From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 13:52:17 +0000 (+0200) Subject: 6.13-stable patches X-Git-Tag: v6.12.24~48 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=629b2467da19068fcbf4ad861279a727a368a6d6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.13-stable patches added patches: landlock-add-erratum-for-tcp-fix.patch landlock-add-the-errata-interface.patch landlock-always-allow-signals-between-threads-of-the-same-process.patch landlock-move-code-to-ease-future-backports.patch landlock-prepare-to-add-second-errata.patch misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch net-mana-switch-to-page-pool-for-jumbo-frames.patch ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch pci-fix-reference-leak-in-pci_alloc_child_bus.patch pci-fix-reference-leak-in-pci_register_host_bridge.patch pci-fix-wrong-length-of-devres-array.patch pci-j721e-fix-the-value-of-.linkdown_irq_regfield-for-j784s4.patch pci-pciehp-avoid-unnecessary-device-replacement-check.patch phy-freescale-imx8m-pcie-assert-phy-reset-and-perst-in-power-off.patch pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch pinctrl-samsung-add-support-for-eint_fltcon_offset.patch ring-buffer-use-flush_kernel_vmap_range-over-flush_dcache_folio.patch s390-fix-linker-error-when-no-pie-option-is-unavailable.patch s390-pci-fix-zpci_bus_is_isolated_vf-for-non-vfs.patch s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch sched_ext-create_dsq-return-eexist-on-duplicate-request.patch selftests-landlock-add-a-new-test-for-setuid.patch selftests-landlock-split-signal_scoping_threads-tests.patch selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch selftests-mptcp-fix-incorrect-fd-checks-in-main_loop.patch spi-fsl-qspi-fix-double-cleanup-in-probe-error-path.patch spi-fsl-qspi-use-devm-function-instead-of-driver-remove.patch thermal-drivers-mediatek-lvts-disable-monitor-mode-during-suspend.patch thermal-drivers-mediatek-lvts-disable-stage-3-thermal-threshold.patch --- diff --git a/queue-6.13/landlock-add-erratum-for-tcp-fix.patch b/queue-6.13/landlock-add-erratum-for-tcp-fix.patch new file mode 100644 index 0000000000..9461fb7183 --- /dev/null +++ b/queue-6.13/landlock-add-erratum-for-tcp-fix.patch @@ -0,0 +1,45 @@ +From 48fce74fe209ba9e9b416d7100ccee546edc9fc6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Tue, 18 Mar 2025 17:14:38 +0100 +Subject: landlock: Add erratum for TCP fix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 48fce74fe209ba9e9b416d7100ccee546edc9fc6 upstream. + +Add erratum for the TCP socket identification fixed with commit +854277e2cc8c ("landlock: Fix non-TCP sockets restriction"). + +Fixes: 854277e2cc8c ("landlock: Fix non-TCP sockets restriction") +Cc: Günther Noack +Cc: Mikhail Ivanov +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250318161443.279194-4-mic@digikod.net +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + security/landlock/errata/abi-4.h | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + create mode 100644 security/landlock/errata/abi-4.h + +--- /dev/null ++++ b/security/landlock/errata/abi-4.h +@@ -0,0 +1,15 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++/** ++ * DOC: erratum_1 ++ * ++ * Erratum 1: TCP socket identification ++ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ * ++ * This fix addresses an issue where IPv4 and IPv6 stream sockets (e.g., SMC, ++ * MPTCP, or SCTP) were incorrectly restricted by TCP access rights during ++ * :manpage:`bind(2)` and :manpage:`connect(2)` operations. This change ensures ++ * that only TCP sockets are subject to TCP access rights, allowing other ++ * protocols to operate without unnecessary restrictions. ++ */ ++LANDLOCK_ERRATUM(1) diff --git a/queue-6.13/landlock-add-the-errata-interface.patch b/queue-6.13/landlock-add-the-errata-interface.patch new file mode 100644 index 0000000000..70ed1e9876 --- /dev/null +++ b/queue-6.13/landlock-add-the-errata-interface.patch @@ -0,0 +1,337 @@ +From 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Tue, 18 Mar 2025 17:14:37 +0100 +Subject: landlock: Add the errata interface +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac upstream. + +Some fixes may require user space to check if they are applied on the +running kernel before using a specific feature. For instance, this +applies when a restriction was previously too restrictive and is now +getting relaxed (e.g. for compatibility reasons). However, non-visible +changes for legitimate use (e.g. security fixes) do not require an +erratum. + +Because fixes are backported down to a specific Landlock ABI, we need a +way to avoid cherry-pick conflicts. The solution is to only update a +file related to the lower ABI impacted by this issue. All the ABI files +are then used to create a bitmask of fixes. + +The new errata interface is similar to the one used to get the supported +Landlock ABI version, but it returns a bitmask instead because the order +of fixes may not match the order of versions, and not all fixes may +apply to all versions. + +The actual errata will come with dedicated commits. The description is +not actually used in the code but serves as documentation. + +Create the landlock_abi_version symbol and use its value to check errata +consistency. + +Update test_base's create_ruleset_checks_ordering tests and add errata +tests. + +This commit is backportable down to the first version of Landlock. + +Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features") +Cc: Günther Noack +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/landlock.h | 2 + security/landlock/errata.h | 87 +++++++++++++++++++++++++++ + security/landlock/setup.c | 30 +++++++++ + security/landlock/setup.h | 3 + security/landlock/syscalls.c | 22 +++++- + tools/testing/selftests/landlock/base_test.c | 46 +++++++++++++- + 6 files changed, 185 insertions(+), 5 deletions(-) + create mode 100644 security/landlock/errata.h + +--- a/include/uapi/linux/landlock.h ++++ b/include/uapi/linux/landlock.h +@@ -57,9 +57,11 @@ struct landlock_ruleset_attr { + * + * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI + * version. ++ * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues. + */ + /* clang-format off */ + #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) ++#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1) + /* clang-format on */ + + /** +--- /dev/null ++++ b/security/landlock/errata.h +@@ -0,0 +1,87 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++/* ++ * Landlock - Errata information ++ * ++ * Copyright © 2025 Microsoft Corporation ++ */ ++ ++#ifndef _SECURITY_LANDLOCK_ERRATA_H ++#define _SECURITY_LANDLOCK_ERRATA_H ++ ++#include ++ ++struct landlock_erratum { ++ const int abi; ++ const u8 number; ++}; ++ ++/* clang-format off */ ++#define LANDLOCK_ERRATUM(NUMBER) \ ++ { \ ++ .abi = LANDLOCK_ERRATA_ABI, \ ++ .number = NUMBER, \ ++ }, ++/* clang-format on */ ++ ++/* ++ * Some fixes may require user space to check if they are applied on the running ++ * kernel before using a specific feature. For instance, this applies when a ++ * restriction was previously too restrictive and is now getting relaxed (for ++ * compatibility or semantic reasons). However, non-visible changes for ++ * legitimate use (e.g. security fixes) do not require an erratum. ++ */ ++static const struct landlock_erratum landlock_errata_init[] __initconst = { ++ ++/* ++ * Only Sparse may not implement __has_include. If a compiler does not ++ * implement __has_include, a warning will be printed at boot time (see ++ * setup.c). ++ */ ++#ifdef __has_include ++ ++#define LANDLOCK_ERRATA_ABI 1 ++#if __has_include("errata/abi-1.h") ++#include "errata/abi-1.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ ++#define LANDLOCK_ERRATA_ABI 2 ++#if __has_include("errata/abi-2.h") ++#include "errata/abi-2.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ ++#define LANDLOCK_ERRATA_ABI 3 ++#if __has_include("errata/abi-3.h") ++#include "errata/abi-3.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ ++#define LANDLOCK_ERRATA_ABI 4 ++#if __has_include("errata/abi-4.h") ++#include "errata/abi-4.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ ++/* ++ * For each new erratum, we need to include all the ABI files up to the impacted ++ * ABI to make all potential future intermediate errata easy to backport. ++ * ++ * If such change involves more than one ABI addition, then it must be in a ++ * dedicated commit with the same Fixes tag as used for the actual fix. ++ * ++ * Each commit creating a new security/landlock/errata/abi-*.h file must have a ++ * Depends-on tag to reference the commit that previously added the line to ++ * include this new file, except if the original Fixes tag is enough. ++ * ++ * Each erratum must be documented in its related ABI file, and a dedicated ++ * commit must update Documentation/userspace-api/landlock.rst to include this ++ * erratum. This commit will not be backported. ++ */ ++ ++#endif ++ ++ {} ++}; ++ ++#endif /* _SECURITY_LANDLOCK_ERRATA_H */ +--- a/security/landlock/setup.c ++++ b/security/landlock/setup.c +@@ -6,12 +6,14 @@ + * Copyright © 2018-2020 ANSSI + */ + ++#include + #include + #include + #include + + #include "common.h" + #include "cred.h" ++#include "errata.h" + #include "fs.h" + #include "net.h" + #include "setup.h" +@@ -31,8 +33,36 @@ struct lsm_blob_sizes landlock_blob_size + .lbs_superblock = sizeof(struct landlock_superblock_security), + }; + ++int landlock_errata __ro_after_init; ++ ++static void __init compute_errata(void) ++{ ++ size_t i; ++ ++#ifndef __has_include ++ /* ++ * This is a safeguard to make sure the compiler implements ++ * __has_include (see errata.h). ++ */ ++ WARN_ON_ONCE(1); ++ return; ++#endif ++ ++ for (i = 0; landlock_errata_init[i].number; i++) { ++ const int prev_errata = landlock_errata; ++ ++ if (WARN_ON_ONCE(landlock_errata_init[i].abi > ++ landlock_abi_version)) ++ continue; ++ ++ landlock_errata |= BIT(landlock_errata_init[i].number - 1); ++ WARN_ON_ONCE(prev_errata == landlock_errata); ++ } ++} ++ + static int __init landlock_init(void) + { ++ compute_errata(); + landlock_add_cred_hooks(); + landlock_add_task_hooks(); + landlock_add_fs_hooks(); +--- a/security/landlock/setup.h ++++ b/security/landlock/setup.h +@@ -11,7 +11,10 @@ + + #include + ++extern const int landlock_abi_version; ++ + extern bool landlock_initialized; ++extern int landlock_errata; + + extern struct lsm_blob_sizes landlock_blob_sizes; + extern const struct lsm_id landlock_lsmid; +--- a/security/landlock/syscalls.c ++++ b/security/landlock/syscalls.c +@@ -159,7 +159,9 @@ static const struct file_operations rule + * the new ruleset. + * @size: Size of the pointed &struct landlock_ruleset_attr (needed for + * backward and forward compatibility). +- * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION. ++ * @flags: Supported value: ++ * - %LANDLOCK_CREATE_RULESET_VERSION ++ * - %LANDLOCK_CREATE_RULESET_ERRATA + * + * This system call enables to create a new Landlock ruleset, and returns the + * related file descriptor on success. +@@ -168,6 +170,10 @@ static const struct file_operations rule + * 0, then the returned value is the highest supported Landlock ABI version + * (starting at 1). + * ++ * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is ++ * 0, then the returned value is a bitmask of fixed issues for the current ++ * Landlock ABI version. ++ * + * Possible returned errors are: + * + * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; +@@ -191,9 +197,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset, + return -EOPNOTSUPP; + + if (flags) { +- if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr && +- !size) +- return LANDLOCK_ABI_VERSION; ++ if (attr || size) ++ return -EINVAL; ++ ++ if (flags == LANDLOCK_CREATE_RULESET_VERSION) ++ return landlock_abi_version; ++ ++ if (flags == LANDLOCK_CREATE_RULESET_ERRATA) ++ return landlock_errata; ++ + return -EINVAL; + } + +@@ -234,6 +246,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset, + return ruleset_fd; + } + ++const int landlock_abi_version = LANDLOCK_ABI_VERSION; ++ + /* + * Returns an owned ruleset from a FD. It is thus needed to call + * landlock_put_ruleset() on the return value. +--- a/tools/testing/selftests/landlock/base_test.c ++++ b/tools/testing/selftests/landlock/base_test.c +@@ -98,10 +98,54 @@ TEST(abi_version) + ASSERT_EQ(EINVAL, errno); + } + ++/* ++ * Old source trees might not have the set of Kselftest fixes related to kernel ++ * UAPI headers. ++ */ ++#ifndef LANDLOCK_CREATE_RULESET_ERRATA ++#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1) ++#endif ++ ++TEST(errata) ++{ ++ const struct landlock_ruleset_attr ruleset_attr = { ++ .