From: Sasha Levin Date: Mon, 7 Apr 2025 14:02:14 +0000 (-0400) Subject: Fixes for 6.12 X-Git-Tag: v5.4.292~83 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=486214d94efae987b6867cc7376f56d0833bfb52;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.12 Signed-off-by: Sasha Levin --- diff --git a/queue-6.12/acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch b/queue-6.12/acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch new file mode 100644 index 0000000000..8496a7f8a7 --- /dev/null +++ b/queue-6.12/acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch @@ -0,0 +1,58 @@ +From 8af250176660dcf9403119efae5d9e5d30d41e8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 15:30:39 +0100 +Subject: ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states + are invalid + +From: Giovanni Gherdovich + +[ Upstream commit 9e9b893404d43894d69a18dd2fc8fcf1c36abb7e ] + +Prior to commit 496121c02127 ("ACPI: processor: idle: Allow probing on +platforms with one ACPI C-state"), the acpi_idle driver wouldn't load on +systems without a valid C-State at least as deep as C2. + +The behavior was desirable for guests on hypervisors such as VMWare +ESXi, which by default don't have the _CST ACPI method, and set the C2 +and C3 latencies to 101 and 1001 microseconds respectively via the FADT, +to signify they're unsupported. + +Since the above change though, these virtualized deployments end up +loading acpi_idle, and thus entering the default C1 C-State set by +acpi_processor_get_power_info_default(); this is undesirable for a +system that's communicating to the OS it doesn't want C-States (missing +_CST, and invalid C2/C3 in FADT). + +Make acpi_processor_get_power_info_fadt() return -ENODEV in that case, +so that acpi_processor_get_cstate_info() exits early and doesn't set +pr->flags.power = 1. + +Fixes: 496121c02127 ("ACPI: processor: idle: Allow probing on platforms with one ACPI C-state") +Signed-off-by: Giovanni Gherdovich +Reviewed-by: Zhang Rui +Link: https://patch.msgid.link/20250328143040.9348-1-ggherdovich@suse.cz +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/processor_idle.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 831fa4a121598..0888e4d618d53 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -268,6 +268,10 @@ static int acpi_processor_get_power_info_fadt(struct acpi_processor *pr) + ACPI_CX_DESC_LEN, "ACPI P_LVL3 IOPORT 0x%x", + pr->power.states[ACPI_STATE_C3].address); + ++ if (!pr->power.states[ACPI_STATE_C2].address && ++ !pr->power.states[ACPI_STATE_C3].address) ++ return -ENODEV; ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/affs-don-t-write-overlarge-ofs-data-block-size-field.patch b/queue-6.12/affs-don-t-write-overlarge-ofs-data-block-size-field.patch new file mode 100644 index 0000000000..b5a596420f --- /dev/null +++ b/queue-6.12/affs-don-t-write-overlarge-ofs-data-block-size-field.patch @@ -0,0 +1,51 @@ +From 52710d2ea587e517bd4453d7676393024d39d518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 08:14:44 +0000 +Subject: affs: don't write overlarge OFS data block size fields + +From: Simon Tatham + +[ Upstream commit 011ea742a25a77bac3d995f457886a67d178c6f0 ] + +If a data sector on an OFS floppy contains a value > 0x1e8 (the +largest amount of data that fits in the sector after its header), then +an Amiga reading the file can return corrupt data, by taking the +overlarge size at its word and reading past the end of the buffer it +read the disk sector into! + +The cause: when affs_write_end_ofs() writes data to an OFS filesystem, +the new size field for a data block was computed by adding the amount +of data currently being written (into the block) to the existing value +of the size field. This is correct if you're extending the file at the +end, but if you seek backwards in the file and overwrite _existing_ +data, it can lead to the size field being larger than the maximum +legal value. + +This commit changes the calculation so that it sets the size field to +the max of its previous size and the position within the block that we +just wrote up to. + +Signed-off-by: Simon Tatham +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/affs/file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/affs/file.c b/fs/affs/file.c +index 226308f8627e7..7a71018e3f675 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -724,7 +724,8 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping, + tmp = min(bsize - boff, to - from); + BUG_ON(boff + tmp > bsize || tmp > bsize); + memcpy(AFFS_DATA(bh) + boff, data + from, tmp); +- be32_add_cpu(&AFFS_DATA_HEAD(bh)->size, tmp); ++ AFFS_DATA_HEAD(bh)->size = cpu_to_be32( ++ max(boff + tmp, be32_to_cpu(AFFS_DATA_HEAD(bh)->size))); + affs_fix_checksum(sb, bh); + mark_buffer_dirty_inode(bh, inode); + written += tmp; +-- +2.39.5 + diff --git a/queue-6.12/affs-generate-ofs-sequence-numbers-starting-at-1.patch b/queue-6.12/affs-generate-ofs-sequence-numbers-starting-at-1.patch new file mode 100644 index 0000000000..d0e6064e64 --- /dev/null +++ b/queue-6.12/affs-generate-ofs-sequence-numbers-starting-at-1.patch @@ -0,0 +1,68 @@ +From 9eaa02e088ef8dd58a1603e36e05e6dcaf7c7bf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 08:14:43 +0000 +Subject: affs: generate OFS sequence numbers starting at 1 + +From: Simon Tatham + +[ Upstream commit e4cf8ec4de4e13f156c1d61977d282d90c221085 ] + +If I write a file to an OFS floppy image, and try to read it back on +an emulated Amiga running Workbench 1.3, the Amiga reports a disk +error trying to read the file. (That is, it's unable to read it _at +all_, even to copy it to the NIL: device. It isn't a matter of getting +the wrong data and being unable to parse the file format.) + +This is because the 'sequence number' field in the OFS data block +header is supposed to be based at 1, but affs writes it based at 0. +All three locations changed by this patch were setting the sequence +number to a variable 'bidx' which was previously obtained by dividing +a file position by bsize, so bidx will naturally use 0 for the first +block. Therefore all three should add 1 to that value before writing +it into the sequence number field. + +With this change, the Amiga successfully reads the file. + +For data block reference: https://wiki.osdev.org/FFS_(Amiga) + +Signed-off-by: Simon Tatham +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/affs/file.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/affs/file.c b/fs/affs/file.c +index a5a861dd52230..226308f8627e7 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -596,7 +596,7 @@ affs_extent_file_ofs(struct inode *inode, u32 newsize) + BUG_ON(tmp > bsize); + AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA); + AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino); +- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx); ++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1); + AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp); + affs_fix_checksum(sb, bh); + bh->b_state &= ~(1UL << BH_New); +@@ -746,7 +746,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping, + if (buffer_new(bh)) { + AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA); + AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino); +- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx); ++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1); + AFFS_DATA_HEAD(bh)->size = cpu_to_be32(bsize); + AFFS_DATA_HEAD(bh)->next = 0; + bh->b_state &= ~(1UL << BH_New); +@@ -780,7 +780,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping, + if (buffer_new(bh)) { + AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA); + AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino); +- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx); ++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1); + AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp); + AFFS_DATA_HEAD(bh)->next = 0; + bh->b_state &= ~(1UL << BH_New); +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-fix-speakers-on-asus-expertbook-p5405csa-1..patch b/queue-6.12/alsa-hda-fix-speakers-on-asus-expertbook-p5405csa-1..patch new file mode 100644 index 0000000000..3d6fcb9f84 --- /dev/null +++ b/queue-6.12/alsa-hda-fix-speakers-on-asus-expertbook-p5405csa-1..patch @@ -0,0 +1,42 @@ +From fb8e076849e71d3d643ca068dc61e742d251c2e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 17:12:55 +0100 +Subject: ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Bárta + +[ Upstream commit f479ecc5ef15ed8d774968c1a8726a49420f11a0 ] + +After some digging around I have found that this laptop has Cirrus's smart +aplifiers connected to SPI bus (spi1-CSC3551:00-cs35l41-hda). + +To get them correctly detected and working I had to modify patch_realtek.c +with ASUS EXPERTBOOK P5405CSA 1.0 SystemID (0x1043, 0x1f63) and add +corresponding hda_quirk (ALC245_FIXUP_CS35L41_SPI_2). + +Signed-off-by: Daniel Bárta +Link: https://patch.msgid.link/20250227161256.18061-2-daniel.barta@trustlab.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index ae6b6186c7854..7dafafaf23b74 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10717,6 +10717,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1f12, "ASUS UM5302", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1f1f, "ASUS H7604JI/JV/J3D", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1f62, "ASUS UX7602ZM", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x1f63, "ASUS P5405CSA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1f92, "ASUS ROG Flow X16", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1fb3, "ASUS ROG Flow Z13 GZ302EA", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch b/queue-6.12/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch new file mode 100644 index 0000000000..76e32a5440 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch @@ -0,0 +1,78 @@ +From e457e26075ad68bc54c5eb1decb17dc08199ae0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Mar 2025 03:03:19 +0530 +Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx + +From: Navon John Lukose + +[ Upstream commit b11a74ac4f545626d0dc95a8ca8c41df90532bf3 ] + +Add a fixup to enable the mute LED on HP Pavilion x360 Convertible +14-dy1xxx with ALC295 codec. The appropriate coefficient index and bits +were identified through a brute-force method, as detailed in +https://bbs.archlinux.org/viewtopic.php?pid=2079504#p2079504. + +Signed-off-by: Navon John Lukose +Link: https://patch.msgid.link/20250307213319.35507-1-navonjohnlukose@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index f97837f211253..23dd0bf7f6657 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4794,6 +4794,21 @@ static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec, + } + } + ++static void alc295_fixup_hp_mute_led_coefbit11(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->mute_led_polarity = 0; ++ spec->mute_led_coef.idx = 0xb; ++ spec->mute_led_coef.mask = 3 << 3; ++ spec->mute_led_coef.on = 1 << 3; ++ spec->mute_led_coef.off = 1 << 4; ++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set); ++ } ++} ++ + static void alc285_fixup_hp_mute_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -7626,6 +7641,7 @@ enum { + ALC290_FIXUP_MONO_SPEAKERS_HSJACK, + ALC290_FIXUP_SUBWOOFER, + ALC290_FIXUP_SUBWOOFER_HSJACK, ++ ALC295_FIXUP_HP_MUTE_LED_COEFBIT11, + ALC269_FIXUP_THINKPAD_ACPI, + ALC269_FIXUP_DMIC_THINKPAD_ACPI, + ALC269VB_FIXUP_INFINIX_ZERO_BOOK_13, +@@ -9361,6 +9377,10 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC283_FIXUP_INT_MIC, + }, ++ [ALC295_FIXUP_HP_MUTE_LED_COEFBIT11] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc295_fixup_hp_mute_led_coefbit11, ++ }, + [ALC298_FIXUP_SAMSUNG_AMP] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc298_fixup_samsung_amp, +@@ -10396,6 +10416,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), + SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360), + SND_PCI_QUIRK(0x103c, 0x8537, "HP ProBook 440 G6", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x85c6, "HP Pavilion x360 Convertible 14-dy1xxx", ALC295_FIXUP_HP_MUTE_LED_COEFBIT11), + SND_PCI_QUIRK(0x103c, 0x85de, "HP Envy x360 13-ar0xxx", ALC285_FIXUP_HP_ENVY_X360), + SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-support-for-asus-b3405-and-b360.patch b/queue-6.12/alsa-hda-realtek-add-support-for-asus-b3405-and-b360.patch new file mode 100644 index 0000000000..4c1aa9edcf --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-support-for-asus-b3405-and-b360.patch @@ -0,0 +1,49 @@ +From 694e514c1ab1a4281626c4ab7aaa0279461de8bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 17:06:49 +0000 +Subject: ALSA: hda/realtek: Add support for ASUS B3405 and B3605 Laptops using + CS35L41 HDA + +From: Stefan Binding + +[ Upstream commit 7ab61d0a9a35e32497bcf2233310fec79ee3338f ] + +Add support for ASUS B3405CCA / P3405CCA, B3605CCA / P3605CCA, +B3405CCA, B3605CCA. + +Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with SPI + +Signed-off-by: Stefan Binding +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250305170714.755794-6-sbinding@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 7a9d996ac1a45..5c43f9d2ead1a 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10640,6 +10640,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x12a0, "ASUS X441UV", ALC233_FIXUP_EAPD_COEF_AND_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x12a3, "Asus N7691ZM", ALC269_FIXUP_ASUS_N7601ZM), + SND_PCI_QUIRK(0x1043, 0x12af, "ASUS UX582ZS", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x12b4, "ASUS B3405CCA / P3405CCA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x12e0, "ASUS X541SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x12f0, "ASUS X541UV", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x1313, "Asus K42JZ", ALC269VB_FIXUP_ASUS_MIC_NO_PRESENCE), +@@ -10725,7 +10726,10 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1fb3, "ASUS ROG Flow Z13 GZ302EA", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x3011, "ASUS B5605CVA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2), ++ SND_PCI_QUIRK(0x1043, 0x3061, "ASUS B3405CCA", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x30c1, "ASUS B3605CCA / P3605CCA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x31d0, "ASUS Zen AIO 27 Z272SD_A272SD", ALC274_FIXUP_ASUS_ZEN_AIO_27), ++ SND_PCI_QUIRK(0x1043, 0x31f1, "ASUS B3605CCA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x3a20, "ASUS G614JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a30, "ASUS G814JVR/JIR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a40, "ASUS G814JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-support-for-asus-b5405-and-b560.patch b/queue-6.12/alsa-hda-realtek-add-support-for-asus-b5405-and-b560.patch new file mode 100644 index 0000000000..db3b4f9434 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-support-for-asus-b5405-and-b560.patch @@ -0,0 +1,42 @@ +From 3a0eccb7946cce22828abae137dedcf62a8ef83b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 17:06:50 +0000 +Subject: ALSA: hda/realtek: Add support for ASUS B5405 and B5605 Laptops using + CS35L41 HDA + +From: Stefan Binding + +[ Upstream commit c86dd79a7c338fff9bebb9503857e07db9845eca ] + +Add support for ASUS B5605CCA and B5405CCA. + +Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with SPI + +Signed-off-by: Stefan Binding +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250305170714.755794-7-sbinding@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 5c43f9d2ead1a..4ff531b4f50ed 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10727,8 +10727,12 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x3011, "ASUS B5605CVA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2), + SND_PCI_QUIRK(0x1043, 0x3061, "ASUS B3405CCA", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x3071, "ASUS B5405CCA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x30c1, "ASUS B3605CCA / P3605CCA", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x30d1, "ASUS B5405CCA", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x30e1, "ASUS B5605CCA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x31d0, "ASUS Zen AIO 27 Z272SD_A272SD", ALC274_FIXUP_ASUS_ZEN_AIO_27), ++ SND_PCI_QUIRK(0x1043, 0x31e1, "ASUS B5605CCA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x31f1, "ASUS B3605CCA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x3a20, "ASUS G614JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a30, "ASUS G814JVR/JIR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-support-for-asus-rog-strix-g614.patch b/queue-6.12/alsa-hda-realtek-add-support-for-asus-rog-strix-g614.patch new file mode 100644 index 0000000000..1754702e4d --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-support-for-asus-rog-strix-g614.patch @@ -0,0 +1,39 @@ +From 1471971b77d40491e2a8532d7416aa4ebd389f44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 17:06:47 +0000 +Subject: ALSA: hda/realtek: Add support for ASUS ROG Strix G614 Laptops using + CS35L41 HDA + +From: Stefan Binding + +[ Upstream commit 9120b2b4ad0dad2f6bbb6bcacd0456f806fda62d ] + +Add support for ASUS G614PH/PM/PP and G614FH/FM/FP. + +Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C + +Signed-off-by: Stefan Binding +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250305170714.755794-4-sbinding@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index a960ef29a7036..6117aad97ba37 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10620,7 +10620,9 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300), ++ SND_PCI_QUIRK(0x1043, 0x1054, "ASUS G614FH/FM/FP", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x1043, 0x1074, "ASUS G614PH/PM/PP", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x10a1, "ASUS UX391UA", ALC294_FIXUP_ASUS_SPK), + SND_PCI_QUIRK(0x1043, 0x10a4, "ASUS TP3407SA", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x10c0, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-support-for-asus-rog-strix-g814.patch b/queue-6.12/alsa-hda-realtek-add-support-for-asus-rog-strix-g814.patch new file mode 100644 index 0000000000..6d2408d08d --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-support-for-asus-rog-strix-g814.patch @@ -0,0 +1,38 @@ +From ed883e5f379525f711af693414596ded5520a821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 17:06:45 +0000 +Subject: ALSA: hda/realtek: Add support for ASUS ROG Strix G814 Laptop using + CS35L41 HDA + +From: Stefan Binding + +[ Upstream commit f2c11231b57b5163bf16cdfd65271d53d61dd996 ] + +Add support for ASUS G814PH/PM/PP and G814FH/FM/FP. + +Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C. + +Signed-off-by: Stefan Binding +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250305170714.755794-2-sbinding@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 7dafafaf23b74..93986c0482f07 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10727,6 +10727,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x3a40, "ASUS G814JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a50, "ASUS G834JYR/JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a60, "ASUS G634JYR/JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), ++ SND_PCI_QUIRK(0x1043, 0x3e00, "ASUS G814FH/FM/FP", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x1043, 0x3e20, "ASUS G814PH/PM/PP", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x3e30, "ASUS TP3607SA", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x3ee0, "ASUS Strix G815_JHR_JMR_JPR", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x3ef0, "ASUS Strix G635LR_LW_LX", ALC287_FIXUP_TAS2781_I2C), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-support-for-asus-rog-strix-ga60.patch b/queue-6.12/alsa-hda-realtek-add-support-for-asus-rog-strix-ga60.patch new file mode 100644 index 0000000000..811f717898 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-support-for-asus-rog-strix-ga60.patch @@ -0,0 +1,38 @@ +From 681b54a2b382aad036ac34c85d4593fd97c8d32b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 17:06:46 +0000 +Subject: ALSA: hda/realtek: Add support for ASUS ROG Strix GA603 Laptops using + CS35L41 HDA + +From: Stefan Binding + +[ Upstream commit 16dc157346dd4404b02b42e73b88604be3652039 ] + +Add support for ASUS GA603KP, GA603KM and GA603KH. + +Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C + +Signed-off-by: Stefan Binding +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250305170714.755794-3-sbinding@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 93986c0482f07..a960ef29a7036 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10727,6 +10727,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x3a40, "ASUS G814JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a50, "ASUS G834JYR/JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), + SND_PCI_QUIRK(0x1043, 0x3a60, "ASUS G634JYR/JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), ++ SND_PCI_QUIRK(0x1043, 0x3d78, "ASUS GA603KH", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x1043, 0x3d88, "ASUS GA603KM", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x3e00, "ASUS G814FH/FM/FP", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x3e20, "ASUS G814PH/PM/PP", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x3e30, "ASUS TP3607SA", ALC287_FIXUP_TAS2781_I2C), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-support-for-asus-zenbook-um3406.patch b/queue-6.12/alsa-hda-realtek-add-support-for-asus-zenbook-um3406.patch new file mode 100644 index 0000000000..c0ac015ccc --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-support-for-asus-zenbook-um3406.patch @@ -0,0 +1,35 @@ +From 08d15a4da4501f47d90300b7a7f1f1de9c070755 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 17:06:51 +0000 +Subject: ALSA: hda/realtek: Add support for ASUS Zenbook UM3406KA Laptops + using CS35L41 HDA + +From: Stefan Binding + +[ Upstream commit 8463d2adbe1901247937fcdfe4b525130f6db10b ] + +Laptop uses 2 CS35L41 Amps with HDA, using External boost with I2C + +Signed-off-by: Stefan Binding +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250305170714.755794-8-sbinding@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 4ff531b4f50ed..f97837f211253 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10630,6 +10630,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x10d3, "ASUS K6500ZC", ALC294_FIXUP_ASUS_SPK), + SND_PCI_QUIRK(0x1043, 0x1154, "ASUS TP3607SH", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x1043, 0x1194, "ASUS UM3406KA", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1204, "ASUS Strix G615JHR_JMR_JPR", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x1214, "ASUS Strix G615LH_LM_LP", ALC287_FIXUP_TAS2781_I2C), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-add-support-for-various-asus-laptop.patch b/queue-6.12/alsa-hda-realtek-add-support-for-various-asus-laptop.patch new file mode 100644 index 0000000000..32f6fabb55 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-support-for-various-asus-laptop.patch @@ -0,0 +1,54 @@ +From 899b665333fa2e3afad726607a49e0105f189d1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 17:06:48 +0000 +Subject: ALSA: hda/realtek: Add support for various ASUS Laptops using CS35L41 + HDA + +From: Stefan Binding + +[ Upstream commit 859a11917001424776e1cca02b762efcabb4044e ] + +Add support for ASUS B3405CVA, B5405CVA, B5605CVA, B3605CVA. + +Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with SPI + +Signed-off-by: Stefan Binding +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250305170714.755794-5-sbinding@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 6117aad97ba37..7a9d996ac1a45 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10636,6 +10636,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1271, "ASUS X430UN", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1290, "ASUS X441SA", ALC233_FIXUP_EAPD_COEF_AND_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1043, 0x1294, "ASUS B3405CVA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x12a0, "ASUS X441UV", ALC233_FIXUP_EAPD_COEF_AND_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x12a3, "Asus N7691ZM", ALC269_FIXUP_ASUS_N7601ZM), + SND_PCI_QUIRK(0x1043, 0x12af, "ASUS UX582ZS", ALC245_FIXUP_CS35L41_SPI_2), +@@ -10722,6 +10723,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1f63, "ASUS P5405CSA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1f92, "ASUS ROG Flow X16", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1fb3, "ASUS ROG Flow Z13 GZ302EA", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x1043, 0x3011, "ASUS B5605CVA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2), + SND_PCI_QUIRK(0x1043, 0x31d0, "ASUS Zen AIO 27 Z272SD_A272SD", ALC274_FIXUP_ASUS_ZEN_AIO_27), + SND_PCI_QUIRK(0x1043, 0x3a20, "ASUS G614JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), +@@ -10740,6 +10742,8 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x3f10, "ASUS Strix G835LR_LW_LX", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x3f20, "ASUS Strix G615LR_LW", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x1043, 0x3f30, "ASUS Strix G815LR_LW", ALC287_FIXUP_TAS2781_I2C), ++ SND_PCI_QUIRK(0x1043, 0x3fd0, "ASUS B3605CVA", ALC245_FIXUP_CS35L41_SPI_2), ++ SND_PCI_QUIRK(0x1043, 0x3ff0, "ASUS B5405CVA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x834a, "ASUS S101", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x8398, "ASUS P1005", ALC269_FIXUP_STEREO_DMIC), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-always-honor-no_shutup_pins.patch b/queue-6.12/alsa-hda-realtek-always-honor-no_shutup_pins.patch new file mode 100644 index 0000000000..bf85e84120 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-always-honor-no_shutup_pins.patch @@ -0,0 +1,55 @@ +From 45f3cd66c292071ff3e583c3eaae02156f3e41fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 15:30:19 +0100 +Subject: ALSA: hda/realtek: Always honor no_shutup_pins + +From: Takashi Iwai + +[ Upstream commit 5a0c72c1da3cbc0cd4940a95d1be2830104c6edf ] + +The workaround for Dell machines to skip the pin-shutup for mic pins +introduced alc_headset_mic_no_shutup() that is replaced from the +generic snd_hda_shutup_pins() for certain codecs. The problem is that +the call is done unconditionally even if spec->no_shutup_pins is set. +This seems causing problems on other platforms like Lenovo. + +This patch corrects the behavior and the driver honors always +spec->no_shutup_pins flag and skips alc_headset_mic_no_shutup() if +it's set. + +Fixes: dad3197da7a3 ("ALSA: hda/realtek - Fixup headphone noise via runtime suspend") +Reported-and-tested-by: Oleg Gorobets +Link: https://patch.msgid.link/20250315143020.27184-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 8c7da13a804c0..20b3586e4cb6f 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -586,6 +586,9 @@ static void alc_shutup_pins(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; + ++ if (spec->no_shutup_pins) ++ return; ++ + switch (codec->core.vendor_id) { + case 0x10ec0236: + case 0x10ec0256: +@@ -601,8 +604,7 @@ static void alc_shutup_pins(struct hda_codec *codec) + alc_headset_mic_no_shutup(codec); + break; + default: +- if (!spec->no_shutup_pins) +- snd_hda_shutup_pins(codec); ++ snd_hda_shutup_pins(codec); + break; + } + } +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-fix-asus-z13-2025-audio.patch b/queue-6.12/alsa-hda-realtek-fix-asus-z13-2025-audio.patch new file mode 100644 index 0000000000..84fe10fc66 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-fix-asus-z13-2025-audio.patch @@ -0,0 +1,36 @@ +From 81ef8452d8563b911b26a42e87f0f1c276fbfb4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 18:51:07 +0100 +Subject: ALSA: hda/realtek: Fix Asus Z13 2025 audio + +From: Antheas Kapenekakis + +[ Upstream commit 12784ca33b62fd327631749e6a0cd2a10110a56c ] + +Use the basic quirk for this type of amplifier. Sound works in speakers, +headphones, and microphone. Whereas none worked before. + +Tested-by: Kyle Gospodnetich +Signed-off-by: Antheas Kapenekakis +Link: https://patch.msgid.link/20250227175107.33432-3-lkml@antheas.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 20b3586e4cb6f..ae6b6186c7854 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10718,6 +10718,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1f1f, "ASUS H7604JI/JV/J3D", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1f62, "ASUS UX7602ZM", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1f92, "ASUS ROG Flow X16", ALC289_FIXUP_ASUS_GA401), ++ SND_PCI_QUIRK(0x1043, 0x1fb3, "ASUS ROG Flow Z13 GZ302EA", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2), + SND_PCI_QUIRK(0x1043, 0x31d0, "ASUS Zen AIO 27 Z272SD_A272SD", ALC274_FIXUP_ASUS_ZEN_AIO_27), + SND_PCI_QUIRK(0x1043, 0x3a20, "ASUS G614JZR", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-fix-built-in-mic-breakage-on-asus-v.patch b/queue-6.12/alsa-hda-realtek-fix-built-in-mic-breakage-on-asus-v.patch new file mode 100644 index 0000000000..4ed63556be --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-fix-built-in-mic-breakage-on-asus-v.patch @@ -0,0 +1,38 @@ +From fcdf4e29473a1defb819b5540f131aa706ce049c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 16:22:01 +0100 +Subject: ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA + +From: Takashi Iwai + +[ Upstream commit 84c3c08f5a6c2e2209428b76156bcaf349c3a62d ] + +ASUS VivoBook X515JA with PCI SSID 1043:14f2 also hits the same issue +as other VivoBook model about the mic pin assignment, and the same +workaround is required to apply ALC256_FIXUP_ASUS_MIC_NO_PRESENCE +quirk. + +Fixes: 3b4309546b48 ("ALSA: hda: Fix headset detection failure due to unstable sort") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219902 +Link: https://patch.msgid.link/20250326152205.26733-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 23dd0bf7f6657..1e2059035d5b1 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10676,6 +10676,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1493, "ASUS GV601VV/VU/VJ/VQ/VI", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x14d3, "ASUS G614JY/JZ/JG", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x14e3, "ASUS G513PI/PU/PV", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x1043, 0x14f2, "ASUS VivoBook X515JA", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1503, "ASUS G733PY/PZ/PZV/PYV", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A), + SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2), +-- +2.39.5 + diff --git a/queue-6.12/alsa-hda-realtek-fix-built-in-mic-on-another-asus-vi.patch b/queue-6.12/alsa-hda-realtek-fix-built-in-mic-on-another-asus-vi.patch new file mode 100644 index 0000000000..1f640208e9 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-fix-built-in-mic-on-another-asus-vi.patch @@ -0,0 +1,38 @@ +From 6aa4db97e156e9f3956794f03c6c7f3eee828abe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 09:42:07 +0200 +Subject: ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model + +From: Takashi Iwai + +[ Upstream commit 8983dc1b66c0e1928a263b8af0bb06f6cb9229c4 ] + +There is another VivoBook model which built-in mic got broken recently +by the fix of the pin sort. Apply the correct quirk +ALC256_FIXUP_ASUS_MIC_NO_PRESENCE to this model for addressing the +regression, too. + +Fixes: 3b4309546b48 ("ALSA: hda: Fix headset detection failure due to unstable sort") +Closes: https://lore.kernel.org/Z95s5T6OXFPjRnKf@eldamar.lan +Link: https://patch.msgid.link/20250402074208.7347-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 1e2059035d5b1..59e59fdc38f2c 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10716,6 +10716,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1043, 0x1c43, "ASUS UX8406MA", ALC245_FIXUP_CS35L41_SPI_2), + SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), + SND_PCI_QUIRK(0x1043, 0x1c63, "ASUS GU605M", ALC285_FIXUP_ASUS_GU605_SPI_SPEAKER2_TO_DAC1), ++ SND_PCI_QUIRK(0x1043, 0x1c80, "ASUS VivoBook TP401", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS), + SND_PCI_QUIRK(0x1043, 0x1c9f, "ASUS G614JU/JV/JI", ALC285_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x1caf, "ASUS G634JY/JZ/JI/JG", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), +-- +2.39.5 + diff --git a/queue-6.12/alsa-timer-don-t-take-register_mutex-with-copy_from-.patch b/queue-6.12/alsa-timer-don-t-take-register_mutex-with-copy_from-.patch new file mode 100644 index 0000000000..6d78cd5a5b --- /dev/null +++ b/queue-6.12/alsa-timer-don-t-take-register_mutex-with-copy_from-.patch @@ -0,0 +1,263 @@ +From 1f115116c615b3dd67a714fce9f85bc6d7f73612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 18:26:52 +0100 +Subject: ALSA: timer: Don't take register_mutex with copy_from/to_user() + +From: Takashi Iwai + +[ Upstream commit 3424c8f53bc63c87712a7fc22dc13d0cc85fb0d6 ] + +The infamous mmap_lock taken in copy_from/to_user() can be often +problematic when it's called inside another mutex, as they might lead +to deadlocks. + +In the case of ALSA timer code, the bad pattern is with +guard(mutex)(®ister_mutex) that covers copy_from/to_user() -- which +was mistakenly introduced at converting to guard(), and it had been +carefully worked around in the past. + +This patch fixes those pieces simply by moving copy_from/to_user() out +of the register mutex lock again. + +Fixes: 3923de04c817 ("ALSA: pcm: oss: Use guard() for setup") +Reported-by: syzbot+2b96f44164236dda0f3b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/67dd86c8.050a0220.25ae54.0059.GAE@google.com +Link: https://patch.msgid.link/20250321172653.14310-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/timer.c | 147 ++++++++++++++++++++++++--------------------- + 1 file changed, 77 insertions(+), 70 deletions(-) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index fbada79380f9e..d774b9b71ce23 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1515,91 +1515,97 @@ static void snd_timer_user_copy_id(struct snd_timer_id *id, struct snd_timer *ti + id->subdevice = timer->tmr_subdevice; + } + +-static int snd_timer_user_next_device(struct snd_timer_id __user *_tid) ++static void get_next_device(struct snd_timer_id *id) + { +- struct snd_timer_id id; + struct snd_timer *timer; + struct list_head *p; + +- if (copy_from_user(&id, _tid, sizeof(id))) +- return -EFAULT; +- guard(mutex)(®ister_mutex); +- if (id.dev_class < 0) { /* first item */ ++ if (id->dev_class < 0) { /* first item */ + if (list_empty(&snd_timer_list)) +- snd_timer_user_zero_id(&id); ++ snd_timer_user_zero_id(id); + else { + timer = list_entry(snd_timer_list.next, + struct snd_timer, device_list); +- snd_timer_user_copy_id(&id, timer); ++ snd_timer_user_copy_id(id, timer); + } + } else { +- switch (id.dev_class) { ++ switch (id->dev_class) { + case SNDRV_TIMER_CLASS_GLOBAL: +- id.device = id.device < 0 ? 0 : id.device + 1; ++ id->device = id->device < 0 ? 0 : id->device + 1; + list_for_each(p, &snd_timer_list) { + timer = list_entry(p, struct snd_timer, device_list); + if (timer->tmr_class > SNDRV_TIMER_CLASS_GLOBAL) { +- snd_timer_user_copy_id(&id, timer); ++ snd_timer_user_copy_id(id, timer); + break; + } +- if (timer->tmr_device >= id.device) { +- snd_timer_user_copy_id(&id, timer); ++ if (timer->tmr_device >= id->device) { ++ snd_timer_user_copy_id(id, timer); + break; + } + } + if (p == &snd_timer_list) +- snd_timer_user_zero_id(&id); ++ snd_timer_user_zero_id(id); + break; + case SNDRV_TIMER_CLASS_CARD: + case SNDRV_TIMER_CLASS_PCM: +- if (id.card < 0) { +- id.card = 0; ++ if (id->card < 0) { ++ id->card = 0; + } else { +- if (id.device < 0) { +- id.device = 0; ++ if (id->device < 0) { ++ id->device = 0; + } else { +- if (id.subdevice < 0) +- id.subdevice = 0; +- else if (id.subdevice < INT_MAX) +- id.subdevice++; ++ if (id->subdevice < 0) ++ id->subdevice = 0; ++ else if (id->subdevice < INT_MAX) ++ id->subdevice++; + } + } + list_for_each(p, &snd_timer_list) { + timer = list_entry(p, struct snd_timer, device_list); +- if (timer->tmr_class > id.dev_class) { +- snd_timer_user_copy_id(&id, timer); ++ if (timer->tmr_class > id->dev_class) { ++ snd_timer_user_copy_id(id, timer); + break; + } +- if (timer->tmr_class < id.dev_class) ++ if (timer->tmr_class < id->dev_class) + continue; +- if (timer->card->number > id.card) { +- snd_timer_user_copy_id(&id, timer); ++ if (timer->card->number > id->card) { ++ snd_timer_user_copy_id(id, timer); + break; + } +- if (timer->card->number < id.card) ++ if (timer->card->number < id->card) + continue; +- if (timer->tmr_device > id.device) { +- snd_timer_user_copy_id(&id, timer); ++ if (timer->tmr_device > id->device) { ++ snd_timer_user_copy_id(id, timer); + break; + } +- if (timer->tmr_device < id.device) ++ if (timer->tmr_device < id->device) + continue; +- if (timer->tmr_subdevice > id.subdevice) { +- snd_timer_user_copy_id(&id, timer); ++ if (timer->tmr_subdevice > id->subdevice) { ++ snd_timer_user_copy_id(id, timer); + break; + } +- if (timer->tmr_subdevice < id.subdevice) ++ if (timer->tmr_subdevice < id->subdevice) + continue; +- snd_timer_user_copy_id(&id, timer); ++ snd_timer_user_copy_id(id, timer); + break; + } + if (p == &snd_timer_list) +- snd_timer_user_zero_id(&id); ++ snd_timer_user_zero_id(id); + break; + default: +- snd_timer_user_zero_id(&id); ++ snd_timer_user_zero_id(id); + } + } ++} ++ ++static int snd_timer_user_next_device(struct snd_timer_id __user *_tid) ++{ ++ struct snd_timer_id id; ++ ++ if (copy_from_user(&id, _tid, sizeof(id))) ++ return -EFAULT; ++ scoped_guard(mutex, ®ister_mutex) ++ get_next_device(&id); + if (copy_to_user(_tid, &id, sizeof(*_tid))) + return -EFAULT; + return 0; +@@ -1620,23 +1626,24 @@ static int snd_timer_user_ginfo(struct file *file, + tid = ginfo->tid; + memset(ginfo, 0, sizeof(*ginfo)); + ginfo->tid = tid; +- guard(mutex)(®ister_mutex); +- t = snd_timer_find(&tid); +- if (!t) +- return -ENODEV; +- ginfo->card = t->card ? t->card->number : -1; +- if (t->hw.flags & SNDRV_TIMER_HW_SLAVE) +- ginfo->flags |= SNDRV_TIMER_FLG_SLAVE; +- strscpy(ginfo->id, t->id, sizeof(ginfo->id)); +- strscpy(ginfo->name, t->name, sizeof(ginfo->name)); +- scoped_guard(spinlock_irq, &t->lock) +- ginfo->resolution = snd_timer_hw_resolution(t); +- if (t->hw.resolution_min > 0) { +- ginfo->resolution_min = t->hw.resolution_min; +- ginfo->resolution_max = t->hw.resolution_max; +- } +- list_for_each(p, &t->open_list_head) { +- ginfo->clients++; ++ scoped_guard(mutex, ®ister_mutex) { ++ t = snd_timer_find(&tid); ++ if (!t) ++ return -ENODEV; ++ ginfo->card = t->card ? t->card->number : -1; ++ if (t->hw.flags & SNDRV_TIMER_HW_SLAVE) ++ ginfo->flags |= SNDRV_TIMER_FLG_SLAVE; ++ strscpy(ginfo->id, t->id, sizeof(ginfo->id)); ++ strscpy(ginfo->name, t->name, sizeof(ginfo->name)); ++ scoped_guard(spinlock_irq, &t->lock) ++ ginfo->resolution = snd_timer_hw_resolution(t); ++ if (t->hw.resolution_min > 0) { ++ ginfo->resolution_min = t->hw.resolution_min; ++ ginfo->resolution_max = t->hw.resolution_max; ++ } ++ list_for_each(p, &t->open_list_head) { ++ ginfo->clients++; ++ } + } + if (copy_to_user(_ginfo, ginfo, sizeof(*ginfo))) + return -EFAULT; +@@ -1674,31 +1681,31 @@ static int snd_timer_user_gstatus(struct file *file, + struct snd_timer_gstatus gstatus; + struct snd_timer_id tid; + struct snd_timer *t; +- int err = 0; + + if (copy_from_user(&gstatus, _gstatus, sizeof(gstatus))) + return -EFAULT; + tid = gstatus.tid; + memset(&gstatus, 0, sizeof(gstatus)); + gstatus.tid = tid; +- guard(mutex)(®ister_mutex); +- t = snd_timer_find(&tid); +- if (t != NULL) { +- guard(spinlock_irq)(&t->lock); +- gstatus.resolution = snd_timer_hw_resolution(t); +- if (t->hw.precise_resolution) { +- t->hw.precise_resolution(t, &gstatus.resolution_num, +- &gstatus.resolution_den); ++ scoped_guard(mutex, ®ister_mutex) { ++ t = snd_timer_find(&tid); ++ if (t != NULL) { ++ guard(spinlock_irq)(&t->lock); ++ gstatus.resolution = snd_timer_hw_resolution(t); ++ if (t->hw.precise_resolution) { ++ t->hw.precise_resolution(t, &gstatus.resolution_num, ++ &gstatus.resolution_den); ++ } else { ++ gstatus.resolution_num = gstatus.resolution; ++ gstatus.resolution_den = 1000000000uL; ++ } + } else { +- gstatus.resolution_num = gstatus.resolution; +- gstatus.resolution_den = 1000000000uL; ++ return -ENODEV; + } +- } else { +- err = -ENODEV; + } +- if (err >= 0 && copy_to_user(_gstatus, &gstatus, sizeof(gstatus))) +- err = -EFAULT; +- return err; ++ if (copy_to_user(_gstatus, &gstatus, sizeof(gstatus))) ++ return -EFAULT; ++ return 0; + } + + static int snd_timer_user_tselect(struct file *file, +-- +2.39.5 + diff --git a/queue-6.12/arch-powerpc-drop-generic_ptdump-from-mpc885_ads_def.patch b/queue-6.12/arch-powerpc-drop-generic_ptdump-from-mpc885_ads_def.patch new file mode 100644 index 0000000000..919d732fd0 --- /dev/null +++ b/queue-6.12/arch-powerpc-drop-generic_ptdump-from-mpc885_ads_def.patch @@ -0,0 +1,52 @@ +From adf49c49bca79feba8b81d1c2545d6dd193e5d32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 17:54:01 +0530 +Subject: arch/powerpc: drop GENERIC_PTDUMP from mpc885_ads_defconfig + +From: Anshuman Khandual + +[ Upstream commit 2c5e6ac2db64ace51f66a9f3b3b3ab9553d748e8 ] + +GENERIC_PTDUMP gets selected on powerpc explicitly and hence can be +dropped off from mpc885_ads_defconfig. Replace with CONFIG_PTDUMP_DEBUGFS +instead. + +Link: https://lkml.kernel.org/r/20250226122404.1927473-3-anshuman.khandual@arm.com +Fixes: e084728393a5 ("powerpc/ptdump: Convert powerpc to GENERIC_PTDUMP") +Signed-off-by: Anshuman Khandual +Suggested-by: Christophe Leroy +Reviewed-by: Christophe Leroy +Cc: Madhavan Srinivasan +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Catalin Marinas +Cc: Heiko Carstens +Cc: Ingo Molnar +Cc: Jonathan Corbet +Cc: Marc Zyngier +Cc: Mark Rutland +Cc: Palmer Dabbelt +Cc: Paul Walmsley +Cc: Steven Price +Cc: Thomas Gleixner +Cc: Vasily Gorbik +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + arch/powerpc/configs/mpc885_ads_defconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/configs/mpc885_ads_defconfig b/arch/powerpc/configs/mpc885_ads_defconfig +index 77306be62e9ee..129355f87f80f 100644 +--- a/arch/powerpc/configs/mpc885_ads_defconfig ++++ b/arch/powerpc/configs/mpc885_ads_defconfig +@@ -78,4 +78,4 @@ CONFIG_DEBUG_VM_PGTABLE=y + CONFIG_DETECT_HUNG_TASK=y + CONFIG_BDI_SWITCH=y + CONFIG_PPC_EARLY_DEBUG=y +-CONFIG_GENERIC_PTDUMP=y ++CONFIG_PTDUMP_DEBUGFS=y +-- +2.39.5 + diff --git a/queue-6.12/arcnet-add-null-check-in-com20020pci_probe.patch b/queue-6.12/arcnet-add-null-check-in-com20020pci_probe.patch new file mode 100644 index 0000000000..bfe5c84dc4 --- /dev/null +++ b/queue-6.12/arcnet-add-null-check-in-com20020pci_probe.patch @@ -0,0 +1,67 @@ +From 4fe7ada74c549101c5f3a3c1600666c4a51c8038 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 21:50:36 +0800 +Subject: arcnet: Add NULL check in com20020pci_probe() + +From: Henry Martin + +[ Upstream commit fda8c491db2a90ff3e6fbbae58e495b4ddddeca3 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +com20020pci_probe() does not check for this case, which results in a +NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue and ensure +no resources are left allocated. + +Fixes: 6b17a597fc2f ("arcnet: restoring support for multiple Sohard Arcnet cards") +Signed-off-by: Henry Martin +Link: https://patch.msgid.link/20250402135036.44697-1-bsdhenrymartin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/arcnet/com20020-pci.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c +index c5e571ec94c99..0472bcdff1307 100644 +--- a/drivers/net/arcnet/com20020-pci.c ++++ b/drivers/net/arcnet/com20020-pci.c +@@ -251,18 +251,33 @@ static int com20020pci_probe(struct pci_dev *pdev, + card->tx_led.default_trigger = devm_kasprintf(&pdev->dev, + GFP_KERNEL, "arc%d-%d-tx", + dev->dev_id, i); ++ if (!card->tx_led.default_trigger) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->tx_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "pci:green:tx:%d-%d", + dev->dev_id, i); +- ++ if (!card->tx_led.name) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->tx_led.dev = &dev->dev; + card->recon_led.brightness_set = led_recon_set; + card->recon_led.default_trigger = devm_kasprintf(&pdev->dev, + GFP_KERNEL, "arc%d-%d-recon", + dev->dev_id, i); ++ if (!card->recon_led.default_trigger) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->recon_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "pci:red:recon:%d-%d", + dev->dev_id, i); ++ if (!card->recon_led.name) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->recon_led.dev = &dev->dev; + + ret = devm_led_classdev_register(&pdev->dev, &card->tx_led); +-- +2.39.5 + diff --git a/queue-6.12/asoc-amd-acp-fix-for-enabling-dmic-on-acp-platforms-.patch b/queue-6.12/asoc-amd-acp-fix-for-enabling-dmic-on-acp-platforms-.patch new file mode 100644 index 0000000000..0c1e998bc6 --- /dev/null +++ b/queue-6.12/asoc-amd-acp-fix-for-enabling-dmic-on-acp-platforms-.patch @@ -0,0 +1,60 @@ +From 5f53e37d997a4ee38fde947632329e853db5cc7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 00:02:01 +0530 +Subject: ASoC: amd: acp: Fix for enabling DMIC on acp platforms via _DSD entry + +From: Venkata Prasad Potturu + +[ Upstream commit 02e1cf7a352a3ba5f768849f2b4fcaaaa19f89e3 ] + +Add condition check to register ACP PDM sound card by reading +_WOV acpi entry. + +Fixes: 09068d624c49 ("ASoC: amd: acp: fix for acp platform device creation failure") + +Signed-off-by: Venkata Prasad Potturu +Link: https://patch.msgid.link/20250310183201.11979-15-venkataprasad.potturu@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-legacy-common.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/amd/acp/acp-legacy-common.c b/sound/soc/amd/acp/acp-legacy-common.c +index be01b178172e8..e4af2640feeb1 100644 +--- a/sound/soc/amd/acp/acp-legacy-common.c ++++ b/sound/soc/amd/acp/acp-legacy-common.c +@@ -13,6 +13,7 @@ + */ + + #include "amd.h" ++#include + #include + #include + +@@ -445,7 +446,9 @@ void check_acp_config(struct pci_dev *pci, struct acp_chip_info *chip) + { + struct acpi_device *pdm_dev; + const union acpi_object *obj; +- u32 pdm_addr; ++ acpi_handle handle; ++ acpi_integer dmic_status; ++ u32 pdm_addr, ret; + + switch (chip->acp_rev) { + case ACP3X_DEV: +@@ -477,6 +480,11 @@ void check_acp_config(struct pci_dev *pci, struct acp_chip_info *chip) + obj->integer.value == pdm_addr) + chip->is_pdm_dev = true; + } ++ ++ handle = ACPI_HANDLE(&pci->dev); ++ ret = acpi_evaluate_integer(handle, "_WOV", NULL, &dmic_status); ++ if (!ACPI_FAILURE(ret)) ++ chip->is_pdm_dev = dmic_status; + } + } + EXPORT_SYMBOL_NS_GPL(check_acp_config, SND_SOC_ACP_COMMON); +-- +2.39.5 + diff --git a/queue-6.12/asoc-codecs-rt5665-fix-some-error-handling-paths-in-.patch b/queue-6.12/asoc-codecs-rt5665-fix-some-error-handling-paths-in-.patch new file mode 100644 index 0000000000..f4be50c07f --- /dev/null +++ b/queue-6.12/asoc-codecs-rt5665-fix-some-error-handling-paths-in-.patch @@ -0,0 +1,100 @@ +From c14d502d3b552b0b9db351c384dd2174ad57574d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Mar 2025 08:45:49 +0100 +Subject: ASoC: codecs: rt5665: Fix some error handling paths in rt5665_probe() + +From: Christophe JAILLET + +[ Upstream commit 1ebd4944266e86a7ce274f197847f5a6399651e8 ] + +Should an error occur after a successful regulator_bulk_enable() call, +regulator_bulk_disable() should be called, as already done in the remove +function. + +Instead of adding an error handling path in the probe, switch from +devm_regulator_bulk_get() to devm_regulator_bulk_get_enable() and +simplify the remove function and some other places accordingly. + +Finally, add a missing const when defining rt5665_supply_names to please +checkpatch and constify a few bytes. + +Fixes: 33ada14a26c8 ("ASoC: add rt5665 codec driver") +Signed-off-by: Christophe JAILLET +Link: https://patch.msgid.link/e3c2aa1b2fdfa646752d94f4af968630c0d58248.1742629525.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5665.c | 24 ++++-------------------- + 1 file changed, 4 insertions(+), 20 deletions(-) + +diff --git a/sound/soc/codecs/rt5665.c b/sound/soc/codecs/rt5665.c +index 47df14ba52784..4f0236b34a2d9 100644 +--- a/sound/soc/codecs/rt5665.c ++++ b/sound/soc/codecs/rt5665.c +@@ -31,9 +31,7 @@ + #include "rl6231.h" + #include "rt5665.h" + +-#define RT5665_NUM_SUPPLIES 3 +- +-static const char *rt5665_supply_names[RT5665_NUM_SUPPLIES] = { ++static const char * const rt5665_supply_names[] = { + "AVDD", + "MICVDD", + "VBAT", +@@ -46,7 +44,6 @@ struct rt5665_priv { + struct gpio_desc *gpiod_ldo1_en; + struct gpio_desc *gpiod_reset; + struct snd_soc_jack *hs_jack; +- struct regulator_bulk_data supplies[RT5665_NUM_SUPPLIES]; + struct delayed_work jack_detect_work; + struct delayed_work calibrate_work; + struct delayed_work jd_check_work; +@@ -4471,8 +4468,6 @@ static void rt5665_remove(struct snd_soc_component *component) + struct rt5665_priv *rt5665 = snd_soc_component_get_drvdata(component); + + regmap_write(rt5665->regmap, RT5665_RESET, 0); +- +- regulator_bulk_disable(ARRAY_SIZE(rt5665->supplies), rt5665->supplies); + } + + #ifdef CONFIG_PM +@@ -4758,7 +4753,7 @@ static int rt5665_i2c_probe(struct i2c_client *i2c) + { + struct rt5665_platform_data *pdata = dev_get_platdata(&i2c->dev); + struct rt5665_priv *rt5665; +- int i, ret; ++ int ret; + unsigned int val; + + rt5665 = devm_kzalloc(&i2c->dev, sizeof(struct rt5665_priv), +@@ -4774,24 +4769,13 @@ static int rt5665_i2c_probe(struct i2c_client *i2c) + else + rt5665_parse_dt(rt5665, &i2c->dev); + +- for (i = 0; i < ARRAY_SIZE(rt5665->supplies); i++) +- rt5665->supplies[i].supply = rt5665_supply_names[i]; +- +- ret = devm_regulator_bulk_get(&i2c->dev, ARRAY_SIZE(rt5665->supplies), +- rt5665->supplies); ++ ret = devm_regulator_bulk_get_enable(&i2c->dev, ARRAY_SIZE(rt5665_supply_names), ++ rt5665_supply_names); + if (ret != 0) { + dev_err(&i2c->dev, "Failed to request supplies: %d\n", ret); + return ret; + } + +- ret = regulator_bulk_enable(ARRAY_SIZE(rt5665->supplies), +- rt5665->supplies); +- if (ret != 0) { +- dev_err(&i2c->dev, "Failed to enable supplies: %d\n", ret); +- return ret; +- } +- +- + rt5665->gpiod_ldo1_en = devm_gpiod_get_optional(&i2c->dev, + "realtek,ldo1-en", + GPIOD_OUT_HIGH); +-- +2.39.5 + diff --git a/queue-6.12/asoc-codecs-wsa884x-report-temps-to-hwmon-in-millide.patch b/queue-6.12/asoc-codecs-wsa884x-report-temps-to-hwmon-in-millide.patch new file mode 100644 index 0000000000..872eddb0da --- /dev/null +++ b/queue-6.12/asoc-codecs-wsa884x-report-temps-to-hwmon-in-millide.patch @@ -0,0 +1,77 @@ +From b0f2b0d72147d65047e813bf2d822f7d1adc75db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2025 04:40:24 +0000 +Subject: ASoC: codecs: wsa884x: report temps to hwmon in millidegree of + Celsius +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexey Klimov + +[ Upstream commit d776f016d24816f15033169dcd081f077b6c10f4 ] + +Temperatures are reported in units of Celsius however hwmon expects +values to be in millidegree of Celsius. Userspace tools observe values +close to zero and report it as "Not available" or incorrect values like +0C or 1C. Add a simple conversion to fix that. + +Before the change: + +wsa884x-virtual-0 +Adapter: Virtual device +temp1: +0.0°C +-- +wsa884x-virtual-0 +Adapter: Virtual device +temp1: +0.0°C + +Also reported as N/A before first amplifier power on. + +After this change and initial wsa884x power on: + +wsa884x-virtual-0 +Adapter: Virtual device +temp1: +39.0°C +-- +wsa884x-virtual-0 +Adapter: Virtual device +temp1: +37.0°C + +Tested on sm8550 only. + +Cc: Krzysztof Kozlowski +Cc: Srinivas Kandagatla +Signed-off-by: Alexey Klimov +Link: https://patch.msgid.link/20250221044024.1207921-1-alexey.klimov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wsa884x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wsa884x.c b/sound/soc/codecs/wsa884x.c +index 86df5152c547b..560a2c04b6955 100644 +--- a/sound/soc/codecs/wsa884x.c ++++ b/sound/soc/codecs/wsa884x.c +@@ -1875,7 +1875,7 @@ static int wsa884x_get_temp(struct wsa884x_priv *wsa884x, long *temp) + * Reading temperature is possible only when Power Amplifier is + * off. Report last cached data. + */ +- *temp = wsa884x->temperature; ++ *temp = wsa884x->temperature * 1000; + return 0; + } + +@@ -1934,7 +1934,7 @@ static int wsa884x_get_temp(struct wsa884x_priv *wsa884x, long *temp) + if ((val > WSA884X_LOW_TEMP_THRESHOLD) && + (val < WSA884X_HIGH_TEMP_THRESHOLD)) { + wsa884x->temperature = val; +- *temp = val; ++ *temp = val * 1000; + ret = 0; + } else { + ret = -EAGAIN; +-- +2.39.5 + diff --git a/queue-6.12/asoc-cs35l41-check-the-return-value-from-spi_setup.patch b/queue-6.12/asoc-cs35l41-check-the-return-value-from-spi_setup.patch new file mode 100644 index 0000000000..7ae6e58a18 --- /dev/null +++ b/queue-6.12/asoc-cs35l41-check-the-return-value-from-spi_setup.patch @@ -0,0 +1,52 @@ +From 0cd2206062f202b161b22376a4af791b282e2639 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 16:56:37 +0500 +Subject: ASoC: cs35l41: check the return value from spi_setup() + +From: Vitaliy Shevtsov + +[ Upstream commit ad5a0970f86d82e39ebd06d45a1f7aa48a1316f8 ] + +Currently the return value from spi_setup() is not checked for a failure. +It is unlikely it will ever fail in this particular case but it is still +better to add this check for the sake of completeness and correctness. This +is cheap since it is performed once when the device is being probed. + +Handle spi_setup() return value. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 872fc0b6bde8 ("ASoC: cs35l41: Set the max SPI speed for the whole device") +Signed-off-by: Vitaliy Shevtsov +Link: https://patch.msgid.link/20250304115643.2748-1-v.shevtsov@mt-integration.ru +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs35l41-spi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/cs35l41-spi.c b/sound/soc/codecs/cs35l41-spi.c +index a6db44520c060..f9b6bf7bea9c9 100644 +--- a/sound/soc/codecs/cs35l41-spi.c ++++ b/sound/soc/codecs/cs35l41-spi.c +@@ -32,13 +32,16 @@ static int cs35l41_spi_probe(struct spi_device *spi) + const struct regmap_config *regmap_config = &cs35l41_regmap_spi; + struct cs35l41_hw_cfg *hw_cfg = dev_get_platdata(&spi->dev); + struct cs35l41_private *cs35l41; ++ int ret; + + cs35l41 = devm_kzalloc(&spi->dev, sizeof(struct cs35l41_private), GFP_KERNEL); + if (!cs35l41) + return -ENOMEM; + + spi->max_speed_hz = CS35L41_SPI_MAX_FREQ; +- spi_setup(spi); ++ ret = spi_setup(spi); ++ if (ret < 0) ++ return ret; + + spi_set_drvdata(spi, cs35l41); + cs35l41->regmap = devm_regmap_init_spi(spi, regmap_config); +-- +2.39.5 + diff --git a/queue-6.12/asoc-imx-card-add-null-check-in-imx_card_probe.patch b/queue-6.12/asoc-imx-card-add-null-check-in-imx_card_probe.patch new file mode 100644 index 0000000000..18f3e9d117 --- /dev/null +++ b/queue-6.12/asoc-imx-card-add-null-check-in-imx_card_probe.patch @@ -0,0 +1,50 @@ +From 7efc685864a71bd1ad51855e401384626c25d0da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 22:25:10 +0800 +Subject: ASoC: imx-card: Add NULL check in imx_card_probe() + +From: Henry Martin + +[ Upstream commit 93d34608fd162f725172e780b1c60cc93a920719 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +imx_card_probe() does not check for this case, which results in a NULL +pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver") +Signed-off-by: Henry Martin +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20250401142510.29900-1-bsdhenrymartin@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-card.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c +index a7215bad64845..93dbe40008c00 100644 +--- a/sound/soc/fsl/imx-card.c ++++ b/sound/soc/fsl/imx-card.c +@@ -738,6 +738,8 @@ static int imx_card_probe(struct platform_device *pdev) + data->dapm_routes[i].sink = + devm_kasprintf(&pdev->dev, GFP_KERNEL, "%d %s", + i + 1, "Playback"); ++ if (!data->dapm_routes[i].sink) ++ return -ENOMEM; + data->dapm_routes[i].source = "CPU-Playback"; + } + } +@@ -755,6 +757,8 @@ static int imx_card_probe(struct platform_device *pdev) + data->dapm_routes[i].source = + devm_kasprintf(&pdev->dev, GFP_KERNEL, "%d %s", + i + 1, "Capture"); ++ if (!data->dapm_routes[i].source) ++ return -ENOMEM; + data->dapm_routes[i].sink = "CPU-Capture"; + } + } +-- +2.39.5 + diff --git a/queue-6.12/asoc-rt1320-set-wake_capable-0-explicitly.patch b/queue-6.12/asoc-rt1320-set-wake_capable-0-explicitly.patch new file mode 100644 index 0000000000..e78d2eccad --- /dev/null +++ b/queue-6.12/asoc-rt1320-set-wake_capable-0-explicitly.patch @@ -0,0 +1,48 @@ +From 6cc6d3136895b2ea75e17c466c39817b21f15cd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 21:41:13 +0800 +Subject: ASoC: rt1320: set wake_capable = 0 explicitly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bard Liao + +[ Upstream commit 927e6bec5cf3624665b0a2e9f64a1d32f3d22cdd ] + +"generic_new_peripheral_assigned: invalid dev_num 1, wake supported 1" +is reported by our internal CI test. + +Rt1320's wake feature is not used in Linux and that's why it is not in +the wake_capable_list[] list in intel_auxdevice.c. +However, BIOS may set it as wake-capable. Overwrite wake_capable to 0 +in the codec driver to align with wake_capable_list[]. + +Signed-off-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Reviewed-by: Ranjani Sridharan +Acked-by: Shuming Fan +Link: https://patch.msgid.link/20250305134113.201326-1-yung-chuan.liao@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt1320-sdw.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/codecs/rt1320-sdw.c b/sound/soc/codecs/rt1320-sdw.c +index f4e1ea29c2651..f2d194e76a947 100644 +--- a/sound/soc/codecs/rt1320-sdw.c ++++ b/sound/soc/codecs/rt1320-sdw.c +@@ -3705,6 +3705,9 @@ static int rt1320_read_prop(struct sdw_slave *slave) + /* set the timeout values */ + prop->clk_stop_timeout = 64; + ++ /* BIOS may set wake_capable. Make sure it is 0 as wake events are disabled. */ ++ prop->wake_capable = 0; ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch b/queue-6.12/asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch new file mode 100644 index 0000000000..2cd8be6907 --- /dev/null +++ b/queue-6.12/asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch @@ -0,0 +1,41 @@ +From c53778cd771525ac032e4a4668e13db33138d9b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 17:05:24 +0530 +Subject: ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio + compatible + +From: Jayesh Choudhary + +[ Upstream commit 45ff65e30deb919604e68faed156ad96ce7474d9 ] + +For 'ti,j7200-cpb-audio' compatible, there is support for only one PLL for +48k. For 11025, 22050, 44100 and 88200 sampling rates, due to absence of +J721E_CLK_PARENT_44100, we get EINVAL while running any audio application. +Add support for these rates by using the 48k parent clock and adjusting +the clock for these rates later in j721e_configure_refclk. + +Fixes: 6748d0559059 ("ASoC: ti: Add custom machine driver for j721e EVM (CPB and IVI)") +Signed-off-by: Jayesh Choudhary +Link: https://patch.msgid.link/20250318113524.57100-1-j-choudhary@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/ti/j721e-evm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/ti/j721e-evm.c b/sound/soc/ti/j721e-evm.c +index d9d1e021f5b2e..0f96cc45578d8 100644 +--- a/sound/soc/ti/j721e-evm.c ++++ b/sound/soc/ti/j721e-evm.c +@@ -182,6 +182,8 @@ static int j721e_configure_refclk(struct j721e_priv *priv, + clk_id = J721E_CLK_PARENT_48000; + else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_44100]) + clk_id = J721E_CLK_PARENT_44100; ++ else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_48000]) ++ clk_id = J721E_CLK_PARENT_48000; + else + return ret; + +-- +2.39.5 + diff --git a/queue-6.12/auxdisplay-max6959-should-select-bitreverse.patch b/queue-6.12/auxdisplay-max6959-should-select-bitreverse.patch new file mode 100644 index 0000000000..2d248761b3 --- /dev/null +++ b/queue-6.12/auxdisplay-max6959-should-select-bitreverse.patch @@ -0,0 +1,38 @@ +From 078807d79b4db9cddc29df9ecc61c3222c8fdb96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 08:48:42 +0100 +Subject: auxdisplay: MAX6959 should select BITREVERSE + +From: Geert Uytterhoeven + +[ Upstream commit fce85f3da08b76c1b052f53a9f6f9c40a8a10660 ] + +If CONFIG_BITREVERSE is not enabled: + + max6959.c:(.text+0x92): undefined reference to `byte_rev_table' + +Fixes: a9bcd02fa42217c7 ("auxdisplay: Add driver for MAX695x 7-segment LED controllers") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/202502161703.3Vr4M7qg-lkp@intel.com/ +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/auxdisplay/Kconfig b/drivers/auxdisplay/Kconfig +index 21545ffba0658..2a9bb31633a71 100644 +--- a/drivers/auxdisplay/Kconfig ++++ b/drivers/auxdisplay/Kconfig +@@ -503,6 +503,7 @@ config HT16K33 + config MAX6959 + tristate "Maxim MAX6958/6959 7-segment LED controller" + depends on I2C ++ select BITREVERSE + select REGMAP_I2C + select LINEDISP + help +-- +2.39.5 + diff --git a/queue-6.12/auxdisplay-panel-fix-an-api-misuse-in-panel.c.patch b/queue-6.12/auxdisplay-panel-fix-an-api-misuse-in-panel.c.patch new file mode 100644 index 0000000000..d1fa218f25 --- /dev/null +++ b/queue-6.12/auxdisplay-panel-fix-an-api-misuse-in-panel.c.patch @@ -0,0 +1,46 @@ +From 75cc8b16d0d1377251d8fd57295f7b6ab0b0d4e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 14:36:25 +0200 +Subject: auxdisplay: panel: Fix an API misuse in panel.c + +From: Andy Shevchenko + +[ Upstream commit 72e1c440c848624ad4cfac93d69d8a999a20355b ] + +Variable allocated by charlcd_alloc() should be released +by charlcd_free(). The following patch changed kfree() to +charlcd_free() to fix an API misuse. + +Reviewed-by: Geert Uytterhoeven +Fixes: 718e05ed92ec ("auxdisplay: Introduce hd44780_common.[ch]") +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/panel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/auxdisplay/panel.c b/drivers/auxdisplay/panel.c +index a731f28455b45..6dc8798d01f98 100644 +--- a/drivers/auxdisplay/panel.c ++++ b/drivers/auxdisplay/panel.c +@@ -1664,7 +1664,7 @@ static void panel_attach(struct parport *port) + if (lcd.enabled) + charlcd_unregister(lcd.charlcd); + err_unreg_device: +- kfree(lcd.charlcd); ++ charlcd_free(lcd.charlcd); + lcd.charlcd = NULL; + parport_unregister_device(pprt); + pprt = NULL; +@@ -1692,7 +1692,7 @@ static void panel_detach(struct parport *port) + charlcd_unregister(lcd.charlcd); + lcd.initialized = false; + kfree(lcd.charlcd->drvdata); +- kfree(lcd.charlcd); ++ charlcd_free(lcd.charlcd); + lcd.charlcd = NULL; + } + +-- +2.39.5 + diff --git a/queue-6.12/bpf-fix-array-bounds-error-with-may_goto.patch b/queue-6.12/bpf-fix-array-bounds-error-with-may_goto.patch new file mode 100644 index 0000000000..80f1f6cf20 --- /dev/null +++ b/queue-6.12/bpf-fix-array-bounds-error-with-may_goto.patch @@ -0,0 +1,102 @@ +From c54d11186c022372530f6e66b08a9fbdadc2dce3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 17:18:21 +0800 +Subject: bpf: Fix array bounds error with may_goto + +From: Jiayuan Chen + +[ Upstream commit 6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0 ] + +may_goto uses an additional 8 bytes on the stack, which causes the +interpreters[] array to go out of bounds when calculating index by +stack_size. + +1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT +cases, reject loading directly. + +2. For non-JIT cases, calculating interpreters[idx] may still cause +out-of-bounds array access, and just warn about it. + +3. For jit_requested cases, the execution of bpf_func also needs to be +warned. So move the definition of function __bpf_prog_ret0_warn out of +the macro definition CONFIG_BPF_JIT_ALWAYS_ON. + +Reported-by: syzbot+d2a2c639d03ac200a4f1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/bpf/0000000000000f823606139faa5d@google.com/ +Fixes: 011832b97b311 ("bpf: Introduce may_goto instruction") +Signed-off-by: Jiayuan Chen +Link: https://lore.kernel.org/r/20250214091823.46042-2-mrpre@163.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/core.c | 19 +++++++++++++++---- + kernel/bpf/verifier.c | 7 +++++++ + 2 files changed, 22 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 2b9c8c168a0ba..a60a6a2ce0d7f 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -2290,17 +2290,18 @@ void bpf_patch_call_args(struct bpf_insn *insn, u32 stack_depth) + insn->code = BPF_JMP | BPF_CALL_ARGS; + } + #endif +-#else ++#endif ++ + static unsigned int __bpf_prog_ret0_warn(const void *ctx, + const struct bpf_insn *insn) + { + /* If this handler ever gets executed, then BPF_JIT_ALWAYS_ON +- * is not working properly, so warn about it! ++ * is not working properly, or interpreter is being used when ++ * prog->jit_requested is not 0, so warn about it! + */ + WARN_ON_ONCE(1); + return 0; + } +-#endif + + bool bpf_prog_map_compatible(struct bpf_map *map, + const struct bpf_prog *fp) +@@ -2380,8 +2381,18 @@ static void bpf_prog_select_func(struct bpf_prog *fp) + { + #ifndef CONFIG_BPF_JIT_ALWAYS_ON + u32 stack_depth = max_t(u32, fp->aux->stack_depth, 1); ++ u32 idx = (round_up(stack_depth, 32) / 32) - 1; + +- fp->bpf_func = interpreters[(round_up(stack_depth, 32) / 32) - 1]; ++ /* may_goto may cause stack size > 512, leading to idx out-of-bounds. ++ * But for non-JITed programs, we don't need bpf_func, so no bounds ++ * check needed. ++ */ ++ if (!fp->jit_requested && ++ !WARN_ON_ONCE(idx >= ARRAY_SIZE(interpreters))) { ++ fp->bpf_func = interpreters[idx]; ++ } else { ++ fp->bpf_func = __bpf_prog_ret0_warn; ++ } + #else + fp->bpf_func = __bpf_prog_ret0_warn; + #endif +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index a0cab0d0252fa..9000806ee3bae 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -21276,6 +21276,13 @@ static int do_misc_fixups(struct bpf_verifier_env *env) + if (subprogs[cur_subprog + 1].start == i + delta + 1) { + subprogs[cur_subprog].stack_depth += stack_depth_extra; + subprogs[cur_subprog].stack_extra = stack_depth_extra; ++ ++ stack_depth = subprogs[cur_subprog].stack_depth; ++ if (stack_depth > MAX_BPF_STACK && !prog->jit_requested) { ++ verbose(env, "stack size %d(extra %d) is too large\n", ++ stack_depth, stack_depth_extra); ++ return -EINVAL; ++ } + cur_subprog++; + stack_depth = subprogs[cur_subprog].stack_depth; + stack_depth_extra = 0; +-- +2.39.5 + diff --git a/queue-6.12/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch b/queue-6.12/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch new file mode 100644 index 0000000000..1715f865d0 --- /dev/null +++ b/queue-6.12/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch @@ -0,0 +1,47 @@ +From 41f6d163dbeec7b43a660d38f6c2e155c289add4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 12:22:59 +0800 +Subject: bpf: Use preempt_count() directly in bpf_send_signal_common() + +From: Hou Tao + +[ Upstream commit b4a8b5bba712a711d8ca1f7d04646db63f9c88f5 ] + +bpf_send_signal_common() uses preemptible() to check whether or not the +current context is preemptible. If it is preemptible, it will use +irq_work to send the signal asynchronously instead of trying to hold a +spin-lock, because spin-lock is sleepable under PREEMPT_RT. + +However, preemptible() depends on CONFIG_PREEMPT_COUNT. When +CONFIG_PREEMPT_COUNT is turned off (e.g., CONFIG_PREEMPT_VOLUNTARY=y), +!preemptible() will be evaluated as 1 and bpf_send_signal_common() will +use irq_work unconditionally. + +Fix it by unfolding "!preemptible()" and using "preempt_count() != 0 || +irqs_disabled()" instead. + +Fixes: 87c544108b61 ("bpf: Send signals asynchronously if !preemptible") +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20250220042259.1583319-1-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 449efaaa387a6..55f279ddfd63d 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -833,7 +833,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type) + if (unlikely(is_global_init(current))) + return -EPERM; + +- if (!preemptible()) { ++ if (preempt_count() != 0 || irqs_disabled()) { + /* Do an early check on signal validity. Otherwise, + * the error is lost in deferred irq_work. + */ +-- +2.39.5 + diff --git a/queue-6.12/can-statistics-use-atomic-access-in-hot-path.patch b/queue-6.12/can-statistics-use-atomic-access-in-hot-path.patch new file mode 100644 index 0000000000..24ee79e282 --- /dev/null +++ b/queue-6.12/can-statistics-use-atomic-access-in-hot-path.patch @@ -0,0 +1,194 @@ +From 47a7bdaf35b8821447d42ae344ef256abd120794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 15:33:53 +0100 +Subject: can: statistics: use atomic access in hot path + +From: Oliver Hartkopp + +[ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] + +In can_send() and can_receive() CAN messages and CAN filter matches are +counted to be visible in the CAN procfs files. + +KCSAN detected a data race within can_send() when two CAN frames have +been generated by a timer event writing to the same CAN netdevice at the +same time. Use atomic operations to access the statistics in the hot path +to fix the KCSAN complaint. + +Reported-by: syzbot+78ce4489b812515d5e4d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com +Signed-off-by: Oliver Hartkopp +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/af_can.c | 12 ++++++------ + net/can/af_can.h | 12 ++++++------ + net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- + 3 files changed, 39 insertions(+), 31 deletions(-) + +diff --git a/net/can/af_can.c b/net/can/af_can.c +index 01f3fbb3b67dc..65230e81fa08c 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -287,8 +287,8 @@ int can_send(struct sk_buff *skb, int loop) + netif_rx(newskb); + + /* update statistics */ +- pkg_stats->tx_frames++; +- pkg_stats->tx_frames_delta++; ++ atomic_long_inc(&pkg_stats->tx_frames); ++ atomic_long_inc(&pkg_stats->tx_frames_delta); + + return 0; + +@@ -647,8 +647,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) + int matches; + + /* update statistics */ +- pkg_stats->rx_frames++; +- pkg_stats->rx_frames_delta++; ++ atomic_long_inc(&pkg_stats->rx_frames); ++ atomic_long_inc(&pkg_stats->rx_frames_delta); + + /* create non-zero unique skb identifier together with *skb */ + while (!(can_skb_prv(skb)->skbcnt)) +@@ -669,8 +669,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + + if (matches > 0) { +- pkg_stats->matches++; +- pkg_stats->matches_delta++; ++ atomic_long_inc(&pkg_stats->matches); ++ atomic_long_inc(&pkg_stats->matches_delta); + } + } + +diff --git a/net/can/af_can.h b/net/can/af_can.h +index 7c2d9161e2245..22f3352c77fec 100644 +--- a/net/can/af_can.h ++++ b/net/can/af_can.h +@@ -66,9 +66,9 @@ struct receiver { + struct can_pkg_stats { + unsigned long jiffies_init; + +- unsigned long rx_frames; +- unsigned long tx_frames; +- unsigned long matches; ++ atomic_long_t rx_frames; ++ atomic_long_t tx_frames; ++ atomic_long_t matches; + + unsigned long total_rx_rate; + unsigned long total_tx_rate; +@@ -82,9 +82,9 @@ struct can_pkg_stats { + unsigned long max_tx_rate; + unsigned long max_rx_match_ratio; + +- unsigned long rx_frames_delta; +- unsigned long tx_frames_delta; +- unsigned long matches_delta; ++ atomic_long_t rx_frames_delta; ++ atomic_long_t tx_frames_delta; ++ atomic_long_t matches_delta; + }; + + /* persistent statistics */ +diff --git a/net/can/proc.c b/net/can/proc.c +index bbce97825f13f..25fdf060e30d0 100644 +--- a/net/can/proc.c ++++ b/net/can/proc.c +@@ -118,6 +118,13 @@ void can_stat_update(struct timer_list *t) + struct can_pkg_stats *pkg_stats = net->can.pkg_stats; + unsigned long j = jiffies; /* snapshot */ + ++ long rx_frames = atomic_long_read(&pkg_stats->rx_frames); ++ long tx_frames = atomic_long_read(&pkg_stats->tx_frames); ++ long matches = atomic_long_read(&pkg_stats->matches); ++ long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); ++ long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); ++ long matches_delta = atomic_long_read(&pkg_stats->matches_delta); ++ + /* restart counting in timer context on user request */ + if (user_reset) + can_init_stats(net); +@@ -127,35 +134,33 @@ void can_stat_update(struct timer_list *t) + can_init_stats(net); + + /* prevent overflow in calc_rate() */ +- if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) ++ if (rx_frames > (LONG_MAX / HZ)) + can_init_stats(net); + + /* prevent overflow in calc_rate() */ +- if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) ++ if (tx_frames > (LONG_MAX / HZ)) + can_init_stats(net); + + /* matches overflow - very improbable */ +- if (pkg_stats->matches > (ULONG_MAX / 100)) ++ if (matches > (LONG_MAX / 100)) + can_init_stats(net); + + /* calc total values */ +- if (pkg_stats->rx_frames) +- pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / +- pkg_stats->rx_frames; ++ if (rx_frames) ++ pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; + + pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, +- pkg_stats->tx_frames); ++ tx_frames); + pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, +- pkg_stats->rx_frames); ++ rx_frames); + + /* calc current values */ +- if (pkg_stats->rx_frames_delta) ++ if (rx_frames_delta) + pkg_stats->current_rx_match_ratio = +- (pkg_stats->matches_delta * 100) / +- pkg_stats->rx_frames_delta; ++ (matches_delta * 100) / rx_frames_delta; + +- pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); +- pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); ++ pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); ++ pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); + + /* check / update maximum values */ + if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) +@@ -168,9 +173,9 @@ void can_stat_update(struct timer_list *t) + pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; + + /* clear values for 'current rate' calculation */ +- pkg_stats->tx_frames_delta = 0; +- pkg_stats->rx_frames_delta = 0; +- pkg_stats->matches_delta = 0; ++ atomic_long_set(&pkg_stats->tx_frames_delta, 0); ++ atomic_long_set(&pkg_stats->rx_frames_delta, 0); ++ atomic_long_set(&pkg_stats->matches_delta, 0); + + /* restart timer (one second) */ + mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); +@@ -214,9 +219,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) + struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; + + seq_putc(m, '\n'); +- seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); +- seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); +- seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); ++ seq_printf(m, " %8ld transmitted frames (TXF)\n", ++ atomic_long_read(&pkg_stats->tx_frames)); ++ seq_printf(m, " %8ld received frames (RXF)\n", ++ atomic_long_read(&pkg_stats->rx_frames)); ++ seq_printf(m, " %8ld matched frames (RXMF)\n", ++ atomic_long_read(&pkg_stats->matches)); + + seq_putc(m, '\n'); + +-- +2.39.5 + diff --git a/queue-6.12/cifs-fix-incorrect-validation-for-num_aces-field-of-.patch b/queue-6.12/cifs-fix-incorrect-validation-for-num_aces-field-of-.patch new file mode 100644 index 0000000000..ca0de0fecc --- /dev/null +++ b/queue-6.12/cifs-fix-incorrect-validation-for-num_aces-field-of-.patch @@ -0,0 +1,54 @@ +From 2689083237115bb2a42e76817f1ab4c967b4548b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 09:37:57 +0900 +Subject: cifs: fix incorrect validation for num_aces field of smb_acl + +From: Namjae Jeon + +[ Upstream commit aa2a739a75ab6f24ef72fb3fdb9192c081eacf06 ] + +parse_dcal() validate num_aces to allocate ace array. + +f (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) + +It is an incorrect validation that we can create an array of size ULONG_MAX. +smb_acl has ->size field to calculate actual number of aces in response buffer +size. Use this to check invalid num_aces. + +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsacl.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c +index 1f036169fb582..e36f0e2d7d21e 100644 +--- a/fs/smb/client/cifsacl.c ++++ b/fs/smb/client/cifsacl.c +@@ -778,7 +778,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, + } + + /* validate that we do not go past end of acl */ +- if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) { ++ if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) || ++ end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) { + cifs_dbg(VFS, "ACL too small to parse DACL\n"); + return; + } +@@ -799,8 +800,11 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, + if (num_aces > 0) { + umode_t denied_mode = 0; + +- if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) ++ if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) / ++ (offsetof(struct smb_ace, sid) + ++ offsetof(struct smb_sid, sub_auth) + sizeof(__le16))) + return; ++ + ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), + GFP_KERNEL); + if (!ppace) +-- +2.39.5 + diff --git a/queue-6.12/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch b/queue-6.12/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch new file mode 100644 index 0000000000..50df1884c3 --- /dev/null +++ b/queue-6.12/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch @@ -0,0 +1,45 @@ +From d0763b46657483365cc10da410cca7fccf352a5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 11:03:23 +0100 +Subject: clk: amlogic: g12a: fix mmc A peripheral clock + +From: Jerome Brunet + +[ Upstream commit 0079e77c08de692cb20b38e408365c830a44b1ef ] + +The bit index of the peripheral clock for mmc A is wrong +This was probably not a problem for mmc A as the peripheral is likely left +enabled by the bootloader. + +No issues has been reported so far but it could be a problem, most likely +some form of conflict between the ethernet and mmc A clock, breaking +ethernet on init. + +Use the value provided by the documentation for mmc A before this +becomes an actual problem. + +Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-mmca-fix-v1-1-5af421f58b64@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/g12a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c +index 06929e1940ef1..4f92b83965d5a 100644 +--- a/drivers/clk/meson/g12a.c ++++ b/drivers/clk/meson/g12a.c +@@ -4329,7 +4329,7 @@ static MESON_GATE(g12a_spicc_1, HHI_GCLK_MPEG0, 14); + static MESON_GATE(g12a_hiu_reg, HHI_GCLK_MPEG0, 19); + static MESON_GATE(g12a_mipi_dsi_phy, HHI_GCLK_MPEG0, 20); + static MESON_GATE(g12a_assist_misc, HHI_GCLK_MPEG0, 23); +-static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 4); ++static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 24); + static MESON_GATE(g12a_emmc_b, HHI_GCLK_MPEG0, 25); + static MESON_GATE(g12a_emmc_c, HHI_GCLK_MPEG0, 26); + static MESON_GATE(g12a_audio_codec, HHI_GCLK_MPEG0, 28); +-- +2.39.5 + diff --git a/queue-6.12/clk-amlogic-g12b-fix-cluster-a-parent-data.patch b/queue-6.12/clk-amlogic-g12b-fix-cluster-a-parent-data.patch new file mode 100644 index 0000000000..5f8a1f97ff --- /dev/null +++ b/queue-6.12/clk-amlogic-g12b-fix-cluster-a-parent-data.patch @@ -0,0 +1,105 @@ +From 6a8486b4cb43f49a510ee4015b0c73d2e80c420a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 15:30:17 +0100 +Subject: clk: amlogic: g12b: fix cluster A parent data + +From: Jerome Brunet + +[ Upstream commit 8995f8f108c3ac5ad52b12a6cfbbc7b3b32e9a58 ] + +Several clocks used by both g12a and g12b use the g12a cpu A clock hw +pointer as clock parent. This is incorrect on g12b since the parents of +cluster A cpu clock are different. Also the hw clock provided as parent to +these children is not even registered clock on g12b. + +Fix the problem by reverting to the global namespace and let CCF pick +the appropriate, as it is already done for other clocks, such as +cpu_clk_trace_div. + +Fixes: 25e682a02d91 ("clk: meson: g12a: migrate to the new parent description method") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-cpua-parent-fix-v1-1-d8c0f41865fe@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/g12a.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c +index 02dda57105b10..06929e1940ef1 100644 +--- a/drivers/clk/meson/g12a.c ++++ b/drivers/clk/meson/g12a.c +@@ -1139,8 +1139,18 @@ static struct clk_regmap g12a_cpu_clk_div16_en = { + .hw.init = &(struct clk_init_data) { + .name = "cpu_clk_div16_en", + .ops = &clk_regmap_gate_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { +- &g12a_cpu_clk.hw ++ .parent_data = &(const struct clk_parent_data) { ++ /* ++ * Note: ++ * G12A and G12B have different cpu clocks (with ++ * different struct clk_hw). We fallback to the global ++ * naming string mechanism so this clock picks ++ * up the appropriate one. Same goes for the other ++ * clock using cpu cluster A clock output and present ++ * on both G12 variant. ++ */ ++ .name = "cpu_clk", ++ .index = -1, + }, + .num_parents = 1, + /* +@@ -1205,7 +1215,10 @@ static struct clk_regmap g12a_cpu_clk_apb_div = { + .hw.init = &(struct clk_init_data){ + .name = "cpu_clk_apb_div", + .ops = &clk_regmap_divider_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ .name = "cpu_clk", ++ .index = -1, ++ }, + .num_parents = 1, + }, + }; +@@ -1239,7 +1252,10 @@ static struct clk_regmap g12a_cpu_clk_atb_div = { + .hw.init = &(struct clk_init_data){ + .name = "cpu_clk_atb_div", + .ops = &clk_regmap_divider_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ .name = "cpu_clk", ++ .index = -1, ++ }, + .num_parents = 1, + }, + }; +@@ -1273,7 +1289,10 @@ static struct clk_regmap g12a_cpu_clk_axi_div = { + .hw.init = &(struct clk_init_data){ + .name = "cpu_clk_axi_div", + .ops = &clk_regmap_divider_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ .name = "cpu_clk", ++ .index = -1, ++ }, + .num_parents = 1, + }, + }; +@@ -1308,13 +1327,6 @@ static struct clk_regmap g12a_cpu_clk_trace_div = { + .name = "cpu_clk_trace_div", + .ops = &clk_regmap_divider_ro_ops, + .parent_data = &(const struct clk_parent_data) { +- /* +- * Note: +- * G12A and G12B have different cpu_clks (with +- * different struct clk_hw). We fallback to the global +- * naming string mechanism so cpu_clk_trace_div picks +- * up the appropriate one. +- */ + .name = "cpu_clk", + .index = -1, + }, +-- +2.39.5 + diff --git a/queue-6.12/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch b/queue-6.12/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch new file mode 100644 index 0000000000..7f4d460209 --- /dev/null +++ b/queue-6.12/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch @@ -0,0 +1,43 @@ +From 444afdafe2a8bba06f140080ccefd71f7f33927a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 11:25:36 +0100 +Subject: clk: amlogic: gxbb: drop incorrect flag on 32k clock + +From: Jerome Brunet + +[ Upstream commit f38f7fe4830c5cb4eac138249225f119e7939965 ] + +gxbb_32k_clk_div sets CLK_DIVIDER_ROUND_CLOSEST in the init_data flag which +is incorrect. This is field is not where the divider flags belong. + +Thankfully, CLK_DIVIDER_ROUND_CLOSEST maps to bit 4 which is an unused +clock flag, so there is no unintended consequence to this error. + +Effectively, the clock has been used without CLK_DIVIDER_ROUND_CLOSEST +so far, so just drop it. + +Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-1-baca56ecf2db@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/gxbb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c +index f071faad1ebb7..738317b3e274d 100644 +--- a/drivers/clk/meson/gxbb.c ++++ b/drivers/clk/meson/gxbb.c +@@ -1312,7 +1312,7 @@ static struct clk_regmap gxbb_32k_clk_div = { + &gxbb_32k_clk_sel.hw + }, + .num_parents = 1, +- .flags = CLK_SET_RATE_PARENT | CLK_DIVIDER_ROUND_CLOSEST, ++ .flags = CLK_SET_RATE_PARENT, + }, + }; + +-- +2.39.5 + diff --git a/queue-6.12/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch b/queue-6.12/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch new file mode 100644 index 0000000000..256772710f --- /dev/null +++ b/queue-6.12/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch @@ -0,0 +1,62 @@ +From b02eab64c1e62f99709ff87e567bb9cab8cb03cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 11:25:37 +0100 +Subject: clk: amlogic: gxbb: drop non existing 32k clock parent + +From: Jerome Brunet + +[ Upstream commit 7915d7d5407c026fa9343befb4d3343f7a345f97 ] + +The 32k clock reference a parent 'cts_slow_oscin' with a fixme note saying +that this clock should be provided by AO controller. + +The HW probably has this clock but it does not exist at the moment in +any controller implementation. Furthermore, referencing clock by the global +name should be avoided whenever possible. + +There is no reason to keep this hack around, at least for now. + +Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-2-baca56ecf2db@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/gxbb.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c +index 738317b3e274d..d9529de200ae4 100644 +--- a/drivers/clk/meson/gxbb.c ++++ b/drivers/clk/meson/gxbb.c +@@ -1272,14 +1272,13 @@ static struct clk_regmap gxbb_cts_i958 = { + }, + }; + ++/* ++ * This table skips a clock named 'cts_slow_oscin' in the documentation ++ * This clock does not exist yet in this controller or the AO one ++ */ ++static u32 gxbb_32k_clk_parents_val_table[] = { 0, 2, 3 }; + static const struct clk_parent_data gxbb_32k_clk_parent_data[] = { + { .fw_name = "xtal", }, +- /* +- * FIXME: This clock is provided by the ao clock controller but the +- * clock is not yet part of the binding of this controller, so string +- * name must be use to set this parent. +- */ +- { .name = "cts_slow_oscin", .index = -1 }, + { .hw = &gxbb_fclk_div3.hw }, + { .hw = &gxbb_fclk_div5.hw }, + }; +@@ -1289,6 +1288,7 @@ static struct clk_regmap gxbb_32k_clk_sel = { + .offset = HHI_32K_CLK_CNTL, + .mask = 0x3, + .shift = 16, ++ .table = gxbb_32k_clk_parents_val_table, + }, + .hw.init = &(struct clk_init_data){ + .name = "32k_clk_sel", +-- +2.39.5 + diff --git a/queue-6.12/clk-clk-imx8mp-audiomix-fix-dsp-ocram_a-clock-parent.patch b/queue-6.12/clk-clk-imx8mp-audiomix-fix-dsp-ocram_a-clock-parent.patch new file mode 100644 index 0000000000..7b32d351da --- /dev/null +++ b/queue-6.12/clk-clk-imx8mp-audiomix-fix-dsp-ocram_a-clock-parent.patch @@ -0,0 +1,49 @@ +From e8606cea7b3ea129d1078b017e0fd6fd98f02ae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 11:45:11 -0500 +Subject: clk: clk-imx8mp-audiomix: fix dsp/ocram_a clock parents + +From: Laurentiu Mihalcea + +[ Upstream commit 91be7d27099dedf813b80702e4ca117d1fb38ce6 ] + +The DSP and OCRAM_A modules from AUDIOMIX are clocked by +AUDIO_AXI_CLK_ROOT, not AUDIO_AHB_CLK_ROOT. Update the clock data +accordingly. + +Fixes: 6cd95f7b151c ("clk: imx: imx8mp: Add audiomix block control") +Signed-off-by: Laurentiu Mihalcea +Reviewed-by: Iuliana Prodan +Reviewed-by: Peng Fan +Link: https://lore.kernel.org/r/20250226164513.33822-3-laurentiumihalcea111@gmail.com +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mp-audiomix.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mp-audiomix.c b/drivers/clk/imx/clk-imx8mp-audiomix.c +index c409fc7e06186..775f62dddb11d 100644 +--- a/drivers/clk/imx/clk-imx8mp-audiomix.c ++++ b/drivers/clk/imx/clk-imx8mp-audiomix.c +@@ -180,14 +180,14 @@ static struct clk_imx8mp_audiomix_sel sels[] = { + CLK_GATE("asrc", ASRC_IPG), + CLK_GATE("pdm", PDM_IPG), + CLK_GATE("earc", EARC_IPG), +- CLK_GATE("ocrama", OCRAMA_IPG), ++ CLK_GATE_PARENT("ocrama", OCRAMA_IPG, "axi"), + CLK_GATE("aud2htx", AUD2HTX_IPG), + CLK_GATE_PARENT("earc_phy", EARC_PHY, "sai_pll_out_div2"), + CLK_GATE("sdma2", SDMA2_ROOT), + CLK_GATE("sdma3", SDMA3_ROOT), + CLK_GATE("spba2", SPBA2_ROOT), +- CLK_GATE("dsp", DSP_ROOT), +- CLK_GATE("dspdbg", DSPDBG_ROOT), ++ CLK_GATE_PARENT("dsp", DSP_ROOT, "axi"), ++ CLK_GATE_PARENT("dspdbg", DSPDBG_ROOT, "axi"), + CLK_GATE("edma", EDMA_ROOT), + CLK_GATE_PARENT("audpll", AUDPLL_ROOT, "osc_24m"), + CLK_GATE("mu2", MU2_ROOT), +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-gcc-msm8953-fix-stuck-venus0_core0-clock.patch b/queue-6.12/clk-qcom-gcc-msm8953-fix-stuck-venus0_core0-clock.patch new file mode 100644 index 0000000000..dd020bd5cb --- /dev/null +++ b/queue-6.12/clk-qcom-gcc-msm8953-fix-stuck-venus0_core0-clock.patch @@ -0,0 +1,43 @@ +From 1313792b22f3328a34c8519ad466b010745989d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 16:26:18 +0100 +Subject: clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vladimir Lypak + +[ Upstream commit cdc59600bccf2cb4c483645438a97d4ec55f326b ] + +This clock can't be enable with VENUS_CORE0 GDSC turned off. But that +GDSC is under HW control so it can be turned off at any moment. +Instead of checking the dependent clock we can just vote for it to +enable later when GDSC gets turned on. + +Fixes: 9bb6cfc3c77e6 ("clk: qcom: Add Global Clock Controller driver for MSM8953") +Signed-off-by: Vladimir Lypak +Signed-off-by: Barnabás Czémán +Link: https://lore.kernel.org/r/20250315-clock-fix-v1-2-2efdc4920dda@mainlining.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-msm8953.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/gcc-msm8953.c b/drivers/clk/qcom/gcc-msm8953.c +index 855a61966f3ef..8f29ecc74c50b 100644 +--- a/drivers/clk/qcom/gcc-msm8953.c ++++ b/drivers/clk/qcom/gcc-msm8953.c +@@ -3770,7 +3770,7 @@ static struct clk_branch gcc_venus0_axi_clk = { + + static struct clk_branch gcc_venus0_core0_vcodec0_clk = { + .halt_reg = 0x4c02c, +- .halt_check = BRANCH_HALT, ++ .halt_check = BRANCH_HALT_SKIP, + .clkr = { + .enable_reg = 0x4c02c, + .enable_mask = BIT(0), +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-gcc-sm8650-do-not-turn-off-usb-gdscs-during.patch b/queue-6.12/clk-qcom-gcc-sm8650-do-not-turn-off-usb-gdscs-during.patch new file mode 100644 index 0000000000..2667691787 --- /dev/null +++ b/queue-6.12/clk-qcom-gcc-sm8650-do-not-turn-off-usb-gdscs-during.patch @@ -0,0 +1,53 @@ +From 8d4d4c674d540a6f7e91355a453261d6ca429497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 20:00:29 +0100 +Subject: clk: qcom: gcc-sm8650: Do not turn off USB GDSCs during + gdsc_disable() + +From: Neil Armstrong + +[ Upstream commit 8b75c2973997e66fd897b7e87b5ba2f3d683e94b ] + +With PWRSTS_OFF_ON, USB GDSCs are turned off during gdsc_disable(). This +can happen during scenarios such as system suspend and breaks the resume +of USB controller from suspend. + +So use PWRSTS_RET_ON to indicate the GDSC driver to not turn off the GDSCs +during gdsc_disable() and allow the hardware to transition the GDSCs to +retention when the parent domain enters low power state during system +suspend. + +Fixes: c58225b7e3d7 ("clk: qcom: add the SM8650 Global Clock Controller driver, part 1") +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20250305-topic-sm8650-upstream-fix-usb-suspend-v1-1-649036ab0557@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sm8650.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-sm8650.c b/drivers/clk/qcom/gcc-sm8650.c +index 9dd5c48f33bed..fa1672c4e7d81 100644 +--- a/drivers/clk/qcom/gcc-sm8650.c ++++ b/drivers/clk/qcom/gcc-sm8650.c +@@ -3497,7 +3497,7 @@ static struct gdsc usb30_prim_gdsc = { + .pd = { + .name = "usb30_prim_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = POLL_CFG_GDSCR | RETAIN_FF_ENABLE, + }; + +@@ -3506,7 +3506,7 @@ static struct gdsc usb3_phy_gdsc = { + .pd = { + .name = "usb3_phy_gdsc", + }, +- .pwrsts = PWRSTS_OFF_ON, ++ .pwrsts = PWRSTS_RET_ON, + .flags = POLL_CFG_GDSCR | RETAIN_FF_ENABLE, + }; + +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-gcc-x1e80100-unregister-gcc_gpu_cfg_ahb_clk.patch b/queue-6.12/clk-qcom-gcc-x1e80100-unregister-gcc_gpu_cfg_ahb_clk.patch new file mode 100644 index 0000000000..5af604ce8b --- /dev/null +++ b/queue-6.12/clk-qcom-gcc-x1e80100-unregister-gcc_gpu_cfg_ahb_clk.patch @@ -0,0 +1,99 @@ +From a264f843f55ab25a1adfb8361fa877e771feaa49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Jan 2025 17:54:18 +0100 +Subject: clk: qcom: gcc-x1e80100: Unregister + GCC_GPU_CFG_AHB_CLK/GCC_DISP_XO_CLK + +From: Konrad Dybcio + +[ Upstream commit b60521eff227ef459e03879cbea2b2bd85a8d7af ] + +The GPU clock is required for CPU access to GPUSS registers. It was +previously decided (on this and many more platforms) that the added +overhead/hassle introduced by keeping track of it would not bring much +measurable improvement in the power department. + +The display clock is basically the same story over again. + +Now, we're past that discussion and this commit is not trying to change +that. Instead, the clocks are both force-enabled in .probe *and* +registered with the common clock framework, resulting in them being +toggled off after ignore_unused. + +Unregister said clocks to fix breakage when clk_ignore_unused is absent +(as it should be). + +Fixes: 161b7c401f4b ("clk: qcom: Add Global Clock controller (GCC) driver for X1E80100") +Signed-off-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250111-topic-x1e_fixups-v1-1-77dc39237c12@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-x1e80100.c | 30 ------------------------------ + 1 file changed, 30 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-x1e80100.c b/drivers/clk/qcom/gcc-x1e80100.c +index 7288af845434d..009f39139b644 100644 +--- a/drivers/clk/qcom/gcc-x1e80100.c ++++ b/drivers/clk/qcom/gcc-x1e80100.c +@@ -2564,19 +2564,6 @@ static struct clk_branch gcc_disp_hf_axi_clk = { + }, + }; + +-static struct clk_branch gcc_disp_xo_clk = { +- .halt_reg = 0x27018, +- .halt_check = BRANCH_HALT, +- .clkr = { +- .enable_reg = 0x27018, +- .enable_mask = BIT(0), +- .hw.init = &(const struct clk_init_data) { +- .name = "gcc_disp_xo_clk", +- .ops = &clk_branch2_ops, +- }, +- }, +-}; +- + static struct clk_branch gcc_gp1_clk = { + .halt_reg = 0x64000, + .halt_check = BRANCH_HALT, +@@ -2631,21 +2618,6 @@ static struct clk_branch gcc_gp3_clk = { + }, + }; + +-static struct clk_branch gcc_gpu_cfg_ahb_clk = { +- .halt_reg = 0x71004, +- .halt_check = BRANCH_HALT_VOTED, +- .hwcg_reg = 0x71004, +- .hwcg_bit = 1, +- .clkr = { +- .enable_reg = 0x71004, +- .enable_mask = BIT(0), +- .hw.init = &(const struct clk_init_data) { +- .name = "gcc_gpu_cfg_ahb_clk", +- .ops = &clk_branch2_ops, +- }, +- }, +-}; +- + static struct clk_branch gcc_gpu_gpll0_cph_clk_src = { + .halt_check = BRANCH_HALT_DELAY, + .clkr = { +@@ -6268,7 +6240,6 @@ static struct clk_regmap *gcc_x1e80100_clocks[] = { + [GCC_CNOC_PCIE_TUNNEL_CLK] = &gcc_cnoc_pcie_tunnel_clk.clkr, + [GCC_DDRSS_GPU_AXI_CLK] = &gcc_ddrss_gpu_axi_clk.clkr, + [GCC_DISP_HF_AXI_CLK] = &gcc_disp_hf_axi_clk.clkr, +- [GCC_DISP_XO_CLK] = &gcc_disp_xo_clk.clkr, + [GCC_GP1_CLK] = &gcc_gp1_clk.clkr, + [GCC_GP1_CLK_SRC] = &gcc_gp1_clk_src.clkr, + [GCC_GP2_CLK] = &gcc_gp2_clk.clkr, +@@ -6281,7 +6252,6 @@ static struct clk_regmap *gcc_x1e80100_clocks[] = { + [GCC_GPLL7] = &gcc_gpll7.clkr, + [GCC_GPLL8] = &gcc_gpll8.clkr, + [GCC_GPLL9] = &gcc_gpll9.clkr, +- [GCC_GPU_CFG_AHB_CLK] = &gcc_gpu_cfg_ahb_clk.clkr, + [GCC_GPU_GPLL0_CPH_CLK_SRC] = &gcc_gpu_gpll0_cph_clk_src.clkr, + [GCC_GPU_GPLL0_DIV_CPH_CLK_SRC] = &gcc_gpu_gpll0_div_cph_clk_src.clkr, + [GCC_GPU_MEMNOC_GFX_CLK] = &gcc_gpu_memnoc_gfx_clk.clkr, +-- +2.39.5 + diff --git a/queue-6.12/clk-qcom-mmcc-sdm660-fix-stuck-video_subcore0-clock.patch b/queue-6.12/clk-qcom-mmcc-sdm660-fix-stuck-video_subcore0-clock.patch new file mode 100644 index 0000000000..02de949524 --- /dev/null +++ b/queue-6.12/clk-qcom-mmcc-sdm660-fix-stuck-video_subcore0-clock.patch @@ -0,0 +1,42 @@ +From af32928c61daaab94beb254a5fad1985b6838174 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 16:26:17 +0100 +Subject: clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Czémán + +[ Upstream commit 000cbe3896c56bf5c625e286ff096533a6b27657 ] + +This clock can't be enable with VENUS_CORE0 GDSC turned off. But that +GDSC is under HW control so it can be turned off at any moment. +Instead of checking the dependent clock we can just vote for it to +enable later when GDSC gets turned on. + +Fixes: 5db3ae8b33de6 ("clk: qcom: Add SDM660 Multimedia Clock Controller (MMCC) driver") +Signed-off-by: Barnabás Czémán +Link: https://lore.kernel.org/r/20250315-clock-fix-v1-1-2efdc4920dda@mainlining.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/mmcc-sdm660.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/mmcc-sdm660.c b/drivers/clk/qcom/mmcc-sdm660.c +index 98ba5b4518fb3..b9f02d91004e8 100644 +--- a/drivers/clk/qcom/mmcc-sdm660.c ++++ b/drivers/clk/qcom/mmcc-sdm660.c +@@ -2544,7 +2544,7 @@ static struct clk_branch video_core_clk = { + + static struct clk_branch video_subcore0_clk = { + .halt_reg = 0x1048, +- .halt_check = BRANCH_HALT, ++ .halt_check = BRANCH_HALT_SKIP, + .clkr = { + .enable_reg = 0x1048, + .enable_mask = BIT(0), +-- +2.39.5 + diff --git a/queue-6.12/clk-renesas-r8a08g045-check-the-source-of-the-cpu-pl.patch b/queue-6.12/clk-renesas-r8a08g045-check-the-source-of-the-cpu-pl.patch new file mode 100644 index 0000000000..16e7c6e55c --- /dev/null +++ b/queue-6.12/clk-renesas-r8a08g045-check-the-source-of-the-cpu-pl.patch @@ -0,0 +1,140 @@ +From 0bad752381ac1ba1a8009ff1396f979cb0e66808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 16:20:58 +0200 +Subject: clk: renesas: r8a08g045: Check the source of the CPU PLL settings + +From: Claudiu Beznea + +[ Upstream commit dc0f16c1b76293ac942a783e960abfd19e95fdf5 ] + +On the RZ/G3S SoC, the CPU PLL settings can be set and retrieved through +the CPG_PLL1_CLK1 and CPG_PLL1_CLK2 registers. However, these settings +are applied only when CPG_PLL1_SETTING.SEL_PLL1 is set to 0. +Otherwise, the CPU PLL operates at the default frequency of 1.1 GHz. +Hence add support to the PLL driver for returning the 1.1 GHz frequency +when the CPU PLL is configured with the default frequency. + +Fixes: 01eabef547e6 ("clk: renesas: rzg2l: Add support for RZ/G3S PLL") +Fixes: de60a3ebe410 ("clk: renesas: Add minimal boot support for RZ/G3S SoC") +Signed-off-by: Claudiu Beznea +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250115142059.1833063-1-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/r9a08g045-cpg.c | 5 +++-- + drivers/clk/renesas/rzg2l-cpg.c | 13 ++++++++++++- + drivers/clk/renesas/rzg2l-cpg.h | 10 +++++++--- + 3 files changed, 22 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/renesas/r9a08g045-cpg.c b/drivers/clk/renesas/r9a08g045-cpg.c +index 1ce40fb51f13b..a1f961d5b8569 100644 +--- a/drivers/clk/renesas/r9a08g045-cpg.c ++++ b/drivers/clk/renesas/r9a08g045-cpg.c +@@ -50,7 +50,7 @@ + #define G3S_SEL_SDHI2 SEL_PLL_PACK(G3S_CPG_SDHI_DSEL, 8, 2) + + /* PLL 1/4/6 configuration registers macro. */ +-#define G3S_PLL146_CONF(clk1, clk2) ((clk1) << 22 | (clk2) << 12) ++#define G3S_PLL146_CONF(clk1, clk2, setting) ((clk1) << 22 | (clk2) << 12 | (setting)) + + #define DEF_G3S_MUX(_name, _id, _conf, _parent_names, _mux_flags, _clk_flags) \ + DEF_TYPE(_name, _id, CLK_TYPE_MUX, .conf = (_conf), \ +@@ -133,7 +133,8 @@ static const struct cpg_core_clk r9a08g045_core_clks[] __initconst = { + + /* Internal Core Clocks */ + DEF_FIXED(".osc_div1000", CLK_OSC_DIV1000, CLK_EXTAL, 1, 1000), +- DEF_G3S_PLL(".pll1", CLK_PLL1, CLK_EXTAL, G3S_PLL146_CONF(0x4, 0x8)), ++ DEF_G3S_PLL(".pll1", CLK_PLL1, CLK_EXTAL, G3S_PLL146_CONF(0x4, 0x8, 0x100), ++ 1100000000UL), + DEF_FIXED(".pll2", CLK_PLL2, CLK_EXTAL, 200, 3), + DEF_FIXED(".pll3", CLK_PLL3, CLK_EXTAL, 200, 3), + DEF_FIXED(".pll4", CLK_PLL4, CLK_EXTAL, 100, 3), +diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c +index b43b763dfe186..229f4540b219e 100644 +--- a/drivers/clk/renesas/rzg2l-cpg.c ++++ b/drivers/clk/renesas/rzg2l-cpg.c +@@ -51,6 +51,7 @@ + #define RZG3S_DIV_M GENMASK(25, 22) + #define RZG3S_DIV_NI GENMASK(21, 13) + #define RZG3S_DIV_NF GENMASK(12, 1) ++#define RZG3S_SEL_PLL BIT(0) + + #define CLK_ON_R(reg) (reg) + #define CLK_MON_R(reg) (0x180 + (reg)) +@@ -60,6 +61,7 @@ + #define GET_REG_OFFSET(val) ((val >> 20) & 0xfff) + #define GET_REG_SAMPLL_CLK1(val) ((val >> 22) & 0xfff) + #define GET_REG_SAMPLL_CLK2(val) ((val >> 12) & 0xfff) ++#define GET_REG_SAMPLL_SETTING(val) ((val) & 0xfff) + + #define CPG_WEN_BIT BIT(16) + +@@ -943,6 +945,7 @@ rzg2l_cpg_sipll5_register(const struct cpg_core_clk *core, + + struct pll_clk { + struct clk_hw hw; ++ unsigned long default_rate; + unsigned int conf; + unsigned int type; + void __iomem *base; +@@ -980,12 +983,19 @@ static unsigned long rzg3s_cpg_pll_clk_recalc_rate(struct clk_hw *hw, + { + struct pll_clk *pll_clk = to_pll(hw); + struct rzg2l_cpg_priv *priv = pll_clk->priv; +- u32 nir, nfr, mr, pr, val; ++ u32 nir, nfr, mr, pr, val, setting; + u64 rate; + + if (pll_clk->type != CLK_TYPE_G3S_PLL) + return parent_rate; + ++ setting = GET_REG_SAMPLL_SETTING(pll_clk->conf); ++ if (setting) { ++ val = readl(priv->base + setting); ++ if (val & RZG3S_SEL_PLL) ++ return pll_clk->default_rate; ++ } ++ + val = readl(priv->base + GET_REG_SAMPLL_CLK1(pll_clk->conf)); + + pr = 1 << FIELD_GET(RZG3S_DIV_P, val); +@@ -1038,6 +1048,7 @@ rzg2l_cpg_pll_clk_register(const struct cpg_core_clk *core, + pll_clk->base = priv->base; + pll_clk->priv = priv; + pll_clk->type = core->type; ++ pll_clk->default_rate = core->default_rate; + + ret = devm_clk_hw_register(dev, &pll_clk->hw); + if (ret) +diff --git a/drivers/clk/renesas/rzg2l-cpg.h b/drivers/clk/renesas/rzg2l-cpg.h +index ecfe7e7ea8a17..019efe00ffd9f 100644 +--- a/drivers/clk/renesas/rzg2l-cpg.h ++++ b/drivers/clk/renesas/rzg2l-cpg.h +@@ -102,7 +102,10 @@ struct cpg_core_clk { + const struct clk_div_table *dtable; + const u32 *mtable; + const unsigned long invalid_rate; +- const unsigned long max_rate; ++ union { ++ const unsigned long max_rate; ++ const unsigned long default_rate; ++ }; + const char * const *parent_names; + notifier_fn_t notifier; + u32 flag; +@@ -144,8 +147,9 @@ enum clk_types { + DEF_TYPE(_name, _id, _type, .parent = _parent) + #define DEF_SAMPLL(_name, _id, _parent, _conf) \ + DEF_TYPE(_name, _id, CLK_TYPE_SAM_PLL, .parent = _parent, .conf = _conf) +-#define DEF_G3S_PLL(_name, _id, _parent, _conf) \ +- DEF_TYPE(_name, _id, CLK_TYPE_G3S_PLL, .parent = _parent, .conf = _conf) ++#define DEF_G3S_PLL(_name, _id, _parent, _conf, _default_rate) \ ++ DEF_TYPE(_name, _id, CLK_TYPE_G3S_PLL, .parent = _parent, .conf = _conf, \ ++ .default_rate = _default_rate) + #define DEF_INPUT(_name, _id) \ + DEF_TYPE(_name, _id, CLK_TYPE_IN) + #define DEF_FIXED(_name, _id, _parent, _mult, _div) \ +-- +2.39.5 + diff --git a/queue-6.12/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch b/queue-6.12/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch new file mode 100644 index 0000000000..ccbe05de6b --- /dev/null +++ b/queue-6.12/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch @@ -0,0 +1,39 @@ +From 00cf7be3986b593474d11464b32c3abc59d2a2a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 01:26:22 +0000 +Subject: clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent + +From: Peter Geis + +[ Upstream commit a9e60f1ffe1ca57d6af6a2573e2f950e76efbf5b ] + +Correct the clk_ref_usb3otg parent to fix clock control for the usb3 +controller on rk3328. Verified against the rk3328 trm, the rk3228h trm, +and the rk3328 usb3 phy clock map. + +Fixes: fe3511ad8a1c ("clk: rockchip: add clock controller for rk3328") +Signed-off-by: Peter Geis +Reviewed-by: Dragan Simic +Link: https://lore.kernel.org/r/20250115012628.1035928-2-pgwipeout@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3328.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-rk3328.c b/drivers/clk/rockchip/clk-rk3328.c +index 3bb87b27b662d..cf60fcf2fa5cd 100644 +--- a/drivers/clk/rockchip/clk-rk3328.c ++++ b/drivers/clk/rockchip/clk-rk3328.c +@@ -201,7 +201,7 @@ PNAME(mux_aclk_peri_pre_p) = { "cpll_peri", + "gpll_peri", + "hdmiphy_peri" }; + PNAME(mux_ref_usb3otg_src_p) = { "xin24m", +- "clk_usb3otg_ref" }; ++ "clk_ref_usb3otg_src" }; + PNAME(mux_xin24m_32k_p) = { "xin24m", + "clk_rtc32k" }; + PNAME(mux_mac2io_src_p) = { "clk_mac2io_src", +-- +2.39.5 + diff --git a/queue-6.12/clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch b/queue-6.12/clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch new file mode 100644 index 0000000000..6c11122176 --- /dev/null +++ b/queue-6.12/clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch @@ -0,0 +1,53 @@ +From c160b2f0982b95ddffe0fd9b0fc2379c61580b58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 10:32:52 -0800 +Subject: clk: samsung: Fix UBSAN panic in samsung_clk_init() + +From: Will McVicker + +[ Upstream commit d19d7345a7bcdb083b65568a11b11adffe0687af ] + +With UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to +dereferencing `ctx->clk_data.hws` before setting +`ctx->clk_data.num = nr_clks`. Move that up to fix the crash. + + UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP + + Call trace: + samsung_clk_init+0x110/0x124 (P) + samsung_clk_init+0x48/0x124 (L) + samsung_cmu_register_one+0x3c/0xa0 + exynos_arm64_register_cmu+0x54/0x64 + __gs101_cmu_top_of_clk_init_declare+0x28/0x60 + ... + +Fixes: e620a1e061c4 ("drivers/clk: convert VL struct to struct_size") +Signed-off-by: Will McVicker +Link: https://lore.kernel.org/r/20250212183253.509771-1-willmcvicker@google.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/samsung/clk.c b/drivers/clk/samsung/clk.c +index afa5760ed3a11..e6533513f8ac2 100644 +--- a/drivers/clk/samsung/clk.c ++++ b/drivers/clk/samsung/clk.c +@@ -74,12 +74,12 @@ struct samsung_clk_provider * __init samsung_clk_init(struct device *dev, + if (!ctx) + panic("could not allocate clock provider context.\n"); + ++ ctx->clk_data.num = nr_clks; + for (i = 0; i < nr_clks; ++i) + ctx->clk_data.hws[i] = ERR_PTR(-ENOENT); + + ctx->dev = dev; + ctx->reg_base = base; +- ctx->clk_data.num = nr_clks; + spin_lock_init(&ctx->lock); + + return ctx; +-- +2.39.5 + diff --git a/queue-6.12/context_tracking-always-inline-ct_-nmi-irq-_-enter-e.patch b/queue-6.12/context_tracking-always-inline-ct_-nmi-irq-_-enter-e.patch new file mode 100644 index 0000000000..c9a9356ae9 --- /dev/null +++ b/queue-6.12/context_tracking-always-inline-ct_-nmi-irq-_-enter-e.patch @@ -0,0 +1,57 @@ +From 805a5ae56c68af47c606e8df5008ecacdcbd5dd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 21:26:45 -0700 +Subject: context_tracking: Always inline ct_{nmi,irq}_{enter,exit}() + +From: Josh Poimboeuf + +[ Upstream commit 9ac50f7311dc8b39e355582f14c1e82da47a8196 ] + +Thanks to CONFIG_DEBUG_SECTION_MISMATCH, empty functions can be +generated out of line. These can be called from noinstr code, so make +sure they're always inlined. + +Fixes the following warnings: + + vmlinux.o: warning: objtool: irqentry_nmi_enter+0xa2: call to ct_nmi_enter() leaves .noinstr.text section + vmlinux.o: warning: objtool: irqentry_nmi_exit+0x16: call to ct_nmi_exit() leaves .noinstr.text section + vmlinux.o: warning: objtool: irqentry_exit+0x78: call to ct_irq_exit() leaves .noinstr.text section + +Fixes: 6f0e6c1598b1 ("context_tracking: Take IRQ eqs entrypoints over RCU") +Reported-by: Randy Dunlap +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Frederic Weisbecker +Cc: Paul E. McKenney +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/8509bce3f536bcd4ae7af3a2cf6930d48c5e631a.1743481539.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/d1eca076-fdde-484a-b33e-70e0d167c36d@infradead.org +Signed-off-by: Sasha Levin +--- + include/linux/context_tracking_irq.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/linux/context_tracking_irq.h b/include/linux/context_tracking_irq.h +index c50b5670c4a52..197916ee91a4b 100644 +--- a/include/linux/context_tracking_irq.h ++++ b/include/linux/context_tracking_irq.h +@@ -10,12 +10,12 @@ void ct_irq_exit_irqson(void); + void ct_nmi_enter(void); + void ct_nmi_exit(void); + #else +-static inline void ct_irq_enter(void) { } +-static inline void ct_irq_exit(void) { } ++static __always_inline void ct_irq_enter(void) { } ++static __always_inline void ct_irq_exit(void) { } + static inline void ct_irq_enter_irqson(void) { } + static inline void ct_irq_exit_irqson(void) { } +-static inline void ct_nmi_enter(void) { } +-static inline void ct_nmi_exit(void) { } ++static __always_inline void ct_nmi_enter(void) { } ++static __always_inline void ct_nmi_exit(void) { } + #endif + + #endif +-- +2.39.5 + diff --git a/queue-6.12/coresight-catu-fix-number-of-pages-while-using-64k-p.patch b/queue-6.12/coresight-catu-fix-number-of-pages-while-using-64k-p.patch new file mode 100644 index 0000000000..673e2ec5e3 --- /dev/null +++ b/queue-6.12/coresight-catu-fix-number-of-pages-while-using-64k-p.patch @@ -0,0 +1,41 @@ +From bcc2d77923ca2e901f82afd381fd951d1442d3d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 21:53:48 +0000 +Subject: coresight: catu: Fix number of pages while using 64k pages + +From: Ilkka Koskinen + +[ Upstream commit 0e14e062f5ff98aa15264dfa87c5f5e924028561 ] + +Trying to record a trace on kernel with 64k pages resulted in -ENOMEM. +This happens due to a bug in calculating the number of table pages, which +returns zero. Fix the issue by rounding up. + +$ perf record --kcore -e cs_etm/@tmc_etr55,cycacc,branch_broadcast/k --per-thread taskset --cpu-list 1 dd if=/dev/zero of=/dev/null +failed to mmap with 12 (Cannot allocate memory) + +Fixes: 8ed536b1e283 ("coresight: catu: Add support for scatter gather tables") +Signed-off-by: Ilkka Koskinen +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250109215348.5483-1-ilkka@os.amperecomputing.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-catu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-catu.c b/drivers/hwtracing/coresight/coresight-catu.c +index bfea880d6dfbf..d8ad64ea81f11 100644 +--- a/drivers/hwtracing/coresight/coresight-catu.c ++++ b/drivers/hwtracing/coresight/coresight-catu.c +@@ -269,7 +269,7 @@ catu_init_sg_table(struct device *catu_dev, int node, + * Each table can address upto 1MB and we can have + * CATU_PAGES_PER_SYSPAGE tables in a system page. + */ +- nr_tpages = DIV_ROUND_UP(size, SZ_1M) / CATU_PAGES_PER_SYSPAGE; ++ nr_tpages = DIV_ROUND_UP(size, CATU_PAGES_PER_SYSPAGE * SZ_1M); + catu_table = tmc_alloc_sg_table(catu_dev, node, nr_tpages, + size >> PAGE_SHIFT, pages); + if (IS_ERR(catu_table)) +-- +2.39.5 + diff --git a/queue-6.12/coresight-etm4x-add-isb-before-reading-the-trcstatr.patch b/queue-6.12/coresight-etm4x-add-isb-before-reading-the-trcstatr.patch new file mode 100644 index 0000000000..469dca787f --- /dev/null +++ b/queue-6.12/coresight-etm4x-add-isb-before-reading-the-trcstatr.patch @@ -0,0 +1,196 @@ +From 9264df90bc54bdd425b70585453994c557721cd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 17:04:20 +0800 +Subject: coresight-etm4x: add isb() before reading the TRCSTATR + +From: Yuanfang Zhang + +[ Upstream commit 4ff6039ffb79a4a8a44b63810a8a2f2b43264856 ] + +As recommended by section 4.3.7 ("Synchronization when using system +instructions to progrom the trace unit") of ARM IHI 0064H.b, the +self-hosted trace analyzer must perform a Context synchronization +event between writing to the TRCPRGCTLR and reading the TRCSTATR. +Additionally, add an ISB between the each read of TRCSTATR on +coresight_timeout() when using system instructions to program the +trace unit. + +Fixes: 1ab3bb9df5e3 ("coresight: etm4x: Add necessary synchronization for sysreg access") +Signed-off-by: Yuanfang Zhang +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250116-etm_sync-v4-1-39f2b05e9514@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-core.c | 20 ++++++-- + .../coresight/coresight-etm4x-core.c | 48 +++++++++++++++++-- + include/linux/coresight.h | 4 ++ + 3 files changed, 62 insertions(+), 10 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c +index ea38ecf26fcbf..c42aa9fddab9b 100644 +--- a/drivers/hwtracing/coresight/coresight-core.c ++++ b/drivers/hwtracing/coresight/coresight-core.c +@@ -1017,18 +1017,20 @@ static void coresight_remove_conns(struct coresight_device *csdev) + } + + /** +- * coresight_timeout - loop until a bit has changed to a specific register +- * state. ++ * coresight_timeout_action - loop until a bit has changed to a specific register ++ * state, with a callback after every trial. + * @csa: coresight device access for the device + * @offset: Offset of the register from the base of the device. + * @position: the position of the bit of interest. + * @value: the value the bit should have. ++ * @cb: Call back after each trial. + * + * Return: 0 as soon as the bit has taken the desired state or -EAGAIN if + * TIMEOUT_US has elapsed, which ever happens first. + */ +-int coresight_timeout(struct csdev_access *csa, u32 offset, +- int position, int value) ++int coresight_timeout_action(struct csdev_access *csa, u32 offset, ++ int position, int value, ++ coresight_timeout_cb_t cb) + { + int i; + u32 val; +@@ -1044,7 +1046,8 @@ int coresight_timeout(struct csdev_access *csa, u32 offset, + if (!(val & BIT(position))) + return 0; + } +- ++ if (cb) ++ cb(csa, offset, position, value); + /* + * Delay is arbitrary - the specification doesn't say how long + * we are expected to wait. Extra check required to make sure +@@ -1056,6 +1059,13 @@ int coresight_timeout(struct csdev_access *csa, u32 offset, + + return -EAGAIN; + } ++EXPORT_SYMBOL_GPL(coresight_timeout_action); ++ ++int coresight_timeout(struct csdev_access *csa, u32 offset, ++ int position, int value) ++{ ++ return coresight_timeout_action(csa, offset, position, value, NULL); ++} + EXPORT_SYMBOL_GPL(coresight_timeout); + + u32 coresight_relaxed_read32(struct coresight_device *csdev, u32 offset) +diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c +index 66d44a404ad0c..be8b46f26ddc8 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c +@@ -399,6 +399,29 @@ static void etm4_check_arch_features(struct etmv4_drvdata *drvdata, + } + #endif /* CONFIG_ETM4X_IMPDEF_FEATURE */ + ++static void etm4x_sys_ins_barrier(struct csdev_access *csa, u32 offset, int pos, int val) ++{ ++ if (!csa->io_mem) ++ isb(); ++} ++ ++/* ++ * etm4x_wait_status: Poll for TRCSTATR. == . While using system ++ * instruction to access the trace unit, each access must be separated by a ++ * synchronization barrier. See ARM IHI0064H.b section "4.3.7 Synchronization of ++ * register updates", for system instructions section, in "Notes": ++ * ++ * "In particular, whenever disabling or enabling the trace unit, a poll of ++ * TRCSTATR needs explicit synchronization between each read of TRCSTATR" ++ */ ++static int etm4x_wait_status(struct csdev_access *csa, int pos, int val) ++{ ++ if (!csa->io_mem) ++ return coresight_timeout_action(csa, TRCSTATR, pos, val, ++ etm4x_sys_ins_barrier); ++ return coresight_timeout(csa, TRCSTATR, pos, val); ++} ++ + static int etm4_enable_hw(struct etmv4_drvdata *drvdata) + { + int i, rc; +@@ -430,7 +453,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata) + isb(); + + /* wait for TRCSTATR.IDLE to go up */ +- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_IDLE_BIT, 1)) ++ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 1)) + dev_err(etm_dev, + "timeout while waiting for Idle Trace Status\n"); + if (drvdata->nr_pe) +@@ -523,7 +546,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata) + isb(); + + /* wait for TRCSTATR.IDLE to go back down to '0' */ +- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_IDLE_BIT, 0)) ++ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 0)) + dev_err(etm_dev, + "timeout while waiting for Idle Trace Status\n"); + +@@ -906,10 +929,25 @@ static void etm4_disable_hw(void *info) + tsb_csync(); + etm4x_relaxed_write32(csa, control, TRCPRGCTLR); + ++ /* ++ * As recommended by section 4.3.7 ("Synchronization when using system ++ * instructions to progrom the trace unit") of ARM IHI 0064H.b, the ++ * self-hosted trace analyzer must perform a Context synchronization ++ * event between writing to the TRCPRGCTLR and reading the TRCSTATR. ++ */ ++ if (!csa->io_mem) ++ isb(); ++ + /* wait for TRCSTATR.PMSTABLE to go to '1' */ +- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_PMSTABLE_BIT, 1)) ++ if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1)) + dev_err(etm_dev, + "timeout while waiting for PM stable Trace Status\n"); ++ /* ++ * As recommended by section 4.3.7 (Synchronization of register updates) ++ * of ARM IHI 0064H.b. ++ */ ++ isb(); ++ + /* read the status of the single shot comparators */ + for (i = 0; i < drvdata->nr_ss_cmp; i++) { + config->ss_status[i] = +@@ -1711,7 +1749,7 @@ static int __etm4_cpu_save(struct etmv4_drvdata *drvdata) + etm4_os_lock(drvdata); + + /* wait for TRCSTATR.PMSTABLE to go up */ +- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_PMSTABLE_BIT, 1)) { ++ if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1)) { + dev_err(etm_dev, + "timeout while waiting for PM Stable Status\n"); + etm4_os_unlock(drvdata); +@@ -1802,7 +1840,7 @@ static int __etm4_cpu_save(struct etmv4_drvdata *drvdata) + state->trcpdcr = etm4x_read32(csa, TRCPDCR); + + /* wait for TRCSTATR.IDLE to go up */ +- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_IDLE_BIT, 1)) { ++ if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1)) { + dev_err(etm_dev, + "timeout while waiting for Idle Trace Status\n"); + etm4_os_unlock(drvdata); +diff --git a/include/linux/coresight.h b/include/linux/coresight.h +index c133425942785..f106b10251118 100644 +--- a/include/linux/coresight.h ++++ b/include/linux/coresight.h +@@ -639,6 +639,10 @@ extern int coresight_enable_sysfs(struct coresight_device *csdev); + extern void coresight_disable_sysfs(struct coresight_device *csdev); + extern int coresight_timeout(struct csdev_access *csa, u32 offset, + int position, int value); ++typedef void (*coresight_timeout_cb_t) (struct csdev_access *, u32, int, int); ++extern int coresight_timeout_action(struct csdev_access *csa, u32 offset, ++ int position, int value, ++ coresight_timeout_cb_t cb); + + extern int coresight_claim_device(struct coresight_device *csdev); + extern int coresight_claim_device_unlocked(struct coresight_device *csdev); +-- +2.39.5 + diff --git a/queue-6.12/cpufreq-governor-fix-negative-idle_time-handling-in-.patch b/queue-6.12/cpufreq-governor-fix-negative-idle_time-handling-in-.patch new file mode 100644 index 0000000000..9ff8537321 --- /dev/null +++ b/queue-6.12/cpufreq-governor-fix-negative-idle_time-handling-in-.patch @@ -0,0 +1,116 @@ +From 12b1b26c1048381e54ed388a188070d4e7834b5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 11:55:10 +0800 +Subject: cpufreq: governor: Fix negative 'idle_time' handling in dbs_update() + +From: Jie Zhan + +[ Upstream commit 3698dd6b139dc37b35a9ad83d9330c1f99666c02 ] + +We observed an issue that the CPU frequency can't raise up with a 100% CPU +load when NOHZ is off and the 'conservative' governor is selected. + +'idle_time' can be negative if it's obtained from get_cpu_idle_time_jiffy() +when NOHZ is off. This was found and explained in commit 9485e4ca0b48 +("cpufreq: governor: Fix handling of special cases in dbs_update()"). + +However, commit 7592019634f8 ("cpufreq: governors: Fix long idle detection +logic in load calculation") introduced a comparison between 'idle_time' and +'samling_rate' to detect a long idle interval. While 'idle_time' is +converted to int before comparison, it's actually promoted to unsigned +again when compared with an unsigned 'sampling_rate'. Hence, this leads to +wrong idle interval detection when it's in fact 100% busy and sets +policy_dbs->idle_periods to a very large value. 'conservative' adjusts the +frequency to minimum because of the large 'idle_periods', such that the +frequency can't raise up. 'Ondemand' doesn't use policy_dbs->idle_periods +so it fortunately avoids the issue. + +Correct negative 'idle_time' to 0 before any use of it in dbs_update(). + +Fixes: 7592019634f8 ("cpufreq: governors: Fix long idle detection logic in load calculation") +Signed-off-by: Jie Zhan +Reviewed-by: Chen Yu +Link: https://patch.msgid.link/20250213035510.2402076-1-zhanjie9@hisilicon.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq_governor.c | 45 +++++++++++++++--------------- + 1 file changed, 23 insertions(+), 22 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c +index af44ee6a64304..1a7fcaf39cc9b 100644 +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -145,7 +145,23 @@ unsigned int dbs_update(struct cpufreq_policy *policy) + time_elapsed = update_time - j_cdbs->prev_update_time; + j_cdbs->prev_update_time = update_time; + +- idle_time = cur_idle_time - j_cdbs->prev_cpu_idle; ++ /* ++ * cur_idle_time could be smaller than j_cdbs->prev_cpu_idle if ++ * it's obtained from get_cpu_idle_time_jiffy() when NOHZ is ++ * off, where idle_time is calculated by the difference between ++ * time elapsed in jiffies and "busy time" obtained from CPU ++ * statistics. If a CPU is 100% busy, the time elapsed and busy ++ * time should grow with the same amount in two consecutive ++ * samples, but in practice there could be a tiny difference, ++ * making the accumulated idle time decrease sometimes. Hence, ++ * in this case, idle_time should be regarded as 0 in order to ++ * make the further process correct. ++ */ ++ if (cur_idle_time > j_cdbs->prev_cpu_idle) ++ idle_time = cur_idle_time - j_cdbs->prev_cpu_idle; ++ else ++ idle_time = 0; ++ + j_cdbs->prev_cpu_idle = cur_idle_time; + + if (ignore_nice) { +@@ -162,7 +178,7 @@ unsigned int dbs_update(struct cpufreq_policy *policy) + * calls, so the previous load value can be used then. + */ + load = j_cdbs->prev_load; +- } else if (unlikely((int)idle_time > 2 * sampling_rate && ++ } else if (unlikely(idle_time > 2 * sampling_rate && + j_cdbs->prev_load)) { + /* + * If the CPU had gone completely idle and a task has +@@ -189,30 +205,15 @@ unsigned int dbs_update(struct cpufreq_policy *policy) + load = j_cdbs->prev_load; + j_cdbs->prev_load = 0; + } else { +- if (time_elapsed >= idle_time) { ++ if (time_elapsed > idle_time) + load = 100 * (time_elapsed - idle_time) / time_elapsed; +- } else { +- /* +- * That can happen if idle_time is returned by +- * get_cpu_idle_time_jiffy(). In that case +- * idle_time is roughly equal to the difference +- * between time_elapsed and "busy time" obtained +- * from CPU statistics. Then, the "busy time" +- * can end up being greater than time_elapsed +- * (for example, if jiffies_64 and the CPU +- * statistics are updated by different CPUs), +- * so idle_time may in fact be negative. That +- * means, though, that the CPU was busy all +- * the time (on the rough average) during the +- * last sampling interval and 100 can be +- * returned as the load. +- */ +- load = (int)idle_time < 0 ? 