From: Sasha Levin Date: Thu, 4 Jun 2026 00:05:58 +0000 (-0400) Subject: Fixes for all trees X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=3392340cf113189487c48802dbd342ed77f987c5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/series b/queue-5.10/series index 5b8948c9f1..7512e7799b 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -40,3 +40,4 @@ batman-adv-tt-avoid-empty-vlan-responses.patch batman-adv-bla-avoid-double-decrement-of-bla.num_req.patch revert-rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch-26331 +smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch diff --git a/queue-5.10/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch b/queue-5.10/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch new file mode 100644 index 0000000000..8a191eec69 --- /dev/null +++ b/queue-5.10/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch @@ -0,0 +1,46 @@ +From 472f5dfb5100bf33e10de322fd07b5dc777ca817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 03:06:46 +0200 +Subject: smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error + path + +From: Stefan Metzmacher + +[ Upstream commit daac51c7032036a0ca5f1aa419ad1b0471d1c6e0 ] + +During tests of another unrelated patch I was able to trigger this +error: Objects remaining on __kmem_cache_shutdown() + +Cc: Steve French +Cc: Tom Talpey +Cc: Long Li +Cc: Namjae Jeon +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection") +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smbdirect.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c +index ae332f3771f634..e273f3b9efcb63 100644 +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -1083,8 +1083,10 @@ static int smbd_negotiate(struct smbd_connection *info) + log_rdma_event(INFO, "smbd_post_recv rc=%d iov.addr=%llx iov.length=%x iov.lkey=%x\n", + rc, response->sge.addr, + response->sge.length, response->sge.lkey); +- if (rc) ++ if (rc) { ++ put_receive_buffer(info, response); + return rc; ++ } + + init_completion(&info->negotiate_completion); + info->negotiate_done = false; +-- +2.53.0 + diff --git a/queue-5.15/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch b/queue-5.15/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch new file mode 100644 index 0000000000..fe5097c37a --- /dev/null +++ b/queue-5.15/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch @@ -0,0 +1,126 @@ +From db9894e649e11f9ea480f71e440aaf4ceab4fe8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 21:13:49 +0200 +Subject: phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, + VSC856X + +From: Horatiu Vultur + +[ Upstream commit 1bc80d673087e5704adbb3ee8e4b785c14899cce ] + +As the PHYs VSC8584, VSC8582, VSC8575 and VSC856X exists only as rev B, +we can use PHY_ID_MATCH_EXACT to match exactly on revision B of the PHY. +Because of this change then there is not need the check if it is a +different revision than rev B in the function vsc8584_probe() as we +already know that this will never happen. +These changes are a preparation for the next patch because in that patch +we will make the PHYs VSC8574 and VSC8572 to use vsc8584_probe() and +these PHYs have multiple revision. + +Reviewed-by: Maxime Chevallier +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20251023191350.190940-2-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc.h | 8 ++++---- + drivers/net/phy/mscc/mscc_main.c | 23 ++++------------------- + 2 files changed, 8 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h +index 4a9c12516f2057..17273895bbb361 100644 +--- a/drivers/net/phy/mscc/mscc.h ++++ b/drivers/net/phy/mscc/mscc.h +@@ -285,12 +285,12 @@ enum rgmii_clock_delay { + #define PHY_ID_VSC8540 0x00070760 + #define PHY_ID_VSC8541 0x00070770 + #define PHY_ID_VSC8552 0x000704e0 +-#define PHY_ID_VSC856X 0x000707e0 ++#define PHY_ID_VSC856X 0x000707e1 + #define PHY_ID_VSC8572 0x000704d0 + #define PHY_ID_VSC8574 0x000704a0 +-#define PHY_ID_VSC8575 0x000707d0 +-#define PHY_ID_VSC8582 0x000707b0 +-#define PHY_ID_VSC8584 0x000707c0 ++#define PHY_ID_VSC8575 0x000707d1 ++#define PHY_ID_VSC8582 0x000707b1 ++#define PHY_ID_VSC8584 0x000707c1 + #define PHY_VENDOR_MSCC 0x00070400 + + #define MSCC_VDDMAC_1500 1500 +diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c +index a33e877a4cd151..53f37ca2e0ff82 100644 +--- a/drivers/net/phy/mscc/mscc_main.c ++++ b/drivers/net/phy/mscc/mscc_main.c +@@ -1713,12 +1713,6 @@ static int vsc8584_config_init(struct phy_device *phydev) + * in this pre-init function. + */ + if (phy_package_init_once(phydev)) { +- /* The following switch statement assumes that the lowest +- * nibble of the phy_id_mask is always 0. This works because +- * the lowest nibble of the PHY_ID's below are also 0. +- */ +- WARN_ON(phydev->drv->phy_id_mask & 0xf); +- + switch (phydev->phy_id & phydev->drv->phy_id_mask) { + case PHY_ID_VSC8504: + case PHY_ID_VSC8552: +@@ -2257,11 +2251,6 @@ static int vsc8584_probe(struct phy_device *phydev) + VSC8531_DUPLEX_COLLISION}; + int ret; + +- if ((phydev->phy_id & MSCC_DEV_REV_MASK) != VSC8584_REVB) { +- dev_err(&phydev->mdio.dev, "Only VSC8584 revB is supported.\n"); +- return -ENOTSUPP; +- } +- + vsc8531 = devm_kzalloc(&phydev->mdio.dev, sizeof(*vsc8531), GFP_KERNEL); + if (!vsc8531) + return -ENOMEM; +@@ -2524,9 +2513,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC856X, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC856X), + .name = "Microsemi GE VSC856X SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2598,9 +2586,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8575, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8575), + .name = "Microsemi GE VSC8575 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2622,9 +2609,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8582, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8582), + .name = "Microsemi GE VSC8582 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2646,9 +2632,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8584, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8584), + .name = "Microsemi GE VSC8584 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +-- +2.53.0 + diff --git a/queue-5.15/phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch b/queue-5.15/phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch new file mode 100644 index 0000000000..9939e4e1e6 --- /dev/null +++ b/queue-5.15/phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch @@ -0,0 +1,65 @@ +From ede9907086fd9140c2066078feedf3ccc3f9b241 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 17:50:16 +0530 +Subject: phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table + +From: Harini Katakam + +[ Upstream commit 31605c01fb242806f5b8c9d08abe11328d514206 ] + +All the PHY devices variants specified have the same mask and +hence can be simplified to one vendor look up for 0x00070400. +Any individual config can be identified by PHY_ID_MATCH_EXACT +in the respective structure. + +Signed-off-by: Harini Katakam +Reviewed-by: Andrew Lunn +Signed-off-by: Jakub Kicinski +Stable-dep-of: 1bc80d673087 ("phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc.h | 1 + + drivers/net/phy/mscc/mscc_main.c | 15 +-------------- + 2 files changed, 2 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h +index fcfbff691b3c6b..4a9c12516f2057 100644 +--- a/drivers/net/phy/mscc/mscc.h ++++ b/drivers/net/phy/mscc/mscc.h +@@ -291,6 +291,7 @@ enum rgmii_clock_delay { + #define PHY_ID_VSC8575 0x000707d0 + #define PHY_ID_VSC8582 0x000707b0 + #define PHY_ID_VSC8584 0x000707c0 ++#define PHY_VENDOR_MSCC 0x00070400 + + #define MSCC_VDDMAC_1500 1500 + #define MSCC_VDDMAC_1800 1800 +diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c +index acc9e1a2663143..a33e877a4cd151 100644 +--- a/drivers/net/phy/mscc/mscc_main.c ++++ b/drivers/net/phy/mscc/mscc_main.c +@@ -2676,20 +2676,7 @@ static struct phy_driver vsc85xx_driver[] = { + module_phy_driver(vsc85xx_driver); + + static struct mdio_device_id __maybe_unused vsc85xx_tbl[] = { +- { PHY_ID_VSC8502, 0xfffffff0, }, +- { PHY_ID_VSC8504, 0xfffffff0, }, +- { PHY_ID_VSC8514, 0xfffffff0, }, +- { PHY_ID_VSC8530, 0xfffffff0, }, +- { PHY_ID_VSC8531, 0xfffffff0, }, +- { PHY_ID_VSC8540, 0xfffffff0, }, +- { PHY_ID_VSC8541, 0xfffffff0, }, +- { PHY_ID_VSC8552, 0xfffffff0, }, +- { PHY_ID_VSC856X, 0xfffffff0, }, +- { PHY_ID_VSC8572, 0xfffffff0, }, +- { PHY_ID_VSC8574, 0xfffffff0, }, +- { PHY_ID_VSC8575, 0xfffffff0, }, +- { PHY_ID_VSC8582, 0xfffffff0, }, +- { PHY_ID_VSC8584, 0xfffffff0, }, ++ { PHY_ID_MATCH_VENDOR(PHY_VENDOR_MSCC) }, + { } + }; + +-- +2.53.0 + diff --git a/queue-5.15/series b/queue-5.15/series index aa34ceab69..94164aa04a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -49,3 +49,6 @@ drm-dp-add-edp-1.5-bit-definition.patch drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on.patch revert-rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch-82 +phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch +phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch +smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch diff --git a/queue-5.15/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch b/queue-5.15/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch new file mode 100644 index 0000000000..3ed414b2f7 --- /dev/null +++ b/queue-5.15/smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch @@ -0,0 +1,47 @@ +From c005ee76a0c58aabaa318c0be18208a75f8f1237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2026 16:15:09 +0800 +Subject: smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error + path + +From: Stefan Metzmacher + +[ Upstream commit daac51c7032036a0ca5f1aa419ad1b0471d1c6e0 ] + +During tests of another unrelated patch I was able to trigger this +error: Objects remaining on __kmem_cache_shutdown() + +Cc: Steve French +Cc: Tom Talpey +Cc: Long Li +Cc: Namjae Jeon +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection") +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Robert Garcia +Signed-off-by: Sasha Levin +--- + fs/cifs/smbdirect.