From 222730811c16c24951bc308cb2ce1638468f14ed Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 3 Dec 2024 11:19:10 +0100 Subject: [PATCH] 6.12-stable patches added patches: arm64-dts-mediatek-mt8186-corsola-voltorb-merge-speaker-codec-nodes.patch arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch blk-mq-make-blk_mq_quiesce_tagset-hold-the-tag-list-mutex-less-long.patch block-fix-missing-dispatching-request-when-queue-is-started-or-unquiesced.patch block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch block-fix-ordering-between-checking-queue_flag_quiesced-request-adding.patch gve-flow-steering-trigger-reset-only-for-timeout-error.patch hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch i40e-fix-handling-changed-priv-flags.patch media-intel-ipu6-do-not-handle-interrupts-when-device-is-disabled.patch media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch netdev-genl-hold-rcu_read_lock-in-napi_get.patch soc-fsl-cpm1-qmc-set-the-ret-error-code-on-platform_get_irq-failure.patch soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch ublk-fix-ublk_ch_mmap-for-64k-page-size.patch --- ...la-voltorb-merge-speaker-codec-nodes.patch | 100 +++++ ...-of-tpidrro_el0-when-kpti-is-enabled.patch | 47 +++ ...et-hold-the-tag-list-mutex-less-long.patch | 41 ++ ...-when-queue-is-started-or-unquiesced.patch | 66 ++++ ...king-blk_mq_s_stopped-request-adding.patch | 113 ++++++ ...g-queue_flag_quiesced-request-adding.patch | 113 ++++++ ...trigger-reset-only-for-timeout-error.patch | 41 ++ ...-from-intuos-pro-bt-as-signed-values.patch | 41 ++ ...i40e-fix-handling-changed-priv-flags.patch | 81 ++++ ...e-interrupts-when-device-is-disabled.patch | 76 ++++ ...v4l2-dv-timings-check-cvt-gtf-result.patch | 368 ++++++++++++++++++ ...-atomicity-violation-in-fmc_send_cmd.patch | 54 +++ ...-genl-hold-rcu_read_lock-in-napi_get.patch | 40 ++ queue-6.12/series | 16 + ...ror-code-on-platform_get_irq-failure.patch | 45 +++ ..._node_put-in-copy_ippdexpcr1_setting.patch | 35 ++ ...k-fix-ublk_ch_mmap-for-64k-page-size.patch | 68 ++++ 17 files changed, 1345 insertions(+) create mode 100644 queue-6.12/arm64-dts-mediatek-mt8186-corsola-voltorb-merge-speaker-codec-nodes.patch create mode 100644 queue-6.12/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch create mode 100644 queue-6.12/blk-mq-make-blk_mq_quiesce_tagset-hold-the-tag-list-mutex-less-long.patch create mode 100644 queue-6.12/block-fix-missing-dispatching-request-when-queue-is-started-or-unquiesced.patch create mode 100644 queue-6.12/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch create mode 100644 queue-6.12/block-fix-ordering-between-checking-queue_flag_quiesced-request-adding.patch create mode 100644 queue-6.12/gve-flow-steering-trigger-reset-only-for-timeout-error.patch create mode 100644 queue-6.12/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch create mode 100644 queue-6.12/i40e-fix-handling-changed-priv-flags.patch create mode 100644 queue-6.12/media-intel-ipu6-do-not-handle-interrupts-when-device-is-disabled.patch create mode 100644 queue-6.12/media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch create mode 100644 queue-6.12/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch create mode 100644 queue-6.12/netdev-genl-hold-rcu_read_lock-in-napi_get.patch create mode 100644 queue-6.12/soc-fsl-cpm1-qmc-set-the-ret-error-code-on-platform_get_irq-failure.patch create mode 100644 queue-6.12/soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch create mode 100644 queue-6.12/ublk-fix-ublk_ch_mmap-for-64k-page-size.patch diff --git a/queue-6.12/arm64-dts-mediatek-mt8186-corsola-voltorb-merge-speaker-codec-nodes.patch b/queue-6.12/arm64-dts-mediatek-mt8186-corsola-voltorb-merge-speaker-codec-nodes.patch new file mode 100644 index 00000000000..71c070d06da --- /dev/null +++ b/queue-6.12/arm64-dts-mediatek-mt8186-corsola-voltorb-merge-speaker-codec-nodes.patch @@ -0,0 +1,100 @@ +From 26ea2459d1724406bf0b342df6b4b1f002d7f8e3 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Fri, 18 Oct 2024 16:21:11 +0800 +Subject: arm64: dts: mediatek: mt8186-corsola-voltorb: Merge speaker codec nodes + +From: Chen-Yu Tsai + +commit 26ea2459d1724406bf0b342df6b4b1f002d7f8e3 upstream. + +The Voltorb device uses a speaker codec different from the original +Corsola device. When the Voltorb device tree was first added, the new +codec was added as a separate node when it should have just replaced the +existing one. + +Merge the two nodes. The only differences are the compatible string and +the GPIO line property name. This keeps the device node path for the +speaker codec the same across the MT8186 Chromebook line. Also rename +the related labels and node names from having rt1019p to speaker codec. + +Cc: stable@vger.kernel.org # v6.11+ +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20241018082113.1297268-1-wenst@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi | 21 +++------------ + arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi | 8 ++--- + 2 files changed, 9 insertions(+), 20 deletions(-) + +--- a/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi +@@ -10,12 +10,6 @@ + + / { + chassis-type = "laptop"; +- +- max98360a: max98360a { +- compatible = "maxim,max98360a"; +- sdmode-gpios = <&pio 150 GPIO_ACTIVE_HIGH>; +- #sound-dai-cells = <0>; +- }; + }; + + &cpu6 { +@@ -59,19 +53,14 @@ + opp-hz = /bits/ 64 <2200000000>; + }; + +-&rt1019p{ +- status = "disabled"; +-}; +- + &sound { + compatible = "mediatek,mt8186-mt6366-rt5682s-max98360-sound"; +- status = "okay"; ++}; + +- spk-hdmi-playback-dai-link { +- codec { +- sound-dai = <&it6505dptx>, <&max98360a>; +- }; +- }; ++&speaker_codec { ++ compatible = "maxim,max98360a"; ++ sdmode-gpios = <&pio 150 GPIO_ACTIVE_HIGH>; ++ /delete-property/ sdb-gpios; + }; + + &spmi { +--- a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi +@@ -259,15 +259,15 @@ + mediatek,clk-provider = "cpu"; + /* RT1019P and IT6505 connected to the same I2S line */ + codec { +- sound-dai = <&it6505dptx>, <&rt1019p>; ++ sound-dai = <&it6505dptx>, <&speaker_codec>; + }; + }; + }; + +- rt1019p: speaker-codec { ++ speaker_codec: speaker-codec { + compatible = "realtek,rt1019p"; + pinctrl-names = "default"; +- pinctrl-0 = <&rt1019p_pins_default>; ++ pinctrl-0 = <&speaker_codec_pins_default>; + #sound-dai-cells = <0>; + sdb-gpios = <&pio 150 GPIO_ACTIVE_HIGH>; + }; +@@ -1179,7 +1179,7 @@ + }; + }; + +- rt1019p_pins_default: rt1019p-default-pins { ++ speaker_codec_pins_default: speaker-codec-default-pins { + pins-sdb { + pinmux = ; + output-low; diff --git a/queue-6.12/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch b/queue-6.12/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch new file mode 100644 index 00000000000..16db93ba957 --- /dev/null +++ b/queue-6.12/arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch @@ -0,0 +1,47 @@ +From 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 14 Nov 2024 09:53:32 +0000 +Subject: arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled + +From: Will Deacon + +commit 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c upstream. + +Commit 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of +tpidrro_el0 for native tasks") tried to optimise the context switching +of tpidrro_el0 by eliding the clearing of the register when switching +to a native task with kpti enabled, on the erroneous assumption that +the kpti trampoline entry code would already have taken care of the +write. + +Although the kpti trampoline does zero the register on entry from a +native task, the check in tls_thread_switch() is on the *next* task and +so we can end up leaving a stale, non-zero value in the register if the +previous task was 32-bit. + +Drop the broken optimisation and zero tpidrro_el0 unconditionally when +switching to a native 64-bit task. + +Cc: Mark Rutland +Cc: stable@vger.kernel.org +Fixes: 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks") +Signed-off-by: Will Deacon +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20241114095332.23391-1-will@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/process.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -442,7 +442,7 @@ static void tls_thread_switch(struct tas + + if (is_compat_thread(task_thread_info(next))) + write_sysreg(next->thread.uw.tp_value, tpidrro_el0); +- else if (!arm64_kernel_unmapped_at_el0()) ++ else + write_sysreg(0, tpidrro_el0); + + write_sysreg(*task_user_tls(next), tpidr_el0); diff --git a/queue-6.12/blk-mq-make-blk_mq_quiesce_tagset-hold-the-tag-list-mutex-less-long.patch b/queue-6.12/blk-mq-make-blk_mq_quiesce_tagset-hold-the-tag-list-mutex-less-long.patch new file mode 100644 index 00000000000..c26268fa729 --- /dev/null +++ b/queue-6.12/blk-mq-make-blk_mq_quiesce_tagset-hold-the-tag-list-mutex-less-long.patch @@ -0,0 +1,41 @@ +From ccd9e252c515ac5a3ed04a414c95d1307d17f159 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Tue, 22 Oct 2024 11:16:17 -0700 +Subject: blk-mq: Make blk_mq_quiesce_tagset() hold the tag list mutex less long + +From: Bart Van Assche + +commit ccd9e252c515ac5a3ed04a414c95d1307d17f159 upstream. + +Make sure that the tag_list_lock mutex is not held any longer than +necessary. This change reduces latency if e.g. blk_mq_quiesce_tagset() +is called concurrently from more than one thread. This function is used +by the NVMe core and also by the UFS driver. + +Reported-by: Peter Wang +Cc: Chao Leng +Cc: Ming Lei +Cc: stable@vger.kernel.org +Fixes: 414dd48e882c ("blk-mq: add tagset quiesce interface") +Signed-off-by: Bart Van Assche +Reviewed-by: Keith Busch +Link: https://lore.kernel.org/r/20241022181617.2716173-1-bvanassche@acm.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -283,8 +283,9 @@ void blk_mq_quiesce_tagset(struct blk_mq + if (!blk_queue_skip_tagset_quiesce(q)) + blk_mq_quiesce_queue_nowait(q); + } +- blk_mq_wait_quiesce_done(set); + mutex_unlock(&set->tag_list_lock); ++ ++ blk_mq_wait_quiesce_done(set); + } + EXPORT_SYMBOL_GPL(blk_mq_quiesce_tagset); + diff --git a/queue-6.12/block-fix-missing-dispatching-request-when-queue-is-started-or-unquiesced.patch b/queue-6.12/block-fix-missing-dispatching-request-when-queue-is-started-or-unquiesced.patch new file mode 100644 index 00000000000..d331cf3e6d1 --- /dev/null +++ b/queue-6.12/block-fix-missing-dispatching-request-when-queue-is-started-or-unquiesced.patch @@ -0,0 +1,66 @@ +From 2003ee8a9aa14d766b06088156978d53c2e9be3d Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Mon, 14 Oct 2024 17:29:32 +0800 +Subject: block: fix missing dispatching request when queue is started or unquiesced + +From: Muchun Song + +commit 2003ee8a9aa14d766b06088156978d53c2e9be3d upstream. + +Supposing the following scenario with a virtio_blk driver. + +CPU0 CPU1 CPU2 + +blk_mq_try_issue_directly() + __blk_mq_issue_directly() + q->mq_ops->queue_rq() + virtio_queue_rq() + blk_mq_stop_hw_queue() + virtblk_done() + blk_mq_try_issue_directly() + if (blk_mq_hctx_stopped()) + blk_mq_request_bypass_insert() blk_mq_run_hw_queue() + blk_mq_run_hw_queue() blk_mq_run_hw_queue() + blk_mq_insert_request() + return + +After CPU0 has marked the queue as stopped, CPU1 will see the queue is +stopped. But before CPU1 puts the request on the dispatch list, CPU2 +receives the interrupt of completion of request, so it will run the +hardware queue and marks the queue as non-stopped. Meanwhile, CPU1 also +runs the same hardware queue. After both CPU1 and CPU2 complete +blk_mq_run_hw_queue(), CPU1 just puts the request to the same hardware +queue and returns. It misses dispatching a request. Fix it by running +the hardware queue explicitly. And blk_mq_request_issue_directly() +should handle a similar situation. Fix it as well. + +Fixes: d964f04a8fde ("blk-mq: fix direct issue") +Cc: stable@vger.kernel.org +Cc: Muchun Song +Signed-off-by: Muchun Song +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20241014092934.53630-2-songmuchun@bytedance.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2620,6 +2620,7 @@ static void blk_mq_try_issue_directly(st + + if (blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(rq->q)) { + blk_mq_insert_request(rq, 0); ++ blk_mq_run_hw_queue(hctx, false); + return; + } + +@@ -2650,6 +2651,7 @@ static blk_status_t blk_mq_request_issue + + if (blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(rq->q)) { + blk_mq_insert_request(rq, 0); ++ blk_mq_run_hw_queue(hctx, false); + return BLK_STS_OK; + } + diff --git a/queue-6.12/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch b/queue-6.12/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch new file mode 100644 index 00000000000..277f7a62f2d --- /dev/null +++ b/queue-6.12/block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch @@ -0,0 +1,113 @@ +From 96a9fe64bfd486ebeeacf1e6011801ffe89dae18 Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Mon, 14 Oct 2024 17:29:34 +0800 +Subject: block: fix ordering between checking BLK_MQ_S_STOPPED request adding + +From: Muchun Song + +commit 96a9fe64bfd486ebeeacf1e6011801ffe89dae18 upstream. + +Supposing first scenario with a virtio_blk driver. + +CPU0 CPU1 + +blk_mq_try_issue_directly() + __blk_mq_issue_directly() + q->mq_ops->queue_rq() + virtio_queue_rq() + blk_mq_stop_hw_queue() + virtblk_done() + blk_mq_request_bypass_insert() 1) store + blk_mq_start_stopped_hw_queue() + clear_bit(BLK_MQ_S_STOPPED) 3) store + blk_mq_run_hw_queue() + if (!blk_mq_hctx_has_pending()) 4) load + return + blk_mq_sched_dispatch_requests() + blk_mq_run_hw_queue() + if (!blk_mq_hctx_has_pending()) + return + blk_mq_sched_dispatch_requests() + if (blk_mq_hctx_stopped()) 2) load + return + __blk_mq_sched_dispatch_requests() + +Supposing another scenario. + +CPU0 CPU1 + +blk_mq_requeue_work() + blk_mq_insert_request() 1) store + virtblk_done() + blk_mq_start_stopped_hw_queue() + blk_mq_run_hw_queues() clear_bit(BLK_MQ_S_STOPPED) 3) store + blk_mq_run_hw_queue() + if (!blk_mq_hctx_has_pending()) 4) load + return + blk_mq_sched_dispatch_requests() + if (blk_mq_hctx_stopped()) 2) load + continue + blk_mq_run_hw_queue() + +Both scenarios are similar, the full memory barrier should be inserted +between 1) and 2), as well as between 3) and 4) to make sure that either +CPU0 sees BLK_MQ_S_STOPPED is cleared or CPU1 sees dispatch list. +Otherwise, either CPU will not rerun the hardware queue causing +starvation of the request. + +The easy way to fix it is to add the essential full memory barrier into +helper of blk_mq_hctx_stopped(). In order to not affect the fast path +(hardware queue is not stopped most of the time), we only insert the +barrier into the slow path. Actually, only slow path needs to care about +missing of dispatching the request to the low-level device driver. + +Fixes: 320ae51feed5 ("blk-mq: new multi-queue block IO queueing mechanism") +Cc: stable@vger.kernel.org +Cc: Muchun Song +Signed-off-by: Muchun Song +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20241014092934.53630-4-songmuchun@bytedance.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 6 ++++++ + block/blk-mq.h | 13 +++++++++++++ + 2 files changed, 19 insertions(+) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2411,6 +2411,12 @@ void blk_mq_start_stopped_hw_queue(struc + return; + + clear_bit(BLK_MQ_S_STOPPED, &hctx->state); ++ /* ++ * Pairs with the smp_mb() in blk_mq_hctx_stopped() to order the ++ * clearing of BLK_MQ_S_STOPPED above and the checking of dispatch ++ * list in the subsequent routine. ++ */ ++ smp_mb__after_atomic(); + blk_mq_run_hw_queue(hctx, async); + } + EXPORT_SYMBOL_GPL(blk_mq_start_stopped_hw_queue); +--- a/block/blk-mq.h ++++ b/block/blk-mq.h +@@ -230,6 +230,19 @@ static inline struct blk_mq_tags *blk_mq + + static inline bool blk_mq_hctx_stopped(struct blk_mq_hw_ctx *hctx) + { ++ /* Fast path: hardware queue is not stopped most of the time. */ ++ if (likely(!test_bit(BLK_MQ_S_STOPPED, &hctx->state))) ++ return false; ++ ++ /* ++ * This barrier is used to order adding of dispatch list before and ++ * the test of BLK_MQ_S_STOPPED below. Pairs with the memory barrier ++ * in blk_mq_start_stopped_hw_queue() so that dispatch code could ++ * either see BLK_MQ_S_STOPPED is cleared or dispatch list is not ++ * empty to avoid missing dispatching requests. ++ */ ++ smp_mb(); ++ + return test_bit(BLK_MQ_S_STOPPED, &hctx->state); + } + diff --git a/queue-6.12/block-fix-ordering-between-checking-queue_flag_quiesced-request-adding.patch b/queue-6.12/block-fix-ordering-between-checking-queue_flag_quiesced-request-adding.patch new file mode 100644 index 00000000000..b950032ebfb --- /dev/null +++ b/queue-6.12/block-fix-ordering-between-checking-queue_flag_quiesced-request-adding.patch @@ -0,0 +1,113 @@ +From 6bda857bcbb86fb9d0e54fbef93a093d51172acc Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Mon, 14 Oct 2024 17:29:33 +0800 +Subject: block: fix ordering between checking QUEUE_FLAG_QUIESCED request adding + +From: Muchun Song + +commit 6bda857bcbb86fb9d0e54fbef93a093d51172acc upstream. + +Supposing the following scenario. + +CPU0 CPU1 + +blk_mq_insert_request() 1) store + blk_mq_unquiesce_queue() + blk_queue_flag_clear() 3) store + blk_mq_run_hw_queues() + blk_mq_run_hw_queue() + if (!blk_mq_hctx_has_pending()) 4) load + return +blk_mq_run_hw_queue() + if (blk_queue_quiesced()) 2) load + return + blk_mq_sched_dispatch_requests() + +The full memory barrier should be inserted between 1) and 2), as well as +between 3) and 4) to make sure that either CPU0 sees QUEUE_FLAG_QUIESCED +is cleared or CPU1 sees dispatch list or setting of bitmap of software +queue. Otherwise, either CPU will not rerun the hardware queue causing +starvation. + +So the first solution is to 1) add a pair of memory barrier to fix the +problem, another solution is to 2) use hctx->queue->queue_lock to +synchronize QUEUE_FLAG_QUIESCED. Here, we chose 2) to fix it since +memory barrier is not easy to be maintained. + +Fixes: f4560ffe8cec ("blk-mq: use QUEUE_FLAG_QUIESCED to quiesce queue") +Cc: stable@vger.kernel.org +Cc: Muchun Song +Signed-off-by: Muchun Song +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20241014092934.53630-3-songmuchun@bytedance.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 49 +++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 35 insertions(+), 14 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2200,6 +2200,24 @@ void blk_mq_delay_run_hw_queue(struct bl + } + EXPORT_SYMBOL(blk_mq_delay_run_hw_queue); + ++static inline bool blk_mq_hw_queue_need_run(struct blk_mq_hw_ctx *hctx) ++{ ++ bool need_run; ++ ++ /* ++ * When queue is quiesced, we may be switching io scheduler, or ++ * updating nr_hw_queues, or other things, and we can't run queue ++ * any more, even blk_mq_hctx_has_pending() can't be called safely. ++ * ++ * And queue will be rerun in blk_mq_unquiesce_queue() if it is ++ * quiesced. ++ */ ++ __blk_mq_run_dispatch_ops(hctx->queue, false, ++ need_run = !blk_queue_quiesced(hctx->queue) && ++ blk_mq_hctx_has_pending(hctx)); ++ return need_run; ++} ++ + /** + * blk_mq_run_hw_queue - Start to run a hardware queue. + * @hctx: Pointer to the hardware queue to run. +@@ -2220,20 +2238,23 @@ void blk_mq_run_hw_queue(struct blk_mq_h + + might_sleep_if(!async && hctx->flags & BLK_MQ_F_BLOCKING); + +- /* +- * When queue is quiesced, we may be switching io scheduler, or +- * updating nr_hw_queues, or other things, and we can't run queue +- * any more, even __blk_mq_hctx_has_pending() can't be called safely. +- * +- * And queue will be rerun in blk_mq_unquiesce_queue() if it is +- * quiesced. +- */ +- __blk_mq_run_dispatch_ops(hctx->queue, false, +- need_run = !blk_queue_quiesced(hctx->queue) && +- blk_mq_hctx_has_pending(hctx)); +- +- if (!need_run) +- return; ++ need_run = blk_mq_hw_queue_need_run(hctx); ++ if (!need_run) { ++ unsigned long flags; ++ ++ /* ++ * Synchronize with blk_mq_unquiesce_queue(), because we check ++ * if hw queue is quiesced locklessly above, we need the use ++ * ->queue_lock to make sure we see the up-to-date status to ++ * not miss rerunning the hw queue. ++ */ ++ spin_lock_irqsave(&hctx->queue->queue_lock, flags); ++ need_run = blk_mq_hw_queue_need_run(hctx); ++ spin_unlock_irqrestore(&hctx->queue->queue_lock, flags); ++ ++ if (!need_run) ++ return; ++ } + + if (async || !cpumask_test_cpu(raw_smp_processor_id(), hctx->cpumask)) { + blk_mq_delay_run_hw_queue(hctx, 0); diff --git a/queue-6.12/gve-flow-steering-trigger-reset-only-for-timeout-error.patch b/queue-6.12/gve-flow-steering-trigger-reset-only-for-timeout-error.patch new file mode 100644 index 00000000000..fcb4aceea43 --- /dev/null +++ b/queue-6.12/gve-flow-steering-trigger-reset-only-for-timeout-error.patch @@ -0,0 +1,41 @@ +From 8ffade77b6337a8767fae9820d57d7a6413dd1a1 Mon Sep 17 00:00:00 2001 +From: Ziwei Xiao +Date: Wed, 13 Nov 2024 09:59:30 -0800 +Subject: gve: Flow steering trigger reset only for timeout error + +From: Ziwei Xiao + +commit 8ffade77b6337a8767fae9820d57d7a6413dd1a1 upstream. + +When configuring flow steering rules, the driver is currently going +through a reset for all errors from the device. Instead, the driver +should only reset when there's a timeout error from the device. + +Fixes: 57718b60df9b ("gve: Add flow steering adminq commands") +Cc: stable@vger.kernel.org +Signed-off-by: Ziwei Xiao +Signed-off-by: Jeroen de Borst +Reviewed-by: Harshitha Ramamurthy +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241113175930.2585680-1-jeroendb@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_adminq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/google/gve/gve_adminq.c ++++ b/drivers/net/ethernet/google/gve/gve_adminq.c +@@ -1248,10 +1248,10 @@ gve_adminq_configure_flow_rule(struct gv + sizeof(struct gve_adminq_configure_flow_rule), + flow_rule_cmd); + +- if (err) { ++ if (err == -ETIME) { + dev_err(&priv->pdev->dev, "Timeout to configure the flow rule, trigger reset"); + gve_reset(priv, true); +- } else { ++ } else if (!err) { + priv->flow_rules_cache.rules_cache_synced = false; + } + diff --git a/queue-6.12/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch b/queue-6.12/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch new file mode 100644 index 00000000000..1eab6a8915c --- /dev/null +++ b/queue-6.12/hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch @@ -0,0 +1,41 @@ +From 49a397ad24ee5e2c53a59dada2780d7e71bd3f77 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Mon, 28 Oct 2024 10:39:14 -0700 +Subject: HID: wacom: Interpret tilt data from Intuos Pro BT as signed values + +From: Jason Gerecke + +commit 49a397ad24ee5e2c53a59dada2780d7e71bd3f77 upstream. + +The tilt data contained in the Bluetooth packets of an Intuos Pro are +supposed to be interpreted as signed values. Simply casting the values +to type `char` is not guaranteed to work since it is implementation- +defined whether it is signed or unsigned. At least one user has noticed +the data being reported incorrectly on their system. To ensure that the +data is interpreted properly, we specifically cast to `signed char` +instead. + +Link: https://github.com/linuxwacom/input-wacom/issues/445 +Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface") +CC: stable@vger.kernel.org # 4.11+ +Signed-off-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1353,9 +1353,9 @@ static void wacom_intuos_pro2_bt_pen(str + rotation -= 1800; + + input_report_abs(pen_input, ABS_TILT_X, +- (char)frame[7]); ++ (signed char)frame[7]); + input_report_abs(pen_input, ABS_TILT_Y, +- (char)frame[8]); ++ (signed char)frame[8]); + input_report_abs(pen_input, ABS_Z, rotation); + input_report_abs(pen_input, ABS_WHEEL, + get_unaligned_le16(&frame[11])); diff --git a/queue-6.12/i40e-fix-handling-changed-priv-flags.patch b/queue-6.12/i40e-fix-handling-changed-priv-flags.patch new file mode 100644 index 00000000000..bdc5906e429 --- /dev/null +++ b/queue-6.12/i40e-fix-handling-changed-priv-flags.patch @@ -0,0 +1,81 @@ +From ea301aec8bb718b02b68761d2229fc12c9fefa29 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Peter=20Gro=C3=9Fe?= +Date: Wed, 13 Nov 2024 13:07:04 -0800 +Subject: i40e: Fix handling changed priv flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Große + +commit ea301aec8bb718b02b68761d2229fc12c9fefa29 upstream. + +After assembling the new private flags on a PF, the operation to determine +the changed flags uses the wrong bitmaps. Instead of xor-ing orig_flags +with new_flags, it uses the still unchanged pf->flags, thus changed_flags +is always 0. + +Fix it by using the correct bitmaps. + +The issue was discovered while debugging why disabling source pruning +stopped working with release 6.7. Although the new flags will be copied to +pf->flags later on in that function, disabling source pruning requires +a reset of the PF, which was skipped due to this bug. + +Disabling source pruning: +$ sudo ethtool --set-priv-flags eno1 disable-source-pruning on +$ sudo ethtool --show-priv-flags eno1 +Private flags for eno1: +MFP : off +total-port-shutdown : off +LinkPolling : off +flow-director-atr : on +veb-stats : off +hw-atr-eviction : off +link-down-on-close : off +legacy-rx : off +disable-source-pruning: on +disable-fw-lldp : off +rs-fec : off +base-r-fec : off +vf-vlan-pruning : off + +Regarding reproducing: + +I observed the issue with a rather complicated lab setup, where + * two VLAN interfaces are created on eno1 + * each with a different MAC address assigned + * each moved into a separate namespace + * both VLANs are bridged externally, so they form a single layer 2 network + +The external bridge is done via a channel emulator adding packet loss and +delay and the application in the namespaces tries to send/receive traffic +and measure the performance. Sender and receiver are separated by +namespaces, yet the network card "sees its own traffic" send back to it. +To make that work, source pruning has to be disabled. + +Cc: stable@vger.kernel.org +Fixes: 70756d0a4727 ("i40e: Use DECLARE_BITMAP for flags and hw_features fields in i40e_pf") +Signed-off-by: Peter Große +Reviewed-by: Paul Menzel +Reviewed-by: Przemek Kitszel +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Link: https://patch.msgid.link/20241113210705.1296408-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -5299,7 +5299,7 @@ static int i40e_set_priv_flags(struct ne + } + + flags_complete: +- bitmap_xor(changed_flags, pf->flags, orig_flags, I40E_PF_FLAGS_NBITS); ++ bitmap_xor(changed_flags, new_flags, orig_flags, I40E_PF_FLAGS_NBITS); + + if (test_bit(I40E_FLAG_FW_LLDP_DIS, changed_flags)) + reset_needed = I40E_PF_RESET_AND_REBUILD_FLAG; diff --git a/queue-6.12/media-intel-ipu6-do-not-handle-interrupts-when-device-is-disabled.patch b/queue-6.12/media-intel-ipu6-do-not-handle-interrupts-when-device-is-disabled.patch new file mode 100644 index 00000000000..6e951e91db3 --- /dev/null +++ b/queue-6.12/media-intel-ipu6-do-not-handle-interrupts-when-device-is-disabled.patch @@ -0,0 +1,76 @@ +From 1429826883bb18847092b2e04c6598ef34bae1d4 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 