From: Greg Kroah-Hartman Date: Mon, 5 Jan 2026 11:36:00 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.12.64~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=34f2262a8b6c93e3c62a267b25cd8f5059df07d7;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: dm-bufio-align-write-boundary-on-physical-block-size.patch dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch loongarch-correct-the-calculation-logic-of-thread_count.patch loongarch-fix-build-errors-for-config_randstruct.patch loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch loongarch-use-unsigned-long-for-_end-and-_text.patch media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch media-cec-fix-debugfs-leak-on-bus_register-failure.patch media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch media-platform-mtk-mdp3-fix-device-leaks-at-probe.patch media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch media-vpif_capture-fix-section-mismatch.patch media-vpif_display-fix-section-mismatch.patch mm-damon-tests-core-kunit-handle-alloc-failure-on-damon_test_set_attrs.patch mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_ops_registration.patch mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_set_regions.patch mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_update_monitoring_result.patch mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_merge_two.patch mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_at.patch mm-damon-tests-core-kunit-handle-alloc-failures-on-dasmon_test_merge_regions_of.patch mm-damon-tests-core-kunit-handle-allocation-failures-in-damon_test_regions.patch mm-damon-tests-core-kunit-handle-memory-alloc-failure-from-damon_test_aggregate.patch mm-damon-tests-core-kunit-handle-memory-failure-from-damon_test_target.patch mm-damon-tests-sysfs-kunit-handle-alloc-failures-on-damon_sysfs_test_add_targets.patch mm-damon-tests-vaddr-kunit-handle-alloc-failures-in-damon_test_split_evenly_fail.patch mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_test_split_evenly_succ.patch mtd-mtdpart-ignore-error-enoent-from-parsers-on-subpartitions.patch mtd-spi-nor-winbond-add-support-for-w25h01nwxxam-chips.patch mtd-spi-nor-winbond-add-support-for-w25h02nwxxam-chips.patch mtd-spi-nor-winbond-add-support-for-w25h512nwxxam-chips.patch mtd-spi-nor-winbond-add-support-for-w25q01nwxxim-chips.patch mtd-spi-nor-winbond-add-support-for-w25q01nwxxiq-chips.patch mtd-spi-nor-winbond-add-support-for-w25q02nwxxim-chips.patch parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch perf-x86-amd-uncore-fix-the-return-value-of-amd_uncore_df_event_init-on-error.patch powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch --- diff --git a/queue-6.12/dm-bufio-align-write-boundary-on-physical-block-size.patch b/queue-6.12/dm-bufio-align-write-boundary-on-physical-block-size.patch new file mode 100644 index 0000000000..a94ce8a58a --- /dev/null +++ b/queue-6.12/dm-bufio-align-write-boundary-on-physical-block-size.patch @@ -0,0 +1,53 @@ +From d0ac06ae53be0cdb61f5fe6b62d25d3317c51657 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 20 Oct 2025 14:48:13 +0200 +Subject: dm-bufio: align write boundary on physical block size + +From: Mikulas Patocka + +commit d0ac06ae53be0cdb61f5fe6b62d25d3317c51657 upstream. + +There may be devices with physical block size larger than 4k. + +If dm-bufio sends I/O that is not aligned on physical block size, +performance is degraded. + +The 4k minimum alignment limit is there because some SSDs report logical +and physical block size 512 despite having 4k internally - so dm-bufio +shouldn't send I/Os not aligned on 4k boundary, because they perform +badly (the SSD does read-modify-write for them). + +Signed-off-by: Mikulas Patocka +Reported-by: Uladzislau Rezki (Sony) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-bufio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -1375,7 +1375,7 @@ static void submit_io(struct dm_buffer * + { + unsigned int n_sectors; + sector_t sector; +- unsigned int offset, end; ++ unsigned int offset, end, align; + + b->end_io = end_io; + +@@ -1389,9 +1389,11 @@ static void submit_io(struct dm_buffer * + b->c->write_callback(b); + offset = b->write_start; + end = b->write_end; +- offset &= -DM_BUFIO_WRITE_ALIGN; +- end += DM_BUFIO_WRITE_ALIGN - 1; +- end &= -DM_BUFIO_WRITE_ALIGN; ++ align = max(DM_BUFIO_WRITE_ALIGN, ++ bdev_physical_block_size(b->c->bdev)); ++ offset &= -align; ++ end += align - 1; ++ end &= -align; + if (unlikely(end > b->c->block_size)) + end = b->c->block_size; + diff --git a/queue-6.12/dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch b/queue-6.12/dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch new file mode 100644 index 0000000000..95c7e32571 --- /dev/null +++ b/queue-6.12/dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch @@ -0,0 +1,118 @@ +From 7fa3e7d114abc9cc71cc35d768e116641074ddb4 Mon Sep 17 00:00:00 2001 +From: "Uladzislau Rezki (Sony)" +Date: Mon, 17 Nov 2025 11:59:45 +0100 +Subject: dm-ebs: Mark full buffer dirty even on partial write + +From: Uladzislau Rezki (Sony) + +commit 7fa3e7d114abc9cc71cc35d768e116641074ddb4 upstream. + +When performing a read-modify-write(RMW) operation, any modification +to a buffered block must cause the entire buffer to be marked dirty. + +Marking only a subrange as dirty is incorrect because the underlying +device block size(ubs) defines the minimum read/write granularity. A +lower device can perform I/O only on regions which are fully aligned +and sized to ubs. + +This change ensures that write-back operations always occur in full +ubs-sized chunks, matching the intended emulation semantics of the +EBS target. + +As for user space visible impact, submitting sub-ubs and misaligned +I/O for devices which are tuned to ubs sizes only, will reject such +requests, therefore it can lead to losing data. Example: + +1) Create a 8K nvme device in qemu by adding + +-device nvme,drive=drv0,serial=foo,logical_block_size=8192,physical_block_size=8192 + +2) Setup dm-ebs to emulate 512B to 8K mapping + +urezki@pc638:~/bin$ cat dmsetup.sh + +lower=/dev/nvme0n1 +len=$(blockdev --getsz "$lower") + +echo "0 $len ebs $lower 0 1 16" | dmsetup create nvme-8k +urezki@pc638:~/bin$ + +offset 0, ebs=1 and ubs=16(in sectors). + +3) Create an ext4 filesystem(default 4K block size) + +urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0 +mke2fs 1.47.0 (5-Feb-2023) +Discarding device blocks: done +Creating filesystem with 2072576 4k blocks and 518144 inodes +Filesystem UUID: bd0b6ca6-0506-4e31-86da-8d22c9d50b63 +Superblock backups stored on blocks: + 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632 + +Allocating group tables: done +Writing inode tables: done +Creating journal (16384 blocks): done +Writing superblocks and filesystem accounting information: mkfs.ext4: Input/output error while writing out and closing file system +urezki@pc638:~/bin$ dmesg + + +[ 1618.875449] buffer_io_error: 1028 callbacks suppressed +[ 1618.875456] Buffer I/O error on dev dm-0, logical block 0, lost async page write +[ 1618.875527] Buffer I/O error on dev dm-0, logical block 1, lost async page write +[ 1618.875602] Buffer I/O error on dev dm-0, logical block 2, lost async page write +[ 1618.875620] Buffer I/O error on dev dm-0, logical block 3, lost async page write +[ 1618.875639] Buffer I/O error on dev dm-0, logical block 4, lost async page write +[ 1618.894316] Buffer I/O error on dev dm-0, logical block 5, lost async page write +[ 1618.894358] Buffer I/O error on dev dm-0, logical block 6, lost async page write +[ 1618.894380] Buffer I/O error on dev dm-0, logical block 7, lost async page write +[ 1618.894405] Buffer I/O error on dev dm-0, logical block 8, lost async page write +[ 1618.894427] Buffer I/O error on dev dm-0, logical block 9, lost async page write + + +Many I/O errors because the lower 8K device rejects sub-ubs/misaligned +requests. + +with a patch: + +urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0 +mke2fs 1.47.0 (5-Feb-2023) +Discarding device blocks: done +Creating filesystem with 2072576 4k blocks and 518144 inodes +Filesystem UUID: 9b54f44f-ef55-4bd4-9e40-c8b775a616ac +Superblock backups stored on blocks: + 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632 + +Allocating group tables: done +Writing inode tables: done +Creating journal (16384 blocks): done +Writing superblocks and filesystem accounting information: done + +urezki@pc638:~/bin$ sudo mount /dev/dm-0 /mnt/ +urezki@pc638:~/bin$ ls -al /mnt/ +total 24 +drwxr-xr-x 3 root root 4096 Oct 17 15:13 . +drwxr-xr-x 19 root root 4096 Jul 10 19:42 .. +drwx------ 2 root root 16384 Oct 17 15:13 lost+found +urezki@pc638:~/bin$ + +After this change: mkfs completes; mount succeeds. + +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ebs-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ebs-target.c ++++ b/drivers/md/dm-ebs-target.c +@@ -103,7 +103,7 @@ static int __ebs_rw_bvec(struct ebs_c *e + } else { + flush_dcache_page(bv->bv_page); + memcpy(ba, pa, cur_len); +- dm_bufio_mark_partial_buffer_dirty(b, buf_off, buf_off + cur_len); ++ dm_bufio_mark_buffer_dirty(b); + } + + dm_bufio_release(b); diff --git a/queue-6.12/fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch b/queue-6.12/fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch new file mode 100644 index 0000000000..e3dcc62b2d --- /dev/null +++ b/queue-6.12/fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch @@ -0,0 +1,53 @@ +From e3f44742bbb10537fe53d83d20dea2a7c167674d Mon Sep 17 00:00:00 2001 +From: Rene Rebe +Date: Fri, 14 Nov 2025 16:00:42 +0100 +Subject: fbdev: gbefb: fix to use physical address instead of dma address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rene Rebe + +commit e3f44742bbb10537fe53d83d20dea2a7c167674d upstream. + +While debuggigng why X would not start on mips64 Sgi/O2 I found the +phys adress being off. Turns out the gbefb passed the internal +dma_addr as phys. May be broken pre git history. Fix by converting +dma_to_phys. + +Signed-off-by: René Rebe +Cc: # v4.0+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/gbefb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/gbefb.c ++++ b/drivers/video/fbdev/gbefb.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -65,7 +66,7 @@ struct gbefb_par { + static unsigned int gbe_mem_size = CONFIG_FB_GBE_MEM * 1024*1024; + static void *gbe_mem; + static dma_addr_t gbe_dma_addr; +-static unsigned long gbe_mem_phys; ++static phys_addr_t gbe_mem_phys; + + static struct { + uint16_t *cpu; +@@ -1183,7 +1184,7 @@ static int gbefb_probe(struct platform_d + goto out_release_mem_region; + } + +- gbe_mem_phys = (unsigned long) gbe_dma_addr; ++ gbe_mem_phys = dma_to_phys(&p_dev->dev, gbe_dma_addr); + } + + par = info->par; diff --git a/queue-6.12/fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch b/queue-6.12/fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch new file mode 100644 index 0000000000..b24a2637e4 --- /dev/null +++ b/queue-6.12/fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch @@ -0,0 +1,43 @@ +From 0155e868cbc111846cc2809c1546ea53810a56ae Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Tue, 2 Dec 2025 19:15:32 +0100 +Subject: fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing + +From: Thorsten Blum + +commit 0155e868cbc111846cc2809c1546ea53810a56ae upstream. + +The variables were never clamped because the return value of clamp_val() +was not used. Fix this by assigning the clamped values, and use clamp() +instead of clamp_val(). + +Cc: stable@vger.kernel.org +Fixes: 3f16ff608a75 ("[ARM] pxafb: cleanup of the timing checking code") +Signed-off-by: Thorsten Blum +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/pxafb.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -418,12 +418,12 @@ static int pxafb_adjust_timing(struct px + var->yres = max_t(int, var->yres, MIN_YRES); + + if (!