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c +index 48bd879349fbe2..c9bda34fd2f573 100644 +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -1084,8 +1084,10 @@ static int smbd_negotiate(struct smbd_connection *info) + log_rdma_event(INFO, "smbd_post_recv rc=%d iov.addr=%llx iov.length=%x iov.lkey=%x\n", + rc, response->sge.addr, + response->sge.length, response->sge.lkey); +- if (rc) ++ if (rc) { ++ put_receive_buffer(info, response); + return rc; ++ } + + init_completion(&info->negotiate_completion); + info->negotiate_done = false; +-- +2.53.0 + diff --git a/queue-6.1/hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-wi.patch b/queue-6.1/hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-wi.patch new file mode 100644 index 0000000000..05e4e63469 --- /dev/null +++ b/queue-6.1/hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-wi.patch @@ -0,0 +1,141 @@ +From bf4c0f12674a2b5b7181b447158b17b7ba6e6dba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2026 22:05:08 -0400 +Subject: hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock + +From: Abdurrahman Hussain + +[ Upstream commit bab8c6fb5af8df7e753d196c1262cb78e92ca872 ] + +adm1266_gpio_get(), adm1266_gpio_get_multiple(), and +adm1266_gpio_dbg_show() all issue PMBus reads against the device but +none of them take pmbus_lock. The pmbus_core framework holds +pmbus_lock around its own multi-transaction sequences (notably the +"set PAGE, then read paged register" pattern used by hwmon +attributes), so an unlocked GPIO accessor can land between a PAGE +write and the subsequent paged read in another thread and corrupt +either side's view of the device state machine. + +Take pmbus_lock at the top of each of the three accessors via the +scope-based guard(). The lock is uncontended in the common case and +adds only a single mutex round-trip per call. + +Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs") +Cc: stable@vger.kernel.org +Signed-off-by: Abdurrahman Hussain +Reviewed-by: Bartosz Golaszewski +Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-6-e425e4f88139@nexthop.ai +Signed-off-by: Guenter Roeck +[ open-coded each `guard(pmbus_lock)(data->client)` as explicit `pmbus_lock_interruptible()`/`pmbus_unlock()` ] +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/adm1266.c | 40 +++++++++++++++++++++++++++++------ + 1 file changed, 34 insertions(+), 6 deletions(-) + +diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c +index a616439cecbf51..51e76e4413519e 100644 +--- a/drivers/hwmon/pmbus/adm1266.c ++++ b/drivers/hwmon/pmbus/adm1266.c +@@ -173,7 +173,12 @@ static int adm1266_gpio_get(struct gpio_chip *chip, unsigned int offset) + else + pmbus_cmd = ADM1266_PDIO_STATUS; + ++ ret = pmbus_lock_interruptible(data->client); ++ if (ret) ++ return ret; ++ + ret = i2c_smbus_read_block_data(data->client, pmbus_cmd, read_buf); ++ pmbus_unlock(data->client); + if (ret < 0) + return ret; + if (ret < 2) +@@ -195,11 +200,19 @@ static int adm1266_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask + unsigned int gpio_nr; + int ret; + ++ ret = pmbus_lock_interruptible(data->client); ++ if (ret) ++ return ret; ++ + ret = i2c_smbus_read_block_data(data->client, ADM1266_GPIO_STATUS, read_buf); +- if (ret < 0) ++ if (ret < 0) { ++ pmbus_unlock(data->client); + return ret; +- if (ret < 2) ++ } ++ if (ret < 2) { ++ pmbus_unlock(data->client); + return -EIO; ++ } + + status = read_buf[0] + (read_buf[1] << 8); + +@@ -210,10 +223,14 @@ static int adm1266_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask + } + + ret = i2c_smbus_read_block_data(data->client, ADM1266_PDIO_STATUS, read_buf); +- if (ret < 0) ++ if (ret < 0) { ++ pmbus_unlock(data->client); + return ret; +- if (ret < 2) ++ } ++ if (ret < 2) { ++ pmbus_unlock(data->client); + return -EIO; ++ } + + status = read_buf[0] + (read_buf[1] << 8); + +@@ -222,6 +239,8 @@ static int adm1266_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask + set_bit(gpio_nr, bits); + } + ++ pmbus_unlock(data->client); ++ + return 0; + } + +@@ -236,11 +255,16 @@ static void adm1266_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip) + int ret; + int i; + ++ if (pmbus_lock_interruptible(data->client)) ++ return; ++ + for (i = 0; i < ADM1266_GPIO_NR; i++) { + write_cmd = adm1266_gpio_mapping[i][1]; + ret = adm1266_pmbus_block_xfer(data, ADM1266_GPIO_CONFIG, 1, &write_cmd, read_buf); +- if (ret != 2) ++ if (ret != 2) { ++ pmbus_unlock(data->client); + return; ++ } + + gpio_config = read_buf[0]; + seq_puts(s, adm1266_names[i]); +@@ -262,8 +286,10 @@ static void adm1266_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip) + + write_cmd = 0xFF; + ret = adm1266_pmbus_block_xfer(data, ADM1266_PDIO_CONFIG, 1, &write_cmd, read_buf); +- if (ret != 32) ++ if (ret != 32) { ++ pmbus_unlock(data->client); + return; ++ } + + for (i = 0; i < ADM1266_PDIO_NR; i++) { + seq_puts(s, adm1266_names[ADM1266_GPIO_NR + i]); +@@ -286,6 +312,8 @@ static void adm1266_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip) + + seq_puts(s, ")\n"); + } ++ ++ pmbus_unlock(data->client); + } + + static int adm1266_config_gpio(struct adm1266_data *data) +-- +2.53.0 + diff --git a/queue-6.1/hwmon-pmbus-adm1266-serialize-nvmem-blackbox-read-wi.patch b/queue-6.1/hwmon-pmbus-adm1266-serialize-nvmem-blackbox-read-wi.patch new file mode 100644 index 0000000000..1b1ba225ef --- /dev/null +++ b/queue-6.1/hwmon-pmbus-adm1266-serialize-nvmem-blackbox-read-wi.patch @@ -0,0 +1,81 @@ +From 64a3d1f4ad0b9fce4a5c3745cad06671ec527ed3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2026 07:18:25 -0400 +Subject: hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock + +From: Abdurrahman Hussain + +[ Upstream commit 9f1dd8f9491eb840cbea7ffdf4cad031e25f8ae0 ] + +adm1266_nvmem_read() is the reg_read callback the NVMEM core invokes +when userspace reads /sys/bus/nvmem/devices/.../nvmem on this chip. +On the first byte of every read it does a memset of data->dev_mem, +walks the device blackbox through adm1266_nvmem_read_blackbox() +(which issues a chain of PMBus block transactions), and then memcpys +the refreshed buffer out to userspace. None of that runs under +pmbus_lock today. + +Two consequences: + + - The PMBus traffic the refresh issues is not serialised against + pmbus_core's own multi-step PAGE+register sequences. A paged + hwmon attribute read from another thread can land between a + PAGE write and the paged read in either direction and corrupt + one side's view of the device state machine. + + - The NVMEM core does not serialise concurrent reg_read calls, so + two userspace readers racing at offset 0 can interleave the + memset of data->dev_mem with another reader's + adm1266_nvmem_read_blackbox() refill or memcpy out, returning + torn data to userspace. + +Take pmbus_lock at the top of adm1266_nvmem_read() via the +scope-based guard(). Patch 5 of this series moves +adm1266_config_nvmem() past pmbus_do_probe() so the lock is +guaranteed to be live before the callback is reachable from +userspace. + +Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox") +Cc: stable@vger.kernel.org +Signed-off-by: Abdurrahman Hussain +Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-7-e425e4f88139@nexthop.ai +Signed-off-by: Guenter Roeck +[ adapted `guard(pmbus_lock)(data->client)` to manual `pmbus_lock_interruptible()`/`pmbus_unlock()` ] +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/adm1266.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c +index b212aafae1dc4b..0f1cc0dbfc157b 100644 +--- a/drivers/hwmon/pmbus/adm1266.c ++++ b/drivers/hwmon/pmbus/adm1266.c +@@ -430,18 +430,25 @@ static int adm1266_nvmem_read(void *priv, unsigned int offset, void *val, size_t + if (offset + bytes > data->nvmem_config.size) + return -EINVAL; + ++ ret = pmbus_lock_interruptible(data->client); ++ if (ret) ++ return ret; ++ + if (offset == 0) { + memset(data->dev_mem, 0, data->nvmem_config.size); + + ret = adm1266_nvmem_read_blackbox(data, data->dev_mem); + if (ret) { + dev_err(&data->client->dev, "Could not read blackbox!"); ++ pmbus_unlock(data->client); + return ret; + } + } + + memcpy(val, data->dev_mem + offset, bytes); + ++ pmbus_unlock(data->client); ++ + return 0; + } + +-- +2.53.0 + diff --git a/queue-6.1/hwmon-pmbus-adm1266-serialize-sequencer_state-debugf.patch b/queue-6.1/hwmon-pmbus-adm1266-serialize-sequencer_state-debugf.patch new file mode 100644 index 0000000000..9f6c3b7924 --- /dev/null +++ b/queue-6.1/hwmon-pmbus-adm1266-serialize-sequencer_state-debugf.patch @@ -0,0 +1,58 @@ +From 21aca1521961e5f036f1d34b004cf8ce3a04b381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2026 22:05:43 -0400 +Subject: hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with + pmbus_lock + +From: Abdurrahman Hussain + +[ Upstream commit 4e4af55aaca7f6d7673d5f9889ad0529db86a048 ] + +adm1266_state_read() backs the sequencer_state debugfs entry and +issues an i2c_smbus_read_word_data(client, ADM1266_READ_STATE) +against the device without taking pmbus_lock. pmbus_core holds +pmbus_lock around its own multi-transaction sequences (notably the +"set PAGE, then read paged register" pattern used by hwmon +attributes), so an unlocked debugfs reader can land between a PAGE +write and the subsequent paged read in another thread. READ_STATE +itself is not paged, so it cannot corrupt PAGE in flight, but the +same defensive serialisation that applies to the GPIO accessors +applies here: any direct device access from outside pmbus_core +should be ordered with respect to pmbus_core's own. + +Take pmbus_lock at the top of adm1266_state_read() via the +scope-based guard(). + +Fixes: ed1ff457e187 ("hwmon: (pmbus/adm1266) add debugfs for states") +Cc: stable@vger.kernel.org +Signed-off-by: Abdurrahman Hussain +Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-8-e425e4f88139@nexthop.ai +Signed-off-by: Guenter Roeck +[ open-coded `guard(pmbus_lock)(client)` as `pmbus_lock_interruptible()`/`pmbus_unlock()` ] +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/adm1266.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c +index 51e76e4413519e..b212aafae1dc4b 100644 +--- a/drivers/hwmon/pmbus/adm1266.c ++++ b/drivers/hwmon/pmbus/adm1266.c +@@ -356,7 +356,14 @@ static int adm1266_state_read(struct seq_file *s, void *pdata) + struct i2c_client *client = to_i2c_client(dev); + int ret; + ++ ret = pmbus_lock_interruptible(client); ++ if (ret) ++ return ret; ++ + ret = i2c_smbus_read_word_data(client, ADM1266_READ_STATE); ++ ++ pmbus_unlock(client); ++ + if (ret < 0) + return ret; + +-- +2.53.0 + diff --git a/queue-6.1/net-gro-don-t-merge-zcopy-skbs.patch b/queue-6.1/net-gro-don-t-merge-zcopy-skbs.patch new file mode 100644 index 0000000000..f2e5ee1697 --- /dev/null +++ b/queue-6.1/net-gro-don-t-merge-zcopy-skbs.patch @@ -0,0 +1,51 @@ +From d809e714d594f271b9b330a6d0110ae2c63aa4ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 May 2026 22:44:42 +0200 +Subject: net: gro: don't merge zcopy skbs + +From: Sabrina Dubroca + +[ Upstream commit 4db79a322db8c97f7b73b8a347395ef4d685eb40 ] + +skb_gro_receive() can currently copy frags between the source and GRO +skb, without checking the zerocopy status, and in particular the +SKBFL_MANAGED_FRAG_REFS flag. + +When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference +on the pages in shinfo->frags. Appending those frags to another skb's +frags without fixing up the page refcount can lead to UAF. + +When either the last skb in the GRO chain (the one we would append +frags to) or the source skb is zerocopy, don't merge the skbs. + +Fixes: 753f1ca4e1e5 ("net: introduce managed frags infrastructure") +Reported-by: Huzaifa Sidhpurwala +Signed-off-by: Sabrina Dubroca +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/c3b7f906bbfcbdfd7b4fa9d6c18a438870df85be.1779307748.