From bca75bdfa93d4bf7e17d9cd40939d410d3e3599c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 24 Mar 2025 09:13:00 -0700 Subject: [PATCH] 6.6-stable patches added patches: accel-qaic-fix-integer-overflow-in-qaic_validate_req.patch arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch arm64-dts-freescale-imx8mp-verdin-dahlia-add-microphone-jack-to-sound-card.patch arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch arm64-dts-rockchip-fix-pinmux-of-uart0-for-px30-ringneck-on-haikou.patch batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch can-flexcan-disable-transceiver-during-system-pm.patch can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch can-rcar_canfd-fix-page-entries-in-the-afl-list.patch can-ucan-fix-out-of-bound-read-in-strscpy-source.patch drm-amd-display-should-support-dmub-hw-lock-on-replay.patch drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch drm-amdgpu-fix-mpeg2-mpeg4-and-vc1-video-caps-max-size.patch drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch drm-sched-fix-fence-reference-count-leak.patch drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch i2c-omap-fix-irq-storms.patch memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch mm-fix-error-handling-in-__filemap_get_folio-with-fgp_nowait.patch mm-migrate-fix-shmem-xarray-update-during-migration.patch mmc-atmel-mci-add-missing-clk_disable_unprepare.patch mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch proc-fix-uaf-in-proc_get_inode.patch regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch regulator-dummy-force-synchronous-probing.patch riscv-dts-starfive-fix-a-typo-in-starfive-jh7110-pin-function-definitions.patch soc-qcom-pdr-fix-the-potential-deadlock.patch xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch --- ...nteger-overflow-in-qaic_validate_req.patch | 44 +++++ ...l-apalis-fix-poweroff-on-apalis-imx6.patch | 60 ++++++ ...-smp-enforce-shmobile_smp_-alignment.patch | 42 ++++ ...ia-add-microphone-jack-to-sound-card.patch | 44 +++++ ...ia-add-microphone-jack-to-sound-card.patch | 44 +++++ ...cie-supplies-to-rockpro64-board-dtsi.patch | 85 ++++++++ ...of-uart0-for-px30-ringneck-on-haikou.patch | 40 ++++ ...n-maximum-aggregation-size-during-rx.patch | 56 ++++++ ...disable-transceiver-during-system-pm.patch | 55 ++++++ ...-can-state-when-link-up-in-system-pm.patch | 70 +++++++ ...nfd-fix-page-entries-in-the-afl-list.patch | 96 +++++++++ ...-out-of-bound-read-in-strscpy-source.patch | 145 ++++++++++++++ ...hould-support-dmub-hw-lock-on-replay.patch | 39 ++++ ...-lock-mgr-for-psr1-when-only-one-edp.patch | 53 +++++ ...o-caps-max-size-for-navi1x-and-raven.patch | 45 +++++ ...g2-mpeg4-and-vc1-video-caps-max-size.patch | 186 ++++++++++++++++++ ...ed-size-issue-in-radeon_vce_cs_parse.patch | 44 +++++ ...sched-fix-fence-reference-count-leak.patch | 47 +++++ ...hat-have-errors-flagged-in-its-fence.patch | 68 +++++++ ...ess-0x0-when-doing-random-allocation.patch | 45 +++++ queue-6.6/i2c-omap-fix-irq-storms.patch | 112 +++++++++++ ...in-obj-stock-on-cpu-hotplug-teardown.patch | 50 +++++ ...-__filemap_get_folio-with-fgp_nowait.patch | 91 +++++++++ ...shmem-xarray-update-during-migration.patch | 76 +++++++ ...ci-add-missing-clk_disable_unprepare.patch | 39 ++++ ...b-add-cqhci-suspend-resume-to-pm-ops.patch | 57 ++++++ .../proc-fix-uaf-in-proc_get_inode.patch | 177 +++++++++++++++++ ...ator-has-been-probed-before-using-it.patch | 57 ++++++ ...ator-dummy-force-synchronous-probing.patch | 55 ++++++ ...five-jh7110-pin-function-definitions.patch | 37 ++++ queue-6.6/series | 32 +++ ...-qcom-pdr-fix-the-potential-deadlock.patch | 90 +++++++++ ...verflow-in-xp_create_and_assign_umem.patch | 38 ++++ 33 files changed, 2219 insertions(+) create mode 100644 queue-6.6/accel-qaic-fix-integer-overflow-in-qaic_validate_req.patch create mode 100644 queue-6.6/arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch create mode 100644 queue-6.6/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch create mode 100644 queue-6.6/arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch create mode 100644 queue-6.6/arm64-dts-freescale-imx8mp-verdin-dahlia-add-microphone-jack-to-sound-card.patch create mode 100644 queue-6.6/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch create mode 100644 queue-6.6/arm64-dts-rockchip-fix-pinmux-of-uart0-for-px30-ringneck-on-haikou.patch create mode 100644 queue-6.6/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch create mode 100644 queue-6.6/can-flexcan-disable-transceiver-during-system-pm.patch create mode 100644 queue-6.6/can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch create mode 100644 queue-6.6/can-rcar_canfd-fix-page-entries-in-the-afl-list.patch create mode 100644 queue-6.6/can-ucan-fix-out-of-bound-read-in-strscpy-source.patch create mode 100644 queue-6.6/drm-amd-display-should-support-dmub-hw-lock-on-replay.patch create mode 100644 queue-6.6/drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch create mode 100644 queue-6.6/drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch create mode 100644 queue-6.6/drm-amdgpu-fix-mpeg2-mpeg4-and-vc1-video-caps-max-size.patch create mode 100644 queue-6.6/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch create mode 100644 queue-6.6/drm-sched-fix-fence-reference-count-leak.patch create mode 100644 queue-6.6/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch create mode 100644 queue-6.6/efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch create mode 100644 queue-6.6/i2c-omap-fix-irq-storms.patch create mode 100644 queue-6.6/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch create mode 100644 queue-6.6/mm-fix-error-handling-in-__filemap_get_folio-with-fgp_nowait.patch create mode 100644 queue-6.6/mm-migrate-fix-shmem-xarray-update-during-migration.patch create mode 100644 queue-6.6/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch create mode 100644 queue-6.6/mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch create mode 100644 queue-6.6/proc-fix-uaf-in-proc_get_inode.patch create mode 100644 queue-6.6/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch create mode 100644 queue-6.6/regulator-dummy-force-synchronous-probing.patch create mode 100644 queue-6.6/riscv-dts-starfive-fix-a-typo-in-starfive-jh7110-pin-function-definitions.patch create mode 100644 queue-6.6/soc-qcom-pdr-fix-the-potential-deadlock.patch create mode 100644 queue-6.6/xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch diff --git a/queue-6.6/accel-qaic-fix-integer-overflow-in-qaic_validate_req.patch b/queue-6.6/accel-qaic-fix-integer-overflow-in-qaic_validate_req.patch new file mode 100644 index 0000000000..d57682546e --- /dev/null +++ b/queue-6.6/accel-qaic-fix-integer-overflow-in-qaic_validate_req.patch @@ -0,0 +1,44 @@ +From 67d15c7aa0864dfd82325c7e7e7d8548b5224c7b Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 7 Mar 2025 11:41:48 +0300 +Subject: accel/qaic: Fix integer overflow in qaic_validate_req() + +From: Dan Carpenter + +commit 67d15c7aa0864dfd82325c7e7e7d8548b5224c7b upstream. + +These are u64 variables that come from the user via +qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that +the math doesn't have an integer wrapping bug. + +Cc: stable@vger.kernel.org +Fixes: ff13be830333 ("accel/qaic: Add datapath") +Signed-off-by: Dan Carpenter +Reviewed-by: Jeff Hugo +Signed-off-by: Jeff Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/176388fa-40fe-4cb4-9aeb-2c91c22130bd@stanley.mountain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/qaic/qaic_data.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/accel/qaic/qaic_data.c ++++ b/drivers/accel/qaic/qaic_data.c +@@ -550,6 +550,7 @@ static bool invalid_sem(struct qaic_sem + static int qaic_validate_req(struct qaic_device *qdev, struct qaic_attach_slice_entry *slice_ent, + u32 count, u64 total_size) + { ++ u64 total; + int i; + + for (i = 0; i < count; i++) { +@@ -559,7 +560,8 @@ static int qaic_validate_req(struct qaic + invalid_sem(&slice_ent[i].sem2) || invalid_sem(&slice_ent[i].sem3)) + return -EINVAL; + +- if (slice_ent[i].offset + slice_ent[i].size > total_size) ++ if (check_add_overflow(slice_ent[i].offset, slice_ent[i].size, &total) || ++ total > total_size) + return -EINVAL; + } + diff --git a/queue-6.6/arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch b/queue-6.6/arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch new file mode 100644 index 0000000000..65a3d4545b --- /dev/null +++ b/queue-6.6/arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch @@ -0,0 +1,60 @@ +From 83964a29379cb08929a39172780a4c2992bc7c93 Mon Sep 17 00:00:00 2001 +From: Stefan Eichenberger +Date: Fri, 10 Jan 2025 16:18:29 +0100 +Subject: ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6 + +From: Stefan Eichenberger + +commit 83964a29379cb08929a39172780a4c2992bc7c93 upstream. + +The current solution for powering off the Apalis iMX6 is not functioning +as intended. To resolve this, it is necessary to power off the +vgen2_reg, which will also set the POWER_ENABLE_MOCI signal to a low +state. This ensures the carrier board is properly informed to initiate +its power-off sequence. + +The new solution uses the regulator-poweroff driver, which will power +off the regulator during a system shutdown. + +Cc: +Fixes: 4eb56e26f92e ("ARM: dts: imx6q-apalis: Command pmic to standby for poweroff") +Signed-off-by: Stefan Eichenberger +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi ++++ b/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi +@@ -101,6 +101,11 @@ + }; + }; + ++ poweroff { ++ compatible = "regulator-poweroff"; ++ cpu-supply = <&vgen2_reg>; ++ }; ++ + reg_module_3v3: regulator-module-3v3 { + compatible = "regulator-fixed"; + regulator-always-on; +@@ -220,10 +225,6 @@ + status = "disabled"; + }; + +-&clks { +- fsl,pmic-stby-poweroff; +-}; +- + /* Apalis SPI1 */ + &ecspi1 { + cs-gpios = <&gpio5 25 GPIO_ACTIVE_LOW>; +@@ -511,7 +512,6 @@ + + pmic: pmic@8 { + compatible = "fsl,pfuze100"; +- fsl,pmic-stby-poweroff; + reg = <0x08>; + + regulators { diff --git a/queue-6.6/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch b/queue-6.6/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch new file mode 100644 index 0000000000..b8298def33 --- /dev/null +++ b/queue-6.6/arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch @@ -0,0 +1,42 @@ +From 379c590113ce46f605439d4887996c60ab8820cc Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 10 Mar 2025 14:12:20 +0100 +Subject: ARM: shmobile: smp: Enforce shmobile_smp_* alignment + +From: Geert Uytterhoeven + +commit 379c590113ce46f605439d4887996c60ab8820cc upstream. + +When the addresses of the shmobile_smp_mpidr, shmobile_smp_fn, and +shmobile_smp_arg variables are not multiples of 4 bytes, secondary CPU +bring-up fails: + + smp: Bringing up secondary CPUs ... + CPU1: failed to come online + CPU2: failed to come online + CPU3: failed to come online + smp: Brought up 1 node, 1 CPU + +Fix this by adding the missing alignment directive. + +Fixes: 4e960f52fce16a3b ("ARM: shmobile: Move shmobile_smp_{mpidr, fn, arg}[] from .text to .bss") +Closes: https://lore.kernel.org/r/CAMuHMdU=QR-JLgEHKWpsr6SbaZRc-Hz9r91JfpP8c3n2G-OjqA@mail.gmail.com +Signed-off-by: Geert Uytterhoeven +Tested-by: Lad Prabhakar +Link: https://lore.kernel.org/c499234d559a0d95ad9472883e46077311051cd8.1741612208.git.geert+renesas@glider.be +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-shmobile/headsmp.