From: Greg Kroah-Hartman Date: Thu, 16 Oct 2025 09:08:13 +0000 (+0200) Subject: 6.17-stable patches X-Git-Tag: v5.15.195~99 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=579c7f7ef634df4323486ec5dce4f3ce28a89c95;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: dt-bindings-phy-rockchip-inno-csi-dphy-make-power-domains-non-required.patch firmware-exynos-acpm-fix-pmic-returned-errno.patch firmware-meson_sm-fix-device-leak-at-probe.patch kvm-arm64-fix-debug-checking-for-np-guests-using-huge-mappings.patch kvm-arm64-fix-page-leak-in-user_mem_abort.patch kvm-s390-fix-to-clear-pte-when-discarding-a-swapped-page.patch kvm-svm-re-load-current-not-host-tsc_aux-on-vmexit-from-sev-es-guest.patch kvm-tdx-fix-uninitialized-error-code-for-__tdx_bringup.patch media-cec-extron-da-hd-4k-plus-drop-external-module-make-commands.patch media-cx18-add-missing-check-after-dma-map.patch media-i2c-mt9p031-fix-mbus-code-initialization.patch media-i2c-mt9v111-fix-incorrect-type-for-ret.patch media-lirc-fix-error-handling-in-lirc_register.patch media-mc-fix-must_connect-handling-for-pads-with-no-links.patch media-pci-ivtv-add-missing-check-after-dma-map.patch media-pci-mg4b-fix-uninitialized-iio-scan-data.patch media-platform-mtk-mdp3-add-missing-mt8188-compatible-to-comp_dt_ids.patch media-s5p-mfc-remove-an-unused-uninitialized-variable.patch media-staging-ipu7-fix-isys-device-runtime-pm-usage-in-firmware-closing.patch media-ti-j721e-csi2rx-fix-source-subdev-link-creation.patch media-ti-j721e-csi2rx-use-devm_of_platform_populate.patch media-uvcvideo-avoid-variable-shadowing-in-uvc_ctrl_cleanup_fh.patch media-venus-firmware-use-correct-reset-sequence-for-iris2.patch media-venus-pm_helpers-add-fallback-for-the-opp-table.patch media-vivid-fix-disappearing-vendor-command-with-id-messages.patch media-vsp1-export-missing-vsp1_isp_free_buffer-symbol.patch x86-kvm-force-legacy-pci-hole-to-uc-when-overriding-mtrrs-for-tdx-snp.patch xen-events-cleanup-find_virq-return-codes.patch xen-events-return-eexist-for-bound-virqs.patch xen-events-update-virq_to_irq-on-migration.patch xen-manage-fix-suspend-error-path.patch xen-take-system_transition_mutex-on-suspend.patch --- diff --git a/queue-6.17/dt-bindings-phy-rockchip-inno-csi-dphy-make-power-domains-non-required.patch b/queue-6.17/dt-bindings-phy-rockchip-inno-csi-dphy-make-power-domains-non-required.patch new file mode 100644 index 0000000000..0b09373ac7 --- /dev/null +++ b/queue-6.17/dt-bindings-phy-rockchip-inno-csi-dphy-make-power-domains-non-required.patch @@ -0,0 +1,54 @@ +From c254815b02673cc77a84103c4c0d6197bd90c0ef Mon Sep 17 00:00:00 2001 +From: Michael Riesch +Date: Wed, 3 Sep 2025 19:04:50 +0200 +Subject: dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-required + +From: Michael Riesch + +commit c254815b02673cc77a84103c4c0d6197bd90c0ef upstream. + +There are variants of the Rockchip Innosilicon CSI DPHY (e.g., the RK3568 +variant) that are powered on by default as they are part of the ALIVE power +domain. +Remove 'power-domains' from the required properties in order to avoid false +positives. + +Fixes: 22c8e0a69b7f ("dt-bindings: phy: add compatible for rk356x to rockchip-inno-csi-dphy") +Cc: stable@kernel.org +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Michael Riesch +Link: https://lore.kernel.org/r/20250616-rk3588-csi-dphy-v4-2-a4f340a7f0cf@collabora.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/phy/rockchip-inno-csi-dphy.yaml | 15 +++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/phy/rockchip-inno-csi-dphy.yaml ++++ b/Documentation/devicetree/bindings/phy/rockchip-inno-csi-dphy.yaml +@@ -57,11 +57,24 @@ required: + - clocks + - clock-names + - '#phy-cells' +- - power-domains + - resets + - reset-names + - rockchip,grf + ++allOf: ++ - if: ++ properties: ++ compatible: ++ contains: ++ enum: ++ - rockchip,px30-csi-dphy ++ - rockchip,rk1808-csi-dphy ++ - rockchip,rk3326-csi-dphy ++ - rockchip,rk3368-csi-dphy ++ then: ++ required: ++ - power-domains ++ + additionalProperties: false + + examples: diff --git a/queue-6.17/firmware-exynos-acpm-fix-pmic-returned-errno.patch b/queue-6.17/firmware-exynos-acpm-fix-pmic-returned-errno.patch new file mode 100644 index 0000000000..c44d9245b1 --- /dev/null +++ b/queue-6.17/firmware-exynos-acpm-fix-pmic-returned-errno.patch @@ -0,0 +1,104 @@ +From 1da4cbefed4a2e69ebad81fc9b356cd9b807f380 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Mon, 8 Sep 2025 14:02:00 +0000 +Subject: firmware: exynos-acpm: fix PMIC returned errno + +From: Tudor Ambarus + +commit 1da4cbefed4a2e69ebad81fc9b356cd9b807f380 upstream. + +ACPM PMIC command handlers returned a u8 value when they should +have returned either zero or negative error codes. +Translate the APM PMIC errno to linux errno. + +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-input/aElHlTApXj-W_o1r@stanley.mountain/ +Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") +Cc: stable@vger.kernel.org +Signed-off-by: Tudor Ambarus +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/samsung/exynos-acpm-pmic.c | 25 ++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/drivers/firmware/samsung/exynos-acpm-pmic.c b/drivers/firmware/samsung/exynos-acpm-pmic.c +index 39b33a356ebd..961d7599e422 100644 +--- a/drivers/firmware/samsung/exynos-acpm-pmic.c ++++ b/drivers/firmware/samsung/exynos-acpm-pmic.c +@@ -4,7 +4,9 @@ + * Copyright 2020 Google LLC. + * Copyright 2024 Linaro Ltd. + */ ++#include + #include ++#include + #include + #include + #include +@@ -33,6 +35,19 @@ enum exynos_acpm_pmic_func { + ACPM_PMIC_BULK_WRITE, + }; + ++static const int acpm_pmic_linux_errmap[] = { ++ [0] = 0, /* ACPM_PMIC_SUCCESS */ ++ [1] = -EACCES, /* Read register can't be accessed or issues to access it. */ ++ [2] = -EACCES, /* Write register can't be accessed or issues to access it. */ ++}; ++ ++static int acpm_pmic_to_linux_err(int err) ++{ ++ if (err >= 0 && err < ARRAY_SIZE(acpm_pmic_linux_errmap)) ++ return acpm_pmic_linux_errmap[err]; ++ return -EIO; ++} ++ + static inline u32 acpm_pmic_set_bulk(u32 data, unsigned int i) + { + return (data & ACPM_PMIC_BULK_MASK) << (ACPM_PMIC_BULK_SHIFT * i); +@@ -79,7 +94,7 @@ int acpm_pmic_read_reg(const struct acpm_handle *handle, + + *buf = FIELD_GET(ACPM_PMIC_VALUE, xfer.rxd[1]); + +- return FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]); ++ return acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1])); + } + + static void acpm_pmic_init_bulk_read_cmd(u32 cmd[4], u8 type, u8 reg, u8 chan, +@@ -110,7 +125,7 @@ int acpm_pmic_bulk_read(const struct acpm_handle *handle, + if (ret) + return ret; + +- ret = FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]); ++ ret = acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1])); + if (ret) + return ret; + +@@ -150,7 +165,7 @@ int acpm_pmic_write_reg(const struct acpm_handle *handle, + if (ret) + return ret; + +- return FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]); ++ return acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1])); + } + + static void acpm_pmic_init_bulk_write_cmd(u32 cmd[4], u8 type, u8 reg, u8 chan, +@@ -190,7 +205,7 @@ int acpm_pmic_bulk_write(const struct acpm_handle *handle, + if (ret) + return ret; + +- return FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]); ++ return acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1])); + } + + static void acpm_pmic_init_update_cmd(u32 cmd[4], u8 type, u8 reg, u8 chan, +@@ -220,5 +235,5 @@ int acpm_pmic_update_reg(const struct acpm_handle *handle, + if (ret) + return ret; + +- return FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1]); ++ return acpm_pmic_to_linux_err(FIELD_GET(ACPM_PMIC_RETURN, xfer.rxd[1])); + } +-- +2.51.0 + diff --git a/queue-6.17/firmware-meson_sm-fix-device-leak-at-probe.patch b/queue-6.17/firmware-meson_sm-fix-device-leak-at-probe.patch new file mode 100644 index 0000000000..cdd15e6e11 --- /dev/null +++ b/queue-6.17/firmware-meson_sm-fix-device-leak-at-probe.patch @@ -0,0 +1,49 @@ +From 8ece3173f87df03935906d0c612c2aeda9db92ca Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 09:40:19 +0200 +Subject: firmware: meson_sm: fix device leak at probe + +From: Johan Hovold + +commit 8ece3173f87df03935906d0c612c2aeda9db92ca upstream. + +Make sure to drop the reference to the secure monitor device taken by +of_find_device_by_node() when looking up its driver data on behalf of +other drivers (e.g. during probe). + +Note that holding a reference to the platform device does not prevent +its driver data from going away so there is no point in keeping the +reference after the helper returns. + +Fixes: 8cde3c2153e8 ("firmware: meson_sm: Rework driver as a proper platform driver") +Cc: stable@vger.kernel.org # 5.5 +Cc: Carlo Caione +Signed-off-by: Johan Hovold +Acked-by: Martin Blumenstingl +Link: https://lore.kernel.org/r/20250725074019.8765-1-johan@kernel.org +Signed-off-by: Neil Armstrong +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/meson/meson_sm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/firmware/meson/meson_sm.c ++++ b/drivers/firmware/meson/meson_sm.c +@@ -232,11 +232,16 @@ EXPORT_SYMBOL(meson_sm_call_write); + struct meson_sm_firmware *meson_sm_get(struct device_node *sm_node) + { + struct platform_device *pdev = of_find_device_by_node(sm_node); ++ struct meson_sm_firmware *fw; + + if (!pdev) + return NULL; + +- return platform_get_drvdata(pdev); ++ fw = platform_get_drvdata(pdev); ++ ++ put_device(&pdev->dev); ++ ++ return fw; + } + EXPORT_SYMBOL_GPL(meson_sm_get); + diff --git a/queue-6.17/kvm-arm64-fix-debug-checking-for-np-guests-using-huge-mappings.patch b/queue-6.17/kvm-arm64-fix-debug-checking-for-np-guests-using-huge-mappings.patch new file mode 100644 index 0000000000..5046229214 --- /dev/null +++ b/queue-6.17/kvm-arm64-fix-debug-checking-for-np-guests-using-huge-mappings.patch @@ -0,0 +1,110 @@ +From 2ba972bf71cb71d2127ec6c3db1ceb6dd0c73173 Mon Sep 17 00:00:00 2001 +From: Ben Horgan +Date: Fri, 15 Aug 2025 17:26:55 +0100 +Subject: KVM: arm64: Fix debug checking for np-guests using huge mappings + +From: Ben Horgan + +commit 2ba972bf71cb71d2127ec6c3db1ceb6dd0c73173 upstream. + +When running with transparent huge pages and CONFIG_NVHE_EL2_DEBUG then +the debug checking in assert_host_shared_guest() fails on the launch of an +np-guest. This WARN_ON() causes a panic and generates the stack below. + +In __pkvm_host_relax_perms_guest() the debug checking assumes the mapping +is a single page but it may be a block map. Update the checking so that +the size is not checked and just assumes the correct size. + +While we're here make the same fix in __pkvm_host_mkyoung_guest(). + + Info: # lkvm run -k /share/arch/arm64/boot/Image -m 704 -c 8 --name guest-128 + Info: Removed ghost socket file "/.lkvm//guest-128.sock". +[ 1406.521757] kvm [141]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:1088! +[ 