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +[Salvatore Bonaccorso: Adjust for context in 6.1.y series without +e8d4d34df715 ("net: Add netif_get_gro_max_size helper for GRO")] +Signed-off-by: Salvatore Bonaccorso +Signed-off-by: Sasha Levin +--- + net/core/gro.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/gro.c b/net/core/gro.c +index ea6571c01faa9e..c5a9733d929a95 100644 +--- a/net/core/gro.c ++++ b/net/core/gro.c +@@ -171,6 +171,9 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) + if (p->pp_recycle != skb->pp_recycle) + return -ETOOMANYREFS; + ++ if (skb_zcopy(p) || skb_zcopy(skb)) ++ return -ETOOMANYREFS; ++ + /* pairs with WRITE_ONCE() in netif_set_gro_max_size() */ + gro_max_size = READ_ONCE(p->dev->gro_max_size); + +-- +2.53.0 + diff --git a/queue-6.1/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch b/queue-6.1/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch new file mode 100644 index 0000000000..4dbb8cf6ed --- /dev/null +++ b/queue-6.1/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch @@ -0,0 +1,126 @@ +From f02ad3ac25f689476b67b8e93350c62a6eed26fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 21:13:49 +0200 +Subject: phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, + VSC856X + +From: Horatiu Vultur + +[ Upstream commit 1bc80d673087e5704adbb3ee8e4b785c14899cce ] + +As the PHYs VSC8584, VSC8582, VSC8575 and VSC856X exists only as rev B, +we can use PHY_ID_MATCH_EXACT to match exactly on revision B of the PHY. +Because of this change then there is not need the check if it is a +different revision than rev B in the function vsc8584_probe() as we +already know that this will never happen. +These changes are a preparation for the next patch because in that patch +we will make the PHYs VSC8574 and VSC8572 to use vsc8584_probe() and +these PHYs have multiple revision. + +Reviewed-by: Maxime Chevallier +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20251023191350.190940-2-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc.h | 8 ++++---- + drivers/net/phy/mscc/mscc_main.c | 23 ++++------------------- + 2 files changed, 8 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h +index 4a9c12516f2057..17273895bbb361 100644 +--- a/drivers/net/phy/mscc/mscc.h ++++ b/drivers/net/phy/mscc/mscc.h +@@ -285,12 +285,12 @@ enum rgmii_clock_delay { + #define PHY_ID_VSC8540 0x00070760 + #define PHY_ID_VSC8541 0x00070770 + #define PHY_ID_VSC8552 0x000704e0 +-#define PHY_ID_VSC856X 0x000707e0 ++#define PHY_ID_VSC856X 0x000707e1 + #define PHY_ID_VSC8572 0x000704d0 + #define PHY_ID_VSC8574 0x000704a0 +-#define PHY_ID_VSC8575 0x000707d0 +-#define PHY_ID_VSC8582 0x000707b0 +-#define PHY_ID_VSC8584 0x000707c0 ++#define PHY_ID_VSC8575 0x000707d1 ++#define PHY_ID_VSC8582 0x000707b1 ++#define PHY_ID_VSC8584 0x000707c1 + #define PHY_VENDOR_MSCC 0x00070400 + + #define MSCC_VDDMAC_1500 1500 +diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c +index dd3b102fb4eec9..f1ca1e0b7934c3 100644 +--- a/drivers/net/phy/mscc/mscc_main.c ++++ b/drivers/net/phy/mscc/mscc_main.c +@@ -1713,12 +1713,6 @@ static int vsc8584_config_init(struct phy_device *phydev) + * in this pre-init function. + */ + if (phy_package_init_once(phydev)) { +- /* The following switch statement assumes that the lowest +- * nibble of the phy_id_mask is always 0. This works because +- * the lowest nibble of the PHY_ID's below are also 0. +- */ +- WARN_ON(phydev->drv->phy_id_mask & 0xf); +- + switch (phydev->phy_id & phydev->drv->phy_id_mask) { + case PHY_ID_VSC8504: + case PHY_ID_VSC8552: +@@ -2257,11 +2251,6 @@ static int vsc8584_probe(struct phy_device *phydev) + VSC8531_DUPLEX_COLLISION}; + int ret; + +- if ((phydev->phy_id & MSCC_DEV_REV_MASK) != VSC8584_REVB) { +- dev_err(&phydev->mdio.dev, "Only VSC8584 revB is supported.\n"); +- return -ENOTSUPP; +- } +- + vsc8531 = devm_kzalloc(&phydev->mdio.dev, sizeof(*vsc8531), GFP_KERNEL); + if (!vsc8531) + return -ENOMEM; +@@ -2524,9 +2513,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC856X, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC856X), + .name = "Microsemi GE VSC856X SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2598,9 +2586,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8575, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8575), + .name = "Microsemi GE VSC8575 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2622,9 +2609,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8582, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8582), + .name = "Microsemi GE VSC8582 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2646,9 +2632,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8584, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8584), + .name = "Microsemi GE VSC8584 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +-- +2.53.0 + diff --git a/queue-6.1/phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch b/queue-6.1/phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch new file mode 100644 index 0000000000..44df4f8f30 --- /dev/null +++ b/queue-6.1/phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch @@ -0,0 +1,65 @@ +From 3d4d9ef4f5f68967309f19731aa82e04949b911b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 17:50:16 +0530 +Subject: phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table + +From: Harini Katakam + +[ Upstream commit 31605c01fb242806f5b8c9d08abe11328d514206 ] + +All the PHY devices variants specified have the same mask and +hence can be simplified to one vendor look up for 0x00070400. +Any individual config can be identified by PHY_ID_MATCH_EXACT +in the respective structure. + +Signed-off-by: Harini Katakam +Reviewed-by: Andrew Lunn +Signed-off-by: Jakub Kicinski +Stable-dep-of: 1bc80d673087 ("phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc.h | 1 + + drivers/net/phy/mscc/mscc_main.c | 15 +-------------- + 2 files changed, 2 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h +index fcfbff691b3c6b..4a9c12516f2057 100644 +--- a/drivers/net/phy/mscc/mscc.h ++++ b/drivers/net/phy/mscc/mscc.h +@@ -291,6 +291,7 @@ enum rgmii_clock_delay { + #define PHY_ID_VSC8575 0x000707d0 + #define PHY_ID_VSC8582 0x000707b0 + #define PHY_ID_VSC8584 0x000707c0 ++#define PHY_VENDOR_MSCC 0x00070400 + + #define MSCC_VDDMAC_1500 1500 + #define MSCC_VDDMAC_1800 1800 +diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c +index d9ad8aac580982..dd3b102fb4eec9 100644 +--- a/drivers/net/phy/mscc/mscc_main.c ++++ b/drivers/net/phy/mscc/mscc_main.c +@@ -2676,20 +2676,7 @@ static struct phy_driver vsc85xx_driver[] = { + module_phy_driver(vsc85xx_driver); + + static struct mdio_device_id __maybe_unused vsc85xx_tbl[] = { +- { PHY_ID_VSC8502, 0xfffffff0, }, +- { PHY_ID_VSC8504, 0xfffffff0, }, +- { PHY_ID_VSC8514, 0xfffffff0, }, +- { PHY_ID_VSC8530, 0xfffffff0, }, +- { PHY_ID_VSC8531, 0xfffffff0, }, +- { PHY_ID_VSC8540, 0xfffffff0, }, +- { PHY_ID_VSC8541, 0xfffffff0, }, +- { PHY_ID_VSC8552, 0xfffffff0, }, +- { PHY_ID_VSC856X, 0xfffffff0, }, +- { PHY_ID_VSC8572, 0xfffffff0, }, +- { PHY_ID_VSC8574, 0xfffffff0, }, +- { PHY_ID_VSC8575, 0xfffffff0, }, +- { PHY_ID_VSC8582, 0xfffffff0, }, +- { PHY_ID_VSC8584, 0xfffffff0, }, ++ { PHY_ID_MATCH_VENDOR(PHY_VENDOR_MSCC) }, + { } + }; + +-- +2.53.0 + diff --git a/queue-6.1/series b/queue-6.1/series index d8b5c07ddb..a906f4c3a2 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -73,3 +73,9 @@ drm-i915-psr-read-intel-dpcd-workaround-register.patch drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on.patch revert-rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch-25226 +net-gro-don-t-merge-zcopy-skbs.patch +phy-mscc-use-phy_id_match_vendor-to-minimize-phy-id-.patch +phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch +hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-wi.patch +hwmon-pmbus-adm1266-serialize-sequencer_state-debugf.patch +hwmon-pmbus-adm1266-serialize-nvmem-blackbox-read-wi.patch diff --git a/queue-6.12/arm64-io-extract-user-memory-type-in-ioremap_prot.patch b/queue-6.12/arm64-io-extract-user-memory-type-in-ioremap_prot.patch new file mode 100644 index 0000000000..6b4e20beb0 --- /dev/null +++ b/queue-6.12/arm64-io-extract-user-memory-type-in-ioremap_prot.patch @@ -0,0 +1,83 @@ +From 61d3d2cf56aeebaa3f011667d6043d612b52cb92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2026 09:23:14 +0800 +Subject: arm64: io: Extract user memory type in ioremap_prot() + +From: Will Deacon + +[ Upstream commit 8f098037139b294050053123ab2bc0f819d08932 ] + +The only caller of ioremap_prot() outside of the generic ioremap() +implementation is generic_access_phys(), which passes a 'pgprot_t' value +determined from the user mapping of the target 'pfn' being accessed by +the kernel. On arm64, the 'pgprot_t' contains all of the non-address +bits from the pte, including the permission controls, and so we end up +returning a new user mapping from ioremap_prot() which faults when +accessed from the kernel on systems with PAN: + + | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000 + | ... + | Call trace: + | __memcpy_fromio+0x80/0xf8 + | generic_access_phys+0x20c/0x2b8 + | __access_remote_vm+0x46c/0x5b8 + | access_remote_vm+0x18/0x30 + | environ_read+0x238/0x3e8 + | vfs_read+0xe4/0x2b0 + | ksys_read+0xcc/0x178 + | __arm64_sys_read+0x4c/0x68 + +Extract only the memory type from the user 'pgprot_t' in ioremap_prot() +and assert that we're being passed a user mapping, to protect us against +any changes in future that may require additional handling. To avoid +falsely flagging users of ioremap(), provide our own ioremap() macro +which simply wraps __ioremap_prot(). + +Cc: Zeng Heng +Cc: Jinjiang Tu +Cc: Catalin Marinas +Fixes: 893dea9ccd08 ("arm64: Add HAVE_IOREMAP_PROT support") +Reported-by: Jinjiang Tu +Reviewed-by: Catalin Marinas +Signed-off-by: Will Deacon +[ Modified ioremap_prot() parameter, using "unsigned long user_prot" instead of +"pgprot_t user_prot" to fix conflict with generic header ] +Signed-off-by: Xiangyu Chen +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/io.h | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h +index e6ad41131d80b4..46bd37707e080e 100644 +--- a/arch/arm64/include/asm/io.h ++++ b/arch/arm64/include/asm/io.h +@@ -276,10 +276,23 @@ typedef int (*ioremap_prot_hook_t)(phys_addr_t phys_addr, size_t size, + int arm64_ioremap_prot_hook_register(const ioremap_prot_hook_t hook); + void __iomem *__ioremap_prot(phys_addr_t phys, size_t size, pgprot_t prot); + +-#define ioremap_prot ioremap_prot ++static inline void __iomem *ioremap_prot(phys_addr_t phys, size_t size, ++ unsigned long user_prot) ++{ ++ pgprot_t prot; ++ pteval_t user_prot_val = pgprot_val(__pgprot(user_prot)); ++ ++ if (WARN_ON_ONCE(!