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, ++ }; ++ int errata; ++ ++ errata = landlock_create_ruleset(NULL, 0, ++ LANDLOCK_CREATE_RULESET_ERRATA); ++ /* The errata bitmask will not be backported to tests. */ ++ ASSERT_LE(0, errata); ++ TH_LOG("errata: 0x%x", errata); ++ ++ ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, ++ LANDLOCK_CREATE_RULESET_ERRATA)); ++ ASSERT_EQ(EINVAL, errno); ++ ++ ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr), ++ LANDLOCK_CREATE_RULESET_ERRATA)); ++ ASSERT_EQ(EINVAL, errno); ++ ++ ASSERT_EQ(-1, ++ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), ++ LANDLOCK_CREATE_RULESET_ERRATA)); ++ ASSERT_EQ(EINVAL, errno); ++ ++ ASSERT_EQ(-1, landlock_create_ruleset( ++ NULL, 0, ++ LANDLOCK_CREATE_RULESET_VERSION | ++ LANDLOCK_CREATE_RULESET_ERRATA)); ++ ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0, ++ LANDLOCK_CREATE_RULESET_ERRATA | ++ 1 << 31)); ++ ASSERT_EQ(EINVAL, errno); ++} ++ + /* Tests ordering of syscall argument checks. */ + TEST(create_ruleset_checks_ordering) + { +- const int last_flag = LANDLOCK_CREATE_RULESET_VERSION; ++ const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA; + const int invalid_flag = last_flag << 1; + int ruleset_fd; + const struct landlock_ruleset_attr ruleset_attr = { diff --git a/queue-6.13/landlock-always-allow-signals-between-threads-of-the-same-process.patch b/queue-6.13/landlock-always-allow-signals-between-threads-of-the-same-process.patch new file mode 100644 index 0000000000..df62eb3d68 --- /dev/null +++ b/queue-6.13/landlock-always-allow-signals-between-threads-of-the-same-process.patch @@ -0,0 +1,193 @@ +From 18eb75f3af40be1f0fc2025d4ff821711222a2fd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Tue, 18 Mar 2025 17:14:40 +0100 +Subject: landlock: Always allow signals between threads of the same process +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 18eb75f3af40be1f0fc2025d4ff821711222a2fd upstream. + +Because Linux credentials are managed per thread, user space relies on +some hack to synchronize credential update across threads from the same +process. This is required by the Native POSIX Threads Library and +implemented by set*id(2) wrappers and libcap(3) to use tgkill(2) to +synchronize threads. See nptl(7) and libpsx(3). Furthermore, some +runtimes like Go do not enable developers to have control over threads +[1]. + +To avoid potential issues, and because threads are not security +boundaries, let's relax the Landlock (optional) signal scoping to always +allow signals sent between threads of the same process. This exception +is similar to the __ptrace_may_access() one. + +hook_file_set_fowner() now checks if the target task is part of the same +process as the caller. If this is the case, then the related signal +triggered by the socket will always be allowed. + +Scoping of abstract UNIX sockets is not changed because kernel objects +(e.g. sockets) should be tied to their creator's domain at creation +time. + +Note that creating one Landlock domain per thread puts each of these +threads (and their future children) in their own scope, which is +probably not what users expect, especially in Go where we do not control +threads. However, being able to drop permissions on all threads should +not be restricted by signal scoping. We are working on a way to make it +possible to atomically restrict all threads of a process with the same +domain [2]. + +Add erratum for signal scoping. + +Closes: https://github.com/landlock-lsm/go-landlock/issues/36 +Fixes: 54a6e6bbf3be ("landlock: Add signal scoping") +Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads") +Depends-on: 26f204380a3c ("fs: Fix file_set_fowner LSM hook inconsistencies") +Link: https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/psx [1] +Link: https://github.com/landlock-lsm/linux/issues/2 [2] +Cc: Günther Noack +Cc: Paul Moore +Cc: Serge Hallyn +Cc: Tahera Fahimi +Cc: stable@vger.kernel.org +Acked-by: Christian Brauner +Link: https://lore.kernel.org/r/20250318161443.279194-6-mic@digikod.net +[mic: Add extra pointer check and RCU guard, and ease backport] +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + security/landlock/errata/abi-6.h | 19 ++++++++ + security/landlock/fs.c | 39 +++++++++++++++--- + security/landlock/task.c | 12 +++++ + tools/testing/selftests/landlock/scoped_signal_test.c | 2 + 4 files changed, 65 insertions(+), 7 deletions(-) + create mode 100644 security/landlock/errata/abi-6.h + +--- /dev/null ++++ b/security/landlock/errata/abi-6.h +@@ -0,0 +1,19 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++/** ++ * DOC: erratum_2 ++ * ++ * Erratum 2: Scoped signal handling ++ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ * ++ * This fix addresses an issue where signal scoping was overly restrictive, ++ * preventing sandboxed threads from signaling other threads within the same ++ * process if they belonged to different domains. Because threads are not ++ * security boundaries, user space might assume that any thread within the same ++ * process can send signals between themselves (see :manpage:`nptl(7)` and ++ * :manpage:`libpsx(3)`). Consistent with :manpage:`ptrace(2)` behavior, direct ++ * interaction between threads of the same process should always be allowed. ++ * This change ensures that any thread is allowed to send signals to any other ++ * thread within the same process, regardless of their domain. ++ */ ++LANDLOCK_ERRATUM(2) +--- a/security/landlock/fs.c ++++ b/security/landlock/fs.c +@@ -27,7 +27,9 @@ + #include + #include + #include ++#include + #include ++#include + #include + #include + #include +@@ -1623,21 +1625,46 @@ static int hook_file_ioctl_compat(struct + return -EACCES; + } + +-static void hook_file_set_fowner(struct file *file) ++/* ++ * Always allow sending signals between threads of the same process. This ++ * ensures consistency with hook_task_kill(). ++ */ ++static bool control_current_fowner(struct fown_struct *const fown) + { +- struct landlock_ruleset *new_dom, *prev_dom; ++ struct task_struct *p; + + /* + * Lock already held by __f_setown(), see commit 26f204380a3c ("fs: Fix + * file_set_fowner LSM hook inconsistencies"). + */ +- lockdep_assert_held(&file_f_owner(file)->lock); +- new_dom = landlock_get_current_domain(); +- landlock_get_ruleset(new_dom); ++ lockdep_assert_held(&fown->lock); ++ ++ /* ++ * Some callers (e.g. fcntl_dirnotify) may not be in an RCU read-side ++ * critical section. ++ */ ++ guard(rcu)(); ++ p = pid_task(fown->pid, fown->pid_type); ++ if (!p) ++ return true; ++ ++ return !same_thread_group(p, current); ++} ++ ++static void hook_file_set_fowner(struct file *file) ++{ ++ struct landlock_ruleset *prev_dom; ++ struct landlock_ruleset *new_dom = NULL; ++ ++ if (control_current_fowner(file_f_owner(file))) { ++ new_dom = landlock_get_current_domain(); ++ landlock_get_ruleset(new_dom); ++ } ++ + prev_dom = landlock_file(file)->fown_domain; + landlock_file(file)->fown_domain = new_dom; + +- /* Called in an RCU read-side critical section. */ ++ /* May be called in an RCU read-side critical section. */ + landlock_put_ruleset_deferred(prev_dom); + } + +--- a/security/landlock/task.c ++++ b/security/landlock/task.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -264,6 +265,17 @@ static int hook_task_kill(struct task_st + /* Dealing with USB IO. */ + dom = landlock_cred(cred)->domain; + } else { ++ /* ++ * Always allow sending signals between threads of the same process. ++ * This is required for process credential changes by the Native POSIX ++ * Threads Library and implemented by the set*id(2) wrappers and ++ * libcap(3) with tgkill(2). See nptl(7) and libpsx(3). ++ * ++ * This exception is similar to the __ptrace_may_access() one. ++ */ ++ if (same_thread_group(p, current)) ++ return 0; ++ + dom = landlock_get_current_domain(); + } + dom = landlock_get_applicable_domain(dom, signal_scope); +--- a/tools/testing/selftests/landlock/scoped_signal_test.c ++++ b/tools/testing/selftests/landlock/scoped_signal_test.c +@@ -281,7 +281,7 @@ TEST(signal_scoping_threads) + /* Restricts the domain after creating the first thread. */ + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + +- ASSERT_EQ(EPERM, pthread_kill(no_sandbox_thread, 0)); ++ ASSERT_EQ(0, pthread_kill(no_sandbox_thread, 0)); + ASSERT_EQ(1, write(thread_pipe[1], ".", 1)); + + ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_func, NULL)); diff --git a/queue-6.13/landlock-move-code-to-ease-future-backports.patch b/queue-6.13/landlock-move-code-to-ease-future-backports.patch new file mode 100644 index 0000000000..75224617e9 --- /dev/null +++ b/queue-6.13/landlock-move-code-to-ease-future-backports.patch @@ -0,0 +1,56 @@ +From 624f177d8f62032b4f3343c289120269645cec37 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Tue, 18 Mar 2025 17:14:36 +0100 +Subject: landlock: Move code to ease future backports +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 624f177d8f62032b4f3343c289120269645cec37 upstream. + +To ease backports in setup.c, let's group changes from +__lsm_ro_after_init to __ro_after_init with commit f22f9aaf6c3d +("selinux: remove the runtime disable functionality"), and the +landlock_lsmid addition with commit f3b8788cde61 ("LSM: Identify modules +by more than name"). + +That will help to backport the following errata. + +Cc: Günther Noack +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250318161443.279194-2-mic@digikod.net +Fixes: f3b8788cde61 ("LSM: Identify modules by more than name") +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + security/landlock/setup.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/security/landlock/setup.c ++++ b/security/landlock/setup.c +@@ -19,6 +19,11 @@ + + bool landlock_initialized __ro_after_init = false; + ++const struct lsm_id landlock_lsmid = { ++ .name = LANDLOCK_NAME, ++ .id = LSM_ID_LANDLOCK, ++}; ++ + struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = { + .lbs_cred = sizeof(struct landlock_cred_security), + .lbs_file = sizeof(struct landlock_file_security), +@@ -26,11 +31,6 @@ struct lsm_blob_sizes landlock_blob_size + .lbs_superblock = sizeof(struct landlock_superblock_security), + }; + +-const struct lsm_id landlock_lsmid = { +- .name = LANDLOCK_NAME, +- .id = LSM_ID_LANDLOCK, +-}; +- + static int __init landlock_init(void) + { + landlock_add_cred_hooks(); diff --git a/queue-6.13/landlock-prepare-to-add-second-errata.patch b/queue-6.13/landlock-prepare-to-add-second-errata.patch new file mode 100644 index 0000000000..e88269605d --- /dev/null +++ b/queue-6.13/landlock-prepare-to-add-second-errata.patch @@ -0,0 +1,51 @@ +From 6d9ac5e4d70eba3e336f9809ba91ab2c49de6d87 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Tue, 18 Mar 2025 17:14:39 +0100 +Subject: landlock: Prepare to add second errata +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 6d9ac5e4d70eba3e336f9809ba91ab2c49de6d87 upstream. + +Potentially include errata for Landlock ABI v5 (Linux 6.10) and v6 +(Linux 6.12). That will be useful for the following signal scoping +erratum. + +As explained in errata.h, this commit should be backportable without +conflict down to ABI v5. It must then not include the errata/abi-6.h +file. + +Fixes: 54a6e6bbf3be ("landlock: Add signal scoping") +Cc: Günther Noack +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250318161443.279194-5-mic@digikod.net +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + security/landlock/errata.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/security/landlock/errata.h ++++ b/security/landlock/errata.h +@@ -63,6 +63,18 @@ static const struct landlock_erratum lan + #endif + #undef LANDLOCK_ERRATA_ABI + ++#define LANDLOCK_ERRATA_ABI 5 ++#if __has_include("errata/abi-5.h") ++#include "errata/abi-5.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ ++#define LANDLOCK_ERRATA_ABI 6 ++#if __has_include("errata/abi-6.h") ++#include "errata/abi-6.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ + /* + * For each new erratum, we need to include all the ABI files up to the impacted + * ABI to make all potential future intermediate errata easy to backport. diff --git a/queue-6.13/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch b/queue-6.13/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch new file mode 100644 index 0000000000..521dccb632 --- /dev/null +++ b/queue-6.13/misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch @@ -0,0 +1,53 @@ +From 919d14603dab6a9cf03ebbeb2cfa556df48737c8 Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Tue, 25 Feb 2025 20:02:49 +0900 +Subject: misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kunihiko Hayashi + +commit 919d14603dab6a9cf03ebbeb2cfa556df48737c8 upstream. + +There are two variables that indicate the interrupt type to be used +in the next test execution, global "irq_type" and "test->irq_type". + +The former is referenced from pci_endpoint_test_get_irq() to preserve +the current type for ioctl(PCITEST_GET_IRQTYPE). + +In the pci_endpoint_test_request_irq(), since this global variable +is referenced when an error occurs, the unintended error message is +displayed. + +For example, after running "pcitest -i 2", the following message +shows "MSI 3" even if the current IRQ type becomes "MSI-X": + + pci-endpoint-test 0000:01:00.0: Failed to request IRQ 30 for MSI 3 + SET IRQ TYPE TO MSI-X: NOT OKAY + +Fix this issue by using "test->irq_type" instead of global "irq_type". + +Cc: stable@vger.kernel.org +Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype") +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Kunihiko Hayashi +Link: https://lore.kernel.org/r/20250225110252.28866-4-hayashi.kunihiko@socionext.com +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/pci_endpoint_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/pci_endpoint_test.c ++++ b/drivers/misc/pci_endpoint_test.c +@@ -234,7 +234,7 @@ static bool pci_endpoint_test_request_ir + return true; + + fail: +- switch (irq_type) { ++ switch (test->irq_type) { + case IRQ_TYPE_INTX: + dev_err(dev, "Failed to request IRQ %d for Legacy\n", + pci_irq_vector(pdev, i)); diff --git a/queue-6.13/net-mana-switch-to-page-pool-for-jumbo-frames.patch b/queue-6.13/net-mana-switch-to-page-pool-for-jumbo-frames.patch new file mode 100644 index 0000000000..4e2cf9af49 --- /dev/null +++ b/queue-6.13/net-mana-switch-to-page-pool-for-jumbo-frames.patch @@ -0,0 +1,122 @@ +From fa37a8849634db2dd3545116873da8cf4b1e67c6 Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Tue, 25 Mar 2025 09:32:37 -0700 +Subject: net: mana: Switch to page pool for jumbo frames + +From: Haiyang Zhang + +commit fa37a8849634db2dd3545116873da8cf4b1e67c6 upstream. + +Frag allocators, such as netdev_alloc_frag(), were not designed to +work for fragsz > PAGE_SIZE. + +So, switch to page pool for jumbo frames instead of using page frag +allocators. This driver is using page pool for smaller MTUs already. + +Cc: stable@vger.kernel.org +Fixes: 80f6215b450e ("net: mana: Add support for jumbo frame") +Signed-off-by: Haiyang Zhang +Reviewed-by: Long Li +Reviewed-by: Shradha Gupta +Link: https://patch.msgid.link/1742920357-27263-1-git-send-email-haiyangz@microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microsoft/mana/mana_en.c | 46 +++++--------------------- + 1 file changed, 9 insertions(+), 37 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -652,30 +652,16 @@ int mana_pre_alloc_rxbufs(struct mana_po + mpc->rxbpre_total = 0; + + for (i = 0; i < num_rxb; i++) { +- if (mpc->rxbpre_alloc_size > PAGE_SIZE) { +- va = netdev_alloc_frag(mpc->rxbpre_alloc_size); +- if (!va) +- goto error; +- +- page = virt_to_head_page(va); +- /* Check if the frag falls back to single page */ +- if (compound_order(page) < +- get_order(mpc->rxbpre_alloc_size)) { +- put_page(page); +- goto error; +- } +- } else { +- page = dev_alloc_page(); +- if (!page) +- goto error; ++ page = dev_alloc_pages(get_order(mpc->rxbpre_alloc_size)); ++ if (!page) ++ goto error; + +- va = page_to_virt(page); +- } ++ va = page_to_virt(page); + + da = dma_map_single(dev, va + mpc->rxbpre_headroom, + mpc->rxbpre_datasize, DMA_FROM_DEVICE); + if (dma_mapping_error(dev, da)) { +- put_page(virt_to_head_page(va)); ++ put_page(page); + goto error; + } + +@@ -1660,7 +1646,7 @@ drop: + } + + static void *mana_get_rxfrag(struct mana_rxq *rxq, struct device *dev, +- dma_addr_t *da, bool *from_pool, bool is_napi) ++ dma_addr_t *da, bool *from_pool) + { + struct page *page; + void *va; +@@ -1671,21 +1657,6 @@ static void *mana_get_rxfrag(struct mana + if (rxq->xdp_save_va) { + va = rxq->xdp_save_va; + rxq->xdp_save_va = NULL; +- } else if (rxq->alloc_size > PAGE_SIZE) { +- if (is_napi) +- va = napi_alloc_frag(rxq->alloc_size); +- else +- va = netdev_alloc_frag(rxq->alloc_size); +- +- if (!va) +- return NULL; +- +- page = virt_to_head_page(va); +- /* Check if the frag falls back to single page */ +- if (compound_order(page) < get_order(rxq->alloc_size)) { +- put_page(page); +- return NULL; +- } + } else { + page = page_pool_dev_alloc_pages(rxq->page_pool); + if (!page) +@@ -1718,7 +1689,7 @@ static void mana_refill_rx_oob(struct de + dma_addr_t da; + void *va; + +- va = mana_get_rxfrag(rxq, dev, &da, &from_pool, true); ++ va = mana_get_rxfrag(rxq, dev, &da, &from_pool); + if (!va) + return; + +@@ -2158,7 +2129,7 @@ static int mana_fill_rx_oob(struct mana_ + if (mpc->rxbufs_pre) + va = mana_get_rxbuf_pre(rxq, &da); + else +- va = mana_get_rxfrag(rxq, dev, &da, &from_pool, false); ++ va = mana_get_rxfrag(rxq, dev, &da, &from_pool); + + if (!va) + return -ENOMEM; +@@ -2244,6 +2215,7 @@ static int mana_create_page_pool(struct + pprm.nid = gc->numa_node; + pprm.napi = &rxq->rx_cq.napi; + pprm.netdev = rxq->ndev; ++ pprm.order = get_order(rxq->alloc_size); + + rxq->page_pool = page_pool_create(&pprm); + diff --git a/queue-6.13/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch b/queue-6.13/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch new file mode 100644 index 0000000000..ea3e40df75 --- /dev/null +++ b/queue-6.13/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch @@ -0,0 +1,40 @@ +From fd5625fc86922f36bedee5846fefd647b7e72751 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Wed, 15 Jan 2025 21:28:17 +0300 +Subject: ntb: use 64-bit arithmetic for the MSI doorbell mask + +From: Fedor Pchelkin + +commit fd5625fc86922f36bedee5846fefd647b7e72751 upstream. + +msi_db_mask is of type 'u64', still the standard 'int' arithmetic is +performed to compute its value. + +While most of the ntb_hw drivers actually don't utilize the higher 32 +bits of the doorbell mask now, this may be the case for Switchtec - see +switchtec_ntb_init_db(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE static +analysis tool. + +Fixes: 2b0569b3b7e6 ("NTB: Add MSI interrupt support to ntb_transport") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ntb/ntb_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -1353,7 +1353,7 @@ static int ntb_transport_probe(struct nt + qp_count = ilog2(qp_bitmap); + if (nt->use_msi) { + qp_count -= 1; +- nt->msi_db_mask = 1 << qp_count; ++ nt->msi_db_mask = BIT_ULL(qp_count); + ntb_db_clear_mask(ndev, nt->msi_db_mask); + } + diff --git a/queue-6.13/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch b/queue-6.13/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch new file mode 100644 index 0000000000..1dff63d375 --- /dev/null +++ b/queue-6.13/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch @@ -0,0 +1,44 @@ +From 962a2805e47b933876ba0e4c488d9e89ced2dd29 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:59 +0800 +Subject: of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() + +From: Zijun Hu + +commit 962a2805e47b933876ba0e4c488d9e89ced2dd29 upstream. + +In irq_of_parse_and_map(), refcount of device node @oirq.np was got +by successful of_irq_parse_one() invocation, but it does not put the +refcount before return, so causes @oirq.np refcount leakage. + +Fix by putting @oirq.np refcount before return. + +Fixes: e3873444990d ("of/irq: Move irq_of_parse_and_map() to common code") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-6-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -39,11 +39,15 @@ + unsigned int irq_of_parse_and_map(struct device_node *dev, int index) + { + struct of_phandle_args oirq; ++ unsigned int ret; + + if (of_irq_parse_one(dev, index, &oirq)) + return 0; + +- return irq_create_of_mapping(&oirq); ++ ret = irq_create_of_mapping(&oirq); ++ of_node_put(oirq.np); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(irq_of_parse_and_map); + diff --git a/queue-6.13/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch b/queue-6.13/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch new file mode 100644 index 0000000000..b3c694c9e0 --- /dev/null +++ b/queue-6.13/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch @@ -0,0 +1,126 @@ +From 0cb58d6c7b558a69957fabe159bfb184196e1e8d Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:55 +0800 +Subject: of/irq: Fix device node refcount leakage in API of_irq_parse_one() + +From: Zijun Hu + +commit 0cb58d6c7b558a69957fabe159bfb184196e1e8d upstream. + +of_irq_parse_one(@int_gen_dev, i, ...) will leak refcount of @i_th_phandle + +int_gen_dev { + ... + interrupts-extended = ..., <&i_th_phandle ...>, ...; + ... +}; + +Refcount of @i_th_phandle is increased by of_parse_phandle_with_args() +but is not decreased by API of_irq_parse_one() before return, so causes +refcount leakage. + +Rework the refcounting to use __free() cleanup and simplify the code to +have a single call to of_irq_parse_raw(). + +Also add comments about refcount of node @out_irq->np got by the API. + +Fixes: 79d9701559a9 ("of/irq: create interrupts-extended property") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-2-93e3a2659aa7@quicinc.com +[robh: Use __free() to do puts] +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 59 +++++++++++++++++++++++++------------------------------ + 1 file changed, 27 insertions(+), 32 deletions(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -16,6 +16,7 @@ + + #define pr_fmt(fmt) "OF: " fmt + ++#include + #include + #include + #include +@@ -339,10 +340,12 @@ EXPORT_SYMBOL_GPL(of_irq_parse_raw); + * This function resolves an interrupt for a node by walking the interrupt tree, + * finding which interrupt controller node it is attached to, and returning the + * interrupt specifier that can be used to retrieve a Linux IRQ number. ++ * ++ * Note: refcount of node @out_irq->np is increased by 1 on success. + */ + int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_args *out_irq) + { +- struct device_node *p; ++ struct device_node __free(device_node) *p = NULL; + const __be32 *addr; + u32 intsize; + int i, res, addr_len; +@@ -367,41 +370,33 @@ int of_irq_parse_one(struct device_node + /* Try the new-style interrupts-extended first */ + res = of_parse_phandle_with_args(device, "interrupts-extended", + "#interrupt-cells", index, out_irq); +- if (!res) +- return of_irq_parse_raw(addr_buf, out_irq); +- +- /* Look for the interrupt parent. */ +- p = of_irq_find_parent(device); +- if (p == NULL) +- return -EINVAL; +- +- /* Get size of interrupt specifier */ +- if (of_property_read_u32(p, "#interrupt-cells", &intsize)) { +- res = -EINVAL; +- goto out; +- } +- +- pr_debug(" parent=%pOF, intsize=%d\n", p, intsize); ++ if (!res) { ++ p = out_irq->np; ++ } else { ++ /* Look for the interrupt parent. */ ++ p = of_irq_find_parent(device); ++ /* Get size of interrupt specifier */ ++ if (!p || of_property_read_u32(p, "#interrupt-cells", &intsize)) ++ return -EINVAL; ++ ++ pr_debug(" parent=%pOF, intsize=%d\n", p, intsize); ++ ++ /* Copy intspec into irq structure */ ++ out_irq->np = p; ++ out_irq->args_count = intsize; ++ for (i = 0; i < intsize; i++) { ++ res = of_property_read_u32_index(device, "interrupts", ++ (index * intsize) + i, ++ out_irq->args + i); ++ if (res) ++ return res; ++ } + +- /* Copy intspec into irq structure */ +- out_irq->np = p; +- out_irq->args_count = intsize; +- for (i = 0; i < intsize; i++) { +- res = of_property_read_u32_index(device, "interrupts", +- (index * intsize) + i, +- out_irq->args + i); +- if (res) +- goto out; ++ pr_debug(" intspec=%d\n", *out_irq->args); + } + +- pr_debug(" intspec=%d\n", *out_irq->args); +- +- + /* Check if there are any interrupt-map translations to process */ +- res = of_irq_parse_raw(addr_buf, out_irq); +- out: +- of_node_put(p); +- return res; ++ return of_irq_parse_raw(addr_buf, out_irq); + } + EXPORT_SYMBOL_GPL(of_irq_parse_one); + diff --git a/queue-6.13/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch b/queue-6.13/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch new file mode 100644 index 0000000000..379ab4bfb3 --- /dev/null +++ b/queue-6.13/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch @@ -0,0 +1,51 @@ +From ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:57 +0800 +Subject: of/irq: Fix device node refcount leakage in API of_irq_parse_raw() + +From: Zijun Hu + +commit ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 upstream. + +if the node @out_irq->np got by of_irq_parse_raw() is a combo node which +consists of both controller and nexus, namely, of_irq_parse_raw() returns +due to condition (@ipar == @newpar), then the node's refcount was increased +twice, hence causes refcount leakage. + +Fix by putting @out_irq->np refcount before returning due to the condition. +Also add comments about refcount of node @out_irq->np got by the API. + +Fixes: 041284181226 ("of/irq: Allow matching of an interrupt-map local to an interrupt controller") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-4-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -166,6 +166,8 @@ const __be32 *of_irq_parse_imap_parent(c + * the specifier for each map, and then returns the translated map. + * + * Return: 0 on success and a negative number on error ++ * ++ * Note: refcount of node @out_irq->np is increased by 1 on success. + */ + int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq) + { +@@ -311,6 +313,12 @@ int of_irq_parse_raw(const __be32 *addr, + addrsize = (imap - match_array) - intsize; + + if (ipar == newpar) { ++ /* ++ * We got @ipar's refcount, but the refcount was ++ * gotten again by of_irq_parse_imap_parent() via its ++ * alias @newpar. ++ */ ++ of_node_put(ipar); + pr_debug("%pOF interrupt-map entry to self\n", ipar); + return 0; + } diff --git a/queue-6.13/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch b/queue-6.13/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch new file mode 100644 index 0000000000..9fa4ef3463 --- /dev/null +++ b/queue-6.13/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch @@ -0,0 +1,40 @@ +From bbf71f44aaf241d853759a71de7e7ebcdb89be3d Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:58 +0800 +Subject: of/irq: Fix device node refcount leakages in of_irq_count() + +From: Zijun Hu + +commit bbf71f44aaf241d853759a71de7e7ebcdb89be3d upstream. + +of_irq_count() invokes of_irq_parse_one() to count IRQs, and successful +invocation of the later will get device node @irq.np refcount, but the +former does not put the refcount before next iteration invocation, hence +causes device node refcount leakages. + +Fix by putting @irq.np refcount before the next iteration invocation. + +Fixes: 3da5278727a8 ("of/irq: Rework of_irq_count()") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-5-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -508,8 +508,10 @@ int of_irq_count(struct device_node *dev + struct of_phandle_args irq; + int nr = 0; + +- while (of_irq_parse_one(dev, nr, &irq) == 0) ++ while (of_irq_parse_one(dev, nr, &irq) == 0) { ++ of_node_put(irq.np); + nr++; ++ } + + return nr; + } diff --git a/queue-6.13/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch b/queue-6.13/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch new file mode 100644 index 0000000000..977302cb37 --- /dev/null +++ b/queue-6.13/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch @@ -0,0 +1,53 @@ +From 708124d9e6e7ac5ebf927830760679136b23fdf0 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:59:00 +0800 +Subject: of/irq: Fix device node refcount leakages in of_irq_init() + +From: Zijun Hu + +commit 708124d9e6e7ac5ebf927830760679136b23fdf0 upstream. + +of_irq_init() will leak interrupt controller device node refcounts +in two places as explained below: + +1) Leak refcounts of both @desc->dev and @desc->interrupt_parent when + suffers @desc->irq_init_cb() failure. +2) Leak refcount of @desc->interrupt_parent when cleans up list + @intc_desc_list in the end. + +Refcounts of both @desc->dev and @desc->interrupt_parent were got in +the first loop, but of_irq_init() does not put them before kfree(@desc) +in places mentioned above, so causes refcount leakages. + +Fix by putting refcounts involved before kfree(@desc). + +Fixes: 8363ccb917c6 ("of/irq: add missing of_node_put") +Fixes: c71a54b08201 ("of/irq: introduce of_irq_init") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-7-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -632,6 +632,8 @@ void __init of_irq_init(const struct of_ + __func__, desc->dev, desc->dev, + desc->interrupt_parent); + of_node_clear_flag(desc->dev, OF_POPULATED); ++ of_node_put(desc->interrupt_parent); ++ of_node_put(desc->dev); + kfree(desc); + continue; + } +@@ -662,6 +664,7 @@ void __init of_irq_init(const struct of_ + err: + list_for_each_entry_safe(desc, temp_desc, &intc_desc_list, list) { + list_del(&desc->list); ++ of_node_put(desc->interrupt_parent); + of_node_put(desc->dev); + kfree(desc); + } diff --git a/queue-6.13/pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch b/queue-6.13/pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch new file mode 100644 index 0000000000..3a84c5a353 --- /dev/null +++ b/queue-6.13/pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch @@ -0,0 +1,61 @@ +From 2df181e1aea4628a8fd257f866026625d0519627 Mon Sep 17 00:00:00 2001 +From: Stanimir Varbanov +Date: Thu, 23 Jan 2025 00:29:55 +0200 +Subject: PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stanimir Varbanov + +commit 2df181e1aea4628a8fd257f866026625d0519627 upstream. + +A call to of_parse_phandle() is incrementing the refcount, and as such, +the of_node_put() must be called when the reference is no longer needed. + +Thus, refactor the existing code and add a missing of_node_put() call +following the check to ensure that "msi_np" matches "pcie->np" and after +MSI initialization, but only if the MSI support is enabled system-wide. + +Cc: stable@vger.kernel.org # v5.10+ +Fixes: 40ca1bf580ef ("PCI: brcmstb: Add MSI support") +Signed-off-by: Stanimir Varbanov +Reviewed-by: Florian Fainelli +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20250122222955.1752778-1-svarbanov@suse.de +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-brcmstb.