From 172d9d63fe65d116998374dcc920dafb89e3c135 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 2 Dec 2024 16:36:01 +0100 Subject: [PATCH] 6.12-stable patches added patches: apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch asoc-amd-yc-add-a-quirk-for-microfone-on-lenovo-thinkpad-p14s-gen-5-21mes00b00.patch asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch asoc-da7213-populate-max_register-to-regmap_config.patch bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch clk-clk-loongson2-fix-memory-corruption-bug-in-struct-loongson2_clk_provider.patch clk-clk-loongson2-fix-potential-buffer-overflow-in-flexible-array-member-access.patch comedi-flush-partial-mappings-in-error-case.patch compiler-attributes-disable-__counted_by-for-clang-19.1.3.patch crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch docs-media-update-location-of-the-media-patches.patch dt-bindings-iio-dac-ad3552r-fix-maximum-spi-speed.patch dt-bindings-pinctrl-samsung-fix-interrupt-constraint-for-variants-with-fallbacks.patch exfat-fix-out-of-bounds-access-of-directory-entries.patch exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch ext4-fix-fs_ioc_getfsmap-handling.patch ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch fcntl-make-f_dupfd_query-associative.patch fsnotify-fix-ordering-of-iput-and-watched_objects-decrement.patch fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch iio-dac-adi-axi-dac-fix-wrong-register-bitfield.patch jfs-xattr-check-invalid-xattr-size-more-strictly.patch kvm-arm64-don-t-retire-aborted-mmio-instruction.patch kvm-arm64-get-rid-of-userspace_irqchip_in_use.patch kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch kvm-arm64-vgic-its-add-a-data-length-check-in-vgic_its_save_.patch kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch kvm-arm64-vgic-v3-sanitise-guest-writes-to-gicr_invlpir.patch kvm-x86-add-back-x86_local_apic-dependency.patch kvm-x86-break-config_kvm_x86-s-direct-dependency-on-kvm_intel-kvm_amd.patch kvm-x86-mmu-skip-the-try-unsync-path-iff-the-old-spte-was-a-leaf-spte.patch kvm-x86-switch-hugepage-recovery-thread-to-vhost_task.patch locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch loongarch-explicitly-specify-code-model-in-makefile.patch maintainers-update-location-of-media-main-tree.patch pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch pinctrl-qcom-spmi-fix-debugfs-drive-strength.patch powerpc-pseries-fix-kvm-guest-detection-for-disabling-hardlockup-detector.patch revert-kvm-vmx-move-load_ia32_perf_global_ctrl-errata-handling-out-of-setup_vmcs_config.patch tools-nolibc-s390-include-std.h.patch tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch xhci-combine-two-if-statements-for-etron-xhci-host.patch xhci-don-t-issue-reset-device-command-to-etron-xhci-host.patch xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch xhci-fix-control-transfer-error-on-etron-xhci-host.patch --- ...fix-memory-leak-for-aa_unpack_strdup.patch | 79 + ...enovo-thinkpad-p14s-gen-5-21mes00b00.patch | 38 + ...ion-in-snd_soc_component_get_drvdata.patch | 61 + ...pulate-max_register-to-regmap_config.patch | 38 + ...f-len-in-rfcomm_sock_getsockopt-_old.patch | 83 + ...bug-in-struct-loongson2_clk_provider.patch | 73 + ...flow-in-flexible-array-member-access.patch | 56 + ...flush-partial-mappings-in-error-case.patch | 49 + ...isable-__counted_by-for-clang-19.1.3.patch | 136 ++ ...28-access-32-bit-arguments-as-32-bit.patch | 131 ++ ...update-location-of-the-media-patches.patch | 45 + ...io-dac-ad3552r-fix-maximum-spi-speed.patch | 33 + ...nstraint-for-variants-with-fallbacks.patch | 66 + ...f-bounds-access-of-directory-entries.patch | 61 + ...init-value-in-__exfat_get_dentry_set.patch | 38 + .../ext4-fix-fs_ioc_getfsmap-handling.patch | 158 ++ ...nings-in-ext4_free_inodes_-count-set.patch | 83 + ...fcntl-make-f_dupfd_query-associative.patch | 51 + ...f-iput-and-watched_objects-decrement.patch | 60 + ...otify-event-with-unexpected-filename.patch | 90 + ...-axi-dac-fix-wrong-register-bitfield.patch | 37 + ...eck-invalid-xattr-size-more-strictly.patch | 38 + ...on-t-retire-aborted-mmio-instruction.patch | 101 ++ ...-get-rid-of-userspace_irqchip_in_use.patch | 168 ++ ...0-while-checking-for-overflow-status.patch | 43 + ...-data-length-check-in-vgic_its_save_.patch | 137 ++ ...-clear-dte-when-mapd-unmaps-a-device.patch | 59 + ...-clear-ite-when-discard-frees-an-ite.patch | 50 + ...anitise-guest-writes-to-gicr_invlpir.patch | 49 + ...6-add-back-x86_local_apic-dependency.patch | 64 + ...rect-dependency-on-kvm_intel-kvm_amd.patch | 43 + ...ath-iff-the-old-spte-was-a-leaf-spte.patch | 66 + ...gepage-recovery-thread-to-vhost_task.patch | 334 ++++ ...ing-literals-in-lockdep_set_subclass.patch | 46 + ...citly-specify-code-model-in-makefile.patch | 42 + ...s-update-location-of-media-main-tree.patch | 1492 +++++++++++++++++ ...after-free-of-slot-bus-on-hot-remove.patch | 129 ++ ...t-fix-buffer-full-but-size-is-0-case.patch | 121 ++ ...qcom-spmi-fix-debugfs-drive-strength.patch | 47 + ...on-for-disabling-hardlockup-detector.patch | 45 + ...ta-handling-out-of-setup_vmcs_config.patch | 142 ++ queue-6.12/series | 47 + .../tools-nolibc-s390-include-std.h.patch | 36 + ...ldisc_autoload-sysctl-s-proc_handler.patch | 40 + ...wo-if-statements-for-etron-xhci-host.patch | 41 + ...et-device-command-to-etron-xhci-host.patch | 97 ++ ...rform-soft-retry-for-etron-xhci-host.patch | 46 + ...ol-transfer-error-on-etron-xhci-host.patch | 83 + 48 files changed, 5072 insertions(+) create mode 100644 queue-6.12/apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch create mode 100644 queue-6.12/asoc-amd-yc-add-a-quirk-for-microfone-on-lenovo-thinkpad-p14s-gen-5-21mes00b00.patch create mode 100644 queue-6.12/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch create mode 100644 queue-6.12/asoc-da7213-populate-max_register-to-regmap_config.patch create mode 100644 queue-6.12/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch create mode 100644 queue-6.12/clk-clk-loongson2-fix-memory-corruption-bug-in-struct-loongson2_clk_provider.patch create mode 100644 queue-6.12/clk-clk-loongson2-fix-potential-buffer-overflow-in-flexible-array-member-access.patch create mode 100644 queue-6.12/comedi-flush-partial-mappings-in-error-case.patch create mode 100644 queue-6.12/compiler-attributes-disable-__counted_by-for-clang-19.1.3.patch create mode 100644 queue-6.12/crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch create mode 100644 queue-6.12/docs-media-update-location-of-the-media-patches.patch create mode 100644 queue-6.12/dt-bindings-iio-dac-ad3552r-fix-maximum-spi-speed.patch create mode 100644 queue-6.12/dt-bindings-pinctrl-samsung-fix-interrupt-constraint-for-variants-with-fallbacks.patch create mode 100644 queue-6.12/exfat-fix-out-of-bounds-access-of-directory-entries.patch create mode 100644 queue-6.12/exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch create mode 100644 queue-6.12/ext4-fix-fs_ioc_getfsmap-handling.patch create mode 100644 queue-6.12/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch create mode 100644 queue-6.12/fcntl-make-f_dupfd_query-associative.patch create mode 100644 queue-6.12/fsnotify-fix-ordering-of-iput-and-watched_objects-decrement.patch create mode 100644 queue-6.12/fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch create mode 100644 queue-6.12/iio-dac-adi-axi-dac-fix-wrong-register-bitfield.patch create mode 100644 queue-6.12/jfs-xattr-check-invalid-xattr-size-more-strictly.patch create mode 100644 queue-6.12/kvm-arm64-don-t-retire-aborted-mmio-instruction.patch create mode 100644 queue-6.12/kvm-arm64-get-rid-of-userspace_irqchip_in_use.patch create mode 100644 queue-6.12/kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch create mode 100644 queue-6.12/kvm-arm64-vgic-its-add-a-data-length-check-in-vgic_its_save_.patch create mode 100644 queue-6.12/kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch create mode 100644 queue-6.12/kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch create mode 100644 queue-6.12/kvm-arm64-vgic-v3-sanitise-guest-writes-to-gicr_invlpir.patch create mode 100644 queue-6.12/kvm-x86-add-back-x86_local_apic-dependency.patch create mode 100644 queue-6.12/kvm-x86-break-config_kvm_x86-s-direct-dependency-on-kvm_intel-kvm_amd.patch create mode 100644 queue-6.12/kvm-x86-mmu-skip-the-try-unsync-path-iff-the-old-spte-was-a-leaf-spte.patch create mode 100644 queue-6.12/kvm-x86-switch-hugepage-recovery-thread-to-vhost_task.patch create mode 100644 queue-6.12/locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch create mode 100644 queue-6.12/loongarch-explicitly-specify-code-model-in-makefile.patch create mode 100644 queue-6.12/maintainers-update-location-of-media-main-tree.patch create mode 100644 queue-6.12/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch create mode 100644 queue-6.12/perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch create mode 100644 queue-6.12/pinctrl-qcom-spmi-fix-debugfs-drive-strength.patch create mode 100644 queue-6.12/powerpc-pseries-fix-kvm-guest-detection-for-disabling-hardlockup-detector.patch create mode 100644 queue-6.12/revert-kvm-vmx-move-load_ia32_perf_global_ctrl-errata-handling-out-of-setup_vmcs_config.patch create mode 100644 queue-6.12/tools-nolibc-s390-include-std.h.patch create mode 100644 queue-6.12/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch create mode 100644 queue-6.12/xhci-combine-two-if-statements-for-etron-xhci-host.patch create mode 100644 queue-6.12/xhci-don-t-issue-reset-device-command-to-etron-xhci-host.patch create mode 100644 queue-6.12/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch create mode 100644 queue-6.12/xhci-fix-control-transfer-error-on-etron-xhci-host.patch diff --git a/queue-6.12/apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch b/queue-6.12/apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch new file mode 100644 index 00000000000..69cf9379c7b --- /dev/null +++ b/queue-6.12/apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch @@ -0,0 +1,79 @@ +From 7290f59231910ccba427d441a6e8b8c6f6112448 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Fri, 11 Oct 2024 09:22:41 +0800 +Subject: apparmor: test: Fix memory leak for aa_unpack_strdup() + +From: Jinjie Ruan + +commit 7290f59231910ccba427d441a6e8b8c6f6112448 upstream. + +The string allocated by kmemdup() in aa_unpack_strdup() is not +freed and cause following memory leaks, free them to fix it. + + unreferenced object 0xffffff80c6af8a50 (size 8): + comm "kunit_try_catch", pid 225, jiffies 4294894407 + hex dump (first 8 bytes): + 74 65 73 74 69 6e 67 00 testing. + backtrace (crc 5eab668b): + [<0000000001e3714d>] kmemleak_alloc+0x34/0x40 + [<000000006e6c7776>] __kmalloc_node_track_caller_noprof+0x300/0x3e0 + [<000000006870467c>] kmemdup_noprof+0x34/0x60 + [<000000001176bb03>] aa_unpack_strdup+0xd0/0x18c + [<000000008ecde918>] policy_unpack_test_unpack_strdup_with_null_name+0xf8/0x3ec + [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac + [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec + [<00000000adf936cf>] kthread+0x2e8/0x374 + [<0000000041bb1628>] ret_from_fork+0x10/0x20 + unreferenced object 0xffffff80c2a29090 (size 8): + comm "kunit_try_catch", pid 227, jiffies 4294894409 + hex dump (first 8 bytes): + 74 65 73 74 69 6e 67 00 testing. + backtrace (crc 5eab668b): + [<0000000001e3714d>] kmemleak_alloc+0x34/0x40 + [<000000006e6c7776>] __kmalloc_node_track_caller_noprof+0x300/0x3e0 + [<000000006870467c>] kmemdup_noprof+0x34/0x60 + [<000000001176bb03>] aa_unpack_strdup+0xd0/0x18c + [<0000000046a45c1a>] policy_unpack_test_unpack_strdup_with_name+0xd0/0x3c4 + [<0000000032ef8f77>] kunit_try_run_case+0x13c/0x3ac + [<00000000f3edea23>] kunit_generic_run_threadfn_adapter+0x80/0xec + [<00000000adf936cf>] kthread+0x2e8/0x374 + [<0000000041bb1628>] ret_from_fork+0x10/0x20 + +Cc: stable@vger.kernel.org +Fixes: 4d944bcd4e73 ("apparmor: add AppArmor KUnit tests for policy unpack") +Signed-off-by: Jinjie Ruan +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/policy_unpack_test.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/security/apparmor/policy_unpack_test.c ++++ b/security/apparmor/policy_unpack_test.c +@@ -281,6 +281,8 @@ static void policy_unpack_test_unpack_st + ((uintptr_t)puf->e->start <= (uintptr_t)string) + && ((uintptr_t)string <= (uintptr_t)puf->e->end)); + KUNIT_EXPECT_STREQ(test, string, TEST_STRING_DATA); ++ ++ kfree(string); + } + + static void policy_unpack_test_unpack_strdup_with_name(struct kunit *test) +@@ -296,6 +298,8 @@ static void policy_unpack_test_unpack_st + ((uintptr_t)puf->e->start <= (uintptr_t)string) + && ((uintptr_t)string <= (uintptr_t)puf->e->end)); + KUNIT_EXPECT_STREQ(test, string, TEST_STRING_DATA); ++ ++ kfree(string); + } + + static void policy_unpack_test_unpack_strdup_out_of_bounds(struct kunit *test) +@@ -313,6 +317,8 @@ static void policy_unpack_test_unpack_st + KUNIT_EXPECT_EQ(test, size, 0); + KUNIT_EXPECT_NULL(test, string); + KUNIT_EXPECT_PTR_EQ(test, puf->e->pos, start); ++ ++ kfree(string); + } + + static void policy_unpack_test_unpack_nameX_with_null_name(struct kunit *test) diff --git a/queue-6.12/asoc-amd-yc-add-a-quirk-for-microfone-on-lenovo-thinkpad-p14s-gen-5-21mes00b00.patch b/queue-6.12/asoc-amd-yc-add-a-quirk-for-microfone-on-lenovo-thinkpad-p14s-gen-5-21mes00b00.patch new file mode 100644 index 00000000000..88e820b1162 --- /dev/null +++ b/queue-6.12/asoc-amd-yc-add-a-quirk-for-microfone-on-lenovo-thinkpad-p14s-gen-5-21mes00b00.patch @@ -0,0 +1,38 @@ +From b682aa788e5f9f1ddacdfbb453e49fd3f4e83721 Mon Sep 17 00:00:00 2001 +From: Ilya Zverev +Date: Wed, 27 Nov 2024 15:44:20 +0200 +Subject: ASoC: amd: yc: Add a quirk for microfone on Lenovo ThinkPad P14s Gen 5 21MES00B00 + +From: Ilya Zverev + +commit b682aa788e5f9f1ddacdfbb453e49fd3f4e83721 upstream. + +New ThinkPads need new quirk entries. Ilya has tested this one. +Laptop product id is 21MES00B00, though the shorthand 21ME works. + +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219533 +Cc: stable@vger.kernel.org +Signed-off-by: Ilya Zverev +Link: https://patch.msgid.link/20241127134420.14471-1-ilya@zverev.info +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -245,6 +245,13 @@ static const struct dmi_system_id yc_acp + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21ME"), ++ } ++ }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "82QF"), + } + }, diff --git a/queue-6.12/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch b/queue-6.12/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch new file mode 100644 index 00000000000..9c0e2735fc4 --- /dev/null +++ b/queue-6.12/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch @@ -0,0 +1,61 @@ +From 1157733344651ca505e259d6554591ff156922fa Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Mon, 30 Sep 2024 18:12:16 +0800 +Subject: ASoC: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() + +From: Qiu-ji Chen + +commit 1157733344651ca505e259d6554591ff156922fa upstream. + +An atomicity violation occurs when the validity of the variables +da7219->clk_src and da7219->mclk_rate is being assessed. Since the entire +assessment is not protected by a lock, the da7219 variable might still be +in flux during the assessment, rendering this check invalid. + +To fix this issue, we recommend adding a lock before the block +if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) so that +the legitimacy check for da7219->clk_src and da7219->mclk_rate is +protected by the lock, ensuring the validity of the check. + +This possible bug is found by an experimental static analysis tool +developed by our team. This tool analyzes the locking APIs +to extract function pairs that can be concurrently executed, and then +analyzes the instructions in the paired functions to identify possible +concurrency bugs including data races and atomicity violations. + +Fixes: 6d817c0e9fd7 ("ASoC: codecs: Add da7219 codec driver") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Link: https://patch.msgid.link/20240930101216.23723-1-chenqiuji666@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/da7219.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/da7219.c ++++ b/sound/soc/codecs/da7219.c +@@ -1167,17 +1167,20 @@ static int da7219_set_dai_sysclk(struct + struct da7219_priv *da7219 = snd_soc_component_get_drvdata(component); + int ret = 0; + +- if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) ++ mutex_lock(&da7219->pll_lock); ++ ++ if ((da7219->clk_src == clk_id) && (da7219->mclk_rate == freq)) { ++ mutex_unlock(&da7219->pll_lock); + return 0; ++ } + + if ((freq < 2000000) || (freq > 54000000)) { ++ mutex_unlock(&da7219->pll_lock); + dev_err(codec_dai->dev, "Unsupported MCLK value %d\n", + freq); + return -EINVAL; + } + +- mutex_lock(&da7219->pll_lock); +- + switch (clk_id) { + case DA7219_CLKSRC_MCLK_SQR: + snd_soc_component_update_bits(component, DA7219_PLL_CTRL, diff --git a/queue-6.12/asoc-da7213-populate-max_register-to-regmap_config.patch b/queue-6.12/asoc-da7213-populate-max_register-to-regmap_config.patch new file mode 100644 index 00000000000..2aa5058bfdf --- /dev/null +++ b/queue-6.12/asoc-da7213-populate-max_register-to-regmap_config.patch @@ -0,0 +1,38 @@ +From 9d4f9f6a7bb1afbde57d08c98f2db4ff019ee19d Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Wed, 6 Nov 2024 10:18:17 +0200 +Subject: ASoC: da7213: Populate max_register to regmap_config + +From: Claudiu Beznea + +commit 9d4f9f6a7bb1afbde57d08c98f2db4ff019ee19d upstream. + +On the Renesas RZ/G3S SMARC Carrier II board having a DA7212 codec (using +da7213 driver) connected to one SSIF-2 available on the Renesas RZ/G3S SoC +it has been discovered that using the runtime PM API for suspend/resume +(as will be proposed in the following commits) leads to the codec not +being propertly initialized after resume. This is because w/o +max_register populated to regmap_config the regcache_rbtree_sync() +breaks on base_reg > max condition and the regcache_sync_block() call is +skipped. + +Fixes: ef5c2eba2412 ("ASoC: codecs: Add da7213 codec") +Cc: stable@vger.kernel.org +Signed-off-by: Claudiu Beznea +Link: https://patch.msgid.link/20241106081826.1211088-23-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/da7213.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/codecs/da7213.c ++++ b/sound/soc/codecs/da7213.c +@@ -2136,6 +2136,7 @@ static const struct regmap_config da7213 + .reg_bits = 8, + .val_bits = 8, + ++ .max_register = DA7213_TONE_GEN_OFF_PER, + .reg_defaults = da7213_reg_defaults, + .num_reg_defaults = ARRAY_SIZE(da7213_reg_defaults), + .volatile_reg = da7213_volatile_register, diff --git a/queue-6.12/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch b/queue-6.12/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch new file mode 100644 index 00000000000..5ff0c81574b --- /dev/null +++ b/queue-6.12/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch @@ -0,0 +1,83 @@ +From 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 Mon Sep 17 00:00:00 2001 +From: Andrej Shadura +Date: Wed, 9 Oct 2024 14:14:24 +0200 +Subject: Bluetooth: Fix type of len in rfcomm_sock_getsockopt{,_old}() + +From: Andrej Shadura + +commit 5fe6caa62b07fd39cd6a28acc8f92ba2955e11a6 upstream. + +Commit 9bf4e919ccad worked around an issue introduced after an innocuous +optimisation change in LLVM main: + +> len is defined as an 'int' because it is assigned from +> '__user int *optlen'. However, it is clamped against the result of +> sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit +> platforms). This is done with min_t() because min() requires compatible +> types, which results in both len and the result of sizeof() being casted +> to 'unsigned int', meaning len changes signs and the result of sizeof() +> is truncated. From there, len is passed to copy_to_user(), which has a +> third parameter type of 'unsigned long', so it is widened and changes +> signs again. This excessive casting in combination with the KCSAN +> instrumentation causes LLVM to fail to eliminate the __bad_copy_from() +> call, failing the build. + +The same issue occurs in rfcomm in functions rfcomm_sock_getsockopt and +rfcomm_sock_getsockopt_old. + +Change the type of len to size_t in both rfcomm_sock_getsockopt and +rfcomm_sock_getsockopt_old and replace min_t() with min(). + +Cc: stable@vger.kernel.org +Co-authored-by: Aleksei Vetrov +Improves: 9bf4e919ccad ("Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()") +Link: https://github.com/ClangBuiltLinux/linux/issues/2007 +Link: https://github.com/llvm/llvm-project/issues/85647 +Signed-off-by: Andrej Shadura +Reviewed-by: Nathan Chancellor +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/rfcomm/sock.