From: Sasha Levin Date: Tue, 29 Apr 2025 01:39:19 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v5.4.293~50 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bd4b5d3a069a1218d058146b6e1eb6052b872597;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/9p-net-fix-improper-handling-of-bogus-negative-read-.patch b/queue-6.1/9p-net-fix-improper-handling-of-bogus-negative-read-.patch new file mode 100644 index 0000000000..9222ca6f31 --- /dev/null +++ b/queue-6.1/9p-net-fix-improper-handling-of-bogus-negative-read-.patch @@ -0,0 +1,139 @@ +From 1714fa56ed8763c84d015312ec562ffb4218fa21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 20:20:15 +0900 +Subject: 9p/net: fix improper handling of bogus negative read/write replies + +From: Dominique Martinet + +[ Upstream commit d0259a856afca31d699b706ed5e2adf11086c73b ] + +In p9_client_write() and p9_client_read_once(), if the server +incorrectly replies with success but a negative write/read count then we +would consider written (negative) <= rsize (positive) because both +variables were signed. + +Make variables unsigned to avoid this problem. + +The reproducer linked below now fails with the following error instead +of a null pointer deref: +9pnet: bogus RWRITE count (4294967295 > 3) + +Reported-by: Robert Morris +Closes: https://lore.kernel.org/16271.1734448631@26-5-164.dynamic.csail.mit.edu +Message-ID: <20250319-9p_unsigned_rw-v3-1-71327f1503d0@codewreck.org> +Reviewed-by: Christian Schoenebeck +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/client.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/net/9p/client.c b/net/9p/client.c +index e876d6fea2fc4..e89a91802e038 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -1545,7 +1545,8 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to, + struct p9_client *clnt = fid->clnt; + struct p9_req_t *req; + int count = iov_iter_count(to); +- int rsize, received, non_zc = 0; ++ u32 rsize, received; ++ bool non_zc = false; + char *dataptr; + + *err = 0; +@@ -1568,7 +1569,7 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to, + 0, 11, "dqd", fid->fid, + offset, rsize); + } else { +- non_zc = 1; ++ non_zc = true; + req = p9_client_rpc(clnt, P9_TREAD, "dqd", fid->fid, offset, + rsize); + } +@@ -1589,11 +1590,11 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to, + return 0; + } + if (rsize < received) { +- pr_err("bogus RREAD count (%d > %d)\n", received, rsize); ++ pr_err("bogus RREAD count (%u > %u)\n", received, rsize); + received = rsize; + } + +- p9_debug(P9_DEBUG_9P, "<<< RREAD count %d\n", received); ++ p9_debug(P9_DEBUG_9P, "<<< RREAD count %u\n", received); + + if (non_zc) { + int n = copy_to_iter(dataptr, received, to); +@@ -1620,9 +1621,9 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) + *err = 0; + + while (iov_iter_count(from)) { +- int count = iov_iter_count(from); +- int rsize = fid->iounit; +- int written; ++ size_t count = iov_iter_count(from); ++ u32 rsize = fid->iounit; ++ u32 written; + + if (!rsize || rsize > clnt->msize - P9_IOHDRSZ) + rsize = clnt->msize - P9_IOHDRSZ; +@@ -1630,7 +1631,7 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) + if (count < rsize) + rsize = count; + +- p9_debug(P9_DEBUG_9P, ">>> TWRITE fid %d offset %llu count %d (/%d)\n", ++ p9_debug(P9_DEBUG_9P, ">>> TWRITE fid %d offset %llu count %u (/%zu)\n", + fid->fid, offset, rsize, count); + + /* Don't bother zerocopy for small IO (< 1024) */ +@@ -1656,11 +1657,11 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) + break; + } + if (rsize < written) { +- pr_err("bogus RWRITE count (%d > %d)\n", written, rsize); ++ pr_err("bogus RWRITE count (%u > %u)\n", written, rsize); + written = rsize; + } + +- p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", written); ++ p9_debug(P9_DEBUG_9P, "<<< RWRITE count %u\n", written); + + p9_req_put(clnt, req); + iov_iter_revert(from, count - written - iov_iter_count(from)); +@@ -2056,7 +2057,8 @@ EXPORT_SYMBOL_GPL(p9_client_xattrcreate); + + int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset) + { +- int err, rsize, non_zc = 0; ++ int err, non_zc = 0; ++ u32 rsize; + struct p9_client *clnt; + struct p9_req_t *req; + char *dataptr; +@@ -2065,7 +2067,7 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset) + + iov_iter_kvec(&to, ITER_DEST, &kv, 1, count); + +- p9_debug(P9_DEBUG_9P, ">>> TREADDIR fid %d offset %llu count %d\n", ++ p9_debug(P9_DEBUG_9P, ">>> TREADDIR fid %d offset %llu count %u\n", + fid->fid, offset, count); + + err = 0; +@@ -2101,11 +2103,11 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset) + goto free_and_error; + } + if (rsize < count) { +- pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize); ++ pr_err("bogus RREADDIR count (%u > %u)\n", count, rsize); + count = rsize; + } + +- p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count); ++ p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %u\n", count); + + if (non_zc) + memmove(data, dataptr, count); +-- +2.39.5 + diff --git a/queue-6.1/acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch b/queue-6.1/acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch new file mode 100644 index 0000000000..ee07dfd89a --- /dev/null +++ b/queue-6.1/acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch @@ -0,0 +1,82 @@ +From 9dc3a937ff1e2e4357e22b6ddc64b0ddbfcd2d93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 08:38:51 -0500 +Subject: ACPI: EC: Set ec_no_wakeup for Lenovo Go S + +From: Mario Limonciello + +[ Upstream commit b988685388effd648150aab272533f833a2a70f0 ] + +When AC adapter is unplugged or plugged in EC wakes from HW sleep but +APU doesn't enter back into HW sleep. + +The reason this happens is that, when the APU exits HW sleep, the power +rails controlled by the EC will power up the TCON. The TCON has a GPIO +that will be toggled at this time. The GPIO is not marked as a wakeup +source, but the GPIO controller still has an unserviced interrupt. +Unserviced interrupts will block entering HW sleep again. Clearing the +GPIO doesn't help as the TCON continues to assert it until it's been +initialized by i2c-hid. + +Fixing this would require TCON F/W changes and it's already broken in +the wild on production hardware. + +To avoid triggering this issue add a quirk to avoid letting EC wake +up system at all. The power button still works properly on this system. + +Reported-by: Antheas Kapenekakis +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3929 +Link: https://github.com/bazzite-org/patchwork/commit/95b93b2852718ee1e808c72e6b1836da4a95fc63 +Co-developed-by: Antheas Kapenekakis +Signed-off-by: Antheas Kapenekakis +Signed-off-by: Mario Limonciello +Link: https://patch.msgid.link/20250401133858.1892077-1-superm1@kernel.org +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ec.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 63803091f8b1e..5776987390907 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -2260,6 +2260,34 @@ static const struct dmi_system_id acpi_ec_no_wakeup[] = { + DMI_MATCH(DMI_PRODUCT_FAMILY, "103C_5336AN HP ZHAN 66 Pro"), + }, + }, ++ /* ++ * Lenovo Legion Go S; touchscreen blocks HW sleep when woken up from EC ++ * https://gitlab.freedesktop.org/drm/amd/-/issues/3929 ++ */ ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83L3"), ++ } ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83N6"), ++ } ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q2"), ++ } ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q3"), ++ } ++ }, + { }, + }; + +-- +2.39.5 + diff --git a/queue-6.1/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch b/queue-6.1/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch new file mode 100644 index 0000000000..22b9e06003 --- /dev/null +++ b/queue-6.1/acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch @@ -0,0 +1,46 @@ +From e16015ac6271075ffa9cbc517a0c2ce74abaf340 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 17:15:42 -0700 +Subject: ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls + +From: Jean-Marc Eurin + +[ Upstream commit 7ab4f0e37a0f4207e742a8de69be03984db6ebf0 ] + +The end of table checks should be done with the structure size, +but 2 of the 3 similar calls use the pointer size. + +Signed-off-by: Jean-Marc Eurin +Link: https://patch.msgid.link/20250402001542.2600671-1-jmeurin@google.com +[ rjw: Subject edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/pptt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/pptt.c b/drivers/acpi/pptt.c +index ced3eb15bd8b7..79a83d8236cb3 100644 +--- a/drivers/acpi/pptt.c ++++ b/drivers/acpi/pptt.c +@@ -217,7 +217,7 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr, + node_entry = ACPI_PTR_DIFF(node, table_hdr); + entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr, + sizeof(struct acpi_table_pptt)); +- proc_sz = sizeof(struct acpi_pptt_processor *); ++ proc_sz = sizeof(struct acpi_pptt_processor); + + while ((unsigned long)entry + proc_sz < table_end) { + cpu_node = (struct acpi_pptt_processor *)entry; +@@ -258,7 +258,7 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he + table_end = (unsigned long)table_hdr + table_hdr->length; + entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr, + sizeof(struct acpi_table_pptt)); +- proc_sz = sizeof(struct acpi_pptt_processor *); ++ proc_sz = sizeof(struct acpi_pptt_processor); + + /* find the processor structure associated with this cpuid */ + while ((unsigned long)entry + proc_sz < table_end) { +-- +2.39.5 + diff --git a/queue-6.1/bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch b/queue-6.1/bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch new file mode 100644 index 0000000000..b04906ccbe --- /dev/null +++ b/queue-6.1/bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch @@ -0,0 +1,79 @@ +From 1f19c42fd3f8804c6c9030eea92d5db988ce1ab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Feb 2025 14:16:37 -0800 +Subject: bpf: Fix deadlock between rcu_tasks_trace and event_mutex. + +From: Alexei Starovoitov + +[ Upstream commit 4580f4e0ebdf8dc8d506ae926b88510395a0c1d1 ] + +Fix the following deadlock: +CPU A +_free_event() + perf_kprobe_destroy() + mutex_lock(&event_mutex) + perf_trace_event_unreg() + synchronize_rcu_tasks_trace() + +There are several paths where _free_event() grabs event_mutex +and calls sync_rcu_tasks_trace. Above is one such case. + +CPU B +bpf_prog_test_run_syscall() + rcu_read_lock_trace() + bpf_prog_run_pin_on_cpu() + bpf_prog_load() + bpf_tracing_func_proto() + trace_set_clr_event() + mutex_lock(&event_mutex) + +Delegate trace_set_clr_event() to workqueue to avoid +such lock dependency. + +Signed-off-by: Alexei Starovoitov +Signed-off-by: Andrii Nakryiko +Acked-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250224221637.4780-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 6b5bb0e380b55..7254c808b27c1 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -403,7 +403,7 @@ static const struct bpf_func_proto bpf_trace_printk_proto = { + .arg2_type = ARG_CONST_SIZE, + }; + +-static void __set_printk_clr_event(void) ++static void __set_printk_clr_event(struct work_struct *work) + { + /* + * This program might be calling bpf_trace_printk, +@@ -416,10 +416,11 @@ static void __set_printk_clr_event(void) + if (trace_set_clr_event("bpf_trace", "bpf_trace_printk", 1)) + pr_warn_ratelimited("could not enable bpf_trace_printk events"); + } ++static DECLARE_WORK(set_printk_work, __set_printk_clr_event); + + const struct bpf_func_proto *bpf_get_trace_printk_proto(void) + { +- __set_printk_clr_event(); ++ schedule_work(&set_printk_work); + return &bpf_trace_printk_proto; + } + +@@ -462,7 +463,7 @@ static const struct bpf_func_proto bpf_trace_vprintk_proto = { + + const struct bpf_func_proto *bpf_get_trace_vprintk_proto(void) + { +- __set_printk_clr_event(); ++ schedule_work(&set_printk_work); + return &bpf_trace_vprintk_proto; + } + +-- +2.39.5 + diff --git a/queue-6.1/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch b/queue-6.1/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch new file mode 100644 index 0000000000..b4f8ebfdcd --- /dev/null +++ b/queue-6.1/clk-check-for-disabled-clock-provider-in-of_clk_get_.patch @@ -0,0 +1,61 @@ +From b3fd899e0dd11941f6300f66116c821bf77ac863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Feb 2025 23:37:33 +0100 +Subject: clk: check for disabled clock-provider in + of_clk_get_hw_from_clkspec() + +From: Heiko Stuebner + +[ Upstream commit b20150d499b3ee5c2d632fbc5ac94f98dd33accf ] + +of_clk_get_hw_from_clkspec() checks all available clock-providers by +comparing their of nodes to the one from the clkspec. If no matching +clock provider is found, the function returns -EPROBE_DEFER to cause a +re-check at a later date. If a matching clock provider is found, an +authoritative answer can be retrieved from it whether the clock exists +or not. + +This does not take into account that the clock-provider may never +appear, because it's node is disabled. This can happen when a clock is +optional, provided by a separate block which never gets enabled. + +One example of this happening is the rk3588's VOP, which has optional +additional display clocks coming from PLLs inside the hdmiphy blocks. +These can be used for better rates, but the system will also work +without them. + +The problem around that is described in the followups to[1]. As we +already know the of node of the presumed clock provider, add a check via +of_device_is_available() whether this is a "valid" device node. This +prevents eternal defer loops. + +Link: https://lore.kernel.org/dri-devel/20250215-vop2-hdmi1-disp-modes-v1-3-81962a7151d6@collabora.com/ [1] +Reviewed-by: Sebastian Reichel +Tested-by: Cristian Ciocaltea +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250222223733.2990179-1-heiko@sntech.de +[sboyd@kernel.org: Reword commit text a bit] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index 8ecbb8f494655..5a01ba04e47cf 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -5128,6 +5128,10 @@ of_clk_get_hw_from_clkspec(struct of_phandle_args *clkspec) + if (!clkspec) + return ERR_PTR(-EINVAL); + ++ /* Check if node in clkspec is in disabled/fail state */ ++ if (!of_device_is_available(clkspec->np)) ++ return ERR_PTR(-ENOENT); ++ + mutex_lock(&of_clk_mutex); + list_for_each_entry(provider, &of_clk_providers, link) { + if (provider->node == clkspec->np) { +-- +2.39.5 + diff --git a/queue-6.1/crypto-null-use-spin-lock-instead-of-mutex.patch b/queue-6.1/crypto-null-use-spin-lock-instead-of-mutex.patch new file mode 100644 index 0000000000..0c84df6e68 --- /dev/null +++ b/queue-6.1/crypto-null-use-spin-lock-instead-of-mutex.patch @@ -0,0 +1,101 @@ +From da05629fcb1976257c758a728a3b9a8ed1a405f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 14:10:07 +0800 +Subject: crypto: null - Use spin lock instead of mutex + +From: Herbert Xu + +[ Upstream commit dcc47a028c24e793ce6d6efebfef1a1e92f80297 ] + +As the null algorithm may be freed in softirq context through +af_alg, use spin locks instead of mutexes to protect the default +null algorithm. + +Reported-by: syzbot+b3e02953598f447d4d2a@syzkaller.appspotmail.com +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/crypto_null.c | 39 ++++++++++++++++++++++++++------------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +diff --git a/crypto/crypto_null.c b/crypto/crypto_null.c +index 5b84b0f7cc178..3378670286535 100644 +--- a/crypto/crypto_null.c ++++ b/crypto/crypto_null.c +@@ -17,10 +17,10 @@ + #include + #include + #include +-#include ++#include + #include + +-static DEFINE_MUTEX(crypto_default_null_skcipher_lock); ++static DEFINE_SPINLOCK(crypto_default_null_skcipher_lock); + static struct crypto_sync_skcipher *crypto_default_null_skcipher; + static int crypto_default_null_skcipher_refcnt; + +@@ -152,23 +152,32 @@ MODULE_ALIAS_CRYPTO("cipher_null"); + + struct crypto_sync_skcipher *crypto_get_default_null_skcipher(void) + { ++ struct crypto_sync_skcipher *ntfm = NULL; + struct crypto_sync_skcipher *tfm; + +- mutex_lock(&crypto_default_null_skcipher_lock); ++ spin_lock_bh(&crypto_default_null_skcipher_lock); + tfm = crypto_default_null_skcipher; + + if (!tfm) { +- tfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0); +- if (IS_ERR(tfm)) +- goto unlock; +- +- crypto_default_null_skcipher = tfm; ++ spin_unlock_bh(&crypto_default_null_skcipher_lock); ++ ++ ntfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0); ++ if (IS_ERR(ntfm)) ++ return ntfm; ++ ++ spin_lock_bh(&crypto_default_null_skcipher_lock); ++ tfm = crypto_default_null_skcipher; ++ if (!tfm) { ++ tfm = ntfm; ++ ntfm = NULL; ++ crypto_default_null_skcipher = tfm; ++ } + } + + crypto_default_null_skcipher_refcnt++; ++ spin_unlock_bh(&crypto_default_null_skcipher_lock); + +-unlock: +- mutex_unlock(&crypto_default_null_skcipher_lock); ++ crypto_free_sync_skcipher(ntfm); + + return tfm; + } +@@ -176,12 +185,16 @@ EXPORT_SYMBOL_GPL(crypto_get_default_null_skcipher); + + void crypto_put_default_null_skcipher(void) + { +- mutex_lock(&crypto_default_null_skcipher_lock); ++ struct crypto_sync_skcipher *tfm = NULL; ++ ++ spin_lock_bh(&crypto_default_null_skcipher_lock); + if (!