From 94cb12a9a65d6353b2af404aa3de1a91f143d5db Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 15:32:20 +0200 Subject: [PATCH] 6.1-stable patches added patches: cifs-avoid-null-pointer-dereference-in-dbg-call.patch cifs-fix-integer-overflow-in-match_server.patch clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch crypto-ccp-fix-check-for-the-primary-asp-device.patch dm-ebs-fix-prefetch-vs-suspend-race.patch dm-integrity-set-ti-error-on-memory-allocation-failure.patch dm-verity-fix-prefetch-vs-suspend-race.patch ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch --- ...null-pointer-dereference-in-dbg-call.patch | 42 +++++++++ ...fix-integer-overflow-in-match_server.patch | 41 +++++++++ ...e-pm_genpd_add_subdomain-result-code.patch | 92 +++++++++++++++++++ ...e-pm-subdomains-in-reverse-add-order.patch | 36 ++++++++ ...t-retain_ff-before-moving-to-hw-ctrl.patch | 79 ++++++++++++++++ ...fix-check-for-the-primary-asp-device.patch | 54 +++++++++++ .../dm-ebs-fix-prefetch-vs-suspend-race.patch | 43 +++++++++ ...i-error-on-memory-allocation-failure.patch | 41 +++++++++ ...-verity-fix-prefetch-vs-suspend-race.patch | 45 +++++++++ ...ond_resched-to-ftrace_graph_set_hash.patch | 39 ++++++++ ...resource-handling-in-acpi-probe-path.patch | 69 ++++++++++++++ ...wakeup-source-leaks-on-device-unbind.patch | 31 +++++++ ...en-reporting-tx-consumed-descriptors.patch | 40 ++++++++ ...ate-to-protect-guest-memory-accesses.patch | 82 +++++++++++++++++ queue-6.1/series | 15 +++ ...hip-add-missing-rk3328-mapping-entry.patch | 61 ++++++++++++ 16 files changed, 810 insertions(+) 
create mode 100644 queue-6.1/cifs-avoid-null-pointer-dereference-in-dbg-call.patch create mode 100644 queue-6.1/cifs-fix-integer-overflow-in-match_server.patch create mode 100644 queue-6.1/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch create mode 100644 queue-6.1/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch create mode 100644 queue-6.1/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch create mode 100644 queue-6.1/crypto-ccp-fix-check-for-the-primary-asp-device.patch create mode 100644 queue-6.1/dm-ebs-fix-prefetch-vs-suspend-race.patch create mode 100644 queue-6.1/dm-integrity-set-ti-error-on-memory-allocation-failure.patch create mode 100644 queue-6.1/dm-verity-fix-prefetch-vs-suspend-race.patch create mode 100644 queue-6.1/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch create mode 100644 queue-6.1/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch create mode 100644 queue-6.1/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch create mode 100644 queue-6.1/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch create mode 100644 queue-6.1/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch create mode 100644 queue-6.1/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch diff --git a/queue-6.1/cifs-avoid-null-pointer-dereference-in-dbg-call.patch b/queue-6.1/cifs-avoid-null-pointer-dereference-in-dbg-call.patch new file mode 100644 index 0000000000..f6647d0257 --- /dev/null +++ b/queue-6.1/cifs-avoid-null-pointer-dereference-in-dbg-call.patch 
@@ -0,0 +1,42 @@
+From b4885bd5935bb26f0a414ad55679a372e53f9b9b Mon Sep 17 00:00:00 2001
+From: Alexandra Diupina
+Date: Wed, 19 Mar 2025 17:28:58 +0300
+Subject: cifs: avoid NULL pointer dereference in dbg call
+
+From: Alexandra Diupina
+
+commit b4885bd5935bb26f0a414ad55679a372e53f9b9b upstream.
+
+cifs_server_dbg() implies server to be non-NULL so
+move call under condition to avoid NULL pointer dereference.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandra Diupina
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/smb2misc.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/smb2misc.c
++++ b/fs/smb/client/smb2misc.c
+@@ -814,11 +814,12 @@ smb2_handle_cancelled_close(struct cifs_
+ WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
+ spin_unlock(&cifs_tcp_ses_lock);
+
+- if (tcon->ses)
++ if (tcon->ses) {
+ server = tcon->ses->server;
+-
+- cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
+- tcon->tid, persistent_fid, volatile_fid);
++ cifs_server_dbg(FYI,
++ "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
++ tcon->tid, persistent_fid, volatile_fid);
++ }
+
+ return 0;
+ }
diff --git a/queue-6.1/cifs-fix-integer-overflow-in-match_server.patch b/queue-6.1/cifs-fix-integer-overflow-in-match_server.patch
new file mode 100644
index 0000000000..3953ac36ac
--- /dev/null
+++ b/queue-6.1/cifs-fix-integer-overflow-in-match_server.patch
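Review bot: With the call moved inside `if (tcon->ses)`, the "tcon is closing, skipping async close retry" trace in smb2_handle_cancelled_close() is dropped without a replacement when tcon->ses is NULL, which is the unusual teardown state someone chasing a leaked handle would most want logged. An `else` branch using the helper that needs no server pointer keeps the message: `else cifs_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n", tcon->tid, persistent_fid, volatile_fid);`. tcon->ses is also read after `spin_unlock(&cifs_tcp_ses_lock)`; whether the session pointer is still guaranteed stable there cannot be judged from the hunk, because the function starts above it.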
@@ -0,0 +1,41 @@
+From 2510859475d7f46ed7940db0853f3342bf1b65ee Mon Sep 17 00:00:00 2001
+From: Roman Smirnov
+Date: Mon, 31 Mar 2025 11:22:49 +0300
+Subject: cifs: fix integer overflow in match_server()
+
+From: Roman Smirnov
+
+commit 2510859475d7f46ed7940db0853f3342bf1b65ee upstream.
+
+The echo_interval is not limited in any way during mounting,
+which makes it possible to write a large number to it. This can
+cause an overflow when multiplying ctx->echo_interval by HZ in
+match_server().
+
+Add constraints for echo_interval to smb3_fs_context_parse_param().
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Smirnov
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/fs_context.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1111,6 +1111,11 @@ static int smb3_fs_context_parse_param(s
+ ctx->closetimeo = HZ * result.uint_32;
+ break;
+ case Opt_echo_interval:
++ if (result.uint_32 < SMB_ECHO_INTERVAL_MIN ||
++ result.uint_32 > SMB_ECHO_INTERVAL_MAX) {
++ cifs_errorf(fc, "echo interval is out of bounds\n");
++ goto cifs_parse_mount_err;
++ }
+ ctx->echo_interval = result.uint_32;
+ break;
+ case Opt_snapshot:
diff --git a/queue-6.1/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch b/queue-6.1/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch
new file mode 100644
index 0000000000..ea7f25a75b
--- /dev/null
+++ b/queue-6.1/clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch
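Review bot: The rejection added to the Opt_echo_interval case reports only "echo interval is out of bounds", so whoever supplied the mount option has no way to learn the accepted range from the log. Naming the limits in the message removes the guesswork: `cifs_errorf(fc, "echo interval must be between %d and %d\n", SMB_ECHO_INTERVAL_MIN, SMB_ECHO_INTERVAL_MAX);`. The context line just above, `ctx->closetimeo = HZ * result.uint_32;`, is the same multiply-by-HZ pattern on a mount-supplied value; any bound on it would sit above the hunk and is not visible here, so it is worth confirming that it is checked before the multiplication.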
@@ -0,0 +1,92 @@ +From 65a733464553ea192797b889d1533a1a37216f32 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Fri, 17 Jan 2025 13:54:08 +0000 +Subject: clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code + +From: Bryan O'Donoghue + +commit 65a733464553ea192797b889d1533a1a37216f32 upstream. + +Adding a new clause to this if/else I noticed the existing usage of +pm_genpd_add_subdomain() wasn't capturing and returning the result code. + +pm_genpd_add_subdomain() returns an int and can fail. Capture that result +code and throw it up the call stack if something goes wrong. + +Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support") +Cc: stable@vger.kernel.org +Signed-off-by: Bryan O'Donoghue +Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-2-13f2bb656dad@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gdsc.c | 40 +++++++++++++++++++++++++++------------- + 1 file changed, 27 insertions(+), 13 deletions(-) + +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -463,6 +463,23 @@ err_disable_supply: + return ret; + } + ++static void gdsc_pm_subdomain_remove(struct gdsc_desc *desc, size_t num) ++{ ++ struct device *dev = desc->dev; ++ struct gdsc **scs = desc->scs; ++ int i; ++ ++ /* Remove subdomains */ ++ for (i = num - 1; i >= 0; i--) { ++ if (!scs[i]) ++ continue; ++ if (scs[i]->parent) ++ pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd); ++ else if (!IS_ERR_OR_NULL(dev->pm_domain)) ++ pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd); ++ } ++} ++ + int gdsc_register(struct gdsc_desc *desc, + struct reset_controller_dev *rcdev, struct regmap *regmap) + { +@@ -507,30 +524,27 @@ int gdsc_register(struct gdsc_desc *desc + if (!scs[i]) + continue; + if (scs[i]->parent) +- pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd); ++ ret = pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd); + else if 
(!IS_ERR_OR_NULL(dev->pm_domain)) +- pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd); ++ ret = pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd); ++ if (ret) ++ goto err_pm_subdomain_remove; + } + + return of_genpd_add_provider_onecell(dev->of_node, data); ++ ++err_pm_subdomain_remove: ++ gdsc_pm_subdomain_remove(desc, i); ++ ++ return ret; + } + + void gdsc_unregister(struct gdsc_desc *desc) + { +- int i; + struct device *dev = desc->dev; +- struct gdsc **scs = desc->scs; + size_t num = desc->num; + +- /* Remove subdomains */ +- for (i = num - 1; i >= 0; i--) { +- if (!scs[i]) +- continue; +- if (scs[i]->parent) +- pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd); +- else if (!IS_ERR_OR_NULL(dev->pm_domain)) +- pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd); +- } ++ gdsc_pm_subdomain_remove(desc, num); + of_genpd_del_provider(dev->of_node); + } + diff --git a/queue-6.1/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch b/queue-6.1/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch new file mode 100644 index 0000000000..c6a9e2f83e --- /dev/null +++ b/queue-6.1/clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch 
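Review bot: gdsc_register() still ends with `return of_genpd_add_provider_onecell(dev->of_node, data);`, so a failure of that final call leaves every subdomain added by the loop attached to its parent, the same kind of leak the new err_pm_subdomain_remove label fixes for pm_genpd_add_subdomain(). Routing the call through the label closes the gap: `ret = of_genpd_add_provider_onecell(dev->of_node, data);` followed by `if (!ret) return 0;`, then falling into the label. Assuming the loop has run i up to num by then, gdsc_pm_subdomain_remove(desc, i) unwinds all entries. The top of gdsc_register() is outside the hunk, so earlier setup that may also need unwinding was not checked.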
@@ -0,0 +1,36 @@
+From 0e6dfde439df0bb977cddd3cf7fff150a084a9bf Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue
+Date: Fri, 17 Jan 2025 13:54:07 +0000
+Subject: clk: qcom: gdsc: Release pm subdomains in reverse add order
+
+From: Bryan O'Donoghue
+
+commit 0e6dfde439df0bb977cddd3cf7fff150a084a9bf upstream.
+
+gdsc_unregister() should release subdomains in the reverse order to the
+order in which those subdomains were added.
+
+I've made this patch a standalone patch because it facilitates a subsequent
+fix to stable.
+
+Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bryan O'Donoghue
+Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-1-13f2bb656dad@linaro.org
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/qcom/gdsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -523,7 +523,7 @@ void gdsc_unregister(struct gdsc_desc *d
+ size_t num = desc->num;
+
+ /* Remove subdomains */
+- for (i = 0; i < num; i++) {
++ for (i = num - 1; i >= 0; i--) {
+ if (!scs[i])
+ continue;
+ if (scs[i]->parent)
diff --git a/queue-6.1/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch b/queue-6.1/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
new file mode 100644
index 0000000000..c1f2437275
--- /dev/null
+++ b/queue-6.1/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
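Review bot: The new loop header `for (i = num - 1; i >= 0; i--)` mixes the `size_t num` declared just above with an index that must be signed for `i >= 0` ever to be false. `num - 1` is evaluated as size_t and only becomes -1 for num == 0 through the implicit conversion to the type of i. The declaration of i is outside this hunk (the gdsc patch that follows in this series shows it as `int i`), so the loop works today, but if i were ever changed to an unsigned type it would never terminate and scs[] would be indexed out of bounds. Making the conversion explicit, `for (i = (int)num - 1; i >= 0; i--)`, documents the dependency on a signed index.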
@@ -0,0 +1,79 @@ +From 25708f73ff171bb4171950c9f4be5aa8504b8459 Mon Sep 17 00:00:00 2001 +From: Taniya Das +Date: Fri, 14 Feb 2025 09:56:59 +0530 +Subject: clk: qcom: gdsc: Set retain_ff before moving to HW CTRL + +From: Taniya Das + +commit 25708f73ff171bb4171950c9f4be5aa8504b8459 upstream. + +Enable the retain_ff_enable bit of GDSCR only if the GDSC is already ON. +Once the GDSCR moves to HW control, SW no longer can determine the state +of the GDSCR and setting the retain_ff bit could destroy all the register +contents we intended to save. +Therefore, move the retain_ff configuration before switching the GDSC to +HW trigger mode. + +Cc: stable@vger.kernel.org +Fixes: 173722995cdb ("clk: qcom: gdsc: Add support to enable retention of GSDCR") +Signed-off-by: Taniya Das +Reviewed-by: Imran Shaik +Tested-by: Imran Shaik # on QCS8300 +Link: https://lore.kernel.org/r/20250214-gdsc_fixes-v1-1-73e56d68a80f@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gdsc.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -290,6 +290,9 @@ static int gdsc_enable(struct generic_pm + */ + udelay(1); + ++ if (sc->flags & RETAIN_FF_ENABLE) ++ gdsc_retain_ff_on(sc); ++ + /* Turn on HW trigger mode if supported */ + if (sc->flags & HW_CTRL) { + ret = gdsc_hwctrl(sc, true); +@@ -306,9 +309,6 @@ static int gdsc_enable(struct generic_pm + udelay(1); + } + +- if (sc->flags & RETAIN_FF_ENABLE) +- gdsc_retain_ff_on(sc); +- + return 0; + } + +@@ -418,13 +418,6 @@ static int gdsc_init(struct gdsc *sc) + goto err_disable_supply; + } + +- /* Turn on HW trigger mode if supported */ +- if (sc->flags & HW_CTRL) { +- ret = gdsc_hwctrl(sc, true); +- if (ret < 0) +- goto err_disable_supply; +- } +- + /* + * Make sure the retain bit is set if the GDSC is already on, + * otherwise we end up turning off the GDSC and destroying all +@@ -432,6 +425,14 @@ static 
int gdsc_init(struct gdsc *sc) + */ + if (sc->flags & RETAIN_FF_ENABLE) + gdsc_retain_ff_on(sc); ++ ++ /* Turn on HW trigger mode if supported */ ++ if (sc->flags & HW_CTRL) { ++ ret = gdsc_hwctrl(sc, true); ++ if (ret < 0) ++ goto err_disable_supply; ++ } ++ + } else if (sc->flags & ALWAYS_ON) { + /* If ALWAYS_ON GDSCs are not ON, turn them ON */ + gdsc_enable(&sc->pd); diff --git a/queue-6.1/crypto-ccp-fix-check-for-the-primary-asp-device.patch b/queue-6.1/crypto-ccp-fix-check-for-the-primary-asp-device.patch new file mode 100644 index 0000000000..9c1eeb316f --- /dev/null +++ b/queue-6.1/crypto-ccp-fix-check-for-the-primary-asp-device.patch 
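Review bot: The moved block in gdsc_enable() has no comment saying why `gdsc_retain_ff_on(sc)` must now run before `gdsc_hwctrl(sc, true)`, whereas gdsc_init() keeps its explanatory comment, so a later cleanup could move the lines back below the HW_CTRL block without noticing the constraint. A short comment above the moved lines would pin the ordering: `/* Set retain_ff while SW still owns the GDSC; once in HW trigger mode its state is unknown and setting the bit could lose the retained registers. */`. Both functions start and end outside the hunks shown.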
@@ -0,0 +1,54 @@ +From 07bb097b92b987db518e72525b515d77904e966e Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Fri, 17 Jan 2025 17:05:47 -0600 +Subject: crypto: ccp - Fix check for the primary ASP device + +From: Tom Lendacky + +commit 07bb097b92b987db518e72525b515d77904e966e upstream. + +Currently, the ASP primary device check does not have support for PCI +domains, and, as a result, when the system is configured with PCI domains +(PCI segments) the wrong device can be selected as primary. This results +in commands submitted to the device timing out and failing. The device +check also relies on specific device and function assignments that may +not hold in the future. + +Fix the primary ASP device check to include support for PCI domains and +to perform proper checking of the Bus/Device/Function positions. + +Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support") +Cc: stable@vger.kernel.org +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sp-pci.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/ccp/sp-pci.c ++++ b/drivers/crypto/ccp/sp-pci.c +@@ -179,14 +179,17 @@ static bool sp_pci_is_master(struct sp_d + pdev_new = to_pci_dev(dev_new); + pdev_cur = to_pci_dev(dev_cur); + +- if (pdev_new->bus->number < pdev_cur->bus->number) +- return true; ++ if (pci_domain_nr(pdev_new->bus) != pci_domain_nr(pdev_cur->bus)) ++ return pci_domain_nr(pdev_new->bus) < pci_domain_nr(pdev_cur->bus); + +- if (PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn)) +- return true; ++ if (pdev_new->bus->number != pdev_cur->bus->number) ++ return pdev_new->bus->number < pdev_cur->bus->number; + +- if (PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn)) +- return true; ++ if (PCI_SLOT(pdev_new->devfn) != PCI_SLOT(pdev_cur->devfn)) ++ return PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn); ++ ++ if (PCI_FUNC(pdev_new->devfn) != 
PCI_FUNC(pdev_cur->devfn)) ++ return PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn); + + return false; + } diff --git a/queue-6.1/dm-ebs-fix-prefetch-vs-suspend-race.patch b/queue-6.1/dm-ebs-fix-prefetch-vs-suspend-race.patch new file mode 100644 index 0000000000..faa7b4db49 --- /dev/null +++ b/queue-6.1/dm-ebs-fix-prefetch-vs-suspend-race.patch @@ -0,0 +1,43 @@ +From 9c565428788fb9b49066f94ab7b10efc686a0a4c Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 28 Mar 2025 16:19:07 +0100 +Subject: dm-ebs: fix prefetch-vs-suspend race + +From: Mikulas Patocka + +commit 9c565428788fb9b49066f94ab7b10efc686a0a4c upstream. + +There's a possible race condition in dm-ebs - dm bufio prefetch may be in +progress while the device is suspended. Fix this by calling +dm_bufio_client_reset in the postsuspend hook. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ebs-target.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/md/dm-ebs-target.c ++++ b/drivers/md/dm-ebs-target.c +@@ -389,6 +389,12 @@ static int ebs_map(struct dm_target *ti, + return DM_MAPIO_REMAPPED; + } + ++static void ebs_postsuspend(struct dm_target *ti) ++{ ++ struct ebs_c *ec = ti->private; ++ dm_bufio_client_reset(ec->bufio); ++} ++ + static void ebs_status(struct dm_target *ti, status_type_t type, + unsigned int status_flags, char *result, unsigned int maxlen) + { +@@ -446,6 +452,7 @@ static struct target_type ebs_target = { + .ctr = ebs_ctr, + .dtr = ebs_dtr, + .map = ebs_map, ++ .postsuspend = ebs_postsuspend, + .status = ebs_status, + .io_hints = ebs_io_hints, + .prepare_ioctl = ebs_prepare_ioctl, diff --git a/queue-6.1/dm-integrity-set-ti-error-on-memory-allocation-failure.patch b/queue-6.1/dm-integrity-set-ti-error-on-memory-allocation-failure.patch new file mode 100644 index 0000000000..8da64a68f2 --- /dev/null +++ b/queue-6.1/dm-integrity-set-ti-error-on-memory-allocation-failure.patch 
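Review bot: sp_pci_is_master() now implements a field-by-field ordering on domain, bus, slot and function, but nothing in the code states that rule, and the previous version shows how easily a chain of independent `<` tests gets it wrong. A one-line comment above the first comparison would make the intent reviewable: `/* Primary is the device with the lowest domain:bus:slot.function; compare the most significant field first. */`. Each `pci_domain_nr()` result is also computed twice; holding the two values in locals would shorten the first test. The function begins above the hunk.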
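Review bot: ebs_postsuspend() puts the call directly under the local declaration with no separating blank line, which kernel coding style asks for and checkpatch reports as a missing blank line after declarations; verity_postsuspend() in the dm-verity patch of this series has the same layout. Insert an empty line after `struct ebs_c *ec = ti->private;` (and after `struct dm_verity *v = ti->private;` there). A comment such as `/* No bufio prefetch may remain in flight once the target is suspended. */` would also record why the hook exists, which at present only the commit message explains.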
@@ -0,0 +1,41 @@
+From 00204ae3d6712ee053353920e3ce2b00c35ef75b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Mon, 10 Feb 2025 16:14:22 +0100
+Subject: dm-integrity: set ti->error on memory allocation failure
+
+From: Mikulas Patocka
+
+commit 00204ae3d6712ee053353920e3ce2b00c35ef75b upstream.
+
+The dm-integrity target didn't set the error string when memory
+allocation failed. This patch fixes it.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-integrity.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -4546,16 +4546,19 @@ try_smaller_buffer:
+
+ ic->recalc_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
+ if (!ic->recalc_bitmap) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
+ ic->may_write_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
+ if (!ic->may_write_bitmap) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
+ ic->bbs = kvmalloc_array(ic->n_bitmap_blocks, sizeof(struct bitmap_block_status), GFP_KERNEL);
+ if (!ic->bbs) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
diff --git a/queue-6.1/dm-verity-fix-prefetch-vs-suspend-race.patch b/queue-6.1/dm-verity-fix-prefetch-vs-suspend-race.patch
new file mode 100644
index 0000000000..8fe776fb54
--- /dev/null
+++ b/queue-6.1/dm-verity-fix-prefetch-vs-suspend-race.patch
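Review bot: All three failure branches set the identical string `"Could not allocate memory for bitmap"`, so the error reported to the caller cannot say whether recalc_bitmap, may_write_bitmap or the bbs array failed to allocate. Distinct texts cost nothing and make a failed table load diagnosable, for example `ti->error = "Could not allocate memory for recalc bitmap";`, `ti->error = "Could not allocate memory for may-write bitmap";` and `ti->error = "Could not allocate memory for bitmap block status";`. The enclosing constructor starts and ends outside the hunk.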
@@ -0,0 +1,45 @@
+From 2de510fccbca3d1906b55f4be5f1de83fa2424ef Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 28 Mar 2025 16:17:45 +0100
+Subject: dm-verity: fix prefetch-vs-suspend race
+
+From: Mikulas Patocka
+
+commit 2de510fccbca3d1906b55f4be5f1de83fa2424ef upstream.
+
+There's a possible race condition in dm-verity - the prefetch work item
+may race with suspend and it is possible that prefetch continues to run
+while the device is suspended. Fix this by calling flush_workqueue and
+dm_bufio_client_reset in the postsuspend hook.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-verity-target.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -823,6 +823,13 @@ static int verity_map(struct dm_target *
+ return DM_MAPIO_SUBMITTED;
+ }
+
++static void verity_postsuspend(struct dm_target *ti)
++{
++ struct dm_verity *v = ti->private;
++ flush_workqueue(v->verify_wq);
++ dm_bufio_client_reset(v->bufio);
++}
++
+ /*
+ * Status: V (valid) or C (corruption found)
+ */
+@@ -1542,6 +1549,7 @@ static struct target_type verity_target
+ .ctr = verity_ctr,
+ .dtr = verity_dtr,
+ .map = verity_map,
++ .postsuspend = verity_postsuspend,
+ .status = verity_status,
+ .prepare_ioctl = verity_prepare_ioctl,
+ .iterate_devices = verity_iterate_devices,
diff --git a/queue-6.1/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch b/queue-6.1/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch
new file mode 100644
index 0000000000..1af91b93d1
--- /dev/null
+++ b/queue-6.1/ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch
@@ -0,0 +1,39 @@
+From 42ea22e754ba4f2b86f8760ca27f6f71da2d982c Mon Sep 17 00:00:00 2001
+From: zhoumin
+Date: Tue, 1 Apr 2025 01:00:34 +0800
+Subject: ftrace: Add cond_resched() to ftrace_graph_set_hash()
+
+From: zhoumin
+
+commit 42ea22e754ba4f2b86f8760ca27f6f71da2d982c upstream.
+
+When the kernel contains a large number of functions that can be traced,
+the loop in ftrace_graph_set_hash() may take a lot of time to execute.
+This may trigger the softlockup watchdog.
+
+Add cond_resched() within the loop to allow the kernel to remain
+responsive even when processing a large number of functions.
+
+This matches the cond_resched() that is used in other locations of the
+code that iterates over all functions that can be traced.
+
+Cc: stable@vger.kernel.org
+Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables")
+Link: https://lore.kernel.org/tencent_3E06CE338692017B5809534B9C5C03DA7705@qq.com
+Signed-off-by: zhoumin
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ftrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6522,6 +6522,7 @@ ftrace_graph_set_hash(struct ftrace_hash
+ }
+ }
+ }
++ cond_resched();
+ } while_for_each_ftrace_rec();
+ out:
+ mutex_unlock(&ftrace_lock);
diff --git a/queue-6.1/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch b/queue-6.1/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch
new file mode 100644
index 0000000000..c556cc2fcc
--- /dev/null
+++ b/queue-6.1/gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch
@@ -0,0 +1,69 @@ +From 8323f3a69de6f6e96bf22f32dd8e2920766050c2 Mon Sep 17 00:00:00 2001 +From: Guixin Liu +Date: Thu, 27 Mar 2025 11:23:49 +0800 +Subject: gpio: tegra186: fix resource handling in ACPI probe path + +From: Guixin Liu + +commit 8323f3a69de6f6e96bf22f32dd8e2920766050c2 upstream. + +When the Tegra186 GPIO controller is probed through ACPI matching, +the driver emits two error messages during probing: + "tegra186-gpio NVDA0508:00: invalid resource (null)" + "tegra186-gpio NVDA0508:00: invalid resource (null)" + +Fix this by getting resource first and then do the ioremap. + +Fixes: 2606e7c9f5fc ("gpio: tegra186: Add ACPI support") +Cc: stable@vger.kernel.org +Signed-off-by: Guixin Liu +Link: https://lore.kernel.org/r/20250327032349.78809-1-kanie@linux.alibaba.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-tegra186.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/gpio/gpio-tegra186.c ++++ b/drivers/gpio/gpio-tegra186.c +@@ -753,6 +753,7 @@ static int tegra186_gpio_probe(struct pl + struct gpio_irq_chip *irq; + struct tegra_gpio *gpio; + struct device_node *np; ++ struct resource *res; + char **names; + int err; + +@@ -772,19 +773,19 @@ static int tegra186_gpio_probe(struct pl + gpio->num_banks++; + + /* get register apertures */ +- gpio->secure = devm_platform_ioremap_resource_byname(pdev, "security"); +- if (IS_ERR(gpio->secure)) { +- gpio->secure = devm_platform_ioremap_resource(pdev, 0); +- if (IS_ERR(gpio->secure)) +- return PTR_ERR(gpio->secure); +- } +- +- gpio->base = devm_platform_ioremap_resource_byname(pdev, "gpio"); +- if (IS_ERR(gpio->base)) { +- gpio->base = devm_platform_ioremap_resource(pdev, 1); +- if (IS_ERR(gpio->base)) +- return PTR_ERR(gpio->base); +- } ++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "security"); ++ if (!res) ++ res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ gpio->secure = 
devm_ioremap_resource(&pdev->dev, res); ++ if (IS_ERR(gpio->secure)) ++ return PTR_ERR(gpio->secure); ++ ++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpio"); ++ if (!res) ++ res = platform_get_resource(pdev, IORESOURCE_MEM, 1); ++ gpio->base = devm_ioremap_resource(&pdev->dev, res); ++ if (IS_ERR(gpio->base)) ++ return PTR_ERR(gpio->base); + + err = platform_irq_count(pdev); + if (err < 0) diff --git a/queue-6.1/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch b/queue-6.1/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch new file mode 100644 index 0000000000..3ef47c0abf --- /dev/null +++ b/queue-6.1/gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch @@ -0,0 +1,31 @@ +From c5672e310ad971d408752fce7596ed27adc6008f Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sun, 6 Apr 2025 22:22:45 +0200 +Subject: gpio: zynq: Fix wakeup source leaks on device unbind + +From: Krzysztof Kozlowski + +commit c5672e310ad971d408752fce7596ed27adc6008f upstream. + +Device can be unbound, so driver must also release memory for the wakeup +source. + +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250406202245.53854-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-zynq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpio-zynq.c ++++ b/drivers/gpio/gpio-zynq.c +@@ -1012,6 +1012,7 @@ static int zynq_gpio_remove(struct platf + ret = pm_runtime_get_sync(&pdev->dev); + if (ret < 0) + dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n"); ++ device_init_wakeup(&pdev->dev, 0); + gpiochip_remove(&gpio->chip); + clk_disable_unprepare(gpio->clk); + device_set_wakeup_capable(&pdev->dev, 0); diff --git a/queue-6.1/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch b/queue-6.1/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch new file mode 100644 index 0000000000..6cc2cc30eb 
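Review bot: In the gpio-zynq hunk, `device_init_wakeup(&pdev->dev, 0)` is added three lines above the existing `device_set_wakeup_capable(&pdev->dev, 0)`, and disabling through device_init_wakeup() already clears the wakeup-capable flag, so the older call is now redundant. Dropping it, and passing `false` rather than `0` for the bool parameter (`device_init_wakeup(&pdev->dev, false);`), leaves a single obvious teardown call. zynq_gpio_remove() begins and ends outside the hunk.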
--- /dev/null +++ b/queue-6.1/gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch @@ -0,0 +1,40 @@ +From 15970e1b23f5c25db88c613fddf9131de086f28e Mon Sep 17 00:00:00 2001 +From: Joshua Washington +Date: Wed, 2 Apr 2025 00:10:37 +0000 +Subject: gve: handle overflow when reporting TX consumed descriptors + +From: Joshua Washington + +commit 15970e1b23f5c25db88c613fddf9131de086f28e upstream. + +When the tx tail is less than the head (in cases of wraparound), the TX +consumed descriptor statistic in DQ will be reported as +UINT32_MAX - head + tail, which is incorrect. Mask the difference of +head and tail according to the ring size when reporting the statistic. + +Cc: stable@vger.kernel.org +Fixes: 2c9198356d56 ("gve: Add consumed counts to ethtool stats") +Signed-off-by: Joshua Washington +Signed-off-by: Harshitha Ramamurthy +Reviewed-by: Michal Swiatkowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250402001037.2717315-1-hramamurthy@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/google/gve/gve_ethtool.c ++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c +@@ -327,7 +327,9 @@ gve_get_ethtool_stats(struct net_device + */ + data[i++] = 0; + data[i++] = 0; +- data[i++] = tx->dqo_tx.tail - tx->dqo_tx.head; ++ data[i++] = ++ (tx->dqo_tx.tail - tx->dqo_tx.head) & ++ tx->mask; + } + do { + start = diff --git a/queue-6.1/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch b/queue-6.1/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch new file mode 100644 index 0000000000..fe9907f6f6 --- /dev/null +++ b/queue-6.1/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch 
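Review bot: The masked subtraction `(tx->dqo_tx.tail - tx->dqo_tx.head) & tx->mask` in gve_get_ethtool_stats() is only correct if tx->mask is the ring size minus one for a power-of-two ring, and the code does not state that assumption. A comment above the statement would record it: `/* head/tail are ring indices; mask the difference so wraparound (tail < head) still yields the number of descriptors in use */`. The two fields are also read at separate moments with no synchronisation visible in the hunk, which is presumably acceptable for a statistic but worth saying in the same comment. The function starts and ends outside the hunk.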
@@ -0,0 +1,82 @@ +From ef01cac401f18647d62720cf773d7bb0541827da Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 1 Apr 2025 08:05:04 -0700 +Subject: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses + +From: Sean Christopherson + +commit ef01cac401f18647d62720cf773d7bb0541827da upstream. + +Acquire a lock on kvm->srcu when userspace is getting MP state to handle a +rather extreme edge case where "accepting" APIC events, i.e. processing +pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU +is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP +state will trigger a nested VM-Exit by way of ->check_nested_events(), and +emuating the nested VM-Exit can access guest memory. + +The splat was originally hit by syzkaller on a Google-internal kernel, and +reproduced on an upstream kernel by hacking the triple_fault_event_test +selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a +memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. + + ============================= + WARNING: suspicious RCU usage + 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted + ----------------------------- + include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage! 
+ + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 1 lock held by triple_fault_ev/1256: + #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] + + stack backtrace: + CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + Call Trace: + + dump_stack_lvl+0x7f/0x90 + lockdep_rcu_suspicious+0x144/0x190 + kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] + kvm_vcpu_read_guest+0x3e/0x90 [kvm] + read_and_check_msr_entry+0x2e/0x180 [kvm_intel] + __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] + kvm_check_nested_events+0x1b/0x30 [kvm] + kvm_apic_accept_events+0x33/0x100 [kvm] + kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] + kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] + __x64_sys_ioctl+0x8b/0xb0 + do_syscall_64+0x6c/0x170 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20250401150504.829812-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -11460,6 +11460,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru + if (kvm_mpx_supported()) + kvm_load_guest_fpu(vcpu); + ++ kvm_vcpu_srcu_read_lock(vcpu); ++ + r = kvm_apic_accept_events(vcpu); + if (r < 0) + goto out; +@@ -11473,6 +11475,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru + mp_state->mp_state = vcpu->arch.mp_state; + + out: ++ kvm_vcpu_srcu_read_unlock(vcpu); ++ + if (kvm_mpx_supported()) + kvm_put_guest_fpu(vcpu); + vcpu_put(vcpu); diff --git a/queue-6.1/series b/queue-6.1/series index 42e4ab63a0..16eedef7c4 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
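Review bot: The new `kvm_vcpu_srcu_read_lock(vcpu)` in kvm_arch_vcpu_ioctl_get_mpstate() has no comment, and nothing at the call site hints that kvm_apic_accept_events() can reach guest memory; the reason lives only in the commit message. A comment above the lock would keep it from being removed later as apparently unnecessary: `/* kvm_apic_accept_events() may emulate a nested VM-Exit, which reads guest memory and therefore needs kvm->srcu. */`. The unlock sits at the `out:` label, so any `goto out` taken before the lock would unbalance it; the hunk shows none, but the top of the function is outside it.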
@@ -132,3 +132,18 @@ mm-rmap-reject-hugetlb-folios-in-folio_make_device_exclusive.patch
 mm-add-missing-release-barrier-on-pgdat_reclaim_locked-unlock.patch
 mm-hwpoison-do-not-send-sigbus-to-processes-with-recovered-clean-pages.patch
 sctp-detect-and-prevent-references-to-a-freed-transport-in-sendmsg.patch
+thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch
+cifs-avoid-null-pointer-dereference-in-dbg-call.patch
+cifs-fix-integer-overflow-in-match_server.patch
+clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch
+clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch
+clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
+crypto-ccp-fix-check-for-the-primary-asp-device.patch
+dm-ebs-fix-prefetch-vs-suspend-race.patch
+dm-integrity-set-ti-error-on-memory-allocation-failure.patch
+dm-verity-fix-prefetch-vs-suspend-race.patch
+ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch
+gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch
+gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch
+gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch
+kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch
diff --git a/queue-6.1/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch b/queue-6.1/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch
new file mode 100644
index 0000000000..ac1ef83815
--- /dev/null
+++ b/queue-6.1/thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch
@@ -0,0 +1,61 @@
+From ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e Mon Sep 17 00:00:00 2001
+From: Trevor Woerner
+Date: Fri, 7 Feb 2025 12:50:47 -0500
+Subject: thermal/drivers/rockchip: Add missing rk3328 mapping entry
+
+From: Trevor Woerner
+
+commit ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e upstream.
+
+The mapping table for the rk3328 is missing the entry for -25C which is
+found in the TRM section 9.5.2 "Temperature-to-code mapping".
+
+NOTE: the kernel uses the tsadc_q_sel=1'b1 mode which is defined as:
+ 4096-. Whereas the table in the TRM gives the code
+ "3774" for -25C, the kernel uses 4096-3774=322.
+
+[Dragan Simic] : "After going through the RK3308 and RK3328 TRMs, as
+ well as through the downstream kernel code, it seems we may have
+ some troubles at our hands. Let me explain, please.
+
+ To sum it up, part 1 of the RK3308 TRM v1.1 says on page 538 that
+ the equation for the output when tsadc_q_sel equals 1 is (4096 -
+ tsadc_q), while part 1 of the RK3328 TRM v1.2 says that the output
+ equation is (1024 - tsadc_q) in that case.
+
+ The downstream kernel code, however, treats the RK3308 and RK3328
+ tables and their values as being the same. It even mentions 1024 as
+ the "offset" value in a comment block for the rk_tsadcv3_control()
+ function, just like the upstream code does, which is obviously wrong
+ "offset" value when correlated with the table on page 544 of part 1
+ of the RK3308 TRM v1.1.
+
+ With all this in mind, it's obvious that more work is needed to make
+ it clear where's the actual mistake (it could be that the TRM is
+ wrong), which I'll volunteer for as part of the SoC binning project.
+ In the meantime, this patch looks fine as-is to me, by offering
+ what's a clear improvement to the current state of the upstream
+ code"
+
+Link: https://opensource.rock-chips.com/images/9/97/Rockchip_RK3328TRM_V1.1-Part1-20170321.pdf
+Cc: stable@vger.kernel.org
+Fixes: eda519d5f73e ("thermal: rockchip: Support the RK3328 SOC in thermal driver")
+Signed-off-by: Trevor Woerner
+Reviewed-by: Dragan Simic
+Link: https://lore.kernel.org/r/20250207175048.35959-1-twoerner@gmail.com
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thermal/rockchip_thermal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thermal/rockchip_thermal.c
++++ b/drivers/thermal/rockchip_thermal.c
+@@ -373,6 +373,7 @@ static const struct tsadc_table rk3328_c
+ {296, -40000},
+ {304, -35000},
+ {313, -30000},
++ {322, -25000},
+ {331, -20000},
+ {340, -15000},
+ {349, -10000},
-- 2.47.3
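Review bot: The new `{322, -25000}` entry cannot be checked against the TRM as written, because the commit message says the TRM lists 3774 for -25C and the table stores 4096-3774. A one-line comment above the table would record that derivation next to the data, for example `/* codes are 4096 minus the TRM code (tsadc_q_sel = 1); offset under review, see commit log */`. The quoted review notes that the RK3328 TRM v1.2 gives 1024 rather than 4096 as the offset, so the comment should stay hedged until that is settled. The value does sit between its neighbours 313 and 331, so the table ordering visible in the hunk is preserved. The table definition starts and ends outside the hunk.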