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/pci/controller/pcie-brcmstb.c ++++ b/drivers/pci/controller/pcie-brcmstb.c +@@ -1786,7 +1786,7 @@ static struct pci_ops brcm7425_pcie_ops + + static int brcm_pcie_probe(struct platform_device *pdev) + { +- struct device_node *np = pdev->dev.of_node, *msi_np; ++ struct device_node *np = pdev->dev.of_node; + struct pci_host_bridge *bridge; + const struct pcie_cfg_data *data; + struct brcm_pcie *pcie; +@@ -1890,9 +1890,14 @@ static int brcm_pcie_probe(struct platfo + goto fail; + } + +- msi_np = of_parse_phandle(pcie->np, "msi-parent", 0); +- if (pci_msi_enabled() && msi_np == pcie->np) { +- ret = brcm_pcie_enable_msi(pcie); ++ if (pci_msi_enabled()) { ++ struct device_node *msi_np = of_parse_phandle(pcie->np, "msi-parent", 0); ++ ++ if (msi_np == pcie->np) ++ ret = brcm_pcie_enable_msi(pcie); ++ ++ of_node_put(msi_np); ++ + if (ret) { + dev_err(pcie->dev, "probe of internal MSI failed"); + goto fail; diff --git a/queue-6.13/pci-fix-reference-leak-in-pci_alloc_child_bus.patch b/queue-6.13/pci-fix-reference-leak-in-pci_alloc_child_bus.patch new file mode 100644 index 0000000000..a582fd63c3 --- /dev/null +++ b/queue-6.13/pci-fix-reference-leak-in-pci_alloc_child_bus.patch @@ -0,0 +1,42 @@ +From 1f2768b6a3ee77a295106e3a5d68458064923ede Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Sun, 2 Feb 2025 14:23:57 +0800 +Subject: PCI: Fix reference leak in pci_alloc_child_bus() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ma Ke + +commit 1f2768b6a3ee77a295106e3a5d68458064923ede upstream. + +If device_register(&child->dev) fails, call put_device() to explicitly +release child->dev, per the comment at device_register(). + +Found by code review. + +Link: https://lore.kernel.org/r/20250202062357.872971-1-make24@iscas.ac.cn +Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible") +Signed-off-by: Ma Ke +Signed-off-by: Bjorn Helgaas +Reviewed-by: Ilpo Järvinen +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1173,7 +1173,10 @@ static struct pci_bus *pci_alloc_child_b + add_dev: + pci_set_bus_msi_domain(child); + ret = device_register(&child->dev); +- WARN_ON(ret < 0); ++ if (WARN_ON(ret < 0)) { ++ put_device(&child->dev); ++ return NULL; ++ } + + pcibios_add_bus(child); + diff --git a/queue-6.13/pci-fix-reference-leak-in-pci_register_host_bridge.patch b/queue-6.13/pci-fix-reference-leak-in-pci_register_host_bridge.patch new file mode 100644 index 0000000000..babc219b66 --- /dev/null +++ b/queue-6.13/pci-fix-reference-leak-in-pci_register_host_bridge.patch @@ -0,0 +1,62 @@ +From 804443c1f27883926de94c849d91f5b7d7d696e9 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 25 Feb 2025 10:14:40 +0800 +Subject: PCI: Fix reference leak in pci_register_host_bridge() + +From: Ma Ke + +commit 804443c1f27883926de94c849d91f5b7d7d696e9 upstream. + +If device_register() fails, call put_device() to give up the reference to +avoid a memory leak, per the comment at device_register(). + +Found by code review. + +Link: https://lore.kernel.org/r/20250225021440.3130264-1-make24@iscas.ac.cn +Fixes: 37d6a0a6f470 ("PCI: Add pci_register_host_bridge() interface") +Signed-off-by: Ma Ke +[bhelgaas: squash Dan Carpenter's double free fix from +https://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain] +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -910,6 +910,7 @@ static int pci_register_host_bridge(stru + resource_size_t offset, next_offset; + LIST_HEAD(resources); + struct resource *res, *next_res; ++ bool bus_registered = false; + char addr[64], *fmt; + const char *name; + int err; +@@ -973,6 +974,7 @@ static int pci_register_host_bridge(stru + name = dev_name(&bus->dev); + + err = device_register(&bus->dev); ++ bus_registered = true; + if (err) + goto unregister; + +@@ -1059,12 +1061,15 @@ static int pci_register_host_bridge(stru + unregister: + put_device(&bridge->dev); + device_del(&bridge->dev); +- + free: + #ifdef CONFIG_PCI_DOMAINS_GENERIC + pci_bus_release_domain_nr(parent, bus->domain_nr); + #endif +- kfree(bus); ++ if (bus_registered) ++ put_device(&bus->dev); ++ else ++ kfree(bus); ++ + return err; + } + diff --git a/queue-6.13/pci-fix-wrong-length-of-devres-array.patch b/queue-6.13/pci-fix-wrong-length-of-devres-array.patch new file mode 100644 index 0000000000..d68420241b --- /dev/null +++ b/queue-6.13/pci-fix-wrong-length-of-devres-array.patch @@ -0,0 +1,45 @@ +From f09d3937d400433080d17982bd1a540da53a156d Mon Sep 17 00:00:00 2001 +From: Philipp Stanner +Date: Wed, 12 Mar 2025 09:06:34 +0100 +Subject: PCI: Fix wrong length of devres array +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Philipp Stanner + +commit f09d3937d400433080d17982bd1a540da53a156d upstream. + +The array for the iomapping cookie addresses has a length of +PCI_STD_NUM_BARS. This constant, however, only describes standard BARs; +while PCI can allow for additional, special BARs. + +The total number of PCI resources is described by constant +PCI_NUM_RESOURCES, which is also used in, e.g., pci_select_bars(). + +Thus, the devres array has so far been too small. + +Change the length of the devres array to PCI_NUM_RESOURCES. + +Link: https://lore.kernel.org/r/20250312080634.13731-3-phasta@kernel.org +Fixes: bbaff68bf4a4 ("PCI: Add managed partial-BAR request and map infrastructure") +Signed-off-by: Philipp Stanner +Signed-off-by: Bjorn Helgaas +Signed-off-by: Krzysztof Wilczyński +Cc: stable@vger.kernel.org # v6.11+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/devres.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/devres.c ++++ b/drivers/pci/devres.c +@@ -40,7 +40,7 @@ + * Legacy struct storing addresses to whole mapped BARs. + */ + struct pcim_iomap_devres { +- void __iomem *table[PCI_STD_NUM_BARS]; ++ void __iomem *table[PCI_NUM_RESOURCES]; + }; + + /* Used to restore the old INTx state on driver detach. */ diff --git a/queue-6.13/pci-j721e-fix-the-value-of-.linkdown_irq_regfield-for-j784s4.patch b/queue-6.13/pci-j721e-fix-the-value-of-.linkdown_irq_regfield-for-j784s4.patch new file mode 100644 index 0000000000..1cf8931b88 --- /dev/null +++ b/queue-6.13/pci-j721e-fix-the-value-of-.linkdown_irq_regfield-for-j784s4.patch @@ -0,0 +1,68 @@ +From d66b5b336245b91681c2042e7eedf63ef7c2f6db Mon Sep 17 00:00:00 2001 +From: Siddharth Vadapalli +Date: Wed, 5 Mar 2025 18:50:18 +0530 +Subject: PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Siddharth Vadapalli + +commit d66b5b336245b91681c2042e7eedf63ef7c2f6db upstream. + +Commit e49ad667815d ("PCI: j721e: Add TI J784S4 PCIe configuration") +assigned the value of .linkdown_irq_regfield for the J784S4 SoC as the +"LINK_DOWN" macro corresponding to BIT(1), and as a result, the Link +Down interrupts on J784S4 SoC are missed. + +According to the Technical Reference Manual and Register Documentation +for the J784S4 SoC[1], BIT(1) corresponds to "ENABLE_SYS_EN_PCIE_DPA_1", +which is not the correct field for the link-state interrupt. Instead, it +is BIT(10) of the "PCIE_INTD_ENABLE_REG_SYS_2" register that corresponds +to the link-state field named as "ENABLE_SYS_EN_PCIE_LINK_STATE". + +Thus, set .linkdown_irq_regfield to the macro "J7200_LINK_DOWN", which +expands to BIT(10) and was first defined for the J7200 SoC. Other SoCs +already reuse this macro since it accurately represents the "link-state" +field in their respective "PCIE_INTD_ENABLE_REG_SYS_2" register. + +1: https://www.ti.com/lit/zip/spruj52 + +Fixes: e49ad667815d ("PCI: j721e: Add TI J784S4 PCIe configuration") +Cc: stable@vger.kernel.org +Signed-off-by: Siddharth Vadapalli +[kwilczynski: commit log, add a missing .linkdown_irq_regfield member +set to the J7200_LINK_DOWN macro to struct j7200_pcie_ep_data] +Signed-off-by: Krzysztof Wilczyński +Link: https://lore.kernel.org/r/20250305132018.2260771-1-s-vadapalli@ti.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/cadence/pci-j721e.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/cadence/pci-j721e.c ++++ b/drivers/pci/controller/cadence/pci-j721e.c +@@ -355,6 +355,7 @@ static const struct j721e_pcie_data j720 + static const struct j721e_pcie_data j7200_pcie_ep_data = { + .mode = PCI_MODE_EP, + .quirk_detect_quiet_flag = true, ++ .linkdown_irq_regfield = J7200_LINK_DOWN, + .quirk_disable_flr = true, + .max_lanes = 2, + }; +@@ -376,13 +377,13 @@ static const struct j721e_pcie_data j784 + .mode = PCI_MODE_RC, + .quirk_retrain_flag = true, + .byte_access_allowed = false, +- .linkdown_irq_regfield = LINK_DOWN, ++ .linkdown_irq_regfield = J7200_LINK_DOWN, + .max_lanes = 4, + }; + + static const struct j721e_pcie_data j784s4_pcie_ep_data = { + .mode = PCI_MODE_EP, +- .linkdown_irq_regfield = LINK_DOWN, ++ .linkdown_irq_regfield = J7200_LINK_DOWN, + .max_lanes = 4, + }; + diff --git a/queue-6.13/pci-pciehp-avoid-unnecessary-device-replacement-check.patch b/queue-6.13/pci-pciehp-avoid-unnecessary-device-replacement-check.patch new file mode 100644 index 0000000000..c3e1e72af6 --- /dev/null +++ b/queue-6.13/pci-pciehp-avoid-unnecessary-device-replacement-check.patch @@ -0,0 +1,78 @@ +From e3260237aaadc9799107ccb940c6688195c4518d Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Tue, 11 Mar 2025 07:27:32 +0100 +Subject: PCI: pciehp: Avoid unnecessary device replacement check + +From: Lukas Wunner + +commit e3260237aaadc9799107ccb940c6688195c4518d upstream. + +Hot-removal of nested PCI hotplug ports suffers from a long-standing race +condition which can lead to a deadlock: A parent hotplug port acquires +pci_lock_rescan_remove(), then waits for pciehp to unbind from a child +hotplug port. Meanwhile that child hotplug port tries to acquire +pci_lock_rescan_remove() as well in order to remove its own children. + +The deadlock only occurs if the parent acquires pci_lock_rescan_remove() +first, not if the child happens to acquire it first. + +Several workarounds to avoid the issue have been proposed and discarded +over the years, e.g.: + +https://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/ + +A proper fix is being worked on, but needs more time as it is nontrivial +and necessarily intrusive. + +Recent commit 9d573d19547b ("PCI: pciehp: Detect device replacement during +system sleep") provokes more frequent occurrence of the deadlock when +removing more than one Thunderbolt device during system sleep. The commit +sought to detect device replacement, but also triggered on device removal. +Differentiating reliably between replacement and removal is impossible +because pci_get_dsn() returns 0 both if the device was removed, as well as +if it was replaced with one lacking a Device Serial Number. + +Avoid the more frequent occurrence of the deadlock by checking whether the +hotplug port itself was hot-removed. If so, there's no sense in checking +whether its child device was replaced. + +This works because the ->resume_noirq() callback is invoked in top-down +order for the entire hierarchy: A parent hotplug port detecting device +replacement (or removal) marks all children as removed using +pci_dev_set_disconnected() and a child hotplug port can then reliably +detect being removed. + +Link: https://lore.kernel.org/r/02f166e24c87d6cde4085865cce9adfdfd969688.1741674172.git.lukas@wunner.de +Fixes: 9d573d19547b ("PCI: pciehp: Detect device replacement during system sleep") +Reported-by: Kenneth Crudup +Closes: https://lore.kernel.org/r/83d9302a-f743-43e4-9de2-2dd66d91ab5b@panix.com/ +Reported-by: Chia-Lin Kao (AceLan) +Closes: https://lore.kernel.org/r/20240926125909.2362244-1-acelan.kao@canonical.com/ +Tested-by: Kenneth Crudup +Tested-by: Mika Westerberg +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mika Westerberg +Reviewed-by: Kuppuswamy Sathyanarayanan +Cc: stable@vger.kernel.org # v6.11+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/hotplug/pciehp_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/pci/hotplug/pciehp_core.c ++++ b/drivers/pci/hotplug/pciehp_core.c +@@ -286,9 +286,12 @@ static int pciehp_suspend(struct pcie_de + + static bool pciehp_device_replaced(struct controller *ctrl) + { +- struct pci_dev *pdev __free(pci_dev_put); ++ struct pci_dev *pdev __free(pci_dev_put) = NULL; + u32 reg; + ++ if (pci_dev_is_disconnected(ctrl->pcie->port)) ++ return false; ++ + pdev = pci_get_slot(ctrl->pcie->port->subordinate, PCI_DEVFN(0, 0)); + if (!pdev) + return true; diff --git a/queue-6.13/phy-freescale-imx8m-pcie-assert-phy-reset-and-perst-in-power-off.patch b/queue-6.13/phy-freescale-imx8m-pcie-assert-phy-reset-and-perst-in-power-off.patch new file mode 100644 index 0000000000..0cc0d57644 --- /dev/null +++ b/queue-6.13/phy-freescale-imx8m-pcie-assert-phy-reset-and-perst-in-power-off.patch @@ -0,0 +1,64 @@ +From aecb63e88c5e5fb9afb782a1577264c76f179af9 Mon Sep 17 00:00:00 2001 +From: Stefan Eichenberger +Date: Wed, 5 Mar 2025 15:43:16 +0100 +Subject: phy: freescale: imx8m-pcie: assert phy reset and perst in power off + +From: Stefan Eichenberger + +commit aecb63e88c5e5fb9afb782a1577264c76f179af9 upstream. + +Ensure the PHY reset and