From e28d2c5c1a3da83b68f37bb8ace75795d6b683fc Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 2 Nov 2025 18:51:22 -0500 Subject: [PATCH] Fixes for all trees 
Signed-off-by: Sasha Levin --- ...usb-audio-fix-control-pipe-direction.patch | 37 ++ ...-irq-work-before-freeing-ring-buffer.patch | 46 ++ ...mu-table-id-bound-check-issue-in-smu.patch | 41 ++ ...play-smumgr-fix-pciebootlinklevel-va.patch | 39 ++ ...mumgr-fix-pciebootlinklevel-va.patch-17561 | 39 ++ ...drm-etnaviv-fix-flush-sequence-logic.patch | 46 ++ ...drm-msm-a6xx-fix-gmu-firmware-parser.patch | 51 ++ queue-5.10/series | 9 + .../usbnet-prevents-free-active-kevent.patch | 50 ++ ...memory-leak-on-unsupported-wmi-comma.patch | 41 ++ ...usb-audio-fix-control-pipe-direction.patch | 37 ++ ...not-audit-capability-check-in-do_jit.patch | 50 ++ ...-irq-work-before-freeing-ring-buffer.patch | 46 ++ ...mu-table-id-bound-check-issue-in-smu.patch | 41 ++ ...play-smumgr-fix-pciebootlinklevel-va.patch | 39 ++ ...smumgr-fix-pciebootlinklevel-va.patch-3340 | 39 ++ ...drm-etnaviv-fix-flush-sequence-logic.patch | 46 ++ ...drm-msm-a6xx-fix-gmu-firmware-parser.patch | 51 ++ ...pc-s-stack-register-definition-in-bp.patch | 44 ++ ...malize-pt_regs_xxx-macro-definitions.patch | 476 ++++++++++++++++++ ...eturn-error-code-when-function-fails.patch | 87 ++++ ...-risc-v-rv64-support-to-bpf_tracing..patch | 83 +++ queue-5.15/series | 14 + .../usbnet-prevents-free-active-kevent.patch | 50 ++ ...memory-leak-on-unsupported-wmi-comma.patch | 41 ++ ...drm-etnaviv-fix-flush-sequence-logic.patch | 46 ++ queue-5.4/series | 3 + .../usbnet-prevents-free-active-kevent.patch | 50 ++ ...memory-leak-on-unsupported-wmi-comma.patch | 41 ++ ...usb-audio-fix-control-pipe-direction.patch | 37 ++ ...fsl_sai-fix-bit-order-for-dsd-format.patch | 46 ++ ...-unprepare-a-stream-when-xrun-occurs.patch | 40 ++ ...dio-add-pmctrl-handling-for-bt-close.patch | 61 +++ ...x-tracking-of-advertisement-set-inst.patch | 78 +++ ...nc-fix-race-in-hci_cmd_sync_dequeue_.patch | 55 ++ ...d-support-for-periodic-adv-reports-p.patch | 164 ++++++ ...x-another-instance-of-dst_type-handl.patch | 42 ++ 
...not-audit-capability-check-in-do_jit.patch | 50 ++ ...-irq-work-before-freeing-ring-buffer.patch | 46 ++ ...mu-table-id-bound-check-issue-in-smu.patch | 41 ++ ...play-smumgr-fix-pciebootlinklevel-va.patch | 39 ++ ...mumgr-fix-pciebootlinklevel-va.patch-16017 | 39 ++ ...drm-etnaviv-fix-flush-sequence-logic.patch | 46 ++ ...drm-msm-a6xx-fix-gmu-firmware-parser.patch | 51 ++ ...pc-s-stack-register-definition-in-bp.patch | 44 ++ ...eturn-error-code-when-function-fails.patch | 87 ++++ ...itialize-value-of-an-attribute-retur.patch | 42 ++ queue-6.1/series | 20 + .../usbnet-prevents-free-active-kevent.patch | 50 ++ ...memory-leak-on-unsupported-wmi-comma.patch | 41 ++ ...usb-audio-fix-control-pipe-direction.patch | 37 ++ ...test-fix-missing-include-of-kunit-te.patch | 38 ++ ...fsl_sai-fix-bit-order-for-dsd-format.patch | 46 ++ ..._sai-fix-sync-error-in-consumer-mode.patch | 61 +++ ...isable-periods-elapsed-work-when-clo.patch | 38 ++ ...-unprepare-a-stream-when-xrun-occurs.patch | 40 ++ ...dio-add-pmctrl-handling-for-bt-close.patch | 61 +++ ...x-tracking-of-advertisement-set-inst.patch | 78 +++ ...re-fix-tracking-of-periodic-advertis.patch | 88 ++++ ...nc-fix-race-in-hci_cmd_sync_dequeue_.patch | 55 ++ ...x-another-instance-of-dst_type-handl.patch | 42 ++ ...fix-bis-connection-dst_type-handling.patch | 36 ++ ...date-hci_conn_hash_lookup_big-for-br.patch | 75 +++ ...not-audit-capability-check-in-do_jit.patch | 50 ++ ...e-subprogs-for-private-stack-support.patch | 265 ++++++++++ ...-irq-work-before-freeing-ring-buffer.patch | 46 ++ ...peated-usage-of-bpf_prog-aux-stack_d.patch | 73 +++ ...speed-fix-double-free-caused-by-devm.patch | 48 ++ ...ssing-module-name-and-clock-id-to-pi.patch | 46 ++ ...mu-table-id-bound-check-issue-in-smu.patch | 41 ++ ...play-smumgr-fix-pciebootlinklevel-va.patch | 39 ++ ...mumgr-fix-pciebootlinklevel-va.patch-18241 | 39 ++ ...drm-etnaviv-fix-flush-sequence-logic.patch | 46 ++ ...drm-msm-a6xx-fix-gmu-firmware-parser.patch | 51 ++ 
...eon-do-not-kfree-devres-managed-rdev.patch | 40 ++ ...m-radeon-remove-calls-to-drm_put_dev.patch | 98 ++++ ...ction-correctly-cast-priv-pointer-to.patch | 49 ++ ...pc-s-stack-register-definition-in-bp.patch | 44 ++ ...eturn-error-code-when-function-fails.patch | 87 ++++ ...itialize-value-of-an-attribute-retur.patch | 42 ++ queue-6.12/series | 40 ++ ...l-memory-leak-in-efx_mae_process_mpo.patch | 51 ++ ...ring-attribute-length-to-include-nul.patch | 75 +++ .../usbnet-prevents-free-active-kevent.patch | 50 ++ ...memory-leak-on-unsupported-wmi-comma.patch | 41 ++ ...missing-platform-ids-for-quirk-table.patch | 126 +++++ .../wifi-ath11k-add-support-for-mu-edca.patch | 221 ++++++++ ...11k-avoid-bit-operation-on-key-flags.patch | 83 +++ ...free-skb-during-idr-cleanup-callback.patch | 107 ++++ ...n-t-mark-keys-for-inactive-links-as-.patch | 41 ++ ...211-fix-key-tailroom-accounting-leak.patch | 52 ++ ...pi-mrrm-check-revision-of-mrrm-table.patch | 38 ++ ...dd-mono-main-switch-to-presonus-s182.patch | 81 +++ ...on-t-log-messages-meant-for-1810c-wh.patch | 84 ++++ ...usb-audio-fix-control-pipe-direction.patch | 37 ++ ...test-fix-missing-include-of-kunit-te.patch | 38 ++ ...il-correct-the-endian-format-for-dsd.patch | 47 ++ ...fsl_sai-fix-bit-order-for-dsd-format.patch | 46 ++ ..._sai-fix-sync-error-in-consumer-mode.patch | 61 +++ ...isable-periods-elapsed-work-when-clo.patch | 38 ++ ...-unprepare-a-stream-when-xrun-occurs.patch | 40 ++ ...x-double-pm_runtime_disable-in-remov.patch | 55 ++ ..._utils-remove-cs42l43-component_name.patch | 42 ++ ...tel_pcie-fix-event-packet-loss-issue.patch | 81 +++ ...dio-add-pmctrl-handling-for-bt-close.patch | 61 +++ ...x-tracking-of-advertisement-set-inst.patch | 78 +++ ...nn-fix-connection-cleanup-with-big-w.patch | 49 ++ ...re-fix-tracking-of-periodic-advertis.patch | 88 ++++ ...nc-fix-race-in-hci_cmd_sync_dequeue_.patch | 55 ++ ...x-another-instance-of-dst_type-handl.patch | 42 ++ ...fix-bis-connection-dst_type-handling.patch | 36 ++ 
...ix-crash-in-set_mesh_sync-and-set_me.patch | 114 +++++ ...itionally-include-dynptr-copy-kfuncs.patch | 63 +++ ...not-audit-capability-check-in-do_jit.patch | 50 ++ ...-irq-work-before-freeing-ring-buffer.patch | 46 ++ ...speed-fix-double-free-caused-by-devm.patch | 48 ++ ...c-do-not-modify-the-req-nbytes-value.patch | 166 ++++++ ...ssing-module-name-and-clock-id-to-pi.patch | 46 ++ ...mu-table-id-bound-check-issue-in-smu.patch | 41 ++ ...play-smumgr-fix-pciebootlinklevel-va.patch | 39 ++ ...mumgr-fix-pciebootlinklevel-va.patch-25933 | 39 ++ ...amdgpu-fix-spdx-header-on-amd_cper.h.patch | 36 ++ ...fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch | 36 ++ ...-fix-spdx-headers-on-amdgpu_cper.c-h.patch | 47 ++ ...drm-etnaviv-fix-flush-sequence-logic.patch | 46 ++ ...drm-msm-a6xx-fix-gmu-firmware-parser.patch | 51 ++ ...nsure-vm-is-created-in-vm_bind-ioctl.patch | 37 ++ ...m-fix-gem-free-for-imported-dma-bufs.patch | 91 ++++ ...ke-sure-last_fence-is-always-updated.patch | 57 +++ ...eon-do-not-kfree-devres-managed-rdev.patch | 40 ++ ...m-radeon-remove-calls-to-drm_put_dev.patch | 100 ++++ ...ction-correctly-cast-priv-pointer-to.patch | 49 ++ ...pc-s-stack-register-definition-in-bp.patch | 44 ++ ...eturn-error-code-when-function-fails.patch | 87 ++++ ...et-auth-update-sc_c-in-host-response.patch | 53 ++ ...e-unit-attention-counter-implementat.patch | 76 +++ ...itialize-value-of-an-attribute-retur.patch | 42 ++ queue-6.17/series | 58 +++ ...l-memory-leak-in-efx_mae_process_mpo.patch | 51 ++ ...d-print_field-when-there-is-no-reply.patch | 43 ++ ...ring-attribute-length-to-include-nul.patch | 75 +++ .../usbnet-prevents-free-active-kevent.patch | 50 ++ ...memory-leak-on-unsupported-wmi-comma.patch | 41 ++ ...missing-platform-ids-for-quirk-table.patch | 126 +++++ ...11k-avoid-bit-operation-on-key-flags.patch | 83 +++ ...free-skb-during-idr-cleanup-callback.patch | 107 ++++ ...-potential-use-after-free-in-iwl_mld.patch | 50 ++ ...211-fix-key-tailroom-accounting-leak.patch | 52 ++ 
...set-fils-discovery-and-unsol-probe-r.patch | 52 ++ ...0211-call-kfree-without-a-null-check.patch | 42 ++ ...usb-audio-fix-control-pipe-direction.patch | 37 ++ ...fsl_sai-fix-bit-order-for-dsd-format.patch | 46 ++ ...-unprepare-a-stream-when-xrun-occurs.patch | 40 ++ ...dio-add-pmctrl-handling-for-bt-close.patch | 61 +++ ...x-tracking-of-advertisement-set-inst.patch | 78 +++ ...re-fix-tracking-of-periodic-advertis.patch | 88 ++++ ...nc-fix-race-in-hci_cmd_sync_dequeue_.patch | 55 ++ ...x-another-instance-of-dst_type-handl.patch | 42 ++ ...not-audit-capability-check-in-do_jit.patch | 50 ++ ...-irq-work-before-freeing-ring-buffer.patch | 46 ++ ...ry-convert-to-platform-remove-callba.patch | 68 +++ ...speed-fix-double-free-caused-by-devm.patch | 48 ++ ...mu-table-id-bound-check-issue-in-smu.patch | 41 ++ ...play-smumgr-fix-pciebootlinklevel-va.patch | 39 ++ ...mumgr-fix-pciebootlinklevel-va.patch-21603 | 39 ++ ...drm-etnaviv-fix-flush-sequence-logic.patch | 46 ++ ...drm-msm-a6xx-fix-gmu-firmware-parser.patch | 51 ++ ...pc-s-stack-register-definition-in-bp.patch | 44 ++ ...eturn-error-code-when-function-fails.patch | 87 ++++ ...itialize-value-of-an-attribute-retur.patch | 42 ++ queue-6.6/series | 25 + ...l-memory-leak-in-efx_mae_process_mpo.patch | 51 ++ .../usbnet-prevents-free-active-kevent.patch | 50 ++ ...memory-leak-on-unsupported-wmi-comma.patch | 41 ++ ...missing-platform-ids-for-quirk-table.patch | 126 +++++ ...free-skb-during-idr-cleanup-callback.patch | 107 ++++ 176 files changed, 10407 insertions(+) create mode 100644 queue-5.10/alsa-usb-audio-fix-control-pipe-direction.patch create mode 100644 queue-5.10/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch create mode 100644 queue-5.10/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch create mode 100644 queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch create mode 100644 queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-17561 create mode 100644 
queue-5.10/drm-etnaviv-fix-flush-sequence-logic.patch create mode 100644 queue-5.10/drm-msm-a6xx-fix-gmu-firmware-parser.patch create mode 100644 queue-5.10/usbnet-prevents-free-active-kevent.patch create mode 100644 queue-5.10/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch create mode 100644 queue-5.15/alsa-usb-audio-fix-control-pipe-direction.patch create mode 100644 queue-5.15/bpf-do-not-audit-capability-check-in-do_jit.patch create mode 100644 queue-5.15/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch create mode 100644 queue-5.15/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch create mode 100644 queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch create mode 100644 queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340 create mode 100644 queue-5.15/drm-etnaviv-fix-flush-sequence-logic.patch create mode 100644 queue-5.15/drm-msm-a6xx-fix-gmu-firmware-parser.patch create mode 100644 queue-5.15/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch create mode 100644 queue-5.15/libbpf-normalize-pt_regs_xxx-macro-definitions.patch create mode 100644 queue-5.15/net-hns3-return-error-code-when-function-fails.patch create mode 100644 queue-5.15/riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch create mode 100644 queue-5.15/usbnet-prevents-free-active-kevent.patch create mode 100644 queue-5.15/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch create mode 100644 queue-5.4/drm-etnaviv-fix-flush-sequence-logic.patch create mode 100644 queue-5.4/usbnet-prevents-free-active-kevent.patch create mode 100644 queue-5.4/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch create mode 100644 queue-6.1/alsa-usb-audio-fix-control-pipe-direction.patch create mode 100644 queue-6.1/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch create mode 100644 queue-6.1/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch create mode 100644 
queue-6.1/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch create mode 100644 queue-6.1/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch create mode 100644 queue-6.1/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch create mode 100644 queue-6.1/bluetooth-iso-add-support-for-periodic-adv-reports-p.patch create mode 100644 queue-6.1/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch create mode 100644 queue-6.1/bpf-do-not-audit-capability-check-in-do_jit.patch create mode 100644 queue-6.1/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch create mode 100644 queue-6.1/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch create mode 100644 queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch create mode 100644 queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-16017 create mode 100644 queue-6.1/drm-etnaviv-fix-flush-sequence-logic.patch create mode 100644 queue-6.1/drm-msm-a6xx-fix-gmu-firmware-parser.patch create mode 100644 queue-6.1/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch create mode 100644 queue-6.1/net-hns3-return-error-code-when-function-fails.patch create mode 100644 queue-6.1/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch create mode 100644 queue-6.1/usbnet-prevents-free-active-kevent.patch create mode 100644 queue-6.1/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch create mode 100644 queue-6.12/alsa-usb-audio-fix-control-pipe-direction.patch create mode 100644 queue-6.12/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch create mode 100644 queue-6.12/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch create mode 100644 queue-6.12/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch create mode 100644 queue-6.12/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch create mode 100644 queue-6.12/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch create mode 100644 
queue-6.12/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch create mode 100644 queue-6.12/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch create mode 100644 queue-6.12/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch create mode 100644 queue-6.12/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch create mode 100644 queue-6.12/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch create mode 100644 queue-6.12/bluetooth-iso-fix-bis-connection-dst_type-handling.patch create mode 100644 queue-6.12/bluetooth-iso-update-hci_conn_hash_lookup_big-for-br.patch create mode 100644 queue-6.12/bpf-do-not-audit-capability-check-in-do_jit.patch create mode 100644 queue-6.12/bpf-find-eligible-subprogs-for-private-stack-support.patch create mode 100644 queue-6.12/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch create mode 100644 queue-6.12/bpf-x86-avoid-repeated-usage-of-bpf_prog-aux-stack_d.patch create mode 100644 queue-6.12/crypto-aspeed-fix-double-free-caused-by-devm.patch create mode 100644 queue-6.12/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch create mode 100644 queue-6.12/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch create mode 100644 queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch create mode 100644 queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241 create mode 100644 queue-6.12/drm-etnaviv-fix-flush-sequence-logic.patch create mode 100644 queue-6.12/drm-msm-a6xx-fix-gmu-firmware-parser.patch create mode 100644 queue-6.12/drm-radeon-do-not-kfree-devres-managed-rdev.patch create mode 100644 queue-6.12/drm-radeon-remove-calls-to-drm_put_dev.patch create mode 100644 queue-6.12/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch create mode 100644 queue-6.12/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch create mode 100644 queue-6.12/net-hns3-return-error-code-when-function-fails.patch create mode 100644 
queue-6.12/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch create mode 100644 queue-6.12/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch create mode 100644 queue-6.12/tools-ynl-fix-string-attribute-length-to-include-nul.patch create mode 100644 queue-6.12/usbnet-prevents-free-active-kevent.patch create mode 100644 queue-6.12/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch create mode 100644 queue-6.12/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch create mode 100644 queue-6.12/wifi-ath11k-add-support-for-mu-edca.patch create mode 100644 queue-6.12/wifi-ath11k-avoid-bit-operation-on-key-flags.patch create mode 100644 queue-6.12/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch create mode 100644 queue-6.12/wifi-mac80211-don-t-mark-keys-for-inactive-links-as-.patch create mode 100644 queue-6.12/wifi-mac80211-fix-key-tailroom-accounting-leak.patch create mode 100644 queue-6.17/acpi-mrrm-check-revision-of-mrrm-table.patch create mode 100644 queue-6.17/alsa-usb-audio-add-mono-main-switch-to-presonus-s182.patch create mode 100644 queue-6.17/alsa-usb-audio-don-t-log-messages-meant-for-1810c-wh.patch create mode 100644 queue-6.17/alsa-usb-audio-fix-control-pipe-direction.patch create mode 100644 queue-6.17/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch create mode 100644 queue-6.17/asoc-fsl_micfil-correct-the-endian-format-for-dsd.patch create mode 100644 queue-6.17/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch create mode 100644 queue-6.17/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch create mode 100644 queue-6.17/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch create mode 100644 queue-6.17/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch create mode 100644 queue-6.17/asoc-mediatek-fix-double-pm_runtime_disable-in-remov.patch create mode 100644 queue-6.17/asoc-soc_sdw_utils-remove-cs42l43-component_name.patch create mode 100644 
queue-6.17/bluetooth-btintel_pcie-fix-event-packet-loss-issue.patch create mode 100644 queue-6.17/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch create mode 100644 queue-6.17/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch create mode 100644 queue-6.17/bluetooth-hci_conn-fix-connection-cleanup-with-big-w.patch create mode 100644 queue-6.17/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch create mode 100644 queue-6.17/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch create mode 100644 queue-6.17/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch create mode 100644 queue-6.17/bluetooth-iso-fix-bis-connection-dst_type-handling.patch create mode 100644 queue-6.17/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_me.patch create mode 100644 queue-6.17/bpf-conditionally-include-dynptr-copy-kfuncs.patch create mode 100644 queue-6.17/bpf-do-not-audit-capability-check-in-do_jit.patch create mode 100644 queue-6.17/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch create mode 100644 queue-6.17/crypto-aspeed-fix-double-free-caused-by-devm.patch create mode 100644 queue-6.17/crypto-s390-phmac-do-not-modify-the-req-nbytes-value.patch create mode 100644 queue-6.17/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch create mode 100644 queue-6.17/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch create mode 100644 queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch create mode 100644 queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933 create mode 100644 queue-6.17/drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch create mode 100644 queue-6.17/drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch create mode 100644 queue-6.17/drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch create mode 100644 queue-6.17/drm-etnaviv-fix-flush-sequence-logic.patch create mode 100644 queue-6.17/drm-msm-a6xx-fix-gmu-firmware-parser.patch create mode 100644 
queue-6.17/drm-msm-ensure-vm-is-created-in-vm_bind-ioctl.patch create mode 100644 queue-6.17/drm-msm-fix-gem-free-for-imported-dma-bufs.patch create mode 100644 queue-6.17/drm-msm-make-sure-last_fence-is-always-updated.patch create mode 100644 queue-6.17/drm-radeon-do-not-kfree-devres-managed-rdev.patch create mode 100644 queue-6.17/drm-radeon-remove-calls-to-drm_put_dev.patch create mode 100644 queue-6.17/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch create mode 100644 queue-6.17/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch create mode 100644 queue-6.17/net-hns3-return-error-code-when-function-fails.patch create mode 100644 queue-6.17/nvmet-auth-update-sc_c-in-host-response.patch create mode 100644 queue-6.17/scsi-core-fix-the-unit-attention-counter-implementat.patch create mode 100644 queue-6.17/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch create mode 100644 queue-6.17/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch create mode 100644 queue-6.17/tools-ynl-avoid-print_field-when-there-is-no-reply.patch create mode 100644 queue-6.17/tools-ynl-fix-string-attribute-length-to-include-nul.patch create mode 100644 queue-6.17/usbnet-prevents-free-active-kevent.patch create mode 100644 queue-6.17/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch create mode 100644 queue-6.17/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch create mode 100644 queue-6.17/wifi-ath11k-avoid-bit-operation-on-key-flags.patch create mode 100644 queue-6.17/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch create mode 100644 queue-6.17/wifi-iwlwifi-fix-potential-use-after-free-in-iwl_mld.patch create mode 100644 queue-6.17/wifi-mac80211-fix-key-tailroom-accounting-leak.patch create mode 100644 queue-6.17/wifi-mac80211-reset-fils-discovery-and-unsol-probe-r.patch create mode 100644 queue-6.17/wifi-nl80211-call-kfree-without-a-null-check.patch create mode 100644 queue-6.6/alsa-usb-audio-fix-control-pipe-direction.patch 
create mode 100644 queue-6.6/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch create mode 100644 queue-6.6/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch create mode 100644 queue-6.6/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch create mode 100644 queue-6.6/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch create mode 100644 queue-6.6/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch create mode 100644 queue-6.6/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch create mode 100644 queue-6.6/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch create mode 100644 queue-6.6/bpf-do-not-audit-capability-check-in-do_jit.patch create mode 100644 queue-6.6/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch create mode 100644 queue-6.6/crypto-aspeed-acry-convert-to-platform-remove-callba.patch create mode 100644 queue-6.6/crypto-aspeed-fix-double-free-caused-by-devm.patch create mode 100644 queue-6.6/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch create mode 100644 queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch create mode 100644 queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603 create mode 100644 queue-6.6/drm-etnaviv-fix-flush-sequence-logic.patch create mode 100644 queue-6.6/drm-msm-a6xx-fix-gmu-firmware-parser.patch create mode 100644 queue-6.6/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch create mode 100644 queue-6.6/net-hns3-return-error-code-when-function-fails.patch create mode 100644 queue-6.6/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch create mode 100644 queue-6.6/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch create mode 100644 queue-6.6/usbnet-prevents-free-active-kevent.patch create mode 100644 queue-6.6/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch create mode 100644 queue-6.6/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch create mode 100644 
queue-6.6/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
diff --git a/queue-5.10/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-5.10/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644
index 0000000000..3e5fa8e94b
--- /dev/null
+++ b/queue-5.10/alsa-usb-audio-fix-control-pipe-direction.patch
@@ -0,0 +1,37 @@
+From 69842d1b0593be2b1b3ce5288f65d92a185f7c02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index c53a9773f310b..457e07f6fc7c8 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+
+ pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+ pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+- ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++ ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+ SC1810C_SET_STATE_REQ,
+ SC1810C_SET_STATE_REQTYPE,
+ (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+-- 
+2.51.0
+
diff --git a/queue-5.10/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-5.10/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644
index 0000000000..4512f870fd
--- /dev/null
+++ b/queue-5.10/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
@@ -0,0 +1,46 @@
+From 8b51274207f2b4bf202388b221bbe7b0f8a4ef39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index eac0026e2fa62..12e2aad376cf5 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -203,6 +203,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++ irq_work_sync(&rb->work);
++
+ /* copy pages pointer and nr_pages to local variable, as we are going
+ * to unmap rb itself with vunmap() below
+ */
+-- 
+2.51.0
+
diff --git a/queue-5.10/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-5.10/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644
index 0000000000..ba7c3731f1
--- /dev/null
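Review bot: In the kernel/bpf/ringbuf.c change, the added `irq_work_sync(&rb->work);` at the top of bpf_ringbuf_free() has no comment tying it to the use-after-free it closes, and the existing comment directly below it only talks about vunmap(). I would add `/* wait for irq_work queued by bpf_ringbuf_commit(); it must not run once rb is unmapped below */` above the call so a later cleanup does not reorder or drop it. The sync only drains work that is already queued; nothing in the hunk shows what stops a commit from queueing new work after this point, so that presumably rests on the caller holding the last reference to the map and is worth confirming for each backported tree. bpf_ringbuf_free() continues past the end of the hunk.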
+++ b/queue-5.10/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
@@ -0,0 +1,41 @@
+From a68bd094781a5af00d5ef1113cb386defc3f1c25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index 92b2ea4c197b8..5219eb685c88e 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -587,7 +587,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+ table_index);
+ uint32_t table_size;
+ int ret = 0;
+- if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++ if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+ return -EINVAL;
+
+ table_size = smu_table->tables[table_index].size;
+-- 
+2.51.0
+
diff --git a/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644
index 0000000000..f880c48085
--- /dev/null
+++ b/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
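Review bot: In smu_cmn_update_table() (drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c), the corrected condition `table_index >= SMU_TABLE_COUNT || table_id < 0` tests two different variables with nothing in the code saying why, which is the same confusion that produced the original wrong bound. A comment above the `if` such as `/* table_index indexes smu_table->tables[] (driver side); table_id is the firmware-side id and is negative when no mapping exists */` would keep a later edit from merging them again; the second half is inferred from the `< 0` test and the commit message, so confirm it. Only the upper bound of table_index is checked before `smu_table->tables[table_index].size` is read, so if its type is signed (the declaration is outside the hunk) a negative value would still pass. The function starts and ends outside the hunk.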
@@ -0,0 +1,39 @@
+From 3ade04a214368610e514d4be375695ea12cdfc5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index ecb9ee46d6b35..6049edcaf6ce9 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2026,7 +2026,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0; /* 0:Gen1 1:Gen2 2:Gen3*/
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+ table->VRConfig = 0;
+
+-- 
+2.51.0
+
diff --git a/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-17561 b/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-17561
new file mode 100644
index 0000000000..f05fd6e98b
--- /dev/null
+++ b/queue-5.10/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-17561
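Review bot: In fiji_init_smc_table(), the new `table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);` drops the `/* 0:Gen1 1:Gen2 2:Gen3*/` comment that documented the field's encoding, and the same assignment in the iceland_init_smc_table() hunk that follows has no comment either. The value written is the table's entry count rather than the index of an entry, and the cast narrows it to 8 bits without a range check; the commit message says this matches the other smumgr implementations, but the code should carry that reasoning too, for example `/* boot at the top link level (0:Gen1 1:Gen2 2:Gen3); count is used as in the other smumgrs */`. Both functions extend beyond their hunks, so how `count` is bounded is not visible here.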
@@ -0,0 +1,39 @@
+From bdf240079836f43a580209134af6eedd3bf1ed81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 431ad2fd38df1..06d89fafae55b 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0;
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+
+ result = iceland_populate_smc_svi2_config(hwmgr, table);
+-- 
+2.51.0
+
diff --git a/queue-5.10/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-5.10/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644
index 0000000000..71d0f83431
--- /dev/null
+++ b/queue-5.10/drm-etnaviv-fix-flush-sequence-logic.patch
@@ -0,0 +1,46 @@
+From 6f2bd885dfd30c77a79e0b7f1de07c3edd582da1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso
+Signed-off-by: Lucas Stach
+Reviewed-by: Christian Gmeiner
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index 982174af74b1e..7d897aafb2a6a 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -346,7 +346,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+ u32 link_target, link_dwords;
+ bool switch_context = gpu->exec_state != exec_state;
+ bool switch_mmu_context = gpu->mmu_context != mmu_context;
+- unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++ unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+ bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+ bool has_blt = !!(gpu->identity.minor_features5 &
+ chipMinorFeatures5_BLT_ENGINE);
+--
+2.51.0
+
diff --git a/queue-5.10/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-5.10/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644
index 0000000000..4717802dd2
--- /dev/null
+++ b/queue-5.10/drm-msm-a6xx-fix-gmu-firmware-parser.patch
@@ -0,0 +1,51 @@
+From f3a13384442ec95fe9070cf697ed4c17057ef4c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen
+Acked-by: Konrad Dybcio
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index f11da95566dab..e3b36e2373567 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -666,6 +666,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+ return true;
+ }
+
++#define NEXT_BLK(blk) \
++ ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+ struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -696,7 +699,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+
+ for (blk = (const struct block_header *) fw_image->data;
+ (const u8*) blk < fw_image->data + fw_image->size;
+- blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++ blk = NEXT_BLK(blk)) {
+ if (blk->size == 0)
+ continue;
+
+--
+2.51.0
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 1c5806a7c4..109cdc51bb 100644
--- a/queue-5.10/series
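Review bot: NEXT_BLK() steps by a `size` value read from the firmware image, and the loop condition in a6xx_gmu_fw_load only checks that `blk` starts below `fw_image->data + fw_image->size`, not that the header and its payload end inside the image. Unless the part of the loop body outside this hunk already validates it, a truncated or malformed image lets `blk->size` and the payload be read past the end of the buffer; the check below rejects such a block before it is used, with the error path to be matched to the rest of the function. Since sizes are no longer rounded to dwords, a following header can also start at an offset that is not 4-byte aligned, which deserves a comment on the macro. The queue-5.15 copy of this patch has the same loop.

```c
	     blk = NEXT_BLK(blk)) {
		size_t left = fw_image->data + fw_image->size - (const u8 *) blk;

		/* the header and its payload must both lie inside the image */
		if (left < sizeof(*blk) || blk->size > left - sizeof(*blk))
			return -EINVAL;

		/* … unchanged: zero-size skip and the rest of the loop body … */
```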
+++ b/queue-5.10/series
@@ -11,3 +11,12 @@ wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch
 fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
 fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+usbnet-prevents-free-active-kevent.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-17561
diff --git a/queue-5.10/usbnet-prevents-free-active-kevent.patch b/queue-5.10/usbnet-prevents-free-active-kevent.patch
new file mode 100644
index 0000000000..9de50a009d
--- /dev/null
+++ b/queue-5.10/usbnet-prevents-free-active-kevent.patch
@@ -0,0 +1,50 @@
+From a960e7881069cce56514de31a22cade9ad7d3cbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index ac439f9ccfd46..9ac9fbdad5c08 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1597,6 +1597,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+ net = dev->net;
+ unregister_netdev (net);
+
++ cancel_work_sync(&dev->kevent);
++
+ while ((urb = usb_get_from_anchor(&dev->deferred))) {
+ dev_kfree_skb(urb->context);
+ kfree(urb->sg);
+--
+2.51.0
+
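Review bot: The added `cancel_work_sync(&dev->kevent);` in usbnet_disconnect only drains work that was queued before the call, so any path that runs later in the teardown and can still reach usbnet_link_change() would queue kevent again ahead of free_netdev(). The rest of the function is outside the hunk, so I cannot confirm from here that nothing after this point re-arms the work; if something can, the cancel belongs after that source has been stopped. Either way the call deserves a comment, e.g. `/* kevent may have been queued while the device was never up, so ndo_stop() did not cancel it */`.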
diff --git a/queue-5.10/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-5.10/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644
index 0000000000..b89fb51406
--- /dev/null
+++ b/queue-5.10/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
@@ -0,0 +1,41 @@
+From 0728d9f2ad28c837f18ceb8020c09e6fec633198 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson
+Signed-off-by: Loic Poulain
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index c9a74f3e2e601..6293dbc32bde4 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1936,6 +1936,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+ if (cmd_id == WMI_CMD_UNSUPPORTED) {
+ ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+ cmd_id);
++ dev_kfree_skb_any(skb);
+ return ret;
+ }
+
+--
+2.51.0
+
diff --git a/queue-5.15/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-5.15/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644
index 0000000000..5924e7d142
--- /dev/null
+++ b/queue-5.15/alsa-usb-audio-fix-control-pipe-direction.patch
@@ -0,0 +1,37 @@
+From c2272e83ba24263cd9ac9c49c9ba137548666f83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index 0255089c9efb1..38e56ad857243 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+
+ pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+ pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+- ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++ ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+ SC1810C_SET_STATE_REQ,
+ SC1810C_SET_STATE_REQTYPE,
+ (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+--
+2.51.0
+
diff --git a/queue-5.15/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-5.15/bpf-do-not-audit-capability-check-in-do_jit.patch
new file mode 100644
index 0000000000..e8f41c9c08
--- /dev/null
+++ b/queue-5.15/bpf-do-not-audit-capability-check-in-do_jit.patch
@@ -0,0 +1,50 @@
+From 69755aa5ee728eb7f9a7d72366c36e1c0cea84ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 14:27:58 +0200
+Subject: bpf: Do not audit capability check in do_jit()
+
+From: Ondrej Mosnacek
+
+[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ]
+
+The failure of this check only results in a security mitigation being
+applied, slightly affecting performance of the compiled BPF program. It
+doesn't result in a failed syscall, an thus auditing a failed LSM
+permission check for it is unwanted. For example with SELinux, it causes
+a denial to be reported for confined processes running as root, which
+tends to be flagged as a problem to be fixed in the policy. Yet
+dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
+desirable, as it would allow/silence also other checks - either going
+against the principle of least privilege or making debugging potentially
+harder.
+
+Fix it by changing it from capable() to ns_capable_noaudit(), which
+instructs the LSMs to not audit the resulting denials.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
+Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
+Signed-off-by: Ondrej Mosnacek
+Reviewed-by: Paul Moore
+Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 37a005df0b952..4100eed372486 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1786,7 +1786,7 @@ st: if (is_imm8(insn->off))
+ ctx->cleanup_addr = proglen;
+
+ if (bpf_prog_was_classic(bpf_prog) &&
+- !capable(CAP_SYS_ADMIN)) {
++ !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
+ u8 *ip = image + addrs[i - 1];
+
+ if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
+--
+2.51.0
+
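Review bot: The new condition in do_jit(), `!ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)`, carries no comment, and the reason for the no-audit variant lives only in the commit message; a later cleanup could fold it back into capable() and bring the spurious LSM denials back. I would add above the `if`: `/* noaudit: failing this check only adds the BHB barrier, it never fails the syscall */`. Checking against `&init_user_ns` keeps the privilege boundary where capable() had it, so CAP_SYS_ADMIN held only in a child user namespace still gets the barrier; that is worth stating in the same comment. The enclosing function starts and ends outside the hunk.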
diff --git a/queue-5.15/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-5.15/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644
index 0000000000..8ea97f9b2f
--- /dev/null
+++ b/queue-5.15/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
@@ -0,0 +1,46 @@
+From 42a36e23d12ed7392671e16dcef48b1715597355 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index eb6ff0d0c06b6..5798d6dbdcb43 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -184,6 +184,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++ irq_work_sync(&rb->work);
++
+ /* copy pages pointer and nr_pages to local variable, as we are going
+ * to unmap rb itself with vunmap() below
+ */
+--
+2.51.0
+
diff --git a/queue-5.15/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-5.15/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644
index 0000000000..47505ad3c5
--- /dev/null
+++ b/queue-5.15/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
@@ -0,0 +1,41 @@
+From 8d5d573e066761bf8dcd83418ef0156212f45e91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index 843d2cbfc71d4..fbbbea75c52d4 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -883,7 +883,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+ table_index);
+ uint32_t table_size;
+ int ret = 0;
+- if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++ if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+ return -EINVAL;
+
+ table_size = smu_table->tables[table_index].size;
+--
+2.51.0
+
diff --git a/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644
index 0000000000..ac84c02e03
--- /dev/null
+++ b/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
@@ -0,0 +1,39 @@
+From 4aa01e2303e1e0b22b34545c164ba36393b296ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 02c094a06605d..50deb4ce767ee 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0; /* 0:Gen1 1:Gen2 2:Gen3*/
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+ table->VRConfig = 0;
+
+--
+2.51.0
+
diff --git a/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340 b/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340
new file mode 100644
index 0000000000..9e6dddc3dd
--- /dev/null
+++ b/queue-5.15/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340
@@ -0,0 +1,39 @@
+From 54e8855f0a867a8a2a9d95541864717dfa738901 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 03df35dee8ba8..6ddf9ce5471e8 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0;
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+
+ result = iceland_populate_smc_svi2_config(hwmgr, table);
+--
+2.51.0
+
diff --git a/queue-5.15/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-5.15/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644
index 0000000000..b48b5414e5
--- /dev/null
+++ b/queue-5.15/drm-etnaviv-fix-flush-sequence-logic.patch
@@ -0,0 +1,46 @@
+From fb506b6ba8aea2e8cf737fe6bf3e359275bb4ffe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso
+Signed-off-by: Lucas Stach
+Reviewed-by: Christian Gmeiner
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index 982174af74b1e..7d897aafb2a6a 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -346,7 +346,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+ u32 link_target, link_dwords;
+ bool switch_context = gpu->exec_state != exec_state;
+ bool switch_mmu_context = gpu->mmu_context != mmu_context;
+- unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++ unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+ bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+ bool has_blt = !!(gpu->identity.minor_features5 &
+ chipMinorFeatures5_BLT_ENGINE);
+--
+2.51.0
+
diff --git a/queue-5.15/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-5.15/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644
index 0000000000..84078223af
--- /dev/null
+++ b/queue-5.15/drm-msm-a6xx-fix-gmu-firmware-parser.patch
@@ -0,0 +1,51 @@
+From bf1c62ce677c941a7734e9246ef5cdc6f2915fb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen
+Acked-by: Konrad Dybcio
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index 9215322fc915d..8fa2b9e051002 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -685,6 +685,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+ return true;
+ }
+
++#define NEXT_BLK(blk) \
++ ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+ struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -715,7 +718,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+
+ for (blk = (const struct block_header *) fw_image->data;
+ (const u8*) blk < fw_image->data + fw_image->size;
+- blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++ blk = NEXT_BLK(blk)) {
+ if (blk->size == 0)
+ continue;
+
+--
+2.51.0
+
diff --git a/queue-5.15/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-5.15/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644
index 0000000000..d5961dc8b9
--- /dev/null
+++ b/queue-5.15/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
@@ -0,0 +1,44 @@
+From 28351691098576795979ab46c2a454864b926b42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+ [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko
+Reviewed-by: Naveen N Rao (AMD)
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index 20fe06d0acd98..950ce502d655c 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -176,7 +176,7 @@
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+
+ #elif defined(bpf_target_sparc)
+--
+2.51.0
+
diff --git a/queue-5.15/libbpf-normalize-pt_regs_xxx-macro-definitions.patch b/queue-5.15/libbpf-normalize-pt_regs_xxx-macro-definitions.patch
new file mode 100644
index 0000000000..c24405c149
--- /dev/null
+++ b/queue-5.15/libbpf-normalize-pt_regs_xxx-macro-definitions.patch
@@ -0,0 +1,476 @@ +From d679b95488653c60604ac524bf85d47d560071ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 13:39:23 -0800 +Subject: libbpf: Normalize PT_REGS_xxx() macro definitions + +From: Andrii Nakryiko + +[ Upstream commit 3cc31d794097a0de5ac619d4a20b1975139e6b05 ] + +Refactor PT_REGS macros definitions in bpf_tracing.h to avoid excessive +duplication. We currently have classic PT_REGS_xxx() and CO-RE-enabled +PT_REGS_xxx_CORE(). We are about to add also _SYSCALL variants, which +would require excessive copying of all the per-architecture definitions. + +Instead, separate architecture-specific field/register names from the +final macro that utilize them. That way for upcoming _SYSCALL variants +we'll be able to just define x86_64 exception and otherwise have one +common set of _SYSCALL macro definitions common for all architectures. + +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Tested-by: Ilya Leoshkevich +Acked-by: Yonghong Song +Acked-by: Ilya Leoshkevich +Link: https://lore.kernel.org/bpf/20211222213924.1869758-1-andrii@kernel.org +Stable-dep-of: 7221b9caf84b ("libbpf: Fix powerpc's stack register definition in bpf_tracing.h") +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf_tracing.h | 377 +++++++++++++++--------------------- + 1 file changed, 152 insertions(+), 225 deletions(-) + +diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h +index db05a59371056..20fe06d0acd98 100644 +--- a/tools/lib/bpf/bpf_tracing.h ++++ b/tools/lib/bpf/bpf_tracing.h +@@ -66,277 +66,204 @@ + + #if defined(__KERNEL__) || defined(__VMLINUX_H__) + +-#define PT_REGS_PARM1(x) ((x)->di) +-#define PT_REGS_PARM2(x) ((x)->si) +-#define PT_REGS_PARM3(x) ((x)->dx) +-#define PT_REGS_PARM4(x) ((x)->cx) +-#define PT_REGS_PARM5(x) ((x)->r8) +-#define PT_REGS_RET(x) ((x)->sp) +-#define PT_REGS_FP(x) ((x)->bp) +-#define PT_REGS_RC(x) ((x)->ax) +-#define PT_REGS_SP(x) ((x)->sp) +-#define PT_REGS_IP(x) ((x)->ip) +- +-#define 
PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), di) +-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), si) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), dx) +-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), cx) +-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), r8) +-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), sp) +-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), bp) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), ax) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), sp) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), ip) ++#define __PT_PARM1_REG di ++#define __PT_PARM2_REG si ++#define __PT_PARM3_REG dx ++#define __PT_PARM4_REG cx ++#define __PT_PARM5_REG r8 ++#define __PT_RET_REG sp ++#define __PT_FP_REG bp ++#define __PT_RC_REG ax ++#define __PT_SP_REG sp ++#define __PT_IP_REG ip + + #else + + #ifdef __i386__ +-/* i386 kernel is built with -mregparm=3 */ +-#define PT_REGS_PARM1(x) ((x)->eax) +-#define PT_REGS_PARM2(x) ((x)->edx) +-#define PT_REGS_PARM3(x) ((x)->ecx) +-#define PT_REGS_PARM4(x) 0 +-#define PT_REGS_PARM5(x) 0 +-#define PT_REGS_RET(x) ((x)->esp) +-#define PT_REGS_FP(x) ((x)->ebp) +-#define PT_REGS_RC(x) ((x)->eax) +-#define PT_REGS_SP(x) ((x)->esp) +-#define PT_REGS_IP(x) ((x)->eip) +- +-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), eax) +-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), edx) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), ecx) +-#define PT_REGS_PARM4_CORE(x) 0 +-#define PT_REGS_PARM5_CORE(x) 0 +-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), esp) +-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), ebp) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), eax) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), esp) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), eip) +- +-#else + +-#define PT_REGS_PARM1(x) ((x)->rdi) +-#define PT_REGS_PARM2(x) ((x)->rsi) +-#define PT_REGS_PARM3(x) ((x)->rdx) +-#define PT_REGS_PARM4(x) ((x)->rcx) +-#define PT_REGS_PARM5(x) ((x)->r8) +-#define PT_REGS_RET(x) ((x)->rsp) +-#define PT_REGS_FP(x) ((x)->rbp) 
+-#define PT_REGS_RC(x) ((x)->rax) +-#define PT_REGS_SP(x) ((x)->rsp) +-#define PT_REGS_IP(x) ((x)->rip) +- +-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), rdi) +-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), rsi) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), rdx) +-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), rcx) +-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), r8) +-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), rsp) +-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), rbp) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), rax) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), rsp) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), rip) +- +-#endif +-#endif ++#define __PT_PARM1_REG eax ++#define __PT_PARM2_REG edx ++#define __PT_PARM3_REG ecx ++/* i386 kernel is built with -mregparm=3 */ ++#define __PT_PARM4_REG __unsupported__ ++#define __PT_PARM5_REG __unsupported__ ++#define __PT_RET_REG esp ++#define __PT_FP_REG ebp ++#define __PT_RC_REG eax ++#define __PT_SP_REG esp ++#define __PT_IP_REG eip ++ ++#else /* __i386__ */ ++ ++#define __PT_PARM1_REG rdi ++#define __PT_PARM2_REG rsi ++#define __PT_PARM3_REG rdx ++#define __PT_PARM4_REG rcx ++#define __PT_PARM5_REG r8 ++#define __PT_RET_REG rsp ++#define __PT_FP_REG rbp ++#define __PT_RC_REG rax ++#define __PT_SP_REG rsp ++#define __PT_IP_REG rip ++ ++#endif /* __i386__ */ ++ ++#endif /* __KERNEL__ || __VMLINUX_H__ */ + + #elif defined(bpf_target_s390) + + /* s390 provides user_pt_regs instead of struct pt_regs to userspace */ +-struct pt_regs; +-#define PT_REGS_S390 const volatile user_pt_regs +-#define PT_REGS_PARM1(x) (((PT_REGS_S390 *)(x))->gprs[2]) +-#define PT_REGS_PARM2(x) (((PT_REGS_S390 *)(x))->gprs[3]) +-#define PT_REGS_PARM3(x) (((PT_REGS_S390 *)(x))->gprs[4]) +-#define PT_REGS_PARM4(x) (((PT_REGS_S390 *)(x))->gprs[5]) +-#define PT_REGS_PARM5(x) (((PT_REGS_S390 *)(x))->gprs[6]) +-#define PT_REGS_RET(x) (((PT_REGS_S390 *)(x))->gprs[14]) +-/* Works only with CONFIG_FRAME_POINTER */ +-#define 
PT_REGS_FP(x) (((PT_REGS_S390 *)(x))->gprs[11]) +-#define PT_REGS_RC(x) (((PT_REGS_S390 *)(x))->gprs[2]) +-#define PT_REGS_SP(x) (((PT_REGS_S390 *)(x))->gprs[15]) +-#define PT_REGS_IP(x) (((PT_REGS_S390 *)(x))->psw.addr) +- +-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[2]) +-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[3]) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[4]) +-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[5]) +-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[6]) +-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[14]) +-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[11]) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[2]) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), gprs[15]) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((PT_REGS_S390 *)(x), psw.addr) ++#define __PT_REGS_CAST(x) ((const user_pt_regs *)(x)) ++#define __PT_PARM1_REG gprs[2] ++#define __PT_PARM2_REG gprs[3] ++#define __PT_PARM3_REG gprs[4] ++#define __PT_PARM4_REG gprs[5] ++#define __PT_PARM5_REG gprs[6] ++#define __PT_RET_REG grps[14] ++#define __PT_FP_REG gprs[11] /* Works only with CONFIG_FRAME_POINTER */ ++#define __PT_RC_REG gprs[2] ++#define __PT_SP_REG gprs[15] ++#define __PT_IP_REG psw.addr + + #elif defined(bpf_target_arm) + +-#define PT_REGS_PARM1(x) ((x)->uregs[0]) +-#define PT_REGS_PARM2(x) ((x)->uregs[1]) +-#define PT_REGS_PARM3(x) ((x)->uregs[2]) +-#define PT_REGS_PARM4(x) ((x)->uregs[3]) +-#define PT_REGS_PARM5(x) ((x)->uregs[4]) +-#define PT_REGS_RET(x) ((x)->uregs[14]) +-#define PT_REGS_FP(x) ((x)->uregs[11]) /* Works only with CONFIG_FRAME_POINTER */ +-#define PT_REGS_RC(x) ((x)->uregs[0]) +-#define PT_REGS_SP(x) ((x)->uregs[13]) +-#define PT_REGS_IP(x) ((x)->uregs[12]) +- +-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), uregs[0]) +-#define PT_REGS_PARM2_CORE(x) 
BPF_CORE_READ((x), uregs[1]) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), uregs[2]) +-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), uregs[3]) +-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), uregs[4]) +-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), uregs[14]) +-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), uregs[11]) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), uregs[0]) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), uregs[13]) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), uregs[12]) ++#define __PT_PARM1_REG uregs[0] ++#define __PT_PARM2_REG uregs[1] ++#define __PT_PARM3_REG uregs[2] ++#define __PT_PARM4_REG uregs[3] ++#define __PT_PARM5_REG uregs[4] ++#define __PT_RET_REG uregs[14] ++#define __PT_FP_REG uregs[11] /* Works only with CONFIG_FRAME_POINTER */ ++#define __PT_RC_REG uregs[0] ++#define __PT_SP_REG uregs[13] ++#define __PT_IP_REG uregs[12] + + #elif defined(bpf_target_arm64) + + /* arm64 provides struct user_pt_regs instead of struct pt_regs to userspace */ +-struct pt_regs; +-#define PT_REGS_ARM64 const volatile struct user_pt_regs +-#define PT_REGS_PARM1(x) (((PT_REGS_ARM64 *)(x))->regs[0]) +-#define PT_REGS_PARM2(x) (((PT_REGS_ARM64 *)(x))->regs[1]) +-#define PT_REGS_PARM3(x) (((PT_REGS_ARM64 *)(x))->regs[2]) +-#define PT_REGS_PARM4(x) (((PT_REGS_ARM64 *)(x))->regs[3]) +-#define PT_REGS_PARM5(x) (((PT_REGS_ARM64 *)(x))->regs[4]) +-#define PT_REGS_RET(x) (((PT_REGS_ARM64 *)(x))->regs[30]) +-/* Works only with CONFIG_FRAME_POINTER */ +-#define PT_REGS_FP(x) (((PT_REGS_ARM64 *)(x))->regs[29]) +-#define PT_REGS_RC(x) (((PT_REGS_ARM64 *)(x))->regs[0]) +-#define PT_REGS_SP(x) (((PT_REGS_ARM64 *)(x))->sp) +-#define PT_REGS_IP(x) (((PT_REGS_ARM64 *)(x))->pc) +- +-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[0]) +-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[1]) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[2]) +-#define PT_REGS_PARM4_CORE(x) 
BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[3]) +-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[4]) +-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[30]) +-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[29]) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[0]) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), sp) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), pc) ++#define __PT_REGS_CAST(x) ((const struct user_pt_regs *)(x)) ++#define __PT_PARM1_REG regs[0] ++#define __PT_PARM2_REG regs[1] ++#define __PT_PARM3_REG regs[2] ++#define __PT_PARM4_REG regs[3] ++#define __PT_PARM5_REG regs[4] ++#define __PT_RET_REG regs[30] ++#define __PT_FP_REG regs[29] /* Works only with CONFIG_FRAME_POINTER */ ++#define __PT_RC_REG regs[0] ++#define __PT_SP_REG sp ++#define __PT_IP_REG pc + + #elif defined(bpf_target_mips) + +-#define PT_REGS_PARM1(x) ((x)->regs[4]) +-#define PT_REGS_PARM2(x) ((x)->regs[5]) +-#define PT_REGS_PARM3(x) ((x)->regs[6]) +-#define PT_REGS_PARM4(x) ((x)->regs[7]) +-#define PT_REGS_PARM5(x) ((x)->regs[8]) +-#define PT_REGS_RET(x) ((x)->regs[31]) +-#define PT_REGS_FP(x) ((x)->regs[30]) /* Works only with CONFIG_FRAME_POINTER */ +-#define PT_REGS_RC(x) ((x)->regs[2]) +-#define PT_REGS_SP(x) ((x)->regs[29]) +-#define PT_REGS_IP(x) ((x)->cp0_epc) +- +-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), regs[4]) +-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), regs[5]) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), regs[6]) +-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), regs[7]) +-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), regs[8]) +-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), regs[31]) +-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((x), regs[30]) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), regs[2]) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), regs[29]) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), cp0_epc) ++#define 
__PT_PARM1_REG regs[4] ++#define __PT_PARM2_REG regs[5] ++#define __PT_PARM3_REG regs[6] ++#define __PT_PARM4_REG regs[7] ++#define __PT_PARM5_REG regs[8] ++#define __PT_RET_REG regs[31] ++#define __PT_FP_REG regs[30] /* Works only with CONFIG_FRAME_POINTER */ ++#define __PT_RC_REG regs[2] ++#define __PT_SP_REG regs[29] ++#define __PT_IP_REG cp0_epc + + #elif defined(bpf_target_powerpc) + +-#define PT_REGS_PARM1(x) ((x)->gpr[3]) +-#define PT_REGS_PARM2(x) ((x)->gpr[4]) +-#define PT_REGS_PARM3(x) ((x)->gpr[5]) +-#define PT_REGS_PARM4(x) ((x)->gpr[6]) +-#define PT_REGS_PARM5(x) ((x)->gpr[7]) +-#define PT_REGS_RC(x) ((x)->gpr[3]) +-#define PT_REGS_SP(x) ((x)->sp) +-#define PT_REGS_IP(x) ((x)->nip) +- +-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), gpr[3]) +-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), gpr[4]) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), gpr[5]) +-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), gpr[6]) +-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), gpr[7]) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), gpr[3]) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), sp) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), nip) ++#define __PT_PARM1_REG gpr[3] ++#define __PT_PARM2_REG gpr[4] ++#define __PT_PARM3_REG gpr[5] ++#define __PT_PARM4_REG gpr[6] ++#define __PT_PARM5_REG gpr[7] ++#define __PT_RET_REG regs[31] ++#define __PT_FP_REG __unsupported__ ++#define __PT_RC_REG gpr[3] ++#define __PT_SP_REG sp ++#define __PT_IP_REG nip + + #elif defined(bpf_target_sparc) + +-#define PT_REGS_PARM1(x) ((x)->u_regs[UREG_I0]) +-#define PT_REGS_PARM2(x) ((x)->u_regs[UREG_I1]) +-#define PT_REGS_PARM3(x) ((x)->u_regs[UREG_I2]) +-#define PT_REGS_PARM4(x) ((x)->u_regs[UREG_I3]) +-#define PT_REGS_PARM5(x) ((x)->u_regs[UREG_I4]) +-#define PT_REGS_RET(x) ((x)->u_regs[UREG_I7]) +-#define PT_REGS_RC(x) ((x)->u_regs[UREG_I0]) +-#define PT_REGS_SP(x) ((x)->u_regs[UREG_FP]) +- +-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I0]) +-#define 
PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I1]) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I2]) +-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I3]) +-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I4]) +-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I7]) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((x), u_regs[UREG_I0]) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((x), u_regs[UREG_FP]) +- ++#define __PT_PARM1_REG u_regs[UREG_I0] ++#define __PT_PARM2_REG u_regs[UREG_I1] ++#define __PT_PARM3_REG u_regs[UREG_I2] ++#define __PT_PARM4_REG u_regs[UREG_I3] ++#define __PT_PARM5_REG u_regs[UREG_I4] ++#define __PT_RET_REG u_regs[UREG_I7] ++#define __PT_FP_REG __unsupported__ ++#define __PT_RC_REG u_regs[UREG_I0] ++#define __PT_SP_REG u_regs[UREG_FP] + /* Should this also be a bpf_target check for the sparc case? */ + #if defined(__arch64__) +-#define PT_REGS_IP(x) ((x)->tpc) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), tpc) ++#define __PT_IP_REG tpc + #else +-#define PT_REGS_IP(x) ((x)->pc) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), pc) ++#define __PT_IP_REG pc + #endif + + #elif defined(bpf_target_riscv) + ++#define __PT_REGS_CAST(x) ((const struct user_regs_struct *)(x)) ++#define __PT_PARM1_REG a0 ++#define __PT_PARM2_REG a1 ++#define __PT_PARM3_REG a2 ++#define __PT_PARM4_REG a3 ++#define __PT_PARM5_REG a4 ++#define __PT_RET_REG ra ++#define __PT_FP_REG fp ++#define __PT_RC_REG a5 ++#define __PT_SP_REG sp ++#define __PT_IP_REG epc ++ ++#endif ++ ++#if defined(bpf_target_defined) ++ + struct pt_regs; +-#define PT_REGS_RV const volatile struct user_regs_struct +-#define PT_REGS_PARM1(x) (((PT_REGS_RV *)(x))->a0) +-#define PT_REGS_PARM2(x) (((PT_REGS_RV *)(x))->a1) +-#define PT_REGS_PARM3(x) (((PT_REGS_RV *)(x))->a2) +-#define PT_REGS_PARM4(x) (((PT_REGS_RV *)(x))->a3) +-#define PT_REGS_PARM5(x) (((PT_REGS_RV *)(x))->a4) +-#define PT_REGS_RET(x) (((PT_REGS_RV *)(x))->ra) +-#define PT_REGS_FP(x) 
(((PT_REGS_RV *)(x))->s5) +-#define PT_REGS_RC(x) (((PT_REGS_RV *)(x))->a5) +-#define PT_REGS_SP(x) (((PT_REGS_RV *)(x))->sp) +-#define PT_REGS_IP(x) (((PT_REGS_RV *)(x))->epc) +- +-#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a0) +-#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a1) +-#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a2) +-#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a3) +-#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a4) +-#define PT_REGS_RET_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), ra) +-#define PT_REGS_FP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), fp) +-#define PT_REGS_RC_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a5) +-#define PT_REGS_SP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), sp) +-#define PT_REGS_IP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), epc) + ++/* allow some architecutres to override `struct pt_regs` */ ++#ifndef __PT_REGS_CAST ++#define __PT_REGS_CAST(x) (x) + #endif + ++#define PT_REGS_PARM1(x) (__PT_REGS_CAST(x)->__PT_PARM1_REG) ++#define PT_REGS_PARM2(x) (__PT_REGS_CAST(x)->__PT_PARM2_REG) ++#define PT_REGS_PARM3(x) (__PT_REGS_CAST(x)->__PT_PARM3_REG) ++#define PT_REGS_PARM4(x) (__PT_REGS_CAST(x)->__PT_PARM4_REG) ++#define PT_REGS_PARM5(x) (__PT_REGS_CAST(x)->__PT_PARM5_REG) ++#define PT_REGS_RET(x) (__PT_REGS_CAST(x)->__PT_RET_REG) ++#define PT_REGS_FP(x) (__PT_REGS_CAST(x)->__PT_FP_REG) ++#define PT_REGS_RC(x) (__PT_REGS_CAST(x)->__PT_RC_REG) ++#define PT_REGS_SP(x) (__PT_REGS_CAST(x)->__PT_SP_REG) ++#define PT_REGS_IP(x) (__PT_REGS_CAST(x)->__PT_IP_REG) ++ ++#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM1_REG) ++#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM2_REG) ++#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM3_REG) ++#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM4_REG) ++#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_PARM5_REG) 
++#define PT_REGS_RET_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_RET_REG) ++#define PT_REGS_FP_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_FP_REG) ++#define PT_REGS_RC_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_RC_REG) ++#define PT_REGS_SP_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_SP_REG) ++#define PT_REGS_IP_CORE(x) BPF_CORE_READ(__PT_REGS_CAST(x), __PT_IP_REG) ++ + #if defined(bpf_target_powerpc) ++ + #define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ (ip) = (ctx)->link; }) + #define BPF_KRETPROBE_READ_RET_IP BPF_KPROBE_READ_RET_IP ++ + #elif defined(bpf_target_sparc) ++ + #define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ (ip) = PT_REGS_RET(ctx); }) + #define BPF_KRETPROBE_READ_RET_IP BPF_KPROBE_READ_RET_IP +-#elif defined(bpf_target_defined) ++ ++#else ++ + #define BPF_KPROBE_READ_RET_IP(ip, ctx) \ + ({ bpf_probe_read_kernel(&(ip), sizeof(ip), (void *)PT_REGS_RET(ctx)); }) + #define BPF_KRETPROBE_READ_RET_IP(ip, ctx) \ +- ({ bpf_probe_read_kernel(&(ip), sizeof(ip), \ +- (void *)(PT_REGS_FP(ctx) + sizeof(ip))); }) ++ ({ bpf_probe_read_kernel(&(ip), sizeof(ip), (void *)(PT_REGS_FP(ctx) + sizeof(ip))); }) ++ + #endif + +-#if !defined(bpf_target_defined) ++#else /* defined(bpf_target_defined) */ + + #define PT_REGS_PARM1(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; }) + #define PT_REGS_PARM2(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; }) +@@ -363,7 +290,7 @@ struct pt_regs; + #define BPF_KPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; }) + #define BPF_KRETPROBE_READ_RET_IP(ip, ctx) ({ _Pragma(__BPF_TARGET_MISSING); 0l; }) + +-#endif /* !defined(bpf_target_defined) */ ++#endif /* defined(bpf_target_defined) */ + + #ifndef ___bpf_concat + #define ___bpf_concat(a, b) a ## b +-- +2.51.0 + diff --git a/queue-5.15/net-hns3-return-error-code-when-function-fails.patch b/queue-5.15/net-hns3-return-error-code-when-function-fails.patch new file mode 100644 index 0000000000..de8ead42cc --- /dev/null +++ b/queue-5.15/net-hns3-return-error-code-when-function-fails.patch 
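Review bot: In the s390 block, `#define __PT_RET_REG grps[14]` misspells the member: every other s390 register in this hunk, and the removed `PT_REGS_RET(x)` it replaces, use `gprs[...]`. PT_REGS_RET(), PT_REGS_RET_CORE() and the default BPF_KPROBE_READ_RET_IP() that expands PT_REGS_RET() would therefore stop compiling for s390 targets; the line should read `#define __PT_RET_REG gprs[14]`. Two behaviour changes also ride along in what is described as a refactor: the s390, arm64 and riscv casts drop `volatile` (`const volatile user_pt_regs` becomes `const user_pt_regs`), and i386 PARM4/PARM5 change from the constant `0` to `__unsupported__`, which turns a silent zero into a build error. Since this patch is queued only as a dependency, it is worth checking whether upstream carries follow-up corrections and queuing them with it.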
@@ -0,0 +1,87 @@
+From 4df27f60b2ab223459b2bf856144f518f59bce22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 21:13:37 +0800
+Subject: net: hns3: return error code when function fails
+
+From: Jijie Shao
+
+[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ]
+
+Currently, in hclge_mii_ioctl(), the operation to
+read the PHY register (SIOCGMIIREG) always returns 0.
+
+This patch changes the return type of hclge_read_phy_reg(),
+returning an error code when the function fails.
+
+Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs")
+Signed-off-by: Jijie Shao
+Reviewed-by: Alexander Lobakin
+Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index d228e37f8b3d9..492a754f84a94 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9562,8 +9562,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd)
+ /* this command reads phy id and register at the same time */
+ fallthrough;
+ case SIOCGMIIREG:
+- data->val_out = hclge_read_phy_reg(hdev, data->reg_num);
+- return 0;
++ return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out);
+
+ case SIOCSMIIREG:
+ return hclge_write_phy_reg(hdev, data->reg_num, data->val_in);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 63d2be4349e3e..87a196256864f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -271,7 +271,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev)
+ phy_stop(phydev);
+ }
+
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val)
+ {
+ struct hclge_phy_reg_cmd *req;
+ struct hclge_desc desc;
+@@ -283,11 +283,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
+ req->reg_addr = cpu_to_le16(reg_addr);
+
+ ret = hclge_cmd_send(&hdev->hw, &desc, 1);
+- if (ret)
++ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "failed to read phy reg, ret = %d.\n", ret);
++ return ret;
++ }
+
+- return le16_to_cpu(req->reg_val);
++ *val = le16_to_cpu(req->reg_val);
++ return 0;
+ }
+
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+index fd0e20190b90f..baeee805a9510 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+@@ -9,7 +9,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle);
+ void hclge_mac_disconnect_phy(struct hnae3_handle *handle);
+ void hclge_mac_start_phy(struct hclge_dev *hdev);
+ void hclge_mac_stop_phy(struct hclge_dev *hdev);
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr);
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val);
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val);
+
+ #endif
+--
+2.51.0
+
diff --git a/queue-5.15/riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch b/queue-5.15/riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch
new file mode 100644
index 0000000000..1c9523fe2d
--- /dev/null
+++ b/queue-5.15/riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch
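Review bot: hclge_read_phy_reg() now has an out-parameter whose contract is not written down anywhere: `*val` is assigned only after hclge_cmd_send() succeeds and is left untouched on the error return. In hclge_mii_ioctl() that is fine, because the error is returned to the caller and `data->val_out` is not consumed, but the function is declared in hclge_mdio.h for the rest of the driver, and a caller that ignored the return value would read an unset u16. I would add a short comment above the definition, `/* On failure *val is not written; callers must check the return value. */`. The function body begins outside the hunks shown, so the full set of callers cannot be confirmed from here.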
@@ -0,0 +1,83 @@
+From 017aa0830867825c5f459829d1126d1f797b7e60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Oct 2021 18:10:56 +0200
+Subject: riscv, libbpf: Add RISC-V (RV64) support to bpf_tracing.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel
+
+[ Upstream commit 589fed479ba1e93f94d9772aa6162cd81f7e491c ]
+
+Add macros for 64-bit RISC-V PT_REGS to bpf_tracing.h.
+
+Signed-off-by: Björn Töpel
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20211028161057.520552-4-bjorn@kernel.org
+Stable-dep-of: 7221b9caf84b ("libbpf: Fix powerpc's stack register definition in bpf_tracing.h")
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/bpf_tracing.h | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index d6bfbe009296c..db05a59371056 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -24,6 +24,9 @@
+ #elif defined(__TARGET_ARCH_sparc)
+ #define bpf_target_sparc
+ #define bpf_target_defined
++#elif defined(__TARGET_ARCH_riscv)
++ #define bpf_target_riscv
++ #define bpf_target_defined
+ #else
+
+ /* Fall back to what the compiler says */
+@@ -48,6 +51,9 @@
+ #elif defined(__sparc__)
+ #define bpf_target_sparc
+ #define bpf_target_defined
++#elif defined(__riscv) && __riscv_xlen == 64
++ #define bpf_target_riscv
++ #define bpf_target_defined
+ #endif /* no compiler target */
+
+ #endif
+@@ -288,6 +294,32 @@ struct pt_regs;
+ #define PT_REGS_IP_CORE(x) BPF_CORE_READ((x), pc)
+ #endif
+
++#elif defined(bpf_target_riscv)
++
++struct pt_regs;
++#define PT_REGS_RV const volatile struct user_regs_struct
++#define PT_REGS_PARM1(x) (((PT_REGS_RV *)(x))->a0)
++#define PT_REGS_PARM2(x) (((PT_REGS_RV *)(x))->a1)
++#define PT_REGS_PARM3(x) (((PT_REGS_RV *)(x))->a2)
++#define PT_REGS_PARM4(x) (((PT_REGS_RV *)(x))->a3)
++#define PT_REGS_PARM5(x) (((PT_REGS_RV *)(x))->a4)
++#define PT_REGS_RET(x) (((PT_REGS_RV *)(x))->ra)
++#define PT_REGS_FP(x) (((PT_REGS_RV *)(x))->s5)
++#define PT_REGS_RC(x) (((PT_REGS_RV *)(x))->a5)
++#define PT_REGS_SP(x) (((PT_REGS_RV *)(x))->sp)
++#define PT_REGS_IP(x) (((PT_REGS_RV *)(x))->epc)
++
++#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a0)
++#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a1)
++#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a2)
++#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a3)
++#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a4)
++#define PT_REGS_RET_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), ra)
++#define PT_REGS_FP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), fp)
++#define PT_REGS_RC_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), a5)
++#define PT_REGS_SP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), sp)
++#define PT_REGS_IP_CORE(x) BPF_CORE_READ((PT_REGS_RV *)(x), epc)
++
+ #endif
+
+ #if defined(bpf_target_powerpc)
+--
+2.51.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index d8d7af2699..8bc5df377c 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
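Review bot: The two RISC-V frame-pointer macros disagree: `PT_REGS_FP(x)` reads `->s5` while `PT_REGS_FP_CORE(x)` reads `fp`, so the direct and CO-RE forms name different registers for the same thing. The RISC-V frame pointer is s0 (x8), so I would expect both to use it, e.g. `#define PT_REGS_FP(x) (((PT_REGS_RV *)(x))->s0)`, after confirming the member name against `struct user_regs_struct`. `PT_REGS_RC` and `PT_REGS_RC_CORE` both use `a5`, whereas the RISC-V calling convention returns values in a0; that looks like a second slip. Tracing or detection programs built on these macros would read the wrong frame pointer and return code on riscv. The queued normalize patch later collapses both FP forms onto `fp` but keeps `a5`.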
@@ -13,3 +13,17 @@ fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
 fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
 mptcp-restore-window-probe.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+bpf-do-not-audit-capability-check-in-do_jit.patch
+riscv-libbpf-add-risc-v-rv64-support-to-bpf_tracing..patch
+libbpf-normalize-pt_regs_xxx-macro-definitions.patch
+libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
+usbnet-prevents-free-active-kevent.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+net-hns3-return-error-code-when-function-fails.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-3340
diff --git a/queue-5.15/usbnet-prevents-free-active-kevent.patch b/queue-5.15/usbnet-prevents-free-active-kevent.patch
new file mode 100644
index 0000000000..509a24d7d6
--- /dev/null
+++ b/queue-5.15/usbnet-prevents-free-active-kevent.patch
@@ -0,0 +1,50 @@
+From 554e84731d4ae7eeeff7ae4c6c2c15a3dc9b52ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 21f5fdbce0747..aceec2381e802 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1648,6 +1648,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+ net = dev->net;
+ unregister_netdev (net);
+
++ cancel_work_sync(&dev->kevent);
++
+ while ((urb = usb_get_from_anchor(&dev->deferred))) {
+ dev_kfree_skb(urb->context);
+ kfree(urb->sg);
+--
+2.51.0
+
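Review bot: The added `cancel_work_sync(&dev->kevent)` carries no comment saying why it is needed at this point, and the reason is not visible from usbnet_disconnect() itself. Per the commit message, kevent can be queued during probe, and ndo_stop(), which would normally cancel it, is skipped when the interface never came up, so free_netdev() would otherwise release an object with work still pending. I would put that on the line: `/* kevent may still be queued if the device was never opened; ndo_stop() did not run to cancel it */`. It is also worth confirming that nothing still active between this call and free_netdev() can queue kevent again; the rest of the function lies outside the hunk.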
diff --git a/queue-5.15/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-5.15/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644
index 0000000000..110ac646f2
--- /dev/null
+++ b/queue-5.15/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
@@ -0,0 +1,41 @@
+From bee315ce17cec141d163a1a7831cc62a38afa3c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson
+Signed-off-by: Loic Poulain
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index 5817501b0c3fe..f07788092b269 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1935,6 +1935,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+ if (cmd_id == WMI_CMD_UNSUPPORTED) {
+ ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+ cmd_id);
++ dev_kfree_skb_any(skb);
+ return ret;
+ }
+
+--
+2.51.0
+
diff --git a/queue-5.4/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-5.4/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644
index 0000000000..92f05e1900
--- /dev/null
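Review bot: The skb ownership rule that this one-line fix relies on is stated only in the commit message, not at ath10k_wmi_cmd_send() itself. With `dev_kfree_skb_any(skb)` added to the WMI_CMD_UNSUPPORTED return, a caller that frees or touches the skb after an error return would double-free or use freed memory, so the contract should be visible where callers look: `/* Consumes skb on every path, including errors; callers must not free or reuse it. */`. The later error paths of the function are outside the hunk, so whether they all release the skb cannot be checked from here.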
+++ b/queue-5.4/drm-etnaviv-fix-flush-sequence-logic.patch 
@@ -0,0 +1,46 @@
+From 2522fad1e20ec3ae436ea9b88d4fbcc32c620d9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso
+Signed-off-by: Lucas Stach
+Reviewed-by: Christian Gmeiner
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index 194af3979679d..9991150c8201a 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -346,7 +346,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+ u32 link_target, link_dwords;
+ bool switch_context = gpu->exec_state != exec_state;
+ bool switch_mmu_context = gpu->mmu_context != mmu_context;
+- unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++ unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+ bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+ bool has_blt = !!(gpu->identity.minor_features5 &
+ chipMinorFeatures5_BLT_ENGINE);
+--
+2.51.0
+
diff --git a/queue-5.4/series b/queue-5.4/series
index a05b1820e1..f0de7bbc45 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -8,3 +8,6 @@ fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
 fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
 fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+usbnet-prevents-free-active-kevent.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
diff --git a/queue-5.4/usbnet-prevents-free-active-kevent.patch b/queue-5.4/usbnet-prevents-free-active-kevent.patch
new file mode 100644
index 0000000000..304c49d781
--- /dev/null
+++ b/queue-5.4/usbnet-prevents-free-active-kevent.patch
@@ -0,0 +1,50 @@
+From cc0b573714aa191dc0108979e14bac9bc7aa049f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 87c0bcfef4801..f0dd0d7b51dc1 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1615,6 +1615,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+ net = dev->net;
+ unregister_netdev (net);
+
++ cancel_work_sync(&dev->kevent);
++
+ while ((urb = usb_get_from_anchor(&dev->deferred))) {
+ dev_kfree_skb(urb->context);
+ kfree(urb->sg);
+--
+2.51.0
+
diff --git a/queue-5.4/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-5.4/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644
index 0000000000..0066266f20
--- /dev/null
+++ b/queue-5.4/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
@@ -0,0 +1,41 @@
+From 80dd07be050d53d6475fc3b167576bddf5cb3c88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson
+Signed-off-by: Loic Poulain
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index ed6316c41cb78..a445a192b30f3 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1894,6 +1894,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+ if (cmd_id == WMI_CMD_UNSUPPORTED) {
+ ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+ cmd_id);
++ dev_kfree_skb_any(skb);
+ return ret;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.1/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-6.1/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644
index 0000000000..7fed170cf8
--- /dev/null
+++ b/queue-6.1/alsa-usb-audio-fix-control-pipe-direction.patch
@@ -0,0 +1,37 @@
+From 61123352f476245e5a275a7a1d61803b8d483d71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index fac4bbc6b2757..65bdda0841048 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+
+ pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+ pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+- ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++ ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+ SC1810C_SET_STATE_REQ,
+ SC1810C_SET_STATE_REQTYPE,
+ (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+--
+2.51.0
+
diff --git a/queue-6.1/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch b/queue-6.1/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
new file mode 100644
index 0000000000..c47f577c45
--- /dev/null
+++ b/queue-6.1/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
@@ -0,0 +1,46 @@
+From b9a150fb5409763c49d2049f2ae7e707725df3e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 14:45:37 +0800
+Subject: ASoC: fsl_sai: fix bit order for DSD format
+
+From: Shengjiu Wang
+
+[ Upstream commit d9fbe5b0bf7e2d1e20d53e4e2274f9f61bdcca98 ]
+
+The DSD little endian format requires the msb first, because oldest bit
+is in msb.
+found this issue by testing with pipewire.
+
+Fixes: c111c2ddb3fd ("ASoC: fsl_sai: Add PDM daifmt support")
+Signed-off-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251023064538.368850-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_sai.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index e622c8375a465..f5266be2bbc22 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -322,7 +322,6 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+ break;
+ case SND_SOC_DAIFMT_PDM:
+ val_cr2 |= FSL_SAI_CR2_BCP;
+- val_cr4 &= ~FSL_SAI_CR4_MF;
+ sai->is_pdm_mode = true;
+ break;
+ case SND_SOC_DAIFMT_RIGHT_J:
+@@ -597,7 +596,7 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+ val_cr5 |= FSL_SAI_CR5_WNW(slot_width);
+ val_cr5 |= FSL_SAI_CR5_W0W(slot_width);
+
+- if (sai->is_lsb_first || sai->is_pdm_mode)
++ if (sai->is_lsb_first)
+ val_cr5 |= FSL_SAI_CR5_FBT(0);
+ else
+ val_cr5 |= FSL_SAI_CR5_FBT(word_width - 1);
+--
+2.51.0
+
diff --git a/queue-6.1/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch b/queue-6.1/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
new file mode 100644
index 0000000000..96d4a7d660
--- /dev/null
+++ b/queue-6.1/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
@@ -0,0 +1,40 @@
+From d98e499a79a7b4ddb19e8b4a5f4b421f8fbc4af1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 11:23:46 +0200
+Subject: ASoC: Intel: avs: Unprepare a stream when XRUN occurs
+
+From: Cezary Rojewski
+
+[ Upstream commit cfca1637bc2b6b1e4f191d2f0b25f12402fbbb26 ]
+
+The pcm->prepare() function may be called multiple times in a row by the
+userspace, as mentioned in the documentation. The driver shall take that
+into account and prevent redundancy. However, the exact same function is
+called during XRUNs and in such case, the particular stream shall be
+reset and setup anew.
+
+Fixes: 9114700b496c ("ASoC: Intel: avs: Generic PCM FE operations")
+Signed-off-by: Cezary Rojewski
+Link: https://patch.msgid.link/20251023092348.3119313-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/intel/avs/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 07428b5755b8a..9d3c0ea99a298 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -556,6 +556,8 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so
+ data = snd_soc_dai_get_dma_data(dai, substream);
+ host_stream = data->host_stream;
+
++ if (runtime->state == SNDRV_PCM_STATE_XRUN)
++ hdac_stream(host_stream)->prepared = false;
+ if (hdac_stream(host_stream)->prepared)
+ return 0;
+
+--
+2.51.0
+
diff --git a/queue-6.1/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch b/queue-6.1/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
new file mode 100644
index 0000000000..bd3e2348d6
--- /dev/null
+++ b/queue-6.1/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
@@ -0,0 +1,61 @@
+From 9621c34542c8bdac219b6c7729a45f57b8e4713d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Sep 2025 13:39:33 +0800
+Subject: Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during
+ reset
+
+From: Chris Lu
+
+[ Upstream commit 77343b8b4f87560f8f03e77b98a81ff3a147b262 ]
+
+This patch adds logic to handle power management control when the
+Bluetooth function is closed during the SDIO reset sequence.
+
+Specifically, if BT is closed before reset, the driver enables the
+SDIO function and sets driver pmctrl. After reset, if BT remains
+closed, the driver sets firmware pmctrl and disables the SDIO function.
+
+These changes ensure proper power management and device state consistency
+across the reset flow.
+
+Fixes: 8fafe702253d ("Bluetooth: mt7921s: support bluetooth reset mechanism")
+Signed-off-by: Chris Lu
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btmtksdio.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
+index f9a3444753c2b..97659b4792e69 100644
+--- a/drivers/bluetooth/btmtksdio.c
++++ b/drivers/bluetooth/btmtksdio.c
+@@ -1257,6 +1257,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev)
+
+ sdio_claim_host(bdev->func);
+
++ /* set drv_pmctrl if BT is closed before doing reset */
++ if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++ sdio_enable_func(bdev->func);
++ btmtksdio_drv_pmctrl(bdev);
++ }
++
+ sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, NULL);
+ skb_queue_purge(&bdev->txq);
+ cancel_work_sync(&bdev->txrx_work);
+@@ -1272,6 +1278,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev)
+ goto err;
+ }
+
++ /* set fw_pmctrl back if BT is closed after doing reset */
++ if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++ btmtksdio_fw_pmctrl(bdev);
++ sdio_disable_func(bdev->func);
++ }
++
+ clear_bit(BTMTKSDIO_PATCH_ENABLED,
&bdev->tx_state);
+ err:
+ sdio_release_host(bdev->func);
+--
+2.51.0
+
diff --git a/queue-6.1/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch b/queue-6.1/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
new file mode 100644
index 0000000000..23cdc2140a
--- /dev/null
+++ b/queue-6.1/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
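Review bot: The first added block in btmtksdio_cmd_timeout() calls `sdio_enable_func(bdev->func);` and discards its result, so `btmtksdio_drv_pmctrl(bdev)` and the `sdio_writel()` that follows still run when the SDIO function could not be enabled. I would check the return value and leave through the existing `err:` label, for example `if (sdio_enable_func(bdev->func)) goto err;`. The second added block then calls `sdio_disable_func()` on the same condition, so a failed enable should not reach it either. The function starts and ends outside the hunk, so the state `err:` leaves the device in for this new failure case needs to be confirmed against the full file.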
@@ -0,0 +1,78 @@
+From b3dfef70b5fd19d7e3eed94631e40bfd77ed3fb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Oct 2025 10:55:58 -0400
+Subject: Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 0d92808024b4e9868cef68d16f121d509843e80e ]
+
+This fixes the state tracking of advertisement set/instance 0x00 which
+is considered a legacy instance and is not tracked individually by
+adv_instances list, previously it was assumed that hci_dev itself would
+track it via HCI_LE_ADV but that is a global state not specifc to
+instance 0x00, so to fix it a new flag is introduced that only tracks the
+state of instance 0x00.
+
+Fixes: 1488af7b8b5f ("Bluetooth: hci_sync: Fix hci_resume_advertising_sync")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_event.c | 4 ++++
+ net/bluetooth/hci_sync.c | 5 ++---
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index 09bc4bf805c62..1a20fb1fa157b 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -372,6 +372,7 @@ enum {
+ HCI_USER_CHANNEL,
+ HCI_EXT_CONFIGURED,
+ HCI_LE_ADV,
++ HCI_LE_ADV_0,
+ HCI_LE_PER_ADV,
+ HCI_LE_SCAN,
+ HCI_SSP_ENABLED,
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index a0ce0a1e3258e..e1f1be4dfe97a 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1655,6 +1655,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+
+ if (adv)
+ adv->enabled = true;
++ else if (!set->handle)
++ hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+
+ conn = hci_lookup_le_connect(hdev);
+ if (conn)
+@@ -1665,6 +1667,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+ if (cp->num_of_sets) {
+ if (adv)
+ adv->enabled = false;
++ else if (!set->handle)
++ hci_dev_clear_flag(hdev,
HCI_LE_ADV_0);
+
+ /* If just one instance was disabled check if there are
+ * any other instance enabled before clearing HCI_LE_ADV
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 2937e7a37bcba..5ad09900f8ff1 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2607,9 +2607,8 @@ static int hci_resume_advertising_sync(struct hci_dev *hdev)
+ /* If current advertising instance is set to instance 0x00
+ * then we need to re-enable it.
+ */
+- if (!hdev->cur_adv_instance)
+- err = hci_enable_ext_advertising_sync(hdev,
+- hdev->cur_adv_instance);
++ if (hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0))
++ err = hci_enable_ext_advertising_sync(hdev, 0x00);
+ } else {
+ /* Schedule for most recent instance to be restarted and begin
+ * the software rotation loop
+--
+2.51.0
+
diff --git a/queue-6.1/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch b/queue-6.1/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
new file mode 100644
index 0000000000..b861e82f69
--- /dev/null
+++ b/queue-6.1/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
@@ -0,0 +1,55 @@
+From fcbbf7351930fac85c294f5a72dfa3bc17fbb55a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 05:30:17 +0000
+Subject: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
+
+From: Cen Zhang
+
+[ Upstream commit 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 ]
+
+hci_cmd_sync_dequeue_once() does lookup and then cancel
+the entry under two separate lock sections. Meanwhile,
+hci_cmd_sync_work() can also delete the same entry,
+leading to double list_del() and "UAF".
+
+Fix this by holding cmd_sync_work_lock across both
+lookup and cancel, so that the entry cannot be removed
+concurrently.
+
+Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue")
+Reported-by: Cen Zhang
+Signed-off-by: Cen Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_sync.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 851a43a5aee0c..2937e7a37bcba 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -838,11 +838,17 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
+ {
+ struct hci_cmd_sync_work_entry *entry;
+
+- entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+- if (!entry)
++ mutex_lock(&hdev->cmd_sync_work_lock);
++
++ entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
++ if (!entry) {
++ mutex_unlock(&hdev->cmd_sync_work_lock);
+ return false;
++ }
+
+- hci_cmd_sync_cancel_entry(hdev, entry);
++ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
++
++ mutex_unlock(&hdev->cmd_sync_work_lock);
+
+ return true;
+ }
+--
+2.51.0
+
diff --git a/queue-6.1/bluetooth-iso-add-support-for-periodic-adv-reports-p.patch b/queue-6.1/bluetooth-iso-add-support-for-periodic-adv-reports-p.patch
new file mode 100644
index 0000000000..1314891d6e
--- /dev/null
+++ b/queue-6.1/bluetooth-iso-add-support-for-periodic-adv-reports-p.patch
@@ -0,0 +1,164 @@
+From 523527970585126b68190c3a2c96023a317f08f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Jun 2023 12:59:28 +0300
+Subject: Bluetooth: ISO: Add support for periodic adv reports processing
+
+From: Claudia Draghicescu
+
+[ Upstream commit 9c0826310bfb784c9bac7d1d9454e304185446c5 ]
+
+In the case of a Periodic Synchronized Receiver,
+the PA report received from a Broadcaster contains the BASE,
+which has information about codec and other parameters of a BIG.
+This isnformation is stored and the application can retrieve it
+using getsockopt(BT_ISO_BASE).
+
+Signed-off-by: Claudia Draghicescu
+Signed-off-by: Luiz Augusto von Dentz
+Stable-dep-of: c403da5e98b0 ("Bluetooth: ISO: Fix another instance of dst_type handling")
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/hci.h | 11 +++++++++++
+ net/bluetooth/hci_event.c | 23 +++++++++++++++++++++++
+ net/bluetooth/iso.c | 28 +++++++++++++++++++++++++++-
+ 3 files changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index 1a20fb1fa157b..018fc64329fc6 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -2768,6 +2768,17 @@ struct hci_ev_le_enh_conn_complete {
+ __u8 clk_accurancy;
+ } __packed;
+
++#define HCI_EV_LE_PER_ADV_REPORT 0x0f
++struct hci_ev_le_per_adv_report {
++ __le16 sync_handle;
++ __u8 tx_power;
++ __u8 rssi;
++ __u8 cte_type;
++ __u8 data_status;
++ __u8 length;
++ __u8 data[];
++} __packed;
++
+ #define HCI_EV_LE_EXT_ADV_SET_TERM 0x12
+ struct hci_evt_le_ext_adv_set_term {
+ __u8 status;
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index e1f1be4dfe97a..e516b169b12fb 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6469,6 +6469,24 @@ static void hci_le_pa_sync_estabilished_evt(struct hci_dev *hdev, void *data,
+ hci_dev_unlock(hdev);
+ }
+
++static void hci_le_per_adv_report_evt(struct hci_dev *hdev, void *data,
++ struct
sk_buff *skb)
++{
++ struct hci_ev_le_per_adv_report *ev = data;
++ int mask = hdev->link_mode;
++ __u8 flags = 0;
++
++ bt_dev_dbg(hdev, "sync_handle 0x%4.4x", le16_to_cpu(ev->sync_handle));
++
++ hci_dev_lock(hdev);
++
++ mask |= hci_proto_connect_ind(hdev, BDADDR_ANY, ISO_LINK, &flags);
++ if (!(mask & HCI_LM_ACCEPT))
++ hci_le_pa_term_sync(hdev, ev->sync_handle);
++
++ hci_dev_unlock(hdev);
++}
++
+ static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev, void *data,
+ struct sk_buff *skb)
+ {
+@@ -7002,6 +7020,11 @@ static const struct hci_le_ev {
+ HCI_LE_EV(HCI_EV_LE_PA_SYNC_ESTABLISHED,
+ hci_le_pa_sync_estabilished_evt,
+ sizeof(struct hci_ev_le_pa_sync_established)),
++ /* [0x0f = HCI_EV_LE_PER_ADV_REPORT] */
++ HCI_LE_EV_VL(HCI_EV_LE_PER_ADV_REPORT,
++ hci_le_per_adv_report_evt,
++ sizeof(struct hci_ev_le_per_adv_report),
++ HCI_MAX_EVENT_SIZE),
+ /* [0x12 = HCI_EV_LE_EXT_ADV_SET_TERM] */
+ HCI_LE_EV(HCI_EV_LE_EXT_ADV_SET_TERM, hci_le_ext_adv_term_evt,
+ sizeof(struct hci_evt_le_ext_adv_set_term)),
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index c542497f040cc..bf7692e15deef 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1314,7 +1314,8 @@ static int iso_sock_getsockopt(struct socket *sock, int level, int optname,
+ break;
+
+ case BT_ISO_BASE:
+- if (sk->sk_state == BT_CONNECTED) {
++ if (sk->sk_state == BT_CONNECTED &&
++ !bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
+ base_len = iso_pi(sk)->conn->hcon->le_per_adv_data_len;
+ base = iso_pi(sk)->conn->hcon->le_per_adv_data;
+ } else {
+@@ -1487,6 +1488,9 @@ static void iso_conn_ready(struct iso_conn *conn)
+
+ bacpy(&iso_pi(sk)->dst, &hcon->dst);
+ iso_pi(sk)->dst_type = hcon->dst_type;
++ iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
++ memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
++ iso_pi(sk)->base_len = iso_pi(parent)->base_len;
+
+ hci_conn_hold(hcon);
+ iso_chan_add(conn, sk, parent);
+@@ -1517,12 +1521,20 @@ static bool
iso_match_sync_handle(struct sock *sk, void *data)
+ return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
+ }
+
++static bool iso_match_sync_handle_pa_report(struct sock *sk, void *data)
++{
++ struct hci_ev_le_per_adv_report *ev = data;
++
++ return le16_to_cpu(ev->sync_handle) == iso_pi(sk)->sync_handle;
++}
++
+ /* ----- ISO interface with lower layer (HCI) ----- */
+
+ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
+ {
+ struct hci_ev_le_pa_sync_established *ev1;
+ struct hci_evt_le_big_info_adv_report *ev2;
++ struct hci_ev_le_per_adv_report *ev3;
+ struct sock *sk;
+ int lm = 0;
+
+@@ -1538,6 +1550,9 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
+ * 2. HCI_EVT_LE_BIG_INFO_ADV_REPORT: When connect_ind is triggered by a
+ * a BIG Info it attempts to check if there any listening socket with
+ * the same sync_handle and if it does then attempt to create a sync.
++ * 3. HCI_EV_LE_PER_ADV_REPORT: When a PA report is received, it is stored
++ * in iso_pi(sk)->base so it can be passed up to user, in the case of a
++ * broadcast sink.
+ */
+ ev1 = hci_recv_event_data(hdev, HCI_EV_LE_PA_SYNC_ESTABLISHED);
+ if (ev1) {
+@@ -1570,6 +1585,17 @@ int iso_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, __u8 *flags)
+ sk = NULL;
+ }
+ }
++ }
++
++ ev3 = hci_recv_event_data(hdev, HCI_EV_LE_PER_ADV_REPORT);
++ if (ev3) {
++ sk = iso_get_sock_listen(&hdev->bdaddr, bdaddr,
++ iso_match_sync_handle_pa_report, ev3);
++
++ if (sk) {
++ memcpy(iso_pi(sk)->base, ev3->data, ev3->length);
++ iso_pi(sk)->base_len = ev3->length;
++ }
+ } else {
+ sk = iso_get_sock_listen(&hdev->bdaddr, BDADDR_ANY, NULL, NULL);
+ }
+--
+2.51.0
+
diff --git a/queue-6.1/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch b/queue-6.1/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
new file mode 100644
index 0000000000..4ba0be8c69
--- /dev/null
+++ b/queue-6.1/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
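Review bot: In the last iso.c hunk of this patch, `memcpy(iso_pi(sk)->base, ev3->data, ev3->length);` copies a controller-supplied length into the socket's BASE buffer with no bound check. `length` is a `__u8` in the new `struct hci_ev_le_per_adv_report`, and the event-table entry only caps the whole event at `HCI_MAX_EVENT_SIZE`, so nothing visible here ties it to the size of `iso_pi(sk)->base`, which is declared outside the patch. I would guard the copy, e.g. `if (sk && ev3->length <= sizeof(iso_pi(sk)->base)) {` (assuming `base` is an array member), and confirm for the 6.1 tree that `ev3->length` cannot exceed the bytes actually received for the event. Separately, the added `}` before the `ev3` lookup moves the trailing `else` onto `if (ev3)`, so an `sk` found by the earlier ev1/ev2 branches appears to be replaced by the `BDADDR_ANY` lookup whenever the current event is not a PA report. iso_connect_ind() continues outside the hunk, so both points need checking against the full function.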
@@ -0,0 +1,42 @@
+From 32bb600c42d912dfff7dd1cd85c1d7e1a0c0fc43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Oct 2025 13:29:15 -0400
+Subject: Bluetooth: ISO: Fix another instance of dst_type handling
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit c403da5e98b04a2aec9cfb25cbeeb28d7ce29975 ]
+
+Socket dst_type cannot be directly assigned to hci_conn->type since
+there domain is different which may lead to the wrong address type being
+used.
+
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/iso.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index bf7692e15deef..7d521ffc66767 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1487,7 +1487,13 @@ static void iso_conn_ready(struct iso_conn *conn)
+ }
+
+ bacpy(&iso_pi(sk)->dst, &hcon->dst);
+- iso_pi(sk)->dst_type = hcon->dst_type;
++
++ /* Convert from HCI to three-value type */
++ if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
++ iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC;
++ else
++ iso_pi(sk)->dst_type = BDADDR_LE_RANDOM;
++
+ iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
+ memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
+ iso_pi(sk)->base_len = iso_pi(parent)->base_len;
+--
+2.51.0
+
diff --git a/queue-6.1/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-6.1/bpf-do-not-audit-capability-check-in-do_jit.patch
new file mode 100644
index 0000000000..b94f688ee3
--- /dev/null
+++ b/queue-6.1/bpf-do-not-audit-capability-check-in-do_jit.patch
@@ -0,0 +1,50 @@
+From 152e5253e9cb7f895d070622e93bd97db7068ccb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 14:27:58 +0200
+Subject: bpf: Do not audit capability check in do_jit()
+
+From: Ondrej Mosnacek
+
+[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ]
+
+The failure of this check only results in a security mitigation being
+applied, slightly affecting performance of the compiled BPF program. It
+doesn't result in a failed syscall, an thus auditing a failed LSM
+permission check for it is unwanted. For example with SELinux, it causes
+a denial to be reported for confined processes running as root, which
+tends to be flagged as a problem to be fixed in the policy. Yet
+dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
+desirable, as it would allow/silence also other checks - either going
+against the principle of least privilege or making debugging potentially
+harder.
+
+Fix it by changing it from capable() to ns_capable_noaudit(), which
+instructs the LSMs to not audit the resulting denials.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
+Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
+Signed-off-by: Ondrej Mosnacek
+Reviewed-by: Paul Moore
+Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index f3068bb53c4db..095fec941bb73 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1809,7 +1809,7 @@ st: if (is_imm8(insn->off))
+ ctx->cleanup_addr = proglen;
+
+ if (bpf_prog_was_classic(bpf_prog) &&
+- !capable(CAP_SYS_ADMIN)) {
++ !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
+ u8 *ip = image + addrs[i - 1];
+
+ if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
+--
+2.51.0
+
diff --git a/queue-6.1/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-6.1/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644
index 0000000000..de6c2d1da3
--- /dev/null
+++ b/queue-6.1/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
@@ -0,0 +1,46 @@
+From 763f9e82619ce88277964d43e6eeca6cc31ec200 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index 095416e40df3c..1d49e77a6a01b 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -218,6 +218,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++ irq_work_sync(&rb->work);
++
+ /* copy pages pointer and nr_pages to local variable, as we are going
+ * to unmap rb itself with vunmap() below
+ */
+--
+2.51.0
+
diff --git a/queue-6.1/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-6.1/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644
index 0000000000..81f3cc614e
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
@@ -0,0 +1,41 @@
+From a602413cb4eecb1023e62af91e8edb66ce9ecec3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index fd1faa840ec09..24b39a80481a8 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -862,7 +862,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+ table_index);
+ uint32_t table_size;
+ int ret = 0;
+- if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++ if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+ return -EINVAL;
+
+ table_size = smu_table->tables[table_index].size;
+--
+2.51.0
+
diff --git a/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644
index 0000000000..7fb3a88c37
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
@@ -0,0 +1,39 @@
+From 775b5bd5ca95393fca518dca7cfae57874e739fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 02c094a06605d..50deb4ce767ee 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0; /* 0:Gen1 1:Gen2 2:Gen3*/
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+ table->VRConfig = 0;
+
+--
+2.51.0
+
diff --git a/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-16017 b/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-16017
new file mode 100644
index 0000000000..e216184ffb
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-16017
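Review bot: `PCIeBootLinkLevel` is now assigned `pcie_speed_table.count`, while the comment this hunk deletes described the field as a level index (`0:Gen1 1:Gen2 2:Gen3`); a count is normally one past the highest valid index. The commit message says this matches the other smumgr implementations, so it may well be what the SMC expects, but the new line should carry a comment confirming that the count, not `count - 1`, is the intended value instead of dropping the encoding note. The `(uint8_t)` cast also truncates silently if the count ever exceeded 255, so a range check or a comment stating the table's maximum size would make the assignment safe by construction. The same applies to the identical change in iceland_smumgr.c in the next queued patch.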
@@ -0,0 +1,39 @@
+From ff5fca6c8f2f064e1b2d67f7eb78763f818f18ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 03df35dee8ba8..6ddf9ce5471e8 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0;
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+
+ result = iceland_populate_smc_svi2_config(hwmgr, table);
+--
+2.51.0
+
diff --git a/queue-6.1/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-6.1/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644
index 0000000000..86513f2106
--- /dev/null
+++ b/queue-6.1/drm-etnaviv-fix-flush-sequence-logic.patch
@@ -0,0 +1,46 @@
+From 0b317b1da5add65d598b3ef83c2d980f4ea2fdc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso
+Signed-off-by: Lucas Stach
+Reviewed-by: Christian Gmeiner
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index 982174af74b1e..7d897aafb2a6a 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -346,7 +346,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+ u32 link_target, link_dwords;
+ bool switch_context = gpu->exec_state != exec_state;
+ bool switch_mmu_context = gpu->mmu_context != mmu_context;
+- unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++ unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+ bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+ bool has_blt = !!(gpu->identity.minor_features5 &
+ chipMinorFeatures5_BLT_ENGINE);
+--
+2.51.0
+
diff --git a/queue-6.1/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-6.1/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644
index 0000000000..fa1ad071b5
--- /dev/null
+++ b/queue-6.1/drm-msm-a6xx-fix-gmu-firmware-parser.patch
@@ -0,0 +1,51 @@
+From 211c6c3e751eea81d5857ffd163915d94f7a50a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen
+Acked-by: Konrad Dybcio
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index cd1d11104607c..7c1894e5627f8 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -689,6 +689,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+ return true;
+ }
+
++#define NEXT_BLK(blk) \
++ ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+ struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -719,7 +722,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+
+ for (blk = (const struct block_header *) fw_image->data;
+ (const u8*) blk < fw_image->data + fw_image->size;
+- blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++ blk = NEXT_BLK(blk)) {
+ if (blk->size == 0)
+ continue;
+
+--
+2.51.0
+
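Review bot: `NEXT_BLK()` advances by a `size` taken straight from the firmware image, and the loop condition only proves that the first byte of the next header lies inside the image. Nothing visible in these hunks checks that the whole `struct block_header` and its `blk->size` payload bytes fit in what remains, so a truncated or malformed image could make the read of `blk->size` itself, or the later block handling, run past `fw_image->data + fw_image->size`. I would validate the remaining length at the top of the loop body, as below, and consider a `static inline` helper instead of the macro so the argument is type-checked. Now that sizes need not be dword aligned, the next header can also sit at an unaligned address, which deserves a comment. a6xx_gmu_fw_load() continues outside the hunk, so an existing check further down cannot be ruled out.

```c
	     blk = NEXT_BLK(blk)) {
		size_t left = fw_image->data + fw_image->size - (const u8 *)blk;

		/* header and payload must both lie inside the image */
		if (left < sizeof(*blk) || blk->size > left - sizeof(*blk))
			return -EINVAL;

		/* … unchanged: size == 0 skip and block handling … */
```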
diff --git a/queue-6.1/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-6.1/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644
index 0000000000..3dd63f4a8b
--- /dev/null
+++ b/queue-6.1/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
@@ -0,0 +1,44 @@
+From 64b99917a69f825166c7a0b98d0007785fdf8b5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+ [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko
+Reviewed-by: Naveen N Rao (AMD)
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index 9c1b1689068d1..8f87a1765c80a 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -202,7 +202,7 @@ struct pt_regs___arm64 {
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+ /* powerpc does not select ARCH_HAS_SYSCALL_WRAPPER. */
+ #define PT_REGS_SYSCALL_REGS(ctx) ctx
+--
+2.51.0
+
diff --git a/queue-6.1/net-hns3-return-error-code-when-function-fails.patch b/queue-6.1/net-hns3-return-error-code-when-function-fails.patch
new file mode 100644
index 0000000000..ec3465e536
--- /dev/null
+++ b/queue-6.1/net-hns3-return-error-code-when-function-fails.patch
@@ -0,0 +1,87 @@
+From 5ea18a90ce9a04f9b07be85bb7c682ed5810e935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 21:13:37 +0800
+Subject: net: hns3: return error code when function fails
+
+From: Jijie Shao
+
+[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ]
+
+Currently, in hclge_mii_ioctl(), the operation to
+read the PHY register (SIOCGMIIREG) always returns 0.
+
+This patch changes the return type of hclge_read_phy_reg(),
+returning an error code when the function fails.
+
+Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs")
+Signed-off-by: Jijie Shao
+Reviewed-by: Alexander Lobakin
+Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index c509c1e12109f..c45340f26ee49 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9452,8 +9452,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd)
+ /* this command reads phy id and register at the same time */
+ fallthrough;
+ case SIOCGMIIREG:
+- data->val_out = hclge_read_phy_reg(hdev, data->reg_num);
+- return 0;
++ return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out);
+
+ case SIOCSMIIREG:
+ return hclge_write_phy_reg(hdev, data->reg_num, data->val_in);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 80079657afebe..b8dbf932caf94 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -274,7 +274,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev)
+ phy_stop(phydev);
+ }
+
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val)
+ {
+ struct hclge_phy_reg_cmd *req;
+ struct hclge_desc desc;
+@@ -286,11 +286,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
+ req->reg_addr = cpu_to_le16(reg_addr);
+
+ ret = hclge_cmd_send(&hdev->hw, &desc, 1);
+- if (ret)
++ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "failed to read phy reg, ret = %d.\n", ret);
++ return ret;
++ }
+
+- return le16_to_cpu(req->reg_val);
++ *val = le16_to_cpu(req->reg_val);
++ return 0;
+ }
+
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+index 4200d0b6d9317..21d434c82475b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+@@ -13,7 +13,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle);
+ void hclge_mac_disconnect_phy(struct hnae3_handle *handle);
+ void hclge_mac_start_phy(struct hclge_dev *hdev);
+ void hclge_mac_stop_phy(struct hclge_dev *hdev);
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr);
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val);
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val);
+
+ #endif
+--
+2.51.0
+
diff --git a/queue-6.1/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch b/queue-6.1/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
new file mode 100644
index 0000000000..a27044ccd4
--- /dev/null
+++ b/queue-6.1/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
@@ -0,0 +1,42 @@
+From 8db883fad44a77557fb496701b2542ca040885e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 15:15:38 +0900
+Subject: scsi: ufs: core: Initialize value of an attribute returned by uic cmd
+
+From: Wonkon Kim
+
+[ Upstream commit 6fe4c679dde3075cb481beb3945269bb2ef8b19a ]
+
+If ufshcd_send_cmd() fails, *mib_val may have a garbage value. It can
+get an unintended value of an attribute.
+
+Make ufshcd_dme_get_attr() always initialize *mib_val.
+
+Fixes: 12b4fdb4f6bc ("[SCSI] ufs: add dme configuration primitives")
+Signed-off-by: Wonkon Kim
+Reviewed-by: Bart Van Assche
+Link: https://patch.msgid.link/20251020061539.28661-2-wkon.kim@samsung.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/ufs/core/ufshcd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index f9adb11067470..d78ac2817c1ff 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4027,8 +4027,8 @@ int ufshcd_dme_get_attr(struct ufs_hba *hba, u32 attr_sel,
+ get, UIC_GET_ATTR_ID(attr_sel),
+ UFS_UIC_COMMAND_RETRIES - retries);
+
+- if (mib_val && !ret)
+- *mib_val = uic_cmd.argument3;
++ if (mib_val)
++ *mib_val = ret == 0 ? uic_cmd.argument3 : 0;
+
+ if (peer && (hba->quirks & UFSHCD_QUIRK_DME_PEER_ACCESS_AUTO_MODE)
+ && pwr_mode_change)
+--
+2.51.0
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 1d37a27bab..a0804c4116 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
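Review bot: Zeroing `*mib_val` on failure removes the stale-value read, but it makes a failed query indistinguishable from an attribute whose value really is 0 for any caller that does not test the return code. The function's header comment, which is outside this hunk, should state the new contract, for example `@mib_val: output; set to 0 when the command fails, so check the return value before use`. If callers that ignore the return value exist, they are better fixed than masked; none are visible here.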
@@ -33,3 +33,23 @@ fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
 mptcp-restore-window-probe.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
 x86-fpu-ensure-xfd-state-on-signal-delivery.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
+bpf-do-not-audit-capability-check-in-do_jit.patch
+asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
+asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
+libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
+usbnet-prevents-free-active-kevent.patch
+bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
+bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
+bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
+bluetooth-iso-add-support-for-periodic-adv-reports-p.patch
+bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+net-hns3-return-error-code-when-function-fails.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-16017
diff --git a/queue-6.1/usbnet-prevents-free-active-kevent.patch b/queue-6.1/usbnet-prevents-free-active-kevent.patch
new file mode 100644
index 0000000000..65f534a96b
--- /dev/null
+++ b/queue-6.1/usbnet-prevents-free-active-kevent.patch
@@ -0,0 +1,50 @@
+From e61ac15d6de5088f64bc575e33c771c045c9b2e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index a68fead887207..6bdf035e35f56 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1645,6 +1645,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+ net = dev->net;
+ unregister_netdev (net);
+
++ cancel_work_sync(&dev->kevent);
++
+ while ((urb = usb_get_from_anchor(&dev->deferred))) {
+ dev_kfree_skb(urb->context);
+ kfree(urb->sg);
+--
+2.51.0
+
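Review bot: `cancel_work_sync(&dev->kevent)` only removes work that has been queued up to this point, so the fix holds only if nothing can schedule kevent again between here and the `free_netdev()` named in the commit message. The rest of usbnet_disconnect() is outside the hunk; the URB drain loop that follows looks harmless, but any completion handler or timer still live at this stage could re-arm the work. A comment stating the invariant, e.g. `/* kevent may have been queued at probe time on a device that was never opened; nothing may schedule it after this point */`, would make the assumption reviewable.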
diff --git a/queue-6.1/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-6.1/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644
index 0000000000..cc923e1bc5
--- /dev/null
+++ b/queue-6.1/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
@@ -0,0 +1,41 @@
+From f88bcc23e6a64ed88f7bd0d0a896c1fc98d22c47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson
+Signed-off-by: Loic Poulain
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index 2fda5ca3e6ee9..22ce8b529067d 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1935,6 +1935,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+ if (cmd_id == WMI_CMD_UNSUPPORTED) {
+ ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+ cmd_id);
++ dev_kfree_skb_any(skb);
+ return ret;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.12/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-6.12/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644
index 0000000000..946313bba4
--- /dev/null
+++ b/queue-6.12/alsa-usb-audio-fix-control-pipe-direction.patch
@@ -0,0 +1,37 @@
+From 500c8c503277832ea5f17a1e03d1ed6f8db3b0b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index fac4bbc6b2757..65bdda0841048 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+
+ pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+ pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+- ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++ ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+ SC1810C_SET_STATE_REQ,
+ SC1810C_SET_STATE_REQTYPE,
+ (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+--
+2.51.0
+
diff --git a/queue-6.12/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch b/queue-6.12/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch
new file mode 100644
index 0000000000..7dd3a6d87e
--- /dev/null
+++ b/queue-6.12/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch
@@ -0,0 +1,38 @@
+From bdc458556485ed02cf14672da5892d87f5b18ef0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Oct 2025 10:48:44 +0100
+Subject: ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h
+
+From: Richard Fitzgerald
+
+[ Upstream commit ec20584f25233bfe292c8e18f9a429dfaff58a49 ]
+
+cs-amp-lib-test uses functions from kunit/test-bug.h but wasn't
+including it.
+
+This error was found by smatch.
+
+Fixes: 177862317a98 ("ASoC: cs-amp-lib: Add KUnit test for calibration helpers")
+Signed-off-by: Richard Fitzgerald
+Link: https://patch.msgid.link/20251016094844.92796-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs-amp-lib-test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/cs-amp-lib-test.c b/sound/soc/codecs/cs-amp-lib-test.c
+index a6e8348a1bd53..1bc43a4cfe09c 100644
+--- a/sound/soc/codecs/cs-amp-lib-test.c
++++ b/sound/soc/codecs/cs-amp-lib-test.c
+@@ -6,6 +6,7 @@
+ // Cirrus Logic International Semiconductor Ltd.
+
+ #include
++#include
+ #include
+ #include
+ #include
+--
+2.51.0
+
diff --git a/queue-6.12/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch b/queue-6.12/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
new file mode 100644
index 0000000000..9d7c41df39
--- /dev/null
+++ b/queue-6.12/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
@@ -0,0 +1,46 @@
+From 6f39c36906a200a16c394ba7c50897586bd4d83b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 14:45:37 +0800
+Subject: ASoC: fsl_sai: fix bit order for DSD format
+
+From: Shengjiu Wang
+
+[ Upstream commit d9fbe5b0bf7e2d1e20d53e4e2274f9f61bdcca98 ]
+
+The DSD little endian format requires the msb first, because oldest bit
+is in msb.
+found this issue by testing with pipewire.
+
+Fixes: c111c2ddb3fd ("ASoC: fsl_sai: Add PDM daifmt support")
+Signed-off-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251023064538.368850-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_sai.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 57614c0b711ea..7e4338762f085 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -321,7 +321,6 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+ break;
+ case SND_SOC_DAIFMT_PDM:
+ val_cr2 |= FSL_SAI_CR2_BCP;
+- val_cr4 &= ~FSL_SAI_CR4_MF;
+ sai->is_pdm_mode = true;
+ break;
+ case SND_SOC_DAIFMT_RIGHT_J:
+@@ -606,7 +605,7 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+ val_cr5 |= FSL_SAI_CR5_WNW(slot_width);
+ val_cr5 |= FSL_SAI_CR5_W0W(slot_width);
+
+- if (sai->is_lsb_first || sai->is_pdm_mode)
++ if (sai->is_lsb_first)
+ val_cr5 |= FSL_SAI_CR5_FBT(0);
+ else
+ val_cr5 |= FSL_SAI_CR5_FBT(word_width - 1);
+--
+2.51.0
+
diff --git a/queue-6.12/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch b/queue-6.12/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch
new file mode 100644
index 0000000000..c2a7599140
--- /dev/null
+++ b/queue-6.12/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch
@@ -0,0 +1,61 @@
+From b3e5a1cba0f90d83f549efb01c33a39348e88581 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Oct 2025 15:57:15 +0200
+Subject: ASoC: fsl_sai: Fix sync error in consumer mode
+
+From: Maarten Zanders
+
+[ Upstream commit b2dd1d0d322dce5f331961c927e775b84014d5ab ]
+
+When configured for default synchronisation (Rx syncs to Tx) and the
+SAI operates in consumer mode (clocks provided externally to Tx), a
+synchronisation error occurs on Tx on the first attempt after device
+initialisation when the playback stream is started while a capture
+stream is already active. This results in channel shift/swap on the
+playback stream.
+Subsequent streams (ie after that first failing one) always work
+correctly, no matter the order, with or without the other stream active.
+
+This issue was observed (and fix tested) on an i.MX6UL board connected
+to an ADAU1761 codec, where the codec provides both frame and bit clock
+(connected to TX pins).
+
+To fix this, always initialize the 'other' xCR4 and xCR5 registers when
+we're starting a stream which is synced to the opposite one, irregardless
+of the producer/consumer status.
+
+Fixes: 51659ca069ce ("ASoC: fsl-sai: set xCR4/xCR5/xMR for SAI master mode")
+
+Signed-off-by: Maarten Zanders
+Reviewed-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251024135716.584265-1-maarten@zanders.be
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_sai.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 7e4338762f085..bc3bf1c55d3c1 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -620,12 +620,12 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+ val_cr4 |= FSL_SAI_CR4_CHMOD;
+
+ /*
+- * For SAI provider mode, when Tx(Rx) sync with Rx(Tx) clock, Rx(Tx) will
+- * generate bclk and frame clock for Tx(Rx), we should set RCR4(TCR4),
+- * RCR5(TCR5) for playback(capture), or there will be sync error.
++ * When Tx(Rx) sync with Rx(Tx) clock, Rx(Tx) will provide bclk and
++ * frame clock for Tx(Rx). We should set RCR4(TCR4), RCR5(TCR5)
++ * for playback(capture), or there will be sync error.
+ */
+
+- if (!sai->is_consumer_mode[tx] && fsl_sai_dir_is_synced(sai, adir)) {
++ if (fsl_sai_dir_is_synced(sai, adir)) {
+ regmap_update_bits(sai->regmap, FSL_SAI_xCR4(!tx, ofs),
+ FSL_SAI_CR4_SYWD_MASK | FSL_SAI_CR4_FRSZ_MASK |
+ FSL_SAI_CR4_CHMOD_MASK,
+--
+2.51.0
+
diff --git a/queue-6.12/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch b/queue-6.12/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch
new file mode 100644
index 0000000000..a83045e032
--- /dev/null
+++ b/queue-6.12/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch
@@ -0,0 +1,38 @@
+From 3f0cbc4a27345c8906340483f64d2a6507fcc47f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 11:23:47 +0200
+Subject: ASoC: Intel: avs: Disable periods-elapsed work when closing PCM
+
+From: Cezary Rojewski
+
+[ Upstream commit 845f716dc5f354c719f6fda35048b6c2eca99331 ]
+
+avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio
+stream while period-elapsed work services its IRQs. As the former
+frees the DAI's private context, these two operations shall be
+synchronized to avoid slab-use-after-free or worse errors.
+
+Fixes: 0dbb186c3510 ("ASoC: Intel: avs: Update stream status in a separate thread")
+Signed-off-by: Cezary Rojewski
+Link: https://patch.msgid.link/20251023092348.3119313-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/intel/avs/pcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 3041717632ed0..dee871910d211 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -551,6 +551,7 @@ static void avs_dai_fe_shutdown(struct snd_pcm_substream *substream, struct snd_
+
+ data = snd_soc_dai_get_dma_data(dai, substream);
+
++ disable_work_sync(&data->period_elapsed_work);
+ snd_hdac_ext_stream_release(data->host_stream, HDAC_EXT_STREAM_TYPE_HOST);
+ avs_dai_shutdown(substream, dai);
+ }
+--
+2.51.0
+
diff --git a/queue-6.12/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch b/queue-6.12/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
new file mode 100644
index 0000000000..f79d5085ca
--- /dev/null
+++ b/queue-6.12/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
@@ -0,0 +1,40 @@
+From 1624cc38d8b31154280790535bc647b530937c8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 11:23:46 +0200
+Subject: ASoC: Intel: avs: Unprepare a stream when XRUN occurs
+
+From: Cezary Rojewski
+
+[ Upstream commit cfca1637bc2b6b1e4f191d2f0b25f12402fbbb26 ]
+
+The pcm->prepare() function may be called multiple times in a row by the
+userspace, as mentioned in the documentation. The driver shall take that
+into account and prevent redundancy. However, the exact same function is
+called during XRUNs and in such case, the particular stream shall be
+reset and setup anew.
+
+Fixes: 9114700b496c ("ASoC: Intel: avs: Generic PCM FE operations")
+Signed-off-by: Cezary Rojewski
+Link: https://patch.msgid.link/20251023092348.3119313-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/intel/avs/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 15defce0f3eb8..3041717632ed0 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -653,6 +653,8 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so
+ data = snd_soc_dai_get_dma_data(dai, substream);
+ host_stream = data->host_stream;
+
++ if (runtime->state == SNDRV_PCM_STATE_XRUN)
++ hdac_stream(host_stream)->prepared = false;
+ if (hdac_stream(host_stream)->prepared)
+ return 0;
+
+--
+2.51.0
+
diff --git a/queue-6.12/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch b/queue-6.12/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
new file mode 100644
index 0000000000..f27c882310
--- /dev/null
+++ b/queue-6.12/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
@@ -0,0 +1,61 @@ +From 6af98161d379b2e22bc5e5faf8254c59f5b79d51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Sep 2025 13:39:33 +0800 +Subject: Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during + reset + +From: Chris Lu + +[ Upstream commit 77343b8b4f87560f8f03e77b98a81ff3a147b262 ] + +This patch adds logic to handle power management control when the +Bluetooth function is closed during the SDIO reset sequence. + +Specifically, if BT is closed before reset, the driver enables the +SDIO function and sets driver pmctrl. After reset, if BT remains +closed, the driver sets firmware pmctrl and disables the SDIO function. + +These changes ensure proper power management and device state consistency +across the reset flow. + +Fixes: 8fafe702253d ("Bluetooth: mt7921s: support bluetooth reset mechanism") +Signed-off-by: Chris Lu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmtksdio.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c +index 13dcc0077732b..206de38fc1c82 100644 +--- a/drivers/bluetooth/btmtksdio.c ++++ b/drivers/bluetooth/btmtksdio.c +@@ -1270,6 +1270,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev) + + sdio_claim_host(bdev->func); + ++ /* set drv_pmctrl if BT is closed before doing reset */ ++ if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) { ++ sdio_enable_func(bdev->func); ++ btmtksdio_drv_pmctrl(bdev); ++ } ++ + sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, NULL); + skb_queue_purge(&bdev->txq); + cancel_work_sync(&bdev->txrx_work); +@@ -1285,6 +1291,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev) + goto err; + } + ++ /* set fw_pmctrl back if BT is closed after doing reset */ ++ if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) { ++ btmtksdio_fw_pmctrl(bdev); ++ sdio_disable_func(bdev->func); ++ } ++ + clear_bit(BTMTKSDIO_PATCH_ENABLED, 
&bdev->tx_state); + err: + sdio_release_host(bdev->func); +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch b/queue-6.12/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch new file mode 100644 index 0000000000..e0d7730a04 --- /dev/null +++ b/queue-6.12/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch 
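Review bot: Both added blocks in the reset path drop return values: `sdio_enable_func(bdev->func);` returns an error code, and on failure the code still calls btmtksdio_drv_pmctrl() and carries on resetting a function that is not enabled. The first block could read `if (sdio_enable_func(bdev->func)) goto err;`, using the `err:` label that releases the host at the end of the second hunk. This assumes nothing acquired earlier needs separate unwinding, which cannot be confirmed because the function starts outside the hunk. The results of btmtksdio_drv_pmctrl() and btmtksdio_fw_pmctrl() also appear to be ignored; logging a failure with bt_dev_err() would at least make a device left in the wrong power state diagnosable.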
@@ -0,0 +1,78 @@ +From ecd77dafa8719a3d9c345c3435fb0ccefff7cc6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Oct 2025 10:55:58 -0400 +Subject: Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00 + +From: Luiz Augusto von Dentz + +[ Upstream commit 0d92808024b4e9868cef68d16f121d509843e80e ] + +This fixes the state tracking of advertisement set/instance 0x00 which +is considered a legacy instance and is not tracked individually by +adv_instances list, previously it was assumed that hci_dev itself would +track it via HCI_LE_ADV but that is a global state not specifc to +instance 0x00, so to fix it a new flag is introduced that only tracks the +state of instance 0x00. + +Fixes: 1488af7b8b5f ("Bluetooth: hci_sync: Fix hci_resume_advertising_sync") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci.h | 1 + + net/bluetooth/hci_event.c | 4 ++++ + net/bluetooth/hci_sync.c | 5 ++--- + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h +index 4b3200542fe66..999ac27050993 100644 +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -424,6 +424,7 @@ enum { + HCI_USER_CHANNEL, + HCI_EXT_CONFIGURED, + HCI_LE_ADV, ++ HCI_LE_ADV_0, + HCI_LE_PER_ADV, + HCI_LE_SCAN, + HCI_SSP_ENABLED, +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index debe9cc2f72d9..176565ef47c63 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1600,6 +1600,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, + + if (adv && !adv->periodic) + adv->enabled = true; ++ else if (!set->handle) ++ hci_dev_set_flag(hdev, HCI_LE_ADV_0); + + conn = hci_lookup_le_connect(hdev); + if (conn) +@@ -1610,6 +1612,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, + if (cp->num_of_sets) { + if (adv) + adv->enabled = false; ++ else if (!set->handle) ++ 
hci_dev_clear_flag(hdev, HCI_LE_ADV_0); + + /* If just one instance was disabled check if there are + * any other instance enabled before clearing HCI_LE_ADV +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index c08e46ee70b24..06d8ab997bd85 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2616,9 +2616,8 @@ static int hci_resume_advertising_sync(struct hci_dev *hdev) + /* If current advertising instance is set to instance 0x00 + * then we need to re-enable it. + */ +- if (!hdev->cur_adv_instance) +- err = hci_enable_ext_advertising_sync(hdev, +- hdev->cur_adv_instance); ++ if (hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0)) ++ err = hci_enable_ext_advertising_sync(hdev, 0x00); + } else { + /* Schedule for most recent instance to be restarted and begin + * the software rotation loop +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch b/queue-6.12/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch new file mode 100644 index 0000000000..31bd397dfe --- /dev/null +++ b/queue-6.12/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch 
@@ -0,0 +1,88 @@ +From 60023a34467d1c07eb9ee5ad15a00491c709ed4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Oct 2025 16:03:19 -0400 +Subject: Bluetooth: hci_core: Fix tracking of periodic advertisement + +From: Luiz Augusto von Dentz + +[ Upstream commit 751463ceefc3397566d03c8b64ef4a77f5fd88ac ] + +Periodic advertising enabled flag cannot be tracked by the enabled +flag since advertising and periodic advertising each can be +enabled/disabled separately from one another causing the states to be +inconsistent when for example an advertising set is disabled its +enabled flag is set to false which is then used for periodic which has +not being disabled. + +Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 1 + + net/bluetooth/hci_event.c | 7 +++++-- + net/bluetooth/hci_sync.c | 4 ++-- + 3 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index ca75c71b58588..35b5f58b562cb 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -240,6 +240,7 @@ struct adv_info { + bool enabled; + bool pending; + bool periodic; ++ bool periodic_enabled; + __u8 mesh; + __u8 instance; + __u8 handle; +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 176565ef47c63..ccc73742de356 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1598,7 +1598,7 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, + + hci_dev_set_flag(hdev, HCI_LE_ADV); + +- if (adv && !adv->periodic) ++ if (adv) + adv->enabled = true; + else if (!set->handle) + hci_dev_set_flag(hdev, HCI_LE_ADV_0); +@@ -3955,8 +3955,11 @@ static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data, + hci_dev_set_flag(hdev, HCI_LE_PER_ADV); + + if (adv) +- adv->enabled = true; ++ 
adv->periodic_enabled = true; + } else { ++ if (adv) ++ adv->periodic_enabled = false; ++ + /* If just one instance was disabled check if there are + * any other instance enabled before clearing HCI_LE_PER_ADV. + * The current periodic adv instance will be marked as +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 06d8ab997bd85..f79b38603205c 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1605,7 +1605,7 @@ int hci_disable_per_advertising_sync(struct hci_dev *hdev, u8 instance) + + /* If periodic advertising already disabled there is nothing to do. */ + adv = hci_find_adv_instance(hdev, instance); +- if (!adv || !adv->periodic || !adv->enabled) ++ if (!adv || !adv->periodic_enabled) + return 0; + + memset(&cp, 0, sizeof(cp)); +@@ -1670,7 +1670,7 @@ static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance) + + /* If periodic advertising already enabled there is nothing to do. */ + adv = hci_find_adv_instance(hdev, instance); +- if (adv && adv->periodic && adv->enabled) ++ if (adv && adv->periodic_enabled) + return 0; + + memset(&cp, 0, sizeof(cp)); +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch b/queue-6.12/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch new file mode 100644 index 0000000000..e398b9df0f --- /dev/null +++ b/queue-6.12/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch 
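Review bot: The context comment kept below the new `adv->periodic_enabled = false;` in hci_cc_le_set_per_adv_enable() still says the instance "will be marked as disabled once extended advertising is also disabled", which no longer matches the code now that the periodic state is cleared right there. The scan for other enabled instances that follows that comment is outside the hunk. If it still tests `adv->periodic && adv->enabled`, it should test `adv->periodic_enabled`, otherwise HCI_LE_PER_ADV is decided from the extended-advertising state this patch is separating out. It is also worth confirming that every path which bulk-resets `adv->enabled` resets `periodic_enabled` as well.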
@@ -0,0 +1,55 @@ +From 082a5a3557006ec1f2b37911a3e12b8f08c89170 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Sep 2025 05:30:17 +0000 +Subject: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once + +From: Cen Zhang + +[ Upstream commit 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 ] + +hci_cmd_sync_dequeue_once() does lookup and then cancel +the entry under two separate lock sections. Meanwhile, +hci_cmd_sync_work() can also delete the same entry, +leading to double list_del() and "UAF". + +Fix this by holding cmd_sync_work_lock across both +lookup and cancel, so that the entry cannot be removed +concurrently. + +Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue") +Reported-by: Cen Zhang +Signed-off-by: Cen Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 853acfa8e9433..c08e46ee70b24 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -863,11 +863,17 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev, + { + struct hci_cmd_sync_work_entry *entry; + +- entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy); +- if (!entry) ++ mutex_lock(&hdev->cmd_sync_work_lock); ++ ++ entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy); ++ if (!entry) { ++ mutex_unlock(&hdev->cmd_sync_work_lock); + return false; ++ } + +- hci_cmd_sync_cancel_entry(hdev, entry); ++ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED); ++ ++ mutex_unlock(&hdev->cmd_sync_work_lock); + + return true; + } +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch b/queue-6.12/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch new file mode 100644 index 0000000000..5957fe7352 --- /dev/null +++ b/queue-6.12/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch 
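Review bot: hci_cmd_sync_dequeue_once() now has two separate `mutex_unlock(&hdev->cmd_sync_work_lock);` exits, and nothing documents that the function takes the lock itself. A single exit is harder to break in later edits: `if (entry) _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);`, then one unlock and `return entry != NULL;`. A kernel-doc line saying the caller must not hold cmd_sync_work_lock would help too. Any other caller that still pairs the locking hci_cmd_sync_lookup_entry() with hci_cmd_sync_cancel_entry() would have the same lookup-then-cancel window; those callers are not visible here.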
@@ -0,0 +1,42 @@ +From c4c1744d39b462c89176329831df7980de1cf725 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Oct 2025 13:29:15 -0400 +Subject: Bluetooth: ISO: Fix another instance of dst_type handling + +From: Luiz Augusto von Dentz + +[ Upstream commit c403da5e98b04a2aec9cfb25cbeeb28d7ce29975 ] + +Socket dst_type cannot be directly assigned to hci_conn->type since +there domain is different which may lead to the wrong address type being +used. + +Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index c9a262f97678b..a48a2868a728b 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1939,7 +1939,13 @@ static void iso_conn_ready(struct iso_conn *conn) + } + + bacpy(&iso_pi(sk)->dst, &hcon->dst); +- iso_pi(sk)->dst_type = hcon->dst_type; ++ ++ /* Convert from HCI to three-value type */ ++ if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) ++ iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC; ++ else ++ iso_pi(sk)->dst_type = BDADDR_LE_RANDOM; ++ + iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle; + memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len); + iso_pi(sk)->base_len = iso_pi(parent)->base_len; +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-iso-fix-bis-connection-dst_type-handling.patch b/queue-6.12/bluetooth-iso-fix-bis-connection-dst_type-handling.patch new file mode 100644 index 0000000000..a71bfa8050 --- /dev/null +++ b/queue-6.12/bluetooth-iso-fix-bis-connection-dst_type-handling.patch 
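Review bot: The new conversion in iso_conn_ready() maps every value other than `ADDR_LE_DEV_PUBLIC` to `BDADDR_LE_RANDOM`, so a resolved public address type would be reported to the socket as random. If `hcon->dst_type` can hold `ADDR_LE_DEV_PUBLIC_RESOLVED` at this point (not visible from the hunk), the test should cover it: `if (hcon->dst_type == ADDR_LE_DEV_PUBLIC || hcon->dst_type == ADDR_LE_DEV_PUBLIC_RESOLVED)`. The comment could also name both domains, for example `/* hcon->dst_type is an HCI ADDR_LE_DEV_* value; the socket stores BDADDR_LE_* */`. The function starts and ends outside the hunk.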
@@ -0,0 +1,36 @@ +From 650b116a085bca7cecd829eea6e409b6328b565f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Sep 2025 11:48:50 -0400 +Subject: Bluetooth: ISO: Fix BIS connection dst_type handling + +From: Luiz Augusto von Dentz + +[ Upstream commit f0c200a4a537f8f374584a974518b0ce69eda76c ] + +Socket dst_type cannot be directly assigned to hci_conn->type since +there domain is different which may lead to the wrong address type being +used. + +Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index f48a694b004ab..c9a262f97678b 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1927,7 +1927,7 @@ static void iso_conn_ready(struct iso_conn *conn) + */ + if (!bacmp(&hcon->dst, BDADDR_ANY)) { + bacpy(&hcon->dst, &iso_pi(parent)->dst); +- hcon->dst_type = iso_pi(parent)->dst_type; ++ hcon->dst_type = le_addr_type(iso_pi(parent)->dst_type); + } + + if (ev3) { +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-iso-update-hci_conn_hash_lookup_big-for-br.patch b/queue-6.12/bluetooth-iso-update-hci_conn_hash_lookup_big-for-br.patch new file mode 100644 index 0000000000..86b577c1e9 --- /dev/null +++ b/queue-6.12/bluetooth-iso-update-hci_conn_hash_lookup_big-for-br.patch 
@@ -0,0 +1,75 @@ +From 175f7671195efaabe09e6dcd82a097db35ef1690 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2024 10:23:39 +0200 +Subject: Bluetooth: ISO: Update hci_conn_hash_lookup_big for Broadcast slave + +From: Iulia Tanasescu + +[ Upstream commit 83d328a72eff3268ea4c19deb0a6cf4c7da15746 ] + +Currently, hci_conn_hash_lookup_big only checks for BIS master connections, +by filtering out connections with the destination address set. This commit +updates this function to also consider BIS slave connections, since it is +also used for a Broadcast Receiver to set an available BIG handle before +issuing the LE BIG Create Sync command. + +Signed-off-by: Iulia Tanasescu +Signed-off-by: Luiz Augusto von Dentz +Stable-dep-of: f0c200a4a537 ("Bluetooth: ISO: Fix BIS connection dst_type handling") +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 12 +++++++++++- + net/bluetooth/hci_event.c | 1 + + net/bluetooth/iso.c | 1 - + 3 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 69a1d8b12beff..ca75c71b58588 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -1315,7 +1315,17 @@ static inline struct hci_conn *hci_conn_hash_lookup_big(struct hci_dev *hdev, + rcu_read_lock(); + + list_for_each_entry_rcu(c, &h->list, list) { +- if (bacmp(&c->dst, BDADDR_ANY) || c->type != ISO_LINK) ++ if (c->type != ISO_LINK) ++ continue; ++ ++ /* An ISO_LINK hcon with BDADDR_ANY as destination ++ * address is a Broadcast connection. A Broadcast ++ * slave connection is associated with a PA train, ++ * so the sync_handle can be used to differentiate ++ * from unicast. 
++ */ ++ if (bacmp(&c->dst, BDADDR_ANY) && ++ c->sync_handle == HCI_SYNC_HANDLE_INVALID) + continue; + + if (handle == c->iso_qos.bcast.big) { +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 1e537ed83ba4b..debe9cc2f72d9 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -6976,6 +6976,7 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data, + /* Mark PA sync as established */ + set_bit(HCI_CONN_PA_SYNC, &bis->flags); + ++ bis->sync_handle = conn->sync_handle; + bis->iso_qos.bcast.big = ev->handle; + memset(&interval, 0, sizeof(interval)); + memcpy(&interval, ev->latency, sizeof(ev->latency)); +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 2cd0b963c96bd..f48a694b004ab 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1928,7 +1928,6 @@ static void iso_conn_ready(struct iso_conn *conn) + if (!bacmp(&hcon->dst, BDADDR_ANY)) { + bacpy(&hcon->dst, &iso_pi(parent)->dst); + hcon->dst_type = iso_pi(parent)->dst_type; +- hcon->sync_handle = iso_pi(parent)->sync_handle; + } + + if (ev3) { +-- +2.51.0 + diff --git a/queue-6.12/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-6.12/bpf-do-not-audit-capability-check-in-do_jit.patch new file mode 100644 index 0000000000..a50af4f84e --- /dev/null +++ b/queue-6.12/bpf-do-not-audit-capability-check-in-do_jit.patch 
@@ -0,0 +1,50 @@ +From 46c8df2e2779509435be4f825a3f1a086c41adc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:27:58 +0200 +Subject: bpf: Do not audit capability check in do_jit() + +From: Ondrej Mosnacek + +[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ] + +The failure of this check only results in a security mitigation being +applied, slightly affecting performance of the compiled BPF program. It +doesn't result in a failed syscall, an thus auditing a failed LSM +permission check for it is unwanted. For example with SELinux, it causes +a denial to be reported for confined processes running as root, which +tends to be flagged as a problem to be fixed in the policy. Yet +dontauditing or allowing CAP_SYS_ADMIN to the domain may not be +desirable, as it would allow/silence also other checks - either going +against the principle of least privilege or making debugging potentially +harder. + +Fix it by changing it from capable() to ns_capable_noaudit(), which +instructs the LSMs to not audit the resulting denials. 
+ +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326 +Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit") +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Paul Moore +Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index 9a861ac77f8eb..8cbc26081bdb2 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -2453,7 +2453,7 @@ st: if (is_imm8(insn->off)) + /* Update cleanup_addr */ + ctx->cleanup_addr = proglen; + if (bpf_prog_was_classic(bpf_prog) && +- !capable(CAP_SYS_ADMIN)) { ++ !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) { + u8 *ip = image + addrs[i - 1]; + + if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog)) +-- +2.51.0 + diff --git a/queue-6.12/bpf-find-eligible-subprogs-for-private-stack-support.patch b/queue-6.12/bpf-find-eligible-subprogs-for-private-stack-support.patch new file mode 100644 index 0000000000..892d0882d9 --- /dev/null +++ b/queue-6.12/bpf-find-eligible-subprogs-for-private-stack-support.patch 
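Review bot: The replacement `!ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` in do_jit() has no comment, and a later cleanup could easily turn it back into capable(). I would add `/* A denial only enables the BHB barrier, so do not audit it. */` above the condition. The check is still made against init_user_ns, so which tasks skip the barrier is unchanged and only the audit record goes away. do_jit() starts and ends outside the hunk.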
@@ -0,0 +1,265 @@ +From 6c50a937e4047fee3fe1498ec93478e855c7e4a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2024 08:39:07 -0800 +Subject: bpf: Find eligible subprogs for private stack support + +From: Yonghong Song + +[ Upstream commit a76ab5731e32d50ff5b1ae97e9dc4b23f41c23f5 ] + +Private stack will be allocated with percpu allocator in jit time. +To avoid complexity at runtime, only one copy of private stack is +available per cpu per prog. So runtime recursion check is necessary +to avoid stack corruption. + +Current private stack only supports kprobe/perf_event/tp/raw_tp +which has recursion check in the kernel, and prog types that use +bpf trampoline recursion check. For trampoline related prog types, +currently only tracing progs have recursion checking. + +To avoid complexity, all async_cb subprogs use normal kernel stack +including those subprogs used by both main prog subtree and async_cb +subtree. Any prog having tail call also uses kernel stack. + +To avoid jit penalty with private stack support, a subprog stack +size threshold is set such that only if the stack size is no less +than the threshold, private stack is supported. The current threshold +is 64 bytes. This avoids jit penality if the stack usage is small. + +A useless 'continue' is also removed from a loop in func +check_max_stack_depth(). 
+ +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20241112163907.2223839-1-yonghong.song@linux.dev +Signed-off-by: Alexei Starovoitov +Stable-dep-of: 881a9c9cb785 ("bpf: Do not audit capability check in do_jit()") +Signed-off-by: Sasha Levin +--- + include/linux/bpf_verifier.h | 7 +++ + include/linux/filter.h | 1 + + kernel/bpf/core.c | 5 ++ + kernel/bpf/verifier.c | 96 ++++++++++++++++++++++++++++++++---- + 4 files changed, 99 insertions(+), 10 deletions(-) + +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index fb33458f2fc77..1a9b69743cb15 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -654,6 +654,12 @@ struct bpf_subprog_arg_info { + }; + }; + ++enum priv_stack_mode { ++ PRIV_STACK_UNKNOWN, ++ NO_PRIV_STACK, ++ PRIV_STACK_ADAPTIVE, ++}; ++ + struct bpf_subprog_info { + /* 'start' has to be the first field otherwise find_subprog() won't work */ + u32 start; /* insn idx of function entry point */ +@@ -675,6 +681,7 @@ struct bpf_subprog_info { + bool keep_fastcall_stack: 1; + bool changes_pkt_data: 1; + ++ enum priv_stack_mode priv_stack_mode; + u8 arg_cnt; + struct bpf_subprog_arg_info args[MAX_BPF_FUNC_REG_ARGS]; + }; +diff --git a/include/linux/filter.h b/include/linux/filter.h +index 5118caf8aa1c7..0477254bc2d30 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -1119,6 +1119,7 @@ bool bpf_jit_supports_exceptions(void); + bool bpf_jit_supports_ptr_xchg(void); + bool bpf_jit_supports_arena(void); + bool bpf_jit_supports_insn(struct bpf_insn *insn, bool in_arena); ++bool bpf_jit_supports_private_stack(void); + u64 bpf_arch_uaddress_limit(void); + void arch_bpf_stack_walk(bool (*consume_fn)(void *cookie, u64 ip, u64 sp, u64 bp), void *cookie); + bool bpf_helper_changes_pkt_data(enum bpf_func_id func_id); +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 08bdb623f4f91..76dfa9ab43a5d 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -3094,6 +3094,11 
@@ bool __weak bpf_jit_supports_exceptions(void) + return false; + } + ++bool __weak bpf_jit_supports_private_stack(void) ++{ ++ return false; ++} ++ + void __weak arch_bpf_stack_walk(bool (*consume_fn)(void *cookie, u64 ip, u64 sp, u64 bp), void *cookie) + { + } +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 96640a80fd9c4..709151d33e5e4 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -194,6 +194,8 @@ struct bpf_verifier_stack_elem { + + #define BPF_GLOBAL_PERCPU_MA_MAX_SIZE 512 + ++#define BPF_PRIV_STACK_MIN_SIZE 64 ++ + static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx); + static int release_reference(struct bpf_verifier_env *env, int ref_obj_id); + static void invalidate_non_owning_refs(struct bpf_verifier_env *env); +@@ -6027,6 +6029,34 @@ static int check_ptr_alignment(struct bpf_verifier_env *env, + strict); + } + ++static enum priv_stack_mode bpf_enable_priv_stack(struct bpf_prog *prog) ++{ ++ if (!bpf_jit_supports_private_stack()) ++ return NO_PRIV_STACK; ++ ++ /* bpf_prog_check_recur() checks all prog types that use bpf trampoline ++ * while kprobe/tp/perf_event/raw_tp don't use trampoline hence checked ++ * explicitly. 
++ */ ++ switch (prog->type) { ++ case BPF_PROG_TYPE_KPROBE: ++ case BPF_PROG_TYPE_TRACEPOINT: ++ case BPF_PROG_TYPE_PERF_EVENT: ++ case BPF_PROG_TYPE_RAW_TRACEPOINT: ++ return PRIV_STACK_ADAPTIVE; ++ case BPF_PROG_TYPE_TRACING: ++ case BPF_PROG_TYPE_LSM: ++ case BPF_PROG_TYPE_STRUCT_OPS: ++ if (bpf_prog_check_recur(prog)) ++ return PRIV_STACK_ADAPTIVE; ++ fallthrough; ++ default: ++ break; ++ } ++ ++ return NO_PRIV_STACK; ++} ++ + static int round_up_stack_depth(struct bpf_verifier_env *env, int stack_depth) + { + if (env->prog->jit_requested) +@@ -6044,17 +6074,20 @@ static int round_up_stack_depth(struct bpf_verifier_env *env, int stack_depth) + * Since recursion is prevented by check_cfg() this algorithm + * only needs a local stack of MAX_CALL_FRAMES to remember callsites + */ +-static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx) ++static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx, ++ bool priv_stack_supported) + { + struct bpf_subprog_info *subprog = env->subprog_info; + struct bpf_insn *insn = env->prog->insnsi; +- int depth = 0, frame = 0, i, subprog_end; ++ int depth = 0, frame = 0, i, subprog_end, subprog_depth; + bool tail_call_reachable = false; + int ret_insn[MAX_CALL_FRAMES]; + int ret_prog[MAX_CALL_FRAMES]; + int j; + + i = subprog[idx].start; ++ if (!priv_stack_supported) ++ subprog[idx].priv_stack_mode = NO_PRIV_STACK; + process_func: + /* protect against potential stack overflow that might happen when + * bpf2bpf calls get combined with tailcalls. Limit the caller's stack +@@ -6081,11 +6114,31 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx) + depth); + return -EACCES; + } +- depth += round_up_stack_depth(env, subprog[idx].stack_depth); +- if (depth > MAX_BPF_STACK) { +- verbose(env, "combined stack size of %d calls is %d. 
Too large\n", +- frame + 1, depth); +- return -EACCES; ++ ++ subprog_depth = round_up_stack_depth(env, subprog[idx].stack_depth); ++ if (priv_stack_supported) { ++ /* Request private stack support only if the subprog stack ++ * depth is no less than BPF_PRIV_STACK_MIN_SIZE. This is to ++ * avoid jit penalty if the stack usage is small. ++ */ ++ if (subprog[idx].priv_stack_mode == PRIV_STACK_UNKNOWN && ++ subprog_depth >= BPF_PRIV_STACK_MIN_SIZE) ++ subprog[idx].priv_stack_mode = PRIV_STACK_ADAPTIVE; ++ } ++ ++ if (subprog[idx].priv_stack_mode == PRIV_STACK_ADAPTIVE) { ++ if (subprog_depth > MAX_BPF_STACK) { ++ verbose(env, "stack size of subprog %d is %d. Too large\n", ++ idx, subprog_depth); ++ return -EACCES; ++ } ++ } else { ++ depth += subprog_depth; ++ if (depth > MAX_BPF_STACK) { ++ verbose(env, "combined stack size of %d calls is %d. Too large\n", ++ frame + 1, depth); ++ return -EACCES; ++ } + } + continue_func: + subprog_end = subprog[idx + 1].start; +@@ -6142,6 +6195,8 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx) + } + i = next_insn; + idx = sidx; ++ if (!priv_stack_supported) ++ subprog[idx].priv_stack_mode = NO_PRIV_STACK; + + if (subprog[idx].has_tail_call) + tail_call_reachable = true; +@@ -6175,7 +6230,8 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx) + */ + if (frame == 0) + return 0; +- depth -= round_up_stack_depth(env, subprog[idx].stack_depth); ++ if (subprog[idx].priv_stack_mode != PRIV_STACK_ADAPTIVE) ++ depth -= round_up_stack_depth(env, subprog[idx].stack_depth); + frame--; + i = ret_insn[frame]; + idx = ret_prog[frame]; +@@ -6184,16 +6240,36 @@ static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx) + + static int check_max_stack_depth(struct bpf_verifier_env *env) + { ++ enum priv_stack_mode priv_stack_mode = PRIV_STACK_UNKNOWN; + struct bpf_subprog_info *si = env->subprog_info; ++ bool priv_stack_supported; + int ret; + + for (int i = 0; i < 
env->subprog_cnt; i++) { ++ if (si[i].has_tail_call) { ++ priv_stack_mode = NO_PRIV_STACK; ++ break; ++ } ++ } ++ ++ if (priv_stack_mode == PRIV_STACK_UNKNOWN) ++ priv_stack_mode = bpf_enable_priv_stack(env->prog); ++ ++ /* All async_cb subprogs use normal kernel stack. If a particular ++ * subprog appears in both main prog and async_cb subtree, that ++ * subprog will use normal kernel stack to avoid potential nesting. ++ * The reverse subprog traversal ensures when main prog subtree is ++ * checked, the subprogs appearing in async_cb subtrees are already ++ * marked as using normal kernel stack, so stack size checking can ++ * be done properly. ++ */ ++ for (int i = env->subprog_cnt - 1; i >= 0; i--) { + if (!i || si[i].is_async_cb) { +- ret = check_max_stack_depth_subprog(env, i); ++ priv_stack_supported = !i && priv_stack_mode == PRIV_STACK_ADAPTIVE; ++ ret = check_max_stack_depth_subprog(env, i, priv_stack_supported); + if (ret < 0) + return ret; + } +- continue; + } + return 0; + } +-- +2.51.0 + diff --git a/queue-6.12/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-6.12/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch new file mode 100644 index 0000000000..cdf76e13ae --- /dev/null +++ b/queue-6.12/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch 
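Review bot: In check_max_stack_depth_subprog() a subprog marked `PRIV_STACK_ADAPTIVE` is no longer added to `depth` and is only checked on its own against MAX_BPF_STACK. The combined kernel-stack limit therefore depends on the JIT really moving that frame off the kernel stack. This patch adds only the `__weak` bpf_jit_supports_private_stack() returning false and is pulled in purely as a dependency. It is worth confirming that no architecture in this tree overrides it without the matching JIT support, so that every frame is still counted. In bpf_enable_priv_stack(), `fallthrough;` into a `default:` that only breaks is noise; a plain `break;` after the bpf_prog_check_recur() test reads the same.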
@@ -0,0 +1,46 @@ +From af55b76a4ae6be368e72345dab752bf765c7da5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Oct 2025 23:33:01 +0530 +Subject: bpf: Sync pending IRQ work before freeing ring buffer + +From: Noorain Eqbal + +[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ] + +Fix a race where irq_work can be queued in bpf_ringbuf_commit() +but the ring buffer is freed before the work executes. +In the syzbot reproducer, a BPF program attached to sched_switch +triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer +is freed before this work executes, the irq_work thread may accesses +freed memory. +Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work +complete before freeing the buffer. + +Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") +Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2 +Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com +Signed-off-by: Noorain Eqbal +Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/ringbuf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c +index 1499d8caa9a35..1f2c504809023 100644 +--- a/kernel/bpf/ringbuf.c ++++ b/kernel/bpf/ringbuf.c +@@ -215,6 +215,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr) + + static void bpf_ringbuf_free(struct bpf_ringbuf *rb) + { ++ irq_work_sync(&rb->work); ++ + /* copy pages pointer and nr_pages to local variable, as we are going + * to unmap rb itself with vunmap() below + */ +-- +2.51.0 + diff --git a/queue-6.12/bpf-x86-avoid-repeated-usage-of-bpf_prog-aux-stack_d.patch b/queue-6.12/bpf-x86-avoid-repeated-usage-of-bpf_prog-aux-stack_d.patch new file mode 100644 index 0000000000..bd099d0f0b --- /dev/null 
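Review bot: `irq_work_sync(&rb->work);` at the top of bpf_ringbuf_free() waits only for work that is already queued, and the hunk does not record why no new irq_work can be queued after it returns. A comment above the call should state that assumption, for example `/* No producer can commit once the map is being freed; wait for irq_work already queued before the pages are unmapped. */`, worded to match what the map teardown path actually guarantees. The rest of bpf_ringbuf_free() is outside the hunk.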
+++ b/queue-6.12/bpf-x86-avoid-repeated-usage-of-bpf_prog-aux-stack_d.patch 
@@ -0,0 +1,73 @@
+From 73c3baa62051650ebfbba3e50e98d71c45e4e54e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Nov 2024 08:39:17 -0800
+Subject: bpf, x86: Avoid repeated usage of bpf_prog->aux->stack_depth
+
+From: Yonghong Song
+
+[ Upstream commit f4b21ed0b9d6c9fe155451a1fb3531fb44b0afa8 ]
+
+Refactor the code to avoid repeated usage of bpf_prog->aux->stack_depth
+in do_jit() func. If the private stack is used, the stack_depth will be
+0 for that prog. Refactoring make it easy to adjust stack_depth.
+
+Signed-off-by: Yonghong Song
+Link: https://lore.kernel.org/r/20241112163917.2224189-1-yonghong.song@linux.dev
+Signed-off-by: Alexei Starovoitov
+Stable-dep-of: 881a9c9cb785 ("bpf: Do not audit capability check in do_jit()")
+Signed-off-by: Sasha Levin
+---
+ arch/x86/net/bpf_jit_comp.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index ccb2f7703c33c..9a861ac77f8eb 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1472,14 +1472,17 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image, u8 *rw_image
+ int i, excnt = 0;
+ int ilen, proglen = 0;
+ u8 *prog = temp;
++ u32 stack_depth;
+ int err;
+
++ stack_depth = bpf_prog->aux->stack_depth;
++
+ arena_vm_start = bpf_arena_get_kern_vm_start(bpf_prog->aux->arena);
+ user_vm_start = bpf_arena_get_user_vm_start(bpf_prog->aux->arena);
+
+ detect_reg_usage(insn, insn_cnt, callee_regs_used);
+
+- emit_prologue(&prog, bpf_prog->aux->stack_depth,
++ emit_prologue(&prog, stack_depth,
+ bpf_prog_was_classic(bpf_prog), tail_call_reachable,
+ bpf_is_subprog(bpf_prog), bpf_prog->aux->exception_cb);
+ /* Exception callback will clobber callee regs for its own use, and
+@@ -2175,7 +2178,7 @@ st: if (is_imm8(insn->off))
+
+ func = (u8 *) __bpf_call_base + imm32;
+ if (tail_call_reachable) {
+- LOAD_TAIL_CALL_CNT_PTR(bpf_prog->aux->stack_depth);
++ LOAD_TAIL_CALL_CNT_PTR(stack_depth);
+ ip += 7;
+ }
+ if (!imm32)
+@@ -2192,13 +2195,13 @@ st: if (is_imm8(insn->off))
+ &bpf_prog->aux->poke_tab[imm32 - 1],
+ &prog, image + addrs[i - 1],
+ callee_regs_used,
+- bpf_prog->aux->stack_depth,
++ stack_depth,
+ ctx);
+ else
+ emit_bpf_tail_call_indirect(bpf_prog,
+ &prog,
+ callee_regs_used,
+- bpf_prog->aux->stack_depth,
++ stack_depth,
+ image + addrs[i - 1],
+ ctx);
+ break;
+--
+2.51.0
+
diff --git a/queue-6.12/crypto-aspeed-fix-double-free-caused-by-devm.patch b/queue-6.12/crypto-aspeed-fix-double-free-caused-by-devm.patch
new file mode 100644
index 0000000000..bf521c3049
--- /dev/null
+++ b/queue-6.12/crypto-aspeed-fix-double-free-caused-by-devm.patch
@@ -0,0 +1,48 @@
+From 31049422317c24982494158324e3cb0788501b8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 18:11:09 +0800
+Subject: crypto: aspeed - fix double free caused by devm
+
+From: Haotian Zhang
+
+[ Upstream commit 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 ]
+
+The clock obtained via devm_clk_get_enabled() is automatically managed
+by devres and will be disabled and freed on driver detach. Manually
+calling clk_disable_unprepare() in error path and remove function
+causes double free.
+
+Remove the manual clock cleanup in both aspeed_acry_probe()'s error
+path and aspeed_acry_remove().
+
+Fixes: 2f1cf4e50c95 ("crypto: aspeed - Add ACRY RSA driver")
+Signed-off-by: Haotian Zhang
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/aspeed/aspeed-acry.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/crypto/aspeed/aspeed-acry.c b/drivers/crypto/aspeed/aspeed-acry.c
+index b4613bd4ad964..8ca0913d94abf 100644
+--- a/drivers/crypto/aspeed/aspeed-acry.c
++++ b/drivers/crypto/aspeed/aspeed-acry.c
+@@ -789,7 +789,6 @@ static int aspeed_acry_probe(struct platform_device *pdev)
+ err_engine_rsa_start:
+ crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ clk_exit:
+- clk_disable_unprepare(acry_dev->clk);
+
+ return rc;
+ }
+@@ -801,7 +800,6 @@ static void aspeed_acry_remove(struct platform_device *pdev)
+ aspeed_acry_unregister(acry_dev);
+ crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ tasklet_kill(&acry_dev->done_task);
+- clk_disable_unprepare(acry_dev->clk);
+ }
+
+ MODULE_DEVICE_TABLE(of, aspeed_acry_of_matches);
+--
+2.51.0
+
diff --git a/queue-6.12/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch b/queue-6.12/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch
new file mode 100644
index 0000000000..2812808156
--- /dev/null
+++ b/queue-6.12/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch
@@ -0,0 +1,46 @@
+From f7b8adc8a1d569e0c0b6c6cbd55c0094a48922d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Oct 2025 20:55:12 +0200
+Subject: dpll: spec: add missing module-name and clock-id to pin-get reply
+
+From: Petr Oros
+
+[ Upstream commit 520ad9e96937e825a117e9f00dd35a3e199d67b5 ]
+
+The dpll.yaml spec incorrectly omitted module-name and clock-id from the
+pin-get operation reply specification, even though the kernel DPLL
+implementation has always included these attributes in pin-get responses
+since the initial implementation.
+
+This spec inconsistency caused issues with the C YNL code generator.
+The generated dpll_pin_get_rsp structure was missing these fields.
+
+Fix the spec by adding module-name and clock-id to the pin-attrs reply
+specification to match the actual kernel behavior.
+
+Fixes: 3badff3a25d8 ("dpll: spec: Add Netlink spec in YAML")
+Signed-off-by: Petr Oros
+Reviewed-by: Ivan Vecera
+Link: https://patch.msgid.link/20251024185512.363376-1-poros@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ Documentation/netlink/specs/dpll.yaml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Documentation/netlink/specs/dpll.yaml b/Documentation/netlink/specs/dpll.yaml
+index f2894ca35de84..860350e61edb5 100644
+--- a/Documentation/netlink/specs/dpll.yaml
++++ b/Documentation/netlink/specs/dpll.yaml
+@@ -517,6 +517,8 @@ operations:
+ reply: &pin-attrs
+ attributes:
+ - id
++ - module-name
++ - clock-id
+ - board-label
+ - panel-label
+ - package-label
+--
+2.51.0
+
diff --git a/queue-6.12/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-6.12/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644
index 0000000000..82f00ed783
--- /dev/null
+++ b/queue-6.12/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
@@ -0,0 +1,41 @@
+From 761508840499034900f32beded5d32b2c8b0aa55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index 0ce1766c859f5..d2f11d82312f0 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -955,7 +955,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+ table_index);
+ uint32_t table_size;
+ int ret = 0;
+- if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++ if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+ return -EINVAL;
+
+ table_size = smu_table->tables[table_index].size;
+--
+2.51.0
+
diff --git a/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644
index 0000000000..6b8823a5b7
--- /dev/null
+++ b/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
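Review bot: The corrected check `table_index >= SMU_TABLE_COUNT` runs after `table_index` has already been passed to the call that ends on the hunk's first context line (`table_index);`), so it protects only the `smu_table->tables[table_index]` access below; whether that earlier call validates its argument is not visible here. The check also has no lower bound, which matters if the parameter's type is signed; its declaration is outside the hunk. Since the bug came from confusing the two names, a comment above the check would help: `/* table_index: driver index into smu_table->tables[]; table_id: firmware-side id, negative when the mapping fails */`. `smu_cmn_update_table()` starts and ends outside the hunk.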
@@ -0,0 +1,39 @@
+From 8231b560f66dab8bcb3cb3a0e4a45f5e45de80e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 5e43ad2b29564..e7e497b166b3e 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0; /* 0:Gen1 1:Gen2 2:Gen3*/
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+ table->VRConfig = 0;
+
+--
+2.51.0
+
diff --git a/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241 b/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241
new file mode 100644
index 0000000000..c0da1064e4
--- /dev/null
+++ b/queue-6.12/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241
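Review bot: The new assignment `table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);` narrows a count to 8 bits without a range check and drops the `/* 0:Gen1 1:Gen2 2:Gen3*/` comment that documented the field's encoding; the same line is added in the Iceland hunk that follows. If the field is a zero-based level, as the removed comment suggests, `count` is one past the last table entry, so it is worth stating why the firmware accepts that value; the commit message only says the other smumgr implementations do the same. I would keep the encoding comment and add `/* boot at the highest level in pcie_speed_table, as the other smumgr implementations do */`. `fiji_init_smc_table()` starts and ends outside the hunk.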
@@ -0,0 +1,39 @@
+From 91c1cf92e6a63d61748947ab3644a016160b9ba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 17d2f5bff4a7e..49c32183878de 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0;
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+
+ result = iceland_populate_smc_svi2_config(hwmgr, table);
+--
+2.51.0
+
diff --git a/queue-6.12/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-6.12/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644
index 0000000000..012e38c5a3
--- /dev/null
+++ b/queue-6.12/drm-etnaviv-fix-flush-sequence-logic.patch
@@ -0,0 +1,46 @@
+From 629d998484cbe6eb3d45cb8e90b1b826ca099a17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso
+Signed-off-by: Lucas Stach
+Reviewed-by: Christian Gmeiner
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index b13a17276d07c..88385dc3b30d8 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -347,7 +347,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+ u32 link_target, link_dwords;
+ bool switch_context = gpu->exec_state != exec_state;
+ bool switch_mmu_context = gpu->mmu_context != mmu_context;
+- unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++ unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+ bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+ bool has_blt = !!(gpu->identity.minor_features5 &
+ chipMinorFeatures5_BLT_ENGINE);
+--
+2.51.0
+
diff --git a/queue-6.12/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-6.12/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644
index 0000000000..6a9cb8d5f4
--- /dev/null
+++ b/queue-6.12/drm-msm-a6xx-fix-gmu-firmware-parser.patch
@@ -0,0 +1,51 @@
+From 2d71cb003a20652218298638d705579ce45943da Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen
+Acked-by: Konrad Dybcio
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index 8609fa38058ea..bfb1225a47c50 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -730,6 +730,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+ return true;
+ }
+
++#define NEXT_BLK(blk) \
++ ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+ struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -760,7 +763,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+
+ for (blk = (const struct block_header *) fw_image->data;
+ (const u8*) blk < fw_image->data + fw_image->size;
+- blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++ blk = NEXT_BLK(blk)) {
+ if (blk->size == 0)
+ continue;
+
+--
+2.51.0
+
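Review bot: `NEXT_BLK()` advances by `sizeof(*(blk)) + (blk)->size` with `size` read straight from the firmware image, while the loop condition in `a6xx_gmu_fw_load()` only checks that the start of `blk` lies inside the image. A truncated or malformed image can therefore have its last header, or a payload, extend past `fw_image->data + fw_image->size` before the loop notices. At the top of the loop body I would compute `size_t left = fw_image->data + fw_image->size - (const u8 *)blk;` and reject the image with `if (left < sizeof(*blk) || blk->size > left - sizeof(*blk)) return -EINVAL;`. Dropping the dword rounding also means a header may now start at an unaligned address, so the `blk->size` reads rely on unaligned access being acceptable here. The loop body and the function's error path are outside the hunk, so the exact return path is an assumption.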
diff --git a/queue-6.12/drm-radeon-do-not-kfree-devres-managed-rdev.patch b/queue-6.12/drm-radeon-do-not-kfree-devres-managed-rdev.patch
new file mode 100644
index 0000000000..f51cd351c2
--- /dev/null
+++ b/queue-6.12/drm-radeon-do-not-kfree-devres-managed-rdev.patch
@@ -0,0 +1,40 @@
+From ede77b0bbb1721a1ede08662c7ce9ff1f2a01cff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 14:44:50 +0900
+Subject: drm/radeon: Do not kfree() devres managed rdev
+
+From: Daniel Palmer
+
+[ Upstream commit 3328443363a0895fd9c096edfe8ecd372ca9145e ]
+
+Since the allocation of the drivers main structure was changed to
+devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling
+kfree() on it.
+
+This fixes things exploding if the driver probe fails and devres cleans up
+the rdev after we already free'd it.
+
+Fixes: a9ed2f052c5c ("drm/radeon: change drm_dev_alloc to devm_drm_dev_alloc")
+Signed-off-by: Daniel Palmer
+Signed-off-by: Alex Deucher
+(cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/radeon_kms.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
+index 645e33bf7947e..ba1446acd7032 100644
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -84,7 +84,6 @@ void radeon_driver_unload_kms(struct drm_device *dev)
+ rdev->agp = NULL;
+
+ done_free:
+- kfree(rdev);
+ dev->dev_private = NULL;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.12/drm-radeon-remove-calls-to-drm_put_dev.patch b/queue-6.12/drm-radeon-remove-calls-to-drm_put_dev.patch
new file mode 100644
index 0000000000..075480b94a
--- /dev/null
+++ b/queue-6.12/drm-radeon-remove-calls-to-drm_put_dev.patch
@@ -0,0 +1,98 @@
+From 459cf349eacd109ca0f0d389bb511440717b397f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 14:44:51 +0900
+Subject: drm/radeon: Remove calls to drm_put_dev()
+
+From: Daniel Palmer
+
+[ Upstream commit 745bae76acdd71709773c129a69deca01036250b ]
+
+Since the allocation of the drivers main structure was changed to
+devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd
+should be done by devres.
+
+However, drm_put_dev() is still in the probe error and device remove
+paths. When the driver fails to probe warnings like the following are
+shown because devres is trying to drm_put_dev() after the driver
+already did it.
+
+[ 5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22
+[ 5.649605] ------------[ cut here ]------------
+[ 5.649607] refcount_t: underflow; use-after-free.
+[ 5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
+
+Fixes: a9ed2f052c5c ("drm/radeon: change drm_dev_alloc to devm_drm_dev_alloc")
+Signed-off-by: Daniel Palmer
+Signed-off-by: Alex Deucher
+(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/radeon_drv.c | 25 ++++---------------------
+ 1 file changed, 4 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c
+index e5a6f3e7c75b6..31fac034a17e6 100644
+--- a/drivers/gpu/drm/radeon/radeon_drv.c
++++ b/drivers/gpu/drm/radeon/radeon_drv.c
+@@ -312,46 +312,30 @@ static int radeon_pci_probe(struct pci_dev *pdev,
+
+ ret = pci_enable_device(pdev);
+ if (ret)
+- goto err_free;
++ return ret;
+
+ pci_set_drvdata(pdev, ddev);
+
+ ret = radeon_driver_load_kms(ddev, flags);
+ if (ret)
+- goto err_agp;
++ goto err;
+
+ ret = drm_dev_register(ddev, flags);
+ if (ret)
+- goto err_agp;
++ goto err;
+
+ radeon_fbdev_setup(ddev->dev_private);
+
+ return 0;
+
+-err_agp:
++err:
+ pci_disable_device(pdev);
+-err_free:
+- drm_dev_put(ddev);
+ return ret;
+ }
+
+-static void
+-radeon_pci_remove(struct pci_dev *pdev)
+-{
+- struct drm_device *dev = pci_get_drvdata(pdev);
+-
+- drm_put_dev(dev);
+-}
+-
+ static void
+ radeon_pci_shutdown(struct pci_dev *pdev)
+ {
+- /* if we are running in a VM, make sure the device
+- * torn down properly on reboot/shutdown
+- */
+- if (radeon_device_is_virtual())
+- radeon_pci_remove(pdev);
+-
+ #if defined(CONFIG_PPC64) || defined(CONFIG_MACH_LOONGSON64)
+ /*
+ * Some adapters need to be suspended before a
+@@ -603,7 +587,6 @@ static struct pci_driver radeon_kms_pci_driver = {
+ .name = DRIVER_NAME,
+ .id_table = pciidlist,
+ .probe = radeon_pci_probe,
+- .remove = radeon_pci_remove,
+ .shutdown = radeon_pci_shutdown,
+ .driver.pm = &radeon_pm_ops,
+ };
+--
+2.51.0
+
diff --git a/queue-6.12/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch b/queue-6.12/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch
new file mode 100644
index 0000000000..61e243b715
--- /dev/null
+++ b/queue-6.12/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch
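Review bot: With `radeon_pci_remove()` and the `.remove` entry deleted, nothing in this hunk undoes the `drm_dev_register(ddev, flags)` call in `radeon_pci_probe()` when the device is unbound; the removed `drm_put_dev(dev)` was the only teardown on that path. If devres releases only the reference taken by the allocation, the device would stay registered after unbind, so I would expect a remove callback that calls `drm_dev_unregister(dev)` and leaves the final put to devres. The hunk also drops the `radeon_device_is_virtual()` teardown from `radeon_pci_shutdown()`, which the commit message does not mention and which deserves a sentence there. `radeon_pci_probe()` and `radeon_pci_shutdown()` both extend beyond the hunk.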
@@ -0,0 +1,49 @@
+From ec564688929570526de41ae2d60008f6c90fa1ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Oct 2025 11:28:14 +0200
+Subject: kunit: test_dev_action: Correctly cast 'priv' pointer to long*
+
+From: Florian Schmaus
+
+[ Upstream commit 2551a1eedc09f5a86f94b038dc1bb16855c256f1 ]
+
+The previous implementation incorrectly assumed the original type of
+'priv' was void**, leading to an unnecessary and misleading
+cast. Correct the cast of the 'priv' pointer in test_dev_action() to
+its actual type, long*, removing an unnecessary cast.
+
+As an additional benefit, this fixes an out-of-bounds CHERI fault on
+hardware with architectural capabilities. The original implementation
+tried to store a capability-sized pointer using the priv
+pointer. However, the priv pointer's capability only granted access to
+the memory region of its original long type, leading to a bounds
+violation since the size of a long is smaller than the size of a
+capability. This change ensures that the pointer usage respects the
+capabilities' bounds.
+
+Link: https://lore.kernel.org/r/20251017092814.80022-1-florian.schmaus@codasip.com
+Fixes: d03c720e03bd ("kunit: Add APIs for managing devices")
+Reviewed-by: David Gow
+Signed-off-by: Florian Schmaus
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+---
+ lib/kunit/kunit-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/kunit/kunit-test.c b/lib/kunit/kunit-test.c
+index d9c781c859fde..580374e081071 100644
+--- a/lib/kunit/kunit-test.c
++++ b/lib/kunit/kunit-test.c
+@@ -735,7 +735,7 @@ static struct kunit_case kunit_current_test_cases[] = {
+
+ static void test_dev_action(void *priv)
+ {
+- *(void **)priv = (void *)1;
++ *(long *)priv = 1;
+ }
+
+ static void kunit_device_test(struct kunit *test)
+--
+2.51.0
+
diff --git a/queue-6.12/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-6.12/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644
index 0000000000..9a87536f02
--- /dev/null
+++ b/queue-6.12/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
@@ -0,0 +1,44 @@
+From 609d89957cf1c7881dd0f1cd86be06f58ac3dc15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+ [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko
+Reviewed-by: Naveen N Rao (AMD)
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index a8f6cd4841b03..dbe32a5d02cd7 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -311,7 +311,7 @@ struct pt_regs___arm64 {
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+
+ #elif defined(bpf_target_sparc)
+--
+2.51.0
+
diff --git a/queue-6.12/net-hns3-return-error-code-when-function-fails.patch b/queue-6.12/net-hns3-return-error-code-when-function-fails.patch
new file mode 100644
index 0000000000..f9c51e323c
--- /dev/null
+++ b/queue-6.12/net-hns3-return-error-code-when-function-fails.patch
@@ -0,0 +1,87 @@
+From 24de4285a07cdef3028bdd096397849964e85ae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 21:13:37 +0800
+Subject: net: hns3: return error code when function fails
+
+From: Jijie Shao
+
+[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ]
+
+Currently, in hclge_mii_ioctl(), the operation to
+read the PHY register (SIOCGMIIREG) always returns 0.
+
+This patch changes the return type of hclge_read_phy_reg(),
+returning an error code when the function fails.
+
+Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs")
+Signed-off-by: Jijie Shao
+Reviewed-by: Alexander Lobakin
+Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 407ad0b985b4f..f5eafd1ded413 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9439,8 +9439,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd)
+ /* this command reads phy id and register at the same time */
+ fallthrough;
+ case SIOCGMIIREG:
+- data->val_out = hclge_read_phy_reg(hdev, data->reg_num);
+- return 0;
++ return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out);
+
+ case SIOCSMIIREG:
+ return hclge_write_phy_reg(hdev, data->reg_num, data->val_in);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 80079657afebe..b8dbf932caf94 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -274,7 +274,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev)
+ phy_stop(phydev);
+ }
+
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val)
+ {
+ struct hclge_phy_reg_cmd *req;
+ struct hclge_desc desc;
+@@ -286,11 +286,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
+ req->reg_addr = cpu_to_le16(reg_addr);
+
+ ret = hclge_cmd_send(&hdev->hw, &desc, 1);
+- if (ret)
++ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "failed to read phy reg, ret = %d.\n", ret);
++ return ret;
++ }
+
+- return le16_to_cpu(req->reg_val);
++ *val = le16_to_cpu(req->reg_val);
++ return 0;
+ }
+
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+index 4200d0b6d9317..21d434c82475b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+@@ -13,7 +13,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle);
+ void hclge_mac_disconnect_phy(struct hnae3_handle *handle);
+ void hclge_mac_start_phy(struct hclge_dev *hdev);
+ void hclge_mac_stop_phy(struct hclge_dev *hdev);
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr);
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val);
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val);
+
+ #endif
+--
+2.51.0
+
diff --git a/queue-6.12/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch b/queue-6.12/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
new file mode 100644
index 0000000000..4f6c2dc231
--- /dev/null
+++ b/queue-6.12/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
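Review bot: `hclge_read_phy_reg()` now reports the register through an out-parameter, but neither the definition nor the prototype in `hclge_mdio.h` says that `*val` is written only on success. `hclge_mii_ioctl()` passes `&data->val_out` straight through, so after a failed `hclge_cmd_send()` the caller's field keeps whatever it held before; that is safe only as long as every caller checks the return value. A short comment on the prototype would pin the contract: `/* returns 0 and stores the register in *val; on failure returns the hclge_cmd_send() error and leaves *val untouched */`. Both functions start outside their hunks.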
@@ -0,0 +1,42 @@
+From bb38de588699678dbe1606b8525fe24e534d84f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 15:15:38 +0900
+Subject: scsi: ufs: core: Initialize value of an attribute returned by uic cmd
+
+From: Wonkon Kim
+
+[ Upstream commit 6fe4c679dde3075cb481beb3945269bb2ef8b19a ]
+
+If ufshcd_send_cmd() fails, *mib_val may have a garbage value. It can
+get an unintended value of an attribute.
+
+Make ufshcd_dme_get_attr() always initialize *mib_val.
+
+Fixes: 12b4fdb4f6bc ("[SCSI] ufs: add dme configuration primitives")
+Signed-off-by: Wonkon Kim
+Reviewed-by: Bart Van Assche
+Link: https://patch.msgid.link/20251020061539.28661-2-wkon.kim@samsung.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/ufs/core/ufshcd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index e079cb5d9ec69..2d07902ce7f1b 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4239,8 +4239,8 @@ int ufshcd_dme_get_attr(struct ufs_hba *hba, u32 attr_sel,
+ get, UIC_GET_ATTR_ID(attr_sel),
+ UFS_UIC_COMMAND_RETRIES - retries);
+
+- if (mib_val && !ret)
+- *mib_val = uic_cmd.argument3;
++ if (mib_val)
++ *mib_val = ret == 0 ? uic_cmd.argument3 : 0;
+
+ if (peer && (hba->quirks & UFSHCD_QUIRK_DME_PEER_ACCESS_AUTO_MODE)
+ && pwr_mode_change)
+--
+2.51.0
+
diff --git a/queue-6.12/series b/queue-6.12/series
index 90a68d02d9..3c759e3aa0 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
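Review bot: After this change `*mib_val` is set to 0 when the command fails, and 0 can presumably also be a legitimate attribute value, so a caller that ignores the return code now reads a plausible-looking attribute instead of stale stack data. That is the safer failure mode, but the line `*mib_val = ret == 0 ? uic_cmd.argument3 : 0;` should say so: `/* always define *mib_val; 0 on failure is a placeholder, callers must still check the return value */`. `ufshcd_dme_get_attr()` starts and ends outside the hunk.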
@@ -16,3 +16,43 @@ asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch s390-pci-restore-irq-unconditionally-for-the-zpci-device.patch smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch x86-fpu-ensure-xfd-state-on-signal-delivery.patch +wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch +wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch +wifi-ath12k-free-skb-during-idr-cleanup-callback.patch +wifi-ath11k-add-support-for-mu-edca.patch +wifi-ath11k-avoid-bit-operation-on-key-flags.patch +drm-msm-a6xx-fix-gmu-firmware-parser.patch +alsa-usb-audio-fix-control-pipe-direction.patch +asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch +wifi-mac80211-don-t-mark-keys-for-inactive-links-as-.patch +wifi-mac80211-fix-key-tailroom-accounting-leak.patch +kunit-test_dev_action-correctly-cast-priv-pointer-to.patch +bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch +scsi-ufs-core-initialize-value-of-an-attribute-retur.patch +bpf-find-eligible-subprogs-for-private-stack-support.patch +bpf-x86-avoid-repeated-usage-of-bpf_prog-aux-stack_d.patch +bpf-do-not-audit-capability-check-in-do_jit.patch +crypto-aspeed-fix-double-free-caused-by-devm.patch +asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch +asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch +asoc-fsl_sai-fix-bit-order-for-dsd-format.patch +libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch +usbnet-prevents-free-active-kevent.patch +bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch +bluetooth-iso-update-hci_conn_hash_lookup_big-for-br.patch +bluetooth-iso-fix-bis-connection-dst_type-handling.patch +bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch +bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch +bluetooth-iso-fix-another-instance-of-dst_type-handl.patch +bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch +drm-etnaviv-fix-flush-sequence-logic.patch +tools-ynl-fix-string-attribute-length-to-include-nul.patch 
+net-hns3-return-error-code-when-function-fails.patch +sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch +dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch +asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch +drm-radeon-do-not-kfree-devres-managed-rdev.patch +drm-radeon-remove-calls-to-drm_put_dev.patch +drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch +drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch +drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-18241 diff --git a/queue-6.12/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch b/queue-6.12/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch new file mode 100644 index 0000000000..acbaba7fab --- /dev/null +++ b/queue-6.12/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch 
@@ -0,0 +1,51 @@
+From 16c543cd85152ce72e5981871abcdc8fc7b6e0bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 19:48:42 +0530
+Subject: sfc: fix potential memory leak in efx_mae_process_mport()
+
+From: Abdun Nihaal
+
+[ Upstream commit 46a499aaf8c27476fd05e800f3e947bfd71aa724 ]
+
+In efx_mae_enumerate_mports(), memory allocated for mae_mport_desc is
+passed as a argument to efx_mae_process_mport(), but when the error path
+in efx_mae_process_mport() gets executed, the memory allocated for desc
+gets leaked.
+
+Fix that by freeing the memory allocation before returning error.
+
+Fixes: a6a15aca4207 ("sfc: enumerate mports in ef100")
+Acked-by: Edward Cree
+Signed-off-by: Abdun Nihaal
+Link: https://patch.msgid.link/20251023141844.25847-1-nihaal@cse.iitm.ac.in
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sfc/mae.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/sfc/mae.c b/drivers/net/ethernet/sfc/mae.c
+index 10709d828a636..21d5596460732 100644
+--- a/drivers/net/ethernet/sfc/mae.c
++++ b/drivers/net/ethernet/sfc/mae.c
+@@ -1101,6 +1101,9 @@ void efx_mae_remove_mport(void *desc, void *arg)
+ kfree(mport);
+ }
+
++/*
++ * Takes ownership of @desc, even if it returns an error
++ */
+ static int efx_mae_process_mport(struct efx_nic *efx,
+ struct mae_mport_desc *desc)
+ {
+@@ -1111,6 +1114,7 @@ static int efx_mae_process_mport(struct efx_nic *efx,
+ if (!IS_ERR_OR_NULL(mport)) {
+ netif_err(efx, drv, efx->net_dev,
+ "mport with id %u does exist!!!\n", desc->mport_id);
++ kfree(desc);
+ return -EEXIST;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.12/tools-ynl-fix-string-attribute-length-to-include-nul.patch b/queue-6.12/tools-ynl-fix-string-attribute-length-to-include-nul.patch
new file mode 100644
index 0000000000..6693f7f901
--- /dev/null
+++ b/queue-6.12/tools-ynl-fix-string-attribute-length-to-include-nul.patch
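Review bot: With `kfree(desc)` on the -EEXIST path, efx_mae_process_mport() now releases its argument on at least this error return, so a caller that frees or reads `desc` after a failed call would double-free or touch freed memory. The commit message names efx_mae_enumerate_mports() as the caller, but its error handling is not part of this patch, and the remaining exit paths of efx_mae_process_mport() lie past the end of the second mae.c hunk; both need checking against the new ownership comment. The comment itself could state the consequence for the caller, e.g. `* Takes ownership of @desc, even on error: the caller must not use or free it afterwards`.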
@@ -0,0 +1,75 @@
+From 40a494ed1b9e63c9fdba38775b86a2acdc792f4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Oct 2025 15:24:38 +0200
+Subject: tools: ynl: fix string attribute length to include null terminator
+
+From: Petr Oros
+
+[ Upstream commit 65f9c4c5888913c2cf5d2fc9454c83f9930d537d ]
+
+The ynl_attr_put_str() function was not including the null terminator
+in the attribute length calculation. This caused kernel to reject
+CTRL_CMD_GETFAMILY requests with EINVAL:
+"Attribute failed policy validation".
+
+For a 4-character family name like "dpll":
+- Sent: nla_len=8 (4 byte header + 4 byte string without null)
+- Expected: nla_len=9 (4 byte header + 5 byte string with null)
+
+The bug was introduced in commit 15d2540e0d62 ("tools: ynl: check for
+overflow of constructed messages") when refactoring from stpcpy() to
+strlen(). The original code correctly included the null terminator:
+
+ end = stpcpy(ynl_attr_data(attr), str);
+ attr->nla_len = NLA_HDRLEN + NLA_ALIGN(end -
+ (char *)ynl_attr_data(attr));
+
+Since stpcpy() returns a pointer past the null terminator, the length
+included it. The refactored version using strlen() omitted the +1.
+
+The fix also removes NLA_ALIGN() from nla_len calculation, since
+nla_len should contain actual attribute length, not aligned length.
+Alignment is only for calculating next attribute position. This makes
+the code consistent with ynl_attr_put().
+
+CTRL_ATTR_FAMILY_NAME uses NLA_NUL_STRING policy which requires
+null terminator. Kernel validates with memchr() and rejects if not
+found.
+
+Fixes: 15d2540e0d62 ("tools: ynl: check for overflow of constructed messages")
+Signed-off-by: Petr Oros
+Tested-by: Ivan Vecera
+Reviewed-by: Ivan Vecera
+Link: https://lore.kernel.org/20251018151737.365485-3-zahari.doychev@linux.com
+Link: https://patch.msgid.link/20251024132438.351290-1-poros@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/net/ynl/lib/ynl-priv.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/net/ynl/lib/ynl-priv.h b/tools/net/ynl/lib/ynl-priv.h
+index 3c09a7bbfba59..baafc66a61855 100644
+--- a/tools/net/ynl/lib/ynl-priv.h
++++ b/tools/net/ynl/lib/ynl-priv.h
+@@ -301,7 +301,7 @@ ynl_attr_put_str(struct nlmsghdr *nlh, unsigned int attr_type, const char *str)
+ struct nlattr *attr;
+ size_t len;
+
+- len = strlen(str);
++ len = strlen(str) + 1;
+ if (__ynl_attr_put_overflow(nlh, len))
+ return;
+
+@@ -309,7 +309,7 @@ ynl_attr_put_str(struct nlmsghdr *nlh, unsigned int attr_type, const char *str)
+ attr->nla_type = attr_type;
+
+ strcpy((char *)ynl_attr_data(attr), str);
+- attr->nla_len = NLA_HDRLEN + NLA_ALIGN(len);
++ attr->nla_len = NLA_HDRLEN + len;
+
+ nlh->nlmsg_len += NLMSG_ALIGN(attr->nla_len);
+ }
+--
+2.51.0
+
diff --git a/queue-6.12/usbnet-prevents-free-active-kevent.patch b/queue-6.12/usbnet-prevents-free-active-kevent.patch
new file mode 100644
index 0000000000..cac0567f20
--- /dev/null
+++ b/queue-6.12/usbnet-prevents-free-active-kevent.patch
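Review bot: ynl_attr_put_str() now bounds-checks `len = strlen(str) + 1`, but the copy in the second ynl-priv.h hunk is still `strcpy()`, which rescans the string instead of writing the length that was just validated. `memcpy(ynl_attr_data(attr), str, len);` would tie the write to the checked size. Separately, `nla_len` in `struct nlattr` is a 16-bit field, so `NLA_HDRLEN + len` truncates silently for a very long string unless `__ynl_attr_put_overflow()` already rejects that case; its body is not part of this patch, so that should be confirmed.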
@@ -0,0 +1,50 @@
+From 67cdcd4e1afdc673add2e56d29d61403a530ac86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index ccf45ca2feb56..0ff7357c3c91c 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1650,6 +1650,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+ net = dev->net;
+ unregister_netdev (net);
+
++ cancel_work_sync(&dev->kevent);
++
+ while ((urb = usb_get_from_anchor(&dev->deferred))) {
+ dev_kfree_skb(urb->context);
+ kfree(urb->sg);
+--
+2.51.0
+
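Review bot: `cancel_work_sync(&dev->kevent)` in usbnet_disconnect() only closes the window if nothing can queue the work again before `free_netdev()`, and the hunk does not show what is still live at this point (for example a status URB or the driver's unbind callback). If such sources are stopped only further down, the cancel belongs after them, otherwise the same free-of-active-object condition can recur. A short comment would also record why the call sits here: `/* kevent may have been queued at probe and never run; if the device was never up, ndo_stop() did not cancel it */`. The function continues past the end of the hunk.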
diff --git a/queue-6.12/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-6.12/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644
index 0000000000..98890fc444
--- /dev/null
+++ b/queue-6.12/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
@@ -0,0 +1,41 @@
+From dc1bfc1ea1c6ba2ebfead8b9448deeaecfb16bea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson
+Signed-off-by: Loic Poulain
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index fdab67a56e438..32754f894f0b0 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1937,6 +1937,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+ if (cmd_id == WMI_CMD_UNSUPPORTED) {
+ ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+ cmd_id);
++ dev_kfree_skb_any(skb);
+ return ret;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.12/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch b/queue-6.12/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
new file mode 100644
index 0000000000..1dc0edb5c7
--- /dev/null
+++ b/queue-6.12/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch 
@@ -0,0 +1,126 @@ +From 0d43a8784cb08d558c32c65f4a73e1c7013caa01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Sep 2025 15:21:35 -0400 +Subject: wifi: ath11k: Add missing platform IDs for quirk table + +From: Mark Pearson + +[ Upstream commit 0eb002c93c3b47f88244cecb1e356eaeab61a6bf ] + +Lenovo platforms can come with one of two different IDs. +The pm_quirk table was missing the second ID for each platform. + +Add missing ID and some extra platform identification comments. +Reported on https://bugzilla.kernel.org/show_bug.cgi?id=219196 + +Tested-on: P14s G4 AMD. + +Fixes: ce8669a27016 ("wifi: ath11k: determine PM policy based on machine model") +Signed-off-by: Mark Pearson +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219196 +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250929192146.1789648-1-mpearson-lenovo@squebb.ca +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.c | 54 +++++++++++++++++++++++--- + 1 file changed, 48 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c +index afac4a1e9a1db..735032c353b2d 100644 +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -814,42 +814,84 @@ static const struct ath11k_hw_params ath11k_hw_params[] = { + static const struct dmi_system_id ath11k_pm_quirk_table[] = { + { + .driver_data = (void *)ATH11K_PM_WOW, +- .matches = { ++ .matches = { /* X13 G4 AMD #1 */ ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21J3"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { /* X13 G4 AMD #2 */ + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "21J4"), + }, + }, + { + .driver_data = (void *)ATH11K_PM_WOW, +- .matches = { ++ .matches = { /* T14 G4 AMD #1 */ ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21K3"), ++ }, ++ }, ++ { ++ 
.driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { /* T14 G4 AMD #2 */ + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "21K4"), + }, + }, + { + .driver_data = (void *)ATH11K_PM_WOW, +- .matches = { ++ .matches = { /* P14s G4 AMD #1 */ ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21K5"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { /* P14s G4 AMD #2 */ + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "21K6"), + }, + }, + { + .driver_data = (void *)ATH11K_PM_WOW, +- .matches = { ++ .matches = { /* T16 G2 AMD #1 */ ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21K7"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { /* T16 G2 AMD #2 */ + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "21K8"), + }, + }, + { + .driver_data = (void *)ATH11K_PM_WOW, +- .matches = { ++ .matches = { /* P16s G2 AMD #1 */ ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21K9"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { /* P16s G2 AMD #2 */ + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "21KA"), + }, + }, + { + .driver_data = (void *)ATH11K_PM_WOW, +- .matches = { ++ .matches = { /* T14s G4 AMD #1 */ ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "21F8"), ++ }, ++ }, ++ { ++ .driver_data = (void *)ATH11K_PM_WOW, ++ .matches = { /* T14s G4 AMD #2 */ + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "21F9"), + }, +-- +2.51.0 + diff --git a/queue-6.12/wifi-ath11k-add-support-for-mu-edca.patch b/queue-6.12/wifi-ath11k-add-support-for-mu-edca.patch new file mode 100644 index 0000000000..8b8e09977c --- /dev/null +++ b/queue-6.12/wifi-ath11k-add-support-for-mu-edca.patch 
@@ -0,0 +1,221 @@ +From 7f07216d9ea8d7c87286dac9fadd0afc48eb7e8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jan 2025 14:13:43 +0800 +Subject: wifi: ath11k: add support for MU EDCA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yu Zhang(Yuriy) + +[ Upstream commit b78c02f7c7104f1e77ade12ebde267e6fb388ca9 ] + +The current code does not have the MU EDCA feature, so it cannot support +the use of EDCA by STA in specific UL MU HE TB PPDU transmissions. Refer +to IEEE Std 802.11ax-2021 "9.4.2.251 MU EDCA Parameter Set element", +"26.2.7 EDCA operation using MU EDCA parameters". + +Add ath11k_mac_op_conf_tx_mu_edca() to construct the MU EDCA parameters +received from mac80211 into WMI WMM parameters,and send to the firmware +according to the different WMM type flags. + +Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-04523-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 + +Signed-off-by: Yu Zhang (Yuriy) +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250124061343.2263467-1-quic_yuzha@quicinc.com +Signed-off-by: Jeff Johnson +Stable-dep-of: 9c78e747dd4f ("wifi: ath11k: avoid bit operation on key flags") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.h | 3 +- + drivers/net/wireless/ath/ath11k/mac.c | 53 +++++++++++++++++++++++++- + drivers/net/wireless/ath/ath11k/wmi.c | 11 +++--- + drivers/net/wireless/ath/ath11k/wmi.h | 10 ++++- + 4 files changed, 67 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h +index cd9f9fb6ab68e..7394b46835e1a 100644 +--- a/drivers/net/wireless/ath/ath11k/core.h ++++ b/drivers/net/wireless/ath/ath11k/core.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-3-Clause-Clear */ + /* + * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. +- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. 
++ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved. + */ + + #ifndef ATH11K_CORE_H +@@ -372,6 +372,7 @@ struct ath11k_vif { + + u16 tx_seq_no; + struct wmi_wmm_params_all_arg wmm_params; ++ struct wmi_wmm_params_all_arg muedca_params; + struct list_head list; + union { + struct { +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 9db3369d32048..3889f08822d41 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -1,7 +1,7 @@ + // SPDX-License-Identifier: BSD-3-Clause-Clear + /* + * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. +- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved. + */ + + #include +@@ -5283,6 +5283,45 @@ static int ath11k_conf_tx_uapsd(struct ath11k *ar, struct ieee80211_vif *vif, + return ret; + } + ++static int ath11k_mac_op_conf_tx_mu_edca(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ unsigned int link_id, u16 ac, ++ const struct ieee80211_tx_queue_params *params) ++{ ++ struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); ++ struct ath11k *ar = hw->priv; ++ struct wmi_wmm_params_arg *p; ++ int ret; ++ ++ switch (ac) { ++ case IEEE80211_AC_VO: ++ p = &arvif->muedca_params.ac_vo; ++ break; ++ case IEEE80211_AC_VI: ++ p = &arvif->muedca_params.ac_vi; ++ break; ++ case IEEE80211_AC_BE: ++ p = &arvif->muedca_params.ac_be; ++ break; ++ case IEEE80211_AC_BK: ++ p = &arvif->muedca_params.ac_bk; ++ break; ++ default: ++ ath11k_warn(ar->ab, "error ac: %d", ac); ++ return -EINVAL; ++ } ++ ++ p->cwmin = u8_get_bits(params->mu_edca_param_rec.ecw_min_max, GENMASK(3, 0)); ++ p->cwmax = u8_get_bits(params->mu_edca_param_rec.ecw_min_max, GENMASK(7, 4)); ++ p->aifs = u8_get_bits(params->mu_edca_param_rec.aifsn, GENMASK(3, 0)); ++ p->txop = params->mu_edca_param_rec.mu_edca_timer; ++ ++ ret = 
ath11k_wmi_send_wmm_update_cmd_tlv(ar, arvif->vdev_id, ++ &arvif->muedca_params, ++ WMI_WMM_PARAM_TYPE_11AX_MU_EDCA); ++ return ret; ++} ++ + static int ath11k_mac_op_conf_tx(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, + unsigned int link_id, u16 ac, +@@ -5321,12 +5360,22 @@ static int ath11k_mac_op_conf_tx(struct ieee80211_hw *hw, + p->txop = params->txop; + + ret = ath11k_wmi_send_wmm_update_cmd_tlv(ar, arvif->vdev_id, +- &arvif->wmm_params); ++ &arvif->wmm_params, ++ WMI_WMM_PARAM_TYPE_LEGACY); + if (ret) { + ath11k_warn(ar->ab, "failed to set wmm params: %d\n", ret); + goto exit; + } + ++ if (params->mu_edca) { ++ ret = ath11k_mac_op_conf_tx_mu_edca(hw, vif, link_id, ac, ++ params); ++ if (ret) { ++ ath11k_warn(ar->ab, "failed to set mu_edca params: %d\n", ret); ++ goto exit; ++ } ++ } ++ + ret = ath11k_conf_tx_uapsd(ar, vif, ac, params->uapsd); + + if (ret) +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index 5f7edf622de7a..98811726d33bf 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -1,7 +1,7 @@ + // SPDX-License-Identifier: BSD-3-Clause-Clear + /* + * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. +- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved. 
+ */ + #include + #include +@@ -2662,7 +2662,8 @@ int ath11k_wmi_send_scan_chan_list_cmd(struct ath11k *ar, + } + + int ath11k_wmi_send_wmm_update_cmd_tlv(struct ath11k *ar, u32 vdev_id, +- struct wmi_wmm_params_all_arg *param) ++ struct wmi_wmm_params_all_arg *param, ++ enum wmi_wmm_params_type wmm_param_type) + { + struct ath11k_pdev_wmi *wmi = ar->wmi; + struct wmi_vdev_set_wmm_params_cmd *cmd; +@@ -2681,7 +2682,7 @@ int ath11k_wmi_send_wmm_update_cmd_tlv(struct ath11k *ar, u32 vdev_id, + FIELD_PREP(WMI_TLV_LEN, sizeof(*cmd) - TLV_HDR_SIZE); + + cmd->vdev_id = vdev_id; +- cmd->wmm_param_type = 0; ++ cmd->wmm_param_type = wmm_param_type; + + for (ac = 0; ac < WME_NUM_AC; ac++) { + switch (ac) { +@@ -2714,8 +2715,8 @@ int ath11k_wmi_send_wmm_update_cmd_tlv(struct ath11k *ar, u32 vdev_id, + wmm_param->no_ack = wmi_wmm_arg->no_ack; + + ath11k_dbg(ar->ab, ATH11K_DBG_WMI, +- "wmm set ac %d aifs %d cwmin %d cwmax %d txop %d acm %d no_ack %d\n", +- ac, wmm_param->aifs, wmm_param->cwmin, ++ "wmm set type %d ac %d aifs %d cwmin %d cwmax %d txop %d acm %d no_ack %d\n", ++ wmm_param_type, ac, wmm_param->aifs, wmm_param->cwmin, + wmm_param->cwmax, wmm_param->txoplimit, + wmm_param->acm, wmm_param->no_ack); + } +diff --git a/drivers/net/wireless/ath/ath11k/wmi.h b/drivers/net/wireless/ath/ath11k/wmi.h +index 30b4b0c176826..9fcffaa2f383c 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.h ++++ b/drivers/net/wireless/ath/ath11k/wmi.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: BSD-3-Clause-Clear */ + /* + * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. +- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved. 
+ */ + + #ifndef ATH11K_WMI_H +@@ -6347,6 +6347,11 @@ enum wmi_sta_keepalive_method { + #define WMI_STA_KEEPALIVE_INTERVAL_DEFAULT 30 + #define WMI_STA_KEEPALIVE_INTERVAL_DISABLE 0 + ++enum wmi_wmm_params_type { ++ WMI_WMM_PARAM_TYPE_LEGACY = 0, ++ WMI_WMM_PARAM_TYPE_11AX_MU_EDCA = 1, ++}; ++ + const void **ath11k_wmi_tlv_parse_alloc(struct ath11k_base *ab, + struct sk_buff *skb, gfp_t gfp); + int ath11k_wmi_cmd_send(struct ath11k_pdev_wmi *wmi, struct sk_buff *skb, +@@ -6403,7 +6408,8 @@ int ath11k_wmi_send_scan_start_cmd(struct ath11k *ar, + int ath11k_wmi_send_scan_stop_cmd(struct ath11k *ar, + struct scan_cancel_param *param); + int ath11k_wmi_send_wmm_update_cmd_tlv(struct ath11k *ar, u32 vdev_id, +- struct wmi_wmm_params_all_arg *param); ++ struct wmi_wmm_params_all_arg *param, ++ enum wmi_wmm_params_type wmm_param_type); + int ath11k_wmi_pdev_suspend(struct ath11k *ar, u32 suspend_opt, + u32 pdev_id); + int ath11k_wmi_pdev_resume(struct ath11k *ar, u32 pdev_id); +-- +2.51.0 + diff --git a/queue-6.12/wifi-ath11k-avoid-bit-operation-on-key-flags.patch b/queue-6.12/wifi-ath11k-avoid-bit-operation-on-key-flags.patch new file mode 100644 index 0000000000..c26aee7982 --- /dev/null +++ b/queue-6.12/wifi-ath11k-avoid-bit-operation-on-key-flags.patch 
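Review bot: In the mac.c hunk that adds ath11k_mac_op_conf_tx_mu_edca(), the warning for an unknown access category, `ath11k_warn(ar->ab, "error ac: %d", ac);`, lacks the trailing newline that the other ath11k_warn() calls in this patch carry, so it can run into the next log line; it should read `ath11k_warn(ar->ab, "error ac: %d\n", ac);`. The tail `ret = ath11k_wmi_send_wmm_update_cmd_tlv(...); return ret;` can return the call directly and drop the local. The helper also has no comment; one line saying that it fills `arvif->muedca_params` for the given AC from `params->mu_edca_param_rec` and sends the whole set with `WMI_WMM_PARAM_TYPE_11AX_MU_EDCA` would cover it.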
@@ -0,0 +1,83 @@ +From 60bf61f1280d3c361b274af528aa416b0cf3bacf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Oct 2025 14:51:58 +0530 +Subject: wifi: ath11k: avoid bit operation on key flags + +From: Rameshkumar Sundaram + +[ Upstream commit 9c78e747dd4fee6c36fcc926212e20032055cf9d ] + +Bitwise operations with WMI_KEY_PAIRWISE (defined as 0) are ineffective +and misleading. This results in pairwise key validations added in +commit 97acb0259cc9 ("wifi: ath11k: fix group data packet drops +during rekey") to always evaluate false and clear key commands for +pairwise keys are not honored. + +Since firmware supports overwriting the new key without explicitly +clearing the previous one, there is no visible impact currently. +However, to restore consistency with the previous behavior and improve +clarity, replace bitwise operations with direct assignments and +comparisons for key flags. + +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-wireless/aLlaetkalDvWcB7b@stanley.mountain +Fixes: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey") +Signed-off-by: Rameshkumar Sundaram +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20251003092158.1080637-1-rameshkumar.sundaram@oss.qualcomm.com +[update copyright per current guidance] +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 3889f08822d41..419c9497800af 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -1,7 +1,7 @@ + // SPDX-License-Identifier: BSD-3-Clause-Clear + /* + * Copyright (c) 2018-2019 The Linux Foundation. 
All rights reserved. +- * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved. ++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries. + */ + + #include +@@ -4407,9 +4407,9 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + } + + if (key->flags & IEEE80211_KEY_FLAG_PAIRWISE) +- flags |= WMI_KEY_PAIRWISE; ++ flags = WMI_KEY_PAIRWISE; + else +- flags |= WMI_KEY_GROUP; ++ flags = WMI_KEY_GROUP; + + ath11k_dbg(ar->ab, ATH11K_DBG_MAC, + "%s for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n", +@@ -4446,7 +4446,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + + is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP && + !arvif->num_stations); +- if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) { ++ if (flags == WMI_KEY_PAIRWISE || cmd == SET_KEY || is_ap_with_no_sta) { + ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags); + if (ret) { + ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret); +@@ -4460,7 +4460,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + goto exit; + } + +- if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta) ++ if (flags == WMI_KEY_GROUP && cmd == SET_KEY && is_ap_with_no_sta) + arvif->reinstall_group_keys = true; + } + +-- +2.51.0 + diff --git a/queue-6.12/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch b/queue-6.12/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch new file mode 100644 index 0000000000..260bf5bffe --- /dev/null +++ b/queue-6.12/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch 
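Review bot: After this change `flags` in ath11k_mac_op_set_key() is used as an enumerated value (`flags == WMI_KEY_PAIRWISE`, `flags == WMI_KEY_GROUP`), while its name and the `0x%X` debug format still read like a bit mask. Any `flags |= ...` between the assignment and the two comparisons would make the equality tests miss without a warning; the lines between the hunks are not visible, so that should be checked. A comment at the assignment would keep the reason on record: `/* WMI_KEY_PAIRWISE is 0, so this is a value, not a bit mask: assign and compare with == */`.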
@@ -0,0 +1,107 @@ +From 4d2295474ebe5bb8774ac66919e2f49b5ca18faa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Sep 2025 15:03:16 -0700 +Subject: wifi: ath12k: free skb during idr cleanup callback + +From: Karthik M + +[ Upstream commit 92282074e1d2e7b6da5c05fe38a7cc974187fe14 ] + +ath12k just like ath11k [1] did not handle skb cleanup during idr +cleanup callback. Both ath12k_mac_vif_txmgmt_idr_remove() and +ath12k_mac_tx_mgmt_pending_free() performed idr cleanup and DMA +unmapping for skb but only ath12k_mac_tx_mgmt_pending_free() freed +skb. As a result, during vdev deletion a memory leak occurs. + +Refactor all clean up steps into a new function. New function +ath12k_mac_tx_mgmt_free() creates a centralized area where idr +cleanup, DMA unmapping for skb and freeing skb is performed. Utilize +skb pointer given by idr_remove(), instead of passed as a function +argument because IDR will be protected by locking. This will prevent +concurrent modification of the same IDR. + +Now ath12k_mac_tx_mgmt_pending_free() and +ath12k_mac_vif_txmgmt_idr_remove() call ath12k_mac_tx_mgmt_free(). 
+ +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 + +Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com > # [1] +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: Karthik M +Signed-off-by: Muna Sinada +Reviewed-by: Vasanthakumar Thiagarajan +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250923220316.1595758-1-muna.sinada@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 34 ++++++++++++++------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index c15eecf2a1882..8e8defddc8fa9 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -5677,23 +5677,32 @@ static void ath12k_mgmt_over_wmi_tx_drop(struct ath12k *ar, struct sk_buff *skb) + wake_up(&ar->txmgmt_empty_waitq); + } + +-int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx) ++static void ath12k_mac_tx_mgmt_free(struct ath12k *ar, int buf_id) + { +- struct sk_buff *msdu = skb; ++ struct sk_buff *msdu; + struct ieee80211_tx_info *info; +- struct ath12k *ar = ctx; +- struct ath12k_base *ab = ar->ab; + + spin_lock_bh(&ar->txmgmt_idr_lock); +- idr_remove(&ar->txmgmt_idr, buf_id); ++ msdu = idr_remove(&ar->txmgmt_idr, buf_id); + spin_unlock_bh(&ar->txmgmt_idr_lock); +- dma_unmap_single(ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len, ++ ++ if (!msdu) ++ return; ++ ++ dma_unmap_single(ar->ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len, + DMA_TO_DEVICE); + + info = IEEE80211_SKB_CB(msdu); + memset(&info->status, 0, sizeof(info->status)); + +- ath12k_mgmt_over_wmi_tx_drop(ar, skb); ++ ath12k_mgmt_over_wmi_tx_drop(ar, msdu); ++} ++ ++int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx) ++{ ++ struct ath12k *ar = ctx; ++ ++ ath12k_mac_tx_mgmt_free(ar, 
buf_id); + + return 0; + } +@@ -5702,17 +5711,10 @@ static int ath12k_mac_vif_txmgmt_idr_remove(int buf_id, void *skb, void *ctx) + { + struct ieee80211_vif *vif = ctx; + struct ath12k_skb_cb *skb_cb = ATH12K_SKB_CB(skb); +- struct sk_buff *msdu = skb; + struct ath12k *ar = skb_cb->ar; +- struct ath12k_base *ab = ar->ab; + +- if (skb_cb->vif == vif) { +- spin_lock_bh(&ar->txmgmt_idr_lock); +- idr_remove(&ar->txmgmt_idr, buf_id); +- spin_unlock_bh(&ar->txmgmt_idr_lock); +- dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len, +- DMA_TO_DEVICE); +- } ++ if (skb_cb->vif == vif) ++ ath12k_mac_tx_mgmt_free(ar, buf_id); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-don-t-mark-keys-for-inactive-links-as-.patch b/queue-6.12/wifi-mac80211-don-t-mark-keys-for-inactive-links-as-.patch new file mode 100644 index 0000000000..34243bd368 --- /dev/null +++ b/queue-6.12/wifi-mac80211-don-t-mark-keys-for-inactive-links-as-.patch 
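Review bot: ath12k_mac_tx_mgmt_free() now acts on the skb returned by `idr_remove()` under `txmgmt_idr_lock`, but ath12k_mac_vif_txmgmt_idr_remove() still dereferences the callback's `skb` argument (`skb_cb->vif`, `skb_cb->ar`) before that lock is taken. If another path can remove and free the same `buf_id` concurrently, which the new `if (!msdu) return;` suggests is expected, that unlocked read may hit a buffer that is already gone; the callers of both callbacks are outside the patch, so this needs confirming. The `skb` parameter of ath12k_mac_tx_mgmt_pending_free() is now unused and worth a note, and a header comment on ath12k_mac_tx_mgmt_free() should say that it is a no-op for an id that was already removed and that it also drops the frame through ath12k_mgmt_over_wmi_tx_drop(), which the vif path did not do before.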
@@ -0,0 +1,41 @@
+From beec878ef36a711e3924a453b3c8d828a521b297 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jul 2025 23:38:00 +0300
+Subject: wifi: mac80211: don't mark keys for inactive links as uploaded
+
+From: Miri Korenblit
+
+[ Upstream commit 63df3956903748c5f374a0dfe7a89490714a4625 ]
+
+During resume, the driver can call ieee80211_add_gtk_rekey for keys that
+are not programmed into the device, e.g. keys of inactive links.
+Don't mark such a key as uploaded to avoid removing it later from the
+driver/device.
+
+Reviewed-by: Johannes Berg
+Signed-off-by: Miri Korenblit
+Link: https://patch.msgid.link/20250709233537.655094412b0b.Iacae31af3ba2a705da0a9baea976c2f799d65dc4@changeid
+Signed-off-by: Johannes Berg
+Stable-dep-of: ed6a47346ec6 ("wifi: mac80211: fix key tailroom accounting leak")
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/key.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 67ecfea229829..7809fac6bae5d 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -510,7 +510,8 @@ static int ieee80211_key_replace(struct ieee80211_sub_if_data *sdata,
+ } else {
+ if (!new->local->wowlan)
+ ret = ieee80211_key_enable_hw_accel(new);
+- else
++ else if (link_id < 0 || !sdata->vif.active_links ||
++ BIT(link_id) & sdata->vif.active_links)
+ new->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.12/wifi-mac80211-fix-key-tailroom-accounting-leak.patch b/queue-6.12/wifi-mac80211-fix-key-tailroom-accounting-leak.patch
new file mode 100644
index 0000000000..9dc47d1ea3
--- /dev/null
+++ b/queue-6.12/wifi-mac80211-fix-key-tailroom-accounting-leak.patch
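Review bot: The new condition `link_id < 0 || !sdata->vif.active_links || BIT(link_id) & sdata->vif.active_links` relies on `&` binding tighter than `||`; it is correct as written, but I would parenthesise the last term as `(BIT(link_id) & sdata->vif.active_links)` so the intent does not depend on precedence. The same expression is carried unchanged into the follow-up patch wifi-mac80211-fix-key-tailroom-accounting-leak.patch. Only a `link_id < 0` guard is visible, so an upper bound on `link_id` before the shift has to come from code outside this hunk; ieee80211_key_replace() starts and ends outside it.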
@@ -0,0 +1,52 @@
+From 17594920df1f80255dfb84a949a3bfa248f76acd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 19 Oct 2025 11:54:27 +0300
+Subject: wifi: mac80211: fix key tailroom accounting leak
+
+From: Johannes Berg
+
+[ Upstream commit ed6a47346ec69e7f1659e0a1a3558293f60d5dd7 ]
+
+For keys added by ieee80211_gtk_rekey_add(), we assume that
+they're already present in the hardware and set the flag
+KEY_FLAG_UPLOADED_TO_HARDWARE. However, setting this flag
+needs to be paired with decrementing the tailroom needed,
+which was missed.
+
+Fixes: f52a0b408ed1 ("wifi: mac80211: mark keys as uploaded when added by the driver")
+Signed-off-by: Johannes Berg
+Signed-off-by: Miri Korenblit
+Link: https://patch.msgid.link/20251019115358.c88eafb4083e.I69e9d4d78a756a133668c55b5570cf15a4b0e6a4@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/key.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 7809fac6bae5d..b679ef23d28fd 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -508,11 +508,16 @@ static int ieee80211_key_replace(struct ieee80211_sub_if_data *sdata,
+ ret = ieee80211_key_enable_hw_accel(new);
+ }
+ } else {
+- if (!new->local->wowlan)
++ if (!new->local->wowlan) {
+ ret = ieee80211_key_enable_hw_accel(new);
+- else if (link_id < 0 || !sdata->vif.active_links ||
+- BIT(link_id) & sdata->vif.active_links)
++ } else if (link_id < 0 || !sdata->vif.active_links ||
++ BIT(link_id) & sdata->vif.active_links) {
+ new->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE;
++ if (!(new->conf.flags & (IEEE80211_KEY_FLAG_GENERATE_MMIC |
++ IEEE80211_KEY_FLAG_PUT_MIC_SPACE |
++ IEEE80211_KEY_FLAG_RESERVE_TAILROOM)))
++ decrease_tailroom_need_count(sdata, 1);
++ }
+ }
+
+ if (ret)
+--
+2.51.0
+
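Review bot: The new decrement in ieee80211_key_replace() open-codes a three-flag test (`IEEE80211_KEY_FLAG_GENERATE_MMIC | IEEE80211_KEY_FLAG_PUT_MIC_SPACE | IEEE80211_KEY_FLAG_RESERVE_TAILROOM`) with no comment saying which accounting step it balances, so a later change to the set of flags that still need tailroom could leave this branch out of step and bring back the leak the commit fixes. If the same mask is tested elsewhere in key.c (not visible in this hunk), a small shared helper would keep the copies together; otherwise a one-line comment is enough, e.g. `/* key is treated as already in hardware: drop the tailroom need unless the driver still asks for tailroom */`. The function body starts and ends outside the hunk.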
diff --git a/queue-6.17/acpi-mrrm-check-revision-of-mrrm-table.patch b/queue-6.17/acpi-mrrm-check-revision-of-mrrm-table.patch
new file mode 100644
index 0000000000..b79e00c842
--- /dev/null
+++ b/queue-6.17/acpi-mrrm-check-revision-of-mrrm-table.patch
@@ -0,0 +1,38 @@
+From 105827c3bd2a7b90aed928f45e4c8f01f0508bf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 13:45:23 -0700
+Subject: ACPI: MRRM: Check revision of MRRM table
+
+From: Tony Luck
+
+[ Upstream commit dc131bcd8d9219f7da533918abcb0d32951b7702 ]
+
+Before trying to parse the MRRM table, check that the table revision
+is the one that is expected.
+
+Fixes: b9020bdb9f76 ("ACPI: MRRM: Minimal parse of ACPI MRRM table")
+Signed-off-by: Tony Luck
+Link: https://patch.msgid.link/20251022204523.10752-1-tony.luck@intel.com
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpi_mrrm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/acpi_mrrm.c b/drivers/acpi/acpi_mrrm.c
+index 47ea3ccc21424..a6dbf623e5571 100644
+--- a/drivers/acpi/acpi_mrrm.c
++++ b/drivers/acpi/acpi_mrrm.c
+@@ -63,6 +63,9 @@ static __init int acpi_parse_mrrm(struct acpi_table_header *table)
+ if (!mrrm)
+ return -ENODEV;
+
++ if (mrrm->header.revision != 1)
++ return -EINVAL;
++
+ if (mrrm->flags & ACPI_MRRM_FLAGS_REGION_ASSIGNMENT_OS)
+ return -EOPNOTSUPP;
+
+--
+2.51.0
+
diff --git a/queue-6.17/alsa-usb-audio-add-mono-main-switch-to-presonus-s182.patch b/queue-6.17/alsa-usb-audio-add-mono-main-switch-to-presonus-s182.patch
new file mode 100644
index 0000000000..5e4d3f73f6
--- /dev/null
+++ b/queue-6.17/alsa-usb-audio-add-mono-main-switch-to-presonus-s182.patch
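Review bot: In acpi_parse_mrrm() the added check compares `mrrm->header.revision` with a bare `1` and returns -EINVAL without logging, so on a platform whose firmware ships a different MRRM revision the table is skipped with nothing in the log to say why. A named constant for the supported revision and one message would make the rejection diagnosable, e.g. `pr_info("MRRM: unsupported table revision %u\n", mrrm->header.revision);` before the return. The function continues outside the hunk, so whether the caller already reports the error code is not visible here.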
@@ -0,0 +1,81 @@
+From 2d50629034d38ba445cfd96a6ab5fcd2e0a07d88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 27 Sep 2025 17:27:30 +0200
+Subject: ALSA: usb-audio: add mono main switch to Presonus S1824c
+
+From: Roy Vegard Ovesen
+
+[ Upstream commit 659169c4eb21f8d9646044a4f4e1bc314f6f9d0c ]
+
+The 1824c does not have the A/B switch that the 1810c has,
+but instead it has a mono main switch that sums the two
+main output channels to mono.
+
+Signed-off-by: Roy Vegard Ovesen
+Signed-off-by: Takashi Iwai
+Stable-dep-of: 75cdae446ddf ("ALSA: usb-audio: don't log messages meant for 1810c when initializing 1824c")
+Signed-off-by: Sasha Levin
+---
+ sound/usb/mixer_s1810c.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index 65bdda0841048..2413a6d96971c 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -93,6 +93,7 @@ struct s1810c_ctl_packet {
+
+ #define SC1810C_CTL_LINE_SW 0
+ #define SC1810C_CTL_MUTE_SW 1
++#define SC1824C_CTL_MONO_SW 2
+ #define SC1810C_CTL_AB_SW 3
+ #define SC1810C_CTL_48V_SW 4
+
+@@ -123,6 +124,7 @@ struct s1810c_state_packet {
+ #define SC1810C_STATE_48V_SW 58
+ #define SC1810C_STATE_LINE_SW 59
+ #define SC1810C_STATE_MUTE_SW 60
++#define SC1824C_STATE_MONO_SW 61
+ #define SC1810C_STATE_AB_SW 62
+
+ struct s1810_mixer_state {
+@@ -502,6 +504,15 @@ static const struct snd_kcontrol_new snd_s1810c_mute_sw = {
+ .private_value = (SC1810C_STATE_MUTE_SW | SC1810C_CTL_MUTE_SW << 8)
+ };
+
++static const struct snd_kcontrol_new snd_s1824c_mono_sw = {
++ .iface = SNDRV_CTL_ELEM_IFACE_MIXER,
++ .name = "Mono Main Out Switch",
++ .info = snd_ctl_boolean_mono_info,
++ .get = snd_s1810c_switch_get,
++ .put = snd_s1810c_switch_set,
++ .private_value = (SC1824C_STATE_MONO_SW | SC1824C_CTL_MONO_SW << 8)
++};
++
+ static const struct snd_kcontrol_new snd_s1810c_48v_sw = {
+ .iface = SNDRV_CTL_ELEM_IFACE_MIXER,
+ .name = "48V Phantom Power On Mic Inputs Switch",
+@@ -588,8 +599,17 @@ int snd_sc1810_init_mixer(struct usb_mixer_interface *mixer)
+ if (ret < 0)
+ return ret;
+
+- ret = snd_s1810c_switch_init(mixer, &snd_s1810c_ab_sw);
+- if (ret < 0)
+- return ret;
++ // The 1824c has a Mono Main switch instead of a
++ // A/B select switch.
++ if (mixer->chip->usb_id == USB_ID(0x194f, 0x010d)) {
++ ret = snd_s1810c_switch_init(mixer, &snd_s1824c_mono_sw);
++ if (ret < 0)
++ return ret;
++ } else if (mixer->chip->usb_id == USB_ID(0x194f, 0x010c)) {
++ ret = snd_s1810c_switch_init(mixer, &snd_s1810c_ab_sw);
++ if (ret < 0)
++ return ret;
++ }
++
+ return ret;
+ }
+--
+2.51.0
+
diff --git a/queue-6.17/alsa-usb-audio-don-t-log-messages-meant-for-1810c-wh.patch b/queue-6.17/alsa-usb-audio-don-t-log-messages-meant-for-1810c-wh.patch
new file mode 100644
index 0000000000..b8dcc21852
--- /dev/null
+++ b/queue-6.17/alsa-usb-audio-don-t-log-messages-meant-for-1810c-wh.patch
@@ -0,0 +1,84 @@
+From 1a3ebf8f884e6c516c3a299585d1602c0bb10fd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 22:15:08 +0200
+Subject: ALSA: usb-audio: don't log messages meant for 1810c when initializing
+ 1824c
+
+From: Roy Vegard Ovesen
+
+[ Upstream commit 75cdae446ddffe0a6a991bbb146dee51d9d4c865 ]
+
+The log messages for the PreSonus STUDIO 1810c about
+device_setup are not applicable to the 1824c, and should
+not be logged when 1824c initializes.
+
+Refactor from if statement to switch statement as there
+might be more STUDIO series devices added later.
+
+Fixes: 080564558eb1 ("ALSA: usb-audio: enable support for Presonus Studio 1824c within 1810c file")
+Signed-off-by: Roy Vegard Ovesen
+Link: https://patch.msgid.link/aPaYTP7ceuABf8c7@ark
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/mixer_s1810c.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index 2413a6d96971c..5b187f89c7f8e 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -562,15 +562,6 @@ int snd_sc1810_init_mixer(struct usb_mixer_interface *mixer)
+ if (!list_empty(&chip->mixer_list))
+ return 0;
+
+- dev_info(&dev->dev,
+- "Presonus Studio 1810c, device_setup: %u\n", chip->setup);
+- if (chip->setup == 1)
+- dev_info(&dev->dev, "(8out/18in @ 48kHz)\n");
+- else if (chip->setup == 2)
+- dev_info(&dev->dev, "(6out/8in @ 192kHz)\n");
+- else
+- dev_info(&dev->dev, "(8out/14in @ 96kHz)\n");
+-
+ ret = snd_s1810c_init_mixer_maps(chip);
+ if (ret < 0)
+ return ret;
+@@ -599,16 +590,28 @@ int snd_sc1810_init_mixer(struct usb_mixer_interface *mixer)
+ if (ret < 0)
+ return ret;
+
+- // The 1824c has a Mono Main switch instead of a
+- // A/B select switch.
+- if (mixer->chip->usb_id == USB_ID(0x194f, 0x010d)) {
+- ret = snd_s1810c_switch_init(mixer, &snd_s1824c_mono_sw);
++ switch (chip->usb_id) {
++ case USB_ID(0x194f, 0x010c): /* Presonus Studio 1810c */
++ dev_info(&dev->dev,
++ "Presonus Studio 1810c, device_setup: %u\n", chip->setup);
++ if (chip->setup == 1)
++ dev_info(&dev->dev, "(8out/18in @ 48kHz)\n");
++ else if (chip->setup == 2)
++ dev_info(&dev->dev, "(6out/8in @ 192kHz)\n");
++ else
++ dev_info(&dev->dev, "(8out/14in @ 96kHz)\n");
++
++ ret = snd_s1810c_switch_init(mixer, &snd_s1810c_ab_sw);
+ if (ret < 0)
+ return ret;
+- } else if (mixer->chip->usb_id == USB_ID(0x194f, 0x010c)) {
+- ret = snd_s1810c_switch_init(mixer, &snd_s1810c_ab_sw);
++
++ break;
++ case USB_ID(0x194f, 0x010d): /* Presonus Studio 1824c */
++ ret = snd_s1810c_switch_init(mixer, &snd_s1824c_mono_sw);
+ if (ret < 0)
+ return ret;
++
++ break;
+ }
+
+ return ret;
+--
+2.51.0
+
diff --git a/queue-6.17/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-6.17/alsa-usb-audio-fix-control-pipe-direction.patch
new file mode 100644
index 0000000000..b23d77dd67
--- /dev/null
+++ b/queue-6.17/alsa-usb-audio-fix-control-pipe-direction.patch
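Review bot: The new `switch (chip->usb_id)` in snd_sc1810_init_mixer() has no `default:` case, so a device that reaches this function with any other ID gets neither the A/B nor the Mono Main control and nothing is logged. The commit message expects more STUDIO models to be added later, which is exactly when a silent fall-through is easiest to miss; an explicit `default: break;` with a short comment, or a `dev_warn()` if that path is not expected, would document the intent. The raw `USB_ID(0x194f, ...)` values are also repeated from the earlier if/else and would read better as named macros. The function starts outside the hunk.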
@@ -0,0 +1,37 @@
+From bdd1ce4cf630778f463ea1fbe1c1ac93c53784c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 19:18:22 +0200
+Subject: ALSA: usb-audio: fix control pipe direction
+
+From: Roy Vegard Ovesen
+
+[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ]
+
+Since the requesttype has USB_DIR_OUT the pipe should be
+constructed with usb_sndctrlpipe().
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Signed-off-by: Roy Vegard Ovesen
+Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/mixer_s1810c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c
+index fac4bbc6b2757..65bdda0841048 100644
+--- a/sound/usb/mixer_s1810c.c
++++ b/sound/usb/mixer_s1810c.c
+@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev,
+
+ pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1;
+ pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2;
+- ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0),
++ ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
+ SC1810C_SET_STATE_REQ,
+ SC1810C_SET_STATE_REQTYPE,
+ (*seqnum), 0, &pkt_out, sizeof(pkt_out));
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch b/queue-6.17/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch
new file mode 100644
index 0000000000..9cec687e49
--- /dev/null
+++ b/queue-6.17/asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch
@@ -0,0 +1,38 @@
+From 1228c95afb6fcf2568d4136c2d5f502915519ca9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Oct 2025 10:48:44 +0100
+Subject: ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h
+
+From: Richard Fitzgerald
+
+[ Upstream commit ec20584f25233bfe292c8e18f9a429dfaff58a49 ]
+
+cs-amp-lib-test uses functions from kunit/test-bug.h but wasn't
+including it.
+
+This error was found by smatch.
+
+Fixes: 177862317a98 ("ASoC: cs-amp-lib: Add KUnit test for calibration helpers")
+Signed-off-by: Richard Fitzgerald
+Link: https://patch.msgid.link/20251016094844.92796-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs-amp-lib-test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/cs-amp-lib-test.c b/sound/soc/codecs/cs-amp-lib-test.c
+index f53650128fc3d..a1a9758a73eb6 100644
+--- a/sound/soc/codecs/cs-amp-lib-test.c
++++ b/sound/soc/codecs/cs-amp-lib-test.c
+@@ -7,6 +7,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-fsl_micfil-correct-the-endian-format-for-dsd.patch b/queue-6.17/asoc-fsl_micfil-correct-the-endian-format-for-dsd.patch
new file mode 100644
index 0000000000..c4684fcb69
--- /dev/null
+++ b/queue-6.17/asoc-fsl_micfil-correct-the-endian-format-for-dsd.patch
@@ -0,0 +1,47 @@
+From aa3f800397e157dd4bbfd50586114ad0fd581171 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 14:45:38 +0800
+Subject: ASoC: fsl_micfil: correct the endian format for DSD
+
+From: Shengjiu Wang
+
+[ Upstream commit ba3a5e1aeaa01ea67067d725710a839114214fc6 ]
+
+The DSD format supported by micfil is that oldest bit is in bit 31, so
+the format should be DSD little endian format.
+
+Fixes: 21aa330fec31 ("ASoC: fsl_micfil: Add decimation filter bypass mode support")
+Signed-off-by: Shengjiu Wang
+Reviewed-by: Daniel Baluta
+Link: https://patch.msgid.link/20251023064538.368850-3-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_micfil.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index aabd90a8b3eca..cac26ba0aa4b0 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -131,7 +131,7 @@ static struct fsl_micfil_soc_data fsl_micfil_imx943 = {
+ .fifos = 8,
+ .fifo_depth = 32,
+ .dataline = 0xf,
+- .formats = SNDRV_PCM_FMTBIT_S32_LE | SNDRV_PCM_FMTBIT_DSD_U32_BE,
++ .formats = SNDRV_PCM_FMTBIT_S32_LE | SNDRV_PCM_FMTBIT_DSD_U32_LE,
+ .use_edma = true,
+ .use_verid = true,
+ .volume_sx = false,
+@@ -823,7 +823,7 @@ static int fsl_micfil_hw_params(struct snd_pcm_substream *substream,
+ break;
+ }
+
+- if (format == SNDRV_PCM_FORMAT_DSD_U32_BE) {
++ if (format == SNDRV_PCM_FORMAT_DSD_U32_LE) {
+ micfil->dec_bypass = true;
+ /*
+ * According to equation 29 in RM:
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch b/queue-6.17/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
new file mode 100644
index 0000000000..2f197f4573
--- /dev/null
+++ b/queue-6.17/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
@@ -0,0 +1,46 @@
+From 26c1a8a091b0736a5de0819eab8725a7c36a7aec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 14:45:37 +0800
+Subject: ASoC: fsl_sai: fix bit order for DSD format
+
+From: Shengjiu Wang
+
+[ Upstream commit d9fbe5b0bf7e2d1e20d53e4e2274f9f61bdcca98 ]
+
+The DSD little endian format requires the msb first, because oldest bit
+is in msb.
+found this issue by testing with pipewire.
+
+Fixes: c111c2ddb3fd ("ASoC: fsl_sai: Add PDM daifmt support")
+Signed-off-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251023064538.368850-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_sai.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index d0367b21f7757..6c0ae4b33aa4f 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -353,7 +353,6 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+ break;
+ case SND_SOC_DAIFMT_PDM:
+ val_cr2 |= FSL_SAI_CR2_BCP;
+- val_cr4 &= ~FSL_SAI_CR4_MF;
+ sai->is_pdm_mode = true;
+ break;
+ case SND_SOC_DAIFMT_RIGHT_J:
+@@ -638,7 +637,7 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+ val_cr5 |= FSL_SAI_CR5_WNW(slot_width);
+ val_cr5 |= FSL_SAI_CR5_W0W(slot_width);
+
+- if (sai->is_lsb_first || sai->is_pdm_mode)
++ if (sai->is_lsb_first)
+ val_cr5 |= FSL_SAI_CR5_FBT(0);
+ else
+ val_cr5 |= FSL_SAI_CR5_FBT(word_width - 1);
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch b/queue-6.17/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch
new file mode 100644
index 0000000000..cc1fddc144
--- /dev/null
+++ b/queue-6.17/asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch
@@ -0,0 +1,61 @@
+From 61397afc1db1733d17c24a3fac31935488daf531 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Oct 2025 15:57:15 +0200
+Subject: ASoC: fsl_sai: Fix sync error in consumer mode
+
+From: Maarten Zanders
+
+[ Upstream commit b2dd1d0d322dce5f331961c927e775b84014d5ab ]
+
+When configured for default synchronisation (Rx syncs to Tx) and the
+SAI operates in consumer mode (clocks provided externally to Tx), a
+synchronisation error occurs on Tx on the first attempt after device
+initialisation when the playback stream is started while a capture
+stream is already active. This results in channel shift/swap on the
+playback stream.
+Subsequent streams (ie after that first failing one) always work
+correctly, no matter the order, with or without the other stream active.
+
+This issue was observed (and fix tested) on an i.MX6UL board connected
+to an ADAU1761 codec, where the codec provides both frame and bit clock
+(connected to TX pins).
+
+To fix this, always initialize the 'other' xCR4 and xCR5 registers when
+we're starting a stream which is synced to the opposite one, irregardless
+of the producer/consumer status.
+
+Fixes: 51659ca069ce ("ASoC: fsl-sai: set xCR4/xCR5/xMR for SAI master mode")
+
+Signed-off-by: Maarten Zanders
+Reviewed-by: Shengjiu Wang
+Link: https://patch.msgid.link/20251024135716.584265-1-maarten@zanders.be
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl_sai.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 6c0ae4b33aa4f..b6c72c4bd3cd3 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -652,12 +652,12 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream,
+ val_cr4 |= FSL_SAI_CR4_CHMOD;
+
+ /*
+- * For SAI provider mode, when Tx(Rx) sync with Rx(Tx) clock, Rx(Tx) will
+- * generate bclk and frame clock for Tx(Rx), we should set RCR4(TCR4),
+- * RCR5(TCR5) for playback(capture), or there will be sync error.
++ * When Tx(Rx) sync with Rx(Tx) clock, Rx(Tx) will provide bclk and
++ * frame clock for Tx(Rx). We should set RCR4(TCR4), RCR5(TCR5)
++ * for playback(capture), or there will be sync error.
+ */
+
+- if (!sai->is_consumer_mode[tx] && fsl_sai_dir_is_synced(sai, adir)) {
++ if (fsl_sai_dir_is_synced(sai, adir)) {
+ regmap_update_bits(sai->regmap, FSL_SAI_xCR4(!tx, ofs),
+ FSL_SAI_CR4_SYWD_MASK | FSL_SAI_CR4_FRSZ_MASK |
+ FSL_SAI_CR4_CHMOD_MASK,
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch b/queue-6.17/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch
new file mode 100644
index 0000000000..eb1cbe201a
--- /dev/null
+++ b/queue-6.17/asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch
@@ -0,0 +1,38 @@
+From 2f61b93dd82ce0792fc9b46a4d93447407d5e34f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 11:23:47 +0200
+Subject: ASoC: Intel: avs: Disable periods-elapsed work when closing PCM
+
+From: Cezary Rojewski
+
+[ Upstream commit 845f716dc5f354c719f6fda35048b6c2eca99331 ]
+
+avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio
+stream while period-elapsed work services its IRQs. As the former
+frees the DAI's private context, these two operations shall be
+synchronized to avoid slab-use-after-free or worse errors.
+
+Fixes: 0dbb186c3510 ("ASoC: Intel: avs: Update stream status in a separate thread")
+Signed-off-by: Cezary Rojewski
+Link: https://patch.msgid.link/20251023092348.3119313-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/intel/avs/pcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 0d7862910eedd..0180cf7d5fe15 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -651,6 +651,7 @@ static void avs_dai_fe_shutdown(struct snd_pcm_substream *substream, struct snd_
+
+ data = snd_soc_dai_get_dma_data(dai, substream);
+
++ disable_work_sync(&data->period_elapsed_work);
+ snd_hdac_ext_stream_release(data->host_stream, HDAC_EXT_STREAM_TYPE_HOST);
+ avs_dai_shutdown(substream, dai);
+ }
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch b/queue-6.17/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
new file mode 100644
index 0000000000..7a74d090bd
--- /dev/null
+++ b/queue-6.17/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
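Review bot: The position of `disable_work_sync(&data->period_elapsed_work);` in avs_dai_fe_shutdown() is what closes the use-after-free described in the commit message, but the code carries no comment saying so, and a later reorder that moves it below `avs_dai_shutdown()` would bring the race back. I would add `/* Stop the period-elapsed worker before the stream is released and data is freed; the worker dereferences data. */` above the call. That the worker uses `data` and that `avs_dai_shutdown()` frees it is taken from the commit message and is not visible in this hunk.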
@@ -0,0 +1,40 @@
+From d828fd37ac75e9fe8e5d60f681f35f179fa410eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 11:23:46 +0200
+Subject: ASoC: Intel: avs: Unprepare a stream when XRUN occurs
+
+From: Cezary Rojewski
+
+[ Upstream commit cfca1637bc2b6b1e4f191d2f0b25f12402fbbb26 ]
+
+The pcm->prepare() function may be called multiple times in a row by the
+userspace, as mentioned in the documentation. The driver shall take that
+into account and prevent redundancy. However, the exact same function is
+called during XRUNs and in such case, the particular stream shall be
+reset and setup anew.
+
+Fixes: 9114700b496c ("ASoC: Intel: avs: Generic PCM FE operations")
+Signed-off-by: Cezary Rojewski
+Link: https://patch.msgid.link/20251023092348.3119313-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/intel/avs/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c
+index 67ce6675eea75..0d7862910eedd 100644
+--- a/sound/soc/intel/avs/pcm.c
++++ b/sound/soc/intel/avs/pcm.c
+@@ -754,6 +754,8 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so
+ data = snd_soc_dai_get_dma_data(dai, substream);
+ host_stream = data->host_stream;
+
++ if (runtime->state == SNDRV_PCM_STATE_XRUN)
++ hdac_stream(host_stream)->prepared = false;
+ if (hdac_stream(host_stream)->prepared)
+ return 0;
+
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-mediatek-fix-double-pm_runtime_disable-in-remov.patch b/queue-6.17/asoc-mediatek-fix-double-pm_runtime_disable-in-remov.patch
new file mode 100644
index 0000000000..a31a2729ac
--- /dev/null
+++ b/queue-6.17/asoc-mediatek-fix-double-pm_runtime_disable-in-remov.patch
@@ -0,0 +1,55 @@
+From a25f4c1fab3fd2bb68b2b861bbddf02a6629fca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 01:04:40 +0800
+Subject: ASoC: mediatek: Fix double pm_runtime_disable in remove functions
+
+From: Haotian Zhang
+
+[ Upstream commit 79a6f2da168543c0431ade57428f673c19c5b72f ]
+
+Both mt8195-afe-pcm and mt8365-afe-pcm drivers use devm_pm_runtime_enable()
+in probe function, which automatically calls pm_runtime_disable() on device
+removal via devres mechanism. However, the remove callbacks explicitly call
+pm_runtime_disable() again, resulting in double pm_runtime_disable() calls.
+
+Fix by removing the redundant pm_runtime_disable() calls from remove
+functions, letting the devres framework handle it automatically.
+
+Fixes: 2ca0ec01d49c ("ASoC: mediatek: mt8195-afe-pcm: Simplify runtime PM during probe")
+Fixes: e1991d102bc2 ("ASoC: mediatek: mt8365: Add the AFE driver support")
+Signed-off-by: Haotian Zhang
+Link: https://patch.msgid.link/20251020170440.585-1-vulab@iscas.ac.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/mediatek/mt8195/mt8195-afe-pcm.c | 1 -
+ sound/soc/mediatek/mt8365/mt8365-afe-pcm.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c
+index 5d025ad72263f..c63b3444bc176 100644
+--- a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c
++++ b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c
+@@ -3176,7 +3176,6 @@ static int mt8195_afe_pcm_dev_probe(struct platform_device *pdev)
+
+ static void mt8195_afe_pcm_dev_remove(struct platform_device *pdev)
+ {
+- pm_runtime_disable(&pdev->dev);
+ if (!pm_runtime_status_suspended(&pdev->dev))
+ mt8195_afe_runtime_suspend(&pdev->dev);
+ }
+diff --git a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c
+index 10793bbe9275d..d48252cd96ac4 100644
+--- a/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c
++++ b/sound/soc/mediatek/mt8365/mt8365-afe-pcm.c
+@@ -2238,7 +2238,6 @@ static void mt8365_afe_pcm_dev_remove(struct platform_device *pdev)
+
+ mt8365_afe_disable_top_cg(afe, MT8365_TOP_CG_AFE);
+
+- pm_runtime_disable(&pdev->dev);
+ if (!pm_runtime_status_suspended(&pdev->dev))
+ mt8365_afe_runtime_suspend(&pdev->dev);
+ }
+--
+2.51.0
+
diff --git a/queue-6.17/asoc-soc_sdw_utils-remove-cs42l43-component_name.patch b/queue-6.17/asoc-soc_sdw_utils-remove-cs42l43-component_name.patch
new file mode 100644
index 0000000000..e717067a5f
--- /dev/null
+++ b/queue-6.17/asoc-soc_sdw_utils-remove-cs42l43-component_name.patch
@@ -0,0 +1,42 @@
+From 43a7d516ad4d533564f98178085754b10e320a67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Oct 2025 22:00:12 +0800
+Subject: ASoC: soc_sdw_utils: remove cs42l43 component_name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao
+
+[ Upstream commit 45f5c9eec43a9bf448f46562f146810831916cc9 ]
+
+"spk:cs42l43-spk" component string will be added conditionally by
+asoc_sdw_cs42l43_spk_rtd_init(). We should not add "spk:cs42l43"
+unconditionally.
+
+Fixes: c61da55412a0 ("ASoC: sdw_utils: Add missed component_name strings for speaker amps")
+Signed-off-by: Bard Liao
+Reviewed-by: Péter Ujfalusi
+Reviewed-by: Charles Keepax
+Link: https://patch.msgid.link/20251027140012.966306-1-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/sdw_utils/soc_sdw_utils.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/sdw_utils/soc_sdw_utils.c b/sound/soc/sdw_utils/soc_sdw_utils.c
+index 1580331cd34c5..0c95700b8715a 100644
+--- a/sound/soc/sdw_utils/soc_sdw_utils.c
++++ b/sound/soc/sdw_utils/soc_sdw_utils.c
+@@ -600,7 +600,6 @@ struct asoc_sdw_codec_info codec_info_list[] = {
+ {
+ .direction = {true, false},
+ .dai_name = "cs42l43-dp6",
+- .component_name = "cs42l43",
+ .dai_type = SOC_SDW_DAI_TYPE_AMP,
+ .dailink = {SOC_SDW_AMP_OUT_DAI_ID, SOC_SDW_UNUSED_DAI_ID},
+ .init = asoc_sdw_cs42l43_spk_init,
+--
+2.51.0
+
diff --git a/queue-6.17/bluetooth-btintel_pcie-fix-event-packet-loss-issue.patch b/queue-6.17/bluetooth-btintel_pcie-fix-event-packet-loss-issue.patch
new file mode 100644
index 0000000000..69251f4286
--- /dev/null
+++ b/queue-6.17/bluetooth-btintel_pcie-fix-event-packet-loss-issue.patch
@@ -0,0 +1,81 @@
+From 005a3b1ee485d145e8e411511f6efeb6005529f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Oct 2025 10:00:43 +0530
+Subject: Bluetooth: btintel_pcie: Fix event packet loss issue
+
+From: Kiran K
+
+[ Upstream commit 057b6ca5961203f16a2a02fb0592661a7a959a84 ]
+
+In the current btintel_pcie driver implementation, when an interrupt is
+received, the driver checks for the alive cause before the TX/RX cause.
+Handling the alive cause involves resetting the TX/RX queue indices.
+This flow works correctly when the causes are mutually exclusive.
+However, if both cause bits are set simultaneously, the alive cause
+resets the queue indices, resulting in an event packet drop and a
+command timeout. To fix this issue, the driver is modified to handle all
+other causes before checking for the alive cause.
+
+Test case:
+Issue is seen with stress reboot scenario - 50x run
+
+[20.337589] Bluetooth: hci0: Device revision is 0
+[20.346750] Bluetooth: hci0: Secure boot is enabled
+[20.346752] Bluetooth: hci0: OTP lock is disabled
+[20.346752] Bluetooth: hci0: API lock is enabled
+[20.346752] Bluetooth: hci0: Debug lock is disabled
+[20.346753] Bluetooth: hci0: Minimum firmware build 1 week 10 2014
+[20.346754] Bluetooth: hci0: Bootloader timestamp 2023.43 buildtype 1 build 11631
+[20.359070] Bluetooth: hci0: Found device firmware: intel/ibt-00a0-00a1-iml.sfi
+[20.371499] Bluetooth: hci0: Boot Address: 0xb02ff800
+[20.385769] Bluetooth: hci0: Firmware Version: 166-34.25
+[20.538257] Bluetooth: hci0: Waiting for firmware download to complete
+[20.554424] Bluetooth: hci0: Firmware loaded in 178651 usecs
+[21.081588] Bluetooth: hci0: Timeout (500 ms) on tx completion
+[21.096541] Bluetooth: hci0: Failed to send frame (-62)
+[21.110240] Bluetooth: hci0: sending frame failed (-62)
+[21.138551] Bluetooth: hci0: Failed to send Intel Reset command
+[21.170153] Bluetooth: hci0: Intel Soft Reset failed (-62)
+
+Signed-off-by: Kiran K
+Signed-off-by: Sai Teja Aluvala
+Reviewed-by: Paul Menzel
+Fixes: c2b636b3f788 ("Bluetooth: btintel_pcie: Add support for PCIe transport")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btintel_pcie.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
+index 585de143ab255..562acaf023f55 100644
+--- a/drivers/bluetooth/btintel_pcie.c
++++ b/drivers/bluetooth/btintel_pcie.c
+@@ -1462,11 +1462,6 @@ static irqreturn_t btintel_pcie_irq_msix_handler(int irq, void *dev_id)
+ if (intr_hw & BTINTEL_PCIE_MSIX_HW_INT_CAUSES_GP1)
+ btintel_pcie_msix_gp1_handler(data);
+
+- /* This interrupt is triggered by the firmware after updating
+- * boot_stage register and image_response register
+- */
+- if (intr_hw & BTINTEL_PCIE_MSIX_HW_INT_CAUSES_GP0)
+- btintel_pcie_msix_gp0_handler(data);
+
+ /* For TX */
+ if (intr_fh & BTINTEL_PCIE_MSIX_FH_INT_CAUSES_0) {
+@@ -1482,6 +1477,12 @@ static irqreturn_t btintel_pcie_irq_msix_handler(int irq, void *dev_id)
+ btintel_pcie_msix_tx_handle(data);
+ }
+
++ /* This interrupt is triggered by the firmware after updating
++ * boot_stage register and image_response register
++ */
++ if (intr_hw & BTINTEL_PCIE_MSIX_HW_INT_CAUSES_GP0)
++ btintel_pcie_msix_gp0_handler(data);
++
+ /*
+ * Before sending the interrupt the HW disables it to prevent a nested
+ * interrupt. This is done by writing 1 to the corresponding bit in
+--
+2.51.0
+
diff --git a/queue-6.17/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch b/queue-6.17/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
new file mode 100644
index 0000000000..af355aa9dd
--- /dev/null
+++ b/queue-6.17/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
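Review bot: The GP0 block in btintel_pcie_irq_msix_handler() is moved below the TX handling, but the comment that travels with it still only says what triggers the interrupt and not why it must now run after the other causes. Since the ordering is the whole fix, state it at the call site, e.g. `/* Handle GP0 (alive) last: it resets the TX/RX queue indices, so pending TX/RX causes must be serviced first. */`. The first hunk also leaves two consecutive blank lines after the GP1 handler where the block was removed. In the visible hunks GP0 lands after a block ending in `btintel_pcie_msix_tx_handle(data)`; whether every RX path is also handled before it lies outside the hunk.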
@@ -0,0 +1,61 @@
+From 292f8877cde50c949bd4494d438064e1bb0f5114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Sep 2025 13:39:33 +0800
+Subject: Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during
+ reset
+
+From: Chris Lu
+
+[ Upstream commit 77343b8b4f87560f8f03e77b98a81ff3a147b262 ]
+
+This patch adds logic to handle power management control when the
+Bluetooth function is closed during the SDIO reset sequence.
+
+Specifically, if BT is closed before reset, the driver enables the
+SDIO function and sets driver pmctrl. After reset, if BT remains
+closed, the driver sets firmware pmctrl and disables the SDIO function.
+
+These changes ensure proper power management and device state consistency
+across the reset flow.
+
+Fixes: 8fafe702253d ("Bluetooth: mt7921s: support bluetooth reset mechanism")
+Signed-off-by: Chris Lu
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btmtksdio.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
+index 4fc673640bfce..24ce1bf660669 100644
+--- a/drivers/bluetooth/btmtksdio.c
++++ b/drivers/bluetooth/btmtksdio.c
+@@ -1270,6 +1270,12 @@ static void btmtksdio_reset(struct hci_dev *hdev)
+
+ sdio_claim_host(bdev->func);
+
++ /* set drv_pmctrl if BT is closed before doing reset */
++ if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++ sdio_enable_func(bdev->func);
++ btmtksdio_drv_pmctrl(bdev);
++ }
++
+ sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, NULL);
+ skb_queue_purge(&bdev->txq);
+ cancel_work_sync(&bdev->txrx_work);
+@@ -1285,6 +1291,12 @@ static void btmtksdio_reset(struct hci_dev *hdev)
+ goto err;
+ }
+
++ /* set fw_pmctrl back if BT is closed after doing reset */
++ if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) {
++ btmtksdio_fw_pmctrl(bdev);
++ sdio_disable_func(bdev->func);
++ }
++
+ clear_bit(BTMTKSDIO_PATCH_ENABLED, &bdev->tx_state);
+ err:
+ sdio_release_host(bdev->func);
+--
+2.51.0
+
diff --git a/queue-6.17/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch b/queue-6.17/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
new file mode 100644
index 0000000000..c3279a998a
--- /dev/null
+++ b/queue-6.17/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
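Review bot: The failure path in btmtksdio_reset() skips the new restore block: `goto err;` sits just above the added `btmtksdio_fw_pmctrl()` / `sdio_disable_func()` pair and the `err:` label is below it, so when BT was closed and the step before it fails, the SDIO function enabled by the first added block stays enabled under driver ownership. Placing the restore block after `err:` and before `sdio_release_host(bdev->func);` would cover both paths. The first block also ignores the results of `sdio_enable_func(bdev->func)` and `btmtksdio_drv_pmctrl(bdev)`, so the register writes that follow run even if the function did not come up; at least logging the failure would make that visible. The rest of the function is outside the two hunks, so which step reaches `goto err` is inferred from the visible lines only.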
@@ -0,0 +1,78 @@
+From 73a626477eee5d9a5c0568e817055f93ccb86ea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Oct 2025 10:55:58 -0400
+Subject: Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 0d92808024b4e9868cef68d16f121d509843e80e ]
+
+This fixes the state tracking of advertisement set/instance 0x00 which
+is considered a legacy instance and is not tracked individually by
+adv_instances list, previously it was assumed that hci_dev itself would
+track it via HCI_LE_ADV but that is a global state not specifc to
+instance 0x00, so to fix it a new flag is introduced that only tracks the
+state of instance 0x00.
+
+Fixes: 1488af7b8b5f ("Bluetooth: hci_sync: Fix hci_resume_advertising_sync")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/hci.h | 1 +
+ net/bluetooth/hci_event.c | 4 ++++
+ net/bluetooth/hci_sync.c | 5 ++---
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
+index df1847b74e55e..dca650cede3c4 100644
+--- a/include/net/bluetooth/hci.h
++++ b/include/net/bluetooth/hci.h
+@@ -434,6 +434,7 @@ enum {
+ HCI_USER_CHANNEL,
+ HCI_EXT_CONFIGURED,
+ HCI_LE_ADV,
++ HCI_LE_ADV_0,
+ HCI_LE_PER_ADV,
+ HCI_LE_SCAN,
+ HCI_SSP_ENABLED,
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index fe49e8a7969ff..e1b7eabe72744 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1609,6 +1609,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+
+ if (adv && !adv->periodic)
+ adv->enabled = true;
++ else if (!set->handle)
++ hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+
+ conn = hci_lookup_le_connect(hdev);
+ if (conn)
+@@ -1619,6 +1621,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+ if (cp->num_of_sets) {
+ if (adv)
+ adv->enabled = false;
++ else if (!set->handle)
++ hci_dev_clear_flag(hdev, HCI_LE_ADV_0);
+
+ /* If just one instance was disabled check if there are
+ * any other instance enabled before clearing HCI_LE_ADV
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index d160e5e1fe8ab..28ad08cd7d706 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2606,9 +2606,8 @@ static int hci_resume_advertising_sync(struct hci_dev *hdev)
+ /* If current advertising instance is set to instance 0x00
+ * then we need to re-enable it.
+ */
+- if (!hdev->cur_adv_instance)
+- err = hci_enable_ext_advertising_sync(hdev,
+- hdev->cur_adv_instance);
++ if (hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0))
++ err = hci_enable_ext_advertising_sync(hdev, 0x00);
+ } else {
+ /* Schedule for most recent instance to be restarted and begin
+ * the software rotation loop
+--
+2.51.0
+
diff --git a/queue-6.17/bluetooth-hci_conn-fix-connection-cleanup-with-big-w.patch b/queue-6.17/bluetooth-hci_conn-fix-connection-cleanup-with-big-w.patch
new file mode 100644
index 0000000000..5791288a53
--- /dev/null
+++ b/queue-6.17/bluetooth-hci_conn-fix-connection-cleanup-with-big-w.patch
@@ -0,0 +1,49 @@
+From a76c4c5b3c92b19f692905248d7b18101ac25991 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 16:29:41 -0400
+Subject: Bluetooth: hci_conn: Fix connection cleanup with BIG with 2 or more
+ BIS
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 857eb0fabc389be5159e0e17d84bc122614b5b98 ]
+
+This fixes bis_cleanup not considering connections in BT_OPEN state
+before attempting to remove the BIG causing the following error:
+
+btproxy[20110]: < HCI Command: LE Terminate Broadcast Isochronous Group (0x08|0x006a) plen 2
+ BIG Handle: 0x01
+ Reason: Connection Terminated By Local Host (0x16)
+> HCI Event: Command Status (0x0f) plen 4
+ LE Terminate Broadcast Isochronous Group (0x08|0x006a) ncmd 1
+ Status: Unknown Advertising Identifier (0x42)
+
+Fixes: fa224d0c094a ("Bluetooth: ISO: Reassociate a socket with an active BIS")
+Signed-off-by: Luiz Augusto von Dentz
+Reviewed-by: Paul Menzel
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_conn.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index e524bb59bff23..63ae62fe20bbc 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -843,6 +843,13 @@ static void bis_cleanup(struct hci_conn *conn)
+ if (bis)
+ return;
+
++ bis = hci_conn_hash_lookup_big_state(hdev,
++ conn->iso_qos.bcast.big,
++ BT_OPEN,
++ HCI_ROLE_MASTER);
++ if (bis)
++ return;
++
+ hci_le_terminate_big(hdev, conn);
+ } else {
+ hci_le_big_terminate(hdev, conn->iso_qos.bcast.big,
+--
+2.51.0
+
diff --git a/queue-6.17/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch b/queue-6.17/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
new file mode 100644
index 0000000000..7102472fc7
--- /dev/null
+++ b/queue-6.17/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
@@ -0,0 +1,88 @@
+From 21b78ea5cdc88134e18fe6f454fb8e56f1d24351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 16:03:19 -0400
+Subject: Bluetooth: hci_core: Fix tracking of periodic advertisement
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 751463ceefc3397566d03c8b64ef4a77f5fd88ac ]
+
+Periodic advertising enabled flag cannot be tracked by the enabled
+flag since advertising and periodic advertising each can be
+enabled/disabled separately from one another causing the states to be
+inconsistent when for example an advertising set is disabled its
+enabled flag is set to false which is then used for periodic which has
+not being disabled.
+
+Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_event.c | 7 +++++--
+ net/bluetooth/hci_sync.c | 4 ++--
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 6560b32f31255..8a4b2ac15f470 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -244,6 +244,7 @@ struct adv_info {
+ bool enabled;
+ bool pending;
+ bool periodic;
++ bool periodic_enabled;
+ __u8 mesh;
+ __u8 instance;
+ __u8 handle;
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index e1b7eabe72744..429f5a858a14b 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1607,7 +1607,7 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data,
+
+ hci_dev_set_flag(hdev, HCI_LE_ADV);
+
+- if (adv && !adv->periodic)
++ if (adv)
+ adv->enabled = true;
+ else if (!set->handle)
+ hci_dev_set_flag(hdev, HCI_LE_ADV_0);
+@@ -3963,8 +3963,11 @@ static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data,
+ hci_dev_set_flag(hdev, HCI_LE_PER_ADV);
+
+ if (adv)
+- adv->enabled = true;
++ adv->periodic_enabled = true;
+ } else {
++ if (adv)
++ adv->periodic_enabled = false;
++
+ /* If just one instance was disabled check if there are
+ * any other instance enabled before clearing HCI_LE_PER_ADV.
+ * The current periodic adv instance will be marked as
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 28ad08cd7d706..73fc41b68b687 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1607,7 +1607,7 @@ int hci_disable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
+
+ /* If periodic advertising already disabled there is nothing to do. */
+ adv = hci_find_adv_instance(hdev, instance);
+- if (!adv || !adv->periodic || !adv->enabled)
++ if (!adv || !adv->periodic_enabled)
+ return 0;
+
+ memset(&cp, 0, sizeof(cp));
+@@ -1672,7 +1672,7 @@ static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance)
+
+ /* If periodic advertising already enabled there is nothing to do. */
+ adv = hci_find_adv_instance(hdev, instance);
+- if (adv && adv->periodic && adv->enabled)
++ if (adv && adv->periodic_enabled)
+ return 0;
+
+ memset(&cp, 0, sizeof(cp));
+--
+2.51.0
+
diff --git a/queue-6.17/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch b/queue-6.17/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
new file mode 100644
index 0000000000..ebda3c4e4d
--- /dev/null
+++ b/queue-6.17/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
@@ -0,0 +1,55 @@
+From 6af7550763e06ef7d1f5b890600b590ff03352cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 05:30:17 +0000
+Subject: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
+
+From: Cen Zhang
+
+[ Upstream commit 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 ]
+
+hci_cmd_sync_dequeue_once() does lookup and then cancel
+the entry under two separate lock sections. Meanwhile,
+hci_cmd_sync_work() can also delete the same entry,
+leading to double list_del() and "UAF".
+
+Fix this by holding cmd_sync_work_lock across both
+lookup and cancel, so that the entry cannot be removed
+concurrently.
+
+Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue")
+Reported-by: Cen Zhang
+Signed-off-by: Cen Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_sync.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index eefdb6134ca53..d160e5e1fe8ab 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -863,11 +863,17 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev,
+ {
+ struct hci_cmd_sync_work_entry *entry;
+
+- entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+- if (!entry)
++ mutex_lock(&hdev->cmd_sync_work_lock);
++
++ entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
++ if (!entry) {
++ mutex_unlock(&hdev->cmd_sync_work_lock);
+ return false;
++ }
+
+- hci_cmd_sync_cancel_entry(hdev, entry);
++ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
++
++ mutex_unlock(&hdev->cmd_sync_work_lock);
+
+ return true;
+ }
+--
+2.51.0
+
diff --git a/queue-6.17/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch b/queue-6.17/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
new file mode 100644
index 0000000000..55206d713f
--- /dev/null
+++ b/queue-6.17/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
@@ -0,0 +1,42 @@
+From a4f558aeabb4591952c18c0a8816c9cf5478b8a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Oct 2025 13:29:15 -0400
+Subject: Bluetooth: ISO: Fix another instance of dst_type handling
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit c403da5e98b04a2aec9cfb25cbeeb28d7ce29975 ]
+
+Socket dst_type cannot be directly assigned to hci_conn->type since
+there domain is different which may lead to the wrong address type being
+used.
+
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/iso.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 4351b0b794e57..6e2923b301505 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -2035,7 +2035,13 @@ static void iso_conn_ready(struct iso_conn *conn)
+ }
+
+ bacpy(&iso_pi(sk)->dst, &hcon->dst);
+- iso_pi(sk)->dst_type = hcon->dst_type;
++
++ /* Convert from HCI to three-value type */
++ if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
++ iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC;
++ else
++ iso_pi(sk)->dst_type = BDADDR_LE_RANDOM;
++
+ iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle;
+ memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len);
+ iso_pi(sk)->base_len = iso_pi(parent)->base_len;
+--
+2.51.0
+
diff --git a/queue-6.17/bluetooth-iso-fix-bis-connection-dst_type-handling.patch b/queue-6.17/bluetooth-iso-fix-bis-connection-dst_type-handling.patch
new file mode 100644
index 0000000000..9622835780
--- /dev/null
+++ b/queue-6.17/bluetooth-iso-fix-bis-connection-dst_type-handling.patch
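Review bot: The new comment in iso_conn_ready() says "three-value type", but the branch below it only ever produces two values and reports every HCI type other than `ADDR_LE_DEV_PUBLIC` as `BDADDR_LE_RANDOM`. If folding all non-public HCI address types into random is intended, the comment should say so, for example `/* Convert HCI address type to the socket BDADDR_LE_* type; anything not public is reported as random */`. The companion patch for the opposite direction calls a helper (`le_addr_type()`), so a small helper for this direction would keep the two conversions symmetric and in one place. The function body starts and ends outside the hunk.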
@@ -0,0 +1,36 @@
+From 5857d84bae03636cf9d3939c3c82279a13b00edb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Sep 2025 11:48:50 -0400
+Subject: Bluetooth: ISO: Fix BIS connection dst_type handling
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit f0c200a4a537f8f374584a974518b0ce69eda76c ]
+
+Socket dst_type cannot be directly assigned to hci_conn->type since
+there domain is different which may lead to the wrong address type being
+used.
+
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/iso.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 88602f19decac..4351b0b794e57 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -2021,7 +2021,7 @@ static void iso_conn_ready(struct iso_conn *conn)
+ */
+ if (!bacmp(&hcon->dst, BDADDR_ANY)) {
+ bacpy(&hcon->dst, &iso_pi(parent)->dst);
+- hcon->dst_type = iso_pi(parent)->dst_type;
++ hcon->dst_type = le_addr_type(iso_pi(parent)->dst_type);
+ }
+
+ if (test_bit(HCI_CONN_PA_SYNC, &hcon->flags)) {
+--
+2.51.0
+
diff --git a/queue-6.17/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_me.patch b/queue-6.17/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_me.patch
new file mode 100644
index 0000000000..540a7423d0
--- /dev/null
+++ b/queue-6.17/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_me.patch
@@ -0,0 +1,114 @@
+From b8e68e76a72aa107309f26f78ccd405f0d559be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Oct 2025 22:07:32 +0300
+Subject: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
+
+From: Pauli Virtanen
+
+[ Upstream commit e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 ]
+
+There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to
+memcpy from badly declared on-stack flexible array.
+
+Another crash is in set_mesh_complete() due to double list_del via
+mgmt_pending_valid + mgmt_pending_remove.
+
+Use DEFINE_FLEX to declare the flexible array right, and don't memcpy
+outside bounds.
+
+As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,
+and also report status on error.
+
+Fixes: 302a1f674c00d ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Pauli Virtanen
+Reviewed-by: Paul Menzel
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/mgmt.h | 2 +-
+ net/bluetooth/mgmt.c | 26 +++++++++++++++-----------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/include/net/bluetooth/mgmt.h b/include/net/bluetooth/mgmt.h
+index 3575cd16049a8..6095cbb03811d 100644
+--- a/include/net/bluetooth/mgmt.h
++++ b/include/net/bluetooth/mgmt.h
+@@ -848,7 +848,7 @@ struct mgmt_cp_set_mesh {
+ __le16 window;
+ __le16 period;
+ __u8 num_ad_types;
+- __u8 ad_types[];
++ __u8 ad_types[] __counted_by(num_ad_types);
+ } __packed;
+ #define MGMT_SET_MESH_RECEIVER_SIZE 6
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index a3d16eece0d23..24e335e3a7271 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2175,19 +2175,24 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
+ sk = cmd->sk;
+
+ if (status) {
++ mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ status);
+ mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
+ cmd_status_rsp, &status);
+- return;
++ goto done;
+ }
+
+- mgmt_pending_remove(cmd);
+ mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, 0, NULL, 0);
++
++done:
++ mgmt_pending_free(cmd);
+ }
+
+ static int set_mesh_sync(struct hci_dev *hdev, void *data)
+ {
+ struct mgmt_pending_cmd *cmd = data;
+- struct mgmt_cp_set_mesh cp;
++ DEFINE_FLEX(struct mgmt_cp_set_mesh, cp, ad_types, num_ad_types,
++ sizeof(hdev->mesh_ad_types));
+ size_t len;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+@@ -2197,27 +2202,26 @@ static int set_mesh_sync(struct hci_dev *hdev, void *data)
+ return -ECANCELED;
+ }
+
+- memcpy(&cp, cmd->param, sizeof(cp));
++ len = cmd->param_len;
++ memcpy(cp, cmd->param, min(__struct_size(cp), len));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+- len = cmd->param_len;
+-
+ memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
+
+- if (cp.enable)
++ if (cp->enable)
+ hci_dev_set_flag(hdev, HCI_MESH);
+ else
+ hci_dev_clear_flag(hdev, HCI_MESH);
+
+- hdev->le_scan_interval = __le16_to_cpu(cp.period);
+- hdev->le_scan_window = __le16_to_cpu(cp.window);
++ hdev->le_scan_interval = __le16_to_cpu(cp->period);
++ hdev->le_scan_window = __le16_to_cpu(cp->window);
+
+- len -= sizeof(cp);
++ len -= sizeof(struct mgmt_cp_set_mesh);
+
+ /* If filters don't fit, forward all adv pkts */
+ if (len <= sizeof(hdev->mesh_ad_types))
+- memcpy(hdev->mesh_ad_types, cp.ad_types, len);
++ memcpy(hdev->mesh_ad_types, cp->ad_types, len);
+
+ hci_update_passive_scan_sync(hdev);
+ return 0;
+--
+2.51.0
+
diff --git a/queue-6.17/bpf-conditionally-include-dynptr-copy-kfuncs.patch b/queue-6.17/bpf-conditionally-include-dynptr-copy-kfuncs.patch
new file mode 100644
index 0000000000..350442eb10
--- /dev/null
+++ b/queue-6.17/bpf-conditionally-include-dynptr-copy-kfuncs.patch
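Review bot: In set_mesh_sync() the subtraction `len -= sizeof(struct mgmt_cp_set_mesh);` works on a `size_t` taken from `cmd->param_len` with no lower-bound check visible in the hunk, so a parameter block shorter than the fixed header wraps `len` to a very large value. The following `len <= sizeof(hdev->mesh_ad_types)` test then skips the copy, which is safe only as a side effect of the wraparound. An explicit guard after `mutex_unlock(&hdev->mgmt_pending_lock);`, such as `if (len < sizeof(struct mgmt_cp_set_mesh)) return -EINVAL;`, would state the intent; the mgmt handler that queues the command is outside the hunk and may already enforce the minimum length. Separately, `cp->num_ad_types` is overwritten by the copy from `cmd->param` and is not compared with the trailing length, while the new `__counted_by(num_ad_types)` annotation makes that field the declared bound of `ad_types`.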
@@ -0,0 +1,63 @@
+From c87cd82b0858bf98bc4377f8a70f8faef0b0ab03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Oct 2025 17:14:36 +0200
+Subject: bpf: Conditionally include dynptr copy kfuncs
+
+From: Malin Jonsson
+
+[ Upstream commit 8ce93aabbf75171470e3d1be56bf1a6937dc5db8 ]
+
+Since commit a498ee7576de ("bpf: Implement dynptr copy kfuncs"), if
+CONFIG_BPF_EVENTS is not enabled, but BPF_SYSCALL and DEBUG_INFO_BTF are,
+the build will break like so:
+
+ BTFIDS vmlinux.unstripped
+WARN: resolve_btfids: unresolved symbol bpf_probe_read_user_str_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_probe_read_user_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_probe_read_kernel_str_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_probe_read_kernel_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_copy_from_user_task_str_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_copy_from_user_task_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_copy_from_user_str_dynptr
+WARN: resolve_btfids: unresolved symbol bpf_copy_from_user_dynptr
+make[2]: *** [scripts/Makefile.vmlinux:72: vmlinux.unstripped] Error 255
+make[2]: *** Deleting file 'vmlinux.unstripped'
+make[1]: *** [/repo/malin/upstream/linux/Makefile:1242: vmlinux] Error 2
+make: *** [Makefile:248: __sub-make] Error 2
+
+Guard these symbols with #ifdef CONFIG_BPF_EVENTS to resolve the problem.
+
+Fixes: a498ee7576de ("bpf: Implement dynptr copy kfuncs")
+Reported-by: Yong Gu
+Acked-by: Mykyta Yatsenko
+Signed-off-by: Malin Jonsson
+Link: https://lore.kernel.org/r/20251024151436.139131-1-malin.jonsson@est.tech
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/helpers.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index 9c750a6a895bf..a12f4fa444086 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -3816,6 +3816,7 @@ BTF_ID_FLAGS(func, bpf_iter_kmem_cache_next, KF_ITER_NEXT | KF_RET_NULL | KF_SLE
+ BTF_ID_FLAGS(func, bpf_iter_kmem_cache_destroy, KF_ITER_DESTROY | KF_SLEEPABLE)
+ BTF_ID_FLAGS(func, bpf_local_irq_save)
+ BTF_ID_FLAGS(func, bpf_local_irq_restore)
++#ifdef CONFIG_BPF_EVENTS
+ BTF_ID_FLAGS(func, bpf_probe_read_user_dynptr)
+ BTF_ID_FLAGS(func, bpf_probe_read_kernel_dynptr)
+ BTF_ID_FLAGS(func, bpf_probe_read_user_str_dynptr)
+@@ -3824,6 +3825,7 @@ BTF_ID_FLAGS(func, bpf_copy_from_user_dynptr, KF_SLEEPABLE)
+ BTF_ID_FLAGS(func, bpf_copy_from_user_str_dynptr, KF_SLEEPABLE)
+ BTF_ID_FLAGS(func, bpf_copy_from_user_task_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
+ BTF_ID_FLAGS(func, bpf_copy_from_user_task_str_dynptr, KF_SLEEPABLE | KF_TRUSTED_ARGS)
++#endif
+ #ifdef CONFIG_DMA_SHARED_BUFFER
+ BTF_ID_FLAGS(func, bpf_iter_dmabuf_new, KF_ITER_NEW | KF_SLEEPABLE)
+ BTF_ID_FLAGS(func, bpf_iter_dmabuf_next, KF_ITER_NEXT | KF_RET_NULL | KF_SLEEPABLE)
+--
+2.51.0
+
diff --git a/queue-6.17/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-6.17/bpf-do-not-audit-capability-check-in-do_jit.patch
new file mode 100644
index 0000000000..380075ba20
--- /dev/null
+++ b/queue-6.17/bpf-do-not-audit-capability-check-in-do_jit.patch
@@ -0,0 +1,50 @@
+From 5aac23cf837cd20a3249c21f4e13cf4ce3ae40b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 14:27:58 +0200
+Subject: bpf: Do not audit capability check in do_jit()
+
+From: Ondrej Mosnacek
+
+[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ]
+
+The failure of this check only results in a security mitigation being
+applied, slightly affecting performance of the compiled BPF program. It
+doesn't result in a failed syscall, an thus auditing a failed LSM
+permission check for it is unwanted. For example with SELinux, it causes
+a denial to be reported for confined processes running as root, which
+tends to be flagged as a problem to be fixed in the policy. Yet
+dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
+desirable, as it would allow/silence also other checks - either going
+against the principle of least privilege or making debugging potentially
+harder.
+
+Fix it by changing it from capable() to ns_capable_noaudit(), which
+instructs the LSMs to not audit the resulting denials.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326
+Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit")
+Signed-off-by: Ondrej Mosnacek
+Reviewed-by: Paul Moore
+Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 7e3fca1646203..574586a6d97f8 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -2592,7 +2592,7 @@ st: if (is_imm8(insn->off))
+ /* Update cleanup_addr */
+ ctx->cleanup_addr = proglen;
+ if (bpf_prog_was_classic(bpf_prog) &&
+- !capable(CAP_SYS_ADMIN)) {
++ !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) {
+ u8 *ip = image + addrs[i - 1];
+
+ if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog))
+--
+2.51.0
+
diff --git a/queue-6.17/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-6.17/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
new file mode 100644
index 0000000000..511a6b123d
--- /dev/null
+++ b/queue-6.17/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
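Review bot: The switch to `ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` in do_jit() carries no comment, and the reason for choosing the unaudited variant exists only in the commit message. A reader comparing this site with ordinary `capable()` checks cannot tell from the code that a denial here merely makes the JIT emit the Spectre BHB barrier and does not fail the syscall. I would add above the condition: `/* Not audited: a denial only adds the BHB barrier, the syscall still succeeds */`. The enclosing function starts and ends outside the hunk.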
@@ -0,0 +1,46 @@
+From ad3685da4429a5e7012d2c5a1fcb0a35e27790c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index 719d73299397b..d706c4b7f532d 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -216,6 +216,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++ irq_work_sync(&rb->work);
++
+ /* copy pages pointer and nr_pages to local variable, as we are going
+ * to unmap rb itself with vunmap() below
+ */
+--
+2.51.0
+
diff --git a/queue-6.17/crypto-aspeed-fix-double-free-caused-by-devm.patch b/queue-6.17/crypto-aspeed-fix-double-free-caused-by-devm.patch
new file mode 100644
index 0000000000..bee19c6a5d
--- /dev/null
+++ b/queue-6.17/crypto-aspeed-fix-double-free-caused-by-devm.patch
@@ -0,0 +1,48 @@
+From 2b8863693bd362d9116e5b525e895153af53ce05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 18:11:09 +0800
+Subject: crypto: aspeed - fix double free caused by devm
+
+From: Haotian Zhang
+
+[ Upstream commit 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 ]
+
+The clock obtained via devm_clk_get_enabled() is automatically managed
+by devres and will be disabled and freed on driver detach. Manually
+calling clk_disable_unprepare() in error path and remove function
+causes double free.
+
+Remove the manual clock cleanup in both aspeed_acry_probe()'s error
+path and aspeed_acry_remove().
+
+Fixes: 2f1cf4e50c95 ("crypto: aspeed - Add ACRY RSA driver")
+Signed-off-by: Haotian Zhang
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/aspeed/aspeed-acry.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/crypto/aspeed/aspeed-acry.c b/drivers/crypto/aspeed/aspeed-acry.c
+index 8d1c79aaca07d..5993bcba97163 100644
+--- a/drivers/crypto/aspeed/aspeed-acry.c
++++ b/drivers/crypto/aspeed/aspeed-acry.c
+@@ -787,7 +787,6 @@ static int aspeed_acry_probe(struct platform_device *pdev)
+ err_engine_rsa_start:
+ crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ clk_exit:
+- clk_disable_unprepare(acry_dev->clk);
+
+ return rc;
+ }
+@@ -799,7 +798,6 @@ static void aspeed_acry_remove(struct platform_device *pdev)
+ aspeed_acry_unregister(acry_dev);
+ crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ tasklet_kill(&acry_dev->done_task);
+- clk_disable_unprepare(acry_dev->clk);
+ }
+
+ MODULE_DEVICE_TABLE(of, aspeed_acry_of_matches);
+--
+2.51.0
+
diff --git a/queue-6.17/crypto-s390-phmac-do-not-modify-the-req-nbytes-value.patch b/queue-6.17/crypto-s390-phmac-do-not-modify-the-req-nbytes-value.patch
new file mode 100644
index 0000000000..aa7028ea02
--- /dev/null
+++ b/queue-6.17/crypto-s390-phmac-do-not-modify-the-req-nbytes-value.patch
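Review bot: After the removal in aspeed_acry_probe() the `clk_exit:` label only precedes `return rc;`, so it no longer undoes anything and its name now suggests cleanup that does not happen. The `goto clk_exit` sites are outside the hunk; they could become plain `return rc;`, or the label could be dropped in a follow-up. A one-line comment at the label, `/* clk comes from devm_clk_get_enabled(); devres disables it, nothing to undo here */`, would also keep someone from re-adding the manual `clk_disable_unprepare()` and bringing the double release back. The same reasoning applies to the line removed from aspeed_acry_remove() in the second inner hunk.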
@@ -0,0 +1,166 @@
+From 3c48f895141a8f9984c67d94aaf84ad3d2fc538e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Oct 2025 14:32:54 +0200
+Subject: crypto: s390/phmac - Do not modify the req->nbytes value
+
+From: Harald Freudenberger
+
+[ Upstream commit 3ac2939bc4341ac28700a2ed0c345ba7e7bdb6fd ]
+
+The phmac implementation used the req->nbytes field on combined
+operations (finup, digest) to track the state:
+with req->nbytes > 0 the update needs to be processed,
+while req->nbytes == 0 means to do the final operation. For
+this purpose the req->nbytes field was set to 0 after successful
+update operation. However, aead uses the req->nbytes field after a
+successful hash operation to determine the amount of data to
+en/decrypt. So an implementation must not modify the nbytes field.
+
+Fixed by a slight rework on the phmac implementation. There is
+now a new field async_op in the request context which tracks
+the (asynch) operation to process. So the 'state' via req->nbytes
+is not needed any more and now this field is untouched and may
+be evaluated even after a request is processed by the phmac
+implementation.
+
+Fixes: cbbc675506cc ("crypto: s390 - New s390 specific protected key hash phmac")
+Reported-by: Ingo Franzki
+Signed-off-by: Harald Freudenberger
+Tested-by: Ingo Franzki
+Reviewed-by: Ingo Franzki
+Reviewed-by: Holger Dengler
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ arch/s390/crypto/phmac_s390.c | 52 +++++++++++++++++++++++------------
+ 1 file changed, 34 insertions(+), 18 deletions(-)
+
+diff --git a/arch/s390/crypto/phmac_s390.c b/arch/s390/crypto/phmac_s390.c
+index 7ecfdc4fba2d0..89f3e6d8fd897 100644
+--- a/arch/s390/crypto/phmac_s390.c
++++ b/arch/s390/crypto/phmac_s390.c
+@@ -169,11 +169,18 @@ struct kmac_sha2_ctx {
+ u64 buflen[2];
+ };
+
++enum async_op {
++ OP_NOP = 0,
++ OP_UPDATE,
++ OP_FINAL,
++ OP_FINUP,
++};
++
+ /* phmac request context */
+ struct phmac_req_ctx {
+ struct hash_walk_helper hwh;
+ struct kmac_sha2_ctx kmac_ctx;
+- bool final;
++ enum async_op async_op;
+ };
+
+ /*
+@@ -610,6 +617,7 @@ static int phmac_update(struct ahash_request *req)
+ * using engine to serialize requests.
+ */
+ if (rc == 0 || rc == -EKEYEXPIRED) {
++ req_ctx->async_op = OP_UPDATE;
+ atomic_inc(&tfm_ctx->via_engine_ctr);
+ rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
+ if (rc != -EINPROGRESS)
+@@ -647,8 +655,7 @@ static int phmac_final(struct ahash_request *req)
+ * using engine to serialize requests.
+ */
+ if (rc == 0 || rc == -EKEYEXPIRED) {
+- req->nbytes = 0;
+- req_ctx->final = true;
++ req_ctx->async_op = OP_FINAL;
+ atomic_inc(&tfm_ctx->via_engine_ctr);
+ rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
+ if (rc != -EINPROGRESS)
+@@ -676,13 +683,16 @@ static int phmac_finup(struct ahash_request *req)
+ if (rc)
+ goto out;
+
++ req_ctx->async_op = OP_FINUP;
++
+ /* Try synchronous operations if no active engine usage */
+ if (!atomic_read(&tfm_ctx->via_engine_ctr)) {
+ rc = phmac_kmac_update(req, false);
+ if (rc == 0)
+- req->nbytes = 0;
++ req_ctx->async_op = OP_FINAL;
+ }
+- if (!rc && !req->nbytes && !atomic_read(&tfm_ctx->via_engine_ctr)) {
++ if (!rc && req_ctx->async_op == OP_FINAL &&
++ !atomic_read(&tfm_ctx->via_engine_ctr)) {
+ rc = phmac_kmac_final(req, false);
+ if (rc == 0)
+ goto out;
+@@ -694,7 +704,7 @@ static int phmac_finup(struct ahash_request *req)
+ * using engine to serialize requests.
+ */
+ if (rc == 0 || rc == -EKEYEXPIRED) {
+- req_ctx->final = true;
++ /* req->async_op has been set to either OP_FINUP or OP_FINAL */
+ atomic_inc(&tfm_ctx->via_engine_ctr);
+ rc = crypto_transfer_hash_request_to_engine(phmac_crypto_engine, req);
+ if (rc != -EINPROGRESS)
+@@ -855,15 +865,16 @@ static int phmac_do_one_request(struct crypto_engine *engine, void *areq)
+
+ /*
+ * Three kinds of requests come in here:
+- * update when req->nbytes > 0 and req_ctx->final is false
+- * final when req->nbytes = 0 and req_ctx->final is true
+- * finup when req->nbytes > 0 and req_ctx->final is true
+- * For update and finup the hwh walk needs to be prepared and
+- * up to date but the actual nr of bytes in req->nbytes may be
+- * any non zero number. For final there is no hwh walk needed.
++ * 1. req->async_op == OP_UPDATE with req->nbytes > 0
++ * 2. req->async_op == OP_FINUP with req->nbytes > 0
++ * 3. req->async_op == OP_FINAL
++ * For update and finup the hwh walk has already been prepared
++ * by the caller. For final there is no hwh walk needed.
+ */
+
+- if (req->nbytes) {
++ switch (req_ctx->async_op) {
++ case OP_UPDATE:
++ case OP_FINUP:
+ rc = phmac_kmac_update(req, true);
+ if (rc == -EKEYEXPIRED) {
+ /*
+@@ -880,10 +891,11 @@ static int phmac_do_one_request(struct crypto_engine *engine, void *areq)
+ hwh_advance(hwh, rc);
+ goto out;
+ }
+- req->nbytes = 0;
+- }
+-
+- if (req_ctx->final) {
++ if (req_ctx->async_op == OP_UPDATE)
++ break;
++ req_ctx->async_op = OP_FINAL;
++ fallthrough;
++ case OP_FINAL:
+ rc = phmac_kmac_final(req, true);
+ if (rc == -EKEYEXPIRED) {
+ /*
+@@ -897,10 +909,14 @@ static int phmac_do_one_request(struct crypto_engine *engine, void *areq)
+ cond_resched();
+ return -ENOSPC;
+ }
++ break;
++ default:
++ /* unknown/unsupported/unimplemented asynch op */
++ return -EOPNOTSUPP;
+ }
+
+ out:
+- if (rc || req_ctx->async_op == OP_FINAL)
++ if (rc || req_ctx->async_op == OP_FINAL)
+ memzero_explicit(kmac_ctx, sizeof(*kmac_ctx));
+ pr_debug("request complete with rc=%d\n", rc);
+ local_bh_disable();
+--
+2.51.0
+
diff --git a/queue-6.17/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch b/queue-6.17/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch
new file mode 100644
index 0000000000..e7840a5617
--- /dev/null
+++ b/queue-6.17/dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch
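Review bot: The new `default:` arm in phmac_do_one_request() returns `-EOPNOTSUPP` directly and so bypasses the `out:` label, where `memzero_explicit(kmac_ctx, sizeof(*kmac_ctx))` wipes the context on any error. Every visible caller sets `async_op` before queuing, so the arm is defensive, but if it is ever reached the context is left unwiped and whatever follows `local_bh_disable()` (outside the hunk) is skipped; `rc = -EOPNOTSUPP; goto out;` would keep the error path uniform, provided the code after `out:` is the right completion for that case. Two of the added comments also name the wrong object: `/* req->async_op has been set ... */` in phmac_finup() and the `req->async_op == OP_...` lines in the block comment should read `req_ctx->async_op`, since the field lives in `struct phmac_req_ctx`.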
@@ -0,0 +1,46 @@
+From 4be9ff852b98ca9a20d5376d8a9159b7f79f40e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Oct 2025 20:55:12 +0200
+Subject: dpll: spec: add missing module-name and clock-id to pin-get reply
+
+From: Petr Oros
+
+[ Upstream commit 520ad9e96937e825a117e9f00dd35a3e199d67b5 ]
+
+The dpll.yaml spec incorrectly omitted module-name and clock-id from the
+pin-get operation reply specification, even though the kernel DPLL
+implementation has always included these attributes in pin-get responses
+since the initial implementation.
+
+This spec inconsistency caused issues with the C YNL code generator.
+The generated dpll_pin_get_rsp structure was missing these fields.
+
+Fix the spec by adding module-name and clock-id to the pin-attrs reply
+specification to match the actual kernel behavior.
+
+Fixes: 3badff3a25d8 ("dpll: spec: Add Netlink spec in YAML")
+Signed-off-by: Petr Oros
+Reviewed-by: Ivan Vecera
+Link: https://patch.msgid.link/20251024185512.363376-1-poros@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ Documentation/netlink/specs/dpll.yaml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Documentation/netlink/specs/dpll.yaml b/Documentation/netlink/specs/dpll.yaml
+index 5decee61a2c4c..0159091dde966 100644
+--- a/Documentation/netlink/specs/dpll.yaml
++++ b/Documentation/netlink/specs/dpll.yaml
+@@ -599,6 +599,8 @@ operations:
+ reply: &pin-attrs
+ attributes:
+ - id
++ - module-name
++ - clock-id
+ - board-label
+ - panel-label
+ - package-label
+--
+2.51.0
+
diff --git a/queue-6.17/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-6.17/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644
index 0000000000..5587879f96
--- /dev/null
+++ b/queue-6.17/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
@@ -0,0 +1,41 @@
+From f1f45571ad6fea3e7d873faebde279dcce240598 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index 59f9abd0f7b8c..00f6c6acc3e68 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -965,7 +965,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+ table_index);
+ uint32_t table_size;
+ int ret = 0;
+- if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++ if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+ return -EINVAL;
+
+ table_size = smu_table->tables[table_index].size;
+--
+2.51.0
+
diff --git a/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644
index 0000000000..6209b3fc62
--- /dev/null
+++ b/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
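Review bot: The corrected guard bounds `table_index` only from above before it indexes `smu_table->tables[table_index]`; the parameter's type is not visible in this hunk, so if it is signed, `table_index < 0 ||` should be added to the condition as well. The call that derives `table_id` (it ends at `table_index);` on the first context line) also runs before the check, so that helper has to tolerate an out-of-range index by itself, which is worth confirming since its body is outside the hunk. A one-line comment above the check would keep the two index spaces apart, e.g. `/* table_index: driver table slot; table_id: firmware-side id from the mapping */`.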
@@ -0,0 +1,39 @@
+From fa8280f6503eeae9da0189581ce4ac18f166d144 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 5e43ad2b29564..e7e497b166b3e 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0; /* 0:Gen1 1:Gen2 2:Gen3*/
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+ table->VRConfig = 0;
+
+--
+2.51.0
+
diff --git a/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933 b/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933
new file mode 100644
index 0000000000..be447ac0ac
--- /dev/null
+++ b/queue-6.17/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933
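Review bot: The replacement line drops the `/* 0:Gen1 1:Gen2 2:Gen3*/` comment and now stores `pcie_speed_table.count` narrowed to `uint8_t`, so the source no longer says what PCIeBootLinkLevel encodes or why a count is a valid level. Going by the commit message, a comment such as `/* boot at the maximum of pcie_speed_table, as the other smumgr implementations do */` would document the intent. Whether the firmware expects `count` or `count - 1` cannot be told from this hunk and is worth confirming against the sibling implementations the message refers to. The same applies to the identical change in iceland_init_smc_table() in the next patch.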
@@ -0,0 +1,39 @@
+From d39310d4479145ef56cc7596b61353d2010e8297 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 17d2f5bff4a7e..49c32183878de 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0;
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+
+ result = iceland_populate_smc_svi2_config(hwmgr, table);
+--
+2.51.0
+
diff --git a/queue-6.17/drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch b/queue-6.17/drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch
new file mode 100644
index 0000000000..95a33eefa3
--- /dev/null
+++ b/queue-6.17/drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch
@@ -0,0 +1,36 @@
+From dd4ee3420280f5b96f94e00f63ea51e4001d4874 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 09:14:55 -0400
+Subject: drm/amdgpu: fix SPDX header on amd_cper.h
+
+From: Alex Deucher
+
+[ Upstream commit 964f8ff276a54ad7fb09168141fb6a8d891d548a ]
+
+This should be MIT. The driver in general is MIT and
+the license text at the top of the file is MIT so fix
+it.
+
+Fixes: 523b69c65445 ("drm/amd/include: Add amd cper header")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4654
+Reviewed-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+(cherry picked from commit 72c5482cb0f3d3c772c9de50e5a4265258a53f81)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/include/amd_cper.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/include/amd_cper.h b/drivers/gpu/drm/amd/include/amd_cper.h
+index 086869264425c..a252ee4c7874c 100644
+--- a/drivers/gpu/drm/amd/include/amd_cper.h
++++ b/drivers/gpu/drm/amd/include/amd_cper.h
+@@ -1,4 +1,4 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
++/* SPDX-License-Identifier: MIT */
+ /*
+ * Copyright 2025 Advanced Micro Devices, Inc.
+ *
+--
+2.51.0
+
diff --git a/queue-6.17/drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch b/queue-6.17/drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch
new file mode 100644
index 0000000000..bce2a559d5
--- /dev/null
+++ b/queue-6.17/drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch
@@ -0,0 +1,36 @@
+From 07ecd51a1a4d9519c3a40e14c9897bc1becfe6c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 09:17:37 -0400
+Subject: drm/amdgpu: fix SPDX header on irqsrcs_vcn_5_0.h
+
+From: Alex Deucher
+
+[ Upstream commit 8284a9e91722d3214aac5d54b4e0d2c91af0fdfc ]
+
+This should be MIT. The driver in general is MIT and
+the license text at the top of the file is MIT so fix
+it.
+
+Fixes: d1bb64651095 ("drm/amdgpu: add irq source ids for VCN5_0/JPEG5_0")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4654
+Reviewed-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+(cherry picked from commit 68c20d7b1779f97d600e61b9e95726c0cd609e2a)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h b/drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h
+index 64b553e7de1ae..e7fdcee22a714 100644
+--- a/drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h
++++ b/drivers/gpu/drm/amd/include/ivsrcid/vcn/irqsrcs_vcn_5_0.h
+@@ -1,4 +1,4 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
++/* SPDX-License-Identifier: MIT */
+
+ /*
+ * Copyright 2024 Advanced Micro Devices, Inc. All rights reserved.
+--
+2.51.0
+
diff --git a/queue-6.17/drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch b/queue-6.17/drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch
new file mode 100644
index 0000000000..a7fe7c6c2d
--- /dev/null
+++ b/queue-6.17/drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch
@@ -0,0 +1,47 @@
+From df64584112854ab3d4f9b939a2dad2042e6d3b08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 09:12:54 -0400
+Subject: drm/amdgpu: fix SPDX headers on amdgpu_cper.c/h
+
+From: Alex Deucher
+
+[ Upstream commit f3b37ebf2c94e3a3d7bbf5e3788ad86cf30fc7be ]
+
+These should be MIT. The driver in general is MIT and
+the license text at the top of the files is MIT so fix
+it.
+
+Fixes: 92d5d2a09de1 ("drm/amdgpu: Introduce funcs for populating CPER")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4654
+Reviewed-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+(cherry picked from commit abd3f876404cafb107cb34bacb74706bfee11cbe)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c
+index 25252231a68a9..48a8aa1044b15 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.c
+@@ -1,4 +1,4 @@
+-// SPDX-License-Identifier: GPL-2.0
++// SPDX-License-Identifier: MIT
+ /*
+ * Copyright 2025 Advanced Micro Devices, Inc.
+ *
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h
+index bcb97d245673b..353421807387e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cper.h
+@@ -1,4 +1,4 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
++/* SPDX-License-Identifier: MIT */
+ /*
+ * Copyright 2025 Advanced Micro Devices, Inc.
+ *
+--
+2.51.0
+
diff --git a/queue-6.17/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-6.17/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644
index 0000000000..4d55708360
--- /dev/null
+++ b/queue-6.17/drm-etnaviv-fix-flush-sequence-logic.patch
@@ -0,0 +1,46 @@
+From c2e5f8f1bcc84a8af4b6f6eaf8caffc44504e7b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso
+Signed-off-by: Lucas Stach
+Reviewed-by: Christian Gmeiner
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index b13a17276d07c..88385dc3b30d8 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -347,7 +347,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+ u32 link_target, link_dwords;
+ bool switch_context = gpu->exec_state != exec_state;
+ bool switch_mmu_context = gpu->mmu_context != mmu_context;
+- unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++ unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+ bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+ bool has_blt = !!(gpu->identity.minor_features5 &
+ chipMinorFeatures5_BLT_ENGINE);
+--
+2.51.0
+
diff --git a/queue-6.17/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-6.17/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644
index 0000000000..4ad37af12f
--- /dev/null
+++ b/queue-6.17/drm-msm-a6xx-fix-gmu-firmware-parser.patch
@@ -0,0 +1,51 @@
+From 907a2ca0352d896eba6d3b921c07786f3332a67d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen
+Acked-by: Konrad Dybcio
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index 3369a03978d53..ee82489025c3c 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -766,6 +766,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+ return true;
+ }
+
++#define NEXT_BLK(blk) \
++ ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+ struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -797,7 +800,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+
+ for (blk = (const struct block_header *) fw_image->data;
+ (const u8*) blk < fw_image->data + fw_image->size;
+- blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++ blk = NEXT_BLK(blk)) {
+ if (blk->size == 0)
+ continue;
+
+--
+2.51.0
+
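Review bot: NEXT_BLK() advances by a `size` field read from the firmware image, while the loop condition only checks that the start of `blk` lies before `fw_image->data + fw_image->size`. A header that begins in the last few bytes of the image, or a `size` larger than what remains, is therefore read or stepped over with no check that header and payload fit. A guard at the top of the loop body such as `size_t rem = fw_image->data + fw_image->size - (const u8 *)blk;` followed by `if (rem < sizeof(*blk) || blk->size > rem - sizeof(*blk))` and an error exit would reject a truncated or malformed image. Now that payloads need not be dword-sized, the next header can also sit at an unaligned address, which deserves a comment on the macro. The loop body continues past the end of the hunk, so later checks may exist that are not visible here.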
diff --git a/queue-6.17/drm-msm-ensure-vm-is-created-in-vm_bind-ioctl.patch b/queue-6.17/drm-msm-ensure-vm-is-created-in-vm_bind-ioctl.patch
new file mode 100644
index 0000000000..85140f569d
--- /dev/null
+++ b/queue-6.17/drm-msm-ensure-vm-is-created-in-vm_bind-ioctl.patch
@@ -0,0 +1,37 @@
+From c6b8d317de677f401be6354e053e1fd21489d02e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 15:20:38 -0700
+Subject: drm/msm: Ensure vm is created in VM_BIND ioctl
+
+From: Rob Clark
+
+[ Upstream commit 00d5f09719aa6c37545be5c05d25a1eaf8f3da7e ]
+
+Since the vm is lazily created, to allow userspace to opt-in to a
+VM_BIND context, we can't assume it is already created.
+
+Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
+Signed-off-by: Rob Clark
+Patchwork: https://patchwork.freedesktop.org/patch/682939/
+Message-ID: <20251022222039.9937-1-robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/msm_gem_vma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_gem_vma.c
+index 381a0853c05ba..b6248f86a5ab1 100644
+--- a/drivers/gpu/drm/msm/msm_gem_vma.c
++++ b/drivers/gpu/drm/msm/msm_gem_vma.c
+@@ -1401,7 +1401,7 @@ msm_ioctl_vm_bind(struct drm_device *dev, void *data, struct drm_file *file)
+ * Maybe we could allow just UNMAP ops? OTOH userspace should just
+ * immediately close the device file and all will be torn down.
+ */
+- if (to_msm_vm(ctx->vm)->unusable)
++ if (to_msm_vm(msm_context_vm(dev, ctx))->unusable)
+ return UERR(EPIPE, dev, "context is unusable");
+
+ /*
+--
+2.51.0
+
diff --git a/queue-6.17/drm-msm-fix-gem-free-for-imported-dma-bufs.patch b/queue-6.17/drm-msm-fix-gem-free-for-imported-dma-bufs.patch
new file mode 100644
index 0000000000..1bf51d01ea
--- /dev/null
+++ b/queue-6.17/drm-msm-fix-gem-free-for-imported-dma-bufs.patch
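Review bot: The result of `msm_context_vm(dev, ctx)` is passed straight to `to_msm_vm()` and dereferenced for `->unusable`. The commit message says the vm is created lazily, and the helper's body is not part of this hunk, so it is not visible whether creation can fail and hand back NULL or an error pointer. If it can, the ioctl should test the returned pointer before this line; if it cannot, a short comment stating that guarantee next to the call would spare the next reader the question. msm_ioctl_vm_bind() continues outside the hunk.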
@@ -0,0 +1,91 @@ +From 94cfa3e2919d5feb5777dc5617e9ccfec2680242 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Sep 2025 07:04:40 -0700 +Subject: drm/msm: Fix GEM free for imported dma-bufs + +From: Rob Clark + +[ Upstream commit c34e08ba6c0037a72a7433741225b020c989e4ae ] + +Imported dma-bufs also have obj->resv != &obj->_resv. So we should +check both this condition in addition to flags for handling the +_NO_SHARE case. + +Fixes this splat that was reported with IRIS video playback: + + ------------[ cut here ]------------ + WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm] + CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT + pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) + pc : msm_gem_free_object+0x1f8/0x264 [msm] + lr : msm_gem_free_object+0x138/0x264 [msm] + sp : ffff800092a1bb30 + x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08 + x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6 + x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200 + x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000 + x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540 + x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 + x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f + x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020 + x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032 + x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8 + Call trace: + msm_gem_free_object+0x1f8/0x264 [msm] (P) + drm_gem_object_free+0x1c/0x30 [drm] + drm_gem_object_handle_put_unlocked+0x138/0x150 [drm] + drm_gem_object_release_handle+0x5c/0xcc [drm] + drm_gem_handle_delete+0x68/0xbc [drm] + drm_gem_close_ioctl+0x34/0x40 [drm] + drm_ioctl_kernel+0xc0/0x130 [drm] + drm_ioctl+0x360/0x4e0 [drm] + __arm64_sys_ioctl+0xac/0x104 + invoke_syscall+0x48/0x104 + 
el0_svc_common.constprop.0+0x40/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x34/0xec + el0t_64_sync_handler+0xa0/0xe4 + el0t_64_sync+0x198/0x19c + ---[ end trace 0000000000000000 ]--- + ------------[ cut here ]------------ + +Reported-by: Stephan Gerhold +Fixes: de651b6e040b ("drm/msm: Fix refcnt underflow in error path") +Signed-off-by: Rob Clark +Tested-by: Stephan Gerhold +Tested-by: Luca Weiss +Tested-by: Bryan O'Donoghue # qrb5165-rb5 +Patchwork: https://patchwork.freedesktop.org/patch/676273/ +Message-ID: <20250923140441.746081-1-robin.clark@oss.qualcomm.com> +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index e7631f4ef5309..0745d958f3987 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -1120,12 +1120,16 @@ static void msm_gem_free_object(struct drm_gem_object *obj) + put_pages(obj); + } + +- if (obj->resv != &obj->_resv) { ++ /* ++ * In error paths, we could end up here before msm_gem_new_handle() ++ * has changed obj->resv to point to the shared resv. In this case, ++ * we don't want to drop a ref to the shared r_obj that we haven't ++ * taken yet. ++ */ ++ if ((msm_obj->flags & MSM_BO_NO_SHARE) && (obj->resv != &obj->_resv)) { + struct drm_gem_object *r_obj = + container_of(obj->resv, struct drm_gem_object, _resv); + +- WARN_ON(!(msm_obj->flags & MSM_BO_NO_SHARE)); +- + /* Drop reference we hold to shared resv obj: */ + drm_gem_object_put(r_obj); + } +-- +2.51.0 + diff --git a/queue-6.17/drm-msm-make-sure-last_fence-is-always-updated.patch b/queue-6.17/drm-msm-make-sure-last_fence-is-always-updated.patch new file mode 100644 index 0000000000..3dd4053d58 --- /dev/null +++ b/queue-6.17/drm-msm-make-sure-last_fence-is-always-updated.patch 
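Review bot: The comment added above the new condition explains only the error-path case, while the commit message gives imported dma-bufs as the reason for also testing `MSM_BO_NO_SHARE`. Extending the comment with a line such as `* Imported dma-bufs also have obj->resv != &obj->_resv, so the flag is checked too.` would keep that reasoning next to the code, now that the `WARN_ON()` which used to flag the mismatch is gone. msm_gem_free_object() starts and ends outside the hunk.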
@@ -0,0 +1,57 @@
+From 1163b415add2e2f6ba148b69ad8bdee1a1747d36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 11 Oct 2025 15:45:10 +0200
+Subject: drm/msm: make sure last_fence is always updated
+
+From: Anna Maniscalco
+
+[ Upstream commit 86404a9e3013d814a772ac407573be5d3cd4ee0d ]
+
+Update last_fence in the vm-bind path instead of kernel managed path.
+
+last_fence is used to wait for work to finish in vm_bind contexts but not
+used for kernel managed contexts.
+
+This fixes a bug where last_fence is not waited on context close leading
+to faults as resources are freed while in use.
+
+Fixes: 92395af63a99 ("drm/msm: Add VM_BIND submitqueue")
+Signed-off-by: Anna Maniscalco
+Patchwork: https://patchwork.freedesktop.org/patch/680080/
+Message-ID: <20251011-close_fence_wait_fix-v3-1-5134787755ff@gmail.com>
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 3ab3b27134f93..75d9f35743700 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -414,6 +414,11 @@ static void submit_attach_object_fences(struct msm_gem_submit *submit)
+ submit->user_fence,
+ DMA_RESV_USAGE_BOOKKEEP,
+ DMA_RESV_USAGE_BOOKKEEP);
++
++ last_fence = vm->last_fence;
++ vm->last_fence = dma_fence_unwrap_merge(submit->user_fence, last_fence);
++ dma_fence_put(last_fence);
++
+ return;
+ }
+
+@@ -427,10 +432,6 @@ static void submit_attach_object_fences(struct msm_gem_submit *submit)
+ dma_resv_add_fence(obj->resv, submit->user_fence,
+ DMA_RESV_USAGE_READ);
+ }
+-
+- last_fence = vm->last_fence;
+- vm->last_fence = dma_fence_unwrap_merge(submit->user_fence, last_fence);
+- dma_fence_put(last_fence);
+ }
+
+ static int submit_bo(struct msm_gem_submit *submit, uint32_t idx,
+--
+2.51.0
+
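Review bot: The result of `dma_fence_unwrap_merge()` is stored in `vm->last_fence` without a check, and the previous fence is put right after. As far as I know the merge can return NULL when its allocation fails; the context would then be left with no fence to wait on at close, which is the situation the commit message describes as leading to faults. Handling a NULL result explicitly, rather than overwriting `vm->last_fence` with it, would close that gap, though the right fallback depends on code outside the hunk. The declarations of `vm` and `last_fence` and any locking around this update are also not visible here.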
diff --git a/queue-6.17/drm-radeon-do-not-kfree-devres-managed-rdev.patch b/queue-6.17/drm-radeon-do-not-kfree-devres-managed-rdev.patch
new file mode 100644
index 0000000000..7c5b5197ec
--- /dev/null
+++ b/queue-6.17/drm-radeon-do-not-kfree-devres-managed-rdev.patch
@@ -0,0 +1,40 @@
+From 9d794132ce3e2ac8e8e9d8eecfb6cba600b689c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Oct 2025 14:44:50 +0900
+Subject: drm/radeon: Do not kfree() devres managed rdev
+
+From: Daniel Palmer
+
+[ Upstream commit 3328443363a0895fd9c096edfe8ecd372ca9145e ]
+
+Since the allocation of the drivers main structure was changed to
+devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling
+kfree() on it.
+
+This fixes things exploding if the driver probe fails and devres cleans up
+the rdev after we already free'd it.
+
+Fixes: a9ed2f052c5c ("drm/radeon: change drm_dev_alloc to devm_drm_dev_alloc")
+Signed-off-by: Daniel Palmer
+Signed-off-by: Alex Deucher
+(cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/radeon_kms.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
+index 645e33bf7947e..ba1446acd7032 100644
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -84,7 +84,6 @@ void radeon_driver_unload_kms(struct drm_device *dev)
+ rdev->agp = NULL;
+
+ done_free:
+- kfree(rdev);
+ dev->dev_private = NULL;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.17/drm-radeon-remove-calls-to-drm_put_dev.patch b/queue-6.17/drm-radeon-remove-calls-to-drm_put_dev.patch
new file mode 100644
index 0000000000..ad312f549c
--- /dev/null
+++ b/queue-6.17/drm-radeon-remove-calls-to-drm_put_dev.patch
@@ -0,0 +1,100 @@ +From e9e4793ac31b1c32d7f4975cc0b347a280b1383e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 14:44:51 +0900 +Subject: drm/radeon: Remove calls to drm_put_dev() + +From: Daniel Palmer + +[ Upstream commit 745bae76acdd71709773c129a69deca01036250b ] + +Since the allocation of the drivers main structure was changed to +devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd +should be done by devres. + +However, drm_put_dev() is still in the probe error and device remove +paths. When the driver fails to probe warnings like the following are +shown because devres is trying to drm_put_dev() after the driver +already did it. + +[ 5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 +[ 5.649605] ------------[ cut here ]------------ +[ 5.649607] refcount_t: underflow; use-after-free. +[ 5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 + +Fixes: a9ed2f052c5c ("drm/radeon: change drm_dev_alloc to devm_drm_dev_alloc") +Signed-off-by: Daniel Palmer +Signed-off-by: Alex Deucher +(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_drv.c | 25 ++++--------------------- + 1 file changed, 4 insertions(+), 21 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index 88e821d67af77..9c8907bc61d9f 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -314,17 +314,17 @@ static int radeon_pci_probe(struct pci_dev *pdev, + + ret = pci_enable_device(pdev); + if (ret) +- goto err_free; ++ return ret; + + pci_set_drvdata(pdev, ddev); + + ret = radeon_driver_load_kms(ddev, flags); + if (ret) +- goto err_agp; ++ goto err; + + ret = drm_dev_register(ddev, flags); + if (ret) +- goto err_agp; ++ goto err; + + if (rdev->mc.real_vram_size <= (8 * 1024 * 1024)) + format = drm_format_info(DRM_FORMAT_C8); +@@ 
-337,30 +337,14 @@ static int radeon_pci_probe(struct pci_dev *pdev, + + return 0; + +-err_agp: ++err: + pci_disable_device(pdev); +-err_free: +- drm_dev_put(ddev); + return ret; + } + +-static void +-radeon_pci_remove(struct pci_dev *pdev) +-{ +- struct drm_device *dev = pci_get_drvdata(pdev); +- +- drm_put_dev(dev); +-} +- + static void + radeon_pci_shutdown(struct pci_dev *pdev) + { +- /* if we are running in a VM, make sure the device +- * torn down properly on reboot/shutdown +- */ +- if (radeon_device_is_virtual()) +- radeon_pci_remove(pdev); +- + #if defined(CONFIG_PPC64) || defined(CONFIG_MACH_LOONGSON64) + /* + * Some adapters need to be suspended before a +@@ -613,7 +597,6 @@ static struct pci_driver radeon_kms_pci_driver = { + .name = DRIVER_NAME, + .id_table = pciidlist, + .probe = radeon_pci_probe, +- .remove = radeon_pci_remove, + .shutdown = radeon_pci_shutdown, + .driver.pm = &radeon_pm_ops, + }; +-- +2.51.0 + diff --git a/queue-6.17/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch b/queue-6.17/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch new file mode 100644 index 0000000000..6c53fb1f2e --- /dev/null +++ b/queue-6.17/kunit-test_dev_action-correctly-cast-priv-pointer-to.patch 
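Review bot: With `radeon_pci_remove()` deleted and `.remove` dropped from `radeon_kms_pci_driver`, nothing in these hunks unregisters the DRM device on unbind. `drm_put_dev()` both unregistered the device and dropped the reference, whereas devm_drm_dev_alloc(), as far as I know, only arranges the final put, so it should be confirmed that `drm_dev_unregister()` still runs on removal. The same question applies to the branch removed from `radeon_pci_shutdown()`, whose comment said it existed to tear the device down properly on reboot/shutdown when running in a VM. On the `err:` path after a failed `drm_dev_register()`, only `pci_disable_device()` is called; whether what `radeon_driver_load_kms()` set up is released elsewhere is not visible here.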
@@ -0,0 +1,49 @@
+From 1c06e7d4d9779754313d2dd218835f28111d1514 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Oct 2025 11:28:14 +0200
+Subject: kunit: test_dev_action: Correctly cast 'priv' pointer to long*
+
+From: Florian Schmaus
+
+[ Upstream commit 2551a1eedc09f5a86f94b038dc1bb16855c256f1 ]
+
+The previous implementation incorrectly assumed the original type of
+'priv' was void**, leading to an unnecessary and misleading
+cast. Correct the cast of the 'priv' pointer in test_dev_action() to
+its actual type, long*, removing an unnecessary cast.
+
+As an additional benefit, this fixes an out-of-bounds CHERI fault on
+hardware with architectural capabilities. The original implementation
+tried to store a capability-sized pointer using the priv
+pointer. However, the priv pointer's capability only granted access to
+the memory region of its original long type, leading to a bounds
+violation since the size of a long is smaller than the size of a
+capability. This change ensures that the pointer usage respects the
+capabilities' bounds.
+
+Link: https://lore.kernel.org/r/20251017092814.80022-1-florian.schmaus@codasip.com
+Fixes: d03c720e03bd ("kunit: Add APIs for managing devices")
+Reviewed-by: David Gow
+Signed-off-by: Florian Schmaus
+Signed-off-by: Shuah Khan
+Signed-off-by: Sasha Levin
+---
+ lib/kunit/kunit-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/kunit/kunit-test.c b/lib/kunit/kunit-test.c
+index 8c01eabd4eaf2..63130a48e2371 100644
+--- a/lib/kunit/kunit-test.c
++++ b/lib/kunit/kunit-test.c
+@@ -739,7 +739,7 @@ static struct kunit_case kunit_current_test_cases[] = {
+
+ static void test_dev_action(void *priv)
+ {
+- *(void **)priv = (void *)1;
++ *(long *)priv = 1;
+ }
+
+ static void kunit_device_test(struct kunit *test)
+--
+2.51.0
+
diff --git a/queue-6.17/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-6.17/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644
index 0000000000..bd605ba152
--- /dev/null
+++ b/queue-6.17/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
@@ -0,0 +1,44 @@
+From caa5b7b0e148e88f461e35e34b781a74b391ce17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+ [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko
+Reviewed-by: Naveen N Rao (AMD)
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index a8f6cd4841b03..dbe32a5d02cd7 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -311,7 +311,7 @@ struct pt_regs___arm64 {
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+
+ #elif defined(bpf_target_sparc)
+--
+2.51.0
+
diff --git a/queue-6.17/net-hns3-return-error-code-when-function-fails.patch b/queue-6.17/net-hns3-return-error-code-when-function-fails.patch
new file mode 100644
index 0000000000..5c231da6e1
--- /dev/null
+++ b/queue-6.17/net-hns3-return-error-code-when-function-fails.patch
@@ -0,0 +1,87 @@ +From d51628f99aee52132ac466f198ef1a7783ed3efa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 21:13:37 +0800 +Subject: net: hns3: return error code when function fails + +From: Jijie Shao + +[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ] + +Currently, in hclge_mii_ioctl(), the operation to +read the PHY register (SIOCGMIIREG) always returns 0. + +This patch changes the return type of hclge_read_phy_reg(), +returning an error code when the function fails. + +Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs") +Signed-off-by: Jijie Shao +Reviewed-by: Alexander Lobakin +Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +-- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index f209a05e2033b..d3d17f9e5457b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -9429,8 +9429,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd) + /* this command reads phy id and register at the same time */ + fallthrough; + case SIOCGMIIREG: +- data->val_out = hclge_read_phy_reg(hdev, data->reg_num); +- return 0; ++ return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out); + + case SIOCSMIIREG: + return hclge_write_phy_reg(hdev, data->reg_num, data->val_in); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c +index 96553109f44c9..cf881108fa570 100644 +--- 
a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c +@@ -274,7 +274,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev) + phy_stop(phydev); + } + +-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr) ++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val) + { + struct hclge_phy_reg_cmd *req; + struct hclge_desc desc; +@@ -286,11 +286,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr) + req->reg_addr = cpu_to_le16(reg_addr); + + ret = hclge_cmd_send(&hdev->hw, &desc, 1); +- if (ret) ++ if (ret) { + dev_err(&hdev->pdev->dev, + "failed to read phy reg, ret = %d.\n", ret); ++ return ret; ++ } + +- return le16_to_cpu(req->reg_val); ++ *val = le16_to_cpu(req->reg_val); ++ return 0; + } + + int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val) +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h +index 4200d0b6d9317..21d434c82475b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h +@@ -13,7 +13,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle); + void hclge_mac_disconnect_phy(struct hnae3_handle *handle); + void hclge_mac_start_phy(struct hclge_dev *hdev); + void hclge_mac_stop_phy(struct hclge_dev *hdev); +-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr); ++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val); + int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val); + + #endif +-- +2.51.0 + diff --git a/queue-6.17/nvmet-auth-update-sc_c-in-host-response.patch b/queue-6.17/nvmet-auth-update-sc_c-in-host-response.patch new file mode 100644 index 0000000000..2d694fcb3b --- /dev/null +++ b/queue-6.17/nvmet-auth-update-sc_c-in-host-response.patch 
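Review bot: The new `hclge_read_phy_reg()` writes `*val` only on success, and neither the definition in hclge_mdio.c nor the prototype in hclge_mdio.h says so. In `hclge_mii_ioctl()` this means `data->val_out` keeps whatever the request structure already held when the firmware command fails, which is safe only as long as callers look at the return code first. I would document the contract above the definition, e.g. `/* Read PHY register @reg_addr into *@val; returns 0 or the error from hclge_cmd_send(), *@val is untouched on failure. */`. Both function bodies start or end outside the visible hunks.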
@@ -0,0 +1,53 @@
+From 73a2708822d00823493029ac039126892d4b97f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 09:59:24 +0200
+Subject: nvmet-auth: update sc_c in host response
+
+From: Hannes Reinecke
+
+[ Upstream commit 60ad1de8e59278656092f56e87189ec82f078d12 ]
+
+The target code should set the sc_c bit in calculating the host response
+based on the status of the 'concat' setting, otherwise we'll get an
+authentication mismatch for hosts setting that bit correctly.
+
+Fixes: 7e091add9c43 ("nvme-auth: update sc_c in host response")
+Signed-off-by: Hannes Reinecke
+Signed-off-by: Keith Busch
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/auth.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
+index b340380f38922..ceba21684e82c 100644
+--- a/drivers/nvme/target/auth.c
++++ b/drivers/nvme/target/auth.c
+@@ -298,7 +298,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
+ const char *hash_name;
+ u8 *challenge = req->sq->dhchap_c1;
+ struct nvme_dhchap_key *transformed_key;
+- u8 buf[4];
++ u8 buf[4], sc_c = ctrl->concat ? 1 : 0;
+ int ret;
+
+ hash_name = nvme_auth_hmac_name(ctrl->shash_id);
+@@ -367,13 +367,14 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
+ ret = crypto_shash_update(shash, buf, 2);
+ if (ret)
+ goto out;
+- memset(buf, 0, 4);
++ *buf = sc_c;
+ ret = crypto_shash_update(shash, buf, 1);
+ if (ret)
+ goto out;
+ ret = crypto_shash_update(shash, "HostHost", 8);
+ if (ret)
+ goto out;
++ memset(buf, 0, 4);
+ ret = crypto_shash_update(shash, ctrl->hostnqn, strlen(ctrl->hostnqn));
+ if (ret)
+ goto out;
+--
+2.51.0
+
diff --git a/queue-6.17/scsi-core-fix-the-unit-attention-counter-implementat.patch b/queue-6.17/scsi-core-fix-the-unit-attention-counter-implementat.patch
new file mode 100644
index 0000000000..a77c69b925
--- /dev/null
+++ b/queue-6.17/scsi-core-fix-the-unit-attention-counter-implementat.patch
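Review bot: In the second hunk of `nvmet_auth_host_hash()` the relocated `memset(buf, 0, 4);` now sits between two hash updates that do not read `buf`, so its purpose cannot be seen from the code. `*buf = sc_c;` overwrites only the first byte, and every byte fed into this hash has to match what the host computes or authentication fails, so the ordering deserves a comment. Presumably the memset re-zeroes `buf` for a later use beyond the hunk; if so, say it with `/* buf[0] held sc_c; clear buf again before it is reused below */`, and prefer `buf[0] = sc_c;`, which reads as a byte store into the array. The function body extends beyond both hunks, so that later use could not be checked here.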
@@ -0,0 +1,76 @@
+From 99d23a926535f4f427ffc17712eecf992fc2c1ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Oct 2025 15:02:43 -0700
+Subject: scsi: core: Fix the unit attention counter implementation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bart Van Assche
+
+[ Upstream commit d54c676d4fe0543d1642ab7a68ffdd31e8639a5d ]
+
+scsi_decide_disposition() may call scsi_check_sense().
+scsi_decide_disposition() calls are not serialized. Hence, counter
+updates by scsi_check_sense() must be serialized. Hence this patch that
+makes the counters updated by scsi_check_sense() atomic.
+
+Cc: Kai Mäkisara
+Fixes: a5d518cd4e3e ("scsi: core: Add counters for New Media and Power On/Reset UNIT ATTENTIONs")
+Signed-off-by: Bart Van Assche
+Reviewed-by: Ewan D. Milne
+Link: https://patch.msgid.link/20251014220244.3689508-1-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/scsi_error.c | 4 ++--
+ include/scsi/scsi_device.h | 10 ++++------
+ 2 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
+index 746ff6a1f309a..1c13812a3f035 100644
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -554,9 +554,9 @@ enum scsi_disposition scsi_check_sense(struct scsi_cmnd *scmd)
+ * happened, even if someone else gets the sense data.
+ */
+ if (sshdr.asc == 0x28)
+- scmd->device->ua_new_media_ctr++;
++ atomic_inc(&sdev->ua_new_media_ctr);
+ else if (sshdr.asc == 0x29)
+- scmd->device->ua_por_ctr++;
++ atomic_inc(&sdev->ua_por_ctr);
+ }
+
+ if (scsi_sense_is_deferred(&sshdr))
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index 6d6500148c4b7..993008cdea65f 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -252,8 +252,8 @@ struct scsi_device {
+ unsigned int queue_stopped; /* request queue is quiesced */
+ bool offline_already; /* Device offline message logged */
+
+- unsigned int ua_new_media_ctr; /* Counter for New Media UNIT ATTENTIONs */
+- unsigned int ua_por_ctr; /* Counter for Power On / Reset UAs */
++ atomic_t ua_new_media_ctr; /* Counter for New Media UNIT ATTENTIONs */
++ atomic_t ua_por_ctr; /* Counter for Power On / Reset UAs */
+
+ atomic_t disk_events_disable_depth; /* disable depth for disk events */
+
+@@ -693,10 +693,8 @@ static inline int scsi_device_busy(struct scsi_device *sdev)
+ }
+
+ /* Macros to access the UNIT ATTENTION counters */
+-#define scsi_get_ua_new_media_ctr(sdev) \
+- ((const unsigned int)(sdev->ua_new_media_ctr))
+-#define scsi_get_ua_por_ctr(sdev) \
+- ((const unsigned int)(sdev->ua_por_ctr))
++#define scsi_get_ua_new_media_ctr(sdev) atomic_read(&sdev->ua_new_media_ctr)
++#define scsi_get_ua_por_ctr(sdev) atomic_read(&sdev->ua_por_ctr)
+
+ #define MODULE_ALIAS_SCSI_DEVICE(type) \
+ MODULE_ALIAS("scsi:t-" __stringify(type) "*")
+--
+2.51.0
+
diff --git a/queue-6.17/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch b/queue-6.17/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
new file mode 100644
index 0000000000..bae6fbace9
--- /dev/null
+++ b/queue-6.17/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
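Review bot: The rewritten accessor macros in include/scsi/scsi_device.h expand their argument unparenthesized, `atomic_read(&sdev->ua_new_media_ctr)`, so an argument that is not a plain identifier would bind incorrectly. Writing `atomic_read(&(sdev)->ua_new_media_ctr)` and `atomic_read(&(sdev)->ua_por_ctr)` avoids that, and a `static inline` helper would also type-check the argument. The macros now yield the `int` that `atomic_read()` returns instead of `const unsigned int`, so callers that keep the value in an unsigned variable rely on an implicit conversion; those callers are outside this diff. In scsi_error.c the new lines use `sdev`, which has to be declared earlier in `scsi_check_sense()`, outside the hunk.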
@@ -0,0 +1,42 @@
+From 3edf95ddeff56efc083bbe7168adca49efd270a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 15:15:38 +0900
+Subject: scsi: ufs: core: Initialize value of an attribute returned by uic cmd
+
+From: Wonkon Kim
+
+[ Upstream commit 6fe4c679dde3075cb481beb3945269bb2ef8b19a ]
+
+If ufshcd_send_cmd() fails, *mib_val may have a garbage value. It can
+get an unintended value of an attribute.
+
+Make ufshcd_dme_get_attr() always initialize *mib_val.
+
+Fixes: 12b4fdb4f6bc ("[SCSI] ufs: add dme configuration primitives")
+Signed-off-by: Wonkon Kim
+Reviewed-by: Bart Van Assche
+Link: https://patch.msgid.link/20251020061539.28661-2-wkon.kim@samsung.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/ufs/core/ufshcd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 465e66dbe08e8..52f2c599a348e 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4278,8 +4278,8 @@ int ufshcd_dme_get_attr(struct ufs_hba *hba, u32 attr_sel,
+ get, UIC_GET_ATTR_ID(attr_sel),
+ UFS_UIC_COMMAND_RETRIES - retries);
+
+- if (mib_val && !ret)
+- *mib_val = uic_cmd.argument3;
++ if (mib_val)
++ *mib_val = ret == 0 ? uic_cmd.argument3 : 0;
+
+ if (peer && (hba->quirks & UFSHCD_QUIRK_DME_PEER_ACCESS_AUTO_MODE)
+ && pwr_mode_change)
+--
+2.51.0
+
diff --git a/queue-6.17/series b/queue-6.17/series
index c542a8fec9..8b7a893086 100644
--- a/queue-6.17/series
+++ b/queue-6.17/series
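Review bot: `*mib_val` is now set to 0 when the UIC command fails, and 0 may also be a legitimate attribute value, so the stored value alone no longer tells a caller whether the read worked. The change closes the uninitialized-read path described in the commit message, but only the return code separates the two cases. A short comment at the assignment would keep that visible, e.g. `/* On failure store 0 so callers never see stale data; check the return value. */`. Parenthesizing the condition, `*mib_val = (ret == 0) ? uic_cmd.argument3 : 0;`, would also read more easily. `ufshcd_dme_get_attr()` begins and ends outside the hunk.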
@@ -26,3 +26,61 @@ smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch
 x86-build-disable-sse4a.patch
 x86-cpu-amd-add-rdseed-fix-for-zen5.patch
 x86-fpu-ensure-xfd-state-on-signal-delivery.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
+wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
+wifi-ath11k-avoid-bit-operation-on-key-flags.patch
+drm-msm-fix-gem-free-for-imported-dma-bufs.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+drm-msm-make-sure-last_fence-is-always-updated.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+wifi-iwlwifi-fix-potential-use-after-free-in-iwl_mld.patch
+asoc-cs-amp-lib-test-fix-missing-include-of-kunit-te.patch
+wifi-mac80211-reset-fils-discovery-and-unsol-probe-r.patch
+wifi-mac80211-fix-key-tailroom-accounting-leak.patch
+wifi-nl80211-call-kfree-without-a-null-check.patch
+kunit-test_dev_action-correctly-cast-priv-pointer-to.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
+scsi-core-fix-the-unit-attention-counter-implementat.patch
+bpf-do-not-audit-capability-check-in-do_jit.patch
+nvmet-auth-update-sc_c-in-host-response.patch
+crypto-s390-phmac-do-not-modify-the-req-nbytes-value.patch
+crypto-aspeed-fix-double-free-caused-by-devm.patch
+asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
+asoc-intel-avs-disable-periods-elapsed-work-when-clo.patch
+asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
+asoc-fsl_micfil-correct-the-endian-format-for-dsd.patch
+libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
+asoc-mediatek-fix-double-pm_runtime_disable-in-remov.patch
+usbnet-prevents-free-active-kevent.patch
+bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
+bluetooth-iso-fix-bis-connection-dst_type-handling.patch
+bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
+bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
+bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_me.patch
+bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
+bluetooth-btintel_pcie-fix-event-packet-loss-issue.patch
+bluetooth-hci_conn-fix-connection-cleanup-with-big-w.patch
+bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
+bpf-conditionally-include-dynptr-copy-kfuncs.patch
+drm-msm-ensure-vm-is-created-in-vm_bind-ioctl.patch
+alsa-usb-audio-add-mono-main-switch-to-presonus-s182.patch
+alsa-usb-audio-don-t-log-messages-meant-for-1810c-wh.patch
+acpi-mrrm-check-revision-of-mrrm-table.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+tools-ynl-fix-string-attribute-length-to-include-nul.patch
+net-hns3-return-error-code-when-function-fails.patch
+sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
+tools-ynl-avoid-print_field-when-there-is-no-reply.patch
+dpll-spec-add-missing-module-name-and-clock-id-to-pi.patch
+asoc-fsl_sai-fix-sync-error-in-consumer-mode.patch
+asoc-soc_sdw_utils-remove-cs42l43-component_name.patch
+drm-radeon-do-not-kfree-devres-managed-rdev.patch
+drm-radeon-remove-calls-to-drm_put_dev.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933
+drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch
+drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch
+drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch
diff --git a/queue-6.17/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch b/queue-6.17/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
new file mode 100644
index 0000000000..e6eccb2f41
--- /dev/null
+++ b/queue-6.17/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
@@ -0,0 +1,51 @@
+From c7fb25b152d30651571993227245d4576a9cfbae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 19:48:42 +0530
+Subject: sfc: fix potential memory leak in efx_mae_process_mport()
+
+From: Abdun Nihaal
+
+[ Upstream commit 46a499aaf8c27476fd05e800f3e947bfd71aa724 ]
+
+In efx_mae_enumerate_mports(), memory allocated for mae_mport_desc is
+passed as a argument to efx_mae_process_mport(), but when the error path
+in efx_mae_process_mport() gets executed, the memory allocated for desc
+gets leaked.
+
+Fix that by freeing the memory allocation before returning error.
+
+Fixes: a6a15aca4207 ("sfc: enumerate mports in ef100")
+Acked-by: Edward Cree
+Signed-off-by: Abdun Nihaal
+Link: https://patch.msgid.link/20251023141844.25847-1-nihaal@cse.iitm.ac.in
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sfc/mae.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/sfc/mae.c b/drivers/net/ethernet/sfc/mae.c
+index 6fd0c1e9a7d54..7cfd9000f79de 100644
+--- a/drivers/net/ethernet/sfc/mae.c
++++ b/drivers/net/ethernet/sfc/mae.c
+@@ -1090,6 +1090,9 @@ void efx_mae_remove_mport(void *desc, void *arg)
+ kfree(mport);
+ }
+
++/*
++ * Takes ownership of @desc, even if it returns an error
++ */
+ static int efx_mae_process_mport(struct efx_nic *efx,
+ struct mae_mport_desc *desc)
+ {
+@@ -1100,6 +1103,7 @@ static int efx_mae_process_mport(struct efx_nic *efx,
+ if (!IS_ERR_OR_NULL(mport)) {
+ netif_err(efx, drv, efx->net_dev,
+ "mport with id %u does exist!!!\n", desc->mport_id);
++ kfree(desc);
+ return -EEXIST;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.17/tools-ynl-avoid-print_field-when-there-is-no-reply.patch b/queue-6.17/tools-ynl-avoid-print_field-when-there-is-no-reply.patch
new file mode 100644
index 0000000000..9904f2b8b9
--- /dev/null
+++ b/queue-6.17/tools-ynl-avoid-print_field-when-there-is-no-reply.patch
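Review bot: The new ownership comment on `efx_mae_process_mport()` promises that `desc` is consumed on every error return, but the hunk only shows `kfree(desc)` being added to the `-EEXIST` path. The rest of the function lies outside the hunk, so any other failure return there needs the same treatment for the comment to hold. The caller named in the commit message, `efx_mae_enumerate_mports()`, must likewise not free or dereference `desc` after the call, otherwise the leak turns into a double free or use-after-free. I would put that in the comment itself: `/* Takes ownership of @desc, even on error; the caller must not touch @desc after this returns. */`.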
@@ -0,0 +1,43 @@
+From cdc99c3a8b1ee8c964fbe91d4379af5ffd521f38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Oct 2025 12:58:53 +0000
+Subject: tools: ynl: avoid print_field when there is no reply
+
+From: Hangbin Liu
+
+[ Upstream commit e3966940559d52aa1800a008dcfeec218dd31f88 ]
+
+When request a none support device operation, there will be no reply.
+In this case, the len(desc) check will always be true, causing print_field
+to enter an infinite loop and crash the program. Example reproducer:
+
+ # ethtool.py -c veth0
+
+To fix this, return immediately if there is no reply.
+
+Fixes: f3d07b02b2b8 ("tools: ynl: ethtool testing tool")
+Signed-off-by: Hangbin Liu
+Link: https://patch.msgid.link/20251024125853.102916-1-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/net/ynl/pyynl/ethtool.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/net/ynl/pyynl/ethtool.py b/tools/net/ynl/pyynl/ethtool.py
+index cab6b576c8762..87bb561080056 100755
+--- a/tools/net/ynl/pyynl/ethtool.py
++++ b/tools/net/ynl/pyynl/ethtool.py
+@@ -45,6 +45,9 @@ def print_field(reply, *desc):
+ Pretty-print a set of fields from the reply. desc specifies the
+ fields and the optional type (bool/yn).
+ """
++ if not reply:
++ return
++
+ if len(desc) == 0:
+ return print_field(reply, *zip(reply.keys(), reply.keys()))
+
+--
+2.51.0
+
diff --git a/queue-6.17/tools-ynl-fix-string-attribute-length-to-include-nul.patch b/queue-6.17/tools-ynl-fix-string-attribute-length-to-include-nul.patch
new file mode 100644
index 0000000000..eaeb4d9979
--- /dev/null
+++ b/queue-6.17/tools-ynl-fix-string-attribute-length-to-include-nul.patch
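Review bot: The early `if not reply: return` in `print_field()` makes an unsupported operation produce no output at all, and the docstring above it still describes only the formatting behaviour. Extending the docstring with a line such as `Does nothing when reply is empty or None.` documents the guard. Printing a short notice before returning would also tell the user that the device gave no reply instead of exiting silently. The function body continues past the hunk.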
@@ -0,0 +1,75 @@
+From 219dc9751ce7cb01d9ff1960de588f4216dfa7e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Oct 2025 15:24:38 +0200
+Subject: tools: ynl: fix string attribute length to include null terminator
+
+From: Petr Oros
+
+[ Upstream commit 65f9c4c5888913c2cf5d2fc9454c83f9930d537d ]
+
+The ynl_attr_put_str() function was not including the null terminator
+in the attribute length calculation. This caused kernel to reject
+CTRL_CMD_GETFAMILY requests with EINVAL:
+"Attribute failed policy validation".
+
+For a 4-character family name like "dpll":
+- Sent: nla_len=8 (4 byte header + 4 byte string without null)
+- Expected: nla_len=9 (4 byte header + 5 byte string with null)
+
+The bug was introduced in commit 15d2540e0d62 ("tools: ynl: check for
+overflow of constructed messages") when refactoring from stpcpy() to
+strlen(). The original code correctly included the null terminator:
+
+ end = stpcpy(ynl_attr_data(attr), str);
+ attr->nla_len = NLA_HDRLEN + NLA_ALIGN(end -
+ (char *)ynl_attr_data(attr));
+
+Since stpcpy() returns a pointer past the null terminator, the length
+included it. The refactored version using strlen() omitted the +1.
+
+The fix also removes NLA_ALIGN() from nla_len calculation, since
+nla_len should contain actual attribute length, not aligned length.
+Alignment is only for calculating next attribute position. This makes
+the code consistent with ynl_attr_put().
+
+CTRL_ATTR_FAMILY_NAME uses NLA_NUL_STRING policy which requires
+null terminator. Kernel validates with memchr() and rejects if not
+found.
+
+Fixes: 15d2540e0d62 ("tools: ynl: check for overflow of constructed messages")
+Signed-off-by: Petr Oros
+Tested-by: Ivan Vecera
+Reviewed-by: Ivan Vecera
+Link: https://lore.kernel.org/20251018151737.365485-3-zahari.doychev@linux.com
+Link: https://patch.msgid.link/20251024132438.351290-1-poros@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/net/ynl/lib/ynl-priv.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/net/ynl/lib/ynl-priv.h b/tools/net/ynl/lib/ynl-priv.h
+index 824777d7e05ea..fca519d7ec9a7 100644
+--- a/tools/net/ynl/lib/ynl-priv.h
++++ b/tools/net/ynl/lib/ynl-priv.h
+@@ -314,7 +314,7 @@ ynl_attr_put_str(struct nlmsghdr *nlh, unsigned int attr_type, const char *str)
+ struct nlattr *attr;
+ size_t len;
+
+- len = strlen(str);
++ len = strlen(str) + 1;
+ if (__ynl_attr_put_overflow(nlh, len))
+ return;
+
+@@ -322,7 +322,7 @@ ynl_attr_put_str(struct nlmsghdr *nlh, unsigned int attr_type, const char *str)
+ attr->nla_type = attr_type;
+
+ strcpy((char *)ynl_attr_data(attr), str);
+- attr->nla_len = NLA_HDRLEN + NLA_ALIGN(len);
++ attr->nla_len = NLA_HDRLEN + len;
+
+ nlh->nlmsg_len += NLMSG_ALIGN(attr->nla_len);
+ }
+--
+2.51.0
+
diff --git a/queue-6.17/usbnet-prevents-free-active-kevent.patch b/queue-6.17/usbnet-prevents-free-active-kevent.patch
new file mode 100644
index 0000000000..acf8f885cd
--- /dev/null
+++ b/queue-6.17/usbnet-prevents-free-active-kevent.patch
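Review bot: In `ynl_attr_put_str()` the copy is still done with `strcpy()` while the bounds check and `nla_len` are both computed from `len`, so the write is bounded only because the two happen to agree. Since `len` now includes the terminator, `memcpy(ynl_attr_data(attr), str, len);` would tie the copy to the checked length. `nla_len` is a 16-bit field, so `NLA_HDRLEN + len` is truncated for very long strings unless `__ynl_attr_put_overflow()`, which is defined outside these hunks, already rejects them. The function's signature and opening lines are outside the first hunk.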
@@ -0,0 +1,50 @@
+From f66b6edfada66de4efe5ad557c475f973c75535c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index bf01f27285318..697cd9d866d3d 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1659,6 +1659,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+ net = dev->net;
+ unregister_netdev (net);
+
++ cancel_work_sync(&dev->kevent);
++
+ while ((urb = usb_get_from_anchor(&dev->deferred))) {
+ dev_kfree_skb(urb->context);
+ kfree(urb->sg);
+--
+2.51.0
+
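Review bot: The added `cancel_work_sync(&dev->kevent);` in `usbnet_disconnect()` carries no comment saying why it is needed after `unregister_netdev()`, and the reason is not obvious from the code. Per the commit message, `ndo_stop()` cancels kevent only when the interface was up, so a device that was probed but never opened can reach `free_netdev()` with the work still queued. I would record that next to the call: `/* ndo_stop() is skipped if the device was never up; make sure kevent is not pending before the netdev is freed */`. Whether anything can queue kevent again between this call and the free further down cannot be judged from the hunk, because the rest of the function is outside it.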
diff --git a/queue-6.17/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-6.17/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644
index 0000000000..e796b38a1e
--- /dev/null
+++ b/queue-6.17/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
@@ -0,0 +1,41 @@
+From 26a778bde0ebea9cbb4585bf1182bc2002955386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson
+Signed-off-by: Loic Poulain
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index e595b0979a56d..b3b00d324075b 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1937,6 +1937,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+ if (cmd_id == WMI_CMD_UNSUPPORTED) {
+ ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+ cmd_id);
++ dev_kfree_skb_any(skb);
+ return ret;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.17/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch b/queue-6.17/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
new file mode 100644
index 0000000000..f52cc5bbc9
--- /dev/null
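Review bot: `ath10k_wmi_cmd_send()` now frees `skb` on the unsupported-command path, yet nothing at the function states that it consumes the buffer on every return. The commit message says the function takes ownership of `skb`; without that being written at the definition, a caller that frees `skb` after an error return would turn this fix into a double free. A one-line comment above the function, such as `/* Consumes @skb on both success and failure. */`, would make the contract explicit. The value of `ret` returned on this path is set outside the hunk.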
+++ b/queue-6.17/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch 
@@ -0,0 +1,126 @@
+From 7dfe8c053dac0f28b922d24ed04acecb1a924ee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 15:21:35 -0400
+Subject: wifi: ath11k: Add missing platform IDs for quirk table
+
+From: Mark Pearson
+
+[ Upstream commit 0eb002c93c3b47f88244cecb1e356eaeab61a6bf ]
+
+Lenovo platforms can come with one of two different IDs.
+The pm_quirk table was missing the second ID for each platform.
+
+Add missing ID and some extra platform identification comments.
+Reported on https://bugzilla.kernel.org/show_bug.cgi?id=219196
+
+Tested-on: P14s G4 AMD.
+
+Fixes: ce8669a27016 ("wifi: ath11k: determine PM policy based on machine model")
+Signed-off-by: Mark Pearson
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219196
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250929192146.1789648-1-mpearson-lenovo@squebb.ca
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath11k/core.c | 54 +++++++++++++++++++++++---
+ 1 file changed, 48 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 2810752260f2f..812686173ac8a 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -912,42 +912,84 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+ static const struct dmi_system_id ath11k_pm_quirk_table[] = {
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* X13 G4 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21J3"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* X13 G4 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21J4"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* T14 G4 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21K3"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* T14 G4 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21K4"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* P14s G4 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21K5"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* P14s G4 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21K6"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* T16 G2 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21K7"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* T16 G2 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21K8"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* P16s G2 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21K9"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* P16s G2 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21KA"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* T14s G4 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21F8"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* T14s G4 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21F9"),
+ },
+--
+2.51.0
+
diff --git a/queue-6.17/wifi-ath11k-avoid-bit-operation-on-key-flags.patch b/queue-6.17/wifi-ath11k-avoid-bit-operation-on-key-flags.patch
new file mode 100644
index 0000000000..4eda3e0a0e
--- /dev/null
+++ b/queue-6.17/wifi-ath11k-avoid-bit-operation-on-key-flags.patch
@@ -0,0 +1,83 @@
+From 42cd6d8894be0e6d4deded905a050697dc0b4770 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Oct 2025 14:51:58 +0530
+Subject: wifi: ath11k: avoid bit operation on key flags
+
+From: Rameshkumar Sundaram
+
+[ Upstream commit 9c78e747dd4fee6c36fcc926212e20032055cf9d ]
+
+Bitwise operations with WMI_KEY_PAIRWISE (defined as 0) are ineffective
+and misleading. This results in pairwise key validations added in
+commit 97acb0259cc9 ("wifi: ath11k: fix group data packet drops
+during rekey") to always evaluate false and clear key commands for
+pairwise keys are not honored.
+
+Since firmware supports overwriting the new key without explicitly
+clearing the previous one, there is no visible impact currently.
+However, to restore consistency with the previous behavior and improve
+clarity, replace bitwise operations with direct assignments and
+comparisons for key flags.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/linux-wireless/aLlaetkalDvWcB7b@stanley.mountain
+Fixes: 97acb0259cc9 ("wifi: ath11k: fix group data packet drops during rekey")
+Signed-off-by: Rameshkumar Sundaram
+Reviewed-by: Vasanthakumar Thiagarajan
+Link: https://patch.msgid.link/20251003092158.1080637-1-rameshkumar.sundaram@oss.qualcomm.com
+[update copyright per current guidance]
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 106e2530b64e9..0e41b5a91d66d 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -1,7 +1,7 @@
+ // SPDX-License-Identifier: BSD-3-Clause-Clear
+ /*
+ * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+- * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+ */
+
+ #include
+@@ -4417,9 +4417,9 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ }
+
+ if (key->flags & IEEE80211_KEY_FLAG_PAIRWISE)
+- flags |= WMI_KEY_PAIRWISE;
++ flags = WMI_KEY_PAIRWISE;
+ else
+- flags |= WMI_KEY_GROUP;
++ flags = WMI_KEY_GROUP;
+
+ ath11k_dbg(ar->ab, ATH11K_DBG_MAC,
+ "%s for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n",
+@@ -4456,7 +4456,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+
+ is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP &&
+ !arvif->num_stations);
+- if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) {
++ if (flags == WMI_KEY_PAIRWISE || cmd == SET_KEY || is_ap_with_no_sta) {
+ ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
+ if (ret) {
+ ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
+@@ -4470,7 +4470,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ goto exit;
+ }
+
+- if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta)
++ if (flags == WMI_KEY_GROUP && cmd == SET_KEY && is_ap_with_no_sta)
+ arvif->reinstall_group_keys = true;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.17/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch b/queue-6.17/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
new file mode 100644
index 0000000000..40d49bfb93
--- /dev/null
+++ b/queue-6.17/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
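Review bot: In `ath11k_mac_op_set_key()` `flags` is now assigned and compared by value, but nothing in the code says why bit tests are wrong here. The commit message notes that `WMI_KEY_PAIRWISE` is defined as 0, so a later edit that reintroduces `flags & WMI_KEY_PAIRWISE` would silently disable the pairwise branch again. A comment at the assignment would guard against that: `/* WMI_KEY_PAIRWISE is 0: these are values, not bit flags; compare with == */`. The plain assignment also discards anything stored in `flags` earlier in the function, which is outside the hunks and should be confirmed to be nothing.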
@@ -0,0 +1,107 @@ +From 1a7bf410430a52c13123122b0ad4d920c6446883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Sep 2025 15:03:16 -0700 +Subject: wifi: ath12k: free skb during idr cleanup callback + +From: Karthik M + +[ Upstream commit 92282074e1d2e7b6da5c05fe38a7cc974187fe14 ] + +ath12k just like ath11k [1] did not handle skb cleanup during idr +cleanup callback. Both ath12k_mac_vif_txmgmt_idr_remove() and +ath12k_mac_tx_mgmt_pending_free() performed idr cleanup and DMA +unmapping for skb but only ath12k_mac_tx_mgmt_pending_free() freed +skb. As a result, during vdev deletion a memory leak occurs. + +Refactor all clean up steps into a new function. New function +ath12k_mac_tx_mgmt_free() creates a centralized area where idr +cleanup, DMA unmapping for skb and freeing skb is performed. Utilize +skb pointer given by idr_remove(), instead of passed as a function +argument because IDR will be protected by locking. This will prevent +concurrent modification of the same IDR. + +Now ath12k_mac_tx_mgmt_pending_free() and +ath12k_mac_vif_txmgmt_idr_remove() call ath12k_mac_tx_mgmt_free(). 
+ +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 + +Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com > # [1] +Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") +Signed-off-by: Karthik M +Signed-off-by: Muna Sinada +Reviewed-by: Vasanthakumar Thiagarajan +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250923220316.1595758-1-muna.sinada@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 34 ++++++++++++++------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index 2644b5d4b0bc8..d717e74b01c89 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -8304,23 +8304,32 @@ static void ath12k_mgmt_over_wmi_tx_drop(struct ath12k *ar, struct sk_buff *skb) + wake_up(&ar->txmgmt_empty_waitq); + } + +-int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx) ++static void ath12k_mac_tx_mgmt_free(struct ath12k *ar, int buf_id) + { +- struct sk_buff *msdu = skb; ++ struct sk_buff *msdu; + struct ieee80211_tx_info *info; +- struct ath12k *ar = ctx; +- struct ath12k_base *ab = ar->ab; + + spin_lock_bh(&ar->txmgmt_idr_lock); +- idr_remove(&ar->txmgmt_idr, buf_id); ++ msdu = idr_remove(&ar->txmgmt_idr, buf_id); + spin_unlock_bh(&ar->txmgmt_idr_lock); +- dma_unmap_single(ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len, ++ ++ if (!msdu) ++ return; ++ ++ dma_unmap_single(ar->ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len, + DMA_TO_DEVICE); + + info = IEEE80211_SKB_CB(msdu); + memset(&info->status, 0, sizeof(info->status)); + +- ath12k_mgmt_over_wmi_tx_drop(ar, skb); ++ ath12k_mgmt_over_wmi_tx_drop(ar, msdu); ++} ++ ++int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx) ++{ ++ struct ath12k *ar = ctx; ++ ++ ath12k_mac_tx_mgmt_free(ar, 
buf_id); + + return 0; + } +@@ -8329,17 +8338,10 @@ static int ath12k_mac_vif_txmgmt_idr_remove(int buf_id, void *skb, void *ctx) + { + struct ieee80211_vif *vif = ctx; + struct ath12k_skb_cb *skb_cb = ATH12K_SKB_CB(skb); +- struct sk_buff *msdu = skb; + struct ath12k *ar = skb_cb->ar; +- struct ath12k_base *ab = ar->ab; + +- if (skb_cb->vif == vif) { +- spin_lock_bh(&ar->txmgmt_idr_lock); +- idr_remove(&ar->txmgmt_idr, buf_id); +- spin_unlock_bh(&ar->txmgmt_idr_lock); +- dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len, +- DMA_TO_DEVICE); +- } ++ if (skb_cb->vif == vif) ++ ath12k_mac_tx_mgmt_free(ar, buf_id); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.17/wifi-iwlwifi-fix-potential-use-after-free-in-iwl_mld.patch b/queue-6.17/wifi-iwlwifi-fix-potential-use-after-free-in-iwl_mld.patch new file mode 100644 index 0000000000..e491a86748 --- /dev/null +++ b/queue-6.17/wifi-iwlwifi-fix-potential-use-after-free-in-iwl_mld.patch 
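Review bot: `ath12k_mac_vif_txmgmt_idr_remove()` still reads `skb_cb->ar` and `skb_cb->vif` through the callback's `skb` argument before `ath12k_mac_tx_mgmt_free()` takes `txmgmt_idr_lock`, so only the removal itself is covered by the lock. If another path can remove and free the same `buf_id` while this callback runs, those two reads touch a buffer that has already been freed. Whether that can happen depends on the callers, which are outside the hunk. Either move the vif comparison into the locked section, or add a comment on the callback stating the assumption it relies on, such as `/* no concurrent tx completion for this vif while the idr is walked */` if that is indeed guaranteed.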
@@ -0,0 +1,50 @@ +From 5597b48255c0bc23a65767ddad3438cf0fc62022 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Sep 2025 14:20:16 +0300 +Subject: wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link() + +From: Dan Carpenter + +[ Upstream commit 77e67d5daaf155f7d0f99f4e797c4842169ec19e ] + +This code frees "link" by calling kfree_rcu(link, rcu_head) and then it +dereferences "link" to get the "link->fw_id". Save the "link->fw_id" +first to avoid a potential use after free. + +Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/aNKCcKlbSkkS4_gO@stanley.mountain +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mld/link.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mld/link.c b/drivers/net/wireless/intel/iwlwifi/mld/link.c +index 782fc41aa1c31..960dcd208f005 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mld/link.c ++++ b/drivers/net/wireless/intel/iwlwifi/mld/link.c +@@ -501,6 +501,7 @@ void iwl_mld_remove_link(struct iwl_mld *mld, + struct iwl_mld_vif *mld_vif = iwl_mld_vif_from_mac80211(bss_conf->vif); + struct iwl_mld_link *link = iwl_mld_link_from_mac80211(bss_conf); + bool is_deflink = link == &mld_vif->deflink; ++ u8 fw_id = link->fw_id; + + if (WARN_ON(!link || link->active)) + return; +@@ -513,10 +514,10 @@ void iwl_mld_remove_link(struct iwl_mld *mld, + + RCU_INIT_POINTER(mld_vif->link[bss_conf->link_id], NULL); + +- if (WARN_ON(link->fw_id >= mld->fw->ucode_capa.num_links)) ++ if (WARN_ON(fw_id >= mld->fw->ucode_capa.num_links)) + return; + +- RCU_INIT_POINTER(mld->fw_id_to_bss_conf[link->fw_id], NULL); ++ RCU_INIT_POINTER(mld->fw_id_to_bss_conf[fw_id], NULL); + } + + void iwl_mld_handle_missed_beacon_notif(struct iwl_mld *mld, +-- +2.51.0 + 
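Review bot: In `iwl_mld_remove_link()` the new initializer `u8 fw_id = link->fw_id;` dereferences `link` before the existing `WARN_ON(!link || link->active)` check, so a NULL `link` now faults at the declaration instead of reaching the warning. Declare `u8 fw_id;` without an initializer and assign `fw_id = link->fw_id;` immediately after the `WARN_ON` return, which is still ahead of the free described in the commit message. The function's signature and the free itself lie outside the lines shown. The type of `fw_id` in `struct iwl_mld_link` is not visible here either, so `u8` should be checked against the struct.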
diff --git a/queue-6.17/wifi-mac80211-fix-key-tailroom-accounting-leak.patch b/queue-6.17/wifi-mac80211-fix-key-tailroom-accounting-leak.patch new file mode 100644 index 0000000000..17d8895ce6 --- /dev/null +++ b/queue-6.17/wifi-mac80211-fix-key-tailroom-accounting-leak.patch 
@@ -0,0 +1,52 @@ +From e8c9e9615005e3bde16163431559ff612a9deb9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Oct 2025 11:54:27 +0300 +Subject: wifi: mac80211: fix key tailroom accounting leak + +From: Johannes Berg + +[ Upstream commit ed6a47346ec69e7f1659e0a1a3558293f60d5dd7 ] + +For keys added by ieee80211_gtk_rekey_add(), we assume that +they're already present in the hardware and set the flag +KEY_FLAG_UPLOADED_TO_HARDWARE. However, setting this flag +needs to be paired with decrementing the tailroom needed, +which was missed. + +Fixes: f52a0b408ed1 ("wifi: mac80211: mark keys as uploaded when added by the driver") +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20251019115358.c88eafb4083e.I69e9d4d78a756a133668c55b5570cf15a4b0e6a4@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/key.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index b14e9cd9713ff..d5da7ccea66e0 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -508,11 +508,16 @@ static int ieee80211_key_replace(struct ieee80211_sub_if_data *sdata, + ret = ieee80211_key_enable_hw_accel(new); + } + } else { +- if (!new->local->wowlan) ++ if (!new->local->wowlan) { + ret = ieee80211_key_enable_hw_accel(new); +- else if (link_id < 0 || !sdata->vif.active_links || +- BIT(link_id) & sdata->vif.active_links) ++ } else if (link_id < 0 || !sdata->vif.active_links || ++ BIT(link_id) & sdata->vif.active_links) { + new->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE; ++ if (!(new->conf.flags & (IEEE80211_KEY_FLAG_GENERATE_MMIC | ++ IEEE80211_KEY_FLAG_PUT_MIC_SPACE | ++ IEEE80211_KEY_FLAG_RESERVE_TAILROOM))) ++ decrease_tailroom_need_count(sdata, 1); ++ } + } + + if (ret) +-- +2.51.0 + 
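Review bot: In `ieee80211_key_replace()` the new `decrease_tailroom_need_count(sdata, 1)` call is guarded by a three-flag mask written out inline, with no comment tying it to the `KEY_FLAG_UPLOADED_TO_HARDWARE` assignment above it. If the hardware-acceleration path applies the same condition (it is outside the hunk, so this is an assumption), the two copies can drift apart and bring the accounting leak back. A comment such as `/* key counts as uploaded: drop its tailroom need unless the driver asked for MIC/tailroom space */` would document the pairing. Sharing one helper for the flag test would be the stronger fix.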
diff --git a/queue-6.17/wifi-mac80211-reset-fils-discovery-and-unsol-probe-r.patch b/queue-6.17/wifi-mac80211-reset-fils-discovery-and-unsol-probe-r.patch new file mode 100644 index 0000000000..270d7b9559 --- /dev/null +++ b/queue-6.17/wifi-mac80211-reset-fils-discovery-and-unsol-probe-r.patch 
@@ -0,0 +1,52 @@ +From ab390dab7004b6f7fcab3172b59b85d70b178f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Sep 2025 18:30:14 +0530 +Subject: wifi: mac80211: reset FILS discovery and unsol probe resp intervals + +From: Aloka Dixit + +[ Upstream commit 607844761454e3c17e928002e126ccf21c83f6aa ] + +When ieee80211_stop_ap() deletes the FILS discovery and unsolicited +broadcast probe response templates, the associated interval values +are not reset. This can lead to drivers subsequently operating with +the non-zero values, leading to unexpected behavior. + +Trigger repeated retrieval attempts of the FILS discovery template in +ath12k, resulting in excessive log messages such as: + +mac vdev 0 failed to retrieve FILS discovery template +mac vdev 4 failed to retrieve FILS discovery template + +Fix this by resetting the intervals in ieee80211_stop_ap() to ensure +proper cleanup of FILS discovery and unsolicited broadcast probe +response templates. + +Fixes: 295b02c4be74 ("mac80211: Add FILS discovery support") +Fixes: 632189a0180f ("mac80211: Unsolicited broadcast probe response support") +Signed-off-by: Aloka Dixit +Signed-off-by: Aaradhana Sahu +Link: https://patch.msgid.link/20250924130014.2575533-1-aaradhana.sahu@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 7609c7c31df74..e5e82e0b48ff1 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1772,6 +1772,9 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev, + link_conf->nontransmitted = false; + link_conf->ema_ap = false; + link_conf->bssid_indicator = 0; ++ link_conf->fils_discovery.min_interval = 0; ++ link_conf->fils_discovery.max_interval = 0; ++ link_conf->unsol_bcast_probe_resp_interval = 0; + + __sta_info_flush(sdata, true, link_id, NULL); + +-- +2.51.0 + 
diff --git a/queue-6.17/wifi-nl80211-call-kfree-without-a-null-check.patch b/queue-6.17/wifi-nl80211-call-kfree-without-a-null-check.patch new file mode 100644 index 0000000000..2cb609d63b --- /dev/null +++ b/queue-6.17/wifi-nl80211-call-kfree-without-a-null-check.patch @@ -0,0 +1,42 @@ +From 92f94611e4aa47a5164b4d2eae9dea9ea1c56155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Oct 2025 10:57:45 +0300 +Subject: wifi: nl80211: call kfree without a NULL check + +From: Emmanuel Grumbach + +[ Upstream commit 249e1443e3d57e059925bdb698f53e4d008fc106 ] + +Coverity is unhappy because we may leak old_radio_rts_threshold. Since +this pointer is only valid in the context of the function and kfree is +NULL pointer safe, don't check and just call kfree. +Note that somehow, we were checking old_rts_threshold to free +old_radio_rts_threshold which is a bit odd. + +Fixes: 264637941cf4 ("wifi: cfg80211: Add Support to Set RTS Threshold for each Radio") +Reviewed-by: Johannes Berg +Signed-off-by: Emmanuel Grumbach +Link: https://patch.msgid.link/20251020075745.44168-1-emmanuel.grumbach@intel.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 852573423e52d..46b29ed0bd2e4 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -4012,8 +4012,7 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info) + rdev->wiphy.txq_quantum = old_txq_quantum; + } + +- if (old_rts_threshold) +- kfree(old_radio_rts_threshold); ++ kfree(old_radio_rts_threshold); + return result; + } + +-- +2.51.0 + diff --git a/queue-6.6/alsa-usb-audio-fix-control-pipe-direction.patch b/queue-6.6/alsa-usb-audio-fix-control-pipe-direction.patch new file mode 100644 index 0000000000..99f323775e --- /dev/null +++ b/queue-6.6/alsa-usb-audio-fix-control-pipe-direction.patch 
@@ -0,0 +1,37 @@ +From 8ae79a91ad0f0f5871f0a9526106d26f0c2559f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 19:18:22 +0200 +Subject: ALSA: usb-audio: fix control pipe direction + +From: Roy Vegard Ovesen + +[ Upstream commit 7963891f7c9c6f759cc9ab7da71406b4234f3dd6 ] + +Since the requesttype has USB_DIR_OUT the pipe should be +constructed with usb_sndctrlpipe(). + +Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c") +Signed-off-by: Roy Vegard Ovesen +Link: https://patch.msgid.link/aPPL3tBFE_oU-JHv@ark +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_s1810c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/mixer_s1810c.c b/sound/usb/mixer_s1810c.c +index fac4bbc6b2757..65bdda0841048 100644 +--- a/sound/usb/mixer_s1810c.c ++++ b/sound/usb/mixer_s1810c.c +@@ -181,7 +181,7 @@ snd_sc1810c_get_status_field(struct usb_device *dev, + + pkt_out.fields[SC1810C_STATE_F1_IDX] = SC1810C_SET_STATE_F1; + pkt_out.fields[SC1810C_STATE_F2_IDX] = SC1810C_SET_STATE_F2; +- ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), ++ ret = snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), + SC1810C_SET_STATE_REQ, + SC1810C_SET_STATE_REQTYPE, + (*seqnum), 0, &pkt_out, sizeof(pkt_out)); +-- +2.51.0 + diff --git a/queue-6.6/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch b/queue-6.6/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch new file mode 100644 index 0000000000..6387a8bdc7 --- /dev/null +++ b/queue-6.6/asoc-fsl_sai-fix-bit-order-for-dsd-format.patch 
@@ -0,0 +1,46 @@ +From 2f3398b5efe322049cb0a9e0226960e2a0080c81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 14:45:37 +0800 +Subject: ASoC: fsl_sai: fix bit order for DSD format + +From: Shengjiu Wang + +[ Upstream commit d9fbe5b0bf7e2d1e20d53e4e2274f9f61bdcca98 ] + +The DSD little endian format requires the msb first, because oldest bit +is in msb. +found this issue by testing with pipewire. + +Fixes: c111c2ddb3fd ("ASoC: fsl_sai: Add PDM daifmt support") +Signed-off-by: Shengjiu Wang +Link: https://patch.msgid.link/20251023064538.368850-2-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_sai.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index a6948a57636ab..0de878d64a3bd 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -322,7 +322,6 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai, + break; + case SND_SOC_DAIFMT_PDM: + val_cr2 |= FSL_SAI_CR2_BCP; +- val_cr4 &= ~FSL_SAI_CR4_MF; + sai->is_pdm_mode = true; + break; + case SND_SOC_DAIFMT_RIGHT_J: +@@ -597,7 +596,7 @@ static int fsl_sai_hw_params(struct snd_pcm_substream *substream, + val_cr5 |= FSL_SAI_CR5_WNW(slot_width); + val_cr5 |= FSL_SAI_CR5_W0W(slot_width); + +- if (sai->is_lsb_first || sai->is_pdm_mode) ++ if (sai->is_lsb_first) + val_cr5 |= FSL_SAI_CR5_FBT(0); + else + val_cr5 |= FSL_SAI_CR5_FBT(word_width - 1); +-- +2.51.0 + diff --git a/queue-6.6/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch b/queue-6.6/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch new file mode 100644 index 0000000000..ec48ada9e2 --- /dev/null +++ b/queue-6.6/asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch 
@@ -0,0 +1,40 @@ +From a3253f2cd9a8efc1340e0d545730dd52d1e3bc50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 11:23:46 +0200 +Subject: ASoC: Intel: avs: Unprepare a stream when XRUN occurs + +From: Cezary Rojewski + +[ Upstream commit cfca1637bc2b6b1e4f191d2f0b25f12402fbbb26 ] + +The pcm->prepare() function may be called multiple times in a row by the +userspace, as mentioned in the documentation. The driver shall take that +into account and prevent redundancy. However, the exact same function is +called during XRUNs and in such case, the particular stream shall be +reset and setup anew. + +Fixes: 9114700b496c ("ASoC: Intel: avs: Generic PCM FE operations") +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20251023092348.3119313-2-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/avs/pcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/intel/avs/pcm.c b/sound/soc/intel/avs/pcm.c +index 781019685b941..9251c38cf9d12 100644 +--- a/sound/soc/intel/avs/pcm.c ++++ b/sound/soc/intel/avs/pcm.c +@@ -611,6 +611,8 @@ static int avs_dai_fe_prepare(struct snd_pcm_substream *substream, struct snd_so + data = snd_soc_dai_get_dma_data(dai, substream); + host_stream = data->host_stream; + ++ if (runtime->state == SNDRV_PCM_STATE_XRUN) ++ hdac_stream(host_stream)->prepared = false; + if (hdac_stream(host_stream)->prepared) + return 0; + +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch b/queue-6.6/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch new file mode 100644 index 0000000000..e84426c904 --- /dev/null +++ b/queue-6.6/bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch 
@@ -0,0 +1,61 @@ +From f6626797d59505853fea5188476215d4ca6d2b5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Sep 2025 13:39:33 +0800 +Subject: Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during + reset + +From: Chris Lu + +[ Upstream commit 77343b8b4f87560f8f03e77b98a81ff3a147b262 ] + +This patch adds logic to handle power management control when the +Bluetooth function is closed during the SDIO reset sequence. + +Specifically, if BT is closed before reset, the driver enables the +SDIO function and sets driver pmctrl. After reset, if BT remains +closed, the driver sets firmware pmctrl and disables the SDIO function. + +These changes ensure proper power management and device state consistency +across the reset flow. + +Fixes: 8fafe702253d ("Bluetooth: mt7921s: support bluetooth reset mechanism") +Signed-off-by: Chris Lu +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmtksdio.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c +index f9a3444753c2b..97659b4792e69 100644 +--- a/drivers/bluetooth/btmtksdio.c ++++ b/drivers/bluetooth/btmtksdio.c +@@ -1257,6 +1257,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev) + + sdio_claim_host(bdev->func); + ++ /* set drv_pmctrl if BT is closed before doing reset */ ++ if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) { ++ sdio_enable_func(bdev->func); ++ btmtksdio_drv_pmctrl(bdev); ++ } ++ + sdio_writel(bdev->func, C_INT_EN_CLR, MTK_REG_CHLPCR, NULL); + skb_queue_purge(&bdev->txq); + cancel_work_sync(&bdev->txrx_work); +@@ -1272,6 +1278,12 @@ static void btmtksdio_cmd_timeout(struct hci_dev *hdev) + goto err; + } + ++ /* set fw_pmctrl back if BT is closed after doing reset */ ++ if (!test_bit(BTMTKSDIO_FUNC_ENABLED, &bdev->tx_state)) { ++ btmtksdio_fw_pmctrl(bdev); ++ sdio_disable_func(bdev->func); ++ } ++ + clear_bit(BTMTKSDIO_PATCH_ENABLED, 
&bdev->tx_state); + err: + sdio_release_host(bdev->func); +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch b/queue-6.6/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch new file mode 100644 index 0000000000..39d29bc541 --- /dev/null +++ b/queue-6.6/bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch 
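Review bot: In `btmtksdio_cmd_timeout()` the added `sdio_enable_func(bdev->func);` ignores its return value, so a failed enable is followed by `btmtksdio_drv_pmctrl()` and the register writes on a function that is not enabled. The call should be checked, e.g. `if (sdio_enable_func(bdev->func)) goto err;`. Separately, the `goto err` visible in the second inner hunk jumps past the new block that calls `btmtksdio_fw_pmctrl()` and `sdio_disable_func()`, so when the reset fails with BT closed the function stays enabled and the driver keeps ownership. Placing the restore so the reset-failure path also reaches it, without running it after a failed enable, would keep the device state consistent. The rest of the function is outside the hunk.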
@@ -0,0 +1,78 @@ +From f2455847bb7a98deff5d265447578f6566d9b6cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Oct 2025 10:55:58 -0400 +Subject: Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00 + +From: Luiz Augusto von Dentz + +[ Upstream commit 0d92808024b4e9868cef68d16f121d509843e80e ] + +This fixes the state tracking of advertisement set/instance 0x00 which +is considered a legacy instance and is not tracked individually by +adv_instances list, previously it was assumed that hci_dev itself would +track it via HCI_LE_ADV but that is a global state not specifc to +instance 0x00, so to fix it a new flag is introduced that only tracks the +state of instance 0x00. + +Fixes: 1488af7b8b5f ("Bluetooth: hci_sync: Fix hci_resume_advertising_sync") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci.h | 1 + + net/bluetooth/hci_event.c | 4 ++++ + net/bluetooth/hci_sync.c | 5 ++--- + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h +index 4c084a03d6bb7..b25746b91986c 100644 +--- a/include/net/bluetooth/hci.h ++++ b/include/net/bluetooth/hci.h +@@ -392,6 +392,7 @@ enum { + HCI_USER_CHANNEL, + HCI_EXT_CONFIGURED, + HCI_LE_ADV, ++ HCI_LE_ADV_0, + HCI_LE_PER_ADV, + HCI_LE_SCAN, + HCI_SSP_ENABLED, +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 7bda00dcb0b2f..064fde4fb70ff 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1598,6 +1598,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, + + if (adv && !adv->periodic) + adv->enabled = true; ++ else if (!set->handle) ++ hci_dev_set_flag(hdev, HCI_LE_ADV_0); + + conn = hci_lookup_le_connect(hdev); + if (conn) +@@ -1608,6 +1610,8 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, + if (cp->num_of_sets) { + if (adv) + adv->enabled = false; ++ else if (!set->handle) ++ 
hci_dev_clear_flag(hdev, HCI_LE_ADV_0); + + /* If just one instance was disabled check if there are + * any other instance enabled before clearing HCI_LE_ADV +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 47924f20565d4..f5bbcbbcfbd7b 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2651,9 +2651,8 @@ static int hci_resume_advertising_sync(struct hci_dev *hdev) + /* If current advertising instance is set to instance 0x00 + * then we need to re-enable it. + */ +- if (!hdev->cur_adv_instance) +- err = hci_enable_ext_advertising_sync(hdev, +- hdev->cur_adv_instance); ++ if (hci_dev_test_and_clear_flag(hdev, HCI_LE_ADV_0)) ++ err = hci_enable_ext_advertising_sync(hdev, 0x00); + } else { + /* Schedule for most recent instance to be restarted and begin + * the software rotation loop +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch b/queue-6.6/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch new file mode 100644 index 0000000000..68bd575595 --- /dev/null +++ b/queue-6.6/bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch 
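Review bot: In `hci_resume_advertising_sync()` the retained comment still says instance 0x00 is re-enabled when it is the current advertising instance, but the condition now tests and clears `HCI_LE_ADV_0`. Update it to match, for example `/* Re-enable instance 0x00 only if HCI_LE_ADV_0 recorded it as enabled */`. Because `hci_dev_test_and_clear_flag()` clears the flag before `hci_enable_ext_advertising_sync()` runs, a failed enable leaves the flag cleared and a later resume will not retry. If that is intended, the comment should say so. Both functions touched here continue outside the hunks.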
@@ -0,0 +1,88 @@ +From 77e37c0bcc0672e86c54f00408f1f31122ced15d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Oct 2025 16:03:19 -0400 +Subject: Bluetooth: hci_core: Fix tracking of periodic advertisement + +From: Luiz Augusto von Dentz + +[ Upstream commit 751463ceefc3397566d03c8b64ef4a77f5fd88ac ] + +Periodic advertising enabled flag cannot be tracked by the enabled +flag since advertising and periodic advertising each can be +enabled/disabled separately from one another causing the states to be +inconsistent when for example an advertising set is disabled its +enabled flag is set to false which is then used for periodic which has +not being disabled. + +Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 1 + + net/bluetooth/hci_event.c | 7 +++++-- + net/bluetooth/hci_sync.c | 4 ++-- + 3 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 62135b7782f5b..7672d8d6005d1 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -240,6 +240,7 @@ struct adv_info { + bool enabled; + bool pending; + bool periodic; ++ bool periodic_enabled; + __u8 mesh; + __u8 instance; + __u32 flags; +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 064fde4fb70ff..4e70b85647035 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1596,7 +1596,7 @@ static u8 hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev, void *data, + + hci_dev_set_flag(hdev, HCI_LE_ADV); + +- if (adv && !adv->periodic) ++ if (adv) + adv->enabled = true; + else if (!set->handle) + hci_dev_set_flag(hdev, HCI_LE_ADV_0); +@@ -3953,8 +3953,11 @@ static u8 hci_cc_le_set_per_adv_enable(struct hci_dev *hdev, void *data, + hci_dev_set_flag(hdev, HCI_LE_PER_ADV); + + if (adv) +- adv->enabled = true; ++ 
adv->periodic_enabled = true; + } else { ++ if (adv) ++ adv->periodic_enabled = false; ++ + /* If just one instance was disabled check if there are + * any other instance enabled before clearing HCI_LE_PER_ADV. + * The current periodic adv instance will be marked as +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index f5bbcbbcfbd7b..f0eb52d5c0581 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1631,7 +1631,7 @@ int hci_disable_per_advertising_sync(struct hci_dev *hdev, u8 instance) + + /* If periodic advertising already disabled there is nothing to do. */ + adv = hci_find_adv_instance(hdev, instance); +- if (!adv || !adv->periodic || !adv->enabled) ++ if (!adv || !adv->periodic_enabled) + return 0; + + memset(&cp, 0, sizeof(cp)); +@@ -1700,7 +1700,7 @@ static int hci_enable_per_advertising_sync(struct hci_dev *hdev, u8 instance) + + /* If periodic advertising already enabled there is nothing to do. */ + adv = hci_find_adv_instance(hdev, instance); +- if (adv && adv->periodic && adv->enabled) ++ if (adv && adv->periodic_enabled) + return 0; + + memset(&cp, 0, sizeof(cp)); +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch b/queue-6.6/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch new file mode 100644 index 0000000000..4427aa466d --- /dev/null +++ b/queue-6.6/bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch 
@@ -0,0 +1,55 @@ +From 1ecf65003252282dd8c7a974b90172090feb1971 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Sep 2025 05:30:17 +0000 +Subject: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once + +From: Cen Zhang + +[ Upstream commit 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 ] + +hci_cmd_sync_dequeue_once() does lookup and then cancel +the entry under two separate lock sections. Meanwhile, +hci_cmd_sync_work() can also delete the same entry, +leading to double list_del() and "UAF". + +Fix this by holding cmd_sync_work_lock across both +lookup and cancel, so that the entry cannot be removed +concurrently. + +Fixes: 505ea2b29592 ("Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue") +Reported-by: Cen Zhang +Signed-off-by: Cen Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index a128e5709fa15..47924f20565d4 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -881,11 +881,17 @@ bool hci_cmd_sync_dequeue_once(struct hci_dev *hdev, + { + struct hci_cmd_sync_work_entry *entry; + +- entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy); +- if (!entry) ++ mutex_lock(&hdev->cmd_sync_work_lock); ++ ++ entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy); ++ if (!entry) { ++ mutex_unlock(&hdev->cmd_sync_work_lock); + return false; ++ } + +- hci_cmd_sync_cancel_entry(hdev, entry); ++ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED); ++ ++ mutex_unlock(&hdev->cmd_sync_work_lock); + + return true; + } +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch b/queue-6.6/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch new file mode 100644 index 0000000000..4490afc4a0 --- /dev/null +++ b/queue-6.6/bluetooth-iso-fix-another-instance-of-dst_type-handl.patch 
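Review bot: `hci_cmd_sync_dequeue_once()` now takes `cmd_sync_work_lock` around both the lookup and the cancel, but nothing in the code says why the two steps must share one lock section. A one-line comment above `mutex_lock()`, such as `/* lookup and cancel share one lock section so hci_cmd_sync_work() cannot remove the entry in between */`, would keep a later cleanup from splitting them again. The function also has two `mutex_unlock()` calls. A single exit path that records whether an entry was found, unlocks once and returns that result would remove the duplicated unlock.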
@@ -0,0 +1,42 @@ +From 74853574c7966dd1434bbdaeaa531d82a7f201a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Oct 2025 13:29:15 -0400 +Subject: Bluetooth: ISO: Fix another instance of dst_type handling + +From: Luiz Augusto von Dentz + +[ Upstream commit c403da5e98b04a2aec9cfb25cbeeb28d7ce29975 ] + +Socket dst_type cannot be directly assigned to hci_conn->type since +there domain is different which may lead to the wrong address type being +used. + +Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index 69529a3049e74..1469e9b69e631 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1782,7 +1782,13 @@ static void iso_conn_ready(struct iso_conn *conn) + } + + bacpy(&iso_pi(sk)->dst, &hcon->dst); +- iso_pi(sk)->dst_type = hcon->dst_type; ++ ++ /* Convert from HCI to three-value type */ ++ if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) ++ iso_pi(sk)->dst_type = BDADDR_LE_PUBLIC; ++ else ++ iso_pi(sk)->dst_type = BDADDR_LE_RANDOM; ++ + iso_pi(sk)->sync_handle = iso_pi(parent)->sync_handle; + memcpy(iso_pi(sk)->base, iso_pi(parent)->base, iso_pi(parent)->base_len); + iso_pi(sk)->base_len = iso_pi(parent)->base_len; +-- +2.51.0 + diff --git a/queue-6.6/bpf-do-not-audit-capability-check-in-do_jit.patch b/queue-6.6/bpf-do-not-audit-capability-check-in-do_jit.patch new file mode 100644 index 0000000000..d3155082c0 --- /dev/null +++ b/queue-6.6/bpf-do-not-audit-capability-check-in-do_jit.patch 
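Review bot: In `iso_conn_ready()` the new `else` branch maps every `hcon->dst_type` other than `ADDR_LE_DEV_PUBLIC` to `BDADDR_LE_RANDOM`. If a resolved-public value such as `ADDR_LE_DEV_PUBLIC_RESOLVED` can still be stored in `hcon->dst_type` at this point (not visible in the hunk), the socket would report the wrong address type. Either test `ADDR_LE_DEV_RANDOM` explicitly, or extend the comment to state which values reach here, e.g. `/* hcon->dst_type is PUBLIC or RANDOM here; map to BDADDR_LE_* */`. The function starts and ends outside the hunk.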
@@ -0,0 +1,50 @@ +From d101d60686c68828eaf108e4ee46c2a99f9ece15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:27:58 +0200 +Subject: bpf: Do not audit capability check in do_jit() + +From: Ondrej Mosnacek + +[ Upstream commit 881a9c9cb7856b24e390fad9f59acfd73b98b3b2 ] + +The failure of this check only results in a security mitigation being +applied, slightly affecting performance of the compiled BPF program. It +doesn't result in a failed syscall, an thus auditing a failed LSM +permission check for it is unwanted. For example with SELinux, it causes +a denial to be reported for confined processes running as root, which +tends to be flagged as a problem to be fixed in the policy. Yet +dontauditing or allowing CAP_SYS_ADMIN to the domain may not be +desirable, as it would allow/silence also other checks - either going +against the principle of least privilege or making debugging potentially +harder. + +Fix it by changing it from capable() to ns_capable_noaudit(), which +instructs the LSMs to not audit the resulting denials. + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2369326 +Fixes: d4e89d212d40 ("x86/bpf: Call branch history clearing sequence on exit") +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Paul Moore +Link: https://lore.kernel.org/r/20251021122758.2659513-1-omosnace@redhat.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index 07592eef253c2..0be138fbd0a05 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -1995,7 +1995,7 @@ st: if (is_imm8(insn->off)) + ctx->cleanup_addr = proglen; + + if (bpf_prog_was_classic(bpf_prog) && +- !capable(CAP_SYS_ADMIN)) { ++ !ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)) { + u8 *ip = image + addrs[i - 1]; + + if (emit_spectre_bhb_barrier(&prog, ip, bpf_prog)) +-- +2.51.0 + 
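Review bot: The switch to `ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` in `do_jit()` carries no comment, and without one the call reads like an oversight that a later cleanup could turn back into `capable()`. Add a line above the condition such as `/* noaudit: a failed check only adds the BHB barrier, it never fails the syscall */`. The privilege decision itself is unchanged, since the check is still made against `init_user_ns`. Only the audit record for a denial is suppressed. The enclosing function is far larger than the hunk.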
diff --git a/queue-6.6/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch b/queue-6.6/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch new file mode 100644 index 0000000000..6e8a9b666d --- /dev/null +++ b/queue-6.6/bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch 
@@ -0,0 +1,46 @@
+From 851cf49068fae368ce8a2000c028aaa7b25f5309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 23:33:01 +0530
+Subject: bpf: Sync pending IRQ work before freeing ring buffer
+
+From: Noorain Eqbal
+
+[ Upstream commit 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c ]
+
+Fix a race where irq_work can be queued in bpf_ringbuf_commit()
+but the ring buffer is freed before the work executes.
+In the syzbot reproducer, a BPF program attached to sched_switch
+triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
+is freed before this work executes, the irq_work thread may accesses
+freed memory.
+Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
+complete before freeing the buffer.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2
+Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com
+Signed-off-by: Noorain Eqbal
+Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index 6aff5ee483b60..c0c5e9b313e43 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -215,6 +215,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
+
+ static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
+ {
++ irq_work_sync(&rb->work);
++
+ /* copy pages pointer and nr_pages to local variable, as we are going
+ * to unmap rb itself with vunmap() below
+ */
+--
+2.51.0
+
diff --git a/queue-6.6/crypto-aspeed-acry-convert-to-platform-remove-callba.patch b/queue-6.6/crypto-aspeed-acry-convert-to-platform-remove-callba.patch
new file mode 100644
index 0000000000..659b21a280
--- /dev/null
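Review bot: `irq_work_sync(&rb->work)` at the top of bpf_ringbuf_free() only waits for work that is already queued, so the fix depends on nothing being able to queue `rb->work` again once the free has started; that guarantee is not visible in the hunk and is worth stating next to the call. Something like `/* No producer can commit any more at this point; wait for a notification still in flight before rb is unmapped */` would do, after confirming it against the callers. The wait also presumably has to run in a context that is allowed to block, which the hunk does not show either. The body of bpf_ringbuf_free() continues past the hunk.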
+++ b/queue-6.6/crypto-aspeed-acry-convert-to-platform-remove-callba.patch 
@@ -0,0 +1,68 @@
+From 9c25132cec500026feb326a3d0b498a8ee79a825 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 20 Oct 2023 09:55:28 +0200
+Subject: crypto: aspeed-acry - Convert to platform remove callback returning
+ void
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+[ Upstream commit 8819da7e685008de2c1926c067a388b1ecaeb8aa ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is ignored (apart
+from emitting a warning) and this typically results in resource leaks.
+
+To improve here there is a quest to make the remove callback return
+void. In the first step of this quest all drivers are converted to
+.remove_new(), which already returns void. Eventually after all drivers
+are converted, .remove_new() will be renamed to .remove().
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König
+Reviewed-by: Andrew Jeffery
+Signed-off-by: Herbert Xu
+Stable-dep-of: 3c9bf72cc1ce ("crypto: aspeed - fix double free caused by devm")
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/aspeed/aspeed-acry.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/aspeed/aspeed-acry.c b/drivers/crypto/aspeed/aspeed-acry.c
+index 247c568aa8dfe..b4613bd4ad964 100644
+--- a/drivers/crypto/aspeed/aspeed-acry.c
++++ b/drivers/crypto/aspeed/aspeed-acry.c
+@@ -794,7 +794,7 @@ static int aspeed_acry_probe(struct platform_device *pdev)
+ return rc;
+ }
+
+-static int aspeed_acry_remove(struct platform_device *pdev)
++static void aspeed_acry_remove(struct platform_device *pdev)
+ {
+ struct aspeed_acry_dev *acry_dev = platform_get_drvdata(pdev);
+
+@@ -802,15 +802,13 @@ static int aspeed_acry_remove(struct platform_device *pdev)
+ crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ tasklet_kill(&acry_dev->done_task);
+ clk_disable_unprepare(acry_dev->clk);
+-
+- return 0;
+ }
+
+ MODULE_DEVICE_TABLE(of, aspeed_acry_of_matches);
+
+ static struct platform_driver aspeed_acry_driver = {
+ .probe = aspeed_acry_probe,
+- .remove = aspeed_acry_remove,
++ .remove_new = aspeed_acry_remove,
+ .driver = {
+ .name = KBUILD_MODNAME,
+ .of_match_table = aspeed_acry_of_matches,
+--
+2.51.0
+
diff --git a/queue-6.6/crypto-aspeed-fix-double-free-caused-by-devm.patch b/queue-6.6/crypto-aspeed-fix-double-free-caused-by-devm.patch
new file mode 100644
index 0000000000..44f471465a
--- /dev/null
+++ b/queue-6.6/crypto-aspeed-fix-double-free-caused-by-devm.patch
@@ -0,0 +1,48 @@
+From d2c868e8d3a675ff826434e7c5c1b1595a47c37c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 18:11:09 +0800
+Subject: crypto: aspeed - fix double free caused by devm
+
+From: Haotian Zhang
+
+[ Upstream commit 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 ]
+
+The clock obtained via devm_clk_get_enabled() is automatically managed
+by devres and will be disabled and freed on driver detach. Manually
+calling clk_disable_unprepare() in error path and remove function
+causes double free.
+
+Remove the manual clock cleanup in both aspeed_acry_probe()'s error
+path and aspeed_acry_remove().
+
+Fixes: 2f1cf4e50c95 ("crypto: aspeed - Add ACRY RSA driver")
+Signed-off-by: Haotian Zhang
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/aspeed/aspeed-acry.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/crypto/aspeed/aspeed-acry.c b/drivers/crypto/aspeed/aspeed-acry.c
+index b4613bd4ad964..8ca0913d94abf 100644
+--- a/drivers/crypto/aspeed/aspeed-acry.c
++++ b/drivers/crypto/aspeed/aspeed-acry.c
+@@ -789,7 +789,6 @@ static int aspeed_acry_probe(struct platform_device *pdev)
+ err_engine_rsa_start:
+ crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ clk_exit:
+- clk_disable_unprepare(acry_dev->clk);
+
+ return rc;
+ }
+@@ -801,7 +800,6 @@ static void aspeed_acry_remove(struct platform_device *pdev)
+ aspeed_acry_unregister(acry_dev);
+ crypto_engine_exit(acry_dev->crypt_engine_rsa);
+ tasklet_kill(&acry_dev->done_task);
+- clk_disable_unprepare(acry_dev->clk);
+ }
+
+ MODULE_DEVICE_TABLE(of, aspeed_acry_of_matches);
+--
+2.51.0
+
diff --git a/queue-6.6/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch b/queue-6.6/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
new file mode 100644
index 0000000000..c6c515e20e
--- /dev/null
+++ b/queue-6.6/drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
@@ -0,0 +1,41 @@
+From c9c5920efb553e65709a13aacdd0270c03f83b46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 14:12:21 +0800
+Subject: drm/amd/pm: fix smu table id bound check issue in
+ smu_cmn_update_table()
+
+From: Yang Wang
+
+[ Upstream commit 238d468d3ed18a324bb9d8c99f18c665dbac0511 ]
+
+'table_index' is a variable defined by the smu driver (kmd)
+'table_id' is a variable defined by the hw smu (pmfw)
+
+This code should use table_index as a bounds check.
+
+Fixes: caad2613dc4bd ("drm/amd/powerplay: move table setting common code to smu_cmn.c")
+Signed-off-by: Yang Wang
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+(cherry picked from commit fca0c66b22303de0d1d6313059baf4dc960a4753)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+index c1962f1974c6f..2c9612b5f1568 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c
+@@ -870,7 +870,7 @@ int smu_cmn_update_table(struct smu_context *smu,
+ table_index);
+ uint32_t table_size;
+ int ret = 0;
+- if (!table_data || table_id >= SMU_TABLE_COUNT || table_id < 0)
++ if (!table_data || table_index >= SMU_TABLE_COUNT || table_id < 0)
+ return -EINVAL;
+
+ table_size = smu_table->tables[table_index].size;
+--
+2.51.0
+
diff --git a/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch b/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
new file mode 100644
index 0000000000..4335294e95
--- /dev/null
+++ b/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
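Review bot: After this change the guard tests two different variables and the `if` carries no hint of which one protects what: `table_index >= SMU_TABLE_COUNT` bounds the `smu_table->tables[table_index].size` read two lines later, while `table_id < 0` presumably rejects a failed lookup by the call that ends in `table_index);` above. A short comment such as `/* table_index indexes the driver's tables[]; table_id is the firmware-side id */` would stop the two from being swapped again. The declaration of table_index is outside the hunk, so whether it can ever be negative cannot be checked here; if its type is signed, a lower bound belongs in the same test.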
@@ -0,0 +1,39 @@
+From 40a0153d7c989785f2107680be47aea954855d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:08:13 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
+
+From: John Smith
+
+[ Upstream commit 07a13f913c291d6ec72ee4fc848d13ecfdc0e705 ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18edef19ea44 ("drm/amd/powerplay: implement fw image related smu interface for Fiji.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit c52238c9fb414555c68340cd80e487d982c1921c)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+index 5e43ad2b29564..e7e497b166b3e 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/fiji_smumgr.c
+@@ -2024,7 +2024,7 @@ static int fiji_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0; /* 0:Gen1 1:Gen2 2:Gen3*/
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+ table->VRConfig = 0;
+
+--
+2.51.0
+
diff --git a/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603 b/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603
new file mode 100644
index 0000000000..6941ee896c
--- /dev/null
+++ b/queue-6.6/drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603
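Review bot: The replaced line loses the only documentation of the field's encoding (`/* 0:Gen1 1:Gen2 2:Gen3*/`), and the new value is `pcie_speed_table.count`, which by its name is a number of entries rather than the index of the last one. The commit message says this matches the other smumgr implementations, so the value may well be intended, but the line should say so, for example `/* 0:Gen1 1:Gen2 2:Gen3; boot at the top of pcie_speed_table like the other smumgr code */` once that is confirmed. The `(uint8_t)` cast would also silently truncate a count above 255, which is presumably impossible for this table but is not shown. The same applies to the identical assignment in the iceland_smumgr.c hunk that follows; both functions extend beyond their hunks.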
@@ -0,0 +1,39 @@
+From 18a15f4864e3cfe9007cae42488da177278db596 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:09:09 +0200
+Subject: drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
+
+From: John Smith
+
+[ Upstream commit 501672e3c1576aa9a8364144213c77b98a31a42c ]
+
+Previously this was initialized with zero which represented PCIe Gen
+1.0 instead of using the
+maximum value from the speed table which is the behaviour of all other
+smumgr implementations.
+
+Fixes: 18aafc59b106 ("drm/amd/powerplay: implement fw related smu interface for iceland.")
+Signed-off-by: John Smith
+Signed-off-by: Alex Deucher
+(cherry picked from commit 92b0a6ae6672857ddeabf892223943d2f0e06c97)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+index 97d9802fe6731..43458f1b0077d 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/iceland_smumgr.c
+@@ -2028,7 +2028,7 @@ static int iceland_init_smc_table(struct pp_hwmgr *hwmgr)
+ table->VoltageResponseTime = 0;
+ table->PhaseResponseTime = 0;
+ table->MemoryThermThrottleEnable = 1;
+- table->PCIeBootLinkLevel = 0;
++ table->PCIeBootLinkLevel = (uint8_t) (data->dpm_table.pcie_speed_table.count);
+ table->PCIeGenInterval = 1;
+
+ result = iceland_populate_smc_svi2_config(hwmgr, table);
+--
+2.51.0
+
diff --git a/queue-6.6/drm-etnaviv-fix-flush-sequence-logic.patch b/queue-6.6/drm-etnaviv-fix-flush-sequence-logic.patch
new file mode 100644
index 0000000000..76922c9b57
--- /dev/null
+++ b/queue-6.6/drm-etnaviv-fix-flush-sequence-logic.patch
@@ -0,0 +1,46 @@
+From 818c76fbc16efb9c936657f9de819b8d78f87eaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Oct 2025 11:37:23 +0200
+Subject: drm/etnaviv: fix flush sequence logic
+
+From: Tomeu Vizoso
+
+[ Upstream commit a042beac6e6f8ac1e923784cfff98b47cbabb185 ]
+
+The current logic uses the flush sequence from the current address
+space. This is harmless when deducing the flush requirements for the
+current submit, as either the incoming address space is the same one
+as the currently active one or we switch context, in which case the
+flush is unconditional.
+
+However, this sequence is also stored as the current flush sequence
+of the GPU. If we switch context the stored flush sequence will no
+longer belong to the currently active address space. This incoherency
+can then cause missed flushes, resulting in translation errors.
+
+Fixes: 27b67278e007 ("drm/etnaviv: rework MMU handling")
+Signed-off-by: Tomeu Vizoso
+Signed-off-by: Lucas Stach
+Reviewed-by: Christian Gmeiner
+Link: https://lore.kernel.org/r/20251021093723.3887980-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/etnaviv/etnaviv_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+index b13a17276d07c..88385dc3b30d8 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_buffer.c
+@@ -347,7 +347,7 @@ void etnaviv_buffer_queue(struct etnaviv_gpu *gpu, u32 exec_state,
+ u32 link_target, link_dwords;
+ bool switch_context = gpu->exec_state != exec_state;
+ bool switch_mmu_context = gpu->mmu_context != mmu_context;
+- unsigned int new_flush_seq = READ_ONCE(gpu->mmu_context->flush_seq);
++ unsigned int new_flush_seq = READ_ONCE(mmu_context->flush_seq);
+ bool need_flush = switch_mmu_context || gpu->flush_seq != new_flush_seq;
+ bool has_blt = !!(gpu->identity.minor_features5 &
+ chipMinorFeatures5_BLT_ENGINE);
+--
+2.51.0
+
diff --git a/queue-6.6/drm-msm-a6xx-fix-gmu-firmware-parser.patch b/queue-6.6/drm-msm-a6xx-fix-gmu-firmware-parser.patch
new file mode 100644
index 0000000000..bb30a63d5d
--- /dev/null
+++ b/queue-6.6/drm-msm-a6xx-fix-gmu-firmware-parser.patch
@@ -0,0 +1,51 @@
+From b71a30efaa87d4503fae2315a944490f148ad5e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Sep 2025 02:14:05 +0530
+Subject: drm/msm/a6xx: Fix GMU firmware parser
+
+From: Akhil P Oommen
+
+[ Upstream commit b4789aac9d3441d9f830f0a4022d8dc122d6cab3 ]
+
+Current parser logic for GMU firmware assumes a dword aligned payload
+size for every block. This is not true for all GMU firmwares. So, fix
+this by using correct 'size' value in the calculation for the offset
+for the next block's header.
+
+Fixes: c6ed04f856a4 ("drm/msm/a6xx: A640/A650 GMU firmware path")
+Signed-off-by: Akhil P Oommen
+Acked-by: Konrad Dybcio
+Patchwork: https://patchwork.freedesktop.org/patch/674040/
+Message-ID: <20250911-assorted-sept-1-v2-2-a8bf1ee20792@oss.qualcomm.com>
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+index c50aafa0ecdb6..e816ddcac2f8d 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -693,6 +693,9 @@ static bool fw_block_mem(struct a6xx_gmu_bo *bo, const struct block_header *blk)
+ return true;
+ }
+
++#define NEXT_BLK(blk) \
++ ((const struct block_header *)((const char *)(blk) + sizeof(*(blk)) + (blk)->size))
++
+ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+ {
+ struct a6xx_gpu *a6xx_gpu = container_of(gmu, struct a6xx_gpu, gmu);
+@@ -723,7 +726,7 @@ static int a6xx_gmu_fw_load(struct a6xx_gmu *gmu)
+
+ for (blk = (const struct block_header *) fw_image->data;
+ (const u8*) blk < fw_image->data + fw_image->size;
+- blk = (const struct block_header *) &blk->data[blk->size >> 2]) {
++ blk = NEXT_BLK(blk)) {
+ if (blk->size == 0)
+ continue;
+
+--
+2.51.0
+
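Review bot: The block size is read from the firmware image and the advance to the next header is still not bounded: the loop condition `(const u8*) blk < fw_image->data + fw_image->size` only proves that the first byte of `blk` is inside the image, so `blk->size` can be read from a header that straddles the end, and `NEXT_BLK(blk)` adds an unchecked `(blk)->size` to the pointer. With byte-granular sizes the next header can also land on an unaligned address. I would have the loop require a whole header, `(const u8 *)blk + sizeof(*blk) <= fw_image->data + fw_image->size`, and reject a block whose `size` exceeds the bytes remaining after the header before using it; a `static inline` helper instead of the macro would also give the pointer arithmetic a typed argument. a6xx_gmu_fw_load() starts and ends outside the hunk, so checks performed elsewhere in it are not visible here.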
diff --git a/queue-6.6/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch b/queue-6.6/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
new file mode 100644
index 0000000000..7c675dfdf6
--- /dev/null
+++ b/queue-6.6/libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
@@ -0,0 +1,44 @@
+From 648f39c3cf7720cfaf4daba915697f51d8ec78dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 13:36:43 -0700
+Subject: libbpf: Fix powerpc's stack register definition in bpf_tracing.h
+
+From: Andrii Nakryiko
+
+[ Upstream commit 7221b9caf84b3294688228a19273d74ea19a2ee4 ]
+
+retsnoop's build on powerpc (ppc64le) architecture ([0]) failed due to
+wrong definition of PT_REGS_SP() macro. Looking at powerpc's
+implementation of stack unwinding in perf_callchain_user_64() clearly
+shows that stack pointer register is gpr[1].
+
+Fix libbpf's definition of __PT_SP_REG for powerpc to fix all this.
+
+ [0] https://kojipkgs.fedoraproject.org/work/tasks/1544/137921544/build.log
+
+Fixes: 138d6153a139 ("samples/bpf: Enable powerpc support")
+Signed-off-by: Andrii Nakryiko
+Reviewed-by: Naveen N Rao (AMD)
+Link: https://lore.kernel.org/r/20251020203643.989467-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ tools/lib/bpf/bpf_tracing.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index 1c13f8e88833b..66b925bd954eb 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -311,7 +311,7 @@ struct pt_regs___arm64 {
+ #define __PT_RET_REG regs[31]
+ #define __PT_FP_REG __unsupported__
+ #define __PT_RC_REG gpr[3]
+-#define __PT_SP_REG sp
++#define __PT_SP_REG gpr[1]
+ #define __PT_IP_REG nip
+
+ #elif defined(bpf_target_sparc)
+--
+2.51.0
+
diff --git a/queue-6.6/net-hns3-return-error-code-when-function-fails.patch b/queue-6.6/net-hns3-return-error-code-when-function-fails.patch
new file mode 100644
index 0000000000..d5af036a6a
--- /dev/null
+++ b/queue-6.6/net-hns3-return-error-code-when-function-fails.patch
@@ -0,0 +1,87 @@
+From 4283a0b1ec7862308a67cf05ec189f1ed07e9334 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 21:13:37 +0800
+Subject: net: hns3: return error code when function fails
+
+From: Jijie Shao
+
+[ Upstream commit 03ca7c8c42be913529eb9f188278114430c6abbd ]
+
+Currently, in hclge_mii_ioctl(), the operation to
+read the PHY register (SIOCGMIIREG) always returns 0.
+
+This patch changes the return type of hclge_read_phy_reg(),
+returning an error code when the function fails.
+
+Fixes: 024712f51e57 ("net: hns3: add ioctl support for imp-controlled PHYs")
+Signed-off-by: Jijie Shao
+Reviewed-by: Alexander Lobakin
+Link: https://patch.msgid.link/20251023131338.2642520-2-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 9 ++++++---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h | 2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 789f72d1067f8..2fa64099e8be2 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9346,8 +9346,7 @@ static int hclge_mii_ioctl(struct hclge_dev *hdev, struct ifreq *ifr, int cmd)
+ /* this command reads phy id and register at the same time */
+ fallthrough;
+ case SIOCGMIIREG:
+- data->val_out = hclge_read_phy_reg(hdev, data->reg_num);
+- return 0;
++ return hclge_read_phy_reg(hdev, data->reg_num, &data->val_out);
+
+ case SIOCSMIIREG:
+ return hclge_write_phy_reg(hdev, data->reg_num, data->val_in);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index 80079657afebe..b8dbf932caf94 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -274,7 +274,7 @@ void hclge_mac_stop_phy(struct hclge_dev *hdev)
+ phy_stop(phydev);
+ }
+
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val)
+ {
+ struct hclge_phy_reg_cmd *req;
+ struct hclge_desc desc;
+@@ -286,11 +286,14 @@ u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr)
+ req->reg_addr = cpu_to_le16(reg_addr);
+
+ ret = hclge_cmd_send(&hdev->hw, &desc, 1);
+- if (ret)
++ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "failed to read phy reg, ret = %d.\n", ret);
++ return ret;
++ }
+
+- return le16_to_cpu(req->reg_val);
++ *val = le16_to_cpu(req->reg_val);
++ return 0;
+ }
+
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val)
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+index 4200d0b6d9317..21d434c82475b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.h
+@@ -13,7 +13,7 @@ int hclge_mac_connect_phy(struct hnae3_handle *handle);
+ void hclge_mac_disconnect_phy(struct hnae3_handle *handle);
+ void hclge_mac_start_phy(struct hclge_dev *hdev);
+ void hclge_mac_stop_phy(struct hclge_dev *hdev);
+-u16 hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr);
++int hclge_read_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 *val);
+ int hclge_write_phy_reg(struct hclge_dev *hdev, u16 reg_addr, u16 val);
+
+ #endif
+--
+2.51.0
+
diff --git a/queue-6.6/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch b/queue-6.6/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
new file mode 100644
index 0000000000..4d318da14b
--- /dev/null
+++ b/queue-6.6/scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
@@ -0,0 +1,42 @@
+From ead7f030e7f0486ff7628b7ff753c3b5be54d1b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Oct 2025 15:15:38 +0900
+Subject: scsi: ufs: core: Initialize value of an attribute returned by uic cmd
+
+From: Wonkon Kim
+
+[ Upstream commit 6fe4c679dde3075cb481beb3945269bb2ef8b19a ]
+
+If ufshcd_send_cmd() fails, *mib_val may have a garbage value. It can
+get an unintended value of an attribute.
+
+Make ufshcd_dme_get_attr() always initialize *mib_val.
+
+Fixes: 12b4fdb4f6bc ("[SCSI] ufs: add dme configuration primitives")
+Signed-off-by: Wonkon Kim
+Reviewed-by: Bart Van Assche
+Link: https://patch.msgid.link/20251020061539.28661-2-wkon.kim@samsung.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/ufs/core/ufshcd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 7dcdaac31546b..2080b251580c8 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4176,8 +4176,8 @@ int ufshcd_dme_get_attr(struct ufs_hba *hba, u32 attr_sel,
+ get, UIC_GET_ATTR_ID(attr_sel),
+ UFS_UIC_COMMAND_RETRIES - retries);
+
+- if (mib_val && !ret)
+- *mib_val = uic_cmd.argument3;
++ if (mib_val)
++ *mib_val = ret == 0 ? uic_cmd.argument3 : 0;
+
+ if (peer && (hba->quirks & UFSHCD_QUIRK_DME_PEER_ACCESS_AUTO_MODE)
+ && pwr_mode_change)
+--
+2.51.0
+
diff --git a/queue-6.6/series b/queue-6.6/series
index b609e43b53..b8ee5bc514 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
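Review bot: With `*mib_val = ret == 0 ? uic_cmd.argument3 : 0;` a failed command now hands the caller 0, which looks like a legitimate attribute value, so the change is only safe for callers that test the return code before using the value. That contract should be written down in the function's header comment, for example `On failure *mib_val is set to 0 and must not be used as the attribute value`. Parenthesising the condition as `(ret == 0) ? uic_cmd.argument3 : 0` would also make the assignment easier to read. ufshcd_dme_get_attr() begins and ends outside the hunk.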
@@ -14,3 +14,28 @@ mptcp-restore-window-probe.patch
 asoc-qdsp6-q6asm-do-not-sleep-while-atomic.patch
 smb-client-fix-potential-cfid-uaf-in-smb2_query_info_compound.patch
 x86-fpu-ensure-xfd-state-on-signal-delivery.patch
+wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
+wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
+wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
+drm-msm-a6xx-fix-gmu-firmware-parser.patch
+alsa-usb-audio-fix-control-pipe-direction.patch
+bpf-sync-pending-irq-work-before-freeing-ring-buffer.patch
+scsi-ufs-core-initialize-value-of-an-attribute-retur.patch
+bpf-do-not-audit-capability-check-in-do_jit.patch
+crypto-aspeed-acry-convert-to-platform-remove-callba.patch
+crypto-aspeed-fix-double-free-caused-by-devm.patch
+asoc-intel-avs-unprepare-a-stream-when-xrun-occurs.patch
+asoc-fsl_sai-fix-bit-order-for-dsd-format.patch
+libbpf-fix-powerpc-s-stack-register-definition-in-bp.patch
+usbnet-prevents-free-active-kevent.patch
+bluetooth-hci_sync-fix-race-in-hci_cmd_sync_dequeue_.patch
+bluetooth-btmtksdio-add-pmctrl-handling-for-bt-close.patch
+bluetooth-hci-fix-tracking-of-advertisement-set-inst.patch
+bluetooth-iso-fix-another-instance-of-dst_type-handl.patch
+bluetooth-hci_core-fix-tracking-of-periodic-advertis.patch
+drm-etnaviv-fix-flush-sequence-logic.patch
+net-hns3-return-error-code-when-function-fails.patch
+sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
+drm-amd-pm-fix-smu-table-id-bound-check-issue-in-smu.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch
+drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-21603
diff --git a/queue-6.6/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch b/queue-6.6/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
new file mode 100644
index 0000000000..ec8ce1053b
--- /dev/null
+++ b/queue-6.6/sfc-fix-potential-memory-leak-in-efx_mae_process_mpo.patch
@@ -0,0 +1,51 @@
+From b4380e0b51a289e1f547bd3fcaeb856c0d0dd8aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Oct 2025 19:48:42 +0530
+Subject: sfc: fix potential memory leak in efx_mae_process_mport()
+
+From: Abdun Nihaal
+
+[ Upstream commit 46a499aaf8c27476fd05e800f3e947bfd71aa724 ]
+
+In efx_mae_enumerate_mports(), memory allocated for mae_mport_desc is
+passed as a argument to efx_mae_process_mport(), but when the error path
+in efx_mae_process_mport() gets executed, the memory allocated for desc
+gets leaked.
+
+Fix that by freeing the memory allocation before returning error.
+
+Fixes: a6a15aca4207 ("sfc: enumerate mports in ef100")
+Acked-by: Edward Cree
+Signed-off-by: Abdun Nihaal
+Link: https://patch.msgid.link/20251023141844.25847-1-nihaal@cse.iitm.ac.in
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sfc/mae.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/sfc/mae.c b/drivers/net/ethernet/sfc/mae.c
+index c3e2b4a21d105..3b08e36e1ef87 100644
+--- a/drivers/net/ethernet/sfc/mae.c
++++ b/drivers/net/ethernet/sfc/mae.c
+@@ -1101,6 +1101,9 @@ void efx_mae_remove_mport(void *desc, void *arg)
+ kfree(mport);
+ }
+
++/*
++ * Takes ownership of @desc, even if it returns an error
++ */
+ static int efx_mae_process_mport(struct efx_nic *efx,
+ struct mae_mport_desc *desc)
+ {
+@@ -1111,6 +1114,7 @@ static int efx_mae_process_mport(struct efx_nic *efx,
+ if (!IS_ERR_OR_NULL(mport)) {
+ netif_err(efx, drv, efx->net_dev,
+ "mport with id %u does exist!!!\n", desc->mport_id);
++ kfree(desc);
+ return -EEXIST;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.6/usbnet-prevents-free-active-kevent.patch b/queue-6.6/usbnet-prevents-free-active-kevent.patch
new file mode 100644
index 0000000000..dcfe442cdd
--- /dev/null
+++ b/queue-6.6/usbnet-prevents-free-active-kevent.patch
@@ -0,0 +1,50 @@
+From 78dfd1e740296713ad4a9665fe96edcefe6705a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 10:40:07 +0800
+Subject: usbnet: Prevents free active kevent
+
+From: Lizhi Xu
+
+[ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ]
+
+The root cause of this issue are:
+1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
+put the kevent work in global workqueue. However, the kevent has not yet
+been scheduled when the usbnet device is unregistered. Therefore, executing
+free_netdev() results in the "free active object (kevent)" error reported
+here.
+
+2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
+if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
+However, because the device is not up, ndo_stop() is not executed.
+
+The solution to this problem is to cancel the kevent before executing
+free_netdev().
+
+Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect")
+Reported-by: Sam Sun
+Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84
+Signed-off-by: Lizhi Xu
+Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index fd6b5865ac513..e6a1864f03f94 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1650,6 +1650,8 @@ void usbnet_disconnect (struct usb_interface *intf)
+ net = dev->net;
+ unregister_netdev (net);
+
++ cancel_work_sync(&dev->kevent);
++
+ while ((urb = usb_get_from_anchor(&dev->deferred))) {
+ dev_kfree_skb(urb->context);
+ kfree(urb->sg);
+--
+2.51.0
+
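Review bot: The new `cancel_work_sync(&dev->kevent);` has no comment, and without the commit message it reads as redundant, because the stop path already cancels the work when the interface was up. A line such as `/* ndo_stop() is skipped for a device that was never opened, so kevent queued at probe time may still be pending */` would keep a later cleanup from removing it. Whether anything after this point in usbnet_disconnect() can queue `kevent` again before the net device is freed is not visible in the hunk; if it can, the cancel needs to sit closer to the free. The function continues beyond the hunk.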
diff --git a/queue-6.6/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch b/queue-6.6/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
new file mode 100644
index 0000000000..99c97cd1de
--- /dev/null
+++ b/queue-6.6/wifi-ath10k-fix-memory-leak-on-unsupported-wmi-comma.patch
@@ -0,0 +1,41 @@
+From aaf403ce9eed5e0cf5ae71ed85a870bf703e1c43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Sep 2025 21:56:56 +0200
+Subject: wifi: ath10k: Fix memory leak on unsupported WMI command
+
+From: Loic Poulain
+
+[ Upstream commit 2e9c1da4ee9d0acfca2e0a3d78f3d8cb5802da1b ]
+
+ath10k_wmi_cmd_send takes ownership of the passed buffer (skb) and has the
+responsibility to release it in case of error. This patch fixes missing
+free in case of early error due to unhandled WMI command ID.
+
+Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1
+
+Fixes: 553215592f14 ("ath10k: warn if give WMI command is not supported")
+Suggested-by: Jeff Johnson
+Signed-off-by: Loic Poulain
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250926195656.187970-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index 340502c47a10d..a15b73d502c0d 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1936,6 +1936,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id)
+ if (cmd_id == WMI_CMD_UNSUPPORTED) {
+ ath10k_warn(ar, "wmi command %d is not supported by firmware\n",
+ cmd_id);
++ dev_kfree_skb_any(skb);
+ return ret;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.6/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch b/queue-6.6/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch
new file mode 100644
index 0000000000..52a0d60c2a
--- /dev/null
+++ b/queue-6.6/wifi-ath11k-add-missing-platform-ids-for-quirk-table.patch 
@@ -0,0 +1,126 @@
+From 57bfe34c60658e9b38799e369b85f045dbe3de06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 15:21:35 -0400
+Subject: wifi: ath11k: Add missing platform IDs for quirk table
+
+From: Mark Pearson
+
+[ Upstream commit 0eb002c93c3b47f88244cecb1e356eaeab61a6bf ]
+
+Lenovo platforms can come with one of two different IDs.
+The pm_quirk table was missing the second ID for each platform.
+
+Add missing ID and some extra platform identification comments.
+Reported on https://bugzilla.kernel.org/show_bug.cgi?id=219196
+
+Tested-on: P14s G4 AMD.
+
+Fixes: ce8669a27016 ("wifi: ath11k: determine PM policy based on machine model")
+Signed-off-by: Mark Pearson
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219196
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250929192146.1789648-1-mpearson-lenovo@squebb.ca
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath11k/core.c | 54 +++++++++++++++++++++++---
+ 1 file changed, 48 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 3a340cb2b205f..355424baeedde 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -707,42 +707,84 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+ static const struct dmi_system_id ath11k_pm_quirk_table[] = {
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* X13 G4 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21J3"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* X13 G4 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21J4"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* T14 G4 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21K3"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* T14 G4 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21K4"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* P14s G4 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21K5"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* P14s G4 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21K6"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* T16 G2 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21K7"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* T16 G2 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21K8"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* P16s G2 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21K9"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* P16s G2 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21KA"),
+ },
+ },
+ {
+ .driver_data = (void *)ATH11K_PM_WOW,
+- .matches = {
++ .matches = { /* T14s G4 AMD #1 */
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21F8"),
++ },
++ },
++ {
++ .driver_data = (void *)ATH11K_PM_WOW,
++ .matches = { /* T14s G4 AMD #2 */
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "21F9"),
+ },
+--
+2.51.0
+
diff --git a/queue-6.6/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch b/queue-6.6/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
new file mode 100644
index 0000000000..632a046c9d
--- /dev/null
+++ b/queue-6.6/wifi-ath12k-free-skb-during-idr-cleanup-callback.patch
@@ -0,0 +1,107 @@
+From bf1e1845604bc61b339c25d46c082a35b9bd58f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Sep 2025 15:03:16 -0700
+Subject: wifi: ath12k: free skb during idr cleanup callback
+
+From: Karthik M
+
+[ Upstream commit 92282074e1d2e7b6da5c05fe38a7cc974187fe14 ]
+
+ath12k just like ath11k [1] did not handle skb cleanup during idr
+cleanup callback. Both ath12k_mac_vif_txmgmt_idr_remove() and
+ath12k_mac_tx_mgmt_pending_free() performed idr cleanup and DMA
+unmapping for skb but only ath12k_mac_tx_mgmt_pending_free() freed
+skb. As a result, during vdev deletion a memory leak occurs.
+
+Refactor all clean up steps into a new function. New function
+ath12k_mac_tx_mgmt_free() creates a centralized area where idr
+cleanup, DMA unmapping for skb and freeing skb is performed. Utilize
+skb pointer given by idr_remove(), instead of passed as a function
+argument because IDR will be protected by locking. This will prevent
+concurrent modification of the same IDR.
+
+Now ath12k_mac_tx_mgmt_pending_free() and
+ath12k_mac_vif_txmgmt_idr_remove() call ath12k_mac_tx_mgmt_free().
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com > # [1]
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Karthik M
+Signed-off-by: Muna Sinada
+Reviewed-by: Vasanthakumar Thiagarajan
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20250923220316.1595758-1-muna.sinada@oss.qualcomm.com
+Signed-off-by: Jeff Johnson
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 34 ++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index e1db6e69d2207..010413bfdb141 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -4743,23 +4743,32 @@ static void ath12k_mgmt_over_wmi_tx_drop(struct ath12k *ar, struct sk_buff *skb)
+ wake_up(&ar->txmgmt_empty_waitq);
+ }
+
+-int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++static void ath12k_mac_tx_mgmt_free(struct ath12k *ar, int buf_id)
+ {
+- struct sk_buff *msdu = skb;
++ struct sk_buff *msdu;
+ struct ieee80211_tx_info *info;
+- struct ath12k *ar = ctx;
+- struct ath12k_base *ab = ar->ab;
+
+ spin_lock_bh(&ar->txmgmt_idr_lock);
+- idr_remove(&ar->txmgmt_idr, buf_id);
++ msdu = idr_remove(&ar->txmgmt_idr, buf_id);
+ spin_unlock_bh(&ar->txmgmt_idr_lock);
+- dma_unmap_single(ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len,
++
++ if (!msdu)
++ return;
++
++ dma_unmap_single(ar->ab->dev, ATH12K_SKB_CB(msdu)->paddr, msdu->len,
+ DMA_TO_DEVICE);
+
+ info = IEEE80211_SKB_CB(msdu);
+ memset(&info->status, 0, sizeof(info->status));
+
+- ath12k_mgmt_over_wmi_tx_drop(ar, skb);
++ ath12k_mgmt_over_wmi_tx_drop(ar, msdu);
++}
++
++int ath12k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++{
++ struct ath12k *ar = ctx;
++
++ ath12k_mac_tx_mgmt_free(ar, buf_id);
+
+ return 0;
+ }
+@@ -4768,17 +4777,10 @@ static int ath12k_mac_vif_txmgmt_idr_remove(int buf_id, void *skb, void *ctx)
+ {
+ struct ieee80211_vif *vif = ctx;
+ struct ath12k_skb_cb *skb_cb = ATH12K_SKB_CB(skb);
+- struct sk_buff *msdu = skb;
+ struct ath12k *ar = skb_cb->ar;
+- struct ath12k_base *ab = ar->ab;
+
+- if (skb_cb->vif == vif) {
+- spin_lock_bh(&ar->txmgmt_idr_lock);
+- idr_remove(&ar->txmgmt_idr, buf_id);
+- spin_unlock_bh(&ar->txmgmt_idr_lock);
+- dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len,
+- DMA_TO_DEVICE);
+- }
++ if (skb_cb->vif == vif)
++ ath12k_mac_tx_mgmt_free(ar, buf_id);
+
+ return 0;
+ }
+--
+2.51.0
+
-- 2.47.3
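Review bot: In ath12k_mac_vif_txmgmt_idr_remove() the callback still reads `skb_cb->ar` and `skb_cb->vif` from the `skb` argument before ath12k_mac_tx_mgmt_free() takes `txmgmt_idr_lock`, so the locking described in the commit message covers the removal but not this read. Whether another path can remove and free the same entry while the IDR walk is running is not visible in these hunks; if it can, this is a read of freed memory and the vif check belongs under the lock. The new helper would also benefit from a comment stating the ownership rule, e.g. `/* Owns the skb returned by idr_remove(); NULL means another path already took it. */`. The `skb` parameter of ath12k_mac_tx_mgmt_pending_free() is now unused and kept only for the callback signature, which deserves a short comment as well.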