From: Sasha Levin Date: Sun, 18 May 2025 10:30:30 +0000 (-0400) Subject: Fixes for 6.14 X-Git-Tag: v5.15.184~62 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a66c722b330640af577869a6ab418069599d28f2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.14 Signed-off-by: Sasha Levin --- diff --git a/queue-6.14/alsa-seq-fix-delivery-of-ump-events-to-group-ports.patch b/queue-6.14/alsa-seq-fix-delivery-of-ump-events-to-group-ports.patch new file mode 100644 index 0000000000..c04af6dead --- /dev/null +++ b/queue-6.14/alsa-seq-fix-delivery-of-ump-events-to-group-ports.patch @@ -0,0 +1,158 @@ +From 2321cbe7d8ee41455eeaee64cc7445b762c4a64f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 May 2025 15:45:27 +0200 +Subject: ALSA: seq: Fix delivery of UMP events to group ports + +From: Takashi Iwai + +[ Upstream commit ff7b190aef6cccdb6f14d20c5753081fe6420e0b ] + +When an event with UMP message is sent to a UMP client, the EP port +receives always no matter where the event is sent to, as it's a +catch-all port. OTOH, if an event is sent to EP port, and if the +event has a certain UMP Group, it should have been delivered to the +associated UMP Group port, too, but this was ignored, so far. + +This patch addresses the behavior. Now a UMP event sent to the +Endpoint port will be delivered to the subscribers of the UMP group +port the event is associated with. + +The patch also does a bit of refactoring to simplify the code about +__deliver_to_subscribers(). + +Fixes: 177ccf811df4 ("ALSA: seq: Support MIDI 2.0 UMP Endpoint port") +Link: https://patch.msgid.link/20250511134528.6314-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_clientmgr.c | 52 ++++++++++++++++++++------------ + sound/core/seq/seq_ump_convert.c | 18 +++++++++++ + sound/core/seq/seq_ump_convert.h | 1 + + 3 files changed, 52 insertions(+), 19 deletions(-) + +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 706f53e39b53c..0ae01b85bb18c 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -732,15 +732,21 @@ static int snd_seq_deliver_single_event(struct snd_seq_client *client, + */ + static int __deliver_to_subscribers(struct snd_seq_client *client, + struct snd_seq_event *event, +- struct snd_seq_client_port *src_port, +- int atomic, int hop) ++ int port, int atomic, int hop) + { ++ struct snd_seq_client_port *src_port; + struct snd_seq_subscribers *subs; + int err, result = 0, num_ev = 0; + union __snd_seq_event event_saved; + size_t saved_size; + struct snd_seq_port_subs_info *grp; + ++ if (port < 0) ++ return 0; ++ src_port = snd_seq_port_use_ptr(client, port); ++ if (!src_port) ++ return 0; ++ + /* save original event record */ + saved_size = snd_seq_event_packet_size(event); + memcpy(&event_saved, event, saved_size); +@@ -775,6 +781,7 @@ static int __deliver_to_subscribers(struct snd_seq_client *client, + read_unlock(&grp->list_lock); + else + up_read(&grp->list_mutex); ++ snd_seq_port_unlock(src_port); + memcpy(event, &event_saved, saved_size); + return (result < 0) ? result : num_ev; + } +@@ -783,25 +790,32 @@ static int deliver_to_subscribers(struct snd_seq_client *client, + struct snd_seq_event *event, + int atomic, int hop) + { +- struct snd_seq_client_port *src_port; +- int ret = 0, ret2; +- +- src_port = snd_seq_port_use_ptr(client, event->source.port); +- if (src_port) { +- ret = __deliver_to_subscribers(client, event, src_port, atomic, hop); +- snd_seq_port_unlock(src_port); +- } +- +- if (client->ump_endpoint_port < 0 || +- event->source.port == client->ump_endpoint_port) +- return ret; ++ int ret; ++#if IS_ENABLED(CONFIG_SND_SEQ_UMP) ++ int ret2; ++#endif + +- src_port = snd_seq_port_use_ptr(client, client->ump_endpoint_port); +- if (!src_port) ++ ret = __deliver_to_subscribers(client, event, ++ event->source.port, atomic, hop); ++#if IS_ENABLED(CONFIG_SND_SEQ_UMP) ++ if (!snd_seq_client_is_ump(client) || client->ump_endpoint_port < 0) + return ret; +- ret2 = __deliver_to_subscribers(client, event, src_port, atomic, hop); +- snd_seq_port_unlock(src_port); +- return ret2 < 0 ? ret2 : ret; ++ /* If it's an event from EP port (and with a UMP group), ++ * deliver to subscribers of the corresponding UMP group port, too. ++ * Or, if it's from non-EP port, deliver to subscribers of EP port, too. ++ */ ++ if (event->source.port == client->ump_endpoint_port) ++ ret2 = __deliver_to_subscribers(client, event, ++ snd_seq_ump_group_port(event), ++ atomic, hop); ++ else ++ ret2 = __deliver_to_subscribers(client, event, ++ client->ump_endpoint_port, ++ atomic, hop); ++ if (ret2 < 0) ++ return ret2; ++#endif ++ return ret; + } + + /* deliver an event to the destination port(s). +diff --git a/sound/core/seq/seq_ump_convert.c b/sound/core/seq/seq_ump_convert.c +index ff7e558b4d51d..db2f169cae11e 100644 +--- a/sound/core/seq/seq_ump_convert.c ++++ b/sound/core/seq/seq_ump_convert.c +@@ -1285,3 +1285,21 @@ int snd_seq_deliver_to_ump(struct snd_seq_client *source, + else + return cvt_to_ump_midi1(dest, dest_port, event, atomic, hop); + } ++ ++/* return the UMP group-port number of the event; ++ * return -1 if groupless or non-UMP event ++ */ ++int snd_seq_ump_group_port(const struct snd_seq_event *event) ++{ ++ const struct snd_seq_ump_event *ump_ev = ++ (const struct snd_seq_ump_event *)event; ++ unsigned char type; ++ ++ if (!snd_seq_ev_is_ump(event)) ++ return -1; ++ type = ump_message_type(ump_ev->ump[0]); ++ if (ump_is_groupless_msg(type)) ++ return -1; ++ /* group-port number starts from 1 */ ++ return ump_message_group(ump_ev->ump[0]) + 1; ++} +diff --git a/sound/core/seq/seq_ump_convert.h b/sound/core/seq/seq_ump_convert.h +index 6c146d8032804..4abf0a7637d70 100644 +--- a/sound/core/seq/seq_ump_convert.h ++++ b/sound/core/seq/seq_ump_convert.h +@@ -18,5 +18,6 @@ int snd_seq_deliver_to_ump(struct snd_seq_client *source, + struct snd_seq_client_port *dest_port, + struct snd_seq_event *event, + int atomic, int hop); ++int snd_seq_ump_group_port(const struct snd_seq_event *event); + + #endif /* __SEQ_UMP_CONVERT_H */ +-- +2.39.5 + diff --git a/queue-6.14/alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch b/queue-6.14/alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch new file mode 100644 index 0000000000..91f91edfce --- /dev/null +++ b/queue-6.14/alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch @@ -0,0 +1,46 @@ +From edc2ceebd69eced6399c31797adc31c57afbc32a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 09:31:04 +0200 +Subject: ALSA: sh: SND_AICA should depend on SH_DMA_API + +From: Geert Uytterhoeven + +[ Upstream commit 66e48ef6ef506c89ec1b3851c6f9f5f80b5835ff ] + +If CONFIG_SH_DMA_API=n: + + WARNING: unmet direct dependencies detected for G2_DMA + Depends on [n]: SH_DREAMCAST [=y] && SH_DMA_API [=n] + Selected by [y]: + - SND_AICA [=y] && SOUND [=y] && SND [=y] && SND_SUPERH [=y] && SH_DREAMCAST [=y] + +SND_AICA selects G2_DMA. As the latter depends on SH_DMA_API, the +former should depend on SH_DMA_API, too. + +Fixes: f477a538c14d07f8 ("sh: dma: fix kconfig dependency for G2_DMA") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202505131320.PzgTtl9H-lkp@intel.com/ +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/b90625f8a9078d0d304bafe862cbe3a3fab40082.1747121335.git.geert+renesas@glider.be +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/sh/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/sh/Kconfig b/sound/sh/Kconfig +index b75fbb3236a7b..f5fa09d740b4c 100644 +--- a/sound/sh/Kconfig ++++ b/sound/sh/Kconfig +@@ -14,7 +14,7 @@ if SND_SUPERH + + config SND_AICA + tristate "Dreamcast Yamaha AICA sound" +- depends on SH_DREAMCAST ++ depends on SH_DREAMCAST && SH_DMA_API + select SND_PCM + select G2_DMA + help +-- +2.39.5 + diff --git a/queue-6.14/alsa-ump-fix-a-typo-of-snd_ump_stream_msg_device_inf.patch b/queue-6.14/alsa-ump-fix-a-typo-of-snd_ump_stream_msg_device_inf.patch new file mode 100644 index 0000000000..23d6681c58 --- /dev/null +++ b/queue-6.14/alsa-ump-fix-a-typo-of-snd_ump_stream_msg_device_inf.patch @@ -0,0 +1,61 @@ +From ceb2b2573a84a31560df346569bc42e499b66e04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 May 2025 16:11:45 +0200 +Subject: ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info + +From: Takashi Iwai + +[ Upstream commit dd33993a9721ab1dae38bd37c9f665987d554239 ] + +s/devince/device/ + +It's used only internally, so no any behavior changes. + +Fixes: 37e0e14128e0 ("ALSA: ump: Support UMP Endpoint and Function Block parsing") +Acked-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/20250511141147.10246-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_midi2.c | 2 +- + include/sound/ump_msg.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_midi2.c b/drivers/usb/gadget/function/f_midi2.c +index 12e866fb311d6..0a800ba53816a 100644 +--- a/drivers/usb/gadget/function/f_midi2.c ++++ b/drivers/usb/gadget/function/f_midi2.c +@@ -475,7 +475,7 @@ static void reply_ump_stream_ep_info(struct f_midi2_ep *ep) + /* reply a UMP EP device info */ + static void reply_ump_stream_ep_device(struct f_midi2_ep *ep) + { +- struct snd_ump_stream_msg_devince_info rep = { ++ struct snd_ump_stream_msg_device_info rep = { + .type = UMP_MSG_TYPE_STREAM, + .status = UMP_STREAM_MSG_STATUS_DEVICE_INFO, + .manufacture_id = ep->info.manufacturer, +diff --git a/include/sound/ump_msg.h b/include/sound/ump_msg.h +index 72f60ddfea753..9556b4755a1ed 100644 +--- a/include/sound/ump_msg.h ++++ b/include/sound/ump_msg.h +@@ -604,7 +604,7 @@ struct snd_ump_stream_msg_ep_info { + } __packed; + + /* UMP Stream Message: Device Info Notification (128bit) */ +-struct snd_ump_stream_msg_devince_info { ++struct snd_ump_stream_msg_device_info { + #ifdef __BIG_ENDIAN_BITFIELD + /* 0 */ + u32 type:4; +@@ -754,7 +754,7 @@ struct snd_ump_stream_msg_fb_name { + union snd_ump_stream_msg { + struct snd_ump_stream_msg_ep_discovery ep_discovery; + struct snd_ump_stream_msg_ep_info ep_info; +- struct snd_ump_stream_msg_devince_info device_info; ++ struct snd_ump_stream_msg_device_info device_info; + struct snd_ump_stream_msg_stream_cfg stream_cfg; + struct snd_ump_stream_msg_fb_discovery fb_discovery; + struct snd_ump_stream_msg_fb_info fb_info; +-- +2.39.5 + diff --git a/queue-6.14/arm64-dts-imx8mp-var-som-fix-ldo5-shutdown-causing-s.patch b/queue-6.14/arm64-dts-imx8mp-var-som-fix-ldo5-shutdown-causing-s.patch new file mode 100644 index 0000000000..ac77deef45 --- /dev/null +++ b/queue-6.14/arm64-dts-imx8mp-var-som-fix-ldo5-shutdown-causing-s.patch @@ -0,0 +1,70 @@ +From ba18bde15f258f3806c588f6a3be2102d09f8dc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 11:28:27 +0530 +Subject: arm64: dts: imx8mp-var-som: Fix LDO5 shutdown causing SD card timeout + +From: Himanshu Bhavani + +[ Upstream commit c6888983134e2ccc2db8ffd2720b0d4826d952e4 ] + +Fix SD card timeout issue caused by LDO5 regulator getting disabled +after boot. + +The kernel log shows LDO5 being disabled, which leads to a timeout +on USDHC2: +[ 33.760561] LDO5: disabling +[ 81.119861] mmc1: Timeout waiting for hardware interrupt. + +To prevent this, set regulator-boot-on and regulator-always-on for +LDO5. Also add the vqmmc regulator to properly support 1.8V/3.3V +signaling for USDHC2 using a GPIO-controlled regulator. + +Fixes: 6c2a1f4f71258 ("arm64: dts: imx8mp-var-som-symphony: Add Variscite Symphony board and VAR-SOM-MX8MP SoM") +Signed-off-by: Himanshu Bhavani +Acked-by: Tarang Raval +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi +index b2ac2583a5929..b59da91fdd041 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi +@@ -35,7 +35,6 @@ + <0x1 0x00000000 0 0xc0000000>; + }; + +- + reg_usdhc2_vmmc: regulator-usdhc2-vmmc { + compatible = "regulator-fixed"; + regulator-name = "VSD_3V3"; +@@ -46,6 +45,16 @@ + startup-delay-us = <100>; + off-on-delay-us = <12000>; + }; ++ ++ reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc { ++ compatible = "regulator-gpio"; ++ regulator-name = "VSD_VSEL"; ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <3300000>; ++ gpios = <&gpio2 12 GPIO_ACTIVE_HIGH>; ++ states = <3300000 0x0 1800000 0x1>; ++ vin-supply = <&ldo5>; ++ }; + }; + + &A53_0 { +@@ -205,6 +214,7 @@ + pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_gpio>; + cd-gpios = <&gpio1 14 GPIO_ACTIVE_LOW>; + vmmc-supply = <®_usdhc2_vmmc>; ++ vqmmc-supply = <®_usdhc2_vqmmc>; + bus-width = <4>; + status = "okay"; + }; +-- +2.39.5 + diff --git a/queue-6.14/arm64-dts-rockchip-assign-rt5616-mclk-rate-on-rk3588.patch b/queue-6.14/arm64-dts-rockchip-assign-rt5616-mclk-rate-on-rk3588.patch new file mode 100644 index 0000000000..ea4802d9f3 --- /dev/null +++ b/queue-6.14/arm64-dts-rockchip-assign-rt5616-mclk-rate-on-rk3588.patch @@ -0,0 +1,44 @@ +From f7cc177bb60f06c4562d74b3016c5ef30cb90430 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 09:17:53 +0100 +Subject: arm64: dts: rockchip: Assign RT5616 MCLK rate on + rk3588-friendlyelec-cm3588 + +From: Tom Vincent + +[ Upstream commit 5e6a4ee9799b202fefa8c6264647971f892f0264 ] + +The Realtek RT5616 audio codec on the FriendlyElec CM3588 module fails +to probe correctly due to the missing clock properties. This results +in distorted analogue audio output. + +Assign MCLK to 12.288 MHz, which allows the codec to advertise most of +the standard sample rates per other RK3588 devices. + +Fixes: e23819cf273c ("arm64: dts: rockchip: Add FriendlyElec CM3588 NAS board") +Signed-off-by: Tom Vincent +Link: https://lore.kernel.org/r/20250417081753.644950-1-linux@tlvince.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi b/arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi +index e3a9598b99fca..cacffc851584f 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi +@@ -222,6 +222,10 @@ + compatible = "realtek,rt5616"; + reg = <0x1b>; + #sound-dai-cells = <0>; ++ assigned-clocks = <&cru I2S0_8CH_MCLKOUT>; ++ assigned-clock-rates = <12288000>; ++ clocks = <&cru I2S0_8CH_MCLKOUT>; ++ clock-names = "mclk"; + }; + }; + +-- +2.39.5 + diff --git a/queue-6.14/arm64-dts-rockchip-fix-sige5-rtc-interrupt-pin.patch b/queue-6.14/arm64-dts-rockchip-fix-sige5-rtc-interrupt-pin.patch new file mode 100644 index 0000000000..00292fa47e --- /dev/null +++ b/queue-6.14/arm64-dts-rockchip-fix-sige5-rtc-interrupt-pin.patch @@ -0,0 +1,41 @@ +From d99263cb42da01417aa1c7e65568567ee659d947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 18:51:55 +0200 +Subject: arm64: dts: rockchip: fix Sige5 RTC interrupt pin + +From: Nicolas Frattaroli + +[ Upstream commit 4bf593be2e462623c4c34c7e3b604eb3f8f9de45 ] + +Someone made a typo when they added the RTC to the Sige5 DTS, which +resulted in it using interrupts from GPIO0 B0 instead of GPIO0 A0. The +pinctrl entry for it wasn't typoed though, curiously enough. + +The Sige5 v1.1 schematic was used to verify that GPIO0 A0 is the correct +pin for the RTC wakeup interrupt, so let's change it to that. + +Fixes: 40f742b07ab2 ("arm64: dts: rockchip: Add rk3576-armsom-sige5 board") +Signed-off-by: Nicolas Frattaroli +Link: https://lore.kernel.org/r/20250429-sige5-rtc-oopsie-v1-1-8686767d0f1f@collabora.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts b/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts +index a9b9db31d2a3e..bab66b688e011 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts +@@ -578,7 +578,7 @@ + reg = <0x51>; + clock-output-names = "hym8563"; + interrupt-parent = <&gpio0>; +- interrupts = ; ++ interrupts = ; + pinctrl-names = "default"; + pinctrl-0 = <&hym8563_int>; + wakeup-source; +-- +2.39.5 + diff --git a/queue-6.14/binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch b/queue-6.14/binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch new file mode 100644 index 0000000000..e588624936 --- /dev/null +++ b/queue-6.14/binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch @@ -0,0 +1,198 @@ +From 915da6d5feaad91a4d2bb344fb9a0131e3076b35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 15:45:06 -0700 +Subject: binfmt_elf: Move brk for static PIE even if ASLR disabled + +From: Kees Cook + +[ Upstream commit 11854fe263eb1b9a8efa33b0c087add7719ea9b4 ] + +In commit bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing +direct loader exec"), the brk was moved out of the mmap region when +loading static PIE binaries (ET_DYN without INTERP). The common case +for these binaries was testing new ELF loaders, so the brk needed to +be away from mmap to avoid colliding with stack, future mmaps (of the +loader-loaded binary), etc. But this was only done when ASLR was enabled, +in an attempt to minimize changes to memory layouts. + +After adding support to respect alignment requirements for static PIE +binaries in commit 3545deff0ec7 ("binfmt_elf: Honor PT_LOAD alignment +for static PIE"), it became possible to have a large gap after the +final PT_LOAD segment and the top of the mmap region. This means that +future mmap allocations might go after the last PT_LOAD segment (where +brk might be if ASLR was disabled) instead of before them (where they +traditionally ended up). + +On arm64, running with ASLR disabled, Ubuntu 22.04's "ldconfig" binary, +a static PIE, has alignment requirements that leaves a gap large enough +after the last PT_LOAD segment to fit the vdso and vvar, but still leave +enough space for the brk (which immediately follows the last PT_LOAD +segment) to be allocated by the binary. + +fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real +fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real +fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0 +***[brk will go here at fffff7ffa000]*** +fffff7ffc000-fffff7ffe000 r--p 00000000 00:00 0 [vvar] +fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso] +fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack] + +After commit 0b3bc3354eb9 ("arm64: vdso: Switch to generic storage +implementation"), the arm64 vvar grew slightly, and suddenly the brk +collided with the allocation. + +fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real +fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real +fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0 +***[oops, no room any more, vvar is at fffff7ffa000!]*** +fffff7ffa000-fffff7ffe000 r--p 00000000 00:00 0 [vvar] +fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso] +fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack] + +The solution is to unconditionally move the brk out of the mmap region +for static PIE binaries. Whether ASLR is enabled or not does not change if +there may be future mmap allocation collisions with a growing brk region. + +Update memory layout comments (with kernel-doc headings), consolidate +the setting of mm->brk to later (it isn't needed early), move static PIE +brk out of mmap unconditionally, and make sure brk(2) knows to base brk +position off of mm->start_brk not mm->end_data no matter what the cause of +moving it is (via current->brk_randomized). + +For the CONFIG_COMPAT_BRK case, though, leave the logic unchanged, as we +can never safely move the brk. These systems, however, are not using +specially aligned static PIE binaries. + +Reported-by: Ryan Roberts +Closes: https://lore.kernel.org/lkml/f93db308-4a0e-4806-9faf-98f890f5a5e6@arm.com/ +Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec") +Link: https://lore.kernel.org/r/20250425224502.work.520-kees@kernel.org +Reviewed-by: Ryan Roberts +Tested-by: Ryan Roberts +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/binfmt_elf.c | 71 ++++++++++++++++++++++++++++++++----------------- + 1 file changed, 47 insertions(+), 24 deletions(-) + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 8054f44d39cf7..855ef79561062 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -831,6 +831,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL; + struct elf_phdr *elf_property_phdata = NULL; + unsigned long elf_brk; ++ bool brk_moved = false; + int retval, i; + unsigned long elf_entry; + unsigned long e_entry; +@@ -1098,15 +1099,19 @@ static int load_elf_binary(struct linux_binprm *bprm) + /* Calculate any requested alignment. */ + alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum); + +- /* +- * There are effectively two types of ET_DYN +- * binaries: programs (i.e. PIE: ET_DYN with PT_INTERP) +- * and loaders (ET_DYN without PT_INTERP, since they +- * _are_ the ELF interpreter). The loaders must +- * be loaded away from programs since the program +- * may otherwise collide with the loader (especially +- * for ET_EXEC which does not have a randomized +- * position). For example to handle invocations of ++ /** ++ * DOC: PIE handling ++ * ++ * There are effectively two types of ET_DYN ELF ++ * binaries: programs (i.e. PIE: ET_DYN with ++ * PT_INTERP) and loaders (i.e. static PIE: ET_DYN ++ * without PT_INTERP, usually the ELF interpreter ++ * itself). Loaders must be loaded away from programs ++ * since the program may otherwise collide with the ++ * loader (especially for ET_EXEC which does not have ++ * a randomized position). ++ * ++ * For example, to handle invocations of + * "./ld.so someprog" to test out a new version of + * the loader, the subsequent program that the + * loader loads must avoid the loader itself, so +@@ -1119,6 +1124,9 @@ static int load_elf_binary(struct linux_binprm *bprm) + * ELF_ET_DYN_BASE and loaders are loaded into the + * independently randomized mmap region (0 load_bias + * without MAP_FIXED nor MAP_FIXED_NOREPLACE). ++ * ++ * See below for "brk" handling details, which is ++ * also affected by program vs loader and ASLR. + */ + if (interpreter) { + /* On ET_DYN with PT_INTERP, we do the ASLR. */ +@@ -1235,8 +1243,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + start_data += load_bias; + end_data += load_bias; + +- current->mm->start_brk = current->mm->brk = ELF_PAGEALIGN(elf_brk); +- + if (interpreter) { + elf_entry = load_elf_interp(interp_elf_ex, + interpreter, +@@ -1292,27 +1298,44 @@ static int load_elf_binary(struct linux_binprm *bprm) + mm->end_data = end_data; + mm->start_stack = bprm->p; + +- if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { ++ /** ++ * DOC: "brk" handling ++ * ++ * For architectures with ELF randomization, when executing a ++ * loader directly (i.e. static PIE: ET_DYN without PT_INTERP), ++ * move the brk area out of the mmap region and into the unused ++ * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide ++ * early with the stack growing down or other regions being put ++ * into the mmap region by the kernel (e.g. vdso). ++ * ++ * In the CONFIG_COMPAT_BRK case, though, everything is turned ++ * off because we're not allowed to move the brk at all. ++ */ ++ if (!IS_ENABLED(CONFIG_COMPAT_BRK) && ++ IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && ++ elf_ex->e_type == ET_DYN && !interpreter) { ++ elf_brk = ELF_ET_DYN_BASE; ++ /* This counts as moving the brk, so let brk(2) know. */ ++ brk_moved = true; ++ } ++ mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk); ++ ++ if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) { + /* +- * For architectures with ELF randomization, when executing +- * a loader directly (i.e. no interpreter listed in ELF +- * headers), move the brk area out of the mmap region +- * (since it grows up, and may collide early with the stack +- * growing down), and into the unused ELF_ET_DYN_BASE region. ++ * If we didn't move the brk to ELF_ET_DYN_BASE (above), ++ * leave a gap between .bss and brk. + */ +- if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) && +- elf_ex->e_type == ET_DYN && !interpreter) { +- mm->brk = mm->start_brk = ELF_ET_DYN_BASE; +- } else { +- /* Otherwise leave a gap between .bss and brk. */ ++ if (!brk_moved) + mm->brk = mm->start_brk = mm->brk + PAGE_SIZE; +- } + + mm->brk = mm->start_brk = arch_randomize_brk(mm); ++ brk_moved = true; ++ } ++ + #ifdef compat_brk_randomized ++ if (brk_moved) + current->brk_randomized = 1; + #endif +- } + + if (current->personality & MMAP_PAGE_ZERO) { + /* Why this, you ask??? Well SVr4 maps page 0 as read-only, +-- +2.39.5 + diff --git a/queue-6.14/bluetooth-mgmt-fix-mgmt_op_add_device-invalid-device.patch b/queue-6.14/bluetooth-mgmt-fix-mgmt_op_add_device-invalid-device.patch new file mode 100644 index 0000000000..b4a8ab499e --- /dev/null +++ b/queue-6.14/bluetooth-mgmt-fix-mgmt_op_add_device-invalid-device.patch @@ -0,0 +1,55 @@ +From d4ded60727be035ebe8053a4b6df2559222be103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 15:05:59 -0400 +Subject: Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags + +From: Luiz Augusto von Dentz + +[ Upstream commit 1e2e3044c1bc64a64aa0eaf7c17f7832c26c9775 ] + +Device flags could be updated in the meantime while MGMT_OP_ADD_DEVICE +is pending on hci_update_passive_scan_sync so instead of setting the +current_flags as cmd->user_data just do a lookup using +hci_conn_params_lookup and use the latest stored flags. + +Fixes: a182d9c84f9c ("Bluetooth: MGMT: Fix Add Device to responding before completing") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 621c555f639be..181b1e070b82e 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -7540,11 +7540,16 @@ static void add_device_complete(struct hci_dev *hdev, void *data, int err) + struct mgmt_cp_add_device *cp = cmd->param; + + if (!err) { ++ struct hci_conn_params *params; ++ ++ params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr, ++ le_addr_type(cp->addr.type)); ++ + device_added(cmd->sk, hdev, &cp->addr.bdaddr, cp->addr.type, + cp->action); + device_flags_changed(NULL, hdev, &cp->addr.bdaddr, + cp->addr.type, hdev->conn_flags, +- PTR_UINT(cmd->user_data)); ++ params ? params->flags : 0); + } + + mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_ADD_DEVICE, +@@ -7647,8 +7652,6 @@ static int add_device(struct sock *sk, struct hci_dev *hdev, + goto unlock; + } + +- cmd->user_data = UINT_PTR(current_flags); +- + err = hci_cmd_sync_queue(hdev, add_device_sync, cmd, + add_device_complete); + if (err < 0) { +-- +2.39.5 + diff --git a/queue-6.14/cgroup-cpuset-extend-kthread_is_per_cpu-check-to-all.patch b/queue-6.14/cgroup-cpuset-extend-kthread_is_per_cpu-check-to-all.patch new file mode 100644 index 0000000000..14cde6eed7 --- /dev/null +++ b/queue-6.14/cgroup-cpuset-extend-kthread_is_per_cpu-check-to-all.patch @@ -0,0 +1,53 @@ +From 2e27a674da553607a0b9e4015e74230dab41a7fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 15:24:13 -0400 +Subject: cgroup/cpuset: Extend kthread_is_per_cpu() check to all + PF_NO_SETAFFINITY tasks + +From: Waiman Long + +[ Upstream commit 39b5ef791d109dd54c7c2e6e87933edfcc0ad1ac ] + +Commit ec5fbdfb99d1 ("cgroup/cpuset: Enable update_tasks_cpumask() +on top_cpuset") enabled us to pull CPUs dedicated to child partitions +from tasks in top_cpuset by ignoring per cpu kthreads. However, there +can be other kthreads that are not per cpu but have PF_NO_SETAFFINITY +flag set to indicate that we shouldn't mess with their CPU affinity. +For other kthreads, their affinity will be changed to skip CPUs dedicated +to child partitions whether it is an isolating or a scheduling one. + +As all the per cpu kthreads have PF_NO_SETAFFINITY set, the +PF_NO_SETAFFINITY tasks are essentially a superset of per cpu kthreads. +Fix this issue by dropping the kthread_is_per_cpu() check and checking +the PF_NO_SETAFFINITY flag instead. + +Fixes: ec5fbdfb99d1 ("cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset") +Signed-off-by: Waiman Long +Acked-by: Frederic Weisbecker +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cpuset.