1406.521804] kvm [141]: nVHE call trace: +[ 1406.521828] kvm [141]: [] __kvm_nvhe_hyp_panic+0xb4/0xe8 +[ 1406.521946] kvm [141]: [] __kvm_nvhe_assert_host_shared_guest+0xb0/0x10c +[ 1406.522049] kvm [141]: [] __kvm_nvhe___pkvm_host_relax_perms_guest+0x48/0x104 +[ 1406.522157] kvm [141]: [] __kvm_nvhe_handle___pkvm_host_relax_perms_guest+0x64/0x7c +[ 1406.522250] kvm [141]: [] __kvm_nvhe_handle_trap+0x8c/0x1a8 +[ 1406.522333] kvm [141]: [] __kvm_nvhe___skip_pauth_save+0x4/0x4 +[ 1406.522454] kvm [141]: ---[ end nVHE call trace ]--- +[ 1406.522477] kvm [141]: Hyp Offset: 0xfffece8013600000 +[ 1406.522554] Kernel panic - not syncing: HYP panic: +[ 1406.522554] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800 +[ 1406.522554] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000 +[ 1406.522554] VCPU:0000000000000000 +[ 1406.523337] CPU: 3 UID: 0 PID: 141 Comm: kvm-vcpu-0 Not tainted 6.16.0-rc7 #97 PREEMPT +[ 1406.523485] Hardware name: FVP Base RevC (DT) +[ 1406.523566] Call trace: +[ 1406.523629] show_stack+0x18/0x24 (C) +[ 1406.523753] dump_stack_lvl+0xd4/0x108 +[ 1406.523899] dump_stack+0x18/0x24 +[ 1406.524040] panic+0x3d8/0x448 +[ 1406.524184] nvhe_hyp_panic_handler+0x10c/0x23c +[ 1406.524325] kvm_handle_guest_abort+0x68c/0x109c +[ 1406.524500] handle_exit+0x60/0x17c +[ 1406.524630] kvm_arch_vcpu_ioctl_run+0x2e0/0x8c0 +[ 1406.524794] kvm_vcpu_ioctl+0x1a8/0x9cc +[ 1406.524919] __arm64_sys_ioctl+0xac/0x104 +[ 1406.525067] invoke_syscall+0x48/0x10c +[ 1406.525189] el0_svc_common.constprop.0+0x40/0xe0 +[ 1406.525322] do_el0_svc+0x1c/0x28 +[ 1406.525441] el0_svc+0x38/0x120 +[ 1406.525588] el0t_64_sync_handler+0x10c/0x138 +[ 1406.525750] el0t_64_sync+0x1ac/0x1b0 +[ 1406.525876] SMP: stopping secondary CPUs +[ 1406.525965] Kernel Offset: disabled +[ 1406.526032] CPU features: 0x0000,00000080,8e134ca1,9446773f +[ 1406.526130] Memory Limit: none +[ 1406.959099] ---[ end Kernel panic - not syncing: HYP panic: +[ 1406.959099] PS:834003c9 PC:0000b1806db6d170 ESR:00000000f2000800 +[ 1406.959099] FAR:ffff8000804be420 HPFAR:0000000000804be0 PAR:0000000000000000 +[ 1406.959099] VCPU:0000000000000000 ] + +Signed-off-by: Ben Horgan +Fixes: f28f1d02f4eaa ("KVM: arm64: Add a range to __pkvm_host_unshare_guest()") +Cc: Vincent Donnefort +Cc: Quentin Perret +Cc: Ryan Roberts +Cc: stable@vger.kernel.org +Reviewed-by: Vincent Donnefort +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/hyp/nvhe/mem_protect.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c ++++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c +@@ -1010,9 +1010,12 @@ static int __check_host_shared_guest(str + return ret; + if (!kvm_pte_valid(pte)) + return -ENOENT; +- if (kvm_granule_size(level) != size) ++ if (size && kvm_granule_size(level) != size) + return -E2BIG; + ++ if (!size) ++ size = kvm_granule_size(level); ++ + state = guest_get_page_state(pte, ipa); + if (state != PKVM_PAGE_SHARED_BORROWED) + return -EPERM; +@@ -1100,7 +1103,7 @@ int __pkvm_host_relax_perms_guest(u64 gf + if (prot & ~KVM_PGTABLE_PROT_RWX) + return -EINVAL; + +- assert_host_shared_guest(vm, ipa, PAGE_SIZE); ++ assert_host_shared_guest(vm, ipa, 0); + guest_lock_component(vm); + ret = kvm_pgtable_stage2_relax_perms(&vm->pgt, ipa, prot, 0); + guest_unlock_component(vm); +@@ -1156,7 +1159,7 @@ int __pkvm_host_mkyoung_guest(u64 gfn, s + if (pkvm_hyp_vm_is_protected(vm)) + return -EPERM; + +- assert_host_shared_guest(vm, ipa, PAGE_SIZE); ++ assert_host_shared_guest(vm, ipa, 0); + guest_lock_component(vm); + kvm_pgtable_stage2_mkyoung(&vm->pgt, ipa, 0); + guest_unlock_component(vm); diff --git a/queue-6.17/kvm-arm64-fix-page-leak-in-user_mem_abort.patch b/queue-6.17/kvm-arm64-fix-page-leak-in-user_mem_abort.patch new file mode 100644 index 0000000000..141881722f --- /dev/null +++ b/queue-6.17/kvm-arm64-fix-page-leak-in-user_mem_abort.patch @@ -0,0 +1,54 @@ +From 5f9466b50c1b4253d91abf81780b90a722133162 Mon Sep 17 00:00:00 2001 +From: Fuad Tabba +Date: Wed, 17 Sep 2025 14:07:37 +0100 +Subject: KVM: arm64: Fix page leak in user_mem_abort() + +From: Fuad Tabba + +commit 5f9466b50c1b4253d91abf81780b90a722133162 upstream. + +The user_mem_abort() function acquires a page reference via +__kvm_faultin_pfn() early in its execution. However, the subsequent +checks for mismatched attributes between stage 1 and stage 2 mappings +would return an error code directly, bypassing the corresponding page +release. + +Fix this by storing the error and releasing the unused page before +returning the error. + +Fixes: 6d674e28f642 ("KVM: arm/arm64: Properly handle faulting of device mappings") +Fixes: 2a8dfab26677 ("KVM: arm64: Block cacheable PFNMAP mapping") +Signed-off-by: Fuad Tabba +Reviewed-by: Oliver Upton +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/mmu.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kvm/mmu.c ++++ b/arch/arm64/kvm/mmu.c +@@ -1673,7 +1673,7 @@ static int user_mem_abort(struct kvm_vcp + * cache maintenance. + */ + if (!kvm_supports_cacheable_pfnmap()) +- return -EFAULT; ++ ret = -EFAULT; + } else { + /* + * If the page was identified as device early by looking at +@@ -1696,7 +1696,12 @@ static int user_mem_abort(struct kvm_vcp + } + + if (exec_fault && s2_force_noncacheable) +- return -ENOEXEC; ++ ret = -ENOEXEC; ++ ++ if (ret) { ++ kvm_release_page_unused(page); ++ return ret; ++ } + + /* + * Potentially reduce shadow S2 permissions to match the guest's own diff --git a/queue-6.17/kvm-s390-fix-to-clear-pte-when-discarding-a-swapped-page.patch b/queue-6.17/kvm-s390-fix-to-clear-pte-when-discarding-a-swapped-page.patch new file mode 100644 index 0000000000..e59498e27f --- /dev/null +++ b/queue-6.17/kvm-s390-fix-to-clear-pte-when-discarding-a-swapped-page.patch @@ -0,0 +1,133 @@ +From 5deafa27d9ae040b75d392f60b12e300b42b4792 Mon Sep 17 00:00:00 2001 +From: Gautam Gala +Date: Wed, 24 Sep 2025 13:26:44 +0200 +Subject: KVM: s390: Fix to clear PTE when discarding a swapped page + +From: Gautam Gala + +commit 5deafa27d9ae040b75d392f60b12e300b42b4792 upstream. + +KVM run fails when guests with 'cmm' cpu feature and host are +under memory pressure and use swap heavily. This is because +npages becomes ENOMEN (out of memory) in hva_to_pfn_slow() +which inturn propagates as EFAULT to qemu. Clearing the page +table entry when discarding an address that maps to a swap +entry resolves the issue. + +Fixes: 200197908dc4 ("KVM: s390: Refactor and split some gmap helpers") +Cc: stable@vger.kernel.org +Suggested-by: Claudio Imbrenda +Signed-off-by: Gautam Gala +Reviewed-by: Claudio Imbrenda +Signed-off-by: Claudio Imbrenda +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/pgtable.h | 22 ++++++++++++++++++++++ + arch/s390/mm/gmap_helpers.c | 12 +++++++++++- + arch/s390/mm/pgtable.c | 23 +---------------------- + 3 files changed, 34 insertions(+), 23 deletions(-) + +--- a/arch/s390/include/asm/pgtable.h ++++ b/arch/s390/include/asm/pgtable.h +@@ -2055,4 +2055,26 @@ static inline unsigned long gmap_pgste_g + return res; + } + ++static inline pgste_t pgste_get_lock(pte_t *ptep) ++{ ++ unsigned long value = 0; ++#ifdef CONFIG_PGSTE ++ unsigned long *ptr = (unsigned long *)(ptep + PTRS_PER_PTE); ++ ++ do { ++ value = __atomic64_or_barrier(PGSTE_PCL_BIT, ptr); ++ } while (value & PGSTE_PCL_BIT); ++ value |= PGSTE_PCL_BIT; ++#endif ++ return __pgste(value); ++} ++ ++static inline void pgste_set_unlock(pte_t *ptep, pgste_t pgste) ++{ ++#ifdef CONFIG_PGSTE ++ barrier(); ++ WRITE_ONCE(*(unsigned long *)(ptep + PTRS_PER_PTE), pgste_val(pgste) & ~PGSTE_PCL_BIT); ++#endif ++} ++ + #endif /* _S390_PAGE_H */ +--- a/arch/s390/mm/gmap_helpers.c ++++ b/arch/s390/mm/gmap_helpers.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + /** + * ptep_zap_swap_entry() - discard a swap entry. +@@ -47,6 +48,7 @@ void gmap_helper_zap_one_page(struct mm_ + { + struct vm_area_struct *vma; + spinlock_t *ptl; ++ pgste_t pgste; + pte_t *ptep; + + mmap_assert_locked(mm); +@@ -60,8 +62,16 @@ void gmap_helper_zap_one_page(struct mm_ + ptep = get_locked_pte(mm, vmaddr, &ptl); + if (unlikely(!ptep)) + return; +- if (pte_swap(*ptep)) ++ if (pte_swap(*ptep)) { ++ preempt_disable(); ++ pgste = pgste_get_lock(ptep); ++ + ptep_zap_swap_entry(mm, pte_to_swp_entry(*ptep)); ++ pte_clear(mm, vmaddr, ptep); ++ ++ pgste_set_unlock(ptep, pgste); ++ preempt_enable(); ++ } + pte_unmap_unlock(ptep, ptl); + } + EXPORT_SYMBOL_GPL(gmap_helper_zap_one_page); +--- a/arch/s390/mm/pgtable.c ++++ b/arch/s390/mm/pgtable.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + + pgprot_t pgprot_writecombine(pgprot_t prot) +@@ -115,28 +116,6 @@ static inline pte_t ptep_flush_lazy(stru + return old; + } + +-static inline pgste_t pgste_get_lock(pte_t *ptep) +-{ +- unsigned long value = 0; +-#ifdef CONFIG_PGSTE +- unsigned long *ptr = (unsigned long *)(ptep + PTRS_PER_PTE); +- +- do { +- value = __atomic64_or_barrier(PGSTE_PCL_BIT, ptr); +- } while (value & PGSTE_PCL_BIT); +- value |= PGSTE_PCL_BIT; +-#endif +- return __pgste(value); +-} +- +-static inline void pgste_set_unlock(pte_t *ptep, pgste_t pgste) +-{ +-#ifdef CONFIG_PGSTE +- barrier(); +- WRITE_ONCE(*(unsigned long *)(ptep + PTRS_PER_PTE), pgste_val(pgste) & ~PGSTE_PCL_BIT); +-#endif +-} +- + static inline pgste_t pgste_get(pte_t *ptep) + { + unsigned long pgste = 0; diff --git a/queue-6.17/kvm-svm-re-load-current-not-host-tsc_aux-on-vmexit-from-sev-es-guest.patch b/queue-6.17/kvm-svm-re-load-current-not-host-tsc_aux-on-vmexit-from-sev-es-guest.patch new file mode 100644 index 0000000000..868c220ca8 --- /dev/null +++ b/queue-6.17/kvm-svm-re-load-current-not-host-tsc_aux-on-vmexit-from-sev-es-guest.patch @@ -0,0 +1,127 @@ +From 29da8c823abffdacb71c7c07ec48fcf9eb38757c Mon Sep 17 00:00:00 2001 +From: Hou Wenlong +Date: Tue, 23 Sep 2025 08:37:38 -0700 +Subject: KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest + +From: Hou Wenlong + +commit 29da8c823abffdacb71c7c07ec48fcf9eb38757c upstream. + +Prior to running an SEV-ES guest, set TSC_AUX in the host save area to the +current value in hardware, as tracked by the user return infrastructure, +instead of always loading the host's desired value for the CPU. If the +pCPU is also running a non-SEV-ES vCPU, loading the host's value on #VMEXIT +could clobber the other vCPU's value, e.g. if the SEV-ES vCPU preempted +the non-SEV-ES vCPU, in which case KVM expects the other vCPU's TSC_AUX +value to be resident in hardware. + +Note, unlike TDX, which blindly _zeroes_ TSC_AUX on TD-Exit, SEV-ES CPUs +can load an arbitrary value. Stuff the current value in the host save +area instead of refreshing the user return cache so that KVM doesn't need +to track whether or not the vCPU actually enterred the guest and thus +loaded TSC_AUX from the host save area. + +Opportunistically tag tsc_aux_uret_slot as read-only after init to guard +against unexpected