From: Greg Kroah-Hartman Date: Thu, 16 Oct 2025 13:08:50 +0000 (+0200) Subject: 6.17-stable patches X-Git-Tag: v5.15.195~73 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d7aaaf1bce98d55a5bee2273b28ff1c67b71530d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch kho-only-fill-kimage-if-kho-is-finalized.patch lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch loop-fix-backing-file-reference-leak-on-validation-error.patch md-fix-mssing-blktrace-bio-split-events.patch memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch memory-stm32_omm-fix-req2ack-update-test.patch mmc-core-spi-mode-remove-cmd7.patch mmc-mmc_spi-multiple-block-read-remove-read-crc-ack.patch mtd-nand-raw-gpmi-fix-clocks-when-config_pm-n.patch mtd-rawnand-fsmc-default-to-autodetect-buswidth.patch nvme-pci-add-tuxedo-ibs-gen8-to-samsung-sleep-quirk.patch of-unittest-fix-device-reference-count-leak-in-of_unittest_pci_node_verify.patch openat2-don-t-trigger-automounts-with-resolve_no_xdev.patch padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch parisc-don-t-reference-obsolete-termio-struct-for-tc-constants.patch parisc-remove-spurious-if-statement-from-raw_copy_from_user.patch pci-aer-fix-missing-uevent-on-recovery-when-a-reset-is-requested.patch pci-aer-support-errors-introduced-by-pcie-r6.0.patch pci-ensure-relaxed-tail-alignment-does-not-increase-min_align.patch pci-err-fix-uevent-on-failure-to-recover.patch pci-fix-failure-detection-during-resource-resize.patch pci-iov-add-pci-rescan-remove-locking-when-enabling-disabling-sr-iov.patch pci-j721e-fix-module-autoloading.patch pci-j721e-fix-programming-sequence-of-strap-settings.patch pci-keystone-use-devm_request_irq-to-free-ks-pcie-error-irq-on-exit.patch pci-pwrctrl-fix-device-and-of-node-leak-at-bus-scan.patch pci-pwrctrl-fix-device-leak-at-device-stop.patch pci-pwrctrl-fix-device-leak-at-registration.patch pci-rcar-gen4-fix-phy-initialization.patch pci-rcar-host-convert-struct-rcar_msi-mask_lock-into-raw-spinlock.patch pci-rcar-host-drop-pmsr-spinlock.patch pci-sysfs-ensure-devices-are-powered-for-config-reads.patch pci-tegra-convert-struct-tegra_msi-mask_lock-into-raw-spinlock.patch pci-tegra194-fix-broken-tegra_pcie_ep_raise_msi_irq.patch pci-tegra194-handle-errors-in-bpmp-response.patch pci-tegra194-reset-bars-when-running-in-pcie-endpoint-mode.patch pci-xilinx-nwl-fix-ecam-programming.patch pinctrl-samsung-drop-unused-s3c24xx-driver-data.patch pm-em-fix-late-boot-with-holes-in-cpu-topology.patch pm-hibernate-fix-hybrid-sleep.patch pm-hibernate-restrict-gfp-mask-in-power_down.patch power-supply-max77976_charger-fix-constant-current-reporting.patch powerpc-powernv-pci-fix-underflow-and-leak-issue.patch powerpc-pseries-msi-fix-potential-underflow-and-leak-issue.patch pwm-berlin-fix-wrong-register-in-suspend-resume.patch pwm-fix-incorrect-variable-used-in-error-message.patch revert-ipmi-fix-msg-stack-when-ipmi-is-disconnected.patch riscv-use-an-atomic-xchg-in-pudp_huge_get_and_clear.patch rseq-selftests-use-weak-symbol-reference-not-definition-to-link-with-glibc.patch rtc-interface-ensure-alarm-irq-is-enabled-when-uie-is-enabled.patch rtc-interface-fix-long-standing-race-when-setting-alarm.patch sched-deadline-fix-race-in-push_dl_task.patch scsi-hpsa-fix-potential-memory-leak-in-hpsa_big_passthru_ioctl.patch scsi-sd-fix-build-warning-in-sd_revalidate_disk.patch sctp-fix-mac-comparison-to-be-constant-time.patch smb-client-fix-bug-with-newly-created-file-in-cached-dir.patch sparc-fix-error-handling-in-scan_one_device.patch sparc64-fix-hugetlb-for-sun4u.patch spi-cadence-quadspi-fix-cqspi_setup_flash.patch spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch x86-fred-remove-endbr64-from-fred-entry-points.patch x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch xfs-use-deferred-intent-items-for-reaping-crosslinked-blocks.patch xsk-harden-userspace-supplied-xdp_desc-validation.patch xtensa-simdisk-add-input-size-check-in-proc_write_simdisk.patch --- diff --git a/queue-6.17/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch b/queue-6.17/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch new file mode 100644 index 0000000000..bcbd3a41fa --- /dev/null +++ b/queue-6.17/keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch @@ -0,0 +1,63 @@ +From eed0e3d305530066b4fc5370107cff8ef1a0d229 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 9 Aug 2025 10:19:39 -0700 +Subject: KEYS: trusted_tpm1: Compare HMAC values in constant time + +From: Eric Biggers + +commit eed0e3d305530066b4fc5370107cff8ef1a0d229 upstream. + +To prevent timing attacks, HMAC value comparison needs to be constant +time. Replace the memcmp() with the correct function, crypto_memneq(). + +[For the Fixes commit I used the commit that introduced the memcmp(). +It predates the introduction of crypto_memneq(), but it was still a bug +at the time even though a helper function didn't exist yet.] + +Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_tpm1.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/security/keys/trusted-keys/trusted_tpm1.c ++++ b/security/keys/trusted-keys/trusted_tpm1.c +@@ -7,6 +7,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -241,7 +242,7 @@ int TSS_checkhmac1(unsigned char *buffer + if (ret < 0) + goto out; + +- if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) ++ if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) + ret = -EINVAL; + out: + kfree_sensitive(sdesc); +@@ -334,7 +335,7 @@ static int TSS_checkhmac2(unsigned char + TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); + if (ret < 0) + goto out; +- if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { ++ if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { + ret = -EINVAL; + goto out; + } +@@ -343,7 +344,7 @@ static int TSS_checkhmac2(unsigned char + TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); + if (ret < 0) + goto out; +- if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) ++ if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) + ret = -EINVAL; + out: + kfree_sensitive(sdesc); diff --git a/queue-6.17/kho-only-fill-kimage-if-kho-is-finalized.patch b/queue-6.17/kho-only-fill-kimage-if-kho-is-finalized.patch new file mode 100644 index 0000000000..425f919b7f --- /dev/null +++ b/queue-6.17/kho-only-fill-kimage-if-kho-is-finalized.patch @@ -0,0 +1,59 @@ +From f322a97aeb2a05b6b1ee17629145eb02e1a4c6a0 Mon Sep 17 00:00:00 2001 +From: Pratyush Yadav +Date: Thu, 18 Sep 2025 19:06:15 +0200 +Subject: kho: only fill kimage if KHO is finalized + +From: Pratyush Yadav + +commit f322a97aeb2a05b6b1ee17629145eb02e1a4c6a0 upstream. + +kho_fill_kimage() only checks for KHO being enabled before filling in the +FDT to the image. KHO being enabled does not mean that the kernel has +data to hand over. That happens when KHO is finalized. + +When a kexec is done with KHO enabled but not finalized, the FDT page is +allocated but not initialized. FDT initialization happens after finalize. +This means the KHO segment is filled in but the FDT contains garbage +data. + +This leads to the below error messages in the next kernel: + + [ 0.000000] KHO: setup: handover FDT (0x10116b000) is invalid: -9 + [ 0.000000] KHO: disabling KHO revival: -22 + +There is no problem in practice, and the next kernel boots and works fine. +But this still leads to misleading error messages and garbage being +handed over. + +Only fill in KHO segment when KHO is finalized. When KHO is not enabled, +the debugfs interface is not created and there is no way to finalize it +anyway. So the check for kho_enable is not needed, and kho_out.finalize +alone is enough. + +Link: https://lkml.kernel.org/r/20250918170617.91413-1-pratyush@kernel.org +Fixes: 3bdecc3c93f9 ("kexec: add KHO support to kexec file loads") +Signed-off-by: Pratyush Yadav +Reviewed-by: Mike Rapoport (Microsoft) +Cc: Alexander Graf +Cc: Baoquan He +Cc: Changyuan Lyu +Cc: Jason Gunthorpe +Cc: Pasha Tatashin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kexec_handover.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/kexec_handover.c ++++ b/kernel/kexec_handover.c +@@ -1233,7 +1233,7 @@ int kho_fill_kimage(struct kimage *image + int err = 0; + struct kexec_buf scratch; + +- if (!kho_enable) ++ if (!kho_out.finalized) + return 0; + + image->kho.fdt = page_to_phys(kho_out.ser.fdt); diff --git a/queue-6.17/lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch b/queue-6.17/lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch new file mode 100644 index 0000000000..502786c71c --- /dev/null +++ b/queue-6.17/lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch @@ -0,0 +1,43 @@ +From 1260cbcffa608219fc9188a6cbe9c45a300ef8b5 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 24 Sep 2025 10:02:07 +0200 +Subject: lib/genalloc: fix device leak in of_gen_pool_get() + +From: Johan Hovold + +commit 1260cbcffa608219fc9188a6cbe9c45a300ef8b5 upstream. + +Make sure to drop the reference taken when looking up the genpool platform +device in of_gen_pool_get() before returning the pool. + +Note that holding a reference to a device does typically not prevent its +devres managed resources from being released so there is no point in +keeping the reference. + +Link: https://lkml.kernel.org/r/20250924080207.18006-1-johan@kernel.org +Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device") +Signed-off-by: Johan Hovold +Cc: Philipp Zabel +Cc: Vladimir Zapolskiy +Cc: [3.10+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/genalloc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/lib/genalloc.c ++++ b/lib/genalloc.c +@@ -899,8 +899,11 @@ struct gen_pool *of_gen_pool_get(struct + if (!name) + name = of_node_full_name(np_pool); + } +- if (pdev) ++ if (pdev) { + pool = gen_pool_get(&pdev->dev, name); ++ put_device(&pdev->dev); ++ } ++ + of_node_put(np_pool); + + return pool; diff --git a/queue-6.17/loop-fix-backing-file-reference-leak-on-validation-error.patch b/queue-6.17/loop-fix-backing-file-reference-leak-on-validation-error.patch new file mode 100644 index 0000000000..b16b724958 --- /dev/null +++ b/queue-6.17/loop-fix-backing-file-reference-leak-on-validation-error.patch @@ -0,0 +1,56 @@ +From 98b7bf54338b797e3a11e8178ce0e806060d8fa3 Mon Sep 17 00:00:00 2001 +From: Li Chen +Date: Tue, 30 Sep 2025 08:35:59 +0800 +Subject: loop: fix backing file reference leak on validation error + +From: Li Chen + +commit 98b7bf54338b797e3a11e8178ce0e806060d8fa3 upstream. + +loop_change_fd() and loop_configure() call loop_check_backing_file() +to validate the new backing file. If validation fails, the reference +acquired by fget() was not dropped, leaking a file reference. + +Fix this by calling fput(file) before returning the error. + +Cc: stable@vger.kernel.org +Cc: Markus Elfring +CC: Yang Erkun +Cc: Ming Lei +Cc: Yu Kuai +Fixes: f5c84eff634b ("loop: Add sanity check for read/write_iter") +Signed-off-by: Li Chen +Reviewed-by: Ming Lei +Reviewed-by: Yang Erkun +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/loop.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -551,8 +551,10 @@ static int loop_change_fd(struct loop_de + return -EBADF; + + error = loop_check_backing_file(file); +- if (error) ++ if (error) { ++ fput(file); + return error; ++ } + + /* suppress uevents while reconfiguring the device */ + dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 1); +@@ -993,8 +995,10 @@ static int loop_configure(struct loop_de + return -EBADF; + + error = loop_check_backing_file(file); +- if (error) ++ if (error) { ++ fput(file); + return error; ++ } + + is_loop = is_loop_device(file); + diff --git a/queue-6.17/md-fix-mssing-blktrace-bio-split-events.patch b/queue-6.17/md-fix-mssing-blktrace-bio-split-events.patch new file mode 100644 index 0000000000..333bcbd4a8 --- /dev/null +++ b/queue-6.17/md-fix-mssing-blktrace-bio-split-events.patch @@ -0,0 +1,138 @@ +From 22f166218f7313e8fe2d19213b5f4b3265f8c39e Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Wed, 10 Sep 2025 14:30:44 +0800 +Subject: md: fix mssing blktrace bio split events + +From: Yu Kuai + +commit 22f166218f7313e8fe2d19213b5f4b3265f8c39e upstream. + +If bio is split by internal handling like chunksize or badblocks, the +corresponding trace_block_split() is missing, resulting in blktrace +inability to catch BIO split events and making it harder to analyze the +BIO sequence. + +Cc: stable@vger.kernel.org +Fixes: 4b1faf931650 ("block: Kill bio_pair_split()") +Signed-off-by: Yu Kuai +Reviewed-by: Damien Le Moal +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-linear.c | 1 + + drivers/md/raid0.c | 4 ++++ + drivers/md/raid1.c | 4 ++++ + drivers/md/raid10.c | 8 ++++++++ + drivers/md/raid5.c | 2 ++ + 5 files changed, 19 insertions(+) + +--- a/drivers/md/md-linear.c ++++ b/drivers/md/md-linear.c +@@ -267,6 +267,7 @@ static bool linear_make_request(struct m + } + + bio_chain(split, bio); ++ trace_block_split(split, bio->bi_iter.bi_sector); + submit_bio_noacct(bio); + bio = split; + } +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -473,7 +473,9 @@ static void raid0_handle_discard(struct + bio_endio(bio); + return; + } ++ + bio_chain(split, bio); ++ trace_block_split(split, bio->bi_iter.bi_sector); + submit_bio_noacct(bio); + bio = split; + end = zone->zone_end; +@@ -621,7 +623,9 @@ static bool raid0_make_request(struct md + bio_endio(bio); + return true; + } ++ + bio_chain(split, bio); ++ trace_block_split(split, bio->bi_iter.bi_sector); + raid0_map_submit_bio(mddev, bio); + bio = split; + } +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1383,7 +1383,9 @@ static void raid1_read_request(struct md + error = PTR_ERR(split); + goto err_handle; + } ++ + bio_chain(split, bio); ++ trace_block_split(split, bio->bi_iter.bi_sector); + submit_bio_noacct(bio); + bio = split; + r1_bio->master_bio = bio; +@@ -1591,7 +1593,9 @@ static void raid1_write_request(struct m + error = PTR_ERR(split); + goto err_handle; + } ++ + bio_chain(split, bio); ++ trace_block_split(split, bio->bi_iter.bi_sector); + submit_bio_noacct(bio); + bio = split; + r1_bio->master_bio = bio; +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1209,7 +1209,9 @@ static void raid10_read_request(struct m + error = PTR_ERR(split); + goto err_handle; + } ++ + bio_chain(split, bio); ++ trace_block_split(split, bio->bi_iter.bi_sector); + allow_barrier(conf); + submit_bio_noacct(bio); + wait_barrier(conf, false); +@@ -1495,7 +1497,9 @@ static void raid10_write_request(struct + error = PTR_ERR(split); + goto err_handle; + } ++ + bio_chain(split, bio); ++ trace_block_split(split, bio->bi_iter.bi_sector); + allow_barrier(conf); + submit_bio_noacct(bio); + wait_barrier(conf, false); +@@ -1679,7 +1683,9 @@ static int raid10_handle_discard(struct + bio_endio(bio); + return 0; + } ++ + bio_chain(split, bio); ++ trace_block_split(split, bio->bi_iter.bi_sector); + allow_barrier(conf); + /* Resend the fist split part */ + submit_bio_noacct(split); +@@ -1694,7 +1700,9 @@ static int raid10_handle_discard(struct + bio_endio(bio); + return 0; + } ++ + bio_chain(split, bio); ++ trace_block_split(split, bio->bi_iter.bi_sector); + allow_barrier(conf); + /* Resend the second split part */ + submit_bio_noacct(bio); +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -5475,8 +5475,10 @@ static struct bio *chunk_aligned_read(st + + if (sectors < bio_sectors(raid_bio)) { + struct r5conf *conf = mddev->private; ++ + split = bio_split(raid_bio, sectors, GFP_NOIO, &conf->bio_split); + bio_chain(split, raid_bio); ++ trace_block_split(split, raid_bio->bi_iter.bi_sector); + submit_bio_noacct(raid_bio); + raid_bio = split; + } diff --git a/queue-6.17/memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch b/queue-6.17/memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch new file mode 100644 index 0000000000..e062ec5366 --- /dev/null +++ b/queue-6.17/memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch @@ -0,0 +1,56 @@ +From 6744085079e785dae5f7a2239456135407c58b25 Mon Sep 17 00:00:00 2001 +From: Zhen Ni +Date: Wed, 6 Aug 2025 10:55:38 +0800 +Subject: memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe + +From: Zhen Ni + +commit 6744085079e785dae5f7a2239456135407c58b25 upstream. + +The of_platform_populate() call at the end of the function has a +possible failure path, causing a resource leak. + +Replace of_iomap() with devm_platform_ioremap_resource() to ensure +automatic cleanup of srom->reg_base. + +This issue was detected by smatch static analysis: +drivers/memory/samsung/exynos-srom.c:155 exynos_srom_probe()warn: +'srom->reg_base' from of_iomap() not released on lines: 155. + +Fixes: 8ac2266d8831 ("memory: samsung: exynos-srom: Add support for bank configuration") +Cc: stable@vger.kernel.org +Signed-off-by: Zhen Ni +Link: https://lore.kernel.org/r/20250806025538.306593-1-zhen.ni@easystack.cn +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/memory/samsung/exynos-srom.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/memory/samsung/exynos-srom.c ++++ b/drivers/memory/samsung/exynos-srom.c +@@ -121,20 +121,18 @@ static int exynos_srom_probe(struct plat + return -ENOMEM; + + srom->dev = dev; +- srom->reg_base = of_iomap(np, 0); +- if (!srom->reg_base) { ++ srom->reg_base = devm_platform_ioremap_resource(pdev, 0); ++ if (IS_ERR(srom->reg_base)) { + dev_err(&pdev->dev, "iomap of exynos srom controller failed\n"); +- return -ENOMEM; ++ return PTR_ERR(srom->reg_base); + } + + platform_set_drvdata(pdev, srom); + + srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets, + ARRAY_SIZE(exynos_srom_offsets)); +- if (!srom->reg_offset) { +- iounmap(srom->reg_base); ++ if (!srom->reg_offset) + return -ENOMEM; +- } + + for_each_child_of_node(np, child) { + if (exynos_srom_configure_bank(srom, child)) { diff --git a/queue-6.17/memory-stm32_omm-fix-req2ack-update-test.patch b/queue-6.17/memory-stm32_omm-fix-req2ack-update-test.patch new file mode 100644 index 0000000000..edd47a8444 --- /dev/null +++ b/queue-6.17/memory-stm32_omm-fix-req2ack-update-test.patch @@ -0,0 +1,39 @@ +From d140f3ba76ac98faad7f9b37ef5a3dcbd57f59e2 Mon Sep 17 00:00:00 2001 +From: Patrice Chotard +Date: Thu, 7 Aug 2025 09:34:09 +0200 +Subject: memory: stm32_omm: Fix req2ack update test + +From: Patrice Chotard + +commit d140f3ba76ac98faad7f9b37ef5a3dcbd57f59e2 upstream. + +If "st,omm-req2ack-ns" property is found and its value is not 0, +the current test doesn't allow to compute and set req2ack value, +Fix this test. + +Fixes: 8181d061dcff ("memory: Add STM32 Octo Memory Manager driver") +Signed-off-by: Patrice Chotard +Link: https://lore.kernel.org/r/20250807-upstream_omm_fix_req2ack_test_condition-v2-1-d7df4af2b48b@foss.st.com +Cc: +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/memory/stm32_omm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memory/stm32_omm.c b/drivers/memory/stm32_omm.c +index bee2ecc8c2b9..5d06623f3f68 100644 +--- a/drivers/memory/stm32_omm.c ++++ b/drivers/memory/stm32_omm.c +@@ -238,7 +238,7 @@ static int stm32_omm_configure(struct device *dev) + if (mux & CR_MUXEN) { + ret = of_property_read_u32(dev->of_node, "st,omm-req2ack-ns", + &req2ack); +- if (!ret && !req2ack) { ++ if (!ret && req2ack) { + req2ack = DIV_ROUND_UP(req2ack, NSEC_PER_SEC / clk_rate_max) - 1; + + if (req2ack > 256) +-- +2.51.0 + diff --git a/queue-6.17/mmc-core-spi-mode-remove-cmd7.patch b/queue-6.17/mmc-core-spi-mode-remove-cmd7.patch new file mode 100644 index 0000000000..9c42e6ee88 --- /dev/null +++ b/queue-6.17/mmc-core-spi-mode-remove-cmd7.patch @@ -0,0 +1,37 @@ +From fec40f44afdabcbc4a7748e4278f30737b54bb1a Mon Sep 17 00:00:00 2001 +From: Rex Chen +Date: Mon, 28 Jul 2025 17:22:29 +0900 +Subject: mmc: core: SPI mode remove cmd7 + +From: Rex Chen + +commit fec40f44afdabcbc4a7748e4278f30737b54bb1a upstream. + +SPI mode doesn't support cmd7, so remove it in mmc_sdio_alive() and +confirm if sdio is active by checking CCCR register value is available +or not. + +Signed-off-by: Rex Chen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250728082230.1037917-2-rex.chen_1@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/sdio.