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-shmobile/headsmp.S ++++ b/arch/arm/mach-shmobile/headsmp.S +@@ -136,6 +136,7 @@ ENDPROC(shmobile_smp_sleep) + .long shmobile_smp_arg - 1b + + .bss ++ .align 2 + .globl shmobile_smp_mpidr + shmobile_smp_mpidr: + .space NR_CPUS * 4 diff --git a/queue-6.6/arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch b/queue-6.6/arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch new file mode 100644 index 0000000000..dd87c3ced7 --- /dev/null +++ b/queue-6.6/arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch @@ -0,0 +1,44 @@ +From 2c1092823eb03f8508d6769e2f38eef7e1fe62a0 Mon Sep 17 00:00:00 2001 +From: Stefan Eichenberger +Date: Mon, 17 Feb 2025 15:56:41 +0100 +Subject: arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card + +From: Stefan Eichenberger + +commit 2c1092823eb03f8508d6769e2f38eef7e1fe62a0 upstream. + +The simple-audio-card's microphone widget currently connects to the +headphone jack. Routing the microphone input to the microphone jack +allows for independent operation of the microphone and headphones. + +This resolves the following boot-time kernel log message, which +indicated a conflict when the microphone and headphone functions were +not separated: + debugfs: File 'Headphone Jack' in directory 'dapm' already present! + +Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini") +Signed-off-by: Stefan Eichenberger +Reviewed-by: Francesco Dolcini +Cc: +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi +@@ -16,10 +16,10 @@ + "Headphone Jack", "HPOUTR", + "IN2L", "Line In Jack", + "IN2R", "Line In Jack", +- "Headphone Jack", "MICBIAS", +- "IN1L", "Headphone Jack"; ++ "Microphone Jack", "MICBIAS", ++ "IN1L", "Microphone Jack"; + simple-audio-card,widgets = +- "Microphone", "Headphone Jack", ++ "Microphone", "Microphone Jack", + "Headphone", "Headphone Jack", + "Line", "Line In Jack"; + diff --git a/queue-6.6/arm64-dts-freescale-imx8mp-verdin-dahlia-add-microphone-jack-to-sound-card.patch b/queue-6.6/arm64-dts-freescale-imx8mp-verdin-dahlia-add-microphone-jack-to-sound-card.patch new file mode 100644 index 0000000000..70d9f3c989 --- /dev/null +++ b/queue-6.6/arm64-dts-freescale-imx8mp-verdin-dahlia-add-microphone-jack-to-sound-card.patch @@ -0,0 +1,44 @@ +From b0612fdba9afdce261bfb8684e0cece6f2e2b0bb Mon Sep 17 00:00:00 2001 +From: Stefan Eichenberger +Date: Mon, 17 Feb 2025 15:56:40 +0100 +Subject: arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to sound card + +From: Stefan Eichenberger + +commit b0612fdba9afdce261bfb8684e0cece6f2e2b0bb upstream. + +The simple-audio-card's microphone widget currently connects to the +headphone jack. Routing the microphone input to the microphone jack +allows for independent operation of the microphone and headphones. + +This resolves the following boot-time kernel log message, which +indicated a conflict when the microphone and headphone functions were +not separated: + debugfs: File 'Headphone Jack' in directory 'dapm' already present! + +Fixes: 874958916844 ("arm64: dts: freescale: verdin-imx8mp: dahlia: add sound card") +Signed-off-by: Stefan Eichenberger +Reviewed-by: Francesco Dolcini +Cc: +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mp-verdin-dahlia.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mp-verdin-dahlia.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp-verdin-dahlia.dtsi +@@ -16,10 +16,10 @@ + "Headphone Jack", "HPOUTR", + "IN2L", "Line In Jack", + "IN2R", "Line In Jack", +- "Headphone Jack", "MICBIAS", +- "IN1L", "Headphone Jack"; ++ "Microphone Jack", "MICBIAS", ++ "IN1L", "Microphone Jack"; + simple-audio-card,widgets = +- "Microphone", "Headphone Jack", ++ "Microphone", "Microphone Jack", + "Headphone", "Headphone Jack", + "Line", "Line In Jack"; + diff --git a/queue-6.6/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch b/queue-6.6/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch new file mode 100644 index 0000000000..aa54571789 --- /dev/null +++ b/queue-6.6/arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch @@ -0,0 +1,85 @@ +From ffcef3df680c437ca33ff434be18ec24d72907c2 Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Sun, 2 Mar 2025 19:48:04 +0100 +Subject: arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board dtsi + +From: Dragan Simic + +commit ffcef3df680c437ca33ff434be18ec24d72907c2 upstream. + +Add missing "vpcie0v9-supply" and "vpcie1v8-supply" properties to the "pcie0" +node in the Pine64 RockPro64 board dtsi file. This eliminates the following +warnings from the kernel log: + + rockchip-pcie f8000000.pcie: supply vpcie1v8 not found, using dummy regulator + rockchip-pcie f8000000.pcie: supply vpcie0v9 not found, using dummy regulator + +These additions improve the accuracy of hardware description of the RockPro64 +and, in theory, they should result in no functional changes to the way board +works after the changes, because the "vcca_0v9" and "vcca_1v8" regulators are +always enabled. [1][2] However, extended reliability testing, performed by +Chris, [3] has proven that the age-old issues with some PCI Express cards, +when used with a Pine64 RockPro64, are also resolved. + +Those issues were already mentioned in the commit 43853e843aa6 (arm64: dts: +rockchip: Remove unsupported node from the Pinebook Pro dts, 2024-04-01), +together with a brief description of the out-of-tree enumeration delay patch +that reportedly resolves those issues. In a nutshell, booting a RockPro64 +with some PCI Express cards attached to it caused a kernel oops. [4] + +Symptomatically enough, to the commit author's best knowledge, only the Pine64 +RockPro64, out of all RK3399-based boards and devices supported upstream, has +been reported to suffer from those PCI Express issues, and only the RockPro64 +had some of the PCI Express supplies missing in its DT. Thus, perhaps some +weird timing issues exist that caused the "vcca_1v8" always-on regulator, +which is part of the RK808 PMIC, to actually not be enabled before the PCI +Express is initialized and enumerated on the RockPro64, causing oopses with +some PCIe cards, and the aforementioned enumeration delay patch [4] probably +acted as just a workaround for the underlying timing issue. + +Admittedly, the Pine64 RockPro64 is a bit specific board by having a standard +PCI Express slot, allowing use of various standard cards, but pretty much +standard PCI Express cards have been attached to other RK3399 boards as well, +and the commit author is unaware ot such issues reported for them. + +It's quite hard to be sure that the PCI Express issues are fully resolved by +these additions to the DT, without some really extensive and time-consuming +testing. However, these additions to the DT can result in good things and +improvements anyway, making them perfectly safe from the standpoint of being +unable to do any harm or cause some unforeseen regressions. + +These changes apply to the both supported hardware revisions of the Pine64 +RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2] + +[1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf +[2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf +[3] https://z9.de/hedgedoc/s/nF4d5G7rg#reboot-tests-for-PCIe-improvements +[4] https://lore.kernel.org/lkml/20230509153912.515218-1-vincenzopalazzodev@gmail.com/T/#u + +Fixes: bba821f5479e ("arm64: dts: rockchip: add PCIe nodes on rk3399-rockpro64") +Cc: stable@vger.kernel.org +Cc: Vincenzo Palazzo +Cc: Peter Geis +Cc: Bjorn Helgaas +Reported-by: Diederik de Haas +Tested-by: Chris Vogel +Signed-off-by: Dragan Simic +Tested-by: Diederik de Haas +Link: https://lore.kernel.org/r/b39cfd7490d8194f053bf3971f13a43472d1769e.1740941097.git.dsimic@manjaro.org +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi +@@ -661,6 +661,8 @@ + num-lanes = <4>; + pinctrl-names = "default"; + pinctrl-0 = <&pcie_perst>; ++ vpcie0v9-supply = <&vcca_0v9>; ++ vpcie1v8-supply = <&vcca_1v8>; + vpcie12v-supply = <&vcc12v_dcin>; + vpcie3v3-supply = <&vcc3v3_pcie>; + status = "okay"; diff --git a/queue-6.6/arm64-dts-rockchip-fix-pinmux-of-uart0-for-px30-ringneck-on-haikou.patch b/queue-6.6/arm64-dts-rockchip-fix-pinmux-of-uart0-for-px30-ringneck-on-haikou.patch new file mode 100644 index 0000000000..1a71497777 --- /dev/null +++ b/queue-6.6/arm64-dts-rockchip-fix-pinmux-of-uart0-for-px30-ringneck-on-haikou.patch @@ -0,0 +1,40 @@ +From 2db7d29c7b1629ced3cbab3de242511eb3c22066 Mon Sep 17 00:00:00 2001 +From: Quentin Schulz +Date: Tue, 25 Feb 2025 12:53:29 +0100 +Subject: arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Quentin Schulz + +commit 2db7d29c7b1629ced3cbab3de242511eb3c22066 upstream. + +UART0 pinmux by default configures GPIO0_B5 in its UART RTS function for +UART0. However, by default on Haikou, it is used as GPIO as UART RTS for +UART5. + +Therefore, let's update UART0 pinmux to not configure the pin in that +mode, a later commit will make UART5 request the GPIO pinmux. + +Fixes: c484cf93f61b ("arm64: dts: rockchip: add PX30-µQ7 (Ringneck) SoM with Haikou baseboard") +Cc: stable@vger.kernel.org +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20250225-ringneck-dtbos-v3-1-853a9a6dd597@cherry.de +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts ++++ b/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts +@@ -221,6 +221,8 @@ + }; + + &uart0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&uart0_xfer>; + status = "okay"; + }; + diff --git a/queue-6.6/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch b/queue-6.6/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch new file mode 100644 index 0000000000..c43a9eb5e1 --- /dev/null +++ b/queue-6.6/batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch @@ -0,0 +1,56 @@ +From 548b0c5de7619ef53bbde5590700693f2f6d2a56 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sun, 2 Feb 2025 17:04:13 +0100 +Subject: batman-adv: Ignore own maximum aggregation size during RX + +From: Sven Eckelmann + +commit 548b0c5de7619ef53bbde5590700693f2f6d2a56 upstream. + +An OGMv1 and OGMv2 packet receive processing were not only limited by the +number of bytes in the received packet but also by the nodes maximum +aggregation packet size limit. But this limit is relevant