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -729,7 +729,8 @@ static int rfcomm_sock_getsockopt_old(st + struct sock *l2cap_sk; + struct l2cap_conn *conn; + struct rfcomm_conninfo cinfo; +- int len, err = 0; ++ int err = 0; ++ size_t len; + u32 opt; + + BT_DBG("sk %p", sk); +@@ -783,7 +784,7 @@ static int rfcomm_sock_getsockopt_old(st + cinfo.hci_handle = conn->hcon->handle; + memcpy(cinfo.dev_class, conn->hcon->dev_class, 3); + +- len = min_t(unsigned int, len, sizeof(cinfo)); ++ len = min(len, sizeof(cinfo)); + if (copy_to_user(optval, (char *) &cinfo, len)) + err = -EFAULT; + +@@ -802,7 +803,8 @@ static int rfcomm_sock_getsockopt(struct + { + struct sock *sk = sock->sk; + struct bt_security sec; +- int len, err = 0; ++ int err = 0; ++ size_t len; + + BT_DBG("sk %p", sk); + +@@ -827,7 +829,7 @@ static int rfcomm_sock_getsockopt(struct + sec.level = rfcomm_pi(sk)->sec_level; + sec.key_size = 0; + +- len = min_t(unsigned int, len, sizeof(sec)); ++ len = min(len, sizeof(sec)); + if (copy_to_user(optval, (char *) &sec, len)) + err = -EFAULT; + diff --git a/queue-6.12/clk-clk-loongson2-fix-memory-corruption-bug-in-struct-loongson2_clk_provider.patch b/queue-6.12/clk-clk-loongson2-fix-memory-corruption-bug-in-struct-loongson2_clk_provider.patch new file mode 100644 index 00000000000..0ec4c0c4f63 --- /dev/null +++ b/queue-6.12/clk-clk-loongson2-fix-memory-corruption-bug-in-struct-loongson2_clk_provider.patch @@ -0,0 +1,73 @@ +From 6e4bf018bb040955da53dae9f8628ef8fcec2dbe Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 14 Nov 2024 16:49:21 -0600 +Subject: clk: clk-loongson2: Fix memory corruption bug in struct loongson2_clk_provider + +From: Gustavo A. R. Silva + +commit 6e4bf018bb040955da53dae9f8628ef8fcec2dbe upstream. + +Some heap space is allocated for the flexible structure `struct +clk_hw_onecell_data` and its flexible-array member `hws` through +the composite structure `struct loongson2_clk_provider` in function +`loongson2_clk_probe()`, as shown below: + +289 struct loongson2_clk_provider *clp; + ... +296 for (p = data; p->name; p++) +297 clks_num++; +298 +299 clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num), +300 GFP_KERNEL); + +Then some data is written into the flexible array: + +350 clp->clk_data.hws[p->id] = hw; + +This corrupts `clk_lock`, which is the spinlock variable immediately +following the `clk_data` member in `struct loongson2_clk_provider`: + +struct loongson2_clk_provider { + void __iomem *base; + struct device *dev; + struct clk_hw_onecell_data clk_data; + spinlock_t clk_lock; /* protect access to DIV registers */ +}; + +The problem is that the flexible structure is currently placed in the +middle of `struct loongson2_clk_provider` instead of at the end. + +Fix this by moving `struct clk_hw_onecell_data clk_data;` to the end of +`struct loongson2_clk_provider`. Also, add a code comment to help +prevent this from happening again in case new members are added to the +structure in the future. + +This change also fixes the following -Wflex-array-member-not-at-end +warning: + +drivers/clk/clk-loongson2.c:32:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] + +Fixes: 9796ec0bd04b ("clk: clk-loongson2: Refactor driver for adding new platforms") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/ZzZ-cd_EFXs6qFaH@kspp +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-loongson2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/clk/clk-loongson2.c ++++ b/drivers/clk/clk-loongson2.c +@@ -29,8 +29,10 @@ enum loongson2_clk_type { + struct loongson2_clk_provider { + void __iomem *base; + struct device *dev; +- struct clk_hw_onecell_data clk_data; + spinlock_t clk_lock; /* protect access to DIV registers */ ++ ++ /* Must be last --ends in a flexible-array member. */ ++ struct clk_hw_onecell_data clk_data; + }; + + struct loongson2_clk_data { diff --git a/queue-6.12/clk-clk-loongson2-fix-potential-buffer-overflow-in-flexible-array-member-access.patch b/queue-6.12/clk-clk-loongson2-fix-potential-buffer-overflow-in-flexible-array-member-access.patch new file mode 100644 index 00000000000..a716b18c82a --- /dev/null +++ b/queue-6.12/clk-clk-loongson2-fix-potential-buffer-overflow-in-flexible-array-member-access.patch @@ -0,0 +1,56 @@ +From 02fb4f0084331ef72c28d0c70fcb15d1bea369ec Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 14 Nov 2024 17:55:16 -0600 +Subject: clk: clk-loongson2: Fix potential buffer overflow in flexible-array member access + +From: Gustavo A. R. Silva + +commit 02fb4f0084331ef72c28d0c70fcb15d1bea369ec upstream. + +Flexible-array member `hws` in `struct clk_hw_onecell_data` is annotated +with the `counted_by()` attribute. This means that when memory is +allocated for this array, the _counter_, which in this case is member +`num` in the flexible structure, should be set to the maximum number of +elements the flexible array can contain, or fewer. + +In this case, the total number of elements for the flexible array is +determined by variable `clks_num` when allocating heap space via +`devm_kzalloc()`, as shown below: + +289 struct loongson2_clk_provider *clp; + ... +296 for (p = data; p->name; p++) +297 clks_num++; +298 +299 clp = devm_kzalloc(dev, struct_size(clp, clk_data.hws, clks_num), +300 GFP_KERNEL); + +So, `clp->clk_data.num` should be set to `clks_num` or less, and not +exceed `clks_num`, as is currently the case. Otherwise, if data is +written into `clp->clk_data.hws[clks_num]`, the instrumentation +provided by the compiler won't detect the overflow, leading to a +memory corruption bug at runtime. + +Fix this issue by setting `clp->clk_data.num` to `clks_num`. + +Fixes: 9796ec0bd04b ("clk: clk-loongson2: Refactor driver for adding new platforms") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/ZzaN5MpmMr0hwHw9@kspp +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-loongson2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/clk-loongson2.c ++++ b/drivers/clk/clk-loongson2.c +@@ -306,7 +306,7 @@ static int loongson2_clk_probe(struct pl + return PTR_ERR(clp->base); + + spin_lock_init(&clp->clk_lock); +- clp->clk_data.num = clks_num + 1; ++ clp->clk_data.num = clks_num; + clp->dev = dev; + + for (i = 0; i < clks_num; i++) { diff --git a/queue-6.12/comedi-flush-partial-mappings-in-error-case.patch b/queue-6.12/comedi-flush-partial-mappings-in-error-case.patch new file mode 100644 index 00000000000..0c6dc508559 --- /dev/null +++ b/queue-6.12/comedi-flush-partial-mappings-in-error-case.patch @@ -0,0 +1,49 @@ +From ce8f9fb651fac95dd41f69afe54d935420b945bd Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Thu, 17 Oct 2024 21:07:45 +0200 +Subject: comedi: Flush partial mappings in error case + +From: Jann Horn + +commit ce8f9fb651fac95dd41f69afe54d935420b945bd upstream. + +If some remap_pfn_range() calls succeeded before one failed, we still have +buffer pages mapped into the userspace page tables when we drop the buffer +reference with comedi_buf_map_put(bm). The userspace mappings are only +cleaned up later in the mmap error path. + +Fix it by explicitly flushing all mappings in our VMA on the error path. + +See commit 79a61cc3fc04 ("mm: avoid leaving partial pfn mappings around in +error case"). + +Cc: stable@vger.kernel.org +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/r/20241017-comedi-tlb-v3-1-16b82f9372ce@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/comedi_fops.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/comedi/comedi_fops.c ++++ b/drivers/comedi/comedi_fops.c +@@ -2407,6 +2407,18 @@ static int comedi_mmap(struct file *file + + start += PAGE_SIZE; + } ++ ++#ifdef CONFIG_MMU ++ /* ++ * Leaving behind a partial mapping of a buffer we're about to ++ * drop is unsafe, see remap_pfn_range_notrack(). ++ * We need to zap the range here ourselves instead of relying ++ * on the automatic zapping in remap_pfn_range() because we call ++ * remap_pfn_range() in a loop. ++ */ ++ if (retval) ++ zap_vma_ptes(vma, vma->vm_start, size); ++#endif + } + + if (retval == 0) { diff --git a/queue-6.12/compiler-attributes-disable-__counted_by-for-clang-19.1.3.patch b/queue-6.12/compiler-attributes-disable-__counted_by-for-clang-19.1.3.patch new file mode 100644 index 00000000000..c4eae611f40 --- /dev/null +++ b/queue-6.12/compiler-attributes-disable-__counted_by-for-clang-19.1.3.patch @@ -0,0 +1,136 @@ +From f06e108a3dc53c0f5234d18de0bd224753db5019 Mon Sep 17 00:00:00 2001 +From: Jan Hendrik Farr +Date: Tue, 29 Oct 2024 15:00:36 +0100 +Subject: Compiler Attributes: disable __counted_by for clang < 19.1.3 + +From: Jan Hendrik Farr + +commit f06e108a3dc53c0f5234d18de0bd224753db5019 upstream. + +This patch disables __counted_by for clang versions < 19.1.3 because +of the two issues listed below. It does this by introducing +CONFIG_CC_HAS_COUNTED_BY. + +1. clang < 19.1.2 has a bug that can lead to __bdos returning 0: +https://github.com/llvm/llvm-project/pull/110497 + +2. clang < 19.1.3 has a bug that can lead to __bdos being off by 4: +https://github.com/llvm/llvm-project/pull/112636 + +Fixes: c8248faf3ca2 ("Compiler Attributes: counted_by: Adjust name and identifier expansion") +Cc: stable@vger.kernel.org # 6.6.x: 16c31dd7fdf6: Compiler Attributes: counted_by: bump min gcc version +Cc: stable@vger.kernel.org # 6.6.x: 2993eb7a8d34: Compiler Attributes: counted_by: fixup clang URL +Cc: stable@vger.kernel.org # 6.6.x: 231dc3f0c936: lkdtm/bugs: Improve warning message for compilers without counted_by support +Cc: stable@vger.kernel.org # 6.6.x +Reported-by: Nathan Chancellor +Closes: https://lore.kernel.org/all/20240913164630.GA4091534@thelio-3990X/ +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202409260949.a1254989-oliver.sang@intel.com +Link: https://lore.kernel.org/all/Zw8iawAF5W2uzGuh@archlinux/T/#m204c09f63c076586a02d194b87dffc7e81b8de7b +Suggested-by: Nathan Chancellor +Signed-off-by: Jan Hendrik Farr +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Reviewed-by: Miguel Ojeda +Reviewed-by: Thorsten Blum +Link: https://lore.kernel.org/r/20241029140036.577804-2-kernel@jfarr.cc +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/lkdtm/bugs.c | 2 +- + include/linux/compiler_attributes.h | 13 ------------- + include/linux/compiler_types.h | 19 +++++++++++++++++++ + init/Kconfig | 9 +++++++++ + lib/overflow_kunit.c | 2 +- + 5 files changed, 30 insertions(+), 15 deletions(-) + +--- a/drivers/misc/lkdtm/bugs.c ++++ b/drivers/misc/lkdtm/bugs.c +@@ -445,7 +445,7 @@ static void lkdtm_FAM_BOUNDS(void) + + pr_err("FAIL: survived access of invalid flexible array member index!\n"); + +- if (!__has_attribute(__counted_by__)) ++ if (!IS_ENABLED(CONFIG_CC_HAS_COUNTED_BY)) + pr_warn("This is expected since this %s was built with a compiler that does not support __counted_by\n", + lkdtm_kernel_info); + else if (IS_ENABLED(CONFIG_UBSAN_BOUNDS)) +--- a/include/linux/compiler_attributes.h ++++ b/include/linux/compiler_attributes.h +@@ -95,19 +95,6 @@ + #endif + + /* +- * Optional: only supported since gcc >= 15 +- * Optional: only supported since clang >= 18 +- * +- * gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896 +- * clang: https://github.com/llvm/llvm-project/pull/76348 +- */ +-#if __has_attribute(__counted_by__) +-# define __counted_by(member) __attribute__((__counted_by__(member))) +-#else +-# define __counted_by(member) +-#endif +- +-/* + * Optional: not supported by gcc + * Optional: only supported since clang >= 14.0 + * +--- a/include/linux/compiler_types.h ++++ b/include/linux/compiler_types.h +@@ -324,6 +324,25 @@ struct ftrace_likely_data { + #endif + + /* ++ * Optional: only supported since gcc >= 15 ++ * Optional: only supported since clang >= 18 ++ * ++ * gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896 ++ * clang: https://github.com/llvm/llvm-project/pull/76348 ++ * ++ * __bdos on clang < 19.1.2 can erroneously return 0: ++ * https://github.com/llvm/llvm-project/pull/110497 ++ * ++ * __bdos on clang < 19.1.3 can be off by 4: ++ * https://github.com/llvm/llvm-project/pull/112636 ++ */ ++#ifdef CONFIG_CC_HAS_COUNTED_BY ++# define __counted_by(member) __attribute__((__counted_by__(member))) ++#else ++# define __counted_by(member) ++#endif ++ ++/* + * Apply __counted_by() when the Endianness matches to increase test coverage. + */ + #ifdef __LITTLE_ENDIAN +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -120,6 +120,15 @@ config CC_HAS_ASM_INLINE + config CC_HAS_NO_PROFILE_FN_ATTR + def_bool $(success,echo '__attribute__((no_profile_instrument_function)) int x();' | $(CC) -x c - -c -o /dev/null -Werror) + ++config CC_HAS_COUNTED_BY ++ # TODO: when gcc 15 is released remove the build test and add ++ # a gcc version check ++ def_bool $(success,echo 'struct flex { int count; int array[] __attribute__((__counted_by__(count))); };' | $(CC) $(CLANG_FLAGS) -x c - -c -o /dev/null -Werror) ++ # clang needs to be at least 19.1.3 to avoid __bdos miscalculations ++ # https://github.com/llvm/llvm-project/pull/110497 ++ # https://github.com/llvm/llvm-project/pull/112636 ++ depends on !(CC_IS_CLANG && CLANG_VERSION < 190103) ++ + config PAHOLE_VERSION + int + default $(shell,$(srctree)/scripts/pahole-version.sh $(PAHOLE)) +--- a/lib/overflow_kunit.c ++++ b/lib/overflow_kunit.c +@@ -1187,7 +1187,7 @@ static void DEFINE_FLEX_test(struct kuni + { + /* Using _RAW_ on a __counted_by struct will initialize "counter" to zero */ + DEFINE_RAW_FLEX(struct foo, two_but_zero, array, 2); +-#if __has_attribute(__counted_by__) ++#ifdef CONFIG_CC_HAS_COUNTED_BY + int expected_raw_size = sizeof(struct foo); + #else + int expected_raw_size = sizeof(struct foo) + 2 * sizeof(s16); diff --git a/queue-6.12/crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch b/queue-6.12/crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch new file mode 100644 index 00000000000..dc3a01ead0c --- /dev/null +++ b/queue-6.12/crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch @@ -0,0 +1,131 @@ +From 3b2f2d22fb424e9bebda4dbf6676cbfc7f9f62cd Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 16 Oct 2024 17:00:42 -0700 +Subject: crypto: x86/aegis128 - access 32-bit arguments as 32-bit + +From: Eric Biggers + +commit 3b2f2d22fb424e9bebda4dbf6676cbfc7f9f62cd upstream. + +Fix the AEGIS assembly code to access 'unsigned int' arguments as 32-bit +values instead of 64-bit, since the upper bits of the corresponding +64-bit registers are not guaranteed to be zero. + +Note: there haven't been any reports of this bug actually causing +incorrect behavior. Neither gcc nor clang guarantee zero-extension to +64 bits, but zero-extension is likely to happen in practice because most +instructions that operate on 32-bit registers zero-extend to 64 bits. + +Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") +Cc: stable@vger.kernel.org +Reviewed-by: Ondrej Mosnacek +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/crypto/aegis128-aesni-asm.S | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +--- a/arch/x86/crypto/aegis128-aesni-asm.S ++++ b/arch/x86/crypto/aegis128-aesni-asm.S +@@ -21,7 +21,7 @@ + #define T1 %xmm7 + + #define STATEP %rdi +-#define LEN %rsi ++#define LEN %esi + #define SRC %rdx + #define DST %rcx + +@@ -76,32 +76,32 @@ SYM_FUNC_START_LOCAL(__load_partial) + xor %r9d, %r9d + pxor MSG, MSG + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x1, %r8 + jz .Lld_partial_1 + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x1E, %r8 + add SRC, %r8 + mov (%r8), %r9b + + .Lld_partial_1: +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x2, %r8 + jz .Lld_partial_2 + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x1C, %r8 + add SRC, %r8 + shl $0x10, %r9 + mov (%r8), %r9w + + .Lld_partial_2: +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x4, %r8 + jz .Lld_partial_4 + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x18, %r8 + add SRC, %r8 + shl $32, %r9 +@@ -111,11 +111,11 @@ SYM_FUNC_START_LOCAL(__load_partial) + .Lld_partial_4: + movq %r9, MSG + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x8, %r8 + jz .Lld_partial_8 + +- mov LEN, %r8 ++ mov LEN, %r8d + and $0x10, %r8 + add SRC, %r8 + pslldq $8, MSG +@@ -139,7 +139,7 @@ SYM_FUNC_END(__load_partial) + * %r10 + */ + SYM_FUNC_START_LOCAL(__store_partial) +- mov LEN, %r8 ++ mov LEN, %r8d + mov DST, %r9 + + movq T0, %r10 +@@ -677,7 +677,7 @@ SYM_TYPED_FUNC_START(crypto_aegis128_aes + call __store_partial + + /* mask with byte count: */ +- movq LEN, T0 ++ movd LEN, T0 + punpcklbw T0, T0 + punpcklbw T0, T0 + punpcklbw T0, T0 +@@ -702,7 +702,8 @@ SYM_FUNC_END(crypto_aegis128_aesni_dec_t + + /* + * void crypto_aegis128_aesni_final(void *state, void *tag_xor, +- * u64 assoclen, u64 cryptlen); ++ * unsigned int assoclen, ++ * unsigned int cryptlen); + */ + SYM_FUNC_START(crypto_aegis128_aesni_final) + FRAME_BEGIN +@@ -715,8 +716,8 @@ SYM_FUNC_START(crypto_aegis128_aesni_fin + movdqu 0x40(STATEP), STATE4 + + /* prepare length block: */ +- movq %rdx, MSG +- movq %rcx, T0 ++ movd %edx, MSG ++ movd %ecx, T0 + pslldq $8, T0 + pxor T0, MSG + psllq $3, MSG /* multiply by 8 (to get bit count) */ diff --git a/queue-6.12/docs-media-update-location-of-the-media-patches.patch b/queue-6.12/docs-media-update-location-of-the-media-patches.patch new file mode 100644 index 00000000000..6834f5a89ab --- /dev/null +++ b/queue-6.12/docs-media-update-location-of-the-media-patches.patch @@ -0,0 +1,45 @@ +From 72ad4ff638047bbbdf3232178fea4bec1f429319 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Mon, 18 Nov 2024 07:05:54 +0100 +Subject: docs: media: update location of the media patches + +From: Mauro Carvalho Chehab + +commit 72ad4ff638047bbbdf3232178fea4bec1f429319 upstream. + +Due to recent changes on the way we're maintaining media, the +location of the main tree was updated. + +Change docs accordingly. + +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/media/building.rst | 2 +- + Documentation/admin-guide/media/saa7134.rst | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/admin-guide/media/building.rst ++++ b/Documentation/admin-guide/media/building.rst +@@ -15,7 +15,7 @@ Please notice, however, that, if: + + you should use the main media development tree ``master`` branch: + +- https://git.linuxtv.org/media_tree.git/ ++ https://git.linuxtv.org/media.git/ + + In this case, you may find some useful information at the + `LinuxTv wiki pages `_: +--- a/Documentation/admin-guide/media/saa7134.rst ++++ b/Documentation/admin-guide/media/saa7134.rst +@@ -67,7 +67,7 @@ Changes / Fixes + Please mail to linux-media AT vger.kernel.org unified diffs against + the linux media git tree: + +- https://git.linuxtv.org/media_tree.git/ ++ https://git.linuxtv.org/media.git/ + + This is done by committing a patch at a clone of the git tree and + submitting the patch using ``git send-email``. Don't forget to diff --git a/queue-6.12/dt-bindings-iio-dac-ad3552r-fix-maximum-spi-speed.patch b/queue-6.12/dt-bindings-iio-dac-ad3552r-fix-maximum-spi-speed.patch new file mode 100644 index 00000000000..58fb72f8c2d --- /dev/null +++ b/queue-6.12/dt-bindings-iio-dac-ad3552r-fix-maximum-spi-speed.patch @@ -0,0 +1,33 @@ +From d1d1c117f39b2057d1e978f26a8bd9631ddb193b Mon Sep 17 00:00:00 2001 +From: Angelo Dureghello +Date: Thu, 3 Oct 2024 19:29:01 +0200 +Subject: dt-bindings: iio: dac: ad3552r: fix maximum spi speed + +From: Angelo Dureghello + +commit d1d1c117f39b2057d1e978f26a8bd9631ddb193b upstream. + +Fix maximum SPI clock speed, as per datasheet (Rev. B, page 6). + +Fixes: b0a96c5f599e ("dt-bindings: iio: dac: Add adi,ad3552r.yaml") +Cc: stable@vger.kernel.org +Signed-off-by: Angelo Dureghello +Acked-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20241003-wip-bl-ad3552r-axi-v0-iio-testing-v4-4-ceb157487329@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/iio/dac/adi,ad3552r.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/iio/dac/adi,ad3552r.yaml ++++ b/Documentation/devicetree/bindings/iio/dac/adi,ad3552r.yaml +@@ -30,7 +30,7 @@ properties: + maxItems: 1 + + spi-max-frequency: +- maximum: 30000000 ++ maximum: 66000000 + + reset-gpios: + maxItems: 1 diff --git a/queue-6.12/dt-bindings-pinctrl-samsung-fix-interrupt-constraint-for-variants-with-fallbacks.patch b/queue-6.12/dt-bindings-pinctrl-samsung-fix-interrupt-constraint-for-variants-with-fallbacks.patch new file mode 100644 index 00000000000..8dbc9bb35c4 --- /dev/null +++ b/queue-6.12/dt-bindings-pinctrl-samsung-fix-interrupt-constraint-for-variants-with-fallbacks.patch @@ -0,0 +1,66 @@ +From ffb30875172eabff727e2896f097ccd4bb68723f Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 15 Oct 2024 08:58:47 +0200 +Subject: dt-bindings: pinctrl: samsung: Fix interrupt constraint for variants with fallbacks + +From: Krzysztof Kozlowski + +commit ffb30875172eabff727e2896f097ccd4bb68723f upstream. + +Commit 904140fa4553 ("dt-bindings: pinctrl: samsung: use Exynos7 +fallbacks for newer wake-up controllers") added +samsung,exynos7-wakeup-eint fallback to some compatibles, so the +intention in the if:then: conditions was to handle the cases: + +1. Single Exynos7 compatible or Exynos5433+Exynos7 or + Exynos7885+Exynos7: only one interrupt + +2. Exynos850+Exynos7: no interrupts + +This was not implemented properly however and if:then: block matches +only single Exynos5433 or Exynos7885 compatibles, which do not exist in +DTS anymore, so basically is a no-op and no enforcement on number of +interrupts is made by the binding. + +Fix the if:then: condition so interrupts in the Exynos5433 and +Exynos7885 wake-up pin controller will be properly constrained. + +Fixes: 904140fa4553 ("dt-bindings: pinctrl: samsung: use Exynos7 fallbacks for newer wake-up controllers") +Cc: stable@vger.kernel.org +Acked-by: Rob Herring (Arm) +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20241015065848.29429-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pinctrl/samsung,pinctrl-wakeup-interrupt.yaml | 19 +++++----- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/Documentation/devicetree/bindings/pinctrl/samsung,pinctrl-wakeup-interrupt.yaml ++++ b/Documentation/devicetree/bindings/pinctrl/samsung,pinctrl-wakeup-interrupt.yaml +@@ -91,14 +91,17 @@ allOf: + - if: + properties: + compatible: +- # Match without "contains", to skip newer variants which are still +- # compatible with samsung,exynos7-wakeup-eint +- enum: +- - samsung,s5pv210-wakeup-eint +- - samsung,exynos4210-wakeup-eint +- - samsung,exynos5433-wakeup-eint +- - samsung,exynos7-wakeup-eint +- - samsung,exynos7885-wakeup-eint ++ oneOf: ++ # Match without "contains", to skip newer variants which are still ++ # compatible with samsung,exynos7-wakeup-eint ++ - enum: ++ - samsung,exynos4210-wakeup-eint ++ - samsung,exynos7-wakeup-eint ++ - samsung,s5pv210-wakeup-eint ++ - contains: ++ enum: ++ - samsung,exynos5433-wakeup-eint ++ - samsung,exynos7885-wakeup-eint + then: + properties: + interrupts: diff --git a/queue-6.12/exfat-fix-out-of-bounds-access-of-directory-entries.patch b/queue-6.12/exfat-fix-out-of-bounds-access-of-directory-entries.patch new file mode 100644 index 00000000000..ef53b0cdd8f --- /dev/null +++ b/queue-6.12/exfat-fix-out-of-bounds-access-of-directory-entries.patch @@ -0,0 +1,61 @@ +From 184fa506e392eb78364d9283c961217ff2c0617b Mon Sep 17 00:00:00 2001 +From: Yuezhang Mo +Date: Mon, 28 Oct 2024 11:23:36 +0800 +Subject: exfat: fix out-of-bounds access of directory entries + +From: Yuezhang Mo + +commit 184fa506e392eb78364d9283c961217ff2c0617b upstream. + +In the case of the directory size is greater than or equal to +the cluster size, if start_clu becomes an EOF cluster(an invalid +cluster) due to file system corruption, then the directory entry +where ei->hint_femp.eidx hint is outside the directory, resulting +in an out-of-bounds access, which may cause further file system +corruption. + +This commit adds a check for start_clu, if it is an invalid cluster, +the file or directory will be treated as empty. + +Cc: stable@vger.kernel.org +Signed-off-by: Yuezhang Mo +Co-developed-by: Namjae Jeon +Signed-off-by: Namjae Jeon +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/namei.