From: Greg Kroah-Hartman Date: Tue, 5 Nov 2024 16:18:51 +0000 (+0100) Subject: 6.11-stable patches X-Git-Tag: v4.19.323~73 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8b4dcce5b5f7a6559db0f14c093b368e7b838d9a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.11-stable patches added patches: dt-bindings-iio-adc-ad7380-fix-ad7380-4-reference-supply.patch iio-adc-ad7124-fix-division-by-zero-in-ad7124_set_channel_odr.patch iio-gts-helper-fix-memory-leaks-for-the-error-path-of-iio_gts_build_avail_scale_table.patch iio-gts-helper-fix-memory-leaks-in-iio_gts_build_avail_scale_table.patch iio-light-veml6030-fix-microlux-value-calculation.patch nilfs2-fix-kernel-bug-due-to-missing-clearing-of-checked-flag.patch nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch revert-driver-core-fix-uevent_show-vs-driver-detach-race.patch revert-drm-amd-display-update-dml2-policy-enhancedprefetchscheduleaccelerationfinal-dcn35.patch revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch staging-iio-frequency-ad9832-fix-division-by-zero-in-ad9832_calc_freqreg.patch wifi-ath10k-fix-memory-leak-in-management-tx.patch wifi-cfg80211-clear-wdev-cqm_config-pointer-on-free.patch wifi-iwlegacy-clear-stale-interrupts-before-resuming-device.patch wifi-iwlwifi-mvm-fix-6-ghz-scan-construction.patch wifi-mac80211-do-not-pass-a-stopped-vif-to-the-driver-in-.get_txpower.patch xhci-fix-link-trb-dma-in-command-ring-stopped-completion-event.patch xhci-use-pm_runtime_get-to-prevent-rpm-on-unsupported-systems.patch --- diff --git a/queue-6.11/dt-bindings-iio-adc-ad7380-fix-ad7380-4-reference-supply.patch b/queue-6.11/dt-bindings-iio-adc-ad7380-fix-ad7380-4-reference-supply.patch new file mode 100644 index 00000000000..fc23e9bc092 --- /dev/null +++ b/queue-6.11/dt-bindings-iio-adc-ad7380-fix-ad7380-4-reference-supply.patch @@ -0,0 +1,67 @@ +From fbe5956e8809f04e9121923db0b6d1b94f2b93ba Mon Sep 17 00:00:00 2001 +From: Julien Stephan +Date: Tue, 22 Oct 2024 15:22:36 +0200 +Subject: dt-bindings: iio: adc: ad7380: fix ad7380-4 reference supply + +From: Julien Stephan + +commit fbe5956e8809f04e9121923db0b6d1b94f2b93ba upstream. + +ad7380-4 is the only device from ad738x family that doesn't have an +internal reference. Moreover its external reference is called REFIN in +the datasheet while all other use REFIO as an optional external +reference. If refio-supply is omitted the internal reference is +used. + +Fix the binding by adding refin-supply and makes it required for +ad7380-4 only. + +Fixes: 1a291cc8ee17 ("dt-bindings: iio: adc: ad7380: add support for ad738x-4 4 channels variants") +Acked-by: Conor Dooley +Reviewed-by: David Lechner +Signed-off-by: Julien Stephan +Link: https://patch.msgid.link/20241022-ad7380-fix-supplies-v3-1-f0cefe1b7fa6@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/iio/adc/adi,ad7380.yaml | 21 ++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/Documentation/devicetree/bindings/iio/adc/adi,ad7380.yaml ++++ b/Documentation/devicetree/bindings/iio/adc/adi,ad7380.yaml +@@ -54,6 +54,10 @@ properties: + A 2.5V to 3.3V supply for the external reference voltage. When omitted, + the internal 2.5V reference is used. + ++ refin-supply: ++ description: ++ A 2.5V to 3.3V supply for external reference voltage, for ad7380-4 only. ++ + aina-supply: + description: + The common mode voltage supply for the AINA- pin on pseudo-differential +@@ -122,6 +126,23 @@ allOf: + ainc-supply: false + aind-supply: false + ++ # ad7380-4 uses refin-supply as external reference. ++ # All other chips from ad738x family use refio as optional external reference. ++ # When refio-supply is omitted, internal reference is used. ++ - if: ++ properties: ++ compatible: ++ enum: ++ - adi,ad7380-4 ++ then: ++ properties: ++ refio-supply: false ++ required: ++ - refin-supply ++ else: ++ properties: ++ refin-supply: false ++ + examples: + - | + #include diff --git a/queue-6.11/iio-adc-ad7124-fix-division-by-zero-in-ad7124_set_channel_odr.patch b/queue-6.11/iio-adc-ad7124-fix-division-by-zero-in-ad7124_set_channel_odr.patch new file mode 100644 index 00000000000..0dc27ec862f --- /dev/null +++ b/queue-6.11/iio-adc-ad7124-fix-division-by-zero-in-ad7124_set_channel_odr.patch @@ -0,0 +1,38 @@ +From efa353ae1b0541981bc96dbf2e586387d0392baa Mon Sep 17 00:00:00 2001 +From: Zicheng Qu +Date: Tue, 22 Oct 2024 13:43:30 +0000 +Subject: iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() + +From: Zicheng Qu + +commit efa353ae1b0541981bc96dbf2e586387d0392baa upstream. + +In the ad7124_write_raw() function, parameter val can potentially +be zero. This may lead to a division by zero when DIV_ROUND_CLOSEST() +is called within ad7124_set_channel_odr(). The ad7124_write_raw() +function is invoked through the sequence: iio_write_channel_raw() -> +iio_write_channel_attribute() -> iio_channel_write(), with no checks +in place to ensure val is non-zero. + +Cc: stable@vger.kernel.org +Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels") +Signed-off-by: Zicheng Qu +Reviewed-by: Nuno Sa +Link: https://patch.msgid.link/20241022134330.574601-1-quzicheng@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7124.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad7124.c ++++ b/drivers/iio/adc/ad7124.c +@@ -645,7 +645,7 @@ static int ad7124_write_raw(struct iio_d + + switch (info) { + case IIO_CHAN_INFO_SAMP_FREQ: +- if (val2 != 0) { ++ if (val2 != 0 || val == 0) { + ret = -EINVAL; + break; + } diff --git a/queue-6.11/iio-gts-helper-fix-memory-leaks-for-the-error-path-of-iio_gts_build_avail_scale_table.patch b/queue-6.11/iio-gts-helper-fix-memory-leaks-for-the-error-path-of-iio_gts_build_avail_scale_table.patch new file mode 100644 index 00000000000..71e22149fc4 --- /dev/null +++ b/queue-6.11/iio-gts-helper-fix-memory-leaks-for-the-error-path-of-iio_gts_build_avail_scale_table.patch @@ -0,0 +1,38 @@ +From 369f05688911b05216cfcd6ca74473bec87948d7 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Wed, 16 Oct 2024 09:24:53 +0800 +Subject: iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table() + +From: Jinjie Ruan + +commit 369f05688911b05216cfcd6ca74473bec87948d7 upstream. + +If per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop +of iio_gts_build_avail_scale_table(), the err_free_out will fail to call +kfree() each time when i is reduced to 0, so all the per_time_scales[0] +and per_time_gains[0] will not be freed, which will cause memory leaks. + +Fix it by checking if i >= 0. + +Cc: stable@vger.kernel.org +Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") +Reviewed-by: Matti Vaittinen +Signed-off-by: Jinjie Ruan +Link: https://patch.msgid.link/20241016012453.2013302-1-ruanjinjie@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-gts-helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-gts-helper.c ++++ b/drivers/iio/industrialio-gts-helper.c +@@ -313,7 +313,7 @@ static int iio_gts_build_avail_scale_tab + return 0; + + err_free_out: +- for (i--; i; i--) { ++ for (i--; i >= 0; i--) { + kfree(per_time_scales[i]); + kfree(per_time_gains[i]); + } diff --git a/queue-6.11/iio-gts-helper-fix-memory-leaks-in-iio_gts_build_avail_scale_table.patch b/queue-6.11/iio-gts-helper-fix-memory-leaks-in-iio_gts_build_avail_scale_table.patch new file mode 100644 index 00000000000..d1c10b68464 --- /dev/null +++ b/queue-6.11/iio-gts-helper-fix-memory-leaks-in-iio_gts_build_avail_scale_table.patch @@ -0,0 +1,75 @@ +From 691e79ffc42154a9c91dc3b7e96a307037b4be74 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Fri, 11 Oct 2024 17:55:12 +0800 +Subject: iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table() + +From: Jinjie Ruan + +commit 691e79ffc42154a9c91dc3b7e96a307037b4be74 upstream. + +modprobe iio-test-gts and rmmod it, then the following memory leak +occurs: + + unreferenced object 0xffffff80c810be00 (size 64): + comm "kunit_try_catch", pid 1654, jiffies 4294913981 + hex dump (first 32 bytes): + 02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00 ........ ...@... + 80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00 ................ + backtrace (crc a63d875e): + [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40 + [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0 + [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4 + [<0000000071bb4b09>] 0xffffffdf052a62e0 + [<000000000315bc18>] 0xffffffdf052a6488 + [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac + [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec + [<00000000f505065d>] kthread+0x2e8/0x374 + [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20 + unreferenced object 0xffffff80cbfe9e70 (size 16): + comm "kunit_try_catch", pid 1658, jiffies 4294914015 + hex dump (first 16 bytes): + 10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00 ....@........... + backtrace (crc 857f0cb4): + [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40 + [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0 + [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4 + [<0000000071bb4b09>] 0xffffffdf052a62e0 + [<000000007d089d45>] 0xffffffdf052a6864 + [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac + [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec + [<00000000f505065d>] kthread+0x2e8/0x374 + [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20 + ...... + +It includes 5*5 times "size 64" memory leaks, which correspond to 5 times +test_init_iio_gain_scale() calls with gts_test_gains size 10 (10*size(int)) +and gts_test_itimes size 5. It also includes 5*1 times "size 16" +memory leak, which correspond to one time __test_init_iio_gain_scale() +call with gts_test_gains_gain_low size 3 (3*size(int)) and gts_test_itimes +size 5. + +The reason is that the per_time_gains[i] is not freed which is allocated in +the "gts->num_itime" for loop in iio_gts_build_avail_scale_table(). + +Cc: stable@vger.kernel.org +Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers") +Signed-off-by: Jinjie Ruan +Reviewed-by: Matti Vaittinen +Link: https://patch.msgid.link/20241011095512.3667549-1-ruanjinjie@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-gts-helper.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/industrialio-gts-helper.c ++++ b/drivers/iio/industrialio-gts-helper.c +@@ -307,6 +307,8 @@ static int iio_gts_build_avail_scale_tab + if (ret) + goto err_free_out; + ++ for (i = 0; i < gts->num_itime; i++) ++ kfree(per_time_gains[i]); + kfree(per_time_gains); + gts->per_time_avail_scale_tables = per_time_scales; + diff --git a/queue-6.11/iio-light-veml6030-fix-microlux-value-calculation.patch b/queue-6.11/iio-light-veml6030-fix-microlux-value-calculation.patch new file mode 100644 index 00000000000..fc6c84fd98f --- /dev/null +++ b/queue-6.11/iio-light-veml6030-fix-microlux-value-calculation.patch @@ -0,0 +1,42 @@ +From 63dd163cd61dda6f38343776b42331cc6b7e56e0 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Wed, 16 Oct 2024 19:04:31 +0200 +Subject: iio: light: veml6030: fix microlux value calculation + +From: Javier Carrasco + +commit 63dd163cd61dda6f38343776b42331cc6b7e56e0 upstream. + +The raw value conversion to obtain a measurement in lux as +INT_PLUS_MICRO does not calculate the decimal part properly to display +it as micro (in this case microlux). It only calculates the module to +obtain the decimal part from a resolution that is 10000 times the +provided in the datasheet (0.5376 lux/cnt for the veml6030). The +resulting value must still be multiplied by 100 to make it micro. + +This bug was introduced with the original implementation of the driver. + +Only the illuminance channel is fixed becuase the scale is non sensical +for the intensity channels anyway. + +Cc: stable@vger.kernel.org +Fixes: 7b779f573c48 ("iio: light: add driver for veml6030 ambient light sensor") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241016-veml6030-fix-processed-micro-v1-1-4a5644796437@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/veml6030.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/light/veml6030.c ++++ b/drivers/iio/light/veml6030.c +@@ -522,7 +522,7 @@ static int veml6030_read_raw(struct iio_ + } + if (mask == IIO_CHAN_INFO_PROCESSED) { + *val = (reg * data->cur_resolution) / 10000; +- *val2 = (reg * data->cur_resolution) % 10000; ++ *val2 = (reg * data->cur_resolution) % 10000 * 100; + return IIO_VAL_INT_PLUS_MICRO; + } + *val = reg; diff --git a/queue-6.11/nilfs2-fix-kernel-bug-due-to-missing-clearing-of-checked-flag.patch b/queue-6.11/nilfs2-fix-kernel-bug-due-to-missing-clearing-of-checked-flag.patch new file mode 100644 index 00000000000..a596e8ef177 --- /dev/null +++ b/queue-6.11/nilfs2-fix-kernel-bug-due-to-missing-clearing-of-checked-flag.patch @@ -0,0 +1,45 @@ +From 41e192ad2779cae0102879612dfe46726e4396aa Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 18 Oct 2024 04:33:10 +0900 +Subject: nilfs2: fix kernel bug due to missing clearing of checked flag + +From: Ryusuke Konishi + +commit 41e192ad2779cae0102879612dfe46726e4396aa upstream. + +Syzbot reported that in directory operations after nilfs2 detects +filesystem corruption and degrades to read-only, +__block_write_begin_int(), which is called to prepare block writes, may +fail the BUG_ON check for accesses exceeding the folio/page size, +triggering a kernel bug. + +This was found to be because the "checked" flag of a page/folio was not +cleared when it was discarded by nilfs2's own routine, which causes the +sanity check of directory entries to be skipped when the directory +page/folio is reloaded. So, fix that. + +This was necessary when the use of nilfs2's own page discard routine was +applied to more than just metadata files. + +Link: https://lkml.kernel.org/r/20241017193359.5051-1-konishi.ryusuke@gmail.com +Fixes: 8c26c4e2694a ("nilfs2: fix issue with flush kernel thread after remount in RO mode because of driver's internal error or metadata corruption") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+d6ca2daf692c7a82f959@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d6ca2daf692c7a82f959 +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/page.