From: Greg Kroah-Hartman
Date: Tue, 12 Aug 2025 16:24:27 +0000 (+0200)
Subject: 6.16-stable patches
X-Git-Tag: v6.1.148~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6e3086313f68ce0eed38351ed4167614de4f55de;p=thirdparty%2Fkernel%2Fstable-queue.git

6.16-stable patches

added patches:
    alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch
    alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch
    alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch
    alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch
    alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
    hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch
    hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch
    hid-core-harden-s32ton-against-conversion-to-0-bits.patch
    hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch
    kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch
    kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch
    kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch
    kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch
    kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch
    media-ti-j721e-csi2rx-fix-list_del-corruption.patch
    mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
    mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
    mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch
    mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch
    mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch
    mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch
    perf-arm-ni-set-initial-irq-affinity.patch
    platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch
    s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch
    usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch
    usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
    usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch
    x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
    x86-sev-evict-cache-lines-during-snp-memory-validation.patch
    zloop-fix-kasan-use-after-free-of-tag-set.patch
---
diff --git a/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch b/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch new file mode 100644 index 0000000000..f54d517ee0 --- /dev/null +++ b/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch
@@ -0,0 +1,34 @@ +From a9dec0963187d05725369156a5e0e14cd3487bfb Mon Sep 17 00:00:00 2001 +From: Edip Hazuri +Date: Tue, 29 Jul 2025 21:18:50 +0300 +Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-d1xxx (MB 8A26) + +From: Edip Hazuri + +commit a9dec0963187d05725369156a5e0e14cd3487bfb upstream. + +My friend have Victus 16-d1xxx with board ID 8A26, the existing quirk +for Victus 16-d1xxx wasn't working because of different board ID + +Tested on Victus 16-d1015nt Laptop. The LED behaviour works +as intended. + +Cc: +Signed-off-by: Edip Hazuri +Link: https://patch.msgid.link/20250729181848.24432-4-edip@medip.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10764,6 +10764,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x103c, 0x8a0f, "HP Pavilion 14-ec1xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8a20, "HP Laptop 15s-fq5xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x8a25, "HP Victus 16-d1xxx (MB 8A25)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), ++ SND_PCI_QUIRK(0x103c, 0x8a26, "HP Victus 16-d1xxx (MB 8A26)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8a28, "HP Envy 13", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8a29, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8a2a, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2), diff --git a/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch b/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch new file mode 100644 index 0000000000..21bf3b7893 --- /dev/null +++ b/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch 
@@ -0,0 +1,34 @@ +From bd7814a4c0fd883894bdf9fe5eda24c9df826e4c Mon Sep 17 00:00:00 2001 +From: Edip Hazuri +Date: Fri, 25 Jul 2025 18:14:37 +0300 +Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx + +From: Edip Hazuri + +commit bd7814a4c0fd883894bdf9fe5eda24c9df826e4c upstream. + +The mute led on this laptop is using ALC245 but requires a quirk to work +This patch enables the existing quirk for the device. + +Tested on Victus 16-r1xxx Laptop. The LED behaviour works +as intended. + +Cc: +Signed-off-by: Edip Hazuri +Link: https://patch.msgid.link/20250725151436.51543-2-edip@medip.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10874,6 +10874,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x103c, 0x8c91, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8c97, "HP ZBook", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), ++ SND_PCI_QUIRK(0x103c, 0x8c99, "HP Victus 16-r1xxx (MB 8C99)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8c9c, "HP Victus 16-s1xxx (MB 8C9C)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8ca1, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch b/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch new file mode 100644 index 0000000000..ef52d72827 --- /dev/null +++ b/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch 
@@ -0,0 +1,34 @@ +From 956048a3cd9d2575032e2c7ca62803677357ae18 Mon Sep 17 00:00:00 2001 +From: Edip Hazuri +Date: Tue, 29 Jul 2025 21:18:48 +0300 +Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx + +From: Edip Hazuri + +commit 956048a3cd9d2575032e2c7ca62803677357ae18 upstream. + +The mute led on this laptop is using ALC245 but requires a quirk to work +This patch enables the existing quirk for the device. + +Tested on Victus 16-S0063NT Laptop. The LED behaviour works +as intended. + +Cc: +Signed-off-by: Edip Hazuri +Link: https://patch.msgid.link/20250729181848.24432-2-edip@medip.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -10822,6 +10822,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x103c, 0x8bbe, "HP Victus 16-r0xxx (MB 8BBE)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8bc8, "HP Victus 15-fa1xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8bcd, "HP Omen 16-xd0xxx", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT), ++ SND_PCI_QUIRK(0x103c, 0x8bd4, "HP Victus 16-s0xxx (MB 8BD4)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8bdd, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8bde, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8bdf, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2), diff --git a/queue-6.16/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch b/queue-6.16/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch new file mode 100644 index 0000000000..3ac47f8943 --- /dev/null +++ b/queue-6.16/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch 
@@ -0,0 +1,38 @@ +From 8cbe564974248ee980562be02f2b1912769562c7 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Wed, 6 Aug 2025 01:41:53 +0200 +Subject: ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() + +From: Thorsten Blum + +commit 8cbe564974248ee980562be02f2b1912769562c7 upstream. + +In __hdmi_lpe_audio_probe(), strscpy() is incorrectly called with the +length of the source string (excluding the NUL terminator) rather than +the size of the destination buffer. This results in one character less +being copied from 'card->shortname' to 'pcm->name'. + +Use the destination buffer size instead to ensure the card name is +copied correctly. + +Cc: stable@vger.kernel.org +Fixes: 75b1a8f9d62e ("ALSA: Convert strlcpy to strscpy when return value is unused") +Signed-off-by: Thorsten Blum +Link: https://patch.msgid.link/20250805234156.60294-1-thorsten.blum@linux.dev +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/x86/intel_hdmi_audio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/x86/intel_hdmi_audio.c ++++ b/sound/x86/intel_hdmi_audio.c +@@ -1768,7 +1768,7 @@ static int __hdmi_lpe_audio_probe(struct + /* setup private data which can be retrieved when required */ + pcm->private_data = ctx; + pcm->info_flags = 0; +- strscpy(pcm->name, card->shortname, strlen(card->shortname)); ++ strscpy(pcm->name, card->shortname, sizeof(pcm->name)); + /* setup the ops for playback */ + snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &had_pcm_ops); + diff --git a/queue-6.16/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch b/queue-6.16/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch new file mode 100644 index 0000000000..db64e1d90c --- /dev/null +++ b/queue-6.16/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch 
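Review bot: the corrected call `+ strscpy(pcm->name, card->shortname, sizeof(pcm->name));` is only right if `pcm->name` is a fixed-size char array in the struct rather than a pointer, since sizeof on a pointer would pass the pointer width as the buffer size; please confirm that, and grep the driver for other strscpy() calls that pass strlen(src) as the size, because with strscpy that mistake silently drops the last character of every name while still looking like a safe copy. Ignoring the return value is consistent with the premise of the Fixes commit ("when return value is unused"), so a shortname longer than the destination is truncated without any report, which is acceptable for an informational string but should be kept in mind if the name is ever used as an identifier.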
@@ -0,0 +1,59 @@ +From 8a15ca0ca51399b652b1bbb23b590b220cf03d62 Mon Sep 17 00:00:00 2001 +From: "Geoffrey D. Bennett" +Date: Mon, 28 Jul 2025 19:00:35 +0930 +Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() + +From: Geoffrey D. Bennett + +commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 upstream. + +During communication with Focusrite Scarlett Gen 2/3/4 USB audio +interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(), +snd_usb_ctl_msg() which can cause initialisation and control +operations to fail intermittently. + +This patch adds up to 5 retries in scarlett2_usb(), with a delay +starting at 5ms and doubling each time. This follows the same approach +as the fix for usb_set_interface() in endpoint.c (commit f406005e162b +("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")), +which resolved similar -EPROTO issues during device initialisation, +and is the same approach as in fcp.c:fcp_usb(). + +Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") +Closes: https://github.com/geoffreybennett/linux-fcp/issues/41 +Cc: stable@vger.kernel.org +Signed-off-by: Geoffrey D. 
Bennett +Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_scarlett2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/usb/mixer_scarlett2.c ++++ b/sound/usb/mixer_scarlett2.c +@@ -2351,6 +2351,8 @@ static int scarlett2_usb( + struct scarlett2_usb_packet *req, *resp = NULL; + size_t req_buf_size = struct_size(req, data, req_size); + size_t resp_buf_size = struct_size(resp, data, resp_size); ++ int retries = 0; ++ const int max_retries = 5; + int err; + + req = kmalloc(req_buf_size, GFP_KERNEL); +@@ -2374,10 +2376,15 @@ static int scarlett2_usb( + if (req_size) + memcpy(req->data, req_data, req_size); + ++retry: + err = scarlett2_usb_tx(dev, private->bInterfaceNumber, + req, req_buf_size); + + if (err != req_buf_size) { ++ if (err == -EPROTO && ++retries <= max_retries) { ++ msleep(5 * (1 << (retries - 1))); ++ goto retry; ++ } + usb_audio_err( + mixer->chip, + "%s USB request result cmd %x was %d\n", diff --git a/queue-6.16/hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch b/queue-6.16/hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch new file mode 100644 index 0000000000..af61bbd466 --- /dev/null +++ b/queue-6.16/hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch 
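Review bot: the retry branch at `++ if (err == -EPROTO && ++retries <= max_retries) {` is silent; a usb_audio_dbg() on each retry, or folding the retry count into the existing usb_audio_err message that follows, would let bug reports show how often the bus glitches before a hard failure, which is what distinguishes a flaky cable from a firmware problem. The back-off `++ msleep(5 * (1 << (retries - 1)));` yields 5, 10, 20, 40 and 80 ms, so the worst case adds about 155 ms across five re-sends of the same already-built `req` before the error path is taken, and only -EPROTO is retried, matching the commit message; -ETIMEDOUT and -EPIPE still fail on the first attempt.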
@@ -0,0 +1,66 @@ +From c061046fe9ce3ff31fb9a807144a2630ad349c17 Mon Sep 17 00:00:00 2001 +From: Aditya Garg +Date: Mon, 30 Jun 2025 12:37:13 +0000 +Subject: HID: apple: avoid setting up battery timer for devices without battery + +From: Aditya Garg + +commit c061046fe9ce3ff31fb9a807144a2630ad349c17 upstream. + +Currently, the battery timer is set up for all devices using hid-apple, +irrespective of whether they actually have a battery or not. + +APPLE_RDESC_BATTERY is a quirk that indicates the device has a battery +and needs the battery timer. This patch checks for this quirk before +setting up the timer, ensuring that only devices with a battery will +have the timer set up. + +Fixes: 6e143293e17a ("HID: apple: Report Magic Keyboard battery over USB") +Cc: stable@vger.kernel.org +Signed-off-by: Aditya Garg +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-apple.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -934,10 +934,12 @@ static int apple_probe(struct hid_device + return ret; + } + +- timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0); +- mod_timer(&asc->battery_timer, +- jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS)); +- apple_fetch_battery(hdev); ++ if (quirks & APPLE_RDESC_BATTERY) { ++ timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0); ++ mod_timer(&asc->battery_timer, ++ jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS)); ++ apple_fetch_battery(hdev); ++ } + + if (quirks & APPLE_BACKLIGHT_CTL) + apple_backlight_init(hdev); +@@ -951,7 +953,9 @@ static int apple_probe(struct hid_device + return 0; + + out_err: +- timer_delete_sync(&asc->battery_timer); ++ if (quirks & APPLE_RDESC_BATTERY) ++ timer_delete_sync(&asc->battery_timer); ++ + hid_hw_stop(hdev); + return ret; + } +@@ -960,7 +964,8 @@ static void apple_remove(struct hid_devi + { + struct apple_sc *asc = hid_get_drvdata(hdev); + +- 
timer_delete_sync(&asc->battery_timer); ++ if (asc->quirks & APPLE_RDESC_BATTERY) ++ timer_delete_sync(&asc->battery_timer); + + hid_hw_stop(hdev); + } diff --git a/queue-6.16/hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch b/queue-6.16/hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch new file mode 100644 index 0000000000..89cfe4c7aa --- /dev/null +++ b/queue-6.16/hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch 
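Review bot: the out_err path in apple_probe guards `timer_delete_sync()` with the local `quirks` while apple_remove guards it with `asc->quirks`; if those two can ever differ (the local being adjusted after it was stored into asc, or asc->quirks being modified later), one path would either delete a timer that timer_setup() never initialised or leave a live timer behind on unbind, so confirm they hold the same value at both points or read asc->quirks in both. Because `timer_setup()` is now conditional, every exit path that tears down the timer, including any added in future, must carry the same APPLE_RDESC_BATTERY guard; a small `apple_has_battery_timer()` style helper would keep set-up and tear-down from drifting apart.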
@@ -0,0 +1,102 @@ +From 1bb3363da862e0464ec050eea2fb5472a36ad86b Mon Sep 17 00:00:00 2001 +From: Qasim Ijaz +Date: Mon, 14 Jul 2025 00:30:08 +0100 +Subject: HID: apple: validate feature-report field count to prevent NULL pointer dereference + +From: Qasim Ijaz + +commit 1bb3363da862e0464ec050eea2fb5472a36ad86b upstream. + +A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL +pointer dereference whilst the power feature-report is toggled and sent to +the device in apple_magic_backlight_report_set(). The power feature-report +is expected to have two data fields, but if the descriptor declares one +field then accessing field[1] and dereferencing it in +apple_magic_backlight_report_set() becomes invalid +since field[1] will be NULL. + +An example of a minimal descriptor which can cause the crash is something +like the following where the report with ID 3 (power report) only +references a single 1-byte field. When hid core parses the descriptor it +will encounter the final feature tag, allocate a hid_report (all members +of field[] will be zeroed out), create field structure and populate it, +increasing the maxfield to 1. The subsequent field[1] access and +dereference causes the crash. 
+ + Usage Page (Vendor Defined 0xFF00) + Usage (0x0F) + Collection (Application) + Report ID (1) + Usage (0x01) + Logical Minimum (0) + Logical Maximum (255) + Report Size (8) + Report Count (1) + Feature (Data,Var,Abs) + + Usage (0x02) + Logical Maximum (32767) + Report Size (16) + Report Count (1) + Feature (Data,Var,Abs) + + Report ID (3) + Usage (0x03) + Logical Minimum (0) + Logical Maximum (1) + Report Size (8) + Report Count (1) + Feature (Data,Var,Abs) + End Collection + +Here we see the KASAN splat when the kernel dereferences the +NULL pointer and crashes: + + [ 15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI + [ 15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] + [ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary) + [ 15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 + [ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210 + [ 15.165691] Call Trace: + [ 15.165691] + [ 15.165691] apple_probe+0x571/0xa20 + [ 15.165691] hid_device_probe+0x2e2/0x6f0 + [ 15.165691] really_probe+0x1ca/0x5c0 + [ 15.165691] __driver_probe_device+0x24f/0x310 + [ 15.165691] driver_probe_device+0x4a/0xd0 + [ 15.165691] __device_attach_driver+0x169/0x220 + [ 15.165691] bus_for_each_drv+0x118/0x1b0 + [ 15.165691] __device_attach+0x1d5/0x380 + [ 15.165691] device_initial_probe+0x12/0x20 + [ 15.165691] bus_probe_device+0x13d/0x180 + [ 15.165691] device_add+0xd87/0x1510 + [...] + +To fix this issue we should validate the number of fields that the +backlight and power reports have and if they do not have the required +number of fields then bail. 
+ +Fixes: 394ba612f941 ("HID: apple: Add support for magic keyboard backlight on T2 Macs") +Cc: stable@vger.kernel.org +Signed-off-by: Qasim Ijaz +Reviewed-by: Orlando Chamberlain +Tested-by: Aditya Garg +Link: https://patch.msgid.link/20250713233008.15131-1-qasdev00@gmail.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-apple.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -890,7 +890,8 @@ static int apple_magic_backlight_init(st + backlight->brightness = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_BRIGHTNESS]; + backlight->power = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_POWER]; + +- if (!backlight->brightness || !backlight->power) ++ if (!backlight->brightness || backlight->brightness->maxfield < 2 || ++ !backlight->power || backlight->power->maxfield < 2) + return -ENODEV; + + backlight->cdev.name = ":white:" LED_FUNCTION_KBD_BACKLIGHT; diff --git a/queue-6.16/hid-core-harden-s32ton-against-conversion-to-0-bits.patch b/queue-6.16/hid-core-harden-s32ton-against-conversion-to-0-bits.patch new file mode 100644 index 0000000000..eb454982f4 --- /dev/null +++ b/queue-6.16/hid-core-harden-s32ton-against-conversion-to-0-bits.patch 
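Review bot: the new check `++ if (!backlight->brightness || backlight->brightness->maxfield < 2 ||` returns -ENODEV without any message; a hid_err() naming which report fell short would make a malformed or hostile descriptor visible in dmesg instead of just leaving the backlight absent, which is also the evidence an administrator wants when a peripheral misbehaves. The check covers the field count that the splat shows being dereferenced (field[1]); if apple_magic_backlight_report_set() also indexes ->value[] on those fields, confirm the descriptor-driven report_count of each field is validated as well, since a descriptor can declare two fields and still give one of them a count of zero.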
@@ -0,0 +1,49 @@ +From a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 23 Jul 2025 10:37:04 -0400 +Subject: HID: core: Harden s32ton() against conversion to 0 bits + +From: Alan Stern + +commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd upstream. + +Testing by the syzbot fuzzer showed that the HID core gets a +shift-out-of-bounds exception when it tries to convert a 32-bit +quantity to a 0-bit quantity. Ideally this should never occur, but +there are buggy devices and some might have a report field with size +set to zero; we shouldn't reject the report or the device just because +of that. + +Instead, harden the s32ton() routine so that it returns a reasonable +result instead of crashing when it is called with the number of bits +set to 0 -- the same as what snto32() does. + +Signed-off-by: Alan Stern +Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/ +Tested-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com +Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -66,8 +66,12 @@ static s32 snto32(__u32 value, unsigned + + static u32 s32ton(__s32 value, unsigned int n) + { +- s32 a = value >> (n - 1); ++ s32 a; + ++ if (!value || !n) ++ return 0; ++ ++ a = value >> (n - 1); + if (a && a != -1) + return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1; + return value & ((1 << n) - 1); 
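Review bot: the guard `++ if (!value || !n)` removes the n == 0 shift, but the unchanged `return value & ((1 << n) - 1);` still shifts a 32-bit int by n, which for n == 32 is also undefined behaviour and trips the same UBSAN shift-out-of-bounds check, and `1 << (n - 1)` with n == 32 shifts into the sign bit; if a 32-bit report field can reach s32ton() (HID report sizes up to 32 bits are legal), the hardening is incomplete and an early return for n >= 32 or a 64-bit intermediate for the mask would close it. Returning 0 for n == 0 rather than rejecting the report is the right choice for the reason the commit message gives: a buggy descriptor should degrade one field, not take the device down.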
diff --git a/queue-6.16/hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch b/queue-6.16/hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch new file mode 100644 index 0000000000..a05ef21991 --- /dev/null +++ b/queue-6.16/hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch 
@@ -0,0 +1,130 @@ +From 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 Mon Sep 17 00:00:00 2001 +From: Aditya Garg +Date: Mon, 30 Jun 2025 12:37:13 +0000 +Subject: HID: magicmouse: avoid setting up battery timer when not needed + +From: Aditya Garg + +commit 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 upstream. + +Currently, the battery timer is set up for all devices using +hid-magicmouse, irrespective of whether they actually need it or not. + +The current implementation requires the battery timer for Magic Mouse 2 +and Magic Trackpad 2 when connected via USB only. Add checks to ensure +that the battery timer is only set up when they are connected via USB. + +Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB") +Cc: stable@vger.kernel.org +Signed-off-by: Aditya Garg +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-magicmouse.c | 62 +++++++++++++++++++++++++++---------------- + 1 file changed, 39 insertions(+), 23 deletions(-) + +--- a/drivers/hid/hid-magicmouse.c ++++ b/drivers/hid/hid-magicmouse.c +@@ -791,17 +791,31 @@ static void magicmouse_enable_mt_work(st + hid_err(msc->hdev, "unable to request touch data (%d)\n", ret); + } + ++static bool is_usb_magicmouse2(__u32 vendor, __u32 product) ++{ ++ if (vendor != USB_VENDOR_ID_APPLE) ++ return false; ++ return product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || ++ product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC; ++} ++ ++static bool is_usb_magictrackpad2(__u32 vendor, __u32 product) ++{ ++ if (vendor != USB_VENDOR_ID_APPLE) ++ return false; ++ return product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || ++ product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC; ++} ++ + static int magicmouse_fetch_battery(struct hid_device *hdev) + { + #ifdef CONFIG_HID_BATTERY_STRENGTH + struct hid_report_enum *report_enum; + struct hid_report *report; + +- if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE || +- (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 && +- hdev->product != 
USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC && +- hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 && +- hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC)) ++ if (!hdev->battery || ++ (!is_usb_magicmouse2(hdev->vendor, hdev->product) && ++ !is_usb_magictrackpad2(hdev->vendor, hdev->product))) + return -1; + + report_enum = &hdev->report_enum[hdev->battery_report_type]; +@@ -863,17 +877,17 @@ static int magicmouse_probe(struct hid_d + return ret; + } + +- timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); +- mod_timer(&msc->battery_timer, +- jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); +- magicmouse_fetch_battery(hdev); +- +- if (id->vendor == USB_VENDOR_ID_APPLE && +- (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || +- id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || +- ((id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || +- id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && +- hdev->type != HID_TYPE_USBMOUSE))) ++ if (is_usb_magicmouse2(id->vendor, id->product) || ++ is_usb_magictrackpad2(id->vendor, id->product)) { ++ timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); ++ mod_timer(&msc->battery_timer, ++ jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); ++ magicmouse_fetch_battery(hdev); ++ } ++ ++ if (is_usb_magicmouse2(id->vendor, id->product) || ++ (is_usb_magictrackpad2(id->vendor, id->product) && ++ hdev->type != HID_TYPE_USBMOUSE)) + return 0; + + if (!msc->input) { +@@ -936,7 +950,10 @@ static int magicmouse_probe(struct hid_d + + return 0; + err_stop_hw: +- timer_delete_sync(&msc->battery_timer); ++ if (is_usb_magicmouse2(id->vendor, id->product) || ++ is_usb_magictrackpad2(id->vendor, id->product)) ++ timer_delete_sync(&msc->battery_timer); ++ + hid_hw_stop(hdev); + return ret; + } +@@ -947,7 +964,9 @@ static void magicmouse_remove(struct hid + + if (msc) { + cancel_delayed_work_sync(&msc->work); +- timer_delete_sync(&msc->battery_timer); ++ if (is_usb_magicmouse2(hdev->vendor, 
hdev->product) || ++ is_usb_magictrackpad2(hdev->vendor, hdev->product)) ++ timer_delete_sync(&msc->battery_timer); + } + + hid_hw_stop(hdev); +@@ -964,11 +983,8 @@ static const __u8 *magicmouse_report_fix + * 0x05, 0x01, // Usage Page (Generic Desktop) 0 + * 0x09, 0x02, // Usage (Mouse) 2 + */ +- if (hdev->vendor == USB_VENDOR_ID_APPLE && +- (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || +- hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || +- hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || +- hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && ++ if ((is_usb_magicmouse2(hdev->vendor, hdev->product) || ++ is_usb_magictrackpad2(hdev->vendor, hdev->product)) && + *rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) { + hid_info(hdev, + "fixing up magicmouse battery report descriptor\n"); diff --git a/queue-6.16/kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch b/queue-6.16/kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch new file mode 100644 index 0000000000..26c853a3e0 --- /dev/null +++ b/queue-6.16/kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch 
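Review bot: `is_usb_magicmouse2()` and `is_usb_magictrackpad2()` are named as USB checks but compare only vendor and product IDs against USB_VENDOR_ID_APPLE and the USB product constants; that is correct only if the Bluetooth variants of these devices register under a different vendor ID, so either add a comment stating that assumption or test the transport explicitly (hdev->bus), otherwise a future ID-table change could quietly start the USB battery timer on a Bluetooth device. The pair `is_usb_magicmouse2(...) || is_usb_magictrackpad2(...)` now appears four times (probe set-up, err_stop_hw, magicmouse_remove and magicmouse_report_fixup); a single `magicmouse_needs_battery_timer()` helper would keep the set-up and tear-down conditions identical, which is precisely the mismatch this patch is fixing.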
@@ -0,0 +1,77 @@ +From c6e35dff58d348c1a9489e9b3b62b3721e62631d Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Sun, 20 Jul 2025 11:22:29 +0100 +Subject: KVM: arm64: Check for SYSREGS_ON_CPU before accessing the CPU state + +From: Marc Zyngier + +commit c6e35dff58d348c1a9489e9b3b62b3721e62631d upstream. + +Mark Brown reports that since we commit to making exceptions +visible without the vcpu being loaded, the external abort selftest +fails. + +Upon investigation, it turns out that the code that makes registers +affected by an exception visible to the guest is completely broken +on VHE, as we don't check whether the system registers are loaded +on the CPU at this point. We managed to get away with this so far, +but that's obviously as bad as it gets, + +Add the required checksm and document the absolute need to check +for the SYSREGS_ON_CPU flag before calling into any of the +__vcpu_write_sys_reg_to_cpu()__vcpu_read_sys_reg_from_cpu() helpers. + +Reported-by: Mark Brown +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/18535df8-e647-4643-af9a-bb780af03a70@sirena.org.uk +Link: https://lore.kernel.org/r/20250720102229.179114-1-maz@kernel.org +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_host.h | 4 ++++ + arch/arm64/kvm/hyp/exception.c | 6 ++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -1149,6 +1149,8 @@ static inline bool __vcpu_read_sys_reg_f + * System registers listed in the switch are not saved on every + * exit from the guest but are only saved on vcpu_put. + * ++ * SYSREGS_ON_CPU *MUST* be checked before using this helper. 
++ * + * Note that MPIDR_EL1 for the guest is set by KVM via VMPIDR_EL2 but + * should never be listed below, because the guest cannot modify its + * own MPIDR_EL1 and MPIDR_EL1 is accessed for VCPU A from VCPU B's +@@ -1200,6 +1202,8 @@ static inline bool __vcpu_write_sys_reg_ + * System registers listed in the switch are not restored on every + * entry to the guest but are only restored on vcpu_load. + * ++ * SYSREGS_ON_CPU *MUST* be checked before using this helper. ++ * + * Note that MPIDR_EL1 for the guest is set by KVM via VMPIDR_EL2 but + * should never be listed below, because the MPIDR should only be set + * once, before running the VCPU, and never changed later. +--- a/arch/arm64/kvm/hyp/exception.c ++++ b/arch/arm64/kvm/hyp/exception.c +@@ -26,7 +26,8 @@ static inline u64 __vcpu_read_sys_reg(co + + if (unlikely(vcpu_has_nv(vcpu))) + return vcpu_read_sys_reg(vcpu, reg); +- else if (__vcpu_read_sys_reg_from_cpu(reg, &val)) ++ else if (vcpu_get_flag(vcpu, SYSREGS_ON_CPU) && ++ __vcpu_read_sys_reg_from_cpu(reg, &val)) + return val; + + return __vcpu_sys_reg(vcpu, reg); +@@ -36,7 +37,8 @@ static inline void __vcpu_write_sys_reg( + { + if (unlikely(vcpu_has_nv(vcpu))) + vcpu_write_sys_reg(vcpu, val, reg); +- else if (!__vcpu_write_sys_reg_to_cpu(val, reg)) ++ else if (!vcpu_get_flag(vcpu, SYSREGS_ON_CPU) || ++ !__vcpu_write_sys_reg_to_cpu(val, reg)) + __vcpu_assign_sys_reg(vcpu, reg, val); + } + diff --git a/queue-6.16/kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch b/queue-6.16/kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch new file mode 100644 index 0000000000..445d3b595a --- /dev/null +++ b/queue-6.16/kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch 
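Review bot: the new `SYSREGS_ON_CPU *MUST* be checked before using this helper` comments document the contract but nothing enforces it; the two call sites fixed here (`__vcpu_read_sys_reg` and `__vcpu_write_sys_reg` in hyp/exception.c) now test `vcpu_get_flag(vcpu, SYSREGS_ON_CPU)` first, so every other caller of `__vcpu_read_sys_reg_from_cpu()` and `__vcpu_write_sys_reg_to_cpu()` should be audited for the same omission, and a debug-only WARN_ON in the helpers would turn a silent stale-register read into a visible report rather than a failing selftest. The fallback ordering looks right: with the flag clear, the write goes to the in-memory copy via `__vcpu_assign_sys_reg()` and the read comes from `__vcpu_sys_reg()`, which per the header comment is the copy that vcpu_load restores.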
@@ -0,0 +1,69 @@ +From 303084ad12767db64c84ba8fcd0450aec38c8534 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Mon, 21 Jul 2025 11:19:50 +0100 +Subject: KVM: arm64: Filter out HCR_EL2 bits when running in hypervisor context + +From: Marc Zyngier + +commit 303084ad12767db64c84ba8fcd0450aec38c8534 upstream. + +Most HCR_EL2 bits are not supposed to affect EL2 at all, but only +the guest. However, we gladly merge these bits with the host's +HCR_EL2 configuration, irrespective of entering L1 or L2. + +This leads to some funky behaviour, such as L1 trying to inject +a virtual SError for L2, and getting a taste of its own medecine. +Not quite what the architecture anticipated. + +In the end, the only bits that matter are those we have defined as +invariants, either because we've made them RESx (E2H, HCD...), or +that we actively refuse to merge because the mess with KVM's own +logic. + +Use the sanitisation infrastructure to get the RES1 bits, and let +things rip in a safer way. + +Fixes: 04ab519bb86df ("KVM: arm64: nv: Configure HCR_EL2 for FEAT_NV2") +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250721101955.535159-3-maz@kernel.org +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/hyp/vhe/switch.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kvm/hyp/vhe/switch.c ++++ b/arch/arm64/kvm/hyp/vhe/switch.c +@@ -48,8 +48,7 @@ DEFINE_PER_CPU(unsigned long, kvm_hyp_ve + + static u64 __compute_hcr(struct kvm_vcpu *vcpu) + { +- u64 guest_hcr = __vcpu_sys_reg(vcpu, HCR_EL2); +- u64 hcr = vcpu->arch.hcr_el2; ++ u64 guest_hcr, hcr = vcpu->arch.hcr_el2; + + if (!vcpu_has_nv(vcpu)) + return hcr; +@@ -68,10 +67,21 @@ static u64 __compute_hcr(struct kvm_vcpu + if (!vcpu_el2_e2h_is_set(vcpu)) + hcr |= HCR_NV1; + ++ /* ++ * Nothing in HCR_EL2 should impact running in hypervisor ++ * context, apart from bits we have defined as RESx (E2H, ++ * HCD and co), or 
that cannot be set directly (the EXCLUDE ++ * bits). Given that we OR the guest's view with the host's, ++ * we can use the 0 value as the starting point, and only ++ * use the config-driven RES1 bits. ++ */ ++ guest_hcr = kvm_vcpu_apply_reg_masks(vcpu, HCR_EL2, 0); ++ + write_sysreg_s(vcpu->arch.ctxt.vncr_array, SYS_VNCR_EL2); + } else { + host_data_clear_flag(VCPU_IN_HYP_CONTEXT); + ++ guest_hcr = __vcpu_sys_reg(vcpu, HCR_EL2); + if (guest_hcr & HCR_NV) { + u64 va = __fix_to_virt(vncr_fixmap(smp_processor_id())); + diff --git a/queue-6.16/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch b/queue-6.16/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch new file mode 100644 index 0000000000..1d282402e7 --- /dev/null +++ b/queue-6.16/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch 
@@ -0,0 +1,55 @@ +From 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 10 Jun 2025 16:20:06 -0700 +Subject: KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported + +From: Sean Christopherson + +commit 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 upstream. + +Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the +guest CPUID model, as debug support is supposed to be available if RTM is +supported, and there are no known downsides to letting the guest debug RTM +aborts. + +Note, there are no known bug reports related to RTM_DEBUG, the primary +motivation is to reduce the probability of breaking existing guests when a +future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL +(KVM currently lets L2 run with whatever hardware supports; whoops). + +Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to +DR7.RTM. + +Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 1 + + arch/x86/kvm/vmx/vmx.c | 4 ++++ + 2 files changed, 5 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -419,6 +419,7 @@ + #define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI (1UL << 12) + #define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14 + #define DEBUGCTLMSR_FREEZE_IN_SMM (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT) ++#define DEBUGCTLMSR_RTM_DEBUG BIT(15) + + #define MSR_PEBS_FRONTEND 0x000003f7 + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -2186,6 +2186,10 @@ static u64 vmx_get_supported_debugctl(st + (host_initiated || intel_pmu_lbr_is_enabled(vcpu))) + debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI; + ++ if (boot_cpu_has(X86_FEATURE_RTM) && ++ (host_initiated || 
guest_cpu_cap_has(vcpu, X86_FEATURE_RTM))) ++ debugctl |= DEBUGCTLMSR_RTM_DEBUG; ++ + return debugctl; + } + diff --git a/queue-6.16/kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch b/queue-6.16/kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch new file mode 100644 index 0000000000..8f75ac06d3 --- /dev/null +++ b/queue-6.16/kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch 
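Review bot: style nit in the msr-index.h hunk: the new `#define DEBUGCTLMSR_RTM_DEBUG BIT(15)` sits between macros written as `(1UL << 12)` and `(1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT)`; writing it as `(1UL << 15)` would match its neighbours and not depend on `BIT()` being visible in this header. The vmx.c gate is correct as written: the bit is only added to the supported set when `boot_cpu_has(X86_FEATURE_RTM)` and either the access is host-initiated or `guest_cpu_cap_has(vcpu, X86_FEATURE_RTM)`, so a guest whose CPUID model lacks RTM is not offered it.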
@@ -0,0 +1,206 @@ +From 2478b1b220c49d25cb1c3f061ec4f9b351d9a131 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 10 Jun 2025 16:20:04 -0700 +Subject: KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap + +From: Sean Christopherson + +commit 2478b1b220c49d25cb1c3f061ec4f9b351d9a131 upstream. + +Convert kvm_x86_ops.vcpu_run()'s "force_immediate_exit" boolean parameter +into an a generic bitmap so that similar "take action" information can be +passed to vendor code without creating a pile of boolean parameters. + +This will allow dropping kvm_x86_ops.set_dr6() in favor of a new flag, and +will also allow for adding similar functionality for re-loading debugctl +in the active VMCS. + +Opportunistically massage the TDX WARN and comment to prepare for adding +more run_flags, all of which are expected to be mutually exclusive with +TDX, i.e. should be WARNed on. + +No functional change intended. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250610232010.162191-3-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 6 +++++- + arch/x86/kvm/svm/svm.c | 4 ++-- + arch/x86/kvm/vmx/main.c | 6 +++--- + arch/x86/kvm/vmx/tdx.c | 18 +++++++++--------- + arch/x86/kvm/vmx/vmx.c | 3 ++- + arch/x86/kvm/vmx/x86_ops.h | 4 ++-- + arch/x86/kvm/x86.c | 11 ++++++++--- + 7 files changed, 31 insertions(+), 21 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1680,6 +1680,10 @@ static inline u16 kvm_lapic_irq_dest_mod + return dest_mode_logical ? 
APIC_DEST_LOGICAL : APIC_DEST_PHYSICAL; + } + ++enum kvm_x86_run_flags { ++ KVM_RUN_FORCE_IMMEDIATE_EXIT = BIT(0), ++}; ++ + struct kvm_x86_ops { + const char *name; + +@@ -1761,7 +1765,7 @@ struct kvm_x86_ops { + + int (*vcpu_pre_run)(struct kvm_vcpu *vcpu); + enum exit_fastpath_completion (*vcpu_run)(struct kvm_vcpu *vcpu, +- bool force_immediate_exit); ++ u64 run_flags); + int (*handle_exit)(struct kvm_vcpu *vcpu, + enum exit_fastpath_completion exit_fastpath); + int (*skip_emulated_instruction)(struct kvm_vcpu *vcpu); +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -4389,9 +4389,9 @@ static noinstr void svm_vcpu_enter_exit( + guest_state_exit_irqoff(); + } + +-static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, +- bool force_immediate_exit) ++static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) + { ++ bool force_immediate_exit = run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT; + struct vcpu_svm *svm = to_svm(vcpu); + bool spec_ctrl_intercepted = msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL); + +--- a/arch/x86/kvm/vmx/main.c ++++ b/arch/x86/kvm/vmx/main.c +@@ -175,12 +175,12 @@ static int vt_vcpu_pre_run(struct kvm_vc + return vmx_vcpu_pre_run(vcpu); + } + +-static fastpath_t vt_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) ++static fastpath_t vt_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) + { + if (is_td_vcpu(vcpu)) +- return tdx_vcpu_run(vcpu, force_immediate_exit); ++ return tdx_vcpu_run(vcpu, run_flags); + +- return vmx_vcpu_run(vcpu, force_immediate_exit); ++ return vmx_vcpu_run(vcpu, run_flags); + } + + static int vt_handle_exit(struct kvm_vcpu *vcpu, +--- a/arch/x86/kvm/vmx/tdx.c ++++ b/arch/x86/kvm/vmx/tdx.c +@@ -1025,20 +1025,20 @@ static void tdx_load_host_xsave_state(st + DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI | \ + DEBUGCTLMSR_FREEZE_IN_SMM) + +-fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) ++fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) + { + 
struct vcpu_tdx *tdx = to_tdx(vcpu); + struct vcpu_vt *vt = to_vt(vcpu); + + /* +- * force_immediate_exit requires vCPU entering for events injection with +- * an immediately exit followed. But The TDX module doesn't guarantee +- * entry, it's already possible for KVM to _think_ it completely entry +- * to the guest without actually having done so. +- * Since KVM never needs to force an immediate exit for TDX, and can't +- * do direct injection, just warn on force_immediate_exit. ++ * WARN if KVM wants to force an immediate exit, as the TDX module does ++ * not guarantee entry into the guest, i.e. it's possible for KVM to ++ * _think_ it completed entry to the guest and forced an immediate exit ++ * without actually having done so. Luckily, KVM never needs to force ++ * an immediate exit for TDX (KVM can't do direct event injection, so ++ * just WARN and continue on. + */ +- WARN_ON_ONCE(force_immediate_exit); ++ WARN_ON_ONCE(run_flags); + + /* + * Wait until retry of SEPT-zap-related SEAMCALL completes before +@@ -1048,7 +1048,7 @@ fastpath_t tdx_vcpu_run(struct kvm_vcpu + if (unlikely(READ_ONCE(to_kvm_tdx(vcpu->kvm)->wait_for_sept_zap))) + return EXIT_FASTPATH_EXIT_HANDLED; + +- trace_kvm_entry(vcpu, force_immediate_exit); ++ trace_kvm_entry(vcpu, run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT); + + if (pi_test_on(&vt->pi_desc)) { + apic->send_IPI_self(POSTED_INTR_VECTOR); +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -7323,8 +7323,9 @@ out: + guest_state_exit_irqoff(); + } + +-fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) ++fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) + { ++ bool force_immediate_exit = run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT; + struct vcpu_vmx *vmx = to_vmx(vcpu); + unsigned long cr3, cr4; + +--- a/arch/x86/kvm/vmx/x86_ops.h ++++ b/arch/x86/kvm/vmx/x86_ops.h +@@ -21,7 +21,7 @@ void vmx_vm_destroy(struct kvm *kvm); + int vmx_vcpu_precreate(struct kvm *kvm); + int vmx_vcpu_create(struct 
kvm_vcpu *vcpu); + int vmx_vcpu_pre_run(struct kvm_vcpu *vcpu); +-fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit); ++fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags); + void vmx_vcpu_free(struct kvm_vcpu *vcpu); + void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event); + void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu); +@@ -133,7 +133,7 @@ void tdx_vcpu_reset(struct kvm_vcpu *vcp + void tdx_vcpu_free(struct kvm_vcpu *vcpu); + void tdx_vcpu_load(struct kvm_vcpu *vcpu, int cpu); + int tdx_vcpu_pre_run(struct kvm_vcpu *vcpu); +-fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit); ++fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags); + void tdx_prepare_switch_to_guest(struct kvm_vcpu *vcpu); + void tdx_vcpu_put(struct kvm_vcpu *vcpu); + bool tdx_protected_apic_has_interrupt(struct kvm_vcpu *vcpu); +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -10785,6 +10785,7 @@ static int vcpu_enter_guest(struct kvm_v + dm_request_for_irq_injection(vcpu) && + kvm_cpu_accept_dm_intr(vcpu); + fastpath_t exit_fastpath; ++ u64 run_flags; + + bool req_immediate_exit = false; + +@@ -11029,8 +11030,11 @@ static int vcpu_enter_guest(struct kvm_v + goto cancel_injection; + } + +- if (req_immediate_exit) ++ run_flags = 0; ++ if (req_immediate_exit) { ++ run_flags |= KVM_RUN_FORCE_IMMEDIATE_EXIT; + kvm_make_request(KVM_REQ_EVENT, vcpu); ++ } + + fpregs_assert_state_consistent(); + if (test_thread_flag(TIF_NEED_FPU_LOAD)) +@@ -11067,8 +11071,7 @@ static int vcpu_enter_guest(struct kvm_v + WARN_ON_ONCE((kvm_vcpu_apicv_activated(vcpu) != kvm_vcpu_apicv_active(vcpu)) && + (kvm_get_apic_mode(vcpu) != LAPIC_MODE_DISABLED)); + +- exit_fastpath = kvm_x86_call(vcpu_run)(vcpu, +- req_immediate_exit); ++ exit_fastpath = kvm_x86_call(vcpu_run)(vcpu, run_flags); + if (likely(exit_fastpath != EXIT_FASTPATH_REENTER_GUEST)) + break; + +@@ -11080,6 +11083,8 @@ static int vcpu_enter_guest(struct kvm_v + break; + } + ++ 
run_flags = 0; ++ + /* Note, VM-Exits that go down the "slow" path are accounted below. */ + ++vcpu->stat.exits; + } diff --git a/queue-6.16/kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch b/queue-6.16/kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch new file mode 100644 index 0000000000..64bd7a5c92 --- /dev/null +++ b/queue-6.16/kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch 
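Review bot: the rewritten comment in the tdx.c hunk has an unbalanced parenthesis: "(KVM can't do direct event injection, so just WARN and continue on." never closes. Suggest "... an immediate exit for TDX (KVM can't do direct event injection), so just WARN and continue on." Also, `WARN_ON_ONCE(run_flags)` now fires on any flag, which the commit message says is intended for every future run_flag; saying so in the comment would stop the next addition to `enum kvm_x86_run_flags` from looking like an accidental trip. In x86.c, the `run_flags = 0;` added at the bottom of the re-enter loop is what prevents KVM_RUN_FORCE_IMMEDIATE_EXIT from being replayed after an EXIT_FASTPATH_REENTER_GUEST; that line deserves a short comment, since the reset is easy to mistake for dead code.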
@@ -0,0 +1,148 @@ +From 80c64c7afea1da6a93ebe88d3d29d8a60377ef80 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 10 Jun 2025 16:20:05 -0700 +Subject: KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag + +From: Sean Christopherson + +commit 80c64c7afea1da6a93ebe88d3d29d8a60377ef80 upstream. + +Instruct vendor code to load the guest's DR6 into hardware via a new +KVM_RUN flag, and remove kvm_x86_ops.set_dr6(), whose sole purpose was to +load vcpu->arch.dr6 into hardware when DR6 can be read/written directly +by the guest. + +Note, TDX already WARNs on any run_flag being set, i.e. will yell if KVM +thinks DR6 needs to be reloaded. TDX vCPUs force KVM_DEBUGREG_AUTO_SWITCH +and never clear the flag, i.e. should never observe KVM_RUN_LOAD_GUEST_DR6. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250610232010.162191-4-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm-x86-ops.h | 1 - + arch/x86/include/asm/kvm_host.h | 2 +- + arch/x86/kvm/svm/svm.c | 12 +++++++----- + arch/x86/kvm/vmx/main.c | 9 --------- + arch/x86/kvm/vmx/vmx.c | 9 +++------ + arch/x86/kvm/x86.c | 2 +- + 6 files changed, 12 insertions(+), 23 deletions(-) + +--- a/arch/x86/include/asm/kvm-x86-ops.h ++++ b/arch/x86/include/asm/kvm-x86-ops.h +@@ -49,7 +49,6 @@ KVM_X86_OP(set_idt) + KVM_X86_OP(get_gdt) + KVM_X86_OP(set_gdt) + KVM_X86_OP(sync_dirty_debug_regs) +-KVM_X86_OP(set_dr6) + KVM_X86_OP(set_dr7) + KVM_X86_OP(cache_reg) + KVM_X86_OP(get_rflags) +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1682,6 +1682,7 @@ static inline u16 kvm_lapic_irq_dest_mod + + enum kvm_x86_run_flags { + KVM_RUN_FORCE_IMMEDIATE_EXIT = BIT(0), ++ KVM_RUN_LOAD_GUEST_DR6 = BIT(1), + }; + + struct kvm_x86_ops { +@@ -1734,7 +1735,6 @@ struct kvm_x86_ops { + void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt); + void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr 
*dt); + void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu); +- void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value); + void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value); + void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg); + unsigned long (*get_rflags)(struct kvm_vcpu *vcpu); +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -4438,10 +4438,13 @@ static __no_kcsan fastpath_t svm_vcpu_ru + svm_hv_update_vp_id(svm->vmcb, vcpu); + + /* +- * Run with all-zero DR6 unless needed, so that we can get the exact cause +- * of a #DB. +- */ +- if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) ++ * Run with all-zero DR6 unless the guest can write DR6 freely, so that ++ * KVM can get the exact cause of a #DB. Note, loading guest DR6 from ++ * KVM's snapshot is only necessary when DR accesses won't exit. ++ */ ++ if (unlikely(run_flags & KVM_RUN_LOAD_GUEST_DR6)) ++ svm_set_dr6(vcpu, vcpu->arch.dr6); ++ else if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))) + svm_set_dr6(vcpu, DR6_ACTIVE_LOW); + + clgi(); +@@ -5252,7 +5255,6 @@ static struct kvm_x86_ops svm_x86_ops __ + .set_idt = svm_set_idt, + .get_gdt = svm_get_gdt, + .set_gdt = svm_set_gdt, +- .set_dr6 = svm_set_dr6, + .set_dr7 = svm_set_dr7, + .sync_dirty_debug_regs = svm_sync_dirty_debug_regs, + .cache_reg = svm_cache_reg, +--- a/arch/x86/kvm/vmx/main.c ++++ b/arch/x86/kvm/vmx/main.c +@@ -489,14 +489,6 @@ static void vt_set_gdt(struct kvm_vcpu * + vmx_set_gdt(vcpu, dt); + } + +-static void vt_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) +-{ +- if (is_td_vcpu(vcpu)) +- return; +- +- vmx_set_dr6(vcpu, val); +-} +- + static void vt_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) + { + if (is_td_vcpu(vcpu)) +@@ -943,7 +935,6 @@ struct kvm_x86_ops vt_x86_ops __initdata + .set_idt = vt_op(set_idt), + .get_gdt = vt_op(get_gdt), + .set_gdt = vt_op(set_gdt), +- .set_dr6 = vt_op(set_dr6), + .set_dr7 = vt_op(set_dr7), + .sync_dirty_debug_regs = 
vt_op(sync_dirty_debug_regs), + .cache_reg = vt_op(cache_reg), +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -5606,12 +5606,6 @@ void vmx_sync_dirty_debug_regs(struct kv + set_debugreg(DR6_RESERVED, 6); + } + +-void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val) +-{ +- lockdep_assert_irqs_disabled(); +- set_debugreg(vcpu->arch.dr6, 6); +-} +- + void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val) + { + vmcs_writel(GUEST_DR7, val); +@@ -7370,6 +7364,9 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu + vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]); + vcpu->arch.regs_dirty = 0; + ++ if (run_flags & KVM_RUN_LOAD_GUEST_DR6) ++ set_debugreg(vcpu->arch.dr6, 6); ++ + /* + * Refresh vmcs.HOST_CR3 if necessary. This must be done immediately + * prior to VM-Enter, as the kernel may load a new ASID (PCID) any time +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -11052,7 +11052,7 @@ static int vcpu_enter_guest(struct kvm_v + set_debugreg(vcpu->arch.eff_db[3], 3); + /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */ + if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)) +- kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6); ++ run_flags |= KVM_RUN_LOAD_GUEST_DR6; + } else if (unlikely(hw_breakpoint_active())) { + set_debugreg(DR7_FIXED_1, 7); + } diff --git a/queue-6.16/media-ti-j721e-csi2rx-fix-list_del-corruption.patch b/queue-6.16/media-ti-j721e-csi2rx-fix-list_del-corruption.patch new file mode 100644 index 0000000000..f7a9b10568 --- /dev/null +++ b/queue-6.16/media-ti-j721e-csi2rx-fix-list_del-corruption.patch 
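Review bot: the vmx.c hunk drops `lockdep_assert_irqs_disabled()` together with vmx_set_dr6(); the replacement `set_debugreg(vcpu->arch.dr6, 6)` in vmx_vcpu_run() lands after `vcpu->arch.regs_dirty = 0;`, where IRQs should already be off, but the assertion documented that requirement at no cost, so consider keeping it beside the new write. In the SVM hunk, the `if (unlikely(run_flags & KVM_RUN_LOAD_GUEST_DR6)) ... else if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)))` chain leaves DR6 untouched when WONT_EXIT is set but the flag is not; that matches the pre-patch behaviour (x86.c only raises the flag inside the WONT_EXIT branch), and the new comment could say so explicitly. Finally, the diffstat does not touch arch/x86/kvm/vmx/x86_ops.h; if a `vmx_set_dr6()` prototype still lives there it is now a dangling declaration and should be removed in the same patch.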
@@ -0,0 +1,96 @@ +From ae42c6fe531425ef2f47e82f96851427d24bbf6b Mon Sep 17 00:00:00 2001 +From: Julien Massot +Date: Mon, 30 Jun 2025 12:46:43 +0200 +Subject: media: ti: j721e-csi2rx: fix list_del corruption + +From: Julien Massot + +commit ae42c6fe531425ef2f47e82f96851427d24bbf6b upstream. + +If ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is +marked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue. +This causes the same buffer to be retried in the next iteration, resulting +in a double list_del() and eventual list corruption. + +Fix this by removing the buffer from the queue before calling +vb2_buffer_done() on error. + +This resolves a crash due to list_del corruption: +[ 37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA +[ 37.832187] slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048 +[ 37.839761] list_del corruption. next->prev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428) +[ 37.850799] ------------[ cut here ]------------ +[ 37.855424] kernel BUG at lib/list_debug.c:65! 
+[ 37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP +[ 37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul +[ 37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY +[ 37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT) +[ 37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114 +[ 37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114 +[ 37.914059] sp : ffff800080003db0 +[ 37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000 +[ 37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122 +[ 37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0 +[ 37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a +[ 37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720 +[ 37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea +[ 37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568 +[ 37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff +[ 37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000 +[ 37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d +[ 37.988832] Call trace: +[ 37.991281] __list_del_entry_valid_or_report+0xdc/0x114 (P) +[ 37.996959] ti_csi2rx_dma_callback+0x84/0x1c4 +[ 38.001419] udma_vchan_complete+0x1e0/0x344 +[ 38.005705] tasklet_action_common+0x118/0x310 +[ 38.010163] tasklet_action+0x30/0x3c +[ 38.013832] handle_softirqs+0x10c/0x2e0 +[ 38.017761] __do_softirq+0x14/0x20 +[ 38.021256] ____do_softirq+0x10/0x20 +[ 38.024931] call_on_irq_stack+0x24/0x60 +[ 38.028873] do_softirq_own_stack+0x1c/0x40 +[ 38.033064] __irq_exit_rcu+0x130/0x15c +[ 38.036909] irq_exit_rcu+0x10/0x20 +[ 
38.040403] el1_interrupt+0x38/0x60 +[ 38.043987] el1h_64_irq_handler+0x18/0x24 +[ 38.048091] el1h_64_irq+0x6c/0x70 +[ 38.051501] default_idle_call+0x34/0xe0 (P) +[ 38.055783] do_idle+0x1f8/0x250 +[ 38.059021] cpu_startup_entry+0x34/0x3c +[ 38.062951] rest_init+0xb4/0xc0 +[ 38.066186] console_on_rootfs+0x0/0x6c +[ 38.070031] __primary_switched+0x88/0x90 +[ 38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000) +[ 38.080168] ---[ end trace 0000000000000000 ]--- +[ 38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt +[ 38.092197] SMP: stopping secondary CPUs +[ 38.096139] Kernel Offset: disabled +[ 38.099631] CPU features: 0x0000,00002000,02000801,0400420b +[ 38.105202] Memory Limit: none +[ 38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]--- + +Fixes: b4a3d877dc92 ("media: ti: Add CSI2RX support for J721E") +Cc: stable@vger.kernel.org +Suggested-by: Sjoerd Simons +Signed-off-by: Sjoerd Simons +Signed-off-by: Julien Massot +Reviewed-by: Jai Luthra +Tested-by: Dirk Behme +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c ++++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c +@@ -619,6 +619,7 @@ static void ti_csi2rx_dma_callback(void + + if (ti_csi2rx_start_dma(csi, buf)) { + dev_err(csi->dev, "Failed to queue the next buffer for DMA\n"); ++ list_del(&buf->list); + vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR); + } else { + list_move_tail(&buf->list, &dma->submitted); diff --git a/queue-6.16/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch b/queue-6.16/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch new file mode 100644 index 0000000000..1e2546ce15 --- /dev/null +++ b/queue-6.16/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch 
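Review bot: the added `list_del(&buf->list);` in ti_csi2rx_dma_callback() must execute under the same lock that protects the list the else branch manipulates with `list_move_tail(&buf->list, &dma->submitted)`; the hunk context does not show that lock, so please confirm the error path is inside it. Using `list_del()` rather than `list_del_init()` is fine here because the buffer is handed back via `vb2_buffer_done(..., VB2_BUF_STATE_ERROR)` immediately afterwards and is not requeued by the driver. Commit message nit: the root-cause sentence (buffer left on the DMA queue after being marked done, then retried) already carries the point; the full register dump could be trimmed to the `list_del corruption` line and the call trace.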
@@ -0,0 +1,98 @@ +From 35ad7e181541aa5757f9f316768d3e64403ec843 Mon Sep 17 00:00:00 2001 +From: Jiaxun Yang +Date: Sat, 7 Jun 2025 13:43:56 +0100 +Subject: MIPS: mm: tlb-r4k: Uniquify TLB entries on init + +From: Jiaxun Yang + +commit 35ad7e181541aa5757f9f316768d3e64403ec843 upstream. + +Hardware or bootloader will initialize TLB entries to any value, which +may collide with kernel's UNIQUE_ENTRYHI value. On MIPS microAptiv/M5150 +family of cores this will trigger machine check exception and cause boot +failure. On M5150 simulation this could happen 7 times out of 1000 boots. + +Replace local_flush_tlb_all() with r4k_tlb_uniquify() which probes each +TLB ENTRIHI unique value for collisions before it's written, and in case +of collision try a different ASID. + +Cc: stable@kernel.org +Signed-off-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/tlb-r4k.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 55 insertions(+), 1 deletion(-) + +--- a/arch/mips/mm/tlb-r4k.c ++++ b/arch/mips/mm/tlb-r4k.c +@@ -508,6 +508,60 @@ static int __init set_ntlb(char *str) + + __setup("ntlb=", set_ntlb); + ++/* Initialise all TLB entries with unique values */ ++static void r4k_tlb_uniquify(void) ++{ ++ int entry = num_wired_entries(); ++ ++ htw_stop(); ++ write_c0_entrylo0(0); ++ write_c0_entrylo1(0); ++ ++ while (entry < current_cpu_data.tlbsize) { ++ unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data); ++ unsigned long asid = 0; ++ int idx; ++ ++ /* Skip wired MMID to make ginvt_mmid work */ ++ if (cpu_has_mmid) ++ asid = MMID_KERNEL_WIRED + 1; ++ ++ /* Check for match before using UNIQUE_ENTRYHI */ ++ do { ++ if (cpu_has_mmid) { ++ write_c0_memorymapid(asid); ++ write_c0_entryhi(UNIQUE_ENTRYHI(entry)); ++ } else { ++ write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid); ++ } ++ mtc0_tlbw_hazard(); ++ tlb_probe(); ++ tlb_probe_hazard(); ++ idx = read_c0_index(); ++ /* No match or match is on current entry */ 
++ if (idx < 0 || idx == entry) ++ break; ++ /* ++ * If we hit a match, we need to try again with ++ * a different ASID. ++ */ ++ asid++; ++ } while (asid < asid_mask); ++ ++ if (idx >= 0 && idx != entry) ++ panic("Unable to uniquify TLB entry %d", idx); ++ ++ write_c0_index(entry); ++ mtc0_tlbw_hazard(); ++ tlb_write_indexed(); ++ entry++; ++ } ++ ++ tlbw_use_hazard(); ++ htw_start(); ++ flush_micro_tlb(); ++} ++ + /* + * Configure TLB (for init or after a CPU has been powered off). + */ +@@ -547,7 +601,7 @@ static void r4k_tlb_configure(void) + temp_tlb_entry = current_cpu_data.tlbsize - 1; + + /* From this point on the ARC firmware is dead. */ +- local_flush_tlb_all(); ++ r4k_tlb_uniquify(); + + /* Did I tell you that ARC SUCKS? */ + } diff --git a/queue-6.16/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch b/queue-6.16/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch new file mode 100644 index 0000000000..80e846964c --- /dev/null +++ b/queue-6.16/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch 
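Review bot: in r4k_tlb_uniquify() the retry loop `} while (asid < asid_mask);` stops one candidate short: `cpu_asid_mask()` returns the mask with all valid ASID bits set, so `asid == asid_mask` is a legal ASID that is never probed, and because `asid++` runs before the test the last value actually tried is `asid_mask - 1`. `while (asid <= asid_mask)` covers the full range, or add a comment that dropping one candidate is acceptable. Also, `panic("Unable to uniquify TLB entry %d", idx)` prints the index of the entry that collided rather than `entry`, the one being written; printing both would make a failing boot easier to diagnose. The `idx < 0 || idx == entry` early exit is right: no match, or a match on the entry we are about to overwrite, both mean the value is safe to write.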
@@ -0,0 +1,56 @@ +From 188cb385bbf04d486df3e52f28c47b3961f5f0c0 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Thu, 10 Jul 2025 11:23:53 +0300 +Subject: mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery + +From: Andy Shevchenko + +commit 188cb385bbf04d486df3e52f28c47b3961f5f0c0 upstream. + +When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with +clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n: + + mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function] + +Fix this by moving the function to the respective existing ifdeffery +for its the only user. + +See also: + + 6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build") + +Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.intel.com +Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem") +Signed-off-by: Andy Shevchenko +Reviewed-by: Leon Romanovsky +Reviewed-by: Alistair Popple +Cc: Andriy Shevchenko +Cc: Bill Wendling +Cc: Jerome Glisse +Cc: Justin Stitt +Cc: Nathan Chancellor +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hmm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/hmm.c ++++ b/mm/hmm.c +@@ -183,6 +183,7 @@ static inline unsigned long hmm_pfn_flag + return order << HMM_PFN_ORDER_SHIFT; + } + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE + static inline unsigned long pmd_to_hmm_pfn_flags(struct hmm_range *range, + pmd_t pmd) + { +@@ -193,7 +194,6 @@ static inline unsigned long pmd_to_hmm_p + hmm_pfn_flags_order(PMD_SHIFT - PAGE_SHIFT); + } + +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE + static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr, + unsigned long end, unsigned long hmm_pfns[], + pmd_t pmd) 
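Review bot: moving `#ifdef CONFIG_TRANSPARENT_HUGEPAGE` above pmd_to_hmm_pfn_flags() is the right fix for the `-Wunused-function` warning, since hmm_vma_handle_pmd() inside the same block is its only caller per the commit message, and there is no logic change. Two commit-message nits: "for its the only user" should read "for its only user", and the trailing `Cc:` line carries no address.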
diff --git a/queue-6.16/mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch b/queue-6.16/mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch new file mode 100644 index 0000000000..6fa99dc8ad --- /dev/null +++ b/queue-6.16/mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch 
@@ -0,0 +1,66 @@ +From 8d58d65621118fdca3ed6a0b3d658ba7e0e5153c Mon Sep 17 00:00:00 2001 +From: Baolin Wang +Date: Thu, 31 Jul 2025 09:53:43 +0800 +Subject: mm: shmem: fix the shmem large folio allocation for the i915 driver +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Baolin Wang + +commit 8d58d65621118fdca3ed6a0b3d658ba7e0e5153c upstream. + +After commit acd7ccb284b8 ("mm: shmem: add large folio support for +tmpfs"), we extend the 'huge=' option to allow any sized large folios for +tmpfs, which means tmpfs will allow getting a highest order hint based on +the size of write() and fallocate() paths, and then will try each +allowable large order. + +However, when the i915 driver allocates shmem memory, it doesn't provide +hint information about the size of the large folio to be allocated, +resulting in the inability to allocate PMD-sized shmem, which in turn +affects GPU performance. + +Patryk added: + +: In my tests, the performance drop ranges from a few percent up to 13% +: in Unigine Superposition under heavy memory usage on the CPU Core Ultra +: 155H with the Xe 128 EU GPU. Other users have reported performance +: impact up to 30% on certain workloads. Please find more in the +: regressions reports: +: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14645 +: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13845 +: +: I believe the change should be backported to all active kernel branches +: after version 6.12. + +To fix this issue, we can use the inode's size as a write size hint in +shmem_read_folio_gfp() to help allocate PMD-sized large folios. 
+ +Link: https://lkml.kernel.org/r/f7e64e99a3a87a8144cc6b2f1dddf7a89c12ce44.1753926601.git.baolin.wang@linux.alibaba.com +Fixes: acd7ccb284b8 ("mm: shmem: add large folio support for tmpfs") +Signed-off-by: Baolin Wang +Reported-by: Patryk Kowalczyk +Reported-by: Ville Syrjälä +Tested-by: Patryk Kowalczyk +Suggested-by: Hugh Dickins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/shmem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -5928,8 +5928,8 @@ struct folio *shmem_read_folio_gfp(struc + struct folio *folio; + int error; + +- error = shmem_get_folio_gfp(inode, index, 0, &folio, SGP_CACHE, +- gfp, NULL, NULL); ++ error = shmem_get_folio_gfp(inode, index, i_size_read(inode), ++ &folio, SGP_CACHE, gfp, NULL, NULL); + if (error) + return ERR_PTR(error); + diff --git a/queue-6.16/mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch b/queue-6.16/mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch new file mode 100644 index 0000000000..5026efae39 --- /dev/null +++ b/queue-6.16/mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch 
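Review bot: passing `i_size_read(inode)` as the write-end hint in shmem_read_folio_gfp() affects every caller of this helper, not only i915, so the commit message undersells the scope; it would help to state that any shmem_read_folio_gfp() user on a tmpfs inode whose `huge=` policy allows large orders may now receive PMD-sized folios for reads below i_size. The change itself is consistent with the write()/fallocate() hint described in the message: only the third argument moves from 0 (no hint) to the inode size, and the remaining arguments to shmem_get_folio_gfp() are unchanged.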
@@ -0,0 +1,176 @@ +From 255116c5b0fa2145ede28c2f7b248df5e73834d1 Mon Sep 17 00:00:00 2001 +From: Kemeng Shi +Date: Thu, 22 May 2025 20:25:52 +0800 +Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop + +From: Kemeng Shi + +commit 255116c5b0fa2145ede28c2f7b248df5e73834d1 upstream. + +We use maxpages from read_swap_header() to initialize swap_info_struct, +however the maxpages might be reduced in setup_swap_extents() and the +si->max is assigned with the reduced maxpages from the +setup_swap_extents(). + +Obviously, this could lead to memory waste as we allocated memory based on +larger maxpages, besides, this could lead to a potential deadloop as +following: + +1) When calling setup_clusters() with larger maxpages, unavailable + pages within range [si->max, larger maxpages) are not accounted with + inc_cluster_info_page(). As a result, these pages are assumed + available but can not be allocated. The cluster contains these pages + can be moved to frag_clusters list after it's all available pages were + allocated. + +2) When the cluster mentioned in 1) is the only cluster in + frag_clusters list, cluster_alloc_swap_entry() assume order 0 + allocation will never failed and will enter a deadloop by keep trying + to allocate page from the only cluster in frag_clusters which contains + no actually available page. + +Call setup_swap_extents() to get the final maxpages before +swap_info_struct initialization to fix the issue. + +After this change, span will include badblocks and will become large +value which I think is correct value: +In summary, there are two kinds of swapfile_activate operations. + +1. Filesystem style: Treat all blocks logical continuity and find + usable physical extents in logical range. In this way, si->pages will + be actual usable physical blocks and span will be "1 + highest_block - + lowest_block". + +2. Block device style: Treat all blocks physically continue and only + one single extent is added. 
In this way, si->pages will be si->max and + span will be "si->pages - 1". Actually, si->pages and si->max is only + used in block device style and span value is set with si->pages. As a + result, span value in block device style will become a larger value as + you mentioned. + +I think larger value is correct based on: + +1. Span value in filesystem style is "1 + highest_block - + lowest_block" which is the range cover all possible phisical blocks + including the badblocks. + +2. For block device style, si->pages is the actual usable block number + and is already in pr_info. The original span value before this patch + is also refer to usable block number which is redundant in pr_info. + +[shikemeng@huaweicloud.com: ensure si->pages == si->max - 1 after setup_swap_extents()] + Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com + Link: https://lkml.kernel.org/r/20250718065139.61989-1-shikemeng@huaweicloud.com +Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com +Fixes: 661383c6111a ("mm: swap: relaim the cached parts that got scanned") +Signed-off-by: Kemeng Shi +Reviewed-by: Baoquan He +Cc: Johannes Weiner +Cc: Kairui Song +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/swapfile.c | 53 ++++++++++++++++++++++++++--------------------------- + 1 file changed, 26 insertions(+), 27 deletions(-) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -3141,43 +3141,30 @@ static unsigned long read_swap_header(st + return maxpages; + } + +-static int setup_swap_map_and_extents(struct swap_info_struct *si, +- union swap_header *swap_header, +- unsigned char *swap_map, +- unsigned long maxpages, +- sector_t *span) ++static int setup_swap_map(struct swap_info_struct *si, ++ union swap_header *swap_header, ++ unsigned char *swap_map, ++ unsigned long maxpages) + { +- unsigned int nr_good_pages; + unsigned long i; +- int nr_extents; +- +- nr_good_pages = maxpages - 1; /* omit header page */ + ++ 
swap_map[0] = SWAP_MAP_BAD; /* omit header page */ + for (i = 0; i < swap_header->info.nr_badpages; i++) { + unsigned int page_nr = swap_header->info.badpages[i]; + if (page_nr == 0 || page_nr > swap_header->info.last_page) + return -EINVAL; + if (page_nr < maxpages) { + swap_map[page_nr] = SWAP_MAP_BAD; +- nr_good_pages--; ++ si->pages--; + } + } + +- if (nr_good_pages) { +- swap_map[0] = SWAP_MAP_BAD; +- si->max = maxpages; +- si->pages = nr_good_pages; +- nr_extents = setup_swap_extents(si, span); +- if (nr_extents < 0) +- return nr_extents; +- nr_good_pages = si->pages; +- } +- if (!nr_good_pages) { ++ if (!si->pages) { + pr_warn("Empty swap-file\n"); + return -EINVAL; + } + +- return nr_extents; ++ return 0; + } + + #define SWAP_CLUSTER_INFO_COLS \ +@@ -3217,7 +3204,7 @@ static struct swap_cluster_info *setup_c + * Mark unusable pages as unavailable. The clusters aren't + * marked free yet, so no list operations are involved yet. + * +- * See setup_swap_map_and_extents(): header page, bad pages, ++ * See setup_swap_map(): header page, bad pages, + * and the EOF part of the last cluster. 
+ */ + inc_cluster_info_page(si, cluster_info, 0); +@@ -3363,6 +3350,21 @@ SYSCALL_DEFINE2(swapon, const char __use + goto bad_swap_unlock_inode; + } + ++ si->max = maxpages; ++ si->pages = maxpages - 1; ++ nr_extents = setup_swap_extents(si, &span); ++ if (nr_extents < 0) { ++ error = nr_extents; ++ goto bad_swap_unlock_inode; ++ } ++ if (si->pages != si->max - 1) { ++ pr_err("swap:%u != (max:%u - 1)\n", si->pages, si->max); ++ error = -EINVAL; ++ goto bad_swap_unlock_inode; ++ } ++ ++ maxpages = si->max; ++ + /* OK, set up the swap map and apply the bad block list */ + swap_map = vzalloc(maxpages); + if (!swap_map) { +@@ -3374,12 +3376,9 @@ SYSCALL_DEFINE2(swapon, const char __use + if (error) + goto bad_swap_unlock_inode; + +- nr_extents = setup_swap_map_and_extents(si, swap_header, swap_map, +- maxpages, &span); +- if (unlikely(nr_extents < 0)) { +- error = nr_extents; ++ error = setup_swap_map(si, swap_header, swap_map, maxpages); ++ if (error) + goto bad_swap_unlock_inode; +- } + + /* + * Use kvmalloc_array instead of bitmap_zalloc as the allocation order might diff --git a/queue-6.16/mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch b/queue-6.16/mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch new file mode 100644 index 0000000000..af83038b7c --- /dev/null +++ b/queue-6.16/mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch 
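Review bot: in the setup_swap_map() hunk, `si->pages--` runs for every badpages[] entry below maxpages, so a duplicated entry in the header's bad-page list decrements si->pages twice (the same over-count existed with nr_good_pages before this change, so it is pre-existing rather than introduced); guarding the decrement with `if (swap_map[page_nr] != SWAP_MAP_BAD)` before setting the slot would keep si->pages equal to the real number of usable slots. Note also that the retained range check only rejects page_nr above last_page, so entries in [maxpages, last_page] are now accepted and silently skipped here; any later consumer of badpages[] has to apply the same `< maxpages` filter.

Review bot: in the swapon() hunk, the `maxpages = si->max;` reload after the `si->pages != si->max - 1` check is unexplained: if setup_swap_extents() can shrink si->max for a swapfile whose extents end before the header's last_page, a one-line comment saying that the reduced value is what the following vzalloc(maxpages) and setup_swap_map() must use would make the intent (and the deadloop being avoided) clear to the next reader; if it cannot change si->max, the reload is dead code and should go.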
@@ -0,0 +1,48 @@ +From 152c1339dc13ad46f1b136e8693de15980750835 Mon Sep 17 00:00:00 2001 +From: Kemeng Shi +Date: Thu, 22 May 2025 20:25:53 +0800 +Subject: mm: swap: fix potential buffer overflow in setup_clusters() + +From: Kemeng Shi + +commit 152c1339dc13ad46f1b136e8693de15980750835 upstream. + +In setup_swap_map(), we only ensure badpages are in range (0, last_page]. +As maxpages might be < last_page, setup_clusters() will encounter a buffer +overflow when a badpage is >= maxpages. + +Only call inc_cluster_info_page() for badpage which is < maxpages to fix +the issue. + +Link: https://lkml.kernel.org/r/20250522122554.12209-4-shikemeng@huaweicloud.com +Fixes: b843786b0bd0 ("mm: swapfile: fix SSD detection with swapfile on btrfs") +Signed-off-by: Kemeng Shi +Reviewed-by: Baoquan He +Cc: Johannes Weiner +Cc: Kairui Song +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/swapfile.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -3208,9 +3208,13 @@ static struct swap_cluster_info *setup_c + * and the EOF part of the last cluster. + */ + inc_cluster_info_page(si, cluster_info, 0); +- for (i = 0; i < swap_header->info.nr_badpages; i++) +- inc_cluster_info_page(si, cluster_info, +- swap_header->info.badpages[i]); ++ for (i = 0; i < swap_header->info.nr_badpages; i++) { ++ unsigned int page_nr = swap_header->info.badpages[i]; ++ ++ if (page_nr >= maxpages) ++ continue; ++ inc_cluster_info_page(si, cluster_info, page_nr); ++ } + for (i = maxpages; i < round_up(maxpages, SWAPFILE_CLUSTER); i++) + inc_cluster_info_page(si, cluster_info, i); + diff --git a/queue-6.16/mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch b/queue-6.16/mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch new file mode 100644 index 0000000000..0fab60620e --- /dev/null 
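Review bot: the setup_clusters() hunk skips bad pages at or above maxpages, which agrees with the `page_nr < maxpages` guard applied when the swap map is filled, and nothing is lost by skipping because the loop directly below already marks every slot from maxpages up to the cluster boundary as unusable. The remaining gap is duplicate entries in badpages[], which still call inc_cluster_info_page() twice for the same slot; worth checking whether that can push a cluster's count past the number of pages it actually holds, and if so filtering on the swap map (or deduplicating once, up front) instead of the raw header array.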
+++ b/queue-6.16/mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch 
@@ -0,0 +1,58 @@ +From 4f78252da887ee7e9d1875dd6e07d9baa936c04f Mon Sep 17 00:00:00 2001 +From: Kemeng Shi +Date: Thu, 22 May 2025 20:25:51 +0800 +Subject: mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc() + +From: Kemeng Shi + +commit 4f78252da887ee7e9d1875dd6e07d9baa936c04f upstream. + +Patch series "Some random fixes and cleanups to swapfile". + +Patch 0-3 are some random fixes. Patch 4 is a cleanup. More details can +be found in respective patches. + + +This patch (of 4): + +When folio_alloc_swap() encounters a failure in either +mem_cgroup_try_charge_swap() or add_to_swap_cache(), nr_swap_pages counter +is not decremented for allocated entry. However, the following +put_swap_folio() will increase nr_swap_pages counter unpaired and lead to +an imbalance. + +Move nr_swap_pages decrement from folio_alloc_swap() to swap_range_alloc() +to pair the nr_swap_pages counting. + +Link: https://lkml.kernel.org/r/20250522122554.12209-1-shikemeng@huaweicloud.com +Link: https://lkml.kernel.org/r/20250522122554.12209-2-shikemeng@huaweicloud.com +Fixes: 0ff67f990bd4 ("mm, swap: remove swap slot cache") +Signed-off-by: Kemeng Shi +Reviewed-by: Kairui Song +Reviewed-by: Baoquan He +Cc: Johannes Weiner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/swapfile.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -1115,6 +1115,7 @@ static void swap_range_alloc(struct swap + if (vm_swap_full()) + schedule_work(&si->reclaim_work); + } ++ atomic_long_sub(nr_entries, &nr_swap_pages); + } + + static void swap_range_free(struct swap_info_struct *si, unsigned long offset, +@@ -1313,7 +1314,6 @@ int folio_alloc_swap(struct folio *folio + if (add_to_swap_cache(folio, entry, gfp | __GFP_NOMEMALLOC, NULL)) + goto out_free; + +- atomic_long_sub(size, &nr_swap_pages); + return 0; + + out_free: 
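Review bot: in the swap_range_alloc() hunk the new `atomic_long_sub(nr_entries, &nr_swap_pages)` sits after the `vm_swap_full()` check, so the decision to schedule reclaim_work is taken on the pre-allocation count; if vm_swap_full() is computed from nr_swap_pages, moving the decrement ahead of that check would make the two agree. Separately, only the folio_alloc_swap() caller is visible in the second hunk; confirm that no other caller of swap_range_alloc() was already subtracting from nr_swap_pages itself, otherwise the move turns a missed decrement on one path into a double decrement on another.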
diff --git a/queue-6.16/perf-arm-ni-set-initial-irq-affinity.patch b/queue-6.16/perf-arm-ni-set-initial-irq-affinity.patch new file mode 100644 index 0000000000..661d8aaa09 --- /dev/null +++ b/queue-6.16/perf-arm-ni-set-initial-irq-affinity.patch @@ -0,0 +1,34 @@ +From c872d7c837382517c51a76dfdcf550332cfab231 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Tue, 13 May 2025 16:38:58 +0100 +Subject: perf/arm-ni: Set initial IRQ affinity + +From: Robin Murphy + +commit c872d7c837382517c51a76dfdcf550332cfab231 upstream. + +While we do request our IRQs with the right flags to stop their affinity +changing unexpectedly, we forgot to actually set it to start with. Oops. + +Cc: stable@vger.kernel.org +Fixes: 4d5a7680f2b4 ("perf: Add driver for Arm NI-700 interconnect PMU") +Signed-off-by: Robin Murphy +Tested-by: Shouping Wang +Link: https://lore.kernel.org/r/614ced9149ee8324e58930862bd82cbf46228d27.1747149165.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + drivers/perf/arm-ni.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/perf/arm-ni.c ++++ b/drivers/perf/arm-ni.c +@@ -544,6 +544,8 @@ static int arm_ni_init_cd(struct arm_ni + return err; + + cd->cpu = cpumask_local_spread(0, dev_to_node(ni->dev)); ++ irq_set_affinity(cd->irq, cpumask_of(cd->cpu)); ++ + cd->pmu = (struct pmu) { + .module = THIS_MODULE, + .parent = ni->dev, diff --git a/queue-6.16/platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch b/queue-6.16/platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch new file mode 100644 index 0000000000..5ec2cf59b6 --- /dev/null +++ b/queue-6.16/platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch 
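Review bot: the arm_ni_init_cd() hunk discards the return value of irq_set_affinity(); it can fail, and then the IRQ keeps whatever affinity it had while cd->cpu (set on the line above) claims otherwise, which is exactly the mismatch the IRQ request flags mentioned in the commit message are meant to prevent. Either propagate it like the `return err` earlier in this function or at least emit a dev_warn() so the discrepancy is visible in logs.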
@@ -0,0 +1,79 @@ +From 54d5cd4719c5e87f33d271c9ac2e393147d934f8 Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Sun, 13 Jul 2025 13:29:31 -0400 +Subject: platform/x86/intel/pmt: fix a crashlog NULL pointer access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael J. Ruhl + +commit 54d5cd4719c5e87f33d271c9ac2e393147d934f8 upstream. + +Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The +current use of the endpoint value is only valid for telemetry endpoint +usage. + +Without the ep, the crashlog usage causes the following NULL pointer +exception: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +Oops: Oops: 0000 [#1] SMP NOPTI +RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] +Code: +Call Trace: + + ? sysfs_kf_bin_read+0xc0/0xe0 + kernfs_fop_read_iter+0xac/0x1a0 + vfs_read+0x26d/0x350 + ksys_read+0x6b/0xe0 + __x64_sys_read+0x1d/0x30 + x64_sys_call+0x1bc8/0x1d70 + do_syscall_64+0x6d/0x110 + +Augment struct intel_pmt_entry with a pointer to the pcidev to avoid +the NULL pointer exception. + +Fixes: 045a513040cc ("platform/x86/intel/pmt: Use PMT callbacks") +Cc: stable@vger.kernel.org +Reviewed-by: David E. Box +Reviewed-by: Tejas Upadhyay +Signed-off-by: Michael J. 
Ruhl +Link: https://lore.kernel.org/r/20250713172943.7335-2-michael.j.ruhl@intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel/pmt/class.c | 3 ++- + drivers/platform/x86/intel/pmt/class.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/platform/x86/intel/pmt/class.c ++++ b/drivers/platform/x86/intel/pmt/class.c +@@ -97,7 +97,7 @@ intel_pmt_read(struct file *filp, struct + if (count > entry->size - off) + count = entry->size - off; + +- count = pmt_telem_read_mmio(entry->ep->pcidev, entry->cb, entry->header.guid, buf, ++ count = pmt_telem_read_mmio(entry->pcidev, entry->cb, entry->header.guid, buf, + entry->base, off, count); + + return count; +@@ -252,6 +252,7 @@ static int intel_pmt_populate_entry(stru + return -EINVAL; + } + ++ entry->pcidev = pci_dev; + entry->guid = header->guid; + entry->size = header->size; + entry->cb = ivdev->priv_data; +--- a/drivers/platform/x86/intel/pmt/class.h ++++ b/drivers/platform/x86/intel/pmt/class.h +@@ -39,6 +39,7 @@ struct intel_pmt_header { + + struct intel_pmt_entry { + struct telem_endpoint *ep; ++ struct pci_dev *pcidev; + struct intel_pmt_header header; + struct bin_attribute pmt_bin_attr; + struct kobject *kobj; diff --git a/queue-6.16/s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch b/queue-6.16/s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch new file mode 100644 index 0000000000..d5527ff524 --- /dev/null +++ b/queue-6.16/s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch 
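Review bot: in the class.c hunk for intel_pmt_populate_entry(), `entry->pcidev = pci_dev` is assigned only after the `return -EINVAL` above it, and intel_pmt_read() now dereferences entry->pcidev unconditionally; a `if (!entry->pcidev) return -ENODEV;` (or equivalent) at the top of intel_pmt_read() would turn any entry created without the field set into a clean error instead of a repeat of the reported NULL dereference. With the read path no longer touching entry->ep, the class.h hunk would benefit from a short comment on struct intel_pmt_entry saying that `ep` is only valid for telemetry entries while `pcidev` is set for all of them.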
@@ -0,0 +1,56 @@ +From 5647f61ad9171e8f025558ed6dc5702c56a33ba3 Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Wed, 9 Jul 2025 20:34:30 +0200 +Subject: s390/mm: Remove possible false-positive warning in pte_free_defer() + +From: Gerald Schaefer + +commit 5647f61ad9171e8f025558ed6dc5702c56a33ba3 upstream. + +Commit 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing +page") added a warning to pte_free_defer(), on our request. It was meant +to warn if this would ever be reached for KVM guest mappings, because +the page table would be freed w/o a gmap_unlink(). THP mappings are not +allowed for KVM guests on s390, so this should never happen. + +However, it is possible that the warning is triggered in a valid case as +false-positive. + +s390_enable_sie() takes the mmap_lock, marks all VMAs as VM_NOHUGEPAGE and +splits possibly existing THP guest mappings. mm->context.has_pgste is set +to 1 before that, to prevent races with the mm_has_pgste() check in +MADV_HUGEPAGE. + +khugepaged drops the mmap_lock for file mappings and might run in parallel, +before a vma is marked VM_NOHUGEPAGE, but after mm->context.has_pgste was +set to 1. If it finds file mappings to collapse, it will eventually call +pte_free_defer(). This will trigger the warning, but it is a valid case +because gmap is not yet set up, and the THP mappings will be split again. + +Therefore, remove the warning and the comment. 
+ +Fixes: 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing page") +Cc: # 6.6+ +Reviewed-by: Alexander Gordeev +Reviewed-by: Claudio Imbrenda +Signed-off-by: Gerald Schaefer +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/mm/pgalloc.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/arch/s390/mm/pgalloc.c ++++ b/arch/s390/mm/pgalloc.c +@@ -173,11 +173,6 @@ void pte_free_defer(struct mm_struct *mm + struct ptdesc *ptdesc = virt_to_ptdesc(pgtable); + + call_rcu(&ptdesc->pt_rcu_head, pte_free_now); +- /* +- * THPs are not allowed for KVM guests. Warn if pgste ever reaches here. +- * Turn to the generic pte_free_defer() version once gmap is removed. +- */ +- WARN_ON_ONCE(mm_has_pgste(mm)); + } + #endif /* CONFIG_TRANSPARENT_HUGEPAGE */ + diff --git a/queue-6.16/series b/queue-6.16/series index ba25b1f997..2e87c18359 100644 --- a/queue-6.16/series +++ b/queue-6.16/series 
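Review bot: the pgalloc.c hunk removes the whole comment together with the WARN_ON_ONCE(), but its second sentence ("Turn to the generic pte_free_defer() version once gmap is removed") records a follow-up that is still valid independent of the warning; suggest keeping that line. A one-line note that a pgste mm can legitimately reach here during the s390_enable_sie()/khugepaged window described in the commit message would also stop a later reader from reinstating the check.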
@@ -593,3 +593,33 @@ usb-serial-option-add-foxconn-t99w709.patch bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch net-usbnet-fix-the-wrong-netif_carrier_on-call.patch +x86-sev-evict-cache-lines-during-snp-memory-validation.patch +alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch +alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch +alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch +alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch +alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch +platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch +x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch +kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch +kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch +kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch +kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch +kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch +zloop-fix-kasan-use-after-free-of-tag-set.patch +s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch +mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch +mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch +mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch +mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch +mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch +mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch +usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch +perf-arm-ni-set-initial-irq-affinity.patch +media-ti-j721e-csi2rx-fix-list_del-corruption.patch +hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch 
+usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch +hid-core-harden-s32ton-against-conversion-to-0-bits.patch +hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch +hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch +usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch diff --git a/queue-6.16/usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch b/queue-6.16/usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch new file mode 100644 index 0000000000..0e308629a5 --- /dev/null +++ b/queue-6.16/usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch 
@@ -0,0 +1,56 @@ +From 62783c30d78aecf9810dae46fd4d11420ad38b74 Mon Sep 17 00:00:00 2001 +From: Yuhao Jiang +Date: Mon, 23 Jun 2025 17:48:44 +0800 +Subject: USB: gadget: f_hid: Fix memory leak in hidg_bind error path + +From: Yuhao Jiang + +commit 62783c30d78aecf9810dae46fd4d11420ad38b74 upstream. + +In hidg_bind(), if alloc_workqueue() fails after usb_assign_descriptors() +has successfully allocated the USB descriptors, the current error handling +does not call usb_free_all_descriptors() to free the allocated descriptors, +resulting in a memory leak. + +Restructure the error handling by adding proper cleanup labels: +- fail_free_all: cleans up workqueue and descriptors +- fail_free_descs: cleans up descriptors only +- fail: original cleanup for earlier failures + +This ensures that allocated resources are properly freed in reverse order +of their allocation, preventing the memory leak when alloc_workqueue() fails. + +Fixes: a139c98f760ef ("USB: gadget: f_hid: Add GET_REPORT via userspace IOCTL") +Cc: stable@vger.kernel.org +Signed-off-by: Yuhao Jiang +Link: https://lore.kernel.org/r/20250623094844.244977-1-danisjiang@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_hid.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/function/f_hid.c ++++ b/drivers/usb/gadget/function/f_hid.c +@@ -1278,18 +1278,19 @@ static int hidg_bind(struct usb_configur + + if (!hidg->workqueue) { + status = -ENOMEM; +- goto fail; ++ goto fail_free_descs; + } + + /* create char device */ + cdev_init(&hidg->cdev, &f_hidg_fops); + status = cdev_device_add(&hidg->cdev, &hidg->dev); + if (status) +- goto fail_free_descs; ++ goto fail_free_all; + + return 0; +-fail_free_descs: ++fail_free_all: + destroy_workqueue(hidg->workqueue); ++fail_free_descs: + usb_free_all_descriptors(f); + fail: + ERROR(f->config->cdev, "hidg_bind FAILED\n"); 
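Review bot: the hidg_bind() hunk orders the new labels correctly (fail_free_all destroys the workqueue and falls through to fail_free_descs, which falls through to fail), and the alloc_workqueue() failure now reaches usb_free_all_descriptors(). Not visible in the hunk but worth confirming: after a bind failure hidg->workqueue is either NULL (alloc failed) or already destroyed via fail_free_all, so any unbind or free callback the gadget core runs afterwards must not call destroy_workqueue() on it again.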
diff --git a/queue-6.16/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch b/queue-6.16/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch new file mode 100644 index 0000000000..ff7159db48 --- /dev/null +++ b/queue-6.16/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch 
@@ -0,0 +1,51 @@ +From 151c0aa896c47a4459e07fee7d4843f44c1bb18e Mon Sep 17 00:00:00 2001 +From: Tao Xue +Date: Mon, 21 Jul 2025 17:39:08 +0800 +Subject: usb: gadget : fix use-after-free in composite_dev_cleanup() + +From: Tao Xue + +commit 151c0aa896c47a4459e07fee7d4843f44c1bb18e upstream. + +1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): +if kmalloc fails, the pointer cdev->os_desc_req will be freed but not +set to NULL. Then it will return a failure to the upper-level function. +2. in func configfs_composite_bind() -> composite_dev_cleanup(): +it will check whether cdev->os_desc_req is NULL. If it is not NULL, it +will attempt to use it. This will lead to a use-after-free issue. + +BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0 +Read of size 8 at addr 0000004827837a00 by task init/1 + +CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1 + kasan_report+0x188/0x1cc + __asan_load8+0xb4/0xbc + composite_dev_cleanup+0xf4/0x2c0 + configfs_composite_bind+0x210/0x7ac + udc_bind_to_driver+0xb4/0x1ec + usb_gadget_probe_driver+0xec/0x21c + gadget_dev_desc_UDC_store+0x264/0x27c + +Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support") +Cc: stable +Signed-off-by: Tao Xue +Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -2489,6 +2489,11 @@ int composite_os_desc_req_prepare(struct + if (!cdev->os_desc_req->buf) { + ret = -ENOMEM; + usb_ep_free_request(ep0, cdev->os_desc_req); ++ /* ++ * Set os_desc_req to NULL so that composite_dev_cleanup() ++ * will not try to free it again. ++ */ ++ cdev->os_desc_req = NULL; + goto end; + } + cdev->os_desc_req->context = cdev; 
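Review bot: the composite_os_desc_req_prepare() hunk fixes the one free site in view, but the invariant it relies on (cdev->os_desc_req non-NULL means the request and its buf are both live) should hold at every place that frees the request; if composite_dev_cleanup() frees os_desc_req itself, it should clear the pointer as well so a second cleanup on the same cdev is harmless. The added comment could also say that the request is freed here because its buf allocation failed, so the reason for the early free is obvious without reading the condition above.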
diff --git a/queue-6.16/usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch b/queue-6.16/usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch new file mode 100644 index 0000000000..fc3885cc56 --- /dev/null +++ b/queue-6.16/usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch 
@@ -0,0 +1,109 @@ +From 323a80a1a5ace319a722909c006d5bdb2a35d273 Mon Sep 17 00:00:00 2001 +From: Akash Kumar +Date: Fri, 18 Jul 2025 14:21:38 +0530 +Subject: usb: gadget: uvc: Initialize frame-based format color matching descriptor + +From: Akash Kumar + +commit 323a80a1a5ace319a722909c006d5bdb2a35d273 upstream. + +Fix NULL pointer crash in uvcg_framebased_make due to uninitialized color +matching descriptor for frame-based format which was added in +commit f5e7bdd34aca ("usb: gadget: uvc: Allow creating new color matching +descriptors") that added handling for uncompressed and mjpeg format. + +Crash is seen when userspace configuration (via configfs) does not +explicitly define the color matching descriptor. If color_matching is not +found, config_group_find_item() returns NULL. The code then jumps to +out_put_cm, where it calls config_item_put(color_matching);. If +color_matching is NULL, this will dereference a null pointer, leading to a +crash. + +[ 2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c +[ 2.756273] Mem abort info: +[ 2.760080] ESR = 0x0000000096000005 +[ 2.764872] EC = 0x25: DABT (current EL), IL = 32 bits +[ 2.771068] SET = 0, FnV = 0 +[ 2.771069] EA = 0, S1PTW = 0 +[ 2.771070] FSC = 0x05: level 1 translation fault +[ 2.771071] Data abort info: +[ 2.771072] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 +[ 2.771073] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 2.771074] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000 +[ 2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 +[ 2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP +[ 2.771084] Dumping ftrace buffer: +[ 2.771085] (ftrace buffer empty) +[ 2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G W E 6.6.58-android15 +[ 2.771139] Hardware name: Qualcomm Technologies, Inc. 
SunP QRD HDK (DT) +[ 2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) +[ 2.771141] pc : __uvcg_fill_strm+0x198/0x2cc +[ 2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c +[ 2.771146] sp : ffffffc08140bbb0 +[ 2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250 +[ 2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768 +[ 2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48 +[ 2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00 +[ 2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250 +[ 2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615 +[ 2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0 +[ 2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a +[ 2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000 +[ 2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000 +[ 2.771156] Call trace: +[ 2.771157] __uvcg_fill_strm+0x198/0x2cc +[ 2.771157] __uvcg_iter_strm_cls+0xc8/0x17c +[ 2.771158] uvcg_streaming_class_allow_link+0x240/0x290 +[ 2.771159] configfs_symlink+0x1f8/0x630 +[ 2.771161] vfs_symlink+0x114/0x1a0 +[ 2.771163] do_symlinkat+0x94/0x28c +[ 2.771164] __arm64_sys_symlinkat+0x54/0x70 +[ 2.771164] invoke_syscall+0x58/0x114 +[ 2.771166] el0_svc_common+0x80/0xe0 +[ 2.771168] do_el0_svc+0x1c/0x28 +[ 2.771169] el0_svc+0x3c/0x70 +[ 2.771172] el0t_64_sync_handler+0x68/0xbc +[ 2.771173] el0t_64_sync+0x1a8/0x1ac + +Initialize color matching descriptor for frame-based format to prevent +NULL pointer crash by mirroring the handling done for uncompressed and +mjpeg formats. 
+ +Fixes: 7b5a58952fc3 ("usb: gadget: uvc: configfs: Add frame-based frame format support") +Cc: stable +Signed-off-by: Akash Kumar +Link: https://lore.kernel.org/r/20250718085138.1118788-1-quic_akakum@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/uvc_configfs.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/usb/gadget/function/uvc_configfs.c ++++ b/drivers/usb/gadget/function/uvc_configfs.c +@@ -2916,8 +2916,15 @@ static struct config_group *uvcg_frameba + 'H', '2', '6', '4', 0x00, 0x00, 0x10, 0x00, + 0x80, 0x00, 0x00, 0xaa, 0x00, 0x38, 0x9b, 0x71 + }; ++ struct uvcg_color_matching *color_match; ++ struct config_item *streaming; + struct uvcg_framebased *h; + ++ streaming = group->cg_item.ci_parent; ++ color_match = uvcg_format_get_default_color_match(streaming); ++ if (!color_match) ++ return ERR_PTR(-EINVAL); ++ + h = kzalloc(sizeof(*h), GFP_KERNEL); + if (!h) + return ERR_PTR(-ENOMEM); +@@ -2936,6 +2943,9 @@ static struct config_group *uvcg_frameba + + INIT_LIST_HEAD(&h->fmt.frames); + h->fmt.type = UVCG_FRAMEBASED; ++ ++ h->fmt.color_matching = color_match; ++ color_match->refcnt++; + config_group_init_type_name(&h->fmt.group, name, + &uvcg_framebased_type); + diff --git a/queue-6.16/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch b/queue-6.16/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch new file mode 100644 index 0000000000..cb62a7bbde --- /dev/null +++ b/queue-6.16/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch 
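Review bot: in the uvcg_framebased_make() hunks the default colour-matching lookup happens before kzalloc(), so a kzalloc() failure returns without having touched color_match->refcnt, which is the right order; but `color_match->refcnt++` in the second hunk is a plain increment and therefore depends on the configfs subsystem mutex being held for the whole make() call, as the uncompressed and mjpeg variants this mirrors must also assume. The matching decrement when a frame-based format is dropped is not in this diff; confirm the release path does it, otherwise the default descriptor's refcnt only ever grows.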
@@ -0,0 +1,57 @@ +From 1cec9ac2d071cfd2da562241aab0ef701355762a Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Tue, 24 Jun 2025 14:01:48 -0700 +Subject: x86/fpu: Delay instruction pointer fixup until after warning + +From: Dave Hansen + +commit 1cec9ac2d071cfd2da562241aab0ef701355762a upstream. + +Right now, if XRSTOR fails a console message like this is be printed: + + Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers. + +However, the text location (...+0x9a in this case) is the instruction +*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump +also points one instruction late. + +The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and +keep on running after returning from the #GP handler. But it does this +fixup before warning. + +The resulting warning output is nonsensical because it looks like the +non-FPU-related instruction is #GP'ing. + +Do not fix up RIP until after printing the warning. Do this by using +the more generic and standard ex_handler_default(). 
+ +Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails") +Signed-off-by: Dave Hansen +Reviewed-by: Chao Gao +Acked-by: Alison Schofield +Acked-by: Peter Zijlstra (Intel) +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/extable.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/x86/mm/extable.c ++++ b/arch/x86/mm/extable.c +@@ -122,13 +122,12 @@ static bool ex_handler_sgx(const struct + static bool ex_handler_fprestore(const struct exception_table_entry *fixup, + struct pt_regs *regs) + { +- regs->ip = ex_fixup_addr(fixup); +- + WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.", + (void *)instruction_pointer(regs)); + + fpu_reset_from_exception_fixup(); +- return true; ++ ++ return ex_handler_default(fixup, regs); + } + + /* diff --git a/queue-6.16/x86-sev-evict-cache-lines-during-snp-memory-validation.patch b/queue-6.16/x86-sev-evict-cache-lines-during-snp-memory-validation.patch new file mode 100644 index 0000000000..34f5fcb079 --- /dev/null +++ b/queue-6.16/x86-sev-evict-cache-lines-during-snp-memory-validation.patch 
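Review bot: the ex_handler_fprestore() hunk now formats %pB before regs->ip is advanced, so the warning and the Code: dump land on the faulting XRSTOR, and ex_handler_default() preserves the old fixup-and-continue behaviour of the removed `regs->ip = ex_fixup_addr(fixup); return true;`. Since the ordering (warn, reset FPU state, then fix up RIP) is the whole point, a one-line comment above WARN_ONCE() saying that RIP must still point at the faulting instruction here would keep someone from "tidying" the fixup back to the top.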
@@ -0,0 +1,164 @@ +From 222ae1ca139e0ffac8d11cc57b429b1bff4d60f0 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Wed, 30 Jul 2025 09:12:37 -0500 +Subject: x86/sev: Evict cache lines during SNP memory validation + +From: Tom Lendacky + +Commit 7b306dfa326f70114312b320d083b21fa9481e1e upstream. + +An SNP cache coherency vulnerability requires a cache line eviction +mitigation when validating memory after a page state change to private. +The specific mitigation is to touch the first and last byte of each 4K +page that is being validated. There is no need to perform the mitigation +when performing a page state change to shared and rescinding validation. + +CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit that, +when set, indicates that the software mitigation for this vulnerability is +not needed. + +Implement the mitigation and invoke it when validating memory (making it +private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP guest +is vulnerable. + +Co-developed-by: Michael Roth +Signed-off-by: Michael Roth +Signed-off-by: Tom Lendacky +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/cpuflags.c | 13 +++++++++++++ + arch/x86/boot/startup/sev-shared.c | 7 +++++++ + arch/x86/coco/sev/core.c | 21 +++++++++++++++++++++ + arch/x86/include/asm/cpufeatures.h | 1 + + arch/x86/include/asm/sev.h | 19 +++++++++++++++++++ + arch/x86/kernel/cpu/scattered.c | 1 + + 6 files changed, 62 insertions(+) + +--- a/arch/x86/boot/cpuflags.c ++++ b/arch/x86/boot/cpuflags.c +@@ -106,5 +106,18 @@ void get_cpuflags(void) + cpuid(0x80000001, &ignored, &ignored, &cpu.flags[6], + &cpu.flags[1]); + } ++ ++ if (max_amd_level >= 0x8000001f) { ++ u32 ebx; ++ ++ /* ++ * The X86_FEATURE_COHERENCY_SFW_NO feature bit is in ++ * the virtualization flags entry (word 8) and set by ++ * scattered.c, so the bit needs to be explicitly set. 
++ */ ++ cpuid(0x8000001f, &ignored, &ebx, &ignored, &ignored); ++ if (ebx & BIT(31)) ++ set_bit(X86_FEATURE_COHERENCY_SFW_NO, cpu.flags); ++ } + } + } +--- a/arch/x86/boot/startup/sev-shared.c ++++ b/arch/x86/boot/startup/sev-shared.c +@@ -810,6 +810,13 @@ static void __head pvalidate_4k_page(uns + if (ret) + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE); + } ++ ++ /* ++ * If validating memory (making it private) and affected by the ++ * cache-coherency vulnerability, perform the cache eviction mitigation. ++ */ ++ if (validate && !has_cpuflag(X86_FEATURE_COHERENCY_SFW_NO)) ++ sev_evict_cache((void *)vaddr, 1); + } + + /* +--- a/arch/x86/coco/sev/core.c ++++ b/arch/x86/coco/sev/core.c +@@ -358,10 +358,31 @@ static void svsm_pval_pages(struct snp_p + + static void pvalidate_pages(struct snp_psc_desc *desc) + { ++ struct psc_entry *e; ++ unsigned int i; ++ + if (snp_vmpl) + svsm_pval_pages(desc); + else + pval_pages(desc); ++ ++ /* ++ * If not affected by the cache-coherency vulnerability there is no need ++ * to perform the cache eviction mitigation. ++ */ ++ if (cpu_feature_enabled(X86_FEATURE_COHERENCY_SFW_NO)) ++ return; ++ ++ for (i = 0; i <= desc->hdr.end_entry; i++) { ++ e = &desc->entries[i]; ++ ++ /* ++ * If validating memory (making it private) perform the cache ++ * eviction mitigation. ++ */ ++ if (e->operation == SNP_PAGE_STATE_PRIVATE) ++ sev_evict_cache(pfn_to_kaddr(e->gfn), e->pagesize ? 
512 : 1); ++ } + } + + static int vmgexit_psc(struct ghcb *ghcb, struct snp_psc_desc *desc) +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -218,6 +218,7 @@ + #define X86_FEATURE_FLEXPRIORITY ( 8*32+ 1) /* "flexpriority" Intel FlexPriority */ + #define X86_FEATURE_EPT ( 8*32+ 2) /* "ept" Intel Extended Page Table */ + #define X86_FEATURE_VPID ( 8*32+ 3) /* "vpid" Intel Virtual Processor ID */ ++#define X86_FEATURE_COHERENCY_SFW_NO ( 8*32+ 4) /* SNP cache coherency software work around not needed */ + + #define X86_FEATURE_VMMCALL ( 8*32+15) /* "vmmcall" Prefer VMMCALL to VMCALL */ + #define X86_FEATURE_XENPV ( 8*32+16) /* Xen paravirtual guest */ +--- a/arch/x86/include/asm/sev.h ++++ b/arch/x86/include/asm/sev.h +@@ -621,6 +621,24 @@ int rmp_make_shared(u64 pfn, enum pg_lev + void snp_leak_pages(u64 pfn, unsigned int npages); + void kdump_sev_callback(void); + void snp_fixup_e820_tables(void); ++ ++static inline void sev_evict_cache(void *va, int npages) ++{ ++ volatile u8 val __always_unused; ++ u8 *bytes = va; ++ int page_idx; ++ ++ /* ++ * For SEV guests, a read from the first/last cache-lines of a 4K page ++ * using the guest key is sufficient to cause a flush of all cache-lines ++ * associated with that 4K page without incurring all the overhead of a ++ * full CLFLUSH sequence. 
++ */ ++ for (page_idx = 0; page_idx < npages; page_idx++) { ++ val = bytes[page_idx * PAGE_SIZE]; ++ val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; ++ } ++} + #else + static inline bool snp_probe_rmptable_info(void) { return false; } + static inline int snp_rmptable_init(void) { return -ENOSYS; } +@@ -636,6 +654,7 @@ static inline int rmp_make_shared(u64 pf + static inline void snp_leak_pages(u64 pfn, unsigned int npages) {} + static inline void kdump_sev_callback(void) { } + static inline void snp_fixup_e820_tables(void) {} ++static inline void sev_evict_cache(void *va, int npages) {} + #endif + + #endif +--- a/arch/x86/kernel/cpu/scattered.c ++++ b/arch/x86/kernel/cpu/scattered.c +@@ -48,6 +48,7 @@ static const struct cpuid_bit cpuid_bits + { X86_FEATURE_PROC_FEEDBACK, CPUID_EDX, 11, 0x80000007, 0 }, + { X86_FEATURE_AMD_FAST_CPPC, CPUID_EDX, 15, 0x80000007, 0 }, + { X86_FEATURE_MBA, CPUID_EBX, 6, 0x80000008, 0 }, ++ { X86_FEATURE_COHERENCY_SFW_NO, CPUID_EBX, 31, 0x8000001f, 0 }, + { X86_FEATURE_SMBA, CPUID_EBX, 2, 0x80000020, 0 }, + { X86_FEATURE_BMEC, CPUID_EBX, 3, 0x80000020, 0 }, + { X86_FEATURE_TSA_SQ_NO, CPUID_ECX, 1, 0x80000021, 0 }, diff --git a/queue-6.16/zloop-fix-kasan-use-after-free-of-tag-set.patch b/queue-6.16/zloop-fix-kasan-use-after-free-of-tag-set.patch new file mode 100644 index 0000000000..8fa7680cb1 --- /dev/null +++ b/queue-6.16/zloop-fix-kasan-use-after-free-of-tag-set.patch 
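Review bot: in the sev-shared.c pvalidate_4k_page() hunk, the new `has_cpuflag(X86_FEATURE_COHERENCY_SFW_NO)` test is only meaningful if the boot-time CPUID scan in the first hunk (leaf 0x8000001f, EBX bit 31) has already run before the first page is validated; a one-line comment stating that ordering dependency next to the eviction call would save the next reader from having to verify it.

Review bot: in the sev/core.c pvalidate_pages() hunk, `e->pagesize ? 512 : 1` hard-codes the number of 4K pages in a 2M entry; `PTRS_PER_PMD` (or `PMD_SIZE / PAGE_SIZE`) with a short comment that a set `pagesize` bit means a 2M page would make the intent explicit and keep it consistent with the rest of the SNP PSC code.

Review bot: in the cpufeatures.h hunk, the new `X86_FEATURE_COHERENCY_SFW_NO` comment carries no quoted flag name, unlike its neighbours (`"flexpriority"`, `"ept"`, `"vpid"`), so under this file's convention the bit is not exposed in /proc/cpuinfo; if that is deliberate, the commit message should say so, otherwise add a name.

Review bot: in the sev.h hunk, sev_evict_cache() relies on assigning each load to the `volatile u8 val` local to keep the compiler from eliding the reads of the first and last byte of every page; the comment explains the hardware side (first/last cache line read triggers the flush) but not this software side, and a sentence on why `volatile` is required would prevent a later "cleanup" from dropping it. The matching empty stub in the `#else` branch is correctly added so callers compile without CONFIG_AMD_MEM_ENCRYPT.

Review bot: in the scattered.c hunk, the `{ X86_FEATURE_COHERENCY_SFW_NO, CPUID_EBX, 31, 0x8000001f, 0 }` entry duplicates the leaf/register/bit check done by hand in the boot cpuflags hunk; the two must stay in sync, so a cross-reference comment in both places (or a shared define for the bit) is worth adding.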
@@ -0,0 +1,65 @@ +From 765761851d89c772f482494d452e266795460278 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Thu, 31 Jul 2025 20:07:45 +0900 +Subject: zloop: fix KASAN use-after-free of tag set + +From: Shin'ichiro Kawasaki + +commit 765761851d89c772f482494d452e266795460278 upstream. + +When a zoned loop device, or zloop device, is removed, KASAN enabled +kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The +BUG happens because zloop_ctl_remove() calls put_disk(), which invokes +zloop_free_disk(). The zloop_free_disk() frees the memory allocated for +the zlo pointer. However, after the memory is freed, zloop_ctl_remove() +calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. +Hence the KASAN use-after-free. + + zloop_ctl_remove() + put_disk(zlo->disk) + put_device() + kobject_put() + ... + zloop_free_disk() + kvfree(zlo) + blk_mq_free_tag_set(&zlo->tag_set) + +To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) +from zloop_ctl_remove() into zloop_free_disk(). This ensures that +the tag_set is freed before the call to kvfree(zlo). 
+ +Fixes: eb0570c7df23 ("block: new zoned loop block device driver") +CC: stable@vger.kernel.org +Signed-off-by: Shin'ichiro Kawasaki +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250731110745.165751-1-shinichiro.kawasaki@wdc.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/zloop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/zloop.c b/drivers/block/zloop.c +index 553b1a713ab9..a423228e201b 100644 +--- a/drivers/block/zloop.c ++++ b/drivers/block/zloop.c +@@ -700,6 +700,8 @@ static void zloop_free_disk(struct gendisk *disk) + struct zloop_device *zlo = disk->private_data; + unsigned int i; + ++ blk_mq_free_tag_set(&zlo->tag_set); ++ + for (i = 0; i < zlo->nr_zones; i++) { + struct zloop_zone *zone = &zlo->zones[i]; + +@@ -1080,7 +1082,6 @@ static int zloop_ctl_remove(struct zloop_options *opts) + + del_gendisk(zlo->disk); + put_disk(zlo->disk); +- blk_mq_free_tag_set(&zlo->tag_set); + + pr_info("Removed device %d\n", opts->id); + +-- +2.50.1 +
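Review bot: in the zloop_free_disk() hunk, `blk_mq_free_tag_set(&zlo->tag_set)` is placed at the top of the release callback with no comment explaining why it must live here rather than at the caller; since the whole point of the fix is that `zlo` (and thus `tag_set`) is gone after `kvfree(zlo)`, a brief comment would stop someone from moving it back into zloop_ctl_remove(). It is also worth confirming that the add-side error path, not shown in this hunk, still frees the tag set after this move.

Review bot: in the zloop_ctl_remove() hunk, dropping `blk_mq_free_tag_set()` after `put_disk()` fixes the use-after-free, but it also means the tag set is now released only when the last gendisk reference drops, not synchronously in remove; the commit message should mention this change in timing so that anyone adding a new user of `zlo->tag_set` after `put_disk()` knows the pointer may already be invalid.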