(user_prot_val & PTE_USER))) ++ return NULL; + +-#define _PAGE_IOREMAP PROT_DEVICE_nGnRE ++ prot = __pgprot_modify(PAGE_KERNEL, PTE_ATTRINDX_MASK, ++ user_prot_val & PTE_ATTRINDX_MASK); ++ return __ioremap_prot(phys, size, prot); ++} ++#define ioremap_prot ioremap_prot + ++#define ioremap(addr, size) \ ++ __ioremap_prot((addr), (size), __pgprot(PROT_DEVICE_nGnRE)) + #define ioremap_wc(addr, size) \ + __ioremap_prot((addr), (size), __pgprot(PROT_NORMAL_NC)) + #define ioremap_np(addr, size) \ +-- +2.53.0 + diff --git a/queue-6.12/arm64-io-rename-ioremap_prot-to-__ioremap_prot.patch b/queue-6.12/arm64-io-rename-ioremap_prot-to-__ioremap_prot.patch new file mode 100644 index 0000000000..ad64732d32 --- /dev/null +++ b/queue-6.12/arm64-io-rename-ioremap_prot-to-__ioremap_prot.patch @@ -0,0 +1,104 @@ +From 473c04f980037cb6ade45074ea19ce5cfa7a05b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2026 09:23:13 +0800 +Subject: arm64: io: Rename ioremap_prot() to __ioremap_prot() + +From: Will Deacon + +commit f6bf47ab32e0863df50f5501d207dcdddb7fc507 upstream. + +Rename our ioremap_prot() implementation to __ioremap_prot() and convert +all arch-internal callers over to the new function. + +ioremap_prot() remains as a #define to __ioremap_prot() for +generic_access_phys() and will be subsequently extended to handle user +permissions in 'prot'. + +Cc: Zeng Heng +Cc: Jinjiang Tu +Cc: Catalin Marinas +Reviewed-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Xiangyu Chen +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/io.h | 7 ++++--- + arch/arm64/kernel/acpi.c | 2 +- + arch/arm64/mm/ioremap.c | 7 +++---- + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h +index 1ada23a6ec1900..e6ad41131d80b4 100644 +--- a/arch/arm64/include/asm/io.h ++++ b/arch/arm64/include/asm/io.h +@@ -274,15 +274,16 @@ __iowrite64_copy(void __iomem *to, const void *from, size_t count) + typedef int (*ioremap_prot_hook_t)(phys_addr_t phys_addr, size_t size, + pgprot_t *prot); + int arm64_ioremap_prot_hook_register(const ioremap_prot_hook_t hook); ++void __iomem *__ioremap_prot(phys_addr_t phys, size_t size, pgprot_t prot); + + #define ioremap_prot ioremap_prot + + #define _PAGE_IOREMAP PROT_DEVICE_nGnRE + + #define ioremap_wc(addr, size) \ +- ioremap_prot((addr), (size), PROT_NORMAL_NC) ++ __ioremap_prot((addr), (size), __pgprot(PROT_NORMAL_NC)) + #define ioremap_np(addr, size) \ +- ioremap_prot((addr), (size), PROT_DEVICE_nGnRnE) ++ __ioremap_prot((addr), (size), __pgprot(PROT_DEVICE_nGnRnE)) + + /* + * io{read,write}{16,32,64}be() macros +@@ -303,7 +304,7 @@ static inline void __iomem *ioremap_cache(phys_addr_t addr, size_t size) + if (pfn_is_map_memory(__phys_to_pfn(addr))) + return (void __iomem *)__phys_to_virt(addr); + +- return ioremap_prot(addr, size, PROT_NORMAL); ++ return __ioremap_prot(addr, size, __pgprot(PROT_NORMAL)); + } + + /* +diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c +index e6f66491fbe932..a99476819e6b2d 100644 +--- a/arch/arm64/kernel/acpi.c ++++ b/arch/arm64/kernel/acpi.c +@@ -379,7 +379,7 @@ void __iomem *acpi_os_ioremap(acpi_physical_address phys, acpi_size size) + prot = __acpi_get_writethrough_mem_attribute(); + } + } +- return ioremap_prot(phys, size, pgprot_val(prot)); ++ return __ioremap_prot(phys, size, prot); + } + + /* +diff --git a/arch/arm64/mm/ioremap.c b/arch/arm64/mm/ioremap.c +index 6cc0b7e7eb0384..1e4794a2af7d63 100644 +--- a/arch/arm64/mm/ioremap.c ++++ b/arch/arm64/mm/ioremap.c +@@ -14,11 +14,10 @@ int arm64_ioremap_prot_hook_register(ioremap_prot_hook_t hook) + return 0; + } + +-void __iomem *ioremap_prot(phys_addr_t phys_addr, size_t size, +- unsigned long prot) ++void __iomem *__ioremap_prot(phys_addr_t phys_addr, size_t size, ++ pgprot_t pgprot) + { + unsigned long last_addr = phys_addr + size - 1; +- pgprot_t pgprot = __pgprot(prot); + + /* Don't allow outside PHYS_MASK */ + if (last_addr & ~PHYS_MASK) +@@ -39,7 +38,7 @@ void __iomem *ioremap_prot(phys_addr_t phys_addr, size_t size, + + return generic_ioremap_prot(phys_addr, size, pgprot); + } +-EXPORT_SYMBOL(ioremap_prot); ++EXPORT_SYMBOL(__ioremap_prot); + + /* + * Must be called after early_fixmap_init +-- +2.53.0 + diff --git a/queue-6.12/batman-adv-tt-prevent-tvlv-entry-number-overflow.patch b/queue-6.12/batman-adv-tt-prevent-tvlv-entry-number-overflow.patch new file mode 100644 index 0000000000..93ff47f4ba --- /dev/null +++ b/queue-6.12/batman-adv-tt-prevent-tvlv-entry-number-overflow.patch @@ -0,0 +1,80 @@ +From 280c2e9bc32f730eea157ab2d93336711b2aa441 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 May 2026 20:06:18 +0200 +Subject: batman-adv: tt: prevent TVLV entry number overflow + +From: Sven Eckelmann + +commit 99d9958fa10fb684b2a8e2c48a8d704122721420 upstream. + +The helpers to prepare the buffers for the local and global TT based +replies are trying to sum up all TT entries which can be found for each +VLAN. In theory, this sum can be too big for an u16 and therefore overflow. +A too small buffer would then be allocated for the TVLV. + +The too small buffer will be handled gracefully by +batadv_tt_tvlv_generate() and is not causing a buffer overflow - just a +truncated reply. But this overflow shouldn't have happened in the first and +the too small buffer should never have been allocated when an overflow was +detected. + +Cc: stable@kernel.org +Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") +Signed-off-by: Sven Eckelmann +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index 4045ddefc29b47..7041cd69e20070 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -850,11 +850,18 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node, + u16 total_entries = 0; + u8 *tt_change_ptr; + int vlan_entries; ++ u16 sum_entries; + + spin_lock_bh(&orig_node->vlan_list_lock); + hlist_for_each_entry(vlan, &orig_node->vlan_list, list) { + vlan_entries = atomic_read(&vlan->tt.num_entries); +- total_entries += vlan_entries; ++ ++ if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) { ++ *tt_len = 0; ++ goto out; ++ } ++ ++ total_entries = sum_entries; + num_vlan++; + } + +@@ -941,15 +948,22 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv, + struct batadv_softif_vlan *vlan; + size_t change_offset; + u16 num_vlan = 0; +- u16 vlan_entries = 0; + u16 total_entries = 0; + u16 tvlv_len; + u8 *tt_change_ptr; ++ int vlan_entries; ++ u16 sum_entries; + + spin_lock_bh(&bat_priv->softif_vlan_list_lock); + hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) { + vlan_entries = atomic_read(&vlan->tt.num_entries); +- total_entries += vlan_entries; ++ ++ if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) { ++ tvlv_len = 0; ++ goto out; ++ } ++ ++ total_entries = sum_entries; + num_vlan++; + } + +-- +2.53.0 + diff --git a/queue-6.12/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch b/queue-6.12/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch new file mode 100644 index 0000000000..72f86261a4 --- /dev/null +++ b/queue-6.12/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch @@ -0,0 +1,126 @@ +From 5da36ad31340fdedcb796df84e463fccc99e089e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 21:13:49 +0200 +Subject: phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, + VSC856X + +From: Horatiu Vultur + +[ Upstream commit 1bc80d673087e5704adbb3ee8e4b785c14899cce ] + +As the PHYs VSC8584, VSC8582, VSC8575 and VSC856X exists only as rev B, +we can use PHY_ID_MATCH_EXACT to match exactly on revision B of the PHY. +Because of this change then there is not need the check if it is a +different revision than rev B in the function vsc8584_probe() as we +already know that this will never happen. +These changes are a preparation for the next patch because in that patch +we will make the PHYs VSC8574 and VSC8572 to use vsc8584_probe() and +these PHYs have multiple revision. + +Reviewed-by: Maxime Chevallier +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20251023191350.190940-2-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc.h | 8 ++++---- + drivers/net/phy/mscc/mscc_main.c | 23 ++++------------------- + 2 files changed, 8 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h +index 2bfe314ef881c3..105191c43a2c2a 100644 +--- a/drivers/net/phy/mscc/mscc.h ++++ b/drivers/net/phy/mscc/mscc.h +@@ -286,12 +286,12 @@ enum rgmii_clock_delay { + #define PHY_ID_VSC8540 0x00070760 + #define PHY_ID_VSC8541 0x00070770 + #define PHY_ID_VSC8552 0x000704e0 +-#define PHY_ID_VSC856X 0x000707e0 ++#define PHY_ID_VSC856X 0x000707e1 + #define PHY_ID_VSC8572 0x000704d0 + #define PHY_ID_VSC8574 0x000704a0 +-#define PHY_ID_VSC8575 0x000707d0 +-#define PHY_ID_VSC8582 0x000707b0 +-#define PHY_ID_VSC8584 0x000707c0 ++#define PHY_ID_VSC8575 0x000707d1 ++#define PHY_ID_VSC8582 0x000707b1 ++#define PHY_ID_VSC8584 0x000707c1 + #define PHY_VENDOR_MSCC 0x00070400 + + #define MSCC_VDDMAC_1500 1500 +diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c +index a8e587dd96c5cb..7297dea1602734 100644 +--- a/drivers/net/phy/mscc/mscc_main.c ++++ b/drivers/net/phy/mscc/mscc_main.c +@@ -1724,12 +1724,6 @@ static int vsc8584_config_init(struct phy_device *phydev) + * in this pre-init function. + */ + if (phy_package_init_once(phydev)) { +- /* The following switch statement assumes that the lowest +- * nibble of the phy_id_mask is always 0. This works because +- * the lowest nibble of the PHY_ID's below are also 0. +- */ +- WARN_ON(phydev->drv->phy_id_mask & 0xf); +- + switch (phydev->phy_id & phydev->drv->phy_id_mask) { + case PHY_ID_VSC8504: + case PHY_ID_VSC8552: +@@ -2268,11 +2262,6 @@ static int vsc8584_probe(struct phy_device *phydev) + VSC8531_DUPLEX_COLLISION}; + int ret; + +- if ((phydev->phy_id & MSCC_DEV_REV_MASK) != VSC8584_REVB) { +- dev_err(&phydev->mdio.dev, "Only VSC8584 revB is supported.