for TX and not +for RX. It must not be enforced by batadv_(i)v_ogm_aggr_packet to avoid +loss of information in case of a different limit for sender and receiver. + +This has a minor side effect for B.A.T.M.A.N. IV because the +batadv_iv_ogm_aggr_packet is also used for the preprocessing for the TX. +But since the aggregation code itself will not allow more than +BATADV_MAX_AGGREGATION_BYTES bytes, this check was never triggering (in +this context) prior of removing it. + +Cc: stable@vger.kernel.org +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 3 +-- + net/batman-adv/bat_v_ogm.c | 3 +-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -324,8 +324,7 @@ batadv_iv_ogm_aggr_packet(int buff_pos, + /* check if there is enough space for the optional TVLV */ + next_buff_pos += ntohs(ogm_packet->tvlv_len); + +- return (next_buff_pos <= packet_len) && +- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); ++ return next_buff_pos <= packet_len; + } + + /* send a batman ogm to a given interface */ +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -839,8 +839,7 @@ batadv_v_ogm_aggr_packet(int buff_pos, i + /* check if there is enough space for the optional TVLV */ + next_buff_pos += ntohs(ogm2_packet->tvlv_len); + +- return (next_buff_pos <= packet_len) && +- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); ++ return next_buff_pos <= packet_len; + } + + /** diff --git a/queue-6.6/can-flexcan-disable-transceiver-during-system-pm.patch b/queue-6.6/can-flexcan-disable-transceiver-during-system-pm.patch new file mode 100644 index 0000000000..897e9e1190 --- /dev/null +++ b/queue-6.6/can-flexcan-disable-transceiver-during-system-pm.patch @@ -0,0 +1,55 @@ +From 5a19143124be42900b3fbc9ada3c919632eb45eb Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Fri, 14 Mar 2025 19:01:45 +0800 +Subject: can: flexcan: disable transceiver during system PM + +From: Haibo Chen + +commit 5a19143124be42900b3fbc9ada3c919632eb45eb upstream. + +During system PM, if no wakeup requirement, disable transceiver to +save power. + +Fixes: 4de349e786a3 ("can: flexcan: fix resume function") +Cc: stable@vger.kernel.org +Reviewed-by: Frank Li +Signed-off-by: Haibo Chen +Link: https://patch.msgid.link/20250314110145.899179-2-haibo.chen@nxp.com +[mkl: add newlines] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/flexcan/flexcan-core.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/flexcan/flexcan-core.c ++++ b/drivers/net/can/flexcan/flexcan-core.c +@@ -2245,6 +2245,10 @@ static int __maybe_unused flexcan_suspen + + flexcan_chip_interrupts_disable(dev); + ++ err = flexcan_transceiver_disable(priv); ++ if (err) ++ return err; ++ + err = pinctrl_pm_select_sleep_state(device); + if (err) + return err; +@@ -2277,10 +2281,16 @@ static int __maybe_unused flexcan_resume + if (err) + return err; + +- err = flexcan_chip_start(dev); ++ err = flexcan_transceiver_enable(priv); + if (err) + return err; + ++ err = flexcan_chip_start(dev); ++ if (err) { ++ flexcan_transceiver_disable(priv); ++ return err; ++ } ++ + flexcan_chip_interrupts_enable(dev); + } + diff --git a/queue-6.6/can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch b/queue-6.6/can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch new file mode 100644 index 0000000000..d85d9a57a7 --- /dev/null +++ b/queue-6.6/can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch @@ -0,0 +1,70 @@ +From fd99d6ed20234b83d65b9c5417794343577cf3e5 Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Fri, 14 Mar 2025 19:01:44 +0800 +Subject: can: flexcan: only change CAN state when link up in system PM + +From: Haibo Chen + +commit fd99d6ed20234b83d65b9c5417794343577cf3e5 upstream. + +After a suspend/resume cycle on a down interface, it will come up as +ERROR-ACTIVE. + +$ ip -details -s -s a s dev flexcan0 +3: flexcan0: mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 + link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 + can state STOPPED (berr-counter tx 0 rx 0) restart-ms 1000 + +$ sudo systemctl suspend + +$ ip -details -s -s a s dev flexcan0 +3: flexcan0: mtu 16 qdisc pfifo_fast state DOWN group default qlen 10 + link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0 + can state ERROR-ACTIVE (berr-counter tx 0 rx 0) restart-ms 1000 + +And only set CAN state to CAN_STATE_ERROR_ACTIVE when resume process +has no issue, otherwise keep in CAN_STATE_SLEEPING as suspend did. + +Fixes: 4de349e786a3 ("can: flexcan: fix resume function") +Cc: stable@vger.kernel.org +Signed-off-by: Haibo Chen +Link: https://patch.msgid.link/20250314110145.899179-1-haibo.chen@nxp.com +Reported-by: Marc Kleine-Budde +Closes: https://lore.kernel.org/all/20250314-married-polar-elephant-b15594-mkl@pengutronix.de +[mkl: add newlines] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/flexcan/flexcan-core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/flexcan/flexcan-core.c ++++ b/drivers/net/can/flexcan/flexcan-core.c +@@ -2251,8 +2251,9 @@ static int __maybe_unused flexcan_suspen + } + netif_stop_queue(dev); + netif_device_detach(dev); ++ ++ priv->can.state = CAN_STATE_SLEEPING; + } +- priv->can.state = CAN_STATE_SLEEPING; + + return 0; + } +@@ -2263,7 +2264,6 @@ static int __maybe_unused flexcan_resume + struct flexcan_priv *priv = netdev_priv(dev); + int err; + +- priv->can.state = CAN_STATE_ERROR_ACTIVE; + if (netif_running(dev)) { + netif_device_attach(dev); + netif_start_queue(dev); +@@ -2283,6 +2283,8 @@ static int __maybe_unused flexcan_resume + + flexcan_chip_interrupts_enable(dev); + } ++ ++ priv->can.state = CAN_STATE_ERROR_ACTIVE; + } + + return 0; diff --git a/queue-6.6/can-rcar_canfd-fix-page-entries-in-the-afl-list.patch b/queue-6.6/can-rcar_canfd-fix-page-entries-in-the-afl-list.patch new file mode 100644 index 0000000000..3dbc42f756 --- /dev/null +++ b/queue-6.6/can-rcar_canfd-fix-page-entries-in-the-afl-list.patch @@ -0,0 +1,96 @@ +From 1dba0a37644ed3022558165bbb5cb9bda540eaf7 Mon Sep 17 00:00:00 2001 +From: Biju Das +Date: Fri, 7 Mar 2025 17:03:27 +0000 +Subject: can: rcar_canfd: Fix page entries in the AFL list + +From: Biju Das + +commit 1dba0a37644ed3022558165bbb5cb9bda540eaf7 upstream. + +There are a total of 96 AFL pages and each page has 16 entries with +registers CFDGAFLIDr, CFDGAFLMr, CFDGAFLP0r, CFDGAFLP1r holding +the rule entries (r = 0..15). + +Currently, RCANFD_GAFL* macros use a start variable to find AFL entries, +which is incorrect as the testing on RZ/G3E shows ch1 and ch4 +gets a start value of 0 and the register contents are overwritten. + +Fix this issue by using rule_entry corresponding to the channel +to find the page entries in the AFL list. + +Fixes: dd3bd23eb438 ("can: rcar_canfd: Add Renesas R-Car CAN FD driver") +Cc: stable@vger.kernel.org +Signed-off-by: Biju Das +Tested-by: Geert Uytterhoeven +Link: https://patch.msgid.link/20250307170330.173425-3-biju.das.jz@bp.renesas.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/rcar/rcar_canfd.c | 28 +++++++++++----------------- + 1 file changed, 11 insertions(+), 17 deletions(-) + +--- a/drivers/net/can/rcar/rcar_canfd.c ++++ b/drivers/net/can/rcar/rcar_canfd.c +@@ -793,22 +793,14 @@ static void rcar_canfd_configure_control + } + + static void rcar_canfd_configure_afl_rules(struct rcar_canfd_global *gpriv, +- u32 ch) ++ u32 ch, u32 rule_entry) + { +- u32 cfg; +- int offset, start, page, num_rules = RCANFD_CHANNEL_NUMRULES; ++ int offset, page, num_rules = RCANFD_CHANNEL_NUMRULES; ++ u32 rule_entry_index = rule_entry % 16; + u32 ridx = ch + RCANFD_RFFIFO_IDX; + +- if (ch == 0) { +- start = 0; /* Channel 0 always starts from 0th rule */ +- } else { +- /* Get number of Channel 0 rules and adjust */ +- cfg = rcar_canfd_read(gpriv->base, RCANFD_GAFLCFG(ch)); +- start = RCANFD_GAFLCFG_GETRNC(gpriv, 0, cfg); +- } +- + /* Enable write access to entry */ +- page = RCANFD_GAFL_PAGENUM(start); ++ page = RCANFD_GAFL_PAGENUM(rule_entry); + rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLECTR, + (RCANFD_GAFLECTR_AFLPN(gpriv, page) | + RCANFD_GAFLECTR_AFLDAE)); +@@ -824,13 +816,13 @@ static void rcar_canfd_configure_afl_rul + offset = RCANFD_C_GAFL_OFFSET; + + /* Accept all IDs */ +- rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, start), 0); ++ rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, rule_entry_index), 0); + /* IDE or RTR is not considered for matching */ +- rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, start), 0); ++ rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, rule_entry_index), 0); + /* Any data length accepted */ +- rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, start), 0); ++ rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, rule_entry_index), 0); + /* Place the msg in corresponding Rx FIFO entry */ +- rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, start), ++ rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, rule_entry_index), + RCANFD_GAFLP1_GAFLFDP(ridx)); + + /* Disable write access to page */ +@@ -1857,6 +1849,7 @@ static int rcar_canfd_probe(struct platf + unsigned long channels_mask = 0; + int err, ch_irq, g_irq; + int g_err_irq, g_recc_irq; ++ u32 rule_entry = 0; + bool fdmode = true; /* CAN FD only mode - default */ + char name[9] = "channelX"; + int i; +@@ -2033,7 +2026,8 @@ static int rcar_canfd_probe(struct platf + rcar_canfd_configure_tx(gpriv, ch); + + /* Configure receive rules */ +- rcar_canfd_configure_afl_rules(gpriv, ch); ++ rcar_canfd_configure_afl_rules(gpriv, ch, rule_entry); ++ rule_entry += RCANFD_CHANNEL_NUMRULES; + } + + /* Configure common interrupts */ diff --git a/queue-6.6/can-ucan-fix-out-of-bound-read-in-strscpy-source.patch b/queue-6.6/can-ucan-fix-out-of-bound-read-in-strscpy-source.patch new file mode 100644 index 0000000000..633745cb3e --- /dev/null +++ b/queue-6.6/can-ucan-fix-out-of-bound-read-in-strscpy-source.patch @@ -0,0 +1,145 @@ +From 1d22a122ffb116c3cf78053e812b8b21f8852ee9 Mon Sep 17 00:00:00 2001 +From: Vincent Mailhol +Date: Tue, 18 Feb 2025 23:32:28 +0900 +Subject: can: ucan: fix out of bound read in strscpy() source + +From: Vincent Mailhol + +commit 1d22a122ffb116c3cf78053e812b8b21f8852ee9 upstream. + +Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") +unintentionally introduced a one byte out of bound read on strscpy()'s +source argument (which is kind of ironic knowing that strscpy() is meant +to be a more secure alternative :)). + +Let's consider below buffers: + + dest[len + 1]; /* will be NUL terminated */ + src[len]; /* may not be NUL terminated */ + +When doing: + + strncpy(dest, src, len); + dest[len] = '\0'; + +strncpy() will read up to len bytes from src. + +On the other hand: + + strscpy(dest, src, len + 1); + +will read up to len + 1 bytes from src, that is to say, an out of bound +read of one byte will occur on src if it is not NUL terminated. Note +that the src[len] byte is