modifications, and to make it obvious that using the +variable in sev_es_prepare_switch_to_guest() is safe. + +Fixes: 916e3e5f26ab ("KVM: SVM: Do not use user return MSR support for virtualized TSC_AUX") +Cc: stable@vger.kernel.org +Suggested-by: Lai Jiangshan +Signed-off-by: Hou Wenlong +[sean: handle the SEV-ES case in sev_es_prepare_switch_to_guest()] +Reviewed-by: Xiaoyao Li +Link: https://lore.kernel.org/r/20250923153738.1875174-3-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/sev.c | 10 ++++++++++ + arch/x86/kvm/svm/svm.c | 25 ++++++------------------- + arch/x86/kvm/svm/svm.h | 2 ++ + 3 files changed, 18 insertions(+), 19 deletions(-) + +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -4618,6 +4618,16 @@ void sev_es_prepare_switch_to_guest(stru + hostsa->dr2_addr_mask = amd_get_dr_addr_mask(2); + hostsa->dr3_addr_mask = amd_get_dr_addr_mask(3); + } ++ ++ /* ++ * TSC_AUX is always virtualized for SEV-ES guests when the feature is ++ * available, i.e. TSC_AUX is loaded on #VMEXIT from the host save area. ++ * Set the save area to the current hardware value, i.e. the current ++ * user return value, so that the correct value is restored on #VMEXIT. ++ */ ++ if (cpu_feature_enabled(X86_FEATURE_V_TSC_AUX) && ++ !WARN_ON_ONCE(tsc_aux_uret_slot < 0)) ++ hostsa->tsc_aux = kvm_get_user_return_msr(tsc_aux_uret_slot); + } + + void sev_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, u8 vector) +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -195,7 +195,7 @@ static DEFINE_MUTEX(vmcb_dump_mutex); + * RDTSCP and RDPID are not used in the kernel, specifically to allow KVM to + * defer the restoration of TSC_AUX until the CPU returns to userspace. + */ +-static int tsc_aux_uret_slot __read_mostly = -1; ++int tsc_aux_uret_slot __ro_after_init = -1; + + static int get_npt_level(void) + { +@@ -577,18 +577,6 @@ static int svm_enable_virtualization_cpu + + amd_pmu_enable_virt(); + +- /* +- * If TSC_AUX virtualization is supported, TSC_AUX becomes a swap type +- * "B" field (see sev_es_prepare_switch_to_guest()) for SEV-ES guests. +- * Since Linux does not change the value of TSC_AUX once set, prime the +- * TSC_AUX field now to avoid a RDMSR on every vCPU run. +- */ +- if (boot_cpu_has(X86_FEATURE_V_TSC_AUX)) { +- u32 __maybe_unused msr_hi; +- +- rdmsr(MSR_TSC_AUX, sev_es_host_save_area(sd)->tsc_aux, msr_hi); +- } +- + return 0; + } + +@@ -1423,10 +1411,10 @@ static void svm_prepare_switch_to_guest( + __svm_write_tsc_multiplier(vcpu->arch.tsc_scaling_ratio); + + /* +- * TSC_AUX is always virtualized for SEV-ES guests when the feature is +- * available. The user return MSR support is not required in this case +- * because TSC_AUX is restored on #VMEXIT from the host save area +- * (which has been initialized in svm_enable_virtualization_cpu()). ++ * TSC_AUX is always virtualized (context switched by hardware) for ++ * SEV-ES guests when the feature is available. For non-SEV-ES guests, ++ * context switch TSC_AUX via the user_return MSR infrastructure (not ++ * all CPUs support TSC_AUX virtualization). + */ + if (likely(tsc_aux_uret_slot >= 0) && + (!boot_cpu_has(X86_FEATURE_V_TSC_AUX) || !sev_es_guest(vcpu->kvm))) +@@ -3021,8 +3009,7 @@ static int svm_set_msr(struct kvm_vcpu * + * TSC_AUX is always virtualized for SEV-ES guests when the + * feature is available. The user return MSR support is not + * required in this case because TSC_AUX is restored on #VMEXIT +- * from the host save area (which has been initialized in +- * svm_enable_virtualization_cpu()). ++ * from the host save area. + */ + if (boot_cpu_has(X86_FEATURE_V_TSC_AUX) && sev_es_guest(vcpu->kvm)) + break; +--- a/arch/x86/kvm/svm/svm.h ++++ b/arch/x86/kvm/svm/svm.h +@@ -52,6 +52,8 @@ extern bool x2avic_enabled; + extern bool vnmi; + extern int lbrv; + ++extern int tsc_aux_uret_slot __ro_after_init; ++ + /* + * Clean bits in VMCB. + * VMCB_ALL_CLEAN_MASK might also need to diff --git a/queue-6.17/kvm-tdx-fix-uninitialized-error-code-for-__tdx_bringup.patch b/queue-6.17/kvm-tdx-fix-uninitialized-error-code-for-__tdx_bringup.patch new file mode 100644 index 0000000000..ad29cd372d --- /dev/null +++ b/queue-6.17/kvm-tdx-fix-uninitialized-error-code-for-__tdx_bringup.patch @@ -0,0 +1,64 @@ +From 510c47f165f0c1f0b57329a30a9a797795519831 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Thu, 18 Sep 2025 08:32:25 +0300 +Subject: KVM: TDX: Fix uninitialized error code for __tdx_bringup() + +From: Tony Lindgren + +commit 510c47f165f0c1f0b57329a30a9a797795519831 upstream. + +Fix a Smatch static checker warning reported by Dan: + + arch/x86/kvm/vmx/tdx.c:3464 __tdx_bringup() + warn: missing error code 'r' + +Initialize r to -EINVAL before tdx_get_sysinfo() to simplify the code and +to prevent similar issues from sneaking in later on as suggested by Kai. + +Cc: stable@vger.kernel.org +Reported-by: Dan Carpenter +Fixes: 61bb28279623 ("KVM: TDX: Get system-wide info about TDX module on initialization") +Suggested-by: Kai Huang +Reviewed-by: Kai Huang +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20250918053226.802204-1-tony.lindgren@linux.intel.com +[sean: tag for stable] +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/tdx.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/arch/x86/kvm/vmx/tdx.c ++++ b/arch/x86/kvm/vmx/tdx.c +@@ -3457,12 +3457,11 @@ static int __init __tdx_bringup(void) + if (r) + goto tdx_bringup_err; + ++ r = -EINVAL; + /* Get TDX global information for later use */ + tdx_sysinfo = tdx_get_sysinfo(); +- if (WARN_ON_ONCE(!tdx_sysinfo)) { +- r = -EINVAL; ++ if (WARN_ON_ONCE(!tdx_sysinfo)) + goto get_sysinfo_err; +- } + + /* Check TDX module and KVM capabilities */ + if (!tdx_get_supported_attrs(&tdx_sysinfo->td_conf) || +@@ -3505,14 +3504,11 @@ static int __init __tdx_bringup(void) + if (td_conf->max_vcpus_per_td < num_present_cpus()) { + pr_err("Disable TDX: MAX_VCPU_PER_TD (%u) smaller than number of logical CPUs (%u).\n", + td_conf->max_vcpus_per_td, num_present_cpus()); +- r = -EINVAL; + goto get_sysinfo_err; + } + +- if (misc_cg_set_capacity(MISC_CG_RES_TDX, tdx_get_nr_guest_keyids())) { +- r = -EINVAL; ++ if (misc_cg_set_capacity(MISC_CG_RES_TDX, tdx_get_nr_guest_keyids())) + goto get_sysinfo_err; +- } + + /* + * Leave hardware virtualization enabled after TDX is enabled diff --git a/queue-6.17/media-cec-extron-da-hd-4k-plus-drop-external-module-make-commands.patch b/queue-6.17/media-cec-extron-da-hd-4k-plus-drop-external-module-make-commands.patch new file mode 100644 index 0000000000..8585aebd69 --- /dev/null +++ b/queue-6.17/media-cec-extron-da-hd-4k-plus-drop-external-module-make-commands.patch @@ -0,0 +1,37 @@ +From d5d12cc03e501c38925e544abe44d5bfe23dc930 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Tue, 22 Jul 2025 17:12:00 -0700 +Subject: media: cec: extron-da-hd-4k-plus: drop external-module make commands + +From: Randy Dunlap + +commit d5d12cc03e501c38925e544abe44d5bfe23dc930 upstream. + +Delete the external-module style Makefile commands. They are not needed +for in-tree modules. + +This is the only Makefile in the kernel tree (aside from tools/ and +samples/) that uses this Makefile style. + +The same files are built with or without this patch. + +Fixes: 056f2821b631 ("media: cec: extron-da-hd-4k-plus: add the Extron DA HD 4K Plus CEC driver") +Signed-off-by: Randy Dunlap +Cc: stable@vger.kernel.org +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/usb/extron-da-hd-4k-plus/Makefile | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/media/cec/usb/extron-da-hd-4k-plus/Makefile ++++ b/drivers/media/cec/usb/extron-da-hd-4k-plus/Makefile +@@ -1,8 +1,2 @@ + extron-da-hd-4k-plus-cec-objs := extron-da-hd-4k-plus.o cec-splitter.o + obj-$(CONFIG_USB_EXTRON_DA_HD_4K_PLUS_CEC) := extron-da-hd-4k-plus-cec.o +- +-all: +- $(MAKE) -C $(KDIR) M=$(shell pwd) modules +- +-install: +- $(MAKE) -C $(KDIR) M=$(shell pwd) modules_install diff --git a/queue-6.17/media-cx18-add-missing-check-after-dma-map.patch b/queue-6.17/media-cx18-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..fbd3e96cae --- /dev/null +++ b/queue-6.17/media-cx18-add-missing-check-after-dma-map.patch @@ -0,0 +1,49 @@ +From 23b53639a793477326fd57ed103823a8ab63084f Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 9 Jul 2025 13:35:40 +0200 +Subject: media: cx18: Add missing check after DMA map + +From: Thomas Fourier + +commit 23b53639a793477326fd57ed103823a8ab63084f upstream. + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, dealloc buffers, and return. + +Fixes: 1c1e45d17b66 ("V4L/DVB (7786): cx18: new driver for the Conexant CX23418 MPEG encoder chip") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/cx18/cx18-queue.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/media/pci/cx18/cx18-queue.c ++++ b/drivers/media/pci/cx18/cx18-queue.c +@@ -379,15 +379,22 @@ int cx18_stream_alloc(struct cx18_stream + break; + } + ++ buf->dma_handle = dma_map_single(&s->cx->pci_dev->dev, ++ buf->buf, s->buf_size, ++ s->dma); ++ if (dma_mapping_error(&s->cx->pci_dev->dev, buf->dma_handle)) { ++ kfree(buf->buf); ++ kfree(mdl); ++ kfree(buf); ++ break; ++ } ++ + INIT_LIST_HEAD(&mdl->list); + INIT_LIST_HEAD(&mdl->buf_list); + mdl->id = s->mdl_base_idx; /* a somewhat safe value */ + cx18_enqueue(s, mdl, &s->q_idle); + + INIT_LIST_HEAD(&buf->list); +- buf->dma_handle = dma_map_single(&s->cx->pci_dev->dev, +- buf->buf, s->buf_size, +- s->dma); + cx18_buf_sync_for_cpu(s, buf); + list_add_tail(&buf->list, &s->buf_pool); + } diff --git a/queue-6.17/media-i2c-mt9p031-fix-mbus-code-initialization.patch b/queue-6.17/media-i2c-mt9p031-fix-mbus-code-initialization.patch new file mode 100644 index 0000000000..c70e022ed1 --- /dev/null +++ b/queue-6.17/media-i2c-mt9p031-fix-mbus-code-initialization.patch @@ -0,0 +1,47 @@ +From 075710b670d96cf9edca1894abecba7402fe4f34 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 24 Apr 2025 11:27:30 +0200 +Subject: media: i2c: mt9p031: fix mbus code initialization + +From: Hans Verkuil + +commit 075710b670d96cf9edca1894abecba7402fe4f34 upstream. + +The mediabus code is device dependent, but the probe() function +thought that device_get_match_data() would return the code directly, +when in fact it returned a pointer to a struct mt9p031_model_info. + +As a result, the initial mbus code was garbage. + +Tested with a BeagleBoard xM and a Leopard Imaging LI-5M03 sensor board. + +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Tested-by: Hans Verkuil +Fixes: a80b1bbff88b ("media: mt9p031: Refactor format handling for different sensor models") +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/mt9p031.