100 : 0; +- } ++ else ++ load = 0; ++ + j_cdbs->prev_load = load; + } + +- if (unlikely((int)idle_time > 2 * sampling_rate)) { ++ if (unlikely(idle_time > 2 * sampling_rate)) { + unsigned int periods = idle_time / sampling_rate; + + if (periods < idle_periods) +-- +2.39.5 + diff --git a/queue-6.12/cpufreq-scpi-compare-khz-instead-of-hz.patch b/queue-6.12/cpufreq-scpi-compare-khz-instead-of-hz.patch new file mode 100644 index 0000000000..e3c0c9cbc0 --- /dev/null +++ b/queue-6.12/cpufreq-scpi-compare-khz-instead-of-hz.patch @@ -0,0 +1,52 @@ +From cb049188ab073b144ca28c0208aaf79448ef52af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jan 2025 08:49:49 +0000 +Subject: cpufreq: scpi: compare kHz instead of Hz + +From: zuoqian + +[ Upstream commit 4742da9774a416908ef8e3916164192c15c0e2d1 ] + +The CPU rate from clk_get_rate() may not be divisible by 1000 +(e.g., 133333333). But the rate calculated from frequency(kHz) is +always divisible by 1000 (e.g., 133333000). +Comparing the rate causes a warning during CPU scaling: +"cpufreq: __target_index: Failed to change cpu frequency: -5". +When we choose to compare kHz here, the issue does not occur. + +Fixes: 343a8d17fa8d ("cpufreq: scpi: remove arm_big_little dependency") +Signed-off-by: zuoqian +Reviewed-by: Dan Carpenter +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/scpi-cpufreq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/scpi-cpufreq.c b/drivers/cpufreq/scpi-cpufreq.c +index 8d73e6e8be2a5..f2d913a91be9e 100644 +--- a/drivers/cpufreq/scpi-cpufreq.c ++++ b/drivers/cpufreq/scpi-cpufreq.c +@@ -39,8 +39,9 @@ static unsigned int scpi_cpufreq_get_rate(unsigned int cpu) + static int + scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index) + { +- u64 rate = policy->freq_table[index].frequency * 1000; ++ unsigned long freq_khz = policy->freq_table[index].frequency; + struct scpi_data *priv = policy->driver_data; ++ unsigned long rate = freq_khz * 1000; + int ret; + + ret = clk_set_rate(priv->clk, rate); +@@ -48,7 +49,7 @@ scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index) + if (ret) + return ret; + +- if (clk_get_rate(priv->clk) != rate) ++ if (clk_get_rate(priv->clk) / 1000 != freq_khz) + return -EIO; + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/cpufreq-tegra194-allow-building-for-tegra234.patch b/queue-6.12/cpufreq-tegra194-allow-building-for-tegra234.patch new file mode 100644 index 0000000000..b75d62e439 --- /dev/null +++ b/queue-6.12/cpufreq-tegra194-allow-building-for-tegra234.patch @@ -0,0 +1,36 @@ +From 0caffd563581182d92d70fe543f938c380cb11f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 12:51:59 -0600 +Subject: cpufreq: tegra194: Allow building for Tegra234 + +From: Aaron Kling + +[ Upstream commit 4a1e3bf61fc78ad100018adb573355303915dca3 ] + +Support was added for Tegra234 in the referenced commit, but the Kconfig +was not updated to allow building for the arch. + +Fixes: 273bc890a2a8 ("cpufreq: tegra194: Add support for Tegra234") +Signed-off-by: Aaron Kling +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/Kconfig.arm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/Kconfig.arm b/drivers/cpufreq/Kconfig.arm +index 5f7e13e60c802..e67b2326671c9 100644 +--- a/drivers/cpufreq/Kconfig.arm ++++ b/drivers/cpufreq/Kconfig.arm +@@ -245,7 +245,7 @@ config ARM_TEGRA186_CPUFREQ + + config ARM_TEGRA194_CPUFREQ + tristate "Tegra194 CPUFreq support" +- depends on ARCH_TEGRA_194_SOC || (64BIT && COMPILE_TEST) ++ depends on ARCH_TEGRA_194_SOC || ARCH_TEGRA_234_SOC || (64BIT && COMPILE_TEST) + depends on TEGRA_BPMP + default y + help +-- +2.39.5 + diff --git a/queue-6.12/crypto-api-fix-larval-relookup-type-and-mask.patch b/queue-6.12/crypto-api-fix-larval-relookup-type-and-mask.patch new file mode 100644 index 0000000000..d8b34a1f1f --- /dev/null +++ b/queue-6.12/crypto-api-fix-larval-relookup-type-and-mask.patch @@ -0,0 +1,93 @@ +From dd54cecc13af1941c57fc263a01b9330588b8852 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 10:31:25 +0800 +Subject: crypto: api - Fix larval relookup type and mask + +From: Herbert Xu + +[ Upstream commit 7505436e2925d89a13706a295a6734d6cabb4b43 ] + +When the lookup is retried after instance construction, it uses +the type and mask from the larval, which may not match the values +used by the caller. For example, if the caller is requesting for +a !NEEDS_FALLBACK algorithm, it may end up getting an algorithm +that needs fallbacks. + +Fix this by making the caller supply the type/mask and using that +for the lookup. + +Reported-by: Coiby Xu +Fixes: 96ad59552059 ("crypto: api - Remove instance larval fulfilment") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/api.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/crypto/api.c b/crypto/api.c +index bfd177a4313a0..c2c4eb14ef955 100644 +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -36,7 +36,8 @@ EXPORT_SYMBOL_GPL(crypto_chain); + DEFINE_STATIC_KEY_FALSE(__crypto_boot_test_finished); + #endif + +-static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg); ++static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg, ++ u32 type, u32 mask); + static struct crypto_alg *crypto_alg_lookup(const char *name, u32 type, + u32 mask); + +@@ -145,7 +146,7 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type, + if (alg != &larval->alg) { + kfree(larval); + if (crypto_is_larval(alg)) +- alg = crypto_larval_wait(alg); ++ alg = crypto_larval_wait(alg, type, mask); + } + + return alg; +@@ -197,7 +198,8 @@ static void crypto_start_test(struct crypto_larval *larval) + crypto_schedule_test(larval); + } + +-static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg) ++static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg, ++ u32 type, u32 mask) + { + struct crypto_larval *larval; + long time_left; +@@ -219,12 +221,7 @@ static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg) + crypto_larval_kill(larval); + alg = ERR_PTR(-ETIMEDOUT); + } else if (!alg) { +- u32 type; +- u32 mask; +- + alg = &larval->alg; +- type = alg->cra_flags & ~(CRYPTO_ALG_LARVAL | CRYPTO_ALG_DEAD); +- mask = larval->mask; + alg = crypto_alg_lookup(alg->cra_name, type, mask) ?: + ERR_PTR(-EAGAIN); + } else if (IS_ERR(alg)) +@@ -304,7 +301,7 @@ static struct crypto_alg *crypto_larval_lookup(const char *name, u32 type, + } + + if (!IS_ERR_OR_NULL(alg) && crypto_is_larval(alg)) +- alg = crypto_larval_wait(alg); ++ alg = crypto_larval_wait(alg, type, mask); + else if (alg) + ; + else if (!(mask & CRYPTO_ALG_TESTED)) +@@ -352,7 +349,7 @@ struct crypto_alg *crypto_alg_mod_lookup(const char *name, u32 type, u32 mask) + ok = crypto_probing_notify(CRYPTO_MSG_ALG_REQUEST, larval); + + if (ok == NOTIFY_STOP) +- alg = crypto_larval_wait(larval); ++ alg = crypto_larval_wait(larval, type, mask); + else { + crypto_mod_put(larval); + alg = ERR_PTR(-ENOENT); +-- +2.39.5 + diff --git a/queue-6.12/crypto-bpf-add-module_description-for-skcipher.patch b/queue-6.12/crypto-bpf-add-module_description-for-skcipher.patch new file mode 100644 index 0000000000..f3d8ac9b27 --- /dev/null +++ b/queue-6.12/crypto-bpf-add-module_description-for-skcipher.patch @@ -0,0 +1,37 @@ +From 901a35c64c1869f87098dc404f0c990b9050b509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 13:55:55 +0100 +Subject: crypto: bpf - Add MODULE_DESCRIPTION for skcipher + +From: Arnd Bergmann + +[ Upstream commit f307c87ea06c64b87fcd3221a682cd713cde51e9 ] + +All modules should have a description, building with extra warnings +enabled prints this outfor the for bpf_crypto_skcipher module: + +WARNING: modpost: missing MODULE_DESCRIPTION() in crypto/bpf_crypto_skcipher.o + +Add a description line. + +Fixes: fda4f71282b2 ("bpf: crypto: add skcipher to bpf crypto") +Signed-off-by: Arnd Bergmann +Reviewed-by: Vadim Fedorenko +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/bpf_crypto_skcipher.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/bpf_crypto_skcipher.c b/crypto/bpf_crypto_skcipher.c +index b5e657415770a..a88798d3e8c87 100644 +--- a/crypto/bpf_crypto_skcipher.c ++++ b/crypto/bpf_crypto_skcipher.c +@@ -80,3 +80,4 @@ static void __exit bpf_crypto_skcipher_exit(void) + module_init(bpf_crypto_skcipher_init); + module_exit(bpf_crypto_skcipher_exit); + MODULE_LICENSE("GPL"); ++MODULE_DESCRIPTION("Symmetric key cipher support for BPF"); +-- +2.39.5 + diff --git a/queue-6.12/crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch b/queue-6.12/crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch new file mode 100644 index 0000000000..6fe0be0d15 --- /dev/null +++ b/queue-6.12/crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch @@ -0,0 +1,52 @@ +From b1c0afe4d17e95298f70a6c171b06eb2b2cb437c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 11:56:26 +0800 +Subject: crypto: hisilicon/sec2 - fix for aead auth key length + +From: Wenkai Lin + +[ Upstream commit 1b284ffc30b02808a0de698667cbcf5ce5f9144e ] + +According to the HMAC RFC, the authentication key +can be 0 bytes, and the hardware can handle this +scenario. Therefore, remove the incorrect validation +for this case. + +Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2") +Signed-off-by: Wenkai Lin +Signed-off-by: Chenghai Huang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/sec2/sec_crypto.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c +index 0d2917b3e8158..8605cb3cae92c 100644 +--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c ++++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c +@@ -1085,11 +1085,6 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx, + struct crypto_shash *hash_tfm = ctx->hash_tfm; + int blocksize, digestsize, ret; + +- if (!keys->authkeylen) { +- pr_err("hisi_sec2: aead auth key error!\n"); +- return -EINVAL; +- } +- + blocksize = crypto_shash_blocksize(hash_tfm); + digestsize = crypto_shash_digestsize(hash_tfm); + if (keys->authkeylen > blocksize) { +@@ -1101,7 +1096,8 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx, + } + ctx->a_key_len = digestsize; + } else { +- memcpy(ctx->a_key, keys->authkey, keys->authkeylen); ++ if (keys->authkeylen) ++ memcpy(ctx->a_key, keys->authkey, keys->authkeylen); + ctx->a_key_len = keys->authkeylen; + } + +-- +2.39.5 + diff --git a/queue-6.12/crypto-hisilicon-sec2-fix-for-aead-authsize-alignmen.patch b/queue-6.12/crypto-hisilicon-sec2-fix-for-aead-authsize-alignmen.patch new file mode 100644 index 0000000000..13a72bb76b --- /dev/null +++ b/queue-6.12/crypto-hisilicon-sec2-fix-for-aead-authsize-alignmen.patch @@ -0,0 +1,105 @@ +From 7aede7f5413dd17131cbeefcf87d2a4933bb0a0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 11:56:27 +0800 +Subject: crypto: hisilicon/sec2 - fix for aead authsize alignment + +From: Wenkai Lin + +[ Upstream commit a49cc71e219040d771a8c1254879984f98192811 ] + +The hardware only supports authentication sizes +that are 4-byte aligned. Therefore, the driver +switches to software computation in this case. + +Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2") +Signed-off-by: Wenkai Lin +Signed-off-by: Chenghai Huang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/sec2/sec_crypto.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c +index a9b1b9b0b03bf..ff9ad7f02cefe 100644 +--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c ++++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c +@@ -57,7 +57,6 @@ + #define SEC_TYPE_MASK 0x0F + #define SEC_DONE_MASK 0x0001 + #define SEC_ICV_MASK 0x000E +-#define SEC_SQE_LEN_RATE_MASK 0x3 + + #define SEC_TOTAL_IV_SZ(depth) (SEC_IV_SIZE * (depth)) + #define SEC_SGL_SGE_NR 128 +@@ -80,16 +79,16 @@ + #define SEC_TOTAL_PBUF_SZ(depth) (PAGE_SIZE * SEC_PBUF_PAGE_NUM(depth) + \ + SEC_PBUF_LEFT_SZ(depth)) + +-#define SEC_SQE_LEN_RATE 4 + #define SEC_SQE_CFLAG 2 + #define SEC_SQE_AEAD_FLAG 3 + #define SEC_SQE_DONE 0x1 + #define SEC_ICV_ERR 0x2 +-#define MIN_MAC_LEN 4 + #define MAC_LEN_MASK 0x1U + #define MAX_INPUT_DATA_LEN 0xFFFE00 + #define BITS_MASK 0xFF ++#define WORD_MASK 0x3 + #define BYTE_BITS 0x8 ++#define BYTES_TO_WORDS(bcount) ((bcount) >> 2) + #define SEC_XTS_NAME_SZ 0x3 + #define IV_CM_CAL_NUM 2 + #define IV_CL_MASK 0x7 +@@ -1175,7 +1174,7 @@ static int sec_aead_setkey(struct crypto_aead *tfm, const u8 *key, + goto bad_key; + } + +- if (ctx->a_ctx.a_key_len & SEC_SQE_LEN_RATE_MASK) { ++ if (ctx->a_ctx.a_key_len & WORD_MASK) { + ret = -EINVAL; + dev_err(dev, "AUTH key length error!\n"); + goto bad_key; +@@ -1583,11 +1582,10 @@ static void sec_auth_bd_fill_ex(struct sec_auth_ctx *ctx, int dir, + + sec_sqe->type2.a_key_addr = cpu_to_le64(ctx->a_key_dma); + +- sec_sqe->type2.mac_key_alg = cpu_to_le32(authsize / SEC_SQE_LEN_RATE); ++ sec_sqe->type2.mac_key_alg = cpu_to_le32(BYTES_TO_WORDS(authsize)); + + sec_sqe->type2.mac_key_alg |= +- cpu_to_le32((u32)((ctx->a_key_len) / +- SEC_SQE_LEN_RATE) << SEC_AKEY_OFFSET); ++ cpu_to_le32((u32)BYTES_TO_WORDS(ctx->a_key_len) << SEC_AKEY_OFFSET); + + sec_sqe->type2.mac_key_alg |= + cpu_to_le32((u32)(ctx->a_alg) << SEC_AEAD_ALG_OFFSET); +@@ -1639,12 +1637,10 @@ static void sec_auth_bd_fill_ex_v3(struct sec_auth_ctx *ctx, int dir, + sqe3->a_key_addr = cpu_to_le64(ctx->a_key_dma); + + sqe3->auth_mac_key |= +- cpu_to_le32((u32)(authsize / +- SEC_SQE_LEN_RATE) << SEC_MAC_OFFSET_V3); ++ cpu_to_le32(BYTES_TO_WORDS(authsize) << SEC_MAC_OFFSET_V3); + + sqe3->auth_mac_key |= +- cpu_to_le32((u32)(ctx->a_key_len / +- SEC_SQE_LEN_RATE) << SEC_AKEY_OFFSET_V3); ++ cpu_to_le32((u32)BYTES_TO_WORDS(ctx->a_key_len) << SEC_AKEY_OFFSET_V3); + + sqe3->auth_mac_key |= + cpu_to_le32((u32)(ctx->a_alg) << SEC_AUTH_ALG_OFFSET_V3); +@@ -2234,8 +2230,8 @@ static int sec_aead_spec_check(struct sec_ctx *ctx, struct sec_req *sreq) + struct device *dev = ctx->dev; + int ret; + +- /* Hardware does not handle cases where authsize is less than 4 bytes */ +- if (unlikely(sz < MIN_MAC_LEN)) { ++ /* Hardware does not handle cases where authsize is not 4 bytes aligned */ ++ if (c_mode == SEC_CMODE_CBC && (sz & WORD_MASK)) { + sreq->aead_req.fallback = true; + return -EINVAL; + } +-- +2.39.5 + diff --git a/queue-6.12/crypto-hisilicon-sec2-fix-for-sec-spec-check.patch b/queue-6.12/crypto-hisilicon-sec2-fix-for-sec-spec-check.patch new file mode 100644 index 0000000000..729ff6abf8 --- /dev/null +++ b/queue-6.12/crypto-hisilicon-sec2-fix-for-sec-spec-check.patch @@ -0,0 +1,277 @@ +From 45a0fd69100b085be68dc1fa7620e8a769c77347 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 11:56:28 +0800 +Subject: crypto: hisilicon/sec2 - fix for sec spec check + +From: Wenkai Lin + +[ Upstream commit f4f353cb7ae9bb43e34943edb693532a39118eca ] + +During encryption and decryption, user requests +must be checked first, if the specifications that +are not supported by the hardware are used, the +software computing is used for processing. + +Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2") +Signed-off-by: Wenkai Lin +Signed-off-by: Chenghai Huang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/sec2/sec.h | 1 - + drivers/crypto/hisilicon/sec2/sec_crypto.c | 101 ++++++++------------- + 2 files changed, 39 insertions(+), 63 deletions(-) + +diff --git a/drivers/crypto/hisilicon/sec2/sec.h b/drivers/crypto/hisilicon/sec2/sec.h +index 30c2b1a64695c..2fc04e210bc4f 100644 +--- a/drivers/crypto/hisilicon/sec2/sec.h ++++ b/drivers/crypto/hisilicon/sec2/sec.h +@@ -37,7 +37,6 @@ struct sec_aead_req { + u8 *a_ivin; + dma_addr_t a_ivin_dma; + struct aead_request *aead_req; +- bool fallback; + }; + + /* SEC request of Crypto */ +diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c +index ff9ad7f02cefe..0d2917b3e8158 100644 +--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c ++++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c +@@ -690,14 +690,10 @@ static int sec_skcipher_fbtfm_init(struct crypto_skcipher *tfm) + + c_ctx->fallback = false; + +- /* Currently, only XTS mode need fallback tfm when using 192bit key */ +- if (likely(strncmp(alg, "xts", SEC_XTS_NAME_SZ))) +- return 0; +- + c_ctx->fbtfm = crypto_alloc_sync_skcipher(alg, 0, + CRYPTO_ALG_NEED_FALLBACK); + if (IS_ERR(c_ctx->fbtfm)) { +- pr_err("failed to alloc xts mode fallback tfm!\n"); ++ pr_err("failed to alloc fallback tfm for %s!\n", alg); + return PTR_ERR(c_ctx->fbtfm); + } + +@@ -857,7 +853,7 @@ static int sec_skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key, + } + + memcpy(c_ctx->c_key, key, keylen); +- if (c_ctx->fallback && c_ctx->fbtfm) { ++ if (c_ctx->fbtfm) { + ret = crypto_sync_skcipher_setkey(c_ctx->fbtfm, key, keylen); + if (ret) { + dev_err(dev, "failed to set fallback skcipher key!\n"); +@@ -1159,8 +1155,10 @@ static int sec_aead_setkey(struct crypto_aead *tfm, const u8 *key, + } + + ret = crypto_authenc_extractkeys(&keys, key, keylen); +- if (ret) ++ if (ret) { ++ dev_err(dev, "sec extract aead keys err!\n"); + goto bad_key; ++ } + + ret = sec_aead_aes_set_key(c_ctx, &keys); + if (ret) { +@@ -1174,12 +1172,6 @@ static int sec_aead_setkey(struct crypto_aead *tfm, const u8 *key, + goto bad_key; + } + +- if (ctx->a_ctx.a_key_len & WORD_MASK) { +- ret = -EINVAL; +- dev_err(dev, "AUTH key length error!\n"); +- goto bad_key; +- } +- + ret = sec_aead_fallback_setkey(a_ctx, tfm, key, keylen); + if (ret) { + dev_err(dev, "set sec fallback key err!\n"); +@@ -1999,8 +1991,7 @@ static int sec_aead_sha512_ctx_init(struct crypto_aead *tfm) + return sec_aead_ctx_init(tfm, "sha512"); + } + +-static int sec_skcipher_cryptlen_check(struct sec_ctx *ctx, +- struct sec_req *sreq) ++static int sec_skcipher_cryptlen_check(struct sec_ctx *ctx, struct sec_req *sreq) + { + u32 cryptlen = sreq->c_req.sk_req->cryptlen; + struct device *dev = ctx->dev; +@@ -2022,10 +2013,6 @@ static int sec_skcipher_cryptlen_check(struct sec_ctx *ctx, + } + break; + case SEC_CMODE_CTR: +- if (unlikely(ctx->sec->qm.ver < QM_HW_V3)) { +- dev_err(dev, "skcipher HW version error!\n"); +- ret = -EINVAL; +- } + break; + default: + ret = -EINVAL; +@@ -2034,17 +2021,21 @@ static int sec_skcipher_cryptlen_check(struct sec_ctx *ctx, + return ret; + } + +-static int sec_skcipher_param_check(struct sec_ctx *ctx, struct sec_req *sreq) ++static int sec_skcipher_param_check(struct sec_ctx *ctx, ++ struct sec_req *sreq, bool *need_fallback) + { + struct skcipher_request *sk_req = sreq->c_req.sk_req; + struct device *dev = ctx->dev; + u8 c_alg = ctx->c_ctx.c_alg; + +- if (unlikely(!sk_req->src || !sk_req->dst || +- sk_req->cryptlen > MAX_INPUT_DATA_LEN)) { ++ if (unlikely(!sk_req->src || !sk_req->dst)) { + dev_err(dev, "skcipher input param error!\n"); + return -EINVAL; + } ++ ++ if (sk_req->cryptlen > MAX_INPUT_DATA_LEN) ++ *need_fallback = true; ++ + sreq->c_req.c_len = sk_req->cryptlen; + + if (ctx->pbuf_supported && sk_req->cryptlen <= SEC_PBUF_SZ) +@@ -2102,6 +2093,7 @@ static int sec_skcipher_crypto(struct skcipher_request *sk_req, bool encrypt) + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(sk_req); + struct sec_req *req = skcipher_request_ctx(sk_req); + struct sec_ctx *ctx = crypto_skcipher_ctx(tfm); ++ bool need_fallback = false; + int ret; + + if (!sk_req->cryptlen) { +@@ -2115,11 +2107,11 @@ static int sec_skcipher_crypto(struct skcipher_request *sk_req, bool encrypt) + req->c_req.encrypt = encrypt; + req->ctx = ctx; + +- ret = sec_skcipher_param_check(ctx, req); ++ ret = sec_skcipher_param_check(ctx, req, &need_fallback); + if (unlikely(ret)) + return -EINVAL; + +- if (unlikely(ctx->c_ctx.fallback)) ++ if (unlikely(ctx->c_ctx.fallback || need_fallback)) + return sec_skcipher_soft_crypto(ctx, sk_req, encrypt); + + return ctx->req_op->process(ctx, req); +@@ -2227,52 +2219,35 @@ static int sec_aead_spec_check(struct sec_ctx *ctx, struct sec_req *sreq) + struct crypto_aead *tfm = crypto_aead_reqtfm(req); + size_t sz = crypto_aead_authsize(tfm); + u8 c_mode = ctx->c_ctx.c_mode; +- struct device *dev = ctx->dev; + int ret; + +- /* Hardware does not handle cases where authsize is not 4 bytes aligned */ +- if (c_mode == SEC_CMODE_CBC && (sz & WORD_MASK)) { +- sreq->aead_req.fallback = true; ++ if (unlikely(ctx->sec->qm.ver == QM_HW_V2 && !sreq->c_req.c_len)) + return -EINVAL; +- } + + if (unlikely(req->cryptlen + req->assoclen > MAX_INPUT_DATA_LEN || +- req->assoclen > SEC_MAX_AAD_LEN)) { +- dev_err(dev, "aead input spec error!\n"); ++ req->assoclen > SEC_MAX_AAD_LEN)) + return -EINVAL; +- } + + if (c_mode == SEC_CMODE_CCM) { +- if (unlikely(req->assoclen > SEC_MAX_CCM_AAD_LEN)) { +- dev_err_ratelimited(dev, "CCM input aad parameter is too long!\n"); ++ if (unlikely(req->assoclen > SEC_MAX_CCM_AAD_LEN)) + return -EINVAL; +- } +- ret = aead_iv_demension_check(req); +- if (ret) { +- dev_err(dev, "aead input iv param error!\n"); +- return ret; +- } +- } + +- if (sreq->c_req.encrypt) +- sreq->c_req.c_len = req->cryptlen; +- else +- sreq->c_req.c_len = req->cryptlen - sz; +- if (c_mode == SEC_CMODE_CBC) { +- if (unlikely(sreq->c_req.c_len & (AES_BLOCK_SIZE - 1))) { +- dev_err(dev, "aead crypto length error!\n"); ++ ret = aead_iv_demension_check(req); ++ if (unlikely(ret)) ++ return -EINVAL; ++ } else if (c_mode == SEC_CMODE_CBC) { ++ if (unlikely(sz & WORD_MASK)) ++ return -EINVAL; ++ if (unlikely(ctx->a_ctx.a_key_len & WORD_MASK)) + return -EINVAL; +- } + } + + return 0; + } + +-static int sec_aead_param_check(struct sec_ctx *ctx, struct sec_req *sreq) ++static int sec_aead_param_check(struct sec_ctx *ctx, struct sec_req *sreq, bool *need_fallback) + { + struct aead_request *req = sreq->aead_req.aead_req; +- struct crypto_aead *tfm = crypto_aead_reqtfm(req); +- size_t authsize = crypto_aead_authsize(tfm); + struct device *dev = ctx->dev; + u8 c_alg = ctx->c_ctx.c_alg; + +@@ -2281,12 +2256,10 @@ static int sec_aead_param_check(struct sec_ctx *ctx, struct sec_req *sreq) + return -EINVAL; + } + +- if (ctx->sec->qm.ver == QM_HW_V2) { +- if (unlikely(!req->cryptlen || (!sreq->c_req.encrypt && +- req->cryptlen <= authsize))) { +- sreq->aead_req.fallback = true; +- return -EINVAL; +- } ++ if (unlikely(ctx->c_ctx.c_mode == SEC_CMODE_CBC && ++ sreq->c_req.c_len & (AES_BLOCK_SIZE - 1))) { ++ dev_err(dev, "aead cbc mode input data length error!\n"); ++ return -EINVAL; + } + + /* Support AES or SM4 */ +@@ -2295,8 +2268,10 @@ static int sec_aead_param_check(struct sec_ctx *ctx, struct sec_req *sreq) + return -EINVAL; + } + +- if (unlikely(sec_aead_spec_check(ctx, sreq))) ++ if (unlikely(sec_aead_spec_check(ctx, sreq))) { ++ *need_fallback = true; + return -EINVAL; ++ } + + if (ctx->pbuf_supported && (req->cryptlen + req->assoclen) <= + SEC_PBUF_SZ) +@@ -2340,17 +2315,19 @@ static int sec_aead_crypto(struct aead_request *a_req, bool encrypt) + struct crypto_aead *tfm = crypto_aead_reqtfm(a_req); + struct sec_req *req = aead_request_ctx(a_req); + struct sec_ctx *ctx = crypto_aead_ctx(tfm); ++ size_t sz = crypto_aead_authsize(tfm); ++ bool need_fallback = false; + int ret; + + req->flag = a_req->base.flags; + req->aead_req.aead_req = a_req; + req->c_req.encrypt = encrypt; + req->ctx = ctx; +- req->aead_req.fallback = false; ++ req->c_req.c_len = a_req->cryptlen - (req->c_req.encrypt ? 0 : sz); + +- ret = sec_aead_param_check(ctx, req); ++ ret = sec_aead_param_check(ctx, req, &need_fallback); + if (unlikely(ret)) { +- if (req->aead_req.fallback) ++ if (need_fallback) + return sec_aead_soft_crypto(ctx, a_req, encrypt); + return -EINVAL; + } +-- +2.39.5 + diff --git a/queue-6.12/crypto-iaa-test-the-correct-request-flag.patch b/queue-6.12/crypto-iaa-test-the-correct-request-flag.patch new file mode 100644 index 0000000000..e20cefb1a4 --- /dev/null +++ b/queue-6.12/crypto-iaa-test-the-correct-request-flag.patch @@ -0,0 +1,43 @@ +From 44552798af422aec3e8b5b4f30197bbeb2710fd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 18:14:55 +0800 +Subject: crypto: iaa - Test the correct request flag + +From: Herbert Xu + +[ Upstream commit fc4bd01d9ff592f620c499686245c093440db0e8 ] + +Test the correct flags for the MAY_SLEEP bit. + +Fixes: 2ec6761df889 ("crypto: iaa - Add support for deflate-iaa compression algorithm") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/iaa/iaa_crypto_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/intel/iaa/iaa_crypto_main.c b/drivers/crypto/intel/iaa/iaa_crypto_main.c +index d2f07e34f3142..e1f60f0f507c9 100644 +--- a/drivers/crypto/intel/iaa/iaa_crypto_main.c ++++ b/drivers/crypto/intel/iaa/iaa_crypto_main.c +@@ -1527,7 +1527,7 @@ static int iaa_comp_acompress(struct acomp_req *req) + iaa_wq = idxd_wq_get_private(wq); + + if (!req->dst) { +- gfp_t flags = req->flags & CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : GFP_ATOMIC; ++ gfp_t flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : GFP_ATOMIC; + + /* incompressible data will always be < 2 * slen */ + req->dlen = 2 * req->slen; +@@ -1609,7 +1609,7 @@ static int iaa_comp_acompress(struct acomp_req *req) + + static int iaa_comp_adecompress_alloc_dest(struct acomp_req *req) + { +- gfp_t flags = req->flags & CRYPTO_TFM_REQ_MAY_SLEEP ? ++ gfp_t flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ? + GFP_KERNEL : GFP_ATOMIC; + struct crypto_tfm *tfm = req->base.tfm; + dma_addr_t src_addr, dst_addr; +-- +2.39.5 + diff --git a/queue-6.12/crypto-nx-fix-uninitialised-hv_nxc-on-error.patch b/queue-6.12/crypto-nx-fix-uninitialised-hv_nxc-on-error.patch new file mode 100644 index 0000000000..2edb3f05cf --- /dev/null +++ b/queue-6.12/crypto-nx-fix-uninitialised-hv_nxc-on-error.patch @@ -0,0 +1,95 @@ +From 0cb93aea14f05d6ef35718328fda486bfc24b04d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 16:50:42 +0800 +Subject: crypto: nx - Fix uninitialised hv_nxc on error + +From: Herbert Xu + +[ Upstream commit 9b00eb923f3e60ca76cbc8b31123716f3a87ac6a ] + +The compiler correctly warns that hv_nxc may be used uninitialised +as that will occur when NX-GZIP is unavailable. + +Fix it by rearranging the code and delay setting caps_feat until +the final query succeeds. + +Fixes: b4ba22114c78 ("crypto/nx: Get NX capabilities for GZIP coprocessor type") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/nx-common-pseries.c | 37 ++++++++++++--------------- + 1 file changed, 17 insertions(+), 20 deletions(-) + +diff --git a/drivers/crypto/nx/nx-common-pseries.c b/drivers/crypto/nx/nx-common-pseries.c +index 35f2d0d8507ed..7e98f174f69b9 100644 +--- a/drivers/crypto/nx/nx-common-pseries.c ++++ b/drivers/crypto/nx/nx-common-pseries.c +@@ -1144,6 +1144,7 @@ static void __init nxcop_get_capabilities(void) + { + struct hv_vas_all_caps *hv_caps; + struct hv_nx_cop_caps *hv_nxc; ++ u64 feat; + int rc; + + hv_caps = kmalloc(sizeof(*hv_caps), GFP_KERNEL); +@@ -1154,27 +1155,26 @@ static void __init nxcop_get_capabilities(void) + */ + rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES, 0, + (u64)virt_to_phys(hv_caps)); ++ if (!rc) ++ feat = be64_to_cpu(hv_caps->feat_type); ++ kfree(hv_caps); + if (rc) +- goto out; ++ return; ++ if (!(feat & VAS_NX_GZIP_FEAT_BIT)) ++ return; + +- caps_feat = be64_to_cpu(hv_caps->feat_type); + /* + * NX-GZIP feature available + */ +- if (caps_feat & VAS_NX_GZIP_FEAT_BIT) { +- hv_nxc = kmalloc(sizeof(*hv_nxc), GFP_KERNEL); +- if (!hv_nxc) +- goto out; +- /* +- * Get capabilities for NX-GZIP feature +- */ +- rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES, +- VAS_NX_GZIP_FEAT, +- (u64)virt_to_phys(hv_nxc)); +- } else { +- pr_err("NX-GZIP feature is not available\n"); +- rc = -EINVAL; +- } ++ hv_nxc = kmalloc(sizeof(*hv_nxc), GFP_KERNEL); ++ if (!hv_nxc) ++ return; ++ /* ++ * Get capabilities for NX-GZIP feature ++ */ ++ rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES, ++ VAS_NX_GZIP_FEAT, ++ (u64)virt_to_phys(hv_nxc)); + + if (!rc) { + nx_cop_caps.descriptor = be64_to_cpu(hv_nxc->descriptor); +@@ -1184,13 +1184,10 @@ static void __init nxcop_get_capabilities(void) + be64_to_cpu(hv_nxc->min_compress_len); + nx_cop_caps.min_decompress_len = + be64_to_cpu(hv_nxc->min_decompress_len); +- } else { +- caps_feat = 0; ++ caps_feat = feat; + } + + kfree(hv_nxc); +-out: +- kfree(hv_caps); + } + + static const struct vio_device_id nx842_vio_driver_ids[] = { +-- +2.39.5 + diff --git a/queue-6.12/crypto-powerpc-mark-ghashp8-ppc.o-as-an-object_files.patch b/queue-6.12/crypto-powerpc-mark-ghashp8-ppc.o-as-an-object_files.patch new file mode 100644 index 0000000000..d207b19a29 --- /dev/null +++ b/queue-6.12/crypto-powerpc-mark-ghashp8-ppc.o-as-an-object_files.patch @@ -0,0 +1,87 @@ +From 8ae1b7c6e7b25c3bbfd11430332be69adb8ad268 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 00:02:39 +0100 +Subject: crypto: powerpc: Mark ghashp8-ppc.o as an OBJECT_FILES_NON_STANDARD + +From: Christophe Leroy + +[ Upstream commit 1e4d73d06c98f5a1af4f7591cf7c2c4eee5b94fa ] + +The following build warning has been reported: + + arch/powerpc/crypto/ghashp8-ppc.o: warning: objtool: .text+0x22c: unannotated intra-function call + +This happens due to commit bb7f054f4de2 ("objtool/powerpc: Add support +for decoding all types of uncond branches") + +Disassembly of arch/powerpc/crypto/ghashp8-ppc.o shows: + + arch/powerpc/crypto/ghashp8-ppc.o: file format elf64-powerpcle + + Disassembly of section .text: + + 0000000000000140 : + 140: f8 ff 00 3c lis r0,-8 + ... + 20c: 20 00 80 4e blr + 210: 00 00 00 00 .long 0x0 + 214: 00 0c 14 00 .long 0x140c00 + 218: 00 00 04 00 .long 0x40000 + 21c: 00 00 00 00 .long 0x0 + 220: 47 48 41 53 rlwimi. r1,r26,9,1,3 + 224: 48 20 66 6f xoris r6,r27,8264 + 228: 72 20 50 6f xoris r16,r26,8306 + 22c: 77 65 72 49 bla 1726574 <== + ... + +It corresponds to the following code in ghashp8-ppc.o : + + _GLOBAL(gcm_ghash_p8) + lis 0,0xfff8 + ... + blr + .long 0 + .byte 0,12,0x14,0,0,0,4,0 + .long 0 + .size gcm_ghash_p8,.-gcm_ghash_p8 + + .byte 71,72,65,83,72,32,102,111,114,32,80,111,119,101,114,73,83,65,32,50,46,48,55,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .align 2 + .align 2 + +In fact this is raw data that is after the function end and that is +not text so shouldn't be disassembled as text. But ghashp8-ppc.S is +generated by a perl script and should have been marked as +OBJECT_FILES_NON_STANDARD. + +Now that 'bla' is understood as a call instruction, that raw data +is mis-interpreted as an infra-function call. + +Mark ghashp8-ppc.o as a OBJECT_FILES_NON_STANDARD to avoid this +warning. + +Reported-by: Venkat Rao Bagalkote +Closes: https://lore.kernel.org/all/8c4c3fc2-2bd7-4148-af68-2f504d6119e0@linux.ibm.com +Fixes: 109303336a0c ("crypto: vmx - Move to arch/powerpc/crypto") +Signed-off-by: Christophe Leroy +Tested-By: Venkat Rao Bagalkote +Reviewed-by: Sathvika Vasireddy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/7aa7eb73fe6bc95ac210510e22394ca0ae227b69.1741128786.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/crypto/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/crypto/Makefile b/arch/powerpc/crypto/Makefile +index 59808592f0a1b..1e52b02d8943b 100644 +--- a/arch/powerpc/crypto/Makefile ++++ b/arch/powerpc/crypto/Makefile +@@ -56,3 +56,4 @@ $(obj)/aesp8-ppc.S $(obj)/ghashp8-ppc.S: $(obj)/%.S: $(src)/%.pl FORCE + OBJECT_FILES_NON_STANDARD_aesp10-ppc.o := y + OBJECT_FILES_NON_STANDARD_ghashp10-ppc.o := y + OBJECT_FILES_NON_STANDARD_aesp8-ppc.o := y ++OBJECT_FILES_NON_STANDARD_ghashp8-ppc.o := y +-- +2.39.5 + diff --git a/queue-6.12/crypto-qat-remove-access-to-parity-register-for-qat-.patch b/queue-6.12/crypto-qat-remove-access-to-parity-register-for-qat-.patch new file mode 100644 index 0000000000..c22805a11b --- /dev/null +++ b/queue-6.12/crypto-qat-remove-access-to-parity-register-for-qat-.patch @@ -0,0 +1,114 @@ +From 91c9bdc4869403311729d2918fd6ec7af50c2ca3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 15:09:31 +0000 +Subject: crypto: qat - remove access to parity register for QAT GEN4 + +From: Bairavi Alagappan + +[ Upstream commit 92c6a707d82f0629debf1c21dd87717776d96af2 ] + +The firmware already handles parity errors reported by the accelerators +by clearing them through the corresponding SSMSOFTERRORPARITY register. +To ensure consistent behavior and prevent race conditions between the +driver and firmware, remove the logic that checks the SSMSOFTERRORPARITY +registers. + +Additionally, change the return type of the function +adf_handle_rf_parr_err() to void, as it consistently returns false. +Parity errors are recoverable and do not necessitate a device reset. + +Fixes: 895f7d532c84 ("crypto: qat - add handling of errors from ERRSOU2 for QAT GEN4") +Signed-off-by: Bairavi Alagappan +Reviewed-by: Andy Shevchenko +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + .../intel/qat/qat_common/adf_gen4_ras.c | 57 ++----------------- + 1 file changed, 5 insertions(+), 52 deletions(-) + +diff --git a/drivers/crypto/intel/qat/qat_common/adf_gen4_ras.c b/drivers/crypto/intel/qat/qat_common/adf_gen4_ras.c +index bf0ea09faa650..0f7f00a19e7dc 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_gen4_ras.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_gen4_ras.c +@@ -1043,63 +1043,16 @@ static bool adf_handle_ssmcpppar_err(struct adf_accel_dev *accel_dev, + return reset_required; + } + +-static bool adf_handle_rf_parr_err(struct adf_accel_dev *accel_dev, ++static void adf_handle_rf_parr_err(struct adf_accel_dev *accel_dev, + void __iomem *csr, u32 iastatssm) + { +- struct adf_dev_err_mask *err_mask = GET_ERR_MASK(accel_dev); +- u32 reg; +- + if (!(iastatssm & ADF_GEN4_IAINTSTATSSM_SSMSOFTERRORPARITY_BIT)) +- return false; +- +- reg = ADF_CSR_RD(csr, ADF_GEN4_SSMSOFTERRORPARITY_SRC); +- reg &= ADF_GEN4_SSMSOFTERRORPARITY_SRC_BIT; +- if (reg) { +- ADF_RAS_ERR_CTR_INC(accel_dev->ras_errors, ADF_RAS_UNCORR); +- ADF_CSR_WR(csr, ADF_GEN4_SSMSOFTERRORPARITY_SRC, reg); +- } +- +- reg = ADF_CSR_RD(csr, ADF_GEN4_SSMSOFTERRORPARITY_ATH_CPH); +- reg &= err_mask->parerr_ath_cph_mask; +- if (reg) { +- ADF_RAS_ERR_CTR_INC(accel_dev->ras_errors, ADF_RAS_UNCORR); +- ADF_CSR_WR(csr, ADF_GEN4_SSMSOFTERRORPARITY_ATH_CPH, reg); +- } +- +- reg = ADF_CSR_RD(csr, ADF_GEN4_SSMSOFTERRORPARITY_CPR_XLT); +- reg &= err_mask->parerr_cpr_xlt_mask; +- if (reg) { +- ADF_RAS_ERR_CTR_INC(accel_dev->ras_errors, ADF_RAS_UNCORR); +- ADF_CSR_WR(csr, ADF_GEN4_SSMSOFTERRORPARITY_CPR_XLT, reg); +- } +- +- reg = ADF_CSR_RD(csr, ADF_GEN4_SSMSOFTERRORPARITY_DCPR_UCS); +- reg &= err_mask->parerr_dcpr_ucs_mask; +- if (reg) { +- ADF_RAS_ERR_CTR_INC(accel_dev->ras_errors, ADF_RAS_UNCORR); +- ADF_CSR_WR(csr, ADF_GEN4_SSMSOFTERRORPARITY_DCPR_UCS, reg); +- } +- +- reg = ADF_CSR_RD(csr, ADF_GEN4_SSMSOFTERRORPARITY_PKE); +- reg &= err_mask->parerr_pke_mask; +- if (reg) { +- ADF_RAS_ERR_CTR_INC(accel_dev->ras_errors, ADF_RAS_UNCORR); +- ADF_CSR_WR(csr, ADF_GEN4_SSMSOFTERRORPARITY_PKE, reg); +- } +- +- if (err_mask->parerr_wat_wcp_mask) { +- reg = ADF_CSR_RD(csr, ADF_GEN4_SSMSOFTERRORPARITY_WAT_WCP); +- reg &= err_mask->parerr_wat_wcp_mask; +- if (reg) { +- ADF_RAS_ERR_CTR_INC(accel_dev->ras_errors, ADF_RAS_UNCORR); +- ADF_CSR_WR(csr, ADF_GEN4_SSMSOFTERRORPARITY_WAT_WCP, +- reg); +- } +- } ++ return; + ++ ADF_RAS_ERR_CTR_INC(accel_dev->ras_errors, ADF_RAS_UNCORR); + dev_err(&GET_DEV(accel_dev), "Slice ssm soft parity error reported"); + +- return false; ++ return; + } + + static bool adf_handle_ser_err_ssmsh(struct adf_accel_dev *accel_dev, +@@ -1171,8 +1124,8 @@ static bool adf_handle_iaintstatssm(struct adf_accel_dev *accel_dev, + reset_required |= adf_handle_slice_hang_error(accel_dev, csr, iastatssm); + reset_required |= adf_handle_spppar_err(accel_dev, csr, iastatssm); + reset_required |= adf_handle_ssmcpppar_err(accel_dev, csr, iastatssm); +- reset_required |= adf_handle_rf_parr_err(accel_dev, csr, iastatssm); + reset_required |= adf_handle_ser_err_ssmsh(accel_dev, csr, iastatssm); ++ adf_handle_rf_parr_err(accel_dev, csr, iastatssm); + + ADF_CSR_WR(csr, ADF_GEN4_IAINTSTATSSM, iastatssm); + +-- +2.39.5 + diff --git a/queue-6.12/crypto-qat-set-parity-error-mask-for-qat_420xx.patch b/queue-6.12/crypto-qat-set-parity-error-mask-for-qat_420xx.patch new file mode 100644 index 0000000000..72721f2fee --- /dev/null +++ b/queue-6.12/crypto-qat-set-parity-error-mask-for-qat_420xx.patch @@ -0,0 +1,58 @@ +From 38bbee1c573ad10b2bf9698a749aaa37d9b4a4ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 13:14:29 +0000 +Subject: crypto: qat - set parity error mask for qat_420xx + +From: Bairavi Alagappan + +[ Upstream commit f9555d18084985c80a91baa4fdb7d205b401a754 ] + +The field parerr_wat_wcp_mask in the structure adf_dev_err_mask enables +the detection and reporting of parity errors for the wireless cipher and +wireless authentication accelerators. + +Set the parerr_wat_wcp_mask field, which was inadvertently omitted +during the initial enablement of the qat_420xx driver, to ensure that +parity errors are enabled for those accelerators. + +In addition, fix the string used to report such errors that was +inadvertently set to "ath_cph" (authentication and cipher). + +Fixes: fcf60f4bcf54 ("crypto: qat - add support for 420xx devices") +Signed-off-by: Bairavi Alagappan +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c | 1 + + drivers/crypto/intel/qat/qat_common/adf_gen4_ras.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c +index 9faef33e54bd3..a17adc4beda2e 100644 +--- a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c ++++ b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c +@@ -420,6 +420,7 @@ static void adf_gen4_set_err_mask(struct adf_dev_err_mask *dev_err_mask) + dev_err_mask->parerr_cpr_xlt_mask = ADF_420XX_PARITYERRORMASK_CPR_XLT_MASK; + dev_err_mask->parerr_dcpr_ucs_mask = ADF_420XX_PARITYERRORMASK_DCPR_UCS_MASK; + dev_err_mask->parerr_pke_mask = ADF_420XX_PARITYERRORMASK_PKE_MASK; ++ dev_err_mask->parerr_wat_wcp_mask = ADF_420XX_PARITYERRORMASK_WAT_WCP_MASK; + dev_err_mask->ssmfeatren_mask = ADF_420XX_SSMFEATREN_MASK; + } + +diff --git a/drivers/crypto/intel/qat/qat_common/adf_gen4_ras.c b/drivers/crypto/intel/qat/qat_common/adf_gen4_ras.c +index 2dd3772bf58a6..bf0ea09faa650 100644 +--- a/drivers/crypto/intel/qat/qat_common/adf_gen4_ras.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_gen4_ras.c +@@ -695,7 +695,7 @@ static bool adf_handle_slice_hang_error(struct adf_accel_dev *accel_dev, + if (err_mask->parerr_wat_wcp_mask) + adf_poll_slicehang_csr(accel_dev, csr, + ADF_GEN4_SLICEHANGSTATUS_WAT_WCP, +- "ath_cph"); ++ "wat_wcp"); + + return false; + } +-- +2.39.5 + diff --git a/queue-6.12/crypto-tegra-check-return-value-for-hash-do_one_req.patch b/queue-6.12/crypto-tegra-check-return-value-for-hash-do_one_req.patch new file mode 100644 index 0000000000..a26bd16248 --- /dev/null +++ b/queue-6.12/crypto-tegra-check-return-value-for-hash-do_one_req.patch @@ -0,0 +1,85 @@ +From 4f3e47ae8e691b16c05058d7fbc2aab961c33372 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 14:46:04 +0530 +Subject: crypto: tegra - check return value for hash do_one_req + +From: Akhil R + +[ Upstream commit dcf8b7e49b86738296c77fb58c123dd2d74a22a7 ] + +Initialize and check the return value in hash *do_one_req() functions +and exit the function if there is an error. This fixes the +'uninitialized variable' warnings reported by testbots. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202412071747.flPux4oB-lkp@intel.com/ +Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver") +Signed-off-by: Akhil R +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/tegra/tegra-se-aes.c | 10 ++++++++-- + drivers/crypto/tegra/tegra-se-hash.c | 7 +++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c +index b42f791667c64..06f60260e0a0f 100644 +--- a/drivers/crypto/tegra/tegra-se-aes.c ++++ b/drivers/crypto/tegra/tegra-se-aes.c +@@ -1581,18 +1581,24 @@ static int tegra_cmac_do_one_req(struct crypto_engine *engine, void *areq) + struct crypto_ahash *tfm = crypto_ahash_reqtfm(req); + struct tegra_cmac_ctx *ctx = crypto_ahash_ctx(tfm); + struct tegra_se *se = ctx->se; +- int ret; ++ int ret = 0; + + if (rctx->task & SHA_UPDATE) { + ret = tegra_cmac_do_update(req); ++ if (ret) ++ goto out; ++ + rctx->task &= ~SHA_UPDATE; + } + + if (rctx->task & SHA_FINAL) { + ret = tegra_cmac_do_final(req); ++ if (ret) ++ goto out; ++ + rctx->task &= ~SHA_FINAL; + } +- ++out: + crypto_finalize_hash_request(se->engine, req, ret); + + return 0; +diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c +index c7b2a062a03c0..5aead114bd967 100644 +--- a/drivers/crypto/tegra/tegra-se-hash.c ++++ b/drivers/crypto/tegra/tegra-se-hash.c +@@ -417,14 +417,21 @@ static int tegra_sha_do_one_req(struct crypto_engine *engine, void *areq) + + if (rctx->task & SHA_UPDATE) { + ret = tegra_sha_do_update(req); ++ if (ret) ++ goto out; ++ + rctx->task &= ~SHA_UPDATE; + } + + if (rctx->task & SHA_FINAL) { + ret = tegra_sha_do_final(req); ++ if (ret) ++ goto out; ++ + rctx->task &= ~SHA_FINAL; + } + ++out: + crypto_finalize_hash_request(se->engine, req, ret); + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/crypto-tegra-fix-cmac-intermediate-result-handling.patch b/queue-6.12/crypto-tegra-fix-cmac-intermediate-result-handling.patch new file mode 100644 index 0000000000..7118f57005 --- /dev/null +++ b/queue-6.12/crypto-tegra-fix-cmac-intermediate-result-handling.patch @@ -0,0 +1,69 @@ +From 7cfb572ff39c8635015beefc396e7abe7054808f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 14:46:07 +0530 +Subject: crypto: tegra - Fix CMAC intermediate result handling + +From: Akhil R + +[ Upstream commit ce390d6c2675d2e24d798169a1a0e3cdbc076907 ] + +Saving and restoring of the intermediate results are needed if there is +context switch caused by another ongoing request on the same engine. +This is therefore not only to support import/export functionality. +Hence, save and restore the intermediate result for every non-first task. + +Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver") +Signed-off-by: Akhil R +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/tegra/tegra-se-aes.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c +index 06f60260e0a0f..3308962f11c59 100644 +--- a/drivers/crypto/tegra/tegra-se-aes.c ++++ b/drivers/crypto/tegra/tegra-se-aes.c +@@ -1513,9 +1513,8 @@ static int tegra_cmac_do_update(struct ahash_request *req) + rctx->residue.size = nresidue; + + /* +- * If this is not the first 'update' call, paste the previous copied ++ * If this is not the first task, paste the previous copied + * intermediate results to the registers so that it gets picked up. +- * This is to support the import/export functionality. + */ + if (!(rctx->task & SHA_FIRST)) + tegra_cmac_paste_result(ctx->se, rctx); +@@ -1523,13 +1522,7 @@ static int tegra_cmac_do_update(struct ahash_request *req) + cmdlen = tegra_cmac_prep_cmd(ctx, rctx); + ret = tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); + +- /* +- * If this is not the final update, copy the intermediate results +- * from the registers so that it can be used in the next 'update' +- * call. This is to support the import/export functionality. +- */ +- if (!(rctx->task & SHA_FINAL)) +- tegra_cmac_copy_result(ctx->se, rctx); ++ tegra_cmac_copy_result(ctx->se, rctx); + + return ret; + } +@@ -1553,6 +1546,13 @@ static int tegra_cmac_do_final(struct ahash_request *req) + rctx->total_len += rctx->residue.size; + rctx->config = tegra234_aes_cfg(SE_ALG_CMAC, 0); + ++ /* ++ * If this is not the first task, paste the previous copied ++ * intermediate results to the registers so that it gets picked up. ++ */ ++ if (!(rctx->task & SHA_FIRST)) ++ tegra_cmac_paste_result(ctx->se, rctx); ++ + /* Prepare command and submit */ + cmdlen = tegra_cmac_prep_cmd(ctx, rctx); + ret = tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); +-- +2.39.5 + diff --git a/queue-6.12/crypto-tegra-set-iv-to-null-explicitly-for-aes-ecb.patch b/queue-6.12/crypto-tegra-set-iv-to-null-explicitly-for-aes-ecb.patch new file mode 100644 index 0000000000..1e59addbb3 --- /dev/null +++ b/queue-6.12/crypto-tegra-set-iv-to-null-explicitly-for-aes-ecb.patch @@ -0,0 +1,40 @@ +From 133511b2344ea9385fb26acfd4b1dd2087961dc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 14:46:08 +0530 +Subject: crypto: tegra - Set IV to NULL explicitly for AES ECB + +From: Akhil R + +[ Upstream commit bde558220866e74f19450e16d9a2472b488dfedf ] + +It may happen that the variable req->iv may have stale values or +zero sized buffer by default and may end up getting used during +encryption/decryption. This inturn may corrupt the results or break the +operation. Set the req->iv variable to NULL explicitly for algorithms +like AES-ECB where IV is not used. + +Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver") +Signed-off-by: Akhil R +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/tegra/tegra-se-aes.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c +index 3308962f11c59..0ed0515e1ed54 100644 +--- a/drivers/crypto/tegra/tegra-se-aes.c ++++ b/drivers/crypto/tegra/tegra-se-aes.c +@@ -443,6 +443,9 @@ static int tegra_aes_crypt(struct skcipher_request *req, bool encrypt) + if (!req->cryptlen) + return 0; + ++ if (ctx->alg == SE_ALG_ECB) ++ req->iv = NULL; ++ + rctx->encrypt = encrypt; + rctx->config = tegra234_aes_cfg(ctx->alg, encrypt); + rctx->crypto_config = tegra234_aes_crypto_cfg(ctx->alg, encrypt); +-- +2.39.5 + diff --git a/queue-6.12/crypto-tegra-use-hmac-fallback-when-keyslots-are-ful.patch b/queue-6.12/crypto-tegra-use-hmac-fallback-when-keyslots-are-ful.patch new file mode 100644 index 0000000000..54f4209d44 --- /dev/null +++ b/queue-6.12/crypto-tegra-use-hmac-fallback-when-keyslots-are-ful.patch @@ -0,0 +1,49 @@ +From ec8adbfcbd01377b1899870511e7ff82eec019d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 14:46:10 +0530 +Subject: crypto: tegra - Use HMAC fallback when keyslots are full + +From: Akhil R + +[ Upstream commit f80a2e2e77bedd0aa645a60f89b4f581c70accda ] + +The intermediate results for HMAC is stored in the allocated keyslot by +the hardware. Dynamic allocation of keyslot during an operation is hence +not possible. As the number of keyslots are limited in the hardware, +fallback to the HMAC software implementation if keyslots are not available + +Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver") +Signed-off-by: Akhil R +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/tegra/tegra-se-hash.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c +index 5aead114bd967..726e30c0e63eb 100644 +--- a/drivers/crypto/tegra/tegra-se-hash.c ++++ b/drivers/crypto/tegra/tegra-se-hash.c +@@ -567,13 +567,18 @@ static int tegra_hmac_setkey(struct crypto_ahash *tfm, const u8 *key, + unsigned int keylen) + { + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm); ++ int ret; + + if (aes_check_keylen(keylen)) + return tegra_hmac_fallback_setkey(ctx, key, keylen); + ++ ret = tegra_key_submit(ctx->se, key, keylen, ctx->alg, &ctx->key_id); ++ if (ret) ++ return tegra_hmac_fallback_setkey(ctx, key, keylen); ++ + ctx->fallback = false; + +- return tegra_key_submit(ctx->se, key, keylen, ctx->alg, &ctx->key_id); ++ return 0; + } + + static int tegra_sha_update(struct ahash_request *req) +-- +2.39.5 + diff --git a/queue-6.12/crypto-tegra-use-separate-buffer-for-setkey.patch b/queue-6.12/crypto-tegra-use-separate-buffer-for-setkey.patch new file mode 100644 index 0000000000..4fc225b8f4 --- /dev/null +++ b/queue-6.12/crypto-tegra-use-separate-buffer-for-setkey.patch @@ -0,0 +1,250 @@ +From 50fb23252d706b140eca4691c5fdf1b27e1530c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 14:46:01 +0530 +Subject: crypto: tegra - Use separate buffer for setkey + +From: Akhil R + +[ Upstream commit bcfc8fc53f3acb3213fb9d28675244aa4ce208e0 ] + +The buffer which sends the commands to host1x was shared for all tasks +in the engine. This causes a problem with the setkey() function as it +gets called asynchronous to the crypto engine queue. Modifying the same +cmdbuf in setkey() will corrupt the ongoing host1x task and in turn +break the encryption/decryption operation. Hence use a separate cmdbuf +for setkey(). + +Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver") +Signed-off-by: Akhil R +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/tegra/tegra-se-aes.c | 16 ++++++++-------- + drivers/crypto/tegra/tegra-se-hash.c | 13 +++++++------ + drivers/crypto/tegra/tegra-se-key.c | 10 ++++++++-- + drivers/crypto/tegra/tegra-se-main.c | 16 ++++++++++++---- + drivers/crypto/tegra/tegra-se.h | 3 ++- + 5 files changed, 37 insertions(+), 21 deletions(-) + +diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c +index 3106fd1e84b91..b42f791667c64 100644 +--- a/drivers/crypto/tegra/tegra-se-aes.c ++++ b/drivers/crypto/tegra/tegra-se-aes.c +@@ -282,7 +282,7 @@ static int tegra_aes_do_one_req(struct crypto_engine *engine, void *areq) + + /* Prepare the command and submit for execution */ + cmdlen = tegra_aes_prep_cmd(ctx, rctx); +- ret = tegra_se_host1x_submit(se, cmdlen); ++ ret = tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); + + /* Copy the result */ + tegra_aes_update_iv(req, ctx); +@@ -719,7 +719,7 @@ static int tegra_gcm_do_gmac(struct tegra_aead_ctx *ctx, struct tegra_aead_reqct + + cmdlen = tegra_gmac_prep_cmd(ctx, rctx); + +- return tegra_se_host1x_submit(se, cmdlen); ++ return tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); + } + + static int tegra_gcm_do_crypt(struct tegra_aead_ctx *ctx, struct tegra_aead_reqctx *rctx) +@@ -736,7 +736,7 @@ static int tegra_gcm_do_crypt(struct tegra_aead_ctx *ctx, struct tegra_aead_reqc + + /* Prepare command and submit */ + cmdlen = tegra_gcm_crypt_prep_cmd(ctx, rctx); +- ret = tegra_se_host1x_submit(se, cmdlen); ++ ret = tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); + if (ret) + return ret; + +@@ -759,7 +759,7 @@ static int tegra_gcm_do_final(struct tegra_aead_ctx *ctx, struct tegra_aead_reqc + + /* Prepare command and submit */ + cmdlen = tegra_gcm_prep_final_cmd(se, cpuvaddr, rctx); +- ret = tegra_se_host1x_submit(se, cmdlen); ++ ret = tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); + if (ret) + return ret; + +@@ -891,7 +891,7 @@ static int tegra_ccm_do_cbcmac(struct tegra_aead_ctx *ctx, struct tegra_aead_req + /* Prepare command and submit */ + cmdlen = tegra_cbcmac_prep_cmd(ctx, rctx); + +- return tegra_se_host1x_submit(se, cmdlen); ++ return tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); + } + + static int tegra_ccm_set_msg_len(u8 *block, unsigned int msglen, int csize) +@@ -1098,7 +1098,7 @@ static int tegra_ccm_do_ctr(struct tegra_aead_ctx *ctx, struct tegra_aead_reqctx + + /* Prepare command and submit */ + cmdlen = tegra_ctr_prep_cmd(ctx, rctx); +- ret = tegra_se_host1x_submit(se, cmdlen); ++ ret = tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); + if (ret) + return ret; + +@@ -1521,8 +1521,8 @@ static int tegra_cmac_do_update(struct ahash_request *req) + tegra_cmac_paste_result(ctx->se, rctx); + + cmdlen = tegra_cmac_prep_cmd(ctx, rctx); ++ ret = tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); + +- ret = tegra_se_host1x_submit(se, cmdlen); + /* + * If this is not the final update, copy the intermediate results + * from the registers so that it can be used in the next 'update' +@@ -1555,7 +1555,7 @@ static int tegra_cmac_do_final(struct ahash_request *req) + + /* Prepare command and submit */ + cmdlen = tegra_cmac_prep_cmd(ctx, rctx); +- ret = tegra_se_host1x_submit(se, cmdlen); ++ ret = tegra_se_host1x_submit(se, se->cmdbuf, cmdlen); + if (ret) + goto out; + +diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c +index 0b5cdd5676b17..c7b2a062a03c0 100644 +--- a/drivers/crypto/tegra/tegra-se-hash.c ++++ b/drivers/crypto/tegra/tegra-se-hash.c +@@ -300,8 +300,9 @@ static int tegra_sha_do_update(struct ahash_request *req) + { + struct tegra_sha_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(req)); + struct tegra_sha_reqctx *rctx = ahash_request_ctx(req); ++ struct tegra_se *se = ctx->se; + unsigned int nblks, nresidue, size, ret; +- u32 *cpuvaddr = ctx->se->cmdbuf->addr; ++ u32 *cpuvaddr = se->cmdbuf->addr; + + nresidue = (req->nbytes + rctx->residue.size) % rctx->blk_size; + nblks = (req->nbytes + rctx->residue.size) / rctx->blk_size; +@@ -353,11 +354,11 @@ static int tegra_sha_do_update(struct ahash_request *req) + * This is to support the import/export functionality. + */ + if (!(rctx->task & SHA_FIRST)) +- tegra_sha_paste_hash_result(ctx->se, rctx); ++ tegra_sha_paste_hash_result(se, rctx); + +- size = tegra_sha_prep_cmd(ctx->se, cpuvaddr, rctx); ++ size = tegra_sha_prep_cmd(se, cpuvaddr, rctx); + +- ret = tegra_se_host1x_submit(ctx->se, size); ++ ret = tegra_se_host1x_submit(se, se->cmdbuf, size); + + /* + * If this is not the final update, copy the intermediate results +@@ -365,7 +366,7 @@ static int tegra_sha_do_update(struct ahash_request *req) + * call. This is to support the import/export functionality. + */ + if (!(rctx->task & SHA_FINAL)) +- tegra_sha_copy_hash_result(ctx->se, rctx); ++ tegra_sha_copy_hash_result(se, rctx); + + return ret; + } +@@ -388,7 +389,7 @@ static int tegra_sha_do_final(struct ahash_request *req) + + size = tegra_sha_prep_cmd(se, cpuvaddr, rctx); + +- ret = tegra_se_host1x_submit(se, size); ++ ret = tegra_se_host1x_submit(se, se->cmdbuf, size); + if (ret) + goto out; + +diff --git a/drivers/crypto/tegra/tegra-se-key.c b/drivers/crypto/tegra/tegra-se-key.c +index ac14678dbd30d..276b261fb6df1 100644 +--- a/drivers/crypto/tegra/tegra-se-key.c ++++ b/drivers/crypto/tegra/tegra-se-key.c +@@ -115,11 +115,17 @@ static int tegra_key_insert(struct tegra_se *se, const u8 *key, + u32 keylen, u16 slot, u32 alg) + { + const u32 *keyval = (u32 *)key; +- u32 *addr = se->cmdbuf->addr, size; ++ u32 *addr = se->keybuf->addr, size; ++ int ret; ++ ++ mutex_lock(&kslt_lock); + + size = tegra_key_prep_ins_cmd(se, addr, keyval, keylen, slot, alg); ++ ret = tegra_se_host1x_submit(se, se->keybuf, size); + +- return tegra_se_host1x_submit(se, size); ++ mutex_unlock(&kslt_lock); ++ ++ return ret; + } + + void tegra_key_invalidate(struct tegra_se *se, u32 keyid, u32 alg) +diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c +index f94c0331b148c..55690b044e417 100644 +--- a/drivers/crypto/tegra/tegra-se-main.c ++++ b/drivers/crypto/tegra/tegra-se-main.c +@@ -141,7 +141,7 @@ static struct tegra_se_cmdbuf *tegra_se_host1x_bo_alloc(struct tegra_se *se, ssi + return cmdbuf; + } + +-int tegra_se_host1x_submit(struct tegra_se *se, u32 size) ++int tegra_se_host1x_submit(struct tegra_se *se, struct tegra_se_cmdbuf *cmdbuf, u32 size) + { + struct host1x_job *job; + int ret; +@@ -160,9 +160,9 @@ int tegra_se_host1x_submit(struct tegra_se *se, u32 size) + job->engine_fallback_streamid = se->stream_id; + job->engine_streamid_offset = SE_STREAM_ID; + +- se->cmdbuf->words = size; ++ cmdbuf->words = size; + +- host1x_job_add_gather(job, &se->cmdbuf->bo, size, 0); ++ host1x_job_add_gather(job, &cmdbuf->bo, size, 0); + + ret = host1x_job_pin(job, se->dev); + if (ret) { +@@ -220,14 +220,22 @@ static int tegra_se_client_init(struct host1x_client *client) + goto syncpt_put; + } + ++ se->keybuf = tegra_se_host1x_bo_alloc(se, SZ_4K); ++ if (!se->keybuf) { ++ ret = -ENOMEM; ++ goto cmdbuf_put; ++ } ++ + ret = se->hw->init_alg(se); + if (ret) { + dev_err(se->dev, "failed to register algorithms\n"); +- goto cmdbuf_put; ++ goto keybuf_put; + } + + return 0; + ++keybuf_put: ++ tegra_se_cmdbuf_put(&se->keybuf->bo); + cmdbuf_put: + tegra_se_cmdbuf_put(&se->cmdbuf->bo); + syncpt_put: +diff --git a/drivers/crypto/tegra/tegra-se.h b/drivers/crypto/tegra/tegra-se.h +index b9dd7ceb8783c..b54aefe717a17 100644 +--- a/drivers/crypto/tegra/tegra-se.h ++++ b/drivers/crypto/tegra/tegra-se.h +@@ -420,6 +420,7 @@ struct tegra_se { + struct host1x_client client; + struct host1x_channel *channel; + struct tegra_se_cmdbuf *cmdbuf; ++ struct tegra_se_cmdbuf *keybuf; + struct crypto_engine *engine; + struct host1x_syncpt *syncpt; + struct device *dev; +@@ -502,7 +503,7 @@ void tegra_deinit_hash(struct tegra_se *se); + int tegra_key_submit(struct tegra_se *se, const u8 *key, + u32 keylen, u32 alg, u32 *keyid); + void tegra_key_invalidate(struct tegra_se *se, u32 keyid, u32 alg); +-int tegra_se_host1x_submit(struct tegra_se *se, u32 size); ++int tegra_se_host1x_submit(struct tegra_se *se, struct tegra_se_cmdbuf *cmdbuf, u32 size); + + /* HOST1x OPCODES */ + static inline u32 host1x_opcode_setpayload(unsigned int payload) +-- +2.39.5 + diff --git a/queue-6.12/dmaengine-fsl-edma-cleanup-chan-after-dma_async_devi.patch b/queue-6.12/dmaengine-fsl-edma-cleanup-chan-after-dma_async_devi.patch new file mode 100644 index 0000000000..a351def862 --- /dev/null +++ b/queue-6.12/dmaengine-fsl-edma-cleanup-chan-after-dma_async_devi.patch @@ -0,0 +1,52 @@ +From cbffded1a2669e3da1757635fa961b03420d77f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 15:17:19 +0800 +Subject: dmaengine: fsl-edma: cleanup chan after dma_async_device_unregister + +From: Peng Fan + +[ Upstream commit c9c59da76ce9cb3f215b66eb3708cda1134a5206 ] + +There is kernel dump when do module test: +sysfs: cannot create duplicate filename +/devices/platform/soc@0/44000000.bus/44000000.dma-controller/dma/dma0chan0 + __dma_async_device_channel_register+0x128/0x19c + dma_async_device_register+0x150/0x454 + fsl_edma_probe+0x6cc/0x8a0 + platform_probe+0x68/0xc8 + +fsl_edma_cleanup_vchan will unlink vchan.chan.device_node, while +dma_async_device_unregister needs the link to do +__dma_async_device_channel_unregister. So need move fsl_edma_cleanup_vchan +after dma_async_device_unregister to make sure channel could be freed. + +So clean up chan after dma_async_device_unregister to address this. + +Fixes: 6f93b93b2a1b ("dmaengine: fsl-edma: kill the tasklets upon exit") +Reviewed-by: Frank Li +Signed-off-by: Peng Fan +Link: https://lore.kernel.org/r/20250228071720.3780479-1-peng.fan@oss.nxp.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/fsl-edma-main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/fsl-edma-main.c b/drivers/dma/fsl-edma-main.c +index 70cb7fda757a9..db5f06b8575db 100644 +--- a/drivers/dma/fsl-edma-main.c ++++ b/drivers/dma/fsl-edma-main.c +@@ -699,9 +699,9 @@ static void fsl_edma_remove(struct platform_device *pdev) + struct fsl_edma_engine *fsl_edma = platform_get_drvdata(pdev); + + fsl_edma_irq_exit(pdev, fsl_edma); +- fsl_edma_cleanup_vchan(&fsl_edma->dma_dev); + of_dma_controller_free(np); + dma_async_device_unregister(&fsl_edma->dma_dev); ++ fsl_edma_cleanup_vchan(&fsl_edma->dma_dev); + fsl_disable_clocks(fsl_edma, fsl_edma->drvdata->dmamuxs); + } + +-- +2.39.5 + diff --git a/queue-6.12/dmaengine-fsl-edma-free-irq-correctly-in-remove-path.patch b/queue-6.12/dmaengine-fsl-edma-free-irq-correctly-in-remove-path.patch new file mode 100644 index 0000000000..0e979ad902 --- /dev/null +++ b/queue-6.12/dmaengine-fsl-edma-free-irq-correctly-in-remove-path.patch @@ -0,0 +1,77 @@ +From 3ee5aeaf3fd2f654daa962675b3b415b97f29289 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 15:17:20 +0800 +Subject: dmaengine: fsl-edma: free irq correctly in remove path + +From: Peng Fan + +[ Upstream commit fa70c4c3c580c239a0f9e83a14770ab026e8d820 ] + +Add fsl_edma->txirq/errirq check to avoid below warning because no +errirq at i.MX9 platform. Otherwise there will be kernel dump: +WARNING: CPU: 0 PID: 11 at kernel/irq/devres.c:144 devm_free_irq+0x74/0x80 +Modules linked in: +CPU: 0 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.12.0-rc7#18 +Hardware name: NXP i.MX93 11X11 EVK board (DT) +Workqueue: events_unbound deferred_probe_work_func +pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : devm_free_irq+0x74/0x80 +lr : devm_free_irq+0x48/0x80 +Call trace: + devm_free_irq+0x74/0x80 (P) + devm_free_irq+0x48/0x80 (L) + fsl_edma_remove+0xc4/0xc8 + platform_remove+0x28/0x44 + device_remove+0x4c/0x80 + +Fixes: 44eb827264de ("dmaengine: fsl-edma: request per-channel IRQ only when channel is allocated") +Reviewed-by: Frank Li +Signed-off-by: Peng Fan +Link: https://lore.kernel.org/r/20250228071720.3780479-2-peng.fan@oss.nxp.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/fsl-edma-main.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/fsl-edma-main.c b/drivers/dma/fsl-edma-main.c +index db5f06b8575db..27645606f900b 100644 +--- a/drivers/dma/fsl-edma-main.c ++++ b/drivers/dma/fsl-edma-main.c +@@ -303,6 +303,7 @@ fsl_edma2_irq_init(struct platform_device *pdev, + + /* The last IRQ is for eDMA err */ + if (i == count - 1) { ++ fsl_edma->errirq = irq; + ret = devm_request_irq(&pdev->dev, irq, + fsl_edma_err_handler, + 0, "eDMA2-ERR", fsl_edma); +@@ -322,10 +323,13 @@ static void fsl_edma_irq_exit( + struct platform_device *pdev, struct fsl_edma_engine *fsl_edma) + { + if (fsl_edma->txirq == fsl_edma->errirq) { +- devm_free_irq(&pdev->dev, fsl_edma->txirq, fsl_edma); ++ if (fsl_edma->txirq >= 0) ++ devm_free_irq(&pdev->dev, fsl_edma->txirq, fsl_edma); + } else { +- devm_free_irq(&pdev->dev, fsl_edma->txirq, fsl_edma); +- devm_free_irq(&pdev->dev, fsl_edma->errirq, fsl_edma); ++ if (fsl_edma->txirq >= 0) ++ devm_free_irq(&pdev->dev, fsl_edma->txirq, fsl_edma); ++ if (fsl_edma->errirq >= 0) ++ devm_free_irq(&pdev->dev, fsl_edma->errirq, fsl_edma); + } + } + +@@ -513,6 +517,8 @@ static int fsl_edma_probe(struct platform_device *pdev) + if (!fsl_edma) + return -ENOMEM; + ++ fsl_edma->errirq = -EINVAL; ++ fsl_edma->txirq = -EINVAL; + fsl_edma->drvdata = drvdata; + fsl_edma->n_chans = chans; + mutex_init(&fsl_edma->fsl_edma_mutex); +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-avoid-npd-when-asic-does-not-support.patch b/queue-6.12/drm-amd-display-avoid-npd-when-asic-does-not-support.patch new file mode 100644 index 0000000000..a3d9ed2fe9 --- /dev/null +++ b/queue-6.12/drm-amd-display-avoid-npd-when-asic-does-not-support.patch @@ -0,0 +1,149 @@ +From 73b06874974c119582b3668854f62ddc301697de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 10:06:38 -0300 +Subject: drm/amd/display: avoid NPD when ASIC does not support DMUB + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit 42d9d7bed270247f134190ba0cb05bbd072f58c2 ] + +ctx->dmub_srv will de NULL if the ASIC does not support DMUB, which is +tested in dm_dmub_sw_init. + +However, it will be dereferenced in dmub_hw_lock_mgr_cmd if +should_use_dmub_lock returns true. + +This has been the case since dmub support has been added for PSR1. + +Fix this by checking for dmub_srv in should_use_dmub_lock. + +[ 37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058 +[ 37.447808] #PF: supervisor read access in kernel mode +[ 37.452959] #PF: error_code(0x0000) - not-present page +[ 37.458112] PGD 0 P4D 0 +[ 37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88 +[ 37.478324] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023 +[ 37.487103] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0 +[ 37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 <48> 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5 +[ 37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202 +[ 37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358 +[ 37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000 +[ 37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5 +[ 37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000 +[ 37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000 +[ 37.551725] FS: 0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000 +[ 37.559814] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0 +[ 37.572697] Call Trace: +[ 37.575152] +[ 37.577258] ? __die_body+0x66/0xb0 +[ 37.580756] ? page_fault_oops+0x3e7/0x4a0 +[ 37.584861] ? exc_page_fault+0x3e/0xe0 +[ 37.588706] ? exc_page_fault+0x5c/0xe0 +[ 37.592550] ? asm_exc_page_fault+0x22/0x30 +[ 37.596742] ? dmub_hw_lock_mgr_cmd+0x77/0xb0 +[ 37.601107] dcn10_cursor_lock+0x1e1/0x240 +[ 37.605211] program_cursor_attributes+0x81/0x190 +[ 37.609923] commit_planes_for_stream+0x998/0x1ef0 +[ 37.614722] update_planes_and_stream_v2+0x41e/0x5c0 +[ 37.619703] dc_update_planes_and_stream+0x78/0x140 +[ 37.624588] amdgpu_dm_atomic_commit_tail+0x4362/0x49f0 +[ 37.629832] ? srso_return_thunk+0x5/0x5f +[ 37.633847] ? mark_held_locks+0x6d/0xd0 +[ 37.637774] ? _raw_spin_unlock_irq+0x24/0x50 +[ 37.642135] ? srso_return_thunk+0x5/0x5f +[ 37.646148] ? lockdep_hardirqs_on+0x95/0x150 +[ 37.650510] ? srso_return_thunk+0x5/0x5f +[ 37.654522] ? _raw_spin_unlock_irq+0x2f/0x50 +[ 37.658883] ? srso_return_thunk+0x5/0x5f +[ 37.662897] ? wait_for_common+0x186/0x1c0 +[ 37.666998] ? srso_return_thunk+0x5/0x5f +[ 37.671009] ? drm_crtc_next_vblank_start+0xc3/0x170 +[ 37.675983] commit_tail+0xf5/0x1c0 +[ 37.679478] drm_atomic_helper_commit+0x2a2/0x2b0 +[ 37.684186] drm_atomic_commit+0xd6/0x100 +[ 37.688199] ? __cfi___drm_printfn_info+0x10/0x10 +[ 37.692911] drm_atomic_helper_update_plane+0xe5/0x130 +[ 37.698054] drm_mode_cursor_common+0x501/0x670 +[ 37.702600] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10 +[ 37.707572] drm_mode_cursor_ioctl+0x48/0x70 +[ 37.711851] drm_ioctl_kernel+0xf2/0x150 +[ 37.715781] drm_ioctl+0x363/0x590 +[ 37.719189] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10 +[ 37.724165] amdgpu_drm_ioctl+0x41/0x80 +[ 37.728013] __se_sys_ioctl+0x7f/0xd0 +[ 37.731685] do_syscall_64+0x87/0x100 +[ 37.735355] ? vma_end_read+0x12/0xe0 +[ 37.739024] ? srso_return_thunk+0x5/0x5f +[ 37.743041] ? find_held_lock+0x47/0xf0 +[ 37.746884] ? vma_end_read+0x12/0xe0 +[ 37.750552] ? srso_return_thunk+0x5/0x5f +[ 37.754565] ? lock_release+0x1c4/0x2e0 +[ 37.758406] ? vma_end_read+0x12/0xe0 +[ 37.762079] ? exc_page_fault+0x84/0xe0 +[ 37.765921] ? srso_return_thunk+0x5/0x5f +[ 37.769938] ? lockdep_hardirqs_on+0x95/0x150 +[ 37.774303] ? srso_return_thunk+0x5/0x5f +[ 37.778317] ? exc_page_fault+0x84/0xe0 +[ 37.782163] entry_SYSCALL_64_after_hwframe+0x55/0x5d +[ 37.787218] RIP: 0033:0x784aa5ec3059 +[ 37.790803] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1d 48 8b 45 c8 64 48 2b 04 25 28 00 0 +[ 37.809553] RSP: 002b:0000784a9cdf90e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 37.817121] RAX: ffffffffffffffda RBX: 0000784a9cdf917c RCX: 0000784aa5ec3059 +[ 37.824256] RDX: 0000784a9cdf917c RSI: 00000000c01c64a3 RDI: 0000000000000020 +[ 37.831391] RBP: 0000784a9cdf9130 R08: 0000000000000100 R09: 0000000000ff0000 +[ 37.838525] R10: 0000000000000000 R11: 0000000000000246 R12: 0000025c01606ed0 +[ 37.845657] R13: 0000025c00030200 R14: 00000000c01c64a3 R15: 0000000000000020 +[ 37.852799] +[ 37.854992] Modules linked in: +[ 37.864546] gsmi: Log Shutdown Reason 0x03 +[ 37.868656] CR2: 0000000000000058 +[ 37.871979] ---[ end trace 0000000000000000 ]--- +[ 37.880976] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0 +[ 37.885954] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 <48> 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5 +[ 37.904703] RSP: 0018:ffff969442853300 EFLAGS: 00010202 +[ 37.909933] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358 +[ 37.917068] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000 +[ 37.924201] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5 +[ 37.931336] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000 +[ 37.938469] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000 +[ 37.945602] FS: 0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000 +[ 37.953689] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 37.959435] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0 +[ 37.966570] Kernel panic - not syncing: Fatal exception +[ 37.971901] Kernel Offset: 0x30200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) +[ 37.982840] gsmi: Log Shutdown Reason 0x02 + +Fixes: b5c764d6ed55 ("drm/amd/display: Use HW lock mgr for PSR1") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: Sun peng Li +Cc: Tom Chung +Cc: Daniel Wheeler +Cc: Alex Deucher +Reviewed-by: Rodrigo Siqueira +Reviewed-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +index 6e2fce329d738..d37ecfdde4f1b 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +@@ -63,6 +63,10 @@ void dmub_hw_lock_mgr_inbox0_cmd(struct dc_dmub_srv *dmub_srv, + + bool should_use_dmub_lock(struct dc_link *link) + { ++ /* ASIC doesn't support DMUB */ ++ if (!link->ctx->dmub_srv) ++ return false; ++ + if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1) + return true; + +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-fix-an-indent-issue-in-dml21.patch b/queue-6.12/drm-amd-display-fix-an-indent-issue-in-dml21.patch new file mode 100644 index 0000000000..5ec318bfa8 --- /dev/null +++ b/queue-6.12/drm-amd-display-fix-an-indent-issue-in-dml21.patch @@ -0,0 +1,41 @@ +From add03e464df74c16cc5634981bff77725e56e32b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2025 09:45:12 -0500 +Subject: drm/amd/display: fix an indent issue in DML21 + +From: Aurabindo Pillai + +[ Upstream commit a1addcf8499a566496847f1e36e1cf0b4ad72a26 ] + +Remove extraneous tab and newline in dml2_core_dcn4.c that was +reported by the bot + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202502211920.txUfwtSj-lkp@intel.com/ +Fixes: 70839da6360 ("drm/amd/display: Add new DCN401 sources") +Signed-off-by: Aurabindo Pillai +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4.c b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4.c +index 0aa4e4d343b04..2c1316d1b6eb8 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4.c ++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4.c +@@ -139,9 +139,8 @@ bool core_dcn4_initialize(struct dml2_core_initialize_in_out *in_out) + core->clean_me_up.mode_lib.ip.subvp_fw_processing_delay_us = core_dcn4_ip_caps_base.subvp_pstate_allow_width_us; + core->clean_me_up.mode_lib.ip.subvp_swath_height_margin_lines = core_dcn4_ip_caps_base.subvp_swath_height_margin_lines; + } else { +- memcpy(&core->clean_me_up.mode_lib.ip, &core_dcn4_ip_caps_base, sizeof(struct dml2_core_ip_params)); ++ memcpy(&core->clean_me_up.mode_lib.ip, &core_dcn4_ip_caps_base, sizeof(struct dml2_core_ip_params)); + patch_ip_params_with_ip_caps(&core->clean_me_up.mode_lib.ip, in_out->ip_caps); +- + core->clean_me_up.mode_lib.ip.imall_supported = false; + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-display-fix-type-mismatch-in-calculatedynami.patch b/queue-6.12/drm-amd-display-fix-type-mismatch-in-calculatedynami.patch new file mode 100644 index 0000000000..7c1e6f6d4e --- /dev/null +++ b/queue-6.12/drm-amd-display-fix-type-mismatch-in-calculatedynami.patch @@ -0,0 +1,64 @@ +From 79f7eca06d2fb04d465d035617cc2171f246b4b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 01:28:51 +0500 +Subject: drm/amd/display: fix type mismatch in + CalculateDynamicMetadataParameters() + +From: Vitaliy Shevtsov + +[ Upstream commit c3c584c18c90a024a54716229809ba36424f9660 ] + +There is a type mismatch between what CalculateDynamicMetadataParameters() +takes and what is passed to it. Currently this function accepts several +args as signed long but it's called with unsigned integers and integer. On +some systems where long is 32 bits and one of these unsigned int params is +greater than INT_MAX it may cause passing input params as negative values. + +Fix this by changing these argument types from long to unsigned int and to +int respectively. Also this will align the function's definition with +similar functions in other dcn* drivers. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: 6725a88f88a7 ("drm/amd/display: Add DCN3 DML") +Signed-off-by: Vitaliy Shevtsov +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../amd/display/dc/dml/dcn30/display_mode_vba_30.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +index 1c10ba4dcddea..abe51cf3aab29 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c +@@ -281,10 +281,10 @@ static void CalculateDynamicMetadataParameters( + double DISPCLK, + double DCFClkDeepSleep, + double PixelClock, +- long HTotal, +- long VBlank, +- long DynamicMetadataTransmittedBytes, +- long DynamicMetadataLinesBeforeActiveRequired, ++ unsigned int HTotal, ++ unsigned int VBlank, ++ unsigned int DynamicMetadataTransmittedBytes, ++ int DynamicMetadataLinesBeforeActiveRequired, + int InterlaceEnable, + bool ProgressiveToInterlaceUnitInOPP, + double *Tsetup, +@@ -3277,8 +3277,8 @@ static double CalculateWriteBackDelay( + + + static void CalculateDynamicMetadataParameters(int MaxInterDCNTileRepeaters, double DPPCLK, double DISPCLK, +- double DCFClkDeepSleep, double PixelClock, long HTotal, long VBlank, long DynamicMetadataTransmittedBytes, +- long DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP, ++ double DCFClkDeepSleep, double PixelClock, unsigned int HTotal, unsigned int VBlank, unsigned int DynamicMetadataTransmittedBytes, ++ int DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP, + double *Tsetup, double *Tdmbf, double *Tdmec, double *Tdmsks) + { + double TotalRepeaterDelayTime = 0; +-- +2.39.5 + diff --git a/queue-6.12/drm-amd-keep-display-off-while-going-into-s4.patch b/queue-6.12/drm-amd-keep-display-off-while-going-into-s4.patch new file mode 100644 index 0000000000..086fc2f240 --- /dev/null +++ b/queue-6.12/drm-amd-keep-display-off-while-going-into-s4.patch @@ -0,0 +1,102 @@ +From c8ef6639ced3ad25f12b9f5839869b510da0e070 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 12:51:24 -0600 +Subject: drm/amd: Keep display off while going into S4 + +From: Mario Limonciello + +[ Upstream commit 4afacc9948e1f8fdbca401d259ae65ad93d298c0 ] + +When userspace invokes S4 the flow is: + +1) amdgpu_pmops_prepare() +2) amdgpu_pmops_freeze() +3) Create hibernation image +4) amdgpu_pmops_thaw() +5) Write out image to disk +6) Turn off system + +Then on resume amdgpu_pmops_restore() is called. + +This flow has a problem that because amdgpu_pmops_thaw() is called +it will call amdgpu_device_resume() which will resume all of the GPU. + +This includes turning the display hardware back on and discovering +connectors again. + +This is an unexpected experience for the display to turn back on. +Adjust the flow so that during the S4 sequence display hardware is +not turned back on. + +Reported-by: Xaver Hugl +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2038 +Cc: Muhammad Usama Anjum +Tested-by: Muhammad Usama Anjum +Acked-by: Alex Deucher +Acked-by: Harry Wentland +Link: https://lore.kernel.org/r/20250306185124.44780-1-mario.limonciello@amd.com +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit 68bfdc8dc0a1a7fdd9ab61e69907ae71a6fd3d91) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 11 +++++++++-- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +index 32afcf9485245..7978d5189c37d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -2633,7 +2633,6 @@ static int amdgpu_pmops_freeze(struct device *dev) + + adev->in_s4 = true; + r = amdgpu_device_suspend(drm_dev, true); +- adev->in_s4 = false; + if (r) + return r; + +@@ -2645,8 +2644,13 @@ static int amdgpu_pmops_freeze(struct device *dev) + static int amdgpu_pmops_thaw(struct device *dev) + { + struct drm_device *drm_dev = dev_get_drvdata(dev); ++ struct amdgpu_device *adev = drm_to_adev(drm_dev); ++ int r; + +- return amdgpu_device_resume(drm_dev, true); ++ r = amdgpu_device_resume(drm_dev, true); ++ adev->in_s4 = false; ++ ++ return r; + } + + static int amdgpu_pmops_poweroff(struct device *dev) +@@ -2659,6 +2663,9 @@ static int amdgpu_pmops_poweroff(struct device *dev) + static int amdgpu_pmops_restore(struct device *dev) + { + struct drm_device *drm_dev = dev_get_drvdata(dev); ++ struct amdgpu_device *adev = drm_to_adev(drm_dev); ++ ++ adev->in_s4 = false; + + return amdgpu_device_resume(drm_dev, true); + } +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index c4c6538eabae6..260b6b8d29fd6 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -3306,6 +3306,11 @@ static int dm_resume(void *handle) + + return 0; + } ++ ++ /* leave display off for S4 sequence */ ++ if (adev->in_s4) ++ return 0; ++ + /* Recreate dc_state - DC invalidates it when setting power state to S3. */ + dc_state_release(dm_state->context); + dm_state->context = dc_state_create(dm->dc, NULL); +-- +2.39.5 + diff --git a/queue-6.12/drm-amdgpu-refine-smu-send-msg-debug-log-format.patch b/queue-6.12/drm-amdgpu-refine-smu-send-msg-debug-log-format.patch new file mode 100644 index 0000000000..65da6a126a --- /dev/null +++ b/queue-6.12/drm-amdgpu-refine-smu-send-msg-debug-log-format.patch @@ -0,0 +1,39 @@ +From dc61abe33b9811c736ae1b19f67db1de337a7f5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 15:46:42 +0800 +Subject: drm/amdgpu: refine smu send msg debug log format + +From: Yang Wang + +[ Upstream commit 8c6631234557515a7567c6251505a98e9793c8a6 ] + +remove unnecessary line breaks. + +[ 51.280860] amdgpu 0000:24:00.0: amdgpu: smu send message: GetEnabledSmuFeaturesHigh(13) param: 0x00000000, resp: 0x00000001, readval: 0x00003763 + +Fixes: 0cd2bc06de72 ("drm/amd/pm: enable amdgpu smu send message log") +Signed-off-by: Yang Wang +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c +index 0d71db7be325d..0ce1766c859f5 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c +@@ -459,8 +459,7 @@ int smu_cmn_send_smc_msg_with_param(struct smu_context *smu, + } + if (read_arg) { + smu_cmn_read_arg(smu, read_arg); +- dev_dbg(adev->dev, "smu send message: %s(%d) param: 0x%08x, resp: 0x%08x,\ +- readval: 0x%08x\n", ++ dev_dbg(adev->dev, "smu send message: %s(%d) param: 0x%08x, resp: 0x%08x, readval: 0x%08x\n", + smu_get_message_name(smu, msg), index, param, reg, *read_arg); + } else { + dev_dbg(adev->dev, "smu send message: %s(%d) param: 0x%08x, resp: 0x%08x\n", +-- +2.39.5 + diff --git a/queue-6.12/drm-amdgpu-umsch-fix-ucode-check.patch b/queue-6.12/drm-amdgpu-umsch-fix-ucode-check.patch new file mode 100644 index 0000000000..19c0c4e024 --- /dev/null +++ b/queue-6.12/drm-amdgpu-umsch-fix-ucode-check.patch @@ -0,0 +1,43 @@ +From 723a91a4450f3779aacfe6282125e6d43b0e104e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 16:31:43 -0500 +Subject: drm/amdgpu/umsch: fix ucode check + +From: Alex Deucher + +[ Upstream commit c917e39cbdcd9fff421184db6cc461cc58d52c17 ] + +Return an error if the IP version doesn't match otherwise +we end up passing a NULL string to amdgpu_ucode_request. +We should never hit this in practice today since we only +enable the umsch code on the supported IP versions, but +add a check to be safe. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202502130406.iWQ0eBug-lkp@intel.com/ +Fixes: 020620424b27 ("drm/amd: Use a constant format string for amdgpu_ucode_request") +Reviewed-by: Saleemkhan Jamadar +Signed-off-by: Alex Deucher +Cc: Arnd Bergmann +Cc: Lang Yu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c +index 6162582d0aa27..d5125523bfa7b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c +@@ -584,7 +584,7 @@ int amdgpu_umsch_mm_init_microcode(struct amdgpu_umsch_mm *umsch) + fw_name = "amdgpu/umsch_mm_4_0_0.bin"; + break; + default: +- break; ++ return -EINVAL; + } + + r = amdgpu_ucode_request(adev, &adev->umsch_mm.fw, "%s", fw_name); +-- +2.39.5 + diff --git a/queue-6.12/drm-amdkfd-fix-circular-locking-dependency-in-svm_ra.patch b/queue-6.12/drm-amdkfd-fix-circular-locking-dependency-in-svm_ra.patch new file mode 100644 index 0000000000..b0990c221b --- /dev/null +++ b/queue-6.12/drm-amdkfd-fix-circular-locking-dependency-in-svm_ra.patch @@ -0,0 +1,279 @@ +From 43980847daa98b7ca22d6f587560b246f7540767 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 13:46:32 +0530 +Subject: drm/amdkfd: Fix Circular Locking Dependency in + 'svm_range_cpu_invalidate_pagetables' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivasan Shanmugam + +[ Upstream commit fddc45026311c05a5355fd34b9dc0a1d7eaef4a2 ] + +This commit addresses a circular locking dependency in the +svm_range_cpu_invalidate_pagetables function. The function previously +held a lock while determining whether to perform an unmap or eviction +operation, which could lead to deadlocks. + +Fixes the below: + +[ 223.418794] ====================================================== +[ 223.418820] WARNING: possible circular locking dependency detected +[ 223.418845] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G U OE +[ 223.418869] ------------------------------------------------------ +[ 223.418889] kfdtest/3939 is trying to acquire lock: +[ 223.418906] ffff8957552eae38 (&dqm->lock_hidden){+.+.}-{3:3}, at: evict_process_queues_cpsch+0x43/0x210 [amdgpu] +[ 223.419302] + but task is already holding lock: +[ 223.419303] ffff8957556b83b0 (&prange->lock){+.+.}-{3:3}, at: svm_range_cpu_invalidate_pagetables+0x9d/0x850 [amdgpu] +[ 223.419447] Console: switching to colour dummy device 80x25 +[ 223.419477] [IGT] amd_basic: executing +[ 223.419599] + which lock already depends on the new lock. + +[ 223.419611] + the existing dependency chain (in reverse order) is: +[ 223.419621] + -> #2 (&prange->lock){+.+.}-{3:3}: +[ 223.419636] __mutex_lock+0x85/0xe20 +[ 223.419647] mutex_lock_nested+0x1b/0x30 +[ 223.419656] svm_range_validate_and_map+0x2f1/0x15b0 [amdgpu] +[ 223.419954] svm_range_set_attr+0xe8c/0x1710 [amdgpu] +[ 223.420236] svm_ioctl+0x46/0x50 [amdgpu] +[ 223.420503] kfd_ioctl_svm+0x50/0x90 [amdgpu] +[ 223.420763] kfd_ioctl+0x409/0x6d0 [amdgpu] +[ 223.421024] __x64_sys_ioctl+0x95/0xd0 +[ 223.421036] x64_sys_call+0x1205/0x20d0 +[ 223.421047] do_syscall_64+0x87/0x140 +[ 223.421056] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 223.421068] + -> #1 (reservation_ww_class_mutex){+.+.}-{3:3}: +[ 223.421084] __ww_mutex_lock.constprop.0+0xab/0x1560 +[ 223.421095] ww_mutex_lock+0x2b/0x90 +[ 223.421103] amdgpu_amdkfd_alloc_gtt_mem+0xcc/0x2b0 [amdgpu] +[ 223.421361] add_queue_mes+0x3bc/0x440 [amdgpu] +[ 223.421623] unhalt_cpsch+0x1ae/0x240 [amdgpu] +[ 223.421888] kgd2kfd_start_sched+0x5e/0xd0 [amdgpu] +[ 223.422148] amdgpu_amdkfd_start_sched+0x3d/0x50 [amdgpu] +[ 223.422414] amdgpu_gfx_enforce_isolation_handler+0x132/0x270 [amdgpu] +[ 223.422662] process_one_work+0x21e/0x680 +[ 223.422673] worker_thread+0x190/0x330 +[ 223.422682] kthread+0xe7/0x120 +[ 223.422690] ret_from_fork+0x3c/0x60 +[ 223.422699] ret_from_fork_asm+0x1a/0x30 +[ 223.422708] + -> #0 (&dqm->lock_hidden){+.+.}-{3:3}: +[ 223.422723] __lock_acquire+0x16f4/0x2810 +[ 223.422734] lock_acquire+0xd1/0x300 +[ 223.422742] __mutex_lock+0x85/0xe20 +[ 223.422751] mutex_lock_nested+0x1b/0x30 +[ 223.422760] evict_process_queues_cpsch+0x43/0x210 [amdgpu] +[ 223.423025] kfd_process_evict_queues+0x8a/0x1d0 [amdgpu] +[ 223.423285] kgd2kfd_quiesce_mm+0x43/0x90 [amdgpu] +[ 223.423540] svm_range_cpu_invalidate_pagetables+0x4a7/0x850 [amdgpu] +[ 223.423807] __mmu_notifier_invalidate_range_start+0x1f5/0x250 +[ 223.423819] copy_page_range+0x1e94/0x1ea0 +[ 223.423829] copy_process+0x172f/0x2ad0 +[ 223.423839] kernel_clone+0x9c/0x3f0 +[ 223.423847] __do_sys_clone+0x66/0x90 +[ 223.423856] __x64_sys_clone+0x25/0x30 +[ 223.423864] x64_sys_call+0x1d7c/0x20d0 +[ 223.423872] do_syscall_64+0x87/0x140 +[ 223.423880] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 223.423891] + other info that might help us debug this: + +[ 223.423903] Chain exists of: + &dqm->lock_hidden --> reservation_ww_class_mutex --> &prange->lock + +[ 223.423926] Possible unsafe locking scenario: + +[ 223.423935] CPU0 CPU1 +[ 223.423942] ---- ---- +[ 223.423949] lock(&prange->lock); +[ 223.423958] lock(reservation_ww_class_mutex); +[ 223.423970] lock(&prange->lock); +[ 223.423981] lock(&dqm->lock_hidden); +[ 223.423990] + *** DEADLOCK *** + +[ 223.423999] 5 locks held by kfdtest/3939: +[ 223.424006] #0: ffffffffb82b4fc0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_process+0x1387/0x2ad0 +[ 223.424026] #1: ffff89575eda81b0 (&mm->mmap_lock){++++}-{3:3}, at: copy_process+0x13a8/0x2ad0 +[ 223.424046] #2: ffff89575edaf3b0 (&mm->mmap_lock/1){+.+.}-{3:3}, at: copy_process+0x13e4/0x2ad0 +[ 223.424066] #3: ffffffffb82e76e0 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}, at: copy_page_range+0x1cea/0x1ea0 +[ 223.424088] #4: ffff8957556b83b0 (&prange->lock){+.+.}-{3:3}, at: svm_range_cpu_invalidate_pagetables+0x9d/0x850 [amdgpu] +[ 223.424365] + stack backtrace: +[ 223.424374] CPU: 0 UID: 0 PID: 3939 Comm: kfdtest Tainted: G U OE 6.12.0-amdstaging-drm-next-lol-050225 #14 +[ 223.424392] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +[ 223.424401] Hardware name: Gigabyte Technology Co., Ltd. X570 AORUS PRO WIFI/X570 AORUS PRO WIFI, BIOS F36a 02/16/2022 +[ 223.424416] Call Trace: +[ 223.424423] +[ 223.424430] dump_stack_lvl+0x9b/0xf0 +[ 223.424441] dump_stack+0x10/0x20 +[ 223.424449] print_circular_bug+0x275/0x350 +[ 223.424460] check_noncircular+0x157/0x170 +[ 223.424469] ? __bfs+0xfd/0x2c0 +[ 223.424481] __lock_acquire+0x16f4/0x2810 +[ 223.424490] ? srso_return_thunk+0x5/0x5f +[ 223.424505] lock_acquire+0xd1/0x300 +[ 223.424514] ? evict_process_queues_cpsch+0x43/0x210 [amdgpu] +[ 223.424783] __mutex_lock+0x85/0xe20 +[ 223.424792] ? evict_process_queues_cpsch+0x43/0x210 [amdgpu] +[ 223.425058] ? srso_return_thunk+0x5/0x5f +[ 223.425067] ? mark_held_locks+0x54/0x90 +[ 223.425076] ? evict_process_queues_cpsch+0x43/0x210 [amdgpu] +[ 223.425339] ? srso_return_thunk+0x5/0x5f +[ 223.425350] mutex_lock_nested+0x1b/0x30 +[ 223.425358] ? mutex_lock_nested+0x1b/0x30 +[ 223.425367] evict_process_queues_cpsch+0x43/0x210 [amdgpu] +[ 223.425631] kfd_process_evict_queues+0x8a/0x1d0 [amdgpu] +[ 223.425893] kgd2kfd_quiesce_mm+0x43/0x90 [amdgpu] +[ 223.426156] svm_range_cpu_invalidate_pagetables+0x4a7/0x850 [amdgpu] +[ 223.426423] ? srso_return_thunk+0x5/0x5f +[ 223.426436] __mmu_notifier_invalidate_range_start+0x1f5/0x250 +[ 223.426450] copy_page_range+0x1e94/0x1ea0 +[ 223.426461] ? srso_return_thunk+0x5/0x5f +[ 223.426474] ? srso_return_thunk+0x5/0x5f +[ 223.426484] ? lock_acquire+0xd1/0x300 +[ 223.426494] ? copy_process+0x1718/0x2ad0 +[ 223.426502] ? srso_return_thunk+0x5/0x5f +[ 223.426510] ? sched_clock_noinstr+0x9/0x10 +[ 223.426519] ? local_clock_noinstr+0xe/0xc0 +[ 223.426528] ? copy_process+0x1718/0x2ad0 +[ 223.426537] ? srso_return_thunk+0x5/0x5f +[ 223.426550] copy_process+0x172f/0x2ad0 +[ 223.426569] kernel_clone+0x9c/0x3f0 +[ 223.426577] ? __schedule+0x4c9/0x1b00 +[ 223.426586] ? srso_return_thunk+0x5/0x5f +[ 223.426594] ? sched_clock_noinstr+0x9/0x10 +[ 223.426602] ? srso_return_thunk+0x5/0x5f +[ 223.426610] ? local_clock_noinstr+0xe/0xc0 +[ 223.426619] ? schedule+0x107/0x1a0 +[ 223.426629] __do_sys_clone+0x66/0x90 +[ 223.426643] __x64_sys_clone+0x25/0x30 +[ 223.426652] x64_sys_call+0x1d7c/0x20d0 +[ 223.426661] do_syscall_64+0x87/0x140 +[ 223.426671] ? srso_return_thunk+0x5/0x5f +[ 223.426679] ? common_nsleep+0x44/0x50 +[ 223.426690] ? srso_return_thunk+0x5/0x5f +[ 223.426698] ? trace_hardirqs_off+0x52/0xd0 +[ 223.426709] ? srso_return_thunk+0x5/0x5f +[ 223.426717] ? syscall_exit_to_user_mode+0xcc/0x200 +[ 223.426727] ? srso_return_thunk+0x5/0x5f +[ 223.426736] ? do_syscall_64+0x93/0x140 +[ 223.426748] ? srso_return_thunk+0x5/0x5f +[ 223.426756] ? up_write+0x1c/0x1e0 +[ 223.426765] ? srso_return_thunk+0x5/0x5f +[ 223.426775] ? srso_return_thunk+0x5/0x5f +[ 223.426783] ? trace_hardirqs_off+0x52/0xd0 +[ 223.426792] ? srso_return_thunk+0x5/0x5f +[ 223.426800] ? syscall_exit_to_user_mode+0xcc/0x200 +[ 223.426810] ? srso_return_thunk+0x5/0x5f +[ 223.426818] ? do_syscall_64+0x93/0x140 +[ 223.426826] ? syscall_exit_to_user_mode+0xcc/0x200 +[ 223.426836] ? srso_return_thunk+0x5/0x5f +[ 223.426844] ? do_syscall_64+0x93/0x140 +[ 223.426853] ? srso_return_thunk+0x5/0x5f +[ 223.426861] ? irqentry_exit+0x6b/0x90 +[ 223.426869] ? srso_return_thunk+0x5/0x5f +[ 223.426877] ? exc_page_fault+0xa7/0x2c0 +[ 223.426888] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 223.426898] RIP: 0033:0x7f46758eab57 +[ 223.426906] Code: ba 04 00 f3 0f 1e fa 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 41 89 c0 85 c0 75 2c 64 48 8b 04 25 10 00 +[ 223.426930] RSP: 002b:00007fff5c3e5188 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 +[ 223.426943] RAX: ffffffffffffffda RBX: 00007f4675f8c040 RCX: 00007f46758eab57 +[ 223.426954] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 +[ 223.426965] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +[ 223.426975] R10: 00007f4675e81a50 R11: 0000000000000246 R12: 0000000000000001 +[ 223.426986] R13: 00007fff5c3e5470 R14: 00007fff5c3e53e0 R15: 00007fff5c3e5410 +[ 223.427004] + +v2: To resolve this issue, the allocation of the process context buffer +(`proc_ctx_bo`) has been moved from the `add_queue_mes` function to the +`pqm_create_queue` function. This change ensures that the buffer is +allocated only when the first queue for a process is created and only if +the Micro Engine Scheduler (MES) is enabled. (Felix) + +v3: Fix typo s/Memory Execution Scheduler (MES)/Micro Engine Scheduler +in commit message. (Lijo) + +Fixes: 438b39ac74e2 ("drm/amdkfd: pause autosuspend when creating pdd") +Cc: Jesse Zhang +Cc: Yunxiang Li +Cc: Philip Yang +Cc: Alex Sierra +Cc: Felix Kuehling +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/amdkfd/kfd_device_queue_manager.c | 15 --------------- + .../drm/amd/amdkfd/kfd_process_queue_manager.c | 16 ++++++++++++++++ + 2 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +index dffe2a86f383e..951b87e7e3f68 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -205,21 +205,6 @@ static int add_queue_mes(struct device_queue_manager *dqm, struct queue *q, + if (!down_read_trylock(&adev->reset_domain->sem)) + return -EIO; + +- if (!pdd->proc_ctx_cpu_ptr) { +- r = amdgpu_amdkfd_alloc_gtt_mem(adev, +- AMDGPU_MES_PROC_CTX_SIZE, +- &pdd->proc_ctx_bo, +- &pdd->proc_ctx_gpu_addr, +- &pdd->proc_ctx_cpu_ptr, +- false); +- if (r) { +- dev_err(adev->dev, +- "failed to allocate process context bo\n"); +- return r; +- } +- memset(pdd->proc_ctx_cpu_ptr, 0, AMDGPU_MES_PROC_CTX_SIZE); +- } +- + memset(&queue_input, 0x0, sizeof(struct mes_add_queue_input)); + queue_input.process_id = qpd->pqm->process->pasid; + queue_input.page_table_base_addr = qpd->page_table_base; +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +index 42fd7669ac7d3..ac777244ee0a1 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -361,10 +361,26 @@ int pqm_create_queue(struct process_queue_manager *pqm, + if (retval != 0) + return retval; + ++ /* Register process if this is the first queue */ + if (list_empty(&pdd->qpd.queues_list) && + list_empty(&pdd->qpd.priv_queue_list)) + dev->dqm->ops.register_process(dev->dqm, &pdd->qpd); + ++ /* Allocate proc_ctx_bo only if MES is enabled and this is the first queue */ ++ if (!pdd->proc_ctx_cpu_ptr && dev->kfd->shared_resources.enable_mes) { ++ retval = amdgpu_amdkfd_alloc_gtt_mem(dev->adev, ++ AMDGPU_MES_PROC_CTX_SIZE, ++ &pdd->proc_ctx_bo, ++ &pdd->proc_ctx_gpu_addr, ++ &pdd->proc_ctx_cpu_ptr, ++ false); ++ if (retval) { ++ dev_err(dev->adev->dev, "failed to allocate process context bo\n"); ++ return retval; ++ } ++ memset(pdd->proc_ctx_cpu_ptr, 0, AMDGPU_MES_PROC_CTX_SIZE); ++ } ++ + pqn = kzalloc(sizeof(*pqn), GFP_KERNEL); + if (!pqn) { + retval = -ENOMEM; +-- +2.39.5 + diff --git a/queue-6.12/drm-bridge-it6505-fix-hdcp-v-match-check-is-not-perf.patch b/queue-6.12/drm-bridge-it6505-fix-hdcp-v-match-check-is-not-perf.patch new file mode 100644 index 0000000000..cf6c20bc01 --- /dev/null +++ b/queue-6.12/drm-bridge-it6505-fix-hdcp-v-match-check-is-not-perf.patch @@ -0,0 +1,51 @@ +From 6a9c8fd4d39468fd31be96a1a1ee4e5f3eb48854 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jan 2025 15:01:51 +0800 +Subject: drm/bridge: it6505: fix HDCP V match check is not performed correctly + +From: Hermes Wu + +[ Upstream commit a5072fc77fb9e38fa9fd883642c83c3720049159 ] + +Fix a typo where V compare incorrectly compares av[] with av[] itself, +which can result in HDCP failure. + +The loop of V compare is expected to iterate for 5 times +which compare V array form av[0][] to av[4][]. +It should check loop counter reach the last statement "i == 5" +before return true + +Fixes: 0989c02c7a5c ("drm/bridge: it6505: fix HDCP CTS compare V matching") +Signed-off-by: Hermes Wu +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20250121-fix-hdcp-v-comp-v4-1-185f45c728dc@ite.com.tw +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ite-it6505.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c +index faee8e2e82a05..967aa24b7c537 100644 +--- a/drivers/gpu/drm/bridge/ite-it6505.c ++++ b/drivers/gpu/drm/bridge/ite-it6505.c +@@ -2042,12 +2042,13 @@ static bool it6505_hdcp_part2_ksvlist_check(struct it6505 *it6505) + continue; + } + +- for (i = 0; i < 5; i++) { ++ for (i = 0; i < 5; i++) + if (bv[i][3] != av[i][0] || bv[i][2] != av[i][1] || +- av[i][1] != av[i][2] || bv[i][0] != av[i][3]) ++ bv[i][1] != av[i][2] || bv[i][0] != av[i][3]) + break; + +- DRM_DEV_DEBUG_DRIVER(dev, "V' all match!! %d, %d", retry, i); ++ if (i == 5) { ++ DRM_DEV_DEBUG_DRIVER(dev, "V' all match!! %d", retry); + return true; + } + } +-- +2.39.5 + diff --git a/queue-6.12/drm-bridge-ti-sn65dsi86-fix-multiple-instances.patch b/queue-6.12/drm-bridge-ti-sn65dsi86-fix-multiple-instances.patch new file mode 100644 index 0000000000..f4054874d7 --- /dev/null +++ b/queue-6.12/drm-bridge-ti-sn65dsi86-fix-multiple-instances.patch @@ -0,0 +1,52 @@ +From a561b72d0f288375b57e4bddfe36dd24f75f9ebe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 15:18:46 +0100 +Subject: drm/bridge: ti-sn65dsi86: Fix multiple instances + +From: Geert Uytterhoeven + +[ Upstream commit 574f5ee2c85a00a579549d50e9fc9c6c072ee4c4 ] + +Each bridge instance creates up to four auxiliary devices with different +names. However, their IDs are always zero, causing duplicate filename +errors when a system has multiple bridges: + + sysfs: cannot create duplicate filename '/bus/auxiliary/devices/ti_sn65dsi86.gpio.0' + +Fix this by using a unique instance ID per bridge instance. The +instance ID is derived from the I2C adapter number and the bridge's I2C +address, to support multiple instances on the same bus. + +Fixes: bf73537f411b ("drm/bridge: ti-sn65dsi86: Break GPIO and MIPI-to-eDP bridge into sub-drivers") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Douglas Anderson +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/7a68a0e3f927e26edca6040067fb653eb06efb79.1733840089.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index 582cf4f73a74c..95ce50ed53acf 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -480,6 +480,7 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata, + const char *name) + { + struct device *dev = pdata->dev; ++ const struct i2c_client *client = to_i2c_client(dev); + struct auxiliary_device *aux; + int ret; + +@@ -488,6 +489,7 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata, + return -ENOMEM; + + aux->name = name; ++ aux->id = (client->adapter->nr << 10) | client->addr; + aux->dev.parent = dev; + aux->dev.release = ti_sn65dsi86_aux_device_release; + device_set_of_node_from_dev(&aux->dev, dev); +-- +2.39.5 + diff --git a/queue-6.12/drm-dp_mst-fix-drm-rad-print.patch b/queue-6.12/drm-dp_mst-fix-drm-rad-print.patch new file mode 100644 index 0000000000..c0f4661e2e --- /dev/null +++ b/queue-6.12/drm-dp_mst-fix-drm-rad-print.patch @@ -0,0 +1,95 @@ +From d1c80ee13ddd48e1b1758fa26b4d5f62d1022dcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 17:10:59 +0800 +Subject: drm/dp_mst: Fix drm RAD print +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wayne Lin + +[ Upstream commit 6bbce873a9c97cb12f5455c497be279ac58e707f ] + +[Why] +The RAD of sideband message printed today is incorrect. +For RAD stored within MST branch +- If MST branch LCT is 1, it's RAD array is untouched and remained as 0. +- If MST branch LCT is larger than 1, use nibble to store the up facing + port number in cascaded sequence as illustrated below: + + u8 RAD[0] = (LCT_2_UFP << 4) | LCT_3_UFP + RAD[1] = (LCT_4_UFP << 4) | LCT_5_UFP + ... + +In drm_dp_mst_rad_to_str(), it wrongly to use BIT_MASK(4) to fetch the port +number of one nibble. + +[How] +Adjust the code by: +- RAD array items are valuable only for LCT >= 1. +- Use 0xF as the mask to replace BIT_MASK(4) + +V2: +- Document how RAD is constructed (Imre) + +V3: +- Adjust the comment for rad[] so kdoc formats it properly (Lyude) + +Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing + selftests") +Cc: Imre Deak +Cc: Ville Syrjälä +Cc: Harry Wentland +Cc: Lyude Paul +Reviewed-by: Lyude Paul +Signed-off-by: Wayne Lin +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20250113091100.3314533-2-Wayne.Lin@amd.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/display/drm_dp_mst_topology.c | 8 ++++---- + include/drm/display/drm_dp_mst_helper.h | 7 +++++++ + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c +index da6ff36623d30..3e5f721d75400 100644 +--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c +@@ -179,13 +179,13 @@ static int + drm_dp_mst_rad_to_str(const u8 rad[8], u8 lct, char *out, size_t len) + { + int i; +- u8 unpacked_rad[16]; ++ u8 unpacked_rad[16] = {}; + +- for (i = 0; i < lct; i++) { ++ for (i = 1; i < lct; i++) { + if (i % 2) +- unpacked_rad[i] = rad[i / 2] >> 4; ++ unpacked_rad[i] = rad[(i - 1) / 2] >> 4; + else +- unpacked_rad[i] = rad[i / 2] & BIT_MASK(4); ++ unpacked_rad[i] = rad[(i - 1) / 2] & 0xF; + } + + /* TODO: Eventually add something to printk so we can format the rad +diff --git a/include/drm/display/drm_dp_mst_helper.h b/include/drm/display/drm_dp_mst_helper.h +index a80ba457a858f..6398a6b50bd1b 100644 +--- a/include/drm/display/drm_dp_mst_helper.h ++++ b/include/drm/display/drm_dp_mst_helper.h +@@ -222,6 +222,13 @@ struct drm_dp_mst_branch { + */ + struct list_head destroy_next; + ++ /** ++ * @rad: Relative Address of the MST branch. ++ * For &drm_dp_mst_topology_mgr.mst_primary, it's rad[8] are all 0, ++ * unset and unused. For MST branches connected after mst_primary, ++ * in each element of rad[] the nibbles are ordered by the most ++ * signifcant 4 bits first and the least significant 4 bits second. ++ */ + u8 rad[8]; + u8 lct; + int num_ports; +-- +2.39.5 + diff --git a/queue-6.12/drm-mediatek-dp-drm_err-dev_err-in-hpd-path-to-avoid.patch b/queue-6.12/drm-mediatek-dp-drm_err-dev_err-in-hpd-path-to-avoid.patch new file mode 100644 index 0000000000..8438f7a4ae --- /dev/null +++ b/queue-6.12/drm-mediatek-dp-drm_err-dev_err-in-hpd-path-to-avoid.patch @@ -0,0 +1,69 @@ +From 0db06486448332fa1379cd30eefe8e7d43f08790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 09:42:50 -0800 +Subject: drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr + +From: Douglas Anderson + +[ Upstream commit 106a6de46cf4887d535018185ec528ce822d6d84 ] + +The function mtk_dp_wait_hpd_asserted() may be called before the +`mtk_dp->drm_dev` pointer is assigned in mtk_dp_bridge_attach(). +Specifically it can be called via this callpath: + - mtk_edp_wait_hpd_asserted + - [panel probe] + - dp_aux_ep_probe + +Using "drm" level prints anywhere in this callpath causes a NULL +pointer dereference. Change the error message directly in +mtk_dp_wait_hpd_asserted() to dev_err() to avoid this. Also change the +error messages in mtk_dp_parse_capabilities(), which is called by +mtk_dp_wait_hpd_asserted(). + +While touching these prints, also add the error code to them to make +future debugging easier. + +Fixes: 7eacba9a083b ("drm/mediatek: dp: Add .wait_hpd_asserted() for AUX bus") +Signed-off-by: Douglas Anderson +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20250116094249.1.I29b0b621abb613ddc70ab4996426a3909e1aa75f@changeid/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_dp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_dp.c b/drivers/gpu/drm/mediatek/mtk_dp.c +index cad65ea851edc..4979d49ae25a6 100644 +--- a/drivers/gpu/drm/mediatek/mtk_dp.c ++++ b/drivers/gpu/drm/mediatek/mtk_dp.c +@@ -1746,7 +1746,7 @@ static int mtk_dp_parse_capabilities(struct mtk_dp *mtk_dp) + + ret = drm_dp_dpcd_readb(&mtk_dp->aux, DP_MSTM_CAP, &val); + if (ret < 1) { +- drm_err(mtk_dp->drm_dev, "Read mstm cap failed\n"); ++ dev_err(mtk_dp->dev, "Read mstm cap failed: %zd\n", ret); + return ret == 0 ? -EIO : ret; + } + +@@ -1756,7 +1756,7 @@ static int mtk_dp_parse_capabilities(struct mtk_dp *mtk_dp) + DP_DEVICE_SERVICE_IRQ_VECTOR_ESI0, + &val); + if (ret < 1) { +- drm_err(mtk_dp->drm_dev, "Read irq vector failed\n"); ++ dev_err(mtk_dp->dev, "Read irq vector failed: %zd\n", ret); + return ret == 0 ? -EIO : ret; + } + +@@ -2039,7 +2039,7 @@ static int mtk_dp_wait_hpd_asserted(struct drm_dp_aux *mtk_aux, unsigned long wa + + ret = mtk_dp_parse_capabilities(mtk_dp); + if (ret) { +- drm_err(mtk_dp->drm_dev, "Can't parse capabilities\n"); ++ dev_err(mtk_dp->dev, "Can't parse capabilities: %d\n", ret); + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch b/queue-6.12/drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch new file mode 100644 index 0000000000..836b49592c --- /dev/null +++ b/queue-6.12/drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch @@ -0,0 +1,64 @@ +From 5c299f764b442e8bd16fc495a0752bdf48fa1c8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 12:35:57 +0300 +Subject: drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer() + +From: Dan Carpenter + +[ Upstream commit dcb166ee43c3d594e7b73a24f6e8cf5663eeff2c ] + +There is a type bug because the return statement: + + return ret < 0 ? ret : recv_cnt; + +The issue is that ret is an int, recv_cnt is a u32 and the function +returns ssize_t, which is a signed long. The way that the type promotion +works is that the negative error codes are first cast to u32 and then +to signed long. The error codes end up being positive instead of +negative and the callers treat them as success. + +Fixes: 81cc7e51c4f1 ("drm/mediatek: Allow commands to be sent during video mode") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/r/202412210801.iADw0oIH-lkp@intel.com/ +Signed-off-by: Dan Carpenter +Reviewed-by: Mattijs Korpershoek +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/b754a408-4f39-4e37-b52d-7706c132e27f@stanley.mountain/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_dsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c +index b9b7fd08b7d7e..88f3dfeb4731d 100644 +--- a/drivers/gpu/drm/mediatek/mtk_dsi.c ++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c +@@ -1108,12 +1108,12 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host, + const struct mipi_dsi_msg *msg) + { + struct mtk_dsi *dsi = host_to_dsi(host); +- u32 recv_cnt, i; ++ ssize_t recv_cnt; + u8 read_data[16]; + void *src_addr; + u8 irq_flag = CMD_DONE_INT_FLAG; + u32 dsi_mode; +- int ret; ++ int ret, i; + + dsi_mode = readl(dsi->regs + DSI_MODE_CTRL); + if (dsi_mode & MODE) { +@@ -1162,7 +1162,7 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host, + if (recv_cnt) + memcpy(msg->rx_buf, src_addr, recv_cnt); + +- DRM_INFO("dsi get %d byte data from the panel address(0x%x)\n", ++ DRM_INFO("dsi get %zd byte data from the panel address(0x%x)\n", + recv_cnt, *((u8 *)(msg->tx_buf))); + + restore_dsi_mode: +-- +2.39.5 + diff --git a/queue-6.12/drm-mediatek-fix-config_updating-flag-never-false-wh.patch b/queue-6.12/drm-mediatek-fix-config_updating-flag-never-false-wh.patch new file mode 100644 index 0000000000..fc6965459a --- /dev/null +++ b/queue-6.12/drm-mediatek-fix-config_updating-flag-never-false-wh.patch @@ -0,0 +1,53 @@ +From 7d539400aec41910b986752b5fd93739a746ff38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 13:12:21 +0800 +Subject: drm/mediatek: Fix config_updating flag never false when no mbox + channel + +From: Jason-JH Lin + +[ Upstream commit 4ba973c8bad04d59fd4efa62512f4d9cee131714 ] + +When CONFIG_MTK_CMDQ is enabled, if the display is controlled by the CPU +while other hardware is controlled by the GCE, the display will encounter +a mbox request channel failure. +However, it will still enter the CONFIG_MTK_CMDQ statement, causing the +config_updating flag to never be set to false. As a result, no page flip +event is sent back to user space, and the screen does not update. + +Fixes: da03801ad08f ("drm/mediatek: Move mtk_crtc_finish_page_flip() to ddp_cmdq_cb()") +Signed-off-by: Jason-JH Lin +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20250224051301.3538484-1-jason-jh.lin@mediatek.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_crtc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_crtc.c b/drivers/gpu/drm/mediatek/mtk_crtc.c +index 5674f5707cca8..8f6fba4217ece 100644 +--- a/drivers/gpu/drm/mediatek/mtk_crtc.c ++++ b/drivers/gpu/drm/mediatek/mtk_crtc.c +@@ -620,13 +620,16 @@ static void mtk_crtc_update_config(struct mtk_crtc *mtk_crtc, bool needs_vblank) + + mbox_send_message(mtk_crtc->cmdq_client.chan, cmdq_handle); + mbox_client_txdone(mtk_crtc->cmdq_client.chan, 0); ++ goto update_config_out; + } +-#else ++#endif + spin_lock_irqsave(&mtk_crtc->config_lock, flags); + mtk_crtc->config_updating = false; + spin_unlock_irqrestore(&mtk_crtc->config_lock, flags); +-#endif + ++#if IS_REACHABLE(CONFIG_MTK_CMDQ) ++update_config_out: ++#endif + mutex_unlock(&mtk_crtc->hw_lock); + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch b/queue-6.12/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch new file mode 100644 index 0000000000..4a20944eaf --- /dev/null +++ b/queue-6.12/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch @@ -0,0 +1,66 @@ +From 9cf2edcca4247642aaf487d17add42bc861a6b12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 16:48:12 +0100 +Subject: drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member + +From: AngeloGioacchino Del Regno + +[ Upstream commit 72fcb88e7bbc053ed4fc74cebb0315b98a0f20c3 ] + +Rename member aud_sampe_size of struct hdmi_audio_param to +aud_sample_size to fix a typo and enhance readability. + +This commit brings no functional changes. + +Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support") +Reviewed-by: CK Hu +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-20-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_hdmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c +index ce808ee82bafb..1aad8e6cf52e7 100644 +--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c ++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c +@@ -137,7 +137,7 @@ enum hdmi_aud_channel_swap_type { + + struct hdmi_audio_param { + enum hdmi_audio_coding_type aud_codec; +- enum hdmi_audio_sample_size aud_sampe_size; ++ enum hdmi_audio_sample_size aud_sample_size; + enum hdmi_aud_input_type aud_input_type; + enum hdmi_aud_i2s_fmt aud_i2s_fmt; + enum hdmi_aud_mclk aud_mclk; +@@ -1075,7 +1075,7 @@ static int mtk_hdmi_output_init(struct mtk_hdmi *hdmi) + + hdmi->csp = HDMI_COLORSPACE_RGB; + aud_param->aud_codec = HDMI_AUDIO_CODING_TYPE_PCM; +- aud_param->aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16; ++ aud_param->aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16; + aud_param->aud_input_type = HDMI_AUD_INPUT_I2S; + aud_param->aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT; + aud_param->aud_mclk = HDMI_AUD_MCLK_128FS; +@@ -1573,14 +1573,14 @@ static int mtk_hdmi_audio_hw_params(struct device *dev, void *data, + switch (daifmt->fmt) { + case HDMI_I2S: + hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM; +- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16; ++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16; + hdmi_params.aud_input_type = HDMI_AUD_INPUT_I2S; + hdmi_params.aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT; + hdmi_params.aud_mclk = HDMI_AUD_MCLK_128FS; + break; + case HDMI_SPDIF: + hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM; +- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16; ++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16; + hdmi_params.aud_input_type = HDMI_AUD_INPUT_SPDIF; + break; + default: +-- +2.39.5 + diff --git a/queue-6.12/drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch b/queue-6.12/drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch new file mode 100644 index 0000000000..301f22a0d8 --- /dev/null +++ b/queue-6.12/drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch @@ -0,0 +1,85 @@ +From de73fa1ed636a00adc0454c4ff17807218d02dc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 16:48:10 +0100 +Subject: drm/mediatek: mtk_hdmi: Unregister audio platform device on failure + +From: AngeloGioacchino Del Regno + +[ Upstream commit 0be123cafc06eed0fd1227166a66e786434b0c50 ] + +The probe function of this driver may fail after registering the +audio platform device: in that case, the state is not getting +cleaned up, leaving this device registered. + +Adding up to the mix, should the probe function of this driver +return a probe deferral for N times, we're registering up to N +audio platform devices and, again, never freeing them up. + +To fix this, add a pointer to the audio platform device in the +mtk_hdmi structure, and add a devm action to unregister it upon +driver removal or probe failure. + +Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support") +Reviewed-by: CK Hu +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-18-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_hdmi.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c +index 7687f673964ec..ce808ee82bafb 100644 +--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c ++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c +@@ -173,6 +173,7 @@ struct mtk_hdmi { + unsigned int sys_offset; + void __iomem *regs; + enum hdmi_colorspace csp; ++ struct platform_device *audio_pdev; + struct hdmi_audio_param aud_param; + bool audio_enable; + bool powered; +@@ -1663,6 +1664,11 @@ static const struct hdmi_codec_ops mtk_hdmi_audio_codec_ops = { + .no_capture_mute = 1, + }; + ++static void mtk_hdmi_unregister_audio_driver(void *data) ++{ ++ platform_device_unregister(data); ++} ++ + static int mtk_hdmi_register_audio_driver(struct device *dev) + { + struct mtk_hdmi *hdmi = dev_get_drvdata(dev); +@@ -1672,13 +1678,20 @@ static int mtk_hdmi_register_audio_driver(struct device *dev) + .i2s = 1, + .data = hdmi, + }; +- struct platform_device *pdev; ++ int ret; + +- pdev = platform_device_register_data(dev, HDMI_CODEC_DRV_NAME, +- PLATFORM_DEVID_AUTO, &codec_data, +- sizeof(codec_data)); +- if (IS_ERR(pdev)) +- return PTR_ERR(pdev); ++ hdmi->audio_pdev = platform_device_register_data(dev, ++ HDMI_CODEC_DRV_NAME, ++ PLATFORM_DEVID_AUTO, ++ &codec_data, ++ sizeof(codec_data)); ++ if (IS_ERR(hdmi->audio_pdev)) ++ return PTR_ERR(hdmi->audio_pdev); ++ ++ ret = devm_add_action_or_reset(dev, mtk_hdmi_unregister_audio_driver, ++ hdmi->audio_pdev); ++ if (ret) ++ return ret; + + DRM_INFO("%s driver bound to HDMI\n", HDMI_CODEC_DRV_NAME); + return 0; +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-a6xx-fix-a6xx-indexed-regs-in-devcoreduump.patch b/queue-6.12/drm-msm-a6xx-fix-a6xx-indexed-regs-in-devcoreduump.patch new file mode 100644 index 0000000000..032813a6d4 --- /dev/null +++ b/queue-6.12/drm-msm-a6xx-fix-a6xx-indexed-regs-in-devcoreduump.patch @@ -0,0 +1,38 @@ +From 194676bd2a06a4f3691182ab873db0eadce8f76a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 13:31:24 -0800 +Subject: drm/msm/a6xx: Fix a6xx indexed-regs in devcoreduump + +From: Rob Clark + +[ Upstream commit 06dd5d86c6aef1c7609ca3a5ffa4097e475e2213 ] + +Somehow, possibly as a result of rebase gone badly, setting +nr_indexed_regs for pre-a650 a6xx devices lost the setting of +nr_indexed_regs, resulting in values getting snapshot, but omitted +from the devcoredump. + +Fixes: e997ae5f45ca ("drm/msm/a6xx: Mostly implement A7xx gpu_state") +Signed-off-by: Rob Clark +Patchwork: https://patchwork.freedesktop.org/patch/640289/ +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c +index 0fcae53c0b140..159665cb6b14f 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c +@@ -1507,6 +1507,8 @@ static void a6xx_get_indexed_registers(struct msm_gpu *gpu, + + /* Restore the size in the hardware */ + gpu_write(gpu, REG_A6XX_CP_MEM_POOL_SIZE, mempool_size); ++ ++ a6xx_state->nr_indexed_regs = count; + } + + static void a7xx_get_indexed_registers(struct msm_gpu *gpu, +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-dpu-don-t-use-active-in-atomic_check.patch b/queue-6.12/drm-msm-dpu-don-t-use-active-in-atomic_check.patch new file mode 100644 index 0000000000..d8025cd220 --- /dev/null +++ b/queue-6.12/drm-msm-dpu-don-t-use-active-in-atomic_check.patch @@ -0,0 +1,65 @@ +From 1ad3a5b70fd4a6e6eb8a185b5c89d443bbf716c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 14:43:33 +0200 +Subject: drm/msm/dpu: don't use active in atomic_check() + +From: Dmitry Baryshkov + +[ Upstream commit 25b4614843bcc56ba150f7c99905125a019e656c ] + +The driver isn't supposed to consult crtc_state->active/active_check for +resource allocation. Instead all resources should be allocated if +crtc_state->enabled is set. Stop consulting active / active_changed in +order to determine whether the hardware resources should be +(re)allocated. + +Fixes: ccc862b957c6 ("drm/msm/dpu: Fix reservation failures in modeset") +Reported-by: Simona Vetter +Closes: https://lore.kernel.org/dri-devel/ZtW_S0j5AEr4g0QW@phenom.ffwll.local/ +Reviewed-by: Simona Vetter +Reviewed-by: Abhinav Kumar +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/633393/ +Link: https://lore.kernel.org/r/20250123-drm-dirty-modeset-v2-1-bbfd3a6cd1a4@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 4 ---- + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 3 +-- + 2 files changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index db6c57900781d..ecd595215a6be 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -1191,10 +1191,6 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc, + + DRM_DEBUG_ATOMIC("%s: check\n", dpu_crtc->name); + +- /* force a full mode set if active state changed */ +- if (crtc_state->active_changed) +- crtc_state->mode_changed = true; +- + if (cstate->num_mixers) { + rc = _dpu_crtc_check_and_setup_lm_bounds(crtc, crtc_state); + if (rc) +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +index 2cf8150adf81f..47b514c89ce66 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c +@@ -718,12 +718,11 @@ static int dpu_encoder_virt_atomic_check( + crtc_state->mode_changed = true; + /* + * Release and Allocate resources on every modeset +- * Dont allocate when active is false. + */ + if (drm_atomic_crtc_needs_modeset(crtc_state)) { + dpu_rm_release(global_state, drm_enc); + +- if (!crtc_state->active_changed || crtc_state->enable) ++ if (crtc_state->enable) + ret = dpu_rm_reserve(&dpu_kms->rm, global_state, + drm_enc, crtc_state, topology); + if (!ret) +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-dsi-phy-program-clock-inverters-in-correct-r.patch b/queue-6.12/drm-msm-dsi-phy-program-clock-inverters-in-correct-r.patch new file mode 100644 index 0000000000..85276ae2aa --- /dev/null +++ b/queue-6.12/drm-msm-dsi-phy-program-clock-inverters-in-correct-r.patch @@ -0,0 +1,42 @@ +From 714aa4a2034d2f64ca7d2ad8bb964d5b8f4bec01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jan 2025 12:55:04 +0100 +Subject: drm/msm/dsi/phy: Program clock inverters in correct register + +From: Krzysztof Kozlowski + +[ Upstream commit baf49072877726616c7f5943a6b45eb86bfeca0a ] + +Since SM8250 all downstream sources program clock inverters in +PLL_CLOCK_INVERTERS_1 register and leave the PLL_CLOCK_INVERTERS as +reset value (0x0). The most recent Hardware Programming Guide for 3 nm, +4 nm, 5 nm and 7 nm PHYs also mention PLL_CLOCK_INVERTERS_1. + +Signed-off-by: Krzysztof Kozlowski +Fixes: 1ef7c99d145c ("drm/msm/dsi: add support for 7nm DSI PHY/PLL") +Reviewed-by: Dmitry Baryshkov +Reported-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/634489/ +Link: https://lore.kernel.org/r/20250129115504.40080-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c +index 798168180c1ab..a2c87c84aa05b 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_7nm.c +@@ -305,7 +305,7 @@ static void dsi_pll_commit(struct dsi_pll_7nm *pll, struct dsi_pll_config *confi + writel(pll->phy->cphy_mode ? 0x00 : 0x10, + base + REG_DSI_7nm_PHY_PLL_CMODE_1); + writel(config->pll_clock_inverters, +- base + REG_DSI_7nm_PHY_PLL_CLOCK_INVERTERS); ++ base + REG_DSI_7nm_PHY_PLL_CLOCK_INVERTERS_1); + } + + static int dsi_pll_7nm_vco_set_rate(struct clk_hw *hw, unsigned long rate, +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-dsi-set-phy-usescase-and-mode-before-registe.patch b/queue-6.12/drm-msm-dsi-set-phy-usescase-and-mode-before-registe.patch new file mode 100644 index 0000000000..1f8a14f0ab --- /dev/null +++ b/queue-6.12/drm-msm-dsi-set-phy-usescase-and-mode-before-registe.patch @@ -0,0 +1,102 @@ +From 9b6004aeb5137e3cbcaf4183f0ab9436113365a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 12:17:42 +0100 +Subject: drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host + +From: Marijn Suijten + +[ Upstream commit 660c396c98c061f9696bebacc178b74072e80054 ] + +Ordering issues here cause an uninitialized (default STANDALONE) +usecase to be programmed (which appears to be a MUX) in some cases +when msm_dsi_host_register() is called, leading to the slave PLL in +bonded-DSI mode to source from a clock parent (dsi1vco) that is off. + +This should seemingly not be a problem as the actual dispcc clocks from +DSI1 that are muxed in the clock tree of DSI0 are way further down, this +bit still seems to have an effect on them somehow and causes the right +side of the panel controlled by DSI1 to not function. + +In an ideal world this code is refactored to no longer have such +error-prone calls "across subsystems", and instead model the "PLL src" +register field as a regular mux so that changing the clock parents +programmatically or in DTS via `assigned-clock-parents` has the +desired effect. +But for the avid reader, the clocks that we *are* muxing into DSI0's +tree are way further down, so if this bit turns out to be a simple mux +between dsiXvco and out_div, that shouldn't have any effect as this +whole tree is off anyway. + +Fixes: 57bf43389337 ("drm/msm/dsi: Pass down use case to PHY") +Reviewed-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Marijn Suijten +Patchwork: https://patchwork.freedesktop.org/patch/637650/ +Link: https://lore.kernel.org/r/20250217-drm-msm-initial-dualpipe-dsc-fixes-v3-2-913100d6103f@somainline.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_manager.c | 32 ++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_manager.c b/drivers/gpu/drm/msm/dsi/dsi_manager.c +index a210b7c9e5ca2..4fabb01345aa2 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_manager.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_manager.c +@@ -74,17 +74,35 @@ static int dsi_mgr_setup_components(int id) + int ret; + + if (!IS_BONDED_DSI()) { ++ /* ++ * Set the usecase before calling msm_dsi_host_register(), which would ++ * already program the PLL source mux based on a default usecase. ++ */ ++ msm_dsi_phy_set_usecase(msm_dsi->phy, MSM_DSI_PHY_STANDALONE); ++ msm_dsi_host_set_phy_mode(msm_dsi->host, msm_dsi->phy); ++ + ret = msm_dsi_host_register(msm_dsi->host); + if (ret) + return ret; +- +- msm_dsi_phy_set_usecase(msm_dsi->phy, MSM_DSI_PHY_STANDALONE); +- msm_dsi_host_set_phy_mode(msm_dsi->host, msm_dsi->phy); + } else if (other_dsi) { + struct msm_dsi *master_link_dsi = IS_MASTER_DSI_LINK(id) ? + msm_dsi : other_dsi; + struct msm_dsi *slave_link_dsi = IS_MASTER_DSI_LINK(id) ? + other_dsi : msm_dsi; ++ ++ /* ++ * PLL0 is to drive both DSI link clocks in bonded DSI mode. ++ * ++ * Set the usecase before calling msm_dsi_host_register(), which would ++ * already program the PLL source mux based on a default usecase. ++ */ ++ msm_dsi_phy_set_usecase(clk_master_dsi->phy, ++ MSM_DSI_PHY_MASTER); ++ msm_dsi_phy_set_usecase(clk_slave_dsi->phy, ++ MSM_DSI_PHY_SLAVE); ++ msm_dsi_host_set_phy_mode(msm_dsi->host, msm_dsi->phy); ++ msm_dsi_host_set_phy_mode(other_dsi->host, other_dsi->phy); ++ + /* Register slave host first, so that slave DSI device + * has a chance to probe, and do not block the master + * DSI device's probe. +@@ -98,14 +116,6 @@ static int dsi_mgr_setup_components(int id) + ret = msm_dsi_host_register(master_link_dsi->host); + if (ret) + return ret; +- +- /* PLL0 is to drive both 2 DSI link clocks in bonded DSI mode. */ +- msm_dsi_phy_set_usecase(clk_master_dsi->phy, +- MSM_DSI_PHY_MASTER); +- msm_dsi_phy_set_usecase(clk_slave_dsi->phy, +- MSM_DSI_PHY_SLAVE); +- msm_dsi_host_set_phy_mode(msm_dsi->host, msm_dsi->phy); +- msm_dsi_host_set_phy_mode(other_dsi->host, other_dsi->phy); + } + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/drm-msm-dsi-use-existing-per-interface-slice-count-i.patch b/queue-6.12/drm-msm-dsi-use-existing-per-interface-slice-count-i.patch new file mode 100644 index 0000000000..a2bcbaf561 --- /dev/null +++ b/queue-6.12/drm-msm-dsi-use-existing-per-interface-slice-count-i.patch @@ -0,0 +1,107 @@ +From 0511f237161254fa7118de565b07040a7e264e11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 12:17:41 +0100 +Subject: drm/msm/dsi: Use existing per-interface slice count in DSC timing + +From: Marijn Suijten + +[ Upstream commit 14ad809ceb66d0874cbe4bd5ca9edf0de8d9ad96 ] + +When configuring the timing of DSI hosts (interfaces) in +dsi_timing_setup() all values written to registers are taking +bonded-mode into account by dividing the original mode width by 2 +(half the data is sent over each of the two DSI hosts), but the full +width instead of the interface width is passed as hdisplay parameter to +dsi_update_dsc_timing(). + +Currently only msm_dsc_get_slices_per_intf() is called within +dsi_update_dsc_timing() with the `hdisplay` argument which clearly +documents that it wants the width of a single interface (which, again, +in bonded DSI mode is half the total width of the mode) resulting in all +subsequent values to be completely off. + +However, as soon as we start to pass the halved hdisplay +into dsi_update_dsc_timing() we might as well discard +msm_dsc_get_slices_per_intf() since the value it calculates is already +available in dsc->slice_count which is per-interface by the current +design of MSM DPU/DSI implementations and their use of the DRM DSC +helpers. + +Fixes: 08802f515c3c ("drm/msm/dsi: Add support for DSC configuration") +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Jessica Zhang +Signed-off-by: Marijn Suijten +Patchwork: https://patchwork.freedesktop.org/patch/637648/ +Link: https://lore.kernel.org/r/20250217-drm-msm-initial-dualpipe-dsc-fixes-v3-1-913100d6103f@somainline.