31 Oct 2024 11:23:21 +0100 +Subject: media: intel/ipu6: do not handle interrupts when device is disabled + +From: Stanislaw Gruszka + +commit 1429826883bb18847092b2e04c6598ef34bae1d4 upstream. + +Some IPU6 devices have shared interrupts. We need to handle properly +case when interrupt is triggered from other device on shared irq line +and IPU6 itself disabled. In such case we get 0xffffffff from +ISR_STATUS register and handle all irq's cases, for what we are not +not prepared and usually hang the whole system. + +To avoid the issue use pm_runtime_get_if_active() to check if +the device is enabled and prevent suspending it when we handle irq +until the end of irq. Additionally use synchronize_irq() in suspend + +Fixes: ab29a2478e70 ("media: intel/ipu6: add IPU6 buttress interface driver") +Cc: stable@vger.kernel.org +Signed-off-by: Stanislaw Gruszka +Reviewed-by: Hans de Goede +Tested-by: Hans de Goede # ThinkPad X1 Yoga Gen 8, ov2740 +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ipu6/ipu6-buttress.c | 13 +++++++++---- + drivers/media/pci/intel/ipu6/ipu6.c | 3 +++ + 2 files changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/media/pci/intel/ipu6/ipu6-buttress.c ++++ b/drivers/media/pci/intel/ipu6/ipu6-buttress.c +@@ -346,12 +346,16 @@ irqreturn_t ipu6_buttress_isr(int irq, v + u32 disable_irqs = 0; + u32 irq_status; + u32 i, count = 0; ++ int active; + +- pm_runtime_get_noresume(&isp->pdev->dev); ++ active = pm_runtime_get_if_active(&isp->pdev->dev); ++ if (!active) ++ return IRQ_NONE; + + irq_status = readl(isp->base + reg_irq_sts); +- if (!irq_status) { +- pm_runtime_put_noidle(&isp->pdev->dev); ++ if (irq_status == 0 || WARN_ON_ONCE(irq_status == 0xffffffffu)) { ++ if (active > 0) ++ pm_runtime_put_noidle(&isp->pdev->dev); + return IRQ_NONE; + } + +@@ -427,7 +431,8 @@ irqreturn_t ipu6_buttress_isr(int irq, v + writel(BUTTRESS_IRQS & ~disable_irqs, + isp->base + BUTTRESS_REG_ISR_ENABLE); + +- pm_runtime_put(&isp->pdev->dev); ++ if (active > 0) ++ pm_runtime_put(&isp->pdev->dev); + + return ret; + } +--- a/drivers/media/pci/intel/ipu6/ipu6.c ++++ b/drivers/media/pci/intel/ipu6/ipu6.c +@@ -752,6 +752,9 @@ static void ipu6_pci_reset_done(struct p + */ + static int ipu6_suspend(struct device *dev) + { ++ struct pci_dev *pdev = to_pci_dev(dev); ++ ++ synchronize_irq(pdev->irq); + return 0; + } + diff --git a/queue-6.12/media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch b/queue-6.12/media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch new file mode 100644 index 00000000000..e74f938f26c --- /dev/null +++ b/queue-6.12/media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch @@ -0,0 +1,368 @@ +From 9f070b1862f3411b8bcdfd51a8eaad25286f9deb Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 14 Oct 2024 16:52:41 +0200 +Subject: media: v4l2-core: v4l2-dv-timings: check cvt/gtf result + +From: Hans Verkuil + +commit 9f070b1862f3411b8bcdfd51a8eaad25286f9deb upstream. + +The v4l2_detect_cvt/gtf functions should check the result against the +timing capabilities: these functions calculate the timings, so if they +are out of bounds, they should be rejected. + +To do this, add the struct v4l2_dv_timings_cap as argument to those +functions. + +This required updates to the adv7604 and adv7842 drivers since the +prototype of these functions has now changed. The timings struct +that is passed to v4l2_detect_cvt/gtf in those two drivers is filled +with the timings detected by the hardware. + +The vivid driver was also updated, but an additional check was added: +the width and height specified by VIDIOC_S_DV_TIMINGS has to match the +calculated result, otherwise something went wrong. Note that vivid +*emulates* hardware, so all the values passed to the v4l2_detect_cvt/gtf +functions came from the timings struct that was filled by userspace +and passed on to the driver via VIDIOC_S_DV_TIMINGS. So these fields +can contain random data. Both the constraints check via +struct v4l2_dv_timings_cap and the additional width/height check +ensure that the resulting timings are sane and not messed up by the +v4l2_detect_cvt/gtf calculations. + +Signed-off-by: Hans Verkuil +Fixes: 2576415846bc ("[media] v4l2: move dv-timings related code to v4l2-dv-timings.c") +Cc: stable@vger.kernel.org +Reported-by: syzbot+a828133770f62293563e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-media/000000000000013050062127830a@google.com/ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7604.c | 5 + drivers/media/i2c/adv7842.c | 13 +- + drivers/media/test-drivers/vivid/vivid-vid-cap.c | 15 ++ + drivers/media/v4l2-core/v4l2-dv-timings.c | 132 ++++++++++++----------- + include/media/v4l2-dv-timings.h | 18 ++- + 5 files changed, 107 insertions(+), 76 deletions(-) + +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -1405,12 +1405,13 @@ static int stdi2dv_timings(struct v4l2_s + if (v4l2_detect_cvt(stdi->lcf + 1, hfreq, stdi->lcvs, 0, + (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | + (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), +- false, timings)) ++ false, adv76xx_get_dv_timings_cap(sd, -1), timings)) + return 0; + if (v4l2_detect_gtf(stdi->lcf + 1, hfreq, stdi->lcvs, + (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | + (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), +- false, state->aspect_ratio, timings)) ++ false, state->aspect_ratio, ++ adv76xx_get_dv_timings_cap(sd, -1), timings)) + return 0; + + v4l2_dbg(2, debug, sd, +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -1431,14 +1431,15 @@ static int stdi2dv_timings(struct v4l2_s + } + + if (v4l2_detect_cvt(stdi->lcf + 1, hfreq, stdi->lcvs, 0, +- (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | +- (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), +- false, timings)) ++ (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | ++ (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), ++ false, adv7842_get_dv_timings_cap(sd), timings)) + return 0; + if (v4l2_detect_gtf(stdi->lcf + 1, hfreq, stdi->lcvs, +- (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | +- (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), +- false, state->aspect_ratio, timings)) ++ (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) | ++ (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0), ++ false, state->aspect_ratio, ++ adv7842_get_dv_timings_cap(sd), timings)) + return 0; + + v4l2_dbg(2, debug, sd, +--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c ++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c +@@ -1459,12 +1459,19 @@ static bool valid_cvt_gtf_timings(struct + h_freq = (u32)bt->pixelclock / total_h_pixel; + + if (bt->standards == 0 || (bt->standards & V4L2_DV_BT_STD_CVT)) { ++ struct v4l2_dv_timings cvt = {}; ++ + if (v4l2_detect_cvt(total_v_lines, h_freq, bt->vsync, bt->width, +- bt->polarities, bt->interlaced, timings)) ++ bt->polarities, bt->interlaced, ++ &vivid_dv_timings_cap, &cvt) && ++ cvt.bt.width == bt->width && cvt.bt.height == bt->height) { ++ *timings = cvt; + return true; ++ } + } + + if (bt->standards == 0 || (bt->standards & V4L2_DV_BT_STD_GTF)) { ++ struct v4l2_dv_timings gtf = {}; + struct v4l2_fract aspect_ratio; + + find_aspect_ratio(bt->width, bt->height, +@@ -1472,8 +1479,12 @@ static bool valid_cvt_gtf_timings(struct + &aspect_ratio.denominator); + if (v4l2_detect_gtf(total_v_lines, h_freq, bt->vsync, + bt->polarities, bt->interlaced, +- aspect_ratio, timings)) ++ aspect_ratio, &vivid_dv_timings_cap, ++ >f) && ++ gtf.bt.width == bt->width && gtf.bt.height == bt->height) { ++ *timings = gtf; + return true; ++ } + } + return false; + } +--- a/drivers/media/v4l2-core/v4l2-dv-timings.c ++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c +@@ -481,25 +481,28 @@ EXPORT_SYMBOL_GPL(v4l2_calc_timeperframe + * @polarities - the horizontal and vertical polarities (same as struct + * v4l2_bt_timings polarities). + * @interlaced - if this flag is true, it indicates interlaced format +- * @fmt - the resulting timings. ++ * @cap - the v4l2_dv_timings_cap capabilities. ++ * @timings - the resulting timings. + * + * This function will attempt to detect if the given values correspond to a + * valid CVT format. If so, then it will return true, and fmt will be filled + * in with the found CVT timings. + */ +-bool v4l2_detect_cvt(unsigned frame_height, +- unsigned hfreq, +- unsigned vsync, +- unsigned active_width, ++bool v4l2_detect_cvt(unsigned int frame_height, ++ unsigned int hfreq, ++ unsigned int vsync, ++ unsigned int active_width, + u32 polarities, + bool interlaced, +- struct v4l2_dv_timings *fmt) ++ const struct v4l2_dv_timings_cap *cap, ++ struct v4l2_dv_timings *timings) + { +- int v_fp, v_bp, h_fp, h_bp, hsync; +- int frame_width, image_height, image_width; ++ struct v4l2_dv_timings t = {}; ++ int v_fp, v_bp, h_fp, h_bp, hsync; ++ int frame_width, image_height, image_width; + bool reduced_blanking; + bool rb_v2 = false; +- unsigned pix_clk; ++ unsigned int pix_clk; + + if (vsync < 4 || vsync > 8) + return false; +@@ -625,36 +628,39 @@ bool v4l2_detect_cvt(unsigned frame_heig + h_fp = h_blank - hsync - h_bp; + } + +- fmt->type = V4L2_DV_BT_656_1120; +- fmt->bt.polarities = polarities; +- fmt->bt.width = image_width; +- fmt->bt.height = image_height; +- fmt->bt.hfrontporch = h_fp; +- fmt->bt.vfrontporch = v_fp; +- fmt->bt.hsync = hsync; +- fmt->bt.vsync = vsync; +- fmt->bt.hbackporch = frame_width - image_width - h_fp - hsync; ++ t.type = V4L2_DV_BT_656_1120; ++ t.bt.polarities = polarities; ++ t.bt.width = image_width; ++ t.bt.height = image_height; ++ t.bt.hfrontporch = h_fp; ++ t.bt.vfrontporch = v_fp; ++ t.bt.hsync = hsync; ++ t.bt.vsync = vsync; ++ t.bt.hbackporch = frame_width - image_width - h_fp - hsync; + + if (!interlaced) { +- fmt->bt.vbackporch = frame_height - image_height - v_fp - vsync; +- fmt->bt.interlaced = V4L2_DV_PROGRESSIVE; ++ t.bt.vbackporch = frame_height - image_height - v_fp - vsync; ++ t.bt.interlaced = V4L2_DV_PROGRESSIVE; + } else { +- fmt->bt.vbackporch = (frame_height - image_height - 2 * v_fp - ++ t.bt.vbackporch = (frame_height - image_height - 2 * v_fp - + 2 * vsync) / 2; +- fmt->bt.il_vbackporch = frame_height - image_height - 2 * v_fp - +- 2 * vsync - fmt->bt.vbackporch; +- fmt->bt.il_vfrontporch = v_fp; +- fmt->bt.il_vsync = vsync; +- fmt->bt.flags |= V4L2_DV_FL_HALF_LINE; +- fmt->bt.interlaced = V4L2_DV_INTERLACED; ++ t.bt.il_vbackporch = frame_height - image_height - 2 * v_fp - ++ 2 * vsync - t.bt.vbackporch; ++ t.bt.il_vfrontporch = v_fp; ++ t.bt.il_vsync = vsync; ++ t.bt.flags |= V4L2_DV_FL_HALF_LINE; ++ t.bt.interlaced = V4L2_DV_INTERLACED; + } + +- fmt->bt.pixelclock = pix_clk; +- fmt->bt.standards = V4L2_DV_BT_STD_CVT; ++ t.bt.pixelclock = pix_clk; ++ t.bt.standards = V4L2_DV_BT_STD_CVT; + + if (reduced_blanking) +- fmt->bt.flags |= V4L2_DV_FL_REDUCED_BLANKING; ++ t.bt.flags |= V4L2_DV_FL_REDUCED_BLANKING; + ++ if (!v4l2_valid_dv_timings(&t, cap, NULL, NULL)) ++ return false; ++ *timings = t; + return true; + } + EXPORT_SYMBOL_GPL(v4l2_detect_cvt); +@@ -699,22 +705,25 @@ EXPORT_SYMBOL_GPL(v4l2_detect_cvt); + * image height, so it has to be passed explicitly. Usually + * the native screen aspect ratio is used for this. If it + * is not filled in correctly, then 16:9 will be assumed. +- * @fmt - the resulting timings. ++ * @cap - the v4l2_dv_timings_cap capabilities. ++ * @timings - the resulting timings. + * + * This function will attempt to detect if the given values correspond to a + * valid GTF format. If so, then it will return true, and fmt will be filled + * in with the found GTF timings. + */ +-bool v4l2_detect_gtf(unsigned frame_height, +- unsigned hfreq, +- unsigned vsync, +- u32 polarities, +- bool interlaced, +- struct v4l2_fract aspect, +- struct v4l2_dv_timings *fmt) ++bool v4l2_detect_gtf(unsigned int frame_height, ++ unsigned int hfreq, ++ unsigned int vsync, ++ u32 polarities, ++ bool interlaced, ++ struct v4l2_fract aspect, ++ const struct v4l2_dv_timings_cap *cap, ++ struct v4l2_dv_timings *timings) + { ++ struct v4l2_dv_timings t = {}; + int pix_clk; +- int v_fp, v_bp, h_fp, hsync; ++ int v_fp, v_bp, h_fp, hsync; + int frame_width, image_height, image_width; + bool default_gtf; + int h_blank; +@@ -783,36 +792,39 @@ bool v4l2_detect_gtf(unsigned frame_heig + + h_fp = h_blank / 2 - hsync; + +- fmt->type = V4L2_DV_BT_656_1120; +- fmt->bt.polarities = polarities; +- fmt->bt.width = image_width; +- fmt->bt.height = image_height; +- fmt->bt.hfrontporch = h_fp; +- fmt->bt.vfrontporch = v_fp; +- fmt->bt.hsync = hsync; +- fmt->bt.vsync = vsync; +- fmt->bt.hbackporch = frame_width - image_width - h_fp - hsync; ++ t.type = V4L2_DV_BT_656_1120; ++ t.bt.polarities = polarities; ++ t.bt.width = image_width; ++ t.bt.height = image_height; ++ t.bt.hfrontporch = h_fp; ++ t.bt.vfrontporch = v_fp; ++ t.bt.hsync = hsync; ++ t.bt.vsync = vsync; ++ t.bt.hbackporch = frame_width - image_width - h_fp - hsync; + + if (!interlaced) { +- fmt->bt.vbackporch = frame_height - image_height - v_fp - vsync; +- fmt->bt.interlaced = V4L2_DV_PROGRESSIVE; ++ t.bt.vbackporch = frame_height - image_height - v_fp - vsync; ++ t.bt.interlaced = V4L2_DV_PROGRESSIVE; + } else { +- fmt->bt.vbackporch = (frame_height - image_height - 2 * v_fp - ++ t.bt.vbackporch = (frame_height - image_height - 2 * v_fp - + 2 * vsync) / 2; +- fmt->bt.il_vbackporch = frame_height - image_height - 2 * v_fp - +- 2 * vsync - fmt->bt.vbackporch; +- fmt->bt.il_vfrontporch = v_fp; +- fmt->bt.il_vsync = vsync; +- fmt->bt.flags |= V4L2_DV_FL_HALF_LINE; +- fmt->bt.interlaced = V4L2_DV_INTERLACED; ++ t.bt.il_vbackporch = frame_height - image_height - 2 * v_fp - ++ 2 * vsync - t.bt.vbackporch; ++ t.bt.il_vfrontporch = v_fp; ++ t.bt.il_vsync = vsync; ++ t.bt.flags |= V4L2_DV_FL_HALF_LINE; ++ t.bt.interlaced = V4L2_DV_INTERLACED; + } + +- fmt->bt.pixelclock = pix_clk; +- fmt->bt.standards = V4L2_DV_BT_STD_GTF; ++ t.bt.pixelclock = pix_clk; ++ t.bt.standards = V4L2_DV_BT_STD_GTF; + + if (!default_gtf) +- fmt->bt.flags |= V4L2_DV_FL_REDUCED_BLANKING; ++ t.bt.flags |= V4L2_DV_FL_REDUCED_BLANKING; + ++ if (!v4l2_valid_dv_timings(&t, cap, NULL, NULL)) ++ return false; ++ *timings = t; + return true; + } + EXPORT_SYMBOL_GPL(v4l2_detect_gtf); +--- a/include/media/v4l2-dv-timings.h ++++ b/include/media/v4l2-dv-timings.h +@@ -146,15 +146,18 @@ void v4l2_print_dv_timings(const char *d + * @polarities: the horizontal and vertical polarities (same as struct + * v4l2_bt_timings polarities). + * @interlaced: if this flag is true, it indicates interlaced format ++ * @cap: the v4l2_dv_timings_cap capabilities. + * @fmt: the resulting timings. + * + * This function will attempt to detect if the given values correspond to a + * valid CVT format. If so, then it will return true, and fmt will be filled + * in with the found CVT timings. + */ +-bool v4l2_detect_cvt(unsigned frame_height, unsigned hfreq, unsigned vsync, +- unsigned active_width, u32 polarities, bool interlaced, +- struct v4l2_dv_timings *fmt); ++bool v4l2_detect_cvt(unsigned int frame_height, unsigned int hfreq, ++ unsigned int vsync, unsigned int active_width, ++ u32 polarities, bool interlaced, ++ const struct v4l2_dv_timings_cap *cap, ++ struct v4l2_dv_timings *fmt); + + /** + * v4l2_detect_gtf - detect if the given timings follow the GTF standard +@@ -170,15 +173,18 @@ bool v4l2_detect_cvt(unsigned frame_heig + * image height, so it has to be passed explicitly. Usually + * the native screen aspect ratio is used for this. If it + * is not filled in correctly, then 16:9 will be assumed. ++ * @cap: the v4l2_dv_timings_cap capabilities. + * @fmt: the resulting timings. + * + * This function will attempt to detect if the given values correspond to a + * valid GTF format. If so, then it will return true, and fmt will be filled + * in with the found GTF timings. + */ +-bool v4l2_detect_gtf(unsigned frame_height, unsigned hfreq, unsigned vsync, +- u32 polarities, bool interlaced, struct v4l2_fract aspect, +- struct v4l2_dv_timings *fmt); ++bool v4l2_detect_gtf(unsigned int frame_height, unsigned int hfreq, ++ unsigned int vsync, u32 polarities, bool interlaced, ++ struct v4l2_fract aspect, ++ const struct v4l2_dv_timings_cap *cap, ++ struct v4l2_dv_timings *fmt); + + /** + * v4l2_calc_aspect_ratio - calculate the aspect ratio based on bytes diff --git a/queue-6.12/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch b/queue-6.12/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch new file mode 100644 index 00000000000..5cdfc7886a1 --- /dev/null +++ b/queue-6.12/media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch @@ -0,0 +1,54 @@ +From ca59f9956d4519ab18ab2270be47c6b8c6ced091 Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Fri, 27 Sep 2024 16:39:02 +0800 +Subject: media: wl128x: Fix atomicity violation in fmc_send_cmd() + +From: Qiu-ji Chen + +commit ca59f9956d4519ab18ab2270be47c6b8c6ced091 upstream. + +Atomicity violation occurs when the fmc_send_cmd() function is executed +simultaneously with the modification of the fmdev->resp_skb value. +Consider a scenario where, after passing the validity check within the +function, a non-null fmdev->resp_skb variable is assigned a null value. +This results in an invalid fmdev->resp_skb variable passing the validity +check. As seen in the later part of the function, skb = fmdev->resp_skb; +when the invalid fmdev->resp_skb passes the check, a null pointer +dereference error may occur at line 478, evt_hdr = (void *)skb->data; + +To address this issue, it is recommended to include the validity check of +fmdev->resp_skb within the locked section of the function. This +modification ensures that the value of fmdev->resp_skb does not change +during the validation process, thereby maintaining its validity. + +This possible bug is found by an experimental static analysis tool +developed by our team. This tool analyzes the locking APIs +to extract function pairs that can be concurrently executed, and then +analyzes the instructions in the paired functions to identify possible +concurrency bugs including data races and atomicity violations. + +Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/radio/wl128x/fmdrv_common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/radio/wl128x/fmdrv_common.c ++++ b/drivers/media/radio/wl128x/fmdrv_common.c +@@ -466,11 +466,12 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 + jiffies_to_msecs(FM_DRV_TX_TIMEOUT) / 1000); + return -ETIMEDOUT; + } ++ spin_lock_irqsave(&fmdev->resp_skb_lock, flags); + if (!fmdev->resp_skb) { ++ spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags); + fmerr("Response SKB is missing\n"); + return -EFAULT; + } +- spin_lock_irqsave(&fmdev->resp_skb_lock, flags); + skb = fmdev->resp_skb; + fmdev->resp_skb = NULL; + spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags); diff --git a/queue-6.12/netdev-genl-hold-rcu_read_lock-in-napi_get.patch b/queue-6.12/netdev-genl-hold-rcu_read_lock-in-napi_get.patch new file mode 100644 index 00000000000..196fb50f6b3 --- /dev/null +++ b/queue-6.12/netdev-genl-hold-rcu_read_lock-in-napi_get.patch @@ -0,0 +1,40 @@ +From c53bf100f68619acf6cedcf4cf5249a1ca2db0b4 Mon Sep 17 00:00:00 2001 +From: Joe Damato +Date: Thu, 14 Nov 2024 17:51:56 +0000 +Subject: netdev-genl: Hold rcu_read_lock in napi_get + +From: Joe Damato + +commit c53bf100f68619acf6cedcf4cf5249a1ca2db0b4 upstream. + +Hold rcu_read_lock in netdev_nl_napi_get_doit, which calls napi_by_id +and is required to be called under rcu_read_lock. + +Cc: stable@vger.kernel.org +Fixes: 27f91aaf49b3 ("netdev-genl: Add netlink framework functions for napi") +Signed-off-by: Joe Damato +Link: https://patch.msgid.link/20241114175157.16604-1-jdamato@fastly.