From: Greg Kroah-Hartman Date: Mon, 27 Oct 2025 11:48:38 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.4.301~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=50f5c36372948711c5c3ee5ea716ecdb266708d7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch arm64-cputype-add-neoverse-v3ae-definitions.patch arm64-errata-apply-workarounds-for-neoverse-v3ae.patch crypto-rockchip-fix-dma_unmap_sg-nents-value.patch drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch fuse-fix-livelock-in-synchronous-file-put-from-fuseblk-workers.patch iio-imu-inv_icm42600-avoid-configuring-if-already-pm_runtime-suspended.patch iio-imu-inv_icm42600-simplify-pm_runtime-setup.patch iio-imu-inv_icm42600-use-instead-of-memset.patch keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch media-s5p-mfc-remove-an-unused-uninitialized-variable.patch nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch nfsd-fix-last-write-offset-handling-in-layoutcommit.patch nfsd-minor-cleanup-in-layoutcommit-processing.patch nfsd-rework-encoding-and-decoding-of-nfsd4_deviceid.patch padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch pci-add-sysfs-attribute-for-device-power-state.patch pci-j721e-fix-programming-sequence-of-strap-settings.patch pci-sysfs-ensure-devices-are-powered-for-config-reads.patch pci-sysfs-use-sysfs_emit-and-sysfs_emit_at-in-show-functions.patch pci-tegra194-handle-errors-in-bpmp-response.patch pm-runtime-add-new-devm-functions.patch spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch vfs-don-t-leak-disconnected-dentries-on-umount.patch vsock-fix-lock-inversion-in-vsock_assign_transport.patch wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch --- diff --git a/queue-5.10/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch b/queue-5.10/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch new file mode 100644 index 0000000000..1de092b117 --- /dev/null +++ b/queue-5.10/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch @@ -0,0 +1,53 @@ +From stable+bounces-189876-greg=kroah.com@vger.kernel.org Sun Oct 26 17:37:42 2025 +From: Sasha Levin +Date: Sun, 26 Oct 2025 12:37:34 -0400 +Subject: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() +To: stable@vger.kernel.org +Cc: Kaushlendra Kumar , stable , Sudeep Holla , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251026163734.117582-1-sashal@kernel.org> + +From: Kaushlendra Kumar + +[ Upstream commit 2eead19334516c8e9927c11b448fbe512b1f18a1 ] + +Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() +which causes the code to proceed with NULL clock pointers. The current +logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both +valid pointers and NULL, leading to potential NULL pointer dereference +in clk_get_rate(). + +Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: +"The error code within @ptr if it is an error pointer; 0 otherwise." + +This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL +pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) +when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be +called when of_clk_get() returns NULL. + +Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid +pointers, preventing potential NULL pointer dereference in clk_get_rate(). + +Cc: stable +Signed-off-by: Kaushlendra Kumar +Reviewed-by: Sudeep Holla +Fixes: b8fe128dad8f ("arch_topology: Adjust initial CPU capacities with current freq") +Link: https://patch.msgid.link/20250923174308.1771906-1-kaushlendra.kumar@intel.com +Signed-off-by: Greg Kroah-Hartman +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/arch_topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/arch_topology.c ++++ b/drivers/base/arch_topology.c +@@ -196,7 +196,7 @@ bool __init topology_parse_cpu_capacity( + * frequency (by keeping the initial freq_factor value). + */ + cpu_clk = of_clk_get(cpu_node, 0); +- if (!PTR_ERR_OR_ZERO(cpu_clk)) { ++ if (!IS_ERR_OR_NULL(cpu_clk)) { + per_cpu(freq_factor, cpu) = + clk_get_rate(cpu_clk) / 1000; + clk_put(cpu_clk); diff --git a/queue-5.10/arm64-cputype-add-neoverse-v3ae-definitions.patch b/queue-5.10/arm64-cputype-add-neoverse-v3ae-definitions.patch new file mode 100644 index 0000000000..40fb3a0050 --- /dev/null +++ b/queue-5.10/arm64-cputype-add-neoverse-v3ae-definitions.patch @@ -0,0 +1,49 @@ +From 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 19 Sep 2025 15:58:28 +0100 +Subject: arm64: cputype: Add Neoverse-V3AE definitions + +From: Mark Rutland + +commit 3bbf004c4808e2c3241e5c1ad6cc102f38a03c39 upstream. + +Add cputype definitions for Neoverse-V3AE. These will be used for errata +detection in subsequent patches. + +These values can be found in the Neoverse-V3AE TRM: + + https://developer.arm.com/documentation/SDEN-2615521/9-0/ + +... in section A.6.1 ("MIDR_EL1, Main ID Register"). + +Signed-off-by: Mark Rutland +Cc: James Morse +Cc: Will Deacon +Cc: Catalin Marinas +Signed-off-by: Ryan Roberts +Signed-off-by: Will Deacon +[ Ryan: Trivial backport ] +Signed-off-by: Ryan Roberts +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/cputype.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -92,6 +92,7 @@ + #define ARM_CPU_PART_NEOVERSE_V2 0xD4F + #define ARM_CPU_PART_CORTEX_A720 0xD81 + #define ARM_CPU_PART_CORTEX_X4 0xD82 ++#define ARM_CPU_PART_NEOVERSE_V3AE 0xD83 + #define ARM_CPU_PART_NEOVERSE_V3 0xD84 + #define ARM_CPU_PART_CORTEX_X925 0xD85 + #define ARM_CPU_PART_CORTEX_A725 0xD87 +@@ -157,6 +158,7 @@ + #define MIDR_NEOVERSE_V2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V2) + #define MIDR_CORTEX_A720 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A720) + #define MIDR_CORTEX_X4 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X4) ++#define MIDR_NEOVERSE_V3AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3AE) + #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) + #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) diff --git a/queue-5.10/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch b/queue-5.10/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch new file mode 100644 index 0000000000..61ddffe99c --- /dev/null +++ b/queue-5.10/arm64-errata-apply-workarounds-for-neoverse-v3ae.patch @@ -0,0 +1,63 @@ +From 0c33aa1804d101c11ba1992504f17a42233f0e11 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 19 Sep 2025 15:58:29 +0100 +Subject: arm64: errata: Apply workarounds for Neoverse-V3AE + +From: Mark Rutland + +commit 0c33aa1804d101c11ba1992504f17a42233f0e11 upstream. + +Neoverse-V3AE is also affected by erratum #3312417, as described in its +Software Developer Errata Notice (SDEN) document: + + Neoverse V3AE (MP172) SDEN v9.0, erratum 3312417 + https://developer.arm.com/documentation/SDEN-2615521/9-0/ + +Enable the workaround for Neoverse-V3AE, and document this. + +Signed-off-by: Mark Rutland +Cc: James Morse +Cc: Will Deacon +Cc: Catalin Marinas +Signed-off-by: Ryan Roberts +Signed-off-by: Will Deacon +[ Ryan: Trivial backport ] +Signed-off-by: Ryan Roberts +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/arm64/silicon-errata.rst | 2 ++ + arch/arm64/Kconfig | 1 + + arch/arm64/kernel/cpu_errata.c | 1 + + 3 files changed, 4 insertions(+) + +--- a/Documentation/arm64/silicon-errata.rst ++++ b/Documentation/arm64/silicon-errata.rst +@@ -144,6 +144,8 @@ stable kernels. + +----------------+-----------------+-----------------+-----------------------------+ + | ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 | + +----------------+-----------------+-----------------+-----------------------------+ ++| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 | +++----------------+-----------------+-----------------+-----------------------------+ + | ARM | MMU-500 | #841119,826419 | N/A | + +----------------+-----------------+-----------------+-----------------------------+ + +----------------+-----------------+-----------------+-----------------------------+ +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -718,6 +718,7 @@ config ARM64_ERRATUM_3194386 + * ARM Neoverse-V1 erratum 3324341 + * ARM Neoverse V2 erratum 3324336 + * ARM Neoverse-V3 erratum 3312417 ++ * ARM Neoverse-V3AE erratum 3312417 + + On affected cores "MSR SSBS, #0" instructions may not affect + subsequent speculative instructions, which may permit unexepected +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -386,6 +386,7 @@ static const struct midr_range erratum_s + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE), + {} + }; + #endif diff --git a/queue-5.10/crypto-rockchip-fix-dma_unmap_sg-nents-value.patch b/queue-5.10/crypto-rockchip-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..5360088879 --- /dev/null +++ b/queue-5.10/crypto-rockchip-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,40 @@ +From stable+bounces-188192-greg=kroah.com@vger.kernel.org Mon Oct 20 18:24:19 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:23:42 -0400 +Subject: crypto: rockchip - Fix dma_unmap_sg() nents value +To: stable@vger.kernel.org +Cc: Thomas Fourier , Herbert Xu , Sasha Levin +Message-ID: <20251020162342.1837833-1-sashal@kernel.org> + +From: Thomas Fourier + +[ Upstream commit 21140e5caf019e4a24e1ceabcaaa16bd693b393f ] + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 57d67c6e8219 ("crypto: rockchip - rework by using crypto_engine") +Cc: +Signed-off-by: Thomas Fourier +Signed-off-by: Herbert Xu +[ removed unused rctx variable declaration since device pointer already came from tctx->dev->dev instead of rctx->dev ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/rockchip/rk3288_crypto_ahash.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c ++++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c +@@ -236,10 +236,9 @@ static int rk_hash_unprepare(struct cryp + { + struct ahash_request *areq = container_of(breq, struct ahash_request, base); + struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq); +- struct rk_ahash_rctx *rctx = ahash_request_ctx(areq); + struct rk_ahash_ctx *tctx = crypto_ahash_ctx(tfm); + +- dma_unmap_sg(tctx->dev->dev, areq->src, rctx->nrsg, DMA_TO_DEVICE); ++ dma_unmap_sg(tctx->dev->dev, areq->src, sg_nents(areq->src), DMA_TO_DEVICE); + return 0; + } + diff --git a/queue-5.10/drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch b/queue-5.10/drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch new file mode 100644 index 0000000000..ba3a8ea202 --- /dev/null +++ b/queue-5.10/drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch @@ -0,0 +1,124 @@ +From stable+bounces-188345-greg=kroah.com@vger.kernel.org Tue Oct 21 15:36:07 2025 +From: Sasha Levin +Date: Tue, 21 Oct 2025 09:34:32 -0400 +Subject: drm/amdgpu: use atomic functions with memory barriers for vm fault info +To: stable@vger.kernel.org +Cc: Gui-Dong Han , Felix Kuehling , Alex Deucher , Sasha Levin +Message-ID: <20251021133432.2080290-1-sashal@kernel.org> + +From: Gui-Dong Han + +[ Upstream commit 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b ] + +The atomic variable vm_fault_info_updated is used to synchronize access to +adev->gmc.vm_fault_info between the interrupt handler and +get_vm_fault_info(). + +The default atomic functions like atomic_set() and atomic_read() do not +provide memory barriers. This allows for CPU instruction reordering, +meaning the memory accesses to vm_fault_info and the vm_fault_info_updated +flag are not guaranteed to occur in the intended order. This creates a +race condition that can lead to inconsistent or stale data being used. + +The previous implementation, which used an explicit mb(), was incomplete +and inefficient. It failed to account for all potential CPU reorderings, +such as the access of vm_fault_info being reordered before the atomic_read +of the flag. This approach is also more verbose and less performant than +using the proper atomic functions with