(fbi->lccr0 & LCCR0_LCDT)) { +- clamp_val(var->hsync_len, 1, 64); +- clamp_val(var->vsync_len, 1, 64); +- clamp_val(var->left_margin, 1, 255); +- clamp_val(var->right_margin, 1, 255); +- clamp_val(var->upper_margin, 1, 255); +- clamp_val(var->lower_margin, 1, 255); ++ var->hsync_len = clamp(var->hsync_len, 1, 64); ++ var->vsync_len = clamp(var->vsync_len, 1, 64); ++ var->left_margin = clamp(var->left_margin, 1, 255); ++ var->right_margin = clamp(var->right_margin, 1, 255); ++ var->upper_margin = clamp(var->upper_margin, 1, 255); ++ var->lower_margin = clamp(var->lower_margin, 1, 255); + } + + /* make sure each line is aligned on word boundary */ diff --git a/queue-6.12/fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch b/queue-6.12/fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch new file mode 100644 index 0000000000..50e3e62755 --- /dev/null +++ b/queue-6.12/fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch @@ -0,0 +1,39 @@ +From 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ren=C3=A9=20Rebe?= +Date: Thu, 20 Nov 2025 14:24:00 +0100 +Subject: fbdev: tcx.c fix mem_map to correct smem_start offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René Rebe + +commit 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e upstream. + +403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") changed the +physbase initializing breaking the user-space mmap, e.g. for Xorg +entirely. + +Fix fbdev mmap table so the sbus mmap helper work correctly, and +not try to map vastly (physbase) offset memory. + +Fixes: 403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") +Cc: +Signed-off-by: René Rebe +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/tcx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/tcx.c ++++ b/drivers/video/fbdev/tcx.c +@@ -428,7 +428,7 @@ static int tcx_probe(struct platform_dev + j = i; + break; + } +- par->mmap_map[i].poff = op->resource[j].start; ++ par->mmap_map[i].poff = op->resource[j].start - info->fix.smem_start; + } + + info->fbops = &tcx_ops; diff --git a/queue-6.12/firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch b/queue-6.12/firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch new file mode 100644 index 0000000000..308a8b455e --- /dev/null +++ b/queue-6.12/firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch @@ -0,0 +1,80 @@ +From 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b Mon Sep 17 00:00:00 2001 +From: Mahesh Rao +Date: Mon, 27 Oct 2025 22:54:40 +0800 +Subject: firmware: stratix10-svc: Add mutex in stratix10 memory management + +From: Mahesh Rao + +commit 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b upstream. + +Add mutex lock to stratix10_svc_allocate_memory and +stratix10_svc_free_memory for thread safety. This prevents race +conditions and ensures proper synchronization during memory operations. +This is required for parallel communication with the Stratix10 service +channel. + +Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver") +Cc: stable@vger.kernel.org +Signed-off-by: Mahesh Rao +Reviewed-by: Matthew Gerlach +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + /* + * Copyright (C) 2017-2018, Intel Corporation ++ * Copyright (C) 2025, Altera Corporation + */ + + #include +@@ -176,6 +177,12 @@ static LIST_HEAD(svc_ctrl); + static LIST_HEAD(svc_data_mem); + + /** ++ * svc_mem_lock protects access to the svc_data_mem list for ++ * concurrent multi-client operations ++ */ ++static DEFINE_MUTEX(svc_mem_lock); ++ ++/** + * svc_pa_to_va() - translate physical address to virtual address + * @addr: to be translated physical address + * +@@ -187,6 +194,7 @@ static void *svc_pa_to_va(unsigned long + struct stratix10_svc_data_mem *pmem; + + pr_debug("claim back P-addr=0x%016x\n", (unsigned int)addr); ++ guard(mutex)(&svc_mem_lock); + list_for_each_entry(pmem, &svc_data_mem, node) + if (pmem->paddr == addr) + return pmem->vaddr; +@@ -996,6 +1004,7 @@ int stratix10_svc_send(struct stratix10_ + p_data->flag = ct->flags; + } + } else { ++ guard(mutex)(&svc_mem_lock); + list_for_each_entry(p_mem, &svc_data_mem, node) + if (p_mem->vaddr == p_msg->payload) { + p_data->paddr = p_mem->paddr; +@@ -1078,6 +1087,7 @@ void *stratix10_svc_allocate_memory(stru + if (!pmem) + return ERR_PTR(-ENOMEM); + ++ guard(mutex)(&svc_mem_lock); + va = gen_pool_alloc(genpool, s); + if (!va) + return ERR_PTR(-ENOMEM); +@@ -1106,6 +1116,7 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate + void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr) + { + struct stratix10_svc_data_mem *pmem; ++ guard(mutex)(&svc_mem_lock); + + list_for_each_entry(pmem, &svc_data_mem, node) + if (pmem->vaddr == kaddr) { diff --git a/queue-6.12/loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch b/queue-6.12/loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch new file mode 100644 index 0000000000..7362342781 --- /dev/null +++ b/queue-6.12/loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch @@ -0,0 +1,36 @@ +From bf3fa8f232a1eec8d7b88dcd9e925e60f04f018d Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Sat, 6 Dec 2025 10:39:49 +0800 +Subject: LoongArch: Add new PCI ID for pci_fixup_vgadev() + +From: Huacai Chen + +commit bf3fa8f232a1eec8d7b88dcd9e925e60f04f018d upstream. + +Loongson-2K3000 has a new PCI ID (0x7a46) for its display controller, +Add it for pci_fixup_vgadev() since we prefer a discrete graphics card +as default boot device if present. + +Cc: stable@vger.kernel.org +Signed-off-by: Tianrui Zhao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/pci/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/loongarch/pci/pci.c ++++ b/arch/loongarch/pci/pci.c +@@ -15,6 +15,7 @@ + #define PCI_DEVICE_ID_LOONGSON_HOST 0x7a00 + #define PCI_DEVICE_ID_LOONGSON_DC1 0x7a06 + #define PCI_DEVICE_ID_LOONGSON_DC2 0x7a36 ++#define PCI_DEVICE_ID_LOONGSON_DC3 0x7a46 + + int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn, + int reg, int len, u32 *val) +@@ -98,3 +99,4 @@ static void pci_fixup_vgadev(struct pci_ + } + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC1, pci_fixup_vgadev); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC2, pci_fixup_vgadev); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC3, pci_fixup_vgadev); diff --git a/queue-6.12/loongarch-correct-the-calculation-logic-of-thread_count.patch b/queue-6.12/loongarch-correct-the-calculation-logic-of-thread_count.patch new file mode 100644 index 0000000000..5ea0a1f535 --- /dev/null +++ b/queue-6.12/loongarch-correct-the-calculation-logic-of-thread_count.patch @@ -0,0 +1,49 @@ +From 1de0ae21f136efa6c5d8a4d3e07b7d1ca39c750f Mon Sep 17 00:00:00 2001 +From: Qiang Ma +Date: Sat, 6 Dec 2025 10:39:49 +0800 +Subject: LoongArch: Correct the calculation logic of thread_count + +From: Qiang Ma + +commit 1de0ae21f136efa6c5d8a4d3e07b7d1ca39c750f upstream. + +For thread_count, the current calculation method has a maximum of 255, +which may not be sufficient in the future. Therefore, we are correcting +it now. + +Reference: SMBIOS Specification, 7.5 Processor Information (Type 4)[1] + +[1]: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.9.0.pdf + +Cc: stable@vger.kernel.org +Signed-off-by: Qiang Ma +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/setup.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/arch/loongarch/kernel/setup.c ++++ b/arch/loongarch/kernel/setup.c +@@ -56,6 +56,7 @@ + #define SMBIOS_FREQLOW_MASK 0xFF + #define SMBIOS_CORE_PACKAGE_OFFSET 0x23 + #define SMBIOS_THREAD_PACKAGE_OFFSET 0x25 ++#define SMBIOS_THREAD_PACKAGE_2_OFFSET 0x2E + #define LOONGSON_EFI_ENABLE (1 << 3) + + unsigned long fw_arg0, fw_arg1, fw_arg2; +@@ -126,7 +127,12 @@ static void __init parse_cpu_table(const + cpu_clock_freq = freq_temp * 1000000; + + loongson_sysconf.cpuname = (void *)dmi_string_parse(dm, dmi_data[16]); +- loongson_sysconf.cores_per_package = *(dmi_data + SMBIOS_THREAD_PACKAGE_OFFSET); ++ loongson_sysconf.cores_per_package = *(u8 *)(dmi_data + SMBIOS_THREAD_PACKAGE_OFFSET); ++ if (dm->length >= 0x30 && loongson_sysconf.cores_per_package == 0xff) { ++ /* SMBIOS 3.0+ has ThreadCount2 for more than 255 threads */ ++ loongson_sysconf.cores_per_package = ++ *(u16 *)(dmi_data + SMBIOS_THREAD_PACKAGE_2_OFFSET); ++ } + + pr_info("CpuClock = %llu\n", cpu_clock_freq); + } diff --git a/queue-6.12/loongarch-fix-build-errors-for-config_randstruct.patch b/queue-6.12/loongarch-fix-build-errors-for-config_randstruct.patch new file mode 100644 index 0000000000..6ca8189f70 --- /dev/null +++ b/queue-6.12/loongarch-fix-build-errors-for-config_randstruct.patch @@ -0,0 +1,38 @@ +From 3c250aecef62da81deb38ac6738ac0a88d91f1fc Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Sat, 6 Dec 2025 10:39:40 +0800 +Subject: LoongArch: Fix build errors for CONFIG_RANDSTRUCT + +From: Huacai Chen + +commit 3c250aecef62da81deb38ac6738ac0a88d91f1fc upstream. + +When CONFIG_RANDSTRUCT enabled, members of task_struct are randomized. +There is a chance that TASK_STACK_CANARY be out of 12bit immediate's +range and causes build errors. TASK_STACK_CANARY is naturally aligned, +so fix it by replacing ld.d/st.d with ldptr.d/stptr.d which have 14bit +immediates. + +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202511240656.0NaPcJs1-lkp@intel.com/ +Suggested-by: Rui Wang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/switch.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/kernel/switch.S ++++ b/arch/loongarch/kernel/switch.S +@@ -25,8 +25,8 @@ SYM_FUNC_START(__switch_to) + stptr.d a4, a0, THREAD_SCHED_CFA + #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_SMP) + la t7, __stack_chk_guard +- LONG_L t8, a1, TASK_STACK_CANARY +- LONG_S t8, t7, 0 ++ ldptr.d t8, a1, TASK_STACK_CANARY ++ stptr.d t8, t7, 0 + #endif + move tp, a2 + cpu_restore_nonscratch a1 diff --git a/queue-6.12/loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch b/queue-6.12/loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch new file mode 100644 index 0000000000..556b89b8f1 --- /dev/null +++ b/queue-6.12/loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch @@ -0,0 +1,57 @@ +From 4a71df151e703b5e7e85b33369cee59ef2665e61 Mon Sep 17 00:00:00 2001 +From: Yuli Wang +Date: Sat, 6 Dec 2025 10:39:48 +0800 +Subject: LoongArch: Use __pmd()/__pte() for swap entry conversions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: WangYuli + +commit 4a71df151e703b5e7e85b33369cee59ef2665e61 upstream. + +The __pmd() and __pte() helper macros provide the correct initialization +syntax and abstraction for the pmd_t and pte_t types. + +Use __pmd() to fix follow warning about __swp_entry_to_pmd() with gcc-15 +under specific configs [1] : + + In file included from ./include/linux/pgtable.h:6, + from ./include/linux/mm.h:31, + from ./include/linux/pagemap.h:8, + from arch/loongarch/mm/init.c:14: + ./include/linux/swapops.h: In function ‘swp_entry_to_pmd’: + ./arch/loongarch/include/asm/pgtable.h:302:34: error: missing braces around initializer [-Werror=missing-braces] + 302 | #define __swp_entry_to_pmd(x) ((pmd_t) { (x).val | _PAGE_HUGE }) + | ^ + ./include/linux/swapops.h:559:16: note: in expansion of macro ‘__swp_entry_to_pmd’ + 559 | return __swp_entry_to_pmd(arch_entry); + | ^~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +Also update __swp_entry_to_pte() to use __pte() for consistency. + +[1]. https://download.01.org/0day-ci/archive/20251119/202511190316.luI90kAo-lkp@intel.com/config + +Cc: stable@vger.kernel.org +Signed-off-by: Yuli Wang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/include/asm/pgtable.h ++++ b/arch/loongarch/include/asm/pgtable.h +@@ -295,9 +295,9 @@ static inline pte_t mk_swap_pte(unsigned + #define __swp_offset(x) ((x).val >> 24) + #define __swp_entry(type, offset) ((swp_entry_t) { pte_val(mk_swap_pte((type), (offset))) }) + #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val(pte) }) +-#define __swp_entry_to_pte(x) ((pte_t) { (x).val }) ++#define __swp_entry_to_pte(x) __pte((x).val) + #define __pmd_to_swp_entry(pmd) ((swp_entry_t) { pmd_val(pmd) }) +-#define __swp_entry_to_pmd(x) ((pmd_t) { (x).val | _PAGE_HUGE }) ++#define __swp_entry_to_pmd(x) __pmd((x).val | _PAGE_HUGE) + + static inline int pte_swp_exclusive(pte_t pte) + { diff --git a/queue-6.12/loongarch-use-unsigned-long-for-_end-and-_text.patch b/queue-6.12/loongarch-use-unsigned-long-for-_end-and-_text.patch new file mode 100644 index 0000000000..4e71c0903f --- /dev/null +++ b/queue-6.12/loongarch-use-unsigned-long-for-_end-and-_text.patch @@ -0,0 +1,41 @@ +From a258a3cb1895e3acf5f2fe245d17426e894bc935 Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang +Date: Sat, 6 Dec 2025 10:39:48 +0800 +Subject: LoongArch: Use unsigned long for _end and _text + +From: Tiezhu Yang + +commit a258a3cb1895e3acf5f2fe245d17426e894bc935 upstream. + +It is better to use unsigned