From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 13:32:16 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.12.24~54 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=78d8877d071706c592ab1dc6453b73b54757ea66;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: cifs-avoid-null-pointer-dereference-in-dbg-call.patch cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch cifs-fix-integer-overflow-in-match_server.patch clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch crypto-ccp-fix-check-for-the-primary-asp-device.patch dm-ebs-fix-prefetch-vs-suspend-race.patch dm-integrity-set-ti-error-on-memory-allocation-failure.patch dm-verity-fix-prefetch-vs-suspend-race.patch dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch tracing-do-not-add-length-to-print-format-in-synthetic-events.patch x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch --- diff --git a/queue-6.6/cifs-avoid-null-pointer-dereference-in-dbg-call.patch b/queue-6.6/cifs-avoid-null-pointer-dereference-in-dbg-call.patch new file mode 100644 index 0000000000..92f6132dc6 --- /dev/null 
+++ b/queue-6.6/cifs-avoid-null-pointer-dereference-in-dbg-call.patch @@ -0,0 +1,42 @@ +From b4885bd5935bb26f0a414ad55679a372e53f9b9b Mon Sep 17 00:00:00 2001 +From: Alexandra Diupina +Date: Wed, 19 Mar 2025 17:28:58 +0300 +Subject: cifs: avoid NULL pointer dereference in dbg call + +From: Alexandra Diupina + +commit b4885bd5935bb26f0a414ad55679a372e53f9b9b upstream. + +cifs_server_dbg() implies server to be non-NULL so +move call under condition to avoid NULL pointer dereference. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors") +Cc: stable@vger.kernel.org +Signed-off-by: Alexandra Diupina +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2misc.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/smb/client/smb2misc.c ++++ b/fs/smb/client/smb2misc.c +@@ -816,11 +816,12 @@ smb2_handle_cancelled_close(struct cifs_ + WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative"); + spin_unlock(&cifs_tcp_ses_lock); + +- if (tcon->ses) ++ if (tcon->ses) { + server = tcon->ses->server; +- +- cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n", +- tcon->tid, persistent_fid, volatile_fid); ++ cifs_server_dbg(FYI, ++ "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n", ++ tcon->tid, persistent_fid, volatile_fid); ++ } + + return 0; + } diff --git a/queue-6.6/cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch b/queue-6.6/cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch new file mode 100644 index 0000000000..38b7fcd918 --- /dev/null +++ b/queue-6.6/cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch 
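Review bot: In smb2_handle_cancelled_close(), the path where `tcon->ses` is NULL now returns 0 without logging anything, so the skipped async close retry leaves no trace in exactly the state this fix targets. A fallback that does not need `server` would keep the event visible, e.g. `else cifs_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry\n", tcon->tid);`. The guard also covers only `tcon->ses`; whether `tcon->ses->server` can be NULL at this point is not visible in the hunk, and since the commit message says `cifs_server_dbg()` needs a non-NULL server, that should be confirmed. The function body starts outside the hunk.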
@@ -0,0 +1,85 @@ +From 6f8a394aa952257575910d57cf0a63627fa949a2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Sat, 5 Apr 2025 19:51:07 +0200 +Subject: cifs: Ensure that all non-client-specific reparse points are processed by the server +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit 6f8a394aa952257575910d57cf0a63627fa949a2 upstream. + +Fix regression in mounts to e.g. onedrive shares. + +Generally, reparse points are processed by the SMB server during the +SMB OPEN request, but there are few reparse points which do not have +OPEN-like meaning for the SMB server and has to be processed by the SMB +client. Those are symlinks and special files (fifo, socket, block, char). + +For Linux SMB client, it is required to process also name surrogate reparse +points as they represent another entity on the SMB server system. Linux +client will mark them as separate mount points. Examples of name surrogate +reparse points are NTFS junction points (e.g. created by the "mklink" tool +on Windows servers). + +So after processing the name surrogate reparse points, clear the +-EOPNOTSUPP error code returned from the parse_reparse_point() to let SMB +server to process reparse points. + +And remove printing misleading error message "unhandled reparse tag:" as +reparse points are handled by SMB server and hence unhandled fact is normal +operation. 
+ +Fixes: cad3fc0a4c8c ("cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point()") +Fixes: b587fd128660 ("cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes") +Cc: stable@vger.kernel.org +Reported-by: Junwen Sun +Tested-by: Junwen Sun +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/inode.c | 10 ++++++++++ + fs/smb/client/reparse.c | 4 ---- + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/smb/client/inode.c ++++ b/fs/smb/client/inode.c +@@ -1145,6 +1145,16 @@ static int reparse_info_to_fattr(struct + cifs_create_junction_fattr(fattr, sb); + goto out; + } ++ /* ++ * If the reparse point is unsupported by the Linux SMB ++ * client then let it process by the SMB server. So mask ++ * the -EOPNOTSUPP error code. This will allow Linux SMB ++ * client to send SMB OPEN request to server. If server ++ * does not support this reparse point too then server ++ * will return error during open the path. ++ */ ++ if (rc == -EOPNOTSUPP) ++ rc = 0; + } + break; + } +--- a/fs/smb/client/reparse.c ++++ b/fs/smb/client/reparse.c +@@ -633,8 +633,6 @@ int parse_reparse_point(struct reparse_d + const char *full_path, + bool unicode, struct cifs_open_info_data *data) + { +- struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb); +- + data->reparse.buf = buf; + + /* See MS-FSCC 2.1.2 */ +@@ -658,8 +656,6 @@ int parse_reparse_point(struct reparse_d + } + return 0; + default: +- cifs_tcon_dbg(VFS | ONCE, "unhandled reparse tag: 0x%08x\n", +- le32_to_cpu(buf->ReparseTag)); + return -EOPNOTSUPP; + } + } diff --git a/queue-6.6/cifs-fix-integer-overflow-in-match_server.patch b/queue-6.6/cifs-fix-integer-overflow-in-match_server.patch new file mode 100644 index 0000000000..63ab128f6f --- /dev/null +++ b/queue-6.6/cifs-fix-integer-overflow-in-match_server.patch 
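Review bot: With the `cifs_tcon_dbg(VFS | ONCE, ...)` line removed from the `default:` case of parse_reparse_point() and `-EOPNOTSUPP` masked to 0 in reparse_info_to_fattr(), an unrecognised reparse tag is now passed over with no record of its value. Dropping the VFS-level message is the stated intent, but a debug-level line such as `cifs_dbg(FYI, "reparse tag 0x%08x left to server\n", le32_to_cpu(buf->ReparseTag));` would keep the tag available when triaging unexpected server responses. The new comment in inode.c would read more clearly as "let the SMB server process it" and "when opening the path". Both functions extend beyond their hunks, so any other source of `-EOPNOTSUPP` in that branch is masked as well and should be checked.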
@@ -0,0 +1,41 @@ +From 2510859475d7f46ed7940db0853f3342bf1b65ee Mon Sep 17 00:00:00 2001 +From: Roman Smirnov +Date: Mon, 31 Mar 2025 11:22:49 +0300 +Subject: cifs: fix integer overflow in match_server() + +From: Roman Smirnov + +commit 2510859475d7f46ed7940db0853f3342bf1b65ee upstream. + +The echo_interval is not limited in any way during mounting, +which makes it possible to write a large number to it. This can +cause an overflow when multiplying ctx->echo_interval by HZ in +match_server(). + +Add constraints for echo_interval to smb3_fs_context_parse_param(). + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable") +Cc: stable@vger.kernel.org +Signed-off-by: Roman Smirnov +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/fs_context.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -1299,6 +1299,11 @@ static int smb3_fs_context_parse_param(s + ctx->closetimeo = HZ * result.uint_32; + break; + case Opt_echo_interval: ++ if (result.uint_32 < SMB_ECHO_INTERVAL_MIN || ++ result.uint_32 > SMB_ECHO_INTERVAL_MAX) { ++ cifs_errorf(fc, "echo interval is out of bounds\n"); ++ goto cifs_parse_mount_err; ++ } + ctx->echo_interval = result.uint_32; + break; + case Opt_snapshot: diff --git a/queue-6.6/clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch b/queue-6.6/clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch new file mode 100644 index 0000000000..ddee8178a4 --- /dev/null +++ b/queue-6.6/clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch 
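Review bot: The context line directly above the new check, `ctx->closetimeo = HZ * result.uint_32;`, multiplies a mount option by HZ in the same way this patch guards against for `echo_interval`. Any bound applied to it lies outside the hunk and should be confirmed. For the added check itself, the message `echo interval is out of bounds` does not state the accepted range; including `SMB_ECHO_INTERVAL_MIN` and `SMB_ECHO_INTERVAL_MAX` in the message would let an administrator correct the option without reading the source. smb3_fs_context_parse_param() starts and ends outside the hunk.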
@@ -0,0 +1,49 @@ +From 5eac348182d2b5ed1066459abedb7bc6b5466f81 Mon Sep 17 00:00:00 2001 +From: Ajit Pandey +Date: Tue, 28 Jan 2025 17:08:35 +0530 +Subject: clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks + +From: Ajit Pandey + +commit 5eac348182d2b5ed1066459abedb7bc6b5466f81 upstream. + +BRANCH_HALT_ENABLE and BRANCH_HALT_ENABLE_VOTED flags are used to check +halt status of branch clocks, which have an inverted logic for the halt +bit in CBCR register. However, the current logic in the _check_halt() +method only compares the BRANCH_HALT_ENABLE flags, ignoring the votable +branch clocks. + +Update the logic to correctly handle the invert logic for votable clocks +using the BRANCH_HALT_ENABLE_VOTED flags. + +Fixes: 9092d1083a62 ("clk: qcom: branch: Extend the invert logic for branch2 clocks") +Cc: stable@vger.kernel.org +Signed-off-by: Ajit Pandey +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250128-push_fix-v1-1-fafec6747881@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/clk-branch.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/qcom/clk-branch.c ++++ b/drivers/clk/qcom/clk-branch.c +@@ -27,7 +27,7 @@ static bool clk_branch_in_hwcg_mode(cons + + static bool clk_branch_check_halt(const struct clk_branch *br, bool enabling) + { +- bool invert = (br->halt_check == BRANCH_HALT_ENABLE); ++ bool invert = (br->halt_check & BRANCH_HALT_ENABLE); + u32 val; + + regmap_read(br->clkr.regmap, br->halt_reg, &val); +@@ -43,7 +43,7 @@ static bool clk_branch2_check_halt(const + { + u32 val; + u32 mask; +- bool invert = (br->halt_check == BRANCH_HALT_ENABLE); ++ bool invert = (br->halt_check & BRANCH_HALT_ENABLE); + + mask = CBCR_NOC_FSM_STATUS; + mask |= CBCR_CLK_OFF; 
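Review bot: `bool invert = (br->halt_check & BRANCH_HALT_ENABLE);` in clk_branch_check_halt() and clk_branch2_check_halt() now treats every `halt_check` value with that bit set as inverted, not only `BRANCH_HALT_ENABLE` and `BRANCH_HALT_ENABLE_VOTED`. The flag definitions are outside the hunk, so it should be confirmed that no other halt mode shares the bit, or that such modes never reach these helpers. A comment on each line, for example `/* BRANCH_HALT_ENABLE_VOTED carries the BRANCH_HALT_ENABLE bit */`, together with an explicit `!!(...)`, would make the bit-test intent clear to the next reader.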
diff --git a/queue-6.6/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch b/queue-6.6/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch new file mode 100644 index 0000000000..2ed7db31c9 --- /dev/null +++ b/queue-6.6/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch 
@@ -0,0 +1,92 @@ +From 65a733464553ea192797b889d1533a1a37216f32 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Fri, 17 Jan 2025 13:54:08 +0000 +Subject: clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code + +From: Bryan O'Donoghue + +commit 65a733464553ea192797b889d1533a1a37216f32 upstream. + +Adding a new clause to this if/else I noticed the existing usage of +pm_genpd_add_subdomain() wasn't capturing and returning the result code. + +pm_genpd_add_subdomain() returns an int and can fail. Capture that result +code and throw it up the call stack if something goes wrong. + +Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support") +Cc: stable@vger.kernel.org +Signed-off-by: Bryan O'Donoghue +Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-2-13f2bb656dad@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gdsc.c | 40 +++++++++++++++++++++++++++------------- + 1 file changed, 27 insertions(+), 13 deletions(-) + +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -465,6 +465,23 @@ err_disable_supply: + return ret; + } + ++static void gdsc_pm_subdomain_remove(struct gdsc_desc *desc, size_t num) ++{ ++ struct device *dev = desc->dev; ++ struct gdsc **scs = desc->scs; ++ int i; ++ ++ /* Remove subdomains */ ++ for (i = num - 1; i >= 0; i--) { ++ if (!scs[i]) ++ continue; ++ if (scs[i]->parent) ++ pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd); ++ else if (!IS_ERR_OR_NULL(dev->pm_domain)) ++ pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd); ++ } ++} ++ + int gdsc_register(struct gdsc_desc *desc, + struct reset_controller_dev *rcdev, struct regmap *regmap) + { +@@ -509,30 +526,27 @@ int gdsc_register(struct gdsc_desc *desc + if (!scs[i]) + continue; + if (scs[i]->parent) +- pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd); ++ ret = pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd); + else if 
(!IS_ERR_OR_NULL(dev->pm_domain)) +- pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd); ++ ret = pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd); ++ if (ret) ++ goto err_pm_subdomain_remove; + } + + return of_genpd_add_provider_onecell(dev->of_node, data); ++ ++err_pm_subdomain_remove: ++ gdsc_pm_subdomain_remove(desc, i); ++ ++ return ret; + } + + void gdsc_unregister(struct gdsc_desc *desc) + { +- int i; + struct device *dev = desc->dev; +- struct gdsc **scs = desc->scs; + size_t num = desc->num; + +- /* Remove subdomains */ +- for (i = num - 1; i >= 0; i--) { +- if (!scs[i]) +- continue; +- if (scs[i]->parent) +- pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd); +- else if (!IS_ERR_OR_NULL(dev->pm_domain)) +- pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd); +- } ++ gdsc_pm_subdomain_remove(desc, num); + of_genpd_del_provider(dev->of_node); + } + diff --git a/queue-6.6/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch b/queue-6.6/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch new file mode 100644 index 0000000000..4816fdb7e0 --- /dev/null +++ b/queue-6.6/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch 
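Review bot: In gdsc_register(), `if (ret) goto err_pm_subdomain_remove;` is evaluated even when neither the `scs[i]->parent` branch nor the `dev->pm_domain` branch ran, so it then tests whatever `ret` held from earlier code outside this hunk. Setting `ret = 0;` at the top of the loop body, or moving the test into each branch, removes that dependency. The new gdsc_pm_subdomain_remove() helper counts down with `int i` from a `size_t num` (`for (i = num - 1; i >= 0; i--)`), which terminates only because `i` is signed; the same loop is introduced in gdsc_unregister() by the reverse-order patch in this queue, so a comment or a `while (num--)` form would make it robust. The error path undoes only the subdomain links; whether earlier registration steps need unwinding cannot be judged from the hunk.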
@@ -0,0 +1,36 @@ +From 0e6dfde439df0bb977cddd3cf7fff150a084a9bf Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Fri, 17 Jan 2025 13:54:07 +0000 +Subject: clk: qcom: gdsc: Release pm subdomains in reverse add order + +From: Bryan O'Donoghue + +commit 0e6dfde439df0bb977cddd3cf7fff150a084a9bf upstream. + +gdsc_unregister() should release subdomains in the reverse order to the +order in which those subdomains were added. + +I've made this patch a standalone patch because it facilitates a subsequent +fix to stable. + +Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support") +Cc: stable@vger.kernel.org +Signed-off-by: Bryan O'Donoghue +Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-1-13f2bb656dad@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gdsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -525,7 +525,7 @@ void gdsc_unregister(struct gdsc_desc *d + size_t num = desc->num; + + /* Remove subdomains */ +- for (i = 0; i < num; i++) { ++ for (i = num - 1; i >= 0; i--) { + if (!scs[i]) + continue; + if (scs[i]->parent) diff --git a/queue-6.6/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch b/queue-6.6/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch new file mode 100644 index 0000000000..35bf583f63 --- /dev/null +++ b/queue-6.6/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch 
@@ -0,0 +1,79 @@ +From 25708f73ff171bb4171950c9f4be5aa8504b8459 Mon Sep 17 00:00:00 2001 +From: Taniya Das +Date: Fri, 14 Feb 2025 09:56:59 +0530 +Subject: clk: qcom: gdsc: Set retain_ff before moving to HW CTRL + +From: Taniya Das + +commit 25708f73ff171bb4171950c9f4be5aa8504b8459 upstream. + +Enable the retain_ff_enable bit of GDSCR only if the GDSC is already ON. +Once the GDSCR moves to HW control, SW no longer can determine the state +of the GDSCR and setting the retain_ff bit could destroy all the register +contents we intended to save. +Therefore, move the retain_ff configuration before switching the GDSC to +HW trigger mode. + +Cc: stable@vger.kernel.org +Fixes: 173722995cdb ("clk: qcom: gdsc: Add support to enable retention of GSDCR") +Signed-off-by: Taniya Das +Reviewed-by: Imran Shaik +Tested-by: Imran Shaik # on QCS8300 +Link: https://lore.kernel.org/r/20250214-gdsc_fixes-v1-1-73e56d68a80f@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gdsc.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -292,6 +292,9 @@ static int gdsc_enable(struct generic_pm + */ + udelay(1); + ++ if (sc->flags & RETAIN_FF_ENABLE) ++ gdsc_retain_ff_on(sc); ++ + /* Turn on HW trigger mode if supported */ + if (sc->flags & HW_CTRL) { + ret = gdsc_hwctrl(sc, true); +@@ -308,9 +311,6 @@ static int gdsc_enable(struct generic_pm + udelay(1); + } + +- if (sc->flags & RETAIN_FF_ENABLE) +- gdsc_retain_ff_on(sc); +- + return 0; + } + +@@ -420,13 +420,6 @@ static int gdsc_init(struct gdsc *sc) + goto err_disable_supply; + } + +- /* Turn on HW trigger mode if supported */ +- if (sc->flags & HW_CTRL) { +- ret = gdsc_hwctrl(sc, true); +- if (ret < 0) +- goto err_disable_supply; +- } +- + /* + * Make sure the retain bit is set if the GDSC is already on, + * otherwise we end up turning off the GDSC and destroying all +@@ -434,6 +427,14 @@ static 
int gdsc_init(struct gdsc *sc) + */ + if (sc->flags & RETAIN_FF_ENABLE) + gdsc_retain_ff_on(sc); ++ ++ /* Turn on HW trigger mode if supported */ ++ if (sc->flags & HW_CTRL) { ++ ret = gdsc_hwctrl(sc, true); ++ if (ret < 0) ++ goto err_disable_supply; ++ } ++ + } else if (sc->flags & ALWAYS_ON) { + /* If ALWAYS_ON GDSCs are not ON, turn them ON */ + gdsc_enable(&sc->pd); diff --git a/queue-6.6/crypto-ccp-fix-check-for-the-primary-asp-device.patch b/queue-6.6/crypto-ccp-fix-check-for-the-primary-asp-device.patch new file mode 100644 index 0000000000..0352c9d829 --- /dev/null +++ b/queue-6.6/crypto-ccp-fix-check-for-the-primary-asp-device.patch 
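Review bot: The gdsc_enable() hunk moves `gdsc_retain_ff_on(sc)` ahead of the HW_CTRL switch without a comment, so the ordering constraint described in the commit message is recorded only in gdsc_init(). A short comment above the moved lines, e.g. `/* Set RETAIN_FF while SW still controls the GDSC; its state is unknown once HW_CTRL is on */`, would keep a later cleanup from reordering it again. In gdsc_init() the added block leaves a stray blank line before `} else if (sc->flags & ALWAYS_ON) {`. Both function bodies extend beyond their hunks.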
@@ -0,0 +1,54 @@ +From 07bb097b92b987db518e72525b515d77904e966e Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Fri, 17 Jan 2025 17:05:47 -0600 +Subject: crypto: ccp - Fix check for the primary ASP device + +From: Tom Lendacky + +commit 07bb097b92b987db518e72525b515d77904e966e upstream. + +Currently, the ASP primary device check does not have support for PCI +domains, and, as a result, when the system is configured with PCI domains +(PCI segments) the wrong device can be selected as primary. This results +in commands submitted to the device timing out and failing. The device +check also relies on specific device and function assignments that may +not hold in the future. + +Fix the primary ASP device check to include support for PCI domains and +to perform proper checking of the Bus/Device/Function positions. + +Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support") +Cc: stable@vger.kernel.org +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sp-pci.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/ccp/sp-pci.c ++++ b/drivers/crypto/ccp/sp-pci.c +@@ -243,14 +243,17 @@ static bool sp_pci_is_master(struct sp_d + pdev_new = to_pci_dev(dev_new); + pdev_cur = to_pci_dev(dev_cur); + +- if (pdev_new->bus->number < pdev_cur->bus->number) +- return true; ++ if (pci_domain_nr(pdev_new->bus) != pci_domain_nr(pdev_cur->bus)) ++ return pci_domain_nr(pdev_new->bus) < pci_domain_nr(pdev_cur->bus); + +- if (PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn)) +- return true; ++ if (pdev_new->bus->number != pdev_cur->bus->number) ++ return pdev_new->bus->number < pdev_cur->bus->number; + +- if (PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn)) +- return true; ++ if (PCI_SLOT(pdev_new->devfn) != PCI_SLOT(pdev_cur->devfn)) ++ return PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn); ++ ++ if (PCI_FUNC(pdev_new->devfn) != 
PCI_FUNC(pdev_cur->devfn)) ++ return PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn); + + return false; + } diff --git a/queue-6.6/dm-ebs-fix-prefetch-vs-suspend-race.patch b/queue-6.6/dm-ebs-fix-prefetch-vs-suspend-race.patch new file mode 100644 index 0000000000..fc4d1c80a4 --- /dev/null +++ b/queue-6.6/dm-ebs-fix-prefetch-vs-suspend-race.patch @@ -0,0 +1,43 @@ +From 9c565428788fb9b49066f94ab7b10efc686a0a4c Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 28 Mar 2025 16:19:07 +0100 +Subject: dm-ebs: fix prefetch-vs-suspend race + +From: Mikulas Patocka + +commit 9c565428788fb9b49066f94ab7b10efc686a0a4c upstream. + +There's a possible race condition in dm-ebs - dm bufio prefetch may be in +progress while the device is suspended. Fix this by calling +dm_bufio_client_reset in the postsuspend hook. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ebs-target.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/md/dm-ebs-target.c ++++ b/drivers/md/dm-ebs-target.c +@@ -390,6 +390,12 @@ static int ebs_map(struct dm_target *ti, + return DM_MAPIO_REMAPPED; + } + ++static void ebs_postsuspend(struct dm_target *ti) ++{ ++ struct ebs_c *ec = ti->private; ++ dm_bufio_client_reset(ec->bufio); ++} ++ + static void ebs_status(struct dm_target *ti, status_type_t type, + unsigned int status_flags, char *result, unsigned int maxlen) + { +@@ -447,6 +453,7 @@ static struct target_type ebs_target = { + .ctr = ebs_ctr, + .dtr = ebs_dtr, + .map = ebs_map, ++ .postsuspend = ebs_postsuspend, + .status = ebs_status, + .io_hints = ebs_io_hints, + .prepare_ioctl = ebs_prepare_ioctl, diff --git a/queue-6.6/dm-integrity-set-ti-error-on-memory-allocation-failure.patch b/queue-6.6/dm-integrity-set-ti-error-on-memory-allocation-failure.patch new file mode 100644 index 0000000000..804f385d91 --- /dev/null +++ b/queue-6.6/dm-integrity-set-ti-error-on-memory-allocation-failure.patch 
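Review bot: sp_pci_is_master() now implements a strict domain, bus, slot, function ordering, but nothing in the function says so, and each key is evaluated twice per step. A one-line comment such as `/* Primary is the device with the lowest domain:bus:slot.func */` would document the rule that decides which ASP device is selected as primary. Caching `pci_domain_nr()` of both buses in locals would make the four comparisons easier to audit. The start of the function is outside the hunk.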
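Review bot: ebs_postsuspend() calls `dm_bufio_client_reset(ec->bufio)` without first draining queued work, whereas verity_postsuspend() in the dm-verity patch of this same queue calls `flush_workqueue()` before the reset. Whether dm-ebs has a work item that can start a prefetch after the reset is not visible in this hunk, so that should be confirmed and the answer recorded in a comment above the call. Kernel style also expects a blank line between the `struct ebs_c *ec = ti->private;` declaration and the call.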
@@ -0,0 +1,41 @@ +From 00204ae3d6712ee053353920e3ce2b00c35ef75b Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 10 Feb 2025 16:14:22 +0100 +Subject: dm-integrity: set ti->error on memory allocation failure + +From: Mikulas Patocka + +commit 00204ae3d6712ee053353920e3ce2b00c35ef75b upstream. + +The dm-integrity target didn't set the error string when memory +allocation failed. This patch fixes it. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-integrity.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -4594,16 +4594,19 @@ try_smaller_buffer: + + ic->recalc_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages); + if (!ic->recalc_bitmap) { ++ ti->error = "Could not allocate memory for bitmap"; + r = -ENOMEM; + goto bad; + } + ic->may_write_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages); + if (!ic->may_write_bitmap) { ++ ti->error = "Could not allocate memory for bitmap"; + r = -ENOMEM; + goto bad; + } + ic->bbs = kvmalloc_array(ic->n_bitmap_blocks, sizeof(struct bitmap_block_status), GFP_KERNEL); + if (!ic->bbs) { ++ ti->error = "Could not allocate memory for bitmap"; + r = -ENOMEM; + goto bad; + } diff --git a/queue-6.6/dm-verity-fix-prefetch-vs-suspend-race.patch b/queue-6.6/dm-verity-fix-prefetch-vs-suspend-race.patch new file mode 100644 index 0000000000..064e60a665 --- /dev/null +++ b/queue-6.6/dm-verity-fix-prefetch-vs-suspend-race.patch 
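Review bot: All three failure paths set the identical string `"Could not allocate memory for bitmap"`, so the reported error cannot distinguish the `recalc_bitmap`, `may_write_bitmap` and `bbs` allocations. Distinct messages, e.g. `ti->error = "Could not allocate memory for recalc bitmap";` with matching variants for the may-write bitmap and the bitmap block status array, would make a constructor failure diagnosable from the log alone. The enclosing function starts and ends outside the hunk.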
@@ -0,0 +1,45 @@ +From 2de510fccbca3d1906b55f4be5f1de83fa2424ef Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 28 Mar 2025 16:17:45 +0100 +Subject: dm-verity: fix prefetch-vs-suspend race + +From: Mikulas Patocka + +commit 2de510fccbca3d1906b55f4be5f1de83fa2424ef upstream. + +There's a possible race condition in dm-verity - the prefetch work item +may race with suspend and it is possible that prefetch continues to run +while the device is suspended. Fix this by calling flush_workqueue and +dm_bufio_client_reset in the postsuspend hook. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-target.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -836,6 +836,13 @@ static int verity_map(struct dm_target * + return DM_MAPIO_SUBMITTED; + } + ++static void verity_postsuspend(struct dm_target *ti) ++{ ++ struct dm_verity *v = ti->private; ++ flush_workqueue(v->verify_wq); ++ dm_bufio_client_reset(v->bufio); ++} ++ + /* + * Status: V (valid) or C (corruption found) + */ +@@ -1557,6 +1564,7 @@ static struct target_type verity_target + .ctr = verity_ctr, + .dtr = verity_dtr, + .map = verity_map, ++ .postsuspend = verity_postsuspend, + .status = verity_status, + .prepare_ioctl = verity_prepare_ioctl, + .iterate_devices = verity_iterate_devices, diff --git a/queue-6.6/dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch b/queue-6.6/dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch new file mode 100644 index 0000000000..0fc491ec3a --- /dev/null +++ b/queue-6.6/dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch 
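Review bot: verity_postsuspend() depends on the order of its two calls, `flush_workqueue(v->verify_wq)` then `dm_bufio_client_reset(v->bufio)`, but carries no comment explaining it. Something like `/* Drain prefetch work first, then reset the bufio client it may have used */` above the calls would protect the ordering; this reading is taken from the commit message, since neither helper's body is visible here. A blank line after the `struct dm_verity *v = ti->private;` declaration would match kernel style.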
@@ -0,0 +1,36 @@ +From d72deaf05ac18e421d7e52a6be8966fd6ee185f4 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 26 Feb 2025 12:29:13 +0100 +Subject: dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg' + +From: Krzysztof Kozlowski + +commit d72deaf05ac18e421d7e52a6be8966fd6ee185f4 upstream. + +Binding listed variable number of IO addresses without defining them, +however example DTS code, all in-tree DTS and Linux kernel driver +mention only one address space, so drop the second to make binding +precise and correctly describe the hardware. + +Fixes: a8fbe1442c2b ("dt-bindings: arm: Adds CoreSight TPDA hardware definitions") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250226112914.94361-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml ++++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml +@@ -55,8 +55,7 @@ properties: + - const: arm,primecell + + reg: +- minItems: 1 +- maxItems: 2 ++ maxItems: 1 + + clocks: + maxItems: 1 diff --git a/queue-6.6/dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch b/queue-6.6/dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch new file mode 100644 index 0000000000..8f263dc22f --- /dev/null +++ b/queue-6.6/dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch 
@@ -0,0 +1,36 @@ +From 1e4e454223f770748775f211455513c79cb3121e Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 26 Feb 2025 12:29:14 +0100 +Subject: dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg' + +From: Krzysztof Kozlowski + +commit 1e4e454223f770748775f211455513c79cb3121e upstream. + +Binding listed variable number of IO addresses without defining them, +however example DTS code, all in-tree DTS and Linux kernel driver +mention only one address space, so drop the second to make binding +precise and correctly describe the hardware. + +Fixes: 6c781a35133d ("dt-bindings: arm: Add CoreSight TPDM hardware") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250226112914.94361-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml ++++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml +@@ -41,8 +41,7 @@ properties: + - const: arm,primecell + + reg: +- minItems: 1 +- maxItems: 2 ++ maxItems: 1 + + clocks: + maxItems: 1 diff --git a/queue-6.6/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch b/queue-6.6/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch new file mode 100644 index 0000000000..8781302ab2 --- /dev/null +++ b/queue-6.6/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch 
@@ -0,0 +1,39 @@ +From 42ea22e754ba4f2b86f8760ca27f6f71da2d982c Mon Sep 17 00:00:00 2001 +From: zhoumin +Date: Tue, 1 Apr 2025 01:00:34 +0800 +Subject: ftrace: Add cond_resched() to ftrace_graph_set_hash() + +From: zhoumin + +commit 42ea22e754ba4f2b86f8760ca27f6f71da2d982c upstream. + +When the kernel contains a large number of functions that can be traced, +the loop in ftrace_graph_set_hash() may take a lot of time to execute. +This may trigger the softlockup watchdog. + +Add cond_resched() within the loop to allow the kernel to remain +responsive even when processing a large number of functions. + +This matches the cond_resched() that is used in other locations of the +code that iterates over all functions that can be traced. + +Cc: stable@vger.kernel.org +Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables") +Link: https://lore.kernel.org/tencent_3E06CE338692017B5809534B9C5C03DA7705@qq.com +Signed-off-by: zhoumin +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -6325,6 +6325,7 @@ ftrace_graph_set_hash(struct ftrace_hash + } + } + } ++ cond_resched(); + } while_for_each_ftrace_rec(); + out: + mutex_unlock(&ftrace_lock); diff --git a/queue-6.6/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch b/queue-6.6/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch new file mode 100644 index 0000000000..c16d8489f4 --- /dev/null +++ b/queue-6.6/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch 
@@ -0,0 +1,69 @@ +From 8323f3a69de6f6e96bf22f32dd8e2920766050c2 Mon Sep 17 00:00:00 2001 +From: Guixin Liu +Date: Thu, 27 Mar 2025 11:23:49 +0800 +Subject: gpio: tegra186: fix resource handling in ACPI probe path + +From: Guixin Liu + +commit 8323f3a69de6f6e96bf22f32dd8e2920766050c2 upstream. + +When the Tegra186 GPIO controller is probed through ACPI matching, +the driver emits two error messages during probing: + "tegra186-gpio NVDA0508:00: invalid resource (null)" + "tegra186-gpio NVDA0508:00: invalid resource (null)" + +Fix this by getting resource first and then do the ioremap. + +Fixes: 2606e7c9f5fc ("gpio: tegra186: Add ACPI support") +Cc: stable@vger.kernel.org +Signed-off-by: Guixin Liu +Link: https://lore.kernel.org/r/20250327032349.78809-1-kanie@linux.alibaba.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-tegra186.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/gpio/gpio-tegra186.c ++++ b/drivers/gpio/gpio-tegra186.c +@@ -822,6 +822,7 @@ static int tegra186_gpio_probe(struct pl + struct gpio_irq_chip *irq; + struct tegra_gpio *gpio; + struct device_node *np; ++ struct resource *res; + char **names; + int err; + +@@ -841,19 +842,19 @@ static int tegra186_gpio_probe(struct pl + gpio->num_banks++; + + /* get register apertures */ +- gpio->secure = devm_platform_ioremap_resource_byname(pdev, "security"); +- if (IS_ERR(gpio->secure)) { +- gpio->secure = devm_platform_ioremap_resource(pdev, 0); +- if (IS_ERR(gpio->secure)) +- return PTR_ERR(gpio->secure); +- } +- +- gpio->base = devm_platform_ioremap_resource_byname(pdev, "gpio"); +- if (IS_ERR(gpio->base)) { +- gpio->base = devm_platform_ioremap_resource(pdev, 1); +- if (IS_ERR(gpio->base)) +- return PTR_ERR(gpio->base); +- } ++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "security"); ++ if (!res) ++ res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ gpio->secure = 
devm_ioremap_resource(&pdev->dev, res); ++ if (IS_ERR(gpio->secure)) ++ return PTR_ERR(gpio->secure); ++ ++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpio"); ++ if (!res) ++ res = platform_get_resource(pdev, IORESOURCE_MEM, 1); ++ gpio->base = devm_ioremap_resource(&pdev->dev, res); ++ if (IS_ERR(gpio->base)) ++ return PTR_ERR(gpio->base); + + err = platform_irq_count(pdev); + if (err < 0) diff --git a/queue-6.6/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch b/queue-6.6/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch new file mode 100644 index 0000000000..69e4223367 --- /dev/null +++ b/queue-6.6/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch @@ -0,0 +1,31 @@ +From c5672e310ad971d408752fce7596ed27adc6008f Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sun, 6 Apr 2025 22:22:45 +0200 +Subject: gpio: zynq: Fix wakeup source leaks on device unbind + +From: Krzysztof Kozlowski + +commit c5672e310ad971d408752fce7596ed27adc6008f upstream. + +Device can be unbound, so driver must also release memory for the wakeup +source. + +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250406202245.53854-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-zynq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpio-zynq.c ++++ b/drivers/gpio/gpio-zynq.c +@@ -1018,6 +1018,7 @@ static int zynq_gpio_remove(struct platf + ret = pm_runtime_get_sync(&pdev->dev); + if (ret < 0) + dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n"); ++ device_init_wakeup(&pdev->dev, 0); + gpiochip_remove(&gpio->chip); + clk_disable_unprepare(gpio->clk); + device_set_wakeup_capable(&pdev->dev, 0); diff --git a/queue-6.6/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch b/queue-6.6/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch new file mode 100644 index 0000000000..77e60f04f1 
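Review bot: The index fallbacks in tegra186_gpio_probe() (`platform_get_resource(pdev, IORESOURCE_MEM, 0)` for the security aperture and index 1 for the gpio aperture) have no comment saying when they are taken or why those indices are the right ones. Going by the commit message the by-name lookup is what fails on the ACPI probe path, so the existing `/* get register apertures */` comment could be extended to something like `/* by name first; ACPI-probed devices fall back to index 0 (security) and 1 (gpio) */`. If both lookups return NULL, devm_ioremap_resource() is still called with a NULL resource and is relied on to reject it. The function starts and ends outside the hunks shown.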
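Review bot: The added `device_init_wakeup(&pdev->dev, 0);` in zynq_gpio_remove() makes the existing `device_set_wakeup_capable(&pdev->dev, 0);` three lines further down redundant, because device_init_wakeup() with a false argument disables the wakeup source and then clears the wakeup-capable flag itself. Dropping the later call, or leaving it with a comment that it is intentionally kept, would avoid a reader assuming the two do different things. The parameter is a bool, so `device_init_wakeup(&pdev->dev, false);` reads more clearly than `0`. The rest of zynq_gpio_remove() lies outside the hunk.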
--- /dev/null +++ b/queue-6.6/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch @@ -0,0 +1,40 @@ +From 15970e1b23f5c25db88c613fddf9131de086f28e Mon Sep 17 00:00:00 2001 +From: Joshua Washington +Date: Wed, 2 Apr 2025 00:10:37 +0000 +Subject: gve: handle overflow when reporting TX consumed descriptors + +From: Joshua Washington + +commit 15970e1b23f5c25db88c613fddf9131de086f28e upstream. + +When the tx tail is less than the head (in cases of wraparound), the TX +consumed descriptor statistic in DQ will be reported as +UINT32_MAX - head + tail, which is incorrect. Mask the difference of +head and tail according to the ring size when reporting the statistic. + +Cc: stable@vger.kernel.org +Fixes: 2c9198356d56 ("gve: Add consumed counts to ethtool stats") +Signed-off-by: Joshua Washington +Signed-off-by: Harshitha Ramamurthy +Reviewed-by: Michal Swiatkowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250402001037.2717315-1-hramamurthy@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/google/gve/gve_ethtool.c ++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c +@@ -356,7 +356,9 @@ gve_get_ethtool_stats(struct net_device + */ + data[i++] = 0; + data[i++] = 0; +- data[i++] = tx->dqo_tx.tail - tx->dqo_tx.head; ++ data[i++] = ++ (tx->dqo_tx.tail - tx->dqo_tx.head) & ++ tx->mask; + } + do { + start = diff --git a/queue-6.6/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch b/queue-6.6/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch new file mode 100644 index 0000000000..7a4156135f --- /dev/null +++ b/queue-6.6/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch 
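Review bot: The masked subtraction `(tx->dqo_tx.tail - tx->dqo_tx.head) & tx->mask` in gve_get_ethtool_stats() is only correct if `tx->mask` equals the descriptor ring size minus one for a power-of-two ring, and nothing near the line states that. A short comment such as `/* tail may have wrapped below head; mask (ring size - 1) keeps the count within the ring */` would record the assumption, which the commit message implies but the code does not show. With this form a completely full ring would be reported as 0, so it is worth confirming that the DQO TX path never lets tail catch up with head. The enclosing function starts and ends outside the hunk.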
@@ -0,0 +1,82 @@ +From ef01cac401f18647d62720cf773d7bb0541827da Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 1 Apr 2025 08:05:04 -0700 +Subject: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses + +From: Sean Christopherson + +commit ef01cac401f18647d62720cf773d7bb0541827da upstream. + +Acquire a lock on kvm->srcu when userspace is getting MP state to handle a +rather extreme edge case where "accepting" APIC events, i.e. processing +pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU +is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP +state will trigger a nested VM-Exit by way of ->check_nested_events(), and +emuating the nested VM-Exit can access guest memory. + +The splat was originally hit by syzkaller on a Google-internal kernel, and +reproduced on an upstream kernel by hacking the triple_fault_event_test +selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a +memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. + + ============================= + WARNING: suspicious RCU usage + 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted + ----------------------------- + include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage! 
+ + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 1 lock held by triple_fault_ev/1256: + #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] + + stack backtrace: + CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + Call Trace: + + dump_stack_lvl+0x7f/0x90 + lockdep_rcu_suspicious+0x144/0x190 + kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] + kvm_vcpu_read_guest+0x3e/0x90 [kvm] + read_and_check_msr_entry+0x2e/0x180 [kvm_intel] + __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] + kvm_check_nested_events+0x1b/0x30 [kvm] + kvm_apic_accept_events+0x33/0x100 [kvm] + kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] + kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] + __x64_sys_ioctl+0x8b/0xb0 + do_syscall_64+0x6c/0x170 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20250401150504.829812-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -11396,6 +11396,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru + if (kvm_mpx_supported()) + kvm_load_guest_fpu(vcpu); + ++ kvm_vcpu_srcu_read_lock(vcpu); ++ + r = kvm_apic_accept_events(vcpu); + if (r < 0) + goto out; +@@ -11409,6 +11411,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru + mp_state->mp_state = vcpu->arch.mp_state; + + out: ++ kvm_vcpu_srcu_read_unlock(vcpu); ++ + if (kvm_mpx_supported()) + kvm_put_guest_fpu(vcpu); + vcpu_put(vcpu); diff --git a/queue-6.6/kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch b/queue-6.6/kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch new file mode 100644 index 0000000000..5ff538921c --- /dev/null 
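Review bot: The new `kvm_vcpu_srcu_read_unlock(vcpu);` sits directly under the `out:` label in kvm_arch_vcpu_ioctl_get_mpstate(), so any `goto out` taken before the new `kvm_vcpu_srcu_read_lock(vcpu);` would release a read lock that was never acquired. The only jump visible in the hunk comes after the lock, but the top of the function is outside the hunk, so this should be checked against the 6.6 source rather than assumed from upstream. A comment at the lock, for example `/* kvm_apic_accept_events() can emulate a nested VM-Exit that reads guest memory */`, would keep the reason next to the code instead of only in the commit message.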
+++ b/queue-6.6/kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch @@ -0,0 +1,55 @@ +From bc52ae0a708cb6fa3926d11c88e3c55e1171b4a1 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 14 Mar 2025 19:41:02 -0700 +Subject: KVM: x86: Explicitly zero-initialize on-stack CPUID unions + +From: Sean Christopherson + +commit bc52ae0a708cb6fa3926d11c88e3c55e1171b4a1 upstream. + +Explicitly zero/empty-initialize the unions used for PMU related CPUID +entries, instead of manually zeroing all fields (hopefully), or in the +case of 0x80000022, relying on the compiler to clobber the uninitialized +bitfields. + +Signed-off-by: Sean Christopherson +Reviewed-by: Jim Mattson +Message-ID: <20250315024102.2361628-1-seanjc@google.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/cpuid.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -1011,8 +1011,8 @@ static inline int __do_cpuid_func(struct + } + break; + case 0xa: { /* Architectural Performance Monitoring */ +- union cpuid10_eax eax; +- union cpuid10_edx edx; ++ union cpuid10_eax eax = { }; ++ union cpuid10_edx edx = { }; + + if (!enable_pmu || !static_cpu_has(X86_FEATURE_ARCH_PERFMON)) { + entry->eax = entry->ebx = entry->ecx = entry->edx = 0; +@@ -1028,8 +1028,6 @@ static inline int __do_cpuid_func(struct + + if (kvm_pmu_cap.version) + edx.split.anythread_deprecated = 1; +- edx.split.reserved1 = 0; +- edx.split.reserved2 = 0; + + entry->eax = eax.full; + entry->ebx = kvm_pmu_cap.events_mask; +@@ -1303,7 +1301,7 @@ static inline int __do_cpuid_func(struct + break; + /* AMD Extended Performance Monitoring and Debug */ + case 0x80000022: { +- union cpuid_0x80000022_ebx ebx; ++ union cpuid_0x80000022_ebx ebx = { }; + + entry->ecx = entry->edx = 0; + if (!enable_pmu || !kvm_cpu_cap_has(X86_FEATURE_PERFMON_V2)) { 
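Review bot: Removing `edx.split.reserved1 = 0;` and `edx.split.reserved2 = 0;` in __do_cpuid_func() is safe only if the `= { }` initializer zeroes every bit that is later read through `.full`, and that depends on the union definitions, which are outside these hunks. An initializer list on a union targets its first member, so if `split` were ever narrower than `full` the remaining bits would depend on how the compiler treats padding, and the value is copied straight into the CPUID entry (`entry->eax = eax.full;`). A compile-time check such as `BUILD_BUG_ON(sizeof(eax.split) != sizeof(eax.full));` for each of the three unions would pin that assumption. The function is only partly visible here.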
diff --git a/queue-6.6/scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch b/queue-6.6/scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch
new file mode 100644
index 0000000000..670d6a1056
--- /dev/null
+++ b/queue-6.6/scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch
@@ -0,0 +1,37 @@
+From ded40f32b55f7f2f4ed9627dd3c37a1fe89ed8c6 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus
+Date: Fri, 17 Jan 2025 14:18:52 +0000
+Subject: scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get
+
+From: Tudor Ambarus
+
+commit ded40f32b55f7f2f4ed9627dd3c37a1fe89ed8c6 upstream.
+
+The driver leaks the device reference taken with
+of_find_device_by_node(). Fix the leak by using devm_of_qcom_ice_get().
+
+Fixes: 56541c7c4468 ("scsi: ufs: ufs-qcom: Switch to the new ICE API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus
+Reviewed-by: Krzysztof Kozlowski
+Reviewed-by: Abel Vesa
+Acked-by: Martin K. Petersen # SCSI
+Reviewed-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20250117-qcom-ice-fix-dev-leak-v2-3-1ffa5b6884cb@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ufs/host/ufs-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -121,7 +121,7 @@ static int ufs_qcom_ice_init(struct ufs_
+ struct device *dev = hba->dev;
+ struct qcom_ice *ice;
+
+- ice = of_qcom_ice_get(dev);
++ ice = devm_of_qcom_ice_get(dev);
+ if (ice == ERR_PTR(-EOPNOTSUPP)) {
+ dev_warn(dev, "Disabling inline encryption support\n");
+ ice = NULL;
diff --git a/queue-6.6/series b/queue-6.6/series
index ee329da601..66b7df133e 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
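Review bot: `devm_of_qcom_ice_get()` is called in ufs_qcom_ice_init() but is neither defined nor declared in this patch, and none of the entries this commit adds to queue-6.6/series has a name suggesting it introduces the helper. It may already be present in 6.6.y or queued earlier in the series, which is not visible here; if it is not, this backport would fail to build, so the prerequisite should be confirmed before the queue is released. Since the reference is now tied to `dev` through devres, it is also worth checking that no remaining code path in the 6.6 driver still drops the ICE reference by hand. The function body continues past the hunk.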
@@ -195,3 +195,26 @@ mm-userfaultfd-fix-release-hang-over-concurrent-gup.patch mm-hwpoison-do-not-send-sigbus-to-processes-with-recovered-clean-pages.patch mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section.patch sctp-detect-and-prevent-references-to-a-freed-transport-in-sendmsg.patch +x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch +tracing-do-not-add-length-to-print-format-in-synthetic-events.patch +thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch +cifs-avoid-null-pointer-dereference-in-dbg-call.patch +cifs-fix-integer-overflow-in-match_server.patch +cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch +clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch +clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch +clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch +clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch +crypto-ccp-fix-check-for-the-primary-asp-device.patch +dm-ebs-fix-prefetch-vs-suspend-race.patch +dm-integrity-set-ti-error-on-memory-allocation-failure.patch +dm-verity-fix-prefetch-vs-suspend-race.patch +dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch +dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch +ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch +gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch +gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch +gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch +kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch +kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch +scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch diff --git a/queue-6.6/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch b/queue-6.6/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch new file mode 100644 index 0000000000..7a833af7bb --- /dev/null 
+++ b/queue-6.6/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch 
@@ -0,0 +1,61 @@ +From ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e Mon Sep 17 00:00:00 2001 +From: Trevor Woerner +Date: Fri, 7 Feb 2025 12:50:47 -0500 +Subject: thermal/drivers/rockchip: Add missing rk3328 mapping entry + +From: Trevor Woerner + +commit ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e upstream. + +The mapping table for the rk3328 is missing the entry for -25C which is +found in the TRM section 9.5.2 "Temperature-to-code mapping". + +NOTE: the kernel uses the tsadc_q_sel=1'b1 mode which is defined as: + 4096-. Whereas the table in the TRM gives the code + "3774" for -25C, the kernel uses 4096-3774=322. + +[Dragan Simic] : "After going through the RK3308 and RK3328 TRMs, as + well as through the downstream kernel code, it seems we may have + some troubles at our hands. Let me explain, please. + + To sum it up, part 1 of the RK3308 TRM v1.1 says on page 538 that + the equation for the output when tsadc_q_sel equals 1 is (4096 - + tsadc_q), while part 1 of the RK3328 TRM v1.2 says that the output + equation is (1024 - tsadc_q) in that case. + + The downstream kernel code, however, treats the RK3308 and RK3328 + tables and their values as being the same. It even mentions 1024 as + the "offset" value in a comment block for the rk_tsadcv3_control() + function, just like the upstream code does, which is obviously wrong + "offset" value when correlated with the table on page 544 of part 1 + of the RK3308 TRM v1.1. + + With all this in mind, it's obvious that more work is needed to make + it clear where's the actual mistake (it could be that the TRM is + wrong), which I'll volunteer for as part of the SoC binning project. 
+ In the meantime, this patch looks fine as-is to me, by offering + what's a clear improvement to the current state of the upstream + code" + +Link: https://opensource.rock-chips.com/images/9/97/Rockchip_RK3328TRM_V1.1-Part1-20170321.pdf +Cc: stable@vger.kernel.org +Fixes: eda519d5f73e ("thermal: rockchip: Support the RK3328 SOC in thermal driver") +Signed-off-by: Trevor Woerner +Reviewed-by: Dragan Simic +Link: https://lore.kernel.org/r/20250207175048.35959-1-twoerner@gmail.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/rockchip_thermal.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thermal/rockchip_thermal.c ++++ b/drivers/thermal/rockchip_thermal.c +@@ -386,6 +386,7 @@ static const struct tsadc_table rk3328_c + {296, -40000}, + {304, -35000}, + {313, -30000}, ++ {322, -25000}, + {331, -20000}, + {340, -15000}, + {349, -10000}, diff --git a/queue-6.6/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch b/queue-6.6/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch new file mode 100644 index 0000000000..8a0f13cac1 --- /dev/null +++ b/queue-6.6/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch 
@@ -0,0 +1,56 @@ +From e1a453a57bc76be678bd746f84e3d73f378a9511 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Mon, 7 Apr 2025 15:41:39 -0400 +Subject: tracing: Do not add length to print format in synthetic events + +From: Steven Rostedt + +commit e1a453a57bc76be678bd746f84e3d73f378a9511 upstream. + +The following causes a vsnprintf fault: + + # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events + # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger + # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger + +Because the synthetic event's "wakee" field is created as a dynamic string +(even though the string copied is not). The print format to print the +dynamic string changed from "%*s" to "%s" because another location +(__set_synth_event_print_fmt()) exported this to user space, and user +space did not need that. But it is still used in print_synth_event(), and +the output looks like: + + -0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155 + sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58 + -0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91 + bash-880 [002] d..5. 193.811371: wake_lat: wakee=(efault)kworker/u35:2delta=21 + -0 [001] d..5. 193.811516: wake_lat: wakee=(efault)sshd-sessiondelta=129 + sshd-session-879 [001] d..5. 193.967576: wake_lat: wakee=(efault)kworker/u34:5delta=50 + +The length isn't needed as the string is always nul terminated. Just print +the string and not add the length (which was hard coded to the max string +length anyway). 
+ +Cc: stable@vger.kernel.org +Cc: Mathieu Desnoyers +Cc: Tom Zanussi +Cc: Douglas Raillard +Acked-by: Masami Hiramatsu (Google) +Link: https://lore.kernel.org/20250407154139.69955768@gandalf.local.home +Fixes: 4d38328eb442d ("tracing: Fix synth event printk format for str fields"); +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_synth.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -377,7 +377,6 @@ static enum print_line_t print_synth_eve + union trace_synth_field *data = &entry->fields[n_u64]; + + trace_seq_printf(s, print_fmt, se->fields[i]->name, +- STR_VAR_LEN_MAX, + (char *)entry + data->as_dynamic.offset, + i == se->n_fields - 1 ? "" : " "); + n_u64++; diff --git a/queue-6.6/x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch b/queue-6.6/x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch new file mode 100644 index 0000000000..4f0de7bc2e --- /dev/null +++ b/queue-6.6/x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch 
@@ -0,0 +1,162 @@ +From 87af633689ce16ddb166c80f32b120e50b1295de Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne +Date: Mon, 7 Apr 2025 10:28:37 +0200 +Subject: x86/xen: fix balloon target initialization for PVH dom0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +commit 87af633689ce16ddb166c80f32b120e50b1295de upstream. + +PVH dom0 re-uses logic from PV dom0, in which RAM ranges not assigned to +dom0 are re-used as scratch memory to map foreign and grant pages. Such +logic relies on reporting those unpopulated ranges as RAM to Linux, and +mark them as reserved. This way Linux creates the underlying page +structures required for metadata management. + +Such approach works fine on PV because the initial balloon target is +calculated using specific Xen data, that doesn't take into account the +memory type changes described above. However on HVM and PVH the initial +balloon target is calculated using get_num_physpages(), and that function +does take into account the unpopulated RAM regions used as scratch space +for remote domain mappings. + +This leads to PVH dom0 having an incorrect initial balloon target, which +causes malfunction (excessive memory freeing) of the balloon driver if the +dom0 memory target is later adjusted from the toolstack. + +Fix this by using xen_released_pages to account for any pages that are part +of the memory map, but are already unpopulated when the balloon driver is +initialized. This accounts for any regions used for scratch remote +mappings. Note on x86 xen_released_pages definition is moved to +enlighten.c so it's uniformly available for all Xen-enabled builds. + +Take the opportunity to unify PV with PVH/HVM guests regarding the usage of +get_num_physpages(), as that avoids having to add different logic for PV vs +PVH in both balloon_add_regions() and arch_xen_unpopulated_init(). 
+ +Much like a6aa4eb994ee, the code in this changeset should have been part of +38620fc4e893. + +Fixes: a6aa4eb994ee ('xen/x86: add extra pages to unpopulated-alloc if available') +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +Cc: stable@vger.kernel.org +Signed-off-by: Juergen Gross +Message-ID: <20250407082838.65495-1-roger.pau@citrix.com> +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/xen/enlighten.c | 10 ++++++++++ + arch/x86/xen/setup.c | 3 --- + drivers/xen/balloon.c | 34 ++++++++++++++++++++++++---------- + 3 files changed, 34 insertions(+), 13 deletions(-) + +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -75,6 +75,9 @@ EXPORT_SYMBOL(xen_start_flags); + */ + struct shared_info *HYPERVISOR_shared_info = &xen_dummy_shared_info; + ++/* Number of pages released from the initial allocation. */ ++unsigned long xen_released_pages; ++ + static __ref void xen_get_vendor(void) + { + init_cpu_devs(); +@@ -471,6 +474,13 @@ int __init arch_xen_unpopulated_init(str + xen_free_unpopulated_pages(1, &pg); + } + ++ /* ++ * Account for the region being in the physmap but unpopulated. ++ * The value in xen_released_pages is used by the balloon ++ * driver to know how much of the physmap is unpopulated and ++ * set an accurate initial memory target. ++ */ ++ xen_released_pages += xen_extra_mem[i].n_pfns; + /* Zero so region is not also added to the balloon driver. */ + xen_extra_mem[i].n_pfns = 0; + } +--- a/arch/x86/xen/setup.c ++++ b/arch/x86/xen/setup.c +@@ -38,9 +38,6 @@ + + #define GB(x) ((uint64_t)(x) * 1024 * 1024 * 1024) + +-/* Number of pages released from the initial allocation. */ +-unsigned long xen_released_pages; +- + /* Memory map would allow PCI passthrough. 
*/ + bool xen_pv_pci_possible; + +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -671,7 +671,7 @@ void xen_free_ballooned_pages(unsigned i + } + EXPORT_SYMBOL(xen_free_ballooned_pages); + +-static void __init balloon_add_regions(void) ++static int __init balloon_add_regions(void) + { + unsigned long start_pfn, pages; + unsigned long pfn, extra_pfn_end; +@@ -694,26 +694,38 @@ static void __init balloon_add_regions(v + for (pfn = start_pfn; pfn < extra_pfn_end; pfn++) + balloon_append(pfn_to_page(pfn)); + +- balloon_stats.total_pages += extra_pfn_end - start_pfn; ++ /* ++ * Extra regions are accounted for in the physmap, but need ++ * decreasing from current_pages to balloon down the initial ++ * allocation, because they are already accounted for in ++ * total_pages. ++ */ ++ if (extra_pfn_end - start_pfn >= balloon_stats.current_pages) { ++ WARN(1, "Extra pages underflow current target"); ++ return -ERANGE; ++ } ++ balloon_stats.current_pages -= extra_pfn_end - start_pfn; + } ++ ++ return 0; + } + + static int __init balloon_init(void) + { + struct task_struct *task; ++ int rc; + + if (!xen_domain()) + return -ENODEV; + + pr_info("Initialising balloon driver\n"); + +-#ifdef CONFIG_XEN_PV +- balloon_stats.current_pages = xen_pv_domain() +- ? 
min(xen_start_info->nr_pages - xen_released_pages, max_pfn) +- : get_num_physpages(); +-#else +- balloon_stats.current_pages = get_num_physpages(); +-#endif ++ if (xen_released_pages >= get_num_physpages()) { ++ WARN(1, "Released pages underflow current target"); ++ return -ERANGE; ++ } ++ ++ balloon_stats.current_pages = get_num_physpages() - xen_released_pages; + balloon_stats.target_pages = balloon_stats.current_pages; + balloon_stats.balloon_low = 0; + balloon_stats.balloon_high = 0; +@@ -730,7 +742,9 @@ static int __init balloon_init(void) + register_sysctl_init("xen/balloon", balloon_table); + #endif + +- balloon_add_regions(); ++ rc = balloon_add_regions(); ++ if (rc) ++ return rc; + + task = kthread_run(balloon_thread, NULL, "xen-balloon"); + if (IS_ERR(task)) {
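Review bot: The new `return -ERANGE;` in balloon_add_regions() is reached only after the `for (pfn = start_pfn; pfn < extra_pfn_end; pfn++)` loop has already called balloon_append() for the whole region, and balloon_init() then returns `rc` after `register_sysctl_init("xen/balloon", balloon_table)` has run where that is configured. A failure therefore leaves pages on the balloon list and the sysctl table registered with no balloon thread started. Moving the `extra_pfn_end - start_pfn >= balloon_stats.current_pages` test above the append loop would at least avoid appending a region that is about to be rejected. Both WARN() format strings also lack a trailing newline, e.g. `WARN(1, "Extra pages underflow current target\n");`. Parts of both functions lie outside the hunks shown.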