From: Greg Kroah-Hartman Date: Fri, 20 Mar 2026 17:39:20 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.1.167~83 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef836425242258cfea78265a2a478cfcf1348a85;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch --- diff --git a/queue-5.15/iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch b/queue-5.15/iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch new file mode 100644 index 0000000000..d75ddda95f --- /dev/null +++ b/queue-5.15/iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch @@ -0,0 +1,54 @@ +From fe89277c9ceb0d6af0aa665bcf24a41d8b1b79cd Mon Sep 17 00:00:00 2001 +From: Guanghui Feng +Date: Mon, 16 Mar 2026 15:16:39 +0800 +Subject: iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry + +From: Guanghui Feng + +commit fe89277c9ceb0d6af0aa665bcf24a41d8b1b79cd upstream. + +During the qi_check_fault process after an IOMMU ITE event, requests at +odd-numbered positions in the queue are set to QI_ABORT, only satisfying +single-request submissions. However, qi_submit_sync now supports multiple +simultaneous submissions, and can't guarantee that the wait_desc will be +at an odd-numbered position. Therefore, if an item times out, IOMMU can't +re-initiate the request, resulting in an infinite polling wait. + +This modifies the process by setting the status of all requests already +fetched by IOMMU and recorded as QI_IN_USE status (including wait_desc +requests) to QI_ABORT, thus enabling multiple requests to be resubmitted. + +Fixes: 8a1d82462540 ("iommu/vt-d: Multiple descriptors per qi_submit_sync()") +Cc: stable@vger.kernel.org +Signed-off-by: Guanghui Feng +Tested-by: Shuai Xue +Reviewed-by: Shuai Xue +Reviewed-by: Samiullah Khawaja +Link: https://lore.kernel.org/r/20260306101516.3885775-1-guanghuifeng@linux.alibaba.com +Signed-off-by: Lu Baolu +Fixes: 8a1d82462540 ("iommu/vt-d: Multiple descriptors per qi_submit_sync()") +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel/dmar.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iommu/intel/dmar.c ++++ b/drivers/iommu/intel/dmar.c +@@ -1305,7 +1305,6 @@ static int qi_check_fault(struct intel_i + if (fault & DMA_FSTS_ITE) { + head = readl(iommu->reg + DMAR_IQH_REG); + head = ((head >> shift) - 1 + QI_LENGTH) % QI_LENGTH; +- head |= 1; + tail = readl(iommu->reg + DMAR_IQT_REG); + tail = ((tail >> shift) - 1 + QI_LENGTH) % QI_LENGTH; + +@@ -1315,7 +1314,7 @@ static int qi_check_fault(struct intel_i + do { + if (qi->desc_status[head] == QI_IN_USE) + qi->desc_status[head] = QI_ABORT; +- head = (head - 2 + QI_LENGTH) % QI_LENGTH; ++ head = (head - 1 + QI_LENGTH) % QI_LENGTH; + } while (head != tail); + + if (qi->desc_status[wait_index] == QI_ABORT) diff --git a/queue-5.15/mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch b/queue-5.15/mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch new file mode 100644 index 0000000000..1e11c24abb --- /dev/null +++ b/queue-5.15/mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch @@ -0,0 +1,47 @@ +From 5e3486e64094c28a526543f1e8aa0d5964b7f02d Mon Sep 17 00:00:00 2001 +From: Luke Wang +Date: Wed, 11 Mar 2026 17:50:06 +0800 +Subject: mmc: sdhci: fix timing selection for 1-bit bus width + +From: Luke Wang + +commit 5e3486e64094c28a526543f1e8aa0d5964b7f02d upstream. + +When 1-bit bus width is used with HS200/HS400 capabilities set, +mmc_select_hs200() returns 0 without actually switching. This +causes mmc_select_timing() to skip mmc_select_hs(), leaving eMMC +in legacy mode (26MHz) instead of High Speed SDR (52MHz). + +Per JEDEC eMMC spec section 5.3.2, 1-bit mode supports High Speed +SDR. Drop incompatible HS200/HS400/UHS/DDR caps early so timing +selection falls through to mmc_select_hs() correctly. + +Fixes: f2119df6b764 ("mmc: sd: add support for signal voltage switch procedure") +Signed-off-by: Luke Wang +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -4454,8 +4454,15 @@ int sdhci_setup_host(struct sdhci_host * + * their platform code before calling sdhci_add_host(), and we + * won't assume 8-bit width for hosts without that CAP. + */ +- if (!