long rather than long for _end and _text to +calculate the kernel length. + +Cc: stable@vger.kernel.org # v6.3+ +Fixes: e5f02b51fa0c ("LoongArch: Add support for kernel address space layout randomization (KASLR)") +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/relocate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/kernel/relocate.c ++++ b/arch/loongarch/kernel/relocate.c +@@ -183,7 +183,7 @@ static inline void __init *determine_rel + if (kaslr_disabled()) + return destination; + +- kernel_length = (long)_end - (long)_text; ++ kernel_length = (unsigned long)_end - (unsigned long)_text; + + random_offset = get_random_boot() << 16; + random_offset &= (CONFIG_RANDOMIZE_BASE_MAX_OFFSET - 1); +@@ -232,7 +232,7 @@ unsigned long __init relocate_kernel(voi + early_memunmap(cmdline, COMMAND_LINE_SIZE); + + if (random_offset) { +- kernel_length = (long)(_end) - (long)(_text); ++ kernel_length = (unsigned long)(_end) - (unsigned long)(_text); + + /* Copy the kernel to it's new location */ + memcpy(location_new, _text, kernel_length); diff --git a/queue-6.12/media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch b/queue-6.12/media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch new file mode 100644 index 0000000000..96ad02dcc6 --- /dev/null +++ b/queue-6.12/media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch @@ -0,0 +1,57 @@ +From 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 Mon Sep 17 00:00:00 2001 +From: Ivan Abramov +Date: Wed, 3 Sep 2025 02:23:31 +0300 +Subject: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() + +From: Ivan Abramov + +commit 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 upstream. + +It's possible for cp_read() and hdmi_read() to return -EIO. Those +values are further used as indexes for accessing arrays. + +Fix that by checking return values where it's needed. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver") +Cc: stable@vger.kernel.org +Signed-off-by: Ivan Abramov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7842.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -2689,6 +2689,7 @@ static int adv7842_cp_log_status(struct + /* CP block */ + struct adv7842_state *state = to_state(sd); + struct v4l2_dv_timings timings; ++ int temp; + u8 reg_io_0x02 = io_read(sd, 0x02); + u8 reg_io_0x21 = io_read(sd, 0x21); + u8 reg_rep_0x77 = rep_read(sd, 0x77); +@@ -2811,8 +2812,9 @@ static int adv7842_cp_log_status(struct + (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ? + "(16-235)" : "(0-255)", + (reg_io_0x02 & 0x08) ? "enabled" : "disabled"); ++ temp = cp_read(sd, 0xf4) >> 4; + v4l2_info(sd, "Color space conversion: %s\n", +- csc_coeff_sel_rb[cp_read(sd, 0xf4) >> 4]); ++ temp < 0 ? "" : csc_coeff_sel_rb[temp]); + + if (!is_digital_input(sd)) + return 0; +@@ -2842,8 +2844,9 @@ static int adv7842_cp_log_status(struct + hdmi_read(sd, 0x5f)); + v4l2_info(sd, "AV Mute: %s\n", + (hdmi_read(sd, 0x04) & 0x40) ? "on" : "off"); ++ temp = hdmi_read(sd, 0x0b) >> 6; + v4l2_info(sd, "Deep color mode: %s\n", +- deep_color_mode_txt[hdmi_read(sd, 0x0b) >> 6]); ++ temp < 0 ? "" : deep_color_mode_txt[temp]); + + adv7842_log_infoframes(sd); + diff --git a/queue-6.12/media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch b/queue-6.12/media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch new file mode 100644 index 0000000000..ab02c99bec --- /dev/null +++ b/queue-6.12/media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch @@ -0,0 +1,44 @@ +From ae246b0032146e352c4c06a7bf03cd3d5bcb2ecd Mon Sep 17 00:00:00 2001 +From: Ming Qian +Date: Tue, 16 Sep 2025 14:10:07 +0800 +Subject: media: amphion: Cancel message work before releasing the VPU core + +From: Ming Qian + +commit ae246b0032146e352c4c06a7bf03cd3d5bcb2ecd upstream. + +To avoid accessing the VPU register after release of the VPU core, +cancel the message work and destroy the workqueue that handles the +VPU message before release of the VPU core. + +Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support") +Cc: stable@vger.kernel.org +Signed-off-by: Ming Qian +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/amphion/vpu_v4l2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/amphion/vpu_v4l2.c ++++ b/drivers/media/platform/amphion/vpu_v4l2.c +@@ -698,15 +698,15 @@ static int vpu_v4l2_release(struct vpu_i + { + vpu_trace(inst->vpu->dev, "%p\n", inst); + +- vpu_release_core(inst->core); +- put_device(inst->dev); +- + if (inst->workqueue) { + cancel_work_sync(&inst->msg_work); + destroy_workqueue(inst->workqueue); + inst->workqueue = NULL; + } + ++ vpu_release_core(inst->core); ++ put_device(inst->dev); ++ + v4l2_ctrl_handler_free(&inst->ctrl_handler); + mutex_destroy(&inst->lock); + diff --git a/queue-6.12/media-cec-fix-debugfs-leak-on-bus_register-failure.patch b/queue-6.12/media-cec-fix-debugfs-leak-on-bus_register-failure.patch new file mode 100644 index 0000000000..41fdafba12 --- /dev/null +++ b/queue-6.12/media-cec-fix-debugfs-leak-on-bus_register-failure.patch @@ -0,0 +1,35 @@ +From c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb Mon Sep 17 00:00:00 2001 +From: Haotian Zhang +Date: Mon, 29 Sep 2025 19:12:29 +0800 +Subject: media: cec: Fix debugfs leak on bus_register() failure + +From: Haotian Zhang + +commit c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb upstream. + +In cec_devnode_init(), the debugfs directory created with +debugfs_create_dir() is not removed if bus_register() fails. +This leaves a stale "cec" entry in debugfs and prevents +proper module reloading. + +Fix this by removing the debugfs directory in the error path. + +Fixes: a56960e8b406 ("[media] cec: add HDMI CEC framework (core)") +Cc: stable@vger.kernel.org +Signed-off-by: Haotian Zhang +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/core/cec-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/cec/core/cec-core.c ++++ b/drivers/media/cec/core/cec-core.c +@@ -420,6 +420,7 @@ static int __init cec_devnode_init(void) + + ret = bus_register(&cec_bus_type); + if (ret < 0) { ++ debugfs_remove_recursive(top_cec_dir); + unregister_chrdev_region(cec_dev_t, CEC_NUM_DEVICES); + pr_warn("cec: bus_register failed\n"); + return -EIO; diff --git a/queue-6.12/media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch b/queue-6.12/media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch new file mode 100644 index 0000000000..d87becdbb1 --- /dev/null +++ b/queue-6.12/media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch @@ -0,0 +1,50 @@ +From 8f34f24355a607b98ecd9924837aab13c676eeca Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 2 Sep 2025 09:53:37 +0800 +Subject: media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe + +From: Duoming Zhou + +commit 8f34f24355a607b98ecd9924837aab13c676eeca upstream. + +The delayed_work delayed_work_enable_hotplug is initialized with +INIT_DELAYED_WORK() in adv76xx_probe(), but it is never scheduled +anywhere in the probe function. + +Calling cancel_delayed_work() on a work that has never been +scheduled is redundant and unnecessary, as there is no pending +work to cancel. + +Remove the redundant cancel_delayed_work() from error handling +path and adjust the goto label accordingly to simplify the code +and avoid potential confusion. + +Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder") +Cc: stable@vger.kernel.org +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7604.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -3620,7 +3620,7 @@ static int adv76xx_probe(struct i2c_clie + err = media_entity_pads_init(&sd->entity, state->source_pad + 1, + state->pads); + if (err) +- goto err_work_queues; ++ goto err_i2c; + + /* Configure regmaps */ + err = configure_regmaps(state); +@@ -3661,8 +3661,6 @@ static int adv76xx_probe(struct i2c_clie + + err_entity: + media_entity_cleanup(&sd->entity); +-err_work_queues: +- cancel_delayed_work(&state->delayed_work_enable_hotplug); + err_i2c: + adv76xx_unregister_clients(state); + err_hdl: diff --git a/queue-6.12/media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch b/queue-6.12/media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch new file mode 100644 index 0000000000..c641e5eb5f --- /dev/null +++ b/queue-6.12/media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch @@ -0,0 +1,50 @@ +From e66a5cc606c58e72f18f9cdd868a3672e918f9f8 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 2 Sep 2025 09:10:31 +0800 +Subject: media: i2c: adv7842: Remove redundant cancel_delayed_work in probe + +From: Duoming Zhou + +commit e66a5cc606c58e72f18f9cdd868a3672e918f9f8 upstream. + +The delayed_work delayed_work_enable_hotplug is initialized with +INIT_DELAYED_WORK() in adv7842_probe(), but it is never scheduled +anywhere in the probe function. + +Calling cancel_delayed_work() on a work that has never been +scheduled is redundant and unnecessary, as there is no pending +work to cancel. + +Remove the redundant cancel_delayed_work() from error handling +path and adjust the goto label accordingly to simplify the code +and avoid potential confusion. + +Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver") +Cc: stable@vger.kernel.org +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7842.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -3573,7 +3573,7 @@ static int adv7842_probe(struct i2c_clie + err = media_entity_pads_init(&sd->entity, ADV7842_PAD_SOURCE + 1, + state->pads); + if (err) +- goto err_work_queues; ++ goto err_i2c; + + err = adv7842_core_init(sd); + if (err) +@@ -3594,8 +3594,6 @@ static int adv7842_probe(struct i2c_clie + + err_entity: + media_entity_cleanup(&sd->entity); +-err_work_queues: +- cancel_delayed_work(&state->delayed_work_enable_hotplug); + err_i2c: + adv7842_unregister_clients(sd); + err_hdl: diff --git a/queue-6.12/media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch b/queue-6.12/media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch new file mode 100644 index 0000000000..3e3f1c4306 --- /dev/null +++ b/queue-6.12/media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch @@ -0,0 +1,42 @@ +From cdd0f118ef87db8a664fb5ea366fd1766d2df1cd Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Mon, 15 Sep 2025 20:09:38 +0800 +Subject: media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() + +From: Haoxiang Li + +commit cdd0f118ef87db8a664fb5ea366fd1766d2df1cd upstream. + +vpu_get_plat_device() increases the reference count of the returned +platform device. However, when devm_kzalloc() fails, the reference +is not released, causing a reference leak. + +Fix this by calling put_device() on fw_pdev->dev before returning +on the error path. + +Fixes: e25a89f743b1 ("media: mtk-vcodec: potential dereference of null pointer") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Tzung-Bi Shih +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c ++++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c +@@ -117,8 +117,10 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_ + vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_enc_handler, priv, rst_id); + + fw = devm_kzalloc(&plat_dev->dev, sizeof(*fw), GFP_KERNEL); +- if (!fw) ++ if (!fw) { ++ put_device(&fw_pdev->dev); + return ERR_PTR(-ENOMEM); ++ } + fw->type = VPU; + fw->ops = &mtk_vcodec_vpu_msg; + fw->pdev = fw_pdev; diff --git a/queue-6.12/media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch b/queue-6.12/media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch new file mode 100644 index 0000000000..77c68610d6 --- /dev/null +++ b/queue-6.12/media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch @@ -0,0 +1,39 @@ +From d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 Mon Sep 17 00:00:00 2001 +From: Ivan Abramov +Date: Wed, 3 Sep 2025 02:28:14 +0300 +Subject: media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() + +From: Ivan Abramov + +commit d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 upstream. + +It's possible for max1 to remain -1 if msp_read() always fail. This +variable is further used as index for accessing arrays. + +Fix that by checking max1 prior to array accesses. + +It seems that restart is the preferable action in case of out-of-bounds +value. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)") +Cc: stable@vger.kernel.org +Signed-off-by: Ivan Abramov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/msp3400-kthreads.