\n"); +- return -ENOTSUPP; +- } +- + vsc8531 = devm_kzalloc(&phydev->mdio.dev, sizeof(*vsc8531), GFP_KERNEL); + if (!vsc8531) + return -ENOMEM; +@@ -2559,9 +2548,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC856X, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC856X), + .name = "Microsemi GE VSC856X SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2633,9 +2621,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8575, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8575), + .name = "Microsemi GE VSC8575 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2657,9 +2644,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8582, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8582), + .name = "Microsemi GE VSC8582 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2681,9 +2667,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8584, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8584), + .name = "Microsemi GE VSC8584 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series index c58c319a72..5790ebef97 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -118,3 +118,7 @@ drm-i915-psr-add-defininitions-for-intel_wa_register.patch drm-i915-psr-read-intel-dpcd-workaround-register.patch drm-dp-add-edp-1.5-bit-definition.patch drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on.patch +arm64-io-rename-ioremap_prot-to-__ioremap_prot.patch +arm64-io-extract-user-memory-type-in-ioremap_prot.patch +phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch +batman-adv-tt-prevent-tvlv-entry-number-overflow.patch diff --git a/queue-6.18/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch b/queue-6.18/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch new file mode 100644 index 0000000000..14281c9564 --- /dev/null +++ b/queue-6.18/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch @@ -0,0 +1,126 @@ +From ba9cd7d8db9acbf25fdfefad0345c6b4e1612ca8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 21:13:49 +0200 +Subject: phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, + VSC856X + +From: Horatiu Vultur + +[ Upstream commit 1bc80d673087e5704adbb3ee8e4b785c14899cce ] + +As the PHYs VSC8584, VSC8582, VSC8575 and VSC856X exists only as rev B, +we can use PHY_ID_MATCH_EXACT to match exactly on revision B of the PHY. +Because of this change then there is not need the check if it is a +different revision than rev B in the function vsc8584_probe() as we +already know that this will never happen. +These changes are a preparation for the next patch because in that patch +we will make the PHYs VSC8574 and VSC8572 to use vsc8584_probe() and +these PHYs have multiple revision. + +Reviewed-by: Maxime Chevallier +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20251023191350.190940-2-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc.h | 8 ++++---- + drivers/net/phy/mscc/mscc_main.c | 23 ++++------------------- + 2 files changed, 8 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h +index 2d8eca54c40a29..2eef5956b9cc59 100644 +--- a/drivers/net/phy/mscc/mscc.h ++++ b/drivers/net/phy/mscc/mscc.h +@@ -289,12 +289,12 @@ enum rgmii_clock_delay { + #define PHY_ID_VSC8540 0x00070760 + #define PHY_ID_VSC8541 0x00070770 + #define PHY_ID_VSC8552 0x000704e0 +-#define PHY_ID_VSC856X 0x000707e0 ++#define PHY_ID_VSC856X 0x000707e1 + #define PHY_ID_VSC8572 0x000704d0 + #define PHY_ID_VSC8574 0x000704a0 +-#define PHY_ID_VSC8575 0x000707d0 +-#define PHY_ID_VSC8582 0x000707b0 +-#define PHY_ID_VSC8584 0x000707c0 ++#define PHY_ID_VSC8575 0x000707d1 ++#define PHY_ID_VSC8582 0x000707b1 ++#define PHY_ID_VSC8584 0x000707c1 + #define PHY_VENDOR_MSCC 0x00070400 + + #define MSCC_VDDMAC_1500 1500 +diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c +index 48d43f60b8ff8c..8678ebf89cca51 100644 +--- a/drivers/net/phy/mscc/mscc_main.c ++++ b/drivers/net/phy/mscc/mscc_main.c +@@ -1724,12 +1724,6 @@ static int vsc8584_config_init(struct phy_device *phydev) + * in this pre-init function. + */ + if (phy_package_init_once(phydev)) { +- /* The following switch statement assumes that the lowest +- * nibble of the phy_id_mask is always 0. This works because +- * the lowest nibble of the PHY_ID's below are also 0. +- */ +- WARN_ON(phydev->drv->phy_id_mask & 0xf); +- + switch (phydev->phy_id & phydev->drv->phy_id_mask) { + case PHY_ID_VSC8504: + case PHY_ID_VSC8552: +@@ -2290,11 +2284,6 @@ static int vsc8584_probe(struct phy_device *phydev) + VSC8531_DUPLEX_COLLISION}; + int ret; + +- if ((phydev->phy_id & MSCC_DEV_REV_MASK) != VSC8584_REVB) { +- dev_err(&phydev->mdio.dev, "Only VSC8584 revB is supported.\n"); +- return -ENOTSUPP; +- } +- + vsc8531 = devm_kzalloc(&phydev->mdio.dev, sizeof(*vsc8531), GFP_KERNEL); + if (!vsc8531) + return -ENOMEM; +@@ -2587,9 +2576,8 @@ static struct phy_driver vsc85xx_driver[] = { + .config_inband = vsc85xx_config_inband, + }, + { +- .phy_id = PHY_ID_VSC856X, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC856X), + .name = "Microsemi GE VSC856X SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2667,9 +2655,8 @@ static struct phy_driver vsc85xx_driver[] = { + .config_inband = vsc85xx_config_inband, + }, + { +- .phy_id = PHY_ID_VSC8575, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8575), + .name = "Microsemi GE VSC8575 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2693,9 +2680,8 @@ static struct phy_driver vsc85xx_driver[] = { + .config_inband = vsc85xx_config_inband, + }, + { +- .phy_id = PHY_ID_VSC8582, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8582), + .name = "Microsemi GE VSC8582 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2719,9 +2705,8 @@ static struct phy_driver vsc85xx_driver[] = { + .config_inband = vsc85xx_config_inband, + }, + { +- .phy_id = PHY_ID_VSC8584, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8584), + .name = "Microsemi GE VSC8584 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +-- +2.53.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 24e6004d59..596b0449f2 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -99,3 +99,4 @@ s390-cio-restore-gfp_dma-for-chsc-allocation.patch drm-i915-psr-add-defininitions-for-intel_wa_register.patch drm-i915-psr-read-intel-dpcd-workaround-register.patch drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on.patch +phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch diff --git a/queue-6.6/arm64-io-extract-user-memory-type-in-ioremap_prot.patch b/queue-6.6/arm64-io-extract-user-memory-type-in-ioremap_prot.patch new file mode 100644 index 0000000000..8ca66f1760 --- /dev/null +++ b/queue-6.6/arm64-io-extract-user-memory-type-in-ioremap_prot.patch @@ -0,0 +1,83 @@ +From b3fb496049c10834d5cdc0d7b0a117c6d3ffaee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2026 17:50:25 +0800 +Subject: arm64: io: Extract user memory type in ioremap_prot() + +From: Will Deacon + +[ Upstream commit 8f098037139b294050053123ab2bc0f819d08932 ] + +The only caller of ioremap_prot() outside of the generic ioremap() +implementation is generic_access_phys(), which passes a 'pgprot_t' value +determined from the user mapping of the target 'pfn' being accessed by +the kernel. On arm64, the 'pgprot_t' contains all of the non-address +bits from the pte, including the permission controls, and so we end up +returning a new user mapping from ioremap_prot() which faults when +accessed from the kernel on systems with PAN: + + | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000 + | ... + | Call trace: + | __memcpy_fromio+0x80/0xf8 + | generic_access_phys+0x20c/0x2b8 + | __access_remote_vm+0x46c/0x5b8 + | access_remote_vm+0x18/0x30 + | environ_read+0x238/0x3e8 + | vfs_read+0xe4/0x2b0 + | ksys_read+0xcc/0x178 + | __arm64_sys_read+0x4c/0x68 + +Extract only the memory type from the user 'pgprot_t' in ioremap_prot() +and assert that we're being passed a user mapping, to protect us against +any changes in future that may require additional handling. To avoid +falsely flagging users of ioremap(), provide our own ioremap() macro +which simply wraps __ioremap_prot(). + +Cc: Zeng Heng +Cc: Jinjiang Tu +Cc: Catalin Marinas +Fixes: 893dea9ccd08 ("arm64: Add HAVE_IOREMAP_PROT support") +Reported-by: Jinjiang Tu +Reviewed-by: Catalin Marinas +Signed-off-by: Will Deacon +[ Modified ioremap_prot() parameter, using "unsigned long user_prot" instead of +"pgprot_t user_prot" to fix conflict with generic header. ] +Signed-off-by: Xiangyu Chen +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/io.h | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h +index 46d9f3f8290828..8fae8746eb98da 100644 +--- a/arch/arm64/include/asm/io.h ++++ b/arch/arm64/include/asm/io.h +@@ -141,10 +141,23 @@ extern void __memset_io(volatile void __iomem *, int, size_t); + + void __iomem *__ioremap_prot(phys_addr_t phys, size_t size, pgprot_t prot); + +-#define ioremap_prot ioremap_prot ++static inline void __iomem *ioremap_prot(phys_addr_t phys, size_t size, ++ unsigned long user_prot) ++{ ++ pgprot_t prot; ++ pteval_t user_prot_val = pgprot_val(__pgprot(user_prot)); ++ ++ if (WARN_ON_ONCE(!