(host->quirks & SDHCI_QUIRK_FORCE_1_BIT_DATA)) ++ if (host->quirks & SDHCI_QUIRK_FORCE_1_BIT_DATA) { ++ host->caps1 &= ~(SDHCI_SUPPORT_SDR104 | SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50); ++ if (host->quirks2 & SDHCI_QUIRK2_CAPS_BIT63_FOR_HS400) ++ host->caps1 &= ~SDHCI_SUPPORT_HS400; ++ mmc->caps2 &= ~(MMC_CAP2_HS200 | MMC_CAP2_HS400 | MMC_CAP2_HS400_ES); ++ mmc->caps &= ~(MMC_CAP_DDR | MMC_CAP_UHS); ++ } else { + mmc->caps |= MMC_CAP_4_BIT_DATA; ++ } + + if (host->quirks2 & SDHCI_QUIRK2_HOST_NO_CMD23) + mmc->caps &= ~MMC_CAP_CMD23; diff --git a/queue-5.15/mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch b/queue-5.15/mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch new file mode 100644 index 0000000000..64de47364f --- /dev/null +++ b/queue-5.15/mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch @@ -0,0 +1,60 @@ +From 2b76e0cc7803e5ab561c875edaba7f6bbd87fbb0 Mon Sep 17 00:00:00 2001 +From: Matthew Schwartz +Date: Mon, 2 Mar 2026 13:07:17 -0800 +Subject: mmc: sdhci-pci-gli: fix GL9750 DMA write corruption + +From: Matthew Schwartz + +commit 2b76e0cc7803e5ab561c875edaba7f6bbd87fbb0 upstream. + +The GL9750 SD host controller has intermittent data corruption during +DMA write operations. The GM_BURST register's R_OSRC_Lmt field +(bits 17:16), which limits outstanding DMA read requests from system +memory, is not being cleared during initialization. The Windows driver +sets R_OSRC_Lmt to zero, limiting requests to the smallest unit. + +Clear R_OSRC_Lmt to match the Windows driver behavior. This eliminates +write corruption verified with f3write/f3read tests while maintaining +DMA performance. + +Cc: stable@vger.kernel.org +Fixes: e51df6ce668a ("mmc: host: sdhci-pci: Add Genesys Logic GL975x support") +Closes: https://lore.kernel.org/linux-mmc/33d12807-5c72-41ce-8679-57aa11831fad@linux.dev/ +Acked-by: Adrian Hunter +Signed-off-by: Matthew Schwartz +Reviewed-by: Ben Chuang +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-gli.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-gli.c ++++ b/drivers/mmc/host/sdhci-pci-gli.c +@@ -70,6 +70,9 @@ + #define GLI_9750_MISC_RX_INV_VALUE GLI_9750_MISC_RX_INV_OFF + #define GLI_9750_MISC_TX1_DLY_VALUE 0x5 + ++#define SDHCI_GLI_9750_GM_BURST_SIZE 0x510 ++#define SDHCI_GLI_9750_GM_BURST_SIZE_R_OSRC_LMT GENMASK(17, 16) ++ + #define SDHCI_GLI_9750_TUNING_CONTROL 0x540 + #define SDHCI_GLI_9750_TUNING_CONTROL_EN BIT(4) + #define GLI_9750_TUNING_CONTROL_EN_ON 0x1 +@@ -188,10 +191,16 @@ static void gli_set_9750(struct sdhci_ho + u32 misc_value; + u32 parameter_value; + u32 control_value; ++ u32 burst_value; + u16 ctrl2; + + gl9750_wt_on(host); + ++ /* clear R_OSRC_Lmt to avoid DMA write corruption */ ++ burst_value = sdhci_readl(host, SDHCI_GLI_9750_GM_BURST_SIZE); ++ burst_value &= ~SDHCI_GLI_9750_GM_BURST_SIZE_R_OSRC_LMT; ++ sdhci_writel(host, burst_value, SDHCI_GLI_9750_GM_BURST_SIZE); ++ + driving_value = sdhci_readl(host, SDHCI_GLI_9750_DRIVING); + pll_value = sdhci_readl(host, SDHCI_GLI_9750_PLL); + sw_ctrl_value = sdhci_readl(host, SDHCI_GLI_9750_SW_CTRL); diff --git a/queue-5.15/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch b/queue-5.15/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch new file mode 100644 index 0000000000..ce5e52f0fc --- /dev/null +++ b/queue-5.15/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch @@ -0,0 +1,56 @@ +From 8e2f8020270af7777d49c2e7132260983e4fc566 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Mon, 16 Feb 2026 18:01:30 +1100 +Subject: mtd: Avoid boot crash in RedBoot partition table parser + +From: Finn Thain + +commit 8e2f8020270af7777d49c2e7132260983e4fc566 upstream. + +Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, +commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when +available") produces the warning below and an oops. + + Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 + ------------[ cut here ]------------ + WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 + memcmp: detected buffer overflow: 15 byte read of buffer size 14 + Modules linked in: + CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE + +As Kees said, "'names' is pointing to the final 'namelen' many bytes +of the allocation ... 'namelen' could be basically any length at all. +This fortify warning looks legit to me -- this code used to be reading +beyond the end of the allocation." + +Since the size of the dynamic allocation is calculated with strlen() +we can use strcmp() instead of memcmp() and remain within bounds. + +Cc: Kees Cook +Cc: stable@vger.kernel.org +Cc: linux-hardening@vger.kernel.org +Link: https://lore.kernel.org/all/202602151911.AD092DFFCD@keescook/ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Suggested-by: Kees Cook +Signed-off-by: Finn Thain +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/parsers/redboot.