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/i2c/msp3400-kthreads.c ++++ b/drivers/media/i2c/msp3400-kthreads.c +@@ -596,6 +596,8 @@ restart: + "carrier2 val: %5d / %s\n", val, cd[i].name); + } + ++ if (max1 < 0 || max1 > 3) ++ goto restart; + /* program the msp3400 according to the results */ + state->main = msp3400c_carrier_detect_main[max1].cdo; + switch (max1) { diff --git a/queue-6.12/media-platform-mtk-mdp3-fix-device-leaks-at-probe.patch b/queue-6.12/media-platform-mtk-mdp3-fix-device-leaks-at-probe.patch new file mode 100644 index 0000000000..48939f54d7 --- /dev/null +++ b/queue-6.12/media-platform-mtk-mdp3-fix-device-leaks-at-probe.patch @@ -0,0 +1,72 @@ +From 8f6f3aa21517ef34d50808af0c572e69580dca20 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 24 Sep 2025 16:39:19 +0200 +Subject: media: platform: mtk-mdp3: fix device leaks at probe + +From: Johan Hovold + +commit 8f6f3aa21517ef34d50808af0c572e69580dca20 upstream. + +Make sure to drop the references taken when looking up the subsys +devices during probe on probe failure (e.g. probe deferral) and on +driver unbind. + +Similarly, drop the SCP device reference after retrieving its platform +data during probe to avoid leaking it. + +Note that holding a reference to a device does not prevent its driver +data from going away. + +Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver") +Cc: stable@vger.kernel.org # 6.1 +Cc: Moudy Ho +Signed-off-by: Johan Hovold +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c ++++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c +@@ -176,10 +176,18 @@ void mdp_video_device_release(struct vid + kfree(mdp); + } + ++static void mdp_put_device(void *_dev) ++{ ++ struct device *dev = _dev; ++ ++ put_device(dev); ++} ++ + static int mdp_mm_subsys_deploy(struct mdp_dev *mdp, enum mdp_infra_id id) + { + struct platform_device *mm_pdev = NULL; + struct device **dev; ++ int ret; + int i; + + if (!mdp) +@@ -213,6 +221,11 @@ static int mdp_mm_subsys_deploy(struct m + if (WARN_ON(!mm_pdev)) + return -ENODEV; + ++ ret = devm_add_action_or_reset(&mdp->pdev->dev, mdp_put_device, ++ &mm_pdev->dev); ++ if (ret) ++ return ret; ++ + *dev = &mm_pdev->dev; + } + +@@ -298,6 +311,7 @@ static int mdp_probe(struct platform_dev + goto err_destroy_clock_wq; + } + mdp->scp = platform_get_drvdata(mm_pdev); ++ put_device(&mm_pdev->dev); + } + + mdp->rproc_handle = scp_get_rproc(mdp->scp); diff --git a/queue-6.12/media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch b/queue-6.12/media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch new file mode 100644 index 0000000000..c3fe481736 --- /dev/null +++ b/queue-6.12/media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch @@ -0,0 +1,41 @@ +From 445e1658894fd74eab7e53071fa16233887574ed Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Wed, 3 Sep 2025 21:37:29 +0800 +Subject: media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled + +From: Miaoqian Lin + +commit 445e1658894fd74eab7e53071fa16233887574ed upstream. + +The function calls of_parse_phandle() which returns +a device node with an incremented reference count. When the bonded device +is not available, the function +returns NULL without releasing the reference, causing a reference leak. + +Add of_node_put(np) to release the device node reference. +The of_node_put function handles NULL pointers. + +Found through static analysis by reviewing the doc of of_parse_phandle() +and cross-checking its usage patterns across the codebase. + +Fixes: 7625ee981af1 ("[media] media: platform: rcar_drif: Add DRIF support") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Fabrizio Castro +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/renesas/rcar_drif.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/renesas/rcar_drif.c ++++ b/drivers/media/platform/renesas/rcar_drif.c +@@ -1249,6 +1249,7 @@ static struct device_node *rcar_drif_bon + if (np && of_device_is_available(np)) + return np; + ++ of_node_put(np); + return NULL; + } + diff --git a/queue-6.12/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch b/queue-6.12/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch new file mode 100644 index 0000000000..e2d7787c53 --- /dev/null +++ b/queue-6.12/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch @@ -0,0 +1,44 @@ +From 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Tue, 14 Oct 2025 12:46:43 +0200 +Subject: media: samsung: exynos4-is: fix potential ABBA deadlock on init + +From: Marek Szyprowski + +commit 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b upstream. + +v4l2_device_register_subdev_nodes() must called without taking +media_dev->graph_mutex to avoid potential AB-BA deadlock on further +subdevice driver initialization. + +Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration") +Cc: stable@vger.kernel.org +Signed-off-by: Marek Szyprowski +Acked-by: Sylwester Nawrocki +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/samsung/exynos4-is/media-dev.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/media/platform/samsung/exynos4-is/media-dev.c ++++ b/drivers/media/platform/samsung/exynos4-is/media-dev.c +@@ -1410,12 +1410,14 @@ static int subdev_notifier_complete(stru + mutex_lock(&fmd->media_dev.graph_mutex); + + ret = fimc_md_create_links(fmd); +- if (ret < 0) +- goto unlock; ++ if (ret < 0) { ++ mutex_unlock(&fmd->media_dev.graph_mutex); ++ return ret; ++ } + +- ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev); +-unlock: + mutex_unlock(&fmd->media_dev.graph_mutex); ++ ++ ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev); + if (ret < 0) + return ret; + diff --git a/queue-6.12/media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch b/queue-6.12/media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch new file mode 100644 index 0000000000..f7d66a3345 --- /dev/null +++ b/queue-6.12/media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch @@ -0,0 +1,38 @@ +From 29de195ca39fc2ac0af6fd45522994df9f431f80 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Mon, 1 Sep 2025 21:26:17 +0800 +Subject: media: TDA1997x: Remove redundant cancel_delayed_work in probe + +From: Duoming Zhou + +commit 29de195ca39fc2ac0af6fd45522994df9f431f80 upstream. + +The delayed_work delayed_work_enable_hpd is initialized with +INIT_DELAYED_WORK(), but it is never scheduled in tda1997x_probe(). + +Calling cancel_delayed_work() on a work that has never been +scheduled is redundant and unnecessary, as there is no pending +work to cancel. + +Remove the redundant cancel_delayed_work() from error handling +path in tda1997x_probe() to avoid potential confusion. + +Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver") +Cc: stable@vger.kernel.org +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/tda1997x.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/i2c/tda1997x.c ++++ b/drivers/media/i2c/tda1997x.c +@@ -2798,7 +2798,6 @@ err_free_media: + err_free_handler: + v4l2_ctrl_handler_free(&state->hdl); + err_free_mutex: +- cancel_delayed_work(&state->delayed_work_enable_hpd); + mutex_destroy(&state->page_lock); + mutex_destroy(&state->lock); + tda1997x_set_power(state, 0); diff --git a/queue-6.12/media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch b/queue-6.12/media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch new file mode 100644 index 0000000000..0fab9e6db4 --- /dev/null +++ b/queue-6.12/media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch @@ -0,0 +1,60 @@ +From 47825b1646a6a9eca0f90baa3d4f98947c2add96 Mon Sep 17 00:00:00 2001 +From: Nicolas Dufresne +Date: Mon, 22 Sep 2025 14:43:39 -0400 +Subject: media: verisilicon: Protect G2 HEVC decoder against invalid DPB index + +From: Nicolas Dufresne + +commit 47825b1646a6a9eca0f90baa3d4f98947c2add96 upstream. + +Fix the Hantro G2 HEVC decoder so that we use DPB index 0 whenever a +ninvalid index is received from user space. This protects the hardware +from doing faulty memory access which then leads to bus errors. + +To be noted that when a reference is missing, userspace such as GStreamer +passes an invalid DPB index of 255. This issue was found by seeking to a +CRA picture using GStreamer. The framework is currently missing the code +to skip over RASL pictures placed after the CRA. This situation can also +occur while doing live streaming over lossy transport. + +Fixes: cb5dd5a0fa518 ("media: hantro: Introduce G2/HEVC decoder") +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Gaignard +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c ++++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c +@@ -283,6 +283,15 @@ static void set_params(struct hantro_ctx + hantro_reg_write(vpu, &g2_apf_threshold, 8); + } + ++static u32 get_dpb_index(const struct v4l2_ctrl_hevc_decode_params *decode_params, ++ const u32 index) ++{ ++ if (index > decode_params->num_active_dpb_entries) ++ return 0; ++ ++ return index; ++} ++ + static void set_ref_pic_list(struct hantro_ctx *ctx) + { + const struct hantro_hevc_dec_ctrls *ctrls = &ctx->hevc_dec.ctrls; +@@ -355,8 +364,10 @@ static void set_ref_pic_list(struct hant + list1[j++] = list1[i++]; + + for (i = 0; i < V4L2_HEVC_DPB_ENTRIES_NUM_MAX; i++) { +- hantro_reg_write(vpu, &ref_pic_regs0[i], list0[i]); +- hantro_reg_write(vpu, &ref_pic_regs1[i], list1[i]); ++ hantro_reg_write(vpu, &ref_pic_regs0[i], ++ get_dpb_index(decode_params, list0[i])); ++ hantro_reg_write(vpu, &ref_pic_regs1[i], ++ get_dpb_index(decode_params, list1[i])); + } + } + diff --git a/queue-6.12/media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch b/queue-6.12/media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch new file mode 100644 index 0000000000..804cc941b1 --- /dev/null +++ b/queue-6.12/media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch @@ -0,0 +1,38 @@ +From 94de23a9aa487d7c1372efb161721d7949a177ae Mon Sep 17 00:00:00 2001 +From: Haotian Zhang +Date: Tue, 28 Oct 2025 14:44:43 +0800 +Subject: media: videobuf2: Fix device reference leak in vb2_dc_alloc error path + +From: Haotian Zhang + +commit 94de23a9aa487d7c1372efb161721d7949a177ae upstream. + +In vb2_dc_alloc(), get_device() is called to increment the device +reference count. However, if subsequent DMA allocation fails +(vb2_dc_alloc_coherent or vb2_dc_alloc_non_coherent returns error), +the function returns without calling put_device(), causing a device +reference leak. + +Add put_device() call in the error path before kfree() to properly +release the device reference acquired earlier. + +Fixes: de27891f675e ("media: videobuf2: handle non-contiguous DMA allocations") +Cc: stable@vger.kernel.org +Signed-off-by: Haotian Zhang +Reviewed-by: Marek Szyprowski +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/videobuf2/videobuf2-dma-contig.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c ++++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c +@@ -258,6 +258,7 @@ static void *vb2_dc_alloc(struct vb2_buf + + if (ret) { + dev_err(dev, "dma alloc of size %lu failed\n", size); ++ put_device(buf->dev); + kfree(buf); + return ERR_PTR(-ENOMEM); + } diff --git a/queue-6.12/media-vpif_capture-fix-section-mismatch.patch b/queue-6.12/media-vpif_capture-fix-section-mismatch.patch new file mode 100644 index 0000000000..114370cc09 --- /dev/null +++ b/queue-6.12/media-vpif_capture-fix-section-mismatch.patch @@ -0,0 +1,46 @@ +From 0ef841113724166c3c484d0e9ae6db1eb5634fde Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Oct 2025 07:33:20 +0200 +Subject: media: vpif_capture: fix section mismatch + +From: Johan Hovold + +commit 0ef841113724166c3c484d0e9ae6db1eb5634fde upstream. + +Platform drivers can be probed after their init sections have been +discarded (e.g. on probe deferral or manual rebind through sysfs) so the +probe function must not live in init. + +Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section +mismatch warning") incorrectly suppressed the modpost warning. + +Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning") +Fixes: 6ffefff5a9e7 ("V4L/DVB (12906c): V4L : vpif capture driver for DM6467") +Cc: stable@vger.kernel.org # 2.6.32 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/ti/davinci/vpif_capture.