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/core/sdio.c ++++ b/drivers/mmc/core/sdio.c +@@ -945,7 +945,11 @@ static void mmc_sdio_remove(struct mmc_h + */ + static int mmc_sdio_alive(struct mmc_host *host) + { +- return mmc_select_card(host->card); ++ if (!mmc_host_is_spi(host)) ++ return mmc_select_card(host->card); ++ else ++ return mmc_io_rw_direct(host->card, 0, 0, SDIO_CCCR_CCCR, 0, ++ NULL); + } + + /* diff --git a/queue-6.17/mmc-mmc_spi-multiple-block-read-remove-read-crc-ack.patch b/queue-6.17/mmc-mmc_spi-multiple-block-read-remove-read-crc-ack.patch new file mode 100644 index 0000000000..3856290c51 --- /dev/null +++ b/queue-6.17/mmc-mmc_spi-multiple-block-read-remove-read-crc-ack.patch @@ -0,0 +1,46 @@ +From fef12d9f5bcf7e2b19a7cf1295c6abd5642dd241 Mon Sep 17 00:00:00 2001 +From: Rex Chen +Date: Mon, 28 Jul 2025 17:22:30 +0900 +Subject: mmc: mmc_spi: multiple block read remove read crc ack + +From: Rex Chen + +commit fef12d9f5bcf7e2b19a7cf1295c6abd5642dd241 upstream. + +For multiple block read, the current implementation, transfer packet +includes cmd53 + cmd53 response + block nums*(1byte token + +block length bytes payload + 2bytes CRC + 1byte transfer), the last +1byte transfer of every block is not needed, so remove it. + +Why doesn't multiple block read need CRC ack? +For read operation, host side get the payload and CRC value, then +will only check the CRC value to confirm if the data is correct or +not, but not send CRC ack to card. If the data is correct, save it, +or discard it and retransmit if data is error, so the last 1byte +transfer of every block make no sense. + +What's the side effect of this 1byte transfer? +As the SPI is full duplex, if add this redundant 1byte transfer, SDIO +card side take it as the token of next block, then all the next sub +blocks sequence distort. + +Signed-off-by: Rex Chen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250728082230.1037917-3-rex.chen_1@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/mmc_spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/mmc_spi.c ++++ b/drivers/mmc/host/mmc_spi.c +@@ -563,7 +563,7 @@ mmc_spi_setup_data_message(struct mmc_sp + * the next token (next data block, or STOP_TRAN). We can try to + * minimize I/O ops by using a single read to collect end-of-busy. + */ +- if (multiple || write) { ++ if (write) { + t = &host->early_status; + memset(t, 0, sizeof(*t)); + t->len = write ? sizeof(scratch->status) : 1; diff --git a/queue-6.17/mtd-nand-raw-gpmi-fix-clocks-when-config_pm-n.patch b/queue-6.17/mtd-nand-raw-gpmi-fix-clocks-when-config_pm-n.patch new file mode 100644 index 0000000000..1b2b1bba6a --- /dev/null +++ b/queue-6.17/mtd-nand-raw-gpmi-fix-clocks-when-config_pm-n.patch @@ -0,0 +1,70 @@ +From 1001cc1171248ebb21d371fbe086b5d3f11b410b Mon Sep 17 00:00:00 2001 +From: Maarten Zanders +Date: Mon, 22 Sep 2025 17:39:38 +0200 +Subject: mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N + +From: Maarten Zanders + +commit 1001cc1171248ebb21d371fbe086b5d3f11b410b upstream. + +Commit f04ced6d545e ("mtd: nand: raw: gpmi: improve power management +handling") moved all clock handling into PM callbacks. With CONFIG_PM +disabled, those callbacks are missing, leaving the driver unusable. + +Add clock init/teardown for !CONFIG_PM builds to restore basic operation. +Keeping the driver working without requiring CONFIG_PM is preferred over +adding a Kconfig dependency. + +Fixes: f04ced6d545e ("mtd: nand: raw: gpmi: improve power management handling") +Signed-off-by: Maarten Zanders +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c +@@ -145,6 +145,9 @@ err_clk: + return ret; + } + ++#define gpmi_enable_clk(x) __gpmi_enable_clk(x, true) ++#define gpmi_disable_clk(x) __gpmi_enable_clk(x, false) ++ + static int gpmi_init(struct gpmi_nand_data *this) + { + struct resources *r = &this->resources; +@@ -2765,6 +2768,11 @@ static int gpmi_nand_probe(struct platfo + pm_runtime_enable(&pdev->dev); + pm_runtime_set_autosuspend_delay(&pdev->dev, 500); + pm_runtime_use_autosuspend(&pdev->dev); ++#ifndef CONFIG_PM ++ ret = gpmi_enable_clk(this); ++ if (ret) ++ goto exit_acquire_resources; ++#endif + + ret = gpmi_init(this); + if (ret) +@@ -2800,6 +2808,9 @@ static void gpmi_nand_remove(struct plat + release_resources(this); + pm_runtime_dont_use_autosuspend(&pdev->dev); + pm_runtime_disable(&pdev->dev); ++#ifndef CONFIG_PM ++ gpmi_disable_clk(this); ++#endif + } + + static int gpmi_pm_suspend(struct device *dev) +@@ -2846,9 +2857,6 @@ static int gpmi_pm_resume(struct device + return 0; + } + +-#define gpmi_enable_clk(x) __gpmi_enable_clk(x, true) +-#define gpmi_disable_clk(x) __gpmi_enable_clk(x, false) +- + static int gpmi_runtime_suspend(struct device *dev) + { + struct gpmi_nand_data *this = dev_get_drvdata(dev); diff --git a/queue-6.17/mtd-rawnand-fsmc-default-to-autodetect-buswidth.patch b/queue-6.17/mtd-rawnand-fsmc-default-to-autodetect-buswidth.patch new file mode 100644 index 0000000000..d7a308c3ee --- /dev/null +++ b/queue-6.17/mtd-rawnand-fsmc-default-to-autodetect-buswidth.patch @@ -0,0 +1,61 @@ +From b8df622cf7f6808c85764e681847150ed6d85f3d Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Tue, 16 Sep 2025 18:07:37 +0200 +Subject: mtd: rawnand: fsmc: Default to autodetect buswidth + +From: Linus Walleij + +commit b8df622cf7f6808c85764e681847150ed6d85f3d upstream. + +If you don't specify buswidth 2 (16 bits) in the device +tree, FSMC doesn't even probe anymore: + +fsmc-nand 10100000.flash: FSMC device partno 090, + manufacturer 80, revision 00, config 00 +nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1 +nand: ST Micro 10100000.flash +nand: bus width 8 instead of 16 bits +nand: No NAND device found +fsmc-nand 10100000.flash: probe with driver fsmc-nand failed + with error -22 + +With this patch to use autodetection unless buswidth is +specified, the device is properly detected again: + +fsmc-nand 10100000.flash: FSMC device partno 090, + manufacturer 80, revision 00, config 00 +nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1 +nand: ST Micro NAND 128MiB 1,8V 16-bit +nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64 +fsmc-nand 10100000.flash: Using 1-bit HW ECC scheme +Scanning device for bad blocks + +I don't know where or how this happened, I think some change +in the nand core. + +Cc: stable@vger.kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/fsmc_nand.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/fsmc_nand.c ++++ b/drivers/mtd/nand/raw/fsmc_nand.c +@@ -876,10 +876,14 @@ static int fsmc_nand_probe_config_dt(str + if (!of_property_read_u32(np, "bank-width", &val)) { + if (val == 2) { + nand->options |= NAND_BUSWIDTH_16; +- } else if (val != 1) { ++ } else if (val == 1) { ++ nand->options |= NAND_BUSWIDTH_AUTO; ++ } else { + dev_err(&pdev->dev, "invalid bank-width %u\n", val); + return -EINVAL; + } ++ } else { ++ nand->options |= NAND_BUSWIDTH_AUTO; + } + + if (of_property_read_bool(np, "nand-skip-bbtscan")) diff --git a/queue-6.17/nvme-pci-add-tuxedo-ibs-gen8-to-samsung-sleep-quirk.patch b/queue-6.17/nvme-pci-add-tuxedo-ibs-gen8-to-samsung-sleep-quirk.patch new file mode 100644 index 0000000000..33fb9ed209 --- /dev/null +++ b/queue-6.17/nvme-pci-add-tuxedo-ibs-gen8-to-samsung-sleep-quirk.patch @@ -0,0 +1,39 @@ +From eeaed48980a7aeb0d3d8b438185d4b5a66154ff9 Mon Sep 17 00:00:00 2001 +From: Georg Gottleuber +Date: Tue, 1 Jul 2025 22:55:49 +0200 +Subject: nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk + +From: Georg Gottleuber + +commit eeaed48980a7aeb0d3d8b438185d4b5a66154ff9 upstream. + +On the TUXEDO InfinityBook S Gen8, a Samsung 990 Evo NVMe leads to +a high power consumption in s2idle sleep (3.5 watts). + +This patch applies 'Force No Simple Suspend' quirk to achieve a sleep with +a lower power consumption, typically around 1 watts. + +Signed-off-by: Georg Gottleuber +Signed-off-by: Werner Sembach +Cc: stable@vger.kernel.org +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3324,10 +3324,12 @@ static unsigned long check_vendor_combin + * Exclude Samsung 990 Evo from NVME_QUIRK_SIMPLE_SUSPEND + * because of high power consumption (> 2 Watt) in s2idle + * sleep. Only some boards with Intel CPU are affected. ++ * (Note for testing: Samsung 990 Evo Plus has same PCI ID) + */ + if (dmi_match(DMI_BOARD_NAME, "DN50Z-140HC-YD") || + dmi_match(DMI_BOARD_NAME, "GMxPXxx") || + dmi_match(DMI_BOARD_NAME, "GXxMRXx") || ++ dmi_match(DMI_BOARD_NAME, "NS5X_NS7XAU") || + dmi_match(DMI_BOARD_NAME, "PH4PG31") || + dmi_match(DMI_BOARD_NAME, "PH4PRX1_PH6PRX1") || + dmi_match(DMI_BOARD_NAME, "PH6PG01_PH6PG71")) diff --git a/queue-6.17/of-unittest-fix-device-reference-count-leak-in-of_unittest_pci_node_verify.patch b/queue-6.17/of-unittest-fix-device-reference-count-leak-in-of_unittest_pci_node_verify.patch new file mode 100644 index 0000000000..0cf6dbf184 --- /dev/null +++ b/queue-6.17/of-unittest-fix-device-reference-count-leak-in-of_unittest_pci_node_verify.patch @@ -0,0 +1,41 @@ +From a8de554774ae48efbe48ace79f8badae2daa2bf1 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 30 Sep 2025 16:16:18 +0800 +Subject: of: unittest: Fix device reference count leak in of_unittest_pci_node_verify + +From: Ma Ke + +commit a8de554774ae48efbe48ace79f8badae2daa2bf1 upstream. + +In of_unittest_pci_node_verify(), when the add parameter is false, +device_find_any_child() obtains a reference to a child device. This +function implicitly calls get_device() to increment the device's +reference count before returning the pointer. However, the caller +fails to properly release this reference by calling put_device(), +leading to a device reference count leak. Add put_device() in the else +branch immediately after child_dev is no longer needed. + +As the comment of device_find_any_child states: "NOTE: you will need +to drop the reference with put_device() after use". + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver") +Signed-off-by: Ma Ke +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/unittest.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -4300,6 +4300,7 @@ static int of_unittest_pci_node_verify(s + unittest(!np, "Child device tree node is not removed\n"); + child_dev = device_find_any_child(&pdev->dev); + unittest(!child_dev, "Child device is not removed\n"); ++ put_device(child_dev); + } + + failed: diff --git a/queue-6.17/openat2-don-t-trigger-automounts-with-resolve_no_xdev.patch b/queue-6.17/openat2-don-t-trigger-automounts-with-resolve_no_xdev.patch new file mode 100644 index 0000000000..2092555575 --- /dev/null +++ b/queue-6.17/openat2-don-t-trigger-automounts-with-resolve_no_xdev.patch @@ -0,0 +1,51 @@ +From 042a60680de43175eb4df0977ff04a4eba9da082 Mon Sep 17 00:00:00 2001 +From: Askar Safin +Date: Mon, 25 Aug 2025 18:12:33 +0000 +Subject: openat2: don't trigger automounts with RESOLVE_NO_XDEV + +From: Askar Safin + +commit 042a60680de43175eb4df0977ff04a4eba9da082 upstream. + +openat2 had a bug: if we pass RESOLVE_NO_XDEV, then openat2 +doesn't traverse through automounts, but may still trigger them. +(See the link for full bug report with reproducer.) + +This commit fixes this bug. + +Link: https://lore.kernel.org/linux-fsdevel/20250817075252.4137628-1-safinaskar@zohomail.com/ +Fixes: fddb5d430ad9fa91b49b1 ("open: introduce openat2(2) syscall") +Reviewed-by: Aleksa Sarai +Cc: stable@vger.kernel.org +Signed-off-by: Askar Safin +Link: https://lore.kernel.org/20250825181233.2464822-5-safinaskar@zohomail.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/namei.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1449,6 +1449,10 @@ static int follow_automount(struct path + dentry->d_inode) + return -EISDIR; + ++ /* No need to trigger automounts if mountpoint crossing is disabled. */ ++ if (lookup_flags & LOOKUP_NO_XDEV) ++ return -EXDEV; ++ + if (count && (*count)++ >= MAXSYMLINKS) + return -ELOOP; + +@@ -1472,6 +1476,10 @@ static int __traverse_mounts(struct path + /* Allow the filesystem to manage the transit without i_rwsem + * being held. */ + if (flags & DCACHE_MANAGE_TRANSIT) { ++ if (lookup_flags & LOOKUP_NO_XDEV) { ++ ret = -EXDEV; ++ break; ++ } + ret = path->dentry->d_op->d_manage(path, false); + flags = smp_load_acquire(&path->dentry->d_flags); + if (ret < 0) diff --git a/queue-6.17/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch b/queue-6.17/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch new file mode 100644 index 0000000000..393de17265 --- /dev/null +++ b/queue-6.17/padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch @@ -0,0 +1,40 @@ +From 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b Mon Sep 17 00:00:00 2001 +From: Xiao Liang +Date: Sun, 17 Aug 2025 00:30:15 +0800 +Subject: padata: Reset next CPU when reorder sequence wraps around + +From: Xiao Liang + +commit 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b upstream. + +When seq_nr wraps around, the next reorder job with seq 0 is hashed to +the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu +to the first one when pd->processed wraps around. Otherwise, if the +number of used CPUs is not a power of 2, padata_find_next() will be +checking a wrong list, hence deadlock. + +Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder") +Cc: +Signed-off-by: Xiao Liang +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + kernel/padata.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -291,8 +291,12 @@ static void padata_reorder(struct padata + struct padata_serial_queue *squeue; + int cb_cpu; + +- cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); + processed++; ++ /* When sequence wraps around, reset to the first CPU. */ ++ if (unlikely(processed == 0)) ++ cpu = cpumask_first(pd->cpumask.pcpu); ++ else ++ cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); + + cb_cpu = padata->cb_cpu; + squeue = per_cpu_ptr(pd->squeue, cb_cpu); diff --git a/queue-6.17/parisc-don-t-reference-obsolete-termio-struct-for-tc-constants.patch b/queue-6.17/parisc-don-t-reference-obsolete-termio-struct-for-tc-constants.patch new file mode 100644 index 0000000000..284563cc73 --- /dev/null +++ b/queue-6.17/parisc-don-t-reference-obsolete-termio-struct-for-tc-constants.patch @@ -0,0 +1,44 @@ +From 8ec5a066f88f89bd52094ba18792b34c49dcd55a Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Wed, 1 Oct 2025 23:58:40 +0100 +Subject: parisc: don't reference obsolete termio struct for TC* constants + +From: Sam James + +commit 8ec5a066f88f89bd52094ba18792b34c49dcd55a upstream. + +Similar in nature to ab107276607af90b13a5994997e19b7b9731e251. glibc-2.42 +drops the legacy termio struct, but the ioctls.h header still defines some +TC* constants in terms of termio (via sizeof). Hardcode the values instead. + +This fixes building Python for example, which falls over like: + ./Modules/termios.c:1119:16: error: invalid application of 'sizeof' to incomplete type 'struct termio' + +Link: https://bugs.gentoo.org/961769 +Link: https://bugs.gentoo.org/962600 +Co-authored-by: Stian Halseth +Cc: stable@vger.kernel.org +Signed-off-by: Sam James +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/uapi/asm/ioctls.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/parisc/include/uapi/asm/ioctls.h ++++ b/arch/parisc/include/uapi/asm/ioctls.h +@@ -10,10 +10,10 @@ + #define TCSETS _IOW('T', 17, struct termios) /* TCSETATTR */ + #define TCSETSW _IOW('T', 18, struct termios) /* TCSETATTRD */ + #define TCSETSF _IOW('T', 19, struct termios) /* TCSETATTRF */ +-#define TCGETA _IOR('T', 1, struct termio) +-#define TCSETA _IOW('T', 2, struct termio) +-#define TCSETAW _IOW('T', 3, struct termio) +-#define TCSETAF _IOW('T', 4, struct termio) ++#define TCGETA 0x40125401 ++#define TCSETA 0x80125402 ++#define TCSETAW 0x80125403 ++#define TCSETAF 0x80125404 + #define TCSBRK _IO('T', 5) + #define TCXONC _IO('T', 6) + #define TCFLSH _IO('T', 7) diff --git a/queue-6.17/parisc-remove-spurious-if-statement-from-raw_copy_from_user.patch b/queue-6.17/parisc-remove-spurious-if-statement-from-raw_copy_from_user.patch new file mode 100644 index 0000000000..06880c2a55 --- /dev/null +++ b/queue-6.17/parisc-remove-spurious-if-statement-from-raw_copy_from_user.patch @@ -0,0 +1,30 @@ +From 16794e524d310780163fdd49d0bf7fac30f8dbc8 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Tue, 5 Aug 2025 11:35:30 -0400 +Subject: parisc: Remove spurious if statement from raw_copy_from_user() + +From: John David Anglin + +commit 16794e524d310780163fdd49d0bf7fac30f8dbc8 upstream. + +Accidently introduced in commit 91428ca9320e. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Fixes: 91428ca9320e ("parisc: Check region is readable by user in raw_copy_from_user()") +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/lib/memcpy.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/parisc/lib/memcpy.c ++++ b/arch/parisc/lib/memcpy.c +@@ -41,7 +41,6 @@ unsigned long raw_copy_from_user(void *d + mtsp(get_kernel_space(), SR_TEMP2); + + /* Check region is user accessible */ +- if (start) + while (start < end) { + if (!prober_user(SR_TEMP1, start)) { + newlen = (start - (unsigned long) src); diff --git a/queue-6.17/pci-aer-fix-missing-uevent-on-recovery-when-a-reset-is-requested.patch b/queue-6.17/pci-aer-fix-missing-uevent-on-recovery-when-a-reset-is-requested.patch new file mode 100644 index 0000000000..2e7ae94d8d --- /dev/null +++ b/queue-6.17/pci-aer-fix-missing-uevent-on-recovery-when-a-reset-is-requested.patch @@ -0,0 +1,37 @@ +From bbf7d0468d0da71d76cc6ec9bc8a224325d07b6b Mon Sep 17 00:00:00 2001 +From: Niklas Schnelle +Date: Thu, 7 Aug 2025 15:55:38 +0200 +Subject: PCI/AER: Fix missing uevent on recovery when a reset is requested + +From: Niklas Schnelle + +commit bbf7d0468d0da71d76cc6ec9bc8a224325d07b6b upstream. + +Since commit 7b42d97e99d3 ("PCI/ERR: Always report current recovery +status for udev") AER uses the result of error_detected() as parameter +to pci_uevent_ers(). As pci_uevent_ers() however does not handle +PCI_ERS_RESULT_NEED_RESET this results in a missing uevent for the +beginning of recovery if drivers request a reset. Fix this by treating +PCI_ERS_RESULT_NEED_RESET as beginning recovery. + +Fixes: 7b42d97e99d3 ("PCI/ERR: Always report current recovery status for udev") +Signed-off-by: Niklas Schnelle +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250807-add_err_uevents-v5-1-adf85b0620b0@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-driver.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -1596,6 +1596,7 @@ void pci_uevent_ers(struct pci_dev *pdev + switch (err_type) { + case PCI_ERS_RESULT_NONE: + case PCI_ERS_RESULT_CAN_RECOVER: ++ case PCI_ERS_RESULT_NEED_RESET: + envp[idx++] = "ERROR_EVENT=BEGIN_RECOVERY"; + envp[idx++] = "DEVICE_ONLINE=0"; + break; diff --git a/queue-6.17/pci-aer-support-errors-introduced-by-pcie-r6.0.patch b/queue-6.17/pci-aer-support-errors-introduced-by-pcie-r6.0.patch new file mode 100644 index 0000000000..e756970551 --- /dev/null +++ b/queue-6.17/pci-aer-support-errors-introduced-by-pcie-r6.0.patch @@ -0,0 +1,58 @@ +From 6633875250b38b18b8638cf01e695de031c71f02 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 27 Aug 2025 15:41:09 +0200 +Subject: PCI/AER: Support errors introduced by PCIe r6.0 + +From: Lukas Wunner + +commit 6633875250b38b18b8638cf01e695de031c71f02 upstream. + +PCIe r6.0 defined five additional errors in the Uncorrectable Error +Status, Mask and Severity Registers (PCIe r7.0 sec 7.8.4.2ff). + +lspci has been supporting them since commit 144b0911cc0b ("ls-ecaps: +extend decode support for more fields for AER CE and UE status"): + + https://git.kernel.org/pub/scm/utils/pciutils/pciutils.git/commit/?id=144b0911cc0b + +Amend the AER driver to recognize them as well, instead of logging them as +"Unknown Error Bit". + +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Reviewed-by: Kuppuswamy Sathyanarayanan +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/21f1875b18d4078c99353378f37dcd6b994f6d4e.1756301211.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pcie/aer.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/pci/pcie/aer.c ++++ b/drivers/pci/pcie/aer.c +@@ -43,7 +43,7 @@ + #define AER_ERROR_SOURCES_MAX 128 + + #define AER_MAX_TYPEOF_COR_ERRS 16 /* as per PCI_ERR_COR_STATUS */ +-#define AER_MAX_TYPEOF_UNCOR_ERRS 27 /* as per PCI_ERR_UNCOR_STATUS*/ ++#define AER_MAX_TYPEOF_UNCOR_ERRS 32 /* as per PCI_ERR_UNCOR_STATUS*/ + + struct aer_err_source { + u32 status; /* PCI_ERR_ROOT_STATUS */ +@@ -525,11 +525,11 @@ static const char *aer_uncorrectable_err + "AtomicOpBlocked", /* Bit Position 24 */ + "TLPBlockedErr", /* Bit Position 25 */ + "PoisonTLPBlocked", /* Bit Position 26 */ +- NULL, /* Bit Position 27 */ +- NULL, /* Bit Position 28 */ +- NULL, /* Bit Position 29 */ +- NULL, /* Bit Position 30 */ +- NULL, /* Bit Position 31 */ ++ "DMWrReqBlocked", /* Bit Position 27 */ ++ "IDECheck", /* Bit Position 28 */ ++ "MisIDETLP", /* Bit Position 29 */ ++ "PCRC_CHECK", /* Bit Position 30 */ ++ "TLPXlatBlocked", /* Bit Position 31 */ + }; + + static const char *aer_agent_string[] = { diff --git a/queue-6.17/pci-ensure-relaxed-tail-alignment-does-not-increase-min_align.patch b/queue-6.17/pci-ensure-relaxed-tail-alignment-does-not-increase-min_align.patch new file mode 100644 index 0000000000..afddce5962 --- /dev/null +++ b/queue-6.17/pci-ensure-relaxed-tail-alignment-does-not-increase-min_align.patch @@ -0,0 +1,77 @@ +From 6e460c3d611009a1d1c2c1f61c96578284a14fba Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Mon, 30 Jun 2025 17:26:39 +0300 +Subject: PCI: Ensure relaxed tail alignment does not increase min_align +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 6e460c3d611009a1d1c2c1f61c96578284a14fba upstream. + +When using relaxed tail alignment for the bridge window, pbus_size_mem() +also tries to minimize min_align, which can under certain scenarios end up +increasing min_align from that found by calculate_mem_align(). + +Ensure min_align is not increased by the relaxed tail alignment. + +Eventually, it would be better to add calculate_relaxed_head_align() +similar to calculate_mem_align() which finds out what alignment can be used +for the head without introducing any gaps into the bridge window to give +flexibility on head address too. But that looks relatively complex so it +requires much more testing than fixing the immediate problem causing a +regression. + +Fixes: 67f9085596ee ("PCI: Allow relaxed bridge window tail sizing for optional resources") +Reported-by: Rio Liu +Closes: https://lore.kernel.org/all/o2bL8MtD_40-lf8GlslTw-AZpUPzm8nmfCnJKvS8RQ3NOzOW1uq1dVCEfRpUjJ2i7G2WjfQhk2IWZ7oGp-7G-jXN4qOdtnyOcjRR0PZWK5I=@r26.me/ +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Tested-by: Rio Liu +Cc: stable@vger.kernel.org # v6.15+ +Link: https://patch.msgid.link/20250822123359.16305-2-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/setup-bus.