never copied, but strscpy() still needs to +read it to check whether a truncation occurred or not. + +This exact pattern happened in ucan. + +The root cause is that the source is not NUL terminated. Instead of +doing a copy in a local buffer, directly NUL terminate it as soon as +usb_control_msg() returns. With this, the local firmware_str[] variable +can be removed. + +On top of this do a couple refactors: + + - ucan_ctl_payload->raw is only used for the firmware string, so + rename it to ucan_ctl_payload->fw_str and change its type from u8 to + char. + + - ucan_device_request_in() is only used to retrieve the firmware + string, so rename it to ucan_get_fw_str() and refactor it to make it + directly handle all the string termination logic. + +Reported-by: syzbot+d7d8c418e8317899e88c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-can/67b323a4.050a0220.173698.002b.GAE@google.com/ +Fixes: 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") +Signed-off-by: Vincent Mailhol +Link: https://patch.msgid.link/20250218143515.627682-2-mailhol.vincent@wanadoo.fr +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ucan.c | 43 ++++++++++++++++++------------------------- + 1 file changed, 18 insertions(+), 25 deletions(-) + +--- a/drivers/net/can/usb/ucan.c ++++ b/drivers/net/can/usb/ucan.c +@@ -186,7 +186,7 @@ union ucan_ctl_payload { + */ + struct ucan_ctl_cmd_get_protocol_version cmd_get_protocol_version; + +- u8 raw[128]; ++ u8 fw_str[128]; + } __packed; + + enum { +@@ -424,18 +424,20 @@ static int ucan_ctrl_command_out(struct + UCAN_USB_CTL_PIPE_TIMEOUT); + } + +-static int ucan_device_request_in(struct ucan_priv *up, +- u8 cmd, u16 subcmd, u16 datalen) ++static void ucan_get_fw_str(struct ucan_priv *up, char *fw_str, size_t size) + { +- return usb_control_msg(up->udev, +- usb_rcvctrlpipe(up->udev, 0), +- cmd, +- USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- subcmd, +- 0, +- up->ctl_msg_buffer, +- datalen, +- UCAN_USB_CTL_PIPE_TIMEOUT); ++ int ret; ++ ++ ret = usb_control_msg(up->udev, usb_rcvctrlpipe(up->udev, 0), ++ UCAN_DEVICE_GET_FW_STRING, ++ USB_DIR_IN | USB_TYPE_VENDOR | ++ USB_RECIP_DEVICE, ++ 0, 0, fw_str, size - 1, ++ UCAN_USB_CTL_PIPE_TIMEOUT); ++ if (ret > 0) ++ fw_str[ret] = '\0'; ++ else ++ strscpy(fw_str, "unknown", size); + } + + /* Parse the device information structure reported by the device and +@@ -1314,7 +1316,6 @@ static int ucan_probe(struct usb_interfa + u8 in_ep_addr; + u8 out_ep_addr; + union ucan_ctl_payload *ctl_msg_buffer; +- char firmware_str[sizeof(union ucan_ctl_payload) + 1]; + + udev = interface_to_usbdev(intf); + +@@ -1527,17 +1528,6 @@ static int ucan_probe(struct usb_interfa + */ + ucan_parse_device_info(up, &ctl_msg_buffer->cmd_get_device_info); + +- /* just print some device information - if available */ +- ret = ucan_device_request_in(up, UCAN_DEVICE_GET_FW_STRING, 0, +- sizeof(union ucan_ctl_payload)); +- if (ret > 0) { +- /* copy string while ensuring zero termination */ +- strscpy(firmware_str, up->ctl_msg_buffer->raw, +- sizeof(union ucan_ctl_payload) + 1); +- } else { +- strcpy(firmware_str, "unknown"); +- } +- + /* device is compatible, reset it */ + ret = ucan_ctrl_command_out(up, UCAN_COMMAND_RESET, 0, 0); + if (ret < 0) +@@ -1555,7 +1545,10 @@ static int ucan_probe(struct usb_interfa + + /* initialisation complete, log device info */ + netdev_info(up->netdev, "registered device\n"); +- netdev_info(up->netdev, "firmware string: %s\n", firmware_str); ++ ucan_get_fw_str(up, up->ctl_msg_buffer->fw_str, ++ sizeof(up->ctl_msg_buffer->fw_str)); ++ netdev_info(up->netdev, "firmware string: %s\n", ++ up->ctl_msg_buffer->fw_str); + + /* success */ + return 0; diff --git a/queue-6.6/drm-amd-display-should-support-dmub-hw-lock-on-replay.patch b/queue-6.6/drm-amd-display-should-support-dmub-hw-lock-on-replay.patch new file mode 100644 index 0000000000..848ef46086 --- /dev/null +++ b/queue-6.6/drm-amd-display-should-support-dmub-hw-lock-on-replay.patch @@ -0,0 +1,39 @@ +From bfeefe6ea5f18cabb8fda55364079573804623f9 Mon Sep 17 00:00:00 2001 +From: Martin Tsai +Date: Fri, 2 Feb 2024 14:39:29 +0800 +Subject: drm/amd/display: should support dmub hw lock on Replay + +From: Martin Tsai + +commit bfeefe6ea5f18cabb8fda55364079573804623f9 upstream. + +[Why] +Without acquiring DMCUB hw lock, a race condition is caused with +Panel Replay feature, which will trigger a hang. Indicate that a +lock is necessary to prevent this when replay feature is enabled. + +[How] +To allow dmub hw lock on Replay. + +Reviewed-by: Robin Chen +Acked-by: Aurabindo Pillai +Signed-off-by: Martin Tsai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +@@ -65,5 +65,9 @@ bool should_use_dmub_lock(struct dc_link + { + if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1) + return true; ++ ++ if (link->replay_settings.replay_feature_enabled) ++ return true; ++ + return false; + } diff --git a/queue-6.6/drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch b/queue-6.6/drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch new file mode 100644 index 0000000000..09fac47b5d --- /dev/null +++ b/queue-6.6/drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch @@ -0,0 +1,53 @@ +From acbf16a6ae775b4db86f537448cc466288aa307e Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 7 Mar 2025 15:55:20 -0600 +Subject: drm/amd/display: Use HW lock mgr for PSR1 when only one eDP + +From: Mario Limonciello + +commit acbf16a6ae775b4db86f537448cc466288aa307e upstream. + +[WHY] +DMUB locking is important to make sure that registers aren't accessed +while in PSR. Previously it was enabled but caused a deadlock in +situations with multiple eDP panels. + +[HOW] +Detect if multiple eDP panels are in use to decide whether to use +lock. Refactor the function so that the first check is for PSR-SU +and then replay is in use to prevent having to look up number +of eDP panels for those configurations. + +Fixes: f245b400a223 ("Revert "drm/amd/display: Use HW lock mgr for PSR1"") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3965 +Reviewed-by: ChiaHsuan Chung +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit ed569e1279a3045d6b974226c814e071fa0193a6) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c +@@ -69,5 +69,16 @@ bool should_use_dmub_lock(struct dc_link + if (link->replay_settings.replay_feature_enabled) + return true; + ++ /* only use HW lock for PSR1 on single eDP */ ++ if (link->psr_settings.psr_version == DC_PSR_VERSION_1) { ++ struct dc_link *edp_links[MAX_NUM_EDP]; ++ int edp_num; ++ ++ dc_get_edp_links(link->dc, edp_links, &edp_num); ++ ++ if (edp_num == 1) ++ return true; ++ } ++ + return false; + } diff --git a/queue-6.6/drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch b/queue-6.6/drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch new file mode 100644 index 0000000000..e9ef065a87 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch @@ -0,0 +1,45 @@ +From ec33964d9d88488fa954a03d476a8b811efc6e85 Mon Sep 17 00:00:00 2001 +From: David Rosca +Date: Fri, 28 Feb 2025 13:34:49 +0100 +Subject: drm/amdgpu: Fix JPEG video caps max size for navi1x and raven + +From: David Rosca + +commit ec33964d9d88488fa954a03d476a8b811efc6e85 upstream. + +8192x8192 is the maximum supported resolution. + +Signed-off-by: David Rosca +Acked-by: Alex Deucher +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +(cherry picked from commit 6e0d2fde3ae8fdb5b47e10389f23ed2cb4daec5d) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/nv.c | 2 +- + drivers/gpu/drm/amd/amdgpu/soc15.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/nv.c ++++ b/drivers/gpu/drm/amd/amdgpu/nv.c +@@ -84,7 +84,7 @@ static const struct amdgpu_video_codec_i + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 8192, 8192, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)}, + }; + +--- a/drivers/gpu/drm/amd/amdgpu/soc15.c ++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c +@@ -125,7 +125,7 @@ static const struct amdgpu_video_codec_i + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 8192, 8192, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 4096, 4096, 0)}, + }; + diff --git a/queue-6.6/drm-amdgpu-fix-mpeg2-mpeg4-and-vc1-video-caps-max-size.patch b/queue-6.6/drm-amdgpu-fix-mpeg2-mpeg4-and-vc1-video-caps-max-size.patch new file mode 100644 index 0000000000..f4aee11cec --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-mpeg2-mpeg4-and-vc1-video-caps-max-size.patch @@ -0,0 +1,186 @@ +From f0105e173103c9d30a2bb959f7399437d536c848 Mon Sep 17 00:00:00 2001 +From: David Rosca +Date: Fri, 28 Feb 2025 13:32:46 +0100 +Subject: drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size + +From: David Rosca + +commit f0105e173103c9d30a2bb959f7399437d536c848 upstream. + +1920x1088 is the maximum supported resolution. + +Signed-off-by: David Rosca +Acked-by: Alex Deucher +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +(cherry picked from commit 1a0807feb97082bff2b1342dbbe55a2a9a8bdb88) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/nv.c | 18 +++++++++--------- + drivers/gpu/drm/amd/amdgpu/soc15.c | 18 +++++++++--------- + drivers/gpu/drm/amd/amdgpu/vi.c | 36 ++++++++++++++++++------------------ + 3 files changed, 36 insertions(+), 36 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/nv.c ++++ b/drivers/gpu/drm/amd/amdgpu/nv.c +@@ -79,10 +79,10 @@ static const struct amdgpu_video_codecs + + /* Navi1x */ + static const struct amdgpu_video_codec_info nv_video_codecs_decode_array[] = { +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)}, +@@ -105,10 +105,10 @@ static const struct amdgpu_video_codecs + }; + + static const struct amdgpu_video_codec_info sc_video_codecs_decode_array_vcn0[] = { +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)}, +@@ -116,10 +116,10 @@ static const struct amdgpu_video_codec_i + }; + + static const struct amdgpu_video_codec_info sc_video_codecs_decode_array_vcn1[] = { +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)}, +--- a/drivers/gpu/drm/amd/amdgpu/soc15.c ++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c +@@ -103,10 +103,10 @@ static const struct amdgpu_video_codecs + /* Vega */ + static const struct amdgpu_video_codec_info vega_video_codecs_decode_array[] = + { +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, + }; +@@ -120,10 +120,10 @@ static const struct amdgpu_video_codecs + /* Raven */ + static const struct amdgpu_video_codec_info rv_video_codecs_decode_array[] = + { +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 4096, 4096, 0)}, +@@ -138,10 +138,10 @@ static const struct amdgpu_video_codecs + /* Renoir, Arcturus */ + static const struct amdgpu_video_codec_info rn_video_codecs_decode_array[] = + { +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)}, +- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)}, +--- a/drivers/gpu/drm/amd/amdgpu/vi.c ++++ b/drivers/gpu/drm/amd/amdgpu/vi.c +@@ -167,16 +167,16 @@ static const struct amdgpu_video_codec_i + { + { + .