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/ti/davinci/vpif_capture.c ++++ b/drivers/media/platform/ti/davinci/vpif_capture.c +@@ -1602,7 +1602,7 @@ err_cleanup: + * This creates device entries by register itself to the V4L2 driver and + * initializes fields of each channel objects + */ +-static __init int vpif_probe(struct platform_device *pdev) ++static int vpif_probe(struct platform_device *pdev) + { + struct vpif_subdev_info *subdevdata; + struct i2c_adapter *i2c_adap; +@@ -1809,7 +1809,7 @@ static int vpif_resume(struct device *de + + static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume); + +-static __refdata struct platform_driver vpif_driver = { ++static struct platform_driver vpif_driver = { + .driver = { + .name = VPIF_DRIVER_NAME, + .pm = &vpif_pm_ops, diff --git a/queue-6.12/media-vpif_display-fix-section-mismatch.patch b/queue-6.12/media-vpif_display-fix-section-mismatch.patch new file mode 100644 index 0000000000..cd58053709 --- /dev/null +++ b/queue-6.12/media-vpif_display-fix-section-mismatch.patch @@ -0,0 +1,46 @@ +From 59ca64bf98e4209df8ace8057d31ae3c80f948cd Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Oct 2025 07:33:21 +0200 +Subject: media: vpif_display: fix section mismatch + +From: Johan Hovold + +commit 59ca64bf98e4209df8ace8057d31ae3c80f948cd upstream. + +Platform drivers can be probed after their init sections have been +discarded (e.g. on probe deferral or manual rebind through sysfs) so the +probe function must not live in init. + +Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section +mismatch warning") incorrectly suppressed the modpost warning. + +Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning") +Fixes: e7332e3a552f ("V4L/DVB (12176): davinci/vpif_display: Add VPIF display driver") +Cc: stable@vger.kernel.org # 2.6.32 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/ti/davinci/vpif_display.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/ti/davinci/vpif_display.c ++++ b/drivers/media/platform/ti/davinci/vpif_display.c +@@ -1216,7 +1216,7 @@ probe_out: + * vpif_probe: This function creates device entries by register itself to the + * V4L2 driver and initializes fields of each channel objects + */ +-static __init int vpif_probe(struct platform_device *pdev) ++static int vpif_probe(struct platform_device *pdev) + { + struct vpif_subdev_info *subdevdata; + struct i2c_adapter *i2c_adap; +@@ -1392,7 +1392,7 @@ static int vpif_resume(struct device *de + + static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume); + +-static __refdata struct platform_driver vpif_driver = { ++static struct platform_driver vpif_driver = { + .driver = { + .name = VPIF_DRIVER_NAME, + .pm = &vpif_pm_ops, diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failure-on-damon_test_set_attrs.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failure-on-damon_test_set_attrs.patch new file mode 100644 index 0000000000..c7254afbe0 --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failure-on-damon_test_set_attrs.patch @@ -0,0 +1,41 @@ +From 915a2453d824a9b6bf724e3f970d86ae1d092a61 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:20:06 -0700 +Subject: mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() + +From: SeongJae Park + +commit 915a2453d824a9b6bf724e3f970d86ae1d092a61 upstream. + +damon_test_set_attrs() is assuming all dynamic memory allocation in it +will succeed. Those are indeed likely in the real use cases since those +allocations are too small to fail, but theoretically those could fail. In +the case, inappropriate memory access can happen. Fix it by appropriately +cleanup pre-allocated memory and skip the execution of the remaining tests +in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-13-sj@kernel.org +Fixes: aa13779be6b7 ("mm/damon/core-test: add a test for damon_set_attrs()") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [6.5+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -445,6 +445,9 @@ static void damon_test_set_attrs(struct + .sample_interval = 5000, .aggr_interval = 100000,}; + struct damon_attrs invalid_attrs; + ++ if (!c) ++ kunit_skip(test, "ctx alloc fail"); ++ + KUNIT_EXPECT_EQ(test, damon_set_attrs(c, &valid_attrs), 0); + + invalid_attrs = valid_attrs; diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_ops_registration.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_ops_registration.patch new file mode 100644 index 0000000000..9ade85fb7f --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_ops_registration.patch @@ -0,0 +1,41 @@ +From 4f835f4e8c863985f15abd69db033c2f66546094 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:20:03 -0700 +Subject: mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() + +From: SeongJae Park + +commit 4f835f4e8c863985f15abd69db033c2f66546094 upstream. + +damon_test_ops_registration() is assuming all dynamic memory allocation in +it will succeed. Those are indeed likely in the real use cases since +those allocations are too small to fail, but theoretically those could +fail. In the case, inappropriate memory access can happen. Fix it by +appropriately cleanup pre-allocated memory and skip the execution of the +remaining tests in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-10-sj@kernel.org +Fixes: 4f540f5ab4f2 ("mm/damon/core-test: add a kunit test case for ops registration") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [5.19+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -300,6 +300,9 @@ static void damon_test_ops_registration( + struct damon_operations ops = {.id = DAMON_OPS_VADDR}, bak; + bool need_cleanup = false; + ++ if (!c) ++ kunit_skip(test, "ctx alloc fail"); ++ + /* DAMON_OPS_VADDR is registered only if CONFIG_DAMON_VADDR is set */ + if (!damon_is_registered_ops(DAMON_OPS_VADDR)) { + bak.id = DAMON_OPS_VADDR; diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_set_regions.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_set_regions.patch new file mode 100644 index 0000000000..0233e1bf10 --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_set_regions.patch @@ -0,0 +1,60 @@ +From 74d5969995d129fd59dd93b9c7daa6669cb6810f Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:20:04 -0700 +Subject: mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() + +From: SeongJae Park + +commit 74d5969995d129fd59dd93b9c7daa6669cb6810f upstream. + +damon_test_set_regions() is assuming all dynamic memory allocation in it +will succeed. Those are indeed likely in the real use cases since those +allocations are too small to fail, but theoretically those could fail. In +the case, inappropriate memory access can happen. Fix it by appropriately +cleanup pre-allocated memory and skip the execution of the remaining tests +in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-11-sj@kernel.org +Fixes: 62f409560eb2 ("mm/damon/core-test: test damon_set_regions") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [6.1+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -345,13 +345,26 @@ static void damon_test_ops_registration( + static void damon_test_set_regions(struct kunit *test) + { + struct damon_target *t = damon_new_target(); +- struct damon_region *r1 = damon_new_region(4, 16); +- struct damon_region *r2 = damon_new_region(24, 32); ++ struct damon_region *r1, *r2; + struct damon_addr_range range = {.start = 8, .end = 28}; + unsigned long expects[] = {8, 16, 16, 24, 24, 28}; + int expect_idx = 0; + struct damon_region *r; + ++ if (!t) ++ kunit_skip(test, "target alloc fail"); ++ r1 = damon_new_region(4, 16); ++ if (!r1) { ++ damon_free_target(t); ++ kunit_skip(test, "region alloc fail"); ++ } ++ r2 = damon_new_region(24, 32); ++ if (!r2) { ++ damon_free_target(t); ++ damon_free_region(r1); ++ kunit_skip(test, "second region alloc fail"); ++ } ++ + damon_add_region(r1, t); + damon_add_region(r2, t); + damon_set_regions(t, &range, 1); diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_update_monitoring_result.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_update_monitoring_result.patch new file mode 100644 index 0000000000..7e18c55918 --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_update_monitoring_result.patch @@ -0,0 +1,41 @@ +From 8cf298c01b7fdb08eef5b6b26d0fe98d48134d72 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:20:05 -0700 +Subject: mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() + +From: SeongJae Park + +commit 8cf298c01b7fdb08eef5b6b26d0fe98d48134d72 upstream. + +damon_test_update_monitoring_result() is assuming all dynamic memory +allocation in it will succeed. Those are indeed likely in the real use +cases since those allocations are too small to fail, but theoretically +those could fail. In the case, inappropriate memory access can happen. +Fix it by appropriately cleanup pre-allocated memory and skip the +execution of the remaining tests in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-12-sj@kernel.org +Fixes: f4c978b6594b ("mm/damon/core-test: add a test for damon_update_monitoring_results()") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [6.3+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -406,6 +406,9 @@ static void damon_test_update_monitoring + struct damon_attrs new_attrs; + struct damon_region *r = damon_new_region(3, 7); + ++ if (!r) ++ kunit_skip(test, "region alloc fail"); ++ + r->nr_accesses = 15; + r->nr_accesses_bp = 150000; + r->age = 20; diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_merge_two.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_merge_two.patch new file mode 100644 index 0000000000..feff145222 --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_merge_two.patch @@ -0,0 +1,53 @@ +From 3d443dd29a1db7efa587a4bb0c06a497e13ca9e4 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:20:00 -0700 +Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() + +From: SeongJae Park + +commit 3d443dd29a1db7efa587a4bb0c06a497e13ca9e4 upstream. + +damon_test_merge_two() is assuming all dynamic memory allocation in it +will succeed. Those are indeed likely in the real use cases since those +allocations are too small to fail, but theoretically those could fail. In +the case, inappropriate memory access can happen. Fix it by appropriately +cleanup pre-allocated memory and skip the execution of the remaining tests +in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-7-sj@kernel.org +Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [5.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -188,11 +188,21 @@ static void damon_test_merge_two(struct + int i; + + t = damon_new_target(); ++ if (!t) ++ kunit_skip(test, "target alloc fail"); + r = damon_new_region(0, 100); ++ if (!r) { ++ damon_free_target(t); ++ kunit_skip(test, "region alloc fail"); ++ } + r->nr_accesses = 10; + r->nr_accesses_bp = 100000; + damon_add_region(r, t); + r2 = damon_new_region(100, 300); ++ if (!r2) { ++ damon_free_target(t); ++ kunit_skip(test, "second region alloc fail"); ++ } + r2->nr_accesses = 20; + r2->nr_accesses_bp = 200000; + damon_add_region(r2, t); diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_at.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_at.patch new file mode 100644 index 0000000000..dd0abaa947 --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_at.patch @@ -0,0 +1,51 @@ +From 5e80d73f22043c59c8ad36452a3253937ed77955 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:19:59 -0700 +Subject: mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() + +From: SeongJae Park + +commit 5e80d73f22043c59c8ad36452a3253937ed77955 upstream. + +damon_test_split_at() is assuming all dynamic memory allocation in it will +succeed. Those are indeed likely in the real use cases since those +allocations are too small to fail, but theoretically those could fail. In +the case, inappropriate memory access can happen. Fix it by appropriately +cleanup pre-allocated memory and skip the execution of the remaining tests +in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-6-sj@kernel.org +Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [5.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -124,8 +124,19 @@ static void damon_test_split_at(struct k + struct damon_target *t; + struct damon_region *r, *r_new; + ++ if (!c) ++ kunit_skip(test, "ctx alloc fail"); + t = damon_new_target(); ++ if (!t) { ++ damon_destroy_ctx(c); ++ kunit_skip(test, "target alloc fail"); ++ } + r = damon_new_region(0, 100); ++ if (!r) { ++ damon_destroy_ctx(c); ++ damon_free_target(t); ++ kunit_skip(test, "region alloc fail"); ++ } + r->nr_accesses_bp = 420000; + r->nr_accesses = 42; + r->last_nr_accesses = 15; diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-on-dasmon_test_merge_regions_of.