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c +index 7853ac6999e2..527f0479e983 100644 +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -1169,6 +1169,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, + resource_size_t children_add_size = 0; + resource_size_t children_add_align = 0; + resource_size_t add_align = 0; ++ resource_size_t relaxed_align; + + if (!b_res) + return -ENOSPC; +@@ -1246,8 +1247,9 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, + if (bus->self && size0 && + !pbus_upstream_space_available(bus, mask | IORESOURCE_PREFETCH, type, + size0, min_align)) { +- min_align = 1ULL << (max_order + __ffs(SZ_1M)); +- min_align = max(min_align, win_align); ++ relaxed_align = 1ULL << (max_order + __ffs(SZ_1M)); ++ relaxed_align = max(relaxed_align, win_align); ++ min_align = min(min_align, relaxed_align); + size0 = calculate_memsize(size, min_size, 0, 0, resource_size(b_res), win_align); + pci_info(bus->self, "bridge window %pR to %pR requires relaxed alignment rules\n", + b_res, &bus->busn_res); +@@ -1261,8 +1263,9 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, + if (bus->self && size1 && + !pbus_upstream_space_available(bus, mask | IORESOURCE_PREFETCH, type, + size1, add_align)) { +- min_align = 1ULL << (max_order + __ffs(SZ_1M)); +- min_align = max(min_align, win_align); ++ relaxed_align = 1ULL << (max_order + __ffs(SZ_1M)); ++ relaxed_align = max(relaxed_align, win_align); ++ min_align = min(min_align, relaxed_align); + size1 = calculate_memsize(size, min_size, add_size, children_add_size, + resource_size(b_res), win_align); + pci_info(bus->self, +-- +2.51.0 + diff --git a/queue-6.17/pci-err-fix-uevent-on-failure-to-recover.patch b/queue-6.17/pci-err-fix-uevent-on-failure-to-recover.patch new file mode 100644 index 0000000000..6e9a7de939 --- /dev/null +++ b/queue-6.17/pci-err-fix-uevent-on-failure-to-recover.patch @@ -0,0 +1,59 @@ +From 1cbc5e25fb70e942a7a735a1f3d6dd391afc9b29 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 13 Aug 2025 07:11:02 +0200 +Subject: PCI/ERR: Fix uevent on failure to recover + +From: Lukas Wunner + +commit 1cbc5e25fb70e942a7a735a1f3d6dd391afc9b29 upstream. + +Upon failure to recover from a PCIe error through AER, DPC or EDR, a +uevent is sent to inform user space about disconnection of the bridge +whose subordinate devices failed to recover. + +However the bridge itself is not disconnected. Instead, a uevent should +be sent for each of the subordinate devices. + +Only if the "bridge" happens to be a Root Complex Event Collector or +Integrated Endpoint does it make sense to send a uevent for it (because +there are no subordinate devices). + +Right now if there is a mix of subordinate devices with and without +pci_error_handlers, a BEGIN_RECOVERY event is sent for those with +pci_error_handlers but no FAILED_RECOVERY event is ever sent for them +afterwards. Fix it. + +Fixes: 856e1eb9bdd4 ("PCI/AER: Add uevents in AER and EEH error/resume") +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org # v4.16+ +Link: https://patch.msgid.link/68fc527a380821b5d861dd554d2ce42cb739591c.1755008151.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pcie/err.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/pci/pcie/err.c ++++ b/drivers/pci/pcie/err.c +@@ -108,6 +108,12 @@ static int report_normal_detected(struct + return report_error_detected(dev, pci_channel_io_normal, data); + } + ++static int report_perm_failure_detected(struct pci_dev *dev, void *data) ++{ ++ pci_uevent_ers(dev, PCI_ERS_RESULT_DISCONNECT); ++ return 0; ++} ++ + static int report_mmio_enabled(struct pci_dev *dev, void *data) + { + struct pci_driver *pdrv; +@@ -269,7 +275,7 @@ pci_ers_result_t pcie_do_recovery(struct + failed: + pci_walk_bridge(bridge, pci_pm_runtime_put, NULL); + +- pci_uevent_ers(bridge, PCI_ERS_RESULT_DISCONNECT); ++ pci_walk_bridge(bridge, report_perm_failure_detected, NULL); + + pci_info(bridge, "device recovery failed\n"); + diff --git a/queue-6.17/pci-fix-failure-detection-during-resource-resize.patch b/queue-6.17/pci-fix-failure-detection-during-resource-resize.patch new file mode 100644 index 0000000000..cce41296e0 --- /dev/null +++ b/queue-6.17/pci-fix-failure-detection-during-resource-resize.patch @@ -0,0 +1,130 @@ +From 31af09b3eaf3603870ce9fd5a7b6c8693129c4cf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= +Date: Mon, 30 Jun 2025 17:26:41 +0300 +Subject: PCI: Fix failure detection during resource resize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 31af09b3eaf3603870ce9fd5a7b6c8693129c4cf upstream. + +Since 96336ec70264 ("PCI: Perform reset_resource() and build fail list in +sync") the failed list is always built and returned to let the caller +decide what to do with the failures. The caller may want to retry resource +fitting and assignment and before that can happen, the resources should be +restored to their original state (a reset effectively clears the struct +resource), which requires returning them to the failed list so the original +state remains stored in the associated struct pci_dev_resource. + +Resource resizing is different from the ordinary resource fitting and +assignment in that it only considers part of the resources. This means +failures for other resource types are not relevant at all and should be +ignored. As resize doesn't unassign such unrelated resources, those +resources ending up in the failed list implies assignment of that +resource must have failed before resize too. The check in +pci_reassign_bridge_resources() to decide if the whole assignment is +successful, however, is based on list emptiness which will cause false +negatives when the failed list has resources with an unrelated type. + +If the failed list is not empty, call pci_required_resource_failed() and +extend it to be able to filter on specific resource types too (if +provided). + +Calling pci_required_resource_failed() at this point is slightly +problematic because the resource itself is reset when the failed list +is constructed in __assign_resources_sorted(). As a result, +pci_resource_is_optional() does not have access to the original +resource flags. This could be worked around by restoring and +re-resetting the resource around the call to pci_resource_is_optional(), +however, it shouldn't cause issue as resource resizing is meant for +64-bit prefetchable resources according to Christian König (see the +Link which unfortunately doesn't point directly to Christian's reply +because lore didn't store that email at all). + +Fixes: 96336ec70264 ("PCI: Perform reset_resource() and build fail list in sync") +Link: https://lore.kernel.org/all/c5d1b5d8-8669-5572-75a7-0b480f581ac1@linux.intel.com/ +Reported-by: D Scott Phillips +Closes: https://lore.kernel.org/all/86plf0lgit.fsf@scott-ph-mail.amperecomputing.com/ +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Tested-by: D Scott Phillips +Reviewed-by: D Scott Phillips +Cc: Christian König +Cc: stable@vger.kernel.org # v6.15+ +Link: https://patch.msgid.link/20250822123359.16305-4-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/setup-bus.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -28,6 +28,10 @@ + #include + #include "pci.h" + ++#define PCI_RES_TYPE_MASK \ ++ (IORESOURCE_IO | IORESOURCE_MEM | IORESOURCE_PREFETCH |\ ++ IORESOURCE_MEM_64) ++ + unsigned int pci_flags; + EXPORT_SYMBOL_GPL(pci_flags); + +@@ -384,13 +388,19 @@ static bool pci_need_to_release(unsigned + } + + /* Return: @true if assignment of a required resource failed. */ +-static bool pci_required_resource_failed(struct list_head *fail_head) ++static bool pci_required_resource_failed(struct list_head *fail_head, ++ unsigned long type) + { + struct pci_dev_resource *fail_res; + ++ type &= PCI_RES_TYPE_MASK; ++ + list_for_each_entry(fail_res, fail_head, list) { + int idx = pci_resource_num(fail_res->dev, fail_res->res); + ++ if (type && (fail_res->flags & PCI_RES_TYPE_MASK) != type) ++ continue; ++ + if (!pci_resource_is_optional(fail_res->dev, idx)) + return true; + } +@@ -504,7 +514,7 @@ assign: + } + + /* Without realloc_head and only optional fails, nothing more to do. */ +- if (!pci_required_resource_failed(&local_fail_head) && ++ if (!pci_required_resource_failed(&local_fail_head, 0) && + list_empty(realloc_head)) { + list_for_each_entry(save_res, &save_head, list) { + struct resource *res = save_res->res; +@@ -1707,10 +1717,6 @@ static void __pci_bridge_assign_resource + } + } + +-#define PCI_RES_TYPE_MASK \ +- (IORESOURCE_IO | IORESOURCE_MEM | IORESOURCE_PREFETCH |\ +- IORESOURCE_MEM_64) +- + static void pci_bridge_release_resources(struct pci_bus *bus, + unsigned long type) + { +@@ -2449,8 +2455,12 @@ int pci_reassign_bridge_resources(struct + free_list(&added); + + if (!list_empty(&failed)) { +- ret = -ENOSPC; +- goto cleanup; ++ if (pci_required_resource_failed(&failed, type)) { ++ ret = -ENOSPC; ++ goto cleanup; ++ } ++ /* Only resources with unrelated types failed (again) */ ++ free_list(&failed); + } + + list_for_each_entry(dev_res, &saved, list) { diff --git a/queue-6.17/pci-iov-add-pci-rescan-remove-locking-when-enabling-disabling-sr-iov.patch b/queue-6.17/pci-iov-add-pci-rescan-remove-locking-when-enabling-disabling-sr-iov.patch new file mode 100644 index 0000000000..13601c0b5a --- /dev/null +++ b/queue-6.17/pci-iov-add-pci-rescan-remove-locking-when-enabling-disabling-sr-iov.patch @@ -0,0 +1,105 @@ +From 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 Mon Sep 17 00:00:00 2001 +From: Niklas Schnelle +Date: Tue, 26 Aug 2025 10:52:08 +0200 +Subject: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV + +From: Niklas Schnelle + +commit 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 upstream. + +Before disabling SR-IOV via config space accesses to the parent PF, +sriov_disable() first removes the PCI devices representing the VFs. + +Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()") +such removal operations are serialized against concurrent remove and +rescan using the pci_rescan_remove_lock. No such locking was ever added +in sriov_disable() however. In particular when commit 18f9e9d150fc +("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device +removal into sriov_del_vfs() there was still no locking around the +pci_iov_remove_virtfn() calls. + +On s390 the lack of serialization in sriov_disable() may cause double +remove and list corruption with the below (amended) trace being observed: + + PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56) + GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001 + 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480 + 0000000000000001 0000000000000000 0000000000000000 0000000180692828 + 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8 + #0 [3800313fb20] device_del at c9158ad5c + #1 [3800313fb88] pci_remove_bus_device at c915105ba + #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198 + #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0 + #4 [3800313fc60] zpci_bus_remove_device at c90fb6104 + #5 [3800313fca0] __zpci_event_availability at c90fb3dca + #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2 + #7 [3800313fd60] crw_collect_info at c91905822 + #8 [3800313fe10] kthread at c90feb390 + #9 [3800313fe68] __ret_from_fork at c90f6aa64 + #10 [3800313fe98] ret_from_fork at c9194f3f2. + +This is because in addition to sriov_disable() removing the VFs, the +platform also generates hot-unplug events for the VFs. This being the +reverse operation to the hotplug events generated by sriov_enable() and +handled via pdev->no_vf_scan. And while the event processing takes +pci_rescan_remove_lock and checks whether the struct pci_dev still exists, +the lack of synchronization makes this checking racy. + +Other races may also be possible of course though given that this lack of +locking persisted so long observable races seem very rare. Even on s390 the +list corruption was only observed with certain devices since the platform +events are only triggered by config accesses after the removal, so as long +as the removal finished synchronously they would not race. Either way the +locking is missing so fix this by adding it to the sriov_del_vfs() helper. + +Just like PCI rescan-remove, locking is also missing in sriov_add_vfs() +including for the error case where pci_stop_and_remove_bus_device() is +called without the PCI rescan-remove lock being held. Even in the non-error +case, adding new PCI devices and buses should be serialized via the PCI +rescan-remove lock. Add the necessary locking. + +Fixes: 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()") +Signed-off-by: Niklas Schnelle +Signed-off-by: Bjorn Helgaas +Reviewed-by: Benjamin Block +Reviewed-by: Farhan Ali +Reviewed-by: Julian Ruess +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250826-pci_fix_sriov_disable-v1-1-2d0bc938f2a3@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/iov.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -629,15 +629,18 @@ static int sriov_add_vfs(struct pci_dev + if (dev->no_vf_scan) + return 0; + ++ pci_lock_rescan_remove(); + for (i = 0; i < num_vfs; i++) { + rc = pci_iov_add_virtfn(dev, i); + if (rc) + goto failed; + } ++ pci_unlock_rescan_remove(); + return 0; + failed: + while (i--) + pci_iov_remove_virtfn(dev, i); ++ pci_unlock_rescan_remove(); + + return rc; + } +@@ -762,8 +765,10 @@ static void sriov_del_vfs(struct pci_dev + struct pci_sriov *iov = dev->sriov; + int i; + ++ pci_lock_rescan_remove(); + for (i = 0; i < iov->num_VFs; i++) + pci_iov_remove_virtfn(dev, i); ++ pci_unlock_rescan_remove(); + } + + static void sriov_disable(struct pci_dev *dev) diff --git a/queue-6.17/pci-j721e-fix-module-autoloading.patch b/queue-6.17/pci-j721e-fix-module-autoloading.patch new file mode 100644 index 0000000000..2469072cf5 --- /dev/null +++ b/queue-6.17/pci-j721e-fix-module-autoloading.patch @@ -0,0 +1,42 @@ +From 9a7f144e18dc5f037d85a0f0d99524a574331098 Mon Sep 17 00:00:00 2001 +From: Siddharth Vadapalli +Date: Mon, 1 Sep 2025 17:33:55 +0530 +Subject: PCI: j721e: Fix module autoloading + +From: Siddharth Vadapalli + +commit 9a7f144e18dc5f037d85a0f0d99524a574331098 upstream. + +Commit a2790bf81f0f ("PCI: j721e: Add support to build as a loadable +module") added support to build the driver as a loadable module. However, +it did not add MODULE_DEVICE_TABLE() which is required for autoloading the +driver based on device table when it is built as a loadable module. + +Fix it by adding MODULE_DEVICE_TABLE. + +Fixes: a2790bf81f0f ("PCI: j721e: Add support to build as a loadable module") +Signed-off-by: Siddharth Vadapalli +[mani: reworded description] +Signed-off-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250901120359.3410774-1-s-vadapalli@ti.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/cadence/pci-j721e.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c +index 6c93f39d0288..cfca13a4c840 100644 +--- a/drivers/pci/controller/cadence/pci-j721e.c ++++ b/drivers/pci/controller/cadence/pci-j721e.c +@@ -440,6 +440,7 @@ static const struct of_device_id of_j721e_pcie_match[] = { + }, + {}, + }; ++MODULE_DEVICE_TABLE(of, of_j721e_pcie_match); + + static int j721e_pcie_probe(struct platform_device *pdev) + { +-- +2.51.0 + diff --git a/queue-6.17/pci-j721e-fix-programming-sequence-of-strap-settings.patch b/queue-6.17/pci-j721e-fix-programming-sequence-of-strap-settings.patch new file mode 100644 index 0000000000..50af623a27 --- /dev/null +++ b/queue-6.17/pci-j721e-fix-programming-sequence-of-strap-settings.patch @@ -0,0 +1,86 @@ +From f842d3313ba179d4005096357289c7ad09cec575 Mon Sep 17 00:00:00 2001 +From: Siddharth Vadapalli +Date: Mon, 8 Sep 2025 17:38:27 +0530 +Subject: PCI: j721e: Fix programming sequence of "strap" settings + +From: Siddharth Vadapalli + +commit f842d3313ba179d4005096357289c7ad09cec575 upstream. + +The Cadence PCIe Controller integrated in the TI K3 SoCs supports both +Root-Complex and Endpoint modes of operation. The Glue Layer allows +"strapping" the Mode of operation of the Controller, the Link Speed +and the Link Width. This is enabled by programming the "PCIEn_CTRL" +register (n corresponds to the PCIe instance) within the CTRL_MMR +memory-mapped register space. The "reset-values" of the registers are +also different depending on the mode of operation. + +Since the PCIe Controller latches onto the "reset-values" immediately +after being powered on, if the Glue Layer configuration is not done while +the PCIe Controller is off, it will result in the PCIe Controller latching +onto the wrong "reset-values". In practice, this will show up as a wrong +representation of the PCIe Controller's capability structures in the PCIe +Configuration Space. Some such capabilities which are supported by the PCIe +Controller in the Root-Complex mode but are incorrectly latched onto as +being unsupported are: +- Link Bandwidth Notification +- Alternate Routing ID (ARI) Forwarding Support +- Next capability offset within Advanced Error Reporting (AER) capability + +Fix this by powering off the PCIe Controller before programming the "strap" +settings and powering it on after that. The runtime PM APIs namely +pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and +increment the usage counter respectively, causing GENPD to power off and +power on the PCIe Controller. + +Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver") +Signed-off-by: Siddharth Vadapalli +Signed-off-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250908120828.1471776-1-s-vadapalli@ti.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/cadence/pci-j721e.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/drivers/pci/controller/cadence/pci-j721e.c ++++ b/drivers/pci/controller/cadence/pci-j721e.c +@@ -284,6 +284,25 @@ static int j721e_pcie_ctrl_init(struct j + if (!ret) + offset = args.args[0]; + ++ /* ++ * The PCIe Controller's registers have different "reset-values" ++ * depending on the "strap" settings programmed into the PCIEn_CTRL ++ * register within the CTRL_MMR memory-mapped register space. ++ * The registers latch onto a "reset-value" based on the "strap" ++ * settings sampled after the PCIe Controller is powered on. ++ * To ensure that the "reset-values" are sampled accurately, power ++ * off the PCIe Controller before programming the "strap" settings ++ * and power it on after that. The runtime PM APIs namely ++ * pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and ++ * increment the usage counter respectively, causing GENPD to power off ++ * and power on the PCIe Controller. ++ */ ++ ret = pm_runtime_put_sync(dev); ++ if (ret < 0) { ++ dev_err(dev, "Failed to power off PCIe Controller\n"); ++ return ret; ++ } ++ + ret = j721e_pcie_set_mode(pcie, syscon, offset); + if (ret < 0) { + dev_err(dev, "Failed to set pci mode\n"); +@@ -302,6 +321,12 @@ static int j721e_pcie_ctrl_init(struct j + return ret; + } + ++ ret = pm_runtime_get_sync(dev); ++ if (ret < 0) { ++ dev_err(dev, "Failed to power on PCIe Controller\n"); ++ return ret; ++ } ++ + /* Enable ACSPCIE refclk output if the optional property exists */ + syscon = syscon_regmap_lookup_by_phandle_optional(node, + "ti,syscon-acspcie-proxy-ctrl"); diff --git a/queue-6.17/pci-keystone-use-devm_request_irq-to-free-ks-pcie-error-irq-on-exit.patch b/queue-6.17/pci-keystone-use-devm_request_irq-to-free-ks-pcie-error-irq-on-exit.patch new file mode 100644 index 0000000000..2145be7bc1 --- /dev/null +++ b/queue-6.17/pci-keystone-use-devm_request_irq-to-free-ks-pcie-error-irq-on-exit.patch @@ -0,0 +1,43 @@ +From e51d05f523e43ce5d2bad957943a2b14f68078cd Mon Sep 17 00:00:00 2001 +From: Siddharth Vadapalli +Date: Fri, 12 Sep 2025 15:37:58 +0530 +Subject: PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit + +From: Siddharth Vadapalli + +commit e51d05f523e43ce5d2bad957943a2b14f68078cd upstream. + +Commit under Fixes introduced the IRQ handler for "ks-pcie-error-irq". +The interrupt is acquired using "request_irq()" but is never freed if +the driver exits due to an error. Although the section in the driver that +invokes "request_irq()" has moved around over time, the issue hasn't been +addressed until now. + +Fix this by using "devm_request_irq()" which automatically frees the +interrupt if the driver exits. + +Fixes: 025dd3daeda7 ("PCI: keystone: Add error IRQ handler") +Reported-by: Jiri Slaby +Closes: https://lore.kernel.org/r/3d3a4b52-e343-42f3-9d69-94c259812143@kernel.org +Signed-off-by: Siddharth Vadapalli +Signed-off-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250912100802.3136121-2-s-vadapalli@ti.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pci-keystone.