--crypto_default_null_skcipher_refcnt) { +- crypto_free_sync_skcipher(crypto_default_null_skcipher); ++ tfm = crypto_default_null_skcipher; + crypto_default_null_skcipher = NULL; + } +- mutex_unlock(&crypto_default_null_skcipher_lock); ++ spin_unlock_bh(&crypto_default_null_skcipher_lock); ++ ++ crypto_free_sync_skcipher(tfm); + } + EXPORT_SYMBOL_GPL(crypto_put_default_null_skcipher); + +-- +2.39.5 + diff --git a/queue-6.1/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch b/queue-6.1/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch new file mode 100644 index 0000000000..b685e20928 --- /dev/null +++ b/queue-6.1/dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch @@ -0,0 +1,51 @@ +From 8f899c9882f679b45bdd4b1172975b7bea0d0f57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 15:00:06 -0800 +Subject: dmaengine: dmatest: Fix dmatest waiting less when interrupted + +From: Vinicius Costa Gomes + +[ Upstream commit e87ca16e99118ab4e130a41bdf12abbf6a87656c ] + +Change the "wait for operation finish" logic to take interrupts into +account. + +When using dmatest with idxd DMA engine, it's possible that during +longer tests, the interrupt notifying the finish of an operation +happens during wait_event_freezable_timeout(), which causes dmatest to +cleanup all the resources, some of which might still be in use. + +This fix ensures that the wait logic correctly handles interrupts, +preventing premature cleanup of resources. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202502171134.8c403348-lkp@intel.com +Signed-off-by: Vinicius Costa Gomes +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20250305230007.590178-1-vinicius.gomes@intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmatest.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c +index ffe621695e472..78b8a97b23637 100644 +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -827,9 +827,9 @@ static int dmatest_func(void *data) + } else { + dma_async_issue_pending(chan); + +- wait_event_freezable_timeout(thread->done_wait, +- done->done, +- msecs_to_jiffies(params->timeout)); ++ wait_event_timeout(thread->done_wait, ++ done->done, ++ msecs_to_jiffies(params->timeout)); + + status = dma_async_is_tx_complete(chan, cookie, NULL, + NULL); +-- +2.39.5 + diff --git a/queue-6.1/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch b/queue-6.1/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch new file mode 100644 index 0000000000..8b5f621e11 --- /dev/null +++ b/queue-6.1/ext4-make-block-validity-check-resistent-to-sb-bh-co.patch @@ -0,0 +1,78 @@ +From 275b110285aa47e13c4cbe2f84a67ae505b729c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 11:54:52 +0530 +Subject: ext4: make block validity check resistent to sb bh corruption + +From: Ojaswin Mujoo + +[ Upstream commit ccad447a3d331a239477c281533bacb585b54a98 ] + +Block validity checks need to be skipped in case they are called +for journal blocks since they are part of system's protected +zone. + +Currently, this is done by checking inode->ino against +sbi->s_es->s_journal_inum, which is a direct read from the ext4 sb +buffer head. If someone modifies this underneath us then the +s_journal_inum field might get corrupted. To prevent against this, +change the check to directly compare the inode with journal->j_inode. + +**Slight change in behavior**: During journal init path, +check_block_validity etc might be called for journal inode when +sbi->s_journal is not set yet. In this case we now proceed with +ext4_inode_block_valid() instead of returning early. Since systems zones +have not been set yet, it is okay to proceed so we can perform basic +checks on the blocks. + +Suggested-by: Baokun Li +Reviewed-by: Baokun Li +Reviewed-by: Jan Kara +Reviewed-by: Zhang Yi +Signed-off-by: Ojaswin Mujoo +Link: https://patch.msgid.link/0c06bc9ebfcd6ccfed84a36e79147bf45ff5adc1.1743142920.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/block_validity.c | 5 ++--- + fs/ext4/inode.c | 7 ++++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c +index 6fe3c941b5651..4d6ba140276b5 100644 +--- a/fs/ext4/block_validity.c ++++ b/fs/ext4/block_validity.c +@@ -351,10 +351,9 @@ int ext4_check_blockref(const char *function, unsigned int line, + { + __le32 *bref = p; + unsigned int blk; ++ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; + +- if (ext4_has_feature_journal(inode->i_sb) && +- (inode->i_ino == +- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ if (journal && inode == journal->j_inode) + return 0; + + while (bref < p+max) { +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index f460150ec73e5..abe7f769054ff 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -406,10 +406,11 @@ static int __check_block_validity(struct inode *inode, const char *func, + unsigned int line, + struct ext4_map_blocks *map) + { +- if (ext4_has_feature_journal(inode->i_sb) && +- (inode->i_ino == +- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum))) ++ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal; ++ ++ if (journal && inode == journal->j_inode) + return 0; ++ + if (!ext4_inode_block_valid(inode, map->m_pblk, map->m_len)) { + ext4_error_inode(inode, func, line, map->m_pblk, + "lblock %lu mapped to illegal pblock %llu " +-- +2.39.5 + diff --git a/queue-6.1/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch b/queue-6.1/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch new file mode 100644 index 0000000000..4ed97c9683 --- /dev/null +++ b/queue-6.1/fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch @@ -0,0 +1,45 @@ +From ce1880de3b97a32f271ac9e2288c28d865a4e4be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Oct 2024 20:16:38 +0800 +Subject: fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size + +From: Edward Adam Davis + +[ Upstream commit ff355926445897cc9fdea3b00611e514232c213c ] + +Syzbot reported a WARNING in ntfs_extend_initialized_size. +The data type of in->i_valid and to is u64 in ntfs_file_mmap(). +If their values are greater than LLONG_MAX, overflow will occur because +the data types of the parameters valid and new_valid corresponding to +the function ntfs_extend_initialized_size() are loff_t. + +Before calling ntfs_extend_initialized_size() in the ntfs_file_mmap(), +the "ni->i_valid < to" has been determined, so the same WARN_ON determination +is not required in ntfs_extend_initialized_size(). +Just execute the ntfs_extend_initialized_size() in ntfs_extend() to make +a WARN_ON check. + +Reported-and-tested-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55 +Signed-off-by: Edward Adam Davis +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c +index 72e25842f5dc9..46eec986ec9ca 100644 +--- a/fs/ntfs3/file.c ++++ b/fs/ntfs3/file.c +@@ -354,6 +354,7 @@ static int ntfs_extend(struct inode *inode, loff_t pos, size_t count, + } + + if (extend_init && !is_compressed(ni)) { ++ WARN_ON(ni->i_valid >= pos); + err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos); + if (err) + goto out; +-- +2.39.5 + diff --git a/queue-6.1/hardening-disable-gcc-randstruct-for-compile_test.patch b/queue-6.1/hardening-disable-gcc-randstruct-for-compile_test.patch new file mode 100644 index 0000000000..8ebdd424c1 --- /dev/null +++ b/queue-6.1/hardening-disable-gcc-randstruct-for-compile_test.patch @@ -0,0 +1,41 @@ +From 3b9668fce3828bbddf4961359124c51d00808507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 08:11:58 -0700 +Subject: hardening: Disable GCC randstruct for COMPILE_TEST + +From: Kees Cook + +[ Upstream commit f5c68a4e84f9feca3be578199ec648b676db2030 ] + +There is a GCC crash bug in the randstruct for latest GCC versions that +is being tickled by landlock[1]. Temporarily disable GCC randstruct for +COMPILE_TEST builds to unbreak CI systems for the coming -rc2. This can +be restored once the bug is fixed. + +Suggested-by: Mark Brown +Link: https://lore.kernel.org/all/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/ [1] +Acked-by: Mark Brown +Acked-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20250409151154.work.872-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + security/Kconfig.hardening | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening +index 0f295961e7736..12e7e836a3f12 100644 +--- a/security/Kconfig.hardening ++++ b/security/Kconfig.hardening +@@ -287,7 +287,7 @@ config CC_HAS_RANDSTRUCT + + choice + prompt "Randomize layout of sensitive kernel structures" +- default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT) ++ default RANDSTRUCT_FULL if COMPILE_TEST && CC_HAS_RANDSTRUCT + default RANDSTRUCT_NONE + help + If you enable this, the layouts of structures that are entirely +-- +2.39.5 + diff --git a/queue-6.1/kvm-s390-don-t-use-pk-through-tracepoints.patch b/queue-6.1/kvm-s390-don-t-use-pk-through-tracepoints.patch new file mode 100644 index 0000000000..2e1e1134d4 --- /dev/null +++ b/queue-6.1/kvm-s390-don-t-use-pk-through-tracepoints.patch @@ -0,0 +1,53 @@ +From dc236c644a36f11492f0f843f3583ad8b86dce5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 14:13:56 +0100 +Subject: KVM: s390: Don't use %pK through tracepoints +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 6c9567e0850be2f0f94ab64fa6512413fd1a1eb1 ] + +Restricted pointers ("%pK") are not meant to be used through TP_format(). +It can unintentionally expose security sensitive, raw pointer values. + +Use regular pointer formatting instead. + +Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/ +Signed-off-by: Thomas Weißschuh +Reviewed-by: Michael Mueller +Link: https://lore.kernel.org/r/20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de +Signed-off-by: Janosch Frank +Message-ID: <20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de> +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/trace-s390.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kvm/trace-s390.h b/arch/s390/kvm/trace-s390.h +index 6f0209d45164f..9c5f546a2e1a3 100644 +--- a/arch/s390/kvm/trace-s390.h ++++ b/arch/s390/kvm/trace-s390.h +@@ -56,7 +56,7 @@ TRACE_EVENT(kvm_s390_create_vcpu, + __entry->sie_block = sie_block; + ), + +- TP_printk("create cpu %d at 0x%pK, sie block at 0x%pK", ++ TP_printk("create cpu %d at 0x%p, sie block at 0x%p", + __entry->id, __entry->vcpu, __entry->sie_block) + ); + +@@ -255,7 +255,7 @@ TRACE_EVENT(kvm_s390_enable_css, + __entry->kvm = kvm; + ), + +- TP_printk("enabling channel I/O support (kvm @ %pK)\n", ++ TP_printk("enabling channel I/O support (kvm @ %p)\n", + __entry->kvm) + ); + +-- +2.39.5 + diff --git a/queue-6.1/loop-aio-inherit-the-ioprio-of-original-request.patch b/queue-6.1/loop-aio-inherit-the-ioprio-of-original-request.patch new file mode 100644 index 0000000000..c4bde9dfd4 --- /dev/null +++ b/queue-6.1/loop-aio-inherit-the-ioprio-of-original-request.patch @@ -0,0 +1,39 @@ +From 45e08c07ad9f74d09cbcbf31c1f553288bf93650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 11:01:59 +0800 +Subject: loop: aio inherit the ioprio of original request + +From: Yunlong Xing + +[ Upstream commit 1fdb8188c3d505452b40cdb365b1bb32be533a8e ] + +Set cmd->iocb.ki_ioprio to the ioprio of loop device's request. +The purpose is to inherit the original request ioprio in the aio +flow. + +Signed-off-by: Yunlong Xing +Signed-off-by: Zhiguo Niu +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250414030159.501180-1-yunlong.xing@unisoc.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/loop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index 1c356bda9dfa8..e3e5d533a7eca 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -441,7 +441,7 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd, + cmd->iocb.ki_filp = file; + cmd->iocb.ki_complete = lo_rw_aio_complete; + cmd->iocb.ki_flags = IOCB_DIRECT; +- cmd->iocb.ki_ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, 0); ++ cmd->iocb.ki_ioprio = req_get_ioprio(rq); + + if (rw == ITER_SOURCE) + ret = call_write_iter(file, &cmd->iocb, &iter); +-- +2.39.5 + diff --git a/queue-6.1/md-raid1-add-check-for-missing-source-disk-in-proces.patch b/queue-6.1/md-raid1-add-check-for-missing-source-disk-in-proces.patch new file mode 100644 index 0000000000..2611fb4d79 --- /dev/null +++ b/queue-6.1/md-raid1-add-check-for-missing-source-disk-in-proces.patch @@ -0,0 +1,77 @@ +From d24ebf2321f3f46ff86b02a8f6965f70cdd1f628 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:38:08 +0300 +Subject: md/raid1: Add check for missing source disk in process_checks() + +From: Meir Elisha + +[ Upstream commit b7c178d9e57c8fd4238ff77263b877f6f16182ba ] + +During recovery/check operations, the process_checks function loops +through available disks to find a 'primary' source with successfully +read data. + +If no suitable source disk is found after checking all possibilities, +the 'primary' index will reach conf->raid_disks * 2. Add an explicit +check for this condition after the loop. If no source disk was found, +print an error message and return early to prevent further processing +without a valid primary source. + +Link: https://lore.kernel.org/linux-raid/20250408143808.1026534-1-meir.elisha@volumez.com +Signed-off-by: Meir Elisha +Suggested-and-reviewed-by: Yu Kuai +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 76f7ca53d8123..38e77a4b6b338 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -2068,14 +2068,9 @@ static int fix_sync_read_error(struct r1bio *r1_bio) + if (!rdev_set_badblocks(rdev, sect, s, 0)) + abort = 1; + } +- if (abort) { +- conf->recovery_disabled = +- mddev->recovery_disabled; +- set_bit(MD_RECOVERY_INTR, &mddev->recovery); +- md_done_sync(mddev, r1_bio->sectors, 0); +- put_buf(r1_bio); ++ if (abort) + return 0; +- } ++ + /* Try next page */ + sectors -= s; + sect += s; +@@ -2214,10 +2209,21 @@ static void sync_request_write(struct mddev *mddev, struct r1bio *r1_bio) + int disks = conf->raid_disks * 2; + struct bio *wbio; + +- if (!test_bit(R1BIO_Uptodate, &r1_bio->state)) +- /* ouch - failed to read all of that. */ +- if (!fix_sync_read_error(r1_bio)) ++ if (!test_bit(R1BIO_Uptodate, &r1_bio->state)) { ++ /* ++ * ouch - failed to read all of that. ++ * No need to fix read error for check/repair ++ * because all member disks are read. ++ */ ++ if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery) || ++ !fix_sync_read_error(r1_bio)) { ++ conf->recovery_disabled = mddev->recovery_disabled; ++ set_bit(MD_RECOVERY_INTR, &mddev->recovery); ++ md_done_sync(mddev, r1_bio->sectors, 0); ++ put_buf(r1_bio); + return; ++ } ++ } + + if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery)) + process_checks(r1_bio); +-- +2.39.5 + diff --git a/queue-6.1/mips-cm-detect-cm-quirks-from-device-tree.patch b/queue-6.1/mips-cm-detect-cm-quirks-from-device-tree.patch new file mode 100644 index 0000000000..1831e5c3ed --- /dev/null +++ b/queue-6.1/mips-cm-detect-cm-quirks-from-device-tree.patch @@ -0,0 +1,107 @@ +From f408f5fab97d8ee93af8bbbf44390d599daf6a5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 12:01:56 +0100 +Subject: MIPS: cm: Detect CM quirks from device tree + +From: Gregory CLEMENT + +[ Upstream commit e27fbe16af5cfc40639de4ced67d1a866a1953e9 ] + +Some information that should be retrieved at runtime for the Coherence +Manager can be either absent or wrong. This patch allows checking if +some of this information is available from the device tree and updates +the internal variable accordingly. + +For now, only the compatible string associated with the broken HCI is +being retrieved. + +Signed-off-by: Gregory CLEMENT +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mips-cm.h | 22 ++++++++++++++++++++++ + arch/mips/kernel/mips-cm.c | 14 ++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h +index 696b40beb774f..0f31324998c0a 100644 +--- a/arch/mips/include/asm/mips-cm.h ++++ b/arch/mips/include/asm/mips-cm.h +@@ -47,6 +47,16 @@ extern phys_addr_t __mips_cm_phys_base(void); + */ + extern int mips_cm_is64; + ++/* ++ * mips_cm_is_l2_hci_broken - determine if HCI is broken ++ * ++ * Some CM reports show that Hardware Cache Initialization is ++ * complete, but in reality it's not the case. They also incorrectly ++ * indicate that Hardware Cache Initialization is supported. This ++ * flags allows warning about this broken feature. ++ */ ++extern bool mips_cm_is_l2_hci_broken; ++ + /** + * mips_cm_error_report - Report CM cache errors + */ +@@ -85,6 +95,18 @@ static inline bool mips_cm_present(void) + #endif + } + ++/** ++ * mips_cm_update_property - update property from the device tree ++ * ++ * Retrieve the properties from the device tree if a CM node exist and ++ * update the internal variable based on this. ++ */ ++#ifdef CONFIG_MIPS_CM ++extern void mips_cm_update_property(void); ++#else ++static void mips_cm_update_property(void) {} ++#endif ++ + /** + * mips_cm_has_l2sync - determine whether an L2-only sync region is present + * +diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c +index b4f7d950c8468..e21c2fd761674 100644 +--- a/arch/mips/kernel/mips-cm.c ++++ b/arch/mips/kernel/mips-cm.c +@@ -5,6 +5,7 @@ + */ + + #include ++#include + #include + #include + +@@ -14,6 +15,7 @@ + void __iomem *mips_gcr_base; + void __iomem *mips_cm_l2sync_base; + int mips_cm_is64; ++bool mips_cm_is_l2_hci_broken; + + static char *cm2_tr[8] = { + "mem", "gcr", "gic", "mmio", +@@ -238,6 +240,18 @@ static void mips_cm_probe_l2sync(void) + mips_cm_l2sync_base = ioremap(addr, MIPS_CM_L2SYNC_SIZE); + } + ++void mips_cm_update_property(void) ++{ ++ struct device_node *cm_node; ++ ++ cm_node = of_find_compatible_node(of_root, NULL, "mobileye,eyeq6-cm"); ++ if (!cm_node) ++ return; ++ pr_info("HCI (Hardware Cache Init for the L2 cache) in GCR_L2_RAM_CONFIG from the CM3 is broken"); ++ mips_cm_is_l2_hci_broken = true; ++ of_node_put(cm_node); ++} ++ + int mips_cm_probe(void) + { + phys_addr_t addr; +-- +2.39.5 + diff --git a/queue-6.1/ntb-reduce-stack-usage-in-idt_scan_mws.patch b/queue-6.1/ntb-reduce-stack-usage-in-idt_scan_mws.patch new file mode 100644 index 0000000000..aa591e7943 --- /dev/null +++ b/queue-6.1/ntb-reduce-stack-usage-in-idt_scan_mws.patch @@ -0,0 +1,77 @@ +From ad05211e9db692a2da933d30f234817e70011978 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2025 09:57:25 +0100 +Subject: ntb: reduce stack usage in idt_scan_mws + +From: Arnd Bergmann + +[ Upstream commit aff12700b8dd7422bfe2277696e192af4df9de8f ] + +idt_scan_mws() puts a large fixed-size array on the stack and copies +it into a smaller dynamically allocated array at the end. On 32-bit +targets, the fixed size can easily exceed the warning limit for +possible stack overflow: + +drivers/ntb/hw/idt/ntb_hw_idt.c:1041:27: error: stack frame size (1032) exceeds limit (1024) in 'idt_scan_mws' [-Werror,-Wframe-larger-than] + +Change it to instead just always use dynamic allocation for the +array from the start. It's too big for the stack, but not actually +all that much for a permanent allocation. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/all/202205111109.PiKTruEj-lkp@intel.com/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Dave Jiang +Reviewed-by: Damien Le Moal +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c +index 51799fccf8404..6f7620b153032 100644 +--- a/drivers/ntb/hw/idt/ntb_hw_idt.c ++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c +@@ -1041,7 +1041,7 @@ static inline char *idt_get_mw_name(enum idt_mw_type mw_type) + static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port, + unsigned char *mw_cnt) + { +- struct idt_mw_cfg mws[IDT_MAX_NR_MWS], *ret_mws; ++ struct idt_mw_cfg *mws; + const struct idt_ntb_bar *bars; + enum idt_mw_type mw_type; + unsigned char widx, bidx, en_cnt; +@@ -1049,6 +1049,11 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port, + int aprt_size; + u32 data; + ++ mws = devm_kcalloc(&ndev->ntb.pdev->dev, IDT_MAX_NR_MWS, ++ sizeof(*mws), GFP_KERNEL); ++ if (!mws) ++ return ERR_PTR(-ENOMEM); ++ + /* Retrieve the array of the BARs registers */ + bars = portdata_tbl[port].bars; + +@@ -1103,16 +1108,7 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port, + } + } + +- /* Allocate memory for memory window descriptors */ +- ret_mws = devm_kcalloc(&ndev->ntb.pdev->dev, *mw_cnt, sizeof(*ret_mws), +- GFP_KERNEL); +- if (!ret_mws) +- return ERR_PTR(-ENOMEM); +- +- /* Copy the info of detected memory windows */ +- memcpy(ret_mws, mws, (*mw_cnt)*sizeof(*ret_mws)); +- +- return ret_mws; ++ return mws; + } + + /* +-- +2.39.5 + diff --git a/queue-6.1/ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch b/queue-6.1/ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch new file mode 100644 index 0000000000..372c195079 --- /dev/null +++ b/queue-6.1/ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch @@ -0,0 +1,33 @@ +From e96de771dda3b0c6408ad7d6dd59607116b5e1b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 20:02:16 +0530 +Subject: ntb_hw_amd: Add NTB PCI ID for new gen CPU + +From: Basavaraj Natikar + +[ Upstream commit bf8a7ce7e4c7267a6f5f2b2023cfc459b330b25e ] + +Add NTB support for new generation of processor. + +Signed-off-by: Basavaraj Natikar +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index 730f2103b91d1..9c8dd5dea2733 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1323,6 +1323,7 @@ static const struct pci_device_id amd_ntb_pci_tbl[] = { + { PCI_VDEVICE(AMD, 0x148b), (kernel_ulong_t)&dev_data[1] }, + { PCI_VDEVICE(AMD, 0x14c0), (kernel_ulong_t)&dev_data[1] }, + { PCI_VDEVICE(AMD, 0x14c3), (kernel_ulong_t)&dev_data[1] }, ++ { PCI_VDEVICE(AMD, 0x155a), (kernel_ulong_t)&dev_data[1] }, + { PCI_VDEVICE(HYGON, 0x145b), (kernel_ulong_t)&dev_data[0] }, + { 0, } + }; +-- +2.39.5 + diff --git a/queue-6.1/nvme-re-read-ana-log-page-after-ns-scan-completes.patch b/queue-6.1/nvme-re-read-ana-log-page-after-ns-scan-completes.patch new file mode 100644 index 0000000000..8569281678 --- /dev/null +++ b/queue-6.1/nvme-re-read-ana-log-page-after-ns-scan-completes.patch @@ -0,0 +1,47 @@ +From 78051e1c4167b96e56e233d133653cee17f20bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 09:19:30 +0200 +Subject: nvme: re-read ANA log page after ns scan completes + +From: Hannes Reinecke + +[ Upstream commit 62baf70c327444338c34703c71aa8cc8e4189bd6 ] + +When scanning for new namespaces we might have missed an ANA AEN. + +The NVMe base spec (NVMe Base Specification v2.1, Figure 151 'Asynchonous +Event Information - Notice': Asymmetric Namespace Access Change) states: + + A controller shall not send this even if an Attached Namespace + Attribute Changed asynchronous event [...] is sent for the same event. + +so we need to re-read the ANA log page after we rescanned the namespace +list to update the ANA states of the new namespaces. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index ec73ec1cf0ff5..e199321086f28 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4708,6 +4708,11 @@ static void nvme_scan_work(struct work_struct *work) + /* Requeue if we have missed AENs */ + if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events)) + nvme_queue_scan(ctrl); ++#ifdef CONFIG_NVME_MULTIPATH ++ else ++ /* Re-read the ANA log page to not miss updates */ ++ queue_work(nvme_wq, &ctrl->ana_work); ++#endif + } + + /* +-- +2.39.5 + diff --git a/queue-6.1/nvme-requeue-namespace-scan-on-missed-aens.patch b/queue-6.1/nvme-requeue-namespace-scan-on-missed-aens.patch new file mode 100644 index 0000000000..10d82ad000 --- /dev/null +++ b/queue-6.1/nvme-requeue-namespace-scan-on-missed-aens.patch @@ -0,0 +1,42 @@ +From 43b2b4db714534bfe4e27248d0afbe79ed0c6174 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 09:19:29 +0200 +Subject: nvme: requeue namespace scan on missed AENs + +From: Hannes Reinecke + +[ Upstream commit 9546ad1a9bda7362492114f5866b95b0ac4a100e ] + +Scanning for namespaces can take some time, so if the target is +reconfigured while the scan is running we may miss a Attached Namespace +Attribute Changed AEN. + +Check if the NVME_AER_NOTICE_NS_CHANGED bit is set once the scan has +finished, and requeue scanning to pick up any missed change. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 6a636fe6506b4..ec73ec1cf0ff5 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -4704,6 +4704,10 @@ static void nvme_scan_work(struct work_struct *work) + if (nvme_scan_ns_list(ctrl) != 0) + nvme_scan_ns_sequential(ctrl); + mutex_unlock(&ctrl->scan_lock); ++ ++ /* Requeue if we have missed AENs */ ++ if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events)) ++ nvme_queue_scan(ctrl); + } + + /* +-- +2.39.5 + diff --git a/queue-6.1/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch b/queue-6.1/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch new file mode 100644 index 0000000000..ed9a00e40b --- /dev/null +++ b/queue-6.1/nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch @@ -0,0 +1,36 @@ +From 5eaee1b321a8c4488643cb4a9f443d0b0d6e924c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:29:10 +0200 +Subject: nvmet-fc: put ref when assoc->del_work is already scheduled + +From: Daniel Wagner + +[ Upstream commit 70289ae5cac4d3a39575405aaf63330486cea030 ] + +Do not leak the tgtport reference when the work is already scheduled. + +Signed-off-by: Daniel Wagner +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/fc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c +index 68ff9540e2d13..570c58d2b5a58 100644 +--- a/drivers/nvme/target/fc.c ++++ b/drivers/nvme/target/fc.c +@@ -1091,7 +1091,8 @@ static void + nvmet_fc_schedule_delete_assoc(struct nvmet_fc_tgt_assoc *assoc) + { + nvmet_fc_tgtport_get(assoc->tgtport); +- queue_work(nvmet_wq, &assoc->del_work); ++ if (!queue_work(nvmet_wq, &assoc->del_work)) ++ nvmet_fc_tgtport_put(assoc->tgtport); + } + + static struct nvmet_fc_tgt_assoc * +-- +2.39.5 + diff --git a/queue-6.1/nvmet-fc-take-tgtport-reference-only-once.patch b/queue-6.1/nvmet-fc-take-tgtport-reference-only-once.patch new file mode 100644 index 0000000000..bf2b64199e --- /dev/null +++ b/queue-6.1/nvmet-fc-take-tgtport-reference-only-once.patch @@ -0,0 +1,77 @@ +From f228c30073ea1e6fd43c6ba5e2654805de568e1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 17:29:09 +0200 +Subject: nvmet-fc: take tgtport reference only once + +From: Daniel Wagner + +[ Upstream commit b0b26ad0e1943de25ce82a7e5af3574f31b1cf99 ] + +The reference counting code can be simplified. Instead taking a tgtport +refrerence at the beginning of nvmet_fc_alloc_hostport and put it back +if not a new hostport object is allocated, only take it when a new +hostport object is allocated. + +Signed-off-by: Daniel Wagner +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/fc.c | 22 +++++++--------------- + 1 file changed, 7 insertions(+), 15 deletions(-) + +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c +index d40d5a4ea932e..68ff9540e2d13 100644 +--- a/drivers/nvme/target/fc.c ++++ b/drivers/nvme/target/fc.c +@@ -1030,33 +1030,24 @@ nvmet_fc_alloc_hostport(struct nvmet_fc_tgtport *tgtport, void *hosthandle) + struct nvmet_fc_hostport *newhost, *match = NULL; + unsigned long flags; + ++ /* ++ * Caller holds a reference on tgtport. ++ */ ++ + /* if LLDD not implemented, leave as NULL */ + if (!hosthandle) + return NULL; + +- /* +- * take reference for what will be the newly allocated hostport if +- * we end up using a new allocation +- */ +- if (!nvmet_fc_tgtport_get(tgtport)) +- return ERR_PTR(-EINVAL); +- + spin_lock_irqsave(&tgtport->lock, flags); + match = nvmet_fc_match_hostport(tgtport, hosthandle); + spin_unlock_irqrestore(&tgtport->lock, flags); + +- if (match) { +- /* no new allocation - release reference */ +- nvmet_fc_tgtport_put(tgtport); ++ if (match) + return match; +- } + + newhost = kzalloc(sizeof(*newhost), GFP_KERNEL); +- if (!newhost) { +- /* no new allocation - release reference */ +- nvmet_fc_tgtport_put(tgtport); ++ if (!newhost) + return ERR_PTR(-ENOMEM); +- } + + spin_lock_irqsave(&tgtport->lock, flags); + match = nvmet_fc_match_hostport(tgtport, hosthandle); +@@ -1065,6 +1056,7 @@ nvmet_fc_alloc_hostport(struct nvmet_fc_tgtport *tgtport, void *hosthandle) + kfree(newhost); + newhost = match; + } else { ++ nvmet_fc_tgtport_get(tgtport); + newhost->tgtport = tgtport; + newhost->hosthandle = hosthandle; + INIT_LIST_HEAD(&newhost->host_list); +-- +2.39.5 + diff --git a/queue-6.1/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch b/queue-6.1/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch new file mode 100644 index 0000000000..d919b6bc62 --- /dev/null +++ b/queue-6.1/objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch @@ -0,0 +1,58 @@ +From d9216e213f4d6a89c8df951936bebdd924e1e31d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:09 -0700 +Subject: objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior + in wcd934x_slim_irq_handler() + +From: Josh Poimboeuf + +[ Upstream commit 060aed9c0093b341480770457093449771cf1496 ] + +If 'port_id' is negative, the shift counts in wcd934x_slim_irq_handler() +also become negative, resulting in undefined behavior due to shift out +of bounds. + +If I'm reading the code correctly, that appears to be not possible, but +with KCOV enabled, Clang's range analysis isn't always able to determine +that and generates undefined behavior. + +As a result the code generation isn't optimal, and undefined behavior +should be avoided regardless. Improve code generation and remove the +undefined behavior by converting the signed variables to unsigned. + +Fixes the following warning with UBSAN: + + sound/soc/codecs/snd-soc-wcd934x.o: warning: objtool: .text.wcd934x_slim_irq_handler: unexpected end of section + +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Acked-by: Mark Brown +Cc: Srinivas Kandagatla +Cc: Liam Girdwood +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/7e863839ec7301bf9c0f429a03873d44e484c31c.