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/netdev-genl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/core/netdev-genl.c ++++ b/net/core/netdev-genl.c +@@ -215,6 +215,7 @@ int netdev_nl_napi_get_doit(struct sk_bu + return -ENOMEM; + + rtnl_lock(); ++ rcu_read_lock(); + + napi = napi_by_id(napi_id); + if (napi) { +@@ -224,6 +225,7 @@ int netdev_nl_napi_get_doit(struct sk_bu + err = -ENOENT; + } + ++ rcu_read_unlock(); + rtnl_unlock(); + + if (err) diff --git a/queue-6.12/series b/queue-6.12/series index e338ce658af..ab50bd51251 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -720,3 +720,19 @@ block-prevent-potential-deadlock-in-blk_revalidate_disk_zones.patch um-vector-do-not-use-drvdata-in-release.patch sh-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch iio-gts-fix-uninitialized-symbol-ret.patch +ublk-fix-ublk_ch_mmap-for-64k-page-size.patch +arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch +block-fix-missing-dispatching-request-when-queue-is-started-or-unquiesced.patch +block-fix-ordering-between-checking-queue_flag_quiesced-request-adding.patch +block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch +blk-mq-make-blk_mq_quiesce_tagset-hold-the-tag-list-mutex-less-long.patch +gve-flow-steering-trigger-reset-only-for-timeout-error.patch +hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch +i40e-fix-handling-changed-priv-flags.patch +media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch +media-intel-ipu6-do-not-handle-interrupts-when-device-is-disabled.patch +arm64-dts-mediatek-mt8186-corsola-voltorb-merge-speaker-codec-nodes.patch +netdev-genl-hold-rcu_read_lock-in-napi_get.patch +soc-fsl-cpm1-qmc-set-the-ret-error-code-on-platform_get_irq-failure.patch +soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch +media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch diff --git a/queue-6.12/soc-fsl-cpm1-qmc-set-the-ret-error-code-on-platform_get_irq-failure.patch b/queue-6.12/soc-fsl-cpm1-qmc-set-the-ret-error-code-on-platform_get_irq-failure.patch new file mode 100644 index 00000000000..e148dbe43eb --- /dev/null +++ b/queue-6.12/soc-fsl-cpm1-qmc-set-the-ret-error-code-on-platform_get_irq-failure.patch @@ -0,0 +1,45 @@ +From cb3daa51db819a172e9524e96e2ed96b4237e51a Mon Sep 17 00:00:00 2001 +From: Herve Codina +Date: Tue, 5 Nov 2024 15:56:23 +0100 +Subject: soc: fsl: cpm1: qmc: Set the ret error code on platform_get_irq() failure + +From: Herve Codina + +commit cb3daa51db819a172e9524e96e2ed96b4237e51a upstream. + +A kernel test robot detected a missing error code: + qmc.c:1942 qmc_probe() warn: missing error code 'ret' + +Indeed, the error returned by platform_get_irq() is checked and the +operation is aborted in case of failure but the ret error code is +not set in that case. + +Set the ret error code. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202411051350.KNy6ZIWA-lkp@intel.com/ +Fixes: 3178d58e0b97 ("soc: fsl: cpm1: Add support for QMC") +Cc: stable@vger.kernel.org +Signed-off-by: Herve Codina +Link: https://lore.kernel.org/r/20241105145623.401528-1-herve.codina@bootlin.com +Signed-off-by: Christophe Leroy +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/fsl/qe/qmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/soc/fsl/qe/qmc.c ++++ b/drivers/soc/fsl/qe/qmc.c +@@ -2004,8 +2004,10 @@ static int qmc_probe(struct platform_dev + + /* Set the irq handler */ + irq = platform_get_irq(pdev, 0); +- if (irq < 0) ++ if (irq < 0) { ++ ret = irq; + goto err_exit_xcc; ++ } + ret = devm_request_irq(qmc->dev, irq, qmc_irq_handler, 0, "qmc", qmc); + if (ret < 0) + goto err_exit_xcc; diff --git a/queue-6.12/soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch b/queue-6.12/soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch new file mode 100644 index 00000000000..f7c39f88bdb --- /dev/null +++ b/queue-6.12/soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch @@ -0,0 +1,35 @@ +From c9f1efabf8e3b3ff886a42669f7093789dbeca94 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Sun, 13 Oct 2024 15:29:17 +0200 +Subject: soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting() + +From: Javier Carrasco + +commit c9f1efabf8e3b3ff886a42669f7093789dbeca94 upstream. + +of_find_compatible_node() requires a call to of_node_put() when the +pointer to the node is not required anymore to decrement its refcount +and avoid leaking memory. + +Add the missing call to of_node_put() after the node has been used. + +Cc: stable@vger.kernel.org +Fixes: e95f287deed2 ("soc: fsl: handle RCPM errata A-008646 on SoC LS1021A") +Signed-off-by: Javier Carrasco +Link: https://lore.kernel.org/r/20241013-rcpm-of_node_put-v1-1-9a8e55a01eae@gmail.com +Signed-off-by: Christophe Leroy +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/fsl/rcpm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/soc/fsl/rcpm.c ++++ b/drivers/soc/fsl/rcpm.c +@@ -36,6 +36,7 @@ static void copy_ippdexpcr1_setting(u32 + return; + + regs = of_iomap(np, 0); ++ of_node_put(np); + if (!regs) + return; + diff --git a/queue-6.12/ublk-fix-ublk_ch_mmap-for-64k-page-size.patch b/queue-6.12/ublk-fix-ublk_ch_mmap-for-64k-page-size.patch new file mode 100644 index 00000000000..093d6211e3e --- /dev/null +++ b/queue-6.12/ublk-fix-ublk_ch_mmap-for-64k-page-size.patch @@ -0,0 +1,68 @@ +From d369735e02ef122d19d4c3d093028da0eb400636 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Mon, 11 Nov 2024 19:07:18 +0800 +Subject: ublk: fix ublk_ch_mmap() for 64K page size + +From: Ming Lei + +commit d369735e02ef122d19d4c3d093028da0eb400636 upstream. + +In ublk_ch_mmap(), queue id is calculated in the following way: + + (vma->vm_pgoff << PAGE_SHIFT) / `max_cmd_buf_size` + +'max_cmd_buf_size' is equal to + + `UBLK_MAX_QUEUE_DEPTH * sizeof(struct ublksrv_io_desc)` + +and UBLK_MAX_QUEUE_DEPTH is 4096 and part of UAPI, so 'max_cmd_buf_size' +is always page aligned in 4K page size kernel. However, it isn't true in +64K page size kernel. + +Fixes the issue by always rounding up 'max_cmd_buf_size' with PAGE_SIZE. + +Cc: stable@vger.kernel.org +Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20241111110718.1394001-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/ublk_drv.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -664,12 +664,21 @@ static inline char *ublk_queue_cmd_buf(s + return ublk_get_queue(ub, q_id)->io_cmd_buf; + } + ++static inline int __ublk_queue_cmd_buf_size(int depth) ++{ ++ return round_up(depth * sizeof(struct ublksrv_io_desc), PAGE_SIZE); ++} ++ + static inline int ublk_queue_cmd_buf_size(struct ublk_device *ub, int q_id) + { + struct ublk_queue *ubq = ublk_get_queue(ub, q_id); + +- return round_up(ubq->q_depth * sizeof(struct ublksrv_io_desc), +- PAGE_SIZE); ++ return __ublk_queue_cmd_buf_size(ubq->q_depth); ++} ++ ++static int ublk_max_cmd_buf_size(void) ++{ ++ return __ublk_queue_cmd_buf_size(UBLK_MAX_QUEUE_DEPTH); + } + + static inline bool ublk_queue_can_use_recovery_reissue( +@@ -1322,7 +1331,7 @@ static int ublk_ch_mmap(struct file *fil + { + struct ublk_device *ub = filp->private_data; + size_t sz = vma->vm_end - vma->vm_start; +- unsigned max_sz = UBLK_MAX_QUEUE_DEPTH * sizeof(struct ublksrv_io_desc); ++ unsigned max_sz = ublk_max_cmd_buf_size(); + unsigned long pfn, end, phys_off = vma->vm_pgoff << PAGE_SHIFT; + int q_id, ret = 0; + -- 2.47.3