perst is asserted during power-off to +guarantee it is in a reset state upon repeated power-on calls. This +resolves an issue where the PHY may not properly initialize during +subsequent power-on cycles. Power-on will deassert the reset at the +appropriate time after tuning the PHY parameters. + +During suspend/resume cycles, we observed that the PHY PLL failed to +lock during resume when the CPU temperature increased from 65C to 75C. +The observed errors were: + phy phy-32f00000.pcie-phy.3: phy poweron failed --> -110 + imx6q-pcie 33800000.pcie: waiting for PHY ready timeout! + imx6q-pcie 33800000.pcie: PM: dpm_run_callback(): genpd_resume_noirq+0x0/0x80 returns -110 + imx6q-pcie 33800000.pcie: PM: failed to resume noirq: error -110 + +This resulted in a complete CPU freeze, which is resolved by ensuring +the PHY is in reset during power-on, thus preventing PHY PLL failures. + +Cc: stable@vger.kernel.org +Fixes: 1aa97b002258 ("phy: freescale: pcie: Initialize the imx8 pcie standalone phy driver") +Signed-off-by: Stefan Eichenberger +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250305144355.20364-3-eichest@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/phy/freescale/phy-fsl-imx8m-pcie.c ++++ b/drivers/phy/freescale/phy-fsl-imx8m-pcie.c +@@ -162,6 +162,16 @@ static int imx8_pcie_phy_power_on(struct + return ret; + } + ++static int imx8_pcie_phy_power_off(struct phy *phy) ++{ ++ struct imx8_pcie_phy *imx8_phy = phy_get_drvdata(phy); ++ ++ reset_control_assert(imx8_phy->reset); ++ reset_control_assert(imx8_phy->perst); ++ ++ return 0; ++} ++ + static int imx8_pcie_phy_init(struct phy *phy) + { + struct imx8_pcie_phy *imx8_phy = phy_get_drvdata(phy); +@@ -182,6 +192,7 @@ static const struct phy_ops imx8_pcie_ph + .init = imx8_pcie_phy_init, + .exit = imx8_pcie_phy_exit, + .power_on = imx8_pcie_phy_power_on, ++ .power_off = imx8_pcie_phy_power_off, + .owner = THIS_MODULE, + }; + diff --git a/queue-6.13/pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch b/queue-6.13/pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch new file mode 100644 index 0000000000..80580e5f46 --- /dev/null +++ b/queue-6.13/pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch @@ -0,0 +1,107 @@ +From e225128c3f8be879e7d4eb71a25949e188b420ae Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Wed, 12 Mar 2025 14:19:27 +0100 +Subject: pinctrl: qcom: Clear latched interrupt status when changing IRQ type + +From: Stephan Gerhold + +commit e225128c3f8be879e7d4eb71a25949e188b420ae upstream. + +When submitting the TLMM test driver, Bjorn reported that some of the test +cases are failing for GPIOs that not are backed by PDC (i.e. "non-wakeup" +GPIOs that are handled directly in pinctrl-msm). Basically, lingering +latched interrupt state is still being delivered at IRQ request time, e.g.: + + ok 1 tlmm_test_silent_rising + tlmm_test_silent_falling: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178 + Expected atomic_read(&priv->intr_count) == 0, but + atomic_read(&priv->intr_count) == 1 (0x1) + not ok 2 tlmm_test_silent_falling + tlmm_test_silent_low: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178 + Expected atomic_read(&priv->intr_count) == 0, but + atomic_read(&priv->intr_count) == 1 (0x1) + not ok 3 tlmm_test_silent_low + ok 4 tlmm_test_silent_high + +Whether to report interrupts that came in while the IRQ was unclaimed +doesn't seem to be well-defined in the Linux IRQ API. However, looking +closer at these specific cases, we're actually reporting events that do not +match the interrupt type requested by the driver: + + 1. After "ok 1 tlmm_test_silent_rising", the GPIO is in low state and + configured for IRQF_TRIGGER_RISING. + + 2. (a) In preparation for "tlmm_test_silent_falling", the GPIO is switched + to high state. The rising interrupt gets latched. + (b) The GPIO is re-configured for IRQF_TRIGGER_FALLING, but the latched + interrupt isn't cleared. + (c) The IRQ handler is called for the latched interrupt, but there + wasn't any falling edge. + + 3. (a) For "tlmm_test_silent_low", the GPIO remains in high state. + (b) The GPIO is re-configured for IRQF_TRIGGER_LOW. This seems to + result in a phantom interrupt that gets latched. + (c) The IRQ handler is called for the latched interrupt, but the GPIO + isn't in low state. + + 4. (a) For "tlmm_test_silent_high", the GPIO is switched to low state. + (b) This doesn't result in a latched interrupt, because RAW_STATUS_EN + was cleared when masking the level-triggered interrupt. + +Fix this by clearing the interrupt state whenever making any changes to the +interrupt configuration. This includes previously disabled interrupts, but +also any changes to interrupt polarity or detection type. + +With this change, all 16 test cases are now passing for the non-wakeup +GPIOs in the TLMM. + +Cc: stable@vger.kernel.org +Fixes: cf9d052aa600 ("pinctrl: qcom: Don't clear pending interrupts when enabling") +Reported-by: Bjorn Andersson +Closes: https://lore.kernel.org/r/20250227-tlmm-test-v1-1-d18877b4a5db@oss.qualcomm.com/ +Signed-off-by: Stephan Gerhold +Tested-by: Bjorn Andersson +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/20250312-pinctrl-msm-type-latch-v1-1-ce87c561d3d7@linaro.org +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -1044,8 +1044,7 @@ static int msm_gpio_irq_set_type(struct + const struct msm_pingroup *g; + u32 intr_target_mask = GENMASK(2, 0); + unsigned long flags; +- bool was_enabled; +- u32 val; ++ u32 val, oldval; + + if (msm_gpio_needs_dual_edge_parent_workaround(d, type)) { + set_bit(d->hwirq, pctrl->dual_edge_irqs); +@@ -1107,8 +1106,7 @@ static int msm_gpio_irq_set_type(struct + * internal circuitry of TLMM, toggling the RAW_STATUS + * could cause the INTR_STATUS to be set for EDGE interrupts. + */ +- val = msm_readl_intr_cfg(pctrl, g); +- was_enabled = val & BIT(g->intr_raw_status_bit); ++ val = oldval = msm_readl_intr_cfg(pctrl, g); + val |= BIT(g->intr_raw_status_bit); + if (g->intr_detection_width == 2) { + val &= ~(3 << g->intr_detection_bit); +@@ -1161,9 +1159,11 @@ static int msm_gpio_irq_set_type(struct + /* + * The first time we set RAW_STATUS_EN it could trigger an interrupt. + * Clear the interrupt. This is safe because we have +- * IRQCHIP_SET_TYPE_MASKED. ++ * IRQCHIP_SET_TYPE_MASKED. When changing the interrupt type, we could ++ * also still have a non-matching interrupt latched, so clear whenever ++ * making changes to the interrupt configuration. + */ +- if (!was_enabled) ++ if (val != oldval) + msm_ack_intr_status(pctrl, g); + + if (test_bit(d->hwirq, pctrl->dual_edge_irqs)) diff --git a/queue-6.13/pinctrl-samsung-add-support-for-eint_fltcon_offset.patch b/queue-6.13/pinctrl-samsung-add-support-for-eint_fltcon_offset.patch new file mode 100644 index 0000000000..7cb2ffdfc5 --- /dev/null +++ b/queue-6.13/pinctrl-samsung-add-support-for-eint_fltcon_offset.patch @@ -0,0 +1,246 @@ +From 701d0e910955627734917c3587258aa7e73068bb Mon Sep 17 00:00:00 2001 +From: Peter Griffin +Date: Fri, 7 Mar 2025 10:29:05 +0000 +Subject: pinctrl: samsung: add support for eint_fltcon_offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Griffin + +commit 701d0e910955627734917c3587258aa7e73068bb upstream. + +On gs101 SoC the fltcon0 (filter configuration 0) offset isn't at a +fixed offset like previous SoCs as the fltcon1 register only exists when +there are more than 4 pins in the bank. + +Add a eint_fltcon_offset and new GS101_PIN_BANK_EINT* macros that take +an additional fltcon_offs variable. + +This can then be used in suspend/resume callbacks to save and restore +the fltcon0 and fltcon1 registers. + +Fixes: 4a8be01a1a7a ("pinctrl: samsung: Add gs101 SoC pinctrl configuration") +Cc: stable@vger.kernel.org +Reviewed-by: André Draszik +Signed-off-by: Peter Griffin +Link: https://lore.kernel.org/r/20250307-pinctrl-fltcon-suspend-v4-1-2d775e486036@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/samsung/pinctrl-exynos-arm64.c | 98 ++++++++++++------------- + drivers/pinctrl/samsung/pinctrl-exynos.h | 22 +++++ + drivers/pinctrl/samsung/pinctrl-samsung.c | 1 + drivers/pinctrl/samsung/pinctrl-samsung.h | 4 + + 4 files changed, 76 insertions(+), 49 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-exynos-arm64.c ++++ b/drivers/pinctrl/samsung/pinctrl-exynos-arm64.c +@@ -1370,83 +1370,83 @@ const struct samsung_pinctrl_of_match_da + + /* pin banks of gs101 pin-controller (ALIVE) */ + static const struct samsung_pin_bank_data gs101_pin_alive[] = { +- EXYNOS850_PIN_BANK_EINTW(8, 0x0, "gpa0", 0x00), +- EXYNOS850_PIN_BANK_EINTW(7, 0x20, "gpa1", 0x04), +- EXYNOS850_PIN_BANK_EINTW(5, 0x40, "gpa2", 0x08), +- EXYNOS850_PIN_BANK_EINTW(4, 0x60, "gpa3", 0x0c), +- EXYNOS850_PIN_BANK_EINTW(4, 0x80, "gpa4", 0x10), +- EXYNOS850_PIN_BANK_EINTW(7, 0xa0, "gpa5", 0x14), +- EXYNOS850_PIN_BANK_EINTW(8, 0xc0, "gpa9", 0x18), +- EXYNOS850_PIN_BANK_EINTW(2, 0xe0, "gpa10", 0x1c), ++ GS101_PIN_BANK_EINTW(8, 0x0, "gpa0", 0x00, 0x00), ++ GS101_PIN_BANK_EINTW(7, 0x20, "gpa1", 0x04, 0x08), ++ GS101_PIN_BANK_EINTW(5, 0x40, "gpa2", 0x08, 0x10), ++ GS101_PIN_BANK_EINTW(4, 0x60, "gpa3", 0x0c, 0x18), ++ GS101_PIN_BANK_EINTW(4, 0x80, "gpa4", 0x10, 0x1c), ++ GS101_PIN_BANK_EINTW(7, 0xa0, "gpa5", 0x14, 0x20), ++ GS101_PIN_BANK_EINTW(8, 0xc0, "gpa9", 0x18, 0x28), ++ GS101_PIN_BANK_EINTW(2, 0xe0, "gpa10", 0x1c, 0x30), + }; + + /* pin banks of gs101 pin-controller (FAR_ALIVE) */ + static const struct samsung_pin_bank_data gs101_pin_far_alive[] = { +- EXYNOS850_PIN_BANK_EINTW(8, 0x0, "gpa6", 0x00), +- EXYNOS850_PIN_BANK_EINTW(4, 0x20, "gpa7", 0x04), +- EXYNOS850_PIN_BANK_EINTW(8, 0x40, "gpa8", 0x08), +- EXYNOS850_PIN_BANK_EINTW(2, 0x60, "gpa11", 0x0c), ++ GS101_PIN_BANK_EINTW(8, 0x0, "gpa6", 0x00, 0x00), ++ GS101_PIN_BANK_EINTW(4, 0x20, "gpa7", 0x04, 0x08), ++ GS101_PIN_BANK_EINTW(8, 0x40, "gpa8", 0x08, 0x0c), ++ GS101_PIN_BANK_EINTW(2, 0x60, "gpa11", 0x0c, 0x14), + }; + + /* pin banks of gs101 pin-controller (GSACORE) */ + static const struct samsung_pin_bank_data gs101_pin_gsacore[] = { +- EXYNOS850_PIN_BANK_EINTG(2, 0x0, "gps0", 0x00), +- EXYNOS850_PIN_BANK_EINTG(8, 0x20, "gps1", 0x04), +- EXYNOS850_PIN_BANK_EINTG(3, 0x40, "gps2", 0x08), ++ GS101_PIN_BANK_EINTG(2, 0x0, "gps0", 0x00, 0x00), ++ GS101_PIN_BANK_EINTG(8, 0x20, "gps1", 0x04, 0x04), ++ GS101_PIN_BANK_EINTG(3, 0x40, "gps2", 0x08, 0x0c), + }; + + /* pin banks of gs101 pin-controller (GSACTRL) */ + static const struct samsung_pin_bank_data gs101_pin_gsactrl[] = { +- EXYNOS850_PIN_BANK_EINTW(6, 0x0, "gps3", 0x00), ++ GS101_PIN_BANK_EINTW(6, 0x0, "gps3", 0x00, 0x00), + }; + + /* pin banks of gs101 pin-controller (PERIC0) */ + static const struct samsung_pin_bank_data gs101_pin_peric0[] = { +- EXYNOS850_PIN_BANK_EINTG(5, 0x0, "gpp0", 0x00), +- EXYNOS850_PIN_BANK_EINTG(4, 0x20, "gpp1", 0x04), +- EXYNOS850_PIN_BANK_EINTG(4, 0x40, "gpp2", 0x08), +- EXYNOS850_PIN_BANK_EINTG(2, 0x60, "gpp3", 0x0c), +- EXYNOS850_PIN_BANK_EINTG(4, 0x80, "gpp4", 0x10), +- EXYNOS850_PIN_BANK_EINTG(2, 0xa0, "gpp5", 0x14), +- EXYNOS850_PIN_BANK_EINTG(4, 0xc0, "gpp6", 0x18), +- EXYNOS850_PIN_BANK_EINTG(2, 0xe0, "gpp7", 0x1c), +- EXYNOS850_PIN_BANK_EINTG(4, 0x100, "gpp8", 0x20), +- EXYNOS850_PIN_BANK_EINTG(2, 0x120, "gpp9", 0x24), +- EXYNOS850_PIN_BANK_EINTG(4, 0x140, "gpp10", 0x28), +- EXYNOS850_PIN_BANK_EINTG(2, 0x160, "gpp11", 0x2c), +- EXYNOS850_PIN_BANK_EINTG(4, 0x180, "gpp12", 0x30), +- EXYNOS850_PIN_BANK_EINTG(2, 0x1a0, "gpp13", 0x34), +- EXYNOS850_PIN_BANK_EINTG(4, 0x1c0, "gpp14", 0x38), +- EXYNOS850_PIN_BANK_EINTG(2, 0x1e0, "gpp15", 0x3c), +- EXYNOS850_PIN_BANK_EINTG(4, 0x200, "gpp16", 0x40), +- EXYNOS850_PIN_BANK_EINTG(2, 0x220, "gpp17", 0x44), +- EXYNOS850_PIN_BANK_EINTG(4, 0x240, "gpp18", 0x48), +- EXYNOS850_PIN_BANK_EINTG(4, 0x260, "gpp19", 0x4c), ++ GS101_PIN_BANK_EINTG(5, 0x0, "gpp0", 0x00, 0x00), ++ GS101_PIN_BANK_EINTG(4, 0x20, "gpp1", 0x04, 0x08), ++ GS101_PIN_BANK_EINTG(4, 0x40, "gpp2", 0x08, 0x0c), ++ GS101_PIN_BANK_EINTG(2, 0x60, "gpp3", 0x0c, 0x10), ++ GS101_PIN_BANK_EINTG(4, 0x80, "gpp4", 0x10, 0x14), ++ GS101_PIN_BANK_EINTG(2, 0xa0, "gpp5", 0x14, 0x18), ++ GS101_PIN_BANK_EINTG(4, 0xc0, "gpp6", 0x18, 0x1c), ++ GS101_PIN_BANK_EINTG(2, 0xe0, "gpp7", 0x1c, 0x20), ++ GS101_PIN_BANK_EINTG(4, 0x100, "gpp8", 0x20, 0x24), ++ GS101_PIN_BANK_EINTG(2, 0x120, "gpp9", 0x24, 0x28), ++ GS101_PIN_BANK_EINTG(4, 0x140, "gpp10", 0x28, 0x2c), ++ GS101_PIN_BANK_EINTG(2, 0x160, "gpp11", 0x2c, 0x30), ++ GS101_PIN_BANK_EINTG(4, 0x180, "gpp12", 0x30, 0x34), ++ GS101_PIN_BANK_EINTG(2, 0x1a0, "gpp13", 0x34, 0x38), ++ GS101_PIN_BANK_EINTG(4, 0x1c0, "gpp14", 0x38, 0x3c), ++ GS101_PIN_BANK_EINTG(2, 0x1e0, "gpp15", 0x3c, 0x40), ++ GS101_PIN_BANK_EINTG(4, 0x200, "gpp16", 0x40, 0x44), ++ GS101_PIN_BANK_EINTG(2, 0x220, "gpp17", 0x44, 0x48), ++ GS101_PIN_BANK_EINTG(4, 0x240, "gpp18", 0x48, 0x4c), ++ GS101_PIN_BANK_EINTG(4, 0x260, "gpp19", 0x4c, 0x50), + }; + + /* pin banks of gs101 pin-controller (PERIC1) */ + static const struct samsung_pin_bank_data gs101_pin_peric1[] = { +- EXYNOS850_PIN_BANK_EINTG(8, 0x0, "gpp20", 0x00), +- EXYNOS850_PIN_BANK_EINTG(4, 0x20, "gpp21", 0x04), +- EXYNOS850_PIN_BANK_EINTG(2, 0x40, "gpp22", 0x08), +- EXYNOS850_PIN_BANK_EINTG(8, 0x60, "gpp23", 0x0c), +- EXYNOS850_PIN_BANK_EINTG(4, 0x80, "gpp24", 0x10), +- EXYNOS850_PIN_BANK_EINTG(4, 0xa0, "gpp25", 0x14), +- EXYNOS850_PIN_BANK_EINTG(5, 0xc0, "gpp26", 0x18), +- EXYNOS850_PIN_BANK_EINTG(4, 0xe0, "gpp27", 0x1c), ++ GS101_PIN_BANK_EINTG(8, 0x0, "gpp20", 0x00, 0x00), ++ GS101_PIN_BANK_EINTG(4, 0x20, "gpp21", 0x04, 0x08), ++ GS101_PIN_BANK_EINTG(2, 0x40, "gpp22", 0x08, 0x0c), ++ GS101_PIN_BANK_EINTG(8, 0x60, "gpp23", 0x0c, 0x10), ++ GS101_PIN_BANK_EINTG(4, 0x80, "gpp24", 0x10, 0x18), ++ GS101_PIN_BANK_EINTG(4, 0xa0, "gpp25", 0x14, 0x1c), ++ GS101_PIN_BANK_EINTG(5, 0xc0, "gpp26", 0x18, 0x20), ++ GS101_PIN_BANK_EINTG(4, 0xe0, "gpp27", 0x1c, 0x28), + }; + + /* pin banks of gs101 pin-controller (HSI1) */ + static const struct samsung_pin_bank_data gs101_pin_hsi1[] = { +- EXYNOS850_PIN_BANK_EINTG(6, 0x0, "gph0", 0x00), +- EXYNOS850_PIN_BANK_EINTG(7, 0x20, "gph1", 0x04), ++ GS101_PIN_BANK_EINTG(6, 0x0, "gph0", 0x00, 0x00), ++ GS101_PIN_BANK_EINTG(7, 