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/oe-kbuild-all/202503180044.oH9gyPeg-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd934x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c +index 0b5999c819db9..04c50f9acda18 100644 +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -2281,7 +2281,7 @@ static irqreturn_t wcd934x_slim_irq_handler(int irq, void *data) + { + struct wcd934x_codec *wcd = data; + unsigned long status = 0; +- int i, j, port_id; ++ unsigned int i, j, port_id; + unsigned int val, int_val = 0; + irqreturn_t ret = IRQ_NONE; + bool tx; +-- +2.39.5 + diff --git a/queue-6.1/objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch b/queue-6.1/objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch new file mode 100644 index 0000000000..ee9e4ce1ed --- /dev/null +++ b/queue-6.1/objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch @@ -0,0 +1,86 @@ +From d4c7992dd690217654b268f930cebd08a21cb6c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:12 -0700 +Subject: objtool, lkdtm: Obfuscate the do_nothing() pointer + +From: Josh Poimboeuf + +[ Upstream commit 05026ea01e95ffdeb0e5ac8fb7fb1b551e3a8726 ] + +If execute_location()'s memcpy of do_nothing() gets inlined and unrolled +by the compiler, it copies one word at a time: + + mov 0x0(%rip),%rax R_X86_64_PC32 .text+0x1374 + mov %rax,0x38(%rbx) + mov 0x0(%rip),%rax R_X86_64_PC32 .text+0x136c + mov %rax,0x30(%rbx) + ... + +Those .text references point to the middle of the function, causing +objtool to complain about their lack of ENDBR. + +Prevent that by resolving the function pointer at runtime rather than +build time. This fixes the following warning: + + drivers/misc/lkdtm/lkdtm.o: warning: objtool: execute_location+0x23: relocation to !ENDBR: .text+0x1378 + +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Reviewed-by: Kees Cook +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/30b9abffbddeb43c4f6320b1270fa9b4d74c54ed.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/oe-kbuild-all/202503191453.uFfxQy5R-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + drivers/misc/lkdtm/perms.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c +index b93404d656509..e82d9543a0c5f 100644 +--- a/drivers/misc/lkdtm/perms.c ++++ b/drivers/misc/lkdtm/perms.c +@@ -28,6 +28,13 @@ static const unsigned long rodata = 0xAA55AA55; + /* This is marked __ro_after_init, so it should ultimately be .rodata. */ + static unsigned long ro_after_init __ro_after_init = 0x55AA5500; + ++/* ++ * This is a pointer to do_nothing() which is initialized at runtime rather ++ * than build time to avoid objtool IBT validation warnings caused by an ++ * inlined unrolled memcpy() in execute_location(). ++ */ ++static void __ro_after_init *do_nothing_ptr; ++ + /* + * This just returns to the caller. It is designed to be copied into + * non-executable memory regions. +@@ -65,13 +72,12 @@ static noinline void execute_location(void *dst, bool write) + { + void (*func)(void); + func_desc_t fdesc; +- void *do_nothing_text = dereference_function_descriptor(do_nothing); + +- pr_info("attempting ok execution at %px\n", do_nothing_text); ++ pr_info("attempting ok execution at %px\n", do_nothing_ptr); + do_nothing(); + + if (write == CODE_WRITE) { +- memcpy(dst, do_nothing_text, EXEC_SIZE); ++ memcpy(dst, do_nothing_ptr, EXEC_SIZE); + flush_icache_range((unsigned long)dst, + (unsigned long)dst + EXEC_SIZE); + } +@@ -267,6 +273,8 @@ static void lkdtm_ACCESS_NULL(void) + + void __init lkdtm_perms_init(void) + { ++ do_nothing_ptr = dereference_function_descriptor(do_nothing); ++ + /* Make sure we can write to __ro_after_init values during __init */ + ro_after_init |= 0xAA; + } +-- +2.39.5 + diff --git a/queue-6.1/objtool-silence-more-kcov-warnings.patch b/queue-6.1/objtool-silence-more-kcov-warnings.patch new file mode 100644 index 0000000000..d14cd7cf22 --- /dev/null +++ b/queue-6.1/objtool-silence-more-kcov-warnings.patch @@ -0,0 +1,67 @@ +From 6a267249315f3410217bf77f9d8372be5e9d9654 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:55:57 -0700 +Subject: objtool: Silence more KCOV warnings + +From: Josh Poimboeuf + +[ Upstream commit 6b023c7842048c4bbeede802f3cf36b96c7a8b25 ] + +In the past there were issues with KCOV triggering unreachable +instruction warnings, which is why unreachable warnings are now disabled +with CONFIG_KCOV. + +Now some new KCOV warnings are showing up with GCC 14: + + vmlinux.o: warning: objtool: cpuset_write_resmask() falls through to next function cpuset_update_active_cpus.cold() + drivers/usb/core/driver.o: error: objtool: usb_deregister() falls through to next function usb_match_device() + sound/soc/codecs/snd-soc-wcd934x.o: warning: objtool: .text.wcd934x_slim_irq_handler: unexpected end of section + +All are caused by GCC KCOV not finishing an optimization, leaving behind +a never-taken conditional branch to a basic block which falls through to +the next function (or end of section). + +At a high level this is similar to the unreachable warnings mentioned +above, in that KCOV isn't fully removing dead code. Treat it the same +way by adding these to the list of warnings to ignore with CONFIG_KCOV. + +Reported-by: Ingo Molnar +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/66a61a0b65d74e072d3dc02384e395edb2adc3c5.1742852846.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/Z9iTsI09AEBlxlHC@gmail.com +Closes: https://lore.kernel.org/oe-kbuild-all/202503180044.oH9gyPeg-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index 6ea78612635ba..b6c91bb5ce3e3 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -3368,6 +3368,9 @@ static int validate_branch(struct objtool_file *file, struct symbol *func, + if (!strncmp(func->name, "__cfi_", 6)) + return 0; + ++ if (file->ignore_unreachables) ++ return 0; ++ + WARN("%s() falls through to next function %s()", + func->name, insn->func->name); + return 1; +@@ -3582,6 +3585,9 @@ static int validate_branch(struct objtool_file *file, struct symbol *func, + if (!next_insn) { + if (state.cfi.cfa.base == CFI_UNDEFINED) + return 0; ++ if (file->ignore_unreachables) ++ return 0; ++ + WARN("%s: unexpected end of section", sec->name); + return 1; + } +-- +2.39.5 + diff --git a/queue-6.1/objtool-stop-unret-validation-on-ud2.patch b/queue-6.1/objtool-stop-unret-validation-on-ud2.patch new file mode 100644 index 0000000000..f02fe26f1e --- /dev/null +++ b/queue-6.1/objtool-stop-unret-validation-on-ud2.patch @@ -0,0 +1,38 @@ +From b4f67ae8844056dd48b09f1eb4e7be68986de43f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 00:02:15 -0700 +Subject: objtool: Stop UNRET validation on UD2 + +From: Josh Poimboeuf + +[ Upstream commit 9f9cc012c2cbac4833746a0182e06a8eec940d19 ] + +In preparation for simplifying INSN_SYSCALL, make validate_unret() +terminate control flow on UD2 just like validate_branch() already does. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/ce841269e7e28c8b7f32064464a9821034d724ff.1744095216.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index b6c91bb5ce3e3..828c91aaf55bd 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -3737,6 +3737,9 @@ static int validate_entry(struct objtool_file *file, struct instruction *insn) + break; + } + ++ if (insn->dead_end) ++ return 0; ++ + if (!next) { + WARN_FUNC("teh end!", insn->sec, insn->offset); + return -1; +-- +2.39.5 + diff --git a/queue-6.1/parisc-pdt-fix-missing-prototype-warning.patch b/queue-6.1/parisc-pdt-fix-missing-prototype-warning.patch new file mode 100644 index 0000000000..893bb02447 --- /dev/null +++ b/queue-6.1/parisc-pdt-fix-missing-prototype-warning.patch @@ -0,0 +1,51 @@ +From 213187b756c984f2d672cf96bf41e590a0482229 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Feb 2025 01:43:04 +0800 +Subject: parisc: PDT: Fix missing prototype warning + +From: Yu-Chun Lin + +[ Upstream commit b899981750dcb958ceffa4462d903963ee494aa2 ] + +As reported by the kernel test robot, the following error occurs: + +arch/parisc/kernel/pdt.c:65:6: warning: no previous prototype for 'arch_report_meminfo' [-Wmissing-prototypes] + 65 | void arch_report_meminfo(struct seq_file *m) + | ^~~~~~~~~~~~~~~~~~~ + +arch_report_meminfo() is declared in include/linux/proc_fs.h and only +defined when CONFIG_PROC_FS is enabled. Wrap its definition in #ifdef +CONFIG_PROC_FS to fix the -Wmissing-prototypes warning. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202502082315.IPaHaTyM-lkp@intel.com/ +Signed-off-by: Yu-Chun Lin +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/pdt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/parisc/kernel/pdt.c b/arch/parisc/kernel/pdt.c +index e391b175f5ece..7dbb241a9fb77 100644 +--- a/arch/parisc/kernel/pdt.c ++++ b/arch/parisc/kernel/pdt.c +@@ -62,6 +62,7 @@ static unsigned long pdt_entry[MAX_PDT_ENTRIES] __page_aligned_bss; + #define PDT_ADDR_PERM_ERR (pdt_type != PDT_PDC ? 2UL : 0UL) + #define PDT_ADDR_SINGLE_ERR 1UL + ++#ifdef CONFIG_PROC_FS + /* report PDT entries via /proc/meminfo */ + void arch_report_meminfo(struct seq_file *m) + { +@@ -73,6 +74,7 @@ void arch_report_meminfo(struct seq_file *m) + seq_printf(m, "PDT_cur_entries: %7lu\n", + pdt_status.pdt_entries); + } ++#endif + + static int get_info_pat_new(void) + { +-- +2.39.5 + diff --git a/queue-6.1/pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch b/queue-6.1/pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch new file mode 100644 index 0000000000..e1bde7f882 --- /dev/null +++ b/queue-6.1/pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch @@ -0,0 +1,39 @@ +From 46c2b47823ac55bc696d789fa9557d713798fe0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2025 17:25:52 -0600 +Subject: pinctrl: renesas: rza2: Fix potential NULL pointer dereference + +From: Chenyuan Yang + +[ Upstream commit f752ee5b5b86b5f88a5687c9eb0ef9b39859b908 ] + +`chip.label` in rza2_gpio_register() could be NULL. +Add the missing check. + +Signed-off-by: Chenyuan Yang +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Matthias Brugger +Link: https://lore.kernel.org/20250210232552.1545887-1-chenyuan0y@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rza2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c +index 2d6072e9f5a87..6f0d3fda61c24 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rza2.c ++++ b/drivers/pinctrl/renesas/pinctrl-rza2.c +@@ -242,6 +242,9 @@ static int rza2_gpio_register(struct rza2_pinctrl_priv *priv) + int ret; + + chip.label = devm_kasprintf(priv->dev, GFP_KERNEL, "%pOFn", np); ++ if (!chip.label) ++ return -ENOMEM; ++ + chip.parent = priv->dev; + chip.ngpio = priv->npins; + +-- +2.39.5 + diff --git a/queue-6.1/qibfs-fix-_another_-leak.patch b/queue-6.1/qibfs-fix-_another_-leak.patch new file mode 100644 index 0000000000..610c968272 --- /dev/null +++ b/queue-6.1/qibfs-fix-_another_-leak.patch @@ -0,0 +1,36 @@ +From c076ba35f7c8d91c1e9dd40c7f5b969b0fba8ccf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 17:50:34 -0600 +Subject: qibfs: fix _another_ leak + +From: Al Viro + +[ Upstream commit bdb43af4fdb39f844ede401bdb1258f67a580a27 ] + +failure to allocate inode => leaked dentry... + +this one had been there since the initial merge; to be fair, +if we are that far OOM, the odds of failing at that particular +allocation are low... + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/qib/qib_fs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/qib/qib_fs.c b/drivers/infiniband/hw/qib/qib_fs.c +index 182a89bb24ef4..caade796bc3cb 100644 +--- a/drivers/infiniband/hw/qib/qib_fs.c ++++ b/drivers/infiniband/hw/qib/qib_fs.c +@@ -55,6 +55,7 @@ static int qibfs_mknod(struct inode *dir, struct dentry *dentry, + struct inode *inode = new_inode(dir->i_sb); + + if (!inode) { ++ dput(dentry); + error = -EPERM; + goto bail; + } +-- +2.39.5 + diff --git a/queue-6.1/rtc-pcf85063-do-a-sw-reset-if-por-failed.patch b/queue-6.1/rtc-pcf85063-do-a-sw-reset-if-por-failed.patch new file mode 100644 index 0000000000..957f4a3bb0 --- /dev/null +++ b/queue-6.1/rtc-pcf85063-do-a-sw-reset-if-por-failed.patch @@ -0,0 +1,78 @@ +From 97bb05f6f3d2dbcd523ede0144528d9fca4ce3db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 10:34:49 +0100 +Subject: rtc: pcf85063: do a SW reset if POR failed + +From: Lukas Stockmann + +[ Upstream commit 2b7cbd98495f6ee4cd6422fe77828a19e9edf87f ] + +Power-on Reset has a documented issue in PCF85063, refer to its datasheet, +section "Software reset": + +"There is a low probability that some devices will have corruption of the +registers after the automatic power-on reset if the device is powered up +with a residual VDD level. It is required that the VDD starts at zero volts +at power up or upon power cycling to ensure that there is no corruption of +the registers. If this is not possible, a reset must be initiated after +power-up (i.e. when power is stable) with the software reset command" + +Trigger SW reset if there is an indication that POR has failed. + +Link: https://www.nxp.com/docs/en/data-sheet/PCF85063A.pdf +Signed-off-by: Lukas Stockmann +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20250120093451.30778-1-alexander.sverdlin@siemens.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf85063.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c +index 6ffdc10b32d32..4a29b44e75e6a 100644 +--- a/drivers/rtc/rtc-pcf85063.c ++++ b/drivers/rtc/rtc-pcf85063.c +@@ -35,6 +35,7 @@ + #define PCF85063_REG_CTRL1_CAP_SEL BIT(0) + #define PCF85063_REG_CTRL1_STOP BIT(5) + #define PCF85063_REG_CTRL1_EXT_TEST BIT(7) ++#define PCF85063_REG_CTRL1_SWR 0x58 + + #define PCF85063_REG_CTRL2 0x01 + #define PCF85063_CTRL2_AF BIT(6) +@@ -606,7 +607,7 @@ static int pcf85063_probe(struct i2c_client *client) + + i2c_set_clientdata(client, pcf85063); + +- err = regmap_read(pcf85063->regmap, PCF85063_REG_CTRL1, &tmp); ++ err = regmap_read(pcf85063->regmap, PCF85063_REG_SC, &tmp); + if (err) { + dev_err(&client->dev, "RTC chip is not present\n"); + return err; +@@ -616,6 +617,22 @@ static int pcf85063_probe(struct i2c_client *client) + if (IS_ERR(pcf85063->rtc)) + return PTR_ERR(pcf85063->rtc); + ++ /* ++ * If a Power loss is detected, SW reset the device. ++ * From PCF85063A datasheet: ++ * There is a low probability that some devices will have corruption ++ * of the registers after the automatic power-on reset... ++ */ ++ if (tmp & PCF85063_REG_SC_OS) { ++ dev_warn(&client->dev, ++ "POR issue detected, sending a SW reset\n"); ++ err = regmap_write(pcf85063->regmap, PCF85063_REG_CTRL1, ++ PCF85063_REG_CTRL1_SWR); ++ if (err < 0) ++ dev_warn(&client->dev, ++ "SW reset failed, trying to continue\n"); ++ } ++ + err = pcf85063_load_capacitance(pcf85063, client->dev.of_node, + config->force_cap_7000 ? 7000 : 0); + if (err < 0) +-- +2.39.5 + diff --git a/queue-6.1/s390-sclp-add-check-for-get_zeroed_page.patch b/queue-6.1/s390-sclp-add-check-for-get_zeroed_page.patch new file mode 100644 index 0000000000..fc6d3c81cb --- /dev/null +++ b/queue-6.1/s390-sclp-add-check-for-get_zeroed_page.patch @@ -0,0 +1,61 @@ +From 9f0920b71b20fd1c18dc5d6e8effd19a7bae3f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 10:52:16 +0800 +Subject: s390/sclp: Add check for get_zeroed_page() + +From: Haoxiang Li + +[ Upstream commit 3db42c75a921854a99db0a2775814fef97415bac ] + +Add check for the return value of get_zeroed_page() in +sclp_console_init() to prevent null pointer dereference. +Furthermore, to solve the memory leak caused by the loop +allocation, add a free helper to do the free job. + +Signed-off-by: Haoxiang Li +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20250218025216.2421548-1-haoxiang_li2024@163.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/char/sclp_con.