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/i2c/mt9p031.c ++++ b/drivers/media/i2c/mt9p031.c +@@ -1092,6 +1092,7 @@ static int mt9p031_parse_properties(stru + static int mt9p031_probe(struct i2c_client *client) + { + struct i2c_adapter *adapter = client->adapter; ++ const struct mt9p031_model_info *info; + struct mt9p031 *mt9p031; + unsigned int i; + int ret; +@@ -1112,7 +1113,8 @@ static int mt9p031_probe(struct i2c_clie + + mt9p031->output_control = MT9P031_OUTPUT_CONTROL_DEF; + mt9p031->mode2 = MT9P031_READ_MODE_2_ROW_BLC; +- mt9p031->code = (uintptr_t)device_get_match_data(&client->dev); ++ info = device_get_match_data(&client->dev); ++ mt9p031->code = info->code; + + mt9p031->regulators[0].supply = "vdd"; + mt9p031->regulators[1].supply = "vdd_io"; diff --git a/queue-6.17/media-i2c-mt9v111-fix-incorrect-type-for-ret.patch b/queue-6.17/media-i2c-mt9v111-fix-incorrect-type-for-ret.patch new file mode 100644 index 0000000000..f5743393d6 --- /dev/null +++ b/queue-6.17/media-i2c-mt9v111-fix-incorrect-type-for-ret.patch @@ -0,0 +1,41 @@ +From bacd713145443dce7764bb2967d30832a95e5ec8 Mon Sep 17 00:00:00 2001 +From: Qianfeng Rong +Date: Wed, 27 Aug 2025 20:39:10 +0800 +Subject: media: i2c: mt9v111: fix incorrect type for ret + +From: Qianfeng Rong + +commit bacd713145443dce7764bb2967d30832a95e5ec8 upstream. + +Change "ret" from unsigned int to int type in mt9v111_calc_frame_rate() +to store negative error codes or zero returned by __mt9v111_hw_reset() +and other functions. + +Storing the negative error codes in unsigned type, doesn't cause an issue +at runtime but it's ugly as pants. + +No effect on runtime. + +Signed-off-by: Qianfeng Rong +Fixes: aab7ed1c3927 ("media: i2c: Add driver for Aptina MT9V111") +Cc: stable@vger.kernel.org +Reviewed-by: Jacopo Mondi +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/mt9v111.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/mt9v111.c ++++ b/drivers/media/i2c/mt9v111.c +@@ -532,8 +532,8 @@ static int mt9v111_calc_frame_rate(struc + static int mt9v111_hw_config(struct mt9v111_dev *mt9v111) + { + struct i2c_client *c = mt9v111->client; +- unsigned int ret; + u16 outfmtctrl2; ++ int ret; + + /* Force device reset. */ + ret = __mt9v111_hw_reset(mt9v111); diff --git a/queue-6.17/media-lirc-fix-error-handling-in-lirc_register.patch b/queue-6.17/media-lirc-fix-error-handling-in-lirc_register.patch new file mode 100644 index 0000000000..9bf41ef92b --- /dev/null +++ b/queue-6.17/media-lirc-fix-error-handling-in-lirc_register.patch @@ -0,0 +1,52 @@ +From 4f4098c57e139ad972154077fb45c3e3141555dd Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Fri, 18 Jul 2025 17:50:54 +0800 +Subject: media: lirc: Fix error handling in lirc_register() + +From: Ma Ke + +commit 4f4098c57e139ad972154077fb45c3e3141555dd upstream. + +When cdev_device_add() failed, calling put_device() to explicitly +release dev->lirc_dev. Otherwise, it could cause the fault of the +reference count. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: a6ddd4fecbb0 ("media: lirc: remove last remnants of lirc kapi") +Signed-off-by: Ma Ke +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/lirc_dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/media/rc/lirc_dev.c ++++ b/drivers/media/rc/lirc_dev.c +@@ -736,11 +736,11 @@ int lirc_register(struct rc_dev *dev) + + cdev_init(&dev->lirc_cdev, &lirc_fops); + ++ get_device(&dev->dev); ++ + err = cdev_device_add(&dev->lirc_cdev, &dev->lirc_dev); + if (err) +- goto out_ida; +- +- get_device(&dev->dev); ++ goto out_put_device; + + switch (dev->driver_type) { + case RC_DRIVER_SCANCODE: +@@ -764,7 +764,8 @@ int lirc_register(struct rc_dev *dev) + + return 0; + +-out_ida: ++out_put_device: ++ put_device(&dev->lirc_dev); + ida_free(&lirc_ida, minor); + return err; + } diff --git a/queue-6.17/media-mc-fix-must_connect-handling-for-pads-with-no-links.patch b/queue-6.17/media-mc-fix-must_connect-handling-for-pads-with-no-links.patch new file mode 100644 index 0000000000..d575a88a70 --- /dev/null +++ b/queue-6.17/media-mc-fix-must_connect-handling-for-pads-with-no-links.patch @@ -0,0 +1,47 @@ +From eec81250219a209b863f11d02128ec1dd8e20877 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Wed, 20 Aug 2025 17:00:20 +0300 +Subject: media: mc: Fix MUST_CONNECT handling for pads with no links +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Laurent Pinchart + +commit eec81250219a209b863f11d02128ec1dd8e20877 upstream. + +Commit b3decc5ce7d7 ("media: mc: Expand MUST_CONNECT flag to always +require an enabled link") expanded the meaning of the MUST_CONNECT flag +to require an enabled link in all cases. To do so, the link exploration +code was expanded to cover unconnected pads, in order to reject those +that have the MUST_CONNECT flag set. The implementation was however +incorrect, ignoring unconnected pads instead of ignoring connected pads. +Fix it. + +Reported-by: Martin Kepplinger-Novaković +Closes: https://lore.kernel.org/linux-media/20250205172957.182362-1-martink@posteo.de +Reported-by: Maud Spierings +Closes: https://lore.kernel.org/linux-media/20250818-imx8_isi-v1-1-e9cfe994c435@gocontroll.com +Fixes: b3decc5ce7d7 ("media: mc: Expand MUST_CONNECT flag to always require an enabled link") +Cc: stable@vger.kernel.org # 6.1 +Signed-off-by: Laurent Pinchart +Tested-by: Maud Spierings +Tested-by: Martin Kepplinger-Novaković +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/mc/mc-entity.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/mc/mc-entity.c ++++ b/drivers/media/mc/mc-entity.c +@@ -691,7 +691,7 @@ done: + * (already discovered through iterating over links) and pads + * not internally connected. + */ +- if (origin == local || !local->num_links || ++ if (origin == local || local->num_links || + !media_entity_has_pad_interdep(origin->entity, origin->index, + local->index)) + continue; diff --git a/queue-6.17/media-pci-ivtv-add-missing-check-after-dma-map.patch b/queue-6.17/media-pci-ivtv-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..d24a60d872 --- /dev/null +++ b/queue-6.17/media-pci-ivtv-add-missing-check-after-dma-map.patch @@ -0,0 +1,59 @@ +From 1069a4fe637d0e3e4c163e3f8df9be306cc299b4 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 16 Jul 2025 15:26:30 +0200 +Subject: media: pci: ivtv: Add missing check after DMA map + +From: Thomas Fourier + +commit 1069a4fe637d0e3e4c163e3f8df9be306cc299b4 upstream. + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, free blanking_ptr and set it to 0. As 0 is a +valid DMA address, use blanking_ptr to test if the DMA address +is set. + +Fixes: 1a0adaf37c30 ("V4L/DVB (5345): ivtv driver for Conexant cx23416/cx23415 MPEG encoder/decoder") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/ivtv/ivtv-irq.c | 2 +- + drivers/media/pci/ivtv/ivtv-yuv.c | 8 +++++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/pci/ivtv/ivtv-irq.c ++++ b/drivers/media/pci/ivtv/ivtv-irq.c +@@ -351,7 +351,7 @@ void ivtv_dma_stream_dec_prepare(struct + + /* Insert buffer block for YUV if needed */ + if (s->type == IVTV_DEC_STREAM_TYPE_YUV && f->offset_y) { +- if (yi->blanking_dmaptr) { ++ if (yi->blanking_ptr) { + s->sg_pending[idx].src = yi->blanking_dmaptr; + s->sg_pending[idx].dst = offset; + s->sg_pending[idx].size = 720 * 16; +--- a/drivers/media/pci/ivtv/ivtv-yuv.c ++++ b/drivers/media/pci/ivtv/ivtv-yuv.c +@@ -125,7 +125,7 @@ static int ivtv_yuv_prep_user_dma(struct + ivtv_udma_fill_sg_array(dma, y_buffer_offset, uv_buffer_offset, y_size); + + /* If we've offset the y plane, ensure top area is blanked */ +- if (f->offset_y && yi->blanking_dmaptr) { ++ if (f->offset_y && yi->blanking_ptr) { + dma->SGarray[dma->SG_length].size = cpu_to_le32(720*16); + dma->SGarray[dma->SG_length].src = cpu_to_le32(yi->blanking_dmaptr); + dma->SGarray[dma->SG_length].dst = cpu_to_le32(IVTV_DECODER_OFFSET + yuv_offset[frame]); +@@ -929,6 +929,12 @@ static void ivtv_yuv_init(struct ivtv *i + yi->blanking_dmaptr = dma_map_single(&itv->pdev->dev, + yi->blanking_ptr, + 720 * 16, DMA_TO_DEVICE); ++ if (dma_mapping_error(&itv->pdev->dev, yi->blanking_dmaptr)) { ++ kfree(yi->blanking_ptr); ++ yi->blanking_ptr = NULL; ++ yi->blanking_dmaptr = 0; ++ IVTV_DEBUG_WARN("Failed to dma_map yuv blanking buffer\n"); ++ } + } else { + yi->blanking_dmaptr = 0; + IVTV_DEBUG_WARN("Failed to allocate yuv blanking buffer\n"); diff --git a/queue-6.17/media-pci-mg4b-fix-uninitialized-iio-scan-data.patch b/queue-6.17/media-pci-mg4b-fix-uninitialized-iio-scan-data.patch new file mode 100644 index 0000000000..e6df2e7668 --- /dev/null +++ b/queue-6.17/media-pci-mg4b-fix-uninitialized-iio-scan-data.patch @@ -0,0 +1,33 @@ +From c0d3f6969bb4d72476cfe7ea9263831f1c283704 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Tue, 22 Jul 2025 17:05:46 -0500 +Subject: media: pci: mg4b: fix uninitialized iio scan data + +From: David Lechner + +commit c0d3f6969bb4d72476cfe7ea9263831f1c283704 upstream. + +Fix potential leak of uninitialized stack data to userspace by ensuring +that the `scan` structure is zeroed before use. + +Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver") +Cc: stable@vger.kernel.org +Signed-off-by: David Lechner +Reviewed-by: Jonathan Cameron +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/mgb4/mgb4_trigger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/pci/mgb4/mgb4_trigger.c ++++ b/drivers/media/pci/mgb4/mgb4_trigger.c +@@ -91,7 +91,7 @@ static irqreturn_t trigger_handler(int i + struct { + u32 data; + s64 ts __aligned(8); +- } scan; ++ } scan = { }; + + scan.data = mgb4_read_reg(&st->mgbdev->video, 0xA0); + mgb4_write_reg(&st->mgbdev->video, 0xA0, scan.data); diff --git a/queue-6.17/media-platform-mtk-mdp3-add-missing-mt8188-compatible-to-comp_dt_ids.patch b/queue-6.17/media-platform-mtk-mdp3-add-missing-mt8188-compatible-to-comp_dt_ids.patch new file mode 100644 index 0000000000..5fc9caa77e --- /dev/null +++ b/queue-6.17/media-platform-mtk-mdp3-add-missing-mt8188-compatible-to-comp_dt_ids.patch @@ -0,0 +1,49 @@ +From bbcc6d16dea4b5c878d56a8d25daf996c6b8a1d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?