0x20, "gph1", 0x04, 0x08), + }; + + /* pin banks of gs101 pin-controller (HSI2) */ + static const struct samsung_pin_bank_data gs101_pin_hsi2[] = { +- EXYNOS850_PIN_BANK_EINTG(6, 0x0, "gph2", 0x00), +- EXYNOS850_PIN_BANK_EINTG(2, 0x20, "gph3", 0x04), +- EXYNOS850_PIN_BANK_EINTG(6, 0x40, "gph4", 0x08), ++ GS101_PIN_BANK_EINTG(6, 0x0, "gph2", 0x00, 0x00), ++ GS101_PIN_BANK_EINTG(2, 0x20, "gph3", 0x04, 0x08), ++ GS101_PIN_BANK_EINTG(6, 0x40, "gph4", 0x08, 0x0c), + }; + + static const struct samsung_pin_ctrl gs101_pin_ctrl[] __initconst = { +--- a/drivers/pinctrl/samsung/pinctrl-exynos.h ++++ b/drivers/pinctrl/samsung/pinctrl-exynos.h +@@ -175,6 +175,28 @@ + .name = id \ + } + ++#define GS101_PIN_BANK_EINTG(pins, reg, id, offs, fltcon_offs) \ ++ { \ ++ .type = &exynos850_bank_type_off, \ ++ .pctl_offset = reg, \ ++ .nr_pins = pins, \ ++ .eint_type = EINT_TYPE_GPIO, \ ++ .eint_offset = offs, \ ++ .eint_fltcon_offset = fltcon_offs, \ ++ .name = id \ ++ } ++ ++#define GS101_PIN_BANK_EINTW(pins, reg, id, offs, fltcon_offs) \ ++ { \ ++ .type = &exynos850_bank_type_alive, \ ++ .pctl_offset = reg, \ ++ .nr_pins = pins, \ ++ .eint_type = EINT_TYPE_WKUP, \ ++ .eint_offset = offs, \ ++ .eint_fltcon_offset = fltcon_offs, \ ++ .name = id \ ++ } ++ + /** + * struct exynos_weint_data: irq specific data for all the wakeup interrupts + * generated by the external wakeup interrupt controller. +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -1230,6 +1230,7 @@ samsung_pinctrl_get_soc_data(struct sams + bank->eint_con_offset = bdata->eint_con_offset; + bank->eint_mask_offset = bdata->eint_mask_offset; + bank->eint_pend_offset = bdata->eint_pend_offset; ++ bank->eint_fltcon_offset = bdata->eint_fltcon_offset; + bank->name = bdata->name; + + raw_spin_lock_init(&bank->slock); +--- a/drivers/pinctrl/samsung/pinctrl-samsung.h ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.h +@@ -144,6 +144,7 @@ struct samsung_pin_bank_type { + * @eint_con_offset: ExynosAuto SoC-specific EINT control register offset of bank. + * @eint_mask_offset: ExynosAuto SoC-specific EINT mask register offset of bank. + * @eint_pend_offset: ExynosAuto SoC-specific EINT pend register offset of bank. ++ * @eint_fltcon_offset: GS101 SoC-specific EINT filter config register offset. + * @name: name to be prefixed for each pin in this pin bank. + */ + struct samsung_pin_bank_data { +@@ -158,6 +159,7 @@ struct samsung_pin_bank_data { + u32 eint_con_offset; + u32 eint_mask_offset; + u32 eint_pend_offset; ++ u32 eint_fltcon_offset; + const char *name; + }; + +@@ -175,6 +177,7 @@ struct samsung_pin_bank_data { + * @eint_con_offset: ExynosAuto SoC-specific EINT register or interrupt offset of bank. + * @eint_mask_offset: ExynosAuto SoC-specific EINT mask register offset of bank. + * @eint_pend_offset: ExynosAuto SoC-specific EINT pend register offset of bank. ++ * @eint_fltcon_offset: GS101 SoC-specific EINT filter config register offset. + * @name: name to be prefixed for each pin in this pin bank. + * @id: id of the bank, propagated to the pin range. + * @pin_base: starting pin number of the bank. +@@ -201,6 +204,7 @@ struct samsung_pin_bank { + u32 eint_con_offset; + u32 eint_mask_offset; + u32 eint_pend_offset; ++ u32 eint_fltcon_offset; + const char *name; + u32 id; + diff --git a/queue-6.13/ring-buffer-use-flush_kernel_vmap_range-over-flush_dcache_folio.patch b/queue-6.13/ring-buffer-use-flush_kernel_vmap_range-over-flush_dcache_folio.patch new file mode 100644 index 0000000000..e4e7c896f8 --- /dev/null +++ b/queue-6.13/ring-buffer-use-flush_kernel_vmap_range-over-flush_dcache_folio.patch @@ -0,0 +1,66 @@ +From e4d4b8670c44cdd22212cab3c576e2d317efa67c Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 2 Apr 2025 10:49:07 -0400 +Subject: ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio() + +From: Steven Rostedt + +commit e4d4b8670c44cdd22212cab3c576e2d317efa67c upstream. + +Some architectures do not have data cache coherency between user and +kernel space. For these architectures, the cache needs to be flushed on +both the kernel and user addresses so that user space can see the updates +the kernel has made. + +Instead of using flush_dcache_folio() and playing with virt_to_folio() +within the call to that function, use flush_kernel_vmap_range() which +takes the virtual address and does the work for those architectures that +need it. + +This also fixes a bug where the flush of the reader page only flushed one +page. If the sub-buffer order is 1 or more, where the sub-buffer size +would be greater than a page, it would miss the rest of the sub-buffer +content, as the "reader page" is not just a page, but the size of a +sub-buffer. + +Link: https://lore.kernel.org/all/CAG48ez3w0my4Rwttbc5tEbNsme6tc0mrSN95thjXUFaJ3aQ6SA@mail.gmail.com/ + +Cc: stable@vger.kernel.org +Cc: Linus Torvalds +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Cc: Vincent Donnefort +Cc: Vlastimil Babka +Cc: Mike Rapoport +Link: https://lore.kernel.org/20250402144953.920792197@goodmis.org +Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions"); +Suggested-by: Jann Horn +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -5994,7 +5994,7 @@ static void rb_update_meta_page(struct r + meta->read = cpu_buffer->read; + + /* Some archs do not have data cache coherency between kernel and user-space */ +- flush_dcache_folio(virt_to_folio(cpu_buffer->meta_page)); ++ flush_kernel_vmap_range(cpu_buffer->meta_page, PAGE_SIZE); + } + + static void +@@ -7309,7 +7309,8 @@ consume: + + out: + /* Some archs do not have data cache coherency between kernel and user-space */ +- flush_dcache_folio(virt_to_folio(cpu_buffer->reader_page->page)); ++ flush_kernel_vmap_range(cpu_buffer->reader_page->page, ++ buffer->subbuf_size + BUF_PAGE_HDR_SIZE); + + rb_update_meta_page(cpu_buffer); + diff --git a/queue-6.13/s390-fix-linker-error-when-no-pie-option-is-unavailable.patch b/queue-6.13/s390-fix-linker-error-when-no-pie-option-is-unavailable.patch new file mode 100644 index 0000000000..42f94afb99 --- /dev/null +++ b/queue-6.13/s390-fix-linker-error-when-no-pie-option-is-unavailable.patch @@ -0,0 +1,45 @@ +From 991a20173a1fbafd9fc0df0c7e17bb62d44a4deb Mon Sep 17 00:00:00 2001 +From: Sumanth Korikkar +Date: Tue, 25 Mar 2025 19:02:45 +0100 +Subject: s390: Fix linker error when -no-pie option is unavailable + +From: Sumanth Korikkar + +commit 991a20173a1fbafd9fc0df0c7e17bb62d44a4deb upstream. + +The kernel build may fail if the linker does not support -no-pie option, +as it always included in LDFLAGS_vmlinux. + +Error log: +s390-linux-ld: unable to disambiguate: -no-pie (did you mean --no-pie ?) + +Although the GNU linker defaults to -no-pie, the ability to explicitly +specify this option was introduced in binutils 2.36. + +Hence, fix it by adding -no-pie to LDFLAGS_vmlinux only when it is +available. + +Cc: stable@vger.kernel.org +Fixes: 00cda11d3b2e ("s390: Compile kernel with -fPIC and link with -no-pie") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202503220342.T3fElO9L-lkp@intel.com/ +Suggested-by: Jens Remus +Reviewed-by: Jens Remus +Signed-off-by: Sumanth Korikkar +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/Makefile ++++ b/arch/s390/Makefile +@@ -15,7 +15,7 @@ KBUILD_CFLAGS_MODULE += -fPIC + KBUILD_AFLAGS += -m64 + KBUILD_CFLAGS += -m64 + KBUILD_CFLAGS += -fPIC +-LDFLAGS_vmlinux := -no-pie --emit-relocs --discard-none ++LDFLAGS_vmlinux := $(call ld-option,-no-pie) --emit-relocs --discard-none + extra_tools := relocs + aflags_dwarf := -Wa,-gdwarf-2 + KBUILD_AFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -D__ASSEMBLY__ diff --git a/queue-6.13/s390-pci-fix-zpci_bus_is_isolated_vf-for-non-vfs.patch b/queue-6.13/s390-pci-fix-zpci_bus_is_isolated_vf-for-non-vfs.patch new file mode 100644 index 0000000000..850a9c35ba --- /dev/null +++ b/queue-6.13/s390-pci-fix-zpci_bus_is_isolated_vf-for-non-vfs.patch @@ -0,0 +1,43 @@ +From 8691abd3afaadd816a298503ec1a759df1305d2e Mon Sep 17 00:00:00 2001 +From: Niklas Schnelle +Date: Thu, 20 Mar 2025 17:26:12 +0100 +Subject: s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs + +From: Niklas Schnelle + +commit 8691abd3afaadd816a298503ec1a759df1305d2e upstream. + +For non-VFs, zpci_bus_is_isolated_vf() should return false because they +aren't VFs. While zpci_iov_find_parent_pf() specifically checks if +a function is a VF, it then simply returns that there is no parent. The +simplistic check for a parent then leads to these functions being +confused with isolated VFs and isolating them on their own domain even +if sibling PFs should share the domain. + +Fix this by explicitly checking if a function is not a VF. Note also +that at this point the case where RIDs are ignored is already handled +and in this case all PCI functions get isolated by being detected in +zpci_bus_is_multifunction_root(). + +Cc: stable@vger.kernel.org +Fixes: 2844ddbd540f ("s390/pci: Fix handling of isolated VFs") +Signed-off-by: Niklas Schnelle +Reviewed-by: Halil Pasic +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/pci/pci_bus.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/s390/pci/pci_bus.c ++++ b/arch/s390/pci/pci_bus.c +@@ -335,6 +335,9 @@ static bool zpci_bus_is_isolated_vf(stru + { + struct pci_dev *pdev; + ++ if (!zdev->vfn) ++ return false; ++ + pdev = zpci_iov_find_parent_pf(zbus, zdev); + if (!pdev) + return true; diff --git a/queue-6.13/s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch b/queue-6.13/s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch new file mode 100644 index 0000000000..a9438a5f70 --- /dev/null +++ b/queue-6.13/s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch @@ -0,0 +1,140 @@ +From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 2 Apr 2025 22:36:21 +0200 +Subject: s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues + +From: David Hildenbrand + +commit 2ccd42b959aaf490333dbd3b9b102eaf295c036a upstream. + +If we finds a vq without a name in our input array in +virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer +to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. + +Consequently, we create only a queue if it actually exists (name != NULL) +and assign an incremental queue index to each such existing queue. + +However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we +will not ignore these "non-existing queues", but instead assign an airq +indicator to them. + +Besides never releasing them in virtio_ccw_drop_indicators() (because +there is no virtqueue), the bigger issue seems to be that there will be a +disagreement between the device and the Linux guest about the airq +indicator to be used for notifying a queue, because the indicator bit +for adapter I/O interrupt is derived from the queue index. + +The virtio spec states under "Setting Up Two-Stage Queue Indicators": + + ... indicator contains the guest address of an area wherein the + indicators for the devices are contained, starting at bit_nr, one + bit per virtqueue of the device. + +And further in "Notification via Adapter I/O Interrupts": + + For notifying the driver of virtqueue buffers, the device sets the + bit in the guest-provided indicator area at the corresponding + offset. + +For example, QEMU uses in virtio_ccw_notify() the queue index (passed as +"vector") to select the relevant indicator bit. If a queue does not exist, +it does not have a corresponding indicator bit assigned, because it +effectively doesn't have a queue index. + +Using a virtio-balloon-ccw device under QEMU with free-page-hinting +disabled ("free-page-hint=off") but free-page-reporting enabled +("free-page-reporting=on") will result in free page reporting +not working as expected: in the virtio_balloon driver, we'll be stuck +forever in virtballoon_free_page_report()->wait_event(), because the +waitqueue will not be woken up as the notification from the device is +lost: it would use the wrong indicator bit. + +Free page reporting stops working and we get splats (when configured to +detect hung wqs) like: + + INFO: task kworker/1:3:463 blocked for more than 61 seconds. + Not tainted 6.14.0 #4 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:kworker/1:3 [...] + Workqueue: events page_reporting_process + Call Trace: + [<000002f404e6dfb2>] __schedule+0x402/0x1640 + [<000002f404e6f22e>] schedule+0x3e/0xe0 + [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] + [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 + [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 + [<000002f403fd4b96>] worker_thread+0x296/0x420 + [<000002f403fe10b4>] kthread+0x124/0x290 + [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 + [<000002f404e77272>] ret_from_fork+0xa/0x38 + +There was recently a discussion [1] whether the "holes" should be +treated differently again, effectively assigning also non-existing +queues a queue index: that should also fix the issue, but requires other +workarounds to not break existing setups. + +Let's fix it without affecting existing setups for now by properly ignoring +the non-existing queues, so the indicator bits will match the queue +indexes. + +[1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ + +Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") +Reported-by: Chandra Merla +Cc: stable@vger.kernel.org +Signed-off-by: David Hildenbrand +Tested-by: Thomas Huth +Reviewed-by: Thomas Huth +Reviewed-by: Cornelia Huck +Acked-by: Michael S. Tsirkin +Acked-by: Christian Borntraeger +Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/virtio/virtio_ccw.