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/s390/char/sclp_con.c b/drivers/s390/char/sclp_con.c +index e5d947c763ea5..6a030ba38bf36 100644 +--- a/drivers/s390/char/sclp_con.c ++++ b/drivers/s390/char/sclp_con.c +@@ -263,6 +263,19 @@ static struct console sclp_console = + .index = 0 /* ttyS0 */ + }; + ++/* ++ * Release allocated pages. ++ */ ++static void __init __sclp_console_free_pages(void) ++{ ++ struct list_head *page, *p; ++ ++ list_for_each_safe(page, p, &sclp_con_pages) { ++ list_del(page); ++ free_page((unsigned long)page); ++ } ++} ++ + /* + * called by console_init() in drivers/char/tty_io.c at boot-time. + */ +@@ -282,6 +295,10 @@ sclp_console_init(void) + /* Allocate pages for output buffering */ + for (i = 0; i < sclp_console_pages; i++) { + page = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA); ++ if (!page) { ++ __sclp_console_free_pages(); ++ return -ENOMEM; ++ } + list_add_tail(page, &sclp_con_pages); + } + sclp_conbuf = NULL; +-- +2.39.5 + diff --git a/queue-6.1/s390-tty-fix-a-potential-memory-leak-bug.patch b/queue-6.1/s390-tty-fix-a-potential-memory-leak-bug.patch new file mode 100644 index 0000000000..bb5c62ce81 --- /dev/null +++ b/queue-6.1/s390-tty-fix-a-potential-memory-leak-bug.patch @@ -0,0 +1,55 @@ +From e1eafb96a19fbd55f1abe74bd7f466001c972185 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Feb 2025 11:41:04 +0800 +Subject: s390/tty: Fix a potential memory leak bug + +From: Haoxiang Li + +[ Upstream commit ad9bb8f049717d64c5e62b2a44954be9f681c65b ] + +The check for get_zeroed_page() leads to a direct return +and overlooked the memory leak caused by loop allocation. +Add a free helper to free spaces allocated by get_zeroed_page(). + +Signed-off-by: Haoxiang Li +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20250218034104.2436469-1-haoxiang_li2024@163.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + drivers/s390/char/sclp_tty.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/s390/char/sclp_tty.c b/drivers/s390/char/sclp_tty.c +index 971fbb52740bf..432dad2a22664 100644 +--- a/drivers/s390/char/sclp_tty.c ++++ b/drivers/s390/char/sclp_tty.c +@@ -490,6 +490,17 @@ static const struct tty_operations sclp_ops = { + .flush_buffer = sclp_tty_flush_buffer, + }; + ++/* Release allocated pages. */ ++static void __init __sclp_tty_free_pages(void) ++{ ++ struct list_head *page, *p; ++ ++ list_for_each_safe(page, p, &sclp_tty_pages) { ++ list_del(page); ++ free_page((unsigned long)page); ++ } ++} ++ + static int __init + sclp_tty_init(void) + { +@@ -516,6 +527,7 @@ sclp_tty_init(void) + for (i = 0; i < MAX_KMEM_PAGES; i++) { + page = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA); + if (page == NULL) { ++ __sclp_tty_free_pages(); + tty_driver_kref_put(driver); + return -ENOMEM; + } +-- +2.39.5 + diff --git a/queue-6.1/sched-isolation-make-config_cpu_isolation-depend-on-.patch b/queue-6.1/sched-isolation-make-config_cpu_isolation-depend-on-.patch new file mode 100644 index 0000000000..91f3fad3cd --- /dev/null +++ b/queue-6.1/sched-isolation-make-config_cpu_isolation-depend-on-.patch @@ -0,0 +1,46 @@ +From 7a5c501dbaf5ecf904a0b5e8efbd6391530be31f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Mar 2025 15:49:55 +0200 +Subject: sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP + +From: Oleg Nesterov + +[ Upstream commit 975776841e689dd8ba36df9fa72ac3eca3c2957a ] + +kernel/sched/isolation.c obviously makes no sense without CONFIG_SMP, but +the Kconfig entry we have right now: + + config CPU_ISOLATION + bool "CPU isolation" + depends on SMP || COMPILE_TEST + +allows the creation of pointless .config's which cause +build failures. + +Reported-by: kernel test robot +Signed-off-by: Oleg Nesterov +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20250330134955.GA7910@redhat.com + +Closes: https://lore.kernel.org/oe-kbuild-all/202503260646.lrUqD3j5-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + init/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/init/Kconfig b/init/Kconfig +index b6786ddc88a80..8b6a2848da4a5 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -678,7 +678,7 @@ endmenu # "CPU/Task time and stats accounting" + + config CPU_ISOLATION + bool "CPU isolation" +- depends on SMP || COMPILE_TEST ++ depends on SMP + default y + help + Make sure that CPUs running critical tasks are not disturbed by +-- +2.39.5 + diff --git a/queue-6.1/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch b/queue-6.1/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch new file mode 100644 index 0000000000..f83bf1bece --- /dev/null +++ b/queue-6.1/scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch @@ -0,0 +1,59 @@ +From ae66d3253d1bd81933e60808ab658371538ea3e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:51:35 +0800 +Subject: scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes + +From: Xingui Yang + +[ Upstream commit daff37f00c7506ca322ccfce95d342022f06ec58 ] + +The hw port ID of phy may change when inserting disks in batches, causing +the port ID in hisi_sas_port and itct to be inconsistent with the hardware, +resulting in I/O errors. The solution is to set the device state to gone to +intercept I/O sent to the device, and then execute linkreset to discard and +find the disk to re-update its information. + +Signed-off-by: Xingui Yang +Link: https://lore.kernel.org/r/20250312095135.3048379-3-yangxingui@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 2116f5ee36e20..02855164bf28d 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -865,8 +865,28 @@ static void hisi_sas_phyup_work_common(struct work_struct *work, + container_of(work, typeof(*phy), works[event]); + struct hisi_hba *hisi_hba = phy->hisi_hba; + struct asd_sas_phy *sas_phy = &phy->sas_phy; ++ struct asd_sas_port *sas_port = sas_phy->port; ++ struct hisi_sas_port *port = phy->port; ++ struct device *dev = hisi_hba->dev; ++ struct domain_device *port_dev; + int phy_no = sas_phy->id; + ++ if (!test_bit(HISI_SAS_RESETTING_BIT, &hisi_hba->flags) && ++ sas_port && port && (port->id != phy->port_id)) { ++ dev_info(dev, "phy%d's hw port id changed from %d to %llu\n", ++ phy_no, port->id, phy->port_id); ++ port_dev = sas_port->port_dev; ++ if (port_dev && !dev_is_expander(port_dev->dev_type)) { ++ /* ++ * Set the device state to gone to block ++ * sending IO to the device. ++ */ ++ set_bit(SAS_DEV_GONE, &port_dev->state); ++ hisi_sas_notify_phy_event(phy, HISI_PHYE_LINK_RESET); ++ return; ++ } ++ } ++ + phy->wait_phyup_cnt = 0; + if (phy->identify.target_port_protocols == SAS_PROTOCOL_SSP) + hisi_hba->hw->sl_notify_ssp(hisi_hba, phy_no); +-- +2.39.5 + diff --git a/queue-6.1/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch b/queue-6.1/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch new file mode 100644 index 0000000000..12595daa28 --- /dev/null +++ b/queue-6.1/scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch @@ -0,0 +1,36 @@ +From 50a7dcea566c82bae123112bcf51715bfa8b8947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 23:03:05 +0000 +Subject: scsi: pm80xx: Set phy_attached to zero when device is gone + +From: Igor Pylypiv + +[ Upstream commit f7b705c238d1483f0a766e2b20010f176e5c0fb7 ] + +When a fatal error occurs, a phy down event may not be received to set +phy->phy_attached to zero. + +Signed-off-by: Igor Pylypiv +Signed-off-by: Salomon Dushimirimana +Link: https://lore.kernel.org/r/20250319230305.3172920-1-salomondush@google.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_sas.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c +index 8e3f2f9ddaacd..a87c3d7e3e5ca 100644 +--- a/drivers/scsi/pm8001/pm8001_sas.c ++++ b/drivers/scsi/pm8001/pm8001_sas.c +@@ -720,6 +720,7 @@ static void pm8001_dev_gone_notify(struct domain_device *dev) + spin_lock_irqsave(&pm8001_ha->lock, flags); + } + PM8001_CHIP_DISP->dereg_dev_req(pm8001_ha, device_id); ++ pm8001_ha->phy[pm8001_dev->attached_phy].phy_attached = 0; + pm8001_free_dev(pm8001_dev); + } else { + pm8001_dbg(pm8001_ha, DISC, "Found dev has gone.\n"); +-- +2.39.5 + diff --git a/queue-6.1/scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch b/queue-6.1/scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch new file mode 100644 index 0000000000..48a30f35a6 --- /dev/null +++ b/queue-6.1/scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch @@ -0,0 +1,58 @@ +From 5ede4f40245792692f98b4d4a655fe832c050fce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 15:30:18 +0000 +Subject: scsi: ufs: exynos: Ensure pre_link() executes before + exynos_ufs_phy_init() + +From: Peter Griffin + +[ Upstream commit 3d101165e72316775947d71321d97194f03dfef3 ] + +Ensure clocks are enabled before configuring unipro. Additionally move +the pre_link() hook before the exynos_ufs_phy_init() calls. This means +the register write sequence more closely resembles the ordering of the +downstream driver. + +Signed-off-by: Peter Griffin +Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-1-96722cc2ba1b@linaro.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/host/ufs-exynos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c +index 064829640c187..e981f1f8805f2 100644 +--- a/drivers/ufs/host/ufs-exynos.c ++++ b/drivers/ufs/host/ufs-exynos.c +@@ -990,9 +990,14 @@ static int exynos_ufs_pre_link(struct ufs_hba *hba) + exynos_ufs_config_intr(ufs, DFES_DEF_L4_ERRS, UNIPRO_L4); + exynos_ufs_set_unipro_pclk_div(ufs); + ++ exynos_ufs_setup_clocks(hba, true, PRE_CHANGE); ++ + /* unipro */ + exynos_ufs_config_unipro(ufs); + ++ if (ufs->drv_data->pre_link) ++ ufs->drv_data->pre_link(ufs); ++ + /* m-phy */ + exynos_ufs_phy_init(ufs); + if (!(ufs->opts & EXYNOS_UFS_OPT_SKIP_CONFIG_PHY_ATTR)) { +@@ -1000,11 +1005,6 @@ static int exynos_ufs_pre_link(struct ufs_hba *hba) + exynos_ufs_config_phy_cap_attr(ufs); + } + +- exynos_ufs_setup_clocks(hba, true, PRE_CHANGE); +- +- if (ufs->drv_data->pre_link) +- ufs->drv_data->pre_link(ufs); +- + return 0; + } + +-- +2.39.5 + diff --git a/queue-6.1/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch b/queue-6.1/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch new file mode 100644 index 0000000000..2a6eb9820f --- /dev/null +++ b/queue-6.1/selftests-mincore-allow-read-ahead-pages-to-reach-th.patch @@ -0,0 +1,62 @@ +From e7374f83f59e2cad805f45395ad5f15e2f9bde18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 16:09:40 +0800 +Subject: selftests/mincore: Allow read-ahead pages to reach the end of the + file + +From: Qiuxu Zhuo + +[ Upstream commit 197c1eaa7ba633a482ed7588eea6fd4aa57e08d4 ] + +When running the mincore_selftest on a system with an XFS file system, it +failed the "check_file_mmap" test case due to the read-ahead pages reaching +the end of the file. The failure log is as below: + + RUN global.check_file_mmap ... + mincore_selftest.c:264:check_file_mmap:Expected i (1024) < vec_size (1024) + mincore_selftest.c:265:check_file_mmap:Read-ahead pages reached the end of the file + check_file_mmap: Test failed + FAIL global.check_file_mmap + +This is because the read-ahead window size of the XFS file system on this +machine is 4 MB, which is larger than the size from the #PF address to the +end of the file. As a result, all the pages for this file are populated. + + blockdev --getra /dev/nvme0n1p5 + 8192 + blockdev --getbsz /dev/nvme0n1p5 + 512 + +This issue can be fixed by extending the current FILE_SIZE 4MB to a larger +number, but it will still fail if the read-ahead window size of the file +system is larger enough. Additionally, in the real world, read-ahead pages +reaching the end of the file can happen and is an expected behavior. +Therefore, allowing read-ahead pages to reach the end of the file is a +better choice for the "check_file_mmap" test case. + +Link: https://lore.kernel.org/r/20250311080940.21413-1-qiuxu.zhuo@intel.com +Reported-by: Yi Lai +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/mincore/mincore_selftest.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tools/testing/selftests/mincore/mincore_selftest.c b/tools/testing/selftests/mincore/mincore_selftest.c +index 4c88238fc8f05..c0ae86c28d7f3 100644 +--- a/tools/testing/selftests/mincore/mincore_selftest.c ++++ b/tools/testing/selftests/mincore/mincore_selftest.c +@@ -261,9 +261,6 @@ TEST(check_file_mmap) + TH_LOG("No read-ahead pages found in memory"); + } + +- EXPECT_LT(i, vec_size) { +- TH_LOG("Read-ahead pages reached the end of the file"); +- } + /* + * End of the readahead window. The rest of the pages shouldn't + * be in memory. +-- +2.39.5 + diff --git a/queue-6.1/selftests-ublk-fix-test_stripe_04.patch b/queue-6.1/selftests-ublk-fix-test_stripe_04.patch new file mode 100644 index 0000000000..45307ae287 --- /dev/null +++ b/queue-6.1/selftests-ublk-fix-test_stripe_04.patch @@ -0,0 +1,58 @@ +From 6003df64ffc54976906a80da99040e6982ab8e44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 08:18:49 +0800 +Subject: selftests: ublk: fix test_stripe_04 + +From: Ming Lei + +[ Upstream commit 72070e57b0a518ec8e562a2b68fdfc796ef5c040 ] + +Commit 57ed58c13256 ("selftests: ublk: enable zero copy for stripe target") +added test entry of test_stripe_04, but forgot to add the test script. + +So fix the test by adding the script file. + +Reported-by: Uday Shankar +Signed-off-by: Ming Lei +Reviewed-by: Uday Shankar +Link: https://lore.kernel.org/r/20250404001849.1443064-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + .../testing/selftests/ublk/test_stripe_04.sh | 24 +++++++++++++++++++ + 1 file changed, 24 insertions(+) + create mode 100755 tools/testing/selftests/ublk/test_stripe_04.sh + +diff --git a/tools/testing/selftests/ublk/test_stripe_04.sh b/tools/testing/selftests/ublk/test_stripe_04.sh +new file mode 100755 +index 0000000000000..1f2b642381d17 +--- /dev/null ++++ b/tools/testing/selftests/ublk/test_stripe_04.sh +@@ -0,0 +1,24 @@ ++#!