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 8 ++++---- + drivers/gpu/drm/msm/msm_dsc_helper.h | 11 ----------- + 2 files changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index a98d24b7cb00b..7459fb8c51774 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -846,7 +846,7 @@ static void dsi_ctrl_enable(struct msm_dsi_host *msm_host, + dsi_write(msm_host, REG_DSI_CPHY_MODE_CTRL, BIT(0)); + } + +-static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mode, u32 hdisplay) ++static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mode) + { + struct drm_dsc_config *dsc = msm_host->dsc; + u32 reg, reg_ctrl, reg_ctrl2; +@@ -858,7 +858,7 @@ static void dsi_update_dsc_timing(struct msm_dsi_host *msm_host, bool is_cmd_mod + /* first calculate dsc parameters and then program + * compress mode registers + */ +- slice_per_intf = msm_dsc_get_slices_per_intf(dsc, hdisplay); ++ slice_per_intf = dsc->slice_count; + + total_bytes_per_intf = dsc->slice_chunk_size * slice_per_intf; + bytes_per_pkt = dsc->slice_chunk_size; /* * slice_per_pkt; */ +@@ -991,7 +991,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + + if (msm_host->mode_flags & MIPI_DSI_MODE_VIDEO) { + if (msm_host->dsc) +- dsi_update_dsc_timing(msm_host, false, mode->hdisplay); ++ dsi_update_dsc_timing(msm_host, false); + + dsi_write(msm_host, REG_DSI_ACTIVE_H, + DSI_ACTIVE_H_START(ha_start) | +@@ -1012,7 +1012,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + DSI_ACTIVE_VSYNC_VPOS_END(vs_end)); + } else { /* command mode */ + if (msm_host->dsc) +- dsi_update_dsc_timing(msm_host, true, mode->hdisplay); ++ dsi_update_dsc_timing(msm_host, true); + + /* image data and 1 byte write_memory_start cmd */ + if (!msm_host->dsc) +diff --git a/drivers/gpu/drm/msm/msm_dsc_helper.h b/drivers/gpu/drm/msm/msm_dsc_helper.h +index b9049fe1e2790..63f95523b2cbb 100644 +--- a/drivers/gpu/drm/msm/msm_dsc_helper.h ++++ b/drivers/gpu/drm/msm/msm_dsc_helper.h +@@ -12,17 +12,6 @@ + #include + #include + +-/** +- * msm_dsc_get_slices_per_intf() - calculate number of slices per interface +- * @dsc: Pointer to drm dsc config struct +- * @intf_width: interface width in pixels +- * Returns: Integer representing the number of slices for the given interface +- */ +-static inline u32 msm_dsc_get_slices_per_intf(const struct drm_dsc_config *dsc, u32 intf_width) +-{ +- return DIV_ROUND_UP(intf_width, dsc->slice_width); +-} +- + /** + * msm_dsc_get_bytes_per_line() - calculate bytes per line + * @dsc: Pointer to drm dsc config struct +-- +2.39.5 + diff --git a/queue-6.12/drm-panel-ilitek-ili9882t-fix-gpio-name-in-error-mes.patch b/queue-6.12/drm-panel-ilitek-ili9882t-fix-gpio-name-in-error-mes.patch new file mode 100644 index 0000000000..76c802ebc0 --- /dev/null +++ b/queue-6.12/drm-panel-ilitek-ili9882t-fix-gpio-name-in-error-mes.patch @@ -0,0 +1,38 @@ +From 78f323f366f421e13044faf803afb33298bf5f4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 12:04:28 +0000 +Subject: drm/panel: ilitek-ili9882t: fix GPIO name in error message + +From: John Keeping + +[ Upstream commit 4ce2c7e201c265df1c62a9190a98a98803208b8f ] + +This driver uses the enable-gpios property and it is confusing that the +error message refers to reset-gpios. Use the correct name when the +enable GPIO is not found. + +Fixes: e2450d32e5fb5 ("drm/panel: ili9882t: Break out as separate driver") +Signed-off-by: John Keeping +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20250217120428.3779197-1-jkeeping@inmusicbrands.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-ilitek-ili9882t.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9882t.c b/drivers/gpu/drm/panel/panel-ilitek-ili9882t.c +index 266a087fe14c1..3c24a63b6be8c 100644 +--- a/drivers/gpu/drm/panel/panel-ilitek-ili9882t.c ++++ b/drivers/gpu/drm/panel/panel-ilitek-ili9882t.c +@@ -607,7 +607,7 @@ static int ili9882t_add(struct ili9882t *ili) + + ili->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_LOW); + if (IS_ERR(ili->enable_gpio)) { +- dev_err(dev, "cannot get reset-gpios %ld\n", ++ dev_err(dev, "cannot get enable-gpios %ld\n", + PTR_ERR(ili->enable_gpio)); + return PTR_ERR(ili->enable_gpio); + } +-- +2.39.5 + diff --git a/queue-6.12/drm-panthor-update-cs_status_-defines-to-correct-val.patch b/queue-6.12/drm-panthor-update-cs_status_-defines-to-correct-val.patch new file mode 100644 index 0000000000..95342d80b3 --- /dev/null +++ b/queue-6.12/drm-panthor-update-cs_status_-defines-to-correct-val.patch @@ -0,0 +1,50 @@ +From 30cbb819db1bd3dbc83aa8a1bc8dcdb1a37df313 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 18:04:32 +0000 +Subject: drm/panthor: Update CS_STATUS_ defines to correct values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ashley Smith + +[ Upstream commit c82734fbdc50dc9e568e8686622eaa4498acb81e ] + +Values for SC_STATUS_BLOCKED_REASON_ are documented in the G610 "Odin" +GPU specification (CS_STATUS_BLOCKED_REASON register). + +This change updates the defines to the correct values. + +Fixes: 2718d91816ee ("drm/panthor: Add the FW logical block") +Signed-off-by: Ashley Smith +Reviewed-by: Liviu Dudau +Reviewed-by: Adrián Larumbe +Reviewed-by: Boris Brezillon +Reviewed-by: Steven Price +Signed-off-by: Steven Price +Link: https://patchwork.freedesktop.org/patch/msgid/20250303180444.3768993-1-ashley.smith@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panthor/panthor_fw.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/panthor/panthor_fw.h b/drivers/gpu/drm/panthor/panthor_fw.h +index 22448abde9923..6598d96c6d2aa 100644 +--- a/drivers/gpu/drm/panthor/panthor_fw.h ++++ b/drivers/gpu/drm/panthor/panthor_fw.h +@@ -102,9 +102,9 @@ struct panthor_fw_cs_output_iface { + #define CS_STATUS_BLOCKED_REASON_SB_WAIT 1 + #define CS_STATUS_BLOCKED_REASON_PROGRESS_WAIT 2 + #define CS_STATUS_BLOCKED_REASON_SYNC_WAIT 3 +-#define CS_STATUS_BLOCKED_REASON_DEFERRED 5 +-#define CS_STATUS_BLOCKED_REASON_RES 6 +-#define CS_STATUS_BLOCKED_REASON_FLUSH 7 ++#define CS_STATUS_BLOCKED_REASON_DEFERRED 4 ++#define CS_STATUS_BLOCKED_REASON_RESOURCE 5 ++#define CS_STATUS_BLOCKED_REASON_FLUSH 6 + #define CS_STATUS_BLOCKED_REASON_MASK GENMASK(3, 0) + u32 status_blocked_reason; + u32 status_wait_sync_value_hi; +-- +2.39.5 + diff --git a/queue-6.12/drm-ssd130x-ensure-ssd132x-pitch-is-correct.patch b/queue-6.12/drm-ssd130x-ensure-ssd132x-pitch-is-correct.patch new file mode 100644 index 0000000000..c801d8d567 --- /dev/null +++ b/queue-6.12/drm-ssd130x-ensure-ssd132x-pitch-is-correct.patch @@ -0,0 +1,48 @@ +From b29a13ed62ef53e80e85c2d403d130cbbe25d755 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 11:01:38 +0000 +Subject: drm/ssd130x: ensure ssd132x pitch is correct + +From: John Keeping + +[ Upstream commit 229adcffdb54b13332d2afd2dc5d203418d50908 ] + +The bounding rectangle is adjusted to ensure it aligns to +SSD132X_SEGMENT_WIDTH, which may adjust the pitch. Calculate the pitch +after aligning the left and right edge. + +Fixes: fdd591e00a9c ("drm/ssd130x: Add support for the SSD132x OLED controller family") +Signed-off-by: John Keeping +Reviewed-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20250115110139.1672488-3-jkeeping@inmusicbrands.com +Signed-off-by: Javier Martinez Canillas +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/solomon/ssd130x.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/solomon/ssd130x.c b/drivers/gpu/drm/solomon/ssd130x.c +index 7d071a2f7a460..06f5057690bd8 100644 +--- a/drivers/gpu/drm/solomon/ssd130x.c ++++ b/drivers/gpu/drm/solomon/ssd130x.c +@@ -1037,7 +1037,7 @@ static int ssd132x_fb_blit_rect(struct drm_framebuffer *fb, + struct drm_format_conv_state *fmtcnv_state) + { + struct ssd130x_device *ssd130x = drm_to_ssd130x(fb->dev); +- unsigned int dst_pitch = drm_rect_width(rect); ++ unsigned int dst_pitch; + struct iosys_map dst; + int ret = 0; + +@@ -1046,6 +1046,8 @@ static int ssd132x_fb_blit_rect(struct drm_framebuffer *fb, + rect->x2 = min_t(unsigned int, round_up(rect->x2, SSD132X_SEGMENT_WIDTH), + ssd130x->width); + ++ dst_pitch = drm_rect_width(rect); ++ + ret = drm_gem_fb_begin_cpu_access(fb, DMA_FROM_DEVICE); + if (ret) + return ret; +-- +2.39.5 + diff --git a/queue-6.12/drm-ssd130x-fix-ssd132x-encoding.patch b/queue-6.12/drm-ssd130x-fix-ssd132x-encoding.patch new file mode 100644 index 0000000000..0927fae5c8 --- /dev/null +++ b/queue-6.12/drm-ssd130x-fix-ssd132x-encoding.patch @@ -0,0 +1,40 @@ +From 152e427e0601a293aebd73590ebe08f0bc1cf623 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 11:01:37 +0000 +Subject: drm/ssd130x: fix ssd132x encoding + +From: John Keeping + +[ Upstream commit 1e14484677c8e87548f5f0d4eb8800e408004404 ] + +The ssd132x buffer is encoded one pixel per nibble, with two pixels in +each byte. When encoding an 8-bit greyscale input, take the top 4-bits +as the value and ensure the two pixels are distinct and do not overwrite +each other. + +Fixes: fdd591e00a9c ("drm/ssd130x: Add support for the SSD132x OLED controller family") +Signed-off-by: John Keeping +Reviewed-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20250115110139.1672488-2-jkeeping@inmusicbrands.com +Signed-off-by: Javier Martinez Canillas +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/solomon/ssd130x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/solomon/ssd130x.c b/drivers/gpu/drm/solomon/ssd130x.c +index 6f51bcf774e27..7d071a2f7a460 100644 +--- a/drivers/gpu/drm/solomon/ssd130x.c ++++ b/drivers/gpu/drm/solomon/ssd130x.c +@@ -880,7 +880,7 @@ static int ssd132x_update_rect(struct ssd130x_device *ssd130x, + u8 n1 = buf[i * width + j]; + u8 n2 = buf[i * width + j + 1]; + +- data_array[array_idx++] = (n2 << 4) | n1; ++ data_array[array_idx++] = (n2 & 0xf0) | (n1 >> 4); + } + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-ssd130x-set-spi-.id_table-to-prevent-an-spi-core.patch b/queue-6.12/drm-ssd130x-set-spi-.id_table-to-prevent-an-spi-core.patch new file mode 100644 index 0000000000..8aa925df29 --- /dev/null +++ b/queue-6.12/drm-ssd130x-set-spi-.id_table-to-prevent-an-spi-core.patch @@ -0,0 +1,95 @@ +From e7dcccbf012f978317bf548dd7e25c30bf844993 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Dec 2024 12:44:58 +0100 +Subject: drm/ssd130x: Set SPI .id_table to prevent an SPI core warning + +From: Javier Martinez Canillas + +[ Upstream commit 5d40d4fae6f2fb789f48207a9d4772bbee970b5c ] + +The only reason for the ssd130x-spi driver to have an spi_device_id table +is that the SPI core always reports an "spi:" MODALIAS, even when the SPI +device has been registered via a Device Tree Blob. + +Without spi_device_id table information in the module's metadata, module +autoloading would not work because there won't be an alias that matches +the MODALIAS reported by the SPI core. + +This spi_device_id table is not needed for device matching though, since +the of_device_id table is always used in this case. For this reason, the +struct spi_driver .id_table member is currently not set in the SPI driver. + +Because the spi_device_id table is always required for module autoloading, +the SPI core checks during driver registration that both an of_device_id +table and a spi_device_id table are present and that they contain the same +entries for all the SPI devices. + +Not setting the .id_table member in the driver then confuses the core and +leads to the following warning when the ssd130x-spi driver is registered: + + [ 41.091198] SPI driver ssd130x-spi has no spi_device_id for sinowealth,sh1106 + [ 41.098614] SPI driver ssd130x-spi has no spi_device_id for solomon,ssd1305 + [ 41.105862] SPI driver ssd130x-spi has no spi_device_id for solomon,ssd1306 + [ 41.113062] SPI driver ssd130x-spi has no spi_device_id for solomon,ssd1307 + [ 41.120247] SPI driver ssd130x-spi has no spi_device_id for solomon,ssd1309 + [ 41.127449] SPI driver ssd130x-spi has no spi_device_id for solomon,ssd1322 + [ 41.134627] SPI driver ssd130x-spi has no spi_device_id for solomon,ssd1325 + [ 41.141784] SPI driver ssd130x-spi has no spi_device_id for solomon,ssd1327 + [ 41.149021] SPI driver ssd130x-spi has no spi_device_id for solomon,ssd1331 + +To prevent the warning, set the .id_table even though it's not necessary. + +Since the check is done even for built-in drivers, drop the condition to +only define the ID table when the driver is built as a module. Finally, +rename the variable to use the "_spi_id" convention used for ID tables. + +Fixes: 74373977d2ca ("drm/solomon: Add SSD130x OLED displays SPI support") +Reviewed-by: Dmitry Baryshkov +Link: https://patchwork.freedesktop.org/patch/msgid/20241231114516.2063201-1-javierm@redhat.com +Signed-off-by: Javier Martinez Canillas +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/solomon/ssd130x-spi.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/solomon/ssd130x-spi.c b/drivers/gpu/drm/solomon/ssd130x-spi.c +index 84bfde31d1724..fd1b858dcb788 100644 +--- a/drivers/gpu/drm/solomon/ssd130x-spi.c ++++ b/drivers/gpu/drm/solomon/ssd130x-spi.c +@@ -151,7 +151,6 @@ static const struct of_device_id ssd130x_of_match[] = { + }; + MODULE_DEVICE_TABLE(of, ssd130x_of_match); + +-#if IS_MODULE(CONFIG_DRM_SSD130X_SPI) + /* + * The SPI core always reports a MODALIAS uevent of the form "spi:", even + * if the device was registered via OF. This means that the module will not be +@@ -160,7 +159,7 @@ MODULE_DEVICE_TABLE(of, ssd130x_of_match); + * To workaround this issue, add a SPI device ID table. Even when this should + * not be needed for this driver to match the registered SPI devices. + */ +-static const struct spi_device_id ssd130x_spi_table[] = { ++static const struct spi_device_id ssd130x_spi_id[] = { + /* ssd130x family */ + { "sh1106", SH1106_ID }, + { "ssd1305", SSD1305_ID }, +@@ -175,14 +174,14 @@ static const struct spi_device_id ssd130x_spi_table[] = { + { "ssd1331", SSD1331_ID }, + { /* sentinel */ } + }; +-MODULE_DEVICE_TABLE(spi, ssd130x_spi_table); +-#endif ++MODULE_DEVICE_TABLE(spi, ssd130x_spi_id); + + static struct spi_driver ssd130x_spi_driver = { + .driver = { + .name = DRIVER_NAME, + .of_match_table = ssd130x_of_match, + }, ++ .id_table = ssd130x_spi_id, + .probe = ssd130x_spi_probe, + .remove = ssd130x_spi_remove, + .shutdown = ssd130x_spi_shutdown, +-- +2.39.5 + diff --git a/queue-6.12/drm-vkms-fix-use-after-free-and-double-free-on-init-.patch b/queue-6.12/drm-vkms-fix-use-after-free-and-double-free-on-init-.patch new file mode 100644 index 0000000000..ec51d0a59b --- /dev/null +++ b/queue-6.12/drm-vkms-fix-use-after-free-and-double-free-on-init-.patch @@ -0,0 +1,76 @@ +From 1242732027811854b9b4625435761659291876b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 09:49:12 +0100 +Subject: drm/vkms: Fix use after free and double free on init error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit ed15511a773df86205bda66c37193569575ae828 ] + +If the driver initialization fails, the vkms_exit() function might +access an uninitialized or freed default_config pointer and it might +double free it. + +Fix both possible errors by initializing default_config only when the +driver initialization succeeded. + +Reported-by: Louis Chauvet +Closes: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/ +Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type") +Signed-off-by: José Expósito +Reviewed-by: Thomas Zimmermann +Reviewed-by: Louis Chauvet +Link: https://patchwork.freedesktop.org/patch/msgid/20250212084912.3196-1-jose.exposito89@gmail.com +Signed-off-by: Louis Chauvet +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c +index 0c1a713b7b7b3..be642ee739c4f 100644 +--- a/drivers/gpu/drm/vkms/vkms_drv.c ++++ b/drivers/gpu/drm/vkms/vkms_drv.c +@@ -245,17 +245,19 @@ static int __init vkms_init(void) + if (!config) + return -ENOMEM; + +- default_config = config; +- + config->cursor = enable_cursor; + config->writeback = enable_writeback; + config->overlay = enable_overlay; + + ret = vkms_create(config); +- if (ret) ++ if (ret) { + kfree(config); ++ return ret; ++ } + +- return ret; ++ default_config = config; ++ ++ return 0; + } + + static void vkms_destroy(struct vkms_config *config) +@@ -279,9 +281,10 @@ static void vkms_destroy(struct vkms_config *config) + + static void __exit vkms_exit(void) + { +- if (default_config->dev) +- vkms_destroy(default_config); ++ if (!default_config) ++ return; + ++ vkms_destroy(default_config); + kfree(default_config); + } + +-- +2.39.5 + diff --git a/queue-6.12/drm-xlnx-zynqmp-fix-max-dma-segment-size.patch b/queue-6.12/drm-xlnx-zynqmp-fix-max-dma-segment-size.patch new file mode 100644 index 0000000000..ef9d7e49ce --- /dev/null +++ b/queue-6.12/drm-xlnx-zynqmp-fix-max-dma-segment-size.patch @@ -0,0 +1,38 @@ +From a983345f8381980a78f38d72dedf4e730764fabd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 11:03:39 +0200 +Subject: drm: xlnx: zynqmp: Fix max dma segment size + +From: Tomi Valkeinen + +[ Upstream commit 28b529a98525123acd37372a04d21e87ec2edcf7 ] + +Fix "mapping sg segment longer than device claims to support" warning by +setting the max segment size. + +Fixes: d76271d22694 ("drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem") +Reviewed-by: Sean Anderson +Tested-by: Sean Anderson +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20250115-xilinx-formats-v2-10-160327ca652a@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +index f5781939de9c3..a25b22238e3d2 100644 +--- a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c ++++ b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c +@@ -231,6 +231,8 @@ static int zynqmp_dpsub_probe(struct platform_device *pdev) + if (ret) + return ret; + ++ dma_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32)); ++ + /* Try the reserved memory. Proceed if there's none. */ + of_reserved_mem_device_init(&pdev->dev); + +-- +2.39.5 + diff --git a/queue-6.12/dt-bindings-vendor-prefixes-add-gocontroll.patch b/queue-6.12/dt-bindings-vendor-prefixes-add-gocontroll.patch new file mode 100644 index 0000000000..657f53cb32 --- /dev/null +++ b/queue-6.12/dt-bindings-vendor-prefixes-add-gocontroll.patch @@ -0,0 +1,37 @@ +From 6c460020bcf919314099fa1e421f578e47dd29a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 15:19:13 +0100 +Subject: dt-bindings: vendor-prefixes: add GOcontroll + +From: Maud Spierings + +[ Upstream commit 5f0d2de417166698c8eba433b696037ce04730da ] + +GOcontroll produces embedded linux systems and IO modules to use in +these systems, add its prefix. + +Acked-by: Rob Herring (Arm) +Signed-off-by: Maud Spierings +Link: https://patch.msgid.link/20250226-initial_display-v2-2-23fafa130817@gocontroll.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml +index fbfce9b4ae6b8..71a1a399e1e1f 100644 +--- a/Documentation/devicetree/bindings/vendor-prefixes.yaml ++++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml +@@ -581,6 +581,8 @@ patternProperties: + description: GlobalTop Technology, Inc. + "^gmt,.*": + description: Global Mixed-mode Technology, Inc. ++ "^gocontroll,.*": ++ description: GOcontroll Modular Embedded Electronics B.V. + "^goldelico,.*": + description: Golden Delicious Computers GmbH & Co. KG + "^goodix,.*": +-- +2.39.5 + diff --git a/queue-6.12/dummycon-fix-default-rows-cols.patch b/queue-6.12/dummycon-fix-default-rows-cols.patch new file mode 100644 index 0000000000..6374693138 --- /dev/null +++ b/queue-6.12/dummycon-fix-default-rows-cols.patch @@ -0,0 +1,60 @@ +From 71784b42225c413807b5a3724db3c9815016d563 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 17:44:22 +0100 +Subject: dummycon: fix default rows/cols + +From: Arnd Bergmann + +[ Upstream commit beefaba1978c04ea2950d34236f58fe6cf6a7f58 ] + +dummycon fails to build on ARM/footbridge when the VGA console is +disabled, since I got the dependencies slightly wrong in a previous +patch: + +drivers/video/console/dummycon.c: In function 'dummycon_init': +drivers/video/console/dummycon.c:27:25: error: 'CONFIG_DUMMY_CONSOLE_COLUMNS' undeclared (first use in this function); did you mean 'CONFIG_DUMMY_CONSOLE'? + 27 | #define DUMMY_COLUMNS CONFIG_DUMMY_CONSOLE_COLUMNS +drivers/video/console/dummycon.c:28:25: error: 'CONFIG_DUMMY_CONSOLE_ROWS' undeclared (first use in this function); did you mean 'CONFIG_DUMMY_CONSOLE'? + 28 | #define DUMMY_ROWS CONFIG_DUMMY_CONSOLE_ROWS + +This only showed up after many thousand randconfig builds on Arm, and +doesn't matter in practice, but should still be fixed. Address it by +using the default row/columns on footbridge after all in that corner +case. + +Fixes: 4293b0925149 ("dummycon: limit Arm console size hack to footbridge") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202409151512.LML1slol-lkp@intel.com/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Thomas Zimmermann +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/console/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/console/Kconfig b/drivers/video/console/Kconfig +index bc31db6ef7d26..c4a8f74df2493 100644 +--- a/drivers/video/console/Kconfig ++++ b/drivers/video/console/Kconfig +@@ -52,7 +52,7 @@ config DUMMY_CONSOLE + + config DUMMY_CONSOLE_COLUMNS + int "Initial number of console screen columns" +- depends on DUMMY_CONSOLE && !ARCH_FOOTBRIDGE ++ depends on DUMMY_CONSOLE && !(ARCH_FOOTBRIDGE && VGA_CONSOLE) + default 160 if PARISC + default 80 + help +@@ -62,7 +62,7 @@ config DUMMY_CONSOLE_COLUMNS + + config DUMMY_CONSOLE_ROWS + int "Initial number of console screen rows" +- depends on DUMMY_CONSOLE && !ARCH_FOOTBRIDGE ++ depends on DUMMY_CONSOLE && !(ARCH_FOOTBRIDGE && VGA_CONSOLE) + default 64 if PARISC + default 30 if ARM + default 25 +-- +2.39.5 + diff --git a/queue-6.12/e1000e-change-k1-configuration-on-mtp-and-later-plat.patch b/queue-6.12/e1000e-change-k1-configuration-on-mtp-and-later-plat.patch new file mode 100644 index 0000000000..cea6edb887 --- /dev/null +++ b/queue-6.12/e1000e-change-k1-configuration-on-mtp-and-later-plat.patch @@ -0,0 +1,178 @@ +From cd303ba897912c5a8f6af4c3267aa2bbf66c69c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:05:56 +0200 +Subject: e1000e: change k1 configuration on MTP and later platforms + +From: Vitaly Lifshits + +[ Upstream commit efaaf344bc2917cbfa5997633bc18a05d3aed27f ] + +Starting from Meteor Lake, the Kumeran interface between the integrated +MAC and the I219 PHY works at a different frequency. This causes sporadic +MDI errors when accessing the PHY, and in rare circumstances could lead +to packet corruption. + +To overcome this, introduce minor changes to the Kumeran idle +state (K1) parameters during device initialization. Hardware reset +reverts this configuration, therefore it needs to be applied in a few +places. + +Fixes: cc23f4f0b6b9 ("e1000e: Add support for Meteor Lake") +Signed-off-by: Vitaly Lifshits +Tested-by: Avigail Dahan +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000e/defines.h | 3 + + drivers/net/ethernet/intel/e1000e/ich8lan.c | 80 +++++++++++++++++++-- + drivers/net/ethernet/intel/e1000e/ich8lan.h | 4 ++ + 3 files changed, 82 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000e/defines.h b/drivers/net/ethernet/intel/e1000e/defines.h +index 5e2cfa73f8891..8294a7c4f122c 100644 +--- a/drivers/net/ethernet/intel/e1000e/defines.h ++++ b/drivers/net/ethernet/intel/e1000e/defines.h +@@ -803,4 +803,7 @@ + /* SerDes Control */ + #define E1000_GEN_POLL_TIMEOUT 640 + ++#define E1000_FEXTNVM12_PHYPD_CTRL_MASK 0x00C00000 ++#define E1000_FEXTNVM12_PHYPD_CTRL_P1 0x00800000 ++ + #endif /* _E1000_DEFINES_H_ */ +diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c +index 2f9655cf5dd9e..364378133526a 100644 +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c +@@ -285,6 +285,45 @@ static void e1000_toggle_lanphypc_pch_lpt(struct e1000_hw *hw) + } + } + ++/** ++ * e1000_reconfigure_k1_exit_timeout - reconfigure K1 exit timeout to ++ * align to MTP and later platform requirements. ++ * @hw: pointer to the HW structure ++ * ++ * Context: PHY semaphore must be held by caller. ++ * Return: 0 on success, negative on failure ++ */ ++static s32 e1000_reconfigure_k1_exit_timeout(struct e1000_hw *hw) ++{ ++ u16 phy_timeout; ++ u32 fextnvm12; ++ s32 ret_val; ++ ++ if (hw->mac.type < e1000_pch_mtp) ++ return 0; ++ ++ /* Change Kumeran K1 power down state from P0s to P1 */ ++ fextnvm12 = er32(FEXTNVM12); ++ fextnvm12 &= ~E1000_FEXTNVM12_PHYPD_CTRL_MASK; ++ fextnvm12 |= E1000_FEXTNVM12_PHYPD_CTRL_P1; ++ ew32(FEXTNVM12, fextnvm12); ++ ++ /* Wait for the interface the settle */ ++ usleep_range(1000, 1100); ++ ++ /* Change K1 exit timeout */ ++ ret_val = e1e_rphy_locked(hw, I217_PHY_TIMEOUTS_REG, ++ &phy_timeout); ++ if (ret_val) ++ return ret_val; ++ ++ phy_timeout &= ~I217_PHY_TIMEOUTS_K1_EXIT_TO_MASK; ++ phy_timeout |= 0xF00; ++ ++ return e1e_wphy_locked(hw, I217_PHY_TIMEOUTS_REG, ++ phy_timeout); ++} ++ + /** + * e1000_init_phy_workarounds_pchlan - PHY initialization workarounds + * @hw: pointer to the HW structure +@@ -327,15 +366,22 @@ static s32 e1000_init_phy_workarounds_pchlan(struct e1000_hw *hw) + * LANPHYPC Value bit to force the interconnect to PCIe mode. + */ + switch (hw->mac.type) { ++ case e1000_pch_mtp: ++ case e1000_pch_lnp: ++ case e1000_pch_ptp: ++ case e1000_pch_nvp: ++ /* At this point the PHY might be inaccessible so don't ++ * propagate the failure ++ */ ++ if (e1000_reconfigure_k1_exit_timeout(hw)) ++ e_dbg("Failed to reconfigure K1 exit timeout\n"); ++ ++ fallthrough; + case e1000_pch_lpt: + case e1000_pch_spt: + case e1000_pch_cnp: + case e1000_pch_tgp: + case e1000_pch_adp: +- case e1000_pch_mtp: +- case e1000_pch_lnp: +- case e1000_pch_ptp: +- case e1000_pch_nvp: + if (e1000_phy_is_accessible_pchlan(hw)) + break; + +@@ -419,8 +465,20 @@ static s32 e1000_init_phy_workarounds_pchlan(struct e1000_hw *hw) + * the PHY is in. + */ + ret_val = hw->phy.ops.check_reset_block(hw); +- if (ret_val) ++ if (ret_val) { + e_err("ME blocked access to PHY after reset\n"); ++ goto out; ++ } ++ ++ if (hw->mac.type >= e1000_pch_mtp) { ++ ret_val = hw->phy.ops.acquire(hw); ++ if (ret_val) { ++ e_err("Failed to reconfigure K1 exit timeout\n"); ++ goto out; ++ } ++ ret_val = e1000_reconfigure_k1_exit_timeout(hw); ++ hw->phy.ops.release(hw); ++ } + } + + out: +@@ -4888,6 +4946,18 @@ static s32 e1000_init_hw_ich8lan(struct e1000_hw *hw) + u16 i; + + e1000_initialize_hw_bits_ich8lan(hw); ++ if (hw->mac.type >= e1000_pch_mtp) { ++ ret_val = hw->phy.ops.acquire(hw); ++ if (ret_val) ++ return ret_val; ++ ++ ret_val = e1000_reconfigure_k1_exit_timeout(hw); ++ hw->phy.ops.release(hw); ++ if (ret_val) { ++ e_dbg("Error failed to reconfigure K1 exit timeout\n"); ++ return ret_val; ++ } ++ } + + /* Initialize identification LED */ + ret_val = mac->ops.id_led_init(hw); +diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.h b/drivers/net/ethernet/intel/e1000e/ich8lan.h +index 2504b11c3169f..5feb589a9b5ff 100644 +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.h ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.h +@@ -219,6 +219,10 @@ + #define I217_PLL_CLOCK_GATE_REG PHY_REG(772, 28) + #define I217_PLL_CLOCK_GATE_MASK 0x07FF + ++/* PHY Timeouts */ ++#define I217_PHY_TIMEOUTS_REG PHY_REG(770, 21) ++#define I217_PHY_TIMEOUTS_K1_EXIT_TO_MASK 0x0FC0 ++ + #define SW_FLAG_TIMEOUT 1000 /* SW Semaphore flag timeout in ms */ + + /* Inband Control */ +-- +2.39.5 + diff --git a/queue-6.12/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch b/queue-6.12/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch new file mode 100644 index 0000000000..35f0dba821 --- /dev/null +++ b/queue-6.12/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch @@ -0,0 +1,46 @@ +From da5fa2373becfc0ff3afe53b0c17d6149d71fadf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 09:14:02 +0800 +Subject: EDAC/ie31200: Fix the DIMM size mask for several SoCs + +From: Qiuxu Zhuo + +[ Upstream commit 3427befbbca6b19fe0e37f91d66ce5221de70bf1 ] + +The DIMM size mask for {Sky, Kaby, Coffee} Lake is not bits{7:0}, +but bits{5:0}. Fix it. + +Fixes: 953dee9bbd24 ("EDAC, ie31200_edac: Add Skylake support") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Gary Wang +Link: https://lore.kernel.org/r/20250310011411.31685-3-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index 98d74c604d726..92714dd88b3f6 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -162,6 +162,7 @@ + #define IE31200_MAD_DIMM_0_OFFSET 0x5004 + #define IE31200_MAD_DIMM_0_OFFSET_SKL 0x500C + #define IE31200_MAD_DIMM_SIZE GENMASK_ULL(7, 0) ++#define IE31200_MAD_DIMM_SIZE_SKL GENMASK_ULL(5, 0) + #define IE31200_MAD_DIMM_A_RANK BIT(17) + #define IE31200_MAD_DIMM_A_RANK_SHIFT 17 + #define IE31200_MAD_DIMM_A_RANK_SKL BIT(10) +@@ -375,7 +376,7 @@ static void __iomem *ie31200_map_mchbar(struct pci_dev *pdev) + static void __skl_populate_dimm_info(struct dimm_data *dd, u32 addr_decode, + int chan) + { +- dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE; ++ dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE_SKL; + dd->dual_rank = (addr_decode & (IE31200_MAD_DIMM_A_RANK_SKL << (chan << 4))) ? 1 : 0; + dd->x16_width = ((addr_decode & (IE31200_MAD_DIMM_A_WIDTH_SKL << (chan << 4))) >> + (IE31200_MAD_DIMM_A_WIDTH_SKL_SHIFT + (chan << 4))); +-- +2.39.5 + diff --git a/queue-6.12/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch b/queue-6.12/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch new file mode 100644 index 0000000000..8109c229a2 --- /dev/null +++ b/queue-6.12/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch @@ -0,0 +1,68 @@ +From 77cb83e8854c0e6787132b83db79e516286f4721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 09:14:03 +0800 +Subject: EDAC/ie31200: Fix the error path order of ie31200_init() + +From: Qiuxu Zhuo + +[ Upstream commit 231e341036d9988447e3b3345cf741a98139199e ] + +The error path order of ie31200_init() is incorrect, fix it. + +Fixes: 709ed1bcef12 ("EDAC/ie31200: Fallback if host bridge device is already initialized") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Gary Wang +Link: https://lore.kernel.org/r/20250310011411.31685-4-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index 92714dd88b3f6..56be8ef40f376 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -617,7 +617,7 @@ static int __init ie31200_init(void) + + pci_rc = pci_register_driver(&ie31200_driver); + if (pci_rc < 0) +- goto fail0; ++ return pci_rc; + + if (!mci_pdev) { + ie31200_registered = 0; +@@ -628,11 +628,13 @@ static int __init ie31200_init(void) + if (mci_pdev) + break; + } ++ + if (!mci_pdev) { + edac_dbg(0, "ie31200 pci_get_device fail\n"); + pci_rc = -ENODEV; +- goto fail1; ++ goto fail0; + } ++ + pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]); + if (pci_rc < 0) { + edac_dbg(0, "ie31200 init fail\n"); +@@ -640,12 +642,12 @@ static int __init ie31200_init(void) + goto fail1; + } + } +- return 0; + ++ return 0; + fail1: +- pci_unregister_driver(&ie31200_driver); +-fail0: + pci_dev_put(mci_pdev); ++fail0: ++ pci_unregister_driver(&ie31200_driver); + + return pci_rc; + } +-- +2.39.5 + diff --git a/queue-6.12/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch b/queue-6.12/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch new file mode 100644 index 0000000000..32be8ff3e1 --- /dev/null +++ b/queue-6.12/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch @@ -0,0 +1,48 @@ +From 2865b2993bac3973bf39dae8b922704d0a5c1e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 09:14:01 +0800 +Subject: EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer + +From: Qiuxu Zhuo + +[ Upstream commit d59d844e319d97682c8de29b88d2d60922a683b3 ] + +The EDAC_MC_LAYER_CHIP_SELECT layer pertains to the rank, not the DIMM. +Fix its size to reflect the number of ranks instead of the number of DIMMs. +Also delete the unused macros IE31200_{DIMMS,RANKS}. + +Fixes: 7ee40b897d18 ("ie31200_edac: Introduce the driver") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Gary Wang +Link: https://lore.kernel.org/r/20250310011411.31685-2-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index 9ef13570f2e54..98d74c604d726 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -91,8 +91,6 @@ + (((did) & PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK) == \ + PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK)) + +-#define IE31200_DIMMS 4 +-#define IE31200_RANKS 8 + #define IE31200_RANKS_PER_CHANNEL 4 + #define IE31200_DIMMS_PER_CHANNEL 2 + #define IE31200_CHANNELS 2 +@@ -426,7 +424,7 @@ static int ie31200_probe1(struct pci_dev *pdev, int dev_idx) + + nr_channels = how_many_channels(pdev); + layers[0].type = EDAC_MC_LAYER_CHIP_SELECT; +- layers[0].size = IE31200_DIMMS; ++ layers[0].size = IE31200_RANKS_PER_CHANNEL; + layers[0].is_virt_csrow = true; + layers[1].type = EDAC_MC_LAYER_CHANNEL; + layers[1].size = nr_channels; +-- +2.39.5 + diff --git a/queue-6.12/edac-skx_common-i10nm-fix-some-missing-error-reports.patch b/queue-6.12/edac-skx_common-i10nm-fix-some-missing-error-reports.patch new file mode 100644 index 0000000000..bce7c902ec --- /dev/null +++ b/queue-6.12/edac-skx_common-i10nm-fix-some-missing-error-reports.patch @@ -0,0 +1,144 @@ +From b80508c59f6168d96d69ee85c732fb1bdc853e8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 08:27:28 +0800 +Subject: EDAC/{skx_common,i10nm}: Fix some missing error reports on Emerald + Rapids + +From: Qiuxu Zhuo + +[ Upstream commit d9207cf7760f5f5599e9ff7eb0fedf56821a1d59 ] + +When doing error injection to some memory DIMMs on certain Intel Emerald +Rapids servers, the i10nm_edac missed error reports for some memory DIMMs. + +Certain BIOS configurations may hide some memory controllers, and the +i10nm_edac doesn't enumerate these hidden memory controllers. However, the +ADXL decodes memory errors using memory controller physical indices even +if there are hidden memory controllers. Therefore, the memory controller +physical indices reported by the ADXL may mismatch the logical indices +enumerated by the i10nm_edac, resulting in missed error reports for some +memory DIMMs. + +Fix this issue by creating a mapping table from memory controller physical +indices (used by the ADXL) to logical indices (used by the i10nm_edac) and +using it to convert the physical indices to the logical indices during the +error handling process. + +Fixes: c545f5e41225 ("EDAC/i10nm: Skip the absent memory controllers") +Reported-by: Kevin Chang +Tested-by: Kevin Chang +Reported-by: Thomas Chen +Tested-by: Thomas Chen +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/20250214002728.6287-1-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/i10nm_base.c | 2 ++ + drivers/edac/skx_common.c | 33 +++++++++++++++++++++++++++++++++ + drivers/edac/skx_common.h | 11 +++++++++++ + 3 files changed, 46 insertions(+) + +diff --git a/drivers/edac/i10nm_base.c b/drivers/edac/i10nm_base.c +index 51556c72a9674..fbdf005bed3a4 100644 +--- a/drivers/edac/i10nm_base.c ++++ b/drivers/edac/i10nm_base.c +@@ -751,6 +751,8 @@ static int i10nm_get_ddr_munits(void) + continue; + } else { + d->imc[lmc].mdev = mdev; ++ if (res_cfg->type == SPR) ++ skx_set_mc_mapping(d, i, lmc); + lmc++; + } + } +diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c +index 6cf17af7d9112..85ec3196664d3 100644 +--- a/drivers/edac/skx_common.c ++++ b/drivers/edac/skx_common.c +@@ -120,6 +120,35 @@ void skx_adxl_put(void) + } + EXPORT_SYMBOL_GPL(skx_adxl_put); + ++static void skx_init_mc_mapping(struct skx_dev *d) ++{ ++ /* ++ * By default, the BIOS presents all memory controllers within each ++ * socket to the EDAC driver. The physical indices are the same as ++ * the logical indices of the memory controllers enumerated by the ++ * EDAC driver. ++ */ ++ for (int i = 0; i < NUM_IMC; i++) ++ d->mc_mapping[i] = i; ++} ++ ++void skx_set_mc_mapping(struct skx_dev *d, u8 pmc, u8 lmc) ++{ ++ edac_dbg(0, "Set the mapping of mc phy idx to logical idx: %02d -> %02d\n", ++ pmc, lmc); ++ ++ d->mc_mapping[pmc] = lmc; ++} ++EXPORT_SYMBOL_GPL(skx_set_mc_mapping); ++ ++static u8 skx_get_mc_mapping(struct skx_dev *d, u8 pmc) ++{ ++ edac_dbg(0, "Get the mapping of mc phy idx to logical idx: %02d -> %02d\n", ++ pmc, d->mc_mapping[pmc]); ++ ++ return d->mc_mapping[pmc]; ++} ++ + static bool skx_adxl_decode(struct decoded_addr *res, enum error_source err_src) + { + struct skx_dev *d; +@@ -187,6 +216,8 @@ static bool skx_adxl_decode(struct decoded_addr *res, enum error_source err_src) + return false; + } + ++ res->imc = skx_get_mc_mapping(d, res->imc); ++ + for (i = 0; i < adxl_component_count; i++) { + if (adxl_values[i] == ~0x0ull) + continue; +@@ -307,6 +338,8 @@ int skx_get_all_bus_mappings(struct res_config *cfg, struct list_head **list) + d->bus[0], d->bus[1], d->bus[2], d->bus[3]); + list_add_tail(&d->list, &dev_edac_list); + prev = pdev; ++ ++ skx_init_mc_mapping(d); + } + + if (list) +diff --git a/drivers/edac/skx_common.h b/drivers/edac/skx_common.h +index 54bba8a62f727..849198fd14da6 100644 +--- a/drivers/edac/skx_common.h ++++ b/drivers/edac/skx_common.h +@@ -93,6 +93,16 @@ struct skx_dev { + struct pci_dev *uracu; /* for i10nm CPU */ + struct pci_dev *pcu_cr3; /* for HBM memory detection */ + u32 mcroute; ++ /* ++ * Some server BIOS may hide certain memory controllers, and the ++ * EDAC driver skips those hidden memory controllers. However, the ++ * ADXL still decodes memory error address using physical memory ++ * controller indices. The mapping table is used to convert the ++ * physical indices (reported by ADXL) to the logical indices ++ * (used the EDAC driver) of present memory controllers during the ++ * error handling process. ++ */ ++ u8 mc_mapping[NUM_IMC]; + struct skx_imc { + struct mem_ctl_info *mci; + struct pci_dev *mdev; /* for i10nm CPU */ +@@ -242,6 +252,7 @@ void skx_adxl_put(void); + void skx_set_decode(skx_decode_f decode, skx_show_retry_log_f show_retry_log); + void skx_set_mem_cfg(bool mem_cfg_2lm); + void skx_set_res_cfg(struct res_config *cfg); ++void skx_set_mc_mapping(struct skx_dev *d, u8 pmc, u8 lmc); + + int skx_get_src_id(struct skx_dev *d, int off, u8 *id); + int skx_get_node_id(struct skx_dev *d, u8 *id); +-- +2.39.5 + diff --git a/queue-6.12/exfat-add-a-check-for-invalid-data-size.patch b/queue-6.12/exfat-add-a-check-for-invalid-data-size.patch new file mode 100644 index 0000000000..e1c34a821a --- /dev/null +++ b/queue-6.12/exfat-add-a-check-for-invalid-data-size.patch @@ -0,0 +1,38 @@ +From d71e6360140792a1294792c32c2ba5687b448662 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Feb 2025 17:16:58 +0800 +Subject: exfat: add a check for invalid data size + +From: Yuezhang Mo + +[ Upstream commit 13940cef95491472760ca261b6713692ece9b946 ] + +Add a check for invalid data size to avoid corrupted filesystem +from being further corrupted. + +Signed-off-by: Yuezhang Mo +Signed-off-by: Namjae Jeon +Signed-off-by: Sasha Levin +--- + fs/exfat/namei.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c +index e47a5ddfc79b3..7b3951951f8af 100644 +--- a/fs/exfat/namei.c ++++ b/fs/exfat/namei.c +@@ -639,6 +639,11 @@ static int exfat_find(struct inode *dir, struct qstr *qname, + info->valid_size = le64_to_cpu(ep2->dentry.stream.valid_size); + info->size = le64_to_cpu(ep2->dentry.stream.size); + ++ if (unlikely(EXFAT_B_TO_CLU_ROUND_UP(info->size, sbi) > sbi->used_clusters)) { ++ exfat_fs_error(sb, "data size is invalid(%lld)", info->size); ++ return -EIO; ++ } ++ + info->start_clu = le32_to_cpu(ep2->dentry.stream.start_clu); + if (!is_valid_cluster(sbi, info->start_clu) && info->size) { + exfat_warn(sb, "start_clu is invalid cluster(0x%x)", +-- +2.39.5 + diff --git a/queue-6.12/exfat-fix-missing-shutdown-check.patch b/queue-6.12/exfat-fix-missing-shutdown-check.patch new file mode 100644 index 0000000000..7b19b38c46 --- /dev/null +++ b/queue-6.12/exfat-fix-missing-shutdown-check.patch @@ -0,0 +1,97 @@ +From e953226dccbd0b3b0f0b36a4c4d272b63da0d5e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 15:02:07 +0800 +Subject: exfat: fix missing shutdown check + +From: Yuezhang Mo + +[ Upstream commit 47e35366bc6fa3cf189a8305bce63992495f3efa ] + +xfstests generic/730 test failed because after deleting the device +that still had dirty data, the file could still be read without +returning an error. The reason is the missing shutdown check in +->read_iter. + +I also noticed that shutdown checks were missing from ->write_iter, +->splice_read, and ->mmap. This commit adds shutdown checks to all +of them. + +Fixes: f761fcdd289d ("exfat: Implement sops->shutdown and ioctl") +Signed-off-by: Yuezhang Mo +Signed-off-by: Namjae Jeon +Signed-off-by: Sasha Levin +--- + fs/exfat/file.c | 29 +++++++++++++++++++++++++++-- + 1 file changed, 27 insertions(+), 2 deletions(-) + +diff --git a/fs/exfat/file.c b/fs/exfat/file.c +index 807349d8ea050..841a5b18e3dfd 100644 +--- a/fs/exfat/file.c ++++ b/fs/exfat/file.c +@@ -582,6 +582,9 @@ static ssize_t exfat_file_write_iter(struct kiocb *iocb, struct iov_iter *iter) + loff_t pos = iocb->ki_pos; + loff_t valid_size; + ++ if (unlikely(exfat_forced_shutdown(inode->i_sb))) ++ return -EIO; ++ + inode_lock(inode); + + valid_size = ei->valid_size; +@@ -635,6 +638,16 @@ static ssize_t exfat_file_write_iter(struct kiocb *iocb, struct iov_iter *iter) + return ret; + } + ++static ssize_t exfat_file_read_iter(struct kiocb *iocb, struct iov_iter *iter) ++{ ++ struct inode *inode = file_inode(iocb->ki_filp); ++ ++ if (unlikely(exfat_forced_shutdown(inode->i_sb))) ++ return -EIO; ++ ++ return generic_file_read_iter(iocb, iter); ++} ++ + static vm_fault_t exfat_page_mkwrite(struct vm_fault *vmf) + { + int err; +@@ -672,14 +685,26 @@ static const struct vm_operations_struct exfat_file_vm_ops = { + + static int exfat_file_mmap(struct file *file, struct vm_area_struct *vma) + { ++ if (unlikely(exfat_forced_shutdown(file_inode(file)->i_sb))) ++ return -EIO; ++ + file_accessed(file); + vma->vm_ops = &exfat_file_vm_ops; + return 0; + } + ++static ssize_t exfat_splice_read(struct file *in, loff_t *ppos, ++ struct pipe_inode_info *pipe, size_t len, unsigned int flags) ++{ ++ if (unlikely(exfat_forced_shutdown(file_inode(in)->i_sb))) ++ return -EIO; ++ ++ return filemap_splice_read(in, ppos, pipe, len, flags); ++} ++ + const struct file_operations exfat_file_operations = { + .llseek = generic_file_llseek, +- .read_iter = generic_file_read_iter, ++ .read_iter = exfat_file_read_iter, + .write_iter = exfat_file_write_iter, + .unlocked_ioctl = exfat_ioctl, + #ifdef CONFIG_COMPAT +@@ -687,7 +712,7 @@ const struct file_operations exfat_file_operations = { + #endif + .mmap = exfat_file_mmap, + .fsync = exfat_file_fsync, +- .splice_read = filemap_splice_read, ++ .splice_read = exfat_splice_read, + .splice_write = iter_file_splice_write, + }; + +-- +2.39.5 + diff --git a/queue-6.12/exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch b/queue-6.12/exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch new file mode 100644 index 0000000000..e84eabb0b1 --- /dev/null +++ b/queue-6.12/exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch @@ -0,0 +1,46 @@ +From 9a4be17396435f9c647b79360483e3298b4dde64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Mar 2025 10:53:10 +0800 +Subject: exfat: fix the infinite loop in exfat_find_last_cluster() + +From: Yuezhang Mo + +[ Upstream commit b0522303f67255926b946aa66885a0104d1b2980 ] + +In exfat_find_last_cluster(), the cluster chain is traversed until +the EOF cluster. If the cluster chain includes a loop due to file +system corruption, the EOF cluster cannot be traversed, resulting +in an infinite loop. + +If the number of clusters indicated by the file size is inconsistent +with the cluster chain length, exfat_find_last_cluster() will return +an error, so if this inconsistency is found, the traversal can be +aborted without traversing to the EOF cluster. + +Reported-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f7d147e6db52b1e09dba +Tested-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com +Fixes: 31023864e67a ("exfat: add fat entry operations") +Signed-off-by: Yuezhang Mo +Signed-off-by: Namjae Jeon +Signed-off-by: Sasha Levin +--- + fs/exfat/fatent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c +index 6f3651c6ca91e..8df5ad6ebb10c 100644 +--- a/fs/exfat/fatent.c ++++ b/fs/exfat/fatent.c +@@ -265,7 +265,7 @@ int exfat_find_last_cluster(struct super_block *sb, struct exfat_chain *p_chain, + clu = next; + if (exfat_ent_get(sb, clu, &next)) + return -EIO; +- } while (next != EXFAT_EOF_CLUSTER); ++ } while (next != EXFAT_EOF_CLUSTER && count <= p_chain->size); + + if (p_chain->size != count) { + exfat_fs_error(sb, +-- +2.39.5 + diff --git a/queue-6.12/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch b/queue-6.12/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch new file mode 100644 index 0000000000..cbcafe5f62 --- /dev/null +++ b/queue-6.12/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch @@ -0,0 +1,52 @@ +From 871f7731670c388538c07d532db8a04b96611291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 21:35:36 +0200 +Subject: fbdev: au1100fb: Move a variable assignment behind a null pointer + check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Elfring + +[ Upstream commit 2df2c0caaecfd869b49e14f2b8df822397c5dd7f ] + +The address of a data structure member was determined before +a corresponding null pointer check in the implementation of +the function “au1100fb_setmode”. + +This issue was detected by using the Coccinelle software. + +Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.") +Signed-off-by: Markus Elfring +Acked-by: Uwe Kleine-König +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1100fb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/au1100fb.c b/drivers/video/fbdev/au1100fb.c +index 840f221607635..6251a6b07b3a1 100644 +--- a/drivers/video/fbdev/au1100fb.c ++++ b/drivers/video/fbdev/au1100fb.c +@@ -137,13 +137,15 @@ static int au1100fb_fb_blank(int blank_mode, struct fb_info *fbi) + */ + int au1100fb_setmode(struct au1100fb_device *fbdev) + { +- struct fb_info *info = &fbdev->info; ++ struct fb_info *info; + u32 words; + int index; + + if (!fbdev) + return -EINVAL; + ++ info = &fbdev->info; ++ + /* Update var-dependent FB info */ + if (panel_is_active(fbdev->panel) || panel_is_color(fbdev->panel)) { + if (info->var.bits_per_pixel <= 8) { +-- +2.39.5 + diff --git a/queue-6.12/fbdev-sm501fb-add-some-geometry-checks.patch b/queue-6.12/fbdev-sm501fb-add-some-geometry-checks.patch new file mode 100644 index 0000000000..8b4f1fafe0 --- /dev/null +++ b/queue-6.12/fbdev-sm501fb-add-some-geometry-checks.patch @@ -0,0 +1,44 @@ +From 6557710f78540c3d731a2b7fe3e283a0bebce7c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 01:30:11 +0000 +Subject: fbdev: sm501fb: Add some geometry checks. + +From: Danila Chernetsov + +[ Upstream commit aee50bd88ea5fde1ff4cc021385598f81a65830c ] + +Added checks for xoffset, yoffset settings. +Incorrect settings of these parameters can lead to errors +in sm501fb_pan_ functions. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5fc404e47bdf ("[PATCH] fb: SM501 framebuffer driver") +Signed-off-by: Danila Chernetsov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sm501fb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/video/fbdev/sm501fb.c b/drivers/video/fbdev/sm501fb.c +index 86ecbb2d86db8..2eb27ebf822e8 100644 +--- a/drivers/video/fbdev/sm501fb.c ++++ b/drivers/video/fbdev/sm501fb.c +@@ -326,6 +326,13 @@ static int sm501fb_check_var(struct fb_var_screeninfo *var, + if (var->xres_virtual > 4096 || var->yres_virtual > 2048) + return -EINVAL; + ++ /* geometry sanity checks */ ++ if (var->xres + var->xoffset > var->xres_virtual) ++ return -EINVAL; ++ ++ if (var->yres + var->yoffset > var->yres_virtual) ++ return -EINVAL; ++ + /* can cope with 8,16 or 32bpp */ + + if (var->bits_per_pixel <= 8) +-- +2.39.5 + diff --git a/queue-6.12/firmware-cs_dsp-ensure-cs_dsp_load-_coeff-returns-0-.patch b/queue-6.12/firmware-cs_dsp-ensure-cs_dsp_load-_coeff-returns-0-.patch new file mode 100644 index 0000000000..cece8b5c07 --- /dev/null +++ b/queue-6.12/firmware-cs_dsp-ensure-cs_dsp_load-_coeff-returns-0-.patch @@ -0,0 +1,67 @@ +From aba3338f2d1c90ed308df8ea3176022988266436 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Mar 2025 17:05:29 +0000 +Subject: firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success + +From: Richard Fitzgerald + +[ Upstream commit 2593f7e0dc93a898a84220b3fb180d86f1ca8c60 ] + +Set ret = 0 on successful completion of the processing loop in +cs_dsp_load() and cs_dsp_load_coeff() to ensure that the function +returns 0 on success. + +All normal firmware files will have at least one data block, and +processing this block will set ret == 0, from the result of either +regmap_raw_write() or cs_dsp_parse_coeff(). + +The kunit tests create a dummy firmware file that contains only the +header, without any data blocks. This gives cs_dsp a file to "load" +that will not cause any side-effects. As there aren't any data blocks, +the processing loop will not set ret == 0. + +Originally there was a line after the processing loop: + + ret = regmap_async_complete(regmap); + +which would set ret == 0 before the function returned. + +Commit fe08b7d5085a ("firmware: cs_dsp: Remove async regmap writes") +changed the regmap write to a normal sync write, so the call to +regmap_async_complete() wasn't necessary and was removed. It was +overlooked that the ret here wasn't only to check the result of +regmap_async_complete(), it also set the final return value of the +function. + +Fixes: fe08b7d5085a ("firmware: cs_dsp: Remove async regmap writes") +Signed-off-by: Richard Fitzgerald +Link: https://patch.msgid.link/20250323170529.197205-1-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index bd1ea99c3b475..ea452f1908542 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -1631,6 +1631,7 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + + cs_dsp_debugfs_save_wmfwname(dsp, file); + ++ ret = 0; + out_fw: + cs_dsp_buf_free(&buf_list); + +@@ -2338,6 +2339,7 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware + + cs_dsp_debugfs_save_binname(dsp, file); + ++ ret = 0; + out_fw: + cs_dsp_buf_free(&buf_list); + +-- +2.39.5 + diff --git a/queue-6.12/fs-9p-fix-null-pointer-dereference-on-mkdir.patch b/queue-6.12/fs-9p-fix-null-pointer-dereference-on-mkdir.patch new file mode 100644 index 0000000000..401574a7fc --- /dev/null +++ b/queue-6.12/fs-9p-fix-null-pointer-dereference-on-mkdir.patch @@ -0,0 +1,73 @@ +From 6d0ca3c3ae22d825321d8b12e1840c2316a11434 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 13:59:32 +0100 +Subject: fs/9p: fix NULL pointer dereference on mkdir + +From: Christian Schoenebeck + +[ Upstream commit 3f61ac7c65bdb26accb52f9db66313597e759821 ] + +When a 9p tree was mounted with option 'posixacl', parent directory had a +default ACL set for its subdirectories, e.g.: + + setfacl -m default:group:simpsons:rwx parentdir + +then creating a subdirectory crashed 9p client, as v9fs_fid_add() call in +function v9fs_vfs_mkdir_dotl() sets the passed 'fid' pointer to NULL +(since dafbe689736) even though the subsequent v9fs_set_create_acl() call +expects a valid non-NULL 'fid' pointer: + + [ 37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000 + ... + [ 37.322338] Call Trace: + [ 37.323043] + [ 37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) + [ 37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714) + [ 37.325532] ? search_module_extables (kernel/module/main.c:3733) + [ 37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet + [ 37.328006] ? search_bpf_extables (kernel/bpf/core.c:804) + [ 37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538) + [ 37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574) + [ 37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet + [ 37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p + [ 37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p + [ 37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p + [ 37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p + [ 37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p + [ 37.338590] vfs_mkdir (fs/namei.c:4313) + [ 37.339535] do_mkdirat (fs/namei.c:4336) + [ 37.340465] __x64_sys_mkdir (fs/namei.c:4354) + [ 37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) + [ 37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Fix this by simply swapping the sequence of these two calls in +v9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before +v9fs_fid_add(). + +Fixes: dafbe689736f ("9p fid refcount: cleanup p9_fid_put calls") +Reported-by: syzbot+5b667f9a1fee4ba3775a@syzkaller.appspotmail.com +Signed-off-by: Christian Schoenebeck +Message-ID: +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + fs/9p/vfs_inode_dotl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c +index 143ac03b7425c..3397939fd2d5a 100644 +--- a/fs/9p/vfs_inode_dotl.c ++++ b/fs/9p/vfs_inode_dotl.c +@@ -407,8 +407,8 @@ static int v9fs_vfs_mkdir_dotl(struct mnt_idmap *idmap, + err); + goto error; + } +- v9fs_fid_add(dentry, &fid); + v9fs_set_create_acl(inode, fid, dacl, pacl); ++ v9fs_fid_add(dentry, &fid); + d_instantiate(dentry, inode); + err = 0; + inc_nlink(dir); +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-fix-a-couple-integer-overflows-on-32bit-sys.patch b/queue-6.12/fs-ntfs3-fix-a-couple-integer-overflows-on-32bit-sys.patch new file mode 100644 index 0000000000..63ff77904c --- /dev/null +++ b/queue-6.12/fs-ntfs3-fix-a-couple-integer-overflows-on-32bit-sys.patch @@ -0,0 +1,45 @@ +From 3990c0e2b1e488d430f85fca04b4cee3aa4bbd27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Feb 2025 23:52:00 +0300 +Subject: fs/ntfs3: Fix a couple integer overflows on 32bit systems + +From: Dan Carpenter + +[ Upstream commit 5ad414f4df2294b28836b5b7b69787659d6aa708 ] + +On 32bit systems the "off + sizeof(struct NTFS_DE)" addition can +have an integer wrapping issue. Fix it by using size_add(). + +Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") +Signed-off-by: Dan Carpenter +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/index.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c +index 7eb9fae22f8da..78d20e4baa2c9 100644 +--- a/fs/ntfs3/index.c ++++ b/fs/ntfs3/index.c +@@ -618,7 +618,7 @@ static bool index_hdr_check(const struct INDEX_HDR *hdr, u32 bytes) + u32 off = le32_to_cpu(hdr->de_off); + + if (!IS_ALIGNED(off, 8) || tot > bytes || end > tot || +- off + sizeof(struct NTFS_DE) > end) { ++ size_add(off, sizeof(struct NTFS_DE)) > end) { + /* incorrect index buffer. */ + return false; + } +@@ -736,7 +736,7 @@ static struct NTFS_DE *hdr_find_e(const struct ntfs_index *indx, + if (end > total) + return NULL; + +- if (off + sizeof(struct NTFS_DE) > end) ++ if (size_add(off, sizeof(struct NTFS_DE)) > end) + return NULL; + + e = Add2Ptr(hdr, off); +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-prevent-integer-overflow-in-hdr_first_de.patch b/queue-6.12/fs-ntfs3-prevent-integer-overflow-in-hdr_first_de.patch new file mode 100644 index 0000000000..3e61af2fb8 --- /dev/null +++ b/queue-6.12/fs-ntfs3-prevent-integer-overflow-in-hdr_first_de.patch @@ -0,0 +1,38 @@ +From d686ff540f95c22378feda4a52439ea7183b2879 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Feb 2025 23:52:10 +0300 +Subject: fs/ntfs3: Prevent integer overflow in hdr_first_de() + +From: Dan Carpenter + +[ Upstream commit 6bb81b94f7a9cba6bde9a905cef52a65317a8b04 ] + +The "de_off" and "used" variables come from the disk so they both need to +check. The problem is that on 32bit systems if they're both greater than +UINT_MAX - 16 then the check does work as intended because of an integer +overflow. + +Fixes: 60ce8dfde035 ("fs/ntfs3: Fix wrong if in hdr_first_de") +Signed-off-by: Dan Carpenter +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/ntfs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ntfs3/ntfs.h b/fs/ntfs3/ntfs.h +index 241f2ffdd9201..1ff13b6f96132 100644 +--- a/fs/ntfs3/ntfs.h ++++ b/fs/ntfs3/ntfs.h +@@ -717,7 +717,7 @@ static inline struct NTFS_DE *hdr_first_de(const struct INDEX_HDR *hdr) + struct NTFS_DE *e; + u16 esize; + +- if (de_off >= used || de_off + sizeof(struct NTFS_DE) > used ) ++ if (de_off >= used || size_add(de_off, sizeof(struct NTFS_DE)) > used) + return NULL; + + e = Add2Ptr(hdr, de_off); +-- +2.39.5 + diff --git a/queue-6.12/fs-ntfs3-update-inode-i_mapping-a_ops-on-compression.patch b/queue-6.12/fs-ntfs3-update-inode-i_mapping-a_ops-on-compression.patch new file mode 100644 index 0000000000..9202b5cd2b --- /dev/null +++ b/queue-6.12/fs-ntfs3-update-inode-i_mapping-a_ops-on-compression.patch @@ -0,0 +1,98 @@ +From 9d541a3c35c2a54a80c9ab6b856d4d74079607c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2025 17:03:41 +0300 +Subject: fs/ntfs3: Update inode->i_mapping->a_ops on compression state + +From: Konstantin Komarov + +[ Upstream commit b432163ebd15a0fb74051949cb61456d6c55ccbd ] + +Update inode->i_mapping->a_ops when the compression state changes to +ensure correct address space operations. +Clear ATTR_FLAG_SPARSED/FILE_ATTRIBUTE_SPARSE_FILE when enabling +compression to prevent flag conflicts. + +v2: +Additionally, ensure that all dirty pages are flushed and concurrent access +to the page cache is blocked. + +Fixes: 6b39bfaeec44 ("fs/ntfs3: Add support for the compression attribute") +Reported-by: Kun Hu , Jiaji Qin +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/attrib.c | 3 ++- + fs/ntfs3/file.c | 22 ++++++++++++++++++++-- + fs/ntfs3/frecord.c | 6 ++++-- + 3 files changed, 26 insertions(+), 5 deletions(-) + +diff --git a/fs/ntfs3/attrib.c b/fs/ntfs3/attrib.c +index da1a9312e61a0..dd459316529e8 100644 +--- a/fs/ntfs3/attrib.c ++++ b/fs/ntfs3/attrib.c +@@ -2663,8 +2663,9 @@ int attr_set_compress(struct ntfs_inode *ni, bool compr) + attr->nres.run_off = cpu_to_le16(run_off); + } + +- /* Update data attribute flags. */ ++ /* Update attribute flags. */ + if (compr) { ++ attr->flags &= ~ATTR_FLAG_SPARSED; + attr->flags |= ATTR_FLAG_COMPRESSED; + attr->nres.c_unit = NTFS_LZNT_CUNIT; + } else { +diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c +index f704ceef95394..7976ac4611c8d 100644 +--- a/fs/ntfs3/file.c ++++ b/fs/ntfs3/file.c +@@ -101,8 +101,26 @@ int ntfs_fileattr_set(struct mnt_idmap *idmap, struct dentry *dentry, + /* Allowed to change compression for empty files and for directories only. */ + if (!is_dedup(ni) && !is_encrypted(ni) && + (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))) { +- /* Change compress state. */ +- int err = ni_set_compress(inode, flags & FS_COMPR_FL); ++ int err = 0; ++ struct address_space *mapping = inode->i_mapping; ++ ++ /* write out all data and wait. */ ++ filemap_invalidate_lock(mapping); ++ err = filemap_write_and_wait(mapping); ++ ++ if (err >= 0) { ++ /* Change compress state. */ ++ bool compr = flags & FS_COMPR_FL; ++ err = ni_set_compress(inode, compr); ++ ++ /* For files change a_ops too. */ ++ if (!err) ++ mapping->a_ops = compr ? &ntfs_aops_cmpr : ++ &ntfs_aops; ++ } ++ ++ filemap_invalidate_unlock(mapping); ++ + if (err) + return err; + } +diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c +index 175662acd5eaf..608634361a302 100644 +--- a/fs/ntfs3/frecord.c ++++ b/fs/ntfs3/frecord.c +@@ -3431,10 +3431,12 @@ int ni_set_compress(struct inode *inode, bool compr) + } + + ni->std_fa = std->fa; +- if (compr) ++ if (compr) { ++ std->fa &= ~FILE_ATTRIBUTE_SPARSE_FILE; + std->fa |= FILE_ATTRIBUTE_COMPRESSED; +- else ++ } else { + std->fa &= ~FILE_ATTRIBUTE_COMPRESSED; ++ } + + if (ni->std_fa != std->fa) { + ni->std_fa = std->fa; +-- +2.39.5 + diff --git a/queue-6.12/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch b/queue-6.12/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch new file mode 100644 index 0000000000..3ef9ef4919 --- /dev/null +++ b/queue-6.12/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch @@ -0,0 +1,41 @@ +From 69ce93b2c5e4349d5211443b311db36d5c565f3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 14:02:22 -0700 +Subject: fs/procfs: fix the comment above proc_pid_wchan() + +From: Bart Van Assche + +[ Upstream commit 6287fbad1cd91f0c25cdc3a580499060828a8f30 ] + +proc_pid_wchan() used to report kernel addresses to user space but that is +no longer the case today. Bring the comment above proc_pid_wchan() in +sync with the implementation. + +Link: https://lkml.kernel.org/r/20250319210222.1518771-1-bvanassche@acm.org +Fixes: b2f73922d119 ("fs/proc, core/debug: Don't expose absolute kernel addresses via wchan") +Signed-off-by: Bart Van Assche +Cc: Kees Cook +Cc: Eric W. Biederman +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index b31283d81c52e..a2541f5204af0 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -417,7 +417,7 @@ static const struct file_operations proc_pid_cmdline_ops = { + #ifdef CONFIG_KALLSYMS + /* + * Provides a wchan file via kallsyms in a proper one-value-per-file format. +- * Returns the resolved symbol. If that fails, simply return the address. ++ * Returns the resolved symbol to user space. + */ + static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task) +-- +2.39.5 + diff --git a/queue-6.12/fuse-fix-dax-truncate-punch_hole-fault-path.patch b/queue-6.12/fuse-fix-dax-truncate-punch_hole-fault-path.patch new file mode 100644 index 0000000000..073f2bb047 --- /dev/null +++ b/queue-6.12/fuse-fix-dax-truncate-punch_hole-fault-path.patch @@ -0,0 +1,146 @@ +From 62ee3c973d2f410f95fafe9d1d93ff25e56e9c86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 14:30:56 +1100 +Subject: fuse: fix dax truncate/punch_hole fault path + +From: Alistair Popple + +[ Upstream commit 7851bf649d423edd7286b292739f2eefded3d35c ] + +Patch series "fs/dax: Fix ZONE_DEVICE page reference counts", v9. + +Device and FS DAX pages have always maintained their own page reference +counts without following the normal rules for page reference counting. In +particular pages are considered free when the refcount hits one rather +than zero and refcounts are not added when mapping the page. + +Tracking this requires special PTE bits (PTE_DEVMAP) and a secondary +mechanism for allowing GUP to hold references on the page (see +get_dev_pagemap). However there doesn't seem to be any reason why FS DAX +pages need their own reference counting scheme. + +By treating the refcounts on these pages the same way as normal pages we +can remove a lot of special checks. In particular pXd_trans_huge() +becomes the same as pXd_leaf(), although I haven't made that change here. +It also frees up a valuable SW define PTE bit on architectures that have +devmap PTE bits defined. + +It also almost certainly allows further clean-up of the devmap managed +functions, but I have left that as a future improvment. It also enables +support for compound ZONE_DEVICE pages which is one of my primary +motivators for doing this work. + +This patch (of 20): + +FS DAX requires file systems to call into the DAX layout prior to +unlinking inodes to ensure there is no ongoing DMA or other remote access +to the direct mapped page. The fuse file system implements +fuse_dax_break_layouts() to do this which includes a comment indicating +that passing dmap_end == 0 leads to unmapping of the whole file. + +However this is not true - passing dmap_end == 0 will not unmap anything +before dmap_start, and further more dax_layout_busy_page_range() will not +scan any of the range to see if there maybe ongoing DMA access to the +range. Fix this by passing -1 for dmap_end to fuse_dax_break_layouts() +which will invalidate the entire file range to +dax_layout_busy_page_range(). + +Link: https://lkml.kernel.org/r/cover.8068ad144a7eea4a813670301f4d2a86a8e68ec4.1740713401.git-series.apopple@nvidia.com +Link: https://lkml.kernel.org/r/f09a34b6c40032022e4ddee6fadb7cc676f08867.1740713401.git-series.apopple@nvidia.com +Fixes: 6ae330cad6ef ("virtiofs: serialize truncate/punch_hole and dax fault path") +Signed-off-by: Alistair Popple +Co-developed-by: Dan Williams +Signed-off-by: Dan Williams +Reviewed-by: Balbir Singh +Tested-by: Alison Schofield +Cc: Vivek Goyal +Cc: Alexander Gordeev +Cc: Asahi Lina +Cc: Bjorn Helgaas +Cc: Catalin Marinas +Cc: Christian Borntraeger +Cc: Christoph Hellwig +Cc: Chunyan Zhang +Cc: "Darrick J. Wong" +Cc: Dave Chinner +Cc: Dave Hansen +Cc: Dave Jiang +Cc: David Hildenbrand +Cc: Gerald Schaefer +Cc: Heiko Carstens +Cc: Huacai Chen +Cc: Ira Weiny +Cc: Jan Kara +Cc: Jason Gunthorpe +Cc: Jason Gunthorpe +Cc: John Hubbard +Cc: linmiaohe +Cc: Logan Gunthorpe +Cc: Matthew Wilcow (Oracle) +Cc: Michael "Camp Drill Sergeant" Ellerman +Cc: Nicholas Piggin +Cc: Peter Xu +Cc: Sven Schnelle +Cc: Ted Ts'o +Cc: Vasily Gorbik +Cc: Vishal Verma +Cc: WANG Xuerui +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/fuse/dax.c | 1 - + fs/fuse/dir.c | 2 +- + fs/fuse/file.c | 4 ++-- + 3 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/fs/fuse/dax.c b/fs/fuse/dax.c +index 12ef91d170bb3..7faf1af59d5d8 100644 +--- a/fs/fuse/dax.c ++++ b/fs/fuse/dax.c +@@ -681,7 +681,6 @@ static int __fuse_dax_break_layouts(struct inode *inode, bool *retry, + 0, 0, fuse_wait_dax_page(inode)); + } + +-/* dmap_end == 0 leads to unmapping of whole file */ + int fuse_dax_break_layouts(struct inode *inode, u64 dmap_start, + u64 dmap_end) + { +diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c +index bd6e675023c62..a1e86ec07c38b 100644 +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -1936,7 +1936,7 @@ int fuse_do_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + if (FUSE_IS_DAX(inode) && is_truncate) { + filemap_invalidate_lock(mapping); + fault_blocked = true; +- err = fuse_dax_break_layouts(inode, 0, 0); ++ err = fuse_dax_break_layouts(inode, 0, -1); + if (err) { + filemap_invalidate_unlock(mapping); + return err; +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index e20d91d0ae558..f597f7e68e501 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -253,7 +253,7 @@ static int fuse_open(struct inode *inode, struct file *file) + + if (dax_truncate) { + filemap_invalidate_lock(inode->i_mapping); +- err = fuse_dax_break_layouts(inode, 0, 0); ++ err = fuse_dax_break_layouts(inode, 0, -1); + if (err) + goto out_inode_unlock; + } +@@ -3146,7 +3146,7 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset, + inode_lock(inode); + if (block_faults) { + filemap_invalidate_lock(inode->i_mapping); +- err = fuse_dax_break_layouts(inode, 0, 0); ++ err = fuse_dax_break_layouts(inode, 0, -1); + if (err) + goto out; + } +-- +2.39.5 + diff --git a/queue-6.12/gpu-cdns-mhdp8546-fix-call-balance-of-mhdp-clk-handl.patch b/queue-6.12/gpu-cdns-mhdp8546-fix-call-balance-of-mhdp-clk-handl.patch new file mode 100644 index 0000000000..c08b432fbc --- /dev/null +++ b/queue-6.12/gpu-cdns-mhdp8546-fix-call-balance-of-mhdp-clk-handl.patch @@ -0,0 +1,85 @@ +From 3ffa1b1c1b6a1f30e503246ff3aad08b136d78ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 18:46:32 +0300 +Subject: gpu: cdns-mhdp8546: fix call balance of mhdp->clk handling routines + +From: Vitalii Mordan + +[ Upstream commit f65727be3fa5f252c8d982d15023aab8255ded19 ] + +If the clock mhdp->clk was not enabled in cdns_mhdp_probe(), it should not +be disabled in any path. + +The return value of clk_prepare_enable() is not checked. If mhdp->clk was +not enabled, it may be disabled in the error path of cdns_mhdp_probe() +(e.g., if cdns_mhdp_load_firmware() fails) or in cdns_mhdp_remove() after +a successful cdns_mhdp_probe() call. + +Use the devm_clk_get_enabled() helper function to ensure proper call +balance for mhdp->clk. + +Found by Linux Verification Center (linuxtesting.org) with Klever. + +Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge") +Signed-off-by: Vitalii Mordan +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20250214154632.1907425-1-mordan@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +index 41f72d458487f..9ba2a667a1f3a 100644 +--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c ++++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +@@ -2463,9 +2463,9 @@ static int cdns_mhdp_probe(struct platform_device *pdev) + if (!mhdp) + return -ENOMEM; + +- clk = devm_clk_get(dev, NULL); ++ clk = devm_clk_get_enabled(dev, NULL); + if (IS_ERR(clk)) { +- dev_err(dev, "couldn't get clk: %ld\n", PTR_ERR(clk)); ++ dev_err(dev, "couldn't get and enable clk: %ld\n", PTR_ERR(clk)); + return PTR_ERR(clk); + } + +@@ -2504,14 +2504,12 @@ static int cdns_mhdp_probe(struct platform_device *pdev) + + mhdp->info = of_device_get_match_data(dev); + +- clk_prepare_enable(clk); +- + pm_runtime_enable(dev); + ret = pm_runtime_resume_and_get(dev); + if (ret < 0) { + dev_err(dev, "pm_runtime_resume_and_get failed\n"); + pm_runtime_disable(dev); +- goto clk_disable; ++ return ret; + } + + if (mhdp->info && mhdp->info->ops && mhdp->info->ops->init) { +@@ -2590,8 +2588,6 @@ static int cdns_mhdp_probe(struct platform_device *pdev) + runtime_put: + pm_runtime_put_sync(dev); + pm_runtime_disable(dev); +-clk_disable: +- clk_disable_unprepare(mhdp->clk); + + return ret; + } +@@ -2632,8 +2628,6 @@ static void cdns_mhdp_remove(struct platform_device *pdev) + cancel_work_sync(&mhdp->modeset_retry_work); + flush_work(&mhdp->hpd_work); + /* Ignoring mhdp->hdcp.check_work and mhdp->hdcp.prop_work here. */ +- +- clk_disable_unprepare(mhdp->clk); + } + + static const struct of_device_id mhdp_ids[] = { +-- +2.39.5 + diff --git a/queue-6.12/greybus-gb-beagleplay-add-error-handling-for-gb_grey.patch b/queue-6.12/greybus-gb-beagleplay-add-error-handling-for-gb_grey.patch new file mode 100644 index 0000000000..57d8aa721b --- /dev/null +++ b/queue-6.12/greybus-gb-beagleplay-add-error-handling-for-gb_grey.patch @@ -0,0 +1,42 @@ +From 36e72444fb742c58dcbb16a5e70f79f79152b6c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 22:05:47 +0800 +Subject: greybus: gb-beagleplay: Add error handling for gb_greybus_init + +From: Wentao Liang + +[ Upstream commit be382372d55d65b5c7e5a523793ca5e403f8c595 ] + +Add error handling for the gb_greybus_init(bg) function call +during the firmware reflash process to maintain consistency +in error handling throughout the codebase. If initialization +fails, log an error and return FW_UPLOAD_ERR_RW_ERROR. + +Fixes: 0cf7befa3ea2 ("greybus: gb-beagleplay: Add firmware upload API") +Signed-off-by: Wentao Liang +Reviewed-by: Ayush Singh +Link: https://lore.kernel.org/r/20250120140547.1460-1-vulab@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/greybus/gb-beagleplay.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/greybus/gb-beagleplay.c b/drivers/greybus/gb-beagleplay.c +index 473ac3f2d3821..da31f1131afca 100644 +--- a/drivers/greybus/gb-beagleplay.c ++++ b/drivers/greybus/gb-beagleplay.c +@@ -912,7 +912,9 @@ static enum fw_upload_err cc1352_prepare(struct fw_upload *fw_upload, + cc1352_bootloader_reset(bg); + WRITE_ONCE(bg->flashing_mode, false); + msleep(200); +- gb_greybus_init(bg); ++ if (gb_greybus_init(bg) < 0) ++ return dev_err_probe(&bg->sd->dev, FW_UPLOAD_ERR_RW_ERROR, ++ "Failed to initialize greybus"); + gb_beagleplay_start_svc(bg); + return FW_UPLOAD_ERR_FW_INVALID; + } +-- +2.39.5 + diff --git a/queue-6.12/hid-i2c-hid-improve-i2c_hid_get_report-error-message.patch b/queue-6.12/hid-i2c-hid-improve-i2c_hid_get_report-error-message.patch new file mode 100644 index 0000000000..62d7172d6f --- /dev/null +++ b/queue-6.12/hid-i2c-hid-improve-i2c_hid_get_report-error-message.patch @@ -0,0 +1,43 @@ +From 64f91ec14683dcde370776d576a998acf600c0cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 19:04:18 +0800 +Subject: HID: i2c-hid: improve i2c_hid_get_report error message + +From: Wentao Guan + +[ Upstream commit 723aa55c08c9d1e0734e39a815fd41272eac8269 ] + +We have two places to print "failed to set a report to ...", +use "get a report from" instead of "set a report to", it makes +people who knows less about the module to know where the error +happened. + +Before: +i2c_hid_acpi i2c-FTSC1000:00: failed to set a report to device: -11 + +After: +i2c_hid_acpi i2c-FTSC1000:00: failed to get a report from device: -11 + +Signed-off-by: Wentao Guan +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c +index 4e87380d3edd6..bcca89ef73606 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -284,7 +284,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid, + ihid->rawbuf, recv_len + sizeof(__le16)); + if (error) { + dev_err(&ihid->client->dev, +- "failed to set a report to device: %d\n", error); ++ "failed to get a report from device: %d\n", error); + return error; + } + +-- +2.39.5 + diff --git a/queue-6.12/hid-remove-superfluous-and-wrong-makefile-entry-for-.patch b/queue-6.12/hid-remove-superfluous-and-wrong-makefile-entry-for-.patch new file mode 100644 index 0000000000..69f882a92d --- /dev/null +++ b/queue-6.12/hid-remove-superfluous-and-wrong-makefile-entry-for-.patch @@ -0,0 +1,44 @@ +From a001ac854dd8fd77f32f99e54ad780e3b8d90b99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 09:08:22 +0100 +Subject: HID: remove superfluous (and wrong) Makefile entry for + CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER + +From: Jiri Kosina + +[ Upstream commit fe0fb58325e519008e2606a5aa2cff7ad23e212d ] + +The line + + obj-$(INTEL_ISH_FIRMWARE_DOWNLOADER) += intel-ish-hid/ + +in top-level HID Makefile is both superfluous (as CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER +depends on CONFIG_INTEL_ISH_HID, which contains intel-ish-hid/ already) and wrong (as it's +missing the CONFIG_ prefix). + +Just remove it. + +Fixes: 91b228107da3e ("HID: intel-ish-hid: ISH firmware loader client driver") +Reported-by: Jiri Slaby +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/Makefile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile +index 496dab54c73a8..f2900ee2ef858 100644 +--- a/drivers/hid/Makefile ++++ b/drivers/hid/Makefile +@@ -165,7 +165,6 @@ obj-$(CONFIG_USB_KBD) += usbhid/ + obj-$(CONFIG_I2C_HID_CORE) += i2c-hid/ + + obj-$(CONFIG_INTEL_ISH_HID) += intel-ish-hid/ +-obj-$(INTEL_ISH_FIRMWARE_DOWNLOADER) += intel-ish-hid/ + + obj-$(CONFIG_AMD_SFH_HID) += amd-sfh-hid/ + +-- +2.39.5 + diff --git a/queue-6.12/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch b/queue-6.12/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch new file mode 100644 index 0000000000..26714e4081 --- /dev/null +++ b/queue-6.12/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch @@ -0,0 +1,40 @@ +From 0a0a4d16c686feb348d53c25a851cb3ad80de9de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 05:08:32 +0200 +Subject: hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} + +From: Tasos Sahanidis + +[ Upstream commit 815f80ad20b63830949a77c816e35395d5d55144 ] + +pwm_num is set to 7 for these chips, but NCT6776_REG_PWM_MODE and +NCT6776_PWM_MODE_MASK only contain 6 values. + +Fix this by adding another 0 to the end of each array. + +Signed-off-by: Tasos Sahanidis +Link: https://lore.kernel.org/r/20250312030832.106475-1-tasos@tasossah.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c +index fa3351351825b..79bc67ffb9986 100644 +--- a/drivers/hwmon/nct6775-core.c ++++ b/drivers/hwmon/nct6775-core.c +@@ -273,8 +273,8 @@ static const s8 NCT6776_BEEP_BITS[NUM_BEEP_BITS] = { + static const u16 NCT6776_REG_TOLERANCE_H[] = { + 0x10c, 0x20c, 0x30c, 0x80c, 0x90c, 0xa0c, 0xb0c }; + +-static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0 }; +-static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0 }; ++static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0, 0 }; ++static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0, 0 }; + + static const u16 NCT6776_REG_FAN_MIN[] = { + 0x63a, 0x63c, 0x63e, 0x640, 0x642, 0x64a, 0x64c }; +-- +2.39.5 + diff --git a/queue-6.12/i3c-master-svc-fix-missing-the-ibi-rules.patch b/queue-6.12/i3c-master-svc-fix-missing-the-ibi-rules.patch new file mode 100644 index 0000000000..c4ea40cb37 --- /dev/null +++ b/queue-6.12/i3c-master-svc-fix-missing-the-ibi-rules.patch @@ -0,0 +1,40 @@ +From 101da2fb75d802471b97345d84ed46a044d40a36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 13:36:04 +0800 +Subject: i3c: master: svc: Fix missing the IBI rules + +From: Stanley Chu + +[ Upstream commit 9cecad134d84d14dc72a0eea7a107691c3e5a837 ] + +The code does not add IBI rules for devices with controller capability. +However, the secondary controller has the controller capability and works +at target mode when the device is probed. Therefore, add IBI rules for +such devices. + +Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver") +Signed-off-by: Stanley Chu +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250318053606.3087121-2-yschu@nuvoton.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master/svc-i3c-master.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c +index 565af3759813b..87f98fa8afd58 100644 +--- a/drivers/i3c/master/svc-i3c-master.c ++++ b/drivers/i3c/master/svc-i3c-master.c +@@ -990,7 +990,7 @@ static int svc_i3c_update_ibirules(struct svc_i3c_master *master) + + /* Create the IBIRULES register for both cases */ + i3c_bus_for_each_i3cdev(&master->base.bus, dev) { +- if (I3C_BCR_DEVICE_ROLE(dev->info.bcr) == I3C_BCR_I3C_MASTER) ++ if (!(dev->info.bcr & I3C_BCR_IBI_REQ_CAP)) + continue; + + if (dev->info.bcr & I3C_BCR_IBI_PAYLOAD) { +-- +2.39.5 + diff --git a/queue-6.12/ib-mad-check-available-slots-before-posting-receive-.patch b/queue-6.12/ib-mad-check-available-slots-before-posting-receive-.patch new file mode 100644 index 0000000000..4daeeca0d5 --- /dev/null +++ b/queue-6.12/ib-mad-check-available-slots-before-posting-receive-.patch @@ -0,0 +1,133 @@ +From 1b0e09cb5a9f0cb9ac8c29b1cfa9de06bbc55742 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:20:17 +0200 +Subject: IB/mad: Check available slots before posting receive WRs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maher Sanalla + +[ Upstream commit 37826f0a8c2f6b6add5179003b8597e32a445362 ] + +The ib_post_receive_mads() function handles posting receive work +requests (WRs) to MAD QPs and is called in two cases: +1) When a MAD port is opened. +2) When a receive WQE is consumed upon receiving a new MAD. + +Whereas, if MADs arrive during the port open phase, a race condition +might cause an extra WR to be posted, exceeding the QP’s capacity. +This leads to failures such as: +infiniband mlx5_0: ib_post_recv failed: -12 +infiniband mlx5_0: Couldn't post receive WRs +infiniband mlx5_0: Couldn't start port +infiniband mlx5_0: Couldn't open port 1 + +Fix this by checking the current receive count before posting a new WR. +If the QP’s receive queue is full, do not post additional WRs. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Maher Sanalla +Link: https://patch.msgid.link/c4984ba3c3a98a5711a558bccefcad789587ecf1.1741875592.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/mad.c | 38 ++++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index 1fd54d5c4dd8b..73f3a0b9a54b5 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -2671,11 +2671,11 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + struct ib_mad_private *mad) + { + unsigned long flags; +- int post, ret; + struct ib_mad_private *mad_priv; + struct ib_sge sg_list; + struct ib_recv_wr recv_wr; + struct ib_mad_queue *recv_queue = &qp_info->recv_queue; ++ int ret = 0; + + /* Initialize common scatter list fields */ + sg_list.lkey = qp_info->port_priv->pd->local_dma_lkey; +@@ -2685,7 +2685,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + recv_wr.sg_list = &sg_list; + recv_wr.num_sge = 1; + +- do { ++ while (true) { + /* Allocate and map receive buffer */ + if (mad) { + mad_priv = mad; +@@ -2693,10 +2693,8 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + } else { + mad_priv = alloc_mad_private(port_mad_size(qp_info->port_priv), + GFP_ATOMIC); +- if (!mad_priv) { +- ret = -ENOMEM; +- break; +- } ++ if (!mad_priv) ++ return -ENOMEM; + } + sg_list.length = mad_priv_dma_size(mad_priv); + sg_list.addr = ib_dma_map_single(qp_info->port_priv->device, +@@ -2705,37 +2703,41 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + DMA_FROM_DEVICE); + if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device, + sg_list.addr))) { +- kfree(mad_priv); + ret = -ENOMEM; +- break; ++ goto free_mad_priv; + } + mad_priv->header.mapping = sg_list.addr; + mad_priv->header.mad_list.mad_queue = recv_queue; + mad_priv->header.mad_list.cqe.done = ib_mad_recv_done; + recv_wr.wr_cqe = &mad_priv->header.mad_list.cqe; +- +- /* Post receive WR */ + spin_lock_irqsave(&recv_queue->lock, flags); +- post = (++recv_queue->count < recv_queue->max_active); +- list_add_tail(&mad_priv->header.mad_list.list, &recv_queue->list); ++ if (recv_queue->count >= recv_queue->max_active) { ++ /* Fully populated the receive queue */ ++ spin_unlock_irqrestore(&recv_queue->lock, flags); ++ break; ++ } ++ recv_queue->count++; ++ list_add_tail(&mad_priv->header.mad_list.list, ++ &recv_queue->list); + spin_unlock_irqrestore(&recv_queue->lock, flags); ++ + ret = ib_post_recv(qp_info->qp, &recv_wr, NULL); + if (ret) { + spin_lock_irqsave(&recv_queue->lock, flags); + list_del(&mad_priv->header.mad_list.list); + recv_queue->count--; + spin_unlock_irqrestore(&recv_queue->lock, flags); +- ib_dma_unmap_single(qp_info->port_priv->device, +- mad_priv->header.mapping, +- mad_priv_dma_size(mad_priv), +- DMA_FROM_DEVICE); +- kfree(mad_priv); + dev_err(&qp_info->port_priv->device->dev, + "ib_post_recv failed: %d\n", ret); + break; + } +- } while (post); ++ } + ++ ib_dma_unmap_single(qp_info->port_priv->device, ++ mad_priv->header.mapping, ++ mad_priv_dma_size(mad_priv), DMA_FROM_DEVICE); ++free_mad_priv: ++ kfree(mad_priv); + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.12/idpf-fix-adapter-null-pointer-dereference-on-reboot.patch b/queue-6.12/idpf-fix-adapter-null-pointer-dereference-on-reboot.patch new file mode 100644 index 0000000000..87efac30d2 --- /dev/null +++ b/queue-6.12/idpf-fix-adapter-null-pointer-dereference-on-reboot.patch @@ -0,0 +1,77 @@ +From 416063ecd21f73539ddda7243b7bc33c5ea51659 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Mar 2025 22:42:02 -0700 +Subject: idpf: fix adapter NULL pointer dereference on reboot + +From: Emil Tantilov + +[ Upstream commit 4c9106f4906a85f6b13542d862e423bcdc118cc3 ] + +With SRIOV enabled, idpf ends up calling into idpf_remove() twice. +First via idpf_shutdown() and then again when idpf_remove() calls into +sriov_disable(), because the VF devices use the idpf driver, hence the +same remove routine. When that happens, it is possible for the adapter +to be NULL from the first call to idpf_remove(), leading to a NULL +pointer dereference. + +echo 1 > /sys/class/net//device/sriov_numvfs +reboot + +BUG: kernel NULL pointer dereference, address: 0000000000000020 +... +RIP: 0010:idpf_remove+0x22/0x1f0 [idpf] +... +? idpf_remove+0x22/0x1f0 [idpf] +? idpf_remove+0x1e4/0x1f0 [idpf] +pci_device_remove+0x3f/0xb0 +device_release_driver_internal+0x19f/0x200 +pci_stop_bus_device+0x6d/0x90 +pci_stop_and_remove_bus_device+0x12/0x20 +pci_iov_remove_virtfn+0xbe/0x120 +sriov_disable+0x34/0xe0 +idpf_sriov_configure+0x58/0x140 [idpf] +idpf_remove+0x1b9/0x1f0 [idpf] +idpf_shutdown+0x12/0x30 [idpf] +pci_device_shutdown+0x35/0x60 +device_shutdown+0x156/0x200 +... + +Replace the direct idpf_remove() call in idpf_shutdown() with +idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform +the bulk of the cleanup, such as stopping the init task, freeing IRQs, +destroying the vports and freeing the mailbox. This avoids the calls to +sriov_disable() in addition to a small netdev cleanup, and destroying +workqueues, which don't seem to be required on shutdown. + +Reported-by: Yuying Ma +Fixes: e850efed5e15 ("idpf: add module register and probe functionality") +Reviewed-by: Madhu Chittim +Signed-off-by: Emil Tantilov +Reviewed-by: Simon Horman +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_main.c b/drivers/net/ethernet/intel/idpf/idpf_main.c +index dfd56fc5ff655..7557bb6694c09 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_main.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_main.c +@@ -87,7 +87,11 @@ static void idpf_remove(struct pci_dev *pdev) + */ + static void idpf_shutdown(struct pci_dev *pdev) + { +- idpf_remove(pdev); ++ struct idpf_adapter *adapter = pci_get_drvdata(pdev); ++ ++ cancel_delayed_work_sync(&adapter->vc_event_task); ++ idpf_vc_core_deinit(adapter); ++ idpf_deinit_dflt_mbx(adapter); + + if (system_state == SYSTEM_POWER_OFF) + pci_set_power_state(pdev, PCI_D3hot); +-- +2.39.5 + diff --git a/queue-6.12/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch b/queue-6.12/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch new file mode 100644 index 0000000000..ba1032f12e --- /dev/null +++ b/queue-6.12/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch @@ -0,0 +1,61 @@ +From 91f045e6ddea06a8c52aeeadfc5c4deb41acb6ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 14:01:28 +0000 +Subject: iio: accel: mma8452: Ensure error return on failure to matching + oversampling ratio + +From: Jonathan Cameron + +[ Upstream commit df330c808182a8beab5d0f84a6cbc9cff76c61fc ] + +If a match was not found, then the write_raw() callback would return +the odr index, not an error. Return -EINVAL if this occurs. +To avoid similar issues in future, introduce j, a new indexing variable +rather than using ret for this purpose. + +Fixes: 79de2ee469aa ("iio: accel: mma8452: claim direct mode during write raw") +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250217140135.896574-2-jic23@kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/mma8452.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c +index 62e6369e22696..de207526babee 100644 +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -711,7 +711,7 @@ static int mma8452_write_raw(struct iio_dev *indio_dev, + int val, int val2, long mask) + { + struct mma8452_data *data = iio_priv(indio_dev); +- int i, ret; ++ int i, j, ret; + + ret = iio_device_claim_direct_mode(indio_dev); + if (ret) +@@ -771,14 +771,18 @@ static int mma8452_write_raw(struct iio_dev *indio_dev, + break; + + case IIO_CHAN_INFO_OVERSAMPLING_RATIO: +- ret = mma8452_get_odr_index(data); ++ j = mma8452_get_odr_index(data); + + for (i = 0; i < ARRAY_SIZE(mma8452_os_ratio); i++) { +- if (mma8452_os_ratio[i][ret] == val) { ++ if (mma8452_os_ratio[i][j] == val) { + ret = mma8452_set_power_mode(data, i); + break; + } + } ++ if (i == ARRAY_SIZE(mma8452_os_ratio)) { ++ ret = -EINVAL; ++ break; ++ } + break; + default: + ret = -EINVAL; +-- +2.39.5 + diff --git a/queue-6.12/iio-accel-msa311-fix-failure-to-release-runtime-pm-i.patch b/queue-6.12/iio-accel-msa311-fix-failure-to-release-runtime-pm-i.patch new file mode 100644 index 0000000000..b0e9efddf0 --- /dev/null +++ b/queue-6.12/iio-accel-msa311-fix-failure-to-release-runtime-pm-i.patch @@ -0,0 +1,100 @@ +From e2b128ae993d981bbb4068fdafd813c0823a5cc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 14:01:33 +0000 +Subject: iio: accel: msa311: Fix failure to release runtime pm if direct mode + claim fails. + +From: Jonathan Cameron + +[ Upstream commit 60a0cf2ebab92011055ab7db6553c0fc3c546938 ] + +Reorder the claiming of direct mode and runtime pm calls to simplify +handling a little. For correct error handling, after the reorder +iio_device_release_direct_mode() must be claimed in an error occurs +in pm_runtime_resume_and_get() + +Fixes: 1ca2cfbc0c33 ("iio: add MEMSensing MSA311 3-axis accelerometer driver") +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250217140135.896574-7-jic23@kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/msa311.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/drivers/iio/accel/msa311.c b/drivers/iio/accel/msa311.c +index 57025354c7cd5..f484be27058d9 100644 +--- a/drivers/iio/accel/msa311.c ++++ b/drivers/iio/accel/msa311.c +@@ -593,23 +593,25 @@ static int msa311_read_raw_data(struct iio_dev *indio_dev, + __le16 axis; + int err; + +- err = pm_runtime_resume_and_get(dev); ++ err = iio_device_claim_direct_mode(indio_dev); + if (err) + return err; + +- err = iio_device_claim_direct_mode(indio_dev); +- if (err) ++ err = pm_runtime_resume_and_get(dev); ++ if (err) { ++ iio_device_release_direct_mode(indio_dev); + return err; ++ } + + mutex_lock(&msa311->lock); + err = msa311_get_axis(msa311, chan, &axis); + mutex_unlock(&msa311->lock); + +- iio_device_release_direct_mode(indio_dev); +- + pm_runtime_mark_last_busy(dev); + pm_runtime_put_autosuspend(dev); + ++ iio_device_release_direct_mode(indio_dev); ++ + if (err) { + dev_err(dev, "can't get axis %s (%pe)\n", + chan->datasheet_name, ERR_PTR(err)); +@@ -755,10 +757,6 @@ static int msa311_write_samp_freq(struct iio_dev *indio_dev, int val, int val2) + unsigned int odr; + int err; + +- err = pm_runtime_resume_and_get(dev); +- if (err) +- return err; +- + /* + * Sampling frequency changing is prohibited when buffer mode is + * enabled, because sometimes MSA311 chip returns outliers during +@@ -768,6 +766,12 @@ static int msa311_write_samp_freq(struct iio_dev *indio_dev, int val, int val2) + if (err) + return err; + ++ err = pm_runtime_resume_and_get(dev); ++ if (err) { ++ iio_device_release_direct_mode(indio_dev); ++ return err; ++ } ++ + err = -EINVAL; + for (odr = 0; odr < ARRAY_SIZE(msa311_odr_table); odr++) + if (val == msa311_odr_table[odr].integral && +@@ -778,11 +782,11 @@ static int msa311_write_samp_freq(struct iio_dev *indio_dev, int val, int val2) + break; + } + +- iio_device_release_direct_mode(indio_dev); +- + pm_runtime_mark_last_busy(dev); + pm_runtime_put_autosuspend(dev); + ++ iio_device_release_direct_mode(indio_dev); ++ + if (err) + dev_err(dev, "can't update frequency (%pe)\n", ERR_PTR(err)); + +-- +2.39.5 + diff --git a/queue-6.12/iio-adc-ad4130-fix-comparison-of-channel-setups.patch b/queue-6.12/iio-adc-ad4130-fix-comparison-of-channel-setups.patch new file mode 100644 index 0000000000..f5646ca62f --- /dev/null +++ b/queue-6.12/iio-adc-ad4130-fix-comparison-of-channel-setups.patch @@ -0,0 +1,109 @@ +From 484d3f1ae01958aaaff2242e9f7a2b280076b67e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 12:47:00 +0100 +Subject: iio: adc: ad4130: Fix comparison of channel setups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 280acb19824663d55a3f4d09087c76fabe86fa3c ] + +Checking the binary representation of two structs (of the same type) +for equality doesn't have the same semantic as comparing all members for +equality. The former might find a difference where the latter doesn't in +the presence of padding or when ambiguous types like float or bool are +involved. (Floats typically have different representations for single +values, like -0.0 vs +0.0, or 0.5 * 2² vs 0.25 * 2³. The type bool has +at least 8 bits and the raw values 1 and 2 (probably) both evaluate to +true, but memcmp finds a difference.) + +When searching for a channel that already has the configuration we need, +the comparison by member is the one that is needed. + +Convert the comparison accordingly to compare the members one after +another. Also add a static_assert guard to (somewhat) ensure that when +struct ad4130_setup_info is expanded, the comparison is adapted, too. + +This issue is somewhat theoretic, but using memcmp() on a struct is a +bad pattern that is worth fixing. + +Fixes: 62094060cf3a ("iio: adc: ad4130: add AD4130 driver") +Signed-off-by: Uwe Kleine-König +Link: https://patch.msgid.link/20250303114659.1672695-12-u.kleine-koenig@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad4130.c | 41 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 39 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/ad4130.c b/drivers/iio/adc/ad4130.c +index de32cc9d18c5e..712f95f53c9ec 100644 +--- a/drivers/iio/adc/ad4130.c ++++ b/drivers/iio/adc/ad4130.c +@@ -223,6 +223,10 @@ enum ad4130_pin_function { + AD4130_PIN_FN_VBIAS = BIT(3), + }; + ++/* ++ * If you make adaptations in this struct, you most likely also have to adapt ++ * ad4130_setup_info_eq(), too. ++ */ + struct ad4130_setup_info { + unsigned int iout0_val; + unsigned int iout1_val; +@@ -591,6 +595,40 @@ static irqreturn_t ad4130_irq_handler(int irq, void *private) + return IRQ_HANDLED; + } + ++static bool ad4130_setup_info_eq(struct ad4130_setup_info *a, ++ struct ad4130_setup_info *b) ++{ ++ /* ++ * This is just to make sure that the comparison is adapted after ++ * struct ad4130_setup_info was changed. ++ */ ++ static_assert(sizeof(*a) == ++ sizeof(struct { ++ unsigned int iout0_val; ++ unsigned int iout1_val; ++ unsigned int burnout; ++ unsigned int pga; ++ unsigned int fs; ++ u32 ref_sel; ++ enum ad4130_filter_mode filter_mode; ++ bool ref_bufp; ++ bool ref_bufm; ++ })); ++ ++ if (a->iout0_val != b->iout0_val || ++ a->iout1_val != b->iout1_val || ++ a->burnout != b->burnout || ++ a->pga != b->pga || ++ a->fs != b->fs || ++ a->ref_sel != b->ref_sel || ++ a->filter_mode != b->filter_mode || ++ a->ref_bufp != b->ref_bufp || ++ a->ref_bufm != b->ref_bufm) ++ return false; ++ ++ return true; ++} ++ + static int ad4130_find_slot(struct ad4130_state *st, + struct ad4130_setup_info *target_setup_info, + unsigned int *slot, bool *overwrite) +@@ -604,8 +642,7 @@ static int ad4130_find_slot(struct ad4130_state *st, + struct ad4130_slot_info *slot_info = &st->slots_info[i]; + + /* Immediately accept a matching setup info. */ +- if (!memcmp(target_setup_info, &slot_info->setup, +- sizeof(*target_setup_info))) { ++ if (ad4130_setup_info_eq(target_setup_info, &slot_info->setup)) { + *slot = i; + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/iio-adc-ad7124-fix-comparison-of-channel-configs.patch b/queue-6.12/iio-adc-ad7124-fix-comparison-of-channel-configs.patch new file mode 100644 index 0000000000..0a89555ed7 --- /dev/null +++ b/queue-6.12/iio-adc-ad7124-fix-comparison-of-channel-configs.patch @@ -0,0 +1,103 @@ +From 36f767dfb9dcd8c8bc900877840647373d976d54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 12:47:01 +0100 +Subject: iio: adc: ad7124: Fix comparison of channel configs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 05a5d874f7327b75e9bc4359618017e047cc129c ] + +Checking the binary representation of two structs (of the same type) +for equality doesn't have the same semantic as comparing all members for +equality. The former might find a difference where the latter doesn't in +the presence of padding or when ambiguous types like float or bool are +involved. (Floats typically have different representations for single +values, like -0.0 vs +0.0, or 0.5 * 2² vs 0.25 * 2³. The type bool has +at least 8 bits and the raw values 1 and 2 (probably) both evaluate to +true, but memcmp finds a difference.) + +When searching for a channel that already has the configuration we need, +the comparison by member is the one that is needed. + +Convert the comparison accordingly to compare the members one after +another. Also add a static_assert guard to (somewhat) ensure that when +struct ad7124_channel_config::config_props is expanded, the comparison +is adapted, too. + +This issue is somewhat theoretic, but using memcmp() on a struct is a +bad pattern that is worth fixing. + +Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels") +Signed-off-by: Uwe Kleine-König +Link: https://patch.msgid.link/20250303114659.1672695-13-u.kleine-koenig@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7124.c | 35 +++++++++++++++++++++++++++++++---- + 1 file changed, 31 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c +index 8d94bc2b1cac3..30a7392c4f8b9 100644 +--- a/drivers/iio/adc/ad7124.c ++++ b/drivers/iio/adc/ad7124.c +@@ -147,7 +147,11 @@ struct ad7124_chip_info { + struct ad7124_channel_config { + bool live; + unsigned int cfg_slot; +- /* Following fields are used to compare equality. */ ++ /* ++ * Following fields are used to compare for equality. If you ++ * make adaptations in it, you most likely also have to adapt ++ * ad7124_find_similar_live_cfg(), too. ++ */ + struct_group(config_props, + enum ad7124_ref_sel refsel; + bool bipolar; +@@ -334,15 +338,38 @@ static struct ad7124_channel_config *ad7124_find_similar_live_cfg(struct ad7124_ + struct ad7124_channel_config *cfg) + { + struct ad7124_channel_config *cfg_aux; +- ptrdiff_t cmp_size; + int i; + +- cmp_size = sizeof_field(struct ad7124_channel_config, config_props); ++ /* ++ * This is just to make sure that the comparison is adapted after ++ * struct ad7124_channel_config was changed. ++ */ ++ static_assert(sizeof_field(struct ad7124_channel_config, config_props) == ++ sizeof(struct { ++ enum ad7124_ref_sel refsel; ++ bool bipolar; ++ bool buf_positive; ++ bool buf_negative; ++ unsigned int vref_mv; ++ unsigned int pga_bits; ++ unsigned int odr; ++ unsigned int odr_sel_bits; ++ unsigned int filter_type; ++ })); ++ + for (i = 0; i < st->num_channels; i++) { + cfg_aux = &st->channels[i].cfg; + + if (cfg_aux->live && +- !memcmp(&cfg->config_props, &cfg_aux->config_props, cmp_size)) ++ cfg->refsel == cfg_aux->refsel && ++ cfg->bipolar == cfg_aux->bipolar && ++ cfg->buf_positive == cfg_aux->buf_positive && ++ cfg->buf_negative == cfg_aux->buf_negative && ++ cfg->vref_mv == cfg_aux->vref_mv && ++ cfg->pga_bits == cfg_aux->pga_bits && ++ cfg->odr == cfg_aux->odr && ++ cfg->odr_sel_bits == cfg_aux->odr_sel_bits && ++ cfg->filter_type == cfg_aux->filter_type) + return cfg_aux; + } + +-- +2.39.5 + diff --git a/queue-6.12/iio-adc-ad7173-fix-comparison-of-channel-configs.patch b/queue-6.12/iio-adc-ad7173-fix-comparison-of-channel-configs.patch new file mode 100644 index 0000000000..6904e64b9c --- /dev/null +++ b/queue-6.12/iio-adc-ad7173-fix-comparison-of-channel-configs.patch @@ -0,0 +1,93 @@ +From 76773b9670079e20ba8e0ba99bfd0799897cc023 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 12:47:02 +0100 +Subject: iio: adc: ad7173: Fix comparison of channel configs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 7b6033ed5a9e1a369a9cf58018388ae4c5f17e41 ] + +Checking the binary representation of two structs (of the same type) +for equality doesn't have the same semantic as comparing all members for +equality. The former might find a difference where the latter doesn't in +the presence of padding or when ambiguous types like float or bool are +involved. (Floats typically have different representations for single +values, like -0.0 vs +0.0, or 0.5 * 2² vs 0.25 * 2³. The type bool has +at least 8 bits and the raw values 1 and 2 (probably) both evaluate to +true, but memcmp finds a difference.) + +When searching for a channel that already has the configuration we need, +the comparison by member is the one that is needed. + +Convert the comparison accordingly to compare the members one after +another. Also add a static_assert guard to (somewhat) ensure that when +struct ad7173_channel_config::config_props is expanded, the comparison +is adapted, too. + +This issue is somewhat theoretic, but using memcmp() on a struct is a +bad pattern that is worth fixing. + +Fixes: 76a1e6a42802 ("iio: adc: ad7173: add AD7173 driver") +Signed-off-by: Uwe Kleine-König +Link: https://patch.msgid.link/20250303114659.1672695-14-u.kleine-koenig@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7173.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c +index 5a65be00dd190..2eebc6f761a63 100644 +--- a/drivers/iio/adc/ad7173.c ++++ b/drivers/iio/adc/ad7173.c +@@ -181,7 +181,11 @@ struct ad7173_channel_config { + u8 cfg_slot; + bool live; + +- /* Following fields are used to compare equality. */ ++ /* ++ * Following fields are used to compare equality. If you ++ * make adaptations in it, you most likely also have to adapt ++ * ad7173_find_live_config(), too. ++ */ + struct_group(config_props, + bool bipolar; + bool input_buf; +@@ -582,15 +586,28 @@ static struct ad7173_channel_config * + ad7173_find_live_config(struct ad7173_state *st, struct ad7173_channel_config *cfg) + { + struct ad7173_channel_config *cfg_aux; +- ptrdiff_t cmp_size; + int i; + +- cmp_size = sizeof_field(struct ad7173_channel_config, config_props); ++ /* ++ * This is just to make sure that the comparison is adapted after ++ * struct ad7173_channel_config was changed. ++ */ ++ static_assert(sizeof_field(struct ad7173_channel_config, config_props) == ++ sizeof(struct { ++ bool bipolar; ++ bool input_buf; ++ u8 odr; ++ u8 ref_sel; ++ })); ++ + for (i = 0; i < st->num_channels; i++) { + cfg_aux = &st->channels[i].cfg; + + if (cfg_aux->live && +- !memcmp(&cfg->config_props, &cfg_aux->config_props, cmp_size)) ++ cfg->bipolar == cfg_aux->bipolar && ++ cfg->input_buf == cfg_aux->input_buf && ++ cfg->odr == cfg_aux->odr && ++ cfg->ref_sel == cfg_aux->ref_sel) + return cfg_aux; + } + return NULL; +-- +2.39.5 + diff --git a/queue-6.12/iio-adc-ad7768-1-set-mosi-idle-state-to-prevent-acci.patch b/queue-6.12/iio-adc-ad7768-1-set-mosi-idle-state-to-prevent-acci.patch new file mode 100644 index 0000000000..f58d4db49c --- /dev/null +++ b/queue-6.12/iio-adc-ad7768-1-set-mosi-idle-state-to-prevent-acci.patch @@ -0,0 +1,55 @@ +From 483357325b7a48f0f7d7b3068ed4fb200ae8acf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 18:00:43 -0300 +Subject: iio: adc: ad7768-1: set MOSI idle state to prevent accidental reset + +From: Jonathan Santos + +[ Upstream commit 2416cec859299be04d021b4cf98eff814f345af7 ] + +Datasheet recommends Setting the MOSI idle state to high in order to +prevent accidental reset of the device when SCLK is free running. +This happens when the controller clocks out a 1 followed by 63 zeros +while the CS is held low. + +Check if SPI controller supports SPI_MOSI_IDLE_HIGH flag and set it. + +Fixes: a5f8c7da3dbe ("iio: adc: Add AD7768-1 ADC basic support") +Signed-off-by: Jonathan Santos +Reviewed-by: Marcelo Schmitt +Link: https://patch.msgid.link/c2a2b0f3d54829079763a5511359a1fa80516cfb.1741268122.git.Jonathan.Santos@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7768-1.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c +index 113703fb72454..6f8816483f1a0 100644 +--- a/drivers/iio/adc/ad7768-1.c ++++ b/drivers/iio/adc/ad7768-1.c +@@ -574,6 +574,21 @@ static int ad7768_probe(struct spi_device *spi) + return -ENOMEM; + + st = iio_priv(indio_dev); ++ /* ++ * Datasheet recommends SDI line to be kept high when data is not being ++ * clocked out of the controller and the spi clock is free running, ++ * to prevent accidental reset. ++ * Since many controllers do not support the SPI_MOSI_IDLE_HIGH flag ++ * yet, only request the MOSI idle state to enable if the controller ++ * supports it. ++ */ ++ if (spi->controller->mode_bits & SPI_MOSI_IDLE_HIGH) { ++ spi->mode |= SPI_MOSI_IDLE_HIGH; ++ ret = spi_setup(spi); ++ if (ret < 0) ++ return ret; ++ } ++ + st->spi = spi; + + st->vref = devm_regulator_get(&spi->dev, "vref"); +-- +2.39.5 + diff --git a/queue-6.12/iio-backend-make-sure-to-null-terminate-stack-buffer.patch b/queue-6.12/iio-backend-make-sure-to-null-terminate-stack-buffer.patch new file mode 100644 index 0000000000..e716701175 --- /dev/null +++ b/queue-6.12/iio-backend-make-sure-to-null-terminate-stack-buffer.patch @@ -0,0 +1,47 @@ +From fe958105fc336785453e5a84a91262c3e73f1955 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 10:31:25 +0000 +Subject: iio: backend: make sure to NULL terminate stack buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit 035b4989211dc1c8626e186d655ae8ca5141bb73 ] + +Make sure to NULL terminate the buffer in +iio_backend_debugfs_write_reg() before passing it to sscanf(). It is a +stack variable so we should not assume it will 0 initialized. + +Fixes: cdf01e0809a4 ("iio: backend: add debugFs interface") +Signed-off-by: Nuno Sá +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250218-dev-iio-misc-v1-1-bf72b20a1eb8@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/industrialio-backend.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/industrialio-backend.c b/drivers/iio/industrialio-backend.c +index fb34a8e4d04e7..42e0ee683ef6b 100644 +--- a/drivers/iio/industrialio-backend.c ++++ b/drivers/iio/industrialio-backend.c +@@ -155,10 +155,12 @@ static ssize_t iio_backend_debugfs_write_reg(struct file *file, + ssize_t rc; + int ret; + +- rc = simple_write_to_buffer(buf, sizeof(buf), ppos, userbuf, count); ++ rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count); + if (rc < 0) + return rc; + ++ buf[count] = '\0'; ++ + ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val); + + switch (ret) { +-- +2.39.5 + diff --git a/queue-6.12/iio-light-add-check-for-array-bounds-in-veml6075_rea.patch b/queue-6.12/iio-light-add-check-for-array-bounds-in-veml6075_rea.patch new file mode 100644 index 0000000000..ce9c3150bd --- /dev/null +++ b/queue-6.12/iio-light-add-check-for-array-bounds-in-veml6075_rea.patch @@ -0,0 +1,59 @@ +From a6b98e350b85c0e11282ff7776171b159afd72f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 17:34:36 +0000 +Subject: iio: light: Add check for array bounds in veml6075_read_int_time_ms + +From: Karan Sanghavi + +[ Upstream commit ee735aa33db16c1fb5ebccbaf84ad38f5583f3cc ] + +The array contains only 5 elements, but the index calculated by +veml6075_read_int_time_index can range from 0 to 7, +which could lead to out-of-bounds access. The check prevents this issue. + +Coverity Issue +CID 1574309: (#1 of 1): Out-of-bounds read (OVERRUN) +overrun-local: Overrunning array veml6075_it_ms of 5 4-byte +elements at element index 7 (byte offset 31) using +index int_index (which evaluates to 7) + +This is hardening against potentially broken hardware. Good to have +but not necessary to backport. + +Fixes: 3b82f43238ae ("iio: light: add VEML6075 UVA and UVB light sensor driver") +Signed-off-by: Karan Sanghavi +Reviewed-by: Javier Carrasco +Link: https://patch.msgid.link/Z7dnrEpKQdRZ2qFU@Emma +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/light/veml6075.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/light/veml6075.c b/drivers/iio/light/veml6075.c +index 05d4c0e9015d6..859891e8f1152 100644 +--- a/drivers/iio/light/veml6075.c ++++ b/drivers/iio/light/veml6075.c +@@ -195,13 +195,17 @@ static int veml6075_read_uv_direct(struct veml6075_data *data, int chan, + + static int veml6075_read_int_time_index(struct veml6075_data *data) + { +- int ret, conf; ++ int ret, conf, int_index; + + ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf); + if (ret < 0) + return ret; + +- return FIELD_GET(VEML6075_CONF_IT, conf); ++ int_index = FIELD_GET(VEML6075_CONF_IT, conf); ++ if (int_index >= ARRAY_SIZE(veml6075_it_ms)) ++ return -EINVAL; ++ ++ return int_index; + } + + static int veml6075_read_int_time_ms(struct veml6075_data *data, int *val) +-- +2.39.5 + diff --git a/queue-6.12/ipv6-do-not-consider-link-down-nexthops-in-path-sele.patch b/queue-6.12/ipv6-do-not-consider-link-down-nexthops-in-path-sele.patch new file mode 100644 index 0000000000..12520b4048 --- /dev/null +++ b/queue-6.12/ipv6-do-not-consider-link-down-nexthops-in-path-sele.patch @@ -0,0 +1,64 @@ +From c624a0160ee981fdda6815c87c60f4c20caa0325 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 14:42:24 +0300 +Subject: ipv6: Do not consider link down nexthops in path selection + +From: Ido Schimmel + +[ Upstream commit 8b8e0dd357165e0258d9f9cdab5366720ed2f619 ] + +Nexthops whose link is down are not supposed to be considered during +path selection when the "ignore_routes_with_linkdown" sysctl is set. +This is done by assigning them a negative region boundary. + +However, when comparing the computed hash (unsigned) with the region +boundary (signed), the negative region boundary is treated as unsigned, +resulting in incorrect nexthop selection. + +Fix by treating the computed hash as signed. Note that the computed hash +is always in range of [0, 2^31 - 1]. + +Fixes: 3d709f69a3e7 ("ipv6: Use hash-threshold instead of modulo-N") +Signed-off-by: Ido Schimmel +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20250402114224.293392-3-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 54ce948835a09..987492dcb07ca 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -442,6 +442,7 @@ void fib6_select_path(const struct net *net, struct fib6_result *res, + { + struct fib6_info *first, *match = res->f6i; + struct fib6_info *sibling; ++ int hash; + + if (!match->nh && (!match->fib6_nsiblings || have_oif_match)) + goto out; +@@ -468,7 +469,8 @@ void fib6_select_path(const struct net *net, struct fib6_result *res, + if (!first) + goto out; + +- if (fl6->mp_hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound) && ++ hash = fl6->mp_hash; ++ if (hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound) && + rt6_score_route(first->fib6_nh, first->fib6_flags, oif, + strict) >= 0) { + match = first; +@@ -481,7 +483,7 @@ void fib6_select_path(const struct net *net, struct fib6_result *res, + int nh_upper_bound; + + nh_upper_bound = atomic_read(&nh->fib_nh_upper_bound); +- if (fl6->mp_hash > nh_upper_bound) ++ if (hash > nh_upper_bound) + continue; + if (rt6_score_route(nh, sibling->fib6_flags, oif, strict) < 0) + break; +-- +2.39.5 + diff --git a/queue-6.12/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch b/queue-6.12/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch new file mode 100644 index 0000000000..6b2e681b45 --- /dev/null +++ b/queue-6.12/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch @@ -0,0 +1,87 @@ +From 5869485a40feebf9049206cf9bce8f07b414d1e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 14:17:51 +0200 +Subject: ipv6: fix omitted netlink attributes when using + RTEXT_FILTER_SKIP_STATS + +From: Fernando Fernandez Mancera + +[ Upstream commit 7ac6ea4a3e0898db76aecccd68fb2c403eb7d24e ] + +Using RTEXT_FILTER_SKIP_STATS is incorrectly skipping non-stats IPv6 +netlink attributes on link dump. This causes issues on userspace tools, +e.g iproute2 is not rendering address generation mode as it should due +to missing netlink attribute. + +Move the filling of IFLA_INET6_STATS and IFLA_INET6_ICMP6STATS to a +helper function guarded by a flag check to avoid hitting the same +situation in the future. + +Fixes: d5566fd72ec1 ("rtnetlink: RTEXT_FILTER_SKIP_STATS support to avoid dumping inet/inet6 stats") +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250402121751.3108-1-ffmancera@riseup.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 37 +++++++++++++++++++++++++------------ + 1 file changed, 25 insertions(+), 12 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index f7c17388ff6aa..f5d49162f7983 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5807,6 +5807,27 @@ static void snmp6_fill_stats(u64 *stats, struct inet6_dev *idev, int attrtype, + } + } + ++static int inet6_fill_ifla6_stats_attrs(struct sk_buff *skb, ++ struct inet6_dev *idev) ++{ ++ struct nlattr *nla; ++ ++ nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64)); ++ if (!nla) ++ goto nla_put_failure; ++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla)); ++ ++ nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64)); ++ if (!nla) ++ goto nla_put_failure; ++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla)); ++ ++ return 0; ++ ++nla_put_failure: ++ return -EMSGSIZE; ++} ++ + static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev, + u32 ext_filter_mask) + { +@@ -5829,18 +5850,10 @@ static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev, + + /* XXX - MC not implemented */ + +- if (ext_filter_mask & RTEXT_FILTER_SKIP_STATS) +- return 0; +- +- nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64)); +- if (!nla) +- goto nla_put_failure; +- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla)); +- +- nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64)); +- if (!nla) +- goto nla_put_failure; +- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla)); ++ if (!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS)) { ++ if (inet6_fill_ifla6_stats_attrs(skb, idev) < 0) ++ goto nla_put_failure; ++ } + + nla = nla_reserve(skb, IFLA_INET6_TOKEN, sizeof(struct in6_addr)); + if (!nla) +-- +2.39.5 + diff --git a/queue-6.12/ipv6-start-path-selection-from-the-first-nexthop.patch b/queue-6.12/ipv6-start-path-selection-from-the-first-nexthop.patch new file mode 100644 index 0000000000..bae44e8f89 --- /dev/null +++ b/queue-6.12/ipv6-start-path-selection-from-the-first-nexthop.patch @@ -0,0 +1,101 @@ +From 6b1b2f4914fd9fb61eb6f3822de927b721bcc2ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 14:42:23 +0300 +Subject: ipv6: Start path selection from the first nexthop + +From: Ido Schimmel + +[ Upstream commit 4d0ab3a6885e3e9040310a8d8f54503366083626 ] + +Cited commit transitioned IPv6 path selection to use hash-threshold +instead of modulo-N. With hash-threshold, each nexthop is assigned a +region boundary in the multipath hash function's output space and a +nexthop is chosen if the calculated hash is smaller than the nexthop's +region boundary. + +Hash-threshold does not work correctly if path selection does not start +with the first nexthop. For example, if fib6_select_path() is always +passed the last nexthop in the group, then it will always be chosen +because its region boundary covers the entire hash function's output +space. + +Fix this by starting the selection process from the first nexthop and do +not consider nexthops for which rt6_score_route() provided a negative +score. + +Fixes: 3d709f69a3e7 ("ipv6: Use hash-threshold instead of modulo-N") +Reported-by: Stanislav Fomichev +Closes: https://lore.kernel.org/netdev/Z9RIyKZDNoka53EO@mini-arch/ +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20250402114224.293392-2-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 38 +++++++++++++++++++++++++++++++++++--- + 1 file changed, 35 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index b393c37d24245..54ce948835a09 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -412,11 +412,35 @@ static bool rt6_check_expired(const struct rt6_info *rt) + return false; + } + ++static struct fib6_info * ++rt6_multipath_first_sibling_rcu(const struct fib6_info *rt) ++{ ++ struct fib6_info *iter; ++ struct fib6_node *fn; ++ ++ fn = rcu_dereference(rt->fib6_node); ++ if (!fn) ++ goto out; ++ iter = rcu_dereference(fn->leaf); ++ if (!iter) ++ goto out; ++ ++ while (iter) { ++ if (iter->fib6_metric == rt->fib6_metric && ++ rt6_qualify_for_ecmp(iter)) ++ return iter; ++ iter = rcu_dereference(iter->fib6_next); ++ } ++ ++out: ++ return NULL; ++} ++ + void fib6_select_path(const struct net *net, struct fib6_result *res, + struct flowi6 *fl6, int oif, bool have_oif_match, + const struct sk_buff *skb, int strict) + { +- struct fib6_info *match = res->f6i; ++ struct fib6_info *first, *match = res->f6i; + struct fib6_info *sibling; + + if (!match->nh && (!match->fib6_nsiblings || have_oif_match)) +@@ -440,10 +464,18 @@ void fib6_select_path(const struct net *net, struct fib6_result *res, + return; + } + +- if (fl6->mp_hash <= atomic_read(&match->fib6_nh->fib_nh_upper_bound)) ++ first = rt6_multipath_first_sibling_rcu(match); ++ if (!first) + goto out; + +- list_for_each_entry_rcu(sibling, &match->fib6_siblings, ++ if (fl6->mp_hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound) && ++ rt6_score_route(first->fib6_nh, first->fib6_flags, oif, ++ strict) >= 0) { ++ match = first; ++ goto out; ++ } ++ ++ list_for_each_entry_rcu(sibling, &first->fib6_siblings, + fib6_siblings) { + const struct fib6_nh *nh = sibling->fib6_nh; + int nh_upper_bound; +-- +2.39.5 + diff --git a/queue-6.12/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch b/queue-6.12/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch new file mode 100644 index 0000000000..c2f31caeb7 --- /dev/null +++ b/queue-6.12/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch @@ -0,0 +1,89 @@ +From 6219cf46bc9fa8910a39eb2e299a3acecb70b1ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 19:59:00 +0000 +Subject: isofs: fix KMSAN uninit-value bug in do_isofs_readdir() + +From: Qasim Ijaz + +[ Upstream commit 81a82e8f33880793029cd6f8a766fb13b737e6a7 ] + +In do_isofs_readdir() when assigning the variable +"struct iso_directory_record *de" the b_data field of the buffer_head +is accessed and an offset is added to it, the size of b_data is 2048 +and the offset size is 2047, meaning +"de = (struct iso_directory_record *) (bh->b_data + offset);" +yields the final byte of the 2048 sized b_data block. + +The first byte of the directory record (de_len) is then read and +found to be 31, meaning the directory record size is 31 bytes long. +The directory record is defined by the structure: + + struct iso_directory_record { + __u8 length; // 1 byte + __u8 ext_attr_length; // 1 byte + __u8 extent[8]; // 8 bytes + __u8 size[8]; // 8 bytes + __u8 date[7]; // 7 bytes + __u8 flags; // 1 byte + __u8 file_unit_size; // 1 byte + __u8 interleave; // 1 byte + __u8 volume_sequence_number[4]; // 4 bytes + __u8 name_len; // 1 byte + char name[]; // variable size + } __attribute__((packed)); + +The fixed portion of this structure occupies 33 bytes. Therefore, a +valid directory record must be at least 33 bytes long +(even without considering the variable-length name field). +Since de_len is only 31, it is insufficient to contain +the complete fixed header. + +The code later hits the following sanity check that +compares de_len against the sum of de->name_len and +sizeof(struct iso_directory_record): + + if (de_len < de->name_len[0] + sizeof(struct iso_directory_record)) { + ... + } + +Since the fixed portion of the structure is +33 bytes (up to and including name_len member), +a valid record should have de_len of at least 33 bytes; +here, however, de_len is too short, and the field de->name_len +(located at offset 32) is accessed even though it lies beyond +the available 31 bytes. + +This access on the corrupted isofs data triggers a KASAN uninitialized +memory warning. The fix would be to first verify that de_len is at least +sizeof(struct iso_directory_record) before accessing any +fields like de->name_len. + +Reported-by: syzbot +Tested-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=812641c6c3d7586a1613 +Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem") +Signed-off-by: Qasim Ijaz +Signed-off-by: Jan Kara +Link: https://patch.msgid.link/20250211195900.42406-1-qasdev00@gmail.com +Signed-off-by: Sasha Levin +--- + fs/isofs/dir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c +index eb2f8273e6f15..09df40b612fbf 100644 +--- a/fs/isofs/dir.c ++++ b/fs/isofs/dir.c +@@ -147,7 +147,8 @@ static int do_isofs_readdir(struct inode *inode, struct file *file, + de = tmpde; + } + /* Basic sanity check, whether name doesn't exceed dir entry */ +- if (de_len < de->name_len[0] + ++ if (de_len < sizeof(struct iso_directory_record) || ++ de_len < de->name_len[0] + + sizeof(struct iso_directory_record)) { + printk(KERN_NOTICE "iso9660: Corrupted directory entry" + " in block %lu of inode %lu\n", block, +-- +2.39.5 + diff --git a/queue-6.12/kernel-events-uprobes-handle-device-exclusive-entrie.patch b/queue-6.12/kernel-events-uprobes-handle-device-exclusive-entrie.patch new file mode 100644 index 0000000000..5cfa84a8ce --- /dev/null +++ b/queue-6.12/kernel-events-uprobes-handle-device-exclusive-entrie.patch @@ -0,0 +1,99 @@ +From d6e6cf8a611fdd61e03abe16a812d03c248ee1ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 20:37:50 +0100 +Subject: kernel/events/uprobes: handle device-exclusive entries correctly in + __replace_page() + +From: David Hildenbrand + +[ Upstream commit 096cbb80ab3fd85a9035ec17a1312c2a7db8bc8c ] + +Ever since commit b756a3b5e7ea ("mm: device exclusive memory access") we +can return with a device-exclusive entry from page_vma_mapped_walk(). + +__replace_page() is not prepared for that, so teach it about these PFN +swap PTEs. Note that device-private entries are so far not applicable on +that path, because GUP would never have returned such folios (conversion +to device-private happens by page migration, not in-place conversion of +the PTE). + +There is a race between GUP and us locking the folio to look it up using +page_vma_mapped_walk(), so this is likely a fix (unless something else +could prevent that race, but it doesn't look like). pte_pfn() on +something that is not a present pte could give use garbage, and we'd +wrongly mess up the mapcount because it was already adjusted by calling +folio_remove_rmap_pte() when making the entry device-exclusive. + +Link: https://lkml.kernel.org/r/20250210193801.781278-9-david@redhat.com +Fixes: b756a3b5e7ea ("mm: device exclusive memory access") +Signed-off-by: David Hildenbrand +Tested-by: Alistair Popple +Cc: Alex Shi +Cc: Danilo Krummrich +Cc: Dave Airlie +Cc: Jann Horn +Cc: Jason Gunthorpe +Cc: Jerome Glisse +Cc: John Hubbard +Cc: Jonathan Corbet +Cc: Karol Herbst +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Lyude +Cc: "Masami Hiramatsu (Google)" +Cc: Oleg Nesterov +Cc: Pasha Tatashin +Cc: Peter Xu +Cc: Peter Zijlstra (Intel) +Cc: SeongJae Park +Cc: Simona Vetter +Cc: Vlastimil Babka +Cc: Yanteng Si +Cc: Barry Song +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/events/uprobes.