From: Greg Kroah-Hartman Date: Mon, 28 Apr 2025 12:10:11 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v5.4.293~63 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ebd362dc430bf426e6a2cc5d1e231a06dca3e4c8;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: ata-libata-scsi-fix-ata_mselect_control_ata_feature-return-type.patch ata-libata-scsi-fix-ata_msense_control_ata_feature.patch ata-libata-scsi-improve-cdl-control.patch crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch cxl-core-regs.c-skip-memory-space-enable-check-for-rcd-and-rch-ports.patch drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch drm-amd-display-force-full-update-in-gpu-reset.patch drm-panel-jd9365da-fix-reset-signal-polarity-in-unprepare.patch io_uring-fix-sync-handling-of-io_fallback_tw.patch irqchip-gic-v2m-prevent-use-after-free-of-gicv2m_get_fwnode.patch kvm-svm-allocate-ir-data-using-atomic-allocation.patch loongarch-handle-fp-lsx-lasx-and-lbt-assembly-symbols.patch loongarch-kvm-fix-pmu-pass-through-issue-if-vm-exits-to-host-finally.patch loongarch-kvm-fully-clear-some-csrs-when-vm-reboot.patch loongarch-remove-a-bogus-reference-to-zone_dma.patch loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch mei-me-add-panther-lake-h-did.patch mei-vsc-fix-fortify-panic-caused-by-invalid-counted_by-use.patch net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch rust-firmware-use-ffi-c_char-type-in-fwfunc.patch sched_ext-use-kvzalloc-for-large-exit_dump-allocation.patch scsi-improve-cdl-control.patch scsi-mpi3mr-fix-pending-i-o-counter.patch usb-storage-quirk-for-adata-portable-hdd-ch94.patch virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch x86-insn-fix-ctest-instruction-decoding.patch xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch --- 
diff --git a/queue-6.12/ata-libata-scsi-fix-ata_mselect_control_ata_feature-return-type.patch b/queue-6.12/ata-libata-scsi-fix-ata_mselect_control_ata_feature-return-type.patch
new file mode 100644
index 0000000000..bbde18bc49
--- /dev/null
+++ b/queue-6.12/ata-libata-scsi-fix-ata_mselect_control_ata_feature-return-type.patch
@@ -0,0 +1,46 @@
+From db91586b1e8f36122a9e5b8fbced11741488dd22 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Fri, 18 Apr 2025 15:40:14 +0900
+Subject: ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type
+
+From: Damien Le Moal
+
+commit db91586b1e8f36122a9e5b8fbced11741488dd22 upstream.
+
+The function ata_mselect_control_ata_feature() has a return type defined
+as unsigned int but this function may return negative error codes, which
+are correctly propagated up the call chain as integers.
+
+Fix ata_mselect_control_ata_feature() to have the correct int return
+type.
+
+While at it, also fix a typo in this function description comment.
+
+Fixes: df60f9c64576 ("scsi: ata: libata: Add ATA feature control sub-page translation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal
+Reviewed-by: Niklas Cassel
+Reviewed-by: Igor Pylypiv
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-scsi.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3734,12 +3734,11 @@ static int ata_mselect_control_spg0(stru
+ }
+
+ /*
+- * Translate MODE SELECT control mode page, sub-pages f2h (ATA feature mode
++ * Translate MODE SELECT control mode page, sub-page f2h (ATA feature mode
+ * page) into a SET FEATURES command.
+ */
+-static unsigned int ata_mselect_control_ata_feature(struct ata_queued_cmd *qc,
+- const u8 *buf, int len,
+- u16 *fp)
++static int ata_mselect_control_ata_feature(struct ata_queued_cmd *qc,
++ const u8 *buf, int len, u16 *fp)
+ {
+ struct ata_device *dev = qc->dev;
+ struct ata_taskfile *tf = &qc->tf;
diff --git a/queue-6.12/ata-libata-scsi-fix-ata_msense_control_ata_feature.patch b/queue-6.12/ata-libata-scsi-fix-ata_msense_control_ata_feature.patch
new file mode 100644
index 0000000000..81d51663fb
--- /dev/null
+++ b/queue-6.12/ata-libata-scsi-fix-ata_msense_control_ata_feature.patch
@@ -0,0 +1,50 @@
+From 88474ad734fb2000805c63e01cc53ea930adf2c7 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Sun, 13 Apr 2025 14:45:30 +0900
+Subject: ata: libata-scsi: Fix ata_msense_control_ata_feature()
+
+From: Damien Le Moal
+
+commit 88474ad734fb2000805c63e01cc53ea930adf2c7 upstream.
+
+For the ATA features subpage of the control mode page, the T10 SAT-6
+specifications state that:
+
+For a MODE SENSE command, the SATL shall return the CDL_CTRL field value
+that was last set by an application client.
+
+However, the function ata_msense_control_ata_feature() always sets the
+CDL_CTRL field to the 0x02 value to indicate support for the CDL T2A and
+T2B pages. This is thus incorrect and the value 0x02 must be reported
+only after the user enables the CDL feature, which is indicated with the
+ATA_DFLAG_CDL_ENABLED device flag. When this flag is not set, the
+CDL_CTRL field of the ATA feature subpage of the control mode page must
+report a value of 0x00.
+
+Fix ata_msense_control_ata_feature() to report the correct values for
+the CDL_CTRL field, according to the enable/disable state of the device
+CDL feature.
+
+Fixes: df60f9c64576 ("scsi: ata: libata: Add ATA feature control sub-page translation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal
+Reviewed-by: Niklas Cassel
+Reviewed-by: Igor Pylypiv
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -2325,8 +2325,8 @@ static unsigned int ata_msense_control_a
+ */
+ put_unaligned_be16(ATA_FEATURE_SUB_MPAGE_LEN - 4, &buf[2]);
+
+- if (dev->flags & ATA_DFLAG_CDL)
+- buf[4] = 0x02; /* Support T2A and T2B pages */
++ if (dev->flags & ATA_DFLAG_CDL_ENABLED)
++ buf[4] = 0x02; /* T2A and T2B pages enabled */
+ else
+ buf[4] = 0;
+
diff --git a/queue-6.12/ata-libata-scsi-improve-cdl-control.patch b/queue-6.12/ata-libata-scsi-improve-cdl-control.patch
new file mode 100644
index 0000000000..9c949eb737
--- /dev/null
+++ b/queue-6.12/ata-libata-scsi-improve-cdl-control.patch
@@ -0,0 +1,74 @@
+From 17e897a456752ec9c2d7afb3d9baf268b442451b Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Mon, 14 Apr 2025 10:25:05 +0900
+Subject: ata: libata-scsi: Improve CDL control
+
+From: Damien Le Moal
+
+commit 17e897a456752ec9c2d7afb3d9baf268b442451b upstream.
+
+With ATA devices supporting the CDL feature, using CDL requires that the
+feature be enabled with a SET FEATURES command. This command is issued
+as the translated command for the MODE SELECT command issued by
+scsi_cdl_enable() when the user enables CDL through the device
+cdl_enable sysfs attribute.
+
+Currently, ata_mselect_control_ata_feature() always translates a MODE
+SELECT command for the ATA features subpage of the control mode page to
+a SET FEATURES command to enable or disable CDL based on the cdl_ctrl
+field. However, there is no need to issue the SET FEATURES command if:
+1) The MODE SELECT command requests disabling CDL and CDL is already
+ disabled.
+2) The MODE SELECT command requests enabling CDL and CDL is already
+ enabled.
+
+Fix ata_mselect_control_ata_feature() to issue the SET FEATURES command
+only when necessary. Since enabling CDL also implies a reset of the CDL
+statistics log page, avoiding useless CDL enable operations also avoids
+clearing the CDL statistics log.
+
+Also add debug messages to clearly signal when CDL is being enabled or
+disabled using a SET FEATURES command.
+
+Fixes: df60f9c64576 ("scsi: ata: libata: Add ATA feature control sub-page translation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal
+Reviewed-by: Niklas Cassel
+Reviewed-by: Igor Pylypiv
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-scsi.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3757,17 +3757,27 @@ static unsigned int ata_mselect_control_
+ /* Check cdl_ctrl */
+ switch (buf[0] & 0x03) {
+ case 0:
+- /* Disable CDL */
++ /* Disable CDL if it is enabled */
++ if (!(dev->flags & ATA_DFLAG_CDL_ENABLED))
++ return 0;
++ ata_dev_dbg(dev, "Disabling CDL\n");
+ cdl_action = 0;
+ dev->flags &= ~ATA_DFLAG_CDL_ENABLED;
+ break;
+ case 0x02:
+- /* Enable CDL T2A/T2B: NCQ priority must be disabled */
++ /*
++ * Enable CDL if not already enabled. Since this is mutually
++ * exclusive with NCQ priority, allow this only if NCQ priority
++ * is disabled.
++ */
++ if (dev->flags & ATA_DFLAG_CDL_ENABLED)
++ return 0;
+ if (dev->flags & ATA_DFLAG_NCQ_PRIO_ENABLED) {
+ ata_dev_err(dev,
+ "NCQ priority must be disabled to enable CDL\n");
+ return -EINVAL;
+ }
++ ata_dev_dbg(dev, "Enabling CDL\n");
+ cdl_action = 1;
+ dev->flags |= ATA_DFLAG_CDL_ENABLED;
+ break;
diff --git a/queue-6.12/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch b/queue-6.12/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch
new file mode 100644
index 0000000000..58f2ee24d7
--- /dev/null
+++ b/queue-6.12/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch
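Review bot: In the `case 0x02` branch of ata_mselect_control_ata_feature() (ata-libata-scsi-improve-cdl-control.patch), the new `if (dev->flags & ATA_DFLAG_CDL_ENABLED) return 0;` trusts a flag that the same branch sets with `dev->flags |= ATA_DFLAG_CDL_ENABLED;` while the command is only being translated, before SET FEATURES has run. If that command later fails and nothing outside the hunk rolls the flag back, every further enable request would return success without touching the device, where the old code would have re-issued the command; the `case 0` branch has the mirror-image problem. The completion and error paths are not visible here, so this needs confirming; if the flag is not restored on failure, it should be updated on successful completion instead. A short comment at each early return saying what a 0 return means to the caller would also help, since that contract is defined outside this hunk.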
@@ -0,0 +1,45 @@
+From 8006aff15516a170640239c5a8e6696c0ba18d8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Tue, 22 Apr 2025 11:57:18 +0200
+Subject: crypto: atmel-sha204a - Set hwrng quality to lowest possible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+commit 8006aff15516a170640239c5a8e6696c0ba18d8e upstream.
+
+According to the review by Bill Cox [1], the Atmel SHA204A random number
+generator produces random numbers with very low entropy.
+
+Set the lowest possible entropy for this chip just to be safe.
+
+[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
+
+Fixes: da001fb651b00e1d ("crypto: atmel-i2c - add support for SHA204A random number generator")
+Cc:
+Signed-off-by: Marek Behún
+Acked-by: Ard Biesheuvel
+Reviewed-by: Linus Walleij
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/atmel-sha204a.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/crypto/atmel-sha204a.c
++++ b/drivers/crypto/atmel-sha204a.c
+@@ -163,6 +163,12 @@ static int atmel_sha204a_probe(struct i2
+ i2c_priv->hwrng.name = dev_name(&client->dev);
+ i2c_priv->hwrng.read = atmel_sha204a_rng_read;
+
++ /*
++ * According to review by Bill Cox [1], this HWRNG has very low entropy.
++ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
++ */
++ i2c_priv->hwrng.quality = 1;
++
+ ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng);
+ if (ret)
+ dev_warn(&client->dev, "failed to register RNG (%d)\n", ret);
diff --git a/queue-6.12/cxl-core-regs.c-skip-memory-space-enable-check-for-rcd-and-rch-ports.patch b/queue-6.12/cxl-core-regs.c-skip-memory-space-enable-check-for-rcd-and-rch-ports.patch
new file mode 100644
index 0000000000..2cea47d605
--- /dev/null
+++ b/queue-6.12/cxl-core-regs.c-skip-memory-space-enable-check-for-rcd-and-rch-ports.patch
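Review bot: The comment added above `i2c_priv->hwrng.quality = 1;` in atmel_sha204a_probe() says why the generator is distrusted but not why the value is 1 rather than 0, so a later cleanup could "lower" it to 0. As far as I know the hwrng core treats a quality of 0 as unset and substitutes its own default, which would undo this change; that should be checked against the hwrng core in this tree and recorded, e.g. `* quality is entropy bits per 1024 bits of input; 0 would be taken as "unset", so 1 is the lowest usable value.` It is also worth stating in the description that this only limits how much entropy the kernel credits from the device; anything reading the device's raw output directly presumably still gets the same low-entropy data.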
@@ -0,0 +1,70 @@
+From 078d3ee7c162cd66d76171579c02d7890bd77daf Mon Sep 17 00:00:00 2001
+From: Smita Koralahalli
+Date: Mon, 7 Apr 2025 19:27:34 +0000
+Subject: cxl/core/regs.c: Skip Memory Space Enable check for RCD and RCH Ports
+
+From: Smita Koralahalli
+
+commit 078d3ee7c162cd66d76171579c02d7890bd77daf upstream.
+
+According to CXL r3.2 section 8.2.1.2, the PCI_COMMAND register fields,
+including Memory Space Enable bit, have no effect on the behavior of an
+RCD Upstream Port. Retaining this check may incorrectly cause
+cxl_pci_probe() to fail on a valid RCD upstream Port.
+
+While the specification is explicit only for RCD Upstream Ports, this
+check is solely for accessing the RCRB, which is always mapped through
+memory space. Therefore, its safe to remove the check entirely. In
+practice, firmware reliably enables the Memory Space Enable bit for
+RCH Downstream Ports and no failures have been observed.
+
+Removing the check simplifies the code and avoids unnecessary
+special-casing, while relying on BIOS/firmware to configure devices
+correctly. Moreover, any failures due to inaccessible RCRB regions
+will still be caught either in __rcrb_to_component() or while
+parsing the component register block.
+
+The following failure was observed in dmesg when the check was present:
+ cxl_pci 0000:7f:00.0: No component registers (-6)
+
+Fixes: d5b1a27143cb ("cxl/acpi: Extract component registers of restricted hosts from RCRB")
+Signed-off-by: Smita Koralahalli
+Cc:
+Reviewed-by: Ira Weiny
+Reviewed-by: Terry Bowman
+Reviewed-by: Dave Jiang
+Reviewed-by: Robert Richter
+Link: https://patch.msgid.link/20250407192734.70631-1-Smita.KoralahalliChannabasappa@amd.com
+Signed-off-by: Dave Jiang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cxl/core/regs.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/cxl/core/regs.c
++++ b/drivers/cxl/core/regs.c
+@@ -513,7 +513,6 @@ resource_size_t __rcrb_to_component(stru
+ resource_size_t rcrb = ri->base;
+ void __iomem *addr;
+ u32 bar0, bar1;
+- u16 cmd;
+ u32 id;
+
+ if (which == CXL_RCRB_UPSTREAM)
+@@ -535,7 +534,6 @@ resource_size_t __rcrb_to_component(stru
+ }
+
+ id = readl(addr + PCI_VENDOR_ID);
+- cmd = readw(addr + PCI_COMMAND);
+ bar0 = readl(addr + PCI_BASE_ADDRESS_0);
+ bar1 = readl(addr + PCI_BASE_ADDRESS_1);
+ iounmap(addr);
+@@ -550,8 +548,6 @@ resource_size_t __rcrb_to_component(stru
+ dev_err(dev, "Failed to access Downstream Port RCRB\n");
+ return CXL_RESOURCE_NONE;
+ }
+- if (!(cmd & PCI_COMMAND_MEMORY))
+- return CXL_RESOURCE_NONE;
+ /* The RCRB is a Memory Window, and the MEM_TYPE_1M bit is obsolete */
+ if (bar0 & (PCI_BASE_ADDRESS_MEM_TYPE_1M | PCI_BASE_ADDRESS_SPACE_IO))
+ return CXL_RESOURCE_NONE;
diff --git a/queue-6.12/drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch b/queue-6.12/drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch
new file mode 100644
index 0000000000..d7662d9b2f
--- /dev/null
+++ b/queue-6.12/drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch
@@ -0,0 +1,53 @@
+From 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 Mon Sep 17 00:00:00 2001
+From: Roman Li
+Date: Tue, 1 Apr 2025 17:05:10 -0400
+Subject: drm/amd/display: Fix gpu reset in multidisplay config
+
+From: Roman Li
+
+commit 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 upstream.
+
+[Why]
+The indexing of stream_status in dm_gpureset_commit_state() is incorrect.
+That leads to asserts in multi-display configuration after gpu reset.
+
+[How]
+Adjust the indexing logic to align stream_status with surface_updates.
+
+Fixes: cdaae8371aa9 ("drm/amd/display: Handle GPU reset for DC block")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3808
+Reviewed-by: Aurabindo Pillai
+Reviewed-by: Mario Limonciello
+Signed-off-by: Roman Li
+Signed-off-by: Zaeem Mohamed
+Tested-by: Mark Broadworth
+Signed-off-by: Alex Deucher
+(cherry picked from commit d91bc901398741d317d9b55c59ca949d4bc7394b)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -3216,16 +3216,16 @@ static void dm_gpureset_commit_state(str
+ for (k = 0; k < dc_state->stream_count; k++) {
+ bundle->stream_update.stream = dc_state->streams[k];
+
+- for (m = 0; m < dc_state->stream_status->plane_count; m++) {
++ for (m = 0; m < dc_state->stream_status[k].plane_count; m++) {
+ bundle->surface_updates[m].surface =
+- dc_state->stream_status->plane_states[m];
++ dc_state->stream_status[k].plane_states[m];
+ bundle->surface_updates[m].surface->force_full_update =
+ true;
+ }
+
+ update_planes_and_stream_adapter(dm->dc,
+ UPDATE_TYPE_FULL,
+- dc_state->stream_status->plane_count,
++ dc_state->stream_status[k].plane_count,
+ dc_state->streams[k],
+ &bundle->stream_update,
+ bundle->surface_updates);
diff --git a/queue-6.12/drm-amd-display-force-full-update-in-gpu-reset.patch b/queue-6.12/drm-amd-display-force-full-update-in-gpu-reset.patch
new file mode 100644
index 0000000000..aa0e8c8ab1
--- /dev/null
+++ b/queue-6.12/drm-amd-display-force-full-update-in-gpu-reset.patch
@@ -0,0 +1,41 @@
+From 67fe574651c73fe5cc176e35f28f2ec1ba498d14 Mon Sep 17 00:00:00 2001
+From: Roman Li
+Date: Wed, 26 Mar 2025 10:33:51 -0400
+Subject: drm/amd/display: Force full update in gpu reset
+
+From: Roman Li
+
+commit 67fe574651c73fe5cc176e35f28f2ec1ba498d14 upstream.
+
+[Why]
+While system undergoing gpu reset always do full update
+to sync the dc state before and after reset.
+
+[How]
+Return true in should_reset_plane() if gpu reset detected
+
+Reviewed-by: Aurabindo Pillai
+Reviewed-by: Mario Limonciello
+Signed-off-by: Roman Li
+Signed-off-by: Zaeem Mohamed
+Tested-by: Mark Broadworth
+Signed-off-by: Alex Deucher
+(cherry picked from commit 2ba8619b9a378ad218ad6c2e2ccaee8f531e08de)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -10775,6 +10775,9 @@ static bool should_reset_plane(struct dr
+ state->allow_modeset)
+ return true;
+
++ if (amdgpu_in_reset(adev) && state->allow_modeset)
++ return true;
++
+ /* Exit early if we know that we're adding or removing the plane. */
+ if (old_plane_state->crtc != new_plane_state->crtc)
+ return true;
diff --git a/queue-6.12/drm-panel-jd9365da-fix-reset-signal-polarity-in-unprepare.patch b/queue-6.12/drm-panel-jd9365da-fix-reset-signal-polarity-in-unprepare.patch
new file mode 100644
index 0000000000..0cf1dad0b9
--- /dev/null
+++ b/queue-6.12/drm-panel-jd9365da-fix-reset-signal-polarity-in-unprepare.patch
@@ -0,0 +1,51 @@
+From 095c8e61f4c71cd4630ee11a82e82cc341b38464 Mon Sep 17 00:00:00 2001
+From: Hugo Villeneuve
+Date: Thu, 17 Apr 2025 15:55:06 -0400
+Subject: drm: panel: jd9365da: fix reset signal polarity in unprepare
+
+From: Hugo Villeneuve
+
+commit 095c8e61f4c71cd4630ee11a82e82cc341b38464 upstream.
+
+commit a8972d5a49b4 ("drm: panel: jd9365da-h3: fix reset signal polarity")
+fixed reset signal polarity in jadard_dsi_probe() and jadard_prepare().
+
+It was not done in jadard_unprepare() because of an incorrect assumption
+about reset line handling in power off mode. After looking into the
+datasheet, it now appears that before disabling regulators, the reset line
+is deasserted first, and if reset_before_power_off_vcioo is true, then the
+reset line is asserted.
+
+Fix reset polarity by inverting gpiod_set_value() second argument in
+in jadard_unprepare().
+
+Fixes: 6b818c533dd8 ("drm: panel: Add Jadard JD9365DA-H3 DSI panel")
+Fixes: 2b976ad760dc ("drm/panel: jd9365da: Support for kd101ne3-40ti MIPI-DSI panel")
+Fixes: a8972d5a49b4 ("drm: panel: jd9365da-h3: fix reset signal polarity")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hugo Villeneuve
+Reviewed-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20250417195507.778731-1-hugo@hugovil.com
+Signed-off-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20250417195507.778731-1-hugo@hugovil.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c
++++ b/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c
+@@ -129,11 +129,11 @@ static int jadard_unprepare(struct drm_p
+ {
+ struct jadard *jadard = panel_to_jadard(panel);
+
+- gpiod_set_value(jadard->reset, 1);
++ gpiod_set_value(jadard->reset, 0);
+ msleep(120);
+
+ if (jadard->desc->reset_before_power_off_vcioo) {
+- gpiod_set_value(jadard->reset, 0);
++ gpiod_set_value(jadard->reset, 1);
+
+ usleep_range(1000, 2000);
+ }
diff --git a/queue-6.12/io_uring-fix-sync-handling-of-io_fallback_tw.patch b/queue-6.12/io_uring-fix-sync-handling-of-io_fallback_tw.patch
new file mode 100644
index 0000000000..49fb6d4b59
--- /dev/null
+++ b/queue-6.12/io_uring-fix-sync-handling-of-io_fallback_tw.patch
@@ -0,0 +1,53 @@
+From edd43f4d6f50ec3de55a0c9e9df6348d1da51965 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 24 Apr 2025 10:28:14 -0600
+Subject: io_uring: fix 'sync' handling of io_fallback_tw()
+
+From: Jens Axboe
+
+commit edd43f4d6f50ec3de55a0c9e9df6348d1da51965 upstream.
+
+A previous commit added a 'sync' parameter to io_fallback_tw(), which if
+true, means the caller wants to wait on the fallback thread handling it.
+But the logic is somewhat messed up, ensure that ctxs are swapped and
+flushed appropriately.
+
+Cc: stable@vger.kernel.org
+Fixes: dfbe5561ae93 ("io_uring: flush offloaded and delayed task_work on exit")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1103,21 +1103,22 @@ static __cold void io_fallback_tw(struct
+ while (node) {
+ req = container_of(node, struct io_kiocb, io_task_work.node);
+ node = node->next;
+- if (sync && last_ctx != req->ctx) {
++ if (last_ctx != req->ctx) {
+ if (last_ctx) {
+- flush_delayed_work(&last_ctx->fallback_work);
++ if (sync)
++ flush_delayed_work(&last_ctx->fallback_work);
+ percpu_ref_put(&last_ctx->refs);
+ }
+ last_ctx = req->ctx;
+ percpu_ref_get(&last_ctx->refs);
+ }
+- if (llist_add(&req->io_task_work.node,
+- &req->ctx->fallback_llist))
+- schedule_delayed_work(&req->ctx->fallback_work, 1);
++ if (llist_add(&req->io_task_work.node, &last_ctx->fallback_llist))
++ schedule_delayed_work(&last_ctx->fallback_work, 1);
+ }
+
+ if (last_ctx) {
+- flush_delayed_work(&last_ctx->fallback_work);
++ if (sync)
++ flush_delayed_work(&last_ctx->fallback_work);
+ percpu_ref_put(&last_ctx->refs);
+ }
+ }
diff --git a/queue-6.12/irqchip-gic-v2m-prevent-use-after-free-of-gicv2m_get_fwnode.patch b/queue-6.12/irqchip-gic-v2m-prevent-use-after-free-of-gicv2m_get_fwnode.patch
new file mode 100644
index 0000000000..4bca7a75b0
--- /dev/null
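Review bot: io_fallback_tw() now takes and drops the `last_ctx->refs` reference on every ctx change whether or not `sync` is set, but nothing in the loop says why the reference is needed when no flush follows, which invites a later cleanup that restores the old `sync &&` condition. A comment above `if (last_ctx != req->ctx) {` would pin the intent, e.g. `/* hold a ref on the ctx while queueing to its fallback list; only the flush depends on sync */`. The new `llist_add()` and `schedule_delayed_work()` calls use `last_ctx` in place of `req->ctx`, which is equivalent only because the block just above assigns it on every change. The start of the function, where `last_ctx` is initialised, lies outside the hunk.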
+++ b/queue-6.12/irqchip-gic-v2m-prevent-use-after-free-of-gicv2m_get_fwnode.patch
@@ -0,0 +1,46 @@
+From 3318dc299b072a0511d6dfd8367f3304fb6d9827 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose
+Date: Tue, 22 Apr 2025 17:16:16 +0100
+Subject: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
+
+From: Suzuki K Poulose
+
+commit 3318dc299b072a0511d6dfd8367f3304fb6d9827 upstream.
+
+With ACPI in place, gicv2m_get_fwnode() is registered with the pci
+subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime
+during a PCI host bridge probe. But, the call back is wrongly marked as
+__init, causing it to be freed, while being registered with the PCI
+subsystem and could trigger:
+
+ Unable to handle kernel paging request at virtual address ffff8000816c0400
+ gicv2m_get_fwnode+0x0/0x58 (P)
+ pci_set_bus_msi_domain+0x74/0x88
+ pci_register_host_bridge+0x194/0x548
+
+This is easily reproducible on a Juno board with ACPI boot.
+
+Retain the function for later use.
+
+Fixes: 0644b3daca28 ("irqchip/gic-v2m: acpi: Introducing GICv2m ACPI support")
+Signed-off-by: Suzuki K Poulose
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Ingo Molnar
+Reviewed-by: Marc Zyngier
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-gic-v2m.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-gic-v2m.c
++++ b/drivers/irqchip/irq-gic-v2m.c
+@@ -423,7 +423,7 @@ static int __init gicv2m_of_init(struct
+ #ifdef CONFIG_ACPI
+ static int acpi_num_msi;
+
+-static __init struct fwnode_handle *gicv2m_get_fwnode(struct device *dev)
++static struct fwnode_handle *gicv2m_get_fwnode(struct device *dev)
+ {
+ struct v2m_data *data;
+
diff --git a/queue-6.12/kvm-svm-allocate-ir-data-using-atomic-allocation.patch b/queue-6.12/kvm-svm-allocate-ir-data-using-atomic-allocation.patch
new file mode 100644
index 0000000000..83478ebf38
--- /dev/null
+++ b/queue-6.12/kvm-svm-allocate-ir-data-using-atomic-allocation.patch
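Review bot: gicv2m_get_fwnode() loses its `__init` annotation with no comment at the definition, so the reason survives only in the commit message and a later section cleanup could put the annotation back and reintroduce the use-after-free. A one-line comment above the function would record it, e.g. `/* Not __init: registered as the PCI MSI fwnode callback and called at host bridge probe time, after init memory is freed. */`. The body continues past the hunk (only `struct v2m_data *data;` is visible), so whether everything it reads also outlives init could not be checked here and deserves a look.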
@@ -0,0 +1,34 @@
+From 7537deda36521fa8fff9133b39c46e31893606f2 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Fri, 4 Apr 2025 12:38:16 -0700
+Subject: KVM: SVM: Allocate IR data using atomic allocation
+
+From: Sean Christopherson
+
+commit 7537deda36521fa8fff9133b39c46e31893606f2 upstream.
+
+Allocate SVM's interrupt remapping metadata using GFP_ATOMIC as
+svm_ir_list_add() is called with IRQs are disabled and irqfs.lock held
+when kvm_irq_routing_update() reacts to GSI routing changes.
+
+Fixes: 411b44ba80ab ("svm: Implements update_pi_irte hook to setup posted interrupt")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-ID: <20250404193923.1413163-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/svm/avic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm/avic.c
++++ b/arch/x86/kvm/svm/avic.c
+@@ -820,7 +820,7 @@ static int svm_ir_list_add(struct vcpu_s
+ * Allocating new amd_iommu_pi_data, which will get
+ * add to the per-vcpu ir_list.
+ */
+- ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_KERNEL_ACCOUNT);
++ ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_ATOMIC | __GFP_ACCOUNT);
+ if (!ir) {
+ ret = -ENOMEM;
+ goto out;
diff --git a/queue-6.12/loongarch-handle-fp-lsx-lasx-and-lbt-assembly-symbols.patch b/queue-6.12/loongarch-handle-fp-lsx-lasx-and-lbt-assembly-symbols.patch
new file mode 100644
index 0000000000..045f2e4d1b
--- /dev/null
+++ b/queue-6.12/loongarch-handle-fp-lsx-lasx-and-lbt-assembly-symbols.patch
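Review bot: The comment directly above the changed `kzalloc()` in svm_ir_list_add() still describes only what is allocated, not why the allocation must not sleep, so the constraint is easy to lose the next time the flags are touched. Suggest adding the reason the commit message gives, e.g. `* Called with IRQs disabled and irqfs.lock held, so this must be an atomic allocation.` As a style point, `sizeof(*ir)` would tie the size to the variable instead of repeating `struct amd_svm_iommu_ir`. The `if (!ir)` path that follows already returns -ENOMEM, which matters more now that the allocation cannot wait for reclaim; how callers react to that error is outside the hunk.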
@@ -0,0 +1,209 @@
+From 2ef174b13344b3b4554d3d28e6f9e2a2c1d3138f Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang
+Date: Thu, 24 Apr 2025 20:15:41 +0800
+Subject: LoongArch: Handle fp, lsx, lasx and lbt assembly symbols
+
+From: Tiezhu Yang
+
+commit 2ef174b13344b3b4554d3d28e6f9e2a2c1d3138f upstream.
+
+Like the other relevant symbols, export some fp, lsx, lasx and lbt
+assembly symbols and put the function declarations in header files
+rather than source files.
+
+While at it, use "asmlinkage" for the other existing C prototypes
+of assembly functions and also do not use the "extern" keyword with
+function declarations according to the document coding-style.rst.
+
+Cc: stable@vger.kernel.org # 6.6+
+Signed-off-by: Tiezhu Yang
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/include/asm/fpu.h | 37 ++++++++++++++++++++++---------------
+ arch/loongarch/include/asm/lbt.h | 10 +++++++---
+ arch/loongarch/kernel/fpu.S | 6 ++++++
+ arch/loongarch/kernel/lbt.S | 4 ++++
+ arch/loongarch/kernel/signal.c | 21 ---------------------
+ 5 files changed, 39 insertions(+), 39 deletions(-)
+
+--- a/arch/loongarch/include/asm/fpu.h
++++ b/arch/loongarch/include/asm/fpu.h
+@@ -22,22 +22,29 @@
+ struct sigcontext;
+
+ #define kernel_fpu_available() cpu_has_fpu
+-extern void kernel_fpu_begin(void);
+-extern void kernel_fpu_end(void);
+
+-extern void _init_fpu(unsigned int);
+-extern void _save_fp(struct loongarch_fpu *);
+-extern void _restore_fp(struct loongarch_fpu *);
+-
+-extern void _save_lsx(struct loongarch_fpu *fpu);
+-extern void _restore_lsx(struct loongarch_fpu *fpu);
+-extern void _init_lsx_upper(void);
+-extern void _restore_lsx_upper(struct loongarch_fpu *fpu);
+-
+-extern void _save_lasx(struct loongarch_fpu *fpu);
+-extern void _restore_lasx(struct loongarch_fpu *fpu);
+-extern void _init_lasx_upper(void);
+-extern void _restore_lasx_upper(struct loongarch_fpu *fpu);
++void kernel_fpu_begin(void);
++void kernel_fpu_end(void);
++
++asmlinkage void _init_fpu(unsigned int);
++asmlinkage void _save_fp(struct loongarch_fpu *);
++asmlinkage void _restore_fp(struct loongarch_fpu *);
++asmlinkage int _save_fp_context(void __user *fpregs, void __user *fcc, void __user *csr);
++asmlinkage int _restore_fp_context(void __user *fpregs, void __user *fcc, void __user *csr);
++
++asmlinkage void _save_lsx(struct loongarch_fpu *fpu);
++asmlinkage void _restore_lsx(struct loongarch_fpu *fpu);
++asmlinkage void _init_lsx_upper(void);
++asmlinkage void _restore_lsx_upper(struct loongarch_fpu *fpu);
++asmlinkage int _save_lsx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
++asmlinkage int _restore_lsx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
++
++asmlinkage void _save_lasx(struct loongarch_fpu *fpu);
++asmlinkage void _restore_lasx(struct loongarch_fpu *fpu);
++asmlinkage void _init_lasx_upper(void);
++asmlinkage void _restore_lasx_upper(struct loongarch_fpu *fpu);
++asmlinkage int _save_lasx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
++asmlinkage int _restore_lasx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+
+ static inline void enable_lsx(void);
+ static inline void disable_lsx(void);
+--- a/arch/loongarch/include/asm/lbt.h
++++ b/arch/loongarch/include/asm/lbt.h
+@@ -12,9 +12,13 @@
+ #include
+ #include
+
+-extern void _init_lbt(void);
+-extern void _save_lbt(struct loongarch_lbt *);
+-extern void _restore_lbt(struct loongarch_lbt *);
++asmlinkage void _init_lbt(void);
++asmlinkage void _save_lbt(struct loongarch_lbt *);
++asmlinkage void _restore_lbt(struct loongarch_lbt *);
++asmlinkage int _save_lbt_context(void __user *regs, void __user *eflags);
++asmlinkage int _restore_lbt_context(void __user *regs, void __user *eflags);
++asmlinkage int _save_ftop_context(void __user *ftop);
++asmlinkage int _restore_ftop_context(void __user *ftop);
+
+ static inline int is_lbt_enabled(void)
+ {
+--- a/arch/loongarch/kernel/fpu.S
++++ b/arch/loongarch/kernel/fpu.S
+@@ -458,6 +458,7 @@ SYM_FUNC_START(_save_fp_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_fp_context)
++EXPORT_SYMBOL_GPL(_save_fp_context)
+
+ /*
+ * a0: fpregs
+@@ -471,6 +472,7 @@ SYM_FUNC_START(_restore_fp_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_fp_context)
++EXPORT_SYMBOL_GPL(_restore_fp_context)
+
+ /*
+ * a0: fpregs
+@@ -484,6 +486,7 @@ SYM_FUNC_START(_save_lsx_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_lsx_context)
++EXPORT_SYMBOL_GPL(_save_lsx_context)
+
+ /*
+ * a0: fpregs
+@@ -497,6 +500,7 @@ SYM_FUNC_START(_restore_lsx_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_lsx_context)
++EXPORT_SYMBOL_GPL(_restore_lsx_context)
+
+ /*
+ * a0: fpregs
+@@ -510,6 +514,7 @@ SYM_FUNC_START(_save_lasx_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_lasx_context)
++EXPORT_SYMBOL_GPL(_save_lasx_context)
+
+ /*
+ * a0: fpregs
+@@ -523,6 +528,7 @@ SYM_FUNC_START(_restore_lasx_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_lasx_context)
++EXPORT_SYMBOL_GPL(_restore_lasx_context)
+
+ .L_fpu_fault:
+ li.w a0, -EFAULT # failure
+--- a/arch/loongarch/kernel/lbt.S
++++ b/arch/loongarch/kernel/lbt.S
+@@ -90,6 +90,7 @@ SYM_FUNC_START(_save_lbt_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_lbt_context)
++EXPORT_SYMBOL_GPL(_save_lbt_context)
+
+ /*
+ * a0: scr
+@@ -110,6 +111,7 @@ SYM_FUNC_START(_restore_lbt_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_lbt_context)
++EXPORT_SYMBOL_GPL(_restore_lbt_context)
+
+ /*
+ * a0: ftop
+@@ -120,6 +122,7 @@ SYM_FUNC_START(_save_ftop_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_ftop_context)
++EXPORT_SYMBOL_GPL(_save_ftop_context)
+
+ /*
+ * a0: ftop
+@@ -150,6 +153,7 @@ SYM_FUNC_START(_restore_ftop_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_ftop_context)
++EXPORT_SYMBOL_GPL(_restore_ftop_context)
+
+ .L_lbt_fault:
+ li.w a0, -EFAULT # failure
+--- a/arch/loongarch/kernel/signal.c
++++ b/arch/loongarch/kernel/signal.c
+@@ -51,27 +51,6 @@
+ #define lock_lbt_owner() ({ preempt_disable(); pagefault_disable(); })
+ #define unlock_lbt_owner() ({ pagefault_enable(); preempt_enable(); })
+
+-/* Assembly functions to move context to/from the FPU */
+-extern asmlinkage int
+-_save_fp_context(void __user *fpregs, void __user *fcc, void __user *csr);
+-extern asmlinkage int
+-_restore_fp_context(void __user *fpregs, void __user *fcc, void __user *csr);
+-extern asmlinkage int
+-_save_lsx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+-extern asmlinkage int
+-_restore_lsx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+-extern asmlinkage int
+-_save_lasx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+-extern asmlinkage int
+-_restore_lasx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+-
+-#ifdef CONFIG_CPU_HAS_LBT
+-extern asmlinkage int _save_lbt_context(void __user *regs, void __user *eflags);
+-extern asmlinkage int _restore_lbt_context(void __user *regs, void __user *eflags);
+-extern asmlinkage int _save_ftop_context(void __user *ftop);
+-extern asmlinkage int _restore_ftop_context(void __user *ftop);
+-#endif
+-
+ struct rt_sigframe {
+ struct siginfo rs_info;
+ struct ucontext rs_uctx;
diff --git a/queue-6.12/loongarch-kvm-fix-pmu-pass-through-issue-if-vm-exits-to-host-finally.patch b/queue-6.12/loongarch-kvm-fix-pmu-pass-through-issue-if-vm-exits-to-host-finally.patch
new file mode 100644
index 0000000000..9911760bd9
--- /dev/null
+++ b/queue-6.12/loongarch-kvm-fix-pmu-pass-through-issue-if-vm-exits-to-host-finally.patch
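Review bot: The ten `EXPORT_SYMBOL_GPL()` lines added in fpu.S and lbt.S make `_save_fp_context`, `_restore_fp_context` and their lsx, lasx, lbt and ftop siblings reachable from modules, yet neither the description nor any hunk names a modular caller. Per the prototypes added to fpu.h and lbt.h these routines take `void __user *` pointers, so the description should state which consumer needs the exports; if there is none, moving the declarations into the headers achieves the stated goal without widening the module-visible surface. Separately, the four LBT prototypes sat under `#ifdef CONFIG_CPU_HAS_LBT` in signal.c and are added to lbt.h without that guard in the visible lines; that is harmless for declarations, but lbt.h's own conditionals are outside the hunk and worth a glance.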
@@ -0,0 +1,38 @@
+From 5add0dbbebd60628b55e5eb8426612dedab7311a Mon Sep 17 00:00:00 2001
+From: Bibo Mao
+Date: Thu, 24 Apr 2025 20:15:52 +0800
+Subject: LoongArch: KVM: Fix PMU pass-through issue if VM exits to host finally
+
+From: Bibo Mao
+
+commit 5add0dbbebd60628b55e5eb8426612dedab7311a upstream.
+
+In function kvm_pre_enter_guest(), it prepares to enter guest and check
+whether there are pending signals or events. And it will not enter guest
+if there are, PMU pass-through preparation for guest should be cancelled
+and host should own PMU hardware.
+
+Cc: stable@vger.kernel.org
+Fixes: f4e40ea9f78f ("LoongArch: KVM: Add PMU support for guest")
+Signed-off-by: Bibo Mao
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/kvm/vcpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
+index 2d3c2a2d1d1c..5af32ec62cb1 100644
+--- a/arch/loongarch/kvm/vcpu.c
++++ b/arch/loongarch/kvm/vcpu.c
+@@ -294,6 +294,7 @@ static int kvm_pre_enter_guest(struct kvm_vcpu *vcpu)
+ vcpu->arch.aux_inuse &= ~KVM_LARCH_SWCSR_LATEST;
+
+ if (kvm_request_pending(vcpu) || xfer_to_guest_mode_work_pending()) {
++ kvm_lose_pmu(vcpu);
+ /* make sure the vcpu mode has been written */
+ smp_store_mb(vcpu->mode, OUTSIDE_GUEST_MODE);
+ local_irq_enable();
+--
+2.49.0
+
diff --git a/queue-6.12/loongarch-kvm-fully-clear-some-csrs-when-vm-reboot.patch b/queue-6.12/loongarch-kvm-fully-clear-some-csrs-when-vm-reboot.patch
new file mode 100644
index 0000000000..e39bd630fe
--- /dev/null
+++ b/queue-6.12/loongarch-kvm-fully-clear-some-csrs-when-vm-reboot.patch
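Review bot: The added `kvm_lose_pmu(vcpu);` in the bail-out branch of kvm_pre_enter_guest() has no comment, so the reason for it lives only in the commit message. A one-line comment above the call, such as `/* not entering the guest: hand the PMU back to the host */`, would keep the ownership rule next to the code. The function starts and ends outside the hunk and kvm_lose_pmu() itself is not shown, so it should be confirmed against its definition that the call is harmless when no PMU state was prepared for the guest.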
@@ -0,0 +1,46 @@
+From 9ea86232a5520d9d21832d06031ea80f055a6ff8 Mon Sep 17 00:00:00 2001
+From: Bibo Mao
+Date: Thu, 24 Apr 2025 20:15:52 +0800
+Subject: LoongArch: KVM: Fully clear some CSRs when VM reboot
+
+From: Bibo Mao
+
+commit 9ea86232a5520d9d21832d06031ea80f055a6ff8 upstream.
+
+Some registers such as LOONGARCH_CSR_ESTAT and LOONGARCH_CSR_GINTC are
+partly cleared with function _kvm_setcsr(). This comes from the hardware
+specification, some bits are read only in VM mode, and however they can
+be written in host mode. So they are partly cleared in VM mode, and can
+be fully cleared in host mode.
+
+These read only bits show pending interrupt or exception status. When VM
+reset, the read-only bits should be cleared, otherwise vCPU will receive
+unknown interrupts in boot stage.
+
+Here registers LOONGARCH_CSR_ESTAT/LOONGARCH_CSR_GINTC are fully cleared
+in ioctl KVM_REG_LOONGARCH_VCPU_RESET vCPU reset path.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bibo Mao
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/kvm/vcpu.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/loongarch/kvm/vcpu.c
++++ b/arch/loongarch/kvm/vcpu.c
+@@ -874,6 +874,13 @@ static int kvm_set_one_reg(struct kvm_vc
+ vcpu->arch.st.guest_addr = 0;
+ memset(&vcpu->arch.irq_pending, 0, sizeof(vcpu->arch.irq_pending));
+ memset(&vcpu->arch.irq_clear, 0, sizeof(vcpu->arch.irq_clear));
++
++ /*
++ * When vCPU reset, clear the ESTAT and GINTC registers
++ * Other CSR registers are cleared with function _kvm_setcsr().
++ */
++ kvm_write_sw_gcsr(vcpu->arch.csr, LOONGARCH_CSR_GINTC, 0);
++ kvm_write_sw_gcsr(vcpu->arch.csr, LOONGARCH_CSR_ESTAT, 0);
+ break;
+ default:
+ ret = -EINVAL;
diff --git a/queue-6.12/loongarch-remove-a-bogus-reference-to-zone_dma.patch b/queue-6.12/loongarch-remove-a-bogus-reference-to-zone_dma.patch
new file mode 100644
index 0000000000..111c7aa151
--- /dev/null
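Review bot: The new comment in the vCPU reset path says what is cleared but not why a direct write is needed here. The commit message has the reason: _kvm_setcsr() leaves the read-only pending interrupt/exception bits of ESTAT and GINTC untouched, so stale status could survive a reset. I would put that in the comment, e.g. `/* ESTAT and GINTC hold pending-status bits that _kvm_setcsr() cannot clear; zero them here so a reset vCPU does not see stale interrupts. */`. kvm_set_one_reg() starts and ends outside the hunk.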
+++ b/queue-6.12/loongarch-remove-a-bogus-reference-to-zone_dma.patch @@ -0,0 +1,33 @@ +From c37325cbd91abe3bfab280b3b09947155abe8e07 Mon Sep 17 00:00:00 2001 +From: Petr Tesarik +Date: Thu, 24 Apr 2025 20:15:41 +0800 +Subject: LoongArch: Remove a bogus reference to ZONE_DMA + +From: Petr Tesarik + +commit c37325cbd91abe3bfab280b3b09947155abe8e07 upstream. + +Remove dead code. LoongArch does not have a DMA memory zone (24bit DMA). +The architecture does not even define MAX_DMA_PFN. + +Cc: stable@vger.kernel.org +Reviewed-by: Mike Rapoport (Microsoft) +Signed-off-by: Petr Tesarik +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/mm/init.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/arch/loongarch/mm/init.c ++++ b/arch/loongarch/mm/init.c +@@ -65,9 +65,6 @@ void __init paging_init(void) + { + unsigned long max_zone_pfns[MAX_NR_ZONES]; + +-#ifdef CONFIG_ZONE_DMA +- max_zone_pfns[ZONE_DMA] = MAX_DMA_PFN; +-#endif + #ifdef CONFIG_ZONE_DMA32 + max_zone_pfns[ZONE_DMA32] = MAX_DMA32_PFN; + #endif diff --git a/queue-6.12/loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch b/queue-6.12/loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch new file mode 100644 index 0000000000..238213247e --- /dev/null +++ b/queue-6.12/loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch 
@@ -0,0 +1,47 @@
+From bd51834d1cf65a2c801295d230c220aeebf87a73 Mon Sep 17 00:00:00 2001
+From: Ming Wang
+Date: Thu, 24 Apr 2025 20:15:47 +0800
+Subject: LoongArch: Return NULL from huge_pte_offset() for invalid PMD
+
+From: Ming Wang
+
+commit bd51834d1cf65a2c801295d230c220aeebf87a73 upstream.
+
+LoongArch's huge_pte_offset() currently returns a pointer to a PMD slot
+even if the underlying entry points to invalid_pte_table (indicating no
+mapping). Callers like smaps_hugetlb_range() fetch this invalid entry
+value (the address of invalid_pte_table) via this pointer.
+
+The generic is_swap_pte() check then incorrectly identifies this address
+as a swap entry on LoongArch, because it satisfies the "!pte_present()
+&& !pte_none()" conditions. This misinterpretation, combined with a
+coincidental match by is_migration_entry() on the address bits, leads to
+kernel crashes in pfn_swap_entry_to_page().
+
+Fix this at the architecture level by modifying huge_pte_offset() to
+check the PMD entry's content using pmd_none() before returning. If the
+entry is invalid (i.e., it points to invalid_pte_table), return NULL
+instead of the pointer to the slot.
+
+Cc: stable@vger.kernel.org
+Acked-by: Peter Xu
+Co-developed-by: Hongchen Zhang
+Signed-off-by: Hongchen Zhang
+Signed-off-by: Ming Wang
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/mm/hugetlbpage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/loongarch/mm/hugetlbpage.c
++++ b/arch/loongarch/mm/hugetlbpage.c
+@@ -47,7 +47,7 @@ pte_t *huge_pte_offset(struct mm_struct
+ pmd = pmd_offset(pud, addr);
+ }
+ }
+- return (pte_t *) pmd;
++ return pmd_none(pmdp_get(pmd)) ? NULL : (pte_t *) pmd;
+ }
+
+ uint64_t pmd_to_entrylo(unsigned long pmd_val)
diff --git a/queue-6.12/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch b/queue-6.12/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch
new file mode 100644
index 0000000000..1ae3922374
--- /dev/null
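Review bot: `pmdp_get(pmd)` in the new return statement is evaluated unconditionally, but the context lines show `pmd = pmd_offset(pud, addr);` inside two nested blocks, so pmd may not have been assigned on paths that skip them. The declaration of pmd is outside the hunk; if it starts as NULL when an upper-level entry is not present, the old code returned NULL harmlessly and the new code dereferences it in kernel context. Guarding the read keeps the old behaviour on that path: `return (!pmd || pmd_none(pmdp_get(pmd))) ? NULL : (pte_t *) pmd;`.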
+++ b/queue-6.12/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch
@@ -0,0 +1,35 @@
+From 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Mon, 10 Mar 2025 09:46:57 +0100
+Subject: mcb: fix a double free bug in chameleon_parse_gdd()
+
+From: Haoxiang Li
+
+commit 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 upstream.
+
+In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev'
+would be released in mcb_device_register() via put_device().
+Thus, goto 'err' label and free 'mdev' again causes a double free.
+Just return if mcb_device_register() fails.
+
+Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus")
+Cc: stable
+Signed-off-by: Haoxiang Li
+Signed-off-by: Johannes Thumshirn
+Link: https://lore.kernel.org/r/6201d09e2975ae5789879f79a6de4c38de9edd4a.1741596225.git.jth@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mcb/mcb-parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mcb/mcb-parse.c
++++ b/drivers/mcb/mcb-parse.c
+@@ -96,7 +96,7 @@ static int chameleon_parse_gdd(struct mc
+
+ ret = mcb_device_register(bus, mdev);
+ if (ret < 0)
+- goto err;
++ return ret;
+
+ return 0;
+
diff --git a/queue-6.12/mei-me-add-panther-lake-h-did.patch b/queue-6.12/mei-me-add-panther-lake-h-did.patch
new file mode 100644
index 0000000000..4046a1347b
--- /dev/null
+++ b/queue-6.12/mei-me-add-panther-lake-h-did.patch
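Review bot: The new `return ret;` after a failed mcb_device_register() is only correct because that function releases mdev itself, and nothing at the call site says so. A comment on the new line, e.g. `/* mcb_device_register() already released mdev via put_device() */`, would stop a later cleanup from re-introducing the `goto err` double free. The rest of chameleon_parse_gdd(), including the err label, is outside the hunk, so it is worth confirming that err releases nothing other than mdev.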
@@ -0,0 +1,42 @@ +From 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Tue, 8 Apr 2025 16:00:05 +0300 +Subject: mei: me: add panther lake H DID + +From: Alexander Usyskin + +commit 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c upstream. + +Add Panther Lake H device id. + +Cc: stable +Co-developed-by: Tomas Winkler +Signed-off-by: Tomas Winkler +Signed-off-by: Alexander Usyskin +Link: https://lore.kernel.org/r/20250408130005.1358140-1-alexander.usyskin@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hw-me-regs.h | 1 + + drivers/misc/mei/pci-me.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -117,6 +117,7 @@ + + #define MEI_DEV_ID_LNL_M 0xA870 /* Lunar Lake Point M */ + ++#define MEI_DEV_ID_PTL_H 0xE370 /* Panther Lake H */ + #define MEI_DEV_ID_PTL_P 0xE470 /* Panther Lake P */ + + /* +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -124,6 +124,7 @@ static const struct pci_device_id mei_me + + {MEI_PCI_DEVICE(MEI_DEV_ID_LNL_M, MEI_ME_PCH15_CFG)}, + ++ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_H, MEI_ME_PCH15_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_P, MEI_ME_PCH15_CFG)}, + + /* required last entry */ diff --git a/queue-6.12/mei-vsc-fix-fortify-panic-caused-by-invalid-counted_by-use.patch b/queue-6.12/mei-vsc-fix-fortify-panic-caused-by-invalid-counted_by-use.patch new file mode 100644 index 0000000000..3ad999af4f --- /dev/null +++ b/queue-6.12/mei-vsc-fix-fortify-panic-caused-by-invalid-counted_by-use.patch 
@@ -0,0 +1,108 @@ +From 00f1cc14da0f06d2897b8c528df7c7dcf1b8da50 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 18 Mar 2025 15:12:02 +0100 +Subject: mei: vsc: Fix fortify-panic caused by invalid counted_by() use + +From: Hans de Goede + +commit 00f1cc14da0f06d2897b8c528df7c7dcf1b8da50 upstream. + +gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[] +and the vsc-tp.c code is using this in a wrong way. len does not contain +the available size in the buffer, it contains the actual packet length +*without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to +buf[] the fortify-panic handler gets triggered: + +[ 80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0 +[ 80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50 +... +[ 80.843175] __fortify_panic+0x9/0xb +[ 80.843186] vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw] +[ 80.843210] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 +[ 80.843229] ? lockdep_hardirqs_on+0x7c/0x110 +[ 80.843250] mei_vsc_hw_start+0x98/0x120 [mei_vsc] +[ 80.843270] mei_reset+0x11d/0x420 [mei] + +The easiest fix would be to just drop the counted-by but with the exception +of the ack buffer in vsc_tp_xfer_helper() which only contains enough room +for the packet-header, all other uses of vsc_tp_packet always use a buffer +of VSC_TP_MAX_XFER_SIZE bytes for the packet. + +Instead of just dropping the counted-by, split the vsc_tp_packet struct +definition into a header and a full-packet definition and use a fixed +size buf[] in the packet definition, this way fortify-source buffer +overrun checking still works when enabled. 
+ +Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device") +Cc: stable@kernel.org +Signed-off-by: Hans de Goede +Reviewed-by: Alexander Usyskin +Reviewed-by: Sakari Ailus +Link: https://lore.kernel.org/r/20250318141203.94342-2-hdegoede@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/vsc-tp.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +--- a/drivers/misc/mei/vsc-tp.c ++++ b/drivers/misc/mei/vsc-tp.c +@@ -36,20 +36,24 @@ + #define VSC_TP_XFER_TIMEOUT_BYTES 700 + #define VSC_TP_PACKET_PADDING_SIZE 1 + #define VSC_TP_PACKET_SIZE(pkt) \ +- (sizeof(struct vsc_tp_packet) + le16_to_cpu((pkt)->len) + VSC_TP_CRC_SIZE) ++ (sizeof(struct vsc_tp_packet_hdr) + le16_to_cpu((pkt)->hdr.len) + VSC_TP_CRC_SIZE) + #define VSC_TP_MAX_PACKET_SIZE \ +- (sizeof(struct vsc_tp_packet) + VSC_TP_MAX_MSG_SIZE + VSC_TP_CRC_SIZE) ++ (sizeof(struct vsc_tp_packet_hdr) + VSC_TP_MAX_MSG_SIZE + VSC_TP_CRC_SIZE) + #define VSC_TP_MAX_XFER_SIZE \ + (VSC_TP_MAX_PACKET_SIZE + VSC_TP_XFER_TIMEOUT_BYTES) + #define VSC_TP_NEXT_XFER_LEN(len, offset) \ +- (len + sizeof(struct vsc_tp_packet) + VSC_TP_CRC_SIZE - offset + VSC_TP_PACKET_PADDING_SIZE) ++ (len + sizeof(struct vsc_tp_packet_hdr) + VSC_TP_CRC_SIZE - offset + VSC_TP_PACKET_PADDING_SIZE) + +-struct vsc_tp_packet { ++struct vsc_tp_packet_hdr { + __u8 sync; + __u8 cmd; + __le16 len; + __le32 seq; +- __u8 buf[] __counted_by(len); ++}; ++ ++struct vsc_tp_packet { ++ struct vsc_tp_packet_hdr hdr; ++ __u8 buf[VSC_TP_MAX_XFER_SIZE - sizeof(struct vsc_tp_packet_hdr)]; + }; + + struct vsc_tp { +@@ -158,12 +162,12 @@ static int vsc_tp_dev_xfer(struct vsc_tp + static int vsc_tp_xfer_helper(struct vsc_tp *tp, struct vsc_tp_packet *pkt, + void *ibuf, u16 ilen) + { +- int ret, offset = 0, cpy_len, src_len, dst_len = sizeof(struct vsc_tp_packet); ++ int ret, offset = 0, cpy_len, src_len, dst_len = sizeof(struct vsc_tp_packet_hdr); + int next_xfer_len = VSC_TP_PACKET_SIZE(pkt) + 
VSC_TP_XFER_TIMEOUT_BYTES; + u8 *src, *crc_src, *rx_buf = tp->rx_buf; + int count_down = VSC_TP_MAX_XFER_COUNT; + u32 recv_crc = 0, crc = ~0; +- struct vsc_tp_packet ack; ++ struct vsc_tp_packet_hdr ack; + u8 *dst = (u8 *)&ack; + bool synced = false; + +@@ -280,10 +284,10 @@ int vsc_tp_xfer(struct vsc_tp *tp, u8 cm + + guard(mutex)(&tp->mutex); + +- pkt->sync = VSC_TP_PACKET_SYNC; +- pkt->cmd = cmd; +- pkt->len = cpu_to_le16(olen); +- pkt->seq = cpu_to_le32(++tp->seq); ++ pkt->hdr.sync = VSC_TP_PACKET_SYNC; ++ pkt->hdr.cmd = cmd; ++ pkt->hdr.len = cpu_to_le16(olen); ++ pkt->hdr.seq = cpu_to_le32(++tp->seq); + memcpy(pkt->buf, obuf, olen); + + crc = ~crc32(~0, (u8 *)pkt, sizeof(pkt) + olen); diff --git a/queue-6.12/net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch b/queue-6.12/net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch new file mode 100644 index 0000000000..d27b481809 --- /dev/null +++ b/queue-6.12/net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch 
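Review bot: In vsc_tp_xfer() the CRC length is still computed as `sizeof(pkt) + olen`, and pkt is a pointer there (the lines above use `pkt->hdr.sync`), so this is the pointer size rather than the header size. It equals the 8-byte vsc_tp_packet_hdr only on 64-bit builds; elsewhere the CRC would cover the wrong number of bytes. Now that the header has its own type, `crc = ~crc32(~0, (u8 *)pkt, sizeof(pkt->hdr) + olen);` says what is meant. The hunk also shows no check of olen against the new fixed-size buf[] before `memcpy(pkt->buf, obuf, olen)`; vsc_tp_xfer() begins outside the hunk, so that check may exist above.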
@@ -0,0 +1,106 @@ +From 30a41ed32d3088cd0d682a13d7f30b23baed7e93 Mon Sep 17 00:00:00 2001 +From: Fiona Klute +Date: Wed, 16 Apr 2025 12:24:13 +0200 +Subject: net: phy: microchip: force IRQ polling mode for lan88xx + +From: Fiona Klute + +commit 30a41ed32d3088cd0d682a13d7f30b23baed7e93 upstream. + +With lan88xx based devices the lan78xx driver can get stuck in an +interrupt loop while bringing the device up, flooding the kernel log +with messages like the following: + +lan78xx 2-3:1.0 enp1s0u3: kevent 4 may have been dropped + +Removing interrupt support from the lan88xx PHY driver forces the +driver to use polling instead, which avoids the problem. + +The issue has been observed with Raspberry Pi devices at least since +4.14 (see [1], bug report for their downstream kernel), as well as +with Nvidia devices [2] in 2020, where disabling interrupts was the +vendor-suggested workaround (together with the claim that phylib +changes in 4.9 made the interrupt handling in lan78xx incompatible). + +Iperf reports well over 900Mbits/sec per direction with client in +--dualtest mode, so there does not seem to be a significant impact on +throughput (lan88xx device connected via switch to the peer). 
+ +[1] https://github.com/raspberrypi/linux/issues/2447 +[2] https://forums.developer.nvidia.com/t/jetson-xavier-and-lan7800-problem/142134/11 + +Link: https://lore.kernel.org/0901d90d-3f20-4a10-b680-9c978e04ddda@lunn.ch +Fixes: 792aec47d59d ("add microchip LAN88xx phy driver") +Signed-off-by: Fiona Klute +Cc: kernel-list@raspberrypi.com +Cc: stable@vger.kernel.org +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250416102413.30654-1-fiona.klute@gmx.de +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/microchip.c | 46 ++------------------------------------------ + 1 file changed, 3 insertions(+), 43 deletions(-) + +--- a/drivers/net/phy/microchip.c ++++ b/drivers/net/phy/microchip.c +@@ -37,47 +37,6 @@ static int lan88xx_write_page(struct phy + return __phy_write(phydev, LAN88XX_EXT_PAGE_ACCESS, page); + } + +-static int lan88xx_phy_config_intr(struct phy_device *phydev) +-{ +- int rc; +- +- if (phydev->interrupts == PHY_INTERRUPT_ENABLED) { +- /* unmask all source and clear them before enable */ +- rc = phy_write(phydev, LAN88XX_INT_MASK, 0x7FFF); +- rc = phy_read(phydev, LAN88XX_INT_STS); +- rc = phy_write(phydev, LAN88XX_INT_MASK, +- LAN88XX_INT_MASK_MDINTPIN_EN_ | +- LAN88XX_INT_MASK_LINK_CHANGE_); +- } else { +- rc = phy_write(phydev, LAN88XX_INT_MASK, 0); +- if (rc) +- return rc; +- +- /* Ack interrupts after they have been disabled */ +- rc = phy_read(phydev, LAN88XX_INT_STS); +- } +- +- return rc < 0 ? 
rc : 0; +-} +- +-static irqreturn_t lan88xx_handle_interrupt(struct phy_device *phydev) +-{ +- int irq_status; +- +- irq_status = phy_read(phydev, LAN88XX_INT_STS); +- if (irq_status < 0) { +- phy_error(phydev); +- return IRQ_NONE; +- } +- +- if (!(irq_status & LAN88XX_INT_STS_LINK_CHANGE_)) +- return IRQ_NONE; +- +- phy_trigger_machine(phydev); +- +- return IRQ_HANDLED; +-} +- + static int lan88xx_suspend(struct phy_device *phydev) + { + struct lan88xx_priv *priv = phydev->priv; +@@ -528,8 +487,9 @@ static struct phy_driver microchip_phy_d + .config_aneg = lan88xx_config_aneg, + .link_change_notify = lan88xx_link_change_notify, + +- .config_intr = lan88xx_phy_config_intr, +- .handle_interrupt = lan88xx_handle_interrupt, ++ /* Interrupt handling is broken, do not define related ++ * functions to force polling. ++ */ + + .suspend = lan88xx_suspend, + .resume = genphy_resume, diff --git a/queue-6.12/net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch b/queue-6.12/net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch new file mode 100644 index 0000000000..856c0557de --- /dev/null +++ b/queue-6.12/net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch 
@@ -0,0 +1,64 @@ +From 9e8d1013b0c38910cbc9e60de74dbe883878469d Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Wed, 16 Apr 2025 18:01:25 +0200 +Subject: net: selftests: initialize TCP header and skb payload with zero + +From: Oleksij Rempel + +commit 9e8d1013b0c38910cbc9e60de74dbe883878469d upstream. + +Zero-initialize TCP header via memset() to avoid garbage values that +may affect checksum or behavior during test transmission. + +Also zero-fill allocated payload and padding regions using memset() +after skb_put(), ensuring deterministic content for all outgoing +test packets. + +Fixes: 3e1e58d64c3d ("net: add generic selftest support") +Signed-off-by: Oleksij Rempel +Cc: stable@vger.kernel.org +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250416160125.2914724-1-o.rempel@pengutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/core/selftests.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/net/core/selftests.c ++++ b/net/core/selftests.c +@@ -100,10 +100,10 @@ static struct sk_buff *net_test_get_skb( + ehdr->h_proto = htons(ETH_P_IP); + + if (attr->tcp) { ++ memset(thdr, 0, sizeof(*thdr)); + thdr->source = htons(attr->sport); + thdr->dest = htons(attr->dport); + thdr->doff = sizeof(struct tcphdr) / 4; +- thdr->check = 0; + } else { + uhdr->source = htons(attr->sport); + uhdr->dest = htons(attr->dport); +@@ -144,10 +144,18 @@ static struct sk_buff *net_test_get_skb( + attr->id = net_test_next_id; + shdr->id = net_test_next_id++; + +- if (attr->size) +- skb_put(skb, attr->size); +- if (attr->max_size && attr->max_size > skb->len) +- skb_put(skb, attr->max_size - skb->len); ++ if (attr->size) { ++ void *payload = skb_put(skb, attr->size); ++ ++ memset(payload, 0, attr->size); ++ } ++ ++ if (attr->max_size && attr->max_size > skb->len) { ++ size_t pad_len = attr->max_size - skb->len; ++ void *pad = skb_put(skb, pad_len); ++ ++ memset(pad, 0, pad_len); ++ } + + skb->csum = 0; + 
skb->ip_summed = CHECKSUM_PARTIAL; diff --git a/queue-6.12/rust-firmware-use-ffi-c_char-type-in-fwfunc.patch b/queue-6.12/rust-firmware-use-ffi-c_char-type-in-fwfunc.patch new file mode 100644 index 0000000000..d7542fa4b2 --- /dev/null +++ b/queue-6.12/rust-firmware-use-ffi-c_char-type-in-fwfunc.patch 
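Review bot: The two new blocks in net_test_get_skb() open-code `skb_put()` followed by `memset()`, where `skb_put_zero()` does both and keeps the length in one place so it cannot drift from the memset size. The payload part becomes `if (attr->size) skb_put_zero(skb, attr->size);` and the padding part `skb_put_zero(skb, attr->max_size - skb->len);` under the existing condition. In the first inner hunk only the TCP header is zeroed; the UDP branch sets source and dest in the visible lines and continues outside the hunk, so it is worth checking that every uhdr field is written before the packet is sent.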
@@ -0,0 +1,119 @@ +From 53bd97801632c940767f4c8407c2cbdeb56b40e7 Mon Sep 17 00:00:00 2001 +From: Christian Schrefl +Date: Sun, 13 Apr 2025 21:26:56 +0200 +Subject: rust: firmware: Use `ffi::c_char` type in `FwFunc` + +From: Christian Schrefl + +commit 53bd97801632c940767f4c8407c2cbdeb56b40e7 upstream. + +The `FwFunc` struct contains an function with a char pointer argument, +for which a `*const u8` pointer was used. This is not really the +"proper" type for this, so use a `*const kernel::ffi::c_char` pointer +instead. + +This has no real functionality changes, since now `kernel::ffi::c_char` +(which bindgen uses for `char`) is now a type alias to `u8` anyways, +but before commit 1bae8729e50a ("rust: map `long` to `isize` and `char` +to `u8`") the concrete type of `kernel::ffi::c_char` depended on the +architecture (However all supported architectures at the time mapped to +`i8`). + +This caused problems on the v6.13 tag when building for 32 bit arm (with +my patches), since back then `*const i8` was used in the function +argument and the function that bindgen generated used +`*const core::ffi::c_char` which Rust mapped to `*const u8` on 32 bit +arm. The stable v6.13.y branch does not have this issue since commit +1bae8729e50a ("rust: map `long` to `isize` and `char` to `u8`") was +backported. 
+ +This caused the following build error: +``` +error[E0308]: mismatched types + --> rust/kernel/firmware.rs:20:4 + | +20 | Self(bindings::request_firmware) + | ---- ^^^^^^^^^^^^^^^^^^^^^^^^^^ expected fn pointer, found fn item + | | + | arguments to this function are incorrect + | + = note: expected fn pointer `unsafe extern "C" fn(_, *const i8, _) -> _` + found fn item `unsafe extern "C" fn(_, *const u8, _) -> _ {request_firmware}` +note: tuple struct defined here + --> rust/kernel/firmware.rs:14:8 + | +14 | struct FwFunc( + | ^^^^^^ + +error[E0308]: mismatched types + --> rust/kernel/firmware.rs:24:14 + | +24 | Self(bindings::firmware_request_nowarn) + | ---- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ expected fn pointer, found fn item + | | + | arguments to this function are incorrect + | + = note: expected fn pointer `unsafe extern "C" fn(_, *const i8, _) -> _` + found fn item `unsafe extern "C" fn(_, *const u8, _) -> _ {firmware_request_nowarn}` +note: tuple struct defined here + --> rust/kernel/firmware.rs:14:8 + | +14 | struct FwFunc( + | ^^^^^^ + +error[E0308]: mismatched types + --> rust/kernel/firmware.rs:64:45 + | +64 | let ret = unsafe { func.0(pfw as _, name.as_char_ptr(), dev.as_raw()) }; + | ------ ^^^^^^^^^^^^^^^^^^ expected `*const i8`, found `*const u8` + | | + | arguments to this function are incorrect + | + = note: expected raw pointer `*const i8` + found raw pointer `*const u8` + +error: aborting due to 3 previous errors +``` + +Fixes: de6582833db0 ("rust: add firmware abstractions") +Cc: stable@vger.kernel.org +Reviewed-by: Benno Lossin +Signed-off-by: Christian Schrefl +Acked-by: Miguel Ojeda +Link: https://lore.kernel.org/r/20250413-rust_arm_fix_fw_abstaction-v3-1-8dd7c0bbcd47@gmail.com +[ Add firmware prefix to commit subject. 
- Danilo ] +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + rust/kernel/firmware.rs | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/rust/kernel/firmware.rs b/rust/kernel/firmware.rs +index f04b058b09b2..2494c96e105f 100644 +--- a/rust/kernel/firmware.rs ++++ b/rust/kernel/firmware.rs +@@ -4,7 +4,7 @@ + //! + //! C header: [`include/linux/firmware.h`](srctree/include/linux/firmware.h) + +-use crate::{bindings, device::Device, error::Error, error::Result, str::CStr}; ++use crate::{bindings, device::Device, error::Error, error::Result, ffi, str::CStr}; + use core::ptr::NonNull; + + /// # Invariants +@@ -12,7 +12,11 @@ + /// One of the following: `bindings::request_firmware`, `bindings::firmware_request_nowarn`, + /// `bindings::firmware_request_platform`, `bindings::request_firmware_direct`. + struct FwFunc( +- unsafe extern "C" fn(*mut *const bindings::firmware, *const u8, *mut bindings::device) -> i32, ++ unsafe extern "C" fn( ++ *mut *const bindings::firmware, ++ *const ffi::c_char, ++ *mut bindings::device, ++ ) -> i32, + ); + + impl FwFunc { +-- +2.49.0 + diff --git a/queue-6.12/sched_ext-use-kvzalloc-for-large-exit_dump-allocation.patch b/queue-6.12/sched_ext-use-kvzalloc-for-large-exit_dump-allocation.patch new file mode 100644 index 0000000000..66cd32c3be --- /dev/null +++ b/queue-6.12/sched_ext-use-kvzalloc-for-large-exit_dump-allocation.patch 
@@ -0,0 +1,48 @@ +From 47068309b5777313b6ac84a77d8d10dc7312260a Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Tue, 8 Apr 2025 09:50:42 -0700 +Subject: sched_ext: Use kvzalloc for large exit_dump allocation + +From: Breno Leitao + +commit 47068309b5777313b6ac84a77d8d10dc7312260a upstream. + +Replace kzalloc with kvzalloc for the exit_dump buffer allocation, which +can require large contiguous memory depending on the implementation. +This change prevents allocation failures by allowing the system to fall +back to vmalloc when contiguous memory allocation fails. + +Since this buffer is only used for debugging purposes, physical memory +contiguity is not required, making vmalloc a suitable alternative. + +Cc: stable@vger.kernel.org +Fixes: 07814a9439a3b0 ("sched_ext: Print debug dump after an error exit") +Suggested-by: Rik van Riel +Signed-off-by: Breno Leitao +Acked-by: Andrea Righi +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -4530,7 +4530,7 @@ unlock: + + static void free_exit_info(struct scx_exit_info *ei) + { +- kfree(ei->dump); ++ kvfree(ei->dump); + kfree(ei->msg); + kfree(ei->bt); + kfree(ei); +@@ -4546,7 +4546,7 @@ static struct scx_exit_info *alloc_exit_ + + ei->bt = kcalloc(SCX_EXIT_BT_LEN, sizeof(ei->bt[0]), GFP_KERNEL); + ei->msg = kzalloc(SCX_EXIT_MSG_LEN, GFP_KERNEL); +- ei->dump = kzalloc(exit_dump_len, GFP_KERNEL); ++ ei->dump = kvzalloc(exit_dump_len, GFP_KERNEL); + + if (!ei->bt || !ei->msg || !ei->dump) { + free_exit_info(ei); diff --git a/queue-6.12/scsi-improve-cdl-control.patch b/queue-6.12/scsi-improve-cdl-control.patch new file mode 100644 index 0000000000..60fde6f7f5 --- /dev/null +++ b/queue-6.12/scsi-improve-cdl-control.patch 
@@ -0,0 +1,121 @@ +From 14a3cc755825ef7b34c986aa2786ea815023e9c5 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Sun, 13 Apr 2025 11:24:47 +0900 +Subject: scsi: Improve CDL control + +From: Damien Le Moal + +commit 14a3cc755825ef7b34c986aa2786ea815023e9c5 upstream. + +With ATA devices supporting the CDL feature, using CDL requires that the +feature be enabled with a SET FEATURES command. This command is issued +as the translated command for the MODE SELECT command issued by +scsi_cdl_enable() when the user enables CDL through the device +cdl_enable sysfs attribute. + +However, the implementation of scsi_cdl_enable() always issues a MODE +SELECT command for ATA devices when the enable argument is true, even if +CDL is already enabled on the device. While this does not cause any +issue with using CDL descriptors with read/write commands (the CDL +feature will be enabled on the drive), issuing the MODE SELECT command +even when the device CDL feature is already enabled will cause a reset +of the ATA device CDL statistics log page (as defined in ACS, any CDL +enable action must reset the device statistics). + +Avoid this needless actions (and the implied statistics log page reset) +by modifying scsi_cdl_enable() to issue the MODE SELECT command to +enable CDL if and only if CDL is not reported as already enabled on the +device. + +And while at it, simplify the initialization of the is_ata boolean +variable and move the declaration of the scsi mode data and sense header +variables to within the scope of ATA device handling. + +Fixes: 1b22cfb14142 ("scsi: core: Allow enabling and disabling command duration limits") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Igor Pylypiv +Reviewed-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +--- a/drivers/scsi/scsi.c ++++ b/drivers/scsi/scsi.c +@@ -695,26 +695,23 @@ void scsi_cdl_check(struct scsi_device * + */ + int scsi_cdl_enable(struct scsi_device *sdev, bool enable) + { +- struct scsi_mode_data data; +- struct scsi_sense_hdr sshdr; +- struct scsi_vpd *vpd; +- bool is_ata = false; + char buf[64]; ++ bool is_ata; + int ret; + + if (!sdev->cdl_supported) + return -EOPNOTSUPP; + + rcu_read_lock(); +- vpd = rcu_dereference(sdev->vpd_pg89); +- if (vpd) +- is_ata = true; ++ is_ata = rcu_dereference(sdev->vpd_pg89); + rcu_read_unlock(); + + /* + * For ATA devices, CDL needs to be enabled with a SET FEATURES command. + */ + if (is_ata) { ++ struct scsi_mode_data data; ++ struct scsi_sense_hdr sshdr; + char *buf_data; + int len; + +@@ -723,16 +720,30 @@ int scsi_cdl_enable(struct scsi_device * + if (ret) + return -EINVAL; + +- /* Enable CDL using the ATA feature page */ ++ /* Enable or disable CDL using the ATA feature page */ + len = min_t(size_t, sizeof(buf), + data.length - data.header_length - + data.block_descriptor_length); + buf_data = buf + data.header_length + + data.block_descriptor_length; +- if (enable) +- buf_data[4] = 0x02; +- else +- buf_data[4] = 0; ++ ++ /* ++ * If we want to enable CDL and CDL is already enabled on the ++ * device, do nothing. This avoids needlessly resetting the CDL ++ * statistics on the device as that is implied by the CDL enable ++ * action. Similar to this, there is no need to do anything if ++ * we want to disable CDL and CDL is already disabled. 
++ */ ++ if (enable) { ++ if ((buf_data[4] & 0x03) == 0x02) ++ goto out; ++ buf_data[4] &= ~0x03; ++ buf_data[4] |= 0x02; ++ } else { ++ if ((buf_data[4] & 0x03) == 0x00) ++ goto out; ++ buf_data[4] &= ~0x03; ++ } + + ret = scsi_mode_select(sdev, 1, 0, buf_data, len, 5 * HZ, 3, + &data, &sshdr); +@@ -744,6 +755,7 @@ int scsi_cdl_enable(struct scsi_device * + } + } + ++out: + sdev->cdl_enable = enable; + + return 0; diff --git a/queue-6.12/scsi-mpi3mr-fix-pending-i-o-counter.patch b/queue-6.12/scsi-mpi3mr-fix-pending-i-o-counter.patch new file mode 100644 index 0000000000..a6d40ccac7 --- /dev/null +++ b/queue-6.12/scsi-mpi3mr-fix-pending-i-o-counter.patch 
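Review bot: The new code in scsi_cdl_enable() reads `buf_data[4]` to decide whether to skip MODE SELECT, but `buf_data = buf + data.header_length + data.block_descriptor_length` is never checked against the 64-byte `buf`. Those two lengths appear to be filled in from the device's MODE SENSE reply (the call is outside the hunk), so a reply reporting a large header or block descriptor length would put both the new read and the later write outside the stack buffer. `len` is also capped at `sizeof(buf)` rather than at the space left after the offset. A guard before the first use, e.g. `if (data.header_length + data.block_descriptor_length + 5 > sizeof(buf)) return -EINVAL;`, closes the index case. The function starts outside the hunk.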
@@ -0,0 +1,39 @@ +From cdd445258db9919e9dde497a6d5c3477ea7faf4d Mon Sep 17 00:00:00 2001 +From: Ranjan Kumar +Date: Fri, 11 Apr 2025 16:44:18 +0530 +Subject: scsi: mpi3mr: Fix pending I/O counter + +From: Ranjan Kumar + +commit cdd445258db9919e9dde497a6d5c3477ea7faf4d upstream. + +Commit 199510e33dea ("scsi: mpi3mr: Update consumer index of reply +queues after every 100 replies") introduced a regression with the +per-reply queue pending I/O counter which was erroneously decremented, +leading to the counter going negative. + +Drop the incorrect atomic decrement for the pending I/O counter. + +Fixes: 199510e33dea ("scsi: mpi3mr: Update consumer index of reply queues after every 100 replies") +Cc: stable@vger.kernel.org +Co-developed-by: Sathya Prakash +Signed-off-by: Sathya Prakash +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20250411111419.135485-2-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c ++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c +@@ -563,7 +563,7 @@ int mpi3mr_process_op_reply_q(struct mpi + WRITE_ONCE(op_req_q->ci, le16_to_cpu(reply_desc->request_queue_ci)); + mpi3mr_process_op_reply_desc(mrioc, reply_desc, &reply_dma, + reply_qidx); +- atomic_dec(&op_reply_q->pend_ios); ++ + if (reply_dma) + mpi3mr_repost_reply_buf(mrioc, reply_dma); + num_op_reply++; diff --git a/queue-6.12/series b/queue-6.12/series index 1579742b0e..0bae992acd 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -91,3 +91,32 @@ loongarch-make-regs_irqs_disabled-more-clear.patch
 loongarch-make-do_xyz-exception-handlers-more-robust.patch
 kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch
 netfilter-fib-avoid-lookup-if-socket-is-available.patch
+virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch
+sched_ext-use-kvzalloc-for-large-exit_dump-allocation.patch
+crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch
+xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch
+net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch
+net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch
+scsi-mpi3mr-fix-pending-i-o-counter.patch
+rust-firmware-use-ffi-c_char-type-in-fwfunc.patch
+drm-panel-jd9365da-fix-reset-signal-polarity-in-unprepare.patch
+drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch
+drm-amd-display-force-full-update-in-gpu-reset.patch
+x86-insn-fix-ctest-instruction-decoding.patch
+irqchip-gic-v2m-prevent-use-after-free-of-gicv2m_get_fwnode.patch
+loongarch-handle-fp-lsx-lasx-and-lbt-assembly-symbols.patch
+loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch
+loongarch-remove-a-bogus-reference-to-zone_dma.patch
+loongarch-kvm-fully-clear-some-csrs-when-vm-reboot.patch
+loongarch-kvm-fix-pmu-pass-through-issue-if-vm-exits-to-host-finally.patch
+io_uring-fix-sync-handling-of-io_fallback_tw.patch
+kvm-svm-allocate-ir-data-using-atomic-allocation.patch
+cxl-core-regs.c-skip-memory-space-enable-check-for-rcd-and-rch-ports.patch
+mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch
+ata-libata-scsi-improve-cdl-control.patch
+ata-libata-scsi-fix-ata_mselect_control_ata_feature-return-type.patch
+ata-libata-scsi-fix-ata_msense_control_ata_feature.patch
+usb-storage-quirk-for-adata-portable-hdd-ch94.patch
+scsi-improve-cdl-control.patch
+mei-me-add-panther-lake-h-did.patch
+mei-vsc-fix-fortify-panic-caused-by-invalid-counted_by-use.patch
diff --git a/queue-6.12/usb-storage-quirk-for-adata-portable-hdd-ch94.patch b/queue-6.12/usb-storage-quirk-for-adata-portable-hdd-ch94.patch
new file mode 100644
index 0000000000..9c76def8c6
--- /dev/null
+++ b/queue-6.12/usb-storage-quirk-for-adata-portable-hdd-ch94.patch
@@ -0,0 +1,36 @@
+From 9ab75eee1a056f896b87d139044dd103adc532b9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 3 Apr 2025 19:59:45 +0200
+Subject: USB: storage: quirk for ADATA Portable HDD CH94
+
+From: Oliver Neukum
+
+commit 9ab75eee1a056f896b87d139044dd103adc532b9 upstream.
+
+Version 1.60 specifically needs this quirk.
+Version 2.00 is known good.
+
+Cc: stable
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20250403180004.343133-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -83,6 +83,13 @@ UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x99
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_REPORT_LUNS),
+
++/* Reported-by: Oliver Neukum */
++UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160,
++ "ADATA",
++ "Portable HDD CH94",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_ATA_1X),
++
+ /* Reported-by: Benjamin Tissoires */
+ UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
+ "Initio Corporation",
diff --git a/queue-6.12/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch b/queue-6.12/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch
new file mode 100644
index 0000000000..999937b667
--- /dev/null
+++ b/queue-6.12/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch
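Review bot: The new `UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160, ...)` entry restricts the quirk to a single bcdDevice value, but the reason is recorded only in the commit message, so a later reader of unusual_uas.h cannot tell whether widening the range would be safe. I would extend the comment above the entry to `/* Reported-by: Oliver Neukum; version 1.60 needs US_FL_NO_ATA_1X, version 2.00 is known good */`. The hunk shows only a slice of the device table, so neighbouring entries for the same vendor, if any, are not visible here.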
@@ -0,0 +1,60 @@
+From fbd3039a64b01b769040677c4fc68badeca8e3b2 Mon Sep 17 00:00:00 2001
+From: Halil Pasic
+Date: Sat, 22 Mar 2025 01:29:54 +0100
+Subject: virtio_console: fix missing byte order handling for cols and rows
+
+From: Halil Pasic
+
+commit fbd3039a64b01b769040677c4fc68badeca8e3b2 upstream.
+
+As per virtio spec the fields cols and rows are specified as little
+endian. Although there is no legacy interface requirement that would
+state that cols and rows need to be handled as native endian when legacy
+interface is used, unlike for the fields of the adjacent struct
+virtio_console_control, I decided to err on the side of caution based
+on some non-conclusive virtio spec repo archaeology and opt for using
+virtio16_to_cpu() much like for virtio_console_control.event. Strictly
+by the letter of the spec virtio_le_to_cpu() would have been sufficient.
+But when the legacy interface is not used, it boils down to the same.
+
+And when using the legacy interface, the device formatting these as
+little endian when the guest is big endian would surprise me more than
+it using guest native byte order (which would make it compatible with
+the current implementation). Nevertheless somebody trying to implement
+the spec following it to the letter could end up forcing little endian
+byte order when the legacy interface is in use. So IMHO this ultimately
+needs a judgement call by the maintainers.
+
+Fixes: 8345adbf96fc1 ("virtio: console: Accept console size along with resize control message")
+Signed-off-by: Halil Pasic
+Cc: stable@vger.kernel.org # v2.6.35+
+Message-Id: <20250322002954.3129282-1-pasic@linux.ibm.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/virtio_console.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -1579,8 +1579,8 @@ static void handle_control_message(struc
+ break;
+ case VIRTIO_CONSOLE_RESIZE: {
+ struct {
+- __u16 rows;
+- __u16 cols;
++ __virtio16 rows;
++ __virtio16 cols;
+ } size;
+
+ if (!is_console_port(port))
+@@ -1588,7 +1588,8 @@ static void handle_control_message(struc
+
+ memcpy(&size, buf->buf + buf->offset + sizeof(*cpkt),
+ sizeof(size));
+- set_console_size(port, size.rows, size.cols);
++ set_console_size(port, virtio16_to_cpu(vdev, size.rows),
++ virtio16_to_cpu(vdev, size.cols));
+
+ port->cons.hvc->irq_requested = 1;
+ resize_console(port);
diff --git a/queue-6.12/x86-insn-fix-ctest-instruction-decoding.patch b/queue-6.12/x86-insn-fix-ctest-instruction-decoding.patch
new file mode 100644
index 0000000000..e16102fc5e
--- /dev/null
+++ b/queue-6.12/x86-insn-fix-ctest-instruction-decoding.patch
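Review bot: The `memcpy(&size, buf->buf + buf->offset + sizeof(*cpkt), sizeof(size))` in the VIRTIO_CONSOLE_RESIZE case copies a fixed `sizeof(size)` bytes out of a device-supplied control buffer, and nothing in the two visible hunks checks that the received message is long enough to hold `*cpkt` plus the rows/cols payload. handle_control_message() starts and ends outside the hunks, so such a check may exist elsewhere; if it does not, a short message would make the new `virtio16_to_cpu()` calls convert whatever bytes were left in the buffer. A guard before the copy, such as `if (buf->len < buf->offset + sizeof(*cpkt) + sizeof(size)) break;`, would close that, assuming `buf->len` holds the received length at this point.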
@@ -0,0 +1,57 @@
+From 85fd85bc025a525354acb2241beb3c5387c551ec Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Wed, 23 Apr 2025 09:58:15 +0300
+Subject: x86/insn: Fix CTEST instruction decoding
+
+From: Kirill A. Shutemov
+
+commit 85fd85bc025a525354acb2241beb3c5387c551ec upstream.
+
+insn_decoder_test found a problem with decoding APX CTEST instructions:
+
+ Found an x86 instruction decoder bug, please report this.
+ ffffffff810021df 62 54 94 05 85 ff ctestneq
+ objdump says 6 bytes, but insn_get_length() says 5
+
+It happens because x86-opcode-map.txt doesn't specify arguments for the
+instruction and the decoder doesn't expect to see ModRM byte.
+
+Fixes: 690ca3a3067f ("x86/insn: Add support for APX EVEX instructions to the opcode map")
+Signed-off-by: Kirill A. Shutemov
+Signed-off-by: Ingo Molnar
+Cc: H. Peter Anvin
+Cc: Adrian Hunter
+Cc: stable@vger.kernel.org # v6.10+
+Link: https://lore.kernel.org/r/20250423065815.2003231-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/lib/x86-opcode-map.txt | 4 ++--
+ tools/arch/x86/lib/x86-opcode-map.txt | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/lib/x86-opcode-map.txt
++++ b/arch/x86/lib/x86-opcode-map.txt
+@@ -996,8 +996,8 @@ AVXcode: 4
+ 83: Grp1 Ev,Ib (1A),(es)
+ # CTESTSCC instructions are: CTESTB, CTESTBE, CTESTF, CTESTL, CTESTLE, CTESTNB, CTESTNBE, CTESTNL,
+ # CTESTNLE, CTESTNO, CTESTNS, CTESTNZ, CTESTO, CTESTS, CTESTT, CTESTZ
+-84: CTESTSCC (ev)
+-85: CTESTSCC (es) | CTESTSCC (66),(es)
++84: CTESTSCC Eb,Gb (ev)
++85: CTESTSCC Ev,Gv (es) | CTESTSCC Ev,Gv (66),(es)
+ 88: POPCNT Gv,Ev (es) | POPCNT Gv,Ev (66),(es)
+ 8f: POP2 Bq,Rq (000),(11B),(ev)
+ a5: SHLD Ev,Gv,CL (es) | SHLD Ev,Gv,CL (66),(es)
+--- a/tools/arch/x86/lib/x86-opcode-map.txt
++++ b/tools/arch/x86/lib/x86-opcode-map.txt
+@@ -996,8 +996,8 @@ AVXcode: 4
+ 83: Grp1 Ev,Ib (1A),(es)
+ # CTESTSCC instructions are: CTESTB, CTESTBE, CTESTF, CTESTL, CTESTLE, CTESTNB, CTESTNBE, CTESTNL,
+ # CTESTNLE, CTESTNO, CTESTNS, CTESTNZ, CTESTO, CTESTS, CTESTT, CTESTZ
+-84: CTESTSCC (ev)
+-85: CTESTSCC (es) | CTESTSCC (66),(es)
++84: CTESTSCC Eb,Gb (ev)
++85: CTESTSCC Ev,Gv (es) | CTESTSCC Ev,Gv (66),(es)
+ 88: POPCNT Gv,Ev (es) | POPCNT Gv,Ev (66),(es)
+ 8f: POP2 Bq,Rq (000),(11B),(ev)
+ a5: SHLD Ev,Gv,CL (es) | SHLD Ev,Gv,CL (66),(es)
diff --git a/queue-6.12/xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch b/queue-6.12/xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch
new file mode 100644
index 0000000000..a87b5f95cd
--- /dev/null
+++ b/queue-6.12/xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch
@@ -0,0 +1,65 @@
+From cc3628dcd851ddd8d418bf0c897024b4621ddc92 Mon Sep 17 00:00:00 2001
+From: Alexey Nepomnyashih
+Date: Thu, 17 Apr 2025 12:21:17 +0000
+Subject: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()
+
+From: Alexey Nepomnyashih
+
+commit cc3628dcd851ddd8d418bf0c897024b4621ddc92 upstream.
+
+The function xdp_convert_buff_to_frame() may return NULL if it fails
+to correctly convert the XDP buffer into an XDP frame due to memory
+constraints, internal errors, or invalid data. Failing to check for NULL
+may lead to a NULL pointer dereference if the result is used later in
+processing, potentially causing crashes, data corruption, or undefined
+behavior.
+
+On XDP redirect failure, the associated page must be released explicitly
+if it was previously retained via get_page(). Failing to do so may result
+in a memory leak, as the pages reference count is not decremented.
+
+Cc: stable@vger.kernel.org # v5.9+
+Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
+Signed-off-by: Alexey Nepomnyashih
+Link: https://patch.msgid.link/20250417122118.1009824-1-sdl@nppct.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/xen-netfront.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -985,20 +985,27 @@ static u32 xennet_run_xdp(struct netfron
+ act = bpf_prog_run_xdp(prog, xdp);
+ switch (act) {
+ case XDP_TX:
+- get_page(pdata);
+ xdpf = xdp_convert_buff_to_frame(xdp);
++ if (unlikely(!xdpf)) {
++ trace_xdp_exception(queue->info->netdev, prog, act);
++ break;
++ }
++ get_page(pdata);
+ err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0);
+- if (unlikely(!err))
++ if (unlikely(err <= 0)) {
++ if (err < 0)
++ trace_xdp_exception(queue->info->netdev, prog, act);
+ xdp_return_frame_rx_napi(xdpf);
+- else if (unlikely(err < 0))
+- trace_xdp_exception(queue->info->netdev, prog, act);
++ }
+ break;
+ case XDP_REDIRECT:
+ get_page(pdata);
+ err = xdp_do_redirect(queue->info->netdev, xdp, prog);
+ *need_xdp_flush = true;
+- if (unlikely(err))
++ if (unlikely(err)) {
+ trace_xdp_exception(queue->info->netdev, prog, act);
++ xdp_return_buff(xdp);
++ }
+ break;
+ case XDP_PASS:
+ case XDP_DROP:
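Review bot: The reordering in the XDP_TX case, where `get_page(pdata)` now follows the NULL check on `xdpf`, carries the reference-counting logic of this fix but has no comment, so a later cleanup could move the call back above the conversion. I would add `/* take the extra page reference only once the frame exists; the NULL path above takes none */` above `get_page(pdata)`, and `/* drop the reference taken by get_page() above */` above `xdp_return_buff(xdp)` in the XDP_REDIRECT case. xennet_run_xdp() begins and ends outside the hunk, so how the caller treats the returned action after these early breaks cannot be confirmed from here.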