/bin/bash ++# SPDX-License-Identifier: GPL-2.0 ++ ++. "$(cd "$(dirname "$0")" && pwd)"/test_common.sh ++ ++TID="stripe_04" ++ERR_CODE=0 ++ ++_prep_test "stripe" "mkfs & mount & umount on zero copy" ++ ++backfile_0=$(_create_backfile 256M) ++backfile_1=$(_create_backfile 256M) ++dev_id=$(_add_ublk_dev -t stripe -z -q 2 "$backfile_0" "$backfile_1") ++_check_add_dev $TID $? "$backfile_0" "$backfile_1" ++ ++_mkfs_mount_test /dev/ublkb"${dev_id}" ++ERR_CODE=$? ++ ++_cleanup_test "stripe" ++ ++_remove_backfile "$backfile_0" ++_remove_backfile "$backfile_1" ++ ++_show_result $TID $ERR_CODE +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index fd9c33d0f6..5457d9d85c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -94,3 +94,58 @@ usb-wdm-handle-io-errors-in-wdm_wwan_port_start.patch usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch usb-wdm-add-annotation.patch +pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch +mips-cm-detect-cm-quirks-from-device-tree.patch +crypto-null-use-spin-lock-instead-of-mutex.patch +bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch +clk-check-for-disabled-clock-provider-in-of_clk_get_.patch +parisc-pdt-fix-missing-prototype-warning.patch +s390-sclp-add-check-for-get_zeroed_page.patch +s390-tty-fix-a-potential-memory-leak-bug.patch +x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch +usb-host-max3421-hcd-add-missing-spi_device_id-table.patch +fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch +usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch +usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch +sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch +dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch +usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch +usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch +usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch +thunderbolt-scan-retimers-after-device-router-has-be.patch +objtool-silence-more-kcov-warnings.patch +objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch +objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch +qibfs-fix-_another_-leak.patch +ntb-reduce-stack-usage-in-idt_scan_mws.patch +ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch +9p-net-fix-improper-handling-of-bogus-negative-read-.patch +rtc-pcf85063-do-a-sw-reset-if-por-failed.patch +sched-isolation-make-config_cpu_isolation-depend-on-.patch +kvm-s390-don-t-use-pk-through-tracepoints.patch +udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch +selftests-ublk-fix-test_stripe_04.patch +xen-change-xen-acpi-processor-dom0-dependency.patch +nvme-requeue-namespace-scan-on-missed-aens.patch +acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch +acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch +nvme-re-read-ana-log-page-after-ns-scan-completes.patch +objtool-stop-unret-validation-on-ud2.patch +selftests-mincore-allow-read-ahead-pages-to-reach-th.patch +x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch +x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch +x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch +nvmet-fc-take-tgtport-reference-only-once.patch +nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch +ext4-make-block-validity-check-resistent-to-sb-bh-co.patch +scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch +scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch +scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch +x86-i8253-call-clockevent_i8253_disable-with-interru.patch +loop-aio-inherit-the-ioprio-of-original-request.patch +spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch +spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch +hardening-disable-gcc-randstruct-for-compile_test.patch +ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch +md-raid1-add-check-for-missing-source-disk-in-proces.patch +spi-spi-imx-add-check-for-spi_imx_setupxfer.patch diff --git a/queue-6.1/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch b/queue-6.1/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch new file mode 100644 index 0000000000..bd3217722d --- /dev/null +++ b/queue-6.1/sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch @@ -0,0 +1,108 @@ +From f265d8fc636f63f7ba198aea16f1ae575119ac1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 11:40:59 -0800 +Subject: sound/virtio: Fix cancel_sync warnings on uninitialized work_structs + +From: John Stultz + +[ Upstream commit 3c7df2e27346eb40a0e86230db1ccab195c97cfe ] + +Betty reported hitting the following warning: + +[ 8.709131][ T221] WARNING: CPU: 2 PID: 221 at kernel/workqueue.c:4182 +... +[ 8.713282][ T221] Call trace: +[ 8.713365][ T221] __flush_work+0x8d0/0x914 +[ 8.713468][ T221] __cancel_work_sync+0xac/0xfc +[ 8.713570][ T221] cancel_work_sync+0x24/0x34 +[ 8.713667][ T221] virtsnd_remove+0xa8/0xf8 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] +[ 8.713868][ T221] virtsnd_probe+0x48c/0x664 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276] +[ 8.714035][ T221] virtio_dev_probe+0x28c/0x390 +[ 8.714139][ T221] really_probe+0x1bc/0x4c8 +... + +It seems we're hitting the error path in virtsnd_probe(), which +triggers a virtsnd_remove() which iterates over the substreams +calling cancel_work_sync() on the elapsed_period work_struct. + +Looking at the code, from earlier in: +virtsnd_probe()->virtsnd_build_devs()->virtsnd_pcm_parse_cfg() + +We set snd->nsubstreams, allocate the snd->substreams, and if +we then hit an error on the info allocation or something in +virtsnd_ctl_query_info() fails, we will exit without having +initialized the elapsed_period work_struct. + +When that error path unwinds we then call virtsnd_remove() +which as long as the substreams array is allocated, will iterate +through calling cancel_work_sync() on the uninitialized work +struct hitting this warning. + +Takashi Iwai suggested this fix, which initializes the substreams +structure right after allocation, so that if we hit the error +paths we avoid trying to cleanup uninitialized data. + +Note: I have not yet managed to reproduce the issue myself, so +this patch has had limited testing. + +Feedback or thoughts would be appreciated! + +Cc: Anton Yakovlev +Cc: "Michael S. Tsirkin" +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: virtualization@lists.linux.dev +Cc: linux-sound@vger.kernel.org +Cc: kernel-team@android.com +Reported-by: Betty Zhou +Suggested-by: Takashi Iwai +Signed-off-by: John Stultz +Message-Id: <20250116194114.3375616-1-jstultz@google.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + sound/virtio/virtio_pcm.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/sound/virtio/virtio_pcm.c b/sound/virtio/virtio_pcm.c +index c10d91fff2fb0..1ddec1f4f05d5 100644 +--- a/sound/virtio/virtio_pcm.c ++++ b/sound/virtio/virtio_pcm.c +@@ -337,6 +337,21 @@ int virtsnd_pcm_parse_cfg(struct virtio_snd *snd) + if (!snd->substreams) + return -ENOMEM; + ++ /* ++ * Initialize critical substream fields early in case we hit an ++ * error path and end up trying to clean up uninitialized structures ++ * elsewhere. ++ */ ++ for (i = 0; i < snd->nsubstreams; ++i) { ++ struct virtio_pcm_substream *vss = &snd->substreams[i]; ++ ++ vss->snd = snd; ++ vss->sid = i; ++ INIT_WORK(&vss->elapsed_period, virtsnd_pcm_period_elapsed); ++ init_waitqueue_head(&vss->msg_empty); ++ spin_lock_init(&vss->lock); ++ } ++ + info = kcalloc(snd->nsubstreams, sizeof(*info), GFP_KERNEL); + if (!info) + return -ENOMEM; +@@ -350,12 +365,6 @@ int virtsnd_pcm_parse_cfg(struct virtio_snd *snd) + struct virtio_pcm_substream *vss = &snd->substreams[i]; + struct virtio_pcm *vpcm; + +- vss->snd = snd; +- vss->sid = i; +- INIT_WORK(&vss->elapsed_period, virtsnd_pcm_period_elapsed); +- init_waitqueue_head(&vss->msg_empty); +- spin_lock_init(&vss->lock); +- + rc = virtsnd_pcm_build_hw(vss, &info[i]); + if (rc) + goto on_exit; +-- +2.39.5 + diff --git a/queue-6.1/spi-spi-imx-add-check-for-spi_imx_setupxfer.patch b/queue-6.1/spi-spi-imx-add-check-for-spi_imx_setupxfer.patch new file mode 100644 index 0000000000..e88bab67aa --- /dev/null +++ b/queue-6.1/spi-spi-imx-add-check-for-spi_imx_setupxfer.patch @@ -0,0 +1,54 @@ +From d49fcefb65a25572e640674fb477aaefbe4384e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 10:16:05 +0900 +Subject: spi: spi-imx: Add check for spi_imx_setupxfer() + +From: Tamura Dai + +[ Upstream commit 951a04ab3a2db4029debfa48d380ef834b93207e ] + +Add check for the return value of spi_imx_setupxfer(). +spi_imx->rx and spi_imx->tx function pointer can be NULL when +spi_imx_setupxfer() return error, and make NULL pointer dereference. + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + Call trace: + 0x0 + spi_imx_pio_transfer+0x50/0xd8 + spi_imx_transfer_one+0x18c/0x858 + spi_transfer_one_message+0x43c/0x790 + __spi_pump_transfer_message+0x238/0x5d4 + __spi_sync+0x2b0/0x454 + spi_write_then_read+0x11c/0x200 + +Signed-off-by: Tamura Dai +Reviewed-by: Carlos Song +Link: https://patch.msgid.link/20250417011700.14436-1-kirinode0@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-imx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c +index df73a2c7120c9..13a6ebef01894 100644 +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1605,10 +1605,13 @@ static int spi_imx_transfer_one(struct spi_controller *controller, + struct spi_device *spi, + struct spi_transfer *transfer) + { ++ int ret; + struct spi_imx_data *spi_imx = spi_controller_get_devdata(spi->controller); + unsigned long hz_per_byte, byte_limit; + +- spi_imx_setupxfer(spi, transfer); ++ ret = spi_imx_setupxfer(spi, transfer); ++ if (ret < 0) ++ return ret; + transfer->effective_speed_hz = spi_imx->spi_bus_clk; + + /* flush rxfifo before transfer */ +-- +2.39.5 + diff --git a/queue-6.1/spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch b/queue-6.1/spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch new file mode 100644 index 0000000000..65e1fba0bb --- /dev/null +++ b/queue-6.1/spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch @@ -0,0 +1,48 @@ +From 261f613e49b68ee3fac0159c49f1963160cdf7c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 06:47:50 -0700 +Subject: spi: tegra210-quad: add rate limiting and simplify timeout error + message + +From: Breno Leitao + +[ Upstream commit 21f4314e66ed8d40b2ee24185d1a06a07a512eb1 ] + +On malfunctioning hardware, timeout error messages can appear thousands +of times, creating unnecessary system pressure and log bloat. This patch +makes two improvements: + +1. Replace dev_err() with dev_err_ratelimited() to prevent log flooding + when hardware errors persist +2. Remove the redundant timeout value parameter from the error message, + as 'ret' is always zero in this error path + +These changes reduce logging overhead while maintaining necessary error +reporting for debugging purposes. + +Signed-off-by: Breno Leitao +Link: https://patch.msgid.link/20250401-tegra-v2-2-126c293ec047@debian.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index 97f3a4d3c31a9..442d42130ec87 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -1111,8 +1111,8 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + QSPI_DMA_TIMEOUT); + + if (WARN_ON_ONCE(ret == 0)) { +- dev_err(tqspi->dev, "QSPI Transfer failed with timeout: %d\n", +- ret); ++ dev_err_ratelimited(tqspi->dev, ++ "QSPI Transfer failed with timeout\n"); + if (tqspi->is_curr_dma_xfer && + (tqspi->cur_direction & DATA_DIR_TX)) + dmaengine_terminate_all +-- +2.39.5 + diff --git a/queue-6.1/spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch b/queue-6.1/spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch new file mode 100644 index 0000000000..6031fd17e3 --- /dev/null +++ b/queue-6.1/spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch @@ -0,0 +1,44 @@ +From 20c254a43117101d59044f25dee76afd98172336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 06:47:49 -0700 +Subject: spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts + +From: Breno Leitao + +[ Upstream commit 41c721fc093938745d116c3a21326a0ee03bb491 ] + +Some machines with tegra_qspi_combined_seq_xfer hardware issues generate +excessive kernel warnings, severely polluting the logs: + + dmesg | grep -i "WARNING:.*tegra_qspi_transfer_one_message" | wc -l + 94451 + +This patch replaces WARN_ON with WARN_ON_ONCE for timeout conditions to +reduce log spam. The subsequent error message still prints on each +occurrence, providing sufficient information about the failure, while +the stack trace is only needed once for debugging purposes. + +Signed-off-by: Breno Leitao +Link: https://patch.msgid.link/20250401-tegra-v2-1-126c293ec047@debian.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-tegra210-quad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c +index 5ac5cb885552b..97f3a4d3c31a9 100644 +--- a/drivers/spi/spi-tegra210-quad.c ++++ b/drivers/spi/spi-tegra210-quad.c +@@ -1110,7 +1110,7 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi, + (&tqspi->xfer_completion, + QSPI_DMA_TIMEOUT); + +- if (WARN_ON(ret == 0)) { ++ if (WARN_ON_ONCE(ret == 0)) { + dev_err(tqspi->dev, "QSPI Transfer failed with timeout: %d\n", + ret); + if (tqspi->is_curr_dma_xfer && +-- +2.39.5 + diff --git a/queue-6.1/thunderbolt-scan-retimers-after-device-router-has-be.patch b/queue-6.1/thunderbolt-scan-retimers-after-device-router-has-be.patch new file mode 100644 index 0000000000..b2eacc9916 --- /dev/null +++ b/queue-6.1/thunderbolt-scan-retimers-after-device-router-has-be.patch @@ -0,0 +1,68 @@ +From 2028116595752f0920a0d621c72c32c745b10a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 10:53:21 +0200 +Subject: thunderbolt: Scan retimers after device router has been enumerated + +From: Mika Westerberg + +[ Upstream commit 75749d2c1d8cef439f8b69fa1f4f36d0fc3193e6 ] + +Thomas reported connection issues on AMD system with Pluggable UD-4VPD +dock. After some experiments it looks like the device has some sort of +internal timeout that triggers reconnect. This is completely against the +USB4 spec, as there is no requirement for the host to enumerate the +device right away or even at all. + +In Linux case the delay is caused by scanning of retimers on the link so +we can work this around by doing the scanning after the device router +has been enumerated. + +Reported-by: Thomas Lynema +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219748 +Reviewed-by: Mario Limonciello +Signed-off-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/tb.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c +index c592032657a1e..0668e1645bc50 100644 +--- a/drivers/thunderbolt/tb.c ++++ b/drivers/thunderbolt/tb.c +@@ -640,11 +640,15 @@ static void tb_scan_port(struct tb_port *port) + goto out_rpm_put; + } + +- tb_retimer_scan(port, true); +- + sw = tb_switch_alloc(port->sw->tb, &port->sw->dev, + tb_downstream_route(port)); + if (IS_ERR(sw)) { ++ /* ++ * Make the downstream retimers available even if there ++ * is no router connected. ++ */ ++ tb_retimer_scan(port, true); ++ + /* + * If there is an error accessing the connected switch + * it may be connected to another domain. Also we allow +@@ -704,6 +708,14 @@ static void tb_scan_port(struct tb_port *port) + tb_switch_lane_bonding_enable(sw); + /* Set the link configured */ + tb_switch_configure_link(sw); ++ /* ++ * Scan for downstream retimers. We only scan them after the ++ * router has been enumerated to avoid issues with certain ++ * Pluggable devices that expect the host to enumerate them ++ * within certain timeout. ++ */ ++ tb_retimer_scan(port, true); ++ + /* + * CL0s and CL1 are enabled and supported together. + * Silently ignore CLx enabling in case CLx is not supported. +-- +2.39.5 + diff --git a/queue-6.1/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch b/queue-6.1/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch new file mode 100644 index 0000000000..ebce87dc76 --- /dev/null +++ b/queue-6.1/ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch @@ -0,0 +1,90 @@ +From df7f90c617b8378450cb400d563a727a0ccfba77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:33:54 +0000 +Subject: ubsan: Fix panic from test_ubsan_out_of_bounds + +From: Mostafa Saleh + +[ Upstream commit 9b044614be12d78d3a93767708b8d02fb7dfa9b0 ] + +Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the +kernel: + +[ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan] +[ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT +[ 31.648153] Hardware name: linux,dummy-virt (DT) +[ 31.648970] Call trace: +[ 31.649345] show_stack+0x18/0x24 (C) +[ 31.650960] dump_stack_lvl+0x40/0x84 +[ 31.651559] dump_stack+0x18/0x24 +[ 31.652264] panic+0x138/0x3b4 +[ 31.652812] __ktime_get_real_seconds+0x0/0x10 +[ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan] +[ 31.654388] init_module+0x24/0xff4 [test_ubsan] +[ 31.655077] do_one_initcall+0xd4/0x280 +[ 31.655680] do_init_module+0x58/0x2b4 + +That happens because the test corrupts other data in the stack: +400: d5384108 mrs x8, sp_el0 +404: f9426d08 ldr x8, [x8, #1240] +408: f85f83a9 ldur x9, [x29, #-8] +40c: eb09011f cmp x8, x9 +410: 54000301 b.ne 470 // b.any + +As there is no guarantee the compiler will order the local variables +as declared in the module: + volatile char above[4] = { }; /* Protect surrounding memory. */ + volatile int arr[4]; + volatile char below[4] = { }; /* Protect surrounding memory. */ + +There is another problem where the out-of-bound index is 5 which is larger +than the extra surrounding memory for protection. + +So, use a struct to enforce the ordering, and fix the index to be 4. +Also, remove some of the volatiles and rely on OPTIMIZER_HIDE_VAR() + +Signed-off-by: Mostafa Saleh +Link: https://lore.kernel.org/r/20250415203354.4109415-1-smostafa@google.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + lib/test_ubsan.