From: Greg Kroah-Hartman Date: Tue, 2 Dec 2025 15:36:00 +0000 (+0100) Subject: 6.17-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=483e317ad6b1dc6f5eea23a7f5c60326d43f2156;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: drm-amd-amdgpu-reserve-vm-invalidation-engine-for-uni_mes.patch drm-amd-display-check-null-before-accessing.patch drm-amd-display-don-t-change-brightness-for-disabled-connectors.patch drm-amd-display-increase-edid-read-retries.patch drm-amdgpu-attach-tlb-fence-to-the-pts-update.patch drm-i915-psr-reject-async-flips-when-selective-fetch-is-enabled.patch drm-sti-fix-device-leaks-at-component-probe.patch drm-xe-guc-fix-stack_depot-usage.patch libceph-fix-potential-use-after-free-in-have_mon_and_osd_map.patch libceph-prevent-potential-out-of-bounds-writes-in-handle_auth_session_key.patch libceph-replace-bug_on-with-bounds-check-for-map-max_osd.patch net-dsa-microchip-common-fix-checks-on-irq_find_mapping.patch net-dsa-microchip-don-t-free-uninitialized-ksz_irq.patch net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch net-dsa-microchip-ptp-fix-checks-on-irq_find_mapping.patch usb-serial-ftdi_sio-add-support-for-u-blox-evk-m101.patch usb-serial-option-add-support-for-rolling-rw101r-gl.patch --- diff --git a/queue-6.17/drm-amd-amdgpu-reserve-vm-invalidation-engine-for-uni_mes.patch b/queue-6.17/drm-amd-amdgpu-reserve-vm-invalidation-engine-for-uni_mes.patch new file mode 100644 index 0000000000..b46b1fc916 --- /dev/null +++ b/queue-6.17/drm-amd-amdgpu-reserve-vm-invalidation-engine-for-uni_mes.patch @@ -0,0 +1,35 @@ +From 971fb57429df5aa4e6efc796f7841e0d10b1e83c Mon Sep 17 00:00:00 2001 +From: Michael Chen +Date: Thu, 13 Nov 2025 12:56:43 -0500 +Subject: drm/amd/amdgpu: reserve vm invalidation engine for uni_mes + +From: Michael Chen + +commit 971fb57429df5aa4e6efc796f7841e0d10b1e83c upstream. + +Reserve vm invalidation engine 6 when uni_mes enabled. It +is used in processing tlb flush request from host. + +Signed-off-by: Michael Chen +Acked-by: Alex Deucher +Reviewed-by: Shaoyun liu +Signed-off-by: Alex Deucher +(cherry picked from commit 873373739b9b150720ea2c5390b4e904a4d21505) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c +@@ -597,6 +597,9 @@ int amdgpu_gmc_allocate_vm_inv_eng(struc + /* reserve engine 5 for firmware */ + if (adev->enable_mes) + vm_inv_engs[i] &= ~(1 << 5); ++ /* reserve engine 6 for uni mes */ ++ if (adev->enable_uni_mes) ++ vm_inv_engs[i] &= ~(1 << 6); + /* reserve mmhub engine 3 for firmware */ + if (adev->enable_umsch_mm) + vm_inv_engs[i] &= ~(1 << 3); diff --git a/queue-6.17/drm-amd-display-check-null-before-accessing.patch b/queue-6.17/drm-amd-display-check-null-before-accessing.patch new file mode 100644 index 0000000000..1cafe7b87a --- /dev/null +++ b/queue-6.17/drm-amd-display-check-null-before-accessing.patch @@ -0,0 +1,82 @@ +From 3ce62c189693e8ed7b3abe551802bbc67f3ace54 Mon Sep 17 00:00:00 2001 +From: Alex Hung +Date: Fri, 7 Nov 2025 15:35:58 -0700 +Subject: drm/amd/display: Check NULL before accessing + +From: Alex Hung + +commit 3ce62c189693e8ed7b3abe551802bbc67f3ace54 upstream. + +[WHAT] +IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic +fails with NULL pointer dereference. This can be reproduced with +both an eDP panel and a DP monitors connected. + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted +6.16.0-99-custom #8 PREEMPT(voluntary) + Hardware name: AMD ........ + RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu] + Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49 + 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30 + c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02 + RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668 + RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000 + RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760 + R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000 + R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c + FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000) +knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0 + PKRU: 55555554 + Call Trace: + + dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu] + amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu] + ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu] + amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu] + drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400 + drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30 + drm_crtc_get_last_vbltimestamp+0x55/0x90 + drm_crtc_next_vblank_start+0x45/0xa0 + drm_atomic_helper_wait_for_fences+0x81/0x1f0 + ... + +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Aurabindo Pillai +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c +@@ -705,9 +705,14 @@ bool dc_stream_get_scanoutpos(const stru + { + uint8_t i; + bool ret = false; +- struct dc *dc = stream->ctx->dc; +- struct resource_context *res_ctx = +- &dc->current_state->res_ctx; ++ struct dc *dc; ++ struct resource_context *res_ctx; ++ ++ if (!stream->ctx) ++ return false; ++ ++ dc = stream->ctx->dc; ++ res_ctx = &dc->current_state->res_ctx; + + dc_exit_ips_for_hw_access(dc); + diff --git a/queue-6.17/drm-amd-display-don-t-change-brightness-for-disabled-connectors.patch b/queue-6.17/drm-amd-display-don-t-change-brightness-for-disabled-connectors.patch new file mode 100644 index 0000000000..85453a47be --- /dev/null +++ b/queue-6.17/drm-amd-display-don-t-change-brightness-for-disabled-connectors.patch @@ -0,0 +1,57 @@ +From 81f4d4ba509522596143fd5d7dc2fc3495296b0a Mon Sep 17 00:00:00 2001 +From: "Mario Limonciello (AMD)" +Date: Mon, 3 Nov 2025 16:02:11 -0600 +Subject: drm/amd/display: Don't change brightness for disabled connectors + +From: Mario Limonciello (AMD) + +commit 81f4d4ba509522596143fd5d7dc2fc3495296b0a upstream. + +[WHY] +When a laptop lid is closed the connector is disabled but userspace +can still try to change brightness. This doesn't work because the +panel is turned off. It will eventually time out, but there is a lot +of stutter along the way. + +[How] +Iterate all connectors to check whether the matching one for the backlight +index is enabled. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4675 +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Ray Wu +Signed-off-by: Mario Limonciello (AMD) +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit f6eeab30323d1174a4cc022e769d248fe8241304) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4898,6 +4898,21 @@ static void amdgpu_dm_backlight_set_leve + struct dc_link *link; + u32 brightness; + bool rc, reallow_idle = false; ++ struct drm_connector *connector; ++ ++ list_for_each_entry(connector, &dm->ddev->mode_config.connector_list, head) { ++ struct amdgpu_dm_connector *aconnector = to_amdgpu_dm_connector(connector); ++ ++ if (aconnector->bl_idx != bl_idx) ++ continue; ++ ++ /* if connector is off, save the brightness for next time it's on */ ++ if (!aconnector->base.encoder) { ++ dm->brightness[bl_idx] = user_brightness; ++ dm->actual_brightness[bl_idx] = 0; ++ return; ++ } ++ } + + amdgpu_dm_update_backlight_caps(dm, bl_idx); + caps = &dm->backlight_caps[bl_idx]; diff --git a/queue-6.17/drm-amd-display-increase-edid-read-retries.patch b/queue-6.17/drm-amd-display-increase-edid-read-retries.patch new file mode 100644 index 0000000000..637c587861 --- /dev/null +++ b/queue-6.17/drm-amd-display-increase-edid-read-retries.patch @@ -0,0 +1,64 @@ +From 8ea902361734c87b82122f9c17830f168ebfc65a Mon Sep 17 00:00:00 2001 +From: "Mario Limonciello (AMD)" +Date: Wed, 5 Nov 2025 23:04:54 -0600 +Subject: drm/amd/display: Increase EDID read retries + +From: Mario Limonciello (AMD) + +commit 8ea902361734c87b82122f9c17830f168ebfc65a upstream. + +[WHY] +When monitor is still booting EDID read can fail while DPCD read +is successful. In this case no EDID data will be returned, and this +could happen for a while. + +[HOW] +Increase number of attempts to read EDID in dm_helpers_read_local_edid() +to 25. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4672 +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Alex Hung +Signed-off-by: Mario Limonciello (AMD) +Signed-off-by: Alex Hung +Tested-by: Dan Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit a76d6f2c76c3abac519ba753e2723e6ffe8e461c) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c +@@ -996,8 +996,8 @@ enum dc_edid_status dm_helpers_read_loca + struct amdgpu_dm_connector *aconnector = link->priv; + struct drm_connector *connector = &aconnector->base; + struct i2c_adapter *ddc; +- int retry = 3; +- enum dc_edid_status edid_status; ++ int retry = 25; ++ enum dc_edid_status edid_status = EDID_NO_RESPONSE; + const struct drm_edid *drm_edid; + const struct edid *edid; + +@@ -1027,7 +1027,7 @@ enum dc_edid_status dm_helpers_read_loca + } + + if (!drm_edid) +- return EDID_NO_RESPONSE; ++ continue; + + edid = drm_edid_raw(drm_edid); // FIXME: Get rid of drm_edid_raw() + if (!edid || +@@ -1045,7 +1045,7 @@ enum dc_edid_status dm_helpers_read_loca + &sink->dc_edid, + &sink->edid_caps); + +- } while (edid_status == EDID_BAD_CHECKSUM && --retry > 0); ++ } while ((edid_status == EDID_BAD_CHECKSUM || edid_status == EDID_NO_RESPONSE) && --retry > 0); + + if (edid_status != EDID_OK) + DRM_ERROR("EDID err: %d, on connector: %s", diff --git a/queue-6.17/drm-amdgpu-attach-tlb-fence-to-the-pts-update.patch b/queue-6.17/drm-amdgpu-attach-tlb-fence-to-the-pts-update.patch new file mode 100644 index 0000000000..58b0d8f7f2 --- /dev/null +++ b/queue-6.17/drm-amdgpu-attach-tlb-fence-to-the-pts-update.patch @@ -0,0 +1,38 @@ +From b4a7f4e7ad2b120a94f3111f92a11520052c762d Mon Sep 17 00:00:00 2001 +From: Prike Liang +Date: Fri, 31 Oct 2025 17:02:51 +0800 +Subject: drm/amdgpu: attach tlb fence to the PTs update +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Prike Liang + +commit b4a7f4e7ad2b120a94f3111f92a11520052c762d upstream. + +Ensure the userq TLB flush is emitted only after +the VM update finishes and the PT BOs have been +annotated with bookkeeping fences. + +Suggested-by: Christian König +Signed-off-by: Prike Liang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +(cherry picked from commit f3854e04b708d73276c4488231a8bd66d30b4671) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -1056,7 +1056,7 @@ amdgpu_vm_tlb_flush(struct amdgpu_vm_upd + } + + /* Prepare a TLB flush fence to be attached to PTs */ +- if (!params->unlocked && vm->is_compute_context) { ++ if (!params->unlocked) { + amdgpu_vm_tlb_fence_create(params->adev, vm, fence); + + /* Makes sure no PD/PT is freed before the flush */ diff --git a/queue-6.17/drm-i915-psr-reject-async-flips-when-selective-fetch-is-enabled.patch b/queue-6.17/drm-i915-psr-reject-async-flips-when-selective-fetch-is-enabled.patch new file mode 100644 index 0000000000..f28e58dcc5 --- /dev/null +++ b/queue-6.17/drm-i915-psr-reject-async-flips-when-selective-fetch-is-enabled.patch @@ -0,0 +1,69 @@ +From 7c373b3bd03c77fe8f6ea206ed49375eb4d43d13 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 5 Nov 2025 19:10:15 +0200 +Subject: drm/i915/psr: Reject async flips when selective fetch is enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 7c373b3bd03c77fe8f6ea206ed49375eb4d43d13 upstream. + +The selective fetch code doesn't handle asycn flips correctly. +There is a nonsense check for async flips in +intel_psr2_sel_fetch_config_valid() but that only gets called +for modesets/fastsets and thus does nothing for async flips. + +Currently intel_async_flip_check_hw() is very unhappy as the +selective fetch code pulls in planes that are not even async +flips capable. + +Reject async flips when selective fetch is enabled, until +someone fixes this properly (ie. disable selective fetch while +async flips are being issued). + +Cc: stable@vger.kernel.org +Signed-off-by: Ville Syrjälä +Link: https://patch.msgid.link/20251105171015.22234-1-ville.syrjala@linux.intel.com +Reviewed-by: Jouni Högander +(cherry picked from commit a5f0cc8e0cd4007370af6985cb152001310cf20c) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_display.c | 8 ++++++++ + drivers/gpu/drm/i915/display/intel_psr.c | 6 ------ + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_display.c ++++ b/drivers/gpu/drm/i915/display/intel_display.c +@@ -5958,6 +5958,14 @@ static int intel_async_flip_check_uapi(s + return -EINVAL; + } + ++ /* FIXME: selective fetch should be disabled for async flips */ ++ if (new_crtc_state->enable_psr2_sel_fetch) { ++ drm_dbg_kms(display->drm, ++ "[CRTC:%d:%s] async flip disallowed with PSR2 selective fetch\n", ++ crtc->base.base.id, crtc->base.name); ++ return -EINVAL; ++ } ++ + for_each_oldnew_intel_plane_in_state(state, plane, old_plane_state, + new_plane_state, i) { + if (plane->pipe != crtc->pipe) +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -1274,12 +1274,6 @@ static bool intel_psr2_sel_fetch_config_ + return false; + } + +- if (crtc_state->uapi.async_flip) { +- drm_dbg_kms(display->drm, +- "PSR2 sel fetch not enabled, async flip enabled\n"); +- return false; +- } +- + return crtc_state->enable_psr2_sel_fetch = true; + } + diff --git a/queue-6.17/drm-sti-fix-device-leaks-at-component-probe.patch b/queue-6.17/drm-sti-fix-device-leaks-at-component-probe.patch new file mode 100644 index 0000000000..eb1cf65472 --- /dev/null +++ b/queue-6.17/drm-sti-fix-device-leaks-at-component-probe.patch @@ -0,0 +1,49 @@ +From 620a8f131154250f6a64a07d049a4f235d6451a5 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 22 Sep 2025 14:20:12 +0200 +Subject: drm: sti: fix device leaks at component probe + +From: Johan Hovold + +commit 620a8f131154250f6a64a07d049a4f235d6451a5 upstream. + +Make sure to drop the references taken to the vtg devices by +of_find_device_by_node() when looking up their driver data during +component probe. + +Note that holding a reference to a platform device does not prevent its +driver data from going away so there is no point in keeping the +reference after the lookup helper returns. + +Fixes: cc6b741c6f63 ("drm: sti: remove useless fields from vtg structure") +Cc: stable@vger.kernel.org # 4.16 +Cc: Benjamin Gaignard +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20250922122012.27407-1-johan@kernel.org +Signed-off-by: Raphael Gallais-Pou +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/sti/sti_vtg.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/sti/sti_vtg.c ++++ b/drivers/gpu/drm/sti/sti_vtg.c +@@ -143,12 +143,17 @@ struct sti_vtg { + struct sti_vtg *of_vtg_find(struct device_node *np) + { + struct platform_device *pdev; ++ struct sti_vtg *vtg; + + pdev = of_find_device_by_node(np); + if (!pdev) + return NULL; + +- return (struct sti_vtg *)platform_get_drvdata(pdev); ++ vtg = platform_get_drvdata(pdev); ++ ++ put_device(&pdev->dev); ++ ++ return vtg; + } + + static void vtg_reset(struct sti_vtg *vtg) diff --git a/queue-6.17/drm-xe-guc-fix-stack_depot-usage.patch b/queue-6.17/drm-xe-guc-fix-stack_depot-usage.patch new file mode 100644 index 0000000000..6984ac4698 --- /dev/null +++ b/queue-6.17/drm-xe-guc-fix-stack_depot-usage.patch @@ -0,0 +1,44 @@ +From 0e234632e39bd21dd28ffc9ba3ae8eec4deb949c Mon Sep 17 00:00:00 2001 +From: Lucas De Marchi +Date: Tue, 18 Nov 2025 11:08:11 -0800 +Subject: drm/xe/guc: Fix stack_depot usage + +From: Lucas De Marchi + +commit 0e234632e39bd21dd28ffc9ba3ae8eec4deb949c upstream. + +Add missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is +enabled to fix the following call stack: + + [] BUG: kernel NULL pointer dereference, address: 0000000000000000 + [] Workqueue: drm_sched_run_job_work [gpu_sched] + [] RIP: 0010:stack_depot_save_flags+0x172/0x870 + [] Call Trace: + [] + [] fast_req_track+0x58/0xb0 [xe] + +Fixes: 16b7e65d299d ("drm/xe/guc: Track FAST_REQ H2Gs to report where errors came from") +Tested-by: Sagar Ghuge +Cc: stable@vger.kernel.org # v6.17+ +Reviewed-by: Stuart Summers +Link: https://patch.msgid.link/20251118-fix-debug-guc-v1-1-9f780c6bedf8@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_guc_ct.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/xe/xe_guc_ct.c ++++ b/drivers/gpu/drm/xe/xe_guc_ct.c +@@ -237,6 +237,9 @@ int xe_guc_ct_init_noalloc(struct xe_guc + #if IS_ENABLED(CONFIG_DRM_XE_DEBUG) + spin_lock_init(&ct->dead.lock); + INIT_WORK(&ct->dead.worker, ct_dead_worker_func); ++#if IS_ENABLED(CONFIG_DRM_XE_DEBUG_GUC) ++ stack_depot_init(); ++#endif + #endif + init_waitqueue_head(&ct->wq); + init_waitqueue_head(&ct->g2h_fence_wq); diff --git a/queue-6.17/libceph-fix-potential-use-after-free-in-have_mon_and_osd_map.patch b/queue-6.17/libceph-fix-potential-use-after-free-in-have_mon_and_osd_map.patch new file mode 100644 index 0000000000..212b296520 --- /dev/null +++ b/queue-6.17/libceph-fix-potential-use-after-free-in-have_mon_and_osd_map.patch @@ -0,0 +1,222 @@ +From 076381c261374c587700b3accf410bdd2dba334e Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Mon, 3 Nov 2025 21:34:01 +0100 +Subject: libceph: fix potential use-after-free in have_mon_and_osd_map() + +From: Ilya Dryomov + +commit 076381c261374c587700b3accf410bdd2dba334e upstream. + +The wait loop in __ceph_open_session() can race with the client +receiving a new monmap or osdmap shortly after the initial map is +received. Both ceph_monc_handle_map() and handle_one_map() install +a new map immediately after freeing the old one + + kfree(monc->monmap); + monc->monmap = monmap; + + ceph_osdmap_destroy(osdc->osdmap); + osdc->osdmap = newmap; + +under client->monc.mutex and client->osdc.lock respectively, but +because neither is taken