acquire/release semantics. + +Fix this by switching to atomic_set_release() and atomic_read_acquire(). +These functions provide the necessary acquire and release semantics, +which act as memory barriers to ensure the correct order of operations. +It is also more efficient and idiomatic than using explicit full memory +barriers. + +Fixes: b97dfa27ef3a ("drm/amdgpu: save vm fault information for amdkfd") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Signed-off-by: Felix Kuehling +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +[ kept kgd_dev parameter and adev cast in amdgpu_amdkfd_gpuvm_get_vm_fault_info ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 5 ++--- + drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c | 7 +++---- + drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 7 +++---- + 3 files changed, 8 insertions(+), 11 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -1640,10 +1640,9 @@ int amdgpu_amdkfd_gpuvm_get_vm_fault_inf + struct amdgpu_device *adev; + + adev = (struct amdgpu_device *)kgd; +- if (atomic_read(&adev->gmc.vm_fault_info_updated) == 1) { ++ if (atomic_read_acquire(&adev->gmc.vm_fault_info_updated) == 1) { + *mem = *adev->gmc.vm_fault_info; +- mb(); +- atomic_set(&adev->gmc.vm_fault_info_updated, 0); ++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); + } + return 0; + } +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c +@@ -1067,7 +1067,7 @@ static int gmc_v7_0_sw_init(void *handle + GFP_KERNEL); + if (!adev->gmc.vm_fault_info) + return -ENOMEM; +- atomic_set(&adev->gmc.vm_fault_info_updated, 0); ++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); + + return 0; + } +@@ -1297,7 +1297,7 @@ static int gmc_v7_0_process_interrupt(st + vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, + VMID); + if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid) +- && !atomic_read(&adev->gmc.vm_fault_info_updated)) { ++ && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) { + struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info; + u32 protections = REG_GET_FIELD(status, + VM_CONTEXT1_PROTECTION_FAULT_STATUS, +@@ -1313,8 +1313,7 @@ static int gmc_v7_0_process_interrupt(st + info->prot_read = protections & 0x8 ? true : false; + info->prot_write = protections & 0x10 ? true : false; + info->prot_exec = protections & 0x20 ? true : false; +- mb(); +- atomic_set(&adev->gmc.vm_fault_info_updated, 1); ++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 1); + } + + return 0; +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +@@ -1199,7 +1199,7 @@ static int gmc_v8_0_sw_init(void *handle + GFP_KERNEL); + if (!adev->gmc.vm_fault_info) + return -ENOMEM; +- atomic_set(&adev->gmc.vm_fault_info_updated, 0); ++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); + + return 0; + } +@@ -1488,7 +1488,7 @@ static int gmc_v8_0_process_interrupt(st + vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, + VMID); + if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid) +- && !atomic_read(&adev->gmc.vm_fault_info_updated)) { ++ && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) { + struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info; + u32 protections = REG_GET_FIELD(status, + VM_CONTEXT1_PROTECTION_FAULT_STATUS, +@@ -1504,8 +1504,7 @@ static int gmc_v8_0_process_interrupt(st + info->prot_read = protections & 0x8 ? true : false; + info->prot_write = protections & 0x10 ? true : false; + info->prot_exec = protections & 0x20 ? true : false; +- mb(); +- atomic_set(&adev->gmc.vm_fault_info_updated, 1); ++ atomic_set_release(&adev->gmc.vm_fault_info_updated, 1); + } + + return 0; diff --git a/queue-5.10/ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch b/queue-5.10/ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch new file mode 100644 index 0000000000..d06ee6c055 --- /dev/null +++ b/queue-5.10/ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch @@ -0,0 +1,56 @@ +From stable+bounces-188392-greg=kroah.com@vger.kernel.org Tue Oct 21 19:42:06 2025 +From: Sasha Levin +Date: Tue, 21 Oct 2025 13:41:57 -0400 +Subject: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() +To: stable@vger.kernel.org +Cc: Theodore Ts'o , Jan Kara , "Darrick J. Wong" , Sasha Levin +Message-ID: <20251021174157.2449192-1-sashal@kernel.org> + +From: Theodore Ts'o + +[ Upstream commit 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 ] + +Unlike other strings in the ext4 superblock, we rely on tune2fs to +make sure s_mount_opts is NUL terminated. Harden +parse_apply_sb_mount_options() by treating s_mount_opts as a potential +__nonstring. + +Cc: stable@vger.kernel.org +Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock") +Reviewed-by: Jan Kara +Reviewed-by: Darrick J. Wong +Signed-off-by: Theodore Ts'o +Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0@mit.edu> +Signed-off-by: Theodore Ts'o +[ applied to ext4_fill_super() instead of parse_apply_sb_mount_options() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4282,18 +4282,16 @@ static int ext4_fill_super(struct super_ + } + + if (sbi->s_es->s_mount_opts[0]) { +- char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts, +- sizeof(sbi->s_es->s_mount_opts), +- GFP_KERNEL); +- if (!s_mount_opts) +- goto failed_mount; ++ char s_mount_opts[65]; ++ ++ strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts, ++ sizeof(s_mount_opts)); + if (!parse_options(s_mount_opts, sb, &journal_devnum, + &journal_ioprio, 0)) { + ext4_msg(sb, KERN_WARNING, + "failed to parse options in superblock: %s", + s_mount_opts); + } +- kfree(s_mount_opts); + } + sbi->s_def_mount_opt = sbi->s_mount_opt; + if (!parse_options((char *) data, sb, &journal_devnum, diff --git a/queue-5.10/fuse-fix-livelock-in-synchronous-file-put-from-fuseblk-workers.patch b/queue-5.10/fuse-fix-livelock-in-synchronous-file-put-from-fuseblk-workers.patch new file mode 100644 index 0000000000..d45e9df429 --- /dev/null +++ b/queue-5.10/fuse-fix-livelock-in-synchronous-file-put-from-fuseblk-workers.patch @@ -0,0 +1,93 @@ +From stable+bounces-188862-greg=kroah.com@vger.kernel.org Wed Oct 22 03:03:28 2025 +From: Sasha Levin +Date: Tue, 21 Oct 2025 21:03:19 -0400 +Subject: fuse: fix livelock in synchronous file put from fuseblk workers +To: stable@vger.kernel.org +Cc: "Darrick J. Wong" , Miklos Szeredi , Sasha Levin +Message-ID: <20251022010319.3557814-1-sashal@kernel.org> + +From: "Darrick J. Wong" + +[ Upstream commit 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 ] + +I observed a hang when running generic/323 against a fuseblk server. +This test opens a file, initiates a lot of AIO writes to that file +descriptor, and closes the file descriptor before the writes complete. +Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for +responses from the fuseblk server: + +[<0>] request_wait_answer+0x1fe/0x2a0 [fuse] +[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] +[<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] +[<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] +[<0>] aio_read+0x130/0x1e0 +[<0>] io_submit_one+0x542/0x860 +[<0>] __x64_sys_io_submit+0x98/0x1a0 +[<0>] do_syscall_64+0x37/0xf0 +[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +But the /weird/ part is that the fuseblk server threads are waiting for +responses from itself: + +[<0>] request_wait_answer+0x1fe/0x2a0 [fuse] +[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] +[<0>] fuse_file_put+0x9a/0xd0 [fuse] +[<0>] fuse_release+0x36/0x50 [fuse] +[<0>] __fput+0xec/0x2b0 +[<0>] task_work_run+0x55/0x90 +[<0>] syscall_exit_to_user_mode+0xe9/0x100 +[<0>] do_syscall_64+0x43/0xf0 +[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +The fuseblk server is fuse2fs so there's nothing all that exciting in +the server itself. So why is the fuse server calling fuse_file_put? +The commit message for the fstest sheds some light on that: + +"By closing the file descriptor before calling io_destroy, you pretty +much guarantee that the last put on the ioctx will be done in interrupt +context (during I/O completion). + +Aha. AIO fgets a new struct file from the fd when it queues the ioctx. +The completion of the FUSE_WRITE command from userspace causes the fuse +server to call the AIO completion function. The completion puts the +struct file, queuing a delayed fput to the fuse server task. When the +fuse server task returns to userspace, it has to run the delayed fput, +which in the case of a fuseblk server, it does synchronously. + +Sending the FUSE_RELEASE command sychronously from fuse server threads +is a bad idea because a client program can initiate enough simultaneous +AIOs such that all the fuse server threads end up in delayed_fput, and +now there aren't any threads left to handle the queued fuse commands. + +Fix this by only using asynchronous fputs when closing files, and leave +a comment explaining why. + +Cc: stable@vger.kernel.org # v2.6.38 +Fixes: 5a18ec176c934c ("fuse: fix hang of single threaded fuseblk filesystem") +Signed-off-by: Darrick J. Wong +Signed-off-by: Miklos Szeredi +[ added isdir parameter to fuse_file_put() call ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/file.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -324,8 +324,14 @@ void fuse_release_common(struct file *fi + * Make the release synchronous if this is a fuseblk mount, + * synchronous RELEASE is allowed (and desirable) in this case + * because the server can be trusted not to screw up. ++ * ++ * Always use the asynchronous file put because the current thread ++ * might be the fuse server. This can happen if a process starts some ++ * aio and closes the fd before the aio completes. Since aio takes its ++ * own ref to the file, the IO completion has to drop the ref, which is ++ * how the fuse server can end up closing its clients' files. + */ +- fuse_file_put(ff, ff->fm->fc->destroy, isdir); ++ fuse_file_put(ff, false, isdir); + } + + static int fuse_open(struct inode *inode, struct file *file) diff --git a/queue-5.10/iio-imu-inv_icm42600-avoid-configuring-if-already-pm_runtime-suspended.patch b/queue-5.10/iio-imu-inv_icm42600-avoid-configuring-if-already-pm_runtime-suspended.patch new file mode 100644 index 0000000000..6d1b2ad03b --- /dev/null +++ b/queue-5.10/iio-imu-inv_icm42600-avoid-configuring-if-already-pm_runtime-suspended.patch @@ -0,0 +1,66 @@ +From stable+bounces-188116-greg=kroah.com@vger.kernel.org Mon Oct 20 15:11:26 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 09:11:14 -0400 +Subject: iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended +To: stable@vger.kernel.org +Cc: Sean Nyekjaer , Stable@vger.kernel.org, Jonathan Cameron , Sasha Levin +Message-ID: <20251020131114.1768095-2-sashal@kernel.org> + +From: Sean Nyekjaer + +[ Upstream commit 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 ] + +Do as in suspend, skip resume configuration steps if the device is already +pm_runtime suspended. This avoids reconfiguring a device that is already +in the correct low-power state and ensures that pm_runtime handles the +power state transitions properly. + +Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") +Signed-off-by: Sean Nyekjaer +Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com +Cc: +Signed-off-by: Jonathan Cameron +[ adjusted context to non-APEX suspend/resume implementation ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +@@ -680,17 +680,15 @@ EXPORT_SYMBOL_GPL(inv_icm42600_core_prob + static int __maybe_unused inv_icm42600_suspend(struct device *dev) + { + struct inv_icm42600_state *st = dev_get_drvdata(dev); +- int ret; ++ int ret = 0; + + mutex_lock(&st->lock); + + st->suspended.gyro = st->conf.gyro.mode; + st->suspended.accel = st->conf.accel.mode; + st->suspended.temp = st->conf.temp_en; +- if (pm_runtime_suspended(dev)) { +- ret = 0; ++ if (pm_runtime_suspended(dev)) + goto out_unlock; +- } + + /* disable FIFO data streaming */ + if (st->fifo.on) { +@@ -722,10 +720,13 @@ static int __maybe_unused inv_icm42600_r + struct inv_icm42600_state *st = dev_get_drvdata(dev); + struct inv_icm42600_timestamp *gyro_ts = iio_priv(st->indio_gyro); + struct inv_icm42600_timestamp *accel_ts = iio_priv(st->indio_accel); +- int ret; ++ int ret = 0; + + mutex_lock(&st->lock); + ++ if (pm_runtime_suspended(dev)) ++ goto out_unlock; ++ + ret = inv_icm42600_enable_regulator_vddio(st); + if (ret) + goto out_unlock; diff --git a/queue-5.10/iio-imu-inv_icm42600-simplify-pm_runtime-setup.patch b/queue-5.10/iio-imu-inv_icm42600-simplify-pm_runtime-setup.patch new file mode 100644 index 0000000000..d6fc5b2a96 --- /dev/null +++ b/queue-5.10/iio-imu-inv_icm42600-simplify-pm_runtime-setup.patch @@ -0,0 +1,86 @@ +From stable+bounces-188103-greg=kroah.com@vger.kernel.org Mon Oct 20 15:07:22 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 09:05:03 -0400 +Subject: iio: imu: inv_icm42600: Simplify pm_runtime setup +To: stable@vger.kernel.org +Cc: Sean Nyekjaer , Stable@vger.kernel.org, Jonathan Cameron , Sasha Levin +Message-ID: <20251020130503.1764881-2-sashal@kernel.org> + +From: Sean Nyekjaer + +[ Upstream commit 0792c1984a45ccd7a296d6b8cb78088bc99a212e ] + +Rework the power management in inv_icm42600_core_probe() to use +devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM +setup by handling activation and enabling in one step. +Remove the separate inv_icm42600_disable_pm callback, as it's no longer +needed with the devm-managed approach. +Using devm_pm_runtime_enable() also fixes the missing disable of +autosuspend. +Update inv_icm42600_disable_vddio_reg() to only disable the regulator if +the device is not suspended i.e. powered-down, preventing unbalanced +disables. +Also remove redundant error msg on regulator_disable(), the regulator +framework already emits an error message when regulator_disable() fails. + +This simplifies the PM setup and avoids manipulating the usage counter +unnecessarily. + +Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") +Signed-off-by: Sean Nyekjaer +Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 24 ++++++----------------- + 1 file changed, 7 insertions(+), 17 deletions(-) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +@@ -550,20 +550,12 @@ static void inv_icm42600_disable_vdd_reg + static void inv_icm42600_disable_vddio_reg(void *_data) + { + struct inv_icm42600_state *st = _data; +- const struct device *dev = regmap_get_device(st->map); +- int ret; +- +- ret = regulator_disable(st->vddio_supply); +- if (ret) +- dev_err(dev, "failed to disable vddio error %d\n", ret); +-} ++ struct device *dev = regmap_get_device(st->map); + +-static void inv_icm42600_disable_pm(void *_data) +-{ +- struct device *dev = _data; ++ if (pm_runtime_status_suspended(dev)) ++ return; + +- pm_runtime_put_sync(dev); +- pm_runtime_disable(dev); ++ regulator_disable(st->vddio_supply); + } + + int inv_icm42600_core_probe(struct regmap *regmap, int chip, int irq, +@@ -660,16 +652,14 @@ int inv_icm42600_core_probe(struct regma + return ret; + + /* setup runtime power management */ +- ret = pm_runtime_set_active(dev); ++ ret = devm_pm_runtime_set_active_enabled(dev); + if (ret) + return ret; +- pm_runtime_get_noresume(dev); +- pm_runtime_enable(dev); ++ + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); + pm_runtime_use_autosuspend(dev); +- pm_runtime_put(dev); + +- return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); ++ return ret; + } + EXPORT_SYMBOL_GPL(inv_icm42600_core_probe); + diff --git a/queue-5.10/iio-imu-inv_icm42600-use-instead-of-memset.patch b/queue-5.10/iio-imu-inv_icm42600-use-instead-of-memset.patch new file mode 100644 index 0000000000..b2d857979a --- /dev/null +++ b/queue-5.10/iio-imu-inv_icm42600-use-instead-of-memset.patch @@ -0,0 +1,70 @@ +From stable+bounces-188115-greg=kroah.com@vger.kernel.org Mon Oct 20 15:11:23 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 09:11:13 -0400 +Subject: iio: imu: inv_icm42600: use = { } instead of memset() +To: stable@vger.kernel.org +Cc: "David Lechner" , "Nuno Sá" , "Andy Shevchenko" , "Jonathan Cameron" , "Sasha Levin" +Message-ID: <20251020131114.1768095-1-sashal@kernel.org> + +From: David Lechner + +[ Upstream commit 352112e2d9aab6a156c2803ae14eb89a9fd93b7d ] + +Use { } instead of memset() to zero-initialize stack memory to simplify +the code. + +Signed-off-by: David Lechner +Reviewed-by: Nuno Sá +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/20250611-iio-zero-init-stack-with-instead-of-memset-v1-16-ebb2d0a24302@baylibre.com +Signed-off-by: Jonathan Cameron +Stable-dep-of: 466f7a2fef2a ("iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 5 ++--- + drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 5 ++--- + 2 files changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c +@@ -751,7 +751,8 @@ int inv_icm42600_accel_parse_fifo(struct + const int8_t *temp; + unsigned int odr; + int64_t ts_val; +- struct inv_icm42600_accel_buffer buffer; ++ /* buffer is copied to userspace, zeroing it to avoid any data leak */ ++ struct inv_icm42600_accel_buffer buffer = { }; + + /* parse all fifo packets */ + for (i = 0, no = 0; i < st->fifo.count; i += size, ++no) { +@@ -770,8 +771,6 @@ int inv_icm42600_accel_parse_fifo(struct + inv_icm42600_timestamp_apply_odr(ts, st->fifo.period, + st->fifo.nb.total, no); + +- /* buffer is copied to userspace, zeroing it to avoid any data leak */ +- memset(&buffer, 0, sizeof(buffer)); + memcpy(&buffer.accel, accel, sizeof(buffer.accel)); + /* convert 8 bits FIFO temperature in high resolution format */ + buffer.temp = temp ? (*temp * 64) : 0; +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c +@@ -762,7 +762,8 @@ int inv_icm42600_gyro_parse_fifo(struct + const int8_t *temp; + unsigned int odr; + int64_t ts_val; +- struct inv_icm42600_gyro_buffer buffer; ++ /* buffer is copied to userspace, zeroing it to avoid any data leak */ ++ struct inv_icm42600_gyro_buffer buffer = { }; + + /* parse all fifo packets */ + for (i = 0, no = 0; i < st->fifo.count; i += size, ++no) { +@@ -781,8 +782,6 @@ int inv_icm42600_gyro_parse_fifo(struct + inv_icm42600_timestamp_apply_odr(ts, st->fifo.period, + st->fifo.nb.total, no); + +- /* buffer is copied to userspace, zeroing it to avoid any data leak */ +- memset(&buffer, 0, sizeof(buffer)); + memcpy(&buffer.gyro, gyro, sizeof(buffer.gyro)); + /* convert 8 bits FIFO temperature in high resolution format */ + buffer.temp = temp ? (*temp * 64) : 0; diff --git a/queue-5.10/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch b/queue-5.10/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch new file mode 100644 index 0000000000..5e5f5ed741 --- /dev/null +++ b/queue-5.10/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch @@ -0,0 +1,68 @@ +From stable+bounces-188197-greg=kroah.com@vger.kernel.org Mon Oct 20 18:27:49 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:26:11 -0400 +Subject: KEYS: trusted_tpm1: Compare HMAC values in constant time +To: stable@vger.kernel.org +Cc: Eric Biggers , Jarkko Sakkinen , Sasha Levin +Message-ID: <20251020162611.1838605-1-sashal@kernel.org> + +From: Eric Biggers + +[ Upstream commit eed0e3d305530066b4fc5370107cff8ef1a0d229 ] + +To prevent timing attacks, HMAC value comparison needs to be constant +time. Replace the memcmp() with the correct function, crypto_memneq(). + +[For the Fixes commit I used the commit that introduced the memcmp(). +It predates the introduction of crypto_memneq(), but it was still a bug +at the time even though a helper function didn't exist yet.] + +Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +[ replaced crypto/utils.h include with crypto/algapi.h ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_tpm1.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/security/keys/trusted-keys/trusted_tpm1.c ++++ b/security/keys/trusted-keys/trusted_tpm1.c +@@ -9,6 +9,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -248,7 +249,7 @@ int TSS_checkhmac1(unsigned char *buffer + if (ret < 0) + goto out; + +- if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) ++ if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) + ret = -EINVAL; + out: + kfree_sensitive(sdesc); +@@ -341,7 +342,7 @@ static int TSS_checkhmac2(unsigned char + TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); + if (ret < 0) + goto out; +- if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { ++ if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { + ret = -EINVAL; + goto out; + } +@@ -350,7 +351,7 @@ static int TSS_checkhmac2(unsigned char + TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); + if (ret < 0) + goto out; +- if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) ++ if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) + ret = -EINVAL; + out: + kfree_sensitive(sdesc); diff --git a/queue-5.10/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch b/queue-5.10/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch new file mode 100644 index 0000000000..f1b26c2ba1 --- /dev/null +++ b/queue-5.10/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch @@ -0,0 +1,135 @@ +From stable+bounces-187717-greg=kroah.com@vger.kernel.org Sat Oct 18 01:18:17 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 19:18:09 -0400 +Subject: media: s5p-mfc: remove an unused/uninitialized variable +To: stable@vger.kernel.org +Cc: Arnd Bergmann , Hans Verkuil , Sasha Levin +Message-ID: <20251017231809.29564-1-sashal@kernel.org> + +From: Arnd Bergmann + +[ Upstream commit 7fa37ba25a1dfc084e24ea9acc14bf1fad8af14c ] + +The s5p_mfc_cmd_args structure in the v6 driver is never used, not +initialized to anything other than zero, but as of clang-21 this +causes a warning: + +drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c:45:7: error: variable 'h2r_args' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] + 45 | &h2r_args); + | ^~~~~~~~ + +Just remove this for simplicity. Since the function is also called +through a callback, this does require adding a trivial wrapper with +the correct prototype. + +Fixes: f96f3cfa0bb8 ("[media] s5p-mfc: Update MFC v4l2 driver to support MFC6.x") +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c | 35 ++++++++---------------- + 1 file changed, 13 insertions(+), 22 deletions(-) + +--- a/drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_cmd_v6.c +@@ -14,8 +14,7 @@ + #include "s5p_mfc_opr.h" + #include "s5p_mfc_cmd_v6.h" + +-static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd, +- struct s5p_mfc_cmd_args *args) ++static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd) + { + mfc_debug(2, "Issue the command: %d\n", cmd); + +@@ -31,7 +30,6 @@ static int s5p_mfc_cmd_host2risc_v6(stru + + static int s5p_mfc_sys_init_cmd_v6(struct s5p_mfc_dev *dev) + { +- struct s5p_mfc_cmd_args h2r_args; + struct s5p_mfc_buf_size_v6 *buf_size = dev->variant->buf_size->priv; + int ret; + +@@ -41,33 +39,23 @@ static int s5p_mfc_sys_init_cmd_v6(struc + + mfc_write(dev, dev->ctx_buf.dma, S5P_FIMV_CONTEXT_MEM_ADDR_V6); + mfc_write(dev, buf_size->dev_ctx, S5P_FIMV_CONTEXT_MEM_SIZE_V6); +- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6, +- &h2r_args); ++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6); + } + + static int s5p_mfc_sleep_cmd_v6(struct s5p_mfc_dev *dev) + { +- struct s5p_mfc_cmd_args h2r_args; +- +- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args)); +- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6, +- &h2r_args); ++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6); + } + + static int s5p_mfc_wakeup_cmd_v6(struct s5p_mfc_dev *dev) + { +- struct s5p_mfc_cmd_args