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-on-dasmon_test_merge_regions_of.patch new file mode 100644 index 0000000000..123ad3ee63 --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-alloc-failures-on-dasmon_test_merge_regions_of.patch @@ -0,0 +1,46 @@ +From 0998d2757218771c59d5ca59ccf13d1542a38f17 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:20:01 -0700 +Subject: mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() + +From: SeongJae Park + +commit 0998d2757218771c59d5ca59ccf13d1542a38f17 upstream. + +damon_test_merge_regions_of() is assuming all dynamic memory allocation in +it will succeed. Those are indeed likely in the real use cases since +those allocations are too small to fail, but theoretically those could +fail. In the case, inappropriate memory access can happen. Fix it by +appropriately cleanup pre-allocated memory and skip the execution of the +remaining tests in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-8-sj@kernel.org +Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [5.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -238,8 +238,14 @@ static void damon_test_merge_regions_of( + int i; + + t = damon_new_target(); ++ if (!t) ++ kunit_skip(test, "target alloc fail"); + for (i = 0; i < ARRAY_SIZE(sa); i++) { + r = damon_new_region(sa[i], ea[i]); ++ if (!r) { ++ damon_free_target(t); ++ kunit_skip(test, "region alloc fail"); ++ } + r->nr_accesses = nrs[i]; + r->nr_accesses_bp = nrs[i] * 10000; + damon_add_region(r, t); diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-allocation-failures-in-damon_test_regions.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-allocation-failures-in-damon_test_regions.patch new file mode 100644 index 0000000000..a47e7b4fff --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-allocation-failures-in-damon_test_regions.patch @@ -0,0 +1,49 @@ +From e16fdd4f754048d6e23c56bd8d920b71e41e3777 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:19:56 -0700 +Subject: mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() + +From: SeongJae Park + +commit e16fdd4f754048d6e23c56bd8d920b71e41e3777 upstream. + +damon_test_regions() is assuming all dynamic memory allocation in it will +succeed. Those are indeed likely in the real use cases since those +allocations are too small to fail, but theoretically those could fail. In +the case, inappropriate memory access can happen. Fix it by appropriately +cleanup pre-allocated memory and skip the execution of the remaining tests +in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-3-sj@kernel.org +Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [5.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -20,11 +20,17 @@ static void damon_test_regions(struct ku + struct damon_target *t; + + r = damon_new_region(1, 2); ++ if (!r) ++ kunit_skip(test, "region alloc fail"); + KUNIT_EXPECT_EQ(test, 1ul, r->ar.start); + KUNIT_EXPECT_EQ(test, 2ul, r->ar.end); + KUNIT_EXPECT_EQ(test, 0u, r->nr_accesses); + + t = damon_new_target(); ++ if (!t) { ++ damon_free_region(r); ++ kunit_skip(test, "target alloc fail"); ++ } + KUNIT_EXPECT_EQ(test, 0u, damon_nr_regions(t)); + + damon_add_region(r, t); diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-memory-alloc-failure-from-damon_test_aggregate.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-memory-alloc-failure-from-damon_test_aggregate.patch new file mode 100644 index 0000000000..db38c18ae4 --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-memory-alloc-failure-from-damon_test_aggregate.patch @@ -0,0 +1,58 @@ +From f79f2fc44ebd0ed655239046be3e80e8804b5545 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:19:58 -0700 +Subject: mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() + +From: SeongJae Park + +commit f79f2fc44ebd0ed655239046be3e80e8804b5545 upstream. + +damon_test_aggregate() is assuming all dynamic memory allocation in it +will succeed. Those are indeed likely in the real use cases since those +allocations are too small to fail, but theoretically those could fail. In +the case, inappropriate memory access can happen. Fix it by appropriately +cleanup pre-allocated memory and skip the execution of the remaining tests +in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-5-sj@kernel.org +Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [5.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -97,8 +97,15 @@ static void damon_test_aggregate(struct + struct damon_region *r; + int it, ir; + ++ if (!ctx) ++ kunit_skip(test, "ctx alloc fail"); ++ + for (it = 0; it < 3; it++) { + t = damon_new_target(); ++ if (!t) { ++ damon_destroy_ctx(ctx); ++ kunit_skip(test, "target alloc fail"); ++ } + damon_add_target(ctx, t); + } + +@@ -106,6 +113,10 @@ static void damon_test_aggregate(struct + damon_for_each_target(t, ctx) { + for (ir = 0; ir < 3; ir++) { + r = damon_new_region(saddr[it][ir], eaddr[it][ir]); ++ if (!r) { ++ damon_destroy_ctx(ctx); ++ kunit_skip(test, "region alloc fail"); ++ } + r->nr_accesses = accesses[it][ir]; + r->nr_accesses_bp = accesses[it][ir] * 10000; + damon_add_region(r, t); diff --git a/queue-6.12/mm-damon-tests-core-kunit-handle-memory-failure-from-damon_test_target.patch b/queue-6.12/mm-damon-tests-core-kunit-handle-memory-failure-from-damon_test_target.patch new file mode 100644 index 0000000000..45b668b89f --- /dev/null +++ b/queue-6.12/mm-damon-tests-core-kunit-handle-memory-failure-from-damon_test_target.patch @@ -0,0 +1,46 @@ +From fafe953de2c661907c94055a2497c6b8dbfd26f3 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:19:57 -0700 +Subject: mm/damon/tests/core-kunit: handle memory failure from damon_test_target() + +From: SeongJae Park + +commit fafe953de2c661907c94055a2497c6b8dbfd26f3 upstream. + +damon_test_target() is assuming all dynamic memory allocation in it will +succeed. Those are indeed likely in the real use cases since those +allocations are too small to fail, but theoretically those could fail. In +the case, inappropriate memory access can happen. Fix it by appropriately +cleanup pre-allocated memory and skip the execution of the remaining tests +in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-4-sj@kernel.org +Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [5.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/core-kunit.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/mm/damon/tests/core-kunit.h ++++ b/mm/damon/tests/core-kunit.h +@@ -58,7 +58,14 @@ static void damon_test_target(struct kun + struct damon_ctx *c = damon_new_ctx(); + struct damon_target *t; + ++ if (!c) ++ kunit_skip(test, "ctx alloc fail"); ++ + t = damon_new_target(); ++ if (!t) { ++ damon_destroy_ctx(c); ++ kunit_skip(test, "target alloc fail"); ++ } + KUNIT_EXPECT_EQ(test, 0u, nr_damon_targets(c)); + + damon_add_target(c, t); diff --git a/queue-6.12/mm-damon-tests-sysfs-kunit-handle-alloc-failures-on-damon_sysfs_test_add_targets.patch b/queue-6.12/mm-damon-tests-sysfs-kunit-handle-alloc-failures-on-damon_sysfs_test_add_targets.patch new file mode 100644 index 0000000000..24416394f0 --- /dev/null +++ b/queue-6.12/mm-damon-tests-sysfs-kunit-handle-alloc-failures-on-damon_sysfs_test_add_targets.patch @@ -0,0 +1,78 @@ +From 7d808bf13943f4c6a6142400bffe14267f6dc997 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:20:14 -0700 +Subject: mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets() + +From: SeongJae Park + +commit 7d808bf13943f4c6a6142400bffe14267f6dc997 upstream. + +damon_sysfs_test_add_targets() is assuming all dynamic memory allocation +in it will succeed. Those are indeed likely in the real use cases since +those allocations are too small to fail, but theoretically those could +fail. In the case, inappropriate memory access can happen. Fix it by +appropriately cleanup pre-allocated memory and skip the execution of the +remaining tests in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-21-sj@kernel.org +Fixes: b8ee5575f763 ("mm/damon/sysfs-test: add a unit test for damon_sysfs_set_targets()") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [6.7+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/sysfs-kunit.h | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/mm/damon/tests/sysfs-kunit.h b/mm/damon/tests/sysfs-kunit.h +index 7b5c7b307da9..ce7218469f20 100644 +--- a/mm/damon/tests/sysfs-kunit.h ++++ b/mm/damon/tests/sysfs-kunit.h +@@ -45,16 +45,41 @@ static void damon_sysfs_test_add_targets(struct kunit *test) + struct damon_ctx *ctx; + + sysfs_targets = damon_sysfs_targets_alloc(); ++ if (!sysfs_targets) ++ kunit_skip(test, "sysfs_targets alloc fail"); + sysfs_targets->nr = 1; + sysfs_targets->targets_arr = kmalloc_array(1, + sizeof(*sysfs_targets->targets_arr), GFP_KERNEL); ++ if (!sysfs_targets->targets_arr) { ++ kfree(sysfs_targets); ++ kunit_skip(test, "targets_arr alloc fail"); ++ } + + sysfs_target = damon_sysfs_target_alloc(); ++ if (!sysfs_target) { ++ kfree(sysfs_targets->targets_arr); ++ kfree(sysfs_targets); ++ kunit_skip(test, "sysfs_target alloc fail"); ++ } + sysfs_target->pid = __damon_sysfs_test_get_any_pid(12, 100); + sysfs_target->regions = damon_sysfs_regions_alloc(); ++ if (!sysfs_target->regions) { ++ kfree(sysfs_targets->targets_arr); ++ kfree(sysfs_targets); ++ kfree(sysfs_target); ++ kunit_skip(test, "sysfs_regions alloc fail"); ++ } ++ + sysfs_targets->targets_arr[0] = sysfs_target; + + ctx = damon_new_ctx(); ++ if (!ctx) { ++ kfree(sysfs_targets->targets_arr); ++ kfree(sysfs_targets); ++ kfree(sysfs_target); ++ kfree(sysfs_target->regions); ++ kunit_skip(test, "ctx alloc fail"); ++ } + + damon_sysfs_add_targets(ctx, sysfs_targets); + KUNIT_EXPECT_EQ(test, 1u, nr_damon_targets(ctx)); +-- +2.52.0 + diff --git a/queue-6.12/mm-damon-tests-vaddr-kunit-handle-alloc-failures-in-damon_test_split_evenly_fail.patch b/queue-6.12/mm-damon-tests-vaddr-kunit-handle-alloc-failures-in-damon_test_split_evenly_fail.patch new file mode 100644 index 0000000000..e0f6ee4654 --- /dev/null +++ b/queue-6.12/mm-damon-tests-vaddr-kunit-handle-alloc-failures-in-damon_test_split_evenly_fail.patch @@ -0,0 +1,49 @@ +From 7890e5b5bb6e386155c6e755fe70e0cdcc77f18e Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:20:12 -0700 +Subject: mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() + +From: SeongJae Park + +commit 7890e5b5bb6e386155c6e755fe70e0cdcc77f18e upstream. + +damon_test_split_evenly_fail() is assuming all dynamic memory allocation +in it will succeed. Those are indeed likely in the real use cases since +those allocations are too small to fail, but theoretically those could +fail. In the case, inappropriate memory access can happen. Fix it by +appropriately cleanup pre-allocated memory and skip the execution of the +remaining tests in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-19-sj@kernel.org +Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [5.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/vaddr-kunit.h | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/mm/damon/tests/vaddr-kunit.h ++++ b/mm/damon/tests/vaddr-kunit.h +@@ -250,7 +250,16 @@ static void damon_test_split_evenly_fail + unsigned long start, unsigned long end, unsigned int nr_pieces) + { + struct damon_target *t = damon_new_target(); +- struct damon_region *r = damon_new_region(start, end); ++ struct damon_region *r; ++ ++ if (!t) ++ kunit_skip(test, "target alloc fail"); ++ ++ r = damon_new_region(start, end); ++ if (!r) { ++ damon_free_target(t); ++ kunit_skip(test, "region alloc fail"); ++ } + + damon_add_region(r, t); + KUNIT_EXPECT_EQ(test, diff --git a/queue-6.12/mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_test_split_evenly_succ.patch b/queue-6.12/mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_test_split_evenly_succ.patch new file mode 100644 index 0000000000..f72d084746 --- /dev/null +++ b/queue-6.12/mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_test_split_evenly_succ.patch @@ -0,0 +1,50 @@ +From 0a63a0e7570b9b2631dfb8d836dc572709dce39e Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sat, 1 Nov 2025 11:20:13 -0700 +Subject: mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() + +From: SeongJae Park + +commit 0a63a0e7570b9b2631dfb8d836dc572709dce39e upstream. + +damon_test_split_evenly_succ() is assuming all dynamic memory allocation +in it will succeed. Those are indeed likely in the real use cases since +those allocations are too small to fail, but theoretically those could +fail. In the case, inappropriate memory access can happen. Fix it by +appropriately cleanup pre-allocated memory and skip the execution of the +remaining tests in the failure cases. + +Link: https://lkml.kernel.org/r/20251101182021.74868-20-sj@kernel.org +Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests") +Signed-off-by: SeongJae Park +Cc: Brendan Higgins +Cc: David Gow +Cc: Kefeng Wang +Cc: [5.15+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/vaddr-kunit.