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c +index 1287274ae1ce9..6fbffdca0c741 100644 +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -1116,9 +1116,11 @@ void cpuset_update_tasks_cpumask(struct cpuset *cs, struct cpumask *new_cpus) + + if (top_cs) { + /* +- * Percpu kthreads in top_cpuset are ignored ++ * PF_NO_SETAFFINITY tasks are ignored. ++ * All per cpu kthreads should have PF_NO_SETAFFINITY ++ * flag set, see kthread_set_per_cpu(). + */ +- if (kthread_is_per_cpu(task)) ++ if (task->flags & PF_NO_SETAFFINITY) + continue; + cpumask_andnot(new_cpus, possible_mask, subpartitions_cpus); + } else { +-- +2.39.5 + diff --git a/queue-6.14/drivers-platform-x86-amd-pmf-check-for-invalid-sidel.patch b/queue-6.14/drivers-platform-x86-amd-pmf-check-for-invalid-sidel.patch new file mode 100644 index 0000000000..84e2661f6f --- /dev/null +++ b/queue-6.14/drivers-platform-x86-amd-pmf-check-for-invalid-sidel.patch @@ -0,0 +1,50 @@ +From 6dbc13b13313ced7c1a621103d51a6c7254d7fff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 08:18:44 -0500 +Subject: drivers/platform/x86/amd: pmf: Check for invalid sideloaded Smart PC + Policies +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 690d722e02819ef978f90cd7553973eba1007e6c ] + +If a policy is passed into amd_pmf_get_pb_data() that causes the engine +to fail to start there is a memory leak. Free the memory in this failure +path. + +Fixes: 10817f28e5337 ("platform/x86/amd/pmf: Add capability to sideload of policy binary") +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20250423132002.3984997-2-superm1@kernel.org +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmf/tee-if.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c +index 14b99d8b63d2f..e008ac079fade 100644 +--- a/drivers/platform/x86/amd/pmf/tee-if.c ++++ b/drivers/platform/x86/amd/pmf/tee-if.c +@@ -364,9 +364,14 @@ static ssize_t amd_pmf_get_pb_data(struct file *filp, const char __user *buf, + amd_pmf_hex_dump_pb(dev); + ret = amd_pmf_start_policy_engine(dev); + if (ret < 0) +- return ret; ++ goto cleanup; + + return length; ++ ++cleanup: ++ kfree(dev->policy_buf); ++ dev->policy_buf = NULL; ++ return ret; + } + + static const struct file_operations pb_fops = { +-- +2.39.5 + diff --git a/queue-6.14/drivers-platform-x86-amd-pmf-check-for-invalid-smart.patch b/queue-6.14/drivers-platform-x86-amd-pmf-check-for-invalid-smart.patch new file mode 100644 index 0000000000..6b17f3ed4d --- /dev/null +++ b/queue-6.14/drivers-platform-x86-amd-pmf-check-for-invalid-smart.patch @@ -0,0 +1,78 @@ +From a5ee3308ee51d78181633ff96098a513ca26df6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 08:18:45 -0500 +Subject: drivers/platform/x86/amd: pmf: Check for invalid Smart PC Policies +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mario Limonciello + +[ Upstream commit 8e81b9cd6e95188d12c9cc25d40b61dd5ea05ace ] + +commit 376a8c2a14439 ("platform/x86/amd/pmf: Update PMF Driver for +Compatibility with new PMF-TA") added support for platforms that support +an updated TA, however it also exposed a number of platforms that although +they have support for the updated TA don't actually populate a policy +binary. + +Add an explicit check that the policy binary isn't empty before +initializing the TA. + +Reported-by: Christian Heusel +Closes: https://lore.kernel.org/platform-driver-x86/ae644428-5bf2-4b30-81ba-0b259ed3449b@heusel.eu/ +Fixes: 376a8c2a14439 ("platform/x86/amd/pmf: Update PMF Driver for Compatibility with new PMF-TA") +Signed-off-by: Mario Limonciello +Tested-by: Christian Heusel +Link: https://lore.kernel.org/r/20250423132002.3984997-3-superm1@kernel.org +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmf/tee-if.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c +index e008ac079fade..d3bd12ad036ae 100644 +--- a/drivers/platform/x86/amd/pmf/tee-if.c ++++ b/drivers/platform/x86/amd/pmf/tee-if.c +@@ -334,6 +334,11 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev) + return 0; + } + ++static inline bool amd_pmf_pb_valid(struct amd_pmf_dev *dev) ++{ ++ return memchr_inv(dev->policy_buf, 0xff, dev->policy_sz); ++} ++ + #ifdef CONFIG_AMD_PMF_DEBUG + static void amd_pmf_hex_dump_pb(struct amd_pmf_dev *dev) + { +@@ -361,6 +366,11 @@ static ssize_t amd_pmf_get_pb_data(struct file *filp, const char __user *buf, + dev->policy_buf = new_policy_buf; + dev->policy_sz = length; + ++ if (!amd_pmf_pb_valid(dev)) { ++ ret = -EINVAL; ++ goto cleanup; ++ } ++ + amd_pmf_hex_dump_pb(dev); + ret = amd_pmf_start_policy_engine(dev); + if (ret < 0) +@@ -533,6 +543,12 @@ int amd_pmf_init_smart_pc(struct amd_pmf_dev *dev) + + memcpy_fromio(dev->policy_buf, dev->policy_base, dev->policy_sz); + ++ if (!amd_pmf_pb_valid(dev)) { ++ dev_info(dev->dev, "No Smart PC policy present\n"); ++ ret = -EINVAL; ++ goto err_free_policy; ++ } ++ + amd_pmf_hex_dump_pb(dev); + + dev->prev_data = kzalloc(sizeof(*dev->prev_data), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-6.14/drm-amd-display-fix-null-check-of-pipe_ctx-plane_sta.patch b/queue-6.14/drm-amd-display-fix-null-check-of-pipe_ctx-plane_sta.patch new file mode 100644 index 0000000000..1b01905b0a --- /dev/null +++ b/queue-6.14/drm-amd-display-fix-null-check-of-pipe_ctx-plane_sta.patch @@ -0,0 +1,46 @@ +From b285d23e013cf15c6845e161baf89e32e70c7d37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 11:11:47 -0300 +Subject: drm/amd/display: Fix null check of pipe_ctx->plane_state for + update_dchubp_dpp + +From: Melissa Wen + +[ Upstream commit a3b7e65b6be59e686e163fa1ceb0922f996897c2 ] + +Similar to commit 6a057072ddd1 ("drm/amd/display: Fix null check for +pipe_ctx->plane_state in dcn20_program_pipe") that addresses a null +pointer dereference on dcn20_update_dchubp_dpp. This is the same +function hooked for update_dchubp_dpp in dcn401, with the same issue. +Fix possible null pointer deference on dcn401_program_pipe too. + +Fixes: 63ab80d9ac0a ("drm/amd/display: DML2.1 Post-Si Cleanup") +Signed-off-by: Melissa Wen +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit d8d47f739752227957d8efc0cb894761bfe1d879) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c +index 89af3e4afbc25..0d39d193dacfa 100644 +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c +@@ -2027,9 +2027,9 @@ static void dcn401_program_pipe( + dc->res_pool->hubbub, pipe_ctx->plane_res.hubp->inst, pipe_ctx->hubp_regs.det_size); + } + +- if (pipe_ctx->update_flags.raw || +- (pipe_ctx->plane_state && pipe_ctx->plane_state->update_flags.raw) || +- pipe_ctx->stream->update_flags.raw) ++ if (pipe_ctx->plane_state && (pipe_ctx->update_flags.raw || ++ pipe_ctx->plane_state->update_flags.raw || ++ pipe_ctx->stream->update_flags.raw)) + dc->hwss.update_dchubp_dpp(dc, pipe_ctx, context); + + if (pipe_ctx->plane_state && (pipe_ctx->update_flags.bits.enable || +-- +2.39.5 + diff --git a/queue-6.14/drm-meson-use-1000ull-when-operating-with-mode-clock.patch b/queue-6.14/drm-meson-use-1000ull-when-operating-with-mode-clock.patch new file mode 100644 index 0000000000..a585b5a98d --- /dev/null +++ b/queue-6.14/drm-meson-use-1000ull-when-operating-with-mode-clock.patch @@ -0,0 +1,49 @@ +From 9d55834c2373051a9943677344fb6ffbcea01afa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 02:43:38 +0800 +Subject: drm/meson: Use 1000ULL when operating with mode->clock + +From: I Hsin Cheng + +[ Upstream commit eb0851e14432f3b87c77b704c835ac376deda03a ] + +Coverity scan reported the usage of "mode->clock * 1000" may lead to +integer overflow. Use "1000ULL" instead of "1000" +when utilizing it to avoid potential integer overflow issue. + +Link: https://scan5.scan.coverity.com/#/project-view/10074/10063?selectedIssue=1646759 +Signed-off-by: I Hsin Cheng +Reviewed-by: Martin Blumenstingl +Fixes: 1017560164b6 ("drm/meson: use unsigned long long / Hz for frequency types") +Link: https://lore.kernel.org/r/20250505184338.678540-1-richard120310@gmail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_encoder_hdmi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c +index ce8cea5d3a56b..c61e6026adfae 100644 +--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c ++++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c +@@ -75,7 +75,7 @@ static void meson_encoder_hdmi_set_vclk(struct meson_encoder_hdmi *encoder_hdmi, + unsigned long long venc_freq; + unsigned long long hdmi_freq; + +- vclk_freq = mode->clock * 1000; ++ vclk_freq = mode->clock * 1000ULL; + + /* For 420, pixel clock is half unlike venc clock */ + if (encoder_hdmi->output_bus_fmt == MEDIA_BUS_FMT_UYYVYY8_0_5X24) +@@ -123,7 +123,7 @@ static enum drm_mode_status meson_encoder_hdmi_mode_valid(struct drm_bridge *bri + struct meson_encoder_hdmi *encoder_hdmi = bridge_to_meson_encoder_hdmi(bridge); + struct meson_drm *priv = encoder_hdmi->priv; + bool is_hdmi2_sink = display_info->hdmi.scdc.supported; +- unsigned long long clock = mode->clock * 1000; ++ unsigned long long clock = mode->clock * 1000ULL; + unsigned long long phy_freq; + unsigned long long vclk_freq; + unsigned long long venc_freq; +-- +2.39.5 + diff --git a/queue-6.14/drm-xe-save-ctx_timestamp-mmio-value-instead-of-lrc-.patch b/queue-6.14/drm-xe-save-ctx_timestamp-mmio-value-instead-of-lrc-.patch new file mode 100644 index 0000000000..e81b57af5c --- /dev/null +++ b/queue-6.14/drm-xe-save-ctx_timestamp-mmio-value-instead-of-lrc-.patch @@ -0,0 +1,81 @@ +From 1e76cf5a5585543addc148aa15c91df759324c5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 09:12:01 -0700 +Subject: drm/xe: Save CTX_TIMESTAMP mmio value instead of LRC value + +From: Umesh Nerlige Ramappa + +[ Upstream commit 66c8f7b435bddb7d8577ac8a57e175a6cb147227 ] + +For determining actual job execution time, save the current value of the +CTX_TIMESTAMP register rather than the value saved in LRC since the +current register value is the closest to the start time of the job. + +v2: Define MI_STORE_REGISTER_MEM to fix compile error +v3: Place MI_STORE_REGISTER_MEM sorted by MI_INSTR (Lucas) + +Fixes: 65921374c48f ("drm/xe: Emit ctx timestamp copy in ring ops") +Signed-off-by: Umesh Nerlige Ramappa +Reviewed-by: Matthew Brost +Reviewed-by: Lucas De Marchi +Link: https://lore.kernel.org/r/20250509161159.2173069-6-umesh.nerlige.ramappa@intel.com +(cherry picked from commit 38b14233e5deff51db8faec287b4acd227152246) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/instructions/xe_mi_commands.h | 4 ++++ + drivers/gpu/drm/xe/xe_lrc.c | 2 +- + drivers/gpu/drm/xe/xe_ring_ops.c | 7 ++----- + 3 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/xe/instructions/xe_mi_commands.h b/drivers/gpu/drm/xe/instructions/xe_mi_commands.h +index 10ec2920d31b3..d4033278be9fc 100644 +--- a/drivers/gpu/drm/xe/instructions/xe_mi_commands.h ++++ b/drivers/gpu/drm/xe/instructions/xe_mi_commands.h +@@ -47,6 +47,10 @@ + #define MI_LRI_FORCE_POSTED REG_BIT(12) + #define MI_LRI_LEN(x) (((x) & 0xff) + 1) + ++#define MI_STORE_REGISTER_MEM (__MI_INSTR(0x24) | XE_INSTR_NUM_DW(4)) ++#define MI_SRM_USE_GGTT REG_BIT(22) ++#define MI_SRM_ADD_CS_OFFSET REG_BIT(19) ++ + #define MI_FLUSH_DW __MI_INSTR(0x26) + #define MI_FLUSH_DW_STORE_INDEX REG_BIT(21) + #define MI_INVALIDATE_TLB REG_BIT(18) +diff --git a/drivers/gpu/drm/xe/xe_lrc.c b/drivers/gpu/drm/xe/xe_lrc.c +index bbb9ffbf63672..2a953c4f7d5dd 100644 +--- a/drivers/gpu/drm/xe/xe_lrc.c ++++ b/drivers/gpu/drm/xe/xe_lrc.c +@@ -684,7 +684,7 @@ static inline u32 __xe_lrc_start_seqno_offset(struct xe_lrc *lrc) + + static u32 __xe_lrc_ctx_job_timestamp_offset(struct xe_lrc *lrc) + { +- /* The start seqno is stored in the driver-defined portion of PPHWSP */ ++ /* This is stored in the driver-defined portion of PPHWSP */ + return xe_lrc_pphwsp_offset(lrc) + LRC_CTX_JOB_TIMESTAMP_OFFSET; + } + +diff --git a/drivers/gpu/drm/xe/xe_ring_ops.c b/drivers/gpu/drm/xe/xe_ring_ops.c +index 8d1fb33d923f4..3493177947680 100644 +--- a/drivers/gpu/drm/xe/xe_ring_ops.c ++++ b/drivers/gpu/drm/xe/xe_ring_ops.c +@@ -234,13 +234,10 @@ static u32 get_ppgtt_flag(struct xe_sched_job *job) + + static int emit_copy_timestamp(struct xe_lrc *lrc, u32 *dw, int i) + { +- dw[i++] = MI_COPY_MEM_MEM | MI_COPY_MEM_MEM_SRC_GGTT | +- MI_COPY_MEM_MEM_DST_GGTT; ++ dw[i++] = MI_STORE_REGISTER_MEM | MI_SRM_USE_GGTT | MI_SRM_ADD_CS_OFFSET; ++ dw[i++] = RING_CTX_TIMESTAMP(0).addr; + dw[i++] = xe_lrc_ctx_job_timestamp_ggtt_addr(lrc); + dw[i++] = 0; +- dw[i++] = xe_lrc_ctx_timestamp_ggtt_addr(lrc); +- dw[i++] = 0; +- dw[i++] = MI_NOOP; + + return i; + } +-- +2.39.5 + diff --git a/queue-6.14/fs-xattr.c-fix-simple_xattr_list-to-always-include-s.patch b/queue-6.14/fs-xattr.c-fix-simple_xattr_list-to-always-include-s.patch new file mode 100644 index 0000000000..eef53c9dcc --- /dev/null +++ b/queue-6.14/fs-xattr.c-fix-simple_xattr_list-to-always-include-s.patch @@ -0,0 +1,102 @@ +From 0c0284f3d059aa33ce28127534518ec63a3e359f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 11:28:20 -0400 +Subject: fs/xattr.c: fix simple_xattr_list to always include security.* xattrs + +From: Stephen Smalley + +[ Upstream commit 8b0ba61df5a1c44e2b3cf683831a4fc5e24ea99d ] + +The vfs has long had a fallback to obtain the security.* xattrs from the +LSM when the filesystem does not implement its own listxattr, but +shmem/tmpfs and kernfs later gained their own xattr handlers to support +other xattrs. Unfortunately, as a side effect, tmpfs and kernfs-based +filesystems like sysfs no longer return the synthetic security.* xattr +names via listxattr unless they are explicitly set by userspace or +initially set upon inode creation after policy load. coreutils has +recently switched from unconditionally invoking getxattr for security.* +for ls -Z via libselinux to only doing so if listxattr returns the xattr +name, breaking ls -Z of such inodes. + +Before: +$ getfattr -m.* /run/initramfs + +$ getfattr -m.* /sys/kernel/fscaps + +$ setfattr -n user.foo /run/initramfs +$ getfattr -m.* /run/initramfs +user.foo + +After: +$ getfattr -m.* /run/initramfs +security.selinux +$ getfattr -m.* /sys/kernel/fscaps +security.selinux +$ setfattr -n user.foo /run/initramfs +$ getfattr -m.* /run/initramfs +security.selinux +user.foo + +Link: https://lore.kernel.org/selinux/CAFqZXNtF8wDyQajPCdGn=iOawX4y77ph0EcfcqcUUj+T87FKyA@mail.gmail.com/ +Link: https://lore.kernel.org/selinux/20250423175728.3185-2-stephen.smalley.work@gmail.com/ +Signed-off-by: Stephen Smalley +Link: https://lore.kernel.org/20250424152822.2719-1-stephen.smalley.work@gmail.com +Fixes: b09e0fa4b4ea66266058ee ("tmpfs: implement generic xattr support") +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/xattr.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/fs/xattr.c b/fs/xattr.c +index fabb2a04501ee..8ec5b0204bfdc 100644 +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -1428,6 +1428,15 @@ static bool xattr_is_trusted(const char *name) + return !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN); + } + ++static bool xattr_is_maclabel(const char *name) ++{ ++ const char *suffix = name + XATTR_SECURITY_PREFIX_LEN; ++ ++ return !strncmp(name, XATTR_SECURITY_PREFIX, ++ XATTR_SECURITY_PREFIX_LEN) && ++ security_ismaclabel(suffix); ++} ++ + /** + * simple_xattr_list - list all xattr objects + * @inode: inode from which to get the xattrs +@@ -1460,6 +1469,17 @@ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, + if (err) + return err; + ++ err = security_inode_listsecurity(inode, buffer, remaining_size); ++ if (err < 0) ++ return err; ++ ++ if (buffer) { ++ if (remaining_size < err) ++ return -ERANGE; ++ buffer += err; ++ } ++ remaining_size -= err; ++ + read_lock(&xattrs->lock); + for (rbp = rb_first(&xattrs->rb_root); rbp; rbp = rb_next(rbp)) { + xattr = rb_entry(rbp, struct simple_xattr, rb_node); +@@ -1468,6 +1488,10 @@ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, + if (!trusted && xattr_is_trusted(xattr->name)) + continue; + ++ /* skip MAC labels; these are provided by LSM above */ ++ if (xattr_is_maclabel(xattr->name)) ++ continue; ++ + err = xattr_list_one(&buffer, &remaining_size, xattr->name); + if (err) + break; +-- +2.39.5 + diff --git a/queue-6.14/hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch b/queue-6.14/hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch new file mode 100644 index 0000000000..629a99710f --- /dev/null +++ b/queue-6.14/hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch @@ -0,0 +1,39 @@ +From 9e83d334b37bc65a10ac6795c428112829b82dc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 23:11:46 +0000 +Subject: HID: thrustmaster: fix memory leak in thrustmaster_interrupts() + +From: Qasim Ijaz + +[ Upstream commit 09d546303b370113323bfff456c4e8cff8756005 ] + +In thrustmaster_interrupts(), the allocated send_buf is not +freed if the usb_check_int_endpoints() check fails, leading +to a memory leak. + +Fix this by ensuring send_buf is freed before returning in +the error path. + +Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check") +Signed-off-by: Qasim Ijaz +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-thrustmaster.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c +index 3b81468a1df29..0bf70664c35ee 100644 +--- a/drivers/hid/hid-thrustmaster.c ++++ b/drivers/hid/hid-thrustmaster.c +@@ -174,6 +174,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev) + u8 ep_addr[2] = {b_ep, 0}; + + if (!usb_check_int_endpoints(usbif, ep_addr)) { ++ kfree(send_buf); + hid_err(hdev, "Unexpected non-int endpoint\n"); + return; + } +-- +2.39.5 + diff --git a/queue-6.14/hid-uclogic-add-null-check-in-uclogic_input_configur.patch b/queue-6.14/hid-uclogic-add-null-check-in-uclogic_input_configur.patch new file mode 100644 index 0000000000..33059f5e3b --- /dev/null +++ b/queue-6.14/hid-uclogic-add-null-check-in-uclogic_input_configur.patch @@ -0,0 +1,46 @@ +From fb9bf3dd5270a683079602e0559b2972d18a1440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 17:48:53 +0800 +Subject: HID: uclogic: Add NULL check in uclogic_input_configured() + +From: Henry Martin + +[ Upstream commit bd07f751208ba190f9b0db5e5b7f35d5bb4a8a1e ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +uclogic_input_configured() does not check for this case, which results +in a NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: dd613a4e45f8 ("HID: uclogic: Correct devm device reference for hidinput input_dev name") +Signed-off-by: Henry Martin +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-uclogic-core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c +index d8008933c052f..321c43fb06ae0 100644 +--- a/drivers/hid/hid-uclogic-core.c ++++ b/drivers/hid/hid-uclogic-core.c +@@ -142,11 +142,12 @@ static int uclogic_input_configured(struct hid_device *hdev, + suffix = "System Control"; + break; + } +- } +- +- if (suffix) ++ } else { + hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL, + "%s %s", hdev->name, suffix); ++ if (!hi->input->name) ++ return -ENOMEM; ++ } + + return 0; + } +-- +2.39.5 + diff --git a/queue-6.14/iio-adc-ad7606-check-for-null-before-calling-sw_mode.patch b/queue-6.14/iio-adc-ad7606-check-for-null-before-calling-sw_mode.patch new file mode 100644 index 0000000000..90b8a0e369 --- /dev/null +++ b/queue-6.14/iio-adc-ad7606-check-for-null-before-calling-sw_mode.patch @@ -0,0 +1,59 @@ +From 7f348c93ba25dda111263f490a223aa72b35ad11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 17:52:09 -0500 +Subject: iio: adc: ad7606: check for NULL before calling sw_mode_config() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Lechner + +[ Upstream commit 5257d80e22bf27009d6742e4c174f42cfe54e425 ] + +Check that the sw_mode_config function pointer is not NULL before +calling it. Not all buses define this callback, which resulted in a NULL +pointer dereference. + +Fixes: e571c1902116 ("iio: adc: ad7606: move scale_setup as function pointer on chip-info") +Reviewed-by: Nuno Sá +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20250318-iio-adc-ad7606-improvements-v2-1-4b605427774c@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7606.