From: Greg Kroah-Hartman Date: Mon, 24 Mar 2025 16:12:41 +0000 (-0700) Subject: 6.1-stable patches X-Git-Tag: v6.1.132~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6ea0fdc3be4214ed64376f414d79115bb6fdbc1e;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch can-flexcan-disable-transceiver-during-system-pm.patch can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch can-rcar_canfd-fix-page-entries-in-the-afl-list.patch drm-amd-display-should-support-dmub-hw-lock-on-replay.patch drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch i2c-omap-fix-irq-storms.patch memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch mmc-atmel-mci-add-missing-clk_disable_unprepare.patch mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch proc-fix-uaf-in-proc_get_inode.patch regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch soc-qcom-pdr-fix-the-potential-deadlock.patch xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch
---
diff --git a/queue-6.1/arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch b/queue-6.1/arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch
new file mode 100644
index 0000000000..03ec029e51
--- /dev/null
+++ b/queue-6.1/arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch
@@ -0,0 +1,65 @@ +From 83964a29379cb08929a39172780a4c2992bc7c93 Mon Sep 17 00:00:00 2001 +From: Stefan Eichenberger +Date: Fri, 10 Jan 2025 16:18:29 +0100 +Subject: ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6 + +From: Stefan Eichenberger + +commit 83964a29379cb08929a39172780a4c2992bc7c93 upstream. + +The current solution for powering off the Apalis iMX6 is not functioning +as intended. To resolve this, it is necessary to power off the +vgen2_reg, which will also set the POWER_ENABLE_MOCI signal to a low +state. This ensures the carrier board is properly informed to initiate +its power-off sequence. + +The new solution uses the regulator-poweroff driver, which will power +off the regulator during a system shutdown. + +Cc: +Fixes: 4eb56e26f92e ("ARM: dts: imx6q-apalis: Command pmic to standby for poweroff") +Signed-off-by: Stefan Eichenberger +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi b/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi +index dffab5aa8b9c..88be29166c1a 100644 +--- a/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi ++++ b/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi +@@ -108,6 +108,11 @@ lvds_panel_in: endpoint { + }; + }; + ++ poweroff { ++ compatible = "regulator-poweroff"; ++ cpu-supply = <&vgen2_reg>; ++ }; ++ + reg_module_3v3: regulator-module-3v3 { + compatible = "regulator-fixed"; + regulator-always-on; +@@ -236,10 +241,6 @@ &can2 { + status = "disabled"; + }; + +-&clks { +- fsl,pmic-stby-poweroff; +-}; +- + /* Apalis SPI1 */ + &ecspi1 { + cs-gpios = <&gpio5 25 GPIO_ACTIVE_LOW>; +@@ -527,7 +528,6 @@ &i2c2 { + + pmic: pmic@8 { + compatible = "fsl,pfuze100"; +- fsl,pmic-stby-poweroff; + reg = <0x08>; + + regulators { +-- +2.49.0 + 
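Review bot: The inner patch targets `arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi`, which looks like the vendor-subdirectory layout that upstream adopted after 6.1, so it may not apply to a 6.1 tree where the file is expected directly under `arch/arm/boot/dts/`. Unlike the other patches queued on this page, it still carries its own `diff --git`/`index` lines and the `2.49.0` trailer, which suggests it was not refreshed against the target tree. Before release, confirm the path and that the configuration used for this board builds the `regulator-poweroff` driver. If the new `poweroff` node matches nothing, the removal of both `fsl,pmic-stby-poweroff` properties would leave the board without a working power-off path.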
diff --git a/queue-6.1/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch b/queue-6.1/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch new file mode 100644 index 0000000000..b8298def33 --- /dev/null +++ b/queue-6.1/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch @@ -0,0 +1,42 @@ +From 379c590113ce46f605439d4887996c60ab8820cc Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 10 Mar 2025 14:12:20 +0100 +Subject: ARM: shmobile: smp: Enforce shmobile_smp_* alignment + +From: Geert Uytterhoeven + +commit 379c590113ce46f605439d4887996c60ab8820cc upstream. + +When the addresses of the shmobile_smp_mpidr, shmobile_smp_fn, and +shmobile_smp_arg variables are not multiples of 4 bytes, secondary CPU +bring-up fails: + + smp: Bringing up secondary CPUs ... + CPU1: failed to come online + CPU2: failed to come online + CPU3: failed to come online + smp: Brought up 1 node, 1 CPU + +Fix this by adding the missing alignment directive. + +Fixes: 4e960f52fce16a3b ("ARM: shmobile: Move shmobile_smp_{mpidr, fn, arg}[] from .text to .bss") +Closes: https://lore.kernel.org/r/CAMuHMdU=QR-JLgEHKWpsr6SbaZRc-Hz9r91JfpP8c3n2G-OjqA@mail.gmail.com +Signed-off-by: Geert Uytterhoeven +Tested-by: Lad Prabhakar +Link: https://lore.kernel.org/c499234d559a0d95ad9472883e46077311051cd8.1741612208.git.geert+renesas@glider.be +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-shmobile/headsmp.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-shmobile/headsmp.S ++++ b/arch/arm/mach-shmobile/headsmp.S +@@ -136,6 +136,7 @@ ENDPROC(shmobile_smp_sleep) + .long shmobile_smp_arg - 1b + + .bss ++ .align 2 + .globl shmobile_smp_mpidr + shmobile_smp_mpidr: + .space NR_CPUS * 4 diff --git a/queue-6.1/arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch b/queue-6.1/arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch new file mode 100644 index 0000000000..dd87c3ced7 --- /dev/null 
+++ b/queue-6.1/arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch @@ -0,0 +1,44 @@ +From 2c1092823eb03f8508d6769e2f38eef7e1fe62a0 Mon Sep 17 00:00:00 2001 +From: Stefan Eichenberger +Date: Mon, 17 Feb 2025 15:56:41 +0100 +Subject: arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card + +From: Stefan Eichenberger + +commit 2c1092823eb03f8508d6769e2f38eef7e1fe62a0 upstream. + +The simple-audio-card's microphone widget currently connects to the +headphone jack. Routing the microphone input to the microphone jack +allows for independent operation of the microphone and headphones. + +This resolves the following boot-time kernel log message, which +indicated a conflict when the microphone and headphone functions were +not separated: + debugfs: File 'Headphone Jack' in directory 'dapm' already present! + +Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini") +Signed-off-by: Stefan Eichenberger +Reviewed-by: Francesco Dolcini +Cc: +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi +@@ -16,10 +16,10 @@ + "Headphone Jack", "HPOUTR", + "IN2L", "Line In Jack", + "IN2R", "Line In Jack", +- "Headphone Jack", "MICBIAS", +- "IN1L", "Headphone Jack"; ++ "Microphone Jack", "MICBIAS", ++ "IN1L", "Microphone Jack"; + simple-audio-card,widgets = +- "Microphone", "Headphone Jack", ++ "Microphone", "Microphone Jack", + "Headphone", "Headphone Jack", + "Line", "Line In Jack"; + diff --git a/queue-6.1/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch b/queue-6.1/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch new file mode 100644 index 0000000000..0d0154e0cb --- /dev/null 
+++ b/queue-6.1/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch 
@@ -0,0 +1,85 @@ +From ffcef3df680c437ca33ff434be18ec24d72907c2 Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Sun, 2 Mar 2025 19:48:04 +0100 +Subject: arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board dtsi + +From: Dragan Simic + +commit ffcef3df680c437ca33ff434be18ec24d72907c2 upstream. + +Add missing "vpcie0v9-supply" and "vpcie1v8-supply" properties to the "pcie0" +node in the Pine64 RockPro64 board dtsi file. This eliminates the following +warnings from the kernel log: + + rockchip-pcie f8000000.pcie: supply vpcie1v8 not found, using dummy regulator + rockchip-pcie f8000000.pcie: supply vpcie0v9 not found, using dummy regulator + +These additions improve the accuracy of hardware description of the RockPro64 +and, in theory, they should result in no functional changes to the way board +works after the changes, because the "vcca_0v9" and "vcca_1v8" regulators are +always enabled. [1][2] However, extended reliability testing, performed by +Chris, [3] has proven that the age-old issues with some PCI Express cards, +when used with a Pine64 RockPro64, are also resolved. + +Those issues were already mentioned in the commit 43853e843aa6 (arm64: dts: +rockchip: Remove unsupported node from the Pinebook Pro dts, 2024-04-01), +together with a brief description of the out-of-tree enumeration delay patch +that reportedly resolves those issues. In a nutshell, booting a RockPro64 +with some PCI Express cards attached to it caused a kernel oops. [4] + +Symptomatically enough, to the commit author's best knowledge, only the Pine64 +RockPro64, out of all RK3399-based boards and devices supported upstream, has +been reported to suffer from those PCI Express issues, and only the RockPro64 +had some of the PCI Express supplies missing in its DT. 
Thus, perhaps some +weird timing issues exist that caused the "vcca_1v8" always-on regulator, +which is part of the RK808 PMIC, to actually not be enabled before the PCI +Express is initialized and enumerated on the RockPro64, causing oopses with +some PCIe cards, and the aforementioned enumeration delay patch [4] probably +acted as just a workaround for the underlying timing issue. + +Admittedly, the Pine64 RockPro64 is a bit specific board by having a standard +PCI Express slot, allowing use of various standard cards, but pretty much +standard PCI Express cards have been attached to other RK3399 boards as well, +and the commit author is unaware ot such issues reported for them. + +It's quite hard to be sure that the PCI Express issues are fully resolved by +these additions to the DT, without some really extensive and time-consuming +testing. However, these additions to the DT can result in good things and +improvements anyway, making them perfectly safe from the standpoint of being +unable to do any harm or cause some unforeseen regressions. + +These changes apply to the both supported hardware revisions of the Pine64 +RockPro64, i.e. to the production-run revisions 2.0 and 2.1. 
[1][2] + +[1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf +[2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf +[3] https://z9.de/hedgedoc/s/nF4d5G7rg#reboot-tests-for-PCIe-improvements +[4] https://lore.kernel.org/lkml/20230509153912.515218-1-vincenzopalazzodev@gmail.com/T/#u + +Fixes: bba821f5479e ("arm64: dts: rockchip: add PCIe nodes on rk3399-rockpro64") +Cc: stable@vger.kernel.org +Cc: Vincenzo Palazzo +Cc: Peter Geis +Cc: Bjorn Helgaas +Reported-by: Diederik de Haas +Tested-by: Chris Vogel +Signed-off-by: Dragan Simic +Tested-by: Diederik de Haas +Link: https://lore.kernel.org/r/b39cfd7490d8194f053bf3971f13a43472d1769e.1740941097.git.dsimic@manjaro.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +@@ -667,6 +667,8 @@ + num-lanes = <4>; + pinctrl-names = "default"; + pinctrl-0 = <&pcie_perst>; ++ vpcie0v9-supply = <&vcca_0v9>; ++ vpcie1v8-supply = <&vcca_1v8>; + vpcie12v-supply = <&vcc12v_dcin>; + vpcie3v3-supply = <&vcc3v3_pcie>; + status = "okay"; diff --git a/queue-6.1/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch b/queue-6.1/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch new file mode 100644 index 0000000000..40be62887a --- /dev/null +++ b/queue-6.1/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch 
@@ -0,0 +1,56 @@ +From 548b0c5de7619ef53bbde5590700693f2f6d2a56 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sun, 2 Feb 2025 17:04:13 +0100 +Subject: batman-adv: Ignore own maximum aggregation size during RX + +From: Sven Eckelmann + +commit 548b0c5de7619ef53bbde5590700693f2f6d2a56 upstream. + +An OGMv1 and OGMv2 packet receive processing were not only limited by the +number of bytes in the received packet but also by the nodes maximum +aggregation packet size limit. But this limit is relevant for TX and not +for RX. It must not be enforced by batadv_(i)v_ogm_aggr_packet to avoid +loss of information in case of a different limit for sender and receiver. + +This has a minor side effect for B.A.T.M.A.N. IV because the +batadv_iv_ogm_aggr_packet is also used for the preprocessing for the TX. +But since the aggregation code itself will not allow more than +BATADV_MAX_AGGREGATION_BYTES bytes, this check was never triggering (in +this context) prior of removing it. + +Cc: stable@vger.kernel.org +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 3 +-- + net/batman-adv/bat_v_ogm.c | 3 +-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -325,8 +325,7 @@ batadv_iv_ogm_aggr_packet(int buff_pos, + /* check if there is enough space for the optional TVLV */ + next_buff_pos += ntohs(ogm_packet->tvlv_len); + +- return (next_buff_pos <= packet_len) && +- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); ++ return next_buff_pos <= packet_len; + } + + /* send a batman ogm to a given interface */ +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -840,8 +840,7 @@ batadv_v_ogm_aggr_packet(int buff_pos, i + /* check if there is enough space for the optional TVLV */ 
+ next_buff_pos += ntohs(ogm2_packet->tvlv_len); + +- return (next_buff_pos <= packet_len) && +- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); ++ return next_buff_pos <= packet_len; + } + + /** diff --git a/queue-6.1/can-flexcan-disable-transceiver-during-system-pm.patch b/queue-6.1/can-flexcan-disable-transceiver-during-system-pm.patch new file mode 100644 index 0000000000..26299ef2d8 --- /dev/null +++ b/queue-6.1/can-flexcan-disable-transceiver-during-system-pm.patch @@ -0,0 +1,55 @@ +From 5a19143124be42900b3fbc9ada3c919632eb45eb Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Fri, 14 Mar 2025 19:01:45 +0800 +Subject: can: flexcan: disable transceiver during system PM + +From: Haibo Chen + +commit 5a19143124be42900b3fbc9ada3c919632eb45eb upstream. + +During system PM, if no wakeup requirement, disable transceiver to +save power. + +Fixes: 4de349e786a3 ("can: flexcan: fix resume function") +Cc: stable@vger.kernel.org +Reviewed-by: Frank Li +Signed-off-by: Haibo Chen +Link: https://patch.msgid.link/20250314110145.899179-2-haibo.chen@nxp.com +[mkl: add newlines] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/flexcan/flexcan-core.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/flexcan/flexcan-core.c ++++ b/drivers/net/can/flexcan/flexcan-core.c +@@ -2230,6 +2230,10 @@ static int __maybe_unused flexcan_suspen + + flexcan_chip_interrupts_disable(dev); + ++ err = flexcan_transceiver_disable(priv); ++ if (err) ++ return err; ++ + err = pinctrl_pm_select_sleep_state(device); + if (err) + return err; +@@ -2262,10 +2266,16 @@ static int __maybe_unused flexcan_resume + if (err) + return err; + +- err = flexcan_chip_start(dev); ++ err = flexcan_transceiver_enable(priv); + if (err) + return err; + ++ err = flexcan_chip_start(dev); ++ if (err) { ++ flexcan_transceiver_disable(priv); ++ return err; ++ } ++ + flexcan_chip_interrupts_enable(dev); + } + 
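Review bot: With the `BATADV_MAX_AGGREGATION_BYTES` comparison gone, `next_buff_pos <= packet_len` is the only bound left in `batadv_iv_ogm_aggr_packet()` and `batadv_v_ogm_aggr_packet()`, and the value added just above it comes from the `tvlv_len` field of the received packet. That deserves a comment above each return, for example `/* RX bound is the received length only; TX callers cap aggregates at BATADV_MAX_AGGREGATION_BYTES themselves */`. The commit message says the IV helper is also used for TX preprocessing, so the comment would record that the TX cap now lives solely in the aggregation code. Both function bodies start outside the hunks, so how the callers derive `packet_len` cannot be confirmed from here and should be checked in the 6.1 source.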
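Review bot: In the `flexcan_suspend` hunk the new `flexcan_transceiver_disable(priv)` is not undone when the following `pinctrl_pm_select_sleep_state(device)` fails, whereas the `flexcan_resume` hunk does unwind with `flexcan_transceiver_disable(priv)` when `flexcan_chip_start(dev)` fails. A suspend callback that returns an error normally aborts the transition without a matching resume call, so the interface could stay up with its transceiver switched off. If the transceiver is regulator-backed, a later close might then disable it a second time. Consider `if (err) { flexcan_transceiver_enable(priv); return err; }` on that path, or a comment explaining why no unwind is needed. Both functions continue outside the hunks, so the surrounding chip stop/start handling should be checked against the 6.1 source.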
diff --git a/queue-6.1/can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch b/queue-6.1/can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch
new file mode 100644
index 0000000000..3bf4ffa28d
--- /dev/null
+++ b/queue-6.1/can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch
@@ -0,0 +1,70 @@ +From fd99d6ed20234b83d65b9c5417794343577cf3e5 Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Fri, 14 Mar 2025 19:01:44 +0800 +Subject: can: flexcan: only change CAN state when link up in system PM + +From: Haibo Chen + +commit fd99d6ed20234b83d65b9c5417794343577cf3e5 upstream. + +After a suspend/resume cycle on a down interface, it will come up as +ERROR-ACTIVE. + +$ ip -details -s -s a s dev flexcan0 +3: flexcan0: mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 + link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 + can state STOPPED (berr-counter tx 0 rx 0) restart-ms 1000 + +$ sudo systemctl suspend + +$ ip -details -s -s a s dev flexcan0 +3: flexcan0: mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 + link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 + can state ERROR-ACTIVE (berr-counter tx 0 rx 0) restart-ms 1000 + +And only set CAN state to CAN_STATE_ERROR_ACTIVE when resume process +has no issue, otherwise keep in CAN_STATE_SLEEPING as suspend did. 
+ +Fixes: 4de349e786a3 ("can: flexcan: fix resume function") +Cc: stable@vger.kernel.org +Signed-off-by: Haibo Chen +Link: https://patch.msgid.link/20250314110145.899179-1-haibo.chen@nxp.com +Reported-by: Marc Kleine-Budde +Closes: https://lore.kernel.org/all/20250314-married-polar-elephant-b15594-mkl@pengutronix.de +[mkl: add newlines] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/flexcan/flexcan-core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/flexcan/flexcan-core.c ++++ b/drivers/net/can/flexcan/flexcan-core.c +@@ -2236,8 +2236,9 @@ static int __maybe_unused flexcan_suspen + } + netif_stop_queue(dev); + netif_device_detach(dev); ++ ++ priv->can.state = CAN_STATE_SLEEPING; + } +- priv->can.state = CAN_STATE_SLEEPING; + + return 0; + } +@@ -2248,7 +2249,6 @@ static int __maybe_unused flexcan_resume + struct flexcan_priv *priv = netdev_priv(dev); + int err; + +- priv->can.state = CAN_STATE_ERROR_ACTIVE; + if (netif_running(dev)) { + netif_device_attach(dev); + netif_start_queue(dev); +@@ -2268,6 +2268,8 @@ static int __maybe_unused flexcan_resume + + flexcan_chip_interrupts_enable(dev); + } ++ ++ priv->can.state = CAN_STATE_ERROR_ACTIVE; + } + + return 0; diff --git a/queue-6.1/can-rcar_canfd-fix-page-entries-in-the-afl-list.patch b/queue-6.1/can-rcar_canfd-fix-page-entries-in-the-afl-list.patch new file mode 100644 index 0000000000..c52a21a564 --- /dev/null +++ b/queue-6.1/can-rcar_canfd-fix-page-entries-in-the-afl-list.patch 
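Review bot: On the early `return err` paths of `flexcan_resume` the state now stays `CAN_STATE_SLEEPING`, but the context lines of the second hunk show `netif_device_attach(dev)` and `netif_start_queue(dev)` running at the top of the `netif_running(dev)` block, before the controller is brought back. A failed resume therefore appears to leave an attached, started queue on a device that reports itself as sleeping. Moving those two calls to just before `priv->can.state = CAN_STATE_ERROR_ACTIVE;` would keep queue state and CAN state consistent. Failing that, a comment such as `/* queue is restarted before the chip; on error the state stays SLEEPING */` would make the ordering explicit. The function body extends outside the hunks, so the full set of error returns should be checked in the 6.1 source.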
@@ -0,0 +1,96 @@ +From 1dba0a37644ed3022558165bbb5cb9bda540eaf7 Mon Sep 17 00:00:00 2001 +From: Biju Das +Date: Fri, 7 Mar 2025 17:03:27 +0000 +Subject: can: rcar_canfd: Fix page entries in the AFL list + +From: Biju Das + +commit 1dba0a37644ed3022558165bbb5cb9bda540eaf7 upstream. + +There are a total of 96 AFL pages and each page has 16 entries with +registers CFDGAFLIDr, CFDGAFLMr, CFDGAFLP0r, CFDGAFLP1r holding +the rule entries (r = 0..15). + +Currently, RCANFD_GAFL* macros use a start variable to find AFL entries, +which is incorrect as the testing on RZ/G3E shows ch1 and ch4 +gets a start value of 0 and the register contents are overwritten. + +Fix this issue by using rule_entry corresponding to the channel +to find the page entries in the AFL list. + +Fixes: dd3bd23eb438 ("can: rcar_canfd: Add Renesas R-Car CAN FD driver") +Cc: stable@vger.kernel.org +Signed-off-by: Biju Das +Tested-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20250307170330.173425-3-biju.das.jz@bp.renesas.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/rcar/rcar_canfd.c | 28 +++++++++++----------------- + 1 file changed, 11 insertions(+), 17 deletions(-) + +--- a/drivers/net/can/rcar/rcar_canfd.c ++++ b/drivers/net/can/rcar/rcar_canfd.c +@@ -772,22 +772,14 @@ static void rcar_canfd_configure_control + } + + static void rcar_canfd_configure_afl_rules(struct rcar_canfd_global *gpriv, +- u32 ch) ++ u32 ch, u32 rule_entry) + { +- u32 cfg; +- int offset, start, page, num_rules = RCANFD_CHANNEL_NUMRULES; ++ int offset, page, num_rules = RCANFD_CHANNEL_NUMRULES; ++ u32 rule_entry_index = rule_entry % 16; + u32 ridx = ch + RCANFD_RFFIFO_IDX; + +- if (ch == 0) { +- start = 0; /* Channel 0 always starts from 0th rule */ +- } else { +- /* Get number of Channel 0 rules and adjust */ +- cfg = rcar_canfd_read(gpriv->base, RCANFD_GAFLCFG(ch)); +- start = RCANFD_GAFLCFG_GETRNC(gpriv, 0, cfg); +- } +- + /* Enable write access to entry */ +- page = 
RCANFD_GAFL_PAGENUM(start); ++ page = RCANFD_GAFL_PAGENUM(rule_entry); + rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLECTR, + (RCANFD_GAFLECTR_AFLPN(gpriv, page) | + RCANFD_GAFLECTR_AFLDAE)); +@@ -803,13 +795,13 @@ static void rcar_canfd_configure_afl_rul + offset = RCANFD_C_GAFL_OFFSET; + + /* Accept all IDs */ +- rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, start), 0); ++ rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, rule_entry_index), 0); + /* IDE or RTR is not considered for matching */ +- rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, start), 0); ++ rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, rule_entry_index), 0); + /* Any data length accepted */ +- rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, start), 0); ++ rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, rule_entry_index), 0); + /* Place the msg in corresponding Rx FIFO entry */ +- rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, start), ++ rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, rule_entry_index), + RCANFD_GAFLP1_GAFLFDP(ridx)); + + /* Disable write access to page */ +@@ -1825,6 +1817,7 @@ static int rcar_canfd_probe(struct platf + unsigned long channels_mask = 0; + int err, ch_irq, g_irq; + int g_err_irq, g_recc_irq; ++ u32 rule_entry = 0; + bool fdmode = true; /* CAN FD only mode - default */ + enum rcanfd_chip_id chip_id; + int max_channels; +@@ -2003,7 +1996,8 @@ static int rcar_canfd_probe(struct platf + rcar_canfd_configure_tx(gpriv, ch); + + /* Configure receive rules */ +- rcar_canfd_configure_afl_rules(gpriv, ch); ++ rcar_canfd_configure_afl_rules(gpriv, ch, rule_entry); ++ rule_entry += RCANFD_CHANNEL_NUMRULES; + } + + /* Configure common interrupts */ diff --git a/queue-6.1/drm-amd-display-should-support-dmub-hw-lock-on-replay.patch b/queue-6.1/drm-amd-display-should-support-dmub-hw-lock-on-replay.patch new file mode 100644 index 0000000000..739be90c30 --- /dev/null +++ b/queue-6.1/drm-amd-display-should-support-dmub-hw-lock-on-replay.patch 
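Review bot: `u32 rule_entry_index = rule_entry % 16;` hard-codes the entries-per-page count from the commit message (96 pages of 16 entries), while the page number on the next changed line comes from `RCANFD_GAFL_PAGENUM(rule_entry)`. The two should share one named constant so the page and the in-page index cannot drift apart. Nothing in the hunks bounds `rule_entry`, which `rcar_canfd_probe()` advances by `RCANFD_CHANNEL_NUMRULES` per configured channel. A short comment, or a `WARN_ON` against the total number of AFL entries, would document that the page opened for writing is always valid. The macro definitions are outside the hunks, so the divisor used by `RCANFD_GAFL_PAGENUM` should be confirmed to be 16 as well.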
@@ -0,0 +1,39 @@ +From bfeefe6ea5f18cabb8fda55364079573804623f9 Mon Sep 17 00:00:00 2001 +From: Martin Tsai +Date: Fri, 2 Feb 2024 14:39:29 +0800 +Subject: drm/amd/display: should support dmub hw lock on Replay + +From: Martin Tsai + +commit bfeefe6ea5f18cabb8fda55364079573804623f9 upstream. + +[Why] +Without acquiring DMCUB hw lock, a race condition is caused with +Panel Replay feature, which will trigger a hang. Indicate that a +lock is necessary to prevent this when replay feature is enabled. + +[How] +To allow dmub hw lock on Replay. + +Reviewed-by: Robin Chen +Acked-by: Aurabindo Pillai +Signed-off-by: Martin Tsai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +@@ -67,5 +67,9 @@ bool should_use_dmub_lock(struct dc_link + { + if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1) + return true; ++ ++ if (link->replay_settings.replay_feature_enabled) ++ return true; ++ + return false; + } diff --git a/queue-6.1/drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch b/queue-6.1/drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch new file mode 100644 index 0000000000..2e1dd7b3c4 --- /dev/null +++ b/queue-6.1/drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch 
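Review bot: The added test reads `link->replay_settings.replay_feature_enabled`, and nothing on this page shows that `struct dc_link` in the 6.1 tree has a `replay_settings` member. The upstream commit is dated 2024 and Panel Replay support appears to be newer than 6.1, so this backport may not compile. Build-test `dmub_hw_lock_mgr.c` on the 6.1 branch before release. If the member is missing, drop the patch or queue its prerequisite rather than stubbing the field. The PSR1 patch queued next on this page is written on top of this hunk, so the two need to be decided together.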
@@ -0,0 +1,53 @@ +From acbf16a6ae775b4db86f537448cc466288aa307e Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 7 Mar 2025 15:55:20 -0600 +Subject: drm/amd/display: Use HW lock mgr for PSR1 when only one eDP + +From: Mario Limonciello + +commit acbf16a6ae775b4db86f537448cc466288aa307e upstream. + +[WHY] +DMUB locking is important to make sure that registers aren't accessed +while in PSR. Previously it was enabled but caused a deadlock in +situations with multiple eDP panels. + +[HOW] +Detect if multiple eDP panels are in use to decide whether to use +lock. Refactor the function so that the first check is for PSR-SU +and then replay is in use to prevent having to look up number +of eDP panels for those configurations. + +Fixes: f245b400a223 ("Revert "drm/amd/display: Use HW lock mgr for PSR1"") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3965 +Reviewed-by: ChiaHsuan Chung +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit ed569e1279a3045d6b974226c814e071fa0193a6) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +@@ -71,5 +71,16 @@ bool should_use_dmub_lock(struct dc_link + if (link->replay_settings.replay_feature_enabled) + return true; + ++ /* only use HW lock for PSR1 on single eDP */ ++ if (link->psr_settings.psr_version == DC_PSR_VERSION_1) { ++ struct dc_link *edp_links[MAX_NUM_EDP]; ++ int edp_num; ++ ++ dc_get_edp_links(link->dc, edp_links, &edp_num); ++ ++ if (edp_num == 1) ++ return true; ++ } ++ + return false; + } 
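Review bot: `int edp_num;` has no initialiser and is compared with 1 right after `dc_get_edp_links(link->dc, edp_links, &edp_num);`, so the lock decision depends on the helper writing the count on every path. `int edp_num = 0;` makes the result independent of the callee. The helper's definition is not in the hunk, so confirm that the 6.1 tree provides it under the name `dc_get_edp_links` and that `MAX_NUM_EDP` is visible in this file. A one-line comment on `should_use_dmub_lock()` listing the three cases in order (PSR-SU, Replay, PSR1 with exactly one eDP) would also help, since the function starts outside the hunk and the commit message says the ordering is deliberate.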
diff --git a/queue-6.1/drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch b/queue-6.1/drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch
new file mode 100644
index 0000000000..a499b718c9
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch
@@ -0,0 +1,45 @@ +From ec33964d9d88488fa954a03d476a8b811efc6e85 Mon Sep 17 00:00:00 2001 +From: David Rosca +Date: Fri, 28 Feb 2025 13:34:49 +0100 +Subject: drm/amdgpu: Fix JPEG video caps max size for navi1x and raven + +From: David Rosca + +commit ec33964d9d88488fa954a03d476a8b811efc6e85 upstream. + +8192x8192 is the maximum supported resolution. + +Signed-off-by: David Rosca +Acked-by: Alex Deucher +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +(cherry picked from commit 6e0d2fde3ae8fdb5b47e10389f23ed2cb4daec5d) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/nv.c | 2 +- + drivers/gpu/drm/amd/amdgpu/soc15.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/nv.c ++++ b/drivers/gpu/drm/amd/amdgpu/nv.c +@@ -87,7 +87,7 @@ static const struct amdgpu_video_codec_i + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 8192, 8192, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)}, + }; + +--- a/drivers/gpu/drm/amd/amdgpu/soc15.c ++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c +@@ -125,7 +125,7 @@ static const struct amdgpu_video_codec_i + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 8192, 8192, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 4096, 4096, 0)}, + }; + 
diff --git a/queue-6.1/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch b/queue-6.1/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch
new file mode 100644
index 0000000000..061825d024
--- /dev/null
+++ b/queue-6.1/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch
@@ -0,0 +1,44 @@ +From dd8689b52a24807c2d5ce0a17cb26dc87f75235c Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Tue, 11 Mar 2025 14:14:59 +0300 +Subject: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() + +From: Nikita Zhandarovich + +commit dd8689b52a24807c2d5ce0a17cb26dc87f75235c upstream. + +On the off chance that command stream passed from userspace via +ioctl() call to radeon_vce_cs_parse() is weirdly crafted and +first command to execute is to encode (case 0x03000001), the function +in question will attempt to call radeon_vce_cs_reloc() with size +argument that has not been properly initialized. Specifically, 'size' +will point to 'tmp' variable before the latter had a chance to be +assigned any value. + +Play it safe and init 'tmp' with 0, thus ensuring that +radeon_vce_cs_reloc() will catch an early error in cases like these. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 2fc5703abda2 ("drm/radeon: check VCE relocation buffer range v3") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/radeon_vce.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_vce.c ++++ b/drivers/gpu/drm/radeon/radeon_vce.c +@@ -557,7 +557,7 @@ int radeon_vce_cs_parse(struct radeon_cs + { + int session_idx = -1; + bool destroyed = false, created = false, allocated = false; +- uint32_t tmp, handle = 0; ++ uint32_t tmp = 0, handle = 0; + uint32_t *size = &tmp; + int i, r = 0; + diff --git a/queue-6.1/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch b/queue-6.1/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch new file mode 100644 index 0000000000..da0874d498 --- /dev/null +++ b/queue-6.1/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch 
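Review bot: `uint32_t tmp = 0, handle = 0;` removes the uninitialised read, but the commit message's claim that `radeon_vce_cs_reloc()` will then "catch an early error" cannot be verified from this hunk. If that helper only checks that the buffer is at least `size` bytes, a size of 0 would pass rather than fail. Confirm in the 6.1 source which check actually rejects an encode command (`0x03000001`) that arrives before any session command. Then record it at the declaration, for example `/* tmp backs *size until a session is selected; an encode seen before that must be rejected by <the check you confirmed> */`. Since the command stream comes from userspace via ioctl, an explicit rejection of encode commands when no session has been validated would be more robust than relying on the placeholder value. The parser loop lies outside the hunk.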
@@ -0,0 +1,68 @@
+From 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ma=C3=ADra=20Canal?=
+Date: Thu, 13 Mar 2025 11:43:26 -0300
+Subject: drm/v3d: Don't run jobs that have errors flagged in its fence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal
+
+commit 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 upstream.
+
+The V3D driver still relies on `drm_sched_increase_karma()` and
+`drm_sched_resubmit_jobs()` for resubmissions when a timeout occurs.
+The function `drm_sched_increase_karma()` marks the job as guilty, while
+`drm_sched_resubmit_jobs()` sets an error (-ECANCELED) in the DMA fence of
+that guilty job.
+
+Because of this, we must check whether the job’s DMA fence has been
+flagged with an error before executing the job. Otherwise, the same guilty
+job may be resubmitted indefinitely, causing repeated GPU resets.
+
+This patch adds a check for an error on the job's fence to prevent running
+a guilty job that was previously flagged when the GPU timed out.
+
+Note that the CPU and CACHE_CLEAN queues do not require this check, as
+their jobs are executed synchronously once the DRM scheduler starts them.
+
+Cc: stable@vger.kernel.org
+Fixes: d223f98f0209 ("drm/v3d: Add support for compute shader dispatch.")
+Fixes: 1584f16ca96e ("drm/v3d: Add support for submitting jobs to the TFU.")
+Reviewed-by: Iago Toral Quiroga
+Signed-off-by: Maíra Canal
+Link: https://patchwork.freedesktop.org/patch/msgid/20250313-v3d-gpu-reset-fixes-v4-1-c1e780d8e096@igalia.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/v3d/v3d_sched.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/v3d/v3d_sched.c
++++ b/drivers/gpu/drm/v3d/v3d_sched.c
+@@ -179,11 +179,15 @@ v3d_tfu_job_run(struct drm_sched_job *sc
+ struct drm_device *dev = &v3d->drm;
+ struct dma_fence *fence;
+
++ if (unlikely(job->base.base.s_fence->finished.error))
++ return NULL;
++
++ v3d->tfu_job = job;
++
+ fence = v3d_fence_create(v3d, V3D_TFU);
+ if (IS_ERR(fence))
+ return NULL;
+
+- v3d->tfu_job = job;
+ if (job->base.irq_fence)
+ dma_fence_put(job->base.irq_fence);
+ job->base.irq_fence = dma_fence_get(fence);
+@@ -217,6 +221,9 @@ v3d_csd_job_run(struct drm_sched_job *sc
+ struct dma_fence *fence;
+ int i;
+
++ if (unlikely(job->base.base.s_fence->finished.error))
++ return NULL;
++
+ v3d->csd_job = job;
+
+ v3d_invalidate_caches(v3d);
diff --git a/queue-6.1/efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch b/queue-6.1/efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch
new file mode 100644
index 0000000000..59131b673b
--- /dev/null
+++ b/queue-6.1/efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch
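Review bot: The new early return in v3d_tfu_job_run() and v3d_csd_job_run() leaves `v3d->tfu_job` and `v3d->csd_job` untouched, so after a flagged job is skipped the pointer still refers to whichever job was set before it. In the TFU path the assignment `v3d->tfu_job = job;` also moved ahead of v3d_fence_create(), so a failed fence allocation now returns NULL with the pointer set to a job that never started. If the interrupt or timeout paths, which are outside this hunk, dereference these pointers, that is a stale-pointer hazard. Clearing the pointer on the bail-out paths would close it: `v3d->tfu_job = NULL;` before each `return NULL;` in the TFU function and `v3d->csd_job = NULL;` before the one in the CSD function. Both function bodies start and end outside the hunk.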
@@ -0,0 +1,45 @@
+From cb16dfed0093217a68c0faa9394fa5823927e04c Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Fri, 14 Mar 2025 12:03:33 +0100
+Subject: efi/libstub: Avoid physical address 0x0 when doing random allocation
+
+From: Ard Biesheuvel
+
+commit cb16dfed0093217a68c0faa9394fa5823927e04c upstream.
+
+Ben reports spurious EFI zboot failures on a system where physical RAM
+starts at 0x0. When doing random memory allocation from the EFI stub on
+such a platform, a random seed of 0x0 (which means no entropy source is
+available) will result in the allocation to be placed at address 0x0 if
+sufficient space is available.
+
+When this allocation is subsequently passed on to the decompression
+code, the 0x0 address is mistaken for NULL and the code complains and
+gives up.
+
+So avoid address 0x0 when doing random allocation, and set the minimum
+address to the minimum alignment.
+
+Cc:
+Reported-by: Ben Schneider
+Tested-by: Ben Schneider
+Reviewed-by: Ilias Apalodimas
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/efi/libstub/randomalloc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/firmware/efi/libstub/randomalloc.c
++++ b/drivers/firmware/efi/libstub/randomalloc.c
+@@ -75,6 +75,10 @@ efi_status_t efi_random_alloc(unsigned l
+ if (align < EFI_ALLOC_ALIGN)
+ align = EFI_ALLOC_ALIGN;
+
++ /* Avoid address 0x0, as it can be mistaken for NULL */
++ if (alloc_min == 0)
++ alloc_min = align;
++
+ size = round_up(size, EFI_ALLOC_ALIGN);
+
+ /* count the suitable slots in each memory map entry */
diff --git a/queue-6.1/i2c-omap-fix-irq-storms.patch b/queue-6.1/i2c-omap-fix-irq-storms.patch
new file mode 100644
index 0000000000..ff9f8f6694
--- /dev/null
+++ b/queue-6.1/i2c-omap-fix-irq-storms.patch
@@ -0,0 +1,112 @@
+From 285df995f90e3d61d97f327d34b9659d92313314 Mon Sep 17 00:00:00 2001
+From: Andreas Kemnade
+Date: Fri, 28 Feb 2025 15:04:20 +0100
+Subject: i2c: omap: fix IRQ storms
+
+From: Andreas Kemnade
+
+commit 285df995f90e3d61d97f327d34b9659d92313314 upstream.
+
+On the GTA04A5 writing a reset command to the gyroscope causes IRQ
+storms because NACK IRQs are enabled and therefore triggered but not
+acked.
+
+Sending a reset command to the gyroscope by
+i2cset 1 0x69 0x14 0xb6
+with an additional debug print in the ISR (not the thread) itself
+causes
+
+[ 363.353515] i2c i2c-1: ioctl, cmd=0x720, arg=0xbe801b00
+[ 363.359039] omap_i2c 48072000.i2c: addr: 0x0069, len: 2, flags: 0x0, stop: 1
+[ 363.366180] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x1110)
+[ 363.371673] omap_i2c 48072000.i2c: IRQ (ISR = 0x0010)
+[ 363.376892] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
+[ 363.382263] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
+[ 363.387664] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
+repeating till infinity
+[...]
+(0x2 = NACK, 0x100 = Bus free, which is not enabled)
+Apparently no other IRQ bit gets set, so this stalls.
+
+Do not ignore enabled interrupts and make sure they are acked.
+If the NACK IRQ is not needed, it should simply not enabled, but
+according to the above log, caring about it is necessary unless
+the Bus free IRQ is enabled and handled. The assumption that is
+will always come with a ARDY IRQ, which was the idea behind
+ignoring it, proves wrong.
+It is true for simple reads from an unused address.
+
+To still avoid the i2cdetect trouble which is the reason for
+commit c770657bd261 ("i2c: omap: Fix standard mode false ACK readings"),
+avoid doing much about NACK in omap_i2c_xfer_data() which is used
+by both IRQ mode and polling mode, so also the false detection fix
+is extended to polling usage and IRQ storms are avoided.
+
+By changing this, the hardirq handler is not needed anymore to filter
+stuff.
+
+The mentioned gyro reset now just causes a -ETIMEDOUT instead of
+hanging the system.
+
+Fixes: c770657bd261 ("i2c: omap: Fix standard mode false ACK readings").
+CC: stable@kernel.org
+Signed-off-by: Andreas Kemnade
+Tested-by: Nishanth Menon
+Reviewed-by: Aniket Limaye
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20250228140420.379498-1-andreas@kemnade.info
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-omap.c | 26 +++++++-------------------
+ 1 file changed, 7 insertions(+), 19 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-omap.c
++++ b/drivers/i2c/busses/i2c-omap.c
+@@ -1049,23 +1049,6 @@ static int omap_i2c_transmit_data(struct
+ return 0;
+ }
+
+-static irqreturn_t
+-omap_i2c_isr(int irq, void *dev_id)
+-{
+- struct omap_i2c_dev *omap = dev_id;
+- irqreturn_t ret = IRQ_HANDLED;
+- u16 mask;
+- u16 stat;
+-
+- stat = omap_i2c_read_reg(omap, OMAP_I2C_STAT_REG);
+- mask = omap_i2c_read_reg(omap, OMAP_I2C_IE_REG) & ~OMAP_I2C_STAT_NACK;
+-
+- if (stat & mask)
+- ret = IRQ_WAKE_THREAD;
+-
+- return ret;
+-}
+-
+ static int omap_i2c_xfer_data(struct omap_i2c_dev *omap)
+ {
+ u16 bits;
+@@ -1096,8 +1079,13 @@ static int omap_i2c_xfer_data(struct oma
+ }
+
+ if (stat & OMAP_I2C_STAT_NACK) {
+- err |= OMAP_I2C_STAT_NACK;
++ omap->cmd_err |= OMAP_I2C_STAT_NACK;
+ omap_i2c_ack_stat(omap, OMAP_I2C_STAT_NACK);
++
++ if (!(stat & ~OMAP_I2C_STAT_NACK)) {
++ err = -EAGAIN;
++ break;
++ }
+ }
+
+ if (stat & OMAP_I2C_STAT_AL) {
+@@ -1475,7 +1463,7 @@ omap_i2c_probe(struct platform_device *p
+ IRQF_NO_SUSPEND, pdev->name, omap);
+ else
+ r = devm_request_threaded_irq(&pdev->dev, omap->irq,
+- omap_i2c_isr, omap_i2c_isr_thread,
++ NULL, omap_i2c_isr_thread,
+ IRQF_NO_SUSPEND | IRQF_ONESHOT,
+ pdev->name, omap);
+
diff --git a/queue-6.1/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch b/queue-6.1/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch
new file mode 100644
index 0000000000..c94c0e57a0
--- /dev/null
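Review bot: The NACK-only branch added to omap_i2c_xfer_data() needs a comment, because `err = -EAGAIN; break;` stores an errno in a variable that the removed line `err |= OMAP_I2C_STAT_NACK;` treated as a status bitmask. Going by the commit message, the intent is to record the NACK in `omap->cmd_err`, acknowledge it, and leave completion to a later event or the transfer timeout. A line such as `/* NACK alone: remember it and wait for ARDY or the timeout instead of completing here */` above the `if (!(stat & ~OMAP_I2C_STAT_NACK))` test would make that explicit. How `err` is consumed after the loop is outside the hunk, so the mixed use should be confirmed there.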
+++ b/queue-6.1/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch
@@ -0,0 +1,50 @@
+From 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb Mon Sep 17 00:00:00 2001
+From: Shakeel Butt
+Date: Mon, 10 Mar 2025 16:09:34 -0700
+Subject: memcg: drain obj stock on cpu hotplug teardown
+
+From: Shakeel Butt
+
+commit 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb upstream.
+
+Currently on cpu hotplug teardown, only memcg stock is drained but we
+need to drain the obj stock as well otherwise we will miss the stats
+accumulated on the target cpu as well as the nr_bytes cached. The stats
+include MEMCG_KMEM, NR_SLAB_RECLAIMABLE_B & NR_SLAB_UNRECLAIMABLE_B. In
+addition we are leaking reference to struct obj_cgroup object.
+
+Link: https://lkml.kernel.org/r/20250310230934.2913113-1-shakeel.butt@linux.dev
+Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
+Signed-off-by: Shakeel Butt
+Reviewed-by: Roman Gushchin
+Acked-by: Johannes Weiner
+Cc: Michal Hocko
+Cc: Muchun Song
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memcontrol.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -2368,9 +2368,18 @@ static void drain_all_stock(struct mem_c
+ static int memcg_hotplug_cpu_dead(unsigned int cpu)
+ {
+ struct memcg_stock_pcp *stock;
++ struct obj_cgroup *old;
++ unsigned long flags;
+
+ stock = &per_cpu(memcg_stock, cpu);
++
++ /* drain_obj_stock requires stock_lock */
++ local_lock_irqsave(&memcg_stock.stock_lock, flags);
++ old = drain_obj_stock(stock);
++ local_unlock_irqrestore(&memcg_stock.stock_lock, flags);
++
+ drain_stock(stock);
++ obj_cgroup_put(old);
+
+ return 0;
+ }
diff --git a/queue-6.1/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch b/queue-6.1/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch
new file mode 100644
index 0000000000..04cd695262
--- /dev/null
+++ b/queue-6.1/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch
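Review bot: The comment `/* drain_obj_stock requires stock_lock */` hides a mismatch between the object drained and the lock held. `stock` comes from `per_cpu(memcg_stock, cpu)`, the dead CPU's instance, while `local_lock_irqsave(&memcg_stock.stock_lock, flags)` takes the lock of the CPU running the callback. That is presumably safe because the dead CPU can no longer touch its own stock, but the code does not say so, and the pattern would be wrong if copied to a context where the remote CPU is still live. I would extend the comment to `/* drain_obj_stock() expects stock_lock held; we hold this CPU's lock while draining the dead CPU's stock, which nothing else can access any more */`.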
@@ -0,0 +1,39 @@
+From e51a349d2dcf1df8422dabb90b2f691dc7df6f92 Mon Sep 17 00:00:00 2001
+From: Gu Bowen
+Date: Tue, 25 Feb 2025 10:28:56 +0800
+Subject: mmc: atmel-mci: Add missing clk_disable_unprepare()
+
+From: Gu Bowen
+
+commit e51a349d2dcf1df8422dabb90b2f691dc7df6f92 upstream.
+
+The error path when atmci_configure_dma() set dma fails in atmci driver
+does not correctly disable the clock.
+Add the missing clk_disable_unprepare() to the error path for pair with
+clk_prepare_enable().
+
+Fixes: 467e081d23e6 ("mmc: atmel-mci: use probe deferring if dma controller is not ready yet")
+Signed-off-by: Gu Bowen
+Acked-by: Aubin Constans
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250225022856.3452240-1-gubowen5@huawei.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/atmel-mci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/atmel-mci.c
++++ b/drivers/mmc/host/atmel-mci.c
+@@ -2506,8 +2506,10 @@ static int atmci_probe(struct platform_d
+ /* Get MCI capabilities and set operations according to it */
+ atmci_get_cap(host);
+ ret = atmci_configure_dma(host);
+- if (ret == -EPROBE_DEFER)
++ if (ret == -EPROBE_DEFER) {
++ clk_disable_unprepare(host->mck);
+ goto err_dma_probe_defer;
++ }
+ if (ret == 0) {
+ host->prepare_data = &atmci_prepare_data_dma;
+ host->submit_data = &atmci_submit_data_dma;
diff --git a/queue-6.1/mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch b/queue-6.1/mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch
new file mode 100644
index 0000000000..b68b6b26e1
--- /dev/null
+++ b/queue-6.1/mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch
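Review bot: The clock release sits inside the `-EPROBE_DEFER` branch rather than at the `err_dma_probe_defer` label, so the unwind for this error is split between the jump site and the label. Any other jump to that label, now or later, would skip `clk_disable_unprepare(host->mck);`, and someone reading the label's cleanup cannot tell that the clock is balanced. If this is the only user of the label, moving the call to the label keeps the unwind in one place. If the clock is normally released earlier in probe, which is not visible here, a comment such as `/* mck is still enabled at this point; release it before deferring */` would explain why this path alone needs it. atmci_probe() begins and ends outside the hunk.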
@@ -0,0 +1,57 @@
+From 723ef0e20dbb2aa1b5406d2bb75374fc48187daa Mon Sep 17 00:00:00 2001
+From: Kamal Dasu
+Date: Tue, 11 Mar 2025 12:59:35 -0400
+Subject: mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops
+
+From: Kamal Dasu
+
+commit 723ef0e20dbb2aa1b5406d2bb75374fc48187daa upstream.
+
+cqhci timeouts observed on brcmstb platforms during suspend:
+ ...
+ [ 164.832853] mmc0: cqhci: timeout for tag 18
+ ...
+
+Adding cqhci_suspend()/resume() calls to disable cqe
+in sdhci_brcmstb_suspend()/resume() respectively to fix
+CQE timeouts seen on PM suspend.
+
+Fixes: d46ba2d17f90 ("mmc: sdhci-brcmstb: Add support for Command Queuing (CQE)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kamal Dasu
+Reviewed-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20250311165946.28190-1-kamal.dasu@broadcom.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-brcmstb.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-brcmstb.c
++++ b/drivers/mmc/host/sdhci-brcmstb.c
+@@ -396,8 +396,15 @@ static int sdhci_brcmstb_suspend(struct
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_brcmstb_priv *priv = sdhci_pltfm_priv(pltfm_host);
++ int ret;
+
+ clk_disable_unprepare(priv->base_clk);
++ if (host->mmc->caps2 & MMC_CAP2_CQE) {
++ ret = cqhci_suspend(host->mmc);
++ if (ret)
++ return ret;
++ }
++
+ return sdhci_pltfm_suspend(dev);
+ }
+
+@@ -422,6 +429,9 @@ static int sdhci_brcmstb_resume(struct d
+ ret = clk_set_rate(priv->base_clk, priv->base_freq_hz);
+ }
+
++ if (host->mmc->caps2 & MMC_CAP2_CQE)
++ ret = cqhci_resume(host->mmc);
++
+ return ret;
+ }
+ #endif
diff --git a/queue-6.1/proc-fix-uaf-in-proc_get_inode.patch b/queue-6.1/proc-fix-uaf-in-proc_get_inode.patch
new file mode 100644
index 0000000000..45c30913e0
--- /dev/null
+++ b/queue-6.1/proc-fix-uaf-in-proc_get_inode.patch
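Review bot: In sdhci_brcmstb_resume() the added `ret = cqhci_resume(host->mmc);` overwrites whatever `ret` already held, including the `clk_set_rate()` result visible just above it, so an earlier failure is reported as success whenever the CQE resume succeeds. Guarding the call keeps the first error: `if (!ret && (host->mmc->caps2 & MMC_CAP2_CQE))`. In sdhci_brcmstb_suspend() the new `return ret;` after a failed cqhci_suspend() exits with `priv->base_clk` already disabled, so an aborted suspend appears to leave the host without that clock. Calling cqhci_suspend() before `clk_disable_unprepare(priv->base_clk);` would avoid this, assuming CQE suspend does not rely on the clock being off. The start of both functions is outside the hunk.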
@@ -0,0 +1,177 @@
+From 654b33ada4ab5e926cd9c570196fefa7bec7c1df Mon Sep 17 00:00:00 2001
+From: Ye Bin
+Date: Sat, 1 Mar 2025 15:06:24 +0300
+Subject: proc: fix UAF in proc_get_inode()
+
+From: Ye Bin
+
+commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df upstream.
+
+Fix race between rmmod and /proc/XXX's inode instantiation.
+
+The bug is that pde->proc_ops don't belong to /proc, it belongs to a
+module, therefore dereferencing it after /proc entry has been registered
+is a bug unless use_pde/unuse_pde() pair has been used.
+
+use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
+never changes so information necessary for inode instantiation can be
+saved _before_ proc_register() in PDE itself and used later, avoiding
+pde->proc_ops->... dereference.
+
+ rmmod lookup
+sys_delete_module
+ proc_lookup_de
+ pde_get(de);
+ proc_get_inode(dir->i_sb, de);
+ mod->exit()
+ proc_remove
+ remove_proc_subtree
+ proc_entry_rundown(de);
+ free_module(mod);
+
+ if (S_ISREG(inode->i_mode))
+ if (de->proc_ops->proc_read_iter)
+ --> As module is already freed, will trigger UAF
+
+BUG: unable to handle page fault for address: fffffbfff80a702b
+PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
+Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+RIP: 0010:proc_get_inode+0x302/0x6e0
+RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
+RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
+RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
+RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
+R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
+R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
+FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ proc_lookup_de+0x11f/0x2e0
+ __lookup_slow+0x188/0x350
+ walk_component+0x2ab/0x4f0
+ path_lookupat+0x120/0x660
+ filename_lookup+0x1ce/0x560
+ vfs_statx+0xac/0x150
+ __do_sys_newstat+0x96/0x110
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
+Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183
+Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression")
+Signed-off-by: Ye Bin
+Signed-off-by: Alexey Dobriyan
+Cc: Al Viro
+Cc: David S. Miller
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/generic.c | 10 +++++++++-
+ fs/proc/inode.c | 6 +++---
+ fs/proc/internal.h | 14 ++++++++++++++
+ include/linux/proc_fs.h | 7 +++++--
+ 4 files changed, 31 insertions(+), 6 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -558,10 +558,16 @@ struct proc_dir_entry *proc_create_reg(c
+ return p;
+ }
+
+-static inline void pde_set_flags(struct proc_dir_entry *pde)
++static void pde_set_flags(struct proc_dir_entry *pde)
+ {
+ if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
+ pde->flags |= PROC_ENTRY_PERMANENT;
++ if (pde->proc_ops->proc_read_iter)
++ pde->flags |= PROC_ENTRY_proc_read_iter;
++#ifdef CONFIG_COMPAT
++ if (pde->proc_ops->proc_compat_ioctl)
++ pde->flags |= PROC_ENTRY_proc_compat_ioctl;
++#endif
+ }
+
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+@@ -625,6 +631,7 @@ struct proc_dir_entry *proc_create_seq_p
+ p->proc_ops = &proc_seq_ops;
+ p->seq_ops = ops;
+ p->state_size = state_size;
++ pde_set_flags(p);
+ return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_seq_private);
+@@ -655,6 +662,7 @@ struct proc_dir_entry *proc_create_singl
+ return NULL;
+ p->proc_ops = &proc_single_ops;
+ p->single_show = show;
++ pde_set_flags(p);
+ return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_single_data);
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -679,13 +679,13 @@ struct inode *proc_get_inode(struct supe
+
+ if (S_ISREG(inode->i_mode)) {
+ inode->i_op = de->proc_iops;
+- if (de->proc_ops->proc_read_iter)
++ if (pde_has_proc_read_iter(de))
+ inode->i_fop = &proc_iter_file_ops;
+ else
+ inode->i_fop = &proc_reg_file_ops;
+ #ifdef CONFIG_COMPAT
+- if (de->proc_ops->proc_compat_ioctl) {
+- if (de->proc_ops->proc_read_iter)
++ if (pde_has_proc_compat_ioctl(de)) {
++ if (pde_has_proc_read_iter(de))
+ inode->i_fop = &proc_iter_file_ops_compat;
+ else
+ inode->i_fop = &proc_reg_file_ops_compat;
+--- a/fs/proc/internal.h
++++ b/fs/proc/internal.h
+@@ -84,6 +84,20 @@ static inline void pde_make_permanent(st
+ pde->flags |= PROC_ENTRY_PERMANENT;
+ }
+
++static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde)
++{
++ return pde->flags & PROC_ENTRY_proc_read_iter;
++}
++
++static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde)
++{
++#ifdef CONFIG_COMPAT
++ return pde->flags & PROC_ENTRY_proc_compat_ioctl;
++#else
++ return false;
++#endif
++}
++
+ extern struct kmem_cache *proc_dir_entry_cache;
+ void pde_free(struct proc_dir_entry *pde);
+
+--- a/include/linux/proc_fs.h
++++ b/include/linux/proc_fs.h
+@@ -20,10 +20,13 @@ enum {
+ * If in doubt, ignore this flag.
+ */
+ #ifdef MODULE
+- PROC_ENTRY_PERMANENT = 0U,
++ PROC_ENTRY_PERMANENT = 0U,
+ #else
+- PROC_ENTRY_PERMANENT = 1U << 0,
++ PROC_ENTRY_PERMANENT = 1U << 0,
+ #endif
++
++ PROC_ENTRY_proc_read_iter = 1U << 1,
++ PROC_ENTRY_proc_compat_ioctl = 1U << 2,
+ };
+
+ struct proc_ops {
diff --git a/queue-6.1/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch b/queue-6.1/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch
new file mode 100644
index 0000000000..4c1960edf1
--- /dev/null
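Review bot: The fix only holds if pde_set_flags() runs on every path that assigns `proc_ops` before proc_register(), and the patch enforces that by hand, adding the call to proc_create_seq_private() and proc_create_single_data(). pde_set_flags() stays `static` in fs/proc/generic.c, so a creator in another file that sets `proc_ops` itself cannot call it; such an entry would have neither new flag set, and proc_get_inode() would silently pick `proc_reg_file_ops` even when the entry provides `proc_read_iter`. Whether such creators exist is not visible in this patch and should be checked across the callers of proc_register(). Making the caching part of proc_register() for entries that have `proc_ops` would turn the invariant into structure; failing that, pde_set_flags() should carry a comment such as `/* must run before proc_register(): proc_get_inode() reads pde->flags, never pde->proc_ops */`.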
+++ b/queue-6.1/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch
@@ -0,0 +1,57 @@
+From 2c7a50bec4958f1d1c84d19cde518d0e96a676fd Mon Sep 17 00:00:00 2001
+From: Christian Eggers
+Date: Thu, 13 Mar 2025 11:27:39 +0100
+Subject: regulator: check that dummy regulator has been probed before using it
+
+From: Christian Eggers
+
+commit 2c7a50bec4958f1d1c84d19cde518d0e96a676fd upstream.
+
+Due to asynchronous driver probing there is a chance that the dummy
+regulator hasn't already been probed when first accessing it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers
+Link: https://patch.msgid.link/20250313103051.32430-3-ceggers@arri.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/regulator/core.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -2091,6 +2091,10 @@ static int regulator_resolve_supply(stru
+
+ if (have_full_constraints()) {
+ r = dummy_regulator_rdev;
++ if (!r) {
++ ret = -EPROBE_DEFER;
++ goto out;
++ }
+ get_device(&r->dev);
+ } else {
+ dev_err(dev, "Failed to resolve %s-supply for %s\n",
+@@ -2108,6 +2112,10 @@ static int regulator_resolve_supply(stru
+ goto out;
+ }
+ r = dummy_regulator_rdev;
++ if (!r) {
++ ret = -EPROBE_DEFER;
++ goto out;
++ }
+ get_device(&r->dev);
+ }
+
+@@ -2216,8 +2224,10 @@ struct regulator *_regulator_get(struct
+ * enabled, even if it isn't hooked up, and just
+ * provide a dummy.
+ */
+- dev_warn(dev, "supply %s not found, using dummy regulator\n", id);
+ rdev = dummy_regulator_rdev;
++ if (!rdev)
++ return ERR_PTR(-EPROBE_DEFER);
++ dev_warn(dev, "supply %s not found, using dummy regulator\n", id);
+ get_device(&rdev->dev);
+ break;
+
diff --git a/queue-6.1/series b/queue-6.1/series
index b43699a236..169665746a 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
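Review bot: The three new NULL checks on `dummy_regulator_rdev` carry no comment, so the code does not show why the dummy regulator pointer can be NULL at these points or why the answer is to defer. The commit message gives the reason, asynchronous probing; I would record it at the first check in regulator_resolve_supply() as `/* the dummy regulator is probed asynchronously and may not be registered yet */` and repeat a short form at the second check and in _regulator_get(). The checks read the pointer with no ordering visible in the hunk against the code that sets it, so it is worth confirming that the store is published before consumers can see a non-NULL value. Both functions extend beyond the hunk.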
@@ -168,3 +168,25 @@ net-atm-fix-use-after-free-in-lec_send.patch
 net-lwtunnel-fix-recursion-loops.patch
 net-neighbor-add-missing-policy-for-ndtpa_queue_lenb.patch
 revert-gre-fix-ipv6-link-local-address-generation.patch
+i2c-omap-fix-irq-storms.patch
+can-rcar_canfd-fix-page-entries-in-the-afl-list.patch
+can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch
+can-flexcan-disable-transceiver-during-system-pm.patch
+drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch
+regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch
+arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch
+arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch
+mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch
+mmc-atmel-mci-add-missing-clk_disable_unprepare.patch
+proc-fix-uaf-in-proc_get_inode.patch
+memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch
+arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch
+efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch
+xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch
+batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch
+soc-qcom-pdr-fix-the-potential-deadlock.patch
+drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch
+drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch
+drm-amd-display-should-support-dmub-hw-lock-on-replay.patch
+drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch
+arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch
diff --git a/queue-6.1/soc-qcom-pdr-fix-the-potential-deadlock.patch b/queue-6.1/soc-qcom-pdr-fix-the-potential-deadlock.patch
new file mode 100644
index 0000000000..339ad4e6ad
--- /dev/null
+++ b/queue-6.1/soc-qcom-pdr-fix-the-potential-deadlock.patch
@@ -0,0 +1,90 @@
+From 2eeb03ad9f42dfece63051be2400af487ddb96d2 Mon Sep 17 00:00:00 2001
+From: Saranya R
+Date: Wed, 12 Feb 2025 22:07:20 +0530
+Subject: soc: qcom: pdr: Fix the potential deadlock
+
+From: Saranya R
+
+commit 2eeb03ad9f42dfece63051be2400af487ddb96d2 upstream.
+
+When some client process A call pdr_add_lookup() to add the look up for
+the service and does schedule locator work, later a process B got a new
+server packet indicating locator is up and call pdr_locator_new_server()
+which eventually sets pdr->locator_init_complete to true which process A
+sees and takes list lock and queries domain list but it will timeout due
+to deadlock as the response will queued to the same qmi->wq and it is
+ordered workqueue and process B is not able to complete new server
+request work due to deadlock on list lock.
+
+Fix it by removing the unnecessary list iteration as the list iteration
+is already being done inside locator work, so avoid it here and just
+call schedule_work() here.
+
+ Process A Process B
+
+ process_scheduled_works()
+pdr_add_lookup() qmi_data_ready_work()
+ process_scheduled_works() pdr_locator_new_server()
+ pdr->locator_init_complete=true;
+ pdr_locator_work()
+ mutex_lock(&pdr->list_lock);
+
+ pdr_locate_service() mutex_lock(&pdr->list_lock);
+
+ pdr_get_domain_list()
+ pr_err("PDR: %s get domain list
+ txn wait failed: %d\n",
+ req->service_name,
+ ret);
+
+Timeout error log due to deadlock:
+
+"
+ PDR: tms/servreg get domain list txn wait failed: -110
+ PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110
+"
+
+Thanks to Bjorn and Johan for letting me know that this commit also fixes
+an audio regression when using the in-kernel pd-mapper as that makes it
+easier to hit this race. [1]
+
+Link: https://lore.kernel.org/lkml/Zqet8iInnDhnxkT9@hovoldconsulting.com/ # [1]
+Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers")
+CC: stable@vger.kernel.org
+Reviewed-by: Bjorn Andersson
+Tested-by: Bjorn Andersson
+Tested-by: Johan Hovold
+Signed-off-by: Saranya R
+Co-developed-by: Mukesh Ojha
+Signed-off-by: Mukesh Ojha
+Link: https://lore.kernel.org/r/20250212163720.1577876-1-mukesh.ojha@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/qcom/pdr_interface.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/soc/qcom/pdr_interface.c
++++ b/drivers/soc/qcom/pdr_interface.c
+@@ -74,7 +74,6 @@ static int pdr_locator_new_server(struct
+ {
+ struct pdr_handle *pdr = container_of(qmi, struct pdr_handle,
+ locator_hdl);
+- struct pdr_service *pds;
+
+ mutex_lock(&pdr->lock);
+ /* Create a local client port for QMI communication */
+@@ -86,12 +85,7 @@ static int pdr_locator_new_server(struct
+ mutex_unlock(&pdr->lock);
+
+ /* Service pending lookup requests */
+- mutex_lock(&pdr->list_lock);
+- list_for_each_entry(pds, &pdr->lookups, node) {
+- if (pds->need_locator_lookup)
+- schedule_work(&pdr->locator_work);
+- }
+- mutex_unlock(&pdr->list_lock);
++ schedule_work(&pdr->locator_work);
+
+ return 0;
+ }
diff --git a/queue-6.1/xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch b/queue-6.1/xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch
new file mode 100644
index 0000000000..784662ef26
--- /dev/null
+++ b/queue-6.1/xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch
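Review bot: The surviving comment `/* Service pending lookup requests */` no longer describes the code in pdr_locator_new_server(): `schedule_work(&pdr->locator_work);` is now unconditional, and the reason `list_lock` must not be taken here exists only in the commit message. Since retaking the lock would bring the deadlock back, I would replace the comment with `/* Kick the locator work unconditionally; it walks pdr->lookups under list_lock itself, so do not take list_lock here */`. The ordered-workqueue detail behind the deadlock comes from the commit message, not from visible code. The function's signature is cut off in the hunk header.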
@@ -0,0 +1,38 @@
+From 559847f56769037e5b2e0474d3dbff985b98083d Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia
+Date: Thu, 13 Mar 2025 08:50:08 +0000
+Subject: xsk: fix an integer overflow in xp_create_and_assign_umem()
+
+From: Gavrilov Ilia
+
+commit 559847f56769037e5b2e0474d3dbff985b98083d upstream.
+
+Since the i and pool->chunk_size variables are of type 'u32',
+their product can wrap around and then be cast to 'u64'.
+This can lead to two different XDP buffers pointing to the same
+memory area.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 94033cd8e73b ("xsk: Optimize for aligned case")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov
+Link: https://patch.msgid.link/20250313085007.3116044-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xdp/xsk_buff_pool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -102,7 +102,7 @@ struct xsk_buff_pool *xp_create_and_assi
+ if (pool->unaligned)
+ pool->free_heads[i] = xskb;
+ else
+- xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);
++ xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);
+ }
+
+ return pool;
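Review bot: The `(u64)` cast in `xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);` is the only thing keeping two buffers from aliasing the same memory, yet it reads like a redundant cast that a later cleanup could remove. A comment above the call, for example `/* widen before multiplying: i and chunk_size are u32 and the product can exceed 32 bits */`, would record why it is there. Other `u32` products in xp_create_and_assign_umem() are outside the hunk, so it is worth checking that no sibling expression wraps the same way.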