h2r_args; +- +- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args)); +- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6, +- &h2r_args); ++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6); + } + + /* Open a new instance and get its number */ + static int s5p_mfc_open_inst_cmd_v6(struct s5p_mfc_ctx *ctx) + { + struct s5p_mfc_dev *dev = ctx->dev; +- struct s5p_mfc_cmd_args h2r_args; + int codec_type; + + mfc_debug(2, "Requested codec mode: %d\n", ctx->codec_mode); +@@ -129,23 +117,20 @@ static int s5p_mfc_open_inst_cmd_v6(stru + mfc_write(dev, ctx->ctx.size, S5P_FIMV_CONTEXT_MEM_SIZE_V6); + mfc_write(dev, 0, S5P_FIMV_D_CRC_CTRL_V6); /* no crc */ + +- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6, +- &h2r_args); ++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6); + } + + /* Close instance */ + static int s5p_mfc_close_inst_cmd_v6(struct s5p_mfc_ctx *ctx) + { + struct s5p_mfc_dev *dev = ctx->dev; +- struct s5p_mfc_cmd_args h2r_args; + int ret = 0; + + dev->curr_ctx = ctx->num; + if (ctx->state != MFCINST_FREE) { + mfc_write(dev, ctx->inst_no, S5P_FIMV_INSTANCE_ID_V6); + ret = s5p_mfc_cmd_host2risc_v6(dev, +- S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6, +- &h2r_args); ++ S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6); + } else { + ret = -EINVAL; + } +@@ -153,9 +138,15 @@ static int s5p_mfc_close_inst_cmd_v6(str + return ret; + } + ++static int s5p_mfc_cmd_host2risc_v6_args(struct s5p_mfc_dev *dev, int cmd, ++ struct s5p_mfc_cmd_args *ignored) ++{ ++ return s5p_mfc_cmd_host2risc_v6(dev, cmd); ++} ++ + /* Initialize cmd function pointers for MFC v6 */ + static struct s5p_mfc_hw_cmds s5p_mfc_cmds_v6 = { +- .cmd_host2risc = s5p_mfc_cmd_host2risc_v6, ++ .cmd_host2risc = s5p_mfc_cmd_host2risc_v6_args, + .sys_init_cmd = s5p_mfc_sys_init_cmd_v6, + .sleep_cmd = s5p_mfc_sleep_cmd_v6, + .wakeup_cmd = s5p_mfc_wakeup_cmd_v6, diff --git a/queue-5.10/nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch b/queue-5.10/nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch new file mode 100644 index 0000000000..6c6cb38503 --- /dev/null +++ b/queue-5.10/nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch @@ -0,0 +1,50 @@ +From stable+bounces-188275-greg=kroah.com@vger.kernel.org Tue Oct 21 02:42:26 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 20:42:17 -0400 +Subject: NFSD: Define a proc_layoutcommit for the FlexFiles layout type +To: stable@vger.kernel.org +Cc: Chuck Lever , Robert Morris , Thomas Haynes , Sasha Levin +Message-ID: <20251021004217.1956991-1-sashal@kernel.org> + +From: Chuck Lever + +[ Upstream commit 4b47a8601b71ad98833b447d465592d847b4dc77 ] + +Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT +operation on a FlexFiles layout. + +Reported-by: Robert Morris +Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@oracle.com/T/#t +Cc: Thomas Haynes +Cc: stable@vger.kernel.org +Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") +Signed-off-by: Chuck Lever +[ removed struct svc_rqst parameter from nfsd4_ff_proc_layoutcommit ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/flexfilelayout.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/nfsd/flexfilelayout.c ++++ b/fs/nfsd/flexfilelayout.c +@@ -125,6 +125,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super + return 0; + } + ++static __be32 ++nfsd4_ff_proc_layoutcommit(struct inode *inode, ++ struct nfsd4_layoutcommit *lcp) ++{ ++ return nfs_ok; ++} ++ + const struct nfsd4_layout_ops ff_layout_ops = { + .notify_types = + NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE, +@@ -133,4 +140,5 @@ const struct nfsd4_layout_ops ff_layout_ + .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo, + .proc_layoutget = nfsd4_ff_proc_layoutget, + .encode_layoutget = nfsd4_ff_encode_layoutget, ++ .proc_layoutcommit = nfsd4_ff_proc_layoutcommit, + }; diff --git a/queue-5.10/nfsd-fix-last-write-offset-handling-in-layoutcommit.patch b/queue-5.10/nfsd-fix-last-write-offset-handling-in-layoutcommit.patch new file mode 100644 index 0000000000..27bee1497d --- /dev/null +++ b/queue-5.10/nfsd-fix-last-write-offset-handling-in-layoutcommit.patch @@ -0,0 +1,114 @@ +From stable+bounces-188083-greg=kroah.com@vger.kernel.org Mon Oct 20 14:57:09 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 08:56:56 -0400 +Subject: NFSD: Fix last write offset handling in layoutcommit +To: stable@vger.kernel.org +Cc: Sergey Bashirov , Konstantin Evtushenko , Christoph Hellwig , Jeff Layton , Chuck Lever , Sasha Levin +Message-ID: <20251020125656.1761732-3-sashal@kernel.org> + +From: Sergey Bashirov + +[ Upstream commit d68886bae76a4b9b3484d23e5b7df086f940fa38 ] + +The data type of loca_last_write_offset is newoffset4 and is switched +on a boolean value, no_newoffset, that indicates if a previous write +occurred or not. If no_newoffset is FALSE, an offset is not given. +This means that client does not try to update the file size. Thus, +server should not try to calculate new file size and check if it fits +into the segment range. See RFC 8881, section 12.5.4.2. + +Sometimes the current incorrect logic may cause clients to hang when +trying to sync an inode. If layoutcommit fails, the client marks the +inode as dirty again. + +Fixes: 9cf514ccfacb ("nfsd: implement pNFS operations") +Cc: stable@vger.kernel.org +Co-developed-by: Konstantin Evtushenko +Signed-off-by: Konstantin Evtushenko +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +[ removed rqstp parameter from proc_layoutcommit ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/blocklayout.c | 5 ++--- + fs/nfsd/nfs4proc.c | 30 +++++++++++++++--------------- + 2 files changed, 17 insertions(+), 18 deletions(-) + +--- a/fs/nfsd/blocklayout.c ++++ b/fs/nfsd/blocklayout.c +@@ -121,7 +121,6 @@ static __be32 + nfsd4_block_commit_blocks(struct inode *inode, struct nfsd4_layoutcommit *lcp, + struct iomap *iomaps, int nr_iomaps) + { +- loff_t new_size = lcp->lc_last_wr + 1; + struct iattr iattr = { .ia_valid = 0 }; + int error; + +@@ -131,9 +130,9 @@ nfsd4_block_commit_blocks(struct inode * + iattr.ia_valid |= ATTR_ATIME | ATTR_CTIME | ATTR_MTIME; + iattr.ia_atime = iattr.ia_ctime = iattr.ia_mtime = lcp->lc_mtime; + +- if (new_size > i_size_read(inode)) { ++ if (lcp->lc_size_chg) { + iattr.ia_valid |= ATTR_SIZE; +- iattr.ia_size = new_size; ++ iattr.ia_size = lcp->lc_newsize; + } + + error = inode->i_sb->s_export_op->commit_blocks(inode, iomaps, +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -2262,7 +2262,6 @@ nfsd4_layoutcommit(struct svc_rqst *rqst + const struct nfsd4_layout_seg *seg = &lcp->lc_seg; + struct svc_fh *current_fh = &cstate->current_fh; + const struct nfsd4_layout_ops *ops; +- loff_t new_size = lcp->lc_last_wr + 1; + struct inode *inode; + struct nfs4_layout_stateid *ls; + __be32 nfserr; +@@ -2277,13 +2276,21 @@ nfsd4_layoutcommit(struct svc_rqst *rqst + goto out; + inode = d_inode(current_fh->fh_dentry); + +- nfserr = nfserr_inval; +- if (new_size <= seg->offset) +- goto out; +- if (new_size > seg->offset + seg->length) +- goto out; +- if (!lcp->lc_newoffset && new_size > i_size_read(inode)) +- goto out; ++ lcp->lc_size_chg = false; ++ if (lcp->lc_newoffset) { ++ loff_t new_size = lcp->lc_last_wr + 1; ++ ++ nfserr = nfserr_inval; ++ if (new_size <= seg->offset) ++ goto out; ++ if (new_size > seg->offset + seg->length) ++ goto out; ++ ++ if (new_size > i_size_read(inode)) { ++ lcp->lc_size_chg = true; ++ lcp->lc_newsize = new_size; ++ } ++ } + + nfserr = nfsd4_preprocess_layout_stateid(rqstp, cstate, &lcp->lc_sid, + false, lcp->lc_layout_type, +@@ -2299,13 +2306,6 @@ nfsd4_layoutcommit(struct svc_rqst *rqst + /* LAYOUTCOMMIT does not require any serialization */ + mutex_unlock(&ls->ls_mutex); + +- if (new_size > i_size_read(inode)) { +- lcp->lc_size_chg = 1; +- lcp->lc_newsize = new_size; +- } else { +- lcp->lc_size_chg = 0; +- } +- + nfserr = ops->proc_layoutcommit(inode, lcp); + nfs4_put_stid(&ls->ls_stid); + out: diff --git a/queue-5.10/nfsd-minor-cleanup-in-layoutcommit-processing.patch b/queue-5.10/nfsd-minor-cleanup-in-layoutcommit-processing.patch new file mode 100644 index 0000000000..2bb316798e --- /dev/null +++ b/queue-5.10/nfsd-minor-cleanup-in-layoutcommit-processing.patch @@ -0,0 +1,50 @@ +From stable+bounces-188082-greg=kroah.com@vger.kernel.org Mon Oct 20 14:57:08 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 08:56:55 -0400 +Subject: NFSD: Minor cleanup in layoutcommit processing +To: stable@vger.kernel.org +Cc: Sergey Bashirov , Christoph Hellwig , Chuck Lever , Sasha Levin +Message-ID: <20251020125656.1761732-2-sashal@kernel.org> + +From: Sergey Bashirov + +[ Upstream commit 274365a51d88658fb51cca637ba579034e90a799 ] + +Remove dprintk in nfsd4_layoutcommit. These are not needed +in day to day usage, and the information is also available +in Wireshark when capturing NFS traffic. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Sergey Bashirov +Signed-off-by: Chuck Lever +Stable-dep-of: d68886bae76a ("NFSD: Fix last write offset handling in layoutcommit") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -2278,18 +2278,12 @@ nfsd4_layoutcommit(struct svc_rqst *rqst + inode = d_inode(current_fh->fh_dentry); + + nfserr = nfserr_inval; +- if (new_size <= seg->offset) { +- dprintk("pnfsd: last write before layout segment\n"); ++ if (new_size <= seg->offset) + goto out; +- } +- if (new_size > seg->offset + seg->length) { +- dprintk("pnfsd: last write beyond layout segment\n"); ++ if (new_size > seg->offset + seg->length) + goto out; +- } +- if (!lcp->lc_newoffset && new_size > i_size_read(inode)) { +- dprintk("pnfsd: layoutcommit beyond EOF\n"); ++ if (!lcp->lc_newoffset && new_size > i_size_read(inode)) + goto out; +- } + + nfserr = nfsd4_preprocess_layout_stateid(rqstp, cstate, &lcp->lc_sid, + false, lcp->lc_layout_type, diff --git a/queue-5.10/nfsd-rework-encoding-and-decoding-of-nfsd4_deviceid.patch b/queue-5.10/nfsd-rework-encoding-and-decoding-of-nfsd4_deviceid.patch new file mode 100644 index 0000000000..72c9e26c27 --- /dev/null +++ b/queue-5.10/nfsd-rework-encoding-and-decoding-of-nfsd4_deviceid.patch @@ -0,0 +1,156 @@ +From stable+bounces-188081-greg=kroah.com@vger.kernel.org Mon Oct 20 14:57:04 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 08:56:54 -0400 +Subject: NFSD: Rework encoding and decoding of nfsd4_deviceid +To: stable@vger.kernel.org +Cc: Sergey Bashirov , Chuck Lever , Sasha Levin +Message-ID: <20251020125656.1761732-1-sashal@kernel.org> + +From: Sergey Bashirov + +[ Upstream commit 832738e4b325b742940761e10487403f9aad13e8 ] + +Compilers may optimize the layout of C structures, so we should not rely +on sizeof struct and memcpy to encode and decode XDR structures. The byte +order of the fields should also be taken into account. + +This patch adds the correct functions to handle the deviceid4 structure +and removes the pad field, which is currently not used by NFSD, from the +runtime state. The server's byte order is preserved because the deviceid4 +blob on the wire is only used as a cookie by the client. + +Signed-off-by: Sergey Bashirov +Signed-off-by: Chuck Lever +Stable-dep-of: d68886bae76a ("NFSD: Fix last write offset handling in layoutcommit") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/blocklayoutxdr.c | 7 ++----- + fs/nfsd/flexfilelayoutxdr.c | 3 +-- + fs/nfsd/nfs4layouts.c | 1 - + fs/nfsd/nfs4xdr.c | 14 +------------- + fs/nfsd/xdr4.h | 36 +++++++++++++++++++++++++++++++++++- + 5 files changed, 39 insertions(+), 22 deletions(-) + +--- a/fs/nfsd/blocklayoutxdr.c ++++ b/fs/nfsd/blocklayoutxdr.c +@@ -29,8 +29,7 @@ nfsd4_block_encode_layoutget(struct xdr_ + *p++ = cpu_to_be32(len); + *p++ = cpu_to_be32(1); /* we always return a single extent */ + +- p = xdr_encode_opaque_fixed(p, &b->vol_id, +- sizeof(struct nfsd4_deviceid)); ++ p = svcxdr_encode_deviceid4(p, &b->vol_id); + p = xdr_encode_hyper(p, b->foff); + p = xdr_encode_hyper(p, b->len); + p = xdr_encode_hyper(p, b->soff); +@@ -145,9 +144,7 @@ nfsd4_block_decode_layoutupdate(__be32 * + for (i = 0; i < nr_iomaps; i++) { + struct pnfs_block_extent bex; + +- memcpy(&bex.vol_id, p, sizeof(struct nfsd4_deviceid)); +- p += XDR_QUADLEN(sizeof(struct nfsd4_deviceid)); +- ++ p = svcxdr_decode_deviceid4(p, &bex.vol_id); + p = xdr_decode_hyper(p, &bex.foff); + if (bex.foff & (block_size - 1)) { + dprintk("%s: unaligned offset 0x%llx\n", +--- a/fs/nfsd/flexfilelayoutxdr.c ++++ b/fs/nfsd/flexfilelayoutxdr.c +@@ -54,8 +54,7 @@ nfsd4_ff_encode_layoutget(struct xdr_str + *p++ = cpu_to_be32(1); /* single mirror */ + *p++ = cpu_to_be32(1); /* single data server */ + +- p = xdr_encode_opaque_fixed(p, &fl->deviceid, +- sizeof(struct nfsd4_deviceid)); ++ p = svcxdr_encode_deviceid4(p, &fl->deviceid); + + *p++ = cpu_to_be32(1); /* efficiency */ + +--- a/fs/nfsd/nfs4layouts.c ++++ b/fs/nfsd/nfs4layouts.c +@@ -120,7 +120,6 @@ nfsd4_set_deviceid(struct nfsd4_deviceid + + id->fsid_idx = fhp->fh_export->ex_devid_map->idx; + id->generation = device_generation; +- id->pad = 0; + return 0; + } + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -566,18 +566,6 @@ nfsd4_decode_state_owner4(struct nfsd4_c + } + + #ifdef CONFIG_NFSD_PNFS +-static __be32 +-nfsd4_decode_deviceid4(struct nfsd4_compoundargs *argp, +- struct nfsd4_deviceid *devid) +-{ +- __be32 *p; +- +- p = xdr_inline_decode(argp->xdr, NFS4_DEVICEID4_SIZE); +- if (!p) +- return nfserr_bad_xdr; +- memcpy(devid, p, sizeof(*devid)); +- return nfs_ok; +-} + + static __be32 + nfsd4_decode_layoutupdate4(struct nfsd4_compoundargs *argp, +@@ -1733,7 +1721,7 @@ nfsd4_decode_getdeviceinfo(struct nfsd4_ + __be32 status; + + memset(gdev, 0, sizeof(*gdev)); +- status = nfsd4_decode_deviceid4(argp, &gdev->gd_devid); ++ status = nfsd4_decode_deviceid4(argp->xdr, &gdev->gd_devid); + if (status) + return status; + if (xdr_stream_decode_u32(argp->xdr, &gdev->gd_layout_type) < 0) +--- a/fs/nfsd/xdr4.h ++++ b/fs/nfsd/xdr4.h +@@ -459,9 +459,43 @@ struct nfsd4_reclaim_complete { + struct nfsd4_deviceid { + u64 fsid_idx; + u32 generation; +- u32 pad; + }; + ++static inline __be32 * ++svcxdr_encode_deviceid4(__be32 *p, const struct nfsd4_deviceid *devid) ++{ ++ __be64 *q = (__be64 *)p; ++ ++ *q = (__force __be64)devid->fsid_idx; ++ p += 2; ++ *p++ = (__force __be32)devid->generation; ++ *p++ = xdr_zero; ++ return p; ++} ++ ++static inline __be32 * ++svcxdr_decode_deviceid4(__be32 *p, struct nfsd4_deviceid *devid) ++{ ++ __be64 *q = (__be64 *)p; ++ ++ devid->fsid_idx = (__force u64)(*q); ++ p += 2; ++ devid->generation = (__force u32)(*p++); ++ p++; /* NFSD does not use the remaining octets */ ++ return p; ++} ++ ++static inline __be32 ++nfsd4_decode_deviceid4(struct xdr_stream *xdr, struct nfsd4_deviceid *devid) ++{ ++ __be32 *p = xdr_inline_decode(xdr, NFS4_DEVICEID4_SIZE); ++ ++ if (unlikely(!p)) ++ return nfserr_bad_xdr; ++ svcxdr_decode_deviceid4(p, devid); ++ return nfs_ok; ++} ++ + struct nfsd4_layout_seg { + u32 iomode; + u64 offset; diff --git a/queue-5.10/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch b/queue-5.10/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch new file mode 100644 index 0000000000..318780116d --- /dev/null +++ b/queue-5.10/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch @@ -0,0 +1,44 @@ +From stable+bounces-188144-greg=kroah.com@vger.kernel.org Mon Oct 20 17:41:04 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 11:40:50 -0400 +Subject: padata: Reset next CPU when reorder sequence wraps around +To: stable@vger.kernel.org +Cc: Xiao Liang , Herbert Xu , Sasha Levin +Message-ID: <20251020154050.1821767-1-sashal@kernel.org> + +From: Xiao Liang + +[ Upstream commit 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b ] + +When seq_nr wraps around, the next reorder job with seq 0 is hashed to +the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu +to the first one when pd->processed wraps around. Otherwise, if the +number of used CPUs is not a power of 2, padata_find_next() will be +checking a wrong list, hence deadlock. + +Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder") +Cc: +Signed-off-by: Xiao Liang +Signed-off-by: Herbert Xu +[ moved from padata_reorder() local variables to padata_find_next() using pd->processed and pd->cpu struct members ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/padata.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -295,7 +295,11 @@ static struct padata_priv *padata_find_n + if (remove_object) { + list_del_init(&padata->list); + ++pd->processed; +- pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false); ++ /* When sequence wraps around, reset to the first CPU. */ ++ if (unlikely(pd->processed == 0)) ++ pd->cpu = cpumask_first(pd->cpumask.pcpu); ++ else ++ pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false); + } + + spin_unlock(&reorder->lock); diff --git a/queue-5.10/pci-add-sysfs-attribute-for-device-power-state.patch b/queue-5.10/pci-add-sysfs-attribute-for-device-power-state.patch new file mode 100644 index 0000000000..040f4db226 --- /dev/null +++ b/queue-5.10/pci-add-sysfs-attribute-for-device-power-state.patch @@ -0,0 +1,76 @@ +From stable+bounces-188194-greg=kroah.com@vger.kernel.org Mon Oct 20 18:28:05 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:25:16 -0400 +Subject: PCI: Add sysfs attribute for device power state +To: stable@vger.kernel.org +Cc: Maximilian Luz , Bjorn Helgaas , Sasha Levin +Message-ID: <20251020162518.1838256-1-sashal@kernel.org> + +From: Maximilian Luz + +[ Upstream commit 80a129afb75cba8434fc5071bd6919172442315c ] + +While PCI power states D0-D3hot can be queried from user-space via lspci, +D3cold cannot. lspci cannot provide an accurate value when the device is +in D3cold as it has to restore the device to D0 before it can access its +power state via the configuration space, leading to it reporting D0 or +another on-state. Thus lspci cannot be used to diagnose power consumption +issues for devices that can enter D3cold or to ensure that devices properly +enter D3cold at all. + +Add a new sysfs device attribute for the PCI power state, showing the +current power state as seen by the kernel. + +[bhelgaas: drop READ_ONCE(), see discussion at the link] +Link: https://lore.kernel.org/r/20201102141520.831630-1-luzmaximilian@gmail.com +Signed-off-by: Maximilian Luz +Signed-off-by: Bjorn Helgaas +Stable-dep-of: 48991e493507 ("PCI/sysfs: Ensure devices are powered for config reads") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/ABI/testing/sysfs-bus-pci | 9 +++++++++ + drivers/pci/pci-sysfs.c | 10 ++++++++++ + 2 files changed, 19 insertions(+) + +--- a/Documentation/ABI/testing/sysfs-bus-pci ++++ b/Documentation/ABI/testing/sysfs-bus-pci +@@ -377,3 +377,12 @@ Contact: Heiner Kallweit ++Description: ++ This file contains the current PCI power state of the device. ++ The value comes from the PCI kernel device state and can be one ++ of: "unknown", "error", "D0", D1", "D2", "D3hot", "D3cold". ++ The file is read only. +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -124,6 +124,15 @@ static ssize_t cpulistaffinity_show(stru + } + static DEVICE_ATTR_RO(cpulistaffinity); + ++static ssize_t power_state_show(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ ++ return sprintf(buf, "%s\n", pci_power_name(pdev->current_state)); ++} ++static DEVICE_ATTR_RO(power_state); ++ + /* show resources */ + static ssize_t resource_show(struct device *dev, struct device_attribute *attr, + char *buf) +@@ -603,6 +612,7 @@ static ssize_t driver_override_show(stru + static DEVICE_ATTR_RW(driver_override); + + static struct attribute *pci_dev_attrs[] = { ++ &dev_attr_power_state.attr, + &dev_attr_resource.attr, + &dev_attr_vendor.attr, + &dev_attr_device.attr, diff --git a/queue-5.10/pci-j721e-fix-programming-sequence-of-strap-settings.patch b/queue-5.10/pci-j721e-fix-programming-sequence-of-strap-settings.patch new file mode 100644 index 0000000000..8a56994847 --- /dev/null +++ b/queue-5.10/pci-j721e-fix-programming-sequence-of-strap-settings.patch @@ -0,0 +1,91 @@ +From stable+bounces-188178-greg=kroah.com@vger.kernel.org Mon Oct 20 18:16:43 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:15:01 -0400 +Subject: PCI: j721e: Fix programming sequence of "strap" settings +To: stable@vger.kernel.org +Cc: Siddharth Vadapalli , Manivannan Sadhasivam , Sasha Levin +Message-ID: <20251020161501.1834257-1-sashal@kernel.org> + +From: Siddharth Vadapalli + +[ Upstream commit f842d3313ba179d4005096357289c7ad09cec575 ] + +The Cadence PCIe Controller integrated in the TI K3 SoCs supports both +Root-Complex and Endpoint modes of operation. The Glue Layer allows +"strapping" the Mode of operation of the Controller, the Link Speed +and the Link Width. This is enabled by programming the "PCIEn_CTRL" +register (n corresponds to the PCIe instance) within the CTRL_MMR +memory-mapped register space. The "reset-values" of the registers are +also different depending on the mode of operation. + +Since the PCIe Controller latches onto the "reset-values" immediately +after being powered on, if the Glue Layer configuration is not done while +the PCIe Controller is off, it will result in the PCIe Controller latching +onto the wrong "reset-values". In practice, this will show up as a wrong +representation of the PCIe Controller's capability structures in the PCIe +Configuration Space. Some such capabilities which are supported by the PCIe +Controller in the Root-Complex mode but are incorrectly latched onto as +being unsupported are: +- Link Bandwidth Notification +- Alternate Routing ID (ARI) Forwarding Support +- Next capability offset within Advanced Error Reporting (AER) capability + +Fix this by powering off the PCIe Controller before programming the "strap" +settings and powering it on after that. The runtime PM APIs namely +pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and +increment the usage counter respectively, causing GENPD to power off and +power on the PCIe Controller. + +Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver") +Signed-off-by: Siddharth Vadapalli +Signed-off-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250908120828.1471776-1-s-vadapalli@ti.com +[ removed offset parameter from j721e_pcie_set_mode() and ACSPCIE refclk handling ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/cadence/pci-j721e.