in have_mon_and_osd_map() it's possible for +client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in + + client->monc.monmap && client->monc.monmap->epoch && + client->osdc.osdmap && client->osdc.osdmap->epoch; + +condition to dereference an already freed map. This happens to be +reproducible with generic/395 and generic/397 with KASAN enabled: + + BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70 + Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305 + CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266 + ... + Call Trace: + + have_mon_and_osd_map+0x56/0x70 + ceph_open_session+0x182/0x290 + ceph_get_tree+0x333/0x680 + vfs_get_tree+0x49/0x180 + do_new_mount+0x1a3/0x2d0 + path_mount+0x6dd/0x730 + do_mount+0x99/0xe0 + __do_sys_mount+0x141/0x180 + do_syscall_64+0x9f/0x100 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + + + Allocated by task 13305: + ceph_osdmap_alloc+0x16/0x130 + ceph_osdc_init+0x27a/0x4c0 + ceph_create_client+0x153/0x190 + create_fs_client+0x50/0x2a0 + ceph_get_tree+0xff/0x680 + vfs_get_tree+0x49/0x180 + do_new_mount+0x1a3/0x2d0 + path_mount+0x6dd/0x730 + do_mount+0x99/0xe0 + __do_sys_mount+0x141/0x180 + do_syscall_64+0x9f/0x100 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + + Freed by task 9475: + kfree+0x212/0x290 + handle_one_map+0x23c/0x3b0 + ceph_osdc_handle_map+0x3c9/0x590 + mon_dispatch+0x655/0x6f0 + ceph_con_process_message+0xc3/0xe0 + ceph_con_v1_try_read+0x614/0x760 + ceph_con_workfn+0x2de/0x650 + process_one_work+0x486/0x7c0 + process_scheduled_works+0x73/0x90 + worker_thread+0x1c8/0x2a0 + kthread+0x2ec/0x300 + ret_from_fork+0x24/0x40 + ret_from_fork_asm+0x1a/0x30 + +Rewrite the wait loop to check the above condition directly with +client->monc.mutex and client->osdc.lock taken as appropriate. While +at it, improve the timeout handling (previously mount_timeout could be +exceeded in case wait_event_interruptible_timeout() slept more than +once) and access client->auth_err under client->monc.mutex to match +how it's set in finish_auth(). + +monmap_show() and osdmap_show() now take the respective lock before +accessing the map as well. + +Cc: stable@vger.kernel.org +Reported-by: David Howells +Signed-off-by: Ilya Dryomov +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/ceph_common.c | 53 +++++++++++++++++++++++++++++-------------------- + net/ceph/debugfs.c | 14 +++++++++--- + 2 files changed, 42 insertions(+), 25 deletions(-) + +--- a/net/ceph/ceph_common.c ++++ b/net/ceph/ceph_common.c +@@ -786,41 +786,52 @@ void ceph_reset_client_addr(struct ceph_ + EXPORT_SYMBOL(ceph_reset_client_addr); + + /* +- * true if we have the mon map (and have thus joined the cluster) +- */ +-static bool have_mon_and_osd_map(struct ceph_client *client) +-{ +- return client->monc.monmap && client->monc.monmap->epoch && +- client->osdc.osdmap && client->osdc.osdmap->epoch; +-} +- +-/* + * mount: join the ceph cluster, and open root directory. + */ + int __ceph_open_session(struct ceph_client *client, unsigned long started) + { +- unsigned long timeout = client->options->mount_timeout; +- long err; ++ DEFINE_WAIT_FUNC(wait, woken_wake_function); ++ long timeout = ceph_timeout_jiffies(client->options->mount_timeout); ++ bool have_monmap, have_osdmap; ++ int err; + + /* open session, and wait for mon and osd maps */ + err = ceph_monc_open_session(&client->monc); + if (err < 0) + return err; + +- while (!have_mon_and_osd_map(client)) { +- if (timeout && time_after_eq(jiffies, started + timeout)) +- return -ETIMEDOUT; ++ add_wait_queue(&client->auth_wq, &wait); ++ for (;;) { ++ mutex_lock(&client->monc.mutex); ++ err = client->auth_err; ++ have_monmap = client->monc.monmap && client->monc.monmap->epoch; ++ mutex_unlock(&client->monc.mutex); ++ ++ down_read(&client->osdc.lock); ++ have_osdmap = client->osdc.osdmap && client->osdc.osdmap->epoch; ++ up_read(&client->osdc.lock); ++ ++ if (err || (have_monmap && have_osdmap)) ++ break; ++ ++ if (signal_pending(current)) { ++ err = -ERESTARTSYS; ++ break; ++ } ++ ++ if (!timeout) { ++ err = -ETIMEDOUT; ++ break; ++ } + + /* wait */ + dout("mount waiting for mon_map\n"); +- err = wait_event_interruptible_timeout(client->auth_wq, +- have_mon_and_osd_map(client) || (client->auth_err < 0), +- ceph_timeout_jiffies(timeout)); +- if (err < 0) +- return err; +- if (client->auth_err < 0) +- return client->auth_err; ++ timeout = wait_woken(&wait, TASK_INTERRUPTIBLE, timeout); + } ++ remove_wait_queue(&client->auth_wq, &wait); ++ ++ if (err) ++ return err; + + pr_info("client%llu fsid %pU\n", ceph_client_gid(client), + &client->fsid); +--- a/net/ceph/debugfs.c ++++ b/net/ceph/debugfs.c +@@ -36,8 +36,9 @@ static int monmap_show(struct seq_file * + int i; + struct ceph_client *client = s->private; + ++ mutex_lock(&client->monc.mutex); + if (client->monc.monmap == NULL) +- return 0; ++ goto out_unlock; + + seq_printf(s, "epoch %d\n", client->monc.monmap->epoch); + for (i = 0; i < client->monc.monmap->num_mon; i++) { +@@ -48,6 +49,9 @@ static int monmap_show(struct seq_file * + ENTITY_NAME(inst->name), + ceph_pr_addr(&inst->addr)); + } ++ ++out_unlock: ++ mutex_unlock(&client->monc.mutex); + return 0; + } + +@@ -56,13 +60,14 @@ static int osdmap_show(struct seq_file * + int i; + struct ceph_client *client = s->private; + struct ceph_osd_client *osdc = &client->osdc; +- struct ceph_osdmap *map = osdc->osdmap; ++ struct ceph_osdmap *map; + struct rb_node *n; + ++ down_read(&osdc->lock); ++ map = osdc->osdmap; + if (map == NULL) +- return 0; ++ goto out_unlock; + +- down_read(&osdc->lock); + seq_printf(s, "epoch %u barrier %u flags 0x%x\n", map->epoch, + osdc->epoch_barrier, map->flags); + +@@ -131,6 +136,7 @@ static int osdmap_show(struct seq_file * + seq_printf(s, "]\n"); + } + ++out_unlock: + up_read(&osdc->lock); + return 0; + } diff --git