= + +Date: Fri, 6 Jun 2025 09:14:22 -0400 +Subject: media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +commit bbcc6d16dea4b5c878d56a8d25daf996c6b8a1d4 upstream. + +Commit 4a81656c8eaa ("arm64: dts: mediatek: mt8188: Address binding +warnings for MDP3 nodes") caused a regression on the MDP functionality +when it removed the MT8195 compatibles from the MDP3 nodes, since the +MT8188 compatible was not yet listed as a possible MDP component +compatible in mdp_comp_dt_ids. This resulted in an empty output +bitstream when using the MDP from userspace, as well as the following +errors: + + mtk-mdp3 14001000.dma-controller: Uninit component inner id 4 + mtk-mdp3 14001000.dma-controller: mdp_path_ctx_init error 0 + mtk-mdp3 14001000.dma-controller: CMDQ sendtask failed: -22 + +Add the missing compatible to the array to restore functionality. + +Fixes: 4a81656c8eaa ("arm64: dts: mediatek: mt8188: Address binding warnings for MDP3 nodes") +Cc: stable@vger.kernel.org +Signed-off-by: Nícolas F. R. A. Prado +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c ++++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-comp.c +@@ -1530,6 +1530,9 @@ static const struct of_device_id mdp_com + }, { + .compatible = "mediatek,mt8195-mdp3-tcc", + .data = (void *)MDP_COMP_TYPE_TCC, ++ }, { ++ .compatible = "mediatek,mt8188-mdp3-rdma", ++ .data = (void *)MDP_COMP_TYPE_RDMA, + }, + {} + }; diff --git a/queue-6.17/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch b/queue-6.17/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch new file mode 100644 index 0000000000..ebd87ecbc3 --- /dev/null +++ b/queue-6.17/media-s5p-mfc-remove-an-unused-uninitialized-variable.patch @@ -0,0 +1,130 @@ +From 7fa37ba25a1dfc084e24ea9acc14bf1fad8af14c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 7 Aug 2025 22:54:15 +0200 +Subject: media: s5p-mfc: remove an unused/uninitialized variable + +From: Arnd Bergmann + +commit 7fa37ba25a1dfc084e24ea9acc14bf1fad8af14c upstream. + +The s5p_mfc_cmd_args structure in the v6 driver is never used, not +initialized to anything other than zero, but as of clang-21 this +causes a warning: + +drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c:45:7: error: variable 'h2r_args' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] + 45 | &h2r_args); + | ^~~~~~~~ + +Just remove this for simplicity. Since the function is also called +through a callback, this does require adding a trivial wrapper with +the correct prototype. + +Fixes: f96f3cfa0bb8 ("[media] s5p-mfc: Update MFC v4l2 driver to support MFC6.x") +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c | 35 +++++----------- + 1 file changed, 13 insertions(+), 22 deletions(-) + +--- a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c ++++ b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc_cmd_v6.c +@@ -14,8 +14,7 @@ + #include "s5p_mfc_opr.h" + #include "s5p_mfc_cmd_v6.h" + +-static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd, +- const struct s5p_mfc_cmd_args *args) ++static int s5p_mfc_cmd_host2risc_v6(struct s5p_mfc_dev *dev, int cmd) + { + mfc_debug(2, "Issue the command: %d\n", cmd); + +@@ -31,7 +30,6 @@ static int s5p_mfc_cmd_host2risc_v6(stru + + static int s5p_mfc_sys_init_cmd_v6(struct s5p_mfc_dev *dev) + { +- struct s5p_mfc_cmd_args h2r_args; + const struct s5p_mfc_buf_size_v6 *buf_size = dev->variant->buf_size->priv; + int ret; + +@@ -41,33 +39,23 @@ static int s5p_mfc_sys_init_cmd_v6(struc + + mfc_write(dev, dev->ctx_buf.dma, S5P_FIMV_CONTEXT_MEM_ADDR_V6); + mfc_write(dev, buf_size->dev_ctx, S5P_FIMV_CONTEXT_MEM_SIZE_V6); +- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6, +- &h2r_args); ++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SYS_INIT_V6); + } + + static int s5p_mfc_sleep_cmd_v6(struct s5p_mfc_dev *dev) + { +- struct s5p_mfc_cmd_args h2r_args; +- +- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args)); +- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6, +- &h2r_args); ++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_SLEEP_V6); + } + + static int s5p_mfc_wakeup_cmd_v6(struct s5p_mfc_dev *dev) + { +- struct s5p_mfc_cmd_args h2r_args; +- +- memset(&h2r_args, 0, sizeof(struct s5p_mfc_cmd_args)); +- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6, +- &h2r_args); ++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_WAKEUP_V6); + } + + /* Open a new instance and get its number */ + static int s5p_mfc_open_inst_cmd_v6(struct s5p_mfc_ctx *ctx) + { + struct s5p_mfc_dev *dev = ctx->dev; +- struct s5p_mfc_cmd_args h2r_args; + int codec_type; + + mfc_debug(2, "Requested codec mode: %d\n", ctx->codec_mode); +@@ -129,23 +117,20 @@ static int s5p_mfc_open_inst_cmd_v6(stru + mfc_write(dev, ctx->ctx.size, S5P_FIMV_CONTEXT_MEM_SIZE_V6); + mfc_write(dev, 0, S5P_FIMV_D_CRC_CTRL_V6); /* no crc */ + +- return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6, +- &h2r_args); ++ return s5p_mfc_cmd_host2risc_v6(dev, S5P_FIMV_H2R_CMD_OPEN_INSTANCE_V6); + } + + /* Close instance */ + static int s5p_mfc_close_inst_cmd_v6(struct s5p_mfc_ctx *ctx) + { + struct s5p_mfc_dev *dev = ctx->dev; +- struct s5p_mfc_cmd_args h2r_args; + int ret = 0; + + dev->curr_ctx = ctx->num; + if (ctx->state != MFCINST_FREE) { + mfc_write(dev, ctx->inst_no, S5P_FIMV_INSTANCE_ID_V6); + ret = s5p_mfc_cmd_host2risc_v6(dev, +- S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6, +- &h2r_args); ++ S5P_FIMV_H2R_CMD_CLOSE_INSTANCE_V6); + } else { + ret = -EINVAL; + } +@@ -153,9 +138,15 @@ static int s5p_mfc_close_inst_cmd_v6(str + return ret; + } + ++static int s5p_mfc_cmd_host2risc_v6_args(struct s5p_mfc_dev *dev, int cmd, ++ const struct s5p_mfc_cmd_args *ignored) ++{ ++ return s5p_mfc_cmd_host2risc_v6(dev, cmd); ++} ++ + /* Initialize cmd function pointers for MFC v6 */ + static const struct s5p_mfc_hw_cmds s5p_mfc_cmds_v6 = { +- .cmd_host2risc = s5p_mfc_cmd_host2risc_v6, ++ .cmd_host2risc = s5p_mfc_cmd_host2risc_v6_args, + .sys_init_cmd = s5p_mfc_sys_init_cmd_v6, + .sleep_cmd = s5p_mfc_sleep_cmd_v6, + .wakeup_cmd = s5p_mfc_wakeup_cmd_v6, diff --git a/queue-6.17/media-staging-ipu7-fix-isys-device-runtime-pm-usage-in-firmware-closing.patch b/queue-6.17/media-staging-ipu7-fix-isys-device-runtime-pm-usage-in-firmware-closing.patch new file mode 100644 index 0000000000..fe24ba4fa5 --- /dev/null +++ b/queue-6.17/media-staging-ipu7-fix-isys-device-runtime-pm-usage-in-firmware-closing.patch @@ -0,0 +1,35 @@ +From 895d3b4b5832edefd2f1fbad9d75c0179f47fe0e Mon Sep 17 00:00:00 2001 +From: Bingbu Cao +Date: Tue, 9 Sep 2025 14:01:53 +0800 +Subject: media: staging/ipu7: fix isys device runtime PM usage in firmware closing + +From: Bingbu Cao + +commit 895d3b4b5832edefd2f1fbad9d75c0179f47fe0e upstream. + +The PM usage counter of isys was bumped up when start camera stream +(opening firmware) but it was not dropped after stream stop(closing +firmware), it forbids system fail to suspend due to the wrong PM state +of ISYS. This patch drop the PM usage counter in firmware close to fix +it. + +Cc: Stable@vger.kernel.org +Fixes: a516d36bdc3d ("media: staging/ipu7: add IPU7 input system device driver") +Signed-off-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/ipu7/ipu7-isys-video.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/media/ipu7/ipu7-isys-video.c ++++ b/drivers/staging/media/ipu7/ipu7-isys-video.c +@@ -946,6 +946,7 @@ void ipu7_isys_fw_close(struct ipu7_isys + ipu7_fw_isys_close(isys); + + mutex_unlock(&isys->mutex); ++ pm_runtime_put(&isys->adev->auxdev.dev); + } + + int ipu7_isys_setup_video(struct ipu7_isys_video *av, diff --git a/queue-6.17/media-ti-j721e-csi2rx-fix-source-subdev-link-creation.patch b/queue-6.17/media-ti-j721e-csi2rx-fix-source-subdev-link-creation.patch new file mode 100644 index 0000000000..adc612eb59 --- /dev/null +++ b/queue-6.17/media-ti-j721e-csi2rx-fix-source-subdev-link-creation.patch @@ -0,0 +1,56 @@ +From 3e743cd0a73246219da117ee99061aad51c4748c Mon Sep 17 00:00:00 2001 +From: Jai Luthra +Date: Mon, 11 Aug 2025 13:50:15 +0530 +Subject: media: ti: j721e-csi2rx: Fix source subdev link creation + +From: Jai Luthra + +commit 3e743cd0a73246219da117ee99061aad51c4748c upstream. + +We don't use OF ports and remote-endpoints to connect the CSI2RX bridge +and this device in the device tree, thus it is wrong to use +v4l2_create_fwnode_links_to_pad() to create the media graph link between +the two. + +It works out on accident, as neither the source nor the sink implement +the .get_fwnode_pad() callback, and the framework helper falls back on +using the first source and sink pads to create the link between them. + +Instead, manually create the media link from the first source pad of the +bridge to the first sink pad of the J721E CSI2RX. + +Fixes: b4a3d877dc92 ("media: ti: Add CSI2RX support for J721E") +Cc: stable@vger.kernel.org +Reviewed-by: Devarsh Thakkar +Tested-by: Yemike Abhilash Chandra (on SK-AM68) +Signed-off-by: Jai Luthra +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c ++++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c +@@ -52,6 +52,8 @@ + #define DRAIN_TIMEOUT_MS 50 + #define DRAIN_BUFFER_SIZE SZ_32K + ++#define CSI2RX_BRIDGE_SOURCE_PAD 1 ++ + struct ti_csi2rx_fmt { + u32 fourcc; /* Four character code. */ + u32 code; /* Mbus code. */ +@@ -426,8 +428,9 @@ static int csi_async_notifier_complete(s + if (ret) + return ret; + +- ret = v4l2_create_fwnode_links_to_pad(csi->source, &csi->pad, +- MEDIA_LNK_FL_IMMUTABLE | MEDIA_LNK_FL_ENABLED); ++ ret = media_create_pad_link(&csi->source->entity, CSI2RX_BRIDGE_SOURCE_PAD, ++ &vdev->entity, csi->pad.index, ++ MEDIA_LNK_FL_IMMUTABLE | MEDIA_LNK_FL_ENABLED); + + if (ret) { + video_unregister_device(vdev); diff --git a/queue-6.17/media-ti-j721e-csi2rx-use-devm_of_platform_populate.patch b/queue-6.17/media-ti-j721e-csi2rx-use-devm_of_platform_populate.patch new file mode 100644 index 0000000000..c6f4f52530 --- /dev/null +++ b/queue-6.17/media-ti-j721e-csi2rx-use-devm_of_platform_populate.patch @@ -0,0 +1,37 @@ +From 072799db233f9de90a62be54c1e59275c2db3969 Mon Sep 17 00:00:00 2001 +From: Jai Luthra +Date: Mon, 11 Aug 2025 13:50:13 +0530 +Subject: media: ti: j721e-csi2rx: Use devm_of_platform_populate + +From: Jai Luthra + +commit 072799db233f9de90a62be54c1e59275c2db3969 upstream. + +Ensure that we clean up the platform bus when we remove this driver. + +This fixes a crash seen when reloading the module for the child device +with the parent not yet reloaded. + +Fixes: b4a3d877dc92 ("media: ti: Add CSI2RX support for J721E") +Cc: stable@vger.kernel.org +Reviewed-by: Devarsh Thakkar +Tested-by: Yemike Abhilash Chandra (on SK-AM68) +Signed-off-by: Jai Luthra +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c ++++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c +@@ -1120,7 +1120,7 @@ static int ti_csi2rx_probe(struct platfo + if (ret) + goto err_vb2q; + +- ret = of_platform_populate(csi->dev->of_node, NULL, NULL, csi->dev); ++ ret = devm_of_platform_populate(csi->dev); + if (ret) { + dev_err(csi->dev, "Failed to create children: %d\n", ret); + goto err_subdev; diff --git a/queue-6.17/media-uvcvideo-avoid-variable-shadowing-in-uvc_ctrl_cleanup_fh.patch b/queue-6.17/media-uvcvideo-avoid-variable-shadowing-in-uvc_ctrl_cleanup_fh.patch new file mode 100644 index 0000000000..6fdb272f2d --- /dev/null +++ b/queue-6.17/media-uvcvideo-avoid-variable-shadowing-in-uvc_ctrl_cleanup_fh.patch @@ -0,0 +1,44 @@ +From f4da0de6b4b470a60c5c0cc4c09b0c987f9df35f Mon Sep 17 00:00:00 2001 +From: Desnes Nunes +Date: Tue, 8 Jul 2025 11:46:28 -0300 +Subject: media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh + +From: Desnes Nunes + +commit f4da0de6b4b470a60c5c0cc4c09b0c987f9df35f upstream. + +This avoids a variable loop shadowing occurring between the local loop +iterating through the uvc_entity's controls and the global one going +through the pending async controls of the file handle. + +Fixes: 10acb9101355 ("media: uvcvideo: Increase/decrease the PM counter per IOCTL") +Cc: stable@vger.kernel.org +Signed-off-by: Desnes Nunes +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans de Goede +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_ctrl.