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nilfs2/page.c ++++ b/fs/nilfs2/page.c +@@ -409,6 +409,7 @@ void nilfs_clear_folio_dirty(struct foli + + folio_clear_uptodate(folio); + folio_clear_mappedtodisk(folio); ++ folio_clear_checked(folio); + + head = folio_buffers(folio); + if (head) { diff --git a/queue-6.11/nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch b/queue-6.11/nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch new file mode 100644 index 00000000000..fd61fefce2d --- /dev/null +++ b/queue-6.11/nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch @@ -0,0 +1,57 @@ +From b3a033e3ecd3471248d474ef263aadc0059e516a Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sun, 20 Oct 2024 13:51:28 +0900 +Subject: nilfs2: fix potential deadlock with newly created symlinks + +From: Ryusuke Konishi + +commit b3a033e3ecd3471248d474ef263aadc0059e516a upstream. + +Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers +memory reclamation involving the filesystem layer, which can result in +circular lock dependencies among the reader/writer semaphore +nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the +fs_reclaim pseudo lock. + +This is because after commit 21fc61c73c39 ("don't put symlink bodies in +pagecache into highmem"), the gfp flags of the page cache for symbolic +links are overwritten to GFP_KERNEL via inode_nohighmem(). + +This is not a problem for symlinks read from the backing device, because +the __GFP_FS flag is dropped after inode_nohighmem() is called. However, +when a new symlink is created with nilfs_symlink(), the gfp flags remain +overwritten to GFP_KERNEL. Then, memory allocation called from +page_symlink() etc. triggers memory reclamation including the FS layer, +which may call nilfs_evict_inode() or nilfs_dirty_inode(). And these can +cause a deadlock if they are called while nilfs->ns_segctor_sem is held: + +Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags +of newly created symlinks in the same way that nilfs_new_inode() and +__nilfs_read_inode() do, as a workaround until we adopt nofs allocation +scope consistently or improve the locking constraints. + +Link: https://lkml.kernel.org/r/20241020050003.4308-1-konishi.ryusuke@gmail.com +Fixes: 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9ef37ac20608f4836256 +Tested-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/namei.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/nilfs2/namei.c ++++ b/fs/nilfs2/namei.c +@@ -157,6 +157,9 @@ static int nilfs_symlink(struct mnt_idma + /* slow symlink */ + inode->i_op = &nilfs_symlink_inode_operations; + inode_nohighmem(inode); ++ mapping_set_gfp_mask(inode->i_mapping, ++ mapping_gfp_constraint(inode->i_mapping, ++ ~__GFP_FS)); + inode->i_mapping->a_ops = &nilfs_aops; + err = page_symlink(inode, symname, l); + if (err) diff --git a/queue-6.11/revert-driver-core-fix-uevent_show-vs-driver-detach-race.patch b/queue-6.11/revert-driver-core-fix-uevent_show-vs-driver-detach-race.patch new file mode 100644 index 00000000000..e5e8c71f742 --- /dev/null +++ b/queue-6.11/revert-driver-core-fix-uevent_show-vs-driver-detach-race.patch @@ -0,0 +1,94 @@ +From 9a71892cbcdb9d1459c84f5a4c722b14354158a5 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 29 Oct 2024 01:23:04 +0100 +Subject: Revert "driver core: Fix uevent_show() vs driver detach race" + +From: Greg Kroah-Hartman + +commit 9a71892cbcdb9d1459c84f5a4c722b14354158a5 upstream. + +This reverts commit 15fffc6a5624b13b428bb1c6e9088e32a55eb82c. + +This commit causes a regression, so revert it for now until it can come +back in a way that works for everyone. + +Link: https://lore.kernel.org/all/172790598832.1168608.4519484276671503678.stgit@dwillia2-xfh.jf.intel.com/ +Fixes: 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race") +Cc: stable +Cc: Ashish Sangwan +Cc: Namjae Jeon +Cc: Dirk Behme +Cc: Greg Kroah-Hartman +Cc: Rafael J. Wysocki +Cc: Dan Williams +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/core.c | 13 +++++-------- + drivers/base/module.c | 4 ---- + 2 files changed, 5 insertions(+), 12 deletions(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -2641,7 +2640,6 @@ static const char *dev_uevent_name(const + static int dev_uevent(const struct kobject *kobj, struct kobj_uevent_env *env) + { + const struct device *dev = kobj_to_dev(kobj); +- struct device_driver *driver; + int retval = 0; + + /* add device node properties if present */ +@@ -2670,12 +2668,8 @@ static int dev_uevent(const struct kobje + if (dev->type && dev->type->name) + add_uevent_var(env, "DEVTYPE=%s", dev->type->name); + +- /* Synchronize with module_remove_driver() */ +- rcu_read_lock(); +- driver = READ_ONCE(dev->driver); +- if (driver) +- add_uevent_var(env, "DRIVER=%s", driver->name); +- rcu_read_unlock(); ++ if (dev->driver) ++ add_uevent_var(env, "DRIVER=%s", dev->driver->name); + + /* Add common DT information about the device */ + of_device_uevent(dev, env); +@@ -2745,8 +2739,11 @@ static ssize_t uevent_show(struct device + if (!env) + return -ENOMEM; + ++ /* Synchronize with really_probe() */ ++ device_lock(dev); + /* let the kset specific function add its keys */ + retval = kset->uevent_ops->uevent(&dev->kobj, env); ++ device_unlock(dev); + if (retval) + goto out; + +--- a/drivers/base/module.c ++++ b/drivers/base/module.c +@@ -7,7 +7,6 @@ + #include + #include + #include +-#include + #include "base.h" + + static char *make_driver_name(const struct device_driver *drv) +@@ -102,9 +101,6 @@ void module_remove_driver(const struct d + if (!drv) + return; + +- /* Synchronize with dev_uevent() */ +- synchronize_rcu(); +- + sysfs_remove_link(&drv->p->kobj, "module"); + + if (drv->owner) diff --git a/queue-6.11/revert-drm-amd-display-update-dml2-policy-enhancedprefetchscheduleaccelerationfinal-dcn35.patch b/queue-6.11/revert-drm-amd-display-update-dml2-policy-enhancedprefetchscheduleaccelerationfinal-dcn35.patch new file mode 100644 index 00000000000..a61f516a482 --- /dev/null +++ b/queue-6.11/revert-drm-amd-display-update-dml2-policy-enhancedprefetchscheduleaccelerationfinal-dcn35.patch @@ -0,0 +1,42 @@ +From 