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, +- .max_width = 4096, +- .max_height = 4096, +- .max_pixels_per_frame = 4096 * 4096, ++ .max_width = 1920, ++ .max_height = 1088, ++ .max_pixels_per_frame = 1920 * 1088, + .max_level = 3, + }, + { + .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, +- .max_width = 4096, +- .max_height = 4096, +- .max_pixels_per_frame = 4096 * 4096, ++ .max_width = 1920, ++ .max_height = 1088, ++ .max_pixels_per_frame = 1920 * 1088, + .max_level = 5, + }, + { +@@ -188,9 +188,9 @@ static const struct amdgpu_video_codec_i + }, + { + .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, +- .max_width = 4096, +- .max_height = 4096, +- .max_pixels_per_frame = 4096 * 4096, ++ .max_width = 1920, ++ .max_height = 1088, ++ .max_pixels_per_frame = 1920 * 1088, + .max_level = 4, + }, + }; +@@ -206,16 +206,16 @@ static const struct amdgpu_video_codec_i + { + { + .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, +- .max_width = 4096, +- .max_height = 4096, +- .max_pixels_per_frame = 4096 * 4096, ++ .max_width = 1920, ++ .max_height = 1088, ++ .max_pixels_per_frame = 1920 * 1088, + .max_level = 3, + }, + { + .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, +- .max_width = 4096, +- .max_height = 4096, +- .max_pixels_per_frame = 4096 * 4096, ++ .max_width = 1920, ++ .max_height = 1088, ++ .max_pixels_per_frame = 1920 * 1088, + .max_level = 5, + }, + { +@@ -227,9 +227,9 @@ static const struct amdgpu_video_codec_i + }, + { + .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, +- .max_width = 4096, +- .max_height = 4096, +- .max_pixels_per_frame = 4096 * 4096, ++ .max_width = 1920, ++ .max_height = 1088, ++ .max_pixels_per_frame = 1920 * 1088, + .max_level = 4, + }, + { diff --git a/queue-6.6/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch b/queue-6.6/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch new file mode 100644 index 0000000000..061825d024 --- /dev/null +++ b/queue-6.6/drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch @@ -0,0 +1,44 @@ +From dd8689b52a24807c2d5ce0a17cb26dc87f75235c Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Tue, 11 Mar 2025 14:14:59 +0300 +Subject: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() + +From: Nikita Zhandarovich + +commit dd8689b52a24807c2d5ce0a17cb26dc87f75235c upstream. + +On the off chance that command stream passed from userspace via +ioctl() call to radeon_vce_cs_parse() is weirdly crafted and +first command to execute is to encode (case 0x03000001), the function +in question will attempt to call radeon_vce_cs_reloc() with size +argument that has not been properly initialized. Specifically, 'size' +will point to 'tmp' variable before the latter had a chance to be +assigned any value. + +Play it safe and init 'tmp' with 0, thus ensuring that +radeon_vce_cs_reloc() will catch an early error in cases like these. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: 2fc5703abda2 ("drm/radeon: check VCE relocation buffer range v3") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/radeon_vce.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_vce.c ++++ b/drivers/gpu/drm/radeon/radeon_vce.c +@@ -557,7 +557,7 @@ int radeon_vce_cs_parse(struct radeon_cs + { + int session_idx = -1; + bool destroyed = false, created = false, allocated = false; +- uint32_t tmp, handle = 0; ++ uint32_t tmp = 0, handle = 0; + uint32_t *size = &tmp; + int i, r = 0; + diff --git a/queue-6.6/drm-sched-fix-fence-reference-count-leak.patch b/queue-6.6/drm-sched-fix-fence-reference-count-leak.patch new file mode 100644 index 0000000000..b54ea060ba --- /dev/null +++ b/queue-6.6/drm-sched-fix-fence-reference-count-leak.patch @@ -0,0 +1,47 @@ +From a952f1ab696873be124e31ce5ef964d36bce817f Mon Sep 17 00:00:00 2001 +From: qianyi liu +Date: Tue, 11 Mar 2025 14:02:51 +0800 +Subject: drm/sched: Fix fence reference count leak + +From: qianyi liu + +commit a952f1ab696873be124e31ce5ef964d36bce817f upstream. + +The last_scheduled fence leaks when an entity is being killed and adding +the cleanup callback fails. + +Decrement the reference count of prev when dma_fence_add_callback() +fails, ensuring proper balance. + +Cc: stable@vger.kernel.org # v6.2+ +[phasta: add git tag info for stable kernel] +Fixes: 2fdb8a8f07c2 ("drm/scheduler: rework entity flush, kill and fini") +Signed-off-by: qianyi liu +Signed-off-by: Philipp Stanner +Link: https://patchwork.freedesktop.org/patch/msgid/20250311060251.4041101-1-liuqianyi125@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -237,9 +237,16 @@ static void drm_sched_entity_kill(struct + struct drm_sched_fence *s_fence = job->s_fence; + + dma_fence_get(&s_fence->finished); +- if (!prev || dma_fence_add_callback(prev, &job->finish_cb, +- drm_sched_entity_kill_jobs_cb)) ++ if (!prev || ++ dma_fence_add_callback(prev, &job->finish_cb, ++ drm_sched_entity_kill_jobs_cb)) { ++ /* ++ * Adding callback above failed. ++ * dma_fence_put() checks for NULL. ++ */ ++ dma_fence_put(prev); + drm_sched_entity_kill_jobs_cb(NULL, &job->finish_cb); ++ } + + prev = &s_fence->finished; + } diff --git a/queue-6.6/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch b/queue-6.6/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch new file mode 100644 index 0000000000..da0874d498 --- /dev/null +++ b/queue-6.6/drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch @@ -0,0 +1,68 @@ +From 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ma=C3=ADra=20Canal?= +Date: Thu, 13 Mar 2025 11:43:26 -0300 +Subject: drm/v3d: Don't run jobs that have errors flagged in its fence +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +commit 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 upstream. + +The V3D driver still relies on `drm_sched_increase_karma()` and +`drm_sched_resubmit_jobs()` for resubmissions when a timeout occurs. +The function `drm_sched_increase_karma()` marks the job as guilty, while +`drm_sched_resubmit_jobs()` sets an error (-ECANCELED) in the DMA fence of +that guilty job. + +Because of this, we must check whether the job’s DMA fence has been +flagged with an error before executing the job. Otherwise, the same guilty +job may be resubmitted indefinitely, causing repeated GPU resets. + +This patch adds a check for an error on the job's fence to prevent running +a guilty job that was previously flagged when the GPU timed out. + +Note that the CPU and CACHE_CLEAN queues do not require this check, as +their jobs are executed synchronously once the DRM scheduler starts them. + +Cc: stable@vger.kernel.org +Fixes: d223f98f0209 ("drm/v3d: Add support for compute shader dispatch.") +Fixes: 1584f16ca96e ("drm/v3d: Add support for submitting jobs to the TFU.") +Reviewed-by: Iago Toral Quiroga +Signed-off-by: Maíra Canal +Link: https://patchwork.freedesktop.org/patch/msgid/20250313-v3d-gpu-reset-fixes-v4-1-c1e780d8e096@igalia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/v3d/v3d_sched.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/v3d/v3d_sched.c ++++ b/drivers/gpu/drm/v3d/v3d_sched.c +@@ -179,11 +179,15 @@ v3d_tfu_job_run(struct drm_sched_job *sc + struct drm_device *dev = &v3d->drm; + struct dma_fence *fence; + ++ if (unlikely(job->base.base.s_fence->finished.error)) ++ return NULL; ++ ++ v3d->tfu_job = job; ++ + fence = v3d_fence_create(v3d, V3D_TFU); + if (IS_ERR(fence)) + return NULL; + +- v3d->tfu_job = job; + if (job->base.irq_fence) + dma_fence_put(job->base.irq_fence); + job->base.irq_fence = dma_fence_get(fence); +@@ -217,6 +221,9 @@ v3d_csd_job_run(struct drm_sched_job *sc + struct dma_fence *fence; + int i; + ++ if (unlikely(job->base.base.s_fence->finished.error)) ++ return NULL; ++ + v3d->csd_job = job; + + v3d_invalidate_caches(v3d); diff --git a/queue-6.6/efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch b/queue-6.6/efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch new file mode 100644 index 0000000000..59131b673b --- /dev/null +++ b/queue-6.6/efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch @@ -0,0 +1,45 @@ +From cb16dfed0093217a68c0faa9394fa5823927e04c Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 14 Mar 2025 12:03:33 +0100 +Subject: efi/libstub: Avoid physical address 0x0 when doing random allocation + +From: Ard Biesheuvel + +commit cb16dfed0093217a68c0faa9394fa5823927e04c upstream. + +Ben reports spurious EFI zboot failures on a system where physical RAM +starts at 0x0. When doing random memory allocation from the EFI stub on +such a platform, a random seed of 0x0 (which means no entropy source is +available) will result in the allocation to be placed at address 0x0 if +sufficient space is available. + +When this allocation is subsequently passed on to the decompression +code, the 0x0 address is mistaken for NULL and the code complains and +gives up. + +So avoid address 0x0 when doing random allocation, and set the minimum +address to the minimum alignment. + +Cc: +Reported-by: Ben Schneider +Tested-by: Ben Schneider +Reviewed-by: Ilias Apalodimas +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/libstub/randomalloc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/firmware/efi/libstub/randomalloc.c ++++ b/drivers/firmware/efi/libstub/randomalloc.c +@@ -75,6 +75,10 @@ efi_status_t efi_random_alloc(unsigned l + if (align < EFI_ALLOC_ALIGN) + align = EFI_ALLOC_ALIGN; + ++ /* Avoid address 0x0, as it can be mistaken for NULL */ ++ if (alloc_min == 0) ++ alloc_min = align; ++ + size = round_up(size, EFI_ALLOC_ALIGN); + + /* count the suitable slots in each memory map entry */ diff --git a/queue-6.6/i2c-omap-fix-irq-storms.patch b/queue-6.6/i2c-omap-fix-irq-storms.patch new file mode 100644 index 0000000000..ff9f8f6694 --- /dev/null +++ b/queue-6.6/i2c-omap-fix-irq-storms.patch @@ -0,0 +1,112 @@ +From 285df995f90e3d61d97f327d34b9659d92313314 Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Fri, 28 Feb 2025 15:04:20 +0100 +Subject: i2c: omap: fix IRQ storms + +From: Andreas Kemnade + +commit 285df995f90e3d61d97f327d34b9659d92313314 upstream. + +On the GTA04A5 writing a reset command to the gyroscope causes IRQ +storms because NACK IRQs are enabled and therefore triggered but not +acked. + +Sending a reset command to the gyroscope by +i2cset 1 0x69 0x14 0xb6 +with an additional debug print in the ISR (not the thread) itself +causes + +[ 363.353515] i2c i2c-1: ioctl, cmd=0x720, arg=0xbe801b00 +[ 363.359039] omap_i2c 48072000.i2c: addr: 0x0069, len: 2, flags: 0x0, stop: 1 +[ 363.366180] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x1110) +[ 363.371673] omap_i2c 48072000.i2c: IRQ (ISR = 0x0010) +[ 363.376892] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102) +[ 363.382263] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102) +[ 