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c +index 7985570ed1521..0339e27f92c32 100644 +--- a/drivers/iio/adc/ad7606.c ++++ b/drivers/iio/adc/ad7606.c +@@ -1228,9 +1228,11 @@ static int ad7616_sw_mode_setup(struct iio_dev *indio_dev) + st->write_scale = ad7616_write_scale_sw; + st->write_os = &ad7616_write_os_sw; + +- ret = st->bops->sw_mode_config(indio_dev); +- if (ret) +- return ret; ++ if (st->bops->sw_mode_config) { ++ ret = st->bops->sw_mode_config(indio_dev); ++ if (ret) ++ return ret; ++ } + + /* Activate Burst mode and SEQEN MODE */ + return ad7606_write_mask(st, AD7616_CONFIGURATION_REGISTER, +@@ -1261,6 +1263,9 @@ static int ad7606b_sw_mode_setup(struct iio_dev *indio_dev) + st->write_scale = ad7606_write_scale_sw; + st->write_os = &ad7606_write_os_sw; + ++ if (!st->bops->sw_mode_config) ++ return 0; ++ + return st->bops->sw_mode_config(indio_dev); + } + +-- +2.39.5 + diff --git a/queue-6.14/iio-adc-ad7606-move-software-functions-into-common-f.patch b/queue-6.14/iio-adc-ad7606-move-software-functions-into-common-f.patch new file mode 100644 index 0000000000..61d94a447a --- /dev/null +++ b/queue-6.14/iio-adc-ad7606-move-software-functions-into-common-f.patch @@ -0,0 +1,498 @@ +From 87de2f6b911efd64142b52ebe109c7e1abac7a38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 17:10:53 +0100 +Subject: iio: adc: ad7606: move software functions into common file + +From: Guillaume Stols + +[ Upstream commit d2477887f6677de0675e600f1590378a5fb52909 ] + +Since the register are always the same, whatever bus is used, moving the +software functions into the main file avoids the code to be duplicated +in both SPI and parallel version of the driver. + +Signed-off-by: Guillaume Stols +Co-developed-by: Angelo Dureghello +Signed-off-by: Angelo Dureghello +Link: https://patch.msgid.link/20250210-wip-bl-ad7606_add_backend_sw_mode-v4-3-160df18b1da7@baylibre.com +Signed-off-by: Jonathan Cameron +Stable-dep-of: 5257d80e22bf ("iio: adc: ad7606: check for NULL before calling sw_mode_config()") +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7606.c | 133 +++++++++++++++++++++++++++++++--- + drivers/iio/adc/ad7606.h | 37 +++++++++- + drivers/iio/adc/ad7606_spi.c | 137 +---------------------------------- + 3 files changed, 158 insertions(+), 149 deletions(-) + +diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c +index 376c808df11c7..7985570ed1521 100644 +--- a/drivers/iio/adc/ad7606.c ++++ b/drivers/iio/adc/ad7606.c +@@ -85,6 +85,10 @@ static const unsigned int ad7606_oversampling_avail[7] = { + 1, 2, 4, 8, 16, 32, 64, + }; + ++static const unsigned int ad7606b_oversampling_avail[9] = { ++ 1, 2, 4, 8, 16, 32, 64, 128, 256, ++}; ++ + static const unsigned int ad7616_oversampling_avail[8] = { + 1, 2, 4, 8, 16, 32, 64, 128, + }; +@@ -187,6 +191,8 @@ static int ad7608_chan_scale_setup(struct iio_dev *indio_dev, + struct iio_chan_spec *chan, int ch); + static int ad7609_chan_scale_setup(struct iio_dev *indio_dev, + struct iio_chan_spec *chan, int ch); ++static int ad7616_sw_mode_setup(struct iio_dev *indio_dev); ++static int ad7606b_sw_mode_setup(struct iio_dev *indio_dev); + + const struct ad7606_chip_info ad7605_4_info = { + .channels = ad7605_channels, +@@ -239,6 +245,7 @@ const struct ad7606_chip_info ad7606b_info = { + .oversampling_avail = ad7606_oversampling_avail, + .oversampling_num = ARRAY_SIZE(ad7606_oversampling_avail), + .scale_setup_cb = ad7606_16bit_chan_scale_setup, ++ .sw_setup_cb = ad7606b_sw_mode_setup, + }; + EXPORT_SYMBOL_NS_GPL(ad7606b_info, "IIO_AD7606"); + +@@ -250,6 +257,7 @@ const struct ad7606_chip_info ad7606c_16_info = { + .oversampling_avail = ad7606_oversampling_avail, + .oversampling_num = ARRAY_SIZE(ad7606_oversampling_avail), + .scale_setup_cb = ad7606c_16bit_chan_scale_setup, ++ .sw_setup_cb = ad7606b_sw_mode_setup, + }; + EXPORT_SYMBOL_NS_GPL(ad7606c_16_info, "IIO_AD7606"); + +@@ -294,6 +302,7 @@ const struct ad7606_chip_info ad7606c_18_info = { + .oversampling_avail = ad7606_oversampling_avail, + .oversampling_num = ARRAY_SIZE(ad7606_oversampling_avail), + .scale_setup_cb = ad7606c_18bit_chan_scale_setup, ++ .sw_setup_cb = ad7606b_sw_mode_setup, + }; + EXPORT_SYMBOL_NS_GPL(ad7606c_18_info, "IIO_AD7606"); + +@@ -307,6 +316,7 @@ const struct ad7606_chip_info ad7616_info = { + .oversampling_num = ARRAY_SIZE(ad7616_oversampling_avail), + .os_req_reset = true, + .scale_setup_cb = ad7606_16bit_chan_scale_setup, ++ .sw_setup_cb = ad7616_sw_mode_setup, + }; + EXPORT_SYMBOL_NS_GPL(ad7616_info, "IIO_AD7606"); + +@@ -1138,16 +1148,118 @@ static const struct iio_trigger_ops ad7606_trigger_ops = { + .validate_device = iio_trigger_validate_own_device, + }; + +-static int ad7606_sw_mode_setup(struct iio_dev *indio_dev) ++static int ad7606_write_mask(struct ad7606_state *st, unsigned int addr, ++ unsigned long mask, unsigned int val) ++{ ++ int readval; ++ ++ readval = st->bops->reg_read(st, addr); ++ if (readval < 0) ++ return readval; ++ ++ readval &= ~mask; ++ readval |= val; ++ ++ return st->bops->reg_write(st, addr, readval); ++} ++ ++static int ad7616_write_scale_sw(struct iio_dev *indio_dev, int ch, int val) + { + struct ad7606_state *st = iio_priv(indio_dev); ++ unsigned int ch_addr, mode, ch_index; + +- st->sw_mode_en = st->bops->sw_mode_config && +- device_property_present(st->dev, "adi,sw-mode"); +- if (!st->sw_mode_en) +- return 0; ++ /* ++ * Ad7616 has 16 channels divided in group A and group B. ++ * The range of channels from A are stored in registers with address 4 ++ * while channels from B are stored in register with address 6. ++ * The last bit from channels determines if it is from group A or B ++ * because the order of channels in iio is 0A, 0B, 1A, 1B... ++ */ ++ ch_index = ch >> 1; ++ ++ ch_addr = AD7616_RANGE_CH_ADDR(ch_index); ++ ++ if ((ch & 0x1) == 0) /* channel A */ ++ ch_addr += AD7616_RANGE_CH_A_ADDR_OFF; ++ else /* channel B */ ++ ch_addr += AD7616_RANGE_CH_B_ADDR_OFF; ++ ++ /* 0b01 for 2.5v, 0b10 for 5v and 0b11 for 10v */ ++ mode = AD7616_RANGE_CH_MODE(ch_index, ((val + 1) & 0b11)); + +- indio_dev->info = &ad7606_info_sw_mode; ++ return ad7606_write_mask(st, ch_addr, AD7616_RANGE_CH_MSK(ch_index), ++ mode); ++} ++ ++static int ad7616_write_os_sw(struct iio_dev *indio_dev, int val) ++{ ++ struct ad7606_state *st = iio_priv(indio_dev); ++ ++ return ad7606_write_mask(st, AD7616_CONFIGURATION_REGISTER, ++ AD7616_OS_MASK, val << 2); ++} ++ ++static int ad7606_write_scale_sw(struct iio_dev *indio_dev, int ch, int val) ++{ ++ struct ad7606_state *st = iio_priv(indio_dev); ++ ++ return ad7606_write_mask(st, AD7606_RANGE_CH_ADDR(ch), ++ AD7606_RANGE_CH_MSK(ch), ++ AD7606_RANGE_CH_MODE(ch, val)); ++} ++ ++static int ad7606_write_os_sw(struct iio_dev *indio_dev, int val) ++{ ++ struct ad7606_state *st = iio_priv(indio_dev); ++ ++ return st->bops->reg_write(st, AD7606_OS_MODE, val); ++} ++ ++static int ad7616_sw_mode_setup(struct iio_dev *indio_dev) ++{ ++ struct ad7606_state *st = iio_priv(indio_dev); ++ int ret; ++ ++ /* ++ * Scale can be configured individually for each channel ++ * in software mode. ++ */ ++ ++ st->write_scale = ad7616_write_scale_sw; ++ st->write_os = &ad7616_write_os_sw; ++ ++ ret = st->bops->sw_mode_config(indio_dev); ++ if (ret) ++ return ret; ++ ++ /* Activate Burst mode and SEQEN MODE */ ++ return ad7606_write_mask(st, AD7616_CONFIGURATION_REGISTER, ++ AD7616_BURST_MODE | AD7616_SEQEN_MODE, ++ AD7616_BURST_MODE | AD7616_SEQEN_MODE); ++} ++ ++static int ad7606b_sw_mode_setup(struct iio_dev *indio_dev) ++{ ++ struct ad7606_state *st = iio_priv(indio_dev); ++ DECLARE_BITMAP(os, 3); ++ ++ bitmap_fill(os, 3); ++ /* ++ * Software mode is enabled when all three oversampling ++ * pins are set to high. If oversampling gpios are defined ++ * in the device tree, then they need to be set to high, ++ * otherwise, they must be hardwired to VDD ++ */ ++ if (st->gpio_os) { ++ gpiod_set_array_value(st->gpio_os->ndescs, st->gpio_os->desc, ++ st->gpio_os->info, os); ++ } ++ /* OS of 128 and 256 are available only in software mode */ ++ st->oversampling_avail = ad7606b_oversampling_avail; ++ st->num_os_ratios = ARRAY_SIZE(ad7606b_oversampling_avail); ++ ++ st->write_scale = ad7606_write_scale_sw; ++ st->write_os = &ad7606_write_os_sw; + + return st->bops->sw_mode_config(indio_dev); + } +@@ -1326,9 +1438,12 @@ int ad7606_probe(struct device *dev, int irq, void __iomem *base_address, + st->write_scale = ad7606_write_scale_hw; + st->write_os = ad7606_write_os_hw; + +- ret = ad7606_sw_mode_setup(indio_dev); +- if (ret) +- return ret; ++ st->sw_mode_en = st->chip_info->sw_setup_cb && ++ device_property_present(st->dev, "adi,sw-mode"); ++ if (st->sw_mode_en) { ++ indio_dev->info = &ad7606_info_sw_mode; ++ st->chip_info->sw_setup_cb(indio_dev); ++ } + + ret = ad7606_chan_scales_setup(indio_dev); + if (ret) +diff --git a/drivers/iio/adc/ad7606.h b/drivers/iio/adc/ad7606.h +index 8778ffe515b30..7a044b499cfe1 100644 +--- a/drivers/iio/adc/ad7606.h ++++ b/drivers/iio/adc/ad7606.h +@@ -10,6 +10,36 @@ + + #define AD760X_MAX_CHANNELS 16 + ++#define AD7616_CONFIGURATION_REGISTER 0x02 ++#define AD7616_OS_MASK GENMASK(4, 2) ++#define AD7616_BURST_MODE BIT(6) ++#define AD7616_SEQEN_MODE BIT(5) ++#define AD7616_RANGE_CH_A_ADDR_OFF 0x04 ++#define AD7616_RANGE_CH_B_ADDR_OFF 0x06 ++/* ++ * Range of channels from a group are stored in 2 registers. ++ * 0, 1, 2, 3 in a register followed by 4, 5, 6, 7 in second register. ++ * For channels from second group(8-15) the order is the same, only with ++ * an offset of 2 for register address. ++ */ ++#define AD7616_RANGE_CH_ADDR(ch) ((ch) >> 2) ++/* The range of the channel is stored in 2 bits */ ++#define AD7616_RANGE_CH_MSK(ch) (0b11 << (((ch) & 0b11) * 2)) ++#define AD7616_RANGE_CH_MODE(ch, mode) ((mode) << ((((ch) & 0b11)) * 2)) ++ ++#define AD7606_CONFIGURATION_REGISTER 0x02 ++#define AD7606_SINGLE_DOUT 0x00 ++ ++/* ++ * Range for AD7606B channels are stored in registers starting with address 0x3. ++ * Each register stores range for 2 channels(4 bits per channel). ++ */ ++#define AD7606_RANGE_CH_MSK(ch) (GENMASK(3, 0) << (4 * ((ch) & 0x1))) ++#define AD7606_RANGE_CH_MODE(ch, mode) \ ++ ((GENMASK(3, 0) & (mode)) << (4 * ((ch) & 0x1))) ++#define AD7606_RANGE_CH_ADDR(ch) (0x03 + ((ch) >> 1)) ++#define AD7606_OS_MODE 0x08 ++ + #define AD760X_CHANNEL(num, mask_sep, mask_type, mask_all, bits) { \ + .type = IIO_VOLTAGE, \ + .indexed = 1, \ +@@ -71,6 +101,7 @@ struct ad7606_state; + + typedef int (*ad7606_scale_setup_cb_t)(struct iio_dev *indio_dev, + struct iio_chan_spec *chan, int ch); ++typedef int (*ad7606_sw_setup_cb_t)(struct iio_dev *indio_dev); + + /** + * struct ad7606_chip_info - chip specific information +@@ -80,6 +111,7 @@ typedef int (*ad7606_scale_setup_cb_t)(struct iio_dev *indio_dev, + * @num_channels: number of channels + * @num_adc_channels the number of channels the ADC actually inputs. + * @scale_setup_cb: callback to setup the scales for each channel ++ * @sw_setup_cb: callback to setup the software mode if available. + * @oversampling_avail pointer to the array which stores the available + * oversampling ratios. + * @oversampling_num number of elements stored in oversampling_avail array +@@ -94,6 +126,7 @@ struct ad7606_chip_info { + unsigned int num_adc_channels; + unsigned int num_channels; + ad7606_scale_setup_cb_t scale_setup_cb; ++ ad7606_sw_setup_cb_t sw_setup_cb; + const unsigned int *oversampling_avail; + unsigned int oversampling_num; + bool os_req_reset; +@@ -206,10 +239,6 @@ struct ad7606_bus_ops { + int (*reg_write)(struct ad7606_state *st, + unsigned int addr, + unsigned int val); +- int (*write_mask)(struct ad7606_state *st, +- unsigned int addr, +- unsigned long mask, +- unsigned int val); + int (*update_scan_mode)(struct iio_dev *indio_dev, const unsigned long *scan_mask); + u16 (*rd_wr_cmd)(int addr, char isWriteOp); + }; +diff --git a/drivers/iio/adc/ad7606_spi.c b/drivers/iio/adc/ad7606_spi.c +index c8bc9e772dfc2..179115e909888 100644 +--- a/drivers/iio/adc/ad7606_spi.c ++++ b/drivers/iio/adc/ad7606_spi.c +@@ -15,36 +15,6 @@ + + #define MAX_SPI_FREQ_HZ 23500000 /* VDRIVE above 4.75 V */ + +-#define AD7616_CONFIGURATION_REGISTER 0x02 +-#define AD7616_OS_MASK GENMASK(4, 2) +-#define AD7616_BURST_MODE BIT(6) +-#define AD7616_SEQEN_MODE BIT(5) +-#define AD7616_RANGE_CH_A_ADDR_OFF 0x04 +-#define AD7616_RANGE_CH_B_ADDR_OFF 0x06 +-/* +- * Range of channels from a group are stored in 2 registers. +- * 0, 1, 2, 3 in a register followed by 4, 5, 6, 7 in second register. +- * For channels from second group(8-15) the order is the same, only with +- * an offset of 2 for register address. +- */ +-#define AD7616_RANGE_CH_ADDR(ch) ((ch) >> 2) +-/* The range of the channel is stored in 2 bits */ +-#define AD7616_RANGE_CH_MSK(ch) (0b11 << (((ch) & 0b11) * 2)) +-#define AD7616_RANGE_CH_MODE(ch, mode) ((mode) << ((((ch) & 0b11)) * 2)) +- +-#define AD7606_CONFIGURATION_REGISTER 0x02 +-#define AD7606_SINGLE_DOUT 0x00 +- +-/* +- * Range for AD7606B channels are stored in registers starting with address 0x3. +- * Each register stores range for 2 channels(4 bits per channel). +- */ +-#define AD7606_RANGE_CH_MSK(ch) (GENMASK(3, 0) << (4 * ((ch) & 0x1))) +-#define AD7606_RANGE_CH_MODE(ch, mode) \ +- ((GENMASK(3, 0) & mode) << (4 * ((ch) & 0x1))) +-#define AD7606_RANGE_CH_ADDR(ch) (0x03 + ((ch) >> 1)) +-#define AD7606_OS_MODE 0x08 +- + static const struct iio_chan_spec ad7616_sw_channels[] = { + IIO_CHAN_SOFT_TIMESTAMP(16), + AD7616_CHANNEL(0), +@@ -89,10 +59,6 @@ static const struct iio_chan_spec ad7606c_18_sw_channels[] = { + AD7606_SW_CHANNEL(7, 18), + }; + +-static const unsigned int ad7606B_oversampling_avail[9] = { +- 1, 2, 4, 8, 16, 32, 64, 128, 256 +-}; +- + static u16 ad7616_spi_rd_wr_cmd(int addr, char isWriteOp) + { + /* +@@ -194,118 +160,20 @@ static int ad7606_spi_reg_write(struct ad7606_state *st, + return spi_write(spi, &st->d16[0], sizeof(st->d16[0])); + } + +-static int ad7606_spi_write_mask(struct ad7606_state *st, +- unsigned int addr, +- unsigned long mask, +- unsigned int val) +-{ +- int readval; +- +- readval = st->bops->reg_read(st, addr); +- if (readval < 0) +- return readval; +- +- readval &= ~mask; +- readval |= val; +- +- return st->bops->reg_write(st, addr, readval); +-} +- +-static int ad7616_write_scale_sw(struct iio_dev *indio_dev, int ch, int val) +-{ +- struct ad7606_state *st = iio_priv(indio_dev); +- unsigned int ch_addr, mode, ch_index; +- +- +- /* +- * Ad7616 has 16 channels divided in group A and group B. +- * The range of channels from A are stored in registers with address 4 +- * while channels from B are stored in register with address 6. +- * The last bit from channels determines if it is from group A or B +- * because the order of channels in iio is 0A, 0B, 1A, 1B... +- */ +- ch_index = ch >> 1; +- +- ch_addr = AD7616_RANGE_CH_ADDR(ch_index); +- +- if ((ch & 0x1) == 0) /* channel A */ +- ch_addr += AD7616_RANGE_CH_A_ADDR_OFF; +- else /* channel B */ +- ch_addr += AD7616_RANGE_CH_B_ADDR_OFF; +- +- /* 0b01 for 2.5v, 0b10 for 5v and 0b11 for 10v */ +- mode = AD7616_RANGE_CH_MODE(ch_index, ((val + 1) & 0b11)); +- return st->bops->write_mask(st, ch_addr, AD7616_RANGE_CH_MSK(ch_index), +- mode); +-} +- +-static int ad7616_write_os_sw(struct iio_dev *indio_dev, int val) +-{ +- struct ad7606_state *st = iio_priv(indio_dev); +- +- return st->bops->write_mask(st, AD7616_CONFIGURATION_REGISTER, +- AD7616_OS_MASK, val << 2); +-} +- +-static int ad7606_write_scale_sw(struct iio_dev *indio_dev, int ch, int val) +-{ +- struct ad7606_state *st = iio_priv(indio_dev); +- +- return ad7606_spi_write_mask(st, +- AD7606_RANGE_CH_ADDR(ch), +- AD7606_RANGE_CH_MSK(ch), +- AD7606_RANGE_CH_MODE(ch, val)); +-} +- +-static int ad7606_write_os_sw(struct iio_dev *indio_dev, int val) +-{ +- struct ad7606_state *st = iio_priv(indio_dev); +- +- return ad7606_spi_reg_write(st, AD7606_OS_MODE, val); +-} +- + static int ad7616_sw_mode_config(struct iio_dev *indio_dev) + { +- struct ad7606_state *st = iio_priv(indio_dev); +- + /* + * Scale can be configured individually for each channel + * in software mode. + */ + indio_dev->channels = ad7616_sw_channels; + +- st->write_scale = ad7616_write_scale_sw; +- st->write_os = &ad7616_write_os_sw; +- +- /* Activate Burst mode and SEQEN MODE */ +- return st->bops->write_mask(st, +- AD7616_CONFIGURATION_REGISTER, +- AD7616_BURST_MODE | AD7616_SEQEN_MODE, +- AD7616_BURST_MODE | AD7616_SEQEN_MODE); ++ return 0; + } + + static int ad7606B_sw_mode_config(struct iio_dev *indio_dev) + { + struct ad7606_state *st = iio_priv(indio_dev); +- DECLARE_BITMAP(os, 3); +- +- bitmap_fill(os, 3); +- /* +- * Software mode is enabled when all three oversampling +- * pins are set to high. If oversampling gpios are defined +- * in the device tree, then they need to be set to high, +- * otherwise, they must be hardwired to VDD +- */ +- if (st->gpio_os) { +- gpiod_set_array_value(st->gpio_os->ndescs, +- st->gpio_os->desc, st->gpio_os->info, os); +- } +- /* OS of 128 and 256 are available only in software mode */ +- st->oversampling_avail = ad7606B_oversampling_avail; +- st->num_os_ratios = ARRAY_SIZE(ad7606B_oversampling_avail); +- +- st->write_scale = ad7606_write_scale_sw; +- st->write_os = &ad7606_write_os_sw; + + /* Configure device spi to output on a single channel */ + st->bops->reg_write(st, +@@ -350,7 +218,6 @@ static const struct ad7606_bus_ops ad7616_spi_bops = { + .read_block = ad7606_spi_read_block, + .reg_read = ad7606_spi_reg_read, + .reg_write = ad7606_spi_reg_write, +- .write_mask = ad7606_spi_write_mask, + .rd_wr_cmd = ad7616_spi_rd_wr_cmd, + .sw_mode_config = ad7616_sw_mode_config, + }; +@@ -359,7 +226,6 @@ static const struct ad7606_bus_ops ad7606b_spi_bops = { + .read_block = ad7606_spi_read_block, + .reg_read = ad7606_spi_reg_read, + .reg_write = ad7606_spi_reg_write, +- .write_mask = ad7606_spi_write_mask, + .rd_wr_cmd = ad7606B_spi_rd_wr_cmd, + .sw_mode_config = ad7606B_sw_mode_config, + }; +@@ -368,7 +234,6 @@ static const struct ad7606_bus_ops ad7606c_18_spi_bops = { + .read_block = ad7606_spi_read_block18to32, + .reg_read = ad7606_spi_reg_read, + .reg_write = ad7606_spi_reg_write, +- .write_mask = ad7606_spi_write_mask, + .rd_wr_cmd = ad7606B_spi_rd_wr_cmd, + .sw_mode_config = ad7606c_18_sw_mode_config, + }; +-- +2.39.5 + diff --git a/queue-6.14/iio-adc-ad7606-move-the-software-mode-configuration.patch b/queue-6.14/iio-adc-ad7606-move-the-software-mode-configuration.patch new file mode 100644 index 0000000000..da3a1f4ae5 --- /dev/null +++ b/queue-6.14/iio-adc-ad7606-move-the-software-mode-configuration.patch @@ -0,0 +1,72 @@ +From 9108346a7d53c0f071352ed75484ef6826083dcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 17:10:52 +0100 +Subject: iio: adc: ad7606: move the software mode configuration + +From: Guillaume Stols + +[ Upstream commit f2a62931b39478c98f977caf299df5bc072f38e0 ] + +This is a preparation for the intoduction of the sofware functions in +the iio backend version of the driver. +The software mode configuration must be executed once the channels are +configured, and the number of channels is known. This is not the case +before iio-backend's configuration is called, and iio backend version of +the driver does not have a timestamp channel. +Also the sw_mode_config callback is configured during the iio-backend +configuration. +For clarity purpose, I moved the entire block instead of just the +concerned function calls. + +Signed-off-by: Guillaume Stols +Link: https://patch.msgid.link/20250210-wip-bl-ad7606_add_backend_sw_mode-v4-2-160df18b1da7@baylibre.com +Signed-off-by: Jonathan Cameron +Stable-dep-of: 5257d80e22bf ("iio: adc: ad7606: check for NULL before calling sw_mode_config()") +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7606.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c +index d39354afd5394..376c808df11c7 100644 +--- a/drivers/iio/adc/ad7606.c ++++ b/drivers/iio/adc/ad7606.c +@@ -1246,17 +1246,6 @@ int ad7606_probe(struct device *dev, int irq, void __iomem *base_address, + return -ERESTARTSYS; + } + +- st->write_scale = ad7606_write_scale_hw; +- st->write_os = ad7606_write_os_hw; +- +- ret = ad7606_sw_mode_setup(indio_dev); +- if (ret) +- return ret; +- +- ret = ad7606_chan_scales_setup(indio_dev); +- if (ret) +- return ret; +- + /* If convst pin is not defined, setup PWM. */ + if (!st->gpio_convst) { + st->cnvst_pwm = devm_pwm_get(dev, NULL); +@@ -1334,6 +1323,17 @@ int ad7606_probe(struct device *dev, int irq, void __iomem *base_address, + return ret; + } + ++ st->write_scale = ad7606_write_scale_hw; ++ st->write_os = ad7606_write_os_hw; ++ ++ ret = ad7606_sw_mode_setup(indio_dev); ++ if (ret) ++ return ret; ++ ++ ret = ad7606_chan_scales_setup(indio_dev); ++ if (ret) ++ return ret; ++ + return devm_iio_device_register(dev, indio_dev); + } + EXPORT_SYMBOL_NS_GPL(ad7606_probe, "IIO_AD7606"); +-- +2.39.5 + diff --git a/queue-6.14/io_uring-fdinfo-grab-ctx-uring_lock-around-io_uring_.patch b/queue-6.14/io_uring-fdinfo-grab-ctx-uring_lock-around-io_uring_.patch new file mode 100644 index 0000000000..4d520e51a4 --- /dev/null +++ b/queue-6.14/io_uring-fdinfo-grab-ctx-uring_lock-around-io_uring_.patch @@ -0,0 +1,143 @@ +From 1c5b6d142a199167c800ffe8854443d5b292db53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 15:02:23 -0600 +Subject: io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo() + +From: Jens Axboe + +[ Upstream commit d871198ee431d90f5308d53998c1ba1d5db5619a ] + +Not everything requires locking in there, which is why the 'has_lock' +variable exists. But enough does that it's a bit unwieldy to manage. +Wrap the whole thing in a ->uring_lock trylock, and just return +with no output if we fail to grab it. The existing trylock() will +already have greatly diminished utility/output for the failure case. + +This fixes an issue with reading the SQE fields, if the ring is being +actively resized at the same time. + +Reported-by: Jann Horn +Fixes: 79cfe9e59c2a ("io_uring/register: add IORING_REGISTER_RESIZE_RINGS") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/fdinfo.c | 48 ++++++++++++++++++++++++----------------------- + 1 file changed, 25 insertions(+), 23 deletions(-) + +diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c +index f60d0a9d505e2..336aec7ea8c29 100644 +--- a/io_uring/fdinfo.c ++++ b/io_uring/fdinfo.c +@@ -86,13 +86,8 @@ static inline void napi_show_fdinfo(struct io_ring_ctx *ctx, + } + #endif + +-/* +- * Caller holds a reference to the file already, we don't need to do +- * anything else to get an extra reference. +- */ +-__cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) ++static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) + { +- struct io_ring_ctx *ctx = file->private_data; + struct io_overflow_cqe *ocqe; + struct io_rings *r = ctx->rings; + struct rusage sq_usage; +@@ -106,7 +101,6 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) + unsigned int sq_entries, cq_entries; + int sq_pid = -1, sq_cpu = -1; + u64 sq_total_time = 0, sq_work_time = 0; +- bool has_lock; + unsigned int i; + + if (ctx->flags & IORING_SETUP_CQE32) +@@ -176,15 +170,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) + seq_printf(m, "\n"); + } + +- /* +- * Avoid ABBA deadlock between the seq lock and the io_uring mutex, +- * since fdinfo case grabs it in the opposite direction of normal use +- * cases. If we fail to get the lock, we just don't iterate any +- * structures that could be going away outside the io_uring mutex. +- */ +- has_lock = mutex_trylock(&ctx->uring_lock); +- +- if (has_lock && (ctx->flags & IORING_SETUP_SQPOLL)) { ++ if (ctx->flags & IORING_SETUP_SQPOLL) { + struct io_sq_data *sq = ctx->sq_data; + + /* +@@ -206,7 +192,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) + seq_printf(m, "SqTotalTime:\t%llu\n", sq_total_time); + seq_printf(m, "SqWorkTime:\t%llu\n", sq_work_time); + seq_printf(m, "UserFiles:\t%u\n", ctx->file_table.data.nr); +- for (i = 0; has_lock && i < ctx->file_table.data.nr; i++) { ++ for (i = 0; i < ctx->file_table.data.nr; i++) { + struct file *f = NULL; + + if (ctx->file_table.data.nodes[i]) +@@ -218,7 +204,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) + } + } + seq_printf(m, "UserBufs:\t%u\n", ctx->buf_table.nr); +- for (i = 0; has_lock && i < ctx->buf_table.nr; i++) { ++ for (i = 0; i < ctx->buf_table.nr; i++) { + struct io_mapped_ubuf *buf = NULL; + + if (ctx->buf_table.nodes[i]) +@@ -228,7 +214,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) + else + seq_printf(m, "%5u: \n", i); + } +- if (has_lock && !xa_empty(&ctx->personalities)) { ++ if (!xa_empty(&ctx->personalities)) { + unsigned long index; + const struct cred *cred; + +@@ -238,7 +224,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) + } + + seq_puts(m, "PollList:\n"); +- for (i = 0; has_lock && i < (1U << ctx->cancel_table.hash_bits); i++) { ++ for (i = 0; i < (1U << ctx->cancel_table.hash_bits); i++) { + struct io_hash_bucket *hb = &ctx->cancel_table.hbs[i]; + struct io_kiocb *req; + +@@ -247,9 +233,6 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) + task_work_pending(req->tctx->task)); + } + +- if (has_lock) +- mutex_unlock(&ctx->uring_lock); +- + seq_puts(m, "CqOverflowList:\n"); + spin_lock(&ctx->completion_lock); + list_for_each_entry(ocqe, &ctx->cq_overflow_list, list) { +@@ -262,4 +245,23 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) + spin_unlock(&ctx->completion_lock); + napi_show_fdinfo(ctx, m); + } ++ ++/* ++ * Caller holds a reference to the file already, we don't need to do ++ * anything else to get an extra reference. ++ */ ++__cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file) ++{ ++ struct io_ring_ctx *ctx = file->private_data; ++ ++ /* ++ * Avoid ABBA deadlock between the seq lock and the io_uring mutex, ++ * since fdinfo case grabs it in the opposite direction of normal use ++ * cases. ++ */ ++ if (mutex_trylock(&ctx->uring_lock)) { ++ __io_uring_show_fdinfo(ctx, m); ++ mutex_unlock(&ctx->uring_lock); ++ } ++} + #endif +-- +2.39.5 + diff --git a/queue-6.14/mlxsw-spectrum_router-fix-use-after-free-when-deleti.patch b/queue-6.14/mlxsw-spectrum_router-fix-use-after-free-when-deleti.patch new file mode 100644 index 0000000000..531d8c5aef --- /dev/null +++ b/queue-6.14/mlxsw-spectrum_router-fix-use-after-free-when-deleti.patch @@ -0,0 +1,100 @@ +From 06d116a800a15a514e794d1122921e7145039600 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 14:48:05 +0200 +Subject: mlxsw: spectrum_router: Fix use-after-free when deleting GRE net + devices + +From: Ido Schimmel + +[ Upstream commit 92ec4855034b2c4d13f117558dc73d20581fa9ff ] + +The driver only offloads neighbors that are constructed on top of net +devices registered by it or their uppers (which are all Ethernet). The +device supports GRE encapsulation and decapsulation of forwarded +traffic, but the driver will not offload dummy neighbors constructed on +top of GRE net devices as they are not uppers of its net devices: + + # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1 + # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1 + $ ip neigh show dev gre1 nud noarp + 0.0.0.0 lladdr 0.0.0.0 NOARP + +(Note that the neighbor is not marked with 'offload') + +When the driver is reloaded and the existing configuration is replayed, +the driver does not perform the same check regarding existing neighbors +and offloads the previously added one: + + # devlink dev reload pci/0000:01:00.0 + $ ip neigh show dev gre1 nud noarp + 0.0.0.0 lladdr 0.0.0.0 offload NOARP + +If the neighbor is later deleted, the driver will ignore the +notification (given the GRE net device is not its upper) and will +therefore keep referencing freed memory, resulting in a use-after-free +[1] when the net device is deleted: + + # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1 + # ip link del dev gre1 + +Fix by skipping neighbor replay if the net device for which the replay +is performed is not our upper. + +[1] +BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200 +Read of size 8 at addr ffff888155b0e420 by task ip/2282 +[...] +Call Trace: + + dump_stack_lvl+0x6f/0xa0 + print_address_description.constprop.0+0x6f/0x350 + print_report+0x108/0x205 + kasan_report+0xdf/0x110 + mlxsw_sp_neigh_entry_update+0x1ea/0x200 + mlxsw_sp_router_rif_gone_sync+0x2a8/0x440 + mlxsw_sp_rif_destroy+0x1e9/0x750 + mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0 + mlxsw_sp_router_netdevice_event+0x3ac/0x15e0 + notifier_call_chain+0xca/0x150 + call_netdevice_notifiers_info+0x7f/0x100 + unregister_netdevice_many_notify+0xc8c/0x1d90 + rtnl_dellink+0x34e/0xa50 + rtnetlink_rcv_msg+0x6fb/0xb70 + netlink_rcv_skb+0x131/0x360 + netlink_unicast+0x426/0x710 + netlink_sendmsg+0x75a/0xc20 + __sock_sendmsg+0xc1/0x150 + ____sys_sendmsg+0x5aa/0x7b0 + ___sys_sendmsg+0xfc/0x180 + __sys_sendmsg+0x121/0x1b0 + do_syscall_64+0xbb/0x1d0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: 8fdb09a7674c ("mlxsw: spectrum_router: Replay neighbours when RIF is made") +Signed-off-by: Ido Schimmel +Reviewed-by: Petr Machata +Signed-off-by: Petr Machata +Link: https://patch.msgid.link/c53c02c904fde32dad484657be3b1477884e9ad6.1747225701.git.petrm@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +index 7d6d859cef3f9..511cd92e0e3e7 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c +@@ -3014,6 +3014,9 @@ static int mlxsw_sp_neigh_rif_made_sync(struct mlxsw_sp *mlxsw_sp, + .rif = rif, + }; + ++ if (!mlxsw_sp_dev_lower_is_port(mlxsw_sp_rif_dev(rif))) ++ return 0; ++ + neigh_for_each(&arp_tbl, mlxsw_sp_neigh_rif_made_sync_each, &rms); + if (rms.err) + goto err_arp; +-- +2.39.5 + diff --git a/queue-6.14/net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch b/queue-6.14/net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch new file mode 100644 index 0000000000..d4f5df3a46 --- /dev/null +++ b/queue-6.14/net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch @@ -0,0 +1,64 @@ +From 5be1ed2aef1f735c5efdf86aa476a4c0f83bde89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 14:19:35 +0200 +Subject: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. + +From: Mathieu Othacehe + +[ Upstream commit c92d6089d8ad7d4d815ebcedee3f3907b539ff1f ] + +There is a situation where after THALT is set high, TGO stays high as +well. Because jiffies are never updated, as we are in a context with +interrupts disabled, we never exit that loop and have a deadlock. + +That deadlock was noticed on a sama5d4 device that stayed locked for days. + +Use retries instead of jiffies so that the timeout really works and we do +not have a deadlock anymore. + +Fixes: e86cd53afc590 ("net/macb: better manage tx errors") +Signed-off-by: Mathieu Othacehe +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250509121935.16282-1-othacehe@gnu.