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c +index 4fdc08ca0f3cb..b0909c3839fd9 100644 +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -167,6 +167,7 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr, + DEFINE_FOLIO_VMA_WALK(pvmw, old_folio, vma, addr, 0); + int err; + struct mmu_notifier_range range; ++ pte_t pte; + + mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, mm, addr, + addr + PAGE_SIZE); +@@ -186,6 +187,16 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr, + if (!page_vma_mapped_walk(&pvmw)) + goto unlock; + VM_BUG_ON_PAGE(addr != pvmw.address, old_page); ++ pte = ptep_get(pvmw.pte); ++ ++ /* ++ * Handle PFN swap PTES, such as device-exclusive ones, that actually ++ * map pages: simply trigger GUP again to fix it up. ++ */ ++ if (unlikely(!pte_present(pte))) { ++ page_vma_mapped_walk_done(&pvmw); ++ goto unlock; ++ } + + if (new_page) { + folio_get(new_folio); +@@ -200,7 +211,7 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr, + inc_mm_counter(mm, MM_ANONPAGES); + } + +- flush_cache_page(vma, addr, pte_pfn(ptep_get(pvmw.pte))); ++ flush_cache_page(vma, addr, pte_pfn(pte)); + ptep_clear_flush(vma, addr, pvmw.pte); + if (new_page) + set_pte_at(mm, addr, pvmw.pte, +-- +2.39.5 + diff --git a/queue-6.12/kexec-initialize-elf-lowest-address-to-ulong_max.patch b/queue-6.12/kexec-initialize-elf-lowest-address-to-ulong_max.patch new file mode 100644 index 0000000000..7187572e96 --- /dev/null +++ b/queue-6.12/kexec-initialize-elf-lowest-address-to-ulong_max.patch @@ -0,0 +1,71 @@ +From 0e60b14c87b3e540fb6d448707a1b858ec9c7484 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2025 17:08:24 +0530 +Subject: kexec: initialize ELF lowest address to ULONG_MAX + +From: Sourabh Jain + +[ Upstream commit 9986fb5164c8b21f6439cfd45ba36d8cc80c9710 ] + +Patch series "powerpc/crash: use generic crashkernel reservation", v3. + +Commit 0ab97169aa05 ("crash_core: add generic function to do reservation") +added a generic function to reserve crashkernel memory. So let's use the +same function on powerpc and remove the architecture-specific code that +essentially does the same thing. + +The generic crashkernel reservation also provides a way to split the +crashkernel reservation into high and low memory reservations, which can +be enabled for powerpc in the future. + +Additionally move powerpc to use generic APIs to locate memory hole for +kexec segments while loading kdump kernel. + +This patch (of 7): + +kexec_elf_load() loads an ELF executable and sets the address of the +lowest PT_LOAD section to the address held by the lowest_load_addr +function argument. + +To determine the lowest PT_LOAD address, a local variable lowest_addr +(type unsigned long) is initialized to UINT_MAX. After loading each +PT_LOAD, its address is compared to lowest_addr. If a loaded PT_LOAD +address is lower, lowest_addr is updated. However, setting lowest_addr to +UINT_MAX won't work when the kernel image is loaded above 4G, as the +returned lowest PT_LOAD address would be invalid. This is resolved by +initializing lowest_addr to ULONG_MAX instead. + +This issue was discovered while implementing crashkernel high/low +reservation on the PowerPC architecture. + +Link: https://lkml.kernel.org/r/20250131113830.925179-1-sourabhjain@linux.ibm.com +Link: https://lkml.kernel.org/r/20250131113830.925179-2-sourabhjain@linux.ibm.com +Fixes: a0458284f062 ("powerpc: Add support code for kexec_file_load()") +Signed-off-by: Sourabh Jain +Acked-by: Hari Bathini +Acked-by: Baoquan He +Cc: Madhavan Srinivasan +Cc: Mahesh Salgaonkar +Cc: Michael Ellerman +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kexec_elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/kexec_elf.c b/kernel/kexec_elf.c +index d3689632e8b90..3a5c25b2adc94 100644 +--- a/kernel/kexec_elf.c ++++ b/kernel/kexec_elf.c +@@ -390,7 +390,7 @@ int kexec_elf_load(struct kimage *image, struct elfhdr *ehdr, + struct kexec_buf *kbuf, + unsigned long *lowest_load_addr) + { +- unsigned long lowest_addr = UINT_MAX; ++ unsigned long lowest_addr = ULONG_MAX; + int ret; + size_t i; + +-- +2.39.5 + diff --git a/queue-6.12/ksmbd-fix-multichannel-connection-failure.patch b/queue-6.12/ksmbd-fix-multichannel-connection-failure.patch new file mode 100644 index 0000000000..ecdefc03d2 --- /dev/null +++ b/queue-6.12/ksmbd-fix-multichannel-connection-failure.patch @@ -0,0 +1,127 @@ +From ac97d667cd3f9792e3214aab2a2523ebd401fbd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 20:19:20 +0900 +Subject: ksmbd: fix multichannel connection failure + +From: Namjae Jeon + +[ Upstream commit c1883049aa9b2b7dffd3a68c5fc67fa92c174bd9 ] + +ksmbd check that the session of second channel is in the session list of +first connection. If it is in session list, multichannel connection +should not be allowed. + +Fixes: b95629435b84 ("ksmbd: fix racy issue from session lookup and expire") +Reported-by: Sean Heelan +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/mgmt/user_session.c | 16 ++++++++++++++++ + fs/smb/server/mgmt/user_session.h | 2 ++ + fs/smb/server/smb2pdu.c | 12 ++++-------- + 3 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c +index d960ddcbba165..3d47da9c18c42 100644 +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -256,6 +256,22 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn) + up_write(&sessions_table_lock); + } + ++bool is_ksmbd_session_in_connection(struct ksmbd_conn *conn, ++ unsigned long long id) ++{ ++ struct ksmbd_session *sess; ++ ++ down_read(&conn->session_lock); ++ sess = xa_load(&conn->sessions, id); ++ if (sess) { ++ up_read(&conn->session_lock); ++ return true; ++ } ++ up_read(&conn->session_lock); ++ ++ return false; ++} ++ + struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn, + unsigned long long id) + { +diff --git a/fs/smb/server/mgmt/user_session.h b/fs/smb/server/mgmt/user_session.h +index c1c4b20bd5c6c..f21348381d598 100644 +--- a/fs/smb/server/mgmt/user_session.h ++++ b/fs/smb/server/mgmt/user_session.h +@@ -87,6 +87,8 @@ void ksmbd_session_destroy(struct ksmbd_session *sess); + struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id); + struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn, + unsigned long long id); ++bool is_ksmbd_session_in_connection(struct ksmbd_conn *conn, ++ unsigned long long id); + int ksmbd_session_register(struct ksmbd_conn *conn, + struct ksmbd_session *sess); + void ksmbd_sessions_deregister(struct ksmbd_conn *conn); +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 8464261d76387..5b94d90870b0d 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1704,44 +1704,38 @@ int smb2_sess_setup(struct ksmbd_work *work) + + if (conn->dialect != sess->dialect) { + rc = -EINVAL; +- ksmbd_user_session_put(sess); + goto out_err; + } + + if (!(req->hdr.Flags & SMB2_FLAGS_SIGNED)) { + rc = -EINVAL; +- ksmbd_user_session_put(sess); + goto out_err; + } + + if (strncmp(conn->ClientGUID, sess->ClientGUID, + SMB2_CLIENT_GUID_SIZE)) { + rc = -ENOENT; +- ksmbd_user_session_put(sess); + goto out_err; + } + + if (sess->state == SMB2_SESSION_IN_PROGRESS) { + rc = -EACCES; +- ksmbd_user_session_put(sess); + goto out_err; + } + + if (sess->state == SMB2_SESSION_EXPIRED) { + rc = -EFAULT; +- ksmbd_user_session_put(sess); + goto out_err; + } +- ksmbd_user_session_put(sess); + + if (ksmbd_conn_need_reconnect(conn)) { + rc = -EFAULT; ++ ksmbd_user_session_put(sess); + sess = NULL; + goto out_err; + } + +- sess = ksmbd_session_lookup(conn, sess_id); +- if (!sess) { ++ if (is_ksmbd_session_in_connection(conn, sess_id)) { + rc = -EACCES; + goto out_err; + } +@@ -1907,6 +1901,8 @@ int smb2_sess_setup(struct ksmbd_work *work) + + sess->last_active = jiffies; + sess->state = SMB2_SESSION_EXPIRED; ++ ksmbd_user_session_put(sess); ++ work->sess = NULL; + if (try_delay) { + ksmbd_conn_set_need_reconnect(conn); + ssleep(5); +-- +2.39.5 + diff --git a/queue-6.12/ksmbd-fix-r_count-dec-increment-mismatch.patch b/queue-6.12/ksmbd-fix-r_count-dec-increment-mismatch.patch new file mode 100644 index 0000000000..3c2ece70f6 --- /dev/null +++ b/queue-6.12/ksmbd-fix-r_count-dec-increment-mismatch.patch @@ -0,0 +1,51 @@ +From fd76e9179bf2f7ea73168d5cacfc32c2eb134521 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 00:00:24 +0900 +Subject: ksmbd: fix r_count dec/increment mismatch + +From: Namjae Jeon + +[ Upstream commit ddb7ea36ba7129c2ed107e2186591128618864e1 ] + +r_count is only increased when there is an oplock break wait, +so r_count inc/decrement are not paired. This can cause r_count +to become negative, which can lead to a problem where the ksmbd +thread does not terminate. + +Fixes: 3aa660c05924 ("ksmbd: prevent connection release during oplock break notification") +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/oplock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c +index 592fe665973a8..304aefecaaaf5 100644 +--- a/fs/smb/server/oplock.c ++++ b/fs/smb/server/oplock.c +@@ -724,8 +724,8 @@ static int smb2_oplock_break_noti(struct oplock_info *opinfo) + work->conn = conn; + work->sess = opinfo->sess; + ++ ksmbd_conn_r_count_inc(conn); + if (opinfo->op_state == OPLOCK_ACK_WAIT) { +- ksmbd_conn_r_count_inc(conn); + INIT_WORK(&work->work, __smb2_oplock_break_noti); + ksmbd_queue_work(work); + +@@ -833,8 +833,8 @@ static int smb2_lease_break_noti(struct oplock_info *opinfo) + work->conn = conn; + work->sess = opinfo->sess; + ++ ksmbd_conn_r_count_inc(conn); + if (opinfo->op_state == OPLOCK_ACK_WAIT) { +- ksmbd_conn_r_count_inc(conn); + INIT_WORK(&work->work, __smb2_lease_break_noti); + ksmbd_queue_work(work); + wait_for_break_ack(opinfo); +-- +2.39.5 + diff --git a/queue-6.12/ksmbd-use-aead_request_free-to-match-aead_request_al.patch b/queue-6.12/ksmbd-use-aead_request_free-to-match-aead_request_al.patch new file mode 100644 index 0000000000..aef3e361d1 --- /dev/null +++ b/queue-6.12/ksmbd-use-aead_request_free-to-match-aead_request_al.patch @@ -0,0 +1,38 @@ +From c7d13449e300fb07e9a507949016c38dfaa4e9fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 20:12:34 +0800 +Subject: ksmbd: use aead_request_free to match aead_request_alloc + +From: Miaoqian Lin + +[ Upstream commit 6171063e9d046ffa46f51579b2ca4a43caef581a ] + +Use aead_request_free() instead of kfree() to properly free memory +allocated by aead_request_alloc(). This ensures sensitive crypto data +is zeroed before being freed. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Signed-off-by: Miaoqian Lin +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c +index 8892177e500f1..0d458742b7074 100644 +--- a/fs/smb/server/auth.c ++++ b/fs/smb/server/auth.c +@@ -1217,7 +1217,7 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov, + free_sg: + kfree(sg); + free_req: +- kfree(req); ++ aead_request_free(req); + free_ctx: + ksmbd_release_crypto_ctx(ctx); + return rc; +-- +2.39.5 + diff --git a/queue-6.12/kunit-stackinit-use-fill-byte-different-from-clang-i.patch b/queue-6.12/kunit-stackinit-use-fill-byte-different-from-clang-i.patch new file mode 100644 index 0000000000..571bc20710 --- /dev/null +++ b/queue-6.12/kunit-stackinit-use-fill-byte-different-from-clang-i.patch @@ -0,0 +1,124 @@ +From 411749db35500cc189497826cc987675dd614b63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 14:56:11 -0800 +Subject: kunit/stackinit: Use fill byte different from Clang i386 pattern + +From: Kees Cook + +[ Upstream commit d985e4399adffb58e10b38dbb5479ef29d53cde6 ] + +The byte initialization values used with -ftrivial-auto-var-init=pattern +(CONFIG_INIT_STACK_ALL_PATTERN=y) depends on the compiler, architecture, +and byte position relative to struct member types. On i386 with Clang, +this includes the 0xFF value, which means it looks like nothing changes +between the leaf byte filling pass and the expected "stack wiping" +pass of the stackinit test. + +Use the byte fill value of 0x99 instead, fixing the test for i386 Clang +builds. + +Reported-by: ernsteiswuerfel +Closes: https://github.com/ClangBuiltLinux/linux/issues/2071 +Fixes: 8c30d32b1a32 ("lib/test_stackinit: Handle Clang auto-initialization pattern") +Tested-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20250304225606.work.030-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + lib/stackinit_kunit.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +diff --git a/lib/stackinit_kunit.c b/lib/stackinit_kunit.c +index c40818ec9c180..49d32e43d06ef 100644 +--- a/lib/stackinit_kunit.c ++++ b/lib/stackinit_kunit.c +@@ -146,6 +146,15 @@ static bool stackinit_range_contains(char *haystack_start, size_t haystack_size, + #define INIT_STRUCT_assigned_copy(var_type) \ + ; var = *(arg) + ++/* ++ * The "did we actually fill the stack?" check value needs ++ * to be neither 0 nor any of the "pattern" bytes. The ++ * pattern bytes are compiler, architecture, and type based, ++ * so we have to pick a value that never appears for those ++ * combinations. Use 0x99 which is not 0xFF, 0xFE, nor 0xAA. ++ */ ++#define FILL_BYTE 0x99 ++ + /* + * @name: unique string name for the test + * @var_type: type to be tested for zeroing initialization +@@ -168,12 +177,12 @@ static noinline void test_ ## name (struct kunit *test) \ + ZERO_CLONE_ ## which(zero); \ + /* Clear entire check buffer for 0xFF overlap test. */ \ + memset(check_buf, 0x00, sizeof(check_buf)); \ +- /* Fill stack with 0xFF. */ \ ++ /* Fill stack with FILL_BYTE. */ \ + ignored = leaf_ ##name((unsigned long)&ignored, 1, \ + FETCH_ARG_ ## which(zero)); \ +- /* Verify all bytes overwritten with 0xFF. */ \ ++ /* Verify all bytes overwritten with FILL_BYTE. */ \ + for (sum = 0, i = 0; i < target_size; i++) \ +- sum += (check_buf[i] != 0xFF); \ ++ sum += (check_buf[i] != FILL_BYTE); \ + /* Clear entire check buffer for later bit tests. */ \ + memset(check_buf, 0x00, sizeof(check_buf)); \ + /* Extract stack-defined variable contents. */ \ +@@ -184,7 +193,8 @@ static noinline void test_ ## name (struct kunit *test) \ + * possible between the two leaf function calls. \ + */ \ + KUNIT_ASSERT_EQ_MSG(test, sum, 0, \ +- "leaf fill was not 0xFF!?\n"); \ ++ "leaf fill was not 0x%02X!?\n", \ ++ FILL_BYTE); \ + \ + /* Validate that compiler lined up fill and target. */ \ + KUNIT_ASSERT_TRUE_MSG(test, \ +@@ -196,9 +206,9 @@ static noinline void test_ ## name (struct kunit *test) \ + (int)((ssize_t)(uintptr_t)fill_start - \ + (ssize_t)(uintptr_t)target_start)); \ + \ +- /* Look for any bytes still 0xFF in check region. */ \ ++ /* Validate check region has no FILL_BYTE bytes. */ \ + for (sum = 0, i = 0; i < target_size; i++) \ +- sum += (check_buf[i] == 0xFF); \ ++ sum += (check_buf[i] == FILL_BYTE); \ + \ + if (sum != 0 && xfail) \ + kunit_skip(test, \ +@@ -233,12 +243,12 @@ static noinline int leaf_ ## name(unsigned long sp, bool fill, \ + * stack frame of SOME kind... \ + */ \ + memset(buf, (char)(sp & 0xff), sizeof(buf)); \ +- /* Fill variable with 0xFF. */ \ ++ /* Fill variable with FILL_BYTE. */ \ + if (fill) { \ + fill_start = &var; \ + fill_size = sizeof(var); \ + memset(fill_start, \ +- (char)((sp & 0xff) | forced_mask), \ ++ FILL_BYTE & forced_mask, \ + fill_size); \ + } \ + \ +@@ -380,7 +390,7 @@ static int noinline __leaf_switch_none(int path, bool fill) + fill_start = &var; + fill_size = sizeof(var); + +- memset(fill_start, forced_mask | 0x55, fill_size); ++ memset(fill_start, (forced_mask | 0x55) & FILL_BYTE, fill_size); + } + memcpy(check_buf, target_start, target_size); + break; +@@ -391,7 +401,7 @@ static int noinline __leaf_switch_none(int path, bool fill) + fill_start = &var; + fill_size = sizeof(var); + +- memset(fill_start, forced_mask | 0xaa, fill_size); ++ memset(fill_start, (forced_mask | 0xaa) & FILL_BYTE, fill_size); + } + memcpy(check_buf, target_start, target_size); + break; +-- +2.39.5 + diff --git a/queue-6.12/leds-fix-led_off-brightness-race.patch b/queue-6.12/leds-fix-led_off-brightness-race.patch new file mode 100644 index 0000000000..991f14357d --- /dev/null +++ b/queue-6.12/leds-fix-led_off-brightness-race.patch @@ -0,0 +1,108 @@ +From 4076e0feb5298213ec1429d947f03e2c33de7cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 12:23:17 +0100 +Subject: leds: Fix LED_OFF brightness race + +From: Remi Pommarel + +[ Upstream commit 2c70953b6f535f7698ccbf22c1f5ba26cb6c2816 ] + +While commit fa15d8c69238 ("leds: Fix set_brightness_delayed() race") +successfully forces led_set_brightness() to be called with LED_OFF at +least once when switching from blinking to LED on state so that +hw-blinking can be disabled, another race remains. Indeed in +led_set_brightness(LED_OFF) followed by led_set_brightness(any) +scenario the following CPU scheduling can happen: + + CPU0 CPU1 + ---- ---- + set_brightness_delayed() { + test_and_clear_bit(BRIGHTNESS_OFF) + led_set_brightness(LED_OFF) { + set_bit(BRIGHTNESS_OFF) + queue_work() + } + led_set_brightness(any) { + set_bit(BRIGHTNESS) + queue_work() //already queued + } + test_and_clear_bit(BRIGHTNESS) + /* LED set with brightness any */ + } + + /* From previous CPU1 queue_work() */ + set_brightness_delayed() { + test_and_clear_bit(BRIGHTNESS_OFF) + /* LED turned off */ + test_and_clear_bit(BRIGHTNESS) + /* Clear from previous run, LED remains off */ + +In that case the led_set_brightness(LED_OFF)/led_set_brightness(any) +sequence will be effectively executed in reverse order and LED will +remain off. + +With the introduction of commit 32360bf6a5d4 ("leds: Introduce ordered +workqueue for LEDs events instead of system_wq") the race is easier to +trigger as sysfs brightness configuration does not wait for +set_brightness_delayed() work to finish (flush_work() removal). + +Use delayed_set_value to optionnally re-configure brightness after a +LED_OFF. That way a LED state could be configured more that once but +final state will always be as expected. Ensure that delayed_set_value +modification is seen before set_bit() using smp_mb__before_atomic(). + +Fixes: fa15d8c69238 ("leds: Fix set_brightness_delayed() race") +Signed-off-by: Remi Pommarel +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/19c81177059dab7b656c42063958011a8e4d1a66.1740050412.git.repk@triplefau.lt +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/led-core.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/leds/led-core.c b/drivers/leds/led-core.c +index 001c290bc07b7..cda0995b16798 100644 +--- a/drivers/leds/led-core.c ++++ b/drivers/leds/led-core.c +@@ -159,8 +159,19 @@ static void set_brightness_delayed(struct work_struct *ws) + * before this work item runs once. To make sure this works properly + * handle LED_SET_BRIGHTNESS_OFF first. + */ +- if (test_and_clear_bit(LED_SET_BRIGHTNESS_OFF, &led_cdev->work_flags)) ++ if (test_and_clear_bit(LED_SET_BRIGHTNESS_OFF, &led_cdev->work_flags)) { + set_brightness_delayed_set_brightness(led_cdev, LED_OFF); ++ /* ++ * The consecutives led_set_brightness(LED_OFF), ++ * led_set_brightness(LED_FULL) could have been executed out of ++ * order (LED_FULL first), if the work_flags has been set ++ * between LED_SET_BRIGHTNESS_OFF and LED_SET_BRIGHTNESS of this ++ * work. To avoid ending with the LED turned off, turn the LED ++ * on again. ++ */ ++ if (led_cdev->delayed_set_value != LED_OFF) ++ set_bit(LED_SET_BRIGHTNESS, &led_cdev->work_flags); ++ } + + if (test_and_clear_bit(LED_SET_BRIGHTNESS, &led_cdev->work_flags)) + set_brightness_delayed_set_brightness(led_cdev, led_cdev->delayed_set_value); +@@ -331,10 +342,13 @@ void led_set_brightness_nopm(struct led_classdev *led_cdev, unsigned int value) + * change is done immediately afterwards (before the work runs), + * it uses a separate work_flag. + */ +- if (value) { +- led_cdev->delayed_set_value = value; ++ led_cdev->delayed_set_value = value; ++ /* Ensure delayed_set_value is seen before work_flags modification */ ++ smp_mb__before_atomic(); ++ ++ if (value) + set_bit(LED_SET_BRIGHTNESS, &led_cdev->work_flags); +- } else { ++ else { + clear_bit(LED_SET_BRIGHTNESS, &led_cdev->work_flags); + clear_bit(LED_SET_BLINK, &led_cdev->work_flags); + set_bit(LED_SET_BRIGHTNESS_OFF, &led_cdev->work_flags); +-- +2.39.5 + diff --git a/queue-6.12/lib-842-improve-error-handling-in-sw842_compress.patch b/queue-6.12/lib-842-improve-error-handling-in-sw842_compress.patch new file mode 100644 index 0000000000..6d2f337258 --- /dev/null +++ b/queue-6.12/lib-842-improve-error-handling-in-sw842_compress.patch @@ -0,0 +1,44 @@ +From c275c76893dee2aa2a27079469319498baf7ea79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2025 19:42:04 +0530 +Subject: lib: 842: Improve error handling in sw842_compress() + +From: Tanya Agarwal + +[ Upstream commit af324dc0e2b558678aec42260cce38be16cc77ca ] + +The static code analysis tool "Coverity Scan" pointed the following +implementation details out for further development considerations: +CID 1309755: Unused value +In sw842_compress: A value assigned to a variable is never used. (CWE-563) +returned_value: Assigning value from add_repeat_template(p, repeat_count) +to ret here, but that stored value is overwritten before it can be used. + +Conclusion: +Add error handling for the return value from an add_repeat_template() +call. + +Fixes: 2da572c959dd ("lib: add software 842 compression/decompression") +Signed-off-by: Tanya Agarwal +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/842/842_compress.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/842/842_compress.c b/lib/842/842_compress.c +index c02baa4168e16..055356508d97c 100644 +--- a/lib/842/842_compress.c ++++ b/lib/842/842_compress.c +@@ -532,6 +532,8 @@ int sw842_compress(const u8 *in, unsigned int ilen, + } + if (repeat_count) { + ret = add_repeat_template(p, repeat_count); ++ if (ret) ++ return ret; + repeat_count = 0; + if (next == last) /* reached max repeat bits */ + goto repeat; +-- +2.39.5 + diff --git a/queue-6.12/libbpf-fix-hypothetical-stt_section-extern-null-dere.patch b/queue-6.12/libbpf-fix-hypothetical-stt_section-extern-null-dere.patch new file mode 100644 index 0000000000..4fbb8ca366 --- /dev/null +++ b/queue-6.12/libbpf-fix-hypothetical-stt_section-extern-null-dere.patch @@ -0,0 +1,41 @@ +From b51550c4434223bf8d7842b3194ba569f5f1d2b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Feb 2025 16:28:21 -0800 +Subject: libbpf: Fix hypothetical STT_SECTION extern NULL deref case + +From: Andrii Nakryiko + +[ Upstream commit e0525cd72b5979d8089fe524a071ea93fd011dc9 ] + +Fix theoretical NULL dereference in linker when resolving *extern* +STT_SECTION symbol against not-yet-existing ELF section. Not sure if +it's possible in practice for valid ELF object files (this would require +embedded assembly manipulations, at which point BTF will be missing), +but fix the s/dst_sym/dst_sec/ typo guarding this condition anyways. + +Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs") +Fixes: a46349227cd8 ("libbpf: Add linker extern resolution support for functions and global variables") +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20250220002821.834400-1-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/linker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c +index 777600822d8e4..179f6b31cbd6f 100644 +--- a/tools/lib/bpf/linker.c ++++ b/tools/lib/bpf/linker.c +@@ -2007,7 +2007,7 @@ static int linker_append_elf_sym(struct bpf_linker *linker, struct src_obj *obj, + + obj->sym_map[src_sym_idx] = dst_sym_idx; + +- if (sym_type == STT_SECTION && dst_sym) { ++ if (sym_type == STT_SECTION && dst_sec) { + dst_sec->sec_sym_idx = dst_sym_idx; + dst_sym->st_value = 0; + } +-- +2.39.5 + diff --git a/queue-6.12/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch b/queue-6.12/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch new file mode 100644 index 0000000000..21a18f507c --- /dev/null +++ b/queue-6.12/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch @@ -0,0 +1,82 @@ +From 717a94312c9c64418ebb8555f42c53db50d2c568 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 11:36:18 +0100 +Subject: lockdep: Don't disable interrupts on RT in + disable_irq_nosync_lockdep.*() + +From: Sebastian Andrzej Siewior + +[ Upstream commit 87886b32d669abc11c7be95ef44099215e4f5788 ] + +disable_irq_nosync_lockdep() disables interrupts with lockdep enabled to +avoid false positive reports by lockdep that a certain lock has not been +acquired with disabled interrupts. The user of this macros expects that +a lock can be acquried without disabling interrupts because the IRQ line +triggering the interrupt is disabled. + +This triggers a warning on PREEMPT_RT because after +disable_irq_nosync_lockdep.*() the following spinlock_t now is acquired +with disabled interrupts. + +On PREEMPT_RT there is no difference between spin_lock() and +spin_lock_irq() so avoiding disabling interrupts in this case works for +the two remaining callers as of today. + +Don't disable interrupts on PREEMPT_RT in disable_irq_nosync_lockdep.*(). + +Closes: https://lore.kernel.org/760e34f9-6034-40e0-82a5-ee9becd24438@roeck-us.net +Fixes: e8106b941ceab ("[PATCH] lockdep: core, add enable/disable_irq_irqsave/irqrestore() APIs") +Reported-by: Guenter Roeck +Suggested-by: "Steven Rostedt (Google)" +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250212103619.2560503-2-bigeasy@linutronix.de +Signed-off-by: Sasha Levin +--- + include/linux/interrupt.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h +index 457151f9f263d..b378fbf885ce3 100644 +--- a/include/linux/interrupt.h ++++ b/include/linux/interrupt.h +@@ -448,7 +448,7 @@ irq_calc_affinity_vectors(unsigned int minvec, unsigned int maxvec, + static inline void disable_irq_nosync_lockdep(unsigned int irq) + { + disable_irq_nosync(irq); +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_disable(); + #endif + } +@@ -456,7 +456,7 @@ static inline void disable_irq_nosync_lockdep(unsigned int irq) + static inline void disable_irq_nosync_lockdep_irqsave(unsigned int irq, unsigned long *flags) + { + disable_irq_nosync(irq); +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_save(*flags); + #endif + } +@@ -471,7 +471,7 @@ static inline void disable_irq_lockdep(unsigned int irq) + + static inline void enable_irq_lockdep(unsigned int irq) + { +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_enable(); + #endif + enable_irq(irq); +@@ -479,7 +479,7 @@ static inline void enable_irq_lockdep(unsigned int irq) + + static inline void enable_irq_lockdep_irqrestore(unsigned int irq, unsigned long *flags) + { +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_restore(*flags); + #endif + enable_irq(irq); +-- +2.39.5 + diff --git a/queue-6.12/lockdep-mm-fix-might_fault-lockdep-check-of-current-.patch b/queue-6.12/lockdep-mm-fix-might_fault-lockdep-check-of-current-.patch new file mode 100644 index 0000000000..ad4f5fcfe6 --- /dev/null +++ b/queue-6.12/lockdep-mm-fix-might_fault-lockdep-check-of-current-.patch @@ -0,0 +1,52 @@ +From 6e4959752860523dacfb21e7aab064ad9efa5503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2024 14:39:10 +0100 +Subject: lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock + +From: Peter Zijlstra + +[ Upstream commit a1b65f3f7c6f7f0a08a7dba8be458c6415236487 ] + +Turns out that this commit, about 10 years ago: + + 9ec23531fd48 ("sched/preempt, mm/fault: Trigger might_sleep() in might_fault() with disabled pagefaults") + +... accidentally (and unnessecarily) put the lockdep part of +__might_fault() under CONFIG_DEBUG_ATOMIC_SLEEP=y. + +This is potentially notable because large distributions such as +Ubuntu are running with !CONFIG_DEBUG_ATOMIC_SLEEP. + +Restore the debug check. + +[ mingo: Update changelog. ] + +Fixes: 9ec23531fd48 ("sched/preempt, mm/fault: Trigger might_sleep() in might_fault() with disabled pagefaults") +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Cc: Andrew Morton +Link: https://lore.kernel.org/r/20241104135517.536628371@infradead.org +Signed-off-by: Sasha Levin +--- + mm/memory.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/mm/memory.c b/mm/memory.c +index 525f96ad65b8d..01c0b3a5a4d66 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -6718,10 +6718,8 @@ void __might_fault(const char *file, int line) + if (pagefault_disabled()) + return; + __might_sleep(file, line); +-#if defined(CONFIG_DEBUG_ATOMIC_SLEEP) + if (current->mm) + might_lock_read(¤t->mm->mmap_lock); +-#endif + } + EXPORT_SYMBOL(__might_fault); + #endif +-- +2.39.5 + diff --git a/queue-6.12/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch b/queue-6.12/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch new file mode 100644 index 0000000000..17e9b309ab --- /dev/null +++ b/queue-6.12/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch @@ -0,0 +1,150 @@ +From 4adc3f00ee863022e234bf1f271fce69599a2d6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 15:26:52 -0800 +Subject: locking/semaphore: Use wake_q to wake up processes outside lock + critical section + +From: Waiman Long + +[ Upstream commit 85b2b9c16d053364e2004883140538e73b333cdb ] + +A circular lock dependency splat has been seen involving down_trylock(): + + ====================================================== + WARNING: possible circular locking dependency detected + 6.12.0-41.el10.s390x+debug + ------------------------------------------------------ + dd/32479 is trying to acquire lock: + 0015a20accd0d4f8 ((console_sem).lock){-.-.}-{2:2}, at: down_trylock+0x26/0x90 + + but task is already holding lock: + 000000017e461698 (&zone->lock){-.-.}-{2:2}, at: rmqueue_bulk+0xac/0x8f0 + + the existing dependency chain (in reverse order) is: + -> #4 (&zone->lock){-.-.}-{2:2}: + -> #3 (hrtimer_bases.lock){-.-.}-{2:2}: + -> #2 (&rq->__lock){-.-.}-{2:2}: + -> #1 (&p->pi_lock){-.-.}-{2:2}: + -> #0 ((console_sem).lock){-.-.}-{2:2}: + +The console_sem -> pi_lock dependency is due to calling try_to_wake_up() +while holding the console_sem raw_spinlock. This dependency can be broken +by using wake_q to do the wakeup instead of calling try_to_wake_up() +under the console_sem lock. This will also make the semaphore's +raw_spinlock become a terminal lock without taking any further locks +underneath it. + +The hrtimer_bases.lock is a raw_spinlock while zone->lock is a +spinlock. The hrtimer_bases.lock -> zone->lock dependency happens via +the debug_objects_fill_pool() helper function in the debugobjects code. + + -> #4 (&zone->lock){-.-.}-{2:2}: + __lock_acquire+0xe86/0x1cc0 + lock_acquire.part.0+0x258/0x630 + lock_acquire+0xb8/0xe0 + _raw_spin_lock_irqsave+0xb4/0x120 + rmqueue_bulk+0xac/0x8f0 + __rmqueue_pcplist+0x580/0x830 + rmqueue_pcplist+0xfc/0x470 + rmqueue.isra.0+0xdec/0x11b0 + get_page_from_freelist+0x2ee/0xeb0 + __alloc_pages_noprof+0x2c2/0x520 + alloc_pages_mpol_noprof+0x1fc/0x4d0 + alloc_pages_noprof+0x8c/0xe0 + allocate_slab+0x320/0x460 + ___slab_alloc+0xa58/0x12b0 + __slab_alloc.isra.0+0x42/0x60 + kmem_cache_alloc_noprof+0x304/0x350 + fill_pool+0xf6/0x450 + debug_object_activate+0xfe/0x360 + enqueue_hrtimer+0x34/0x190 + __run_hrtimer+0x3c8/0x4c0 + __hrtimer_run_queues+0x1b2/0x260 + hrtimer_interrupt+0x316/0x760 + do_IRQ+0x9a/0xe0 + do_irq_async+0xf6/0x160 + +Normally a raw_spinlock to spinlock dependency is not legitimate +and will be warned if CONFIG_PROVE_RAW_LOCK_NESTING is enabled, +but debug_objects_fill_pool() is an exception as it explicitly +allows this dependency for non-PREEMPT_RT kernel without causing +PROVE_RAW_LOCK_NESTING lockdep splat. As a result, this dependency is +legitimate and not a bug. + +Anyway, semaphore is the only locking primitive left that is still +using try_to_wake_up() to do wakeup inside critical section, all the +other locking primitives had been migrated to use wake_q to do wakeup +outside of the critical section. It is also possible that there are +other circular locking dependencies involving printk/console_sem or +other existing/new semaphores lurking somewhere which may show up in +the future. Let just do the migration now to wake_q to avoid headache +like this. + +Reported-by: yzbot+ed801a886dfdbfe7136d@syzkaller.appspotmail.com +Signed-off-by: Waiman Long +Signed-off-by: Boqun Feng +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250307232717.1759087-3-boqun.feng@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/locking/semaphore.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/kernel/locking/semaphore.c b/kernel/locking/semaphore.c +index 34bfae72f2952..de9117c0e671e 100644 +--- a/kernel/locking/semaphore.c ++++ b/kernel/locking/semaphore.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -38,7 +39,7 @@ static noinline void __down(struct semaphore *sem); + static noinline int __down_interruptible(struct semaphore *sem); + static noinline int __down_killable(struct semaphore *sem); + static noinline int __down_timeout(struct semaphore *sem, long timeout); +-static noinline void __up(struct semaphore *sem); ++static noinline void __up(struct semaphore *sem, struct wake_q_head *wake_q); + + /** + * down - acquire the semaphore +@@ -183,13 +184,16 @@ EXPORT_SYMBOL(down_timeout); + void __sched up(struct semaphore *sem) + { + unsigned long flags; ++ DEFINE_WAKE_Q(wake_q); + + raw_spin_lock_irqsave(&sem->lock, flags); + if (likely(list_empty(&sem->wait_list))) + sem->count++; + else +- __up(sem); ++ __up(sem, &wake_q); + raw_spin_unlock_irqrestore(&sem->lock, flags); ++ if (!wake_q_empty(&wake_q)) ++ wake_up_q(&wake_q); + } + EXPORT_SYMBOL(up); + +@@ -269,11 +273,12 @@ static noinline int __sched __down_timeout(struct semaphore *sem, long timeout) + return __down_common(sem, TASK_UNINTERRUPTIBLE, timeout); + } + +-static noinline void __sched __up(struct semaphore *sem) ++static noinline void __sched __up(struct semaphore *sem, ++ struct wake_q_head *wake_q) + { + struct semaphore_waiter *waiter = list_first_entry(&sem->wait_list, + struct semaphore_waiter, list); + list_del(&waiter->list); + waiter->up = true; +- wake_up_process(waiter->task); ++ wake_q_add(wake_q, waiter->task); + } +-- +2.39.5 + diff --git a/queue-6.12/loongarch-fix-device-node-refcount-leak-in-fdt_cpu_c.patch b/queue-6.12/loongarch-fix-device-node-refcount-leak-in-fdt_cpu_c.patch new file mode 100644 index 0000000000..74d3be49f9 --- /dev/null +++ b/queue-6.12/loongarch-fix-device-node-refcount-leak-in-fdt_cpu_c.patch @@ -0,0 +1,36 @@ +From 0ec01a1115e3695a943e6b844184b44a0bb3beb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Mar 2025 16:31:09 +0800 +Subject: LoongArch: Fix device node refcount leak in fdt_cpu_clk_init() + +From: Miaoqian Lin + +[ Upstream commit 2e3bc71e4f394ecf8f499d21923cf556b4bfa1e7 ] + +Add missing of_node_put() to properly handle the reference count of the +device node obtained from of_get_cpu_node(). + +Fixes: 44a01f1f726a ("LoongArch: Parsing CPU-related information from DTS") +Signed-off-by: Miaoqian Lin +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/env.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/loongarch/kernel/env.c b/arch/loongarch/kernel/env.c +index 2f1f5b08638f8..27144de5c5fe4 100644 +--- a/arch/loongarch/kernel/env.c ++++ b/arch/loongarch/kernel/env.c +@@ -68,6 +68,8 @@ static int __init fdt_cpu_clk_init(void) + return -ENODEV; + + clk = of_clk_get(np, 0); ++ of_node_put(np); ++ + if (IS_ERR(clk)) + return -ENODEV; + +-- +2.39.5 + diff --git a/queue-6.12/loongarch-fix-help-text-of-cmdline_extend-in-kconfig.patch b/queue-6.12/loongarch-fix-help-text-of-cmdline_extend-in-kconfig.patch new file mode 100644 index 0000000000..dadef75693 --- /dev/null +++ b/queue-6.12/loongarch-fix-help-text-of-cmdline_extend-in-kconfig.patch @@ -0,0 +1,41 @@ +From 683e02f8a670da851a081b0905c5c0a602ef12fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Mar 2025 16:31:09 +0800 +Subject: LoongArch: Fix help text of CMDLINE_EXTEND in Kconfig +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: 谢致邦 (XIE Zhibang) + +[ Upstream commit be216cbc1ddf99a51915414ce147311c0dfd50a2 ] + +It is the built-in command line appended to the bootloader command line, +not the bootloader command line appended to the built-in command line. + +Fixes: fa96b57c1490 ("LoongArch: Add build infrastructure") +Signed-off-by: 谢致邦 (XIE Zhibang) +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/loongarch/Kconfig b/arch/loongarch/Kconfig +index d9fce0fd475a0..fe9f895138dba 100644 +--- a/arch/loongarch/Kconfig ++++ b/arch/loongarch/Kconfig +@@ -375,8 +375,8 @@ config CMDLINE_BOOTLOADER + config CMDLINE_EXTEND + bool "Use built-in to extend bootloader kernel arguments" + help +- The command-line arguments provided during boot will be +- appended to the built-in command line. This is useful in ++ The built-in command line will be appended to the command- ++ line arguments provided during boot. This is useful in + cases where the provided arguments are insufficient and + you don't want to or cannot modify them. + +-- +2.39.5 + diff --git a/queue-6.12/loongarch-rework-the-arch_kgdb_breakpoint-implementa.patch b/queue-6.12/loongarch-rework-the-arch_kgdb_breakpoint-implementa.patch new file mode 100644 index 0000000000..e462afae91 --- /dev/null +++ b/queue-6.12/loongarch-rework-the-arch_kgdb_breakpoint-implementa.patch @@ -0,0 +1,74 @@ +From 1b75ef5c4c2697cc409623538a8b19be4afdb56c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Mar 2025 16:31:09 +0800 +Subject: LoongArch: Rework the arch_kgdb_breakpoint() implementation + +From: Yuli Wang + +[ Upstream commit 29c92a41c6d2879c1f62220fe4758dce191bb38f ] + +The arch_kgdb_breakpoint() function defines the kgdb_breakinst symbol +using inline assembly. + +1. There's a potential issue where the compiler might inline +arch_kgdb_breakpoint(), which would then define the kgdb_breakinst +symbol multiple times, leading to a linker error. + +To prevent this, declare arch_kgdb_breakpoint() as noinline. + +Fix follow error with LLVM-19 *only* when LTO_CLANG_FULL: + LD vmlinux.o + ld.lld-19: error: ld-temp.o :3:1: symbol 'kgdb_breakinst' is already defined + kgdb_breakinst: break 2 + ^ + +2. Remove "nop" in the inline assembly because it's meaningless for +LoongArch here. + +3. Add "STACK_FRAME_NON_STANDARD" for arch_kgdb_breakpoint() to avoid +the objtool warning. + +Fixes: e14dd076964e ("LoongArch: Add basic KGDB & KDB support") +Tested-by: Binbin Zhou +Co-developed-by: Winston Wen +Signed-off-by: Winston Wen +Co-developed-by: Wentao Guan +Signed-off-by: Wentao Guan +Signed-off-by: Yuli Wang +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/kernel/kgdb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/loongarch/kernel/kgdb.c b/arch/loongarch/kernel/kgdb.c +index 445c452d72a79..7be5b4c0c9002 100644 +--- a/arch/loongarch/kernel/kgdb.c ++++ b/arch/loongarch/kernel/kgdb.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -224,13 +225,13 @@ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc) + regs->csr_era = pc; + } + +-void arch_kgdb_breakpoint(void) ++noinline void arch_kgdb_breakpoint(void) + { + __asm__ __volatile__ ( \ + ".globl kgdb_breakinst\n\t" \ +- "nop\n" \ + "kgdb_breakinst:\tbreak 2\n\t"); /* BRK_KDB = 2 */ + } ++STACK_FRAME_NON_STANDARD(arch_kgdb_breakpoint); + + /* + * Calls linux_debug_hook before the kernel dies. If KGDB is enabled, +-- +2.39.5 + diff --git a/queue-6.12/mdacon-rework-dependency-list.patch b/queue-6.12/mdacon-rework-dependency-list.patch new file mode 100644 index 0000000000..f2ed0217c3 --- /dev/null +++ b/queue-6.12/mdacon-rework-dependency-list.patch @@ -0,0 +1,47 @@ +From d3390245c0a93d46483144ecfb3d3375e39fed14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 17:44:23 +0100 +Subject: mdacon: rework dependency list + +From: Arnd Bergmann + +[ Upstream commit 5bbcc7645f4b244ffb5ac6563fbe9d3d42194447 ] + +mdacon has roughly the same dependencies as vgacon but expresses them +as a negative list instead of a positive list, with the only practical +difference being PowerPC/CHRP, which uses vga16fb instead of vgacon. + +The CONFIG_MDA_CONSOLE description advises to only turn it on when vgacon +is also used because MDA/Hercules-only systems should be using vgacon +instead, so just change the list to enforce that directly for simplicity. + +The probing was broken from 2002 to 2008, this improves on the fix +that was added then: If vgacon is a loadable module, then mdacon +cannot be built-in now, and the list of systems that support vgacon +is carried over. + +Fixes: 0b9cf3aa6b1e ("mdacon messing up default vc's - set default to vc13-16 again") +Signed-off-by: Arnd Bergmann +Reviewed-by: Thomas Zimmermann +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/console/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/console/Kconfig b/drivers/video/console/Kconfig +index c4a8f74df2493..3e9f2bda67027 100644 +--- a/drivers/video/console/Kconfig ++++ b/drivers/video/console/Kconfig +@@ -24,7 +24,7 @@ config VGA_CONSOLE + Say Y. + + config MDA_CONSOLE +- depends on !M68K && !PARISC && ISA ++ depends on VGA_CONSOLE && ISA + tristate "MDA text console (dual-headed)" + help + Say Y here if you have an old MDA or monochrome Hercules graphics +-- +2.39.5 + diff --git a/queue-6.12/media-platform-allgro-dvt-unregister-v4l2_device-on-.patch b/queue-6.12/media-platform-allgro-dvt-unregister-v4l2_device-on-.patch new file mode 100644 index 0000000000..2a7c0105ad --- /dev/null +++ b/queue-6.12/media-platform-allgro-dvt-unregister-v4l2_device-on-.patch @@ -0,0 +1,38 @@ +From b2a0cb4d182e67f44b6ca726df3e3b7928080f99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 11:06:21 +0900 +Subject: media: platform: allgro-dvt: unregister v4l2_device on the error path + +From: Joe Hattori + +[ Upstream commit c2b96a6818159fba8a3bcc38262da9e77f9b3ec7 ] + +In allegro_probe(), the v4l2 device is not unregistered in the error +path, which results in a memory leak. Fix it by calling +v4l2_device_unregister() before returning error. + +Fixes: d74d4e2359ec ("media: allegro: move driver out of staging") +Signed-off-by: Joe Hattori +Reviewed-by: Michael Tretter +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/allegro-dvt/allegro-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/allegro-dvt/allegro-core.c b/drivers/media/platform/allegro-dvt/allegro-core.c +index 88c36eb6174ad..9ca4e2f94647b 100644 +--- a/drivers/media/platform/allegro-dvt/allegro-core.c ++++ b/drivers/media/platform/allegro-dvt/allegro-core.c +@@ -3914,6 +3914,7 @@ static int allegro_probe(struct platform_device *pdev) + if (ret < 0) { + v4l2_err(&dev->v4l2_dev, + "failed to request firmware: %d\n", ret); ++ v4l2_device_unregister(&dev->v4l2_dev); + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.12/media-verisilicon-hevc-initialize-start_bit-field.patch b/queue-6.12/media-verisilicon-hevc-initialize-start_bit-field.patch new file mode 100644 index 0000000000..224d3616b7 --- /dev/null +++ b/queue-6.12/media-verisilicon-hevc-initialize-start_bit-field.patch @@ -0,0 +1,40 @@ +From da0d6646ed4c0f7afcff5bcb84d90166424a97c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 09:10:52 +0100 +Subject: media: verisilicon: HEVC: Initialize start_bit field + +From: Benjamin Gaignard + +[ Upstream commit 7fcb42b3835e90ef18d68555934cf72adaf58402 ] + +The HEVC driver needs to set the start_bit field explicitly to avoid +causing corrupted frames when the VP9 decoder is used in parallel. The +reason for this problem is that the VP9 and the HEVC decoder share this +register. + +Fixes: cb5dd5a0fa51 ("media: hantro: Introduce G2/HEVC decoder") +Signed-off-by: Benjamin Gaignard +Tested-by: Nicolas Dufresne +Reviewed-by: Nicolas Dufresne +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c +index 85a44143b3786..0e212198dd65b 100644 +--- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c ++++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c +@@ -518,6 +518,7 @@ static void set_buffers(struct hantro_ctx *ctx) + hantro_reg_write(vpu, &g2_stream_len, src_len); + hantro_reg_write(vpu, &g2_strm_buffer_len, src_buf_len); + hantro_reg_write(vpu, &g2_strm_start_offset, 0); ++ hantro_reg_write(vpu, &g2_start_bit, 0); + hantro_reg_write(vpu, &g2_write_mvs_e, 1); + + hantro_write_addr(vpu, G2_TILE_SIZES_ADDR, ctx->hevc_dec.tile_sizes.dma); +-- +2.39.5 + diff --git a/queue-6.12/memory-omap-gpmc-drop-no-compatible-check.patch b/queue-6.12/memory-omap-gpmc-drop-no-compatible-check.patch new file mode 100644 index 0000000000..48a79b131c --- /dev/null +++ b/queue-6.12/memory-omap-gpmc-drop-no-compatible-check.patch @@ -0,0 +1,58 @@ +From ee12eab40b1fe723a2e54e427434e61812472ae8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 15:15:14 +0100 +Subject: memory: omap-gpmc: drop no compatible check + +From: Roger Quadros + +[ Upstream commit edcccc6892f65eff5fd3027a13976131dc7fd733 ] + +We are no longer depending on legacy device trees so +drop the no compatible check for NAND and OneNAND +nodes. + +Suggested-by: Rob Herring (Arm) +Signed-off-by: Roger Quadros +Reviewed-by: Rob Herring (Arm) +Link: https://lore.kernel.org/r/20250114-omap-gpmc-drop-no-compatible-check-v1-1-262c8d549732@kernel.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/memory/omap-gpmc.c | 20 -------------------- + 1 file changed, 20 deletions(-) + +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c +index c8a0d82f9c27d..719225c09a4d6 100644 +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -2245,26 +2245,6 @@ static int gpmc_probe_generic_child(struct platform_device *pdev, + goto err; + } + +- if (of_node_name_eq(child, "nand")) { +- /* Warn about older DT blobs with no compatible property */ +- if (!of_property_read_bool(child, "compatible")) { +- dev_warn(&pdev->dev, +- "Incompatible NAND node: missing compatible"); +- ret = -EINVAL; +- goto err; +- } +- } +- +- if (of_node_name_eq(child, "onenand")) { +- /* Warn about older DT blobs with no compatible property */ +- if (!of_property_read_bool(child, "compatible")) { +- dev_warn(&pdev->dev, +- "Incompatible OneNAND node: missing compatible"); +- ret = -EINVAL; +- goto err; +- } +- } +- + if (of_match_node(omap_nand_ids, child)) { + /* NAND specific setup */ + val = 8; +-- +2.39.5 + diff --git a/queue-6.12/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch b/queue-6.12/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch new file mode 100644 index 0000000000..c334c9385d --- /dev/null +++ b/queue-6.12/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch @@ -0,0 +1,63 @@ +From 14f81a90e507f1a07e49f01fc3ae0c56be44011d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 09:12:06 -0800 +Subject: mfd: sm501: Switch to BIT() to mitigate integer overflows + +From: Nikita Zhandarovich + +[ Upstream commit 2d8cb9ffe18c2f1e5bd07a19cbce85b26c1d0cf0 ] + +If offset end up being high enough, right hand expression in functions +like sm501_gpio_set() shifted left for that number of bits, may +not fit in int type. + +Just in case, fix that by using BIT() both as an option safe from +overflow issues and to make this step look similar to other gpio +drivers. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: f61be273d369 ("sm501: add gpiolib support") +Signed-off-by: Nikita Zhandarovich +Link: https://lore.kernel.org/r/20250115171206.20308-1-n.zhandarovich@fintech.ru +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/sm501.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c +index b3592982a83b5..5b6dc1cb9bfc3 100644 +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -920,7 +920,7 @@ static void sm501_gpio_set(struct gpio_chip *chip, unsigned offset, int value) + { + struct sm501_gpio_chip *smchip = gpiochip_get_data(chip); + struct sm501_gpio *smgpio = smchip->ourgpio; +- unsigned long bit = 1 << offset; ++ unsigned long bit = BIT(offset); + void __iomem *regs = smchip->regbase; + unsigned long save; + unsigned long val; +@@ -946,7 +946,7 @@ static int sm501_gpio_input(struct gpio_chip *chip, unsigned offset) + struct sm501_gpio_chip *smchip = gpiochip_get_data(chip); + struct sm501_gpio *smgpio = smchip->ourgpio; + void __iomem *regs = smchip->regbase; +- unsigned long bit = 1 << offset; ++ unsigned long bit = BIT(offset); + unsigned long save; + unsigned long ddr; + +@@ -971,7 +971,7 @@ static int sm501_gpio_output(struct gpio_chip *chip, + { + struct sm501_gpio_chip *smchip = gpiochip_get_data(chip); + struct sm501_gpio *smgpio = smchip->ourgpio; +- unsigned long bit = 1 << offset; ++ unsigned long bit = BIT(offset); + void __iomem *regs = smchip->regbase; + unsigned long save; + unsigned long val; +-- +2.39.5 + diff --git a/queue-6.12/net-decrease-cached-dst-counters-in-dst_release.patch b/queue-6.12/net-decrease-cached-dst-counters-in-dst_release.patch new file mode 100644 index 0000000000..acd6fe39dd --- /dev/null +++ b/queue-6.12/net-decrease-cached-dst-counters-in-dst_release.patch @@ -0,0 +1,61 @@ +From e56b466618135345e902fe5fb56ed54fb2720995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 18:36:32 +0100 +Subject: net: decrease cached dst counters in dst_release + +From: Antoine Tenart + +[ Upstream commit 3a0a3ff6593d670af2451ec363ccb7b18aec0c0a ] + +Upstream fix ac888d58869b ("net: do not delay dst_entries_add() in +dst_release()") moved decrementing the dst count from dst_destroy to +dst_release to avoid accessing already freed data in case of netns +dismantle. However in case CONFIG_DST_CACHE is enabled and OvS+tunnels +are used, this fix is incomplete as the same issue will be seen for +cached dsts: + + Unable to handle kernel paging request at virtual address ffff5aabf6b5c000 + Call trace: + percpu_counter_add_batch+0x3c/0x160 (P) + dst_release+0xec/0x108 + dst_cache_destroy+0x68/0xd8 + dst_destroy+0x13c/0x168 + dst_destroy_rcu+0x1c/0xb0 + rcu_do_batch+0x18c/0x7d0 + rcu_core+0x174/0x378 + rcu_core_si+0x18/0x30 + +Fix this by invalidating the cache, and thus decrementing cached dst +counters, in dst_release too. + +Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel") +Signed-off-by: Antoine Tenart +Link: https://patch.msgid.link/20250326173634.31096-1-atenart@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/dst.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/core/dst.c b/net/core/dst.c +index 9552a90d4772d..6d76b799ce645 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -165,6 +165,14 @@ static void dst_count_dec(struct dst_entry *dst) + void dst_release(struct dst_entry *dst) + { + if (dst && rcuref_put(&dst->__rcuref)) { ++#ifdef CONFIG_DST_CACHE ++ if (dst->flags & DST_METADATA) { ++ struct metadata_dst *md_dst = (struct metadata_dst *)dst; ++ ++ if (md_dst->type == METADATA_IP_TUNNEL) ++ dst_cache_reset_now(&md_dst->u.tun_info.dst_cache); ++ } ++#endif + dst_count_dec(dst); + call_rcu_hurry(&dst->rcu_head, dst_destroy_rcu); + } +-- +2.39.5 + diff --git a/queue-6.12/net-devmem-do-not-warn-conditionally-after-netdev_rx.patch b/queue-6.12/net-devmem-do-not-warn-conditionally-after-netdev_rx.patch new file mode 100644 index 0000000000..a4e285d6d4 --- /dev/null +++ b/queue-6.12/net-devmem-do-not-warn-conditionally-after-netdev_rx.patch @@ -0,0 +1,50 @@ +From d11128ef1a9d5404254dd66306aece4749586fa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Mar 2025 13:42:18 +0000 +Subject: net: devmem: do not WARN conditionally after + netdev_rx_queue_restart() + +From: Taehee Yoo + +[ Upstream commit a70f891e0fa0435379ad4950e156a15a4ef88b4d ] + +When devmem socket is closed, netdev_rx_queue_restart() is called to +reset queue by the net_devmem_unbind_dmabuf(). But callback may return +-ENETDOWN if the interface is down because queues are already freed +when the interface is down so queue reset is not needed. +So, it should not warn if the return value is -ENETDOWN. + +Signed-off-by: Taehee Yoo +Reviewed-by: Mina Almasry +Link: https://patch.msgid.link/20250309134219.91670-8-ap420073@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/devmem.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/core/devmem.c b/net/core/devmem.c +index 11b91c12ee113..17f8a83a5ee74 100644 +--- a/net/core/devmem.c ++++ b/net/core/devmem.c +@@ -108,6 +108,7 @@ void net_devmem_unbind_dmabuf(struct net_devmem_dmabuf_binding *binding) + struct netdev_rx_queue *rxq; + unsigned long xa_idx; + unsigned int rxq_idx; ++ int err; + + if (binding->list.next) + list_del(&binding->list); +@@ -119,7 +120,8 @@ void net_devmem_unbind_dmabuf(struct net_devmem_dmabuf_binding *binding) + + rxq_idx = get_netdev_rx_queue_index(rxq); + +- WARN_ON(netdev_rx_queue_restart(binding->dev, rxq_idx)); ++ err = netdev_rx_queue_restart(binding->dev, rxq_idx); ++ WARN_ON(err && err != -ENETDOWN); + } + + xa_erase(&net_devmem_dmabuf_bindings, binding->id); +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch b/queue-6.12/net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch new file mode 100644 index 0000000000..132d4ea4ac --- /dev/null +++ b/queue-6.12/net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch @@ -0,0 +1,126 @@ +From e2e9e2e2a4366caa433e76df1e407c03190a41a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 15:56:37 +0200 +Subject: net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on + destroy + +From: David Oberhollenzer + +[ Upstream commit a58d882841a0750da3c482cd3d82432b1c7edb77 ] + +The mv88e6xxx has an internal PPU that polls PHY state. If we want to +access the internal PHYs, we need to disable the PPU first. Because +that is a slow operation, a 10ms timer is used to re-enable it, +canceled with every access, so bulk operations effectively only +disable it once and re-enable it some 10ms after the last access. + +If a PHY is accessed and then the mv88e6xxx module is removed before +the 10ms are up, the PPU re-enable ends up accessing a dangling pointer. + +This especially affects probing during bootup. The MDIO bus and PHY +registration may succeed, but registration with the DSA framework +may fail later on (e.g. because the CPU port depends on another, +very slow device that isn't done probing yet, returning -EPROBE_DEFER). +In this case, probe() fails, but the MDIO subsystem may already have +accessed the MIDO bus or PHYs, arming the timer. + +This is fixed as follows: + - If probe fails after mv88e6xxx_phy_init(), make sure we also call + mv88e6xxx_phy_destroy() before returning + - In mv88e6xxx_remove(), make sure we do the teardown in the correct + order, calling mv88e6xxx_phy_destroy() after unregistering the + switch device. + - In mv88e6xxx_phy_destroy(), destroy both the timer and the work item + that the timer might schedule, synchronously waiting in case one of + the callbacks already fired and destroying the timer first, before + waiting for the work item. + - Access to the PPU is guarded by a mutex, the worker acquires it + with a mutex_trylock(), not proceeding with the expensive shutdown + if that fails. We grab the mutex in mv88e6xxx_phy_destroy() to make + sure the slow PPU shutdown is already done or won't even enter, when + we wait for the work item. + +Fixes: 2e5f032095ff ("dsa: add support for the Marvell 88E6131 switch chip") +Signed-off-by: David Oberhollenzer +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20250401135705.92760-1-david.oberhollenzer@sigma-star.at +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 11 +++++++---- + drivers/net/dsa/mv88e6xxx/phy.c | 3 +++ + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 5aeecfab96306..5935100e7d65f 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -7301,13 +7301,13 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev) + err = mv88e6xxx_switch_reset(chip); + mv88e6xxx_reg_unlock(chip); + if (err) +- goto out; ++ goto out_phy; + + if (np) { + chip->irq = of_irq_get(np, 0); + if (chip->irq == -EPROBE_DEFER) { + err = chip->irq; +- goto out; ++ goto out_phy; + } + } + +@@ -7326,7 +7326,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev) + mv88e6xxx_reg_unlock(chip); + + if (err) +- goto out; ++ goto out_phy; + + if (chip->info->g2_irqs > 0) { + err = mv88e6xxx_g2_irq_setup(chip); +@@ -7360,6 +7360,8 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev) + mv88e6xxx_g1_irq_free(chip); + else + mv88e6xxx_irq_poll_free(chip); ++out_phy: ++ mv88e6xxx_phy_destroy(chip); + out: + if (pdata) + dev_put(pdata->netdev); +@@ -7382,7 +7384,6 @@ static void mv88e6xxx_remove(struct mdio_device *mdiodev) + mv88e6xxx_ptp_free(chip); + } + +- mv88e6xxx_phy_destroy(chip); + mv88e6xxx_unregister_switch(chip); + + mv88e6xxx_g1_vtu_prob_irq_free(chip); +@@ -7395,6 +7396,8 @@ static void mv88e6xxx_remove(struct mdio_device *mdiodev) + mv88e6xxx_g1_irq_free(chip); + else + mv88e6xxx_irq_poll_free(chip); ++ ++ mv88e6xxx_phy_destroy(chip); + } + + static void mv88e6xxx_shutdown(struct mdio_device *mdiodev) +diff --git a/drivers/net/dsa/mv88e6xxx/phy.c b/drivers/net/dsa/mv88e6xxx/phy.c +index 8bb88b3d900db..ee9e5d7e52770 100644 +--- a/drivers/net/dsa/mv88e6xxx/phy.c ++++ b/drivers/net/dsa/mv88e6xxx/phy.c +@@ -229,7 +229,10 @@ static void mv88e6xxx_phy_ppu_state_init(struct mv88e6xxx_chip *chip) + + static void mv88e6xxx_phy_ppu_state_destroy(struct mv88e6xxx_chip *chip) + { ++ mutex_lock(&chip->ppu_mutex); + del_timer_sync(&chip->ppu_timer); ++ cancel_work_sync(&chip->ppu_work); ++ mutex_unlock(&chip->ppu_mutex); + } + + int mv88e6185_phy_ppu_read(struct mv88e6xxx_chip *chip, struct mii_bus *bus, +-- +2.39.5 + diff --git a/queue-6.12/net-dsa-rtl8366rb-don-t-prompt-users-for-led-control.patch b/queue-6.12/net-dsa-rtl8366rb-don-t-prompt-users-for-led-control.patch new file mode 100644 index 0000000000..03c3eca479 --- /dev/null +++ b/queue-6.12/net-dsa-rtl8366rb-don-t-prompt-users-for-led-control.patch @@ -0,0 +1,37 @@ +From 2c41ffb80bea942ad10134000545c153206d2c74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 16:45:34 -0800 +Subject: net: dsa: rtl8366rb: don't prompt users for LED control + +From: Jakub Kicinski + +[ Upstream commit c34424eb3be4c01db831428c0d7d483701ae820f ] + +Make NET_DSA_REALTEK_RTL8366RB_LEDS a hidden symbol. +It seems very unlikely user would want to intentionally +disable it. + +Signed-off-by: Jakub Kicinski +Link: https://patch.msgid.link/20250228004534.3428681-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/realtek/Kconfig b/drivers/net/dsa/realtek/Kconfig +index 10687722d14c0..d6eb6713e5f6b 100644 +--- a/drivers/net/dsa/realtek/Kconfig ++++ b/drivers/net/dsa/realtek/Kconfig +@@ -44,7 +44,7 @@ config NET_DSA_REALTEK_RTL8366RB + Select to enable support for Realtek RTL8366RB. + + config NET_DSA_REALTEK_RTL8366RB_LEDS +- bool "Support RTL8366RB LED control" ++ bool + depends on (LEDS_CLASS=y || LEDS_CLASS=NET_DSA_REALTEK_RTL8366RB) + depends on NET_DSA_REALTEK_RTL8366RB + default NET_DSA_REALTEK_RTL8366RB +-- +2.39.5 + diff --git a/queue-6.12/net-fix-geneve_opt-length-integer-overflow.patch b/queue-6.12/net-fix-geneve_opt-length-integer-overflow.patch new file mode 100644 index 0000000000..5c623a7ba2 --- /dev/null +++ b/queue-6.12/net-fix-geneve_opt-length-integer-overflow.patch @@ -0,0 +1,134 @@ +From 6241e1ecf4e9b10fb4918072680f749e0f56fde0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 00:56:32 +0800 +Subject: net: fix geneve_opt length integer overflow + +From: Lin Ma + +[ Upstream commit b27055a08ad4b415dcf15b63034f9cb236f7fb40 ] + +struct geneve_opt uses 5 bit length for each single option, which +means every vary size option should be smaller than 128 bytes. + +However, all current related Netlink policies cannot promise this +length condition and the attacker can exploit a exact 128-byte size +option to *fake* a zero length option and confuse the parsing logic, +further achieve heap out-of-bounds read. + +One example crash log is like below: + +[ 3.905425] ================================================================== +[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 +[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 +[ 3.906646] +[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 +[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +[ 3.907784] Call Trace: +[ 3.907925] +[ 3.908048] dump_stack_lvl+0x44/0x5c +[ 3.908258] print_report+0x184/0x4be +[ 3.909151] kasan_report+0xc5/0x100 +[ 3.909539] kasan_check_range+0xf3/0x1a0 +[ 3.909794] memcpy+0x1f/0x60 +[ 3.909968] nla_put+0xa9/0xe0 +[ 3.910147] tunnel_key_dump+0x945/0xba0 +[ 3.911536] tcf_action_dump_1+0x1c1/0x340 +[ 3.912436] tcf_action_dump+0x101/0x180 +[ 3.912689] tcf_exts_dump+0x164/0x1e0 +[ 3.912905] fw_dump+0x18b/0x2d0 +[ 3.913483] tcf_fill_node+0x2ee/0x460 +[ 3.914778] tfilter_notify+0xf4/0x180 +[ 3.915208] tc_new_tfilter+0xd51/0x10d0 +[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 +[ 3.919118] netlink_rcv_skb+0xcd/0x200 +[ 3.919787] netlink_unicast+0x395/0x530 +[ 3.921032] netlink_sendmsg+0x3d0/0x6d0 +[ 3.921987] __sock_sendmsg+0x99/0xa0 +[ 3.922220] __sys_sendto+0x1b7/0x240 +[ 3.922682] __x64_sys_sendto+0x72/0x90 +[ 3.922906] do_syscall_64+0x5e/0x90 +[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 3.924122] RIP: 0033:0x7e83eab84407 +[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf +[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c +[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 +[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 +[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c +[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 +[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 + +Fix these issues by enforing correct length condition in related +policies. + +Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts") +Fixes: 4ece47787077 ("lwtunnel: add options setting and dumping for geneve") +Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key") +Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") +Signed-off-by: Lin Ma +Reviewed-by: Xin Long +Acked-by: Cong Wang +Link: https://patch.msgid.link/20250402165632.6958-1-linma@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_tunnel_core.c | 2 +- + net/netfilter/nft_tunnel.c | 2 +- + net/sched/act_tunnel_key.c | 2 +- + net/sched/cls_flower.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 364ea798511ea..f65d2f7273813 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -451,7 +451,7 @@ static const struct nla_policy + geneve_opt_policy[LWTUNNEL_IP_OPT_GENEVE_MAX + 1] = { + [LWTUNNEL_IP_OPT_GENEVE_CLASS] = { .type = NLA_U16 }, + [LWTUNNEL_IP_OPT_GENEVE_TYPE] = { .type = NLA_U8 }, +- [LWTUNNEL_IP_OPT_GENEVE_DATA] = { .type = NLA_BINARY, .len = 128 }, ++ [LWTUNNEL_IP_OPT_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 }, + }; + + static const struct nla_policy +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c +index 52d76b8d15db2..0d99786c322e8 100644 +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -335,7 +335,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr, + static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GENEVE_MAX + 1] = { + [NFTA_TUNNEL_KEY_GENEVE_CLASS] = { .type = NLA_U16 }, + [NFTA_TUNNEL_KEY_GENEVE_TYPE] = { .type = NLA_U8 }, +- [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 128 }, ++ [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 }, + }; + + static int nft_tunnel_obj_geneve_init(const struct nlattr *attr, +diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c +index af7c998459488..e296714803dc0 100644 +--- a/net/sched/act_tunnel_key.c ++++ b/net/sched/act_tunnel_key.c +@@ -68,7 +68,7 @@ geneve_opt_policy[TCA_TUNNEL_KEY_ENC_OPT_GENEVE_MAX + 1] = { + [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 }, + [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 }, + [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY, +- .len = 128 }, ++ .len = 127 }, + }; + + static const struct nla_policy +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 03505673d5234..099ff6a3e1f51 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -766,7 +766,7 @@ geneve_opt_policy[TCA_FLOWER_KEY_ENC_OPT_GENEVE_MAX + 1] = { + [TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 }, + [TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 }, + [TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY, +- .len = 128 }, ++ .len = 127 }, + }; + + static const struct nla_policy +-- +2.39.5 + diff --git a/queue-6.12/net-ibmveth-make-veth_pool_store-stop-hanging.patch b/queue-6.12/net-ibmveth-make-veth_pool_store-stop-hanging.patch new file mode 100644 index 0000000000..9e0aa245c6 --- /dev/null +++ b/queue-6.12/net-ibmveth-make-veth_pool_store-stop-hanging.patch @@ -0,0 +1,211 @@ +From 61189db6277d06325fbab9c83b53eb597ce90247 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 10:44:03 -0500 +Subject: net: ibmveth: make veth_pool_store stop hanging + +From: Dave Marquardt + +[ Upstream commit 053f3ff67d7feefc75797863f3d84b47ad47086f ] + +v2: +- Created a single error handling unlock and exit in veth_pool_store +- Greatly expanded commit message with previous explanatory-only text + +Summary: Use rtnl_mutex to synchronize veth_pool_store with itself, +ibmveth_close and ibmveth_open, preventing multiple calls in a row to +napi_disable. + +Background: Two (or more) threads could call veth_pool_store through +writing to /sys/devices/vio/30000002/pool*/*. You can do this easily +with a little shell script. This causes a hang. + +I configured LOCKDEP, compiled ibmveth.c with DEBUG, and built a new +kernel. I ran this test again and saw: + + Setting pool0/active to 0 + Setting pool1/active to 1 + [ 73.911067][ T4365] ibmveth 30000002 eth0: close starting + Setting pool1/active to 1 + Setting pool1/active to 0 + [ 73.911367][ T4366] ibmveth 30000002 eth0: close starting + [ 73.916056][ T4365] ibmveth 30000002 eth0: close complete + [ 73.916064][ T4365] ibmveth 30000002 eth0: open starting + [ 110.808564][ T712] systemd-journald[712]: Sent WATCHDOG=1 notification. + [ 230.808495][ T712] systemd-journald[712]: Sent WATCHDOG=1 notification. + [ 243.683786][ T123] INFO: task stress.sh:4365 blocked for more than 122 seconds. + [ 243.683827][ T123] Not tainted 6.14.0-01103-g2df0c02dab82-dirty #8 + [ 243.683833][ T123] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + [ 243.683838][ T123] task:stress.sh state:D stack:28096 pid:4365 tgid:4365 ppid:4364 task_flags:0x400040 flags:0x00042000 + [ 243.683852][ T123] Call Trace: + [ 243.683857][ T123] [c00000000c38f690] [0000000000000001] 0x1 (unreliable) + [ 243.683868][ T123] [c00000000c38f840] [c00000000001f908] __switch_to+0x318/0x4e0 + [ 243.683878][ T123] [c00000000c38f8a0] [c000000001549a70] __schedule+0x500/0x12a0 + [ 243.683888][ T123] [c00000000c38f9a0] [c00000000154a878] schedule+0x68/0x210 + [ 243.683896][ T123] [c00000000c38f9d0] [c00000000154ac80] schedule_preempt_disabled+0x30/0x50 + [ 243.683904][ T123] [c00000000c38fa00] [c00000000154dbb0] __mutex_lock+0x730/0x10f0 + [ 243.683913][ T123] [c00000000c38fb10] [c000000001154d40] napi_enable+0x30/0x60 + [ 243.683921][ T123] [c00000000c38fb40] [c000000000f4ae94] ibmveth_open+0x68/0x5dc + [ 243.683928][ T123] [c00000000c38fbe0] [c000000000f4aa20] veth_pool_store+0x220/0x270 + [ 243.683936][ T123] [c00000000c38fc70] [c000000000826278] sysfs_kf_write+0x68/0xb0 + [ 243.683944][ T123] [c00000000c38fcb0] [c0000000008240b8] kernfs_fop_write_iter+0x198/0x2d0 + [ 243.683951][ T123] [c00000000c38fd00] [c00000000071b9ac] vfs_write+0x34c/0x650 + [ 243.683958][ T123] [c00000000c38fdc0] [c00000000071bea8] ksys_write+0x88/0x150 + [ 243.683966][ T123] [c00000000c38fe10] [c0000000000317f4] system_call_exception+0x124/0x340 + [ 243.683973][ T123] [c00000000c38fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec + ... + [ 243.684087][ T123] Showing all locks held in the system: + [ 243.684095][ T123] 1 lock held by khungtaskd/123: + [ 243.684099][ T123] #0: c00000000278e370 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x50/0x248 + [ 243.684114][ T123] 4 locks held by stress.sh/4365: + [ 243.684119][ T123] #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150 + [ 243.684132][ T123] #1: c000000041aea888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x154/0x2d0 + [ 243.684143][ T123] #2: c0000000366fb9a8 (kn->active#64){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x160/0x2d0 + [ 243.684155][ T123] #3: c000000035ff4cb8 (&dev->lock){+.+.}-{3:3}, at: napi_enable+0x30/0x60 + [ 243.684166][ T123] 5 locks held by stress.sh/4366: + [ 243.684170][ T123] #0: c00000003a4cd3f8 (sb_writers#3){.+.+}-{0:0}, at: ksys_write+0x88/0x150 + [ 243.684183][ T123] #1: c00000000aee2288 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x154/0x2d0 + [ 243.684194][ T123] #2: c0000000366f4ba8 (kn->active#64){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x160/0x2d0 + [ 243.684205][ T123] #3: c000000035ff4cb8 (&dev->lock){+.+.}-{3:3}, at: napi_disable+0x30/0x60 + [ 243.684216][ T123] #4: c0000003ff9bbf18 (&rq->__lock){-.-.}-{2:2}, at: __schedule+0x138/0x12a0 + +From the ibmveth debug, two threads are calling veth_pool_store, which +calls ibmveth_close and ibmveth_open. Here's the sequence: + + T4365 T4366 + ----------------- ----------------- --------- + veth_pool_store veth_pool_store + ibmveth_close + ibmveth_close + napi_disable + napi_disable + ibmveth_open + napi_enable <- HANG + +ibmveth_close calls napi_disable at the top and ibmveth_open calls +napi_enable at the top. + +https://docs.kernel.org/networking/napi.html]] says + + The control APIs are not idempotent. Control API calls are safe + against concurrent use of datapath APIs but an incorrect sequence of + control API calls may result in crashes, deadlocks, or race + conditions. For example, calling napi_disable() multiple times in a + row will deadlock. + +In the normal open and close paths, rtnl_mutex is acquired to prevent +other callers. This is missing from veth_pool_store. Use rtnl_mutex in +veth_pool_store fixes these hangs. + +Signed-off-by: Dave Marquardt +Fixes: 860f242eb534 ("[PATCH] ibmveth change buffer pools dynamically") +Reviewed-by: Nick Child +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250402154403.386744-1-davemarq@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmveth.c | 39 +++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index b619a3ec245b2..04192190bebab 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1802,18 +1802,22 @@ static ssize_t veth_pool_store(struct kobject *kobj, struct attribute *attr, + long value = simple_strtol(buf, NULL, 10); + long rc; + ++ rtnl_lock(); ++ + if (attr == &veth_active_attr) { + if (value && !pool->active) { + if (netif_running(netdev)) { + if (ibmveth_alloc_buffer_pool(pool)) { + netdev_err(netdev, + "unable to alloc pool\n"); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto unlock_err; + } + pool->active = 1; + ibmveth_close(netdev); +- if ((rc = ibmveth_open(netdev))) +- return rc; ++ rc = ibmveth_open(netdev); ++ if (rc) ++ goto unlock_err; + } else { + pool->active = 1; + } +@@ -1833,48 +1837,59 @@ static ssize_t veth_pool_store(struct kobject *kobj, struct attribute *attr, + + if (i == IBMVETH_NUM_BUFF_POOLS) { + netdev_err(netdev, "no active pool >= MTU\n"); +- return -EPERM; ++ rc = -EPERM; ++ goto unlock_err; + } + + if (netif_running(netdev)) { + ibmveth_close(netdev); + pool->active = 0; +- if ((rc = ibmveth_open(netdev))) +- return rc; ++ rc = ibmveth_open(netdev); ++ if (rc) ++ goto unlock_err; + } + pool->active = 0; + } + } else if (attr == &veth_num_attr) { + if (value <= 0 || value > IBMVETH_MAX_POOL_COUNT) { +- return -EINVAL; ++ rc = -EINVAL; ++ goto unlock_err; + } else { + if (netif_running(netdev)) { + ibmveth_close(netdev); + pool->size = value; +- if ((rc = ibmveth_open(netdev))) +- return rc; ++ rc = ibmveth_open(netdev); ++ if (rc) ++ goto unlock_err; + } else { + pool->size = value; + } + } + } else if (attr == &veth_size_attr) { + if (value <= IBMVETH_BUFF_OH || value > IBMVETH_MAX_BUF_SIZE) { +- return -EINVAL; ++ rc = -EINVAL; ++ goto unlock_err; + } else { + if (netif_running(netdev)) { + ibmveth_close(netdev); + pool->buff_size = value; +- if ((rc = ibmveth_open(netdev))) +- return rc; ++ rc = ibmveth_open(netdev); ++ if (rc) ++ goto unlock_err; + } else { + pool->buff_size = value; + } + } + } ++ rtnl_unlock(); + + /* kick the interrupt handler to allocate/deallocate pools */ + ibmveth_interrupt(netdev->irq, netdev); + return count; ++ ++unlock_err: ++ rtnl_unlock(); ++ return rc; + } + + +-- +2.39.5 + diff --git a/queue-6.12/net-mlx5e-shampo-make-reserved-size-independent-of-p.patch b/queue-6.12/net-mlx5e-shampo-make-reserved-size-independent-of-p.patch new file mode 100644 index 0000000000..6fb37b05d5 --- /dev/null +++ b/queue-6.12/net-mlx5e-shampo-make-reserved-size-independent-of-p.patch @@ -0,0 +1,77 @@ +From f777f3c5e77d6e35fd44ca2f0376be26aeb94767 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Mar 2025 14:28:26 +0200 +Subject: net/mlx5e: SHAMPO, Make reserved size independent of page size + +From: Lama Kayal + +[ Upstream commit fab05835688526f9de123d1e98e4d1f838da4e22 ] + +When hw-gro is enabled, the maximum number of header entries that are +needed per wqe (hd_per_wqe) is calculated based on the size of the +reservations among other parameters. + +Miscalculation of the size of reservations leads to incorrect +calculation of hd_per_wqe as 0, particularly in the case of large page +size like in aarch64, this prevents the SHAMPO header from being +correctly initialized in the device, ultimately causing the following +cqe err that indicates a violation of PD. + + mlx5_core 0000:00:08.0 eth2: ERR CQE on RQ: 0x1180 + mlx5_core 0000:00:08.0 eth2: Error cqe on cqn 0x510, ci 0x0, qn 0x1180, opcode 0xe, syndrome 0x4, vendor syndrome 0x32 + 00000000: 00 00 00 00 04 4a 00 00 00 00 00 00 20 00 93 32 + 00000010: 55 00 00 00 fb cc 00 00 00 00 00 00 07 18 00 00 + 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a + 00000030: 00 00 00 9a 93 00 32 04 00 00 00 00 00 00 da e1 + +Use the correct formula for calculating the size of reservations, +precisely it shouldn't be dependent on page size, instead use the +correct multiply of MLX5E_SHAMPO_WQ_BASE_RESRV_SIZE. + +Fixes: e5ca8fb08ab2 ("net/mlx5e: Add control path for SHAMPO feature") +Signed-off-by: Lama Kayal +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1742732906-166564-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/params.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/params.c b/drivers/net/ethernet/mellanox/mlx5/core/en/params.c +index 64b62ed17b07a..31eb99f09c63c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/params.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/params.c +@@ -423,7 +423,7 @@ u8 mlx5e_shampo_get_log_pkt_per_rsrv(struct mlx5_core_dev *mdev, + struct mlx5e_params *params) + { + u32 resrv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) * +- PAGE_SIZE; ++ MLX5E_SHAMPO_WQ_BASE_RESRV_SIZE; + + return order_base_2(DIV_ROUND_UP(resrv_size, params->sw_mtu)); + } +@@ -827,7 +827,8 @@ static u32 mlx5e_shampo_get_log_cq_size(struct mlx5_core_dev *mdev, + struct mlx5e_params *params, + struct mlx5e_xsk_param *xsk) + { +- int rsrv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) * PAGE_SIZE; ++ int rsrv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) * ++ MLX5E_SHAMPO_WQ_BASE_RESRV_SIZE; + u16 num_strides = BIT(mlx5e_mpwqe_get_log_num_strides(mdev, params, xsk)); + int pkt_per_rsrv = BIT(mlx5e_shampo_get_log_pkt_per_rsrv(mdev, params)); + u8 log_stride_sz = mlx5e_mpwqe_get_log_stride_size(mdev, params, xsk); +@@ -1036,7 +1037,8 @@ u32 mlx5e_shampo_hd_per_wqe(struct mlx5_core_dev *mdev, + struct mlx5e_params *params, + struct mlx5e_rq_param *rq_param) + { +- int resv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) * PAGE_SIZE; ++ int resv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) * ++ MLX5E_SHAMPO_WQ_BASE_RESRV_SIZE; + u16 num_strides = BIT(mlx5e_mpwqe_get_log_num_strides(mdev, params, NULL)); + int pkt_per_resv = BIT(mlx5e_shampo_get_log_pkt_per_rsrv(mdev, params)); + u8 log_stride_sz = mlx5e_mpwqe_get_log_stride_size(mdev, params, NULL); +-- +2.39.5 + diff --git a/queue-6.12/net-mvpp2-prevent-parser-tcam-memory-corruption.patch b/queue-6.12/net-mvpp2-prevent-parser-tcam-memory-corruption.patch new file mode 100644 index 0000000000..4020ef393d --- /dev/null +++ b/queue-6.12/net-mvpp2-prevent-parser-tcam-memory-corruption.patch @@ -0,0 +1,659 @@ +From 1b297402a52d2e5dc7fe7ee581d95d884289f71c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 08:58:04 +0200 +Subject: net: mvpp2: Prevent parser TCAM memory corruption + +From: Tobias Waldekranz + +[ Upstream commit 96844075226b49af25a69a1d084b648ec2d9b08d ] + +Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM +information, from concurrent modifications. + +Both the TCAM and SRAM tables are indirectly accessed by configuring +an index register that selects the row to read or write to. This means +that operations must be atomic in order to, e.g., avoid spreading +writes across multiple rows. Since the shadow SRAM array is used to +find free rows in the hardware table, it must also be protected in +order to avoid TOCTOU errors where multiple cores allocate the same +row. + +This issue was detected in a situation where `mvpp2_set_rx_mode()` ran +concurrently on two CPUs. In this particular case the +MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the +classifier unit to drop all incoming unicast - indicated by the +`rx_classifier_drops` counter. + +Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") +Signed-off-by: Tobias Waldekranz +Reviewed-by: Maxime Chevallier +Tested-by: Maxime Chevallier +Link: https://patch.msgid.link/20250401065855.3113635-1-tobias@waldekranz.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 3 + + .../net/ethernet/marvell/mvpp2/mvpp2_main.c | 3 +- + .../net/ethernet/marvell/mvpp2/mvpp2_prs.c | 201 ++++++++++++------ + 3 files changed, 140 insertions(+), 67 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +index 9e02e4367bec8..9bd3d76b5fe2a 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +@@ -1108,6 +1108,9 @@ struct mvpp2 { + + /* Spinlocks for CM3 shared memory configuration */ + spinlock_t mss_spinlock; ++ ++ /* Spinlock for shared PRS parser memory and shadow table */ ++ spinlock_t prs_spinlock; + }; + + struct mvpp2_pcpu_stats { +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 3880dcc0418b2..66b5a80c9c28a 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -7640,8 +7640,9 @@ static int mvpp2_probe(struct platform_device *pdev) + if (mvpp2_read(priv, MVPP2_VER_ID_REG) == MVPP2_VER_PP23) + priv->hw_version = MVPP23; + +- /* Init mss lock */ ++ /* Init locks for shared packet processor resources */ + spin_lock_init(&priv->mss_spinlock); ++ spin_lock_init(&priv->prs_spinlock); + + /* Initialize network controller */ + err = mvpp2_init(pdev, priv); +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index 9af22f497a40f..93e978bdf303c 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -23,6 +23,8 @@ static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe) + { + int i; + ++ lockdep_assert_held(&priv->prs_spinlock); ++ + if (pe->index > MVPP2_PRS_TCAM_SRAM_SIZE - 1) + return -EINVAL; + +@@ -43,11 +45,13 @@ static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe) + } + + /* Initialize tcam entry from hw */ +-int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe, +- int tid) ++static int __mvpp2_prs_init_from_hw(struct mvpp2 *priv, ++ struct mvpp2_prs_entry *pe, int tid) + { + int i; + ++ lockdep_assert_held(&priv->prs_spinlock); ++ + if (tid > MVPP2_PRS_TCAM_SRAM_SIZE - 1) + return -EINVAL; + +@@ -73,6 +77,18 @@ int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe, + return 0; + } + ++int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe, ++ int tid) ++{ ++ int err; ++ ++ spin_lock_bh(&priv->prs_spinlock); ++ err = __mvpp2_prs_init_from_hw(priv, pe, tid); ++ spin_unlock_bh(&priv->prs_spinlock); ++ ++ return err; ++} ++ + /* Invalidate tcam hw entry */ + static void mvpp2_prs_hw_inv(struct mvpp2 *priv, int index) + { +@@ -374,7 +390,7 @@ static int mvpp2_prs_flow_find(struct mvpp2 *priv, int flow) + priv->prs_shadow[tid].lu != MVPP2_PRS_LU_FLOWS) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + bits = mvpp2_prs_sram_ai_get(&pe); + + /* Sram store classification lookup ID in AI bits [5:0] */ +@@ -441,7 +457,7 @@ static void mvpp2_prs_mac_drop_all_set(struct mvpp2 *priv, int port, bool add) + + if (priv->prs_shadow[MVPP2_PE_DROP_ALL].valid) { + /* Entry exist - update port only */ +- mvpp2_prs_init_from_hw(priv, &pe, MVPP2_PE_DROP_ALL); ++ __mvpp2_prs_init_from_hw(priv, &pe, MVPP2_PE_DROP_ALL); + } else { + /* Entry doesn't exist - create new */ + memset(&pe, 0, sizeof(pe)); +@@ -469,14 +485,17 @@ static void mvpp2_prs_mac_drop_all_set(struct mvpp2 *priv, int port, bool add) + } + + /* Set port to unicast or multicast promiscuous mode */ +-void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, +- enum mvpp2_prs_l2_cast l2_cast, bool add) ++static void __mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, ++ enum mvpp2_prs_l2_cast l2_cast, ++ bool add) + { + struct mvpp2_prs_entry pe; + unsigned char cast_match; + unsigned int ri; + int tid; + ++ lockdep_assert_held(&priv->prs_spinlock); ++ + if (l2_cast == MVPP2_PRS_L2_UNI_CAST) { + cast_match = MVPP2_PRS_UCAST_VAL; + tid = MVPP2_PE_MAC_UC_PROMISCUOUS; +@@ -489,7 +508,7 @@ void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, + + /* promiscuous mode - Accept unknown unicast or multicast packets */ + if (priv->prs_shadow[tid].valid) { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } else { + memset(&pe, 0, sizeof(pe)); + mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_MAC); +@@ -522,6 +541,14 @@ void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, + mvpp2_prs_hw_write(priv, &pe); + } + ++void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port, ++ enum mvpp2_prs_l2_cast l2_cast, bool add) ++{ ++ spin_lock_bh(&priv->prs_spinlock); ++ __mvpp2_prs_mac_promisc_set(priv, port, l2_cast, add); ++ spin_unlock_bh(&priv->prs_spinlock); ++} ++ + /* Set entry for dsa packets */ + static void mvpp2_prs_dsa_tag_set(struct mvpp2 *priv, int port, bool add, + bool tagged, bool extend) +@@ -539,7 +566,7 @@ static void mvpp2_prs_dsa_tag_set(struct mvpp2 *priv, int port, bool add, + + if (priv->prs_shadow[tid].valid) { + /* Entry exist - update port only */ +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } else { + /* Entry doesn't exist - create new */ + memset(&pe, 0, sizeof(pe)); +@@ -610,7 +637,7 @@ static void mvpp2_prs_dsa_tag_ethertype_set(struct mvpp2 *priv, int port, + + if (priv->prs_shadow[tid].valid) { + /* Entry exist - update port only */ +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } else { + /* Entry doesn't exist - create new */ + memset(&pe, 0, sizeof(pe)); +@@ -673,7 +700,7 @@ static int mvpp2_prs_vlan_find(struct mvpp2 *priv, unsigned short tpid, int ai) + priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VLAN) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + match = mvpp2_prs_tcam_data_cmp(&pe, 0, tpid); + if (!match) + continue; +@@ -726,7 +753,7 @@ static int mvpp2_prs_vlan_add(struct mvpp2 *priv, unsigned short tpid, int ai, + priv->prs_shadow[tid_aux].lu != MVPP2_PRS_LU_VLAN) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid_aux); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid_aux); + ri_bits = mvpp2_prs_sram_ri_get(&pe); + if ((ri_bits & MVPP2_PRS_RI_VLAN_MASK) == + MVPP2_PRS_RI_VLAN_DOUBLE) +@@ -760,7 +787,7 @@ static int mvpp2_prs_vlan_add(struct mvpp2 *priv, unsigned short tpid, int ai, + + mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VLAN); + } else { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } + /* Update ports' mask */ + mvpp2_prs_tcam_port_map_set(&pe, port_map); +@@ -800,7 +827,7 @@ static int mvpp2_prs_double_vlan_find(struct mvpp2 *priv, unsigned short tpid1, + priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VLAN) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + + match = mvpp2_prs_tcam_data_cmp(&pe, 0, tpid1) && + mvpp2_prs_tcam_data_cmp(&pe, 4, tpid2); +@@ -849,7 +876,7 @@ static int mvpp2_prs_double_vlan_add(struct mvpp2 *priv, unsigned short tpid1, + priv->prs_shadow[tid_aux].lu != MVPP2_PRS_LU_VLAN) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid_aux); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid_aux); + ri_bits = mvpp2_prs_sram_ri_get(&pe); + ri_bits &= MVPP2_PRS_RI_VLAN_MASK; + if (ri_bits == MVPP2_PRS_RI_VLAN_SINGLE || +@@ -880,7 +907,7 @@ static int mvpp2_prs_double_vlan_add(struct mvpp2 *priv, unsigned short tpid1, + + mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VLAN); + } else { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } + + /* Update ports' mask */ +@@ -1213,8 +1240,8 @@ static void mvpp2_prs_mac_init(struct mvpp2 *priv) + /* Create dummy entries for drop all and promiscuous modes */ + mvpp2_prs_drop_fc(priv); + mvpp2_prs_mac_drop_all_set(priv, 0, false); +- mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_UNI_CAST, false); +- mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_MULTI_CAST, false); ++ __mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_UNI_CAST, false); ++ __mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_MULTI_CAST, false); + } + + /* Set default entries for various types of dsa packets */ +@@ -1533,12 +1560,6 @@ static int mvpp2_prs_vlan_init(struct platform_device *pdev, struct mvpp2 *priv) + struct mvpp2_prs_entry pe; + int err; + +- priv->prs_double_vlans = devm_kcalloc(&pdev->dev, sizeof(bool), +- MVPP2_PRS_DBL_VLANS_MAX, +- GFP_KERNEL); +- if (!priv->prs_double_vlans) +- return -ENOMEM; +- + /* Double VLAN: 0x88A8, 0x8100 */ + err = mvpp2_prs_double_vlan_add(priv, ETH_P_8021AD, ETH_P_8021Q, + MVPP2_PRS_PORT_MASK); +@@ -1941,7 +1962,7 @@ static int mvpp2_prs_vid_range_find(struct mvpp2_port *port, u16 vid, u16 mask) + port->priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID) + continue; + +- mvpp2_prs_init_from_hw(port->priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(port->priv, &pe, tid); + + mvpp2_prs_tcam_data_byte_get(&pe, 2, &byte[0], &enable[0]); + mvpp2_prs_tcam_data_byte_get(&pe, 3, &byte[1], &enable[1]); +@@ -1970,6 +1991,8 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid) + + memset(&pe, 0, sizeof(pe)); + ++ spin_lock_bh(&priv->prs_spinlock); ++ + /* Scan TCAM and see if entry with this already exist */ + tid = mvpp2_prs_vid_range_find(port, vid, mask); + +@@ -1988,8 +2011,10 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid) + MVPP2_PRS_VLAN_FILT_MAX_ENTRY); + + /* There isn't room for a new VID filter */ +- if (tid < 0) ++ if (tid < 0) { ++ spin_unlock_bh(&priv->prs_spinlock); + return tid; ++ } + + mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_VID); + pe.index = tid; +@@ -1997,7 +2022,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid) + /* Mask all ports */ + mvpp2_prs_tcam_port_map_set(&pe, 0); + } else { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } + + /* Enable the current port */ +@@ -2019,6 +2044,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid) + mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VID); + mvpp2_prs_hw_write(priv, &pe); + ++ spin_unlock_bh(&priv->prs_spinlock); + return 0; + } + +@@ -2028,15 +2054,16 @@ void mvpp2_prs_vid_entry_remove(struct mvpp2_port *port, u16 vid) + struct mvpp2 *priv = port->priv; + int tid; + +- /* Scan TCAM and see if entry with this already exist */ +- tid = mvpp2_prs_vid_range_find(port, vid, 0xfff); ++ spin_lock_bh(&priv->prs_spinlock); + +- /* No such entry */ +- if (tid < 0) +- return; ++ /* Invalidate TCAM entry with this , if it exists */ ++ tid = mvpp2_prs_vid_range_find(port, vid, 0xfff); ++ if (tid >= 0) { ++ mvpp2_prs_hw_inv(priv, tid); ++ priv->prs_shadow[tid].valid = false; ++ } + +- mvpp2_prs_hw_inv(priv, tid); +- priv->prs_shadow[tid].valid = false; ++ spin_unlock_bh(&priv->prs_spinlock); + } + + /* Remove all existing VID filters on this port */ +@@ -2045,6 +2072,8 @@ void mvpp2_prs_vid_remove_all(struct mvpp2_port *port) + struct mvpp2 *priv = port->priv; + int tid; + ++ spin_lock_bh(&priv->prs_spinlock); ++ + for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id); + tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) { + if (priv->prs_shadow[tid].valid) { +@@ -2052,6 +2081,8 @@ void mvpp2_prs_vid_remove_all(struct mvpp2_port *port) + priv->prs_shadow[tid].valid = false; + } + } ++ ++ spin_unlock_bh(&priv->prs_spinlock); + } + + /* Remove VID filering entry for this port */ +@@ -2060,10 +2091,14 @@ void mvpp2_prs_vid_disable_filtering(struct mvpp2_port *port) + unsigned int tid = MVPP2_PRS_VID_PORT_DFLT(port->id); + struct mvpp2 *priv = port->priv; + ++ spin_lock_bh(&priv->prs_spinlock); ++ + /* Invalidate the guard entry */ + mvpp2_prs_hw_inv(priv, tid); + + priv->prs_shadow[tid].valid = false; ++ ++ spin_unlock_bh(&priv->prs_spinlock); + } + + /* Add guard entry that drops packets when no VID is matched on this port */ +@@ -2079,6 +2114,8 @@ void mvpp2_prs_vid_enable_filtering(struct mvpp2_port *port) + + memset(&pe, 0, sizeof(pe)); + ++ spin_lock_bh(&priv->prs_spinlock); ++ + pe.index = tid; + + reg_val = mvpp2_read(priv, MVPP2_MH_REG(port->id)); +@@ -2111,6 +2148,8 @@ void mvpp2_prs_vid_enable_filtering(struct mvpp2_port *port) + /* Update shadow table */ + mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VID); + mvpp2_prs_hw_write(priv, &pe); ++ ++ spin_unlock_bh(&priv->prs_spinlock); + } + + /* Parser default initialization */ +@@ -2118,6 +2157,20 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv) + { + int err, index, i; + ++ priv->prs_shadow = devm_kcalloc(&pdev->dev, MVPP2_PRS_TCAM_SRAM_SIZE, ++ sizeof(*priv->prs_shadow), ++ GFP_KERNEL); ++ if (!priv->prs_shadow) ++ return -ENOMEM; ++ ++ priv->prs_double_vlans = devm_kcalloc(&pdev->dev, sizeof(bool), ++ MVPP2_PRS_DBL_VLANS_MAX, ++ GFP_KERNEL); ++ if (!priv->prs_double_vlans) ++ return -ENOMEM; ++ ++ spin_lock_bh(&priv->prs_spinlock); ++ + /* Enable tcam table */ + mvpp2_write(priv, MVPP2_PRS_TCAM_CTRL_REG, MVPP2_PRS_TCAM_EN_MASK); + +@@ -2136,12 +2189,6 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv) + for (index = 0; index < MVPP2_PRS_TCAM_SRAM_SIZE; index++) + mvpp2_prs_hw_inv(priv, index); + +- priv->prs_shadow = devm_kcalloc(&pdev->dev, MVPP2_PRS_TCAM_SRAM_SIZE, +- sizeof(*priv->prs_shadow), +- GFP_KERNEL); +- if (!priv->prs_shadow) +- return -ENOMEM; +- + /* Always start from lookup = 0 */ + for (index = 0; index < MVPP2_MAX_PORTS; index++) + mvpp2_prs_hw_port_init(priv, index, MVPP2_PRS_LU_MH, +@@ -2158,26 +2205,13 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv) + mvpp2_prs_vid_init(priv); + + err = mvpp2_prs_etype_init(priv); +- if (err) +- return err; +- +- err = mvpp2_prs_vlan_init(pdev, priv); +- if (err) +- return err; +- +- err = mvpp2_prs_pppoe_init(priv); +- if (err) +- return err; +- +- err = mvpp2_prs_ip6_init(priv); +- if (err) +- return err; +- +- err = mvpp2_prs_ip4_init(priv); +- if (err) +- return err; ++ err = err ? : mvpp2_prs_vlan_init(pdev, priv); ++ err = err ? : mvpp2_prs_pppoe_init(priv); ++ err = err ? : mvpp2_prs_ip6_init(priv); ++ err = err ? : mvpp2_prs_ip4_init(priv); + +- return 0; ++ spin_unlock_bh(&priv->prs_spinlock); ++ return err; + } + + /* Compare MAC DA with tcam entry data */ +@@ -2217,7 +2251,7 @@ mvpp2_prs_mac_da_range_find(struct mvpp2 *priv, int pmap, const u8 *da, + (priv->prs_shadow[tid].udf != udf_type)) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + entry_pmap = mvpp2_prs_tcam_port_map_get(&pe); + + if (mvpp2_prs_mac_range_equals(&pe, da, mask) && +@@ -2229,7 +2263,8 @@ mvpp2_prs_mac_da_range_find(struct mvpp2 *priv, int pmap, const u8 *da, + } + + /* Update parser's mac da entry */ +-int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add) ++static int __mvpp2_prs_mac_da_accept(struct mvpp2_port *port, ++ const u8 *da, bool add) + { + unsigned char mask[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; + struct mvpp2 *priv = port->priv; +@@ -2261,7 +2296,7 @@ int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add) + /* Mask all ports */ + mvpp2_prs_tcam_port_map_set(&pe, 0); + } else { +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + } + + mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_MAC); +@@ -2317,6 +2352,17 @@ int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add) + return 0; + } + ++int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add) ++{ ++ int err; ++ ++ spin_lock_bh(&port->priv->prs_spinlock); ++ err = __mvpp2_prs_mac_da_accept(port, da, add); ++ spin_unlock_bh(&port->priv->prs_spinlock); ++ ++ return err; ++} ++ + int mvpp2_prs_update_mac_da(struct net_device *dev, const u8 *da) + { + struct mvpp2_port *port = netdev_priv(dev); +@@ -2345,6 +2391,8 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port) + unsigned long pmap; + int index, tid; + ++ spin_lock_bh(&priv->prs_spinlock); ++ + for (tid = MVPP2_PE_MAC_RANGE_START; + tid <= MVPP2_PE_MAC_RANGE_END; tid++) { + unsigned char da[ETH_ALEN], da_mask[ETH_ALEN]; +@@ -2354,7 +2402,7 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port) + (priv->prs_shadow[tid].udf != MVPP2_PRS_UDF_MAC_DEF)) + continue; + +- mvpp2_prs_init_from_hw(priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(priv, &pe, tid); + + pmap = mvpp2_prs_tcam_port_map_get(&pe); + +@@ -2375,14 +2423,17 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port) + continue; + + /* Remove entry from TCAM */ +- mvpp2_prs_mac_da_accept(port, da, false); ++ __mvpp2_prs_mac_da_accept(port, da, false); + } ++ ++ spin_unlock_bh(&priv->prs_spinlock); + } + + int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type) + { + switch (type) { + case MVPP2_TAG_TYPE_EDSA: ++ spin_lock_bh(&priv->prs_spinlock); + /* Add port to EDSA entries */ + mvpp2_prs_dsa_tag_set(priv, port, true, + MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA); +@@ -2393,9 +2444,11 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type) + MVPP2_PRS_TAGGED, MVPP2_PRS_DSA); + mvpp2_prs_dsa_tag_set(priv, port, false, + MVPP2_PRS_UNTAGGED, MVPP2_PRS_DSA); ++ spin_unlock_bh(&priv->prs_spinlock); + break; + + case MVPP2_TAG_TYPE_DSA: ++ spin_lock_bh(&priv->prs_spinlock); + /* Add port to DSA entries */ + mvpp2_prs_dsa_tag_set(priv, port, true, + MVPP2_PRS_TAGGED, MVPP2_PRS_DSA); +@@ -2406,10 +2459,12 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type) + MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA); + mvpp2_prs_dsa_tag_set(priv, port, false, + MVPP2_PRS_UNTAGGED, MVPP2_PRS_EDSA); ++ spin_unlock_bh(&priv->prs_spinlock); + break; + + case MVPP2_TAG_TYPE_MH: + case MVPP2_TAG_TYPE_NONE: ++ spin_lock_bh(&priv->prs_spinlock); + /* Remove port form EDSA and DSA entries */ + mvpp2_prs_dsa_tag_set(priv, port, false, + MVPP2_PRS_TAGGED, MVPP2_PRS_DSA); +@@ -2419,6 +2474,7 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type) + MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA); + mvpp2_prs_dsa_tag_set(priv, port, false, + MVPP2_PRS_UNTAGGED, MVPP2_PRS_EDSA); ++ spin_unlock_bh(&priv->prs_spinlock); + break; + + default: +@@ -2437,11 +2493,15 @@ int mvpp2_prs_add_flow(struct mvpp2 *priv, int flow, u32 ri, u32 ri_mask) + + memset(&pe, 0, sizeof(pe)); + ++ spin_lock_bh(&priv->prs_spinlock); ++ + tid = mvpp2_prs_tcam_first_free(priv, + MVPP2_PE_LAST_FREE_TID, + MVPP2_PE_FIRST_FREE_TID); +- if (tid < 0) ++ if (tid < 0) { ++ spin_unlock_bh(&priv->prs_spinlock); + return tid; ++ } + + pe.index = tid; + +@@ -2461,6 +2521,7 @@ int mvpp2_prs_add_flow(struct mvpp2 *priv, int flow, u32 ri, u32 ri_mask) + mvpp2_prs_tcam_port_map_set(&pe, MVPP2_PRS_PORT_MASK); + mvpp2_prs_hw_write(priv, &pe); + ++ spin_unlock_bh(&priv->prs_spinlock); + return 0; + } + +@@ -2472,6 +2533,8 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port) + + memset(&pe, 0, sizeof(pe)); + ++ spin_lock_bh(&port->priv->prs_spinlock); ++ + tid = mvpp2_prs_flow_find(port->priv, port->id); + + /* Such entry not exist */ +@@ -2480,8 +2543,10 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port) + tid = mvpp2_prs_tcam_first_free(port->priv, + MVPP2_PE_LAST_FREE_TID, + MVPP2_PE_FIRST_FREE_TID); +- if (tid < 0) ++ if (tid < 0) { ++ spin_unlock_bh(&port->priv->prs_spinlock); + return tid; ++ } + + pe.index = tid; + +@@ -2492,13 +2557,14 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port) + /* Update shadow table */ + mvpp2_prs_shadow_set(port->priv, pe.index, MVPP2_PRS_LU_FLOWS); + } else { +- mvpp2_prs_init_from_hw(port->priv, &pe, tid); ++ __mvpp2_prs_init_from_hw(port->priv, &pe, tid); + } + + mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_FLOWS); + mvpp2_prs_tcam_port_map_set(&pe, (1 << port->id)); + mvpp2_prs_hw_write(port->priv, &pe); + ++ spin_unlock_bh(&port->priv->prs_spinlock); + return 0; + } + +@@ -2509,11 +2575,14 @@ int mvpp2_prs_hits(struct mvpp2 *priv, int index) + if (index > MVPP2_PRS_TCAM_SRAM_SIZE) + return -EINVAL; + ++ spin_lock_bh(&priv->prs_spinlock); ++ + mvpp2_write(priv, MVPP2_PRS_TCAM_HIT_IDX_REG, index); + + val = mvpp2_read(priv, MVPP2_PRS_TCAM_HIT_CNT_REG); + + val &= MVPP2_PRS_TCAM_HIT_CNT_MASK; + ++ spin_unlock_bh(&priv->prs_spinlock); + return val; + } +-- +2.39.5 + diff --git a/queue-6.12/net-phy-broadcom-correct-bcm5221-phy-model-detection.patch b/queue-6.12/net-phy-broadcom-correct-bcm5221-phy-model-detection.patch new file mode 100644 index 0000000000..1812068a8f --- /dev/null +++ b/queue-6.12/net-phy-broadcom-correct-bcm5221-phy-model-detection.patch @@ -0,0 +1,55 @@ +From f76184f8cb3ff34975f7656b30e9c75e6a193d95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 14:29:42 +0800 +Subject: net: phy: broadcom: Correct BCM5221 PHY model detection + +From: Jim Liu + +[ Upstream commit 4f1eaabb4b66a1f7473f584e14e15b2ac19dfaf3 ] + +Correct detect condition is applied to the entire 5221 family of PHYs. + +Fixes: 3abbd0699b67 ("net: phy: broadcom: add support for BCM5221 phy") +Signed-off-by: Jim Liu +Reviewed-by: Michal Swiatkowski +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/broadcom.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c +index ddded162c44c1..d2a9cf3fde5ac 100644 +--- a/drivers/net/phy/broadcom.c ++++ b/drivers/net/phy/broadcom.c +@@ -859,7 +859,7 @@ static int brcm_fet_config_init(struct phy_device *phydev) + return reg; + + /* Unmask events we are interested in and mask interrupts globally. */ +- if (phydev->phy_id == PHY_ID_BCM5221) ++ if (phydev->drv->phy_id == PHY_ID_BCM5221) + reg = MII_BRCM_FET_IR_ENABLE | + MII_BRCM_FET_IR_MASK; + else +@@ -888,7 +888,7 @@ static int brcm_fet_config_init(struct phy_device *phydev) + return err; + } + +- if (phydev->phy_id != PHY_ID_BCM5221) { ++ if (phydev->drv->phy_id != PHY_ID_BCM5221) { + /* Set the LED mode */ + reg = __phy_read(phydev, MII_BRCM_FET_SHDW_AUXMODE4); + if (reg < 0) { +@@ -1009,7 +1009,7 @@ static int brcm_fet_suspend(struct phy_device *phydev) + return err; + } + +- if (phydev->phy_id == PHY_ID_BCM5221) ++ if (phydev->drv->phy_id == PHY_ID_BCM5221) + /* Force Low Power Mode with clock enabled */ + reg = BCM5221_SHDW_AM4_EN_CLK_LPM | BCM5221_SHDW_AM4_FORCE_LPM; + else +-- +2.39.5 + diff --git a/queue-6.12/net_sched-skbprio-remove-overly-strict-queue-asserti.patch b/queue-6.12/net_sched-skbprio-remove-overly-strict-queue-asserti.patch new file mode 100644 index 0000000000..3f1af6a168 --- /dev/null +++ b/queue-6.12/net_sched-skbprio-remove-overly-strict-queue-asserti.patch @@ -0,0 +1,60 @@ +From 44fa0d0565d43f52dade463c432d665da7c10b8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Mar 2025 15:25:35 -0700 +Subject: net_sched: skbprio: Remove overly strict queue assertions + +From: Cong Wang + +[ Upstream commit ce8fe975fd99b49c29c42e50f2441ba53112b2e8 ] + +In the current implementation, skbprio enqueue/dequeue contains an assertion +that fails under certain conditions when SKBPRIO is used as a child qdisc under +TBF with specific parameters. The failure occurs because TBF sometimes peeks at +packets in the child qdisc without actually dequeuing them when tokens are +unavailable. + +This peek operation creates a discrepancy between the parent and child qdisc +queue length counters. When TBF later receives a high-priority packet, +SKBPRIO's queue length may show a different value than what's reflected in its +internal priority queue tracking, triggering the assertion. + +The fix removes this overly strict assertions in SKBPRIO, they are not +necessary at all. + +Reported-by: syzbot+a3422a19b05ea96bee18@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a3422a19b05ea96bee18 +Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler") +Cc: Nishanth Devarajan +Signed-off-by: Cong Wang +Acked-by: Paolo Abeni +Link: https://patch.msgid.link/20250329222536.696204-2-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_skbprio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/sched/sch_skbprio.c b/net/sched/sch_skbprio.c +index 20ff7386b74bd..f485f62ab721a 100644 +--- a/net/sched/sch_skbprio.c ++++ b/net/sched/sch_skbprio.c +@@ -123,8 +123,6 @@ static int skbprio_enqueue(struct sk_buff *skb, struct Qdisc *sch, + /* Check to update highest and lowest priorities. */ + if (skb_queue_empty(lp_qdisc)) { + if (q->lowest_prio == q->highest_prio) { +- /* The incoming packet is the only packet in queue. */ +- BUG_ON(sch->q.qlen != 1); + q->lowest_prio = prio; + q->highest_prio = prio; + } else { +@@ -156,7 +154,6 @@ static struct sk_buff *skbprio_dequeue(struct Qdisc *sch) + /* Update highest priority field. */ + if (skb_queue_empty(hpq)) { + if (q->lowest_prio == q->highest_prio) { +- BUG_ON(sch->q.qlen); + q->highest_prio = 0; + q->lowest_prio = SKBPRIO_MAX_PRIORITY - 1; + } else { +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nf_tables-don-t-unregister-hook-when-table.patch b/queue-6.12/netfilter-nf_tables-don-t-unregister-hook-when-table.patch new file mode 100644 index 0000000000..58723e0087 --- /dev/null +++ b/queue-6.12/netfilter-nf_tables-don-t-unregister-hook-when-table.patch @@ -0,0 +1,48 @@ +From 98f25b21678d562eaa8339a98ab5530fd0439358 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 14:36:47 +0200 +Subject: netfilter: nf_tables: don't unregister hook when table is dormant + +From: Florian Westphal + +[ Upstream commit 688c15017d5cd5aac882400782e7213d40dc3556 ] + +When nf_tables_updchain encounters an error, hook registration needs to +be rolled back. + +This should only be done if the hook has been registered, which won't +happen when the table is flagged as dormant (inactive). + +Just move the assignment into the registration block. + +Reported-by: syzbot+53ed3a6440173ddbf499@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=53ed3a6440173ddbf499 +Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index eb3a6f96b094d..bdee187bc5dd4 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2732,11 +2732,11 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, + err = nft_netdev_register_hooks(ctx->net, &hook.list); + if (err < 0) + goto err_hooks; ++ ++ unregister = true; + } + } + +- unregister = true; +- + if (nla[NFTA_CHAIN_COUNTERS]) { + if (!nft_is_base_chain(chain)) { + err = -EOPNOTSUPP; +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nft_set_hash-gc-reaps-elements-with-connco.patch b/queue-6.12/netfilter-nft_set_hash-gc-reaps-elements-with-connco.patch new file mode 100644 index 0000000000..28e5b2dd64 --- /dev/null +++ b/queue-6.12/netfilter-nft_set_hash-gc-reaps-elements-with-connco.patch @@ -0,0 +1,40 @@ +From 8a809e765de668323abbd57237d0751697f2bf56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 23:24:20 +0100 +Subject: netfilter: nft_set_hash: GC reaps elements with conncount for dynamic + sets only + +From: Pablo Neira Ayuso + +[ Upstream commit 9d74da1177c800eb3d51c13f9821b7b0683845a5 ] + +conncount has its own GC handler which determines when to reap stale +elements, this is convenient for dynamic sets. However, this also reaps +non-dynamic sets with static configurations coming from control plane. +Always run connlimit gc handler but honor feedback to reap element if +this set is dynamic. + +Fixes: 290180e2448c ("netfilter: nf_tables: add connlimit support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_hash.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c +index b93f046ac7d1e..4b3452dff2ec0 100644 +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set, + + nft_setelem_expr_foreach(expr, elem_expr, size) { + if (expr->ops->gc && +- expr->ops->gc(read_pnet(&set->net), expr)) ++ expr->ops->gc(read_pnet(&set->net), expr) && ++ set->flags & NFT_SET_EVAL) + return true; + } + +-- +2.39.5 + diff --git a/queue-6.12/netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch b/queue-6.12/netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch new file mode 100644 index 0000000000..e142e098db --- /dev/null +++ b/queue-6.12/netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch @@ -0,0 +1,88 @@ +From bb2a43bd454c605bf649f584160bb832df30a79c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 01:00:26 +0800 +Subject: netfilter: nft_tunnel: fix geneve_opt type confusion addition + +From: Lin Ma + +[ Upstream commit 1b755d8eb1ace3870789d48fbd94f386ad6e30be ] + +When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the +parsing logic should place every geneve_opt structure one by one +compactly. Hence, when deciding the next geneve_opt position, the +pointer addition should be in units of char *. + +However, the current implementation erroneously does type conversion +before the addition, which will lead to heap out-of-bounds write. + +[ 6.989857] ================================================================== +[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70 +[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178 +[ 6.991162] +[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1 +[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +[ 6.992281] Call Trace: +[ 6.992423] +[ 6.992586] dump_stack_lvl+0x44/0x5c +[ 6.992801] print_report+0x184/0x4be +[ 6.993790] kasan_report+0xc5/0x100 +[ 6.994252] kasan_check_range+0xf3/0x1a0 +[ 6.994486] memcpy+0x38/0x60 +[ 6.994692] nft_tunnel_obj_init+0x977/0xa70 +[ 6.995677] nft_obj_init+0x10c/0x1b0 +[ 6.995891] nf_tables_newobj+0x585/0x950 +[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020 +[ 6.998997] nfnetlink_rcv+0x1df/0x220 +[ 6.999537] netlink_unicast+0x395/0x530 +[ 7.000771] netlink_sendmsg+0x3d0/0x6d0 +[ 7.001462] __sock_sendmsg+0x99/0xa0 +[ 7.001707] ____sys_sendmsg+0x409/0x450 +[ 7.002391] ___sys_sendmsg+0xfd/0x170 +[ 7.003145] __sys_sendmsg+0xea/0x170 +[ 7.004359] do_syscall_64+0x5e/0x90 +[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 7.006127] RIP: 0033:0x7ec756d4e407 +[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf +[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e +[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407 +[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003 +[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000 +[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 +[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8 + +Fix this bug with correct pointer addition and conversion in parse +and dump code. + +Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts") +Signed-off-by: Lin Ma +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_tunnel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c +index 5c6ed68cc6e05..52d76b8d15db2 100644 +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -341,7 +341,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN + static int nft_tunnel_obj_geneve_init(const struct nlattr *attr, + struct nft_tunnel_opts *opts) + { +- struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len; ++ struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len); + struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1]; + int err, data_len; + +@@ -628,7 +628,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, + if (!inner) + goto failure; + while (opts->len > offset) { +- opt = (struct geneve_opt *)opts->u.data + offset; ++ opt = (struct geneve_opt *)(opts->u.data + offset); + if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS, + opt->opt_class) || + nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE, +-- +2.39.5 + diff --git a/queue-6.12/netfs-fix-netfs_unbuffered_read-to-return-ssize_t-ra.patch b/queue-6.12/netfs-fix-netfs_unbuffered_read-to-return-ssize_t-ra.patch new file mode 100644 index 0000000000..bdbfc024c2 --- /dev/null +++ b/queue-6.12/netfs-fix-netfs_unbuffered_read-to-return-ssize_t-ra.patch @@ -0,0 +1,55 @@ +From 57b07aa8a1ad1f7b489424a1c7afd68a76cd141d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 16:41:59 +0000 +Subject: netfs: Fix netfs_unbuffered_read() to return ssize_t rather than int + +From: David Howells + +[ Upstream commit 07c574eb53d4cc9aa7b985bc8bfcb302e5dc4694 ] + +Fix netfs_unbuffered_read() to return an ssize_t rather than an int as +netfs_wait_for_read() returns ssize_t and this gets implicitly truncated. + +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20250314164201.1993231-5-dhowells@redhat.com +Acked-by: "Paulo Alcantara (Red Hat)" +cc: Jeff Layton +cc: Viacheslav Dubeyko +cc: Alex Markuze +cc: Ilya Dryomov +cc: ceph-devel@vger.kernel.org +cc: linux-fsdevel@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/netfs/direct_read.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/netfs/direct_read.c b/fs/netfs/direct_read.c +index b1a66a6e6bc2d..917b7edc34ef5 100644 +--- a/fs/netfs/direct_read.c ++++ b/fs/netfs/direct_read.c +@@ -108,9 +108,9 @@ static int netfs_dispatch_unbuffered_reads(struct netfs_io_request *rreq) + * Perform a read to an application buffer, bypassing the pagecache and the + * local disk cache. + */ +-static int netfs_unbuffered_read(struct netfs_io_request *rreq, bool sync) ++static ssize_t netfs_unbuffered_read(struct netfs_io_request *rreq, bool sync) + { +- int ret; ++ ssize_t ret; + + _enter("R=%x %llx-%llx", + rreq->debug_id, rreq->start, rreq->start + rreq->len - 1); +@@ -149,7 +149,7 @@ static int netfs_unbuffered_read(struct netfs_io_request *rreq, bool sync) + } + + out: +- _leave(" = %d", ret); ++ _leave(" = %zd", ret); + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.12/netlabel-fix-null-pointer-exception-caused-by-calips.patch b/queue-6.12/netlabel-fix-null-pointer-exception-caused-by-calips.patch new file mode 100644 index 0000000000..5423a0de11 --- /dev/null +++ b/queue-6.12/netlabel-fix-null-pointer-exception-caused-by-calips.patch @@ -0,0 +1,87 @@ +From dfbd5323d637c42759bd8e5af962397c8b8ecd15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 20:40:18 +0800 +Subject: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 + sockets + +From: Debin Zhu + +[ Upstream commit 078aabd567de3d63d37d7673f714e309d369e6e2 ] + +When calling netlbl_conn_setattr(), addr->sa_family is used +to determine the function behavior. If sk is an IPv4 socket, +but the connect function is called with an IPv6 address, +the function calipso_sock_setattr() is triggered. +Inside this function, the following code is executed: + +sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL; + +Since sk is an IPv4 socket, pinet6 is NULL, leading to a +null pointer dereference. + +This patch fixes the issue by checking if inet6_sk(sk) +returns a NULL pointer before accessing pinet6. + +Signed-off-by: Debin Zhu +Signed-off-by: Bitao Ouyang <1985755126@qq.com> +Acked-by: Paul Moore +Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") +Link: https://patch.msgid.link/20250401124018.4763-1-mowenroot@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/calipso.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index dbcea9fee6262..62618a058b8fa 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1072,8 +1072,13 @@ static int calipso_sock_getattr(struct sock *sk, + struct ipv6_opt_hdr *hop; + int opt_len, len, ret_val = -ENOMSG, offset; + unsigned char *opt; +- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); ++ struct ipv6_pinfo *pinfo = inet6_sk(sk); ++ struct ipv6_txoptions *txopts; ++ ++ if (!pinfo) ++ return -EAFNOSUPPORT; + ++ txopts = txopt_get(pinfo); + if (!txopts || !txopts->hopopt) + goto done; + +@@ -1125,8 +1130,13 @@ static int calipso_sock_setattr(struct sock *sk, + { + int ret_val; + struct ipv6_opt_hdr *old, *new; +- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); ++ struct ipv6_pinfo *pinfo = inet6_sk(sk); ++ struct ipv6_txoptions *txopts; ++ ++ if (!pinfo) ++ return -EAFNOSUPPORT; + ++ txopts = txopt_get(pinfo); + old = NULL; + if (txopts) + old = txopts->hopopt; +@@ -1153,8 +1163,13 @@ static int calipso_sock_setattr(struct sock *sk, + static void calipso_sock_delattr(struct sock *sk) + { + struct ipv6_opt_hdr *new_hop; +- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); ++ struct ipv6_pinfo *pinfo = inet6_sk(sk); ++ struct ipv6_txoptions *txopts; ++ ++ if (!pinfo) ++ return; + ++ txopts = txopt_get(pinfo); + if (!txopts || !txopts->hopopt) + goto done; + +-- +2.39.5 + diff --git a/queue-6.12/nfs-add-missing-release-on-error-in-nfs_lock_and_joi.patch b/queue-6.12/nfs-add-missing-release-on-error-in-nfs_lock_and_joi.patch new file mode 100644 index 0000000000..93bdefd1b3 --- /dev/null +++ b/queue-6.12/nfs-add-missing-release-on-error-in-nfs_lock_and_joi.patch @@ -0,0 +1,39 @@ +From 10932148660d599a12002d6a22e73d9af800396f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 14:02:40 +0300 +Subject: nfs: Add missing release on error in nfs_lock_and_join_requests() + +From: Dan Carpenter + +[ Upstream commit 8e5419d6542fdf2dca9a0acdef2b8255f0e4ba69 ] + +Call nfs_release_request() on this error path before returning. + +Fixes: c3f2235782c3 ("nfs: fold nfs_folio_find_and_lock_request into nfs_lock_and_join_requests") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/3aaaa3d5-1c8a-41e4-98c7-717801ddd171@stanley.mountain +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/write.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 82ae2b85d393c..8ff8db09a1e06 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -579,8 +579,10 @@ static struct nfs_page *nfs_lock_and_join_requests(struct folio *folio) + + while (!nfs_lock_request(head)) { + ret = nfs_wait_on_request(head); +- if (ret < 0) ++ if (ret < 0) { ++ nfs_release_request(head); + return ERR_PTR(ret); ++ } + } + + /* Ensure that nobody removed the request before we locked it */ +-- +2.39.5 + diff --git a/queue-6.12/nfs-fix-open_owner_id_maxsz-and-related-fields.patch b/queue-6.12/nfs-fix-open_owner_id_maxsz-and-related-fields.patch new file mode 100644 index 0000000000..0cbbc01d1a --- /dev/null +++ b/queue-6.12/nfs-fix-open_owner_id_maxsz-and-related-fields.patch @@ -0,0 +1,100 @@ +From 7d8a06c014e3821f98acfe24b5268e3e4306933c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 13:53:09 +1100 +Subject: NFS: fix open_owner_id_maxsz and related fields. + +From: NeilBrown + +[ Upstream commit 43502f6e8d1e767d6736ea0676cc784025cf6eeb ] + +A recent change increased the size of an NFSv4 open owner, but didn't +increase the corresponding max_sz defines. This is not know to have +caused failure, but should be fixed. + +This patch also fixes some relates _maxsz fields that are wrong. + +Note that the XXX_owner_id_maxsz values now are only the size of the id +and do NOT include the len field that will always preceed the id in xdr +encoding. I think this is clearer. + +Reported-by: David Disseldorp +Fixes: d98f72272500 ("nfs: simplify and guarantee owner uniqueness.") +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4xdr.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c +index e8ac3f615f932..71f45cc0ca74d 100644 +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -82,9 +82,8 @@ static int decode_layoutget(struct xdr_stream *xdr, struct rpc_rqst *req, + * we currently use size 2 (u64) out of (NFS4_OPAQUE_LIMIT >> 2) + */ + #define pagepad_maxsz (1) +-#define open_owner_id_maxsz (1 + 2 + 1 + 1 + 2) +-#define lock_owner_id_maxsz (1 + 1 + 4) +-#define decode_lockowner_maxsz (1 + XDR_QUADLEN(IDMAP_NAMESZ)) ++#define open_owner_id_maxsz (2 + 1 + 2 + 2) ++#define lock_owner_id_maxsz (2 + 1 + 2) + #define compound_encode_hdr_maxsz (3 + (NFS4_MAXTAGLEN >> 2)) + #define compound_decode_hdr_maxsz (3 + (NFS4_MAXTAGLEN >> 2)) + #define op_encode_hdr_maxsz (1) +@@ -185,7 +184,7 @@ static int decode_layoutget(struct xdr_stream *xdr, struct rpc_rqst *req, + #define encode_claim_null_maxsz (1 + nfs4_name_maxsz) + #define encode_open_maxsz (op_encode_hdr_maxsz + \ + 2 + encode_share_access_maxsz + 2 + \ +- open_owner_id_maxsz + \ ++ 1 + open_owner_id_maxsz + \ + encode_opentype_maxsz + \ + encode_claim_null_maxsz) + #define decode_space_limit_maxsz (3) +@@ -255,13 +254,14 @@ static int decode_layoutget(struct xdr_stream *xdr, struct rpc_rqst *req, + #define encode_link_maxsz (op_encode_hdr_maxsz + \ + nfs4_name_maxsz) + #define decode_link_maxsz (op_decode_hdr_maxsz + decode_change_info_maxsz) +-#define encode_lockowner_maxsz (7) ++#define encode_lockowner_maxsz (2 + 1 + lock_owner_id_maxsz) ++ + #define encode_lock_maxsz (op_encode_hdr_maxsz + \ + 7 + \ + 1 + encode_stateid_maxsz + 1 + \ + encode_lockowner_maxsz) + #define decode_lock_denied_maxsz \ +- (8 + decode_lockowner_maxsz) ++ (2 + 2 + 1 + 2 + 1 + lock_owner_id_maxsz) + #define decode_lock_maxsz (op_decode_hdr_maxsz + \ + decode_lock_denied_maxsz) + #define encode_lockt_maxsz (op_encode_hdr_maxsz + 5 + \ +@@ -617,7 +617,7 @@ static int decode_layoutget(struct xdr_stream *xdr, struct rpc_rqst *req, + encode_lockowner_maxsz) + #define NFS4_dec_release_lockowner_sz \ + (compound_decode_hdr_maxsz + \ +- decode_lockowner_maxsz) ++ decode_release_lockowner_maxsz) + #define NFS4_enc_access_sz (compound_encode_hdr_maxsz + \ + encode_sequence_maxsz + \ + encode_putfh_maxsz + \ +@@ -1412,7 +1412,7 @@ static inline void encode_openhdr(struct xdr_stream *xdr, const struct nfs_opena + __be32 *p; + /* + * opcode 4, seqid 4, share_access 4, share_deny 4, clientid 8, ownerlen 4, +- * owner 4 = 32 ++ * owner 28 + */ + encode_nfs4_seqid(xdr, arg->seqid); + encode_share_access(xdr, arg->share_access); +@@ -5077,7 +5077,7 @@ static int decode_link(struct xdr_stream *xdr, struct nfs4_change_info *cinfo) + /* + * We create the owner, so we know a proper owner.id length is 4. + */ +-static int decode_lock_denied (struct xdr_stream *xdr, struct file_lock *fl) ++static int decode_lock_denied(struct xdr_stream *xdr, struct file_lock *fl) + { + uint64_t offset, length, clientid; + __be32 *p; +-- +2.39.5 + diff --git a/queue-6.12/nfs-shut-down-the-nfs_client-only-after-all-the-supe.patch b/queue-6.12/nfs-shut-down-the-nfs_client-only-after-all-the-supe.patch new file mode 100644 index 0000000000..f7746ef720 --- /dev/null +++ b/queue-6.12/nfs-shut-down-the-nfs_client-only-after-all-the-supe.patch @@ -0,0 +1,78 @@ +From 19e44d26d1e86beb0bd0e6656c8fc3237bc5110a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 17:58:50 -0400 +Subject: NFS: Shut down the nfs_client only after all the superblocks + +From: Trond Myklebust + +[ Upstream commit 2d3e998a0bc7fe26a724f87a8ce217848040520e ] + +The nfs_client manages state for all the superblocks in the +"cl_superblocks" list, so it must not be shut down until all of them are +gone. + +Fixes: 7d3e26a054c8 ("NFS: Cancel all existing RPC tasks when shutdown") +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/sysfs.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/sysfs.c b/fs/nfs/sysfs.c +index 7b59a40d40c06..784f7c1d003bf 100644 +--- a/fs/nfs/sysfs.c ++++ b/fs/nfs/sysfs.c +@@ -14,6 +14,7 @@ + #include + #include + ++#include "internal.h" + #include "nfs4_fs.h" + #include "netns.h" + #include "sysfs.h" +@@ -228,6 +229,25 @@ static void shutdown_client(struct rpc_clnt *clnt) + rpc_cancel_tasks(clnt, -EIO, shutdown_match_client, NULL); + } + ++/* ++ * Shut down the nfs_client only once all the superblocks ++ * have been shut down. ++ */ ++static void shutdown_nfs_client(struct nfs_client *clp) ++{ ++ struct nfs_server *server; ++ rcu_read_lock(); ++ list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) { ++ if (!