363.387664] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102) +repeating till infinity +[...] +(0x2 = NACK, 0x100 = Bus free, which is not enabled) +Apparently no other IRQ bit gets set, so this stalls. + +Do not ignore enabled interrupts and make sure they are acked. +If the NACK IRQ is not needed, it should simply not enabled, but +according to the above log, caring about it is necessary unless +the Bus free IRQ is enabled and handled. The assumption that is +will always come with a ARDY IRQ, which was the idea behind +ignoring it, proves wrong. +It is true for simple reads from an unused address. + +To still avoid the i2cdetect trouble which is the reason for +commit c770657bd261 ("i2c: omap: Fix standard mode false ACK readings"), +avoid doing much about NACK in omap_i2c_xfer_data() which is used +by both IRQ mode and polling mode, so also the false detection fix +is extended to polling usage and IRQ storms are avoided. + +By changing this, the hardirq handler is not needed anymore to filter +stuff. + +The mentioned gyro reset now just causes a -ETIMEDOUT instead of +hanging the system. + +Fixes: c770657bd261 ("i2c: omap: Fix standard mode false ACK readings"). +CC: stable@kernel.org +Signed-off-by: Andreas Kemnade +Tested-by: Nishanth Menon +Reviewed-by: Aniket Limaye +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20250228140420.379498-1-andreas@kemnade.info +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-omap.c | 26 +++++++------------------- + 1 file changed, 7 insertions(+), 19 deletions(-) + +--- a/drivers/i2c/busses/i2c-omap.c ++++ b/drivers/i2c/busses/i2c-omap.c +@@ -1049,23 +1049,6 @@ static int omap_i2c_transmit_data(struct + return 0; + } + +-static irqreturn_t +-omap_i2c_isr(int irq, void *dev_id) +-{ +- struct omap_i2c_dev *omap = dev_id; +- irqreturn_t ret = IRQ_HANDLED; +- u16 mask; +- u16 stat; +- +- stat = omap_i2c_read_reg(omap, OMAP_I2C_STAT_REG); +- mask = omap_i2c_read_reg(omap, OMAP_I2C_IE_REG) & ~OMAP_I2C_STAT_NACK; +- +- if (stat & mask) +- ret = IRQ_WAKE_THREAD; +- +- return ret; +-} +- + static int omap_i2c_xfer_data(struct omap_i2c_dev *omap) + { + u16 bits; +@@ -1096,8 +1079,13 @@ static int omap_i2c_xfer_data(struct oma + } + + if (stat & OMAP_I2C_STAT_NACK) { +- err |= OMAP_I2C_STAT_NACK; ++ omap->cmd_err |= OMAP_I2C_STAT_NACK; + omap_i2c_ack_stat(omap, OMAP_I2C_STAT_NACK); ++ ++ if (!(stat & ~OMAP_I2C_STAT_NACK)) { ++ err = -EAGAIN; ++ break; ++ } + } + + if (stat & OMAP_I2C_STAT_AL) { +@@ -1475,7 +1463,7 @@ omap_i2c_probe(struct platform_device *p + IRQF_NO_SUSPEND, pdev->name, omap); + else + r = devm_request_threaded_irq(&pdev->dev, omap->irq, +- omap_i2c_isr, omap_i2c_isr_thread, ++ NULL, omap_i2c_isr_thread, + IRQF_NO_SUSPEND | IRQF_ONESHOT, + pdev->name, omap); + diff --git a/queue-6.6/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch b/queue-6.6/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch new file mode 100644 index 0000000000..e0e6fc33e6 --- /dev/null +++ b/queue-6.6/memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch @@ -0,0 +1,50 @@ +From 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb Mon Sep 17 00:00:00 2001 +From: Shakeel Butt +Date: Mon, 10 Mar 2025 16:09:34 -0700 +Subject: memcg: drain obj stock on cpu hotplug teardown + +From: Shakeel Butt + +commit 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb upstream. + +Currently on cpu hotplug teardown, only memcg stock is drained but we +need to drain the obj stock as well otherwise we will miss the stats +accumulated on the target cpu as well as the nr_bytes cached. The stats +include MEMCG_KMEM, NR_SLAB_RECLAIMABLE_B & NR_SLAB_UNRECLAIMABLE_B. In +addition we are leaking reference to struct obj_cgroup object. + +Link: https://lkml.kernel.org/r/20250310230934.2913113-1-shakeel.butt@linux.dev +Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API") +Signed-off-by: Shakeel Butt +Reviewed-by: Roman Gushchin +Acked-by: Johannes Weiner +Cc: Michal Hocko +Cc: Muchun Song +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2378,9 +2378,18 @@ static void drain_all_stock(struct mem_c + static int memcg_hotplug_cpu_dead(unsigned int cpu) + { + struct memcg_stock_pcp *stock; ++ struct obj_cgroup *old; ++ unsigned long flags; + + stock = &per_cpu(memcg_stock, cpu); ++ ++ /* drain_obj_stock requires stock_lock */ ++ local_lock_irqsave(&memcg_stock.stock_lock, flags); ++ old = drain_obj_stock(stock); ++ local_unlock_irqrestore(&memcg_stock.stock_lock, flags); ++ + drain_stock(stock); ++ obj_cgroup_put(old); + + return 0; + } diff --git a/queue-6.6/mm-fix-error-handling-in-__filemap_get_folio-with-fgp_nowait.patch b/queue-6.6/mm-fix-error-handling-in-__filemap_get_folio-with-fgp_nowait.patch new file mode 100644 index 0000000000..125191e3a0 --- /dev/null +++ b/queue-6.6/mm-fix-error-handling-in-__filemap_get_folio-with-fgp_nowait.patch @@ -0,0 +1,91 @@ +From 182db972c9568dc530b2f586a2f82dfd039d9f2a Mon Sep 17 00:00:00 2001 +From: "Raphael S. Carvalho" +Date: Mon, 24 Feb 2025 11:37:00 -0300 +Subject: mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Raphael S. Carvalho + +commit 182db972c9568dc530b2f586a2f82dfd039d9f2a upstream. + +original report: +https://lore.kernel.org/all/CAKhLTr1UL3ePTpYjXOx2AJfNk8Ku2EdcEfu+CH1sf3Asr=B-Dw@mail.gmail.com/T/ + +When doing buffered writes with FGP_NOWAIT, under memory pressure, the +system returned ENOMEM despite there being plenty of available memory, to +be reclaimed from page cache. The user space used io_uring interface, +which in turn submits I/O with FGP_NOWAIT (the fast path). + +retsnoop pointed to iomap_get_folio: + +00:34:16.180612 -> 00:34:16.180651 TID/PID 253786/253721 +(reactor-1/combined_tests): + + entry_SYSCALL_64_after_hwframe+0x76 + do_syscall_64+0x82 + __do_sys_io_uring_enter+0x265 + io_submit_sqes+0x209 + io_issue_sqe+0x5b + io_write+0xdd + xfs_file_buffered_write+0x84 + iomap_file_buffered_write+0x1a6 + 32us [-ENOMEM] iomap_write_begin+0x408 +iter=&{.inode=0xffff8c67aa031138,.len=4096,.flags=33,.iomap={.addr=0xffffffffffffffff,.length=4096,.type=1,.flags=3,.bdev=0x… +pos=0 len=4096 foliop=0xffffb32c296b7b80 +! 4us [-ENOMEM] iomap_get_folio +iter=&{.inode=0xffff8c67aa031138,.len=4096,.flags=33,.iomap={.addr=0xffffffffffffffff,.length=4096,.type=1,.flags=3,.bdev=0x… +pos=0 len=4096 + +This is likely a regression caused by 66dabbb65d67 ("mm: return an ERR_PTR +from __filemap_get_folio"), which moved error handling from +io_map_get_folio() to __filemap_get_folio(), but broke FGP_NOWAIT +handling, so ENOMEM is being escaped to user space. Had it correctly +returned -EAGAIN with NOWAIT, either io_uring or user space itself would +be able to retry the request. + +It's not enough to patch io_uring since the iomap interface is the one +responsible for it, and pwritev2(RWF_NOWAIT) and AIO interfaces must +return the proper error too. + +The patch was tested with scylladb test suite (its original reproducer), +and the tests all pass now when memory is pressured. + +Link: https://lkml.kernel.org/r/20250224143700.23035-1-raphaelsc@scylladb.com +Fixes: 66dabbb65d67 ("mm: return an ERR_PTR from __filemap_get_folio") +Signed-off-by: Raphael S. Carvalho +Reviewed-by: Christoph Hellwig +Reviewed-by: Dave Chinner +Cc: "Darrick J. Wong" +Cc: Matthew Wilcow (Oracle) +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/filemap.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -1976,8 +1976,19 @@ no_page: + + if (err == -EEXIST) + goto repeat; +- if (err) ++ if (err) { ++ /* ++ * When NOWAIT I/O fails to allocate folios this could ++ * be due to a nonblocking memory allocation and not ++ * because the system actually is out of memory. ++ * Return -EAGAIN so that there caller retries in a ++ * blocking fashion instead of propagating -ENOMEM ++ * to the application. ++ */ ++ if ((fgp_flags & FGP_NOWAIT) && err == -ENOMEM) ++ err = -EAGAIN; + return ERR_PTR(err); ++ } + /* + * filemap_add_folio locks the page, and for mmap + * we expect an unlocked page. diff --git a/queue-6.6/mm-migrate-fix-shmem-xarray-update-during-migration.patch b/queue-6.6/mm-migrate-fix-shmem-xarray-update-during-migration.patch new file mode 100644 index 0000000000..663b961e5d --- /dev/null +++ b/queue-6.6/mm-migrate-fix-shmem-xarray-update-during-migration.patch @@ -0,0 +1,76 @@ +From 60cf233b585cdf1f3c5e52d1225606b86acd08b0 Mon Sep 17 00:00:00 2001 +From: Zi Yan +Date: Wed, 5 Mar 2025 15:04:03 -0500 +Subject: mm/migrate: fix shmem xarray update during migration + +From: Zi Yan + +commit 60cf233b585cdf1f3c5e52d1225606b86acd08b0 upstream. + +A shmem folio can be either in page cache or in swap cache, but not at the +same time. Namely, once it is in swap cache, folio->mapping should be +NULL, and the folio is no longer in a shmem mapping. + +In __folio_migrate_mapping(), to determine the number of xarray entries to +update, folio_test_swapbacked() is used, but that conflates shmem in page +cache case and shmem in swap cache case. It leads to xarray multi-index +entry corruption, since it turns a sibling entry to a normal entry during +xas_store() (see [1] for a userspace reproduction). Fix it by only using +folio_test_swapcache() to determine whether xarray is storing swap cache +entries or not to choose the right number of xarray entries to update. + +[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/ + +Note: +In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is +used to get swap_cache address space, but that ignores the shmem folio in +swap cache case. It could lead to NULL pointer dereferencing when a +in-swap-cache shmem folio is split at __xa_store(), since +!folio_test_anon() is true and folio->mapping is NULL. But fortunately, +its caller split_huge_page_to_list_to_order() bails out early with EBUSY +when folio->mapping is NULL. So no need to take care of it here. + +Link: https://lkml.kernel.org/r/20250305200403.2822855-1-ziy@nvidia.com +Fixes: fc346d0a70a1 ("mm: migrate high-order folios in swap cache correctly") +Signed-off-by: Zi Yan +Reported-by: Liu Shixin +Closes: https://lore.kernel.org/all/28546fb4-5210-bf75-16d6-43e1f8646080@huawei.com/ +Suggested-by: Hugh Dickins +Reviewed-by: Matthew Wilcox (Oracle) +Reviewed-by: Baolin Wang +Cc: Barry Song +Cc: Charan Teja Kalla +Cc: David Hildenbrand +Cc: Hugh Dickins +Cc: Kefeng Wang +Cc: Lance Yang +Cc: Ryan Roberts +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/migrate.