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/s390/virtio/virtio_ccw.c ++++ b/drivers/s390/virtio/virtio_ccw.c +@@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(i + static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, + u64 *first, void **airq_info) + { +- int i, j; ++ int i, j, queue_idx, highest_queue_idx = -1; + struct airq_info *info; + unsigned long *indicator_addr = NULL; + unsigned long bit, flags; + ++ /* Array entries without an actual queue pointer must be ignored. */ ++ for (i = 0; i < nvqs; i++) { ++ if (vqs[i]) ++ highest_queue_idx++; ++ } ++ + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { + mutex_lock(&airq_areas_lock); + if (!airq_areas[i]) +@@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator + if (!info) + return NULL; + write_lock_irqsave(&info->lock, flags); +- bit = airq_iv_alloc(info->aiv, nvqs); ++ bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); + if (bit == -1UL) { + /* Not enough vacancies. */ + write_unlock_irqrestore(&info->lock, flags); +@@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator + *first = bit; + *airq_info = info; + indicator_addr = info->aiv->vector; +- for (j = 0; j < nvqs; j++) { +- airq_iv_set_ptr(info->aiv, bit + j, ++ for (j = 0, queue_idx = 0; j < nvqs; j++) { ++ if (!vqs[j]) ++ continue; ++ airq_iv_set_ptr(info->aiv, bit + queue_idx++, + (unsigned long)vqs[j]); + } + write_unlock_irqrestore(&info->lock, flags); diff --git a/queue-6.13/sched_ext-create_dsq-return-eexist-on-duplicate-request.patch b/queue-6.13/sched_ext-create_dsq-return-eexist-on-duplicate-request.patch new file mode 100644 index 0000000000..d5bbb3da8f --- /dev/null +++ b/queue-6.13/sched_ext-create_dsq-return-eexist-on-duplicate-request.patch @@ -0,0 +1,45 @@ +From a8897ed8523d4c9d782e282b18005a3779c92714 Mon Sep 17 00:00:00 2001 +From: Jake Hillion +Date: Tue, 25 Mar 2025 22:41:52 +0000 +Subject: sched_ext: create_dsq: Return -EEXIST on duplicate request + +From: Jake Hillion + +commit a8897ed8523d4c9d782e282b18005a3779c92714 upstream. + +create_dsq and therefore the scx_bpf_create_dsq kfunc currently silently +ignore duplicate entries. As a sched_ext scheduler is creating each DSQ +for a different purpose this is surprising behaviour. + +Replace rhashtable_insert_fast which ignores duplicates with +rhashtable_lookup_insert_fast that reports duplicates (though doesn't +return their value). The rest of the code is structured correctly and +this now returns -EEXIST. + +Tested by adding an extra scx_bpf_create_dsq to scx_simple. Previously +this was ignored, now init fails with a -17 code. Also ran scx_lavd +which continued to work well. + +Signed-off-by: Jake Hillion +Acked-by: Andrea Righi +Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class") +Cc: stable@vger.kernel.org # v6.12+ +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -4501,8 +4501,8 @@ static struct scx_dispatch_q *create_dsq + + init_dsq(dsq, dsq_id); + +- ret = rhashtable_insert_fast(&dsq_hash, &dsq->hash_node, +- dsq_hash_params); ++ ret = rhashtable_lookup_insert_fast(&dsq_hash, &dsq->hash_node, ++ dsq_hash_params); + if (ret) { + kfree(dsq); + return ERR_PTR(ret); diff --git a/queue-6.13/selftests-landlock-add-a-new-test-for-setuid.patch b/queue-6.13/selftests-landlock-add-a-new-test-for-setuid.patch new file mode 100644 index 0000000000..ecd124c400 --- /dev/null +++ b/queue-6.13/selftests-landlock-add-a-new-test-for-setuid.patch @@ -0,0 +1,139 @@ +From c5efa393d82cf68812e0ae4d93e339873eabe9fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Tue, 18 Mar 2025 17:14:42 +0100 +Subject: selftests/landlock: Add a new test for setuid() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit c5efa393d82cf68812e0ae4d93e339873eabe9fe upstream. + +The new signal_scoping_thread_setuid tests check that the libc's +setuid() function works as expected even when a thread is sandboxed with +scoped signal restrictions. + +Before the signal scoping fix, this test would have failed with the +setuid() call: + + [pid 65] getpid() = 65 + [pid 65] tgkill(65, 66, SIGRT_1) = -1 EPERM (Operation not permitted) + [pid 65] futex(0x40a66cdc, FUTEX_WAKE_PRIVATE, 1) = 0 + [pid 65] setuid(1001) = 0 + +After the fix, tgkill(2) is successfully leveraged to synchronize +credentials update across threads: + + [pid 65] getpid() = 65 + [pid 65] tgkill(65, 66, SIGRT_1) = 0 + [pid 66] <... read resumed>0x40a65eb7, 1) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) + [pid 66] --- SIGRT_1 {si_signo=SIGRT_1, si_code=SI_TKILL, si_pid=65, si_uid=1000} --- + [pid 66] getpid() = 65 + [pid 66] setuid(1001) = 0 + [pid 66] futex(0x40a66cdc, FUTEX_WAKE_PRIVATE, 1) = 0 + [pid 66] rt_sigreturn({mask=[]}) = 0 + [pid 66] read(3, + [pid 65] setuid(1001) = 0 + +Test coverage for security/landlock is 92.9% of 1137 lines according to +gcc/gcov-14. + +Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads") +Cc: Günther Noack +Cc: Tahera Fahimi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250318161443.279194-8-mic@digikod.net +[mic: Update test coverage] +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/landlock/common.h | 1 + tools/testing/selftests/landlock/scoped_signal_test.c | 59 ++++++++++++++++++ + 2 files changed, 60 insertions(+) + +--- a/tools/testing/selftests/landlock/common.h ++++ b/tools/testing/selftests/landlock/common.h +@@ -68,6 +68,7 @@ static void _init_caps(struct __test_met + CAP_MKNOD, + CAP_NET_ADMIN, + CAP_NET_BIND_SERVICE, ++ CAP_SETUID, + CAP_SYS_ADMIN, + CAP_SYS_CHROOT, + /* clang-format on */ +--- a/tools/testing/selftests/landlock/scoped_signal_test.c ++++ b/tools/testing/selftests/landlock/scoped_signal_test.c +@@ -253,6 +253,7 @@ enum thread_return { + THREAD_INVALID = 0, + THREAD_SUCCESS = 1, + THREAD_ERROR = 2, ++ THREAD_TEST_FAILED = 3, + }; + + static void *thread_sync(void *arg) +@@ -316,6 +317,64 @@ TEST(signal_scoping_thread_after) + EXPECT_EQ(0, close(thread_pipe[1])); + } + ++struct thread_setuid_args { ++ int pipe_read, new_uid; ++}; ++ ++void *thread_setuid(void *ptr) ++{ ++ const struct thread_setuid_args *arg = ptr; ++ char buf; ++ ++ if (read(arg->pipe_read, &buf, 1) != 1) ++ return (void *)THREAD_ERROR; ++ ++ /* libc's setuid() should update all thread's credentials. */ ++ if (getuid() != arg->new_uid) ++ return (void *)THREAD_TEST_FAILED; ++ ++ return (void *)THREAD_SUCCESS; ++} ++ ++TEST(signal_scoping_thread_setuid) ++{ ++ struct thread_setuid_args arg; ++ pthread_t no_sandbox_thread; ++ enum thread_return ret = THREAD_INVALID; ++ int pipe_parent[2]; ++ int prev_uid; ++ ++ disable_caps(_metadata); ++ ++ /* This test does not need to be run as root. */ ++ prev_uid = getuid(); ++ arg.new_uid = prev_uid + 1; ++ EXPECT_LT(0, arg.new_uid); ++ ++ ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); ++ arg.pipe_read = pipe_parent[0]; ++ ++ /* Capabilities must be set before creating a new thread. */ ++ set_cap(_metadata, CAP_SETUID); ++ ASSERT_EQ(0, pthread_create(&no_sandbox_thread, NULL, thread_setuid, ++ &arg)); ++ ++ /* Enforces restriction after creating the thread. */ ++ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); ++ ++ EXPECT_NE(arg.new_uid, getuid()); ++ EXPECT_EQ(0, setuid(arg.new_uid)); ++ EXPECT_EQ(arg.new_uid, getuid()); ++ EXPECT_EQ(1, write(pipe_parent[1], ".", 1)); ++ ++ EXPECT_EQ(0, pthread_join(no_sandbox_thread, (void **)&ret)); ++ EXPECT_EQ(THREAD_SUCCESS, ret); ++ ++ clear_cap(_metadata, CAP_SETUID); ++ EXPECT_EQ(0, close(pipe_parent[0])); ++ EXPECT_EQ(0, close(pipe_parent[1])); ++} ++ + const short backlog = 10; + + static volatile sig_atomic_t signal_received; diff --git a/queue-6.13/selftests-landlock-split-signal_scoping_threads-tests.patch b/queue-6.13/selftests-landlock-split-signal_scoping_threads-tests.patch new file mode 100644 index 0000000000..ca7f09272a --- /dev/null +++ b/queue-6.13/selftests-landlock-split-signal_scoping_threads-tests.patch @@ -0,0 +1,113 @@ +From bbe72274035a83159c8fff7d553b4a0b3c473690 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Tue, 18 Mar 2025 17:14:41 +0100 +Subject: selftests/landlock: Split signal_scoping_threads tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit bbe72274035a83159c8fff7d553b4a0b3c473690 upstream. + +Split signal_scoping_threads tests into signal_scoping_thread_before +and signal_scoping_thread_after. + +Use local variables for thread synchronization. Fix exported function. +Replace some asserts with expects. + +Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads") +Cc: Günther Noack +Cc: Tahera Fahimi +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250318161443.279194-7-mic@digikod.net +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/landlock/scoped_signal_test.c | 49 ++++++++++++------ + 1 file changed, 34 insertions(+), 15 deletions(-) + +--- a/tools/testing/selftests/landlock/scoped_signal_test.c ++++ b/tools/testing/selftests/landlock/scoped_signal_test.c +@@ -249,47 +249,66 @@ TEST_F(scoped_domains, check_access_sign + _metadata->exit_code = KSFT_FAIL; + } + +-static int thread_pipe[2]; +- + enum thread_return { + THREAD_INVALID = 0, + THREAD_SUCCESS = 1, + THREAD_ERROR = 2, + }; + +-void *thread_func(void *arg) ++static void *thread_sync(void *arg) + { ++ const int pipe_read = *(int *)arg; + char buf; + +- if (read(thread_pipe[0], &buf, 1) != 1) ++ if (read(pipe_read, &buf, 1) != 1) + return (void *)THREAD_ERROR; + + return (void *)THREAD_SUCCESS; + } + +-TEST(signal_scoping_threads) ++TEST(signal_scoping_thread_before) + { +- pthread_t no_sandbox_thread, scoped_thread; ++ pthread_t no_sandbox_thread; + enum thread_return ret = THREAD_INVALID; ++ int thread_pipe[2]; + + drop_caps(_metadata); + ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC)); + +- ASSERT_EQ(0, +- pthread_create(&no_sandbox_thread, NULL, thread_func, NULL)); ++ ASSERT_EQ(0, pthread_create(&no_sandbox_thread, NULL, thread_sync, ++ &thread_pipe[0])); + +- /* Restricts the domain after creating the first thread. */ ++ /* Enforces restriction after creating the thread. */ + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + +- ASSERT_EQ(0, pthread_kill(no_sandbox_thread, 0)); +- ASSERT_EQ(1, write(thread_pipe[1], ".", 1)); +- +- ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_func, NULL)); +- ASSERT_EQ(0, pthread_kill(scoped_thread, 0)); +- ASSERT_EQ(1, write(thread_pipe[1], ".", 1)); ++ EXPECT_EQ(0, pthread_kill(no_sandbox_thread, 0)); ++ EXPECT_EQ(1, write(thread_pipe[1], ".", 1)); + + EXPECT_EQ(0, pthread_join(no_sandbox_thread, (void **)&ret)); + EXPECT_EQ(THREAD_SUCCESS, ret); ++ ++ EXPECT_EQ(0, close(thread_pipe[0])); ++ EXPECT_EQ(0, close(thread_pipe[1])); ++} ++ ++TEST(signal_scoping_thread_after) ++{ ++ pthread_t scoped_thread; ++ enum thread_return ret = THREAD_INVALID; ++ int thread_pipe[2]; ++ ++ drop_caps(_metadata); ++ ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC)); ++ ++ /* Enforces restriction before creating the thread. */ ++ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); ++ ++ ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_sync, ++ &thread_pipe[0])); ++ ++ EXPECT_EQ(0, pthread_kill(scoped_thread, 0)); ++ EXPECT_EQ(1, write(thread_pipe[1], ".", 1)); ++ + EXPECT_EQ(0, pthread_join(scoped_thread, (void **)&ret)); + EXPECT_EQ(THREAD_SUCCESS, ret); + diff --git a/queue-6.13/selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch b/queue-6.13/selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch new file mode 100644 index 0000000000..95f2730091 --- /dev/null +++ b/queue-6.13/selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch @@ -0,0 +1,49 @@ +From c183165f87a486d5879f782c05a23c179c3794ab Mon Sep 17 00:00:00 2001 +From: Geliang Tang +Date: Fri, 28 Mar 2025 15:27:18 +0100 +Subject: selftests: mptcp: close fd_in before returning in main_loop + +From: Geliang Tang + +commit c183165f87a486d5879f782c05a23c179c3794ab upstream. + +The file descriptor 'fd_in' is opened when cfg_input is configured, but +not closed in main_loop(), this patch fixes it. + +Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") +Cc: stable@vger.kernel.org +Co-developed-by: Cong Liu +Signed-off-by: Cong Liu +Signed-off-by: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-3-34161a482a7f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c +@@ -1299,7 +1299,7 @@ again: + + ret = copyfd_io(fd_in, fd, 1, 0, &winfo); + if (ret) +- return ret; ++ goto out; + + if (cfg_truncate > 0) { + shutdown(fd, SHUT_WR); +@@ -1320,7 +1320,10 @@ again: + close(fd); + } + +- return 0; ++out: ++ if (cfg_input) ++ close(fd_in); ++ return ret; + } + + int parse_proto(const char *proto) diff --git a/queue-6.13/selftests-mptcp-fix-incorrect-fd-checks-in-main_loop.patch b/queue-6.13/selftests-mptcp-fix-incorrect-fd-checks-in-main_loop.patch new file mode 100644 index 0000000000..643c3bfd58 --- /dev/null +++ b/queue-6.13/selftests-mptcp-fix-incorrect-fd-checks-in-main_loop.patch @@ -0,0 +1,48 @@ +From 7335d4ac812917c16e04958775826d12d481c92d Mon Sep 17 00:00:00 2001 +From: Cong Liu +Date: Fri, 28 Mar 2025 15:27:17 +0100 +Subject: selftests: mptcp: fix incorrect fd checks in main_loop + +From: Cong Liu + +commit 7335d4ac812917c16e04958775826d12d481c92d upstream. + +Fix a bug where the code was checking the wrong file descriptors +when opening the input files. The code was checking 'fd' instead +of 'fd_in', which could lead to incorrect error handling. + +Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") +Cc: stable@vger.kernel.org +Fixes: ca7ae8916043 ("selftests: mptcp: mptfo Initiator/Listener") +Co-developed-by: Geliang Tang +Signed-off-by: Geliang Tang +Signed-off-by: Cong Liu +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-2-34161a482a7f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_connect.