(server->flags & NFS_MOUNT_SHUTDOWN)) { ++ rcu_read_unlock(); ++ return; ++ } ++ } ++ rcu_read_unlock(); ++ nfs_mark_client_ready(clp, -EIO); ++ shutdown_client(clp->cl_rpcclient); ++} ++ + static ssize_t + shutdown_show(struct kobject *kobj, struct kobj_attribute *attr, + char *buf) +@@ -259,7 +279,6 @@ shutdown_store(struct kobject *kobj, struct kobj_attribute *attr, + + server->flags |= NFS_MOUNT_SHUTDOWN; + shutdown_client(server->client); +- shutdown_client(server->nfs_client->cl_rpcclient); + + if (!IS_ERR(server->client_acl)) + shutdown_client(server->client_acl); +@@ -267,6 +286,7 @@ shutdown_store(struct kobject *kobj, struct kobj_attribute *attr, + if (server->nlm_host) + shutdown_client(server->nlm_host->h_rpcclnt); + out: ++ shutdown_nfs_client(server->nfs_client); + return count; + } + +-- +2.39.5 + diff --git a/queue-6.12/nfsv4-avoid-unnecessary-scans-of-filesystems-for-del.patch b/queue-6.12/nfsv4-avoid-unnecessary-scans-of-filesystems-for-del.patch new file mode 100644 index 0000000000..3173daacec --- /dev/null +++ b/queue-6.12/nfsv4-avoid-unnecessary-scans-of-filesystems-for-del.patch @@ -0,0 +1,102 @@ +From 1eb384f02fa32c9b792466406a5f399c0e6ba3be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 18:37:51 -0500 +Subject: NFSv4: Avoid unnecessary scans of filesystems for delayed delegations + +From: Trond Myklebust + +[ Upstream commit e767b59e29b8327d25edde65efc743f479f30d0a ] + +The amount of looping through the list of delegations is occasionally +leading to soft lockups. If the state manager was asked to manage the +delayed return of delegations, then only scan those filesystems +containing delegations that were marked as being delayed. + +Fixes: be20037725d1 ("NFSv4: Fix delegation return in cases where we have to retry") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/delegation.c | 18 ++++++++++++------ + include/linux/nfs_fs_sb.h | 1 + + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c +index abd952cc47e4b..325ba0663a6de 100644 +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -331,14 +331,16 @@ nfs_start_delegation_return(struct nfs_inode *nfsi) + } + + static void nfs_abort_delegation_return(struct nfs_delegation *delegation, +- struct nfs_client *clp, int err) ++ struct nfs_server *server, int err) + { +- + spin_lock(&delegation->lock); + clear_bit(NFS_DELEGATION_RETURNING, &delegation->flags); + if (err == -EAGAIN) { + set_bit(NFS_DELEGATION_RETURN_DELAYED, &delegation->flags); +- set_bit(NFS4CLNT_DELEGRETURN_DELAYED, &clp->cl_state); ++ set_bit(NFS4SERV_DELEGRETURN_DELAYED, ++ &server->delegation_flags); ++ set_bit(NFS4CLNT_DELEGRETURN_DELAYED, ++ &server->nfs_client->cl_state); + } + spin_unlock(&delegation->lock); + } +@@ -548,7 +550,7 @@ int nfs_inode_set_delegation(struct inode *inode, const struct cred *cred, + */ + static int nfs_end_delegation_return(struct inode *inode, struct nfs_delegation *delegation, int issync) + { +- struct nfs_client *clp = NFS_SERVER(inode)->nfs_client; ++ struct nfs_server *server = NFS_SERVER(inode); + unsigned int mode = O_WRONLY | O_RDWR; + int err = 0; + +@@ -570,11 +572,11 @@ static int nfs_end_delegation_return(struct inode *inode, struct nfs_delegation + /* + * Guard against state recovery + */ +- err = nfs4_wait_clnt_recover(clp); ++ err = nfs4_wait_clnt_recover(server->nfs_client); + } + + if (err) { +- nfs_abort_delegation_return(delegation, clp, err); ++ nfs_abort_delegation_return(delegation, server, err); + goto out; + } + +@@ -678,6 +680,9 @@ static bool nfs_server_clear_delayed_delegations(struct nfs_server *server) + struct nfs_delegation *d; + bool ret = false; + ++ if (!test_and_clear_bit(NFS4SERV_DELEGRETURN_DELAYED, ++ &server->delegation_flags)) ++ goto out; + list_for_each_entry_rcu (d, &server->delegations, super_list) { + if (!test_bit(NFS_DELEGATION_RETURN_DELAYED, &d->flags)) + continue; +@@ -685,6 +690,7 @@ static bool nfs_server_clear_delayed_delegations(struct nfs_server *server) + clear_bit(NFS_DELEGATION_RETURN_DELAYED, &d->flags); + ret = true; + } ++out: + return ret; + } + +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index f4cb1f4850a0c..81ab18658d72d 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -254,6 +254,7 @@ struct nfs_server { + unsigned long delegation_flags; + #define NFS4SERV_DELEGRETURN (1) + #define NFS4SERV_DELEGATION_EXPIRED (2) ++#define NFS4SERV_DELEGRETURN_DELAYED (3) + unsigned long delegation_gen; + unsigned long mig_gen; + unsigned long mig_status; +-- +2.39.5 + diff --git a/queue-6.12/nfsv4-avoid-unnecessary-scans-of-filesystems-for-exp.patch b/queue-6.12/nfsv4-avoid-unnecessary-scans-of-filesystems-for-exp.patch new file mode 100644 index 0000000000..c5ceaf17c1 --- /dev/null +++ b/queue-6.12/nfsv4-avoid-unnecessary-scans-of-filesystems-for-exp.patch @@ -0,0 +1,69 @@ +From c50fc6a3ca849346615ddcf6e3bea6610ff1cf72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 19:03:21 -0500 +Subject: NFSv4: Avoid unnecessary scans of filesystems for expired delegations + +From: Trond Myklebust + +[ Upstream commit f163aa81a799e2d46d7f8f0b42a0e7770eaa0d06 ] + +The amount of looping through the list of delegations is occasionally +leading to soft lockups. If the state manager was asked to reap the +expired delegations, it should scan only those filesystems that hold +delegations that need to be reaped. + +Fixes: 7f156ef0bf45 ("NFSv4: Clean up nfs_delegation_reap_expired()") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/delegation.c | 7 +++++++ + include/linux/nfs_fs_sb.h | 1 + + 2 files changed, 8 insertions(+) + +diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c +index d1f5e497729c3..abd952cc47e4b 100644 +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -1284,6 +1284,7 @@ static void nfs_mark_test_expired_delegation(struct nfs_server *server, + return; + clear_bit(NFS_DELEGATION_NEED_RECLAIM, &delegation->flags); + set_bit(NFS_DELEGATION_TEST_EXPIRED, &delegation->flags); ++ set_bit(NFS4SERV_DELEGATION_EXPIRED, &server->delegation_flags); + set_bit(NFS4CLNT_DELEGATION_EXPIRED, &server->nfs_client->cl_state); + } + +@@ -1362,6 +1363,9 @@ static int nfs_server_reap_expired_delegations(struct nfs_server *server, + nfs4_stateid stateid; + unsigned long gen = ++server->delegation_gen; + ++ if (!test_and_clear_bit(NFS4SERV_DELEGATION_EXPIRED, ++ &server->delegation_flags)) ++ return 0; + restart: + rcu_read_lock(); + list_for_each_entry_rcu(delegation, &server->delegations, super_list) { +@@ -1391,6 +1395,9 @@ static int nfs_server_reap_expired_delegations(struct nfs_server *server, + goto restart; + } + nfs_inode_mark_test_expired_delegation(server,inode); ++ set_bit(NFS4SERV_DELEGATION_EXPIRED, &server->delegation_flags); ++ set_bit(NFS4CLNT_DELEGATION_EXPIRED, ++ &server->nfs_client->cl_state); + iput(inode); + return -EAGAIN; + } +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index 98fc10ee0b869..f4cb1f4850a0c 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -253,6 +253,7 @@ struct nfs_server { + + unsigned long delegation_flags; + #define NFS4SERV_DELEGRETURN (1) ++#define NFS4SERV_DELEGATION_EXPIRED (2) + unsigned long delegation_gen; + unsigned long mig_gen; + unsigned long mig_status; +-- +2.39.5 + diff --git a/queue-6.12/nfsv4-avoid-unnecessary-scans-of-filesystems-for-ret.patch b/queue-6.12/nfsv4-avoid-unnecessary-scans-of-filesystems-for-ret.patch new file mode 100644 index 0000000000..e92c41f716 --- /dev/null +++ b/queue-6.12/nfsv4-avoid-unnecessary-scans-of-filesystems-for-ret.patch @@ -0,0 +1,69 @@ +From 3ba0bfe249640ded17cf560876aba470a8aeac84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 18:14:26 -0500 +Subject: NFSv4: Avoid unnecessary scans of filesystems for returning + delegations + +From: Trond Myklebust + +[ Upstream commit 35a566a24e58f1b5f89737edf60b77de58719ed0 ] + +The amount of looping through the list of delegations is occasionally +leading to soft lockups. If the state manager was asked to return +delegations asynchronously, it should only scan those filesystems that +hold delegations that need to be returned. + +Fixes: af3b61bf6131 ("NFSv4: Clean up nfs_client_return_marked_delegations()") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/delegation.c | 5 +++++ + include/linux/nfs_fs_sb.h | 2 ++ + 2 files changed, 7 insertions(+) + +diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c +index df77d68d9ff99..d1f5e497729c3 100644 +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -79,6 +79,7 @@ static void nfs_mark_return_delegation(struct nfs_server *server, + struct nfs_delegation *delegation) + { + set_bit(NFS_DELEGATION_RETURN, &delegation->flags); ++ set_bit(NFS4SERV_DELEGRETURN, &server->delegation_flags); + set_bit(NFS4CLNT_DELEGRETURN, &server->nfs_client->cl_state); + } + +@@ -608,6 +609,9 @@ static int nfs_server_return_marked_delegations(struct nfs_server *server, + struct nfs_delegation *place_holder_deleg = NULL; + int err = 0; + ++ if (!test_and_clear_bit(NFS4SERV_DELEGRETURN, ++ &server->delegation_flags)) ++ return 0; + restart: + /* + * To avoid quadratic looping we hold a reference +@@ -659,6 +663,7 @@ static int nfs_server_return_marked_delegations(struct nfs_server *server, + cond_resched(); + if (!err) + goto restart; ++ set_bit(NFS4SERV_DELEGRETURN, &server->delegation_flags); + set_bit(NFS4CLNT_DELEGRETURN, &server->nfs_client->cl_state); + goto out; + } +diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h +index b804346a97419..98fc10ee0b869 100644 +--- a/include/linux/nfs_fs_sb.h ++++ b/include/linux/nfs_fs_sb.h +@@ -251,6 +251,8 @@ struct nfs_server { + struct list_head ss_copies; + struct list_head ss_src_copies; + ++ unsigned long delegation_flags; ++#define NFS4SERV_DELEGRETURN (1) + unsigned long delegation_gen; + unsigned long mig_gen; + unsigned long mig_status; +-- +2.39.5 + diff --git a/queue-6.12/nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch b/queue-6.12/nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch new file mode 100644 index 0000000000..114a01a943 --- /dev/null +++ b/queue-6.12/nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch @@ -0,0 +1,79 @@ +From 214eefba39e489e593388bab49c82fc5fe78963c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 16:50:30 -0500 +Subject: NFSv4: Don't trigger uneccessary scans for return-on-close + delegations + +From: Trond Myklebust + +[ Upstream commit 47acca884f714f41d95dc654f802845544554784 ] + +The amount of looping through the list of delegations is occasionally +leading to soft lockups. Avoid at least some loops by not requiring the +NFSv4 state manager to scan for delegations that are marked for +return-on-close. Instead, either mark them for immediate return (if +possible) or else leave it up to nfs4_inode_return_delegation_on_close() +to return them once the file is closed by the application. + +Fixes: b757144fd77c ("NFSv4: Be less aggressive about returning delegations for open files") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/delegation.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c +index 4db912f562305..df77d68d9ff99 100644 +--- a/fs/nfs/delegation.c ++++ b/fs/nfs/delegation.c +@@ -590,17 +590,6 @@ static bool nfs_delegation_need_return(struct nfs_delegation *delegation) + + if (test_and_clear_bit(NFS_DELEGATION_RETURN, &delegation->flags)) + ret = true; +- else if (test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags)) { +- struct inode *inode; +- +- spin_lock(&delegation->lock); +- inode = delegation->inode; +- if (inode && list_empty(&NFS_I(inode)->open_files)) +- ret = true; +- spin_unlock(&delegation->lock); +- } +- if (ret) +- clear_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags); + if (test_bit(NFS_DELEGATION_RETURNING, &delegation->flags) || + test_bit(NFS_DELEGATION_RETURN_DELAYED, &delegation->flags) || + test_bit(NFS_DELEGATION_REVOKED, &delegation->flags)) +@@ -878,11 +867,25 @@ int nfs4_inode_make_writeable(struct inode *inode) + return nfs4_inode_return_delegation(inode); + } + +-static void nfs_mark_return_if_closed_delegation(struct nfs_server *server, +- struct nfs_delegation *delegation) ++static void ++nfs_mark_return_if_closed_delegation(struct nfs_server *server, ++ struct nfs_delegation *delegation) + { +- set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags); +- set_bit(NFS4CLNT_DELEGRETURN, &server->nfs_client->cl_state); ++ struct inode *inode; ++ ++ if (test_bit(NFS_DELEGATION_RETURN, &delegation->flags) || ++ test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags)) ++ return; ++ spin_lock(&delegation->lock); ++ inode = delegation->inode; ++ if (!inode) ++ goto out; ++ if (list_empty(&NFS_I(inode)->open_files)) ++ nfs_mark_return_delegation(server, delegation); ++ else ++ set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags); ++out: ++ spin_unlock(&delegation->lock); + } + + static bool nfs_server_mark_return_all_delegations(struct nfs_server *server) +-- +2.39.5 + diff --git a/queue-6.12/ntb-intel-fix-using-link-status-db-s.patch b/queue-6.12/ntb-intel-fix-using-link-status-db-s.patch new file mode 100644 index 0000000000..2eab28b3c3 --- /dev/null +++ b/queue-6.12/ntb-intel-fix-using-link-status-db-s.patch @@ -0,0 +1,37 @@ +From a604c5ee0df86f530b573cec6c4c3b52e52622f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jun 2024 11:15:19 +0300 +Subject: ntb: intel: Fix using link status DB's + +From: Nikita Shubin + +[ Upstream commit 8144e9c8f30fb23bb736a5d24d5c9d46965563c4 ] + +Make sure we are not using DB's which were remapped for link status. + +Fixes: f6e51c354b60 ("ntb: intel: split out the gen3 code") +Signed-off-by: Nikita Shubin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen3.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen3.c b/drivers/ntb/hw/intel/ntb_hw_gen3.c +index ffcfc3e02c353..a5aa96a31f4a6 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen3.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen3.c +@@ -215,6 +215,9 @@ static int gen3_init_ntb(struct intel_ntb_dev *ndev) + } + + ndev->db_valid_mask = BIT_ULL(ndev->db_count) - 1; ++ /* Make sure we are not using DB's used for link status */ ++ if (ndev->hwerr_flags & NTB_HWERR_MSIX_VECTOR32_BAD) ++ ndev->db_valid_mask &= ~ndev->db_link_mask; + + ndev->reg->db_iowrite(ndev->db_valid_mask, + ndev->self_mmio + +-- +2.39.5 + diff --git a/queue-6.12/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch b/queue-6.12/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch new file mode 100644 index 0000000000..bb3752776f --- /dev/null +++ b/queue-6.12/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch @@ -0,0 +1,45 @@ +From 7f18db59de92a44e56c28d008836f47507763d3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 16:33:05 +0800 +Subject: ntb_hw_switchtec: Fix shift-out-of-bounds in + switchtec_ntb_mw_set_trans + +From: Yajun Deng + +[ Upstream commit de203da734fae00e75be50220ba5391e7beecdf9 ] + +There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and +size. This would make xlate_pos negative. + +[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000 +[ 23.734158] ================================================================================ +[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7 +[ 23.734418] shift exponent -1 is negative + +Ensuring xlate_pos is a positive or zero before BIT. + +Fixes: 1e2fd202f859 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()") +Signed-off-by: Yajun Deng +Reviewed-by: Logan Gunthorpe +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +index ad1786be2554b..f851397b65d6e 100644 +--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c ++++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +@@ -288,7 +288,7 @@ static int switchtec_ntb_mw_set_trans(struct ntb_dev *ntb, int pidx, int widx, + if (size != 0 && xlate_pos < 12) + return -EINVAL; + +- if (!IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { ++ if (xlate_pos >= 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { + /* + * In certain circumstances we can get a buffer that is + * not aligned to its size. (Most of the time +-- +2.39.5 + diff --git a/queue-6.12/ntsync-set-the-permissions-to-be-0666.patch b/queue-6.12/ntsync-set-the-permissions-to-be-0666.patch new file mode 100644 index 0000000000..974dca3590 --- /dev/null +++ b/queue-6.12/ntsync-set-the-permissions-to-be-0666.patch @@ -0,0 +1,35 @@ +From 9972da8b6f0b22e14f78282260d774eff354145e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 12:28:00 +0000 +Subject: ntsync: Set the permissions to be 0666 + +From: Mike Lothian + +[ Upstream commit fa2e55811ae25020a5e9b23a8932e67e6d6261a4 ] + +This allows ntsync to be usuable by non-root processes out of the box + +Signed-off-by: Mike Lothian +Reviewed-by: Elizabeth Figura +Link: https://lore.kernel.org/r/20250214122759.2629-2-mike@fireburn.co.uk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/ntsync.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/misc/ntsync.c b/drivers/misc/ntsync.c +index 4954553b7baa6..c3ba3f0ebf300 100644 +--- a/drivers/misc/ntsync.c ++++ b/drivers/misc/ntsync.c +@@ -238,6 +238,7 @@ static struct miscdevice ntsync_misc = { + .minor = MISC_DYNAMIC_MINOR, + .name = NTSYNC_NAME, + .fops = &ntsync_fops, ++ .mode = 0666, + }; + + module_misc_device(ntsync_misc); +-- +2.39.5 + diff --git a/queue-6.12/nvme-ioctl-don-t-warn-on-vectorized-uring_cmd-with-f.patch b/queue-6.12/nvme-ioctl-don-t-warn-on-vectorized-uring_cmd-with-f.patch new file mode 100644 index 0000000000..2dae5ce9eb --- /dev/null +++ b/queue-6.12/nvme-ioctl-don-t-warn-on-vectorized-uring_cmd-with-f.patch @@ -0,0 +1,40 @@ +From 7e94b672c5149511d9b20aa180840b502a0901a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 09:46:45 -0600 +Subject: nvme/ioctl: don't warn on vectorized uring_cmd with fixed buffer + +From: Caleb Sander Mateos + +[ Upstream commit eada75467fca0b016b9b22212637c07216135c20 ] + +The vectorized io_uring NVMe passthru opcodes don't yet support fixed +buffers. But since userspace can trigger this condition based on the +io_uring SQE parameters, it shouldn't cause a kernel warning. + +Signed-off-by: Caleb Sander Mateos +Reviewed-by: Jens Axboe +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Christoph Hellwig +Fixes: 23fd22e55b76 ("nvme: wire up fixed buffer support for nvme passthrough") +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c +index e4daac9c24401..a1b3c538a4bd2 100644 +--- a/drivers/nvme/host/ioctl.c ++++ b/drivers/nvme/host/ioctl.c +@@ -141,7 +141,7 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer, + struct iov_iter iter; + + /* fixedbufs is only for non-vectored io */ +- if (WARN_ON_ONCE(flags & NVME_IOCTL_VEC)) { ++ if (flags & NVME_IOCTL_VEC) { + ret = -EINVAL; + goto out; + } +-- +2.39.5 + diff --git a/queue-6.12/nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch b/queue-6.12/nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch new file mode 100644 index 0000000000..ac9ebb55ae --- /dev/null +++ b/queue-6.12/nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch @@ -0,0 +1,38 @@ +From 6b8c3e79efe7d36b7ddd77f13463642651a78e0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 01:04:43 +0800 +Subject: nvme-pci: clean up CMBMSC when registering CMB fails + +From: Icenowy Zheng + +[ Upstream commit 6a3572e10f740acd48e2713ef37e92186a3ce5e8 ] + +CMB decoding should get disabled when the CMB block isn't successfully +registered to P2P DMA subsystem. + +Clean up the CMBMSC register in this error handling codepath to disable +CMB decoding (and CMBLOC/CMBSZ registers). + +Signed-off-by: Icenowy Zheng +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 1d3205f08af84..84c0611697a9b 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2005,6 +2005,7 @@ static void nvme_map_cmb(struct nvme_dev *dev) + if (pci_p2pdma_add_resource(pdev, bar, size, offset)) { + dev_warn(dev->ctrl.device, + "failed to register the CMB\n"); ++ hi_lo_writeq(0, dev->bar + NVME_REG_CMBMSC); + return; + } + +-- +2.39.5 + diff --git a/queue-6.12/nvme-pci-fix-stuck-reset-on-concurrent-dpc-and-hp.patch b/queue-6.12/nvme-pci-fix-stuck-reset-on-concurrent-dpc-and-hp.patch new file mode 100644 index 0000000000..2c9cda0dfa --- /dev/null +++ b/queue-6.12/nvme-pci-fix-stuck-reset-on-concurrent-dpc-and-hp.patch @@ -0,0 +1,76 @@ +From f68de5688b91c970d944bd53b2971b84ea43f5e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 14:25:57 -0800 +Subject: nvme-pci: fix stuck reset on concurrent DPC and HP + +From: Keith Busch + +[ Upstream commit 3f674e7b670b7b7d9261935820e4eba3c059f835 ] + +The PCIe error handling has the nvme driver quiesce the device, attempt +to restart it, then wait for that restart to complete. + +A PCIe DPC event also toggles the PCIe link. If the slot doesn't have +out-of-band presence detection, this will trigger a pciehp +re-enumeration. + +The error handling that calls nvme_error_resume is holding the device +lock while this happens. This lock blocks pciehp's request to disconnect +the driver from proceeding. + +Meanwhile the nvme's reset can't make forward progress because its +device isn't there anymore with outstanding IO, and the timeout handler +won't do anything to fix it because the device is undergoing error +handling. + +End result: deadlocked. + +Fix this by having the timeout handler short cut the disabling for a +disconnected PCIe device. The downside is that we're relying on an IO +timeout to clean up this mess, which could be a minute by default. + +Tested-by: Nilay Shroff +Reviewed-by: Nilay Shroff +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 833a67b79e13c..af45a1b865ee1 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1413,9 +1413,20 @@ static enum blk_eh_timer_return nvme_timeout(struct request *req) + struct nvme_dev *dev = nvmeq->dev; + struct request *abort_req; + struct nvme_command cmd = { }; ++ struct pci_dev *pdev = to_pci_dev(dev->dev); + u32 csts = readl(dev->bar + NVME_REG_CSTS); + u8 opcode; + ++ /* ++ * Shutdown the device immediately if we see it is disconnected. This ++ * unblocks PCIe error handling if the nvme driver is waiting in ++ * error_resume for a device that has been removed. We can't unbind the ++ * driver while the driver's error callback is waiting to complete, so ++ * we're relying on a timeout to break that deadlock if a removal ++ * occurs while reset work is running. ++ */ ++ if (pci_dev_is_disconnected(pdev)) ++ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING); + if (nvme_state_terminal(&dev->ctrl)) + goto disable; + +@@ -1423,7 +1434,7 @@ static enum blk_eh_timer_return nvme_timeout(struct request *req) + * the recovery mechanism will surely fail. + */ + mb(); +- if (pci_channel_offline(to_pci_dev(dev->dev))) ++ if (pci_channel_offline(pdev)) + return BLK_EH_RESET_TIMER; + + /* +-- +2.39.5 + diff --git a/queue-6.12/nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch b/queue-6.12/nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch new file mode 100644 index 0000000000..0a01e5cad8 --- /dev/null +++ b/queue-6.12/nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch @@ -0,0 +1,68 @@ +From 21da7f1d63aaba168a03284727c78cf2a07c35ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 01:04:44 +0800 +Subject: nvme-pci: skip CMB blocks incompatible with PCI P2P DMA + +From: Icenowy Zheng + +[ Upstream commit 56cf7ef0d490b28fad8f8629fc135c5ab7c9f54e ] + +The PCI P2PDMA code will register the CMB block to the memory +hot-plugging subsystem, which have an alignment requirement. Memory +blocks that do not satisfy this alignment requirement (usually 2MB) will +lead to a WARNING from memory hotplugging. + +Verify the CMB block's address and size against the alignment and only +try to send CMB blocks compatible with it to prevent this warning. + +Tested on Intel DC D4502 SSD, which has a 512K CMB block that is too +small for memory hotplugging (thus PCI P2PDMA). + +Signed-off-by: Icenowy Zheng +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 84c0611697a9b..833a67b79e13c 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1984,6 +1984,18 @@ static void nvme_map_cmb(struct nvme_dev *dev) + if (offset > bar_size) + return; + ++ /* ++ * Controllers may support a CMB size larger than their BAR, for ++ * example, due to being behind a bridge. Reduce the CMB to the ++ * reported size of the BAR ++ */ ++ size = min(size, bar_size - offset); ++ ++ if (!IS_ALIGNED(size, memremap_compat_align()) || ++ !IS_ALIGNED(pci_resource_start(pdev, bar), ++ memremap_compat_align())) ++ return; ++ + /* + * Tell the controller about the host side address mapping the CMB, + * and enable CMB decoding for the NVMe 1.4+ scheme: +@@ -1994,14 +2006,6 @@ static void nvme_map_cmb(struct nvme_dev *dev) + dev->bar + NVME_REG_CMBMSC); + } + +- /* +- * Controllers may support a CMB size larger than their BAR, +- * for example, due to being behind a bridge. Reduce the CMB to +- * the reported size of the BAR +- */ +- if (size > bar_size - offset) +- size = bar_size - offset; +- + if (pci_p2pdma_add_resource(pdev, bar, size, offset)) { + dev_warn(dev->ctrl.device, + "failed to register the CMB\n"); +-- +2.39.5 + diff --git a/queue-6.12/nvme-pci-skip-nvme_write_sq_db-on-empty-rqlist.patch b/queue-6.12/nvme-pci-skip-nvme_write_sq_db-on-empty-rqlist.patch new file mode 100644 index 0000000000..1971a99be2 --- /dev/null +++ b/queue-6.12/nvme-pci-skip-nvme_write_sq_db-on-empty-rqlist.patch @@ -0,0 +1,37 @@ +From cec423a355e8f7357084807e1a244e9994735737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 18:28:59 +0200 +Subject: nvme-pci: skip nvme_write_sq_db on empty rqlist + +From: Maurizio Lombardi + +[ Upstream commit 288ff0d10beb069355036355d5f7612579dc869c ] + +nvme_submit_cmds() should check the rqlist before calling +nvme_write_sq_db(); if the list is empty, it must return immediately. + +Fixes: beadf0088501 ("nvme-pci: reverse request order in nvme_queue_rqs") +Signed-off-by: Maurizio Lombardi +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index af45a1b865ee1..4fdcf146cbaad 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -989,6 +989,9 @@ static void nvme_submit_cmds(struct nvme_queue *nvmeq, struct request **rqlist) + { + struct request *req; + ++ if (rq_list_empty(rqlist)) ++ return; ++ + spin_lock(&nvmeq->sq_lock); + while ((req = rq_list_pop(rqlist))) { + struct nvme_iod *iod = blk_mq_rq_to_pdu(req); +-- +2.39.5 + diff --git a/queue-6.12/nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch b/queue-6.12/nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch new file mode 100644 index 0000000000..78d1fb3dd3 --- /dev/null +++ b/queue-6.12/nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch @@ -0,0 +1,88 @@ +From 48605f3996d2c502e4200fd6cf466a037692e1b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 13:18:30 +0200 +Subject: nvme-tcp: fix possible UAF in nvme_tcp_poll + +From: Sagi Grimberg + +[ Upstream commit 8c1624b63a7d24142a2bbc3a5ee7e95f004ea36e ] + +nvme_tcp_poll() may race with the send path error handler because +it may complete the request while it is actively being polled for +completion, resulting in a UAF panic [1]: + +We should make sure to stop polling when we see an error when +trying to read from the socket. Hence make sure to propagate the +error so that the block layer breaks the polling cycle. + +[1]: +-- +[35665.692310] nvme nvme2: failed to send request -13 +[35665.702265] nvme nvme2: unsupported pdu type (3) +[35665.702272] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[35665.702542] nvme nvme2: queue 1 receive failed: -22 +[35665.703209] #PF: supervisor write access in kernel mode +[35665.703213] #PF: error_code(0x0002) - not-present page +[35665.703214] PGD 8000003801cce067 P4D 8000003801cce067 PUD 37e6f79067 PMD 0 +[35665.703220] Oops: 0002 [#1] SMP PTI +[35665.703658] nvme nvme2: starting error recovery +[35665.705809] Hardware name: Inspur aaabbb/YZMB-00882-104, BIOS 4.1.26 09/22/2022 +[35665.705812] Workqueue: kblockd blk_mq_requeue_work +[35665.709172] RIP: 0010:_raw_spin_lock+0xc/0x30 +[35665.715788] Call Trace: +[35665.716201] +[35665.716613] ? show_trace_log_lvl+0x1c1/0x2d9 +[35665.717049] ? show_trace_log_lvl+0x1c1/0x2d9 +[35665.717457] ? blk_mq_request_bypass_insert+0x2c/0xb0 +[35665.717950] ? __die_body.cold+0x8/0xd +[35665.718361] ? page_fault_oops+0xac/0x140 +[35665.718749] ? blk_mq_start_request+0x30/0xf0 +[35665.719144] ? nvme_tcp_queue_rq+0xc7/0x170 [nvme_tcp] +[35665.719547] ? exc_page_fault+0x62/0x130 +[35665.719938] ? asm_exc_page_fault+0x22/0x30 +[35665.720333] ? _raw_spin_lock+0xc/0x30 +[35665.720723] blk_mq_request_bypass_insert+0x2c/0xb0 +[35665.721101] blk_mq_requeue_work+0xa5/0x180 +[35665.721451] process_one_work+0x1e8/0x390 +[35665.721809] worker_thread+0x53/0x3d0 +[35665.722159] ? process_one_work+0x390/0x390 +[35665.722501] kthread+0x124/0x150 +[35665.722849] ? set_kthread_struct+0x50/0x50 +[35665.723182] ret_from_fork+0x1f/0x30 + +Reported-by: Zhang Guanghui +Signed-off-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index eeb05b7bc0fd0..854aa6a070ca8 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -2736,6 +2736,7 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob) + { + struct nvme_tcp_queue *queue = hctx->driver_data; + struct sock *sk = queue->sock->sk; ++ int ret; + + if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags)) + return 0; +@@ -2743,9 +2744,9 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob) + set_bit(NVME_TCP_Q_POLLING, &queue->flags); + if (sk_can_busy_loop(sk) && skb_queue_empty_lockless(&sk->sk_receive_queue)) + sk_busy_loop(sk, true); +- nvme_tcp_try_recv(queue); ++ ret = nvme_tcp_try_recv(queue); + clear_bit(NVME_TCP_Q_POLLING, &queue->flags); +- return queue->nr_cqe; ++ return ret < 0 ? ret : queue->nr_cqe; + } + + static int nvme_tcp_get_address(struct nvme_ctrl *ctrl, char *buf, int size) +-- +2.39.5 + diff --git a/queue-6.12/objtool-fix-segfault-in-ignore_unreachable_insn.patch b/queue-6.12/objtool-fix-segfault-in-ignore_unreachable_insn.patch new file mode 100644 index 0000000000..cec69bd085 --- /dev/null +++ b/queue-6.12/objtool-fix-segfault-in-ignore_unreachable_insn.patch @@ -0,0 +1,41 @@ +From b7cd77740f6e232c24a202a773bccfb565c29860 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 22:04:21 -0700 +Subject: objtool: Fix segfault in ignore_unreachable_insn() + +From: Josh Poimboeuf + +[ Upstream commit 69d41d6dafff0967565b971d950bd10443e4076c ] + +Check 'prev_insn' before dereferencing it. + +Fixes: bd841d6154f5 ("objtool: Fix CONFIG_UBSAN_TRAP unreachable warnings") +Reported-by: Arnd Bergmann +Reported-by: Ingo Molnar +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/5df4ff89c9e4b9e788b77b0531234ffa7ba03e9e.1743136205.git.jpoimboe@kernel.org + +Closes: https://lore.kernel.org/d86b4cc6-0b97-4095-8793-a7384410b8ab@app.fastmail.com +Closes: https://lore.kernel.org/Z-V_rruKY0-36pqA@gmail.com +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index 24a1adca30dbc..4030412637ad0 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -4153,7 +4153,7 @@ static bool ignore_unreachable_insn(struct objtool_file *file, struct instructio + * It may also insert a UD2 after calling a __noreturn function. + */ + prev_insn = prev_insn_same_sec(file, insn); +- if (prev_insn->dead_end && ++ if (prev_insn && prev_insn->dead_end && + (insn->type == INSN_BUG || + (insn->type == INSN_JUMP_UNCONDITIONAL && + insn->jump_dest && insn->jump_dest->type == INSN_BUG))) +-- +2.39.5 + diff --git a/queue-6.12/objtool-fix-verbose-disassembly-if-cross_compile-isn.patch b/queue-6.12/objtool-fix-verbose-disassembly-if-cross_compile-isn.patch new file mode 100644 index 0000000000..4f6359ab5a --- /dev/null +++ b/queue-6.12/objtool-fix-verbose-disassembly-if-cross_compile-isn.patch @@ -0,0 +1,46 @@ +From 22cf58e2156aa516c9f008b8d372a17d5c645c7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 21:26:42 -0700 +Subject: objtool: Fix verbose disassembly if CROSS_COMPILE isn't set + +From: David Laight + +[ Upstream commit e77956e4e5c11218e60a1fe8cdbccd02476f2e56 ] + +In verbose mode, when printing the disassembly of affected functions, if +CROSS_COMPILE isn't set, the objdump command string gets prefixed with +"(null)". + +Somehow this worked before. Maybe some versions of glibc return an +empty string instead of NULL. Fix it regardless. + +[ jpoimboe: Rewrite commit log. ] + +Fixes: ca653464dd097 ("objtool: Add verbose option for disassembling affected functions") +Signed-off-by: David Laight +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250215142321.14081-1-david.laight.linux@gmail.com +Link: https://lore.kernel.org/r/b931a4786bc0127aa4c94e8b35ed617dcbd3d3da.1743481539.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index 4030412637ad0..286a2c0af02aa 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -4614,6 +4614,8 @@ static int disas_funcs(const char *funcs) + char *cmd; + + cross_compile = getenv("CROSS_COMPILE"); ++ if (!cross_compile) ++ cross_compile = ""; + + objdump_str = "%sobjdump -wdr %s | gawk -M -v _funcs='%s' '" + "BEGIN { split(_funcs, funcs); }" +-- +2.39.5 + diff --git a/queue-6.12/objtool-loongarch-add-unwind-hints-in-prepare_framet.patch b/queue-6.12/objtool-loongarch-add-unwind-hints-in-prepare_framet.patch new file mode 100644 index 0000000000..cad949a061 --- /dev/null +++ b/queue-6.12/objtool-loongarch-add-unwind-hints-in-prepare_framet.patch @@ -0,0 +1,86 @@ +From cd8039dda35cd4bc0b0760f1c0cc70275eafc606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 21:26:43 -0700 +Subject: objtool/loongarch: Add unwind hints in prepare_frametrace() + +From: Josh Poimboeuf + +[ Upstream commit 7c977393b8277ed319e92e4b598b26598c9d30c0 ] + +If 'regs' points to a local stack variable, prepare_frametrace() stores +all registers to the stack. This confuses objtool as it expects them to +be restored from the stack later. + +The stores don't affect stack tracing, so use unwind hints to hide them +from objtool. + +Fixes the following warnings: + + arch/loongarch/kernel/traps.o: warning: objtool: show_stack+0xe0: stack state mismatch: reg1[22]=-1+0 reg2[22]=-2-160 + arch/loongarch/kernel/traps.o: warning: objtool: show_stack+0xe0: stack state mismatch: reg1[23]=-1+0 reg2[23]=-2-152 + +Fixes: cb8a2ef0848c ("LoongArch: Add ORC stack unwinder support") +Reported-by: kernel test robot +Tested-by: Tiezhu Yang +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/270cadd8040dda74db2307f23497bb68e65db98d.1743481539.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/oe-kbuild-all/202503280703.OARM8SrY-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + arch/loongarch/include/asm/stacktrace.h | 3 +++ + arch/loongarch/include/asm/unwind_hints.h | 10 +++++++++- + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/arch/loongarch/include/asm/stacktrace.h b/arch/loongarch/include/asm/stacktrace.h +index f23adb15f418f..fc8b64773794a 100644 +--- a/arch/loongarch/include/asm/stacktrace.h ++++ b/arch/loongarch/include/asm/stacktrace.h +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + + enum stack_type { +@@ -43,6 +44,7 @@ int get_stack_info(unsigned long stack, struct task_struct *task, struct stack_i + static __always_inline void prepare_frametrace(struct pt_regs *regs) + { + __asm__ __volatile__( ++ UNWIND_HINT_SAVE + /* Save $ra */ + STORE_ONE_REG(1) + /* Use $ra to save PC */ +@@ -80,6 +82,7 @@ static __always_inline void prepare_frametrace(struct pt_regs *regs) + STORE_ONE_REG(29) + STORE_ONE_REG(30) + STORE_ONE_REG(31) ++ UNWIND_HINT_RESTORE + : "=m" (regs->csr_era) + : "r" (regs->regs) + : "memory"); +diff --git a/arch/loongarch/include/asm/unwind_hints.h b/arch/loongarch/include/asm/unwind_hints.h +index a01086ad9ddea..2c68bc72736c9 100644 +--- a/arch/loongarch/include/asm/unwind_hints.h ++++ b/arch/loongarch/include/asm/unwind_hints.h +@@ -23,6 +23,14 @@ + UNWIND_HINT sp_reg=ORC_REG_SP type=UNWIND_HINT_TYPE_CALL + .endm + +-#endif /* __ASSEMBLY__ */ ++#else /* !__ASSEMBLY__ */ ++ ++#define UNWIND_HINT_SAVE \ ++ UNWIND_HINT(UNWIND_HINT_TYPE_SAVE, 0, 0, 0) ++ ++#define UNWIND_HINT_RESTORE \ ++ UNWIND_HINT(UNWIND_HINT_TYPE_RESTORE, 0, 0, 0) ++ ++#endif /* !__ASSEMBLY__ */ + + #endif /* _ASM_LOONGARCH_UNWIND_HINTS_H */ +-- +2.39.5 + diff --git a/queue-6.12/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch b/queue-6.12/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch new file mode 100644 index 0000000000..689e90900d --- /dev/null +++ b/queue-6.12/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch @@ -0,0 +1,49 @@ +From a8b5de56f99ac92066d8ecce70a6f32dd8c2b904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:06 -0700 +Subject: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() + +From: Josh Poimboeuf + +[ Upstream commit e63d465f59011dede0a0f1d21718b59a64c3ff5c ] + +If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result +is a divide-by-zero. Prevent that from happening. + +Fixes the following warning with an UBSAN kernel: + + drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx() + +Fixes: 173a64cb3fcf ("[media] dib8000: enhancement") +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Mauro Carvalho Chehab +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/bd1d504d930ae3f073b1e071bcf62cae7708773c.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/r/202503210602.fvH5DO1i-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib8000.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c +index 2f5165918163d..cfe59c3255f70 100644 +--- a/drivers/media/dvb-frontends/dib8000.c ++++ b/drivers/media/dvb-frontends/dib8000.c +@@ -2701,8 +2701,11 @@ static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz) + u8 ratio; + + if (state->revision == 0x8090) { ++ u32 internal = dib8000_read32(state, 23) / 1000; ++ + ratio = 4; +- unit_khz_dds_val = (1<<26) / (dib8000_read32(state, 23) / 1000); ++ ++ unit_khz_dds_val = (1<<26) / (internal ?: 1); + if (offset_khz < 0) + dds = (1 << 26) - (abs_offset_khz * unit_khz_dds_val); + else +-- +2.39.5 + diff --git a/queue-6.12/objtool-nvmet-fix-out-of-bounds-stack-access-in-nvme.patch b/queue-6.12/objtool-nvmet-fix-out-of-bounds-stack-access-in-nvme.patch new file mode 100644 index 0000000000..8724f687aa --- /dev/null +++ b/queue-6.12/objtool-nvmet-fix-out-of-bounds-stack-access-in-nvme.patch @@ -0,0 +1,49 @@ +From 1d14459574f69617cf1a028c5f4ad101a8ca08a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:05 -0700 +Subject: objtool, nvmet: Fix out-of-bounds stack access in + nvmet_ctrl_state_show() + +From: Josh Poimboeuf + +[ Upstream commit 107a23185d990e3df6638d9a84c835f963fe30a6 ] + +The csts_state_names[] array only has six sparse entries, but the +iteration code in nvmet_ctrl_state_show() iterates seven, resulting in a +potential out-of-bounds stack read. Fix that. + +Fixes the following warning with an UBSAN kernel: + + vmlinux.o: warning: objtool: .text.nvmet_ctrl_state_show: unexpected end of section + +Fixes: 649fd41420a8 ("nvmet: add debugfs support") +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Christoph Hellwig +Cc: Sagi Grimberg +Cc: Chaitanya Kulkarni +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/f1f60858ee7a941863dc7f5506c540cb9f97b5f6.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/oe-kbuild-all/202503171547.LlCTJLQL-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/debugfs.c b/drivers/nvme/target/debugfs.c +index 220c7391fc19a..c6571fbd35e30 100644 +--- a/drivers/nvme/target/debugfs.c ++++ b/drivers/nvme/target/debugfs.c +@@ -78,7 +78,7 @@ static int nvmet_ctrl_state_show(struct seq_file *m, void *p) + bool sep = false; + int i; + +- for (i = 0; i < 7; i++) { ++ for (i = 0; i < ARRAY_SIZE(csts_state_names); i++) { + int state = BIT(i); + + if (!(ctrl->csts & state)) +-- +2.39.5 + diff --git a/queue-6.12/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch b/queue-6.12/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch new file mode 100644 index 0000000000..e454f2dd18 --- /dev/null +++ b/queue-6.12/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch @@ -0,0 +1,56 @@ +From 9103575f871a61fc5966a9fd31d2bb4459dda8f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 11:49:08 +0300 +Subject: ocfs2: validate l_tree_depth to avoid out-of-bounds access + +From: Vasiliy Kovalev + +[ Upstream commit a406aff8c05115119127c962cbbbbd202e1973ef ] + +The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is +limited to OCFS2_MAX_PATH_DEPTH. + +Add a check to prevent out-of-bounds access if l_tree_depth has an invalid +value, which may occur when reading from a corrupted mounted disk [1]. + +Link: https://lkml.kernel.org/r/20250214084908.736528-1-kovalev@altlinux.org +Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") +Signed-off-by: Vasiliy Kovalev +Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1] +Reviewed-by: Joseph Qi +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Kurt Hackel +Cc: Mark Fasheh +Cc: Vasiliy Kovalev +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index ea9127ba32084..5d9388b44e5be 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -1803,6 +1803,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci, + + el = root_el; + while (el->l_tree_depth) { ++ if (unlikely(le16_to_cpu(el->l_tree_depth) >= OCFS2_MAX_PATH_DEPTH)) { ++ ocfs2_error(ocfs2_metadata_cache_get_super(ci), ++ "Owner %llu has invalid tree depth %u in extent list\n", ++ (unsigned long long)ocfs2_metadata_cache_owner(ci), ++ le16_to_cpu(el->l_tree_depth)); ++ ret = -EROFS; ++ goto out; ++ } + if (le16_to_cpu(el->l_next_free_rec) == 0) { + ocfs2_error(ocfs2_metadata_cache_get_super(ci), + "Owner %llu has empty extent list at depth %u\n", +-- +2.39.5 + diff --git a/queue-6.12/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch b/queue-6.12/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch new file mode 100644 index 0000000000..9f57b63246 --- /dev/null +++ b/queue-6.12/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch @@ -0,0 +1,39 @@ +From 7cedea65d0aab561814a7755d58d99a0f3947edb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 14:44:41 +0530 +Subject: octeontx2-af: Fix mbox INTR handler when num VFs > 64 + +From: Geetha sowjanya + +[ Upstream commit 0fdba88a211508984eb5df62008c29688692b134 ] + +When number of RVU VFs > 64, the vfs value passed to "rvu_queue_work" +function is incorrect. Due to which mbox workqueue entries for +VFs 0 to 63 never gets added to workqueue. + +Fixes: 9bdc47a6e328 ("octeontx2-af: Mbox communication support btw AF and it's VFs") +Signed-off-by: Geetha sowjanya +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250327091441.1284-1-gakula@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index cd0d7b7774f1a..6575c422635b7 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -2634,7 +2634,7 @@ static irqreturn_t rvu_mbox_intr_handler(int irq, void *rvu_irq) + rvupf_write64(rvu, RVU_PF_VFPF_MBOX_INTX(1), intr); + + rvu_queue_work(&rvu->afvf_wq_info, 64, vfs, intr); +- vfs -= 64; ++ vfs = 64; + } + + intr = rvupf_read64(rvu, RVU_PF_VFPF_MBOX_INTX(0)); +-- +2.39.5 + diff --git a/queue-6.12/octeontx2-af-free-nix_af_int_vec_gen-irq.patch b/queue-6.12/octeontx2-af-free-nix_af_int_vec_gen-irq.patch new file mode 100644 index 0000000000..522901b2f6 --- /dev/null +++ b/queue-6.12/octeontx2-af-free-nix_af_int_vec_gen-irq.patch @@ -0,0 +1,40 @@ +From fc8a8f4432419f2af43922e26aefa52f4a004a1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 15:10:54 +0530 +Subject: octeontx2-af: Free NIX_AF_INT_VEC_GEN irq + +From: Geetha sowjanya + +[ Upstream commit 323d6db6dc7decb06f2545efb9496259ddacd4f4 ] + +Due to the incorrect initial vector number in +rvu_nix_unregister_interrupts(), NIX_AF_INT_VEC_GEN is not +geeting free. Fix the vector number to include NIX_AF_INT_VEC_GEN +irq. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Geetha sowjanya +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250327094054.2312-1-gakula@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 7498ab429963d..06f778baaeef2 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -207,7 +207,7 @@ static void rvu_nix_unregister_interrupts(struct rvu *rvu) + rvu->irq_allocated[offs + NIX_AF_INT_VEC_RVU] = false; + } + +- for (i = NIX_AF_INT_VEC_AF_ERR; i < NIX_AF_INT_VEC_CNT; i++) ++ for (i = NIX_AF_INT_VEC_GEN; i < NIX_AF_INT_VEC_CNT; i++) + if (rvu->irq_allocated[offs + i]) { + free_irq(pci_irq_vector(rvu->pdev, offs + i), rvu_dl); + rvu->irq_allocated[offs + i] = false; +-- +2.39.5 + diff --git a/queue-6.12/of-property-increase-nr_fwnode_reference_args.patch b/queue-6.12/of-property-increase-nr_fwnode_reference_args.patch new file mode 100644 index 0000000000..622abea59e --- /dev/null +++ b/queue-6.12/of-property-increase-nr_fwnode_reference_args.patch @@ -0,0 +1,52 @@ +From d46855693e1ab8ec00ddf034fadc442934035d3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 21:58:06 +0800 +Subject: of: property: Increase NR_FWNODE_REFERENCE_ARGS + +From: Zijun Hu + +[ Upstream commit eb50844d728f11e87491f7c7af15a4a737f1159d ] + +Currently, the following two macros have different values: + +// The maximal argument count for firmware node reference + #define NR_FWNODE_REFERENCE_ARGS 8 +// The maximal argument count for DT node reference + #define MAX_PHANDLE_ARGS 16 + +It may cause firmware node reference's argument count out of range if +directly assign DT node reference's argument count to firmware's. + +drivers/of/property.c:of_fwnode_get_reference_args() is doing the direct +assignment, so may cause firmware's argument count @args->nargs got out +of range, namely, in [9, 16]. + +Fix by increasing NR_FWNODE_REFERENCE_ARGS to 16 to meet DT requirement. +Will align both macros later to avoid such inconsistency. + +Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args") +Signed-off-by: Zijun Hu +Acked-by: Sakari Ailus +Link: https://lore.kernel.org/r/20250225-fix_arg_count-v4-1-13cdc519eb31@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Sasha Levin +--- + include/linux/fwnode.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/fwnode.h b/include/linux/fwnode.h +index 0d79070c5a70f..487d4bd9b0c99 100644 +--- a/include/linux/fwnode.h ++++ b/include/linux/fwnode.h +@@ -91,7 +91,7 @@ struct fwnode_endpoint { + #define SWNODE_GRAPH_PORT_NAME_FMT "port@%u" + #define SWNODE_GRAPH_ENDPOINT_NAME_FMT "endpoint@%u" + +-#define NR_FWNODE_REFERENCE_ARGS 8 ++#define NR_FWNODE_REFERENCE_ARGS 16 + + /** + * struct fwnode_reference_args - Fwnode reference with additional arguments +-- +2.39.5 + diff --git a/queue-6.12/pci-acs-fix-pci-config_acs-parameter.patch b/queue-6.12/pci-acs-fix-pci-config_acs-parameter.patch new file mode 100644 index 0000000000..5e0f85e939 --- /dev/null +++ b/queue-6.12/pci-acs-fix-pci-config_acs-parameter.patch @@ -0,0 +1,143 @@ +From 7e89d78eb1fb8c3f1093622cb5722a81c0d34be5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 19:03:38 -0800 +Subject: PCI/ACS: Fix 'pci=config_acs=' parameter + +From: Tushar Dave + +[ Upstream commit 9cf8a952d57b422d3ff8a9a0163f8adf694f4b2b ] + +Commit 47c8846a49ba ("PCI: Extend ACS configurability") introduced bugs +that fail to configure ACS ctrl to the value specified by the kernel +parameter. Essentially there are two bugs: + +1) When ACS is configured for multiple PCI devices using 'config_acs' + kernel parameter, it results into error "PCI: Can't parse ACS command + line parameter". This is due to a bug that doesn't preserve the ACS + mask, but instead overwrites the mask with value 0. + + For example, using 'config_acs' to configure ACS ctrl for multiple BDFs + fails: + + Kernel command line: pci=config_acs=1111011@0020:02:00.0;101xxxx@0039:00:00.0 "dyndbg=file drivers/pci/pci.c +p" + PCI: Can't parse ACS command line parameter + pci 0020:02:00.0: ACS mask = 0x007f + pci 0020:02:00.0: ACS flags = 0x007b + pci 0020:02:00.0: Configured ACS to 0x007b + + After this fix: + + Kernel command line: pci=config_acs=1111011@0020:02:00.0;101xxxx@0039:00:00.0 "dyndbg=file drivers/pci/pci.c +p" + pci 0020:02:00.0: ACS mask = 0x007f + pci 0020:02:00.0: ACS flags = 0x007b + pci 0020:02:00.0: ACS control = 0x005f + pci 0020:02:00.0: ACS fw_ctrl = 0x0053 + pci 0020:02:00.0: Configured ACS to 0x007b + pci 0039:00:00.0: ACS mask = 0x0070 + pci 0039:00:00.0: ACS flags = 0x0050 + pci 0039:00:00.0: ACS control = 0x001d + pci 0039:00:00.0: ACS fw_ctrl = 0x0000 + pci 0039:00:00.0: Configured ACS to 0x0050 + +2) In the bit manipulation logic, we copy the bit from the firmware + settings when mask bit 0. + + For example, 'disable_acs_redir' fails to clear all three ACS P2P redir + bits due to the wrong bit fiddling: + + Kernel command line: pci=disable_acs_redir=0020:02:00.0;0030:02:00.0;0039:00:00.0 "dyndbg=file drivers/pci/pci.c +p" + pci 0020:02:00.0: ACS mask = 0x002c + pci 0020:02:00.0: ACS flags = 0xffd3 + pci 0020:02:00.0: Configured ACS to 0xfffb + pci 0030:02:00.0: ACS mask = 0x002c + pci 0030:02:00.0: ACS flags = 0xffd3 + pci 0030:02:00.0: Configured ACS to 0xffdf + pci 0039:00:00.0: ACS mask = 0x002c + pci 0039:00:00.0: ACS flags = 0xffd3 + pci 0039:00:00.0: Configured ACS to 0xffd3 + + After this fix: + + Kernel command line: pci=disable_acs_redir=0020:02:00.0;0030:02:00.0;0039:00:00.0 "dyndbg=file drivers/pci/pci.c +p" + pci 0020:02:00.0: ACS mask = 0x002c + pci 0020:02:00.0: ACS flags = 0xffd3 + pci 0020:02:00.0: ACS control = 0x007f + pci 0020:02:00.0: ACS fw_ctrl = 0x007b + pci 0020:02:00.0: Configured ACS to 0x0053 + pci 0030:02:00.0: ACS mask = 0x002c + pci 0030:02:00.0: ACS flags = 0xffd3 + pci 0030:02:00.0: ACS control = 0x005f + pci 0030:02:00.0: ACS fw_ctrl = 0x005f + pci 0030:02:00.0: Configured ACS to 0x0053 + pci 0039:00:00.0: ACS mask = 0x002c + pci 0039:00:00.0: ACS flags = 0xffd3 + pci 0039:00:00.0: ACS control = 0x001d + pci 0039:00:00.0: ACS fw_ctrl = 0x0000 + pci 0039:00:00.0: Configured ACS to 0x0000 + +Link: https://lore.kernel.org/r/20250207030338.456887-1-tdave@nvidia.com +Fixes: 47c8846a49ba ("PCI: Extend ACS configurability") +Signed-off-by: Tushar Dave +Signed-off-by: Bjorn Helgaas +Reviewed-by: Jason Gunthorpe +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 1aa5d6f98ebda..25211d1219227 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -955,8 +955,10 @@ struct pci_acs { + }; + + static void __pci_config_acs(struct pci_dev *dev, struct pci_acs *caps, +- const char *p, u16 mask, u16 flags) ++ const char *p, const u16 acs_mask, const u16 acs_flags) + { ++ u16 flags = acs_flags; ++ u16 mask = acs_mask; + char *delimit; + int ret = 0; + +@@ -964,7 +966,7 @@ static void __pci_config_acs(struct pci_dev *dev, struct pci_acs *caps, + return; + + while (*p) { +- if (!mask) { ++ if (!acs_mask) { + /* Check for ACS flags */ + delimit = strstr(p, "@"); + if (delimit) { +@@ -972,6 +974,8 @@ static void __pci_config_acs(struct pci_dev *dev, struct pci_acs *caps, + u32 shift = 0; + + end = delimit - p - 1; ++ mask = 0; ++ flags = 0; + + while (end > -1) { + if (*(p + end) == '0') { +@@ -1028,10 +1032,14 @@ static void __pci_config_acs(struct pci_dev *dev, struct pci_acs *caps, + + pci_dbg(dev, "ACS mask = %#06x\n", mask); + pci_dbg(dev, "ACS flags = %#06x\n", flags); ++ pci_dbg(dev, "ACS control = %#06x\n", caps->ctrl); ++ pci_dbg(dev, "ACS fw_ctrl = %#06x\n", caps->fw_ctrl); + +- /* If mask is 0 then we copy the bit from the firmware setting. */ +- caps->ctrl = (caps->ctrl & ~mask) | (caps->fw_ctrl & mask); +- caps->ctrl |= flags; ++ /* ++ * For mask bits that are 0, copy them from the firmware setting ++ * and apply flags for all the mask bits that are 1. ++ */ ++ caps->ctrl = (caps->fw_ctrl & ~mask) | (flags & mask); + + pci_info(dev, "Configured ACS to %#06x\n", caps->ctrl); + } +-- +2.39.5 + diff --git a/queue-6.12/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch b/queue-6.12/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch new file mode 100644 index 0000000000..b8e3d0776e --- /dev/null +++ b/queue-6.12/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch @@ -0,0 +1,84 @@ +From 07d6061e548506529940fa0b54a4061e804aa87a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Dec 2024 19:39:08 -0800 +Subject: PCI/ASPM: Fix link state exit during switch upstream function removal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Stodden + +[ Upstream commit cbf937dcadfd571a434f8074d057b32cd14fbea5 ] + +Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to +avoid use-after-free"), we would free the ASPM link only after the last +function on the bus pertaining to the given link was removed. + +That was too late. If function 0 is removed before sibling function, +link->downstream would point to free'd memory after. + +After above change, we freed the ASPM parent link state upon any function +removal on the bus pertaining to a given link. + +That is too early. If the link is to a PCIe switch with MFD on the upstream +port, then removing functions other than 0 first would free a link which +still remains parent_link to the remaining downstream ports. + +The resulting GPFs are especially frequent during hot-unplug, because +pciehp removes devices on the link bus in reverse order. + +On that switch, function 0 is the virtual P2P bridge to the internal bus. +Free exactly when function 0 is removed -- before the parent link is +obsolete, but after all subordinate links are gone. + +Link: https://lore.kernel.org/r/e12898835f25234561c9d7de4435590d957b85d9.1734924854.git.dns@arista.com +Fixes: 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free") +Signed-off-by: Daniel Stodden +Signed-off-by: Bjorn Helgaas +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index cee2365e54b8b..62650a2f00ccc 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -1242,16 +1242,16 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + parent_link = link->parent; + + /* +- * link->downstream is a pointer to the pci_dev of function 0. If +- * we remove that function, the pci_dev is about to be deallocated, +- * so we can't use link->downstream again. Free the link state to +- * avoid this. ++ * Free the parent link state, no later than function 0 (i.e. ++ * link->downstream) being removed. + * +- * If we're removing a non-0 function, it's possible we could +- * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends +- * programming the same ASPM Control value for all functions of +- * multi-function devices, so disable ASPM for all of them. ++ * Do not free the link state any earlier. If function 0 is a ++ * switch upstream port, this link state is parent_link to all ++ * subordinate ones. + */ ++ if (pdev != link->downstream) ++ goto out; ++ + pcie_config_aspm_link(link, 0); + list_del(&link->sibling); + free_link_state(link); +@@ -1262,6 +1262,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + pcie_config_aspm_path(parent_link); + } + ++ out: + mutex_unlock(&aspm_lock); + up_read(&pci_bus_sem); + } +-- +2.39.5 + diff --git a/queue-6.12/pci-avoid-reset-when-disabled-via-sysfs.patch b/queue-6.12/pci-avoid-reset-when-disabled-via-sysfs.patch new file mode 100644 index 0000000000..fb63c16782 --- /dev/null +++ b/queue-6.12/pci-avoid-reset-when-disabled-via-sysfs.patch @@ -0,0 +1,67 @@ +From b02adf62db42c42adc9bc0ee435383464aa81b4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Feb 2025 14:56:00 -0600 +Subject: PCI: Avoid reset when disabled via sysfs + +From: Nishanth Aravamudan + +[ Upstream commit 479380efe1625e251008d24b2810283db60d6fcd ] + +After d88f521da3ef ("PCI: Allow userspace to query and set device reset +mechanism"), userspace can disable reset of specific PCI devices by writing +an empty string to the sysfs reset_method file. + +However, pci_slot_resettable() does not check pci_reset_supported(), which +means that pci_reset_function() will still reset the device even if +userspace has disabled all the reset methods. + +I was able to reproduce this issue with a vfio device passed to a qemu +guest, where I had disabled PCI reset via sysfs. + +Add an explicit check of pci_reset_supported() in both +pci_slot_resettable() and pci_bus_resettable() to ensure both the reset +status and reset execution are bypassed if an administrator disables it for +a device. + +Link: https://lore.kernel.org/r/20250207205600.1846178-1-naravamudan@nvidia.com +Fixes: d88f521da3ef ("PCI: Allow userspace to query and set device reset mechanism") +Signed-off-by: Nishanth Aravamudan +[bhelgaas: commit log] +Signed-off-by: Bjorn Helgaas +Cc: Alex Williamson +Cc: Raphael Norwitz +Cc: Amey Narkhede +Cc: Jason Gunthorpe +Cc: Yishai Hadas +Cc: Shameer Kolothum +Cc: Kevin Tian +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 25211d1219227..169aa8fd74a11 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5528,6 +5528,8 @@ static bool pci_bus_resettable(struct pci_bus *bus) + return false; + + list_for_each_entry(dev, &bus->devices, bus_list) { ++ if (!pci_reset_supported(dev)) ++ return false; + if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET || + (dev->subordinate && !pci_bus_resettable(dev->subordinate))) + return false; +@@ -5604,6 +5606,8 @@ static bool pci_slot_resettable(struct pci_slot *slot) + list_for_each_entry(dev, &slot->bus->devices, bus_list) { + if (!dev->slot || dev->slot != slot) + continue; ++ if (!pci_reset_supported(dev)) ++ return false; + if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET || + (dev->subordinate && !pci_bus_resettable(dev->subordinate))) + return false; +-- +2.39.5 + diff --git a/queue-6.12/pci-brcmstb-fix-error-path-after-a-call-to-regulator.patch b/queue-6.12/pci-brcmstb-fix-error-path-after-a-call-to-regulator.patch new file mode 100644 index 0000000000..230d0560c4 --- /dev/null +++ b/queue-6.12/pci-brcmstb-fix-error-path-after-a-call-to-regulator.patch @@ -0,0 +1,50 @@ +From 92c747d42b65de6309540cdcf827e81ddf864bc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 12:39:32 -0500 +Subject: PCI: brcmstb: Fix error path after a call to regulator_bulk_get() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jim Quinlan + +[ Upstream commit 3651ad5249c51cf7eee078e12612557040a6bdb4 ] + +If the regulator_bulk_get() returns an error and no regulators +are created, we need to set their number to zero. + +If we don't do this and the PCIe link up fails, a call to the +regulator_bulk_free() will result in a kernel panic. + +While at it, print the error value, as we cannot return an error +upwards as the kernel will WARN() on an error from add_bus(). + +Fixes: 9e6be018b263 ("PCI: brcmstb: Enable child bus device regulators from DT") +Signed-off-by: Jim Quinlan +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20250214173944.47506-5-james.quinlan@broadcom.com +[kwilczynski: commit log, use comma in the message to match style with +other similar messages] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-brcmstb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c +index 3bb35f096b45b..31778b5a949d7 100644 +--- a/drivers/pci/controller/pcie-brcmstb.c ++++ b/drivers/pci/controller/pcie-brcmstb.c +@@ -1368,7 +1368,8 @@ static int brcm_pcie_add_bus(struct pci_bus *bus) + + ret = regulator_bulk_get(dev, sr->num_supplies, sr->supplies); + if (ret) { +- dev_info(dev, "No regulators for downstream device\n"); ++ dev_info(dev, "Did not get regulators, err=%d\n", ret); ++ pcie->sr = NULL; + goto no_regulators; + } + +-- +2.39.5 + diff --git a/queue-6.12/pci-brcmstb-fix-potential-premature-regulator-disabl.patch b/queue-6.12/pci-brcmstb-fix-potential-premature-regulator-disabl.patch new file mode 100644 index 0000000000..0f99d2c166 --- /dev/null +++ b/queue-6.12/pci-brcmstb-fix-potential-premature-regulator-disabl.patch @@ -0,0 +1,47 @@ +From d725b306f0de75a838f8fc66708e1c327760fe8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 12:39:33 -0500 +Subject: PCI: brcmstb: Fix potential premature regulator disabling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jim Quinlan + +[ Upstream commit b7de1b60ecab2f7b6f05d8116e93228a0bbb8563 ] + +The platform supports enabling and disabling regulators only on +ports below the Root Complex. + +Thus, we need to verify this both when adding and removing the bus, +otherwise regulators may be disabled prematurely when a bus further +down the topology is removed. + +Fixes: 9e6be018b263 ("PCI: brcmstb: Enable child bus device regulators from DT") +Signed-off-by: Jim Quinlan +Reviewed-by: Florian Fainelli +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20250214173944.47506-6-james.quinlan@broadcom.com +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-brcmstb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c +index 31778b5a949d7..582fa11070878 100644 +--- a/drivers/pci/controller/pcie-brcmstb.c ++++ b/drivers/pci/controller/pcie-brcmstb.c +@@ -1392,7 +1392,7 @@ static void brcm_pcie_remove_bus(struct pci_bus *bus) + struct subdev_regulators *sr = pcie->sr; + struct device *dev = &bus->dev; + +- if (!sr) ++ if (!sr || !bus->parent || !pci_is_root_bus(bus->parent)) + return; + + if (regulator_bulk_disable(sr->num_supplies, sr->supplies)) +-- +2.39.5 + diff --git a/queue-6.12/pci-brcmstb-set-generation-limit-before-pcie-link-up.patch b/queue-6.12/pci-brcmstb-set-generation-limit-before-pcie-link-up.patch new file mode 100644 index 0000000000..302cb21523 --- /dev/null +++ b/queue-6.12/pci-brcmstb-set-generation-limit-before-pcie-link-up.patch @@ -0,0 +1,56 @@ +From f8bab4376d134954850388556497ea4fa64edf19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 12:39:29 -0500 +Subject: PCI: brcmstb: Set generation limit before PCIe link up +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jim Quinlan + +[ Upstream commit 72d36589c6b7bef6b30eb99fcb7082f72faca37f ] + +When the user elects to limit the PCIe generation via the appropriate +devicetree property, apply the settings before the PCIe link up, not +after. + +Fixes: c0452137034b ("PCI: brcmstb: Add Broadcom STB PCIe host controller driver") +Signed-off-by: Jim Quinlan +Reviewed-by: Florian Fainelli +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20250214173944.47506-2-james.quinlan@broadcom.com +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-brcmstb.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c +index 9321280f6edba..98e3531927298 100644 +--- a/drivers/pci/controller/pcie-brcmstb.c ++++ b/drivers/pci/controller/pcie-brcmstb.c +@@ -1276,6 +1276,10 @@ static int brcm_pcie_start_link(struct brcm_pcie *pcie) + bool ssc_good = false; + int ret, i; + ++ /* Limit the generation if specified */ ++ if (pcie->gen) ++ brcm_pcie_set_gen(pcie, pcie->gen); ++ + /* Unassert the fundamental reset */ + ret = pcie->perst_set(pcie, 0); + if (ret) +@@ -1302,9 +1306,6 @@ static int brcm_pcie_start_link(struct brcm_pcie *pcie) + + brcm_config_clkreq(pcie); + +- if (pcie->gen) +- brcm_pcie_set_gen(pcie, pcie->gen); +- + if (pcie->ssc) { + ret = brcm_pcie_set_ssc(pcie); + if (ret == 0) +-- +2.39.5 + diff --git a/queue-6.12/pci-brcmstb-use-internal-register-to-change-link-cap.patch b/queue-6.12/pci-brcmstb-use-internal-register-to-change-link-cap.patch new file mode 100644 index 0000000000..003ba2fe09 --- /dev/null +++ b/queue-6.12/pci-brcmstb-use-internal-register-to-change-link-cap.patch @@ -0,0 +1,54 @@ +From fe0c526ba1461b73ccf40263695377aa1edbd0ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 12:39:30 -0500 +Subject: PCI: brcmstb: Use internal register to change link capability +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jim Quinlan + +[ Upstream commit 0c97321e11e0e9e18546f828492758f6aaecec59 ] + +The driver has been mistakenly writing to a read-only (RO) +configuration space register (PCI_EXP_LNKCAP) to change the +PCIe link capability. + +Although harmless in this case, the proper write destination +is an internal register that is reflected by PCI_EXP_LNKCAP. + +Thus, fix the brcm_pcie_set_gen() function to correctly update +the link capability. + +Fixes: c0452137034b ("PCI: brcmstb: Add Broadcom STB PCIe host controller driver") +Signed-off-by: Jim Quinlan +Reviewed-by: Florian Fainelli +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20250214173944.47506-3-james.quinlan@broadcom.com +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-brcmstb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c +index 98e3531927298..3bb35f096b45b 100644 +--- a/drivers/pci/controller/pcie-brcmstb.c ++++ b/drivers/pci/controller/pcie-brcmstb.c +@@ -403,10 +403,10 @@ static int brcm_pcie_set_ssc(struct brcm_pcie *pcie) + static void brcm_pcie_set_gen(struct brcm_pcie *pcie, int gen) + { + u16 lnkctl2 = readw(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2); +- u32 lnkcap = readl(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP); ++ u32 lnkcap = readl(pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY); + + lnkcap = (lnkcap & ~PCI_EXP_LNKCAP_SLS) | gen; +- writel(lnkcap, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP); ++ writel(lnkcap, pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY); + + lnkctl2 = (lnkctl2 & ~0xf) | gen; + writew(lnkctl2, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2); +-- +2.39.5 + diff --git a/queue-6.12/pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch b/queue-6.12/pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch new file mode 100644 index 0000000000..ec26b43ba5 --- /dev/null +++ b/queue-6.12/pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch @@ -0,0 +1,67 @@ +From 87a5801026d24daaccd7e3530901c50f5a3082ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Feb 2025 00:57:24 +0800 +Subject: PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data + payload +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans Zhang <18255117159@163.com> + +[ Upstream commit 3ac47fbf4f6e8c3a7c3855fac68cc3246f90f850 ] + +Per the Cadence's "PCIe Controller IP for AX14" user guide, Version +1.04, Section 9.1.7.1, "AXI Subordinate to PCIe Address Translation +Registers", Table 9.4, the bit 16 of the AXI Subordinate Address +(axi_s_awaddr) when set corresponds to MSG with data, and when not set, +to MSG without data. + +However, the driver is currently doing the opposite and due to this, +the INTx is never received on the host. + +So, fix the driver to reflect the documentation and also make INTx work. + +Fixes: 37dddf14f1ae ("PCI: cadence: Add EndPoint Controller driver for Cadence PCIe controller") +Signed-off-by: Hans Zhang <18255117159@163.com> +Signed-off-by: Hans Zhang +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20250214165724.184599-1-18255117159@163.com +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/cadence/pcie-cadence-ep.c | 3 +-- + drivers/pci/controller/cadence/pcie-cadence.h | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/cadence/pcie-cadence-ep.c b/drivers/pci/controller/cadence/pcie-cadence-ep.c +index e0cc4560dfde7..0bf4cde34f517 100644 +--- a/drivers/pci/controller/cadence/pcie-cadence-ep.c ++++ b/drivers/pci/controller/cadence/pcie-cadence-ep.c +@@ -352,8 +352,7 @@ static void cdns_pcie_ep_assert_intx(struct cdns_pcie_ep *ep, u8 fn, u8 intx, + spin_unlock_irqrestore(&ep->lock, flags); + + offset = CDNS_PCIE_NORMAL_MSG_ROUTING(MSG_ROUTING_LOCAL) | +- CDNS_PCIE_NORMAL_MSG_CODE(msg_code) | +- CDNS_PCIE_MSG_NO_DATA; ++ CDNS_PCIE_NORMAL_MSG_CODE(msg_code); + writel(0, ep->irq_cpu_addr + offset); + } + +diff --git a/drivers/pci/controller/cadence/pcie-cadence.h b/drivers/pci/controller/cadence/pcie-cadence.h +index f5eeff834ec19..39ee9945c903e 100644 +--- a/drivers/pci/controller/cadence/pcie-cadence.h ++++ b/drivers/pci/controller/cadence/pcie-cadence.h +@@ -246,7 +246,7 @@ struct cdns_pcie_rp_ib_bar { + #define CDNS_PCIE_NORMAL_MSG_CODE_MASK GENMASK(15, 8) + #define CDNS_PCIE_NORMAL_MSG_CODE(code) \ + (((code) << 8) & CDNS_PCIE_NORMAL_MSG_CODE_MASK) +-#define CDNS_PCIE_MSG_NO_DATA BIT(16) ++#define CDNS_PCIE_MSG_DATA BIT(16) + + struct cdns_pcie; + +-- +2.39.5 + diff --git a/queue-6.12/pci-dwc-ep-return-enomem-for-allocation-failures.patch b/queue-6.12/pci-dwc-ep-return-enomem-for-allocation-failures.patch new file mode 100644 index 0000000000..5f0519068c --- /dev/null +++ b/queue-6.12/pci-dwc-ep-return-enomem-for-allocation-failures.patch @@ -0,0 +1,44 @@ +From b61a82099185d4114b88159f1bde7bb8882ecefd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 18:00:07 +0300 +Subject: PCI: dwc: ep: Return -ENOMEM for allocation failures +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +[ Upstream commit 8189aa56dbed0bfb46b7b30d4d231f57ab17b3f4 ] + +If the bitmap or memory allocations fail, then dw_pcie_ep_init_registers() +will incorrectly return a success. + +Return -ENOMEM instead. + +Fixes: 869bc5253406 ("PCI: dwc: ep: Fix DBI access failure for drivers requiring refclk from host") +Signed-off-by: Dan Carpenter +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Krzysztof Wilczyński +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/36dcb6fc-f292-4dd5-bd45-a8c6f9dc3df7@stanley.mountain +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-designware-ep.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/controller/dwc/pcie-designware-ep.c b/drivers/pci/controller/dwc/pcie-designware-ep.c +index b58e89ea566b8..dea19250598a6 100644 +--- a/drivers/pci/controller/dwc/pcie-designware-ep.c ++++ b/drivers/pci/controller/dwc/pcie-designware-ep.c +@@ -755,6 +755,7 @@ int dw_pcie_ep_init_registers(struct dw_pcie_ep *ep) + if (ret) + return ret; + ++ ret = -ENOMEM; + if (!ep->ib_window_map) { + ep->ib_window_map = devm_bitmap_zalloc(dev, pci->num_ib_windows, + GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.12/pci-fix-bar-resizing-when-vf-bars-are-assigned.patch b/queue-6.12/pci-fix-bar-resizing-when-vf-bars-are-assigned.patch new file mode 100644 index 0000000000..5babb114cf --- /dev/null +++ b/queue-6.12/pci-fix-bar-resizing-when-vf-bars-are-assigned.patch @@ -0,0 +1,62 @@ +From 6232281c299834f4fd0ae3d10b16af7e38728008 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Mar 2025 16:28:37 +0200 +Subject: PCI: Fix BAR resizing when VF BARs are assigned +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 9ec19bfa78bd788945e2445b09de7b4482dee432 ] + +__resource_resize_store() attempts to release all resources of the device +before attempting the resize. The loop, however, only covers standard BARs +(< PCI_STD_NUM_BARS). If a device has VF BARs that are assigned, +pci_reassign_bridge_resources() finds the bridge window still has some +assigned child resources and returns -NOENT which makes +pci_resize_resource() to detect an error and abort the resize. + +Change the release loop to cover all resources up to VF BARs which allows +the resize operation to release the bridge windows and attempt to assigned +them again with the different size. + +If SR-IOV is enabled, disallow resize as it requires releasing also IOV +resources. + +Link: https://lore.kernel.org/r/20250320142837.8027-1-ilpo.jarvinen@linux.intel.com +Fixes: 91fa127794ac ("PCI: Expose PCIe Resizable BAR support via sysfs") +Reported-by: Michał Winiarski +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/pci/pci-sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 3e5a117f5b5d6..5af4a804a4f89 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -1444,7 +1444,7 @@ static ssize_t __resource_resize_store(struct device *dev, int n, + return -EINVAL; + + device_lock(dev); +- if (dev->driver) { ++ if (dev->driver || pci_num_vf(pdev)) { + ret = -EBUSY; + goto unlock; + } +@@ -1466,7 +1466,7 @@ static ssize_t __resource_resize_store(struct device *dev, int n, + + pci_remove_resource_files(pdev); + +- for (i = 0; i < PCI_STD_NUM_BARS; i++) { ++ for (i = 0; i < PCI_BRIDGE_RESOURCES; i++) { + if (pci_resource_len(pdev, i) && + pci_resource_flags(pdev, i) == flags) + pci_release_resource(pdev, i); +-- +2.39.5 + diff --git a/queue-6.12/pci-histb-fix-an-error-handling-path-in-histb_pcie_p.patch b/queue-6.12/pci-histb-fix-an-error-handling-path-in-histb_pcie_p.patch new file mode 100644 index 0000000000..143d49673b --- /dev/null +++ b/queue-6.12/pci-histb-fix-an-error-handling-path-in-histb_pcie_p.patch @@ -0,0 +1,71 @@ +From 51c7fbc25a77c06f75d50dca1420c640cba10f27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Mar 2025 19:42:54 +0100 +Subject: PCI: histb: Fix an error handling path in histb_pcie_probe() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe JAILLET + +[ Upstream commit b36fb50701619efca5f5450b355d42575cf532ed ] + +If an error occurs after a successful phy_init() call, then phy_exit() +should be called. + +Add the missing call, as already done in the remove function. + +Fixes: bbd11bddb398 ("PCI: hisi: Add HiSilicon STB SoC PCIe controller driver") +Signed-off-by: Christophe JAILLET +[kwilczynski: remove unnecessary hipcie->phy NULL check from +histb_pcie_probe() and squash a patch that removes similar NULL +check for hipcie-phy from histb_pcie_remove() from +https://lore.kernel.org/linux-pci/c369b5d25e17a44984ae5a889ccc28a59a0737f7.1742058005.git.christophe.jaillet@wanadoo.fr] +Signed-off-by: Krzysztof Wilczyński +Link: https://lore.kernel.org/r/8301fc15cdea5d2dac21f57613e8e6922fb1ad95.1740854531.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-histb.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/dwc/pcie-histb.c b/drivers/pci/controller/dwc/pcie-histb.c +index 7a11c618b9d9c..5538e5bf99fb6 100644 +--- a/drivers/pci/controller/dwc/pcie-histb.c ++++ b/drivers/pci/controller/dwc/pcie-histb.c +@@ -409,16 +409,21 @@ static int histb_pcie_probe(struct platform_device *pdev) + ret = histb_pcie_host_enable(pp); + if (ret) { + dev_err(dev, "failed to enable host\n"); +- return ret; ++ goto err_exit_phy; + } + + ret = dw_pcie_host_init(pp); + if (ret) { + dev_err(dev, "failed to initialize host\n"); +- return ret; ++ goto err_exit_phy; + } + + return 0; ++ ++err_exit_phy: ++ phy_exit(hipcie->phy); ++ ++ return ret; + } + + static void histb_pcie_remove(struct platform_device *pdev) +@@ -427,8 +432,7 @@ static void histb_pcie_remove(struct platform_device *pdev) + + histb_pcie_host_disable(hipcie); + +- if (hipcie->phy) +- phy_exit(hipcie->phy); ++ phy_exit(hipcie->phy); + } + + static const struct of_device_id histb_pcie_of_match[] = { +-- +2.39.5 + diff --git a/queue-6.12/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch b/queue-6.12/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch new file mode 100644 index 0000000000..c37bed2dfd --- /dev/null +++ b/queue-6.12/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch @@ -0,0 +1,49 @@ +From 74d7e3fb27014d09158e21f2363700de4e21d4ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 18:21:14 +0200 +Subject: PCI: pciehp: Don't enable HPIE when resuming in poll mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 527664f738afb6f2c58022cd35e63801e5dc7aec ] + +PCIe hotplug can operate in poll mode without interrupt handlers using a +polling kthread only. eb34da60edee ("PCI: pciehp: Disable hotplug +interrupt during suspend") failed to consider that and enables HPIE +(Hot-Plug Interrupt Enable) unconditionally when resuming the Port. + +Only set HPIE if non-poll mode is in use. This makes +pcie_enable_interrupt() match how pcie_enable_notification() already +handles HPIE. + +Link: https://lore.kernel.org/r/20250321162114.3939-1-ilpo.jarvinen@linux.intel.com +Fixes: eb34da60edee ("PCI: pciehp: Disable hotplug interrupt during suspend") +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pciehp_hpc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c +index 736ad8baa2a55..8f3e4c7de961f 100644 +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -842,7 +842,9 @@ void pcie_enable_interrupt(struct controller *ctrl) + { + u16 mask; + +- mask = PCI_EXP_SLTCTL_HPIE | PCI_EXP_SLTCTL_DLLSCE; ++ mask = PCI_EXP_SLTCTL_DLLSCE; ++ if (!pciehp_poll_mode) ++ mask |= PCI_EXP_SLTCTL_HPIE; + pcie_write_cmd(ctrl, mask, mask); + } + +-- +2.39.5 + diff --git a/queue-6.12/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch b/queue-6.12/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch new file mode 100644 index 0000000000..4563d6af1c --- /dev/null +++ b/queue-6.12/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch @@ -0,0 +1,60 @@ +From 1b10db1ff5520aa1dffeaf1c753dc22e024e0d73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 10:36:30 +0800 +Subject: PCI/portdrv: Only disable pciehp interrupts early when needed + +From: Feng Tang + +[ Upstream commit 9d7db4db19827380e225914618c0c1bf435ed2f5 ] + +Firmware developers reported that Linux issues two PCIe hotplug commands in +very short intervals on an ARM server, which doesn't comply with the PCIe +spec. According to PCIe r6.1, sec 6.7.3.2, if the Command Completed event +is supported, software must wait for a command to complete or wait at +least 1 second before sending a new command. + +In the failure case, the first PCIe hotplug command is from +get_port_device_capability(), which sends a command to disable PCIe hotplug +interrupts without waiting for its completion, and the second command comes +from pcie_enable_notification() of pciehp driver, which enables hotplug +interrupts again. + +Fix this by only disabling the hotplug interrupts when the pciehp driver is +not enabled. + +Link: https://lore.kernel.org/r/20250303023630.78397-1-feng.tang@linux.alibaba.com +Fixes: 2bd50dd800b5 ("PCI: PCIe: Disable PCIe port services during port initialization") +Suggested-by: Lukas Wunner +Signed-off-by: Feng Tang +[bhelgaas: commit log] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/portdrv.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/pcie/portdrv.c b/drivers/pci/pcie/portdrv.c +index 6af5e04258728..604c055f60786 100644 +--- a/drivers/pci/pcie/portdrv.c ++++ b/drivers/pci/pcie/portdrv.c +@@ -228,10 +228,12 @@ static int get_port_device_capability(struct pci_dev *dev) + + /* + * Disable hot-plug interrupts in case they have been enabled +- * by the BIOS and the hot-plug service driver is not loaded. ++ * by the BIOS and the hot-plug service driver won't be loaded ++ * to handle them. + */ +- pcie_capability_clear_word(dev, PCI_EXP_SLTCTL, +- PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE); ++ if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE)) ++ pcie_capability_clear_word(dev, PCI_EXP_SLTCTL, ++ PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE); + } + + #ifdef CONFIG_PCIEAER +-- +2.39.5 + diff --git a/queue-6.12/pci-remove-add_align-overwrite-unrelated-to-size0.patch b/queue-6.12/pci-remove-add_align-overwrite-unrelated-to-size0.patch new file mode 100644 index 0000000000..ee93dbaabd --- /dev/null +++ b/queue-6.12/pci-remove-add_align-overwrite-unrelated-to-size0.patch @@ -0,0 +1,45 @@ +From 626b9a3539ef901fd0ee5da423cb8bfa5dceb4a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2024 19:56:08 +0200 +Subject: PCI: Remove add_align overwrite unrelated to size0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit d06cc1e3809040e8250f69a4c656e3717e6b963c ] + +Commit 566f1dd52816 ("PCI: Relax bridge window tail sizing rules") +relaxed bridge window tail alignment rule for the non-optional part +(size0, no add_size/add_align). The change, however, also overwrote +add_align, which is only related to case where optional size1 related +entry is added into realloc head. + +Correct this by removing the add_align overwrite. + +Link: https://lore.kernel.org/r/20241216175632.4175-2-ilpo.jarvinen@linux.intel.com +Fixes: 566f1dd52816 ("PCI: Relax bridge window tail sizing rules") +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Tested-by: Xiaochun Lee +Signed-off-by: Sasha Levin +--- + drivers/pci/setup-bus.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c +index a6e653a4f5b1a..f16c7ce3bf3fc 100644 +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -1150,7 +1150,6 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, + min_align = 1ULL << (max_order + __ffs(SZ_1M)); + min_align = max(min_align, win_align); + size0 = calculate_memsize(size, min_size, 0, 0, resource_size(b_res), win_align); +- add_align = win_align; + pci_info(bus->self, "bridge window %pR to %pR requires relaxed alignment rules\n", + b_res, &bus->busn_res); + } +-- +2.39.5 + diff --git a/queue-6.12/pci-remove-stray-put_device-in-pci_register_host_bri.patch b/queue-6.12/pci-remove-stray-put_device-in-pci_register_host_bri.patch new file mode 100644 index 0000000000..74b412bd68 --- /dev/null +++ b/queue-6.12/pci-remove-stray-put_device-in-pci_register_host_bri.patch @@ -0,0 +1,41 @@ +From cecabb77f8d7d4d8d8b6215088090512054b31e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 11:46:34 +0300 +Subject: PCI: Remove stray put_device() in pci_register_host_bridge() + +From: Dan Carpenter + +[ Upstream commit 6e8d06e5096c80cbf41313b4a204f43071ca42be ] + +This put_device() was accidentally left over from when we changed the code +from using device_register() to calling device_add(). Delete it. + +Link: https://lore.kernel.org/r/55b24870-89fb-4c91-b85d-744e35db53c2@stanley.mountain +Fixes: 9885440b16b8 ("PCI: Fix pci_host_bridge struct device release/free handling") +Signed-off-by: Dan Carpenter +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/probe.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index ebb0c1d5cae25..0e757b23a09f0 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -950,10 +950,9 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge) + /* Temporarily move resources off the list */ + list_splice_init(&bridge->windows, &resources); + err = device_add(&bridge->dev); +- if (err) { +- put_device(&bridge->dev); ++ if (err) + goto free; +- } ++ + bus->bridge = get_device(&bridge->dev); + device_enable_async_suspend(bus->bridge); + pci_set_bus_of_node(bus); +-- +2.39.5 + diff --git a/queue-6.12/pci-use-downstream-bridges-for-distributing-resource.patch b/queue-6.12/pci-use-downstream-bridges-for-distributing-resource.patch new file mode 100644 index 0000000000..e37f26b5bf --- /dev/null +++ b/queue-6.12/pci-use-downstream-bridges-for-distributing-resource.patch @@ -0,0 +1,96 @@ +From 520018364a5a8456fb312b84fcae85843314dd73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 10:24:57 +0800 +Subject: PCI: Use downstream bridges for distributing resources + +From: Kai-Heng Feng + +[ Upstream commit 1a596ad00ffe9b37fc60a93cbdd4daead3bf95f3 ] + +7180c1d08639 ("PCI: Distribute available resources for root buses, too") +breaks BAR assignment on some devices: + + pci 0006:03:00.0: BAR 0 [mem 0x6300c0000000-0x6300c1ffffff 64bit pref]: assigned + pci 0006:03:00.1: BAR 0 [mem 0x6300c2000000-0x6300c3ffffff 64bit pref]: assigned + pci 0006:03:00.2: BAR 0 [mem size 0x00800000 64bit pref]: can't assign; no space + pci 0006:03:00.0: VF BAR 0 [mem size 0x02000000 64bit pref]: can't assign; no space + pci 0006:03:00.1: VF BAR 0 [mem size 0x02000000 64bit pref]: can't assign; no space + +The apertures of domain 0006 before 7180c1d08639: + + 6300c0000000-63ffffffffff : PCI Bus 0006:00 + 6300c0000000-6300c9ffffff : PCI Bus 0006:01 + 6300c0000000-6300c9ffffff : PCI Bus 0006:02 # 160MB + 6300c0000000-6300c8ffffff : PCI Bus 0006:03 # 144MB + 6300c0000000-6300c1ffffff : 0006:03:00.0 # 32MB + 6300c2000000-6300c3ffffff : 0006:03:00.1 # 32MB + 6300c4000000-6300c47fffff : 0006:03:00.2 # 8MB + 6300c4800000-6300c67fffff : 0006:03:00.0 # 32MB + 6300c6800000-6300c87fffff : 0006:03:00.1 # 32MB + 6300c9000000-6300c9bfffff : PCI Bus 0006:04 # 12MB + 6300c9000000-6300c9bfffff : PCI Bus 0006:05 # 12MB + 6300c9000000-6300c91fffff : PCI Bus 0006:06 # 2MB + 6300c9200000-6300c93fffff : PCI Bus 0006:07 # 2MB + 6300c9400000-6300c95fffff : PCI Bus 0006:08 # 2MB + 6300c9600000-6300c97fffff : PCI Bus 0006:09 # 2MB + +After 7180c1d08639: + + 6300c0000000-63ffffffffff : PCI Bus 0006:00 + 6300c0000000-6300c9ffffff : PCI Bus 0006:01 + 6300c0000000-6300c9ffffff : PCI Bus 0006:02 # 160MB + 6300c0000000-6300c43fffff : PCI Bus 0006:03 # 68MB + 6300c0000000-6300c1ffffff : 0006:03:00.0 # 32MB + 6300c2000000-6300c3ffffff : 0006:03:00.1 # 32MB + --- no space --- : 0006:03:00.2 # 8MB + --- no space --- : 0006:03:00.0 # 32MB + --- no space --- : 0006:03:00.1 # 32MB + 6300c4400000-6300c4dfffff : PCI Bus 0006:04 # 10MB + 6300c4400000-6300c4dfffff : PCI Bus 0006:05 # 10MB + 6300c4400000-6300c45fffff : PCI Bus 0006:06 # 2MB + 6300c4600000-6300c47fffff : PCI Bus 0006:07 # 2MB + 6300c4800000-6300c49fffff : PCI Bus 0006:08 # 2MB + 6300c4a00000-6300c4bfffff : PCI Bus 0006:09 # 2MB + +We can see that the window to 0006:03 gets shrunken too much and 0006:04 +eats away the window for 0006:03:00.2. + +The offending commit distributes the upstream bridge's resources multiple +times to every downstream bridge, hence makes the aperture smaller than +desired because calculation of io_per_b, mmio_per_b and mmio_pref_per_b +becomes incorrect. + +Instead, distribute downstream bridges' own resources to resolve the issue. + +Link: https://lore.kernel.org/r/20241204022457.51322-1-kaihengf@nvidia.com +Fixes: 7180c1d08639 ("PCI: Distribute available resources for root buses, too") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219540 +Signed-off-by: Kai-Heng Feng +Signed-off-by: Bjorn Helgaas +Tested-by: Chia-Lin Kao (AceLan) +Reviewed-by: Mika Westerberg +Cc: Carol Soto +Cc: Jonathan Cameron +Cc: Chris Chiu +Signed-off-by: Sasha Levin +--- + drivers/pci/setup-bus.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c +index 23082bc0ca37a..a6e653a4f5b1a 100644 +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -2105,8 +2105,7 @@ pci_root_bus_distribute_available_resources(struct pci_bus *bus, + * in case of root bus. + */ + if (bridge && pci_bridge_resources_not_assigned(dev)) +- pci_bridge_distribute_available_resources(bridge, +- add_list); ++ pci_bridge_distribute_available_resources(dev, add_list); + else + pci_root_bus_distribute_available_resources(b, add_list); + } +-- +2.39.5 + diff --git a/queue-6.12/pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch b/queue-6.12/pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch new file mode 100644 index 0000000000..cf29a6dc64 --- /dev/null +++ b/queue-6.12/pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch @@ -0,0 +1,65 @@ +From 63897904063806e2e4937aad8045fb6ed2898be5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 21:20:22 +0530 +Subject: PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thippeswamy Havalige + +[ Upstream commit 57b0302240741e73fe51f88404b3866e0d2933ad ] + +The IRQ domain allocated for the PCIe controller is not freed if +resource_list_first_type() returns NULL, leading to a resource leak. + +This fix ensures properly cleaning up the allocated IRQ domain in +the error path. + +Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'") +Signed-off-by: Thippeswamy Havalige +[kwilczynski: added missing Fixes: tag, refactored to use one of the goto labels] +Signed-off-by: Krzysztof Wilczyński +Link: https://lore.kernel.org/r/20250224155025.782179-2-thippeswamy.havalige@amd.com +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-xilinx-cpm.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/controller/pcie-xilinx-cpm.c b/drivers/pci/controller/pcie-xilinx-cpm.c +index a0f5e1d67b04c..1594d9e9e637a 100644 +--- a/drivers/pci/controller/pcie-xilinx-cpm.c ++++ b/drivers/pci/controller/pcie-xilinx-cpm.c +@@ -570,15 +570,17 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev) + return err; + + bus = resource_list_first_type(&bridge->windows, IORESOURCE_BUS); +- if (!bus) +- return -ENODEV; ++ if (!bus) { ++ err = -ENODEV; ++ goto err_free_irq_domains; ++ } + + port->variant = of_device_get_match_data(dev); + + err = xilinx_cpm_pcie_parse_dt(port, bus->res); + if (err) { + dev_err(dev, "Parsing DT failed\n"); +- goto err_parse_dt; ++ goto err_free_irq_domains; + } + + xilinx_cpm_pcie_init_port(port); +@@ -602,7 +604,7 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev) + xilinx_cpm_free_interrupts(port); + err_setup_irq: + pci_ecam_free(port->cfg); +-err_parse_dt: ++err_free_irq_domains: + xilinx_cpm_free_irq_domains(port); + return err; + } +-- +2.39.5 + diff --git a/queue-6.12/perf-always-feature-test-reallocarray.patch b/queue-6.12/perf-always-feature-test-reallocarray.patch new file mode 100644 index 0000000000..6ac179923b --- /dev/null +++ b/queue-6.12/perf-always-feature-test-reallocarray.patch @@ -0,0 +1,86 @@ +From 626f90365df142c0621a58ec48eb041fdcdeb8c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jan 2025 15:44:05 +0000 +Subject: perf: Always feature test reallocarray + +From: James Clark + +[ Upstream commit 4c4c0724d6521a8092b7c16f8f210c5869d95b17 ] + +This is also used in util/comm.c now, so instead of selectively doing +the feature test, always do it. If it's ever used anywhere else it's +less likely to cause another build failure. + +This doesn't remove the need to manually include libc_compat.h, and +missing that will still cause an error for glibc < 2.26. There isn't a +way to fix that without poisoning reallocarray like libbpf did, but that +has other downsides like making memory debugging tools less useful. So +for Perf keep it like this and we'll have to fix up any missed includes. + +Fixes the following build error: + + util/comm.c:152:31: error: implicit declaration of function + 'reallocarray' [-Wimplicit-function-declaration] + 152 | tmp = reallocarray(comm_strs->strs, + | ^~~~~~~~~~~~ + +Fixes: 13ca628716c6 ("perf comm: Add reference count checking to 'struct comm_str'") +Reported-by: Ali Utku Selen +Signed-off-by: James Clark +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250129154405.777533-1-james.clark@linaro.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 10 ++++------ + tools/perf/util/comm.c | 2 ++ + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index 2ce71d2e5fae0..b102a4c525e4b 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -513,13 +513,14 @@ ifeq ($(feature-setns), 1) + $(call detected,CONFIG_SETNS) + endif + ++ifeq ($(feature-reallocarray), 0) ++ CFLAGS += -DCOMPAT_NEED_REALLOCARRAY ++endif ++ + ifdef CORESIGHT + $(call feature_check,libopencsd) + ifeq ($(feature-libopencsd), 1) + CFLAGS += -DHAVE_CSTRACE_SUPPORT $(LIBOPENCSD_CFLAGS) +- ifeq ($(feature-reallocarray), 0) +- CFLAGS += -DCOMPAT_NEED_REALLOCARRAY +- endif + LDFLAGS += $(LIBOPENCSD_LDFLAGS) + EXTLIBS += $(OPENCSDLIBS) + $(call detected,CONFIG_LIBOPENCSD) +@@ -1135,9 +1136,6 @@ ifndef NO_AUXTRACE + ifndef NO_AUXTRACE + $(call detected,CONFIG_AUXTRACE) + CFLAGS += -DHAVE_AUXTRACE_SUPPORT +- ifeq ($(feature-reallocarray), 0) +- CFLAGS += -DCOMPAT_NEED_REALLOCARRAY +- endif + endif + endif + +diff --git a/tools/perf/util/comm.c b/tools/perf/util/comm.c +index 49b79cf0c5cc5..8aa456d7c2cd2 100644 +--- a/tools/perf/util/comm.c ++++ b/tools/perf/util/comm.c +@@ -5,6 +5,8 @@ + #include + #include + #include ++#include // reallocarray ++ + #include "rwsem.h" + + DECLARE_RC_STRUCT(comm_str) { +-- +2.39.5 + diff --git a/queue-6.12/perf-arm-spe-fix-load-store-operation-checking.patch b/queue-6.12/perf-arm-spe-fix-load-store-operation-checking.patch new file mode 100644 index 0000000000..fa847db357 --- /dev/null +++ b/queue-6.12/perf-arm-spe-fix-load-store-operation-checking.patch @@ -0,0 +1,64 @@ +From b83ed2171bcadc6e25d8b7335fb470c5e73916ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 11:12:34 +0000 +Subject: perf arm-spe: Fix load-store operation checking + +From: Leo Yan + +[ Upstream commit e1d47850bbf79a541c9b3bacdd562f5e0112274d ] + +The ARM_SPE_OP_LD and ARM_SPE_OP_ST operations are secondary operation +type, they are overlapping with other second level's operation types +belonging to SVE and branch operations. As a result, a non load-store +operation can be parsed for data source and memory sample. + +To fix the issue, this commit introduces a is_ldst_op() macro for +checking LDST operation, and apply the checking when synthesize data +source and memory samples. + +Fixes: a89dbc9b988f ("perf arm-spe: Set sample's data source field") +Signed-off-by: Leo Yan +Reviewed-by: James Clark +Link: https://lore.kernel.org/r/20250304111240.3378214-7-leo.yan@arm.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/arm-spe.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/arm-spe.c b/tools/perf/util/arm-spe.c +index 138ffc71b32dd..2c06f2a85400e 100644 +--- a/tools/perf/util/arm-spe.c ++++ b/tools/perf/util/arm-spe.c +@@ -37,6 +37,8 @@ + #include "../../arch/arm64/include/asm/cputype.h" + #define MAX_TIMESTAMP (~0ULL) + ++#define is_ldst_op(op) (!!((op) & ARM_SPE_OP_LDST)) ++ + struct arm_spe { + struct auxtrace auxtrace; + struct auxtrace_queues queues; +@@ -520,6 +522,10 @@ static u64 arm_spe__synth_data_source(const struct arm_spe_record *record, u64 m + union perf_mem_data_src data_src = { .mem_op = PERF_MEM_OP_NA }; + bool is_neoverse = is_midr_in_range_list(midr, neoverse_spe); + ++ /* Only synthesize data source for LDST operations */ ++ if (!is_ldst_op(record->op)) ++ return 0; ++ + if (record->op & ARM_SPE_OP_LD) + data_src.mem_op = PERF_MEM_OP_LOAD; + else if (record->op & ARM_SPE_OP_ST) +@@ -619,7 +625,7 @@ static int arm_spe_sample(struct arm_spe_queue *speq) + * When data_src is zero it means the record is not a memory operation, + * skip to synthesize memory sample for this case. + */ +- if (spe->sample_memory && data_src) { ++ if (spe->sample_memory && is_ldst_op(record->op)) { + err = arm_spe__synth_mem_sample(speq, spe->memory_id, data_src); + if (err) + return err; +-- +2.39.5 + diff --git a/queue-6.12/perf-bench-fix-perf-bench-syscall-loop-count.patch b/queue-6.12/perf-bench-fix-perf-bench-syscall-loop-count.patch new file mode 100644 index 0000000000..4fb28a186c --- /dev/null +++ b/queue-6.12/perf-bench-fix-perf-bench-syscall-loop-count.patch @@ -0,0 +1,104 @@ +From 14f269e86463639dc7591bd879deb0c808896381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 10:23:49 +0100 +Subject: perf bench: Fix perf bench syscall loop count + +From: Thomas Richter + +[ Upstream commit 957d194163bf983da98bf7ec7e4f86caff8cd0eb ] + +Command 'perf bench syscall fork -l 100000' offers option -l to run for +a specified number of iterations. However this option is not always +observed. The number is silently limited to 10000 iterations as can be +seen: + +Output before: + # perf bench syscall fork -l 100000 + # Running 'syscall/fork' benchmark: + # Executed 10,000 fork() calls + Total time: 23.388 [sec] + + 2338.809800 usecs/op + 427 ops/sec + # + +When explicitly specified with option -l or --loops, also observe +higher number of iterations: + +Output after: + # perf bench syscall fork -l 100000 + # Running 'syscall/fork' benchmark: + # Executed 100,000 fork() calls + Total time: 716.982 [sec] + + 7169.829510 usecs/op + 139 ops/sec + # + +This patch fixes the issue for basic execve fork and getpgid. + +Fixes: ece7f7c0507c ("perf bench syscall: Add fork syscall benchmark") +Signed-off-by: Thomas Richter +Acked-by: Sumanth Korikkar +Tested-by: Athira Rajeev +Cc: Tiezhu Yang +Link: https://lore.kernel.org/r/20250304092349.2618082-1-tmricht@linux.ibm.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/bench/syscall.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/tools/perf/bench/syscall.c b/tools/perf/bench/syscall.c +index ea4dfc07cbd6b..e7dc216f717f5 100644 +--- a/tools/perf/bench/syscall.c ++++ b/tools/perf/bench/syscall.c +@@ -22,8 +22,7 @@ + #define __NR_fork -1 + #endif + +-#define LOOPS_DEFAULT 10000000 +-static int loops = LOOPS_DEFAULT; ++static int loops; + + static const struct option options[] = { + OPT_INTEGER('l', "loop", &loops, "Specify number of loops"), +@@ -80,6 +79,18 @@ static int bench_syscall_common(int argc, const char **argv, int syscall) + const char *name = NULL; + int i; + ++ switch (syscall) { ++ case __NR_fork: ++ case __NR_execve: ++ /* Limit default loop to 10000 times to save time */ ++ loops = 10000; ++ break; ++ default: ++ loops = 10000000; ++ break; ++ } ++ ++ /* Options -l and --loops override default above */ + argc = parse_options(argc, argv, options, bench_syscall_usage, 0); + + gettimeofday(&start, NULL); +@@ -94,16 +105,9 @@ static int bench_syscall_common(int argc, const char **argv, int syscall) + break; + case __NR_fork: + test_fork(); +- /* Only loop 10000 times to save time */ +- if (i == 10000) +- loops = 10000; + break; + case __NR_execve: + test_execve(); +- /* Only loop 10000 times to save time */ +- if (i == 10000) +- loops = 10000; +- break; + default: + break; + } +-- +2.39.5 + diff --git a/queue-6.12/perf-bpf-filter-fix-a-parsing-error-with-comma.patch b/queue-6.12/perf-bpf-filter-fix-a-parsing-error-with-comma.patch new file mode 100644 index 0000000000..0300766c20 --- /dev/null +++ b/queue-6.12/perf-bpf-filter-fix-a-parsing-error-with-comma.patch @@ -0,0 +1,81 @@ +From cf9198b92c4dfe46c1f2279403d781e367caf053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 14:09:21 -0800 +Subject: perf bpf-filter: Fix a parsing error with comma + +From: Namhyung Kim + +[ Upstream commit 35d13f841a3d8159ef20d5e32a9ed3faa27875bc ] + +The previous change to support cgroup filters introduced a bug that +pathname can include commas. It confused the lexer to treat an item and +the trailing comma as a single token. And it resulted in a parse error: + + $ sudo perf record -e cycles:P --filter 'period > 0, ip > 64' -- true + perf_bpf_filter: Error: Unexpected item: 0, + perf_bpf_filter: syntax error, unexpected BFT_ERROR, expecting BFT_NUM + + Usage: perf record [] [] + or: perf record [] -- [] + + --filter + event filter + +It should get "0" and "," separately. + +An easiest fix would be to remove "," from the possible pathname +characters. As it's for cgroup names, probably ok to assume it won't +have commas in the pathname. + +I found that the existing BPF filtering test didn't have any complex +filter condition with commas. Let's update the group filter test which +is supposed to test filter combinations like this. + +Link: https://lore.kernel.org/r/20250307220922.434319-1-namhyung@kernel.org +Fixes: 91e88437d5156b20 ("perf bpf-filter: Support filtering on cgroups") +Reported-by: Sally Shi +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/tests/shell/record_bpf_filter.sh | 4 ++-- + tools/perf/util/bpf-filter.l | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/tests/shell/record_bpf_filter.sh b/tools/perf/tests/shell/record_bpf_filter.sh +index 1b58ccc1fd882..4d6c3c1b7fb92 100755 +--- a/tools/perf/tests/shell/record_bpf_filter.sh ++++ b/tools/perf/tests/shell/record_bpf_filter.sh +@@ -89,7 +89,7 @@ test_bpf_filter_fail() { + test_bpf_filter_group() { + echo "Group bpf-filter test" + +- if ! perf record -e task-clock --filter 'period > 1000 || ip > 0' \ ++ if ! perf record -e task-clock --filter 'period > 1000, ip > 0' \ + -o /dev/null true 2>/dev/null + then + echo "Group bpf-filter test [Failed should succeed]" +@@ -97,7 +97,7 @@ test_bpf_filter_group() { + return + fi + +- if ! perf record -e task-clock --filter 'cpu > 0 || ip > 0' \ ++ if ! perf record -e task-clock --filter 'period > 1000 , cpu > 0 || ip > 0' \ + -o /dev/null true 2>&1 | grep -q PERF_SAMPLE_CPU + then + echo "Group bpf-filter test [Failed forbidden CPU]" +diff --git a/tools/perf/util/bpf-filter.l b/tools/perf/util/bpf-filter.l +index f313404f95a90..6aa65ade33851 100644 +--- a/tools/perf/util/bpf-filter.l ++++ b/tools/perf/util/bpf-filter.l +@@ -76,7 +76,7 @@ static int path_or_error(void) + num_dec [0-9]+ + num_hex 0[Xx][0-9a-fA-F]+ + space [ \t]+ +-path [^ \t\n]+ ++path [^ \t\n,]+ + ident [_a-zA-Z][_a-zA-Z0-9]+ + + %% +-- +2.39.5 + diff --git a/queue-6.12/perf-build-fix-in-tree-build-due-to-symbolic-link.patch b/queue-6.12/perf-build-fix-in-tree-build-due-to-symbolic-link.patch new file mode 100644 index 0000000000..40bd04e494 --- /dev/null +++ b/queue-6.12/perf-build-fix-in-tree-build-due-to-symbolic-link.patch @@ -0,0 +1,80 @@ +From 438432a47a7eb1ed86a20665e8afd84b6cdd9cb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2025 14:06:08 +0100 +Subject: perf build: Fix in-tree build due to symbolic link + +From: Luca Ceresoli + +[ Upstream commit 75100d848ef4b8ca39bb6dd3a21181e37dea27e2 ] + +Building perf in-tree is broken after commit 890a1961c812 ("perf tools: +Create source symlink in perf object dir") which added a 'source' symlink +in the output dir pointing to the source dir. + +With in-tree builds, the added 'SOURCE = ...' line is executed multiple +times (I observed 2 during the build plus 2 during installation). This is a +minor inefficiency, in theory not harmful because symlink creation is +assumed to be idempotent. But it is not. + +Considering with in-tree builds: + + srctree=/absolute/path/to/linux + OUTPUT=/absolute/path/to/linux/tools/perf + +here's what happens: + + 1. ln -sf $(srctree)/tools/perf $(OUTPUT)/source + -> creates /absolute/path/to/linux/tools/perf/source + link to /absolute/path/to/linux/tools/perf + => OK, that's what was intended + 2. ln -sf $(srctree)/tools/perf $(OUTPUT)/source # same command as 1 + -> creates /absolute/path/to/linux/tools/perf/perf + link to /absolute/path/to/linux/tools/perf + => Not what was intended, not idempotent + 3. Now the build _should_ create the 'perf' executable, but it fails + +The reason is the tricky 'ln' command line. At the first invocation 'ln' +uses the 1st form: + + ln [OPTION]... [-T] TARGET LINK_NAME + +and creates a link to TARGET *called LINK_NAME*. + +At the second invocation $(OUTPUT)/source exists, so 'ln' uses the 3rd +form: + + ln [OPTION]... TARGET... DIRECTORY + +and creates a link to TARGET *called TARGET* inside DIRECTORY. + +Fix by adding -n/--no-dereference to "treat LINK_NAME as a normal file +if it is a symbolic link to a directory", as the manpage says. + +Closes: https://lore.kernel.org/all/20241125182506.38af9907@booty/ +Fixes: 890a1961c812 ("perf tools: Create source symlink in perf object dir") +Signed-off-by: Luca Ceresoli +Reviewed-by: Charlie Jenkins +Tested-by: Charlie Jenkins +Link: https://lore.kernel.org/r/20250124-perf-fix-intree-build-v1-1-485dd7a855e4@bootlin.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.perf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf +index 9dd2e8d3f3c9b..8ee59ecb14110 100644 +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -164,7 +164,7 @@ ifneq ($(OUTPUT),) + VPATH += $(OUTPUT) + export VPATH + # create symlink to the original source +-SOURCE := $(shell ln -sf $(srctree)/tools/perf $(OUTPUT)/source) ++SOURCE := $(shell ln -sfn $(srctree)/tools/perf $(OUTPUT)/source) + endif + + ifeq ($(V),1) +-- +2.39.5 + diff --git a/queue-6.12/perf-core-fix-perf_pmu_register-vs.-perf_init_event.patch b/queue-6.12/perf-core-fix-perf_pmu_register-vs.-perf_init_event.patch new file mode 100644 index 0000000000..49a3e99bf2 --- /dev/null +++ b/queue-6.12/perf-core-fix-perf_pmu_register-vs.-perf_init_event.patch @@ -0,0 +1,101 @@ +From b212750bc8474d1882c3ca7a728793c35d926a5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2024 14:39:12 +0100 +Subject: perf/core: Fix perf_pmu_register() vs. perf_init_event() + +From: Peter Zijlstra + +[ Upstream commit 003659fec9f6d8c04738cb74b5384398ae8a7e88 ] + +There is a fairly obvious race between perf_init_event() doing +idr_find() and perf_pmu_register() doing idr_alloc() with an +incompletely initialized PMU pointer. + +Avoid by doing idr_alloc() on a NULL pointer to register the id, and +swizzling the real struct pmu pointer at the end using idr_replace(). + +Also making sure to not set struct pmu members after publishing +the struct pmu, duh. + +[ introduce idr_cmpxchg() in order to better handle the idr_replace() + error case -- if it were to return an unexpected pointer, it will + already have replaced the value and there is no going back. ] + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20241104135517.858805880@infradead.org +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 28 ++++++++++++++++++++++++++-- + 1 file changed, 26 insertions(+), 2 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 5fff74c736063..cf2ec0a1582fd 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -11737,6 +11737,21 @@ static int pmu_dev_alloc(struct pmu *pmu) + static struct lock_class_key cpuctx_mutex; + static struct lock_class_key cpuctx_lock; + ++static bool idr_cmpxchg(struct idr *idr, unsigned long id, void *old, void *new) ++{ ++ void *tmp, *val = idr_find(idr, id); ++ ++ if (val != old) ++ return false; ++ ++ tmp = idr_replace(idr, new, id); ++ if (IS_ERR(tmp)) ++ return false; ++ ++ WARN_ON_ONCE(tmp != val); ++ return true; ++} ++ + int perf_pmu_register(struct pmu *pmu, const char *name, int type) + { + int cpu, ret, max = PERF_TYPE_MAX; +@@ -11763,7 +11778,7 @@ int perf_pmu_register(struct pmu *pmu, const char *name, int type) + if (type >= 0) + max = type; + +- ret = idr_alloc(&pmu_idr, pmu, max, 0, GFP_KERNEL); ++ ret = idr_alloc(&pmu_idr, NULL, max, 0, GFP_KERNEL); + if (ret < 0) + goto free_pdc; + +@@ -11771,6 +11786,7 @@ int perf_pmu_register(struct pmu *pmu, const char *name, int type) + + type = ret; + pmu->type = type; ++ atomic_set(&pmu->exclusive_cnt, 0); + + if (pmu_bus_running && !pmu->dev) { + ret = pmu_dev_alloc(pmu); +@@ -11819,14 +11835,22 @@ int perf_pmu_register(struct pmu *pmu, const char *name, int type) + if (!pmu->event_idx) + pmu->event_idx = perf_event_idx_default; + ++ /* ++ * Now that the PMU is complete, make it visible to perf_try_init_event(). ++ */ ++ if (!idr_cmpxchg(&pmu_idr, pmu->type, NULL, pmu)) ++ goto free_context; + list_add_rcu(&pmu->entry, &pmus); +- atomic_set(&pmu->exclusive_cnt, 0); ++ + ret = 0; + unlock: + mutex_unlock(&pmus_lock); + + return ret; + ++free_context: ++ free_percpu(pmu->cpu_pmu_context); ++ + free_dev: + if (pmu->dev && pmu->dev != PMU_NULL_DEV) { + device_del(pmu->dev); +-- +2.39.5 + diff --git a/queue-6.12/perf-debug-avoid-stack-overflow-in-recursive-error-m.patch b/queue-6.12/perf-debug-avoid-stack-overflow-in-recursive-error-m.patch new file mode 100644 index 0000000000..647f4fc973 --- /dev/null +++ b/queue-6.12/perf-debug-avoid-stack-overflow-in-recursive-error-m.patch @@ -0,0 +1,41 @@ +From 74d9be208212725bad7e4380930d0823f1d27a4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 14:22:58 -0800 +Subject: perf debug: Avoid stack overflow in recursive error message + +From: Ian Rogers + +[ Upstream commit bda840191d2aae3b7cadc3ac21835dcf29487191 ] + +In debug_file, pr_warning_once is called on error. As that function +calls debug_file the function will yield a stack overflow. Switch the +location of the call so the recursion is avoided. + +Reviewed-by: Howard Chu +Signed-off-by: Ian Rogers +Reviewed-by: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/r/20250228222308.626803-2-irogers@google.com +Fixes: ec49230cf6dda704 ("perf debug: Expose debug file") +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/debug.c b/tools/perf/util/debug.c +index d633d15329fa0..e56330c85fe7e 100644 +--- a/tools/perf/util/debug.c ++++ b/tools/perf/util/debug.c +@@ -46,8 +46,8 @@ int debug_type_profile; + FILE *debug_file(void) + { + if (!_debug_file) { +- pr_warning_once("debug_file not set"); + debug_set_file(stderr); ++ pr_warning_once("debug_file not set"); + } + return _debug_file; + } +-- +2.39.5 + diff --git a/queue-6.12/perf-dso-fix-dso__is_kallsyms-check.patch b/queue-6.12/perf-dso-fix-dso__is_kallsyms-check.patch new file mode 100644 index 0000000000..3e1de79cfa --- /dev/null +++ b/queue-6.12/perf-dso-fix-dso__is_kallsyms-check.patch @@ -0,0 +1,63 @@ +From 56bad338171fc3aa5f30ebf4d54a2595d06079c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 16:00:11 -0700 +Subject: perf dso: fix dso__is_kallsyms() check + +From: Stephen Brennan + +[ Upstream commit ebf0b332732dcc64239119e554faa946562b0b93 ] + +Kernel modules for which we cannot find a file on-disk will have a +dso->long_name that looks like "[module_name]". Prior to the commit +listed in the fixes, the dso->kernel field would be zero (for user +space), so dso__is_kallsyms() would return false. After the commit, +kernel module DSOs are correctly labeled, but the result is that +dso__is_kallsyms() erroneously returns true for those modules without a +filesystem path. + +Later, build_id_cache__add() consults this value of is_kallsyms, and +when true, it copies /proc/kallsyms into the cache. Users with many +kernel modules without a filesystem path (e.g. ksplice or possibly +kernel live patch modules) have reported excessive disk space usage in +the build ID cache directory due to this behavior. + +To reproduce the issue, it's enough to build a trivial out-of-tree hello +world kernel module, load it using insmod, and then use: + + perf record -ag -- sleep 1 + +In the build ID directory, there will be a directory for your module +name containing a kallsyms file. + +Fix this up by changing dso__is_kallsyms() to consult the +dso_binary_type enumeration, which is also symmetric to the above checks +for dso__is_vmlinux() and dso__is_kcore(). With this change, kallsyms is +not cached in the build-id cache for out-of-tree modules. + +Fixes: 02213cec64bbe ("perf maps: Mark module DSOs with kernel type") +Signed-off-by: Stephen Brennan +Link: https://lore.kernel.org/r/20250318230012.2038790-1-stephen.s.brennan@oracle.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/dso.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/dso.h b/tools/perf/util/dso.h +index bb8e8f444054d..c0472a41147c3 100644 +--- a/tools/perf/util/dso.h ++++ b/tools/perf/util/dso.h +@@ -808,7 +808,9 @@ static inline bool dso__is_kcore(const struct dso *dso) + + static inline bool dso__is_kallsyms(const struct dso *dso) + { +- return RC_CHK_ACCESS(dso)->kernel && RC_CHK_ACCESS(dso)->long_name[0] != '/'; ++ enum dso_binary_type bt = dso__binary_type(dso); ++ ++ return bt == DSO_BINARY_TYPE__KALLSYMS || bt == DSO_BINARY_TYPE__GUEST_KALLSYMS; + } + + bool dso__is_object_file(const struct dso *dso); +-- +2.39.5 + diff --git a/queue-6.12/perf-evlist-add-success-path-to-evlist__create_syswi.patch b/queue-6.12/perf-evlist-add-success-path-to-evlist__create_syswi.patch new file mode 100644 index 0000000000..5b443586c4 --- /dev/null +++ b/queue-6.12/perf-evlist-add-success-path-to-evlist__create_syswi.patch @@ -0,0 +1,57 @@ +From 8af50123ddecced49d90055243ddc388d0a1763f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 14:22:59 -0800 +Subject: perf evlist: Add success path to evlist__create_syswide_maps + +From: Ian Rogers + +[ Upstream commit fe0ce8a9d85a48642880c9b78944cb0d23e779c5 ] + +Over various refactorings evlist__create_syswide_maps has been made to +only ever return with -ENOMEM. Fix this so that when +perf_evlist__set_maps is successfully called, 0 is returned. + +Reviewed-by: Howard Chu +Signed-off-by: Ian Rogers +Reviewed-by: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/r/20250228222308.626803-3-irogers@google.com +Fixes: 8c0498b6891d7ca5 ("perf evlist: Fix create_syswide_maps() not propagating maps") +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/evlist.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/tools/perf/util/evlist.c b/tools/perf/util/evlist.c +index a9df84692d4a8..dac87dccaaaa5 100644 +--- a/tools/perf/util/evlist.c ++++ b/tools/perf/util/evlist.c +@@ -1434,19 +1434,18 @@ static int evlist__create_syswide_maps(struct evlist *evlist) + */ + cpus = perf_cpu_map__new_online_cpus(); + if (!cpus) +- goto out; ++ return -ENOMEM; + + threads = perf_thread_map__new_dummy(); +- if (!threads) +- goto out_put; ++ if (!threads) { ++ perf_cpu_map__put(cpus); ++ return -ENOMEM; ++ } + + perf_evlist__set_maps(&evlist->core, cpus, threads); +- + perf_thread_map__put(threads); +-out_put: + perf_cpu_map__put(cpus); +-out: +- return -ENOMEM; ++ return 0; + } + + int evlist__open(struct evlist *evlist) +-- +2.39.5 + diff --git a/queue-6.12/perf-intel-tpebs-fix-incorrect-usage-of-zfree.patch b/queue-6.12/perf-intel-tpebs-fix-incorrect-usage-of-zfree.patch new file mode 100644 index 0000000000..381e5bec42 --- /dev/null +++ b/queue-6.12/perf-intel-tpebs-fix-incorrect-usage-of-zfree.patch @@ -0,0 +1,39 @@ +From b7714a62ff186f7ca2caff8d0957829617abf79b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 10:16:10 +0000 +Subject: perf: intel-tpebs: Fix incorrect usage of zfree() + +From: James Clark + +[ Upstream commit 6d2dcd635204c023eb5328ad7d38b198a5558c9b ] + +zfree() requires an address otherwise it frees what's in name, rather +than name itself. Pass the address of name to fix it. + +This was the only incorrect occurrence in Perf found using a search. + +Fixes: 8db5cabcf1b6 ("perf stat: Fork and launch 'perf record' when 'perf stat' needs to get retire latency value for a metric.") +Signed-off-by: James Clark +Link: https://lore.kernel.org/r/20250319101614.190922-1-james.clark@linaro.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-tpebs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/intel-tpebs.c b/tools/perf/util/intel-tpebs.c +index 50a3c3e071606..2c421b475b3b8 100644 +--- a/tools/perf/util/intel-tpebs.c ++++ b/tools/perf/util/intel-tpebs.c +@@ -254,7 +254,7 @@ int tpebs_start(struct evlist *evsel_list) + new = zalloc(sizeof(*new)); + if (!new) { + ret = -1; +- zfree(name); ++ zfree(&name); + goto err; + } + new->name = name; +-- +2.39.5 + diff --git a/queue-6.12/perf-pmu-don-t-double-count-common-sysfs-and-json-ev.patch b/queue-6.12/perf-pmu-don-t-double-count-common-sysfs-and-json-ev.patch new file mode 100644 index 0000000000..e1ee10b07a --- /dev/null +++ b/queue-6.12/perf-pmu-don-t-double-count-common-sysfs-and-json-ev.patch @@ -0,0 +1,81 @@ +From f798cca80c2b14488efcca96dc76b731370f0c93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 10:41:01 +0000 +Subject: perf pmu: Don't double count common sysfs and json events + +From: James Clark + +[ Upstream commit c9d699e10fa6c0cdabcddcf991e7ff42af6b2503 ] + +After pmu_add_cpu_aliases() is called, perf_pmu__num_events() returns an +incorrect value that double counts common events and doesn't match the +actual count of events in the alias list. This is because after +'cpu_aliases_added == true', the number of events returned is +'sysfs_aliases + cpu_json_aliases'. But when adding 'case +EVENT_SRC_SYSFS' events, 'sysfs_aliases' and 'cpu_json_aliases' are both +incremented together, failing to account that these ones overlap and +only add a single item to the list. Fix it by adding another counter for +overlapping events which doesn't influence 'cpu_json_aliases'. + +There doesn't seem to be a current issue because it's used in perf list +before pmu_add_cpu_aliases() so the correct value is returned. Other +uses in tests may also miss it for other reasons like only looking at +uncore events. However it's marked as a fixes commit in case any new fix +with new uses of perf_pmu__num_events() is backported. + +Fixes: d9c5f5f94c2d ("perf pmu: Count sys and cpuid JSON events separately") +Reviewed-by: Ian Rogers +Signed-off-by: James Clark +Link: https://lore.kernel.org/r/20250226104111.564443-3-james.clark@linaro.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/pmu.c | 7 ++++--- + tools/perf/util/pmu.h | 5 +++++ + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c +index ed893c3c6ad93..8b4e346808b4c 100644 +--- a/tools/perf/util/pmu.c ++++ b/tools/perf/util/pmu.c +@@ -593,7 +593,7 @@ static int perf_pmu__new_alias(struct perf_pmu *pmu, const char *name, + }; + if (pmu_events_table__find_event(pmu->events_table, pmu, name, + update_alias, &data) == 0) +- pmu->cpu_json_aliases++; ++ pmu->cpu_common_json_aliases++; + } + pmu->sysfs_aliases++; + break; +@@ -1807,9 +1807,10 @@ size_t perf_pmu__num_events(struct perf_pmu *pmu) + if (pmu->cpu_aliases_added) + nr += pmu->cpu_json_aliases; + else if (pmu->events_table) +- nr += pmu_events_table__num_events(pmu->events_table, pmu) - pmu->cpu_json_aliases; ++ nr += pmu_events_table__num_events(pmu->events_table, pmu) - ++ pmu->cpu_common_json_aliases; + else +- assert(pmu->cpu_json_aliases == 0); ++ assert(pmu->cpu_json_aliases == 0 && pmu->cpu_common_json_aliases == 0); + + return pmu->selectable ? nr + 1 : nr; + } +diff --git a/tools/perf/util/pmu.h b/tools/perf/util/pmu.h +index 4397c48ad569a..bcd278b9b546f 100644 +--- a/tools/perf/util/pmu.h ++++ b/tools/perf/util/pmu.h +@@ -131,6 +131,11 @@ struct perf_pmu { + uint32_t cpu_json_aliases; + /** @sys_json_aliases: Number of json event aliases loaded matching the PMU's identifier. */ + uint32_t sys_json_aliases; ++ /** ++ * @cpu_common_json_aliases: Number of json events that overlapped with sysfs when ++ * loading all sysfs events. ++ */ ++ uint32_t cpu_common_json_aliases; + /** @sysfs_aliases_loaded: Are sysfs aliases loaded from disk? */ + bool sysfs_aliases_loaded; + /** +-- +2.39.5 + diff --git a/queue-6.12/perf-python-check-if-there-is-space-to-copy-all-the-.patch b/queue-6.12/perf-python-check-if-there-is-space-to-copy-all-the-.patch new file mode 100644 index 0000000000..add7911ac7 --- /dev/null +++ b/queue-6.12/perf-python-check-if-there-is-space-to-copy-all-the-.patch @@ -0,0 +1,68 @@ +From 6b0889224392f3429f86d57f402336a9070475f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:41 -0300 +Subject: perf python: Check if there is space to copy all the event + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 89aaeaf84231157288035b366cb6300c1c6cac64 ] + +The pyrf_event__new() method copies the event obtained from the perf +ring buffer to a structure that will then be turned into a python object +for further consumption, so it copies perf_event.header.size bytes to +its 'event' member: + + $ pahole -C pyrf_event /tmp/build/perf-tools-next/python/perf.cpython-312-x86_64-linux-gnu.so + struct pyrf_event { + PyObject ob_base; /* 0 16 */ + struct evsel * evsel; /* 16 8 */ + struct perf_sample sample; /* 24 312 */ + + /* XXX last struct has 7 bytes of padding, 2 holes */ + + /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */ + union perf_event event; /* 336 4168 */ + + /* size: 4504, cachelines: 71, members: 4 */ + /* member types with holes: 1, total: 2 */ + /* paddings: 1, sum paddings: 7 */ + /* last cacheline: 24 bytes */ + }; + + $ + +It was doing so without checking if the event just obtained has more +than that space, fix it. + +This isn't a proper, final solution, as we need to support larger +events, but for the time being we at least bounds check and document it. + +Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-7-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 71c37bde178a2..e7f36ea9e2fa1 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -512,6 +512,11 @@ static PyObject *pyrf_event__new(union perf_event *event) + event->header.type == PERF_RECORD_SWITCH_CPU_WIDE)) + return NULL; + ++ // FIXME this better be dynamic or we need to parse everything ++ // before calling perf_mmap__consume(), including tracepoint fields. ++ if (sizeof(pevent->event) < event->header.size) ++ return NULL; ++ + ptype = pyrf_event__type[event->header.type]; + pevent = PyObject_New(struct pyrf_event, ptype); + if (pevent != NULL) +-- +2.39.5 + diff --git a/queue-6.12/perf-python-decrement-the-refcount-of-just-created-e.patch b/queue-6.12/perf-python-decrement-the-refcount-of-just-created-e.patch new file mode 100644 index 0000000000..93dabb0424 --- /dev/null +++ b/queue-6.12/perf-python-decrement-the-refcount-of-just-created-e.patch @@ -0,0 +1,52 @@ +From dc3c80a65abdcb7af9b660a6243acf152245e70b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:39 -0300 +Subject: perf python: Decrement the refcount of just created event on failure + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 3de5a2bf5b4847f7a59a184568f969f8fe05d57f ] + +To avoid a leak if we have the python object but then something happens +and we need to return the operation, decrement the offset of the newly +created object. + +Fixes: 377f698db12150a1 ("perf python: Add struct evsel into struct pyrf_event") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-5-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 80ca08efb9bfd..3cd2ea99d6b6c 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -1011,6 +1011,7 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist, + + evsel = evlist__event2evsel(evlist, event); + if (!evsel) { ++ Py_DECREF(pyevent); + Py_INCREF(Py_None); + return Py_None; + } +@@ -1022,9 +1023,12 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist, + /* Consume the even only after we parsed it out. */ + perf_mmap__consume(&md->core); + +- if (err) ++ if (err) { ++ Py_DECREF(pyevent); + return PyErr_Format(PyExc_OSError, + "perf: can't parse sample, err=%d", err); ++ } ++ + return pyevent; + } + end: +-- +2.39.5 + diff --git a/queue-6.12/perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch b/queue-6.12/perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch new file mode 100644 index 0000000000..0b061fb9fb --- /dev/null +++ b/queue-6.12/perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch @@ -0,0 +1,86 @@ +From 8c6a4d47d3b174c5449a38d09f9f85c071b99867 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:40 -0300 +Subject: perf python: Don't keep a raw_data pointer to consumed ring buffer + space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnaldo Carvalho de Melo + +[ Upstream commit f3fed3ae34d606819d87a63d970cc3092a5be7ab ] + +When processing tracepoints the perf python binding was parsing the +event before calling perf_mmap__consume(&md->core) in +pyrf_evlist__read_on_cpu(). + +But part of this event parsing was to set the perf_sample->raw_data +pointer to the payload of the event, which then could be overwritten by +other event before tracepoint fields were asked for via event.prev_comm +in a python program, for instance. + +This also happened with other fields, but strings were were problems +were surfacing, as there is UTF-8 validation for the potentially garbled +data. + +This ended up showing up as (with some added debugging messages): + + ( field 'prev_comm' ret=0x7f7c31f65110, raw_size=68 ) ( field 'prev_pid' ret=0x7f7c23b1bed0, raw_size=68 ) ( field 'prev_prio' ret=0x7f7c239c0030, raw_size=68 ) ( field 'prev_state' ret=0x7f7c239c0250, raw_size=68 ) time 14771421785867 prev_comm= prev_pid=1919907691 prev_prio=796026219 prev_state=0x303a32313175 ==> + ( XXX '��' len=16, raw_size=68) ( field 'next_comm' ret=(nil), raw_size=68 ) Traceback (most recent call last): + File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 51, in + main() + File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 46, in main + event.next_comm, + ^^^^^^^^^^^^^^^ + AttributeError: 'perf.sample_event' object has no attribute 'next_comm' + +When event.next_comm was asked for, the PyUnicode_FromString() python +API would fail and that tracepoint field wouldn't be available, stopping +the tools/perf/python/tracepoint.py test tool. + +But, since we already do a copy of the whole event in pyrf_event__new, +just use it and while at it remove what was done in in e8968e654191390a +("perf python: Fix pyrf_evlist__read_on_cpu event consuming") because we +don't really need to wait for parsing the sample before declaring the +event as consumed. + +This copy is questionable as is now, as it limits the maximum event + +sample_type and tracepoint payload to sizeof(union perf_event), this all +has been "working" because 'struct perf_event_mmap2', the largest entry +in 'union perf_event' is: + + $ pahole -C perf_event ~/bin/perf | grep mmap2 + struct perf_record_mmap2 mmap2; /* 0 4168 */ + $ + +Fixes: bae57e3825a3dded ("perf python: Add support to resolve tracepoint fields") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-6-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 3cd2ea99d6b6c..71c37bde178a2 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -1018,11 +1018,9 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist, + + pevent->evsel = evsel; + +- err = evsel__parse_sample(evsel, event, &pevent->sample); +- +- /* Consume the even only after we parsed it out. */ + perf_mmap__consume(&md->core); + ++ err = evsel__parse_sample(evsel, &pevent->event, &pevent->sample); + if (err) { + Py_DECREF(pyevent); + return PyErr_Format(PyExc_OSError, +-- +2.39.5 + diff --git a/queue-6.12/perf-python-fixup-description-of-sample.id-event-mem.patch b/queue-6.12/perf-python-fixup-description-of-sample.id-event-mem.patch new file mode 100644 index 0000000000..4dfb731244 --- /dev/null +++ b/queue-6.12/perf-python-fixup-description-of-sample.id-event-mem.patch @@ -0,0 +1,38 @@ +From c7c5de028cde52deb3d662142599ad56935a51fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:36 -0300 +Subject: perf python: Fixup description of sample.id event member + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 1376c195e8ad327bb9f2d32e0acc5ac39e7cb30a ] + +Some old cut'n'paste error, its "ip", so the description should be +"event ip", not "event type". + +Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-2-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index ee3d43a7ba457..80ca08efb9bfd 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -79,7 +79,7 @@ struct pyrf_event { + }; + + #define sample_members \ +- sample_member_def(sample_ip, ip, T_ULONGLONG, "event type"), \ ++ sample_member_def(sample_ip, ip, T_ULONGLONG, "event ip"), \ + sample_member_def(sample_pid, pid, T_INT, "event pid"), \ + sample_member_def(sample_tid, tid, T_INT, "event tid"), \ + sample_member_def(sample_time, time, T_ULONGLONG, "event timestamp"), \ +-- +2.39.5 + diff --git a/queue-6.12/perf-report-switch-data-file-correctly-in-tui.patch b/queue-6.12/perf-report-switch-data-file-correctly-in-tui.patch new file mode 100644 index 0000000000..9632a50365 --- /dev/null +++ b/queue-6.12/perf-report-switch-data-file-correctly-in-tui.patch @@ -0,0 +1,48 @@ +From c570402dd66510b5bce8c10d09235bb8d89fd12a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 22:07:44 -0800 +Subject: perf report: Switch data file correctly in TUI + +From: Namhyung Kim + +[ Upstream commit 43c2b6139b188d8a756130147f7efd5ddf99f88d ] + +The 's' key is to switch to a new data file and load the data in the +same window. The switch_data_file() will show a popup menu to select +which data file user wants and update the 'input_name' global variable. + +But in the cmd_report(), it didn't update the data.path using the new +'input_name' and keep usng the old file. This is fairly an old bug and +I assume people don't use this feature much. :) + +Link: https://lore.kernel.org/r/20250211060745.294289-1-namhyung@kernel.org +Closes: https://lore.kernel.org/linux-perf-users/89e678bc-f0af-4929-a8a6-a2666f1294a4@linaro.org +Fixes: f5fc14124c5cefdd ("perf tools: Add data object to handle perf data file") +Reported-by: James Clark +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index 645deec294c84..8700c39680662 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -1551,12 +1551,12 @@ int cmd_report(int argc, const char **argv) + input_name = "perf.data"; + } + ++repeat: + data.path = input_name; + data.force = symbol_conf.force; + + symbol_conf.skip_empty = report.skip_empty; + +-repeat: + perf_tool__init(&report.tool, ordered_events); + report.tool.sample = process_sample_event; + report.tool.mmap = perf_event__process_mmap; +-- +2.39.5 + diff --git a/queue-6.12/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch b/queue-6.12/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch new file mode 100644 index 0000000000..25513c3e2c --- /dev/null +++ b/queue-6.12/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch @@ -0,0 +1,43 @@ +From 6ffa189c8c1d018e897af1f152b0406747704ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 11:00:36 +0800 +Subject: perf/ring_buffer: Allow the EPOLLRDNORM flag for poll + +From: Tao Chen + +[ Upstream commit c96fff391c095c11dc87dab35be72dee7d217cde ] + +The poll man page says POLLRDNORM is equivalent to POLLIN. For poll(), +it seems that if user sets pollfd with POLLRDNORM in userspace, perf_poll +will not return until timeout even if perf_output_wakeup called, +whereas POLLIN returns. + +Fixes: 76369139ceb9 ("perf: Split up buffer handling from core code") +Signed-off-by: Tao Chen +Signed-off-by: Ingo Molnar +Cc: Peter Zijlstra +Cc: Arnaldo Carvalho de Melo +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250314030036.2543180-1-chen.dylane@linux.dev +Signed-off-by: Sasha Levin +--- + kernel/events/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 4f46f688d0d49..bbfa22c0a1597 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -19,7 +19,7 @@ + + static void perf_output_wakeup(struct perf_output_handle *handle) + { +- atomic_set(&handle->rb->poll, EPOLLIN); ++ atomic_set(&handle->rb->poll, EPOLLIN | EPOLLRDNORM); + + handle->event->pending_wakeup = 1; + +-- +2.39.5 + diff --git a/queue-6.12/perf-stat-fix-find_stat-for-mixed-legacy-non-legacy-.patch b/queue-6.12/perf-stat-fix-find_stat-for-mixed-legacy-non-legacy-.patch new file mode 100644 index 0000000000..ee80a691df --- /dev/null +++ b/queue-6.12/perf-stat-fix-find_stat-for-mixed-legacy-non-legacy-.patch @@ -0,0 +1,107 @@ +From 330f318c7f0471f9ae685b2037fe07b37c1b2219 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 14:21:07 -0800 +Subject: perf stat: Fix find_stat for mixed legacy/non-legacy events + +From: Ian Rogers + +[ Upstream commit 8ce0d2da14d3fb62844dd0e95982c194326b1a5f ] + +Legacy events typically don't have a PMU when added leading to +mismatched legacy/non-legacy cases in find_stat. Use evsel__find_pmu +to make sure the evsel PMU is looked up. Update the evsel__find_pmu +code to look for the PMU using the extended config type or, for legacy +hardware/hw_cache events on non-hybrid systems, just use the core PMU. + +Before: +``` +$ perf stat -e cycles,cpu/instructions/ -a sleep 1 + Performance counter stats for 'system wide': + + 215,309,764 cycles + 44,326,491 cpu/instructions/ + + 1.002555314 seconds time elapsed +``` +After: +``` +$ perf stat -e cycles,cpu/instructions/ -a sleep 1 + + Performance counter stats for 'system wide': + + 990,676,332 cycles + 1,235,762,487 cpu/instructions/ # 1.25 insn per cycle + + 1.002667198 seconds time elapsed +``` + +Fixes: 3612ca8e2935 ("perf stat: Fix the hard-coded metrics calculation on the hybrid") +Signed-off-by: Ian Rogers +Tested-by: James Clark +Tested-by: Leo Yan +Tested-by: Atish Patra +Link: https://lore.kernel.org/r/20250109222109.567031-3-irogers@google.