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c +index 2062be1f2e80f..f90f2b9842ec4 100644 +--- a/lib/test_ubsan.c ++++ b/lib/test_ubsan.c +@@ -35,18 +35,22 @@ static void test_ubsan_shift_out_of_bounds(void) + + static void test_ubsan_out_of_bounds(void) + { +- volatile int i = 4, j = 5, k = -1; +- volatile char above[4] = { }; /* Protect surrounding memory. */ +- volatile int arr[4]; +- volatile char below[4] = { }; /* Protect surrounding memory. */ ++ int i = 4, j = 4, k = -1; ++ volatile struct { ++ char above[4]; /* Protect surrounding memory. */ ++ int arr[4]; ++ char below[4]; /* Protect surrounding memory. */ ++ } data; + +- above[0] = below[0]; ++ OPTIMIZER_HIDE_VAR(i); ++ OPTIMIZER_HIDE_VAR(j); ++ OPTIMIZER_HIDE_VAR(k); + + UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above"); +- arr[j] = i; ++ data.arr[j] = i; + + UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below"); +- arr[k] = i; ++ data.arr[k] = i; + } + + enum ubsan_test_enum { +-- +2.39.5 + diff --git a/queue-6.1/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch b/queue-6.1/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch new file mode 100644 index 0000000000..5b1c4f7d03 --- /dev/null +++ b/queue-6.1/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch @@ -0,0 +1,38 @@ +From 80d4b69a038ed2d5ad2cea074ea291a21188fb6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 11:41:26 -0500 +Subject: udmabuf: fix a buf size overflow issue during udmabuf creation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xiaogang Chen + +[ Upstream commit 021ba7f1babd029e714d13a6bf2571b08af96d0f ] + +by casting size_limit_mb to u64 when calculate pglimit. + +Signed-off-by: Xiaogang Chen +Link: https://patchwork.freedesktop.org/patch/msgid/20250321164126.329638-1-xiaogang.chen@amd.com +Signed-off-by: Christian König +Signed-off-by: Sasha Levin +--- + drivers/dma-buf/udmabuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c +index ef99174d81ced..546bba502fbc1 100644 +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -186,7 +186,7 @@ static long udmabuf_create(struct miscdevice *device, + if (!ubuf) + return -ENOMEM; + +- pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT; ++ pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT; + for (i = 0; i < head->count; i++) { + if (!IS_ALIGNED(list[i].offset, PAGE_SIZE)) + goto err; +-- +2.39.5 + diff --git a/queue-6.1/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch b/queue-6.1/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch new file mode 100644 index 0000000000..9e54704bec --- /dev/null +++ b/queue-6.1/usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch @@ -0,0 +1,68 @@ +From 8db659967ef5d2a55ca315b8ae706cbb59eb1c98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 21:28:04 +0200 +Subject: usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andy Shevchenko + +[ Upstream commit 461f24bff86808ee5fbfe74751a825f8a7ab24e0 ] + +Intel Merrifield SoC uses these endpoints for tracing and they cannot +be re-allocated if being used because the side band flow control signals +are hard wired to certain endpoints: + +• 1 High BW Bulk IN (IN#1) (RTIT) +• 1 1KB BW Bulk IN (IN#8) + 1 1KB BW Bulk OUT (Run Control) (OUT#8) + +In device mode, since RTIT (EP#1) and EXI/RunControl (EP#8) uses +External Buffer Control (EBC) mode, these endpoints are to be mapped to +EBC mode (to be done by EXI target driver). Additionally TRB for RTIT +and EXI are maintained in STM (System Trace Module) unit and the EXI +target driver will as well configure the TRB location for EP #1 IN +and EP#8 (IN and OUT). Since STM/PTI and EXI hardware blocks manage +these endpoints and interface to OTG3 controller through EBC interface, +there is no need to enable any events (such as XferComplete etc) +for these end points. + +Signed-off-by: Andy Shevchenko +Tested-by: Ferry Toth +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250212193116.2487289-5-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-pci.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index 6110ab1f91318..e2401cc4f1556 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -143,11 +143,21 @@ static const struct property_entry dwc3_pci_intel_byt_properties[] = { + {} + }; + ++/* ++ * Intel Merrifield SoC uses these endpoints for tracing and they cannot ++ * be re-allocated if being used because the side band flow control signals ++ * are hard wired to certain endpoints: ++ * - 1 High BW Bulk IN (IN#1) (RTIT) ++ * - 1 1KB BW Bulk IN (IN#8) + 1 1KB BW Bulk OUT (Run Control) (OUT#8) ++ */ ++static const u8 dwc3_pci_mrfld_reserved_endpoints[] = { 3, 16, 17 }; ++ + static const struct property_entry dwc3_pci_mrfld_properties[] = { + PROPERTY_ENTRY_STRING("dr_mode", "otg"), + PROPERTY_ENTRY_STRING("linux,extcon-name", "mrfld_bcove_pwrsrc"), + PROPERTY_ENTRY_BOOL("snps,dis_u3_susphy_quirk"), + PROPERTY_ENTRY_BOOL("snps,dis_u2_susphy_quirk"), ++ PROPERTY_ENTRY_U8_ARRAY("snps,reserved-endpoints", dwc3_pci_mrfld_reserved_endpoints), + PROPERTY_ENTRY_BOOL("snps,usb2-gadget-lpm-disable"), + PROPERTY_ENTRY_BOOL("linux,sysdev_is_parent"), + {} +-- +2.39.5 + diff --git a/queue-6.1/usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch b/queue-6.1/usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch new file mode 100644 index 0000000000..278c150820 --- /dev/null +++ b/queue-6.1/usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch @@ -0,0 +1,89 @@ +From 0e6a5b72c3ea6005a3c433d433db03a9d105dd51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 21:28:02 +0200 +Subject: usb: dwc3: gadget: Refactor loop to avoid NULL endpoints + +From: Andy Shevchenko + +[ Upstream commit eafba0205426091354f050381c32ad1567c35844 ] + +Prepare the gadget driver to handle the reserved endpoints that will be +not allocated at the initialisation time. + +While at it, add a warning where the NULL endpoint should never happen. + +Signed-off-by: Andy Shevchenko +Tested-by: Ferry Toth +Acked-by: Thinh Nguyen +Link: https://lore.kernel.org/r/20250212193116.2487289-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 75f24febaee4b..3360a59c3d331 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -555,6 +555,7 @@ static int dwc3_gadget_set_xfer_resource(struct dwc3_ep *dep) + int dwc3_gadget_start_config(struct dwc3 *dwc, unsigned int resource_index) + { + struct dwc3_gadget_ep_cmd_params params; ++ struct dwc3_ep *dep; + u32 cmd; + int i; + int ret; +@@ -571,8 +572,13 @@ int dwc3_gadget_start_config(struct dwc3 *dwc, unsigned int resource_index) + return ret; + + /* Reset resource allocation flags */ +- for (i = resource_index; i < dwc->num_eps && dwc->eps[i]; i++) +- dwc->eps[i]->flags &= ~DWC3_EP_RESOURCE_ALLOCATED; ++ for (i = resource_index; i < dwc->num_eps; i++) { ++ dep = dwc->eps[i]; ++ if (!dep) ++ continue; ++ ++ dep->flags &= ~DWC3_EP_RESOURCE_ALLOCATED; ++ } + + return 0; + } +@@ -721,9 +727,11 @@ void dwc3_gadget_clear_tx_fifos(struct dwc3 *dwc) + + dwc->last_fifo_depth = fifo_depth; + /* Clear existing TXFIFO for all IN eps except ep0 */ +- for (num = 3; num < min_t(int, dwc->num_eps, DWC3_ENDPOINTS_NUM); +- num += 2) { ++ for (num = 3; num < min_t(int, dwc->num_eps, DWC3_ENDPOINTS_NUM); num += 2) { + dep = dwc->eps[num]; ++ if (!dep) ++ continue; ++ + /* Don't change TXFRAMNUM on usb31 version */ + size = DWC3_IP_IS(DWC3) ? 0 : + dwc3_readl(dwc->regs, DWC3_GTXFIFOSIZ(num >> 1)) & +@@ -3525,6 +3533,8 @@ static bool dwc3_gadget_endpoint_trbs_complete(struct dwc3_ep *dep, + + for (i = 0; i < DWC3_ENDPOINTS_NUM; i++) { + dep = dwc->eps[i]; ++ if (!dep) ++ continue; + + if (!(dep->flags & DWC3_EP_ENABLED)) + continue; +@@ -3713,6 +3723,10 @@ static void dwc3_endpoint_interrupt(struct dwc3 *dwc, + u8 epnum = event->endpoint_number; + + dep = dwc->eps[epnum]; ++ if (!dep) { ++ dev_warn(dwc->dev, "spurious event, endpoint %u is not allocated\n", epnum); ++ return; ++ } + + if (!(dep->flags & DWC3_EP_ENABLED)) { + if ((epnum > 1) && !(dep->flags & DWC3_EP_TRANSFER_STARTED)) +-- +2.39.5 + diff --git a/queue-6.1/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch b/queue-6.1/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch new file mode 100644 index 0000000000..e27fd4b7af --- /dev/null +++ b/queue-6.1/usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch @@ -0,0 +1,41 @@ +From 7ef7ff17b7f9d8d066204abe74e20f6223c6ac28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 20:27:05 -0500 +Subject: usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() + +From: Chenyuan Yang + +[ Upstream commit 8c75f3e6a433d92084ad4e78b029ae680865420f ] + +The variable d->name, returned by devm_kasprintf(), could be NULL. +A pointer check is added to prevent potential NULL pointer dereference. +This is similar to the fix in commit 3027e7b15b02 +("ice: Fix some null pointer dereference issues in ice_ptp.c"). + +This issue is found by our static analysis tool + +Signed-off-by: Chenyuan Yang +Link: https://lore.kernel.org/r/20250311012705.1233829-1-chenyuan0y@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/gadget/udc/aspeed-vhub/dev.c b/drivers/usb/gadget/udc/aspeed-vhub/dev.c +index 4f3bc27c1c628..73664a123c7a0 100644 +--- a/drivers/usb/gadget/udc/aspeed-vhub/dev.c ++++ b/drivers/usb/gadget/udc/aspeed-vhub/dev.c +@@ -549,6 +549,9 @@ int ast_vhub_init_dev(struct ast_vhub *vhub, unsigned int idx) + d->vhub = vhub; + d->index = idx; + d->name = devm_kasprintf(parent, GFP_KERNEL, "port%d", idx+1); ++ if (!d->name) ++ return -ENOMEM; ++ + d->regs = vhub->regs + 0x100 + 0x10 * idx; + + ast_vhub_init_ep0(vhub, &d->ep0, d); +-- +2.39.5 + diff --git a/queue-6.1/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch b/queue-6.1/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch new file mode 100644 index 0000000000..33a550f0ac --- /dev/null +++ b/queue-6.1/usb-host-max3421-hcd-add-missing-spi_device_id-table.patch @@ -0,0 +1,51 @@ +From c5132b48c20f3a668a739134ae87390d5a03f380 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 20:51:13 +0100 +Subject: usb: host: max3421-hcd: Add missing spi_device_id table + +From: Alexander Stein + +[ Upstream commit 41d5e3806cf589f658f92c75195095df0b66f66a ] + +"maxim,max3421" DT compatible is missing its SPI device ID entry, not +allowing module autoloading and leading to the following message: + "SPI driver max3421-hcd has no spi_device_id for maxim,max3421" + +Fix this by adding the spi_device_id table. + +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20250128195114.56321-1-alexander.stein@mailbox.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/max3421-hcd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c +index ab12d76b01fbe..8aaafba058aa9 100644 +--- a/drivers/usb/host/max3421-hcd.c ++++ b/drivers/usb/host/max3421-hcd.c +@@ -1955,6 +1955,12 @@ max3421_remove(struct spi_device *spi) + usb_put_hcd(hcd); + } + ++static const struct spi_device_id max3421_spi_ids[] = { ++ { "max3421" }, ++ { }, ++}; ++MODULE_DEVICE_TABLE(spi, max3421_spi_ids); ++ + static const struct of_device_id max3421_of_match_table[] = { + { .compatible = "maxim,max3421", }, + {}, +@@ -1964,6 +1970,7 @@ MODULE_DEVICE_TABLE(of, max3421_of_match_table); + static struct spi_driver max3421_driver = { + .probe = max3421_probe, + .remove = max3421_remove, ++ .id_table = max3421_spi_ids, + .driver = { + .name = "max3421-hcd", + .of_match_table = of_match_ptr(max3421_of_match_table), +-- +2.39.5 + diff --git a/queue-6.1/usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch b/queue-6.1/usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch new file mode 100644 index 0000000000..373f0b5f8d --- /dev/null +++ b/queue-6.1/usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch @@ -0,0 +1,84 @@ +From 4e5b04b860d5bd1ed9526e77e74331d518a308ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 18:36:46 +0100 +Subject: usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk() + func +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Théo Lebrun + +[ Upstream commit 64eb182d5f7a5ec30227bce4f6922ff663432f44 ] + +Compatible "marvell,armada3700-xhci" match data uses the +struct xhci_plat_priv::init_quirk() function pointer to add +XHCI_RESET_ON_RESUME as quirk on XHCI. + +Instead, use the struct xhci_plat_priv::quirks field. + +Signed-off-by: Théo Lebrun +Link: https://lore.kernel.org/r/20250205-s2r-cdns-v7-1-13658a271c3c@bootlin.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mvebu.c | 10 ---------- + drivers/usb/host/xhci-mvebu.h | 6 ------ + drivers/usb/host/xhci-plat.c | 2 +- + 3 files changed, 1 insertion(+), 17 deletions(-) + +diff --git a/drivers/usb/host/xhci-mvebu.c b/drivers/usb/host/xhci-mvebu.c +index 87f1597a0e5ab..257e4d79971fd 100644 +--- a/drivers/usb/host/xhci-mvebu.c ++++ b/drivers/usb/host/xhci-mvebu.c +@@ -73,13 +73,3 @@ int xhci_mvebu_mbus_init_quirk(struct usb_hcd *hcd) + + return 0; + } +- +-int xhci_mvebu_a3700_init_quirk(struct usb_hcd *hcd) +-{ +- struct xhci_hcd *xhci = hcd_to_xhci(hcd); +- +- /* Without reset on resume, the HC won't work at all */ +- xhci->quirks |= XHCI_RESET_ON_RESUME; +- +- return 0; +-} +diff --git a/drivers/usb/host/xhci-mvebu.h b/drivers/usb/host/xhci-mvebu.h +index 3be021793cc8b..9d26e22c48422 100644 +--- a/drivers/usb/host/xhci-mvebu.h ++++ b/drivers/usb/host/xhci-mvebu.h +@@ -12,16 +12,10 @@ struct usb_hcd; + + #if IS_ENABLED(CONFIG_USB_XHCI_MVEBU) + int xhci_mvebu_mbus_init_quirk(struct usb_hcd *hcd); +-int xhci_mvebu_a3700_init_quirk(struct usb_hcd *hcd); + #else + static inline int xhci_mvebu_mbus_init_quirk(struct usb_hcd *hcd) + { + return 0; + } +- +-static inline int xhci_mvebu_a3700_init_quirk(struct usb_hcd *hcd) +-{ +- return 0; +-} + #endif + #endif /* __LINUX_XHCI_MVEBU_H */ +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index b387d39bfb81d..59f1cb68e6579 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -111,7 +111,7 @@ static const struct xhci_plat_priv xhci_plat_marvell_armada = { + }; + + static const struct xhci_plat_priv xhci_plat_marvell_armada3700 = { +- .init_quirk = xhci_mvebu_a3700_init_quirk, ++ .quirks = XHCI_RESET_ON_RESUME, + }; + + static const struct xhci_plat_priv xhci_plat_renesas_rcar_gen2 = { +-- +2.39.5 + diff --git a/queue-6.1/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch b/queue-6.1/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch new file mode 100644 index 0000000000..4689f5b313 --- /dev/null +++ b/queue-6.1/usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch @@ -0,0 +1,57 @@ +From 7a51f339181640f7b1eeb1f9b04f986403c6696b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 17:45:51 +0200 +Subject: usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems + Running + +From: Michal Pecio + +[ Upstream commit 28a76fcc4c85dd39633fb96edb643c91820133e3 ] + +Nothing prevents a broken HC from claiming that an endpoint is Running +and repeatedly rejecting Stop Endpoint with Context State Error. + +Avoid infinite retries and give back cancelled TDs. + +No such cases known so far, but HCs have bugs. + +Signed-off-by: Michal Pecio +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250311154551.4035726-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 85a2b3ca05075..0862fdd3e5682 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1175,16 +1175,19 @@ static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id, + * Stopped state, but it will soon change to Running. + * + * Assume this bug on unexpected Stop Endpoint failures. +- * Keep retrying until the EP starts and stops again, on +- * chips where this is known to help. Wait for 100ms. ++ * Keep retrying until the EP starts and stops again. + */ +- if (time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100))) +- break; + fallthrough; + case EP_STATE_RUNNING: + /* Race, HW handled stop ep cmd before ep was running */ + xhci_dbg(xhci, "Stop ep completion ctx error, ctx_state %d\n", + GET_EP_CTX_STATE(ep_ctx)); ++ /* ++ * Don't retry forever if we guessed wrong or a defective HC never starts ++ * the EP or says 'Running' but fails the command. We must give back TDs. ++ */ ++ if (time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100))) ++ break; + + command = xhci_alloc_command(xhci, false, GFP_ATOMIC); + if (!command) { +-- +2.39.5 + diff --git a/queue-6.1/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch b/queue-6.1/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch new file mode 100644 index 0000000000..b510bd1bb1 --- /dev/null +++ b/queue-6.1/x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch @@ -0,0 +1,113 @@ +From eb95a55f1c9f90bf52152dc8ef5dae6600495158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 14:47:34 -0700 +Subject: x86/bugs: Don't fill RSB on context switch with eIBRS + +From: Josh Poimboeuf + +[ Upstream commit 27ce8299bc1ec6df8306073785ff82b30b3cc5ee ] + +User->user Spectre v2 attacks (including RSB) across context switches +are already mitigated by IBPB in cond_mitigation(), if enabled globally +or if either the prev or the next task has opted in to protection. RSB +filling without IBPB serves no purpose for protecting user space, as +indirect branches are still vulnerable. + +User->kernel RSB attacks are mitigated by eIBRS. In which case the RSB +filling on context switch isn't needed, so remove it. + +Suggested-by: Pawan Gupta +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Reviewed-by: Pawan Gupta +Reviewed-by: Amit Shah +Reviewed-by: Nikolay Borisov +Link: https://lore.kernel.org/r/98cdefe42180358efebf78e3b80752850c7a3e1b.1744148254.