1b6063a57754eae5705753c01e78dc268b989038 Mon Sep 17 00:00:00 2001 +From: Ovidiu Bunea +Date: Fri, 11 Oct 2024 11:12:19 -0400 +Subject: Revert "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35" + +From: Ovidiu Bunea + +commit 1b6063a57754eae5705753c01e78dc268b989038 upstream. + +This reverts +commit 9dad21f910fc ("drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35") + +[why & how] +The offending commit exposes a hang with lid close/open behavior. +Both issues seem to be related to ODM 2:1 mode switching, so there +is another issue generic to that sequence that needs to be +investigated. + +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Ovidiu Bunea +Signed-off-by: Tom Chung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit 68bf95317ebf2cfa7105251e4279e951daceefb7) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c ++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c +@@ -303,6 +303,7 @@ void build_unoptimized_policy_settings(e + if (project == dml_project_dcn35 || + project == dml_project_dcn351) { + policy->DCCProgrammingAssumesScanDirectionUnknownFinal = false; ++ policy->EnhancedPrefetchScheduleAccelerationFinal = 0; + policy->AllowForPStateChangeOrStutterInVBlankFinal = dml_prefetch_support_uclk_fclk_and_stutter_if_possible; /*new*/ + policy->UseOnlyMaxPrefetchModes = 1; + } diff --git a/queue-6.11/revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch b/queue-6.11/revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch new file mode 100644 index 00000000000..e8ddc8ce13b --- /dev/null +++ b/queue-6.11/revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch @@ -0,0 +1,68 @@ +From 5bb1f4c9340e01003b00b94d539eadb0da88f48e Mon Sep 17 00:00:00 2001 +From: Edward Liaw +Date: Fri, 18 Oct 2024 17:17:22 +0000 +Subject: Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM" + +From: Edward Liaw + +commit 5bb1f4c9340e01003b00b94d539eadb0da88f48e upstream. + +Patch series "selftests/mm: revert pthread_barrier change" + +On Android arm, pthread_create followed by a fork caused a deadlock in +the case where the fork required work to be completed by the created +thread. + +The previous patches incorrectly assumed that the parent would +always initialize the pthread_barrier for the child thread. This +reverts the change and replaces the fix for wp-fork-with-event with the +original use of atomic_bool. + + +This patch (of 3): + +This reverts commit e142cc87ac4ec618f2ccf5f68aedcd6e28a59d9d. + +fork_event_consumer may be called by other tests that do not initialize +the pthread_barrier, so this approach is not correct. The subsequent +patch will revert to using atomic_bool instead. + +Link: https://lkml.kernel.org/r/20241018171734.2315053-1-edliaw@google.com +Link: https://lkml.kernel.org/r/20241018171734.2315053-2-edliaw@google.com +Fixes: e142cc87ac4e ("fix deadlock for fork after pthread_create on ARM") +Signed-off-by: Edward Liaw +Cc: Ryan Roberts +Cc: Peter Xu +Cc: Shuah Khan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/uffd-unit-tests.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/tools/testing/selftests/mm/uffd-unit-tests.c ++++ b/tools/testing/selftests/mm/uffd-unit-tests.c +@@ -241,9 +241,6 @@ static void *fork_event_consumer(void *d + fork_event_args *args = data; + struct uffd_msg msg = { 0 }; + +- /* Ready for parent thread to fork */ +- pthread_barrier_wait(&ready_for_fork); +- + /* Read until a full msg received */ + while (uffd_read_msg(args->parent_uffd, &msg)); + +@@ -311,12 +308,8 @@ static int pagemap_test_fork(int uffd, b + + /* Prepare a thread to resolve EVENT_FORK */ + if (with_event) { +- pthread_barrier_init(&ready_for_fork, NULL, 2); + if (pthread_create(&thread, NULL, fork_event_consumer, &args)) + err("pthread_create()"); +- /* Wait for child thread to start before forking */ +- pthread_barrier_wait(&ready_for_fork); +- pthread_barrier_destroy(&ready_for_fork); + } + + child = fork(); diff --git a/queue-6.11/revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch b/queue-6.11/revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch new file mode 100644 index 00000000000..4132eb21e72 --- /dev/null +++ b/queue-6.11/revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch @@ -0,0 +1,114 @@ +From 3673167a3a07f25b3f06754d69f406edea65543a Mon Sep 17 00:00:00 2001 +From: Edward Liaw +Date: Fri, 18 Oct 2024 17:17:23 +0000 +Subject: Revert "selftests/mm: replace atomic_bool with pthread_barrier_t" + +From: Edward Liaw + +commit 3673167a3a07f25b3f06754d69f406edea65543a upstream. + +This reverts commit e61ef21e27e8deed8c474e9f47f4aa7bc37e138c. + +uffd_poll_thread may be called by other tests that do not initialize the +pthread_barrier, so this approach is not correct. This will revert to +using atomic_bool instead. + +Link: https://lkml.kernel.org/r/20241018171734.2315053-3-edliaw@google.com +Fixes: e61ef21e27e8 ("selftests/mm: replace atomic_bool with pthread_barrier_t") +Signed-off-by: Edward Liaw +Cc: Ryan Roberts +Cc: Peter Xu +Cc: Shuah Khan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/uffd-common.c | 5 ++--- + tools/testing/selftests/mm/uffd-common.h | 3 ++- + tools/testing/selftests/mm/uffd-unit-tests.c | 14 ++++++-------- + 3 files changed, 10 insertions(+), 12 deletions(-) + +--- a/tools/testing/selftests/mm/uffd-common.c ++++ b/tools/testing/selftests/mm/uffd-common.c +@@ -18,7 +18,7 @@ bool test_uffdio_wp = true; + unsigned long long *count_verify; + uffd_test_ops_t *uffd_test_ops; + uffd_test_case_ops_t *uffd_test_case_ops; +-pthread_barrier_t ready_for_fork; ++atomic_bool ready_for_fork; + + static int uffd_mem_fd_create(off_t mem_size, bool hugetlb) + { +@@ -519,8 +519,7 @@ void *uffd_poll_thread(void *arg) + pollfd[1].fd = pipefd[cpu*2]; + pollfd[1].events = POLLIN; + +- /* Ready for parent thread to fork */ +- pthread_barrier_wait(&ready_for_fork); ++ ready_for_fork = true; + + for (;;) { + ret = poll(pollfd, 2, -1); +--- a/tools/testing/selftests/mm/uffd-common.h ++++ b/tools/testing/selftests/mm/uffd-common.h +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + + #include "../kselftest.h" + #include "vm_util.h" +@@ -104,7 +105,7 @@ extern bool map_shared; + extern bool test_uffdio_wp; + extern unsigned long long *count_verify; + extern volatile bool test_uffdio_copy_eexist; +-extern pthread_barrier_t ready_for_fork; ++extern atomic_bool ready_for_fork; + + extern uffd_test_ops_t anon_uffd_test_ops; + extern uffd_test_ops_t shmem_uffd_test_ops; +--- a/tools/testing/selftests/mm/uffd-unit-tests.c ++++ b/tools/testing/selftests/mm/uffd-unit-tests.c +@@ -774,7 +774,7 @@ static void uffd_sigbus_test_common(bool + char c; + struct uffd_args args = { 0 }; + +- pthread_barrier_init(&ready_for_fork, NULL, 2); ++ ready_for_fork = false; + + fcntl(uffd, F_SETFL, uffd_flags | O_NONBLOCK); + +@@ -791,9 +791,8 @@ static void uffd_sigbus_test_common(bool + if (pthread_create(&uffd_mon, NULL, uffd_poll_thread, &args)) + err("uffd_poll_thread create"); + +- /* Wait for child thread to start before forking */ +- pthread_barrier_wait(&ready_for_fork); +- pthread_barrier_destroy(&ready_for_fork); ++ while (!ready_for_fork) ++ ; /* Wait for the poll_thread to start executing before forking */ + + pid = fork(); + if (pid < 0) +@@ -834,7 +833,7 @@ static void uffd_events_test_common(bool + char c; + struct uffd_args args = { 0 }; + +- pthread_barrier_init(&ready_for_fork, NULL, 2); ++ ready_for_fork = false; + + fcntl(uffd, F_SETFL, uffd_flags | O_NONBLOCK); + if (uffd_register(uffd, area_dst, nr_pages * page_size, +@@ -845,9 +844,8 @@ static void uffd_events_test_common(bool + if (pthread_create(&uffd_mon, NULL, uffd_poll_thread, &args)) + err("uffd_poll_thread create"); + +- /* Wait for child thread to start before forking */ +- pthread_barrier_wait(&ready_for_fork); +- pthread_barrier_destroy(&ready_for_fork); ++ while (!ready_for_fork) ++ ; /* Wait for the poll_thread to start executing before forking */ + + pid = fork(); + if (pid < 0) diff --git a/queue-6.11/series b/queue-6.11/series index 7f62dfa3102..80082cf2e41 100644 --- a/queue-6.11/series +++ b/queue-6.11/series @@ -113,3 +113,22 @@ usb-typec-qcom-pmic-typec-fix-missing-fwnode-removal-in-error-path.patch phy-qcom-qmp-usb-fix-null-deref-on-runtime-suspend.patch phy-qcom-qmp-usb-legacy-fix-null-deref-on-runtime-suspend.patch phy-qcom-qmp-usbc-fix-null-deref-on-runtime-suspend.patch +xhci-fix-link-trb-dma-in-command-ring-stopped-completion-event.patch +xhci-use-pm_runtime_get-to-prevent-rpm-on-unsupported-systems.patch +revert-driver-core-fix-uevent_show-vs-driver-detach-race.patch +revert-drm-amd-display-update-dml2-policy-enhancedprefetchscheduleaccelerationfinal-dcn35.patch +revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch +revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch +wifi-mac80211-do-not-pass-a-stopped-vif-to-the-driver-in-.get_txpower.patch +wifi-ath10k-fix-memory-leak-in-management-tx.patch +wifi-cfg80211-clear-wdev-cqm_config-pointer-on-free.patch +wifi-iwlegacy-clear-stale-interrupts-before-resuming-device.patch +wifi-iwlwifi-mvm-fix-6-ghz-scan-construction.patch +staging-iio-frequency-ad9832-fix-division-by-zero-in-ad9832_calc_freqreg.patch +dt-bindings-iio-adc-ad7380-fix-ad7380-4-reference-supply.patch +iio-adc-ad7124-fix-division-by-zero-in-ad7124_set_channel_odr.patch +iio-gts-helper-fix-memory-leaks-for-the-error-path-of-iio_gts_build_avail_scale_table.patch +iio-gts-helper-fix-memory-leaks-in-iio_gts_build_avail_scale_table.patch +iio-light-veml6030-fix-microlux-value-calculation.patch +nilfs2-fix-kernel-bug-due-to-missing-clearing-of-checked-flag.patch +nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch diff --git a/queue-6.11/staging-iio-frequency-ad9832-fix-division-by-zero-in-ad9832_calc_freqreg.patch b/queue-6.11/staging-iio-frequency-ad9832-fix-division-by-zero-in-ad9832_calc_freqreg.patch new file mode 100644 index 00000000000..b51c7bff586 --- /dev/null +++ b/queue-6.11/staging-iio-frequency-ad9832-fix-division-by-zero-in-ad9832_calc_freqreg.patch @@ -0,0 +1,49 @@ +From 6bd301819f8f69331a55ae2336c8b111fc933f3d Mon Sep 17 00:00:00 2001 +From: Zicheng Qu +Date: Tue, 22 Oct 2024 13:43:54 +0000 +Subject: staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() + +From: Zicheng Qu + +commit 6bd301819f8f69331a55ae2336c8b111fc933f3d upstream. + +In the ad9832_write_frequency() function, clk_get_rate() might return 0. +This can lead to a division by zero when calling ad9832_calc_freqreg(). +The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect +against the case when fout is 0. The ad9832_write_frequency() function +is called from ad9832_write(), and fout is derived from a text buffer, +which can contain any value. + +Link: https://lore.kernel.org/all/2024100904-CVE-2024-47663-9bdc@gregkh/ +Fixes: ea707584bac1 ("Staging: IIO: DDS: AD9832 / AD9835 driver") +Cc: stable@vger.kernel.org +Signed-off-by: Zicheng Qu +Reviewed-by: Nuno Sa +Reviewed-by: Dan Carpenter +Link: https://patch.msgid.link/20241022134354.574614-1-quzicheng@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/iio/frequency/ad9832.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/staging/iio/frequency/ad9832.c ++++ b/drivers/staging/iio/frequency/ad9832.c +@@ -129,12 +129,15 @@ static unsigned long ad9832_calc_freqreg + static int ad9832_write_frequency(struct ad9832_state *st, + unsigned int addr, unsigned long fout) + { ++ unsigned long clk_freq; + unsigned long regval; + +- if (fout > (clk_get_rate(st->mclk) / 2)) ++ clk_freq = clk_get_rate(st->mclk); ++ ++ if (!clk_freq || fout > (clk_freq / 2)) + return -EINVAL; + +- regval = ad9832_calc_freqreg(clk_get_rate(st->mclk), fout); ++ regval = ad9832_calc_freqreg(clk_freq, fout); + + st->freq_data[0] = cpu_to_be16((AD9832_CMD_FRE8BITSW << CMD_SHIFT) | + (addr << ADD_SHIFT) | diff --git a/queue-6.11/wifi-ath10k-fix-memory-leak-in-management-tx.patch b/queue-6.11/wifi-ath10k-fix-memory-leak-in-management-tx.patch new file mode 100644 index 00000000000..c3a4217f631 --- /dev/null +++ b/queue-6.11/wifi-ath10k-fix-memory-leak-in-management-tx.patch @@ -0,0 +1,86 @@ +From e15d84b3bba187aa372dff7c58ce1fd5cb48a076 Mon Sep 17 00:00:00 2001 +From: Manikanta Pubbisetty +Date: Tue, 15 Oct 2024 12:11:03 +0530 +Subject: wifi: ath10k: Fix memory leak in management tx + +From: Manikanta Pubbisetty + +commit e15d84b3bba187aa372dff7c58ce1fd5cb48a076 upstream. + +In the current logic, memory is allocated for storing the MSDU context +during management packet TX but this memory is not being freed during +management TX completion. Similar leaks are seen in the management TX +cleanup logic. + +Kmemleak reports this problem as below, + +unreferenced object 0xffffff80b64ed250 (size 16): + comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s) + hex dump (first 16 bytes): + 00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00 .