(user_prot_val & PTE_USER))) ++ return NULL; + +-#define _PAGE_IOREMAP PROT_DEVICE_nGnRE ++ prot = __pgprot_modify(PAGE_KERNEL, PTE_ATTRINDX_MASK, ++ user_prot_val & PTE_ATTRINDX_MASK); ++ return __ioremap_prot(phys, size, prot); ++} ++#define ioremap_prot ioremap_prot + ++#define ioremap(addr, size) \ ++ __ioremap_prot((addr), (size), __pgprot(PROT_DEVICE_nGnRE)) + #define ioremap_wc(addr, size) \ + __ioremap_prot((addr), (size), __pgprot(PROT_NORMAL_NC)) + #define ioremap_np(addr, size) \ +-- +2.53.0 + diff --git a/queue-6.6/arm64-io-rename-ioremap_prot-to-__ioremap_prot.patch b/queue-6.6/arm64-io-rename-ioremap_prot-to-__ioremap_prot.patch new file mode 100644 index 0000000000..c97e15cc42 --- /dev/null +++ b/queue-6.6/arm64-io-rename-ioremap_prot-to-__ioremap_prot.patch @@ -0,0 +1,104 @@ +From 31a94619372d15477bc0ce61a6b3ec0061d6a8db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2026 17:50:24 +0800 +Subject: arm64: io: Rename ioremap_prot() to __ioremap_prot() + +From: Will Deacon + +commit f6bf47ab32e0863df50f5501d207dcdddb7fc507 upstream. + +Rename our ioremap_prot() implementation to __ioremap_prot() and convert +all arch-internal callers over to the new function. + +ioremap_prot() remains as a #define to __ioremap_prot() for +generic_access_phys() and will be subsequently extended to handle user +permissions in 'prot'. + +Cc: Zeng Heng +Cc: Jinjiang Tu +Cc: Catalin Marinas +Reviewed-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Xiangyu Chen +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/io.h | 8 +++++--- + arch/arm64/kernel/acpi.c | 2 +- + arch/arm64/mm/ioremap.c | 8 ++++---- + 3 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h +index 3b694511b98f83..46d9f3f8290828 100644 +--- a/arch/arm64/include/asm/io.h ++++ b/arch/arm64/include/asm/io.h +@@ -139,14 +139,16 @@ extern void __memset_io(volatile void __iomem *, int, size_t); + * I/O memory mapping functions. + */ + ++void __iomem *__ioremap_prot(phys_addr_t phys, size_t size, pgprot_t prot); ++ + #define ioremap_prot ioremap_prot + + #define _PAGE_IOREMAP PROT_DEVICE_nGnRE + + #define ioremap_wc(addr, size) \ +- ioremap_prot((addr), (size), PROT_NORMAL_NC) ++ __ioremap_prot((addr), (size), __pgprot(PROT_NORMAL_NC)) + #define ioremap_np(addr, size) \ +- ioremap_prot((addr), (size), PROT_DEVICE_nGnRnE) ++ __ioremap_prot((addr), (size), __pgprot(PROT_DEVICE_nGnRnE)) + + /* + * io{read,write}{16,32,64}be() macros +@@ -167,7 +169,7 @@ static inline void __iomem *ioremap_cache(phys_addr_t addr, size_t size) + if (pfn_is_map_memory(__phys_to_pfn(addr))) + return (void __iomem *)__phys_to_virt(addr); + +- return ioremap_prot(addr, size, PROT_NORMAL); ++ return __ioremap_prot(addr, size, __pgprot(PROT_NORMAL)); + } + + /* +diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c +index dba8fcec7f33d6..0b06e6c2ebc4de 100644 +--- a/arch/arm64/kernel/acpi.c ++++ b/arch/arm64/kernel/acpi.c +@@ -352,7 +352,7 @@ void __iomem *acpi_os_ioremap(acpi_physical_address phys, acpi_size size) + prot = __acpi_get_writethrough_mem_attribute(); + } + } +- return ioremap_prot(phys, size, pgprot_val(prot)); ++ return __ioremap_prot(phys, size, prot); + } + + /* +diff --git a/arch/arm64/mm/ioremap.c b/arch/arm64/mm/ioremap.c +index 269f2f63ab7dc4..49fd31e33c3146 100644 +--- a/arch/arm64/mm/ioremap.c ++++ b/arch/arm64/mm/ioremap.c +@@ -3,8 +3,8 @@ + #include + #include + +-void __iomem *ioremap_prot(phys_addr_t phys_addr, size_t size, +- unsigned long prot) ++void __iomem *__ioremap_prot(phys_addr_t phys_addr, size_t size, ++ pgprot_t pgprot) + { + unsigned long last_addr = phys_addr + size - 1; + +@@ -16,9 +16,9 @@ void __iomem *ioremap_prot(phys_addr_t phys_addr, size_t size, + if (WARN_ON(pfn_is_map_memory(__phys_to_pfn(phys_addr)))) + return NULL; + +- return generic_ioremap_prot(phys_addr, size, __pgprot(prot)); ++ return generic_ioremap_prot(phys_addr, size, pgprot); + } +-EXPORT_SYMBOL(ioremap_prot); ++EXPORT_SYMBOL(__ioremap_prot); + + /* + * Must be called after early_fixmap_init +-- +2.53.0 + diff --git a/queue-6.6/hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-wi.patch b/queue-6.6/hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-wi.patch new file mode 100644 index 0000000000..53d7283455 --- /dev/null +++ b/queue-6.6/hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-wi.patch @@ -0,0 +1,141 @@ +From 061d948cdb99b51e36666fafc42383fde52512c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2026 22:06:29 -0400 +Subject: hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock + +From: Abdurrahman Hussain + +[ Upstream commit bab8c6fb5af8df7e753d196c1262cb78e92ca872 ] + +adm1266_gpio_get(), adm1266_gpio_get_multiple(), and +adm1266_gpio_dbg_show() all issue PMBus reads against the device but +none of them take pmbus_lock. The pmbus_core framework holds +pmbus_lock around its own multi-transaction sequences (notably the +"set PAGE, then read paged register" pattern used by hwmon +attributes), so an unlocked GPIO accessor can land between a PAGE +write and the subsequent paged read in another thread and corrupt +either side's view of the device state machine. + +Take pmbus_lock at the top of each of the three accessors via the +scope-based guard(). The lock is uncontended in the common case and +adds only a single mutex round-trip per call. + +Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs") +Cc: stable@vger.kernel.org +Signed-off-by: Abdurrahman Hussain +Reviewed-by: Bartosz Golaszewski +Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-6-e425e4f88139@nexthop.ai +Signed-off-by: Guenter Roeck +[ open-coded `guard(pmbus_lock)()` as explicit `pmbus_lock_interruptible()`/`pmbus_unlock()` ] +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/adm1266.c | 40 +++++++++++++++++++++++++++++------ + 1 file changed, 34 insertions(+), 6 deletions(-) + +diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c +index a8690d6c9b9cb0..518eaf07a123de 100644 +--- a/drivers/hwmon/pmbus/adm1266.c ++++ b/drivers/hwmon/pmbus/adm1266.c +@@ -173,7 +173,12 @@ static int adm1266_gpio_get(struct gpio_chip *chip, unsigned int offset) + else + pmbus_cmd = ADM1266_PDIO_STATUS; + ++ ret = pmbus_lock_interruptible(data->client); ++ if (ret) ++ return ret; ++ + ret = i2c_smbus_read_block_data(data->client, pmbus_cmd, read_buf); ++ pmbus_unlock(data->client); + if (ret < 0) + return ret; + if (ret < 2) +@@ -195,11 +200,19 @@ static int adm1266_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask + unsigned int gpio_nr; + int ret; + ++ ret = pmbus_lock_interruptible(data->client); ++ if (ret) ++ return ret; ++ + ret = i2c_smbus_read_block_data(data->client, ADM1266_GPIO_STATUS, read_buf); +- if (ret < 0) ++ if (ret < 0) { ++ pmbus_unlock(data->client); + return ret; +- if (ret < 2) ++ } ++ if (ret < 2) { ++ pmbus_unlock(data->client); + return -EIO; ++ } + + status = read_buf[0] + (read_buf[1] << 8); + +@@ -210,10 +223,14 @@ static int adm1266_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask + } + + ret = i2c_smbus_read_block_data(data->client, ADM1266_PDIO_STATUS, read_buf); +- if (ret < 0) ++ if (ret < 0) { ++ pmbus_unlock(data->client); + return ret; +- if (ret < 2) ++ } ++ if (ret < 2) { ++ pmbus_unlock(data->client); + return -EIO; ++ } + + status = read_buf[0] + (read_buf[1] << 8); + +@@ -222,6 +239,8 @@ static int adm1266_gpio_get_multiple(struct gpio_chip *chip, unsigned long *mask + set_bit(gpio_nr, bits); + } + ++ pmbus_unlock(data->client); ++ + return 0; + } + +@@ -236,11 +255,16 @@ static void adm1266_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip) + int ret; + int i; + ++ if (pmbus_lock_interruptible(data->client)) ++ return; ++ + for (i = 0; i < ADM1266_GPIO_NR; i++) { + write_cmd = adm1266_gpio_mapping[i][1]; + ret = adm1266_pmbus_block_xfer(data, ADM1266_GPIO_CONFIG, 1, &write_cmd, read_buf); +- if (ret != 2) ++ if (ret != 2) { ++ pmbus_unlock(data->client); + return; ++ } + + gpio_config = read_buf[0]; + seq_puts(s, adm1266_names[i]); +@@ -262,8 +286,10 @@ static void adm1266_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip) + + write_cmd = 0xFF; + ret = adm1266_pmbus_block_xfer(data, ADM1266_PDIO_CONFIG, 1, &write_cmd, read_buf); +- if (ret != 32) ++ if (ret != 32) { ++ pmbus_unlock(data->client); + return; ++ } + + for (i = 0; i < ADM1266_PDIO_NR; i++) { + seq_puts(s, adm1266_names[ADM1266_GPIO_NR + i]); +@@ -286,6 +312,8 @@ static void adm1266_gpio_dbg_show(struct seq_file *s, struct gpio_chip *chip) + + seq_puts(s, ")\n"); + } ++ ++ pmbus_unlock(data->client); + } + + static int adm1266_config_gpio(struct adm1266_data *data) +-- +2.53.0 + diff --git a/queue-6.6/hwmon-pmbus-adm1266-serialize-nvmem-blackbox-read-wi.patch b/queue-6.6/hwmon-pmbus-adm1266-serialize-nvmem-blackbox-read-wi.patch new file mode 100644 index 0000000000..1e2b65b794 --- /dev/null +++ b/queue-6.6/hwmon-pmbus-adm1266-serialize-nvmem-blackbox-read-wi.patch @@ -0,0 +1,81 @@ +From 4a9d5968c5aa22396da94f79f471a910e06db28c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jun 2026 22:06:01 -0400 +Subject: hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock + +From: Abdurrahman Hussain + +[ Upstream commit 9f1dd8f9491eb840cbea7ffdf4cad031e25f8ae0 ] + +adm1266_nvmem_read() is the reg_read callback the NVMEM core invokes +when userspace reads /sys/bus/nvmem/devices/.../nvmem on this chip. +On the first byte of every read it does a memset of data->dev_mem, +walks the device blackbox through adm1266_nvmem_read_blackbox() +(which issues a chain of PMBus block transactions), and then memcpys +the refreshed buffer out to userspace. None of that runs under +pmbus_lock today. + +Two consequences: + + - The PMBus traffic the refresh issues is not serialised against + pmbus_core's own multi-step PAGE+register sequences. A paged + hwmon attribute read from another thread can land between a + PAGE write and the paged read in either direction and corrupt + one side's view of the device state machine. + + - The NVMEM core does not serialise concurrent reg_read calls, so + two userspace readers racing at offset 0 can interleave the + memset of data->dev_mem with another reader's + adm1266_nvmem_read_blackbox() refill or memcpy out, returning + torn data to userspace. + +Take pmbus_lock at the top of adm1266_nvmem_read() via the +scope-based guard(). Patch 5 of this series moves +adm1266_config_nvmem() past pmbus_do_probe() so the lock is +guaranteed to be live before the callback is reachable from +userspace. + +Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox") +Cc: stable@vger.kernel.org +Signed-off-by: Abdurrahman Hussain +Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-7-e425e4f88139@nexthop.ai +Signed-off-by: Guenter Roeck +[ adapted `guard(pmbus_lock)(data->client)` to manual `pmbus_lock_interruptible()`/`pmbus_unlock()` ] +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/adm1266.