a/queue-6.17/libceph-prevent-potential-out-of-bounds-writes-in-handle_auth_session_key.patch b/queue-6.17/libceph-prevent-potential-out-of-bounds-writes-in-handle_auth_session_key.patch new file mode 100644 index 0000000000..7edce7fd4c --- /dev/null +++ b/queue-6.17/libceph-prevent-potential-out-of-bounds-writes-in-handle_auth_session_key.patch @@ -0,0 +1,42 @@ +From 7fce830ecd0a0256590ee37eb65a39cbad3d64fc Mon Sep 17 00:00:00 2001 +From: ziming zhang +Date: Fri, 14 Nov 2025 16:56:10 +0800 +Subject: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() + +From: ziming zhang + +commit 7fce830ecd0a0256590ee37eb65a39cbad3d64fc upstream. + +The len field originates from untrusted network packets. Boundary +checks have been added to prevent potential out-of-bounds writes when +decrypting the connection secret or processing service tickets. + +[ idryomov: changelog ] + +Cc: stable@vger.kernel.org +Signed-off-by: ziming zhang +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/auth_x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ceph/auth_x.c ++++ b/net/ceph/auth_x.c +@@ -631,6 +631,7 @@ static int handle_auth_session_key(struc + + /* connection secret */ + ceph_decode_32_safe(p, end, len, e_inval); ++ ceph_decode_need(p, end, len, e_inval); + dout("%s connection secret blob len %d\n", __func__, len); + if (len > 0) { + dp = *p + ceph_x_encrypt_offset(); +@@ -648,6 +649,7 @@ static int handle_auth_session_key(struc + + /* service tickets */ + ceph_decode_32_safe(p, end, len, e_inval); ++ ceph_decode_need(p, end, len, e_inval); + dout("%s service tickets blob len %d\n", __func__, len); + if (len > 0) { + ret = ceph_x_proc_ticket_reply(ac, &th->session_key, diff --git a/queue-6.17/libceph-replace-bug_on-with-bounds-check-for-map-max_osd.patch b/queue-6.17/libceph-replace-bug_on-with-bounds-check-for-map-max_osd.patch new file mode 100644 index 0000000000..481e058ea4 --- /dev/null +++ b/queue-6.17/libceph-replace-bug_on-with-bounds-check-for-map-max_osd.patch @@ -0,0 +1,92 @@ +From ec3797f043756a94ea2d0f106022e14ac4946c02 Mon Sep 17 00:00:00 2001 +From: ziming zhang +Date: Mon, 17 Nov 2025 18:07:41 +0800 +Subject: libceph: replace BUG_ON with bounds check for map->max_osd + +From: ziming zhang + +commit ec3797f043756a94ea2d0f106022e14ac4946c02 upstream. + +OSD indexes come from untrusted network packets. Boundary checks are +added to validate these against map->max_osd. + +[ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic + edits ] + +Cc: stable@vger.kernel.org +Signed-off-by: ziming zhang +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osdmap.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -1504,8 +1504,6 @@ static int decode_new_primary_temp(void + + u32 ceph_get_primary_affinity(struct ceph_osdmap *map, int osd) + { +- BUG_ON(osd >= map->max_osd); +- + if (!map->osd_primary_affinity) + return CEPH_OSD_DEFAULT_PRIMARY_AFFINITY; + +@@ -1514,8 +1512,6 @@ u32 ceph_get_primary_affinity(struct cep + + static int set_primary_affinity(struct ceph_osdmap *map, int osd, u32 aff) + { +- BUG_ON(osd >= map->max_osd); +- + if (!map->osd_primary_affinity) { + int i; + +@@ -1577,6 +1573,8 @@ static int decode_new_primary_affinity(v + + ceph_decode_32_safe(p, end, osd, e_inval); + ceph_decode_32_safe(p, end, aff, e_inval); ++ if (osd >= map->max_osd) ++ goto e_inval; + + ret = set_primary_affinity(map, osd, aff); + if (ret) +@@ -1879,7 +1877,9 @@ static int decode_new_up_state_weight(vo + ceph_decode_need(p, end, 2*sizeof(u32), e_inval); + osd = ceph_decode_32(p); + w = ceph_decode_32(p); +- BUG_ON(osd >= map->max_osd); ++ if (osd >= map->max_osd) ++ goto e_inval; ++ + osdmap_info(map, "osd%d weight 0x%x %s\n", osd, w, + w == CEPH_OSD_IN ? "(in)" : + (w == CEPH_OSD_OUT ? "(out)" : "")); +@@ -1905,13 +1905,15 @@ static int decode_new_up_state_weight(vo + u32 xorstate; + + osd = ceph_decode_32(p); ++ if (osd >= map->max_osd) ++ goto e_inval; ++ + if (struct_v >= 5) + xorstate = ceph_decode_32(p); + else + xorstate = ceph_decode_8(p); + if (xorstate == 0) + xorstate = CEPH_OSD_UP; +- BUG_ON(osd >= map->max_osd); + if ((map->osd_state[osd] & CEPH_OSD_UP) && + (xorstate & CEPH_OSD_UP)) + osdmap_info(map, "osd%d down\n", osd); +@@ -1937,7 +1939,9 @@ static int decode_new_up_state_weight(vo + struct ceph_entity_addr addr; + + osd = ceph_decode_32(p); +- BUG_ON(osd >= map->max_osd); ++ if (osd >= map->max_osd) ++ goto e_inval; ++ + if (struct_v >= 7) + ret = ceph_decode_entity_addrvec(p, end, msgr2, &addr); + else diff --git a/queue-6.17/net-dsa-microchip-common-fix-checks-on-irq_find_mapping.patch b/queue-6.17/net-dsa-microchip-common-fix-checks-on-irq_find_mapping.patch new file mode 100644 index 0000000000..335ba132f5 --- /dev/null +++ b/queue-6.17/net-dsa-microchip-common-fix-checks-on-irq_find_mapping.patch @@ -0,0 +1,52 @@ +From 7b3c09e1667977edee11de94a85e2593a7c15e87 Mon Sep 17 00:00:00 2001 +From: "Bastien Curutchet (Schneider Electric)" +Date: Thu, 20 Nov 2025 10:12:00 +0100 +Subject: net: dsa: microchip: common: Fix checks on irq_find_mapping() + +From: Bastien Curutchet (Schneider Electric) + +commit 7b3c09e1667977edee11de94a85e2593a7c15e87 upstream. + +irq_find_mapping() returns a positive IRQ number or 0 if no IRQ is found +but it never returns a negative value. However, on each +irq_find_mapping() call, we verify that the returned value isn't +negative. + +Fix the irq_find_mapping() checks to enter error paths when 0 is +returned. Return -EINVAL in such cases. + +CC: stable@vger.kernel.org +Fixes: c9cd961c0d43 ("net: dsa: microchip: lan937x: add interrupt support for port phy link") +Reviewed-by: Andrew Lunn +Signed-off-by: Bastien Curutchet (Schneider Electric) +Link: https://patch.msgid.link/20251120-ksz-fix-v6-1-891f80ae7f8f@bootlin.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_common.