_conf *link_conf;
+- struct ieee80211_link_sta *link_sta;
+ struct mt7996_sta_link *msta_link;
+- struct mt76_vif_link *mlink;
+- struct ieee80211_sta *sta;
+ struct ieee80211_vif *vif;
+- struct mt7996_sta *msta;
+ struct mt7996_vif *mvif;
+ LIST_HEAD(list);
+ u32 changed;
+- u8 link_id;
+
+- rcu_read_lock();
+ spin_lock_bh(&dev->mt76.sta_poll_lock);
+ list_splice_init(&dev->sta_rc_list, &list);
+
+@@ -2341,24 +2334,9 @@ void mt7996_mac_sta_rc_work(struct work_struct *work)
+
+ changed = msta_link->changed;
+ msta_link->changed = 0;
+-
+- sta = wcid_to_sta(&msta_link->wcid);
+- link_id = msta_link->wcid.link_id;
+- msta = msta_link->sta;
+- mvif = msta->vif;
+- vif = container_of((void *)mvif, struct ieee80211_vif, drv_priv);
+-
+- mlink = rcu_dereference(mvif->mt76.link[link_id]);
+- if (!mlink)
+- continue;
+-
+- link_sta = rcu_dereference(sta->link[link_id]);
+- if (!link_sta)
+- continue;
+-
+- link_conf = rcu_dereference(vif->link_conf[link_id]);
+- if (!link_conf)
+- continue;
++ mvif = msta_link->sta->vif;
++ vif = container_of((void *)mvif, struct ieee80211_vif,
++ drv_priv);
+
+ spin_unlock_bh(&dev->mt76.sta_poll_lock);
+
+@@ -2366,17 +2344,18 @@ void mt7996_mac_sta_rc_work(struct work_struct *work)
+ IEEE80211_RC_NSS_CHANGED |
+ IEEE80211_RC_BW_CHANGED))
+ mt7996_mcu_add_rate_ctrl(dev, msta_link->sta, vif,
+- link_id, true);
++ msta_link->wcid.link_id,
++ true);
+
+ if (changed & IEEE80211_RC_SMPS_CHANGED)
+- mt7996_mcu_set_fixed_field(dev, msta, NULL, link_id,
++ mt7996_mcu_set_fixed_field(dev, msta_link->sta, NULL,
++ msta_link->wcid.link_id,
+ RATE_PARAM_MMPS_UPDATE);
+
+ spin_lock_bh(&dev->mt76.sta_poll_lock);
+ }
+
+ spin_unlock_bh(&dev->mt76.sta_poll_lock);
+- rcu_read_unlock();
+ }
+
+ void mt7996_mac_work(struct work_struct *work)
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-rt2x00-fix-remove-callback-type-mismatch.patch b/queue-6.15/wifi-rt2x00-fix-remove-callback-type-mismatch.patch
new file mode 100644
index 0000000000..84d66c6575
--- /dev/null
+++ b/queue-6.15/wifi-rt2x00-fix-remove-callback-type-mismatch.patch
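Review bot: After `spin_unlock_bh(&dev->mt76.sta_poll_lock)` the loop in mt7996_mac_sta_rc_work() now reads `msta_link->sta` and `msta_link->wcid.link_id` with neither the poll lock nor an RCU read section held, where the removed code copied both into locals before unlocking. If a station link can be torn down while this work runs (the teardown path is not visible here), those reads may touch memory that has already been freed. Keeping the two copies under the lock, `msta = msta_link->sta;` and `link_id = msta_link->wcid.link_id;`, and passing the locals to both calls would remove that window on msta_link; the lifetime of `msta` itself across the MCU calls still has to be guaranteed elsewhere. Part of the loop body lies between the inner hunks and is not shown.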
@@ -0,0 +1,60 @@
+From b935ddfa29b5c5b17e50ef415f4d92bb984e0a7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 6 Jul 2025 11:20:53 +0200
+Subject: wifi: rt2x00: fix remove callback type mismatch
+
+From: Felix Fietkau
+
+[ Upstream commit 2ce6ad9262256dd345cb104ba0ac6cf4aeed25a3 ]
+
+The function is used as remove callback for a platform driver.
+It was missed during the conversion from int to void
+
+Fixes: 0edb555a65d1 ("platform: Make platform_driver::remove() return void")
+Signed-off-by: Felix Fietkau
+Link: https://patch.msgid.link/20250706092053.97724-1-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ralink/rt2x00/rt2x00soc.c | 4 +---
+ drivers/net/wireless/ralink/rt2x00/rt2x00soc.h | 2 +-
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00soc.c b/drivers/net/wireless/ralink/rt2x00/rt2x00soc.c
+index eface610178d2..f7f3a2340c392 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00soc.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00soc.c
+@@ -108,7 +108,7 @@ int rt2x00soc_probe(struct platform_device *pdev, const struct rt2x00_ops *ops)
+ }
+ EXPORT_SYMBOL_GPL(rt2x00soc_probe);
+
+-int rt2x00soc_remove(struct platform_device *pdev)
++void rt2x00soc_remove(struct platform_device *pdev)
+ {
+ struct ieee80211_hw *hw = platform_get_drvdata(pdev);
+ struct rt2x00_dev *rt2x00dev = hw->priv;
+@@ -119,8 +119,6 @@ int rt2x00soc_remove(struct platform_device *pdev)
+ rt2x00lib_remove_dev(rt2x00dev);
+ rt2x00soc_free_reg(rt2x00dev);
+ ieee80211_free_hw(hw);
+-
+- return 0;
+ }
+ EXPORT_SYMBOL_GPL(rt2x00soc_remove);
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00soc.h b/drivers/net/wireless/ralink/rt2x00/rt2x00soc.h
+index 021fd06b36272..d6226b8a10e00 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00soc.h
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00soc.h
+@@ -17,7 +17,7 @@
+ * SoC driver handlers.
+ */
+ int rt2x00soc_probe(struct platform_device *pdev, const struct rt2x00_ops *ops);
+-int rt2x00soc_remove(struct platform_device *pdev);
++void rt2x00soc_remove(struct platform_device *pdev);
+ #ifdef CONFIG_PM
+ int rt2x00soc_suspend(struct platform_device *pdev, pm_message_t state);
+ int rt2x00soc_resume(struct platform_device *pdev);
+--
+2.39.5
+
diff --git a/queue-6.15/wifi-zd1211rw-fix-potential-null-pointer-dereference.patch b/queue-6.15/wifi-zd1211rw-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 0000000000..5302029420
--- /dev/null
+++ b/queue-6.15/wifi-zd1211rw-fix-potential-null-pointer-dereference.patch
@@ -0,0 +1,68 @@ +From 2f2dc33b657e2f84ed6a8acc403b3e0f957d0863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 14:46:19 +0300 +Subject: wifi: zd1211rw: Fix potential NULL pointer dereference in + zd_mac_tx_to_dev() + +From: Daniil Dulov + +[ Upstream commit 74b1ec9f5d627d2bdd5e5b6f3f81c23317657023 ] + +There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For +example, the following is possible: + + T0 T1 +zd_mac_tx_to_dev() + /* len == skb_queue_len(q) */ + while (len > ZD_MAC_MAX_ACK_WAITERS) { + + filter_ack() + spin_lock_irqsave(&q->lock, flags); + /* position == skb_queue_len(q) */ + for (i=1; itype == NL80211_IFTYPE_AP) + skb = __skb_dequeue(q); + spin_unlock_irqrestore(&q->lock, flags); + + skb_dequeue() -> NULL + +Since there is a small gap between checking skb queue length and skb being +unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. +Then the pointer is passed to zd_mac_tx_status() where it is dereferenced. + +In order to avoid potential NULL pointer dereference due to situations like +above, check if skb is not NULL before passing it to zd_mac_tx_status(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. 
+
+Fixes: 459c51ad6e1f ("zd1211rw: port to mac80211")
+Signed-off-by: Daniil Dulov
+Link: https://patch.msgid.link/20250626114619.172631-1-d.dulov@aladdin.ru
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/zydas/zd1211rw/zd_mac.c b/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
+index 9653dbaac3c05..781510a3ec6d5 100644
+--- a/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
++++ b/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
+@@ -583,7 +583,11 @@ void zd_mac_tx_to_dev(struct sk_buff *skb, int error)
+
+ skb_queue_tail(q, skb);
+ while (skb_queue_len(q) > ZD_MAC_MAX_ACK_WAITERS) {
+- zd_mac_tx_status(hw, skb_dequeue(q),
++ skb = skb_dequeue(q);
++ if (!skb)
++ break;
++
++ zd_mac_tx_status(hw, skb,
+ mac->ack_pending ? mac->ack_signal : 0,
+ NULL);
+ mac->ack_pending = 0;
+--
+2.39.5
+
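Review bot: The new `if (!skb) break;` in zd_mac_tx_to_dev() carries no comment explaining why skb_dequeue() can return NULL immediately after `skb_queue_len(q) > ZD_MAC_MAX_ACK_WAITERS` held, and without one the check reads as dead code. I would add `/* filter_ack() can drain q between the length check and the dequeue */` above it, since the commit message says the length check and the dequeue are not done atomically. The same loop reads `mac->ack_pending` and `mac->ack_signal` and then clears `ack_pending`; whether a lock outside this hunk serialises that against filter_ack() is not visible here and is worth confirming. The body of zd_mac_tx_to_dev() starts and ends outside the hunk.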