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/pmus.c | 20 +++++++++++++++++--- + tools/perf/util/stat-shadow.c | 3 ++- + 2 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/pmus.c b/tools/perf/util/pmus.c +index d7d67e09d759b..362596ed27294 100644 +--- a/tools/perf/util/pmus.c ++++ b/tools/perf/util/pmus.c +@@ -701,11 +701,25 @@ char *perf_pmus__default_pmu_name(void) + struct perf_pmu *evsel__find_pmu(const struct evsel *evsel) + { + struct perf_pmu *pmu = evsel->pmu; ++ bool legacy_core_type; + +- if (!pmu) { +- pmu = perf_pmus__find_by_type(evsel->core.attr.type); +- ((struct evsel *)evsel)->pmu = pmu; ++ if (pmu) ++ return pmu; ++ ++ pmu = perf_pmus__find_by_type(evsel->core.attr.type); ++ legacy_core_type = ++ evsel->core.attr.type == PERF_TYPE_HARDWARE || ++ evsel->core.attr.type == PERF_TYPE_HW_CACHE; ++ if (!pmu && legacy_core_type) { ++ if (perf_pmus__supports_extended_type()) { ++ u32 type = evsel->core.attr.config >> PERF_PMU_TYPE_SHIFT; ++ ++ pmu = perf_pmus__find_by_type(type); ++ } else { ++ pmu = perf_pmus__find_core_pmu(); ++ } + } ++ ((struct evsel *)evsel)->pmu = pmu; + return pmu; + } + +diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c +index 99376c12dd8ec..7c49997fab3a3 100644 +--- a/tools/perf/util/stat-shadow.c ++++ b/tools/perf/util/stat-shadow.c +@@ -154,6 +154,7 @@ static double find_stat(const struct evsel *evsel, int aggr_idx, enum stat_type + { + const struct evsel *cur; + int evsel_ctx = evsel_context(evsel); ++ struct perf_pmu *evsel_pmu = evsel__find_pmu(evsel); + + evlist__for_each_entry(evsel->evlist, cur) { + struct perf_stat_aggr *aggr; +@@ -180,7 +181,7 @@ static double find_stat(const struct evsel *evsel, int aggr_idx, enum stat_type + * Except the SW CLOCK events, + * ignore if not the PMU we're looking for. + */ +- if ((type != STAT_NSECS) && (evsel->pmu != cur->pmu)) ++ if ((type != STAT_NSECS) && (evsel_pmu != evsel__find_pmu(cur))) + continue; + + aggr = &cur->stats->aggr[aggr_idx]; +-- +2.39.5 + diff --git a/queue-6.12/perf-tools-annotate-asm_pure_loop.s.patch b/queue-6.12/perf-tools-annotate-asm_pure_loop.s.patch new file mode 100644 index 0000000000..8fb4b8c959 --- /dev/null +++ b/queue-6.12/perf-tools-annotate-asm_pure_loop.s.patch @@ -0,0 +1,34 @@ +From c30383e2a51256a22165d99f33149678607a774a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Mar 2025 09:53:45 +0100 +Subject: perf tools: annotate asm_pure_loop.S + +From: Marcus Meissner + +[ Upstream commit 9a352a90e88a041f4b26d359493e12a7f5ae1a6a ] + +Annotate so it is built with non-executable stack. + +Fixes: 8b97519711c3 ("perf test: Add asm pureloop test tool") +Signed-off-by: Marcus Meissner +Reviewed-by: Leo Yan +Link: https://lore.kernel.org/r/20250323085410.23751-1-meissner@suse.de +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S b/tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S +index 75cf084a927d3..5777600467723 100644 +--- a/tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S ++++ b/tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S +@@ -26,3 +26,5 @@ skip: + mov x0, #0 + mov x8, #93 // __NR_exit syscall + svc #0 ++ ++.section .note.GNU-stack, "", @progbits +-- +2.39.5 + diff --git a/queue-6.12/perf-units-fix-insufficient-array-space.patch b/queue-6.12/perf-units-fix-insufficient-array-space.patch new file mode 100644 index 0000000000..7b1af3e4c6 --- /dev/null +++ b/queue-6.12/perf-units-fix-insufficient-array-space.patch @@ -0,0 +1,46 @@ +From 86fcc3d885acbb855fd72a7009e3ebfff7df0e41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 16:45:32 -0300 +Subject: perf units: Fix insufficient array space + +From: Arnaldo Carvalho de Melo + +[ Upstream commit cf67629f7f637fb988228abdb3aae46d0c1748fe ] + +No need to specify the array size, let the compiler figure that out. + +This addresses this compiler warning that was noticed while build +testing on fedora rawhide: + + 31 15.81 fedora:rawhide : FAIL gcc version 15.0.1 20250225 (Red Hat 15.0.1-0) (GCC) + util/units.c: In function 'unit_number__scnprintf': + util/units.c:67:24: error: initializer-string for array of 'char' is too long [-Werror=unterminated-string-initialization] + 67 | char unit[4] = "BKMG"; + | ^~~~~~ + cc1: all warnings being treated as errors + +Fixes: 9808143ba2e54818 ("perf tools: Add unit_number__scnprintf function") +Signed-off-by: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/r/20250310194534.265487-3-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/units.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/units.c b/tools/perf/util/units.c +index 32c39cfe209b3..4c6a86e1cb54b 100644 +--- a/tools/perf/util/units.c ++++ b/tools/perf/util/units.c +@@ -64,7 +64,7 @@ unsigned long convert_unit(unsigned long value, char *unit) + + int unit_number__scnprintf(char *buf, size_t size, u64 n) + { +- char unit[4] = "BKMG"; ++ char unit[] = "BKMG"; + int i = 0; + + while (((n / 1024) > 1) && (i < 3)) { +-- +2.39.5 + diff --git a/queue-6.12/perf-vendor-events-arm64-ampereonex-fix-frontend_bou.patch b/queue-6.12/perf-vendor-events-arm64-ampereonex-fix-frontend_bou.patch new file mode 100644 index 0000000000..dfaf74da30 --- /dev/null +++ b/queue-6.12/perf-vendor-events-arm64-ampereonex-fix-frontend_bou.patch @@ -0,0 +1,63 @@ +From 506a178111abee7a54818af8a1be25794c9a0fba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 20:15:59 +0000 +Subject: perf vendor events arm64 AmpereOneX: Fix frontend_bound calculation + +From: Ilkka Koskinen + +[ Upstream commit 182f12f3193341c3400ae719a34c00a8a1204cff ] + +frontend_bound metrics was miscalculated due to different scaling in +a couple of metrics it depends on. Change the scaling to match with +AmpereOne. + +Fixes: 16438b652b46 ("perf vendor events arm64 AmpereOneX: Add core PMU events and metrics") +Signed-off-by: Ilkka Koskinen +Reviewed-by: James Clark +Link: https://lore.kernel.org/r/20250313201559.11332-3-ilkka@os.amperecomputing.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + .../arch/arm64/ampere/ampereonex/metrics.json | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/perf/pmu-events/arch/arm64/ampere/ampereonex/metrics.json b/tools/perf/pmu-events/arch/arm64/ampere/ampereonex/metrics.json +index c5d1d22bd034b..5228f94a793f9 100644 +--- a/tools/perf/pmu-events/arch/arm64/ampere/ampereonex/metrics.json ++++ b/tools/perf/pmu-events/arch/arm64/ampere/ampereonex/metrics.json +@@ -229,19 +229,19 @@ + }, + { + "MetricName": "slots_lost_misspeculation_fraction", +- "MetricExpr": "(OP_SPEC - OP_RETIRED) / (CPU_CYCLES * #slots)", ++ "MetricExpr": "100 * (OP_SPEC - OP_RETIRED) / (CPU_CYCLES * #slots)", + "BriefDescription": "Fraction of slots lost due to misspeculation", + "DefaultMetricgroupName": "TopdownL1", + "MetricGroup": "Default;TopdownL1", +- "ScaleUnit": "100percent of slots" ++ "ScaleUnit": "1percent of slots" + }, + { + "MetricName": "retired_fraction", +- "MetricExpr": "OP_RETIRED / (CPU_CYCLES * #slots)", ++ "MetricExpr": "100 * OP_RETIRED / (CPU_CYCLES * #slots)", + "BriefDescription": "Fraction of slots retiring, useful work", + "DefaultMetricgroupName": "TopdownL1", + "MetricGroup": "Default;TopdownL1", +- "ScaleUnit": "100percent of slots" ++ "ScaleUnit": "1percent of slots" + }, + { + "MetricName": "backend_core", +@@ -266,7 +266,7 @@ + }, + { + "MetricName": "frontend_bandwidth", +- "MetricExpr": "frontend_bound - frontend_latency", ++ "MetricExpr": "frontend_bound - 100 * frontend_latency", + "BriefDescription": "Fraction of slots the CPU did not dispatch at full bandwidth - able to dispatch partial slots only (1, 2, or 3 uops)", + "MetricGroup": "TopdownL2", + "ScaleUnit": "1percent of slots" +-- +2.39.5 + diff --git a/queue-6.12/phy-phy-rockchip-samsung-hdptx-don-t-use-dt-aliases-.patch b/queue-6.12/phy-phy-rockchip-samsung-hdptx-don-t-use-dt-aliases-.patch new file mode 100644 index 0000000000..232595bbc4 --- /dev/null +++ b/queue-6.12/phy-phy-rockchip-samsung-hdptx-don-t-use-dt-aliases-.patch @@ -0,0 +1,139 @@ +From 55d4853fcdda62d04419481085ddb1e7dfa71c22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 11:34:01 +0100 +Subject: phy: phy-rockchip-samsung-hdptx: Don't use dt aliases to determine + phy-id + +From: Heiko Stuebner + +[ Upstream commit f08d1c08563846f9be79a4859e912c8795d690fd ] + +The phy needs to know its identity in the system (phy0 or phy1 on rk3588) +for some actions and the driver currently contains code abusing of_alias +for that. + +Devicetree aliases are always optional and should not be used for core +device functionality, so instead keep a list of phys on a soc in the +of_device_data and find the phy-id by comparing against the mapped +register-base. + +Fixes: c4b09c562086 ("phy: phy-rockchip-samsung-hdptx: Add clock provider support") +Signed-off-by: Heiko Stuebner +Reviewed-by: Cristian Ciocaltea +Reviewed-by: Sebastian Reichel +Link: https://lore.kernel.org/r/20241206103401.1780416-3-heiko@sntech.de +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + .../phy/rockchip/phy-rockchip-samsung-hdptx.c | 50 ++++++++++++++++--- + 1 file changed, 44 insertions(+), 6 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c +index 69c3ec0938f74..be6f1ca9095aa 100644 +--- a/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c ++++ b/drivers/phy/rockchip/phy-rockchip-samsung-hdptx.c +@@ -266,11 +266,22 @@ enum rk_hdptx_reset { + RST_MAX + }; + ++#define MAX_HDPTX_PHY_NUM 2 ++ ++struct rk_hdptx_phy_cfg { ++ unsigned int num_phys; ++ unsigned int phy_ids[MAX_HDPTX_PHY_NUM]; ++}; ++ + struct rk_hdptx_phy { + struct device *dev; + struct regmap *regmap; + struct regmap *grf; + ++ /* PHY const config */ ++ const struct rk_hdptx_phy_cfg *cfgs; ++ int phy_id; ++ + struct phy *phy; + struct phy_config *phy_cfg; + struct clk_bulk_data *clks; +@@ -1019,15 +1030,14 @@ static int rk_hdptx_phy_clk_register(struct rk_hdptx_phy *hdptx) + struct device *dev = hdptx->dev; + const char *name, *pname; + struct clk *refclk; +- int ret, id; ++ int ret; + + refclk = devm_clk_get(dev, "ref"); + if (IS_ERR(refclk)) + return dev_err_probe(dev, PTR_ERR(refclk), + "Failed to get ref clock\n"); + +- id = of_alias_get_id(dev->of_node, "hdptxphy"); +- name = id > 0 ? "clk_hdmiphy_pixel1" : "clk_hdmiphy_pixel0"; ++ name = hdptx->phy_id > 0 ? "clk_hdmiphy_pixel1" : "clk_hdmiphy_pixel0"; + pname = __clk_get_name(refclk); + + hdptx->hw.init = CLK_HW_INIT(name, pname, &hdptx_phy_clk_ops, +@@ -1070,8 +1080,9 @@ static int rk_hdptx_phy_probe(struct platform_device *pdev) + struct phy_provider *phy_provider; + struct device *dev = &pdev->dev; + struct rk_hdptx_phy *hdptx; ++ struct resource *res; + void __iomem *regs; +- int ret; ++ int ret, id; + + hdptx = devm_kzalloc(dev, sizeof(*hdptx), GFP_KERNEL); + if (!hdptx) +@@ -1079,11 +1090,27 @@ static int rk_hdptx_phy_probe(struct platform_device *pdev) + + hdptx->dev = dev; + +- regs = devm_platform_ioremap_resource(pdev, 0); ++ regs = devm_platform_get_and_ioremap_resource(pdev, 0, &res); + if (IS_ERR(regs)) + return dev_err_probe(dev, PTR_ERR(regs), + "Failed to ioremap resource\n"); + ++ hdptx->cfgs = device_get_match_data(dev); ++ if (!hdptx->cfgs) ++ return dev_err_probe(dev, -EINVAL, "missing match data\n"); ++ ++ /* find the phy-id from the io address */ ++ hdptx->phy_id = -ENODEV; ++ for (id = 0; id < hdptx->cfgs->num_phys; id++) { ++ if (res->start == hdptx->cfgs->phy_ids[id]) { ++ hdptx->phy_id = id; ++ break; ++ } ++ } ++ ++ if (hdptx->phy_id < 0) ++ return dev_err_probe(dev, -ENODEV, "no matching device found\n"); ++ + ret = devm_clk_bulk_get_all(dev, &hdptx->clks); + if (ret < 0) + return dev_err_probe(dev, ret, "Failed to get clocks\n"); +@@ -1147,8 +1174,19 @@ static const struct dev_pm_ops rk_hdptx_phy_pm_ops = { + rk_hdptx_phy_runtime_resume, NULL) + }; + ++static const struct rk_hdptx_phy_cfg rk3588_hdptx_phy_cfgs = { ++ .num_phys = 2, ++ .phy_ids = { ++ 0xfed60000, ++ 0xfed70000, ++ }, ++}; ++ + static const struct of_device_id rk_hdptx_phy_of_match[] = { +- { .compatible = "rockchip,rk3588-hdptx-phy", }, ++ { ++ .compatible = "rockchip,rk3588-hdptx-phy", ++ .data = &rk3588_hdptx_phy_cfgs ++ }, + {} + }; + MODULE_DEVICE_TABLE(of, rk_hdptx_phy_of_match); +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-intel-fix-wrong-bypass-assignment-in-intel_p.patch b/queue-6.12/pinctrl-intel-fix-wrong-bypass-assignment-in-intel_p.patch new file mode 100644 index 0000000000..1311c5bb5b --- /dev/null +++ b/queue-6.12/pinctrl-intel-fix-wrong-bypass-assignment-in-intel_p.patch @@ -0,0 +1,39 @@ +From 595de1abb93ac231764944c6f72aef7b15703f50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 21:44:51 +0200 +Subject: pinctrl: intel: Fix wrong bypass assignment in + intel_pinctrl_probe_pwm() + +From: Andy Shevchenko + +[ Upstream commit 0eee258cdf172763502f142d85e967f27a573be0 ] + +When instantiating PWM, the bypass should be set to false. The field +is used for the selected Intel SoCs that do not have PWM feature enabled +in their pin control IPs. + +Fixes: eb78d3604d6b ("pinctrl: intel: Enumerate PWM device when community has a capability") +Reported-by: Alexis GUILLEMET +Signed-off-by: Andy Shevchenko +Reviewed-by: Mika Westerberg +Tested-by: Alexis GUILLEMET +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-intel.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c +index 928607a21d36d..f8abc69a39d16 100644 +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -1531,7 +1531,6 @@ static int intel_pinctrl_probe_pwm(struct intel_pinctrl *pctrl, + .clk_rate = 19200000, + .npwm = 1, + .base_unit_bits = 22, +- .bypass = true, + }; + struct pwm_chip *chip; + +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-npcm8xx-fix-incorrect-struct-npcm8xx_pincfg-.patch b/queue-6.12/pinctrl-npcm8xx-fix-incorrect-struct-npcm8xx_pincfg-.patch new file mode 100644 index 0000000000..4caf6e0057 --- /dev/null +++ b/queue-6.12/pinctrl-npcm8xx-fix-incorrect-struct-npcm8xx_pincfg-.patch @@ -0,0 +1,57 @@ +From 62786583bfcb7e0be65d0a9bed0f75ca1e4abedc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 12:57:14 +0200 +Subject: pinctrl: npcm8xx: Fix incorrect struct npcm8xx_pincfg assignment + +From: Andy Shevchenko + +[ Upstream commit 113ec87b0f26a17b02c58aa2714a9b8f1020eed9 ] + +Sparse is not happy about implementation of the NPCM8XX_PINCFG() + + pinctrl-npcm8xx.c:1314:9: warning: obsolete array initializer, use C99 syntax + pinctrl-npcm8xx.c:1315:9: warning: obsolete array initializer, use C99 syntax + ... + pinctrl-npcm8xx.c:1412:9: warning: obsolete array initializer, use C99 syntax + pinctrl-npcm8xx.c:1413:9: warning: too many warnings + +which uses index-based assignment in a wrong way, i.e. it missed +the equal sign and hence the index is simply ignored, while the +entries are indexed naturally. This is not a problem as the pin +numbering repeats the natural order, but it might be in case of +shuffling the entries. Fix this by adding missed equal sign and +reformat a bit for better readability. + +Fixes: acf4884a5717 ("pinctrl: nuvoton: add NPCM8XX pinctrl and GPIO driver") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/20250318105932.2090926-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c b/drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c +index 17825bbe14213..f6a1e684a3864 100644 +--- a/drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c ++++ b/drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c +@@ -1290,12 +1290,14 @@ static struct npcm8xx_func npcm8xx_funcs[] = { + }; + + #define NPCM8XX_PINCFG(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q) \ +- [a] { .fn0 = fn_ ## b, .reg0 = NPCM8XX_GCR_ ## c, .bit0 = d, \ ++ [a] = { \ ++ .flag = q, \ ++ .fn0 = fn_ ## b, .reg0 = NPCM8XX_GCR_ ## c, .bit0 = d, \ + .fn1 = fn_ ## e, .reg1 = NPCM8XX_GCR_ ## f, .bit1 = g, \ + .fn2 = fn_ ## h, .reg2 = NPCM8XX_GCR_ ## i, .bit2 = j, \ + .fn3 = fn_ ## k, .reg3 = NPCM8XX_GCR_ ## l, .bit3 = m, \ + .fn4 = fn_ ## n, .reg4 = NPCM8XX_GCR_ ## o, .bit4 = p, \ +- .flag = q } ++ } + + /* Drive strength controlled by NPCM8XX_GP_N_ODSC */ + #define DRIVE_STRENGTH_LO_SHIFT 8 +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-nuvoton-npcm8xx-fix-error-handling-in-npcm8x.patch b/queue-6.12/pinctrl-nuvoton-npcm8xx-fix-error-handling-in-npcm8x.patch new file mode 100644 index 0000000000..8646a4a43e --- /dev/null +++ b/queue-6.12/pinctrl-nuvoton-npcm8xx-fix-error-handling-in-npcm8x.patch @@ -0,0 +1,39 @@ +From 89211eafd0505363a0f14a87e3968cac90145df1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Jan 2025 11:13:34 +0800 +Subject: pinctrl: nuvoton: npcm8xx: Fix error handling in npcm8xx_gpio_fw() + +From: Yue Haibing + +[ Upstream commit d6c6fd77e5816e3f6689a2767cdd777797506f24 ] + +fwnode_irq_get() was changed to not return 0, fix this by checking +for negative error, also update the error log. + +Fixes: acf4884a5717 ("pinctrl: nuvoton: add NPCM8XX pinctrl and GPIO driver") +Signed-off-by: Yue Haibing +Link: https://lore.kernel.org/20250118031334.243324-1-yuehaibing@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c b/drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c +index d09a5e9b2eca5..17825bbe14213 100644 +--- a/drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c ++++ b/drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c +@@ -2361,8 +2361,8 @@ static int npcm8xx_gpio_fw(struct npcm8xx_pinctrl *pctrl) + return dev_err_probe(dev, ret, "gpio-ranges fail for GPIO bank %u\n", id); + + ret = fwnode_irq_get(child, 0); +- if (!ret) +- return dev_err_probe(dev, ret, "No IRQ for GPIO bank %u\n", id); ++ if (ret < 0) ++ return dev_err_probe(dev, ret, "Failed to retrieve IRQ for bank %u\n", id); + + pctrl->gpio_bank[id].irq = ret; + pctrl->gpio_bank[id].irq_chip = npcmgpio_irqchip; +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch b/queue-6.12/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch new file mode 100644 index 0000000000..a77763def2 --- /dev/null +++ b/queue-6.12/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch @@ -0,0 +1,42 @@ +From 56e235fb2b0efaee67b9640ce352dcb8c0481a72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 16:37:53 +0000 +Subject: pinctrl: renesas: rza2: Fix missing of_node_put() call + +From: Fabrizio Castro + +[ Upstream commit abcdeb4e299a11ecb5a3ea0cce00e68e8f540375 ] + +of_parse_phandle_with_fixed_args() requires its caller to +call into of_node_put() on the node pointer from the output +structure, but such a call is currently missing. + +Call into of_node_put() to rectify that. + +Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller") +Signed-off-by: Fabrizio Castro +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250305163753.34913-5-fabrizio.castro.jz@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rza2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c +index af689d7c117f3..773eaf508565b 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rza2.c ++++ b/drivers/pinctrl/renesas/pinctrl-rza2.c +@@ -253,6 +253,8 @@ static int rza2_gpio_register(struct rza2_pinctrl_priv *priv) + return ret; + } + ++ of_node_put(of_args.np); ++ + if ((of_args.args[0] != 0) || + (of_args.args[1] != 0) || + (of_args.args[2] != priv->npins)) { +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-renesas-rzg2l-fix-missing-of_node_put-call.patch b/queue-6.12/pinctrl-renesas-rzg2l-fix-missing-of_node_put-call.patch new file mode 100644 index 0000000000..b812f5c017 --- /dev/null +++ b/queue-6.12/pinctrl-renesas-rzg2l-fix-missing-of_node_put-call.patch @@ -0,0 +1,42 @@ +From 32a39007f71c34de716ba5d6278f78b999a8f4cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 16:37:51 +0000 +Subject: pinctrl: renesas: rzg2l: Fix missing of_node_put() call + +From: Fabrizio Castro + +[ Upstream commit a5779e625e2b377f16a6675c432aaf299ce5028c ] + +of_parse_phandle_with_fixed_args() requires its caller to +call into of_node_put() on the node pointer from the output +structure, but such a call is currently missing. + +Call into of_node_put() to rectify that. + +Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") +Signed-off-by: Fabrizio Castro +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250305163753.34913-3-fabrizio.castro.jz@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +index 47e6552c3751d..d90685cfe2e1a 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +@@ -2583,6 +2583,8 @@ static int rzg2l_gpio_register(struct rzg2l_pinctrl *pctrl) + if (ret) + return dev_err_probe(pctrl->dev, ret, "Unable to parse gpio-ranges\n"); + ++ of_node_put(of_args.np); ++ + if (of_args.args[0] != 0 || of_args.args[1] != 0 || + of_args.args[2] != pctrl->data->n_port_pins) + return dev_err_probe(pctrl->dev, -EINVAL, +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-renesas-rzg2l-suppress-binding-attributes.patch b/queue-6.12/pinctrl-renesas-rzg2l-suppress-binding-attributes.patch new file mode 100644 index 0000000000..faf671c98c --- /dev/null +++ b/queue-6.12/pinctrl-renesas-rzg2l-suppress-binding-attributes.patch @@ -0,0 +1,40 @@ +From e47b880b83cd53dd92282e08ac6f2408fd4b0feb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Feb 2025 15:12:35 +0200 +Subject: pinctrl: renesas: rzg2l: Suppress binding attributes + +From: Claudiu Beznea + +[ Upstream commit ea4065345643f3163e812e58ed8add2c75c3ee46 ] + +Suppress binding attributes for the rzg2l pinctrl driver, as it is an +essential block for Renesas SoCs. Unbinding the driver leads to +warnings from __device_links_no_driver() and can eventually render the +system inaccessible. + +Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") +Signed-off-by: Claudiu Beznea +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250215131235.228274-1-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzg2l.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +index 5081c7d8064fa..47e6552c3751d 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +@@ -3180,6 +3180,7 @@ static struct platform_driver rzg2l_pinctrl_driver = { + .name = DRV_NAME, + .of_match_table = of_match_ptr(rzg2l_pinctrl_of_table), + .pm = pm_sleep_ptr(&rzg2l_pinctrl_pm_ops), ++ .suppress_bind_attrs = true, + }, + .probe = rzg2l_pinctrl_probe, + }; +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-renesas-rzv2m-fix-missing-of_node_put-call.patch b/queue-6.12/pinctrl-renesas-rzv2m-fix-missing-of_node_put-call.patch new file mode 100644 index 0000000000..37e5b59595 --- /dev/null +++ b/queue-6.12/pinctrl-renesas-rzv2m-fix-missing-of_node_put-call.patch @@ -0,0 +1,42 @@ +From 337305bab0196c1c29f72abf127bf2d2e866e53a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 16:37:52 +0000 +Subject: pinctrl: renesas: rzv2m: Fix missing of_node_put() call + +From: Fabrizio Castro + +[ Upstream commit 5a550b00704d3a2cd9d766a9427b0f8166da37df ] + +of_parse_phandle_with_fixed_args() requires its caller to +call into of_node_put() on the node pointer from the output +structure, but such a call is currently missing. + +Call into of_node_put() to rectify that. + +Fixes: 92a9b8252576 ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver") +Signed-off-by: Fabrizio Castro +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250305163753.34913-4-fabrizio.castro.jz@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzv2m.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzv2m.c b/drivers/pinctrl/renesas/pinctrl-rzv2m.c +index 4062c56619f59..8c7169db4fcce 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzv2m.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzv2m.c +@@ -940,6 +940,8 @@ static int rzv2m_gpio_register(struct rzv2m_pinctrl *pctrl) + return ret; + } + ++ of_node_put(of_args.np); ++ + if (of_args.args[0] != 0 || of_args.args[1] != 0 || + of_args.args[2] != pctrl->data->n_port_pins) { + dev_err(pctrl->dev, "gpio-ranges does not match selected SOC\n"); +-- +2.39.5 + diff --git a/queue-6.12/pinctrl-tegra-set-sfio-mode-to-mux-register.patch b/queue-6.12/pinctrl-tegra-set-sfio-mode-to-mux-register.patch new file mode 100644 index 0000000000..5817f726ed --- /dev/null +++ b/queue-6.12/pinctrl-tegra-set-sfio-mode-to-mux-register.patch @@ -0,0 +1,49 @@ +From 0859a34e6eaf46e31283d3c71597b5c9b1950f5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 10:35:42 +0530 +Subject: pinctrl: tegra: Set SFIO mode to Mux Register + +From: Prathamesh Shete + +[ Upstream commit 17013f0acb322e5052ff9b9d0fab0ab5a4bfd828 ] + +Tegra devices have an 'sfsel' bit field that determines whether a pin +operates in SFIO (Special Function I/O) or GPIO mode. Currently, +tegra_pinctrl_gpio_disable_free() sets this bit when releasing a GPIO. + +However, tegra_pinctrl_set_mux() can be called independently in certain +code paths where gpio_disable_free() is not invoked. In such cases, failing +to set the SFIO mode could lead to incorrect pin configurations, resulting +in functional issues for peripherals relying on SFIO. + +This patch ensures that whenever set_mux() is called, the SFIO mode is +correctly set in the Mux Register if the 'sfsel' bit is present. This +prevents situations where the pin remains in GPIO mode despite being +configured for SFIO use. + +Fixes: 971dac7123c7 ("pinctrl: add a driver for NVIDIA Tegra") +Signed-off-by: Prathamesh Shete +Link: https://lore.kernel.org/20250306050542.16335-1-pshete@nvidia.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/tegra/pinctrl-tegra.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pinctrl/tegra/pinctrl-tegra.c b/drivers/pinctrl/tegra/pinctrl-tegra.c +index c83e5a65e6801..3b046450bd3ff 100644 +--- a/drivers/pinctrl/tegra/pinctrl-tegra.c ++++ b/drivers/pinctrl/tegra/pinctrl-tegra.c +@@ -270,6 +270,9 @@ static int tegra_pinctrl_set_mux(struct pinctrl_dev *pctldev, + val = pmx_readl(pmx, g->mux_bank, g->mux_reg); + val &= ~(0x3 << g->mux_bit); + val |= i << g->mux_bit; ++ /* Set the SFIO/GPIO selection to SFIO when under pinmux control*/ ++ if (pmx->soc->sfsel_in_mux) ++ val |= (1 << g->sfsel_bit); + pmx_writel(pmx, val, g->mux_bank, g->mux_reg); + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/platform-x86-amd-pmf-propagate-pmf-ta-return-codes.patch b/queue-6.12/platform-x86-amd-pmf-propagate-pmf-ta-return-codes.patch new file mode 100644 index 0000000000..c5e8b9e708 --- /dev/null +++ b/queue-6.12/platform-x86-amd-pmf-propagate-pmf-ta-return-codes.patch @@ -0,0 +1,45 @@ +From fa0905eb9c5a2709efc5a06bf53902f30edc5622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 10:28:41 +0530 +Subject: platform/x86/amd/pmf: Propagate PMF-TA return codes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shyam Sundar S K + +[ Upstream commit 9ba93cb8212d62bccd8b41b8adb6656abf37280a ] + +In the amd_pmf_invoke_cmd_init() function within the PMF driver ensure +that the actual result from the PMF-TA is returned rather than a generic +EIO. This change allows for proper handling of errors originating from the +PMF-TA. + +Reviewed-by: Mario Limonciello +Co-developed-by: Patil Rajesh Reddy +Signed-off-by: Patil Rajesh Reddy +Signed-off-by: Shyam Sundar S K +Link: https://lore.kernel.org/r/20250305045842.4117767-1-Shyam-sundar.S-k@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmf/tee-if.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c +index 19c27b6e46663..0ad571783d126 100644 +--- a/drivers/platform/x86/amd/pmf/tee-if.c ++++ b/drivers/platform/x86/amd/pmf/tee-if.c +@@ -323,7 +323,7 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev) + } else { + dev_err(dev->dev, "ta invoke cmd init failed err: %x\n", res); + dev->smart_pc_enabled = false; +- return -EIO; ++ return res; + } + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/platform-x86-amd-pmf-update-pmf-driver-for-compatibi.patch b/queue-6.12/platform-x86-amd-pmf-update-pmf-driver-for-compatibi.patch new file mode 100644 index 0000000000..709327b980 --- /dev/null +++ b/queue-6.12/platform-x86-amd-pmf-update-pmf-driver-for-compatibi.patch @@ -0,0 +1,177 @@ +From b161364daf36b16cbb2b91a823702938071c59d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 10:28:42 +0530 +Subject: platform/x86/amd/pmf: Update PMF Driver for Compatibility with new + PMF-TA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shyam Sundar S K + +[ Upstream commit 376a8c2a144397d9cf2a67d403dd64f4a7ff9104 ] + +The PMF driver allocates a shared memory buffer using +tee_shm_alloc_kernel_buf() for communication with the PMF-TA. + +The latest PMF-TA version introduces new structures with OEM debug +information and additional policy input conditions for evaluating the +policy binary. Consequently, the shared memory size must be increased to +ensure compatibility between the PMF driver and the updated PMF-TA. + +To do so, introduce the new PMF-TA UUID and update the PMF shared memory +configuration to ensure compatibility with the latest PMF-TA version. +Additionally, export the TA UUID. + +These updates will result in modifications to the prototypes of +amd_pmf_tee_init() and amd_pmf_ta_open_session(). + +Link: https://lore.kernel.org/all/55ac865f-b1c7-fa81-51c4-d211c7963e7e@linux.intel.com/ +Reviewed-by: Mario Limonciello +Co-developed-by: Patil Rajesh Reddy +Signed-off-by: Patil Rajesh Reddy +Signed-off-by: Shyam Sundar S K +Link: https://lore.kernel.org/r/20250305045842.4117767-2-Shyam-sundar.S-k@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmf/pmf.h | 5 ++- + drivers/platform/x86/amd/pmf/tee-if.c | 50 +++++++++++++++++++-------- + 2 files changed, 40 insertions(+), 15 deletions(-) + +diff --git a/drivers/platform/x86/amd/pmf/pmf.h b/drivers/platform/x86/amd/pmf/pmf.h +index 8ce8816da9c16..43ba1b9aa1811 100644 +--- a/drivers/platform/x86/amd/pmf/pmf.h ++++ b/drivers/platform/x86/amd/pmf/pmf.h +@@ -105,9 +105,12 @@ struct cookie_header { + #define PMF_TA_IF_VERSION_MAJOR 1 + #define TA_PMF_ACTION_MAX 32 + #define TA_PMF_UNDO_MAX 8 +-#define TA_OUTPUT_RESERVED_MEM 906 ++#define TA_OUTPUT_RESERVED_MEM 922 + #define MAX_OPERATION_PARAMS 4 + ++#define TA_ERROR_CRYPTO_INVALID_PARAM 0x20002 ++#define TA_ERROR_CRYPTO_BIN_TOO_LARGE 0x2000d ++ + #define PMF_IF_V1 1 + #define PMF_IF_V2 2 + +diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c +index 0ad571783d126..35495ef2c87df 100644 +--- a/drivers/platform/x86/amd/pmf/tee-if.c ++++ b/drivers/platform/x86/amd/pmf/tee-if.c +@@ -27,8 +27,11 @@ module_param(pb_side_load, bool, 0444); + MODULE_PARM_DESC(pb_side_load, "Sideload policy binaries debug policy failures"); + #endif + +-static const uuid_t amd_pmf_ta_uuid = UUID_INIT(0x6fd93b77, 0x3fb8, 0x524d, +- 0xb1, 0x2d, 0xc5, 0x29, 0xb1, 0x3d, 0x85, 0x43); ++static const uuid_t amd_pmf_ta_uuid[] = { UUID_INIT(0xd9b39bf2, 0x66bd, 0x4154, 0xaf, 0xb8, 0x8a, ++ 0xcc, 0x2b, 0x2b, 0x60, 0xd6), ++ UUID_INIT(0x6fd93b77, 0x3fb8, 0x524d, 0xb1, 0x2d, 0xc5, ++ 0x29, 0xb1, 0x3d, 0x85, 0x43), ++ }; + + static const char *amd_pmf_uevent_as_str(unsigned int state) + { +@@ -321,7 +324,7 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev) + */ + schedule_delayed_work(&dev->pb_work, msecs_to_jiffies(pb_actions_ms * 3)); + } else { +- dev_err(dev->dev, "ta invoke cmd init failed err: %x\n", res); ++ dev_dbg(dev->dev, "ta invoke cmd init failed err: %x\n", res); + dev->smart_pc_enabled = false; + return res; + } +@@ -390,12 +393,12 @@ static int amd_pmf_amdtee_ta_match(struct tee_ioctl_version_data *ver, const voi + return ver->impl_id == TEE_IMPL_ID_AMDTEE; + } + +-static int amd_pmf_ta_open_session(struct tee_context *ctx, u32 *id) ++static int amd_pmf_ta_open_session(struct tee_context *ctx, u32 *id, const uuid_t *uuid) + { + struct tee_ioctl_open_session_arg sess_arg = {}; + int rc; + +- export_uuid(sess_arg.uuid, &amd_pmf_ta_uuid); ++ export_uuid(sess_arg.uuid, uuid); + sess_arg.clnt_login = TEE_IOCTL_LOGIN_PUBLIC; + sess_arg.num_params = 0; + +@@ -434,7 +437,7 @@ static int amd_pmf_register_input_device(struct amd_pmf_dev *dev) + return 0; + } + +-static int amd_pmf_tee_init(struct amd_pmf_dev *dev) ++static int amd_pmf_tee_init(struct amd_pmf_dev *dev, const uuid_t *uuid) + { + u32 size; + int ret; +@@ -445,7 +448,7 @@ static int amd_pmf_tee_init(struct amd_pmf_dev *dev) + return PTR_ERR(dev->tee_ctx); + } + +- ret = amd_pmf_ta_open_session(dev->tee_ctx, &dev->session_id); ++ ret = amd_pmf_ta_open_session(dev->tee_ctx, &dev->session_id, uuid); + if (ret) { + dev_err(dev->dev, "Failed to open TA session (%d)\n", ret); + ret = -EINVAL; +@@ -489,7 +492,8 @@ static void amd_pmf_tee_deinit(struct amd_pmf_dev *dev) + + int amd_pmf_init_smart_pc(struct amd_pmf_dev *dev) + { +- int ret; ++ bool status; ++ int ret, i; + + ret = apmf_check_smart_pc(dev); + if (ret) { +@@ -502,10 +506,6 @@ int amd_pmf_init_smart_pc(struct amd_pmf_dev *dev) + return -ENODEV; + } + +- ret = amd_pmf_tee_init(dev); +- if (ret) +- return ret; +- + INIT_DELAYED_WORK(&dev->pb_work, amd_pmf_invoke_cmd); + + ret = amd_pmf_set_dram_addr(dev, true); +@@ -534,8 +534,30 @@ int amd_pmf_init_smart_pc(struct amd_pmf_dev *dev) + goto error; + } + +- ret = amd_pmf_start_policy_engine(dev); +- if (ret) ++ for (i = 0; i < ARRAY_SIZE(amd_pmf_ta_uuid); i++) { ++ ret = amd_pmf_tee_init(dev, &amd_pmf_ta_uuid[i]); ++ if (ret) ++ return ret; ++ ++ ret = amd_pmf_start_policy_engine(dev); ++ switch (ret) { ++ case TA_PMF_TYPE_SUCCESS: ++ status = true; ++ break; ++ case TA_ERROR_CRYPTO_INVALID_PARAM: ++ case TA_ERROR_CRYPTO_BIN_TOO_LARGE: ++ amd_pmf_tee_deinit(dev); ++ status = false; ++ break; ++ default: ++ goto error; ++ } ++ ++ if (status) ++ break; ++ } ++ ++ if (!status && !pb_side_load) + goto error; + + if (pb_side_load) +-- +2.39.5 + diff --git a/queue-6.12/platform-x86-dell-ddv-fix-temperature-calculation.patch b/queue-6.12/platform-x86-dell-ddv-fix-temperature-calculation.patch new file mode 100644 index 0000000000..8684cc1ec6 --- /dev/null +++ b/queue-6.12/platform-x86-dell-ddv-fix-temperature-calculation.patch @@ -0,0 +1,50 @@ +From 45ffe7bdc42c4fbc0634857de0b901e4f664dc75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 06:30:07 +0100 +Subject: platform/x86: dell-ddv: Fix temperature calculation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 7a248294a3145bc65eb0d8980a0a8edbb1b92db4 ] + +On the Dell Inspiron 3505 the battery temperature is always +0.1 degrees larger than the temperature show inside the OEM +application. + +Emulate this behaviour to avoid showing strange looking values +like 29.1 degrees. + +Fixes: 0331b1b0ba653 ("platform/x86: dell-ddv: Fix temperature scaling") +Signed-off-by: Armin Wolf +Reviewed-by: Sebastian Reichel +Link: https://lore.kernel.org/r/20250305053009.378609-2-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell-wmi-ddv.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/dell/dell-wmi-ddv.c b/drivers/platform/x86/dell/dell-wmi-ddv.c +index e75cd6e1efe6a..ab5f7d3ab8249 100644 +--- a/drivers/platform/x86/dell/dell-wmi-ddv.c ++++ b/drivers/platform/x86/dell/dell-wmi-ddv.c +@@ -665,8 +665,10 @@ static ssize_t temp_show(struct device *dev, struct device_attribute *attr, char + if (ret < 0) + return ret; + +- /* Use 2731 instead of 2731.5 to avoid unnecessary rounding */ +- return sysfs_emit(buf, "%d\n", value - 2731); ++ /* Use 2732 instead of 2731.5 to avoid unnecessary rounding and to emulate ++ * the behaviour of the OEM application which seems to round down the result. ++ */ ++ return sysfs_emit(buf, "%d\n", value - 2732); + } + + static ssize_t eppid_show(struct device *dev, struct device_attribute *attr, char *buf) +-- +2.39.5 + diff --git a/queue-6.12/platform-x86-dell-uart-backlight-make-dell_uart_bl_s.patch b/queue-6.12/platform-x86-dell-uart-backlight-make-dell_uart_bl_s.patch new file mode 100644 index 0000000000..3fc8ac3e05 --- /dev/null +++ b/queue-6.12/platform-x86-dell-uart-backlight-make-dell_uart_bl_s.patch @@ -0,0 +1,47 @@ +From 317aebee29effa3086cc4ad580088fa73b757362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 18:06:39 +0200 +Subject: platform/x86: dell-uart-backlight: Make dell_uart_bl_serdev_driver + static +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 4878e0b14c3e31a87ab147bd2dae443394cb5a2c ] + +Sparse reports: + +dell-uart-backlight.c:328:29: warning: symbol +'dell_uart_bl_serdev_driver' was not declared. Should it be static? + +Fix it by making the symbol static. + +Fixes: 484bae9e4d6ac ("platform/x86: Add new Dell UART backlight driver") +Reviewed-by: Mario Limonciello +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20250304160639.4295-2-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Reviewed-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell-uart-backlight.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell/dell-uart-backlight.c b/drivers/platform/x86/dell/dell-uart-backlight.c +index c45bc332af7a0..e4868584cde2d 100644 +--- a/drivers/platform/x86/dell/dell-uart-backlight.c ++++ b/drivers/platform/x86/dell/dell-uart-backlight.c +@@ -325,7 +325,7 @@ static int dell_uart_bl_serdev_probe(struct serdev_device *serdev) + return PTR_ERR_OR_ZERO(dell_bl->bl); + } + +-struct serdev_device_driver dell_uart_bl_serdev_driver = { ++static struct serdev_device_driver dell_uart_bl_serdev_driver = { + .probe = dell_uart_bl_serdev_probe, + .driver = { + .name = KBUILD_MODNAME, +-- +2.39.5 + diff --git a/queue-6.12/platform-x86-intel-hid-fix-volume-buttons-on-microso.patch b/queue-6.12/platform-x86-intel-hid-fix-volume-buttons-on-microso.patch new file mode 100644 index 0000000000..38ba68e0fb --- /dev/null +++ b/queue-6.12/platform-x86-intel-hid-fix-volume-buttons-on-microso.patch @@ -0,0 +1,47 @@ +From 69c66454bfd56166a5e44e299e05c19b6ad54c52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 17:39:31 +0200 +Subject: platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 + tablet +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Panchenko + +[ Upstream commit 2738d06fb4f01145b24c542fb06de538ffc56430 ] + +Volume buttons on Microsoft Surface Go 4 tablet didn't send any events. +Add Surface Go 4 DMI match to button_array_table to fix this. + +Signed-off-by: Dmitry Panchenko +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20250220154016.3620917-1-dmitry@d-systems.ee +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/hid.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c +index 445e7a59beb41..9a609358956f3 100644 +--- a/drivers/platform/x86/intel/hid.c ++++ b/drivers/platform/x86/intel/hid.c +@@ -132,6 +132,13 @@ static const struct dmi_system_id button_array_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Surface Go 3"), + }, + }, ++ { ++ .ident = "Microsoft Surface Go 4", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Microsoft Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Surface Go 4"), ++ }, ++ }, + { } + }; + +-- +2.39.5 + diff --git a/queue-6.12/platform-x86-intel-vsec-add-diamond-rapids-support.patch b/queue-6.12/platform-x86-intel-vsec-add-diamond-rapids-support.patch new file mode 100644 index 0000000000..0e435ce07b --- /dev/null +++ b/queue-6.12/platform-x86-intel-vsec-add-diamond-rapids-support.patch @@ -0,0 +1,58 @@ +From 2a675c5498bffb52560960415de7b564e0a84a4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 13:47:27 -0800 +Subject: platform/x86/intel/vsec: Add Diamond Rapids support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David E. Box + +[ Upstream commit f317f38e7fbb15a0d8329289fef8cf034938fb4f ] + +Add PCI ID for the Diamond Rapids Platforms + +Signed-off-by: David E. Box +Link: https://lore.kernel.org/r/20250226214728.1256747-1-david.e.box@linux.intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/vsec.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/platform/x86/intel/vsec.c b/drivers/platform/x86/intel/vsec.c +index 7b5cc9993974e..55dd2286f3f35 100644 +--- a/drivers/platform/x86/intel/vsec.c ++++ b/drivers/platform/x86/intel/vsec.c +@@ -410,6 +410,11 @@ static const struct intel_vsec_platform_info oobmsm_info = { + .caps = VSEC_CAP_TELEMETRY | VSEC_CAP_SDSI | VSEC_CAP_TPMI, + }; + ++/* DMR OOBMSM info */ ++static const struct intel_vsec_platform_info dmr_oobmsm_info = { ++ .caps = VSEC_CAP_TELEMETRY | VSEC_CAP_TPMI, ++}; ++ + /* TGL info */ + static const struct intel_vsec_platform_info tgl_info = { + .caps = VSEC_CAP_TELEMETRY, +@@ -426,6 +431,7 @@ static const struct intel_vsec_platform_info lnl_info = { + #define PCI_DEVICE_ID_INTEL_VSEC_MTL_M 0x7d0d + #define PCI_DEVICE_ID_INTEL_VSEC_MTL_S 0xad0d + #define PCI_DEVICE_ID_INTEL_VSEC_OOBMSM 0x09a7 ++#define PCI_DEVICE_ID_INTEL_VSEC_OOBMSM_DMR 0x09a1 + #define PCI_DEVICE_ID_INTEL_VSEC_RPL 0xa77d + #define PCI_DEVICE_ID_INTEL_VSEC_TGL 0x9a0d + #define PCI_DEVICE_ID_INTEL_VSEC_LNL_M 0x647d +@@ -435,6 +441,7 @@ static const struct pci_device_id intel_vsec_pci_ids[] = { + { PCI_DEVICE_DATA(INTEL, VSEC_MTL_M, &mtl_info) }, + { PCI_DEVICE_DATA(INTEL, VSEC_MTL_S, &mtl_info) }, + { PCI_DEVICE_DATA(INTEL, VSEC_OOBMSM, &oobmsm_info) }, ++ { PCI_DEVICE_DATA(INTEL, VSEC_OOBMSM_DMR, &dmr_oobmsm_info) }, + { PCI_DEVICE_DATA(INTEL, VSEC_RPL, &tgl_info) }, + { PCI_DEVICE_DATA(INTEL, VSEC_TGL, &tgl_info) }, + { PCI_DEVICE_DATA(INTEL, VSEC_LNL_M, &lnl_info) }, +-- +2.39.5 + diff --git a/queue-6.12/platform-x86-lenovo-yoga-tab2-pro-1380-fastcharger-m.patch b/queue-6.12/platform-x86-lenovo-yoga-tab2-pro-1380-fastcharger-m.patch new file mode 100644 index 0000000000..4f7927c29f --- /dev/null +++ b/queue-6.12/platform-x86-lenovo-yoga-tab2-pro-1380-fastcharger-m.patch @@ -0,0 +1,47 @@ +From 3ce95f10a529b98bf726f0ca742cf8caa1cd2a9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 18:06:38 +0200 +Subject: platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: Make symbol + static +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 886ca11a0c70efe5627a18557062e8a44370d78f ] + +Sparse reports: + +lenovo-yoga-tab2-pro-1380-fastcharger.c:222:29: warning: symbol +'yt2_1380_fc_serdev_driver' was not declared. Should it be static? + +Fix that by making the symbol static. + +Fixes: b2ed33e8d486a ("platform/x86: Add lenovo-yoga-tab2-pro-1380-fastcharger driver") +Reviewed-by: Mario Limonciello +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20250304160639.4295-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Ilpo Järvinen +Reviewed-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/lenovo-yoga-tab2-pro-1380-fastcharger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/lenovo-yoga-tab2-pro-1380-fastcharger.c b/drivers/platform/x86/lenovo-yoga-tab2-pro-1380-fastcharger.c +index 32d9b6009c422..21de7c3a1ee3d 100644 +--- a/drivers/platform/x86/lenovo-yoga-tab2-pro-1380-fastcharger.c ++++ b/drivers/platform/x86/lenovo-yoga-tab2-pro-1380-fastcharger.c +@@ -219,7 +219,7 @@ static int yt2_1380_fc_serdev_probe(struct serdev_device *serdev) + return 0; + } + +-struct serdev_device_driver yt2_1380_fc_serdev_driver = { ++static struct serdev_device_driver yt2_1380_fc_serdev_driver = { + .probe = yt2_1380_fc_serdev_probe, + .driver = { + .name = KBUILD_MODNAME, +-- +2.39.5 + diff --git a/queue-6.12/pm-sleep-adjust-check-before-setting-power.must_resu.patch b/queue-6.12/pm-sleep-adjust-check-before-setting-power.must_resu.patch new file mode 100644 index 0000000000..b7a5616a4d --- /dev/null +++ b/queue-6.12/pm-sleep-adjust-check-before-setting-power.must_resu.patch @@ -0,0 +1,86 @@ +From e1ea1b590d17e4ef88d317d0160d6244f29a950b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 11:53:50 +0100 +Subject: PM: sleep: Adjust check before setting power.must_resume + +From: Rafael J. Wysocki + +[ Upstream commit eeb87d17aceab7803a5a5bcb6cf2817b745157cf ] + +The check before setting power.must_resume in device_suspend_noirq() +does not take power.child_count into account, but it should do that, so +use pm_runtime_need_not_resume() in it for this purpose and adjust the +comment next to it accordingly. + +Fixes: 107d47b2b95e ("PM: sleep: core: Simplify the SMART_SUSPEND flag handling") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Ulf Hansson +Link: https://patch.msgid.link/3353728.44csPzL39Z@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 13 ++++++------- + drivers/base/power/runtime.c | 2 +- + include/linux/pm_runtime.h | 2 ++ + 3 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 4a67e83300e16..d4875c3712ede 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1254,14 +1254,13 @@ static int device_suspend_noirq(struct device *dev, pm_message_t state, bool asy + dev->power.is_noirq_suspended = true; + + /* +- * Skipping the resume of devices that were in use right before the +- * system suspend (as indicated by their PM-runtime usage counters) +- * would be suboptimal. Also resume them if doing that is not allowed +- * to be skipped. ++ * Devices must be resumed unless they are explicitly allowed to be left ++ * in suspend, but even in that case skipping the resume of devices that ++ * were in use right before the system suspend (as indicated by their ++ * runtime PM usage counters and child counters) would be suboptimal. + */ +- if (atomic_read(&dev->power.usage_count) > 1 || +- !(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) && +- dev->power.may_skip_resume)) ++ if (!(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) && ++ dev->power.may_skip_resume) || !pm_runtime_need_not_resume(dev)) + dev->power.must_resume = true; + + if (dev->power.must_resume) +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 2ee45841486bc..04113adb092b5 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1874,7 +1874,7 @@ void pm_runtime_drop_link(struct device_link *link) + pm_request_idle(link->supplier); + } + +-static bool pm_runtime_need_not_resume(struct device *dev) ++bool pm_runtime_need_not_resume(struct device *dev) + { + return atomic_read(&dev->power.usage_count) <= 1 && + (atomic_read(&dev->power.child_count) == 0 || +diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h +index d39dc863f612f..d0b29cd1fd204 100644 +--- a/include/linux/pm_runtime.h ++++ b/include/linux/pm_runtime.h +@@ -66,6 +66,7 @@ static inline bool queue_pm_work(struct work_struct *work) + + extern int pm_generic_runtime_suspend(struct device *dev); + extern int pm_generic_runtime_resume(struct device *dev); ++extern bool pm_runtime_need_not_resume(struct device *dev); + extern int pm_runtime_force_suspend(struct device *dev); + extern int pm_runtime_force_resume(struct device *dev); + +@@ -241,6 +242,7 @@ static inline bool queue_pm_work(struct work_struct *work) { return false; } + + static inline int pm_generic_runtime_suspend(struct device *dev) { return 0; } + static inline int pm_generic_runtime_resume(struct device *dev) { return 0; } ++static inline bool pm_runtime_need_not_resume(struct device *dev) {return true; } + static inline int pm_runtime_force_suspend(struct device *dev) { return 0; } + static inline int pm_runtime_force_resume(struct device *dev) { return 0; } + +-- +2.39.5 + diff --git a/queue-6.12/pm-sleep-fix-handling-devices-with-direct_complete-s.patch b/queue-6.12/pm-sleep-fix-handling-devices-with-direct_complete-s.patch new file mode 100644 index 0000000000..5486d88c4c --- /dev/null +++ b/queue-6.12/pm-sleep-fix-handling-devices-with-direct_complete-s.patch @@ -0,0 +1,91 @@ +From f5b0a787942bea851e79767f0375dc19ebf2c031 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 17:00:00 +0100 +Subject: PM: sleep: Fix handling devices with direct_complete set on errors + +From: Rafael J. Wysocki + +[ Upstream commit 03f1444016b71feffa1dfb8a51f15ba592f94b13 ] + +When dpm_suspend() fails, some devices with power.direct_complete set +may not have been handled by device_suspend() yet, so runtime PM has +not been disabled for them yet even though power.direct_complete is set. + +Since device_resume() expects that runtime PM has been disabled for all +devices with power.direct_complete set, it will attempt to reenable +runtime PM for the devices that have not been processed by device_suspend() +which does not make sense. Had those devices had runtime PM disabled +before device_suspend() had run, device_resume() would have inadvertently +enable runtime PM for them, but this is not expected to happen because +it would require ->prepare() callbacks to return positive values for +devices with runtime PM disabled, which would be invalid. + +In practice, this issue is most likely benign because pm_runtime_enable() +will not allow the "disable depth" counter to underflow, but it causes a +warning message to be printed for each affected device. + +To allow device_resume() to distinguish the "direct complete" devices +that have been processed by device_suspend() from those which have not +been handled by it, make device_suspend() set power.is_suspended for +"direct complete" devices. + +Next, move the power.is_suspended check in device_resume() before the +power.direct_complete check in it to make it skip the "direct complete" +devices that have not been handled by device_suspend(). + +This change is based on a preliminary patch from Saravana Kannan. + +Fixes: aae4518b3124 ("PM / sleep: Mechanism to avoid resuming runtime-suspended devices unnecessarily") +Link: https://lore.kernel.org/linux-pm/20241114220921.2529905-2-saravanak@google.com/ +Reported-by: Saravana Kannan +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Saravana Kannan +Link: https://patch.msgid.link/12627587.O9o76ZdvQC@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index d4875c3712ede..1abe61f11525d 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -913,6 +913,9 @@ static void device_resume(struct device *dev, pm_message_t state, bool async) + if (dev->power.syscore) + goto Complete; + ++ if (!dev->power.is_suspended) ++ goto Complete; ++ + if (dev->power.direct_complete) { + /* Match the pm_runtime_disable() in __device_suspend(). */ + pm_runtime_enable(dev); +@@ -931,9 +934,6 @@ static void device_resume(struct device *dev, pm_message_t state, bool async) + */ + dev->power.is_prepared = false; + +- if (!dev->power.is_suspended) +- goto Unlock; +- + if (dev->pm_domain) { + info = "power domain "; + callback = pm_op(&dev->pm_domain->ops, state); +@@ -973,7 +973,6 @@ static void device_resume(struct device *dev, pm_message_t state, bool async) + error = dpm_run_callback(callback, dev, state, info); + dev->power.is_suspended = false; + +- Unlock: + device_unlock(dev); + dpm_watchdog_clear(&wd); + +@@ -1627,6 +1626,7 @@ static int device_suspend(struct device *dev, pm_message_t state, bool async) + pm_runtime_disable(dev); + if (pm_runtime_status_suspended(dev)) { + pm_dev_dbg(dev, state, "direct-complete "); ++ dev->power.is_suspended = true; + goto Complete; + } + +-- +2.39.5 + diff --git a/queue-6.12/power-supply-bq27xxx_battery-do-not-update-cached-fl.patch b/queue-6.12/power-supply-bq27xxx_battery-do-not-update-cached-fl.patch new file mode 100644 index 0000000000..03d4edc7a2 --- /dev/null +++ b/queue-6.12/power-supply-bq27xxx_battery-do-not-update-cached-fl.patch @@ -0,0 +1,40 @@ +From 16c33e6be90d311c5760b8b12712a1d759e6b13a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2024 17:29:30 +0200 +Subject: power: supply: bq27xxx_battery: do not update cached flags + prematurely + +From: Sicelo A. Mhlongo + +[ Upstream commit 45291874a762dbb12a619dc2efaf84598859007a ] + +Commit 243f8ffc883a1 ("power: supply: bq27xxx_battery: Notify also about +status changes") intended to notify userspace when the status changes, +based on the flags register. However, the cached state is updated too +early, before the flags are tested for any changes. Remove the premature +update. + +Fixes: 243f8ffc883a1 ("power: supply: bq27xxx_battery: Notify also about status changes") +Signed-off-by: Sicelo A. Mhlongo +Link: https://lore.kernel.org/r/20241125152945.47937-1-absicsz@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index 51fb88aca0f9f..1a20c775489c7 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1913,7 +1913,6 @@ static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di) + cache.flags = -1; /* read error */ + if (cache.flags >= 0) { + cache.capacity = bq27xxx_battery_read_soc(di); +- di->cache.flags = cache.flags; + + /* + * On gauges with signed current reporting the current must be +-- +2.39.5 + diff --git a/queue-6.12/power-supply-max77693-fix-wrong-conversion-of-charge.patch b/queue-6.12/power-supply-max77693-fix-wrong-conversion-of-charge.patch new file mode 100644 index 0000000000..d1b070a026 --- /dev/null +++ b/queue-6.12/power-supply-max77693-fix-wrong-conversion-of-charge.patch @@ -0,0 +1,46 @@ +From 6ee63f395fb14a99cf3a5f7b3846a2bac3d532f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Mar 2025 21:11:49 +0100 +Subject: power: supply: max77693: Fix wrong conversion of charge input + threshold value + +From: Artur Weber + +[ Upstream commit 30cc7b0d0e9341d419eb7da15fb5c22406dbe499 ] + +The charge input threshold voltage register on the MAX77693 PMIC accepts +four values: 0x0 for 4.3v, 0x1 for 4.7v, 0x2 for 4.8v and 0x3 for 4.9v. +Due to an oversight, the driver calculated the values for 4.7v and above +starting from 0x0, rather than from 0x1 ([(4700000 - 4700000) / 100000] +gives 0). + +Add 1 to the calculation to ensure that 4.7v is converted to a register +value of 0x1 and that the other two voltages are converted correctly as +well. + +Fixes: 87c2d9067893 ("power: max77693: Add charger driver for Maxim 77693") +Signed-off-by: Artur Weber +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250316-max77693-charger-input-threshold-fix-v1-1-2b037d0ac722@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max77693_charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/max77693_charger.c b/drivers/power/supply/max77693_charger.c +index 4caac142c4285..b32d881111850 100644 +--- a/drivers/power/supply/max77693_charger.c ++++ b/drivers/power/supply/max77693_charger.c +@@ -608,7 +608,7 @@ static int max77693_set_charge_input_threshold_volt(struct max77693_charger *chg + case 4700000: + case 4800000: + case 4900000: +- data = (uvolt - 4700000) / 100000; ++ data = ((uvolt - 4700000) / 100000) + 1; + break; + default: + dev_err(chg->dev, "Wrong value for charge input voltage regulation threshold\n"); +-- +2.39.5 + diff --git a/queue-6.12/powerpc-kexec-fix-physical-address-calculation-in-cl.patch b/queue-6.12/powerpc-kexec-fix-physical-address-calculation-in-cl.patch new file mode 100644 index 0000000000..cfb25b7581 --- /dev/null +++ b/queue-6.12/powerpc-kexec-fix-physical-address-calculation-in-cl.patch @@ -0,0 +1,57 @@ +From edea255a763919d43dfd97bb7b66dd1ac08373ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 11:24:28 +0100 +Subject: powerpc/kexec: fix physical address calculation in clear_utlb_entry() + +From: Christophe Leroy + +[ Upstream commit 861efb8a48ee8b73ae4e8817509cd4e82fd52bc4 ] + +In relocate_32.S, function clear_utlb_entry() goes into real mode. To +do so, it has to calculate the physical address based on the virtual +address. To get the virtual address it uses 'bl' which is problematic +(see commit c974809a26a1 ("powerpc/vdso: Avoid link stack corruption +in __get_datapage()")). In addition, the calculation is done on a +wrong address because 'bl' loads LR with the address of the following +instruction, not the address of the target. So when the target is not +the instruction following the 'bl' instruction, it may lead to +unexpected behaviour. + +Fix it by re-writing the code so that is goes via another path which +is based 'bcl 20,31,.+4' which is the right instruction to use for that. + +Fixes: 683430200315 ("powerpc/47x: Kernel support for KEXEC") +Signed-off-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/dc4f9616fba9c05c5dbf9b4b5480eb1c362adc17.1741256651.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/kexec/relocate_32.S | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/kexec/relocate_32.S b/arch/powerpc/kexec/relocate_32.S +index 104c9911f4061..dd86e338307d3 100644 +--- a/arch/powerpc/kexec/relocate_32.S ++++ b/arch/powerpc/kexec/relocate_32.S +@@ -348,16 +348,13 @@ write_utlb: + rlwinm r10, r24, 0, 22, 27 + + cmpwi r10, PPC47x_TLB0_4K +- bne 0f + li r10, 0x1000 /* r10 = 4k */ +- ANNOTATE_INTRA_FUNCTION_CALL +- bl 1f ++ beq 0f + +-0: + /* Defaults to 256M */ + lis r10, 0x1000 + +- bcl 20,31,$+4 ++0: bcl 20,31,$+4 + 1: mflr r4 + addi r4, r4, (2f-1b) /* virtual address of 2f */ + +-- +2.39.5 + diff --git a/queue-6.12/rcu-tasks-always-inline-rcu_irq_work_resched.patch b/queue-6.12/rcu-tasks-always-inline-rcu_irq_work_resched.patch new file mode 100644 index 0000000000..6e724ace5c --- /dev/null +++ b/queue-6.12/rcu-tasks-always-inline-rcu_irq_work_resched.patch @@ -0,0 +1,43 @@ +From 3190173e8e9e82adf210d8b2a156cd467d1c15b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 21:26:46 -0700 +Subject: rcu-tasks: Always inline rcu_irq_work_resched() + +From: Josh Poimboeuf + +[ Upstream commit 6309a5c43b0dc629851f25b2e5ef8beff61d08e5 ] + +Thanks to CONFIG_DEBUG_SECTION_MISMATCH, empty functions can be +generated out of line. rcu_irq_work_resched() can be called from +noinstr code, so make sure it's always inlined. + +Fixes: 564506495ca9 ("rcu/context-tracking: Move deferred nocb resched to context tracking") +Reported-by: Randy Dunlap +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Frederic Weisbecker +Cc: Paul E. McKenney +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/e84f15f013c07e4c410d972e75620c53b62c1b3e.1743481539.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/d1eca076-fdde-484a-b33e-70e0d167c36d@infradead.org +Signed-off-by: Sasha Levin +--- + include/linux/rcupdate.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index 48e5c03df1dd8..bd69ddc102fbc 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -138,7 +138,7 @@ static inline void rcu_sysrq_end(void) { } + #if defined(CONFIG_NO_HZ_FULL) && (!defined(CONFIG_GENERIC_ENTRY) || !defined(CONFIG_KVM_XFER_TO_GUEST_WORK)) + void rcu_irq_work_resched(void); + #else +-static inline void rcu_irq_work_resched(void) { } ++static __always_inline void rcu_irq_work_resched(void) { } + #endif + + #ifdef CONFIG_RCU_NOCB_CPU +-- +2.39.5 + diff --git a/queue-6.12/rdma-core-don-t-expose-hw_counters-outside-of-init-n.patch b/queue-6.12/rdma-core-don-t-expose-hw_counters-outside-of-init-n.patch new file mode 100644 index 0000000000..12389b4aff --- /dev/null +++ b/queue-6.12/rdma-core-don-t-expose-hw_counters-outside-of-init-n.patch @@ -0,0 +1,150 @@ +From 8e00091ffdaf489181be68a593ad8f184a668b51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 16:54:20 +0000 +Subject: RDMA/core: Don't expose hw_counters outside of init net namespace + +From: Roman Gushchin + +[ Upstream commit a1ecb30f90856b0be4168ad51b8875148e285c1f ] + +Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs +attributes") accidentally almost exposed hw counters to non-init net +namespaces. It didn't expose them fully, as an attempt to read any of +those counters leads to a crash like this one: + +[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028 +[42021.814463] #PF: supervisor read access in kernel mode +[42021.819549] #PF: error_code(0x0000) - not-present page +[42021.824636] PGD 0 P4D 0 +[42021.827145] Oops: 0000 [#1] SMP PTI +[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX +[42021.841697] Hardware name: XXX +[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core] +[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48 +[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287 +[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000 +[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0 +[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000 +[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530 +[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000 +[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000 +[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0 +[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[42021.949324] Call Trace: +[42021.951756] +[42021.953842] [] ? show_regs+0x64/0x70 +[42021.959030] [] ? __die+0x78/0xc0 +[42021.963874] [] ? page_fault_oops+0x2b5/0x3b0 +[42021.969749] [] ? exc_page_fault+0x1a2/0x3c0 +[42021.975549] [] ? asm_exc_page_fault+0x26/0x30 +[42021.981517] [] ? __pfx_show_hw_stats+0x10/0x10 [ib_core] +[42021.988482] [] ? hw_stat_device_show+0x1e/0x40 [ib_core] +[42021.995438] [] dev_attr_show+0x1e/0x50 +[42022.000803] [] sysfs_kf_seq_show+0x81/0xe0 +[42022.006508] [] seq_read_iter+0xf4/0x410 +[42022.011954] [] vfs_read+0x16e/0x2f0 +[42022.017058] [] ksys_read+0x6e/0xe0 +[42022.022073] [] do_syscall_64+0x6a/0xa0 +[42022.027441] [] entry_SYSCALL_64_after_hwframe+0x78/0xe2 + +The problem can be reproduced using the following steps: + ip netns add foo + ip netns exec foo bash + cat /sys/class/infiniband/mlx4_0/hw_counters/* + +The panic occurs because of casting the device pointer into an +ib_device pointer using container_of() in hw_stat_device_show() is +wrong and leads to a memory corruption. + +However the real problem is that hw counters should never been exposed +outside of the non-init net namespace. + +Fix this by saving the index of the corresponding attribute group +(it might be 1 or 2 depending on the presence of driver-specific +attributes) and zeroing the pointer to hw_counters group for compat +devices during the initialization. + +With this fix applied hw_counters are not available in a non-init +net namespace: + find /sys/class/infiniband/mlx4_0/ -name hw_counters + /sys/class/infiniband/mlx4_0/ports/1/hw_counters + /sys/class/infiniband/mlx4_0/ports/2/hw_counters + /sys/class/infiniband/mlx4_0/hw_counters + + ip netns add foo + ip netns exec foo bash + find /sys/class/infiniband/mlx4_0/ -name hw_counters + +Fixes: 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") +Signed-off-by: Roman Gushchin +Cc: Jason Gunthorpe +Cc: Leon Romanovsky +Cc: Maher Sanalla +Cc: linux-rdma@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Link: https://patch.msgid.link/20250227165420.3430301-1-roman.gushchin@linux.dev +Reviewed-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 9 +++++++++ + drivers/infiniband/core/sysfs.c | 1 + + include/rdma/ib_verbs.h | 1 + + 3 files changed, 11 insertions(+) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index e029401b56805..9de3236873429 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -544,6 +544,8 @@ static struct class ib_class = { + static void rdma_init_coredev(struct ib_core_device *coredev, + struct ib_device *dev, struct net *net) + { ++ bool is_full_dev = &dev->coredev == coredev; ++ + /* This BUILD_BUG_ON is intended to catch layout change + * of union of ib_core_device and device. + * dev must be the first element as ib_core and providers +@@ -555,6 +557,13 @@ static void rdma_init_coredev(struct ib_core_device *coredev, + + coredev->dev.class = &ib_class; + coredev->dev.groups = dev->groups; ++ ++ /* ++ * Don't expose hw counters outside of the init namespace. ++ */ ++ if (!is_full_dev && dev->hw_stats_attr_index) ++ coredev->dev.groups[dev->hw_stats_attr_index] = NULL; ++ + device_initialize(&coredev->dev); + coredev->owner = dev; + INIT_LIST_HEAD(&coredev->port_list); +diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c +index 9f97bef021497..210092b9bf17d 100644 +--- a/drivers/infiniband/core/sysfs.c ++++ b/drivers/infiniband/core/sysfs.c +@@ -988,6 +988,7 @@ int ib_setup_device_attrs(struct ib_device *ibdev) + for (i = 0; i != ARRAY_SIZE(ibdev->groups); i++) + if (!ibdev->groups[i]) { + ibdev->groups[i] = &data->group; ++ ibdev->hw_stats_attr_index = i; + return 0; + } + WARN(true, "struct ib_device->groups is too small"); +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index 67551133b5228..c2b5de75daf25 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -2737,6 +2737,7 @@ struct ib_device { + * It is a NULL terminated array. + */ + const struct attribute_group *groups[4]; ++ u8 hw_stats_attr_index; + + u64 uverbs_cmd_mask; + +-- +2.39.5 + diff --git a/queue-6.12/rdma-core-fix-use-after-free-when-rename-device-name.patch b/queue-6.12/rdma-core-fix-use-after-free-when-rename-device-name.patch new file mode 100644 index 0000000000..147003e810 --- /dev/null +++ b/queue-6.12/rdma-core-fix-use-after-free-when-rename-device-name.patch @@ -0,0 +1,171 @@ +From 63a43790cbd60b79d355320f98d7554578ea0446 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 17:24:21 +0800 +Subject: RDMA/core: Fix use-after-free when rename device name + +From: Wang Liang + +[ Upstream commit 1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd ] + +Syzbot reported a slab-use-after-free with the following call trace: + +================================================================== +BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099 +Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025 + +CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 +Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0 +Hardware name: Google Compute Engine, BIOS Google 02/12/2025 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:408 [inline] + print_report+0x16e/0x5b0 mm/kasan/report.c:521 + kasan_report+0x143/0x180 mm/kasan/report.c:634 + kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 + __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 + nla_put+0xd3/0x150 lib/nlattr.c:1099 + nla_put_string include/net/netlink.h:1621 [inline] + fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265 + rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857 + ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344 + ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460 + rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540 + rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550 + rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 + nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 + rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] + rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 + netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339 + netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883 + sock_sendmsg_nosec net/socket.c:709 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:724 + ____sys_sendmsg+0x53a/0x860 net/socket.c:2564 + ___sys_sendmsg net/socket.c:2618 [inline] + __sys_sendmsg+0x269/0x350 net/socket.c:2650 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f42d1b8d169 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ... +RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169 +RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c +RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8 + + +Allocated by task 10025: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4294 [inline] + __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313 + __kmemdup_nul mm/util.c:61 [inline] + kstrdup+0x42/0x100 mm/util.c:81 + kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274 + dev_set_name+0xd5/0x120 drivers/base/core.c:3468 + assign_name drivers/infiniband/core/device.c:1202 [inline] + ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384 + rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540 + rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550 + rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 + nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 + rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] + rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 + netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339 + netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883 + sock_sendmsg_nosec net/socket.c:709 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:724 + ____sys_sendmsg+0x53a/0x860 net/socket.c:2564 + ___sys_sendmsg net/socket.c:2618 [inline] + __sys_sendmsg+0x269/0x350 net/socket.c:2650 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 10035: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2353 [inline] + slab_free mm/slub.c:4609 [inline] + kfree+0x196/0x430 mm/slub.c:4757 + kobject_rename+0x38f/0x410 lib/kobject.c:524 + device_rename+0x16a/0x200 drivers/base/core.c:4525 + ib_device_rename+0x270/0x710 drivers/infiniband/core/device.c:402 + nldev_set_doit+0x30e/0x4c0 drivers/infiniband/core/nldev.c:1146 + rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] + rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 + netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339 + netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883 + sock_sendmsg_nosec net/socket.c:709 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:724 + ____sys_sendmsg+0x53a/0x860 net/socket.c:2564 + ___sys_sendmsg net/socket.c:2618 [inline] + __sys_sendmsg+0x269/0x350 net/socket.c:2650 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +This is because if rename device happens, the old name is freed in +ib_device_rename() with lock, but ib_device_notify_register() may visit +the dev name locklessly by event RDMA_REGISTER_EVENT or +RDMA_NETDEV_ATTACH_EVENT. + +Fix this by hold devices_rwsem in ib_device_notify_register(). + +Reported-by: syzbot+f60349ba1f9f08df349f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=25bc6f0ed2b88b9eb9b8 +Fixes: 9cbed5aab5ae ("RDMA/nldev: Add support for RDMA monitoring") +Signed-off-by: Wang Liang +Link: https://patch.msgid.link/20250313092421.944658-1-wangliang74@huawei.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 9de3236873429..46102f179955b 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -1366,9 +1366,11 @@ static void ib_device_notify_register(struct ib_device *device) + u32 port; + int ret; + ++ down_read(&devices_rwsem); ++ + ret = rdma_nl_notify_event(device, 0, RDMA_REGISTER_EVENT); + if (ret) +- return; ++ goto out; + + rdma_for_each_port(device, port) { + netdev = ib_device_get_netdev(device, port); +@@ -1379,8 +1381,11 @@ static void ib_device_notify_register(struct ib_device *device) + RDMA_NETDEV_ATTACH_EVENT); + dev_put(netdev); + if (ret) +- return; ++ goto out; + } ++ ++out: ++ up_read(&devices_rwsem); + } + + /** +-- +2.39.5 + diff --git a/queue-6.12/rdma-erdma-prevent-use-after-free-in-erdma_accept_ne.patch b/queue-6.12/rdma-erdma-prevent-use-after-free-in-erdma_accept_ne.patch new file mode 100644 index 0000000000..d94df5470b --- /dev/null +++ b/queue-6.12/rdma-erdma-prevent-use-after-free-in-erdma_accept_ne.patch @@ -0,0 +1,36 @@ +From 873835774c208b3513507f9249b4e7ad5ed91876 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 20:04:40 +0800 +Subject: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() + +From: Cheng Xu + +[ Upstream commit 83437689249e6a17b25e27712fbee292e42e7855 ] + +After the erdma_cep_put(new_cep) being called, new_cep will be freed, +and the following dereference will cause a UAF problem. Fix this issue. + +Fixes: 920d93eac8b9 ("RDMA/erdma: Add connection management (CM) support") +Signed-off-by: Markus Elfring +Signed-off-by: Cheng Xu +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/erdma/erdma_cm.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/infiniband/hw/erdma/erdma_cm.c b/drivers/infiniband/hw/erdma/erdma_cm.c +index 771059a8eb7d7..e349e8d2fb50a 100644 +--- a/drivers/infiniband/hw/erdma/erdma_cm.c ++++ b/drivers/infiniband/hw/erdma/erdma_cm.c +@@ -705,7 +705,6 @@ static void erdma_accept_newconn(struct erdma_cep *cep) + erdma_cancel_mpatimer(new_cep); + + erdma_cep_put(new_cep); +- new_cep->sock = NULL; + } + + if (new_s) { +-- +2.39.5 + diff --git a/queue-6.12/rdma-mana_ib-ensure-variable-err-is-initialized.patch b/queue-6.12/rdma-mana_ib-ensure-variable-err-is-initialized.patch new file mode 100644 index 0000000000..079a1ddb24 --- /dev/null +++ b/queue-6.12/rdma-mana_ib-ensure-variable-err-is-initialized.patch @@ -0,0 +1,38 @@ +From 18ceaae6b742a272c522de39410e766045057351 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2025 20:39:03 +0100 +Subject: RDMA/mana_ib: Ensure variable err is initialized + +From: Kees Bakker + +[ Upstream commit be35a3127d60964b338da95c7bfaaf4a01b330d4 ] + +In the function mana_ib_gd_create_dma_region if there are no dma blocks +to process the variable `err` remains uninitialized. + +Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter") +Signed-off-by: Kees Bakker +Link: https://patch.msgid.link/20250221195833.7516C16290A@bout3.ijzerbout.nl +Reviewed-by: Long Li +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mana/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mana/main.c b/drivers/infiniband/hw/mana/main.c +index 457cea6d99095..f6bf289041bfe 100644 +--- a/drivers/infiniband/hw/mana/main.c ++++ b/drivers/infiniband/hw/mana/main.c +@@ -358,7 +358,7 @@ static int mana_ib_gd_create_dma_region(struct mana_ib_dev *dev, struct ib_umem + unsigned int tail = 0; + u64 *page_addr_list; + void *request_buf; +- int err; ++ int err = 0; + + gc = mdev_to_gc(dev); + hwc = gc->hwc.driver_data; +-- +2.39.5 + diff --git a/queue-6.12/rdma-mlx5-fix-calculation-of-total-invalidated-pages.patch b/queue-6.12/rdma-mlx5-fix-calculation-of-total-invalidated-pages.patch new file mode 100644 index 0000000000..550ceea0fb --- /dev/null +++ b/queue-6.12/rdma-mlx5-fix-calculation-of-total-invalidated-pages.patch @@ -0,0 +1,65 @@ +From e4126e05a150a891e6e3bfd86ba1c16355c79f2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:29:54 +0200 +Subject: RDMA/mlx5: Fix calculation of total invalidated pages + +From: Chiara Meiohas + +[ Upstream commit 79195147644653ebffadece31a42181e4c48c07d ] + +When invalidating an address range in mlx5, there is an optimization to +do UMR operations in chunks. +Previously, the invalidation counter was incorrectly updated for the +same indexes within a chunk. Now, the invalidation counter is updated +only when a chunk is complete and mlx5r_umr_update_xlt() is called. +This ensures that the counter accurately represents the number of pages +invalidated using UMR. + +Fixes: a3de94e3d61e ("IB/mlx5: Introduce ODP diagnostic counters") +Signed-off-by: Chiara Meiohas +Reviewed-by: Michael Guralnik +Link: https://patch.msgid.link/560deb2433318e5947282b070c915f3c81fef77f.1741875692.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/odp.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c +index b4e2a6f9cb9c3..e158d5b1ab17b 100644 +--- a/drivers/infiniband/hw/mlx5/odp.c ++++ b/drivers/infiniband/hw/mlx5/odp.c +@@ -309,9 +309,6 @@ static bool mlx5_ib_invalidate_range(struct mmu_interval_notifier *mni, + blk_start_idx = idx; + in_block = 1; + } +- +- /* Count page invalidations */ +- invalidations += idx - blk_start_idx + 1; + } else { + u64 umr_offset = idx & umr_block_mask; + +@@ -321,14 +318,19 @@ static bool mlx5_ib_invalidate_range(struct mmu_interval_notifier *mni, + MLX5_IB_UPD_XLT_ZAP | + MLX5_IB_UPD_XLT_ATOMIC); + in_block = 0; ++ /* Count page invalidations */ ++ invalidations += idx - blk_start_idx + 1; + } + } + } +- if (in_block) ++ if (in_block) { + mlx5r_umr_update_xlt(mr, blk_start_idx, + idx - blk_start_idx + 1, 0, + MLX5_IB_UPD_XLT_ZAP | + MLX5_IB_UPD_XLT_ATOMIC); ++ /* Count page invalidations */ ++ invalidations += idx - blk_start_idx + 1; ++ } + + mlx5_update_odp_stats(mr, invalidations, invalidations); + +-- +2.39.5 + diff --git a/queue-6.12/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch b/queue-6.12/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch new file mode 100644 index 0000000000..c352118d43 --- /dev/null +++ b/queue-6.12/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch @@ -0,0 +1,91 @@ +From f22ae135ed9f7cf9959a9e8339256dfb22acf29b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:29:53 +0200 +Subject: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow + +From: Patrisious Haddad + +[ Upstream commit 5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd ] + +When cur_qp isn't NULL, in order to avoid fetching the QP from +the radix tree again we check if the next cqe QP is identical to +the one we already have. + +The bug however is that we are checking if the QP is identical by +checking the QP number inside the CQE against the QP number inside the +mlx5_ib_qp, but that's wrong since the QP number from the CQE is from +FW so it should be matched against mlx5_core_qp which is our FW QP +number. + +Otherwise we could use the wrong QP when handling a CQE which could +cause the kernel trace below. + +This issue is mainly noticeable over QPs 0 & 1, since for now they are +the only QPs in our driver whereas the QP number inside mlx5_ib_qp +doesn't match the QP number inside mlx5_core_qp. + +BUG: kernel NULL pointer dereference, address: 0000000000000012 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP + CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] + RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] + Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21 + RSP: 0018:ffff88810511bd60 EFLAGS: 00010046 + RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a + RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10 + R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000 + R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0 + FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0 + Call Trace: + + ? __die+0x20/0x60 + ? page_fault_oops+0x150/0x3e0 + ? exc_page_fault+0x74/0x130 + ? asm_exc_page_fault+0x22/0x30 + ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] + __ib_process_cq+0x5a/0x150 [ib_core] + ib_cq_poll_work+0x31/0x90 [ib_core] + process_one_work+0x169/0x320 + worker_thread+0x288/0x3a0 + ? work_busy+0xb0/0xb0 + kthread+0xd7/0x1f0 + ? kthreads_online_cpu+0x130/0x130 + ? kthreads_online_cpu+0x130/0x130 + ret_from_fork+0x2d/0x50 + ? kthreads_online_cpu+0x130/0x130 + ret_from_fork_asm+0x11/0x20 + + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Patrisious Haddad +Reviewed-by: Edward Srouji +Link: https://patch.msgid.link/4ada09d41f1e36db62c44a9b25c209ea5f054316.1741875692.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/cq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index 4c54dc5780690..1aa5311b03e9f 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -490,7 +490,7 @@ static int mlx5_poll_one(struct mlx5_ib_cq *cq, + } + + qpn = ntohl(cqe64->sop_drop_qpn) & 0xffffff; +- if (!*cur_qp || (qpn != (*cur_qp)->ibqp.qp_num)) { ++ if (!*cur_qp || (qpn != (*cur_qp)->trans_qp.base.mqp.qpn)) { + /* We do not have to take the QP table lock here, + * because CQs will be locked while QPs are removed + * from the table. +-- +2.39.5 + diff --git a/queue-6.12/rdma-mlx5-fix-mr-cache-initialization-error-flow.patch b/queue-6.12/rdma-mlx5-fix-mr-cache-initialization-error-flow.patch new file mode 100644 index 0000000000..1d06b0363f --- /dev/null +++ b/queue-6.12/rdma-mlx5-fix-mr-cache-initialization-error-flow.patch @@ -0,0 +1,83 @@ +From 90c658b0c6fbe64b97783762df302d25a0cf7b86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:29:48 +0200 +Subject: RDMA/mlx5: Fix MR cache initialization error flow + +From: Michael Guralnik + +[ Upstream commit a0130ef84b00c68ba0b79ee974a0f01459741421 ] + +Destroy all previously created cache entries and work queue when rolling +back the MR cache initialization upon an error. + +Fixes: 73d09b2fe833 ("RDMA/mlx5: Introduce mlx5r_cache_rb_key") +Signed-off-by: Michael Guralnik +Reviewed-by: Yishai Hadas +Link: https://patch.msgid.link/c41d525fb3c72e28dd38511bf3aaccb5d584063e.1741875692.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mr.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index eeb94d1ae60d9..068eac3bdb50b 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -919,6 +919,25 @@ mlx5r_cache_create_ent_locked(struct mlx5_ib_dev *dev, + return ERR_PTR(ret); + } + ++static void mlx5r_destroy_cache_entries(struct mlx5_ib_dev *dev) ++{ ++ struct rb_root *root = &dev->cache.rb_root; ++ struct mlx5_cache_ent *ent; ++ struct rb_node *node; ++ ++ mutex_lock(&dev->cache.rb_lock); ++ node = rb_first(root); ++ while (node) { ++ ent = rb_entry(node, struct mlx5_cache_ent, node); ++ node = rb_next(node); ++ clean_keys(dev, ent); ++ rb_erase(&ent->node, root); ++ mlx5r_mkeys_uninit(ent); ++ kfree(ent); ++ } ++ mutex_unlock(&dev->cache.rb_lock); ++} ++ + int mlx5_mkey_cache_init(struct mlx5_ib_dev *dev) + { + struct mlx5_mkey_cache *cache = &dev->cache; +@@ -970,6 +989,8 @@ int mlx5_mkey_cache_init(struct mlx5_ib_dev *dev) + err: + mutex_unlock(&cache->rb_lock); + mlx5_mkey_cache_debugfs_cleanup(dev); ++ mlx5r_destroy_cache_entries(dev); ++ destroy_workqueue(cache->wq); + mlx5_ib_warn(dev, "failed to create mkey cache entry\n"); + return ret; + } +@@ -1003,17 +1024,7 @@ void mlx5_mkey_cache_cleanup(struct mlx5_ib_dev *dev) + mlx5_cmd_cleanup_async_ctx(&dev->async_ctx); + + /* At this point all entries are disabled and have no concurrent work. */ +- mutex_lock(&dev->cache.rb_lock); +- node = rb_first(root); +- while (node) { +- ent = rb_entry(node, struct mlx5_cache_ent, node); +- node = rb_next(node); +- clean_keys(dev, ent); +- rb_erase(&ent->node, root); +- mlx5r_mkeys_uninit(ent); +- kfree(ent); +- } +- mutex_unlock(&dev->cache.rb_lock); ++ mlx5r_destroy_cache_entries(dev); + + destroy_workqueue(dev->cache.wq); + del_timer_sync(&dev->delay_timer); +-- +2.39.5 + diff --git a/queue-6.12/rdma-mlx5-fix-page_size-variable-overflow.patch b/queue-6.12/rdma-mlx5-fix-page_size-variable-overflow.patch new file mode 100644 index 0000000000..db83bdbdef --- /dev/null +++ b/queue-6.12/rdma-mlx5-fix-page_size-variable-overflow.patch @@ -0,0 +1,121 @@ +From eb2b25c1583df76204c2d8e360bef4869a84da45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:29:51 +0200 +Subject: RDMA/mlx5: Fix page_size variable overflow + +From: Michael Guralnik + +[ Upstream commit f0c2427412b43cdf1b7b0944749ea17ddb97d5a5 ] + +Change all variables storing mlx5_umem_mkc_find_best_pgsz() result to +unsigned long to support values larger than 31 and avoid overflow. + +For example: If we try to register 4GB of memory that is contiguous in +physical memory, the driver will optimize the page_size and try to use +an mkey with 4GB entity size. The 'unsigned int' page_size variable will +overflow to '0' and we'll hit the WARN_ON() in alloc_cacheable_mr(). + +WARNING: CPU: 2 PID: 1203 at drivers/infiniband/hw/mlx5/mr.c:1124 alloc_cacheable_mr+0x22/0x580 [mlx5_ib] +Modules linked in: mlx5_ib mlx5_core bonding ip6_gre ip6_tunnel tunnel6 ip_gre gre rdma_rxe rdma_ucm ib_uverbs ib_ipoib ib_umad rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm fuse ib_core [last unloaded: mlx5_core] +CPU: 2 UID: 70878 PID: 1203 Comm: rdma_resource_l Tainted: G W 6.14.0-rc4-dirty #43 +Tainted: [W]=WARN +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +RIP: 0010:alloc_cacheable_mr+0x22/0x580 [mlx5_ib] +Code: 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 41 52 53 48 83 ec 30 f6 46 28 04 4c 8b 77 08 75 21 <0f> 0b 49 c7 c2 ea ff ff ff 48 8d 65 d0 4c 89 d0 5b 41 5a 41 5c 41 +RSP: 0018:ffffc900006ffac8 EFLAGS: 00010246 +RAX: 0000000004c0d0d0 RBX: ffff888217a22000 RCX: 0000000000100001 +RDX: 00007fb7ac480000 RSI: ffff8882037b1240 RDI: ffff8882046f0600 +RBP: ffffc900006ffb28 R08: 0000000000000001 R09: 0000000000000000 +R10: 00000000000007e0 R11: ffffea0008011d40 R12: ffff8882037b1240 +R13: ffff8882046f0600 R14: ffff888217a22000 R15: ffffc900006ffe00 +FS: 00007fb7ed013340(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fb7ed1d8000 CR3: 00000001fd8f6006 CR4: 0000000000772eb0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + ? __warn+0x81/0x130 + ? alloc_cacheable_mr+0x22/0x580 [mlx5_ib] + ? report_bug+0xfc/0x1e0 + ? handle_bug+0x55/0x90 + ? exc_invalid_op+0x17/0x70 + ? asm_exc_invalid_op+0x1a/0x20 + ? alloc_cacheable_mr+0x22/0x580 [mlx5_ib] + create_real_mr+0x54/0x150 [mlx5_ib] + ib_uverbs_reg_mr+0x17f/0x2a0 [ib_uverbs] + ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xca/0x140 [ib_uverbs] + ib_uverbs_run_method+0x6d0/0x780 [ib_uverbs] + ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] + ib_uverbs_cmd_verbs+0x19b/0x360 [ib_uverbs] + ? walk_system_ram_range+0x79/0xd0 + ? ___pte_offset_map+0x1b/0x110 + ? __pte_offset_map_lock+0x80/0x100 + ib_uverbs_ioctl+0xac/0x110 [ib_uverbs] + __x64_sys_ioctl+0x94/0xb0 + do_syscall_64+0x50/0x110 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0033:0x7fb7ecf0737b +Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7d 2a 0f 00 f7 d8 64 89 01 48 +RSP: 002b:00007ffdbe03ecc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007ffdbe03edb8 RCX: 00007fb7ecf0737b +RDX: 00007ffdbe03eda0 RSI: 00000000c0181b01 RDI: 0000000000000003 +RBP: 00007ffdbe03ed80 R08: 00007fb7ecc84010 R09: 00007ffdbe03eed4 +R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffdbe03eed4 +R13: 000000000000000c R14: 000000000000000c R15: 00007fb7ecc84150 + + +Fixes: cef7dde8836a ("net/mlx5: Expand mkey page size to support 6 bits") +Signed-off-by: Michael Guralnik +Reviewed-by: Yishai Hadas +Link: https://patch.msgid.link/2479a4a3f6fd9bd032e1b6d396274a89c4c5e22f.1741875692.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c +index 753faa9ad06a8..eeb94d1ae60d9 100644 +--- a/drivers/infiniband/hw/mlx5/mr.c ++++ b/drivers/infiniband/hw/mlx5/mr.c +@@ -56,7 +56,7 @@ static void + create_mkey_callback(int status, struct mlx5_async_work *context); + static struct mlx5_ib_mr *reg_create(struct ib_pd *pd, struct ib_umem *umem, + u64 iova, int access_flags, +- unsigned int page_size, bool populate, ++ unsigned long page_size, bool populate, + int access_mode); + static int __mlx5_ib_dereg_mr(struct ib_mr *ibmr); + +@@ -1115,7 +1115,7 @@ static struct mlx5_ib_mr *alloc_cacheable_mr(struct ib_pd *pd, + struct mlx5r_cache_rb_key rb_key = {}; + struct mlx5_cache_ent *ent; + struct mlx5_ib_mr *mr; +- unsigned int page_size; ++ unsigned long page_size; + + if (umem->is_dmabuf) + page_size = mlx5_umem_dmabuf_default_pgsz(umem, iova); +@@ -1219,7 +1219,7 @@ reg_create_crossing_vhca_mr(struct ib_pd *pd, u64 iova, u64 length, int access_f + */ + static struct mlx5_ib_mr *reg_create(struct ib_pd *pd, struct ib_umem *umem, + u64 iova, int access_flags, +- unsigned int page_size, bool populate, ++ unsigned long page_size, bool populate, + int access_mode) + { + struct mlx5_ib_dev *dev = to_mdev(pd->device); +@@ -1425,7 +1425,7 @@ static struct ib_mr *create_real_mr(struct ib_pd *pd, struct ib_umem *umem, + mr = alloc_cacheable_mr(pd, umem, iova, access_flags, + MLX5_MKC_ACCESS_MODE_MTT); + } else { +- unsigned int page_size = ++ unsigned long page_size = + mlx5_umem_mkc_find_best_pgsz(dev, umem, iova); + + mutex_lock(&dev->slow_path_mutex); +-- +2.39.5 + diff --git a/queue-6.12/regulator-pca9450-fix-enable-register-for-ldo5.patch b/queue-6.12/regulator-pca9450-fix-enable-register-for-ldo5.patch new file mode 100644 index 0000000000..46f6feafd6 --- /dev/null +++ b/queue-6.12/regulator-pca9450-fix-enable-register-for-ldo5.patch @@ -0,0 +1,56 @@ +From 43adbdba29c1f28b8b1523866a7966cd481958c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 16:27:28 +0100 +Subject: regulator: pca9450: Fix enable register for LDO5 + +From: Frieder Schrempf + +[ Upstream commit f5aab0438ef17f01c5ecd25e61ae6a03f82a4586 ] + +The LDO5 regulator has two configuration registers, but only +LDO5CTRL_L contains the bits for enabling/disabling the regulator. + +Fixes: 0935ff5f1f0a ("regulator: pca9450: add pca9450 pmic driver") +Signed-off-by: Frieder Schrempf +Reviewed-by: Marek Vasut +Link: https://patch.msgid.link/20241218152842.97483-6-frieder@fris.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 9714afe347dcc..1ffa145319f23 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -454,7 +454,7 @@ static const struct pca9450_regulator_desc pca9450a_regulators[] = { + .n_linear_ranges = ARRAY_SIZE(pca9450_ldo5_volts), + .vsel_reg = PCA9450_REG_LDO5CTRL_H, + .vsel_mask = LDO5HOUT_MASK, +- .enable_reg = PCA9450_REG_LDO5CTRL_H, ++ .enable_reg = PCA9450_REG_LDO5CTRL_L, + .enable_mask = LDO5H_EN_MASK, + .owner = THIS_MODULE, + }, +@@ -663,7 +663,7 @@ static const struct pca9450_regulator_desc pca9450bc_regulators[] = { + .n_linear_ranges = ARRAY_SIZE(pca9450_ldo5_volts), + .vsel_reg = PCA9450_REG_LDO5CTRL_H, + .vsel_mask = LDO5HOUT_MASK, +- .enable_reg = PCA9450_REG_LDO5CTRL_H, ++ .enable_reg = PCA9450_REG_LDO5CTRL_L, + .enable_mask = LDO5H_EN_MASK, + .owner = THIS_MODULE, + }, +@@ -835,7 +835,7 @@ static const struct pca9450_regulator_desc pca9451a_regulators[] = { + .n_linear_ranges = ARRAY_SIZE(pca9450_ldo5_volts), + .vsel_reg = PCA9450_REG_LDO5CTRL_H, + .vsel_mask = LDO5HOUT_MASK, +- .enable_reg = PCA9450_REG_LDO5CTRL_H, ++ .enable_reg = PCA9450_REG_LDO5CTRL_L, + .enable_mask = LDO5H_EN_MASK, + .owner = THIS_MODULE, + }, +-- +2.39.5 + diff --git a/queue-6.12/remoteproc-core-clear-table_sz-when-rproc_shutdown.patch b/queue-6.12/remoteproc-core-clear-table_sz-when-rproc_shutdown.patch new file mode 100644 index 0000000000..7ad563d560 --- /dev/null +++ b/queue-6.12/remoteproc-core-clear-table_sz-when-rproc_shutdown.patch @@ -0,0 +1,86 @@ +From fbf11509d08ec68184a4e540292d1add9d97a18e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 18:01:05 +0800 +Subject: remoteproc: core: Clear table_sz when rproc_shutdown + +From: Peng Fan + +[ Upstream commit efdde3d73ab25cef4ff2d06783b0aad8b093c0e4 ] + +There is case as below could trigger kernel dump: +Use U-Boot to start remote processor(rproc) with resource table +published to a fixed address by rproc. After Kernel boots up, +stop the rproc, load a new firmware which doesn't have resource table +,and start rproc. + +When starting rproc with a firmware not have resource table, +`memcpy(loaded_table, rproc->cached_table, rproc->table_sz)` will +trigger dump, because rproc->cache_table is set to NULL during the last +stop operation, but rproc->table_sz is still valid. + +This issue is found on i.MX8MP and i.MX9. + +Dump as below: +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault +Data abort info: + ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 + CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000 +[0000000000000000] pgd=0000000000000000, p4d=0000000000000000 +Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP +Modules linked in: +CPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38 +Hardware name: NXP i.MX8MPlus EVK board (DT) +pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : __pi_memcpy_generic+0x110/0x22c +lr : rproc_start+0x88/0x1e0 +Call trace: + __pi_memcpy_generic+0x110/0x22c (P) + rproc_boot+0x198/0x57c + state_store+0x40/0x104 + dev_attr_store+0x18/0x2c + sysfs_kf_write+0x7c/0x94 + kernfs_fop_write_iter+0x120/0x1cc + vfs_write+0x240/0x378 + ksys_write+0x70/0x108 + __arm64_sys_write+0x1c/0x28 + invoke_syscall+0x48/0x10c + el0_svc_common.constprop.0+0xc0/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x30/0xcc + el0t_64_sync_handler+0x10c/0x138 + el0t_64_sync+0x198/0x19c + +Clear rproc->table_sz to address the issue. + +Fixes: 9dc9507f1880 ("remoteproc: Properly deal with the resource table when detaching") +Signed-off-by: Peng Fan +Link: https://lore.kernel.org/r/20250319100106.3622619-1-peng.fan@oss.nxp.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/remoteproc_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index ef6febe356330..d2308c2f97eb9 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -2025,6 +2025,7 @@ int rproc_shutdown(struct rproc *rproc) + kfree(rproc->cached_table); + rproc->cached_table = NULL; + rproc->table_ptr = NULL; ++ rproc->table_sz = 0; + out: + mutex_unlock(&rproc->lock); + return ret; +-- +2.39.5 + diff --git a/queue-6.12/remoteproc-qcom-pas-add-minidump_id-to-sc7280-wpss.patch b/queue-6.12/remoteproc-qcom-pas-add-minidump_id-to-sc7280-wpss.patch new file mode 100644 index 0000000000..4b86ec6068 --- /dev/null +++ b/queue-6.12/remoteproc-qcom-pas-add-minidump_id-to-sc7280-wpss.patch @@ -0,0 +1,35 @@ +From 4cc0b306e547b2aae72ea158e9c41d4d2b75d52f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 09:24:31 +0100 +Subject: remoteproc: qcom: pas: add minidump_id to SC7280 WPSS + +From: Luca Weiss + +[ Upstream commit d2909538bff0189d4d038f4e903c70be5f5c2bfc ] + +Add the minidump ID to the wpss resources, based on msm-5.4 devicetree. + +Fixes: 300ed425dfa9 ("remoteproc: qcom_q6v5_pas: Add SC7280 ADSP, CDSP & WPSS") +Signed-off-by: Luca Weiss +Link: https://lore.kernel.org/r/20250314-sc7280-wpss-minidump-v1-1-d869d53fd432@fairphone.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_pas.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c +index 179a0afd5fe6f..a1636bbf36118 100644 +--- a/drivers/remoteproc/qcom_q6v5_pas.c ++++ b/drivers/remoteproc/qcom_q6v5_pas.c +@@ -1356,6 +1356,7 @@ static const struct adsp_data sc7280_wpss_resource = { + .crash_reason_smem = 626, + .firmware_name = "wpss.mdt", + .pas_id = 6, ++ .minidump_id = 4, + .auto_boot = false, + .proxy_pd_names = (char*[]){ + "cx", +-- +2.39.5 + diff --git a/queue-6.12/remoteproc-qcom_q6v5_mss-handle-platforms-with-one-p.patch b/queue-6.12/remoteproc-qcom_q6v5_mss-handle-platforms-with-one-p.patch new file mode 100644 index 0000000000..59223c0001 --- /dev/null +++ b/queue-6.12/remoteproc-qcom_q6v5_mss-handle-platforms-with-one-p.patch @@ -0,0 +1,90 @@ +From 494c6f12a2d75a22fa7853ea0dd5c77d30c0b570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 23:05:18 +0100 +Subject: remoteproc: qcom_q6v5_mss: Handle platforms with one power domain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luca Weiss + +[ Upstream commit 4641840341f37dc8231e0840ec1514b4061b4322 ] + +For example MSM8974 has mx voltage rail exposed as regulator and only cx +voltage rail is exposed as power domain. This power domain (cx) is +attached internally in power domain and cannot be attached in this driver. + +Fixes: 8750cf392394 ("remoteproc: qcom_q6v5_mss: Allow replacing regulators with power domains") +Co-developed-by: Matti Lehtimäki +Signed-off-by: Matti Lehtimäki +Reviewed-by: Stephan Gerhold +Signed-off-by: Luca Weiss +Link: https://lore.kernel.org/r/20250217-msm8226-modem-v5-4-2bc74b80e0ae@lucaweiss.eu +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_mss.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c +index 32c3531b20c70..e19081d530226 100644 +--- a/drivers/remoteproc/qcom_q6v5_mss.c ++++ b/drivers/remoteproc/qcom_q6v5_mss.c +@@ -1839,6 +1839,13 @@ static int q6v5_pds_attach(struct device *dev, struct device **devs, + while (pd_names[num_pds]) + num_pds++; + ++ /* Handle single power domain */ ++ if (num_pds == 1 && dev->pm_domain) { ++ devs[0] = dev; ++ pm_runtime_enable(dev); ++ return 1; ++ } ++ + for (i = 0; i < num_pds; i++) { + devs[i] = dev_pm_domain_attach_by_name(dev, pd_names[i]); + if (IS_ERR_OR_NULL(devs[i])) { +@@ -1859,8 +1866,15 @@ static int q6v5_pds_attach(struct device *dev, struct device **devs, + static void q6v5_pds_detach(struct q6v5 *qproc, struct device **pds, + size_t pd_count) + { ++ struct device *dev = qproc->dev; + int i; + ++ /* Handle single power domain */ ++ if (pd_count == 1 && dev->pm_domain) { ++ pm_runtime_disable(dev); ++ return; ++ } ++ + for (i = 0; i < pd_count; i++) + dev_pm_domain_detach(pds[i], false); + } +@@ -2469,13 +2483,13 @@ static const struct rproc_hexagon_res msm8974_mss = { + .supply = "pll", + .uA = 100000, + }, +- {} +- }, +- .fallback_proxy_supply = (struct qcom_mss_reg_res[]) { + { + .supply = "mx", + .uV = 1050000, + }, ++ {} ++ }, ++ .fallback_proxy_supply = (struct qcom_mss_reg_res[]) { + { + .supply = "cx", + .uA = 100000, +@@ -2501,7 +2515,6 @@ static const struct rproc_hexagon_res msm8974_mss = { + NULL + }, + .proxy_pd_names = (char*[]){ +- "mx", + "cx", + NULL + }, +-- +2.39.5 + diff --git a/queue-6.12/remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch b/queue-6.12/remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch new file mode 100644 index 0000000000..44afe68865 --- /dev/null +++ b/queue-6.12/remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch @@ -0,0 +1,63 @@ +From 852cd7be1e1500b4a1a6c4c1b5fccb3abd19671c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 22:54:00 +0100 +Subject: remoteproc: qcom_q6v5_pas: Make single-PD handling more robust + +From: Luca Weiss + +[ Upstream commit e917b73234b02aa4966325e7380d2559bf127ba9 ] + +Only go into the if condition for single-PD handling when there's +actually just one power domain specified there. Otherwise it'll be an +issue in the dts and we should fail in the regular code path. + +This also mirrors the latest changes in the qcom_q6v5_mss driver. + +Suggested-by: Stephan Gerhold +Fixes: 17ee2fb4e856 ("remoteproc: qcom: pas: Vote for active/proxy power domains") +Signed-off-by: Luca Weiss +Reviewed-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20250128-pas-singlepd-v1-2-85d9ae4b0093@lucaweiss.eu +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_pas.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c +index 1a2d08ec9de9e..179a0afd5fe6f 100644 +--- a/drivers/remoteproc/qcom_q6v5_pas.c ++++ b/drivers/remoteproc/qcom_q6v5_pas.c +@@ -509,16 +509,16 @@ static int adsp_pds_attach(struct device *dev, struct device **devs, + if (!pd_names) + return 0; + ++ while (pd_names[num_pds]) ++ num_pds++; ++ + /* Handle single power domain */ +- if (dev->pm_domain) { ++ if (num_pds == 1 && dev->pm_domain) { + devs[0] = dev; + pm_runtime_enable(dev); + return 1; + } + +- while (pd_names[num_pds]) +- num_pds++; +- + for (i = 0; i < num_pds; i++) { + devs[i] = dev_pm_domain_attach_by_name(dev, pd_names[i]); + if (IS_ERR_OR_NULL(devs[i])) { +@@ -543,7 +543,7 @@ static void adsp_pds_detach(struct qcom_adsp *adsp, struct device **pds, + int i; + + /* Handle single power domain */ +- if (dev->pm_domain && pd_count) { ++ if (pd_count == 1 && dev->pm_domain) { + pm_runtime_disable(dev); + return; + } +-- +2.39.5 + diff --git a/queue-6.12/remoteproc-qcom_q6v5_pas-use-resource-with-cx-pd-for.patch b/queue-6.12/remoteproc-qcom_q6v5_pas-use-resource-with-cx-pd-for.patch new file mode 100644 index 0000000000..e7c12cb93f --- /dev/null +++ b/queue-6.12/remoteproc-qcom_q6v5_pas-use-resource-with-cx-pd-for.patch @@ -0,0 +1,39 @@ +From b01da414a0c32269bd90fe946809b6127a9b5701 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 22:53:59 +0100 +Subject: remoteproc: qcom_q6v5_pas: Use resource with CX PD for MSM8226 + +From: Luca Weiss + +[ Upstream commit ba785ff4162a65f18ed501019637a998b752b5ad ] + +MSM8226 requires the CX power domain, so use the msm8996_adsp_resource +which has cx under proxy_pd_names and is otherwise equivalent. + +Suggested-by: Stephan Gerhold +Fixes: fb4f07cc9399 ("remoteproc: qcom: pas: Add MSM8226 ADSP support") +Signed-off-by: Luca Weiss +Reviewed-by: Stephan Gerhold +Link: https://lore.kernel.org/r/20250128-pas-singlepd-v1-1-85d9ae4b0093@lucaweiss.eu +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_pas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c +index a1636bbf36118..ea4a91f37b506 100644 +--- a/drivers/remoteproc/qcom_q6v5_pas.c ++++ b/drivers/remoteproc/qcom_q6v5_pas.c +@@ -1419,7 +1419,7 @@ static const struct adsp_data sm8650_mpss_resource = { + }; + + static const struct of_device_id adsp_of_match[] = { +- { .compatible = "qcom,msm8226-adsp-pil", .data = &adsp_resource_init}, ++ { .compatible = "qcom,msm8226-adsp-pil", .data = &msm8996_adsp_resource}, + { .compatible = "qcom,msm8953-adsp-pil", .data = &msm8996_adsp_resource}, + { .compatible = "qcom,msm8974-adsp-pil", .data = &adsp_resource_init}, + { .compatible = "qcom,msm8996-adsp-pil", .data = &msm8996_adsp_resource}, +-- +2.39.5 + diff --git a/queue-6.12/ring-buffer-fix-bytes_dropped-calculation-issue.patch b/queue-6.12/ring-buffer-fix-bytes_dropped-calculation-issue.patch new file mode 100644 index 0000000000..f24c873925 --- /dev/null +++ b/queue-6.12/ring-buffer-fix-bytes_dropped-calculation-issue.patch @@ -0,0 +1,41 @@ +From 295a00f36f850511b6f18cc7fb36ece7a897e0f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Feb 2025 15:01:06 +0800 +Subject: ring-buffer: Fix bytes_dropped calculation issue + +From: Feng Yang + +[ Upstream commit c73f0b69648501978e8b3e8fa7eef7f4197d0481 ] + +The calculation of bytes-dropped and bytes_dropped_nested is reversed. +Although it does not affect the final calculation of total_dropped, +it should still be modified. + +Link: https://lore.kernel.org/20250223070106.6781-1-yangfeng59949@163.com +Fixes: 6c43e554a2a5 ("ring-buffer: Add ring buffer startup selftest") +Signed-off-by: Feng Yang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index ea8ad5480e286..3e252ba16d5c6 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -7442,9 +7442,9 @@ static __init int rb_write_something(struct rb_test_data *data, bool nested) + /* Ignore dropped events before test starts. */ + if (started) { + if (nested) +- data->bytes_dropped += len; +- else + data->bytes_dropped_nested += len; ++ else ++ data->bytes_dropped += len; + } + return len; + } +-- +2.39.5 + diff --git a/queue-6.12/risc-v-errata-use-medany-for-relocatable-builds.patch b/queue-6.12/risc-v-errata-use-medany-for-relocatable-builds.patch new file mode 100644 index 0000000000..2f9da8c628 --- /dev/null +++ b/queue-6.12/risc-v-errata-use-medany-for-relocatable-builds.patch @@ -0,0 +1,42 @@ +From 5b9a2d3ec7da83cf995f4212c5324976ddf3092f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 15:45:07 -0700 +Subject: RISC-V: errata: Use medany for relocatable builds + +From: Palmer Dabbelt + +[ Upstream commit bb58e1579f431d42469b6aed0f03eff383ba6db5 ] + +We're trying to mix non-PIC/PIE objects into the otherwise-PIE +relocatable kernels, to avoid GOT/PLT references during early boot +alternative resolution (which happens before the GOT/PLT are set up). + +riscv64-unknown-linux-gnu-ld: arch/riscv/errata/sifive/errata.o: relocation R_RISCV_HI20 against `tlb_flush_all_threshold' can not be used when making a shared object; recompile with -fPIC +riscv64-unknown-linux-gnu-ld: arch/riscv/errata/thead/errata.o: relocation R_RISCV_HI20 against `riscv_cbom_block_size' can not be used when making a shared object; recompile with -fPIC + +Fixes: 8dc2a7e8027f ("riscv: Fix relocatable kernels with early alternatives using -fno-pie") +Link: https://lore.kernel.org/r/20250326224506.27165-2-palmer@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/errata/Makefile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/errata/Makefile b/arch/riscv/errata/Makefile +index f0da9d7b39c37..bc6c77ba837d2 100644 +--- a/arch/riscv/errata/Makefile ++++ b/arch/riscv/errata/Makefile +@@ -1,5 +1,9 @@ + ifdef CONFIG_RELOCATABLE +-KBUILD_CFLAGS += -fno-pie ++# We can't use PIC/PIE when handling early-boot errata parsing, as the kernel ++# doesn't have a GOT setup at that point. So instead just use medany: it's ++# usually position-independent, so it should be good enough for the errata ++# handling. ++KBUILD_CFLAGS += -fno-pie -mcmodel=medany + endif + + ifdef CONFIG_RISCV_ALTERNATIVE_EARLY +-- +2.39.5 + diff --git a/queue-6.12/risc-v-kvm-disable-the-kernel-perf-counter-during-co.patch b/queue-6.12/risc-v-kvm-disable-the-kernel-perf-counter-during-co.patch new file mode 100644 index 0000000000..416a2f5c79 --- /dev/null +++ b/queue-6.12/risc-v-kvm-disable-the-kernel-perf-counter-during-co.patch @@ -0,0 +1,42 @@ +From e4379d1f170a8e018ce281789c5a3e7de76f6125 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 14:53:06 -0800 +Subject: RISC-V: KVM: Disable the kernel perf counter during configure + +From: Atish Patra + +[ Upstream commit bbb622488749478955485765ddff9d56be4a7e4b ] + +The perf event should be marked disabled during the creation as +it is not ready to be scheduled until there is SBI PMU start call +or config matching is called with auto start. Otherwise, event add/start +gets called during perf_event_create_kernel_counter function. +It will be enabled and scheduled to run via perf_event_enable during +either the above mentioned scenario. + +Fixes: 0cb74b65d2e5 ("RISC-V: KVM: Implement perf support without sampling") + +Reviewed-by: Andrew Jones +Signed-off-by: Atish Patra +Link: https://lore.kernel.org/r/20250303-kvm_pmu_improve-v2-1-41d177e45929@rivosinc.com +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + arch/riscv/kvm/vcpu_pmu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c +index 2707a51b082ca..78ac3216a54dd 100644 +--- a/arch/riscv/kvm/vcpu_pmu.c ++++ b/arch/riscv/kvm/vcpu_pmu.c +@@ -666,6 +666,7 @@ int kvm_riscv_vcpu_pmu_ctr_cfg_match(struct kvm_vcpu *vcpu, unsigned long ctr_ba + .type = etype, + .size = sizeof(struct perf_event_attr), + .pinned = true, ++ .disabled = true, + /* + * It should never reach here if the platform doesn't support the sscofpmf + * extension as mode filtering won't work without it. +-- +2.39.5 + diff --git a/queue-6.12/riscv-fix-hugetlb-retrieval-of-number-of-ptes-in-cas.patch b/queue-6.12/riscv-fix-hugetlb-retrieval-of-number-of-ptes-in-cas.patch new file mode 100644 index 0000000000..ffcf68c53d --- /dev/null +++ b/queue-6.12/riscv-fix-hugetlb-retrieval-of-number-of-ptes-in-cas.patch @@ -0,0 +1,162 @@ +From 589fc361de0746b88860064d51e8fce205e45c4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Mar 2025 08:25:51 +0100 +Subject: riscv: Fix hugetlb retrieval of number of ptes in case of !present + pte + +From: Alexandre Ghiti + +[ Upstream commit 83d78ac677b9fdd8ea763507c6fe02d6bf415f3a ] + +Ryan sent a fix [1] for arm64 that applies to riscv too: in some hugetlb +functions, we must not use the pte value to get the size of a mapping +because the pte may not be present. + +So use the already present size parameter for huge_pte_clear() and the +newly introduced size parameter for huge_ptep_get_and_clear(). And make +sure to gather A/D bits only on present ptes. + +Fixes: 82a1a1f3bfb6 ("riscv: mm: support Svnapot in hugetlb page") +Link: https://lore.kernel.org/all/20250217140419.1702389-1-ryan.roberts@arm.com/ [1] +Link: https://lore.kernel.org/r/20250317072551.572169-1-alexghiti@rivosinc.com +Signed-off-by: Alexandre Ghiti +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/hugetlbpage.c | 76 ++++++++++++++++++++++--------------- + 1 file changed, 45 insertions(+), 31 deletions(-) + +diff --git a/arch/riscv/mm/hugetlbpage.c b/arch/riscv/mm/hugetlbpage.c +index b4a78a4b35cff..375dd96bb4a0d 100644 +--- a/arch/riscv/mm/hugetlbpage.c ++++ b/arch/riscv/mm/hugetlbpage.c +@@ -148,22 +148,25 @@ unsigned long hugetlb_mask_last_page(struct hstate *h) + static pte_t get_clear_contig(struct mm_struct *mm, + unsigned long addr, + pte_t *ptep, +- unsigned long pte_num) ++ unsigned long ncontig) + { +- pte_t orig_pte = ptep_get(ptep); +- unsigned long i; +- +- for (i = 0; i < pte_num; i++, addr += PAGE_SIZE, ptep++) { +- pte_t pte = ptep_get_and_clear(mm, addr, ptep); +- +- if (pte_dirty(pte)) +- orig_pte = pte_mkdirty(orig_pte); +- +- if (pte_young(pte)) +- orig_pte = pte_mkyoung(orig_pte); ++ pte_t pte, tmp_pte; ++ bool present; ++ ++ pte = ptep_get_and_clear(mm, addr, ptep); ++ present = pte_present(pte); ++ while (--ncontig) { ++ ptep++; ++ addr += PAGE_SIZE; ++ tmp_pte = ptep_get_and_clear(mm, addr, ptep); ++ if (present) { ++ if (pte_dirty(tmp_pte)) ++ pte = pte_mkdirty(pte); ++ if (pte_young(tmp_pte)) ++ pte = pte_mkyoung(pte); ++ } + } +- +- return orig_pte; ++ return pte; + } + + static pte_t get_clear_contig_flush(struct mm_struct *mm, +@@ -212,6 +215,26 @@ static void clear_flush(struct mm_struct *mm, + flush_tlb_range(&vma, saddr, addr); + } + ++static int num_contig_ptes_from_size(unsigned long sz, size_t *pgsize) ++{ ++ unsigned long hugepage_shift; ++ ++ if (sz >= PGDIR_SIZE) ++ hugepage_shift = PGDIR_SHIFT; ++ else if (sz >= P4D_SIZE) ++ hugepage_shift = P4D_SHIFT; ++ else if (sz >= PUD_SIZE) ++ hugepage_shift = PUD_SHIFT; ++ else if (sz >= PMD_SIZE) ++ hugepage_shift = PMD_SHIFT; ++ else ++ hugepage_shift = PAGE_SHIFT; ++ ++ *pgsize = 1 << hugepage_shift; ++ ++ return sz >> hugepage_shift; ++} ++ + /* + * When dealing with NAPOT mappings, the privileged specification indicates that + * "if an update needs to be made, the OS generally should first mark all of the +@@ -226,22 +249,10 @@ void set_huge_pte_at(struct mm_struct *mm, + pte_t pte, + unsigned long sz) + { +- unsigned long hugepage_shift, pgsize; ++ size_t pgsize; + int i, pte_num; + +- if (sz >= PGDIR_SIZE) +- hugepage_shift = PGDIR_SHIFT; +- else if (sz >= P4D_SIZE) +- hugepage_shift = P4D_SHIFT; +- else if (sz >= PUD_SIZE) +- hugepage_shift = PUD_SHIFT; +- else if (sz >= PMD_SIZE) +- hugepage_shift = PMD_SHIFT; +- else +- hugepage_shift = PAGE_SHIFT; +- +- pte_num = sz >> hugepage_shift; +- pgsize = 1 << hugepage_shift; ++ pte_num = num_contig_ptes_from_size(sz, &pgsize); + + if (!pte_present(pte)) { + for (i = 0; i < pte_num; i++, ptep++, addr += pgsize) +@@ -295,13 +306,14 @@ pte_t huge_ptep_get_and_clear(struct mm_struct *mm, + unsigned long addr, + pte_t *ptep, unsigned long sz) + { ++ size_t pgsize; + pte_t orig_pte = ptep_get(ptep); + int pte_num; + + if (!pte_napot(orig_pte)) + return ptep_get_and_clear(mm, addr, ptep); + +- pte_num = napot_pte_num(napot_cont_order(orig_pte)); ++ pte_num = num_contig_ptes_from_size(sz, &pgsize); + + return get_clear_contig(mm, addr, ptep, pte_num); + } +@@ -351,6 +363,7 @@ void huge_pte_clear(struct mm_struct *mm, + pte_t *ptep, + unsigned long sz) + { ++ size_t pgsize; + pte_t pte = ptep_get(ptep); + int i, pte_num; + +@@ -359,8 +372,9 @@ void huge_pte_clear(struct mm_struct *mm, + return; + } + +- pte_num = napot_pte_num(napot_cont_order(pte)); +- for (i = 0; i < pte_num; i++, addr += PAGE_SIZE, ptep++) ++ pte_num = num_contig_ptes_from_size(sz, &pgsize); ++ ++ for (i = 0; i < pte_num; i++, addr += pgsize, ptep++) + pte_clear(mm, addr, ptep); + } + +-- +2.39.5 + diff --git a/queue-6.12/riscv-ftrace-add-parentheses-in-macro-definitions-of.patch b/queue-6.12/riscv-ftrace-add-parentheses-in-macro-definitions-of.patch new file mode 100644 index 0000000000..815898429f --- /dev/null +++ b/queue-6.12/riscv-ftrace-add-parentheses-in-macro-definitions-of.patch @@ -0,0 +1,63 @@ +From 39fd16a92d727ab1ac7c226f14784c00d84e3a03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 13:28:36 -0600 +Subject: riscv: ftrace: Add parentheses in macro definitions of make_call_t0 + and make_call_ra + +From: Juhan Jin + +[ Upstream commit 5f1a58ed91a040d4625d854f9bb3dd4995919202 ] + +This patch adds parentheses to parameters caller and callee of macros +make_call_t0 and make_call_ra. Every existing invocation of these two +macros uses a single variable for each argument, so the absence of the +parentheses seems okay. However, future invocations might use more +complex expressions as arguments. For example, a future invocation might +look like this: make_call_t0(a - b, c, call). Without parentheses in the +macro definition, the macro invocation expands to: + +... +unsigned int offset = (unsigned long) c - (unsigned long) a - b; +... + +which is clearly wrong. + +The use of parentheses ensures arguments are correctly evaluated and +potentially saves future users of make_call_t0 and make_call_ra debugging +trouble. + +Fixes: 6724a76cff85 ("riscv: ftrace: Reduce the detour code size to half") +Signed-off-by: Juhan Jin +Reviewed-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/tencent_AE90AA59903A628E87E9F80E563DA5BA5508@qq.com +Signed-off-by: Alexandre Ghiti +Signed-off-by: Sasha Levin +--- + arch/riscv/include/asm/ftrace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h +index 2cddd79ff21b1..f253c8dae878e 100644 +--- a/arch/riscv/include/asm/ftrace.h ++++ b/arch/riscv/include/asm/ftrace.h +@@ -92,7 +92,7 @@ struct dyn_arch_ftrace { + #define make_call_t0(caller, callee, call) \ + do { \ + unsigned int offset = \ +- (unsigned long) callee - (unsigned long) caller; \ ++ (unsigned long) (callee) - (unsigned long) (caller); \ + call[0] = to_auipc_t0(offset); \ + call[1] = to_jalr_t0(offset); \ + } while (0) +@@ -108,7 +108,7 @@ do { \ + #define make_call_ra(caller, callee, call) \ + do { \ + unsigned int offset = \ +- (unsigned long) callee - (unsigned long) caller; \ ++ (unsigned long) (callee) - (unsigned long) (caller); \ + call[0] = to_auipc_ra(offset); \ + call[1] = to_jalr_ra(offset); \ + } while (0) +-- +2.39.5 + diff --git a/queue-6.12/riscv-kexec_file-handle-r_riscv_64-in-purgatory-relo.patch b/queue-6.12/riscv-kexec_file-handle-r_riscv_64-in-purgatory-relo.patch new file mode 100644 index 0000000000..713c364cf5 --- /dev/null +++ b/queue-6.12/riscv-kexec_file-handle-r_riscv_64-in-purgatory-relo.patch @@ -0,0 +1,54 @@ +From 8fd87dc71f8d22435f67c5975b4fad8892d06cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 05:14:46 +0000 +Subject: riscv/kexec_file: Handle R_RISCV_64 in purgatory relocator +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yao Zi + +[ Upstream commit 28093cfef5dd62f4cbd537f2bdf6f0bf85309c45 ] + +Commit 58ff537109ac ("riscv: Omit optimized string routines when +using KASAN") introduced calls to EXPORT_SYMBOL() in assembly string +routines, which result in R_RISCV_64 relocations against +.export_symbol section. As these rountines are reused by RISC-V +purgatory and our relocator doesn't recognize these relocations, this +fails kexec-file-load with dmesg like + + [ 11.344251] kexec_image: Unknown rela relocation: 2 + [ 11.345972] kexec_image: Error loading purgatory ret=-8 + +Let's support R_RISCV_64 relocation to fix kexec on 64-bit RISC-V. +32-bit variant isn't covered since KEXEC_FILE and KEXEC_PURGATORY isn't +available. + +Fixes: 58ff537109ac ("riscv: Omit optimized string routines when using KASAN") +Signed-off-by: Yao Zi +Tested-by: Björn Töpel +Reviewed-by: Björn Töpel +Link: https://lore.kernel.org/r/20250326051445.55131-2-ziyao@disroot.org +Signed-off-by: Alexandre Ghiti +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/elf_kexec.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/riscv/kernel/elf_kexec.c b/arch/riscv/kernel/elf_kexec.c +index 3c37661801f95..e783a72d051f4 100644 +--- a/arch/riscv/kernel/elf_kexec.c ++++ b/arch/riscv/kernel/elf_kexec.c +@@ -468,6 +468,9 @@ int arch_kexec_apply_relocations_add(struct purgatory_info *pi, + case R_RISCV_ALIGN: + case R_RISCV_RELAX: + break; ++ case R_RISCV_64: ++ *(u64 *)loc = val; ++ break; + default: + pr_err("Unknown rela relocation: %d\n", r_type); + return -ENOEXEC; +-- +2.39.5 + diff --git a/queue-6.12/riscv-purgatory-4b-align-purgatory_start.patch b/queue-6.12/riscv-purgatory-4b-align-purgatory_start.patch new file mode 100644 index 0000000000..700dd1f9f3 --- /dev/null +++ b/queue-6.12/riscv-purgatory-4b-align-purgatory_start.patch @@ -0,0 +1,63 @@ +From cbab6ffeb7e2929ffcfe8d16338e72f3b6e10f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 09:53:11 +0100 +Subject: riscv/purgatory: 4B align purgatory_start +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit 3f7023171df43641a8a8a1c9a12124501e589010 ] + +When a crashkernel is launched on RISC-V, the entry to purgatory is +done by trapping via the stvec CSR. From riscv_kexec_norelocate(): + + | ... + | /* + | * Switch to physical addressing + | * This will also trigger a jump to CSR_STVEC + | * which in this case is the address of the new + | * kernel. + | */ + | csrw CSR_STVEC, a2 + | csrw CSR_SATP, zero + +stvec requires that the address is 4B aligned, which was not the case, +e.g.: + + | Loaded purgatory at 0xffffc000 + | kexec_file: kexec_file_load: type:1, start:0xffffd232 head:0x4 flags:0x6 + +The address 0xffffd232 not 4B aligned. + +Correct by adding proper function alignment. + +With this change, crashkernels loaded with kexec-file will be able to +properly enter the purgatory. + +Fixes: 736e30af583fb ("RISC-V: Add purgatory") +Signed-off-by: Björn Töpel +Reviewed-by: Alexandre Ghiti +Link: https://lore.kernel.org/r/20250328085313.1193815-1-bjorn@kernel.org +Signed-off-by: Alexandre Ghiti +Signed-off-by: Sasha Levin +--- + arch/riscv/purgatory/entry.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/riscv/purgatory/entry.S b/arch/riscv/purgatory/entry.S +index 0e6ca6d5ae4b4..c5db2f072c341 100644 +--- a/arch/riscv/purgatory/entry.S ++++ b/arch/riscv/purgatory/entry.S +@@ -12,6 +12,7 @@ + + .text + ++.align 2 + SYM_CODE_START(purgatory_start) + + lla sp, .Lstack +-- +2.39.5 + diff --git a/queue-6.12/rndis_host-flag-rndis-modems-as-wwan-devices.patch b/queue-6.12/rndis_host-flag-rndis-modems-as-wwan-devices.patch new file mode 100644 index 0000000000..0fc29e94b4 --- /dev/null +++ b/queue-6.12/rndis_host-flag-rndis-modems-as-wwan-devices.patch @@ -0,0 +1,70 @@ +From 79360df879a8d56cccc7a6f841c6b571611a29b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 10:58:41 +0100 +Subject: rndis_host: Flag RNDIS modems as WWAN devices + +From: Lubomir Rintel + +[ Upstream commit 67d1a8956d2d62fe6b4c13ebabb57806098511d8 ] + +Set FLAG_WWAN instead of FLAG_ETHERNET for RNDIS interfaces on Mobile +Broadband Modems, as opposed to regular Ethernet adapters. + +Otherwise NetworkManager gets confused, misjudges the device type, +and wouldn't know it should connect a modem to get the device to work. +What would be the result depends on ModemManager version -- older +ModemManager would end up disconnecting a device after an unsuccessful +probe attempt (if it connected without needing to unlock a SIM), while +a newer one might spawn a separate PPP connection over a tty interface +instead, resulting in a general confusion and no end of chaos. + +The only way to get this work reliably is to fix the device type +and have good enough version ModemManager (or equivalent). + +Fixes: 63ba395cd7a5 ("rndis_host: support Novatel Verizon USB730L") +Signed-off-by: Lubomir Rintel +Link: https://patch.msgid.link/20250325095842.1567999-1-lkundrak@v3.sk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rndis_host.