+.......t...... + backtrace: + [] __kmem_cache_alloc_node+0x1e4/0x2d8 + [] kmalloc_trace+0x48/0x110 + [] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core] + [] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core] + [] process_scheduled_works+0x1ac/0x400 + [] worker_thread+0x208/0x328 + [] kthread+0x100/0x1c0 + [] ret_from_fork+0x10/0x20 + +Free the memory during completion and cleanup to fix the leak. + +Protect the mgmt_pending_tx idr_remove() operation in +ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to +other instances. + +Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1 + +Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") +Fixes: c730c477176a ("ath10k: Remove msdu from idr when management pkt send fails") +Cc: stable@vger.kernel.org +Signed-off-by: Manikanta Pubbisetty +Link: https://patch.msgid.link/20241015064103.6060-1-quic_mpubbise@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 ++++++- + drivers/net/wireless/ath/ath10k/wmi.c | 2 ++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c ++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c +@@ -3043,9 +3043,14 @@ ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(s + struct sk_buff *msdu) + { + struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu); ++ struct ath10k_mgmt_tx_pkt_addr *pkt_addr; + struct ath10k_wmi *wmi = &ar->wmi; + +- idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id); ++ spin_lock_bh(&ar->data_lock); ++ pkt_addr = idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id); ++ spin_unlock_bh(&ar->data_lock); ++ ++ kfree(pkt_addr); + + return 0; + } +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -2441,6 +2441,7 @@ wmi_process_mgmt_tx_comp(struct ath10k * + dma_unmap_single(ar->dev, pkt_addr->paddr, + msdu->len, DMA_TO_DEVICE); + info = IEEE80211_SKB_CB(msdu); ++ kfree(pkt_addr); + + if (param->status) { + info->flags &= ~IEEE80211_TX_STAT_ACK; +@@ -9612,6 +9613,7 @@ static int ath10k_wmi_mgmt_tx_clean_up_p + dma_unmap_single(ar->dev, pkt_addr->paddr, + msdu->len, DMA_TO_DEVICE); + ieee80211_free_txskb(ar->hw, msdu); ++ kfree(pkt_addr); + + return 0; + } diff --git a/queue-6.11/wifi-cfg80211-clear-wdev-cqm_config-pointer-on-free.patch b/queue-6.11/wifi-cfg80211-clear-wdev-cqm_config-pointer-on-free.patch new file mode 100644 index 00000000000..24c2d51003c --- /dev/null +++ b/queue-6.11/wifi-cfg80211-clear-wdev-cqm_config-pointer-on-free.patch @@ -0,0 +1,35 @@ +From d5fee261dfd9e17b08b1df8471ac5d5736070917 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 22 Oct 2024 16:17:42 +0200 +Subject: wifi: cfg80211: clear wdev->cqm_config pointer on free + +From: Johannes Berg + +commit d5fee261dfd9e17b08b1df8471ac5d5736070917 upstream. + +When we free wdev->cqm_config when unregistering, we also +need to clear out the pointer since the same wdev/netdev +may get re-registered in another network namespace, then +destroyed later, running this code again, which results in +a double-free. + +Reported-by: syzbot+36218cddfd84b5cc263e@syzkaller.appspotmail.com +Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20241022161742.7c34b2037726.I121b9cdb7eb180802eafc90b493522950d57ee18@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -1236,6 +1236,7 @@ static void _cfg80211_unregister_wdev(st + /* deleted from the list, so can't be found from nl80211 any more */ + cqm_config = rcu_access_pointer(wdev->cqm_config); + kfree_rcu(cqm_config, rcu_head); ++ RCU_INIT_POINTER(wdev->cqm_config, NULL); + + /* + * Ensure that all events have been processed and diff --git a/queue-6.11/wifi-iwlegacy-clear-stale-interrupts-before-resuming-device.patch b/queue-6.11/wifi-iwlegacy-clear-stale-interrupts-before-resuming-device.patch new file mode 100644 index 00000000000..d00a9d8fc2b --- /dev/null +++ b/queue-6.11/wifi-iwlegacy-clear-stale-interrupts-before-resuming-device.patch @@ -0,0 +1,174 @@ +From 07c90acb071b9954e1fecb1e4f4f13d12c544b34 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Tue, 1 Oct 2024 23:07:45 +0300 +Subject: wifi: iwlegacy: Clear stale interrupts before resuming device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 07c90acb071b9954e1fecb1e4f4f13d12c544b34 upstream. + +iwl4965 fails upon resume from hibernation on my laptop. The reason +seems to be a stale interrupt which isn't being cleared out before +interrupts are enabled. We end up with a race beween the resume +trying to bring things back up, and the restart work (queued form +the interrupt handler) trying to bring things down. Eventually +the whole thing blows up. + +Fix the problem by clearing out any stale interrupts before +interrupts get enabled during resume. + +Here's a debug log of the indicent: +[ 12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000 +[ 12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000 +[ 12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio. +[ 12.042653] iwl4965 0000:10:00.0: On demand firmware reload +[ 12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282 +[ 12.052207] ieee80211 phy0: il4965_mac_start enter +[ 12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff +[ 12.052244] ieee80211 phy0: il4965_set_hw_ready hardware ready +[ 12.052324] ieee80211 phy0: il_apm_init Init card's basic functions +[ 12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S +[ 12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm +[ 12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm +[ 12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK +[ 12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations +[ 12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up +[ 12.058737] ieee80211 phy0: il4965_mac_start Start UP work done. +[ 12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down +[ 12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout +[ 12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort +[ 12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver +[ 12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared +[ 12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state +[ 12.058827] ieee80211 phy0: _il_apm_stop_master stop master +[ 12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear. +[ 12.058869] ieee80211 phy0: Hardware restart was requested +[ 16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms. +[ 16.132303] ------------[ cut here ]------------ +[ 16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue. +[ 16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211] +[ 16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev +[ 16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143 +[ 16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010 +[ 16.132463] Workqueue: async async_run_entry_fn +[ 16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211] +[ 16.132501] Code: da 02 00 00 c6 83 ad 05 00 00 00 48 89 df e8 98 1b fc ff 85 c0 41 89 c7 0f 84 e9 02 00 00 48 c7 c7 a0 e6 48 a0 e8 d1 77 c4 e0 <0f> 0b eb 2d 84 c0 0f 85 8b 01 00 00 c6 87 ad 05 00 00 00 e8 69 1b +[ 16.132504] RSP: 0018:ffffc9000029fcf0 EFLAGS: 00010282 +[ 16.132507] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: 0000000000000001 +[ 16.132509] RDX: ffffffff81f21a18 RSI: 0000000000000086 RDI: 0000000000000001 +[ 16.132510] RBP: ffff8880072003c0 R08: 0000000000000000 R09: 0000000000000003 +[ 16.132512] R10: 0000000000000000 R11: ffff88807e5b0000 