From be1de0271a169ab4304adf95f292b69e306b0ce8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 28 Jul 2025 15:59:48 +0200
Subject: [PATCH] 6.12-stable patches
added patches:
alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch
alsa-hda-realtek-add-mute-led-support-for-hp-victus-15-fa0xxx.patch
arm-9450-1-fix-allowing-linker-dce-with-binutils-2.36.patch
arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch
bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch
dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
drm-amdgpu-reset-the-clear-flag-in-buddy-during-resume.patch
drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch
e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch
e1000e-ignore-uninitialized-checksum-word-on-tgp.patch
gve-fix-stuck-tx-queue-for-dq-queue-format.patch
i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
i2c-tegra-fix-reset-error-handling-with-acpi.patch
i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch
ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch
kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch
mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch
mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list.patch
mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch
nilfs2-reject-invalid-file-types-when-reading-inodes.patch
platform-x86-ideapad-laptop-fix-fnlock-not-remembered-among-boots.patch
platform-x86-ideapad-laptop-fix-kbd-backlight-not-remembered-among-boots.patch
resource-fix-false-warning-in-__request_region.patch
selftests-mptcp-connect-also-cover-alt-modes.patch
selftests-mptcp-connect-also-cover-checksum.patch
sprintf.h-requires-stdarg.h.patch
timekeeping-zero-initialize-system_counterval-when-querying-time-from-phc-drivers.patch
---
...ed-support-for-hp-pavilion-15-eg0xxx.patch | 34 ++++
...-led-support-for-hp-victus-15-fa0xxx.patch | 34 ++++
...lowing-linker-dce-with-binutils-2.36.patch | 46 +++++
...f-in-cpu_switch_to-call_on_irq_stack.patch | 125 ++++++++++++++
...ice-reference-in-fsl_mc_get_endpoint.patch | 71 ++++++++
...-count-leak-in-mac-endpoint-handling.patch | 68 ++++++++
...-count-leak-in-mac-endpoint-handling.patch | 68 ++++++++
...he-clear-flag-in-buddy-during-resume.patch | 157 ++++++++++++++++++
...ses-hang-when-killing-dependent-jobs.patch | 81 +++++++++
...p-when-valid-checksum-bit-is-not-set.patch | 42 +++++
...e-uninitialized-checksum-word-on-tgp.patch | 62 +++++++
...x-stuck-tx-queue-for-dq-queue-format.patch | 125 ++++++++++++++
...p-out-of-the-loop-in-case-of-timeout.patch | 42 +++++
...a-fix-reset-error-handling-with-acpi.patch | 80 +++++++++
...-using-interruptible-completion-wait.patch | 51 ++++++
...dereference-in-ice_copy_and_init_pkg.patch | 36 ++++
...c_dump_obj-for-vmalloc-error-reports.patch | 73 ++++++++
...d-from-clang-21-in-advisor_mode_show.patch | 57 +++++++
...-folio-handling-in-shrink_folio_list.patch | 84 ++++++++++
...__gfp_movable-if-config_compaction-n.patch | 55 ++++++
...valid-file-types-when-reading-inodes.patch | 48 ++++++
...ix-fnlock-not-remembered-among-boots.patch | 46 +++++
...backlight-not-remembered-among-boots.patch | 45 +++++
...ix-false-warning-in-__request_region.patch | 51 ++++++
...s-mptcp-connect-also-cover-alt-modes.patch | 64 +++++++
...ts-mptcp-connect-also-cover-checksum.patch | 48 ++++++
queue-6.12/series | 28 ++++
queue-6.12/sprintf.h-requires-stdarg.h.patch | 41 +++++
...-when-querying-time-from-phc-drivers.patch | 45 +++++
29 files changed, 1807 insertions(+)
create mode 100644 queue-6.12/alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch
create mode 100644 queue-6.12/alsa-hda-realtek-add-mute-led-support-for-hp-victus-15-fa0xxx.patch
create mode 100644 queue-6.12/arm-9450-1-fix-allowing-linker-dce-with-binutils-2.36.patch
create mode 100644 queue-6.12/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch
create mode 100644 queue-6.12/bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch
create mode 100644 queue-6.12/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
create mode 100644 queue-6.12/dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
create mode 100644 queue-6.12/drm-amdgpu-reset-the-clear-flag-in-buddy-during-resume.patch
create mode 100644 queue-6.12/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch
create mode 100644 queue-6.12/e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch
create mode 100644 queue-6.12/e1000e-ignore-uninitialized-checksum-word-on-tgp.patch
create mode 100644 queue-6.12/gve-fix-stuck-tx-queue-for-dq-queue-format.patch
create mode 100644 queue-6.12/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
create mode 100644 queue-6.12/i2c-tegra-fix-reset-error-handling-with-acpi.patch
create mode 100644 queue-6.12/i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch
create mode 100644 queue-6.12/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch
create mode 100644 queue-6.12/kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch
create mode 100644 queue-6.12/mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch
create mode 100644 queue-6.12/mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list.patch
create mode 100644 queue-6.12/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch
create mode 100644 queue-6.12/nilfs2-reject-invalid-file-types-when-reading-inodes.patch
create mode 100644 queue-6.12/platform-x86-ideapad-laptop-fix-fnlock-not-remembered-among-boots.patch
create mode 100644 queue-6.12/platform-x86-ideapad-laptop-fix-kbd-backlight-not-remembered-among-boots.patch
create mode 100644 queue-6.12/resource-fix-false-warning-in-__request_region.patch
create mode 100644 queue-6.12/selftests-mptcp-connect-also-cover-alt-modes.patch
create mode 100644 queue-6.12/selftests-mptcp-connect-also-cover-checksum.patch
create mode 100644 queue-6.12/sprintf.h-requires-stdarg.h.patch
create mode 100644 queue-6.12/timekeeping-zero-initialize-system_counterval-when-querying-time-from-phc-drivers.patch
diff --git a/queue-6.12/alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch b/queue-6.12/alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch
new file mode 100644
index 0000000000..95418f11be
--- /dev/null
+++ b/queue-6.12/alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch
@@ -0,0 +1,34 @@
+From 9744ede7099e8a69c04aa23fbea44c15bc390c04 Mon Sep 17 00:00:00 2001
+From: Dawid Rezler
+Date: Sun, 20 Jul 2025 17:49:08 +0200
+Subject: ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx
+
+From: Dawid Rezler
+
+commit 9744ede7099e8a69c04aa23fbea44c15bc390c04 upstream.
+
+The mute LED on the HP Pavilion Laptop 15-eg0xxx,
+which uses the ALC287 codec, didn't work.
+This patch fixes the issue by enabling the ALC287_FIXUP_HP_GPIO_LED quirk.
+
+Tested on a physical device, the LED now works as intended.
+
+Signed-off-by: Dawid Rezler
+Cc:
+Link: https://patch.msgid.link/20250720154907.80815-2-dawidrezler.patches@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10608,6 +10608,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
diff --git a/queue-6.12/alsa-hda-realtek-add-mute-led-support-for-hp-victus-15-fa0xxx.patch b/queue-6.12/alsa-hda-realtek-add-mute-led-support-for-hp-victus-15-fa0xxx.patch
new file mode 100644
index 0000000000..8db28bcc30
--- /dev/null
+++ b/queue-6.12/alsa-hda-realtek-add-mute-led-support-for-hp-victus-15-fa0xxx.patch
@@ -0,0 +1,34 @@
+From 21c8ed9047b7f44c1c49b889d4ba2f555d9ee17e Mon Sep 17 00:00:00 2001
+From: Edip Hazuri
+Date: Fri, 18 Jul 2025 00:26:26 +0300
+Subject: ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa0xxx
+
+From: Edip Hazuri
+
+commit 21c8ed9047b7f44c1c49b889d4ba2f555d9ee17e upstream.
+
+The mute led on this laptop is using ALC245 but requires a quirk to work
+This patch enables the existing quirk for the device.
+
+Tested on my Victus 15-fa0xxx Laptop. The LED behaviour works
+as intended.
+
+Cc:
+Signed-off-by: Edip Hazuri
+Link: https://patch.msgid.link/20250717212625.366026-2-edip@medip.dev
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10687,6 +10687,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x103c, 0x8a2e, "HP Envy 16", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8a30, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8a31, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x103c, 0x8a4f, "HP Victus 15-fa0xxx (MB 8A4F)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8a6e, "HP EDNA 360", ALC287_FIXUP_CS35L41_I2C_4),
+ SND_PCI_QUIRK(0x103c, 0x8a74, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8a78, "HP Dev One", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST),
diff --git a/queue-6.12/arm-9450-1-fix-allowing-linker-dce-with-binutils-2.36.patch b/queue-6.12/arm-9450-1-fix-allowing-linker-dce-with-binutils-2.36.patch
new file mode 100644
index 0000000000..cf39adece8
--- /dev/null
+++ b/queue-6.12/arm-9450-1-fix-allowing-linker-dce-with-binutils-2.36.patch
@@ -0,0 +1,46 @@
+From 53e7e1fb81cc8ba2da1cb31f8917ef397caafe91 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Mon, 14 Jul 2025 20:56:47 +0100
+Subject: ARM: 9450/1: Fix allowing linker DCE with binutils < 2.36
+
+From: Nathan Chancellor
+
+commit 53e7e1fb81cc8ba2da1cb31f8917ef397caafe91 upstream.
+
+Commit e7607f7d6d81 ("ARM: 9443/1: Require linker to support KEEP within
+OVERLAY for DCE") accidentally broke the binutils version restriction
+that was added in commit 0d437918fb64 ("ARM: 9414/1: Fix build issue
+with LD_DEAD_CODE_DATA_ELIMINATION"), reintroducing the segmentation
+fault addressed by that workaround.
+
+Restore the binutils version dependency by using
+CONFIG_LD_CAN_USE_KEEP_IN_OVERLAY as an additional condition to ensure
+that CONFIG_HAVE_LD_DEAD_CODE_DATA_ELIMINATION is only enabled with
+binutils >= 2.36 and ld.lld >= 21.0.0.
+
+Closes: https://lore.kernel.org/6739da7d-e555-407a-b5cb-e5681da71056@landley.net/
+Closes: https://lore.kernel.org/CAFERDQ0zPoya5ZQfpbeuKVZEo_fKsonLf6tJbp32QnSGAtbi+Q@mail.gmail.com/
+
+Cc: stable@vger.kernel.org
+Fixes: e7607f7d6d81 ("ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE")
+Reported-by: Rob Landley
+Tested-by: Rob Landley
+Reported-by: Martin Wetterwald
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -118,7 +118,7 @@ config ARM
+ select HAVE_KERNEL_XZ
+ select HAVE_KPROBES if !XIP_KERNEL && !CPU_ENDIAN_BE32 && !CPU_V7M
+ select HAVE_KRETPROBES if HAVE_KPROBES
+- select HAVE_LD_DEAD_CODE_DATA_ELIMINATION if (LD_VERSION >= 23600 || LD_CAN_USE_KEEP_IN_OVERLAY)
++ select HAVE_LD_DEAD_CODE_DATA_ELIMINATION if (LD_VERSION >= 23600 || LD_IS_LLD) && LD_CAN_USE_KEEP_IN_OVERLAY
+ select HAVE_MOD_ARCH_SPECIFIC
+ select HAVE_NMI
+ select HAVE_OPTPROBES if !THUMB2_KERNEL
diff --git a/queue-6.12/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch b/queue-6.12/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch
new file mode 100644
index 0000000000..72eaa808d5
--- /dev/null
+++ b/queue-6.12/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch
@@ -0,0 +1,125 @@
+From d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb Mon Sep 17 00:00:00 2001
+From: Ada Couprie Diaz
+Date: Fri, 18 Jul 2025 15:28:14 +0100
+Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
+
+From: Ada Couprie Diaz
+
+commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb upstream.
+
+`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change
+to different stacks along with the Shadow Call Stack if it is enabled.
+Those two stack changes cannot be done atomically and both functions
+can be interrupted by SErrors or Debug Exceptions which, though unlikely,
+is very much broken : if interrupted, we can end up with mismatched stacks
+and Shadow Call Stack leading to clobbered stacks.
+
+In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,
+but x18 stills points to the old task's SCS. When the interrupt handler
+tries to save the task's SCS pointer, it will save the old task
+SCS pointer (x18) into the new task struct (pointed to by SP_EL0),
+clobbering it.
+
+In `call_on_irq_stack()`, it can happen when switching from the task stack
+to the IRQ stack and when switching back. In both cases, we can be
+interrupted when the SCS pointer points to the IRQ SCS, but SP points to
+the task stack. The nested interrupt handler pushes its return addresses
+on the IRQ SCS. It then detects that SP points to the task stack,
+calls `call_on_irq_stack()` and clobbers the task SCS pointer with
+the IRQ SCS pointer, which it will also use !
+
+This leads to tasks returning to addresses on the wrong SCS,
+or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK
+or FPAC if enabled.
+
+This is possible on a default config, but unlikely.
+However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and
+instead the GIC is responsible for filtering what interrupts the CPU
+should receive based on priority.
+Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU
+even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*
+frequently depending on the system configuration and workload, leading
+to unpredictable kernel panics.
+
+Completely mask DAIF in `cpu_switch_to()` and restore it when returning.
+Do the same in `call_on_irq_stack()`, but restore and mask around
+the branch.
+Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency
+of behaviour between all configurations.
+
+Introduce and use an assembly macro for saving and masking DAIF,
+as the existing one saves but only masks IF.
+
+Cc:
+Signed-off-by: Ada Couprie Diaz
+Reported-by: Cristian Prundeanu
+Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt")
+Tested-by: Cristian Prundeanu
+Acked-by: Will Deacon
+Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/assembler.h | 5 +++++
+ arch/arm64/kernel/entry.S | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/arch/arm64/include/asm/assembler.h
++++ b/arch/arm64/include/asm/assembler.h
+@@ -41,6 +41,11 @@
+ /*
+ * Save/restore interrupts.
+ */
++ .macro save_and_disable_daif, flags
++ mrs \flags, daif
++ msr daifset, #0xf
++ .endm
++
+ .macro save_and_disable_irq, flags
+ mrs \flags, daif
+ msr daifset, #3
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -823,6 +823,7 @@ SYM_CODE_END(__bp_harden_el1_vectors)
+ *
+ */
+ SYM_FUNC_START(cpu_switch_to)
++ save_and_disable_daif x11
+ mov x10, #THREAD_CPU_CONTEXT
+ add x8, x0, x10
+ mov x9, sp
+@@ -846,6 +847,7 @@ SYM_FUNC_START(cpu_switch_to)
+ ptrauth_keys_install_kernel x1, x8, x9, x10
+ scs_save x0
+ scs_load_current
++ restore_irq x11
+ ret
+ SYM_FUNC_END(cpu_switch_to)
+ NOKPROBE(cpu_switch_to)
+@@ -872,6 +874,7 @@ NOKPROBE(ret_from_fork)
+ * Calls func(regs) using this CPU's irq stack and shadow irq stack.
+ */
+ SYM_FUNC_START(call_on_irq_stack)
++ save_and_disable_daif x9
+ #ifdef CONFIG_SHADOW_CALL_STACK
+ get_current_task x16
+ scs_save x16
+@@ -886,8 +889,10 @@ SYM_FUNC_START(call_on_irq_stack)
+
+ /* Move to the new stack and call the function there */
+ add sp, x16, #IRQ_STACK_SIZE
++ restore_irq x9
+ blr x1
+
++ save_and_disable_daif x9
+ /*
+ * Restore the SP from the FP, and restore the FP and LR from the frame
+ * record.
+@@ -895,6 +900,7 @@ SYM_FUNC_START(call_on_irq_stack)
+ mov sp, x29
+ ldp x29, x30, [sp], #16
+ scs_load_current
++ restore_irq x9
+ ret
+ SYM_FUNC_END(call_on_irq_stack)
+ NOKPROBE(call_on_irq_stack)
diff --git a/queue-6.12/bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch b/queue-6.12/bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch
new file mode 100644
index 0000000000..823f564e80
--- /dev/null
+++ b/queue-6.12/bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch
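Review bot: In the arch/arm64/kernel/entry.S hunks of the arm64/entry patch, the new `save_and_disable_daif` is paired with `restore_irq`, whose name suggests only the I and F bits, so a reader cannot tell from these hunks that the full saved DAIF value is written back; `restore_irq` is defined outside the patch and is worth checking in arch/arm64/include/asm/assembler.h of the 6.12 tree. A short comment at each site would record why the mask exists, for example `/* DAIF masked: SP and the SCS pointer are switched non-atomically */` above `save_and_disable_daif x11` in cpu_switch_to(). In call_on_irq_stack() the flags are read again after `blr x1` instead of being reused, presumably because x9 is not preserved across the call; a comment saying so would keep a later cleanup from dropping the second save.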
@@ -0,0 +1,71 @@
+From bddbe13d36a02d5097b99cf02354d5752ad1ac60 Mon Sep 17 00:00:00 2001
+From: Ma Ke
+Date: Thu, 17 Jul 2025 10:23:07 +0800
+Subject: bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint()
+
+From: Ma Ke
+
+commit bddbe13d36a02d5097b99cf02354d5752ad1ac60 upstream.
+
+The fsl_mc_get_endpoint() function may call fsl_mc_device_lookup()
+twice, which would increment the device's reference count twice if
+both lookups find a device. This could lead to a reference count leak.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 1ac210d128ef ("bus: fsl-mc: add the fsl_mc_get_endpoint function")
+Signed-off-by: Ma Ke
+Tested-by: Ioana Ciornei
+Reviewed-by: Simon Horman
+Fixes: 8567494cebe5 ("bus: fsl-mc: rescan devices if endpoint not found")
+Link: https://patch.msgid.link/20250717022309.3339976-1-make24@iscas.ac.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -942,6 +942,7 @@ struct fsl_mc_device *fsl_mc_get_endpoin
+ struct fsl_mc_obj_desc endpoint_desc = {{ 0 }};
+ struct dprc_endpoint endpoint1 = {{ 0 }};
+ struct dprc_endpoint endpoint2 = {{ 0 }};
++ struct fsl_mc_bus *mc_bus;
+ int state, err;
+
+ mc_bus_dev = to_fsl_mc_device(mc_dev->dev.parent);
+@@ -965,6 +966,8 @@ struct fsl_mc_device *fsl_mc_get_endpoin
+ strcpy(endpoint_desc.type, endpoint2.type);
+ endpoint_desc.id = endpoint2.id;
+ endpoint = fsl_mc_device_lookup(&endpoint_desc, mc_bus_dev);
++ if (endpoint)
++ return endpoint;
+
+ /*
+ * We know that the device has an endpoint because we verified by
+@@ -972,17 +975,13 @@ struct fsl_mc_device *fsl_mc_get_endpoin
+ * yet discovered by the fsl-mc bus, thus the lookup returned NULL.
+ * Force a rescan of the devices in this container and retry the lookup.
+ */
+- if (!endpoint) {
+- struct fsl_mc_bus *mc_bus = to_fsl_mc_bus(mc_bus_dev);
+-
+- if (mutex_trylock(&mc_bus->scan_mutex)) {
+- err = dprc_scan_objects(mc_bus_dev, true);
+- mutex_unlock(&mc_bus->scan_mutex);
+- }
+-
+- if (err < 0)
+- return ERR_PTR(err);
++ mc_bus = to_fsl_mc_bus(mc_bus_dev);
++ if (mutex_trylock(&mc_bus->scan_mutex)) {
++ err = dprc_scan_objects(mc_bus_dev, true);
++ mutex_unlock(&mc_bus->scan_mutex);
+ }
++ if (err < 0)
++ return ERR_PTR(err);
+
+ endpoint = fsl_mc_device_lookup(&endpoint_desc, mc_bus_dev);
+ /*
diff --git a/queue-6.12/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch b/queue-6.12/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
new file mode 100644
index 0000000000..e6ff5df2ad
--- /dev/null
+++ b/queue-6.12/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
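Review bot: In fsl_mc_get_endpoint() (bus: fsl-mc patch), when `mutex_trylock(&mc_bus->scan_mutex)` fails the rescan is skipped, yet `if (err < 0)` still tests whatever `err` held from code above the hunk, and the second `fsl_mc_device_lookup()` then runs against a container that was not rescanned. The pattern predates this patch, but now that the block is unconditional the check reads more clearly next to the assignment, inside the trylock branch: `err = dprc_scan_objects(mc_bus_dev, true); mutex_unlock(&mc_bus->scan_mutex); if (err < 0) return ERR_PTR(err);`. The function body starts and ends outside these hunks, so the earlier assignments to `err` cannot be confirmed from here.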
@@ -0,0 +1,68 @@
+From ee9f3a81ab08dfe0538dbd1746f81fd4d5147fdc Mon Sep 17 00:00:00 2001
+From: Ma Ke
+Date: Thu, 17 Jul 2025 10:23:08 +0800
+Subject: dpaa2-eth: Fix device reference count leak in MAC endpoint handling
+
+From: Ma Ke
+
+commit ee9f3a81ab08dfe0538dbd1746f81fd4d5147fdc upstream.
+
+The fsl_mc_get_endpoint() function uses device_find_child() for
+localization, which implicitly calls get_device() to increment the
+device's reference count before returning the pointer. However, the
+caller dpaa2_eth_connect_mac() fails to properly release this
+reference in multiple scenarios. We should call put_device() to
+decrement reference count properly.
+
+As comment of device_find_child() says, 'NOTE: you will need to drop
+the reference with put_device() after use'.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 719479230893 ("dpaa2-eth: add MAC/PHY support through phylink")
+Signed-off-by: Ma Ke
+Tested-by: Ioana Ciornei
+Reviewed-by: Ioana Ciornei
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20250717022309.3339976-2-make24@iscas.ac.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -4655,12 +4655,19 @@ static int dpaa2_eth_connect_mac(struct
+ return PTR_ERR(dpmac_dev);
+ }
+
+- if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type)
++ if (IS_ERR(dpmac_dev))
+ return 0;
+
++ if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) {
++ err = 0;
++ goto out_put_device;
++ }
++
+ mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL);
+- if (!mac)
+- return -ENOMEM;
++ if (!mac) {
++ err = -ENOMEM;
++ goto out_put_device;
++ }
+
+ mac->mc_dev = dpmac_dev;
+ mac->mc_io = priv->mc_io;
+@@ -4694,6 +4701,8 @@ err_close_mac:
+ dpaa2_mac_close(mac);
+ err_free_mac:
+ kfree(mac);
++out_put_device:
++ put_device(&dpmac_dev->dev);
+ return err;
+ }
+
diff --git a/queue-6.12/dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch b/queue-6.12/dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
new file mode 100644
index 0000000000..7bef55c2a6
--- /dev/null
+++ b/queue-6.12/dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
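Review bot: The new `out_put_device` label in dpaa2_eth_connect_mac() releases the endpoint reference only on the type-mismatch and failure paths; on success the pointer is stored in `mac->mc_dev` and the reference stays held. The success return and the matching disconnect path are outside this hunk, so it is worth confirming that teardown drops the reference with `put_device(&mac->mc_dev->dev)` or an equivalent, otherwise each successful connect still pins the device after disconnect. The same question applies to dpaa2_switch_port_connect_mac() in the dpaa2-switch patch that follows. A one-line comment at `mac->mc_dev = dpmac_dev;` such as `/* mac now owns the reference taken by fsl_mc_get_endpoint() */` would document the intended ownership.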
@@ -0,0 +1,68 @@
+From 96e056ffba912ef18a72177f71956a5b347b5177 Mon Sep 17 00:00:00 2001
+From: Ma Ke
+Date: Thu, 17 Jul 2025 10:23:09 +0800
+Subject: dpaa2-switch: Fix device reference count leak in MAC endpoint handling
+
+From: Ma Ke
+
+commit 96e056ffba912ef18a72177f71956a5b347b5177 upstream.
+
+The fsl_mc_get_endpoint() function uses device_find_child() for
+localization, which implicitly calls get_device() to increment the
+device's reference count before returning the pointer. However, the
+caller dpaa2_switch_port_connect_mac() fails to properly release this
+reference in multiple scenarios. We should call put_device() to
+decrement reference count properly.
+
+As comment of device_find_child() says, 'NOTE: you will need to drop
+the reference with put_device() after use'.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 84cba72956fd ("dpaa2-switch: integrate the MAC endpoint support")
+Signed-off-by: Ma Ke
+Tested-by: Ioana Ciornei
+Reviewed-by: Ioana Ciornei
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20250717022309.3339976-3-make24@iscas.ac.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+@@ -1447,12 +1447,19 @@ static int dpaa2_switch_port_connect_mac
+ if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER)
+ return PTR_ERR(dpmac_dev);
+
+- if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type)
++ if (IS_ERR(dpmac_dev))
+ return 0;
+
++ if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) {
++ err = 0;
++ goto out_put_device;
++ }
++
+ mac = kzalloc(sizeof(*mac), GFP_KERNEL);
+- if (!mac)
+- return -ENOMEM;
++ if (!mac) {
++ err = -ENOMEM;
++ goto out_put_device;
++ }
+
+ mac->mc_dev = dpmac_dev;
+ mac->mc_io = port_priv->ethsw_data->mc_io;
+@@ -1482,6 +1489,8 @@ err_close_mac:
+ dpaa2_mac_close(mac);
+ err_free_mac:
+ kfree(mac);
++out_put_device:
++ put_device(&dpmac_dev->dev);
+ return err;
+ }
+
diff --git a/queue-6.12/drm-amdgpu-reset-the-clear-flag-in-buddy-during-resume.patch b/queue-6.12/drm-amdgpu-reset-the-clear-flag-in-buddy-during-resume.patch
new file mode 100644
index 0000000000..93921be8c5
--- /dev/null
+++ b/queue-6.12/drm-amdgpu-reset-the-clear-flag-in-buddy-during-resume.patch
@@ -0,0 +1,157 @@
+From 95a16160ca1d75c66bf7a1c5e0bcaffb18e7c7fc Mon Sep 17 00:00:00 2001
+From: Arunpravin Paneer Selvam
+Date: Wed, 16 Jul 2025 13:21:24 +0530
+Subject: drm/amdgpu: Reset the clear flag in buddy during resume
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arunpravin Paneer Selvam
+
+commit 95a16160ca1d75c66bf7a1c5e0bcaffb18e7c7fc upstream.
+
+- Added a handler in DRM buddy manager to reset the cleared
+ flag for the blocks in the freelist.
+
+- This is necessary because, upon resuming, the VRAM becomes
+ cluttered with BIOS data, yet the VRAM backend manager
+ believes that everything has been cleared.
+
+v2:
+ - Add lock before accessing drm_buddy_clear_reset_blocks()(Matthew Auld)
+ - Force merge the two dirty blocks.(Matthew Auld)
+ - Add a new unit test case for this issue.(Matthew Auld)
+ - Having this function being able to flip the state either way would be
+ good. (Matthew Brost)
+
+v3(Matthew Auld):
+ - Do merge step first to avoid the use of extra reset flag.
+
+Signed-off-by: Arunpravin Paneer Selvam
+Suggested-by: Christian König
+Acked-by: Christian König
+Reviewed-by: Matthew Auld
+Cc: stable@vger.kernel.org
+Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3812
+Signed-off-by: Christian König
+Link: https://lore.kernel.org/r/20250716075125.240637-2-Arunpravin.PaneerSelvam@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 1
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 17 ++++++++++
+ drivers/gpu/drm/drm_buddy.c | 43 +++++++++++++++++++++++++++
+ include/drm/drm_buddy.h | 2 +
+ 5 files changed, 65 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4954,6 +4954,8 @@ exit:
+ dev->dev->power.disable_depth--;
+ #endif
+ }
++
++ amdgpu_vram_mgr_clear_reset_blocks(adev);
+ adev->in_suspend = false;
+
+ if (adev->enable_mes)
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h
+@@ -153,6 +153,7 @@ int amdgpu_vram_mgr_reserve_range(struct
+ uint64_t start, uint64_t size);
+ int amdgpu_vram_mgr_query_page_status(struct amdgpu_vram_mgr *mgr,
+ uint64_t start);
++void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev);
+
+ bool amdgpu_res_cpu_visible(struct amdgpu_device *adev,
+ struct ttm_resource *res);
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c
+@@ -783,6 +783,23 @@ uint64_t amdgpu_vram_mgr_vis_usage(struc
+ }
+
+ /**
++ * amdgpu_vram_mgr_clear_reset_blocks - reset clear blocks
++ *
++ * @adev: amdgpu device pointer
++ *
++ * Reset the cleared drm buddy blocks.
++ */
++void amdgpu_vram_mgr_clear_reset_blocks(struct amdgpu_device *adev)
++{
++ struct amdgpu_vram_mgr *mgr = &adev->mman.vram_mgr;
++ struct drm_buddy *mm = &mgr->mm;
++
++ mutex_lock(&mgr->lock);
++ drm_buddy_reset_clear(mm, false);
++ mutex_unlock(&mgr->lock);
++}
++
++/**
+ * amdgpu_vram_mgr_intersects - test each drm buddy block for intersection
+ *
+ * @man: TTM memory type manager
+--- a/drivers/gpu/drm/drm_buddy.c
++++ b/drivers/gpu/drm/drm_buddy.c
+@@ -401,6 +401,49 @@ drm_get_buddy(struct drm_buddy_block *bl
+ EXPORT_SYMBOL(drm_get_buddy);
+
+ /**
++ * drm_buddy_reset_clear - reset blocks clear state
++ *
++ * @mm: DRM buddy manager
++ * @is_clear: blocks clear state
++ *
++ * Reset the clear state based on @is_clear value for each block
++ * in the freelist.
++ */
++void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear)
++{
++ u64 root_size, size, start;
++ unsigned int order;
++ int i;
++
++ size = mm->size;
++ for (i = 0; i < mm->n_roots; ++i) {
++ order = ilog2(size) - ilog2(mm->chunk_size);
++ start = drm_buddy_block_offset(mm->roots[i]);
++ __force_merge(mm, start, start + size, order);
++
++ root_size = mm->chunk_size << order;
++ size -= root_size;
++ }
++
++ for (i = 0; i <= mm->max_order; ++i) {
++ struct drm_buddy_block *block;
++
++ list_for_each_entry_reverse(block, &mm->free_list[i], link) {
++ if (is_clear != drm_buddy_block_is_clear(block)) {
++ if (is_clear) {
++ mark_cleared(block);
++ mm->clear_avail += drm_buddy_block_size(mm, block);
++ } else {
++ clear_reset(block);
++ mm->clear_avail -= drm_buddy_block_size(mm, block);
++ }
++ }
++ }
++ }
++}
++EXPORT_SYMBOL(drm_buddy_reset_clear);
++
++/**
+ * drm_buddy_free_block - free a block
+ *
+ * @mm: DRM buddy manager
+--- a/include/drm/drm_buddy.h
++++ b/include/drm/drm_buddy.h
+@@ -160,6 +160,8 @@ int drm_buddy_block_trim(struct drm_budd
+ u64 new_size,
+ struct list_head *blocks);
+
++void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear);
++
+ void drm_buddy_free_block(struct drm_buddy *mm, struct drm_buddy_block *block);
+
+ void drm_buddy_free_list(struct drm_buddy *mm,
diff --git a/queue-6.12/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch b/queue-6.12/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch
new file mode 100644
index 0000000000..e523e3ec43
--- /dev/null
+++ b/queue-6.12/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch
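Review bot: drm_buddy_reset_clear() in drivers/gpu/drm/drm_buddy.c is exported, merges blocks and rewrites `mm->clear_avail` while walking `mm->free_list[]`, yet it takes no lock and its kernel-doc does not say what the caller must hold. The only caller in this patch, amdgpu_vram_mgr_clear_reset_blocks(), wraps it in `mgr->lock`, so the requirement is implicit. I would add a kernel-doc line such as `* The caller must serialize this against allocation and free on @mm.` so a future caller does not run it unlocked. The flag matters because, per the commit message, VRAM holds BIOS data after resume, and a block still marked clear would be treated as already cleared.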
@@ -0,0 +1,81 @@
+From 15f77764e90a713ee3916ca424757688e4f565b9 Mon Sep 17 00:00:00 2001
+From: "Lin.Cao"
+Date: Thu, 17 Jul 2025 16:44:53 +0800
+Subject: drm/sched: Remove optimization that causes hang when killing dependent jobs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lin.Cao
+
+commit 15f77764e90a713ee3916ca424757688e4f565b9 upstream.
+
+When application A submits jobs and application B submits a job with a
+dependency on A's fence, the normal flow wakes up the scheduler after
+processing each job. However, the optimization in
+drm_sched_entity_add_dependency_cb() uses a callback that only clears
+dependencies without waking up the scheduler.
+
+When application A is killed before its jobs can run, the callback gets
+triggered but only clears the dependency without waking up the scheduler,
+causing the scheduler to enter sleep state and application B to hang.
+
+Remove the optimization by deleting drm_sched_entity_clear_dep() and its
+usage, ensuring the scheduler is always woken up when dependencies are
+cleared.
+
+Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler")
+Cc: stable@vger.kernel.org # v4.6+
+Signed-off-by: Lin.Cao
+Reviewed-by: Christian König
+Signed-off-by: Philipp Stanner
+Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -368,17 +368,6 @@ void drm_sched_entity_destroy(struct drm
+ }
+ EXPORT_SYMBOL(drm_sched_entity_destroy);
+
+-/* drm_sched_entity_clear_dep - callback to clear the entities dependency */
+-static void drm_sched_entity_clear_dep(struct dma_fence *f,
+- struct dma_fence_cb *cb)
+-{
+- struct drm_sched_entity *entity =
+- container_of(cb, struct drm_sched_entity, cb);
+-
+- entity->dependency = NULL;
+- dma_fence_put(f);
+-}
+-
+ /*
+ * drm_sched_entity_clear_dep - callback to clear the entities dependency and
+ * wake up scheduler
+@@ -389,7 +378,8 @@ static void drm_sched_entity_wakeup(stru
+ struct drm_sched_entity *entity =
+ container_of(cb, struct drm_sched_entity, cb);
+
+- drm_sched_entity_clear_dep(f, cb);
++ entity->dependency = NULL;
++ dma_fence_put(f);
+ drm_sched_wakeup(entity->rq->sched);
+ }
+
+@@ -442,13 +432,6 @@ static bool drm_sched_entity_add_depende
+ fence = dma_fence_get(&s_fence->scheduled);
+ dma_fence_put(entity->dependency);
+ entity->dependency = fence;
+- if (!dma_fence_add_callback(fence, &entity->cb,
+- drm_sched_entity_clear_dep))
+- return true;
+-
+- /* Ignore it when it is already scheduled */
+- dma_fence_put(fence);
+- return false;
+ }
+
+ if (!dma_fence_add_callback(entity->dependency, &entity->cb,
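Review bot: The comment block kept as context above drm_sched_entity_wakeup() in the second sched_entity.c hunk still carries the name `drm_sched_entity_clear_dep`, which this patch deletes, so the only remaining description of the wakeup callback names a function that no longer exists. I would retitle it `drm_sched_entity_wakeup - callback to clear the entity's dependency and wake up the scheduler`. Since the wakeup is the whole point of the fix, a short why-comment next to `drm_sched_wakeup(entity->rq->sched);` such as `/* always wake the scheduler, a cleared dependency may unblock another entity */` would also keep a later cleanup from reintroducing the shortcut. The callback's signature line is outside the hunk.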
diff --git a/queue-6.12/e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch b/queue-6.12/e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch
new file mode 100644
index 0000000000..0d83e7bad3
--- /dev/null
+++ b/queue-6.12/e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch
@@ -0,0 +1,42 @@
+From 536fd741c7ac907d63166cdae1081b1febfab613 Mon Sep 17 00:00:00 2001
+From: Jacek Kowalski
+Date: Mon, 30 Jun 2025 10:33:39 +0200
+Subject: e1000e: disregard NVM checksum on tgp when valid checksum bit is not set
+
+From: Jacek Kowalski
+
+commit 536fd741c7ac907d63166cdae1081b1febfab613 upstream.
+
+As described by Vitaly Lifshits:
+
+> Starting from Tiger Lake, LAN NVM is locked for writes by SW, so the
+> driver cannot perform checksum validation and correction. This means
+> that all NVM images must leave the factory with correct checksum and
+> checksum valid bit set. Since Tiger Lake devices were the first to have
+> this lock, some systems in the field did not meet this requirement.
+> Therefore, for these transitional devices we skip checksum update and
+> verification, if the valid bit is not set.
+
+Signed-off-by: Jacek Kowalski
+Reviewed-by: Simon Horman
+Reviewed-by: Vitaly Lifshits
+Fixes: 4051f68318ca9 ("e1000e: Do not take care about recovery NVM checksum")
+Cc: stable@vger.kernel.org
+Tested-by: Mor Bar-Gabay
+Signed-off-by: Tony Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -4274,6 +4274,8 @@ static s32 e1000_validate_nvm_checksum_i
+ ret_val = e1000e_update_nvm_checksum(hw);
+ if (ret_val)
+ return ret_val;
++ } else if (hw->mac.type == e1000_pch_tgp) {
++ return 0;
+ }
+ }
+
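Review bot: The new `else if (hw->mac.type == e1000_pch_tgp)` branch returns 0 without leaving any trace, so a Tiger Lake NVM whose checksum-valid bit is clear now passes validation silently. The sibling e1000e patch in this queue logs its bypass through `e_dbg()`; doing the same here, for example `e_dbg("NVM checksum valid bit not set on TGP platform - skipping validation\n");` before the `return 0;`, keeps the skipped integrity check visible when a device is being debugged. The enclosing function starts and ends outside the hunk, so the condition on the outer `if` is not visible from here.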
diff --git a/queue-6.12/e1000e-ignore-uninitialized-checksum-word-on-tgp.patch b/queue-6.12/e1000e-ignore-uninitialized-checksum-word-on-tgp.patch
new file mode 100644
index 0000000000..79904f2294
--- /dev/null
+++ b/queue-6.12/e1000e-ignore-uninitialized-checksum-word-on-tgp.patch
@@ -0,0 +1,62 @@ +From 61114910a5f6a71d0b6ea3b95082dfe031b19dfe Mon Sep 17 00:00:00 2001 +From: Jacek Kowalski +Date: Mon, 30 Jun 2025 10:35:00 +0200 +Subject: e1000e: ignore uninitialized checksum word on tgp + +From: Jacek Kowalski + +commit 61114910a5f6a71d0b6ea3b95082dfe031b19dfe upstream. + +As described by Vitaly Lifshits: + +> Starting from Tiger Lake, LAN NVM is locked for writes by SW, so the +> driver cannot perform checksum validation and correction. This means +> that all NVM images must leave the factory with correct checksum and +> checksum valid bit set. + +Unfortunately some systems have left the factory with an uninitialized +value of 0xFFFF at register address 0x3F (checksum word location). +So on Tiger Lake platform we ignore the computed checksum when such +condition is encountered. + +Signed-off-by: Jacek Kowalski +Tested-by: Vlad URSU +Fixes: 4051f68318ca9 ("e1000e: Do not take care about recovery NVM checksum") +Cc: stable@vger.kernel.org +Reviewed-by: Simon Horman +Reviewed-by: Vitaly Lifshits +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/defines.h | 3 +++ + drivers/net/ethernet/intel/e1000e/nvm.c | 6 ++++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/net/ethernet/intel/e1000e/defines.h ++++ b/drivers/net/ethernet/intel/e1000e/defines.h +@@ -638,6 +638,9 @@ + /* For checksumming, the sum of all words in the NVM should equal 0xBABA. 
*/ + #define NVM_SUM 0xBABA + ++/* Uninitialized ("empty") checksum word value */ ++#define NVM_CHECKSUM_UNINITIALIZED 0xFFFF ++ + /* PBA (printed board assembly) number words */ + #define NVM_PBA_OFFSET_0 8 + #define NVM_PBA_OFFSET_1 9 +--- a/drivers/net/ethernet/intel/e1000e/nvm.c ++++ b/drivers/net/ethernet/intel/e1000e/nvm.c +@@ -558,6 +558,12 @@ s32 e1000e_validate_nvm_checksum_generic + checksum += nvm_data; + } + ++ if (hw->mac.type == e1000_pch_tgp && ++ nvm_data == NVM_CHECKSUM_UNINITIALIZED) { ++ e_dbg("Uninitialized NVM Checksum on TGP platform - ignoring\n"); ++ return 0; ++ } ++ + if (checksum != (u16)NVM_SUM) { + e_dbg("NVM Checksum Invalid\n"); + return -E1000_ERR_NVM; diff --git a/queue-6.12/gve-fix-stuck-tx-queue-for-dq-queue-format.patch b/queue-6.12/gve-fix-stuck-tx-queue-for-dq-queue-format.patch new file mode 100644 index 0000000000..5bdf2a39c7 --- /dev/null +++ b/queue-6.12/gve-fix-stuck-tx-queue-for-dq-queue-format.patch 
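Review bot: The test added to e1000e_validate_nvm_checksum_generic() compares `nvm_data` after the summing loop, so it depends on the loop's last iteration having read the checksum word; that loop is outside the hunk and nothing in the new lines states the dependency. A comment such as `/* nvm_data still holds the last word read above, i.e. the checksum word */` would make it explicit and protect it against a later reordering of the loop. Once that word reads 0xFFFF on this MAC type the function returns 0 whatever the other words sum to, so the checksum no longer detects corruption for such images; the commit message accepts that trade-off, and it belongs in the comment too.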
@@ -0,0 +1,125 @@ +From b03f15c0192b184078206760c839054ae6eb4eaa Mon Sep 17 00:00:00 2001 +From: Praveen Kaligineedi +Date: Thu, 17 Jul 2025 19:20:24 +0000 +Subject: gve: Fix stuck TX queue for DQ queue format + +From: Praveen Kaligineedi + +commit b03f15c0192b184078206760c839054ae6eb4eaa upstream. + +gve_tx_timeout was calculating missed completions in a way that is only +relevant in the GQ queue format. Additionally, it was attempting to +disable device interrupts, which is not needed in either GQ or DQ queue +formats. + +As a result, TX timeouts with the DQ queue format likely would have +triggered early resets without kicking the queue at all. + +This patch drops the check for pending work altogether and always kicks +the queue after validating the queue has not seen a TX timeout too +recently. + +Cc: stable@vger.kernel.org +Fixes: 87a7f321bb6a ("gve: Recover from queue stall due to missed IRQ") +Co-developed-by: Tim Hostetler +Signed-off-by: Tim Hostetler +Signed-off-by: Praveen Kaligineedi +Signed-off-by: Harshitha Ramamurthy +Link: https://patch.msgid.link/20250717192024.1820931-1-hramamurthy@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_main.c | 71 +++++++++++++++-------------- + 1 file changed, 39 insertions(+), 32 deletions(-) + +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1972,49 +1972,56 @@ static void gve_turnup_and_check_status( + gve_handle_link_status(priv, GVE_DEVICE_STATUS_LINK_STATUS_MASK & status); + } + +-static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue) ++static struct gve_notify_block *gve_get_tx_notify_block(struct gve_priv *priv, ++ unsigned int txqueue) + { +- struct gve_notify_block *block; +- struct gve_tx_ring *tx = NULL; +- struct gve_priv *priv; +- u32 last_nic_done; +- u32 current_time; + u32 ntfy_idx; + +- netdev_info(dev, "Timeout on tx queue, %d", txqueue); +- priv = 
netdev_priv(dev); + if (txqueue > priv->tx_cfg.num_queues) +- goto reset; ++ return NULL; + + ntfy_idx = gve_tx_idx_to_ntfy(priv, txqueue); + if (ntfy_idx >= priv->num_ntfy_blks) +- goto reset; ++ return NULL; ++ ++ return &priv->ntfy_blocks[ntfy_idx]; ++} ++ ++static bool gve_tx_timeout_try_q_kick(struct gve_priv *priv, ++ unsigned int txqueue) ++{ ++ struct gve_notify_block *block; ++ u32 current_time; + +- block = &priv->ntfy_blocks[ntfy_idx]; +- tx = block->tx; ++ block = gve_get_tx_notify_block(priv, txqueue); ++ ++ if (!block) ++ return false; + + current_time = jiffies_to_msecs(jiffies); +- if (tx->last_kick_msec + MIN_TX_TIMEOUT_GAP > current_time) +- goto reset; ++ if (block->tx->last_kick_msec + MIN_TX_TIMEOUT_GAP > current_time) ++ return false; ++ ++ netdev_info(priv->dev, "Kicking queue %d", txqueue); ++ napi_schedule(&block->napi); ++ block->tx->last_kick_msec = current_time; ++ return true; ++} ++ ++static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue) ++{ ++ struct gve_notify_block *block; ++ struct gve_priv *priv; ++ ++ netdev_info(dev, "Timeout on tx queue, %d", txqueue); ++ priv = netdev_priv(dev); ++ ++ if (!gve_tx_timeout_try_q_kick(priv, txqueue)) ++ gve_schedule_reset(priv); + +- /* Check to see if there are missed completions, which will allow us to +- * kick the queue. +- */ +- last_nic_done = gve_tx_load_event_counter(priv, tx); +- if (last_nic_done - tx->done) { +- netdev_info(dev, "Kicking queue %d", txqueue); +- iowrite32be(GVE_IRQ_MASK, gve_irq_doorbell(priv, block)); +- napi_schedule(&block->napi); +- tx->last_kick_msec = current_time; +- goto out; +- } // Else reset. +- +-reset: +- gve_schedule_reset(priv); +- +-out: +- if (tx) +- tx->queue_timeout++; ++ block = gve_get_tx_notify_block(priv, txqueue); ++ if (block) ++ block->tx->queue_timeout++; + priv->tx_timeo_cnt++; + } + 
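Review bot: gve_get_tx_notify_block() keeps the old bound `txqueue > priv->tx_cfg.num_queues`, which lets `txqueue == num_queues` through, and both new callers then dereference `block->tx` without the NULL test the removed code had (`if (tx) tx->queue_timeout++;`). Whether a notify block at that index can carry a NULL `tx` depends on setup code outside this hunk, but assuming queue indices are zero-based the helper is the natural place to close the gap: `if (txqueue >= priv->tx_cfg.num_queues) return NULL;`, with the callers testing `if (!block || !block->tx)`. The lookup is also performed twice per timeout, once in gve_tx_timeout_try_q_kick() and again in gve_tx_timeout(); doing it once and passing the block down would keep the two results from diverging.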
diff --git a/queue-6.12/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch b/queue-6.12/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
new file mode 100644
index 0000000000..a1a258b62c
--- /dev/null
+++ b/queue-6.12/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
@@ -0,0 +1,42 @@
+From a7982a14b3012527a9583d12525cd0dc9f8d8934 Mon Sep 17 00:00:00 2001
+From: Yang Xiwen
+Date: Mon, 16 Jun 2025 00:01:10 +0800
+Subject: i2c: qup: jump out of the loop in case of timeout
+
+From: Yang Xiwen
+
+commit a7982a14b3012527a9583d12525cd0dc9f8d8934 upstream.
+
+Original logic only sets the return value but doesn't jump out of the
+loop if the bus is kept active by a client. This is not expected. A
+malicious or buggy i2c client can hang the kernel in this case and
+should be avoided. This is observed during a long time test with a
+PCA953x GPIO extender.
+
+Fix it by changing the logic to not only sets the return value, but also
+jumps out of the loop and return to the caller with -ETIMEDOUT.
+
+Fixes: fbfab1ab0658 ("i2c: qup: reorganization of driver code to remove polling for qup v1")
+Signed-off-by: Yang Xiwen
+Cc: # v4.17+
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20250616-qca-i2c-v1-1-2a8d37ee0a30@outlook.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-qup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qup.c
++++ b/drivers/i2c/busses/i2c-qup.c
+@@ -452,8 +452,10 @@ static int qup_i2c_bus_active(struct qup
+ if (!(status & I2C_STATUS_BUS_ACTIVE))
+ break;
+
+- if (time_after(jiffies, timeout))
++ if (time_after(jiffies, timeout)) {
+ ret = -ETIMEDOUT;
++ break;
++ }
+
+ usleep_range(len, len * 2);
+ }
diff --git a/queue-6.12/i2c-tegra-fix-reset-error-handling-with-acpi.patch b/queue-6.12/i2c-tegra-fix-reset-error-handling-with-acpi.patch
new file mode 100644
index 0000000000..263a4fd46d
--- /dev/null
+++ b/queue-6.12/i2c-tegra-fix-reset-error-handling-with-acpi.patch
@@ -0,0 +1,80 @@
+From 56344e241c543f17e8102fa13466ad5c3e7dc9ff Mon Sep 17 00:00:00 2001
+From: Akhil R
+Date: Thu, 10 Jul 2025 18:42:04 +0530
+Subject: i2c: tegra: Fix reset error handling with ACPI
+
+From: Akhil R
+
+commit 56344e241c543f17e8102fa13466ad5c3e7dc9ff upstream.
+
+The acpi_evaluate_object() returns an ACPI error code and not
+Linux one. For the some platforms the err will have positive code
+which may be interpreted incorrectly. Use device_reset() for
+reset control which handles it correctly.
+
+Fixes: bd2fdedbf2ba ("i2c: tegra: Add the ACPI support")
+Reported-by: Andy Shevchenko
+Signed-off-by: Akhil R
+Cc: # v5.17+
+Reviewed-by: Andy Shevchenko
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20250710131206.2316-2-akhilrajeev@nvidia.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-tegra.c | 24 +-----------------------
+ 1 file changed, 1 insertion(+), 23 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-tegra.c
++++ b/drivers/i2c/busses/i2c-tegra.c
+@@ -607,7 +607,6 @@ static int tegra_i2c_wait_for_config_loa
+ static int tegra_i2c_init(struct tegra_i2c_dev *i2c_dev)
+ {
+ u32 val, clk_divisor, clk_multiplier, tsu_thd, tlow, thigh, non_hs_mode;
+- acpi_handle handle = ACPI_HANDLE(i2c_dev->dev);
+ struct i2c_timings *t = &i2c_dev->timings;
+ int err;
+
+@@ -619,11 +618,7 @@ static int tegra_i2c_init(struct tegra_i
+ * emit a noisy warning on error, which won't stay unnoticed and
+ * won't hose machine entirely.
+ */
+- if (handle)
+- err = acpi_evaluate_object(handle, "_RST", NULL, NULL);
+- else
+- err = reset_control_reset(i2c_dev->rst);
+-
++ err = device_reset(i2c_dev->dev);
+ WARN_ON_ONCE(err);
+
+ if (IS_DVC(i2c_dev))
+@@ -1666,19 +1661,6 @@ static void tegra_i2c_parse_dt(struct te
+ i2c_dev->is_vi = true;
+ }
+
+-static int tegra_i2c_init_reset(struct tegra_i2c_dev *i2c_dev)
+-{
+- if (ACPI_HANDLE(i2c_dev->dev))
+- return 0;
+-
+- i2c_dev->rst = devm_reset_control_get_exclusive(i2c_dev->dev, "i2c");
+- if (IS_ERR(i2c_dev->rst))
+- return dev_err_probe(i2c_dev->dev, PTR_ERR(i2c_dev->rst),
+- "failed to get reset control\n");
+-
+- return 0;
+-}
+-
+ static int tegra_i2c_init_clocks(struct tegra_i2c_dev *i2c_dev)
+ {
+ int err;
+@@ -1788,10 +1770,6 @@ static int tegra_i2c_probe(struct platfo
+
+ tegra_i2c_parse_dt(i2c_dev);
+
+- err = tegra_i2c_init_reset(i2c_dev);
+- if (err)
+- return err;
+-
+ err = tegra_i2c_init_clocks(i2c_dev);
+ if (err)
+ return err;
diff --git a/queue-6.12/i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch b/queue-6.12/i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch
new file mode 100644
index 0000000000..c807397dfa
--- /dev/null
+++ b/queue-6.12/i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch
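Review bot: With tegra_i2c_init_reset() removed, the reset control is no longer obtained at probe time, so the `dev_err_probe()` path that reported a missing or not-yet-available reset is gone and any error from `device_reset(i2c_dev->dev)` in tegra_i2c_init() now ends only in `WARN_ON_ONCE(err)`. If device_reset() can fail on these platforms because the reset is absent or its provider is not ready, which the hunks do not show, the controller carries on without having been reset and the only signal is a one-time warning. I would at least extend the existing comment above the call with `device_reset() looks the reset up on every call; a missing or deferred reset only triggers the warning below`, and drop the `rst` member if nothing else still references it. tegra_i2c_init() and tegra_i2c_probe() both continue outside the hunks.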
@@ -0,0 +1,51 @@
+From a663b3c47ab10f66130818cf94eb59c971541c3f Mon Sep 17 00:00:00 2001
+From: Viresh Kumar
+Date: Thu, 3 Jul 2025 17:01:02 +0530
+Subject: i2c: virtio: Avoid hang by using interruptible completion wait
+
+From: Viresh Kumar
+
+commit a663b3c47ab10f66130818cf94eb59c971541c3f upstream.
+
+The current implementation uses wait_for_completion(), which can cause
+the caller to hang indefinitely if the transfer never completes.
+
+Switch to wait_for_completion_interruptible() so that the operation can
+be interrupted by signals.
+
+Fixes: 84e1d0bf1d71 ("i2c: virtio: disable timeout handling")
+Signed-off-by: Viresh Kumar
+Cc: # v5.16+
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/b8944e9cab8eb959d888ae80add6f2a686159ba2.1751541962.git.viresh.kumar@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-virtio.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-virtio.c
++++ b/drivers/i2c/busses/i2c-virtio.c
+@@ -116,15 +116,16 @@ static int virtio_i2c_complete_reqs(stru
+ for (i = 0; i < num; i++) {
+ struct virtio_i2c_req *req = &reqs[i];
+
+- wait_for_completion(&req->completion);
+-
+- if (!failed && req->in_hdr.status != VIRTIO_I2C_MSG_OK)
+- failed = true;
++ if (!failed) {
++ if (wait_for_completion_interruptible(&req->completion))
++ failed = true;
++ else if (req->in_hdr.status != VIRTIO_I2C_MSG_OK)
++ failed = true;
++ else
++ j++;
++ }
+
+ i2c_put_dma_safe_msg_buf(reqs[i].buf, &msgs[i], !failed);
+-
+- if (!failed)
+- j++;
+ }
+
+ return j;
diff --git a/queue-6.12/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch b/queue-6.12/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch
new file mode 100644
index 0000000000..d88e239977
--- /dev/null
+++ b/queue-6.12/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch
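Review bot: Once `wait_for_completion_interruptible()` is interrupted, or an earlier request has failed, the loop stops waiting but still calls `i2c_put_dma_safe_msg_buf()` for that request and every later one, releasing buffers that were queued to the device and have not been reported complete. Whether the device can still write into them, or into `reqs[]` once the caller is done with it, depends on code outside this hunk, but nothing in the new lines takes the buffers back from the virtqueue first. I would either keep waiting, with a bounded timeout, for requests already submitted before releasing their buffers, or quiesce the queue on the interrupted path, and record the rule in a comment such as `/* buffers stay owned by the device until it completes them */`. The function's declarations and its caller are outside the hunk.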
@@ -0,0 +1,36 @@
+From 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Thu, 3 Jul 2025 17:52:32 +0800
+Subject: ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
+
+From: Haoxiang Li
+
+commit 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 upstream.
+
+Add check for the return value of devm_kmemdup()
+to prevent potential null pointer dereference.
+
+Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li
+Reviewed-by: Michal Swiatkowski
+Reviewed-by: Aleksandr Loktionov
+Reviewed-by: Simon Horman
+Tested-by: Rinitha S (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/ice/ice_ddp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ice/ice_ddp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ddp.c
+@@ -2277,6 +2277,8 @@ enum ice_ddp_state ice_copy_and_init_pkg
+ return ICE_DDP_PKG_ERR;
+
+ buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL);
++ if (!buf_copy)
++ return ICE_DDP_PKG_ERR;
+
+ state = ice_init_pkg(hw, buf_copy, len);
+ if (!ice_is_init_pkg_successful(state)) {
diff --git a/queue-6.12/kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch b/queue-6.12/kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch
new file mode 100644
index 0000000000..8b8ad5b03d
--- /dev/null
+++ b/queue-6.12/kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch
@@ -0,0 +1,73 @@ +From 6ade153349c6bb990d170cecc3e8bdd8628119ab Mon Sep 17 00:00:00 2001 +From: Marco Elver +Date: Wed, 16 Jul 2025 17:23:28 +0200 +Subject: kasan: use vmalloc_dump_obj() for vmalloc error reports + +From: Marco Elver + +commit 6ade153349c6bb990d170cecc3e8bdd8628119ab upstream. + +Since 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent +possible deadlock"), more detailed info about the vmalloc mapping and the +origin was dropped due to potential deadlocks. + +While fixing the deadlock is necessary, that patch was too quick in +killing an otherwise useful feature, and did no due-diligence in +understanding if an alternative option is available. + +Restore printing more helpful vmalloc allocation info in KASAN reports +with the help of vmalloc_dump_obj(). Example report: + +| BUG: KASAN: vmalloc-out-of-bounds in vmalloc_oob+0x4c9/0x610 +| Read of size 1 at addr ffffc900002fd7f3 by task kunit_try_catch/493 +| +| CPU: [...] +| Call Trace: +| +| dump_stack_lvl+0xa8/0xf0 +| print_report+0x17e/0x810 +| kasan_report+0x155/0x190 +| vmalloc_oob+0x4c9/0x610 +| [...] +| +| The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900002fd000 allocated at vmalloc_oob+0x36/0x610 +| The buggy address belongs to the physical page: +| page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x126364 +| flags: 0x200000000000000(node=0|zone=2) +| raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 +| raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 +| page dumped because: kasan: bad access detected +| +| [..] 
+ +Link: https://lkml.kernel.org/r/20250716152448.3877201-1-elver@google.com +Fixes: 6ee9b3d84775 ("kasan: remove kasan_find_vm_area() to prevent possible deadlock") +Signed-off-by: Marco Elver +Suggested-by: Uladzislau Rezki +Acked-by: Uladzislau Rezki (Sony) +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Sebastian Andrzej Siewior +Cc: Yeoreum Yun +Cc: Yunseong Kim +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kasan/report.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/mm/kasan/report.c ++++ b/mm/kasan/report.c +@@ -398,7 +398,9 @@ static void print_address_description(vo + } + + if (is_vmalloc_addr(addr)) { +- pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); ++ pr_err("The buggy address belongs to a"); ++ if (!vmalloc_dump_obj(addr)) ++ pr_cont(" vmalloc virtual mapping\n"); + page = vmalloc_to_page(addr); + } + diff --git a/queue-6.12/mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch b/queue-6.12/mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch new file mode 100644 index 0000000000..dfd12b62e9 --- /dev/null +++ b/queue-6.12/mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch 
@@ -0,0 +1,57 @@ +From 153ad566724fe6f57b14f66e9726d295d22e576d Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 15 Jul 2025 12:56:16 -0700 +Subject: mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show() + +From: Nathan Chancellor + +commit 153ad566724fe6f57b14f66e9726d295d22e576d upstream. + +After a recent change in clang to expose uninitialized warnings from const +variables [1], there is a false positive warning from the if statement in +advisor_mode_show(). + + mm/ksm.c:3687:11: error: variable 'output' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] + 3687 | else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + mm/ksm.c:3690:33: note: uninitialized use occurs here + 3690 | return sysfs_emit(buf, "%s\n", output); + | ^~~~~~ + +Rewrite the if statement to implicitly make KSM_ADVISOR_NONE the else +branch so that it is obvious to the compiler that ksm_advisor can only be +KSM_ADVISOR_NONE or KSM_ADVISOR_SCAN_TIME due to the assignments in +advisor_mode_store(). 
+ +Link: https://lkml.kernel.org/r/20250715-ksm-fix-clang-21-uninit-warning-v1-1-f443feb4bfc4@kernel.org +Fixes: 66790e9a735b ("mm/ksm: add sysfs knobs for advisor") +Signed-off-by: Nathan Chancellor +Closes: https://github.com/ClangBuiltLinux/linux/issues/2100 +Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cdee01472c7 [1] +Acked-by: David Hildenbrand +Cc: Chengming Zhou +Cc: Stefan Roesch +Cc: xu xin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/ksm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -3643,10 +3643,10 @@ static ssize_t advisor_mode_show(struct + { + const char *output; + +- if (ksm_advisor == KSM_ADVISOR_NONE) +- output = "[none] scan-time"; +- else if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) ++ if (ksm_advisor == KSM_ADVISOR_SCAN_TIME) + output = "none [scan-time]"; ++ else ++ output = "[none] scan-time"; + + return sysfs_emit(buf, "%s\n", output); + } diff --git a/queue-6.12/mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list.patch b/queue-6.12/mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list.patch new file mode 100644 index 0000000000..9ba6d9cb48 --- /dev/null +++ b/queue-6.12/mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list.patch 
@@ -0,0 +1,84 @@ +From 9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab Mon Sep 17 00:00:00 2001 +From: Jinjiang Tu +Date: Fri, 27 Jun 2025 20:57:46 +0800 +Subject: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list + +From: Jinjiang Tu + +commit 9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab upstream. + +In shrink_folio_list(), the hwpoisoned folio may be large folio, which +can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() +must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then +retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of +pvmw.pte. Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a +WARN_ON_ONCE due to the page isn't in swapcache. + +Since UCE is rare in real world, and race with reclaimation is more rare, +just skipping the hwpoisoned large folio is enough. memory_failure() will +handle it if the UCE is triggered again. + +This happens when memory reclaim for large folio races with +memory_failure(), and will lead to kernel panic. 
The race is as +follows: + +cpu0 cpu1 + shrink_folio_list memory_failure + TestSetPageHWPoison + unmap_poisoned_folio + --> trigger BUG_ON due to + unmap_poisoned_folio couldn't + handle large folio + +[tujinjiang@huawei.com: add comment to unmap_poisoned_folio()] + Link: https://lkml.kernel.org/r/69fd4e00-1b13-d5f7-1c82-705c7d977ea4@huawei.com +Link: https://lkml.kernel.org/r/20250627125747.3094074-2-tujinjiang@huawei.com +Signed-off-by: Jinjiang Tu +Fixes: 1b0449544c64 ("mm/vmscan: don't try to reclaim hwpoison folio") +Reported-by: syzbot+3b220254df55d8ca8a61@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68412d57.050a0220.2461cf.000e.GAE@google.com/ +Acked-by: David Hildenbrand +Reviewed-by: Miaohe Lin +Acked-by: Zi Yan +Reviewed-by: Oscar Salvador +Cc: Kefeng Wang +Cc: Michal Hocko +Cc: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory-failure.c | 4 ++++ + mm/vmscan.c | 8 ++++++++ + 2 files changed, 12 insertions(+) + +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1559,6 +1559,10 @@ static int get_hwpoison_page(struct page + return ret; + } + ++/* ++ * The caller must guarantee the folio isn't large folio, except hugetlb. ++ * try_to_unmap() can't handle it. ++ */ + int unmap_poisoned_folio(struct folio *folio, unsigned long pfn, bool must_kill) + { + enum ttu_flags ttu = TTU_IGNORE_MLOCK | TTU_SYNC | TTU_HWPOISON; +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -1080,6 +1080,14 @@ retry: + goto keep; + + if (folio_contain_hwpoisoned_page(folio)) { ++ /* ++ * unmap_poisoned_folio() can't handle large ++ * folio, just skip it. memory_failure() will ++ * handle it if the UCE is triggered again. ++ */ ++ if (folio_test_large(folio)) ++ goto keep_locked; ++ + unmap_poisoned_folio(folio, folio_pfn(folio), false); + folio_unlock(folio); + folio_put(folio); 
diff --git a/queue-6.12/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch b/queue-6.12/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch
new file mode 100644
index 0000000000..bedb154c21
--- /dev/null
+++ b/queue-6.12/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch
@@ -0,0 +1,55 @@
+From 694d6b99923eb05a8fd188be44e26077d19f0e21 Mon Sep 17 00:00:00 2001
+From: Harry Yoo
+Date: Fri, 4 Jul 2025 19:30:53 +0900
+Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n
+
+From: Harry Yoo
+
+commit 694d6b99923eb05a8fd188be44e26077d19f0e21 upstream.
+
+Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for
+migrating zsmalloc pages using the movable_operations migration framework.
+However, the commit did not take into account that zsmalloc supports
+migration only when CONFIG_COMPACTION is enabled. Tracing shows that
+zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is
+not supported.
+
+This can result in unmovable pages being allocated from movable page
+blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area.
+
+Possible user visible effects:
+- Some ZONE_MOVABLE memory can be not actually movable
+- CMA allocation can fail because of this
+- Increased memory fragmentation due to ignoring the page mobility
+ grouping feature
+I'm not really sure who uses kernels without compaction support, though :(
+
+
+To fix this, clear the __GFP_MOVABLE flag when
+!IS_ENABLED(CONFIG_COMPACTION).
+
+Link: https://lkml.kernel.org/r/20250704103053.6913-1-harry.yoo@oracle.com
+Fixes: 48b4800a1c6a ("zsmalloc: page migration support")
+Signed-off-by: Harry Yoo
+Acked-by: David Hildenbrand
+Reviewed-by: Sergey Senozhatsky
+Cc: Minchan Kim
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/zsmalloc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -976,6 +976,9 @@ static struct zspage *alloc_zspage(struc
+ if (!zspage)
+ return NULL;
+
++ if (!IS_ENABLED(CONFIG_COMPACTION))
++ gfp &= ~__GFP_MOVABLE;
++
+ zspage->magic = ZSPAGE_MAGIC;
+ migrate_lock_init(zspage);
+
diff --git a/queue-6.12/nilfs2-reject-invalid-file-types-when-reading-inodes.patch b/queue-6.12/nilfs2-reject-invalid-file-types-when-reading-inodes.patch
new file mode 100644
index 0000000000..731355c0ed
--- /dev/null
+++ b/queue-6.12/nilfs2-reject-invalid-file-types-when-reading-inodes.patch
@@ -0,0 +1,48 @@
+From 4aead50caf67e01020c8be1945c3201e8a972a27 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Thu, 10 Jul 2025 22:49:08 +0900
+Subject: nilfs2: reject invalid file types when reading inodes
+
+From: Ryusuke Konishi
+
+commit 4aead50caf67e01020c8be1945c3201e8a972a27 upstream.
+
+To prevent inodes with invalid file types from tripping through the vfs
+and causing malfunctions or assertion failures, add a missing sanity check
+when reading an inode from a block device. If the file type is not valid,
+treat it as a filesystem error.
+
+Link: https://lkml.kernel.org/r/20250710134952.29862-1-konishi.ryusuke@gmail.com
+Fixes: 05fe58fdc10d ("nilfs2: inode operations")
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/inode.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -499,11 +499,18 @@ static int __nilfs_read_inode(struct sup
+ inode->i_op = &nilfs_symlink_inode_operations;
+ inode_nohighmem(inode);
+ inode->i_mapping->a_ops = &nilfs_aops;
+- } else {
++ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
++ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
+ inode->i_op = &nilfs_special_inode_operations;
+ init_special_inode(
+ inode, inode->i_mode,
+ huge_decode_dev(le64_to_cpu(raw_inode->i_device_code)));
++ } else {
++ nilfs_error(sb,
++ "invalid file type bits in mode 0%o for inode %lu",
++ inode->i_mode, ino);
++ err = -EIO;
++ goto failed_unmap;
+ }
+ nilfs_ifile_unmap_inode(raw_inode);
+ brelse(bh);
diff --git a/queue-6.12/platform-x86-ideapad-laptop-fix-fnlock-not-remembered-among-boots.patch b/queue-6.12/platform-x86-ideapad-laptop-fix-fnlock-not-remembered-among-boots.patch
new file mode 100644
index 0000000000..b403eb865d
--- /dev/null
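Review bot: The new final `else` in `__nilfs_read_inode()` is where an unknown file type is rejected, but nothing in the code says that `i_mode` comes from the on-disk inode and can hold arbitrary bits on a corrupted or crafted image. A short comment above the branch would record that, e.g. `/* i_mode is read from disk: reject unknown S_IFMT values before the VFS sees the inode */`. The start of the if/else chain and the `failed_unmap` label are outside the hunk, so I am assuming that label unmaps `raw_inode` and releases `bh` the same way the success path does. How `nilfs_error()` reacts (presumably governed by the mount's error policy) is also not visible here and would be worth a word in the comment.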
+++ b/queue-6.12/platform-x86-ideapad-laptop-fix-fnlock-not-remembered-among-boots.patch 
@@ -0,0 +1,46 @@ +From 9533b789df7e8d273543a5991aec92447be043d7 Mon Sep 17 00:00:00 2001 +From: Rong Zhang +Date: Tue, 8 Jul 2025 00:38:06 +0800 +Subject: platform/x86: ideapad-laptop: Fix FnLock not remembered among boots +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rong Zhang + +commit 9533b789df7e8d273543a5991aec92447be043d7 upstream. + +On devices supported by ideapad-laptop, the HW/FW can remember the +FnLock state among boots. However, since the introduction of the FnLock +LED class device, it is turned off while shutting down, as a side effect +of the LED class device unregistering sequence. + +Many users always turn on FnLock because they use function keys much +more frequently than multimedia keys. The behavior change is +inconvenient for them. Thus, set LED_RETAIN_AT_SHUTDOWN on the LED class +device so that the FnLock state gets remembered, which also aligns with +the behavior of manufacturer utilities on Windows. + +Fixes: 07f48f668fac ("platform/x86: ideapad-laptop: add FnLock LED class device") +Cc: stable@vger.kernel.org +Signed-off-by: Rong Zhang +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20250707163808.155876-2-i@rong.moe +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/ideapad-laptop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -1731,7 +1731,7 @@ static int ideapad_fn_lock_led_init(stru + priv->fn_lock.led.name = "platform::" LED_FUNCTION_FNLOCK; + priv->fn_lock.led.brightness_get = ideapad_fn_lock_led_cdev_get; + priv->fn_lock.led.brightness_set_blocking = ideapad_fn_lock_led_cdev_set; +- priv->fn_lock.led.flags = LED_BRIGHT_HW_CHANGED; ++ priv->fn_lock.led.flags = LED_BRIGHT_HW_CHANGED | LED_RETAIN_AT_SHUTDOWN; + + err = led_classdev_register(&priv->platform_device->dev, &priv->fn_lock.led); + 
if (err) diff --git a/queue-6.12/platform-x86-ideapad-laptop-fix-kbd-backlight-not-remembered-among-boots.patch b/queue-6.12/platform-x86-ideapad-laptop-fix-kbd-backlight-not-remembered-among-boots.patch new file mode 100644 index 0000000000..311c461d7c --- /dev/null +++ b/queue-6.12/platform-x86-ideapad-laptop-fix-kbd-backlight-not-remembered-among-boots.patch 
@@ -0,0 +1,45 @@ +From e10981075adce203eac0be866389309eeb8ef11e Mon Sep 17 00:00:00 2001 +From: Rong Zhang +Date: Tue, 8 Jul 2025 00:38:07 +0800 +Subject: platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rong Zhang + +commit e10981075adce203eac0be866389309eeb8ef11e upstream. + +On some models supported by ideapad-laptop, the HW/FW can remember the +state of keyboard backlight among boots. However, it is always turned +off while shutting down, as a side effect of the LED class device +unregistering sequence. + +This is inconvenient for users who always prefer turning on the +keyboard backlight. Thus, set LED_RETAIN_AT_SHUTDOWN on the LED class +device so that the state of keyboard backlight gets remembered, which +also aligns with the behavior of manufacturer utilities on Windows. + +Fixes: 503325f84bc0 ("platform/x86: ideapad-laptop: add keyboard backlight control support") +Cc: stable@vger.kernel.org +Signed-off-by: Rong Zhang +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20250707163808.155876-3-i@rong.moe +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/ideapad-laptop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -1672,7 +1672,7 @@ static int ideapad_kbd_bl_init(struct id + priv->kbd_bl.led.name = "platform::" LED_FUNCTION_KBD_BACKLIGHT; + priv->kbd_bl.led.brightness_get = ideapad_kbd_bl_led_cdev_brightness_get; + priv->kbd_bl.led.brightness_set_blocking = ideapad_kbd_bl_led_cdev_brightness_set; +- priv->kbd_bl.led.flags = LED_BRIGHT_HW_CHANGED; ++ priv->kbd_bl.led.flags = LED_BRIGHT_HW_CHANGED | LED_RETAIN_AT_SHUTDOWN; + + err = led_classdev_register(&priv->platform_device->dev, &priv->kbd_bl.led); + if (err) 
diff --git a/queue-6.12/resource-fix-false-warning-in-__request_region.patch b/queue-6.12/resource-fix-false-warning-in-__request_region.patch
new file mode 100644
index 0000000000..7fe3fa6966
--- /dev/null
+++ b/queue-6.12/resource-fix-false-warning-in-__request_region.patch
@@ -0,0 +1,51 @@
+From 91a229bb7ba86b2592c3f18c54b7b2c5e6fe0f95 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita
+Date: Sat, 19 Jul 2025 20:26:04 +0900
+Subject: resource: fix false warning in __request_region()
+
+From: Akinobu Mita
+
+commit 91a229bb7ba86b2592c3f18c54b7b2c5e6fe0f95 upstream.
+
+A warning is raised when __request_region() detects a conflict with a
+resource whose resource.desc is IORES_DESC_DEVICE_PRIVATE_MEMORY.
+
+But this warning is only valid for iomem_resources.
+The hmem device resource uses resource.desc as the numa node id, which can
+cause spurious warnings.
+
+This warning appeared on a machine with multiple cxl memory expanders.
+One of the NUMA node id is 6, which is the same as the value of
+IORES_DESC_DEVICE_PRIVATE_MEMORY.
+
+In this environment it was just a spurious warning, but when I saw the
+warning I suspected a real problem so it's better to fix it.
+
+This change fixes this by restricting the warning to only iomem_resource.
+This also adds a missing new line to the warning message.
+
+Link: https://lkml.kernel.org/r/20250719112604.25500-1-akinobu.mita@gmail.com
+Fixes: 7dab174e2e27 ("dax/hmem: Move hmem device registration to dax_hmem.ko")
+Signed-off-by: Akinobu Mita
+Reviewed-by: Dan Williams
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/resource.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -1268,8 +1268,9 @@ static int __request_region_locked(struc
+ * become unavailable to other users. Conflicts are
+ * not expected. Warn to aid debugging if encountered.
+ */
+- if (conflict->desc == IORES_DESC_DEVICE_PRIVATE_MEMORY) {
+- pr_warn("Unaddressable device %s %pR conflicts with %pR",
++ if (parent == &iomem_resource &&
++ conflict->desc == IORES_DESC_DEVICE_PRIVATE_MEMORY) {
++ pr_warn("Unaddressable device %s %pR conflicts with %pR\n",
+ conflict->name, conflict, res);
+ }
+ if (conflict != parent) {
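Review bot: The block comment above the check in `__request_region_locked()` still reads as if the warning covers any conflict, while the new condition limits it to `parent == &iomem_resource`. Since the commit message says other resource trees (hmem) reuse `desc` for a NUMA node id, I would extend the comment with a line such as `* Only checked under iomem_resource: other trees may reuse ->desc for unrelated values.`. The test compares against the root resource itself, and the `if (conflict != parent)` that follows suggests `parent` may be reassigned as the search descends. If so, a device-private conflict found below the root would presumably no longer warn; that code is outside the hunk and worth confirming.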
diff --git a/queue-6.12/selftests-mptcp-connect-also-cover-alt-modes.patch b/queue-6.12/selftests-mptcp-connect-also-cover-alt-modes.patch new file mode 100644 index 0000000000..2b842a2f6e --- /dev/null +++ b/queue-6.12/selftests-mptcp-connect-also-cover-alt-modes.patch 
@@ -0,0 +1,64 @@ +From 37848a456fc38c191aedfe41f662cc24db8c23d9 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 15 Jul 2025 20:43:28 +0200 +Subject: selftests: mptcp: connect: also cover alt modes + +From: Matthieu Baerts (NGI0) + +commit 37848a456fc38c191aedfe41f662cc24db8c23d9 upstream. + +The "mmap" and "sendfile" alternate modes for mptcp_connect.sh/.c are +available from the beginning, but only tested when mptcp_connect.sh is +manually launched with "-m mmap" or "-m sendfile", not via the +kselftests helpers. + +The MPTCP CI was manually running "mptcp_connect.sh -m mmap", but not +"-m sendfile". Plus other CIs, especially the ones validating the stable +releases, were not validating these alternate modes. + +To make sure these modes are validated by these CIs, add two new test +programs executing mptcp_connect.sh with the alternate modes. + +Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250715-net-mptcp-sft-connect-alt-v2-1-8230ddd82454@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/Makefile | 3 ++- + tools/testing/selftests/net/mptcp/mptcp_connect_mmap.sh | 5 +++++ + tools/testing/selftests/net/mptcp/mptcp_connect_sendfile.sh | 5 +++++ + 3 files changed, 12 insertions(+), 1 deletion(-) + create mode 100755 tools/testing/selftests/net/mptcp/mptcp_connect_mmap.sh + create mode 100755 tools/testing/selftests/net/mptcp/mptcp_connect_sendfile.sh + +--- a/tools/testing/selftests/net/mptcp/Makefile ++++ b/tools/testing/selftests/net/mptcp/Makefile +@@ -4,7 +4,8 @@ top_srcdir = ../../../../.. 
+ + CFLAGS += -Wall -Wl,--no-as-needed -O2 -g -I$(top_srcdir)/usr/include $(KHDR_INCLUDES) + +-TEST_PROGS := mptcp_connect.sh pm_netlink.sh mptcp_join.sh diag.sh \ ++TEST_PROGS := mptcp_connect.sh mptcp_connect_mmap.sh mptcp_connect_sendfile.sh \ ++ pm_netlink.sh mptcp_join.sh diag.sh \ + simult_flows.sh mptcp_sockopt.sh userspace_pm.sh + + TEST_GEN_FILES = mptcp_connect pm_nl_ctl mptcp_sockopt mptcp_inq +--- /dev/null ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect_mmap.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++MPTCP_LIB_KSFT_TEST="$(basename "${0}" .sh)" \ ++ "$(dirname "${0}")/mptcp_connect.sh" -m mmap "${@}" +--- /dev/null ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect_sendfile.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++MPTCP_LIB_KSFT_TEST="$(basename "${0}" .sh)" \ ++ "$(dirname "${0}")/mptcp_connect.sh" -m sendfile "${@}" diff --git a/queue-6.12/selftests-mptcp-connect-also-cover-checksum.patch b/queue-6.12/selftests-mptcp-connect-also-cover-checksum.patch new file mode 100644 index 0000000000..24654d87cd --- /dev/null +++ b/queue-6.12/selftests-mptcp-connect-also-cover-checksum.patch 
@@ -0,0 +1,48 @@ +From fdf0f60a2bb02ba581d9e71d583e69dd0714a521 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 15 Jul 2025 20:43:29 +0200 +Subject: selftests: mptcp: connect: also cover checksum + +From: Matthieu Baerts (NGI0) + +commit fdf0f60a2bb02ba581d9e71d583e69dd0714a521 upstream. + +The checksum mode has been added a while ago, but it is only validated +when manually launching mptcp_connect.sh with "-C". + +The different CIs were then not validating these MPTCP Connect tests +with checksum enabled. To make sure they do, add a new test program +executing mptcp_connect.sh with the checksum mode. + +Fixes: 94d66ba1d8e4 ("selftests: mptcp: enable checksum in mptcp_connect.sh") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250715-net-mptcp-sft-connect-alt-v2-2-8230ddd82454@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/Makefile | 2 +- + tools/testing/selftests/net/mptcp/mptcp_connect_checksum.sh | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + create mode 100755 tools/testing/selftests/net/mptcp/mptcp_connect_checksum.sh + +--- a/tools/testing/selftests/net/mptcp/Makefile ++++ b/tools/testing/selftests/net/mptcp/Makefile +@@ -5,7 +5,7 @@ top_srcdir = ../../../../.. 
+ CFLAGS += -Wall -Wl,--no-as-needed -O2 -g -I$(top_srcdir)/usr/include $(KHDR_INCLUDES) + + TEST_PROGS := mptcp_connect.sh mptcp_connect_mmap.sh mptcp_connect_sendfile.sh \ +- pm_netlink.sh mptcp_join.sh diag.sh \ ++ mptcp_connect_checksum.sh pm_netlink.sh mptcp_join.sh diag.sh \ + simult_flows.sh mptcp_sockopt.sh userspace_pm.sh + + TEST_GEN_FILES = mptcp_connect pm_nl_ctl mptcp_sockopt mptcp_inq +--- /dev/null ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect_checksum.sh +@@ -0,0 +1,5 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++MPTCP_LIB_KSFT_TEST="$(basename "${0}" .sh)" \ ++ "$(dirname "${0}")/mptcp_connect.sh" -C "${@}" diff --git a/queue-6.12/series b/queue-6.12/series index 6924a35a97..b6f293cfdd 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -36,3 +36,31 @@ net-hns3-fix-concurrent-setting-vlan-filter-issue.patch net-hns3-disable-interrupt-when-ptp-init-failed.patch net-hns3-fixed-vf-get-max-channels-bug.patch net-hns3-default-enable-tx-bounce-buffer-when-smmu-e.patch +platform-x86-ideapad-laptop-fix-fnlock-not-remembered-among-boots.patch +platform-x86-ideapad-laptop-fix-kbd-backlight-not-remembered-among-boots.patch +drm-amdgpu-reset-the-clear-flag-in-buddy-during-resume.patch +drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch +mm-ksm-fix-wsometimes-uninitialized-from-clang-21-in-advisor_mode_show.patch +arm-9450-1-fix-allowing-linker-dce-with-binutils-2.36.patch +timekeeping-zero-initialize-system_counterval-when-querying-time-from-phc-drivers.patch +i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch +i2c-tegra-fix-reset-error-handling-with-acpi.patch +i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch +bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch +sprintf.h-requires-stdarg.h.patch +alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch +alsa-hda-realtek-add-mute-led-support-for-hp-victus-15-fa0xxx.patch +arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch +dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch +dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch +e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch +e1000e-ignore-uninitialized-checksum-word-on-tgp.patch +gve-fix-stuck-tx-queue-for-dq-queue-format.patch +ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch +kasan-use-vmalloc_dump_obj-for-vmalloc-error-reports.patch +nilfs2-reject-invalid-file-types-when-reading-inodes.patch +resource-fix-false-warning-in-__request_region.patch +selftests-mptcp-connect-also-cover-alt-modes.patch +selftests-mptcp-connect-also-cover-checksum.patch 
+mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list.patch +mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch diff --git a/queue-6.12/sprintf.h-requires-stdarg.h.patch b/queue-6.12/sprintf.h-requires-stdarg.h.patch new file mode 100644 index 0000000000..96cb5bb9f6 --- /dev/null +++ b/queue-6.12/sprintf.h-requires-stdarg.h.patch @@ -0,0 +1,41 @@ +From 0dec7201788b9152f06321d0dab46eed93834cda Mon Sep 17 00:00:00 2001 +From: Stephen Rothwell +Date: Mon, 21 Jul 2025 16:15:57 +1000 +Subject: sprintf.h requires stdarg.h + +From: Stephen Rothwell + +commit 0dec7201788b9152f06321d0dab46eed93834cda upstream. + +In file included from drivers/crypto/intel/qat/qat_common/adf_pm_dbgfs_utils.c:4: +include/linux/sprintf.h:11:54: error: unknown type name 'va_list' + 11 | __printf(2, 0) int vsprintf(char *buf, const char *, va_list); + | ^~~~~~~ +include/linux/sprintf.h:1:1: note: 'va_list' is defined in header ''; this is probably fixable by adding '#include ' + +Link: https://lkml.kernel.org/r/20250721173754.42865913@canb.auug.org.au +Fixes: 39ced19b9e60 ("lib/vsprintf: split out sprintf() and friends") +Signed-off-by: Stephen Rothwell +Cc: Andriy Shevchenko +Cc: Herbert Xu +Cc: Petr Mladek +Cc: Steven Rostedt +Cc: Rasmus Villemoes +Cc: Sergey Senozhatsky +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sprintf.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/sprintf.h ++++ b/include/linux/sprintf.h +@@ -4,6 +4,7 @@ + + #include + #include ++#include + + int num_to_str(char *buf, int size, unsigned long long num, unsigned int width); + diff --git a/queue-6.12/timekeeping-zero-initialize-system_counterval-when-querying-time-from-phc-drivers.patch b/queue-6.12/timekeeping-zero-initialize-system_counterval-when-querying-time-from-phc-drivers.patch new file mode 100644 index 0000000000..d564208a35 --- /dev/null 
+++ b/queue-6.12/timekeeping-zero-initialize-system_counterval-when-querying-time-from-phc-drivers.patch @@ -0,0 +1,45 @@ +From 67c632b4a7fbd6b76a08b86f4950f0f84de93439 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Markus=20Bl=C3=B6chl?= +Date: Sun, 20 Jul 2025 15:54:51 +0200 +Subject: timekeeping: Zero initialize system_counterval when querying time from phc drivers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Blöchl + +commit 67c632b4a7fbd6b76a08b86f4950f0f84de93439 upstream. + +Most drivers only populate the fields cycles and cs_id of system_counterval +in their get_time_fn() callback for get_device_system_crosststamp(), unless +they explicitly provide nanosecond values. + +When the use_nsecs field was added to struct system_counterval, most +drivers did not care. Clock sources other than CSID_GENERIC could then get +converted in convert_base_to_cs() based on an uninitialized use_nsecs field, +which usually results in -EINVAL during the following range check. + +Pass in a fully zero initialized system_counterval_t to cure that. + +Fixes: 6b2e29977518 ("timekeeping: Provide infrastructure for converting to/from a base clock") +Signed-off-by: Markus Blöchl +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250720-timekeeping_uninit_crossts-v2-1-f513c885b7c2@blochl.de +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/timekeeping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1218,7 +1218,7 @@ int get_device_system_crosststamp(int (* + struct system_time_snapshot *history_begin, + struct system_device_crosststamp *xtstamp) + { +- struct system_counterval_t system_counterval; ++ struct system_counterval_t system_counterval = {}; + struct timekeeper *tk = &tk_core.timekeeper; + u64 cycles, now, interval_start; + unsigned int clock_was_set_seq = 0; -- 2.47.2
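Review bot: `struct system_counterval_t system_counterval = {};` stops a read of an uninitialized stack field, but the line gives no hint that the zeroing is load-bearing, so a later cleanup could drop it. A comment such as `/* zeroed: get_time_fn() callbacks may fill only cycles and cs_id, leaving use_nsecs unset */` would record the contract described in the commit message. The rest of `get_device_system_crosststamp()` is outside the hunk.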