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -437,15 +437,13 @@ int folio_migrate_mapping(struct address + newfolio->index = folio->index; + newfolio->mapping = folio->mapping; + folio_ref_add(newfolio, nr); /* add cache reference */ +- if (folio_test_swapbacked(folio)) { ++ if (folio_test_swapbacked(folio)) + __folio_set_swapbacked(newfolio); +- if (folio_test_swapcache(folio)) { +- folio_set_swapcache(newfolio); +- newfolio->private = folio_get_private(folio); +- } ++ if (folio_test_swapcache(folio)) { ++ folio_set_swapcache(newfolio); ++ newfolio->private = folio_get_private(folio); + entries = nr; + } else { +- VM_BUG_ON_FOLIO(folio_test_swapcache(folio), folio); + entries = 1; + } + diff --git a/queue-6.6/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch b/queue-6.6/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch new file mode 100644 index 0000000000..3b5ee76545 --- /dev/null +++ b/queue-6.6/mmc-atmel-mci-add-missing-clk_disable_unprepare.patch @@ -0,0 +1,39 @@ +From e51a349d2dcf1df8422dabb90b2f691dc7df6f92 Mon Sep 17 00:00:00 2001 +From: Gu Bowen +Date: Tue, 25 Feb 2025 10:28:56 +0800 +Subject: mmc: atmel-mci: Add missing clk_disable_unprepare() + +From: Gu Bowen + +commit e51a349d2dcf1df8422dabb90b2f691dc7df6f92 upstream. + +The error path when atmci_configure_dma() set dma fails in atmci driver +does not correctly disable the clock. +Add the missing clk_disable_unprepare() to the error path for pair with +clk_prepare_enable(). + +Fixes: 467e081d23e6 ("mmc: atmel-mci: use probe deferring if dma controller is not ready yet") +Signed-off-by: Gu Bowen +Acked-by: Aubin Constans +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250225022856.3452240-1-gubowen5@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/atmel-mci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/atmel-mci.c ++++ b/drivers/mmc/host/atmel-mci.c +@@ -2536,8 +2536,10 @@ static int atmci_probe(struct platform_d + /* Get MCI capabilities and set operations according to it */ + atmci_get_cap(host); + ret = atmci_configure_dma(host); +- if (ret == -EPROBE_DEFER) ++ if (ret == -EPROBE_DEFER) { ++ clk_disable_unprepare(host->mck); + goto err_dma_probe_defer; ++ } + if (ret == 0) { + host->prepare_data = &atmci_prepare_data_dma; + host->submit_data = &atmci_submit_data_dma; diff --git a/queue-6.6/mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch b/queue-6.6/mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch new file mode 100644 index 0000000000..dfbe42ad61 --- /dev/null +++ b/queue-6.6/mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch @@ -0,0 +1,57 @@ +From 723ef0e20dbb2aa1b5406d2bb75374fc48187daa Mon Sep 17 00:00:00 2001 +From: Kamal Dasu +Date: Tue, 11 Mar 2025 12:59:35 -0400 +Subject: mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops + +From: Kamal Dasu + +commit 723ef0e20dbb2aa1b5406d2bb75374fc48187daa upstream. + +cqhci timeouts observed on brcmstb platforms during suspend: + ... + [ 164.832853] mmc0: cqhci: timeout for tag 18 + ... + +Adding cqhci_suspend()/resume() calls to disable cqe +in sdhci_brcmstb_suspend()/resume() respectively to fix +CQE timeouts seen on PM suspend. + +Fixes: d46ba2d17f90 ("mmc: sdhci-brcmstb: Add support for Command Queuing (CQE)") +Cc: stable@vger.kernel.org +Signed-off-by: Kamal Dasu +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20250311165946.28190-1-kamal.dasu@broadcom.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-brcmstb.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/mmc/host/sdhci-brcmstb.c ++++ b/drivers/mmc/host/sdhci-brcmstb.c +@@ -384,8 +384,15 @@ static int sdhci_brcmstb_suspend(struct + struct sdhci_host *host = dev_get_drvdata(dev); + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_brcmstb_priv *priv = sdhci_pltfm_priv(pltfm_host); ++ int ret; + + clk_disable_unprepare(priv->base_clk); ++ if (host->mmc->caps2 & MMC_CAP2_CQE) { ++ ret = cqhci_suspend(host->mmc); ++ if (ret) ++ return ret; ++ } ++ + return sdhci_pltfm_suspend(dev); + } + +@@ -410,6 +417,9 @@ static int sdhci_brcmstb_resume(struct d + ret = clk_set_rate(priv->base_clk, priv->base_freq_hz); + } + ++ if (host->mmc->caps2 & MMC_CAP2_CQE) ++ ret = cqhci_resume(host->mmc); ++ + return ret; + } + #endif diff --git a/queue-6.6/proc-fix-uaf-in-proc_get_inode.patch b/queue-6.6/proc-fix-uaf-in-proc_get_inode.patch new file mode 100644 index 0000000000..bc1b40d81e --- /dev/null +++ b/queue-6.6/proc-fix-uaf-in-proc_get_inode.patch @@ -0,0 +1,177 @@ +From 654b33ada4ab5e926cd9c570196fefa7bec7c1df Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Sat, 1 Mar 2025 15:06:24 +0300 +Subject: proc: fix UAF in proc_get_inode() + +From: Ye Bin + +commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df upstream. + +Fix race between rmmod and /proc/XXX's inode instantiation. + +The bug is that pde->proc_ops don't belong to /proc, it belongs to a +module, therefore dereferencing it after /proc entry has been registered +is a bug unless use_pde/unuse_pde() pair has been used. + +use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops +never changes so information necessary for inode instantiation can be +saved _before_ proc_register() in PDE itself and used later, avoiding +pde->proc_ops->... dereference. + + rmmod lookup +sys_delete_module + proc_lookup_de + pde_get(de); + proc_get_inode(dir->i_sb, de); + mod->exit() + proc_remove + remove_proc_subtree + proc_entry_rundown(de); + free_module(mod); + + if (S_ISREG(inode->i_mode)) + if (de->proc_ops->proc_read_iter) + --> As module is already freed, will trigger UAF + +BUG: unable to handle page fault for address: fffffbfff80a702b +PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 +Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) +RIP: 0010:proc_get_inode+0x302/0x6e0 +RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 +RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 +RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 +RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 +R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 +R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 +FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + proc_lookup_de+0x11f/0x2e0 + __lookup_slow+0x188/0x350 + walk_component+0x2ab/0x4f0 + path_lookupat+0x120/0x660 + filename_lookup+0x1ce/0x560 + vfs_statx+0xac/0x150 + __do_sys_newstat+0x96/0x110 + do_syscall_64+0x5f/0x170 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +[adobriyan@gmail.com: don't do 2 atomic ops on the common path] +Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183 +Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression") +Signed-off-by: Ye Bin +Signed-off-by: Alexey Dobriyan +Cc: Al Viro +Cc: David S. Miller +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/generic.c | 10 +++++++++- + fs/proc/inode.c | 6 +++--- + fs/proc/internal.h | 14 ++++++++++++++ + include/linux/proc_fs.h | 7 +++++-- + 4 files changed, 31 insertions(+), 6 deletions(-) + +--- a/fs/proc/generic.c ++++ b/fs/proc/generic.c +@@ -557,10 +557,16 @@ struct proc_dir_entry *proc_create_reg(c + return p; + } + +-static inline void pde_set_flags(struct proc_dir_entry *pde) ++static void pde_set_flags(struct proc_dir_entry *pde) + { + if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) + pde->flags |= PROC_ENTRY_PERMANENT; ++ if (pde->proc_ops->proc_read_iter) ++ pde->flags |= PROC_ENTRY_proc_read_iter; ++#ifdef CONFIG_COMPAT ++ if (pde->proc_ops->proc_compat_ioctl) ++ pde->flags |= PROC_ENTRY_proc_compat_ioctl; ++#endif + } + + struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, +@@ -624,6 +630,7 @@ struct proc_dir_entry *proc_create_seq_p + p->proc_ops = &proc_seq_ops; + p->seq_ops = ops; + p->state_size = state_size; ++ pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_seq_private); +@@ -654,6 +661,7 @@ struct proc_dir_entry *proc_create_singl + return NULL; + p->proc_ops = &proc_single_ops; + p->single_show = show; ++ pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_single_data); +--- a/fs/proc/inode.c ++++ b/fs/proc/inode.c +@@ -679,13 +679,13 @@ struct inode *proc_get_inode(struct supe + + if (S_ISREG(inode->i_mode)) { + inode->i_op = de->proc_iops; +- if (de->proc_ops->proc_read_iter) ++ if (pde_has_proc_read_iter(de)) + inode->i_fop = &proc_iter_file_ops; + else + inode->i_fop = &proc_reg_file_ops; + #ifdef CONFIG_COMPAT +- if (de->proc_ops->proc_compat_ioctl) { +- if (de->proc_ops->proc_read_iter) ++ if (pde_has_proc_compat_ioctl(de)) { ++ if (pde_has_proc_read_iter(de)) + inode->i_fop = &proc_iter_file_ops_compat; + else + inode->i_fop = &proc_reg_file_ops_compat; +--- a/fs/proc/internal.h ++++ b/fs/proc/internal.h +@@ -84,6 +84,20 @@ static inline void pde_make_permanent(st + pde->flags |= PROC_ENTRY_PERMANENT; + } + ++static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde) ++{ ++ return pde->flags & PROC_ENTRY_proc_read_iter; ++} ++ ++static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde) ++{ ++#ifdef CONFIG_COMPAT ++ return pde->flags & PROC_ENTRY_proc_compat_ioctl; ++#else ++ return false; ++#endif ++} ++ + extern struct kmem_cache *proc_dir_entry_cache; + void pde_free(struct proc_dir_entry *pde); + +--- a/include/linux/proc_fs.h ++++ b/include/linux/proc_fs.h +@@ -20,10 +20,13 @@ enum { + * If in doubt, ignore this flag. + */ + #ifdef MODULE +- PROC_ENTRY_PERMANENT = 0U, ++ PROC_ENTRY_PERMANENT = 0U, + #else +- PROC_ENTRY_PERMANENT = 1U << 0, ++ PROC_ENTRY_PERMANENT = 1U << 0, + #endif ++ ++ PROC_ENTRY_proc_read_iter = 1U << 1, ++ PROC_ENTRY_proc_compat_ioctl = 1U << 2, + }; + + struct proc_ops { diff --git a/queue-6.6/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch b/queue-6.6/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch new file mode 100644 index 0000000000..1d4f1d855f --- /dev/null +++ b/queue-6.6/regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch @@ -0,0 +1,57 @@ +From 2c7a50bec4958f1d1c84d19cde518d0e96a676fd Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Thu, 13 Mar 2025 11:27:39 +0100 +Subject: regulator: check that dummy regulator has been probed before using it + +From: Christian Eggers + +commit 2c7a50bec4958f1d1c84d19cde518d0e96a676fd upstream. + +Due to asynchronous driver probing there is a chance that the dummy +regulator hasn't already been probed when first accessing it. + +Cc: stable@vger.kernel.org +Signed-off-by: Christian Eggers +Link: https://patch.msgid.link/20250313103051.32430-3-ceggers@arri.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/core.