From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 04:18:11 +0000 (+0200) Subject: 7.0-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d3c65851276cd32dfab36f49017bf1082d285d8c;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch arm-do-not-select-have_rust-when-kasan-is-enabled.patch bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch cfi-include-uaccess.h-for-get_kernel_nofault.patch cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch kvm-arm64-restore-por_el0-access-to-host-el0.patch kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch mshv-add-a-missing-padding-field.patch namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch 
pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch rust-x86-support-rust-1.98.0-target-spec.patch soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch tee-shm-fix-shm-leak-in-register_shm_helper.patch tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
---
diff --git a/queue-7.0/accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch b/queue-7.0/accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch
new file mode 100644
index 0000000000..4c234294aa
--- /dev/null
+++ b/queue-7.0/accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch
@@ -0,0 +1,54 @@
+From 1d0b597facdd3c0239c88e8797c1014e1ea0ef15 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski
+Date: Fri, 29 May 2026 14:08:53 +0200
+Subject: accel/ivpu: Add bounds check for firmware runtime memory
+
+From: Andrzej Kacprowski
+
+commit 1d0b597facdd3c0239c88e8797c1014e1ea0ef15 upstream.
+
+Validate that the firmware runtime memory specified in the image
+header is properly aligned and sized to hold the firmware image.
+This prevents errors during memory allocation and image transfer.
+
+Fixes: 2007e210b6a1 ("accel/ivpu: Split FW runtime and global memory buffers")
+Cc: stable@vger.kernel.org # v7.0+
+Signed-off-by: Andrzej Kacprowski
+Reviewed-by: Karol Wachowski
+Signed-off-by: Karol Wachowski
+Link: https://patch.msgid.link/20260529120853.135876-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/accel/ivpu/ivpu_fw.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/accel/ivpu/ivpu_fw.c b/drivers/accel/ivpu/ivpu_fw.c
+index 107f8ad31050..33c50779c06b 100644
+--- a/drivers/accel/ivpu/ivpu_fw.c
++++ b/drivers/accel/ivpu/ivpu_fw.c
+@@ -259,6 +259,22 @@ static int ivpu_fw_parse(struct ivpu_device *vdev)
+ return -EINVAL;
+ }
+
++ if (!PAGE_ALIGNED(runtime_addr)) {
++ ivpu_err(vdev, "Runtime address 0x%llx not page aligned\n", runtime_addr);
++ return -EINVAL;
++ }
++
++ if (!PAGE_ALIGNED(runtime_size)) {
++ ivpu_err(vdev, "Runtime size %llu not page aligned\n", runtime_size);
++ return -EINVAL;
++ }
++
++ if (runtime_size < image_size) {
++ ivpu_err(vdev, "Runtime size too small: %llu, image size: %llu\n",
++ runtime_size, image_size);
++ return -EINVAL;
++ }
++
+ if (!ivpu_is_within_range(image_load_addr, image_size, &vdev->hw->ranges.runtime)) {
+ ivpu_err(vdev, "Invalid firmware load address: 0x%llx and size %llu\n",
+ image_load_addr, image_size);
+--
+2.54.0
+
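Review bot: The new `runtime_size < image_size` test in ivpu_fw_parse() compares lengths only, so it still passes when `image_load_addr` sits far enough above `runtime_addr` that the image would end past `runtime_addr + runtime_size`. The range test that follows is made against `vdev->hw->ranges.runtime`, and whether that range is derived from these same header fields is not visible in the hunk. If it is not, a containment check placed after the size test, such as `if (image_load_addr < runtime_addr || image_load_addr - runtime_addr > runtime_size - image_size)`, would tie the image to the header-declared region without risking wraparound. ivpu_fw_parse() starts and ends outside the hunk.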
diff --git a/queue-7.0/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch b/queue-7.0/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
new file mode 100644
index 0000000000..1c17aabef3
--- /dev/null
+++ b/queue-7.0/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
@@ -0,0 +1,42 @@
+From dd1311bcf0e62f0c515115f46a3813370f4a4bb1 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski
+Date: Fri, 29 May 2026 13:58:42 +0200
+Subject: accel/ivpu: Add bounds checks for firmware log indices
+
+From: Andrzej Kacprowski
+
+commit dd1311bcf0e62f0c515115f46a3813370f4a4bb1 upstream.
+
+Add validation that read and write indices in the firmware log buffer
+are within valid bounds (< data_size) before using them. If
+out-of-bounds indices are encountered (from firmware), clamp them to
+safe values instead of proceeding with invalid offsets.
+
+This prevents potential out-of-bounds buffer access when firmware
+supplies invalid log indices.
+
+Fixes: 1fc1251149a7 ("accel/ivpu: Refactor functions in ivpu_fw_log.c")
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Andrzej Kacprowski
+Reviewed-by: Karol Wachowski
+Signed-off-by: Karol Wachowski
+Link: https://patch.msgid.link/20260529115842.135378-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/accel/ivpu/ivpu_fw_log.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/accel/ivpu/ivpu_fw_log.c
++++ b/drivers/accel/ivpu/ivpu_fw_log.c
+@@ -98,6 +98,11 @@ static void fw_log_print_buffer(struct v
+ u32 log_start = only_new_msgs ? READ_ONCE(log->read_index) : 0;
+ u32 log_end = READ_ONCE(log->write_index);
+
++ if (log_start >= data_size)
++ log_start = 0;
++ if (log_end > data_size)
++ log_end = data_size;
++
+ if (log->wrap_count == log->read_wrap_count) {
+ if (log_end <= log_start) {
+ drm_printf(p, "==== %s \"%s\" log empty ====\n", prefix, log->name);
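Review bot: The clamp added in fw_log_print_buffer() silently rewrites out-of-range `read_index`/`write_index` values, so firmware that hands back corrupted indices leaves no trace for whoever triages the device. A rate-limited diagnostic before the clamp would keep that evidence, for example `ivpu_warn_ratelimited(vdev, "FW log \"%s\": index out of range\n", log->name);`, assuming `vdev` is in scope here (the signature is truncated in the hunk header). Separately, `log->wrap_count` and `log->read_wrap_count` on the following context line are read without READ_ONCE() while the indices use it; if they live in the same firmware-shared header, which the hunk does not show, they deserve the same treatment. The function body continues outside the hunk.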
diff --git a/queue-7.0/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch b/queue-7.0/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
new file mode 100644
index 0000000000..d2f211b51e
--- /dev/null
+++ b/queue-7.0/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
@@ -0,0 +1,42 @@
+From fb176425837693f50c5c9fc8db6fbb04af22bd0a Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski
+Date: Fri, 29 May 2026 14:08:41 +0200
+Subject: accel/ivpu: Add buffer overflow check in MS get_info_ioctl
+
+From: Andrzej Kacprowski
+
+commit fb176425837693f50c5c9fc8db6fbb04af22bd0a upstream.
+
+Add validation that the info size returned from the metric stream info
+query is not exceeded when checked against the allocated buffer size.
+If the firmware returns a size larger than the buffer, reject the
+operation with -EOVERFLOW instead of proceeding with an incorrect
+buffer copy.
+
+Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Andrzej Kacprowski
+Reviewed-by: Karol Wachowski
+Signed-off-by: Karol Wachowski
+Link: https://patch.msgid.link/20260529120841.135852-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/accel/ivpu/ivpu_ms.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/accel/ivpu/ivpu_ms.c
++++ b/drivers/accel/ivpu/ivpu_ms.c
+@@ -291,6 +291,13 @@ int ivpu_ms_get_info_ioctl(struct drm_de
+ if (ret)
+ goto unlock;
+
++ if (info_size > ivpu_bo_size(bo)) {
++ ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n",
++ info_size, ivpu_bo_size(bo));
++ ret = -EOVERFLOW;
++ goto unlock;
++ }
++
+ if (args->buffer_size < info_size) {
+ ret = -ENOSPC;
+ goto unlock;
diff --git a/queue-7.0/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch b/queue-7.0/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
new file mode 100644
index 0000000000..0a9cc5515c
--- /dev/null
+++ b/queue-7.0/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
@@ -0,0 +1,39 @@
+From d9faef564438d1e4579c692c046603e7ada7bdf4 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski
+Date: Mon, 1 Jun 2026 18:16:43 +0200
+Subject: accel/ivpu: Fix signed integer truncation in IPC receive
+
+From: Andrzej Kacprowski
+
+commit d9faef564438d1e4579c692c046603e7ada7bdf4 upstream.
+
+Fix potential buffer overflow where firmware-supplied data_size is cast
+to signed int before being used in min_t(). Large unsigned values
+(>= 0x80000000) become negative, causing unsigned wraparound and
+oversized memcpy operations that can overflow the stack buffer.
+
+Change min_t(int, ...) to min() as both values are unsigned and can be
+handled by min() without explicit cast.
+
+Fixes: 3b434a3445ff ("accel/ivpu: Use threaded IRQ to handle JOB done messages")
+Cc: stable@vger.kernel.org # v6.12+
+Signed-off-by: Andrzej Kacprowski
+Reviewed-by: Karol Wachowski
+Signed-off-by: Karol Wachowski
+Link: https://patch.msgid.link/20260601161643.229342-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/accel/ivpu/ivpu_ipc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/accel/ivpu/ivpu_ipc.c
++++ b/drivers/accel/ivpu/ivpu_ipc.c
+@@ -276,7 +276,7 @@ int ivpu_ipc_receive(struct ivpu_device
+ if (ipc_buf)
+ memcpy(ipc_buf, rx_msg->ipc_hdr, sizeof(*ipc_buf));
+ if (rx_msg->jsm_msg) {
+- u32 size = min_t(int, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
++ u32 size = min(rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
+
+ if (rx_msg->jsm_msg->result != VPU_JSM_STATUS_SUCCESS) {
+ ivpu_err(vdev, "IPC resp result error: %d\n", rx_msg->jsm_msg->result);
diff --git a/queue-7.0/arm-do-not-select-have_rust-when-kasan-is-enabled.patch b/queue-7.0/arm-do-not-select-have_rust-when-kasan-is-enabled.patch
new file mode 100644
index 0000000000..57c6c8407e
--- /dev/null
+++ b/queue-7.0/arm-do-not-select-have_rust-when-kasan-is-enabled.patch
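Review bot: The `min()` in ivpu_ipc_receive() now caps `size` from above, but nothing in the hunk handles a firmware `data_size` that is smaller than the message the caller expects, so a short reply would presumably leave the tail of the caller's `jsm_msg` buffer holding whatever it contained before the copy. The copy itself is outside the hunk, so this is inferred from how `size` is named and computed. If callers read payload fields beyond the bytes actually received, clearing the destination first would make that deterministic, e.g. `if (size < sizeof(*jsm_msg)) memset(jsm_msg, 0, sizeof(*jsm_msg));`. The function body continues outside the hunk.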
@@ -0,0 +1,44 @@
+From 84a0f7caafc679f763d3868635837e22bb89651a Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Mon, 11 May 2026 17:02:44 +0900
+Subject: ARM: Do not select HAVE_RUST when KASAN is enabled
+
+From: Nathan Chancellor
+
+commit 84a0f7caafc679f763d3868635837e22bb89651a upstream.
+
+When KASAN is enabled, such as with allmodconfig, the build fails when
+building the Rust code with:
+
+ error: kernel-address sanitizer is not supported for this target
+
+ error: aborting due to 1 previous error
+
+ make[4]: *** [rust/Makefile:654: rust/core.o] Error 1
+
+The arm-unknown-linux-gnueabi target does not support KASAN, so avoid
+saying Rust is supported when it is enabled.
+
+Cc: stable@vger.kernel.org
+Fixes: ccb8ce526807 ("ARM: 9441/1: rust: Enable Rust support for ARMv7")
+Link: https://github.com/Rust-for-Linux/linux/issues/1234
+Signed-off-by: Nathan Chancellor
+Reviewed-by: Christian Schrefl
+Link: https://patch.msgid.link/20260511-arm-avoid-rust-with-kasan-v1-1-24d55f4a900b@kernel.org
+Signed-off-by: Miguel Ojeda
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -135,7 +135,7 @@ config ARM
+ select MMU_GATHER_RCU_TABLE_FREE if SMP && ARM_LPAE
+ select HAVE_REGS_AND_STACK_ACCESS_API
+ select HAVE_RSEQ
+- select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7
++ select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7 && !KASAN
+ select HAVE_STACKPROTECTOR
+ select HAVE_SYSCALL_TRACEPOINTS
+ select HAVE_UID16
diff --git a/queue-7.0/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch b/queue-7.0/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
new file mode 100644
index 0000000000..5087061f82
--- /dev/null
+++ b/queue-7.0/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
@@ -0,0 +1,47 @@
+From 5c65b96b549ea2dcfde497436bf9e048deb87758 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu
+Date: Fri, 29 May 2026 16:54:23 +0800
+Subject: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
+
+From: Yuqi Xu
+
+commit 5c65b96b549ea2dcfde497436bf9e048deb87758 upstream.
+
+Existing advertising instances can already hold the maximum extended
+advertising payload. When hci_adv_bcast_annoucement() prepends the
+Broadcast Announcement service data to that payload, the combined data
+may no longer fit in the temporary buffer used to rebuild the
+advertising data.
+
+Reject that case before copying the existing payload and report the
+failure through the device log. This keeps the existing advertising
+data intact and avoids overrunning the temporary buffer.
+
+Fixes: 5725bc608252 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan
+Reported-by: Zhengchuan Liang
+Reported-by: Xin Liu
+Assisted-by: Codex:GPT-5.4
+Signed-off-by: Yuqi Xu
+Signed-off-by: Ren Wei
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sync.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1725,6 +1725,11 @@ static int hci_adv_bcast_annoucement(str
+ /* Generate Broadcast ID */
+ get_random_bytes(bid, sizeof(bid));
+ len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
++ if (adv->adv_data_len > sizeof(ad) - len) {
++ bt_dev_err(hdev, "No room for Broadcast Announcement");
++ return -EINVAL;
++ }
++
+ memcpy(ad + len, adv->adv_data, adv->adv_data_len);
+ hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
+ ad, 0, NULL);
diff --git a/queue-7.0/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch b/queue-7.0/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
new file mode 100644
index 0000000000..0de1e1ed9e
--- /dev/null
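Review bot: The bound `sizeof(ad) - len` in hci_adv_bcast_annoucement() is only correct while `ad` is an array declared in this function and `len` never exceeds its size; the declaration is outside the hunk, so neither can be confirmed from here. A short comment on the check would pin that assumption down for later edits, for example `/* ad is a fixed-size local array and len counts bytes already written into it */`. The error message would also be easier to act on if it reported `adv->adv_data_len` and `len` alongside the text.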
+++ b/queue-7.0/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch 
@@ -0,0 +1,128 @@
+From dd214733544427587a95f66dbf3adff072568990 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito
+Date: Thu, 21 May 2026 10:45:17 -0400
+Subject: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
+
+From: Michael Bommarito
+
+commit dd214733544427587a95f66dbf3adff072568990 upstream.
+
+net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
+signaling packets up to the channel MTU and dispatches each command
+without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
+within radio range can send a fixed-channel CID 0x0001 packet that is
+larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
+pairing. In a real-radio stock-kernel run, one 681-byte signaling
+packet containing 168 zero-length ECHO_REQ commands made the target
+transmit 168 ECHO_RSP frames over about 220 ms.
+
+Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
+force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
+packet containing packed ECHO_REQ commands.
+
+Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
+reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
+carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.
+
+The Bluetooth Core spec wording for MTUExceeded says the reject
+identifier shall match the first request command in the packet, and
+that packets containing only responses shall be silently discarded.
+Linux intentionally deviates from that prescription: silently
+discarding desynchronizes the peer because the remote stack never
+learns its responses were dropped, and locating the first request
+command requires walking command headers past MTUsig, i.e. processing
+bytes from a packet we have already decided is too large to process.
+We therefore always emit one reject and use the identifier from the
+first command header, a single fixed-offset byte read.
+
+The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
+trace to the initial git import; no later introducing commit is
+available for a Fixes tag.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Luiz Augusto von Dentz
+Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
+Assisted-by: Claude:claude-opus-4-7
+Assisted-by: Codex:gpt-5-5-xhigh
+Signed-off-by: Michael Bommarito
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/bluetooth/l2cap.h | 1
+ net/bluetooth/l2cap_core.c | 46 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -33,6 +33,7 @@
+ /* L2CAP defaults */
+ #define L2CAP_DEFAULT_MTU 672
+ #define L2CAP_DEFAULT_MIN_MTU 48
++#define L2CAP_SIG_MTU 48 /* BR/EDR signaling MTU */
+ #define L2CAP_DEFAULT_FLUSH_TO 0xFFFF
+ #define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF
+ #define L2CAP_DEFAULT_TX_WINDOW 63
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5651,6 +5651,15 @@ static inline void l2cap_sig_send_rej(st
+ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+ }
+
++static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
++{
++ struct l2cap_cmd_rej_mtu rej;
++
++ rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
++ rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
++ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
++}
++
+ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
+ struct sk_buff *skb)
+ {
+@@ -5663,6 +5672,43 @@ static inline void l2cap_sig_channel(str
+ if (hcon->type != ACL_LINK)
+ goto drop;
+
++ /*
++ * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
++ * signaling channel has a fixed signaling MTU (MTUsig) whose
++ * minimum and default is 48 octets. Section 4.1 says that on
++ * an MTUExceeded command reject the identifier "shall match
++ * the first request command in the L2CAP packet" and that
++ * packets containing only response commands "shall be
++ * silently discarded".
++ *
++ * Linux intentionally deviates from that prescription:
++ *
++ * 1. Silently discarding desynchronizes the peer. The
++ * remote stack never learns its responses were dropped,
++ * so any state machine waiting on a paired response
++ * stalls until its own timer fires.
++ *
++ * 2. Locating "the first request command" requires walking
++ * command headers past MTUsig, i.e. processing bytes
++ * from a packet we have already decided is too large to
++ * process.
++ *
++ * Reject every over-MTUsig signaling packet with one
++ * L2CAP_REJ_MTU_EXCEEDED command reject. The reject's
++ * reason field is what tells the peer that the whole packet
++ * was discarded; the identifier value is informational, so
++ * we use the identifier from the first command header, a
++ * single fixed-offset byte read.
++ */
++ if (skb->len > L2CAP_SIG_MTU) {
++ u8 ident = skb->data[1];
++
++ BT_DBG("signaling packet exceeds MTU: %u > %u",
++ skb->len, L2CAP_SIG_MTU);
++ l2cap_sig_send_mtu_rej(conn, ident);
++ goto drop;
++ }
++
+ while (skb->len >= L2CAP_CMD_HDR_SIZE) {
+ u16 len;
+
diff --git a/queue-7.0/cfi-include-uaccess.h-for-get_kernel_nofault.patch b/queue-7.0/cfi-include-uaccess.h-for-get_kernel_nofault.patch
new file mode 100644
index 0000000000..c47d85cad8
--- /dev/null
+++ b/queue-7.0/cfi-include-uaccess.h-for-get_kernel_nofault.patch
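Review bot: `u8 ident = skb->data[1];` in l2cap_sig_channel() reads the identifier through a bare index, which hides that the offset comes from the layout of the command header. Spelling it through the header type, `u8 ident = ((struct l2cap_cmd_hdr *)skb->data)->ident;`, keeps the read tied to the struct definition. The rejection is also reported only through BT_DBG, so a peer that repeatedly sends oversized signaling packets before pairing leaves nothing in a default log; a rate-limited warning such as `bt_dev_warn_ratelimited()` or a counter would give defenders a signal. The function body continues outside the hunk.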
@@ -0,0 +1,52 @@
+From 979c294509f9248fe1e7c358d582fb37dd5ca12d Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Thu, 4 Jun 2026 17:33:21 -0700
+Subject: cfi: Include uaccess.h for get_kernel_nofault()
+
+From: Nathan Chancellor
+
+commit 979c294509f9248fe1e7c358d582fb37dd5ca12d upstream.
+
+After commit 0652a3daa787 ("tracing: Fix CFI violation in probestub
+being called by tprobes"), there are many build errors when building
+ARCH=arm multi_v7_defconfig + CONFIG_CFI=y like:
+
+ In file included from drivers/base/devres.c:17:
+ In file included from drivers/base/trace.h:16:
+ In file included from include/linux/tracepoint.h:23:
+ include/linux/cfi.h:44:6: error: call to undeclared function 'get_kernel_nofault'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
+ 44 | if (get_kernel_nofault(hash, func - cfi_get_offset()))
+ | ^
+ 1 error generated.
+
+get_kernel_nofault() is called in the generic version of
+cfi_get_func_hash() but nothing ensures uaccess.h is always included for
+a proper expansion and prototype. Include uaccess.h in cfi.h to clear
+up the errors.
+
+Cc: stable@vger.kernel.org
+Fixes: 0652a3daa787 ("tracing: Fix CFI violation in probestub being called by tprobes")
+Signed-off-by: Nathan Chancellor
+Acked-by: Masami Hiramatsu (Google)
+Reviewed-by: Sami Tolvanen
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/cfi.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/cfi.h b/include/linux/cfi.h
+index 1fd22ea6eba4..0f220d29225c 100644
+--- a/include/linux/cfi.h
++++ b/include/linux/cfi.h
+@@ -9,6 +9,7 @@
+
+ #include
+ #include
++#include
+ #include
+
+ #ifdef CONFIG_CFI
+--
+2.54.0
+
diff --git a/queue-7.0/cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch b/queue-7.0/cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch
new file mode 100644
index 0000000000..c6c08e8431
--- /dev/null
+++ b/queue-7.0/cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch
@@ -0,0 +1,120 @@
+From 0a68853de27b522bca2b9934127277185374a24f Mon Sep 17 00:00:00 2001
+From: Sun Shaojie
+Date: Wed, 27 May 2026 14:43:28 +0800
+Subject: cgroup/cpuset: Use effective_xcpus in partcmd_update add/del mask calculation
+
+From: Sun Shaojie
+
+commit 0a68853de27b522bca2b9934127277185374a24f upstream.
+
+When sibling CPU exclusion occurs, a partition's user_xcpus may contain
+CPUs that were never actually granted to it. These CPUs are present in
+user_xcpus(cs) but not in cs->effective_xcpus.
+
+The partcmd_update path in update_parent_effective_cpumask() uses
+user_xcpus(cs) (via the local variable xcpus) to compute the addmask
+(CPUs to return to parent) and delmask (CPUs to request from parent).
+This is incorrect:
+
+ 1) When newmask removes a CPU that was previously excluded by a
+ sibling, addmask incorrectly includes that CPU and tries to return
+ it to the parent even though the partition never actually owned it,
+ causing CPU overlap with sibling partitions and triggering warnings
+ in generate_sched_domains().
+
+ 2) When newmask adds a previously excluded CPU that is now available,
+ delmask fails to request it from the parent because user_xcpus(cs)
+ already includes it.
+
+Fix this by using cs->effective_xcpus instead of user_xcpus(cs) in all
+partcmd_update paths that calculate addmask or delmask, including the
+PERR_NOCPUS error handling paths.
+
+Reproducers:
+
+ Example 1 - Removing a sibling-excluded CPU incorrectly returns it:
+
+ # cd /sys/fs/cgroup
+ # echo "0-1" > a1/cpuset.cpus
+ # echo "root" > a1/cpuset.cpus.partition
+ # echo "0-2" > b1/cpuset.cpus
+ # echo "root" > b1/cpuset.cpus.partition
+ # echo "2" > b1/cpuset.cpus
+ # cat cpuset.cpus.effective
+ # Actual: 0-1,3 Expected: 3
+
+ Example 2 - Expanding to a previously excluded CPU fails to request it:
+
+ # cd /sys/fs/cgroup
+ # echo "0-1" > a1/cpuset.cpus
+ # echo "root" > a1/cpuset.cpus.partition
+ # echo "0-2" > b1/cpuset.cpus
+ # echo "root" > b1/cpuset.cpus.partition
+ # echo "member" > a1/cpuset.cpus.partition
+ # echo "1-2" > b1/cpuset.cpus
+ # cat cpuset.cpus.effective
+ # Actual: 0-1,3 Expected: 0,3
+
+Fixes: 2a3602030d80 ("cgroup/cpuset: Don't invalidate sibling partitions on cpuset.cpus conflict")
+Cc: stable@vger.kernel.org # v7.0+
+Suggested-by: Zhang Guopeng
+Signed-off-by: Sun Shaojie
+Reviewed-by: Waiman Long
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/cgroup/cpuset.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
+index 5c33ab20cc20..c9e14fda3d6f 100644
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -1811,9 +1811,9 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
+ * Compute add/delete mask to/from effective_cpus
+ *
+ * For valid partition:
+- * addmask = exclusive_cpus & ~newmask
++ * addmask = effective_xcpus & ~newmask
+ * & parent->effective_xcpus
+- * delmask = newmask & ~exclusive_cpus
++ * delmask = newmask & ~effective_xcpus
+ * & parent->effective_xcpus
+ *
+ * For invalid partition:
+@@ -1825,11 +1825,11 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
+ deleting = cpumask_and(tmp->delmask,
+ newmask, parent->effective_xcpus);
+ } else {
+- cpumask_andnot(tmp->addmask, xcpus, newmask);
++ cpumask_andnot(tmp->addmask, cs->effective_xcpus, newmask);
+ adding = cpumask_and(tmp->addmask, tmp->addmask,
+ parent->effective_xcpus);
+
+- cpumask_andnot(tmp->delmask, newmask, xcpus);
++ cpumask_andnot(tmp->delmask, newmask, cs->effective_xcpus);
+ deleting = cpumask_and(tmp->delmask, tmp->delmask,
+ parent->effective_xcpus);
+ }
+@@ -1868,7 +1868,7 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
+ part_error = PERR_NOCPUS;
+ deleting = false;
+ adding = cpumask_and(tmp->addmask,
+- xcpus, parent->effective_xcpus);
++ cs->effective_xcpus, parent->effective_xcpus);
+ }
+ } else {
+ /*
+@@ -1890,7 +1890,8 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
+ part_error = PERR_NOCPUS;
+ if (is_partition_valid(cs))
+ adding = cpumask_and(tmp->addmask,
+- xcpus, parent->effective_xcpus);
++ cs->effective_xcpus,
++ parent->effective_xcpus);
+ } else if (is_partition_invalid(cs) && !cpumask_empty(xcpus) &&
+ cpumask_subset(xcpus, parent->effective_xcpus)) {
+ struct cgroup_subsys_state *css;
+--
+2.54.0
+
diff --git a/queue-7.0/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch b/queue-7.0/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
new file mode 100644
index 0000000000..6383de2e7c
--- /dev/null
+++ b/queue-7.0/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
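Review bot: After this change update_parent_effective_cpumask() draws on two different masks in the partcmd_update path without saying why: the add/del computations use `cs->effective_xcpus`, while the `else if (is_partition_invalid(cs) && !cpumask_empty(xcpus) && cpumask_subset(xcpus, parent->effective_xcpus))` branch in the last hunk still tests the local `xcpus`. That is plausibly intentional, since an invalid partition may hold no effective exclusive CPUs, but nothing in the visible code states it. A one-line comment on that branch, such as `/* invalid partition: test the user-requested xcpus, not effective_xcpus */`, would keep a later cleanup from converting it as well; the wording should be confirmed against the actual semantics. The function starts and ends outside the hunks.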
@@ -0,0 +1,89 @@
+From d21ad938398bca695a511307de38a65889e3b354 Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen
+Date: Wed, 10 Jun 2026 09:03:14 +0300
+Subject: drm/i915/gem: Fix phys BO pread/pwrite with offset
+
+From: Joonas Lahtinen
+
+commit d21ad938398bca695a511307de38a65889e3b354 upstream.
+
+sg_page() returns struct page pointer not (void *) so the scaling
+of pread/pwrite is wrong for phys BO and wrong parts of BO would be
+accessed if non-zero offset is used.
+
+Last impacted platform with overlay or cursor planes using phys
+mapping was Gen3/945G/Lakeport.
+
+Reported-by: Matthew Wilcox (Oracle)
+Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
+Cc: # v4.5+
+Cc: Tvrtko Ursulin
+Cc: Simona Vetter
+Cc: Jani Nikula
+Cc: Rodrigo Vivi
+Signed-off-by: Joonas Lahtinen
+Reviewed-by: Tvrtko Ursulin
+Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
+Signed-off-by: Tvrtko Ursulin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/gem/i915_gem_phys.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+@@ -18,6 +18,17 @@
+ #include "i915_gem_tiling.h"
+ #include "i915_scatterlist.h"
+
++/* Abuse scatterlist to store pointer instead of struct page. */
++static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
++{
++ sg_assign_page(sg, (struct page *)vaddr);
++}
++
++static inline void *__get_phys_vaddr(struct scatterlist *sg)
++{
++ return (void *)sg_page(sg);
++}
++
+ static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
+ {
+ struct address_space *mapping = obj->base.filp->f_mapping;
+@@ -58,7 +69,7 @@ static int i915_gem_object_get_pages_phy
+ sg->offset = 0;
+ sg->length = obj->base.size;
+
+- sg_assign_page(sg, (struct page *)vaddr);
++ __set_phys_vaddr(sg, vaddr);
+ sg_dma_address(sg) = dma;
+ sg_dma_len(sg) = obj->base.size;
+
+@@ -99,7 +110,7 @@ i915_gem_object_put_pages_phys(struct dr
+ struct sg_table *pages)
+ {
+ dma_addr_t dma = sg_dma_address(pages->sgl);
+- void *vaddr = sg_page(pages->sgl);
++ void *vaddr = __get_phys_vaddr(pages->sgl);
+
+ __i915_gem_object_release_shmem(obj, pages, false);
+
+@@ -139,7 +150,7 @@ i915_gem_object_put_pages_phys(struct dr
+ int i915_gem_object_pwrite_phys(struct drm_i915_gem_object *obj,
+ const struct drm_i915_gem_pwrite *args)
+ {
+- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+ char __user *user_data = u64_to_user_ptr(args->data_ptr);
+ struct drm_i915_private *i915 = to_i915(obj->base.dev);
+ int err;
+@@ -170,7 +181,7 @@ int i915_gem_object_pwrite_phys(struct d
+ int i915_gem_object_pread_phys(struct drm_i915_gem_object *obj,
+ const struct drm_i915_gem_pread *args)
+ {
+- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+ char __user *user_data = u64_to_user_ptr(args->data_ptr);
+ int err;
+
diff --git a/queue-7.0/firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch b/queue-7.0/firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch
new file mode 100644
index 0000000000..e9632a8cde
--- /dev/null
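Review bot: The comment on `__set_phys_vaddr()`/`__get_phys_vaddr()` says the scatterlist slot is being reused for a pointer but not what makes that safe: the scatterlist keeps flag bits in the low bits of that field, so the stored address has to be suitably aligned. The allocation is outside the hunk, so that property should be confirmed for the buffer stored here. I would extend the comment to state it, e.g. `/* vaddr must be at least 4-byte aligned: sg_page() masks the low link bits. */`. The bounds check that keeps `vaddr + args->offset` inside the object in the pread/pwrite paths is likewise not visible in these hunks.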
+++ b/queue-7.0/firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch 
@@ -0,0 +1,158 @@ +From bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86 Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Wed, 20 May 2026 21:54:57 -0500 +Subject: firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe + +From: Dinh Nguyen + +commit bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86 upstream. + +rsu_send_msg() can return -ETIMEDOUT when +wait_for_completion_interruptible_timeout() fires while the SMC call is still +pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION, +COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE +call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then +fall through and queue the next request on the same channel. The next svc +kthread that runs will dereference pdata->chan->scl in its receive callback +path, triggering a NULL pointer dereference identical to the one fixed by +commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference +when RSU is disabled") for the COMMAND_RSU_STATUS path. + +Apply the same cleanup pattern to the remaining failure paths: remove the +async client, free the channel, and return early so no further messages are +queued on a channel whose scl has been cleared. + +While at it, clean up stratix10_rsu_probe() in two ways without changing +behavior: + +- Drop redundant zero-initialization of fields already cleared by + devm_kzalloc(): client.receive_cb, status.* and spt0/1_address + (INVALID_SPT_ADDRESS is 0x0). + +- Replace five identical 3-line error-cleanup blocks + (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() + + return ret) with goto labels (remove_async_client, free_channel), + matching the standard kernel resource-unwinding pattern and making it + easier to extend the probe sequence without forgetting matching + cleanup. + +Also move init_completion() next to mutex_init() so sync-primitive +initialization is grouped before anything that could trigger a +callback. 
+ +Fixes: 15847537b623 ("firmware: stratix10-rsu: Migrate RSU driver to use stratix10 asynchronous framework.") +Cc: stable@kernel.org +Assisted-by: Claude:claude-4.7-opus-high Cursor +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- +v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a + centralize exit for all the rsu_send_async_msg() and rsu_send_msg(). +--- + drivers/firmware/stratix10-rsu.c | 45 +++++++++++++++++---------------------- + 1 file changed, 20 insertions(+), 25 deletions(-) + +--- a/drivers/firmware/stratix10-rsu.c ++++ b/drivers/firmware/stratix10-rsu.c +@@ -723,15 +723,9 @@ static int stratix10_rsu_probe(struct pl + return -ENOMEM; + + priv->client.dev = dev; +- priv->client.receive_cb = NULL; + priv->client.priv = priv; +- priv->status.current_image = 0; +- priv->status.fail_image = 0; +- priv->status.error_location = 0; +- priv->status.error_details = 0; +- priv->status.version = 0; +- priv->status.state = 0; + priv->retry_counter = INVALID_RETRY_COUNTER; ++ priv->max_retry = INVALID_RETRY_COUNTER; + priv->dcmf_version.dcmf0 = INVALID_DCMF_VERSION; + priv->dcmf_version.dcmf1 = INVALID_DCMF_VERSION; + priv->dcmf_version.dcmf2 = INVALID_DCMF_VERSION; +@@ -740,11 +734,11 @@ static int stratix10_rsu_probe(struct pl + priv->dcmf_status.dcmf1 = INVALID_DCMF_STATUS; + priv->dcmf_status.dcmf2 = INVALID_DCMF_STATUS; + priv->dcmf_status.dcmf3 = INVALID_DCMF_STATUS; +- priv->max_retry = INVALID_RETRY_COUNTER; +- priv->spt0_address = INVALID_SPT_ADDRESS; +- priv->spt1_address = INVALID_SPT_ADDRESS; ++ /* spt0/1_address and status fields default to 0 from kzalloc */ + + mutex_init(&priv->lock); ++ init_completion(&priv->completion); ++ + priv->chan = stratix10_svc_request_channel_byname(&priv->client, + SVC_CLIENT_RSU); + if (IS_ERR(priv->chan)) { +@@ -756,11 +750,9 @@ static int stratix10_rsu_probe(struct pl + ret = stratix10_svc_add_async_client(priv->chan, false); + if (ret) { + dev_err(dev, "failed to add async 
client\n"); +- stratix10_svc_free_channel(priv->chan); +- return ret; ++ goto free_channel; + } + +- init_completion(&priv->completion); + platform_set_drvdata(pdev, priv); + + /* get the initial state from firmware */ +@@ -768,41 +760,44 @@ static int stratix10_rsu_probe(struct pl + rsu_async_status_callback); + if (ret) { + dev_err(dev, "Error, getting RSU status %i\n", ret); +- stratix10_svc_remove_async_client(priv->chan); +- stratix10_svc_free_channel(priv->chan); +- return ret; ++ goto remove_async_client; + } + + /* get DCMF version from firmware */ +- ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_VERSION, +- 0, rsu_dcmf_version_callback); ++ ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_VERSION, 0, ++ rsu_dcmf_version_callback); + if (ret) { + dev_err(dev, "Error, getting DCMF version %i\n", ret); +- stratix10_svc_free_channel(priv->chan); ++ goto remove_async_client; + } + +- ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_STATUS, +- 0, rsu_dcmf_status_callback); ++ ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_STATUS, 0, ++ rsu_dcmf_status_callback); + if (ret) { + dev_err(dev, "Error, getting DCMF status %i\n", ret); +- stratix10_svc_free_channel(priv->chan); ++ goto remove_async_client; + } + + ret = rsu_send_msg(priv, COMMAND_RSU_MAX_RETRY, 0, + rsu_max_retry_callback); + if (ret) { + dev_err(dev, "Error, getting RSU max retry %i\n", ret); +- stratix10_svc_free_channel(priv->chan); ++ goto remove_async_client; + } + +- + ret = rsu_send_async_msg(dev, priv, COMMAND_RSU_GET_SPT_TABLE, 0, + rsu_async_get_spt_table_callback); + if (ret) { + dev_err(dev, "Error, getting SPT table %i\n", ret); +- stratix10_svc_free_channel(priv->chan); ++ goto remove_async_client; + } + ++ return 0; ++ ++remove_async_client: ++ stratix10_svc_remove_async_client(priv->chan); ++free_channel: ++ stratix10_svc_free_channel(priv->chan); + return ret; + } + 
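Review bot: In stratix10_rsu_probe(), the new `goto remove_async_client` paths free the channel while the request that timed out may still be in flight, and nothing in the hunk cancels or drains it. The commit message says rsu_send_msg() returns -ETIMEDOUT with the SMC call still pending, and priv is devm-allocated, so a late callback could presumably reach a channel whose scl was cleared or a priv that devres released after the failed probe. Whether stratix10_svc_remove_async_client() and stratix10_svc_free_channel() quiesce outstanding work is not visible here and should be confirmed. If they do, a comment at the label would record it, e.g. `/* no callback can run once the channel is freed: outstanding requests are drained first */`. The function starts before this hunk.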
diff --git a/queue-7.0/firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch b/queue-7.0/firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch new file mode 100644 index 0000000000..7b93eaa00a --- /dev/null +++ b/queue-7.0/firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch 
@@ -0,0 +1,58 @@ +From 371aa062219a0af108fb8992f0759d1bac1e8c91 Mon Sep 17 00:00:00 2001 +From: Muhammad Amirul Asyraf Mohamad Jamian + +Date: Thu, 16 Apr 2026 00:22:07 -0700 +Subject: firmware: stratix10-svc: Don't fail probe when async ops unsupported + +From: Muhammad Amirul Asyraf Mohamad Jamian + +commit 371aa062219a0af108fb8992f0759d1bac1e8c91 upstream. + +When the ATF version is too old to support SIP SVC v3 asynchronous +operations (e.g. ATF 2.5), stratix10_svc_async_init() returns +-EOPNOTSUPP. The probe function currently treats any non-zero return +as fatal and aborts, logging: + + stratix10-svc firmware:svc: Intel Service Layer Driver: ATF version \ + is not compatible for async operation + stratix10-svc firmware:svc: probe with driver stratix10-svc failed \ + with error -95 + +This prevents the SVC driver from loading entirely, causing all +dependent client drivers (hwmon, RSU, FCS) to also fail to probe even +though they can operate correctly via the synchronous V1 SMC path. + +Fix this by treating -EOPNOTSUPP from stratix10_svc_async_init() as a +non-fatal degraded condition. 
The driver loads in sync-only mode and +logs: + + stratix10-svc firmware:svc: Intel Service Layer Driver Initialized \ + (sync-only mode) + +Fixes: bcb9f4f07061 ("firmware: stratix10-svc: Add support for async communication") +Cc: stable@vger.kernel.org +Signed-off-by: Muhammad Amirul Asyraf Mohamad Jamian +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -1952,10 +1952,14 @@ static int stratix10_svc_drv_probe(struc + init_completion(&controller->complete_status); + + ret = stratix10_svc_async_init(controller); +- if (ret) { ++ if (ret == -EOPNOTSUPP) { ++ dev_info(dev, "Intel Service Layer Driver Initialized (sync-only mode)\n"); ++ } else if (ret) { + dev_dbg(dev, "Intel Service Layer Driver: Error on stratix10_svc_async_init %d\n", + ret); + goto err_destroy_pool; ++ } else { ++ dev_info(dev, "Intel Service Layer Driver Initialized\n"); + } + + fifo_size = sizeof(struct stratix10_svc_data) * SVC_NUM_DATA_IN_FIFO; diff --git a/queue-7.0/firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch b/queue-7.0/firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch new file mode 100644 index 0000000000..214459747f --- /dev/null +++ b/queue-7.0/firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch 
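Review bot: In stratix10_svc_drv_probe(), both new dev_info() calls report "Initialized" right after stratix10_svc_async_init(), before the FIFO allocation and the rest of probe that follow in the same function. The message can therefore be logged for a probe that then fails. Printing it at the end of a successful probe, or rewording the degraded case to `dev_info(dev, "async operations unsupported by ATF, using sync-only mode\n");`, keeps the log accurate. The later error and remove paths are outside the hunk; they presumably tear down async state and should be checked for the case where it was never set up.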
@@ -0,0 +1,104 @@ +From 3e529f57931417120fab700afeef6e49553250d5 Mon Sep 17 00:00:00 2001 +From: Muhammad Amirul Asyraf Mohamad Jamian + +Date: Thu, 16 Apr 2026 00:22:06 -0700 +Subject: firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported + +From: Muhammad Amirul Asyraf Mohamad Jamian + +commit 3e529f57931417120fab700afeef6e49553250d5 upstream. + +Add a 'supported' flag to struct stratix10_async_ctrl to indicate +whether the secure firmware supports SIP SVC v3 asynchronous +communication. When the ATF version check in stratix10_svc_async_init() +fails, set supported=false and return -EOPNOTSUPP instead of -EINVAL. + +This allows callers to distinguish between "async not supported by this +ATF version" (-EOPNOTSUPP) and "programming error / bad argument" +(-EINVAL), and take appropriate action (e.g. fall back to synchronous +V1 SMC path) rather than treating both as fatal. + +Also update stratix10_svc_add_async_client() to return -EOPNOTSUPP +immediately when async is not supported, rather than -EINVAL from the +!actrl->initialized check, so client drivers receive a consistent and +meaningful error code. + +This patch is a prerequisite for the following fix and must be applied +together with it to correctly restore functionality on old ATF versions. 
+ +Fixes: bcb9f4f07061 ("firmware: stratix10-svc: Add support for async communication") +Cc: stable@vger.kernel.org +Suggested-by: Anders Hedlund +Signed-off-by: Mahesh Rao +Signed-off-by: Muhammad Amirul Asyraf Mohamad Jamian +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c +index e9e35d67ef96..8a4f18602f36 100644 +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -212,6 +212,7 @@ struct stratix10_async_chan { + /** + * struct stratix10_async_ctrl - Control structure for Stratix10 + * asynchronous operations ++ * @supported: Flag indicating whether the system supports async operations + * @initialized: Flag indicating whether the control structure has + * been initialized + * @invoke_fn: Function pointer for invoking Stratix10 service calls +@@ -228,6 +229,7 @@ struct stratix10_async_chan { + */ + + struct stratix10_async_ctrl { ++ bool supported; + bool initialized; + void (*invoke_fn)(struct stratix10_async_ctrl *actrl, + const struct arm_smccc_1_2_regs *args, +@@ -1103,6 +1105,7 @@ EXPORT_SYMBOL_GPL(stratix10_svc_request_channel_byname); + * Return: 0 on success, or a negative error code on failure: + * -EINVAL if the channel is NULL or the async controller is + * not initialized. ++ * -EOPNOTSUPP if async operations are not supported. + * -EALREADY if the async channel is already allocated. + * -ENOMEM if memory allocation fails. + * Other negative values if ID allocation fails. 
+@@ -1121,6 +1124,9 @@ int stratix10_svc_add_async_client(struct stratix10_svc_chan *chan, + ctrl = chan->ctrl; + actrl = &ctrl->actrl; + ++ if (!actrl->supported) ++ return -EOPNOTSUPP; ++ + if (!actrl->initialized) { + dev_err(ctrl->dev, "Async controller not initialized\n"); + return -EINVAL; +@@ -1562,6 +1568,7 @@ static inline void stratix10_smc_1_2(struct stratix10_async_ctrl *actrl, + * initialized, -ENOMEM if memory allocation fails, + * -EADDRINUSE if the client ID is already reserved, or other + * negative error codes on failure. ++ * -EOPNOTSUPP if system doesn't support async operations. + */ + static int stratix10_svc_async_init(struct stratix10_svc_controller *controller) + { +@@ -1585,10 +1592,12 @@ static int stratix10_svc_async_init(struct stratix10_svc_controller *controller) + !(res.a1 > ASYNC_ATF_MINIMUM_MAJOR_VERSION || + (res.a1 == ASYNC_ATF_MINIMUM_MAJOR_VERSION && + res.a2 >= ASYNC_ATF_MINIMUM_MINOR_VERSION))) { +- dev_err(dev, +- "Intel Service Layer Driver: ATF version is not compatible for async operation\n"); +- return -EINVAL; ++ dev_info(dev, ++ "Intel Service Layer Driver: ATF version is not compatible for async operation\n"); ++ actrl->supported = false; ++ return -EOPNOTSUPP; + } ++ actrl->supported = true; + + actrl->invoke_fn = stratix10_smc_1_2; + +-- +2.54.0 + diff --git a/queue-7.0/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch b/queue-7.0/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch new file mode 100644 index 0000000000..3c531c1a20 --- /dev/null +++ b/queue-7.0/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch 
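Review bot: stratix10_svc_add_async_client() now returns -EOPNOTSUPP on old ATF, but the only caller visible on this page, stratix10_rsu_probe(), treats any non-zero return as fatal (`goto free_channel`), so RSU would still fail to probe unless callers fall back. The kernel-doc could state the expected handling, e.g. ` * -EOPNOTSUPP if async operations are not supported; callers should fall back to the synchronous path.` Also, `supported` is tested before `initialized`, so a controller whose async init never ran reports -EOPNOTSUPP rather than -EINVAL, assuming the structure is zero-initialised, which is not shown here.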
@@ -0,0 +1,87 @@ +From 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af Mon Sep 17 00:00:00 2001 +From: Anton Leontev +Date: Thu, 4 Jun 2026 19:59:38 +0300 +Subject: hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf + +From: Anton Leontev + +commit 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af upstream. + +netvsc_copy_to_send_buf() copies page buffer entries into the VMBus +send buffer using phys_to_virt() on the entry PFN. Entries for the +RNDIS header and the skb linear data come from kmalloc'd memory and +are always in the kernel direct map, but entries for skb fragments +reference page cache or user pages, which on 32-bit x86 with +CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page +phys_to_virt() returns an address outside the direct map and the +subsequent memcpy() faults on the transmit softirq path, which is +fatal. + +Map the pages with kmap_local_page() instead, handling two properties +of the page buffer entries: + + - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity, + not a native PFN. Reconstruct the physical address first and derive + the native page from it, so the mapping stays correct where + PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages). + + - Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN + grouping in the page buffer array"), an entry describes a full + physically contiguous fragment and pb[i].len can exceed PAGE_SIZE, + while kmap_local_page() maps a single page. Copy page by page, + splitting at native page boundaries. + +The copy path only handles packets smaller than the send section size +(6144 bytes by default); larger packets take the cp_partial path where +only the RNDIS header is copied. So entries here are bounded by the +section size and a copy is split at most once on 4K-page systems. On +!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and +no mapping work is added. 
+ +Fixes: c25aaf814a63 ("hyperv: Enable sendbuf mechanism on the send path") +Cc: stable@vger.kernel.org +Signed-off-by: Anton Leontev +Link: https://patch.msgid.link/20260604165938.32033-1-leontyevantony@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -965,12 +966,22 @@ static void netvsc_copy_to_send_buf(stru + } + + for (i = 0; i < page_count; i++) { +- char *src = phys_to_virt(pb[i].pfn << HV_HYP_PAGE_SHIFT); +- u32 offset = pb[i].offset; ++ phys_addr_t paddr = (pb[i].pfn << HV_HYP_PAGE_SHIFT) + ++ pb[i].offset; + u32 len = pb[i].len; + +- memcpy(dest, (src + offset), len); +- dest += len; ++ while (len) { ++ struct page *page = phys_to_page(paddr); ++ u32 off = offset_in_page(paddr); ++ u32 chunk = min_t(u32, len, PAGE_SIZE - off); ++ char *src = kmap_local_page(page); ++ ++ memcpy(dest, src + off, chunk); ++ kunmap_local(src); ++ dest += chunk; ++ paddr += chunk; ++ len -= chunk; ++ } + } + + if (padding) diff --git a/queue-7.0/kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch b/queue-7.0/kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch new file mode 100644 index 0000000000..83e6c7ad92 --- /dev/null +++ b/queue-7.0/kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch 
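Review bot: The new copy loop in netvsc_copy_to_send_buf() relies on two facts that appear only in the commit message: pb[i].pfn is in HV_HYP_PAGE_SIZE units, and pb[i].len may cross a native page while kmap_local_page() maps a single page. A short comment above the `while (len)` loop would keep a later cleanup from collapsing it back into one memcpy, for example `/* pfn is in 4K Hyper-V units and len may span native pages: map and copy one native page at a time */`. The loop also trusts that the summed lengths fit the send section; that bound is enforced, if at all, by the caller outside this hunk.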
@@ -0,0 +1,42 @@
+From 17f073f78fc43280891ecde8f8ec3f84f98bb37c Mon Sep 17 00:00:00 2001
+From: Oliver Upton
+Date: Tue, 2 Jun 2026 09:59:01 -0700
+Subject: KVM: arm64: Correctly identify executable PTEs at stage-2
+
+From: Oliver Upton
+
+commit 17f073f78fc43280891ecde8f8ec3f84f98bb37c upstream.
+
+KVM invalidates the I-cache before installing an executable PTE on
+implementations without DIC. Unfortunately, support for FEAT_XNX
+broke this check as KVM_PTE_LEAF_ATTR_HI_S2_XN was expanded to a
+bitfield.
+
+Fix it by reusing kvm_pgtable_stage2_pte_prot() and testing the abstract
+permission bits instead.
+
+Fixes: 2608563b466b ("KVM: arm64: Add support for FEAT_XNX stage-2 permissions")
+Reported-by: Sashiko (gemini/gemini-3.1-pro-preview)
+Signed-off-by: Oliver Upton
+Reviewed-by: Wei-Lin Chang
+Link: https://patch.msgid.link/20260602165901.52800-3-oupton@kernel.org
+Signed-off-by: Marc Zyngier
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/hyp/pgtable.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/hyp/pgtable.c
++++ b/arch/arm64/kvm/hyp/pgtable.c
+@@ -923,7 +923,9 @@ static bool stage2_pte_cacheable(struct
+
+ static bool stage2_pte_executable(kvm_pte_t pte)
+ {
+- return kvm_pte_valid(pte) && !(pte & KVM_PTE_LEAF_ATTR_HI_S2_XN);
++ enum kvm_pgtable_prot prot = kvm_pgtable_stage2_pte_prot(pte);
++
++ return prot & (KVM_PGTABLE_PROT_UX | KVM_PGTABLE_PROT_PX);
+ }
+
+ static u64 stage2_map_walker_phys_addr(const struct kvm_pgtable_visit_ctx *ctx,
diff --git a/queue-7.0/kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch b/queue-7.0/kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch
new file mode 100644
index 0000000000..561360da70
--- /dev/null
+++ b/queue-7.0/kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch
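Review bot: stage2_pte_executable() no longer checks kvm_pte_valid() itself and now depends on kvm_pgtable_stage2_pte_prot() never reporting UX or PX for an invalid PTE, which cannot be confirmed from this hunk. Since this predicate gates the I-cache invalidation before an executable mapping is installed, either keep the explicit guard, `return kvm_pte_valid(pte) && (prot & (KVM_PGTABLE_PROT_UX | KVM_PGTABLE_PROT_PX));`, or add a comment stating that the helper returns no execute bits for invalid entries.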
@@ -0,0 +1,46 @@
+From 49b32ddb87a3a109afecea89e55d70f73956b8bc Mon Sep 17 00:00:00 2001
+From: Oliver Upton
+Date: Tue, 2 Jun 2026 09:59:00 -0700
+Subject: KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX
+
+From: Oliver Upton
+
+commit 49b32ddb87a3a109afecea89e55d70f73956b8bc upstream.
+
+XN has already been extracted from its bitfield position so using
+FIELD_PREP() on the mask that clears XN[0] is completely broken, having
+the effect of unconditionally granting execute permissions...
+
+Fix the obvious mistake by manipulating the right bit.
+
+Cc: stable@vger.kernel.org
+Fixes: d93febe2ed2e ("KVM: arm64: nv: Forward FEAT_XNX permissions to the shadow stage-2")
+Reviewed-by: Wei-Lin Chang
+Signed-off-by: Oliver Upton
+Link: https://patch.msgid.link/20260602165901.52800-2-oupton@kernel.org
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/kvm_nested.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_nested.h
++++ b/arch/arm64/include/asm/kvm_nested.h
+@@ -131,7 +131,7 @@ static inline bool kvm_s2_trans_exec_el0
+ u8 xn = FIELD_GET(KVM_PTE_LEAF_ATTR_HI_S2_XN, trans->desc);
+
+ if (!kvm_has_xnx(kvm))
+- xn &= FIELD_PREP(KVM_PTE_LEAF_ATTR_HI_S2_XN, 0b10);
++ xn &= 0b10;
+
+ switch (xn) {
+ case 0b00:
+@@ -147,7 +147,7 @@ static inline bool kvm_s2_trans_exec_el1
+ u8 xn = FIELD_GET(KVM_PTE_LEAF_ATTR_HI_S2_XN, trans->desc);
+
+ if (!kvm_has_xnx(kvm))
+- xn &= FIELD_PREP(KVM_PTE_LEAF_ATTR_HI_S2_XN, 0b10);
++ xn &= 0b10;
+
+ switch (xn) {
+ case 0b00:
diff --git a/queue-7.0/kvm-arm64-restore-por_el0-access-to-host-el0.patch b/queue-7.0/kvm-arm64-restore-por_el0-access-to-host-el0.patch
new file mode 100644
index 0000000000..12e0b60468
--- /dev/null
+++ b/queue-7.0/kvm-arm64-restore-por_el0-access-to-host-el0.patch
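Review bot: The corrected mask `xn &= 0b10;` is repeated verbatim in kvm_s2_trans_exec_el0() and kvm_s2_trans_exec_el1(), and the bug being fixed came from mixing a field-relative value with a register-relative mask. A one-line comment at each site, such as `/* xn is the extracted field value; without FEAT_XNX, XN[0] is ignored */`, or a small shared helper that returns the effective XN, would make the unit of the mask explicit and keep the two permission checks in step. Both function bodies continue past their hunks.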
@@ -0,0 +1,35 @@
+From cbaffe843a942c0d3102e0f9bce0e72b029b2594 Mon Sep 17 00:00:00 2001
+From: Joey Gouly
+Date: Thu, 4 Jun 2026 11:54:34 +0100
+Subject: KVM: arm64: Restore POR_EL0 access to host EL0
+
+From: Joey Gouly
+
+commit cbaffe843a942c0d3102e0f9bce0e72b029b2594 upstream.
+
+CPTR_EL2.E0POE was being cleared in __deactivate_cptr_traps_vhe(), which meant
+that any accesses to POR_EL0 from host EL0 would trap and be reported to
+userspace as an Illegal instruction. This would happen after running any VM,
+regardless if it used POE or not.
+
+Signed-off-by: Joey Gouly
+Link: https://sashiko.dev/#/patchset/20260602155430.2088142-1-maz@kernel.org?part=1
+Link: https://patch.msgid.link/20260604105434.2297268-1-joey.gouly@arm.com
+Signed-off-by: Marc Zyngier
+Cc: stable@vger,kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/hyp/include/hyp/switch.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
++++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
+@@ -181,6 +181,8 @@ static inline void __deactivate_cptr_tra
+ val |= CPACR_EL1_ZEN;
+ if (cpus_have_final_cap(ARM64_SME))
+ val |= CPACR_EL1_SMEN;
++ if (cpus_have_final_cap(ARM64_HAS_S1POE))
++ val |= CPACR_EL1_E0POE;
+
+ write_sysreg(val, cpacr_el1);
+ }
diff --git a/queue-7.0/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch b/queue-7.0/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
new file mode 100644
index 0000000000..3006f6867b
--- /dev/null
+++ b/queue-7.0/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
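Review bot: The trailer `Cc: stable@vger,kernel.org` has a comma where the address needs a dot, and the patch carries no Fixes: tag, so the range of affected stable trees is not stated anywhere on the page. On the code itself, the added `val |= CPACR_EL1_E0POE;` follows the ZEN/SMEN pattern directly above it in __deactivate_cptr_traps_vhe(). A brief comment such as `/* let host EL0 access POR_EL0 again */` would record why the bit is set on the deactivate path. The function starts before the hunk.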
@@ -0,0 +1,63 @@ +From 8618004d3e897c0f1b71d9a9ab860461289bb89a Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 29 May 2026 20:35:39 +0200 +Subject: KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying + +From: Sean Christopherson + +commit 8618004d3e897c0f1b71d9a9ab860461289bb89a upstream. + +When marking a page dirty, complain about not having a running/loaded vCPU +if and only if the VM is still alive, i.e. its refcount is non-zero. This +will allow fixing a memory leak for x86 SEV-ES guests without hitting what +is effectively a false positive on the WARN. + +For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page +across an exit to userspace, and typically unmaps the page on the next +KVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM +needs to unmap the page when the vCPU is destroyed, which in turn triggers +the WARN about not having a running vCPU. + +Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN, +as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons; +suppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But +loading a vCPU during destruction is gross (ideally nVMX code would be +cleaned up), risks complicating the SEV-ES code (KVM would need to ensure +the temporarily load()+put() only runs when the vCPU isn't already loaded), +and is ultimately pointless. + +The motivation for the WARN is to guard against KVM dirtying guest memory +without pushing the corresponding GFN to the active vCPU's dirty ring, e.g. +to ensure userspace doesn't miss a dirty page. But for the VM's refcount +to reach zero, there can't be _any_ userspace mappings to the dirty ring, +as mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if +userspace had a valid mapping for the dirty ring, then the vCPU file and +thus the owning VM would still be alive. 
And so since userspace can't +possibly reach the dirty ring, whether or not KVM technically "misses" a +push to the dirty ring is irrelevant. + +Reported-by: Michael Roth +Cc: stable@vger.kernel.org +Reviewed-by: Michael Roth +Signed-off-by: Sean Christopherson +Message-ID: <20260501202250.2115252-15-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Message-ID: <20260529183549.1104619-15-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -3527,7 +3527,8 @@ void mark_page_dirty_in_slot(struct kvm + if (WARN_ON_ONCE(vcpu && vcpu->kvm != kvm)) + return; + +- WARN_ON_ONCE(!vcpu && !kvm_arch_allow_write_without_running_vcpu(kvm)); ++ WARN_ON_ONCE(!vcpu && refcount_read(&kvm->users_count) && ++ !kvm_arch_allow_write_without_running_vcpu(kvm)); + #endif + + if (memslot && kvm_slot_dirty_track_enabled(memslot)) { diff --git a/queue-7.0/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch b/queue-7.0/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch new file mode 100644 index 0000000000..1e8b632fcb --- /dev/null +++ b/queue-7.0/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch 
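Review bot: The added `refcount_read(&kvm->users_count)` term in mark_page_dirty_in_slot() silences the WARN for a dying VM, but nothing next to it says why that is safe. The reasoning lives only in the commit message. A comment above the WARN_ON_ONCE(), for example `/* With no users left, userspace cannot have the dirty ring mapped, so a missed push is harmless. */`, would stop the condition from being read as a workaround and dropped later. The function body starts and ends outside the hunk.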
@@ -0,0 +1,79 @@ +From f041dc80de4abbdd0909d871bf64f3f87d2350ff Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 29 May 2026 20:35:41 +0200 +Subject: KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA + +From: Sean Christopherson + +commit f041dc80de4abbdd0909d871bf64f3f87d2350ff upstream. + +Decouple synchronizing the GHCB SA from freeing/unpinning the SA, so that +the free/unpin path can be reused when freeing a vCPU. + +Opportunistically add a WARN to harden KVM against stomping over (and thus +leaking) an already-allocated scratch area. + +Cc: stable@vger.kernel.org +Reviewed-by: Tom Lendacky +Reviewed-by: Michael Roth +Signed-off-by: Sean Christopherson +Message-ID: <20260501202250.2115252-17-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Message-ID: <20260529183549.1104619-17-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/sev.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -3547,20 +3547,17 @@ void sev_es_unmap_ghcb(struct vcpu_svm * + if (!svm->sev_es.ghcb) + return; + +- if (svm->sev_es.ghcb_sa_free) { +- /* +- * The scratch area lives outside the GHCB, so there is a +- * buffer that, depending on the operation performed, may +- * need to be synced, then freed. +- */ +- if (svm->sev_es.ghcb_sa_sync) { +- kvm_write_guest(svm->vcpu.kvm, +- svm->sev_es.sw_scratch, +- svm->sev_es.ghcb_sa, +- svm->sev_es.ghcb_sa_len); +- svm->sev_es.ghcb_sa_sync = false; +- } ++ /* ++ * If the scratch area lives outside the GHCB, there's a buffer that, ++ * depending on the operation performed, may need to be synced. 
++ */ ++ if (svm->sev_es.ghcb_sa_sync) { ++ kvm_write_guest(svm->vcpu.kvm, svm->sev_es.sw_scratch, ++ svm->sev_es.ghcb_sa, svm->sev_es.ghcb_sa_len); ++ svm->sev_es.ghcb_sa_sync = false; ++ } + ++ if (svm->sev_es.ghcb_sa_free) { + kvfree(svm->sev_es.ghcb_sa); + svm->sev_es.ghcb_sa = NULL; + svm->sev_es.ghcb_sa_free = false; +@@ -3640,6 +3637,8 @@ static int setup_vmgexit_scratch(struct + goto e_scratch; + } + ++ WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free); ++ + if ((scratch_gpa_beg & PAGE_MASK) == control->ghcb_gpa) { + /* Scratch area begins within GHCB */ + ghcb_scratch_beg = control->ghcb_gpa + +@@ -3661,6 +3660,8 @@ static int setup_vmgexit_scratch(struct + scratch_va = (void *)svm->sev_es.ghcb; + scratch_va += (scratch_gpa_beg - control->ghcb_gpa); + ++ svm->sev_es.ghcb_sa_sync = false; ++ svm->sev_es.ghcb_sa_free = false; + svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg; + } else { + /* GHCB v2 requires the scratch area to be within the GHCB. */ diff --git a/queue-7.0/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch b/queue-7.0/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch new file mode 100644 index 0000000000..ec4d5e009b --- /dev/null +++ b/queue-7.0/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch 
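Review bot: In setup_vmgexit_scratch(), the new `WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free)` only reports a stale scratch area; the within-GHCB branch then clears ghcb_sa_free without freeing anything, so a buffer that tripped the WARN would still be leaked. If that state is a bug, bailing out would contain it, e.g. `if (WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free)) goto e_scratch;`. Whether failing the exit is acceptable needs checking against the rest of the function, which is outside the hunk. Separately, the return value of kvm_write_guest() in sev_es_unmap_ghcb() is still ignored, so a failed sync back to the guest goes unnoticed.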
@@ -0,0 +1,195 @@ +From 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e Mon Sep 17 00:00:00 2001 +From: Wupeng Ma +Date: Fri, 22 May 2026 09:03:05 +0800 +Subject: mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison + +From: Wupeng Ma + +commit 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e upstream. + +Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can +trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock +when racing with a concurrent unmap: + + thread#0 thread#1 + -------- -------- + madvise(folio, MADV_HWPOISON) + -> poisons the folio successfully + madvise(folio, MADV_HWPOISON) unmap(folio) + try_memory_failure_hugetlb + get_huge_page_for_hwpoison + spin_lock_irq(&hugetlb_lock) <- held + __get_huge_page_for_hwpoison + hugetlb_update_hwpoison() + -> MF_HUGETLB_FOLIO_PRE_POISONED + goto out: + folio_put() + refcount: 1 -> 0 + free_huge_folio() + spin_lock_irqsave(&hugetlb_lock) + -> AA DEADLOCK! + +The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop +the GUP reference while the hugetlb_lock is still held by the hugetlb.c +wrapper get_huge_page_for_hwpoison(). If concurrent unmap has released +the page table mapping reference, folio_put() drops the folio refcount to +zero, triggering free_huge_folio() which attempts to re-acquire the +non-recursive hugetlb_lock. + +Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper +into get_huge_page_for_hwpoison(). Place spin_unlock_irq() before the +folio_put() at the out: label so the folio is always released outside the +lock. 
+ +[akpm@linux-foundation.org: fix race, rename label per Miaohe] + Link: https://sashiko.dev/#/patchset/20260522010305.4099834-1-mawupeng1@huawei.com + Link: https://lore.kernel.org/f39f405e-4b4b-8f79-70fe-a2b5b62114eb@huawei.com +Link: https://lore.kernel.org/20260522010305.4099834-1-mawupeng1@huawei.com +Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()") +Signed-off-by: Wupeng Ma +Acked-by: Oscar Salvador (SUSE) +Acked-by: Muchun Song +Reviewed-by: Kefeng Wang +Acked-by: Miaohe Lin +Cc: David Hildenbrand +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: Naoya Horiguchi +Cc: Suren Baghdasaryan +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hugetlb.h | 8 -------- + include/linux/mm.h | 8 -------- + mm/hugetlb.c | 11 ----------- + mm/memory-failure.c | 19 ++++++++++--------- + 4 files changed, 10 insertions(+), 36 deletions(-) + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -153,8 +153,6 @@ long hugetlb_unreserve_pages(struct inod + long freed); + bool folio_isolate_hugetlb(struct folio *folio, struct list_head *list); + int get_hwpoison_hugetlb_folio(struct folio *folio, bool *hugetlb, bool unpoison); +-int get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared); + void folio_putback_hugetlb(struct folio *folio); + void move_hugetlb_state(struct folio *old_folio, struct folio *new_folio, int reason); + void hugetlb_fix_reserve_counts(struct inode *inode); +@@ -420,12 +418,6 @@ static inline int get_hwpoison_hugetlb_f + { + return 0; + } +- +-static inline int get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared) +-{ +- return 0; +-} + + static inline void folio_putback_hugetlb(struct folio *folio) + { +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -4601,8 +4601,6 @@ extern int soft_offline_page(unsigned lo + */ + extern const 
struct attribute_group memory_failure_attr_group; + extern void memory_failure_queue(unsigned long pfn, int flags); +-extern int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared); + void num_poisoned_pages_inc(unsigned long pfn); + void num_poisoned_pages_sub(unsigned long pfn, long i); + #else +@@ -4610,12 +4608,6 @@ static inline void memory_failure_queue( + { + } + +-static inline int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared) +-{ +- return 0; +-} +- + static inline void num_poisoned_pages_inc(unsigned long pfn) + { + } +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -7160,17 +7160,6 @@ int get_hwpoison_hugetlb_folio(struct fo + return ret; + } + +-int get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared) +-{ +- int ret; +- +- spin_lock_irq(&hugetlb_lock); +- ret = __get_huge_page_for_hwpoison(pfn, flags, migratable_cleared); +- spin_unlock_irq(&hugetlb_lock); +- return ret; +-} +- + /** + * folio_putback_hugetlb - unisolate a hugetlb folio + * @folio: the isolated hugetlb folio +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1966,20 +1966,19 @@ void folio_clear_hugetlb_hwpoison(struct + folio_free_raw_hwp(folio, true); + } + +-/* +- * Called from hugetlb code with hugetlb_lock held. 
+- */ +-int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, ++static int get_huge_page_for_hwpoison(unsigned long pfn, int flags, + bool *migratable_cleared) + { + struct page *page = pfn_to_page(pfn); +- struct folio *folio = page_folio(page); ++ struct folio *folio; + bool count_increased = false; + int ret, rc; + ++ spin_lock_irq(&hugetlb_lock); ++ folio = page_folio(page); + if (!folio_test_hugetlb(folio)) { + ret = MF_HUGETLB_NON_HUGEPAGE; +- goto out; ++ goto out_unlock; + } else if (flags & MF_COUNT_INCREASED) { + ret = MF_HUGETLB_IN_USED; + count_increased = true; +@@ -1995,13 +1994,13 @@ int __get_huge_page_for_hwpoison(unsigne + } else { + ret = MF_HUGETLB_RETRY; + if (!(flags & MF_NO_RETRY)) +- goto out; ++ goto out_unlock; + } + + rc = hugetlb_update_hwpoison(folio, page); + if (rc >= MF_HUGETLB_FOLIO_PRE_POISONED) { + ret = rc; +- goto out; ++ goto out_unlock; + } + + /* +@@ -2013,8 +2012,10 @@ int __get_huge_page_for_hwpoison(unsigne + *migratable_cleared = true; + } + ++ spin_unlock_irq(&hugetlb_lock); + return ret; +-out: ++out_unlock: ++ spin_unlock_irq(&hugetlb_lock); + if (count_increased) + folio_put(folio); + return ret; diff --git a/queue-7.0/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch b/queue-7.0/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch new file mode 100644 index 0000000000..a4ee529303 --- /dev/null +++ b/queue-7.0/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch 
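Review bot: The locking contract of get_huge_page_for_hwpoison() is no longer documented: the mm/memory-failure.c hunk deletes the old "Called from hugetlb code with hugetlb_lock held" comment and puts nothing in its place, although the function now takes and drops hugetlb_lock itself. The ordering at `out_unlock:` is the actual fix, so it deserves a comment above the function such as `/* Takes hugetlb_lock itself; folio_put() must run after the unlock because dropping the last reference calls free_huge_folio(), which takes hugetlb_lock. */`. The label name `out_unlock` also covers the conditional folio_put(), which a one-line comment at the label would make explicit. The middle of the function lies between the hunks and is not visible here.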
@@ -0,0 +1,49 @@
+From b837e38c255dd9f8b53511d52e87f1fda32b3dfe Mon Sep 17 00:00:00 2001
+From: Inochi Amaoto
+Date: Thu, 21 May 2026 15:21:20 +0800
+Subject: mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation
+
+From: Inochi Amaoto
+
+commit b837e38c255dd9f8b53511d52e87f1fda32b3dfe upstream.
+
+The previous clock uses roundup_pow_of_two() to calculate the core
+clock frequency. It does not meet the actual hardware meaning.
+The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".
+
+Fix the clock divider calculation.
+
+Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
+Signed-off-by: Inochi Amaoto
+Reviewed-by: Gabriel Somlo
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/litex_mmc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/litex_mmc.c
++++ b/drivers/mmc/host/litex_mmc.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -436,11 +437,10 @@ static void litex_mmc_setclk(struct lite
+ struct device *dev = mmc_dev(host->mmc);
+ u32 div;
+
+- div = freq ? host->ref_clk / freq : 256U;
+- div = roundup_pow_of_two(div);
++ div = freq ? DIV_ROUND_UP(host->ref_clk, freq) : 256U;
+ div = clamp(div, 2U, 256U);
+ dev_dbg(dev, "sd_clk_freq=%d: set to %d via div=%d\n",
+- freq, host->ref_clk / div, div);
++ freq, host->ref_clk / ((div + 1) & ~1U), div);
+ litex_write16(host->sdphy + LITEX_PHY_CLOCKERDIV, div);
+ host->sd_clk = freq;
+ }
diff --git a/queue-7.0/mshv-add-a-missing-padding-field.patch b/queue-7.0/mshv-add-a-missing-padding-field.patch
new file mode 100644
index 0000000000..eca0755023
--- /dev/null
+++ b/queue-7.0/mshv-add-a-missing-padding-field.patch
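Review bot: The effective-frequency expression in the new dev_dbg() line, `host->ref_clk / ((div + 1) & ~1U)`, rounds the divider up to the next even value, while the commit description gives the hardware formula as `ref_clk / ((div >> 1) << 1)`, which rounds it down; for an odd `div` the two differ (3 gives 4 versus 2). If the description is the accurate one, an odd result of `DIV_ROUND_UP()` would make the PHY divide by `div - 1` and the card clock could exceed the requested `freq`, so the value written to LITEX_PHY_CLOCKERDIV may need `div = round_up(div, 2);` before the clamp. Either way, a comment above the calculation stating which rounding the clocker applies would remove the ambiguity. The start of litex_mmc_setclk() is outside the hunk.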
@@ -0,0 +1,35 @@
+From 48fcc895403cc97aa6c776cb65e6aa11290c0b44 Mon Sep 17 00:00:00 2001
+From: Wei Liu
+Date: Thu, 23 Apr 2026 17:26:26 +0000
+Subject: mshv: add a missing padding field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wei Liu
+
+commit 48fcc895403cc97aa6c776cb65e6aa11290c0b44 upstream.
+
+That was missed when importing the header.
+
+Reported-by: Doru Blânzeanu
+Reported-by: Magnus Kulke
+Fixes: e68bda71a2384 ("hyperv: Add new Hyper-V headers in include/hyperv")
+Cc: stable@kernel.org
+Reviewed-by: Easwar Hariharan
+Signed-off-by: Wei Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/hyperv/hvhdk.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/hyperv/hvhdk.h
++++ b/include/hyperv/hvhdk.h
+@@ -79,6 +79,7 @@ struct hv_vp_register_page {
+
+ u64 registers[18];
+ };
++ u8 reserved[8];
+ /* Volatile XMM registers (HV_X64_REGISTER_CLASS_XMM) */
+ union {
+ struct {
diff --git a/queue-7.0/namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch b/queue-7.0/namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch
new file mode 100644
index 0000000000..e0dbd3d73b
--- /dev/null
+++ b/queue-7.0/namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch
@@ -0,0 +1,49 @@
+From 805d5a2b792819171be100c50c9ddafa0f8c2231 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 5 Jun 2026 22:27:33 +0200
+Subject: namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directories
+
+From: Jann Horn
+
+commit 805d5a2b792819171be100c50c9ddafa0f8c2231 upstream.
+
+open_tree(..., OPEN_TREE_NAMESPACE) and
+fsmount(..., FSMOUNT_NAMESPACE, ...) currently work on non-directories,
+like regular files. That's bad for two reasons:
+
+ - It ends up mounting a regular file over the inherited namespace root,
+ which is a directory; mounting a non-directory over a directory is
+ normally explicitly forbidden, see for example do_move_mount()
+
+ - It causes setns() on the new namespace to set the cwd to a regular
+ file, which the rest of VFS does not expect
+
+Fix it by restricting create_new_namespace() (which is used by both of
+these flags) to directories.
+
+Leave the behavior for OPEN_TREE_CLONE as-is, that seems unproblematic.
+
+Fixes: 9b8a0ba68246 ("mount: add OPEN_TREE_NAMESPACE")
+Cc: Al Viro
+Cc: Christian Brauner
+Cc: Jan Kara
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/namespace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -3098,6 +3098,9 @@ static struct mnt_namespace *create_new_
+ unsigned int copy_flags = 0;
+ bool locked = false;
+
++ if (unlikely(!d_can_lookup(path->dentry)))
++ return ERR_PTR(-ENOTDIR);
++
+ if (user_ns != ns->user_ns)
+ copy_flags |= CL_SLAVE;
+
diff --git a/queue-7.0/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch b/queue-7.0/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
new file mode 100644
index 0000000000..1d92b0204c
--- /dev/null
+++ b/queue-7.0/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
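Review bot: The new directory check at the top of create_new_namespace() has no comment, so the reason for it lives only in the commit description. A short comment would keep a later cleanup from relaxing it, for example `/* The new root is mounted over the inherited namespace root (a directory) and becomes the cwd on setns(). */` above `if (unlikely(!d_can_lookup(path->dentry)))`. The description names both OPEN_TREE_NAMESPACE and FSMOUNT_NAMESPACE as users of this function; a selftest that passes a regular file through each and expects ENOTDIR would pin the behaviour, though none is part of this patch. The rest of the function is outside the hunk.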
@@ -0,0 +1,40 @@
+From c7d573551f9286100a055ef696cde6af54549677 Mon Sep 17 00:00:00 2001
+From: Davide Ornaghi
+Date: Wed, 10 Jun 2026 12:39:13 +0200
+Subject: netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
+
+From: Davide Ornaghi
+
+commit c7d573551f9286100a055ef696cde6af54549677 upstream.
+
+NFT_META_BRI_IIFHWADDR declares its destination register with
+len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
+two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
+memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
+leaving the upper 2 bytes of the second register as uninitialised
+nft_do_chain() stack. A downstream load of that register span leaks
+those stale bytes to userspace.
+
+Zero the second register before the memcpy so the full declared span is
+written.
+
+Fixes: cbd2257dc96e ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Davide Ornaghi
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/netfilter/nft_meta_bridge.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/bridge/netfilter/nft_meta_bridge.c
++++ b/net/bridge/netfilter/nft_meta_bridge.c
+@@ -64,6 +64,8 @@ static void nft_meta_bridge_get_eval(con
+ if (!br_dev)
+ goto err;
+
++ /* ETH_ALEN (6) is shorter than the destination register span (8) */
++ dest[1] = 0;
+ memcpy(dest, br_dev->dev_addr, ETH_ALEN);
+ return;
+ default:
diff --git a/queue-7.0/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch b/queue-7.0/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
new file mode 100644
index 0000000000..fd21a774b3
--- /dev/null
+++ b/queue-7.0/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
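Review bot: The added `dest[1] = 0;` hard-codes the register index, which is only correct while the copy length stays at ETH_ALEN and `dest` addresses 32-bit registers, as the description implies. Deriving the index from the length keeps the zeroing tied to the copy, e.g. `dest[ETH_ALEN / NFT_REG32_SIZE] = 0;`. The other cases of the switch in nft_meta_bridge_get_eval() are outside the hunk; any of them that writes fewer bytes than its declared register span would leave the same stale stack bytes readable and is worth checking in the same pass.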
@@ -0,0 +1,43 @@
+From c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a Mon Sep 17 00:00:00 2001
+From: Tristan Madani
+Date: Wed, 27 May 2026 13:57:50 +0000
+Subject: netfilter: nft_tunnel: fix use-after-free on object destroy
+
+From: Tristan Madani
+
+commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.
+
+nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
+kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
+that took a reference via dst_hold() in nft_tunnel_obj_eval() and
+are still queued (e.g. in a netem qdisc) are left with a dangling
+pointer. When these packets are eventually dequeued, dst_release()
+operates on freed memory.
+
+Replace metadata_dst_free() with dst_release() so the metadata_dst
+is freed only after all references are dropped. The dst subsystem
+already handles metadata_dst cleanup in dst_destroy() when
+DST_METADATA is set.
+
+Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani
+Reviewed-by: Fernando Fernandez Mancera
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -702,7 +702,7 @@ static void nft_tunnel_obj_destroy(const
+ {
+ struct nft_tunnel_obj *priv = nft_obj_data(obj);
+
+- metadata_dst_free(priv->md);
++ dst_release(&priv->md->dst);
+ }
+
+ static struct nft_object_type nft_tunnel_obj_type;
diff --git a/queue-7.0/pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch b/queue-7.0/pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch
new file mode 100644
index 0000000000..cf30c16171
--- /dev/null
+++ b/queue-7.0/pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch
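Review bot: The new `dst_release(&priv->md->dst);` in nft_tunnel_obj_destroy() carries no comment, and a direct free looks like the natural call in a destroy hook, so a later cleanup could put `metadata_dst_free()` back. A one-line comment would record the reason in the code: `/* queued skbs may still hold a reference taken in nft_tunnel_obj_eval(); drop ours instead of freeing */`. Any other path in this file that frees `priv->md` directly is not visible in the hunk and should be checked against the same refcount rule.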
@@ -0,0 +1,52 @@
+From 8473c3a197b57ff01396f7a2ec6ddf65383820d4 Mon Sep 17 00:00:00 2001
+From: Judith Mendez
+Date: Wed, 13 May 2026 18:11:53 -0500
+Subject: pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init
+
+From: Judith Mendez
+
+commit 8473c3a197b57ff01396f7a2ec6ddf65383820d4 upstream.
+
+Regmap initialization triggers regcache_maple_populate() which attempts
+SPI read to populate cache. SPI read requires mcp->dev and mcp->addr to
+be set, without them, NULL pointer dereference occurs during probe.
+
+Move initialization before mcp23s08_spi_regmap_init() call.
+
+Cc: stable@vger.kernel.org
+Fixes: f9f4fda15e72 ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type")
+Signed-off-by: Judith Mendez
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/pinctrl-mcp23s08_spi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-mcp23s08_spi.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+@@ -10,6 +10,7 @@
+ #include "pinctrl-mcp23s08.h"
+
+ #define MCP_MAX_DEV_PER_CS 8
++#define MCP23S08_SPI_BASE 0x40
+
+ /*
+ * A given spi_device can represent up to eight mcp23sxx chips
+@@ -173,6 +174,8 @@ static int mcp23s08_probe(struct spi_dev
+ for_each_set_bit(addr, &spi_present_mask, MCP_MAX_DEV_PER_CS) {
+ data->mcp[addr] = &data->chip[--chips];
+ data->mcp[addr]->irq = spi->irq;
++ data->mcp[addr]->dev = dev;
++ data->mcp[addr]->addr = MCP23S08_SPI_BASE | (addr << 1);
+
+ ret = mcp23s08_spi_regmap_init(data->mcp[addr], dev, addr, info);
+ if (ret)
+@@ -184,7 +187,7 @@ static int mcp23s08_probe(struct spi_dev
+ if (!data->mcp[addr]->pinctrl_desc.name)
+ return -ENOMEM;
+
+- ret = mcp23s08_probe_one(data->mcp[addr], dev, 0x40 | (addr << 1),
++ ret = mcp23s08_probe_one(data->mcp[addr], dev, MCP23S08_SPI_BASE | (addr << 1),
+ info->type, -1);
+ if (ret < 0)
+ return ret;
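Review bot: The device address is now computed twice in mcp23s08_probe(), once for `data->mcp[addr]->addr` and again in the argument to mcp23s08_probe_one(), so the two expressions can drift apart on a later edit. Passing the stored value keeps a single source of truth: `ret = mcp23s08_probe_one(data->mcp[addr], dev, data->mcp[addr]->addr,`. This assumes mcp23s08_probe_one() assigns the same value to `addr`, which is not visible here. The loop body continues between and after the hunks.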
diff --git a/queue-7.0/revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch b/queue-7.0/revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch
new file mode 100644
index 0000000000..73b517fce0
--- /dev/null
+++ b/queue-7.0/revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch
@@ -0,0 +1,42 @@
+From 42445de1765547f56f48d107c0b8f3482c98458e Mon Sep 17 00:00:00 2001
+From: Daniele Ceraolo Spurio
+Date: Fri, 29 May 2026 12:36:02 -0700
+Subject: Revert "drm/xe/nvls: Define GuC firmware for NVL-S"
+
+From: Daniele Ceraolo Spurio
+
+commit 42445de1765547f56f48d107c0b8f3482c98458e upstream.
+
+This reverts commit 4e88de313ff4d1c67b644b1f39f9fb4089711b71.
+
+The early GuC FW definition meant for our CI branch was accidentally
+merged to the drm-xe-next branch instead. This GuC FW will never be
+released to linux-firmware, so we do not want the definition to be
+available in the mainline Linux codebase.
+
+Fixes: 4e88de313ff4 ("drm/xe/nvls: Define GuC firmware for NVL-S")
+Signed-off-by: Daniele Ceraolo Spurio
+Cc: Julia Filipchuk
+Cc: Rodrigo Vivi
+Cc: Matt Roper
+Cc: stable@vger.kernel.org # v7.0+
+Reviewed-by: Rodrigo Vivi
+Link: https://patch.msgid.link/20260529193558.185436-11-daniele.ceraolospurio@intel.com
+Signed-off-by: Rodrigo Vivi
+(cherry picked from commit 65b8e0ac86e48cfc9128c04dfc53ea3395d030dd)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/xe/xe_uc_fw.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/gpu/drm/xe/xe_uc_fw.c
++++ b/drivers/gpu/drm/xe/xe_uc_fw.c
+@@ -115,7 +115,6 @@ struct fw_blobs_by_type {
+ #define XE_GT_TYPE_ANY XE_GT_TYPE_UNINITIALIZED
+
+ #define XE_GUC_FIRMWARE_DEFS(fw_def, mmp_ver, major_ver) \
+- fw_def(NOVALAKE_S, GT_TYPE_ANY, mmp_ver(xe, guc, nvl, 70, 55, 4)) \
+ fw_def(PANTHERLAKE, GT_TYPE_ANY, major_ver(xe, guc, ptl, 70, 54, 0)) \
+ fw_def(BATTLEMAGE, GT_TYPE_ANY, major_ver(xe, guc, bmg, 70, 54, 0)) \
+ fw_def(LUNARLAKE, GT_TYPE_ANY, major_ver(xe, guc, lnl, 70, 53, 0)) \
diff --git a/queue-7.0/revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch b/queue-7.0/revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch new file mode 100644 index 0000000000..d45ffcdf2d --- /dev/null +++ b/queue-7.0/revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch 
@@ -0,0 +1,199 @@ +From fa7c84726dc217ce0c183926ef9411636c7a2213 Mon Sep 17 00:00:00 2001 +From: Tangudu Tilak Tirumalesh +Date: Wed, 3 Jun 2026 12:22:15 +0530 +Subject: Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend" + +From: Tangudu Tilak Tirumalesh + +commit fa7c84726dc217ce0c183926ef9411636c7a2213 upstream. + +This reverts commit 8533051ce92015e9cc6f75e0d52119b9d91610b6. + +The idle-skip optimization bypasses GuC suspend, so the GPU may not +perform the context switch that flushes TLB entries for invalidated +userptr VMAs. In LR/preempt-fence VM mode, this can lead to missed TLB +invalidation and page faults during userptr invalidation tests. + +Restore unconditional schedule toggling on suspend so the context-switch +TLB flush is always performed. + +This optimization will be reintroduced with a fix that does not skip +suspend in LR/preempt-fence VM mode. + +Fixes: 8533051ce920 ("drm/xe: Skip exec queue schedule toggle if queue is idle during suspend") +Cc: stable@vger.kernel.org # v7.0+ +Suggested-by: Thomas Hellstrom +Signed-off-by: Tangudu Tilak Tirumalesh +Reviewed-by: Thomas Hellstrom +Signed-off-by: Daniele Ceraolo Spurio +Link: https://patch.msgid.link/20260603065217.3131066-2-tilak.tirumalesh.tangudu@intel.com +(cherry picked from commit 6a1e7934d9a6cf46aecae00a99c2603d1295e170) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_exec_queue.h | 17 --------- + drivers/gpu/drm/xe/xe_guc_submit.c | 55 +------------------------------- + drivers/gpu/drm/xe/xe_hw_engine_group.c | 10 +---- + 3 files changed, 5 insertions(+), 77 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_exec_queue.h ++++ b/drivers/gpu/drm/xe/xe_exec_queue.h +@@ -161,21 +161,4 @@ int xe_exec_queue_contexts_hwsp_rebase(s + + struct xe_lrc *xe_exec_queue_lrc(struct xe_exec_queue *q); + +-/** +- * xe_exec_queue_idle_skip_suspend() - Can exec queue skip suspend +- * @q: The exec_queue +- * +- * If an exec queue is not 
parallel and is idle, the suspend steps can be +- * skipped in the submission backend immediatley signaling the suspend fence. +- * Parallel queues cannot skip this step due to limitations in the submission +- * backend. +- * +- * Return: True if exec queue is idle and can skip suspend steps, False +- * otherwise +- */ +-static inline bool xe_exec_queue_idle_skip_suspend(struct xe_exec_queue *q) +-{ +- return !xe_exec_queue_is_parallel(q) && xe_exec_queue_is_idle(q); +-} +- + #endif +--- a/drivers/gpu/drm/xe/xe_guc_submit.c ++++ b/drivers/gpu/drm/xe/xe_guc_submit.c +@@ -72,7 +72,6 @@ exec_queue_to_guc(struct xe_exec_queue * + #define EXEC_QUEUE_STATE_WEDGED (1 << 8) + #define EXEC_QUEUE_STATE_BANNED (1 << 9) + #define EXEC_QUEUE_STATE_PENDING_RESUME (1 << 10) +-#define EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND (1 << 11) + + static bool exec_queue_registered(struct xe_exec_queue *q) + { +@@ -224,21 +223,6 @@ static void clear_exec_queue_pending_res + atomic_and(~EXEC_QUEUE_STATE_PENDING_RESUME, &q->guc->state); + } + +-static bool exec_queue_idle_skip_suspend(struct xe_exec_queue *q) +-{ +- return atomic_read(&q->guc->state) & EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND; +-} +- +-static void set_exec_queue_idle_skip_suspend(struct xe_exec_queue *q) +-{ +- atomic_or(EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND, &q->guc->state); +-} +- +-static void clear_exec_queue_idle_skip_suspend(struct xe_exec_queue *q) +-{ +- atomic_and(~EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND, &q->guc->state); +-} +- + static bool exec_queue_killed_or_banned_or_wedged(struct xe_exec_queue *q) + { + return (atomic_read(&q->guc->state) & +@@ -1110,7 +1094,7 @@ static void submit_exec_queue(struct xe_ + if (!job->restore_replay || job->last_replay) { + if (xe_exec_queue_is_parallel(q)) + wq_item_append(q); +- else if (!exec_queue_idle_skip_suspend(q)) ++ else + xe_lrc_set_ring_tail(lrc, lrc->ring.tail); + job->last_replay = false; + } +@@ -1781,10 +1765,9 @@ static void __guc_exec_queue_process_msg + { + struct xe_exec_queue *q 
= msg->private_data; + struct xe_guc *guc = exec_queue_to_guc(q); +- bool idle_skip_suspend = xe_exec_queue_idle_skip_suspend(q); + +- if (!idle_skip_suspend && guc_exec_queue_allowed_to_change_state(q) && +- !exec_queue_suspended(q) && exec_queue_enabled(q)) { ++ if (guc_exec_queue_allowed_to_change_state(q) && !exec_queue_suspended(q) && ++ exec_queue_enabled(q)) { + wait_event(guc->ct.wq, vf_recovery(guc) || + ((q->guc->resume_time != RESUME_PENDING || + xe_guc_read_stopped(guc)) && !exec_queue_pending_disable(q))); +@@ -1803,33 +1786,11 @@ static void __guc_exec_queue_process_msg + disable_scheduling(q, false); + } + } else if (q->guc->suspend_pending) { +- if (idle_skip_suspend) +- set_exec_queue_idle_skip_suspend(q); + set_exec_queue_suspended(q); + suspend_fence_signal(q); + } + } + +-static void sched_context(struct xe_exec_queue *q) +-{ +- struct xe_guc *guc = exec_queue_to_guc(q); +- struct xe_lrc *lrc = q->lrc[0]; +- u32 action[] = { +- XE_GUC_ACTION_SCHED_CONTEXT, +- q->guc->id, +- }; +- +- xe_gt_assert(guc_to_gt(guc), !xe_exec_queue_is_parallel(q)); +- xe_gt_assert(guc_to_gt(guc), !exec_queue_destroyed(q)); +- xe_gt_assert(guc_to_gt(guc), exec_queue_registered(q)); +- xe_gt_assert(guc_to_gt(guc), !exec_queue_pending_disable(q)); +- +- trace_xe_exec_queue_submit(q); +- +- xe_lrc_set_ring_tail(lrc, lrc->ring.tail); +- xe_guc_ct_send(&guc->ct, action, ARRAY_SIZE(action), 0, 0); +-} +- + static void __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg) + { + struct xe_exec_queue *q = msg->private_data; +@@ -1837,22 +1798,12 @@ static void __guc_exec_queue_process_msg + if (guc_exec_queue_allowed_to_change_state(q)) { + clear_exec_queue_suspended(q); + if (!exec_queue_enabled(q)) { +- if (exec_queue_idle_skip_suspend(q)) { +- struct xe_lrc *lrc = q->lrc[0]; +- +- clear_exec_queue_idle_skip_suspend(q); +- xe_lrc_set_ring_tail(lrc, lrc->ring.tail); +- } + q->guc->resume_time = RESUME_PENDING; + set_exec_queue_pending_resume(q); + enable_scheduling(q); 
+- } else if (exec_queue_idle_skip_suspend(q)) { +- clear_exec_queue_idle_skip_suspend(q); +- sched_context(q); + } + } else { + clear_exec_queue_suspended(q); +- clear_exec_queue_idle_skip_suspend(q); + } + } + +--- a/drivers/gpu/drm/xe/xe_hw_engine_group.c ++++ b/drivers/gpu/drm/xe/xe_hw_engine_group.c +@@ -207,21 +207,15 @@ static int xe_hw_engine_group_suspend_fa + lockdep_assert_held_write(&group->mode_sem); + + list_for_each_entry(q, &group->exec_queue_list, hw_engine_group_link) { +- bool idle_skip_suspend; + + if (!xe_vm_in_fault_mode(q->vm)) + continue; + +- idle_skip_suspend = xe_exec_queue_idle_skip_suspend(q); +- if (!idle_skip_suspend && has_deps) ++ if (has_deps) + return -EAGAIN; + + xe_gt_stats_incr(q->gt, XE_GT_STATS_ID_HW_ENGINE_GROUP_SUSPEND_LR_QUEUE_COUNT, 1); +- if (idle_skip_suspend) +- xe_gt_stats_incr(q->gt, +- XE_GT_STATS_ID_HW_ENGINE_GROUP_SKIP_LR_QUEUE_COUNT, 1); +- +- need_resume |= !idle_skip_suspend; ++ need_resume = true; + q->ops->suspend(q); + gt = q->gt; + } diff --git a/queue-7.0/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch b/queue-7.0/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch new file mode 100644 index 0000000000..08c89af28f --- /dev/null +++ b/queue-7.0/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch 
@@ -0,0 +1,67 @@ +From ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c Mon Sep 17 00:00:00 2001 +From: Alice Ryhl +Date: Wed, 27 May 2026 18:18:07 +0000 +Subject: rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES + +From: Alice Ryhl + +commit ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c upstream. + +Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the +uwtable annotation for functions, but not for the module. This means +that compiler-generated functions such as 'asan.module_ctor' do not +receive the uwtable annotation. + +When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot +failures because the dwarf information emitted for the kasan +constructors is wrong, which causes the SCS boot patching code to +patch the constructor in an illegal manner. Specifically, the paciasp +instruction is patched, but the autiasp instruction is not. This +mismatch leads to a crash when the constructor is called during boot. + + ================================================================== + BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90 + Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1 + +Specifically the faulting instruction is the (*fn)() to invoke the +constructor in do_ctors() of the init/main.c file. + +Once the fix lands in rustc, this flag can be made conditional on the +rustc version. Note that passing the flag on a rustc with the fix +present has no effect. + +[ The fix [1] has landed for Rust 1.98.0 (expected release on + 2026-08-20). + + Thus add a version check as discussed. + + - Miguel ] + +Fixes: d077242d68a3 ("rust: support for shadow call stack sanitizer") +Cc: stable@kernel.org +Link: https://github.com/rust-lang/rust/pull/156973 [1] +Reported-by: Bo Ye +Debugged-by: Isaac Manjarres +Debugged-by: Sami Tolvanen +Tested-by: Isaac Manjarres +Signed-off-by: Alice Ryhl +Link: https://patch.msgid.link/20260527-uwtable-module-flag-v1-1-caa41342be4b@google.com +[ Adjusted link and comment. 
- Miguel ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -63,6 +63,9 @@ else + KBUILD_CFLAGS += -fasynchronous-unwind-tables + KBUILD_AFLAGS += -fasynchronous-unwind-tables + KBUILD_RUSTFLAGS += -Cforce-unwind-tables=y -Zuse-sync-unwind=n ++# Work around rustc bug on compilers without ++# https://github.com/rust-lang/rust/pull/156973. ++KBUILD_RUSTFLAGS += $(if $(call rustc-min-version,109800),,-Zllvm_module_flag=uwtable:u32:2:max) + endif + + ifeq ($(CONFIG_STACKPROTECTOR_PER_TASK),y) diff --git a/queue-7.0/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch b/queue-7.0/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch new file mode 100644 index 0000000000..829fa980b8 --- /dev/null +++ b/queue-7.0/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch 
@@ -0,0 +1,121 @@ +From 4a44b17406cb5a93f90af3df9392b3a45eb336fb Mon Sep 17 00:00:00 2001 +From: Alice Ryhl +Date: Thu, 7 May 2026 11:14:42 +0000 +Subject: rust: kasan/kbuild: fix rustc-option when cross-compiling + +From: Alice Ryhl + +commit 4a44b17406cb5a93f90af3df9392b3a45eb336fb upstream. + +The Makefile version of rustc-option currently checks whether the option +exists for the host target instead of the target actually being compiled +for. It was done this way in commit 46e24a545cdb ("rust: kasan/kbuild: +fix missing flags on first build") to avoid a circular dependency on +target.json. However, because of this, rustc-option currently does not +function when cross-compiling from x86_64 to aarch64 if +CONFIG_SHADOW_CALL_STACK is enabled. This is because KBUILD_RUSTFLAGS +contains -Zfixed-x18 under this configuration. Since that flag does not +exist on the host target, rustc-option runs into a compilation failure +every time, leading to all flags being rejected as unsupported. + +To fix this, update rustc-option to pass a --target parameter so that +the host target is not used. For targets using target.json, use a +built-in target that is as close as possible to the target created with +target.json to avoid the circular dependency on target.json. + +One scenario where this causes a boot failure: +* Cross-compiled from x86_64 to aarch64. +* With CONFIG_SHADOW_CALL_STACK=y +* With CONFIG_KASAN_SW_TAGS=y +* With CONFIG_KASAN_INLINE=n +Then the resulting kernel image will fail to boot when it first calls +into Rust code with a crash along the lines of "Unable to handle kernel +paging request at virtual address 0ffffffc08541796". This is because the +call threshold is not specified, so rustc will inline kasan operations, +but the kasan shadow offset is not specified, which leads to the inlined +kasan instructions being incorrect. 
+ +Note that the -Zsanitizer=kernel-hwaddress parameter itself does not +lead to a rustc-option failure despite being aarch64-specific because +RUSTFLAGS_KASAN has not yet been added to KBUILD_RUSTFLAGS when +rustc-option is evaluated by the kasan Makefile. + +Cc: stable@vger.kernel.org +Fixes: 46e24a545cdb ("rust: kasan/kbuild: fix missing flags on first build") +Signed-off-by: Alice Ryhl +Link: https://patch.msgid.link/20260507-rustc-option-cross-v2-1-2f650a49c2b5@google.com +[ Edited slightly: + - Reset variable to avoid using the environment. + - Use a simply expanded variable flavor for simplicity. + - Export variable so that behavior in sub-`make`s is consistent. +Signed-off-by: Greg Kroah-Hartman + + This matches other variables. - Miguel ] +Signed-off-by: Miguel Ojeda +--- + Makefile | 3 ++- + arch/x86/Makefile | 4 ++++ + arch/x86/Makefile.um | 8 ++++++++ + scripts/Makefile.compiler | 2 +- + 4 files changed, 15 insertions(+), 2 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -606,6 +606,7 @@ KBUILD_RUSTFLAGS := $(rust_common_flags) + -Crelocation-model=static \ + -Zfunction-sections=n \ + -Wclippy::float_arithmetic ++KBUILD_RUSTFLAGS_OPTION_CHKS := + + KBUILD_AFLAGS_KERNEL := + KBUILD_CFLAGS_KERNEL := +@@ -642,7 +643,7 @@ export KBUILD_USERCFLAGS KBUILD_USERLDFL + + export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS KBUILD_LDFLAGS + export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE +-export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE ++export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE KBUILD_RUSTFLAGS_OPTION_CHKS + export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE + export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_RUSTFLAGS_MODULE KBUILD_LDFLAGS_MODULE + export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL KBUILD_RUSTFLAGS_KERNEL +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -81,6 +81,10 @@ KBUILD_CFLAGS += -mno-sse -mno-mmx -mno- + KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json + KBUILD_RUSTFLAGS += 
-Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2 + ++# The target.json file is not available when invoking rustc-option, so use the ++# built-in target when checking whether flags are supported instead. ++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-none ++ + # + # CFLAGS for compiling floating point code inside the kernel. + # +--- a/arch/x86/Makefile.um ++++ b/arch/x86/Makefile.um +@@ -14,6 +14,14 @@ endif + + KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json + ++# The target.json file is not available when invoking rustc-option, so use the ++# built-in target when checking whether flags are supported instead. ++ifeq ($(CONFIG_X86_32),y) ++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=i686-unknown-linux-gnu ++else ++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-linux-gnu ++endif ++ + ifeq ($(CONFIG_X86_32),y) + START := 0x8048000 + +--- a/scripts/Makefile.compiler ++++ b/scripts/Makefile.compiler +@@ -80,7 +80,7 @@ ld-option = $(call try-run, $(LD) $(KBUI + # TODO: remove RUSTC_BOOTSTRAP=1 when we raise the minimum GNU Make version to 4.4 + __rustc-option = $(call try-run,\ + echo '$(pound)![allow(missing_docs)]$(pound)![feature(no_core)]$(pound)![no_core]' | RUSTC_BOOTSTRAP=1\ +- $(1) --sysroot=/dev/null $(filter-out --sysroot=/dev/null --target=%,$(2)) $(3)\ ++ $(1) --sysroot=/dev/null $(KBUILD_RUSTFLAGS_OPTION_CHKS) $(filter-out --sysroot=/dev/null --target=%target.json,$(2)) $(3)\ + --crate-type=rlib --out-dir=$(TMPOUT) --emit=obj=- - >/dev/null,$(3),$(4)) + + # rustc-option diff --git a/queue-7.0/rust-x86-support-rust-1.98.0-target-spec.patch b/queue-7.0/rust-x86-support-rust-1.98.0-target-spec.patch new file mode 100644 index 0000000000..0c3e394059 --- /dev/null +++ b/queue-7.0/rust-x86-support-rust-1.98.0-target-spec.patch 
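Review bot: `KBUILD_RUSTFLAGS_OPTION_CHKS :=` is introduced in the top-level Makefile without a comment, and its contract is easy to miss: `__rustc-option` now strips only `--target=%target.json` from the flags and relies on this variable to supply a substitute target. Only arch/x86/Makefile and arch/x86/Makefile.um set it in this patch, so any other architecture that builds with a target.json would, as far as these hunks show, have its option checks run against the host target again. A comment at the definition would state the rule, e.g. `# Extra flags for rustc-option only; arches that build with target.json must add a built-in --target here.`.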
@@ -0,0 +1,59 @@
+From 905b06d32a52afe32fcf5f30cf298c9ea6359f11 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda
+Date: Sat, 30 May 2026 13:49:25 +0200
+Subject: rust: x86: support Rust >= 1.98.0 target spec
+
+From: Miguel Ojeda
+
+commit 905b06d32a52afe32fcf5f30cf298c9ea6359f11 upstream.
+
+Starting with Rust 1.98.0 (expected 2026-08-20), the target spec will not
+support `x86-softfloat` anymore [1]. Instead, `softfloat` should be used,
+which is an alias. Otherwise, one gets:
+
+ error: error loading target specification: rustc-abi: invalid rustc abi: 'x86-softfloat'. allowed values: 'x86-sse2', 'softfloat' at line 3 column 32
+ |
+ = help: run `rustc --print target-list` for a list of built-in targets
+
+Thus conditionally use one or the other depending on the version.
+
+The alias has existed since Rust 1.95.0 (released 2026-04-16) [2], but
+use the newer version instead to avoid changing how the build works for
+existing compilers, at least until more testing takes place.
+
+Cc: Ralf Jung
+Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
+Link: https://github.com/rust-lang/rust/pull/157151 [1]
+Link: https://github.com/rust-lang/rust/pull/151154 [2]
+Reviewed-by: Alice Ryhl
+Link: https://patch.msgid.link/20260530114925.260754-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/generate_rust_target.rs | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/scripts/generate_rust_target.rs
++++ b/scripts/generate_rust_target.rs
+@@ -196,7 +196,9 @@ fn main() {
+ }
+ } else if cfg.has("X86_64") {
+ ts.push("arch", "x86_64");
+- if cfg.rustc_version_atleast(1, 86, 0) {
++ if cfg.rustc_version_atleast(1, 98, 0) {
++ ts.push("rustc-abi", "softfloat");
++ } else if cfg.rustc_version_atleast(1, 86, 0) {
+ ts.push("rustc-abi", "x86-softfloat");
+ }
+ ts.push(
+@@ -236,7 +238,9 @@ fn main() {
+ panic!("32-bit x86 only works under UML");
+ }
+ ts.push("arch", "x86");
+- if cfg.rustc_version_atleast(1, 86, 0) {
++ if cfg.rustc_version_atleast(1, 98, 0) {
++ ts.push("rustc-abi", "softfloat");
++ } else if cfg.rustc_version_atleast(1, 86, 0) {
+ ts.push("rustc-abi", "x86-softfloat");
+ }
+ ts.push(
diff --git a/queue-7.0/series b/queue-7.0/series
index 4032117909..2fce9f86d7 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
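Review bot: The same `rustc-abi` version ladder is now written out twice in `main()`, once under `cfg.has("X86_64")` and once in the 32-bit x86 branch, so the next target-spec rename has to be applied in two places and the two copies can drift. Selecting the ABI string in one small helper that takes `cfg` and `ts`, and calling it from both branches, would keep the 1.98.0 and 1.86.0 thresholds in a single spot. A short comment above the first branch, for example `// 'softfloat' replaces 'x86-softfloat' from Rust 1.98.0; the alias already exists in 1.95.0`, would also record why 1.98 rather than 1.95 is the cut-over. `main()` starts and ends outside both hunks, so where such a helper would best sit is not visible from here.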
@@ -165,3 +165,38 @@ drm-amd-display-use-plane-color_mgmt_changed-to-trac.patch
 drm-xe-fix-refcount-leak-in-xe_range_fence_insert.patch
 drm-xe-fix-job-timeout-recovery-for-unstarted-jobs-a.patch
 accel-amdxdna-fix-mm_struct-reference-leak-in-aie2_p.patch
+namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch
+netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
+netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
+tee-shm-fix-shm-leak-in-register_shm_helper.patch
+bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
+bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
+soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
+mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch
+revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch
+accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch
+accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
+firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch
+firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch
+firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch
+accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
+accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
+tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
+tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
+cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch
+revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch
+rust-x86-support-rust-1.98.0-target-spec.patch
+arm-do-not-select-have_rust-when-kasan-is-enabled.patch
+rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
+rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch
+mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
+cfi-include-uaccess.h-for-get_kernel_nofault.patch
+mshv-add-a-missing-padding-field.patch
+kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
+kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch
+kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch
+kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch
+kvm-arm64-restore-por_el0-access-to-host-el0.patch
+drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
+hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch
+pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch
diff --git a/queue-7.0/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch b/queue-7.0/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
new file mode 100644
index 0000000000..0ad422a871
--- /dev/null
+++ b/queue-7.0/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
@@ -0,0 +1,150 @@
+From d922113ef91e6e7e8065e9070f349365341ba32e Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam
+Date: Mon, 18 May 2026 19:22:17 +0530
+Subject: soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get()
+
+From: Manivannan Sadhasivam
+
+commit d922113ef91e6e7e8065e9070f349365341ba32e upstream.
+
+The current platform driver design causes probe ordering races with
+consumers (UFS, eMMC) due to ICE's dependency on SCM firmware calls. If ICE
+probe fails (missing ICE SCM or DT registers), devm_of_qcom_ice_get() loops
+with -EPROBE_DEFER, leaving consumers non-functional even when ICE should
+be gracefully disabled. devm_of_qcom_ice_get() doesn't know if the ICE
+driver probe has failed due to above reasons or it is waiting for the SCM
+driver.
+
+Moreover, there is no devlink dependency between ICE and consumer drivers
+as 'qcom,ice' is not considered as a DT 'supplier'. So the consumer drivers
+have no idea of when the ICE driver is going to probe.
+
+To address these issues, store the error pointer in a global xarray with
+ice node phandle as a key during probe in addition to the valid ice pointer
+and synchronize both qcom_ice_probe() and of_qcom_ice_get() using a mutex.
+
+If the xarray entry is NULL, then it implies that the driver is not
+probed yet, so return -EPROBE_DEFER. If it has any error pointer, return
+that error pointer directly. Otherwise, add the devlink as usual and return
+the valid pointer to the consumer.
+
+Xarray is used instead of platform drvdata, since driver core frees the
+drvdata during probe failure. So it cannot be used to pass the error
+pointer to the consumers.
+
+Note that this change only fixes the standalone ICE DT node bindings and
+not the ones with 'ice' range embedded in the consumer nodes, where there
+is no issue.
+
+Fixes: 2afbf43a4aec ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver")
+Reported-by: Sumit Garg
+Tested-by: Sumit Garg # OP-TEE as TZ
+Acked-by: Sumit Garg
+Cc: stable@vger.kernel.org # 6.4
+Signed-off-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/20260518-qcom-ice-fix-v7-1-2a595382185b@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/qcom/ice.c | 38 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 31 insertions(+), 7 deletions(-)
+
+--- a/drivers/soc/qcom/ice.c
++++ b/drivers/soc/qcom/ice.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -114,6 +115,9 @@ struct qcom_ice {
+ u8 hwkm_version;
+ };
+
++static DEFINE_XARRAY(ice_handles);
++static DEFINE_MUTEX(ice_mutex);
++
+ static bool qcom_ice_check_supported(struct qcom_ice *ice)
+ {
+ u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
+@@ -644,6 +648,8 @@ static struct qcom_ice *of_qcom_ice_get(
+ return qcom_ice_create(&pdev->dev, base);
+ }
+
++ guard(mutex)(&ice_mutex);
++
+ /*
+ * If the consumer node does not provider an 'ice' reg range
+ * (legacy DT binding), then it must at least provide a phandle
+@@ -660,12 +666,13 @@ static struct qcom_ice *of_qcom_ice_get(
+ return ERR_PTR(-ENODEV);
+ }
+
+- ice = platform_get_drvdata(pdev);
+- if (!ice) {
+- dev_err(dev, "Cannot get ice instance from %s\n",
+- dev_name(&pdev->dev));
++ ice = xa_load(&ice_handles, pdev->dev.of_node->phandle);
++ if (IS_ERR_OR_NULL(ice)) {
+ platform_device_put(pdev);
+- return ERR_PTR(-EPROBE_DEFER);
++ if (!ice)
++ return ERR_PTR(-EPROBE_DEFER);
++ else
++ return ice;
+ }
+
+ link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER);
+@@ -729,24 +736,40 @@ EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get);
+
+ static int qcom_ice_probe(struct platform_device *pdev)
+ {
++ unsigned long phandle = pdev->dev.of_node->phandle;
+ struct qcom_ice *engine;
+ void __iomem *base;
+
++ guard(mutex)(&ice_mutex);
++
+ base = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(base)) {
+ dev_warn(&pdev->dev, "ICE registers not found\n");
++ /* Store the error pointer for devm_of_qcom_ice_get() */
++ xa_store(&ice_handles, phandle, (__force void *)base, GFP_KERNEL);
+ return PTR_ERR(base);
+ }
+
+ engine = qcom_ice_create(&pdev->dev, base);
+- if (IS_ERR(engine))
++ if (IS_ERR(engine)) {
++ /* Store the error pointer for devm_of_qcom_ice_get() */
++ xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
+ return PTR_ERR(engine);
++ }
+
+- platform_set_drvdata(pdev, engine);
++ xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
+
+ return 0;
+ }
+
++static void qcom_ice_remove(struct platform_device *pdev)
++{
++ unsigned long phandle = pdev->dev.of_node->phandle;
++
++ guard(mutex)(&ice_mutex);
++ xa_store(&ice_handles, phandle, NULL, GFP_KERNEL);
++}
++
+ static const struct of_device_id qcom_ice_of_match_table[] = {
+ { .compatible = "qcom,inline-crypto-engine" },
+ { },
+@@ -755,6 +778,7 @@ MODULE_DEVICE_TABLE(of, qcom_ice_of_matc
+
+ static struct platform_driver qcom_ice_driver = {
+ .probe = qcom_ice_probe,
++ .remove = qcom_ice_remove,
+ .driver = {
+ .name = "qcom-ice",
+ .of_match_table = qcom_ice_of_match_table,
diff --git a/queue-7.0/tee-shm-fix-shm-leak-in-register_shm_helper.patch b/queue-7.0/tee-shm-fix-shm-leak-in-register_shm_helper.patch
new file mode 100644
index 0000000000..ee1a911cc9
--- /dev/null
+++ b/queue-7.0/tee-shm-fix-shm-leak-in-register_shm_helper.patch
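Review bot: None of the `xa_store()` calls added to `qcom_ice_probe()` check the return value, and with `GFP_KERNEL` the store can fail on allocation; on the success path probe would then return 0 while `of_qcom_ice_get()` keeps loading NULL and returning `-EPROBE_DEFER`, which is the stall this patch sets out to remove. On the success path, `ret = xa_err(xa_store(&ice_handles, phandle, engine, GFP_KERNEL));` followed by `if (ret) return ret;` would surface the failure. Separately, the XArray documentation asks for stored pointers to be 4-byte aligned, which `ERR_PTR()` values are not, so it is worth confirming that every errno reaching the two error-path stores comes back unchanged from `xa_load()`, or storing `xa_mk_value(-err)` and converting it back in the consumer. `of_qcom_ice_get()` starts outside its hunks, so whether `pdev->dev.of_node` is always non-NULL at the new `xa_load()` call cannot be judged from here.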
@@ -0,0 +1,40 @@
+From 26682f5efc276e3ad96d102019472bfbf03833b2 Mon Sep 17 00:00:00 2001
+From: Georgiy Osokin
+Date: Wed, 8 Apr 2026 18:52:03 +0300
+Subject: tee: shm: fix shm leak in register_shm_helper()
+
+From: Georgiy Osokin
+
+commit 26682f5efc276e3ad96d102019472bfbf03833b2 upstream.
+
+register_shm_helper() allocates shm before calling
+iov_iter_npages(). If iov_iter_npages() returns 0, the function
+jumps to err_ctx_put and leaks shm.
+
+This can be triggered by TEE_IOC_SHM_REGISTER with
+struct tee_ioctl_shm_register_data where length is 0.
+
+Jump to err_free_shm instead.
+
+Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
+Cc: stable@vger.kernel.org
+Cc: lvc-project@linuxtesting.org
+Signed-off-by: Georgiy Osokin
+Reviewed-by: Sumit Garg
+Signed-off-by: Jens Wiklander
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tee/tee_shm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -435,7 +435,7 @@ register_shm_helper(struct tee_context *
+ num_pages = iov_iter_npages(iter, INT_MAX);
+ if (!num_pages) {
+ ret = ERR_PTR(-ENOMEM);
+- goto err_ctx_put;
++ goto err_free_shm;
+ }
+
+ shm->pages = kzalloc_objs(*shm->pages, num_pages);
diff --git a/queue-7.0/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch b/queue-7.0/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
new file mode 100644
index 0000000000..b5b8026537
--- /dev/null
+++ b/queue-7.0/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
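Review bot: The branch this fix touches still sets `ret = ERR_PTR(-ENOMEM)` when `iov_iter_npages()` returns 0, although the commit message says the case is reached by a `TEE_IOC_SHM_REGISTER` call with length 0, so user space is told an allocation failed when the request was simply empty. If no caller depends on the current errno, `ret = ERR_PTR(-EINVAL);` would describe the condition; otherwise a comment on the branch such as `/* zero-length registration: nothing to pin */` would at least say why it exists. `register_shm_helper()` starts and ends outside the hunk, so the `err_free_shm` label and what it releases before reaching `err_ctx_put` are not visible here and should be checked against the allocation order.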
@@ -0,0 +1,58 @@
+From 0652a3daa78723f955b1ebeb621665ce72bec53e Mon Sep 17 00:00:00 2001
+From: Eva Kurchatova
+Date: Wed, 3 Jun 2026 18:31:42 +0300
+Subject: tracing: Fix CFI violation in probestub being called by tprobes
+
+From: Eva Kurchatova
+
+commit 0652a3daa78723f955b1ebeb621665ce72bec53e upstream.
+
+The probestub is a function to allow tprobes to hook to a tracepoint to
+gain access to its parameters. The function itself is only referenced by
+the tracepoint structure which lives in the __tracepoint section. objtool
+explicitly ignores that section and when processing functions in the
+kernel, if it detects one that has no references it will seal it to have
+its ENDBR stripped on boot up.
+
+This means when a tprobe is attached to the sched_wakeup tracepoint, when it
+is triggered it will call __probestub_sched_wakeup and due to the missing
+ENDBR on a CFI-enabled machine it will take a #CP exception.
+
+Fix this by adding CFI_NOSEAL annotation to probestub declaration.
+
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google)
+Link: https://patch.msgid.link/20260603153147.573589-1-eva.kurchatova@virtuozzo.com
+Fixes: d5173f753750 ("objtool: Exclude __tracepoints data from ENDBR checks")
+Signed-off-by: Eva Kurchatova
+[ Updated change log ]
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/tracepoint.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/include/linux/tracepoint.h
++++ b/include/linux/tracepoint.h
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+
+ struct module;
+ struct tracepoint;
+@@ -380,6 +381,13 @@ static inline struct tracepoint *tracepo
+ void __probestub_##_name(void *__data, proto) \
+ { \
+ } \
++ /* \
++ * Annotate the probestub 'CFI_NOSEAL' to stop objtool from \
++ * requesting the kernel remove the ENDBR, because the only \
++ * references to the function are in the __tracepoint section, \
++ * that objtool doesn't scan. \
++ */ \
++ CFI_NOSEAL(__probestub_##_name); \
+ DEFINE_STATIC_CALL(tp_func_##_name, __traceiter_##_name); \
+ DEFINE_RUST_DO_TRACE(_name, TP_PROTO(proto), TP_ARGS(args))
+
diff --git a/queue-7.0/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch b/queue-7.0/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
new file mode 100644
index 0000000000..305b63b95f
--- /dev/null
+++ b/queue-7.0/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
@@ -0,0 +1,51 @@
+From 85e0f27dd1396307913ffc5745b0c05137e9beac Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Mon, 25 May 2026 11:21:14 +0900
+Subject: tracing/probes: Point the error offset correctly for eprobe argument error
+
+From: Masami Hiramatsu (Google)
+
+commit 85e0f27dd1396307913ffc5745b0c05137e9beac upstream.
+
+Fix to point the error offset correctly for eprobe argument error.
+In the cleanup commit 1b8b0cd754cd ("tracing/probes: Move event parameter
+fetching code to common parser"), due to incorrect backward compatibility
+aimed at conforming to the test specifications, the error location was set
+to 0 when a non-existent formal parameter was specified for Eprobe.
+However, this should be corrected in both the test and the implementation
+to point correct error position.
+
+Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/
+
+Fixes: 1b8b0cd754cd ("tracing/probes: Move event parameter fetching code to common parser")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Reviewed-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe.c | 2 --
+ tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc | 2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -962,8 +962,6 @@ static int parse_probe_vars(char *orig_a
+ code->op = FETCH_OP_COMM;
+ return 0;
+ }
+- /* backward compatibility */
+- ctx->offset = 0;
+ goto inval;
+ }
+
+--- a/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
++++ b/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
+@@ -20,7 +20,7 @@ check_error 'e:foo/^12345678901234567890
+ check_error 'e:foo/^bar.1 syscalls/sys_enter_openat' # BAD_EVENT_NAME
+
+ check_error 'e:foo/bar syscalls/sys_enter_openat arg=^dfd' # BAD_FETCH_ARG
+-check_error 'e:foo/bar syscalls/sys_enter_openat ^arg=$foo' # BAD_ATTACH_ARG
++check_error 'e:foo/bar syscalls/sys_enter_openat arg=^$foo' # BAD_ATTACH_ARG
+
+ if grep -q '\..*\[if \]' README; then
+ check_error 'e:foo/bar syscalls/sys_enter_openat if ^' # NO_EP_FILTER