R12: 0000000000000001 +[ 16.132514] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000ffffff92 +[ 16.132515] FS: 0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000 +[ 16.132517] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 16.132519] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0 +[ 16.132521] Call Trace: +[ 16.132525] +[ 16.132526] ? __warn+0x77/0x120 +[ 16.132532] ? ieee80211_reconfig+0x8f/0x14b0 [mac80211] +[ 16.132564] ? report_bug+0x15c/0x190 +[ 16.132568] ? handle_bug+0x36/0x70 +[ 16.132571] ? exc_invalid_op+0x13/0x60 +[ 16.132573] ? asm_exc_invalid_op+0x16/0x20 +[ 16.132579] ? ieee80211_reconfig+0x8f/0x14b0 [mac80211] +[ 16.132611] ? snd_hdac_bus_init_cmd_io+0x24/0x200 [snd_hda_core] +[ 16.132617] ? pick_eevdf+0x133/0x1c0 +[ 16.132622] ? check_preempt_wakeup_fair+0x70/0x90 +[ 16.132626] ? wakeup_preempt+0x4a/0x60 +[ 16.132628] ? ttwu_do_activate.isra.0+0x5a/0x190 +[ 16.132632] wiphy_resume+0x79/0x1a0 [cfg80211] +[ 16.132675] ? wiphy_suspend+0x2a0/0x2a0 [cfg80211] +[ 16.132697] dpm_run_callback+0x75/0x1b0 +[ 16.132703] device_resume+0x97/0x200 +[ 16.132707] async_resume+0x14/0x20 +[ 16.132711] async_run_entry_fn+0x1b/0xa0 +[ 16.132714] process_one_work+0x13d/0x350 +[ 16.132718] worker_thread+0x2be/0x3d0 +[ 16.132722] ? cancel_delayed_work_sync+0x70/0x70 +[ 16.132725] kthread+0xc0/0xf0 +[ 16.132729] ? kthread_park+0x80/0x80 +[ 16.132732] ret_from_fork+0x28/0x40 +[ 16.132735] ? kthread_park+0x80/0x80 +[ 16.132738] ret_from_fork_asm+0x11/0x20 +[ 16.132741] +[ 16.132742] ---[ end trace 0000000000000000 ]--- +[ 16.132930] ------------[ cut here ]------------ +[ 16.132932] WARNING: CPU: 0 PID: 181 at net/mac80211/driver-ops.c:41 drv_stop+0xe7/0xf0 [mac80211] +[ 16.132957] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev +[ 16.133014] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Tainted: G W 6.11.0-cl+ #143 +[ 16.133018] Tainted: [W]=WARN +[ 16.133019] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010 +[ 16.133021] Workqueue: async async_run_entry_fn +[ 16.133025] RIP: 0010:drv_stop+0xe7/0xf0 [mac80211] +[ 16.133048] Code: 48 85 c0 74 0e 48 8b 78 08 89 ea 48 89 de e8 e0 87 04 00 65 ff 0d d1 de c4 5f 0f 85 42 ff ff ff e8 be 52 c2 e0 e9 38 ff ff ff <0f> 0b 5b 5d c3 0f 1f 40 00 41 54 49 89 fc 55 53 48 89 f3 2e 2e 2e +[ 16.133050] RSP: 0018:ffffc9000029fc50 EFLAGS: 00010246 +[ 16.133053] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: ffff88800377f6c0 +[ 16.133054] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8880072008e0 +[ 16.133056] RBP: 0000000000000000 R08: ffffffff81f238d8 R09: 0000000000000000 +[ 16.133058] R10: ffff8880080520f0 R11: 0000000000000000 R12: ffff888008051c60 +[ 16.133060] R13: ffff8880072008e0 R14: 0000000000000000 R15: ffff8880072011d8 +[ 16.133061] FS: 0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000 +[ 16.133063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 16.133065] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0 +[ 16.133067] Call Trace: +[ 16.133069] +[ 16.133070] ? __warn+0x77/0x120 +[ 16.133075] ? drv_stop+0xe7/0xf0 [mac80211] +[ 16.133098] ? report_bug+0x15c/0x190 +[ 16.133100] ? handle_bug+0x36/0x70 +[ 16.133103] ? exc_invalid_op+0x13/0x60 +[ 16.133105] ? asm_exc_invalid_op+0x16/0x20 +[ 16.133109] ? drv_stop+0xe7/0xf0 [mac80211] +[ 16.133132] ieee80211_do_stop+0x55a/0x810 [mac80211] +[ 16.133161] ? fq_codel_reset+0xa5/0xc0 [sch_fq_codel] +[ 16.133164] ieee80211_stop+0x4f/0x180 [mac80211] +[ 16.133192] __dev_close_many+0xa2/0x120 +[ 16.133195] dev_close_many+0x90/0x150 +[ 16.133198] dev_close+0x5d/0x80 +[ 16.133200] cfg80211_shutdown_all_interfaces+0x40/0xe0 [cfg80211] +[ 16.133223] wiphy_resume+0xb2/0x1a0 [cfg80211] +[ 16.133247] ? wiphy_suspend+0x2a0/0x2a0 [cfg80211] +[ 16.133269] dpm_run_callback+0x75/0x1b0 +[ 16.133273] device_resume+0x97/0x200 +[ 16.133277] async_resume+0x14/0x20 +[ 16.133280] async_run_entry_fn+0x1b/0xa0 +[ 16.133283] process_one_work+0x13d/0x350 +[ 16.133287] worker_thread+0x2be/0x3d0 +[ 16.133290] ? cancel_delayed_work_sync+0x70/0x70 +[ 16.133294] kthread+0xc0/0xf0 +[ 16.133296] ? kthread_park+0x80/0x80 +[ 16.133299] ret_from_fork+0x28/0x40 +[ 16.133302] ? kthread_park+0x80/0x80 +[ 16.133304] ret_from_fork_asm+0x11/0x20 +[ 16.133307] +[ 16.133308] ---[ end trace 0000000000000000 ]--- +[ 16.133335] ieee80211 phy0: PM: dpm_run_callback(): wiphy_resume [cfg80211] returns -110 +[ 16.133360] ieee80211 phy0: PM: failed to restore async: error -110 + +Cc: stable@vger.kernel.org +Cc: Stanislaw Gruszka +Cc: Kalle Valo +Cc: linux-wireless@vger.kernel.org +Signed-off-by: Ville Syrjälä +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20241001200745.8276-1-ville.syrjala@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlegacy/common.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -4973,6 +4973,8 @@ il_pci_resume(struct device *device) + */ + pci_write_config_byte(pdev, PCI_CFG_RETRY_TIMEOUT, 0x00); + ++ _il_wr(il, CSR_INT, 0xffffffff); ++ _il_wr(il, CSR_FH_INT_STATUS, 0xffffffff); + il_enable_interrupts(il); + + if (!(_il_rd(il, CSR_GP_CNTRL) & CSR_GP_CNTRL_REG_FLAG_HW_RF_KILL_SW)) diff --git a/queue-6.11/wifi-iwlwifi-mvm-fix-6-ghz-scan-construction.patch b/queue-6.11/wifi-iwlwifi-mvm-fix-6-ghz-scan-construction.patch new file mode 100644 index 00000000000..d7f6634fcd6 --- /dev/null +++ b/queue-6.11/wifi-iwlwifi-mvm-fix-6-ghz-scan-construction.patch @@ -0,0 +1,63 @@ +From 7245012f0f496162dd95d888ed2ceb5a35170f1a Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 23 Oct 2024 09:17:44 +0200 +Subject: wifi: iwlwifi: mvm: fix 6 GHz scan construction + +From: Johannes Berg + +commit 7245012f0f496162dd95d888ed2ceb5a35170f1a upstream. + +If more than 255 colocated APs exist for the set of all +APs found during 2.4/5 GHz scanning, then the 6 GHz scan +construction will loop forever since the loop variable +has type u8, which can never reach the number found when +that's bigger than 255, and is stored in a u32 variable. +Also move it into the loops to have a smaller scope. + +Using a u32 there is fine, we limit the number of APs in +the scan list and each has a limit on the number of RNR +entries due to the frame size. With a limit of 1000 scan +results, a frame size upper bound of 4096 (really it's +more like ~2300) and a TBTT entry size of at least 11, +we get an upper bound for the number of ~372k, well in +the bounds of a u32. + +Cc: stable@vger.kernel.org +Fixes: eae94cf82d74 ("iwlwifi: mvm: add support for 6GHz") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219375 +Link: https://patch.msgid.link/20241023091744.f4baed5c08a1.I8b417148bbc8c5d11c101e1b8f5bf372e17bf2a7@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +@@ -1774,7 +1774,7 @@ iwl_mvm_umac_scan_cfg_channels_v7_6g(str + &cp->channel_config[ch_cnt]; + + u32 s_ssid_bitmap = 0, bssid_bitmap = 0, flags = 0; +- u8 j, k, n_s_ssids = 0, n_bssids = 0; ++ u8 k, n_s_ssids = 0, n_bssids = 0; + u8 max_s_ssids, max_bssids; + bool force_passive = false, found = false, allow_passive = true, + unsolicited_probe_on_chan = false, psc_no_listen = false; +@@ -1799,7 +1799,7 @@ iwl_mvm_umac_scan_cfg_channels_v7_6g(str + cfg->v5.iter_count = 1; + cfg->v5.iter_interval = 0; + +- for (j = 0; j < params->n_6ghz_params; j++) { ++ for (u32 j = 0; j < params->n_6ghz_params; j++) { + s8 tmp_psd_20; + + if (!