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/fs/exfat/namei.c ++++ b/fs/exfat/namei.c +@@ -638,14 +638,26 @@ static int exfat_find(struct inode *dir, + info->size = le64_to_cpu(ep2->dentry.stream.valid_size); + info->valid_size = le64_to_cpu(ep2->dentry.stream.valid_size); + info->size = le64_to_cpu(ep2->dentry.stream.size); ++ ++ info->start_clu = le32_to_cpu(ep2->dentry.stream.start_clu); ++ if (!is_valid_cluster(sbi, info->start_clu) && info->size) { ++ exfat_warn(sb, "start_clu is invalid cluster(0x%x)", ++ info->start_clu); ++ info->size = 0; ++ info->valid_size = 0; ++ } ++ ++ if (info->valid_size > info->size) { ++ exfat_warn(sb, "valid_size(%lld) is greater than size(%lld)", ++ info->valid_size, info->size); ++ info->valid_size = info->size; ++ } ++ + if (info->size == 0) { + info->flags = ALLOC_NO_FAT_CHAIN; + info->start_clu = EXFAT_EOF_CLUSTER; +- } else { ++ } else + info->flags = ep2->dentry.stream.flags; +- info->start_clu = +- le32_to_cpu(ep2->dentry.stream.start_clu); +- } + + exfat_get_entry_time(sbi, &info->crtime, + ep->dentry.file.create_tz, diff --git a/queue-6.12/exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch b/queue-6.12/exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch new file mode 100644 index 00000000000..697bd1e115e --- /dev/null +++ b/queue-6.12/exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch @@ -0,0 +1,38 @@ +From 02dffe9ab092fc4c8800aee68cb7eafd37a980c4 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sat, 26 Oct 2024 13:06:15 +0900 +Subject: exfat: fix uninit-value in __exfat_get_dentry_set + +From: Namjae Jeon + +commit 02dffe9ab092fc4c8800aee68cb7eafd37a980c4 upstream. + +There is no check if stream size and start_clu are invalid. +If start_clu is EOF cluster and stream size is 4096, It will +cause uninit value access. because ei->hint_femp.eidx could +be 128(if cluster size is 4K) and wrong hint will allocate +next cluster. and this cluster will be same with the cluster +that is allocated by exfat_extend_valid_size(). The previous +patch will check invalid start_clu, but for clarity, initialize +hint_femp.eidx to zero. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+01218003be74b5e1213a@syzkaller.appspotmail.com +Tested-by: syzbot+01218003be74b5e1213a@syzkaller.appspotmail.com +Reviewed-by: Yuezhang Mo +Signed-off-by: Namjae Jeon +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/namei.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/exfat/namei.c ++++ b/fs/exfat/namei.c +@@ -345,6 +345,7 @@ static int exfat_find_empty_entry(struct + if (ei->start_clu == EXFAT_EOF_CLUSTER) { + ei->start_clu = clu.dir; + p_dir->dir = clu.dir; ++ hint_femp.eidx = 0; + } + + /* append to the FAT chain */ diff --git a/queue-6.12/ext4-fix-fs_ioc_getfsmap-handling.patch b/queue-6.12/ext4-fix-fs_ioc_getfsmap-handling.patch new file mode 100644 index 00000000000..b6101e4d226 --- /dev/null +++ b/queue-6.12/ext4-fix-fs_ioc_getfsmap-handling.patch @@ -0,0 +1,158 @@ +From 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 23 Oct 2024 00:25:37 -0400 +Subject: ext4: fix FS_IOC_GETFSMAP handling + +From: Theodore Ts'o + +commit 4a622e4d477bb12ad5ed4abbc7ad1365de1fa347 upstream. + +The original implementation ext4's FS_IOC_GETFSMAP handling only +worked when the range of queried blocks included at least one free +(unallocated) block range. This is because how the metadata blocks +were emitted was as a side effect of ext4_mballoc_query_range() +calling ext4_getfsmap_datadev_helper(), and that function was only +called when a free block range was identified. As a result, this +caused generic/365 to fail. + +Fix this by creating a new function ext4_getfsmap_meta_helper() which +gets called so that blocks before the first free block range in a +block group can get properly reported. + +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fsmap.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++- + fs/ext4/mballoc.c | 18 ++++++++++++++---- + fs/ext4/mballoc.h | 1 + + 3 files changed, 68 insertions(+), 5 deletions(-) + +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -185,6 +185,56 @@ static inline ext4_fsblk_t ext4_fsmap_ne + return fmr->fmr_physical + fmr->fmr_length; + } + ++static int ext4_getfsmap_meta_helper(struct super_block *sb, ++ ext4_group_t agno, ext4_grpblk_t start, ++ ext4_grpblk_t len, void *priv) ++{ ++ struct ext4_getfsmap_info *info = priv; ++ struct ext4_fsmap *p; ++ struct ext4_fsmap *tmp; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); ++ ext4_fsblk_t fsb, fs_start, fs_end; ++ int error; ++ ++ fs_start = fsb = (EXT4_C2B(sbi, start) + ++ ext4_group_first_block_no(sb, agno)); ++ fs_end = fs_start + EXT4_C2B(sbi, len); ++ ++ /* Return relevant extents from the meta_list */ ++ list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) { ++ if (p->fmr_physical < info->gfi_next_fsblk) { ++ list_del(&p->fmr_list); ++ kfree(p); ++ continue; ++ } ++ if (p->fmr_physical <= fs_start || ++ p->fmr_physical + p->fmr_length <= fs_end) { ++ /* Emit the retained free extent record if present */ ++ if (info->gfi_lastfree.fmr_owner) { ++ error = ext4_getfsmap_helper(sb, info, ++ &info->gfi_lastfree); ++ if (error) ++ return error; ++ info->gfi_lastfree.fmr_owner = 0; ++ } ++ error = ext4_getfsmap_helper(sb, info, p); ++ if (error) ++ return error; ++ fsb = p->fmr_physical + p->fmr_length; ++ if (info->gfi_next_fsblk < fsb) ++ info->gfi_next_fsblk = fsb; ++ list_del(&p->fmr_list); ++ kfree(p); ++ continue; ++ } ++ } ++ if (info->gfi_next_fsblk < fsb) ++ info->gfi_next_fsblk = fsb; ++ ++ return 0; ++} ++ ++ + /* Transform a blockgroup's free record into a fsmap */ + static int ext4_getfsmap_datadev_helper(struct super_block *sb, + ext4_group_t agno, ext4_grpblk_t start, +@@ -539,6 +589,7 @@ static int ext4_getfsmap_datadev(struct + error = ext4_mballoc_query_range(sb, info->gfi_agno, + EXT4_B2C(sbi, info->gfi_low.fmr_physical), + EXT4_B2C(sbi, info->gfi_high.fmr_physical), ++ ext4_getfsmap_meta_helper, + ext4_getfsmap_datadev_helper, info); + if (error) + goto err; +@@ -560,7 +611,8 @@ static int ext4_getfsmap_datadev(struct + + /* Report any gaps at the end of the bg */ + info->gfi_last = true; +- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster, 0, info); ++ error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, ++ 0, info); + if (error) + goto err; + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -6999,13 +6999,14 @@ int + ext4_mballoc_query_range( + struct super_block *sb, + ext4_group_t group, +- ext4_grpblk_t start, ++ ext4_grpblk_t first, + ext4_grpblk_t end, ++ ext4_mballoc_query_range_fn meta_formatter, + ext4_mballoc_query_range_fn formatter, + void *priv) + { + void *bitmap; +- ext4_grpblk_t next; ++ ext4_grpblk_t start, next; + struct ext4_buddy e4b; + int error; + +@@ -7016,10 +7017,19 @@ ext4_mballoc_query_range( + + ext4_lock_group(sb, group); + +- start = max(e4b.bd_info->bb_first_free, start); ++ start = max(e4b.bd_info->bb_first_free, first); + if (end >= EXT4_CLUSTERS_PER_GROUP(sb)) + end = EXT4_CLUSTERS_PER_GROUP(sb) - 1; +- ++ if (meta_formatter && start != first) { ++ if (start > end) ++ start = end; ++ ext4_unlock_group(sb, group); ++ error = meta_formatter(sb, group, first, start - first, ++ priv); ++ if (error) ++ goto out_unload; ++ ext4_lock_group(sb, group); ++ } + while (start <= end) { + start = mb_find_next_zero_bit(bitmap, end + 1, start); + if (start > end) +--- a/fs/ext4/mballoc.h ++++ b/fs/ext4/mballoc.h +@@ -259,6 +259,7 @@ ext4_mballoc_query_range( + ext4_group_t agno, + ext4_grpblk_t start, + ext4_grpblk_t end, ++ ext4_mballoc_query_range_fn meta_formatter, + ext4_mballoc_query_range_fn formatter, + void *priv); + diff --git a/queue-6.12/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch b/queue-6.12/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch new file mode 100644 index 00000000000..3028869ab92 --- /dev/null +++ b/queue-6.12/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch @@ -0,0 +1,83 @@ +From 902cc179c931a033cd7f4242353aa2733bf8524c Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Thu, 3 Oct 2024 21:53:37 +0900 +Subject: ext4: supress data-race warnings in ext4_free_inodes_{count,set}() + +From: Jeongjun Park + +commit 902cc179c931a033cd7f4242353aa2733bf8524c upstream. + +find_group_other() and find_group_orlov() read *_lo, *_hi with +ext4_free_inodes_count without additional locking. This can cause +data-race warning, but since the lock is held for most writes and free +inodes value is generally not a problem even if it is incorrect, it is +more appropriate to use READ_ONCE()/WRITE_ONCE() than to add locking. + +================================================================== +BUG: KCSAN: data-race in ext4_free_inodes_count / ext4_free_inodes_set + +write to 0xffff88810404300e of 2 bytes by task 6254 on cpu 1: + ext4_free_inodes_set+0x1f/0x80 fs/ext4/super.c:405 + __ext4_new_inode+0x15ca/0x2200 fs/ext4/ialloc.c:1216 + ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 + vfs_symlink+0xca/0x1d0 fs/namei.c:4615 + do_symlinkat+0xe3/0x340 fs/namei.c:4641 + __do_sys_symlinkat fs/namei.c:4657 [inline] + __se_sys_symlinkat fs/namei.c:4654 [inline] + __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 + x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +read to 0xffff88810404300e of 2 bytes by task 6257 on cpu 0: + ext4_free_inodes_count+0x1c/0x80 fs/ext4/super.c:349 + find_group_other fs/ext4/ialloc.c:594 [inline] + __ext4_new_inode+0x6ec/0x2200 fs/ext4/ialloc.c:1017 + ext4_symlink+0x242/0x5a0 fs/ext4/namei.c:3391 + vfs_symlink+0xca/0x1d0 fs/namei.c:4615 + do_symlinkat+0xe3/0x340 fs/namei.c:4641 + __do_sys_symlinkat fs/namei.c:4657 [inline] + __se_sys_symlinkat fs/namei.c:4654 [inline] + __x64_sys_symlinkat+0x5e/0x70 fs/namei.c:4654 + x64_sys_call+0x1dda/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:267 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Cc: stable@vger.kernel.org +Signed-off-by: Jeongjun Park +Reviewed-by: Andreas Dilger +Link: https://patch.msgid.link/20241003125337.47283-1-aha310510@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -353,9 +353,9 @@ __u32 ext4_free_group_clusters(struct su + __u32 ext4_free_inodes_count(struct super_block *sb, + struct ext4_group_desc *bg) + { +- return le16_to_cpu(bg->bg_free_inodes_count_lo) | ++ return le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_lo)) | + (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT ? +- (__u32)le16_to_cpu(bg->bg_free_inodes_count_hi) << 16 : 0); ++ (__u32)le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_hi)) << 16 : 0); + } + + __u32 ext4_used_dirs_count(struct super_block *sb, +@@ -409,9 +409,9 @@ void ext4_free_group_clusters_set(struct + void ext4_free_inodes_set(struct super_block *sb, + struct ext4_group_desc *bg, __u32 count) + { +- bg->bg_free_inodes_count_lo = cpu_to_le16((__u16)count); ++ WRITE_ONCE(bg->bg_free_inodes_count_lo, cpu_to_le16((__u16)count)); + if (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT) +- bg->bg_free_inodes_count_hi = cpu_to_le16(count >> 16); ++ WRITE_ONCE(bg->bg_free_inodes_count_hi, cpu_to_le16(count >> 16)); + } + + void ext4_used_dirs_set(struct super_block *sb, diff --git a/queue-6.12/fcntl-make-f_dupfd_query-associative.patch b/queue-6.12/fcntl-make-f_dupfd_query-associative.patch new file mode 100644 index 00000000000..99bcb312007 --- /dev/null +++ b/queue-6.12/fcntl-make-f_dupfd_query-associative.patch @@ -0,0 +1,51 @@ +From 2714b0d1f36999dbd99a3474a24e7301acbd74f1 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 8 Oct 2024 13:30:49 +0200 +Subject: fcntl: make F_DUPFD_QUERY associative + +From: Christian Brauner + +commit 2714b0d1f36999dbd99a3474a24e7301acbd74f1 upstream. + +Currently when passing a closed file descriptor to +fcntl(fd, F_DUPFD_QUERY, fd_dup) the order matters: + + fd = open("/dev/null"); + fd_dup = dup(fd); + +When we now close one of the file descriptors we get: + + (1) fcntl(fd, fd_dup) // -EBADF + (2) fcntl(fd_dup, fd) // 0 aka not equal + +depending on which file descriptor is passed first. That's not a huge +deal but it gives the api I slightly weird feel. Make it so that the +order doesn't matter by requiring that both file descriptors are valid: + +(1') fcntl(fd, fd_dup) // -EBADF +(2') fcntl(fd_dup, fd) // -EBADF + +Link: https://lore.kernel.org/r/20241008-duften-formel-251f967602d5@brauner +Fixes: c62b758bae6a ("fcntl: add F_DUPFD_QUERY fcntl()") +Reviewed-by: Jeff Layton +Reviewed-By: Lennart Poettering +Cc: stable@vger.kernel.org +Reported-by: Lennart Poettering +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fcntl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -397,6 +397,9 @@ static long f_dupfd_query(int fd, struct + { + CLASS(fd_raw, f)(fd); + ++ if (fd_empty(f)) ++ return -EBADF; ++ + /* + * We can do the 'fdput()' immediately, as the only thing that + * matters is the pointer value which isn't changed by the fdput. diff --git a/queue-6.12/fsnotify-fix-ordering-of-iput-and-watched_objects-decrement.patch b/queue-6.12/fsnotify-fix-ordering-of-iput-and-watched_objects-decrement.patch new file mode 100644 index 00000000000..c358f4e88b0 --- /dev/null +++ b/queue-6.12/fsnotify-fix-ordering-of-iput-and-watched_objects-decrement.patch @@ -0,0 +1,60 @@ +From 21d1b618b6b9da46c5116c640ac4b1cc8d40d63a Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 18 Nov 2024 17:33:13 +0100 +Subject: fsnotify: Fix ordering of iput() and watched_objects decrement + +From: Jann Horn + +commit 21d1b618b6b9da46c5116c640ac4b1cc8d40d63a upstream. + +Ensure the superblock is kept alive until we're done with iput(). +Holding a reference to an inode is not allowed unless we ensure the +superblock stays alive, which fsnotify does by keeping the +watched_objects count elevated, so iput() must happen before the +watched_objects decrement. +This can lead to a UAF of something like sb->s_fs_info in tmpfs, but the +UAF is hard to hit because race orderings that oops are more likely, thanks +to the CHECK_DATA_CORRUPTION() block in generic_shutdown_super(). + +Also, ensure that fsnotify_put_sb_watched_objects() doesn't call +fsnotify_sb_watched_objects() on a superblock that may have already been +freed, which would cause a UAF read of sb->s_fsnotify_info. + +Cc: stable@kernel.org +Fixes: d2f277e26f52 ("fsnotify: rename fsnotify_{get,put}_sb_connectors()") +Signed-off-by: Jann Horn +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/mark.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -138,8 +138,11 @@ static void fsnotify_get_sb_watched_obje + + static void fsnotify_put_sb_watched_objects(struct super_block *sb) + { +- if (atomic_long_dec_and_test(fsnotify_sb_watched_objects(sb))) +- wake_up_var(fsnotify_sb_watched_objects(sb)); ++ atomic_long_t *watched_objects = fsnotify_sb_watched_objects(sb); ++ ++ /* the superblock can go away after this decrement */ ++ if (atomic_long_dec_and_test(watched_objects)) ++ wake_up_var(watched_objects); + } + + static void fsnotify_get_inode_ref(struct inode *inode) +@@ -150,8 +153,11 @@ static void fsnotify_get_inode_ref(struc + + static void fsnotify_put_inode_ref(struct inode *inode) + { +- fsnotify_put_sb_watched_objects(inode->i_sb); ++ /* read ->i_sb before the inode can go away */ ++ struct super_block *sb = inode->i_sb; ++ + iput(inode); ++ fsnotify_put_sb_watched_objects(sb); + } + + /* diff --git a/queue-6.12/fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch b/queue-6.12/fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch new file mode 100644 index 00000000000..db8f1eec1ef --- /dev/null +++ b/queue-6.12/fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch @@ -0,0 +1,90 @@ +From aa52c54da40d9eee3ba87c05cdcb0cd07c04fa13 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Wed, 13 Nov 2024 16:40:34 +0100 +Subject: fsnotify: fix sending inotify event with unexpected filename + +From: Amir Goldstein + +commit aa52c54da40d9eee3ba87c05cdcb0cd07c04fa13 upstream. + +We got a report that adding a fanotify filsystem watch prevents tail -f +from receiving events. + +Reproducer: + +1. Create 3 windows / login sessions. Become root in each session. +2. Choose a mounted filesystem that is pretty quiet; I picked /boot. +3. In the first window, run: fsnotifywait -S -m /boot +4. In the second window, run: echo data >> /boot/foo +5. In the third window, run: tail -f /boot/foo +6. Go back to the second window and run: echo more data >> /boot/foo +7. Observe that the tail command doesn't show the new data. +8. In the first window, hit control-C to interrupt fsnotifywait. +9. In the second window, run: echo still more data >> /boot/foo +10. Observe that the tail command in the third window has now printed +the missing data. + +When stracing tail, we observed that when fanotify filesystem mark is +set, tail does get the inotify event, but the event is receieved with +the filename: + +read(4, "\1\0\0\0\2\0\0\0\0\0\0\0\20\0\0\0foo\0\0\0\0\0\0\0\0\0\0\0\0\0", +50) = 32 + +This is unexpected, because tail is watching the file itself and not its +parent and is inconsistent with the inotify event received by tail when +fanotify filesystem mark is not set: + +read(4, "\1\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0", 50) = 16 + +The inteference between different fsnotify groups was caused by the fact +that the mark on the sb requires the filename, so the filename is passed +to fsnotify(). Later on, fsnotify_handle_event() tries to take care of +not passing the filename to groups (such as inotify) that are interested +in the filename only when the parent is watching. + +But the logic was incorrect for the case that no group is watching the +parent, some groups are watching the sb and some watching the inode. + +Reported-by: Miklos Szeredi +Fixes: 7372e79c9eb9 ("fanotify: fix logic of reporting name info with watched parent") +Cc: stable@vger.kernel.org # 5.10+ +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fsnotify.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -333,16 +333,19 @@ static int fsnotify_handle_event(struct + if (!inode_mark) + return 0; + +- if (mask & FS_EVENT_ON_CHILD) { +- /* +- * Some events can be sent on both parent dir and child marks +- * (e.g. FS_ATTRIB). If both parent dir and child are +- * watching, report the event once to parent dir with name (if +- * interested) and once to child without name (if interested). +- * The child watcher is expecting an event without a file name +- * and without the FS_EVENT_ON_CHILD flag. +- */ +- mask &= ~FS_EVENT_ON_CHILD; ++ /* ++ * Some events can be sent on both parent dir and child marks (e.g. ++ * FS_ATTRIB). If both parent dir and child are watching, report the ++ * event once to parent dir with name (if interested) and once to child ++ * without name (if interested). ++ * ++ * In any case regardless whether the parent is watching or not, the ++ * child watcher is expecting an event without the FS_EVENT_ON_CHILD ++ * flag. The file name is expected if and only if this is a directory ++ * event. ++ */ ++ mask &= ~FS_EVENT_ON_CHILD; ++ if (!(mask & ALL_FSNOTIFY_DIRENT_EVENTS)) { + dir = NULL; + name = NULL; + } diff --git a/queue-6.12/iio-dac-adi-axi-dac-fix-wrong-register-bitfield.patch b/queue-6.12/iio-dac-adi-axi-dac-fix-wrong-register-bitfield.patch new file mode 100644 index 00000000000..7452a3150b9 --- /dev/null +++ b/queue-6.12/iio-dac-adi-axi-dac-fix-wrong-register-bitfield.patch @@ -0,0 +1,37 @@ +From 70602f529e4d76798c95aeed5ce2a8d36263abe5 Mon Sep 17 00:00:00 2001 +From: Angelo Dureghello +Date: Tue, 8 Oct 2024 17:43:33 +0200 +Subject: iio: dac: adi-axi-dac: fix wrong register bitfield + +From: Angelo Dureghello + +commit 70602f529e4d76798c95aeed5ce2a8d36263abe5 upstream. + +Fix ADI_DAC_R1_MODE of AXI_DAC_REG_CNTRL_2. + +Both generic DAC and ad3552r DAC IPs docs are reporting +bit 5 for it. + +Link: https://wiki.analog.com/resources/fpga/docs/axi_dac_ip +Fixes: 4e3949a192e4 ("iio: dac: add support for AXI DAC IP core") +Cc: stable@vger.kernel.org +Signed-off-by: Angelo Dureghello +Reviewed-by: Nuno Sa +Link: https://patch.msgid.link/20241008-wip-bl-ad3552r-axi-v0-iio-testing-v5-1-3d410944a63d@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/adi-axi-dac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/dac/adi-axi-dac.c ++++ b/drivers/iio/dac/adi-axi-dac.c +@@ -46,7 +46,7 @@ + #define AXI_DAC_REG_CNTRL_1 0x0044 + #define AXI_DAC_SYNC BIT(0) + #define AXI_DAC_REG_CNTRL_2 0x0048 +-#define ADI_DAC_R1_MODE BIT(4) ++#define ADI_DAC_R1_MODE BIT(5) + #define AXI_DAC_DRP_STATUS 0x0074 + #define AXI_DAC_DRP_LOCKED BIT(17) + /* DAC Channel controls */ diff --git a/queue-6.12/jfs-xattr-check-invalid-xattr-size-more-strictly.patch b/queue-6.12/jfs-xattr-check-invalid-xattr-size-more-strictly.patch new file mode 100644 index 00000000000..42289e27efe --- /dev/null +++ b/queue-6.12/jfs-xattr-check-invalid-xattr-size-more-strictly.patch @@ -0,0 +1,38 @@ +From d9f9d96136cba8fedd647d2c024342ce090133c2 Mon Sep 17 00:00:00 2001 +From: Artem Sadovnikov +Date: Sat, 5 Oct 2024 10:06:57 +0000 +Subject: jfs: xattr: check invalid xattr size more strictly + +From: Artem Sadovnikov + +commit d9f9d96136cba8fedd647d2c024342ce090133c2 upstream. + +Commit 7c55b78818cf ("jfs: xattr: fix buffer overflow for invalid xattr") +also addresses this issue but it only fixes it for positive values, while +ea_size is an integer type and can take negative values, e.g. in case of +a corrupted filesystem. This still breaks validation and would overflow +because of implicit conversion from int to size_t in print_hex_dump(). + +Fix this issue by clamping the ea_size value instead. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Cc: stable@vger.kernel.org +Signed-off-by: Artem Sadovnikov +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jfs/xattr.c ++++ b/fs/jfs/xattr.c +@@ -559,7 +559,7 @@ static int ea_get(struct inode *inode, s + + size_check: + if (EALIST_SIZE(ea_buf->xattr) != ea_size) { +- int size = min_t(int, EALIST_SIZE(ea_buf->xattr), ea_size); ++ int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr)); + + printk(KERN_ERR "ea_get: invalid extended attribute\n"); + print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, diff --git a/queue-6.12/kvm-arm64-don-t-retire-aborted-mmio-instruction.patch b/queue-6.12/kvm-arm64-don-t-retire-aborted-mmio-instruction.patch new file mode 100644 index 00000000000..5f7acccdc2f --- /dev/null +++ b/queue-6.12/kvm-arm64-don-t-retire-aborted-mmio-instruction.patch @@ -0,0 +1,101 @@ +From e735a5da64420a86be370b216c269b5dd8e830e2 Mon Sep 17 00:00:00 2001 +From: Oliver Upton +Date: Fri, 25 Oct 2024 20:31:03 +0000 +Subject: KVM: arm64: Don't retire aborted MMIO instruction + +From: Oliver Upton + +commit e735a5da64420a86be370b216c269b5dd8e830e2 upstream. + +Returning an abort to the guest for an unsupported MMIO access is a +documented feature of the KVM UAPI. Nevertheless, it's clear that this +plumbing has seen limited testing, since userspace can trivially cause a +WARN in the MMIO return: + + WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536 + Call trace: + kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536 + kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133 + kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487 + __do_sys_ioctl fs/ioctl.c:51 [inline] + __se_sys_ioctl fs/ioctl.c:893 [inline] + __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712 + el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 + el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 + +The splat is complaining that KVM is advancing PC while an exception is +pending, i.e. that KVM is retiring the MMIO instruction despite a +pending synchronous external abort. Womp womp. + +Fix the glaring UAPI bug by skipping over all the MMIO emulation in +case there is a pending synchronous exception. Note that while userspace +is capable of pending an asynchronous exception (SError, IRQ, or FIQ), +it is still safe to retire the MMIO instruction in this case as (1) they +are by definition asynchronous, and (2) KVM relies on hardware support +for pending/delivering these exceptions instead of the software state +machine for advancing PC. + +Cc: stable@vger.kernel.org +Fixes: da345174ceca ("KVM: arm/arm64: Allow user injection of external data aborts") +Reported-by: Alexander Potapenko +Reviewed-by: Marc Zyngier +Link: https://lore.kernel.org/r/20241025203106.3529261-2-oliver.upton@linux.dev +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/mmio.c | 32 ++++++++++++++++++++++++++++++-- + 1 file changed, 30 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kvm/mmio.c ++++ b/arch/arm64/kvm/mmio.c +@@ -72,6 +72,31 @@ unsigned long kvm_mmio_read_buf(const vo + return data; + } + ++static bool kvm_pending_sync_exception(struct kvm_vcpu *vcpu) ++{ ++ if (!vcpu_get_flag(vcpu, PENDING_EXCEPTION)) ++ return false; ++ ++ if (vcpu_el1_is_32bit(vcpu)) { ++ switch (vcpu_get_flag(vcpu, EXCEPT_MASK)) { ++ case unpack_vcpu_flag(EXCEPT_AA32_UND): ++ case unpack_vcpu_flag(EXCEPT_AA32_IABT): ++ case unpack_vcpu_flag(EXCEPT_AA32_DABT): ++ return true; ++ default: ++ return false; ++ } ++ } else { ++ switch (vcpu_get_flag(vcpu, EXCEPT_MASK)) { ++ case unpack_vcpu_flag(EXCEPT_AA64_EL1_SYNC): ++ case unpack_vcpu_flag(EXCEPT_AA64_EL2_SYNC): ++ return true; ++ default: ++ return false; ++ } ++ } ++} ++ + /** + * kvm_handle_mmio_return -- Handle MMIO loads after user space emulation + * or in-kernel IO emulation +@@ -84,8 +109,11 @@ int kvm_handle_mmio_return(struct kvm_vc + unsigned int len; + int mask; + +- /* Detect an already handled MMIO return */ +- if (unlikely(!vcpu->mmio_needed)) ++ /* ++ * Detect if the MMIO return was already handled or if userspace aborted ++ * the MMIO access. ++ */ ++ if (unlikely(!vcpu->mmio_needed || kvm_pending_sync_exception(vcpu))) + return 1; + + vcpu->mmio_needed = 0; diff --git a/queue-6.12/kvm-arm64-get-rid-of-userspace_irqchip_in_use.patch b/queue-6.12/kvm-arm64-get-rid-of-userspace_irqchip_in_use.patch new file mode 100644 index 00000000000..63f81cc41a2 --- /dev/null +++ b/queue-6.12/kvm-arm64-get-rid-of-userspace_irqchip_in_use.patch @@ -0,0 +1,168 @@ +From 38d7aacca09230fdb98a34194fec2af597e8e20d Mon Sep 17 00:00:00 2001 +From: Raghavendra Rao Ananta +Date: Mon, 28 Oct 2024 23:45:33 +0000 +Subject: KVM: arm64: Get rid of userspace_irqchip_in_use + +From: Raghavendra Rao Ananta + +commit 38d7aacca09230fdb98a34194fec2af597e8e20d upstream. + +Improper use of userspace_irqchip_in_use led to syzbot hitting the +following WARN_ON() in kvm_timer_update_irq(): + +WARNING: CPU: 0 PID: 3281 at arch/arm64/kvm/arch_timer.c:459 +kvm_timer_update_irq+0x21c/0x394 +Call trace: + kvm_timer_update_irq+0x21c/0x394 arch/arm64/kvm/arch_timer.c:459 + kvm_timer_vcpu_reset+0x158/0x684 arch/arm64/kvm/arch_timer.c:968 + kvm_reset_vcpu+0x3b4/0x560 arch/arm64/kvm/reset.c:264 + kvm_vcpu_set_target arch/arm64/kvm/arm.c:1553 [inline] + kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1573 [inline] + kvm_arch_vcpu_ioctl+0x112c/0x1b3c arch/arm64/kvm/arm.c:1695 + kvm_vcpu_ioctl+0x4ec/0xf74 virt/kvm/kvm_main.c:4658 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl fs/ioctl.c:893 [inline] + __arm64_sys_ioctl+0x108/0x184 fs/ioctl.c:893 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151 + el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:712 + el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 + el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 + +The following sequence led to the scenario: + - Userspace creates a VM and a vCPU. + - The vCPU is initialized with KVM_ARM_VCPU_PMU_V3 during + KVM_ARM_VCPU_INIT. + - Without any other setup, such as vGIC or vPMU, userspace issues + KVM_RUN on the vCPU. Since the vPMU is requested, but not setup, + kvm_arm_pmu_v3_enable() fails in kvm_arch_vcpu_run_pid_change(). + As a result, KVM_RUN returns after enabling the timer, but before + incrementing 'userspace_irqchip_in_use': + kvm_arch_vcpu_run_pid_change() + ret = kvm_arm_pmu_v3_enable() + if (!vcpu->arch.pmu.created) + return -EINVAL; + if (ret) + return ret; + [...] + if (!irqchip_in_kernel(kvm)) + static_branch_inc(&userspace_irqchip_in_use); + - Userspace ignores the error and issues KVM_ARM_VCPU_INIT again. + Since the timer is already enabled, control moves through the + following flow, ultimately hitting the WARN_ON(): + kvm_timer_vcpu_reset() + if (timer->enabled) + kvm_timer_update_irq() + if (!userspace_irqchip()) + ret = kvm_vgic_inject_irq() + ret = vgic_lazy_init() + if (unlikely(!vgic_initialized(kvm))) + if (kvm->arch.vgic.vgic_model != + KVM_DEV_TYPE_ARM_VGIC_V2) + return -EBUSY; + WARN_ON(ret); + +Theoretically, since userspace_irqchip_in_use's functionality can be +simply replaced by '!irqchip_in_kernel()', get rid of the static key +to avoid the mismanagement, which also helps with the syzbot issue. + +Cc: +Reported-by: syzbot +Suggested-by: Marc Zyngier +Signed-off-by: Raghavendra Rao Ananta +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_host.h | 2 -- + arch/arm64/kvm/arch_timer.c | 3 +-- + arch/arm64/kvm/arm.c | 18 +++--------------- + 3 files changed, 4 insertions(+), 19 deletions(-) + +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -74,8 +74,6 @@ enum kvm_mode kvm_get_mode(void); + static inline enum kvm_mode kvm_get_mode(void) { return KVM_MODE_NONE; }; + #endif + +-DECLARE_STATIC_KEY_FALSE(userspace_irqchip_in_use); +- + extern unsigned int __ro_after_init kvm_sve_max_vl; + extern unsigned int __ro_after_init kvm_host_sve_max_vl; + int __init kvm_arm_init_sve(void); +--- a/arch/arm64/kvm/arch_timer.c ++++ b/arch/arm64/kvm/arch_timer.c +@@ -206,8 +206,7 @@ void get_timer_map(struct kvm_vcpu *vcpu + + static inline bool userspace_irqchip(struct kvm *kvm) + { +- return static_branch_unlikely(&userspace_irqchip_in_use) && +- unlikely(!irqchip_in_kernel(kvm)); ++ return unlikely(!irqchip_in_kernel(kvm)); + } + + static void soft_timer_start(struct hrtimer *hrt, u64 ns) +--- a/arch/arm64/kvm/arm.c ++++ b/arch/arm64/kvm/arm.c +@@ -69,7 +69,6 @@ DECLARE_KVM_NVHE_PER_CPU(struct kvm_cpu_ + static bool vgic_present, kvm_arm_initialised; + + static DEFINE_PER_CPU(unsigned char, kvm_hyp_initialized); +-DEFINE_STATIC_KEY_FALSE(userspace_irqchip_in_use); + + bool is_kvm_arm_initialised(void) + { +@@ -503,9 +502,6 @@ void kvm_arch_vcpu_postcreate(struct kvm + + void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu) + { +- if (vcpu_has_run_once(vcpu) && unlikely(!irqchip_in_kernel(vcpu->kvm))) +- static_branch_dec(&userspace_irqchip_in_use); +- + kvm_mmu_free_memory_cache(&vcpu->arch.mmu_page_cache); + kvm_timer_vcpu_terminate(vcpu); + kvm_pmu_vcpu_destroy(vcpu); +@@ -848,14 +844,6 @@ int kvm_arch_vcpu_run_pid_change(struct + return ret; + } + +- if (!irqchip_in_kernel(kvm)) { +- /* +- * Tell the rest of the code that there are userspace irqchip +- * VMs in the wild. +- */ +- static_branch_inc(&userspace_irqchip_in_use); +- } +- + /* + * Initialize traps for protected VMs. + * NOTE: Move to run in EL2 directly, rather than via a hypercall, once +@@ -1077,7 +1065,7 @@ static bool kvm_vcpu_exit_request(struct + * state gets updated in kvm_timer_update_run and + * kvm_pmu_update_run below). + */ +- if (static_branch_unlikely(&userspace_irqchip_in_use)) { ++ if (unlikely(!irqchip_in_kernel(vcpu->kvm))) { + if (kvm_timer_should_notify_user(vcpu) || + kvm_pmu_should_notify_user(vcpu)) { + *ret = -EINTR; +@@ -1199,7 +1187,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_v + vcpu->mode = OUTSIDE_GUEST_MODE; + isb(); /* Ensure work in x_flush_hwstate is committed */ + kvm_pmu_sync_hwstate(vcpu); +- if (static_branch_unlikely(&userspace_irqchip_in_use)) ++ if (unlikely(!irqchip_in_kernel(vcpu->kvm))) + kvm_timer_sync_user(vcpu); + kvm_vgic_sync_hwstate(vcpu); + local_irq_enable(); +@@ -1245,7 +1233,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_v + * we don't want vtimer interrupts to race with syncing the + * timer virtual interrupt state. + */ +- if (static_branch_unlikely(&userspace_irqchip_in_use)) ++ if (unlikely(!irqchip_in_kernel(vcpu->kvm))) + kvm_timer_sync_user(vcpu); + + kvm_arch_vcpu_ctxsync_fp(vcpu); diff --git a/queue-6.12/kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch b/queue-6.12/kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch new file mode 100644 index 00000000000..b9191657bfc --- /dev/null +++ b/queue-6.12/kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch @@ -0,0 +1,43 @@ +From 54bbee190d42166209185d89070c58a343bf514b Mon Sep 17 00:00:00 2001 +From: Raghavendra Rao Ananta +Date: Tue, 19 Nov 2024 16:52:29 -0800 +Subject: KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status + +From: Raghavendra Rao Ananta + +commit 54bbee190d42166209185d89070c58a343bf514b upstream. + +DDI0487K.a D13.3.1 describes the PMU overflow condition, which evaluates +to true if any counter's global enable (PMCR_EL0.E), overflow flag +(PMOVSSET_EL0[n]), and interrupt enable (PMINTENSET_EL1[n]) are all 1. +Of note, this does not require a counter to be enabled +(i.e. PMCNTENSET_EL0[n] = 1) to generate an overflow. + +Align kvm_pmu_overflow_status() with the reality of the architecture +and stop using PMCNTENSET_EL0 as part of the overflow condition. The +bug was discovered while running an SBSA PMU test [*], which only sets +PMCR.E, PMOVSSET<0>, PMINTENSET<0>, and expects an overflow interrupt. + +Cc: stable@vger.kernel.org +Fixes: 76d883c4e640 ("arm64: KVM: Add access handler for PMOVSSET and PMOVSCLR register") +Link: https://github.com/ARM-software/sbsa-acs/blob/master/test_pool/pmu/operating_system/test_pmu001.c +Signed-off-by: Raghavendra Rao Ananta +[ oliver: massaged changelog ] +Reviewed-by: Marc Zyngier +Link: https://lore.kernel.org/r/20241120005230.2335682-2-oliver.upton@linux.dev +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/pmu-emul.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm64/kvm/pmu-emul.c ++++ b/arch/arm64/kvm/pmu-emul.c +@@ -342,7 +342,6 @@ static u64 kvm_pmu_overflow_status(struc + + if ((kvm_vcpu_read_pmcr(vcpu) & ARMV8_PMU_PMCR_E)) { + reg = __vcpu_sys_reg(vcpu, PMOVSSET_EL0); +- reg &= __vcpu_sys_reg(vcpu, PMCNTENSET_EL0); + reg &= __vcpu_sys_reg(vcpu, PMINTENSET_EL1); + } + diff --git a/queue-6.12/kvm-arm64-vgic-its-add-a-data-length-check-in-vgic_its_save_.patch b/queue-6.12/kvm-arm64-vgic-its-add-a-data-length-check-in-vgic_its_save_.patch new file mode 100644 index 00000000000..0a9bf164913 --- /dev/null +++ b/queue-6.12/kvm-arm64-vgic-its-add-a-data-length-check-in-vgic_its_save_.patch @@ -0,0 +1,137 @@ +From 7fe28d7e68f92cc3d0668b8f2fbdf5c303ac3022 Mon Sep 17 00:00:00 2001 +From: Jing Zhang +Date: Thu, 7 Nov 2024 13:41:34 -0800 +Subject: KVM: arm64: vgic-its: Add a data length check in vgic_its_save_* + +From: Jing Zhang + +commit 7fe28d7e68f92cc3d0668b8f2fbdf5c303ac3022 upstream. + +In all the vgic_its_save_*() functinos, they do not check whether +the data length is 8 bytes before calling vgic_write_guest_lock. +This patch adds the check. To prevent the kernel from being blown up +when the fault occurs, KVM_BUG_ON() is used. And the other BUG_ON()s +are replaced together. + +Cc: stable@vger.kernel.org +Signed-off-by: Kunkun Jiang +[Jing: Update with the new entry read/write helpers] +Signed-off-by: Jing Zhang +Link: https://lore.kernel.org/r/20241107214137.428439-4-jingzhangos@google.com +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-its.c | 20 ++++++++------------ + arch/arm64/kvm/vgic/vgic.h | 23 +++++++++++++++++++++++ + 2 files changed, 31 insertions(+), 12 deletions(-) + +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -2090,7 +2090,6 @@ static int scan_its_table(struct vgic_it + static int vgic_its_save_ite(struct vgic_its *its, struct its_device *dev, + struct its_ite *ite, gpa_t gpa, int ite_esz) + { +- struct kvm *kvm = its->dev->kvm; + u32 next_offset; + u64 val; + +@@ -2099,7 +2098,8 @@ static int vgic_its_save_ite(struct vgic + ((u64)ite->irq->intid << KVM_ITS_ITE_PINTID_SHIFT) | + ite->collection->collection_id; + val = cpu_to_le64(val); +- return vgic_write_guest_lock(kvm, gpa, &val, ite_esz); ++ ++ return vgic_its_write_entry_lock(its, gpa, val, ite_esz); + } + + /** +@@ -2243,7 +2243,6 @@ static int vgic_its_restore_itt(struct v + static int vgic_its_save_dte(struct vgic_its *its, struct its_device *dev, + gpa_t ptr, int dte_esz) + { +- struct kvm *kvm = its->dev->kvm; + u64 val, itt_addr_field; + u32 next_offset; + +@@ -2254,7 +2253,8 @@ static int vgic_its_save_dte(struct vgic + (itt_addr_field << KVM_ITS_DTE_ITTADDR_SHIFT) | + (dev->num_eventid_bits - 1)); + val = cpu_to_le64(val); +- return vgic_write_guest_lock(kvm, ptr, &val, dte_esz); ++ ++ return vgic_its_write_entry_lock(its, ptr, val, dte_esz); + } + + /** +@@ -2441,7 +2441,8 @@ static int vgic_its_save_cte(struct vgic + ((u64)collection->target_addr << KVM_ITS_CTE_RDBASE_SHIFT) | + collection->collection_id); + val = cpu_to_le64(val); +- return vgic_write_guest_lock(its->dev->kvm, gpa, &val, esz); ++ ++ return vgic_its_write_entry_lock(its, gpa, val, esz); + } + + /* +@@ -2457,8 +2458,7 @@ static int vgic_its_restore_cte(struct v + u64 val; + int ret; + +- BUG_ON(esz > sizeof(val)); +- ret = kvm_read_guest_lock(kvm, gpa, &val, esz); ++ ret = vgic_its_read_entry_lock(its, gpa, &val, esz); + if (ret) + return ret; + val = le64_to_cpu(val); +@@ -2496,7 +2496,6 @@ static int vgic_its_save_collection_tabl + u64 baser = its->baser_coll_table; + gpa_t gpa = GITS_BASER_ADDR_48_to_52(baser); + struct its_collection *collection; +- u64 val; + size_t max_size, filled = 0; + int ret, cte_esz = abi->cte_esz; + +@@ -2520,10 +2519,7 @@ static int vgic_its_save_collection_tabl + * table is not fully filled, add a last dummy element + * with valid bit unset + */ +- val = 0; +- BUG_ON(cte_esz > sizeof(val)); +- ret = vgic_write_guest_lock(its->dev->kvm, gpa, &val, cte_esz); +- return ret; ++ return vgic_its_write_entry_lock(its, gpa, 0, cte_esz); + } + + /* +--- a/arch/arm64/kvm/vgic/vgic.h ++++ b/arch/arm64/kvm/vgic/vgic.h +@@ -146,6 +146,29 @@ static inline int vgic_write_guest_lock( + return ret; + } + ++static inline int vgic_its_read_entry_lock(struct vgic_its *its, gpa_t eaddr, ++ u64 *eval, unsigned long esize) ++{ ++ struct kvm *kvm = its->dev->kvm; ++ ++ if (KVM_BUG_ON(esize != sizeof(*eval), kvm)) ++ return -EINVAL; ++ ++ return kvm_read_guest_lock(kvm, eaddr, eval, esize); ++ ++} ++ ++static inline int vgic_its_write_entry_lock(struct vgic_its *its, gpa_t eaddr, ++ u64 eval, unsigned long esize) ++{ ++ struct kvm *kvm = its->dev->kvm; ++ ++ if (KVM_BUG_ON(esize != sizeof(eval), kvm)) ++ return -EINVAL; ++ ++ return vgic_write_guest_lock(kvm, eaddr, &eval, esize); ++} ++ + /* + * This struct provides an intermediate representation of the fields contained + * in the GICH_VMCR and ICH_VMCR registers, such that code exporting the GIC diff --git a/queue-6.12/kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch b/queue-6.12/kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch new file mode 100644 index 00000000000..9626bc3f6a1 --- /dev/null +++ b/queue-6.12/kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch @@ -0,0 +1,59 @@ +From e9649129d33dca561305fc590a7c4ba8c3e5675a Mon Sep 17 00:00:00 2001 +From: Kunkun Jiang +Date: Thu, 7 Nov 2024 13:41:36 -0800 +Subject: KVM: arm64: vgic-its: Clear DTE when MAPD unmaps a device + +From: Kunkun Jiang + +commit e9649129d33dca561305fc590a7c4ba8c3e5675a upstream. + +vgic_its_save_device_tables will traverse its->device_list to +save DTE for each device. vgic_its_restore_device_tables will +traverse each entry of device table and check if it is valid. +Restore if valid. + +But when MAPD unmaps a device, it does not invalidate the +corresponding DTE. In the scenario of continuous saves +and restores, there may be a situation where a device's DTE +is not saved but is restored. This is unreasonable and may +cause restore to fail. This patch clears the corresponding +DTE when MAPD unmaps a device. + +Cc: stable@vger.kernel.org +Fixes: 57a9a117154c ("KVM: arm64: vgic-its: Device table save/restore") +Co-developed-by: Shusen Li +Signed-off-by: Shusen Li +Signed-off-by: Kunkun Jiang +[Jing: Update with entry write helper] +Signed-off-by: Jing Zhang +Link: https://lore.kernel.org/r/20241107214137.428439-5-jingzhangos@google.com +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-its.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -1143,9 +1143,11 @@ static int vgic_its_cmd_handle_mapd(stru + bool valid = its_cmd_get_validbit(its_cmd); + u8 num_eventid_bits = its_cmd_get_size(its_cmd); + gpa_t itt_addr = its_cmd_get_ittaddr(its_cmd); ++ int dte_esz = vgic_its_get_abi(its)->dte_esz; + struct its_device *device; ++ gpa_t gpa; + +- if (!vgic_its_check_id(its, its->baser_device_table, device_id, NULL)) ++ if (!vgic_its_check_id(its, its->baser_device_table, device_id, &gpa)) + return E_ITS_MAPD_DEVICE_OOR; + + if (valid && num_eventid_bits > VITS_TYPER_IDBITS) +@@ -1166,7 +1168,7 @@ static int vgic_its_cmd_handle_mapd(stru + * is an error, so we are done in any case. + */ + if (!valid) +- return 0; ++ return vgic_its_write_entry_lock(its, gpa, 0, dte_esz); + + device = vgic_its_alloc_device(its, device_id, itt_addr, + num_eventid_bits); diff --git a/queue-6.12/kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch b/queue-6.12/kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch new file mode 100644 index 00000000000..3253e329518 --- /dev/null +++ b/queue-6.12/kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch @@ -0,0 +1,50 @@ +From 7602ffd1d5e8927fadd5187cb4aed2fdc9c47143 Mon Sep 17 00:00:00 2001 +From: Kunkun Jiang +Date: Thu, 7 Nov 2024 13:41:37 -0800 +Subject: KVM: arm64: vgic-its: Clear ITE when DISCARD frees an ITE + +From: Kunkun Jiang + +commit 7602ffd1d5e8927fadd5187cb4aed2fdc9c47143 upstream. + +When DISCARD frees an ITE, it does not invalidate the +corresponding ITE. In the scenario of continuous saves and +restores, there may be a situation where an ITE is not saved +but is restored. This is unreasonable and may cause restore +to fail. This patch clears the corresponding ITE when DISCARD +frees an ITE. + +Cc: stable@vger.kernel.org +Fixes: eff484e0298d ("KVM: arm64: vgic-its: ITT save and restore") +Signed-off-by: Kunkun Jiang +[Jing: Update with entry write helper] +Signed-off-by: Jing Zhang +Link: https://lore.kernel.org/r/20241107214137.428439-6-jingzhangos@google.com +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-its.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kvm/vgic/vgic-its.c ++++ b/arch/arm64/kvm/vgic/vgic-its.c +@@ -782,6 +782,9 @@ static int vgic_its_cmd_handle_discard(s + + ite = find_ite(its, device_id, event_id); + if (ite && its_is_collection_mapped(ite->collection)) { ++ struct its_device *device = find_its_device(its, device_id); ++ int ite_esz = vgic_its_get_abi(its)->ite_esz; ++ gpa_t gpa = device->itt_addr + ite->event_id * ite_esz; + /* + * Though the spec talks about removing the pending state, we + * don't bother here since we clear the ITTE anyway and the +@@ -790,7 +793,8 @@ static int vgic_its_cmd_handle_discard(s + vgic_its_invalidate_cache(its); + + its_free_ite(kvm, ite); +- return 0; ++ ++ return vgic_its_write_entry_lock(its, gpa, 0, ite_esz); + } + + return E_ITS_DISCARD_UNMAPPED_INTERRUPT; diff --git a/queue-6.12/kvm-arm64-vgic-v3-sanitise-guest-writes-to-gicr_invlpir.patch b/queue-6.12/kvm-arm64-vgic-v3-sanitise-guest-writes-to-gicr_invlpir.patch new file mode 100644 index 00000000000..75b8319a4d3 --- /dev/null +++ b/queue-6.12/kvm-arm64-vgic-v3-sanitise-guest-writes-to-gicr_invlpir.patch @@ -0,0 +1,49 @@ +From d561491ba927cb5634094ff311795e9d618e9b86 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Sun, 17 Nov 2024 16:57:54 +0000 +Subject: KVM: arm64: vgic-v3: Sanitise guest writes to GICR_INVLPIR + +From: Marc Zyngier + +commit d561491ba927cb5634094ff311795e9d618e9b86 upstream. + +Make sure we filter out non-LPI invalidation when handling writes +to GICR_INVLPIR. + +Fixes: 4645d11f4a553 ("KVM: arm64: vgic-v3: Implement MMIO-based LPI invalidation") +Reported-by: Alexander Potapenko +Tested-by: Alexander Potapenko +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20241117165757.247686-2-maz@kernel.org +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/vgic/vgic-mmio-v3.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c ++++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c +@@ -530,6 +530,7 @@ static void vgic_mmio_write_invlpi(struc + unsigned long val) + { + struct vgic_irq *irq; ++ u32 intid; + + /* + * If the guest wrote only to the upper 32bit part of the +@@ -541,9 +542,13 @@ static void vgic_mmio_write_invlpi(struc + if ((addr & 4) || !vgic_lpis_enabled(vcpu)) + return; + ++ intid = lower_32_bits(val); ++ if (intid < VGIC_MIN_LPI) ++ return; ++ + vgic_set_rdist_busy(vcpu, true); + +- irq = vgic_get_irq(vcpu->kvm, NULL, lower_32_bits(val)); ++ irq = vgic_get_irq(vcpu->kvm, NULL, intid); + if (irq) { + vgic_its_inv_lpi(vcpu->kvm, irq); + vgic_put_irq(vcpu->kvm, irq); diff --git a/queue-6.12/kvm-x86-add-back-x86_local_apic-dependency.patch b/queue-6.12/kvm-x86-add-back-x86_local_apic-dependency.patch new file mode 100644 index 00000000000..4bace0a5cd7 --- /dev/null +++ b/queue-6.12/kvm-x86-add-back-x86_local_apic-dependency.patch @@ -0,0 +1,64 @@ +From 1331343af6f502aecd274d522dd34bf7c965f484 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 18 Nov 2024 09:20:01 -0800 +Subject: KVM: x86: add back X86_LOCAL_APIC dependency + +From: Arnd Bergmann + +commit 1331343af6f502aecd274d522dd34bf7c965f484 upstream. + +Enabling KVM now causes a build failure on x86-32 if X86_LOCAL_APIC +is disabled: + +arch/x86/kvm/svm/svm.c: In function 'svm_emergency_disable_virtualization_cpu': +arch/x86/kvm/svm/svm.c:597:9: error: 'kvm_rebooting' undeclared (first use in this function); did you mean 'kvm_irq_routing'? + 597 | kvm_rebooting = true; + | ^~~~~~~~~~~~~ + | kvm_irq_routing +arch/x86/kvm/svm/svm.c:597:9: note: each undeclared identifier is reported only once for each function it appears in +make[6]: *** [scripts/Makefile.build:221: arch/x86/kvm/svm/svm.o] Error 1 +In file included from include/linux/rculist.h:11, + from include/linux/hashtable.h:14, + from arch/x86/kvm/svm/avic.c:18: +arch/x86/kvm/svm/avic.c: In function 'avic_pi_update_irte': +arch/x86/kvm/svm/avic.c:909:38: error: 'struct kvm' has no member named 'irq_routing' + 909 | irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu); + | ^~ +include/linux/rcupdate.h:538:17: note: in definition of macro '__rcu_dereference_check' + 538 | typeof(*p) *local = (typeof(*p) *__force)READ_ONCE(p); \ + +Move the dependency to the same place as before. + +Fixes: ea4290d77bda ("KVM: x86: leave kvm.ko out of the build if no vendor module is requested") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202410060426.e9Xsnkvi-lkp@intel.com/ +Signed-off-by: Arnd Bergmann +Acked-by: Sean Christopherson +[sean: add Cc to stable, tweak shortlog scope] +Signed-off-by: Sean Christopherson +Message-ID: <20241118172002.1633824-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/Kconfig ++++ b/arch/x86/kvm/Kconfig +@@ -19,7 +19,6 @@ if VIRTUALIZATION + + config KVM_X86 + def_tristate KVM if KVM_INTEL || KVM_AMD +- depends on X86_LOCAL_APIC + select KVM_COMMON + select KVM_GENERIC_MMU_NOTIFIER + select HAVE_KVM_IRQCHIP +@@ -50,6 +49,7 @@ config KVM_X86 + + config KVM + tristate "Kernel-based Virtual Machine (KVM) support" ++ depends on X86_LOCAL_APIC + help + Support hosting fully virtualized guest machines using hardware + virtualization extensions. You will need a fairly recent diff --git a/queue-6.12/kvm-x86-break-config_kvm_x86-s-direct-dependency-on-kvm_intel-kvm_amd.patch b/queue-6.12/kvm-x86-break-config_kvm_x86-s-direct-dependency-on-kvm_intel-kvm_amd.patch new file mode 100644 index 00000000000..3cbcf142138 --- /dev/null +++ b/queue-6.12/kvm-x86-break-config_kvm_x86-s-direct-dependency-on-kvm_intel-kvm_amd.patch @@ -0,0 +1,43 @@ +From 9ee62c33c0fe017ee02501a877f6f562363122fa Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Mon, 18 Nov 2024 09:20:02 -0800 +Subject: KVM: x86: Break CONFIG_KVM_X86's direct dependency on KVM_INTEL || KVM_AMD + +From: Sean Christopherson + +commit 9ee62c33c0fe017ee02501a877f6f562363122fa upstream. + +Rework CONFIG_KVM_X86's dependency to only check if KVM_INTEL or KVM_AMD +is selected, i.e. not 'n'. Having KVM_X86 depend directly on the vendor +modules results in KVM_X86 being set to 'm' if at least one of KVM_INTEL +or KVM_AMD is enabled, but neither is 'y', regardless of the value of KVM +itself. + +The documentation for def_tristate doesn't explicitly state that this is +the intended behavior, but it does clearly state that the "if" section is +parsed as a dependency, i.e. the behavior is consistent with how tristate +dependencies are handled in general. + + Optionally dependencies for this default value can be added with "if". + +Fixes: ea4290d77bda ("KVM: x86: leave kvm.ko out of the build if no vendor module is requested") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20241118172002.1633824-3-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/Kconfig ++++ b/arch/x86/kvm/Kconfig +@@ -18,7 +18,7 @@ menuconfig VIRTUALIZATION + if VIRTUALIZATION + + config KVM_X86 +- def_tristate KVM if KVM_INTEL || KVM_AMD ++ def_tristate KVM if (KVM_INTEL != n || KVM_AMD != n) + select KVM_COMMON + select KVM_GENERIC_MMU_NOTIFIER + select HAVE_KVM_IRQCHIP diff --git a/queue-6.12/kvm-x86-mmu-skip-the-try-unsync-path-iff-the-old-spte-was-a-leaf-spte.patch b/queue-6.12/kvm-x86-mmu-skip-the-try-unsync-path-iff-the-old-spte-was-a-leaf-spte.patch new file mode 100644 index 00000000000..283b8e62d89 --- /dev/null +++ b/queue-6.12/kvm-x86-mmu-skip-the-try-unsync-path-iff-the-old-spte-was-a-leaf-spte.patch @@ -0,0 +1,66 @@ +From 2867eb782cf7f64c2ac427596133b6f9c3f64b7a Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 10 Oct 2024 11:23:06 -0700 +Subject: KVM: x86/mmu: Skip the "try unsync" path iff the old SPTE was a leaf SPTE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 2867eb782cf7f64c2ac427596133b6f9c3f64b7a upstream. + +Apply make_spte()'s optimization to skip trying to unsync shadow pages if +and only if the old SPTE was a leaf SPTE, as non-leaf SPTEs in direct MMUs +are always writable, i.e. could trigger a false positive and incorrectly +lead to KVM creating a SPTE without write-protecting or marking shadow +pages unsync. + +This bug only affects the TDP MMU, as the shadow MMU only overwrites a +shadow-present SPTE when synchronizing SPTEs (and only 4KiB SPTEs can be +unsync). Specifically, mmu_set_spte() drops any non-leaf SPTEs *before* +calling make_spte(), whereas the TDP MMU can do a direct replacement of a +page table with the leaf SPTE. + +Opportunistically update the comment to explain why skipping the unsync +stuff is safe, as opposed to simply saying "it's someone else's problem". + +Cc: stable@vger.kernel.org +Tested-by: Alex Bennée +Signed-off-by: Sean Christopherson +Tested-by: Dmitry Osipenko +Signed-off-by: Paolo Bonzini +Message-ID: <20241010182427.1434605-5-seanjc@google.com> +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu/spte.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/mmu/spte.c ++++ b/arch/x86/kvm/mmu/spte.c +@@ -226,12 +226,20 @@ bool make_spte(struct kvm_vcpu *vcpu, st + spte |= PT_WRITABLE_MASK | shadow_mmu_writable_mask; + + /* +- * Optimization: for pte sync, if spte was writable the hash +- * lookup is unnecessary (and expensive). Write protection +- * is responsibility of kvm_mmu_get_page / kvm_mmu_sync_roots. +- * Same reasoning can be applied to dirty page accounting. ++ * When overwriting an existing leaf SPTE, and the old SPTE was ++ * writable, skip trying to unsync shadow pages as any relevant ++ * shadow pages must already be unsync, i.e. the hash lookup is ++ * unnecessary (and expensive). ++ * ++ * The same reasoning applies to dirty page/folio accounting; ++ * KVM will mark the folio dirty using the old SPTE, thus ++ * there's no need to immediately mark the new SPTE as dirty. ++ * ++ * Note, both cases rely on KVM not changing PFNs without first ++ * zapping the old SPTE, which is guaranteed by both the shadow ++ * MMU and the TDP MMU. + */ +- if (is_writable_pte(old_spte)) ++ if (is_last_spte(old_spte, level) && is_writable_pte(old_spte)) + goto out; + + /* diff --git a/queue-6.12/kvm-x86-switch-hugepage-recovery-thread-to-vhost_task.patch b/queue-6.12/kvm-x86-switch-hugepage-recovery-thread-to-vhost_task.patch new file mode 100644 index 00000000000..b3d6629f6c3 --- /dev/null +++ b/queue-6.12/kvm-x86-switch-hugepage-recovery-thread-to-vhost_task.patch @@ -0,0 +1,334 @@ +From d96c77bd4eeba469bddbbb14323d2191684da82a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 8 Nov 2024 04:56:31 -0500 +Subject: KVM: x86: switch hugepage recovery thread to vhost_task + +From: Paolo Bonzini + +commit d96c77bd4eeba469bddbbb14323d2191684da82a upstream. + +kvm_vm_create_worker_thread() is meant to be used for kthreads that +can consume significant amounts of CPU time on behalf of a VM or in +response to how the VM behaves (for example how it accesses its memory). +Therefore it wants to charge the CPU time consumed by that work to +the VM's container. + +However, because of these threads, cgroups which have kvm instances +inside never complete freezing. This can be trivially reproduced: + + root@test ~# mkdir /sys/fs/cgroup/test + root@test ~# echo $$ > /sys/fs/cgroup/test/cgroup.procs + root@test ~# qemu-system-x86_64 -nographic -enable-kvm + +and in another terminal: + + root@test ~# echo 1 > /sys/fs/cgroup/test/cgroup.freeze + root@test ~# cat /sys/fs/cgroup/test/cgroup.events + populated 1 + frozen 0 + +The cgroup freezing happens in the signal delivery path but +kvm_nx_huge_page_recovery_worker, while joining non-root cgroups, never +calls into the signal delivery path and thus never gets frozen. Because +the cgroup freezer determines whether a given cgroup is frozen by +comparing the number of frozen threads to the total number of threads +in the cgroup, the cgroup never becomes frozen and users waiting for +the state transition may hang indefinitely. + +Since the worker kthread is tied to a user process, it's better if +it behaves similarly to user tasks as much as possible, including +being able to send SIGSTOP and SIGCONT. In fact, vhost_task is all +that kvm_vm_create_worker_thread() wanted to be and more: not only it +inherits the userspace process's cgroups, it has other niceties like +being parented properly in the process tree. Use it instead of the +homegrown alternative. + +Incidentally, the new code is also better behaved when you flip recovery +back and forth to disabled and back to enabled. If your recovery period +is 1 minute, it will run the next recovery after 1 minute independent +of how many times you flipped the parameter. + +(Commit message based on emails from Tejun). + +Reported-by: Tejun Heo +Reported-by: Luca Boccassi +Acked-by: Tejun Heo +Tested-by: Luca Boccassi +Cc: stable@vger.kernel.org +Reviewed-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 4 + + arch/x86/kvm/Kconfig | 1 + arch/x86/kvm/mmu/mmu.c | 68 ++++++++++++-------------- + include/linux/kvm_host.h | 6 -- + virt/kvm/kvm_main.c | 103 ---------------------------------------- + 5 files changed, 35 insertions(+), 147 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1443,7 +1444,8 @@ struct kvm_arch { + bool sgx_provisioning_allowed; + + struct kvm_x86_pmu_event_filter __rcu *pmu_event_filter; +- struct task_struct *nx_huge_page_recovery_thread; ++ struct vhost_task *nx_huge_page_recovery_thread; ++ u64 nx_huge_page_last; + + #ifdef CONFIG_X86_64 + /* The number of TDP MMU pages across all roots. */ +--- a/arch/x86/kvm/Kconfig ++++ b/arch/x86/kvm/Kconfig +@@ -29,6 +29,7 @@ config KVM_X86 + select HAVE_KVM_IRQ_BYPASS + select HAVE_KVM_IRQ_ROUTING + select HAVE_KVM_READONLY_MEM ++ select VHOST_TASK + select KVM_ASYNC_PF + select USER_RETURN_NOTIFIER + select KVM_MMIO +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -7281,7 +7281,7 @@ static int set_nx_huge_pages(const char + kvm_mmu_zap_all_fast(kvm); + mutex_unlock(&kvm->slots_lock); + +- wake_up_process(kvm->arch.nx_huge_page_recovery_thread); ++ vhost_task_wake(kvm->arch.nx_huge_page_recovery_thread); + } + mutex_unlock(&kvm_lock); + } +@@ -7427,7 +7427,7 @@ static int set_nx_huge_pages_recovery_pa + mutex_lock(&kvm_lock); + + list_for_each_entry(kvm, &vm_list, vm_list) +- wake_up_process(kvm->arch.nx_huge_page_recovery_thread); ++ vhost_task_wake(kvm->arch.nx_huge_page_recovery_thread); + + mutex_unlock(&kvm_lock); + } +@@ -7530,62 +7530,56 @@ static void kvm_recover_nx_huge_pages(st + srcu_read_unlock(&kvm->srcu, rcu_idx); + } + +-static long get_nx_huge_page_recovery_timeout(u64 start_time) ++static void kvm_nx_huge_page_recovery_worker_kill(void *data) + { +- bool enabled; +- uint period; +- +- enabled = calc_nx_huge_pages_recovery_period(&period); +- +- return enabled ? start_time + msecs_to_jiffies(period) - get_jiffies_64() +- : MAX_SCHEDULE_TIMEOUT; + } + +-static int kvm_nx_huge_page_recovery_worker(struct kvm *kvm, uintptr_t data) ++static bool kvm_nx_huge_page_recovery_worker(void *data) + { +- u64 start_time; ++ struct kvm *kvm = data; ++ bool enabled; ++ uint period; + long remaining_time; + +- while (true) { +- start_time = get_jiffies_64(); +- remaining_time = get_nx_huge_page_recovery_timeout(start_time); +- +- set_current_state(TASK_INTERRUPTIBLE); +- while (!kthread_should_stop() && remaining_time > 0) { +- schedule_timeout(remaining_time); +- remaining_time = get_nx_huge_page_recovery_timeout(start_time); +- set_current_state(TASK_INTERRUPTIBLE); +- } +- +- set_current_state(TASK_RUNNING); +- +- if (kthread_should_stop()) +- return 0; ++ enabled = calc_nx_huge_pages_recovery_period(&period); ++ if (!enabled) ++ return false; + +- kvm_recover_nx_huge_pages(kvm); ++ remaining_time = kvm->arch.nx_huge_page_last + msecs_to_jiffies(period) ++ - get_jiffies_64(); ++ if (remaining_time > 0) { ++ schedule_timeout(remaining_time); ++ /* check for signals and come back */ ++ return true; + } ++ ++ __set_current_state(TASK_RUNNING); ++ kvm_recover_nx_huge_pages(kvm); ++ kvm->arch.nx_huge_page_last = get_jiffies_64(); ++ return true; + } + + int kvm_mmu_post_init_vm(struct kvm *kvm) + { +- int err; +- + if (nx_hugepage_mitigation_hard_disabled) + return 0; + +- err = kvm_vm_create_worker_thread(kvm, kvm_nx_huge_page_recovery_worker, 0, +- "kvm-nx-lpage-recovery", +- &kvm->arch.nx_huge_page_recovery_thread); +- if (!err) +- kthread_unpark(kvm->arch.nx_huge_page_recovery_thread); ++ kvm->arch.nx_huge_page_last = get_jiffies_64(); ++ kvm->arch.nx_huge_page_recovery_thread = vhost_task_create( ++ kvm_nx_huge_page_recovery_worker, kvm_nx_huge_page_recovery_worker_kill, ++ kvm, "kvm-nx-lpage-recovery"); + +- return err; ++ if (!kvm->arch.nx_huge_page_recovery_thread) ++ return -ENOMEM; ++ ++ vhost_task_start(kvm->arch.nx_huge_page_recovery_thread); ++ return 0; + } + + void kvm_mmu_pre_destroy_vm(struct kvm *kvm) + { + if (kvm->arch.nx_huge_page_recovery_thread) +- kthread_stop(kvm->arch.nx_huge_page_recovery_thread); ++ vhost_task_stop(kvm->arch.nx_huge_page_recovery_thread); + } + + #ifdef CONFIG_KVM_GENERIC_MEMORY_ATTRIBUTES +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -2382,12 +2382,6 @@ static inline int kvm_arch_vcpu_run_pid_ + } + #endif /* CONFIG_HAVE_KVM_VCPU_RUN_PID_CHANGE */ + +-typedef int (*kvm_vm_thread_fn_t)(struct kvm *kvm, uintptr_t data); +- +-int kvm_vm_create_worker_thread(struct kvm *kvm, kvm_vm_thread_fn_t thread_fn, +- uintptr_t data, const char *name, +- struct task_struct **thread_ptr); +- + #ifdef CONFIG_KVM_XFER_TO_GUEST_WORK + static inline void kvm_handle_signal_exit(struct kvm_vcpu *vcpu) + { +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -6561,106 +6561,3 @@ void kvm_exit(void) + kvm_irqfd_exit(); + } + EXPORT_SYMBOL_GPL(kvm_exit); +- +-struct kvm_vm_worker_thread_context { +- struct kvm *kvm; +- struct task_struct *parent; +- struct completion init_done; +- kvm_vm_thread_fn_t thread_fn; +- uintptr_t data; +- int err; +-}; +- +-static int kvm_vm_worker_thread(void *context) +-{ +- /* +- * The init_context is allocated on the stack of the parent thread, so +- * we have to locally copy anything that is needed beyond initialization +- */ +- struct kvm_vm_worker_thread_context *init_context = context; +- struct task_struct *parent; +- struct kvm *kvm = init_context->kvm; +- kvm_vm_thread_fn_t thread_fn = init_context->thread_fn; +- uintptr_t data = init_context->data; +- int err; +- +- err = kthread_park(current); +- /* kthread_park(current) is never supposed to return an error */ +- WARN_ON(err != 0); +- if (err) +- goto init_complete; +- +- err = cgroup_attach_task_all(init_context->parent, current); +- if (err) { +- kvm_err("%s: cgroup_attach_task_all failed with err %d\n", +- __func__, err); +- goto init_complete; +- } +- +- set_user_nice(current, task_nice(init_context->parent)); +- +-init_complete: +- init_context->err = err; +- complete(&init_context->init_done); +- init_context = NULL; +- +- if (err) +- goto out; +- +- /* Wait to be woken up by the spawner before proceeding. */ +- kthread_parkme(); +- +- if (!kthread_should_stop()) +- err = thread_fn(kvm, data); +- +-out: +- /* +- * Move kthread back to its original cgroup to prevent it lingering in +- * the cgroup of the VM process, after the latter finishes its +- * execution. +- * +- * kthread_stop() waits on the 'exited' completion condition which is +- * set in exit_mm(), via mm_release(), in do_exit(). However, the +- * kthread is removed from the cgroup in the cgroup_exit() which is +- * called after the exit_mm(). This causes the kthread_stop() to return +- * before the kthread actually quits the cgroup. +- */ +- rcu_read_lock(); +- parent = rcu_dereference(current->real_parent); +- get_task_struct(parent); +- rcu_read_unlock(); +- cgroup_attach_task_all(parent, current); +- put_task_struct(parent); +- +- return err; +-} +- +-int kvm_vm_create_worker_thread(struct kvm *kvm, kvm_vm_thread_fn_t thread_fn, +- uintptr_t data, const char *name, +- struct task_struct **thread_ptr) +-{ +- struct kvm_vm_worker_thread_context init_context = {}; +- struct task_struct *thread; +- +- *thread_ptr = NULL; +- init_context.kvm = kvm; +- init_context.parent = current; +- init_context.thread_fn = thread_fn; +- init_context.data = data; +- init_completion(&init_context.init_done); +- +- thread = kthread_run(kvm_vm_worker_thread, &init_context, +- "%s-%d", name, task_pid_nr(current)); +- if (IS_ERR(thread)) +- return PTR_ERR(thread); +- +- /* kthread_run is never supposed to return NULL */ +- WARN_ON(thread == NULL); +- +- wait_for_completion(&init_context.init_done); +- +- if (!init_context.err) +- *thread_ptr = thread; +- +- return init_context.err; +-} diff --git a/queue-6.12/locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch b/queue-6.12/locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch new file mode 100644 index 00000000000..adf86b1c354 --- /dev/null +++ b/queue-6.12/locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch @@ -0,0 +1,46 @@ +From d7fe143cb115076fed0126ad8cf5ba6c3e575e43 Mon Sep 17 00:00:00 2001 +From: Ahmed Ehab +Date: Sun, 25 Aug 2024 01:10:30 +0300 +Subject: locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass() + +From: Ahmed Ehab + +commit d7fe143cb115076fed0126ad8cf5ba6c3e575e43 upstream. + +Syzbot reports a problem that a warning will be triggered while +searching a lock class in look_up_lock_class(). + +The cause of the issue is that a new name is created and used by +lockdep_set_subclass() instead of using the existing one. This results +in a lock instance has a different name pointer than previous registered +one stored in lock class, and WARN_ONCE() is triggered because of that +in look_up_lock_class(). + +To fix this, change lockdep_set_subclass() to use the existing name +instead of a new one. Hence, no new name will be created by +lockdep_set_subclass(). Hence, the warning is avoided. + +[boqun: Reword the commit log to state the correct issue] + +Reported-by: +Fixes: de8f5e4f2dc1f ("lockdep: Introduce wait-type checks") +Cc: stable@vger.kernel.org +Signed-off-by: Ahmed Ehab +Signed-off-by: Boqun Feng +Link: https://lore.kernel.org/lkml/20240824221031.7751-1-bottaawesome633@gmail.com/ +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/lockdep.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/lockdep.h ++++ b/include/linux/lockdep.h +@@ -173,7 +173,7 @@ static inline void lockdep_init_map(stru + (lock)->dep_map.lock_type) + + #define lockdep_set_subclass(lock, sub) \ +- lockdep_init_map_type(&(lock)->dep_map, #lock, (lock)->dep_map.key, sub,\ ++ lockdep_init_map_type(&(lock)->dep_map, (lock)->dep_map.name, (lock)->dep_map.key, sub,\ + (lock)->dep_map.wait_type_inner, \ + (lock)->dep_map.wait_type_outer, \ + (lock)->dep_map.lock_type) diff --git a/queue-6.12/loongarch-explicitly-specify-code-model-in-makefile.patch b/queue-6.12/loongarch-explicitly-specify-code-model-in-makefile.patch new file mode 100644 index 00000000000..a9e4a25b859 --- /dev/null +++ b/queue-6.12/loongarch-explicitly-specify-code-model-in-makefile.patch @@ -0,0 +1,42 @@ +From e67e0eb6a98b261caf45048f9eb95fd7609289c0 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Fri, 22 Nov 2024 15:47:47 +0800 +Subject: LoongArch: Explicitly specify code model in Makefile + +From: Huacai Chen + +commit e67e0eb6a98b261caf45048f9eb95fd7609289c0 upstream. + +LoongArch's toolchain may change the default code model from normal to +medium. This is unnecessary for kernel, and generates some relocations +which cannot be handled by the module loader. So explicitly specify the +code model to normal in Makefile (for Rust 'normal' is 'small'). + +Cc: stable@vger.kernel.org +Tested-by: Haiyong Sun +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/Makefile ++++ b/arch/loongarch/Makefile +@@ -59,7 +59,7 @@ endif + + ifdef CONFIG_64BIT + ld-emul = $(64bit-emul) +-cflags-y += -mabi=lp64s ++cflags-y += -mabi=lp64s -mcmodel=normal + endif + + cflags-y += -pipe $(CC_FLAGS_NO_FPU) +@@ -104,7 +104,7 @@ ifdef CONFIG_OBJTOOL + KBUILD_CFLAGS += -fno-jump-tables + endif + +-KBUILD_RUSTFLAGS += --target=loongarch64-unknown-none-softfloat ++KBUILD_RUSTFLAGS += --target=loongarch64-unknown-none-softfloat -Ccode-model=small + KBUILD_RUSTFLAGS_KERNEL += -Zdirect-access-external-data=yes + KBUILD_RUSTFLAGS_MODULE += -Zdirect-access-external-data=no + diff --git a/queue-6.12/maintainers-update-location-of-media-main-tree.patch b/queue-6.12/maintainers-update-location-of-media-main-tree.patch new file mode 100644 index 00000000000..6d23367cb5e --- /dev/null +++ b/queue-6.12/maintainers-update-location-of-media-main-tree.patch @@ -0,0 +1,1492 @@ +From dc51b3cc9d4d2a04bdbfe34f7746fc9122cc3f49 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Mon, 18 Nov 2024 07:04:18 +0100 +Subject: MAINTAINERS: update location of media main tree + +From: Mauro Carvalho Chehab + +commit dc51b3cc9d4d2a04bdbfe34f7746fc9122cc3f49 upstream. + +There were some recent changes on the way we're handling +media patches. Now, the official tree is located at: + + https://git.linuxtv.org/media.git/ + +Update it at MAINTAINERS file. + +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + MAINTAINERS | 332 ++++++++++++++++++++++++++++++------------------------------ + 1 file changed, 166 insertions(+), 166 deletions(-) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -701,7 +701,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-aimslab* + + AIO +@@ -809,7 +809,7 @@ ALLWINNER A10 CSI DRIVER + M: Maxime Ripard + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/allwinner,sun4i-a10-csi.yaml + F: drivers/media/platform/sunxi/sun4i-csi/ + +@@ -818,7 +818,7 @@ M: Yong Deng + M: Paul Kocialkowski + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/allwinner,sun6i-a31-csi.yaml + F: drivers/media/platform/sunxi/sun6i-csi/ + +@@ -826,7 +826,7 @@ ALLWINNER A31 ISP DRIVER + M: Paul Kocialkowski + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/allwinner,sun6i-a31-isp.yaml + F: drivers/staging/media/sunxi/sun6i-isp/ + F: drivers/staging/media/sunxi/sun6i-isp/uapi/sun6i-isp-config.h +@@ -835,7 +835,7 @@ ALLWINNER A31 MIPI CSI-2 BRIDGE DRIVER + M: Paul Kocialkowski + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/allwinner,sun6i-a31-mipi-csi2.yaml + F: drivers/media/platform/sunxi/sun6i-mipi-csi2/ + +@@ -3348,7 +3348,7 @@ ASAHI KASEI AK7375 LENS VOICE COIL DRIVE + M: Tianshu Qiu + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/asahi-kasei,ak7375.yaml + F: drivers/media/i2c/ak7375.c + +@@ -3765,7 +3765,7 @@ M: Mauro Carvalho Chehab + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-aztech* + + B43 WIRELESS DRIVER +@@ -3857,7 +3857,7 @@ M: Fabien Dessenne + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-cadet* + + CAFE CMOS INTEGRATED CAMERA CONTROLLER DRIVER + L: linux-media@vger.kernel.org + S: Orphan +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/admin-guide/media/cafe_ccic* + F: drivers/media/platform/marvell/ + +@@ -5169,7 +5169,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/chrontel,ch7322.yaml + F: drivers/media/cec/i2c/ch7322.c + +@@ -5582,7 +5582,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Odd Fixes + W: http://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/cs3308.c + + CS5535 Audio ALSA driver +@@ -6057,7 +6057,7 @@ M: Andy Walls + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/pci/cx18/ + F: include/uapi/linux/ivtv* + +@@ -6066,7 +6066,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/common/cx2341x* + F: include/media/drv-intf/cx2341x.h + +@@ -6084,7 +6084,7 @@ M: Mauro Carvalho Chehab + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/allwinner,sun8i-h3-deinterlace.yaml + F: drivers/media/platform/sunxi/sun8i-di/ + +@@ -6447,7 +6447,7 @@ M: Hugues Fruchet + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/dongwoon,dw9714.yaml + F: drivers/media/i2c/dw9714.c + +@@ -6863,13 +6863,13 @@ DONGWOON DW9719 LENS VOICE COIL DRIVER + M: Daniel Scally + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/dw9719.c + + DONGWOON DW9768 LENS VOICE COIL DRIVER + L: linux-media@vger.kernel.org + S: Orphan +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/dongwoon,dw9768.yaml + F: drivers/media/i2c/dw9768.c + +@@ -6877,7 +6877,7 @@ DONGWOON DW9807 LENS VOICE COIL DRIVER + M: Sakari Ailus + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/dongwoon,dw9807-vcm.yaml + F: drivers/media/i2c/dw9807-vcm.c + +@@ -7860,7 +7860,7 @@ DSBR100 USB FM RADIO DRIVER + M: Alexey Klimov + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/dsbr100.c + + DT3155 MEDIA DRIVER +@@ -7868,7 +7868,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Odd Fixes + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/pci/dt3155/ + + DVB_USB_AF9015 MEDIA DRIVER +@@ -7913,7 +7913,7 @@ S: Maintained + W: https://linuxtv.org + W: http://github.com/mkrufky + Q: http://patchwork.linuxtv.org/project/linux-media/list/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/dvb-usb/cxusb* + + DVB_USB_EC168 MEDIA DRIVER +@@ -8282,7 +8282,7 @@ M: Mauro Carvalho Chehab + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/cec/usb/extron-da-hd-4k-plus/ + + EXYNOS DP DRIVER +@@ -9400,7 +9400,7 @@ GALAXYCORE GC2145 SENSOR DRIVER + M: Alain Volmat + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/galaxycore,gc2145.yaml + F: drivers/media/i2c/gc2145.c + +@@ -9448,7 +9448,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-gemtek* + + GENERIC ARCHITECTURE TOPOLOGY +@@ -9830,56 +9830,56 @@ GS1662 VIDEO SERIALIZER + M: Charles-Antoine Couret + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/spi/gs1662.c + + GSPCA FINEPIX SUBDRIVER + M: Frank Zago + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/gspca/finepix.c + + GSPCA GL860 SUBDRIVER + M: Olivier Lorin + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/gspca/gl860/ + + GSPCA M5602 SUBDRIVER + M: Erik Andren + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/gspca/m5602/ + + GSPCA PAC207 SONIXB SUBDRIVER + M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Odd Fixes +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/gspca/pac207.c + + GSPCA SN9C20X SUBDRIVER + M: Brian Johnson + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/gspca/sn9c20x.c + + GSPCA T613 SUBDRIVER + M: Leandro Costantino + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/gspca/t613.c + + GSPCA USB WEBCAM DRIVER + M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Odd Fixes +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/gspca/ + + GTP (GPRS Tunneling Protocol) +@@ -9996,7 +9996,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Odd Fixes + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/hdpvr/ + + HEWLETT PACKARD ENTERPRISE ILO CHIF DRIVER +@@ -10503,7 +10503,7 @@ M: Jean-Christophe Trotin + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/hi556.c + + HYNIX HI846 SENSOR DRIVER +@@ -11502,7 +11502,7 @@ M: Dan Scally + R: Tianshu Qiu + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/userspace-api/media/v4l/pixfmt-srggb10-ipu3.rst + F: drivers/media/pci/intel/ipu3/ + +@@ -11523,7 +11523,7 @@ M: Bingbu Cao + R: Tianshu Qiu + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/admin-guide/media/ipu6-isys.rst + F: drivers/media/pci/intel/ipu6/ + +@@ -12036,7 +12036,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-isa* + + ISAPNP +@@ -12138,7 +12138,7 @@ M: Andy Walls + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/admin-guide/media/ivtv* + F: drivers/media/pci/ivtv/ + F: include/uapi/linux/ivtv* +@@ -12286,7 +12286,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-keene* + + KERNEL AUTOMOUNTER +@@ -13573,7 +13573,7 @@ MA901 MASTERKIT USB FM RADIO DRIVER + M: Alexey Klimov + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-ma901.c + + MAC80211 +@@ -13868,7 +13868,7 @@ MAX2175 SDR TUNER DRIVER + M: Ramesh Shanmugasundaram + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/max2175.txt + F: Documentation/userspace-api/media/drivers/max2175.rst + F: drivers/media/i2c/max2175* +@@ -14048,7 +14048,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-maxiradio* + + MAXLINEAR ETHERNET PHY DRIVER +@@ -14131,7 +14131,7 @@ M: Laurent Pinchart + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/platform/nxp/imx-pxp.[ch] + + MEDIA DRIVERS FOR ASCOT2E +@@ -14149,7 +14149,7 @@ L: linux-media@vger.kernel.org + S: Supported + W: https://linuxtv.org + W: http://netup.tv/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/dvb-frontends/ascot2e* + + MEDIA DRIVERS FOR CXD2099AR CI CONTROLLERS +@@ -14157,7 +14157,7 @@ M: Jasmin Jessich + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/dvb-frontends/cxd2099* + + MEDIA DRIVERS FOR CXD2841ER +@@ -14166,7 +14166,7 @@ L: linux-media@vger.kernel.org + S: Supported + W: https://linuxtv.org + W: http://netup.tv/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/dvb-frontends/cxd2841er* + + MEDIA DRIVERS FOR CXD2880 +@@ -14174,7 +14174,7 @@ M: Yasunari Takiguchi + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/admin-guide/media/imx.rst + F: Documentation/devicetree/bindings/media/imx.txt + F: drivers/staging/media/imx/ +@@ -14204,7 +14204,7 @@ M: Martin Kepplinger + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/admin-guide/media/imx7.rst + F: Documentation/devicetree/bindings/media/nxp,imx-mipi-csi2.yaml + F: Documentation/devicetree/bindings/media/nxp,imx7-csi.yaml +@@ -14219,7 +14219,7 @@ L: linux-media@vger.kernel.org + S: Supported + W: https://linuxtv.org + W: http://netup.tv/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/dvb-frontends/helene* + + MEDIA DRIVERS FOR HORUS3A +@@ -14228,7 +14228,7 @@ L: linux-media@vger.kernel.org + S: Supported + W: https://linuxtv.org + W: http://netup.tv/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/dvb-frontends/horus3a* + + MEDIA DRIVERS FOR LNBH25 +@@ -14237,14 +14237,14 @@ L: linux-media@vger.kernel.org + S: Supported + W: https://linuxtv.org + W: http://netup.tv/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/dvb-frontends/lnbh25* + + MEDIA DRIVERS FOR MXL5XX TUNER DEMODULATORS + L: linux-media@vger.kernel.org + S: Orphan + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/dvb-frontends/mxl5xx* + + MEDIA DRIVERS FOR NETUP PCI UNIVERSAL DVB devices +@@ -14253,7 +14253,7 @@ L: linux-media@vger.kernel.org + S: Supported + W: https://linuxtv.org + W: http://netup.tv/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/pci/netup_unidvb/* + + MEDIA DRIVERS FOR NVIDIA TEGRA - VDE +@@ -14261,7 +14261,7 @@ M: Dmitry Osipenko + L: linux-media@vger.kernel.org + L: linux-tegra@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/nvidia,tegra-vde.yaml + F: drivers/media/platform/nvidia/tegra-vde/ + +@@ -14270,7 +14270,7 @@ M: Jacopo Mondi + L: linux-media@vger.kernel.org + L: linux-renesas-soc@vger.kernel.org + S: Supported +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/renesas,ceu.yaml + F: drivers/media/platform/renesas/renesas-ceu.c + F: include/media/drv-intf/renesas-ceu.h +@@ -14280,7 +14280,7 @@ M: Fabrizio Castro + L: linux-media@vger.kernel.org + S: Supported +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/st,stm32-dcmi.yaml + F: Documentation/devicetree/bindings/media/st,stm32-dcmipp.yaml + F: drivers/media/platform/st/stm32/stm32-dcmi.c +@@ -14357,7 +14357,7 @@ L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org + Q: http://patchwork.kernel.org/project/linux-media/list/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/admin-guide/media/ + F: Documentation/devicetree/bindings/media/ + F: Documentation/driver-api/media/ +@@ -14933,7 +14933,7 @@ L: linux-media@vger.kernel.org + L: linux-amlogic@lists.infradead.org + S: Supported + W: http://linux-meson.com/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/cec/amlogic,meson-gx-ao-cec.yaml + F: drivers/media/cec/platform/meson/ao-cec-g12a.c + F: drivers/media/cec/platform/meson/ao-cec.c +@@ -14943,7 +14943,7 @@ M: Neil Armstrong + L: linux-media@vger.kernel.org + S: Odd Fixes + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-miropcm20* + + MITSUMI MM8013 FG DRIVER +@@ -15709,7 +15709,7 @@ MR800 AVERMEDIA USB FM RADIO DRIVER + M: Alexey Klimov + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-mr800.c + + MRF24J40 IEEE 802.15.4 RADIO DRIVER +@@ -15776,7 +15776,7 @@ MT9M114 ONSEMI SENSOR DRIVER + M: Laurent Pinchart + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/onnn,mt9m114.yaml + F: drivers/media/i2c/mt9m114.c + +@@ -15784,7 +15784,7 @@ MT9P031 APTINA CAMERA SENSOR + M: Laurent Pinchart + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/aptina,mt9p031.yaml + F: drivers/media/i2c/mt9p031.c + F: include/media/i2c/mt9p031.h +@@ -15793,7 +15793,7 @@ MT9T112 APTINA CAMERA SENSOR + M: Jacopo Mondi + L: linux-media@vger.kernel.org + S: Odd Fixes +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/mt9t112.c + F: include/media/i2c/mt9t112.h + +@@ -15801,7 +15801,7 @@ MT9V032 APTINA CAMERA SENSOR + M: Laurent Pinchart + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/mt9v032.txt + F: drivers/media/i2c/mt9v032.c + F: include/media/i2c/mt9v032.h +@@ -15810,7 +15810,7 @@ MT9V111 APTINA CAMERA SENSOR + M: Jacopo Mondi + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/aptina,mt9v111.yaml + F: drivers/media/i2c/mt9v111.c + +@@ -17005,13 +17005,13 @@ OMNIVISION OV01A10 SENSOR DRIVER + M: Bingbu Cao + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/ov01a10.c + + OMNIVISION OV02A10 SENSOR DRIVER + L: linux-media@vger.kernel.org + S: Orphan +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov02a10.yaml + F: drivers/media/i2c/ov02a10.c + +@@ -17019,28 +17019,28 @@ OMNIVISION OV08D10 SENSOR DRIVER + M: Jimmy Su + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/ov08d10.c + + OMNIVISION OV08X40 SENSOR DRIVER + M: Jason Chen + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/ov08x40.c + + OMNIVISION OV13858 SENSOR DRIVER + M: Sakari Ailus + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/ov13858.c + + OMNIVISION OV13B10 SENSOR DRIVER + M: Arec Kao + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/ov13b10.c + + OMNIVISION OV2680 SENSOR DRIVER +@@ -17048,7 +17048,7 @@ M: Rui Miguel Silva + M: Hans de Goede + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov2680.yaml + F: drivers/media/i2c/ov2680.c + +@@ -17056,7 +17056,7 @@ OMNIVISION OV2685 SENSOR DRIVER + M: Shunqian Zheng + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov2685.yaml + F: drivers/media/i2c/ov2685.c + +@@ -17066,14 +17066,14 @@ R: Sakari Ailus + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/ov2740.c + + OMNIVISION OV4689 SENSOR DRIVER + M: Mikhail Rudenko + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov4689.yaml + F: drivers/media/i2c/ov4689.c + +@@ -17081,7 +17081,7 @@ OMNIVISION OV5640 SENSOR DRIVER + M: Steve Longerbeam + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/ov5640.c + + OMNIVISION OV5647 SENSOR DRIVER +@@ -17089,7 +17089,7 @@ M: Dave Stevenson + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov5647.yaml + F: drivers/media/i2c/ov5647.c + +@@ -17097,7 +17097,7 @@ OMNIVISION OV5670 SENSOR DRIVER + M: Sakari Ailus + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov5670.yaml + F: drivers/media/i2c/ov5670.c + +@@ -17105,7 +17105,7 @@ OMNIVISION OV5675 SENSOR DRIVER + M: Sakari Ailus + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov5675.yaml + F: drivers/media/i2c/ov5675.c + +@@ -17113,7 +17113,7 @@ OMNIVISION OV5693 SENSOR DRIVER + M: Daniel Scally + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov5693.yaml + F: drivers/media/i2c/ov5693.c + +@@ -17121,21 +17121,21 @@ OMNIVISION OV5695 SENSOR DRIVER + M: Shunqian Zheng + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/ov5695.c + + OMNIVISION OV64A40 SENSOR DRIVER + M: Jacopo Mondi + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov64a40.yaml + F: drivers/media/i2c/ov64a40.c + + OMNIVISION OV7670 SENSOR DRIVER + L: linux-media@vger.kernel.org + S: Orphan +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ov7670.txt + F: drivers/media/i2c/ov7670.c + +@@ -17143,7 +17143,7 @@ OMNIVISION OV772x SENSOR DRIVER + M: Jacopo Mondi + L: linux-media@vger.kernel.org + S: Odd fixes +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov772x.yaml + F: drivers/media/i2c/ov772x.c + F: include/media/i2c/ov772x.h +@@ -17151,7 +17151,7 @@ F: include/media/i2c/ov772x.h + OMNIVISION OV7740 SENSOR DRIVER + L: linux-media@vger.kernel.org + S: Orphan +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ov7740.txt + F: drivers/media/i2c/ov7740.c + +@@ -17159,7 +17159,7 @@ OMNIVISION OV8856 SENSOR DRIVER + M: Sakari Ailus + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov8856.yaml + F: drivers/media/i2c/ov8856.c + +@@ -17168,7 +17168,7 @@ M: Jacopo Mondi + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov8858.yaml + F: drivers/media/i2c/ov8858.c + +@@ -17176,7 +17176,7 @@ OMNIVISION OV9282 SENSOR DRIVER + M: Dave Stevenson + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ovti,ov9282.yaml + F: drivers/media/i2c/ov9282.c + +@@ -17192,7 +17192,7 @@ R: Akinobu Mita + R: Sylwester Nawrocki + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/ov9650.txt + F: drivers/media/i2c/ov9650.c + +@@ -17201,7 +17201,7 @@ M: Tianshu Qiu + R: Bingbu Cao + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/ov9734.c + + ONBOARD USB HUB DRIVER +@@ -18646,7 +18646,7 @@ PULSE8-CEC DRIVER + M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/cec/usb/pulse8/ + + PURELIFI PLFXLC DRIVER +@@ -18661,7 +18661,7 @@ L: pvrusb2@isely.net (subscribers-only) + L: linux-media@vger.kernel.org + S: Maintained + W: http://www.isely.net/pvrusb2/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/driver-api/media/drivers/pvrusb2* + F: drivers/media/usb/pvrusb2/ + +@@ -18669,7 +18669,7 @@ PWC WEBCAM DRIVER + M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Odd Fixes +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/pwc/* + F: include/trace/events/pwc.h + +@@ -19173,7 +19173,7 @@ R: Bryan O'Donoghue + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-shark.c + + RADIOSHARK2 RADIO DRIVER + M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-shark2.c + F: drivers/media/radio/radio-tea5777.c + +@@ -19249,7 +19249,7 @@ RAINSHADOW-CEC DRIVER + M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/cec/usb/rainshadow/ + + RALINK MIPS ARCHITECTURE +@@ -19333,7 +19333,7 @@ M: Sean Young + L: linux-media@vger.kernel.org + S: Maintained + W: http://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/driver-api/media/rc-core.rst + F: Documentation/userspace-api/media/rc/ + F: drivers/media/rc/ +@@ -20077,7 +20077,7 @@ ROTATION DRIVER FOR ALLWINNER A83T + M: Jernej Skrabec + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/allwinner,sun8i-a83t-de2-rotate.yaml + F: drivers/media/platform/sunxi/sun8i-rotate/ + +@@ -20331,7 +20331,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Odd Fixes + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/saa6588* + + SAA7134 VIDEO4LINUX DRIVER +@@ -20339,7 +20339,7 @@ M: Mauro Carvalho Chehab + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/common/saa7146/ + F: drivers/media/pci/saa7146/ + F: include/media/drv-intf/saa7146* +@@ -20965,7 +20965,7 @@ SHARP RJ54N1CB0C SENSOR DRIVER + M: Jacopo Mondi + L: linux-media@vger.kernel.org + S: Odd fixes +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/rj54n1cb0c.c + F: include/media/i2c/rj54n1cb0c.h + +@@ -21015,7 +21015,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Odd Fixes + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/silabs,si470x.yaml + F: drivers/media/radio/si470x/radio-si470x-i2c.c + +@@ -21024,7 +21024,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/si470x/radio-si470x-common.c + F: drivers/media/radio/si470x/radio-si470x-usb.c + F: drivers/media/radio/si470x/radio-si470x.h +@@ -21034,7 +21034,7 @@ M: Eduardo Valentin + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/si4713/radio-usb-si4713.c + + SIANO DVB DRIVER +@@ -21058,7 +21058,7 @@ M: Mauro Carvalho Chehab + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/imx208.c + + SONY IMX214 SENSOR DRIVER + M: Ricardo Ribalda + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx214.yaml + F: drivers/media/i2c/imx214.c + +@@ -21449,7 +21449,7 @@ SONY IMX219 SENSOR DRIVER + M: Dave Stevenson + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/imx219.yaml + F: drivers/media/i2c/imx219.c + +@@ -21457,7 +21457,7 @@ SONY IMX258 SENSOR DRIVER + M: Sakari Ailus + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx258.yaml + F: drivers/media/i2c/imx258.c + +@@ -21465,7 +21465,7 @@ SONY IMX274 SENSOR DRIVER + M: Leon Luo + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx274.yaml + F: drivers/media/i2c/imx274.c + +@@ -21474,7 +21474,7 @@ M: Kieran Bingham + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx283.yaml + F: drivers/media/i2c/imx283.c + +@@ -21482,7 +21482,7 @@ SONY IMX290 SENSOR DRIVER + M: Manivannan Sadhasivam + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx290.yaml + F: drivers/media/i2c/imx290.c + +@@ -21491,7 +21491,7 @@ M: Laurent Pinchart + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx296.yaml + F: drivers/media/i2c/imx296.c + +@@ -21499,20 +21499,20 @@ SONY IMX319 SENSOR DRIVER + M: Bingbu Cao + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/imx319.c + + SONY IMX334 SENSOR DRIVER + L: linux-media@vger.kernel.org + S: Orphan +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx334.yaml + F: drivers/media/i2c/imx334.c + + SONY IMX335 SENSOR DRIVER + L: linux-media@vger.kernel.org + S: Orphan +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx335.yaml + F: drivers/media/i2c/imx335.c + +@@ -21520,13 +21520,13 @@ SONY IMX355 SENSOR DRIVER + M: Tianshu Qiu + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/imx355.c + + SONY IMX412 SENSOR DRIVER + L: linux-media@vger.kernel.org + S: Orphan +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx412.yaml + F: drivers/media/i2c/imx412.c + +@@ -21534,7 +21534,7 @@ SONY IMX415 SENSOR DRIVER + M: Michael Riesch + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/sony,imx415.yaml + F: drivers/media/i2c/imx415.c + +@@ -21823,7 +21823,7 @@ M: Benjamin Mugnier + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml + F: drivers/media/i2c/st-mipid02.c + +@@ -21859,7 +21859,7 @@ M: Benjamin Mugnier + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/st,st-vgxy61.yaml + F: Documentation/userspace-api/media/drivers/vgxy61.rst + F: drivers/media/i2c/vgxy61.c +@@ -22149,7 +22149,7 @@ STK1160 USB VIDEO CAPTURE DRIVER + M: Ezequiel Garcia + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/usb/stk1160/ + + STM32 AUDIO (ASoC) DRIVERS +@@ -22586,7 +22586,7 @@ L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org + Q: http://patchwork.linuxtv.org/project/linux-media/list/ +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/tuners/tda18250* + + TDA18271 MEDIA DRIVER +@@ -22632,7 +22632,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/tda9840* + + TEA5761 TUNER DRIVER +@@ -22640,7 +22640,7 @@ M: Mauro Carvalho Chehab + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/tea6415c* + + TEA6420 MEDIA DRIVER +@@ -22664,7 +22664,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/i2c/tea6420* + + TEAM DRIVER +@@ -22952,7 +22952,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/radio/radio-raremono.c + + THERMAL +@@ -23028,7 +23028,7 @@ M: Laurent Pinchart + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/i2c/thine,thp7312.yaml + F: Documentation/userspace-api/media/drivers/thp7312.rst + F: drivers/media/i2c/thp7312.c +@@ -23615,7 +23615,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Odd Fixes + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/pci/tw68/ + + TW686X VIDEO4LINUX DRIVER +@@ -23623,7 +23623,7 @@ M: Ezequiel Garcia + L: linux-media@vger.kernel.org + S: Maintained +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/v4l2-core/v4l2-async.c + F: drivers/media/v4l2-core/v4l2-fwnode.c + F: include/media/v4l2-async.h +@@ -24378,7 +24378,7 @@ M: Hans Verkuil + L: linux-media@vger.kernel.org + S: Maintained + W: https://linuxtv.org +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: drivers/media/test-drivers/vivid/* + + VM SOCKETS (AF_VSOCK) +@@ -25217,7 +25217,7 @@ M: Mauro Carvalho Chehab + L: linux-media@vger.kernel.org + S: Supported +-T: git git://linuxtv.org/media_tree.git ++T: git git://linuxtv.org/media.git + F: Documentation/devicetree/bindings/media/xilinx/ + F: drivers/media/platform/xilinx/ + F: include/uapi/linux/xilinx-v4l2-controls.h diff --git a/queue-6.12/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch b/queue-6.12/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch new file mode 100644 index 00000000000..010ff556c78 --- /dev/null +++ b/queue-6.12/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch @@ -0,0 +1,129 @@ +From c7acef99642b763ba585f4a43af999fcdbcc3dc4 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 10 Oct 2024 19:10:34 +0200 +Subject: PCI: Fix use-after-free of slot->bus on hot remove + +From: Lukas Wunner + +commit c7acef99642b763ba585f4a43af999fcdbcc3dc4 upstream. + +Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock. + +Since commit 0fc70886569c ("thunderbolt: Reset USB4 v2 host router") and +commit 59a54c5f3dbd ("thunderbolt: Reset topology created by the boot +firmware"), USB4 v2 and v1 Host Routers are reset on probe of the +thunderbolt driver. + +The reset clears the Presence Detect State and Data Link Layer Link Active +bits at the USB4 Host Router's Root Port and thus causes hot removal of the +dock. + +The crash occurs when pciehp is unbound from one of the dock's Downstream +Ports: pciehp creates a pci_slot on bind and destroys it on unbind. The +pci_slot contains a pointer to the pci_bus below the Downstream Port, but +a reference on that pci_bus is never acquired. The pci_bus is destroyed +before the pci_slot, so a use-after-free ensues when pci_slot_release() +accesses slot->bus. + +In principle this should not happen because pci_stop_bus_device() unbinds +pciehp (and therefore destroys the pci_slot) before the pci_bus is +destroyed by pci_remove_bus_device(). + +However the stacktrace provided by Dennis shows that pciehp is unbound from +pci_remove_bus_device() instead of pci_stop_bus_device(). To understand +the significance of this, one needs to know that the PCI core uses a two +step process to remove a portion of the hierarchy: It first unbinds all +drivers in the sub-hierarchy in pci_stop_bus_device() and then actually +removes the devices in pci_remove_bus_device(). There is no precaution to +prevent driver binding in-between pci_stop_bus_device() and +pci_remove_bus_device(). + +In Dennis' case, it seems removal of the hierarchy by pciehp races with +driver binding by pci_bus_add_devices(). pciehp is bound to the +Downstream Port after pci_stop_bus_device() has run, so it is unbound by +pci_remove_bus_device() instead of pci_stop_bus_device(). Because the +pci_bus has already been destroyed at that point, accesses to it result in +a use-after-free. + +One might conclude that driver binding needs to be prevented after +pci_stop_bus_device() has run. However it seems risky that pci_slot points +to pci_bus without holding a reference. Solely relying on correct ordering +of driver unbind versus pci_bus destruction is certainly not defensive +programming. + +If pci_slot has a need to access data in pci_bus, it ought to acquire a +reference. Amend pci_create_slot() accordingly. Dennis reports that the +crash is not reproducible with this change. + +Abridged stacktrace: + + pcieport 0000:00:07.0: PME: Signaling with IRQ 156 + pcieport 0000:00:07.0: pciehp: Slot #12 AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug+ Surprise+ Interlock- NoCompl+ IbPresDis- LLActRep+ + pci_bus 0000:20: dev 00, created physical slot 12 + pcieport 0000:00:07.0: pciehp: Slot(12): Card not present + ... + pcieport 0000:21:02.0: pciehp: pcie_disable_notification: SLOTCTRL d8 write cmd 0 + Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI + CPU: 13 UID: 0 PID: 134 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #1 + RIP: 0010:dev_driver_string+0x12/0x40 + pci_destroy_slot + pciehp_remove + pcie_port_remove_service + device_release_driver_internal + bus_remove_device + device_del + device_unregister + remove_iter + device_for_each_child + pcie_portdrv_remove + pci_device_remove + device_release_driver_internal + bus_remove_device + device_del + pci_remove_bus_device (recursive invocation) + pci_remove_bus_device + pciehp_unconfigure_device + pciehp_disable_slot + pciehp_handle_presence_or_link_change + pciehp_ist + +Link: https://lore.kernel.org/r/4bfd4c0e976c1776cd08e76603903b338cf25729.1728579288.git.lukas@wunner.de +Reported-by: Dennis Wassenberg +Closes: https://lore.kernel.org/r/6de4b45ff2b32dd91a805ec02ec8ec73ef411bf6.camel@secunet.com/ +Tested-by: Dennis Wassenberg +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mika Westerberg +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/slot.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pci/slot.c ++++ b/drivers/pci/slot.c +@@ -79,6 +79,7 @@ static void pci_slot_release(struct kobj + up_read(&pci_bus_sem); + + list_del(&slot->list); ++ pci_bus_put(slot->bus); + + kfree(slot); + } +@@ -261,7 +262,7 @@ placeholder: + goto err; + } + +- slot->bus = parent; ++ slot->bus = pci_bus_get(parent); + slot->number = slot_nr; + + slot->kobj.kset = pci_slots_kset; +@@ -269,6 +270,7 @@ placeholder: + slot_name = make_slot_name(name); + if (!slot_name) { + err = -ENOMEM; ++ pci_bus_put(slot->bus); + kfree(slot); + goto err; + } diff --git a/queue-6.12/perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch b/queue-6.12/perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch new file mode 100644 index 00000000000..701d041b78c --- /dev/null +++ b/queue-6.12/perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch @@ -0,0 +1,121 @@ +From 5b590160d2cf776b304eb054afafea2bd55e3620 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 22 Oct 2024 18:59:07 +0300 +Subject: perf/x86/intel/pt: Fix buffer full but size is 0 case + +From: Adrian Hunter + +commit 5b590160d2cf776b304eb054afafea2bd55e3620 upstream. + +If the trace data buffer becomes full, a truncated flag [T] is reported +in PERF_RECORD_AUX. In some cases, the size reported is 0, even though +data must have been added to make the buffer full. + +That happens when the buffer fills up from empty to full before the +Intel PT driver has updated the buffer position. Then the driver +calculates the new buffer position before calculating the data size. +If the old and new positions are the same, the data size is reported +as 0, even though it is really the whole buffer size. + +Fix by detecting when the buffer position is wrapped, and adjust the +data size calculation accordingly. + +Example + + Use a very small buffer size (8K) and observe the size of truncated [T] + data. Before the fix, it is possible to see records of 0 size. + + Before: + + $ perf record -m,8K -e intel_pt// uname + Linux + [ perf record: Woken up 2 times to write data ] + [ perf record: Captured and wrote 0.105 MB perf.data ] + $ perf script -D --no-itrace | grep AUX | grep -F '[T]' + Warning: + AUX data lost 2 times out of 3! + + 5 19462712368111 0x19710 [0x40]: PERF_RECORD_AUX offset: 0 size: 0 flags: 0x1 [T] + 5 19462712700046 0x19ba8 [0x40]: PERF_RECORD_AUX offset: 0x170 size: 0xe90 flags: 0x1 [T] + + After: + + $ perf record -m,8K -e intel_pt// uname + Linux + [ perf record: Woken up 3 times to write data ] + [ perf record: Captured and wrote 0.040 MB perf.data ] + $ perf script -D --no-itrace | grep AUX | grep -F '[T]' + Warning: + AUX data lost 2 times out of 3! + + 1 113720802995 0x4948 [0x40]: PERF_RECORD_AUX offset: 0 size: 0x2000 flags: 0x1 [T] + 1 113720979812 0x6b10 [0x40]: PERF_RECORD_AUX offset: 0x2000 size: 0x2000 flags: 0x1 [T] + +Fixes: 52ca9ced3f70 ("perf/x86/intel/pt: Add Intel PT PMU driver") +Signed-off-by: Adrian Hunter +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20241022155920.17511-2-adrian.hunter@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/pt.c | 11 ++++++++--- + arch/x86/events/intel/pt.h | 2 ++ + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/arch/x86/events/intel/pt.c ++++ b/arch/x86/events/intel/pt.c +@@ -828,11 +828,13 @@ static void pt_buffer_advance(struct pt_ + buf->cur_idx++; + + if (buf->cur_idx == buf->cur->last) { +- if (buf->cur == buf->last) ++ if (buf->cur == buf->last) { + buf->cur = buf->first; +- else ++ buf->wrapped = true; ++ } else { + buf->cur = list_entry(buf->cur->list.next, struct topa, + list); ++ } + buf->cur_idx = 0; + } + } +@@ -846,8 +848,11 @@ static void pt_buffer_advance(struct pt_ + static void pt_update_head(struct pt *pt) + { + struct pt_buffer *buf = perf_get_aux(&pt->handle); ++ bool wrapped = buf->wrapped; + u64 topa_idx, base, old; + ++ buf->wrapped = false; ++ + if (buf->single) { + local_set(&buf->data_size, buf->output_off); + return; +@@ -865,7 +870,7 @@ static void pt_update_head(struct pt *pt + } else { + old = (local64_xchg(&buf->head, base) & + ((buf->nr_pages << PAGE_SHIFT) - 1)); +- if (base < old) ++ if (base < old || (base == old && wrapped)) + base += buf->nr_pages << PAGE_SHIFT; + + local_add(base - old, &buf->data_size); +--- a/arch/x86/events/intel/pt.h ++++ b/arch/x86/events/intel/pt.h +@@ -65,6 +65,7 @@ struct pt_pmu { + * @head: logical write offset inside the buffer + * @snapshot: if this is for a snapshot/overwrite counter + * @single: use Single Range Output instead of ToPA ++ * @wrapped: buffer advance wrapped back to the first topa table + * @stop_pos: STOP topa entry index + * @intr_pos: INT topa entry index + * @stop_te: STOP topa entry pointer +@@ -82,6 +83,7 @@ struct pt_buffer { + local64_t head; + bool snapshot; + bool single; ++ bool wrapped; + long stop_pos, intr_pos; + struct topa_entry *stop_te, *intr_te; + void **data_pages; diff --git a/queue-6.12/pinctrl-qcom-spmi-fix-debugfs-drive-strength.patch b/queue-6.12/pinctrl-qcom-spmi-fix-debugfs-drive-strength.patch new file mode 100644 index 00000000000..fb34beb8ffb --- /dev/null +++ b/queue-6.12/pinctrl-qcom-spmi-fix-debugfs-drive-strength.patch @@ -0,0 +1,47 @@ +From 6bc0ebfb1d920f13c522545f114cdabb49e9408a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Oct 2024 14:16:22 +0200 +Subject: pinctrl: qcom: spmi: fix debugfs drive strength + +From: Johan Hovold + +commit 6bc0ebfb1d920f13c522545f114cdabb49e9408a upstream. + +Commit 723e8462a4fe ("pinctrl: qcom: spmi-gpio: Fix the GPIO strength +mapping") fixed a long-standing issue in the Qualcomm SPMI PMIC gpio +driver which had the 'low' and 'high' drive strength settings switched +but failed to update the debugfs interface which still gets this wrong. + +Fix the debugfs code so that the exported values match the hardware +settings. + +Note that this probably means that most devicetrees that try to describe +the firmware settings got this wrong if the settings were derived from +debugfs. Before the above mentioned commit the settings would have +actually matched the firmware settings even if they were described +incorrectly, but now they are inverted. + +Fixes: 723e8462a4fe ("pinctrl: qcom: spmi-gpio: Fix the GPIO strength mapping") +Fixes: eadff3024472 ("pinctrl: Qualcomm SPMI PMIC GPIO pin controller driver") +Cc: Anjelique Melendez +Cc: stable@vger.kernel.org # 3.19 +Signed-off-by: Johan Hovold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/20241025121622.1496-1-johan+linaro@kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c ++++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c +@@ -667,7 +667,7 @@ static void pmic_gpio_config_dbg_show(st + "push-pull", "open-drain", "open-source" + }; + static const char *const strengths[] = { +- "no", "high", "medium", "low" ++ "no", "low", "medium", "high" + }; + + pad = pctldev->desc->pins[pin].drv_data; diff --git a/queue-6.12/powerpc-pseries-fix-kvm-guest-detection-for-disabling-hardlockup-detector.patch b/queue-6.12/powerpc-pseries-fix-kvm-guest-detection-for-disabling-hardlockup-detector.patch new file mode 100644 index 00000000000..3ec7387fdf1 --- /dev/null +++ b/queue-6.12/powerpc-pseries-fix-kvm-guest-detection-for-disabling-hardlockup-detector.patch @@ -0,0 +1,45 @@ +From 44e5d21e6d3fd2a1fed7f0327cf72e99397e2eaf Mon Sep 17 00:00:00 2001 +From: Gautam Menghani +Date: Fri, 8 Nov 2024 15:18:37 +0530 +Subject: powerpc/pseries: Fix KVM guest detection for disabling hardlockup detector + +From: Gautam Menghani + +commit 44e5d21e6d3fd2a1fed7f0327cf72e99397e2eaf upstream. + +As per the kernel documentation[1], hardlockup detector should +be disabled in KVM guests as it may give false positives. On +PPC, hardlockup detector is enabled inside KVM guests because +disable_hardlockup_detector() is marked as early_initcall and it +relies on kvm_guest static key (is_kvm_guest()) which is initialized +later during boot by check_kvm_guest(), which is a core_initcall. +check_kvm_guest() is also called in pSeries_smp_probe(), which is called +before initcalls, but it is skipped if KVM guest does not have doorbell +support or if the guest is launched with SMT=1. + +Call check_kvm_guest() in disable_hardlockup_detector() so that +is_kvm_guest() check goes through fine and hardlockup detector can be +disabled inside the KVM guest. + +[1]: Documentation/admin-guide/sysctl/kernel.rst + +Fixes: 633c8e9800f3 ("powerpc/pseries: Enable hardlockup watchdog for PowerVM partitions") +Cc: stable@vger.kernel.org # v5.14+ +Signed-off-by: Gautam Menghani +Signed-off-by: Michael Ellerman +Link: https://patch.msgid.link/20241108094839.33084-1-gautam@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/setup_64.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kernel/setup_64.c ++++ b/arch/powerpc/kernel/setup_64.c +@@ -920,6 +920,7 @@ static int __init disable_hardlockup_det + hardlockup_detector_disable(); + #else + if (firmware_has_feature(FW_FEATURE_LPAR)) { ++ check_kvm_guest(); + if (is_kvm_guest()) + hardlockup_detector_disable(); + } diff --git a/queue-6.12/revert-kvm-vmx-move-load_ia32_perf_global_ctrl-errata-handling-out-of-setup_vmcs_config.patch b/queue-6.12/revert-kvm-vmx-move-load_ia32_perf_global_ctrl-errata-handling-out-of-setup_vmcs_config.patch new file mode 100644 index 00000000000..c84253f90fc --- /dev/null +++ b/queue-6.12/revert-kvm-vmx-move-load_ia32_perf_global_ctrl-errata-handling-out-of-setup_vmcs_config.patch @@ -0,0 +1,142 @@ +From 85434c3c73fcad58870016ddfe5eaa5036672675 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Mon, 18 Nov 2024 17:14:33 -0800 +Subject: Revert "KVM: VMX: Move LOAD_IA32_PERF_GLOBAL_CTRL errata handling out of setup_vmcs_config()" + +From: Sean Christopherson + +commit 85434c3c73fcad58870016ddfe5eaa5036672675 upstream. + +Revert back to clearing VM_{ENTRY,EXIT}_LOAD_IA32_PERF_GLOBAL_CTRL in KVM's +golden VMCS config, as applying the workaround during vCPU creation is +pointless and broken. KVM *unconditionally* clears the controls in the +values returned by vmx_vmentry_ctrl() and vmx_vmexit_ctrl(), as KVM loads +PERF_GLOBAL_CTRL if and only if its necessary to do so. E.g. if KVM wants +to run the guest with the same PERF_GLOBAL_CTRL as the host, then there's +no need to re-load the MSR on entry and exit. + +Even worse, the buggy commit failed to apply the erratum where it's +actually needed, add_atomic_switch_msr(). As a result, KVM completely +ignores the erratum for all intents and purposes, i.e. uses the flawed +VMCS controls to load PERF_GLOBAL_CTRL. + +To top things off, the patch was intended to be dropped, as the premise +of an L1 VMM being able to pivot on FMS is flawed, and KVM can (and now +does) fully emulate the controls in software. Simply revert the commit, +as all upstream supported kernels that have the buggy commit should also +have commit f4c93d1a0e71 ("KVM: nVMX: Always emulate PERF_GLOBAL_CTRL +VM-Entry/VM-Exit controls"), i.e. the (likely theoretical) live migration +concern is a complete non-issue. + +Opportunistically drop the manual "kvm: " scope from the warning about +the erratum, as KVM now uses pr_fmt() to provide the correct scope (v6.1 +kernels and earlier don't, but the erratum only applies to CPUs that are +15+ years old; it's not worth a separate patch). + +This reverts commit 9d78d6fb186bc4aff41b5d6c4726b76649d3cb53. + +Link: https://lore.kernel.org/all/YtnZmCutdd5tpUmz@google.com +Fixes: 9d78d6fb186b ("KVM: VMX: Move LOAD_IA32_PERF_GLOBAL_CTRL errata handling out of setup_vmcs_config()") +Cc: stable@vger.kernel.org +Cc: Vitaly Kuznetsov +Cc: Maxim Levitsky +Signed-off-by: Sean Christopherson +Reviewed-by: Vitaly Kuznetsov +Message-ID: <20241119011433.1797921-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 54 +++++++++++++++++++------------------------------ + 1 file changed, 21 insertions(+), 33 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -2551,28 +2551,6 @@ static bool cpu_has_sgx(void) + return cpuid_eax(0) >= 0x12 && (cpuid_eax(0x12) & BIT(0)); + } + +-/* +- * Some cpus support VM_{ENTRY,EXIT}_IA32_PERF_GLOBAL_CTRL but they +- * can't be used due to errata where VM Exit may incorrectly clear +- * IA32_PERF_GLOBAL_CTRL[34:32]. Work around the errata by using the +- * MSR load mechanism to switch IA32_PERF_GLOBAL_CTRL. +- */ +-static bool cpu_has_perf_global_ctrl_bug(void) +-{ +- switch (boot_cpu_data.x86_vfm) { +- case INTEL_NEHALEM_EP: /* AAK155 */ +- case INTEL_NEHALEM: /* AAP115 */ +- case INTEL_WESTMERE: /* AAT100 */ +- case INTEL_WESTMERE_EP: /* BC86,AAY89,BD102 */ +- case INTEL_NEHALEM_EX: /* BA97 */ +- return true; +- default: +- break; +- } +- +- return false; +-} +- + static int adjust_vmx_controls(u32 ctl_min, u32 ctl_opt, u32 msr, u32 *result) + { + u32 vmx_msr_low, vmx_msr_high; +@@ -2732,6 +2710,27 @@ static int setup_vmcs_config(struct vmcs + _vmexit_control &= ~x_ctrl; + } + ++ /* ++ * Some cpus support VM_{ENTRY,EXIT}_IA32_PERF_GLOBAL_CTRL but they ++ * can't be used due to an errata where VM Exit may incorrectly clear ++ * IA32_PERF_GLOBAL_CTRL[34:32]. Workaround the errata by using the ++ * MSR load mechanism to switch IA32_PERF_GLOBAL_CTRL. ++ */ ++ switch (boot_cpu_data.x86_vfm) { ++ case INTEL_NEHALEM_EP: /* AAK155 */ ++ case INTEL_NEHALEM: /* AAP115 */ ++ case INTEL_WESTMERE: /* AAT100 */ ++ case INTEL_WESTMERE_EP: /* BC86,AAY89,BD102 */ ++ case INTEL_NEHALEM_EX: /* BA97 */ ++ _vmentry_control &= ~VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL; ++ _vmexit_control &= ~VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL; ++ pr_warn_once("VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL " ++ "does not work properly. Using workaround\n"); ++ break; ++ default: ++ break; ++ } ++ + rdmsrl(MSR_IA32_VMX_BASIC, basic_msr); + + /* IA-32 SDM Vol 3B: VMCS size is never greater than 4kB. */ +@@ -4422,9 +4421,6 @@ static u32 vmx_vmentry_ctrl(void) + VM_ENTRY_LOAD_IA32_EFER | + VM_ENTRY_IA32E_MODE); + +- if (cpu_has_perf_global_ctrl_bug()) +- vmentry_ctrl &= ~VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL; +- + return vmentry_ctrl; + } + +@@ -4442,10 +4438,6 @@ static u32 vmx_vmexit_ctrl(void) + if (vmx_pt_mode_is_system()) + vmexit_ctrl &= ~(VM_EXIT_PT_CONCEAL_PIP | + VM_EXIT_CLEAR_IA32_RTIT_CTL); +- +- if (cpu_has_perf_global_ctrl_bug()) +- vmexit_ctrl &= ~VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL; +- + /* Loading of EFER and PERF_GLOBAL_CTRL are toggled dynamically */ + return vmexit_ctrl & + ~(VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL | VM_EXIT_LOAD_IA32_EFER); +@@ -8400,10 +8392,6 @@ __init int vmx_hardware_setup(void) + if (setup_vmcs_config(&vmcs_config, &vmx_capability) < 0) + return -EIO; + +- if (cpu_has_perf_global_ctrl_bug()) +- pr_warn_once("VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL " +- "does not work properly. Using workaround\n"); +- + if (boot_cpu_has(X86_FEATURE_NX)) + kvm_enable_efer_bits(EFER_NX); + diff --git a/queue-6.12/series b/queue-6.12/series index 8d158e92a6c..480c8b989d9 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -628,3 +628,50 @@ alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch usb-typec-ucsi-glink-fix-off-by-one-in-connector_status.patch xfs-fix-simplify-extent-lookup-in-xfs_can_free_eofblocks.patch +ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch +ext4-fix-fs_ioc_getfsmap-handling.patch +maintainers-update-location-of-media-main-tree.patch +docs-media-update-location-of-the-media-patches.patch +jfs-xattr-check-invalid-xattr-size-more-strictly.patch +asoc-amd-yc-add-a-quirk-for-microfone-on-lenovo-thinkpad-p14s-gen-5-21mes00b00.patch +asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch +asoc-da7213-populate-max_register-to-regmap_config.patch +perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch +crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch +kvm-x86-switch-hugepage-recovery-thread-to-vhost_task.patch +kvm-x86-mmu-skip-the-try-unsync-path-iff-the-old-spte-was-a-leaf-spte.patch +kvm-x86-add-back-x86_local_apic-dependency.patch +kvm-x86-break-config_kvm_x86-s-direct-dependency-on-kvm_intel-kvm_amd.patch +powerpc-pseries-fix-kvm-guest-detection-for-disabling-hardlockup-detector.patch +kvm-arm64-vgic-v3-sanitise-guest-writes-to-gicr_invlpir.patch +kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch +revert-kvm-vmx-move-load_ia32_perf_global_ctrl-errata-handling-out-of-setup_vmcs_config.patch +kvm-arm64-don-t-retire-aborted-mmio-instruction.patch +kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch +kvm-arm64-get-rid-of-userspace_irqchip_in_use.patch +kvm-arm64-vgic-its-add-a-data-length-check-in-vgic_its_save_.patch +kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch +compiler-attributes-disable-__counted_by-for-clang-19.1.3.patch +pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch +loongarch-explicitly-specify-code-model-in-makefile.patch +clk-clk-loongson2-fix-memory-corruption-bug-in-struct-loongson2_clk_provider.patch +clk-clk-loongson2-fix-potential-buffer-overflow-in-flexible-array-member-access.patch +fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch +fsnotify-fix-ordering-of-iput-and-watched_objects-decrement.patch +comedi-flush-partial-mappings-in-error-case.patch +apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch +iio-dac-adi-axi-dac-fix-wrong-register-bitfield.patch +tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch +locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch +tools-nolibc-s390-include-std.h.patch +fcntl-make-f_dupfd_query-associative.patch +pinctrl-qcom-spmi-fix-debugfs-drive-strength.patch +dt-bindings-pinctrl-samsung-fix-interrupt-constraint-for-variants-with-fallbacks.patch +dt-bindings-iio-dac-ad3552r-fix-maximum-spi-speed.patch +exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch +exfat-fix-out-of-bounds-access-of-directory-entries.patch +xhci-fix-control-transfer-error-on-etron-xhci-host.patch +xhci-combine-two-if-statements-for-etron-xhci-host.patch +xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch +xhci-don-t-issue-reset-device-command-to-etron-xhci-host.patch +bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch diff --git a/queue-6.12/tools-nolibc-s390-include-std.h.patch b/queue-6.12/tools-nolibc-s390-include-std.h.patch new file mode 100644 index 00000000000..2e18e6133df --- /dev/null +++ b/queue-6.12/tools-nolibc-s390-include-std.h.patch @@ -0,0 +1,36 @@ +From 711b5875814b2a0e9a5aaf7a85ba7c80f5a389b1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Fri, 27 Sep 2024 18:45:38 +0200 +Subject: tools/nolibc: s390: include std.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 711b5875814b2a0e9a5aaf7a85ba7c80f5a389b1 upstream. + +arch-s390.h uses types from std.h, but does not include it. +Depending on the inclusion order the compilation can fail. +Include std.h explicitly to avoid these errors. + +Fixes: 404fa87c0eaf ("tools/nolibc: s390: provide custom implementation for sys_fork") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20240927-nolibc-s390-std-h-v1-1-30442339a6b9@linutronix.de +Signed-off-by: Thomas Weißschuh +Signed-off-by: Greg Kroah-Hartman +--- + tools/include/nolibc/arch-s390.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/include/nolibc/arch-s390.h ++++ b/tools/include/nolibc/arch-s390.h +@@ -10,6 +10,7 @@ + + #include "compiler.h" + #include "crt.h" ++#include "std.h" + + /* Syscalls for s390: + * - registers are 64-bit diff --git a/queue-6.12/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch b/queue-6.12/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch new file mode 100644 index 00000000000..f00b4fb7d5a --- /dev/null +++ b/queue-6.12/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch @@ -0,0 +1,40 @@ +From 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 Mon Sep 17 00:00:00 2001 +From: Nicolas Bouchinet +Date: Tue, 12 Nov 2024 14:13:31 +0100 +Subject: tty: ldsic: fix tty_ldisc_autoload sysctl's proc_handler + +From: Nicolas Bouchinet + +commit 635a9fca54f4f4148be1ae1c7c6bd37af80f5773 upstream. + +Commit 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of +ldiscs") introduces the tty_ldisc_autoload sysctl with the wrong +proc_handler. .extra1 and .extra2 parameters are set to avoid other values +thant SYSCTL_ZERO or SYSCTL_ONE to be set but proc_dointvec do not uses +them. + +This commit fixes this by using proc_dointvec_minmax instead of +proc_dointvec. + +Fixes: 7c0cca7c847e ("tty: ldisc: add sysctl to prevent autoloading of ldiscs") +Cc: stable +Signed-off-by: Nicolas Bouchinet +Reviewed-by: Lin Feng +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/20241112131357.49582-4-nicolas.bouchinet@clip-os.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -3631,7 +3631,7 @@ static struct ctl_table tty_table[] = { + .data = &tty_ldisc_autoload, + .maxlen = sizeof(tty_ldisc_autoload), + .mode = 0644, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, diff --git a/queue-6.12/xhci-combine-two-if-statements-for-etron-xhci-host.patch b/queue-6.12/xhci-combine-two-if-statements-for-etron-xhci-host.patch new file mode 100644 index 00000000000..27a52b484dc --- /dev/null +++ b/queue-6.12/xhci-combine-two-if-statements-for-etron-xhci-host.patch @@ -0,0 +1,41 @@ +From d7b11fe5790203fcc0db182249d7bfd945e44ccb Mon Sep 17 00:00:00 2001 +From: Kuangyi Chiang +Date: Wed, 6 Nov 2024 12:14:43 +0200 +Subject: xhci: Combine two if statements for Etron xHCI host + +From: Kuangyi Chiang + +commit d7b11fe5790203fcc0db182249d7bfd945e44ccb upstream. + +Combine two if statements, because these hosts have the same +quirk flags applied. + +[Mathias: has stable tag because other fixes in series depend on this] + +Fixes: 91f7a1524a92 ("xhci: Apply broken streams quirk to Etron EJ188 xHCI host") +Cc: stable@vger.kernel.org +Signed-off-by: Kuangyi Chiang +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241106101459.775897-18-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -395,12 +395,8 @@ static void xhci_pci_quirks(struct devic + xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW; + + if (pdev->vendor == PCI_VENDOR_ID_ETRON && +- pdev->device == PCI_DEVICE_ID_EJ168) { +- xhci->quirks |= XHCI_RESET_ON_RESUME; +- xhci->quirks |= XHCI_BROKEN_STREAMS; +- } +- if (pdev->vendor == PCI_VENDOR_ID_ETRON && +- pdev->device == PCI_DEVICE_ID_EJ188) { ++ (pdev->device == PCI_DEVICE_ID_EJ168 || ++ pdev->device == PCI_DEVICE_ID_EJ188)) { + xhci->quirks |= XHCI_RESET_ON_RESUME; + xhci->quirks |= XHCI_BROKEN_STREAMS; + } diff --git a/queue-6.12/xhci-don-t-issue-reset-device-command-to-etron-xhci-host.patch b/queue-6.12/xhci-don-t-issue-reset-device-command-to-etron-xhci-host.patch new file mode 100644 index 00000000000..adb74069a62 --- /dev/null +++ b/queue-6.12/xhci-don-t-issue-reset-device-command-to-etron-xhci-host.patch @@ -0,0 +1,97 @@ +From 76d98856b1c6d06ce18f32c20527a4f9d283e660 Mon Sep 17 00:00:00 2001 +From: Kuangyi Chiang +Date: Wed, 6 Nov 2024 12:14:44 +0200 +Subject: xhci: Don't issue Reset Device command to Etron xHCI host + +From: Kuangyi Chiang + +commit 76d98856b1c6d06ce18f32c20527a4f9d283e660 upstream. + +Sometimes the hub driver does not recognize the USB device connected +to the external USB2.0 hub when the system resumes from S4. + +After the SetPortFeature(PORT_RESET) request is completed, the hub +driver calls the HCD reset_device callback, which will issue a Reset +Device command and free all structures associated with endpoints +that were disabled. + +This happens when the xHCI driver issue a Reset Device command to +inform the Etron xHCI host that the USB device associated with a +device slot has been reset. Seems that the Etron xHCI host can not +perform this command correctly, affecting the USB device. + +To work around this, the xHCI driver should obtain a new device slot +with reference to commit 651aaf36a7d7 ("usb: xhci: Handle USB transaction +error on address command"), which is another way to inform the Etron +xHCI host that the USB device has been reset. + +Add a new XHCI_ETRON_HOST quirk flag to invoke the workaround in +xhci_discover_or_reset_device(). + +Fixes: 2a8f82c4ceaf ("USB: xhci: Notify the xHC when a device is reset.") +Cc: stable@vger.kernel.org +Signed-off-by: Kuangyi Chiang +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241106101459.775897-19-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 1 + + drivers/usb/host/xhci.c | 19 +++++++++++++++++++ + drivers/usb/host/xhci.h | 1 + + 3 files changed, 21 insertions(+) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -397,6 +397,7 @@ static void xhci_pci_quirks(struct devic + if (pdev->vendor == PCI_VENDOR_ID_ETRON && + (pdev->device == PCI_DEVICE_ID_EJ168 || + pdev->device == PCI_DEVICE_ID_EJ188)) { ++ xhci->quirks |= XHCI_ETRON_HOST; + xhci->quirks |= XHCI_RESET_ON_RESUME; + xhci->quirks |= XHCI_BROKEN_STREAMS; + xhci->quirks |= XHCI_NO_SOFT_RETRY; +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3692,6 +3692,8 @@ void xhci_free_device_endpoint_resources + xhci->num_active_eps); + } + ++static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev); ++ + /* + * This submits a Reset Device Command, which will set the device state to 0, + * set the device address to 0, and disable all the endpoints except the default +@@ -3762,6 +3764,23 @@ static int xhci_discover_or_reset_device + SLOT_STATE_DISABLED) + return 0; + ++ if (xhci->quirks & XHCI_ETRON_HOST) { ++ /* ++ * Obtaining a new device slot to inform the xHCI host that ++ * the USB device has been reset. ++ */ ++ ret = xhci_disable_slot(xhci, udev->slot_id); ++ xhci_free_virt_device(xhci, udev->slot_id); ++ if (!ret) { ++ ret = xhci_alloc_dev(hcd, udev); ++ if (ret == 1) ++ ret = 0; ++ else ++ ret = -EINVAL; ++ } ++ return ret; ++ } ++ + trace_xhci_discover_or_reset_device(slot_ctx); + + xhci_dbg(xhci, "Resetting device with slot ID %u\n", slot_id); +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1624,6 +1624,7 @@ struct xhci_hcd { + #define XHCI_ZHAOXIN_HOST BIT_ULL(46) + #define XHCI_WRITE_64_HI_LO BIT_ULL(47) + #define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48) ++#define XHCI_ETRON_HOST BIT_ULL(49) + + unsigned int num_active_eps; + unsigned int limit_active_eps; diff --git a/queue-6.12/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch b/queue-6.12/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch new file mode 100644 index 00000000000..95df360f492 --- /dev/null +++ b/queue-6.12/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch @@ -0,0 +1,46 @@ +From e735e957f2b9cfe4be486e0304732ec36928591f Mon Sep 17 00:00:00 2001 +From: Kuangyi Chiang +Date: Wed, 6 Nov 2024 12:14:46 +0200 +Subject: xhci: Don't perform Soft Retry for Etron xHCI host + +From: Kuangyi Chiang + +commit e735e957f2b9cfe4be486e0304732ec36928591f upstream. + +Since commit f8f80be501aa ("xhci: Use soft retry to recover faster from +transaction errors"), unplugging USB device while enumeration results in +errors like this: + +[ 364.855321] xhci_hcd 0000:0b:00.0: ERROR Transfer event for disabled endpoint slot 5 ep 2 +[ 364.864622] xhci_hcd 0000:0b:00.0: @0000002167656d70 67f03000 00000021 0c000000 05038001 +[ 374.934793] xhci_hcd 0000:0b:00.0: Abort failed to stop command ring: -110 +[ 374.958793] xhci_hcd 0000:0b:00.0: xHCI host controller not responding, assume dead +[ 374.967590] xhci_hcd 0000:0b:00.0: HC died; cleaning up +[ 374.973984] xhci_hcd 0000:0b:00.0: Timeout while waiting for configure endpoint command + +Seems that Etorn xHCI host can not perform Soft Retry correctly, apply +XHCI_NO_SOFT_RETRY quirk to disable Soft Retry and then issue is gone. + +This patch depends on commit a4a251f8c235 ("usb: xhci: do not perform +Soft Retry for some xHCI hosts"). + +Fixes: f8f80be501aa ("xhci: Use soft retry to recover faster from transaction errors") +Cc: stable@vger.kernel.org +Signed-off-by: Kuangyi Chiang +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241106101459.775897-21-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -399,6 +399,7 @@ static void xhci_pci_quirks(struct devic + pdev->device == PCI_DEVICE_ID_EJ188)) { + xhci->quirks |= XHCI_RESET_ON_RESUME; + xhci->quirks |= XHCI_BROKEN_STREAMS; ++ xhci->quirks |= XHCI_NO_SOFT_RETRY; + } + + if (pdev->vendor == PCI_VENDOR_ID_RENESAS && diff --git a/queue-6.12/xhci-fix-control-transfer-error-on-etron-xhci-host.patch b/queue-6.12/xhci-fix-control-transfer-error-on-etron-xhci-host.patch new file mode 100644 index 00000000000..e337287e546 --- /dev/null +++ b/queue-6.12/xhci-fix-control-transfer-error-on-etron-xhci-host.patch @@ -0,0 +1,83 @@ +From 5e1c67abc9301d05130b7e267c204e7005503b33 Mon Sep 17 00:00:00 2001 +From: Kuangyi Chiang +Date: Wed, 6 Nov 2024 12:14:45 +0200 +Subject: xhci: Fix control transfer error on Etron xHCI host + +From: Kuangyi Chiang + +commit 5e1c67abc9301d05130b7e267c204e7005503b33 upstream. + +Performing a stability stress test on a USB3.0 2.5G ethernet adapter +results in errors like this: + +[ 91.441469] r8152 2-3:1.0 eth3: get_registers -71 +[ 91.458659] r8152 2-3:1.0 eth3: get_registers -71 +[ 91.475911] r8152 2-3:1.0 eth3: get_registers -71 +[ 91.493203] r8152 2-3:1.0 eth3: get_registers -71 +[ 91.510421] r8152 2-3:1.0 eth3: get_registers -71 + +The r8152 driver will periodically issue lots of control-IN requests +to access the status of ethernet adapter hardware registers during +the test. + +This happens when the xHCI driver enqueue a control TD (which cross +over the Link TRB between two ring segments, as shown) in the endpoint +zero's transfer ring. Seems the Etron xHCI host can not perform this +TD correctly, causing the USB transfer error occurred, maybe the upper +driver retry that control-IN request can solve problem, but not all +drivers do this. + +| | +------- +| TRB | Setup Stage +------- +| TRB | Link +------- +------- +| TRB | Data Stage +------- +| TRB | Status Stage +------- +| | + +To work around this, the xHCI driver should enqueue a No Op TRB if +next available TRB is the Link TRB in the ring segment, this can +prevent the Setup and Data Stage TRB to be breaked by the Link TRB. + +Check if the XHCI_ETRON_HOST quirk flag is set before invoking the +workaround in xhci_queue_ctrl_tx(). + +Fixes: d0e96f5a71a0 ("USB: xhci: Control transfer support.") +Cc: stable@vger.kernel.org +Signed-off-by: Kuangyi Chiang +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241106101459.775897-20-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-ring.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -3727,6 +3727,20 @@ int xhci_queue_ctrl_tx(struct xhci_hcd * + if (!urb->setup_packet) + return -EINVAL; + ++ if ((xhci->quirks & XHCI_ETRON_HOST) && ++ urb->dev->speed >= USB_SPEED_SUPER) { ++ /* ++ * If next available TRB is the Link TRB in the ring segment then ++ * enqueue a No Op TRB, this can prevent the Setup and Data Stage ++ * TRB to be breaked by the Link TRB. ++ */ ++ if (trb_is_link(ep_ring->enqueue + 1)) { ++ field = TRB_TYPE(TRB_TR_NOOP) | ep_ring->cycle_state; ++ queue_trb(xhci, ep_ring, false, 0, 0, ++ TRB_INTR_TARGET(0), field); ++ } ++ } ++ + /* 1 TRB for setup, 1 for status */ + num_trbs = 2; + /* -- 2.47.3