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/mm/damon/tests/vaddr-kunit.h ++++ b/mm/damon/tests/vaddr-kunit.h +@@ -278,10 +278,17 @@ static void damon_test_split_evenly_succ + unsigned long start, unsigned long end, unsigned int nr_pieces) + { + struct damon_target *t = damon_new_target(); +- struct damon_region *r = damon_new_region(start, end); ++ struct damon_region *r; + unsigned long expected_width = (end - start) / nr_pieces; + unsigned long i = 0; + ++ if (!t) ++ kunit_skip(test, "target alloc fail"); ++ r = damon_new_region(start, end); ++ if (!r) { ++ damon_free_target(t); ++ kunit_skip(test, "region alloc fail"); ++ } + damon_add_region(r, t); + KUNIT_EXPECT_EQ(test, + damon_va_evenly_split_region(t, r, nr_pieces), 0); diff --git a/queue-6.12/mtd-mtdpart-ignore-error-enoent-from-parsers-on-subpartitions.patch b/queue-6.12/mtd-mtdpart-ignore-error-enoent-from-parsers-on-subpartitions.patch new file mode 100644 index 0000000000..312e7b1102 --- /dev/null +++ b/queue-6.12/mtd-mtdpart-ignore-error-enoent-from-parsers-on-subpartitions.patch @@ -0,0 +1,65 @@ +From 64ef5f454e167bb66cf70104f033c3d71e6ef9c0 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Sun, 9 Nov 2025 12:52:44 +0100 +Subject: mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions + +From: Christian Marangi + +commit 64ef5f454e167bb66cf70104f033c3d71e6ef9c0 upstream. + +Commit 5c2f7727d437 ("mtd: mtdpart: check for subpartitions parsing +result") introduced some kind of regression with parser on subpartitions +where if a parser emits an error then the entire parsing process from the +upper parser fails and partitions are deleted. + +Not checking for error in subpartitions was originally intended as +special parser can emit error also in the case of the partition not +correctly init (for example a wiped partition) or special case where the +partition should be skipped due to some ENV variables externally +provided (from bootloader for example) + +One example case is the TRX partition where, in the context of a wiped +partition, returns a -ENOENT as the trx_magic is not found in the +expected TRX header (as the partition is wiped) + +To better handle this and still keep some kind of error tracking (for +example to catch -ENOMEM errors or -EINVAL errors), permit parser on +subpartition to emit -ENOENT error, print a debug log and skip them +accordingly. + +This results in giving better tracking of the status of the parser +(instead of returning just 0, dropping any kind of signal that there is +something wrong with the parser) and to some degree restore the original +logic of the subpartitions parse. + +(worth to notice that some special partition might have all the special +header present for the parser and declare 0 partition in it, this is why +it would be wrong to simply return 0 in the case of a special partition +that is NOT init for the scanning parser) + +Cc: stable@vger.kernel.org +Fixes: 5c2f7727d437 ("mtd: mtdpart: check for subpartitions parsing result") +Signed-off-by: Christian Marangi +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/mtdpart.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/mtdpart.c ++++ b/drivers/mtd/mtdpart.c +@@ -425,9 +425,12 @@ int add_mtd_partitions(struct mtd_info * + + mtd_add_partition_attrs(child); + +- /* Look for subpartitions */ ++ /* Look for subpartitions (skip if no maching parser found) */ + ret = parse_mtd_partitions(child, parts[i].types, NULL); +- if (ret < 0) { ++ if (ret < 0 && ret == -ENOENT) { ++ pr_debug("Skip parsing subpartitions: %d\n", ret); ++ continue; ++ } else if (ret < 0) { + pr_err("Failed to parse subpartitions: %d\n", ret); + goto err_del_partitions; + } diff --git a/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25h01nwxxam-chips.patch b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25h01nwxxam-chips.patch new file mode 100644 index 0000000000..b3762aed21 --- /dev/null +++ b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25h01nwxxam-chips.patch @@ -0,0 +1,35 @@ +From 1df1fdbc7e63350b2962dc7d87ded124ee26f3ad Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 5 Nov 2025 18:27:04 +0100 +Subject: mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips + +From: Miquel Raynal + +commit 1df1fdbc7e63350b2962dc7d87ded124ee26f3ad upstream. + +These chips must be described as none of the block protection +information are discoverable. This chip supports 4 bits plus the +top/bottom addressing capability to identify the protected blocks. + +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Michael Walle +Signed-off-by: Pratyush Yadav +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/winbond.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/spi-nor/winbond.c ++++ b/drivers/mtd/spi-nor/winbond.c +@@ -270,6 +270,10 @@ static const struct flash_info winbond_n + /* W25H512NWxxAM */ + .id = SNOR_ID(0xef, 0xa0, 0x20), + .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, ++ }, { ++ /* W25H01NWxxAM */ ++ .id = SNOR_ID(0xef, 0xa0, 0x21), ++ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, + }, + }; + diff --git a/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25h02nwxxam-chips.patch b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25h02nwxxam-chips.patch new file mode 100644 index 0000000000..b89c2a85ce --- /dev/null +++ b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25h02nwxxam-chips.patch @@ -0,0 +1,35 @@ +From 604cf6a40157abba4677dea9834de8df9047d798 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 5 Nov 2025 18:27:05 +0100 +Subject: mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips + +From: Miquel Raynal + +commit 604cf6a40157abba4677dea9834de8df9047d798 upstream. + +These chips must be described as none of the block protection +information are discoverable. This chip supports 4 bits plus the +top/bottom addressing capability to identify the protected blocks. + +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Michael Walle +Signed-off-by: Pratyush Yadav +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/winbond.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/spi-nor/winbond.c ++++ b/drivers/mtd/spi-nor/winbond.c +@@ -274,6 +274,10 @@ static const struct flash_info winbond_n + /* W25H01NWxxAM */ + .id = SNOR_ID(0xef, 0xa0, 0x21), + .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, ++ }, { ++ /* W25H02NWxxAM */ ++ .id = SNOR_ID(0xef, 0xa0, 0x22), ++ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, + }, + }; + diff --git a/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25h512nwxxam-chips.patch b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25h512nwxxam-chips.patch new file mode 100644 index 0000000000..9ea70af0c6 --- /dev/null +++ b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25h512nwxxam-chips.patch @@ -0,0 +1,35 @@ +From f21d2c7d37553b24825918f2f61df123e182b712 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 5 Nov 2025 18:27:03 +0100 +Subject: mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips + +From: Miquel Raynal + +commit f21d2c7d37553b24825918f2f61df123e182b712 upstream. + +These chips must be described as none of the block protection +information are discoverable. This chip supports 4 bits plus the +top/bottom addressing capability to identify the protected blocks. + +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Michael Walle +Signed-off-by: Pratyush Yadav +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/winbond.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/spi-nor/winbond.c ++++ b/drivers/mtd/spi-nor/winbond.c +@@ -266,6 +266,10 @@ static const struct flash_info winbond_n + /* W25Q02NWxxIM */ + .id = SNOR_ID(0xef, 0x80, 0x22), + .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, ++ }, { ++ /* W25H512NWxxAM */ ++ .id = SNOR_ID(0xef, 0xa0, 0x20), ++ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, + }, + }; + diff --git a/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25q01nwxxim-chips.patch b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25q01nwxxim-chips.patch new file mode 100644 index 0000000000..8feb5cb0fb --- /dev/null +++ b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25q01nwxxim-chips.patch @@ -0,0 +1,35 @@ +From a607e676c8b9258eabc3fc88f45bcd70ea178b41 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 5 Nov 2025 18:27:01 +0100 +Subject: mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips + +From: Miquel Raynal + +commit a607e676c8b9258eabc3fc88f45bcd70ea178b41 upstream. + +These chips must be described as none of the block protection +information are discoverable. This chip supports 4 bits plus the +top/bottom addressing capability to identify the protected blocks. + +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Michael Walle +Signed-off-by: Pratyush Yadav +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/winbond.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/spi-nor/winbond.c ++++ b/drivers/mtd/spi-nor/winbond.c +@@ -258,6 +258,10 @@ static const struct flash_info winbond_n + /* W25Q01NWxxIQ */ + .id = SNOR_ID(0xef, 0x60, 0x21), + .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, ++ }, { ++ /* W25Q01NWxxIM */ ++ .id = SNOR_ID(0xef, 0x80, 0x21), ++ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, + }, + }; + diff --git a/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25q01nwxxiq-chips.patch b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25q01nwxxiq-chips.patch new file mode 100644 index 0000000000..163aa2f126 --- /dev/null +++ b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25q01nwxxiq-chips.patch @@ -0,0 +1,35 @@ +From aee8c4d9d48d661624d72de670ebe5c6b5687842 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 5 Nov 2025 18:27:00 +0100 +Subject: mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips + +From: Miquel Raynal + +commit aee8c4d9d48d661624d72de670ebe5c6b5687842 upstream. + +This chip must be described as none of the block protection information +are discoverable. This chip supports 4 bits plus the top/bottom +addressing capability to identify the protected blocks. + +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Michael Walle +Signed-off-by: Pratyush Yadav +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/winbond.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/spi-nor/winbond.c ++++ b/drivers/mtd/spi-nor/winbond.c +@@ -254,6 +254,10 @@ static const struct flash_info winbond_n + .id = SNOR_ID(0xef, 0x80, 0x20), + .name = "w25q512nwm", + .otp = SNOR_OTP(256, 3, 0x1000, 0x1000), ++ }, { ++ /* W25Q01NWxxIQ */ ++ .id = SNOR_ID(0xef, 0x60, 0x21), ++ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, + }, + }; + diff --git a/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25q02nwxxim-chips.patch b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25q02nwxxim-chips.patch new file mode 100644 index 0000000000..f932f5c1e2 --- /dev/null +++ b/queue-6.12/mtd-spi-nor-winbond-add-support-for-w25q02nwxxim-chips.patch @@ -0,0 +1,35 @@ +From 71c239348d9fbdb1f0d6f36013f1697cc06c3e9c Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 5 Nov 2025 18:27:02 +0100 +Subject: mtd: spi-nor: winbond: Add support for W25Q02NWxxIM chips + +From: Miquel Raynal + +commit 71c239348d9fbdb1f0d6f36013f1697cc06c3e9c upstream. + +These chips must be described as none of the block protection +information are discoverable. This chip supports 4 bits plus the +top/bottom addressing capability to identify the protected blocks. + +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Reviewed-by: Michael Walle +Signed-off-by: Pratyush Yadav +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/winbond.