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/parsers/redboot.c ++++ b/drivers/mtd/parsers/redboot.c +@@ -270,9 +270,9 @@ nogood: + + strcpy(names, fl->img->name); + #ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY +- if (!memcmp(names, "RedBoot", 8) || +- !memcmp(names, "RedBoot config", 15) || +- !memcmp(names, "FIS directory", 14)) { ++ if (!strcmp(names, "RedBoot") || ++ !strcmp(names, "RedBoot config") || ++ !strcmp(names, "FIS directory")) { + parts[i].mask_flags = MTD_WRITEABLE; + } + #endif diff --git a/queue-5.15/mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch b/queue-5.15/mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch new file mode 100644 index 0000000000..0dd1c71bd4 --- /dev/null +++ b/queue-5.15/mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch @@ -0,0 +1,34 @@ +From 0410e1a4c545c769c59c6eda897ad5d574d0c865 Mon Sep 17 00:00:00 2001 +From: Chen Ni +Date: Mon, 9 Feb 2026 15:56:18 +0800 +Subject: mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() + +From: Chen Ni + +commit 0410e1a4c545c769c59c6eda897ad5d574d0c865 upstream. + +Fix wrong variable used for error checking after dma_alloc_coherent() +call. The function checks cdns_ctrl->dma_cdma_desc instead of +cdns_ctrl->cdma_desc, which could lead to incorrect error handling. + +Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Chen Ni +Reviewed-by: Alok Tiwari +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -2840,7 +2840,7 @@ static int cadence_nand_init(struct cdns + sizeof(*cdns_ctrl->cdma_desc), + &cdns_ctrl->dma_cdma_desc, + GFP_KERNEL); +- if (!cdns_ctrl->dma_cdma_desc) ++ if (!cdns_ctrl->cdma_desc) + return -ENOMEM; + + cdns_ctrl->buf_size = SZ_16K; diff --git a/queue-5.15/mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch b/queue-5.15/mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch new file mode 100644 index 0000000000..826a3df0cb --- /dev/null +++ b/queue-5.15/mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch @@ -0,0 +1,41 @@ +From b9465b04de4b90228de03db9a1e0d56b00814366 Mon Sep 17 00:00:00 2001 +From: Olivier Sobrie +Date: Tue, 17 Mar 2026 18:18:07 +0100 +Subject: mtd: rawnand: pl353: make sure optimal timings are applied + +From: Olivier Sobrie + +commit b9465b04de4b90228de03db9a1e0d56b00814366 upstream. + +Timings of the nand are adjusted by pl35x_nfc_setup_interface() but +actually applied by the pl35x_nand_select_target() function. +If there is only one nand chip, the pl35x_nand_select_target() will only +apply the timings once since the test at its beginning will always be true +after the first call to this function. As a result, the hardware will +keep using the default timings set at boot to detect the nand chip, not +the optimal ones. + +With this patch, we program directly the new timings when +pl35x_nfc_setup_interface() is called. + +Fixes: 08d8c62164a3 ("mtd: rawnand: pl353: Add support for the ARM PL353 SMC NAND controller") +Signed-off-by: Olivier Sobrie +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/pl35x-nand-controller.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mtd/nand/raw/pl35x-nand-controller.c ++++ b/drivers/mtd/nand/raw/pl35x-nand-controller.c +@@ -864,6 +864,9 @@ static int pl35x_nfc_setup_interface(str + PL35X_SMC_NAND_TAR_CYCLES(tmgs.t_ar) | + PL35X_SMC_NAND_TRR_CYCLES(tmgs.t_rr); + ++ writel(plnand->timings, nfc->conf_regs + PL35X_SMC_CYCLES); ++ pl35x_smc_update_regs(nfc); ++ + return 0; + } + diff --git a/queue-5.15/series b/queue-5.15/series index 5ad824cfe3..a737793f0c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -200,3 +200,9 @@ nfc-nxp-nci-allow-gpios-to-sleep.patch net-macb-fix-use-after-free-access-to-ptp-clock.patch bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch +mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch +mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch +mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch +mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch +mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch +iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch