From 0b759e74b777929cae27f75a20cc0004585f1164 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 15:54:13 +0200 Subject: [PATCH] 6.1-stable patches added patches: ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch pci-fix-reference-leak-in-pci_alloc_child_bus.patch pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch --- ...arithmetic-for-the-msi-doorbell-mask.patch | 40 ++++++ ...-leakage-in-api-irq_of_parse_and_map.patch | 44 ++++++ ...ount-leakage-in-api-of_irq_parse_one.patch | 126 ++++++++++++++++++ ...ount-leakage-in-api-of_irq_parse_raw.patch | 51 +++++++ ...de-refcount-leakages-in-of_irq_count.patch | 40 ++++++ ...ode-refcount-leakages-in-of_irq_init.patch | 53 ++++++++ ...ssing-of_node_put-in-brcm_pcie_probe.patch | 61 +++++++++ ...eference-leak-in-pci_alloc_child_bus.patch | 42 ++++++ ...errupt-status-when-changing-irq-type.patch | 107 +++++++++++++++ ...-fd_in-before-returning-in-main_loop.patch | 49 +++++++ queue-6.1/series | 10 ++ 11 files changed, 623 insertions(+) create mode 100644 queue-6.1/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch create mode 100644 queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch create mode 100644 queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch create mode 100644 queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch create mode 100644 queue-6.1/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch create mode 100644 queue-6.1/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch create mode 100644 queue-6.1/pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch create mode 100644 queue-6.1/pci-fix-reference-leak-in-pci_alloc_child_bus.patch create mode 100644 queue-6.1/pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch create mode 100644 queue-6.1/selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch diff --git a/queue-6.1/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch b/queue-6.1/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch new file mode 100644 index 0000000000..0f8cfa2a38 --- /dev/null +++ b/queue-6.1/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch @@ -0,0 +1,40 @@ +From fd5625fc86922f36bedee5846fefd647b7e72751 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Wed, 15 Jan 2025 21:28:17 +0300 +Subject: ntb: use 64-bit arithmetic for the MSI doorbell mask + +From: Fedor Pchelkin + +commit fd5625fc86922f36bedee5846fefd647b7e72751 upstream. + +msi_db_mask is of type 'u64', still the standard 'int' arithmetic is +performed to compute its value. + +While most of the ntb_hw drivers actually don't utilize the higher 32 +bits of the doorbell mask now, this may be the case for Switchtec - see +switchtec_ntb_init_db(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE static +analysis tool. + +Fixes: 2b0569b3b7e6 ("NTB: Add MSI interrupt support to ntb_transport") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ntb/ntb_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -1351,7 +1351,7 @@ static int ntb_transport_probe(struct nt + qp_count = ilog2(qp_bitmap); + if (nt->use_msi) { + qp_count -= 1; +- nt->msi_db_mask = 1 << qp_count; ++ nt->msi_db_mask = BIT_ULL(qp_count); + ntb_db_clear_mask(ndev, nt->msi_db_mask); + } + diff --git a/queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch b/queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch new file mode 100644 index 0000000000..1dff63d375 --- /dev/null +++ b/queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch @@ -0,0 +1,44 @@ +From 962a2805e47b933876ba0e4c488d9e89ced2dd29 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:59 +0800 +Subject: of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() + +From: Zijun Hu + +commit 962a2805e47b933876ba0e4c488d9e89ced2dd29 upstream. + +In irq_of_parse_and_map(), refcount of device node @oirq.np was got +by successful of_irq_parse_one() invocation, but it does not put the +refcount before return, so causes @oirq.np refcount leakage. + +Fix by putting @oirq.np refcount before return. + +Fixes: e3873444990d ("of/irq: Move irq_of_parse_and_map() to common code") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-6-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -39,11 +39,15 @@ + unsigned int irq_of_parse_and_map(struct device_node *dev, int index) + { + struct of_phandle_args oirq; ++ unsigned int ret; + + if (of_irq_parse_one(dev, index, &oirq)) + return 0; + +- return irq_create_of_mapping(&oirq); ++ ret = irq_create_of_mapping(&oirq); ++ of_node_put(oirq.np); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(irq_of_parse_and_map); + diff --git a/queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch b/queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch new file mode 100644 index 0000000000..b3c694c9e0 --- /dev/null +++ b/queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch @@ -0,0 +1,126 @@ +From 0cb58d6c7b558a69957fabe159bfb184196e1e8d Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:55 +0800 +Subject: of/irq: Fix device node refcount leakage in API of_irq_parse_one() + +From: Zijun Hu + +commit 0cb58d6c7b558a69957fabe159bfb184196e1e8d upstream. + +of_irq_parse_one(@int_gen_dev, i, ...) will leak refcount of @i_th_phandle + +int_gen_dev { + ... + interrupts-extended = ..., <&i_th_phandle ...>, ...; + ... +}; + +Refcount of @i_th_phandle is increased by of_parse_phandle_with_args() +but is not decreased by API of_irq_parse_one() before return, so causes +refcount leakage. + +Rework the refcounting to use __free() cleanup and simplify the code to +have a single call to of_irq_parse_raw(). + +Also add comments about refcount of node @out_irq->np got by the API. + +Fixes: 79d9701559a9 ("of/irq: create interrupts-extended property") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-2-93e3a2659aa7@quicinc.com +[robh: Use __free() to do puts] +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 59 +++++++++++++++++++++++++------------------------------ + 1 file changed, 27 insertions(+), 32 deletions(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -16,6 +16,7 @@ + + #define pr_fmt(fmt) "OF: " fmt + ++#include + #include + #include + #include +@@ -339,10 +340,12 @@ EXPORT_SYMBOL_GPL(of_irq_parse_raw); + * This function resolves an interrupt for a node by walking the interrupt tree, + * finding which interrupt controller node it is attached to, and returning the + * interrupt specifier that can be used to retrieve a Linux IRQ number. ++ * ++ * Note: refcount of node @out_irq->np is increased by 1 on success. + */ + int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_args *out_irq) + { +- struct device_node *p; ++ struct device_node __free(device_node) *p = NULL; + const __be32 *addr; + u32 intsize; + int i, res, addr_len; +@@ -367,41 +370,33 @@ int of_irq_parse_one(struct device_node + /* Try the new-style interrupts-extended first */ + res = of_parse_phandle_with_args(device, "interrupts-extended", + "#interrupt-cells", index, out_irq); +- if (!res) +- return of_irq_parse_raw(addr_buf, out_irq); +- +- /* Look for the interrupt parent. */ +- p = of_irq_find_parent(device); +- if (p == NULL) +- return -EINVAL; +- +- /* Get size of interrupt specifier */ +- if (of_property_read_u32(p, "#interrupt-cells", &intsize)) { +- res = -EINVAL; +- goto out; +- } +- +- pr_debug(" parent=%pOF, intsize=%d\n", p, intsize); ++ if (!res) { ++ p = out_irq->np; ++ } else { ++ /* Look for the interrupt parent. */ ++ p = of_irq_find_parent(device); ++ /* Get size of interrupt specifier */ ++ if (!p || of_property_read_u32(p, "#interrupt-cells", &intsize)) ++ return -EINVAL; ++ ++ pr_debug(" parent=%pOF, intsize=%d\n", p, intsize); ++ ++ /* Copy intspec into irq structure */ ++ out_irq->np = p; ++ out_irq->args_count = intsize; ++ for (i = 0; i < intsize; i++) { ++ res = of_property_read_u32_index(device, "interrupts", ++ (index * intsize) + i, ++ out_irq->args + i); ++ if (res) ++ return res; ++ } + +- /* Copy intspec into irq structure */ +- out_irq->np = p; +- out_irq->args_count = intsize; +- for (i = 0; i < intsize; i++) { +- res = of_property_read_u32_index(device, "interrupts", +- (index * intsize) + i, +- out_irq->args + i); +- if (res) +- goto out; ++ pr_debug(" intspec=%d\n", *out_irq->args); + } + +- pr_debug(" intspec=%d\n", *out_irq->args); +- +- + /* Check if there are any interrupt-map translations to process */ +- res = of_irq_parse_raw(addr_buf, out_irq); +- out: +- of_node_put(p); +- return res; ++ return of_irq_parse_raw(addr_buf, out_irq); + } + EXPORT_SYMBOL_GPL(of_irq_parse_one); + diff --git a/queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch b/queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch new file mode 100644 index 0000000000..379ab4bfb3 --- /dev/null +++ b/queue-6.1/of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch @@ -0,0 +1,51 @@ +From ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:57 +0800 +Subject: of/irq: Fix device node refcount leakage in API of_irq_parse_raw() + +From: Zijun Hu + +commit ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 upstream. + +if the node @out_irq->np got by of_irq_parse_raw() is a combo node which +consists of both controller and nexus, namely, of_irq_parse_raw() returns +due to condition (@ipar == @newpar), then the node's refcount was increased +twice, hence causes refcount leakage. + +Fix by putting @out_irq->np refcount before returning due to the condition. +Also add comments about refcount of node @out_irq->np got by the API. + +Fixes: 041284181226 ("of/irq: Allow matching of an interrupt-map local to an interrupt controller") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-4-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -166,6 +166,8 @@ const __be32 *of_irq_parse_imap_parent(c + * the specifier for each map, and then returns the translated map. + * + * Return: 0 on success and a negative number on error ++ * ++ * Note: refcount of node @out_irq->np is increased by 1 on success. + */ + int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq) + { +@@ -311,6 +313,12 @@ int of_irq_parse_raw(const __be32 *addr, + addrsize = (imap - match_array) - intsize; + + if (ipar == newpar) { ++ /* ++ * We got @ipar's refcount, but the refcount was ++ * gotten again by of_irq_parse_imap_parent() via its ++ * alias @newpar. ++ */ ++ of_node_put(ipar); + pr_debug("%pOF interrupt-map entry to self\n", ipar); + return 0; + } diff --git a/queue-6.1/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch b/queue-6.1/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch new file mode 100644 index 0000000000..64650245fd --- /dev/null +++ b/queue-6.1/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch @@ -0,0 +1,40 @@ +From bbf71f44aaf241d853759a71de7e7ebcdb89be3d Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:58 +0800 +Subject: of/irq: Fix device node refcount leakages in of_irq_count() + +From: Zijun Hu + +commit bbf71f44aaf241d853759a71de7e7ebcdb89be3d upstream. + +of_irq_count() invokes of_irq_parse_one() to count IRQs, and successful +invocation of the later will get device node @irq.np refcount, but the +former does not put the refcount before next iteration invocation, hence +causes device node refcount leakages. + +Fix by putting @irq.np refcount before the next iteration invocation. + +Fixes: 3da5278727a8 ("of/irq: Rework of_irq_count()") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-5-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -503,8 +503,10 @@ int of_irq_count(struct device_node *dev + struct of_phandle_args irq; + int nr = 0; + +- while (of_irq_parse_one(dev, nr, &irq) == 0) ++ while (of_irq_parse_one(dev, nr, &irq) == 0) { ++ of_node_put(irq.np); + nr++; ++ } + + return nr; + } diff --git a/queue-6.1/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch b/queue-6.1/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch new file mode 100644 index 0000000000..ddf68a065e --- /dev/null +++ b/queue-6.1/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch @@ -0,0 +1,53 @@ +From 708124d9e6e7ac5ebf927830760679136b23fdf0 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:59:00 +0800 +Subject: of/irq: Fix device node refcount leakages in of_irq_init() + +From: Zijun Hu + +commit 708124d9e6e7ac5ebf927830760679136b23fdf0 upstream. + +of_irq_init() will leak interrupt controller device node refcounts +in two places as explained below: + +1) Leak refcounts of both @desc->dev and @desc->interrupt_parent when + suffers @desc->irq_init_cb() failure. +2) Leak refcount of @desc->interrupt_parent when cleans up list + @intc_desc_list in the end. + +Refcounts of both @desc->dev and @desc->interrupt_parent were got in +the first loop, but of_irq_init() does not put them before kfree(@desc) +in places mentioned above, so causes refcount leakages. + +Fix by putting refcounts involved before kfree(@desc). + +Fixes: 8363ccb917c6 ("of/irq: add missing of_node_put") +Fixes: c71a54b08201 ("of/irq: introduce of_irq_init") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-7-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -627,6 +627,8 @@ void __init of_irq_init(const struct of_ + __func__, desc->dev, desc->dev, + desc->interrupt_parent); + of_node_clear_flag(desc->dev, OF_POPULATED); ++ of_node_put(desc->interrupt_parent); ++ of_node_put(desc->dev); + kfree(desc); + continue; + } +@@ -657,6 +659,7 @@ void __init of_irq_init(const struct of_ + err: + list_for_each_entry_safe(desc, temp_desc, &intc_desc_list, list) { + list_del(&desc->list); ++ of_node_put(desc->interrupt_parent); + of_node_put(desc->dev); + kfree(desc); + } diff --git a/queue-6.1/pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch b/queue-6.1/pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch new file mode 100644 index 0000000000..db9d9f95e8 --- /dev/null +++ b/queue-6.1/pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch @@ -0,0 +1,61 @@ +From 2df181e1aea4628a8fd257f866026625d0519627 Mon Sep 17 00:00:00 2001 +From: Stanimir Varbanov +Date: Thu, 23 Jan 2025 00:29:55 +0200 +Subject: PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stanimir Varbanov + +commit 2df181e1aea4628a8fd257f866026625d0519627 upstream. + +A call to of_parse_phandle() is incrementing the refcount, and as such, +the of_node_put() must be called when the reference is no longer needed. + +Thus, refactor the existing code and add a missing of_node_put() call +following the check to ensure that "msi_np" matches "pcie->np" and after +MSI initialization, but only if the MSI support is enabled system-wide. + +Cc: stable@vger.kernel.org # v5.10+ +Fixes: 40ca1bf580ef ("PCI: brcmstb: Add MSI support") +Signed-off-by: Stanimir Varbanov +Reviewed-by: Florian Fainelli +Reviewed-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20250122222955.1752778-1-svarbanov@suse.de +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-brcmstb.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/pci/controller/pcie-brcmstb.c ++++ b/drivers/pci/controller/pcie-brcmstb.c +@@ -1488,7 +1488,7 @@ static struct pci_ops brcm7425_pcie_ops + + static int brcm_pcie_probe(struct platform_device *pdev) + { +- struct device_node *np = pdev->dev.of_node, *msi_np; ++ struct device_node *np = pdev->dev.of_node; + struct pci_host_bridge *bridge; + const struct pcie_cfg_data *data; + struct brcm_pcie *pcie; +@@ -1563,9 +1563,14 @@ static int brcm_pcie_probe(struct platfo + goto fail; + } + +- msi_np = of_parse_phandle(pcie->np, "msi-parent", 0); +- if (pci_msi_enabled() && msi_np == pcie->np) { +- ret = brcm_pcie_enable_msi(pcie); ++ if (pci_msi_enabled()) { ++ struct device_node *msi_np = of_parse_phandle(pcie->np, "msi-parent", 0); ++ ++ if (msi_np == pcie->np) ++ ret = brcm_pcie_enable_msi(pcie); ++ ++ of_node_put(msi_np); ++ + if (ret) { + dev_err(pcie->dev, "probe of internal MSI failed"); + goto fail; diff --git a/queue-6.1/pci-fix-reference-leak-in-pci_alloc_child_bus.patch b/queue-6.1/pci-fix-reference-leak-in-pci_alloc_child_bus.patch new file mode 100644 index 