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/dwc/pci-keystone.c ++++ b/drivers/pci/controller/dwc/pci-keystone.c +@@ -1201,8 +1201,8 @@ static int ks_pcie_probe(struct platform + if (irq < 0) + return irq; + +- ret = request_irq(irq, ks_pcie_err_irq_handler, IRQF_SHARED, +- "ks-pcie-error-irq", ks_pcie); ++ ret = devm_request_irq(dev, irq, ks_pcie_err_irq_handler, IRQF_SHARED, ++ "ks-pcie-error-irq", ks_pcie); + if (ret < 0) { + dev_err(dev, "failed to request error IRQ %d\n", + irq); diff --git a/queue-6.17/pci-pwrctrl-fix-device-and-of-node-leak-at-bus-scan.patch b/queue-6.17/pci-pwrctrl-fix-device-and-of-node-leak-at-bus-scan.patch new file mode 100644 index 0000000000..d3568daa28 --- /dev/null +++ b/queue-6.17/pci-pwrctrl-fix-device-and-of-node-leak-at-bus-scan.patch @@ -0,0 +1,75 @@ +From e24bbbe0780262a21fc8619fe99078a5b8d64b18 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 21 Jul 2025 17:36:08 +0200 +Subject: PCI/pwrctrl: Fix device and OF node leak at bus scan + +From: Johan Hovold + +commit e24bbbe0780262a21fc8619fe99078a5b8d64b18 upstream. + +Make sure to drop the references to the pwrctrl OF node and device taken by +of_pci_find_child_device() and of_find_device_by_node() respectively when +scanning the bus. + +Fixes: 957f40d039a9 ("PCI/pwrctrl: Move creation of pwrctrl devices to pci_scan_device()") +Signed-off-by: Johan Hovold +Signed-off-by: Bjorn Helgaas +Reviewed-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org # v6.15 +Link: https://patch.msgid.link/20250721153609.8611-3-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index f41128f91ca7..a56dfa1c9b6f 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -2516,9 +2516,15 @@ static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, in + struct device_node *np; + + np = of_pci_find_child_device(dev_of_node(&bus->dev), devfn); +- if (!np || of_find_device_by_node(np)) ++ if (!np) + return NULL; + ++ pdev = of_find_device_by_node(np); ++ if (pdev) { ++ put_device(&pdev->dev); ++ goto err_put_of_node; ++ } ++ + /* + * First check whether the pwrctrl device really needs to be created or + * not. This is decided based on at least one of the power supplies +@@ -2526,17 +2532,24 @@ static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, in + */ + if (!of_pci_supply_present(np)) { + pr_debug("PCI/pwrctrl: Skipping OF node: %s\n", np->name); +- return NULL; ++ goto err_put_of_node; + } + + /* Now create the pwrctrl device */ + pdev = of_platform_device_create(np, NULL, &host->dev); + if (!pdev) { + pr_err("PCI/pwrctrl: Failed to create pwrctrl device for node: %s\n", np->name); +- return NULL; ++ goto err_put_of_node; + } + ++ of_node_put(np); ++ + return pdev; ++ ++err_put_of_node: ++ of_node_put(np); ++ ++ return NULL; + } + #else + static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, int devfn) +-- +2.51.0 + diff --git a/queue-6.17/pci-pwrctrl-fix-device-leak-at-device-stop.patch b/queue-6.17/pci-pwrctrl-fix-device-leak-at-device-stop.patch new file mode 100644 index 0000000000..9d7fffa93a --- /dev/null +++ b/queue-6.17/pci-pwrctrl-fix-device-leak-at-device-stop.patch @@ -0,0 +1,39 @@ +From dc32e9346b26ba33e84ec3034a1e53a9733700f9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 21 Jul 2025 17:36:09 +0200 +Subject: PCI/pwrctrl: Fix device leak at device stop + +From: Johan Hovold + +commit dc32e9346b26ba33e84ec3034a1e53a9733700f9 upstream. + +Make sure to drop the reference to the pwrctrl device taken by +of_find_device_by_node() when stopping a PCI device. + +Fixes: 681725afb6b9 ("PCI/pwrctl: Remove pwrctl device without iterating over all children of pwrctl parent") +Signed-off-by: Johan Hovold +Signed-off-by: Bjorn Helgaas +Reviewed-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org # v6.13 +Link: https://patch.msgid.link/20250721153609.8611-4-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/remove.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c +index 445afdfa6498..16f21edbc29d 100644 +--- a/drivers/pci/remove.c ++++ b/drivers/pci/remove.c +@@ -31,6 +31,8 @@ static void pci_pwrctrl_unregister(struct device *dev) + return; + + of_device_unregister(pdev); ++ put_device(&pdev->dev); ++ + of_node_clear_flag(np, OF_POPULATED); + } + +-- +2.51.0 + diff --git a/queue-6.17/pci-pwrctrl-fix-device-leak-at-registration.patch b/queue-6.17/pci-pwrctrl-fix-device-leak-at-registration.patch new file mode 100644 index 0000000000..7199a067a8 --- /dev/null +++ b/queue-6.17/pci-pwrctrl-fix-device-leak-at-registration.patch @@ -0,0 +1,46 @@ +From 39f9be6aba3ae4d6fdd4b8554f1184d054d7a713 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 21 Jul 2025 17:36:07 +0200 +Subject: PCI/pwrctrl: Fix device leak at registration + +From: Johan Hovold + +commit 39f9be6aba3ae4d6fdd4b8554f1184d054d7a713 upstream. + +Make sure to drop the reference to the pwrctrl device taken by +of_find_device_by_node() when registering a PCI device. + +Fixes: b458ff7e8176 ("PCI/pwrctl: Ensure that pwrctl drivers are probed before PCI client drivers") +Signed-off-by: Johan Hovold +Signed-off-by: Bjorn Helgaas +Reviewed-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org # v6.13 +Link: https://patch.msgid.link/20250721153609.8611-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/bus.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/pci/bus.c ++++ b/drivers/pci/bus.c +@@ -361,11 +361,15 @@ void pci_bus_add_device(struct pci_dev * + * before PCI client drivers. + */ + pdev = of_find_device_by_node(dn); +- if (pdev && of_pci_supply_present(dn)) { +- if (!device_link_add(&dev->dev, &pdev->dev, +- DL_FLAG_AUTOREMOVE_CONSUMER)) +- pci_err(dev, "failed to add device link to power control device %s\n", +- pdev->name); ++ if (pdev) { ++ if (of_pci_supply_present(dn)) { ++ if (!device_link_add(&dev->dev, &pdev->dev, ++ DL_FLAG_AUTOREMOVE_CONSUMER)) { ++ pci_err(dev, "failed to add device link to power control device %s\n", ++ pdev->name); ++ } ++ } ++ put_device(&pdev->dev); + } + + if (!dn || of_device_is_available(dn)) diff --git a/queue-6.17/pci-rcar-gen4-fix-phy-initialization.patch b/queue-6.17/pci-rcar-gen4-fix-phy-initialization.patch new file mode 100644 index 0000000000..05afa941bd --- /dev/null +++ b/queue-6.17/pci-rcar-gen4-fix-phy-initialization.patch @@ -0,0 +1,36 @@ +From d96ac5bdc52b271b4f8ac0670a203913666b8758 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Wed, 6 Aug 2025 21:25:18 +0200 +Subject: PCI: rcar-gen4: Fix PHY initialization + +From: Marek Vasut + +commit d96ac5bdc52b271b4f8ac0670a203913666b8758 upstream. + +R-Car V4H Reference Manual R19UH0186EJ0130 Rev.1.30 Apr. 21, 2025 page 4581 +Figure 104.3b Initial Setting of PCIEC(example), middle of the figure +indicates that fourth write into register 0x148 [2:0] is 0x3 or +GENMASK(1, 0). The current code writes GENMASK(11, 0) which is a typo. Fix +the typo. + +Fixes: faf5a975ee3b ("PCI: rcar-gen4: Add support for R-Car V4H") +Signed-off-by: Marek Vasut +Signed-off-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250806192548.133140-1-marek.vasut+renesas@mailbox.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-rcar-gen4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/controller/dwc/pcie-rcar-gen4.c ++++ b/drivers/pci/controller/dwc/pcie-rcar-gen4.c +@@ -723,7 +723,7 @@ static int rcar_gen4_pcie_ltssm_control( + rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(23, 22), BIT(22)); + rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(18, 16), GENMASK(17, 16)); + rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(7, 6), BIT(6)); +- rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(2, 0), GENMASK(11, 0)); ++ rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(2, 0), GENMASK(1, 0)); + rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x1d4, GENMASK(16, 15), GENMASK(16, 15)); + rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x514, BIT(26), BIT(26)); + rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x0f8, BIT(16), 0); diff --git a/queue-6.17/pci-rcar-host-convert-struct-rcar_msi-mask_lock-into-raw-spinlock.patch b/queue-6.17/pci-rcar-host-convert-struct-rcar_msi-mask_lock-into-raw-spinlock.patch new file mode 100644 index 0000000000..3267f2b18e --- /dev/null +++ b/queue-6.17/pci-rcar-host-convert-struct-rcar_msi-mask_lock-into-raw-spinlock.patch @@ -0,0 +1,102 @@ +From 5ed35b4d490d8735021cce9b715b62a418310864 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Tue, 9 Sep 2025 18:26:25 +0200 +Subject: PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock + +From: Marek Vasut + +commit 5ed35b4d490d8735021cce9b715b62a418310864 upstream. + +The rcar_msi_irq_unmask() function may be called from a PCI driver +request_threaded_irq() function. This triggers kernel/irq/manage.c +__setup_irq() which locks raw spinlock &desc->lock descriptor lock +and with that descriptor lock held, calls rcar_msi_irq_unmask(). + +Since the &desc->lock descriptor lock is a raw spinlock, and the rcar_msi +.mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait +context' with CONFIG_PROVE_RAW_LOCK_NESTING=y. + +Use scoped_guard() to simplify the locking. + +Fixes: 83ed8d4fa656 ("PCI: rcar: Convert to MSI domains") +Reported-by: Duy Nguyen +Reported-by: Thuan Nguyen +Signed-off-by: Marek Vasut +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Reviewed-by: Geert Uytterhoeven +Acked-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250909162707.13927-2-marek.vasut+renesas@mailbox.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rcar-host.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +--- a/drivers/pci/controller/pcie-rcar-host.c ++++ b/drivers/pci/controller/pcie-rcar-host.c +@@ -12,6 +12,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -38,7 +39,7 @@ struct rcar_msi { + DECLARE_BITMAP(used, INT_PCI_MSI_NR); + struct irq_domain *domain; + struct mutex map_lock; +- spinlock_t mask_lock; ++ raw_spinlock_t mask_lock; + int irq1; + int irq2; + }; +@@ -602,28 +603,26 @@ static void rcar_msi_irq_mask(struct irq + { + struct rcar_msi *msi = irq_data_get_irq_chip_data(d); + struct rcar_pcie *pcie = &msi_to_host(msi)->pcie; +- unsigned long flags; + u32 value; + +- spin_lock_irqsave(&msi->mask_lock, flags); +- value = rcar_pci_read_reg(pcie, PCIEMSIIER); +- value &= ~BIT(d->hwirq); +- rcar_pci_write_reg(pcie, value, PCIEMSIIER); +- spin_unlock_irqrestore(&msi->mask_lock, flags); ++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { ++ value = rcar_pci_read_reg(pcie, PCIEMSIIER); ++ value &= ~BIT(d->hwirq); ++ rcar_pci_write_reg(pcie, value, PCIEMSIIER); ++ } + } + + static void rcar_msi_irq_unmask(struct irq_data *d) + { + struct rcar_msi *msi = irq_data_get_irq_chip_data(d); + struct rcar_pcie *pcie = &msi_to_host(msi)->pcie; +- unsigned long flags; + u32 value; + +- spin_lock_irqsave(&msi->mask_lock, flags); +- value = rcar_pci_read_reg(pcie, PCIEMSIIER); +- value |= BIT(d->hwirq); +- rcar_pci_write_reg(pcie, value, PCIEMSIIER); +- spin_unlock_irqrestore(&msi->mask_lock, flags); ++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { ++ value = rcar_pci_read_reg(pcie, PCIEMSIIER); ++ value |= BIT(d->hwirq); ++ rcar_pci_write_reg(pcie, value, PCIEMSIIER); ++ } + } + + static void rcar_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) +@@ -736,7 +735,7 @@ static int rcar_pcie_enable_msi(struct r + int err; + + mutex_init(&msi->map_lock); +- spin_lock_init(&msi->mask_lock); ++ raw_spin_lock_init(&msi->mask_lock); + + err = of_address_to_resource(dev->of_node, 0, &res); + if (err) diff --git a/queue-6.17/pci-rcar-host-drop-pmsr-spinlock.patch b/queue-6.17/pci-rcar-host-drop-pmsr-spinlock.patch new file mode 100644 index 0000000000..18b081a4b5 --- /dev/null +++ b/queue-6.17/pci-rcar-host-drop-pmsr-spinlock.patch @@ -0,0 +1,79 @@ +From 0a8f173d9dad13930d5888505dc4c4fd6a1d4262 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Tue, 9 Sep 2025 18:26:24 +0200 +Subject: PCI: rcar-host: Drop PMSR spinlock + +From: Marek Vasut + +commit 0a8f173d9dad13930d5888505dc4c4fd6a1d4262 upstream. + +The pmsr_lock spinlock used to be necessary to synchronize access to the +PMSR register, because that access could have been triggered from either +config space access in rcar_pcie_config_access() or an exception handler +rcar_pcie_aarch32_abort_handler(). + +The rcar_pcie_aarch32_abort_handler() case is no longer applicable since +commit 6e36203bc14c ("PCI: rcar: Use PCI_SET_ERROR_RESPONSE after read +which triggered an exception"), which performs more accurate, controlled +invocation of the exception, and a fixup. + +This leaves rcar_pcie_config_access() as the only call site from which +rcar_pcie_wakeup() is called. The rcar_pcie_config_access() can only be +called from the controller struct pci_ops .read and .write callbacks, +and those are serialized in drivers/pci/access.c using raw spinlock +'pci_lock' . It should be noted that CONFIG_PCI_LOCKLESS_CONFIG is never +set on this platform. + +Since the 'pci_lock' is a raw spinlock , and the 'pmsr_lock' is not a +raw spinlock, this constellation triggers 'BUG: Invalid wait context' +with CONFIG_PROVE_RAW_LOCK_NESTING=y . + +Remove the pmsr_lock to fix the locking. + +Fixes: a115b1bd3af0 ("PCI: rcar: Add L1 link state fix into data abort hook") +Reported-by: Duy Nguyen +Reported-by: Thuan Nguyen +Signed-off-by: Marek Vasut +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Geert Uytterhoeven +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250909162707.13927-1-marek.vasut+renesas@mailbox.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rcar-host.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +--- a/drivers/pci/controller/pcie-rcar-host.c ++++ b/drivers/pci/controller/pcie-rcar-host.c +@@ -52,20 +52,13 @@ struct rcar_pcie_host { + int (*phy_init_fn)(struct rcar_pcie_host *host); + }; + +-static DEFINE_SPINLOCK(pmsr_lock); +- + static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base) + { +- unsigned long flags; + u32 pmsr, val; + int ret = 0; + +- spin_lock_irqsave(&pmsr_lock, flags); +- +- if (!pcie_base || pm_runtime_suspended(pcie_dev)) { +- ret = -EINVAL; +- goto unlock_exit; +- } ++ if (!pcie_base || pm_runtime_suspended(pcie_dev)) ++ return -EINVAL; + + pmsr = readl(pcie_base + PMSR); + +@@ -87,8 +80,6 @@ static int rcar_pcie_wakeup(struct devic + writel(L1FAEG | PMEL1RX, pcie_base + PMSR); + } + +-unlock_exit: +- spin_unlock_irqrestore(&pmsr_lock, flags); + return ret; + } + diff --git a/queue-6.17/pci-sysfs-ensure-devices-are-powered-for-config-reads.patch b/queue-6.17/pci-sysfs-ensure-devices-are-powered-for-config-reads.patch new file mode 100644 index 0000000000..31db87a7ce --- /dev/null +++ b/queue-6.17/pci-sysfs-ensure-devices-are-powered-for-config-reads.patch @@ -0,0 +1,95 @@ +From 48991e4935078b05f80616c75d1ee2ea3ae18e58 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 24 Sep 2025 09:57:11 -0700 +Subject: PCI/sysfs: Ensure devices are powered for config reads + +From: Brian Norris + +commit 48991e4935078b05f80616c75d1ee2ea3ae18e58 upstream. + +The "max_link_width", "current_link_speed", "current_link_width", +"secondary_bus_number", and "subordinate_bus_number" sysfs files all access +config registers, but they don't check the runtime PM state. If the device +is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus +values, or worse, depending on implementation details. + +Wrap these access in pci_config_pm_runtime_{get,put}() like most of the +rest of the similar sysfs attributes. + +Notably, "max_link_speed" does not access config registers; it returns a +cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link +Speeds"). + +Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") +Signed-off-by: Brian Norris +Signed-off-by: Brian Norris +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250924095711.v2.1.Ibb5b6ca1e2c059e04ec53140cd98a44f2684c668@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-sysfs.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -201,8 +201,14 @@ static ssize_t max_link_width_show(struc + struct device_attribute *attr, char *buf) + { + struct pci_dev *pdev = to_pci_dev(dev); ++ ssize_t ret; + +- return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); ++ /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */ ++ pci_config_pm_runtime_get(pdev); ++ ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); ++ pci_config_pm_runtime_put(pdev); ++ ++ return ret; + } + static DEVICE_ATTR_RO(max_link_width); + +@@ -214,7 +220,10 @@ static ssize_t current_link_speed_show(s + int err; + enum pci_bus_speed speed; + ++ pci_config_pm_runtime_get(pci_dev); + err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); ++ pci_config_pm_runtime_put(pci_dev); ++ + if (err) + return -EINVAL; + +@@ -231,7 +240,10 @@ static ssize_t current_link_width_show(s + u16 linkstat; + int err; + ++ pci_config_pm_runtime_get(pci_dev); + err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); ++ pci_config_pm_runtime_put(pci_dev); ++ + if (err) + return -EINVAL; + +@@ -247,7 +259,10 @@ static ssize_t secondary_bus_number_show + u8 sec_bus; + int err; + ++ pci_config_pm_runtime_get(pci_dev); + err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus); ++ pci_config_pm_runtime_put(pci_dev); ++ + if (err) + return -EINVAL; + +@@ -263,7 +278,10 @@ static ssize_t subordinate_bus_number_sh + u8 sub_bus; + int err; + ++ pci_config_pm_runtime_get(pci_dev); + err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus); ++ pci_config_pm_runtime_put(pci_dev); ++ + if (err) + return -EINVAL; + diff --git a/queue-6.17/pci-tegra-convert-struct-tegra_msi-mask_lock-into-raw-spinlock.patch b/queue-6.17/pci-tegra-convert-struct-tegra_msi-mask_lock-into-raw-spinlock.patch new file mode 100644 index 0000000000..0cdb7529a1 --- /dev/null +++ b/queue-6.17/pci-tegra-convert-struct-tegra_msi-mask_lock-into-raw-spinlock.patch @@ -0,0 +1,101 @@ +From 26fda92d3b56bf44a02bcb4001c5a5548e0ae8ee Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Mon, 22 Sep 2025 17:07:48 +0200 +Subject: PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock + +From: Marek Vasut + +commit 26fda92d3b56bf44a02bcb4001c5a5548e0ae8ee upstream. + +The tegra_msi_irq_unmask() function may be called from a PCI driver +request_threaded_irq() function. This triggers kernel/irq/manage.c +__setup_irq() which locks raw spinlock &desc->lock descriptor lock +and with that descriptor lock held, calls tegra_msi_irq_unmask(). + +Since the &desc->lock descriptor lock is a raw spinlock, and the tegra_msi +.mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait +context' with CONFIG_PROVE_RAW_LOCK_NESTING=y. + +Use scoped_guard() to simplify the locking. + +Fixes: 2c99e55f7955 ("PCI: tegra: Convert to MSI domains") +Reported-by: Geert Uytterhoeven +Closes: https://patchwork.kernel.org/project/linux-pci/patch/20250909162707.13927-2-marek.vasut+renesas@mailbox.org/#26574451 +Signed-off-by: Marek Vasut +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250922150811.88450-1-marek.vasut+renesas@mailbox.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pci-tegra.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +--- a/drivers/pci/controller/pci-tegra.c ++++ b/drivers/pci/controller/pci-tegra.c +@@ -14,6 +14,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -270,7 +271,7 @@ struct tegra_msi { + DECLARE_BITMAP(used, INT_PCI_MSI_NR); + struct irq_domain *domain; + struct mutex map_lock; +- spinlock_t mask_lock; ++ raw_spinlock_t mask_lock; + void *virt; + dma_addr_t phys; + int irq; +@@ -1581,14 +1582,13 @@ static void tegra_msi_irq_mask(struct ir + struct tegra_msi *msi = irq_data_get_irq_chip_data(d); + struct tegra_pcie *pcie = msi_to_pcie(msi); + unsigned int index = d->hwirq / 32; +- unsigned long flags; + u32 value; + +- spin_lock_irqsave(&msi->mask_lock, flags); +- value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); +- value &= ~BIT(d->hwirq % 32); +- afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); +- spin_unlock_irqrestore(&msi->mask_lock, flags); ++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { ++ value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); ++ value &= ~BIT(d->hwirq % 32); ++ afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); ++ } + } + + static void tegra_msi_irq_unmask(struct irq_data *d) +@@ -1596,14 +1596,13 @@ static void tegra_msi_irq_unmask(struct + struct tegra_msi *msi = irq_data_get_irq_chip_data(d); + struct tegra_pcie *pcie = msi_to_pcie(msi); + unsigned int index = d->hwirq / 32; +- unsigned long flags; + u32 value; + +- spin_lock_irqsave(&msi->mask_lock, flags); +- value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); +- value |= BIT(d->hwirq % 32); +- afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); +- spin_unlock_irqrestore(&msi->mask_lock, flags); ++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { ++ value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); ++ value |= BIT(d->hwirq % 32); ++ afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); ++ } + } + + static void tegra_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) +@@ -1711,7 +1710,7 @@ static int tegra_pcie_msi_setup(struct t + int err; + + mutex_init(&msi->map_lock); +- spin_lock_init(&msi->mask_lock); ++ raw_spin_lock_init(&msi->mask_lock); + + if (IS_ENABLED(CONFIG_PCI_MSI)) { + err = tegra_allocate_domains(msi); diff --git a/queue-6.17/pci-tegra194-fix-broken-tegra_pcie_ep_raise_msi_irq.patch b/queue-6.17/pci-tegra194-fix-broken-tegra_pcie_ep_raise_msi_irq.patch new file mode 100644 index 0000000000..56b6a0c31a --- /dev/null +++ b/queue-6.17/pci-tegra194-fix-broken-tegra_pcie_ep_raise_msi_irq.patch @@ -0,0 +1,43 @@ +From b640d42a6ac9ba01abe65ec34f7c73aaf6758ab8 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Mon, 22 Sep 2025 16:08:24 +0200 +Subject: PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq() + +From: Niklas Cassel + +commit b640d42a6ac9ba01abe65ec34f7c73aaf6758ab8 upstream. + +The pci_epc_raise_irq() supplies a MSI or MSI-X interrupt number in range +(1-N), as per the pci_epc_raise_irq() kdoc, where N is 32 for MSI. + +But tegra_pcie_ep_raise_msi_irq() incorrectly uses the interrupt number as +the MSI vector. This causes wrong MSI vector to be triggered, leading to +the failure of PCI endpoint Kselftest MSI_TEST test case. + +To fix this issue, convert the interrupt number to MSI vector. + +Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") +Signed-off-by: Niklas Cassel +Signed-off-by: Manivannan Sadhasivam +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250922140822.519796-6-cassel@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-tegra194.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-tegra194.c ++++ b/drivers/pci/controller/dwc/pcie-tegra194.c +@@ -1955,10 +1955,10 @@ static int tegra_pcie_ep_raise_intx_irq( + + static int tegra_pcie_ep_raise_msi_irq(struct tegra_pcie_dw *pcie, u16 irq) + { +- if (unlikely(irq > 31)) ++ if (unlikely(irq > 32)) + return -EINVAL; + +- appl_writel(pcie, BIT(irq), APPL_MSI_CTRL_1); ++ appl_writel(pcie, BIT(irq - 1), APPL_MSI_CTRL_1); + + return 0; + } diff --git a/queue-6.17/pci-tegra194-handle-errors-in-bpmp-response.patch b/queue-6.17/pci-tegra194-handle-errors-in-bpmp-response.patch new file mode 100644 index 0000000000..1bafde0313 --- /dev/null +++ b/queue-6.17/pci-tegra194-handle-errors-in-bpmp-response.patch @@ -0,0 +1,104 @@ +From f8c9ad46b00453a8c075453f3745f8d263f44834 Mon Sep 17 00:00:00 2001 +From: Vidya Sagar +Date: Mon, 22 Sep 2025 16:08:26 +0200 +Subject: PCI: tegra194: Handle errors in BPMP response + +From: Vidya Sagar + +commit f8c9ad46b00453a8c075453f3745f8d263f44834 upstream. + +The return value from tegra_bpmp_transfer() indicates the success or +failure of the IPC transaction with BPMP. If the transaction succeeded, we +also need to check the actual command's result code. + +If we don't have error handling for tegra_bpmp_transfer(), we will set the +pcie->ep_state to EP_STATE_ENABLED even when the tegra_bpmp_transfer() +command fails. Thus, the pcie->ep_state will get out of sync with reality, +and any further PERST# assert + deassert will be a no-op and will not +trigger the hardware initialization sequence. + +This is because pex_ep_event_pex_rst_deassert() checks the current +pcie->ep_state, and does nothing if the current state is already +EP_STATE_ENABLED. + +Thus, it is important to have error handling for tegra_bpmp_transfer(), +such that the pcie->ep_state can not get out of sync with reality, so that +we will try to initialize the hardware not only during the first PERST# +assert + deassert, but also during any succeeding PERST# assert + deassert. + +One example where this fix is needed is when using a rock5b as host. +During the initial PERST# assert + deassert (triggered by the bootloader on +the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some +unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails. +Once Linux has been loaded on the rock5b, the PCIe driver will once again +assert + deassert PERST#. However, without tegra_bpmp_transfer() error +handling, this second PERST# assert + deassert will not trigger the +hardware initialization sequence. + +With tegra_bpmp_transfer() error handling, the second PERST# assert + +deassert will once again trigger the hardware to be initialized and this +time the tegra_bpmp_transfer() succeeds. + +Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") +Signed-off-by: Vidya Sagar +[cassel: improve commit log] +Signed-off-by: Niklas Cassel +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Reviewed-by: Jon Hunter +Acked-by: Thierry Reding +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250922140822.519796-8-cassel@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-tegra194.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/dwc/pcie-tegra194.c ++++ b/drivers/pci/controller/dwc/pcie-tegra194.c +@@ -1214,6 +1214,7 @@ static int tegra_pcie_bpmp_set_ctrl_stat + struct mrq_uphy_response resp; + struct tegra_bpmp_message msg; + struct mrq_uphy_request req; ++ int err; + + /* + * Controller-5 doesn't need to have its state set by BPMP-FW in +@@ -1236,7 +1237,13 @@ static int tegra_pcie_bpmp_set_ctrl_stat + msg.rx.data = &resp; + msg.rx.size = sizeof(resp); + +- return tegra_bpmp_transfer(pcie->bpmp, &msg); ++ err = tegra_bpmp_transfer(pcie->bpmp, &msg); ++ if (err) ++ return err; ++ if (msg.rx.ret) ++ return -EINVAL; ++ ++ return 0; + } + + static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, +@@ -1245,6 +1252,7 @@ static int tegra_pcie_bpmp_set_pll_state + struct mrq_uphy_response resp; + struct tegra_bpmp_message msg; + struct mrq_uphy_request req; ++ int err; + + memset(&req, 0, sizeof(req)); + memset(&resp, 0, sizeof(resp)); +@@ -1264,7 +1272,13 @@ static int tegra_pcie_bpmp_set_pll_state + msg.rx.data = &resp; + msg.rx.size = sizeof(resp); + +- return tegra_bpmp_transfer(pcie->bpmp, &msg); ++ err = tegra_bpmp_transfer(pcie->bpmp, &msg); ++ if (err) ++ return err; ++ if (msg.rx.ret) ++ return -EINVAL; ++ ++ return 0; + } + + static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie) diff --git a/queue-6.17/pci-tegra194-reset-bars-when-running-in-pcie-endpoint-mode.patch b/queue-6.17/pci-tegra194-reset-bars-when-running-in-pcie-endpoint-mode.patch new file mode 100644 index 0000000000..207e6f6529 --- /dev/null +++ b/queue-6.17/pci-tegra194-reset-bars-when-running-in-pcie-endpoint-mode.patch @@ -0,0 +1,70 @@ +From 42f9c66a6d0cc45758dab77233c5460e1cf003df Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Mon, 22 Sep 2025 16:08:25 +0200 +Subject: PCI: tegra194: Reset BARs when running in PCIe endpoint mode + +From: Niklas Cassel + +commit 42f9c66a6d0cc45758dab77233c5460e1cf003df upstream. + +Tegra already defines all BARs except BAR0 as BAR_RESERVED. This is +sufficient for pci-epf-test to not allocate backing memory and to not call +set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not +mean that the BAR gets disabled. + +The host side driver, pci_endpoint_test, simply does an ioremap for all +enabled BARs and will run tests against all enabled BARs, so it will run +tests against the BARs marked as BAR_RESERVED. + +After running the BAR tests (which will write to all enabled BARs), the +inbound address translation is broken. This is because the tegra controller +exposes the ATU Port Logic Structure in BAR4, so when BAR4 is written, the +inbound address translation settings get overwritten. + +To avoid this, implement the dw_pcie_ep_ops .init() callback and start off +by disabling all BARs (pci-epf-test will later enable/configure BARs that +are not defined as BAR_RESERVED). + +This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6, +layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep. + +With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which +was specifically made to detect address translation issues) passes. + +Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") +Signed-off-by: Niklas Cassel +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250922140822.519796-7-cassel@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-tegra194.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/pci/controller/dwc/pcie-tegra194.c ++++ b/drivers/pci/controller/dwc/pcie-tegra194.c +@@ -1955,6 +1955,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst + return IRQ_HANDLED; + } + ++static void tegra_pcie_ep_init(struct dw_pcie_ep *ep) ++{ ++ struct dw_pcie *pci = to_dw_pcie_from_ep(ep); ++ enum pci_barno bar; ++ ++ for (bar = 0; bar < PCI_STD_NUM_BARS; bar++) ++ dw_pcie_ep_reset_bar(pci, bar); ++}; ++ + static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) + { + /* Tegra194 supports only INTA */ +@@ -2031,6 +2040,7 @@ tegra_pcie_ep_get_features(struct dw_pci + } + + static const struct dw_pcie_ep_ops pcie_ep_ops = { ++ .init = tegra_pcie_ep_init, + .raise_irq = tegra_pcie_ep_raise_irq, + .get_features = tegra_pcie_ep_get_features, + }; diff --git a/queue-6.17/pci-xilinx-nwl-fix-ecam-programming.patch b/queue-6.17/pci-xilinx-nwl-fix-ecam-programming.patch new file mode 100644 index 0000000000..adf494350b --- /dev/null +++ b/queue-6.17/pci-xilinx-nwl-fix-ecam-programming.patch @@ -0,0 +1,54 @@ +From 98a4f5b7359205ced1b6a626df3963bf7c5e5052 Mon Sep 17 00:00:00 2001 +From: Jani Nurminen +Date: Fri, 12 Sep 2025 11:09:48 +0200 +Subject: PCI: xilinx-nwl: Fix ECAM programming + +From: Jani Nurminen + +commit 98a4f5b7359205ced1b6a626df3963bf7c5e5052 upstream. + +When PCIe has been set up by the bootloader, the ecam_size field in the +E_ECAM_CONTROL register already contains a value. + +The driver previously programmed it to 0xc (for 16 busses; 16 MB), but +bumped to 0x10 (for 256 busses; 256 MB) by the commit 2fccd11518f1 ("PCI: +xilinx-nwl: Modify ECAM size to enable support for 256 buses"). + +Regardless of what the bootloader has programmed, the driver ORs in a +new maximal value without doing a proper RMW sequence. This can lead to +problems. + +For example, if the bootloader programs in 0xc and the driver uses 0x10, +the ORed result is 0x1c, which is beyond the ecam_max_size limit of 0x10 +(from E_ECAM_CAPABILITIES). + +Avoid the problems by doing a proper RMW. + +Fixes: 2fccd11518f1 ("PCI: xilinx-nwl: Modify ECAM size to enable support for 256 buses") +Signed-off-by: Jani Nurminen +[mani: added stable tag] +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/e83a2af2-af0b-4670-bcf5-ad408571c2b0@windriver.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-xilinx-nwl.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/pci/controller/pcie-xilinx-nwl.c ++++ b/drivers/pci/controller/pcie-xilinx-nwl.c +@@ -718,9 +718,10 @@ static int nwl_pcie_bridge_init(struct n + nwl_bridge_writel(pcie, nwl_bridge_readl(pcie, E_ECAM_CONTROL) | + E_ECAM_CR_ENABLE, E_ECAM_CONTROL); + +- nwl_bridge_writel(pcie, nwl_bridge_readl(pcie, E_ECAM_CONTROL) | +- (NWL_ECAM_MAX_SIZE << E_ECAM_SIZE_SHIFT), +- E_ECAM_CONTROL); ++ ecam_val = nwl_bridge_readl(pcie, E_ECAM_CONTROL); ++ ecam_val &= ~E_ECAM_SIZE_LOC; ++ ecam_val |= NWL_ECAM_MAX_SIZE << E_ECAM_SIZE_SHIFT; ++ nwl_bridge_writel(pcie, ecam_val, E_ECAM_CONTROL); + + nwl_bridge_writel(pcie, lower_32_bits(pcie->phys_ecam_base), + E_ECAM_BASE_LO); diff --git a/queue-6.17/pinctrl-samsung-drop-unused-s3c24xx-driver-data.patch b/queue-6.17/pinctrl-samsung-drop-unused-s3c24xx-driver-data.patch new file mode 100644 index 0000000000..d94660abfb --- /dev/null +++ b/queue-6.17/pinctrl-samsung-drop-unused-s3c24xx-driver-data.patch @@ -0,0 +1,34 @@ +From 358253fa8179ab4217ac283b56adde0174186f87 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 30 Aug 2025 13:16:58 +0200 +Subject: pinctrl: samsung: Drop unused S3C24xx driver data + +From: Krzysztof Kozlowski + +commit 358253fa8179ab4217ac283b56adde0174186f87 upstream. + +Drop unused declarations after S3C24xx SoC family removal in the commit +61b7f8920b17 ("ARM: s3c: remove all s3c24xx support"). + +Fixes: 1ea35b355722 ("ARM: s3c: remove s3c24xx specific hacks") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250830111657.126190-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/samsung/pinctrl-samsung.h | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-samsung.h ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.h +@@ -402,10 +402,6 @@ extern const struct samsung_pinctrl_of_m + extern const struct samsung_pinctrl_of_match_data fsd_of_data; + extern const struct samsung_pinctrl_of_match_data gs101_of_data; + extern const struct samsung_pinctrl_of_match_data s3c64xx_of_data; +-extern const struct samsung_pinctrl_of_match_data s3c2412_of_data; +-extern const struct samsung_pinctrl_of_match_data s3c2416_of_data; +-extern const struct samsung_pinctrl_of_match_data s3c2440_of_data; +-extern const struct samsung_pinctrl_of_match_data s3c2450_of_data; + extern const struct samsung_pinctrl_of_match_data s5pv210_of_data; + + #endif /* __PINCTRL_SAMSUNG_H */ diff --git a/queue-6.17/pm-em-fix-late-boot-with-holes-in-cpu-topology.patch b/queue-6.17/pm-em-fix-late-boot-with-holes-in-cpu-topology.patch new file mode 100644 index 0000000000..9ff3f55ca6 --- /dev/null +++ b/queue-6.17/pm-em-fix-late-boot-with-holes-in-cpu-topology.patch @@ -0,0 +1,68 @@ +From 1ebe8f7e782523e62cd1fa8237f7afba5d1dae83 Mon Sep 17 00:00:00 2001 +From: Christian Loehle +Date: Sun, 31 Aug 2025 22:43:57 +0100 +Subject: PM: EM: Fix late boot with holes in CPU topology + +From: Christian Loehle + +commit 1ebe8f7e782523e62cd1fa8237f7afba5d1dae83 upstream. + +Commit e3f1164fc9ee ("PM: EM: Support late CPUs booting and capacity +adjustment") added a mechanism to handle CPUs that come up late by +retrying when any of the `cpufreq_cpu_get()` call fails. + +However, if there are holes in the CPU topology (offline CPUs, e.g. +nosmt), the first missing CPU causes the loop to break, preventing +subsequent online CPUs from being updated. + +Instead of aborting on the first missing CPU policy, loop through all +and retry if any were missing. + +Fixes: e3f1164fc9ee ("PM: EM: Support late CPUs booting and capacity adjustment") +Suggested-by: Kenneth Crudup +Reported-by: Kenneth Crudup +Link: https://lore.kernel.org/linux-pm/40212796-734c-4140-8a85-854f72b8144d@panix.com/ +Cc: 6.9+ # 6.9+ +Signed-off-by: Christian Loehle +Link: https://patch.msgid.link/20250831214357.2020076-1-christian.loehle@arm.com +[ rjw: Drop the new pr_debug() message which is not very useful ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + kernel/power/energy_model.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/kernel/power/energy_model.c ++++ b/kernel/power/energy_model.c +@@ -799,7 +799,7 @@ void em_adjust_cpu_capacity(unsigned int + static void em_check_capacity_update(void) + { + cpumask_var_t cpu_done_mask; +- int cpu; ++ int cpu, failed_cpus = 0; + + if (!zalloc_cpumask_var(&cpu_done_mask, GFP_KERNEL)) { + pr_warn("no free memory\n"); +@@ -817,10 +817,8 @@ static void em_check_capacity_update(voi + + policy = cpufreq_cpu_get(cpu); + if (!policy) { +- pr_debug("Accessing cpu%d policy failed\n", cpu); +- schedule_delayed_work(&em_update_work, +- msecs_to_jiffies(1000)); +- break; ++ failed_cpus++; ++ continue; + } + cpufreq_cpu_put(policy); + +@@ -835,6 +833,9 @@ static void em_check_capacity_update(voi + em_adjust_new_capacity(cpu, dev, pd); + } + ++ if (failed_cpus) ++ schedule_delayed_work(&em_update_work, msecs_to_jiffies(1000)); ++ + free_cpumask_var(cpu_done_mask); + } + diff --git a/queue-6.17/pm-hibernate-fix-hybrid-sleep.patch b/queue-6.17/pm-hibernate-fix-hybrid-sleep.patch new file mode 100644 index 0000000000..f8b21c5e2a --- /dev/null +++ b/queue-6.17/pm-hibernate-fix-hybrid-sleep.patch @@ -0,0 +1,54 @@ +From 469d80a3712c66a00b5bb888e62e809db8887ba7 Mon Sep 17 00:00:00 2001 +From: "Mario Limonciello (AMD)" +Date: Thu, 25 Sep 2025 13:51:06 -0500 +Subject: PM: hibernate: Fix hybrid-sleep + +From: Mario Limonciello (AMD) + +commit 469d80a3712c66a00b5bb888e62e809db8887ba7 upstream. + +Hybrid sleep will hibernate the system followed by running through +the suspend routine. Since both the hibernate and the suspend routine +will call pm_restrict_gfp_mask(), pm_restore_gfp_mask() must be called +before starting the suspend sequence. + +Add an explicit call to pm_restore_gfp_mask() to power_down() before +the suspend sequence starts. Add an extra call for pm_restrict_gfp_mask() +when exiting suspend so that the pm_restore_gfp_mask() call in hibernate() +is balanced. + +Reported-by: Ionut Nechita +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4573 +Tested-by: Ionut Nechita +Fixes: 12ffc3b1513eb ("PM: Restrict swap use to later in the suspend sequence") +Tested-by: Kenneth Crudup +Acked-by: Alex Deucher +Signed-off-by: Mario Limonciello (AMD) +Link: https://patch.msgid.link/20250925185108.2968494-2-superm1@kernel.org +[ rjw: Add comment explainig the new pm_restrict_gfp_mask() call purpose ] +Cc: 6.16+ # 6.16+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + kernel/power/hibernate.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -695,12 +695,16 @@ static void power_down(void) + + #ifdef CONFIG_SUSPEND + if (hibernation_mode == HIBERNATION_SUSPEND) { ++ pm_restore_gfp_mask(); + error = suspend_devices_and_enter(mem_sleep_current); + if (error) { + hibernation_mode = hibernation_ops ? + HIBERNATION_PLATFORM : + HIBERNATION_SHUTDOWN; + } else { ++ /* Match pm_restore_gfp_mask() call in hibernate() */ ++ pm_restrict_gfp_mask(); ++ + /* Restore swap signature. */ + error = swsusp_unmark(); + if (error) diff --git a/queue-6.17/pm-hibernate-restrict-gfp-mask-in-power_down.patch b/queue-6.17/pm-hibernate-restrict-gfp-mask-in-power_down.patch new file mode 100644 index 0000000000..351cb5b360 --- /dev/null +++ b/queue-6.17/pm-hibernate-restrict-gfp-mask-in-power_down.patch @@ -0,0 +1,39 @@ +From 6f4c6f9ed4ce65303f6bb153e2afc71bc33c8ded Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Fri, 26 Sep 2025 18:40:25 +0200 +Subject: PM: hibernate: Restrict GFP mask in power_down() + +From: Rafael J. Wysocki + +commit 6f4c6f9ed4ce65303f6bb153e2afc71bc33c8ded upstream. + +Commit 12ffc3b1513e ("PM: Restrict swap use to later in the +suspend sequence") caused hibernation_platform_enter() to call +pm_restore_gfp_mask() via dpm_resume_end(), so when power_down() +returns after aborting hibernation_platform_enter(), it needs +to match the pm_restore_gfp_mask() call in hibernate() that will +occur subsequently. + +Address this by adding a pm_restrict_gfp_mask() call to the relevant +error path in power_down(). + +Fixes: 12ffc3b1513e ("PM: Restrict swap use to later in the suspend sequence") +Cc: 6.16+ # 6.16+ +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mario Limonciello (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/power/hibernate.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -722,6 +722,8 @@ static void power_down(void) + case HIBERNATION_PLATFORM: + error = hibernation_platform_enter(); + if (error == -EAGAIN || error == -EBUSY) { ++ /* Match pm_restore_gfp_mask() in hibernate(). */ ++ pm_restrict_gfp_mask(); + swsusp_unmark(); + events_check_enabled = false; + pr_info("Wakeup event detected during hibernation, rolling back.\n"); diff --git a/queue-6.17/power-supply-max77976_charger-fix-constant-current-reporting.patch b/queue-6.17/power-supply-max77976_charger-fix-constant-current-reporting.patch new file mode 100644 index 0000000000..0c71192408 --- /dev/null +++ b/queue-6.17/power-supply-max77976_charger-fix-constant-current-reporting.patch @@ -0,0 +1,69 @@ +From ee6cd8f3e28ee5a929c3b67c01a350f550f9b73a Mon Sep 17 00:00:00 2001 +From: Dzmitry Sankouski +Date: Thu, 18 Sep 2025 20:06:45 +0300 +Subject: power: supply: max77976_charger: fix constant current reporting + +From: Dzmitry Sankouski + +commit ee6cd8f3e28ee5a929c3b67c01a350f550f9b73a upstream. + +CHARGE_CONTROL_LIMIT is a wrong property to report charge current limit, +because `CHARGE_*` attributes represents capacity, not current. The +correct attribute to report and set charge current limit is +CONSTANT_CHARGE_CURRENT. + +Rename CHARGE_CONTROL_LIMIT to CONSTANT_CHARGE_CURRENT. + +Cc: stable@vger.kernel.org +Fixes: 715ecbc10d6a ("power: supply: max77976: add Maxim MAX77976 charger driver") +Signed-off-by: Dzmitry Sankouski +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/max77976_charger.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/power/supply/max77976_charger.c ++++ b/drivers/power/supply/max77976_charger.c +@@ -292,10 +292,10 @@ static int max77976_get_property(struct + case POWER_SUPPLY_PROP_ONLINE: + err = max77976_get_online(chg, &val->intval); + break; +- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX: ++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX: + val->intval = MAX77976_CHG_CC_MAX; + break; +- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT: ++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT: + err = max77976_get_integer(chg, CHG_CC, + MAX77976_CHG_CC_MIN, + MAX77976_CHG_CC_MAX, +@@ -330,7 +330,7 @@ static int max77976_set_property(struct + int err = 0; + + switch (psp) { +- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT: ++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT: + err = max77976_set_integer(chg, CHG_CC, + MAX77976_CHG_CC_MIN, + MAX77976_CHG_CC_MAX, +@@ -355,7 +355,7 @@ static int max77976_property_is_writeabl + enum power_supply_property psp) + { + switch (psp) { +- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT: ++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT: + case POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT: + return true; + default: +@@ -368,8 +368,8 @@ static enum power_supply_property max779 + POWER_SUPPLY_PROP_CHARGE_TYPE, + POWER_SUPPLY_PROP_HEALTH, + POWER_SUPPLY_PROP_ONLINE, +- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT, +- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX, ++ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT, ++ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX, + POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT, + POWER_SUPPLY_PROP_MODEL_NAME, + POWER_SUPPLY_PROP_MANUFACTURER, diff --git a/queue-6.17/powerpc-powernv-pci-fix-underflow-and-leak-issue.patch b/queue-6.17/powerpc-powernv-pci-fix-underflow-and-leak-issue.patch new file mode 100644 index 0000000000..fa405a60e9 --- /dev/null +++ b/queue-6.17/powerpc-powernv-pci-fix-underflow-and-leak-issue.patch @@ -0,0 +1,47 @@ +From a39087905af9ffecaa237a918a2c03a04e479934 Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Mon, 4 Aug 2025 12:07:28 +0200 +Subject: powerpc/powernv/pci: Fix underflow and leak issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nam Cao + +commit a39087905af9ffecaa237a918a2c03a04e479934 upstream. + +pnv_irq_domain_alloc() allocates interrupts at parent's interrupt +domain. If it fails in the progress, all allocated interrupts are +freed. + +The number of successfully allocated interrupts so far is stored +"i". However, "i - 1" interrupts are freed. This is broken: + + - One interrupt is not be freed + + - If "i" is zero, "i - 1" wraps around + +Correct the number of freed interrupts to "i". + +Fixes: 0fcfe2247e75 ("powerpc/powernv/pci: Add MSI domains") +Signed-off-by: Nam Cao +Cc: stable@vger.kernel.org +Reviewed-by: Cédric Le Goater +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/70f8debe8688e0b467367db769b71c20146a836d.1754300646.git.namcao@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -1854,7 +1854,7 @@ static int pnv_irq_domain_alloc(struct i + return 0; + + out: +- irq_domain_free_irqs_parent(domain, virq, i - 1); ++ irq_domain_free_irqs_parent(domain, virq, i); + msi_bitmap_free_hwirqs(&phb->msi_bmp, hwirq, nr_irqs); + return ret; + } diff --git a/queue-6.17/powerpc-pseries-msi-fix-potential-underflow-and-leak-issue.patch b/queue-6.17/powerpc-pseries-msi-fix-potential-underflow-and-leak-issue.patch new file mode 100644 index 0000000000..eae2f39a68 --- /dev/null +++ b/queue-6.17/powerpc-pseries-msi-fix-potential-underflow-and-leak-issue.patch @@ -0,0 +1,47 @@ +From 3443ff3be6e59b80d74036bb39f5b6409eb23cc9 Mon Sep 17 00:00:00 2001 +From: Nam Cao +Date: Mon, 4 Aug 2025 12:07:27 +0200 +Subject: powerpc/pseries/msi: Fix potential underflow and leak issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nam Cao + +commit 3443ff3be6e59b80d74036bb39f5b6409eb23cc9 upstream. + +pseries_irq_domain_alloc() allocates interrupts at parent's interrupt +domain. If it fails in the progress, all allocated interrupts are +freed. + +The number of successfully allocated interrupts so far is stored +"i". However, "i - 1" interrupts are freed. This is broken: + + - One interrupt is not be freed + + - If "i" is zero, "i - 1" wraps around + +Correct the number of freed interrupts to 'i'. + +Fixes: a5f3d2c17b07 ("powerpc/pseries/pci: Add MSI domains") +Signed-off-by: Nam Cao +Cc: stable@vger.kernel.org +Reviewed-by: Cédric Le Goater +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/a980067f2b256bf716b4cd713bc1095966eed8cd.1754300646.git.namcao@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/msi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/msi.c ++++ b/arch/powerpc/platforms/pseries/msi.c +@@ -593,7 +593,7 @@ static int pseries_irq_domain_alloc(stru + + out: + /* TODO: handle RTAS cleanup in ->msi_finish() ? */ +- irq_domain_free_irqs_parent(domain, virq, i - 1); ++ irq_domain_free_irqs_parent(domain, virq, i); + return ret; + } + diff --git a/queue-6.17/pwm-berlin-fix-wrong-register-in-suspend-resume.patch b/queue-6.17/pwm-berlin-fix-wrong-register-in-suspend-resume.patch new file mode 100644 index 0000000000..090b74c44f --- /dev/null +++ b/queue-6.17/pwm-berlin-fix-wrong-register-in-suspend-resume.patch @@ -0,0 +1,46 @@ +From 3a4b9d027e4061766f618292df91760ea64a1fcc Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang +Date: Tue, 19 Aug 2025 19:42:24 +0800 +Subject: pwm: berlin: Fix wrong register in suspend/resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jisheng Zhang + +commit 3a4b9d027e4061766f618292df91760ea64a1fcc upstream. + +The 'enable' register should be BERLIN_PWM_EN rather than +BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there +will be cpu exception then kernel panic during suspend/resume. + +Fixes: bbf0722c1c66 ("pwm: berlin: Add suspend/resume support") +Signed-off-by: Jisheng Zhang +Link: https://lore.kernel.org/r/20250819114224.31825-1-jszhang@kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-berlin.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pwm/pwm-berlin.c ++++ b/drivers/pwm/pwm-berlin.c +@@ -234,7 +234,7 @@ static int berlin_pwm_suspend(struct dev + for (i = 0; i < chip->npwm; i++) { + struct berlin_pwm_channel *channel = &bpc->channel[i]; + +- channel->enable = berlin_pwm_readl(bpc, i, BERLIN_PWM_ENABLE); ++ channel->enable = berlin_pwm_readl(bpc, i, BERLIN_PWM_EN); + channel->ctrl = berlin_pwm_readl(bpc, i, BERLIN_PWM_CONTROL); + channel->duty = berlin_pwm_readl(bpc, i, BERLIN_PWM_DUTY); + channel->tcnt = berlin_pwm_readl(bpc, i, BERLIN_PWM_TCNT); +@@ -262,7 +262,7 @@ static int berlin_pwm_resume(struct devi + berlin_pwm_writel(bpc, i, channel->ctrl, BERLIN_PWM_CONTROL); + berlin_pwm_writel(bpc, i, channel->duty, BERLIN_PWM_DUTY); + berlin_pwm_writel(bpc, i, channel->tcnt, BERLIN_PWM_TCNT); +- berlin_pwm_writel(bpc, i, channel->enable, BERLIN_PWM_ENABLE); ++ berlin_pwm_writel(bpc, i, channel->enable, BERLIN_PWM_EN); + } + + return 0; diff --git a/queue-6.17/pwm-fix-incorrect-variable-used-in-error-message.patch b/queue-6.17/pwm-fix-incorrect-variable-used-in-error-message.patch new file mode 100644 index 0000000000..71adae1b30 --- /dev/null +++ b/queue-6.17/pwm-fix-incorrect-variable-used-in-error-message.patch @@ -0,0 +1,37 @@ +From afe872274edc7da46719a2029bfa4eab142b15f6 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 2 Sep 2025 14:03:48 +0100 +Subject: pwm: Fix incorrect variable used in error message +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Colin Ian King + +commit afe872274edc7da46719a2029bfa4eab142b15f6 upstream. + +The dev_err message is reporting the incorrect return value ret_tohw, +it should be reporting the value in ret_fromhw. Fix this by using +ret_fromhw instead of ret_tohw. + +Fixes: 6c5126c6406d ("pwm: Provide new consumer API functions for waveforms") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20250902130348.2630053-1-colin.i.king@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pwm/core.c ++++ b/drivers/pwm/core.c +@@ -276,7 +276,7 @@ int pwm_round_waveform_might_sleep(struc + + if (IS_ENABLED(CONFIG_PWM_DEBUG) && ret_fromhw > 0) + dev_err(&chip->dev, "Unexpected return value from __pwm_round_waveform_fromhw: requested %llu/%llu [+%llu], return value %d\n", +- wf_req.duty_length_ns, wf_req.period_length_ns, wf_req.duty_offset_ns, ret_tohw); ++ wf_req.duty_length_ns, wf_req.period_length_ns, wf_req.duty_offset_ns, ret_fromhw); + + if (IS_ENABLED(CONFIG_PWM_DEBUG) && + (ret_tohw == 0) != pwm_check_rounding(&wf_req, wf)) diff --git a/queue-6.17/revert-ipmi-fix-msg-stack-when-ipmi-is-disconnected.patch b/queue-6.17/revert-ipmi-fix-msg-stack-when-ipmi-is-disconnected.patch new file mode 100644 index 0000000000..10d78aa8c3 --- /dev/null +++ b/queue-6.17/revert-ipmi-fix-msg-stack-when-ipmi-is-disconnected.patch @@ -0,0 +1,71 @@ +From 5d09ee1bec870263f4ace439402ea840503b503b Mon Sep 17 00:00:00 2001 +From: Corey Minyard +Date: Wed, 20 Aug 2025 11:03:13 -0500 +Subject: Revert "ipmi: fix msg stack when IPMI is disconnected" + +From: Corey Minyard + +commit 5d09ee1bec870263f4ace439402ea840503b503b upstream. + +This reverts commit c608966f3f9c2dca596967501d00753282b395fc. + +This patch has a subtle bug that can cause the IPMI driver to go into an +infinite loop if the BMC misbehaves in a certain way. Apparently +certain BMCs do misbehave this way because several reports have come in +recently about this. + +Signed-off-by: Corey Minyard +Tested-by: Eric Hagberg +Cc: # 6.2 +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_kcs_sm.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/drivers/char/ipmi/ipmi_kcs_sm.c ++++ b/drivers/char/ipmi/ipmi_kcs_sm.c +@@ -122,10 +122,10 @@ struct si_sm_data { + unsigned long error0_timeout; + }; + +-static unsigned int init_kcs_data_with_state(struct si_sm_data *kcs, +- struct si_sm_io *io, enum kcs_states state) ++static unsigned int init_kcs_data(struct si_sm_data *kcs, ++ struct si_sm_io *io) + { +- kcs->state = state; ++ kcs->state = KCS_IDLE; + kcs->io = io; + kcs->write_pos = 0; + kcs->write_count = 0; +@@ -140,12 +140,6 @@ static unsigned int init_kcs_data_with_s + return 2; + } + +-static unsigned int init_kcs_data(struct si_sm_data *kcs, +- struct si_sm_io *io) +-{ +- return init_kcs_data_with_state(kcs, io, KCS_IDLE); +-} +- + static inline unsigned char read_status(struct si_sm_data *kcs) + { + return kcs->io->inputb(kcs->io, 1); +@@ -276,7 +270,7 @@ static int start_kcs_transaction(struct + if (size > MAX_KCS_WRITE_SIZE) + return IPMI_REQ_LEN_EXCEEDED_ERR; + +- if (kcs->state != KCS_IDLE) { ++ if ((kcs->state != KCS_IDLE) && (kcs->state != KCS_HOSED)) { + dev_warn(kcs->io->dev, "KCS in invalid state %d\n", kcs->state); + return IPMI_NOT_IN_MY_STATE_ERR; + } +@@ -501,7 +495,7 @@ static enum si_sm_result kcs_event(struc + } + + if (kcs->state == KCS_HOSED) { +- init_kcs_data_with_state(kcs, kcs->io, KCS_ERROR0); ++ init_kcs_data(kcs, kcs->io); + return SI_SM_HOSED; + } + diff --git a/queue-6.17/riscv-use-an-atomic-xchg-in-pudp_huge_get_and_clear.patch b/queue-6.17/riscv-use-an-atomic-xchg-in-pudp_huge_get_and_clear.patch new file mode 100644 index 0000000000..84a1a31984 --- /dev/null +++ b/queue-6.17/riscv-use-an-atomic-xchg-in-pudp_huge_get_and_clear.patch @@ -0,0 +1,43 @@ +From 668208b161a0b679427e7d0f34c0a65fd7d23979 Mon Sep 17 00:00:00 2001 +From: Alexandre Ghiti +Date: Thu, 14 Aug 2025 12:06:14 +0000 +Subject: riscv: use an atomic xchg in pudp_huge_get_and_clear() + +From: Alexandre Ghiti + +commit 668208b161a0b679427e7d0f34c0a65fd7d23979 upstream. + +Make sure we return the right pud value and not a value that could have +been overwritten in between by a different core. + +Link: https://lkml.kernel.org/r/20250814-dev-alex-thp_pud_xchg-v1-1-b4704dfae206@rivosinc.com +Fixes: c3cc2a4a3a23 ("riscv: Add support for PUD THP") +Signed-off-by: Alexandre Ghiti +Cc: Andrew Donnellan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/pgtable.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/riscv/include/asm/pgtable.h ++++ b/arch/riscv/include/asm/pgtable.h +@@ -959,6 +959,17 @@ static inline pud_t pudp_huge_get_and_cl + return pud; + } + ++#define __HAVE_ARCH_PUDP_HUGE_GET_AND_CLEAR ++static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm, ++ unsigned long address, pud_t *pudp) ++{ ++ pud_t pud = __pud(atomic_long_xchg((atomic_long_t *)pudp, 0)); ++ ++ page_table_check_pud_clear(mm, pud); ++ ++ return pud; ++} ++ + static inline int pud_young(pud_t pud) + { + return pte_young(pud_pte(pud)); diff --git a/queue-6.17/rseq-selftests-use-weak-symbol-reference-not-definition-to-link-with-glibc.patch b/queue-6.17/rseq-selftests-use-weak-symbol-reference-not-definition-to-link-with-glibc.patch new file mode 100644 index 0000000000..5f62dac32c --- /dev/null +++ b/queue-6.17/rseq-selftests-use-weak-symbol-reference-not-definition-to-link-with-glibc.patch @@ -0,0 +1,63 @@ +From a001cd248ab244633c5fabe4f7c707e13fc1d1cc Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 19 Aug 2025 15:29:44 -0700 +Subject: rseq/selftests: Use weak symbol reference, not definition, to link with glibc + +From: Sean Christopherson + +commit a001cd248ab244633c5fabe4f7c707e13fc1d1cc upstream. + +Add "extern" to the glibc-defined weak rseq symbols to convert the rseq +selftest's usage from weak symbol definitions to weak symbol _references_. +Effectively re-defining the glibc symbols wreaks havoc when building with +-fno-common, e.g. generates segfaults when running multi-threaded programs, +as dynamically linked applications end up with multiple versions of the +symbols. + +Building with -fcommon, which until recently has the been the default for +GCC and clang, papers over the bug by allowing the linker to resolve the +weak/tentative definition to glibc's "real" definition. + +Note, the symbol itself (or rather its address), not the value of the +symbol, is set to 0/NULL for unresolved weak symbol references, as the +symbol doesn't exist and thus can't have a value. Check for a NULL rseq +size pointer to handle the scenario where the test is statically linked +against a libc that doesn't support rseq in any capacity. + +Fixes: 3bcbc20942db ("selftests/rseq: Play nice with binaries statically linked against glibc 2.35+") +Reported-by: Thomas Gleixner +Suggested-by: Florian Weimer +Signed-off-by: Sean Christopherson +Signed-off-by: Thomas Gleixner +Reviewed-by: Mathieu Desnoyers +Cc: stable@vger.kernel.org +Closes: https://lore.kernel.org/all/87frdoybk4.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/rseq/rseq.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/rseq/rseq.c ++++ b/tools/testing/selftests/rseq/rseq.c +@@ -40,9 +40,9 @@ + * Define weak versions to play nice with binaries that are statically linked + * against a libc that doesn't support registering its own rseq. + */ +-__weak ptrdiff_t __rseq_offset; +-__weak unsigned int __rseq_size; +-__weak unsigned int __rseq_flags; ++extern __weak ptrdiff_t __rseq_offset; ++extern __weak unsigned int __rseq_size; ++extern __weak unsigned int __rseq_flags; + + static const ptrdiff_t *libc_rseq_offset_p = &__rseq_offset; + static const unsigned int *libc_rseq_size_p = &__rseq_size; +@@ -209,7 +209,7 @@ void rseq_init(void) + * libc not having registered a restartable sequence. Try to find the + * symbols if that's the case. + */ +- if (!*libc_rseq_size_p) { ++ if (!libc_rseq_size_p || !*libc_rseq_size_p) { + libc_rseq_offset_p = dlsym(RTLD_NEXT, "__rseq_offset"); + libc_rseq_size_p = dlsym(RTLD_NEXT, "__rseq_size"); + libc_rseq_flags_p = dlsym(RTLD_NEXT, "__rseq_flags"); diff --git a/queue-6.17/rtc-interface-ensure-alarm-irq-is-enabled-when-uie-is-enabled.patch b/queue-6.17/rtc-interface-ensure-alarm-irq-is-enabled-when-uie-is-enabled.patch new file mode 100644 index 0000000000..1a248d4393 --- /dev/null +++ b/queue-6.17/rtc-interface-ensure-alarm-irq-is-enabled-when-uie-is-enabled.patch @@ -0,0 +1,39 @@ +From 9db26d5855d0374d4652487bfb5aacf40821c469 Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Fri, 16 May 2025 09:23:39 +0200 +Subject: rtc: interface: Ensure alarm irq is enabled when UIE is enabled + +From: Esben Haabendal + +commit 9db26d5855d0374d4652487bfb5aacf40821c469 upstream. + +When setting a normal alarm, user-space is responsible for using +RTC_AIE_ON/RTC_AIE_OFF to control if alarm irq should be enabled. + +But when RTC_UIE_ON is used, interrupts must be enabled so that the +requested irq events are generated. +When RTC_UIE_OFF is used, alarm irq is disabled if there are no other +alarms queued, so this commit brings symmetry to that. + +Signed-off-by: Esben Haabendal +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-5-3de8e530a39e@geanix.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/interface.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -594,6 +594,10 @@ int rtc_update_irq_enable(struct rtc_dev + rtc->uie_rtctimer.node.expires = ktime_add(now, onesec); + rtc->uie_rtctimer.period = ktime_set(1, 0); + err = rtc_timer_enqueue(rtc, &rtc->uie_rtctimer); ++ if (!err && rtc->ops && rtc->ops->alarm_irq_enable) ++ err = rtc->ops->alarm_irq_enable(rtc->dev.parent, 1); ++ if (err) ++ goto out; + } else { + rtc_timer_remove(rtc, &rtc->uie_rtctimer); + } diff --git a/queue-6.17/rtc-interface-fix-long-standing-race-when-setting-alarm.patch b/queue-6.17/rtc-interface-fix-long-standing-race-when-setting-alarm.patch new file mode 100644 index 0000000000..93d7d46190 --- /dev/null +++ b/queue-6.17/rtc-interface-fix-long-standing-race-when-setting-alarm.patch @@ -0,0 +1,71 @@ +From 795cda8338eab036013314dbc0b04aae728880ab Mon Sep 17 00:00:00 2001 +From: Esben Haabendal +Date: Fri, 16 May 2025 09:23:35 +0200 +Subject: rtc: interface: Fix long-standing race when setting alarm + +From: Esben Haabendal + +commit 795cda8338eab036013314dbc0b04aae728880ab upstream. + +As described in the old comment dating back to +commit 6610e0893b8b ("RTC: Rework RTC code to use timerqueue for events") +from 2010, we have been living with a race window when setting alarm +with an expiry in the near future (i.e. next second). +With 1 second resolution, it can happen that the second ticks after the +check for the timer having expired, but before the alarm is actually set. +When this happen, no alarm IRQ is generated, at least not with some RTC +chips (isl12022 is an example of this). + +With UIE RTC timer being implemented on top of alarm irq, being re-armed +every second, UIE will occasionally fail to work, as an alarm irq lost +due to this race will stop the re-arming loop. + +For now, I have limited the additional expiry check to only be done for +alarms set to next seconds. I expect it should be good enough, although I +don't know if we can now for sure that systems with loads could end up +causing the same problems for alarms set 2 seconds or even longer in the +future. + +I haven't been able to reproduce the problem with this check in place. + +Cc: stable@vger.kernel.org +Signed-off-by: Esben Haabendal +Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-1-3de8e530a39e@geanix.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/interface.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -443,6 +443,29 @@ static int __rtc_set_alarm(struct rtc_de + else + err = rtc->ops->set_alarm(rtc->dev.parent, alarm); + ++ /* ++ * Check for potential race described above. If the waiting for next ++ * second, and the second just ticked since the check above, either ++ * ++ * 1) It ticked after the alarm was set, and an alarm irq should be ++ * generated. ++ * ++ * 2) It ticked before the alarm was set, and alarm irq most likely will ++ * not be generated. ++ * ++ * While we cannot easily check for which of these two scenarios we ++ * are in, we can return -ETIME to signal that the timer has already ++ * expired, which is true in both cases. ++ */ ++ if ((scheduled - now) <= 1) { ++ err = __rtc_read_time(rtc, &tm); ++ if (err) ++ return err; ++ now = rtc_tm_to_time64(&tm); ++ if (scheduled <= now) ++ return -ETIME; ++ } ++ + trace_rtc_set_alarm(rtc_tm_to_time64(&alarm->time), err); + return err; + } diff --git a/queue-6.17/sched-deadline-fix-race-in-push_dl_task.patch b/queue-6.17/sched-deadline-fix-race-in-push_dl_task.patch new file mode 100644 index 0000000000..2a0f84b182 --- /dev/null +++ b/queue-6.17/sched-deadline-fix-race-in-push_dl_task.patch @@ -0,0 +1,138 @@ +From 8fd5485fb4f3d9da3977fd783fcb8e5452463420 Mon Sep 17 00:00:00 2001 +From: Harshit Agarwal +Date: Tue, 8 Apr 2025 04:50:21 +0000 +Subject: sched/deadline: Fix race in push_dl_task() + +From: Harshit Agarwal + +commit 8fd5485fb4f3d9da3977fd783fcb8e5452463420 upstream. + +When a CPU chooses to call push_dl_task and picks a task to push to +another CPU's runqueue then it will call find_lock_later_rq method +which would take a double lock on both CPUs' runqueues. If one of the +locks aren't readily available, it may lead to dropping the current +runqueue lock and reacquiring both the locks at once. During this window +it is possible that the task is already migrated and is running on some +other CPU. These cases are already handled. However, if the task is +migrated and has already been executed and another CPU is now trying to +wake it up (ttwu) such that it is queued again on the runqeue +(on_rq is 1) and also if the task was run by the same CPU, then the +current checks will pass even though the task was migrated out and is no +longer in the pushable tasks list. +Please go through the original rt change for more details on the issue. + +To fix this, after the lock is obtained inside the find_lock_later_rq, +it ensures that the task is still at the head of pushable tasks list. +Also removed some checks that are no longer needed with the addition of +this new check. +However, the new check of pushable tasks list only applies when +find_lock_later_rq is called by push_dl_task. For the other caller i.e. +dl_task_offline_migration, existing checks are used. + +Signed-off-by: Harshit Agarwal +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Juri Lelli +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250408045021.3283624-1-harshit@nutanix.