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -3307,7 +3307,6 @@ int uvc_ctrl_init_device(struct uvc_devi + void uvc_ctrl_cleanup_fh(struct uvc_fh *handle) + { + struct uvc_entity *entity; +- int i; + + guard(mutex)(&handle->chain->ctrl_mutex); + +@@ -3325,7 +3324,7 @@ void uvc_ctrl_cleanup_fh(struct uvc_fh * + if (!WARN_ON(handle->pending_async_ctrls)) + return; + +- for (i = 0; i < handle->pending_async_ctrls; i++) ++ for (unsigned int i = 0; i < handle->pending_async_ctrls; i++) + uvc_pm_put(handle->stream->dev); + } + diff --git a/queue-6.17/media-venus-firmware-use-correct-reset-sequence-for-iris2.patch b/queue-6.17/media-venus-firmware-use-correct-reset-sequence-for-iris2.patch new file mode 100644 index 0000000000..47614c08d5 --- /dev/null +++ b/queue-6.17/media-venus-firmware-use-correct-reset-sequence-for-iris2.patch @@ -0,0 +1,72 @@ +From 93f213b444a40f1e7a4383b499b65e782dcb14b9 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Wed, 20 Aug 2025 17:16:39 +0200 +Subject: media: venus: firmware: Use correct reset sequence for IRIS2 + +From: Stephan Gerhold + +commit 93f213b444a40f1e7a4383b499b65e782dcb14b9 upstream. + +When starting venus with the "no_tz" code path, IRIS2 needs the same +boot/reset sequence as IRIS2_1. This is because most of the registers were +moved to the "wrapper_tz_base", which is already defined for both IRIS2 and +IRIS2_1 inside core.c. Add IRIS2 to the checks inside firmware.c as well to +make sure that it uses the correct reset sequence. + +Both IRIS2 and IRIS2_1 are HFI v6 variants, so the correct sequence was +used before commit c38610f8981e ("media: venus: firmware: Sanitize +per-VPU-version"). + +Fixes: c38610f8981e ("media: venus: firmware: Sanitize per-VPU-version") +Cc: stable@vger.kernel.org +Signed-off-by: Stephan Gerhold +Reviewed-by: Vikash Garodia +Reviewed-by: Dikshita Agarwal +Reviewed-by: Bryan O'Donoghue +Reviewed-by: Dmitry Baryshkov +[bod: Fixed commit log IRIS -> IRIS2] +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/firmware.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/media/platform/qcom/venus/firmware.c ++++ b/drivers/media/platform/qcom/venus/firmware.c +@@ -30,7 +30,7 @@ static void venus_reset_cpu(struct venus + u32 fw_size = core->fw.mapped_mem_size; + void __iomem *wrapper_base; + +- if (IS_IRIS2_1(core)) ++ if (IS_IRIS2(core) || IS_IRIS2_1(core)) + wrapper_base = core->wrapper_tz_base; + else + wrapper_base = core->wrapper_base; +@@ -42,7 +42,7 @@ static void venus_reset_cpu(struct venus + writel(fw_size, wrapper_base + WRAPPER_NONPIX_START_ADDR); + writel(fw_size, wrapper_base + WRAPPER_NONPIX_END_ADDR); + +- if (IS_IRIS2_1(core)) { ++ if (IS_IRIS2(core) || IS_IRIS2_1(core)) { + /* Bring XTSS out of reset */ + writel(0, wrapper_base + WRAPPER_TZ_XTSS_SW_RESET); + } else { +@@ -68,7 +68,7 @@ int venus_set_hw_state(struct venus_core + if (resume) { + venus_reset_cpu(core); + } else { +- if (IS_IRIS2_1(core)) ++ if (IS_IRIS2(core) || IS_IRIS2_1(core)) + writel(WRAPPER_XTSS_SW_RESET_BIT, + core->wrapper_tz_base + WRAPPER_TZ_XTSS_SW_RESET); + else +@@ -181,7 +181,7 @@ static int venus_shutdown_no_tz(struct v + void __iomem *wrapper_base = core->wrapper_base; + void __iomem *wrapper_tz_base = core->wrapper_tz_base; + +- if (IS_IRIS2_1(core)) { ++ if (IS_IRIS2(core) || IS_IRIS2_1(core)) { + /* Assert the reset to XTSS */ + reg = readl(wrapper_tz_base + WRAPPER_TZ_XTSS_SW_RESET); + reg |= WRAPPER_XTSS_SW_RESET_BIT; diff --git a/queue-6.17/media-venus-pm_helpers-add-fallback-for-the-opp-table.patch b/queue-6.17/media-venus-pm_helpers-add-fallback-for-the-opp-table.patch new file mode 100644 index 0000000000..a8b6f7ae08 --- /dev/null +++ b/queue-6.17/media-venus-pm_helpers-add-fallback-for-the-opp-table.patch @@ -0,0 +1,58 @@ +From afb100a5ea7a13d7e6937dcd3b36b19dc6cc9328 Mon Sep 17 00:00:00 2001 +From: Renjiang Han +Date: Thu, 18 Sep 2025 17:31:08 +0530 +Subject: media: venus: pm_helpers: add fallback for the opp-table + +From: Renjiang Han + +commit afb100a5ea7a13d7e6937dcd3b36b19dc6cc9328 upstream. + +Since the device trees for both HFI_VERSION_1XX and HFI_VERSION_3XX +do not include an opp-table and have not configured opp-pmdomain, they +still need to use the frequencies defined in the driver's freq_tbl. + +Both core_power_v1 and core_power_v4 functions require core_clks_enable +function during POWER_ON. Therefore, in the core_clks_enable function, +if calling dev_pm_opp_find_freq_ceil to obtain the frequency fails, +it needs to fall back to the freq_tbl to retrieve the frequency. + +Fixes: b179234b5e59 ("media: venus: pm_helpers: use opp-table for the frequency") +Cc: stable@vger.kernel.org +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Bryan O'Donoghue +Reviewed-by: Vikash Garodia +Closes: https://lore.kernel.org/linux-media/CA+G9fYu5=3n84VY+vTbCAcfFKOq7Us5vgBZgpypY4MveM=eVwg@mail.gmail.com +Signed-off-by: Renjiang Han +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/pm_helpers.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/venus/pm_helpers.c ++++ b/drivers/media/platform/qcom/venus/pm_helpers.c +@@ -40,6 +40,8 @@ static int core_clks_get(struct venus_co + + static int core_clks_enable(struct venus_core *core) + { ++ const struct freq_tbl *freq_tbl = core->res->freq_tbl; ++ unsigned int freq_tbl_size = core->res->freq_tbl_size; + const struct venus_resources *res = core->res; + struct device *dev = core->dev; + unsigned long freq = 0; +@@ -48,8 +50,13 @@ static int core_clks_enable(struct venus + int ret; + + opp = dev_pm_opp_find_freq_ceil(dev, &freq); +- if (!IS_ERR(opp)) ++ if (IS_ERR(opp)) { ++ if (!freq_tbl) ++ return -ENODEV; ++ freq = freq_tbl[freq_tbl_size - 1].freq; ++ } else { + dev_pm_opp_put(opp); ++ } + + for (i = 0; i < res->clks_num; i++) { + if (IS_V6(core)) { diff --git a/queue-6.17/media-vivid-fix-disappearing-vendor-command-with-id-messages.patch b/queue-6.17/media-vivid-fix-disappearing-vendor-command-with-id-messages.patch new file mode 100644 index 0000000000..cf5eed9a26 --- /dev/null +++ b/queue-6.17/media-vivid-fix-disappearing-vendor-command-with-id-messages.patch @@ -0,0 +1,79 @@ +From 4bd8a6147645480d550242ff816b4c7ba160e5b7 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Sat, 6 Sep 2025 12:11:21 +0200 +Subject: media: vivid: fix disappearing messages + +From: Hans Verkuil + +commit 4bd8a6147645480d550242ff816b4c7ba160e5b7 upstream. + +The vivid driver supports the message, +but if the Vendor ID of the received message didn't match the Vendor ID +of the CEC Adapter, then it ignores it (good) and returns 0 (bad). + +It should return -ENOMSG to indicate that other followers should be +asked to handle it. Return code 0 means that the driver handled it, +which is wrong in this case. + +As a result, userspace followers never get the chance to process such a +message. + +Refactor the code a bit to have the function return -ENOMSG at the end, +drop the default case, and ensure that the message handlers return 0. + +That way 0 is only returned if the message is actually handled in the +vivid_received() function. + +Fixes: 812765cd6954 ("media: vivid: add support") +Cc: stable@vger.kernel.org +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/test-drivers/vivid/vivid-cec.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/media/test-drivers/vivid/vivid-cec.c ++++ b/drivers/media/test-drivers/vivid/vivid-cec.c +@@ -327,7 +327,7 @@ static int vivid_received(struct cec_ada + char osd[14]; + + if (!cec_is_sink(adap)) +- return -ENOMSG; ++ break; + cec_ops_set_osd_string(msg, &disp_ctl, osd); + switch (disp_ctl) { + case CEC_OP_DISP_CTL_DEFAULT: +@@ -348,7 +348,7 @@ static int vivid_received(struct cec_ada + cec_transmit_msg(adap, &reply, false); + break; + } +- break; ++ return 0; + } + case CEC_MSG_VENDOR_COMMAND_WITH_ID: { + u32 vendor_id; +@@ -379,7 +379,7 @@ static int vivid_received(struct cec_ada + if (size == 1) { + // Ignore even op values + if (!(vendor_cmd[0] & 1)) +- break; ++ return 0; + reply.len = msg->len; + memcpy(reply.msg + 1, msg->msg + 1, msg->len - 1); + reply.msg[msg->len - 1]++; +@@ -388,12 +388,10 @@ static int vivid_received(struct cec_ada + CEC_OP_ABORT_INVALID_OP); + } + cec_transmit_msg(adap, &reply, false); +- break; ++ return 0; + } +- default: +- return -ENOMSG; + } +- return 0; ++ return -ENOMSG; + } + + static const struct cec_adap_ops vivid_cec_adap_ops = { diff --git a/queue-6.17/media-vsp1-export-missing-vsp1_isp_free_buffer-symbol.patch b/queue-6.17/media-vsp1-export-missing-vsp1_isp_free_buffer-symbol.patch new file mode 100644 index 0000000000..208ca590ab --- /dev/null +++ b/queue-6.17/media-vsp1-export-missing-vsp1_isp_free_buffer-symbol.patch @@ -0,0 +1,42 @@ +From b32655a5f4c1a3b830f05fe3d43e17b2c4d09146 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Thu, 21 Aug 2025 18:42:41 +0300 +Subject: media: vsp1: Export missing vsp1_isp_free_buffer symbol +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Laurent Pinchart + +commit b32655a5f4c1a3b830f05fe3d43e17b2c4d09146 upstream. + +The vsp1_isp_free_buffer() function implemented by the vsp1 driver is +part of the API exposed to the rcar-isp driver. All other symbols except +that one are properly exported. Fix it. + +Fixes: d06c1a9f348d ("media: vsp1: Add VSPX support") +Cc: stable@vger.kernel.org +Signed-off-by: Laurent Pinchart +Reviewed-by: Jacopo Mondi +Reviewed-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/renesas/vsp1/vsp1_vspx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/renesas/vsp1/vsp1_vspx.c b/drivers/media/platform/renesas/vsp1/vsp1_vspx.c +index a754b92232bd..1673479be0ff 100644 +--- a/drivers/media/platform/renesas/vsp1/vsp1_vspx.c ++++ b/drivers/media/platform/renesas/vsp1/vsp1_vspx.c +@@ -286,6 +286,7 @@ void vsp1_isp_free_buffer(struct device *dev, + dma_free_coherent(bus_master, buffer_desc->size, buffer_desc->cpu_addr, + buffer_desc->dma_addr); + } ++EXPORT_SYMBOL_GPL(vsp1_isp_free_buffer); + + /** + * vsp1_isp_start_streaming - Start processing VSPX jobs +-- +2.51.0 + diff --git a/queue-6.17/series b/queue-6.17/series index 6eaaf52c70..ee1a641683 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -151,3 +151,35 @@ arm-am33xx-implement-ti-advisory-1.0.36-emu0-emu1-pins-state-on-reset.patch arm-omap2-pm33xx-core-ix-device-node-reference-leaks-in-amx3_idle_init.patch firmware-arm_scmi-quirk-prevent-writes-to-string-constants.patch perf-arm-cmn-fix-cmn-s3-dtm-offset.patch +kvm-s390-fix-to-clear-pte-when-discarding-a-swapped-page.patch +kvm-arm64-fix-debug-checking-for-np-guests-using-huge-mappings.patch +kvm-arm64-fix-page-leak-in-user_mem_abort.patch +x86-kvm-force-legacy-pci-hole-to-uc-when-overriding-mtrrs-for-tdx-snp.patch +kvm-svm-re-load-current-not-host-tsc_aux-on-vmexit-from-sev-es-guest.patch +kvm-tdx-fix-uninitialized-error-code-for-__tdx_bringup.patch +dt-bindings-phy-rockchip-inno-csi-dphy-make-power-domains-non-required.patch +xen-take-system_transition_mutex-on-suspend.patch +xen-events-cleanup-find_virq-return-codes.patch +xen-manage-fix-suspend-error-path.patch +xen-events-return-eexist-for-bound-virqs.patch +xen-events-update-virq_to_irq-on-migration.patch +firmware-exynos-acpm-fix-pmic-returned-errno.patch +firmware-meson_sm-fix-device-leak-at-probe.patch +media-cec-extron-da-hd-4k-plus-drop-external-module-make-commands.patch +media-cx18-add-missing-check-after-dma-map.patch +media-i2c-mt9p031-fix-mbus-code-initialization.patch +media-i2c-mt9v111-fix-incorrect-type-for-ret.patch +media-mc-fix-must_connect-handling-for-pads-with-no-links.patch +media-pci-ivtv-add-missing-check-after-dma-map.patch +media-pci-mg4b-fix-uninitialized-iio-scan-data.patch +media-platform-mtk-mdp3-add-missing-mt8188-compatible-to-comp_dt_ids.patch +media-s5p-mfc-remove-an-unused-uninitialized-variable.patch +media-staging-ipu7-fix-isys-device-runtime-pm-usage-in-firmware-closing.patch +media-uvcvideo-avoid-variable-shadowing-in-uvc_ctrl_cleanup_fh.patch +media-venus-firmware-use-correct-reset-sequence-for-iris2.patch +media-venus-pm_helpers-add-fallback-for-the-opp-table.patch +media-vivid-fix-disappearing-vendor-command-with-id-messages.patch +media-vsp1-export-missing-vsp1_isp_free_buffer-symbol.patch +media-ti-j721e-csi2rx-use-devm_of_platform_populate.patch +media-ti-j721e-csi2rx-fix-source-subdev-link-creation.patch +media-lirc-fix-error-handling-in-lirc_register.patch diff --git a/queue-6.17/x86-kvm-force-legacy-pci-hole-to-uc-when-overriding-mtrrs-for-tdx-snp.patch b/queue-6.17/x86-kvm-force-legacy-pci-hole-to-uc-when-overriding-mtrrs-for-tdx-snp.patch new file mode 100644 index 0000000000..806d56c9b9 --- /dev/null +++ b/queue-6.17/x86-kvm-force-legacy-pci-hole-to-uc-when-overriding-mtrrs-for-tdx-snp.patch @@ -0,0 +1,198 @@ +From 0dccbc75e18df85399a71933d60b97494110f559 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 27 Aug 2025 17:52:49 -0700 +Subject: x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 0dccbc75e18df85399a71933d60b97494110f559 upstream. + +When running as an SNP or TDX guest under KVM, force the legacy PCI hole, +i.e. memory between Top of Lower Usable DRAM and 4GiB, to be mapped as UC +via a forced variable MTRR range. + +In most KVM-based setups, legacy devices such as the HPET and TPM are +enumerated via ACPI. ACPI enumeration includes a Memory32Fixed entry, and +optionally a SystemMemory descriptor for an OperationRegion, e.g. if the +device needs to be accessed via a Control Method. + +If a SystemMemory entry is present, then the kernel's ACPI driver will +auto-ioremap the region so that it can be accessed at will. However, the +ACPI spec doesn't provide a way to enumerate the memory type of +SystemMemory regions, i.e. there's no way to tell software that a region +must be mapped as UC vs. WB, etc. As a result, Linux's ACPI driver always +maps SystemMemory regions using ioremap_cache(), i.e. as WB on x86. + +The dedicated device drivers however, e.g. the HPET driver and TPM driver, +want to map their associated memory as UC or WC, as accessing PCI devices +using WB is unsupported. + +On bare metal and non-CoCO, the conflicting requirements "work" as firmware +configures the PCI hole (and other device memory) to be UC in the MTRRs. +So even though the ACPI mappings request WB, they are forced to UC- in the +kernel's tracking due to the kernel properly handling the MTRR overrides, +and thus are compatible with the drivers' requested WC/UC-. + +With force WB MTRRs on SNP and TDX guests, the ACPI mappings get their +requested WB if the ACPI mappings are established before the dedicated +driver code attempts to initialize the device. E.g. if acpi_init() +runs before the corresponding device driver is probed, ACPI's WB mapping +will "win", and result in the driver's ioremap() failing because the +existing WB mapping isn't compatible with the requested WC/UC-. + +E.g. when a TPM is emulated by the hypervisor (ignoring the security +implications of relying on what is allegedly an untrusted entity to store +measurements), the TPM driver will request UC and fail: + + [ 1.730459] ioremap error for 0xfed40000-0xfed45000, requested 0x2, got 0x0 + [ 1.732780] tpm_tis MSFT0101:00: probe with driver tpm_tis failed with error -12 + +Note, the '0x2' and '0x0' values refer to "enum page_cache_mode", not x86's +memtypes (which frustratingly are an almost pure inversion; 2 == WB, 0 == UC). +E.g. tracing mapping requests for TPM TIS yields: + + Mapping TPM TIS with req_type = 0 + WARNING: CPU: 22 PID: 1 at arch/x86/mm/pat/memtype.c:530 memtype_reserve+0x2ab/0x460 + Modules linked in: + CPU: 22 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.16.0-rc7+ #2 VOLUNTARY + Tainted: [W]=WARN + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/29/2025 + RIP: 0010:memtype_reserve+0x2ab/0x460 + __ioremap_caller+0x16d/0x3d0 + ioremap_cache+0x17/0x30 + x86_acpi_os_ioremap+0xe/0x20 + acpi_os_map_iomem+0x1f3/0x240 + acpi_os_map_memory+0xe/0x20 + acpi_ex_system_memory_space_handler+0x273/0x440 + acpi_ev_address_space_dispatch+0x176/0x4c0 + acpi_ex_access_region+0x2ad/0x530 + acpi_ex_field_datum_io+0xa2/0x4f0 + acpi_ex_extract_from_field+0x296/0x3e0 + acpi_ex_read_data_from_field+0xd1/0x460 + acpi_ex_resolve_node_to_value+0x2ee/0x530 + acpi_ex_resolve_to_value+0x1f2/0x540 + acpi_ds_evaluate_name_path+0x11b/0x190 + acpi_ds_exec_end_op+0x456/0x960 + acpi_ps_parse_loop+0x27a/0xa50 + acpi_ps_parse_aml+0x226/0x600 + acpi_ps_execute_method+0x172/0x3e0 + acpi_ns_evaluate+0x175/0x5f0 + acpi_evaluate_object+0x213/0x490 + acpi_evaluate_integer+0x6d/0x140 + acpi_bus_get_status+0x93/0x150 + acpi_add_single_object+0x43a/0x7c0 + acpi_bus_check_add+0x149/0x3a0 + acpi_bus_check_add_1+0x16/0x30 + acpi_ns_walk_namespace+0x22c/0x360 + acpi_walk_namespace+0x15c/0x170 + acpi_bus_scan+0x1dd/0x200 + acpi_scan_init+0xe5/0x2b0 + acpi_init+0x264/0x5b0 + do_one_initcall+0x5a/0x310 + kernel_init_freeable+0x34f/0x4f0 + kernel_init+0x1b/0x200 + ret_from_fork+0x186/0x1b0 + ret_from_fork_asm+0x1a/0x30 + + +The above traces are from a Google-VMM based VM, but the same behavior +happens with a QEMU based VM that is modified to add a SystemMemory range +for the TPM TIS address space. + +The only reason this doesn't cause problems for HPET, which appears to +require a SystemMemory region, is because HPET gets special treatment via +x86_init.timers.timer_init(), and so gets a chance to create its UC- +mapping before acpi_init() clobbers things. Disabling the early call to +hpet_time_init() yields the same behavior for HPET: + + [ 0.318264] ioremap error for 0xfed00000-0xfed01000, requested 0x2, got 0x0 + +Hack around the ACPI gap by forcing the legacy PCI hole to UC when +overriding the (virtual) MTRRs for CoCo guest, so that ioremap handling +of MTRRs naturally kicks in and forces the ACPI mappings to be UC. + +Note, the requested/mapped memtype doesn't actually matter in terms of +accessing the device. In practically every setup, legacy PCI devices are +emulated by the hypervisor, and accesses are intercepted and handled as +emulated MMIO, i.e. never access physical memory and thus don't have an +effective memtype. + +Even in a theoretical setup where such devices are passed through by the +host, i.e. point at real MMIO memory, it is KVM's (as the hypervisor) +responsibility to force the memory to be WC/UC, e.g. via EPT memtype +under TDX or real hardware MTRRs under SNP. Not doing so cannot work, +and the hypervisor is highly motivated to do the right thing as letting +the guest access hardware MMIO with WB would likely result in a variety +of fatal #MCs. + +In other words, forcing the range to be UC is all about coercing the +kernel's tracking into thinking that it has established UC mappings, so +that the ioremap code doesn't reject mappings from e.g. the TPM driver and +thus prevent the driver from loading and the device from functioning. + +Note #2, relying on guest firmware to handle this scenario, e.g. by setting +virtual MTRRs and then consuming them in Linux, is not a viable option, as +the virtual MTRR state is managed by the untrusted hypervisor, and because +OVMF at least has stopped programming virtual MTRRs when running as a TDX +guest. + +Link: https://lore.kernel.org/all/8137d98e-8825-415b-9282-1d2a115bb51a@linux.intel.com +Fixes: 8e690b817e38 ("x86/kvm: Override default caching mode for SEV-SNP and TDX") +Cc: stable@vger.kernel.org +Cc: Peter Gonda +Cc: Vitaly Kuznetsov +Cc: Tom Lendacky +Cc: Jürgen Groß +Cc: Korakit Seemakhupt +Cc: Jianxiong Gao +Cc: Nikolay Borisov +Suggested-by: Binbin Wu +Reviewed-by: Binbin Wu +Tested-by: Korakit Seemakhupt +Link: https://lore.kernel.org/r/20250828005249.39339-1-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/kvm.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/kvm.c ++++ b/arch/x86/kernel/kvm.c +@@ -933,6 +933,19 @@ static void kvm_sev_hc_page_enc_status(u + + static void __init kvm_init_platform(void) + { ++ u64 tolud = PFN_PHYS(e820__end_of_low_ram_pfn()); ++ /* ++ * Note, hardware requires variable MTRR ranges to be power-of-2 sized ++ * and naturally aligned. But when forcing guest MTRR state, Linux ++ * doesn't program the forced ranges into hardware. Don't bother doing ++ * the math to generate a technically-legal range. ++ */ ++ struct mtrr_var_range pci_hole = { ++ .base_lo = tolud | X86_MEMTYPE_UC, ++ .mask_lo = (u32)(~(SZ_4G - tolud - 1)) | MTRR_PHYSMASK_V, ++ .mask_hi = (BIT_ULL(boot_cpu_data.x86_phys_bits) - 1) >> 32, ++ }; ++ + if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT) && + kvm_para_has_feature(KVM_FEATURE_MIGRATION_CONTROL)) { + unsigned long nr_pages; +@@ -982,8 +995,12 @@ static void __init kvm_init_platform(voi + kvmclock_init(); + x86_platform.apic_post_init = kvm_apic_init; + +- /* Set WB as the default cache mode for SEV-SNP and TDX */ +- guest_force_mtrr_state(NULL, 0, MTRR_TYPE_WRBACK); ++ /* ++ * Set WB as the default cache mode for SEV-SNP and TDX, with a single ++ * UC range for the legacy PCI hole, e.g. so that devices that expect ++ * to get UC/WC mappings don't get surprised with WB. ++ */ ++ guest_force_mtrr_state(&pci_hole, 1, MTRR_TYPE_WRBACK); + } + + #if defined(CONFIG_AMD_MEM_ENCRYPT) diff --git a/queue-6.17/xen-events-cleanup-find_virq-return-codes.patch b/queue-6.17/xen-events-cleanup-find_virq-return-codes.patch new file mode 100644 index 0000000000..b9be759444 --- /dev/null +++ b/queue-6.17/xen-events-cleanup-find_virq-return-codes.patch @@ -0,0 +1,55 @@ +From 08df2d7dd4ab2db8a172d824cda7872d5eca460a Mon Sep 17 00:00:00 2001 +From: Jason Andryuk +Date: Wed, 27 Aug 2025 20:36:01 -0400 +Subject: xen/events: Cleanup find_virq() return codes + +From: Jason Andryuk + +commit 08df2d7dd4ab2db8a172d824cda7872d5eca460a upstream. + +rc is overwritten by the evtchn_status hypercall in each iteration, so +the return value will be whatever the last iteration is. This could +incorrectly return success even if the event channel was not found. +Change to an explicit -ENOENT for an un-found virq and return 0 on a +successful match. + +Fixes: 62cc5fc7b2e0 ("xen/pv-on-hvm kexec: rebind virqs to existing eventchannel ports") +Cc: stable@vger.kernel.org +Signed-off-by: Jason Andryuk +Reviewed-by: Jan Beulich +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Message-ID: <20250828003604.8949-2-jason.andryuk@amd.