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -2084,6 +2084,10 @@ static int regulator_resolve_supply(stru + + if (have_full_constraints()) { + r = dummy_regulator_rdev; ++ if (!r) { ++ ret = -EPROBE_DEFER; ++ goto out; ++ } + get_device(&r->dev); + } else { + dev_err(dev, "Failed to resolve %s-supply for %s\n", +@@ -2101,6 +2105,10 @@ static int regulator_resolve_supply(stru + goto out; + } + r = dummy_regulator_rdev; ++ if (!r) { ++ ret = -EPROBE_DEFER; ++ goto out; ++ } + get_device(&r->dev); + } + +@@ -2209,8 +2217,10 @@ struct regulator *_regulator_get(struct + * enabled, even if it isn't hooked up, and just + * provide a dummy. + */ +- dev_warn(dev, "supply %s not found, using dummy regulator\n", id); + rdev = dummy_regulator_rdev; ++ if (!rdev) ++ return ERR_PTR(-EPROBE_DEFER); ++ dev_warn(dev, "supply %s not found, using dummy regulator\n", id); + get_device(&rdev->dev); + break; + diff --git a/queue-6.6/regulator-dummy-force-synchronous-probing.patch b/queue-6.6/regulator-dummy-force-synchronous-probing.patch new file mode 100644 index 0000000000..79a9b32e0d --- /dev/null +++ b/queue-6.6/regulator-dummy-force-synchronous-probing.patch @@ -0,0 +1,55 @@ +From 8619909b38eeebd3e60910158d7d68441fc954e9 Mon Sep 17 00:00:00 2001 +From: Christian Eggers +Date: Tue, 11 Mar 2025 10:18:02 +0100 +Subject: regulator: dummy: force synchronous probing + +From: Christian Eggers + +commit 8619909b38eeebd3e60910158d7d68441fc954e9 upstream. + +Sometimes I get a NULL pointer dereference at boot time in kobject_get() +with the following call stack: + +anatop_regulator_probe() + devm_regulator_register() + regulator_register() + regulator_resolve_supply() + kobject_get() + +By placing some extra BUG_ON() statements I could verify that this is +raised because probing of the 'dummy' regulator driver is not completed +('dummy_regulator_rdev' is still NULL). + +In the JTAG debugger I can see that dummy_regulator_probe() and +anatop_regulator_probe() can be run by different kernel threads +(kworker/u4:*). I haven't further investigated whether this can be +changed or if there are other possibilities to force synchronization +between these two probe routines. On the other hand I don't expect much +boot time penalty by probing the 'dummy' regulator synchronously. + +Cc: stable@vger.kernel.org +Fixes: 259b93b21a9f ("regulator: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in 4.14") +Signed-off-by: Christian Eggers +Link: https://patch.msgid.link/20250311091803.31026-1-ceggers@arri.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/dummy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/dummy.c b/drivers/regulator/dummy.c +index 5b9b9e4e762d..9f59889129ab 100644 +--- a/drivers/regulator/dummy.c ++++ b/drivers/regulator/dummy.c +@@ -60,7 +60,7 @@ static struct platform_driver dummy_regulator_driver = { + .probe = dummy_regulator_probe, + .driver = { + .name = "reg-dummy", +- .probe_type = PROBE_PREFER_ASYNCHRONOUS, ++ .probe_type = PROBE_FORCE_SYNCHRONOUS, + }, + }; + +-- +2.49.0 + diff --git a/queue-6.6/riscv-dts-starfive-fix-a-typo-in-starfive-jh7110-pin-function-definitions.patch b/queue-6.6/riscv-dts-starfive-fix-a-typo-in-starfive-jh7110-pin-function-definitions.patch new file mode 100644 index 0000000000..10640fd406 --- /dev/null +++ b/queue-6.6/riscv-dts-starfive-fix-a-typo-in-starfive-jh7110-pin-function-definitions.patch @@ -0,0 +1,37 @@ +From 1b133129ad6b28186214259af3bd5fc651a85509 Mon Sep 17 00:00:00 2001 +From: E Shattow +Date: Mon, 9 Dec 2024 20:19:56 -0800 +Subject: riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function definitions + +From: E Shattow + +commit 1b133129ad6b28186214259af3bd5fc651a85509 upstream. + +Fix a typo in StarFive JH7110 pin function definitions for GPOUT_SYS_SDIO1_DATA4 + +Fixes: e22f09e598d12 ("riscv: dts: starfive: Add StarFive JH7110 pin function definitions") +Signed-off-by: E Shattow +Acked-by: Hal Feng +CC: stable@vger.kernel.org +Signed-off-by: Conor Dooley +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/boot/dts/starfive/jh7110-pinfunc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/boot/dts/starfive/jh7110-pinfunc.h b/arch/riscv/boot/dts/starfive/jh7110-pinfunc.h +index 256de17f5261..ae49c908e7fb 100644 +--- a/arch/riscv/boot/dts/starfive/jh7110-pinfunc.h ++++ b/arch/riscv/boot/dts/starfive/jh7110-pinfunc.h +@@ -89,7 +89,7 @@ + #define GPOUT_SYS_SDIO1_DATA1 59 + #define GPOUT_SYS_SDIO1_DATA2 60 + #define GPOUT_SYS_SDIO1_DATA3 61 +-#define GPOUT_SYS_SDIO1_DATA4 63 ++#define GPOUT_SYS_SDIO1_DATA4 62 + #define GPOUT_SYS_SDIO1_DATA5 63 + #define GPOUT_SYS_SDIO1_DATA6 64 + #define GPOUT_SYS_SDIO1_DATA7 65 +-- +2.49.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 12118ccfd5..5e60971ae3 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -26,3 +26,35 @@ net-atm-fix-use-after-free-in-lec_send.patch net-lwtunnel-fix-recursion-loops.patch net-neighbor-add-missing-policy-for-ndtpa_queue_lenb.patch revert-gre-fix-ipv6-link-local-address-generation.patch +i2c-omap-fix-irq-storms.patch +can-rcar_canfd-fix-page-entries-in-the-afl-list.patch +can-ucan-fix-out-of-bound-read-in-strscpy-source.patch +can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch +can-flexcan-disable-transceiver-during-system-pm.patch +drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch +riscv-dts-starfive-fix-a-typo-in-starfive-jh7110-pin-function-definitions.patch +regulator-dummy-force-synchronous-probing.patch +regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch +accel-qaic-fix-integer-overflow-in-qaic_validate_req.patch +arm64-dts-freescale-imx8mp-verdin-dahlia-add-microphone-jack-to-sound-card.patch +arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch +arm64-dts-rockchip-fix-pinmux-of-uart0-for-px30-ringneck-on-haikou.patch +arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch +mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch +mmc-atmel-mci-add-missing-clk_disable_unprepare.patch +mm-fix-error-handling-in-__filemap_get_folio-with-fgp_nowait.patch +mm-migrate-fix-shmem-xarray-update-during-migration.patch +proc-fix-uaf-in-proc_get_inode.patch +memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch +arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch +arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch +efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch +xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch +batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch +soc-qcom-pdr-fix-the-potential-deadlock.patch +drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch +drm-sched-fix-fence-reference-count-leak.patch +drm-amdgpu-fix-mpeg2-mpeg4-and-vc1-video-caps-max-size.patch +drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch +drm-amd-display-should-support-dmub-hw-lock-on-replay.patch +drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch diff --git a/queue-6.6/soc-qcom-pdr-fix-the-potential-deadlock.patch b/queue-6.6/soc-qcom-pdr-fix-the-potential-deadlock.patch new file mode 100644 index 0000000000..339ad4e6ad --- /dev/null +++ b/queue-6.6/soc-qcom-pdr-fix-the-potential-deadlock.patch @@ -0,0 +1,90 @@ +From 2eeb03ad9f42dfece63051be2400af487ddb96d2 Mon Sep 17 00:00:00 2001 +From: Saranya R +Date: Wed, 12 Feb 2025 22:07:20 +0530 +Subject: soc: qcom: pdr: Fix the potential deadlock + +From: Saranya R + +commit 2eeb03ad9f42dfece63051be2400af487ddb96d2 upstream. + +When some client process A call pdr_add_lookup() to add the look up for +the service and does schedule locator work, later a process B got a new +server packet indicating locator is up and call pdr_locator_new_server() +which eventually sets pdr->locator_init_complete to true which process A +sees and takes list lock and queries domain list but it will timeout due +to deadlock as the response will queued to the same qmi->wq and it is +ordered workqueue and process B is not able to complete new server +request work due to deadlock on list lock. + +Fix it by removing the unnecessary list iteration as the list iteration +is already being done inside locator work, so avoid it here and just +call schedule_work() here. + + Process A Process B + + process_scheduled_works() +pdr_add_lookup() qmi_data_ready_work() + process_scheduled_works() pdr_locator_new_server() + pdr->locator_init_complete=true; + pdr_locator_work() + mutex_lock(&pdr->list_lock); + + pdr_locate_service() mutex_lock(&pdr->list_lock); + + pdr_get_domain_list() + pr_err("PDR: %s get domain list + txn wait failed: %d\n", + req->service_name, + ret); + +Timeout error log due to deadlock: + +" + PDR: tms/servreg get domain list txn wait failed: -110 + PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110 +" + +Thanks to Bjorn and Johan for letting me know that this commit also fixes +an audio regression when using the in-kernel pd-mapper as that makes it +easier to hit this race. [1] + +Link: https://lore.kernel.org/lkml/Zqet8iInnDhnxkT9@hovoldconsulting.com/ # [1] +Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers") +CC: stable@vger.kernel.org +Reviewed-by: Bjorn Andersson +Tested-by: Bjorn Andersson +Tested-by: Johan Hovold +Signed-off-by: Saranya R +Co-developed-by: Mukesh Ojha +Signed-off-by: Mukesh Ojha +Link: https://lore.kernel.org/r/20250212163720.1577876-1-mukesh.ojha@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/pdr_interface.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/soc/qcom/pdr_interface.c ++++ b/drivers/soc/qcom/pdr_interface.c +@@ -74,7 +74,6 @@ static int pdr_locator_new_server(struct + { + struct pdr_handle *pdr = container_of(qmi, struct pdr_handle, + locator_hdl); +- struct pdr_service *pds; + + mutex_lock(&pdr->lock); + /* Create a local client port for QMI communication */ +@@ -86,12 +85,7 @@ static int pdr_locator_new_server(struct + mutex_unlock(&pdr->lock); + + /* Service pending lookup requests */ +- mutex_lock(&pdr->list_lock); +- list_for_each_entry(pds, &pdr->lookups, node) { +- if (pds->need_locator_lookup) +- schedule_work(&pdr->locator_work); +- } +- mutex_unlock(&pdr->list_lock); ++ schedule_work(&pdr->locator_work); + + return 0; + } diff --git a/queue-6.6/xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch b/queue-6.6/xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch new file mode 100644 index 0000000000..427e751666 --- /dev/null +++ b/queue-6.6/xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch @@ -0,0 +1,38 @@ +From 559847f56769037e5b2e0474d3dbff985b98083d Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia +Date: Thu, 13 Mar 2025 08:50:08 +0000 +Subject: xsk: fix an integer overflow in xp_create_and_assign_umem() + +From: Gavrilov Ilia + +commit 559847f56769037e5b2e0474d3dbff985b98083d upstream. + +Since the i and pool->chunk_size variables are of type 'u32', +their product can wrap around and then be cast to 'u64'. +This can lead to two different XDP buffers pointing to the same +memory area. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: 94033cd8e73b ("xsk: Optimize for aligned case") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia Gavrilov +Link: https://patch.msgid.link/20250313085007.3116044-1-Ilia.Gavrilov@infotecs.ru +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/xdp/xsk_buff_pool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/xdp/xsk_buff_pool.c ++++ b/net/xdp/xsk_buff_pool.c +@@ -104,7 +104,7 @@ struct xsk_buff_pool *xp_create_and_assi + if (pool->unaligned) + pool->free_heads[i] = xskb; + else +- xp_init_xskb_addr(xskb, pool, i * pool->chunk_size); ++ xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size); + } + + return pool; -- 2.47.3