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/drivers/pci/controller/cadence/pci-j721e.c ++++ b/drivers/pci/controller/cadence/pci-j721e.c +@@ -227,6 +227,25 @@ static int j721e_pcie_ctrl_init(struct j + return PTR_ERR(syscon); + } + ++ /* ++ * The PCIe Controller's registers have different "reset-values" ++ * depending on the "strap" settings programmed into the PCIEn_CTRL ++ * register within the CTRL_MMR memory-mapped register space. ++ * The registers latch onto a "reset-value" based on the "strap" ++ * settings sampled after the PCIe Controller is powered on. ++ * To ensure that the "reset-values" are sampled accurately, power ++ * off the PCIe Controller before programming the "strap" settings ++ * and power it on after that. The runtime PM APIs namely ++ * pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and ++ * increment the usage counter respectively, causing GENPD to power off ++ * and power on the PCIe Controller. ++ */ ++ ret = pm_runtime_put_sync(dev); ++ if (ret < 0) { ++ dev_err(dev, "Failed to power off PCIe Controller\n"); ++ return ret; ++ } ++ + ret = j721e_pcie_set_mode(pcie, syscon); + if (ret < 0) { + dev_err(dev, "Failed to set pci mode\n"); +@@ -245,6 +264,12 @@ static int j721e_pcie_ctrl_init(struct j + return ret; + } + ++ ret = pm_runtime_get_sync(dev); ++ if (ret < 0) { ++ dev_err(dev, "Failed to power on PCIe Controller\n"); ++ return ret; ++ } ++ + return 0; + } + diff --git a/queue-5.10/pci-sysfs-ensure-devices-are-powered-for-config-reads.patch b/queue-5.10/pci-sysfs-ensure-devices-are-powered-for-config-reads.patch new file mode 100644 index 0000000000..7aa8e16b5b --- /dev/null +++ b/queue-5.10/pci-sysfs-ensure-devices-are-powered-for-config-reads.patch @@ -0,0 +1,99 @@ +From stable+bounces-188195-greg=kroah.com@vger.kernel.org Mon Oct 20 18:26:58 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:25:18 -0400 +Subject: PCI/sysfs: Ensure devices are powered for config reads +To: stable@vger.kernel.org +Cc: Brian Norris , Brian Norris , Bjorn Helgaas , Sasha Levin +Message-ID: <20251020162518.1838256-3-sashal@kernel.org> + +From: Brian Norris + +[ Upstream commit 48991e4935078b05f80616c75d1ee2ea3ae18e58 ] + +The "max_link_width", "current_link_speed", "current_link_width", +"secondary_bus_number", and "subordinate_bus_number" sysfs files all access +config registers, but they don't check the runtime PM state. If the device +is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus +values, or worse, depending on implementation details. + +Wrap these access in pci_config_pm_runtime_{get,put}() like most of the +rest of the similar sysfs attributes. + +Notably, "max_link_speed" does not access config registers; it returns a +cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link +Speeds"). + +Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") +Signed-off-by: Brian Norris +Signed-off-by: Brian Norris +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250924095711.v2.1.Ibb5b6ca1e2c059e04ec53140cd98a44f2684c668@changeid +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-sysfs.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -174,8 +174,14 @@ static ssize_t max_link_width_show(struc + struct device_attribute *attr, char *buf) + { + struct pci_dev *pdev = to_pci_dev(dev); ++ ssize_t ret; + +- return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); ++ /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */ ++ pci_config_pm_runtime_get(pdev); ++ ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); ++ pci_config_pm_runtime_put(pdev); ++ ++ return ret; + } + static DEVICE_ATTR_RO(max_link_width); + +@@ -187,7 +193,10 @@ static ssize_t current_link_speed_show(s + int err; + enum pci_bus_speed speed; + ++ pci_config_pm_runtime_get(pci_dev); + err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); ++ pci_config_pm_runtime_put(pci_dev); ++ + if (err) + return -EINVAL; + +@@ -204,7 +213,10 @@ static ssize_t current_link_width_show(s + u16 linkstat; + int err; + ++ pci_config_pm_runtime_get(pci_dev); + err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); ++ pci_config_pm_runtime_put(pci_dev); ++ + if (err) + return -EINVAL; + +@@ -221,7 +233,10 @@ static ssize_t secondary_bus_number_show + u8 sec_bus; + int err; + ++ pci_config_pm_runtime_get(pci_dev); + err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus); ++ pci_config_pm_runtime_put(pci_dev); ++ + if (err) + return -EINVAL; + +@@ -237,7 +252,10 @@ static ssize_t subordinate_bus_number_sh + u8 sub_bus; + int err; + ++ pci_config_pm_runtime_get(pci_dev); + err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus); ++ pci_config_pm_runtime_put(pci_dev); ++ + if (err) + return -EINVAL; + diff --git a/queue-5.10/pci-sysfs-use-sysfs_emit-and-sysfs_emit_at-in-show-functions.patch b/queue-5.10/pci-sysfs-use-sysfs_emit-and-sysfs_emit_at-in-show-functions.patch new file mode 100644 index 0000000000..6076fb0b0e --- /dev/null +++ b/queue-5.10/pci-sysfs-use-sysfs_emit-and-sysfs_emit_at-in-show-functions.patch @@ -0,0 +1,290 @@ +From stable+bounces-188193-greg=kroah.com@vger.kernel.org Mon Oct 20 18:28:02 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:25:17 -0400 +Subject: PCI/sysfs: Use sysfs_emit() and sysfs_emit_at() in "show" functions +To: stable@vger.kernel.org +Cc: "Krzysztof Wilczyński" , "Bjorn Helgaas" , "Sasha Levin" +Message-ID: <20251020162518.1838256-2-sashal@kernel.org> + +From: Krzysztof Wilczyński + +[ Upstream commit ad025f8e46f3dbf09b1bf8d7a5b4ce858df74544 ] + +The sysfs_emit() and sysfs_emit_at() functions were introduced to make it +less ambiguous which function is preferred when writing to the output +buffer in a device attribute's "show" callback [1]. + +Convert the PCI sysfs object "show" functions from sprintf(), snprintf() +and scnprintf() to sysfs_emit() and sysfs_emit_at() accordingly, as the +latter is aware of the PAGE_SIZE buffer and correctly returns the number of +bytes written into the buffer. + +No functional change intended. + +[1] Documentation/filesystems/sysfs.rst + +[bhelgaas: drop dsm_label_utf16s_to_utf8s(), link speed/width changes] +Link: https://lore.kernel.org/r/20210416205856.3234481-10-kw@linux.com +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Bjorn Helgaas +Stable-dep-of: 48991e493507 ("PCI/sysfs: Ensure devices are powered for config reads") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-label.c | 10 ++---- + drivers/pci/pci-sysfs.c | 72 ++++++++++++++++++++++++------------------------ + 2 files changed, 40 insertions(+), 42 deletions(-) + +--- a/drivers/pci/pci-label.c ++++ b/drivers/pci/pci-label.c +@@ -62,13 +62,11 @@ static size_t find_smbios_instance_strin + donboard->devfn == devfn) { + if (buf) { + if (attribute == SMBIOS_ATTR_INSTANCE_SHOW) +- return scnprintf(buf, PAGE_SIZE, +- "%d\n", +- donboard->instance); ++ return sysfs_emit(buf, "%d\n", ++ donboard->instance); + else if (attribute == SMBIOS_ATTR_LABEL_SHOW) +- return scnprintf(buf, PAGE_SIZE, +- "%s\n", +- dmi->name); ++ return sysfs_emit(buf, "%s\n", ++ dmi->name); + } + return strlen(dmi->name); + } +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -39,7 +39,7 @@ field##_show(struct device *dev, struct + struct pci_dev *pdev; \ + \ + pdev = to_pci_dev(dev); \ +- return sprintf(buf, format_string, pdev->field); \ ++ return sysfs_emit(buf, format_string, pdev->field); \ + } \ + static DEVICE_ATTR_RO(field) + +@@ -56,7 +56,7 @@ static ssize_t broken_parity_status_show + char *buf) + { + struct pci_dev *pdev = to_pci_dev(dev); +- return sprintf(buf, "%u\n", pdev->broken_parity_status); ++ return sysfs_emit(buf, "%u\n", pdev->broken_parity_status); + } + + static ssize_t broken_parity_status_store(struct device *dev, +@@ -129,7 +129,7 @@ static ssize_t power_state_show(struct d + { + struct pci_dev *pdev = to_pci_dev(dev); + +- return sprintf(buf, "%s\n", pci_power_name(pdev->current_state)); ++ return sysfs_emit(buf, "%s\n", pci_power_name(pdev->current_state)); + } + static DEVICE_ATTR_RO(power_state); + +@@ -138,10 +138,10 @@ static ssize_t resource_show(struct devi + char *buf) + { + struct pci_dev *pci_dev = to_pci_dev(dev); +- char *str = buf; + int i; + int max; + resource_size_t start, end; ++ size_t len = 0; + + if (pci_dev->subordinate) + max = DEVICE_COUNT_RESOURCE; +@@ -151,12 +151,12 @@ static ssize_t resource_show(struct devi + for (i = 0; i < max; i++) { + struct resource *res = &pci_dev->resource[i]; + pci_resource_to_user(pci_dev, i, res, &start, &end); +- str += sprintf(str, "0x%016llx 0x%016llx 0x%016llx\n", +- (unsigned long long)start, +- (unsigned long long)end, +- (unsigned long long)res->flags); ++ len += sysfs_emit_at(buf, len, "0x%016llx 0x%016llx 0x%016llx\n", ++ (unsigned long long)start, ++ (unsigned long long)end, ++ (unsigned long long)res->flags); + } +- return (str - buf); ++ return len; + } + static DEVICE_ATTR_RO(resource); + +@@ -165,8 +165,8 @@ static ssize_t max_link_speed_show(struc + { + struct pci_dev *pdev = to_pci_dev(dev); + +- return sprintf(buf, "%s\n", +- pci_speed_string(pcie_get_speed_cap(pdev))); ++ return sysfs_emit(buf, "%s\n", ++ pci_speed_string(pcie_get_speed_cap(pdev))); + } + static DEVICE_ATTR_RO(max_link_speed); + +@@ -175,7 +175,7 @@ static ssize_t max_link_width_show(struc + { + struct pci_dev *pdev = to_pci_dev(dev); + +- return sprintf(buf, "%u\n", pcie_get_width_cap(pdev)); ++ return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); + } + static DEVICE_ATTR_RO(max_link_width); + +@@ -193,7 +193,7 @@ static ssize_t current_link_speed_show(s + + speed = pcie_link_speed[linkstat & PCI_EXP_LNKSTA_CLS]; + +- return sprintf(buf, "%s\n", pci_speed_string(speed)); ++ return sysfs_emit(buf, "%s\n", pci_speed_string(speed)); + } + static DEVICE_ATTR_RO(current_link_speed); + +@@ -208,7 +208,7 @@ static ssize_t current_link_width_show(s + if (err) + return -EINVAL; + +- return sprintf(buf, "%u\n", ++ return sysfs_emit(buf, "%u\n", + (linkstat & PCI_EXP_LNKSTA_NLW) >> PCI_EXP_LNKSTA_NLW_SHIFT); + } + static DEVICE_ATTR_RO(current_link_width); +@@ -225,7 +225,7 @@ static ssize_t secondary_bus_number_show + if (err) + return -EINVAL; + +- return sprintf(buf, "%u\n", sec_bus); ++ return sysfs_emit(buf, "%u\n", sec_bus); + } + static DEVICE_ATTR_RO(secondary_bus_number); + +@@ -241,7 +241,7 @@ static ssize_t subordinate_bus_number_sh + if (err) + return -EINVAL; + +- return sprintf(buf, "%u\n", sub_bus); ++ return sysfs_emit(buf, "%u\n", sub_bus); + } + static DEVICE_ATTR_RO(subordinate_bus_number); + +@@ -251,7 +251,7 @@ static ssize_t ari_enabled_show(struct d + { + struct pci_dev *pci_dev = to_pci_dev(dev); + +- return sprintf(buf, "%u\n", pci_ari_enabled(pci_dev->bus)); ++ return sysfs_emit(buf, "%u\n", pci_ari_enabled(pci_dev->bus)); + } + static DEVICE_ATTR_RO(ari_enabled); + +@@ -260,11 +260,11 @@ static ssize_t modalias_show(struct devi + { + struct pci_dev *pci_dev = to_pci_dev(dev); + +- return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X\n", +- pci_dev->vendor, pci_dev->device, +- pci_dev->subsystem_vendor, pci_dev->subsystem_device, +- (u8)(pci_dev->class >> 16), (u8)(pci_dev->class >> 8), +- (u8)(pci_dev->class)); ++ return sysfs_emit(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X\n", ++ pci_dev->vendor, pci_dev->device, ++ pci_dev->subsystem_vendor, pci_dev->subsystem_device, ++ (u8)(pci_dev->class >> 16), (u8)(pci_dev->class >> 8), ++ (u8)(pci_dev->class)); + } + static DEVICE_ATTR_RO(modalias); + +@@ -302,7 +302,7 @@ static ssize_t enable_show(struct device + struct pci_dev *pdev; + + pdev = to_pci_dev(dev); +- return sprintf(buf, "%u\n", atomic_read(&pdev->enable_cnt)); ++ return sysfs_emit(buf, "%u\n", atomic_read(&pdev->enable_cnt)); + } + static DEVICE_ATTR_RW(enable); + +@@ -338,7 +338,7 @@ static ssize_t numa_node_store(struct de + static ssize_t numa_node_show(struct device *dev, struct device_attribute *attr, + char *buf) + { +- return sprintf(buf, "%d\n", dev->numa_node); ++ return sysfs_emit(buf, "%d\n", dev->numa_node); + } + static DEVICE_ATTR_RW(numa_node); + #endif +@@ -348,7 +348,7 @@ static ssize_t dma_mask_bits_show(struct + { + struct pci_dev *pdev = to_pci_dev(dev); + +- return sprintf(buf, "%d\n", fls64(pdev->dma_mask)); ++ return sysfs_emit(buf, "%d\n", fls64(pdev->dma_mask)); + } + static DEVICE_ATTR_RO(dma_mask_bits); + +@@ -356,7 +356,7 @@ static ssize_t consistent_dma_mask_bits_ + struct device_attribute *attr, + char *buf) + { +- return sprintf(buf, "%d\n", fls64(dev->coherent_dma_mask)); ++ return sysfs_emit(buf, "%d\n", fls64(dev->coherent_dma_mask)); + } + static DEVICE_ATTR_RO(consistent_dma_mask_bits); + +@@ -366,9 +366,9 @@ static ssize_t msi_bus_show(struct devic + struct pci_dev *pdev = to_pci_dev(dev); + struct pci_bus *subordinate = pdev->subordinate; + +- return sprintf(buf, "%u\n", subordinate ? +- !(subordinate->bus_flags & PCI_BUS_FLAGS_NO_MSI) +- : !pdev->no_msi); ++ return sysfs_emit(buf, "%u\n", subordinate ? ++ !