0000000000..5717a40516 --- /dev/null +++ b/queue-6.1/pci-fix-reference-leak-in-pci_alloc_child_bus.patch @@ -0,0 +1,42 @@ +From 1f2768b6a3ee77a295106e3a5d68458064923ede Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Sun, 2 Feb 2025 14:23:57 +0800 +Subject: PCI: Fix reference leak in pci_alloc_child_bus() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ma Ke + +commit 1f2768b6a3ee77a295106e3a5d68458064923ede upstream. + +If device_register(&child->dev) fails, call put_device() to explicitly +release child->dev, per the comment at device_register(). + +Found by code review. + +Link: https://lore.kernel.org/r/20250202062357.872971-1-make24@iscas.ac.cn +Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible") +Signed-off-by: Ma Ke +Signed-off-by: Bjorn Helgaas +Reviewed-by: Ilpo Järvinen +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1141,7 +1141,10 @@ static struct pci_bus *pci_alloc_child_b + add_dev: + pci_set_bus_msi_domain(child); + ret = device_register(&child->dev); +- WARN_ON(ret < 0); ++ if (WARN_ON(ret < 0)) { ++ put_device(&child->dev); ++ return NULL; ++ } + + pcibios_add_bus(child); + diff --git a/queue-6.1/pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch b/queue-6.1/pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch new file mode 100644 index 0000000000..23a673e84d --- /dev/null +++ b/queue-6.1/pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch @@ -0,0 +1,107 @@ +From e225128c3f8be879e7d4eb71a25949e188b420ae Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Wed, 12 Mar 2025 14:19:27 +0100 +Subject: pinctrl: qcom: Clear latched interrupt status when changing IRQ type + +From: Stephan Gerhold + +commit e225128c3f8be879e7d4eb71a25949e188b420ae upstream. + +When submitting the TLMM test driver, Bjorn reported that some of the test +cases are failing for GPIOs that not are backed by PDC (i.e. "non-wakeup" +GPIOs that are handled directly in pinctrl-msm). Basically, lingering +latched interrupt state is still being delivered at IRQ request time, e.g.: + + ok 1 tlmm_test_silent_rising + tlmm_test_silent_falling: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178 + Expected atomic_read(&priv->intr_count) == 0, but + atomic_read(&priv->intr_count) == 1 (0x1) + not ok 2 tlmm_test_silent_falling + tlmm_test_silent_low: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178 + Expected atomic_read(&priv->intr_count) == 0, but + atomic_read(&priv->intr_count) == 1 (0x1) + not ok 3 tlmm_test_silent_low + ok 4 tlmm_test_silent_high + +Whether to report interrupts that came in while the IRQ was unclaimed +doesn't seem to be well-defined in the Linux IRQ API. However, looking +closer at these specific cases, we're actually reporting events that do not +match the interrupt type requested by the driver: + + 1. After "ok 1 tlmm_test_silent_rising", the GPIO is in low state and + configured for IRQF_TRIGGER_RISING. + + 2. (a) In preparation for "tlmm_test_silent_falling", the GPIO is switched + to high state. The rising interrupt gets latched. + (b) The GPIO is re-configured for IRQF_TRIGGER_FALLING, but the latched + interrupt isn't cleared. + (c) The IRQ handler is called for the latched interrupt, but there + wasn't any falling edge. + + 3. (a) For "tlmm_test_silent_low", the GPIO remains in high state. + (b) The GPIO is re-configured for IRQF_TRIGGER_LOW. This seems to + result in a phantom interrupt that gets latched. + (c) The IRQ handler is called for the latched interrupt, but the GPIO + isn't in low state. + + 4. (a) For "tlmm_test_silent_high", the GPIO is switched to low state. + (b) This doesn't result in a latched interrupt, because RAW_STATUS_EN + was cleared when masking the level-triggered interrupt. + +Fix this by clearing the interrupt state whenever making any changes to the +interrupt configuration. This includes previously disabled interrupts, but +also any changes to interrupt polarity or detection type. + +With this change, all 16 test cases are now passing for the non-wakeup +GPIOs in the TLMM. + +Cc: stable@vger.kernel.org +Fixes: cf9d052aa600 ("pinctrl: qcom: Don't clear pending interrupts when enabling") +Reported-by: Bjorn Andersson +Closes: https://lore.kernel.org/r/20250227-tlmm-test-v1-1-d18877b4a5db@oss.qualcomm.com/ +Signed-off-by: Stephan Gerhold +Tested-by: Bjorn Andersson +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/20250312-pinctrl-msm-type-latch-v1-1-ce87c561d3d7@linaro.org +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -1006,8 +1006,7 @@ static int msm_gpio_irq_set_type(struct + struct msm_pinctrl *pctrl = gpiochip_get_data(gc); + const struct msm_pingroup *g; + unsigned long flags; +- bool was_enabled; +- u32 val; ++ u32 val, oldval; + + if (msm_gpio_needs_dual_edge_parent_workaround(d, type)) { + set_bit(d->hwirq, pctrl->dual_edge_irqs); +@@ -1067,8 +1066,7 @@ static int msm_gpio_irq_set_type(struct + * internal circuitry of TLMM, toggling the RAW_STATUS + * could cause the INTR_STATUS to be set for EDGE interrupts. + */ +- val = msm_readl_intr_cfg(pctrl, g); +- was_enabled = val & BIT(g->intr_raw_status_bit); ++ val = oldval = msm_readl_intr_cfg(pctrl, g); + val |= BIT(g->intr_raw_status_bit); + if (g->intr_detection_width == 2) { + val &= ~(3 << g->intr_detection_bit); +@@ -1121,9 +1119,11 @@ static int msm_gpio_irq_set_type(struct + /* + * The first time we set RAW_STATUS_EN it could trigger an interrupt. + * Clear the interrupt. This is safe because we have +- * IRQCHIP_SET_TYPE_MASKED. ++ * IRQCHIP_SET_TYPE_MASKED. When changing the interrupt type, we could ++ * also still have a non-matching interrupt latched, so clear whenever ++ * making changes to the interrupt configuration. + */ +- if (!was_enabled) ++ if (val != oldval) + msm_ack_intr_status(pctrl, g); + + if (test_bit(d->hwirq, pctrl->dual_edge_irqs)) diff --git a/queue-6.1/selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch b/queue-6.1/selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch new file mode 100644 index 0000000000..a3140ce81b --- /dev/null +++ b/queue-6.1/selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch @@ -0,0 +1,49 @@ +From c183165f87a486d5879f782c05a23c179c3794ab Mon Sep 17 00:00:00 2001 +From: Geliang Tang +Date: Fri, 28 Mar 2025 15:27:18 +0100 +Subject: selftests: mptcp: close fd_in before returning in main_loop + +From: Geliang Tang + +commit c183165f87a486d5879f782c05a23c179c3794ab upstream. + +The file descriptor 'fd_in' is opened when cfg_input is configured, but +not closed in main_loop(), this patch fixes it. + +Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") +Cc: stable@vger.kernel.org +Co-developed-by: Cong Liu +Signed-off-by: Cong Liu +Signed-off-by: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-3-34161a482a7f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c +@@ -1213,7 +1213,7 @@ again: + /* close the client socket open only if we are not going to reconnect */ + ret = copyfd_io(fd_in, fd, 1, 0); + if (ret) +- return ret; ++ goto out; + + if (cfg_truncate > 0) { + shutdown(fd, SHUT_WR); +@@ -1233,7 +1233,10 @@ again: + close(fd); + } + +- return 0; ++out: ++ if (cfg_input) ++ close(fd_in); ++ return ret; + } + + int parse_proto(const char *proto) diff --git a/queue-6.1/series b/queue-6.1/series index 16eedef7c4..e658698458 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -147,3 +147,13 @@ gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch +ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch +of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch +of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch +of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch +of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch +of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch +pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch +pci-fix-reference-leak-in-pci_alloc_child_bus.patch +pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch +selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch -- 2.47.3