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index c1f57d96e63fc..e3cc26472c2f1 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1002,22 +1002,15 @@ static void macb_update_stats(struct macb *bp) + + static int macb_halt_tx(struct macb *bp) + { +- unsigned long halt_time, timeout; +- u32 status; ++ u32 status; + + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(THALT)); + +- timeout = jiffies + usecs_to_jiffies(MACB_HALT_TIMEOUT); +- do { +- halt_time = jiffies; +- status = macb_readl(bp, TSR); +- if (!(status & MACB_BIT(TGO))) +- return 0; +- +- udelay(250); +- } while (time_before(halt_time, timeout)); +- +- return -ETIMEDOUT; ++ /* Poll TSR until TGO is cleared or timeout. */ ++ return read_poll_timeout_atomic(macb_readl, status, ++ !(status & MACB_BIT(TGO)), ++ 250, MACB_HALT_TIMEOUT, false, ++ bp, TSR); + } + + static void macb_tx_unmap(struct macb *bp, struct macb_tx_skb *tx_skb, int budget) +-- +2.39.5 + diff --git a/queue-6.14/net-dsa-b53-prevent-standalone-from-trying-to-forwar.patch b/queue-6.14/net-dsa-b53-prevent-standalone-from-trying-to-forwar.patch new file mode 100644 index 0000000000..add1a70a8a --- /dev/null +++ b/queue-6.14/net-dsa-b53-prevent-standalone-from-trying-to-forwar.patch @@ -0,0 +1,139 @@ +From 3f2da42f6659efaba8f07c8f77e3170fbd956beb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 11:14:24 +0200 +Subject: net: dsa: b53: prevent standalone from trying to forward to other + ports + +From: Jonas Gorski + +[ Upstream commit 4227ea91e2657f7965e34313448e9d0a2b67712e ] + +When bridged ports and standalone ports share a VLAN, e.g. via VLAN +uppers, or untagged traffic with a vlan unaware bridge, the ASIC will +still try to forward traffic to known FDB entries on standalone ports. +But since the port VLAN masks prevent forwarding to bridged ports, this +traffic will be dropped. + +This e.g. can be observed in the bridge_vlan_unaware ping tests, where +this breaks pinging with learning on. + +Work around this by enabling the simplified EAP mode on switches +supporting it for standalone ports, which causes the ASIC to redirect +traffic of unknown source MAC addresses to the CPU port. + +Since standalone ports do not learn, there are no known source MAC +addresses, so effectively this redirects all incoming traffic to the CPU +port. + +Fixes: ff39c2d68679 ("net: dsa: b53: Add bridge support") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20250508091424.26870-1-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 33 ++++++++++++++++++++++++++++++++ + drivers/net/dsa/b53/b53_regs.h | 14 ++++++++++++++ + 2 files changed, 47 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index e3b5b450ee932..10484d19eaac5 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -326,6 +326,26 @@ static void b53_get_vlan_entry(struct b53_device *dev, u16 vid, + } + } + ++static void b53_set_eap_mode(struct b53_device *dev, int port, int mode) ++{ ++ u64 eap_conf; ++ ++ if (is5325(dev) || is5365(dev) || dev->chip_id == BCM5389_DEVICE_ID) ++ return; ++ ++ b53_read64(dev, B53_EAP_PAGE, B53_PORT_EAP_CONF(port), &eap_conf); ++ ++ if (is63xx(dev)) { ++ eap_conf &= ~EAP_MODE_MASK_63XX; ++ eap_conf |= (u64)mode << EAP_MODE_SHIFT_63XX; ++ } else { ++ eap_conf &= ~EAP_MODE_MASK; ++ eap_conf |= (u64)mode << EAP_MODE_SHIFT; ++ } ++ ++ b53_write64(dev, B53_EAP_PAGE, B53_PORT_EAP_CONF(port), eap_conf); ++} ++ + static void b53_set_forwarding(struct b53_device *dev, int enable) + { + u8 mgmt; +@@ -586,6 +606,13 @@ int b53_setup_port(struct dsa_switch *ds, int port) + b53_port_set_mcast_flood(dev, port, true); + b53_port_set_learning(dev, port, false); + ++ /* Force all traffic to go to the CPU port to prevent the ASIC from ++ * trying to forward to bridged ports on matching FDB entries, then ++ * dropping frames because it isn't allowed to forward there. ++ */ ++ if (dsa_is_user_port(ds, port)) ++ b53_set_eap_mode(dev, port, EAP_MODE_SIMPLIFIED); ++ + return 0; + } + EXPORT_SYMBOL(b53_setup_port); +@@ -2042,6 +2069,9 @@ int b53_br_join(struct dsa_switch *ds, int port, struct dsa_bridge bridge, + pvlan |= BIT(i); + } + ++ /* Disable redirection of unknown SA to the CPU port */ ++ b53_set_eap_mode(dev, port, EAP_MODE_BASIC); ++ + /* Configure the local port VLAN control membership to include + * remote ports and update the local port bitmask + */ +@@ -2077,6 +2107,9 @@ void b53_br_leave(struct dsa_switch *ds, int port, struct dsa_bridge bridge) + pvlan &= ~BIT(i); + } + ++ /* Enable redirection of unknown SA to the CPU port */ ++ b53_set_eap_mode(dev, port, EAP_MODE_SIMPLIFIED); ++ + b53_write16(dev, B53_PVLAN_PAGE, B53_PVLAN_PORT_MASK(port), pvlan); + dev->ports[port].vlan_ctl_mask = pvlan; + +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index bfbcb66bef662..5f7a0e5c5709d 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -50,6 +50,9 @@ + /* Jumbo Frame Registers */ + #define B53_JUMBO_PAGE 0x40 + ++/* EAP Registers */ ++#define B53_EAP_PAGE 0x42 ++ + /* EEE Control Registers Page */ + #define B53_EEE_PAGE 0x92 + +@@ -480,6 +483,17 @@ + #define JMS_MIN_SIZE 1518 + #define JMS_MAX_SIZE 9724 + ++/************************************************************************* ++ * EAP Page Registers ++ *************************************************************************/ ++#define B53_PORT_EAP_CONF(i) (0x20 + 8 * (i)) ++#define EAP_MODE_SHIFT 51 ++#define EAP_MODE_SHIFT_63XX 50 ++#define EAP_MODE_MASK (0x3ull << EAP_MODE_SHIFT) ++#define EAP_MODE_MASK_63XX (0x3ull << EAP_MODE_SHIFT_63XX) ++#define EAP_MODE_BASIC 0 ++#define EAP_MODE_SIMPLIFIED 3 ++ + /************************************************************************* + * EEE Configuration Page Registers + *************************************************************************/ +-- +2.39.5 + diff --git a/queue-6.14/net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch b/queue-6.14/net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch new file mode 100644 index 0000000000..a0d1fd2616 --- /dev/null +++ b/queue-6.14/net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch @@ -0,0 +1,92 @@ +From f85653e0af7a5d0308b919dab4423215ef494a2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 14:38:16 +0300 +Subject: net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING + +From: Vladimir Oltean + +[ Upstream commit 498625a8ab2c8e1c9ab5105744310e8d6952cc01 ] + +It has been reported that when under a bridge with stp_state=1, the logs +get spammed with this message: + +[ 251.734607] fsl_dpaa2_eth dpni.5 eth0: Couldn't decode source port + +Further debugging shows the following info associated with packets: +source_port=-1, switch_id=-1, vid=-1, vbid=1 + +In other words, they are data plane packets which are supposed to be +decoded by dsa_tag_8021q_find_port_by_vbid(), but the latter (correctly) +refuses to do so, because no switch port is currently in +BR_STATE_LEARNING or BR_STATE_FORWARDING - so the packet is effectively +unexpected. + +The error goes away after the port progresses to BR_STATE_LEARNING in 15 +seconds (the default forward_time of the bridge), because then, +dsa_tag_8021q_find_port_by_vbid() can correctly associate the data plane +packets with a plausible bridge port in a plausible STP state. + +Re-reading IEEE 802.1D-1990, I see the following: + +"4.4.2 Learning: (...) The Forwarding Process shall discard received +frames." + +IEEE 802.1D-2004 further clarifies: + +"DISABLED, BLOCKING, LISTENING, and BROKEN all correspond to the +DISCARDING port state. While those dot1dStpPortStates serve to +distinguish reasons for discarding frames, the operation of the +Forwarding and Learning processes is the same for all of them. (...) +LISTENING represents a port that the spanning tree algorithm has +selected to be part of the active topology (computing a Root Port or +Designated Port role) but is temporarily discarding frames to guard +against loops or incorrect learning." + +Well, this is not what the driver does - instead it sets +mac[port].ingress = true. + +To get rid of the log spam, prevent unexpected data plane packets to +be received by software by discarding them on ingress in the LISTENING +state. + +In terms of blame attribution: the prints only date back to commit +d7f9787a763f ("net: dsa: tag_8021q: add support for imprecise RX based +on the VBID"). However, the settings would permit a LISTENING port to +forward to a FORWARDING port, and the standard suggests that's not OK. + +Fixes: 640f763f98c2 ("net: dsa: sja1105: Add support for Spanning Tree Protocol") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20250509113816.2221992-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index f8454f3b6f9c5..f674c400f05b2 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -2081,6 +2081,7 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port, + switch (state) { + case BR_STATE_DISABLED: + case BR_STATE_BLOCKING: ++ case BR_STATE_LISTENING: + /* From UM10944 description of DRPDTAG (why put this there?): + * "Management traffic flows to the port regardless of the state + * of the INGRESS flag". So BPDUs are still be allowed to pass. +@@ -2090,11 +2091,6 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port, + mac[port].egress = false; + mac[port].dyn_learn = false; + break; +- case BR_STATE_LISTENING: +- mac[port].ingress = true; +- mac[port].egress = false; +- mac[port].dyn_learn = false; +- break; + case BR_STATE_LEARNING: + mac[port].ingress = true; + mac[port].egress = false; +-- +2.39.5 + diff --git a/queue-6.14/net-ethernet-mtk_eth_soc-fix-typo-for-declaration-mt.patch b/queue-6.14/net-ethernet-mtk_eth_soc-fix-typo-for-declaration-mt.patch new file mode 100644 index 0000000000..9ce713d76b --- /dev/null +++ b/queue-6.14/net-ethernet-mtk_eth_soc-fix-typo-for-declaration-mt.patch @@ -0,0 +1,41 @@ +From 89ba0eedee3abc70b43522df361c8fbd91f01d74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 05:27:30 +0100 +Subject: net: ethernet: mtk_eth_soc: fix typo for declaration MT7988 ESW + capability + +From: Bo-Cun Chen + +[ Upstream commit 1bdea6fad6fb985ff13828373c48e337c4e939f9 ] + +Since MTK_ESW_BIT is a bit number rather than a bitmap, it causes +MTK_HAS_CAPS to produce incorrect results. This leads to the ETH +driver not declaring MAC capabilities correctly for the MT7988 ESW. + +Fixes: 445eb6448ed3 ("net: ethernet: mtk_eth_soc: add basic support for MT7988 SoC") +Signed-off-by: Bo-Cun Chen +Signed-off-by: Daniel Golle +Reviewed-by: Michal Swiatkowski +Link: https://patch.msgid.link/b8b37f409d1280fad9c4d32521e6207f63cd3213.1747110258.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 341def2bf1d35..22a8b909dd80b 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -4683,7 +4683,7 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np) + } + + if (mtk_is_netsys_v3_or_greater(mac->hw) && +- MTK_HAS_CAPS(mac->hw->soc->caps, MTK_ESW_BIT) && ++ MTK_HAS_CAPS(mac->hw->soc->caps, MTK_ESW) && + id == MTK_GMAC1_ID) { + mac->phylink_config.mac_capabilities = MAC_ASYM_PAUSE | + MAC_SYM_PAUSE | +-- +2.39.5 + diff --git a/queue-6.14/net-mctp-don-t-access-ifa_index-when-missing.patch b/queue-6.14/net-mctp-don-t-access-ifa_index-when-missing.patch new file mode 100644 index 0000000000..9fbcc9bfc9 --- /dev/null +++ b/queue-6.14/net-mctp-don-t-access-ifa_index-when-missing.patch @@ -0,0 +1,68 @@ +From 1775f1270f5469b5661ae360949f3118bb2e5cfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 13:18:32 +0800 +Subject: net: mctp: Don't access ifa_index when missing + +From: Matt Johnston + +[ Upstream commit f11cf946c0a92c560a890d68e4775723353599e1 ] + +In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but +only when the struct ifaddrmsg is provided. Otherwise it will be +comparing to uninitialised memory - reproducible in the syzkaller case from +dhcpd, or busybox "ip addr show". + +The kernel MCTP implementation has always filtered by ifa_index, so +existing userspace programs expecting to dump MCTP addresses must +already be passing a valid ifa_index value (either 0 or a real index). + +BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 + mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128 + rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380 + rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824 + netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309 + +Fixes: 583be982d934 ("mctp: Add device handling and netlink interface") +Reported-by: syzbot+e76d52dadc089b9d197f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68135815.050a0220.3a872c.000e.GAE@google.com/ +Reported-by: syzbot+1065a199625a388fce60@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/681357d6.050a0220.14dd7d.000d.GAE@google.com/ +Signed-off-by: Matt Johnston +Link: https://patch.msgid.link/20250508-mctp-addr-dump-v2-1-c8a53fd2dd66@codeconstruct.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mctp/device.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/net/mctp/device.c b/net/mctp/device.c +index 8e0724c56723d..7c0dcf3df3196 100644 +--- a/net/mctp/device.c ++++ b/net/mctp/device.c +@@ -117,11 +117,18 @@ static int mctp_dump_addrinfo(struct sk_buff *skb, struct netlink_callback *cb) + struct net_device *dev; + struct ifaddrmsg *hdr; + struct mctp_dev *mdev; +- int ifindex, rc; +- +- hdr = nlmsg_data(cb->nlh); +- // filter by ifindex if requested +- ifindex = hdr->ifa_index; ++ int ifindex = 0, rc; ++ ++ /* Filter by ifindex if a header is provided */ ++ if (cb->nlh->nlmsg_len >= nlmsg_msg_size(sizeof(*hdr))) { ++ hdr = nlmsg_data(cb->nlh); ++ ifindex = hdr->ifa_index; ++ } else { ++ if (cb->strict_check) { ++ NL_SET_ERR_MSG(cb->extack, "mctp: Invalid header for addr dump request"); ++ return -EINVAL; ++ } ++ } + + rcu_read_lock(); + for_each_netdev_dump(net, dev, mcb->ifindex) { +-- +2.39.5 + diff --git a/queue-6.14/net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch b/queue-6.14/net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch new file mode 100644 index 0000000000..4561583284 --- /dev/null +++ b/queue-6.14/net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch @@ -0,0 +1,57 @@ +From d4643ffa764ff5efd5987ab135df30a8f51d7799 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 14:16:00 +0930 +Subject: net: mctp: Ensure keys maintain only one ref to corresponding dev + +From: Andrew Jeffery + +[ Upstream commit e4f349bd6e58051df698b82f94721f18a02a293d ] + +mctp_flow_prepare_output() is called in mctp_route_output(), which +places outbound packets onto a given interface. The packet may represent +a message fragment, in which case we provoke an unbalanced reference +count to the underlying device. This causes trouble if we ever attempt +to remove the interface: + + [ 48.702195] usb 1-1: USB disconnect, device number 2 + [ 58.883056] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2 + [ 69.022548] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2 + [ 79.172568] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2 + ... + +Predicate the invocation of mctp_dev_set_key() in +mctp_flow_prepare_output() on not already having associated the device +with the key. It's not yet realistic to uphold the property that the key +maintains only one device reference earlier in the transmission sequence +as the route (and therefore the device) may not be known at the time the +key is associated with the socket. + +Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers") +Acked-by: Jeremy Kerr +Signed-off-by: Andrew Jeffery +Link: https://patch.msgid.link/20250508-mctp-dev-refcount-v1-1-d4f965c67bb5@codeconstruct.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 4c460160914f0..d9c8e5a5f9ce9 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -313,8 +313,10 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + + key = flow->key; + +- if (WARN_ON(key->dev && key->dev != dev)) ++ if (key->dev) { ++ WARN_ON(key->dev != dev); + return; ++ } + + mctp_dev_set_key(dev, key); + } +-- +2.39.5 + diff --git a/queue-6.14/net-mlx5e-disable-macsec-offload-for-uplink-represen.patch b/queue-6.14/net-mlx5e-disable-macsec-offload-for-uplink-represen.patch new file mode 100644 index 0000000000..27621eeb10 --- /dev/null +++ b/queue-6.14/net-mlx5e-disable-macsec-offload-for-uplink-represen.patch @@ -0,0 +1,156 @@ +From 556b743b2ac302cd866a5a17730355db82047306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 May 2025 13:15:52 +0300 +Subject: net/mlx5e: Disable MACsec offload for uplink representor profile + +From: Carolina Jubran + +[ Upstream commit 588431474eb7572e57a927fa8558c9ba2f8af143 ] + +MACsec offload is not supported in switchdev mode for uplink +representors. When switching to the uplink representor profile, the +MACsec offload feature must be cleared from the netdevice's features. + +If left enabled, attempts to add offloads result in a null pointer +dereference, as the uplink representor does not support MACsec offload +even though the feature bit remains set. + +Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features(). + +Kernel log: + +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] +CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:__mutex_lock+0x128/0x1dd0 +Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff +RSP: 0018:ffff888147a4f160 EFLAGS: 00010206 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001 +RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078 +RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 +R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000 +FS: 00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +Call Trace: + + ? die_addr+0x3d/0xa0 + ? exc_general_protection+0x144/0x220 + ? asm_exc_general_protection+0x22/0x30 + ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] + ? __mutex_lock+0x128/0x1dd0 + ? lockdep_set_lock_cmp_fn+0x190/0x190 + ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] + ? mutex_lock_io_nested+0x1ae0/0x1ae0 + ? lock_acquire+0x1c2/0x530 + ? macsec_upd_offload+0x145/0x380 + ? lockdep_hardirqs_on_prepare+0x400/0x400 + ? kasan_save_stack+0x30/0x40 + ? kasan_save_stack+0x20/0x40 + ? kasan_save_track+0x10/0x30 + ? __kasan_kmalloc+0x77/0x90 + ? __kmalloc_noprof+0x249/0x6b0 + ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240 + ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] + mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core] + ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core] + macsec_update_offload+0x26c/0x820 + ? macsec_set_mac_address+0x4b0/0x4b0 + ? lockdep_hardirqs_on_prepare+0x284/0x400 + ? _raw_spin_unlock_irqrestore+0x47/0x50 + macsec_upd_offload+0x2c8/0x380 + ? macsec_update_offload+0x820/0x820 + ? __nla_parse+0x22/0x30 + ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240 + genl_family_rcv_msg_doit+0x1cc/0x2a0 + ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240 + ? cap_capable+0xd4/0x330 + genl_rcv_msg+0x3ea/0x670 + ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 + ? lockdep_set_lock_cmp_fn+0x190/0x190 + ? macsec_update_offload+0x820/0x820 + netlink_rcv_skb+0x12b/0x390 + ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0 + ? netlink_ack+0xd80/0xd80 + ? rwsem_down_read_slowpath+0xf90/0xf90 + ? netlink_deliver_tap+0xcd/0xac0 + ? netlink_deliver_tap+0x155/0xac0 + ? _copy_from_iter+0x1bb/0x12c0 + genl_rcv+0x24/0x40 + netlink_unicast+0x440/0x700 + ? netlink_attachskb+0x760/0x760 + ? lock_acquire+0x1c2/0x530 + ? __might_fault+0xbb/0x170 + netlink_sendmsg+0x749/0xc10 + ? netlink_unicast+0x700/0x700 + ? __might_fault+0xbb/0x170 + ? netlink_unicast+0x700/0x700 + __sock_sendmsg+0xc5/0x190 + ____sys_sendmsg+0x53f/0x760 + ? import_iovec+0x7/0x10 + ? kernel_sendmsg+0x30/0x30 + ? __copy_msghdr+0x3c0/0x3c0 + ? filter_irq_stacks+0x90/0x90 + ? stack_depot_save_flags+0x28/0xa30 + ___sys_sendmsg+0xeb/0x170 + ? kasan_save_stack+0x30/0x40 + ? copy_msghdr_from_user+0x110/0x110 + ? do_syscall_64+0x6d/0x140 + ? lock_acquire+0x1c2/0x530 + ? __virt_addr_valid+0x116/0x3b0 + ? __virt_addr_valid+0x1da/0x3b0 + ? lock_downgrade+0x680/0x680 + ? __delete_object+0x21/0x50 + __sys_sendmsg+0xf7/0x180 + ? __sys_sendmsg_sock+0x20/0x20 + ? kmem_cache_free+0x14c/0x4e0 + ? __x64_sys_close+0x78/0xd0 + do_syscall_64+0x6d/0x140 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 +RIP: 0033:0x7f855e113367 +Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 +RSP: 002b:00007ffd15e90c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f855e113367 +RDX: 0000000000000000 RSI: 00007ffd15e90cf0 RDI: 0000000000000004 +RBP: 00007ffd15e90dbc R08: 0000000000000028 R09: 000000000045d100 +R10: 00007f855e011dd8 R11: 0000000000000246 R12: 0000000000000019 +R13: 0000000067c6b785 R14: 00000000004a1e80 R15: 0000000000000000 + +Modules linked in: 8021q garp mrp sch_ingress openvswitch nsh mlx5_ib mlx5_fwctl mlx5_dpll mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: mlx5_core] +---[ end trace 0000000000000000 ]--- + +Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support") +Signed-off-by: Carolina Jubran +Reviewed-by: Shahar Shitrit +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1746958552-561295-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 8fcaee381b0e0..01f6a60308cb7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4373,6 +4373,10 @@ static netdev_features_t mlx5e_fix_uplink_rep_features(struct net_device *netdev + if (netdev->features & NETIF_F_HW_VLAN_CTAG_FILTER) + netdev_warn(netdev, "Disabling HW_VLAN CTAG FILTERING, not supported in switchdev mode\n"); + ++ features &= ~NETIF_F_HW_MACSEC; ++ if (netdev->features & NETIF_F_HW_MACSEC) ++ netdev_warn(netdev, "Disabling HW MACsec offload, not supported in switchdev mode\n"); ++ + return features; + } + +-- +2.39.5 + diff --git a/queue-6.14/net-tls-fix-kernel-panic-when-alloc_page-failed.patch b/queue-6.14/net-tls-fix-kernel-panic-when-alloc_page-failed.patch new file mode 100644 index 0000000000..4b2a453687 --- /dev/null +++ b/queue-6.14/net-tls-fix-kernel-panic-when-alloc_page-failed.patch @@ -0,0 +1,61 @@ +From 763faf8ee113383dae581d71201d6852d0555e3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:20:13 +0800 +Subject: net/tls: fix kernel panic when alloc_page failed + +From: Pengtao He + +[ Upstream commit 491deb9b8c4ad12fe51d554a69b8165b9ef9429f ] + +We cannot set frag_list to NULL pointer when alloc_page failed. +It will be used in tls_strp_check_queue_ok when the next time +tls_strp_read_sock is called. + +This is because we don't reset full_len in tls_strp_flush_anchor_copy() +so the recv path will try to continue handling the partial record +on the next call but we dettached the rcvq from the frag list. +Alternative fix would be to reset full_len. + +Unable to handle kernel NULL pointer dereference +at virtual address 0000000000000028 + Call trace: + tls_strp_check_rcv+0x128/0x27c + tls_strp_data_ready+0x34/0x44 + tls_data_ready+0x3c/0x1f0 + tcp_data_ready+0x9c/0xe4 + tcp_data_queue+0xf6c/0x12d0 + tcp_rcv_established+0x52c/0x798 + +Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser") +Signed-off-by: Pengtao He +Link: https://patch.msgid.link/20250514132013.17274-1-hept.hept.hept@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tls/tls_strp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c +index 77e33e1e340e3..65b0da6fdf6a7 100644 +--- a/net/tls/tls_strp.c ++++ b/net/tls/tls_strp.c +@@ -396,7 +396,6 @@ static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort) + return 0; + + shinfo = skb_shinfo(strp->anchor); +- shinfo->frag_list = NULL; + + /* If we don't know the length go max plus page for cipher overhead */ + need_spc = strp->stm.full_len ?: TLS_MAX_PAYLOAD_SIZE + PAGE_SIZE; +@@ -412,6 +411,8 @@ static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort) + page, 0, 0); + } + ++ shinfo->frag_list = NULL; ++ + strp->copy_mode = 1; + strp->stm.offset = 0; + +-- +2.39.5 + diff --git a/queue-6.14/net_sched-flush-gso_skb-list-too-during-change.patch b/queue-6.14/net_sched-flush-gso_skb-list-too-during-change.patch new file mode 100644 index 0000000000..1fcbbfbc06 --- /dev/null +++ b/queue-6.14/net_sched-flush-gso_skb-list-too-during-change.patch @@ -0,0 +1,147 @@ +From 536f8b517251651c6267821a6c8e9dc6bb736821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 21:35:58 -0700 +Subject: net_sched: Flush gso_skb list too during ->change() + +From: Cong Wang + +[ Upstream commit 2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8 ] + +Previously, when reducing a qdisc's limit via the ->change() operation, only +the main skb queue was trimmed, potentially leaving packets in the gso_skb +list. This could result in NULL pointer dereference when we only check +sch->limit against sch->q.qlen. + +This patch introduces a new helper, qdisc_dequeue_internal(), which ensures +both the gso_skb list and the main queue are properly flushed when trimming +excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) +are updated to use this helper in their ->change() routines. + +Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM") +Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM") +Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler") +Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") +Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc") +Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme") +Reported-by: Will +Reported-by: Savy +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 15 +++++++++++++++ + net/sched/sch_codel.c | 2 +- + net/sched/sch_fq.c | 2 +- + net/sched/sch_fq_codel.c | 2 +- + net/sched/sch_fq_pie.c | 2 +- + net/sched/sch_hhf.c | 2 +- + net/sched/sch_pie.c | 2 +- + 7 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index d48c657191cd0..1c05fed05f2bc 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -1031,6 +1031,21 @@ static inline struct sk_buff *__qdisc_dequeue_head(struct qdisc_skb_head *qh) + return skb; + } + ++static inline struct sk_buff *qdisc_dequeue_internal(struct Qdisc *sch, bool direct) ++{ ++ struct sk_buff *skb; ++ ++ skb = __skb_dequeue(&sch->gso_skb); ++ if (skb) { ++ sch->q.qlen--; ++ return skb; ++ } ++ if (direct) ++ return __qdisc_dequeue_head(&sch->q); ++ else ++ return sch->dequeue(sch); ++} ++ + static inline struct sk_buff *qdisc_dequeue_head(struct Qdisc *sch) + { + struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); +diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c +index 12dd71139da39..c93761040c6e7 100644 +--- a/net/sched/sch_codel.c ++++ b/net/sched/sch_codel.c +@@ -144,7 +144,7 @@ static int codel_change(struct Qdisc *sch, struct nlattr *opt, + + qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + + dropped += qdisc_pkt_len(skb); + qdisc_qstats_backlog_dec(sch, skb); +diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c +index 2ca5332cfcc5c..902ff54706072 100644 +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -1136,7 +1136,7 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt, + sch_tree_lock(sch); + } + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = fq_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + if (!skb) + break; +diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c +index 6c9029f71e88d..2a0f3a513bfaa 100644 +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -441,7 +441,7 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + + while (sch->q.qlen > sch->limit || + q->memory_usage > q->memory_limit) { +- struct sk_buff *skb = fq_codel_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + q->cstats.drop_len += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); +diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c +index 93c36afbf5762..67f437c170582 100644 +--- a/net/sched/sch_fq_pie.c ++++ b/net/sched/sch_fq_pie.c +@@ -366,7 +366,7 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt, + + /* Drop excess packets if new limit is lower */ + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = fq_pie_qdisc_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + len_dropped += qdisc_pkt_len(skb); + num_dropped += 1; +diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c +index 44d9efe1a96a8..5aa434b467073 100644 +--- a/net/sched/sch_hhf.c ++++ b/net/sched/sch_hhf.c +@@ -564,7 +564,7 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt, + qlen = sch->q.qlen; + prev_backlog = sch->qstats.backlog; + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = hhf_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + rtnl_kfree_skbs(skb, skb); + } +diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c +index bb1fa9aa530b2..97f71b6dbf5b5 100644 +--- a/net/sched/sch_pie.c ++++ b/net/sched/sch_pie.c +@@ -195,7 +195,7 @@ static int pie_change(struct Qdisc *sch, struct nlattr *opt, + /* Drop excess packets if new limit is lower */ + qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + + dropped += qdisc_pkt_len(skb); + qdisc_qstats_backlog_dec(sch, skb); +-- +2.39.5 + diff --git a/queue-6.14/netlink-specs-tc-all-actions-are-indexed-arrays.patch b/queue-6.14/netlink-specs-tc-all-actions-are-indexed-arrays.patch new file mode 100644 index 0000000000..176a249705 --- /dev/null +++ b/queue-6.14/netlink-specs-tc-all-actions-are-indexed-arrays.patch @@ -0,0 +1,48 @@ +From 16f2166ce1a5f15f613f1a243d614011e9d65360 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 15:16:38 -0700 +Subject: netlink: specs: tc: all actions are indexed arrays + +From: Jakub Kicinski + +[ Upstream commit f3dd5fb2fa494dcbdb10f8d27f2deac8ef61a2fc ] + +Some TC filters have actions listed as indexed arrays of nests +and some as just nests. They are all indexed arrays, the handling +is common across filters. + +Fixes: 2267672a6190 ("doc/netlink/specs: Update the tc spec") +Link: https://patch.msgid.link/20250513221638.842532-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/tc.yaml | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/Documentation/netlink/specs/tc.yaml b/Documentation/netlink/specs/tc.yaml +index 5e1ff04f51f26..953aa837958b3 100644 +--- a/Documentation/netlink/specs/tc.yaml ++++ b/Documentation/netlink/specs/tc.yaml +@@ -2017,7 +2017,8 @@ attribute-sets: + attributes: + - + name: act +- type: nest ++ type: indexed-array ++ sub-type: nest + nested-attributes: tc-act-attrs + - + name: police +@@ -2250,7 +2251,8 @@ attribute-sets: + attributes: + - + name: act +- type: nest ++ type: indexed-array ++ sub-type: nest + nested-attributes: tc-act-attrs + - + name: police +-- +2.39.5 + diff --git a/queue-6.14/netlink-specs-tc-fix-a-couple-of-attribute-names.patch b/queue-6.14/netlink-specs-tc-fix-a-couple-of-attribute-names.patch new file mode 100644 index 0000000000..68e4d9d481 --- /dev/null +++ b/queue-6.14/netlink-specs-tc-fix-a-couple-of-attribute-names.patch @@ -0,0 +1,47 @@ +From c71dd36045692cee2b131f6e4591c765230d27a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 15:13:16 -0700 +Subject: netlink: specs: tc: fix a couple of attribute names + +From: Jakub Kicinski + +[ Upstream commit a9fb87b8b86918e34ef6bf3316311f41bc1a5b1f ] + +Fix up spelling of two attribute names. These are clearly typoes +and will prevent C codegen from working. Let's treat this as +a fix to get the correction into users' hands ASAP, and prevent +anyone depending on the wrong names. + +Fixes: a1bcfde83669 ("doc/netlink/specs: Add a spec for tc") +Link: https://patch.msgid.link/20250513221316.841700-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/tc.yaml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Documentation/netlink/specs/tc.yaml b/Documentation/netlink/specs/tc.yaml +index aacccea5dfe42..5e1ff04f51f26 100644 +--- a/Documentation/netlink/specs/tc.yaml ++++ b/Documentation/netlink/specs/tc.yaml +@@ -2745,7 +2745,7 @@ attribute-sets: + type: u16 + byte-order: big-endian + - +- name: key-l2-tpv3-sid ++ name: key-l2tpv3-sid + type: u32 + byte-order: big-endian + - +@@ -3504,7 +3504,7 @@ attribute-sets: + name: rate64 + type: u64 + - +- name: prate4 ++ name: prate64 + type: u64 + - + name: burst +-- +2.39.5 + diff --git a/queue-6.14/nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch b/queue-6.14/nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch new file mode 100644 index 0000000000..8a32bd0093 --- /dev/null +++ b/queue-6.14/nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch @@ -0,0 +1,97 @@ +From 9ee2d4123eacb1d9fa720590b247a70a09634f76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:25:08 +0800 +Subject: nfs: handle failure of nfs_get_lock_context in unlock path + +From: Li Lingfeng + +[ Upstream commit c457dc1ec770a22636b473ce5d35614adfe97636 ] + +When memory is insufficient, the allocation of nfs_lock_context in +nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat +an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) +as valid and proceed to execute rpc_run_task(), this will trigger a NULL +pointer dereference in nfs4_locku_prepare. For example: + +BUG: kernel NULL pointer dereference, address: 000000000000000c +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP PTI +CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 +Workqueue: rpciod rpc_async_schedule +RIP: 0010:nfs4_locku_prepare+0x35/0xc2 +Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 +RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 +RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 +RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 +R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 +R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 +FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 +Call Trace: + + __rpc_execute+0xbc/0x480 + rpc_async_schedule+0x2f/0x40 + process_one_work+0x232/0x5d0 + worker_thread+0x1da/0x3d0 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x10d/0x240 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x50 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + +Modules linked in: +CR2: 000000000000000c +---[ end trace 0000000000000000 ]--- + +Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and +return NULL to terminate subsequent rpc_run_task, preventing NULL pointer +dereference. + +Fixes: f30cb757f680 ("NFS: Always wait for I/O completion before unlock") +Signed-off-by: Li Lingfeng +Reviewed-by: Jeff Layton +Link: https://lore.kernel.org/r/20250417072508.3850532-1-lilingfeng3@huawei.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 6e95db6c17e92..810cfd9b7e533 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7049,10 +7049,18 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, + struct nfs4_unlockdata *p; + struct nfs4_state *state = lsp->ls_state; + struct inode *inode = state->inode; ++ struct nfs_lock_context *l_ctx; + + p = kzalloc(sizeof(*p), GFP_KERNEL); + if (p == NULL) + return NULL; ++ l_ctx = nfs_get_lock_context(ctx); ++ if (!IS_ERR(l_ctx)) { ++ p->l_ctx = l_ctx; ++ } else { ++ kfree(p); ++ return NULL; ++ } + p->arg.fh = NFS_FH(inode); + p->arg.fl = &p->fl; + p->arg.seqid = seqid; +@@ -7060,7 +7068,6 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, + p->lsp = lsp; + /* Ensure we don't close file until we're done freeing locks! */ + p->ctx = get_nfs_open_context(ctx); +- p->l_ctx = nfs_get_lock_context(ctx); + locks_init_lock(&p->fl); + locks_copy_lock(&p->fl, fl); + p->server = NFS_SERVER(inode); +-- +2.39.5 + diff --git a/queue-6.14/nfs-localio-fix-a-race-in-nfs_local_open_fh.patch b/queue-6.14/nfs-localio-fix-a-race-in-nfs_local_open_fh.patch new file mode 100644 index 0000000000..b8501912fc --- /dev/null +++ b/queue-6.14/nfs-localio-fix-a-race-in-nfs_local_open_fh.patch @@ -0,0 +1,44 @@ +From 8793f8e6654c1bbf60450896b86cb6ec21701f8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 14:43:34 -0400 +Subject: NFS/localio: Fix a race in nfs_local_open_fh() + +From: Trond Myklebust + +[ Upstream commit fa7ab64f1e2fdc8f2603aab8e0dd20de89cb10d9 ] + +Once the clp->cl_uuid.lock has been dropped, another CPU could come in +and free the struct nfsd_file that was just added. To prevent that from +happening, take the RCU read lock before dropping the spin lock. + +Fixes: 86e00412254a ("nfs: cache all open LOCALIO nfsd_file(s) in client") +Signed-off-by: Trond Myklebust +Reviewed-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + fs/nfs/localio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/localio.c b/fs/nfs/localio.c +index 5c21caeae075c..4ec952f9f47dd 100644 +--- a/fs/nfs/localio.c ++++ b/fs/nfs/localio.c +@@ -278,6 +278,7 @@ nfs_local_open_fh(struct nfs_client *clp, const struct cred *cred, + new = __nfs_local_open_fh(clp, cred, fh, nfl, mode); + if (IS_ERR(new)) + return NULL; ++ rcu_read_lock(); + /* try to swap in the pointer */ + spin_lock(&clp->cl_uuid.lock); + nf = rcu_dereference_protected(*pnf, 1); +@@ -287,7 +288,6 @@ nfs_local_open_fh(struct nfs_client *clp, const struct cred *cred, + rcu_assign_pointer(*pnf, nf); + } + spin_unlock(&clp->cl_uuid.lock); +- rcu_read_lock(); + } + nf = nfs_local_file_get(nf); + rcu_read_unlock(); +-- +2.39.5 + diff --git a/queue-6.14/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch b/queue-6.14/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch new file mode 100644 index 0000000000..bd648e631b --- /dev/null +++ b/queue-6.14/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch @@ -0,0 +1,50 @@ +From 9224d4e5ec203f81acd92f71addc586e6653bdf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 10:50:13 -0400 +Subject: NFSv4/pnfs: Reset the layout state after a layoutreturn + +From: Trond Myklebust + +[ Upstream commit 6d6d7f91cc8c111d40416ac9240a3bb9396c5235 ] + +If there are still layout segments in the layout plh_return_lsegs list +after a layout return, we should be resetting the state to ensure they +eventually get returned as well. + +Fixes: 68f744797edd ("pNFS: Do not free layout segments that are marked for return") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 5f582713bf05e..683e09be25adf 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -745,6 +745,14 @@ pnfs_mark_matching_lsegs_invalid(struct pnfs_layout_hdr *lo, + return remaining; + } + ++static void pnfs_reset_return_info(struct pnfs_layout_hdr *lo) ++{ ++ struct pnfs_layout_segment *lseg; ++ ++ list_for_each_entry(lseg, &lo->plh_return_segs, pls_list) ++ pnfs_set_plh_return_info(lo, lseg->pls_range.iomode, 0); ++} ++ + static void + pnfs_free_returned_lsegs(struct pnfs_layout_hdr *lo, + struct list_head *free_me, +@@ -1292,6 +1300,7 @@ void pnfs_layoutreturn_free_lsegs(struct pnfs_layout_hdr *lo, + pnfs_mark_matching_lsegs_invalid(lo, &freeme, range, seq); + pnfs_free_returned_lsegs(lo, &freeme, range, seq); + pnfs_set_layout_stateid(lo, stateid, NULL, true); ++ pnfs_reset_return_info(lo); + } else + pnfs_mark_layout_stateid_invalid(lo, &freeme); + out_unlock: +-- +2.39.5 + diff --git a/queue-6.14/nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch b/queue-6.14/nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch new file mode 100644 index 0000000000..798a6748dc --- /dev/null +++ b/queue-6.14/nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch @@ -0,0 +1,40 @@ +From 35b1fbca965da70431b90c8e7a5819f7b54c03d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 16:57:06 +0200 +Subject: nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable + +From: Keith Busch + +[ Upstream commit 3d8932133dcecbd9bef1559533c1089601006f45 ] + +We need to lock this queue for that condition because the timeout work +executes per-namespace and can poll the poll CQ. + +Reported-by: Hannes Reinecke +Closes: https://lore.kernel.org/all/20240902130728.1999-1-hare@kernel.org/ +Fixes: a0fa9647a54e ("NVMe: add blk polling support") +Signed-off-by: Keith Busch +Signed-off-by: Daniel Wagner +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 7fdf7f24d46e6..00bd21b5c641e 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1205,7 +1205,9 @@ static void nvme_poll_irqdisable(struct nvme_queue *nvmeq) + WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags)); + + disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ spin_lock(&nvmeq->cq_poll_lock); + nvme_poll_cq(nvmeq, NULL); ++ spin_unlock(&nvmeq->cq_poll_lock); + enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); + } + +-- +2.39.5 + diff --git a/queue-6.14/nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch b/queue-6.14/nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch new file mode 100644 index 0000000000..224673f1f9 --- /dev/null +++ b/queue-6.14/nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch @@ -0,0 +1,64 @@ +From 0618e64a70c9c632e25101bebccc158fba2dcfdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 20:35:40 -0700 +Subject: nvme-pci: make nvme_pci_npages_prp() __always_inline + +From: Kees Cook + +[ Upstream commit 40696426b8c8c4f13cf6ac52f0470eed144be4b2 ] + +The only reason nvme_pci_npages_prp() could be used as a compile-time +known result in BUILD_BUG_ON() is because the compiler was always choosing +to inline the function. Under special circumstances (sanitizer coverage +functions disabled for __init functions on ARCH=um), the compiler decided +to stop inlining it: + + drivers/nvme/host/pci.c: In function 'nvme_init': + include/linux/compiler_types.h:557:45: error: call to '__compiletime_assert_678' declared with attribute error: BUILD_BUG_ON failed: nvme_pci_npages_prp() > NVME_MAX_NR_ALLOCATIONS + 557 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + | ^ + include/linux/compiler_types.h:538:25: note: in definition of macro '__compiletime_assert' + 538 | prefix ## suffix(); \ + | ^~~~~~ + include/linux/compiler_types.h:557:9: note: in expansion of macro '_compiletime_assert' + 557 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + | ^~~~~~~~~~~~~~~~~~~ + include/linux/build_bug.h:39:37: note: in expansion of macro 'compiletime_assert' + 39 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) + | ^~~~~~~~~~~~~~~~~~ + include/linux/build_bug.h:50:9: note: in expansion of macro 'BUILD_BUG_ON_MSG' + 50 | BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition) + | ^~~~~~~~~~~~~~~~ + drivers/nvme/host/pci.c:3804:9: note: in expansion of macro 'BUILD_BUG_ON' + 3804 | BUILD_BUG_ON(nvme_pci_npages_prp() > NVME_MAX_NR_ALLOCATIONS); + | ^~~~~~~~~~~~ + +Force it to be __always_inline to make sure it is always available for +use with BUILD_BUG_ON(). + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202505061846.12FMyRjj-lkp@intel.com/ +Fixes: c372cdd1efdf ("nvme-pci: iod npages fits in s8") +Signed-off-by: Kees Cook +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index d49b69565d04c..7fdf7f24d46e6 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -390,7 +390,7 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db, + * as it only leads to a small amount of wasted memory for the lifetime of + * the I/O. + */ +-static int nvme_pci_npages_prp(void) ++static __always_inline int nvme_pci_npages_prp(void) + { + unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE; + unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE); +-- +2.39.5 + diff --git a/queue-6.14/octeontx2-af-fix-cgx-receive-counters.patch b/queue-6.14/octeontx2-af-fix-cgx-receive-counters.patch new file mode 100644 index 0000000000..6d65d984e5 --- /dev/null +++ b/queue-6.14/octeontx2-af-fix-cgx-receive-counters.patch @@ -0,0 +1,43 @@ +From 36948be2e6b59d3f7f73c88061b1e49dcf5a70d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:45:54 +0530 +Subject: octeontx2-af: Fix CGX Receive counters + +From: Hariprasad Kelam + +[ Upstream commit bf449f35e77fd44017abf991fac1f9ab7705bbe0 ] + +Each CGX block supports 4 logical MACs (LMACS). Receive +counters CGX_CMR_RX_STAT0-8 are per LMAC and CGX_CMR_RX_STAT9-12 +are per CGX. + +Due a bug in previous patch, stale Per CGX counters values observed. + +Fixes: 66208910e57a ("octeontx2-af: Support to retrieve CGX LMAC stats") +Signed-off-by: Hariprasad Kelam +Link: https://patch.msgid.link/20250513071554.728922-1-hkelam@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c +index 8216f843a7cd5..e43c4608d3ba3 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c +@@ -707,6 +707,11 @@ int cgx_get_rx_stats(void *cgxd, int lmac_id, int idx, u64 *rx_stat) + + if (!is_lmac_valid(cgx, lmac_id)) + return -ENODEV; ++ ++ /* pass lmac as 0 for CGX_CMR_RX_STAT9-12 */ ++ if (idx >= CGX_RX_STAT_GLOBAL_INDEX) ++ lmac_id = 0; ++ + *rx_stat = cgx_read(cgx, lmac_id, CGXX_CMRX_RX_STAT0 + (idx * 8)); + return 0; + } +-- +2.39.5 + diff --git a/queue-6.14/octeontx2-pf-do-not-reallocate-all-ntuple-filters.patch b/queue-6.14/octeontx2-pf-do-not-reallocate-all-ntuple-filters.patch new file mode 100644 index 0000000000..a2d0fd8cf1 --- /dev/null +++ b/queue-6.14/octeontx2-pf-do-not-reallocate-all-ntuple-filters.patch @@ -0,0 +1,78 @@ +From 9fca469762ca8ff10affc6b5645d05b6ef3aa4e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 18:22:37 +0530 +Subject: octeontx2-pf: Do not reallocate all ntuple filters + +From: Subbaraya Sundeep + +[ Upstream commit dcb479fde00be9a151c047d0a7c0626b64eb0019 ] + +If ntuple filters count is modified followed by +unicast filters count using devlink then the ntuple count +set by user is ignored and all the ntuple filters are +being reallocated. Fix this by storing the ntuple count +set by user. Without this patch, say if user tries +to modify ntuple count as 8 followed by ucast filter count as 4 +using devlink commands then ntuple count is being reverted to +default value 16 i.e, not retaining user set value 8. + +Fixes: 39c469188b6d ("octeontx2-pf: Add ucast filter count configurability via devlink.") +Signed-off-by: Subbaraya Sundeep +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1747054357-5850-1-git-send-email-sbhatta@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h | 1 + + drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c | 1 + + drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c | 3 ++- + 3 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h +index 65814e3dc93f5..7cc12f10e8a15 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h +@@ -349,6 +349,7 @@ struct otx2_flow_config { + struct list_head flow_list_tc; + u8 ucast_flt_cnt; + bool ntuple; ++ u16 ntuple_cnt; + }; + + struct dev_hw_ops { +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c +index 33ec9a7f7c033..e13ae5484c19c 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c +@@ -41,6 +41,7 @@ static int otx2_dl_mcam_count_set(struct devlink *devlink, u32 id, + if (!pfvf->flow_cfg) + return 0; + ++ pfvf->flow_cfg->ntuple_cnt = ctx->val.vu16; + otx2_alloc_mcam_entries(pfvf, ctx->val.vu16); + + return 0; +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c +index 47bfd1fb37d4b..64c6d9162ef64 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c +@@ -247,7 +247,7 @@ int otx2_mcam_entry_init(struct otx2_nic *pfvf) + mutex_unlock(&pfvf->mbox.lock); + + /* Allocate entries for Ntuple filters */ +- count = otx2_alloc_mcam_entries(pfvf, OTX2_DEFAULT_FLOWCOUNT); ++ count = otx2_alloc_mcam_entries(pfvf, flow_cfg->ntuple_cnt); + if (count <= 0) { + otx2_clear_ntuple_flow_info(pfvf, flow_cfg); + return 0; +@@ -307,6 +307,7 @@ int otx2_mcam_flow_init(struct otx2_nic *pf) + INIT_LIST_HEAD(&pf->flow_cfg->flow_list_tc); + + pf->flow_cfg->ucast_flt_cnt = OTX2_DEFAULT_UNICAST_FLOWS; ++ pf->flow_cfg->ntuple_cnt = OTX2_DEFAULT_FLOWCOUNT; + + /* Allocate bare minimum number of MCAM entries needed for + * unicast and ntuple filters. +-- +2.39.5 + diff --git a/queue-6.14/octeontx2-pf-fix-ethtool-support-for-sdp-representor.patch b/queue-6.14/octeontx2-pf-fix-ethtool-support-for-sdp-representor.patch new file mode 100644 index 0000000000..ebc237bf4d --- /dev/null +++ b/queue-6.14/octeontx2-pf-fix-ethtool-support-for-sdp-representor.patch @@ -0,0 +1,70 @@ +From 1e4e56cf8c910cb548000b1b325daebeaec70a45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 11:59:01 +0530 +Subject: octeontx2-pf: Fix ethtool support for SDP representors + +From: Hariprasad Kelam + +[ Upstream commit 314007549d89adebdd1e214a743d7e26edbd075e ] + +The hardware supports multiple MAC types, including RPM, SDP, and LBK. +However, features such as link settings and pause frames are only available +on RPM MAC, and not supported on SDP or LBK. + +This patch updates the ethtool operations logic accordingly to reflect +this behavior. + +Fixes: 2f7f33a09516 ("octeontx2-pf: Add representors for sdp MAC") +Signed-off-by: Hariprasad Kelam +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +index 2d53dc77ef1ef..b3f616a7f2e96 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -315,7 +315,7 @@ static void otx2_get_pauseparam(struct net_device *netdev, + struct otx2_nic *pfvf = netdev_priv(netdev); + struct cgx_pause_frm_cfg *req, *rsp; + +- if (is_otx2_lbkvf(pfvf->pdev)) ++ if (is_otx2_lbkvf(pfvf->pdev) || is_otx2_sdp_rep(pfvf->pdev)) + return; + + mutex_lock(&pfvf->mbox.lock); +@@ -347,7 +347,7 @@ static int otx2_set_pauseparam(struct net_device *netdev, + if (pause->autoneg) + return -EOPNOTSUPP; + +- if (is_otx2_lbkvf(pfvf->pdev)) ++ if (is_otx2_lbkvf(pfvf->pdev) || is_otx2_sdp_rep(pfvf->pdev)) + return -EOPNOTSUPP; + + if (pause->rx_pause) +@@ -937,8 +937,8 @@ static u32 otx2_get_link(struct net_device *netdev) + { + struct otx2_nic *pfvf = netdev_priv(netdev); + +- /* LBK link is internal and always UP */ +- if (is_otx2_lbkvf(pfvf->pdev)) ++ /* LBK and SDP links are internal and always UP */ ++ if (is_otx2_lbkvf(pfvf->pdev) || is_otx2_sdp_rep(pfvf->pdev)) + return 1; + return pfvf->linfo.link_up; + } +@@ -1409,7 +1409,7 @@ static int otx2vf_get_link_ksettings(struct net_device *netdev, + { + struct otx2_nic *pfvf = netdev_priv(netdev); + +- if (is_otx2_lbkvf(pfvf->pdev)) { ++ if (is_otx2_lbkvf(pfvf->pdev) || is_otx2_sdp_rep(pfvf->pdev)) { + cmd->base.duplex = DUPLEX_FULL; + cmd->base.speed = SPEED_100000; + } else { +-- +2.39.5 + diff --git a/queue-6.14/octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch b/queue-6.14/octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch new file mode 100644 index 0000000000..2aa670ec96 --- /dev/null +++ b/queue-6.14/octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch @@ -0,0 +1,47 @@ +From a51400f349566a413b3871c6c9938afb0bc7e0f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 18:12:36 +0530 +Subject: octeontx2-pf: macsec: Fix incorrect max transmit size in TX secy + +From: Subbaraya Sundeep + +[ Upstream commit 865ab2461375e3a5a2526f91f9a9f17b8931bc9e ] + +MASCEC hardware block has a field called maximum transmit size for +TX secy. Max packet size going out of MCS block has be programmed +taking into account full packet size which has L2 header,SecTag +and ICV. MACSEC offload driver is configuring max transmit size as +macsec interface MTU which is incorrect. Say with 1500 MTU of real +device, macsec interface created on top of real device will have MTU of +1468(1500 - (SecTag + ICV)). This is causing packets from macsec +interface of size greater than or equal to 1468 are not getting +transmitted out because driver programmed max transmit size as 1468 +instead of 1514(1500 + ETH_HDR_LEN). + +Fixes: c54ffc73601c ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading") +Signed-off-by: Subbaraya Sundeep +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/1747053756-4529-1-git-send-email-sbhatta@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +index f3b9daffaec3c..4c7e0f345cb5b 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c +@@ -531,7 +531,8 @@ static int cn10k_mcs_write_tx_secy(struct otx2_nic *pfvf, + if (sw_tx_sc->encrypt) + sectag_tci |= (MCS_TCI_E | MCS_TCI_C); + +- policy = FIELD_PREP(MCS_TX_SECY_PLCY_MTU, secy->netdev->mtu); ++ policy = FIELD_PREP(MCS_TX_SECY_PLCY_MTU, ++ pfvf->netdev->mtu + OTX2_ETH_HLEN); + /* Write SecTag excluding AN bits(1..0) */ + policy |= FIELD_PREP(MCS_TX_SECY_PLCY_ST_TCI, sectag_tci >> 2); + policy |= FIELD_PREP(MCS_TX_SECY_PLCY_ST_OFFSET, tag_offset); +-- +2.39.5 + diff --git a/queue-6.14/platform-x86-amd-hsmp-make-amd_hsmp-and-hsmp_acpi-as.patch b/queue-6.14/platform-x86-amd-hsmp-make-amd_hsmp-and-hsmp_acpi-as.patch new file mode 100644 index 0000000000..13025a57eb --- /dev/null +++ b/queue-6.14/platform-x86-amd-hsmp-make-amd_hsmp-and-hsmp_acpi-as.patch @@ -0,0 +1,106 @@ +From e2b17eb2ecc8741a9c63126edb1d28bf9fc519dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 10:23:57 +0000 +Subject: platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually + exclusive drivers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Suma Hegde + +[ Upstream commit 0581d384f344ed0a963dd27cbff3c7af80c189e7 ] + +amd_hsmp and hsmp_acpi are intended to be mutually exclusive drivers and +amd_hsmp is for legacy platforms. To achieve this, it is essential to +check for the presence of the ACPI device in plat.c. If the hsmp ACPI +device entry is found, allow the hsmp_acpi driver to manage the hsmp +and return an error from plat.c. + +Additionally, rename the driver from amd_hsmp to hsmp_acpi to prevent +"Driver 'amd_hsmp' is already registered, aborting..." error in case +both drivers are loaded simultaneously. + +Also, support both platform device based and ACPI based probing for +family 0x1A models 0x00 to 0x0F, implement only ACPI based probing +for family 0x1A, models 0x10 to 0x1F. Return false from +legacy_hsmp_support() for this platform. +This aligns with the condition check in is_f1a_m0h(). + +Link: https://lore.kernel.org/platform-driver-x86/aALZxvHWmphNL1wa@gourry-fedora-PF4VCD3F/ +Fixes: 7d3135d16356 ("platform/x86/amd/hsmp: Create separate ACPI, plat and common drivers") +Reviewed-by: Naveen Krishna Chatradhi +Co-developed-by: Gregory Price +Signed-off-by: Gregory Price +Signed-off-by: Suma Hegde +Link: https://lore.kernel.org/r/20250425102357.266790-1-suma.hegde@amd.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/hsmp/acpi.c | 3 +-- + drivers/platform/x86/amd/hsmp/hsmp.h | 1 + + drivers/platform/x86/amd/hsmp/plat.c | 6 +++++- + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/amd/hsmp/acpi.c b/drivers/platform/x86/amd/hsmp/acpi.c +index c1eccb3c80c5c..eaae044e4f824 100644 +--- a/drivers/platform/x86/amd/hsmp/acpi.c ++++ b/drivers/platform/x86/amd/hsmp/acpi.c +@@ -27,9 +27,8 @@ + + #include "hsmp.h" + +-#define DRIVER_NAME "amd_hsmp" ++#define DRIVER_NAME "hsmp_acpi" + #define DRIVER_VERSION "2.3" +-#define ACPI_HSMP_DEVICE_HID "AMDI0097" + + /* These are the strings specified in ACPI table */ + #define MSG_IDOFF_STR "MsgIdOffset" +diff --git a/drivers/platform/x86/amd/hsmp/hsmp.h b/drivers/platform/x86/amd/hsmp/hsmp.h +index af8b21f821d66..d58d4f0c20d55 100644 +--- a/drivers/platform/x86/amd/hsmp/hsmp.h ++++ b/drivers/platform/x86/amd/hsmp/hsmp.h +@@ -23,6 +23,7 @@ + + #define HSMP_CDEV_NAME "hsmp_cdev" + #define HSMP_DEVNODE_NAME "hsmp" ++#define ACPI_HSMP_DEVICE_HID "AMDI0097" + + struct hsmp_mbaddr_info { + u32 base_addr; +diff --git a/drivers/platform/x86/amd/hsmp/plat.c b/drivers/platform/x86/amd/hsmp/plat.c +index b9782a078dbd2..81931e808bbc8 100644 +--- a/drivers/platform/x86/amd/hsmp/plat.c ++++ b/drivers/platform/x86/amd/hsmp/plat.c +@@ -11,6 +11,7 @@ + + #include + ++#include + #include + #include + #include +@@ -266,7 +267,7 @@ static bool legacy_hsmp_support(void) + } + case 0x1A: + switch (boot_cpu_data.x86_model) { +- case 0x00 ... 0x1F: ++ case 0x00 ... 0x0F: + return true; + default: + return false; +@@ -288,6 +289,9 @@ static int __init hsmp_plt_init(void) + return ret; + } + ++ if (acpi_dev_present(ACPI_HSMP_DEVICE_HID, NULL, -1)) ++ return -ENODEV; ++ + hsmp_pdev = get_hsmp_pdev(); + if (!hsmp_pdev) + return -ENOMEM; +-- +2.39.5 + diff --git a/queue-6.14/platform-x86-amd-pmc-declare-quirk_spurious_8042-for.patch b/queue-6.14/platform-x86-amd-pmc-declare-quirk_spurious_8042-for.patch new file mode 100644 index 0000000000..e8b4b462f4 --- /dev/null +++ b/queue-6.14/platform-x86-amd-pmc-declare-quirk_spurious_8042-for.patch @@ -0,0 +1,69 @@ +From 308c9b2c7ef772e2905676310ddbfd77777ca914 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 18:01:03 +0800 +Subject: platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie + 14XA (GX4HRXL) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Runhua He + +[ Upstream commit 0887817e4953885fbd6a5c1bec2fdd339261eb19 ] + +MECHREVO Wujie 14XA (GX4HRXL) wakes up immediately after s2idle entry. +This happens regardless of whether the laptop is plugged into AC power, +or whether any peripheral is plugged into the laptop. + +Similar to commit a55bdad5dfd1 ("platform/x86/amd/pmc: Disable keyboard +wakeup on AMD Framework 13"), the MECHREVO Wujie 14XA wakes up almost +instantly after s2idle suspend entry (IRQ1 is the keyboard): + +2025-04-18 17:23:57,588 DEBUG: PM: Triggering wakeup from IRQ 9 +2025-04-18 17:23:57,588 DEBUG: PM: Triggering wakeup from IRQ 1 + +Add this model to the spurious_8042 quirk to workaround this. + +This patch does not affect the wake-up function of the built-in keyboard. +Because the firmware of this machine adds an insurance for keyboard +wake-up events, as it always triggers an additional IRQ 9 to wake up the +system. + +Suggested-by: Mingcong Bai +Suggested-by: Xinhui Yang +Suggested-by: Rong Zhang +Fixes: a55bdad5dfd1 ("platform/x86/amd/pmc: Disable keyboard wakeup on AMD Framework 13") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4166 +Cc: Mario Limonciello +Link: https://zhuanldan.zhihu.com/p/730538041 +Tested-by: Yemu Lu +Signed-off-by: Runhua He +Link: https://lore.kernel.org/r/20250507100103.995395-1-hua@aosc.io +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/pmc/pmc-quirks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c +index b4f49720c87f6..2e3f6fc67c568 100644 +--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c ++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c +@@ -217,6 +217,13 @@ static const struct dmi_system_id fwbug_list[] = { + DMI_MATCH(DMI_BIOS_VERSION, "03.05"), + } + }, ++ { ++ .ident = "MECHREVO Wujie 14X (GX4HRXL)", ++ .driver_data = &quirk_spurious_8042, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "WUJIE14-GX4HRXL"), ++ } ++ }, + {} + }; + +-- +2.39.5 + diff --git a/queue-6.14/platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch b/queue-6.14/platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch new file mode 100644 index 0000000000..d5b209fc3a --- /dev/null +++ b/queue-6.14/platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch @@ -0,0 +1,76 @@ +From c891901370e5ff22af4ad751c85e1b3f51bc4034 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 15:17:02 +0200 +Subject: platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit bfcfe6d335a967f8ea0c1980960e6f0205b5de6e ] + +The wlan_ctrl_by_user detection was introduced by commit a50bd128f28c +("asus-wmi: record wlan status while controlled by userapp"). + +Quoting from that commit's commit message: + +""" +When you call WMIMethod(DSTS, 0x00010011) to get WLAN status, it may return + +(1) 0x00050001 (On) +(2) 0x00050000 (Off) +(3) 0x00030001 (On) +(4) 0x00030000 (Off) +(5) 0x00000002 (Unknown) + +(1), (2) means that the model has hardware GPIO for WLAN, you can call +WMIMethod(DEVS, 0x00010011, 1 or 0) to turn WLAN on/off. +(3), (4) means that the model doesn’t have hardware GPIO, you need to use +API or driver library to turn WLAN on/off, and call +WMIMethod(DEVS, 0x00010012, 1 or 0) to set WLAN LED status. +After you set WLAN LED status, you can see the WLAN status is changed with +WMIMethod(DSTS, 0x00010011). Because the status is recorded lastly +(ex: Windows), you can use it for synchronization. +(5) means that the model doesn’t have WLAN device. + +WLAN is the ONLY special case with upper rule. +""" + +The wlan_ctrl_by_user flag should be set on 0x0003000? ((3), (4) above) +return values, but the flag mistakenly also gets set on laptops with +0x0005000? ((1), (2)) return values. This is causing rfkill problems on +laptops where 0x0005000? is returned. + +Fix the check to only set the wlan_ctrl_by_user flag for 0x0003000? +return values. + +Fixes: a50bd128f28c ("asus-wmi: record wlan status while controlled by userapp") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219786 +Signed-off-by: Hans de Goede +Reviewed-by: Armin Wolf +Link: https://lore.kernel.org/r/20250501131702.103360-2-hdegoede@redhat.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 38ef778e8c19b..f66d152e265da 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -4777,7 +4777,8 @@ static int asus_wmi_add(struct platform_device *pdev) + goto fail_leds; + + asus_wmi_get_devstate(asus, ASUS_WMI_DEVID_WLAN, &result); +- if (result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) ++ if ((result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) == ++ (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) + asus->driver->wlan_ctrl_by_user = 1; + + if (!(asus->driver->wlan_ctrl_by_user && ashs_present())) { +-- +2.39.5 + diff --git a/queue-6.14/qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch b/queue-6.14/qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch new file mode 100644 index 0000000000..02aad0ea19 --- /dev/null +++ b/queue-6.14/qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch @@ -0,0 +1,45 @@ +From 552c93c93ebdc94a087bb1883303396ed4e450e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 10:18:27 +0530 +Subject: qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() + +From: Abdun Nihaal + +[ Upstream commit 9d8a99c5a7c7f4f7eca2c168a4ec254409670035 ] + +In one of the error paths in qlcnic_sriov_channel_cfg_cmd(), the memory +allocated in qlcnic_sriov_alloc_bc_mbx_args() for mailbox arguments is +not freed. Fix that by jumping to the error path that frees them, by +calling qlcnic_free_mbx_args(). This was found using static analysis. + +Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation") +Signed-off-by: Abdun Nihaal +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250512044829.36400-1-abdun.nihaal@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +index 28d24d59efb84..d57b976b90409 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -1484,8 +1484,11 @@ static int qlcnic_sriov_channel_cfg_cmd(struct qlcnic_adapter *adapter, u8 cmd_o + } + + cmd_op = (cmd.rsp.arg[0] & 0xff); +- if (cmd.rsp.arg[0] >> 25 == 2) +- return 2; ++ if (cmd.rsp.arg[0] >> 25 == 2) { ++ ret = 2; ++ goto out; ++ } ++ + if (cmd_op == QLCNIC_BC_CMD_CHANNEL_INIT) + set_bit(QLC_BC_VF_STATE, &vf->state); + else +-- +2.39.5 + diff --git a/queue-6.14/rdma-core-fix-kasan-slab-use-after-free-read-in-ib_r.patch b/queue-6.14/rdma-core-fix-kasan-slab-use-after-free-read-in-ib_r.patch new file mode 100644 index 0000000000..5d7200c66e --- /dev/null +++ b/queue-6.14/rdma-core-fix-kasan-slab-use-after-free-read-in-ib_r.patch @@ -0,0 +1,93 @@ +From 0efe8e7c9944bca5e7656a57a2214507e584772d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 17:10:08 +0200 +Subject: RDMA/core: Fix "KASAN: slab-use-after-free Read in + ib_register_device" problem + +From: Zhu Yanjun + +[ Upstream commit d0706bfd3ee40923c001c6827b786a309e2a8713 ] + +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:408 [inline] + print_report+0xc3/0x670 mm/kasan/report.c:521 + kasan_report+0xe0/0x110 mm/kasan/report.c:634 + strlen+0x93/0xa0 lib/string.c:420 + __fortify_strlen include/linux/fortify-string.h:268 [inline] + get_kobj_path_length lib/kobject.c:118 [inline] + kobject_get_path+0x3f/0x2a0 lib/kobject.c:158 + kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545 + ib_register_device drivers/infiniband/core/device.c:1472 [inline] + ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393 + rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552 + rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550 + rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225 + nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796 + rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195 + rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450 + netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339 + netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883 + sock_sendmsg_nosec net/socket.c:712 [inline] + __sock_sendmsg net/socket.c:727 [inline] + ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566 + ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 + __sys_sendmsg+0x16d/0x220 net/socket.c:2652 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +This problem is similar to the problem that the +commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name") +fixes. + +The root cause is: the function ib_device_rename() renames the name with +lock. But in the function kobject_uevent(), this name is accessed without +lock protection at the same time. + +The solution is to add the lock protection when this name is accessed in +the function kobject_uevent(). + +Fixes: 779e0bf47632 ("RDMA/core: Do not indicate device ready when device enablement fails") +Link: https://patch.msgid.link/r/20250506151008.75701-1-yanjun.zhu@linux.dev +Reported-by: syzbot+e2ce9e275ecc70a30b72@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e2ce9e275ecc70a30b72 +Signed-off-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index ee75b99f84bcc..baf12e3e2a7ea 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -1352,6 +1352,9 @@ static void ib_device_notify_register(struct ib_device *device) + + down_read(&devices_rwsem); + ++ /* Mark for userspace that device is ready */ ++ kobject_uevent(&device->dev.kobj, KOBJ_ADD); ++ + ret = rdma_nl_notify_event(device, 0, RDMA_REGISTER_EVENT); + if (ret) + goto out; +@@ -1468,10 +1471,9 @@ int ib_register_device(struct ib_device *device, const char *name, + return ret; + } + dev_set_uevent_suppress(&device->dev, false); +- /* Mark for userspace that device is ready */ +- kobject_uevent(&device->dev.kobj, KOBJ_ADD); + + ib_device_notify_register(device); ++ + ib_device_put(device); + + return 0; +-- +2.39.5 + diff --git a/queue-6.14/rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch b/queue-6.14/rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch new file mode 100644 index 0000000000..d5d9d0ebff --- /dev/null +++ b/queue-6.14/rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch @@ -0,0 +1,69 @@ +From 89ef8170e64d89938bbb05eac0a224bdbdd17267 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Apr 2025 09:57:14 +0200 +Subject: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug + +From: Zhu Yanjun + +[ Upstream commit f81b33582f9339d2dc17c69b92040d3650bb4bae ] + +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcf/0x610 mm/kasan/report.c:489 + kasan_report+0xb5/0xe0 mm/kasan/report.c:602 + rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195 + rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132 + __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232 + rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109 + create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052 + ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095 + ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679 + vfs_write fs/read_write.c:677 [inline] + vfs_write+0x26a/0xcc0 fs/read_write.c:659 + ksys_write+0x1b8/0x200 fs/read_write.c:731 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +In the function rxe_create_cq, when rxe_cq_from_init fails, the function +rxe_cleanup will be called to handle the allocated resources. In fact, +some memory resources have already been freed in the function +rxe_cq_from_init. Thus, this problem will occur. + +The solution is to let rxe_cleanup do all the work. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://paste.ubuntu.com/p/tJgC42wDf6/ +Tested-by: liuyi +Signed-off-by: Zhu Yanjun +Link: https://patch.msgid.link/20250412075714.3257358-1-yanjun.zhu@linux.dev +Reviewed-by: Daisuke Matsuda +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_cq.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_cq.c b/drivers/infiniband/sw/rxe/rxe_cq.c +index fec87c9030abd..fffd144d509eb 100644 +--- a/drivers/infiniband/sw/rxe/rxe_cq.c ++++ b/drivers/infiniband/sw/rxe/rxe_cq.c +@@ -56,11 +56,8 @@ int rxe_cq_from_init(struct rxe_dev *rxe, struct rxe_cq *cq, int cqe, + + err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, udata, + cq->queue->buf, cq->queue->buf_size, &cq->queue->ip); +- if (err) { +- vfree(cq->queue->buf); +- kfree(cq->queue); ++ if (err) + return err; +- } + + cq->is_user = uresp; + +-- +2.39.5 + diff --git a/queue-6.14/regulator-max20086-fix-invalid-memory-access.patch b/queue-6.14/regulator-max20086-fix-invalid-memory-access.patch new file mode 100644 index 0000000000..ed6b581bc1 --- /dev/null +++ b/queue-6.14/regulator-max20086-fix-invalid-memory-access.patch @@ -0,0 +1,73 @@ +From 6ce589fcd5e91fda79ad8ee1a999e96e3f171846 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 09:49:43 +0300 +Subject: regulator: max20086: fix invalid memory access + +From: Cosmin Tanislav + +[ Upstream commit 6b0cd72757c69bc2d45da42b41023e288d02e772 ] + +max20086_parse_regulators_dt() calls of_regulator_match() using an +array of struct of_regulator_match allocated on the stack for the +matches argument. + +of_regulator_match() calls devm_of_regulator_put_matches(), which calls +devres_alloc() to allocate a struct devm_of_regulator_matches which will +be de-allocated using devm_of_regulator_put_matches(). + +struct devm_of_regulator_matches is populated with the stack allocated +matches array. + +If the device fails to probe, devm_of_regulator_put_matches() will be +called and will try to call of_node_put() on that stack pointer, +generating the following dmesg entries: + +max20086 6-0028: Failed to read DEVICE_ID reg: -121 +kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet +kobject_put() is being called. + +Followed by a stack trace matching the call flow described above. + +Switch to allocating the matches array using devm_kcalloc() to +avoid accessing the stack pointer long after it's out of scope. + +This also has the advantage of allowing multiple max20086 to probe +without overriding the data stored inside the global of_regulator_match. + +Fixes: bfff546aae50 ("regulator: Add MAX20086-MAX20089 driver") +Signed-off-by: Cosmin Tanislav +Link: https://patch.msgid.link/20250508064947.2567255-1-demonsingur@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/max20086-regulator.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/max20086-regulator.c b/drivers/regulator/max20086-regulator.c +index 59eb23d467ec0..198d45f8e8849 100644 +--- a/drivers/regulator/max20086-regulator.c ++++ b/drivers/regulator/max20086-regulator.c +@@ -132,7 +132,7 @@ static int max20086_regulators_register(struct max20086 *chip) + + static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on) + { +- struct of_regulator_match matches[MAX20086_MAX_REGULATORS] = { }; ++ struct of_regulator_match *matches; + struct device_node *node; + unsigned int i; + int ret; +@@ -143,6 +143,11 @@ static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on) + return -ENODEV; + } + ++ matches = devm_kcalloc(chip->dev, chip->info->num_outputs, ++ sizeof(*matches), GFP_KERNEL); ++ if (!matches) ++ return -ENOMEM; ++ + for (i = 0; i < chip->info->num_outputs; ++i) + matches[i].name = max20086_output_names[i]; + +-- +2.39.5 + diff --git a/queue-6.14/riscv-dts-sophgo-fix-dma-data-width-configuration-fo.patch b/queue-6.14/riscv-dts-sophgo-fix-dma-data-width-configuration-fo.patch new file mode 100644 index 0000000000..485186ce17 --- /dev/null +++ b/queue-6.14/riscv-dts-sophgo-fix-dma-data-width-configuration-fo.patch @@ -0,0 +1,57 @@ +From 97ddf3d3d7b762e91f2e7087639733485afb5031 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 17:24:36 +0800 +Subject: riscv: dts: sophgo: fix DMA data-width configuration for CV18xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ze Huang + +[ Upstream commit 3e6244429ba38f8dee3336b8b805948276b281ab ] + +The "snps,data-width" property[1] defines the AXI data width of the DMA +controller as: + + width = 8 × (2^n) bits + +(0 = 8 bits, 1 = 16 bits, 2 = 32 bits, ..., 6 = 512 bits) +where "n" is the value of "snps,data-width". + +For the CV18xx DMA controller, the correct AXI data width is 32 bits, +corresponding to "snps,data-width = 2". + +Test results on Milkv Duo S can be found here [2]. + +Link: https://github.com/torvalds/linux/blob/master/Documentation/devicetree/bindings/dma/snps%2Cdw-axi-dmac.yaml#L74 [1] +Link: https://gist.github.com/Sutter099/4fa99bb2d89e5af975983124704b3861 [2] + +Fixes: 514951a81a5e ("riscv: dts: sophgo: cv18xx: add DMA controller") +Co-developed-by: Yu Yuan +Signed-off-by: Yu Yuan +Signed-off-by: Ze Huang +Link: https://lore.kernel.org/r/20250428-duo-dma-config-v1-1-eb6ad836ca42@whut.edu.cn +Signed-off-by: Inochi Amaoto +Signed-off-by: Chen Wang +Signed-off-by: Chen Wang +Signed-off-by: Sasha Levin +--- + arch/riscv/boot/dts/sophgo/cv18xx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/boot/dts/sophgo/cv18xx.dtsi b/arch/riscv/boot/dts/sophgo/cv18xx.dtsi +index c18822ec849f3..58cd546392e05 100644 +--- a/arch/riscv/boot/dts/sophgo/cv18xx.dtsi ++++ b/arch/riscv/boot/dts/sophgo/cv18xx.dtsi +@@ -341,7 +341,7 @@ + 1024 1024 1024 1024>; + snps,priority = <0 1 2 3 4 5 6 7>; + snps,dma-masters = <2>; +- snps,data-width = <4>; ++ snps,data-width = <2>; + status = "disabled"; + }; + +-- +2.39.5 + diff --git a/queue-6.14/sched_ext-fix-missing-rq-lock-in-scx_bpf_cpuperf_set.patch b/queue-6.14/sched_ext-fix-missing-rq-lock-in-scx_bpf_cpuperf_set.patch new file mode 100644 index 0000000000..6c10bd2d27 --- /dev/null +++ b/queue-6.14/sched_ext-fix-missing-rq-lock-in-scx_bpf_cpuperf_set.patch @@ -0,0 +1,81 @@ +From e0dd90f92931fd4040aee0bf75b348a402464821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Apr 2025 10:26:33 +0200 +Subject: sched_ext: Fix missing rq lock in scx_bpf_cpuperf_set() + +From: Andrea Righi + +[ Upstream commit a11d6784d7316a6c77ca9f14fb1a698ebbb3c1fb ] + +scx_bpf_cpuperf_set() can be used to set a performance target level on +any CPU. However, it doesn't correctly acquire the corresponding rq +lock, which may lead to unsafe behavior and trigger the following +warning, due to the lockdep_assert_rq_held() check: + +[ 51.713737] WARNING: CPU: 3 PID: 3899 at kernel/sched/sched.h:1512 scx_bpf_cpuperf_set+0x1a0/0x1e0 +... +[ 51.713836] Call trace: +[ 51.713837] scx_bpf_cpuperf_set+0x1a0/0x1e0 (P) +[ 51.713839] bpf_prog_62d35beb9301601f_bpfland_init+0x168/0x440 +[ 51.713841] bpf__sched_ext_ops_init+0x54/0x8c +[ 51.713843] scx_ops_enable.constprop.0+0x2c0/0x10f0 +[ 51.713845] bpf_scx_reg+0x18/0x30 +[ 51.713847] bpf_struct_ops_link_create+0x154/0x1b0 +[ 51.713849] __sys_bpf+0x1934/0x22a0 + +Fix by properly acquiring the rq lock when possible or raising an error +if we try to operate on a CPU that is not the one currently locked. + +Fixes: d86adb4fc0655 ("sched_ext: Add cpuperf support") +Signed-off-by: Andrea Righi +Acked-by: Changwoo Min +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/sched/ext.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c +index 77cdff0d9f348..0067f540a3f0f 100644 +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -7459,13 +7459,32 @@ __bpf_kfunc void scx_bpf_cpuperf_set(s32 cpu, u32 perf) + } + + if (ops_cpu_valid(cpu, NULL)) { +- struct rq *rq = cpu_rq(cpu); ++ struct rq *rq = cpu_rq(cpu), *locked_rq = scx_locked_rq(); ++ struct rq_flags rf; ++ ++ /* ++ * When called with an rq lock held, restrict the operation ++ * to the corresponding CPU to prevent ABBA deadlocks. ++ */ ++ if (locked_rq && rq != locked_rq) { ++ scx_ops_error("Invalid target CPU %d", cpu); ++ return; ++ } ++ ++ /* ++ * If no rq lock is held, allow to operate on any CPU by ++ * acquiring the corresponding rq lock. ++ */ ++ if (!locked_rq) { ++ rq_lock_irqsave(rq, &rf); ++ update_rq_clock(rq); ++ } + + rq->scx.cpuperf_target = perf; ++ cpufreq_update_util(rq, 0); + +- rcu_read_lock_sched_notrace(); +- cpufreq_update_util(cpu_rq(cpu), 0); +- rcu_read_unlock_sched_notrace(); ++ if (!locked_rq) ++ rq_unlock_irqrestore(rq, &rf); + } + } + +-- +2.39.5 + diff --git a/queue-6.14/series b/queue-6.14/series new file mode 100644 index 0000000000..8cf2719545 --- /dev/null +++ b/queue-6.14/series @@ -0,0 +1,62 @@ +sched_ext-fix-missing-rq-lock-in-scx_bpf_cpuperf_set.patch +arm64-dts-rockchip-assign-rt5616-mclk-rate-on-rk3588.patch +fs-xattr.c-fix-simple_xattr_list-to-always-include-s.patch +drivers-platform-x86-amd-pmf-check-for-invalid-sidel.patch +drivers-platform-x86-amd-pmf-check-for-invalid-smart.patch +x86-amd_node-platform-x86-amd-hsmp-have-hsmp-use-smn.patch +platform-x86-amd-hsmp-make-amd_hsmp-and-hsmp_acpi-as.patch +arm64-dts-rockchip-fix-sige5-rtc-interrupt-pin.patch +riscv-dts-sophgo-fix-dma-data-width-configuration-fo.patch +binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch +platform-x86-amd-pmc-declare-quirk_spurious_8042-for.patch +platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch +arm64-dts-imx8mp-var-som-fix-ldo5-shutdown-causing-s.patch +cgroup-cpuset-extend-kthread_is_per_cpu-check-to-all.patch +tracing-fprobe-fix-rcu-warning-message-in-list-trave.patch +tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch +tpm-tis-double-the-timeout-b-to-4s.patch +iio-adc-ad7606-move-the-software-mode-configuration.patch +iio-adc-ad7606-move-software-functions-into-common-f.patch +iio-adc-ad7606-check-for-null-before-calling-sw_mode.patch +rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch +hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch +hid-uclogic-add-null-check-in-uclogic_input_configur.patch +nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch +nfs-localio-fix-a-race-in-nfs_local_open_fh.patch +spi-loopback-test-do-not-split-1024-byte-hexdumps.patch +rdma-core-fix-kasan-slab-use-after-free-read-in-ib_r.patch +bluetooth-mgmt-fix-mgmt_op_add_device-invalid-device.patch +net_sched-flush-gso_skb-list-too-during-change.patch +drm-meson-use-1000ull-when-operating-with-mode-clock.patch +tools-net-ynl-ethtool-fix-crash-when-hardware-clock-.patch +net-mctp-don-t-access-ifa_index-when-missing.patch +tests-ncdevmem-fix-double-free-of-queue-array.patch +net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch +alsa-seq-fix-delivery-of-ump-events-to-group-ports.patch +alsa-ump-fix-a-typo-of-snd_ump_stream_msg_device_inf.patch +net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch +net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch +nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch +nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch +alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch +net-dsa-b53-prevent-standalone-from-trying-to-forwar.patch +drm-amd-display-fix-null-check-of-pipe_ctx-plane_sta.patch +vsock-test-fix-occasional-failure-in-siocoutq-tests.patch +net-mlx5e-disable-macsec-offload-for-uplink-represen.patch +qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch +regulator-max20086-fix-invalid-memory-access.patch +octeontx2-pf-fix-ethtool-support-for-sdp-representor.patch +io_uring-fdinfo-grab-ctx-uring_lock-around-io_uring_.patch +drm-xe-save-ctx_timestamp-mmio-value-instead-of-lrc-.patch +netlink-specs-tc-fix-a-couple-of-attribute-names.patch +netlink-specs-tc-all-actions-are-indexed-arrays.patch +octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch +net-ethernet-mtk_eth_soc-fix-typo-for-declaration-mt.patch +octeontx2-af-fix-cgx-receive-counters.patch +octeontx2-pf-do-not-reallocate-all-ntuple-filters.patch +wifi-mac80211-set-n_channels-after-allocating-struct.patch +mlxsw-spectrum_router-fix-use-after-free-when-deleti.patch +net-tls-fix-kernel-panic-when-alloc_page-failed.patch +tsnep-fix-timestamping-with-a-stacked-dsa-driver.patch +ublk-fix-dead-loop-when-canceling-io-command.patch +nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch diff --git a/queue-6.14/spi-loopback-test-do-not-split-1024-byte-hexdumps.patch b/queue-6.14/spi-loopback-test-do-not-split-1024-byte-hexdumps.patch new file mode 100644 index 0000000000..ece73e375b --- /dev/null +++ b/queue-6.14/spi-loopback-test-do-not-split-1024-byte-hexdumps.patch @@ -0,0 +1,43 @@ +From ae313542922cebb20c64e23095c6e8e509847562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 May 2025 13:10:35 +0200 +Subject: spi: loopback-test: Do not split 1024-byte hexdumps + +From: Geert Uytterhoeven + +[ Upstream commit a73fa3690a1f3014d6677e368dce4e70767a6ba2 ] + +spi_test_print_hex_dump() prints buffers holding less than 1024 bytes in +full. Larger buffers are truncated: only the first 512 and the last 512 +bytes are printed, separated by a truncation message. The latter is +confusing in case the buffer holds exactly 1024 bytes, as all data is +printed anyway. + +Fix this by printing buffers holding up to and including 1024 bytes in +full. + +Fixes: 84e0c4e5e2c4ef42 ("spi: add loopback test driver to allow for spi_master regression tests") +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/37ee1bc90c6554c9347040adabf04188c8f704aa.1746184171.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-loopback-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c +index 31a878d9458d9..7740f94847a88 100644 +--- a/drivers/spi/spi-loopback-test.c ++++ b/drivers/spi/spi-loopback-test.c +@@ -420,7 +420,7 @@ MODULE_LICENSE("GPL"); + static void spi_test_print_hex_dump(char *pre, const void *ptr, size_t len) + { + /* limit the hex_dump */ +- if (len < 1024) { ++ if (len <= 1024) { + print_hex_dump(KERN_INFO, pre, + DUMP_PREFIX_OFFSET, 16, 1, + ptr, len, 0); +-- +2.39.5 + diff --git a/queue-6.14/tests-ncdevmem-fix-double-free-of-queue-array.patch b/queue-6.14/tests-ncdevmem-fix-double-free-of-queue-array.patch new file mode 100644 index 0000000000..6fa26000fc --- /dev/null +++ b/queue-6.14/tests-ncdevmem-fix-double-free-of-queue-array.patch @@ -0,0 +1,147 @@ +From 0702022a070c6430a36d20a12a5b0590da3af2bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 11:44:34 +0300 +Subject: tests/ncdevmem: Fix double-free of queue array + +From: Cosmin Ratiu + +[ Upstream commit 97c4e094a4b2edbb4fffeda718f8e806f825a18f ] + +netdev_bind_rx takes ownership of the queue array passed as parameter +and frees it, so a queue array buffer cannot be reused across multiple +netdev_bind_rx calls. + +This commit fixes that by always passing in a newly created queue array +to all netdev_bind_rx calls in ncdevmem. + +Fixes: 85585b4bc8d8 ("selftests: add ncdevmem, netcat for devmem TCP") +Signed-off-by: Cosmin Ratiu +Acked-by: Stanislav Fomichev +Reviewed-by: Joe Damato +Reviewed-by: Mina Almasry +Link: https://patch.msgid.link/20250508084434.1933069-1-cratiu@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../selftests/drivers/net/hw/ncdevmem.c | 55 ++++++++----------- + 1 file changed, 22 insertions(+), 33 deletions(-) + +diff --git a/tools/testing/selftests/drivers/net/hw/ncdevmem.c b/tools/testing/selftests/drivers/net/hw/ncdevmem.c +index 19a6969643f46..2d8ffe98700ea 100644 +--- a/tools/testing/selftests/drivers/net/hw/ncdevmem.c ++++ b/tools/testing/selftests/drivers/net/hw/ncdevmem.c +@@ -432,6 +432,22 @@ static int parse_address(const char *str, int port, struct sockaddr_in6 *sin6) + return 0; + } + ++static struct netdev_queue_id *create_queues(void) ++{ ++ struct netdev_queue_id *queues; ++ size_t i = 0; ++ ++ queues = calloc(num_queues, sizeof(*queues)); ++ for (i = 0; i < num_queues; i++) { ++ queues[i]._present.type = 1; ++ queues[i]._present.id = 1; ++ queues[i].type = NETDEV_QUEUE_TYPE_RX; ++ queues[i].id = start_queue + i; ++ } ++ ++ return queues; ++} ++ + int do_server(struct memory_buffer *mem) + { + char ctrl_data[sizeof(int) * 20000]; +@@ -449,7 +465,6 @@ int do_server(struct memory_buffer *mem) + char buffer[256]; + int socket_fd; + int client_fd; +- size_t i = 0; + int ret; + + ret = parse_address(server_ip, atoi(port), &server_sin); +@@ -472,16 +487,7 @@ int do_server(struct memory_buffer *mem) + + sleep(1); + +- queues = malloc(sizeof(*queues) * num_queues); +- +- for (i = 0; i < num_queues; i++) { +- queues[i]._present.type = 1; +- queues[i]._present.id = 1; +- queues[i].type = NETDEV_QUEUE_TYPE_RX; +- queues[i].id = start_queue + i; +- } +- +- if (bind_rx_queue(ifindex, mem->fd, queues, num_queues, &ys)) ++ if (bind_rx_queue(ifindex, mem->fd, create_queues(), num_queues, &ys)) + error(1, 0, "Failed to bind\n"); + + tmp_mem = malloc(mem->size); +@@ -546,7 +552,6 @@ int do_server(struct memory_buffer *mem) + goto cleanup; + } + +- i++; + for (cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) { + if (cm->cmsg_level != SOL_SOCKET || + (cm->cmsg_type != SCM_DEVMEM_DMABUF && +@@ -631,10 +636,8 @@ int do_server(struct memory_buffer *mem) + + void run_devmem_tests(void) + { +- struct netdev_queue_id *queues; + struct memory_buffer *mem; + struct ynl_sock *ys; +- size_t i = 0; + + mem = provider->alloc(getpagesize() * NUM_PAGES); + +@@ -642,38 +645,24 @@ void run_devmem_tests(void) + if (configure_rss()) + error(1, 0, "rss error\n"); + +- queues = calloc(num_queues, sizeof(*queues)); +- + if (configure_headersplit(1)) + error(1, 0, "Failed to configure header split\n"); + +- if (!bind_rx_queue(ifindex, mem->fd, queues, num_queues, &ys)) ++ if (!bind_rx_queue(ifindex, mem->fd, ++ calloc(num_queues, sizeof(struct netdev_queue_id)), ++ num_queues, &ys)) + error(1, 0, "Binding empty queues array should have failed\n"); + +- for (i = 0; i < num_queues; i++) { +- queues[i]._present.type = 1; +- queues[i]._present.id = 1; +- queues[i].type = NETDEV_QUEUE_TYPE_RX; +- queues[i].id = start_queue + i; +- } +- + if (configure_headersplit(0)) + error(1, 0, "Failed to configure header split\n"); + +- if (!bind_rx_queue(ifindex, mem->fd, queues, num_queues, &ys)) ++ if (!bind_rx_queue(ifindex, mem->fd, create_queues(), num_queues, &ys)) + error(1, 0, "Configure dmabuf with header split off should have failed\n"); + + if (configure_headersplit(1)) + error(1, 0, "Failed to configure header split\n"); + +- for (i = 0; i < num_queues; i++) { +- queues[i]._present.type = 1; +- queues[i]._present.id = 1; +- queues[i].type = NETDEV_QUEUE_TYPE_RX; +- queues[i].id = start_queue + i; +- } +- +- if (bind_rx_queue(ifindex, mem->fd, queues, num_queues, &ys)) ++ if (bind_rx_queue(ifindex, mem->fd, create_queues(), num_queues, &ys)) + error(1, 0, "Failed to bind\n"); + + /* Deactivating a bound queue should not be legal */ +-- +2.39.5 + diff --git a/queue-6.14/tools-net-ynl-ethtool-fix-crash-when-hardware-clock-.patch b/queue-6.14/tools-net-ynl-ethtool-fix-crash-when-hardware-clock-.patch new file mode 100644 index 0000000000..de3ee61374 --- /dev/null +++ b/queue-6.14/tools-net-ynl-ethtool-fix-crash-when-hardware-clock-.patch @@ -0,0 +1,71 @@ +From c8d08f2f200d7faa080477b31738d527bf004272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 03:54:14 +0000 +Subject: tools/net/ynl: ethtool: fix crash when Hardware Clock info is missing + +From: Hangbin Liu + +[ Upstream commit 45375814eb3f4245956c0c85092a4eee4441d167 ] + +Fix a crash in the ethtool YNL implementation when Hardware Clock information +is not present in the response. This ensures graceful handling of devices or +drivers that do not provide this optional field. e.g. + + Traceback (most recent call last): + File "/net/tools/net/ynl/pyynl/./ethtool.py", line 438, in + main() + ~~~~^^ + File "/net/tools/net/ynl/pyynl/./ethtool.py", line 341, in main + print(f'PTP Hardware Clock: {tsinfo["phc-index"]}') + ~~~~~~^^^^^^^^^^^^^ + KeyError: 'phc-index' + +Fixes: f3d07b02b2b8 ("tools: ynl: ethtool testing tool") +Signed-off-by: Hangbin Liu +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20250508035414.82974-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/net/ynl/pyynl/ethtool.py | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/tools/net/ynl/pyynl/ethtool.py b/tools/net/ynl/pyynl/ethtool.py +index af7fddd7b085b..cab6b576c8762 100755 +--- a/tools/net/ynl/pyynl/ethtool.py ++++ b/tools/net/ynl/pyynl/ethtool.py +@@ -338,16 +338,24 @@ def main(): + print('Capabilities:') + [print(f'\t{v}') for v in bits_to_dict(tsinfo['timestamping'])] + +- print(f'PTP Hardware Clock: {tsinfo["phc-index"]}') ++ print(f'PTP Hardware Clock: {tsinfo.get("phc-index", "none")}') + +- print('Hardware Transmit Timestamp Modes:') +- [print(f'\t{v}') for v in bits_to_dict(tsinfo['tx-types'])] ++ if 'tx-types' in tsinfo: ++ print('Hardware Transmit Timestamp Modes:') ++ [print(f'\t{v}') for v in bits_to_dict(tsinfo['tx-types'])] ++ else: ++ print('Hardware Transmit Timestamp Modes: none') ++ ++ if 'rx-filters' in tsinfo: ++ print('Hardware Receive Filter Modes:') ++ [print(f'\t{v}') for v in bits_to_dict(tsinfo['rx-filters'])] ++ else: ++ print('Hardware Receive Filter Modes: none') + +- print('Hardware Receive Filter Modes:') +- [print(f'\t{v}') for v in bits_to_dict(tsinfo['rx-filters'])] ++ if 'stats' in tsinfo and tsinfo['stats']: ++ print('Statistics:') ++ [print(f'\t{k}: {v}') for k, v in tsinfo['stats'].items()] + +- print('Statistics:') +- [print(f'\t{k}: {v}') for k, v in tsinfo['stats'].items()] + return + + print(f'Settings for {args.device}:') +-- +2.39.5 + diff --git a/queue-6.14/tpm-tis-double-the-timeout-b-to-4s.patch b/queue-6.14/tpm-tis-double-the-timeout-b-to-4s.patch new file mode 100644 index 0000000000..7ce72b44c1 --- /dev/null +++ b/queue-6.14/tpm-tis-double-the-timeout-b-to-4s.patch @@ -0,0 +1,76 @@ +From dd471d57f83dfa2aaa322b14408d25addcadb0a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 10:23:14 +0200 +Subject: tpm: tis: Double the timeout B to 4s + +From: Michal Suchanek + +[ Upstream commit 2f661f71fda1fc0c42b7746ca5b7da529eb6b5be ] + +With some Infineon chips the timeouts in tpm_tis_send_data (both B and +C) can reach up to about 2250 ms. + +Timeout C is retried since +commit de9e33df7762 ("tpm, tpm_tis: Workaround failed command reception on Infineon devices") + +Timeout B still needs to be extended. + +The problem is most commonly encountered with context related operation +such as load context/save context. These are issued directly by the +kernel, and there is no retry logic for them. + +When a filesystem is set up to use the TPM for unlocking the boot fails, +and restarting the userspace service is ineffective. This is likely +because ignoring a load context/save context result puts the real TPM +state and the TPM state expected by the kernel out of sync. + +Chips known to be affected: +tpm_tis IFX1522:00: 2.0 TPM (device-id 0x1D, rev-id 54) +Description: SLB9672 +Firmware Revision: 15.22 + +tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 22) +Firmware Revision: 7.83 + +tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16) +Firmware Revision: 5.63 + +Link: https://lore.kernel.org/linux-integrity/Z5pI07m0Muapyu9w@kitsune.suse.cz/ +Signed-off-by: Michal Suchanek +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_tis_core.h | 2 +- + include/linux/tpm.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h +index 970d02c337c7f..6c3aa480396b6 100644 +--- a/drivers/char/tpm/tpm_tis_core.h ++++ b/drivers/char/tpm/tpm_tis_core.h +@@ -54,7 +54,7 @@ enum tis_int_flags { + enum tis_defaults { + TIS_MEM_LEN = 0x5000, + TIS_SHORT_TIMEOUT = 750, /* ms */ +- TIS_LONG_TIMEOUT = 2000, /* 2 sec */ ++ TIS_LONG_TIMEOUT = 4000, /* 4 secs */ + TIS_TIMEOUT_MIN_ATML = 14700, /* usecs */ + TIS_TIMEOUT_MAX_ATML = 15000, /* usecs */ + }; +diff --git a/include/linux/tpm.h b/include/linux/tpm.h +index 6c3125300c009..3db0b6a87d454 100644 +--- a/include/linux/tpm.h ++++ b/include/linux/tpm.h +@@ -224,7 +224,7 @@ enum tpm2_const { + + enum tpm2_timeouts { + TPM2_TIMEOUT_A = 750, +- TPM2_TIMEOUT_B = 2000, ++ TPM2_TIMEOUT_B = 4000, + TPM2_TIMEOUT_C = 200, + TPM2_TIMEOUT_D = 30, + TPM2_DURATION_SHORT = 20, +-- +2.39.5 + diff --git a/queue-6.14/tracing-fprobe-fix-rcu-warning-message-in-list-trave.patch b/queue-6.14/tracing-fprobe-fix-rcu-warning-message-in-list-trave.patch new file mode 100644 index 0000000000..d6d11cb47c --- /dev/null +++ b/queue-6.14/tracing-fprobe-fix-rcu-warning-message-in-list-trave.patch @@ -0,0 +1,63 @@ +From 359a5d9a51c06e0b365b0c1d9d858e55f8e43577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 05:22:21 -0700 +Subject: tracing: fprobe: Fix RCU warning message in list traversal + +From: Breno Leitao + +[ Upstream commit 9dda18a32b4a6693fccd3f7c0738af646147b1cf ] + +When CONFIG_PROVE_RCU_LIST is enabled, fprobe triggers the following +warning: + + WARNING: suspicious RCU usage + kernel/trace/fprobe.c:457 RCU-list traversed in non-reader section!! + + other info that might help us debug this: + #1: ffffffff863c4e08 (fprobe_mutex){+.+.}-{4:4}, at: fprobe_module_callback+0x7b/0x8c0 + + Call Trace: + fprobe_module_callback + notifier_call_chain + blocking_notifier_call_chain + +This warning occurs because fprobe_remove_node_in_module() traverses an +RCU list using RCU primitives without holding an RCU read lock. However, +the function is only called from fprobe_module_callback(), which holds +the fprobe_mutex lock that provides sufficient protection for safely +traversing the list. + +Fix the warning by specifying the locking design to the +CONFIG_PROVE_RCU_LIST mechanism. Add the lockdep_is_held() argument to +hlist_for_each_entry_rcu() to inform the RCU checker that fprobe_mutex +provides the required protection. + +Link: https://lore.kernel.org/all/20250410-fprobe-v1-1-068ef5f41436@debian.org/ + +Fixes: a3dc2983ca7b90 ("tracing: fprobe: Cleanup fprobe hash when module unloading") +Signed-off-by: Breno Leitao +Tested-by: Antonio Quartulli +Tested-by: Matthieu Baerts (NGI0) +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/fprobe.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/fprobe.c b/kernel/trace/fprobe.c +index 95c6e3473a76b..ba7ff14f5339b 100644 +--- a/kernel/trace/fprobe.c ++++ b/kernel/trace/fprobe.c +@@ -454,7 +454,8 @@ static void fprobe_remove_node_in_module(struct module *mod, struct hlist_head * + struct fprobe_hlist_node *node; + int ret = 0; + +- hlist_for_each_entry_rcu(node, head, hlist) { ++ hlist_for_each_entry_rcu(node, head, hlist, ++ lockdep_is_held(&fprobe_mutex)) { + if (!within_module(node->addr, mod)) + continue; + if (delete_fprobe_node(node)) +-- +2.39.5 + diff --git a/queue-6.14/tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch b/queue-6.14/tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch new file mode 100644 index 0000000000..6e0d5e3312 --- /dev/null +++ b/queue-6.14/tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch @@ -0,0 +1,153 @@ +From 215fe92818c96bd903c734c5c48bc014d7f99d8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 12:44:41 +0900 +Subject: tracing: probes: Fix a possible race in trace_probe_log APIs + +From: Masami Hiramatsu (Google) + +[ Upstream commit fd837de3c9cb1a162c69bc1fb1f438467fe7f2f5 ] + +Since the shared trace_probe_log variable can be accessed and +modified via probe event create operation of kprobe_events, +uprobe_events, and dynamic_events, it should be protected. +In the dynamic_events, all operations are serialized by +`dyn_event_ops_mutex`. But kprobe_events and uprobe_events +interfaces are not serialized. + +To solve this issue, introduces dyn_event_create(), which runs +create() operation under the mutex, for kprobe_events and +uprobe_events. This also uses lockdep to check the mutex is +held when using trace_probe_log* APIs. + +Link: https://lore.kernel.org/all/174684868120.551552.3068655787654268804.stgit@devnote2/ + +Reported-by: Paul Cacheux +Closes: https://lore.kernel.org/all/20250510074456.805a16872b591e2971a4d221@kernel.org/ +Fixes: ab105a4fb894 ("tracing: Use tracing error_log with probe events") +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_dynevent.c | 16 +++++++++++++++- + kernel/trace/trace_dynevent.h | 1 + + kernel/trace/trace_kprobe.c | 2 +- + kernel/trace/trace_probe.c | 9 +++++++++ + kernel/trace/trace_uprobe.c | 2 +- + 5 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/trace_dynevent.c b/kernel/trace/trace_dynevent.c +index a322e4f249a50..5d64a18cacacc 100644 +--- a/kernel/trace/trace_dynevent.c ++++ b/kernel/trace/trace_dynevent.c +@@ -16,7 +16,7 @@ + #include "trace_output.h" /* for trace_event_sem */ + #include "trace_dynevent.h" + +-static DEFINE_MUTEX(dyn_event_ops_mutex); ++DEFINE_MUTEX(dyn_event_ops_mutex); + static LIST_HEAD(dyn_event_ops_list); + + bool trace_event_dyn_try_get_ref(struct trace_event_call *dyn_call) +@@ -116,6 +116,20 @@ int dyn_event_release(const char *raw_command, struct dyn_event_operations *type + return ret; + } + ++/* ++ * Locked version of event creation. The event creation must be protected by ++ * dyn_event_ops_mutex because of protecting trace_probe_log. ++ */ ++int dyn_event_create(const char *raw_command, struct dyn_event_operations *type) ++{ ++ int ret; ++ ++ mutex_lock(&dyn_event_ops_mutex); ++ ret = type->create(raw_command); ++ mutex_unlock(&dyn_event_ops_mutex); ++ return ret; ++} ++ + static int create_dyn_event(const char *raw_command) + { + struct dyn_event_operations *ops; +diff --git a/kernel/trace/trace_dynevent.h b/kernel/trace/trace_dynevent.h +index 936477a111d3e..beee3f8d75444 100644 +--- a/kernel/trace/trace_dynevent.h ++++ b/kernel/trace/trace_dynevent.h +@@ -100,6 +100,7 @@ void *dyn_event_seq_next(struct seq_file *m, void *v, loff_t *pos); + void dyn_event_seq_stop(struct seq_file *m, void *v); + int dyn_events_release_all(struct dyn_event_operations *type); + int dyn_event_release(const char *raw_command, struct dyn_event_operations *type); ++int dyn_event_create(const char *raw_command, struct dyn_event_operations *type); + + /* + * for_each_dyn_event - iterate over the dyn_event list +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 8287b175667f3..a5d46f109fcce 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -1092,7 +1092,7 @@ static int create_or_delete_trace_kprobe(const char *raw_command) + if (raw_command[0] == '-') + return dyn_event_release(raw_command, &trace_kprobe_ops); + +- ret = trace_kprobe_create(raw_command); ++ ret = dyn_event_create(raw_command, &trace_kprobe_ops); + return ret == -ECANCELED ? -EINVAL : ret; + } + +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c +index 2eeecb6c95eea..424751cdf31f9 100644 +--- a/kernel/trace/trace_probe.c ++++ b/kernel/trace/trace_probe.c +@@ -154,9 +154,12 @@ static const struct fetch_type *find_fetch_type(const char *type, unsigned long + } + + static struct trace_probe_log trace_probe_log; ++extern struct mutex dyn_event_ops_mutex; + + void trace_probe_log_init(const char *subsystem, int argc, const char **argv) + { ++ lockdep_assert_held(&dyn_event_ops_mutex); ++ + trace_probe_log.subsystem = subsystem; + trace_probe_log.argc = argc; + trace_probe_log.argv = argv; +@@ -165,11 +168,15 @@ void trace_probe_log_init(const char *subsystem, int argc, const char **argv) + + void trace_probe_log_clear(void) + { ++ lockdep_assert_held(&dyn_event_ops_mutex); ++ + memset(&trace_probe_log, 0, sizeof(trace_probe_log)); + } + + void trace_probe_log_set_index(int index) + { ++ lockdep_assert_held(&dyn_event_ops_mutex); ++ + trace_probe_log.index = index; + } + +@@ -178,6 +185,8 @@ void __trace_probe_log_err(int offset, int err_type) + char *command, *p; + int i, len = 0, pos = 0; + ++ lockdep_assert_held(&dyn_event_ops_mutex); ++ + if (!trace_probe_log.argv) + return; + +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index 3386439ec9f67..35cf76c75dd76 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -741,7 +741,7 @@ static int create_or_delete_trace_uprobe(const char *raw_command) + if (raw_command[0] == '-') + return dyn_event_release(raw_command, &trace_uprobe_ops); + +- ret = trace_uprobe_create(raw_command); ++ ret = dyn_event_create(raw_command, &trace_uprobe_ops); + return ret == -ECANCELED ? -EINVAL : ret; + } + +-- +2.39.5 + diff --git a/queue-6.14/tsnep-fix-timestamping-with-a-stacked-dsa-driver.patch b/queue-6.14/tsnep-fix-timestamping-with-a-stacked-dsa-driver.patch new file mode 100644 index 0000000000..9a4df84cb3 --- /dev/null +++ b/queue-6.14/tsnep-fix-timestamping-with-a-stacked-dsa-driver.patch @@ -0,0 +1,133 @@ +From a77f5f12bb7783accb4fe3a066619209e3dd33ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:56:57 +0200 +Subject: tsnep: fix timestamping with a stacked DSA driver + +From: Gerhard Engleder + +[ Upstream commit b3ca9eef6646576ad506a96d941d87a69f66732a ] + +This driver is susceptible to a form of the bug explained in commit +c26a2c2ddc01 ("gianfar: Fix TX timestamping with a stacked DSA driver") +and in Documentation/networking/timestamping.rst section "Other caveats +for MAC drivers", specifically it timestamps any skb which has +SKBTX_HW_TSTAMP, and does not consider if timestamping has been enabled +in adapter->hwtstamp_config.tx_type. + +Evaluate the proper TX timestamping condition only once on the TX +path (in tsnep_xmit_frame_ring()) and store the result in an additional +TX entry flag. Evaluate the new TX entry flag in the TX confirmation path +(in tsnep_tx_poll()). + +This way SKBTX_IN_PROGRESS is set by the driver as required, but never +evaluated. SKBTX_IN_PROGRESS shall not be evaluated as it can be set +by a stacked DSA driver and evaluating it would lead to unwanted +timestamps. + +Fixes: 403f69bbdbad ("tsnep: Add TSN endpoint Ethernet MAC driver") +Suggested-by: Vladimir Oltean +Signed-off-by: Gerhard Engleder +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20250514195657.25874-1-gerhard@engleder-embedded.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/engleder/tsnep_main.c | 30 ++++++++++++++-------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/engleder/tsnep_main.c b/drivers/net/ethernet/engleder/tsnep_main.c +index 0d030cb0b21c7..63aeb400051c4 100644 +--- a/drivers/net/ethernet/engleder/tsnep_main.c ++++ b/drivers/net/ethernet/engleder/tsnep_main.c +@@ -67,6 +67,8 @@ + #define TSNEP_TX_TYPE_XDP_NDO_MAP_PAGE (TSNEP_TX_TYPE_XDP_NDO | TSNEP_TX_TYPE_MAP_PAGE) + #define TSNEP_TX_TYPE_XDP (TSNEP_TX_TYPE_XDP_TX | TSNEP_TX_TYPE_XDP_NDO) + #define TSNEP_TX_TYPE_XSK BIT(12) ++#define TSNEP_TX_TYPE_TSTAMP BIT(13) ++#define TSNEP_TX_TYPE_SKB_TSTAMP (TSNEP_TX_TYPE_SKB | TSNEP_TX_TYPE_TSTAMP) + + #define TSNEP_XDP_TX BIT(0) + #define TSNEP_XDP_REDIRECT BIT(1) +@@ -387,8 +389,7 @@ static void tsnep_tx_activate(struct tsnep_tx *tx, int index, int length, + if (entry->skb) { + entry->properties = length & TSNEP_DESC_LENGTH_MASK; + entry->properties |= TSNEP_DESC_INTERRUPT_FLAG; +- if ((entry->type & TSNEP_TX_TYPE_SKB) && +- (skb_shinfo(entry->skb)->tx_flags & SKBTX_IN_PROGRESS)) ++ if ((entry->type & TSNEP_TX_TYPE_SKB_TSTAMP) == TSNEP_TX_TYPE_SKB_TSTAMP) + entry->properties |= TSNEP_DESC_EXTENDED_WRITEBACK_FLAG; + + /* toggle user flag to prevent false acknowledge +@@ -480,7 +481,8 @@ static int tsnep_tx_map_frag(skb_frag_t *frag, struct tsnep_tx_entry *entry, + return mapped; + } + +-static int tsnep_tx_map(struct sk_buff *skb, struct tsnep_tx *tx, int count) ++static int tsnep_tx_map(struct sk_buff *skb, struct tsnep_tx *tx, int count, ++ bool do_tstamp) + { + struct device *dmadev = tx->adapter->dmadev; + struct tsnep_tx_entry *entry; +@@ -506,6 +508,9 @@ static int tsnep_tx_map(struct sk_buff *skb, struct tsnep_tx *tx, int count) + entry->type = TSNEP_TX_TYPE_SKB_INLINE; + mapped = 0; + } ++ ++ if (do_tstamp) ++ entry->type |= TSNEP_TX_TYPE_TSTAMP; + } else { + skb_frag_t *frag = &skb_shinfo(skb)->frags[i - 1]; + +@@ -559,11 +564,12 @@ static int tsnep_tx_unmap(struct tsnep_tx *tx, int index, int count) + static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb, + struct tsnep_tx *tx) + { +- int count = 1; + struct tsnep_tx_entry *entry; ++ bool do_tstamp = false; ++ int count = 1; + int length; +- int i; + int retval; ++ int i; + + if (skb_shinfo(skb)->nr_frags > 0) + count += skb_shinfo(skb)->nr_frags; +@@ -580,7 +586,13 @@ static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb, + entry = &tx->entry[tx->write]; + entry->skb = skb; + +- retval = tsnep_tx_map(skb, tx, count); ++ if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) && ++ tx->adapter->hwtstamp_config.tx_type == HWTSTAMP_TX_ON) { ++ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; ++ do_tstamp = true; ++ } ++ ++ retval = tsnep_tx_map(skb, tx, count, do_tstamp); + if (retval < 0) { + tsnep_tx_unmap(tx, tx->write, count); + dev_kfree_skb_any(entry->skb); +@@ -592,9 +604,6 @@ static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb, + } + length = retval; + +- if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) +- skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; +- + for (i = 0; i < count; i++) + tsnep_tx_activate(tx, (tx->write + i) & TSNEP_RING_MASK, length, + i == count - 1); +@@ -845,8 +854,7 @@ static bool tsnep_tx_poll(struct tsnep_tx *tx, int napi_budget) + + length = tsnep_tx_unmap(tx, tx->read, count); + +- if ((entry->type & TSNEP_TX_TYPE_SKB) && +- (skb_shinfo(entry->skb)->tx_flags & SKBTX_IN_PROGRESS) && ++ if (((entry->type & TSNEP_TX_TYPE_SKB_TSTAMP) == TSNEP_TX_TYPE_SKB_TSTAMP) && + (__le32_to_cpu(entry->desc_wb->properties) & + TSNEP_DESC_EXTENDED_WRITEBACK_FLAG)) { + struct skb_shared_hwtstamps hwtstamps; +-- +2.39.5 + diff --git a/queue-6.14/ublk-fix-dead-loop-when-canceling-io-command.patch b/queue-6.14/ublk-fix-dead-loop-when-canceling-io-command.patch new file mode 100644 index 0000000000..4dcbaec5a3 --- /dev/null +++ b/queue-6.14/ublk-fix-dead-loop-when-canceling-io-command.patch @@ -0,0 +1,56 @@ +From b1cebc70152d3b6e948830af4e8f36633cbf544e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 00:26:01 +0800 +Subject: ublk: fix dead loop when canceling io command + +From: Ming Lei + +[ Upstream commit dd24f87f65c957f30e605e44961d2fd53a44c780 ] + +Commit: + +f40139fde527 ("ublk: fix race between io_uring_cmd_complete_in_task and + ublk_cancel_cmd") + +adds a request state check in ublk_cancel_cmd(), and if the request is +started, skips canceling this uring_cmd. + +However, the current uring_cmd may be in ACTIVE state, without block +request coming to the uring command. Meantime, if the cached request in +tag_set.tags[tag] has been delivered to ublk server and reycycled, then +this uring_cmd can't be canceled. + +ublk requests are aborted in ublk char device release handler, which +depends on canceling all ACTIVE uring_cmd. So it causes a dead loop. + +Fix this issue by not taking a stale request into account when canceling +uring_cmd in ublk_cancel_cmd(). + +Reported-by: Shinichiro Kawasaki +Closes: https://lore.kernel.org/linux-block/mruqwpf4tqenkbtgezv5oxwq7ngyq24jzeyqy4ixzvivatbbxv@4oh2wzz4e6qn/ +Fixes: f40139fde527 ("ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd") +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20250515162601.77346-1-ming.lei@redhat.com +[axboe: rewording of commit message] +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index 348c4feb7a2df..7bbfc20f116a4 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -1677,7 +1677,7 @@ static void ublk_cancel_cmd(struct ublk_queue *ubq, unsigned tag, + * that ublk_dispatch_req() is always called + */ + req = blk_mq_tag_to_rq(ub->tag_set.tags[ubq->q_id], tag); +- if (req && blk_mq_request_started(req)) ++ if (req && blk_mq_request_started(req) && req->tag == tag) + return; + + spin_lock(&ubq->cancel_lock); +-- +2.39.5 + diff --git a/queue-6.14/vsock-test-fix-occasional-failure-in-siocoutq-tests.patch b/queue-6.14/vsock-test-fix-occasional-failure-in-siocoutq-tests.patch new file mode 100644 index 0000000000..1d8b56d2e7 --- /dev/null +++ b/queue-6.14/vsock-test-fix-occasional-failure-in-siocoutq-tests.patch @@ -0,0 +1,82 @@ +From 31886d07fb1eed384bae344600f6f56398dde3a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 10:14:56 -0500 +Subject: vsock/test: Fix occasional failure in SIOCOUTQ tests + +From: Konstantin Shkolnyy + +[ Upstream commit 7fd7ad6f36af36f30a06d165eff3780cb139fa79 ] + +These tests: + "SOCK_STREAM ioctl(SIOCOUTQ) 0 unsent bytes" + "SOCK_SEQPACKET ioctl(SIOCOUTQ) 0 unsent bytes" +output: "Unexpected 'SIOCOUTQ' value, expected 0, got 64 (CLIENT)". + +They test that the SIOCOUTQ ioctl reports 0 unsent bytes after the data +have been received by the other side. However, sometimes there is a delay +in updating this "unsent bytes" counter, and the test fails even though +the counter properly goes to 0 several milliseconds later. + +The delay occurs in the kernel because the used buffer notification +callback virtio_vsock_tx_done(), called upon receipt of the data by the +other side, doesn't update the counter itself. It delegates that to +a kernel thread (via vsock->tx_work). Sometimes that thread is delayed +more than the test expects. + +Change the test to poll SIOCOUTQ until it returns 0 or a timeout occurs. + +Signed-off-by: Konstantin Shkolnyy +Reviewed-by: Stefano Garzarella +Fixes: 18ee44ce97c1 ("test/vsock: add ioctl unsent bytes test") +Link: https://patch.msgid.link/20250507151456.2577061-1-kshk@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/vsock/vsock_test.c | 28 ++++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c +index d0f6d253ac72d..613551132a966 100644 +--- a/tools/testing/vsock/vsock_test.c ++++ b/tools/testing/vsock/vsock_test.c +@@ -1264,21 +1264,25 @@ static void test_unsent_bytes_client(const struct test_opts *opts, int type) + send_buf(fd, buf, sizeof(buf), 0, sizeof(buf)); + control_expectln("RECEIVED"); + +- ret = ioctl(fd, SIOCOUTQ, &sock_bytes_unsent); +- if (ret < 0) { +- if (errno == EOPNOTSUPP) { +- fprintf(stderr, "Test skipped, SIOCOUTQ not supported.\n"); +- } else { ++ /* SIOCOUTQ isn't guaranteed to instantly track sent data. Even though ++ * the "RECEIVED" message means that the other side has received the ++ * data, there can be a delay in our kernel before updating the "unsent ++ * bytes" counter. Repeat SIOCOUTQ until it returns 0. ++ */ ++ timeout_begin(TIMEOUT); ++ do { ++ ret = ioctl(fd, SIOCOUTQ, &sock_bytes_unsent); ++ if (ret < 0) { ++ if (errno == EOPNOTSUPP) { ++ fprintf(stderr, "Test skipped, SIOCOUTQ not supported.\n"); ++ break; ++ } + perror("ioctl"); + exit(EXIT_FAILURE); + } +- } else if (ret == 0 && sock_bytes_unsent != 0) { +- fprintf(stderr, +- "Unexpected 'SIOCOUTQ' value, expected 0, got %i\n", +- sock_bytes_unsent); +- exit(EXIT_FAILURE); +- } +- ++ timeout_check("SIOCOUTQ"); ++ } while (sock_bytes_unsent != 0); ++ timeout_end(); + close(fd); + } + +-- +2.39.5 + diff --git a/queue-6.14/wifi-mac80211-set-n_channels-after-allocating-struct.patch b/queue-6.14/wifi-mac80211-set-n_channels-after-allocating-struct.patch new file mode 100644 index 0000000000..8a00e1bcb5 --- /dev/null +++ b/queue-6.14/wifi-mac80211-set-n_channels-after-allocating-struct.patch @@ -0,0 +1,55 @@ +From 1304d2c7a203a2197887840be7013cee1bbd4d9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 11:46:45 -0700 +Subject: wifi: mac80211: Set n_channels after allocating struct + cfg80211_scan_request + +From: Kees Cook + +[ Upstream commit 82bbe02b2500ef0a62053fe2eb84773fe31c5a0a ] + +Make sure that n_channels is set after allocating the +struct cfg80211_registered_device::int_scan_req member. Seen with +syzkaller: + +UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 +index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]') + +This was missed in the initial conversions because I failed to locate +the allocation likely due to the "sizeof(void *)" not matching the +"channels" array type. + +Reported-by: syzbot+4bcdddd48bb6f0be0da1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/lkml/680fd171.050a0220.2b69d1.045e.GAE@google.com/ +Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by") +Signed-off-by: Kees Cook +Reviewed-by: Gustavo A. R. Silva +Link: https://patch.msgid.link/20250509184641.work.542-kees@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 53e5aee468856..2b6249d75a5d4 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1354,10 +1354,12 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + hw->wiphy->software_iftypes |= BIT(NL80211_IFTYPE_MONITOR); + + +- local->int_scan_req = kzalloc(sizeof(*local->int_scan_req) + +- sizeof(void *) * channels, GFP_KERNEL); ++ local->int_scan_req = kzalloc(struct_size(local->int_scan_req, ++ channels, channels), ++ GFP_KERNEL); + if (!local->int_scan_req) + return -ENOMEM; ++ local->int_scan_req->n_channels = channels; + + eth_broadcast_addr(local->int_scan_req->bssid); + +-- +2.39.5 + diff --git a/queue-6.14/x86-amd_node-platform-x86-amd-hsmp-have-hsmp-use-smn.patch b/queue-6.14/x86-amd_node-platform-x86-amd-hsmp-have-hsmp-use-smn.patch new file mode 100644 index 0000000000..5d880d7208 --- /dev/null +++ b/queue-6.14/x86-amd_node-platform-x86-amd-hsmp-have-hsmp-use-smn.patch @@ -0,0 +1,288 @@ +From 96445d6d69316af8e556ad8901d44190d93166d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jan 2025 19:48:55 +0000 +Subject: x86/amd_node, platform/x86/amd/hsmp: Have HSMP use SMN through + AMD_NODE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yazen Ghannam + +[ Upstream commit 735049b801cf3d597752017385cfc8768ce44303 ] + +The HSMP interface is just an SMN interface with different offsets. + +Define an HSMP wrapper in the SMN code and have the HSMP platform driver +use that rather than a local solution. + +Also, remove the "root" member from AMD_NB, since there are no more +users of it. + +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Carlos Bilbao +Acked-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20250130-wip-x86-amd-nb-cleanup-v4-1-b5cc997e471b@amd.com +Stable-dep-of: 0581d384f344 ("platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive drivers") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/amd_nb.h | 1 - + arch/x86/include/asm/amd_node.h | 13 ++++++++++ + arch/x86/kernel/amd_nb.c | 1 - + arch/x86/kernel/amd_node.c | 9 +++++++ + drivers/platform/x86/amd/hsmp/Kconfig | 2 +- + drivers/platform/x86/amd/hsmp/acpi.c | 7 +++--- + drivers/platform/x86/amd/hsmp/hsmp.c | 1 - + drivers/platform/x86/amd/hsmp/hsmp.h | 3 --- + drivers/platform/x86/amd/hsmp/plat.c | 36 +++++++++------------------ + 9 files changed, 39 insertions(+), 34 deletions(-) + +diff --git a/arch/x86/include/asm/amd_nb.h b/arch/x86/include/asm/amd_nb.h +index 4c4efb93045ed..adfa0854cf2da 100644 +--- a/arch/x86/include/asm/amd_nb.h ++++ b/arch/x86/include/asm/amd_nb.h +@@ -27,7 +27,6 @@ struct amd_l3_cache { + }; + + struct amd_northbridge { +- struct pci_dev *root; + struct pci_dev *misc; + struct pci_dev *link; + struct amd_l3_cache l3_cache; +diff --git a/arch/x86/include/asm/amd_node.h b/arch/x86/include/asm/amd_node.h +index 113ad3e8ee40a..002c3afbd30f9 100644 +--- a/arch/x86/include/asm/amd_node.h ++++ b/arch/x86/include/asm/amd_node.h +@@ -30,7 +30,20 @@ static inline u16 amd_num_nodes(void) + return topology_amd_nodes_per_pkg() * topology_max_packages(); + } + ++#ifdef CONFIG_AMD_NODE + int __must_check amd_smn_read(u16 node, u32 address, u32 *value); + int __must_check amd_smn_write(u16 node, u32 address, u32 value); + ++/* Should only be used by the HSMP driver. */ ++int __must_check amd_smn_hsmp_rdwr(u16 node, u32 address, u32 *value, bool write); ++#else ++static inline int __must_check amd_smn_read(u16 node, u32 address, u32 *value) { return -ENODEV; } ++static inline int __must_check amd_smn_write(u16 node, u32 address, u32 value) { return -ENODEV; } ++ ++static inline int __must_check amd_smn_hsmp_rdwr(u16 node, u32 address, u32 *value, bool write) ++{ ++ return -ENODEV; ++} ++#endif /* CONFIG_AMD_NODE */ ++ + #endif /*_ASM_X86_AMD_NODE_H_*/ +diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c +index 67e773744edb2..6d12a9b694327 100644 +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -73,7 +73,6 @@ static int amd_cache_northbridges(void) + amd_northbridges.nb = nb; + + for (i = 0; i < amd_northbridges.num; i++) { +- node_to_amd_nb(i)->root = amd_node_get_root(i); + node_to_amd_nb(i)->misc = amd_node_get_func(i, 3); + + /* +diff --git a/arch/x86/kernel/amd_node.c b/arch/x86/kernel/amd_node.c +index d2ec7fd555c51..65045f223c10a 100644 +--- a/arch/x86/kernel/amd_node.c ++++ b/arch/x86/kernel/amd_node.c +@@ -97,6 +97,9 @@ static DEFINE_MUTEX(smn_mutex); + #define SMN_INDEX_OFFSET 0x60 + #define SMN_DATA_OFFSET 0x64 + ++#define HSMP_INDEX_OFFSET 0xc4 ++#define HSMP_DATA_OFFSET 0xc8 ++ + /* + * SMN accesses may fail in ways that are difficult to detect here in the called + * functions amd_smn_read() and amd_smn_write(). Therefore, callers must do +@@ -179,6 +182,12 @@ int __must_check amd_smn_write(u16 node, u32 address, u32 value) + } + EXPORT_SYMBOL_GPL(amd_smn_write); + ++int __must_check amd_smn_hsmp_rdwr(u16 node, u32 address, u32 *value, bool write) ++{ ++ return __amd_smn_rw(HSMP_INDEX_OFFSET, HSMP_DATA_OFFSET, node, address, value, write); ++} ++EXPORT_SYMBOL_GPL(amd_smn_hsmp_rdwr); ++ + static int amd_cache_roots(void) + { + u16 node, num_nodes = amd_num_nodes(); +diff --git a/drivers/platform/x86/amd/hsmp/Kconfig b/drivers/platform/x86/amd/hsmp/Kconfig +index 7d10d4462a453..d6f7a62d55b5e 100644 +--- a/drivers/platform/x86/amd/hsmp/Kconfig ++++ b/drivers/platform/x86/amd/hsmp/Kconfig +@@ -7,7 +7,7 @@ config AMD_HSMP + tristate + + menu "AMD HSMP Driver" +- depends on AMD_NB || COMPILE_TEST ++ depends on AMD_NODE || COMPILE_TEST + + config AMD_HSMP_ACPI + tristate "AMD HSMP ACPI device driver" +diff --git a/drivers/platform/x86/amd/hsmp/acpi.c b/drivers/platform/x86/amd/hsmp/acpi.c +index 444b43be35a25..c1eccb3c80c5c 100644 +--- a/drivers/platform/x86/amd/hsmp/acpi.c ++++ b/drivers/platform/x86/amd/hsmp/acpi.c +@@ -10,7 +10,6 @@ + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + + #include +-#include + + #include + #include +@@ -24,6 +23,8 @@ + + #include + ++#include ++ + #include "hsmp.h" + + #define DRIVER_NAME "amd_hsmp" +@@ -321,8 +322,8 @@ static int hsmp_acpi_probe(struct platform_device *pdev) + return -ENOMEM; + + if (!hsmp_pdev->is_probed) { +- hsmp_pdev->num_sockets = amd_nb_num(); +- if (hsmp_pdev->num_sockets == 0 || hsmp_pdev->num_sockets > MAX_AMD_SOCKETS) ++ hsmp_pdev->num_sockets = amd_num_nodes(); ++ if (hsmp_pdev->num_sockets == 0 || hsmp_pdev->num_sockets > MAX_AMD_NUM_NODES) + return -ENODEV; + + hsmp_pdev->sock = devm_kcalloc(&pdev->dev, hsmp_pdev->num_sockets, +diff --git a/drivers/platform/x86/amd/hsmp/hsmp.c b/drivers/platform/x86/amd/hsmp/hsmp.c +index 03164e30b3a50..a3ac09a90de45 100644 +--- a/drivers/platform/x86/amd/hsmp/hsmp.c ++++ b/drivers/platform/x86/amd/hsmp/hsmp.c +@@ -8,7 +8,6 @@ + */ + + #include +-#include + + #include + #include +diff --git a/drivers/platform/x86/amd/hsmp/hsmp.h b/drivers/platform/x86/amd/hsmp/hsmp.h +index e852f0a947e4f..af8b21f821d66 100644 +--- a/drivers/platform/x86/amd/hsmp/hsmp.h ++++ b/drivers/platform/x86/amd/hsmp/hsmp.h +@@ -21,8 +21,6 @@ + + #define HSMP_ATTR_GRP_NAME_SIZE 10 + +-#define MAX_AMD_SOCKETS 8 +- + #define HSMP_CDEV_NAME "hsmp_cdev" + #define HSMP_DEVNODE_NAME "hsmp" + +@@ -41,7 +39,6 @@ struct hsmp_socket { + void __iomem *virt_base_addr; + struct semaphore hsmp_sem; + char name[HSMP_ATTR_GRP_NAME_SIZE]; +- struct pci_dev *root; + struct device *dev; + u16 sock_ind; + int (*amd_hsmp_rdwr)(struct hsmp_socket *sock, u32 off, u32 *val, bool rw); +diff --git a/drivers/platform/x86/amd/hsmp/plat.c b/drivers/platform/x86/amd/hsmp/plat.c +index 02ca85762b686..b9782a078dbd2 100644 +--- a/drivers/platform/x86/amd/hsmp/plat.c ++++ b/drivers/platform/x86/amd/hsmp/plat.c +@@ -10,14 +10,16 @@ + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + + #include +-#include + ++#include + #include + #include + #include + #include + #include + ++#include ++ + #include "hsmp.h" + + #define DRIVER_NAME "amd_hsmp" +@@ -34,28 +36,12 @@ + #define SMN_HSMP_MSG_RESP 0x0010980 + #define SMN_HSMP_MSG_DATA 0x00109E0 + +-#define HSMP_INDEX_REG 0xc4 +-#define HSMP_DATA_REG 0xc8 +- + static struct hsmp_plat_device *hsmp_pdev; + + static int amd_hsmp_pci_rdwr(struct hsmp_socket *sock, u32 offset, + u32 *value, bool write) + { +- int ret; +- +- if (!sock->root) +- return -ENODEV; +- +- ret = pci_write_config_dword(sock->root, HSMP_INDEX_REG, +- sock->mbinfo.base_addr + offset); +- if (ret) +- return ret; +- +- ret = (write ? pci_write_config_dword(sock->root, HSMP_DATA_REG, *value) +- : pci_read_config_dword(sock->root, HSMP_DATA_REG, value)); +- +- return ret; ++ return amd_smn_hsmp_rdwr(sock->sock_ind, sock->mbinfo.base_addr + offset, value, write); + } + + static ssize_t hsmp_metric_tbl_plat_read(struct file *filp, struct kobject *kobj, +@@ -95,7 +81,12 @@ static umode_t hsmp_is_sock_attr_visible(struct kobject *kobj, + * Static array of 8 + 1(for NULL) elements is created below + * to create sysfs groups for sockets. + * is_bin_visible function is used to show / hide the necessary groups. ++ * ++ * Validate the maximum number against MAX_AMD_NUM_NODES. If this changes, ++ * then the attributes and groups below must be adjusted. + */ ++static_assert(MAX_AMD_NUM_NODES == 8); ++ + #define HSMP_BIN_ATTR(index, _list) \ + static const struct bin_attribute attr##index = { \ + .attr = { .name = HSMP_METRICS_TABLE_NAME, .mode = 0444}, \ +@@ -159,10 +150,7 @@ static int init_platform_device(struct device *dev) + int ret, i; + + for (i = 0; i < hsmp_pdev->num_sockets; i++) { +- if (!node_to_amd_nb(i)) +- return -ENODEV; + sock = &hsmp_pdev->sock[i]; +- sock->root = node_to_amd_nb(i)->root; + sock->sock_ind = i; + sock->dev = dev; + sock->mbinfo.base_addr = SMN_HSMP_BASE; +@@ -305,11 +293,11 @@ static int __init hsmp_plt_init(void) + return -ENOMEM; + + /* +- * amd_nb_num() returns number of SMN/DF interfaces present in the system ++ * amd_num_nodes() returns number of SMN/DF interfaces present in the system + * if we have N SMN/DF interfaces that ideally means N sockets + */ +- hsmp_pdev->num_sockets = amd_nb_num(); +- if (hsmp_pdev->num_sockets == 0 || hsmp_pdev->num_sockets > MAX_AMD_SOCKETS) ++ hsmp_pdev->num_sockets = amd_num_nodes(); ++ if (hsmp_pdev->num_sockets == 0 || hsmp_pdev->num_sockets > MAX_AMD_NUM_NODES) + return ret; + + ret = platform_driver_register(&amd_hsmp_driver); +-- +2.39.5 +