(subordinate->bus_flags & PCI_BUS_FLAGS_NO_MSI) ++ : !pdev->no_msi); + } + + static ssize_t msi_bus_store(struct device *dev, struct device_attribute *attr, +@@ -545,7 +545,7 @@ static ssize_t d3cold_allowed_show(struc + struct device_attribute *attr, char *buf) + { + struct pci_dev *pdev = to_pci_dev(dev); +- return sprintf(buf, "%u\n", pdev->d3cold_allowed); ++ return sysfs_emit(buf, "%u\n", pdev->d3cold_allowed); + } + static DEVICE_ATTR_RW(d3cold_allowed); + #endif +@@ -559,7 +559,7 @@ static ssize_t devspec_show(struct devic + + if (np == NULL) + return 0; +- return sprintf(buf, "%pOF", np); ++ return sysfs_emit(buf, "%pOF", np); + } + static DEVICE_ATTR_RO(devspec); + #endif +@@ -605,7 +605,7 @@ static ssize_t driver_override_show(stru + ssize_t len; + + device_lock(dev); +- len = scnprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override); ++ len = sysfs_emit(buf, "%s\n", pdev->driver_override); + device_unlock(dev); + return len; + } +@@ -681,11 +681,11 @@ static ssize_t boot_vga_show(struct devi + struct pci_dev *vga_dev = vga_default_device(); + + if (vga_dev) +- return sprintf(buf, "%u\n", (pdev == vga_dev)); ++ return sysfs_emit(buf, "%u\n", (pdev == vga_dev)); + +- return sprintf(buf, "%u\n", +- !!(pdev->resource[PCI_ROM_RESOURCE].flags & +- IORESOURCE_ROM_SHADOW)); ++ return sysfs_emit(buf, "%u\n", ++ !!(pdev->resource[PCI_ROM_RESOURCE].flags & ++ IORESOURCE_ROM_SHADOW)); + } + static DEVICE_ATTR_RO(boot_vga); + diff --git a/queue-5.10/pci-tegra194-handle-errors-in-bpmp-response.patch b/queue-5.10/pci-tegra194-handle-errors-in-bpmp-response.patch new file mode 100644 index 0000000000..8ff9a10325 --- /dev/null +++ b/queue-5.10/pci-tegra194-handle-errors-in-bpmp-response.patch @@ -0,0 +1,108 @@ +From stable+bounces-188191-greg=kroah.com@vger.kernel.org Mon Oct 20 18:22:46 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:22:37 -0400 +Subject: PCI: tegra194: Handle errors in BPMP response +To: stable@vger.kernel.org +Cc: Vidya Sagar , Niklas Cassel , Manivannan Sadhasivam , Bjorn Helgaas , Jon Hunter , Thierry Reding , Sasha Levin +Message-ID: <20251020162237.1837094-1-sashal@kernel.org> + +From: Vidya Sagar + +[ Upstream commit f8c9ad46b00453a8c075453f3745f8d263f44834 ] + +The return value from tegra_bpmp_transfer() indicates the success or +failure of the IPC transaction with BPMP. If the transaction succeeded, we +also need to check the actual command's result code. + +If we don't have error handling for tegra_bpmp_transfer(), we will set the +pcie->ep_state to EP_STATE_ENABLED even when the tegra_bpmp_transfer() +command fails. Thus, the pcie->ep_state will get out of sync with reality, +and any further PERST# assert + deassert will be a no-op and will not +trigger the hardware initialization sequence. + +This is because pex_ep_event_pex_rst_deassert() checks the current +pcie->ep_state, and does nothing if the current state is already +EP_STATE_ENABLED. + +Thus, it is important to have error handling for tegra_bpmp_transfer(), +such that the pcie->ep_state can not get out of sync with reality, so that +we will try to initialize the hardware not only during the first PERST# +assert + deassert, but also during any succeeding PERST# assert + deassert. + +One example where this fix is needed is when using a rock5b as host. +During the initial PERST# assert + deassert (triggered by the bootloader on +the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some +unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails. +Once Linux has been loaded on the rock5b, the PCIe driver will once again +assert + deassert PERST#. However, without tegra_bpmp_transfer() error +handling, this second PERST# assert + deassert will not trigger the +hardware initialization sequence. + +With tegra_bpmp_transfer() error handling, the second PERST# assert + +deassert will once again trigger the hardware to be initialized and this +time the tegra_bpmp_transfer() succeeds. + +Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") +Signed-off-by: Vidya Sagar +[cassel: improve commit log] +Signed-off-by: Niklas Cassel +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Reviewed-by: Jon Hunter +Acked-by: Thierry Reding +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250922140822.519796-8-cassel@kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-tegra194.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-tegra194.c ++++ b/drivers/pci/controller/dwc/pcie-tegra194.c +@@ -1160,6 +1160,7 @@ static int tegra_pcie_bpmp_set_ctrl_stat + struct mrq_uphy_response resp; + struct tegra_bpmp_message msg; + struct mrq_uphy_request req; ++ int err; + + /* Controller-5 doesn't need to have its state set by BPMP-FW */ + if (pcie->cid == 5) +@@ -1179,7 +1180,13 @@ static int tegra_pcie_bpmp_set_ctrl_stat + msg.rx.data = &resp; + msg.rx.size = sizeof(resp); + +- return tegra_bpmp_transfer(pcie->bpmp, &msg); ++ err = tegra_bpmp_transfer(pcie->bpmp, &msg); ++ if (err) ++ return err; ++ if (msg.rx.ret) ++ return -EINVAL; ++ ++ return 0; + } + + static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, +@@ -1188,6 +1195,7 @@ static int tegra_pcie_bpmp_set_pll_state + struct mrq_uphy_response resp; + struct tegra_bpmp_message msg; + struct mrq_uphy_request req; ++ int err; + + memset(&req, 0, sizeof(req)); + memset(&resp, 0, sizeof(resp)); +@@ -1207,7 +1215,13 @@ static int tegra_pcie_bpmp_set_pll_state + msg.rx.data = &resp; + msg.rx.size = sizeof(resp); + +- return tegra_bpmp_transfer(pcie->bpmp, &msg); ++ err = tegra_bpmp_transfer(pcie->bpmp, &msg); ++ if (err) ++ return err; ++ if (msg.rx.ret) ++ return -EINVAL; ++ ++ return 0; + } + + static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie) diff --git a/queue-5.10/pm-runtime-add-new-devm-functions.patch b/queue-5.10/pm-runtime-add-new-devm-functions.patch new file mode 100644 index 0000000000..e56c386ae0 --- /dev/null +++ b/queue-5.10/pm-runtime-add-new-devm-functions.patch @@ -0,0 +1,109 @@ +From stable+bounces-188102-greg=kroah.com@vger.kernel.org Mon Oct 20 15:05:14 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 09:05:02 -0400 +Subject: PM: runtime: Add new devm functions +To: stable@vger.kernel.org +Cc: "Bence Csókás" , "Rafael J. Wysocki" , "Sasha Levin" +Message-ID: <20251020130503.1764881-1-sashal@kernel.org> + +From: Bence Csókás + +[ Upstream commit 73db799bf5efc5a04654bb3ff6c9bf63a0dfa473 ] + +Add `devm_pm_runtime_set_active_enabled()` and +`devm_pm_runtime_get_noresume()` for simplifying +common cases in drivers. + +Signed-off-by: Bence Csókás +Link: https://patch.msgid.link/20250327195928.680771-3-csokas.bence@prolan.hu +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: 0792c1984a45 ("iio: imu: inv_icm42600: Simplify pm_runtime setup") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/runtime.c | 44 +++++++++++++++++++++++++++++++++++++++++++ + include/linux/pm_runtime.h | 4 +++ + 2 files changed, 48 insertions(+) + +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1479,6 +1479,32 @@ void pm_runtime_enable(struct device *de + } + EXPORT_SYMBOL_GPL(pm_runtime_enable); + ++static void pm_runtime_set_suspended_action(void *data) ++{ ++ pm_runtime_set_suspended(data); ++} ++ ++/** ++ * devm_pm_runtime_set_active_enabled - set_active version of devm_pm_runtime_enable. ++ * ++ * @dev: Device to handle. ++ */ ++int devm_pm_runtime_set_active_enabled(struct device *dev) ++{ ++ int err; ++ ++ err = pm_runtime_set_active(dev); ++ if (err) ++ return err; ++ ++ err = devm_add_action_or_reset(dev, pm_runtime_set_suspended_action, dev); ++ if (err) ++ return err; ++ ++ return devm_pm_runtime_enable(dev); ++} ++EXPORT_SYMBOL_GPL(devm_pm_runtime_set_active_enabled); ++ + static void pm_runtime_disable_action(void *data) + { + pm_runtime_dont_use_autosuspend(data); +@@ -1501,6 +1527,24 @@ int devm_pm_runtime_enable(struct device + } + EXPORT_SYMBOL_GPL(devm_pm_runtime_enable); + ++static void pm_runtime_put_noidle_action(void *data) ++{ ++ pm_runtime_put_noidle(data); ++} ++ ++/** ++ * devm_pm_runtime_get_noresume - devres-enabled version of pm_runtime_get_noresume. ++ * ++ * @dev: Device to handle. ++ */ ++int devm_pm_runtime_get_noresume(struct device *dev) ++{ ++ pm_runtime_get_noresume(dev); ++ ++ return devm_add_action_or_reset(dev, pm_runtime_put_noidle_action, dev); ++} ++EXPORT_SYMBOL_GPL(devm_pm_runtime_get_noresume); ++ + /** + * pm_runtime_forbid - Block runtime PM of a device. + * @dev: Device to handle. +--- a/include/linux/pm_runtime.h ++++ b/include/linux/pm_runtime.h +@@ -61,7 +61,9 @@ extern void pm_runtime_new_link(struct d + extern void pm_runtime_drop_link(struct device_link *link); + extern void pm_runtime_release_supplier(struct device_link *link); + ++int devm_pm_runtime_set_active_enabled(struct device *dev); + extern int devm_pm_runtime_enable(struct device *dev); ++int devm_pm_runtime_get_noresume(struct device *dev); + + /** + * pm_runtime_get_if_in_use - Conditionally bump up runtime PM usage counter. +@@ -258,7 +260,9 @@ static inline void __pm_runtime_disable( + static inline void pm_runtime_allow(struct device *dev) {} + static inline void pm_runtime_forbid(struct device *dev) {} + ++static inline int devm_pm_runtime_set_active_enabled(struct device *dev) { return 0; } + static inline int devm_pm_runtime_enable(struct device *dev) { return 0; } ++static inline int devm_pm_runtime_get_noresume(struct device *dev) { return 0; } + + static inline void pm_suspend_ignore_children(struct device *dev, bool enable) {} + static inline void pm_runtime_get_noresume(struct device *dev) {} diff --git a/queue-5.10/series b/queue-5.10/series index 3fe8fdb93a..d463cb80d3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -300,3 +300,30 @@ mei-me-add-wildcat-lake-p-did.patch most-usb-fix-use-after-free-in-hdm_disconnect.patch most-usb-hdm_probe-fix-calling-put_device-before-device-initialization.patch serial-8250_exar-add-support-for-advantech-2-port-card-with-device-id-0x0018.patch +arm64-cputype-add-neoverse-v3ae-definitions.patch +arm64-errata-apply-workarounds-for-neoverse-v3ae.patch +vsock-fix-lock-inversion-in-vsock_assign_transport.patch +media-s5p-mfc-remove-an-unused-uninitialized-variable.patch +padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch +iio-imu-inv_icm42600-use-instead-of-memset.patch +iio-imu-inv_icm42600-avoid-configuring-if-already-pm_runtime-suspended.patch +pm-runtime-add-new-devm-functions.patch +iio-imu-inv_icm42600-simplify-pm_runtime-setup.patch +nfsd-rework-encoding-and-decoding-of-nfsd4_deviceid.patch +nfsd-minor-cleanup-in-layoutcommit-processing.patch +nfsd-fix-last-write-offset-handling-in-layoutcommit.patch +keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch +crypto-rockchip-fix-dma_unmap_sg-nents-value.patch +pci-tegra194-handle-errors-in-bpmp-response.patch +wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch +pci-j721e-fix-programming-sequence-of-strap-settings.patch +pci-add-sysfs-attribute-for-device-power-state.patch +pci-sysfs-use-sysfs_emit-and-sysfs_emit_at-in-show-functions.patch +pci-sysfs-ensure-devices-are-powered-for-config-reads.patch +ext4-avoid-potential-buffer-over-read-in-parse_apply_sb_mount_options.patch +spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch +drm-amdgpu-use-atomic-functions-with-memory-barriers-for-vm-fault-info.patch +vfs-don-t-leak-disconnected-dentries-on-umount.patch +nfsd-define-a-proc_layoutcommit-for-the-flexfiles-layout-type.patch +fuse-fix-livelock-in-synchronous-file-put-from-fuseblk-workers.patch +arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch diff --git a/queue-5.10/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch b/queue-5.10/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch new file mode 100644 index 0000000000..c7260addc0 --- /dev/null +++ b/queue-5.10/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch @@ -0,0 +1,57 @@ +From stable+bounces-188388-greg=kroah.com@vger.kernel.org Tue Oct 21 