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/spi-nor/winbond.c ++++ b/drivers/mtd/spi-nor/winbond.c +@@ -262,6 +262,10 @@ static const struct flash_info winbond_n + /* W25Q01NWxxIM */ + .id = SNOR_ID(0xef, 0x80, 0x21), + .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, ++ }, { ++ /* W25Q02NWxxIM */ ++ .id = SNOR_ID(0xef, 0x80, 0x22), ++ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP, + }, + }; + diff --git a/queue-6.12/parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch b/queue-6.12/parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch new file mode 100644 index 0000000000..0b5926553e --- /dev/null +++ b/queue-6.12/parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch @@ -0,0 +1,58 @@ +From 5fb1d3ce3e74a4530042795e1e065422295f1371 Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Wed, 15 Oct 2025 23:21:41 +0200 +Subject: parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() + +From: Sven Schnelle + +commit 5fb1d3ce3e74a4530042795e1e065422295f1371 upstream. + +When the kernel leaves to userspace via syscall_restore_rfi(), the +W bit is not set in the new PSW. This doesn't cause any problems +because there's no 64 bit userspace for parisc. Simple static binaries +are usually loaded at addresses way below the 32 bit limit so the W bit +doesn't matter. + +Fix this by setting the W bit when TIF_32BIT is not set. + +Signed-off-by: Sven Schnelle +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/asm-offsets.c | 2 ++ + arch/parisc/kernel/entry.S | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/asm-offsets.c ++++ b/arch/parisc/kernel/asm-offsets.c +@@ -258,6 +258,8 @@ int main(void) + BLANK(); + DEFINE(TIF_BLOCKSTEP_PA_BIT, 31-TIF_BLOCKSTEP); + DEFINE(TIF_SINGLESTEP_PA_BIT, 31-TIF_SINGLESTEP); ++ DEFINE(TIF_32BIT_PA_BIT, 31-TIF_32BIT); ++ + BLANK(); + DEFINE(ASM_PMD_SHIFT, PMD_SHIFT); + DEFINE(ASM_PGDIR_SHIFT, PGDIR_SHIFT); +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -1846,6 +1846,10 @@ syscall_restore_rfi: + extru,= %r19,TIF_BLOCKSTEP_PA_BIT,1,%r0 + depi -1,7,1,%r20 /* T bit */ + ++#ifdef CONFIG_64BIT ++ extru,<> %r19,TIF_32BIT_PA_BIT,1,%r0 ++ depi -1,4,1,%r20 /* W bit */ ++#endif + STREG %r20,TASK_PT_PSW(%r1) + + /* Always store space registers, since sr3 can be changed (e.g. fork) */ +@@ -1859,7 +1863,6 @@ syscall_restore_rfi: + STREG %r25,TASK_PT_IASQ0(%r1) + STREG %r25,TASK_PT_IASQ1(%r1) + +- /* XXX W bit??? */ + /* Now if old D bit is clear, it means we didn't save all registers + * on syscall entry, so do that now. This only happens on TRACEME + * calls, or if someone attached to us while we were on a syscall. diff --git a/queue-6.12/parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch b/queue-6.12/parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch new file mode 100644 index 0000000000..495a119dce --- /dev/null +++ b/queue-6.12/parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch @@ -0,0 +1,61 @@ +From 1aa4524c0c1b54842c4c0a370171d11b12d0709b Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Thu, 30 Oct 2025 08:56:05 +0100 +Subject: parisc: entry.S: fix space adjustment on interruption for 64-bit userspace + +From: Sven Schnelle + +commit 1aa4524c0c1b54842c4c0a370171d11b12d0709b upstream. + +In wide mode, the IASQ contain the upper part of the GVA +during interruption. This needs to be reversed before +the space is used - otherwise it contains parts of IAOQ. +See Page 2-13 "Processing Resources / Interruption Instruction +Address Queues" in the Parisc 2.0 Architecture Manual page 2-13 +for an explanation. + +The IAOQ/IASQ space_adjust was skipped for other interruptions +than itlb misses. However, the code in handle_interruption() +checks whether iasq[0] contains a valid space. Due to the not +masked out bits this match failed and the process was killed. + +Also add space_adjust for IAOQ1/IASQ1 so ptregs contains sane values. + +Signed-off-by: Sven Schnelle +Cc: stable@vger.kernel.org # v6.0+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -1059,8 +1059,6 @@ ENTRY_CFI(intr_save) /* for os_hpmc */ + STREG %r17, PT_IOR(%r29) + + #if defined(CONFIG_64BIT) +- b,n intr_save2 +- + skip_save_ior: + /* We have a itlb miss, and when executing code above 4 Gb on ILP64, we + * need to adjust iasq/iaoq here in the same way we adjusted isr/ior +@@ -1069,10 +1067,17 @@ skip_save_ior: + bb,COND(>=),n %r8,PSW_W_BIT,intr_save2 + LDREG PT_IASQ0(%r29), %r16 + LDREG PT_IAOQ0(%r29), %r17 +- /* adjust iasq/iaoq */ ++ /* adjust iasq0/iaoq0 */ + space_adjust %r16,%r17,%r1 + STREG %r16, PT_IASQ0(%r29) + STREG %r17, PT_IAOQ0(%r29) ++ ++ LDREG PT_IASQ1(%r29), %r16 ++ LDREG PT_IAOQ1(%r29), %r17 ++ /* adjust iasq1/iaoq1 */ ++ space_adjust %r16,%r17,%r1 ++ STREG %r16, PT_IASQ1(%r29) ++ STREG %r17, PT_IAOQ1(%r29) + #else + skip_save_ior: + #endif diff --git a/queue-6.12/perf-x86-amd-uncore-fix-the-return-value-of-amd_uncore_df_event_init-on-error.patch b/queue-6.12/perf-x86-amd-uncore-fix-the-return-value-of-amd_uncore_df_event_init-on-error.patch new file mode 100644 index 0000000000..28258a7860 --- /dev/null +++ b/queue-6.12/perf-x86-amd-uncore-fix-the-return-value-of-amd_uncore_df_event_init-on-error.patch @@ -0,0 +1,45 @@ +From 01439286514ce9d13b8123f8ec3717d7135ff1d6 Mon Sep 17 00:00:00 2001 +From: Sandipan Das +Date: Tue, 9 Dec 2025 13:56:38 +0530 +Subject: perf/x86/amd/uncore: Fix the return value of amd_uncore_df_event_init() on error + +From: Sandipan Das + +commit 01439286514ce9d13b8123f8ec3717d7135ff1d6 upstream. + +If amd_uncore_event_init() fails, return an error irrespective of the +pmu_version. Setting hwc->config should be safe even if there is an +error so use this opportunity to simplify the code. + +Closes: https://lore.kernel.org/all/aTaI0ci3vZ44lmBn@stanley.mountain/ + +Fixes: d6389d3ccc13 ("perf/x86/amd/uncore: Refactor uncore management") +Reported-by: Dan Carpenter +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Cc: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/076935e23a70335d33bd6e23308b75ae0ad35ba2.1765268667.git.sandipan.das@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/amd/uncore.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/arch/x86/events/amd/uncore.c ++++ b/arch/x86/events/amd/uncore.c +@@ -595,14 +595,11 @@ static int amd_uncore_df_event_init(stru + struct hw_perf_event *hwc = &event->hw; + int ret = amd_uncore_event_init(event); + +- if (ret || pmu_version < 2) +- return ret; +- + hwc->config = event->attr.config & + (pmu_version >= 2 ? AMD64_PERFMON_V2_RAW_EVENT_MASK_NB : + AMD64_RAW_EVENT_MASK_NB); + +- return 0; ++ return ret; + } + + static int amd_uncore_df_add(struct perf_event *event, int flags) diff --git a/queue-6.12/powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch b/queue-6.12/powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch new file mode 100644 index 0000000000..7086b9e6f0 --- /dev/null +++ b/queue-6.12/powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch @@ -0,0 +1,59 @@ +From fc6bcf9ac4de76f5e7bcd020b3c0a86faff3f2d5 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Tue, 21 Oct 2025 12:06:05 +0200 +Subject: powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION + +From: David Hildenbrand + +commit fc6bcf9ac4de76f5e7bcd020b3c0a86faff3f2d5 upstream. + +Patch series "powerpc/pseries/cmm: two smaller fixes". + +Two smaller fixes identified while doing a bigger rework. + + +This patch (of 2): + +We always have to initialize the balloon_dev_info, even when compaction is +not configured in: otherwise the containing list and the lock are left +uninitialized. + +Likely not many such configs exist in practice, but let's CC stable to +be sure. + +This was found by code inspection. + +Link: https://lkml.kernel.org/r/20251021100606.148294-1-david@redhat.com +Link: https://lkml.kernel.org/r/20251021100606.148294-2-david@redhat.com +Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction") +Signed-off-by: David Hildenbrand +Reviewed-by: Ritesh Harjani (IBM) +Cc: Christophe Leroy +Cc: Madhavan Srinivasan +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/cmm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/cmm.c ++++ b/arch/powerpc/platforms/pseries/cmm.c +@@ -550,7 +550,6 @@ static int cmm_migratepage(struct balloo + + static void cmm_balloon_compaction_init(void) + { +- balloon_devinfo_init(&b_dev_info); + b_dev_info.migratepage = cmm_migratepage; + } + #else /* CONFIG_BALLOON_COMPACTION */ +@@ -572,6 +571,7 @@ static int cmm_init(void) + if (!firmware_has_feature(FW_FEATURE_CMO) && !simulate) + return -EOPNOTSUPP; + ++ balloon_devinfo_init(&b_dev_info); + cmm_balloon_compaction_init(); + + rc = register_oom_notifier(&cmm_oom_nb); diff --git a/queue-6.12/series b/queue-6.12/series index d0dd2d1358..8f5ce14269 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -381,3 +381,53 @@ mfd-altera-sysmgr-fix-device-leak-on-sysmgr-regmap-lookup.patch mfd-max77620-fix-potential-irq-chip-conflict-when-probing-two-devices.patch media-rc-st_rc-fix-reset-control-resource-leak.patch media-verisilicon-fix-cpu-stalls-on-g2-bus-error.patch +mtd-mtdpart-ignore-error-enoent-from-parsers-on-subpartitions.patch +mtd-spi-nor-winbond-add-support-for-w25q01nwxxiq-chips.patch +mtd-spi-nor-winbond-add-support-for-w25q01nwxxim-chips.patch +mtd-spi-nor-winbond-add-support-for-w25q02nwxxim-chips.patch +mtd-spi-nor-winbond-add-support-for-w25h512nwxxam-chips.patch +mtd-spi-nor-winbond-add-support-for-w25h01nwxxam-chips.patch +mtd-spi-nor-winbond-add-support-for-w25h02nwxxam-chips.patch +parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch +parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch +perf-x86-amd-uncore-fix-the-return-value-of-amd_uncore_df_event_init-on-error.patch +powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch +media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch +firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch +dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch +dm-bufio-align-write-boundary-on-physical-block-size.patch +fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch +fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch +fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch +media-cec-fix-debugfs-leak-on-bus_register-failure.patch +media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch +media-platform-mtk-mdp3-fix-device-leaks-at-probe.patch +media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch +media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch +media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch +media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch +media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch +media-vpif_capture-fix-section-mismatch.patch +media-vpif_display-fix-section-mismatch.patch +media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch +media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch +media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch +media-mediatek-vcodec-fix-a-reference-leak-in-mtk_vcodec_fw_vpu_init.patch +loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch +loongarch-correct-the-calculation-logic-of-thread_count.patch +loongarch-fix-build-errors-for-config_randstruct.patch +loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch +loongarch-use-unsigned-long-for-_end-and-_text.patch +mm-damon-tests-sysfs-kunit-handle-alloc-failures-on-damon_sysfs_test_add_targets.patch +mm-damon-tests-vaddr-kunit-handle-alloc-failures-in-damon_test_split_evenly_fail.patch +mm-damon-tests-vaddr-kunit-handle-alloc-failures-on-damon_test_split_evenly_succ.patch +mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_split_at.patch +mm-damon-tests-core-kunit-handle-allocation-failures-in-damon_test_regions.patch +mm-damon-tests-core-kunit-handle-memory-failure-from-damon_test_target.patch +mm-damon-tests-core-kunit-handle-memory-alloc-failure-from-damon_test_aggregate.patch +mm-damon-tests-core-kunit-handle-alloc-failures-on-dasmon_test_merge_regions_of.patch +mm-damon-tests-core-kunit-handle-alloc-failures-on-damon_test_merge_two.patch +mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_set_regions.patch +mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_update_monitoring_result.patch +mm-damon-tests-core-kunit-handle-alloc-failures-in-damon_test_ops_registration.patch +mm-damon-tests-core-kunit-handle-alloc-failure-on-damon_test_set_attrs.patch