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/events/events_base.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -1318,10 +1318,11 @@ static int find_virq(unsigned int virq, + { + struct evtchn_status status; + evtchn_port_t port; +- int rc = -ENOENT; + + memset(&status, 0, sizeof(status)); + for (port = 0; port < xen_evtchn_max_channels(); port++) { ++ int rc; ++ + status.dom = DOMID_SELF; + status.port = port; + rc = HYPERVISOR_event_channel_op(EVTCHNOP_status, &status); +@@ -1331,10 +1332,10 @@ static int find_virq(unsigned int virq, + continue; + if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu)) { + *evtchn = port; +- break; ++ return 0; + } + } +- return rc; ++ return -ENOENT; + } + + /** diff --git a/queue-6.17/xen-events-return-eexist-for-bound-virqs.patch b/queue-6.17/xen-events-return-eexist-for-bound-virqs.patch new file mode 100644 index 0000000000..a66c6921a2 --- /dev/null +++ b/queue-6.17/xen-events-return-eexist-for-bound-virqs.patch @@ -0,0 +1,82 @@ +From 07ce121d93a5e5fb2440a24da3dbf408fcee978e Mon Sep 17 00:00:00 2001 +From: Jason Andryuk +Date: Wed, 27 Aug 2025 20:36:02 -0400 +Subject: xen/events: Return -EEXIST for bound VIRQs + +From: Jason Andryuk + +commit 07ce121d93a5e5fb2440a24da3dbf408fcee978e upstream. + +Change find_virq() to return -EEXIST when a VIRQ is bound to a +different CPU than the one passed in. With that, remove the BUG_ON() +from bind_virq_to_irq() to propogate the error upwards. + +Some VIRQs are per-cpu, but others are per-domain or global. Those must +be bound to CPU0 and can then migrate elsewhere. The lookup for +per-domain and global will probably fail when migrated off CPU 0, +especially when the current CPU is tracked. This now returns -EEXIST +instead of BUG_ON(). + +A second call to bind a per-domain or global VIRQ is not expected, but +make it non-fatal to avoid trying to look up the irq, since we don't +know which per_cpu(virq_to_irq) it will be in. + +Cc: stable@vger.kernel.org +Signed-off-by: Jason Andryuk +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Message-ID: <20250828003604.8949-3-jason.andryuk@amd.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/events/events_base.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -1314,10 +1314,12 @@ int bind_interdomain_evtchn_to_irq_latee + } + EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irq_lateeoi); + +-static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn) ++static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn, ++ bool percpu) + { + struct evtchn_status status; + evtchn_port_t port; ++ bool exists = false; + + memset(&status, 0, sizeof(status)); + for (port = 0; port < xen_evtchn_max_channels(); port++) { +@@ -1330,12 +1332,16 @@ static int find_virq(unsigned int virq, + continue; + if (status.status != EVTCHNSTAT_virq) + continue; +- if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu)) { ++ if (status.u.virq != virq) ++ continue; ++ if (status.vcpu == xen_vcpu_nr(cpu)) { + *evtchn = port; + return 0; ++ } else if (!percpu) { ++ exists = true; + } + } +- return -ENOENT; ++ return exists ? -EEXIST : -ENOENT; + } + + /** +@@ -1382,8 +1388,11 @@ int bind_virq_to_irq(unsigned int virq, + evtchn = bind_virq.port; + else { + if (ret == -EEXIST) +- ret = find_virq(virq, cpu, &evtchn); +- BUG_ON(ret < 0); ++ ret = find_virq(virq, cpu, &evtchn, percpu); ++ if (ret) { ++ __unbind_from_irq(info, info->irq); ++ goto out; ++ } + } + + ret = xen_irq_info_virq_setup(info, cpu, evtchn, virq); diff --git a/queue-6.17/xen-events-update-virq_to_irq-on-migration.patch b/queue-6.17/xen-events-update-virq_to_irq-on-migration.patch new file mode 100644 index 0000000000..af0f751f2b --- /dev/null +++ b/queue-6.17/xen-events-update-virq_to_irq-on-migration.patch @@ -0,0 +1,59 @@ +From 3fcc8e146935415d69ffabb5df40ecf50e106131 Mon Sep 17 00:00:00 2001 +From: Jason Andryuk +Date: Wed, 27 Aug 2025 20:36:03 -0400 +Subject: xen/events: Update virq_to_irq on migration + +From: Jason Andryuk + +commit 3fcc8e146935415d69ffabb5df40ecf50e106131 upstream. + +VIRQs come in 3 flavors, per-VPU, per-domain, and global, and the VIRQs +are tracked in per-cpu virq_to_irq arrays. + +Per-domain and global VIRQs must be bound on CPU 0, and +bind_virq_to_irq() sets the per_cpu virq_to_irq at registration time +Later, the interrupt can migrate, and info->cpu is updated. When +calling __unbind_from_irq(), the per-cpu virq_to_irq is cleared for a +different cpu. If bind_virq_to_irq() is called again with CPU 0, the +stale irq is returned. There won't be any irq_info for the irq, so +things break. + +Make xen_rebind_evtchn_to_cpu() update the per_cpu virq_to_irq mappings +to keep them update to date with the current cpu. This ensures the +correct virq_to_irq is cleared in __unbind_from_irq(). + +Fixes: e46cdb66c8fc ("xen: event channels") +Cc: stable@vger.kernel.org +Signed-off-by: Jason Andryuk +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Message-ID: <20250828003604.8949-4-jason.andryuk@amd.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/events/events_base.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -1797,9 +1797,20 @@ static int xen_rebind_evtchn_to_cpu(stru + * virq or IPI channel, which don't actually need to be rebound. Ignore + * it, but don't do the xenlinux-level rebind in that case. + */ +- if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0) ++ if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0) { ++ int old_cpu = info->cpu; ++ + bind_evtchn_to_cpu(info, tcpu, false); + ++ if (info->type == IRQT_VIRQ) { ++ int virq = info->u.virq; ++ int irq = per_cpu(virq_to_irq, old_cpu)[virq]; ++ ++ per_cpu(virq_to_irq, old_cpu)[virq] = -1; ++ per_cpu(virq_to_irq, tcpu)[virq] = irq; ++ } ++ } ++ + do_unmask(info, EVT_MASK_REASON_TEMPORARY); + + return 0; diff --git a/queue-6.17/xen-manage-fix-suspend-error-path.patch b/queue-6.17/xen-manage-fix-suspend-error-path.patch new file mode 100644 index 0000000000..1531170bd9 --- /dev/null +++ b/queue-6.17/xen-manage-fix-suspend-error-path.patch @@ -0,0 +1,54 @@ +From f770c3d858687252f1270265ba152d5c622e793f Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 4 Sep 2025 15:11:09 +0200 +Subject: xen/manage: Fix suspend error path + +From: Lukas Wunner + +commit f770c3d858687252f1270265ba152d5c622e793f upstream. + +The device power management API has the following asymmetry: +* dpm_suspend_start() does not clean up on failure + (it requires a call to dpm_resume_end()) +* dpm_suspend_end() does clean up on failure + (it does not require a call to dpm_resume_start()) + +The asymmetry was introduced by commit d8f3de0d2412 ("Suspend-related +patches for 2.6.27") in June 2008: It removed a call to device_resume() +from device_suspend() (which was later renamed to dpm_suspend_start()). + +When Xen began using the device power management API in May 2008 with +commit 0e91398f2a5d ("xen: implement save/restore"), the asymmetry did +not yet exist. But since it was introduced, a call to dpm_resume_end() +is missing in the error path of dpm_suspend_start(). Fix it. + +Fixes: d8f3de0d2412 ("Suspend-related patches for 2.6.27") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v2.6.27 +Reviewed-by: "Rafael J. Wysocki (Intel)" +Signed-off-by: Juergen Gross +Message-ID: <22453676d1ddcebbe81641bb68ddf587fee7e21e.1756990799.git.lukas@wunner.de> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/manage.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/xen/manage.c ++++ b/drivers/xen/manage.c +@@ -117,7 +117,7 @@ static void do_suspend(void) + err = dpm_suspend_start(PMSG_FREEZE); + if (err) { + pr_err("%s: dpm_suspend_start %d\n", __func__, err); +- goto out_thaw; ++ goto out_resume_end; + } + + printk(KERN_DEBUG "suspending xenstore...\n"); +@@ -157,6 +157,7 @@ out_resume: + else + xs_suspend_cancel(); + ++out_resume_end: + dpm_resume_end(si.cancelled ? PMSG_THAW : PMSG_RESTORE); + + out_thaw: diff --git a/queue-6.17/xen-take-system_transition_mutex-on-suspend.patch b/queue-6.17/xen-take-system_transition_mutex-on-suspend.patch new file mode 100644 index 0000000000..33b597a526 --- /dev/null +++ b/queue-6.17/xen-take-system_transition_mutex-on-suspend.patch @@ -0,0 +1,70 @@ +From 9d52b0b41be5b932a0a929c10038f1bb04af4ca5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= + +Date: Sun, 21 Sep 2025 18:28:47 +0200 +Subject: xen: take system_transition_mutex on suspend +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Marczykowski-Górecki + +commit 9d52b0b41be5b932a0a929c10038f1bb04af4ca5 upstream. + +Xen's do_suspend() calls dpm_suspend_start() without taking required +system_transition_mutex. Since 12ffc3b1513eb moved the +pm_restrict_gfp_mask() call, not taking that mutex results in a WARN. + +Take the mutex in do_suspend(), and use mutex_trylock() to follow +how enter_state() does this. + +Suggested-by: Jürgen Groß +Fixes: 12ffc3b1513eb "PM: Restrict swap use to later in the suspend sequence" +Link: https://lore.kernel.org/xen-devel/aKiBJeqsYx_4Top5@mail-itl/ +Signed-off-by: Marek Marczykowski-Górecki +Cc: stable@vger.kernel.org # v6.16+ +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Message-ID: <20250921162853.223116-1-marmarek@invisiblethingslab.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/manage.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/xen/manage.c ++++ b/drivers/xen/manage.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -95,10 +96,16 @@ static void do_suspend(void) + + shutting_down = SHUTDOWN_SUSPEND; + ++ if (!mutex_trylock(&system_transition_mutex)) ++ { ++ pr_err("%s: failed to take system_transition_mutex\n", __func__); ++ goto out; ++ } ++ + err = freeze_processes(); + if (err) { + pr_err("%s: freeze processes failed %d\n", __func__, err); +- goto out; ++ goto out_unlock; + } + + err = freeze_kernel_threads(); +@@ -154,6 +161,8 @@ out_resume: + + out_thaw: + thaw_processes(); ++out_unlock: ++ mutex_unlock(&system_transition_mutex); + out: + shutting_down = SHUTDOWN_INVALID; + }