19:11:06 2025 +From: Sasha Levin +Date: Tue, 21 Oct 2025 13:10:55 -0400 +Subject: spi: cadence-quadspi: Flush posted register writes before DAC access +To: stable@vger.kernel.org +Cc: Pratyush Yadav , Santhosh Kumar K , Mark Brown , Sasha Levin +Message-ID: <20251021171055.2412702-1-sashal@kernel.org> + +From: Pratyush Yadav + +[ Upstream commit 1ad55767e77a853c98752ed1e33b68049a243bd7 ] + +cqspi_read_setup() and cqspi_write_setup() program the address width as +the last step in the setup. This is likely to be immediately followed by +a DAC region read/write. On TI K3 SoCs the DAC region is on a different +endpoint from the register region. This means that the order of the two +operations is not guaranteed, and they might be reordered at the +interconnect level. It is possible that the DAC read/write goes through +before the address width update goes through. In this situation if the +previous command used a different address width the OSPI command is sent +with the wrong number of address bytes, resulting in an invalid command +and undefined behavior. + +Read back the size register to make sure the write gets flushed before +accessing the DAC region. + +Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") +CC: stable@vger.kernel.org +Reviewed-by: Pratyush Yadav +Signed-off-by: Pratyush Yadav +Signed-off-by: Santhosh Kumar K +Message-ID: <20250905185958.3575037-3-s-k6@ti.com> +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence-quadspi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -474,6 +474,7 @@ static int cqspi_read_setup(struct cqspi + reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; + reg |= (op->addr.nbytes - 1); + writel(reg, reg_base + CQSPI_REG_SIZE); ++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ + return 0; + } + +@@ -587,6 +588,7 @@ static int cqspi_write_setup(struct cqsp + reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; + reg |= (op->addr.nbytes - 1); + writel(reg, reg_base + CQSPI_REG_SIZE); ++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ + return 0; + } + diff --git a/queue-5.10/vfs-don-t-leak-disconnected-dentries-on-umount.patch b/queue-5.10/vfs-don-t-leak-disconnected-dentries-on-umount.patch new file mode 100644 index 0000000000..952dd49d66 --- /dev/null +++ b/queue-5.10/vfs-don-t-leak-disconnected-dentries-on-umount.patch @@ -0,0 +1,58 @@ +From stable+bounces-188279-greg=kroah.com@vger.kernel.org Tue Oct 21 03:11:38 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 21:11:19 -0400 +Subject: vfs: Don't leak disconnected dentries on umount +To: stable@vger.kernel.org +Cc: Jan Kara , syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com, Christian Brauner , Sasha Levin +Message-ID: <20251021011119.1965137-1-sashal@kernel.org> + +From: Jan Kara + +[ Upstream commit 56094ad3eaa21e6621396cc33811d8f72847a834 ] + +When user calls open_by_handle_at() on some inode that is not cached, we +will create disconnected dentry for it. If such dentry is a directory, +exportfs_decode_fh_raw() will then try to connect this dentry to the +dentry tree through reconnect_path(). It may happen for various reasons +(such as corrupted fs or race with rename) that the call to +lookup_one_unlocked() in reconnect_one() will fail to find the dentry we +are trying to reconnect and instead create a new dentry under the +parent. Now this dentry will not be marked as disconnected although the +parent still may well be disconnected (at least in case this +inconsistency happened because the fs is corrupted and .. doesn't point +to the real parent directory). This creates inconsistency in +disconnected flags but AFAICS it was mostly harmless. At least until +commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") +which removed adding of most disconnected dentries to sb->s_anon list. +Thus after this commit cleanup of disconnected dentries implicitely +relies on the fact that dput() will immediately reclaim such dentries. +However when some leaf dentry isn't marked as disconnected, as in the +scenario described above, the reclaim doesn't happen and the dentries +are "leaked". Memory reclaim can eventually reclaim them but otherwise +they stay in memory and if umount comes first, we hit infamous "Busy +inodes after unmount" bug. Make sure all dentries created under a +disconnected parent are marked as disconnected as well. + +Reported-by: syzbot+1d79ebe5383fc016cf07@syzkaller.appspotmail.com +Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Christian Brauner +[ relocated DCACHE_DISCONNECTED propagation from d_alloc_parallel() to d_alloc() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1801,6 +1801,8 @@ struct dentry *d_alloc(struct dentry * p + __dget_dlock(parent); + dentry->d_parent = parent; + list_add(&dentry->d_child, &parent->d_subdirs); ++ if (parent->d_flags & DCACHE_DISCONNECTED) ++ dentry->d_flags |= DCACHE_DISCONNECTED; + spin_unlock(&parent->d_lock); + + return dentry; diff --git a/queue-5.10/vsock-fix-lock-inversion-in-vsock_assign_transport.patch b/queue-5.10/vsock-fix-lock-inversion-in-vsock_assign_transport.patch new file mode 100644 index 0000000000..4bb9846130 --- /dev/null +++ b/queue-5.10/vsock-fix-lock-inversion-in-vsock_assign_transport.patch @@ -0,0 +1,97 @@ +From f7c877e7535260cc7a21484c994e8ce7e8cb6780 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Tue, 21 Oct 2025 14:17:18 +0200 +Subject: vsock: fix lock inversion in vsock_assign_transport() + +From: Stefano Garzarella + +commit f7c877e7535260cc7a21484c994e8ce7e8cb6780 upstream. + +Syzbot reported a potential lock inversion deadlock between +vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called. + +The issue was introduced by commit 687aa0c5581b ("vsock: Fix +transport_* TOCTOU") which added vsock_register_mutex locking in +vsock_assign_transport() around the transport->release() call, that can +call vsock_linger(). vsock_assign_transport() can be called with sk_lock +held. vsock_linger() calls sk_wait_event() that temporarily releases and +re-acquires sk_lock. During this window, if another thread hold +vsock_register_mutex while trying to acquire sk_lock, a circular +dependency is created. + +Fix this by releasing vsock_register_mutex before calling +transport->release() and vsock_deassign_transport(). This is safe +because we don't need to hold vsock_register_mutex while releasing the +old transport, and we ensure the new transport won't disappear by +obtaining a module reference first via try_module_get(). + +Reported-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com +Tested-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com +Fixes: 687aa0c5581b ("vsock: Fix transport_* TOCTOU") +Cc: mhal@rbox.co +Cc: stable@vger.kernel.org +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20251021121718.137668-1-sgarzare@redhat.com +Signed-off-by: Paolo Abeni +[Stefano: fixed context since 5.10 is missing SEQPACKET support in vsock] +Signed-off-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -479,12 +479,26 @@ int vsock_assign_transport(struct vsock_ + goto err; + } + +- if (vsk->transport) { +- if (vsk->transport == new_transport) { +- ret = 0; +- goto err; +- } ++ if (vsk->transport && vsk->transport == new_transport) { ++ ret = 0; ++ goto err; ++ } ++ ++ /* We increase the module refcnt to prevent the transport unloading ++ * while there are open sockets assigned to it. ++ */ ++ if (!new_transport || !try_module_get(new_transport->module)) { ++ ret = -ENODEV; ++ goto err; ++ } ++ ++ /* It's safe to release the mutex after a successful try_module_get(). ++ * Whichever transport `new_transport` points at, it won't go away until ++ * the last module_put() below or in vsock_deassign_transport(). ++ */ ++ mutex_unlock(&vsock_register_mutex); + ++ if (vsk->transport) { + /* transport->release() must be called with sock lock acquired. + * This path can only be taken during vsock_stream_connect(), + * where we have already held the sock lock. +@@ -504,20 +518,6 @@ int vsock_assign_transport(struct vsock_ + vsk->peer_shutdown = 0; + } + +- /* We increase the module refcnt to prevent the transport unloading +- * while there are open sockets assigned to it. +- */ +- if (!new_transport || !try_module_get(new_transport->module)) { +- ret = -ENODEV; +- goto err; +- } +- +- /* It's safe to release the mutex after a successful try_module_get(). +- * Whichever transport `new_transport` points at, it won't go away until +- * the last module_put() below or in vsock_deassign_transport(). +- */ +- mutex_unlock(&vsock_register_mutex); +- + ret = new_transport->init(vsk, psk); + if (ret) { + module_put(new_transport->module); diff --git a/queue-5.10/wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch b/queue-5.10/wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch new file mode 100644 index 0000000000..5b07b05980 --- /dev/null +++ b/queue-5.10/wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch @@ -0,0 +1,86 @@ +From stable+bounces-188182-greg=kroah.com@vger.kernel.org Mon Oct 20 18:18:22 2025 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:18:13 -0400 +Subject: wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again +To: stable@vger.kernel.org +Cc: Muhammad Usama Anjum , Baochen Qiang , Jeff Johnson , Sasha Levin +Message-ID: <20251020161813.1835424-1-sashal@kernel.org> + +From: Muhammad Usama Anjum + +[ Upstream commit 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 ] + +Don't deinitialize and reinitialize the HAL helpers. The dma memory is +deallocated and there is high possibility that we'll not be able to get +the same memory allocated from dma when there is high memory pressure. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org +Cc: Baochen Qiang +Reviewed-by: Baochen Qiang +Signed-off-by: Muhammad Usama Anjum +Link: https://patch.msgid.link/20250722053121.1145001-1-usama.anjum@collabora.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/core.c | 6 +----- + drivers/net/wireless/ath/ath11k/hal.c | 16 ++++++++++++++++ + drivers/net/wireless/ath/ath11k/hal.h | 1 + + 3 files changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -710,14 +710,10 @@ static int ath11k_core_reconfigure_on_cr + mutex_unlock(&ab->core_lock); + + ath11k_dp_free(ab); +- ath11k_hal_srng_deinit(ab); ++ ath11k_hal_srng_clear(ab); + + ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS)) - 1; + +- ret = ath11k_hal_srng_init(ab); +- if (ret) +- return ret; +- + clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); + + ret = ath11k_core_qmi_firmware_ready(ab); +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -1317,6 +1317,22 @@ void ath11k_hal_srng_deinit(struct ath11 + } + EXPORT_SYMBOL(ath11k_hal_srng_deinit); + ++void ath11k_hal_srng_clear(struct ath11k_base *ab) ++{ ++ /* No need to memset rdp and wrp memory since each individual ++ * segment would get cleared in ath11k_hal_srng_src_hw_init() ++ * and ath11k_hal_srng_dst_hw_init(). ++ */ ++ memset(ab->hal.srng_list, 0, ++ sizeof(ab->hal.srng_list)); ++ memset(ab->hal.shadow_reg_addr, 0, ++ sizeof(ab->hal.shadow_reg_addr)); ++ ab->hal.avail_blk_resource = 0; ++ ab->hal.current_blk_index = 0; ++ ab->hal.num_shadow_reg_configured = 0; ++} ++EXPORT_SYMBOL(ath11k_hal_srng_clear); ++ + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) + { + struct hal_srng *srng; +--- a/drivers/net/wireless/ath/ath11k/hal.h ++++ b/drivers/net/wireless/ath/ath11k/hal.h +@@ -940,6 +940,7 @@ int ath11k_hal_srng_setup(struct ath11k_ + struct hal_srng_params *params); + int ath11k_hal_srng_init(struct ath11k_base *ath11k); + void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); ++void ath11k_hal_srng_clear(struct ath11k_base *ab); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); + void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, + u32 **cfg, u32 *len);