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/deadline.c | 73 ++++++++++++++++++++++++++++++++---------------- + 1 file changed, 49 insertions(+), 24 deletions(-) + +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -2551,6 +2551,25 @@ static int find_later_rq(struct task_str + return -1; + } + ++static struct task_struct *pick_next_pushable_dl_task(struct rq *rq) ++{ ++ struct task_struct *p; ++ ++ if (!has_pushable_dl_tasks(rq)) ++ return NULL; ++ ++ p = __node_2_pdl(rb_first_cached(&rq->dl.pushable_dl_tasks_root)); ++ ++ WARN_ON_ONCE(rq->cpu != task_cpu(p)); ++ WARN_ON_ONCE(task_current(rq, p)); ++ WARN_ON_ONCE(p->nr_cpus_allowed <= 1); ++ ++ WARN_ON_ONCE(!task_on_rq_queued(p)); ++ WARN_ON_ONCE(!dl_task(p)); ++ ++ return p; ++} ++ + /* Locks the rq it finds */ + static struct rq *find_lock_later_rq(struct task_struct *task, struct rq *rq) + { +@@ -2578,12 +2597,37 @@ static struct rq *find_lock_later_rq(str + + /* Retry if something changed. */ + if (double_lock_balance(rq, later_rq)) { +- if (unlikely(task_rq(task) != rq || ++ /* ++ * double_lock_balance had to release rq->lock, in the ++ * meantime, task may no longer be fit to be migrated. ++ * Check the following to ensure that the task is ++ * still suitable for migration: ++ * 1. It is possible the task was scheduled, ++ * migrate_disabled was set and then got preempted, ++ * so we must check the task migration disable ++ * flag. ++ * 2. The CPU picked is in the task's affinity. ++ * 3. For throttled task (dl_task_offline_migration), ++ * check the following: ++ * - the task is not on the rq anymore (it was ++ * migrated) ++ * - the task is not on CPU anymore ++ * - the task is still a dl task ++ * - the task is not queued on the rq anymore ++ * 4. For the non-throttled task (push_dl_task), the ++ * check to ensure that this task is still at the ++ * head of the pushable tasks list is enough. ++ */ ++ if (unlikely(is_migration_disabled(task) || + !cpumask_test_cpu(later_rq->cpu, &task->cpus_mask) || +- task_on_cpu(rq, task) || +- !dl_task(task) || +- is_migration_disabled(task) || +- !task_on_rq_queued(task))) { ++ (task->dl.dl_throttled && ++ (task_rq(task) != rq || ++ task_on_cpu(rq, task) || ++ !dl_task(task) || ++ !task_on_rq_queued(task))) || ++ (!task->dl.dl_throttled && ++ task != pick_next_pushable_dl_task(rq)))) { ++ + double_unlock_balance(rq, later_rq); + later_rq = NULL; + break; +@@ -2606,25 +2650,6 @@ static struct rq *find_lock_later_rq(str + return later_rq; + } + +-static struct task_struct *pick_next_pushable_dl_task(struct rq *rq) +-{ +- struct task_struct *p; +- +- if (!has_pushable_dl_tasks(rq)) +- return NULL; +- +- p = __node_2_pdl(rb_first_cached(&rq->dl.pushable_dl_tasks_root)); +- +- WARN_ON_ONCE(rq->cpu != task_cpu(p)); +- WARN_ON_ONCE(task_current(rq, p)); +- WARN_ON_ONCE(p->nr_cpus_allowed <= 1); +- +- WARN_ON_ONCE(!task_on_rq_queued(p)); +- WARN_ON_ONCE(!dl_task(p)); +- +- return p; +-} +- + /* + * See if the non running -deadline tasks on this rq + * can be sent to some other CPU where they can preempt diff --git a/queue-6.17/scsi-hpsa-fix-potential-memory-leak-in-hpsa_big_passthru_ioctl.patch b/queue-6.17/scsi-hpsa-fix-potential-memory-leak-in-hpsa_big_passthru_ioctl.patch new file mode 100644 index 0000000000..4fc16f722b --- /dev/null +++ b/queue-6.17/scsi-hpsa-fix-potential-memory-leak-in-hpsa_big_passthru_ioctl.patch @@ -0,0 +1,60 @@ +From b81296591c567b12d3873b05a37b975707959b94 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Fri, 19 Sep 2025 11:26:37 +0200 +Subject: scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() + +From: Thorsten Blum + +commit b81296591c567b12d3873b05a37b975707959b94 upstream. + +Replace kmalloc() followed by copy_from_user() with memdup_user() to fix +a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and +the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using +memdup_user() avoids this by freeing the memory internally. + +Since memdup_user() already allocates memory, use kzalloc() in the else +branch instead of manually zeroing 'buff[sg_used]' using memset(0). + +Cc: stable@vger.kernel.org +Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.") +Signed-off-by: Thorsten Blum +Acked-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/hpsa.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -6522,18 +6522,21 @@ static int hpsa_big_passthru_ioctl(struc + while (left) { + sz = (left > ioc->malloc_size) ? ioc->malloc_size : left; + buff_size[sg_used] = sz; +- buff[sg_used] = kmalloc(sz, GFP_KERNEL); +- if (buff[sg_used] == NULL) { +- status = -ENOMEM; +- goto cleanup1; +- } ++ + if (ioc->Request.Type.Direction & XFER_WRITE) { +- if (copy_from_user(buff[sg_used], data_ptr, sz)) { +- status = -EFAULT; ++ buff[sg_used] = memdup_user(data_ptr, sz); ++ if (IS_ERR(buff[sg_used])) { ++ status = PTR_ERR(buff[sg_used]); ++ goto cleanup1; ++ } ++ } else { ++ buff[sg_used] = kzalloc(sz, GFP_KERNEL); ++ if (!buff[sg_used]) { ++ status = -ENOMEM; + goto cleanup1; + } +- } else +- memset(buff[sg_used], 0, sz); ++ } ++ + left -= sz; + data_ptr += sz; + sg_used++; diff --git a/queue-6.17/scsi-sd-fix-build-warning-in-sd_revalidate_disk.patch b/queue-6.17/scsi-sd-fix-build-warning-in-sd_revalidate_disk.patch new file mode 100644 index 0000000000..5ba21628ea --- /dev/null +++ b/queue-6.17/scsi-sd-fix-build-warning-in-sd_revalidate_disk.patch @@ -0,0 +1,174 @@ +From b5f717b31b5e478398740db8aee2ecbc4dd72bf3 Mon Sep 17 00:00:00 2001 +From: Abinash Singh +Date: Tue, 26 Aug 2025 00:09:38 +0530 +Subject: scsi: sd: Fix build warning in sd_revalidate_disk() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Abinash Singh + +commit b5f717b31b5e478398740db8aee2ecbc4dd72bf3 upstream. + +A build warning was triggered due to excessive stack usage in +sd_revalidate_disk(): + +drivers/scsi/sd.c: In function ‘sd_revalidate_disk.isra’: +drivers/scsi/sd.c:3824:1: warning: the frame size of 1160 bytes is larger than 1024 bytes [-Wframe-larger-than=] + +This is caused by a large local struct queue_limits (~400B) allocated on +the stack. Replacing it with a heap allocation using kmalloc() +significantly reduces frame usage. Kernel stack is limited (~8 KB), and +allocating large structs on the stack is discouraged. As the function +already performs heap allocations (e.g. for buffer), this change fits +well. + +Fixes: 804e498e0496 ("sd: convert to the atomic queue limits API") +Cc: stable@vger.kernel.org +Reviewed-by: Bart Van Assche +Signed-off-by: Abinash Singh +Link: https://lore.kernel.org/r/20250825183940.13211-2-abinashsinghlalotra@gmail.com +Reviewed-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sd.c | 50 ++++++++++++++++++++++++++++---------------------- + 1 file changed, 28 insertions(+), 22 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -3696,10 +3696,10 @@ static int sd_revalidate_disk(struct gen + struct scsi_disk *sdkp = scsi_disk(disk); + struct scsi_device *sdp = sdkp->device; + sector_t old_capacity = sdkp->capacity; +- struct queue_limits lim; +- unsigned char *buffer; ++ struct queue_limits *lim = NULL; ++ unsigned char *buffer = NULL; + unsigned int dev_max; +- int err; ++ int err = 0; + + SCSI_LOG_HLQUEUE(3, sd_printk(KERN_INFO, sdkp, + "sd_revalidate_disk\n")); +@@ -3711,6 +3711,10 @@ static int sd_revalidate_disk(struct gen + if (!scsi_device_online(sdp)) + goto out; + ++ lim = kmalloc(sizeof(*lim), GFP_KERNEL); ++ if (!lim) ++ goto out; ++ + buffer = kmalloc(SD_BUF_SIZE, GFP_KERNEL); + if (!buffer) { + sd_printk(KERN_WARNING, sdkp, "sd_revalidate_disk: Memory " +@@ -3720,14 +3724,14 @@ static int sd_revalidate_disk(struct gen + + sd_spinup_disk(sdkp); + +- lim = queue_limits_start_update(sdkp->disk->queue); ++ *lim = queue_limits_start_update(sdkp->disk->queue); + + /* + * Without media there is no reason to ask; moreover, some devices + * react badly if we do. + */ + if (sdkp->media_present) { +- sd_read_capacity(sdkp, &lim, buffer); ++ sd_read_capacity(sdkp, lim, buffer); + /* + * Some USB/UAS devices return generic values for mode pages + * until the media has been accessed. Trigger a READ operation +@@ -3741,17 +3745,17 @@ static int sd_revalidate_disk(struct gen + * cause this to be updated correctly and any device which + * doesn't support it should be treated as rotational. + */ +- lim.features |= (BLK_FEAT_ROTATIONAL | BLK_FEAT_ADD_RANDOM); ++ lim->features |= (BLK_FEAT_ROTATIONAL | BLK_FEAT_ADD_RANDOM); + + if (scsi_device_supports_vpd(sdp)) { + sd_read_block_provisioning(sdkp); +- sd_read_block_limits(sdkp, &lim); ++ sd_read_block_limits(sdkp, lim); + sd_read_block_limits_ext(sdkp); +- sd_read_block_characteristics(sdkp, &lim); +- sd_zbc_read_zones(sdkp, &lim, buffer); ++ sd_read_block_characteristics(sdkp, lim); ++ sd_zbc_read_zones(sdkp, lim, buffer); + } + +- sd_config_discard(sdkp, &lim, sd_discard_mode(sdkp)); ++ sd_config_discard(sdkp, lim, sd_discard_mode(sdkp)); + + sd_print_capacity(sdkp, old_capacity); + +@@ -3761,47 +3765,46 @@ static int sd_revalidate_disk(struct gen + sd_read_app_tag_own(sdkp, buffer); + sd_read_write_same(sdkp, buffer); + sd_read_security(sdkp, buffer); +- sd_config_protection(sdkp, &lim); ++ sd_config_protection(sdkp, lim); + } + + /* + * We now have all cache related info, determine how we deal + * with flush requests. + */ +- sd_set_flush_flag(sdkp, &lim); ++ sd_set_flush_flag(sdkp, lim); + + /* Initial block count limit based on CDB TRANSFER LENGTH field size. */ + dev_max = sdp->use_16_for_rw ? SD_MAX_XFER_BLOCKS : SD_DEF_XFER_BLOCKS; + + /* Some devices report a maximum block count for READ/WRITE requests. */ + dev_max = min_not_zero(dev_max, sdkp->max_xfer_blocks); +- lim.max_dev_sectors = logical_to_sectors(sdp, dev_max); ++ lim->max_dev_sectors = logical_to_sectors(sdp, dev_max); + + if (sd_validate_min_xfer_size(sdkp)) +- lim.io_min = logical_to_bytes(sdp, sdkp->min_xfer_blocks); ++ lim->io_min = logical_to_bytes(sdp, sdkp->min_xfer_blocks); + else +- lim.io_min = 0; ++ lim->io_min = 0; + + /* + * Limit default to SCSI host optimal sector limit if set. There may be + * an impact on performance for when the size of a request exceeds this + * host limit. + */ +- lim.io_opt = sdp->host->opt_sectors << SECTOR_SHIFT; ++ lim->io_opt = sdp->host->opt_sectors << SECTOR_SHIFT; + if (sd_validate_opt_xfer_size(sdkp, dev_max)) { +- lim.io_opt = min_not_zero(lim.io_opt, ++ lim->io_opt = min_not_zero(lim->io_opt, + logical_to_bytes(sdp, sdkp->opt_xfer_blocks)); + } + + sdkp->first_scan = 0; + + set_capacity_and_notify(disk, logical_to_sectors(sdp, sdkp->capacity)); +- sd_config_write_same(sdkp, &lim); +- kfree(buffer); ++ sd_config_write_same(sdkp, lim); + +- err = queue_limits_commit_update_frozen(sdkp->disk->queue, &lim); ++ err = queue_limits_commit_update_frozen(sdkp->disk->queue, lim); + if (err) +- return err; ++ goto out; + + /* + * Query concurrent positioning ranges after +@@ -3820,7 +3823,10 @@ static int sd_revalidate_disk(struct gen + set_capacity_and_notify(disk, 0); + + out: +- return 0; ++ kfree(buffer); ++ kfree(lim); ++ ++ return err; + } + + /** diff --git a/queue-6.17/sctp-fix-mac-comparison-to-be-constant-time.patch b/queue-6.17/sctp-fix-mac-comparison-to-be-constant-time.patch new file mode 100644 index 0000000000..fd7be95558 --- /dev/null +++ b/queue-6.17/sctp-fix-mac-comparison-to-be-constant-time.patch @@ -0,0 +1,62 @@ +From dd91c79e4f58fbe2898dac84858033700e0e99fb Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 18 Aug 2025 13:54:23 -0700 +Subject: sctp: Fix MAC comparison to be constant-time + +From: Eric Biggers + +commit dd91c79e4f58fbe2898dac84858033700e0e99fb upstream. + +To prevent timing attacks, MACs need to be compared in constant time. +Use the appropriate helper function for this. + +Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Link: https://patch.msgid.link/20250818205426.30222-3-ebiggers@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_make_chunk.c | 3 ++- + net/sctp/sm_statefuns.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -31,6 +31,7 @@ + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + + #include ++#include + #include + #include + #include +@@ -1788,7 +1789,7 @@ struct sctp_association *sctp_unpack_coo + } + } + +- if (memcmp(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) { ++ if (crypto_memneq(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) { + *error = -SCTP_IERROR_BAD_SIG; + goto fail; + } +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -30,6 +30,7 @@ + + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + ++#include + #include + #include + #include +@@ -4417,7 +4418,7 @@ static enum sctp_ierror sctp_sf_authenti + sh_key, GFP_ATOMIC); + + /* Discard the packet if the digests do not match */ +- if (memcmp(save_digest, digest, sig_len)) { ++ if (crypto_memneq(save_digest, digest, sig_len)) { + kfree(save_digest); + return SCTP_IERROR_BAD_SIG; + } diff --git a/queue-6.17/series b/queue-6.17/series index 0c4759f192..92169f1b1d 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -230,3 +230,71 @@ iommu-vt-d-prs-isn-t-usable-if-pds-isn-t-supported.patch ipmi-rework-user-message-limit-handling.patch ipmi-msghandler-change-seq_lock-to-a-mutex.patch kernel-sys.c-fix-the-racy-usage-of-task_lock-tsk-group_leader-in-sys_prlimit64-paths.patch +keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch +kho-only-fill-kimage-if-kho-is-finalized.patch +lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch +loop-fix-backing-file-reference-leak-on-validation-error.patch +md-fix-mssing-blktrace-bio-split-events.patch +of-unittest-fix-device-reference-count-leak-in-of_unittest_pci_node_verify.patch +openat2-don-t-trigger-automounts-with-resolve_no_xdev.patch +padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch +parisc-don-t-reference-obsolete-termio-struct-for-tc-constants.patch +parisc-remove-spurious-if-statement-from-raw_copy_from_user.patch +nvme-pci-add-tuxedo-ibs-gen8-to-samsung-sleep-quirk.patch +pinctrl-samsung-drop-unused-s3c24xx-driver-data.patch +pm-em-fix-late-boot-with-holes-in-cpu-topology.patch +pm-hibernate-fix-hybrid-sleep.patch +pm-hibernate-restrict-gfp-mask-in-power_down.patch +power-supply-max77976_charger-fix-constant-current-reporting.patch +powerpc-powernv-pci-fix-underflow-and-leak-issue.patch +powerpc-pseries-msi-fix-potential-underflow-and-leak-issue.patch +pwm-berlin-fix-wrong-register-in-suspend-resume.patch +pwm-fix-incorrect-variable-used-in-error-message.patch +revert-ipmi-fix-msg-stack-when-ipmi-is-disconnected.patch +riscv-use-an-atomic-xchg-in-pudp_huge_get_and_clear.patch +sched-deadline-fix-race-in-push_dl_task.patch +scsi-hpsa-fix-potential-memory-leak-in-hpsa_big_passthru_ioctl.patch +scsi-sd-fix-build-warning-in-sd_revalidate_disk.patch +sctp-fix-mac-comparison-to-be-constant-time.patch +smb-client-fix-bug-with-newly-created-file-in-cached-dir.patch +sparc64-fix-hugetlb-for-sun4u.patch +sparc-fix-error-handling-in-scan_one_device.patch +xtensa-simdisk-add-input-size-check-in-proc_write_simdisk.patch +xsk-harden-userspace-supplied-xdp_desc-validation.patch +mtd-rawnand-fsmc-default-to-autodetect-buswidth.patch +mtd-nand-raw-gpmi-fix-clocks-when-config_pm-n.patch +mmc-core-spi-mode-remove-cmd7.patch +mmc-mmc_spi-multiple-block-read-remove-read-crc-ack.patch +memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch +memory-stm32_omm-fix-req2ack-update-test.patch +rtc-interface-ensure-alarm-irq-is-enabled-when-uie-is-enabled.patch +rtc-interface-fix-long-standing-race-when-setting-alarm.patch +rseq-selftests-use-weak-symbol-reference-not-definition-to-link-with-glibc.patch +pci-xilinx-nwl-fix-ecam-programming.patch +pci-tegra-convert-struct-tegra_msi-mask_lock-into-raw-spinlock.patch +pci-sysfs-ensure-devices-are-powered-for-config-reads.patch +pci-iov-add-pci-rescan-remove-locking-when-enabling-disabling-sr-iov.patch +pci-err-fix-uevent-on-failure-to-recover.patch +pci-aer-fix-missing-uevent-on-recovery-when-a-reset-is-requested.patch +pci-aer-support-errors-introduced-by-pcie-r6.0.patch +pci-ensure-relaxed-tail-alignment-does-not-increase-min_align.patch +pci-fix-failure-detection-during-resource-resize.patch +pci-j721e-fix-module-autoloading.patch +pci-j721e-fix-programming-sequence-of-strap-settings.patch +pci-keystone-use-devm_request_irq-to-free-ks-pcie-error-irq-on-exit.patch +pci-rcar-gen4-fix-phy-initialization.patch +pci-rcar-host-drop-pmsr-spinlock.patch +pci-rcar-host-convert-struct-rcar_msi-mask_lock-into-raw-spinlock.patch +pci-tegra194-fix-broken-tegra_pcie_ep_raise_msi_irq.patch +pci-tegra194-handle-errors-in-bpmp-response.patch +pci-tegra194-reset-bars-when-running-in-pcie-endpoint-mode.patch +pci-pwrctrl-fix-device-leak-at-registration.patch +pci-pwrctrl-fix-device-and-of-node-leak-at-bus-scan.patch +pci-pwrctrl-fix-device-leak-at-device-stop.patch +spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch +spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch +spi-cadence-quadspi-fix-cqspi_setup_flash.patch +xfs-use-deferred-intent-items-for-reaping-crosslinked-blocks.patch +x86-fred-remove-endbr64-from-fred-entry-points.patch +x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch +x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch diff --git a/queue-6.17/smb-client-fix-bug-with-newly-created-file-in-cached-dir.patch b/queue-6.17/smb-client-fix-bug-with-newly-created-file-in-cached-dir.patch new file mode 100644 index 0000000000..d07aca0f6b --- /dev/null +++ b/queue-6.17/smb-client-fix-bug-with-newly-created-file-in-cached-dir.patch @@ -0,0 +1,38 @@ +From aa12118dbcfe659697567c9daa0eac2c71e3fd37 Mon Sep 17 00:00:00 2001 +From: Bharath SM +Date: Fri, 26 Sep 2025 10:13:50 -0500 +Subject: smb client: fix bug with newly created file in cached dir + +From: Bharath SM + +commit aa12118dbcfe659697567c9daa0eac2c71e3fd37 upstream. + +Test generic/637 spotted a problem with create of a new file in a +cached directory (by the same client) could cause cases where the +new file does not show up properly in ls on that client until the +lease times out. + +Fixes: 037e1bae588e ("smb: client: use ParentLeaseKey in cifs_do_create") +Cc: stable@vger.kernel.org +Signed-off-by: Bharath SM +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/dir.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/smb/client/dir.c b/fs/smb/client/dir.c +index bc145436eba4..a233a5fe377b 100644 +--- a/fs/smb/client/dir.c ++++ b/fs/smb/client/dir.c +@@ -329,6 +329,7 @@ static int cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned + parent_cfid->fid.lease_key, + SMB2_LEASE_KEY_SIZE); + parent_cfid->dirents.is_valid = false; ++ parent_cfid->dirents.is_failed = true; + } + break; + } +-- +2.51.0 + diff --git a/queue-6.17/sparc-fix-error-handling-in-scan_one_device.patch b/queue-6.17/sparc-fix-error-handling-in-scan_one_device.patch new file mode 100644 index 0000000000..44d4b4aca2 --- /dev/null +++ b/queue-6.17/sparc-fix-error-handling-in-scan_one_device.patch @@ -0,0 +1,52 @@ +From 302c04110f0ce70d25add2496b521132548cd408 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Sat, 20 Sep 2025 20:53:12 +0800 +Subject: sparc: fix error handling in scan_one_device() + +From: Ma Ke + +commit 302c04110f0ce70d25add2496b521132548cd408 upstream. + +Once of_device_register() failed, we should call put_device() to +decrement reference count for cleanup. Or it could cause memory leak. +So fix this by calling put_device(), then the name can be freed in +kobject_cleanup(). + +Calling path: of_device_register() -> of_device_add() -> device_add(). +As comment of device_add() says, 'if device_add() succeeds, you should +call device_del() when you want to get rid of it. If device_add() has +not succeeded, use only put_device() to drop the reference count'. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") +Signed-off-by: Ma Ke +Reviewed-by: Andreas Larsson +Signed-off-by: Andreas Larsson +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/of_device_32.c | 1 + + arch/sparc/kernel/of_device_64.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/sparc/kernel/of_device_32.c ++++ b/arch/sparc/kernel/of_device_32.c +@@ -387,6 +387,7 @@ static struct platform_device * __init s + + if (of_device_register(op)) { + printk("%pOF: Could not register of device.\n", dp); ++ put_device(&op->dev); + kfree(op); + op = NULL; + } +--- a/arch/sparc/kernel/of_device_64.c ++++ b/arch/sparc/kernel/of_device_64.c +@@ -677,6 +677,7 @@ static struct platform_device * __init s + + if (of_device_register(op)) { + printk("%pOF: Could not register of device.\n", dp); ++ put_device(&op->dev); + kfree(op); + op = NULL; + } diff --git a/queue-6.17/sparc64-fix-hugetlb-for-sun4u.patch b/queue-6.17/sparc64-fix-hugetlb-for-sun4u.patch new file mode 100644 index 0000000000..6d61b7869a --- /dev/null +++ b/queue-6.17/sparc64-fix-hugetlb-for-sun4u.patch @@ -0,0 +1,64 @@ +From 6fd44a481b3c6111e4801cec964627791d0f3ec5 Mon Sep 17 00:00:00 2001 +From: Anthony Yznaga +Date: Tue, 15 Jul 2025 18:24:46 -0700 +Subject: sparc64: fix hugetlb for sun4u + +From: Anthony Yznaga + +commit 6fd44a481b3c6111e4801cec964627791d0f3ec5 upstream. + +An attempt to exercise sparc hugetlb code in a sun4u-based guest +running under qemu results in the guest hanging due to being stuck +in a trap loop. This is due to invalid hugetlb TTEs being installed +that do not have the expected _PAGE_PMD_HUGE and page size bits set. +Although the breakage has gone apparently unnoticed for several years, +fix it now so there is the option to exercise sparc hugetlb code under +qemu. This can be useful because sun4v support in qemu does not support +linux guests currently and sun4v-based hardware resources may not be +readily available. + +Fix tested with a 6.15.2 and 6.16-rc6 kernels by running libhugetlbfs +tests on a qemu guest running Debian 13. + +Fixes: c7d9f77d33a7 ("sparc64: Multi-page size support") +Cc: stable@vger.kernel.org +Signed-off-by: Anthony Yznaga +Tested-by: John Paul Adrian Glaubitz +Reviewed-by: John Paul Adrian Glaubitz +Reviewed-by: Andreas Larsson +Link: https://lore.kernel.org/r/20250716012446.10357-1-anthony.yznaga@oracle.com +Signed-off-by: Andreas Larsson +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/mm/hugetlbpage.