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/rndis_host.c b/drivers/net/usb/rndis_host.c +index 7b3739b29c8f7..bb0bf14158727 100644 +--- a/drivers/net/usb/rndis_host.c ++++ b/drivers/net/usb/rndis_host.c +@@ -630,6 +630,16 @@ static const struct driver_info zte_rndis_info = { + .tx_fixup = rndis_tx_fixup, + }; + ++static const struct driver_info wwan_rndis_info = { ++ .description = "Mobile Broadband RNDIS device", ++ .flags = FLAG_WWAN | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT, ++ .bind = rndis_bind, ++ .unbind = rndis_unbind, ++ .status = rndis_status, ++ .rx_fixup = rndis_rx_fixup, ++ .tx_fixup = rndis_tx_fixup, ++}; ++ + /*-------------------------------------------------------------------------*/ + + static const struct usb_device_id products [] = { +@@ -666,9 +676,11 @@ static const struct usb_device_id products [] = { + USB_INTERFACE_INFO(USB_CLASS_WIRELESS_CONTROLLER, 1, 3), + .driver_info = (unsigned long) &rndis_info, + }, { +- /* Novatel Verizon USB730L */ ++ /* Mobile Broadband Modem, seen in Novatel Verizon USB730L and ++ * Telit FN990A (RNDIS) ++ */ + USB_INTERFACE_INFO(USB_CLASS_MISC, 4, 1), +- .driver_info = (unsigned long) &rndis_info, ++ .driver_info = (unsigned long)&wwan_rndis_info, + }, + { }, // END + }; +-- +2.39.5 + diff --git a/queue-6.12/rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch b/queue-6.12/rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch new file mode 100644 index 0000000000..8432d7ec97 --- /dev/null +++ b/queue-6.12/rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch @@ -0,0 +1,163 @@ +From d2bf895bba28a9551d10f0e52f45fc882d794caf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 11:02:26 +0200 +Subject: rtnetlink: Allocate vfinfo size for VF GUIDs when supported + +From: Mark Zhang + +[ Upstream commit 23f00807619d15063d676218f36c5dfeda1eb420 ] + +Commit 30aad41721e0 ("net/core: Add support for getting VF GUIDs") +added support for getting VF port and node GUIDs in netlink ifinfo +messages, but their size was not taken into consideration in the +function that allocates the netlink message, causing the following +warning when a netlink message is filled with many VF port and node +GUIDs: + # echo 64 > /sys/bus/pci/devices/0000\:08\:00.0/sriov_numvfs + # ip link show dev ib0 + RTNETLINK answers: Message too long + Cannot send link get request: Message too long + +Kernel warning: + + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0 + Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core + CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:rtnl_getlink+0x586/0x5a0 + Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00 + RSP: 0018:ffff888113557348 EFLAGS: 00010246 + RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000 + RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8 + RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000 + R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00 + R13: ffffffff8563d300 R14: 00000000ffffffa6 R15: 00000000ffffffff + FS: 00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ? __warn+0xa5/0x230 + ? rtnl_getlink+0x586/0x5a0 + ? report_bug+0x22d/0x240 + ? handle_bug+0x53/0xa0 + ? exc_invalid_op+0x14/0x50 + ? asm_exc_invalid_op+0x16/0x20 + ? skb_trim+0x6a/0x80 + ? rtnl_getlink+0x586/0x5a0 + ? __pfx_rtnl_getlink+0x10/0x10 + ? rtnetlink_rcv_msg+0x1e5/0x860 + ? __pfx___mutex_lock+0x10/0x10 + ? rcu_is_watching+0x34/0x60 + ? __pfx_lock_acquire+0x10/0x10 + ? stack_trace_save+0x90/0xd0 + ? filter_irq_stacks+0x1d/0x70 + ? kasan_save_stack+0x30/0x40 + ? kasan_save_stack+0x20/0x40 + ? kasan_save_track+0x10/0x30 + rtnetlink_rcv_msg+0x21c/0x860 + ? entry_SYSCALL_64_after_hwframe+0x76/0x7e + ? __pfx_rtnetlink_rcv_msg+0x10/0x10 + ? arch_stack_walk+0x9e/0xf0 + ? rcu_is_watching+0x34/0x60 + ? lock_acquire+0xd5/0x410 + ? rcu_is_watching+0x34/0x60 + netlink_rcv_skb+0xe0/0x210 + ? __pfx_rtnetlink_rcv_msg+0x10/0x10 + ? __pfx_netlink_rcv_skb+0x10/0x10 + ? rcu_is_watching+0x34/0x60 + ? __pfx___netlink_lookup+0x10/0x10 + ? lock_release+0x62/0x200 + ? netlink_deliver_tap+0xfd/0x290 + ? rcu_is_watching+0x34/0x60 + ? lock_release+0x62/0x200 + ? netlink_deliver_tap+0x95/0x290 + netlink_unicast+0x31f/0x480 + ? __pfx_netlink_unicast+0x10/0x10 + ? rcu_is_watching+0x34/0x60 + ? lock_acquire+0xd5/0x410 + netlink_sendmsg+0x369/0x660 + ? lock_release+0x62/0x200 + ? __pfx_netlink_sendmsg+0x10/0x10 + ? import_ubuf+0xb9/0xf0 + ? __import_iovec+0x254/0x2b0 + ? lock_release+0x62/0x200 + ? __pfx_netlink_sendmsg+0x10/0x10 + ____sys_sendmsg+0x559/0x5a0 + ? __pfx_____sys_sendmsg+0x10/0x10 + ? __pfx_copy_msghdr_from_user+0x10/0x10 + ? rcu_is_watching+0x34/0x60 + ? do_read_fault+0x213/0x4a0 + ? rcu_is_watching+0x34/0x60 + ___sys_sendmsg+0xe4/0x150 + ? __pfx____sys_sendmsg+0x10/0x10 + ? do_fault+0x2cc/0x6f0 + ? handle_pte_fault+0x2e3/0x3d0 + ? __pfx_handle_pte_fault+0x10/0x10 + ? preempt_count_sub+0x14/0xc0 + ? __down_read_trylock+0x150/0x270 + ? __handle_mm_fault+0x404/0x8e0 + ? __pfx___handle_mm_fault+0x10/0x10 + ? lock_release+0x62/0x200 + ? __rcu_read_unlock+0x65/0x90 + ? rcu_is_watching+0x34/0x60 + __sys_sendmsg+0xd5/0x150 + ? __pfx___sys_sendmsg+0x10/0x10 + ? __up_read+0x192/0x480 + ? lock_release+0x62/0x200 + ? __rcu_read_unlock+0x65/0x90 + ? rcu_is_watching+0x34/0x60 + do_syscall_64+0x6d/0x140 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f63a5b13367 + Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 + RSP: 002b:00007fff8c726bc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000067b687c2 RCX: 00007f63a5b13367 + RDX: 0000000000000000 RSI: 00007fff8c726c30 RDI: 0000000000000004 + RBP: 00007fff8c726cb8 R08: 0000000000000000 R09: 0000000000000034 + R10: 00007fff8c726c7c R11: 0000000000000246 R12: 0000000000000001 + R13: 0000000000000000 R14: 00007fff8c726cd0 R15: 00007fff8c726cd0 + + irq event stamp: 0 + hardirqs last enabled at (0): [<0000000000000000>] 0x0 + hardirqs last disabled at (0): [] copy_process+0xd08/0x2830 + softirqs last enabled at (0): [] copy_process+0xd08/0x2830 + softirqs last disabled at (0): [<0000000000000000>] 0x0 + ---[ end trace 0000000000000000 ]--- + +Thus, when calculating ifinfo message size, take VF GUIDs sizes into +account when supported. + +Fixes: 30aad41721e0 ("net/core: Add support for getting VF GUIDs") +Signed-off-by: Mark Zhang +Reviewed-by: Maher Sanalla +Signed-off-by: Mark Bloch +Reviewed-by: Sabrina Dubroca +Link: https://patch.msgid.link/20250325090226.749730-1-mbloch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 2ba5cd965d3fa..4d0ee1c9002aa 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1005,6 +1005,9 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev, + /* IFLA_VF_STATS_TX_DROPPED */ + nla_total_size_64bit(sizeof(__u64))); + } ++ if (dev->netdev_ops->ndo_get_vf_guid) ++ size += num_vfs * 2 * ++ nla_total_size(sizeof(struct ifla_vf_guid)); + return size; + } else + return 0; +-- +2.39.5 + diff --git a/queue-6.12/rust-fix-signature-of-rust_fmt_argument.patch b/queue-6.12/rust-fix-signature-of-rust_fmt_argument.patch new file mode 100644 index 0000000000..05d68b875e --- /dev/null +++ b/queue-6.12/rust-fix-signature-of-rust_fmt_argument.patch @@ -0,0 +1,78 @@ +From 9f26b6c53166b75f0fd7bd7c874d8d43f1f39b96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 08:45:12 +0000 +Subject: rust: fix signature of rust_fmt_argument + +From: Alice Ryhl + +[ Upstream commit 901b3290bd4dc35e613d13abd03c129e754dd3dd ] + +Without this change, the rest of this series will emit the following +error message: + +error[E0308]: `if` and `else` have incompatible types + --> /rust/kernel/print.rs:22:22 + | +21 | #[export] + | --------- expected because of this +22 | unsafe extern "C" fn rust_fmt_argument( + | ^^^^^^^^^^^^^^^^^ expected `u8`, found `i8` + | + = note: expected fn item `unsafe extern "C" fn(*mut u8, *mut u8, *mut c_void) -> *mut u8 {bindings::rust_fmt_argument}` + found fn item `unsafe extern "C" fn(*mut i8, *mut i8, *const c_void) -> *mut i8 {print::rust_fmt_argument}` + +The error may be different depending on the architecture. + +To fix this, change the void pointer argument to use a const pointer, +and change the imports to use crate::ffi instead of core::ffi for +integer types. + +Fixes: 787983da7718 ("vsprintf: add new `%pA` format specifier") +Reviewed-by: Tamir Duberstein +Acked-by: Greg Kroah-Hartman +Signed-off-by: Alice Ryhl +Acked-by: Petr Mladek +Link: https://lore.kernel.org/r/20250303-export-macro-v3-1-41fbad85a27f@google.com +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + lib/vsprintf.c | 2 +- + rust/kernel/print.rs | 7 +++---- + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/lib/vsprintf.c b/lib/vsprintf.c +index c5e2ec9303c5d..a69e71a1ca55e 100644 +--- a/lib/vsprintf.c ++++ b/lib/vsprintf.c +@@ -2255,7 +2255,7 @@ int __init no_hash_pointers_enable(char *str) + early_param("no_hash_pointers", no_hash_pointers_enable); + + /* Used for Rust formatting ('%pA'). */ +-char *rust_fmt_argument(char *buf, char *end, void *ptr); ++char *rust_fmt_argument(char *buf, char *end, const void *ptr); + + /* + * Show a '%p' thing. A kernel extension is that the '%p' is followed +diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs +index a28077a7cb301..e52cd64333bcc 100644 +--- a/rust/kernel/print.rs ++++ b/rust/kernel/print.rs +@@ -6,12 +6,11 @@ + //! + //! Reference: + +-use core::{ ++use crate::{ + ffi::{c_char, c_void}, +- fmt, ++ str::RawFormatter, + }; +- +-use crate::str::RawFormatter; ++use core::fmt; + + // Called from `vsprintf` with format specifier `%pA`. + #[expect(clippy::missing_safety_doc)] +-- +2.39.5 + diff --git a/queue-6.12/s390-entry-fix-setting-_cif_mcck_guest-with-lowcore-.patch b/queue-6.12/s390-entry-fix-setting-_cif_mcck_guest-with-lowcore-.patch new file mode 100644 index 0000000000..8671464ab8 --- /dev/null +++ b/queue-6.12/s390-entry-fix-setting-_cif_mcck_guest-with-lowcore-.patch @@ -0,0 +1,39 @@ +From 9945edbc6bfeda87f82377636a76a3d517a46deb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Mar 2025 13:25:38 +0100 +Subject: s390/entry: Fix setting _CIF_MCCK_GUEST with lowcore relocation + +From: Sven Schnelle + +[ Upstream commit 121df45b37a1016ee6828c2ca3ba825f3e18a8c1 ] + +When lowcore relocation is enabled, the machine check handler doesn't +use the lowcore address when setting _CIF_MCCK_GUEST. Fix this by +adding the missing base register. + +Fixes: 0001b7bbc53a ("s390/entry: Make mchk_int_handler() ready for lowcore relocation") +Reported-by: Heiko Carstens +Reviewed-by: Heiko Carstens +Signed-off-by: Sven Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index 594da4cba707a..a7de838f80318 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -501,7 +501,7 @@ SYM_CODE_START(mcck_int_handler) + clgrjl %r9,%r14, 4f + larl %r14,.Lsie_leave + clgrjhe %r9,%r14, 4f +- lg %r10,__LC_PCPU ++ lg %r10,__LC_PCPU(%r13) + oi __PCPU_FLAGS+7(%r10), _CIF_MCCK_GUEST + 4: BPENTER __SF_SIE_FLAGS(%r15),_TIF_ISOLATE_BP_GUEST + SIEEXIT __SF_SIE_CONTROL(%r15),%r13 +-- +2.39.5 + diff --git a/queue-6.12/s390-remove-ioremap_wt-and-pgprot_writethrough.patch b/queue-6.12/s390-remove-ioremap_wt-and-pgprot_writethrough.patch new file mode 100644 index 0000000000..fde9a4205a --- /dev/null +++ b/queue-6.12/s390-remove-ioremap_wt-and-pgprot_writethrough.patch @@ -0,0 +1,89 @@ +From 3df762529d9d8d6c11966e296ab722b0314194de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2025 12:51:48 +0100 +Subject: s390: Remove ioremap_wt() and pgprot_writethrough() + +From: Niklas Schnelle + +[ Upstream commit c94bff63e49302d4ce36502a85a2710a67332a4f ] + +It turns out that while s390 architecture calls its memory-I/O mapping +variants write-through and write-back the implementation of ioremap_wt() +and pgprot_writethrough() does not match Linux notion of ioremap_wt(). + +In particular Linux expects ioremap_wt() to be weaker still than +ioremap_wc(), allowing not just gathering and re-ordering but also reads +to be served from cache. Instead s390's implementation is equivalent to +normal ioremap() while its ioremap_wc() allows re-ordering. + +Note that there are no known users of ioremap_wt() on s390 and the +resulting behavior is in line with asm-generic defining ioremap_wt() as +ioremap(), if undefined, so no breakage is expected. + +As s390 does not have a mapping type matching the Linux notion of +ioremap_wt() and pgprot_writethrough(), simply drop them and rely on the +asm-generic fallbacks instead. + +Fixes: b02002cc4c0f ("s390/pci: Implement ioremap_wc/prot() with MIO") +Fixes: b43b3fff042d ("s390: mm: convert to GENERIC_IOREMAP") +Acked-by: Heiko Carstens +Signed-off-by: Niklas Schnelle +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/io.h | 2 -- + arch/s390/include/asm/pgtable.h | 3 --- + arch/s390/mm/pgtable.c | 10 ---------- + 3 files changed, 15 deletions(-) + +diff --git a/arch/s390/include/asm/io.h b/arch/s390/include/asm/io.h +index fc9933a743d69..251e0372ccbd0 100644 +--- a/arch/s390/include/asm/io.h ++++ b/arch/s390/include/asm/io.h +@@ -34,8 +34,6 @@ void unxlate_dev_mem_ptr(phys_addr_t phys, void *addr); + + #define ioremap_wc(addr, size) \ + ioremap_prot((addr), (size), pgprot_val(pgprot_writecombine(PAGE_KERNEL))) +-#define ioremap_wt(addr, size) \ +- ioremap_prot((addr), (size), pgprot_val(pgprot_writethrough(PAGE_KERNEL))) + + static inline void __iomem *ioport_map(unsigned long port, unsigned int nr) + { +diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h +index 0ffbaf7419558..5ee73f245a0c0 100644 +--- a/arch/s390/include/asm/pgtable.h ++++ b/arch/s390/include/asm/pgtable.h +@@ -1365,9 +1365,6 @@ void gmap_pmdp_idte_global(struct mm_struct *mm, unsigned long vmaddr); + #define pgprot_writecombine pgprot_writecombine + pgprot_t pgprot_writecombine(pgprot_t prot); + +-#define pgprot_writethrough pgprot_writethrough +-pgprot_t pgprot_writethrough(pgprot_t prot); +- + #define PFN_PTE_SHIFT PAGE_SHIFT + + /* +diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c +index 2c944bafb0309..b03c665d72426 100644 +--- a/arch/s390/mm/pgtable.c ++++ b/arch/s390/mm/pgtable.c +@@ -34,16 +34,6 @@ pgprot_t pgprot_writecombine(pgprot_t prot) + } + EXPORT_SYMBOL_GPL(pgprot_writecombine); + +-pgprot_t pgprot_writethrough(pgprot_t prot) +-{ +- /* +- * mio_wb_bit_mask may be set on a different CPU, but it is only set +- * once at init and only read afterwards. +- */ +- return __pgprot(pgprot_val(prot) & ~mio_wb_bit_mask); +-} +-EXPORT_SYMBOL_GPL(pgprot_writethrough); +- + static inline void ptep_ipte_local(struct mm_struct *mm, unsigned long addr, + pte_t *ptep, int nodat) + { +-- +2.39.5 + diff --git a/queue-6.12/sched-cancel-the-slice-protection-of-the-idle-entity.patch b/queue-6.12/sched-cancel-the-slice-protection-of-the-idle-entity.patch new file mode 100644 index 0000000000..27395f6450 --- /dev/null +++ b/queue-6.12/sched-cancel-the-slice-protection-of-the-idle-entity.patch @@ -0,0 +1,122 @@ +From b668b273ecff1bc737c1ecc889a8e64108e715f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Feb 2025 16:08:52 +0800 +Subject: sched: Cancel the slice protection of the idle entity + +From: zihan zhou <15645113830zzh@gmail.com> + +[ Upstream commit f553741ac8c0e467a3b873e305f34b902e50b86d ] + +A wakeup non-idle entity should preempt idle entity at any time, +but because of the slice protection of the idle entity, the non-idle +entity has to wait, so just cancel it. + +This patch is aimed at minimizing the impact of SCHED_IDLE on +SCHED_NORMAL. For example, a task with SCHED_IDLE policy that sleeps for +1s and then runs for 3 ms, running cyclictest on the same cpu, has a +maximum latency of 3 ms, which is caused by the slice protection of the +idle entity. It is unreasonable. With this patch, the cyclictest latency +under the same conditions is basically the same on the cpu with idle +processes and on empty cpu. + +[peterz: add helpers] +Fixes: 63304558ba5d ("sched/eevdf: Curb wakeup-preemption") +Signed-off-by: zihan zhou <15645113830zzh@gmail.com> +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Tested-by: Vincent Guittot +Link: https://lkml.kernel.org/r/20250208080850.16300-1-15645113830zzh@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 46 ++++++++++++++++++++++++++++++++------------- + 1 file changed, 33 insertions(+), 13 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 58ba14ed8fbcb..49e340f9fa71b 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -885,6 +885,26 @@ struct sched_entity *__pick_first_entity(struct cfs_rq *cfs_rq) + return __node_2_se(left); + } + ++/* ++ * HACK, stash a copy of deadline at the point of pick in vlag, ++ * which isn't used until dequeue. ++ */ ++static inline void set_protect_slice(struct sched_entity *se) ++{ ++ se->vlag = se->deadline; ++} ++ ++static inline bool protect_slice(struct sched_entity *se) ++{ ++ return se->vlag == se->deadline; ++} ++ ++static inline void cancel_protect_slice(struct sched_entity *se) ++{ ++ if (protect_slice(se)) ++ se->vlag = se->deadline + 1; ++} ++ + /* + * Earliest Eligible Virtual Deadline First + * +@@ -921,11 +941,7 @@ static struct sched_entity *pick_eevdf(struct cfs_rq *cfs_rq) + if (curr && (!curr->on_rq || !entity_eligible(cfs_rq, curr))) + curr = NULL; + +- /* +- * Once selected, run a task until it either becomes non-eligible or +- * until it gets a new slice. See the HACK in set_next_entity(). +- */ +- if (sched_feat(RUN_TO_PARITY) && curr && curr->vlag == curr->deadline) ++ if (sched_feat(RUN_TO_PARITY) && curr && protect_slice(curr)) + return curr; + + /* Pick the leftmost entity if it's eligible */ +@@ -5626,11 +5642,8 @@ set_next_entity(struct cfs_rq *cfs_rq, struct sched_entity *se) + update_stats_wait_end_fair(cfs_rq, se); + __dequeue_entity(cfs_rq, se); + update_load_avg(cfs_rq, se, UPDATE_TG); +- /* +- * HACK, stash a copy of deadline at the point of pick in vlag, +- * which isn't used until dequeue. +- */ +- se->vlag = se->deadline; ++ ++ set_protect_slice(se); + } + + update_stats_curr_start(cfs_rq, se); +@@ -8882,8 +8895,15 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int + * Preempt an idle entity in favor of a non-idle entity (and don't preempt + * in the inverse case). + */ +- if (cse_is_idle && !pse_is_idle) ++ if (cse_is_idle && !pse_is_idle) { ++ /* ++ * When non-idle entity preempt an idle entity, ++ * don't give idle entity slice protection. ++ */ ++ cancel_protect_slice(se); + goto preempt; ++ } ++ + if (cse_is_idle != pse_is_idle) + return; + +@@ -8902,8 +8922,8 @@ static void check_preempt_wakeup_fair(struct rq *rq, struct task_struct *p, int + * Note that even if @p does not turn out to be the most eligible + * task at this moment, current's slice protection will be lost. + */ +- if (do_preempt_short(cfs_rq, pse, se) && se->vlag == se->deadline) +- se->vlag = se->deadline + 1; ++ if (do_preempt_short(cfs_rq, pse, se)) ++ cancel_protect_slice(se); + + /* + * If @p has become the most eligible task, force preemption. +-- +2.39.5 + diff --git a/queue-6.12/sched-deadline-use-online-cpus-for-validating-runtim.patch b/queue-6.12/sched-deadline-use-online-cpus-for-validating-runtim.patch new file mode 100644 index 0000000000..fdd10b6691 --- /dev/null +++ b/queue-6.12/sched-deadline-use-online-cpus-for-validating-runtim.patch @@ -0,0 +1,45 @@ +From ebb1691be0d19edad193cbc5aa024128a969e7dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 10:59:53 +0530 +Subject: sched/deadline: Use online cpus for validating runtime + +From: Shrikanth Hegde + +[ Upstream commit 14672f059d83f591afb2ee1fff56858efe055e5a ] + +The ftrace selftest reported a failure because writing -1 to +sched_rt_runtime_us returns -EBUSY. This happens when the possible +CPUs are different from active CPUs. + +Active CPUs are part of one root domain, while remaining CPUs are part +of def_root_domain. Since active cpumask is being used, this results in +cpus=0 when a non active CPUs is used in the loop. + +Fix it by looping over the online CPUs instead for validating the +bandwidth calculations. + +Signed-off-by: Shrikanth Hegde +Signed-off-by: Ingo Molnar +Reviewed-by: Juri Lelli +Link: https://lore.kernel.org/r/20250306052954.452005-2-sshegde@linux.ibm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index a17c23b53049c..5e7ae404c8d2a 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -3179,7 +3179,7 @@ int sched_dl_global_validate(void) + * value smaller than the currently allocated bandwidth in + * any of the root_domains. + */ +- for_each_possible_cpu(cpu) { ++ for_each_online_cpu(cpu) { + rcu_read_lock_sched(); + + if (dl_bw_visited(cpu, gen)) +-- +2.39.5 + diff --git a/queue-6.12/sched-eevdf-force-propagating-min_slice-of-cfs_rq-wh.patch b/queue-6.12/sched-eevdf-force-propagating-min_slice-of-cfs_rq-wh.patch new file mode 100644 index 0000000000..f2d0907ce6 --- /dev/null +++ b/queue-6.12/sched-eevdf-force-propagating-min_slice-of-cfs_rq-wh.patch @@ -0,0 +1,53 @@ +From 7f341156a4df03cf7b78c564edba5d26faa6f57b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 14:36:59 +0800 +Subject: sched/eevdf: Force propagating min_slice of cfs_rq when {en,de}queue + tasks + +From: Tianchen Ding + +[ Upstream commit 563bc2161b94571ea425bbe2cf69fd38e24cdedf ] + +When a task is enqueued and its parent cgroup se is already on_rq, this +parent cgroup se will not be enqueued again, and hence the root->min_slice +leaves unchanged. The same issue happens when a task is dequeued and its +parent cgroup se has other runnable entities, and the parent cgroup se +will not be dequeued. + +Force propagating min_slice when se doesn't need to be enqueued or +dequeued. Ensure the se hierarchy always get the latest min_slice. + +Fixes: aef6987d8954 ("sched/eevdf: Propagate min_slice up the cgroup hierarchy") +Signed-off-by: Tianchen Ding +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20250211063659.7180-1-dtcccc@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 49e340f9fa71b..ceb023629d48d 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -7103,6 +7103,8 @@ enqueue_task_fair(struct rq *rq, struct task_struct *p, int flags) + update_cfs_group(se); + + se->slice = slice; ++ if (se != cfs_rq->curr) ++ min_vruntime_cb_propagate(&se->run_node, NULL); + slice = cfs_rq_min_slice(cfs_rq); + + cfs_rq->h_nr_running++; +@@ -7232,6 +7234,8 @@ static int dequeue_entities(struct rq *rq, struct sched_entity *se, int flags) + update_cfs_group(se); + + se->slice = slice; ++ if (se != cfs_rq->curr) ++ min_vruntime_cb_propagate(&se->run_node, NULL); + slice = cfs_rq_min_slice(cfs_rq); + + cfs_rq->h_nr_running -= h_nr_running; +-- +2.39.5 + diff --git a/queue-6.12/sched-smt-always-inline-sched_smt_active.patch b/queue-6.12/sched-smt-always-inline-sched_smt_active.patch new file mode 100644 index 0000000000..1f6bd65e68 --- /dev/null +++ b/queue-6.12/sched-smt-always-inline-sched_smt_active.patch @@ -0,0 +1,45 @@ +From f8bbc5d01e29b1599bdf377ab787defe3d271e4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 21:26:44 -0700 +Subject: sched/smt: Always inline sched_smt_active() + +From: Josh Poimboeuf + +[ Upstream commit 09f37f2d7b21ff35b8b533f9ab8cfad2fe8f72f6 ] + +sched_smt_active() can be called from noinstr code, so it should always +be inlined. The CONFIG_SCHED_SMT version already has __always_inline. +Do the same for its !CONFIG_SCHED_SMT counterpart. + +Fixes the following warning: + + vmlinux.o: error: objtool: intel_idle_ibrs+0x13: call to sched_smt_active() leaves .noinstr.text section + +Fixes: 321a874a7ef8 ("sched/smt: Expose sched_smt_present static key") +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/1d03907b0a247cf7fb5c1d518de378864f603060.1743481539.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/r/202503311434.lyw2Tveh-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + include/linux/sched/smt.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/sched/smt.h b/include/linux/sched/smt.h +index fb1e295e7e63e..166b19af956f8 100644 +--- a/include/linux/sched/smt.h ++++ b/include/linux/sched/smt.h +@@ -12,7 +12,7 @@ static __always_inline bool sched_smt_active(void) + return static_branch_likely(&sched_smt_present); + } + #else +-static inline bool sched_smt_active(void) { return false; } ++static __always_inline bool sched_smt_active(void) { return false; } + #endif + + void arch_smt_update(void); +-- +2.39.5 + diff --git a/queue-6.12/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch b/queue-6.12/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch new file mode 100644 index 0000000000..708166015b --- /dev/null +++ b/queue-6.12/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch @@ -0,0 +1,80 @@ +From 2fd07964a6625adf9a1835c9baef6a59a8f37ae8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 09:15:32 +0000 +Subject: sctp: add mutual exclusion in proc_sctp_do_udp_port() + +From: Eric Dumazet + +[ Upstream commit 10206302af856791fbcc27a33ed3c3eb09b2793d ] + +We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start() +or risk a crash as syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] +CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 + RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653 +Call Trace: + + udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181 + sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930 + proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553 + proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601 + iter_file_splice_write+0x91c/0x1150 fs/splice.c:738 + do_splice_from fs/splice.c:935 [inline] + direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158 + splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102 + do_splice_direct_actor fs/splice.c:1201 [inline] + do_splice_direct+0x174/0x240 fs/splice.c:1227 + do_sendfile+0xafd/0xe50 fs/read_write.c:1368 + __do_sys_sendfile64 fs/read_write.c:1429 [inline] + __se_sys_sendfile64 fs/read_write.c:1415 [inline] + __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + +Fixes: 046c052b475e ("sctp: enable udp tunneling socks") +Reported-by: syzbot+fae49d997eb56fa7c74d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/67ea5c01.050a0220.1547ec.012b.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Marcelo Ricardo Leitner +Acked-by: Xin Long +Link: https://patch.msgid.link/20250331091532.224982-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sysctl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c +index 8e1e97be4df79..ee3eac338a9de 100644 +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -525,6 +525,8 @@ static int proc_sctp_do_auth(const struct ctl_table *ctl, int write, + return ret; + } + ++static DEFINE_MUTEX(sctp_sysctl_mutex); ++ + static int proc_sctp_do_udp_port(const struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +@@ -549,6 +551,7 @@ static int proc_sctp_do_udp_port(const struct ctl_table *ctl, int write, + if (new_value > max || new_value < min) + return -EINVAL; + ++ mutex_lock(&sctp_sysctl_mutex); + net->sctp.udp_port = new_value; + sctp_udp_sock_stop(net); + if (new_value) { +@@ -561,6 +564,7 @@ static int proc_sctp_do_udp_port(const struct ctl_table *ctl, int write, + lock_sock(sk); + sctp_sk(sk)->udp_port = htons(net->sctp.udp_port); + release_sock(sk); ++ mutex_unlock(&sctp_sysctl_mutex); + } + + return ret; +-- +2.39.5 + diff --git a/queue-6.12/selftests-bpf-fix-freplace_link-segfault-in-tailcall.patch b/queue-6.12/selftests-bpf-fix-freplace_link-segfault-in-tailcall.patch new file mode 100644 index 0000000000..2416426026 --- /dev/null +++ b/queue-6.12/selftests-bpf-fix-freplace_link-segfault-in-tailcall.patch @@ -0,0 +1,44 @@ +From c1a30992f3421d321551ae24d494251e487307ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2025 10:28:38 +0800 +Subject: selftests/bpf: Fix freplace_link segfault in tailcalls prog test + +From: Tengda Wu + +[ Upstream commit a63a631c9b5cb25a1c17dd2cb18c63df91e978b1 ] + +There are two bpf_link__destroy(freplace_link) calls in +test_tailcall_bpf2bpf_freplace(). After the first bpf_link__destroy() +is called, if the following bpf_map_{update,delete}_elem() throws an +exception, it will jump to the "out" label and call bpf_link__destroy() +again, causing double free and eventually leading to a segfault. + +Fix it by directly resetting freplace_link to NULL after the first +bpf_link__destroy() call. + +Fixes: 021611d33e78 ("selftests/bpf: Add test to verify tailcall and freplace restrictions") +Signed-off-by: Tengda Wu +Signed-off-by: Andrii Nakryiko +Reviewed-by: Leon Hwang +Link: https://lore.kernel.org/bpf/20250122022838.1079157-1-wutengda@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/tailcalls.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/tailcalls.c b/tools/testing/selftests/bpf/prog_tests/tailcalls.c +index 40f22454cf05b..1f0977742741f 100644 +--- a/tools/testing/selftests/bpf/prog_tests/tailcalls.c ++++ b/tools/testing/selftests/bpf/prog_tests/tailcalls.c +@@ -1599,6 +1599,7 @@ static void test_tailcall_bpf2bpf_freplace(void) + goto out; + + err = bpf_link__destroy(freplace_link); ++ freplace_link = NULL; + if (!ASSERT_OK(err, "destroy link")) + goto out; + +-- +2.39.5 + diff --git a/queue-6.12/selftests-bpf-fix-string-read-in-strncmp-benchmark.patch b/queue-6.12/selftests-bpf-fix-string-read-in-strncmp-benchmark.patch new file mode 100644 index 0000000000..b6f62e6cb3 --- /dev/null +++ b/queue-6.12/selftests-bpf-fix-string-read-in-strncmp-benchmark.patch @@ -0,0 +1,83 @@ +From b297cf4e4fbfd0fcd644792b57d926b0572f6409 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 13:28:52 +0100 +Subject: selftests/bpf: Fix string read in strncmp benchmark +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Viktor Malik + +[ Upstream commit de07b182899227d5fd1ca7a1a7d495ecd453d49c ] + +The strncmp benchmark uses the bpf_strncmp helper and a hand-written +loop to compare two strings. The values of the strings are filled from +userspace. One of the strings is non-const (in .bss) while the other is +const (in .rodata) since that is the requirement of bpf_strncmp. + +The problem is that in the hand-written loop, Clang optimizes the reads +from the const string to always return 0 which breaks the benchmark. + +Use barrier_var to prevent the optimization. + +The effect can be seen on the strncmp-no-helper variant. + +Before this change: + + # ./bench strncmp-no-helper + Setting up benchmark 'strncmp-no-helper'... + Benchmark 'strncmp-no-helper' started. + Iter 0 (112.309us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s + Iter 1 (-23.238us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s + Iter 2 ( 58.994us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s + Iter 3 (-30.466us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s + Iter 4 ( 29.996us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s + Iter 5 ( 16.949us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s + Iter 6 (-60.035us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s + Summary: hits 0.000 ± 0.000M/s ( 0.000M/prod), drops 0.000 ± 0.000M/s, total operations 0.000 ± 0.000M/s + +After this change: + + # ./bench strncmp-no-helper + Setting up benchmark 'strncmp-no-helper'... + Benchmark 'strncmp-no-helper' started. + Iter 0 ( 77.711us): hits 5.534M/s ( 5.534M/prod), drops 0.000M/s, total operations 5.534M/s + Iter 1 ( 11.215us): hits 6.006M/s ( 6.006M/prod), drops 0.000M/s, total operations 6.006M/s + Iter 2 (-14.253us): hits 5.931M/s ( 5.931M/prod), drops 0.000M/s, total operations 5.931M/s + Iter 3 ( 59.087us): hits 6.005M/s ( 6.005M/prod), drops 0.000M/s, total operations 6.005M/s + Iter 4 (-21.379us): hits 6.010M/s ( 6.010M/prod), drops 0.000M/s, total operations 6.010M/s + Iter 5 (-20.310us): hits 5.861M/s ( 5.861M/prod), drops 0.000M/s, total operations 5.861M/s + Iter 6 ( 53.937us): hits 6.004M/s ( 6.004M/prod), drops 0.000M/s, total operations 6.004M/s + Summary: hits 5.969 ± 0.061M/s ( 5.969M/prod), drops 0.000 ± 0.000M/s, total operations 5.969 ± 0.061M/s + +Fixes: 9c42652f8be3 ("selftests/bpf: Add benchmark for bpf_strncmp() helper") +Suggested-by: Andrii Nakryiko +Signed-off-by: Viktor Malik +Signed-off-by: Andrii Nakryiko +Acked-by: Hou Tao +Link: https://lore.kernel.org/bpf/20250313122852.1365202-1-vmalik@redhat.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/strncmp_bench.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/progs/strncmp_bench.c b/tools/testing/selftests/bpf/progs/strncmp_bench.c +index 18373a7df76e6..f47bf88f8d2a7 100644 +--- a/tools/testing/selftests/bpf/progs/strncmp_bench.c ++++ b/tools/testing/selftests/bpf/progs/strncmp_bench.c +@@ -35,7 +35,10 @@ static __always_inline int local_strncmp(const char *s1, unsigned int sz, + SEC("tp/syscalls/sys_enter_getpgid") + int strncmp_no_helper(void *ctx) + { +- if (local_strncmp(str, cmp_str_len + 1, target) < 0) ++ const char *target_str = target; ++ ++ barrier_var(target_str); ++ if (local_strncmp(str, cmp_str_len + 1, target_str) < 0) + __sync_add_and_fetch(&hits, 1); + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/selftests-bpf-select-numa_no_node-to-create-map.patch b/queue-6.12/selftests-bpf-select-numa_no_node-to-create-map.patch new file mode 100644 index 0000000000..da4506b8de --- /dev/null +++ b/queue-6.12/selftests-bpf-select-numa_no_node-to-create-map.patch @@ -0,0 +1,55 @@ +From 42e51006b4f3bb9f3eb8c7638dcb95fd4edd87e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2025 12:35:22 +0530 +Subject: selftests/bpf: Select NUMA_NO_NODE to create map + +From: Saket Kumar Bhaskar + +[ Upstream commit 4107a1aeb20ed4cdad6a0d49de92ea0f933c71b7 ] + +On powerpc, a CPU does not necessarily originate from NUMA node 0. +This contrasts with architectures like x86, where CPU 0 is not +hot-pluggable, making NUMA node 0 a consistently valid node. +This discrepancy can lead to failures when creating a map on NUMA +node 0, which is initialized by default, if no CPUs are allocated +from NUMA node 0. + +This patch fixes the issue by setting NUMA_NO_NODE (-1) for map +creation for this selftest. + +Fixes: 96eabe7a40aa ("bpf: Allow selecting numa node during map creation") +Signed-off-by: Saket Kumar Bhaskar +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/cf1f61468b47425ecf3728689bc9636ddd1d910e.1738302337.git.skb99@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c +index cc184e4420f6e..67557cda22083 100644 +--- a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c ++++ b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c +@@ -6,6 +6,10 @@ + #include + #include "bloom_filter_map.skel.h" + ++#ifndef NUMA_NO_NODE ++#define NUMA_NO_NODE (-1) ++#endif ++ + static void test_fail_cases(void) + { + LIBBPF_OPTS(bpf_map_create_opts, opts); +@@ -69,6 +73,7 @@ static void test_success_cases(void) + + /* Create a map */ + opts.map_flags = BPF_F_ZERO_SEED | BPF_F_NUMA_NODE; ++ opts.numa_node = NUMA_NO_NODE; + fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, sizeof(value), 100, &opts); + if (!ASSERT_GE(fd, 0, "bpf_map_create bloom filter success case")) + return; +-- +2.39.5 + diff --git a/queue-6.12/selftests-mm-cow-fix-the-incorrect-error-handling.patch b/queue-6.12/selftests-mm-cow-fix-the-incorrect-error-handling.patch new file mode 100644 index 0000000000..bb886634be --- /dev/null +++ b/queue-6.12/selftests-mm-cow-fix-the-incorrect-error-handling.patch @@ -0,0 +1,41 @@ +From 8b3a8b501ec2a8e8505588db7223d5906f52f75d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 12:38:40 +0800 +Subject: selftests/mm/cow: fix the incorrect error handling + +From: Cyan Yang + +[ Upstream commit f841ad9ca5007167c02de143980c9dc703f90b3d ] + +Error handling doesn't check the correct return value. This patch will +fix it. + +Link: https://lkml.kernel.org/r/20250312043840.71799-1-cyan.yang@sifive.com +Fixes: f4b5fd6946e2 ("selftests/vm: anon_cow: THP tests") +Signed-off-by: Cyan Yang +Reviewed-by: Dev Jain +Reviewed-by: Muhammad Usama Anjum +Cc: David Hildenbrand +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/mm/cow.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/mm/cow.c b/tools/testing/selftests/mm/cow.c +index 1238e1c5aae15..d87c5b1763ff1 100644 +--- a/tools/testing/selftests/mm/cow.c ++++ b/tools/testing/selftests/mm/cow.c +@@ -876,7 +876,7 @@ static void do_run_with_thp(test_fn fn, enum thp_run thp_run, size_t thpsize) + mremap_size = thpsize / 2; + mremap_mem = mmap(NULL, mremap_size, PROT_NONE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); +- if (mem == MAP_FAILED) { ++ if (mremap_mem == MAP_FAILED) { + ksft_test_result_fail("mmap() failed\n"); + goto munmap; + } +-- +2.39.5 + diff --git a/queue-6.12/selftests-netfilter-skip-br_netfilter-queue-tests-if.patch b/queue-6.12/selftests-netfilter-skip-br_netfilter-queue-tests-if.patch new file mode 100644 index 0000000000..19be900266 --- /dev/null +++ b/queue-6.12/selftests-netfilter-skip-br_netfilter-queue-tests-if.patch @@ -0,0 +1,90 @@ +From 410cdeabffebfc46aa9c6ba9afb101d12b41cb3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 12:52:45 +0100 +Subject: selftests: netfilter: skip br_netfilter queue tests if kernel is + tainted + +From: Florian Westphal + +[ Upstream commit c21b02fd9cbf15aed6e32c89e0fd70070281e3d1 ] + +These scripts fail if the kernel is tainted which leads to wrong test +failure reports in CI environments when an unrelated test triggers some +splat. + +Check taint state at start of script and SKIP if its already dodgy. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/netfilter/br_netfilter.sh | 7 +++++++ + .../testing/selftests/net/netfilter/br_netfilter_queue.sh | 7 +++++++ + tools/testing/selftests/net/netfilter/nft_queue.sh | 1 + + 3 files changed, 15 insertions(+) + +diff --git a/tools/testing/selftests/net/netfilter/br_netfilter.sh b/tools/testing/selftests/net/netfilter/br_netfilter.sh +index c28379a965d83..1559ba275105e 100755 +--- a/tools/testing/selftests/net/netfilter/br_netfilter.sh ++++ b/tools/testing/selftests/net/netfilter/br_netfilter.sh +@@ -13,6 +13,12 @@ source lib.sh + + checktool "nft --version" "run test without nft tool" + ++read t < /proc/sys/kernel/tainted ++if [ "$t" -ne 0 ];then ++ echo SKIP: kernel is tainted ++ exit $ksft_skip ++fi ++ + cleanup() { + cleanup_all_ns + } +@@ -165,6 +171,7 @@ if [ "$t" -eq 0 ];then + echo PASS: kernel not tainted + else + echo ERROR: kernel is tainted ++ dmesg + ret=1 + fi + +diff --git a/tools/testing/selftests/net/netfilter/br_netfilter_queue.sh b/tools/testing/selftests/net/netfilter/br_netfilter_queue.sh +index 6a764d70ab06f..4788641717d93 100755 +--- a/tools/testing/selftests/net/netfilter/br_netfilter_queue.sh ++++ b/tools/testing/selftests/net/netfilter/br_netfilter_queue.sh +@@ -4,6 +4,12 @@ source lib.sh + + checktool "nft --version" "run test without nft tool" + ++read t < /proc/sys/kernel/tainted ++if [ "$t" -ne 0 ];then ++ echo SKIP: kernel is tainted ++ exit $ksft_skip ++fi ++ + cleanup() { + cleanup_all_ns + } +@@ -72,6 +78,7 @@ if [ "$t" -eq 0 ];then + echo PASS: kernel not tainted + else + echo ERROR: kernel is tainted ++ dmesg + exit 1 + fi + +diff --git a/tools/testing/selftests/net/netfilter/nft_queue.sh b/tools/testing/selftests/net/netfilter/nft_queue.sh +index a9d109fcc15c2..00fe1a6c1f30c 100755 +--- a/tools/testing/selftests/net/netfilter/nft_queue.sh ++++ b/tools/testing/selftests/net/netfilter/nft_queue.sh +@@ -593,6 +593,7 @@ EOF + echo "PASS: queue program exiting while packets queued" + else + echo "TAINT: queue program exiting while packets queued" ++ dmesg + ret=1 + fi + } +-- +2.39.5 + diff --git a/queue-6.12/selinux-chain-up-tool-resolving-errors-in-install_po.patch b/queue-6.12/selinux-chain-up-tool-resolving-errors-in-install_po.patch new file mode 100644 index 0000000000..58b3f17280 --- /dev/null +++ b/queue-6.12/selinux-chain-up-tool-resolving-errors-in-install_po.patch @@ -0,0 +1,66 @@ +From c6ca1438967e1d3b36dd6daccdac27926c7f469a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 10:56:43 +0100 +Subject: selinux: Chain up tool resolving errors in install_policy.sh + +From: Tim Schumacher + +[ Upstream commit 6ae0042f4d3f331e841495eb0a3d51598e593ec2 ] + +Subshell evaluations are not exempt from errexit, so if a command is +not available, `which` will fail and exit the script as a whole. +This causes the helpful error messages to not be printed if they are +tacked on using a `$?` comparison. + +Resolve the issue by using chains of logical operators, which are not +subject to the effects of errexit. + +Fixes: e37c1877ba5b1 ("scripts/selinux: modernize mdp") +Signed-off-by: Tim Schumacher +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + scripts/selinux/install_policy.sh | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh +index 24086793b0d8d..db40237e60ce7 100755 +--- a/scripts/selinux/install_policy.sh ++++ b/scripts/selinux/install_policy.sh +@@ -6,27 +6,24 @@ if [ `id -u` -ne 0 ]; then + exit 1 + fi + +-SF=`which setfiles` +-if [ $? -eq 1 ]; then ++SF=`which setfiles` || { + echo "Could not find setfiles" + echo "Do you have policycoreutils installed?" + exit 1 +-fi ++} + +-CP=`which checkpolicy` +-if [ $? -eq 1 ]; then ++CP=`which checkpolicy` || { + echo "Could not find checkpolicy" + echo "Do you have checkpolicy installed?" + exit 1 +-fi ++} + VERS=`$CP -V | awk '{print $1}'` + +-ENABLED=`which selinuxenabled` +-if [ $? -eq 1 ]; then ++ENABLED=`which selinuxenabled` || { + echo "Could not find selinuxenabled" + echo "Do you have libselinux-utils installed?" + exit 1 +-fi ++} + + if selinuxenabled; then + echo "SELinux is already enabled" +-- +2.39.5 + diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..dac3bea9fa --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1,345 @@ +watch_queue-fix-pipe-accounting-mismatch.patch +x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch +cpufreq-scpi-compare-khz-instead-of-hz.patch +smack-dont-compile-ipv6-code-unless-ipv6-is-configur.patch +smack-ipv4-ipv6-tcp-dccp-sctp-fix-incorrect-child-so.patch +sched-cancel-the-slice-protection-of-the-idle-entity.patch +sched-eevdf-force-propagating-min_slice-of-cfs_rq-wh.patch +cpufreq-governor-fix-negative-idle_time-handling-in-.patch +edac-skx_common-i10nm-fix-some-missing-error-reports.patch +x86-fpu-fix-guest-fpu-state-buffer-allocation-size.patch +x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch +x86-platform-only-allow-config_eisa-for-32-bit.patch +x86-sev-add-missing-rip_rel_ref-invocations-during-s.patch +lockdep-mm-fix-might_fault-lockdep-check-of-current-.patch +pm-sleep-adjust-check-before-setting-power.must_resu.patch +cpufreq-tegra194-allow-building-for-tegra234.patch +risc-v-kvm-disable-the-kernel-perf-counter-during-co.patch +kunit-stackinit-use-fill-byte-different-from-clang-i.patch +watchdog-hardlockup-perf-fix-perf_event-memory-leak.patch +selinux-chain-up-tool-resolving-errors-in-install_po.patch +edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch +edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch +edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch +x86-resctrl-fix-allocation-of-cleanest-closid-on-pla.patch +thermal-int340x-add-null-check-for-adev.patch +pm-sleep-fix-handling-devices-with-direct_complete-s.patch +lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch +perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch +x86-traps-make-exc_double_fault-consistently-noretur.patch +x86-fpu-xstate-fix-inconsistencies-in-guest-fpu-xfea.patch +x86-entry-add-__init-to-ia32_emulation_override_cmdl.patch +regulator-pca9450-fix-enable-register-for-ldo5.patch +auxdisplay-max6959-should-select-bitreverse.patch +media-verisilicon-hevc-initialize-start_bit-field.patch +media-platform-allgro-dvt-unregister-v4l2_device-on-.patch +auxdisplay-panel-fix-an-api-misuse-in-panel.c.patch +platform-x86-lenovo-yoga-tab2-pro-1380-fastcharger-m.patch +platform-x86-dell-uart-backlight-make-dell_uart_bl_s.patch +platform-x86-dell-ddv-fix-temperature-calculation.patch +asoc-cs35l41-check-the-return-value-from-spi_setup.patch +asoc-amd-acp-fix-for-enabling-dmic-on-acp-platforms-.patch +hid-remove-superfluous-and-wrong-makefile-entry-for-.patch +dt-bindings-vendor-prefixes-add-gocontroll.patch +alsa-hda-realtek-always-honor-no_shutup_pins.patch +asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch +alsa-timer-don-t-take-register_mutex-with-copy_from-.patch +drm-bridge-ti-sn65dsi86-fix-multiple-instances.patch +drm-ssd130x-set-spi-.id_table-to-prevent-an-spi-core.patch +drm-ssd130x-fix-ssd132x-encoding.patch +drm-ssd130x-ensure-ssd132x-pitch-is-correct.patch +drm-dp_mst-fix-drm-rad-print.patch +drm-bridge-it6505-fix-hdcp-v-match-check-is-not-perf.patch +drm-xlnx-zynqmp-fix-max-dma-segment-size.patch +drm-vkms-fix-use-after-free-and-double-free-on-init-.patch +gpu-cdns-mhdp8546-fix-call-balance-of-mhdp-clk-handl.patch +drm-amdgpu-refine-smu-send-msg-debug-log-format.patch +drm-amdgpu-umsch-fix-ucode-check.patch +pci-use-downstream-bridges-for-distributing-resource.patch +pci-remove-add_align-overwrite-unrelated-to-size0.patch +drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch +drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch +pci-aspm-fix-link-state-exit-during-switch-upstream-.patch +drm-panel-ilitek-ili9882t-fix-gpio-name-in-error-mes.patch +pci-acs-fix-pci-config_acs-parameter.patch +drm-amd-display-fix-an-indent-issue-in-dml21.patch +drm-msm-dpu-don-t-use-active-in-atomic_check.patch +drm-msm-dsi-phy-program-clock-inverters-in-correct-r.patch +drm-msm-dsi-use-existing-per-interface-slice-count-i.patch +drm-msm-dsi-set-phy-usescase-and-mode-before-registe.patch +drm-amdkfd-fix-circular-locking-dependency-in-svm_ra.patch +pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch +pci-brcmstb-set-generation-limit-before-pcie-link-up.patch +pci-brcmstb-use-internal-register-to-change-link-cap.patch +pci-brcmstb-fix-error-path-after-a-call-to-regulator.patch +pci-brcmstb-fix-potential-premature-regulator-disabl.patch +pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch +pci-avoid-reset-when-disabled-via-sysfs.patch +drm-panthor-update-cs_status_-defines-to-correct-val.patch +drm-amd-display-fix-type-mismatch-in-calculatedynami.patch +drm-msm-a6xx-fix-a6xx-indexed-regs-in-devcoreduump.patch +crypto-powerpc-mark-ghashp8-ppc.o-as-an-object_files.patch +powerpc-kexec-fix-physical-address-calculation-in-cl.patch +pci-remove-stray-put_device-in-pci_register_host_bri.patch +pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch +drm-mediatek-fix-config_updating-flag-never-false-wh.patch +drm-mediatek-dp-drm_err-dev_err-in-hpd-path-to-avoid.patch +drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch +drm-amd-display-avoid-npd-when-asic-does-not-support.patch +pci-dwc-ep-return-enomem-for-allocation-failures.patch +pci-histb-fix-an-error-handling-path-in-histb_pcie_p.patch +pci-fix-bar-resizing-when-vf-bars-are-assigned.patch +pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch +fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch +dummycon-fix-default-rows-cols.patch +mdacon-rework-dependency-list.patch +fbdev-sm501fb-add-some-geometry-checks.patch +crypto-iaa-test-the-correct-request-flag.patch +crypto-qat-set-parity-error-mask-for-qat_420xx.patch +crypto-tegra-use-separate-buffer-for-setkey.patch +crypto-tegra-check-return-value-for-hash-do_one_req.patch +crypto-bpf-add-module_description-for-skcipher.patch +crypto-tegra-use-hmac-fallback-when-keyslots-are-ful.patch +clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch +crypto-hisilicon-sec2-fix-for-aead-authsize-alignmen.patch +crypto-hisilicon-sec2-fix-for-sec-spec-check.patch +rdma-mlx5-fix-page_size-variable-overflow.patch +remoteproc-core-clear-table_sz-when-rproc_shutdown.patch +of-property-increase-nr_fwnode_reference_args.patch +pinctrl-renesas-rzg2l-suppress-binding-attributes.patch +remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch +libbpf-fix-hypothetical-stt_section-extern-null-dere.patch +selftests-bpf-fix-string-read-in-strncmp-benchmark.patch +x86-mm-pat-fix-vm_pat-handling-when-fork-fails-in-co.patch +clk-renesas-r8a08g045-check-the-source-of-the-cpu-pl.patch +remoteproc-qcom-pas-add-minidump_id-to-sc7280-wpss.patch +clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch +pinctrl-nuvoton-npcm8xx-fix-error-handling-in-npcm8x.patch +crypto-tegra-fix-cmac-intermediate-result-handling.patch +clk-qcom-gcc-msm8953-fix-stuck-venus0_core0-clock.patch +s390-remove-ioremap_wt-and-pgprot_writethrough.patch +rdma-mana_ib-ensure-variable-err-is-initialized.patch +crypto-tegra-set-iv-to-null-explicitly-for-aes-ecb.patch +remoteproc-qcom_q6v5_pas-use-resource-with-cx-pd-for.patch +clk-qcom-gcc-x1e80100-unregister-gcc_gpu_cfg_ahb_clk.patch +bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch +lib-842-improve-error-handling-in-sw842_compress.patch +pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch +pinctrl-renesas-rzg2l-fix-missing-of_node_put-call.patch +rdma-mlx5-fix-mr-cache-initialization-error-flow.patch +selftests-bpf-fix-freplace_link-segfault-in-tailcall.patch +clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch +rdma-core-don-t-expose-hw_counters-outside-of-init-n.patch +rdma-mlx5-fix-calculation-of-total-invalidated-pages.patch +rdma-erdma-prevent-use-after-free-in-erdma_accept_ne.patch +remoteproc-qcom_q6v5_mss-handle-platforms-with-one-p.patch +power-supply-bq27xxx_battery-do-not-update-cached-fl.patch +crypto-api-fix-larval-relookup-type-and-mask.patch +ib-mad-check-available-slots-before-posting-receive-.patch +pinctrl-tegra-set-sfio-mode-to-mux-register.patch +clk-amlogic-g12b-fix-cluster-a-parent-data.patch +clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch +selftests-bpf-select-numa_no_node-to-create-map.patch +rust-fix-signature-of-rust_fmt_argument.patch +pinctrl-npcm8xx-fix-incorrect-struct-npcm8xx_pincfg-.patch +crypto-qat-remove-access-to-parity-register-for-qat-.patch +clk-clk-imx8mp-audiomix-fix-dsp-ocram_a-clock-parent.patch +clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch +x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch +power-supply-max77693-fix-wrong-conversion-of-charge.patch +crypto-nx-fix-uninitialised-hv_nxc-on-error.patch +clk-qcom-gcc-sm8650-do-not-turn-off-usb-gdscs-during.patch +bpf-fix-array-bounds-error-with-may_goto.patch +rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch +pinctrl-renesas-rzv2m-fix-missing-of_node_put-call.patch +mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch +leds-fix-led_off-brightness-race.patch +x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch +rdma-core-fix-use-after-free-when-rename-device-name.patch +crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch +pinctrl-intel-fix-wrong-bypass-assignment-in-intel_p.patch +clk-qcom-mmcc-sdm660-fix-stuck-video_subcore0-clock.patch +perf-stat-fix-find_stat-for-mixed-legacy-non-legacy-.patch +perf-always-feature-test-reallocarray.patch +w1-fix-null-pointer-dereference-in-probe.patch +fs-ntfs3-update-inode-i_mapping-a_ops-on-compression.patch +phy-phy-rockchip-samsung-hdptx-don-t-use-dt-aliases-.patch +isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch +soundwire-slave-fix-an-of-node-reference-leak-in-sou.patch +perf-report-switch-data-file-correctly-in-tui.patch +greybus-gb-beagleplay-add-error-handling-for-gb_grey.patch +coresight-catu-fix-number-of-pages-while-using-64k-p.patch +vhost-scsi-fix-handling-of-multiple-calls-to-vhost_s.patch +coresight-etm4x-add-isb-before-reading-the-trcstatr.patch +perf-pmu-don-t-double-count-common-sysfs-and-json-ev.patch +tools-x86-fix-linux-unaligned.h-include-path-in-lib-.patch +perf-build-fix-in-tree-build-due-to-symbolic-link.patch +ucsi_ccg-don-t-show-failed-to-get-fw-build-informati.patch +iio-accel-mma8452-ensure-error-return-on-failure-to-.patch +iio-accel-msa311-fix-failure-to-release-runtime-pm-i.patch +iio-backend-make-sure-to-null-terminate-stack-buffer.patch +perf-arm-spe-fix-load-store-operation-checking.patch +perf-bench-fix-perf-bench-syscall-loop-count.patch +usb-xhci-correct-debug-message-page-size-calculation.patch +fs-ntfs3-fix-a-couple-integer-overflows-on-32bit-sys.patch +fs-ntfs3-prevent-integer-overflow-in-hdr_first_de.patch +dmaengine-fsl-edma-cleanup-chan-after-dma_async_devi.patch +dmaengine-fsl-edma-free-irq-correctly-in-remove-path.patch +iio-adc-ad4130-fix-comparison-of-channel-setups.patch +iio-adc-ad7124-fix-comparison-of-channel-configs.patch +iio-adc-ad7173-fix-comparison-of-channel-configs.patch +iio-adc-ad7768-1-set-mosi-idle-state-to-prevent-acci.patch +iio-light-add-check-for-array-bounds-in-veml6075_rea.patch +perf-debug-avoid-stack-overflow-in-recursive-error-m.patch +perf-evlist-add-success-path-to-evlist__create_syswi.patch +perf-units-fix-insufficient-array-space.patch +kernel-events-uprobes-handle-device-exclusive-entrie.patch +kexec-initialize-elf-lowest-address-to-ulong_max.patch +ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch +arch-powerpc-drop-generic_ptdump-from-mpc885_ads_def.patch +nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch +nfsv4-avoid-unnecessary-scans-of-filesystems-for-ret.patch +nfsv4-avoid-unnecessary-scans-of-filesystems-for-exp.patch +nfsv4-avoid-unnecessary-scans-of-filesystems-for-del.patch +nfs-fix-open_owner_id_maxsz-and-related-fields.patch +fuse-fix-dax-truncate-punch_hole-fault-path.patch +selftests-mm-cow-fix-the-incorrect-error-handling.patch +um-pass-the-correct-rust-target-and-options-with-gcc.patch +um-remove-copy_from_kernel_nofault_allowed.patch +um-hostfs-avoid-issues-on-inode-number-reuse-by-host.patch +i3c-master-svc-fix-missing-the-ibi-rules.patch +perf-python-fixup-description-of-sample.id-event-mem.patch +perf-python-decrement-the-refcount-of-just-created-e.patch +perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch +perf-python-check-if-there-is-space-to-copy-all-the-.patch +perf-dso-fix-dso__is_kallsyms-check.patch +perf-intel-tpebs-fix-incorrect-usage-of-zfree.patch +staging-rtl8723bs-select-config_crypto_lib_aes.patch +staging-vchiq_arm-register-debugfs-after-cdev.patch +staging-vchiq_arm-fix-possible-npr-of-keep-alive-thr.patch +tty-n_tty-use-uint-for-space-returned-by-tty_write_r.patch +perf-vendor-events-arm64-ampereonex-fix-frontend_bou.patch +fs-procfs-fix-the-comment-above-proc_pid_wchan.patch +perf-tools-annotate-asm_pure_loop.s.patch +perf-bpf-filter-fix-a-parsing-error-with-comma.patch +thermal-core-remove-duplicate-struct-declaration.patch +objtool-nvmet-fix-out-of-bounds-stack-access-in-nvme.patch +objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch +nfs-shut-down-the-nfs_client-only-after-all-the-supe.patch +smb-client-fix-netns-refcount-imbalance-causing-leak.patch +exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch +exfat-fix-missing-shutdown-check.patch +rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch +rndis_host-flag-rndis-modems-as-wwan-devices.patch +ksmbd-use-aead_request_free-to-match-aead_request_al.patch +ksmbd-fix-multichannel-connection-failure.patch +ksmbd-fix-r_count-dec-increment-mismatch.patch +net-mlx5e-shampo-make-reserved-size-independent-of-p.patch +ring-buffer-fix-bytes_dropped-calculation-issue.patch +objtool-fix-segfault-in-ignore_unreachable_insn.patch +loongarch-fix-help-text-of-cmdline_extend-in-kconfig.patch +loongarch-fix-device-node-refcount-leak-in-fdt_cpu_c.patch +loongarch-rework-the-arch_kgdb_breakpoint-implementa.patch +acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch +net-phy-broadcom-correct-bcm5221-phy-model-detection.patch +octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch +octeontx2-af-free-nix_af_int_vec_gen-irq.patch +objtool-fix-verbose-disassembly-if-cross_compile-isn.patch +sched-smt-always-inline-sched_smt_active.patch +context_tracking-always-inline-ct_-nmi-irq-_-enter-e.patch +rcu-tasks-always-inline-rcu_irq_work_resched.patch +objtool-loongarch-add-unwind-hints-in-prepare_framet.patch +nfs-add-missing-release-on-error-in-nfs_lock_and_joi.patch +wifi-mac80211-cleanup-sta-txqs-on-flush.patch +wifi-mac80211-remove-debugfs-dir-for-virtual-monitor.patch +wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch +wifi-iwlwifi-mvm-use-the-right-version-of-the-rate-a.patch +ntsync-set-the-permissions-to-be-0666.patch +nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch +nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch +nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch +wifi-brcmfmac-keep-power-during-suspend-if-board-req.patch +affs-generate-ofs-sequence-numbers-starting-at-1.patch +affs-don-t-write-overlarge-ofs-data-block-size-field.patch +alsa-hda-realtek-fix-asus-z13-2025-audio.patch +alsa-hda-fix-speakers-on-asus-expertbook-p5405csa-1..patch +perf-core-fix-perf_pmu_register-vs.-perf_init_event.patch +smb-common-change-the-data-type-of-num_aces-to-le16.patch +cifs-fix-incorrect-validation-for-num_aces-field-of-.patch +platform-x86-intel-hid-fix-volume-buttons-on-microso.patch +platform-x86-intel-vsec-add-diamond-rapids-support.patch +net-dsa-rtl8366rb-don-t-prompt-users-for-led-control.patch +hid-i2c-hid-improve-i2c_hid_get_report-error-message.patch +platform-x86-amd-pmf-propagate-pmf-ta-return-codes.patch +platform-x86-amd-pmf-update-pmf-driver-for-compatibi.patch +exfat-add-a-check-for-invalid-data-size.patch +alsa-hda-realtek-add-support-for-asus-rog-strix-g814.patch +alsa-hda-realtek-add-support-for-asus-rog-strix-ga60.patch +alsa-hda-realtek-add-support-for-asus-rog-strix-g614.patch +alsa-hda-realtek-add-support-for-various-asus-laptop.patch +alsa-hda-realtek-add-support-for-asus-b3405-and-b360.patch +alsa-hda-realtek-add-support-for-asus-b5405-and-b560.patch +alsa-hda-realtek-add-support-for-asus-zenbook-um3406.patch +sched-deadline-use-online-cpus-for-validating-runtim.patch +x86-hyperv-vtl-stop-kernel-from-probing-vtl0-low-mem.patch +asoc-codecs-wsa884x-report-temps-to-hwmon-in-millide.patch +asoc-rt1320-set-wake_capable-0-explicitly.patch +wifi-mac80211-flush-the-station-before-moving-it-to-.patch +wifi-mac80211-fix-sa-query-processing-in-mlo.patch +locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch +x86-hyperv-fix-output-argument-to-hypercall-that-cha.patch +x86-sgx-warn-explicitly-if-x86_feature_sgx_lc-is-not.patch +nvme-pci-fix-stuck-reset-on-concurrent-dpc-and-hp.patch +drm-amd-keep-display-off-while-going-into-s4.patch +net-devmem-do-not-warn-conditionally-after-netdev_rx.patch +selftests-netfilter-skip-br_netfilter-queue-tests-if.patch +alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch +can-statistics-use-atomic-access-in-hot-path.patch +memory-omap-gpmc-drop-no-compatible-check.patch +hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch +netfs-fix-netfs_unbuffered_read-to-return-ssize_t-ra.patch +spufs-fix-a-leak-on-spufs_new_file-failure.patch +spufs-fix-gang-directory-lifetimes.patch +spufs-fix-a-leak-in-spufs_create_context.patch +fs-9p-fix-null-pointer-dereference-on-mkdir.patch +riscv-ftrace-add-parentheses-in-macro-definitions-of.patch +ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch +ntb-intel-fix-using-link-status-db-s.patch +firmware-cs_dsp-ensure-cs_dsp_load-_coeff-returns-0-.patch +alsa-hda-realtek-fix-built-in-mic-breakage-on-asus-v.patch +risc-v-errata-use-medany-for-relocatable-builds.patch +x86-uaccess-improve-performance-by-aligning-writes-t.patch +ublk-make-sure-ubq-canceling-is-set-when-queue-is-fr.patch +s390-entry-fix-setting-_cif_mcck_guest-with-lowcore-.patch +asoc-codecs-rt5665-fix-some-error-handling-paths-in-.patch +spi-cadence-fix-out-of-bounds-array-access-in-cdns_m.patch +riscv-fix-hugetlb-retrieval-of-number-of-ptes-in-cas.patch +riscv-kexec_file-handle-r_riscv_64-in-purgatory-relo.patch +riscv-purgatory-4b-align-purgatory_start.patch +nvme-ioctl-don-t-warn-on-vectorized-uring_cmd-with-f.patch +nvme-pci-skip-nvme_write_sq_db-on-empty-rqlist.patch +asoc-imx-card-add-null-check-in-imx_card_probe.patch +spi-bcm2835-do-not-call-gpiod_put-on-invalid-descrip.patch +alsa-hda-realtek-fix-built-in-mic-on-another-asus-vi.patch +spi-bcm2835-restore-native-cs-probing-when-pinctrl-b.patch +e1000e-change-k1-configuration-on-mtp-and-later-plat.patch +idpf-fix-adapter-null-pointer-dereference-on-reboot.patch +netfilter-nft_set_hash-gc-reaps-elements-with-connco.patch +netfilter-nf_tables-don-t-unregister-hook-when-table.patch +netlabel-fix-null-pointer-exception-caused-by-calips.patch +net_sched-skbprio-remove-overly-strict-queue-asserti.patch +sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch +net-mvpp2-prevent-parser-tcam-memory-corruption.patch +udp-fix-multiple-wraparounds-of-sk-sk_rmem_alloc.patch +udp-fix-memory-accounting-leak.patch +vsock-avoid-timeout-during-connect-if-the-socket-is-.patch +tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch +net-decrease-cached-dst-counters-in-dst_release.patch +netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch +ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch +net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch +net-fix-geneve_opt-length-integer-overflow.patch +ipv6-start-path-selection-from-the-first-nexthop.patch +ipv6-do-not-consider-link-down-nexthops-in-path-sele.patch +arcnet-add-null-check-in-com20020pci_probe.patch +net-ibmveth-make-veth_pool_store-stop-hanging.patch diff --git a/queue-6.12/smack-dont-compile-ipv6-code-unless-ipv6-is-configur.patch b/queue-6.12/smack-dont-compile-ipv6-code-unless-ipv6-is-configur.patch new file mode 100644 index 0000000000..15c0268850 --- /dev/null +++ b/queue-6.12/smack-dont-compile-ipv6-code-unless-ipv6-is-configur.patch @@ -0,0 +1,133 @@ +From f698c9062fa5c50e7335c0267f34ef5a8b2778ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jan 2025 19:36:42 +0300 +Subject: smack: dont compile ipv6 code unless ipv6 is configured + +From: Konstantin Andreev + +[ Upstream commit bfcf4004bcbce2cb674b4e8dbd31ce0891766bac ] + +I want to be sure that ipv6-specific code +is not compiled in kernel binaries +if ipv6 is not configured. + +[1] was getting rid of "unused variable" warning, but, +with that, it also mandated compilation of a handful ipv6- +specific functions in ipv4-only kernel configurations: + +smk_ipv6_localhost, smack_ipv6host_label, smk_ipv6_check. + +Their compiled bodies are likely to be removed by compiler +from the resulting binary, but, to be on the safe side, +I remove them from the compiler view. + +[1] +Fixes: 00720f0e7f28 ("smack: avoid unused 'sip' variable warning") + +Signed-off-by: Konstantin Andreev +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack.h | 6 ++++++ + security/smack/smack_lsm.c | 10 +++++++++- + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/security/smack/smack.h b/security/smack/smack.h +index dbf8d7226eb56..1c3656b5e3b91 100644 +--- a/security/smack/smack.h ++++ b/security/smack/smack.h +@@ -152,6 +152,7 @@ struct smk_net4addr { + struct smack_known *smk_label; /* label */ + }; + ++#if IS_ENABLED(CONFIG_IPV6) + /* + * An entry in the table identifying IPv6 hosts. + */ +@@ -162,7 +163,9 @@ struct smk_net6addr { + int smk_masks; /* mask size */ + struct smack_known *smk_label; /* label */ + }; ++#endif /* CONFIG_IPV6 */ + ++#ifdef SMACK_IPV6_PORT_LABELING + /* + * An entry in the table identifying ports. + */ +@@ -175,6 +178,7 @@ struct smk_port_label { + short smk_sock_type; /* Socket type */ + short smk_can_reuse; + }; ++#endif /* SMACK_IPV6_PORT_LABELING */ + + struct smack_known_list_elem { + struct list_head list; +@@ -314,7 +318,9 @@ extern struct smack_known smack_known_web; + extern struct mutex smack_known_lock; + extern struct list_head smack_known_list; + extern struct list_head smk_net4addr_list; ++#if IS_ENABLED(CONFIG_IPV6) + extern struct list_head smk_net6addr_list; ++#endif /* CONFIG_IPV6 */ + + extern struct mutex smack_onlycap_lock; + extern struct list_head smack_onlycap_list; +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 370fd594da125..c066c38c50882 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -2498,6 +2498,7 @@ static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) + return NULL; + } + ++#if IS_ENABLED(CONFIG_IPV6) + /* + * smk_ipv6_localhost - Check for local ipv6 host address + * @sip: the address +@@ -2565,6 +2566,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) + + return NULL; + } ++#endif /* CONFIG_IPV6 */ + + /** + * smack_netlbl_add - Set the secattr on a socket +@@ -2669,6 +2671,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) + return rc; + } + ++#if IS_ENABLED(CONFIG_IPV6) + /** + * smk_ipv6_check - check Smack access + * @subject: subject Smack label +@@ -2701,6 +2704,7 @@ static int smk_ipv6_check(struct smack_known *subject, + rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); + return rc; + } ++#endif /* CONFIG_IPV6 */ + + #ifdef SMACK_IPV6_PORT_LABELING + /** +@@ -3033,7 +3037,9 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, + return 0; + if (addrlen < offsetofend(struct sockaddr, sa_family)) + return 0; +- if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { ++ ++#if IS_ENABLED(CONFIG_IPV6) ++ if (sap->sa_family == AF_INET6) { + struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; + struct smack_known *rsp = NULL; + +@@ -3053,6 +3059,8 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, + + return rc; + } ++#endif /* CONFIG_IPV6 */ ++ + if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) + return 0; + rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); +-- +2.39.5 + diff --git a/queue-6.12/smack-ipv4-ipv6-tcp-dccp-sctp-fix-incorrect-child-so.patch b/queue-6.12/smack-ipv4-ipv6-tcp-dccp-sctp-fix-incorrect-child-so.patch new file mode 100644 index 0000000000..ad12ba92c2 --- /dev/null +++ b/queue-6.12/smack-ipv4-ipv6-tcp-dccp-sctp-fix-incorrect-child-so.patch @@ -0,0 +1,181 @@ +From 9d4ecf79b98aa11cc3773ac314d845d609d67ebe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jan 2025 17:07:27 +0300 +Subject: smack: ipv4/ipv6: tcp/dccp/sctp: fix incorrect child socket label +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Konstantin Andreev + +[ Upstream commit 6cce0cc3861337b3ad8d4ac131d6e47efa0954ec ] + +Since inception [1], SMACK initializes ipv* child socket security +for connection-oriented communications (tcp/sctp/dccp) +during accept() syscall, in the security_sock_graft() hook: + +| void smack_sock_graft(struct sock *sk, ...) +| { +| // only ipv4 and ipv6 are eligible here +| // ... +| ssp = sk->sk_security; // socket security +| ssp->smk_in = skp; // process label: smk_of_current() +| ssp->smk_out = skp; // process label: smk_of_current() +| } + +This approach is incorrect for two reasons: + +A) initialization occurs too late for child socket security: + + The child socket is created by the kernel once the handshake + completes (e.g., for tcp: after receiving ack for syn+ack). + + Data can legitimately start arriving to the child socket + immediately, long before the application calls accept() + on the socket. + + Those data are (currently — were) processed by SMACK using + incorrect child socket security attributes. + +B) Incoming connection requests are handled using the listening + socket's security, hence, the child socket must inherit the + listening socket's security attributes. + + smack_sock_graft() initilizes the child socket's security with + a process label, as is done for a new socket() + + But ... the process label is not necessarily the same as the + listening socket label. A privileged application may legitimately + set other in/out labels for a listening socket. + + When this happens, SMACK processes incoming packets using + incorrect socket security attributes. + +In [2] Michael Lontke noticed (A) and fixed it in [3] by adding +socket initialization into security_sk_clone_security() hook like + +| void smack_sk_clone_security(struct sock *oldsk, struct sock *newsk) +| { +| *(struct socket_smack *)newsk->sk_security = +| *(struct socket_smack *)oldsk->sk_security; +| } + +This initializes the child socket security with the parent (listening) +socket security at the appropriate time. + +I was forced to revisit this old story because + +smack_sock_graft() was left in place by [3] and continues overwriting +the child socket's labels with the process label, +and there might be a reason for this, so I undertook a study. + +If the process label differs from the listening socket's labels, +the following occurs for ipv4: + +assigning the smk_out is not accompanied by netlbl_sock_setattr, +so the outgoing packet's cipso label does not change. + +So, the only effect of this assignment for interhost communications +is a divergence between the program-visible “out” socket label and +the cipso network label. For intrahost communications this label, +however, becomes visible via secmark netfilter marking, and is +checked for access rights by the client, receiving side. + +Assigning the smk_in affects both interhost and intrahost +communications: the server begins to check access rights against +an wrong label. + +Access check against wrong label (smk_in or smk_out), +unsurprisingly fails, breaking the connection. + +The above affects protocols that calls security_sock_graft() +during accept(), namely: {tcp,dccp,sctp}/{ipv4,ipv6} +One extra security_sock_graft() caller, crypto/af_alg.c`af_alg_accept +is not affected, because smack_sock_graft() does nothing for PF_ALG. + +To reproduce, assign non-default in/out labels to a listening socket, +setup rules between these labels and client label, attempt to connect +and send some data. + +Ipv6 specific: ipv6 packets do not convey SMACK labels. To reproduce +the issue in interhost communications set opposite labels in +/smack/ipv6host on both hosts. +Ipv6 intrahost communications do not require tricking, because SMACK +labels are conveyed via secmark netfilter marking. + +So, currently smack_sock_graft() is not useful, but harmful, +therefore, I have removed it. + +This fixes the issue for {tcp,dccp}/{ipv4,ipv6}, +but not sctp/{ipv4,ipv6}. + +Although this change is necessary for sctp+smack to function +correctly, it is not sufficient because: +sctp/ipv4 does not call security_sk_clone() and +sctp/ipv6 ignores SMACK completely. + +These are separate issues, belong to other subsystem, +and should be addressed separately. + +[1] 2008-02-04, +Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") + +[2] Michael Lontke, 2022-08-31, SMACK LSM checks wrong object label + during ingress network traffic +Link: https://lore.kernel.org/linux-security-module/6324997ce4fc092c5020a4add075257f9c5f6442.camel@elektrobit.com/ + +[3] 2022-08-31, michael.lontke, + commit 4ca165fc6c49 ("SMACK: Add sk_clone_security LSM hook") + +Signed-off-by: Konstantin Andreev +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack_lsm.c | 24 ------------------------ + 1 file changed, 24 deletions(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index c066c38c50882..9e13fd3920630 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4357,29 +4357,6 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, + return 0; + } + +-/** +- * smack_sock_graft - Initialize a newly created socket with an existing sock +- * @sk: child sock +- * @parent: parent socket +- * +- * Set the smk_{in,out} state of an existing sock based on the process that +- * is creating the new socket. +- */ +-static void smack_sock_graft(struct sock *sk, struct socket *parent) +-{ +- struct socket_smack *ssp; +- struct smack_known *skp = smk_of_current(); +- +- if (sk == NULL || +- (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) +- return; +- +- ssp = smack_sock(sk); +- ssp->smk_in = skp; +- ssp->smk_out = skp; +- /* cssp->smk_packet is already set in smack_inet_csk_clone() */ +-} +- + /** + * smack_inet_conn_request - Smack access check on connect + * @sk: socket involved +@@ -5168,7 +5145,6 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { + LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), + #endif + LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), +- LSM_HOOK_INIT(sock_graft, smack_sock_graft), + LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), + LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), + +-- +2.39.5 + diff --git a/queue-6.12/smb-client-fix-netns-refcount-imbalance-causing-leak.patch b/queue-6.12/smb-client-fix-netns-refcount-imbalance-causing-leak.patch new file mode 100644 index 0000000000..9a9d431acc --- /dev/null +++ b/queue-6.12/smb-client-fix-netns-refcount-imbalance-causing-leak.patch @@ -0,0 +1,175 @@ +From 936410d578c57e158474335b68ac25f48e8b5a7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 22:30:05 +0800 +Subject: smb: client: Fix netns refcount imbalance causing leaks and + use-after-free + +From: Wang Zhaolong + +[ Upstream commit 4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef ] + +Commit ef7134c7fc48 ("smb: client: Fix use-after-free of network +namespace.") attempted to fix a netns use-after-free issue by manually +adjusting reference counts via sk->sk_net_refcnt and sock_inuse_add(). + +However, a later commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock +after rmmod") pointed out that the approach of manually setting +sk->sk_net_refcnt in the first commit was technically incorrect, as +sk->sk_net_refcnt should only be set for user sockets. It led to issues +like TCP timers not being cleared properly on close. The second commit +moved to a model of just holding an extra netns reference for +server->ssocket using get_net(), and dropping it when the server is torn +down. + +But there remain some gaps in the get_net()/put_net() balancing added by +these commits. The incomplete reference handling in these fixes results +in two issues: + +1. Netns refcount leaks[1] + +The problem process is as follows: + +``` +mount.cifs cifsd + +cifs_do_mount + cifs_mount + cifs_mount_get_session + cifs_get_tcp_session + get_net() /* First get net. */ + ip_connect + generic_ip_connect /* Try port 445 */ + get_net() + ->connect() /* Failed */ + put_net() + generic_ip_connect /* Try port 139 */ + get_net() /* Missing matching put_net() for this get_net().*/ + cifs_get_smb_ses + cifs_negotiate_protocol + smb2_negotiate + SMB2_negotiate + cifs_send_recv + wait_for_response + cifs_demultiplex_thread + cifs_read_from_socket + cifs_readv_from_socket + cifs_reconnect + cifs_abort_connection + sock_release(); + server->ssocket = NULL; + /* Missing put_net() here. */ + generic_ip_connect + get_net() + ->connect() /* Failed */ + put_net() + sock_release(); + server->ssocket = NULL; + free_rsp_buf + ... + clean_demultiplex_info + /* It's only called once here. */ + put_net() +``` + +When cifs_reconnect() is triggered, the server->ssocket is released +without a corresponding put_net() for the reference acquired in +generic_ip_connect() before. it ends up calling generic_ip_connect() +again to retry get_net(). After that, server->ssocket is set to NULL +in the error path of generic_ip_connect(), and the net count cannot be +released in the final clean_demultiplex_info() function. + +2. Potential use-after-free + +The current refcounting scheme can lead to a potential use-after-free issue +in the following scenario: + +``` + cifs_do_mount + cifs_mount + cifs_mount_get_session + cifs_get_tcp_session + get_net() /* First get net */ + ip_connect + generic_ip_connect + get_net() + bind_socket + kernel_bind /* failed */ + put_net() + /* after out_err_crypto_release label */ + put_net() + /* after out_err label */ + put_net() +``` + +In the exception handling process where binding the socket fails, the +get_net() and put_net() calls are unbalanced, which may cause the +server->net reference count to drop to zero and be prematurely released. + +To address both issues, this patch ties the netns reference counting to +the server->ssocket and server lifecycles. The extra reference is now +acquired when the server or socket is created, and released when the +socket is destroyed or the server is torn down. + +[1]: https://bugzilla.kernel.org/show_bug.cgi?id=219792 + +Fixes: ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") +Fixes: e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/connect.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c +index d327f31b317db..8b8475b4e2627 100644 +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -316,6 +316,7 @@ cifs_abort_connection(struct TCP_Server_Info *server) + server->ssocket->flags); + sock_release(server->ssocket); + server->ssocket = NULL; ++ put_net(cifs_net_ns(server)); + } + server->sequence_number = 0; + server->session_estab = false; +@@ -3138,8 +3139,12 @@ generic_ip_connect(struct TCP_Server_Info *server) + /* + * Grab netns reference for the socket. + * +- * It'll be released here, on error, or in clean_demultiplex_info() upon server +- * teardown. ++ * This reference will be released in several situations: ++ * - In the failure path before the cifsd thread is started. ++ * - In the all place where server->socket is released, it is ++ * also set to NULL. ++ * - Ultimately in clean_demultiplex_info(), during the final ++ * teardown. + */ + get_net(net); + +@@ -3155,10 +3160,8 @@ generic_ip_connect(struct TCP_Server_Info *server) + } + + rc = bind_socket(server); +- if (rc < 0) { +- put_net(cifs_net_ns(server)); ++ if (rc < 0) + return rc; +- } + + /* + * Eventually check for other socket options to change from +@@ -3204,9 +3207,6 @@ generic_ip_connect(struct TCP_Server_Info *server) + if (sport == htons(RFC1001_PORT)) + rc = ip_rfc1001_connect(server); + +- if (rc < 0) +- put_net(cifs_net_ns(server)); +- + return rc; + } + +-- +2.39.5 + diff --git a/queue-6.12/smb-common-change-the-data-type-of-num_aces-to-le16.patch b/queue-6.12/smb-common-change-the-data-type-of-num_aces-to-le16.patch new file mode 100644 index 0000000000..f18e0631ae --- /dev/null +++ b/queue-6.12/smb-common-change-the-data-type-of-num_aces-to-le16.patch @@ -0,0 +1,302 @@ +From 642af258a3399da7b30b4c643b91764c4cb9f55f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 23:26:09 +0900 +Subject: smb: common: change the data type of num_aces to le16 + +From: Namjae Jeon + +[ Upstream commit 62e7dd0a39c2d0d7ff03274c36df971f1b3d2d0d ] + +2.4.5 in [MS-DTYP].pdf describe the data type of num_aces as le16. + +AceCount (2 bytes): An unsigned 16-bit integer that specifies the count +of the number of ACE records in the ACL. + +Change it to le16 and add reserved field to smb_acl struct. + +Reported-by: Igor Leite Ladessa +Tested-by: Igor Leite Ladessa +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsacl.c | 26 +++++++++++++------------- + fs/smb/common/smbacl.h | 3 ++- + fs/smb/server/smbacl.c | 31 ++++++++++++++++--------------- + fs/smb/server/smbacl.h | 2 +- + 4 files changed, 32 insertions(+), 30 deletions(-) + +diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c +index ebe9a7d7c70e8..1f036169fb582 100644 +--- a/fs/smb/client/cifsacl.c ++++ b/fs/smb/client/cifsacl.c +@@ -763,7 +763,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, + struct cifs_fattr *fattr, bool mode_from_special_sid) + { + int i; +- int num_aces = 0; ++ u16 num_aces = 0; + int acl_size; + char *acl_base; + struct smb_ace **ppace; +@@ -785,7 +785,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, + + cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n", + le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size), +- le32_to_cpu(pdacl->num_aces)); ++ le16_to_cpu(pdacl->num_aces)); + + /* reset rwx permissions for user/group/other. + Also, if num_aces is 0 i.e. DACL has no ACEs, +@@ -795,7 +795,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, + acl_base = (char *)pdacl; + acl_size = sizeof(struct smb_acl); + +- num_aces = le32_to_cpu(pdacl->num_aces); ++ num_aces = le16_to_cpu(pdacl->num_aces); + if (num_aces > 0) { + umode_t denied_mode = 0; + +@@ -937,12 +937,12 @@ unsigned int setup_special_user_owner_ACE(struct smb_ace *pntace) + static void populate_new_aces(char *nacl_base, + struct smb_sid *pownersid, + struct smb_sid *pgrpsid, +- __u64 *pnmode, u32 *pnum_aces, u16 *pnsize, ++ __u64 *pnmode, u16 *pnum_aces, u16 *pnsize, + bool modefromsid, + bool posix) + { + __u64 nmode; +- u32 num_aces = 0; ++ u16 num_aces = 0; + u16 nsize = 0; + __u64 user_mode; + __u64 group_mode; +@@ -1050,7 +1050,7 @@ static __u16 replace_sids_and_copy_aces(struct smb_acl *pdacl, struct smb_acl *p + u16 size = 0; + struct smb_ace *pntace = NULL; + char *acl_base = NULL; +- u32 src_num_aces = 0; ++ u16 src_num_aces = 0; + u16 nsize = 0; + struct smb_ace *pnntace = NULL; + char *nacl_base = NULL; +@@ -1058,7 +1058,7 @@ static __u16 replace_sids_and_copy_aces(struct smb_acl *pdacl, struct smb_acl *p + + acl_base = (char *)pdacl; + size = sizeof(struct smb_acl); +- src_num_aces = le32_to_cpu(pdacl->num_aces); ++ src_num_aces = le16_to_cpu(pdacl->num_aces); + + nacl_base = (char *)pndacl; + nsize = sizeof(struct smb_acl); +@@ -1090,11 +1090,11 @@ static int set_chmod_dacl(struct smb_acl *pdacl, struct smb_acl *pndacl, + u16 size = 0; + struct smb_ace *pntace = NULL; + char *acl_base = NULL; +- u32 src_num_aces = 0; ++ u16 src_num_aces = 0; + u16 nsize = 0; + struct smb_ace *pnntace = NULL; + char *nacl_base = NULL; +- u32 num_aces = 0; ++ u16 num_aces = 0; + bool new_aces_set = false; + + /* Assuming that pndacl and pnmode are never NULL */ +@@ -1112,7 +1112,7 @@ static int set_chmod_dacl(struct smb_acl *pdacl, struct smb_acl *pndacl, + + acl_base = (char *)pdacl; + size = sizeof(struct smb_acl); +- src_num_aces = le32_to_cpu(pdacl->num_aces); ++ src_num_aces = le16_to_cpu(pdacl->num_aces); + + /* Retain old ACEs which we can retain */ + for (i = 0; i < src_num_aces; ++i) { +@@ -1158,7 +1158,7 @@ static int set_chmod_dacl(struct smb_acl *pdacl, struct smb_acl *pndacl, + } + + finalize_dacl: +- pndacl->num_aces = cpu_to_le32(num_aces); ++ pndacl->num_aces = cpu_to_le16(num_aces); + pndacl->size = cpu_to_le16(nsize); + + return 0; +@@ -1293,7 +1293,7 @@ static int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *pnntsd, + dacloffset ? dacl_ptr->revision : cpu_to_le16(ACL_REVISION); + + ndacl_ptr->size = cpu_to_le16(0); +- ndacl_ptr->num_aces = cpu_to_le32(0); ++ ndacl_ptr->num_aces = cpu_to_le16(0); + + rc = set_chmod_dacl(dacl_ptr, ndacl_ptr, owner_sid_ptr, group_sid_ptr, + pnmode, mode_from_sid, posix); +@@ -1651,7 +1651,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode, + dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset); + if (mode_from_sid) + nsecdesclen += +- le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace); ++ le16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace); + else /* cifsacl */ + nsecdesclen += le16_to_cpu(dacl_ptr->size); + } +diff --git a/fs/smb/common/smbacl.h b/fs/smb/common/smbacl.h +index 6a60698fc6f0f..a624ec9e4a144 100644 +--- a/fs/smb/common/smbacl.h ++++ b/fs/smb/common/smbacl.h +@@ -107,7 +107,8 @@ struct smb_sid { + struct smb_acl { + __le16 revision; /* revision level */ + __le16 size; +- __le32 num_aces; ++ __le16 num_aces; ++ __le16 reserved; + } __attribute__((packed)); + + struct smb_ace { +diff --git a/fs/smb/server/smbacl.c b/fs/smb/server/smbacl.c +index 109036e2227ca..5e6ffb821f6fd 100644 +--- a/fs/smb/server/smbacl.c ++++ b/fs/smb/server/smbacl.c +@@ -333,7 +333,7 @@ void posix_state_to_acl(struct posix_acl_state *state, + pace->e_perm = state->other.allow; + } + +-int init_acl_state(struct posix_acl_state *state, int cnt) ++int init_acl_state(struct posix_acl_state *state, u16 cnt) + { + int alloc; + +@@ -368,7 +368,7 @@ static void parse_dacl(struct mnt_idmap *idmap, + struct smb_fattr *fattr) + { + int i, ret; +- int num_aces = 0; ++ u16 num_aces = 0; + unsigned int acl_size; + char *acl_base; + struct smb_ace **ppace; +@@ -389,12 +389,12 @@ static void parse_dacl(struct mnt_idmap *idmap, + + ksmbd_debug(SMB, "DACL revision %d size %d num aces %d\n", + le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size), +- le32_to_cpu(pdacl->num_aces)); ++ le16_to_cpu(pdacl->num_aces)); + + acl_base = (char *)pdacl; + acl_size = sizeof(struct smb_acl); + +- num_aces = le32_to_cpu(pdacl->num_aces); ++ num_aces = le16_to_cpu(pdacl->num_aces); + if (num_aces <= 0) + return; + +@@ -583,7 +583,7 @@ static void parse_dacl(struct mnt_idmap *idmap, + + static void set_posix_acl_entries_dacl(struct mnt_idmap *idmap, + struct smb_ace *pndace, +- struct smb_fattr *fattr, u32 *num_aces, ++ struct smb_fattr *fattr, u16 *num_aces, + u16 *size, u32 nt_aces_num) + { + struct posix_acl_entry *pace; +@@ -704,7 +704,7 @@ static void set_ntacl_dacl(struct mnt_idmap *idmap, + struct smb_fattr *fattr) + { + struct smb_ace *ntace, *pndace; +- int nt_num_aces = le32_to_cpu(nt_dacl->num_aces), num_aces = 0; ++ u16 nt_num_aces = le16_to_cpu(nt_dacl->num_aces), num_aces = 0; + unsigned short size = 0; + int i; + +@@ -731,7 +731,7 @@ static void set_ntacl_dacl(struct mnt_idmap *idmap, + + set_posix_acl_entries_dacl(idmap, pndace, fattr, + &num_aces, &size, nt_num_aces); +- pndacl->num_aces = cpu_to_le32(num_aces); ++ pndacl->num_aces = cpu_to_le16(num_aces); + pndacl->size = cpu_to_le16(le16_to_cpu(pndacl->size) + size); + } + +@@ -739,7 +739,7 @@ static void set_mode_dacl(struct mnt_idmap *idmap, + struct smb_acl *pndacl, struct smb_fattr *fattr) + { + struct smb_ace *pace, *pndace; +- u32 num_aces = 0; ++ u16 num_aces = 0; + u16 size = 0, ace_size = 0; + uid_t uid; + const struct smb_sid *sid; +@@ -795,7 +795,7 @@ static void set_mode_dacl(struct mnt_idmap *idmap, + fattr->cf_mode, 0007); + + out: +- pndacl->num_aces = cpu_to_le32(num_aces); ++ pndacl->num_aces = cpu_to_le16(num_aces); + pndacl->size = cpu_to_le16(le16_to_cpu(pndacl->size) + size); + } + +@@ -1025,8 +1025,9 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, + struct smb_sid owner_sid, group_sid; + struct dentry *parent = path->dentry->d_parent; + struct mnt_idmap *idmap = mnt_idmap(path->mnt); +- int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0, pdacl_size; +- int rc = 0, num_aces, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size; ++ int inherited_flags = 0, flags = 0, i, nt_size = 0, pdacl_size; ++ int rc = 0, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size; ++ u16 num_aces, ace_cnt = 0; + char *aces_base; + bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode); + +@@ -1042,7 +1043,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, + + parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset); + acl_len = pntsd_size - dacloffset; +- num_aces = le32_to_cpu(parent_pdacl->num_aces); ++ num_aces = le16_to_cpu(parent_pdacl->num_aces); + pntsd_type = le16_to_cpu(parent_pntsd->type); + pdacl_size = le16_to_cpu(parent_pdacl->size); + +@@ -1201,7 +1202,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn, + pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset)); + pdacl->revision = cpu_to_le16(2); + pdacl->size = cpu_to_le16(sizeof(struct smb_acl) + nt_size); +- pdacl->num_aces = cpu_to_le32(ace_cnt); ++ pdacl->num_aces = cpu_to_le16(ace_cnt); + pace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); + memcpy(pace, aces_base, nt_size); + pntsd_size += sizeof(struct smb_acl) + nt_size; +@@ -1282,7 +1283,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path, + + ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); + aces_size = acl_size - sizeof(struct smb_acl); +- for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { ++ for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) { + if (offsetof(struct smb_ace, access_req) > aces_size) + break; + ace_size = le16_to_cpu(ace->size); +@@ -1303,7 +1304,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, const struct path *path, + + ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); + aces_size = acl_size - sizeof(struct smb_acl); +- for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { ++ for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) { + if (offsetof(struct smb_ace, access_req) > aces_size) + break; + ace_size = le16_to_cpu(ace->size); +diff --git a/fs/smb/server/smbacl.h b/fs/smb/server/smbacl.h +index 24ce576fc2924..355adaee39b87 100644 +--- a/fs/smb/server/smbacl.h ++++ b/fs/smb/server/smbacl.h +@@ -86,7 +86,7 @@ int parse_sec_desc(struct mnt_idmap *idmap, struct smb_ntsd *pntsd, + int build_sec_desc(struct mnt_idmap *idmap, struct smb_ntsd *pntsd, + struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info, + __u32 *secdesclen, struct smb_fattr *fattr); +-int init_acl_state(struct posix_acl_state *state, int cnt); ++int init_acl_state(struct posix_acl_state *state, u16 cnt); + void free_acl_state(struct posix_acl_state *state); + void posix_state_to_acl(struct posix_acl_state *state, + struct posix_acl_entry *pace); +-- +2.39.5 + diff --git a/queue-6.12/soundwire-slave-fix-an-of-node-reference-leak-in-sou.patch b/queue-6.12/soundwire-slave-fix-an-of-node-reference-leak-in-sou.patch new file mode 100644 index 0000000000..12b17c10ae --- /dev/null +++ b/queue-6.12/soundwire-slave-fix-an-of-node-reference-leak-in-sou.patch @@ -0,0 +1,40 @@ +From 38f248152e3d95c703f7c9c7d127f6a9df9085d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 12:48:44 +0900 +Subject: soundwire: slave: fix an OF node reference leak in soundwire slave + device + +From: Joe Hattori + +[ Upstream commit aac2f8363f773ae1f65aab140e06e2084ac6b787 ] + +When initializing a soundwire slave device, an OF node is stored to the +device with refcount incremented. However, the refcount is not +decremented in .release(), thus call of_node_put() in +sdw_slave_release(). + +Fixes: a2e484585ad3 ("soundwire: core: add device tree support for slave devices") +Signed-off-by: Joe Hattori +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20241205034844.2784964-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/slave.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soundwire/slave.c b/drivers/soundwire/slave.c +index f1a4df6cfebd9..2bcb733de4de4 100644 +--- a/drivers/soundwire/slave.c ++++ b/drivers/soundwire/slave.c +@@ -12,6 +12,7 @@ static void sdw_slave_release(struct device *dev) + { + struct sdw_slave *slave = dev_to_sdw_dev(dev); + ++ of_node_put(slave->dev.of_node); + mutex_destroy(&slave->sdw_dev_lock); + kfree(slave); + } +-- +2.39.5 + diff --git a/queue-6.12/spi-bcm2835-do-not-call-gpiod_put-on-invalid-descrip.patch b/queue-6.12/spi-bcm2835-do-not-call-gpiod_put-on-invalid-descrip.patch new file mode 100644 index 0000000000..3883fe3c5e --- /dev/null +++ b/queue-6.12/spi-bcm2835-do-not-call-gpiod_put-on-invalid-descrip.patch @@ -0,0 +1,39 @@ +From 5968131b536d0cccf23cfcbe36341a8dc3ef1728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 15:42:38 -0700 +Subject: spi: bcm2835: Do not call gpiod_put() on invalid descriptor + +From: Florian Fainelli + +[ Upstream commit d6691010523fe1016f482a1e1defcc6289eeea48 ] + +If we are unable to lookup the chip-select GPIO, the error path will +call bcm2835_spi_cleanup() which unconditionally calls gpiod_put() on +the cs->gpio variable which we just determined was invalid. + +Fixes: 21f252cd29f0 ("spi: bcm2835: reduce the abuse of the GPIO API") +Signed-off-by: Florian Fainelli +Link: https://patch.msgid.link/20250401224238.2854256-1-florian.fainelli@broadcom.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm2835.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index e1b9b12357877..a5d621b94d5e3 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -1162,7 +1162,8 @@ static void bcm2835_spi_cleanup(struct spi_device *spi) + sizeof(u32), + DMA_TO_DEVICE); + +- gpiod_put(bs->cs_gpio); ++ if (!IS_ERR(bs->cs_gpio)) ++ gpiod_put(bs->cs_gpio); + spi_set_csgpiod(spi, 0, NULL); + + kfree(target); +-- +2.39.5 + diff --git a/queue-6.12/spi-bcm2835-restore-native-cs-probing-when-pinctrl-b.patch b/queue-6.12/spi-bcm2835-restore-native-cs-probing-when-pinctrl-b.patch new file mode 100644 index 0000000000..0ac74c73f7 --- /dev/null +++ b/queue-6.12/spi-bcm2835-restore-native-cs-probing-when-pinctrl-b.patch @@ -0,0 +1,76 @@ +From c82329f1b278d6baf5d9510a6603e301c800ce2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 16:36:03 -0700 +Subject: spi: bcm2835: Restore native CS probing when pinctrl-bcm2835 is + absent + +From: Florian Fainelli + +[ Upstream commit e19c1272c80a5ecce387c1b0c3b995f4edf9c525 ] + +The lookup table forces the use of the "pinctrl-bcm2835" GPIO chip +provider and essentially assumes that there is going to be such a +provider, and if not, we will fail to set-up the SPI device. + +While this is true on Raspberry Pi based systems (2835/36/37, 2711, +2712), this is not true on 7712/77122 Broadcom STB systems which use the +SPI driver, but not the GPIO driver. + +There used to be an early check: + + chip = gpiochip_find("pinctrl-bcm2835", chip_match_name); + if (!chip) + return 0; + +which would accomplish that nicely, bring something similar back by +checking for the compatible strings matched by the pinctrl-bcm2835.c +driver, if there is no Device Tree node matching those compatible +strings, then we won't find any GPIO provider registered by the +"pinctrl-bcm2835" driver. + +Fixes: 21f252cd29f0 ("spi: bcm2835: reduce the abuse of the GPIO API") +Signed-off-by: Florian Fainelli +Link: https://patch.msgid.link/20250401233603.2938955-1-florian.fainelli@broadcom.com +Acked-by: Bartosz Golaszewski +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm2835.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index a5d621b94d5e3..5926e004d9a65 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -1226,7 +1226,12 @@ static int bcm2835_spi_setup(struct spi_device *spi) + struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr); + struct bcm2835_spidev *target = spi_get_ctldata(spi); + struct gpiod_lookup_table *lookup __free(kfree) = NULL; +- int ret; ++ const char *pinctrl_compats[] = { ++ "brcm,bcm2835-gpio", ++ "brcm,bcm2711-gpio", ++ "brcm,bcm7211-gpio", ++ }; ++ int ret, i; + u32 cs; + + if (!target) { +@@ -1291,6 +1296,14 @@ static int bcm2835_spi_setup(struct spi_device *spi) + goto err_cleanup; + } + ++ for (i = 0; i < ARRAY_SIZE(pinctrl_compats); i++) { ++ if (of_find_compatible_node(NULL, NULL, pinctrl_compats[i])) ++ break; ++ } ++ ++ if (i == ARRAY_SIZE(pinctrl_compats)) ++ return 0; ++ + /* + * TODO: The code below is a slightly better alternative to the utter + * abuse of the GPIO API that I found here before. It creates a +-- +2.39.5 + diff --git a/queue-6.12/spi-cadence-fix-out-of-bounds-array-access-in-cdns_m.patch b/queue-6.12/spi-cadence-fix-out-of-bounds-array-access-in-cdns_m.patch new file mode 100644 index 0000000000..e6a2b2ed56 --- /dev/null +++ b/queue-6.12/spi-cadence-fix-out-of-bounds-array-access-in-cdns_m.patch @@ -0,0 +1,49 @@ +From 5503645ebcc3f4ef3a16f80de102b039bd5dca1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 08:33:32 -0700 +Subject: spi: cadence: Fix out-of-bounds array access in + cdns_mrvl_xspi_setup_clock() + +From: Josh Poimboeuf + +[ Upstream commit 7ba0847fa1c22e7801cebfe5f7b75aee4fae317e ] + +If requested_clk > 128, cdns_mrvl_xspi_setup_clock() iterates over the +entire cdns_mrvl_xspi_clk_div_list array without breaking out early, +causing 'i' to go beyond the array bounds. + +Fix that by stopping the loop when it gets to the last entry, clamping +the clock to the minimum 6.25 MHz. + +Fixes the following warning with an UBSAN kernel: + + vmlinux.o: warning: objtool: cdns_mrvl_xspi_setup_clock: unexpected end of section .text.cdns_mrvl_xspi_setup_clock + +Fixes: 26d34fdc4971 ("spi: cadence: Add clock configuration for Marvell xSPI overlay") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202503282236.UhfRsF3B-lkp@intel.com/ +Link: https://lore.kernel.org/r/gs2ooxfkblnee6cc5yfcxh7nu4wvoqnuv4lrllkhccxgcac2jg@7snmwd73jkhs +Signed-off-by: Josh Poimboeuf +Link: https://patch.msgid.link/h6bef6wof6zpjfp3jbhrkigqsnykdfy6j4qmmvb6gsabhianhj@k57a7hwpa3bj +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cadence-xspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-cadence-xspi.c b/drivers/spi/spi-cadence-xspi.c +index aed98ab143346..6dcba0e0ddaa3 100644 +--- a/drivers/spi/spi-cadence-xspi.c ++++ b/drivers/spi/spi-cadence-xspi.c +@@ -432,7 +432,7 @@ static bool cdns_mrvl_xspi_setup_clock(struct cdns_xspi_dev *cdns_xspi, + u32 clk_reg; + bool update_clk = false; + +- while (i < ARRAY_SIZE(cdns_mrvl_xspi_clk_div_list)) { ++ while (i < (ARRAY_SIZE(cdns_mrvl_xspi_clk_div_list) - 1)) { + clk_val = MRVL_XSPI_CLOCK_DIVIDED( + cdns_mrvl_xspi_clk_div_list[i]); + if (clk_val <= requested_clk) +-- +2.39.5 + diff --git a/queue-6.12/spufs-fix-a-leak-in-spufs_create_context.patch b/queue-6.12/spufs-fix-a-leak-in-spufs_create_context.patch new file mode 100644 index 0000000000..5125c3166e --- /dev/null +++ b/queue-6.12/spufs-fix-a-leak-in-spufs_create_context.patch @@ -0,0 +1,39 @@ +From ed2ebc88ed2842fe5860bc082e0cc3c4d0f3124a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 19:38:28 -0400 +Subject: spufs: fix a leak in spufs_create_context() + +From: Al Viro + +[ Upstream commit 0f5cce3fc55b08ee4da3372baccf4bcd36a98396 ] + +Leak fixes back in 2008 missed one case - if we are trying to set affinity +and spufs_mkdir() fails, we need to drop the reference to neighbor. + +Fixes: 58119068cb27 "[POWERPC] spufs: Fix memory leak on SPU affinity" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/spufs/inode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c +index c566e7997f2c1..9f9e4b8716278 100644 +--- a/arch/powerpc/platforms/cell/spufs/inode.c ++++ b/arch/powerpc/platforms/cell/spufs/inode.c +@@ -460,8 +460,11 @@ spufs_create_context(struct inode *inode, struct dentry *dentry, + } + + ret = spufs_mkdir(inode, dentry, flags, mode & 0777); +- if (ret) ++ if (ret) { ++ if (neighbor) ++ put_spu_context(neighbor); + goto out_aff_unlock; ++ } + + if (affinity) { + spufs_set_affinity(flags, SPUFS_I(d_inode(dentry))->i_ctx, +-- +2.39.5 + diff --git a/queue-6.12/spufs-fix-a-leak-on-spufs_new_file-failure.patch b/queue-6.12/spufs-fix-a-leak-on-spufs_new_file-failure.patch new file mode 100644 index 0000000000..2519dc5129 --- /dev/null +++ b/queue-6.12/spufs-fix-a-leak-on-spufs_new_file-failure.patch @@ -0,0 +1,40 @@ +From da351fbf15da6bccd0734eacd9517c7615d60689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Mar 2025 19:26:31 -0500 +Subject: spufs: fix a leak on spufs_new_file() failure + +From: Al Viro + +[ Upstream commit d1ca8698ca1332625d83ea0d753747be66f9906d ] + +It's called from spufs_fill_dir(), and caller of that will do +spufs_rmdir() in case of failure. That does remove everything +we'd managed to create, but... the problem dentry is still +negative. IOW, it needs to be explicitly dropped. + +Fixes: 3f51dd91c807 "[PATCH] spufs: fix spufs_fill_dir error path" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/spufs/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c +index 70236d1df3d3e..793c005607cf0 100644 +--- a/arch/powerpc/platforms/cell/spufs/inode.c ++++ b/arch/powerpc/platforms/cell/spufs/inode.c +@@ -192,8 +192,10 @@ static int spufs_fill_dir(struct dentry *dir, + return -ENOMEM; + ret = spufs_new_file(dir->d_sb, dentry, files->ops, + files->mode & mode, files->size, ctx); +- if (ret) ++ if (ret) { ++ dput(dentry); + return ret; ++ } + files++; + } + return 0; +-- +2.39.5 + diff --git a/queue-6.12/spufs-fix-gang-directory-lifetimes.patch b/queue-6.12/spufs-fix-gang-directory-lifetimes.patch new file mode 100644 index 0000000000..02d661058e --- /dev/null +++ b/queue-6.12/spufs-fix-gang-directory-lifetimes.patch @@ -0,0 +1,195 @@ +From da2cd85c0ace5c3965219e375412abc5f41adf21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 19:18:39 -0400 +Subject: spufs: fix gang directory lifetimes + +From: Al Viro + +[ Upstream commit c134deabf4784e155d360744d4a6a835b9de4dd4 ] + +prior to "[POWERPC] spufs: Fix gang destroy leaks" we used to have +a problem with gang lifetimes - creation of a gang returns opened +gang directory, which normally gets removed when that gets closed, +but if somebody has created a context belonging to that gang and +kept it alive until the gang got closed, removal failed and we +ended up with a leak. + +Unfortunately, it had been fixed the wrong way. Dentry of gang +directory was no longer pinned, and rmdir on close was gone. +One problem was that failure of open kept calling simple_rmdir() +as cleanup, which meant an unbalanced dput(). Another bug was +in the success case - gang creation incremented link count on +root directory, but that was no longer undone when gang got +destroyed. + +Fix consists of + * reverting the commit in question + * adding a counter to gang, protected by ->i_rwsem +of gang directory inode. + * having it set to 1 at creation time, dropped +in both spufs_dir_close() and spufs_gang_close() and bumped +in spufs_create_context(), provided that it's not 0. + * using simple_recursive_removal() to take the gang +directory out when counter reaches zero. + +Fixes: 877907d37da9 "[POWERPC] spufs: Fix gang destroy leaks" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/spufs/gang.c | 1 + + arch/powerpc/platforms/cell/spufs/inode.c | 54 +++++++++++++++++++---- + arch/powerpc/platforms/cell/spufs/spufs.h | 2 + + 3 files changed, 49 insertions(+), 8 deletions(-) + +diff --git a/arch/powerpc/platforms/cell/spufs/gang.c b/arch/powerpc/platforms/cell/spufs/gang.c +index 827d338deaf4c..2c2999de6bfa2 100644 +--- a/arch/powerpc/platforms/cell/spufs/gang.c ++++ b/arch/powerpc/platforms/cell/spufs/gang.c +@@ -25,6 +25,7 @@ struct spu_gang *alloc_spu_gang(void) + mutex_init(&gang->aff_mutex); + INIT_LIST_HEAD(&gang->list); + INIT_LIST_HEAD(&gang->aff_list_head); ++ gang->alive = 1; + + out: + return gang; +diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c +index 793c005607cf0..c566e7997f2c1 100644 +--- a/arch/powerpc/platforms/cell/spufs/inode.c ++++ b/arch/powerpc/platforms/cell/spufs/inode.c +@@ -201,6 +201,23 @@ static int spufs_fill_dir(struct dentry *dir, + return 0; + } + ++static void unuse_gang(struct dentry *dir) ++{ ++ struct inode *inode = dir->d_inode; ++ struct spu_gang *gang = SPUFS_I(inode)->i_gang; ++ ++ if (gang) { ++ bool dead; ++ ++ inode_lock(inode); // exclusion with spufs_create_context() ++ dead = !--gang->alive; ++ inode_unlock(inode); ++ ++ if (dead) ++ simple_recursive_removal(dir, NULL); ++ } ++} ++ + static int spufs_dir_close(struct inode *inode, struct file *file) + { + struct inode *parent; +@@ -215,6 +232,7 @@ static int spufs_dir_close(struct inode *inode, struct file *file) + inode_unlock(parent); + WARN_ON(ret); + ++ unuse_gang(dir->d_parent); + return dcache_dir_close(inode, file); + } + +@@ -407,7 +425,7 @@ spufs_create_context(struct inode *inode, struct dentry *dentry, + { + int ret; + int affinity; +- struct spu_gang *gang; ++ struct spu_gang *gang = SPUFS_I(inode)->i_gang; + struct spu_context *neighbor; + struct path path = {.mnt = mnt, .dentry = dentry}; + +@@ -422,11 +440,15 @@ spufs_create_context(struct inode *inode, struct dentry *dentry, + if ((flags & SPU_CREATE_ISOLATE) && !isolated_loader) + return -ENODEV; + +- gang = NULL; ++ if (gang) { ++ if (!gang->alive) ++ return -ENOENT; ++ gang->alive++; ++ } ++ + neighbor = NULL; + affinity = flags & (SPU_CREATE_AFFINITY_MEM | SPU_CREATE_AFFINITY_SPU); + if (affinity) { +- gang = SPUFS_I(inode)->i_gang; + if (!gang) + return -EINVAL; + mutex_lock(&gang->aff_mutex); +@@ -455,6 +477,8 @@ spufs_create_context(struct inode *inode, struct dentry *dentry, + out_aff_unlock: + if (affinity) + mutex_unlock(&gang->aff_mutex); ++ if (ret && gang) ++ gang->alive--; // can't reach 0 + return ret; + } + +@@ -484,6 +508,7 @@ spufs_mkgang(struct inode *dir, struct dentry *dentry, umode_t mode) + inode->i_fop = &simple_dir_operations; + + d_instantiate(dentry, inode); ++ dget(dentry); + inc_nlink(dir); + inc_nlink(d_inode(dentry)); + return ret; +@@ -494,6 +519,21 @@ spufs_mkgang(struct inode *dir, struct dentry *dentry, umode_t mode) + return ret; + } + ++static int spufs_gang_close(struct inode *inode, struct file *file) ++{ ++ unuse_gang(file->f_path.dentry); ++ return dcache_dir_close(inode, file); ++} ++ ++static const struct file_operations spufs_gang_fops = { ++ .open = dcache_dir_open, ++ .release = spufs_gang_close, ++ .llseek = dcache_dir_lseek, ++ .read = generic_read_dir, ++ .iterate_shared = dcache_readdir, ++ .fsync = noop_fsync, ++}; ++ + static int spufs_gang_open(const struct path *path) + { + int ret; +@@ -513,7 +553,7 @@ static int spufs_gang_open(const struct path *path) + return PTR_ERR(filp); + } + +- filp->f_op = &simple_dir_operations; ++ filp->f_op = &spufs_gang_fops; + fd_install(ret, filp); + return ret; + } +@@ -528,10 +568,8 @@ static int spufs_create_gang(struct inode *inode, + ret = spufs_mkgang(inode, dentry, mode & 0777); + if (!ret) { + ret = spufs_gang_open(&path); +- if (ret < 0) { +- int err = simple_rmdir(inode, dentry); +- WARN_ON(err); +- } ++ if (ret < 0) ++ unuse_gang(dentry); + } + return ret; + } +diff --git a/arch/powerpc/platforms/cell/spufs/spufs.h b/arch/powerpc/platforms/cell/spufs/spufs.h +index 84958487f696a..d33787c57c39a 100644 +--- a/arch/powerpc/platforms/cell/spufs/spufs.h ++++ b/arch/powerpc/platforms/cell/spufs/spufs.h +@@ -151,6 +151,8 @@ struct spu_gang { + int aff_flags; + struct spu *aff_ref_spu; + atomic_t aff_sched_count; ++ ++ int alive; + }; + + /* Flag bits for spu_gang aff_flags */ +-- +2.39.5 + diff --git a/queue-6.12/staging-rtl8723bs-select-config_crypto_lib_aes.patch b/queue-6.12/staging-rtl8723bs-select-config_crypto_lib_aes.patch new file mode 100644 index 0000000000..4d82d07851 --- /dev/null +++ b/queue-6.12/staging-rtl8723bs-select-config_crypto_lib_aes.patch @@ -0,0 +1,44 @@ +From a796d721c854e5dc7c687d6ad71ffe5c026233c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Feb 2025 19:36:17 +0000 +Subject: staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: 谢致邦 (XIE Zhibang) + +[ Upstream commit b2a9a6a26b7e954297e51822e396572026480bad ] + +This fixes the following issue: +ERROR: modpost: "aes_expandkey" [drivers/staging/rtl8723bs/r8723bs.ko] +undefined! +ERROR: modpost: "aes_encrypt" [drivers/staging/rtl8723bs/r8723bs.ko] +undefined! + +Fixes: 7d40753d8820 ("staging: rtl8723bs: use in-kernel aes encryption in OMAC1 routines") +Fixes: 3d3a170f6d80 ("staging: rtl8723bs: use in-kernel aes encryption") +Signed-off-by: 谢致邦 (XIE Zhibang) +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/tencent_0BDDF3A721708D16A2E7C3DAFF0FEC79A105@qq.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8723bs/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/rtl8723bs/Kconfig b/drivers/staging/rtl8723bs/Kconfig +index 8d48c61961a6b..353e6ee2c1450 100644 +--- a/drivers/staging/rtl8723bs/Kconfig ++++ b/drivers/staging/rtl8723bs/Kconfig +@@ -4,6 +4,7 @@ config RTL8723BS + depends on WLAN && MMC && CFG80211 + depends on m + select CRYPTO ++ select CRYPTO_LIB_AES + select CRYPTO_LIB_ARC4 + help + This option enables support for RTL8723BS SDIO drivers, such as +-- +2.39.5 + diff --git a/queue-6.12/staging-vchiq_arm-fix-possible-npr-of-keep-alive-thr.patch b/queue-6.12/staging-vchiq_arm-fix-possible-npr-of-keep-alive-thr.patch new file mode 100644 index 0000000000..33c7ac060d --- /dev/null +++ b/queue-6.12/staging-vchiq_arm-fix-possible-npr-of-keep-alive-thr.patch @@ -0,0 +1,39 @@ +From bc5180f7feec05655d0bea69eb9a671dd6374a96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Mar 2025 13:50:11 +0100 +Subject: staging: vchiq_arm: Fix possible NPR of keep-alive thread + +From: Stefan Wahren + +[ Upstream commit 3db89bc6d973e2bcaa852f6409c98c228f39a926 ] + +In case vchiq_platform_conn_state_changed() is never called or fails before +driver removal, ka_thread won't be a valid pointer to a task_struct. So +do the necessary checks before calling kthread_stop to avoid a crash. + +Fixes: 863a756aaf49 ("staging: vc04_services: vchiq_core: Stop kthreads on vchiq module unload") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20250309125014.37166-3-wahrenst@gmx.net +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +index ecf6e9635a10b..97787002080a1 100644 +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +@@ -1786,7 +1786,8 @@ static void vchiq_remove(struct platform_device *pdev) + kthread_stop(mgmt->state.slot_handler_thread); + + arm_state = vchiq_platform_get_arm_state(&mgmt->state); +- kthread_stop(arm_state->ka_thread); ++ if (!IS_ERR_OR_NULL(arm_state->ka_thread)) ++ kthread_stop(arm_state->ka_thread); + } + + static struct platform_driver vchiq_driver = { +-- +2.39.5 + diff --git a/queue-6.12/staging-vchiq_arm-register-debugfs-after-cdev.patch b/queue-6.12/staging-vchiq_arm-register-debugfs-after-cdev.patch new file mode 100644 index 0000000000..b3816be929 --- /dev/null +++ b/queue-6.12/staging-vchiq_arm-register-debugfs-after-cdev.patch @@ -0,0 +1,48 @@ +From d408efb91861451b0aa7aafb3507dce7a8215f49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Mar 2025 13:50:10 +0100 +Subject: staging: vchiq_arm: Register debugfs after cdev + +From: Stefan Wahren + +[ Upstream commit 63f4dbb196db60a8536ba3d1b835d597a83f6cbb ] + +The commit 2a4d15a4ae98 ("staging: vchiq: Refactor vchiq cdev code") +moved the debugfs directory creation before vchiq character device +registration. In case the latter fails, the debugfs directory won't +be cleaned up. + +Fixes: 2a4d15a4ae98 ("staging: vchiq: Refactor vchiq cdev code") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20250309125014.37166-2-wahrenst@gmx.net +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +index 5fab33adf58ed..ecf6e9635a10b 100644 +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +@@ -1745,8 +1745,6 @@ static int vchiq_probe(struct platform_device *pdev) + if (ret) + goto failed_platform_init; + +- vchiq_debugfs_init(&mgmt->state); +- + dev_dbg(&pdev->dev, "arm: platform initialised - version %d (min %d)\n", + VCHIQ_VERSION, VCHIQ_VERSION_MIN); + +@@ -1760,6 +1758,8 @@ static int vchiq_probe(struct platform_device *pdev) + goto error_exit; + } + ++ vchiq_debugfs_init(&mgmt->state); ++ + bcm2835_audio = vchiq_device_register(&pdev->dev, "bcm2835-audio"); + bcm2835_camera = vchiq_device_register(&pdev->dev, "bcm2835-camera"); + +-- +2.39.5 + diff --git a/queue-6.12/thermal-core-remove-duplicate-struct-declaration.patch b/queue-6.12/thermal-core-remove-duplicate-struct-declaration.patch new file mode 100644 index 0000000000..b2a232e15b --- /dev/null +++ b/queue-6.12/thermal-core-remove-duplicate-struct-declaration.patch @@ -0,0 +1,37 @@ +From 2a685aebaebc2555bea638a781d93a8d5f0c701a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Feb 2025 16:14:36 +0800 +Subject: thermal: core: Remove duplicate struct declaration + +From: xueqin Luo + +[ Upstream commit 9e6ec8cf64e2973f0ec74f09023988cabd218426 ] + +The struct thermal_zone_device is already declared on line 32, so the +duplicate declaration has been removed. + +Fixes: b1ae92dcfa8e ("thermal: core: Make struct thermal_zone_device definition internal") +Signed-off-by: xueqin Luo +Link: https://lore.kernel.org/r/20250206081436.51785-1-luoxueqin@kylinos.cn +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + include/linux/thermal.h | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/include/linux/thermal.h b/include/linux/thermal.h +index 25ea8fe2313e6..0da2c257e32cf 100644 +--- a/include/linux/thermal.h ++++ b/include/linux/thermal.h +@@ -83,8 +83,6 @@ struct thermal_trip { + #define THERMAL_TRIP_PRIV_TO_INT(_val_) (uintptr_t)(_val_) + #define THERMAL_INT_TO_TRIP_PRIV(_val_) (void *)(uintptr_t)(_val_) + +-struct thermal_zone_device; +- + struct cooling_spec { + unsigned long upper; /* Highest cooling state */ + unsigned long lower; /* Lowest cooling state */ +-- +2.39.5 + diff --git a/queue-6.12/thermal-int340x-add-null-check-for-adev.patch b/queue-6.12/thermal-int340x-add-null-check-for-adev.patch new file mode 100644 index 0000000000..8ebd98febe --- /dev/null +++ b/queue-6.12/thermal-int340x-add-null-check-for-adev.patch @@ -0,0 +1,50 @@ +From 554748112cdfc060d862e0d29022fd47e7c076e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 23:36:11 -0500 +Subject: thermal: int340x: Add NULL check for adev +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chenyuan Yang + +[ Upstream commit 2542a3f70e563a9e70e7ded314286535a3321bdb ] + +Not all devices have an ACPI companion fwnode, so adev might be NULL. +This is similar to the commit cd2fd6eab480 +("platform/x86: int3472: Check for adev == NULL"). + +Add a check for adev not being set and return -ENODEV in that case to +avoid a possible NULL pointer deref in int3402_thermal_probe(). + +Note, under the same directory, int3400_thermal_probe() has such a +check. + +Fixes: 77e337c6e23e ("Thermal: introduce INT3402 thermal driver") +Signed-off-by: Chenyuan Yang +Acked-by: Uwe Kleine-König +Link: https://patch.msgid.link/20250313043611.1212116-1-chenyuan0y@gmail.com +[ rjw: Subject edit, added Fixes: ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/intel/int340x_thermal/int3402_thermal.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c +index ab8bfb5a3946b..40ab6b2d4fb05 100644 +--- a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c ++++ b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c +@@ -45,6 +45,9 @@ static int int3402_thermal_probe(struct platform_device *pdev) + struct int3402_thermal_data *d; + int ret; + ++ if (!adev) ++ return -ENODEV; ++ + if (!acpi_has_method(adev->handle, "_TMP")) + return -ENODEV; + +-- +2.39.5 + diff --git a/queue-6.12/tools-x86-fix-linux-unaligned.h-include-path-in-lib-.patch b/queue-6.12/tools-x86-fix-linux-unaligned.h-include-path-in-lib-.patch new file mode 100644 index 0000000000..0e1b9cc336 --- /dev/null +++ b/queue-6.12/tools-x86-fix-linux-unaligned.h-include-path-in-lib-.patch @@ -0,0 +1,40 @@ +From b2b64c18a442026d148a49327a65703b111bacd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 11:36:00 -0800 +Subject: tools/x86: Fix linux/unaligned.h include path in lib/insn.c + +From: Ian Rogers + +[ Upstream commit fad07a5c0f07ad0884e1cb4362fe28c083b5b811 ] + +tools/arch/x86/include/linux doesn't exist but building is working by +virtue of a -I. Building using bazel this fails. Use angle brackets to +include unaligned.h so there isn't an invalid relative include. + +Fixes: 5f60d5f6bbc1 ("move asm/unaligned.h to linux/unaligned.h") +Signed-off-by: Ian Rogers +Acked-by: Josh Poimboeuf +Cc: Al Viro +Link: https://lore.kernel.org/r/20250225193600.90037-1-irogers@google.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/arch/x86/lib/insn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/arch/x86/lib/insn.c b/tools/arch/x86/lib/insn.c +index ab5cdc3337dac..e91d4c4e1c162 100644 +--- a/tools/arch/x86/lib/insn.c ++++ b/tools/arch/x86/lib/insn.c +@@ -13,7 +13,7 @@ + #endif + #include "../include/asm/inat.h" /* __ignore_sync_check__ */ + #include "../include/asm/insn.h" /* __ignore_sync_check__ */ +-#include "../include/linux/unaligned.h" /* __ignore_sync_check__ */ ++#include /* __ignore_sync_check__ */ + + #include + #include +-- +2.39.5 + diff --git a/queue-6.12/tty-n_tty-use-uint-for-space-returned-by-tty_write_r.patch b/queue-6.12/tty-n_tty-use-uint-for-space-returned-by-tty_write_r.patch new file mode 100644 index 0000000000..431cbdcd79 --- /dev/null +++ b/queue-6.12/tty-n_tty-use-uint-for-space-returned-by-tty_write_r.patch @@ -0,0 +1,85 @@ +From 706c8248f01cf8f4b2c503fc80e3fd4a15a5481d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Mar 2025 08:00:20 +0100 +Subject: tty: n_tty: use uint for space returned by tty_write_room() + +From: Jiri Slaby (SUSE) + +[ Upstream commit d97aa066678bd1e2951ee93db9690835dfe57ab6 ] + +tty_write_room() returns an "unsigned int". So in case some insane +driver (like my tty test driver) returns (legitimate) UINT_MAX from its +tty_operations::write_room(), n_tty is confused on several places. + +For example, in process_output_block(), the result of tty_write_room() +is stored into (signed) "int". So this UINT_MAX suddenly becomes -1. And +that is extended to ssize_t and returned from process_output_block(). +This causes a write() to such a node to receive -EPERM (which is -1). + +Fix that by using proper "unsigned int" and proper "== 0" test. And +return 0 constant directly in that "if", so that it is immediately clear +what is returned ("space" equals to 0 at that point). + +Similarly for process_output() and __process_echoes(). + +Note this does not fix any in-tree driver as of now. + +If you want "Fixes: something", it would be commit 03b3b1a2405c ("tty: +make tty_operations::write_room return uint"). I intentionally do not +mark this patch by a real tag below. + +Signed-off-by: Jiri Slaby (SUSE) +Link: https://lore.kernel.org/r/20250317070046.24386-6-jirislaby@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/n_tty.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index 5e9ca4376d686..94fa981081fdb 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -486,7 +486,8 @@ static int do_output_char(u8 c, struct tty_struct *tty, int space) + static int process_output(u8 c, struct tty_struct *tty) + { + struct n_tty_data *ldata = tty->disc_data; +- int space, retval; ++ unsigned int space; ++ int retval; + + mutex_lock(&ldata->output_lock); + +@@ -522,16 +523,16 @@ static ssize_t process_output_block(struct tty_struct *tty, + const u8 *buf, unsigned int nr) + { + struct n_tty_data *ldata = tty->disc_data; +- int space; +- int i; ++ unsigned int space; ++ int i; + const u8 *cp; + + mutex_lock(&ldata->output_lock); + + space = tty_write_room(tty); +- if (space <= 0) { ++ if (space == 0) { + mutex_unlock(&ldata->output_lock); +- return space; ++ return 0; + } + if (nr > space) + nr = space; +@@ -696,7 +697,7 @@ static int n_tty_process_echo_ops(struct tty_struct *tty, size_t *tail, + static size_t __process_echoes(struct tty_struct *tty) + { + struct n_tty_data *ldata = tty->disc_data; +- int space, old_space; ++ unsigned int space, old_space; + size_t tail; + u8 c; + +-- +2.39.5 + diff --git a/queue-6.12/tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch b/queue-6.12/tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch new file mode 100644 index 0000000000..85ef185a10 --- /dev/null +++ b/queue-6.12/tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch @@ -0,0 +1,83 @@ +From ffdeb7c7c63be0e9d97548eb1b5e05222df3dc41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Mar 2025 01:33:44 +0100 +Subject: tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu(). + +From: Guillaume Nault + +[ Upstream commit 8930424777e43257f5bf6f0f0f53defd0d30415c ] + +Because skb_tunnel_check_pmtu() doesn't handle PACKET_HOST packets, +commit 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper +pmtud support.") forced skb->pkt_type to PACKET_OUTGOING for +openvswitch packets that are sent using the OVS_ACTION_ATTR_OUTPUT +action. This allowed such packets to invoke the +iptunnel_pmtud_check_icmp() or iptunnel_pmtud_check_icmpv6() helpers +and thus trigger PMTU update on the input device. + +However, this also broke other parts of PMTU discovery. Since these +packets don't have the PACKET_HOST type anymore, they won't trigger the +sending of ICMP Fragmentation Needed or Packet Too Big messages to +remote hosts when oversized (see the skb_in->pkt_type condition in +__icmp_send() for example). + +These two skb->pkt_type checks are therefore incompatible as one +requires skb->pkt_type to be PACKET_HOST, while the other requires it +to be anything but PACKET_HOST. + +It makes sense to not trigger ICMP messages for non-PACKET_HOST packets +as these messages should be generated only for incoming l2-unicast +packets. However there doesn't seem to be any reason for +skb_tunnel_check_pmtu() to ignore PACKET_HOST packets. + +Allow both cases to work by allowing skb_tunnel_check_pmtu() to work on +PACKET_HOST packets and not overriding skb->pkt_type in openvswitch +anymore. + +Fixes: 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper pmtud support.") +Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets") +Signed-off-by: Guillaume Nault +Reviewed-by: Stefano Brivio +Reviewed-by: Aaron Conole +Tested-by: Aaron Conole +Link: https://patch.msgid.link/eac941652b86fddf8909df9b3bf0d97bc9444793.1743208264.git.gnault@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_tunnel_core.c | 2 +- + net/openvswitch/actions.c | 6 ------ + 2 files changed, 1 insertion(+), 7 deletions(-) + +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index a3676155be78b..364ea798511ea 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -416,7 +416,7 @@ int skb_tunnel_check_pmtu(struct sk_buff *skb, struct dst_entry *encap_dst, + + skb_dst_update_pmtu_no_confirm(skb, mtu); + +- if (!reply || skb->pkt_type == PACKET_HOST) ++ if (!reply) + return 0; + + if (skb->protocol == htons(ETH_P_IP)) +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 704c858cf2093..61fea7baae5d5 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -947,12 +947,6 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port, + pskb_trim(skb, ovs_mac_header_len(key)); + } + +- /* Need to set the pkt_type to involve the routing layer. The +- * packet movement through the OVS datapath doesn't generally +- * use routing, but this is needed for tunnel cases. +- */ +- skb->pkt_type = PACKET_OUTGOING; +- + if (likely(!mru || + (skb->len <= mru + vport->dev->hard_header_len))) { + ovs_vport_send(vport, skb, ovs_key_mac_proto(key)); +-- +2.39.5 + diff --git a/queue-6.12/ublk-make-sure-ubq-canceling-is-set-when-queue-is-fr.patch b/queue-6.12/ublk-make-sure-ubq-canceling-is-set-when-queue-is-fr.patch new file mode 100644 index 0000000000..51d24a1c57 --- /dev/null +++ b/queue-6.12/ublk-make-sure-ubq-canceling-is-set-when-queue-is-fr.patch @@ -0,0 +1,97 @@ +From 179e2b9a6141900a31e1b7baac83ca22a50ff85f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 17:51:10 +0800 +Subject: ublk: make sure ubq->canceling is set when queue is frozen + +From: Ming Lei + +[ Upstream commit 8741d0737921ec1c03cf59aebf4d01400c2b461a ] + +Now ublk driver depends on `ubq->canceling` for deciding if the request +can be dispatched via uring_cmd & io_uring_cmd_complete_in_task(). + +Once ubq->canceling is set, the uring_cmd can be done via ublk_cancel_cmd() +and io_uring_cmd_done(). + +So set ubq->canceling when queue is frozen, this way makes sure that the +flag can be observed from ublk_queue_rq() reliably, and avoids +use-after-free on uring_cmd. + +Fixes: 216c8f5ef0f2 ("ublk: replace monitor with cancelable uring_cmd") +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20250327095123.179113-2-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 39 +++++++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 10 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index c7d728d686e5a..79b7bd8bfd458 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -1416,17 +1416,27 @@ static void ublk_abort_queue(struct ublk_device *ub, struct ublk_queue *ubq) + } + } + ++/* Must be called when queue is frozen */ ++static bool ublk_mark_queue_canceling(struct ublk_queue *ubq) ++{ ++ bool canceled; ++ ++ spin_lock(&ubq->cancel_lock); ++ canceled = ubq->canceling; ++ if (!canceled) ++ ubq->canceling = true; ++ spin_unlock(&ubq->cancel_lock); ++ ++ return canceled; ++} ++ + static bool ublk_abort_requests(struct ublk_device *ub, struct ublk_queue *ubq) + { ++ bool was_canceled = ubq->canceling; + struct gendisk *disk; + +- spin_lock(&ubq->cancel_lock); +- if (ubq->canceling) { +- spin_unlock(&ubq->cancel_lock); ++ if (was_canceled) + return false; +- } +- ubq->canceling = true; +- spin_unlock(&ubq->cancel_lock); + + spin_lock(&ub->lock); + disk = ub->ub_disk; +@@ -1438,14 +1448,23 @@ static bool ublk_abort_requests(struct ublk_device *ub, struct ublk_queue *ubq) + if (!disk) + return false; + +- /* Now we are serialized with ublk_queue_rq() */ ++ /* ++ * Now we are serialized with ublk_queue_rq() ++ * ++ * Make sure that ubq->canceling is set when queue is frozen, ++ * because ublk_queue_rq() has to rely on this flag for avoiding to ++ * touch completed uring_cmd ++ */ + blk_mq_quiesce_queue(disk->queue); +- /* abort queue is for making forward progress */ +- ublk_abort_queue(ub, ubq); ++ was_canceled = ublk_mark_queue_canceling(ubq); ++ if (!was_canceled) { ++ /* abort queue is for making forward progress */ ++ ublk_abort_queue(ub, ubq); ++ } + blk_mq_unquiesce_queue(disk->queue); + put_device(disk_to_dev(disk)); + +- return true; ++ return !was_canceled; + } + + static void ublk_cancel_cmd(struct ublk_queue *ubq, struct ublk_io *io, +-- +2.39.5 + diff --git a/queue-6.12/ucsi_ccg-don-t-show-failed-to-get-fw-build-informati.patch b/queue-6.12/ucsi_ccg-don-t-show-failed-to-get-fw-build-informati.patch new file mode 100644 index 0000000000..8f6c90e105 --- /dev/null +++ b/queue-6.12/ucsi_ccg-don-t-show-failed-to-get-fw-build-informati.patch @@ -0,0 +1,47 @@ +From b82231e299c683cb32b7f21331501f89a999ac5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 23:40:03 -0600 +Subject: ucsi_ccg: Don't show failed to get FW build information error + +From: Mario Limonciello + +[ Upstream commit c16006852732dc4fe37c14b81f9b4458df05b832 ] + +The error `failed to get FW build information` is added for what looks +to be for misdetection of the device property firmware-name. + +If the property is missing (such as on non-nvidia HW) this error shows up. +Move the error into the scope of the property parser for "firmware-name" +to avoid showing errors on systems without the firmware-name property. + +Fixes: 5c9ae5a87573d ("usb: typec: ucsi: ccg: add firmware flashing support") +Signed-off-by: Mario Limonciello +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250221054137.1631765-2-superm1@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/ucsi/ucsi_ccg.