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -2587,8 +2587,8 @@ static int ksz_irq_phy_setup(struct ksz_ + + irq = irq_find_mapping(dev->ports[port].pirq.domain, + PORT_SRC_PHY_INT); +- if (irq < 0) { +- ret = irq; ++ if (!irq) { ++ ret = -EINVAL; + goto out; + } + ds->user_mii_bus->irq[phy] = irq; +@@ -2952,8 +2952,8 @@ static int ksz_pirq_setup(struct ksz_dev + snprintf(pirq->name, sizeof(pirq->name), "port_irq-%d", p); + + pirq->irq_num = irq_find_mapping(dev->girq.domain, p); +- if (pirq->irq_num < 0) +- return pirq->irq_num; ++ if (!pirq->irq_num) ++ return -EINVAL; + + return ksz_irq_common_setup(dev, pirq); + } diff --git a/queue-6.17/net-dsa-microchip-don-t-free-uninitialized-ksz_irq.patch b/queue-6.17/net-dsa-microchip-don-t-free-uninitialized-ksz_irq.patch new file mode 100644 index 0000000000..4a4fa6a844 --- /dev/null +++ b/queue-6.17/net-dsa-microchip-don-t-free-uninitialized-ksz_irq.patch @@ -0,0 +1,37 @@ +From 25b62cc5b22c45face094ae3e8717258e46d1d19 Mon Sep 17 00:00:00 2001 +From: "Bastien Curutchet (Schneider Electric)" +Date: Thu, 20 Nov 2025 10:12:02 +0100 +Subject: net: dsa: microchip: Don't free uninitialized ksz_irq + +From: Bastien Curutchet (Schneider Electric) + +commit 25b62cc5b22c45face094ae3e8717258e46d1d19 upstream. + +If something goes wrong at setup, ksz_irq_free() can be called on +uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It +leads to freeing uninitialized IRQ numbers and/or domains. + +Use dsa_switch_for_each_user_port_continue_reverse() in the error path +to iterate only over the fully initialized ports. + +Cc: stable@vger.kernel.org +Fixes: cc13ab18b201 ("net: dsa: microchip: ptp: enable interrupt for timestamping") +Signed-off-by: Bastien Curutchet (Schneider Electric) +Link: https://patch.msgid.link/20251120-ksz-fix-v6-3-891f80ae7f8f@bootlin.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -3082,7 +3082,7 @@ out_ptpirq: + ksz_ptp_irq_free(ds, dp->index); + out_pirq: + if (dev->irq > 0) +- dsa_switch_for_each_user_port(dp, dev->ds) ++ dsa_switch_for_each_user_port_continue_reverse(dp, dev->ds) + ksz_irq_free(&dev->ports[dp->index].pirq); + out_girq: + if (dev->irq > 0) diff --git a/queue-6.17/net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch b/queue-6.17/net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch new file mode 100644 index 0000000000..90fc36b828 --- /dev/null +++ b/queue-6.17/net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch @@ -0,0 +1,84 @@ +From d0b8fec8ae50525b57139393d0bb1f446e82ff7e Mon Sep 17 00:00:00 2001 +From: "Bastien Curutchet (Schneider Electric)" +Date: Thu, 20 Nov 2025 10:12:04 +0100 +Subject: net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() + +From: Bastien Curutchet (Schneider Electric) + +commit d0b8fec8ae50525b57139393d0bb1f446e82ff7e upstream. + +The IRQ numbers created through irq_create_mapping() are only assigned +to ptpmsg_irq[n].num at the end of the IRQ setup. So if an error occurs +between their creation and their assignment (for instance during the +request_threaded_irq() step), we enter the error path and fail to +release the newly created virtual IRQs because they aren't yet assigned +to ptpmsg_irq[n].num. + +Move the mapping creation to ksz_ptp_msg_irq_setup() to ensure symetry +with what's released by ksz_ptp_msg_irq_free(). +In the error path, move the irq_dispose_mapping to the out_ptp_msg label +so it will be called only on created IRQs. + +Cc: stable@vger.kernel.org +Fixes: cc13ab18b201 ("net: dsa: microchip: ptp: enable interrupt for timestamping") +Reviewed-by: Andrew Lunn +Signed-off-by: Bastien Curutchet (Schneider Electric) +Link: https://patch.msgid.link/20251120-ksz-fix-v6-5-891f80ae7f8f@bootlin.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_ptp.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +--- a/drivers/net/dsa/microchip/ksz_ptp.c ++++ b/drivers/net/dsa/microchip/ksz_ptp.c +@@ -1093,19 +1093,19 @@ static int ksz_ptp_msg_irq_setup(struct + static const char * const name[] = {"pdresp-msg", "xdreq-msg", + "sync-msg"}; + const struct ksz_dev_ops *ops = port->ksz_dev->dev_ops; ++ struct ksz_irq *ptpirq = &port->ptpirq; + struct ksz_ptp_irq *ptpmsg_irq; + + ptpmsg_irq = &port->ptpmsg_irq[n]; ++ ptpmsg_irq->num = irq_create_mapping(ptpirq->domain, n); ++ if (!ptpmsg_irq->num) ++ return -EINVAL; + + ptpmsg_irq->port = port; + ptpmsg_irq->ts_reg = ops->get_port_addr(port->num, ts_reg[n]); + + strscpy(ptpmsg_irq->name, name[n]); + +- ptpmsg_irq->num = irq_find_mapping(port->ptpirq.domain, n); +- if (ptpmsg_irq->num < 0) +- return ptpmsg_irq->num; +- + return request_threaded_irq(ptpmsg_irq->num, NULL, + ksz_ptp_msg_thread_fn, IRQF_ONESHOT, + ptpmsg_irq->name, ptpmsg_irq); +@@ -1135,9 +1135,6 @@ int ksz_ptp_irq_setup(struct dsa_switch + if (!ptpirq->domain) + return -ENOMEM; + +- for (irq = 0; irq < ptpirq->nirqs; irq++) +- irq_create_mapping(ptpirq->domain, irq); +- + ptpirq->irq_num = irq_find_mapping(port->pirq.domain, PORT_SRC_PTP_INT); + if (!ptpirq->irq_num) { + ret = -EINVAL; +@@ -1159,12 +1156,11 @@ int ksz_ptp_irq_setup(struct dsa_switch + + out_ptp_msg: + free_irq(ptpirq->irq_num, ptpirq); +- while (irq--) ++ while (irq--) { + free_irq(port->ptpmsg_irq[irq].num, &port->ptpmsg_irq[irq]); +-out: +- for (irq = 0; irq < ptpirq->nirqs; irq++) + irq_dispose_mapping(port->ptpmsg_irq[irq].num); +- ++ } ++out: + irq_domain_remove(ptpirq->domain); + + return ret; diff --git a/queue-6.17/net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch b/queue-6.17/net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch new file mode 100644 index 0000000000..ad394be85f --- /dev/null +++ b/queue-6.17/net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch @@ -0,0 +1,84 @@ +From 0f80e21bf6229637e193248fbd284c0ec44bc0fd Mon Sep 17 00:00:00 2001 +From: "Bastien Curutchet (Schneider Electric)" +Date: Thu, 20 Nov 2025 10:12:03 +0100 +Subject: net: dsa: microchip: Free previously initialized ports on init failures + +From: Bastien Curutchet (Schneider Electric) + +commit 0f80e21bf6229637e193248fbd284c0ec44bc0fd upstream. + +If a port interrupt setup fails after at least one port has already been +successfully initialized, the gotos miss some resource releasing: +- the already initialized PTP IRQs aren't released +- the already initialized port IRQs aren't released if the failure +occurs in ksz_pirq_setup(). + +Merge 'out_girq' and 'out_ptpirq' into a single 'port_release' label. +Behind this label, use the reverse loop to release all IRQ resources +for all initialized ports. +Jump in the middle of the reverse loop if an error occurs in +ksz_ptp_irq_setup() to only release the port IRQ of the current +iteration. + +Cc: stable@vger.kernel.org +Fixes: c9cd961c0d43 ("net: dsa: microchip: lan937x: add interrupt support for port phy link") +Signed-off-by: Bastien Curutchet (Schneider Electric) +Link: https://patch.msgid.link/20251120-ksz-fix-v6-4-891f80ae7f8f@bootlin.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_common.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -3038,12 +3038,12 @@ static int ksz_setup(struct dsa_switch * + dsa_switch_for_each_user_port(dp, dev->ds) { + ret = ksz_pirq_setup(dev, dp->index); + if (ret) +- goto out_girq; ++ goto port_release; + + if (dev->info->ptp_capable) { + ret = ksz_ptp_irq_setup(ds, dp->index); + if (ret) +- goto out_pirq; ++ goto pirq_release; + } + } + } +@@ -3053,7 +3053,7 @@ static int ksz_setup(struct dsa_switch * + if (ret) { + dev_err(dev->dev, "Failed to register PTP clock: %d\n", + ret); +- goto out_ptpirq; ++ goto port_release; + } + } + +@@ -3076,17 +3076,16 @@ static int ksz_setup(struct dsa_switch * + out_ptp_clock_unregister: + if (dev->info->ptp_capable) + ksz_ptp_clock_unregister(ds); +-out_ptpirq: +- if (dev->irq > 0 && dev->info->ptp_capable) +- dsa_switch_for_each_user_port(dp, dev->ds) +- ksz_ptp_irq_free(ds, dp->index); +-out_pirq: +- if (dev->irq > 0) +- dsa_switch_for_each_user_port_continue_reverse(dp, dev->ds) ++port_release: ++ if (dev->irq > 0) { ++ dsa_switch_for_each_user_port_continue_reverse(dp, dev->ds) { ++ if (dev->info->ptp_capable) ++ ksz_ptp_irq_free(ds, dp->index); ++pirq_release: + ksz_irq_free(&dev->ports[dp->index].pirq); +-out_girq: +- if (dev->irq > 0) ++ } + ksz_irq_free(&dev->girq); ++ } + + return ret; + } diff --git a/queue-6.17/net-dsa-microchip-ptp-fix-checks-on-irq_find_mapping.patch b/queue-6.17/net-dsa-microchip-ptp-fix-checks-on-irq_find_mapping.patch new file mode 100644 index 0000000000..2c7da05404 --- /dev/null +++ b/queue-6.17/net-dsa-microchip-ptp-fix-checks-on-irq_find_mapping.patch @@ -0,0 +1,40 @@ +From 9e059305be41a5bd27e03458d8333cf30d70be34 Mon Sep 17 00:00:00 2001 +From: "Bastien Curutchet (Schneider Electric)" +Date: Thu, 20 Nov 2025 10:12:01 +0100 +Subject: net: dsa: microchip: ptp: Fix checks on irq_find_mapping() + +From: Bastien Curutchet (Schneider Electric) + +commit 9e059305be41a5bd27e03458d8333cf30d70be34 upstream. + +irq_find_mapping() returns a positive IRQ number or 0 if no IRQ is found +but it never returns a negative value. However, during the PTP IRQ setup, +we verify that its returned value isn't negative. + +Fix the irq_find_mapping() check to enter the error path when 0 is +returned. Return -EINVAL in such case. + +Cc: stable@vger.kernel.org +Fixes: cc13ab18b201 ("net: dsa: microchip: ptp: enable interrupt for timestamping") +Reviewed-by: Andrew Lunn +Signed-off-by: Bastien Curutchet (Schneider Electric) +Link: https://patch.msgid.link/20251120-ksz-fix-v6-2-891f80ae7f8f@bootlin.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_ptp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/microchip/ksz_ptp.c ++++ b/drivers/net/dsa/microchip/ksz_ptp.c +@@ -1139,8 +1139,8 @@ int ksz_ptp_irq_setup(struct dsa_switch + irq_create_mapping(ptpirq->domain, irq); + + ptpirq->irq_num = irq_find_mapping(port->pirq.domain, PORT_SRC_PTP_INT); +- if (ptpirq->irq_num < 0) { +- ret = ptpirq->irq_num; ++ if (!ptpirq->irq_num) { ++ ret = -EINVAL; + goto out; + } + diff --git a/queue-6.17/series b/queue-6.17/series index e272a897d9..5a09a0f034 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -121,3 +121,21 @@ usb-dwc3-fix-race-condition-between-concurrent-dwc3_remove_requests-call-paths.p xhci-fix-stale-flag-preventig-urbs-after-link-state-error-is-cleared.patch xhci-dbgtty-fix-data-corruption-when-transmitting-data-form-dbc-to-host.patch xhci-dbgtty-fix-device-unregister.patch +usb-serial-ftdi_sio-add-support-for-u-blox-evk-m101.patch +usb-serial-option-add-support-for-rolling-rw101r-gl.patch +drm-sti-fix-device-leaks-at-component-probe.patch +drm-i915-psr-reject-async-flips-when-selective-fetch-is-enabled.patch +drm-xe-guc-fix-stack_depot-usage.patch +drm-amdgpu-attach-tlb-fence-to-the-pts-update.patch +drm-amd-amdgpu-reserve-vm-invalidation-engine-for-uni_mes.patch +drm-amd-display-check-null-before-accessing.patch +drm-amd-display-don-t-change-brightness-for-disabled-connectors.patch +drm-amd-display-increase-edid-read-retries.patch +net-dsa-microchip-common-fix-checks-on-irq_find_mapping.patch +net-dsa-microchip-ptp-fix-checks-on-irq_find_mapping.patch +net-dsa-microchip-don-t-free-uninitialized-ksz_irq.patch +net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch +net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch +libceph-fix-potential-use-after-free-in-have_mon_and_osd_map.patch +libceph-prevent-potential-out-of-bounds-writes-in-handle_auth_session_key.patch +libceph-replace-bug_on-with-bounds-check-for-map-max_osd.patch diff --git a/queue-6.17/usb-serial-ftdi_sio-add-support-for-u-blox-evk-m101.patch b/queue-6.17/usb-serial-ftdi_sio-add-support-for-u-blox-evk-m101.patch new file mode 100644 index 0000000000..d024ad0fcf --- /dev/null +++ b/queue-6.17/usb-serial-ftdi_sio-add-support-for-u-blox-evk-m101.patch @@ -0,0 +1,58 @@ +From 2d8ab771d5316de64f3bb920b82575c58eb00b1b Mon Sep 17 00:00:00 2001 +From: Oleksandr Suvorov +Date: Thu, 30 Oct 2025 17:42:54 +0200 +Subject: USB: serial: ftdi_sio: add support for u-blox EVK-M101 + +From: Oleksandr Suvorov + +commit 2d8ab771d5316de64f3bb920b82575c58eb00b1b upstream. + +The U-Blox EVK-M101 enumerates as 1546:0506 [1] with four FTDI interfaces: +- EVK-M101 current sensors +- EVK-M101 I2C +- EVK-M101 UART +- EVK-M101 port D + +Only the third USB interface is a UART. This change lets ftdi_sio probe +the VID/PID and registers only interface #3 as a TTY, leaving the rest +available for other drivers. + +[1] +usb 5-1.3: new high-speed USB device number 11 using xhci_hcd +usb 5-1.3: New USB device found, idVendor=1546, idProduct=0506, bcdDevice= 8.00 +usb 5-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0 +usb 5-1.3: Product: EVK-M101 +usb 5-1.3: Manufacturer: u-blox AG + +Datasheet: https://content.u-blox.com/sites/default/files/documents/EVK-M10_UserGuide_UBX-21003949.pdf + +Signed-off-by: Oleksandr Suvorov +Link: https://lore.kernel.org/20250926060235.3442748-1-cryosay@gmail.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1074,6 +1074,7 @@ static const struct usb_device_id id_tab + /* U-Blox devices */ + { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) }, + { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) }, ++ { USB_DEVICE_INTERFACE_NUMBER(UBLOX_VID, UBLOX_EVK_M101_PID, 2) }, + /* FreeCalypso USB adapters */ + { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1614,6 +1614,7 @@ + #define UBLOX_VID 0x1546 + #define UBLOX_C099F9P_ZED_PID 0x0502 + #define UBLOX_C099F9P_ODIN_PID 0x0503 ++#define UBLOX_EVK_M101_PID 0x0506 + + /* + * GMC devices diff --git a/queue-6.17/usb-serial-option-add-support-for-rolling-rw101r-gl.patch b/queue-6.17/usb-serial-option-add-support-for-rolling-rw101r-gl.patch new file mode 100644 index 0000000000..08b71154ee --- /dev/null +++ b/queue-6.17/usb-serial-option-add-support-for-rolling-rw101r-gl.patch @@ -0,0 +1,157 @@ +From 523bf0a59e674b52e4b5607a2aba655fbfa20ff2 Mon Sep 17 00:00:00 2001 +From: Vanillan Wang +Date: Mon, 10 Nov 2025 12:20:41 +0800 +Subject: USB: serial: option: add support for Rolling RW101R-GL + +From: Vanillan Wang + +commit 523bf0a59e674b52e4b5607a2aba655fbfa20ff2 upstream. + +- VID:PID 33f8:0301, RW101R-GL for laptop debug M.2 cards (with MBIM + interface for Linux/Chrome OS) + + 0x0301: mbim, pipe + +T: Bus=04 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=33f8 ProdID=0301 Rev=05.04 +S: Manufacturer=Rolling Wireless S.a.r.l. +S: Product=Rolling RW101R-GL Module +S: SerialNumber=3ec4efdf +C: #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms + +- VID:PID 33f8:01a8, RW101R-GL for laptop debug M.2 cards (with MBIM + interface for Linux/Chrome OS) + + 0x01a8: mbim, diag, AT, ADB, pipe1, pipe2 + +T: Bus=04 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0 +D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=33f8 ProdID=01a8 Rev=05.04 +S: Manufacturer=Rolling Wireless S.a.r.l. +S: Product=Rolling RW101R-GL Module +S: SerialNumber=3ec4efdf +C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=896mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=89(I) Atr=03(Int.) MxPS= 10 Ivl=32ms + +- VID:PID 33f8:0302, RW101R-GL for laptop debug M.2 cards (with MBIM + interface for Linux/Chrome OS) + + 0x0302: mbim, pipe + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 6 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=33f8 ProdID=0302 Rev=05.04 +S: Manufacturer=Rolling Wireless S.a.r.l. +S: Product=Rolling RW101R-GL Module +S: SerialNumber=3ec4efdf +C: #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms + +- VID:PID 33f8:01a9, RW101R-GL for laptop debug M.2 cards (with MBIM + interface for Linux/Chrome OS) + + 0x01a9: mbim, diag, AT, ADB, pipe1, pipe2 + +T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=33f8 ProdID=01a9 Rev=05.04 +S: Manufacturer=Rolling Wireless S.a.r.l. +S: Product=Rolling RW101R-GL Module +S: SerialNumber=3ec4efdf +C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=03(Int.) MxPS= 10 Ivl=32ms + +Signed-off-by: Vanillan Wang +Cc: stable@vger.kernel.org +[ johan: sort vendor entries, edit commit message slightly ] +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -2424,12 +2424,18 @@ static const struct usb_device_id option + { USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1406, 0xff) }, /* GosunCn GM500 ECM/NCM */ + { USB_DEVICE(0x33f8, 0x0104), /* Rolling RW101-GL (laptop RMNET) */ + .driver_info = RSVD(4) | RSVD(5) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0115, 0xff), /* Rolling RW135-GL (laptop MBIM) */ ++ .driver_info = RSVD(5) }, + { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a2, 0xff) }, /* Rolling RW101-GL (laptop MBIM) */ + { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a3, 0xff) }, /* Rolling RW101-GL (laptop MBIM) */ + { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a4, 0xff), /* Rolling RW101-GL (laptop MBIM) */ + .driver_info = RSVD(4) }, +- { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0115, 0xff), /* Rolling RW135-GL (laptop MBIM) */ +- .driver_info = RSVD(5) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a8, 0xff), /* Rolling RW101R-GL (laptop MBIM) */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x01a9, 0xff), /* Rolling RW101R-GL (laptop MBIM) */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0301, 0xff) }, /* Rolling RW101R-GL (laptop MBIM) */ ++ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) }, /* Rolling RW101R-GL (laptop MBIM) */ + { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff), /* Rolling RW350-GL (laptop MBIM) */ + .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Global */