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/arch/sparc/mm/hugetlbpage.c ++++ b/arch/sparc/mm/hugetlbpage.c +@@ -22,6 +22,26 @@ + + static pte_t sun4u_hugepage_shift_to_tte(pte_t entry, unsigned int shift) + { ++ unsigned long hugepage_size = _PAGE_SZ4MB_4U; ++ ++ pte_val(entry) = pte_val(entry) & ~_PAGE_SZALL_4U; ++ ++ switch (shift) { ++ case HPAGE_256MB_SHIFT: ++ hugepage_size = _PAGE_SZ256MB_4U; ++ pte_val(entry) |= _PAGE_PMD_HUGE; ++ break; ++ case HPAGE_SHIFT: ++ pte_val(entry) |= _PAGE_PMD_HUGE; ++ break; ++ case HPAGE_64K_SHIFT: ++ hugepage_size = _PAGE_SZ64K_4U; ++ break; ++ default: ++ WARN_ONCE(1, "unsupported hugepage shift=%u\n", shift); ++ } ++ ++ pte_val(entry) = pte_val(entry) | hugepage_size; + return entry; + } + diff --git a/queue-6.17/spi-cadence-quadspi-fix-cqspi_setup_flash.patch b/queue-6.17/spi-cadence-quadspi-fix-cqspi_setup_flash.patch new file mode 100644 index 0000000000..ca649ee87d --- /dev/null +++ b/queue-6.17/spi-cadence-quadspi-fix-cqspi_setup_flash.patch @@ -0,0 +1,71 @@ +From 858d4d9e0a9d6b64160ef3c824f428c9742172c4 Mon Sep 17 00:00:00 2001 +From: Santhosh Kumar K +Date: Sat, 6 Sep 2025 00:29:57 +0530 +Subject: spi: cadence-quadspi: Fix cqspi_setup_flash() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Santhosh Kumar K + +commit 858d4d9e0a9d6b64160ef3c824f428c9742172c4 upstream. + +The 'max_cs' stores the largest chip select number. It should only +be updated when the current 'cs' is greater than existing 'max_cs'. So, +fix the condition accordingly. + +Also, return failure if there are no flash device declared. + +Fixes: 0f3841a5e115 ("spi: cadence-qspi: report correct number of chip-select") +CC: stable@vger.kernel.org +Reviewed-by: Pratyush Yadav +Reviewed-by: Théo Lebrun +Signed-off-by: Santhosh Kumar K +Message-ID: <20250905185958.3575037-4-s-k6@ti.com> +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence-quadspi.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -1727,12 +1727,10 @@ static const struct spi_controller_mem_c + + static int cqspi_setup_flash(struct cqspi_st *cqspi) + { +- unsigned int max_cs = cqspi->num_chipselect - 1; + struct platform_device *pdev = cqspi->pdev; + struct device *dev = &pdev->dev; + struct cqspi_flash_pdata *f_pdata; +- unsigned int cs; +- int ret; ++ int ret, cs, max_cs = -1; + + /* Get flash device data */ + for_each_available_child_of_node_scoped(dev->of_node, np) { +@@ -1745,10 +1743,10 @@ static int cqspi_setup_flash(struct cqsp + if (cs >= cqspi->num_chipselect) { + dev_err(dev, "Chip select %d out of range.\n", cs); + return -EINVAL; +- } else if (cs < max_cs) { +- max_cs = cs; + } + ++ max_cs = max_t(int, cs, max_cs); ++ + f_pdata = &cqspi->f_pdata[cs]; + f_pdata->cqspi = cqspi; + f_pdata->cs = cs; +@@ -1758,6 +1756,11 @@ static int cqspi_setup_flash(struct cqsp + return ret; + } + ++ if (max_cs < 0) { ++ dev_err(dev, "No flash device declared\n"); ++ return -ENODEV; ++ } ++ + cqspi->num_chipselect = max_cs + 1; + return 0; + } diff --git a/queue-6.17/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch b/queue-6.17/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch new file mode 100644 index 0000000000..12574abe0f --- /dev/null +++ b/queue-6.17/spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch @@ -0,0 +1,53 @@ +From 1ad55767e77a853c98752ed1e33b68049a243bd7 Mon Sep 17 00:00:00 2001 +From: Pratyush Yadav +Date: Sat, 6 Sep 2025 00:29:56 +0530 +Subject: spi: cadence-quadspi: Flush posted register writes before DAC access + +From: Pratyush Yadav + +commit 1ad55767e77a853c98752ed1e33b68049a243bd7 upstream. + +cqspi_read_setup() and cqspi_write_setup() program the address width as +the last step in the setup. This is likely to be immediately followed by +a DAC region read/write. On TI K3 SoCs the DAC region is on a different +endpoint from the register region. This means that the order of the two +operations is not guaranteed, and they might be reordered at the +interconnect level. It is possible that the DAC read/write goes through +before the address width update goes through. In this situation if the +previous command used a different address width the OSPI command is sent +with the wrong number of address bytes, resulting in an invalid command +and undefined behavior. + +Read back the size register to make sure the write gets flushed before +accessing the DAC region. + +Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") +CC: stable@vger.kernel.org +Reviewed-by: Pratyush Yadav +Signed-off-by: Pratyush Yadav +Signed-off-by: Santhosh Kumar K +Message-ID: <20250905185958.3575037-3-s-k6@ti.com> +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence-quadspi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -720,6 +720,7 @@ static int cqspi_read_setup(struct cqspi + reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; + reg |= (op->addr.nbytes - 1); + writel(reg, reg_base + CQSPI_REG_SIZE); ++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ + return 0; + } + +@@ -1064,6 +1065,7 @@ static int cqspi_write_setup(struct cqsp + reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; + reg |= (op->addr.nbytes - 1); + writel(reg, reg_base + CQSPI_REG_SIZE); ++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ + return 0; + } + diff --git a/queue-6.17/spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch b/queue-6.17/spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch new file mode 100644 index 0000000000..f42dc7582c --- /dev/null +++ b/queue-6.17/spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch @@ -0,0 +1,52 @@ +From 29e0b471ccbd674d20d4bbddea1a51e7105212c5 Mon Sep 17 00:00:00 2001 +From: Pratyush Yadav +Date: Sat, 6 Sep 2025 00:29:55 +0530 +Subject: spi: cadence-quadspi: Flush posted register writes before INDAC access + +From: Pratyush Yadav + +commit 29e0b471ccbd674d20d4bbddea1a51e7105212c5 upstream. + +cqspi_indirect_read_execute() and cqspi_indirect_write_execute() first +set the enable bit on APB region and then start reading/writing to the +AHB region. On TI K3 SoCs these regions lie on different endpoints. This +means that the order of the two operations is not guaranteed, and they +might be reordered at the interconnect level. + +It is possible for the AHB write to be executed before the APB write to +enable the indirect controller, causing the transaction to be invalid +and the write erroring out. Read back the APB region write before +accessing the AHB region to make sure the write got flushed and the race +condition is eliminated. + +Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") +CC: stable@vger.kernel.org +Reviewed-by: Pratyush Yadav +Signed-off-by: Pratyush Yadav +Signed-off-by: Santhosh Kumar K +Message-ID: <20250905185958.3575037-2-s-k6@ti.com> +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence-quadspi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -765,6 +765,7 @@ static int cqspi_indirect_read_execute(s + reinit_completion(&cqspi->transfer_complete); + writel(CQSPI_REG_INDIRECTRD_START_MASK, + reg_base + CQSPI_REG_INDIRECTRD); ++ readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */ + + while (remaining > 0) { + if (use_irq && +@@ -1091,6 +1092,8 @@ static int cqspi_indirect_write_execute( + reinit_completion(&cqspi->transfer_complete); + writel(CQSPI_REG_INDIRECTWR_START_MASK, + reg_base + CQSPI_REG_INDIRECTWR); ++ readl(reg_base + CQSPI_REG_INDIRECTWR); /* Flush posted write. */ ++ + /* + * As per 66AK2G02 TRM SPRUHY8F section 11.15.5.3 Indirect Access + * Controller programming sequence, couple of cycles of diff --git a/queue-6.17/x86-fred-remove-endbr64-from-fred-entry-points.patch b/queue-6.17/x86-fred-remove-endbr64-from-fred-entry-points.patch new file mode 100644 index 0000000000..abe414152d --- /dev/null +++ b/queue-6.17/x86-fred-remove-endbr64-from-fred-entry-points.patch @@ -0,0 +1,57 @@ +From 3da01ffe1aeaa0d427ab5235ba735226670a80d9 Mon Sep 17 00:00:00 2001 +From: "Xin Li (Intel)" +Date: Tue, 15 Jul 2025 23:33:20 -0700 +Subject: x86/fred: Remove ENDBR64 from FRED entry points + +From: Xin Li (Intel) + +commit 3da01ffe1aeaa0d427ab5235ba735226670a80d9 upstream. + +The FRED specification has been changed in v9.0 to state that there +is no need for FRED event handlers to begin with ENDBR64, because +in the presence of supervisor indirect branch tracking, FRED event +delivery does not enter the WAIT_FOR_ENDBRANCH state. + +As a result, remove ENDBR64 from FRED entry points. + +Then add ANNOTATE_NOENDBR to indicate that FRED entry points will +never be used for indirect calls to suppress an objtool warning. + +This change implies that any indirect CALL/JMP to FRED entry points +causes #CP in the presence of supervisor indirect branch tracking. + +Credit goes to Jennifer Miller and other contributors +from Arizona State University whose research shows that placing ENDBR +at entry points has negative value thus led to this change. + +Note: This is obviously an incompatible change to the FRED +architecture. But, it's OK because there no FRED systems out in the +wild today. All production hardware and late pre-production hardware +will follow the FRED v9 spec and be compatible with this approach. + +[ dhansen: add note to changelog about incompatibility ] + +Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code") +Signed-off-by: Xin Li (Intel) +Signed-off-by: Dave Hansen +Reviewed-by: H. Peter Anvin (Intel) +Reviewed-by: Andrew Cooper +Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250716063320.1337818-1-xin%40zytor.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/entry_64_fred.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/entry/entry_64_fred.S ++++ b/arch/x86/entry/entry_64_fred.S +@@ -16,7 +16,7 @@ + + .macro FRED_ENTER + UNWIND_HINT_END_OF_STACK +- ENDBR ++ ANNOTATE_NOENDBR + PUSH_AND_CLEAR_REGS + movq %rsp, %rdi /* %rdi -> pt_regs */ + .endm diff --git a/queue-6.17/x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch b/queue-6.17/x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch new file mode 100644 index 0000000000..9dbdb7ca9e --- /dev/null +++ b/queue-6.17/x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch @@ -0,0 +1,56 @@ +From 32278c677947ae2f042c9535674a7fff9a245dd3 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 8 Aug 2025 10:23:56 -0700 +Subject: x86/umip: Check that the instruction opcode is at least two bytes + +From: Sean Christopherson + +commit 32278c677947ae2f042c9535674a7fff9a245dd3 upstream. + +When checking for a potential UMIP violation on #GP, verify the decoder found +at least two opcode bytes to avoid false positives when the kernel encounters +an unknown instruction that starts with 0f. Because the array of opcode.bytes +is zero-initialized by insn_init(), peeking at bytes[1] will misinterpret +garbage as a potential SLDT or STR instruction, and can incorrectly trigger +emulation. + +E.g. if a VPALIGNR instruction + + 62 83 c5 05 0f 08 ff vpalignr xmm17{k5},xmm23,XMMWORD PTR [r8],0xff + +hits a #GP, the kernel emulates it as STR and squashes the #GP (and corrupts +the userspace code stream). + +Arguably the check should look for exactly two bytes, but no three byte +opcodes use '0f 00 xx' or '0f 01 xx' as an escape, i.e. it should be +impossible to get a false positive if the first two opcode bytes match '0f 00' +or '0f 01'. Go with a more conservative check with respect to the existing +code to minimize the chances of breaking userspace, e.g. due to decoder +weirdness. + +Analyzed by Nick Bray . + +Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") +Reported-by: Dan Snyder +Signed-off-by: Sean Christopherson +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/umip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/umip.c ++++ b/arch/x86/kernel/umip.c +@@ -156,8 +156,8 @@ static int identify_insn(struct insn *in + if (!insn->modrm.nbytes) + return -EINVAL; + +- /* All the instructions of interest start with 0x0f. */ +- if (insn->opcode.bytes[0] != 0xf) ++ /* The instructions of interest have 2-byte opcodes: 0F 00 or 0F 01. */ ++ if (insn->opcode.nbytes < 2 || insn->opcode.bytes[0] != 0xf) + return -EINVAL; + + if (insn->opcode.bytes[1] == 0x1) { diff --git a/queue-6.17/x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch b/queue-6.17/x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch new file mode 100644 index 0000000000..df0f3ea3c0 --- /dev/null +++ b/queue-6.17/x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch @@ -0,0 +1,48 @@ +From 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 8 Aug 2025 10:23:57 -0700 +Subject: x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) + +From: Sean Christopherson + +commit 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf upstream. + +Filter out the register forms of 0F 01 when determining whether or not to +emulate in response to a potential UMIP violation #GP, as SGDT and SIDT only +accept memory operands. The register variants of 0F 01 are used to encode +instructions for things like VMX and SGX, i.e. not checking the Mod field +would cause the kernel to incorrectly emulate on #GP, e.g. due to a CPL +violation on VMLAUNCH. + +Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") +Signed-off-by: Sean Christopherson +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/umip.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/x86/kernel/umip.c ++++ b/arch/x86/kernel/umip.c +@@ -163,8 +163,19 @@ static int identify_insn(struct insn *in + if (insn->opcode.bytes[1] == 0x1) { + switch (X86_MODRM_REG(insn->modrm.value)) { + case 0: ++ /* The reg form of 0F 01 /0 encodes VMX instructions. */ ++ if (X86_MODRM_MOD(insn->modrm.value) == 3) ++ return -EINVAL; ++ + return UMIP_INST_SGDT; + case 1: ++ /* ++ * The reg form of 0F 01 /1 encodes MONITOR/MWAIT, ++ * STAC/CLAC, and ENCLS. ++ */ ++ if (X86_MODRM_MOD(insn->modrm.value) == 3) ++ return -EINVAL; ++ + return UMIP_INST_SIDT; + case 4: + return UMIP_INST_SMSW; diff --git a/queue-6.17/xfs-use-deferred-intent-items-for-reaping-crosslinked-blocks.patch b/queue-6.17/xfs-use-deferred-intent-items-for-reaping-crosslinked-blocks.patch new file mode 100644 index 0000000000..d1819cbc87 --- /dev/null +++ b/queue-6.17/xfs-use-deferred-intent-items-for-reaping-crosslinked-blocks.patch @@ -0,0 +1,50 @@ +From cd32a0c0dcdf634f2e0e71f41c272e19dece6264 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Tue, 8 Apr 2025 16:14:32 -0700 +Subject: xfs: use deferred intent items for reaping crosslinked blocks + +From: Darrick J. Wong + +commit cd32a0c0dcdf634f2e0e71f41c272e19dece6264 upstream. + +When we're removing rmap records for crosslinked blocks, use deferred +intent items so that we can try to free/unmap as many of the old data +structure's blocks as we can in the same transaction as the commit. + +Cc: # v6.6 +Fixes: 1c7ce115e52106 ("xfs: reap large AG metadata extents when possible") +Signed-off-by: "Darrick J. Wong" +Reviewed-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/scrub/reap.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/xfs/scrub/reap.c ++++ b/fs/xfs/scrub/reap.c +@@ -416,8 +416,6 @@ xreap_agextent_iter( + trace_xreap_dispose_unmap_extent(pag_group(sc->sa.pag), agbno, + *aglenp); + +- rs->force_roll = true; +- + if (rs->oinfo == &XFS_RMAP_OINFO_COW) { + /* + * If we're unmapping CoW staging extents, remove the +@@ -426,11 +424,14 @@ xreap_agextent_iter( + */ + xfs_refcount_free_cow_extent(sc->tp, false, fsbno, + *aglenp); ++ rs->force_roll = true; + return 0; + } + +- return xfs_rmap_free(sc->tp, sc->sa.agf_bp, sc->sa.pag, agbno, +- *aglenp, rs->oinfo); ++ xfs_rmap_free_extent(sc->tp, false, fsbno, *aglenp, ++ rs->oinfo->oi_owner); ++ rs->deferred++; ++ return 0; + } + + trace_xreap_dispose_free_extent(pag_group(sc->sa.pag), agbno, *aglenp); diff --git a/queue-6.17/xsk-harden-userspace-supplied-xdp_desc-validation.patch b/queue-6.17/xsk-harden-userspace-supplied-xdp_desc-validation.patch new file mode 100644 index 0000000000..2a3b56b482 --- /dev/null +++ b/queue-6.17/xsk-harden-userspace-supplied-xdp_desc-validation.patch @@ -0,0 +1,127 @@ +From 07ca98f906a403637fc5e513a872a50ef1247f3b Mon Sep 17 00:00:00 2001 +From: Alexander Lobakin +Date: Wed, 8 Oct 2025 18:56:59 +0200 +Subject: xsk: Harden userspace-supplied xdp_desc validation + +From: Alexander Lobakin + +commit 07ca98f906a403637fc5e513a872a50ef1247f3b upstream. + +Turned out certain clearly invalid values passed in xdp_desc from +userspace can pass xp_{,un}aligned_validate_desc() and then lead +to UBs or just invalid frames to be queued for xmit. + +desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len +can cause positive integer overflow and wraparound, the same way low +enough desc->addr with a non-zero pool->tx_metadata_len can cause +negative integer overflow. Both scenarios can then pass the +validation successfully. +This doesn't happen with valid XSk applications, but can be used +to perform attacks. + +Always promote desc->len to ``u64`` first to exclude positive +overflows of it. Use explicit check_{add,sub}_overflow() when +validating desc->addr (which is ``u64`` already). + +bloat-o-meter reports a little growth of the code size: + +add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44) +Function old new delta +xskq_cons_peek_desc 299 330 +31 +xsk_tx_peek_release_desc_batch 973 1002 +29 +xsk_generic_xmit 3148 3132 -16 + +but hopefully this doesn't hurt the performance much. + +Fixes: 341ac980eab9 ("xsk: Support tx_metadata_len") +Cc: stable@vger.kernel.org # 6.8+ +Signed-off-by: Alexander Lobakin +Reviewed-by: Jason Xing +Reviewed-by: Maciej Fijalkowski +Link: https://lore.kernel.org/r/20251008165659.4141318-1-aleksander.lobakin@intel.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + net/xdp/xsk_queue.h | 45 +++++++++++++++++++++++++++++++++++---------- + 1 file changed, 35 insertions(+), 10 deletions(-) + +--- a/net/xdp/xsk_queue.h ++++ b/net/xdp/xsk_queue.h +@@ -143,14 +143,24 @@ static inline bool xp_unused_options_set + static inline bool xp_aligned_validate_desc(struct xsk_buff_pool *pool, + struct xdp_desc *desc) + { +- u64 addr = desc->addr - pool->tx_metadata_len; +- u64 len = desc->len + pool->tx_metadata_len; +- u64 offset = addr & (pool->chunk_size - 1); ++ u64 len = desc->len; ++ u64 addr, offset; + +- if (!desc->len) ++ if (!len) + return false; + +- if (offset + len > pool->chunk_size) ++ /* Can overflow if desc->addr < pool->tx_metadata_len */ ++ if (check_sub_overflow(desc->addr, pool->tx_metadata_len, &addr)) ++ return false; ++ ++ offset = addr & (pool->chunk_size - 1); ++ ++ /* ++ * Can't overflow: @offset is guaranteed to be < ``U32_MAX`` ++ * (pool->chunk_size is ``u32``), @len is guaranteed ++ * to be <= ``U32_MAX``. ++ */ ++ if (offset + len + pool->tx_metadata_len > pool->chunk_size) + return false; + + if (addr >= pool->addrs_cnt) +@@ -158,27 +168,42 @@ static inline bool xp_aligned_validate_d + + if (xp_unused_options_set(desc->options)) + return false; ++ + return true; + } + + static inline bool xp_unaligned_validate_desc(struct xsk_buff_pool *pool, + struct xdp_desc *desc) + { +- u64 addr = xp_unaligned_add_offset_to_addr(desc->addr) - pool->tx_metadata_len; +- u64 len = desc->len + pool->tx_metadata_len; ++ u64 len = desc->len; ++ u64 addr, end; + +- if (!desc->len) ++ if (!len) + return false; + ++ /* Can't overflow: @len is guaranteed to be <= ``U32_MAX`` */ ++ len += pool->tx_metadata_len; + if (len > pool->chunk_size) + return false; + +- if (addr >= pool->addrs_cnt || addr + len > pool->addrs_cnt || +- xp_desc_crosses_non_contig_pg(pool, addr, len)) ++ /* Can overflow if desc->addr is close to 0 */ ++ if (check_sub_overflow(xp_unaligned_add_offset_to_addr(desc->addr), ++ pool->tx_metadata_len, &addr)) ++ return false; ++ ++ if (addr >= pool->addrs_cnt) ++ return false; ++ ++ /* Can overflow if pool->addrs_cnt is high enough */ ++ if (check_add_overflow(addr, len, &end) || end > pool->addrs_cnt) ++ return false; ++ ++ if (xp_desc_crosses_non_contig_pg(pool, addr, len)) + return false; + + if (xp_unused_options_set(desc->options)) + return false; ++ + return true; + } + diff --git a/queue-6.17/xtensa-simdisk-add-input-size-check-in-proc_write_simdisk.patch b/queue-6.17/xtensa-simdisk-add-input-size-check-in-proc_write_simdisk.patch new file mode 100644 index 0000000000..7ee31166ff --- /dev/null +++ b/queue-6.17/xtensa-simdisk-add-input-size-check-in-proc_write_simdisk.patch @@ -0,0 +1,44 @@ +From 5d5f08fd0cd970184376bee07d59f635c8403f63 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Fri, 29 Aug 2025 16:30:15 +0800 +Subject: xtensa: simdisk: add input size check in proc_write_simdisk + +From: Miaoqian Lin + +commit 5d5f08fd0cd970184376bee07d59f635c8403f63 upstream. + +A malicious user could pass an arbitrarily bad value +to memdup_user_nul(), potentially causing kernel crash. + +This follows the same pattern as commit ee76746387f6 +("netdevsim: prevent bad user input in nsim_dev_health_break_write()") + +Fixes: b6c7e873daf7 ("xtensa: ISS: add host file-based simulated disk") +Fixes: 16e5c1fc3604 ("convert a bunch of open-coded instances of memdup_user_nul()") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Message-Id: <20250829083015.1992751-1-linmq006@gmail.com> +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman +--- + arch/xtensa/platforms/iss/simdisk.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/xtensa/platforms/iss/simdisk.c ++++ b/arch/xtensa/platforms/iss/simdisk.c +@@ -231,10 +231,14 @@ static ssize_t proc_read_simdisk(struct + static ssize_t proc_write_simdisk(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) + { +- char *tmp = memdup_user_nul(buf, count); ++ char *tmp; + struct simdisk *dev = pde_data(file_inode(file)); + int err; + ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; ++ ++ tmp = memdup_user_nul(buf, count); + if (IS_ERR(tmp)) + return PTR_ERR(tmp); +