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/typec/ucsi/ucsi_ccg.c b/drivers/usb/typec/ucsi/ucsi_ccg.c +index 4b1668733a4be..511dd1b224ae5 100644 +--- a/drivers/usb/typec/ucsi/ucsi_ccg.c ++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c +@@ -1433,11 +1433,10 @@ static int ucsi_ccg_probe(struct i2c_client *client) + uc->fw_build = CCG_FW_BUILD_NVIDIA_TEGRA; + else if (!strcmp(fw_name, "nvidia,gpu")) + uc->fw_build = CCG_FW_BUILD_NVIDIA; ++ if (!uc->fw_build) ++ dev_err(uc->dev, "failed to get FW build information\n"); + } + +- if (!uc->fw_build) +- dev_err(uc->dev, "failed to get FW build information\n"); +- + /* reset ccg device and initialize ucsi */ + status = ucsi_ccg_init(uc); + if (status < 0) { +-- +2.39.5 + diff --git a/queue-6.12/udp-fix-memory-accounting-leak.patch b/queue-6.12/udp-fix-memory-accounting-leak.patch new file mode 100644 index 0000000000..b2008df5a4 --- /dev/null +++ b/queue-6.12/udp-fix-memory-accounting-leak.patch @@ -0,0 +1,171 @@ +From e46bf086caf0d78231a79786e9a13ade799839ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:44:43 -0700 +Subject: udp: Fix memory accounting leak. + +From: Kuniyuki Iwashima + +[ Upstream commit df207de9d9e7a4d92f8567e2c539d9c8c12fd99d ] + +Matt Dowling reported a weird UDP memory usage issue. + +Under normal operation, the UDP memory usage reported in /proc/net/sockstat +remains close to zero. However, it occasionally spiked to 524,288 pages +and never dropped. Moreover, the value doubled when the application was +terminated. Finally, it caused intermittent packet drops. + +We can reproduce the issue with the script below [0]: + + 1. /proc/net/sockstat reports 0 pages + + # cat /proc/net/sockstat | grep UDP: + UDP: inuse 1 mem 0 + + 2. Run the script till the report reaches 524,288 + + # python3 test.py & sleep 5 + # cat /proc/net/sockstat | grep UDP: + UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT + + 3. Kill the socket and confirm the number never drops + + # pkill python3 && sleep 5 + # cat /proc/net/sockstat | grep UDP: + UDP: inuse 1 mem 524288 + + 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain() + + # python3 test.py & sleep 1 && pkill python3 + + 5. The number doubles + + # cat /proc/net/sockstat | grep UDP: + UDP: inuse 1 mem 1048577 + +The application set INT_MAX to SO_RCVBUF, which triggered an integer +overflow in udp_rmem_release(). + +When a socket is close()d, udp_destruct_common() purges its receive +queue and sums up skb->truesize in the queue. This total is calculated +and stored in a local unsigned integer variable. + +The total size is then passed to udp_rmem_release() to adjust memory +accounting. However, because the function takes a signed integer +argument, the total size can wrap around, causing an overflow. + +Then, the released amount is calculated as follows: + + 1) Add size to sk->sk_forward_alloc. + 2) Round down sk->sk_forward_alloc to the nearest lower multiple of + PAGE_SIZE and assign it to amount. + 3) Subtract amount from sk->sk_forward_alloc. + 4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated(). + +When the issue occurred, the total in udp_destruct_common() was 2147484480 +(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release(). + +At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and +2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't +see a warning in inet_sock_destruct(). However, udp_memory_allocated +ends up doubling at 4). + +Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for +memory_allocated"), memory usage no longer doubles immediately after +a socket is close()d because __sk_mem_reduce_allocated() caches the +amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP +socket receives a packet, the subtraction takes effect, causing UDP +memory usage to double. + +This issue makes further memory allocation fail once the socket's +sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet +drops. + +To prevent this issue, let's use unsigned int for the calculation and +call sk_forward_alloc_add() only once for the small delta. + +Note that first_packet_length() also potentially has the same problem. + +[0]: +from socket import * + +SO_RCVBUFFORCE = 33 +INT_MAX = (2 ** 31) - 1 + +s = socket(AF_INET, SOCK_DGRAM) +s.bind(('', 0)) +s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX) + +c = socket(AF_INET, SOCK_DGRAM) +c.connect(s.getsockname()) + +data = b'a' * 100 + +while True: + c.send(data) + +Fixes: f970bd9e3a06 ("udp: implement memory accounting helpers") +Reported-by: Matt Dowling +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20250401184501.67377-3-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 4f52d220f4d0c..f4e24fc878fab 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1470,12 +1470,12 @@ static bool udp_skb_has_head_state(struct sk_buff *skb) + } + + /* fully reclaim rmem/fwd memory allocated for skb */ +-static void udp_rmem_release(struct sock *sk, int size, int partial, +- bool rx_queue_lock_held) ++static void udp_rmem_release(struct sock *sk, unsigned int size, ++ int partial, bool rx_queue_lock_held) + { + struct udp_sock *up = udp_sk(sk); + struct sk_buff_head *sk_queue; +- int amt; ++ unsigned int amt; + + if (likely(partial)) { + up->forward_deficit += size; +@@ -1495,10 +1495,8 @@ static void udp_rmem_release(struct sock *sk, int size, int partial, + if (!rx_queue_lock_held) + spin_lock(&sk_queue->lock); + +- +- sk_forward_alloc_add(sk, size); +- amt = (sk->sk_forward_alloc - partial) & ~(PAGE_SIZE - 1); +- sk_forward_alloc_add(sk, -amt); ++ amt = (size + sk->sk_forward_alloc - partial) & ~(PAGE_SIZE - 1); ++ sk_forward_alloc_add(sk, size - amt); + + if (amt) + __sk_mem_reduce_allocated(sk, amt >> PAGE_SHIFT); +@@ -1688,7 +1686,7 @@ EXPORT_SYMBOL_GPL(skb_consume_udp); + + static struct sk_buff *__first_packet_length(struct sock *sk, + struct sk_buff_head *rcvq, +- int *total) ++ unsigned int *total) + { + struct sk_buff *skb; + +@@ -1721,8 +1719,8 @@ static int first_packet_length(struct sock *sk) + { + struct sk_buff_head *rcvq = &udp_sk(sk)->reader_queue; + struct sk_buff_head *sk_queue = &sk->sk_receive_queue; ++ unsigned int total = 0; + struct sk_buff *skb; +- int total = 0; + int res; + + spin_lock_bh(&rcvq->lock); +-- +2.39.5 + diff --git a/queue-6.12/udp-fix-multiple-wraparounds-of-sk-sk_rmem_alloc.patch b/queue-6.12/udp-fix-multiple-wraparounds-of-sk-sk_rmem_alloc.patch new file mode 100644 index 0000000000..1608f2b0a7 --- /dev/null +++ b/queue-6.12/udp-fix-multiple-wraparounds-of-sk-sk_rmem_alloc.patch @@ -0,0 +1,138 @@ +From 6e2cd8526171d91d9647e645c84e27d8dc9aeed1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:44:42 -0700 +Subject: udp: Fix multiple wraparounds of sk->sk_rmem_alloc. + +From: Kuniyuki Iwashima + +[ Upstream commit 5a465a0da13ee9fbd7d3cd0b2893309b0fe4b7e3 ] + +__udp_enqueue_schedule_skb() has the following condition: + + if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) + goto drop; + +sk->sk_rcvbuf is initialised by net.core.rmem_default and later can +be configured by SO_RCVBUF, which is limited by net.core.rmem_max, +or SO_RCVBUFFORCE. + +If we set INT_MAX to sk->sk_rcvbuf, the condition is always false +as sk->sk_rmem_alloc is also signed int. + +Then, the size of the incoming skb is added to sk->sk_rmem_alloc +unconditionally. + +This results in integer overflow (possibly multiple times) on +sk->sk_rmem_alloc and allows a single socket to have skb up to +net.core.udp_mem[1]. + +For example, if we set a large value to udp_mem[1] and INT_MAX to +sk->sk_rcvbuf and flood packets to the socket, we can see multiple +overflows: + + # cat /proc/net/sockstat | grep UDP: + UDP: inuse 3 mem 7956736 <-- (7956736 << 12) bytes > INT_MAX * 15 + ^- PAGE_SHIFT + # ss -uam + State Recv-Q ... + UNCONN -1757018048 ... <-- flipping the sign repeatedly + skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0) + +Previously, we had a boundary check for INT_MAX, which was removed by +commit 6a1f12dd85a8 ("udp: relax atomic operation on sk->sk_rmem_alloc"). + +A complete fix would be to revert it and cap the right operand by +INT_MAX: + + rmem = atomic_add_return(size, &sk->sk_rmem_alloc); + if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX)) + goto uncharge_drop; + +but we do not want to add the expensive atomic_add_return() back just +for the corner case. + +Casting rmem to unsigned int prevents multiple wraparounds, but we still +allow a single wraparound. + + # cat /proc/net/sockstat | grep UDP: + UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> 12 + + # ss -uam + State Recv-Q ... + UNCONN -2147482816 ... <-- INT_MAX + 831 bytes + skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947) + +So, let's define rmem and rcvbuf as unsigned int and check skb->truesize +only when rcvbuf is large enough to lower the overflow possibility. + +Note that we still have a small chance to see overflow if multiple skbs +to the same socket are processed on different core at the same time and +each size does not exceed the limit but the total size does. + +Note also that we must ignore skb->truesize for a small buffer as +explained in commit 363dc73acacb ("udp: be less conservative with +sock rmem accounting"). + +Fixes: 6a1f12dd85a8 ("udp: relax atomic operation on sk->sk_rmem_alloc") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20250401184501.67377-2-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 8da74dc63061c..4f52d220f4d0c 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1570,17 +1570,25 @@ static int udp_rmem_schedule(struct sock *sk, int size) + int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb) + { + struct sk_buff_head *list = &sk->sk_receive_queue; +- int rmem, err = -ENOMEM; ++ unsigned int rmem, rcvbuf; + spinlock_t *busy = NULL; +- int size, rcvbuf; ++ int size, err = -ENOMEM; + +- /* Immediately drop when the receive queue is full. +- * Always allow at least one packet. +- */ + rmem = atomic_read(&sk->sk_rmem_alloc); + rcvbuf = READ_ONCE(sk->sk_rcvbuf); +- if (rmem > rcvbuf) +- goto drop; ++ size = skb->truesize; ++ ++ /* Immediately drop when the receive queue is full. ++ * Cast to unsigned int performs the boundary check for INT_MAX. ++ */ ++ if (rmem + size > rcvbuf) { ++ if (rcvbuf > INT_MAX >> 1) ++ goto drop; ++ ++ /* Always allow at least one packet for small buffer. */ ++ if (rmem > rcvbuf) ++ goto drop; ++ } + + /* Under mem pressure, it might be helpful to help udp_recvmsg() + * having linear skbs : +@@ -1590,10 +1598,10 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb) + */ + if (rmem > (rcvbuf >> 1)) { + skb_condense(skb); +- ++ size = skb->truesize; + busy = busylock_acquire(sk); + } +- size = skb->truesize; ++ + udp_set_dev_scratch(skb); + + atomic_add(size, &sk->sk_rmem_alloc); +-- +2.39.5 + diff --git a/queue-6.12/um-hostfs-avoid-issues-on-inode-number-reuse-by-host.patch b/queue-6.12/um-hostfs-avoid-issues-on-inode-number-reuse-by-host.patch new file mode 100644 index 0000000000..52595f1ff1 --- /dev/null +++ b/queue-6.12/um-hostfs-avoid-issues-on-inode-number-reuse-by-host.patch @@ -0,0 +1,172 @@ +From 4cf3f4b142c4a5a0582eb7aa8bb765f141d87c84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 10:28:22 +0100 +Subject: um: hostfs: avoid issues on inode number reuse by host +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Berg + +[ Upstream commit 0bc754d1e31f40f4a343b692096d9e092ccc0370 ] + +Some file systems (e.g. ext4) may reuse inode numbers once the inode is +not in use anymore. Usually hostfs will keep an FD open for each inode, +but this is not always the case. In the case of sockets, this cannot +even be done properly. + +As such, the following sequence of events was possible: + * application creates and deletes a socket + * hostfs creates/deletes the socket on the host + * inode is still in the hostfs cache + * hostfs creates a new file + * ext4 on the outside reuses the inode number + * hostfs finds the socket inode for the newly created file + * application receives -ENXIO when opening the file + +As mentioned, this can only happen if the deleted file is a special file +that is never opened on the host (i.e. no .open fop). + +As such, to prevent issues, it is sufficient to check that the inode +has the expected type. That said, also add a check for the inode birth +time, just to be on the safe side. + +Fixes: 74ce793bcbde ("hostfs: Fix ephemeral inodes") +Signed-off-by: Benjamin Berg +Reviewed-by: Mickaël Salaün +Tested-by: Mickaël Salaün +Link: https://patch.msgid.link/20250214092822.1241575-1-benjamin@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + fs/hostfs/hostfs.h | 2 +- + fs/hostfs/hostfs_kern.c | 7 ++++- + fs/hostfs/hostfs_user.c | 59 ++++++++++++++++++++++++----------------- + 3 files changed, 41 insertions(+), 27 deletions(-) + +diff --git a/fs/hostfs/hostfs.h b/fs/hostfs/hostfs.h +index 8b39c15c408cc..15b2f094d36ef 100644 +--- a/fs/hostfs/hostfs.h ++++ b/fs/hostfs/hostfs.h +@@ -60,7 +60,7 @@ struct hostfs_stat { + unsigned int uid; + unsigned int gid; + unsigned long long size; +- struct hostfs_timespec atime, mtime, ctime; ++ struct hostfs_timespec atime, mtime, ctime, btime; + unsigned int blksize; + unsigned long long blocks; + struct { +diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c +index 94f3cc42c7403..a16a7df0766cd 100644 +--- a/fs/hostfs/hostfs_kern.c ++++ b/fs/hostfs/hostfs_kern.c +@@ -33,6 +33,7 @@ struct hostfs_inode_info { + struct inode vfs_inode; + struct mutex open_mutex; + dev_t dev; ++ struct hostfs_timespec btime; + }; + + static inline struct hostfs_inode_info *HOSTFS_I(struct inode *inode) +@@ -550,6 +551,7 @@ static int hostfs_inode_set(struct inode *ino, void *data) + } + + HOSTFS_I(ino)->dev = dev; ++ HOSTFS_I(ino)->btime = st->btime; + ino->i_ino = st->ino; + ino->i_mode = st->mode; + return hostfs_inode_update(ino, st); +@@ -560,7 +562,10 @@ static int hostfs_inode_test(struct inode *inode, void *data) + const struct hostfs_stat *st = data; + dev_t dev = MKDEV(st->dev.maj, st->dev.min); + +- return inode->i_ino == st->ino && HOSTFS_I(inode)->dev == dev; ++ return inode->i_ino == st->ino && HOSTFS_I(inode)->dev == dev && ++ (inode->i_mode & S_IFMT) == (st->mode & S_IFMT) && ++ HOSTFS_I(inode)->btime.tv_sec == st->btime.tv_sec && ++ HOSTFS_I(inode)->btime.tv_nsec == st->btime.tv_nsec; + } + + static struct inode *hostfs_iget(struct super_block *sb, char *name) +diff --git a/fs/hostfs/hostfs_user.c b/fs/hostfs/hostfs_user.c +index 97e9c40a94488..3bcd9f35e70b2 100644 +--- a/fs/hostfs/hostfs_user.c ++++ b/fs/hostfs/hostfs_user.c +@@ -18,39 +18,48 @@ + #include "hostfs.h" + #include + +-static void stat64_to_hostfs(const struct stat64 *buf, struct hostfs_stat *p) ++static void statx_to_hostfs(const struct statx *buf, struct hostfs_stat *p) + { +- p->ino = buf->st_ino; +- p->mode = buf->st_mode; +- p->nlink = buf->st_nlink; +- p->uid = buf->st_uid; +- p->gid = buf->st_gid; +- p->size = buf->st_size; +- p->atime.tv_sec = buf->st_atime; +- p->atime.tv_nsec = 0; +- p->ctime.tv_sec = buf->st_ctime; +- p->ctime.tv_nsec = 0; +- p->mtime.tv_sec = buf->st_mtime; +- p->mtime.tv_nsec = 0; +- p->blksize = buf->st_blksize; +- p->blocks = buf->st_blocks; +- p->rdev.maj = os_major(buf->st_rdev); +- p->rdev.min = os_minor(buf->st_rdev); +- p->dev.maj = os_major(buf->st_dev); +- p->dev.min = os_minor(buf->st_dev); ++ p->ino = buf->stx_ino; ++ p->mode = buf->stx_mode; ++ p->nlink = buf->stx_nlink; ++ p->uid = buf->stx_uid; ++ p->gid = buf->stx_gid; ++ p->size = buf->stx_size; ++ p->atime.tv_sec = buf->stx_atime.tv_sec; ++ p->atime.tv_nsec = buf->stx_atime.tv_nsec; ++ p->ctime.tv_sec = buf->stx_ctime.tv_sec; ++ p->ctime.tv_nsec = buf->stx_ctime.tv_nsec; ++ p->mtime.tv_sec = buf->stx_mtime.tv_sec; ++ p->mtime.tv_nsec = buf->stx_mtime.tv_nsec; ++ if (buf->stx_mask & STATX_BTIME) { ++ p->btime.tv_sec = buf->stx_btime.tv_sec; ++ p->btime.tv_nsec = buf->stx_btime.tv_nsec; ++ } else { ++ memset(&p->btime, 0, sizeof(p->btime)); ++ } ++ p->blksize = buf->stx_blksize; ++ p->blocks = buf->stx_blocks; ++ p->rdev.maj = buf->stx_rdev_major; ++ p->rdev.min = buf->stx_rdev_minor; ++ p->dev.maj = buf->stx_dev_major; ++ p->dev.min = buf->stx_dev_minor; + } + + int stat_file(const char *path, struct hostfs_stat *p, int fd) + { +- struct stat64 buf; ++ struct statx buf; ++ int flags = AT_SYMLINK_NOFOLLOW; + + if (fd >= 0) { +- if (fstat64(fd, &buf) < 0) +- return -errno; +- } else if (lstat64(path, &buf) < 0) { +- return -errno; ++ flags |= AT_EMPTY_PATH; ++ path = ""; + } +- stat64_to_hostfs(&buf, p); ++ ++ if ((statx(fd, path, flags, STATX_BASIC_STATS | STATX_BTIME, &buf)) < 0) ++ return -errno; ++ ++ statx_to_hostfs(&buf, p); + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.12/um-pass-the-correct-rust-target-and-options-with-gcc.patch b/queue-6.12/um-pass-the-correct-rust-target-and-options-with-gcc.patch new file mode 100644 index 0000000000..e66ab889de --- /dev/null +++ b/queue-6.12/um-pass-the-correct-rust-target-and-options-with-gcc.patch @@ -0,0 +1,57 @@ +From 03568fa672598d886676d2ceedd608f8c9e89513 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 18:53:51 +0800 +Subject: um: Pass the correct Rust target and options with gcc + +From: David Gow + +[ Upstream commit 5550187c4c21740942c32a9ae56f9f472a104cb4 ] + +In order to work around some issues with disabling SSE on older versions +of gcc (compilation would fail upon seeing a function declaration +containing a float, even if it was never called or defined), the +corresponding CFLAGS and RUSTFLAGS were only set when using clang. + +However, this led to two problems: +- Newer gcc versions also wouldn't get the correct flags, despite not + having the bug. +- The RUSTFLAGS for setting the rust target definition were not set, + despite being unrelated. This works by chance for x86_64, as the + built-in default target is close enough, but not for 32-bit x86. + +Move the target definition outside the conditional block, and update the +condition to take into account the gcc version. + +Fixes: a3046a618a28 ("um: Only disable SSE on clang to work around old GCC bugs") +Signed-off-by: David Gow +Link: https://patch.msgid.link/20250210105353.2238769-2-davidgow@google.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/x86/Makefile.um | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/Makefile.um b/arch/x86/Makefile.um +index a46b1397ad01c..c86cbd9cbba38 100644 +--- a/arch/x86/Makefile.um ++++ b/arch/x86/Makefile.um +@@ -7,12 +7,13 @@ core-y += arch/x86/crypto/ + # GCC versions < 11. See: + # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99652 + # +-ifeq ($(CONFIG_CC_IS_CLANG),y) +-KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx +-KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json ++ifeq ($(call gcc-min-version, 110000)$(CONFIG_CC_IS_CLANG),y) ++KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-sse2 -mno-3dnow -mno-avx + KBUILD_RUSTFLAGS += -Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2 + endif + ++KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json ++ + ifeq ($(CONFIG_X86_32),y) + START := 0x8048000 + +-- +2.39.5 + diff --git a/queue-6.12/um-remove-copy_from_kernel_nofault_allowed.patch b/queue-6.12/um-remove-copy_from_kernel_nofault_allowed.patch new file mode 100644 index 0000000000..ab7b8bd970 --- /dev/null +++ b/queue-6.12/um-remove-copy_from_kernel_nofault_allowed.patch @@ -0,0 +1,144 @@ +From c5763e83fe2178ae6b42dd3e69471552abb4f3cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 17:09:26 +0100 +Subject: um: remove copy_from_kernel_nofault_allowed + +From: Benjamin Berg + +[ Upstream commit 84a6fc378471fbeaf48f8604566a5a33a3d63c18 ] + +There is no need to override the default version of this function +anymore as UML now has proper _nofault memory access functions. + +Doing this also fixes the fact that the implementation was incorrect as +using mincore() will incorrectly flag pages as inaccessible if they were +swapped out by the host. + +Fixes: f75b1b1bedfb ("um: Implement probe_kernel_read()") +Signed-off-by: Benjamin Berg +Link: https://patch.msgid.link/20250210160926.420133-3-benjamin@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/include/shared/os.h | 1 - + arch/um/kernel/Makefile | 2 +- + arch/um/kernel/maccess.c | 19 -------------- + arch/um/os-Linux/process.c | 51 ------------------------------------- + 4 files changed, 1 insertion(+), 72 deletions(-) + delete mode 100644 arch/um/kernel/maccess.c + +diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h +index 9a039d6f1f748..77a8593f219a1 100644 +--- a/arch/um/include/shared/os.h ++++ b/arch/um/include/shared/os.h +@@ -218,7 +218,6 @@ extern int os_protect_memory(void *addr, unsigned long len, + extern int os_unmap_memory(void *addr, int len); + extern int os_drop_memory(void *addr, int length); + extern int can_drop_memory(void); +-extern int os_mincore(void *addr, unsigned long len); + + /* execvp.c */ + extern int execvp_noalloc(char *buf, const char *file, char *const argv[]); +diff --git a/arch/um/kernel/Makefile b/arch/um/kernel/Makefile +index f8567b933ffaa..4df1cd0d20179 100644 +--- a/arch/um/kernel/Makefile ++++ b/arch/um/kernel/Makefile +@@ -17,7 +17,7 @@ extra-y := vmlinux.lds + obj-y = config.o exec.o exitcode.o irq.o ksyms.o mem.o \ + physmem.o process.o ptrace.o reboot.o sigio.o \ + signal.o sysrq.o time.o tlb.o trap.o \ +- um_arch.o umid.o maccess.o kmsg_dump.o capflags.o skas/ ++ um_arch.o umid.o kmsg_dump.o capflags.o skas/ + obj-y += load_file.o + + obj-$(CONFIG_BLK_DEV_INITRD) += initrd.o +diff --git a/arch/um/kernel/maccess.c b/arch/um/kernel/maccess.c +deleted file mode 100644 +index 8ccd56813f684..0000000000000 +--- a/arch/um/kernel/maccess.c ++++ /dev/null +@@ -1,19 +0,0 @@ +-// SPDX-License-Identifier: GPL-2.0-only +-/* +- * Copyright (C) 2013 Richard Weinberger +- */ +- +-#include +-#include +-#include +- +-bool copy_from_kernel_nofault_allowed(const void *src, size_t size) +-{ +- void *psrc = (void *)rounddown((unsigned long)src, PAGE_SIZE); +- +- if ((unsigned long)src < PAGE_SIZE || size <= 0) +- return false; +- if (os_mincore(psrc, size + src - psrc) <= 0) +- return false; +- return true; +-} +diff --git a/arch/um/os-Linux/process.c b/arch/um/os-Linux/process.c +index e52dd37ddadcc..2686120ab2325 100644 +--- a/arch/um/os-Linux/process.c ++++ b/arch/um/os-Linux/process.c +@@ -223,57 +223,6 @@ int __init can_drop_memory(void) + return ok; + } + +-static int os_page_mincore(void *addr) +-{ +- char vec[2]; +- int ret; +- +- ret = mincore(addr, UM_KERN_PAGE_SIZE, vec); +- if (ret < 0) { +- if (errno == ENOMEM || errno == EINVAL) +- return 0; +- else +- return -errno; +- } +- +- return vec[0] & 1; +-} +- +-int os_mincore(void *addr, unsigned long len) +-{ +- char *vec; +- int ret, i; +- +- if (len <= UM_KERN_PAGE_SIZE) +- return os_page_mincore(addr); +- +- vec = calloc(1, (len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE); +- if (!vec) +- return -ENOMEM; +- +- ret = mincore(addr, UM_KERN_PAGE_SIZE, vec); +- if (ret < 0) { +- if (errno == ENOMEM || errno == EINVAL) +- ret = 0; +- else +- ret = -errno; +- +- goto out; +- } +- +- for (i = 0; i < ((len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE); i++) { +- if (!(vec[i] & 1)) { +- ret = 0; +- goto out; +- } +- } +- +- ret = 1; +-out: +- free(vec); +- return ret; +-} +- + void init_new_thread_signals(void) + { + set_handler(SIGSEGV); +-- +2.39.5 + diff --git a/queue-6.12/usb-xhci-correct-debug-message-page-size-calculation.patch b/queue-6.12/usb-xhci-correct-debug-message-page-size-calculation.patch new file mode 100644 index 0000000000..fb7b8e8e51 --- /dev/null +++ b/queue-6.12/usb-xhci-correct-debug-message-page-size-calculation.patch @@ -0,0 +1,52 @@ +From d394adc6f3bf172fa4dbcefe8acf79303e98ff73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 16:49:47 +0200 +Subject: usb: xhci: correct debug message page size calculation + +From: Niklas Neronin + +[ Upstream commit 55741c723318905e6d5161bf1e12749020b161e3 ] + +The ffs() function returns the index of the first set bit, starting from 1. +If no bits are set, it returns zero. This behavior causes an off-by-one +page size in the debug message, as the page size calculation [1] +is zero-based, while ffs() is one-based. + +Fix this by subtracting one from the result of ffs(). Note that since +variable 'val' is unsigned, subtracting one from zero will result in the +maximum unsigned integer value. Consequently, the condition 'if (val < 16)' +will still function correctly. + +[1], Page size: (2^(n+12)), where 'n' is the set page size bit. + +Fixes: 81720ec5320c ("usb: host: xhci: use ffs() in xhci_mem_init()") +Signed-off-by: Niklas Neronin +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250306144954.3507700-9-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mem.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 32c8693b438b0..8c26275696df9 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -2397,10 +2397,10 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags) + page_size = readl(&xhci->op_regs->page_size); + xhci_dbg_trace(xhci, trace_xhci_dbg_init, + "Supported page size register = 0x%x", page_size); +- i = ffs(page_size); +- if (i < 16) ++ val = ffs(page_size) - 1; ++ if (val < 16) + xhci_dbg_trace(xhci, trace_xhci_dbg_init, +- "Supported page size of %iK", (1 << (i+12)) / 1024); ++ "Supported page size of %iK", (1 << (val + 12)) / 1024); + else + xhci_warn(xhci, "WARN: no supported page size\n"); + /* Use 4K pages, since that's common and the minimum the HC supports */ +-- +2.39.5 + diff --git a/queue-6.12/vhost-scsi-fix-handling-of-multiple-calls-to-vhost_s.patch b/queue-6.12/vhost-scsi-fix-handling-of-multiple-calls-to-vhost_s.patch new file mode 100644 index 0000000000..52fcd7bfef --- /dev/null +++ b/queue-6.12/vhost-scsi-fix-handling-of-multiple-calls-to-vhost_s.patch @@ -0,0 +1,176 @@ +From 536665196c2563ea1f98ef8f00a045bda8323547 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jan 2025 15:09:22 -0600 +Subject: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint + +From: Mike Christie + +[ Upstream commit 5dd639a1646ef5fe8f4bf270fad47c5c3755b9b6 ] + +If vhost_scsi_set_endpoint is called multiple times without a +vhost_scsi_clear_endpoint between them, we can hit multiple bugs +found by Haoran Zhang: + +1. Use-after-free when no tpgs are found: + +This fixes a use after free that occurs when vhost_scsi_set_endpoint is +called more than once and calls after the first call do not find any +tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds +tpgs to add to the vs_tpg array match=true, so we will do: + +vhost_vq_set_backend(vq, vs_tpg); +... + +kfree(vs->vs_tpg); +vs->vs_tpg = vs_tpg; + +If vhost_scsi_set_endpoint is called again and no tpgs are found +match=false so we skip the vhost_vq_set_backend call leaving the +pointer to the vs_tpg we then free via: + +kfree(vs->vs_tpg); +vs->vs_tpg = vs_tpg; + +If a scsi request is then sent we do: + +vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend + +which sees the vs_tpg we just did a kfree on. + +2. Tpg dir removal hang: + +This patch fixes an issue where we cannot remove a LIO/target layer +tpg (and structs above it like the target) dir due to the refcount +dropping to -1. + +The problem is that if vhost_scsi_set_endpoint detects a tpg is already +in the vs->vs_tpg array or if the tpg has been removed so +target_depend_item fails, the undepend goto handler will do +target_undepend_item on all tpgs in the vs_tpg array dropping their +refcount to 0. At this time vs_tpg contains both the tpgs we have added +in the current vhost_scsi_set_endpoint call as well as tpgs we added in +previous calls which are also in vs->vs_tpg. + +Later, when vhost_scsi_clear_endpoint runs it will do +target_undepend_item on all the tpgs in the vs->vs_tpg which will drop +their refcount to -1. Userspace will then not be able to remove the tpg +and will hang when it tries to do rmdir on the tpg dir. + +3. Tpg leak: + +This fixes a bug where we can leak tpgs and cause them to be +un-removable because the target name is overwritten when +vhost_scsi_set_endpoint is called multiple times but with different +target names. + +The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup +a vhost-scsi device to target/tpg mapping, then calls +VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we +haven't seen before (target1 has tpg1 but target2 has tpg2). When this +happens we don't teardown the old target tpg mapping and just overwrite +the target name and the vs->vs_tpg array. Later when we do +vhost_scsi_clear_endpoint, we are passed in either target1 or target2's +name and we will only match that target's tpgs when we loop over the +vs->vs_tpg. We will then return from the function without doing +target_undepend_item on the tpgs. + +Because of all these bugs, it looks like being able to call +vhost_scsi_set_endpoint multiple times was never supported. The major +user, QEMU, already has checks to prevent this use case. So to fix the +issues, this patch prevents vhost_scsi_set_endpoint from being called +if it's already successfully added tpgs. To add, remove or change the +tpg config or target name, you must do a vhost_scsi_clear_endpoint +first. + +Fixes: 25b98b64e284 ("vhost scsi: alloc cmds per vq instead of session") +Fixes: 4f7f46d32c98 ("tcm_vhost: Use vq->private_data to indicate if the endpoint is setup") +Reported-by: Haoran Zhang +Closes: https://lore.kernel.org/virtualization/e418a5ee-45ca-4d18-9b5d-6f8b6b1add8e@oracle.com/T/#me6c0041ce376677419b9b2563494172a01487ecb +Signed-off-by: Mike Christie +Reviewed-by: Stefan Hajnoczi +Message-Id: <20250129210922.121533-1-michael.christie@oracle.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Stefano Garzarella +Signed-off-by: Sasha Levin +--- + drivers/vhost/scsi.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c +index 718fa4e0b31ec..7aeff435c1d87 100644 +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -1699,14 +1699,19 @@ vhost_scsi_set_endpoint(struct vhost_scsi *vs, + } + } + ++ if (vs->vs_tpg) { ++ pr_err("vhost-scsi endpoint already set for %s.\n", ++ vs->vs_vhost_wwpn); ++ ret = -EEXIST; ++ goto out; ++ } ++ + len = sizeof(vs_tpg[0]) * VHOST_SCSI_MAX_TARGET; + vs_tpg = kzalloc(len, GFP_KERNEL); + if (!vs_tpg) { + ret = -ENOMEM; + goto out; + } +- if (vs->vs_tpg) +- memcpy(vs_tpg, vs->vs_tpg, len); + + mutex_lock(&vhost_scsi_mutex); + list_for_each_entry(tpg, &vhost_scsi_list, tv_tpg_list) { +@@ -1722,12 +1727,6 @@ vhost_scsi_set_endpoint(struct vhost_scsi *vs, + tv_tport = tpg->tport; + + if (!strcmp(tv_tport->tport_name, t->vhost_wwpn)) { +- if (vs->vs_tpg && vs->vs_tpg[tpg->tport_tpgt]) { +- mutex_unlock(&tpg->tv_tpg_mutex); +- mutex_unlock(&vhost_scsi_mutex); +- ret = -EEXIST; +- goto undepend; +- } + /* + * In order to ensure individual vhost-scsi configfs + * groups cannot be removed while in use by vhost ioctl, +@@ -1774,15 +1773,15 @@ vhost_scsi_set_endpoint(struct vhost_scsi *vs, + } + ret = 0; + } else { +- ret = -EEXIST; ++ ret = -ENODEV; ++ goto free_tpg; + } + + /* +- * Act as synchronize_rcu to make sure access to +- * old vs->vs_tpg is finished. ++ * Act as synchronize_rcu to make sure requests after this point ++ * see a fully setup device. + */ + vhost_scsi_flush(vs); +- kfree(vs->vs_tpg); + vs->vs_tpg = vs_tpg; + goto out; + +@@ -1802,6 +1801,7 @@ vhost_scsi_set_endpoint(struct vhost_scsi *vs, + target_undepend_item(&tpg->se_tpg.tpg_group.cg_item); + } + } ++free_tpg: + kfree(vs_tpg); + out: + mutex_unlock(&vs->dev.mutex); +@@ -1904,6 +1904,7 @@ vhost_scsi_clear_endpoint(struct vhost_scsi *vs, + vhost_scsi_flush(vs); + kfree(vs->vs_tpg); + vs->vs_tpg = NULL; ++ memset(vs->vs_vhost_wwpn, 0, sizeof(vs->vs_vhost_wwpn)); + WARN_ON(vs->vs_events_nr); + mutex_unlock(&vs->dev.mutex); + return 0; +-- +2.39.5 + diff --git a/queue-6.12/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch b/queue-6.12/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch new file mode 100644 index 0000000000..0a6ae97a60 --- /dev/null +++ b/queue-6.12/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch @@ -0,0 +1,62 @@ +From d45366a411b772069e809ae053acbfa26930ecca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 15:15:28 +0100 +Subject: vsock: avoid timeout during connect() if the socket is closing + +From: Stefano Garzarella + +[ Upstream commit fccd2b711d9628c7ce0111d5e4938652101ee30a ] + +When a peer attempts to establish a connection, vsock_connect() contains +a loop that waits for the state to be TCP_ESTABLISHED. However, the +other peer can be fast enough to accept the connection and close it +immediately, thus moving the state to TCP_CLOSING. + +When this happens, the peer in the vsock_connect() is properly woken up, +but since the state is not TCP_ESTABLISHED, it goes back to sleep +until the timeout expires, returning -ETIMEDOUT. + +If the socket state is TCP_CLOSING, waiting for the timeout is pointless. +vsock_connect() can return immediately without errors or delay since the +connection actually happened. The socket will be in a closing state, +but this is not an issue, and subsequent calls will fail as expected. + +We discovered this issue while developing a test that accepts and +immediately closes connections to stress the transport switch between +two connect() calls, where the first one was interrupted by a signal +(see Closes link). + +Reported-by: Luigi Leonardi +Closes: https://lore.kernel.org/virtualization/bq6hxrolno2vmtqwcvb5bljfpb7mvwb3kohrvaed6auz5vxrfv@ijmd2f3grobn/ +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Stefano Garzarella +Acked-by: Paolo Abeni +Tested-by: Luigi Leonardi +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20250328141528.420719-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index eb6ea26b390ee..d08f205b33dcc 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1551,7 +1551,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + timeout = vsk->connect_timeout; + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + +- while (sk->sk_state != TCP_ESTABLISHED && sk->sk_err == 0) { ++ /* If the socket is already closing or it is in an error state, there ++ * is no point in waiting. ++ */ ++ while (sk->sk_state != TCP_ESTABLISHED && ++ sk->sk_state != TCP_CLOSING && sk->sk_err == 0) { + if (flags & O_NONBLOCK) { + /* If we're not going to block, we schedule a timeout + * function to generate a timeout on the connection +-- +2.39.5 + diff --git a/queue-6.12/w1-fix-null-pointer-dereference-in-probe.patch b/queue-6.12/w1-fix-null-pointer-dereference-in-probe.patch new file mode 100644 index 0000000000..eaa5d85234 --- /dev/null +++ b/queue-6.12/w1-fix-null-pointer-dereference-in-probe.patch @@ -0,0 +1,54 @@ +From c39373aae7fe46949c8aca05c9a0fc428245491d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Jan 2025 12:18:03 -0600 +Subject: w1: fix NULL pointer dereference in probe + +From: Chenyuan Yang + +[ Upstream commit 0dd6770a72f138dabea9eae87f3da6ffa68f0d06 ] + +The w1_uart_probe() function calls w1_uart_serdev_open() (which includes +devm_serdev_device_open()) before setting the client ops via +serdev_device_set_client_ops(). This ordering can trigger a NULL pointer +dereference in the serdev controller's receive_buf handler, as it assumes +serdev->ops is valid when SERPORT_ACTIVE is set. + +This is similar to the issue fixed in commit 5e700b384ec1 +("platform/chrome: cros_ec_uart: properly fix race condition") where +devm_serdev_device_open() was called before fully initializing the +device. + +Fix the race by ensuring client ops are set before enabling the port via +w1_uart_serdev_open(). + +Fixes: a3c08804364e ("w1: add UART w1 bus driver") +Signed-off-by: Chenyuan Yang +Acked-by: Christoph Winklhofer +Link: https://lore.kernel.org/r/20250111181803.2283611-1-chenyuan0y@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/w1/masters/w1-uart.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/w1/masters/w1-uart.c b/drivers/w1/masters/w1-uart.c +index a31782e56ba75..c87eea3478067 100644 +--- a/drivers/w1/masters/w1-uart.c ++++ b/drivers/w1/masters/w1-uart.c +@@ -372,11 +372,11 @@ static int w1_uart_probe(struct serdev_device *serdev) + init_completion(&w1dev->rx_byte_received); + mutex_init(&w1dev->rx_mutex); + ++ serdev_device_set_drvdata(serdev, w1dev); ++ serdev_device_set_client_ops(serdev, &w1_uart_serdev_ops); + ret = w1_uart_serdev_open(w1dev); + if (ret < 0) + return ret; +- serdev_device_set_drvdata(serdev, w1dev); +- serdev_device_set_client_ops(serdev, &w1_uart_serdev_ops); + + return w1_add_master_device(&w1dev->bus); + } +-- +2.39.5 + diff --git a/queue-6.12/watch_queue-fix-pipe-accounting-mismatch.patch b/queue-6.12/watch_queue-fix-pipe-accounting-mismatch.patch new file mode 100644 index 0000000000..b7424a1294 --- /dev/null +++ b/queue-6.12/watch_queue-fix-pipe-accounting-mismatch.patch @@ -0,0 +1,55 @@ +From 4f50b066cbd6e055aa3fe861ab980fa3533b7811 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 11:41:08 -0600 +Subject: watch_queue: fix pipe accounting mismatch + +From: Eric Sandeen + +[ Upstream commit f13abc1e8e1a3b7455511c4e122750127f6bc9b0 ] + +Currently, watch_queue_set_size() modifies the pipe buffers charged to +user->pipe_bufs without updating the pipe->nr_accounted on the pipe +itself, due to the if (!pipe_has_watch_queue()) test in +pipe_resize_ring(). This means that when the pipe is ultimately freed, +we decrement user->pipe_bufs by something other than what than we had +charged to it, potentially leading to an underflow. This in turn can +cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM. + +To remedy this, explicitly account for the pipe usage in +watch_queue_set_size() to match the number set via account_pipe_buffers() + +(It's unclear why watch_queue_set_size() does not update nr_accounted; +it may be due to intentional overprovisioning in watch_queue_set_size()?) + +Fixes: e95aada4cb93d ("pipe: wakeup wr_wait after setting max_usage") +Signed-off-by: Eric Sandeen +Link: https://lore.kernel.org/r/206682a8-0604-49e5-8224-fdbe0c12b460@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + kernel/watch_queue.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c +index d36242fd49364..e55f9810b91ad 100644 +--- a/kernel/watch_queue.c ++++ b/kernel/watch_queue.c +@@ -269,6 +269,15 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes) + if (ret < 0) + goto error; + ++ /* ++ * pipe_resize_ring() does not update nr_accounted for watch_queue ++ * pipes, because the above vastly overprovisions. Set nr_accounted on ++ * and max_usage this pipe to the number that was actually charged to ++ * the user above via account_pipe_buffers. ++ */ ++ pipe->max_usage = nr_pages; ++ pipe->nr_accounted = nr_pages; ++ + ret = -ENOMEM; + pages = kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL); + if (!pages) +-- +2.39.5 + diff --git a/queue-6.12/watchdog-hardlockup-perf-fix-perf_event-memory-leak.patch b/queue-6.12/watchdog-hardlockup-perf-fix-perf_event-memory-leak.patch new file mode 100644 index 0000000000..ed8b5357f9 --- /dev/null +++ b/queue-6.12/watchdog-hardlockup-perf-fix-perf_event-memory-leak.patch @@ -0,0 +1,288 @@ +From 625b789eb2a194e32aebf24337a370cb675756e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2024 03:30:03 +0800 +Subject: watchdog/hardlockup/perf: Fix perf_event memory leak + +From: Li Huafei + +[ Upstream commit d6834d9c990333bfa433bc1816e2417f268eebbe ] + +During stress-testing, we found a kmemleak report for perf_event: + + unreferenced object 0xff110001410a33e0 (size 1328): + comm "kworker/4:11", pid 288, jiffies 4294916004 + hex dump (first 32 bytes): + b8 be c2 3b 02 00 11 ff 22 01 00 00 00 00 ad de ...;...."....... + f0 33 0a 41 01 00 11 ff f0 33 0a 41 01 00 11 ff .3.A.....3.A.... + backtrace (crc 24eb7b3a): + [<00000000e211b653>] kmem_cache_alloc_node_noprof+0x269/0x2e0 + [<000000009d0985fa>] perf_event_alloc+0x5f/0xcf0 + [<00000000084ad4a2>] perf_event_create_kernel_counter+0x38/0x1b0 + [<00000000fde96401>] hardlockup_detector_event_create+0x50/0xe0 + [<0000000051183158>] watchdog_hardlockup_enable+0x17/0x70 + [<00000000ac89727f>] softlockup_start_fn+0x15/0x40 + ... + +Our stress test includes CPU online and offline cycles, and updating the +watchdog configuration. + +After reading the code, I found that there may be a race between cleaning up +perf_event after updating watchdog and disabling event when the CPU goes offline: + + CPU0 CPU1 CPU2 + (update watchdog) (hotplug offline CPU1) + + ... _cpu_down(CPU1) + cpus_read_lock() // waiting for cpu lock + softlockup_start_all + smp_call_on_cpu(CPU1) + softlockup_start_fn + ... + watchdog_hardlockup_enable(CPU1) + perf create E1 + watchdog_ev[CPU1] = E1 + cpus_read_unlock() + cpus_write_lock() + cpuhp_kick_ap_work(CPU1) + cpuhp_thread_fun + ... + watchdog_hardlockup_disable(CPU1) + watchdog_ev[CPU1] = NULL + dead_event[CPU1] = E1 + __lockup_detector_cleanup + for each dead_events_mask + release each dead_event + /* + * CPU1 has not been added to + * dead_events_mask, then E1 + * will not be released + */ + CPU1 -> dead_events_mask + cpumask_clear(&dead_events_mask) + // dead_events_mask is cleared, E1 is leaked + +In this case, the leaked perf_event E1 matches the perf_event leak +reported by kmemleak. Due to the low probability of problem recurrence +(only reported once), I added some hack delays in the code: + + static void __lockup_detector_reconfigure(void) + { + ... + watchdog_hardlockup_start(); + cpus_read_unlock(); + + mdelay(100); + /* + * Must be called outside the cpus locked section to prevent + * recursive locking in the perf code. + ... + } + + void watchdog_hardlockup_disable(unsigned int cpu) + { + ... + perf_event_disable(event); + this_cpu_write(watchdog_ev, NULL); + this_cpu_write(dead_event, event); + + mdelay(100); + cpumask_set_cpu(smp_processor_id(), &dead_events_mask); + atomic_dec(&watchdog_cpus); + ... + } + + void hardlockup_detector_perf_cleanup(void) + { + ... + perf_event_release_kernel(event); + per_cpu(dead_event, cpu) = NULL; + } + + mdelay(100); + cpumask_clear(&dead_events_mask); + } + +Then, simultaneously performing CPU on/off and switching watchdog, it is +almost certain to reproduce this leak. + +The problem here is that releasing perf_event is not within the CPU +hotplug read-write lock. Commit: + + 941154bd6937 ("watchdog/hardlockup/perf: Prevent CPU hotplug deadlock") + +introduced deferred release to solve the deadlock caused by calling +get_online_cpus() when releasing perf_event. Later, commit: + + efe951d3de91 ("perf/x86: Fix perf,x86,cpuhp deadlock") + +removed the get_online_cpus() call on the perf_event release path to solve +another deadlock problem. + +Therefore, it is now possible to move the release of perf_event back +into the CPU hotplug read-write lock, and release the event immediately +after disabling it. + +Fixes: 941154bd6937 ("watchdog/hardlockup/perf: Prevent CPU hotplug deadlock") +Signed-off-by: Li Huafei +Signed-off-by: Ingo Molnar +Cc: Thomas Gleixner +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20241021193004.308303-1-lihuafei1@huawei.com +Signed-off-by: Sasha Levin +--- + include/linux/nmi.h | 4 ---- + kernel/cpu.c | 5 ----- + kernel/watchdog.c | 25 ------------------------- + kernel/watchdog_perf.c | 28 +--------------------------- + 4 files changed, 1 insertion(+), 61 deletions(-) + +diff --git a/include/linux/nmi.h b/include/linux/nmi.h +index a8dfb38c9bb6f..e78fa535f61dd 100644 +--- a/include/linux/nmi.h ++++ b/include/linux/nmi.h +@@ -17,7 +17,6 @@ + void lockup_detector_init(void); + void lockup_detector_retry_init(void); + void lockup_detector_soft_poweroff(void); +-void lockup_detector_cleanup(void); + + extern int watchdog_user_enabled; + extern int watchdog_thresh; +@@ -37,7 +36,6 @@ extern int sysctl_hardlockup_all_cpu_backtrace; + static inline void lockup_detector_init(void) { } + static inline void lockup_detector_retry_init(void) { } + static inline void lockup_detector_soft_poweroff(void) { } +-static inline void lockup_detector_cleanup(void) { } + #endif /* !CONFIG_LOCKUP_DETECTOR */ + + #ifdef CONFIG_SOFTLOCKUP_DETECTOR +@@ -104,12 +102,10 @@ void watchdog_hardlockup_check(unsigned int cpu, struct pt_regs *regs); + #if defined(CONFIG_HARDLOCKUP_DETECTOR_PERF) + extern void hardlockup_detector_perf_stop(void); + extern void hardlockup_detector_perf_restart(void); +-extern void hardlockup_detector_perf_cleanup(void); + extern void hardlockup_config_perf_event(const char *str); + #else + static inline void hardlockup_detector_perf_stop(void) { } + static inline void hardlockup_detector_perf_restart(void) { } +-static inline void hardlockup_detector_perf_cleanup(void) { } + static inline void hardlockup_config_perf_event(const char *str) { } + #endif + +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 9ee6c9145b1df..cf02a629f9902 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -1452,11 +1452,6 @@ static int __ref _cpu_down(unsigned int cpu, int tasks_frozen, + + out: + cpus_write_unlock(); +- /* +- * Do post unplug cleanup. This is still protected against +- * concurrent CPU hotplug via cpu_add_remove_lock. +- */ +- lockup_detector_cleanup(); + arch_smt_update(); + return ret; + } +diff --git a/kernel/watchdog.c b/kernel/watchdog.c +index 262691ba62b7a..4dc72540c3b0f 100644 +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -347,8 +347,6 @@ static int __init watchdog_thresh_setup(char *str) + } + __setup("watchdog_thresh=", watchdog_thresh_setup); + +-static void __lockup_detector_cleanup(void); +- + #ifdef CONFIG_SOFTLOCKUP_DETECTOR_INTR_STORM + enum stats_per_group { + STATS_SYSTEM, +@@ -878,11 +876,6 @@ static void __lockup_detector_reconfigure(void) + + watchdog_hardlockup_start(); + cpus_read_unlock(); +- /* +- * Must be called outside the cpus locked section to prevent +- * recursive locking in the perf code. +- */ +- __lockup_detector_cleanup(); + } + + void lockup_detector_reconfigure(void) +@@ -932,24 +925,6 @@ static inline void lockup_detector_setup(void) + } + #endif /* !CONFIG_SOFTLOCKUP_DETECTOR */ + +-static void __lockup_detector_cleanup(void) +-{ +- lockdep_assert_held(&watchdog_mutex); +- hardlockup_detector_perf_cleanup(); +-} +- +-/** +- * lockup_detector_cleanup - Cleanup after cpu hotplug or sysctl changes +- * +- * Caller must not hold the cpu hotplug rwsem. +- */ +-void lockup_detector_cleanup(void) +-{ +- mutex_lock(&watchdog_mutex); +- __lockup_detector_cleanup(); +- mutex_unlock(&watchdog_mutex); +-} +- + /** + * lockup_detector_soft_poweroff - Interface to stop lockup detector(s) + * +diff --git a/kernel/watchdog_perf.c b/kernel/watchdog_perf.c +index 59c1d86a73a24..2fdb96eaf4933 100644 +--- a/kernel/watchdog_perf.c ++++ b/kernel/watchdog_perf.c +@@ -21,8 +21,6 @@ + #include + + static DEFINE_PER_CPU(struct perf_event *, watchdog_ev); +-static DEFINE_PER_CPU(struct perf_event *, dead_event); +-static struct cpumask dead_events_mask; + + static atomic_t watchdog_cpus = ATOMIC_INIT(0); + +@@ -181,36 +179,12 @@ void watchdog_hardlockup_disable(unsigned int cpu) + + if (event) { + perf_event_disable(event); ++ perf_event_release_kernel(event); + this_cpu_write(watchdog_ev, NULL); +- this_cpu_write(dead_event, event); +- cpumask_set_cpu(smp_processor_id(), &dead_events_mask); + atomic_dec(&watchdog_cpus); + } + } + +-/** +- * hardlockup_detector_perf_cleanup - Cleanup disabled events and destroy them +- * +- * Called from lockup_detector_cleanup(). Serialized by the caller. +- */ +-void hardlockup_detector_perf_cleanup(void) +-{ +- int cpu; +- +- for_each_cpu(cpu, &dead_events_mask) { +- struct perf_event *event = per_cpu(dead_event, cpu); +- +- /* +- * Required because for_each_cpu() reports unconditionally +- * CPU0 as set on UP kernels. Sigh. +- */ +- if (event) +- perf_event_release_kernel(event); +- per_cpu(dead_event, cpu) = NULL; +- } +- cpumask_clear(&dead_events_mask); +-} +- + /** + * hardlockup_detector_perf_stop - Globally stop watchdog events + * +-- +2.39.5 + diff --git a/queue-6.12/wifi-brcmfmac-keep-power-during-suspend-if-board-req.patch b/queue-6.12/wifi-brcmfmac-keep-power-during-suspend-if-board-req.patch new file mode 100644 index 0000000000..d4b2043dee --- /dev/null +++ b/queue-6.12/wifi-brcmfmac-keep-power-during-suspend-if-board-req.patch @@ -0,0 +1,100 @@ +From afcf0bd5068ee28e9407bd9b44b40fc02fee8780 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 19:59:35 +0100 +Subject: wifi: brcmfmac: keep power during suspend if board requires it + +From: Matthias Proske + +[ Upstream commit 8c3170628a9ce24a59647bd24f897e666af919b8 ] + +After commit 92cadedd9d5f ("brcmfmac: Avoid keeping power to SDIO card +unless WOWL is used"), the wifi adapter by default is turned off on +suspend and then re-probed on resume. + +This conflicts with some embedded boards that require to remain powered. +They will fail on resume with: + +brcmfmac: brcmf_sdio_bus_rxctl: resumed on timeout +ieee80211 phy1: brcmf_bus_started: failed: -110 +ieee80211 phy1: brcmf_attach: dongle is not responding: err=-110 +brcmfmac: brcmf_sdio_firmware_callback: brcmf_attach failed + +This commit checks for the Device Tree property 'cap-power-off-cards'. +If this property is not set, it means that we do not have the capability +to power off and should therefore remain powered. + +Signed-off-by: Matthias Proske +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20250212185941.146958-2-email@matthias-proske.de +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../broadcom/brcm80211/brcmfmac/bcmsdh.c | 20 ++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +index 8a1e337642448..cfdd92564060a 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -1167,6 +1167,7 @@ static int brcmf_ops_sdio_suspend(struct device *dev) + struct brcmf_bus *bus_if; + struct brcmf_sdio_dev *sdiodev; + mmc_pm_flag_t sdio_flags; ++ bool cap_power_off; + int ret = 0; + + func = container_of(dev, struct sdio_func, dev); +@@ -1174,19 +1175,23 @@ static int brcmf_ops_sdio_suspend(struct device *dev) + if (func->num != 1) + return 0; + ++ cap_power_off = !!(func->card->host->caps & MMC_CAP_POWER_OFF_CARD); + + bus_if = dev_get_drvdata(dev); + sdiodev = bus_if->bus_priv.sdio; + +- if (sdiodev->wowl_enabled) { ++ if (sdiodev->wowl_enabled || !cap_power_off) { + brcmf_sdiod_freezer_on(sdiodev); + brcmf_sdio_wd_timer(sdiodev->bus, 0); + + sdio_flags = MMC_PM_KEEP_POWER; +- if (sdiodev->settings->bus.sdio.oob_irq_supported) +- enable_irq_wake(sdiodev->settings->bus.sdio.oob_irq_nr); +- else +- sdio_flags |= MMC_PM_WAKE_SDIO_IRQ; ++ ++ if (sdiodev->wowl_enabled) { ++ if (sdiodev->settings->bus.sdio.oob_irq_supported) ++ enable_irq_wake(sdiodev->settings->bus.sdio.oob_irq_nr); ++ else ++ sdio_flags |= MMC_PM_WAKE_SDIO_IRQ; ++ } + + if (sdio_set_host_pm_flags(sdiodev->func1, sdio_flags)) + brcmf_err("Failed to set pm_flags %x\n", sdio_flags); +@@ -1208,18 +1213,19 @@ static int brcmf_ops_sdio_resume(struct device *dev) + struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio; + struct sdio_func *func = container_of(dev, struct sdio_func, dev); + int ret = 0; ++ bool cap_power_off = !!(func->card->host->caps & MMC_CAP_POWER_OFF_CARD); + + brcmf_dbg(SDIO, "Enter: F%d\n", func->num); + if (func->num != 2) + return 0; + +- if (!sdiodev->wowl_enabled) { ++ if (!sdiodev->wowl_enabled && cap_power_off) { + /* bus was powered off and device removed, probe again */ + ret = brcmf_sdiod_probe(sdiodev); + if (ret) + brcmf_err("Failed to probe device on resume\n"); + } else { +- if (sdiodev->settings->bus.sdio.oob_irq_supported) ++ if (sdiodev->wowl_enabled && sdiodev->settings->bus.sdio.oob_irq_supported) + disable_irq_wake(sdiodev->settings->bus.sdio.oob_irq_nr); + + brcmf_sdiod_freezer_off(sdiodev); +-- +2.39.5 + diff --git a/queue-6.12/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch b/queue-6.12/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch new file mode 100644 index 0000000000..c8062f1cc7 --- /dev/null +++ b/queue-6.12/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch @@ -0,0 +1,140 @@ +From 91b5fc49b804d9868bcad3eb88bcaad5608eb985 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Feb 2025 14:34:45 +0200 +Subject: wifi: iwlwifi: fw: allocate chained SG tables for dump + +From: Johannes Berg + +[ Upstream commit 7774e3920029398ad49dc848b23840593f14d515 ] + +The firmware dumps can be pretty big, and since we use single +pages for each SG table entry, even the table itself may end +up being an order-5 allocation. Build chained tables so that +we need not allocate a higher-order table here. + +This could be improved and cleaned up, e.g. by using the SG +pool code or simply kvmalloc(), but all of that would require +also updating the devcoredump first since that frees it all, +so we need to be more careful. SG pool might also run against +the CONFIG_ARCH_NO_SG_CHAIN limitation, which is irrelevant +here. + +Also use _devcd_free_sgtable() for the error paths now, much +simpler especially since it's in two places now. + +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250209143303.697c7a465ac9.Iea982df46b5c075bfb77ade36f187d99a70c63db@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 86 ++++++++++++++------- + 1 file changed, 58 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index fb2ea38e89aca..6594216f873c4 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -558,41 +558,71 @@ static void iwl_dump_prph(struct iwl_fw_runtime *fwrt, + } + + /* +- * alloc_sgtable - allocates scallerlist table in the given size, +- * fills it with pages and returns it ++ * alloc_sgtable - allocates (chained) scatterlist in the given size, ++ * fills it with pages and returns it + * @size: the size (in bytes) of the table +-*/ +-static struct scatterlist *alloc_sgtable(int size) ++ */ ++static struct scatterlist *alloc_sgtable(ssize_t size) + { +- int alloc_size, nents, i; +- struct page *new_page; +- struct scatterlist *iter; +- struct scatterlist *table; ++ struct scatterlist *result = NULL, *prev; ++ int nents, i, n_prev; + + nents = DIV_ROUND_UP(size, PAGE_SIZE); +- table = kcalloc(nents, sizeof(*table), GFP_KERNEL); +- if (!table) +- return NULL; +- sg_init_table(table, nents); +- iter = table; +- for_each_sg(table, iter, sg_nents(table), i) { +- new_page = alloc_page(GFP_KERNEL); +- if (!new_page) { +- /* release all previous allocated pages in the table */ +- iter = table; +- for_each_sg(table, iter, sg_nents(table), i) { +- new_page = sg_page(iter); +- if (new_page) +- __free_page(new_page); +- } +- kfree(table); ++ ++#define N_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(*result)) ++ /* ++ * We need an additional entry for table chaining, ++ * this ensures the loop can finish i.e. we can ++ * fit at least two entries per page (obviously, ++ * many more really fit.) ++ */ ++ BUILD_BUG_ON(N_ENTRIES_PER_PAGE < 2); ++ ++ while (nents > 0) { ++ struct scatterlist *new, *iter; ++ int n_fill, n_alloc; ++ ++ if (nents <= N_ENTRIES_PER_PAGE) { ++ /* last needed table */ ++ n_fill = nents; ++ n_alloc = nents; ++ nents = 0; ++ } else { ++ /* fill a page with entries */ ++ n_alloc = N_ENTRIES_PER_PAGE; ++ /* reserve one for chaining */ ++ n_fill = n_alloc - 1; ++ nents -= n_fill; ++ } ++ ++ new = kcalloc(n_alloc, sizeof(*new), GFP_KERNEL); ++ if (!new) { ++ if (result) ++ _devcd_free_sgtable(result); + return NULL; + } +- alloc_size = min_t(int, size, PAGE_SIZE); +- size -= PAGE_SIZE; +- sg_set_page(iter, new_page, alloc_size, 0); ++ sg_init_table(new, n_alloc); ++ ++ if (!result) ++ result = new; ++ else ++ sg_chain(prev, n_prev, new); ++ prev = new; ++ n_prev = n_alloc; ++ ++ for_each_sg(new, iter, n_fill, i) { ++ struct page *new_page = alloc_page(GFP_KERNEL); ++ ++ if (!new_page) { ++ _devcd_free_sgtable(result); ++ return NULL; ++ } ++ ++ sg_set_page(iter, new_page, PAGE_SIZE, 0); ++ } + } +- return table; ++ ++ return result; + } + + static void iwl_fw_get_prph_len(struct iwl_fw_runtime *fwrt, +-- +2.39.5 + diff --git a/queue-6.12/wifi-iwlwifi-mvm-use-the-right-version-of-the-rate-a.patch b/queue-6.12/wifi-iwlwifi-mvm-use-the-right-version-of-the-rate-a.patch new file mode 100644 index 0000000000..33eaabdf46 --- /dev/null +++ b/queue-6.12/wifi-iwlwifi-mvm-use-the-right-version-of-the-rate-a.patch @@ -0,0 +1,56 @@ +From 130b7c2e2a9f4b8dd15ac623fb7fd2f34ed7a326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Feb 2025 14:34:50 +0200 +Subject: wifi: iwlwifi: mvm: use the right version of the rate API + +From: Emmanuel Grumbach + +[ Upstream commit a03e2082e678ea10d0d8bdf3ed933eb05a8ddbb0 ] + +The firmware uses the newer version of the API in recent devices. For +older devices, we translate the rate to the new format. +Don't parse the rate with old parsing macros. + +Signed-off-by: Emmanuel Grumbach +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250209143303.13d70cdcbb4e.Ic92193bce4013b70a823cfef250ee79c16cf7c17@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +index 65f8933c34b42..0b52d77f57837 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -995,7 +995,7 @@ iwl_mvm_decode_he_phy_ru_alloc(struct iwl_mvm_rx_phy_data *phy_data, + */ + u8 ru = le32_get_bits(phy_data->d1, IWL_RX_PHY_DATA1_HE_RU_ALLOC_MASK); + u32 rate_n_flags = phy_data->rate_n_flags; +- u32 he_type = rate_n_flags & RATE_MCS_HE_TYPE_MSK_V1; ++ u32 he_type = rate_n_flags & RATE_MCS_HE_TYPE_MSK; + u8 offs = 0; + + rx_status->bw = RATE_INFO_BW_HE_RU; +@@ -1050,13 +1050,13 @@ iwl_mvm_decode_he_phy_ru_alloc(struct iwl_mvm_rx_phy_data *phy_data, + + if (he_mu) + he_mu->flags2 |= +- le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK_V1, ++ le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK, + rate_n_flags), + IEEE80211_RADIOTAP_HE_MU_FLAGS2_BW_FROM_SIG_A_BW); +- else if (he_type == RATE_MCS_HE_TYPE_TRIG_V1) ++ else if (he_type == RATE_MCS_HE_TYPE_TRIG) + he->data6 |= + cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA6_TB_PPDU_BW_KNOWN) | +- le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK_V1, ++ le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK, + rate_n_flags), + IEEE80211_RADIOTAP_HE_DATA6_TB_PPDU_BW); + } +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-cleanup-sta-txqs-on-flush.patch b/queue-6.12/wifi-mac80211-cleanup-sta-txqs-on-flush.patch new file mode 100644 index 0000000000..b0215befda --- /dev/null +++ b/queue-6.12/wifi-mac80211-cleanup-sta-txqs-on-flush.patch @@ -0,0 +1,50 @@ +From c332b91454bb43e93fcebf7a5a9a07175c9b5ddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2025 13:31:29 +0100 +Subject: wifi: mac80211: Cleanup sta TXQs on flush + +From: Alexander Wetzel + +[ Upstream commit 5b999006e35ea9c11116ddff7e375b256421d0af ] + +Drop the sta TXQs on flush when the drivers is not supporting +flush. + +ieee80211_set_disassoc() tries to clean up everything for the sta. +But it ignored queued frames in the sta TX queues when the driver +isn't supporting the flush driver ops. + +Signed-off-by: Alexander Wetzel +Link: https://patch.msgid.link/20250204123129.9162-1-Alexander@wetzel-home.de +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/util.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 2b6e8e7307ee5..a98ae563613c0 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -685,7 +685,7 @@ void __ieee80211_flush_queues(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + unsigned int queues, bool drop) + { +- if (!local->ops->flush) ++ if (!local->ops->flush && !drop) + return; + + /* +@@ -712,7 +712,8 @@ void __ieee80211_flush_queues(struct ieee80211_local *local, + } + } + +- drv_flush(local, sdata, queues, drop); ++ if (local->ops->flush) ++ drv_flush(local, sdata, queues, drop); + + ieee80211_wake_queues_by_reason(&local->hw, queues, + IEEE80211_QUEUE_STOP_REASON_FLUSH, +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-fix-sa-query-processing-in-mlo.patch b/queue-6.12/wifi-mac80211-fix-sa-query-processing-in-mlo.patch new file mode 100644 index 0000000000..9851e026ce --- /dev/null +++ b/queue-6.12/wifi-mac80211-fix-sa-query-processing-in-mlo.patch @@ -0,0 +1,63 @@ +From d21ade1b98e6970a0962cf22138dc50b30ee73b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 12:37:58 +0200 +Subject: wifi: mac80211: fix SA Query processing in MLO + +From: Johannes Berg + +[ Upstream commit 9a267ce4a3fca93a34a8881046f97bcf472228c8 ] + +When MLO is used and SA Query processing isn't done by +userspace (e.g. wpa_supplicant w/o CONFIG_OCV), then +the mac80211 code kicks in but uses the wrong addresses. +Fix them. + +Signed-off-by: Johannes Berg +Reviewed-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250306123626.bab48bb49061.I9391b22f1360d20ac8c4e92604de23f27696ba8f@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 6f3a86040cfcd..8e1fbdd3bff10 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -6,7 +6,7 @@ + * Copyright 2007-2010 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright(c) 2015 - 2017 Intel Deutschland GmbH +- * Copyright (C) 2018-2024 Intel Corporation ++ * Copyright (C) 2018-2025 Intel Corporation + */ + + #include +@@ -3323,8 +3323,8 @@ static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, + return; + } + +- if (!ether_addr_equal(mgmt->sa, sdata->deflink.u.mgd.bssid) || +- !ether_addr_equal(mgmt->bssid, sdata->deflink.u.mgd.bssid)) { ++ if (!ether_addr_equal(mgmt->sa, sdata->vif.cfg.ap_addr) || ++ !ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr)) { + /* Not from the current AP or not associated yet. */ + return; + } +@@ -3340,9 +3340,9 @@ static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, + + skb_reserve(skb, local->hw.extra_tx_headroom); + resp = skb_put_zero(skb, 24); +- memcpy(resp->da, mgmt->sa, ETH_ALEN); ++ memcpy(resp->da, sdata->vif.cfg.ap_addr, ETH_ALEN); + memcpy(resp->sa, sdata->vif.addr, ETH_ALEN); +- memcpy(resp->bssid, sdata->deflink.u.mgd.bssid, ETH_ALEN); ++ memcpy(resp->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN); + resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | + IEEE80211_STYPE_ACTION); + skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query)); +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-flush-the-station-before-moving-it-to-.patch b/queue-6.12/wifi-mac80211-flush-the-station-before-moving-it-to-.patch new file mode 100644 index 0000000000..f98e588b4c --- /dev/null +++ b/queue-6.12/wifi-mac80211-flush-the-station-before-moving-it-to-.patch @@ -0,0 +1,78 @@ +From c92c1cd391fcf9035c37171286c3ca19cc6235b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 12:37:55 +0200 +Subject: wifi: mac80211: flush the station before moving it to UN-AUTHORIZED + state + +From: Emmanuel Grumbach + +[ Upstream commit 43e04077170799d0e6289f3e928f727e401b3d79 ] + +We first want to flush the station to make sure we no longer have any +frames being Tx by the station before the station is moved to +un-authorized state. Failing to do that will lead to races: a frame may +be sent after the station's state has been changed. + +Since the API clearly states that the driver can't fail the sta_state() +transition down the list of state, we can easily flush the station +first, and only then call the driver's sta_state(). + +Signed-off-by: Emmanuel Grumbach +Reviewed-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250306123626.450bc40e8b04.I636ba96843c77f13309c15c9fd6eb0c5a52a7976@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index aa22f09e6d145..49095f19a0f22 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -4,7 +4,7 @@ + * Copyright 2006-2007 Jiri Benc + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright (C) 2015 - 2017 Intel Deutschland GmbH +- * Copyright (C) 2018-2023 Intel Corporation ++ * Copyright (C) 2018-2024 Intel Corporation + */ + + #include +@@ -1317,9 +1317,13 @@ static int _sta_info_move_state(struct sta_info *sta, + sta->sta.addr, new_state); + + /* notify the driver before the actual changes so it can +- * fail the transition ++ * fail the transition if the state is increasing. ++ * The driver is required not to fail when the transition ++ * is decreasing the state, so first, do all the preparation ++ * work and only then, notify the driver. + */ +- if (test_sta_flag(sta, WLAN_STA_INSERTED)) { ++ if (new_state > sta->sta_state && ++ test_sta_flag(sta, WLAN_STA_INSERTED)) { + int err = drv_sta_state(sta->local, sta->sdata, sta, + sta->sta_state, new_state); + if (err) +@@ -1395,6 +1399,16 @@ static int _sta_info_move_state(struct sta_info *sta, + break; + } + ++ if (new_state < sta->sta_state && ++ test_sta_flag(sta, WLAN_STA_INSERTED)) { ++ int err = drv_sta_state(sta->local, sta->sdata, sta, ++ sta->sta_state, new_state); ++ ++ WARN_ONCE(err, ++ "Driver is not allowed to fail if the sta_state is transitioning down the list: %d\n", ++ err); ++ } ++ + sta->sta_state = new_state; + + return 0; +-- +2.39.5 + diff --git a/queue-6.12/wifi-mac80211-remove-debugfs-dir-for-virtual-monitor.patch b/queue-6.12/wifi-mac80211-remove-debugfs-dir-for-virtual-monitor.patch new file mode 100644 index 0000000000..03644374d1 --- /dev/null +++ b/queue-6.12/wifi-mac80211-remove-debugfs-dir-for-virtual-monitor.patch @@ -0,0 +1,78 @@ +From 898b9236e76977531cf2599dbad614263f2ed88f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2025 17:42:40 +0100 +Subject: wifi: mac80211: remove debugfs dir for virtual monitor + +From: Alexander Wetzel + +[ Upstream commit 646262c71aca87bb66945933abe4e620796d6c5a ] + +Don't call ieee80211_debugfs_recreate_netdev() for virtual monitor +interface when deleting it. + +The virtual monitor interface shouldn't have debugfs entries and trying +to update them will *create* them on deletion. + +And when the virtual monitor interface is created/destroyed multiple +times we'll get warnings about debugfs name conflicts. + +Signed-off-by: Alexander Wetzel +Link: https://patch.msgid.link/20250204164240.370153-1-Alexander@wetzel-home.de +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.c | 10 ++++++++-- + net/mac80211/iface.c | 11 ++++++----- + 2 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c +index fe868b5216220..9b7d099948207 100644 +--- a/net/mac80211/driver-ops.c ++++ b/net/mac80211/driver-ops.c +@@ -115,8 +115,14 @@ void drv_remove_interface(struct ieee80211_local *local, + + sdata->flags &= ~IEEE80211_SDATA_IN_DRIVER; + +- /* Remove driver debugfs entries */ +- ieee80211_debugfs_recreate_netdev(sdata, sdata->vif.valid_links); ++ /* ++ * Remove driver debugfs entries. ++ * The virtual monitor interface doesn't get a debugfs ++ * entry, so it's exempt here. ++ */ ++ if (sdata != local->monitor_sdata) ++ ieee80211_debugfs_recreate_netdev(sdata, ++ sdata->vif.valid_links); + + trace_drv_remove_interface(local, sdata); + local->ops->remove_interface(&local->hw, &sdata->vif); +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index af9055252e6df..8bbfa45e1796d 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1205,16 +1205,17 @@ void ieee80211_del_virtual_monitor(struct ieee80211_local *local) + return; + } + +- RCU_INIT_POINTER(local->monitor_sdata, NULL); +- mutex_unlock(&local->iflist_mtx); +- +- synchronize_net(); +- ++ clear_bit(SDATA_STATE_RUNNING, &sdata->state); + ieee80211_link_release_channel(&sdata->deflink); + + if (ieee80211_hw_check(&local->hw, WANT_MONITOR_VIF)) + drv_remove_interface(local, sdata); + ++ RCU_INIT_POINTER(local->monitor_sdata, NULL); ++ mutex_unlock(&local->iflist_mtx); ++ ++ synchronize_net(); ++ + kfree(sdata); + } + +-- +2.39.5 + diff --git a/queue-6.12/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch b/queue-6.12/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch new file mode 100644 index 0000000000..7e39ed85ae --- /dev/null +++ b/queue-6.12/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch @@ -0,0 +1,69 @@ +From 3a99dd58e1909b3f07d043f58f690c0473dd3028 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 03:01:23 +0100 +Subject: x86/dumpstack: Fix inaccurate unwinding from exception stacks due to + misplaced assignment + +From: Jann Horn + +[ Upstream commit 2c118f50d7fd4d9aefc4533a26f83338b2906b7a ] + +Commit: + + 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again") + +was intended to ensure alignment of the stack pointer; but it also moved +the initialization of the "stack" variable down into the loop header. + +This was likely intended as a no-op cleanup, since the commit +message does not mention it; however, this caused a behavioral change +because the value of "regs" is different between the two places. + +Originally, get_stack_pointer() used the regs provided by the caller; after +that commit, get_stack_pointer() instead uses the regs at the top of the +stack frame the unwinder is looking at. Often, there are no such regs at +all, and "regs" is NULL, causing get_stack_pointer() to fall back to the +task's current stack pointer, which is not what we want here, but probably +happens to mostly work. Other times, the original regs will point to +another regs frame - in that case, the linear guess unwind logic in +show_trace_log_lvl() will start unwinding too far up the stack, causing the +first frame found by the proper unwinder to never be visited, resulting in +a stack trace consisting purely of guess lines. + +Fix it by moving the "stack = " assignment back where it belongs. + +Fixes: 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again") +Signed-off-by: Jann Horn +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-2-acd774364768@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/dumpstack.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c +index a7d562697e50e..b2b118a8c09be 100644 +--- a/arch/x86/kernel/dumpstack.c ++++ b/arch/x86/kernel/dumpstack.c +@@ -195,6 +195,7 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs, + printk("%sCall Trace:\n", log_lvl); + + unwind_start(&state, task, regs, stack); ++ stack = stack ?: get_stack_pointer(task, regs); + regs = unwind_get_entry_regs(&state, &partial); + + /* +@@ -213,9 +214,7 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs, + * - hardirq stack + * - entry stack + */ +- for (stack = stack ?: get_stack_pointer(task, regs); +- stack; +- stack = stack_info.next_sp) { ++ for (; stack; stack = stack_info.next_sp) { + const char *stack_name; + + stack = PTR_ALIGN(stack, sizeof(long)); +-- +2.39.5 + diff --git a/queue-6.12/x86-entry-add-__init-to-ia32_emulation_override_cmdl.patch b/queue-6.12/x86-entry-add-__init-to-ia32_emulation_override_cmdl.patch new file mode 100644 index 0000000000..265fce7456 --- /dev/null +++ b/queue-6.12/x86-entry-add-__init-to-ia32_emulation_override_cmdl.patch @@ -0,0 +1,41 @@ +From c8890d3ecc02aa250ad7c9f4494f1f93ea0ac4b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 16:16:50 +0100 +Subject: x86/entry: Add __init to ia32_emulation_override_cmdline() + +From: Vitaly Kuznetsov + +[ Upstream commit d55f31e29047f2f987286d55928ae75775111fe7 ] + +ia32_emulation_override_cmdline() is an early_param() arg and these +are only needed at boot time. In fact, all other early_param() functions +in arch/x86 seem to have '__init' annotation and +ia32_emulation_override_cmdline() is the only exception. + +Fixes: a11e097504ac ("x86: Make IA32_EMULATION boot time configurable") +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Dave Hansen +Signed-off-by: Ingo Molnar +Reviewed-by: Nikolay Borisov +Link: https://lore.kernel.org/all/20241210151650.1746022-1-vkuznets%40redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/entry/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c +index 94941c5a10ac1..51efd2da4d7fd 100644 +--- a/arch/x86/entry/common.c ++++ b/arch/x86/entry/common.c +@@ -142,7 +142,7 @@ static __always_inline int syscall_32_enter(struct pt_regs *regs) + #ifdef CONFIG_IA32_EMULATION + bool __ia32_enabled __ro_after_init = !IS_ENABLED(CONFIG_IA32_EMULATION_DEFAULT_DISABLED); + +-static int ia32_emulation_override_cmdline(char *arg) ++static int __init ia32_emulation_override_cmdline(char *arg) + { + return kstrtobool(arg, &__ia32_enabled); + } +-- +2.39.5 + diff --git a/queue-6.12/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch b/queue-6.12/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch new file mode 100644 index 0000000000..59663a7bc3 --- /dev/null +++ b/queue-6.12/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch @@ -0,0 +1,55 @@ +From 8b7bb29e88d7449cffc9022aa0ebdc3c42f7ebfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 03:01:22 +0100 +Subject: x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 + +From: Jann Horn + +[ Upstream commit 57e2428f8df8263275344566e02c277648a4b7f1 ] + +PUSH_REGS with save_ret=1 is used by interrupt entry helper functions that +initially start with a UNWIND_HINT_FUNC ORC state. + +However, save_ret=1 means that we clobber the helper function's return +address (and then later restore the return address further down on the +stack); after that point, the only thing on the stack we can unwind through +is the IRET frame, so use UNWIND_HINT_IRET_REGS until we have a full +pt_regs frame. + +( An alternate approach would be to move the pt_regs->di overwrite down + such that it is the final step of pt_regs setup; but I don't want to + rearrange entry code just to make unwinding a tiny bit more elegant. ) + +Fixes: 9e809d15d6b6 ("x86/entry: Reduce the code footprint of the 'idtentry' macro") +Signed-off-by: Jann Horn +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: Brian Gerst +Cc: Juergen Gross +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Kees Cook +Cc: Peter Zijlstra +Cc: Josh Poimboeuf +Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-1-acd774364768@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/entry/calling.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h +index ea81770629eea..626a81c6015bd 100644 +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -70,6 +70,8 @@ For 32-bit we have the following conventions - kernel is built with + pushq %rsi /* pt_regs->si */ + movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */ + movq %rdi, 8(%rsp) /* pt_regs->di (overwriting original return address) */ ++ /* We just clobbered the return address - use the IRET frame for unwinding: */ ++ UNWIND_HINT_IRET_REGS offset=3*8 + .else + pushq %rdi /* pt_regs->di */ + pushq %rsi /* pt_regs->si */ +-- +2.39.5 + diff --git a/queue-6.12/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch b/queue-6.12/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch new file mode 100644 index 0000000000..a9b2f4b4ec --- /dev/null +++ b/queue-6.12/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch @@ -0,0 +1,57 @@ +From da95a53ca6ee8e8ef0e7cc100dc3f2275a562885 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 14:31:36 +0100 +Subject: x86/fpu: Avoid copying dynamic FP state from init_task in + arch_dup_task_struct() + +From: Benjamin Berg + +[ Upstream commit 5d3b81d4d8520efe888536b6906dc10fd1a228a8 ] + +The init_task instance of struct task_struct is statically allocated and +may not contain the full FP state for userspace. As such, limit the copy +to the valid area of both init_task and 'dst' and ensure all memory is +initialized. + +Note that the FP state is only needed for userspace, and as such it is +entirely reasonable for init_task to not contain parts of it. + +Fixes: 5aaeb5c01c5b ("x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86") +Signed-off-by: Benjamin Berg +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: H. Peter Anvin +Cc: Oleg Nesterov +Link: https://lore.kernel.org/r/20250226133136.816901-1-benjamin@sipsolutions.net +---- + +v2: +- Fix code if arch_task_struct_size < sizeof(init_task) by using + memcpy_and_pad. + +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/process.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index 15507e739c255..e42db0de02920 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -92,7 +92,12 @@ EXPORT_PER_CPU_SYMBOL_GPL(__tss_limit_invalid); + */ + int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src) + { +- memcpy(dst, src, arch_task_struct_size); ++ /* init_task is not dynamically sized (incomplete FPU state) */ ++ if (unlikely(src == &init_task)) ++ memcpy_and_pad(dst, arch_task_struct_size, src, sizeof(init_task), 0); ++ else ++ memcpy(dst, src, arch_task_struct_size); ++ + #ifdef CONFIG_VM86 + dst->thread.vm86 = NULL; + #endif +-- +2.39.5 + diff --git a/queue-6.12/x86-fpu-fix-guest-fpu-state-buffer-allocation-size.patch b/queue-6.12/x86-fpu-fix-guest-fpu-state-buffer-allocation-size.patch new file mode 100644 index 0000000000..121c430e6c --- /dev/null +++ b/queue-6.12/x86-fpu-fix-guest-fpu-state-buffer-allocation-size.patch @@ -0,0 +1,49 @@ +From 68e3b4a169f9010a664bb968b6d3e83fd9b23738 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 14:10:45 +0000 +Subject: x86/fpu: Fix guest FPU state buffer allocation size + +From: Stanislav Spassov + +[ Upstream commit 1937e18cc3cf27e2b3ef70e8c161437051ab7608 ] + +Ongoing work on an optimization to batch-preallocate vCPU state buffers +for KVM revealed a mismatch between the allocation sizes used in +fpu_alloc_guest_fpstate() and fpstate_realloc(). While the former +allocates a buffer sized to fit the default set of XSAVE features +in UABI form (as per fpu_user_cfg), the latter uses its ksize argument +derived (for the requested set of features) in the same way as the sizes +found in fpu_kernel_cfg, i.e. using the compacted in-kernel +representation. + +The correct size to use for guest FPU state should indeed be the +kernel one as seen in fpstate_realloc(). The original issue likely +went unnoticed through a combination of UABI size typically being +larger than or equal to kernel size, and/or both amounting to the +same number of allocated 4K pages. + +Fixes: 69f6ed1d14c6 ("x86/fpu: Provide infrastructure for KVM FPU cleanup") +Signed-off-by: Stanislav Spassov +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20250218141045.85201-1-stanspas@amazon.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/fpu/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c +index 1209c7aebb211..36df548acc403 100644 +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -220,7 +220,7 @@ bool fpu_alloc_guest_fpstate(struct fpu_guest *gfpu) + struct fpstate *fpstate; + unsigned int size; + +- size = fpu_user_cfg.default_size + ALIGN(offsetof(struct fpstate, regs), 64); ++ size = fpu_kernel_cfg.default_size + ALIGN(offsetof(struct fpstate, regs), 64); + fpstate = vzalloc(size); + if (!fpstate) + return false; +-- +2.39.5 + diff --git a/queue-6.12/x86-fpu-xstate-fix-inconsistencies-in-guest-fpu-xfea.patch b/queue-6.12/x86-fpu-xstate-fix-inconsistencies-in-guest-fpu-xfea.patch new file mode 100644 index 0000000000..261a219ee1 --- /dev/null +++ b/queue-6.12/x86-fpu-xstate-fix-inconsistencies-in-guest-fpu-xfea.patch @@ -0,0 +1,86 @@ +From e1814e1998cae409ab6bf2381ea04a28f8695e87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Mar 2025 22:06:11 +0800 +Subject: x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures + +From: Chao Gao + +[ Upstream commit dda366083e5ff307a4a728757db874bbfe7550be ] + +Guest FPUs manage vCPU FPU states. They are allocated via +fpu_alloc_guest_fpstate() and are resized in fpstate_realloc() when XFD +features are enabled. + +Since the introduction of guest FPUs, there have been inconsistencies in +the kernel buffer size and xfeatures: + + 1. fpu_alloc_guest_fpstate() uses fpu_user_cfg since its introduction. See: + + 69f6ed1d14c6 ("x86/fpu: Provide infrastructure for KVM FPU cleanup") + 36487e6228c4 ("x86/fpu: Prepare guest FPU for dynamically enabled FPU features") + + 2. __fpstate_reset() references fpu_kernel_cfg to set storage attributes. + + 3. fpu->guest_perm uses fpu_kernel_cfg, affecting fpstate_realloc(). + +A recent commit in the tip:x86/fpu tree partially addressed the inconsistency +between (1) and (3) by using fpu_kernel_cfg for size calculation in (1), +but left fpu_guest->xfeatures and fpu_guest->perm still referencing +fpu_user_cfg: + + https://lore.kernel.org/all/20250218141045.85201-1-stanspas@amazon.de/ + + 1937e18cc3cf ("x86/fpu: Fix guest FPU state buffer allocation size") + +The inconsistencies within fpu_alloc_guest_fpstate() and across the +mentioned functions cause confusion. + +Fix them by using fpu_kernel_cfg consistently in fpu_alloc_guest_fpstate(), +except for fields related to the UABI buffer. Referencing fpu_kernel_cfg +won't impact functionalities, as: + + 1. fpu_guest->perm is overwritten shortly in fpu_init_guest_permissions() + with fpstate->guest_perm, which already uses fpu_kernel_cfg. + + 2. fpu_guest->xfeatures is solely used to check if XFD features are enabled. + Including supervisor xfeatures doesn't affect the check. + +Fixes: 36487e6228c4 ("x86/fpu: Prepare guest FPU for dynamically enabled FPU features") +Suggested-by: Chang S. Bae +Signed-off-by: Chao Gao +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Oleg Nesterov +Cc: Dave Hansen +Cc: Juergen Gross +Cc: Stefano Stabellini +Cc: Paolo Bonzini +Cc: Vitaly Kuznetsov +Cc: Sean Christopherson +Cc: David Woodhouse +Link: https://lore.kernel.org/r/20250317140613.1761633-1-chao.gao@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/fpu/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c +index 36df548acc403..dcac3c058fb76 100644 +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -232,8 +232,8 @@ bool fpu_alloc_guest_fpstate(struct fpu_guest *gfpu) + fpstate->is_guest = true; + + gfpu->fpstate = fpstate; +- gfpu->xfeatures = fpu_user_cfg.default_features; +- gfpu->perm = fpu_user_cfg.default_features; ++ gfpu->xfeatures = fpu_kernel_cfg.default_features; ++ gfpu->perm = fpu_kernel_cfg.default_features; + + /* + * KVM sets the FP+SSE bits in the XSAVE header when copying FPU state +-- +2.39.5 + diff --git a/queue-6.12/x86-hyperv-fix-output-argument-to-hypercall-that-cha.patch b/queue-6.12/x86-hyperv-fix-output-argument-to-hypercall-that-cha.patch new file mode 100644 index 0000000000..efc295e63f --- /dev/null +++ b/queue-6.12/x86-hyperv-fix-output-argument-to-hypercall-that-cha.patch @@ -0,0 +1,53 @@ +From 1d0a317f2861d26d5551005ef6bbba1a7744bec7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 12:06:06 -0800 +Subject: x86/hyperv: Fix output argument to hypercall that changes page + visibility + +From: Michael Kelley + +[ Upstream commit 09beefefb57bbc3a06d98f319d85db4d719d7bcb ] + +The hypercall in hv_mark_gpa_visibility() is invoked with an input +argument and an output argument. The output argument ostensibly returns +the number of pages that were processed. But in fact, the hypercall does +not provide any output, so the output argument is spurious. + +The spurious argument is harmless because Hyper-V ignores it, but in the +interest of correctness and to avoid the potential for future problems, +remove it. + +Signed-off-by: Michael Kelley +Reviewed-by: Nuno Das Neves +Link: https://lore.kernel.org/r/20250226200612.2062-2-mhklinux@outlook.com +Signed-off-by: Wei Liu +Message-ID: <20250226200612.2062-2-mhklinux@outlook.com> +Signed-off-by: Sasha Levin +--- + arch/x86/hyperv/ivm.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/x86/hyperv/ivm.c b/arch/x86/hyperv/ivm.c +index 60fc3ed728304..aa8befc4d9013 100644 +--- a/arch/x86/hyperv/ivm.c ++++ b/arch/x86/hyperv/ivm.c +@@ -465,7 +465,6 @@ static int hv_mark_gpa_visibility(u16 count, const u64 pfn[], + enum hv_mem_host_visibility visibility) + { + struct hv_gpa_range_for_visibility *input; +- u16 pages_processed; + u64 hv_status; + unsigned long flags; + +@@ -494,7 +493,7 @@ static int hv_mark_gpa_visibility(u16 count, const u64 pfn[], + memcpy((void *)input->gpa_page_list, pfn, count * sizeof(*pfn)); + hv_status = hv_do_rep_hypercall( + HVCALL_MODIFY_SPARSE_GPA_PAGE_HOST_VISIBILITY, count, +- 0, input, &pages_processed); ++ 0, input, NULL); + local_irq_restore(flags); + + if (hv_result_success(hv_status)) +-- +2.39.5 + diff --git a/queue-6.12/x86-hyperv-vtl-stop-kernel-from-probing-vtl0-low-mem.patch b/queue-6.12/x86-hyperv-vtl-stop-kernel-from-probing-vtl0-low-mem.patch new file mode 100644 index 0000000000..260b4fba27 --- /dev/null +++ b/queue-6.12/x86-hyperv-vtl-stop-kernel-from-probing-vtl0-low-mem.patch @@ -0,0 +1,44 @@ +From 791aab28867ab1cd63a57e76b03125eb2dc4a21e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 06:12:24 +0000 +Subject: x86/hyperv/vtl: Stop kernel from probing VTL0 low memory + +From: Naman Jain + +[ Upstream commit 59115e2e25f42924181055ed7cc1d123af7598b7 ] + +For Linux, running in Hyper-V VTL (Virtual Trust Level), kernel in VTL2 +tries to access VTL0 low memory in probe_roms. This memory is not +described in the e820 map. Initialize probe_roms call to no-ops +during boot for VTL2 kernel to avoid this. The issue got identified +in OpenVMM which detects invalid accesses initiated from kernel running +in VTL2. + +Co-developed-by: Saurabh Sengar +Signed-off-by: Saurabh Sengar +Signed-off-by: Naman Jain +Tested-by: Roman Kisel +Reviewed-by: Roman Kisel +Link: https://lore.kernel.org/r/20250116061224.1701-1-namjain@linux.microsoft.com +Signed-off-by: Wei Liu +Message-ID: <20250116061224.1701-1-namjain@linux.microsoft.com> +Signed-off-by: Sasha Levin +--- + arch/x86/hyperv/hv_vtl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/hyperv/hv_vtl.c b/arch/x86/hyperv/hv_vtl.c +index 04775346369c5..d04ccd4b3b4af 100644 +--- a/arch/x86/hyperv/hv_vtl.c ++++ b/arch/x86/hyperv/hv_vtl.c +@@ -30,6 +30,7 @@ void __init hv_vtl_init_platform(void) + x86_platform.realmode_init = x86_init_noop; + x86_init.irqs.pre_vector_init = x86_init_noop; + x86_init.timers.timer_init = x86_init_noop; ++ x86_init.resources.probe_roms = x86_init_noop; + + /* Avoid searching for BIOS MP tables */ + x86_init.mpparse.find_mptable = x86_init_noop; +-- +2.39.5 + diff --git a/queue-6.12/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch b/queue-6.12/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch new file mode 100644 index 0000000000..bb4d0e726b --- /dev/null +++ b/queue-6.12/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch @@ -0,0 +1,40 @@ +From 7e673d8d7c171dfe1285a1a1724f3d0425effd08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jan 2025 09:47:25 +0200 +Subject: x86/mm/pat: cpa-test: fix length for CPA_ARRAY test + +From: Mike Rapoport (Microsoft) + +[ Upstream commit 33ea120582a638b2f2e380a50686c2b1d7cce795 ] + +The CPA_ARRAY test always uses len[1] as numpages argument to +change_page_attr_set() although the addresses array is different each +iteration of the test loop. + +Replace len[1] with len[i] to have numpages matching the addresses array. + +Fixes: ecc729f1f471 ("x86/mm/cpa: Add ARRAY and PAGES_ARRAY selftests") +Signed-off-by: "Mike Rapoport (Microsoft)" +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20250126074733.1384926-2-rppt@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pat/cpa-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/mm/pat/cpa-test.c b/arch/x86/mm/pat/cpa-test.c +index 3d2f7f0a6ed14..ad3c1feec990d 100644 +--- a/arch/x86/mm/pat/cpa-test.c ++++ b/arch/x86/mm/pat/cpa-test.c +@@ -183,7 +183,7 @@ static int pageattr_test(void) + break; + + case 1: +- err = change_page_attr_set(addrs, len[1], PAGE_CPA_TEST, 1); ++ err = change_page_attr_set(addrs, len[i], PAGE_CPA_TEST, 1); + break; + + case 2: +-- +2.39.5 + diff --git a/queue-6.12/x86-mm-pat-fix-vm_pat-handling-when-fork-fails-in-co.patch b/queue-6.12/x86-mm-pat-fix-vm_pat-handling-when-fork-fails-in-co.patch new file mode 100644 index 0000000000..479c2cfd1b --- /dev/null +++ b/queue-6.12/x86-mm-pat-fix-vm_pat-handling-when-fork-fails-in-co.patch @@ -0,0 +1,297 @@ +From 5423e8a34558e4031b78e21e5589e381a3a720ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 12:23:23 +0100 +Subject: x86/mm/pat: Fix VM_PAT handling when fork() fails in + copy_page_range() + +From: David Hildenbrand + +[ Upstream commit dc84bc2aba85a1508f04a936f9f9a15f64ebfb31 ] + +If track_pfn_copy() fails, we already added the dst VMA to the maple +tree. As fork() fails, we'll cleanup the maple tree, and stumble over +the dst VMA for which we neither performed any reservation nor copied +any page tables. + +Consequently untrack_pfn() will see VM_PAT and try obtaining the +PAT information from the page table -- which fails because the page +table was not copied. + +The easiest fix would be to simply clear the VM_PAT flag of the dst VMA +if track_pfn_copy() fails. However, the whole thing is about "simply" +clearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy() +and performed a reservation, but copying the page tables fails, we'll +simply clear the VM_PAT flag, not properly undoing the reservation ... +which is also wrong. + +So let's fix it properly: set the VM_PAT flag only if the reservation +succeeded (leaving it clear initially), and undo the reservation if +anything goes wrong while copying the page tables: clearing the VM_PAT +flag after undoing the reservation. + +Note that any copied page table entries will get zapped when the VMA will +get removed later, after copy_page_range() succeeded; as VM_PAT is not set +then, we won't try cleaning VM_PAT up once more and untrack_pfn() will be +happy. Note that leaving these page tables in place without a reservation +is not a problem, as we are aborting fork(); this process will never run. + +A reproducer can trigger this usually at the first try: + + https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c + + WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110 + Modules linked in: ... + CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 + RIP: 0010:get_pat_info+0xf6/0x110 + ... + Call Trace: + + ... + untrack_pfn+0x52/0x110 + unmap_single_vma+0xa6/0xe0 + unmap_vmas+0x105/0x1f0 + exit_mmap+0xf6/0x460 + __mmput+0x4b/0x120 + copy_process+0x1bf6/0x2aa0 + kernel_clone+0xab/0x440 + __do_sys_clone+0x66/0x90 + do_syscall_64+0x95/0x180 + +Likely this case was missed in: + + d155df53f310 ("x86/mm/pat: clear VM_PAT if copy_p4d_range failed") + +... and instead of undoing the reservation we simply cleared the VM_PAT flag. + +Keep the documentation of these functions in include/linux/pgtable.h, +one place is more than sufficient -- we should clean that up for the other +functions like track_pfn_remap/untrack_pfn separately. + +Fixes: d155df53f310 ("x86/mm/pat: clear VM_PAT if copy_p4d_range failed") +Fixes: 2ab640379a0a ("x86: PAT: hooks in generic vm code to help archs to track pfnmap regions - v3") +Reported-by: xingwei lee +Reported-by: yuxin wang +Reported-by: Marius Fleischer +Signed-off-by: David Hildenbrand +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: Peter Zijlstra +Cc: Rik van Riel +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Cc: Andrew Morton +Cc: linux-mm@kvack.org +Link: https://lore.kernel.org/r/20250321112323.153741-1-david@redhat.com +Closes: https://lore.kernel.org/lkml/CABOYnLx_dnqzpCW99G81DmOr+2UzdmZMk=T3uxwNxwz+R1RAwg@mail.gmail.com/ +Closes: https://lore.kernel.org/lkml/CAJg=8jwijTP5fre8woS4JVJQ8iUA6v+iNcsOgtj9Zfpc3obDOQ@mail.gmail.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pat/memtype.c | 52 +++++++++++++++++++++------------------ + include/linux/pgtable.h | 28 ++++++++++++++++----- + kernel/fork.c | 4 +++ + mm/memory.c | 11 +++------ + 4 files changed, 58 insertions(+), 37 deletions(-) + +diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c +index feb8cc6a12bf2..d721cc19addbd 100644 +--- a/arch/x86/mm/pat/memtype.c ++++ b/arch/x86/mm/pat/memtype.c +@@ -984,29 +984,42 @@ static int get_pat_info(struct vm_area_struct *vma, resource_size_t *paddr, + return -EINVAL; + } + +-/* +- * track_pfn_copy is called when vma that is covering the pfnmap gets +- * copied through copy_page_range(). +- * +- * If the vma has a linear pfn mapping for the entire range, we get the prot +- * from pte and reserve the entire vma range with single reserve_pfn_range call. +- */ +-int track_pfn_copy(struct vm_area_struct *vma) ++int track_pfn_copy(struct vm_area_struct *dst_vma, ++ struct vm_area_struct *src_vma, unsigned long *pfn) + { ++ const unsigned long vma_size = src_vma->vm_end - src_vma->vm_start; + resource_size_t paddr; +- unsigned long vma_size = vma->vm_end - vma->vm_start; + pgprot_t pgprot; ++ int rc; + +- if (vma->vm_flags & VM_PAT) { +- if (get_pat_info(vma, &paddr, &pgprot)) +- return -EINVAL; +- /* reserve the whole chunk covered by vma. */ +- return reserve_pfn_range(paddr, vma_size, &pgprot, 1); +- } ++ if (!(src_vma->vm_flags & VM_PAT)) ++ return 0; ++ ++ /* ++ * Duplicate the PAT information for the dst VMA based on the src ++ * VMA. ++ */ ++ if (get_pat_info(src_vma, &paddr, &pgprot)) ++ return -EINVAL; ++ rc = reserve_pfn_range(paddr, vma_size, &pgprot, 1); ++ if (rc) ++ return rc; + ++ /* Reservation for the destination VMA succeeded. */ ++ vm_flags_set(dst_vma, VM_PAT); ++ *pfn = PHYS_PFN(paddr); + return 0; + } + ++void untrack_pfn_copy(struct vm_area_struct *dst_vma, unsigned long pfn) ++{ ++ untrack_pfn(dst_vma, pfn, dst_vma->vm_end - dst_vma->vm_start, true); ++ /* ++ * Reservation was freed, any copied page tables will get cleaned ++ * up later, but without getting PAT involved again. ++ */ ++} ++ + /* + * prot is passed in as a parameter for the new mapping. If the vma has + * a linear pfn mapping for the entire range, or no vma is provided, +@@ -1095,15 +1108,6 @@ void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn, + } + } + +-/* +- * untrack_pfn_clear is called if the following situation fits: +- * +- * 1) while mremapping a pfnmap for a new region, with the old vma after +- * its pfnmap page table has been removed. The new vma has a new pfnmap +- * to the same pfn & cache type with VM_PAT set. +- * 2) while duplicating vm area, the new vma fails to copy the pgtable from +- * old vma. +- */ + void untrack_pfn_clear(struct vm_area_struct *vma) + { + vm_flags_clear(vma, VM_PAT); +diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h +index e8b2ac6bd2ae3..8df030ebd8628 100644 +--- a/include/linux/pgtable.h ++++ b/include/linux/pgtable.h +@@ -1518,14 +1518,25 @@ static inline void track_pfn_insert(struct vm_area_struct *vma, pgprot_t *prot, + } + + /* +- * track_pfn_copy is called when vma that is covering the pfnmap gets +- * copied through copy_page_range(). ++ * track_pfn_copy is called when a VM_PFNMAP VMA is about to get the page ++ * tables copied during copy_page_range(). On success, stores the pfn to be ++ * passed to untrack_pfn_copy(). + */ +-static inline int track_pfn_copy(struct vm_area_struct *vma) ++static inline int track_pfn_copy(struct vm_area_struct *dst_vma, ++ struct vm_area_struct *src_vma, unsigned long *pfn) + { + return 0; + } + ++/* ++ * untrack_pfn_copy is called when a VM_PFNMAP VMA failed to copy during ++ * copy_page_range(), but after track_pfn_copy() was already called. ++ */ ++static inline void untrack_pfn_copy(struct vm_area_struct *dst_vma, ++ unsigned long pfn) ++{ ++} ++ + /* + * untrack_pfn is called while unmapping a pfnmap for a region. + * untrack can be called for a specific region indicated by pfn and size or +@@ -1538,8 +1549,10 @@ static inline void untrack_pfn(struct vm_area_struct *vma, + } + + /* +- * untrack_pfn_clear is called while mremapping a pfnmap for a new region +- * or fails to copy pgtable during duplicate vm area. ++ * untrack_pfn_clear is called in the following cases on a VM_PFNMAP VMA: ++ * ++ * 1) During mremap() on the src VMA after the page tables were moved. ++ * 2) During fork() on the dst VMA, immediately after duplicating the src VMA. + */ + static inline void untrack_pfn_clear(struct vm_area_struct *vma) + { +@@ -1550,7 +1563,10 @@ extern int track_pfn_remap(struct vm_area_struct *vma, pgprot_t *prot, + unsigned long size); + extern void track_pfn_insert(struct vm_area_struct *vma, pgprot_t *prot, + pfn_t pfn); +-extern int track_pfn_copy(struct vm_area_struct *vma); ++extern int track_pfn_copy(struct vm_area_struct *dst_vma, ++ struct vm_area_struct *src_vma, unsigned long *pfn); ++extern void untrack_pfn_copy(struct vm_area_struct *dst_vma, ++ unsigned long pfn); + extern void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn, + unsigned long size, bool mm_wr_locked); + extern void untrack_pfn_clear(struct vm_area_struct *vma); +diff --git a/kernel/fork.c b/kernel/fork.c +index e192bdbc9adeb..12decadff468f 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -505,6 +505,10 @@ struct vm_area_struct *vm_area_dup(struct vm_area_struct *orig) + vma_numab_state_init(new); + dup_anon_vma_name(orig, new); + ++ /* track_pfn_copy() will later take care of copying internal state. */ ++ if (unlikely(new->vm_flags & VM_PFNMAP)) ++ untrack_pfn_clear(new); ++ + return new; + } + +diff --git a/mm/memory.c b/mm/memory.c +index 01c0b3a5a4d66..99dceaf6a1057 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1356,12 +1356,12 @@ int + copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma) + { + pgd_t *src_pgd, *dst_pgd; +- unsigned long next; + unsigned long addr = src_vma->vm_start; + unsigned long end = src_vma->vm_end; + struct mm_struct *dst_mm = dst_vma->vm_mm; + struct mm_struct *src_mm = src_vma->vm_mm; + struct mmu_notifier_range range; ++ unsigned long next, pfn; + bool is_cow; + int ret; + +@@ -1372,11 +1372,7 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma) + return copy_hugetlb_page_range(dst_mm, src_mm, dst_vma, src_vma); + + if (unlikely(src_vma->vm_flags & VM_PFNMAP)) { +- /* +- * We do not free on error cases below as remove_vma +- * gets called on error from higher level routine +- */ +- ret = track_pfn_copy(src_vma); ++ ret = track_pfn_copy(dst_vma, src_vma, &pfn); + if (ret) + return ret; + } +@@ -1413,7 +1409,6 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma) + continue; + if (unlikely(copy_p4d_range(dst_vma, src_vma, dst_pgd, src_pgd, + addr, next))) { +- untrack_pfn_clear(dst_vma); + ret = -ENOMEM; + break; + } +@@ -1423,6 +1418,8 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma) + raw_write_seqcount_end(&src_mm->write_protect_seq); + mmu_notifier_invalidate_range_end(&range); + } ++ if (ret && unlikely(src_vma->vm_flags & VM_PFNMAP)) ++ untrack_pfn_copy(dst_vma, pfn); + return ret; + } + +-- +2.39.5 + diff --git a/queue-6.12/x86-platform-only-allow-config_eisa-for-32-bit.patch b/queue-6.12/x86-platform-only-allow-config_eisa-for-32-bit.patch new file mode 100644 index 0000000000..56d8399aba --- /dev/null +++ b/queue-6.12/x86-platform-only-allow-config_eisa-for-32-bit.patch @@ -0,0 +1,43 @@ +From 43c820c3450bce6b35ad0ad101ea0965c1adc21d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 22:37:14 +0100 +Subject: x86/platform: Only allow CONFIG_EISA for 32-bit + +From: Arnd Bergmann + +[ Upstream commit 976ba8da2f3c2f1e997f4f620da83ae65c0e3728 ] + +The CONFIG_EISA menu was cleaned up in 2018, but this inadvertently +brought the option back on 64-bit machines: ISA remains guarded by +a CONFIG_X86_32 check, but EISA no longer depends on ISA. + +The last Intel machines ith EISA support used a 82375EB PCI/EISA bridge +from 1993 that could be paired with the 440FX chipset on early Pentium-II +CPUs, long before the first x86-64 products. + +Fixes: 6630a8e50105 ("eisa: consolidate EISA Kconfig entry in drivers/eisa") +Signed-off-by: Arnd Bergmann +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250226213714.4040853-11-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 6f8e9af827e0c..c915097d3b732 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -226,7 +226,7 @@ config X86 + select HAVE_SAMPLE_FTRACE_DIRECT_MULTI if X86_64 + select HAVE_EBPF_JIT + select HAVE_EFFICIENT_UNALIGNED_ACCESS +- select HAVE_EISA ++ select HAVE_EISA if X86_32 + select HAVE_EXIT_THREAD + select HAVE_GUP_FAST + select HAVE_FENTRY if X86_64 || DYNAMIC_FTRACE +-- +2.39.5 + diff --git a/queue-6.12/x86-resctrl-fix-allocation-of-cleanest-closid-on-pla.patch b/queue-6.12/x86-resctrl-fix-allocation-of-cleanest-closid-on-pla.patch new file mode 100644 index 0000000000..bf053ffa38 --- /dev/null +++ b/queue-6.12/x86-resctrl-fix-allocation-of-cleanest-closid-on-pla.patch @@ -0,0 +1,67 @@ +From 0af911fca80144a2de5276cf908120c3857d87c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 18:36:46 +0000 +Subject: x86/resctrl: Fix allocation of cleanest CLOSID on platforms with no + monitors + +From: James Morse + +[ Upstream commit a121798ae669351ec0697c94f71c3a692b2a755b ] + +Commit + + 6eac36bb9eb0 ("x86/resctrl: Allocate the cleanest CLOSID by searching closid_num_dirty_rmid") + +added logic that causes resctrl to search for the CLOSID with the fewest dirty +cache lines when creating a new control group, if requested by the arch code. +This depends on the values read from the llc_occupancy counters. The logic is +applicable to architectures where the CLOSID effectively forms part of the +monitoring identifier and so do not allow complete freedom to choose an unused +monitoring identifier for a given CLOSID. + +This support missed that some platforms may not have these counters. This +causes a NULL pointer dereference when creating a new control group as the +array was not allocated by dom_data_init(). + +As this feature isn't necessary on platforms that don't have cache occupancy +monitors, add this to the check that occurs when a new control group is +allocated. + +Fixes: 6eac36bb9eb0 ("x86/resctrl: Allocate the cleanest CLOSID by searching closid_num_dirty_rmid") +Signed-off-by: James Morse +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Shaopeng Tan +Reviewed-by: David Hildenbrand +Reviewed-by: Reinette Chatre +Reviewed-by: Tony Luck +Reviewed-by: Fenghua Yu +Reviewed-by: Babu Moger +Tested-by: Carl Worth # arm64 +Tested-by: Shaopeng Tan +Tested-by: Peter Newman +Tested-by: Amit Singh Tomar # arm64 +Tested-by: Shanker Donthineni # arm64 +Tested-by: Babu Moger +Link: https://lore.kernel.org/r/20250311183715.16445-2-james.morse@arm.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +index d7163b764c626..2d48db66fca85 100644 +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -148,7 +148,8 @@ static int closid_alloc(void) + + lockdep_assert_held(&rdtgroup_mutex); + +- if (IS_ENABLED(CONFIG_RESCTRL_RMID_DEPENDS_ON_CLOSID)) { ++ if (IS_ENABLED(CONFIG_RESCTRL_RMID_DEPENDS_ON_CLOSID) && ++ is_llc_occupancy_enabled()) { + cleanest_closid = resctrl_find_cleanest_closid(); + if (cleanest_closid < 0) + return cleanest_closid; +-- +2.39.5 + diff --git a/queue-6.12/x86-sev-add-missing-rip_rel_ref-invocations-during-s.patch b/queue-6.12/x86-sev-add-missing-rip_rel_ref-invocations-during-s.patch new file mode 100644 index 0000000000..6106d20f08 --- /dev/null +++ b/queue-6.12/x86-sev-add-missing-rip_rel_ref-invocations-during-s.patch @@ -0,0 +1,52 @@ +From 12c361cf106b1d2a92b4a130e60f8713639f4859 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 20:23:22 +0000 +Subject: x86/sev: Add missing RIP_REL_REF() invocations during sme_enable() + +From: Kevin Loughlin + +[ Upstream commit 72dafb567760320f2de7447cd6e979bf9d4e5d17 ] + +The following commit: + + 1c811d403afd ("x86/sev: Fix position dependent variable references in startup code") + +introduced RIP_REL_REF() to force RIP-relative accesses to global variables, +as needed to prevent crashes during early SEV/SME startup code. + +For completeness, RIP_REL_REF() should be used with additional variables during +sme_enable(): + + https://lore.kernel.org/all/CAMj1kXHnA0fJu6zh634=fbJswp59kSRAbhW+ubDGj1+NYwZJ-Q@mail.gmail.com/ + +Access these vars with RIP_REL_REF() to prevent problem reoccurence. + +Fixes: 1c811d403afd ("x86/sev: Fix position dependent variable references in startup code") +Signed-off-by: Kevin Loughlin +Signed-off-by: Ingo Molnar +Reviewed-by: Ard Biesheuvel +Reviewed-by: Tom Lendacky +Cc: Dave Hansen +Link: https://lore.kernel.org/r/20241122202322.977678-1-kevinloughlin@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/mm/mem_encrypt_identity.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c +index ac33b2263a434..b922b9fea6b64 100644 +--- a/arch/x86/mm/mem_encrypt_identity.c ++++ b/arch/x86/mm/mem_encrypt_identity.c +@@ -562,7 +562,7 @@ void __head sme_enable(struct boot_params *bp) + } + + RIP_REL_REF(sme_me_mask) = me_mask; +- physical_mask &= ~me_mask; +- cc_vendor = CC_VENDOR_AMD; ++ RIP_REL_REF(physical_mask) &= ~me_mask; ++ RIP_REL_REF(cc_vendor) = CC_VENDOR_AMD; + cc_set_mask(me_mask); + } +-- +2.39.5 + diff --git a/queue-6.12/x86-sgx-warn-explicitly-if-x86_feature_sgx_lc-is-not.patch b/queue-6.12/x86-sgx-warn-explicitly-if-x86_feature_sgx_lc-is-not.patch new file mode 100644 index 0000000000..a277f39bc5 --- /dev/null +++ b/queue-6.12/x86-sgx-warn-explicitly-if-x86_feature_sgx_lc-is-not.patch @@ -0,0 +1,87 @@ +From 4f2edefafe06c6387e3020be010e24ed276f154a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Mar 2025 18:22:16 +0100 +Subject: x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled + +From: Vladis Dronov + +[ Upstream commit 65be5c95d08eedda570a6c888a12384c77fe7614 ] + +The kernel requires X86_FEATURE_SGX_LC to be able to create SGX enclaves, +not just X86_FEATURE_SGX. + +There is quite a number of hardware which has X86_FEATURE_SGX but not +X86_FEATURE_SGX_LC. A kernel running on such hardware does not create +the /dev/sgx_enclave file and does so silently. + +Explicitly warn if X86_FEATURE_SGX_LC is not enabled to properly notify +users that the kernel disabled the SGX driver. + +The X86_FEATURE_SGX_LC, a.k.a. SGX Launch Control, is a CPU feature +that enables LE (Launch Enclave) hash MSRs to be writable (with +additional opt-in required in the 'feature control' MSR) when running +enclaves, i.e. using a custom root key rather than the Intel proprietary +key for enclave signing. + +I've hit this issue myself and have spent some time researching where +my /dev/sgx_enclave file went on SGX-enabled hardware. + +Related links: + + https://github.com/intel/linux-sgx/issues/837 + https://patchwork.kernel.org/project/platform-driver-x86/patch/20180827185507.17087-3-jarkko.sakkinen@linux.intel.com/ + +[ mingo: Made the error message a bit more verbose, and added other cases + where the kernel fails to create the /dev/sgx_enclave device node. ] + +Signed-off-by: Vladis Dronov +Signed-off-by: Ingo Molnar +Acked-by: Kai Huang +Cc: Jarkko Sakkinen +Cc: Andy Lutomirski +Cc: Sean Christopherson +Cc: Linus Torvalds +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250309172215.21777-2-vdronov@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/sgx/driver.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c +index 22b65a5f5ec6c..7f8d1e11dbee2 100644 +--- a/arch/x86/kernel/cpu/sgx/driver.c ++++ b/arch/x86/kernel/cpu/sgx/driver.c +@@ -150,13 +150,15 @@ int __init sgx_drv_init(void) + u64 xfrm_mask; + int ret; + +- if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) ++ if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) { ++ pr_info("SGX disabled: SGX launch control CPU feature is not available, /dev/sgx_enclave disabled.\n"); + return -ENODEV; ++ } + + cpuid_count(SGX_CPUID, 0, &eax, &ebx, &ecx, &edx); + + if (!(eax & 1)) { +- pr_err("SGX disabled: SGX1 instruction support not available.\n"); ++ pr_info("SGX disabled: SGX1 instruction support not available, /dev/sgx_enclave disabled.\n"); + return -ENODEV; + } + +@@ -173,8 +175,10 @@ int __init sgx_drv_init(void) + } + + ret = misc_register(&sgx_dev_enclave); +- if (ret) ++ if (ret) { ++ pr_info("SGX disabled: Unable to register the /dev/sgx_enclave driver (%d).\n", ret); + return ret; ++ } + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.12/x86-traps-make-exc_double_fault-consistently-noretur.patch b/queue-6.12/x86-traps-make-exc_double_fault-consistently-noretur.patch new file mode 100644 index 0000000000..333ace5a3d --- /dev/null +++ b/queue-6.12/x86-traps-make-exc_double_fault-consistently-noretur.patch @@ -0,0 +1,127 @@ +From 7a1cb3ed2d70749bd129e938aa835db2de00c2ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 12:28:59 -0700 +Subject: x86/traps: Make exc_double_fault() consistently noreturn + +From: Josh Poimboeuf + +[ Upstream commit 8085fcd78c1a3dbdf2278732579009d41ce0bc4e ] + +The CONFIG_X86_ESPFIX64 version of exc_double_fault() can return to its +caller, but the !CONFIG_X86_ESPFIX64 version never does. In the latter +case the compiler and/or objtool may consider it to be implicitly +noreturn. + +However, due to the currently inflexible way objtool detects noreturns, +a function's noreturn status needs to be consistent across configs. + +The current workaround for this issue is to suppress unreachable +warnings for exc_double_fault()'s callers. Unfortunately that can +result in ORC coverage gaps and potentially worse issues like inert +static calls and silently disabled CPU mitigations. + +Instead, prevent exc_double_fault() from ever being implicitly marked +noreturn by forcing a return behind a never-taken conditional. + +Until a more integrated noreturn detection method exists, this is likely +the least objectionable workaround. + +Fixes: 55eeab2a8a11 ("objtool: Ignore exc_double_fault() __noreturn warnings") +Signed-off-by: Josh Poimboeuf +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Brendan Jackman +Link: https://lore.kernel.org/r/d1f4026f8dc35d0de6cc61f2684e0cb6484009d1.1741975349.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/traps.c | 18 +++++++++++++++++- + tools/objtool/check.c | 31 +------------------------------ + 2 files changed, 18 insertions(+), 31 deletions(-) + +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index 2dbadf347b5f4..5e3e036e6e537 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -379,6 +379,21 @@ __visible void __noreturn handle_stack_overflow(struct pt_regs *regs, + } + #endif + ++/* ++ * Prevent the compiler and/or objtool from marking the !CONFIG_X86_ESPFIX64 ++ * version of exc_double_fault() as noreturn. Otherwise the noreturn mismatch ++ * between configs triggers objtool warnings. ++ * ++ * This is a temporary hack until we have compiler or plugin support for ++ * annotating noreturns. ++ */ ++#ifdef CONFIG_X86_ESPFIX64 ++#define always_true() true ++#else ++bool always_true(void); ++bool __weak always_true(void) { return true; } ++#endif ++ + /* + * Runs on an IST stack for x86_64 and on a special task stack for x86_32. + * +@@ -514,7 +529,8 @@ DEFINE_IDTENTRY_DF(exc_double_fault) + + pr_emerg("PANIC: double fault, error_code: 0x%lx\n", error_code); + die("double fault", regs, error_code); +- panic("Machine halted."); ++ if (always_true()) ++ panic("Machine halted."); + instrumentation_end(); + } + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index 3c3e5760e81b8..24a1adca30dbc 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -4575,35 +4575,6 @@ static int validate_sls(struct objtool_file *file) + return warnings; + } + +-static bool ignore_noreturn_call(struct instruction *insn) +-{ +- struct symbol *call_dest = insn_call_dest(insn); +- +- /* +- * FIXME: hack, we need a real noreturn solution +- * +- * Problem is, exc_double_fault() may or may not return, depending on +- * whether CONFIG_X86_ESPFIX64 is set. But objtool has no visibility +- * to the kernel config. +- * +- * Other potential ways to fix it: +- * +- * - have compiler communicate __noreturn functions somehow +- * - remove CONFIG_X86_ESPFIX64 +- * - read the .config file +- * - add a cmdline option +- * - create a generic objtool annotation format (vs a bunch of custom +- * formats) and annotate it +- */ +- if (!strcmp(call_dest->name, "exc_double_fault")) { +- /* prevent further unreachable warnings for the caller */ +- insn->sym->warned = 1; +- return true; +- } +- +- return false; +-} +- + static int validate_reachable_instructions(struct objtool_file *file) + { + struct instruction *insn, *prev_insn; +@@ -4620,7 +4591,7 @@ static int validate_reachable_instructions(struct objtool_file *file) + prev_insn = prev_insn_same_sec(file, insn); + if (prev_insn && prev_insn->dead_end) { + call_dest = insn_call_dest(prev_insn); +- if (call_dest && !ignore_noreturn_call(prev_insn)) { ++ if (call_dest) { + WARN_INSN(insn, "%s() is missing a __noreturn annotation", + call_dest->name); + warnings++; +-- +2.39.5 + diff --git a/queue-6.12/x86-uaccess-improve-performance-by-aligning-writes-t.patch b/queue-6.12/x86-uaccess-improve-performance-by-aligning-writes-t.patch new file mode 100644 index 0000000000..556056f923 --- /dev/null +++ b/queue-6.12/x86-uaccess-improve-performance-by-aligning-writes-t.patch @@ -0,0 +1,190 @@ +From deb80aa379393ce4753c61c961caa7f0a76d93d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Mar 2025 11:22:13 -0300 +Subject: x86/uaccess: Improve performance by aligning writes to 8 bytes in + copy_user_generic(), on non-FSRM/ERMS CPUs + +From: Herton R. Krzesinski + +[ Upstream commit b5322b6ec06a6c58650f52abcd2492000396363b ] + +History of the performance regression: +====================================== + +Since the following series of user copy updates were merged upstream +~2 years ago via: + + a5624566431d ("Merge branch 'x86-rep-insns': x86 user copy clarifications") + +.. copy_user_generic() on x86_64 stopped doing alignment of the +writes to the destination to a 8 byte boundary for the non FSRM case. + +Previously, this was done through the ALIGN_DESTINATION macro that +was used in the now removed copy_user_generic_unrolled function. + +Turns out this change causes some loss of performance/throughput on +some use cases and specific CPU/platforms without FSRM and ERMS. + +Lately I got two reports of performance/throughput issues after a +RHEL 9 kernel pulled the same upstream series with updates to user +copy functions. Both reports consisted of running specific +networking/TCP related testing using iperf3. + +Partial upstream fix +==================== + +The first report was related to a Linux Bridge testing using VMs on a +specific machine with an AMD CPU (EPYC 7402), and after a brief +investigation it turned out that the later change via: + + ca96b162bfd2 ("x86: bring back rep movsq for user access on CPUs without ERMS") + +... helped/fixed the performance issue. + +However, after the later commit/fix was applied, then I got another +regression reported in a multistream TCP test on a 100Gbit mlx5 nic, also +running on an AMD based platform (AMD EPYC 7302 CPU), again that was using +iperf3 to run the test. That regression was after applying the later +fix/commit, but only this didn't help in telling the whole history. + +Testing performed to pinpoint residual regression +================================================= + +So I narrowed down the second regression use case, but running it +without traffic through a NIC, on localhost, in trying to narrow down +CPU usage and not being limited by other factor like network bandwidth. +I used another system also with an AMD CPU (AMD EPYC 7742). Basically, +I run iperf3 in server and client mode in the same system, for example: + + - Start the server binding it to CPU core/thread 19: + $ taskset -c 19 iperf3 -D -s -B 127.0.0.1 -p 12000 + + - Start the client always binding/running on CPU core/thread 17, using + perf to get statistics: + $ perf stat -o stat.txt taskset -c 17 iperf3 -c 127.0.0.1 -b 0/1000 -V \ + -n 50G --repeating-payload -l 16384 -p 12000 --cport 12001 2>&1 \ + > stat-19.txt + +For the client, always running/pinned to CPU 17. But for the iperf3 in +server mode, I did test runs using CPUs 19, 21, 23 or not pinned to any +specific CPU. So it basically consisted with four runs of the same +commands, just changing the CPU which the server is pinned, or without +pinning by removing the taskset call before the server command. The CPUs +were chosen based on NUMA node they were on, this is the relevant output +of lscpu on the system: + + $ lscpu + ... + Model name: AMD EPYC 7742 64-Core Processor + ... + Caches (sum of all): + L1d: 2 MiB (64 instances) + L1i: 2 MiB (64 instances) + L2: 32 MiB (64 instances) + L3: 256 MiB (16 instances) + NUMA: + NUMA node(s): 4 + NUMA node0 CPU(s): 0,1,8,9,16,17,24,25,32,33,40,41,48,49,56,57,64,65,72,73,80,81,88,89,96,97,104,105,112,113,120,121 + NUMA node1 CPU(s): 2,3,10,11,18,19,26,27,34,35,42,43,50,51,58,59,66,67,74,75,82,83,90,91,98,99,106,107,114,115,122,123 + NUMA node2 CPU(s): 4,5,12,13,20,21,28,29,36,37,44,45,52,53,60,61,68,69,76,77,84,85,92,93,100,101,108,109,116,117,124,125 + NUMA node3 CPU(s): 6,7,14,15,22,23,30,31,38,39,46,47,54,55,62,63,70,71,78,79,86,87,94,95,102,103,110,111,118,119,126,127 + ... + +So for the server run, when picking a CPU, I chose CPUs to be not on the same +node. The reason is with that I was able to get/measure relevant +performance differences when changing the alignment of the writes to the +destination in copy_user_generic. + +Testing shows up to +81% performance improvement under iperf3 +============================================================= + +Here's a summary of the iperf3 runs: + + # Vanilla upstream alignment: + + CPU RATE SYS TIME sender-receiver + Server bind 19: 13.0Gbits/sec 28.371851000 33.233499566 86.9%-70.8% + Server bind 21: 12.9Gbits/sec 28.283381000 33.586486621 85.8%-69.9% + Server bind 23: 11.1Gbits/sec 33.660190000 39.012243176 87.7%-64.5% + Server bind none: 18.9Gbits/sec 19.215339000 22.875117865 86.0%-80.5% + + # With the attached patch (aligning writes in non ERMS/FSRM case): + + CPU RATE SYS TIME sender-receiver + Server bind 19: 20.8Gbits/sec 14.897284000 20.811101382 75.7%-89.0% + Server bind 21: 20.4Gbits/sec 15.205055000 21.263165909 75.4%-89.7% + Server bind 23: 20.2Gbits/sec 15.433801000 21.456175000 75.5%-89.8% + Server bind none: 26.1Gbits/sec 12.534022000 16.632447315 79.8%-89.6% + +So I consistently got better results when aligning the write. The +results above were run on 6.14.0-rc6/rc7 based kernels. The sys is sys +time and then the total time to run/transfer 50G of data. The last +field is the CPU usage of sender/receiver iperf3 process. It's also +worth to note that each pair of iperf3 runs may get slightly different +results on each run, but I always got consistent higher results with +the write alignment for this specific test of running the processes +on CPUs in different NUMA nodes. + +Linus Torvalds helped/provided this version of the patch. Initially I +proposed a version which aligned writes for all cases in +rep_movs_alternative, however it used two extra registers and thus +Linus provided an enhanced version that only aligns the write on the +large_movsq case, which is sufficient since the problem happens only +on those AMD CPUs like ones mentioned above without ERMS/FSRM, and +also doesn't require using extra registers. Also, I validated that +aligning only on large_movsq case is really enough for getting the +performance back. + +I also tested this patch on an old Intel based non-ERMS/FRMS system +(with Xeon E5-2667 - Sandy Bridge based) and didn't get any problems: +no performance enhancement but also no regression either, using the +same iperf3 based benchmark. Also newer Intel processors after +Sandy Bridge usually have ERMS and should not be affected by this change. + +[ mingo: Updated the changelog. ] + +Fixes: ca96b162bfd2 ("x86: bring back rep movsq for user access on CPUs without ERMS") +Fixes: 034ff37d3407 ("x86: rewrite '__copy_user_nocache' function") +Reported-by: Ondrej Lichtner +Co-developed-by: Linus Torvalds +Signed-off-by: Linus Torvalds +Signed-off-by: Herton R. Krzesinski +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20250320142213.2623518-1-herton@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/lib/copy_user_64.S | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S +index fc9fb5d061744..b8f74d80f35c6 100644 +--- a/arch/x86/lib/copy_user_64.S ++++ b/arch/x86/lib/copy_user_64.S +@@ -74,6 +74,24 @@ SYM_FUNC_START(rep_movs_alternative) + _ASM_EXTABLE_UA( 0b, 1b) + + .Llarge_movsq: ++ /* Do the first possibly unaligned word */ ++0: movq (%rsi),%rax ++1: movq %rax,(%rdi) ++ ++ _ASM_EXTABLE_UA( 0b, .Lcopy_user_tail) ++ _ASM_EXTABLE_UA( 1b, .Lcopy_user_tail) ++ ++ /* What would be the offset to the aligned destination? */ ++ leaq 8(%rdi),%rax ++ andq $-8,%rax ++ subq %rdi,%rax ++ ++ /* .. and update pointers and count to match */ ++ addq %rax,%rdi ++ addq %rax,%rsi ++ subq %rax,%rcx ++ ++ /* make %rcx contain the number of words, %rax the remainder */ + movq %rcx,%rax + shrq $3,%rcx + andl $7,%eax +-- +2.39.5 +