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 24 ++++++++++++------------ + arch/x86/mm/tlb.c | 6 +++--- + 2 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index f0f184afa44f3..0be0edb07a2a9 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1553,7 +1553,7 @@ static void __init spec_ctrl_disable_kernel_rrsba(void) + rrsba_disabled = true; + } + +-static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode) ++static void __init spectre_v2_select_rsb_mitigation(enum spectre_v2_mitigation mode) + { + /* + * Similar to context switches, there are two types of RSB attacks +@@ -1577,7 +1577,7 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ + */ + switch (mode) { + case SPECTRE_V2_NONE: +- return; ++ break; + + case SPECTRE_V2_EIBRS: + case SPECTRE_V2_EIBRS_LFENCE: +@@ -1586,18 +1586,21 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ + pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n"); + setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + } +- return; ++ break; + + case SPECTRE_V2_RETPOLINE: + case SPECTRE_V2_LFENCE: + case SPECTRE_V2_IBRS: +- pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n"); ++ pr_info("Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT\n"); ++ setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); + setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); +- return; +- } ++ break; + +- pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit"); +- dump_stack(); ++ default: ++ pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation\n"); ++ dump_stack(); ++ break; ++ } + } + + /* +@@ -1822,10 +1825,7 @@ static void __init spectre_v2_select_mitigation(void) + * + * FIXME: Is this pointless for retbleed-affected AMD? + */ +- setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); +- pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n"); +- +- spectre_v2_determine_rsb_fill_type_at_vmexit(mode); ++ spectre_v2_select_rsb_mitigation(mode); + + /* + * Retpoline protects the kernel, but doesn't protect firmware. IBRS +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index b07e2167fcebf..8d46b9c0e9204 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -385,9 +385,9 @@ static void cond_mitigation(struct task_struct *next) + prev_mm = this_cpu_read(cpu_tlbstate.last_user_mm_spec); + + /* +- * Avoid user/user BTB poisoning by flushing the branch predictor +- * when switching between processes. This stops one process from +- * doing Spectre-v2 attacks on another. ++ * Avoid user->user BTB/RSB poisoning by flushing them when switching ++ * between processes. This stops one process from doing Spectre-v2 ++ * attacks on another. + * + * Both, the conditional and the always IBPB mode use the mm + * pointer to avoid the IBPB when switching between tasks of the +-- +2.39.5 + diff --git a/queue-6.1/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch b/queue-6.1/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch new file mode 100644 index 0000000000..3cb83bbc20 --- /dev/null +++ b/queue-6.1/x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch @@ -0,0 +1,64 @@ +From 6f6058fdc2f5e1a4d332a843a6f49997c234f803 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 14:47:33 -0700 +Subject: x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline + +From: Josh Poimboeuf + +[ Upstream commit 18bae0dfec15b24ec14ca17dc18603372f5f254f ] + +eIBRS protects against guest->host RSB underflow/poisoning attacks. +Adding retpoline to the mix doesn't change that. Retpoline has a +balanced CALL/RET anyway. + +So the current full RSB filling on VMEXIT with eIBRS+retpoline is +overkill. Disable it or do the VMEXIT_LITE mitigation if needed. + +Suggested-by: Pawan Gupta +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Reviewed-by: Pawan Gupta +Reviewed-by: Amit Shah +Reviewed-by: Nikolay Borisov +Cc: Paolo Bonzini +Cc: Vitaly Kuznetsov +Cc: Sean Christopherson +Cc: David Woodhouse +Link: https://lore.kernel.org/r/84a1226e5c9e2698eae1b5ade861f1b8bf3677dc.1744148254.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 7d73b53115514..f0f184afa44f3 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1579,20 +1579,20 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_ + case SPECTRE_V2_NONE: + return; + +- case SPECTRE_V2_EIBRS_LFENCE: + case SPECTRE_V2_EIBRS: ++ case SPECTRE_V2_EIBRS_LFENCE: ++ case SPECTRE_V2_EIBRS_RETPOLINE: + if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) { +- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n"); ++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE); + } + return; + +- case SPECTRE_V2_EIBRS_RETPOLINE: + case SPECTRE_V2_RETPOLINE: + case SPECTRE_V2_LFENCE: + case SPECTRE_V2_IBRS: +- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); + pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n"); ++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT); + return; + } + +-- +2.39.5 + diff --git a/queue-6.1/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch b/queue-6.1/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch new file mode 100644 index 0000000000..4f4865d930 --- /dev/null +++ b/queue-6.1/x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch @@ -0,0 +1,41 @@ +From 76d3d8f283f519f1a566aafe0ceef4a172df7b31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 14:47:31 -0700 +Subject: x86/bugs: Use SBPB in write_ibpb() if applicable + +From: Josh Poimboeuf + +[ Upstream commit fc9fd3f98423367c79e0bd85a9515df26dc1b3cc ] + +write_ibpb() does IBPB, which (among other things) flushes branch type +predictions on AMD. If the CPU has SRSO_NO, or if the SRSO mitigation +has been disabled, branch type flushing isn't needed, in which case the +lighter-weight SBPB can be used. + +The 'x86_pred_cmd' variable already keeps track of whether IBPB or SBPB +should be used. Use that instead of hardcoding IBPB. + +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/17c5dcd14b29199b75199d67ff7758de9d9a4928.1744148254.git.jpoimboe@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/entry/entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S +index f4419afc7147d..bda217961172b 100644 +--- a/arch/x86/entry/entry.S ++++ b/arch/x86/entry/entry.S +@@ -16,7 +16,7 @@ + + SYM_FUNC_START(entry_ibpb) + movl $MSR_IA32_PRED_CMD, %ecx +- movl $PRED_CMD_IBPB, %eax ++ movl _ASM_RIP(x86_pred_cmd), %eax + xorl %edx, %edx + wrmsr + +-- +2.39.5 + diff --git a/queue-6.1/x86-i8253-call-clockevent_i8253_disable-with-interru.patch b/queue-6.1/x86-i8253-call-clockevent_i8253_disable-with-interru.patch new file mode 100644 index 0000000000..593647beb6 --- /dev/null +++ b/queue-6.1/x86-i8253-call-clockevent_i8253_disable-with-interru.patch @@ -0,0 +1,73 @@ +From 1617a92ba6366333b6d63576294bc4aa8bb043c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:23:03 +0200 +Subject: x86/i8253: Call clockevent_i8253_disable() with interrupts disabled + +From: Fernando Fernandez Mancera + +[ Upstream commit 3940f5349b476197fb079c5aa19c9a988de64efb ] + +There's a lockdep false positive warning related to i8253_lock: + + WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected + ... + systemd-sleep/3324 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: + ffffffffb2c23398 (i8253_lock){+.+.}-{2:2}, at: pcspkr_event+0x3f/0xe0 [pcspkr] + + ... + ... which became HARDIRQ-irq-unsafe at: + ... + lock_acquire+0xd0/0x2f0 + _raw_spin_lock+0x30/0x40 + clockevent_i8253_disable+0x1c/0x60 + pit_timer_init+0x25/0x50 + hpet_time_init+0x46/0x50 + x86_late_time_init+0x1b/0x40 + start_kernel+0x962/0xa00 + x86_64_start_reservations+0x24/0x30 + x86_64_start_kernel+0xed/0xf0 + common_startup_64+0x13e/0x141 + ... + +Lockdep complains due pit_timer_init() using the lock in an IRQ-unsafe +fashion, but it's a false positive, because there is no deadlock +possible at that point due to init ordering: at the point where +pit_timer_init() is called there is no other possible usage of +i8253_lock because the system is still in the very early boot stage +with no interrupts. + +But in any case, pit_timer_init() should disable interrupts before +calling clockevent_i8253_disable() out of general principle, and to +keep lockdep working even in this scenario. + +Use scoped_guard() for that, as suggested by Thomas Gleixner. + +[ mingo: Cleaned up the changelog. ] + +Suggested-by: Thomas Gleixner +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Ingo Molnar +Reviewed-by: Thomas Gleixner +Link: https://lore.kernel.org/r/Z-uwd4Bnn7FcCShX@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/i8253.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/i8253.c b/arch/x86/kernel/i8253.c +index 80e262bb627fe..cb9852ad60989 100644 +--- a/arch/x86/kernel/i8253.c ++++ b/arch/x86/kernel/i8253.c +@@ -46,7 +46,8 @@ bool __init pit_timer_init(void) + * VMMs otherwise steal CPU time just to pointlessly waggle + * the (masked) IRQ. + */ +- clockevent_i8253_disable(); ++ scoped_guard(irq) ++ clockevent_i8253_disable(); + return false; + } + clockevent_i8253_init(true); +-- +2.39.5 + diff --git a/queue-6.1/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch b/queue-6.1/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch new file mode 100644 index 0000000000..54ef49baa3 --- /dev/null +++ b/queue-6.1/x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch @@ -0,0 +1,97 @@ +From d072ec1a548db49a88b8e861e8a25bce08206008 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 21:48:48 +0100 +Subject: x86/Kconfig: Make CONFIG_PCI_CNB20LE_QUIRK depend on X86_32 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mateusz Jończyk + +[ Upstream commit d9f87802676bb23b9425aea8ad95c76ad9b50c6e ] + +I was unable to find a good description of the ServerWorks CNB20LE +chipset. However, it was probably exclusively used with the Pentium III +processor (this CPU model was used in all references to it that I +found where the CPU model was provided: dmesgs in [1] and [2]; +[3] page 2; [4]-[7]). + +As is widely known, the Pentium III processor did not support the 64-bit +mode, support for which was introduced by Intel a couple of years later. +So it is safe to assume that no systems with the CNB20LE chipset have +amd64 and the CONFIG_PCI_CNB20LE_QUIRK may now depend on X86_32. + +Additionally, I have determined that most computers with the CNB20LE +chipset did have ACPI support and this driver was inactive on them. +I have submitted a patch to remove this driver, but it was met with +resistance [8]. + +[1] Jim Studt, Re: Problem with ServerWorks CNB20LE and lost interrupts + Linux Kernel Mailing List, https://lkml.org/lkml/2002/1/11/111 + +[2] RedHat Bug 665109 - e100 problems on old Compaq Proliant DL320 + https://bugzilla.redhat.com/show_bug.cgi?id=665109 + +[3] R. Hughes-Jones, S. Dallison, G. Fairey, Performance Measurements on + Gigabit Ethernet NICs and Server Quality Motherboards, + http://datatag.web.cern.ch/papers/pfldnet2003-rhj.doc + +[4] "Hardware for Linux", + Probe #d6b5151873 of Intel STL2-bd A28808-302 Desktop Computer (STL2) + https://linux-hardware.org/?probe=d6b5151873 + +[5] "Hardware for Linux", Probe #0b5d843f10 of Compaq ProLiant DL380 + https://linux-hardware.org/?probe=0b5d843f10 + +[6] Ubuntu Forums, Dell Poweredge 2400 - Adaptec SCSI Bus AIC-7880 + https://ubuntuforums.org/showthread.php?t=1689552 + +[7] Ira W. Snyder, "BISECTED: 2.6.35 (and -git) fail to boot: APIC problems" + https://lkml.org/lkml/2010/8/13/220 + +[8] Bjorn Helgaas, "Re: [PATCH] x86/pci: drop ServerWorks / Broadcom + CNB20LE PCI host bridge driver" + https://lore.kernel.org/lkml/20220318165535.GA840063@bhelgaas/T/ + +Signed-off-by: Mateusz Jończyk +Signed-off-by: David Heideberg +Signed-off-by: Ingo Molnar +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250321-x86_x2apic-v3-6-b0cbaa6fa338@ixit.cz +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 48ab6e8f2d1d4..6da1115e1f0fe 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -2795,13 +2795,21 @@ config MMCONF_FAM10H + depends on X86_64 && PCI_MMCONFIG && ACPI + + config PCI_CNB20LE_QUIRK +- bool "Read CNB20LE Host Bridge Windows" if EXPERT +- depends on PCI ++ bool "Read PCI host bridge windows from the CNB20LE chipset" if EXPERT ++ depends on X86_32 && PCI + help + Read the PCI windows out of the CNB20LE host bridge. This allows + PCI hotplug to work on systems with the CNB20LE chipset which do + not have ACPI. + ++ The ServerWorks (later Broadcom) CNB20LE was a chipset designed ++ most probably only for Pentium III. ++ ++ To find out if you have such a chipset, search for a PCI device with ++ 1166:0009 PCI IDs, for example by executing ++ lspci -nn | grep '1166:0009' ++ The code is inactive if there is none. ++ + There's no public spec for this chipset, and this functionality + is known to be incomplete. + +-- +2.39.5 + diff --git a/queue-6.1/xen-change-xen-acpi-processor-dom0-dependency.patch b/queue-6.1/xen-change-xen-acpi-processor-dom0-dependency.patch new file mode 100644 index 0000000000..ec181bb013 --- /dev/null +++ b/queue-6.1/xen-change-xen-acpi-processor-dom0-dependency.patch @@ -0,0 +1,40 @@ +From 4618109bf283c9a1241d263a9264682aeea4bc88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 13:29:12 -0400 +Subject: xen: Change xen-acpi-processor dom0 dependency + +From: Jason Andryuk + +[ Upstream commit 0f2946bb172632e122d4033e0b03f85230a29510 ] + +xen-acpi-processor functions under a PVH dom0 with only a +xen_initial_domain() runtime check. Change the Kconfig dependency from +PV dom0 to generic dom0 to reflect that. + +Suggested-by: Jan Beulich +Signed-off-by: Jason Andryuk +Reviewed-by: Juergen Gross +Tested-by: Jan Beulich +Signed-off-by: Juergen Gross +Message-ID: <20250331172913.51240-1-jason.andryuk@amd.com> +Signed-off-by: Sasha Levin +--- + drivers/xen/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig +index d5d7c402b6511..ab135c3e43410 100644 +--- a/drivers/xen/Kconfig ++++ b/drivers/xen/Kconfig +@@ -271,7 +271,7 @@ config XEN_PRIVCMD + + config XEN_ACPI_PROCESSOR + tristate "Xen ACPI processor" +- depends on XEN && XEN_PV_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ ++ depends on XEN && XEN_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ + default m + help + This ACPI processor uploads Power Management information to the Xen +-- +2.39.5 +