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/hwmon/pmbus/adm1266.c b/drivers/hwmon/pmbus/adm1266.c +index 518eaf07a123de..432846ef0cf45d 100644 +--- a/drivers/hwmon/pmbus/adm1266.c ++++ b/drivers/hwmon/pmbus/adm1266.c +@@ -421,18 +421,25 @@ static int adm1266_nvmem_read(void *priv, unsigned int offset, void *val, size_t + if (offset + bytes > data->nvmem_config.size) + return -EINVAL; + ++ ret = pmbus_lock_interruptible(data->client); ++ if (ret) ++ return ret; ++ + if (offset == 0) { + memset(data->dev_mem, 0, data->nvmem_config.size); + + ret = adm1266_nvmem_read_blackbox(data, data->dev_mem); + if (ret) { + dev_err(&data->client->dev, "Could not read blackbox!"); ++ pmbus_unlock(data->client); + return ret; + } + } + + memcpy(val, data->dev_mem + offset, bytes); + ++ pmbus_unlock(data->client); ++ + return 0; + } + +-- +2.53.0 + diff --git a/queue-6.6/ima-verify-the-previous-kernel-s-ima-buffer-lies-in-.patch b/queue-6.6/ima-verify-the-previous-kernel-s-ima-buffer-lies-in-.patch new file mode 100644 index 0000000000..1cb757081b --- /dev/null +++ b/queue-6.6/ima-verify-the-previous-kernel-s-ima-buffer-lies-in-.patch @@ -0,0 +1,130 @@ +From df4dd377d47cfffed8c8eef637ecb978134f69ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2026 21:02:37 +0800 +Subject: ima: verify the previous kernel's IMA buffer lies in addressable RAM + +From: Harshit Mogalapalli + +[ Upstream commit 10d1c75ed4382a8e79874379caa2ead8952734f9 ] + +Patch series "Address page fault in ima_restore_measurement_list()", v3. + +When the second-stage kernel is booted via kexec with a limiting command +line such as "mem=" we observe a pafe fault that happens. + + BUG: unable to handle page fault for address: ffff97793ff47000 + RIP: ima_restore_measurement_list+0xdc/0x45a + #PF: error_code(0x0000) not-present page + +This happens on x86_64 only, as this is already fixed in aarch64 in +commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer +against memory bounds") + +This patch (of 3): + +When the second-stage kernel is booted with a limiting command line (e.g. +"mem="), the IMA measurement buffer handed over from the previous +kernel may fall outside the addressable RAM of the new kernel. Accessing +such a buffer can fault during early restore. + +Introduce a small generic helper, ima_validate_range(), which verifies +that a physical [start, end] range for the previous-kernel IMA buffer lies +within addressable memory: + - On x86, use pfn_range_is_mapped(). + - On OF based architectures, use page_is_ram(). + +Link: https://lkml.kernel.org/r/20251231061609.907170-1-harshit.m.mogalapalli@oracle.com +Link: https://lkml.kernel.org/r/20251231061609.907170-2-harshit.m.mogalapalli@oracle.com +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Mimi Zohar +Cc: Alexander Graf +Cc: Ard Biesheuvel +Cc: Borislav Betkov +Cc: guoweikang +Cc: Henry Willard +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Jiri Bohac +Cc: Joel Granados +Cc: Jonathan McDowell +Cc: Mike Rapoport +Cc: Paul Webb +Cc: Sohil Mehta +Cc: Sourabh Jain +Cc: Thomas Gleinxer +Cc: Yifei Liu +Cc: Baoquan He +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Wenshan Lan +Signed-off-by: Sasha Levin +--- + include/linux/ima.h | 1 + + security/integrity/ima/ima_kexec.c | 35 ++++++++++++++++++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/include/linux/ima.h b/include/linux/ima.h +index 86b57757c7b100..1ae8647576ff53 100644 +--- a/include/linux/ima.h ++++ b/include/linux/ima.h +@@ -145,6 +145,7 @@ static inline int ima_measure_critical_data(const char *event_label, + #ifdef CONFIG_HAVE_IMA_KEXEC + int __init ima_free_kexec_buffer(void); + int __init ima_get_kexec_buffer(void **addr, size_t *size); ++int ima_validate_range(phys_addr_t phys, size_t size); + #endif + + #ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT +diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c +index ad133fe120db29..d7c18d8a31035e 100644 +--- a/security/integrity/ima/ima_kexec.c ++++ b/security/integrity/ima/ima_kexec.c +@@ -12,6 +12,8 @@ + #include + #include + #include ++#include ++#include + #include "ima.h" + + #ifdef CONFIG_IMA_KEXEC +@@ -164,3 +166,36 @@ void __init ima_load_kexec_buffer(void) + pr_debug("Error restoring the measurement list: %d\n", rc); + } + } ++ ++/* ++ * ima_validate_range - verify a physical buffer lies in addressable RAM ++ * @phys: physical start address of the buffer from previous kernel ++ * @size: size of the buffer ++ * ++ * On success return 0. On failure returns -EINVAL so callers can skip ++ * restoring. ++ */ ++int ima_validate_range(phys_addr_t phys, size_t size) ++{ ++ unsigned long start_pfn, end_pfn; ++ phys_addr_t end_phys; ++ ++ if (check_add_overflow(phys, (phys_addr_t)size - 1, &end_phys)) ++ return -EINVAL; ++ ++ start_pfn = PHYS_PFN(phys); ++ end_pfn = PHYS_PFN(end_phys); ++ ++#ifdef CONFIG_X86 ++ if (!pfn_range_is_mapped(start_pfn, end_pfn)) ++#else ++ if (!page_is_ram(start_pfn) || !page_is_ram(end_pfn)) ++#endif ++ { ++ pr_warn("IMA: previous kernel measurement buffer %pa (size 0x%zx) lies outside available memory\n", ++ &phys, size); ++ return -EINVAL; ++ } ++ ++ return 0; ++} +-- +2.53.0 + diff --git a/queue-6.6/of-kexec-refactor-ima_get_kexec_buffer-to-use-ima_va.patch b/queue-6.6/of-kexec-refactor-ima_get_kexec_buffer-to-use-ima_va.patch new file mode 100644 index 0000000000..40b9e025ba --- /dev/null +++ b/queue-6.6/of-kexec-refactor-ima_get_kexec_buffer-to-use-ima_va.patch @@ -0,0 +1,76 @@ +From 3ce72eacf0342c2645ce65a019f796273f920ec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2026 21:02:38 +0800 +Subject: of/kexec: refactor ima_get_kexec_buffer() to use ima_validate_range() + +From: Harshit Mogalapalli + +[ Upstream commit 4d02233235ed0450de9c10fcdcf3484e3c9401ce ] + +Refactor the OF/DT ima_get_kexec_buffer() to use a generic helper to +validate the address range. No functional change intended. + +Link: https://lkml.kernel.org/r/20251231061609.907170-3-harshit.m.mogalapalli@oracle.com +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Mimi Zohar +Cc: Alexander Graf +Cc: Ard Biesheuvel +Cc: Baoquan He +Cc: Borislav Betkov +Cc: guoweikang +Cc: Henry Willard +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Jiri Bohac +Cc: Joel Granados +Cc: Jonathan McDowell +Cc: Mike Rapoport +Cc: Paul Webb +Cc: Sohil Mehta +Cc: Sourabh Jain +Cc: Thomas Gleinxer +Cc: Yifei Liu +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Wenshan Lan +Signed-off-by: Sasha Levin +--- + drivers/of/kexec.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/drivers/of/kexec.c b/drivers/of/kexec.c +index 3b98a57f1f0743..23fde2d032e6d9 100644 +--- a/drivers/of/kexec.c ++++ b/drivers/of/kexec.c +@@ -128,7 +128,6 @@ int __init ima_get_kexec_buffer(void **addr, size_t *size) + { + int ret, len; + unsigned long tmp_addr; +- unsigned long start_pfn, end_pfn; + size_t tmp_size; + const void *prop; + +@@ -144,17 +143,9 @@ int __init ima_get_kexec_buffer(void **addr, size_t *size) + if (!tmp_size) + return -ENOENT; + +- /* +- * Calculate the PFNs for the buffer and ensure +- * they are with in addressable memory. +- */ +- start_pfn = PHYS_PFN(tmp_addr); +- end_pfn = PHYS_PFN(tmp_addr + tmp_size - 1); +- if (!page_is_ram(start_pfn) || !page_is_ram(end_pfn)) { +- pr_warn("IMA buffer at 0x%lx, size = 0x%zx beyond memory\n", +- tmp_addr, tmp_size); +- return -EINVAL; +- } ++ ret = ima_validate_range(tmp_addr, tmp_size); ++ if (ret) ++ return ret; + + *addr = __va(tmp_addr); + *size = tmp_size; +-- +2.53.0 + diff --git a/queue-6.6/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch b/queue-6.6/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch new file mode 100644 index 0000000000..54015c735e --- /dev/null +++ b/queue-6.6/phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch @@ -0,0 +1,126 @@ +From 5e4001aa2adc81e8e3810d6a1f4ecc3290e99b34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 21:13:49 +0200 +Subject: phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, + VSC856X + +From: Horatiu Vultur + +[ Upstream commit 1bc80d673087e5704adbb3ee8e4b785c14899cce ] + +As the PHYs VSC8584, VSC8582, VSC8575 and VSC856X exists only as rev B, +we can use PHY_ID_MATCH_EXACT to match exactly on revision B of the PHY. +Because of this change then there is not need the check if it is a +different revision than rev B in the function vsc8584_probe() as we +already know that this will never happen. +These changes are a preparation for the next patch because in that patch +we will make the PHYs VSC8574 and VSC8572 to use vsc8584_probe() and +these PHYs have multiple revision. + +Reviewed-by: Maxime Chevallier +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20251023191350.190940-2-horatiu.vultur@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc.h | 8 ++++---- + drivers/net/phy/mscc/mscc_main.c | 23 ++++------------------- + 2 files changed, 8 insertions(+), 23 deletions(-) + +diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h +index 4ba6e32cf6d8d1..c7aaf2c1ee52f1 100644 +--- a/drivers/net/phy/mscc/mscc.h ++++ b/drivers/net/phy/mscc/mscc.h +@@ -286,12 +286,12 @@ enum rgmii_clock_delay { + #define PHY_ID_VSC8540 0x00070760 + #define PHY_ID_VSC8541 0x00070770 + #define PHY_ID_VSC8552 0x000704e0 +-#define PHY_ID_VSC856X 0x000707e0 ++#define PHY_ID_VSC856X 0x000707e1 + #define PHY_ID_VSC8572 0x000704d0 + #define PHY_ID_VSC8574 0x000704a0 +-#define PHY_ID_VSC8575 0x000707d0 +-#define PHY_ID_VSC8582 0x000707b0 +-#define PHY_ID_VSC8584 0x000707c0 ++#define PHY_ID_VSC8575 0x000707d1 ++#define PHY_ID_VSC8582 0x000707b1 ++#define PHY_ID_VSC8584 0x000707c1 + #define PHY_VENDOR_MSCC 0x00070400 + + #define MSCC_VDDMAC_1500 1500 +diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c +index 0a4aa8e08827aa..bce7ff8555c2e9 100644 +--- a/drivers/net/phy/mscc/mscc_main.c ++++ b/drivers/net/phy/mscc/mscc_main.c +@@ -1724,12 +1724,6 @@ static int vsc8584_config_init(struct phy_device *phydev) + * in this pre-init function. + */ + if (phy_package_init_once(phydev)) { +- /* The following switch statement assumes that the lowest +- * nibble of the phy_id_mask is always 0. This works because +- * the lowest nibble of the PHY_ID's below are also 0. +- */ +- WARN_ON(phydev->drv->phy_id_mask & 0xf); +- + switch (phydev->phy_id & phydev->drv->phy_id_mask) { + case PHY_ID_VSC8504: + case PHY_ID_VSC8552: +@@ -2268,11 +2262,6 @@ static int vsc8584_probe(struct phy_device *phydev) + VSC8531_DUPLEX_COLLISION}; + int ret; + +- if ((phydev->phy_id & MSCC_DEV_REV_MASK) != VSC8584_REVB) { +- dev_err(&phydev->mdio.dev, "Only VSC8584 revB is supported.