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c +@@ -1270,7 +1270,7 @@ int main_loop(void) + + if (cfg_input && cfg_sockopt_types.mptfo) { + fd_in = open(cfg_input, O_RDONLY); +- if (fd < 0) ++ if (fd_in < 0) + xerror("can't open %s:%d", cfg_input, errno); + } + +@@ -1293,7 +1293,7 @@ again: + + if (cfg_input && !cfg_sockopt_types.mptfo) { + fd_in = open(cfg_input, O_RDONLY); +- if (fd < 0) ++ if (fd_in < 0) + xerror("can't open %s:%d", cfg_input, errno); + } + diff --git a/queue-6.13/series b/queue-6.13/series index 86d60d4399..cc388c0ed6 100644 --- a/queue-6.13/series +++ b/queue-6.13/series @@ -366,3 +366,38 @@ kvm-ppc-enable-cap_spapr_tce_vfio-on-pseries-kvm-guests.patch kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch +landlock-move-code-to-ease-future-backports.patch +landlock-add-the-errata-interface.patch +landlock-add-erratum-for-tcp-fix.patch +landlock-always-allow-signals-between-threads-of-the-same-process.patch +landlock-prepare-to-add-second-errata.patch +selftests-landlock-split-signal_scoping_threads-tests.patch +selftests-landlock-add-a-new-test-for-setuid.patch +misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch +net-mana-switch-to-page-pool-for-jumbo-frames.patch +ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch +of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch +of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch +of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch +of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch +of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch +pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch +pci-j721e-fix-the-value-of-.linkdown_irq_regfield-for-j784s4.patch +pci-pciehp-avoid-unnecessary-device-replacement-check.patch +pci-fix-reference-leak-in-pci_alloc_child_bus.patch +pci-fix-reference-leak-in-pci_register_host_bridge.patch +pci-fix-wrong-length-of-devres-array.patch +phy-freescale-imx8m-pcie-assert-phy-reset-and-perst-in-power-off.patch +pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch +pinctrl-samsung-add-support-for-eint_fltcon_offset.patch +ring-buffer-use-flush_kernel_vmap_range-over-flush_dcache_folio.patch +s390-pci-fix-zpci_bus_is_isolated_vf-for-non-vfs.patch +s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch +s390-fix-linker-error-when-no-pie-option-is-unavailable.patch +sched_ext-create_dsq-return-eexist-on-duplicate-request.patch +selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch +selftests-mptcp-fix-incorrect-fd-checks-in-main_loop.patch +spi-fsl-qspi-use-devm-function-instead-of-driver-remove.patch +spi-fsl-qspi-fix-double-cleanup-in-probe-error-path.patch +thermal-drivers-mediatek-lvts-disable-monitor-mode-during-suspend.patch +thermal-drivers-mediatek-lvts-disable-stage-3-thermal-threshold.patch diff --git a/queue-6.13/spi-fsl-qspi-fix-double-cleanup-in-probe-error-path.patch b/queue-6.13/spi-fsl-qspi-fix-double-cleanup-in-probe-error-path.patch new file mode 100644 index 0000000000..911764484b --- /dev/null +++ b/queue-6.13/spi-fsl-qspi-fix-double-cleanup-in-probe-error-path.patch @@ -0,0 +1,56 @@ +From 5d07ab2a7fa1305e429d9221716582f290b58078 Mon Sep 17 00:00:00 2001 +From: Kevin Hao +Date: Thu, 10 Apr 2025 14:56:09 +0800 +Subject: spi: fsl-qspi: Fix double cleanup in probe error path + +From: Kevin Hao + +commit 5d07ab2a7fa1305e429d9221716582f290b58078 upstream. + +Commit 40369bfe717e ("spi: fsl-qspi: use devm function instead of driver +remove") introduced managed cleanup via fsl_qspi_cleanup(), but +incorrectly retain manual cleanup in two scenarios: + +- On devm_add_action_or_reset() failure, the function automatically call + fsl_qspi_cleanup(). However, the current code still jumps to + err_destroy_mutex, repeating cleanup. + +- After the fsl_qspi_cleanup() action is added successfully, there is no + need to manually perform the cleanup in the subsequent error path. + However, the current code still jumps to err_destroy_mutex on spi + controller failure, repeating cleanup. + +Skip redundant manual cleanup calls to fix these issues. + +Cc: stable@vger.kernel.org +Fixes: 40369bfe717e ("spi: fsl-qspi: use devm function instead of driver remove") +Signed-off-by: Kevin Hao +Link: https://patch.msgid.link/20250410-spi-v1-1-56e867cc19cf@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-fsl-qspi.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/spi/spi-fsl-qspi.c ++++ b/drivers/spi/spi-fsl-qspi.c +@@ -943,17 +943,14 @@ static int fsl_qspi_probe(struct platfor + + ret = devm_add_action_or_reset(dev, fsl_qspi_cleanup, q); + if (ret) +- goto err_destroy_mutex; ++ goto err_put_ctrl; + + ret = devm_spi_register_controller(dev, ctlr); + if (ret) +- goto err_destroy_mutex; ++ goto err_put_ctrl; + + return 0; + +-err_destroy_mutex: +- mutex_destroy(&q->lock); +- + err_disable_clk: + fsl_qspi_clk_disable_unprep(q); + diff --git a/queue-6.13/spi-fsl-qspi-use-devm-function-instead-of-driver-remove.patch b/queue-6.13/spi-fsl-qspi-use-devm-function-instead-of-driver-remove.patch new file mode 100644 index 0000000000..3f6263cd46 --- /dev/null +++ b/queue-6.13/spi-fsl-qspi-use-devm-function-instead-of-driver-remove.patch @@ -0,0 +1,91 @@ +From 40369bfe717e96e26650eeecfa5a6363563df6e4 Mon Sep 17 00:00:00 2001 +From: Han Xu +Date: Wed, 26 Mar 2025 17:41:51 -0500 +Subject: spi: fsl-qspi: use devm function instead of driver remove + +From: Han Xu + +commit 40369bfe717e96e26650eeecfa5a6363563df6e4 upstream. + +Driver use devm APIs to manage clk/irq/resources and register the spi +controller, but the legacy remove function will be called first during +device detach and trigger kernel panic. Drop the remove function and use +devm_add_action_or_reset() for driver cleanup to ensure the release +sequence. + +Trigger kernel panic on i.MX8MQ by +echo 30bb0000.spi >/sys/bus/platform/drivers/fsl-quadspi/unbind + +Cc: stable@vger.kernel.org +Fixes: 8fcb830a00f0 ("spi: spi-fsl-qspi: use devm_spi_register_controller") +Reported-by: Kevin Hao +Signed-off-by: Han Xu +Reviewed-by: Frank Li +Link: https://patch.msgid.link/20250326224152.2147099-1-han.xu@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-fsl-qspi.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +--- a/drivers/spi/spi-fsl-qspi.c ++++ b/drivers/spi/spi-fsl-qspi.c +@@ -839,6 +839,19 @@ static const struct spi_controller_mem_o + .get_name = fsl_qspi_get_name, + }; + ++static void fsl_qspi_cleanup(void *data) ++{ ++ struct fsl_qspi *q = data; ++ ++ /* disable the hardware */ ++ qspi_writel(q, QUADSPI_MCR_MDIS_MASK, q->iobase + QUADSPI_MCR); ++ qspi_writel(q, 0x0, q->iobase + QUADSPI_RSER); ++ ++ fsl_qspi_clk_disable_unprep(q); ++ ++ mutex_destroy(&q->lock); ++} ++ + static int fsl_qspi_probe(struct platform_device *pdev) + { + struct spi_controller *ctlr; +@@ -928,6 +941,10 @@ static int fsl_qspi_probe(struct platfor + + ctlr->dev.of_node = np; + ++ ret = devm_add_action_or_reset(dev, fsl_qspi_cleanup, q); ++ if (ret) ++ goto err_destroy_mutex; ++ + ret = devm_spi_register_controller(dev, ctlr); + if (ret) + goto err_destroy_mutex; +@@ -947,19 +964,6 @@ err_put_ctrl: + return ret; + } + +-static void fsl_qspi_remove(struct platform_device *pdev) +-{ +- struct fsl_qspi *q = platform_get_drvdata(pdev); +- +- /* disable the hardware */ +- qspi_writel(q, QUADSPI_MCR_MDIS_MASK, q->iobase + QUADSPI_MCR); +- qspi_writel(q, 0x0, q->iobase + QUADSPI_RSER); +- +- fsl_qspi_clk_disable_unprep(q); +- +- mutex_destroy(&q->lock); +-} +- + static int fsl_qspi_suspend(struct device *dev) + { + return 0; +@@ -997,7 +1001,6 @@ static struct platform_driver fsl_qspi_d + .pm = &fsl_qspi_pm_ops, + }, + .probe = fsl_qspi_probe, +- .remove = fsl_qspi_remove, + }; + module_platform_driver(fsl_qspi_driver); + diff --git a/queue-6.13/thermal-drivers-mediatek-lvts-disable-monitor-mode-during-suspend.patch b/queue-6.13/thermal-drivers-mediatek-lvts-disable-monitor-mode-during-suspend.patch new file mode 100644 index 0000000000..bef6aa0e1e --- /dev/null +++ b/queue-6.13/thermal-drivers-mediatek-lvts-disable-monitor-mode-during-suspend.patch @@ -0,0 +1,100 @@ +From 65594b3745024857f812145a58db3601d733676c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?= + +Date: Mon, 13 Jan 2025 10:27:12 -0300 +Subject: thermal/drivers/mediatek/lvts: Disable monitor mode during suspend +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +commit 65594b3745024857f812145a58db3601d733676c upstream. + +When configured in filtered mode, the LVTS thermal controller will +monitor the temperature from the sensors and trigger an interrupt once a +thermal threshold is crossed. + +Currently this is true even during suspend and resume. The problem with +that is that when enabling the internal clock of the LVTS controller in +lvts_ctrl_set_enable() during resume, the temperature reading can glitch +and appear much higher than the real one, resulting in a spurious +interrupt getting generated. + +Disable the temperature monitoring and give some time for the signals to +stabilize during suspend in order to prevent such spurious interrupts. + +Cc: stable@vger.kernel.org +Reported-by: Hsin-Te Yuan +Closes: https://lore.kernel.org/all/20241108-lvts-v1-1-eee339c6ca20@chromium.org/ +Fixes: 8137bb90600d ("thermal/drivers/mediatek/lvts_thermal: Add suspend and resume") +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20250113-mt8192-lvts-filtered-suspend-fix-v2-1-07a25200c7c6@collabora.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/mediatek/lvts_thermal.c | 36 ++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +--- a/drivers/thermal/mediatek/lvts_thermal.c ++++ b/drivers/thermal/mediatek/lvts_thermal.c +@@ -860,6 +860,32 @@ static int lvts_ctrl_init(struct device + return 0; + } + ++static void lvts_ctrl_monitor_enable(struct device *dev, struct lvts_ctrl *lvts_ctrl, bool enable) ++{ ++ /* ++ * Bitmaps to enable each sensor on filtered mode in the MONCTL0 ++ * register. ++ */ ++ static const u8 sensor_filt_bitmap[] = { BIT(0), BIT(1), BIT(2), BIT(3) }; ++ u32 sensor_map = 0; ++ int i; ++ ++ if (lvts_ctrl->mode != LVTS_MSR_FILTERED_MODE) ++ return; ++ ++ if (enable) { ++ lvts_for_each_valid_sensor(i, lvts_ctrl) ++ sensor_map |= sensor_filt_bitmap[i]; ++ } ++ ++ /* ++ * Bits: ++ * 9: Single point access flow ++ * 0-3: Enable sensing point 0-3 ++ */ ++ writel(sensor_map | BIT(9), LVTS_MONCTL0(lvts_ctrl->base)); ++} ++ + /* + * At this point the configuration register is the only place in the + * driver where we write multiple values. Per hardware constraint, +@@ -1381,8 +1407,11 @@ static int lvts_suspend(struct device *d + + lvts_td = dev_get_drvdata(dev); + +- for (i = 0; i < lvts_td->num_lvts_ctrl; i++) ++ for (i = 0; i < lvts_td->num_lvts_ctrl; i++) { ++ lvts_ctrl_monitor_enable(dev, &lvts_td->lvts_ctrl[i], false); ++ usleep_range(100, 200); + lvts_ctrl_set_enable(&lvts_td->lvts_ctrl[i], false); ++ } + + clk_disable_unprepare(lvts_td->clk); + +@@ -1400,8 +1429,11 @@ static int lvts_resume(struct device *de + if (ret) + return ret; + +- for (i = 0; i < lvts_td->num_lvts_ctrl; i++) ++ for (i = 0; i < lvts_td->num_lvts_ctrl; i++) { + lvts_ctrl_set_enable(&lvts_td->lvts_ctrl[i], true); ++ usleep_range(100, 200); ++ lvts_ctrl_monitor_enable(dev, &lvts_td->lvts_ctrl[i], true); ++ } + + return 0; + } diff --git a/queue-6.13/thermal-drivers-mediatek-lvts-disable-stage-3-thermal-threshold.patch b/queue-6.13/thermal-drivers-mediatek-lvts-disable-stage-3-thermal-threshold.patch new file mode 100644 index 0000000000..ac63b71233 --- /dev/null +++ b/queue-6.13/thermal-drivers-mediatek-lvts-disable-stage-3-thermal-threshold.patch @@ -0,0 +1,105 @@ +From c612cbcdf603aefb3358b2e3964dcd5aa3f827a0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?= + +Date: Mon, 13 Jan 2025 10:27:13 -0300 +Subject: thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +commit c612cbcdf603aefb3358b2e3964dcd5aa3f827a0 upstream. + +The Stage 3 thermal threshold is currently configured during +the controller initialization to 105 Celsius. From the kernel +perspective, this configuration is harmful because: +* The stage 3 interrupt that gets triggered when the threshold is + crossed is not handled in any way by the IRQ handler, it just gets + cleared. Besides, the temperature used for stage 3 comes from the + sensors, and the critical thermal trip points described in the + Devicetree will already cause a shutdown when crossed (at a lower + temperature, of 100 Celsius, for all SoCs currently using this + driver). +* The only effect of crossing the stage 3 threshold that has been + observed is that it causes the machine to no longer be able to enter + suspend. Even if that was a result of a momentary glitch in the + temperature reading of a sensor (as has been observed on the + MT8192-based Chromebooks). + +For those reasons, disable the Stage 3 thermal threshold configuration. + +Cc: stable@vger.kernel.org +Reported-by: Hsin-Te Yuan +Closes: https://lore.kernel.org/all/20241108-lvts-v1-1-eee339c6ca20@chromium.org/ +Fixes: f5f633b18234 ("thermal/drivers/mediatek: Add the Low Voltage Thermal Sensor driver") +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20250113-mt8192-lvts-filtered-suspend-fix-v2-2-07a25200c7c6@collabora.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/mediatek/lvts_thermal.c | 16 ++-------------- + 1 file changed, 2 insertions(+), 14 deletions(-) + +--- a/drivers/thermal/mediatek/lvts_thermal.c ++++ b/drivers/thermal/mediatek/lvts_thermal.c +@@ -65,7 +65,7 @@ + #define LVTS_HW_FILTER 0x0 + #define LVTS_TSSEL_CONF 0x13121110 + #define LVTS_CALSCALE_CONF 0x300 +-#define LVTS_MONINT_CONF 0x8300318C ++#define LVTS_MONINT_CONF 0x0300318C + + #define LVTS_MONINT_OFFSET_SENSOR0 0xC + #define LVTS_MONINT_OFFSET_SENSOR1 0x180 +@@ -91,8 +91,6 @@ + #define LVTS_MSR_READ_TIMEOUT_US 400 + #define LVTS_MSR_READ_WAIT_US (LVTS_MSR_READ_TIMEOUT_US / 2) + +-#define LVTS_HW_TSHUT_TEMP 105000 +- + #define LVTS_MINIMUM_THRESHOLD 20000 + + static int golden_temp = LVTS_GOLDEN_TEMP_DEFAULT; +@@ -145,7 +143,6 @@ struct lvts_ctrl { + struct lvts_sensor sensors[LVTS_SENSOR_MAX]; + const struct lvts_data *lvts_data; + u32 calibration[LVTS_SENSOR_MAX]; +- u32 hw_tshut_raw_temp; + u8 valid_sensor_mask; + int mode; + void __iomem *base; +@@ -837,14 +834,6 @@ static int lvts_ctrl_init(struct device + */ + lvts_ctrl[i].mode = lvts_data->lvts_ctrl[i].mode; + +- /* +- * The temperature to raw temperature must be done +- * after initializing the calibration. +- */ +- lvts_ctrl[i].hw_tshut_raw_temp = +- lvts_temp_to_raw(LVTS_HW_TSHUT_TEMP, +- lvts_data->temp_factor); +- + lvts_ctrl[i].low_thresh = INT_MIN; + lvts_ctrl[i].high_thresh = INT_MIN; + } +@@ -919,7 +908,6 @@ static int lvts_irq_init(struct lvts_ctr + * 10 : Selected sensor with bits 19-18 + * 11 : Reserved + */ +- writel(BIT(16), LVTS_PROTCTL(lvts_ctrl->base)); + + /* + * LVTS_PROTTA : Stage 1 temperature threshold +@@ -932,8 +920,8 @@ static int lvts_irq_init(struct lvts_ctr + * + * writel(0x0, LVTS_PROTTA(lvts_ctrl->base)); + * writel(0x0, LVTS_PROTTB(lvts_ctrl->base)); ++ * writel(0x0, LVTS_PROTTC(lvts_ctrl->base)); + */ +- writel(lvts_ctrl->hw_tshut_raw_temp, LVTS_PROTTC(lvts_ctrl->base)); + + /* + * LVTS_MONINT : Interrupt configuration register