(scan_6ghz_params[j].channel_idx == i)) +@@ -1873,7 +1873,7 @@ iwl_mvm_umac_scan_cfg_channels_v7_6g(str + * SSID. + * TODO: improve this logic + */ +- for (j = 0; j < params->n_6ghz_params; j++) { ++ for (u32 j = 0; j < params->n_6ghz_params; j++) { + if (!(scan_6ghz_params[j].channel_idx == i)) + continue; + diff --git a/queue-6.11/wifi-mac80211-do-not-pass-a-stopped-vif-to-the-driver-in-.get_txpower.patch b/queue-6.11/wifi-mac80211-do-not-pass-a-stopped-vif-to-the-driver-in-.get_txpower.patch new file mode 100644 index 00000000000..0d844ff2533 --- /dev/null +++ b/queue-6.11/wifi-mac80211-do-not-pass-a-stopped-vif-to-the-driver-in-.get_txpower.patch @@ -0,0 +1,33 @@ +From 393b6bc174b0dd21bb2a36c13b36e62fc3474a23 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 2 Oct 2024 11:56:30 +0200 +Subject: wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower + +From: Felix Fietkau + +commit 393b6bc174b0dd21bb2a36c13b36e62fc3474a23 upstream. + +Avoid potentially crashing in the driver because of uninitialized private data + +Fixes: 5b3dc42b1b0d ("mac80211: add support for driver tx power reporting") +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Link: https://patch.msgid.link/20241002095630.22431-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -3138,7 +3138,8 @@ static int ieee80211_get_tx_power(struct + struct ieee80211_local *local = wiphy_priv(wiphy); + struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev); + +- if (local->ops->get_txpower) ++ if (local->ops->get_txpower && ++ (sdata->flags & IEEE80211_SDATA_IN_DRIVER)) + return drv_get_txpower(local, sdata, dbm); + + if (local->emulate_chanctx) diff --git a/queue-6.11/xhci-fix-link-trb-dma-in-command-ring-stopped-completion-event.patch b/queue-6.11/xhci-fix-link-trb-dma-in-command-ring-stopped-completion-event.patch new file mode 100644 index 00000000000..44fe8d3e07c --- /dev/null +++ b/queue-6.11/xhci-fix-link-trb-dma-in-command-ring-stopped-completion-event.patch @@ -0,0 +1,64 @@ +From 075919f6df5dd82ad0b1894898b315fbb3c29b84 Mon Sep 17 00:00:00 2001 +From: Faisal Hassan +Date: Tue, 22 Oct 2024 21:26:31 +0530 +Subject: xhci: Fix Link TRB DMA in command ring stopped completion event + +From: Faisal Hassan + +commit 075919f6df5dd82ad0b1894898b315fbb3c29b84 upstream. + +During the aborting of a command, the software receives a command +completion event for the command ring stopped, with the TRB pointing +to the next TRB after the aborted command. + +If the command we abort is located just before the Link TRB in the +command ring, then during the 'command ring stopped' completion event, +the xHC gives the Link TRB in the event's cmd DMA, which causes a +mismatch in handling command completion event. + +To address this situation, move the 'command ring stopped' completion +event check slightly earlier, since the specific command it stopped +on isn't of significant concern. + +Fixes: 7f84eef0dafb ("USB: xhci: No-op command queueing and irq handler.") +Cc: stable@vger.kernel.org +Signed-off-by: Faisal Hassan +Acked-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241022155631.1185-1-quic_faisalh@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-ring.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1718,6 +1718,14 @@ static void handle_cmd_completion(struct + + trace_xhci_handle_command(xhci->cmd_ring, &cmd_trb->generic); + ++ cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status)); ++ ++ /* If CMD ring stopped we own the trbs between enqueue and dequeue */ ++ if (cmd_comp_code == COMP_COMMAND_RING_STOPPED) { ++ complete_all(&xhci->cmd_ring_stop_completion); ++ return; ++ } ++ + cmd_dequeue_dma = xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg, + cmd_trb); + /* +@@ -1734,14 +1742,6 @@ static void handle_cmd_completion(struct + + cancel_delayed_work(&xhci->cmd_timer); + +- cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status)); +- +- /* If CMD ring stopped we own the trbs between enqueue and dequeue */ +- if (cmd_comp_code == COMP_COMMAND_RING_STOPPED) { +- complete_all(&xhci->cmd_ring_stop_completion); +- return; +- } +- + if (cmd->command_trb != xhci->cmd_ring->dequeue) { + xhci_err(xhci, + "Command completion event does not match command\n"); diff --git a/queue-6.11/xhci-use-pm_runtime_get-to-prevent-rpm-on-unsupported-systems.patch b/queue-6.11/xhci-use-pm_runtime_get-to-prevent-rpm-on-unsupported-systems.patch new file mode 100644 index 00000000000..870bdb9b382 --- /dev/null +++ b/queue-6.11/xhci-use-pm_runtime_get-to-prevent-rpm-on-unsupported-systems.patch @@ -0,0 +1,47 @@ +From 31004740e42846a6f0bb255e6348281df3eb8032 Mon Sep 17 00:00:00 2001 +From: Basavaraj Natikar +Date: Thu, 24 Oct 2024 19:07:18 +0530 +Subject: xhci: Use pm_runtime_get to prevent RPM on unsupported systems + +From: Basavaraj Natikar + +commit 31004740e42846a6f0bb255e6348281df3eb8032 upstream. + +Use pm_runtime_put in the remove function and pm_runtime_get to disable +RPM on platforms that don't support runtime D3, as re-enabling it through +sysfs auto power control may cause the controller to malfunction. This +can lead to issues such as hotplug devices not being detected due to +failed interrupt generation. + +Fixes: a5d6264b638e ("xhci: Enable RPM on controllers that support low-power states") +Cc: stable +Signed-off-by: Basavaraj Natikar +Reviewed-by: Mario Limonciello +Link: https://lore.kernel.org/r/20241024133718.723846-1-Basavaraj.Natikar@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -654,7 +654,7 @@ static int xhci_pci_probe(struct pci_dev + pm_runtime_put_noidle(&dev->dev); + + if (pci_choose_state(dev, PMSG_SUSPEND) == PCI_D0) +- pm_runtime_forbid(&dev->dev); ++ pm_runtime_get(&dev->dev); + else if (xhci->quirks & XHCI_DEFAULT_PM_RUNTIME_ALLOW) + pm_runtime_allow(&dev->dev); + +@@ -681,7 +681,9 @@ static void xhci_pci_remove(struct pci_d + + xhci->xhc_state |= XHCI_STATE_REMOVING; + +- if (xhci->quirks & XHCI_DEFAULT_PM_RUNTIME_ALLOW) ++ if (pci_choose_state(dev, PMSG_SUSPEND) == PCI_D0) ++ pm_runtime_put(&dev->dev); ++ else if (xhci->quirks & XHCI_DEFAULT_PM_RUNTIME_ALLOW) + pm_runtime_forbid(&dev->dev); + + if (xhci->shared_hcd) {