\n"); +- return -ENOTSUPP; +- } +- + vsc8531 = devm_kzalloc(&phydev->mdio.dev, sizeof(*vsc8531), GFP_KERNEL); + if (!vsc8531) + return -ENOMEM; +@@ -2559,9 +2548,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC856X, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC856X), + .name = "Microsemi GE VSC856X SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2633,9 +2621,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8575, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8575), + .name = "Microsemi GE VSC8575 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2657,9 +2644,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8582, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8582), + .name = "Microsemi GE VSC8582 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +@@ -2681,9 +2667,8 @@ static struct phy_driver vsc85xx_driver[] = { + .get_stats = &vsc85xx_get_stats, + }, + { +- .phy_id = PHY_ID_VSC8584, ++ PHY_ID_MATCH_EXACT(PHY_ID_VSC8584), + .name = "Microsemi GE VSC8584 SyncE", +- .phy_id_mask = 0xfffffff0, + /* PHY_GBIT_FEATURES */ + .soft_reset = &genphy_soft_reset, + .config_init = &vsc8584_config_init, +-- +2.53.0 + diff --git a/queue-6.6/series b/queue-6.6/series index b89bedefbf..a6685b0122 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -70,3 +70,12 @@ drm-i915-psr-add-defininitions-for-intel_wa_register.patch drm-i915-psr-read-intel-dpcd-workaround-register.patch drm-dp-add-edp-1.5-bit-definition.patch drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on.patch +arm64-io-rename-ioremap_prot-to-__ioremap_prot.patch +arm64-io-extract-user-memory-type-in-ioremap_prot.patch +phy-mscc-use-phy_id_match_exact-for-vsc8584-vsc8582-.patch +ima-verify-the-previous-kernel-s-ima-buffer-lies-in-.patch +of-kexec-refactor-ima_get_kexec_buffer-to-use-ima_va.patch +x86-kexec-add-a-sanity-check-on-previous-kernel-s-im.patch +hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-wi.patch +hwmon-pmbus-adm1266-serialize-nvmem-blackbox-read-wi.patch +soc-tegra-pmc-fix-unsafe-generic_handle_irq-call.patch diff --git a/queue-6.6/soc-tegra-pmc-fix-unsafe-generic_handle_irq-call.patch b/queue-6.6/soc-tegra-pmc-fix-unsafe-generic_handle_irq-call.patch new file mode 100644 index 0000000000..02bc47eb35 --- /dev/null +++ b/queue-6.6/soc-tegra-pmc-fix-unsafe-generic_handle_irq-call.patch @@ -0,0 +1,207 @@ +From 3d8279e4ba3c7b56cf4810b52b354150c39de740 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2026 16:09:12 +0800 +Subject: soc/tegra: pmc: Fix unsafe generic_handle_irq() call + +From: Prathamesh Shete + +[ Upstream commit e6d96073af681780820c94079b978474a8a44413 ] + +Currently, when resuming from system suspend on Tegra platforms, +the following warning is observed: + +WARNING: CPU: 0 PID: 14459 at kernel/irq/irqdesc.c:666 +Call trace: + handle_irq_desc+0x20/0x58 (P) + tegra186_pmc_wake_syscore_resume+0xe4/0x15c + syscore_resume+0x3c/0xb8 + suspend_devices_and_enter+0x510/0x540 + pm_suspend+0x16c/0x1d8 + +The warning occurs because generic_handle_irq() is being called from +a non-interrupt context which is considered as unsafe. + +Fix this warning by deferring generic_handle_irq() call to an IRQ work +which gets executed in hard IRQ context where generic_handle_irq() +can be called safely. + +When PREEMPT_RT kernels are used, regular IRQ work (initialized with +init_irq_work) is deferred to run in per-CPU kthreads in preemptible +context rather than hard IRQ context. Hence, use the IRQ_WORK_INIT_HARD +variant so that with PREEMPT_RT kernels, the IRQ work is processed in +hardirq context instead of being deferred to a thread which is required +for calling generic_handle_irq(). + +On non-PREEMPT_RT kernels, both init_irq_work() and IRQ_WORK_INIT_HARD() +execute in IRQ context, so this change has no functional impact for +standard kernel configurations. + +Signed-off-by: Petlozu Pravareshwar +Signed-off-by: Prathamesh Shete +Reviewed-by: Jon Hunter +Tested-by: Jon Hunter +[treding@nvidia.com: miscellaneous cleanups] +Signed-off-by: Thierry Reding +Signed-off-by: Robert Garcia +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/pmc.c | 104 ++++++++++++++++++++++++++++------------ + 1 file changed, 74 insertions(+), 30 deletions(-) + +diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c +index 1306e3b8b5c04b..4cb47c29dc6b95 100644 +--- a/drivers/soc/tegra/pmc.c ++++ b/drivers/soc/tegra/pmc.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -467,6 +468,10 @@ struct tegra_pmc { + unsigned long *wake_sw_status_map; + unsigned long *wake_cntrl_level_map; + struct syscore_ops syscore; ++ ++ /* Pending wake IRQ processing */ ++ struct irq_work wake_work; ++ u32 *wake_status; + }; + + static struct tegra_pmc *pmc = &(struct tegra_pmc) { +@@ -1940,6 +1945,50 @@ static int tegra_pmc_parse_dt(struct tegra_pmc *pmc, struct device_node *np) + return 0; + } + ++/* translate sc7 wake sources back into IRQs to catch edge triggered wakeups */ ++static void tegra186_pmc_wake_handler(struct irq_work *work) ++{ ++ struct tegra_pmc *pmc = container_of(work, struct tegra_pmc, wake_work); ++ unsigned int i, wake; ++ ++ for (i = 0; i < pmc->soc->max_wake_vectors; i++) { ++ unsigned long status = pmc->wake_status[i]; ++ ++ for_each_set_bit(wake, &status, 32) { ++ irq_hw_number_t hwirq = wake + (i * 32); ++ struct irq_desc *desc; ++ unsigned int irq; ++ ++ irq = irq_find_mapping(pmc->domain, hwirq); ++ if (!irq) { ++ dev_warn(pmc->dev, ++ "No IRQ found for WAKE#%lu!\n", ++ hwirq); ++ continue; ++ } ++ ++ dev_dbg(pmc->dev, ++ "Resume caused by WAKE#%lu mapped to IRQ#%u\n", ++ hwirq, irq); ++ ++ desc = irq_to_desc(irq); ++ if (!desc) { ++ dev_warn(pmc->dev, ++ "No descriptor found for IRQ#%u\n", ++ irq); ++ continue; ++ } ++ ++ if (!desc->action || !desc->action->name) ++ continue; ++ ++ generic_handle_irq(irq); ++ } ++ ++ pmc->wake_status[i] = 0; ++ } ++} ++ + static int tegra_pmc_init(struct tegra_pmc *pmc) + { + if (pmc->soc->max_wake_events > 0) { +@@ -1958,6 +2007,18 @@ static int tegra_pmc_init(struct tegra_pmc *pmc) + pmc->wake_cntrl_level_map = bitmap_zalloc(pmc->soc->max_wake_events, GFP_KERNEL); + if (!pmc->wake_cntrl_level_map) + return -ENOMEM; ++ ++ pmc->wake_status = kcalloc(pmc->soc->max_wake_vectors, sizeof(u32), GFP_KERNEL); ++ if (!pmc->wake_status) ++ return -ENOMEM; ++ ++ /* ++ * Initialize IRQ work for processing wake IRQs. Must use ++ * HARD_IRQ variant to run in hard IRQ context on PREEMPT_RT ++ * because we call generic_handle_irq() which requires hard ++ * IRQ context. ++ */ ++ pmc->wake_work = IRQ_WORK_INIT_HARD(tegra186_pmc_wake_handler); + } + + if (pmc->soc->init) +@@ -3156,47 +3217,30 @@ static void wke_clear_wake_status(struct tegra_pmc *pmc) + } + } + +-/* translate sc7 wake sources back into IRQs to catch edge triggered wakeups */ +-static void tegra186_pmc_process_wake_events(struct tegra_pmc *pmc, unsigned int index, +- unsigned long status) +-{ +- unsigned int wake; +- +- dev_dbg(pmc->dev, "Wake[%d:%d] status=%#lx\n", (index * 32) + 31, index * 32, status); +- +- for_each_set_bit(wake, &status, 32) { +- irq_hw_number_t hwirq = wake + 32 * index; +- struct irq_desc *desc; +- unsigned int irq; +- +- irq = irq_find_mapping(pmc->domain, hwirq); +- +- desc = irq_to_desc(irq); +- if (!desc || !desc->action || !desc->action->name) { +- dev_dbg(pmc->dev, "Resume caused by WAKE%ld, IRQ %d\n", hwirq, irq); +- continue; +- } +- +- dev_dbg(pmc->dev, "Resume caused by WAKE%ld, %s\n", hwirq, desc->action->name); +- generic_handle_irq(irq); +- } +-} +- + static void tegra186_pmc_wake_syscore_resume(void) + { +- u32 status, mask; + unsigned int i; ++ u32 mask; + + for (i = 0; i < pmc->soc->max_wake_vectors; i++) { + mask = readl(pmc->wake + WAKE_AOWAKE_TIER2_ROUTING(i)); +- status = readl(pmc->wake + WAKE_AOWAKE_STATUS_R(i)) & mask; +- +- tegra186_pmc_process_wake_events(pmc, i, status); ++ pmc->wake_status[i] = readl(pmc->wake + WAKE_AOWAKE_STATUS_R(i)) & mask; + } ++ ++ /* Schedule IRQ work to process wake IRQs (if any) */ ++ irq_work_queue(&pmc->wake_work); + } + + static int tegra186_pmc_wake_syscore_suspend(void) + { ++ unsigned int i; ++ ++ /* Check if there are unhandled wake IRQs */ ++ for (i = 0; i < pmc->soc->max_wake_vectors; i++) ++ if (pmc->wake_status[i]) ++ dev_warn(pmc->dev, ++ "Unhandled wake IRQs pending vector[%u]: 0x%x\n", ++ i, pmc->wake_status[i]); + wke_read_sw_wake_status(pmc); + + /* flip the wakeup trigger for dual-edge triggered pads +-- +2.53.0 + diff --git a/queue-6.6/x86-kexec-add-a-sanity-check-on-previous-kernel-s-im.patch b/queue-6.6/x86-kexec-add-a-sanity-check-on-previous-kernel-s-im.patch new file mode 100644 index 0000000000..fe29dd05a4 --- /dev/null +++ b/queue-6.6/x86-kexec-add-a-sanity-check-on-previous-kernel-s-im.patch @@ -0,0 +1,80 @@ +From 1cb1d148461bd6504fb7a0c2f28f62065d97bdc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Jun 2026 21:02:39 +0800 +Subject: x86/kexec: add a sanity check on previous kernel's ima kexec buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Harshit Mogalapalli + +[ Upstream commit c5489d04337b47e93c0623e8145fcba3f5739efd ] + +When the second-stage kernel is booted via kexec with a limiting command +line such as "mem=", the physical range that contains the carried +over IMA measurement list may fall outside the truncated RAM leading to a +kernel panic. + + BUG: unable to handle page fault for address: ffff97793ff47000 + RIP: ima_restore_measurement_list+0xdc/0x45a + #PF: error_code(0x0000) – not-present page + +Other architectures already validate the range with page_is_ram(), as done +in commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer +against memory bounds") do a similar check on x86. + +Without carrying the measurement list across kexec, the attestation +would fail. + +Link: https://lkml.kernel.org/r/20251231061609.907170-4-harshit.m.mogalapalli@oracle.com +Signed-off-by: Harshit Mogalapalli +Fixes: b69a2afd5afc ("x86/kexec: Carry forward IMA measurement log on kexec") +Reported-by: Paul Webb +Reviewed-by: Mimi Zohar +Cc: Alexander Graf +Cc: Ard Biesheuvel +Cc: Baoquan He +Cc: Borislav Betkov +Cc: guoweikang +Cc: Henry Willard +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Jiri Bohac +Cc: Joel Granados +Cc: Jonathan McDowell +Cc: Mike Rapoport +Cc: Sohil Mehta +Cc: Sourabh Jain +Cc: Thomas Gleinxer +Cc: Yifei Liu +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Wenshan Lan +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/setup.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index eb129277dcdd64..df74f865c9f121 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -372,9 +372,15 @@ int __init ima_free_kexec_buffer(void) + + int __init ima_get_kexec_buffer(void **addr, size_t *size) + { ++ int ret; ++ + if (!ima_kexec_buffer_size) + return -ENOENT; + ++ ret = ima_validate_range(ima_kexec_buffer_phys, ima_kexec_buffer_size); ++ if (ret) ++ return ret; ++ + *addr = __va(ima_kexec_buffer_phys); + *size = ima_kexec_buffer_size; + +-- +2.53.0 +