From: Greg Kroah-Hartman Date: Fri, 31 Oct 2025 12:32:47 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.6.116~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ca92ccd5e43f0b955081d27ebdee7d56413c6892;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: bits-add-comments-and-newlines-to-if-else-and-endif-directives.patch bits-introduce-fixed-type-genmask_u.patch gpio-idio-16-define-fixed-direction-of-the-gpio-lines.patch gpio-regmap-add-the-.fixed_direction_output-configuration-parameter.patch gpio-regmap-allow-to-allocate-regmap-irq-device.patch iommu-vt-d-avoid-use-of-null-after-warn_on_once.patch sfc-fix-null-dereferences-in-ef100_process_design_param.patch udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf-creation.patch wifi-ath12k-fix-read-pointer-after-free-in-ath12k_mac_assign_vif_to_vdev.patch --- diff --git a/queue-6.12/bits-add-comments-and-newlines-to-if-else-and-endif-directives.patch b/queue-6.12/bits-add-comments-and-newlines-to-if-else-and-endif-directives.patch new file mode 100644 index 0000000000..3e2f49b9d8 --- /dev/null +++ b/queue-6.12/bits-add-comments-and-newlines-to-if-else-and-endif-directives.patch 
@@ -0,0 +1,56 @@ +From stable+bounces-191793-greg=kroah.com@vger.kernel.org Fri Oct 31 10:38:01 2025 +From: William Breathitt Gray +Date: Fri, 31 Oct 2025 18:33:15 +0900 +Subject: bits: add comments and newlines to #if, #else and #endif directives +To: stable@vger.kernel.org +Cc: Vincent Mailhol , Andy Shevchenko , Yury Norov , William Breathitt Gray +Message-ID: <20251031093326.517803-1-wbg@kernel.org> + +From: Vincent Mailhol + +[ Upstream commit 31299a5e0211241171b2222c5633aad4763bf700 ] + +This is a preparation for the upcoming GENMASK_U*() and BIT_U*() +changes. After introducing those new macros, there will be a lot of +scrolling between the #if, #else and #endif. + +Add a comment to the #else and #endif preprocessor macros to help keep +track of which context we are in. Also, add new lines to better +visually separate the non-asm and asm sections. + +Signed-off-by: Vincent Mailhol +Reviewed-by: Andy Shevchenko +Signed-off-by: Yury Norov +Stable-dep-of: 2ba5772e530f ("gpio: idio-16: Define fixed direction of the GPIO lines") +Signed-off-by: William Breathitt Gray +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/bits.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/include/linux/bits.h ++++ b/include/linux/bits.h +@@ -19,17 +19,21 @@ + * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000. + */ + #if !defined(__ASSEMBLY__) ++ + #include + #define GENMASK_INPUT_CHECK(h, l) \ + (BUILD_BUG_ON_ZERO(__builtin_choose_expr( \ + __is_constexpr((l) > (h)), (l) > (h), 0))) +-#else ++ ++#else /* defined(__ASSEMBLY__) */ ++ + /* + * BUILD_BUG_ON_ZERO is not available in h files included from asm files, + * disable the input check if that is the case. + */ + #define GENMASK_INPUT_CHECK(h, l) 0 +-#endif ++ ++#endif /* !defined(__ASSEMBLY__) */ + + #define GENMASK(h, l) \ + (GENMASK_INPUT_CHECK(h, l) + __GENMASK(h, l)) 
diff --git a/queue-6.12/bits-introduce-fixed-type-genmask_u.patch b/queue-6.12/bits-introduce-fixed-type-genmask_u.patch new file mode 100644 index 0000000000..3f3bc11ea5 --- /dev/null +++ b/queue-6.12/bits-introduce-fixed-type-genmask_u.patch 
@@ -0,0 +1,117 @@ +From stable+bounces-191794-greg=kroah.com@vger.kernel.org Fri Oct 31 10:34:17 2025 +From: William Breathitt Gray +Date: Fri, 31 Oct 2025 18:33:16 +0900 +Subject: bits: introduce fixed-type GENMASK_U*() +To: stable@vger.kernel.org +Cc: Vincent Mailhol , Yury Norov , Lucas De Marchi , Jani Nikula , Andy Shevchenko , William Breathitt Gray +Message-ID: <20251031093326.517803-2-wbg@kernel.org> + +From: Vincent Mailhol + +[ Upstream commit 19408200c094858d952a90bf4977733dc89a4df5 ] + +Add GENMASK_TYPE() which generalizes __GENMASK() to support different +types, and implement fixed-types versions of GENMASK() based on it. +The fixed-type version allows more strict checks to the min/max values +accepted, which is useful for defining registers like implemented by +i915 and xe drivers with their REG_GENMASK*() macros. + +The strict checks rely on shift-count-overflow compiler check to fail +the build if a number outside of the range allowed is passed. +Example: + + #define FOO_MASK GENMASK_U32(33, 4) + +will generate a warning like: + + include/linux/bits.h:51:27: error: right shift count >= width of type [-Werror=shift-count-overflow] + 51 | type_max(t) >> (BITS_PER_TYPE(t) - 1 - (h))))) + | ^~ + +The result is casted to the corresponding fixed width type. For +example, GENMASK_U8() returns an u8. Note that because of the C +promotion rules, GENMASK_U8() and GENMASK_U16() will immediately be +promoted to int if used in an expression. Regardless, the main goal is +not to get the correct type, but rather to enforce more checks at +compile time. + +While GENMASK_TYPE() is crafted to cover all variants, including the +already existing GENMASK(), GENMASK_ULL() and GENMASK_U128(), for the +moment, only use it for the newly introduced GENMASK_U*(). The +consolidation will be done in a separate change. 
+ +Co-developed-by: Yury Norov +Signed-off-by: Lucas De Marchi +Acked-by: Jani Nikula +Signed-off-by: Vincent Mailhol +Reviewed-by: Andy Shevchenko +Signed-off-by: Yury Norov +Stable-dep-of: 2ba5772e530f ("gpio: idio-16: Define fixed direction of the GPIO lines") +Signed-off-by: William Breathitt Gray +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/bitops.h | 1 - + include/linux/bits.h | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+), 1 deletion(-) + +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -8,7 +8,6 @@ + + #include + +-#define BITS_PER_TYPE(type) (sizeof(type) * BITS_PER_BYTE) + #define BITS_TO_LONGS(nr) __KERNEL_DIV_ROUND_UP(nr, BITS_PER_TYPE(long)) + #define BITS_TO_U64(nr) __KERNEL_DIV_ROUND_UP(nr, BITS_PER_TYPE(u64)) + #define BITS_TO_U32(nr) __KERNEL_DIV_ROUND_UP(nr, BITS_PER_TYPE(u32)) +--- a/include/linux/bits.h ++++ b/include/linux/bits.h +@@ -12,6 +12,7 @@ + #define BIT_ULL_MASK(nr) (ULL(1) << ((nr) % BITS_PER_LONG_LONG)) + #define BIT_ULL_WORD(nr) ((nr) / BITS_PER_LONG_LONG) + #define BITS_PER_BYTE 8 ++#define BITS_PER_TYPE(type) (sizeof(type) * BITS_PER_BYTE) + + /* + * Create a contiguous bitmask starting at bit position @l and ending at +@@ -20,11 +21,40 @@ + */ + #if !defined(__ASSEMBLY__) + ++/* ++ * Missing asm support ++ * ++ * GENMASK_U*() depend on BITS_PER_TYPE() which relies on sizeof(), ++ * something not available in asm. Nevertheless, fixed width integers is a C ++ * concept. Assembly code can rely on the long and long long versions instead. ++ */ ++ + #include ++#include + #define GENMASK_INPUT_CHECK(h, l) \ + (BUILD_BUG_ON_ZERO(__builtin_choose_expr( \ + __is_constexpr((l) > (h)), (l) > (h), 0))) + ++/* ++ * Generate a mask for the specified type @t. Additional checks are made to ++ * guarantee the value returned fits in that type, relying on ++ * -Wshift-count-overflow compiler check to detect incompatible arguments. 
++ * For example, all these create build errors or warnings: ++ * ++ * - GENMASK(15, 20): wrong argument order ++ * - GENMASK(72, 15): doesn't fit unsigned long ++ * - GENMASK_U32(33, 15): doesn't fit in a u32 ++ */ ++#define GENMASK_TYPE(t, h, l) \ ++ ((t)(GENMASK_INPUT_CHECK(h, l) + \ ++ (type_max(t) << (l) & \ ++ type_max(t) >> (BITS_PER_TYPE(t) - 1 - (h))))) ++ ++#define GENMASK_U8(h, l) GENMASK_TYPE(u8, h, l) ++#define GENMASK_U16(h, l) GENMASK_TYPE(u16, h, l) ++#define GENMASK_U32(h, l) GENMASK_TYPE(u32, h, l) ++#define GENMASK_U64(h, l) GENMASK_TYPE(u64, h, l) ++ + #else /* defined(__ASSEMBLY__) */ + + /* diff --git a/queue-6.12/gpio-idio-16-define-fixed-direction-of-the-gpio-lines.patch b/queue-6.12/gpio-idio-16-define-fixed-direction-of-the-gpio-lines.patch new file mode 100644 index 0000000000..a21bf0aec3 --- /dev/null +++ b/queue-6.12/gpio-idio-16-define-fixed-direction-of-the-gpio-lines.patch 
@@ -0,0 +1,62 @@ +From stable+bounces-191797-greg=kroah.com@vger.kernel.org Fri Oct 31 10:34:39 2025 +From: William Breathitt Gray +Date: Fri, 31 Oct 2025 18:33:19 +0900 +Subject: gpio: idio-16: Define fixed direction of the GPIO lines +To: stable@vger.kernel.org +Cc: William Breathitt Gray , Mark Cave-Ayland , Michael Walle , Andy Shevchenko , Linus Walleij , Bartosz Golaszewski +Message-ID: <20251031093326.517803-5-wbg@kernel.org> + +From: William Breathitt Gray + +[ Upstream commit 2ba5772e530f73eb847fb96ce6c4017894869552 ] + +The direction of the IDIO-16 GPIO lines is fixed with the first 16 lines +as output and the remaining 16 lines as input. Set the gpio_config +fixed_direction_output member to represent the fixed direction of the +GPIO lines. + +Fixes: db02247827ef ("gpio: idio-16: Migrate to the regmap API") +Reported-by: Mark Cave-Ayland +Closes: https://lore.kernel.org/r/9b0375fd-235f-4ee1-a7fa-daca296ef6bf@nutanix.com +Suggested-by: Michael Walle +Cc: stable@vger.kernel.org # ae495810cffe: gpio: regmap: add the .fixed_direction_output configuration parameter +Cc: stable@vger.kernel.org +Reviewed-by: Andy Shevchenko +Signed-off-by: William Breathitt Gray +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20251020-fix-gpio-idio-16-regmap-v2-3-ebeb50e93c33@kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: William Breathitt Gray +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-idio-16.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpio/gpio-idio-16.c ++++ b/drivers/gpio/gpio-idio-16.c +@@ -3,6 +3,7 @@ + * GPIO library for the ACCES IDIO-16 family + * Copyright (C) 2022 William Breathitt Gray + */ ++#include + #include + #include + #include +@@ -106,6 +107,7 @@ int devm_idio_16_regmap_register(struct + struct idio_16_data *data; + struct regmap_irq_chip *chip; + struct regmap_irq_chip_data *chip_data; ++ DECLARE_BITMAP(fixed_direction_output, IDIO_16_NGPIO); + + if (!config->parent) + return -EINVAL; +@@ 
-163,6 +165,9 @@ int devm_idio_16_regmap_register(struct + gpio_config.irq_domain = regmap_irq_get_domain(chip_data); + gpio_config.reg_mask_xlate = idio_16_reg_mask_xlate; + ++ bitmap_from_u64(fixed_direction_output, GENMASK_U64(15, 0)); ++ gpio_config.fixed_direction_output = fixed_direction_output; ++ + return PTR_ERR_OR_ZERO(devm_gpio_regmap_register(dev, &gpio_config)); + } + EXPORT_SYMBOL_GPL(devm_idio_16_regmap_register); diff --git a/queue-6.12/gpio-regmap-add-the-.fixed_direction_output-configuration-parameter.patch b/queue-6.12/gpio-regmap-add-the-.fixed_direction_output-configuration-parameter.patch new file mode 100644 index 0000000000..45c8426590 --- /dev/null +++ b/queue-6.12/gpio-regmap-add-the-.fixed_direction_output-configuration-parameter.patch 
@@ -0,0 +1,128 @@ +From stable+bounces-191796-greg=kroah.com@vger.kernel.org Fri Oct 31 10:34:37 2025 +From: William Breathitt Gray +Date: Fri, 31 Oct 2025 18:33:18 +0900 +Subject: gpio: regmap: add the .fixed_direction_output configuration parameter +To: stable@vger.kernel.org +Cc: Ioana Ciornei , Bartosz Golaszewski , Michael Walle , William Breathitt Gray +Message-ID: <20251031093326.517803-4-wbg@kernel.org> + +From: Ioana Ciornei + +[ Upstream commit 00aaae60faf554c27c95e93d47f200a93ff266ef ] + +There are GPIO controllers such as the one present in the LX2160ARDB +QIXIS FPGA which have fixed-direction input and output GPIO lines mixed +together in a single register. This cannot be modeled using the +gpio-regmap as-is since there is no way to present the true direction of +a GPIO line. + +In order to make this use case possible, add a new configuration +parameter - fixed_direction_output - into the gpio_regmap_config +structure. This will enable user drivers to provide a bitmap that +represents the fixed direction of the GPIO lines. 
+ +Signed-off-by: Ioana Ciornei +Acked-by: Bartosz Golaszewski +Reviewed-by: Michael Walle +Signed-off-by: Bartosz Golaszewski +Stable-dep-of: 2ba5772e530f ("gpio: idio-16: Define fixed direction of the GPIO lines") +Signed-off-by: William Breathitt Gray +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-regmap.c | 26 ++++++++++++++++++++++++-- + include/linux/gpio/regmap.h | 5 +++++ + 2 files changed, 29 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpio-regmap.c ++++ b/drivers/gpio/gpio-regmap.c +@@ -29,6 +29,7 @@ struct gpio_regmap { + unsigned int reg_clr_base; + unsigned int reg_dir_in_base; + unsigned int reg_dir_out_base; ++ unsigned long *fixed_direction_output; + + #ifdef CONFIG_REGMAP_IRQ + int regmap_irq_line; +@@ -122,6 +123,13 @@ static int gpio_regmap_get_direction(str + unsigned int base, val, reg, mask; + int invert, ret; + ++ if (gpio->fixed_direction_output) { ++ if (test_bit(offset, gpio->fixed_direction_output)) ++ return GPIO_LINE_DIRECTION_OUT; ++ else ++ return GPIO_LINE_DIRECTION_IN; ++ } ++ + if (gpio->reg_dat_base && !gpio->reg_set_base) + return GPIO_LINE_DIRECTION_IN; + if (gpio->reg_set_base && !gpio->reg_dat_base) +@@ -280,9 +288,20 @@ struct gpio_regmap *gpio_regmap_register + chip->direction_output = gpio_regmap_direction_output; + } + ++ if (config->fixed_direction_output) { ++ gpio->fixed_direction_output = bitmap_alloc(chip->ngpio, ++ GFP_KERNEL); ++ if (!gpio->fixed_direction_output) { ++ ret = -ENOMEM; ++ goto err_free_gpio; ++ } ++ bitmap_copy(gpio->fixed_direction_output, ++ config->fixed_direction_output, chip->ngpio); ++ } ++ + ret = gpiochip_add_data(chip, gpio); + if (ret < 0) +- goto err_free_gpio; ++ goto err_free_bitmap; + + #ifdef CONFIG_REGMAP_IRQ + if (config->regmap_irq_chip) { +@@ -291,7 +310,7 @@ struct gpio_regmap *gpio_regmap_register + config->regmap_irq_line, config->regmap_irq_flags, + 0, config->regmap_irq_chip, &gpio->irq_chip_data); + if (ret) +- goto err_free_gpio; ++ goto err_free_bitmap; 
+ + irq_domain = regmap_irq_get_domain(gpio->irq_chip_data); + } else +@@ -308,6 +327,8 @@ struct gpio_regmap *gpio_regmap_register + + err_remove_gpiochip: + gpiochip_remove(chip); ++err_free_bitmap: ++ bitmap_free(gpio->fixed_direction_output); + err_free_gpio: + kfree(gpio); + return ERR_PTR(ret); +@@ -326,6 +347,7 @@ void gpio_regmap_unregister(struct gpio_ + #endif + + gpiochip_remove(&gpio->gpio_chip); ++ bitmap_free(gpio->fixed_direction_output); + kfree(gpio); + } + EXPORT_SYMBOL_GPL(gpio_regmap_unregister); +--- a/include/linux/gpio/regmap.h ++++ b/include/linux/gpio/regmap.h +@@ -37,6 +37,10 @@ struct regmap; + * offset to a register/bitmask pair. If not + * given the default gpio_regmap_simple_xlate() + * is used. ++ * @fixed_direction_output: ++ * (Optional) Bitmap representing the fixed direction of ++ * the GPIO lines. Useful when there are GPIO lines with a ++ * fixed direction mixed together in the same register. + * @drvdata: (Optional) Pointer to driver specific data which is + * not used by gpio-remap but is provided "as is" to the + * driver callback(s). +@@ -82,6 +86,7 @@ struct gpio_regmap_config { + int reg_stride; + int ngpio_per_reg; + struct irq_domain *irq_domain; ++ unsigned long *fixed_direction_output; + + #ifdef CONFIG_REGMAP_IRQ + struct regmap_irq_chip *regmap_irq_chip; diff --git a/queue-6.12/gpio-regmap-allow-to-allocate-regmap-irq-device.patch b/queue-6.12/gpio-regmap-allow-to-allocate-regmap-irq-device.patch new file mode 100644 index 0000000000..c03896a1de --- /dev/null +++ b/queue-6.12/gpio-regmap-allow-to-allocate-regmap-irq-device.patch 
@@ -0,0 +1,114 @@ +From stable+bounces-191795-greg=kroah.com@vger.kernel.org Fri Oct 31 10:34:36 2025 +From: William Breathitt Gray +Date: Fri, 31 Oct 2025 18:33:17 +0900 +Subject: gpio: regmap: Allow to allocate regmap-irq device +To: stable@vger.kernel.org +Cc: Mathieu Dubois-Briand , Andy Shevchenko , Bartosz Golaszewski , Lee Jones , William Breathitt Gray +Message-ID: <20251031093326.517803-3-wbg@kernel.org> + +From: Mathieu Dubois-Briand + +[ Upstream commit 553b75d4bfe9264f631d459fe9996744e0672b0e ] + +GPIO controller often have support for IRQ: allow to easily allocate +both gpio-regmap and regmap-irq in one operation. + +Reviewed-by: Andy Shevchenko +Acked-by: Bartosz Golaszewski +Signed-off-by: Mathieu Dubois-Briand +Link: https://lore.kernel.org/r/20250824-mdb-max7360-support-v14-5-435cfda2b1ea@bootlin.com +Signed-off-by: Lee Jones +Stable-dep-of: 2ba5772e530f ("gpio: idio-16: Define fixed direction of the GPIO lines") +Signed-off-by: William Breathitt Gray +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-regmap.c | 29 +++++++++++++++++++++++++++-- + include/linux/gpio/regmap.h | 11 +++++++++++ + 2 files changed, 38 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpio-regmap.c ++++ b/drivers/gpio/gpio-regmap.c +@@ -30,6 +30,11 @@ struct gpio_regmap { + unsigned int reg_dir_in_base; + unsigned int reg_dir_out_base; + ++#ifdef CONFIG_REGMAP_IRQ ++ int regmap_irq_line; ++ struct regmap_irq_chip_data *irq_chip_data; ++#endif ++ + int (*reg_mask_xlate)(struct gpio_regmap *gpio, unsigned int base, + unsigned int offset, unsigned int *reg, + unsigned int *mask); +@@ -203,6 +208,7 @@ EXPORT_SYMBOL_GPL(gpio_regmap_get_drvdat + */ + struct gpio_regmap *gpio_regmap_register(const struct gpio_regmap_config *config) + { ++ struct irq_domain *irq_domain; + struct gpio_regmap *gpio; + struct gpio_chip *chip; + int ret; +@@ -278,8 +284,22 @@ struct gpio_regmap *gpio_regmap_register + if (ret < 0) + goto err_free_gpio; + +- if (config->irq_domain) { +- ret 
= gpiochip_irqchip_add_domain(chip, config->irq_domain); ++#ifdef CONFIG_REGMAP_IRQ ++ if (config->regmap_irq_chip) { ++ gpio->regmap_irq_line = config->regmap_irq_line; ++ ret = regmap_add_irq_chip_fwnode(dev_fwnode(config->parent), config->regmap, ++ config->regmap_irq_line, config->regmap_irq_flags, ++ 0, config->regmap_irq_chip, &gpio->irq_chip_data); ++ if (ret) ++ goto err_free_gpio; ++ ++ irq_domain = regmap_irq_get_domain(gpio->irq_chip_data); ++ } else ++#endif ++ irq_domain = config->irq_domain; ++ ++ if (irq_domain) { ++ ret = gpiochip_irqchip_add_domain(chip, irq_domain); + if (ret) + goto err_remove_gpiochip; + } +@@ -300,6 +320,11 @@ EXPORT_SYMBOL_GPL(gpio_regmap_register); + */ + void gpio_regmap_unregister(struct gpio_regmap *gpio) + { ++#ifdef CONFIG_REGMAP_IRQ ++ if (gpio->irq_chip_data) ++ regmap_del_irq_chip(gpio->regmap_irq_line, gpio->irq_chip_data); ++#endif ++ + gpiochip_remove(&gpio->gpio_chip); + kfree(gpio); + } +--- a/include/linux/gpio/regmap.h ++++ b/include/linux/gpio/regmap.h +@@ -40,6 +40,11 @@ struct regmap; + * @drvdata: (Optional) Pointer to driver specific data which is + * not used by gpio-remap but is provided "as is" to the + * driver callback(s). ++ * @regmap_irq_chip: (Optional) Pointer on an regmap_irq_chip structure. If ++ * set, a regmap-irq device will be created and the IRQ ++ * domain will be set accordingly. ++ * @regmap_irq_line (Optional) The IRQ the device uses to signal interrupts. ++ * @regmap_irq_flags (Optional) The IRQF_ flags to use for the interrupt. + * + * The ->reg_mask_xlate translates a given base address and GPIO offset to + * register and mask pair. 
The base address is one of the given register +@@ -78,6 +83,12 @@ struct gpio_regmap_config { + int ngpio_per_reg; + struct irq_domain *irq_domain; + ++#ifdef CONFIG_REGMAP_IRQ ++ struct regmap_irq_chip *regmap_irq_chip; ++ int regmap_irq_line; ++ unsigned long regmap_irq_flags; ++#endif ++ + int (*reg_mask_xlate)(struct gpio_regmap *gpio, unsigned int base, + unsigned int offset, unsigned int *reg, + unsigned int *mask); diff --git a/queue-6.12/iommu-vt-d-avoid-use-of-null-after-warn_on_once.patch b/queue-6.12/iommu-vt-d-avoid-use-of-null-after-warn_on_once.patch new file mode 100644 index 0000000000..4a0371b136 --- /dev/null +++ b/queue-6.12/iommu-vt-d-avoid-use-of-null-after-warn_on_once.patch 
@@ -0,0 +1,46 @@ +From stable+bounces-191750-greg=kroah.com@vger.kernel.org Thu Oct 30 17:13:41 2025 +From: Amelia Crate +Date: Thu, 30 Oct 2025 11:08:31 -0500 +Subject: iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE +To: gregkh@linuxfoundation.org +Cc: dimitri.ledkov@surgut.co.uk, stable@vger.kernel.org, Kees Bakker , Amelia Crate +Message-ID: <20251030160942.19490-2-acrate@waldn.net> + +From: Kees Bakker + +[ Upstream commit 60f030f7418d3f1d94f2fb207fe3080e1844630b ] + +There is a WARN_ON_ONCE to catch an unlikely situation when +domain_remove_dev_pasid can't find the `pasid`. In case it nevertheless +happens we must avoid using a NULL pointer. + +Signed-off-by: Kees Bakker +Link: https://lore.kernel.org/r/20241218201048.E544818E57E@bout3.ijzerbout.nl +Signed-off-by: Lu Baolu +Signed-off-by: Joerg Roedel +Signed-off-by: Amelia Crate +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel/iommu.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/intel/iommu.c ++++ b/drivers/iommu/intel/iommu.c +@@ -4328,13 +4328,14 @@ static void intel_iommu_remove_dev_pasid + break; + } + } +- WARN_ON_ONCE(!dev_pasid); + spin_unlock_irqrestore(&dmar_domain->lock, flags); + + cache_tag_unassign_domain(dmar_domain, dev, pasid); + domain_detach_iommu(dmar_domain, iommu); +- intel_iommu_debugfs_remove_dev_pasid(dev_pasid); +- kfree(dev_pasid); ++ if (!WARN_ON_ONCE(!dev_pasid)) { ++ intel_iommu_debugfs_remove_dev_pasid(dev_pasid); ++ kfree(dev_pasid); ++ } + intel_pasid_tear_down_entry(iommu, dev, pasid, false); + intel_drain_pasid_prq(dev, pasid); + } diff --git a/queue-6.12/series b/queue-6.12/series index 1b366661fc..6f93bd1c32 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -29,3 +29,12 @@ f2fs-fix-to-avoid-panic-once-fallocation-fails-for-pinfile.patch wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch bonding-return-detailed-error-when-loading-native-xdp-fails.patch bonding-check-xdp-prog-when-set-bond-mode.patch +bits-add-comments-and-newlines-to-if-else-and-endif-directives.patch +bits-introduce-fixed-type-genmask_u.patch +gpio-regmap-allow-to-allocate-regmap-irq-device.patch +gpio-regmap-add-the-.fixed_direction_output-configuration-parameter.patch +gpio-idio-16-define-fixed-direction-of-the-gpio-lines.patch +iommu-vt-d-avoid-use-of-null-after-warn_on_once.patch +wifi-ath12k-fix-read-pointer-after-free-in-ath12k_mac_assign_vif_to_vdev.patch +udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf-creation.patch +sfc-fix-null-dereferences-in-ef100_process_design_param.patch diff --git a/queue-6.12/sfc-fix-null-dereferences-in-ef100_process_design_param.patch b/queue-6.12/sfc-fix-null-dereferences-in-ef100_process_design_param.patch new file mode 100644 index 0000000000..ea3af378fa --- /dev/null +++ b/queue-6.12/sfc-fix-null-dereferences-in-ef100_process_design_param.patch 
@@ -0,0 +1,154 @@ +From stable+bounces-191753-greg=kroah.com@vger.kernel.org Thu Oct 30 17:13:49 2025 +From: Amelia Crate +Date: Thu, 30 Oct 2025 11:08:34 -0500 +Subject: sfc: fix NULL dereferences in ef100_process_design_param() +To: gregkh@linuxfoundation.org +Cc: dimitri.ledkov@surgut.co.uk, stable@vger.kernel.org, Edward Cree , Kyungwook Boo , Michal Swiatkowski , Amelia Crate +Message-ID: <20251030160942.19490-5-acrate@waldn.net> + +From: Edward Cree + +[ Upstream commit 8241ecec1cdc6699ae197d52d58e76bddd995fa5 ] + +Since cited commit, ef100_probe_main() and hence also + ef100_check_design_params() run before efx->net_dev is created; + consequently, we cannot netif_set_tso_max_size() or _segs() at this + point. +Move those netif calls to ef100_probe_netdev(), and also replace + netif_err within the design params code with pci_err. + +Reported-by: Kyungwook Boo +Fixes: 98ff4c7c8ac7 ("sfc: Separate netdev probe/remove from PCI probe/remove") +Signed-off-by: Edward Cree +Reviewed-by: Michal Swiatkowski +Link: https://patch.msgid.link/20250401225439.2401047-1-edward.cree@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Amelia Crate +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sfc/ef100_netdev.c | 6 ++-- + drivers/net/ethernet/sfc/ef100_nic.c | 47 ++++++++++++++------------------ + 2 files changed, 24 insertions(+), 29 deletions(-) + +--- a/drivers/net/ethernet/sfc/ef100_netdev.c ++++ b/drivers/net/ethernet/sfc/ef100_netdev.c +@@ -450,8 +450,9 @@ int ef100_probe_netdev(struct efx_probe_ + net_dev->hw_enc_features |= efx->type->offload_features; + net_dev->vlan_features |= NETIF_F_HW_CSUM | NETIF_F_SG | + NETIF_F_HIGHDMA | NETIF_F_ALL_TSO; +- netif_set_tso_max_segs(net_dev, +- ESE_EF100_DP_GZ_TSO_MAX_HDR_NUM_SEGS_DEFAULT); ++ nic_data = efx->nic_data; ++ netif_set_tso_max_size(efx->net_dev, nic_data->tso_max_payload_len); ++ netif_set_tso_max_segs(efx->net_dev, nic_data->tso_max_payload_num_segs); + efx->mdio.dev = net_dev; + + rc = 
efx_ef100_init_datapath_caps(efx); +@@ -478,7 +479,6 @@ int ef100_probe_netdev(struct efx_probe_ + /* Don't fail init if RSS setup doesn't work. */ + efx_mcdi_push_default_indir_table(efx, efx->n_rx_channels); + +- nic_data = efx->nic_data; + rc = ef100_get_mac_address(efx, net_dev->perm_addr, CLIENT_HANDLE_SELF, + efx->type->is_vf); + if (rc) +--- a/drivers/net/ethernet/sfc/ef100_nic.c ++++ b/drivers/net/ethernet/sfc/ef100_nic.c +@@ -887,8 +887,7 @@ static int ef100_process_design_param(st + case ESE_EF100_DP_GZ_TSO_MAX_HDR_NUM_SEGS: + /* We always put HDR_NUM_SEGS=1 in our TSO descriptors */ + if (!reader->value) { +- netif_err(efx, probe, efx->net_dev, +- "TSO_MAX_HDR_NUM_SEGS < 1\n"); ++ pci_err(efx->pci_dev, "TSO_MAX_HDR_NUM_SEGS < 1\n"); + return -EOPNOTSUPP; + } + return 0; +@@ -901,32 +900,28 @@ static int ef100_process_design_param(st + */ + if (!reader->value || reader->value > EFX_MIN_DMAQ_SIZE || + EFX_MIN_DMAQ_SIZE % (u32)reader->value) { +- netif_err(efx, probe, efx->net_dev, +- "%s size granularity is %llu, can't guarantee safety\n", +- reader->type == ESE_EF100_DP_GZ_RXQ_SIZE_GRANULARITY ? "RXQ" : "TXQ", +- reader->value); ++ pci_err(efx->pci_dev, ++ "%s size granularity is %llu, can't guarantee safety\n", ++ reader->type == ESE_EF100_DP_GZ_RXQ_SIZE_GRANULARITY ? 
"RXQ" : "TXQ", ++ reader->value); + return -EOPNOTSUPP; + } + return 0; + case ESE_EF100_DP_GZ_TSO_MAX_PAYLOAD_LEN: + nic_data->tso_max_payload_len = min_t(u64, reader->value, + GSO_LEGACY_MAX_SIZE); +- netif_set_tso_max_size(efx->net_dev, +- nic_data->tso_max_payload_len); + return 0; + case ESE_EF100_DP_GZ_TSO_MAX_PAYLOAD_NUM_SEGS: + nic_data->tso_max_payload_num_segs = min_t(u64, reader->value, 0xffff); +- netif_set_tso_max_segs(efx->net_dev, +- nic_data->tso_max_payload_num_segs); + return 0; + case ESE_EF100_DP_GZ_TSO_MAX_NUM_FRAMES: + nic_data->tso_max_frames = min_t(u64, reader->value, 0xffff); + return 0; + case ESE_EF100_DP_GZ_COMPAT: + if (reader->value) { +- netif_err(efx, probe, efx->net_dev, +- "DP_COMPAT has unknown bits %#llx, driver not compatible with this hw\n", +- reader->value); ++ pci_err(efx->pci_dev, ++ "DP_COMPAT has unknown bits %#llx, driver not compatible with this hw\n", ++ reader->value); + return -EOPNOTSUPP; + } + return 0; +@@ -946,10 +941,10 @@ static int ef100_process_design_param(st + * So the value of this shouldn't matter. + */ + if (reader->value != ESE_EF100_DP_GZ_VI_STRIDES_DEFAULT) +- netif_dbg(efx, probe, efx->net_dev, +- "NIC has other than default VI_STRIDES (mask " +- "%#llx), early probing might use wrong one\n", +- reader->value); ++ pci_dbg(efx->pci_dev, ++ "NIC has other than default VI_STRIDES (mask " ++ "%#llx), early probing might use wrong one\n", ++ reader->value); + return 0; + case ESE_EF100_DP_GZ_RX_MAX_RUNT: + /* Driver doesn't look at L2_STATUS:LEN_ERR bit, so we don't +@@ -961,9 +956,9 @@ static int ef100_process_design_param(st + /* Host interface says "Drivers should ignore design parameters + * that they do not recognise." 
+ */ +- netif_dbg(efx, probe, efx->net_dev, +- "Ignoring unrecognised design parameter %u\n", +- reader->type); ++ pci_dbg(efx->pci_dev, ++ "Ignoring unrecognised design parameter %u\n", ++ reader->type); + return 0; + } + } +@@ -999,13 +994,13 @@ static int ef100_check_design_params(str + */ + if (reader.state != EF100_TLV_TYPE) { + if (reader.state == EF100_TLV_TYPE_CONT) +- netif_err(efx, probe, efx->net_dev, +- "truncated design parameter (incomplete type %u)\n", +- reader.type); ++ pci_err(efx->pci_dev, ++ "truncated design parameter (incomplete type %u)\n", ++ reader.type); + else +- netif_err(efx, probe, efx->net_dev, +- "truncated design parameter %u\n", +- reader.type); ++ pci_err(efx->pci_dev, ++ "truncated design parameter %u\n", ++ reader.type); + rc = -EIO; + } + out: diff --git a/queue-6.12/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf-creation.patch b/queue-6.12/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf-creation.patch new file mode 100644 index 0000000000..091ea00fed --- /dev/null +++ b/queue-6.12/udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf-creation.patch 
@@ -0,0 +1,34 @@ +From stable+bounces-191751-greg=kroah.com@vger.kernel.org Thu Oct 30 17:14:03 2025 +From: Amelia Crate +Date: Thu, 30 Oct 2025 11:08:32 -0500 +Subject: udmabuf: fix a buf size overflow issue during udmabuf creation +To: gregkh@linuxfoundation.org +Cc: dimitri.ledkov@surgut.co.uk, stable@vger.kernel.org, Xiaogang Chen , Amelia Crate +Message-ID: <20251030160942.19490-3-acrate@waldn.net> + +From: Xiaogang Chen + +[ Upstream commit 021ba7f1babd029e714d13a6bf2571b08af96d0f ] + +by casting size_limit_mb to u64 when calculate pglimit. + +Signed-off-by: Xiaogang Chen +Link: https://patchwork.freedesktop.org/patch/msgid/20250321164126.329638-1-xiaogang.chen@amd.com +Signed-off-by: Christian König +Signed-off-by: Amelia Crate +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/udmabuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -350,7 +350,7 @@ static long udmabuf_create(struct miscde + return -ENOMEM; + + INIT_LIST_HEAD(&ubuf->unpin_list); +- pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT; ++ pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT; + for (i = 0; i < head->count; i++) { + if (!PAGE_ALIGNED(list[i].offset)) + goto err; diff --git a/queue-6.12/wifi-ath12k-fix-read-pointer-after-free-in-ath12k_mac_assign_vif_to_vdev.patch b/queue-6.12/wifi-ath12k-fix-read-pointer-after-free-in-ath12k_mac_assign_vif_to_vdev.patch new file mode 100644 index 0000000000..a79e3c185a --- /dev/null +++ b/queue-6.12/wifi-ath12k-fix-read-pointer-after-free-in-ath12k_mac_assign_vif_to_vdev.patch 
@@ -0,0 +1,57 @@ +From stable+bounces-191752-greg=kroah.com@vger.kernel.org Thu Oct 30 17:14:18 2025 +From: Amelia Crate +Date: Thu, 30 Oct 2025 11:08:33 -0500 +Subject: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() +To: gregkh@linuxfoundation.org +Cc: dimitri.ledkov@surgut.co.uk, stable@vger.kernel.org, Aditya Kumar Singh , Jeff Johnson , Kalle Valo , Amelia Crate +Message-ID: <20251030160942.19490-4-acrate@waldn.net> + +From: Aditya Kumar Singh + +[ Upstream commit 5a10971c7645a95f5d5dc23c26fbac4bf61801d0 ] + +In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different +radio, it gets deleted from that radio through a call to +ath12k_mac_unassign_link_vif(). This action frees the arvif pointer. +Subsequently, there is a check involving arvif, which will result in a +read-after-free scenario. + +Fix this by moving this check after arvif is again assigned via call to +ath12k_mac_assign_link_vif(). + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 + +Closes: https://scan5.scan.coverity.com/#/project-view/63541/10063?selectedIssue=1636423 +Fixes: b5068bc9180d ("wifi: ath12k: Cache vdev configs before vdev create") +Signed-off-by: Aditya Kumar Singh +Acked-by: Jeff Johnson +Acked-by: Kalle Valo +Link: https://patch.msgid.link/20241210-read_after_free-v1-1-969f69c7d66c@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Amelia Crate +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath12k/mac.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -6733,15 +6733,15 @@ static struct ath12k *ath12k_mac_assign_ + + mutex_lock(&ar->conf_mutex); + +- if (arvif->is_created) +- goto flush; +- + if (vif->type == NL80211_IFTYPE_AP && + ar->num_peers > (ar->max_num_peers - 1)) { + ath12k_warn(ab, "failed to create vdev due to insufficient peer entry resource in firmware\n"); + goto unlock; + 
} + ++ if (arvif->is_created) ++ goto flush; ++ + if (ar->num_created_vdevs > (TARGET_NUM_VDEVS - 1)) { + ath12k_warn(ab, "failed to create vdev, reached max vdev limit %d\n", + TARGET_NUM_VDEVS);
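Review bot: in bits-introduce-fixed-type-genmask_u.patch, the GENMASK_TYPE() macro detects an out-of-range @h only because BITS_PER_TYPE(t) - 1 - (h) is evaluated in the unsigned type that sizeof() yields, so GENMASK_U32(33, 4) wraps to a very large right-shift count and trips -Wshift-count-overflow. The block comment above the macro names the compiler check but not this dependency. Please add a sentence saying so, because a later change to the type of BITS_PER_TYPE() would change which diagnostic fires. Parenthesising the two shift terms around the & in "type_max(t) << (l) & type_max(t) >> (...)" would also make the intended precedence explicit.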
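Review bot: in gpio-regmap-allow-to-allocate-regmap-irq-device.patch, the new CONFIG_REGMAP_IRQ block in gpio_regmap_register() runs after the gpiochip has been added, yet a failure of regmap_add_irq_chip_fwnode() jumps to err_free_gpio, which frees gpio without calling gpiochip_remove(chip). That path should go to err_remove_gpiochip, as the gpiochip_irqchip_add_domain() failure just below it does. The follow-up patch in this queue only renames the target to err_free_bitmap and keeps the same gap. Separately, when gpiochip_irqchip_add_domain() fails after the regmap-irq chip was created, nothing in the visible unwind labels calls regmap_del_irq_chip(), so the irq chip is left allocated. In the regmap.h kernel-doc, "@regmap_irq_line" and "@regmap_irq_flags" are missing the colon after the member name.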
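Review bot: in gpio-regmap-add-the-.fixed_direction_output-configuration-parameter.patch, the kernel-doc for @fixed_direction_output in include/linux/gpio/regmap.h does not state the contract that the gpio-regmap.c hunks implement: the bitmap must cover chip->ngpio bits (bitmap_copy() reads that many), a set bit means output and a clear bit means input, the core takes its own copy so the caller's storage may be temporary, and once the pointer is non-NULL gpio_regmap_get_direction() returns early for every line, so no line is looked up in the direction registers any more. Please document these points, since drivers building the bitmap cannot infer them from "Bitmap representing the fixed direction of the GPIO lines". Only get_direction is changed here; it is worth confirming whether the direction_input/direction_output callbacks should also refuse a request that contradicts the fixed direction.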
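Review bot: in gpio-idio-16-define-fixed-direction-of-the-gpio-lines.patch, bitmap_from_u64(fixed_direction_output, GENMASK_U64(15, 0)) stores a full 64-bit value into a bitmap declared with DECLARE_BITMAP(fixed_direction_output, IDIO_16_NGPIO). The commit message describes 16 output plus 16 input lines, so if IDIO_16_NGPIO is 32 the on-stack array is a single unsigned long on a 32-bit build and the store would write one word past it. Either size the bitmap for 64 bits or fill it with bitmap_zero() followed by bitmap_set(fixed_direction_output, 0, 16), which touches only the declared width. The pointer placed in gpio_config refers to stack storage, which is fine only because gpio_regmap_register() copies the bitmap; a one-line comment at the assignment would keep that from being broken later.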
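Review bot: in iommu-vt-d-avoid-use-of-null-after-warn_on_once.patch, the new "if (!WARN_ON_ONCE(!dev_pasid))" guard in intel_iommu_remove_dev_pasid() protects only the debugfs removal and kfree(), while cache_tag_unassign_domain() and domain_detach_iommu() above it still run when no dev_pasid was found in the list. If the pasid was never attached to this domain, those two calls undo state that was never set up. Please either confirm that they are safe in the not-found case or return early after the unlock when dev_pasid is NULL, keeping whatever teardown must always happen (intel_pasid_tear_down_entry(), intel_drain_pasid_prq()).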
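Review bot: in sfc-fix-null-dereferences-in-ef100_process_design_param.patch, ef100_probe_netdev() now takes both TSO limits from nic_data->tso_max_payload_len and nic_data->tso_max_payload_num_segs, and the old unconditional netif_set_tso_max_segs(net_dev, ESE_EF100_DP_GZ_TSO_MAX_HDR_NUM_SEGS_DEFAULT) is removed. Those nic_data fields are written in ef100_process_design_param() only when the NIC reports the corresponding design parameter, and their initial values are not visible in these hunks. Please confirm they are initialised to sane defaults before the design parameters are parsed, otherwise a device that omits them ends up with limits of 0. As a style point, the two new calls pass efx->net_dev while the surrounding lines use the local net_dev.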
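Review bot: in udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf-creation.patch, the (u64) cast in "pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT" widens the multiplication, but the result is still assigned to pglimit, whose declaration lies outside the hunk. Please confirm pglimit is wide enough to hold the shifted value for the largest accepted size_limit_mb, otherwise the truncation just moves to the assignment. The changelog is a sentence fragment that names the fix but not the failure; stating which size_limit_mb values overflowed and what the resulting pglimit allowed or rejected would help anyone assessing the backport.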
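Review bot: in wifi-ath12k-fix-read-pointer-after-free-in-ath12k_mac_assign_vif_to_vdev.patch, the hunk only moves "if (arvif->is_created) goto flush;" below the NL80211_IFTYPE_AP peer-count check; the reassignment of arvif through ath12k_mac_assign_link_vif() that the changelog refers to is not in the visible context, so it cannot be verified from this hunk that the moved check now reads a valid pointer in the 6.12 code. Please double-check the backport against the 6.12 version of the function. The reordering also changes behaviour for a vif that is already created: an AP vif with ar->num_peers at the limit now logs "failed to create vdev due to insufficient peer entry resource in firmware" and takes the unlock path instead of reaching flush. If that is intended, it deserves a line in the changelog.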